My first question: is Yousif@BD subscribed to the list to see our replies? :-)

On Fri, Jan 3, 2025 at 12:20 AM Sebastien Lorquet <sebast...@lorquet.fr> wrote:

> Hello,
>
>> On 1/2/25 23:52, Alan C. Assis wrote:
>> Hi Yousif,
>> This is the kind of feedback we like to hear! Thank you for that!
>> NuttX is used in many areas including critical real-time applications. So,
>> if your question is: Is NuttX safe enough to be used in medical application,
>> the answer is YES!
>
> NO. it is not, by design, and I am glad it is not, otherwise I would freak
> every night that someone could die because of my contributions.

Sebastien is correct here. Medical certification is a long, expensive story because people's lives directly depend on that quality; its main purpose of existence is to directly save or sustain life, or to provide results that indirectly impact health or life status. It's a complex process where each device (revision) and its software (revision) needs a well-defined assessment.

https://www.who.int/health-topics/medical-devices

> Apache licence here: https://www.apache.org/licenses/LICENSE-2.0 says:
>
> 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in
> writing, Licensor provides the Work (and each Contributor provides its
> Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> KIND, either express or implied, including, without limitation, any
> warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or
> FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining
> the appropriateness of using or redistributing the Work and assume any risks
> associated with Your exercise of permissions under this License.
>
> So no, by license there is ABSOLUTELY NO GUARANTEE, and not even remotely.

Each Open-Source license contains this kind of non-liability disclosure because:

1. All work is done with best effort and good will, but often (unfortunately) in free time, or some company-sponsored time, so if (expensive) certifications are required these must be paid for by the interested party, while the development community may adapt the code to meet the requirements. This seems a win-win scenario.

2. Code that developers create in their free time, and then share with the world for free, may contain internal or external components that contain bugs (all software does); trolls would then sue the code creators directly for each bug to earn money on their best-effort hard work. Instead we find bugs, we report and fix them. This is how Open-Source works and protects itself from troll$.

3. We know too many details about the internals and implementations of various systems, and we have some experience with these, mostly bad, so we share what we have, but it's up to you how you use it, because we know it may be misused or mismanaged and we have nothing to do with that.

>> It is used in drones, rockets (search for NuttX landing on the moon), robots,
>> smartwatches, appliances, cars, etc. Recently it received critical safety
>> application certification for automotive usage (I cannot say the company
>> name, but they will announce it soon).
>
> That is cool. Good point in the right direction, however this is less
> stringent than medical stuff.

Exactly. It's great news and builds trust.. but in the automotive area. A failure in the braking system will result in a crash, but there are other safety systems involved to protect human life (i.e. airbags, structure, etc). You can evade a certified car security system and steal the car, but that does not directly impact human life. Medical equipment has a direct impact on human life. There is a story from around 10 years back about the famous last words "hey I got root shell on my heart pump".. but news from 2024 shows things like this unfortunately happen, and this is the first random story I found, sad both for the vendor and the user because everyone just wants a good, working, helping product: https://www.medtechdive.com/news/abbott-recalls-heartmate-pump-70-injuries-2-deaths-reported/716197/

> https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04

I prefer that highly trusted direct source of information too. And it shows all software contains security bugs. Bugs are fixed and then other bugs are found. There is no "best" solution, unfortunately, because..

> Safety is per-product and any use of NuttX in a safety product requires
> certification work. The facts described by Alan are useful in showing that it
> can be achieved somewhat, but nothing more.

.. safety and security are highly related to a specific configuration of hardware and software components that constitutes a specific final product (revision)!! There is no simple answer here because the problem may be introduced by specific system designers / developers even if the problem is not found in a generic solution.

>> If your company decides to use NuttX, please talk about it in our NuttX
>> Conference (NuttX International Workshop), this way more people will have
>> confidence to use NuttX on medical devices too!
>
> That would be frightening, to be honest. Participating in a conference is NOT
> a safety certification.

I guess Alan suggested sharing back the research results with the NuttX community and the rest of the world, keeping in mind this does not imply any safety certifications outside a specific product. Just as we all share our hobby and commercial projects (with more or less detail). But each project is different, has different teams, budgets, timelines, and organizations. If someone manages to get a Medical Certification for a product based on NuttX that would be great news to share!

> Such a medical device would require MANY certifications by independent
> bodies, and it would likely require many audits to ascertain the safety of
> the OS for life critical applications.
>
> Also, certification of ONE device run by NuttX will NEVER mean that NuttX is
> generally safe whatever the product.
>
> I do not want anyone killed because of NuttX, and indirectly by my
> contributions. So safety and prudence are of utmost importance here.

Yes, anyone in this world will convince you to use their projects or product, but then after your own evaluation and time spent you will probably end up disappointed. NuttX is the best RTOS I found after playing for years with the over-complexity and frequent changes of FreeRTOS, mbedOS, Zephyr, etc. But I know its limitations and weak spots too. And I am still here. Because NuttX aligns best with my own vision of design, organization, simplicity, versatility, and community. Because I can fairly easily add and fix things here myself. Although I am maybe aiming at Medical Level at some time in the future, I would never bet on anything that I did not verify myself before in a simple consumer grade, then industrial grade, then e-Health grade product in the first place.

Enforced changes are killing every product nowadays. Not only exponential complexity without solid foundations, but also enforced planned obsolescence that puts at most a 3..5 year lifespan on your solution (i.e. high-level programming language syntax compatibility, google/apple app store update enforcement or removal, etc). No company seems to be able to avoid that nowadays.

On the other hand we are not even sure how those certifications work exactly. Once I found a bug in a big Unix flavor, or a commercial certified RTOS, that no one had found for years before; does that mean I broke certifications for all of its users? Or was it just fixed, updated, and still certified just because it was quickly fixed? How does a clinical monitor or EHR system with windoze onboard get certification and then catch ransomware?

Knowing the context, here goes my proposed conclusion: This is just a win-win idea for the discussion. We have a RoadMap concept for various certifications for NuttX RTOS. We are aware that those certifications are expensive and time consuming, usually beyond the powers of one organization. It may be possible that the NuttX project could help development towards a specific certification, assuming clear goals are set and support is provided to the project for that development. The terms of the Apache License must apply (including Section 7 Disclaimer of Warranty); the results are available freely to anyone, but interested parties will also have their work set closer to their own product certifications. Medical Certifications however, due to their complex and detailed nature, may be out of the scope of our project no matter how much we want to help; they seem to be attributed to a very specific device product itself. I am not even sure if companies would then want, or be allowed, to share that information back with the public.

I am wondering what Greg thinks about this and possible solution approaches? :-)

Tomek

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info