In a recent blog entry, John Bruggeman considered the role of Linux in automotive applications. He discussed the blurring of the distinction between car infotainment systems and driver assist systems. This got me thinking about the adoption of Linux in the Aerospace & Defence market, in particular the potential use of Linux in safety-critical avionics and military vehicles, which I hadn’t really thought much about before.
It seems to me that people’s attitudes towards Linux can be rather polarised at times – a bit like Marmite (wikipedia), people either love it or hate it. Over the years I’ve written applications and device drivers for a range of enterprise UNIX platforms and real-time operating systems, and whilst I’ve experienced for myself the relative merits of each of these OSs for particular types of application, I’ve never felt threatened by the advent of Linux; I’ve just been curious as to its potential. So, I want to form a view on Linux in A&D from rational fact-based discussions, not from emotive arguments and prejudice.
I’ve noticed the increasing adoption of Linux in A&D for mission-critical enterprise and embedded applications in recent times, for example RSTA-MEP and the Linux Crewstation (LinuxJournal) and Boeing P-8A Multi-Mission Maritime Aircraft (Linux Sys-Con) respectively. I suspect that this may be related to the maturing of the Linux kernel and the Carrier Grade Linux specification – these topics were recently discussed in Paul Tingey’s blog Is Carrier Grade Linux Winning New Friends?, and Paul Anderson’s blog Raising The Bar.
In the case of avionics there are different classes of systems: safety-critical systems, such as the head-down primary guidance flight displays (which use a safety-certifiable RTOS such as VxWorks/Cert, VxWorks 653 and others); and non-critical systems (a.k.a. mission-critical systems), which include secondary guidance systems such as digital map displays (such as TARDIS) and Head-Up Displays (HUD). These do not have an RTCA DO-178B safety certification requirement today, although one could possibly be mandated in the future.
In the case of military vehicles: there are programmes developing vehicles with electric motor propulsion under software control, such as SEP (Army Technology). As well as charging across battlefields, I imagine that such vehicles will be driven on public roads, which is quite similar to the civil automotive scenarios described in John’s blog, and it’s reasonable to expect that they would require safety certification under ISO/IEC-61508.
So, for these classes of A&D applications, what are the options for safety-certification using Linux?
There are Linux distributions which use a pristine source tree, so could this conceivably be used as a foundation for traceability and requirements-based testing for DO-178B safety certification?
What about the safety-certification cost (assuming DO-178B Level B-D), could this become economically viable if a trusted Linux profile with a reduced source lines of code (SLOC) count were defined?
If not, another alternative might be to consider a virtualization approach, perhaps using a MILS (Multiple Independent Levels of Security) architecture?
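Two of the questions above turn on the same practical footing: being able to say exactly which source tree a build came from (the pristine-tree question) and being able to measure how large a reduced Linux profile actually is (the SLOC question). As an added example that is not part of the original post, the Python below shows the two mechanical pieces a certification team would start from: a SHA-256 manifest of the tree that reports any drift from the recorded pristine state, and a physical SLOC count (blank and comment-only lines excluded) over only the directories in a candidate profile. The miniature source tree, its file names and contents, and the profile directories (`kernel`, `include`) are all constructed for the example.

```python
"""Added example (not from the original post): pristine-tree drift detection
and a reduced-profile SLOC count over a constructed miniature source tree."""
import hashlib
import os
import re
import tempfile

C_SUFFIXES = (".c", ".h")

# Constructed sample tree; names and contents are made up for the example.
SAMPLE_TREE = {
    "kernel/sched.c": "/* scheduler stub (constructed) */\n"
                      "int pick_next(int a, int b)\n"
                      "{\n"
                      "    // prefer the lower deadline\n"
                      "    return a < b ? a : b;\n"
                      "}\n",
    "include/sched.h": "int pick_next(int a, int b);\n",
    "drivers/net.c": "/* not part of the reduced profile */\n"
                     "int net_init(void) { return 0; }\n",
}


def sloc(text: str) -> int:
    """Physical SLOC: non-blank lines that are not entirely comment.
    Block comments are replaced by the newlines they spanned so that code on
    the same lines is still counted once per line. Comment markers inside
    string literals are not special-cased (a caveat for a real counter)."""
    no_block = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                      text, flags=re.S)
    count = 0
    for line in no_block.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        count += 1
    return count


def manifest(root: str) -> dict[str, str]:
    """Map each .c/.h file (path relative to root, '/'-separated) to its
    SHA-256 digest, so the exact inputs to a build can be recorded."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(C_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                result[rel] = digest
    return result


def drift(recorded: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report every way the tree now differs from the recorded manifest."""
    return {
        "modified": sorted(p for p in recorded if p in current and recorded[p] != current[p]),
        "missing": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }


def profile_sloc(root: str, include_dirs: tuple[str, ...]) -> dict[str, int]:
    """SLOC per file, restricted to the top-level directories in the profile."""
    counts = {}
    for rel in manifest(root):
        if rel.split("/")[0] in include_dirs:
            with open(os.path.join(root, rel)) as fh:
                counts[rel] = sloc(fh.read())
    return counts


def write_tree(root: str, files: dict[str, str]) -> None:
    """Materialise the constructed tree on disk."""
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo() -> dict:
    """Record the pristine manifest, size the 'kernel' + 'include' profile,
    then append an unreviewed change to one file and show that it is caught."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, SAMPLE_TREE)
        recorded = manifest(root)
        profile = profile_sloc(root, ("kernel", "include"))
        # Simulate a local edit that never went through change control.
        with open(os.path.join(root, "kernel", "sched.c"), "a") as fh:
            fh.write("int hook(void) { return 1; }\n")
        report = drift(recorded, manifest(root))
    return {"drift": report, "profile_sloc": profile, "total": sum(profile.values())}


if __name__ == "__main__":
    print(demo())
```

The manifest is the traceability anchor: if a build's inputs match a recorded manifest, every compiled line can be tied back to a reviewed source revision, and any modified, missing or added file is flagged before it reaches a certified build. The profile count is deliberately restricted to named directories so that the size of a candidate reduced profile can be quoted separately from the rest of the tree.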