Linux as a real-time Hypervisor for the automotive industry

Andreas Platschek and Nicholas Mc Guire, OpenTech EDV Research GmbH

There are various reasons why utilizing Linux as a real-time hypervisor in safety critical systems might be a good idea.

The boom of virtualization in various fields of computer science started more than 40 years ago [1], yet it has only recently been introduced into safety- and mission-critical systems (ARINC 653/AUTOSAR). Under the name IMA (Integrated Modular Avionics), the avionics industry has introduced virtualization techniques into modern fighter jets and airliners in order to fully utilize the computing power provided by modern COTS CPUs (A380/B777 [2]), to reduce weight and power consumption, and to encourage the reuse of software modules. These savings in hardware, together with the reuse of already certified software, have a large impact on the cost of developing a safety-critical software system. So far this approach of replacing federated systems by integrated ones has not been carried from avionics into other fields, but we are convinced that its advantages would be of great interest in almost all of them.

A second aspect justifying this project is the fact that Linux has already been used in several different safety-critical systems [3,4]. The obvious next step is to employ it as a hypervisor, in order to run several independent safety-critical applications on one hardware node with appropriate isolation between them.

This paper presents a first step toward employing Linux as a real-time hypervisor for safety-critical systems. The approach taken is to use a virtualization mechanism already available in Linux, analyze its real-time capabilities, and put existing, diverse FLOSS implementations [5,6] of OSEK OS on top of the Linux hypervisor. Furthermore, this paper determines the SIL level according to IEC 61508 that can be achieved by the proposed system. Although the resulting system cannot be expected to be suitable for highly safety-critical applications, it can be expected to run systems of lower criticality without reducing safety compared to current solutions.

While the above arguments for a FLOSS implementation may seem like a case for replacing well-tested proprietary solutions with less tested or untested FLOSS solutions, the essential point lies in the upcoming demands for security in safety-related systems. With safety-related systems allowing remote maintenance, error reporting and software updates, security is becoming a major issue (IEC 61508 Ed 2 CD 2008), and that is a field where GNU/Linux has not only reached a high level of maturity (e.g. Red Hat distributions evaluated at EAL4 [7]) but where the necessary know-how is well entrenched in the community. Finally, with the ever-growing complexity of safety-related systems, the ability of small dedicated teams to manage the full scope of safety at the system level is becoming less and less realistic; an open approach with community participation in the review is a potentially effective and far-reaching mitigation.

[3] Peter Sieverding, Detlef John: SICAS ECC - die Platform für Siemens-ESTW für den Nahverkehr, Signal und Draht 05/2008

[4] FS20: Firecontrol System, D 100 P, Mainline Kernel 2.6, SLIND,