Safety-Critical

The INTEGRITY-178 RTOS guarantees that failures resulting from a defect in a program operating within one partition cannot disrupt the operation of programs assigned to other partitions.

The INTEGRITY-178 tuMP RTOS is engineered for the strict determinism required in safety-critical airborne systems to meet the requirements of RTCA DO-178B/C and EUROCAE ED-12B/C. INTEGRITY-178 was the first commercial RTOS approved as complying with DO-178B Level A objectives (2002). INTEGRITY-178 and the multicore INTEGRITY-178 tuMP are field-proven, with over 80 DO-178B/C Level A/EAL 6+ unique customer certification packages delivered across more than 30 different microprocessors.

Based on a modern separation microkernel design, INTEGRITY-178 tuMP provides complete application partitioning in space, time, and resources. That partitioning supports multiple applications at different safety and/or security levels running on the same processor, either on the same core or different cores. It also supports resource allocation, fault detection, and fault isolation to prevent unintended interactions between independent applications.

Robust Partitioning

Robust partitioning is a capability that enables verification of a safety-critical application independently from other applications as well as independent measurement of worst-case execution time (WCET). Robust partitioning thereby reduces the time and cost of adding new or modified applications into existing systems. Through robust partitioning in time, space, and resources, INTEGRITY-178 tuMP minimizes regression testing for the unchanged applications. This reduced effort translates into considerable cost savings and faster time-to-market. For systems without robust partitioning, both regression testing and analysis must be performed to assess the impact of the new or modified applications on the continued correct operation and margins of the unchanged applications.

Robust partitioning on a multicore processor is much more complex than on a single-core processor. In addition to time and space partitioning for each core, partitioning must account for contention when different processor cores access shared resources simultaneously. The CAST-32A position paper on multicore processors specifies a number of requirements for robust partitioning:

  • Software partitions cannot contaminate the storage areas for the code, I/O, or data of other partitions
  • Software partitions cannot consume more than their allocations of shared resources
  • Failures of hardware unique to a software partition cannot cause adverse effects on other software partitions
  • No software partition consumes more than its allocation of execution time on the core(s) on which it executes, irrespective of whether partitions are executing on none of the other active cores or on all of the other active cores

The execution time delays caused by shared resource contention can have a severe impact on WCET, up to 8-12 times longer in some cases. That multicore interference must be mitigated to meet robust partitioning requirements. INTEGRITY-178 tuMP provides a general multicore interference solution in the form of a bandwidth allocation and monitoring (BAM) solution. BAM allows a software architect to allocate bandwidth to shared resources on a per-core basis and enforce those limits to minimize WCET according to the design assurance level (DAL) requirements for the applications running on each core.
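The interference-and-budget mechanism described above can be made concrete with a small discrete-cycle model. The following Python is an added illustration written for this page; it is not Green Hills code and does not model INTEGRITY-178 tuMP's actual BAM implementation. It assumes one shared resource (think of a memory controller) that completes one request per cycle in FIFO order, three constructed "hog" cores that try to issue a request every cycle, and one constructed critical core that issues a request every 4 cycles. With no budgets, the critical core's latency grows without bound as the hogs flood the queue; with a per-core budget of one request per 4-cycle monitoring window, the queue drains every window and the critical core's worst-case latency is capped at the sum of all cores' budgets. The latency figures are properties of this toy model, not measurements of any real processor.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Core:
    name: str
    period: Optional[int]   # issue one request every `period` cycles; None = a request every cycle
    budget: Optional[int]   # BAM budget: max requests per monitoring window; None = not metered


def simulate_shared_resource(cores: List[Core], window: int, horizon: int) -> Dict[str, List[int]]:
    """Toy model of one shared resource that completes one request per cycle, FIFO.

    Returns, per core, the latency in cycles (issue to completion, inclusive) of every
    request that was served within `horizon` cycles.
    """
    queue = deque()                      # pending requests as (core name, issue cycle)
    served = {c.name: [] for c in cores}
    used = {c.name: 0 for c in cores}    # requests issued in the current window
    for cyc in range(horizon):
        if cyc % window == 0:
            used = {c.name: 0 for c in cores}    # new monitoring window: budgets replenish
        for c in cores:                          # arbitration order = list order
            if c.period is not None and cyc % c.period != 0:
                continue                         # nothing to issue this cycle
            if c.budget is not None and used[c.name] >= c.budget:
                continue                         # BAM: budget spent, core stalls until next window
            used[c.name] += 1
            queue.append((c.name, cyc))
        if queue:
            name, issued = queue.popleft()
            served[name].append(cyc - issued + 1)
    return served


def worst_case_latency(cores: List[Core], window: int, horizon: int, name: str = "crit") -> int:
    """Observed worst-case latency (the WCET contribution of this resource) for one core."""
    return max(simulate_shared_resource(cores, window, horizon)[name])


def build_cores(bam_budget: Optional[int]) -> List[Core]:
    # Constructed 4-core set: three cores hammer the resource, one critical core issues a
    # request every 4 cycles. The critical core is listed last so it arbitrates worst.
    hogs = [Core(f"hog{i}", period=None, budget=bam_budget) for i in range(3)]
    return hogs + [Core("crit", period=4, budget=bam_budget)]


if __name__ == "__main__":
    for label, budget in (("no BAM", None), ("BAM, 1 request per core per window", 1)):
        lat = simulate_shared_resource(build_cores(budget), window=4, horizon=40)
        print(f"{label}: critical-core latencies {lat['crit']}, worst case {max(lat['crit'])}")
```

The design point the model makes visible is the one the text relies on: once the budgets of all cores that share the resource sum to no more than the resource can serve in a window, no backlog carries over between windows, so each core's worst-case wait is a static function of the budget table rather than of what the other cores happen to be running. That is what lets a per-core WCET be measured and trusted independently of the software on the neighbouring cores.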

Protection in the space domain

  • Guaranteed resource availability—Processor cores and memory are statically allocated to each partition
  • Memory protection—Hardware MMU enforces memory access and execute-read-write permissions
  • "Hard currency" OS—No shared resource pools, and each partition is individually allocated resources for system calls
  • Statically verifiable MMU settings—No dynamic manipulation of MMU to support message passing
  • Statically verifiable system resource allocation—Project-defined boot table controls ownership
  • Connections—Inter-partition communications are statically allocated and non-bypassable

Protection in the time domain

  • Deterministic behavior—A given state and input always result in the same state transition
  • Predictable scheduler and timing analysis—No heuristics in scheduler
  • Priority inversion protection—No binary semaphores in kernel implementation; support for Highest Locker Semaphores, hence no unbounded blocking times
  • ARINC 653 part 1 partition scheduler—Guaranteed execution time windows and guaranteed assignment of cores to concurrently run tasks
  • Bounded computation time for all system calls—No dynamic memory allocation in kernel space
  • No hidden execution time or latency—Message transfers use task's execution time, and interrupts are never disabled to update kernel structures
  • Event timer protection—Software timers controlled by kernel with access permissions
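The priority inversion bullet above is worth seeing in motion, because the failure it prevents is subtle: a high-priority task waits not on the lock holder but on an unrelated medium-priority task that preempted the holder. The Python below is an added illustration written for this page; it is not INTEGRITY-178 code and the scheduler is a deliberately minimal tick-driven model. It assumes three constructed tasks: L (lowest priority) takes resource R, H (highest) later needs R, and M (medium, never touches R) is released while L is inside its critical section. With a plain semaphore, M runs ahead of L and H's blocking time grows with however long M runs; with a Highest Locker semaphore, L is raised to R's ceiling priority the moment it takes R, so M cannot preempt it and H's blocking is bounded by the length of L's critical section.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Step kinds: ("run", ticks) consumes CPU time; ("lock", res) / ("unlock", res) take no time.
Step = Tuple[str, object]


@dataclass
class Task:
    name: str
    prio: int                 # base priority; larger number = more important
    release: int              # tick at which the task becomes runnable
    steps: List[Step]
    pc: int = 0               # index of the current step
    left: int = 0             # ticks left in the current "run" step
    done_at: Optional[int] = None
    active_prio: int = field(init=False)

    def __post_init__(self):
        self.active_prio = self.prio


def simulate(tasks: List[Task], highest_locker: bool, horizon: int = 64) -> List[str]:
    """Tick-driven, fixed-priority, preemptive scheduler with one mutex per resource.

    With highest_locker=True a task that takes a resource immediately runs at that
    resource's ceiling (highest base priority of any task using it), so no task of
    lower or equal priority can preempt it inside the critical section.
    """
    ceiling = {}
    for tk in tasks:
        for kind, arg in tk.steps:
            if kind == "lock":
                ceiling[arg] = max(ceiling.get(arg, 0), tk.prio)
    holder = {}            # resource -> task holding it (or None)
    timeline = []          # name of the task that ran in each tick
    current = None         # task that ran last tick; keeps the CPU on a priority tie
    for t in range(horizon):
        if all(tk.done_at is not None for tk in tasks):
            break
        while True:
            ready = [tk for tk in tasks
                     if tk.release <= t and tk.done_at is None
                     and not (tk.steps[tk.pc][0] == "lock"
                              and holder.get(tk.steps[tk.pc][1]) not in (None, tk))]
            if not ready:
                timeline.append("idle")
                current = None
                break
            tk = max(ready, key=lambda x: (x.active_prio, x is current, -x.release))
            kind, arg = tk.steps[tk.pc]
            if kind == "lock":
                holder[arg] = tk
                if highest_locker:
                    tk.active_prio = max(tk.active_prio, ceiling[arg])
                tk.pc += 1
            elif kind == "unlock":
                holder[arg] = None
                tk.active_prio = tk.prio       # back to base priority on release
                tk.pc += 1
            else:                              # "run": consume one tick of CPU
                if tk.left == 0:
                    tk.left = arg
                tk.left -= 1
                timeline.append(tk.name)
                current = tk
                if tk.left == 0:
                    tk.pc += 1
                break
            if tk.pc == len(tk.steps):         # finished on a zero-time step
                tk.done_at = t
        for tk in tasks:                       # finished on a run step this tick
            if tk.done_at is None and tk.pc == len(tk.steps):
                tk.done_at = t + 1
    return timeline


def scenario(highest_locker: bool) -> dict:
    """Constructed task set: L holds R when H needs it; M arrives mid critical section."""
    low = Task("L", prio=1, release=0,
               steps=[("run", 1), ("lock", "R"), ("run", 3), ("unlock", "R"), ("run", 1)])
    high = Task("H", prio=3, release=2,
                steps=[("run", 1), ("lock", "R"), ("run", 1), ("unlock", "R"), ("run", 1)])
    mid = Task("M", prio=2, release=3, steps=[("run", 4)])
    tasks = [low, high, mid]
    timeline = simulate(tasks, highest_locker)
    base = {tk.name: tk.prio for tk in tasks}
    # Ticks in which H was pending but a task of lower base priority held the CPU.
    blocked = sum(1 for t in range(high.release, high.done_at)
                  if timeline[t] != "idle" and base[timeline[t]] < high.prio)
    return {"timeline": timeline,
            "H_response": high.done_at - high.release,
            "H_blocked": blocked}


if __name__ == "__main__":
    for label, hl in (("plain semaphore", False), ("highest locker", True)):
        r = scenario(hl)
        print(f"{label}: {' '.join(r['timeline'])}  H response={r['H_response']} blocked={r['H_blocked']}")
```

In the plain run H's blocking includes all four ticks of M, a task that never touches R, so lengthening M lengthens H's response without limit. In the Highest Locker run H waits only for the remainder of L's critical section, which is a quantity the timing analysis can read straight from the code, which is the bounded blocking the bullet above refers to.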

Safety Certification Data

Green Hills Software’s in-house safety and security experts develop, verify, support, and maintain the DO-178B/C Level A compliant software processes and life cycle data for all INTEGRITY-178 products. Through this dedicated team of experts, Green Hills Software supports customers throughout their safety-critical certification efforts and delivers the required compliance substantiation data. Software life-cycle data managed as part of an INTEGRITY-178 tuMP DO-178B/C Level A certification effort includes:

  • Customer-specific Plan for Software Aspects of Certification (PSAC)
  • Software Plans (Development, Verification, CM, SQA)
  • Software Standards (Requirements, Design, Code)
  • Software Requirements Documents
  • Software Design Documents
  • Source Code
  • Executable Object Code
  • Traceability Matrices
  • Software Verification Test Cases and Procedures
  • Software Verification Results
  • Partition integrity, timing, memory, and stack analysis
  • Problem Reports
  • Software Configuration Management Records
  • Software Quality Assurance Records
  • Tool Accomplishment Summary
  • Customer-specific Software Life Cycle Environment Configuration Index
  • Customer-specific Software Configuration Index
  • Customer-specific Software Accomplishment Summary (SAS)
  • Integration guidance documentation

The above certification package includes Green Hills Software services for all the DO-178B/C Level A compliance activities associated with verifying the INTEGRITY-178 tuMP operating system on the processor architecture specified by a customer’s requirements. All audits, reviews, analysis, and testing of the INTEGRITY-178 tuMP operating system are performed in-house by Green Hills Software using the customer’s target processor system.