Skip to the main content.

Global armed services are looking at strategies and techniques to open up systems and reduce vendor lock. These programs are often deployed for decades and so these architectures need to be resistant to changes in supply chain, capable of advancing functionality to keep systems globally competitive against all adversaries, and functionally safe and secure. Virtually every presentation from the US armed services is driving a Modular Open Systems Approach (MOSA), and include acronyms like FACE (Future Airborne Capability Environment), SOSA (Sensor Open System Architecture), and other open capability standards.  

Earlier this week, we received confirmation from the Future Airborne Capability Environment (FACE) Consortium that LynxOS-178, our DAL A certified real-time operating system, had passed the conformance testing for version 3.1 of the FACE specification for three processor architectures; Arm, PowerPC, and x86.

If you are new to FACE, this article by our VP of Engineering provides a great background and is a quick read.

As we discuss in this white paper, a supplier cannot simply claim FACE conformance. Instead, the process mandates a 3rd party verification authority (VA) performance the testing. The FACE Conformance Program provides the conformance criteria and processes necessary to assure that UoCs (Unit of Conformance – In our case this is a software component) are developed according to the FACE Technical Standard. These criteria and processes require the verification, certification, and registration of the UoC. In our case, we chose LDRA as our VA.


We have to be careful, though, not to think that our work is done by simply aligning to standards. While they describe interfaces of libraries that applications can link into to use operating system services, these interfaces only include descriptions for software that can run in the user application space. The standards lack descriptions of expected behavior and side effects that can inform real-time and hazard analysis. They do not account for the system information that's needed to build, integrate, and configure a comprehensive system to behave correctly. They also do not cover software components that reside in the operating system itself, such as drivers and health monitors. 

Those are the areas where Lynx focuses to deliver differentiated standards-based platforms through:
  1. LynxSecure which enables architects to partition resources and allocate components as individual virtual machines, and
  2. LynxElement (Unikernel) which can be used as the runtime environment for each individual components instead of traditional guest OSs to improve resource utilization and timing properties

Some great reading on how these can assist system architects can be found in this article written by Will Keegan (page 26 of this edition of Military Embedded).

LynxElement: Lynx's Second Generation of Secure Unikernel

LynxElement: Lynx's Second Generation of Secure Unikernel

Followers of Lynx will know that our primary focus is LYNX MOSA.ic. This software framework, founded on the LynxSecure® separation kernel hypervisor,...

Read More