SIL2LinuxMP ...

By: Nicholas Mc Guire

why Open Source/Open Proof is the right way to go for safety

Safety in many ways is a different set of technologies than many of the traditional embedded system solutions. Not so much at the level of technical detail but at the procedural and even more managerial side. The Safety Critical Linux Working Group, founded in 2007, set out to prepare for the, in our view, obvious next arena - use of GNU/Linux in safety related systems. During the annual Real Time Linux Workshop, at SUPSI in Lugano-Manno, Switzerland this year, we held our safety track – which clearly showed the breadth of the problem, from tools and their qualification to OS level certification issues and strategic decisions regarding the use of FLOSS and more specifically open-proof, in highly complex application fields. The abstracts of the related presentations can be found at this URL.

While the annual safety track of OSADL at the Real Time Linux Workshops as well at the Embedded World Conference in Nuremberg, demonstrate clear interest, we face the additional constraint that safety related developments are long-term – in the 3 to 5 year range – and that makes it harder to get moving on concrete issues. Preparing this long-term effort was essentially the mission of the Safety Critical Linux Working Group – and these efforts have reached a level of readiness that we in 2012 decided to kick off the SIL2LinuxMP project. Since then continued efforts on SIL2LinuxMP have been steadily advancing the project – the clear focus being the procedural issues.

SIL2LinuxMP - targeting safety integrity level 2 on multi-core systems - has been initiated by a group of OSADL members to address the upcoming demands for certification of GNU/Linux running Linux RTOS (aka PREEMPT_RT) for industrial use. This use ranging from rail systems, traditional automation, automotive systems to medical devices and even aerospace – put practically the entire range of safety related systems is on the table as potential users of Linux based systems. While we were aware of the transition that is ongoing in industry in general (any project without Linux on the short-list of OS anymore?) it was a bit of a surprise at what breadth this transition is also being contemplated in safety-related systems. In hindsight we only can say we did not start a day too early when we decided to kick off the Safety Critical Linux Working Group at OSADL.

At RTLWS15 we held a meeting of interested companies and academia members of OSADL to push forward the SIL2LinuxMP project. At this meeting companies from automation, automotive, medical systems and aerospace were present - again showing how wide this transition is. After an initial presentation of the current work status, a technical as well as management related discussion followed. During the discussion of the approach, notably driven by participants of TÜV Süd (Munich, Germany) details of the methodology proposed could be further clarified. These discussions not only help increasing the assurance in the approach taken but also show that the strength of public reviews and open-proof can be utilized to their full extent to minimize the risk (economically and technically) of such an undertaking and prevent multi-level disasters as recently published at the EDN Network regarding automotive industries. We must of course be fair – it is always easier to point at deficits at projects actually completed while making claims about a project that has not actually taken off yet – but if such complex software projects had received public review, it is hard to imagine that this harrowing list of defects would have made it into the final product.

SIL2LinuxMP is not primarily about certification of some particular system that happens to utilize GNU/Linux it is more about filling in a blind spot of the current methodologies – that of using open-source. Pre-existing software is covered in many standards, notably in the generic top-level IEC 61508 Ed2 but details of the procedures and methodologies that are suitable are not readily present, notably in part 7 where methods outlined neither take the specifics of open-source nor the fundamental advantage of public review and/or open-safety into account. Building a strong and coherent set of methods into a systematic safety life-cycle for project based primarily on Open Source components is what we at OSADL anticipate as outcome of SIL2LinuxMP.

---