The Real-time and Embedded Systems Forum met from Wednesday October 24^th through to Thursday October 25^th co-located with The Open Group quarterly conference at the Grand Hotel Krasnapolsky in Amsterdam. The forum was divided into two sessions, the general open plenary session concentrated on safe software and safety critical systems, and the forum working group meetings. Both of the sessions in Amsterdam were open sessions.

The Wednesday session consisted of five briefings. Sessions included the Forum status update and overview , followed by four sessions related to Safety Critical software and systems, looking at the needs for standardization in this area and several practical experiences of implementing safe systems.

The working group meetings for the forum on the Thursday included a workshop on Safety Critical systems in the morning where a work plan has now been put together for 2002, and meetings of the Security working group and the group looking at Hard Requirements for Real-time Java®.

The Real-time Forum Working Groups are making good progress.  The Hard Real-time Java requirements Group continues with the emphasis on FAA certification requirements (DO-178B).  The Security for Real-time and Embedded Systems Group carried out a final review of RFI for Security for RT & ES.  The Safety Critical Group prepared an outline of their approach and identified the relevant domains. 

Looking forward to the 2002 roadmap, the planned deliverables for 2002 include test suites for POSIX 1003.13b Profiles 51 and 53, a certification program for POSIX Real-time profiles, a specification for Security for Real-time and Embedded Systems with reference implementations, white papers concerned with security and safety critical systems, and a new test and certification program in the area of Security for Real-Time and Embedded Systems.

The future meeting schedule for the forum is as follows:

• January 23-24 Anaheim, Los Angeles, Forum Meeting
• Week commencing April 8, Brussels, Belgium, Forum Meeting

1. Andrew Josey, The Open Group - introduction
   Session notes , [slides]
2. Dave Emery, MITRE, and forum co-chair - Safety Critical Software
   Session notes , [slides]
3. Chris Clark, LynuxWorks - Using LynxOS in Safety Criticial Applications
   Session notes , [slides
4. Vance Hilderman, Enea TekSci - Certifying an RTOS to DO178B: Tips and Tricks
   Session notes , [slides]
5. Peter Amey, Praxis Critical Systems - The Cost-Effectiveness of Precision
   Session notes , [slides]

Welcome and Introduction

Andrew Josey, Forum Director and Director of Certification, The Open Group

Andrew welcomed everyone and explained that Martin Timmerman, the keynote speaker had been taken ill and was not able to attend at short notice. Due to this he gave an expanded talk on the current status of the Forum and plans for 2002.

Andrew explained that he has recently moved to a new role within The Open Group as Director of Certification, this meant he would be concentrating primarily on the certification aspects of the forum and transitioning the forum directorship. He then went through the agenda:

• Overview of the forum
• Report
• 2002 Plans
• Other Items

He moved onto the vision of the forum drawn from the 2002 forum plan -- that ultimately the forum is intended to grow the marketplace for everybody. The goals of the forum are:

• To be the single place for information exchange
• To act as an independent broker
• To develop a series of white papers
• To identify priorities for standardization
• To develop test and certification programs to cause growth of the marketplace

Industry sectors in the scope of the forum include Industrial controls, Aerospace, Telecommunications, Defense, Medical/scientific, and Automotive control.

Presently there are 17 members of the forum, most of those being US based. There is a need to get more European participation. He ran through the opportunity of the forum before presenting the forum's scope that also included safety critical. He stressed that collaboration was the key and then gave a list of liaisons

Before reporting on the Austin, TX meeting last July Andrew introduced the forum co-chairs, Dave Emery, MITRE and Lt. Col. Glen Logan. Joe Bergmann reported on the work done by the Security Working group saying that it goes beyond the RT group. He then listed the working group champions, viz.:

• Sam Bowser, Security
• Robert Allen/Glen Logan, Hard RT requirements for JAVA
• Andrew Josey/Joe Gwinn, RT profiles
• Glen Logan, Testing and Certification
• Dave Emery, Safety Critical

A small discussion on security validation ensued at this point. He then showed a work plan submitted by Dave Emery for Safety Critical when Dave Emery gave a 30 sec. summary on it. He presented a slide on how the forum usually operates explaining that at this meeting all the sessions were to be open because of the travel restrictions of most member companies in the current business climate.

