The Linux Foundation hosted the Embedded Open Source Summit (EOSS), a new umbrella event for open source embedded projects and developer communities to come together under one roof for important collaboration and education, in Prague, Czech Republic, on June 27-30. More than 1,300 people registered for the conference – representing 375 organizations across 56 countries around the globe.
These days, open source software can be found in almost every reasonably complex product running software. It runs in medical devices, robots, vehicles, and even outer space. In the underlying industry sectors, certification and safety integrity standards play an important role which at first glance seem at odds with the use of pre-existing open source software, not developed strictly in accordance with industry standards.
In this video, recent ELISA project deliverables in the field of elements, processes, and tools are highlighted. These include system theoretic process analysis, workload tracing, call-tree visualization on kernel level, and reproducible example use-cases from the field of medical devices and automotive. Their role in reducing the burden for companies to build and certify open source based safety-critical applications is shown. Additionally, an overview of upcoming ELISA activities in 2023 is provide and how cross project collaboration is established, as the ELISA work streams include interaction with e.g. the Zephyr, Xen, AGL, yocto, and SPDX community. A few statements on the overall challenges of safety-critical use cases using free open-source software will help to pick up those audience which is new to safety-critical or open source development.
Click here for the presentation slides. Click here to view the other videos from the Safety-Critical Software Summit.
Creating a critical safe or secure system generally comes down to two aspects. The system has to be able to meet the technical expectations to handle its criticality and there needs to be evidence these expectations are actually met. With today’s software systems being built by integrating various software components, more often using open source than custom proprietary solutions, it’s obvious that having complete and reliable evidence that the software is created with criticality considerations, such as safety profiles, in mind is key.
Demonstrating the technical capabilities of a system to achieve the safety and security qualities can be done by established analysis methods. However, proving that its process provides the systematic evidence that all has been implemented, tested, built and configured as required, needs evidence of traceability from requirement to tests and release. Typically this evidence is locked within proprietary tools, never 100%, needing manual tasks to prove traceability between items. With continuous changes due to security updates or continuous deploys, managing this systematic evidence gets impossible.
As part of the ELISA Project Seminar Series, Kate Stewart, Vice President of Dependable Embedded Systems at the Linux Foundation, and Nicole Pappler, CTO and Founder of AlectoMetis, presented a webinar titled, “Automating Adherence to Safety Profiles After Fixing Vulnerabilities.” This video will present a model using SPDX, that allows for automated checks for integrity and availability of evidence to prove the systematic capability of software consumed by critical systems. Watch the full video below.
The ELISA Seminar Series focuses on hot topics related to ELISA’s mission to define and maintain a common set of elements, processes and tools that can be incorporated into Linux-based, safety-critical systems amenable to safety certification. Speakers are members, contributors and thought leaders from the ELISA Project and surrounding communities. Each seminar comprises a 45-minute presentation and a 15-minute Q&A, and it’s free to attend. You can watch all videos on the ELISA Project Youtube Channel ELISA Seminar Series Playlist here.
The Linux Foundation hosted the Embedded Open Source Summit (EOSS), a new umbrella event for open source embedded projects and developer communities to come together under one roof for important collaboration and education, in Prague, Czech Republic, on June 27-30. More than 1,300 people registered for the conference – representing 375 organizations across 56 countries around the globe.
EOSS hosted the Safety-Critical Software Summit, which was sponsored by the ELISA Project, that gathered safety experts and open source developers to enable and advance the use of open source in safety-critical applications. As part of the Summit, Nicole Pappler, CTO and Founder of AlektoMetis, and Philipp Ahmann, Technical Business Development Manager at Robert Bosch GmbHand Chair of the ELISA Project TSC, presented a session titled, “Coding Guidelines – to Comply or Not Comply – Some Myth Busting.”
While adhering to certain coding styles is a good practice in software projects, adhering to coding guidelines for safety critical applications is still something rather exotic in open source projects. As open source projects now more and more start to address the needs of functional safety applications, considering coding guidelines preferred by existing functional safety projects seems to become necessary. The most used rules for coding guidelines in the safety critical context are MISRA rules. While applying these can be quite beneficial for most applications, there is a significant number of exceptions where blindly following these rules causes more problems than it solves.
