
Balancing Operating Systems for Safety-Critical Applications

2024-09-01 Wind River (风河) 大***

Linux, as open source software, has become the backbone of the global technology infrastructure. Powering the majority of the world’s servers and supercomputers — and mobile devices, via Android — Linux has become omnipresent in the modern digital ecosystem.

It makes sense to reuse, to build on collective knowledge and drive economies of scale through common technology use. This enables organizations to accelerate development and avoid the pitfalls of older approaches. This instinct to leverage the good work done in other industries has led to a lot of recent buzz around the idea of using Linux in automotive applications. Again, this approach makes sense — to a point.

But when it comes to safety-critical applications, Linux as we know it is not an appropriate operating system. Efforts to force-fit Linux into safety-critical situations have been attempted for more than a decade, and little success has been achieved.

Instead, automotive companies should use a software architecture that leverages best-fit solutions for the differing requirements of automotive software. Linux can be used for many non-safety-critical systems. Android has long since won the battle for in-vehicle infotainment. And proven and certified real-time operating systems (RTOSes) such as VxWorks® are best for safety-critical functions. This best-fit approach can even be accommodated on a single SoC, via high-performance hypervisors such as Wind River® Helix™ Virtualization Platform.

Importantly, this hybrid architecture can also achieve the goals that companies are looking for in next-generation software architectures and cloud-native paradigms, leveraging the advances developed for other industries in ways that make the most sense in the safety-critical world.
Safety-critical applications are essential in industries such as automotive, aerospace, healthcare, and industrial automation, where system failures can lead to severe consequences, including loss of life, significant financial loss, or environmental damage.

The operating system (OS) plays a crucial role in these applications by managing hardware resources, ensuring real-time performance, and maintaining system reliability and stability. A well-balanced OS for safety-critical environments must provide robust safety features, support real-time operations, and facilitate the certification process to meet stringent industry standards such as ISO 26262 or DO-178C. By carefully balancing these factors, the OS ensures that safety-critical applications perform reliably under all conditions, mitigating risks and safeguarding both users and the environment.

Wind River has a 20-year history with Linux, including 20 years of releasing Yocto Linux for embedded systems and 10 years of releasing CentOS Linux and Debian Linux for enterprise systems. In 2024, we founded a Debian (Enterprise and Edge) community project called eLxr. We are cofounders of multiple Linux open source projects, including the Open Handset Alliance (the consortium behind Android), Yocto Linux, eLxr Debian Linux, and StarlingX (based on Debian Linux). This legacy includes decades of open source contributions and leadership. True open source principles, leadership, and Linux are core to Wind River’s DNA.

This means that we have a deep understanding of Linux’s strengths, and we are a vocal proponent of them. We continue to offer an expanding range of Linux operating system products for our customers. We value Linux’s vast and active development ecosystem, the collaboration among developers across industries, and the ability to avoid vendor lock-in. Because of these strengths, we know that Linux plays a role in the software-defined vehicle.

We also know Linux has significant challenges when it comes to safety certification.
These include:

• Certification complexity: Certifying Linux for safety standards such as ISO 26262 is extremely complex. The Linux kernel is vast, with millions of lines of code, so validating every component for safety compliance is challenging. Certification requires rigorous documentation, testing, and verification, which is difficult for large, general-purpose systems such as Linux. The Linux kernel source tree contains more than 30 million lines of code (much of it drivers and architecture-specific code that any single build compiles only a fraction of, but all of which must be accounted for when scoping a safety argument). This number varies with each release as new features are added, bugs are fixed, and old code is removed. Compare that to a real-time operating system, which may have only 1 million lines of code.

• Lack of pre-certified distributions: Unlike some proprietary RTOSes that come with pre-certifications or have been designed with safety standards in mind, mainstream Linux distributions do not inherently meet ISO 26262 or similar safety standards. Companies need to invest significant time and resources in the certification process, often developing their own safety-certified