> Hi,

Hello - I will provide my opinion from my experience working in the aerospace industry, and later in 61508 certification for SafeRTOS... but it is just opinion. What you need to do is talk to your certification body about your plans up front, before you do anything, to get their buy-in to your approach.

You don't say which SIL level you are using, so I will assume 3 as that is the level worked at for most of my experience.

> I'm building a safety application (IEC 61508) that makes use of
> lwIP. The safety function is not dependent on the data passed by lwIP
> but if lwIP has bugs that corrupt memory that it does not own,
> things might go south. Memory protection by the CPU is an option but
> I would still like to know how "safe" it is.

Strict and provable memory protection can be accepted if you are using a certifiable scheduler that can ensure that lwIP cannot hog the CPU by getting stuck in a loop, etc., and that lwIP or its drivers are not doing something bad with interrupts (running lwIP in an unprivileged low priority task, for example). Interrupt service routines are generally not protectable if you are just using memory protection because they will run privileged, so extra care is needed there.

> I'm hoping to be able to use lwIP based on the "proven by use"
> clause but in order to do that I need some kind of statistics of its
> use. Is there any such available? Or have any of you tackled this
> problem in other ways?

The practicality of this is very hard. There are proven in use clauses but getting a body to accept them is *very* difficult (some countries are a lot more lenient than others). Proven in use without strict and proven memory protection in this case is *very* ambitious unless you have an unmodified old version of lwIP that has been under strict configuration management, unmodified by its users, with a known number of users, known use cases of your users, and a mandatory bug reporting and documenting system, at the least. You may convince somebody, but you have to consider if you are trying to convince somebody to certify your product, or if you are trying to make your product safe (which is the point of 61508). Consider the worst case scenario - in which you will have to convince a judge with expert witnesses....

Hope that helps.
Regards,
Richard.

+ http://www.FreeRTOS.org
Designed for microcontrollers. More than 103000 downloads in 2012.

+ http://www.FreeRTOS.org/plus
Trace, safety certification, FAT FS, TCP/IP, training, and more...

_______________________________________________
lwip-users mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/lwip-users