He then presented the roadmap looking forward to where the forum was going showing some deliverables for 2001/2002 such as:

• Test suites for RT POSIX
• Certification program for POSIX profiles
• White papers
  • POSIX conformance
  • Security for RTES
• Security profile for RTES
• Additional test and certification program

The next meeting is to be in Anaheim, near Los Angeles in January 2002. He then mentioned in closing the following:

• Beta testing for Profile 52, which commences November 5. This includes a new modified version of the TET framework for embedded systems. Those who wish to participate should contact Andrew Josey.
• Hard RT Java requirements. There is a further session tomorrow
• RT requirements for devices in the pervasive computing environment
• Requirements for additional POSIX 1003.13 profiles. The POSIX realtime working group will be meeting co-located at the next Forum and will be working on the revision to the profiles.

Safety-Critical Software

Dave Emery, Principal Engineer, The MITRE Corporation

It is always good start with some definitions so what is Safety-Critical software?

• Software that contributes to the function of a system where a failure of the system can cause a risk to human life
• Software developed under the provisions of a systems safety program, such as
  • DO-178B (avionics)
  • FDA 247 (medical devices)
  • ANS 7.4.3.2 (nuclear power plants)
  • Mil-Std 882d (weapon systems)

These are not necessarily a complete list. We are talking about system failures, not software failures

Characteristics of a safety program

• • The System has hazards (e.g. "airplane engines stop in mid-flight")
  • Hazards have consequences ("airplane proceeds to fall like a rock, killing all aboard")
• Most safety standards identify severity levels of hazards
  • Hazards require mitigations ("prevent engines from stopping")
• Mitigation strategy based on severity level of the hazard
  • System is certified that hazards have been mitigated

There are multi levels of hazards so the mitigation strategy should be based on the hazard and its severity. If something is not likely to cause loss of life then the requirement is much less stringent. Software can perform correctly but the system fails and vice versa

DO-178B is an example

• 5 Levels of Failure Condition
  • Ranging from A - Catastrophic, to E - No Effect
• 5 Levels of software effects
  • Ranging from 1 - causes Level A failure, to 5 - No Effect on operational capability or pilot workload

You cannot talk about safe software only safe systems. In most safety systems there is a human in the loop and this is usually a good thing. More requirements are being put on computers to do things that humans used to do; this means that safety-critical becomes more and more important.

DO - 178b defines more about processes rather than specific behavior

• Software Planning
• Software Development
  • Requirements, Design, Coding, Integration
• Software Verification
• Software Configuration Management
• Software Quality Assurance
• Certification Considerations

Software verification gets the most attention because 80% - 90% of the money can go into it. Verification is the real key because that is where the money is.

Software verification

• "Detect and Report errors introduced during the development process".
  • "System requirements properly allocated to software requirements"
  • "High-level requirements decomposed into lower level requirements [including derived requirements]"
  • "Requirements developed into source code"
  • "Executable object code implements requirements"
  • "Means used to satisfy these objectives are technically correct and complete for the software level"
• Software Testing
  • "Software satisfies requirements"
  • "Errors leading to unacceptable [hazards] have been removed"

DO-178B section 6

You want to show that all the requirements that are allocated to software are mapped to points in source code. Also you should not have source code that is not being mapped to. You need to show that every instruction produced the right answer.

Traditional development will involve the following points:

• Performed by prime and subs according to rigorous, predefined process and procedures
  • All code developed from scratch
  • Processes pre-defined to facilitate safety verification approach
• Reuse limited to code developed by the team under the same/similar procedures
• Higher levels of software more restrictive

• E.g. no allocated storage allowed at level 1

The higher up you go in certification the more restrictive software becomes. Much of the higher level goes towards preventing errors at lower levels - thus no storage allocation is allowed at higher levels.