In this video, Nicole and Philipp discuss the most common coding guidelines, best practices and arguments when following the MISRA rules conflicts with the expectations of the project. Acceptance criteria for non-compliance cases along with examples of acceptable deviations will be presented. This is not contra coding guidelines, but illustrates how coding guidelines are beneficial for a project, what to consider when designing a project’s coding guidelines and how the lessons learned by the application of MISRA rule sets can be applied to languages that are not (yet?) covered by widely accepted rule sets.
Click here for the presentation slides. Click here to view the other videos from the Safety-Critical Software Summit.
Written by Philipp Ahmann, Chair of the ELISA Project TSC and Technical Business Development Manager at Robert Bosch GmbH
In June, the ELISA Project’s core contributors and affiliates came together for three days at the Bosch IoT Campus in Berlin, Germany. We discussed recent achievements, project branding and perception, upcoming goals and next steps.
From left to right: (MBition), Gabriele Paoloni (Red Hat), (Red Hat), Olivier Charrier (Windriver), Dongni Fan (MBition), Leonard Moritz Hübner (NXP), Alex Fomichev (MBition), Christof Petig (Aptiv), Philipp Ahmann (Bosch), Kai Hudalla (Bosch Digital), Johannes Kristan (Bosch Digital), Christopher Temple (ARM), Kate Stewart (Linux Foundation) & Sven Erik Jeroschewski (Bosch Digital)
Quick recap on the three days
The workshop kicked off with a discussion about ELISA’s big picture document. The document serves as an entry point for new contributors to find their path through the ELISA deliverables and approach. It will be a living document which gets updated and enhanced when major achievements are reached. It is structured into 3 major parts and complements the project charter and mission.
The project objective
The ELISA approach (ongoing work to meet the project objective)
Using and putting ELISA results into practice
The second session focused on the creation of a pragmatic guide to best practices for open source contributors to facilitate safety analysis in the future. In this session, Kate Stewart, Vice President of Dependable Embedded Systems and and ELISA Ambassador, shared an overview of existing tools which help to make the kernel development work more discoverable, creating certain traceability, and to make analysis “more provable.” The session addressed a few next steps which the project has to look into:
Capturing current Kernel requirements
Using Linux features
Testing Frameworks
Some parts of the topics were directly addressed as part of the second day agenda. In the first session, the safety analysis approach uses a combination of risk analysis, fault injection, and a high degree of automation. Part of it is also the System Theoretic Process Analysis (STPA). This was already successfully applied within Codethink and taken forward within the Open Source Engineering Process (OSEP) Working Group. The motivation to go in this direction was also made visible and which initial work has been started.
In the following session certain limits of a traditional STPA when applied to the Linux Kernel were pointed out by Red Hat. Additional tool support may be needed which was one reason to create the ks-nav tool. The objective of this tool is to analyze the Linux kernel for safety by presenting diagrams of call trees. In this way an understanding of the interactions and dependencies among different parts of the kernel can be gained for safety analysis. To speed up the development and make the tool more visible, the ks-nav tool resides now in an own repository within the ELISA github organization.
After that, the workshop participants had a longer discussion, whether manpage derived requirements and manpage driven testing can improve the argument towards usage of Linux in safety-critical applications.
It describes a large part of the software components of Linux usage in products
It is the established format to describe and learn the software functionality provided by Linux.
It is used by a large audience.
The workshop participants agreed that there is still a lot of work to map the current kernel implementation to the existing manpages and to close the gaps between both. This will be a great contribution to the whole kernel community. Overall the ELISA project plans to take major actions in the field of Kernel documentation improvements.
In the afternoon session “targets for upstreaming to Linux kernel for the remainder of the year” the topic of upstreaming documentation within the user and admin guide of the Kernel was put into practice. The current activities of the Linux Features for Safety Critical Systems (LFSCS) WG were presented to the workshop participants. Shuah Khan (Linux Foundation Fellow) together with Elana Copperman (Mobileye, LFSCS WG lead) illustrated the different configuration parameters of the PREEMPT_RT patches which are now almost completely upstreamed. However, it turned out that the documentation of the parameter and configuration towards desired usage have large room for improvements. As many safety-critical products rely on certain real time capabilities, ELISA judges this topic as high priority and very important.
