International system safety conference

Evaluation of Commercial Off The Shelf (COTS) Operating System (OS) Malfunction Mitigation Methods

Abstract

The increasing demand for COTS OS use in safety critical applications has generated a lot of guidance in safety engineering process literature regarding the need for Middleware and Wrappers. Much of this discussion is focused on the need for middleware that can isolate the application from the horrors of the operating system. The assessment necessary to certify an OS, develop middleware for safety-critical applications, or to verify their integrity is a complex and costly task. For some applications, acceptable risk can be achieved by utilizing a software architecture that restricts safety-critical functionality to a subset of operations whose failure modes can be mitigated within the application, rather than in a middleware layer. This paper discusses this methodology, and provides analysis techniques to help assess the applicability of application-based mitigations when using a COTS OS in a safety-critical system. This methodology was used by the authors on a US Army remotely controlled weapon using Windows 2000 for the OS in the controller. The paper provides an approach for determining the cost benefit effectiveness of various mitigation approaches, an example of OS/application interaction partitioning, and clue lists to aid in assessing OS and application mitigations. The paper shows that Middleware for the type of systems discussed may not be needed, may not be cost benefit effective, and may actually be detrimental because it adds another layer in which malfunctions can occur. These fault conditions must also be mitigated safely and in a manner that does not reduce reliability (dependability).
