INTEGRITY-178 safety-critical RTOS

A proven provider of software and certification solutions, Green Hills Software maintains a dedicated group that handles the risks associated with operating systems, run-times, common service libraries, and the development tool-chain. Our broad safety-critical product line spans different processors and certification types.

Supporting the entire certification effort

The Rockwell Collins Avionics Management and Display System aboard the S-92 Sikorsky helicopter is among the INTEGRITY-178 applications approved as compliant with DO-178B Level A.

Green Hills Software's certification approach is to provide proven software system solutions with completed security certificates and safety compliance approvals. Our solutions combine customer-specific certification support with common software capabilities that are reused across a multitude of customers.

Green Hills Software supports a customer's entire certification effort, including hardware/software product compatibility, custom hardware device driver development, complete product testing on customer's hardware, appropriate life cycle data generation and delivery, and audit support. This frees customers to focus on core competencies, lowering the schedule, cost, and certification risks associated with using internal or multi-supplier resources.

A complete safety-critical line

Green Hills Software offers a full line of safety & security critical products that are available today with complete DO-178 Level A certification evidence. This includes:

  • INTEGRITY-178 RTOS—a complete time, space, and resource partitioned real-time operating system
  • ANSI C Library—an ANSI C library subset
  • Embedded C++—a C++ library subset
  • GMART—a single-tasking Ada run-time based on the SPARK Ada profile
  • GSTART—a multi-tasking Ada run-time based on the Ravenscar Ada profile
  • GMART Bare Target—an Ada bare target run-time, used with GMART
  • GCERT Bare Target—a C bare target run-time, used with the ANSI C library
  • ARINC-653—ARINC-653 compliant Part 1 APEX interface and Part 2 file system
  • PJFS-178—a file and directory management system and user interface supporting physical and virtual storage devices
  • IPFLITE/TFTP—UDP/IP network stack and socket library interface, including support for TFTP capabilities
  • Audit Logging—logging and retrieval of kernel and application triggered events during RTOS execution
  • Secure Hash Algorithm (SHA-1)—verifies integrity of ELF images at RTOS startup and during run-time
  • Abstract Machine Testing—verifies correct operation of hardware at RTOS startup and during run-time

Within the INTEGRITY-178 RTOS's partitioned environment, these other Green Hills products—tailored for applications that can use commercial off-the-shelf software without detailed and rigorous certification evidence (e.g., DO-178B Levels D/E)—are supported:

  • ARINC-615A Data Loader—ARINC-615A data loading support
  • POSIX—a POSIX run-time library subset
  • C/C++—a full C/C++ run-time library
  • Ada—a full Ada run-time library
  • File System—a FAT file system
  • Networking—GHNet-178 TCP/IP IPV4/IPV6 stack, advanced router stack, Net-SNMP stack, IPSec library, and other networking related capabilities

Operating system architecture

The INTEGRITY-178 RTOS guarantees that failures resulting from a defect in a program operating within one partition cannot disrupt the operation of programs assigned to other partitions.

Proven pedigree
The INTEGRITY-178 RTOS has earned its pedigree through a unique combination of powerful capabilities:

  • A single partitioning operating system that satisfies both DO-178B Level A safety assurance requirements and NSA High Robustness security functional and assurance requirements
  • Proven in real-world customer applications since 1997 with over 60 certification packages developed for more than 30 different microprocessors delivered to date
  • The first commercial partition-enforcing RTOS approved as complying with DO-178B Level A objectives (2002)
  • INTEGRITY-178B: The first RTOS to obtain SKPP/EAL 6+ certification (2008)
  • The first RTOS to be certified conformant to the Future Airborne Capabilities Environment (FACE™) Technical Standard, edition 2.1 (2018) and edition 3.0 (2019)
  • Highly scrutinized RTOS source code—perhaps the most scrutinized to date

Protection in time and space domains
INTEGRITY-178's unique approach to resource management provides guaranteed resource availability for multiple safety-critical and/or security-critical applications on a single processor operating at different safety assurance levels (A/B/C/D/E) and/or security levels.

Engineered from the ground up to provide security and determinism, the INTEGRITY-178 RTOS guarantees protection across both the time and space domains, including protecting the confidentiality and integrity of an application's data from unintended access by other applications.

Protection in the space domain

  • Guaranteed resource availability—a partition's memory is protected from access by any other partition
  • Memory protection—Utilizes underlying hardware MMU to enforce execute-read-write permissions
  • "Hard currency" OS—No shared resource pools, each partition is individually allocated resources for system calls
  • Statically verifiable MMU settings—No dynamic manipulation of MMU to support message passing
  • Statically verifiable system resource allocation—Project defined boot table controls ownership
  • Connections—Secure (non-bypassable) inter-partition communications

Protection in the time domain

  • Deterministic—a given state and input always produce the same state transition
  • Scheduler/timing analysis—No heuristics in scheduler
  • No priority inversion—No binary semaphores in kernel implementation; support for Highest Locker Semaphores, hence no unbounded blocking times
  • ARINC-653-1 partition scheduler—Optimized two-level scheduler with guaranteed execution time windows and execution overrun detection
  • Bounded computation time for all system calls—No dynamic memory allocation in kernel space
  • No hidden execution time/latency—message transfers are charged to the sending task's execution time, and interrupts are never disabled to update kernel structures
  • Software timers with access permissions
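The two-level, window-based scheduling and overrun detection listed above can be modelled in a few dozen lines. The following is an added illustrative example, not Green Hills source code or the INTEGRITY-178 API: the partition names, window lengths, task priorities and CPU demands are constructed for the demonstration. Level 1 selects the partition that owns the current window of the major frame; level 2 runs that partition's tasks by fixed priority inside the window. A partition whose tasks still have demand when its window ends is preempted and an overrun event is recorded; it never borrows ticks from a neighbouring window, and a partition with no demand leaves its window idle rather than handing the time to another partition.

```python
"""Constructed model of a two-level time-partition scheduler with window
overrun detection, in the style described for the INTEGRITY-178 ARINC-653
partition scheduler. Added example code, not Green Hills source or API;
all names, lengths and workloads below are invented for the demonstration."""
from dataclasses import dataclass


@dataclass
class Task:
    name: str
    priority: int   # higher number = higher priority within the partition
    demand: int     # CPU ticks the task wants during one major frame


@dataclass
class Partition:
    name: str
    tasks: list


@dataclass
class Window:
    partition: str
    length: int     # ticks guaranteed to this partition in the major frame


def run_major_frame(partitions, schedule):
    """Run one major frame tick by tick.

    Returns (trace, overruns): trace is a list of (tick, partition, task-or-"idle"),
    overruns is a list of (partition, tick_window_ended, unserved_ticks) for
    every partition that still had demand when its window closed.
    """
    parts = {p.name: p for p in partitions}
    remaining = {p.name: {t.name: t.demand for t in p.tasks} for p in partitions}
    trace, overruns = [], []
    now = 0
    for w in schedule:
        part = parts[w.partition]
        # level 2: fixed-priority order inside the partition, highest first
        ordered = sorted(part.tasks, key=lambda t: -t.priority)
        end = now + w.length
        while now < end:
            runnable = [t for t in ordered if remaining[part.name][t.name] > 0]
            if runnable:
                t = runnable[0]
                remaining[part.name][t.name] -= 1
                trace.append((now, part.name, t.name))
            else:
                # no work left: the window idles, it is never given away
                trace.append((now, part.name, "idle"))
            now += 1
        leftover = sum(remaining[part.name].values())
        if leftover:
            # window boundary reached with work outstanding: preempt and log
            overruns.append((part.name, now, leftover))
    return trace, overruns


# constructed sample system: the display partition asks for 6 ticks but is
# only granted 4 in its window, so it must be cut off and reported
PARTITIONS = [
    Partition("flight_ctrl", [Task("servo", 10, 3), Task("monitor", 5, 2)]),
    Partition("display", [Task("render", 7, 6)]),
]
SCHEDULE = [Window("flight_ctrl", 6), Window("display", 4), Window("flight_ctrl", 2)]


def demo():
    """Run the sample major frame; the result is identical on every run."""
    return run_major_frame(PARTITIONS, SCHEDULE)


if __name__ == "__main__":
    trace, overruns = demo()
    for entry in trace:
        print(entry)
    print("overruns:", overruns)
```

Running the sample shows `servo` taking ticks 0-2 and `monitor` ticks 3-4 of the first window, tick 5 idle, `render` receiving exactly its 4 granted ticks before being preempted with 2 ticks unserved, and the final `flight_ctrl` window idling because that partition has no work left. Running `demo()` twice yields byte-identical traces, which is the determinism property the list above claims.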

INTEGRITY-178 RTOS multicore support

Resolving the complexity of multicore systems
To satisfy increasing demands for computing throughput, processor designers are adding multiple cores within a single chip package. Operating system support for multicore is a necessity in order to incorporate these devices into new designs and system upgrades. Advanced, flexible operating system support for multicore is required to achieve the multicore system benefits of higher performance and reduced size, weight, and power (SWaP).

For developers of real-time embedded systems, the advent of multicore processors has resulted in several new design challenges:

  • How to select an architecture that permits effective use of multicore processors.
  • How to develop, integrate, or port previously independent applications running on single-core processors to a multicore operating environment that includes shared system resources.
  • How to mitigate multicore interference that results from contention for those shared resources.
  • Finding an architecture that supports different use scenarios for different sets of processor cores.
  • Finding an architecture that provides the flexibility, tradeoffs, and tools necessary for eventual system certification on a multicore processor.

Most software architectures, including the fundamental asymmetric multi-processing (AMP) and symmetric multi-processing (SMP) scheduling approaches, require developers to make tradeoffs when attempting to resolve these challenges. The INTEGRITY-178 RTOS uniquely provides a highly-flexible multicore solution that addresses them all.

A tuMP example showing two time-partition windows, each with different assignments of Affinity Groups (AG) to the available cores and containing unique AMP and SMP applications.

Time-variant Unified Multi-Processing (tuMP™)
Green Hills Software's resolution to the multicore design challenges is called Time-variant Unified Multi-Processing (tuMP, pronounced "2MP"), a multicore scheduling solution for the INTEGRITY-178 RTOS. The tuMP capabilities enable multiple independent safety and/or security-critical applications to execute on a multicore operating environment in a predictable, bounded, and application independent manner. The tuMP partition enforcing scheduling method results in a unified OS that provides practical time variant scheduling of both AMP and SMP applications simultaneously.

With tuMP, the system architect creates associations of cores and applications called Affinity Groups (AG) that correspond to some intended system function (or functions). Affinity Groups define how cores will be utilized by one or more applications, with the system architect defining how the Affinity Groups will be scheduled over time. Affinity Groups may be scheduled independent of other Affinity Groups, permitting time-lines that closely correspond to application requirements, yet also permitting new sets of Affinity Groups to be developed that can make use of any of the time windows where cores are not being utilized. Any new application (or extension of an existing application) can make use of the unallocated execution time across the entire multicore processor.

The biggest challenge for safety-critical applications on a multicore processor is multicore interference. On a multicore processor, safety-critical applications are time-partitioned on each core but can be running concurrently with applications on other cores. The problem is that each of the concurrent applications needs access to the processor's shared resources, such as memory controllers, DDR memory, I/O, shared cache, and the internal fabric that connects them. Contention for those shared resources can result in a delay that significantly impacts determinism and safety. Directly addressing such multicore interference, the Certification Authorities Software Team (CAST) has published guidance for multicore systems in a position paper called CAST-32A.

Because the interference is caused at the hardware level, the software closest to the hardware, namely the operating system, is in the best position to provide the means to mitigate it. INTEGRITY-178 tuMP addresses CAST-32A multicore interference with a Bandwidth Allocation and Monitoring (BAM) capability to observe interference channels and mitigate them. Based upon more than 50 staff-years of research and development into multicore interference analysis and mitigation strategies, BAM monitors and enforces the bandwidth allocated by the system architect to the chip-level interconnect for each of the cores. This level of multicore interference mitigation is required for an integrated modular avionics (IMA) system to achieve the IMA goal that each application be modifiable with little or no impact on other applications and the platform resources and modules.
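The two tuMP ideas above, Affinity Groups assigned to cores per time window and a per-core interconnect bandwidth budget that is monitored and enforced, are easiest to reason about as one configuration table. The following is an added illustrative model, not Green Hills' configuration format, the BAM implementation or any INTEGRITY-178 API: the window names, core count, interconnect capacity, bandwidth budgets and observed transaction counts are all invented. `validate_schedule` performs the static check a system architect would want before integration (no core owned by two Affinity Groups in the same window, no reference to a non-existent core, budgets that fit the interconnect) and reports the unassigned core-time that a new Affinity Group could later take. `monitor_bandwidth` models the run-time side: given a per-window transaction count per core, as a hardware counter might report it, it flags every core that exceeded its budget and records the assumed enforcement action of stalling that core for the rest of the window, which bounds the interference it can inflict on the others.

```python
"""Constructed model of a tuMP-style schedule: time windows map cores to
Affinity Groups, and each core carries an interconnect bandwidth budget per
window that a BAM-style monitor checks against observed traffic. Added
example code, not Green Hills' configuration format or API; every name,
budget and counter value here is invented for the demonstration."""

CORES = 4
INTERCONNECT_CAPACITY = 1000   # assumed transactions per window the fabric sustains

# Each window: name, length in ticks, {affinity_group: {core: bandwidth_budget}}
WINDOWS = [
    {"name": "W1", "length": 10,
     "groups": {"FC_amp": {0: 300},             # single-core AMP application
                "NAV_smp": {1: 250, 2: 250}}},   # two-core SMP application
    {"name": "W2", "length": 10,
     "groups": {"DISP_smp": {0: 200, 1: 200, 2: 200, 3: 200}}},
]


def validate_schedule(windows, cores=CORES, capacity=INTERCONNECT_CAPACITY):
    """Static check of the architect's table.

    Returns (problems, free): problems is a list of human-readable conflicts,
    free maps window name -> cores left unassigned in that window, i.e. the
    core-time a new Affinity Group could be given without touching others.
    """
    problems, free = [], {}
    for w in windows:
        owner, total_bw = {}, 0
        for ag, alloc in w["groups"].items():
            for core, bw in alloc.items():
                if not 0 <= core < cores:
                    problems.append(f"{w['name']}: {ag} references core {core} "
                                    f"(only {cores} cores)")
                    continue
                if core in owner:
                    problems.append(f"{w['name']}: core {core} assigned to both "
                                    f"{owner[core]} and {ag}")
                owner[core] = ag
                total_bw += bw
        if total_bw > capacity:
            problems.append(f"{w['name']}: bandwidth budgets sum to {total_bw} "
                            f"> capacity {capacity}")
        free[w["name"]] = [c for c in range(cores) if c not in owner]
    return problems, free


def monitor_bandwidth(windows, observed):
    """Run-time check in the BAM style.

    observed[window_name][core] is the transaction count reported for that core
    during the window (constructed here; a real system would read a hardware
    counter). Every core over budget yields an event whose modelled action is
    to stall the core for the remainder of the window.
    """
    events = []
    for w in windows:
        counts = observed.get(w["name"], {})
        for ag, alloc in w["groups"].items():
            for core, budget in alloc.items():
                used = counts.get(core, 0)
                if used > budget:
                    events.append({"window": w["name"], "ag": ag, "core": core,
                                   "budget": budget, "used": used,
                                   "action": "stall until window end"})
    return events


# constructed counter readings: core 1 of NAV_smp overshoots its W1 budget
OBSERVED = {
    "W1": {0: 120, 1: 260, 2: 90},
    "W2": {0: 50, 1: 50, 2: 50, 3: 50},
}

# constructed faulty table: core 0 double-booked and budgets exceed the fabric
BAD_WINDOWS = [
    {"name": "W3", "length": 10,
     "groups": {"FC_amp": {0: 600}, "DISP_smp": {0: 500}}},
]


def demo():
    """Validate the good and bad tables and monitor the good one."""
    good_problems, free = validate_schedule(WINDOWS)
    bad_problems, _ = validate_schedule(BAD_WINDOWS)
    events = monitor_bandwidth(WINDOWS, OBSERVED)
    return good_problems, free, bad_problems, events


if __name__ == "__main__":
    for item in demo():
        print(item)
```

On the sample table the validator reports no problems and shows core 3 unused in `W1`, which is exactly the kind of slot the text says a new or extended application can take without re-planning the others; the faulty `W3` table produces two findings, the double-booked core and the over-committed fabric. The monitor flags only core 1 in `W1`, where the constructed counter (260) exceeds the 250 budget.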

Safety and security certification data

DO-178C/ED-12C Level A certification data

Software life-cycle data managed as part of an INTEGRITY-178 DO-178B Level A certification effort includes:

  • Customer-specific Plan for Software Aspects of Certification (PSAC)
  • Software Plans (Development, Verification, CM, SQA)
  • Software Standards (Requirements, Design, Code)
  • Software Requirements Documents
  • Software Design Documents
  • Source Code
  • Executable Object Code
  • Traceability Matrices
  • Software Verification Test Cases and Procedures
  • Software Verification Results
  • Partition integrity, timing, memory, and stack analysis
  • Problem Reports
  • Software Configuration Management Records
  • Software Quality Assurance Records
  • Tool Accomplishment Summary
  • Customer-specific Software Life Cycle Environment Configuration Index
  • Customer-specific Software Configuration Index
  • Customer-specific Software Accomplishment Summary (SAS)
  • Integration guidance documentation

Green Hills Software's in-house safety and security experts develop, verify, support, and maintain the DO-178C/ED-12C Level A compliant software processes and life cycle data for all INTEGRITY-178 products. Through this dedicated team of experts, Green Hills Software supports customers throughout their safety critical certification efforts and delivers the required compliance substantiation data.

This certification package includes Green Hills Software services for all the DO-178C/ED-12C Level A compliance activities associated with verifying the INTEGRITY-178 operating system on the processor architecture specified by a customer's requirements. All audits, reviews, analyses, and testing of the INTEGRITY-178 operating system are performed by Green Hills Software using the customer's target processor system.

SKPP related data

In addition to safety-related life-cycle data, the following SKPP related life-cycle data are generated as part of the initial certification and/or a customer-specific security effort:

  • Security-specific Software Development Plan
  • Development Security Plan
  • Security-specific Configuration Control Procedures
  • Assurance Maintenance Plan
  • Assurance Maintenance Requirements
  • Installation, Generation, & Startup Guidance
  • User and Administrator Guidance Document
  • Security Target and Security Policy
  • Formal model and proof
  • Covert Channel Analysis
  • Architecture Design Document
  • Target Platform-specific Definition Document
  • Target Platform-specific Vulnerability Analysis
  • Customer-specific Security Impact Analysis
  • Security-specific reviews

Green Hills also develops and maintains SKPP-compliant processes and life-cycle data for INTEGRITY-178 security customers. By also completing all of the safety-related processes and generating the corresponding safety life-cycle data, all security certifications support both safety (DO-178C/ED-12C Level A) and security (SKPP) usage in a single product. Green Hills uses secure delivery procedures to deliver the substantiation evidence to security customers and provides the means for secure delivery authentication.