Certification is an iterative process and goes through these steps:

• Inspection on the full set of processes
• Developer proposes a "means of compliance"
• Certifier approves "means"
• Developer provides evidence of conformance to "approved means"
• Certifier reviews evidence

First you have to show that you did what you said you would do and then you must show that the results were what were expected.

There are two key cost drivers for safety critical software:

• Cost to develop
  • Rigor in design process, traceability
  • Impact of restrictions on language features
• Cost to verify/certify
  • Testing, other verification measures
  • Certification documentation

Impact of COTS

• Common avionics developer term for COTS: SOAP (Software of unknown pedigree)
• "Pedigree" includes development process, test process, verification process, CM process
  • Bottom line to prime contractor is ability to certify the system (as part of delivery)

Because of cost there is a lot of interest in commercial software but it is not known as COTS rather SOAP.

The question is therefore how to achieve cost savings via reuse of COTS, without compromising safety?

If these 2 are met then there is a case to use COTS.

If you remember nothing else remember the following:

• Safety is a property of Systems, not Software
  • Software can perform correctly and system is unsafe
  • Software can perform incorrectly and system is safe

What can COTS developers do?

• Design/develop applications that meet development process requirements
  • Test applications that meet test process requirements
• Provide documentation and other assistance to verification process

This is a big question to get to a common set of documents acceptable to many vendors.

If we can get it to this stage then it becomes "Open" and this means safety.

• "Open" means that a piece of software is potentially suitable for use in a variety of safety-critical systems
  • In particular, across system safety standards
• "Open" also means that a piece of software can potentially be replaced by a functionally equivalent piece of software
• Finally, "Open" means that appropriate access is provided to software and documentation

The technical man can say that he knows what he is going to get whilst the businessman knows what the costs are.

This is therefore a potential Open Group Agenda:

• A common model of development practices
  • e.g. what is required at each level of DO-178B, FDA 247, etc
  • No consensus within the system safety standards community to date…
• Common model of artifacts for verification
  • e.g. Documentation, test reporting, source code access
• Common model of COTS vendor support for certification activities

Advantages (+) and disadvantages (-) are:

• +Costs of development & certification spread across all users of COTS products
• +Increased competition, larger market

• Number of software-intensive safety-critical systems growing substantially...
• Applicability of safety techniques to other 'mission-critical' aspects of systems
• -Increased risks for primes due to less control over COTS vendors
• -Less understanding of behavior of software in a specific system

The challenge is does The Open Group want to be involved in this way? We have to be able to justify it with ROI. It is a significant project. We can make a difference if use of COTS can reduce development costs, and reduce test and development times over doing it yourself.

Using LynxOS in Safety-Critical Applications

Chris Clark, LynuxWorks

This session was from LynuxWorks, an OS vendor, giving their experiences of working with a customer building a safety critical application. The agenda for the session was as follows:

• LynxOS overview
• An example, real
• Software Certification Support Program

He explained that the company had been around for over a decade focusing on two early events in the early 90s; Selected by IBM/NASA for Space Station

and HP licenses LynxOS as HP/RT for PA-RISC.

He went on to describe LynxOS highlighting the following points:

• POSIX and MMU protection, a foundation for building high availability and safety critical applications
• Fast performance with full determinism
• Modular OS services
• Reliability, availability and serviceability foundation
• Mission critical applications
• "5-Nines"
• DO178B certifiable - LynuxWorks commitment for Level A

• Tested and certified by LynuxWorks' ISO9001 process

He started on an application example of a navigation system employed in the A340 Airbus. It incorporates FANS (Future Air Navigation System). He stressed the capacity problem in being able to fly aircraft closer together as well as navigate new routes. One of the objects of FANS is to enable an aircraft to change route without compromising the safety inherent in the original flight plan.