The 3rd day concentrated heavily on internal ELISA activities, project health and growth. There was a session revisiting the project messaging along with a session about review of change management workflow, and a proposed approach document to go to the working groups/TSC for approval. In another session the participants brainstormed ideas for community growth and engagement, adjacent community outreach and mutual alignment.
Although the sessions focused on internal work, especially the contributions by affiliated workshop participants representing e.g. Eclipse Software-Defined-Vehicle, ETAS, MBition and NXP added new perspectives, led to good takeaways and made the workshop a success.
Major Workshop Takeaways
During the various sessions and at the end of each day takeaways from the participants were collected and discussed. An extract of major takeaways are listed below:
Rework and structure Kernel documentation is an important element of ELISA
Strong risk of diverging, in case you write documentation by another person than the maintainer of the code.
Start identifying critical subsystems of the Linux kernel to enhance user documentation similar to “workload” and “realtime” documentation.
Identification of the “core” part of the kernel that is present in all set of config images
Looking at user APIs for the “core” parts, may be a useful focus for doing detailed analysis that others can use, and build from
Any analysis has to be tagged to specific release, as changes are happening through time.
Getting the API and subsystem analysis of key pieces upstream, combined with recommendations on testing to demonstrate the user space APIs are consistent. (Maintainer need to agree)
ELISA is not providing a safe Linux, but there are interesting tools supporting Safety with using Linux
If you push a patch to the Linux kernel you have to follow rules (e.g. checkpatch). Maybe there can be kernel tools to improve the safety part of Linux, e.g. that the proposed change/config is in line with the safety guidelines
The kernel alone does not make the operating system, you need other components to create a particular system.
Open Sourcing the Red Hat requirement tool would be a great benefit for the wider open source safety community
Use the requirements tool to export SPDX safety linkage SBOMs for the Linux Kernel
Reach out to Eclipse SDV and AGL with SOAFEE to talk about an example system as part of Systems WG
SDPX and System SBOM may be of interest for Eclipse Foundation (SDV)
OEM may be a must have to work on a real use case in certain domains (especially automotive).
The puzzle pieces on the table may not yet be complete and people may use puzzle pieces differently
Workshops are a good place to learn how the different pieces fit together, SBOM, OSEP, ARCH…
Getting involved
The ELISA Project is open to anyone to participate. While membership is not required for participation, we always love to welcome additional members to join us in the mission of enabling Linux in safety applications and to collaborate with other members who are committed to this effort.
If you are interested to learn more about ELISA or want to participate in one of the working groups or recently started activities, just send an email to the technical forum mailing list. Or you can get advice on where to contribute best by joining the Technical Steering Committee (TSC) meeting which is held every other Wednesday at 13:00 UTC.
Last but not least the next in person workshop is only a few months away. ELISA members currently plan to meet again most likely in Munich, Germany, October 16- 18. Please join the mailing list and/or subscribe to @ProjectElisa or our LinkedIn page or our Youtube Channel to learn more about the next workshop.
The Linux Foundation hosted the Embedded Open Source Summit (EOSS), a new umbrella event for open source embedded projects and developer communities to come together under one roof for important collaboration and education, in Prague, Czech Republic, on June 27-30. More than 1,300 people registered for the conference – representing 375 organizations across 56 countries around the globe.
Many organizations would like to deploy open source software in safety-relevant systems, but face extreme challenges in demonstrating that the results would be safe and compliant with relevant standards such as ISO 61508 and ISO 26262.
In this video, Paul explains RAFIA (Risk Analysis, Automated Testing, Fault Injection, Mitigation and Compliance), a methodology devised by Codethink and shared in public via the ELISA Project, which helps us to establish confidence in the use of open source software to support specific safety goals and demonstrate compliance with applicable standards. The component steps of RAFIA will be covered in detail with examples, as well as lessons learned by Codethink in developing and applying the process for an embedded Linux-based operating system supporting a safety-relevant in-vehicle workload.
