Re: Certified C compilers for safety-critical embedded systems
From: Chris Hills (chris_at_phaedsys.org)
Date: 12/30/03
- Next message: Chris Hills: "Re: Component Reliability (was Re: Certified C compilers for safety-critical embedded systems)"
- Previous message: Dmitry A. Kazakov: "Re: Certified C compilers for safety-critical embedded systems"
- In reply to: Russ: "Re: Certified C compilers for safety-critical embedded systems"
- Next in thread: Mike Silva: "Re: Certified C compilers for safety-critical embedded systems"
- Reply: Mike Silva: "Re: Certified C compilers for safety-critical embedded systems"
Date: Tue, 30 Dec 2003 18:23:24 +0000
In article <bebbba07.0312261939.2e6469b0@posting.google.com>, Russ
<18k11tm001@sneakemail.com> writes
>Chris Hills <chris@phaedsys.org> wrote in message news:<vUh5muAofB7$EAZb@phaedsys.demon.co.uk>...
>> In article <bebbba07.0312242000.7b6f33bc@posting.google.com>, Russ
>> >But that's just my opinion. If you want the opinions of experts at
>> >DoD, MISRA,
>>
>> that will change in 3 months time with MISRA-C2
>>
>> > ARINC, NASA, and CENELEC,
>> 61508 has C (with subset etc) as HR the same as Ada.
>> > check out the one-page summary I
>> >put together at http://RussP.org/Ada-recommend.pdf . Check out the
>>
>> You will need to modify it.
>>
>> Whilst looking through some notes I found a table in the IEE Computing &
>> Control Engineering Journal Vol 11.1. The edition was looking at 61508; the
>> paper by R. Bell and PA Bennett.
>>
>> The table shows failures in safety related systems
>>
>> 44.1% were due to specification faults
>
>That's interesting, and I should probably look up this paper (is it
>online?).
Yes, if you are an IEE member with access to the library.
>What I am getting at, in a roundabout way, is that, as you probably
>realize, "specification faults" have nothing to do with the choice of
>programming language. That's an engineering problem.
Yes.
>So it is as
>irrelevant to the choice of language as, say, drug abuse in the
>workplace, just to give an off-the wall example.
Judging by some of the code I have seen the two may not be unrelated :-)
> Would you argue that
>the choice of programming language is of minimal importance if half of
>the critical errors were due to drugged programmers? Of course not. So
>why are you implying that language choice is unimportant because
>engineering is important?
I was arguing that the larger problem is the engineering process rather
than which language. However (catch 22 time again), if you have a good
engineering process you are less likely to make errors and more likely to
be meticulous, because the sort of people that would set up and run a good
engineering process will by definition try and "do things right".
So a good team with a good system will do a good program irrespective of
whether it is C or Ada... I.e. if C, they would use a C subset, static
analysis, coding standards, code reviews, full test plans etc...
If Ada, they would use SPARK.
However a bad team using a poor engineering system is likely not to
worry too much about the rest of it. So in that case the enforced parts
of SPARK Ada probably would be an advantage over C.
That was a generalisation!!!! I know everyone can pull up their own
exception!
The Ariane 5 rocket shows the problem. Ada, but from what I understand
corners were cut on the testing due to management pressure to do with
launch windows.... Good language, "adjustments" to the system, the
rocket failed.
>> 20.6 due to changes after commissioning
>Is that what we sometimes call "maintenance"? My impression is that
>Ada excels in this stage.
Maintenance is that which is done by other people after we have all
finished the design and implementation and moved on to the next
exciting project.
Ditto testing :-)
Ditto documentation :-)
>> So it's not down to the language as much as specification and
>> process.....
>Of course it isn't. If the engineering isn't done right, the best
>programmers and software engineers in the world are unlikely to
>salvage the project.
But will get blamed for it :-(
>Are you claiming that the Arianne 5 wouldn't have failed
>catastrophically if the same bug had occurred in C code? If so, that's
>definitely interesting. I'm certainly not knowledgable enough here to
>comment, but I'm sure others on this forum are.
Definitely. C is not strongly typed. You can chuck a long into a char
and nothing will complain. So IN THIS PARTICULAR CASE an error would not
have been raised and the rocket continued..... However in the 99 similar
cases you would have wanted it to flag an error and it would not have
done so :-)
There are many who point out that had it been written in C it would not
have lifted off anyway due to other errors that would inevitably have been
in the system (and the crash would not have occurred, ergo C is safe :-)
>> With a good process in place and proper engineering removing the vast
>> majority of errors we start to discover the differences in languages is
>> less important. More important is how good the tools and support tools
>> for a language are.
>
>You lost me there. As I explained above, I agree that the choice of
>language has little effect on the engineering. But the point is that
>the choice of language has a strong effect on the software design and
>development process. Isn't that what we're talking about here? If not,
>sorry, wrong number.
I was making the point that a language, no matter how theoretically
good, is only as good as the implementation of the tools to support it.
Ada has less of a problem as compilers can be validated and certified.
Not something that happens with C.
I would agree that the choice of language does have an effect on the sw
and development process. Ada AFAIK is usually taught and used in a
strong safety critical and Engineering way. C is often badly taught and
certainly not (usually) with any sort of Engineering or safety critical
ethos. In fact, often due to its history, quick and dirty and hacking
seem more related :-(
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/\
/\/\/ chris@phaedsys.org www.phaedsys.org \/\/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
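The narrowing conversion Chris describes above ("chuck a long into a char and nothing will complain"), shown in C as an added example that is not part of the original post or of any project discussed in the thread. It puts the silent truncation C performs beside a checked conversion that reports the out-of-range value instead of converting it, which is the behaviour Ada gives by raising Constraint_Error. The result structs, function names and sample values (300, 40000.0, 123.9) are illustrative assumptions; the 64-bit float to 16-bit signed integer shape is used only as an illustration of the conversion class, not as a reconstruction of any flight code.

```c
/*
 * Added example: silent narrowing in C beside a checked conversion.
 * Not code from the original post. The result types, function names and
 * the sample values are illustrative assumptions for this example.
 */
#include <stdio.h>
#include <stdint.h>
#include <math.h>

/* "Chuck a long into a char": the explicit cast compiles without error.
 * For an unsigned target C defines the result as reduction modulo 256,
 * so 300 becomes 44 and -1 becomes 255 with no run-time complaint. */
unsigned char narrow_unchecked(long v)
{
    return (unsigned char)v;   /* the cast also silences -Wconversion */
}

/* Result types for the checked versions: ok == 0 means the value did not
 * fit and `value` must not be used (it is left at 0 for determinism). */
struct u8_result  { int ok; unsigned char value; };
struct i16_result { int ok; int16_t value; };

/* Range-check before converting, so the caller sees the failure instead
 * of a wrapped value. Ada does this for free by raising Constraint_Error;
 * in C it has to be written out. */
struct u8_result narrow_checked(long v)
{
    struct u8_result r = { 0, 0 };
    if (v < 0 || v > 255)
        return r;
    r.ok = 1;
    r.value = (unsigned char)v;
    return r;
}

/* 64-bit float to 16-bit signed integer (illustrative shape only).
 * Converting an out-of-range double to an integer type is undefined
 * behaviour in C (C99 6.3.1.4), so the check must happen BEFORE the cast;
 * there is nothing to catch afterwards. NaN and infinities fail isfinite(). */
struct i16_result narrow_double_to_i16(double d)
{
    struct i16_result r = { 0, 0 };
    if (!isfinite(d) || d < -32768.0 || d >= 32768.0)
        return r;
    r.ok = 1;
    r.value = (int16_t)d;      /* fraction discarded (truncation toward zero) */
    return r;
}

int main(void)
{
    long big = 300;            /* constructed sample: does not fit in 8 bits */
    double bias = 40000.0;     /* constructed sample: outside int16_t range */

    printf("unchecked (unsigned char)%ld = %u\n", big, narrow_unchecked(big));

    struct u8_result a = narrow_checked(big);
    printf("checked %ld -> %s\n", big, a.ok ? "ok" : "OUT OF RANGE");

    struct i16_result b = narrow_double_to_i16(bias);
    printf("checked %.1f -> %s\n", bias, b.ok ? "ok" : "OUT OF RANGE");

    struct i16_result c = narrow_double_to_i16(123.9);
    printf("checked 123.9 -> %d\n", c.value);
    return 0;
}
```

The point of the pair is the asymmetry the post describes: the unchecked version never fails, so the program carries on with a wrong value, while the checked version turns the same input into a visible error that the caller then has to decide what to do about. Which of those two outcomes is the safe one is exactly the engineering judgement the thread is arguing over, and it is a decision C leaves entirely to the programmer.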