Re: [lwip-users] lwIP for safety applications


From: FreeRTOS Info
Subject: Re: [lwip-users] lwIP for safety applications
Date: Tue, 25 Jun 2013 07:23:48 +0100
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130509 Thunderbird/17.0.6

> Hi,

Hello - I will provide my opinion from my experience working in the
aerospace industry, and later in 61508 certification for SafeRTOS...but it
is just opinion.  What you need to do is talk to your certification body
about your plans up front, before you do anything, to get their buy in
to your approach.

You don't say which SIL level you are using, so I will assume 3 as that
is the level worked at for most of my experience.

> 
> I'm building a safety application (IEC 61508) that makes use of
> lwIP. The safety function is not dependent on the data passed by lwIP
> but if lwIP has bugs that corrupts memory that it does not own,
> things might go south. Memory protection by the CPU is an option but
> I would still like to know how "safe" it is.

Strict and provable memory protection can be accepted if you are using a
certifiable scheduler that can ensure that lwIP cannot hog the CPU by
getting stuck in a loop, etc., and that lwIP or its drivers are not
doing something bad with interrupts (running lwIP in an unprivileged low
priority task, for example).  Interrupt service routines are generally
not protectable if you are just using memory protection because they
will run privileged, so extra care is needed there.

> I'm hoping to be able to use lwIP based on the "proven by use"
> clause but in order to do that I need some kind of statistics of its
> use. Is there any such available? Or have any of you tackled this
> problem in other ways?

The practicality of this is very hard.  There are proven in use clauses
but getting a body to accept them is *very* difficult (some countries
are a lot more lenient than others).  Proven in use without strict and
proven memory protection in this case is *very* ambitious unless you
have an unmodified old version of lwIP that has been under strict
configuration management, unmodified by its users, with a known number
of users, known use cases of your users, and a mandatory bug reporting
and documenting system, at the least.

You may convince somebody, but you have to consider if you are trying to
convince somebody to certify your product, or if you are trying to make
your product safe (which is the point of 61508).  Consider the worst
case scenario - in which you will have to convince a judge with expert
witnesses....

Hope that helps.

Regards,
Richard.

+ http://www.FreeRTOS.org
Designed for microcontrollers. More than 103000 downloads in 2012.

+ http://www.FreeRTOS.org/plus
Trace, safety certification, FAT FS, TCP/IP, training, and more...
