Preliminary assessment of Linux for safety related systems Prepared by CSE International Limited for the Health and Safety Executive 2002 RESEARCH REPORT 011

The Linux operating system is in widespread use, and there is now interest in using Linux for safety related systems. This report considers the availability and quality of evidence for the safety integrity of Linux. Three criteria are defined for the suitability of an operating system for use in safety related applications, namely that the operating system must be sufficiently well understood, that it must be suitable for the characteristics of the safety related application, and that it must be sufficiently reliable. Linux is then assessed against these criteria, and a framework for the hazard analysis of the interaction between applications and operating system is given. The overall conclusion of the study is that Linux would be, in broad terms, suitable for use in many safety related applications with SIL 1 and SIL 2 integrity requirements, and that certification to SIL 3 would be possible. However, it is not likely to be either suitable or certifiable for SIL 4 applications. An outline programme for the work necessary to certify Linux to SIL 3 is described. This report and the work it describes were funded by the Health and Safety Executive (HSE). Its contents, including any opinions and/or conclusions expressed, are those of the author alone and do not necessarily reflect HSE policy. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written permission of the copyright owner. A key element of a computer based system for protection or control is the operating system. There is a growing trend to base safety systems on general purpose commercial products such as Linux and Microsoft Windows rather than on operating systems developed specially for safety. Statutory regulators and other assessors of computer based safety systems need a practical procedure for assessing the safety integrity of a commercial operating system. The goals of this collaboration are: · To develop a description scheme which can be applied to a wide range of commercial operating systems, and which will permit an assessment of the key operating system attributes that are relevant to its use in a safety application. · To develop a forecasting model to estimate the cost of achieving a specific level of confidence in the behaviour of an operating system. · To assess in detail one or more operating …