Overview

The INTEGRITY-178 tuMP real-time operating system (RTOS) is the world-leading multicore RTOS for safety- and security-critical applications. Green Hills Software believes that safety and security go hand-in-hand, and INTEGRITY-178 tuMP is a unified solution for multicore processors. INTEGRITY-178 and INTEGRITY-178 tuMP are part of systems that have been certified both to the highest levels of airborne safety (DO-178B/C DAL A) and security (SKKP/EAL 6+) for over 80 airborne systems. INTEGRITY-178 tuMP was the first operating system certified conformant to the latest Future Airborne Capability Environment (FACE™) technical standard, edition 3.0, and it is certified for both the safety base and security profiles.

Supported Processors

  • Arm
    • Arm Cortex-A9
    • Arm Cortex-A53
    • Arm Cortex-A72
    • Broadcomm BCM2837
    • Broadcomm BCM2711
    • Intel Aria 10
    • Intel Stratix 10
    • NXP i.MX6
    • NXP i.MX8
    • NXP Layerscape
    • Xilinx Zynq-7000
    • Xilinx Zynq UltraSCALE+
  • Intel
    • Intel Atom
    • Intel Core i7
    • Intel Xeon E3
  • Power Architecture
    • AMCC PPC460ex
    • BAE RAD750
    • IBM 750gx
    • NXP MPC55xx
    • NXP MPC7448
    • NXP MPC8285
    • NXP MPC8548
    • NXP QorIQ P
    • NXP QorIQ T

Flexible multi-processing architecture

One of the biggest challenges today in airborne software safety certification is the complexity of validating and certifying multicore software and hardware architectures while achieving high processor utilization. The INTEGRITY-178 tuMP multicore RTOS provides the system integrator full flexibility in choosing the software multi-processing architecture, ranging from simple Asymmetric Multi-Processing (AMP) to modern Symmetric Multi-Processing (SMP) to Bound Multi-Processing (BMP) for the highest combination of determinism and utilization. Some form of BMP is required to meet the latest revision of ARINC 653 Part 1 Required Services, Supplements 4 & 5. INTEGRITY-178 tuMP is the only RTOS that provides SMP and BMP capabilities as part of ARINC 653 support at DAL A.

Multicore interference management

The principal concern for validation and certification of multicore systems is how an application running on one processor core can interfere with an application running on another core, negatively affecting determinism, quality of service, and, ultimately, safety. Certification authorities have provided some guidance on how to address multicore interference in the CAST-32A position paper. Such multicore interference is very difficult to address entirely at the application or system level because of the low-level coordination needed across processor cores. INTEGRITY-178 tuMP effectively manages interference using DAL A runtime mechanisms, libraries, and tools that address the CAST-32A objectives.

Certified highest security assurance

On the security side, INTEGRITY-178 tuMP is implemented as a separation kernel that provides a Multiple Independent Levels of Security (MILS) operating environment. INTEGRITY-178 is the only operating system certified to NSA’s Separation Kernel Protection Profile (SKPP) “High Robustness” and Common Criteria EAL 6+, and INTEGRITY-178 tuMP extends that pedigree to multicore processing systems. INTEGRITY-178 tuMP goes even further with its capability to host Multi-Level Secure (MLS) applications, such as a cross-domain solution (CDS) that filters specific information flow from higher security levels to lower security levels.