Demonstrating a DAL A Application Running Across Multiple Processor Cores
Green Hills Software has announced that it is demonstrating its bound multi-processing (BMP) and symmetric multi-processing (SMP) capabilities of the INTEGRITY-178 Time-Variant Unified Multi-Processing (tuMP) RTOS for DAL A, B, and C applications at the FACE & SOSA technical interchange meeting and exposition (Booth #47) in Dayton, Ohio.
INTEGRITY-178 tuMP is the only operating system conformant to the FACE Technical Standard edition 3.0 with the capability to execute a DO-178C Level A, B, or C application across multiple processor cores as defined in ARINC 653 Part 1, Supplement 4, Section 2; ‘Multiple ARINC 653 processes within a partition scheduled to execute concurrently on different processor cores’ (i.e. BMP). INTEGRITY-178 tuMP is also the only RTOS that meets the optional SMP requirement defined in ARINC 653, Part 2, Supplement 3.
Hypervisor offerings claiming support for their unbounded SMP execution environments are commonplace for non-safety critical applications. Although claims of a safety-critical SMP execution environment and ARINC 653 Part 1, Supplement 4 compliance for multicore are often confusing and misleading.
Thus system integrators must confront the RTOS or hypervisor supplier directly and ask if their solution supports the execution of a multi-threaded Level A, B or C application on two or more cores, which is a fundamental multicore requirement of Part 1, Supplement 4 as well as the recently released Supplement 5.
The obvious question to ask is, does the supplier include a real-time DAL A compliant kernel that is capable of scheduling threads of execution across multiple cores, one that hopefully is also compliant with ARINC 653, Part 1, Supplement 4 or 5. The lack of functional BMP multicore support from other RTOS and hypervisor suppliers could be due to a lack of design support or simply a lack of understanding of the ARINC 653 standard.
For example one of the hypervisor suppliers claiming support for Supplement 4 has stated the following: ‘ARINC 653P1-4 does not include the ability to run an instance of a partition across multiple cores (known as a multicore partition), but states that this capability may be added in a future update of the standard’.
The capability to execute multiple threads of an application across multiple processor cores is critical to achieving optimal performance and flexibility when using multicore processors. Although such solutions are readily available for non-safety-critical operating systems such as Linux, or even Linux in a hypervisor’s virtual machine environment, it is much more challenging for safety-critical applications.
As a true Integrated Modular Avionics (IMA) multicore operating system with a proven nine-year service history, the INTEGRITY-178 tuMP RTOS was designed from the beginning as a multicore solution for safety and security-critical applications, and it has the capability to run multi-threaded applications at all design assurance levels up to and including Level A.
A second challenge of using multicore processors for safety-critical applications is the inherent contention from multiple cores trying to access a given shared resource, such as memory or I/O. Certification authorities have emphasized their concerns about such interference by including objectives for interference identification, mitigation, and verification in the CAST-32A position paper.
Whereas most RTOS and hypervisor offerings leave multicore interference mitigations as an exercise for the system integrator, INTEGRITY-178 tuMP includes a fully capable multicore scheduler, and a bandwidth allocation and management capability, called BAM, to control and monitor shared processor resource access.
The supported bandwidth management technique emulates a high-rate hardware-based approach to ensure continuous allocation enforcement. These capabilities greatly lower integration and certification risk, while also enabling the integrator to manage significant software retest costs that would occur when a software application changes or is added.
An architecture based on multicore processors can only be considered an IMA system if the integrator or sustainment operation can easily mitigate and control multicore interference as new software functionality is added to the system or existing applications are updated, which is the basic premise behind IMA.
INTEGRITY-178 tuMP is the only commercial multicore operating system capable of hosting Multi-Level Security (MLS) applications within its secure MILS partitions, without restricting the MLS application (such as a high assurance guard or downgrader) to a bare-metal execution environment. INTEGRITY-178 tuMP is also the only commercial multicore operating system able to guarantee and enforce a Cross Domain Solution’s (CDS) information flows.
INTEGRITY-178 tuMP MLS and CDS capabilities are backed by a comprehensive and massive set of security assurance evidence that is aligned with the NSA High-Robustness and the Common Criteria’s EAL 6+ assurance requirements. When an RTOS supplier claims that their solution can meet MLS or CDS assurance requirements, such claims should be thoroughly scrutinized by conducting a deep-dive audit into their functional security capabilities and corresponding software assurance evidence.
After all, while it is easy to claim a high level of security, unproven claims will not prevent rogue applications or malicious actors from compromising the system.