Boss/Ada: An Open Source Ada 95 Safety Kit (A dependable open source embedded operating system for GNAT)
Authors
Abstract
Ada has been used successfully in many dependable real-time applications, which have undoubtedly benefited from its major strengths: the well-defined language semantics [1], strong type checking, structuring mechanisms such as packages, and, not least, the Ada Semantic Interface Standard [2], which supports the development of code analysis, verification and testing tools. But an Ada system cannot be safer than the operating system and run-time system underneath it. A dependable and certified operating system involves very high licence costs, and you will never see the sources: the operating system remains a black box and you become dependent on the OS vendor. We aim to change this by certifying our OS and its Ada/GNAT interface and releasing it as open source in the public domain.

Because of their concurrent nature, safety-critical applications increasingly use multithreading, which has a strong impact on the certification process and on the total development cost. This is especially true for Ada applications because of the language's powerful, and therefore complex, tasking semantics. If the full range of Ada tasking is used, the complete Ada run-time system must also be subject to certification. This led to the definition of an Ada tasking subset, the Ravenscar Profile, for which commercial implementations are in use in several avionics systems. The major goal of such a profile is to allow a run-time efficient and deterministic implementation of the Ada run-time system, with a simple internal organisation and low memory usage. BOSS will support this profile for the open-source GNU Ada Translator (GNAT).

Its current characteristics are: preemptive, prioritised, real-time multithreading; an object-oriented framework structure; and C++ and Ada interfaces (the Ada interface is in progress). The thread switch time is 10 microseconds on a PowerPC at 48 MHz and under 1 microsecond on a Pentium at 500 MHz. The time resolution is configurable to 1 ms or 1 microsecond, with at least 500K years of linear time without overflow. The reaction time to interrupts is less than 3 microseconds on the PowerPC at 48 MHz.

Because complexity is the first foe of safety, BOSS is intended to be as simple as possible, so that it is easier to understand, to review, to use, to certify, to port to other platforms, and so on. Parts of BOSS are being verified mathematically and formally using model checkers and theorem provers. BOSS is built on a very small set of simple basic functions, which can be proved with high confidence, and almost every kernel operation is expressed in terms of these few functions. Furthermore, BOSS is open source, so that everybody can inspect it and find possible errors.

We are currently developing two types of Ada interface to BOSS for GNAT:
1. An interface for a No_Ada_Tasking environment, using a general Ada binding to the BOSS primitives. This allows multithreaded applications to be written in Ada without using the language's tasking facilities.
2. An Ada tasking subset comparable to the Ravenscar Profile, whose core implementation uses the general BOSS binding and is integrated into the GNU Ada run-time architecture.

We believe that the BOSS operating system together with Ada 95 can play an important role in future safety-critical applications built on open-source technologies.
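The Ravenscar subset named above restricts Ada tasking to what a small, deterministic run-time can implement: tasks and protected objects are static and declared at library level, a protected object has at most one entry whose barrier is a single Boolean, at most one task may wait on it, and only absolute delays (delay until) are allowed. The program below is an added illustration of what code written to that subset looks like on a standard GNAT; it is not code from BOSS, from GNAT's run-time, from ORK, or from the paper. The file names, the priorities, the 100 ms period and the "sensor" readings are assumptions made for the example, and the three units are shown in one listing for reading (split them with gnatchop, or put the profile pragma in gnat.adc so it covers the whole partition).

```ada
--  sensor_sampling.ads
--  Added example (not BOSS or GNAT run-time code): a periodic producer and a
--  sporadic consumer written within the Ravenscar tasking subset.
--  pragma Profile (Ravenscar) is the Ada 2005 spelling; GNAT in the Ada 95
--  era used pragma Ravenscar for the same restriction set.
pragma Profile (Ravenscar);

with System;

package Sensor_Sampling is

   --  Shared state between the tasks. Ravenscar permits a protected object
   --  with at most one entry, guarded by a simple Boolean barrier, and at
   --  most one task queued on it.
   protected Mailbox is
      pragma Priority (System.Priority'Last);   -- ceiling (Ceiling_Locking)
      procedure Post (Sample : in Integer);
      entry Get (Sample : out Integer);
   private
      Value     : Integer := 0;
      Available : Boolean := False;
   end Mailbox;

   --  Static, library-level tasks with fixed priorities: no task creation at
   --  run time, no task hierarchy, no dynamic priorities.
   task Sampler is
      pragma Priority (20);   -- assumed value; higher than the consumer
   end Sampler;

   task Logger is
      pragma Priority (10);   -- assumed value
   end Logger;

end Sensor_Sampling;

--  sensor_sampling.adb
with Ada.Real_Time; use Ada.Real_Time;
with Ada.Text_IO;

package body Sensor_Sampling is

   protected body Mailbox is
      procedure Post (Sample : in Integer) is
      begin
         Value     := Sample;
         Available := True;    -- opens the barrier of Get
      end Post;

      entry Get (Sample : out Integer) when Available is
      begin
         Sample    := Value;
         Available := False;   -- closes it again until the next Post
      end Get;
   end Mailbox;

   --  Periodic task: an absolute "delay until" keeps the period drift-free
   --  and is the only delay form the profile allows (No_Relative_Delay).
   task body Sampler is
      Period     : constant Time_Span := Milliseconds (100);  -- assumed
      Next_Start : Time := Clock;
      Reading    : Integer := 0;
   begin
      loop
         Next_Start := Next_Start + Period;
         delay until Next_Start;
         Reading := Reading + 1;      -- constructed "sensor" value
         Mailbox.Post (Reading);
      end loop;                        -- tasks never terminate under Ravenscar
   end Sampler;

   --  Sporadic task: released only when the barrier of Mailbox.Get opens.
   --  Text_IO stands in for whatever output a bare-board target provides.
   task body Logger is
      Sample : Integer;
   begin
      loop
         Mailbox.Get (Sample);
         Ada.Text_IO.Put_Line ("sample" & Integer'Image (Sample));
      end loop;
   end Logger;

end Sensor_Sampling;

--  demo_main.adb
with Sensor_Sampling;

procedure Demo_Main is
begin
   --  The environment task has nothing to do; on return it waits for the
   --  library-level tasks, which run forever, so the program never exits.
   null;
end Demo_Main;
```

With GNAT this builds with gnatmake demo_main and prints one line every 100 ms until killed. Note what is absent compared with full Ada tasking: no select statements, no entry families, no task allocators, no abort, no dynamic priorities and no relative delays. Those absences are exactly what lets a run-time such as the one the abstract describes stay small enough to review and certify.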
Related references
GNAT/ORK: An Open Cross-Development Environment for Embedded Ravenscar-Ada Software
Ada tasking is a powerful abstraction mechanism for developing concurrent embedded systems. However, many implementations of concurrent tasking have been seen as potentially unsafe for critical systems because of their high degree of indeterminism. The Ravenscar profile is a subset of Ada 95 tasking with the purpose of providing a basis for the implementation of certifiable critical systems. ORK is...
An Open Ravenscar Real-Time Kernel for GNAT
This paper describes the architecture of ORK, an open source realtime kernel that implements the Ravenscar profile for the GNAT compilation system on a bare ERC32 computer. The kernel has a reduced size and complexity, and has been carefully designed in order to make it possible to build reliable software for on-board space applications. The kernel is closely integrated with the GNAT runtime li...
Re-engineering a Safety-Critical Application Using SPARK 95 and GNORT
This paper describes a new development of the GNAT Ada95 compilation system (GNORT) that is appropriate for the development of high integrity embedded systems. We describe GNORT, the motivation for its development, and give some technical detail of its implementation. The latter part of the paper goes on to describe SHOLIS—an existing safety-critical application written in SPARK 83 that has bee...
An Application Case for Ravenscar Technology: Porting OBOSS to GNAT/ORK
As Ada compilation systems supporting the Ravenscar Profile become available, the opportunity arises for users to assess the expressiveness of the profile and the effectiveness of its implementation. Early experiences of this kind are crucial to foster the maturity of the profile and the confidence of the user community. This paper discusses the lessons learned on the port of a space applicatio...
New Software Technology in Space: BOSS - a Dependable Open Source Embedded Operating System
BOSS targets a principle which the world forgot a long time ago: simplicity. BOSS is an embedded real-time operating system for safety-critical applications. Our experience shows that the first enemy of safety is complexity. If you need safety, use only what you can understand. This was the philosophy behind creating BOSS. First: build everything as simple as possible. Second: use modern framewor...