On 5 Dec 2014 at 9:37, Andrew Marlow wrote:
I am currently considering a job which involves embedded safety-critical work. It is for a neonatal ventilator, so the safety critical aspect really is critical rather than just 'jolly important'. The company says the development will be in C++, but they have not even heard of boost, let alone use it. They introduced me to a new acronym, well, new to me anyway: SOUP. It stands for Software of Unknown Pedigree. They classify boost as SOUP.
I have used boost before in embedded work but I have never done safety critical work before so I don't know how widely boost is used there. Can anyone who *has* worked on safety critical stuff comment please?
I will caveat everything I am about to say in that it's been over a decade since I last worked in safety critical, and my knowledge on developments since is incomplete.

Safety critical C or C++ usually means no dynamic memory allocation nor exception throwing, which poses obvious problems for any STL-type design, including the STL. You can use custom STL allocators which indirect to fixed-sized and thread-local pools, but it's a pain, and all it requires is an accidental slip in use of ::operator new by code you can't modify and it's game over. Most C++, including any STL, also assumes you can always throw exceptions.

You also have an enormous problem with the lack of *verified* C++ libraries, as in ones formally verified as being correct, which is an enormously expensive undertaking. Well, "lack" is the wrong word: there are plenty; it's more that they very much lack in features. I am unaware of any complete C++98 verified STL, for example. Maybe things have improved.

All that said, there are many SIL4 verified C++ solutions currently powering nuclear reactors, trains, cars and so on. C++ is surprisingly popular given it would be my last recommendation for a SIL4 implementation language, but there you go. I helped out in QNX getting their BB10-derived version recertified for SIL3, and you'd be surprised at how much "modern" C++ ends up in safety critical applications.

BTW, if your neonatal unit is running a SIL verified RTOS, as I would assume it must, it will heavily constrain your toolset anyway, probably to something not hugely capable of running Boost.

Finally, for a neonatal ventilator you will find that only a tiny part needs to be 99.999999% reliable. The part which does the UI may only require 99.9%, for example. That latter part should run on a separate CPU, and be verified as safe to watchdog reboot without affecting the safety critical part.

You can use Boost, or Java, or whatever in the 99.9% reliable bit, and I'd also strongly consider an easier-to-program OS like Linux. I would strongly recommend in the strongest possible terms against using C++ or C or any unverified RTOS in the 99.999999% reliable bit; there are better languages (Ada et al.) for that part which are easier to write to reach a verified and proven formal correctness.

And good luck with the project. It is worth doing at least one actually safety critical project at least once in your career. You never program the same again after.

Niall
--
ned Productions Limited Consulting
http://www.nedproductions.biz/
http://ie.linkedin.com/in/nialldouglas/
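The fixed-pool allocator route Niall describes, as an added example that is not code from either poster: a static bump arena and a minimal C++11 STL allocator that draws from it and has no path to ::operator new (StaticArena, ArenaAllocator, the 1 KiB budget and the two demo functions are assumed names and constructed values).

```cpp
#include <array>
#include <cstddef>
#include <cstdlib>
#include <vector>

// Fixed-capacity bump arena (assumed name, 1 KiB constructed budget): a static
// buffer that never calls ::operator new and never throws. align must be a power of two.
struct StaticArena {
    static constexpr std::size_t kBytes = 1024;
    void* allocate(std::size_t n, std::size_t align) noexcept {
        std::size_t offset = (used_ + align - 1) & ~(align - 1);
        if (n > kBytes || offset > kBytes - n) return nullptr;  // exhausted: report it, no heap fallback
        used_ = offset + n;
        return buffer_.data() + offset;
    }
    void deallocate(void*, std::size_t) noexcept {}  // bump arena: space is not reused
    std::size_t used() const noexcept { return used_; }
    alignas(std::max_align_t) std::array<unsigned char, kBytes> buffer_{};
    std::size_t used_ = 0;
};
// Minimal C++11 allocator (assumed name) routing every STL allocation to one arena.
template <class T>
struct ArenaAllocator {
    using value_type = T;
    StaticArena* arena;
    explicit ArenaAllocator(StaticArena* a) noexcept : arena(a) {}
    template <class U> ArenaAllocator(const ArenaAllocator<U>& o) noexcept : arena(o.arena) {}
    T* allocate(std::size_t n) {
        void* p = arena->allocate(n * sizeof(T), alignof(T));
        if (p == nullptr) std::abort();  // fail-stop: deterministic halt, not a hidden ::operator new
        return static_cast<T*>(p);
    }
    void deallocate(T* p, std::size_t n) noexcept { arena->deallocate(p, n * sizeof(T)); }
    template <class U> bool operator==(const ArenaAllocator<U>& o) const noexcept { return arena == o.arena; }
    template <class U> bool operator!=(const ArenaAllocator<U>& o) const noexcept { return arena != o.arena; }
};
// A vector sized up front: one arena allocation of count*sizeof(int), then no further arena traffic.
std::size_t bytes_used_after_reserving(std::size_t count) {
    StaticArena arena;
    std::vector<int, ArenaAllocator<int>> v{ArenaAllocator<int>{&arena}};
    v.reserve(count);
    for (std::size_t i = 0; i < count; ++i) v.push_back(static_cast<int>(i));
    return arena.used();
}
// Exhaustion is visible to the caller instead of silently growing the heap.
bool arena_rejects_oversize_request() {
    StaticArena arena;
    return arena.allocate(512, 8) != nullptr && arena.allocate(1024, 8) == nullptr;
}
```

The abort on exhaustion is the fail-stop that turns a pool overrun into a deterministic, detectable event rather than a silent heap call; a real system would route it to the platform's safe-state handler instead.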