Certifying software according to safety and/or security standards such as DO-178B or Common Criteria is a complex process that includes review of the software design, the coding, and the validation and verification activities. Certification cost is closely related to the number of lines of code and to the modularity of the software: certifying a monolithic system is complex and expensive, while a modular platform is far more promising. That is where we started when we designed PikeOS Safe & Secure Virtualization as an operating system for safety- and security-critical environments. As the smallest and most flexible foundation we chose a micro kernel approach for PikeOS; including the additional system software, it comprises less than 10K lines of code in total. The micro kernel is complemented by modular Architecture Support Packages (ASP) and Platform Support Packages (PSP), and the system software allows multiple partitions to be built for diverse guest operating systems, APIs, and run-time environments (RTEs). As a result PikeOS is a small and modular platform, well suited for certification.
The immediate benefits of PikeOS for certification
During the certification process every line of code has to be reviewed, tested and approved, and every change to that code triggers re-certification. The micro kernel approach of PikeOS keeps the code base very small, which reduces the certification effort. In the case of hardware obsolescence, the modular ASP and PSP structure allows fast and cost-efficient ports to new hardware architectures or new boards. The system software lets developers build multiple partitions for diverse OSs, APIs, and RTEs, so that each application runs in the environment best suited to it and legacy code can be reused where appropriate. The partitions may host applications of different criticality levels and can be certified according to different standards. Changes or additions to the software in one partition therefore do not necessarily cause re-certification of the others. Based on these benefits we have established PikeOS Safe & Secure Virtualization as a platform for safety- and security-critical applications with certification requirements.
PikeOS Safe & Secure Virtualization
PikeOS is the first industrial implementation of the Safe and Secure Virtualization (SSV) concept, a promising approach to solving the reconfiguration problem and to combining the requirements of multiple execution environments with the hard partitioning and deterministic real-time behavior that critical applications demand. This micro kernel based virtualization platform comes with all the artifacts required for certification. Depending on the certification level, these comprise the planning, development, verification, configuration management, and quality assurance output documents.
Paving the way to incremental certification
PikeOS has been designed to meet today's certification requirements, but also to provide a technical answer to one of the toughest challenges that industries such as avionics face: reducing certification cost through incremental certification, a concept that is still under study.
The number of functions implemented in digital electronics keeps growing, and with it the number of separate devices, each with its own development, certification and update process, and each requiring spare parts to be maintained in every configuration. To address this, the avionics industry and its associated organizations came up with a new concept: Integrated Modular Avionics (IMA).
The definition of the IMA concept changed the way the aerospace industry works. On an IMA system, multiple function suppliers need to integrate their applications, which can only be achieved if application development and certification follow a common path. The aerospace community has developed standards which address Application Programming Interfaces (APIs) and module configuration, the data loading protocol and file formats, as well as integration and certification aspects of an IMA system.
The first generation of IMA has been successful, with implementations in aircraft already in service. A next generation of IMA is now being defined in order to keep the initial objectives of IMA while going a step further in reducing cost and increasing performance. Early work on this topic (called IMA-2G) introduced the proposed concept of Distributed Modular Electronics (DME), which physically separates application processing from I/O functions. An IMA-2G architecture overview is shown below.
To illustrate how PikeOS can reduce certification cost, consider a very concrete implementation example: part of a driver needs to be merged into the trusted code for performance reasons. Under SSV, drivers are normally implemented at user level as separate components that cannot affect the separation kernel or the other trusted components; the only cross-cutting concern is real-time behavior, which must be accounted for properly in the schedule.
In the SSV architecture, the virtual address layout of an application is the same for every instance, regardless of where it is placed in physical memory. The memory mapping of a partition is therefore independent of the module configuration: there is a single binary image for the partition whatever the number of DME configurations, and hence a single certificate for it. Because the driver code is added as a separate component inside its own partition, it does not invalidate the certificates of the other components. This is what incremental certification means in practice.
PikeOS complies with various certification standards
The most demanding safety standard is naturally found in avionics. It is described in RTCA/DO-178B and defines five software levels, A (most critical) to E (least critical). To learn more about this standard, please visit http://www.rtca.org/.
For the functional safety of embedded devices several other certification standards exist, most of them derived from IEC 61508. IEC 61508 is an umbrella standard for several markets, released by the International Electrotechnical Commission in 1998, and is the document vendors follow to obtain Safety Integrity Level (SIL) ratings for products and system components. A SIL expresses the potential risk to persons, systems, devices, and processes in case of malfunction: SIL 1 is the lowest level of safety integrity and SIL 4 the highest. The standard details the requirements necessary to achieve each safety integrity level, and the levels correspond to the tolerable likelihood of dangerous failures. Other derived standards are being refined or are already in use, such as EN 50128 (railway), IEC 60880 and IEC 61513 (nuclear), and ISO 26262 (automotive). Because PikeOS was designed with the flexibility to address different industry verticals through the concept of a 'Guest OS', and with certification as an absolute requirement from the start, it can equally address these different certification standards.
There is a growing demand from both the governmental and the commercial sector for certification of security-critical applications according to the Common Criteria, whose Evaluation Assurance Levels range from EAL1 to EAL7. The highest levels require not only the rigorous software development process also described in the safety standards, but additional specific evidence such as formal verification. PikeOS is a candidate for this because its implementation of SSV reduces the security kernel to the smallest possible size, making it amenable to formal verification, as undertaken in the Verisoft XT project.
PikeOS has been used successfully for a wide range of applications in the Aerospace & Defense, Automotive & Transportation, Industrial Automation, Medical Technology and other markets with safety- or security-critical needs. PikeOS Safe & Secure Virtualization is a platform for cost-efficient certification of embedded devices in all of these markets.