Clive Pigott wrote:
--------------------
As context, we are looking at a system where its primary purpose has no safety implications,
and where the preference is for an open-system/open-source platform - hence the interest in
Linux. Unfortunately, due to space constraints, the same machine needs to support a number of
safety-related applications (SIL1 or 2). So the concern is not only can we justify SIL1/2 on
Linux but how good is the separation mechanism if we have SIL1/2 code and 'SIL0' code supported
by the same operating system.
--------------------
First, when you are talking about "Linux", a question arises about the configuration.
The Linux kernel is compiled for each machine according to the drivers and other
low-level mechanisms that are required. And that's just the kernel. Then there
are the other necessary OS mechanisms.
Second, you apparently need an OS to support SIL 1/2 applications; Linux has no
specific mechanisms to do that, nor are any of the necessary properties
guaranteed.
Third, there is no partitioning mechanism that would allow you to run SIL 2 code and
untrusted code on the same machine and maintain the desired properties.
What you can do is build your own configuration from Linux source code which you
modify yourself. And then you'll have a Linux configuration which can support
certain guaranteed properties. You could likely sell it to others for a lot of money,
comparable with the enormous amount of work I guess it would take.
Or you can use one of the specific real-time operating systems designed for
running mission-critical code, have the vendor help you configure it and make
sure the vendor signs off on the required properties.
If it were my neck, I'd go for the last option.
PBL
--
Peter B. Ladkin PhD FBCS CW(hon)
Professor of Computer Networks and Distributed Systems,
Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel (Vx/msg/Fax) +49 (0)521 880 7319
http://www.rvs.uni-bielefeld.de