[SystemSafety] Critical systems Linux


Paul Sherwood
 

On 2018-11-20 17:40, Chris Hills wrote:
A subversion of the thread to answer one of the points raised by Paul and
almost every Linux aficionado

-----Original Message-----
bielefeld.de] On Behalf Of Paul Sherwood
Sent: Sunday, November 4, 2018 8:54 PM
One anti-pattern I've grown a bit tired of is people choosing a
micro-kernel instead of Linux, because of the notional 'safety cert',
and then having to implement tons of custom software in attempting to
match off-the-shelf Linux functionality or performance. When application
of the standards leads to "develop new, from scratch" instead of using
existing code which is widely used and known to be reliable, something
is clearly weird imo.
The question is:-
As Linux is monolithic, already written (with minimal requirements/design
docs) and not to any coding standard
How would the world go about making a Certifiable Linux?
Is it possible?
And the question I asked: why do it at all when there are plenty of other
POSIX Compliant RTOS and OS out there that have full Safety Certification to
61508 SIL3 and Do178 etc.?

While systemsafety may be the leading community for public discussion around systems (and software) safety, it is not the only ML that has an interest in this topic, so I'm cross-posting to some other (including Linux) lists in the hope that we may see wider discussion and contribution.


Paul Sherwood
 

Now to attempt to answer the question...

On 2018-11-20 18:45, Paul Sherwood wrote:
The question is:-
As Linux is monolithic, already written (with minimal requirements/design
docs) and not to any coding standard
How would the world go about making a Certifiable Linux?
Is it possible?
Some initiatives have already started down this road, for example SIL2LINUXMP (in cc).

But my personal perspective is

1) it may be that the certifications themselves are inappropriate. It's far from clear to me that the current standards are fit for purpose.

2) there are many cases of folks retrofitting documentation to support compliance with standards, so perhaps that would be a feasible thing to attempt (although there is far too much code in the Linux kernel and associated FOSS tooling and userland components to make this something which could be achieved in a short time)

3) if we could establish justifiable concrete improvements to make in Linux (and the tools, and the userland), we could hope to persuade the upstreams to make them, or accept our patches.

4) we could construct new software to meet the ABI commitments of Linux (and other components) while adhering to some specific standards and/or processes, but I'm unconvinced this could be achieved in a time/cost-effective way.

And the question I asked: why do it at all when there are plenty of other
POSIX Compliant RTOS and OS out there that have full Safety Certification to
61508 SIL3 and Do178 etc.?
My understanding is that existing certified RTOS/OS tend to be microkernels with limited functionality, limited hardware support, and performance limitations for some use cases. I'd be happy to be wrong, and no doubt advocates of some of those technologies can explain the reality by return.

br
Paul


Paul Sherwood
 

Hi again...
The question is:-
As Linux is monolithic, already written (with minimal requirements/design
docs) and not to any coding standard
How would the world go about making a Certifiable Linux?
Is it possible?
Sadly most of the follow-on discussion seems to have stayed only on systemsafetylist.org [1], which rather reduces its impact IMO.

I cross-posted in the hope that knowledge from the safety community could be usefully shared with other communities who are (for better or worse) considering, and in some cases already using, Linux in safety-critical systems. For example, the Linux Foundation is actively soliciting contributors expressly for an initiative to establish how best to support safety scenarios, as discussed at ELCE [2] with contributors from OSADL (e.g. [3]) and others.

Perhaps I'm being stupid, but it's still unclear to me, after the discussion about existing certificates, whether the 'pre-certification' approach is justifiable at all, for **any** software, not just Linux.

As I understand it, for any particular project/system/service we need to define safety requirements and a safety architecture. From that we need to establish constraints and the required properties and behaviours of the chosen architecture components (including OS components). On that basis it seems to me that we must always prepare a specific argument for an actual system, and cannot safely claim that any generic pre-certification fits our use case?

Please could someone from systemsafetylist.org reply-all and spell it out, preferably without referring to standards and without triggering a lot of controversy?

br
Paul

[1] http://systemsafetylist.org/4310.htm
[2] https://www.osadl.org/Linux-in-Safety-Critical-Systems-Summit.lfsummit-elce-safety.0.html
[3] https://events.linuxfoundation.org/wp-content/uploads/2017/12/Collaborate-on-Linux-for-Use-in-Safety-Critical-Systems-Lukas-Bulwahn-BMW-Car-IT-GmbH-1.pdf