Windows® and Safety-Critical Applications

Role of Operating System

The range of Windows® Operating Systems is extremely powerful and capable, but it is not designed for safety-critical applications. Using Windows® for safety-critical diving applications puts divers' lives and health at risk and does not meet modern standards for occupational safety. As we will see, Windows® is appropriate for some applications in diving, but when system failure puts lives and health in danger, safer options exist and must be employed.

Windows®, Mac OS® and similar desktop operating systems prioritize performance. These operating systems can run an extraordinary range of applications including performing complex calculations and presenting stunning interactive graphics. But users pay a price for this performance in the form of frozen screens, unexpected delays, lost data and a wide range of other glitches.

In recent years, a number of diving and hyperbaric control products have been developed based on the Windows® operating system family of products. In some applications the use of Windows® was appropriate. In others it was inappropriate and put divers and patients at inappropriate risk.

Microsoft states clearly that Windows® products should not be used for applications which could “result in foreseeable risk of injury or death to any person” (see Sidebar: EULA).

Some recent diving and hyperbaric projects have used Windows® as a primary monitoring or control system and have also implemented high integrity independent systems to prevent Windows® faults from resulting in injury. For some applications, this approach is quite effective, but for other applications it is not realistic for the independent system to provide an effective safety net given the complexity of the processes under control. For manned applications, real-time pressure control and real-time decompression management are two examples where use of a Windows® operating system is not appropriate no matter what mitigations are put in place.

Unfortunately, some vendors have used Windows® based systems for chamber pressure control. This is a risky approach and will leave divers and patients exposed to unnecessary danger.

Rather than using Windows® or other desktop operating systems, a real-time operating system designed for safety should be selected. Real-Time Operating Systems (RTOSs) are available off-the-shelf from vendors such as QNX, Wind River and Green Hills Software and have been designed for safety-critical applications. Primary features that promote reliability include a small operating-system kernel, isolation between components, resource scheduling that supports guaranteed response times, and fault detection, isolation and recovery mechanisms. RTOSs designed specifically for safety and reliability are standard in safety-critical applications in many industries including aerospace, nuclear power, rail transport, road transport, weapons systems and medical devices.
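The following C program is an added illustration, not code from this article or from any of the RTOS vendors it names. It models the fault detection, isolation and recovery role described above: a control task that must complete each cycle within a deadline, and an independent monitor that keeps its own state, accepts nothing from the control task except a heartbeat, and forces and latches a safe actuator state as soon as a deadline is missed. The valve commands, the 50 ms deadline and the cycle timings (including a 250 ms stall of the kind a desktop OS can impose on a task) are constructed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Commands to a hypothetical chamber pressurisation valve (a placeholder
 * actuator, not a real product interface). VALVE_HOLD is the safe state. */
typedef enum { VALVE_HOLD = 0, VALVE_OPEN = 1 } valve_cmd_t;

/* Independent deadline monitor. It owns its state, sees only heartbeats
 * from the control task, and latches the safe state once a deadline is
 * missed until an explicit operator reset. */
typedef struct {
    uint32_t deadline_ms;   /* maximum permitted gap between heartbeats */
    uint32_t last_beat_ms;  /* timestamp of the most recent heartbeat */
    bool     tripped;       /* latched when a request arrives too late */
} monitor_t;

void monitor_init(monitor_t *m, uint32_t deadline_ms, uint32_t now_ms) {
    m->deadline_ms = deadline_ms;
    m->last_beat_ms = now_ms;
    m->tripped = false;
}

/* The control task calls this at the end of each completed cycle. */
void monitor_heartbeat(monitor_t *m, uint32_t now_ms) {
    m->last_beat_ms = now_ms;
}

/* Operator-initiated reset after the fault has been investigated. */
void monitor_reset(monitor_t *m, uint32_t now_ms) {
    m->last_beat_ms = now_ms;
    m->tripped = false;
}

/* Sits between the control task and the actuator. A request arriving after
 * the deadline, or after an earlier trip, is replaced by VALVE_HOLD. */
valve_cmd_t monitor_arbitrate(monitor_t *m, uint32_t now_ms, valve_cmd_t requested) {
    if (now_ms - m->last_beat_ms > m->deadline_ms) {
        m->tripped = true;
    }
    return m->tripped ? VALVE_HOLD : requested;
}

/* Replays a sequence of control-cycle durations (milliseconds). Every cycle
 * the control task requests VALVE_OPEN; the monitor decides what the valve
 * actually receives, recorded in out_cmds[i] when out_cmds is non-NULL.
 * Returns the index of the first cycle forced to VALVE_HOLD, or -1 if the
 * control task kept authority for the whole run. */
int simulate(const uint32_t *cycle_ms, size_t n, uint32_t deadline_ms, valve_cmd_t *out_cmds) {
    monitor_t m;
    uint32_t now = 0;
    int first_trip = -1;
    monitor_init(&m, deadline_ms, now);
    for (size_t i = 0; i < n; i++) {
        now += cycle_ms[i];                                        /* control task finishes its cycle */
        valve_cmd_t cmd = monitor_arbitrate(&m, now, VALVE_OPEN);  /* monitor vets the request */
        monitor_heartbeat(&m, now);
        if (out_cmds) out_cmds[i] = cmd;
        if (first_trip < 0 && cmd == VALVE_HOLD) first_trip = (int)i;
    }
    return first_trip;
}

/* Number of cycles in which the monitor forced the safe state; shows the
 * latch holding even after the control task is back within its deadline. */
int holds_in_run(const uint32_t *cycle_ms, size_t n, uint32_t deadline_ms) {
    valve_cmd_t cmds[64];
    int holds = 0;
    if (n > 64) n = 64;
    simulate(cycle_ms, n, deadline_ms, cmds);
    for (size_t i = 0; i < n; i++) holds += (cmds[i] == VALVE_HOLD);
    return holds;
}

int main(void) {
    /* Constructed timings: cycle 2 models a 250 ms stall; an RTOS schedule
     * would keep every cycle within the 50 ms budget. */
    const uint32_t stalled[] = { 10, 12, 250, 11, 9 };
    valve_cmd_t cmds[5];
    int trip = simulate(stalled, 5, 50, cmds);
    printf("first forced safe state at cycle %d\n", trip);
    for (size_t i = 0; i < 5; i++)
        printf("cycle %zu: %s\n", i, cmds[i] == VALVE_OPEN ? "OPEN" : "HOLD (safe)");
    return 0;
}
```

The point of the split is that the monitor's correctness does not depend on the control task, or its operating system, behaving: a late request is rejected on the monitor's own clock, and the safe state stays latched until a deliberate reset. Where the controlled process cannot be made safe by simply holding the actuator (the real-time pressure and decompression cases discussed below), no monitor of this kind can substitute for deterministic scheduling in the control task itself.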

Real-Time Operating Systems designed for safety represent the worldwide standard for developing safety-critical electronic systems. Selection of a desktop operating system such as Windows® for an application which has substantial potential to cause injury or death exposes divers and patients to inappropriate risk.

(Windows®, Mac OS® and associated logos are trademarks of Microsoft Corporation and Apple Inc. and are used for identification purposes only.)

Sidebar: EULA

The following is an extract from a Standard Windows End User License Agreement (EULA). The EULA states explicitly that Windows is not to be used in safety-critical applications.

“The Microsoft software was designed for systems that do not require fail-safe performance. You may not use the Microsoft software in any device or system in which a malfunction of the software would result in foreseeable risk of injury or death to any person.”