So, welcome. We're here to talk today about ELISA and what's happening in the project, as well as, you know, what's emerging, what's interesting. So we've got a pretty good lineup here for you.

For those who want to join, we have a Zoom room going, and if you want to take a picture of that QR code, the information is there. Hopefully, if you are wanting to interact with us... we don't have a chat channel, so if you wanted to get into the Zoom room and chat or ask questions, that may be a way of getting some interaction going between the virtual participants and the people here in the room today. I will just leave that up for another minute.

So let's go. There we go. So for today, we're going to start off with a bit of an introduction about ELISA, and then we'll be having a discussion about the automotive use case. That's one of our more active groups. Then at 2:30 we'll have a virtual participant coming in, and she'll be going through how we've been looking at analyzing the Linux kernel and subsystems. We'll have a bit of a break and then come back to looking at analyzing Linux as part of a wider system. Then, I think we've just heard that our aerospace person can't make it today, so we may be moving that part forward and trying to give a little bit of information there, but not much, and then just questions. So that's the outline for today. If people have things they want to interject into the schedule, you know, please come see us at the break. Philipp is here, I'm here from the project, and we'll be happy to take the discussion where we want it to go.

So with that: what does it mean to have Linux in a safety-critical system? That's what ELISA stands for, enabling Linux in safety-critical systems. Well, at the whole of it all, we have to assess whether the system is safe, and that requires understanding a system. It's not just Linux.
It's actually understanding your system that Linux is participating in and, you know, understanding Linux in the context of that system and what parts of Linux are being used. That's what we have to be focusing on to do the analysis properly. And then, realistically, Linux is a variety of components. It's a very, very rich ecosystem, and so how do you assess which pieces are actually getting engaged in a potential safety function? And then, quite frankly, we've got a lot of gaps here, and how do we identify the gaps? So this is the thinking that has gone in behind the ELISA story.

And, you know, in safety-critical systems, the Linux kernel has a large development ecosystem, which is a strength. It's probably one of the most active projects out there. The stats I keep in my head are nine commits an hour, and about one bug-fix commit per hour in LTS backports. So we see a lot of change happening in that code base. There's a lot of focus on security. There's a lot of analysis that goes on in this space, fuzzing and so forth, and things that help improve the quality. There's multi-core support. The hardware support is unmatched in the Linux kernel, and we have many experts available. So a lot of the pieces that we need are effectively there. The challenge becomes: okay, can we have hard real-time? Well, actually, that's finally getting merged upstream, and hopefully we should be there any day now. And then, you know, do we have proven safety-compliant development processes? Well, that's one of the bigger challenges, because the standards were not written with something like Linux in mind. And so how do we start doing the analysis in a way that we can actually be effective?
And this is, you know, how we tackle these differences, and this has been the problem that's out there. We know Linux is being used in safety-critical systems. People won't admit it, because it's all under NDA, but we know it's out there, and the question is, you know, how do people do the analysis so they can trust it, and what are the key requirements and so forth? How we can sort of get these gaps tackled is our challenge.

So what we've been trying to look at is, you know, functional safety. At the heart of it, it seems to be about managing the risk in product development, and, you know, to understand the risk in the system you have to understand the system, and the kernel knowledge... not a lot of people have that deep knowledge. There's a lot of kernel experts out there that have the knowledge, but surfacing it in a way that people can consume it has been one of the challenges. So I think, you know, there's a lot of starting points for understanding this, but nothing's really pulling it together in a way that's digestible and consumable, be it for the people who are doing the assessments or the developers doing things. So what we need to do is figure out how we can, you know, collaborate between the people who are doing the assessments and the people who are actually developing products.

My apologies. I'm just getting over a cold and it's showing up. Anyhow, part of the challenge right now for us is understanding the limits of what we can collaborate on. You know, this project does not want to make a system safe.
Okay, we can't engineer it. We can't ensure that when we come up with processes that you'll apply them properly. But we can at least come up with things that we can recommend. And, you know, we can't create an out-of-tree Linux kernel that is fit for all safety-critical applications. There's always that continuous process improvement that's happening, and there are companies that want to make a business model of that, and that's good. But we can't relieve you of your responsibilities and legal obligations. But we can provide people to collaborate with and build up industry norms, so getting it to the stage where we all agree on a common way of doing things helps us move forward.

These are some of the people who are collaborating today with us. So we've got a fairly wide set of participants who have been willing to be visible, without saying they're trying to collaborate here to make this better, including a lot of open source projects like Automotive Grade Linux and so forth, that are actually supporting the project and are participating in trying to figure out what a best practice is.

So the mission of ELISA is to define and maintain a common set of elements, processes and tools. We have some code out there, but that is not the main focus. It's not like a project creating code; it's a project creating processes and tools, and we want this to make things amenable to safety certification. So the scope does include software and documentation development, and everything is being done under an OSI-approved license, but the hope is that we're coming up with processes and methodologies that people can apply outside of the context of this project and our working groups.

So how we're sort of approaching this from a technical strategy perspective: well, we have some deliverables coming out of the ELISA project, and what we're trying to get with them is examples. All this stuff right now happens behind NDAs, and no one has examples.
So when they've worked out things, they can't share it. So they sort of know what they're doing, and they may convince some assessors that they know what they're doing. On the other hand, they can't share it. No one can learn from it. Given that they're all working with open source, it seems like a bit of a waste. So what we're trying to do is do things in the open, try to work through assessments in the open, work through ideas and methodologies, so that we can have things that are referenced for other people to build from, and then the assessors will have something to look at. Thank you for your patience dealing with me with this cold. So I thank you again.

Now, the way we're sort of working this and structuring ourselves is we've got various working groups. Some are focusing on verticals like automotive, medical and aerospace; you'll hear a bit of those today. But then we have groups that are looking at engineering processes for open source: how do they work? What does the architecture look like for the Linux kernel? That's a safety architecture group: what are the features, how we decompose it, how we explain the interfacing. And then we have a whole bunch of config options right now in the Linux kernel; how do they implicate safety when they're actually turned on or off? So those groups are looking at that. We have another group, systems, that's trying to put it all together. We've got the Linux kernel working with the Xen hypervisor, working with an RTOS. That's what systems look like today; we've got all these pieces coming together, and coming up with something reference becomes useful because it's an open place to experiment. So we also are having tools and code implementations to help with this whole system side, and all of these together become the ELISA deliverables and what we're working on as a project.

So let's look a little bit more at those working groups.
I just introduced the safety architecture one. It is being led by Red Hat. The safety architecture one is looking at the latest kernel and going down and doing analysis of parts of the Linux kernel. The Linux features one, Mobileye and Intel are taking sort of the point on that one, on what is actually happening, and they're sort of studying what's going on with which options, and right now they're focusing on real-time because that's almost upstream. The tool investigation one is coming up with tools that we work into the flows to make it available, and Elektrobit and Codethink are active there. And then the OSEP one is the processes; Codethink is being very active on taking the lead in that one. And then systems, Bosch, which you'll hear from Philipp a little bit later, is how we put a reference system together and pull all of this together.

So those verticals: aerospace is very new, and Boeing is basically pulling together people in the industry to actually look at the problems for DO-178C and what the implications are for Linux. The automotive working group, Bosch is taking the point on that one. And in medical devices, we've got an open source project, and so some of the folks from Codethink and myself are looking at how we can actually decompose a problem and do the analysis properly.

So these are sort of what we're after. You can see this (this is a pointer, yes it does). So, you know, this is the AGL dashboard. There's a little dangerous thing up there; that's a telltale. Basically, there's a lot behind getting that there and getting it working, and Philipp will go into the details. Here is an insulin pump system.
Everything is open source, so we can talk about it. See, you know, see the problem about talking about things. So these are the examples we've been using for doing some of the analysis up till now. We'll find more over time.

The systems working group is fitting everything together and making it so that we can actually get the use cases, combining them in a real system, having that real system be reproducible without special hardware, and then, you know, working with things like Yocto and build systems, and coming out with intermediate hypervisors, and how this all can hook together is the challenge for us. And hopefully, if we can get this system set up, then if people need to substitute other things in for their own environments, they have places to plug into and help refine this reference. That's what we're trying for, anyhow.

Now, in terms of the artifacts and activities we're going after, pretty much we're looking at elements, which are the software; processes for working with the elements; tools to help us; and documentation. There's elements from each of these working groups; they are doing parts of things and participating in these different ways. And so we've got things like white papers. We've been sending things up to the Linux kernel for documentation on how to go about doing traces, for instance, and using what's in the kernel to do the traces to get the evidence you need for the flows, how the call trees are done, what the code checkers are, processes.
We started off in medical working with STPA, which proved to be a very useful technique. It's being used in automotive and in the architecture group now. And so adopting some of these newer techniques and showing how they can be working from the system context is good. We've also got things like meta-elisa for pulling all the pieces together.

So a little bit later Philipp will basically be going through the automotive and the systems working group in much more detail, so I'm not going to spend much time right now. A little bit more on the safety architecture one, though. You know, what are subsystems in Linux? How do they actually interact? Is it going to cause problems? These are things that people... you know, we have well-defined interfaces in the Linux kernel, the API and so forth, but inside there are things that have been tested and known to be working, but it's not documented anywhere. Effectively, I think you find it in parts of documentation, you find it in parts of man pages, but looking at it from the safety perspective doesn't seem to be there. So how do we get to the stage where we can actually explain that yes, you're okay to use this, and what are the requirements from the kernel that should be held to, that you could count on for this type of work? What we're doing right now in this group is looking at STPA analysis inside the kernel and looking at tools and techniques. This team came up with a call tree analysis and the ks-nav tool. We're looking at representations of kernel source code to try to understand how it all fits together and interacts, anyhow, and so it's providing insights about how the kernel is all constructed. That's what we're trying to do with this group. So everything is up on GitHub now, or at least it's in that direction.
And so if you want to go play with it, it's there to play with.

For the Linux features in the safety-critical system group, there's all sorts of ways of trying to understand how the config options that are there in the kernel may interact with the safety side of it, what actually this plays together with, and understanding how the internals and externals work and what you turn on when you don't turn on. Figuring out what's really relevant and getting that solid understanding is what this group is trying to get at. What we're sort of doing with it right now is taking a look at PREEMPT_RT, since it's almost upstream and there wasn't much documentation available for it. And so this group is basically going and taking a good, hard look at what's happening with PREEMPT_RT and helping to document it from the perspective of the safety side. So anyone who's interested in the PREEMPT_RT side is welcome to join in on those discussions and look at the features and how they're interacting. So, you know, how the memory protection works, how the fault handling is working, the test infrastructure for checking that you've actually satisfied and you haven't changed anything, and doing effectively an audit of the system requirements that are interacting with the real-time. So these are all what this group is focusing on right now. So if that's an interest area to you, by all means, please join in.

And then on the tool investigations, what they're trying to do is, you know, how do we make the kernel better, how do we improve the quality of the kernel, you know, running the various code checkers and Coccinelle and so forth and sending patches, and just starting to work with the process of the kernel so that it's in a good place to on-ramp into the kernel, and then help to clean up the documentation. That's what this team is looking at right now. And they're mostly looking at some of the CI/CD stuff improvement. They also interact to a large extent with the systems team with some of
our CI flows.

Now, the OSEP group is looking at the processes and techniques for the safety engineering principles being applied to systems that have the Linux kernel, and so this in some ways is at the heart of what we're trying to do with this whole project. They're sort of trying to focus on a methodology of how we actually start to explain this all, and there's a lot of discussions and a lot of analysis that's sort of gone on there, and I think the framework is starting to emerge. So you can look on the mailing list and see some recent discussions on that that Paul has put up, and so I'm hoping, you know, we're sort of, I think, getting to that stage where we're moving it forward now. But identifying and documenting the safety requirements using STPA is something that we've had some success with, and so you'll see a bit of that there too.

So what is this STPA I keep on saying? Well, it's System-Theoretic Process Analysis. It's a way of looking at things from the process, decomposing a system down. It came out of MIT; there's various working groups that have been using it in the safety space for a while now, and everything is open. So again, it's a process, it's open, we can go and look at it, you can see it, you can take and build from it. The idea behind it is very basic. It's a hazard analysis technique, and what it's doing is looking at, okay, a different diagram of thought: you know, there's inputs and outputs, and you're looking at control actions and then the response from the control action. And it's that control action and the response from the control action, and being able to analyze a system in that way, that's how you start to get at the interfaces, and this lets you start to segment the problem into something you can deeply decompose. Thank you.
It was there. Anyhow, so as you see, you've got a controller with an algorithm of process. You put a control action into your process that's getting controlled, and feedback, and what you do is you basically look at your entire system in this way and you successively decompose all the way down until the level you want, what you want to focus on. And so, you know, what we've been looking at is, like in the medical devices, we've been basically decomposing it from level one, level two to level three, and level three is effectively in the kernel for us.

And so, hello, the background we came up with this on is the artificial pancreas system. Going down successively through that level one and level two analysis that you sort of see here, we actually had to iterate. We actually came up with an initial level one, and then we had to go down to level two, and we went, oh, we forgot this, so we'd go back up to level one and realize, oh, we have to put more information in. And so this is a way that you can successively refine to actually get a common, a good understanding of a system and build up consensus. And so we started looking at, you know, what's happening with 62304 for the software requirements. How does it track with the formal standards? And we started working on, okay, we're into level three right now. We're trying to trace the kernel, and so we came up with a white paper on how to do the tracing, and you'll be hearing more from Shuah a little bit later on that, and how you can use some of the tools that are out there today to do the right level of tracing to get to the point where we can do a level three analysis. And so, you know, this is one of them. You know, this is from the OpenAPS developers, the OpenAPS system. It's got a glucose monitor, a continuous glucose monitor.
There's an insulin pump, and it's interacting with a human body. All of this is out there, and actually it's FDA approved now. There's actually been FDA approval and an analysis of it as a system, and there's other open source ones that have also gotten FDA approval too. And realistically, I can point you at papers where there's been scientific studies showing that this is doing a better job of monitoring glucose levels over time and keeping things at a reasonable perspective. On the other hand, it's a hobbyist project, and people are not making advertising budgets out of it, but it's a good system for us to analyze because it's all available. It's not behind any NDAs, and so this was why we started looking at this. So we're always looking for good open source systems that we can go and look at from the safety implications, and we found that STPA was a really good technique for us to start to hone in on what was really important here.

And so, as you can see, when we take it down to level two, we're sort of looking at the system itself. It's running on a Raspberry Pi, off-the-shelf hardware, right? It's got a toolkit running on it. It's got an algorithm; a lot of the algorithm is what the scientific papers will focus on. We're focusing on what's happening with Linux. What's happening in and out of Linux? Could Linux make things go wrong here? And we find a lot of applications out there that are safety critical have Linux sitting as a substrate that people are not even paying attention to under there. And so what we're trying to do is figure out, okay, what parts of Linux engage when this is running, and how do we start looking at whether the requirements necessary
for the system to be effective are being satisfied?

So the recent stuff we've been working on has been looking at the workload tracing, and so using strace and cscope has been getting us most of what we've been needing, actually. And so we got the system calls, or frequencies of calls, for specific workloads, which is what people will do in a safety analysis anyhow. They'll basically have a whole series of workloads that they're going to work through, and we're sort of, you know, coming up with this on our own, and then look at what's happening from a tracing perspective to see what parts of the kernel are invoked, and then we can do an STPA analysis on those pieces of the kernel and see how the triggers are working.

Now, aerospace is a new one, and I haven't been sitting in many of their meetings, so I can't talk too much about them, but what they're trying to do is... well, you know for a fact that Linux is being used in various applications. Basically SpaceX has been pretty visible about it, that they're using Linux today, and we know that, you know, others are wanting to do it. And I know this group is trying to figure out, okay, well, what do we really need to think about here when we're working with it based on these standards, which are very high assurance levels? And so for the avionics industry, you know, how do we get to that assurance level? And let's sort of check. I suspect there'll be elements of what we found in other groups. However, the group has just formed, and if you're interested in the aerospace use cases, we're definitely interested; there's a spot for you to collaborate here. You know, we know that it's being used. It is a broader industry than just the safety critical here; I mean, you know, things on the back of your seats, things like that. But there's also the places where it's moving into that safety-critical space, and that's where we want to make sure we get ahead of it.
We know that Linux has gone to Mars, for instance. We know that it's up in satellites. There are aspects of it that are already being used in practice. The question is, when it becomes safety critical, do we have the right level of analysis? And do we have it visible? So there are certain applications that they're looking at: the traditional aerospace, the air taxi stuff and various commercial drones. These are the scenarios that this group is looking at to try to understand what the implications are.

So with that, I will say, if any of this is interesting to you, by all means, it's an open community. Anyone can join in at any point in time and, you know, participate in the meetings, do the documentation and so forth. What we're trying to do, though, is come up with processes, and so there's a few process discussions that are going on, and that's just part of trying to get a better consensus built up. There's also tooling, though. So if you're interested, if that's what makes you happy, there's tools that we need, no question. And with that, here's a link on the slides for all the various places where we're meeting for the various working groups, as well as reviewing the content as it goes up to GitHub and reviewing the various repositories.

And with that, does anyone have any questions? If there's anyone online that has questions, by all means, we've got that Zoom meeting thing, so feel free to chat, put questions in the chat or respond. And anyone in the room? No? Okay, most of these people know. So with that, then, I will hand it over to... oh, go for it.

Yeah, we'll put the slides up there. No worries. Thanks. We'll be there before the evening, I guess.

Yep, just in time slides. You know that drill, don't you?
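The talk describes the medical working group's workload tracing: run a workload under strace, get the system calls and their frequencies, and use that to see which parts of the kernel the workload actually invokes before doing the STPA analysis. The following is an added example of that first step; it is not code from the talk, the slides or the ELISA project's own tooling. It parses the standard strace line format (including the `[pid N]` prefix and the `unfinished`/`resumed` pairs that `strace -f` emits), counts each syscall, and rolls the counts up by subsystem. The sample trace and the syscall-to-subsystem table are constructed for illustration only; which subsystem a syscall really enters is exactly what the analysis has to establish, so that table is an assumption, not a result.

```python
"""Added example (not ELISA project code): count system calls per workload
from strace output and roll the counts up to kernel subsystems.

Capture a real trace with:  strace -f -o trace.txt <workload>
"""
import re
from collections import Counter

# Matches a syscall entry such as
#   openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
# and, with strace -f, the PID-prefixed form
#   [pid 1234] read(3, "...", 16) = 16
SYSCALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(?P<name>[a-z_][a-z0-9_]*)\(')

# strace lines that are not syscall entries (signals, exit status, warnings)
SKIP_PREFIXES = ("+++", "---", "strace:")

# CONSTRUCTED, illustrative mapping for the demo. Assumption: these are not
# ELISA's subsystem boundaries; the real grouping comes out of the analysis.
SUBSYSTEM_OF = {
    "openat": "vfs", "read": "vfs", "write": "vfs", "close": "vfs", "fstat": "vfs",
    "mmap": "mm", "munmap": "mm", "brk": "mm", "mprotect": "mm",
    "clock_gettime": "time", "nanosleep": "time",
    "socket": "net", "connect": "net", "sendto": "net", "recvfrom": "net",
    "futex": "sched", "clone3": "sched", "exit_group": "sched",
}


def syscall_name(line):
    """Return the syscall name on one strace line, or None for non-syscall lines.

    A call interrupted by another thread appears twice, as
    '... <unfinished ...>' and later '<... NAME resumed> ...'; only the first
    half matches the regex, so each call is counted exactly once.
    """
    line = line.strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    if "resumed>" in line:
        return None
    m = SYSCALL_RE.match(line)
    return m.group("name") if m else None


def syscall_frequencies(lines):
    """Per-syscall call counts for one workload trace (iterable of lines)."""
    counts = Counter()
    for line in lines:
        name = syscall_name(line)
        if name:
            counts[name] += 1
    return counts


def subsystem_frequencies(counts, mapping=SUBSYSTEM_OF):
    """Roll per-syscall counts up to the subsystem each call enters.

    Calls missing from the mapping land in 'unclassified' so that gaps in the
    table are visible rather than silently dropped.
    """
    by_subsys = Counter()
    for name, n in counts.items():
        by_subsys[mapping.get(name, "unclassified")] += n
    return by_subsys


# CONSTRUCTED sample trace in strace -f format; not captured from any real workload.
SAMPLE_TRACE = r"""
openat(AT_FDCWD, "/dev/ttyUSB0", O_RDWR|O_NOCTTY) = 3
read(3, "\x01\x02", 2) = 2
write(3, "\x03", 1) = 1
clock_gettime(CLOCK_MONOTONIC, {tv_sec=100, tv_nsec=5}) = 0
[pid  2001] futex(0x7f0000001000, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid  2000] read(3, "\x04", 1) = 1
[pid  2001] <... futex resumed>) = 0
write(3, "\x05", 1) = 1
ioctl(3, TCGETS, {B9600 opost isig icanon echo ...}) = 0
+++ exited with 0 +++
"""


def report(trace_text):
    """Return (per-syscall counts, per-subsystem counts) for a trace."""
    counts = syscall_frequencies(trace_text.splitlines())
    return counts, subsystem_frequencies(counts)


if __name__ == "__main__":
    counts, by_subsys = report(SAMPLE_TRACE)
    for name, n in counts.most_common():
        print(f"{n:5d}  {name:<16s} {SUBSYSTEM_OF.get(name, 'unclassified')}")
    print("by subsystem:", dict(by_subsys))
```

Running it on the sample prints the frequency table the talk refers to; on a real trace the `unclassified` bucket is the useful output, because it lists the calls that still need to be placed in the subsystem picture before the level-three STPA work can start.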