INTEGRITY-178 EAL 6+ certified, safety-critical RTOS
A proven provider of software and certification solutions, Green Hills Software maintains a dedicated group that has handled the risks associated with operating systems, run-times, common service libraries, and the development tool-chain. Our broad safety-critical product line spans different processors and certification types.
Supporting the entire certification effort
The Rockwell Collins Avionics Management and Display System aboard the S-92 Sikorsky helicopter is among the INTEGRITY-178 applications approved as compliant to DO-178B Level A.
Green Hills Software's certification approach is to provide proven software system solutions with completed security certificates and safety compliance approvals. Our solutions combine customer-specific certification support with common software capabilities that are reused across a multitude of customers.
Green Hills Software supports a customer's entire certification effort, including hardware/software product compatibility, custom hardware device driver development, complete product testing on customer's hardware, appropriate life cycle data generation and delivery, and audit support. This frees customers to focus on core competencies, lowering the schedule, cost, and certification risks associated with using internal or multi-supplier resources.
A complete safety-critical line
Green Hills Software offers a full line of safety & security critical products that are available today with complete DO-178 Level A certification evidence. This includes:
- INTEGRITY-178 RTOS —a complete time, space, and resource partitioned real time operating system
- ANSI C Library—an ANSI C library subset
- Embedded C++—a C++ library subset
- GMART—a single-tasking Ada run-time based on the SPARK Ada profile
- GSTART—a multi-tasking Ada run-time based on the Ravenscar Ada profile
- GMART Bare Target—an Ada bare target run-time, used with GMART
- GCERT Bare Target—a C bare target run-time, used with the ANSI C library
- ARINC-653—ARINC-653 compliant Part 1 APEX interface and Part 2 file system
- PJFS-178—a file and directory management system and user interface supporting physical and virtual storage devices
- IPFLITE/TFTP—UDP/IP network stack and socket library interface, including support for TFTP capabilities
- Audit Logging—logging and retrieval of kernel and application triggered events during RTOS execution
- Secure Hash Algorithm (SHA-1)—verifies integrity of ELF images at RTOS startup and during run-time
- Abstract Machine Testing—verifies correct operation of hardware at RTOS startup and during run-time
Within the INTEGRITY-178 RTOS' partitioned environment, these other Green Hills products—tailored for applications that can use commercial off-the-shelf software without detailed and rigorous certification evidence (e.g., DO-178B Levels D/E)—are supported:
- ARINC-615A Data Loader—ARINC-615A data loading support
- POSIX—a POSIX run-time library subset
- C/C++—a full C/C++ run-time library
- Ada—a full Ada run-time library
- File System—a FAT file system
- Networking—GHNet-178 TCP/IP IPV4/IPV6 stack, advanced router stack, Net-SNMP stack, IPSec library, and other networking related capabilities
Operating system architecture
The INTEGRITY-178 RTOS has earned its pedigree through a unique combination of powerful capabilities:
- A single partitioning-supporting operating system that satisfies both DO-178B Level A safety assurance requirements and NSA High Robustness security functional and assurance requirements
- Proven in real-world customer applications since 1997 with over 60 certification packages developed for more than 30 different microprocessors delivered to date
- The first commercial partition-enforcing RTOS approved as complying to DO-178B Level A objectives (2002)
- The first RTOS to obtain SKPP/EAL 6+ certification (2008)
- Highly scrutinized RTOS source code—perhaps the most scrutinized to date
Protection in time and space domains
INTEGRITY-178's unique approach to resource management provides guaranteed resource availability for multiple safety-critical and/or security-critical applications on a single processor operating at different safety assurance levels (A/B/C/D/E) and/or security levels.
Engineered from the ground up to provide security and determinism, the INTEGRITY-178 RTOS guarantees protection across both the time and space domains, including protecting the confidentiality and integrity of an application's data from unintended access by other applications.
Protection in the space domain
- Guaranteed resource availability—Partition's memory is protected from access by another partition
- Memory protection—Utilizes underlying hardware MMU to enforce execute-read-write permissions
- "Hard currency" OS—No shared resource pools, each partition is individually allocated resources for system calls
- Statically verifiable MMU settings—No dynamic manipulation of MMU to support message passing
- Statically verifiable system resource allocation—Project defined boot table controls ownership
- Connections—Secure (non-bypassable) inter-partition communications
Protection in the time domain
- Deterministic—Given a state & input results in the same state transition
- Scheduler/timing analysis—No heuristics in scheduler
- No priority inversion—No binary semaphores in kernel implementation; support for Highest Locker Semaphores, hence no unbounded blocking times
- ARINC-653-1 partition scheduler—Optimized two-level scheduler with guaranteed execution time windows and execution overrun detection
- Bounded computation time for all system calls—No dynamic memory allocation in kernel space
- No hidden execution time/latency—Message transfers use task's execution time and interrupts never disabled to update kernel structures
- Software timers with access permissions
INTEGRITY-178 RTOS multicore support
Resolving the complexity of multicore systems
To satisfy increasing demands for computing throughput, processor designers are adding multiple cores within a single chip package. Operating system support for multicore is a necessity in order to incorporate these devices into new designs and system upgrades.
