The focus of this chapter is on building real-time systems, which are the systems that must meet their temporal specifications. The first section discusses the real-time operating systems with the main emphasis on RTD related to Linux; the next section outlines current and future work on languages for programming real-time systems (mainly Java and Ada), the following section is about real-time scheduling, Section 4.4 overviews approaches to worst case execution time analysis and the last section discusses verification and validation of real-time systems (focusing mainly on safety critical applications).
Development of safety-critical systems is an important area of work within the scope of real-time systems. Today, safety-critical real-time systems play an important role in our society. Their application extends to a large variety of domains, including the automobile, railway, avionics and space domains. Computer systems in such domains are subject to very stringent dependability requirements, in particular in terms of safety (non-occurrence of catastrophic consequences after a failure). Besides, they must meet very stringent timing requirements, typically referred to as deadlines. Missing a deadline can entail the failure of the system (hard deadlines), which in certain cases can become catastrophic in terms of human lives or economic losses (critical real-time systems).
4.1 Real-time Operating Systems
Linux
Linux is rapidly becoming the dominant operating system for developing real-time applications. More and more real-time operating system (RTOS) users, especially large companies looking for cost savings, are considering migrating to Linux, avoiding royalties on commercial operating systems (OSs), and leveraging open source code bases without being locked in with a single vendor or a single kind of hardware platform.
In addition, real-time systems are more and more demanding in terms of other features. Most systems get connected to the larger world through IP. Therefore, such systems require a validated IP stack. Given the pace of evolution in such a domain, it is cheaper and safer to rely on systems such as Linux rather than on proprietary OSs, which have to keep up with the latest evolution in terms of network features. Windowing systems, databases, management and control software are also “general purpose” software, which may be leveraged when joining the Linux world.
There is however a possible limitation to this move: the GNU Public License! RTOS users and developers who have invested in their proprietary environment may not want to give their drivers to the community if those drivers carry major intellectual property providing a competitive advantage. This is however not an issue for companies whose main added value resides above the operating system, in the application's world. Another issue related to licensing in this context is liability.
One more factor slowing or hindering the move to Linux is the existence of legacy applications and drivers that users do not want to rewrite or adapt to a Linux environment, mostly because of time and economic constraints.
There is a high level of interest in enhancing Linux (as a commodity OS) with real-time features. Expression of such interest may be found in the specifications edited by the Carrier Grade Linux work group of OSDL. The Embedded Linux Consortium, although more interested in small configurations, also has some focus on real-time APIs. The OCERA IST project works on extending Linux with new real-time functionality.
Depending upon the needs of the targeted applications, different means are used for providing different real-time capabilities:
- Soft real-time is provided by means of specific modifications to the Linux kernel to improve the preemptability of the system, or to provide an O(1) scheduler. This approach is used by MontaVista.
- Hard real-time requires more drastic control over the resources. A number of systems address this by running a real-time kernel alongside the Linux kernel. Such systems are loaded as modules of the Linux kernel and are therefore dependent on Linux itself. This mechanism is used by RT-Linux and RTAI.
Some other systems use a cleaner approach in which the RT environment is not dependent upon the Linux system but may run either alongside the Linux kernel or without the Linux kernel. Adeos and Jaluna-2 use this mechanism. They rely on a small layer, similar to a Virtual Machine Monitor (see Chapter 6), but much thinner for better performance. This approach enables them to run, on the same physical box, an RTOS as well as any selected commodity OS, whether Linux, BSD or even Windows. In addition, it may be a way to solve the migration issue for systems that are based on a proprietary OS and wish to benefit from the richness of Linux. Of course, such dual-personality systems are more expensive in terms of memory consumption.
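The soft real-time approach above relies on the kernel's preemptability and scheduler, and whether a given Linux build actually meets a temporal specification is something a practitioner measures rather than assumes. The following added example (written for this page, not code from the chapter or from any vendor named here) uses the POSIX real-time API on Linux to run a periodic task and count deadline misses: it requests SCHED_FIFO, locks memory to avoid page faults, releases the task on absolute deadlines with clock_nanosleep(TIMER_ABSTIME), and reports how many releases woke up later than the tolerance. The names deadline_stats, analyse_releases, enter_realtime and run_periodic, the 1 ms period, the 200 us tolerance and the sample data are all my own assumptions.

```c
/* Periodic task under Linux using the POSIX real-time API.
 * Added example for this page; assumes Linux with glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <time.h>

#define NSEC_PER_SEC 1000000000LL

typedef struct {
    int64_t samples;      /* releases observed */
    int64_t misses;       /* releases that woke after expected + deadline */
    int64_t max_lateness; /* worst lateness in ns (0 if never late) */
} deadline_stats;

/* Pure function: compare expected release instants with the instants the
 * task actually ran; a release is missed when lateness exceeds deadline_ns. */
deadline_stats analyse_releases(const int64_t *expected, const int64_t *actual,
                                int n, int64_t deadline_ns)
{
    deadline_stats s = {0, 0, 0};
    for (int i = 0; i < n; i++) {
        int64_t lateness = actual[i] - expected[i];
        s.samples++;
        if (lateness > deadline_ns)
            s.misses++;
        if (lateness > s.max_lateness)
            s.max_lateness = lateness;
    }
    return s;
}

static int64_t ts_to_ns(const struct timespec *ts)
{
    return (int64_t)ts->tv_sec * NSEC_PER_SEC + ts->tv_nsec;
}

/* Become a SCHED_FIFO thread with locked memory.  Returns 0 on success or
 * -errno (typically -EPERM without privileges); the caller then falls back
 * to SCHED_OTHER so the measurement still runs, only less deterministically. */
int enter_realtime(int priority)
{
    struct sched_param sp;
    memset(&sp, 0, sizeof sp);
    sp.sched_priority = priority;
    if (sched_setscheduler(0, SCHED_FIFO, &sp) != 0)
        return -errno;
    /* Pin current and future pages: a major page fault in the loop would
     * defeat any preemption improvement the kernel offers. */
    if (mlockall(MCL_CURRENT | MCL_FUTURE) != 0)
        return -errno;
    return 0;
}

/* Run n releases with the given period; record expected and actual times. */
void run_periodic(int64_t period_ns, int n, int64_t *expected, int64_t *actual)
{
    struct timespec next, now;
    clock_gettime(CLOCK_MONOTONIC, &next);
    int64_t next_ns = ts_to_ns(&next);
    for (int i = 0; i < n; i++) {
        next_ns += period_ns;
        next.tv_sec = next_ns / NSEC_PER_SEC;
        next.tv_nsec = next_ns % NSEC_PER_SEC;
        /* Absolute sleep: no drift accumulates across iterations. */
        while (clock_nanosleep(CLOCK_MONOTONIC, TIMER_ABSTIME, &next, NULL) == EINTR)
            ;
        clock_gettime(CLOCK_MONOTONIC, &now);
        expected[i] = next_ns;
        actual[i] = ts_to_ns(&now);
    }
}

/* Constructed sample (not measured data): five 1 ms releases, two of which
 * woke more than 200 us late (300 us and 250 us). */
deadline_stats sample_analysis(void)
{
    static const int64_t expected[] = {0, 1000000, 2000000, 3000000, 4000000};
    static const int64_t actual[]   = {50000, 1300000, 2020000, 3250000, 4001000};
    return analyse_releases(expected, actual, 5, 200000);
}

int main(void)
{
    enum { N = 1000 };
    static int64_t expected[N], actual[N];
    const int64_t period_ns = 1000000;  /* 1 ms period (assumed) */
    const int64_t deadline_ns = 200000; /* 200 us tolerance (assumed) */

    int rc = enter_realtime(50);
    if (rc != 0)
        fprintf(stderr, "SCHED_FIFO unavailable (%s); measuring under SCHED_OTHER\n",
                strerror(-rc));

    run_periodic(period_ns, N, expected, actual);
    deadline_stats s = analyse_releases(expected, actual, N, deadline_ns);
    printf("%lld releases, %lld deadline misses, worst lateness %lld us\n",
           (long long)s.samples, (long long)s.misses,
           (long long)(s.max_lateness / 1000));
    return s.misses == 0 ? 0 : 1;
}
```

Run it with the privileges needed for SCHED_FIFO (root or an appropriate RLIMIT_RTPRIO) and compare the miss count on a stock kernel with the same binary on a kernel built with the preemption improvements the text mentions; the non-zero exit status on any miss makes it usable as an acceptance check in a build pipeline.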
Another indicative move is for non-Linux OS developers to provide a Linux interface: QNX claims to have a Linux API, which enables Linux applications to run on top of QNX systems.
Here is an incomplete list of real-time Linux vendors: MontaVista, Jaluna-2, LynuxWorks, TimeSys, RTLinux (FSM Labs), RTAI/Lineo.
We will consider Jaluna's work in detail to demonstrate how industry approaches this. Jaluna offers different OSs: Jaluna-1 and the Jaluna-2 family.
Jaluna-1 is an RTOS which is the latest version of the ChorusOS product line previously developed by Chorus Systems and Sun Microsystems. Jaluna-1 provides a fairly complete POSIX API. It is based on the C5 microkernel (formerly the Chorus microkernel) and has an OS layer derived from FreeBSD 4.1. Jaluna-1 comes with a host-target development environment. It addresses the carrier-grade requirements of real-time, embedded elements of network equipment, such as PBXs, switches, bridges, routers, etc. It provides a number of high-availability features including error confinement, hot restart and service reconfiguration, as well as simple and efficient means to securely manage system resources.
The Jaluna-2/RT OS brings together Linux and real-time capabilities for embedded systems. A hardware resource dispatcher enables the C5 microkernel and the Linux kernel to run side by side. The overhead imposed by the dispatcher is very small, permitting the real-time properties of the C5 environment to be maintained. At the same time, Linux performance is very close to that of a native Linux implementation.
This approach is further extended within the J2/VL system, which enables multiple Linux instances to run alongside the C5 microkernel. In this configuration, each system is almost isolated from the others. This work bears some similarities with Virtual Machine Monitors, but avoids most of the overhead usually incurred by such approaches, thus allowing a real-time environment to be supported.
Academia Research
There are many good reasons why universities are nowadays not developing new RTOSs. But there is one interesting development we would like to mention: the FIASCO system developed by Dresden University in Germany within the DROPS project (the Dresden Real-Time Operating System Project). This project develops design techniques for constructing distributed RTOSs that support applications with Quality of Service requirements. To achieve this, every component of the OS guarantees a certain level of service to applications. The key component is L4Linux, the Linux server on top of the L4 microkernel. In addition, separate real-time components, designed from scratch, provide deterministic service to real-time applications.
COTS Real-Time Operating Systems and Dependability
An important trend today is to build safety-critical real-time systems from COTS software components, particularly from COTS real-time operating systems. The use of COTS software can reduce the time-to-market and development costs of real-time applications. However, the development process of the COTS components does not usually match the stringent requirements imposed by safety-critical systems. A conceptual and experimental framework for dependability benchmarking of COTS-based systems (the DBench project) can provide system developers with means for identifying malfunctioning or weak parts of the system, and for comparing the dependability of competing solutions based on COTS real-time operating systems (e.g., RTEMS).
Market Perspectives
The RTOS market is highly fragmented, with many commercial providers and many more home-grown systems. One of the reasons for this fragmentation lies in the need to customize the system to the dedicated application area. These specific needs might be related either to footprint and memory cost constraints (mobile phones, car equipment, etc.) or to requirements for proof-based certification (for aerospace embedded systems, automotive systems, etc.). Here is a partial list of the main non-Linux based RTOSs: Wind River (VxWorks and pSOS), QNX, OSE, Microsoft WinCE, Symbian, Jaluna-1, LynxOS, ThreadX, RTEMS.
As one might fear, there are a lot of systems and many APIs for very similar services. However, there have been several attempts to make these systems converge, at least from the API point of view. Among the standardization efforts, one may cite:
- POSIX real-time extensions and profiles
- ITRON: a Japanese standardization effort
- OSEK: an industry standard for an open-ended architecture for distributed control units in vehicles
- Embedded Linux Consortium: this is defining Linux profiles to have it work in the embedded space. Although the Consortium is more interested in small configurations, it also has some focus on real-time APIs.
- Carrier Grade Linux: commercial companies having an interest in Linux for the telecommunication industry are working together to define the evolution of Linux to make it cope with telecom requirements. This includes many aspects, among which real-time features.
4.2 Languages for Real-Time and Embedded Systems
Embedded systems are mainly small (for example, mobile phones) but can sometimes be extremely large (for example air traffic control systems). For small embedded applications, sequential languages like C and C++ reign supreme. For the larger real-time high integrity systems, Ada still dominates. In the telecommunications market, CHILL is popular. In Germany, Pearl is widely used for process control and other industrial automation applications.
Although there is little doubt that the Java language has been immensely successful in a wide range of application areas, it has yet to establish itself completely in the real-time and embedded markets. The introduction of a Real-Time Specification for Java could dramatically alter the status quo. In the future, if Microsoft’s C# programming language starts to gain momentum, extensions will inevitably be considered to make it more appropriate for real-time systems.
Rather than consider all possible real-time programming languages, this section focuses on two representatives of the landscape: Ada and Real-Time Java (in particular the Real-Time Specification for Java). Ada represents the class of concurrent real-time programming languages which were developed in the late 1970s and early 1980s (including Pearl and CHILL). These have been extended over the years to embrace object-oriented programming and to give better support for real-time and distributed systems. Real-Time Java represents the current trend of supporting architecture-neutral real-time systems, potentially in an open environment (and points to the direction that languages such as C# might take in the future). Synchronous languages (such as Esterel, Signal or Lustre) and functional languages (such as Erlang) are not considered, as their use is either confined to a particular company (e.g. Ericsson and Erlang) or targeted at supporting only reactive systems (e.g. Esterel). Sequential languages such as C and C++ are also not reviewed, as their advantages and disadvantages are well known. Research-oriented languages are not covered, as they are not in widespread use.