He showed a slide where the aircraft becomes a node in a communications network involving satellite plotting. The Aerospatiale ATSU (Air Traffic Services Unit); integrates all services dedicated to data communication between the aircraft and the air traffic centers, all the needed resources to implement the future ATN Network, as well as the present ACARS functions (Aircraft Communication Addressing and Reporting System).

He went on to discuss EADS Airbus requirements which included:

• Source and Binary compatibility of application between development host CPU and target hardware
• Temporal & Spatial partitioning of system resources
• Compatibility with UNIX, POSIX.1, 1b, 1c
• Support of x86 and PowerPC architecture
• Small kernel footprint (Flash EPROM)
• Bounded interrupt handling & task response time
• Performance Measurements:
• Boot time < 200 ms
• System behavior under load

He described the LynxOS reliable process model allowing a spatial representation of the tasks running on the system and then showed a graph representing the deterministic behavior of the kernel. Here he stated the importance of what really distinguishes RTOSs is what happens to them under load.

Then he moved on to describe LynxOS's kernel architecture with sample sizes of the separate modules.

Dave Emery asked what the mapping was in the slide to the POSIX functionalities. Chris said it was not exact. Dave stated that one needed to be able to configure LynxOS to the POSIX functionality. Dave said that it was possible to end up with the whole thing. A discussion ensued about the need of threads vis-à-vis memory detection.

Chris then outlined the project process that included the following:

• Port of LynxOS to Aerospatiale hardware (Intel 486 based)
• Driver development for specific avionic interfaces
• Kernel extensions for scheduling & system call filter
• Kernel instrumentation to measure test coverage (100% required for critical functions)

• Development of new tests to obtain required coverage

• Audit of Lynx Engineering, QA & Technical Support processes

• DO178B Certification complete system DONE

Dave asked whether the highest level of criticality went up to level A? Chris said only to level C.

He then presented a slide showing the DO178B software criticality levels which are:

• Level A - catastrophic failure
• Level B - hazardous/severe failure
• Level C - major failure
• Level D - minor failure
• Level E - no effect on aircraft operations

He said that most of the demand was now for level A and level B. Then he went on to discuss the LynxOS software certification program saying that it assisted customer certification and acted as a foundation for customer tailoring. The documentation and testing they are providing is for the core part of the kernel. He said they had drawn the 'proverbial line in the sand' where the basic documentation and verification material has been prepared for the kernel common portion of the operating system. Those functions that are not processor independent or are called through the application software are not addressed. However, Customer Solutions is available to address these issues on a customer project basis.

They are providing the data and source code for what they call the kernel common:

• Startup and Shutdown
• Process/Thread Management
• Scheduling
• Memory Management
• Inter-process Communication
• Input/Output and File Management
• Exception handling
• Time Management

He moved on to address the design data and software before looking at the verification data and customer solutions support. He concluded that people are putting more and more functionality into embedded systems. It is being seen in safety critical systems as well. The 3 main concluding points he talked about are:

• Proliferation and sophistication of embedded systems is driving COTS RTOS usage.
• More industries becoming interested in safety standards and certification
  • automotive, medical, transportation, military …
• Increasing demand for safety and certification expertise.

Question:

How did you deal with the Aerospatiale contract commercially?

Answer:

We use a lot of the stuff developed for them generally now. In fact it was one of their requirements that this was so in order to make it more generally supported.

Question:

Have done an analysis in growth of safety-critical system?

Answer:

No

Question:

What do you do about h/w failure?

Answer:

We have built a lot of checks into the kernel

Certifying an RTOS to DO178B: Tips and Tales

Vance Hilderman, President, Enea TekSCi

Is it healthy exercise to certify RTOS? Even though we know it's healthy why don't we exercise? It takes time, it costs money, and it is not fun. So what is involved in making RTOS healthy:

• Good technical expertise
• Read standards and processes
• Exercise standards and processes
• "Health": on-schedule, under-budget, full compliance, and maximum reusability

He continued with some very good analogies so why certify an RTOS? These are some of the reasons:

• There are over 100 commercial RTOS's
• No Standard for RTOS quality/reliability
• RTOS's are the most important "engine component" to your embedded project
• Increasingly used on Safety & Life critical projects, and High Availability
• Like humans, all RTOS's are not equal; must prove superior quality & reliability

And Vance went on to give these reasons why one should use DO178B for certification:

• DO178B is perhaps the most stringent standard in the world
• If it flies commercially, must be DO178B certified
• Once certified to DO178B, all other certs easy …!

