The INTEGRITY-178 tuMP real-time operating system (RTOS) is the world-leading multicore RTOS for safety- and security-critical applications. Green Hills Software believes that safety and security go hand-in-hand, and INTEGRITY-178 tuMP is a unified solution for multicore processors. INTEGRITY-178 and INTEGRITY-178 tuMP are part of systems that have been certified both to the highest levels of airborne safety (DO-178B/C DAL A) and security (SKKP/EAL 6+) for over 80 airborne systems. INTEGRITY-178 tuMP was the first operating system certified conformant to the latest Future Airborne Capability Environment (FACE™) technical standard, edition 3.0, and it is certified for both the safety base and security profiles. INTEGRITY-178 tuMP is the first and only RTOS to be part of a multicore certification to DO-178C and CAST-32A.
Flexible multi-processing architecture
One of the biggest challenges today in airborne software safety certification is the complexity of validating and certifying multicore software and hardware architectures while achieving high processor utilization. The INTEGRITY-178 tuMP multicore RTOS provides the system integrator full flexibility in choosing the software multi-processing architecture, ranging from simple Asymmetric Multi-Processing (AMP) to modern Symmetric Multi-Processing (SMP) to Bound Multi-Processing (BMP) for the highest combination of determinism and utilization. Some form of BMP is required to meet the latest revision of ARINC 653 Part 1 Required Services, Supplements 4 & 5. INTEGRITY-178 tuMP is the only RTOS that provides SMP and BMP capabilities as part of ARINC 653 support at DAL A.
INTEGRITY-178 tuMP includes Time-variant Unified Multi-Processing (tuMP) scheduling for increased flexibility and ease of scheduling applications over multiple processor cores. INTEGRITY-178 tuMP is “unified” in that a single operating system runs across the multiple cores, enabling optimized SMP and BMP under full user control. The time-variant capability of INTEGRITY-178 tuMP allows the grouping of cores and applications to vary over time, thereby providing the added flexibility to change the assignment of tasks to cores or even change between AMP, BMP, and SMP for different time windows.
Multicore interference management
The principal concern for validation and certification of multicore systems is how an application running on one processor core can interfere with an application running on another core, negatively affecting determinism, quality of service, and, ultimately, safety. Certification authorities have provided some guidance on how to address multicore interference in the CAST-32A position paper. Such multicore interference is very difficult to address entirely at the application or system level because of the low-level coordination needed across processor cores. INTEGRITY-178 tuMP effectively manages interference using DO-178C DAL A runtime mechanisms, libraries, and tools that address the CAST-32A objectives.
Certified highest security assurance
On the security side, INTEGRITY-178 tuMP is implemented as a separation kernel that provides a Multiple Independent Levels of Security (MILS) operating environment. INTEGRITY-178 is the only operating system certified to NSA’s Separation Kernel Protection Profile (SKPP) “High Robustness” and Common Criteria EAL 6+, and INTEGRITY-178 tuMP extends that pedigree to multicore processing systems. INTEGRITY-178 tuMP goes even further with its capability to host Multi-Level Secure (MLS) applications, such as a cross-domain solution (CDS) that filters specific information flow from higher security levels to lower security levels. The NSA and the National Cross Domain Strategy Management Office (NCDSMO) have a new set of security standards called "Raise the Bar," and INTEGRITY-178 tuMP is the first and only commercial RTOS to be part of a Raise the Bar CDS system certification.