Click here for the presentation slides. Click here to view the other videos from the Safety-Critical Software Summit.
The Linux Foundation hosted the Embedded Open Source Summit (EOSS), a new umbrella event for open source embedded projects and developer communities to come together under one roof for important collaboration and education, in Prague, Czech Republic, on June 27-30. More than 1,300 people registered for the conference – representing 375 organizations across 56 countries around the globe.
Shuah Khan
EOSS hosted the Safety-Critical Software Summit, which was sponsored by the ELISA Project, that gathered safety experts and open source developers to enable and advance the use of open source in safety-critical applications. As part of the Summit, Elana Copperman, ELISA Ambassador, Linux Features for Safety-Critical Systems WG Chair and Systems Safety Architect at Mobileye, and Shuah Khan, ELISA Ambassador, member of the ELISA TSC and Linux Fellow at The Linux Foundation, gave a presentation titled, “RTL in Safety-Critical Systems: The Potential and the Challenges.“
The Real Time Linux (RTL) collaborative project was established to help coordinate the efforts around mainlining Preempt RT and ensuring that the maintainers have the ability to continue development work, long-term support and future research of RT. The RTL project has been active in adding Preempt RT features in to the mainline kernel. It is time for a closer look on how these features can be used in Safety-Critical Systems.
In this video, we provide a brief overview of Real Time Linux and potential usage in Safety-Critical systems. In addition, we discuss how these features may be relevant to support system safety. We go over the following areas that are most relevant:
1. Tools for analysis of system workload resource usage and performance impact.
2. Kernel configs, guidelines on usage.
3. Relevant system parameters, generic and architecture specific.
4. Test frameworks and how they may be used to investigate and demonstrate safety features.
The PPT presentation can be found here or watch the video below.
https://youtu.be/ShcEarZTcRY?si=5CYTxWOkiOvoHzQ1
Click here for the presentation slides. Click here to view the other videos from the Safety-Critical Software Summit.
The Linux Foundation hosted the Embedded Open Source Summit (EOSS), a new umbrella event for open source embedded projects and developer communities to come together under one roof for important collaboration and education, in Prague, Czech Republic, on June 27-30. More than 1,300 people registered for the conference – representing 375 organizations across 56 countries around the globe.
Safety is important to software everywhere human lives are at risk. In these environments, safety standards must be followed to minimize the risk to humans and to follow regulations. Safety standards such as ISO 26262 come with a series of requirements and processes that sometimes clash with well-established Open Source software development practices. How do we reconcile safety certifications and Open Source?
This presentation will provide some insights to answer that question, using the Xen hypervisor as an example. Xen has a micro-kernel design and provides a virtualization solution for embedded and automotive while having a code base small enough to make certifications possible. This presentation will go through the changes to upstream processes that the Xen community adopted during the last 12 months to align community activities with safety-certification requirements. It will discuss any additional changes planned for the near future. The talk will also cover the latest updates from the Xen FuSa working group on MISRA C, traceability, testing, etc. Watch the video below:
Click here for the presentation slides. Click here to view the other videos from the Safety-Critical Software Summit.
The Linux Foundation hosted the Embedded Open Source Summit, a new umbrella event for open source embedded projects and developer communities to come together under one roof for important collaboration and education, in Prague, Czech Republic, on June 27-30. More than 1,300 people registered for the conference – representing 375 organizations across 56 countries around the globe.
The event hosted the Safety-Critical Software Summit, which was sponsored by the ELISA Project, that gathered safety experts and open source developers to enable and advance the use of open source in safety-critical applications. As part of the Summit, Peter Brink, Functional Safety Engineering Leader at Underwriter Laboratories (UL) and Steven H. VanderLeest, Chief Technologist for Boeing Linux at Boeing, gave a presentation titled, “Debating Linux in Aerospace: Objections and Paths Forward.”
