Date: Thu, 10 Oct 2002 06:48:03 -0400
From: "Nelson, Trent ." <tnelson@switch.com>
To: "'Ted Faber'" <faber@ISI.EDU>, Terry Lambert <tlambert2@mindspring.com>
Cc: "Nelson, Trent ." <tnelson@switch.com>, "'hackers@freebsd.org'" <hackers@freebsd.org>, "'questions@freebsd.org'" <questions@freebsd.org>
Subject: RE: FreeBSD usage in safety-critical environments
Message-ID: <8F329FEDF58BD411BE5200508B10DA7607D71A15@exchptc1.switch.com>
> -----Original Message-----
> From: Ted Faber [mailto:faber@ISI.EDU]
> Sent: Wednesday, October 09, 2002 10:59 PM
> To: Terry Lambert
> Cc: Nelson, Trent .; 'hackers@freebsd.org'; 'questions@freebsd.org'
> Subject: Re: FreeBSD usage in safety-critical environments
>
> On Wed, Oct 09, 2002 at 12:26:14PM -0700, Terry Lambert wrote:
> > Life support systems require formal proofs of correctness for code;
> > since neither Linux nor FreeBSD is formally correct, in total, you
> > would need to be insane to deploy either of them as, for example,
> > a part of an air traffic control system.
>
> I suspect that's a bad example, or that you mean an embedded aircraft
> control system. Ron Reisman and James Murphy gave a fine invited talk
> at USENIX 02 (http://www.usenix.org/events/usenix02/tech/#11am) about
> the growing number of UNIX components in the US ATC system. I reject
> the conclusion that the FAA is collectively insane for that reason.

I'd have to concur. I'm working on a large rail engineering project in the UK that is implementing a two-phased deployment of a Railway Control Centre System. The first phase will be using a combination of Tru64 UNIX and Linux systems, with an investigation taking place for the second phase to move completely to Linux.

There is a huge difference between systems rated at SIL 1 and 2 (which is what ATC/rail CCS would fall under) and those rated at 3 and 4. I was not referring to life-support or life-critical systems, as these will almost certainly be a proprietary hardware/software package that has been certified and accredited to a high level of safety integrity. What I was referring to were systems running on UNIX that control and interface to these safety-critical systems.

For railway, Control Centres may suggest an erroneous route that would result in two trains colliding (although such a system will be commissioned on the basis that it wouldn't allow such a route to be suggested), but the 'vital', safety-critical interlocking would prevent such a route being set. The resulting safety-integrity level for the Control Centre would be SIL 2.

The analogy between ATCs & embedded aircraft control systems isn't as tight, as there isn't a physical interface between the two (well, at least as far as I know).

The deployment of FreeBSD, or any BSD variant (or ANYTHING other than Linux), in environments such as this is what I was originally getting at.

Oh, and Terry, I think you'd be astonished if I informed you of how many rail control systems in the US and around the world use either Linux or some of the commercial variants such as Tru64 UNIX or Solaris.

> Ted Faber faber@isi.edu
> USC/ISI Computer Scientist http://www.isi.edu/~faber
> (310) 448-9190 PGP Keys: http://www.isi.edu/~faber/pubkeys.asc

Regards,

Trent.