Aonix ObjectAda and Aonix Perc Solutions
Software now pervades almost every aspect of daily life. Transport systems depend on safe software for control of vehicles and their infrastructure. Financial institutions rely on secure software for accounting and the transfer of money. Industrial software controls equipment and manufacturing processes. Hospitals depend on software for managing patient records and for control of life-support systems. The use of software has grown dramatically over the last decade with the availability of low-cost, high-performance hardware. It is clear that the safety of much human life and property depends directly or indirectly upon the correctness and deterministic properties of software.
Atego has been active in the safety critical community for over a decade, offering the first off-the-shelf certifiable kernels, with applications in use in many of the most demanding and rigorous systems upon which lives and property are dependent.
Atego has been actively involved in developing standards for safety critical Java (see links below)
Atego is also active in the growing area of multi-level secure systems. Recent collaboration between Atego and Wind River has produced an integration of Aonix Perc Ultra virtual machine technology with the VxWorks MILS platform, representing the first marriage of Java productivity with MILS security.
Artisan Studio Solutions
Notorious and tragic systems failures such as the 1986 Challenger Shuttle painfully reinforce the consequences of failures in systems characterized as safety-critical or life-critical. Unlike business, commercial, and entertainment systems, these systems affect not just the senses and finances of humans but their physical well-being as well and, as such, have significant death potential. The stakeholders of such systems—purchasers, owners, users, auditors, designers, and engineers need to assure that these systems are correctly specified, perform as specified, perform only as specified, and degrade gracefully with minimized human harm.
Safety-critical Systems Engineers rely on several methodologies, methods, and process artifacts to specify and implement these systems and to verify and demonstrate that these systems conform to their constraints. Methodologies and specifications include DO-178 for US Commercial Aviation Systems, Part 571 FMVSS for US Automotive Systems, and FDA 21CFR for Medical Systems. Methods include Effective and Frequent Collaboration, Requirements Specifications and Engineering, ISO and CMMI Process Maturity, Documentation, Formal Methods, Model-based Systems Engineering, Model-Driven Architecture, Reliability Analysis such as Failure Modes and Effects Analysis (FMEA), Simulations, and Verification and Validation. Artefacts include: Specifications, Requirements Capture Databases, Workflow and Process Milestone Forms, Documentations, Traceability Reports, Models, Test Cases, Simulation Results, and Verification Reports.
Artisan Studio capabilities for collaboration, Model-based Systems Engineering, Requirements Management, Document Generation, Simulation and MDA greatly assist in specifying, auditing, implementing, and verifying safety-critical systems and supporting the relevant specifications, methodologies, and methods. Additionally, the extensibility capabilities of Artisan Studio have been utilized by Atego to integrate these capabilities with primary Systems Engineering tools in the industry such as: Telelogic DOORS, Geensys Reqtify, Microsoft Office, and Mathworks Matlab/Simulink.
Artisan Studio’s MDA capabilities such as ACS/TDK are used to implement software code generators for languages such as Ada and Praxis High Integrity System’s SPARK-Ada. The language Ada and its safety-critical subsets has long been recognized as the best available language for the implementation of safety-constrained, resource-constrained systems. Artisan Studio has demonstrated the effectiveness of utilizing UML in complex, life and safety critical applications.
MILS Java
Recent collaboration between Atego and Wind River has produced an integration of Aonix Perc Ultra virtual machine technology with the VxWorks MILS platform, representing the first marriage of Java productivity with MILS security.
Today’s world has dramatically changed the way we think about secure systems and has escalated the rush to implement applications within a multi-level secure environment. At the core of these systems is a new realization of secure and safe RTOSs that meet the stringent requirements and policies being set by the U.S. Government for acquisition of IA products in DoD, Homeland Security and other departments. These systems will likely find adoption in the commercial sector where security is also a critical need, such as the financial sector.
Multiple Independent Levels of Security (MILS) identifies the implementation framework to allow time and space separation or partitioning of execution to allow applications with different levels of security to co-exist safely within the same system.
A number of RTOS vendors are addressing this market with MILS implementations. For instance, recent work at Wind River has yielded the VxWorks MILS family of products to meet security demands while maintaining consistent, deterministic system performance. TheRTOS enables developers, whether the need is for a few partitions or dozens of partitions, to create and implement a secure system.
But even with the advent of MILS, one thing that hasn’t changed is the need for efficient, dependable, and predictable software development—the kinds of benefits commonly associated with the Java development paradigm.
Atego, a decades-long industry leader in real-time and safety critical tools, and pioneer in Java platform technologies, has brought together these two strengths to meet the needs of today’s mission critical developers. As a participant in the Java Community Process and a key contributor to the development of standardized RTSJ profiles for hard real-time and safety critical applications, Atego is uniquely positioned to make this technology a reality.
While MILS platforms are currently commercially available, there is more work underway to take them to the next level. In a recent article by Rob Hoffman, vice president and general manager, aerospace and defense at Wind River, published in COTS Journal, he stated, “What does it take to build a real-time system suitable for high-EAL Common Criteria evaluation? Simply put, it can take several years. But even after investing years of hard engineering time and effort, high-EAL certification does not guarantee adequate functionality or performance. Today, there are no high-performance, multilevel secure systems based on the MILS architecture and a commercial operating system.”
