Embedded Linux and safety are two domains which have been successfully united for almost 20 years now; be it the medical technology, mechanical, or automotive sector. Two-channel solutions as well as hypervisor based architectures have long been in use. 

In March 2024 a completely new solution received a positive and far-reaching assessment from TÜV Nord. This assessment is applicable both to ISO26262 (ASIL B, SEooC) as well as to IEC61508 (SIL2): As part of an innovative development project together with Elektrobit Automotive GmbH in Erlangen, emlix has developed a Linux Safety Monitor which reliably supervises the Linux kernel, enabling a SIL2 application to be run directly on Linux. This allows bridging the gap between safety and open source solutions which has existed until now.

This solution is immediately available for integration into projects in domains such as medical technology, industrial automation, and power engineering.

Embedded Linux has been in use in various safety-critical applications for years. However, it is ordinarily reserved for non-safety-critical functions, most commonly communication, networking, update-functionality, and visualisation. 

If a safety load is placed on the Linux system, a redundancy approach is predominantly used. This redundancy approach creates costs, both direct, such as for hardware, as well as indirect, for example for maintenance. As a rule, two different operating systems with two separate maintenance lifecycles will run on the two separate SOCs. The maintenance also requires the corresponding experties in both operating systems as well as communication at the interfaces. 

This new architecture allows using a single SOC with one CPU and a Linux operating system. 

Running rust, C, and C++ applications directly on the Linux system is no longer a problem with the Linux Safety Monitor and corresponding safety compiler. Further programming languages and compilers can also be used as long as they produce Linux-compatible ELF binaries. 

Alongside the usual communication channels, a shared memory interface enables low latency communication, which safety applications can use to interact with each other. Futhermore, there exists a similar interface to a non-safety virtual machine available to safety applications.

The approval against the requirements of both ISO26262 and IEC61508 massively expands the range of deployment possibilities in various industries.

In the industrial automation domain an example would be certain aspects of the control of safety-critical lasers. The configuration of the lasers could still be carried out by a non-safety-critical application. A safety-critical application would then ensure that the values never lie outside certain hard upper and lower limits. For example, these could be the intensity of the laser beam or the maximum angle of the orientation.

Another example, this time from the medical technology domain, demonstrates the potential of a Linux system supervised by the Linux Safety Monitor: displaying safety-critical information on the same screen as non-safety-critical information. A concrete example would be the vital signs of a patient together with alarm functionality, both of which must be entirely reliable, paired with some convenient information for the medical personal.

The display of safety-critical information cannot be corrupted by non-safety-critical data because the rendering happens in a separate layer that can never be overwritten. Critical data is then only rendered once a final check by the safety-related application has occurred.

These two examples show how the software architecture can be reimagined. Hardware costs will be reduced, although the real leverage lies in the massively reduced complexity of the lifecycle maintenance.

Through the integration of non-safety-critical and safety-critical applications on a single SOC it becomes possible to implement lower latency communication between the applications as well as to use the inherent performance of a Linux system.

The relevant standards like IEC62304 or IEC 61508 do not only have requirements in regard to the development phase but also the lifecycle management of the software. Due to growing demands for data security and manipulation protection of the mostly network integrated devices these task become increasingly complex. Today, a „never touch a running system“ approach would no longer be possible.

Consequently, the software in the field has to be continuously monitored for any improvements for the software. And it has to be a conscious decision whether to implement such a finding or not. For the Linux system a contiuous monitoring for all actually used packages has to be implemented. This has to ensure that security issues and fixes as well as functional improvements and updates are detected in good time. If there are relevant findings a new release has to be provided to the customers.

Based on long-term experience in software maintenance and modification of embedded Linux systems emlix supports its customers in these lifecycle phases. In doing so we are closely involved in our customers‘ PRM/CRM processes. In safety-critical applications we do not only analyse whether a potential modification is of relevance for the concrete software version. We also perform an impact analysis to make sure that a specific modification does not interfere with safety-critical attributes.