Safety-Critical Systems


Lessons from Avionics

We all expect a degree of safety and security from the environment around us. In situations of extreme risk, extraordinary measures are usually taken to minimize that risk. This is never more so than in the military context, where vastly destructive and expensive systems are put into danger, along with their all too fragile human operators. An increasingly important part of these systems is the embedded software component, and as any system is only as good as its weakest component, the RTOS, the compiler, the libraries and the application code must all be robustly designed, written and tested. The complexities of modern object-oriented languages are seen to allow flaws to creep into applications, and in response subsets of those languages are being marketed. That is one of the reasons why SparkAda has been produced by Praxis and why MISRA is developing a subset of C. Microsoft chose to remove certain elements of C in C#; the lesson is there to learn: some language constructs represent a risk to the application. The newest version of SparkAda (7.31) includes many significant improvements, particularly for error checking. A new Examiner switch produces an explanation of any errors and warnings on-screen and in the listing files. It also provides support for the full range of IEEE 64-bit floating point values in the configuration file, and a new Simplifier looks for modular and rational inequalities. The objective of these tools is, of course, to prove the correctness of the code.

At the same time, AdaCore's GNAT Pro Ada toolset is finding use in applications such as Boeing's Training and Systems Division. GNAT Pro is an open Ada development environment based on GNU GCC compiler technology and is presented as a robust and flexible product. It includes a full Ada compiler with support for all major Ada 2005 features and can be used for the development of pure Ada applications as well as Ada components in multi-language systems. As part of the Boeing contract, AdaCore will be supplying GNAT Pro for the development of training systems for custom Apache aircraft.

Version 4.0 of the GNAT Programming Studio includes on-the-fly code completion, support for remote programming and improved version control. The code completion engine understands the details of Ada language semantics, enabling automatic program completion. The new remote programming function allows developers to work from their PCs without incurring bottlenecks on servers. Extended support for platforms such as x86-64 Linux and PPC AIX further increases the range and usability available with version 4.0.

The RTOS perspective

Operating systems are another factor in the equation. Users' personal experience with PCs, and with some of the more erratic digital devices currently being marketed, will cause them to look very closely at this component. There are several Real-Time Operating Systems suitable for use in safety-critical systems, classified at different levels of integrity against various accepted categories. LynxOS-178 is certifiable to DO-178B Level A. It also offers the interoperability benefits of POSIX and supports the ARINC 653 Application Executive (APEX). LynuxWorks has received an Advisory Circular AC 20-148 acceptance letter from the FAA. With the reusable software component (RSC) approval by the FAA of LynxOS-178, developers can consider the operating system portion of the safety-critical software code and the supporting DO-178 artefacts for reuse in other system designs. This can reduce the time and cost of achieving FAA certification and further reduce the risk incurred in redeveloping code across multiple safety-critical systems.

DO-178B has become a de facto standard. Produced by the Radio Technical Commission for Aeronautics (RTCA), it is now established in the FAA's Advisory Circular AC 20-115B as the accepted means of certifying all new aviation software. The targeted DO-178 certification level is A, B, C, D or E; these levels correspond to the consequences of a failure of the software, from catastrophic to no effect.

ARINC 653-1 is an abbreviation for the Draft 3 of supplement 1 to ARINC Specification 653. The standard defines the APEX executive for space and time partitioning that may be used wherever multiple applications need to share a single processor and memory, in order to guarantee that one application cannot bring down another in the event of failure.

Each partition in an ARINC 653-based system represents a separate application and only makes use of the memory space allocated to it. The APEX also allocates a dedicated time slice to each application, thus creating time partitioning. Each partition also supports multitasking. The indirect result is that applications certified at different levels within DO-178 can run in isolated partitions on the same computer. The standard ARINC 653 services include both inter-partition and intra-partition communication. The latter includes buffers, blackboards, semaphores and events.

The LynxOS-178 RTOS applies secure partitions for time, memory and resources. It implements an ARINC 653-1 based time partition that gives each partition a fixed execution time so that the system is deterministically safe. Each RTOS partition performs like a stand-alone real-time operating system. System events in one partition can neither share resources nor interfere with events in another (except VM0, a partition with root privileges).
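As an added illustration of the time partitioning described above (example code written for this page, not from LynxOS-178 or any ARINC 653 product), the following Python simulation gives each partition a fixed window in a cyclic major frame: a partition that overruns its window is cut off and logged, and a partition that faults is stopped by the health monitor without disturbing the others. Partition names, windows and the fault behaviour are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Partition:
    name: str
    window_ms: int                 # fixed execution window inside each major frame
    body: Callable[[int], int]     # application code: gets frame number, returns ms it wanted
    mode: str = "NORMAL"           # NORMAL, or IDLE once the health monitor has stopped it
    frames_run: int = 0
    overruns: int = 0
    faults: int = 0

class MajorFrameScheduler:
    """Cyclic time partitioning: every partition gets exactly its window, every frame."""
    def __init__(self, partitions: List[Partition]) -> None:
        self.partitions = partitions
        self.major_frame_ms = sum(p.window_ms for p in partitions)
        self.log: List[Tuple[int, str, int, int]] = []   # (frame, partition, start, end)

    def run(self, frames: int) -> None:
        for frame in range(frames):
            t = frame * self.major_frame_ms
            for p in self.partitions:
                start = t
                if p.mode == "NORMAL":
                    try:
                        wanted = p.body(frame)
                        p.frames_run += 1
                        if wanted > p.window_ms:   # window is a hard budget: preempted, logged
                            p.overruns += 1
                    except Exception:              # the fault stays inside this partition
                        p.faults += 1
                        p.mode = "IDLE"            # health monitor stops only this partition
                t += p.window_ms                   # the window elapses whether used or not
                self.log.append((frame, p.name, start, t))

# Constructed application bodies: frame number in, milliseconds wanted out.
def nav(frame: int) -> int: return 15          # well behaved: 15 ms of a 20 ms window
def display(frame: int) -> int: return 40      # misbehaving: wants 40 ms of a 30 ms window
def maint(frame: int) -> int:                  # crashes in its second frame
    if frame == 1:
        raise RuntimeError("constructed fault in MAINT")
    return 5

def build_demo() -> MajorFrameScheduler:
    sched = MajorFrameScheduler([Partition("NAV", 20, nav), Partition("DISPLAY", 30, display),
                                 Partition("MAINT", 10, maint)])
    sched.run(3)
    return sched
```

After three major frames NAV and DISPLAY have each run three times, DISPLAY has three logged overruns, and MAINT has been idled after its fault while the schedule's window boundaries are unchanged.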

Wind River's Platform for Safety Critical ARINC 653 offers complete ARINC 653-1 compliance and DO-178B certification evidence. A range of language options (C, C++ or Ada) is available for ARINC 653-1 system development with this product, and applications can be written to VxWorks, ARINC or POSIX APIs. The partition-level operating system varies for different certification levels and allows adaptation of legacy operating systems, enabling the OS to run existing code with little change.

The platform includes an XML-based utility to configure all ARINC 653 run-time objects (partitions, ports, health monitoring, etc.). This XML-to-binary compiler is qualified as a development tool under DO-178B guidelines. It ensures that tabular partition configuration data is generated correctly in binary format and supports the independent development, testing and certification/re-certification of applications in an Integrated Modular Avionics (IMA) system.
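The XML-to-binary configuration step above can be illustrated with a constructed example (written for this page, not Wind River's qualified tool): it parses a small partition schedule, rejects schedules that would break time partitioning (windows outside the major frame, duplicate ids, overlapping windows) and emits a fixed-layout binary table. The element names, attributes, magic value and binary layout are assumptions.

```python
import struct
import xml.etree.ElementTree as ET
from typing import List, Tuple

MAGIC = b"A653"                      # constructed header magic for the binary table
HEADER = struct.Struct("<4sHH")      # magic, major frame (ms), partition count
ENTRY = struct.Struct("<HHH")        # partition id, window offset (ms), window duration (ms)

def parse_schedule(xml_text: str) -> Tuple[int, List[Tuple[int, int, int]]]:
    """Read <Schedule MajorFrame=".."> with <Partition Id Offset Duration/> children
    and reject any schedule that breaks the partitioning guarantees."""
    root = ET.fromstring(xml_text)
    if root.tag != "Schedule":
        raise ValueError("root element must be Schedule")
    major = int(root.attrib["MajorFrame"])
    windows = []
    for el in root.findall("Partition"):
        pid, off, dur = (int(el.attrib[k]) for k in ("Id", "Offset", "Duration"))
        if dur <= 0:
            raise ValueError(f"partition {pid}: Duration must be positive")
        if off + dur > major:
            raise ValueError(f"partition {pid}: window exceeds the major frame")
        windows.append((pid, off, dur))
    ids = [w[0] for w in windows]
    if len(ids) != len(set(ids)):
        raise ValueError("partition Ids must be unique")
    windows.sort(key=lambda w: w[1])
    for (a_id, a_off, a_dur), (b_id, b_off, _) in zip(windows, windows[1:]):
        if a_off + a_dur > b_off:      # overlapping windows would break time isolation
            raise ValueError(f"partitions {a_id} and {b_id} overlap")
    return major, windows

def compile_schedule(xml_text: str) -> bytes:
    """Emit the fixed-layout binary table a run-time would load (layout is constructed)."""
    major, windows = parse_schedule(xml_text)
    out = HEADER.pack(MAGIC, major, len(windows))
    for pid, off, dur in windows:
        out += ENTRY.pack(pid, off, dur)
    return out

# Constructed sample configuration, not any product's real file format.
GOOD_XML = """<Schedule MajorFrame="60">
  <Partition Id="1" Name="NAV" Offset="0" Duration="20"/>
  <Partition Id="2" Name="DISPLAY" Offset="20" Duration="30"/>
  <Partition Id="3" Name="MAINT" Offset="50" Duration="10"/>
</Schedule>"""
BAD_XML = GOOD_XML.replace('Offset="50"', 'Offset="40"')   # MAINT would now overlap DISPLAY
```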


IMA Systems

IMA systems use a common computing platform to host multiple avionics applications, reducing the dependence on specific hardware architectures and the number of distinct sub-systems used in the aircraft. This lowers the burden of planning for obsolescence and technology insertions. They can be used in conjunction with ARINC 653, enabling the development of portable avionic applications. They also provide a software framework for the implementation of in-service upgrades for both safety-critical and non-critical systems.

Green Hills' INTEGRITY and Velocity RTOSs have recently been certified to Safety Integrity Level 3 (SIL3) of IEC 61508, in addition to being certified to DO-178B Level A for flight-critical avionics and being used in FDA/CDRH Class II and III life-critical medical devices. INTEGRITY is currently undergoing evaluation at assurance level EAL6+ of the Common Criteria. The INTEGRITY-178B real-time operating system uses an ARINC 653-1 APEX interface, providing a recognized standard interface between the operating system of an avionics computer resource (ACR) and the application software. INTEGRITY-178B's approach to resource management, which includes processor utilisation and memory management, provides guaranteed resource availability for multiple safety-critical programs running at different safety levels on a single processor.

SYSGO's microkernel-based RTOS, PikeOS, is to be used in a development that will integrate various existing avionic systems, formerly based on other safety-critical commercial operating systems, on a single COTS hardware platform running PikeOS. PikeOS has been newly designed in accordance with safety standards such as DO-178B, IEC 61508 and EN 50128, and with its low number of lines of code it has the benefit of being quite cost effective. Partitioning makes it possible to limit the certification to the safety-critical components of the entire system. Using the partitioning mechanisms of PikeOS, safety-critical real-time applications can co-exist with Linux, with the guarantee that Linux applications are not able to compromise the execution of the critical tasks. The objective of this project is to reduce costs for avionic systems by integrating several existing systems on a single platform. PikeOS has support from AONIX's ObjectAda, allowing legacy Ada applications to be migrated to the new platform.

The Language Question

The language question is a thorny one. Ada is naturally the language that springs to mind for safety-critical military applications. Alternatives to the use of conventional languages may need to be considered, including code generation, which may well become significant in the near future. Rhapsody from I-Logix has support from Esterel's SCADE, to produce an integrated design environment for the production of safety-critical systems. SCADE provides a set of tools for Model-Driven Development (MDD) within this environment, allowing design and simulation in UML 2.0 and the eventual generation of C code in a process that meets the DO-178 and IEC 61508 international safety standards. Using qualified C code generators eliminates the need for low-level C code verification activities, saving a considerable amount of development time. This new MDD solution supports multiple development scenarios, including pure safety-critical systems and hybrid systems containing a mixture of safety-critical and non-safety-critical applications.

ARTiSAN Studio is also heavily involved in safety-critical applications, with a range of customers in the automotive sector. iSYSTEM's integration of ARTiSAN Studio with its emulation and debug technology, for on-target simulation of embedded applications modelled in UML, and Extessy's co-simulation platform EXITE provide the support to bring UML into the industrial and automotive arenas.

Another language option, perhaps an unexpected one for safety-critical systems, is Java. Aonix has announced a Java 5 language upgrade of PERC Ultra. This introduces full Java 5 language features such as generics, annotations and type-safe enumerations. Along with these revisions, PERC Ultra also includes enhancements to key packages from the Java Standard Edition library set, to take advantage of Java 5 features, as well as new libraries such as java.util.concurrent and java.nio.channels. In addition to Java 5 capabilities, PERC Ultra also introduces a variety of performance, porting and tool improvements. Tool enhancements include integration with the Eclipse Test and Performance Tools Platform (TPTP) profiling capability, shell enhancements and easier installation. New ports include WinCE/XScale, VxWorks 6.x for PowerPC, Linux XScale Big Endian and the latest safety-critical version of LynxOS.

IEC 61508 is the standard commonly recognized by regulatory bodies for the safety certification of industrial control, automation and automotive systems. It covers the entire software development life cycle and places a strong emphasis on analyzing and mitigating safety hazards, enforcement of a rigorous quality management system, and extremely thorough verification and validation.


And the chips

There has to be support from the hardware as well. New chips such as the Sun Microsystems UltraSPARC4+, IBM's Cell and other multicore solutions are appearing on the market for use in complex safety- and security-critical applications. The 64-bit UltraSPARC4+ is a dual-core device, providing mission-critical throughput and chip multithreading technology. The IBM Cell Broadband Engine Architecture (CBEA) consists of a general-purpose PowerPC processor core connected to eight special-purpose DSP cores. These DSP cores give an effective SIMD architecture that can satisfy the diverse requirements of cryptography, graphics transforms and fast Fourier transforms (FFT), matrix operations, and scientific workloads.

The techniques and technologies of the avionics industry are clearly applicable across other types of application. Transport, medical and heavy industrial applications are all in need of highly reliable software environments, and the standards already developed in avionics will guide and inform new developments in these areas.