DO178B has 3 basic areas of work:

• S/W planning
• S/w development process
• Correctness and confidence

He then went on to show where the time goes on a certification project before looking at the DO178B structure.

He said that a snapshot of DO178B could have the following points:

• System Aspects
• Software Lifecycle Processes
• Planning and Development
• Test,
• CM/QA,
• Liaison (DERs) Designated Engineering Representative

Next he considered common themes within DO178B and then reiterated the 5 levels of criticality, A through to E. 80% of all the systems on an airplane are level A or B.

He then showed some 20 or so data items in the software life cycle before considering the relationship between certified and certifiable. Thus:

• "Certified" applies to:
  • An entire system, where each component (hardware and software) meets applicable certification requirements.
• "Certifiable" applies to:
  • A component within a system, whose standalone operation cannot be sufficiently assessed for certification; such certification can only be applied to a system.
• "Qualified" applies to:
  • Tools used to eliminate, reduce or automate processes defined in D0178B.
  • Development tools whose output is part of the airborne software, and
  • Verification tools used to detect errors.

He then ran through the top certification mistakes made by his company as well others that included:

• Incomplete/inadequate requirement definition
• Inadequate or non-automated traceability
• Rework or audit failure due to code changes and lack of regression strategy
• Too many, or too few, structural test cases
• Obscure software; difficult to review, test, approve
• Knowing where you are at and when you are 'done'

He then questioned what the future for certification was? He felt it was increasingly required due to the convergence of standards. It would find increased use in DoD, nuclear and ground systems. There are now pre certified tools available.

He concluded with a very funny story about the 3 software teams.

The Cost-Effectiveness of Precision

Peter Amey, Praxis Critical Systems Ltd.

Early reasoning can raise standards and reduce costs. He introduced himself and his company. He then stated that critical systems were those where reliability was more important than:

• Efficiency
• Cost
• Time to market
• Functionality

It is not just a question of "being more careful" when producing critical software. One has to be able to show, before there is any service experience, that a system will be safe enough. He said that everybody used formal languages however readable it is and said that a typical development process was one of an informal semi-opaque black box leading to precise object code.

Precise languages can provide a framework for precise reasoning; they are qualitatively different. Precision could be increased in requirements, specifications and code. He exemplified this by a pedestrian/traffic light/road example; here the fact that drivers stop at red lights is assumed but is not part of the system.

He gave some examples of systems that Praxis had developed in particular SHOLIS. Because this was the first project done Praxis recorded everything, including the number of commas changed and showed the results in a histogram displaying faults found versus effort.

In order to prove something you really have to think about what you are doing with the specification. The fact that you know you have to prove it means that you change the way you will write it.

He then turned to code. Programming languages are seductive because the code "looks" like mathematics. But lurking in the background there are all sorts of things such as program overflow etc. A precise programming language will amplify the value of activities such as reviews, allows static analysis and leads to early error elimination. SPARK is a precise programming language.

He then gave an example of why early error detection save a pile of money in certification. The results obtained during integration testing may differ from those obtained during unit testing.

He moved on to talk about MULTOS, which is for smart cards. Applications can be loaded on to the card. The CA had some unusual requirements. He went into quite a lot of detail about it.

He felt that some positive trends are improved tool support, model checking and "formality by stealth" (tools that have mathematical underpinning but do not hit you with it). Some negative trends are deliberate adoption of imprecision, done because it appears to make the job easier and because it conceals the hard stuff.

He concluded that you cannot retrofit quality, there is correctness by construction and formality by stealth has been successful.