Wind River and other MILS implementers are working within the international standards body (ISO/IEC 15408) to create solutions that meet the stringent requirements and test profiles and to begin the process of proving them through accredited test labs. While this work continues, early adopters are beginning system development using current MILSofferings available and Aonix is pleased to be there to support those efforts with the most appropriate language for their implementation and deployment.
Safety Critical Ada
Software now pervades almost every aspect of daily life. Transport systems depend on software for control of vehicles and their infrastructure. Financial institutions rely on software for accounting and the transfer of money. Industrial software controls equipment and manufacturing processes. Hospitals depend on software for managing patient records and for control of life-support systems. The use of software has grown dramatically over the last decade with the availability of low-cost, high-performance hardware. It is clear that the safety of much human life and property depends directly or indirectly upon the correctness and deterministic properties of software.
Software can provide users with considerable operational flexibility. However, this flexibility brings with it a greatly increased chance of error. There is now an increasing awareness that strict control is needed in order to reduce the risks of errors in what has come to be called safety critical software – that is, software systems whose failure may lead to loss of life or severe injury.
As a result, there is a growing concern in all major industrial nations regarding the legal and ethical obligations of companies and their officers to ensure that systems do not violate safety regulations.
Many industries are in the process of setting, or have already set, specific standards for the development, testing, and certification of safety critical software. As these standards emerge, the focus is on the use of best practice. In some areas, standards mandate specific techniques for the development of safety critical systems. In all cases, a reasoned justification for the techniques actually used is required, together with evidence to show that the life cycle development processes are being followed.
Example of Failure
A passenger airplane is circling in a prearranged location off the coast of Florida. The landing is delayed because of bad weather conditions. As the plane is banking into a turn, a sudden updraft causes the plane to roll much faster than the software control system expects. The software “assumes” a glitch, and the computers are set into an automatic reboot process. The pilot looks on with horror as all of the navigation displays turn blue with a white line through them. At a most crucial moment, when the pilot needs information to stabilize the aircraft, the computers are performing memory checks and restarting the display software.
Fortunately, the pilot has enough height and time to fly the plane by “feel” until the displays are functioning correctly. Had this error occurred when the plane was landing, the consequences could have been catastrophic.
What is Safety?
MIL-STD 882B (1984) defines safety as follows:
• Freedom from those conditions that can cause death, injury, occupational illness, or damage to or loss of equipment or property
The terms safety, reliability, security, and correctness should not be confused. Leveson [Leveson 86] defines the differences among these terms as follows:
• In general, reliability requirements are concerned with making a system failure free, whereas safety requirements are concerned with making it mishap free…
• Is concerned with every possible software error, whereas safety is only concerned with those that result in actual system hazards…
• Even if all failures cannot be prevented, it may be possible to ensure that the failures that do occur are minor consequences, or that even if a potentially serious failure does occur, the system will, “fail safe”…
• Unfortunately, in many complex systems, safety and reliability may imply conflicting requirements, and thus a system cannot be built to maximize both…
Software is a set of instructions and data that makes a general-purpose computer into an application specific one. Software itself is neither safe nor unsafe. However, if software controls the functionality of a safety critical system, then it becomes safety critical software.
A study of system safety is described in “Safeware – System Safety and Computers” by Nancy Leveson [Leveson 95]. An extensive discussion of safety critical systems, which are usually also real-time control systems, is found in the reference [Pyle 91].
Criticality Levels
Most standards assign a criticality level to a system based on the severity of a potential catastrophe and the probability of its occurrence. These are then mapped onto categories for the system criticality levels. If software controls these safety critical systems, then the software too is assigned a criticality level. The software criticality levels correspond to the failure conditions that would result if the software were to fail.
The Federal Aviation Administration (FAA) recognizes five categories of failure conditions and five software-level definitions:
• Level A – Catastrophic-prevent continued safe flight or landing
• Level B – Hazardous/Severe-Major-potential fatal injuries to a small number of occupants
• Level C – Major-impairs crew efficiency, discomfort or possible injuries to occupants
• Level D – Minor-reduced aircraft safety margins, but well within crew capabilities
• Level E – No Effect-does not effect the safety of the aircraft at all
Safety Critical JavaAs an industry leader in safety critical solutions for two decades, we have now applied Atego safety critical expertise to Java development. For the first time, Java programs can achieve the highest levels of criticality, such as DO-178B Level A.Aonix Perc Raven, based on our ground-breaking Aonix Perc Pico technology, implements a small and very fast “bare-target” runtime system which offers the advantages of our Aonix Perc Pico technology but with additional safety-critical constraints and capabilities. Aonix Perc Raven is perfectly suited for hard real-time and safety-critical applications. It also provides access to the reliable, feature-rich toolset most critical system developers need to help them build an efficient, provable, verifiable and certifiable, deterministic real-time application.Whatever your real-time needs, Atego is there to help with our world-class support team. We have the experience, tools and runtime environment for real-time Java that is second to none in the industry. Aonix Perc Raven has all the advantages of small size, fast speed, hard real-time response, safety-critical and high-reliability characteristics.In addition to the tool chain itself, DO-178B certification artifacts can be created for the Aonix Perc Raven runtime and libraries, in support of end-application certification needs.