Safety Critical Products: INTEGRITY®-178B RTOS


The INTEGRITY®-178B operating system is the most secure operating system in the world to have been certified by the NSA-managed NIAP lab to EAL6+ High Robustness. No other commercial operating system has attained this level of security. No other commercial operating system has entered into an evaluation at EAL6+ High Robustness.

In the past, Safety Critical software systems with multiple levels of safety criticality have been deployed on federated systems, where each function executes on a dedicated processor. The need to lower maintenance costs and reduce the size/weight/power of older embedded computer systems, combined with the availability of modern processor technology, has created the demand for a commercial run-time system that permits multiple programs at different safety levels to execute on a single processor. In addition, the run-time system must be certifiable to a level of criticality as high or higher than that of any program running on the processor.

The cost to test and certify safety critical software is directly proportional to the level of safety criticality. The higher the safety level, the more complex and expensive the certification process. The most economical and architecturally ideal single processor solution is to certify only those programs that operate at the highest level of safety criticality to the highest level of certification. The programs or functions that operate at lower levels of criticality would then be certified to lower levels of safety. This method is valid as long as the run-time system guarantees that any failure resulting from a defect in a program operating at a lower safety level CAN NOT, under any circumstance, disrupt the operation of the higher safety level functions. The run-time system must guarantee protection in both the space and time domains. In other words, a commercial real-time operating system must be securely partitioned so that it provides both memory protection and real-time scheduling protection.

» Also see the INTEGRITY Real-Time Operating System

DO-178B Level A Certified RTOS, Certified POSIX IEEE 1003.13, MILS-Compliant, EAL 6+ Safety Critical software, INTEGRITY-178B Secure Partition Diagram

Related Articles
Safety critical runtime options
Protection in the Time Domain
  • Deterministic — given state, input same state transition
  • Schedulability Analysis
       - RMA support within a partition or across the entire processor
       - Task utilization statistics
       - Execution overrun detection
       - No heuristics in scheduler
  • No Priority Inversion
       - No semaphores in kernel implementation
       - Highest Locker Semaphores, no unbounded blocking times
  • ARINC-653-1 Partition Scheduler
       - Optimized two-level scheduler
       - Guaranteed time window to run with intra- and inter-partition allocation of idle time
  • Bounded Computation Time For All System Calls
       - No dynamic memory allocation in kernel space
  • No hidden execution time/latency
       - Message transfers use task's execution time
       - Never disable interrupts to update kernel structures
  • Pure Software Timers With Access Permissions

"INTEGRITY-178B has been engineered from the ground up to provide security and determinism."

Protection in the Space Domain
  • Guaranteed Resource Availability – Partition's memory is protected from access by another partition 
  • Memory Protection – Utilizes underlying HW MMU, applies execute-read-write permissions 
  • "Hard Currency" OS – Programs in Secure Partitions donate own memory to satisfy system call 
  • Statically verifiable MMU settings – No dynamic manipulation of MMU to support message passing 
  • No Recursion in Kernel – Static call graph guarantees max kernel stack size 
  • Static Verification of System Resources (kernel objects) 
  • Connections – Secure interpartition communications 
  • Secure Device Drivers – User Mode tasks which use connections as interface to the ISR/Synchronous Call 


INTEGRITY-178B is an ARINC-653-1 compliant, securely partitioned real time operating system that targets demanding safety critical applications containing multiple programs with different levels of safety criticality, all executing on a single processor. INTEGRITY-178B has been engineered from the ground up to provide security and determinism. As a result it guarantees protection across both the time and space domains.

The kernel's design guarantees bounded computation times by eliminating features such as dynamic memory allocation. Underlying hardware mechanisms are used to provide full system memory protection for all components, including user applications, device drivers, and inter-partition communications. Clocks and timers are protected with access permissions and implemented entirely in software. Its memory-protection and error-handling features provide a secure system with built-in fault isolation and tolerance. At the lowest level, the kernel is protected from malicious access through its object-oriented design and access verification. Traditional kernel access problems such as invalid kernel addresses and invalid system call parameters are eliminated by the kernel's secure design.

INTEGRITY-178B's unique approach to resource management, which includes processor utilization and memory management, provides guaranteed resource availability for multiple safety-critical programs on a single processor operating at different safety levels.

With its securely partitioned design, deterministic behavior, real-time responsiveness and small footprint, INTEGRITY-178B offers a universal run-time environment that is capable of executing a variety of avionics and flight control functionality operating at different safety and security levels.

INTEGRITY-178B's ARINC-653-1-Application/EXecutive (APEX) interface provides a recognized standard interface between the operating system of an avionics computer resource (ACR) and the application software. It's ability to fully support ARINC-653-1 while complying with DO-178B Level A provides a COTS baseline avionics operating environment that meets standards already adopted and accepted by the commercial avionics industry for Integrated Modular Avionics.
DO-178B Level A Certified RTOS, Certified POSIX IEEE 1003.13, MILS-Compliant, EAL 6+ Safety Critical software, INTEGRITY-178B DiagramINTEGRITY-178B reduces the time to introduce new functionality into existing systems. Through secure partitioning in both time and space, minimal regression testing is required for a system's preexisting components. Testing is often the most expensive activity of any certification effort. This reduction of effort translates into large cost savings and decreased time to market. For systems without secure partitioning, regression tests/analysis must be performed to guarantee schedulability, as well as ensuring no data access violations, by the new functionality. As a result, both performance and functional tests are required.



 Key Customers           
  • Lockheed Martin
  • Boeing
  • Rockwell
  • Raytheon
  • BF Goodrich Aerospace
  • Alenia Aerospatiale

Project Details         

Safety Critical Products:

INTEGRITY - High Reliability RTOS Solution
INTEGRITY-178B - DO-178B Level A Safety Critical Certified RTOS
MULTI - Advanced Multi-Language Development Environment
AdaMULTI - Ada Enabled Advanced Multi-Language Development Environment
GMART - DO-178B Level A SPARK Compliant Safety Critical kernel
GSTART - DO-178B Level A Ravenscar Compliant Safety Critical kernel
G-Cover - DO-178B Level A Qualified Test Capability


© 1996-2016 Green Hills Software Trademark & Patent Notice