For developers of real-time embedded systems, the advent of multicore processors has resulted in several new design challenges:
- How to select an architecture that permits effective use of multicore processors.
- How to develop, integrate, or port previously independent applications running on single-core processors to a multicore operating environment that includes shared system resources.
- Finding an architecture that supports different use scenarios for different sets of processor cores.
- Finding an architecture that provides the flexibility and tradeoffs necessary for eventual system certification on a multicore processor.
Most architectures, including the fundamental AMP and SMP scheduling approches, require developers to make tradeoffs when attempting to resolve these challeges. The INTEGRITY-178 RTOS uniquely provides a highly-flexible multicore solution that addresses them all.
Time-variant Unified Multi-Processing (tuMP)
Green Hills Software's resolution to the multicore design challenges is called Time-variant Unified Multi-Processing (tuMP, pronounced "2MP"), a multicore scheduling solution for the INTEGRITY-178 RTOS. The tuMP capabilities enable multiple independent safety and/or security-critical applications to execute on a multicore operating environment in a predictable, bounded, and application independent manner. The tuMP partition enforcing scheduling method results in a unified OS that provides practical time variant scheduling of both AMP and SMP applications simultaneously.
With tuMP, the system architect creates associations of cores and applications called Affinity Groups (AG) that correspond to some intended system function (or functions). Affinity Groups define how cores will be utilized by one or more applications, with the system architect defining how the Affinity Groups will be scheduled over time. Affinity Groups may be scheduled independent of other Affinity Groups, permitting time-lines that closely correspond to application requirements, yet also permitting new sets of Affinity Groups to be developed that can make use of any of the time windows where cores are not being utilized. Any new application (or extension of an existing application) can make use of the unallocated execution time across the entire multicore processor.
Safety and security certification data
DO-178B Level A certification data
Software life-cycle data managed as part an INTEGRITY-178
DO-178B Level A certification effort includes:
- Customer-specific Plan for Software Aspects of Certification (PSAC)
- Software Plans (Development, Verification, CM, SQA)
- Software Standards (Requirements, Design, Code)
- Software Requirements Documents
- Software Design Documents
- Source Code
- Executable Object Code
- Traceability Matrices
- Software Verification Test Cases and Procedures
- Software Verification Results
- Partition integrity, timing, memory, and stack analysis
- Problem Reports
- Software Configuration Management Records
- Software Quality Assurance Records
- Tool Accomplishment Summary
- Customer-specific Software Life Cycle Environment Configuration Index
- Customer-specific Software Configuration Index
- Customer-specific Software Accomplishment Summary (SAS)
- Integration guidance documentation
Green Hills Software's in-house safety and security experts develop, verify, support, and maintain the DO-178B Level A compliant software processes and life cycle data for all INTEGRITY-178 products. Through this dedicated team of experts, Green Hills Software supports customers throughout their safety critical certification efforts and delivers the required compliance substantiation data.
This certification package includes Green Hills Software services for all the DO-178B Level A compliance activities associated with verifying the INTEGRITY-178 operating system on the processor architecture specified by a customer's requirements. All audits, reviews, analysis and testing of the INTEGRITY-178 operating system are performed by Green Hills Software using the customer's target processor system.
SKPP related data
In addition to safety-related life-cycle data, the following SKPP related life-cycle data are generated as part of the initial certification and/or a customer-specific security effort:
- Security-specific Software Development Plan
- Development Security Plan
- Security-specific Configuration Control Procedures
- Assurance Maintenance Plan
- Assurance Maintenance Requirements
- Installation, Generation, & Startup Guidance
- User and Administrator Guidance Document
- Security Target and Security Policy
- Formal model and proof
- Covert Channel Analysis
- Architecture Design Document
- Target Platform-specific Definition Document
- Target Platform-specific Vulnerability Analysis
- Customer-specific Security Impact Analysis
- Security-specific reviews
Green Hills also develops and maintains SKPP compliant processes and life-cycle data for INTEGRITY-178 security customers. By also completing all of the safety related processes and generating the corresponding safety life-cycle data, all security certifications support both safety (DO-178B Level A) and security (SKPP) usage in a single product. Green Hills uses secure delivery procedures to deliver the substantiation evidence to security customers and to provide means for secure delivery authentication.