Traditionally, safety-critical flight software used in aerospace is closed, proprietary code from a handful of commercial vendors. Although open-source software could provide several benefits, there are significant hurdles that prevent widespread adoption. First, we list some of the potential benefits of open source for safety-critical aerospace applications. Second, we present an overview of the key concepts and standards for flight software. Third, we identify the objections and concerns for using Linux as the avionics real-time operating system, which is software that generally needs the highest levels of assurance. For each objection, we suggest a possible path forward to address the concern.
Click here for the presentation slides. Click here to view the other videos from the Safety-Critical Software Summit.
The ELISA Project Seminar Series focuses on hot topics related to ELISA and its mission. Presenters are members, contributors and thought leaders from the ELISA Project and surrounding communities. To view past presentations, click here.
On July 18, Chuck Wolber, Software Engineer at The Boeing Company presented a seminar titled, “A Development Environment for DO-178C Level D Certified Linux.”
This video features the use of Yocto/OpenEmbedded as a tool for managing a distributed development environment, automated build and test, and ultimately delivering a DO-178C level D certified Linux platform into revenue service. It also touches on generalized aspects of traceability, team dynamics, “day one developer,” and extensibility. Watch the video:
Written by Red Hat’s Gabriele Paoloni, Alessandro Carminati & Maurizio Papini
One of the main challenges in using the Linux Kernel for safety-critical systems is conducting safety analyses in the absence of architectural documentation. As outlined in this article, within the ELISA (Enabling Linux in Safety Applications) Project, we are adopting the STPA approach at the system level. Accordingly, the Safety Architecture Working Group has been actively working on implementing and expanding this approach within the Kernel.
To conduct an STPA-inspired analysis, it is necessary to define “controller” entities, along with their corresponding control actions and feedback mechanisms. The Linux Kernel has already been divided into entities, which are maintained by different individuals based on the MAINTAINERS file.
Therefore, the Safety Architecture Working Group has made the decision to experiment with STPA analysis within the Kernel by treating the various subsystems or drivers (as defined in the MAINTAINERS file) as individual controllers. Within this context, the challenge has been to identify the control actions and feedback mechanisms between the drivers and subsystems.
The ks-nav tool set, comprising two complementary tools, is specifically designed to support the identification of such control actions.
To facilitate this, ks-nav offers subsystem call trees, which visually represent the interactions and dependencies among subsystems, starting from a given symbol. This feature allows users to identify potential interfaces between subsystems or drivers that support relevant control actions within the specific context of the symbol under analysis.
Another key feature of ks-nav is the identification of function call trees, which list functions potentially encountered starting from a given one . Such a feature could be useful to understand the subsystem or driver behavior following the invocation of a given function.
In summary, within the context of a specific symbol, ks-nav is capable of initially highlighting potential candidates for control actions between subsystems and drivers. Additionally, it allows users to “zoom in” on each subsystem as necessary to support expert judgment in semantically specifying the control actions.
To accommodate diverse analysis needs, the tool set supports multiple output formats, including dot, raster images (PNG or JPG), and vector images (SVG), facilitating effective visualization.
Flexibility is emphasized with compatibility across different database management systems (DBMS) like PostgreSQL, MySQL, MariaDB, or SQLite. This enables seamless integration with users’ preferred DBMS or existing infrastructure.
Moreover, ks-nav is able to identify indirect calls, including the x86 retpoline technique, within the kernel code, and deals with compiler code optimization.
By offering function call trees, subsystem call trees, versatile output formats, DBMS compatibility, and indirect call detection, the ks-nav tool set provides a comprehensive and efficient solution for ELISA activities in Linux kernel analysis. It provides users with the necessary tools to explore the kernel’s structure, and make informed decisions.
This initial commit of the ks-nav tool set also ensures fair test coverage, guaranteeing reliability and effectiveness in supporting ELISA activities. It marks a milestone, demonstrating the team’s commitment to continuous improvement and future advancements to refine the tool set and meet evolving needs in ELISA activities conducted by the working group.
All are welcome to try out the tools, send pull requests for improvements and bug fixes on the ELISA GitHub here.
There will also be a dedicated session on how to apply this tool at the upcoming ELISA Berlin Workshop June 20-22. Learn more about the Workshop or register for it here.
