Linux Becomes Ready for Safety: SIL2LinuxMP enters its second phase
After one and a half years of intensive work, OSADL’s SIL2LinuxMP project has reached its next milestone in the safety certification effort of the Linux operating system.
The OSADL organization aims to promote and support the development of Open Source software for industrial products. Since its inauguration in 2005, the community has driven two aspects of the Linux operating system that are mission-critical for many industrial products: real-time responsiveness and safety qualification.
The SIL2LinuxMP project certifies the base components of an embedded GNU/Linux real-time operating system running on a multi-core industrial computer board built from commercial off-the-shelf CPUs. These components are the boot loader, the root filesystem, the Linux kernel, the C library bindings (i.e., the glibc library), and BusyBox as the user-space tooling through which the Linux kernel is accessed.
In the first phase of the SIL2LinuxMP project, the requirements of the four full partners were consolidated into a single generic use case. The partners offer safety-related products in various domains: A&R Tech for railway systems, BMW Car IT for automotive systems, KUKA for industrial robotic systems, and Sensor-Technik Wiedemann for mobile machines. All of these domains allow qualification to be based on the generic functional safety requirements of IEC 61508 Ed 2, which therefore constitutes the basis for SIL2LinuxMP.
Although the partners' products are intended for different use cases and domains, the project successfully consolidated their requirements into this single generic use case. The SIL2LinuxMP project then refined the requirements of the use case and traced them to the selected functionality of the Linux kernel and the glibc library.
Along with mapping existing tools to standard methods, a set of methods specific to the GNU/Linux RTE has been developed.
Linux development follows the typical development process of large open-source community projects. Each change to the kernel must be properly justified, is reviewed by multiple independent experts and maintainers, is tested on different hardware systems, and undergoes several iterations of improvement until it is finally merged into mainline development.
For high-quality components such as the Linux kernel, the effective process mimics the requirements of IEC 61508 surprisingly well.
The Linux kernel development process produces a huge amount of data, which the SIL2LinuxMP project uses to show that the process is followed stringently and that individual mistakes in this process are unlikely to lead to critical malfunctions. As the Linux kernel has undergone more than half a million changes since 2005, this evidence must be provided by automated analysis based on rigorous statistical arguments.
SIL2LinuxMP developed methods and metrics to calculate the quality of the selected parts of the Linux operating system based on the publicly available material and data from Linux kernel development.
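The press release does not publish the project's metrics, so the following is an added illustration of the kind of automated analysis described above, not the SIL2LinuxMP tooling itself. It parses the trailer lines that the kernel process attaches to every commit (Signed-off-by, Reviewed-by, Acked-by, Tested-by) and derives three assumed, hypothetical process indicators per commit: whether someone other than the author reviewed or acked it, whether it carries a Tested-by tag, and whether a second person (typically the maintainer) signed it off. The commit records are a constructed sample in the shape of `git log` output; on a real tree one would feed in the actual log and the rates would become the statistical evidence the text refers to.

```python
import re
from dataclasses import dataclass, field

# Trailer lines the kernel process attaches to commits; we capture the tag and the e-mail.
TRAILER_RE = re.compile(
    r"^\s*(Signed-off-by|Reviewed-by|Acked-by|Tested-by):\s*.*?<([^>]+)>\s*$"
)
AUTHOR_RE = re.compile(r"^Author:\s*.*?<([^>]+)>\s*$")

# Constructed sample in the shape of default `git log` output (Date lines omitted).
# These commits and people are made up; they are not real kernel history.
SAMPLE_LOG = """\
commit 0000000000000000000000000000000000000001
Author: Alice Example <alice@example.org>

    rt: fix lock ordering in foo

    Signed-off-by: Alice Example <alice@example.org>
    Reviewed-by: Bob Reviewer <bob@example.net>
    Tested-by: Carol Tester <carol@example.com>
    Signed-off-by: Maintainer One <maint@example.org>

commit 0000000000000000000000000000000000000002
Author: Dave Example <dave@example.org>

    glibc: bump minimum version

    Signed-off-by: Dave Example <dave@example.org>
    Signed-off-by: Dave Example <dave@example.org>

commit 0000000000000000000000000000000000000003
Author: Erin Example <erin@example.org>

    busybox: drop unused applet

    Signed-off-by: Erin Example <erin@example.org>
    Acked-by: Bob Reviewer <bob@example.net>
    Signed-off-by: Maintainer One <maint@example.org>
"""

INDICATORS = ("independent_review", "tested", "maintainer_signoff")


@dataclass
class Commit:
    sha: str
    author: str = ""
    trailers: list = field(default_factory=list)  # list of (tag, email) pairs


def parse_log(text):
    """Split `git log` style text into Commit records with author and trailer lines."""
    commits = []
    cur = None
    for line in text.splitlines():
        if line.startswith("commit "):
            cur = Commit(sha=line.split()[1])
            commits.append(cur)
            continue
        if cur is None:
            continue
        m = AUTHOR_RE.match(line)
        if m:
            cur.author = m.group(1).lower()
            continue
        m = TRAILER_RE.match(line)
        if m:
            cur.trailers.append((m.group(1), m.group(2).lower()))
    return commits


def assess(commit):
    """Hypothetical per-commit process indicators (assumed metrics, not the project's)."""
    # Trailers from anyone who is not the author: the author reviewing their own
    # change does not count as independent review.
    by_others = [(tag, email) for tag, email in commit.trailers if email != commit.author]
    return {
        "independent_review": any(tag in ("Reviewed-by", "Acked-by") for tag, _ in by_others),
        "tested": any(tag == "Tested-by" for tag, _ in commit.trailers),
        "maintainer_signoff": any(tag == "Signed-off-by" for tag, _ in by_others),
    }


def summarize(commits):
    """Return per-commit indicators and the fraction of commits satisfying each one."""
    results = {c.sha: assess(c) for c in commits}
    n = len(commits) or 1
    rates = {k: sum(r[k] for r in results.values()) / n for k in INDICATORS}
    return results, rates


if __name__ == "__main__":
    per_commit, rates = summarize(parse_log(SAMPLE_LOG))
    for sha, flags in per_commit.items():
        print(sha[:12], flags)
    print("rates:", rates)
```

On the constructed sample the second commit fails all three indicators because both Signed-off-by lines come from the author, which is exactly the kind of outlier a process-adherence analysis is meant to surface; the aggregate rates are what a statistical argument over hundreds of thousands of commits would be built on.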
SIL2LinuxMP also mastered the challenge of hardware selection. The prevailing opinion was that many qualified hardware boards with multi-core processors are available. However, an investigation of the boards' safety manuals uncovered that some boards allow only a single core to be used when running a safety-related application. Contrary to our initial assumption, only a few multi-core systems permit safety-related and non-safety-related applications to run concurrently on multiple cores, which is one of the key requirements of the generic use case. After surveying the industry's hardware portfolio, the full partners agreed on a selection of hardware boards and a roadmap for qualifying the software-hardware interface, and chose a common board as the first reference hardware on which to continue the qualification effort.
In the second phase, the SIL2LinuxMP project will complete the details of the safety argumentation and create tools that allow the quality of the Linux development process to be assessed continuously.
As a full partner in this collaboration, BMW Car IT GmbH is interested in the further progress of the SIL2LinuxMP project. “We already use the Linux operating system for our BMW infotainment systems,” says Dr. Würtenberger, CEO of BMW Car IT GmbH. “Using Linux for the next-generation safety-related driving assistance functions is a natural next step in the evolution of automotive software, and we are optimistically looking forward to the second phase of the SIL2LinuxMP project.”
To share the project's results, the SIL2LinuxMP project is also opening its doors to new partners. Companies interested in joining the SIL2LinuxMP collaboration as reviewing partners can contact Carsten Emde at OSADL to follow the second phase of the Linux qualification effort.