Tomorrow is now
When Linux can boost your development of safety-relevant cyber-physical systems right away and per download
08.01.2025
Author: Dr. Michael Armbruster, Safety Expert at emlix GmbH
In December ’24 we listed five misconceptions about Linux and functional safety that may deter system and software architects from considering Linux and hypervisors as core building blocks of safety-related cyber-physical systems:
- Open-source processes and software cannot be used in safety-related systems.
- Linux has to be assessed as one monolithic software blob.
- Virtualization is a source of additional problems: it requires extra qualification and maintenance effort and demands expertise that is rarely available on the market.
- Every single element of an execution environment, including its libraries, needs to be “safe”.
- There is only one architectural approach to meeting all functional and non-functional requirements with Linux.
In the context of security it is worth adding and emphasizing one more:
- An OS solution based on Linux requires a full reassessment with each and every update or patch.
EB corbos Linux for Safety Applications shows that none of these misconceptions hold. The OS solution combines the strengths of Linux, which makes full use of the technological advances of modern hardware, with compliance with the functional safety prescriptions that various domains mandate for performing safety functions, such as the functional safety standards EN 61508 and ISO 26262.
The approach shifts the “burden of proof” from Linux to a supervision software layer, which detects when Linux does not behave dependably.
In other words, rather than trying to demonstrate that Linux is dependable, the choice has been to detect when it isn’t.
The solution implements a design that leverages the features offered by advanced hardware (whether it is a microprocessor or a system on chip) to supervise the behavior of Linux, namely its access to memory and processing resources.
Two main software elements implement this solution:
- a hypervisor provides Linux with virtualized memory and computation resources, so the hypervisor has full control over Linux’s access to those resources;
- a supervisor software analyzes every attempt by Linux to access memory or computation resources and detects when such an attempt could adversely affect the dependability of the function the system is expected to perform.
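To make the division of roles concrete, here is a simplified model of the supervision principle, added as an illustration for this post. It is not Elektrobit’s or emlix’s supervisor code, and the guest memory map, the access trace, the CPU budget and the latching safe state are constructed assumptions. The hypervisor’s part is modelled as a fixed list of regions it maps into the guest; the supervisor’s part checks each guest access against that map and a CPU-time budget and, on the first violation, latches a safe state that denies everything until an explicit reset, rather than trying to reason about whether the guest is still healthy.

```python
# Illustrative model of the hypervisor + supervisor split (added example, not
# product code). Memory map, trace, budget and the latching behaviour are
# constructed assumptions for this post.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Region:
    """A memory region the hypervisor maps into the Linux guest."""
    base: int
    size: int
    perms: str          # any combination of "r", "w", "x"

    @property
    def end(self) -> int:
        return self.base + self.size   # exclusive


@dataclass(frozen=True)
class Access:
    """One attempt by the guest to use memory or CPU time."""
    addr: int
    size: int
    kind: str           # "r", "w" or "x"
    cycles: int = 0     # CPU time the guest consumed in this step


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str = ""


@dataclass
class Supervisor:
    """Checks guest behaviour against what the hypervisor granted.

    The supervisor never tries to prove the guest correct; it only decides
    whether an observed access could hurt the safety function and, if so,
    latches a safe state that denies everything until an explicit reset.
    """
    regions: List[Region]
    cpu_budget: int                 # cycles allowed per supervision window
    cycles_used: int = 0
    safe_state: bool = False
    log: List[str] = field(default_factory=list)

    def _region_for(self, a: Access) -> Optional[Region]:
        # An access must lie entirely within one granted region; an access
        # that straddles a region boundary is treated as outside the map.
        for r in self.regions:
            if r.base <= a.addr and a.addr + a.size <= r.end:
                return r
        return None

    def _fail(self, reason: str) -> Verdict:
        self.safe_state = True
        self.log.append(reason)
        return Verdict(False, reason)

    def check(self, a: Access) -> Verdict:
        if self.safe_state:
            return self._fail("already in safe state")
        if a.size <= 0 or a.addr < 0 or a.kind not in ("r", "w", "x"):
            return self._fail(f"malformed access {a}")
        region = self._region_for(a)
        if region is None:
            return self._fail(f"{a.kind} of {a.size} bytes at {a.addr:#x} outside granted map")
        if a.kind not in region.perms:
            return self._fail(f"{a.kind} not permitted in {region.base:#x}-{region.end:#x} ({region.perms})")
        self.cycles_used += a.cycles
        if self.cycles_used > self.cpu_budget:
            return self._fail(f"CPU budget exceeded: {self.cycles_used} > {self.cpu_budget}")
        return Verdict(True)

    def new_window(self) -> None:
        """Next supervision period: the CPU budget is reset, a latched safe state is not."""
        self.cycles_used = 0


# Constructed guest layout: code, data and an actuator register window.
GUEST_MAP = [
    Region(0x1000_0000, 0x1000, "rx"),   # safety function code
    Region(0x1000_1000, 0x1000, "rw"),   # its working data
    Region(0x2000_0000, 0x100, "rw"),    # memory-mapped actuator output
]

# Constructed access trace with a boundary-straddling read in step 3.
TRACE = [
    Access(0x1000_0000, 4, "x", cycles=100),
    Access(0x2000_0010, 4, "w", cycles=20),
    Access(0x1000_1FFC, 8, "r", cycles=10),   # ends 4 bytes past the data region
    Access(0x1000_1000, 4, "r", cycles=10),   # would be fine, but safe state is latched
]


def run_trace(trace: List[Access], regions=GUEST_MAP, cpu_budget: int = 1000) -> List[Verdict]:
    """Feed a trace through a fresh supervisor and return one verdict per access."""
    sup = Supervisor(regions=regions, cpu_budget=cpu_budget)
    return [sup.check(a) for a in trace]


if __name__ == "__main__":
    for a, v in zip(TRACE, run_trace(TRACE)):
        print(f"{a.kind} {a.addr:#010x}+{a.size}: {'ok' if v.ok else 'DENY: ' + v.reason}")
```

The point of the model is what it does not do: it never inspects the guest’s code or reasons about why an access happened. Everything it needs is the map the hypervisor granted and the observed behaviour, which is why the guest can be updated without touching the checker.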
The most immediate advantage is that the dependability of the safety function performed by a cyber-physical system does not rely on Linux itself but on these two software elements, while nearly all features of Linux remain usable.
Consequently, the design significantly reduces the effort required to maintain the software and its safety argument, as only these two elements are directly involved in that argument. Updating Linux, for example to apply a security patch, requires little effort, and even an incorrect update would not affect safety but only reliability, because misbehaviour of the updated Linux is caught by the supervisor. Linux can therefore be updated largely independently of the rest of the solution.
Another remarkable advantage is that safety-related (supervised) and non-safety-related (unsupervised) applications can run at the same time on the same Linux instance; the non-safety-related application is like any other Linux application and is neither affected nor functionally limited by the presence of the safety-related application.
This solution has proven successful: a minimum viable product (which can be considered a technology demonstrator) has been built and is functional, and an independent assessor has confirmed not only the dependability of the software but also that a cyber-physical system implemented with this solution is able to:
- perform safety functions up to SIL 2 according to EN 61508,
- fulfil safety requirements up to ASIL B according to ISO 26262.
Although the independent assessment of the MVP was performed for SIL 2/ASIL B, the solution offers features that can be used to implement the fault detection and mitigation techniques appropriate for even higher integrity levels.
For those who want to start right away, there is a free edition available at https://www.elektrobit.com/products/ecu/eb-corbos/linux-for-safety-applications/free/
EB corbos Linux for Safety Applications
- is based on Linux,
- complies with the functional safety prescriptions required in various domains to perform safety functions up to SIL 2 according to EN 61508 and up to ASIL B according to ISO 26262,
- supports mixed criticality, meaning that safety-related and non-safety-related applications can run on the same kernel,
- supports different architectures with or without multiple domains and with or without containers,
- supports long-term maintenance (up to 15 years) and security support,
- is largely compatible with the features and interfaces of a standard Linux while following security best practices,
- comes with a safety-certified toolchain and libraries, warranty and liability, and
- is available free of charge and ad hoc for use in demonstrators.
The free edition ensures that anyone can start right away: just follow the link provided above.
As part of the innovative development project together with Elektrobit Automotive GmbH in Erlangen, emlix is deeply involved in the development of the supervisor software. We will happily support you in evaluating whether EB corbos Linux for Safety Applications is an appropriate approach for your development project.
Enjoy!
By the way: Jens Petersohn from Elektrobit had the honour of picking up the CES Innovation Award for EB corbos Linux for Safety Applications at the Venetian Expo.
Further information
Please, contact us, if you want to get more details or want to know whether this approach will work for your specific development project:
Your contact partner
Our emlix safety experts
Phone +49 551 304460
solutions@emlix.com