
Interview: Wind River's John Bruggeman

Posted Jul 22, 2008 2:54 UTC (Tue) by smitty_one_each (subscriber, #28989)
Parent article: Interview: Wind River's John Bruggeman

> A great example of that would be security certification for an airplane. The standards and the requirements to meet those certifications are very, very complex.

Now, are these standards complex because the problem domain is complex, or are these standards
complex because that situation suits somebody's (not necessarily Wind River's) business model?



Interview: Wind River's John Bruggeman

Posted Jul 22, 2008 4:14 UTC (Tue) by Oddscurity (guest, #46851)

It depends on what you would call complex. Describing a triply redundant system appears to me
to be of the same complexity as, say, parallel programming. Designing a high-availability,
data-driven website (Google, Slashdot, et al.) may even compare to a degree; it's a different
domain, but the problem is largely the same. Those inter-bank payment systems and flight
booking systems probably come close, where data lossage is an absolute no-no.

It might just be he calls it "very, very complex" because those standards are hard to read for
all the legalese they're couched in.

In other words, I'm guessing as much as you are.

Interview: Wind River's John Bruggeman

Posted Jul 22, 2008 5:39 UTC (Tue) by jordanb (guest, #45668)

I suspect it's more a matter of the process to get the software certified being complex,
rather than the standards themselves. 

For real high-integrity software, I think it would be very difficult to get Linux certified. A
big part of it is a verification of the development process, and you'd have an incredibly hard
time showing that Linux went through any sort of rigor (mainly because it didn't ;p). You
would probably have to take a snapshot of the kernel, rip out everything that isn't needed,
and then do code review and testing in-house, replacing or removing things that fail review or
don't conform to MISRA-C. By the time that's done whatever benefit there was to using Linux
over an in-house OS would likely be gone. 

Does the process serve to inflate the profits of a company like Wind River? Probably, but then
again, aerospace has a culture of safety that doesn't exist in most other areas where software
is developed and used. The fact that avionics has been remarkably free of people-killing bugs
is a pretty good validation of the process.

Interview: Wind River's John Bruggeman

Posted Jul 22, 2008 7:04 UTC (Tue) by aleXXX (subscriber, #2742)

Software for airborne systems must be DO-178B certified in the US; in Europe there's a similar
standard, can't remember the abbreviation right now. There are different levels for that,
depending on the criticality of the software. E.g. the in-flight entertainment system requires
a less strict level of certification than the fly-by-wire software, since the latter can kill
people.

For the highest criticality levels you need things like testing with 100% code coverage, you
need to track all requirements and you have to be able to document in which lines of code each
requirement is implemented, you must not have code that you don't have a requirement for, each
line of code must be "signed" by at least two developers, etc.

I think the Linux kernel is just too big and moving too fast to do this. Or, as somebody else
already said, if you snapshot a kernel, strip out unneeded drivers, then start the testing,
documenting etc., you are probably not better off than with another solution (months or years
behind Linus's tree, patches don't apply, behaviour is different because you changed so much,
etc.).

So for these systems a really small OS (in LOC) is a good choice; it is just easier to certify
(there are also free RTOSes). RTOSes in general are not necessarily something very
sophisticated or complex; often they are actually quite simple and stripped down compared to a
general-purpose OS. But this makes them more predictable and also certifiable.

Alex
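
The requirements-traceability part of the process described above (every requirement mapped to the lines that implement it, and no code without a requirement behind it) is mechanical enough to check automatically. The following is an added example, not code from the thread, from Wind River, or from any DO-178B toolchain: it assumes a constructed convention where each function carries an `Implements: <REQ-ID>` line in its docstring, and the requirement IDs (`SWR-1` etc.) and the reviewed source are made up for illustration. It reports which requirement each function's line span satisfies, functions with no requirement, tags that point at no known requirement, and requirements with no code at all.

```python
"""Requirements-to-code traceability check (added example, constructed data)."""
import ast
import re
from dataclasses import dataclass, field

# Tag convention assumed for this example: "Implements: SWR-n" in a docstring.
TAG_RE = re.compile(r"Implements:\s*([A-Z]+-\d+)")

# Constructed requirement list; the IDs are hypothetical, not from any standard.
REQUIREMENTS = {
    "SWR-1": "Commanded surface angle shall be limited to [-25, 25] degrees.",
    "SWR-2": "Sensor readings outside the valid range shall be rejected.",
    "SWR-3": "The controller shall log every rejected reading.",
}

# Constructed source under review, embedded as a string so the check runs offline.
SOURCE = '''
def clamp_angle(deg):
    """Implements: SWR-1"""
    return max(-25.0, min(25.0, deg))

def valid_reading(raw):
    """Implements: SWR-2"""
    return 0 <= raw <= 4095

def debug_dump(state):
    """Developer convenience; no requirement."""
    return repr(state)

def scale(raw):
    """Implements: SWR-9"""
    return raw / 4095.0
'''


@dataclass
class TraceReport:
    # requirement id -> list of (function name, first line, last line)
    implemented: dict = field(default_factory=dict)
    # functions carrying no requirement tag at all
    untraced: list = field(default_factory=list)
    # (tag, span) where the tag names a requirement that does not exist
    unknown_tags: list = field(default_factory=list)
    # requirement ids with no implementing code
    unimplemented: list = field(default_factory=list)

    def ok(self):
        """True only when every function is traced and every requirement is covered."""
        return not (self.untraced or self.unknown_tags or self.unimplemented)


def trace(source, requirements):
    """Walk the module AST and match each function's docstring tags against requirements."""
    report = TraceReport(implemented={rid: [] for rid in requirements})
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        doc = ast.get_docstring(node) or ""
        tags = TAG_RE.findall(doc)
        span = (node.name, node.lineno, node.end_lineno)
        if not tags:
            report.untraced.append(span)
        for tag in tags:
            if tag in requirements:
                report.implemented[tag].append(span)
            else:
                report.unknown_tags.append((tag, span))
    report.unimplemented = [rid for rid, spans in report.implemented.items() if not spans]
    return report


if __name__ == "__main__":
    r = trace(SOURCE, REQUIREMENTS)
    for rid, spans in r.implemented.items():
        print(rid, "->", spans or "NOT IMPLEMENTED")
    print("untraced functions:", r.untraced)
    print("unknown tags:", r.unknown_tags)
    print("traceability OK:", r.ok())
```

Run as a script it prints the per-requirement line spans and the three kinds of gap; in a real process the same report would be produced per reviewed snapshot and kept as evidence, which is exactly the bookkeeping that a large, fast-moving tree makes hard to sustain.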

Interview: Wind River's John Bruggeman

Posted Jul 25, 2008 11:51 UTC (Fri) by chema (subscriber, #32636)

The European "mirror" of DO-178B is called ED-12B. It is just a copy, since DO-178B was
developed by both RTCA and EUROCAE.
The DO-178B "name" is widely used in the EU. We used to say DO-178B instead of ED-12B all the time :)

DO-178B is not only a certification, it is a process that starts the same day as the
development project itself. It will be very hard for an existing application to get certified for
any DO-178B level and, of course, definitely almost impossible to get Level A certification.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds