[SystemSafety] New paper on MISRA C
Olwen Morgan
olwen.morgan at btinternet.com
Mon Sep 17 17:07:18 CEST 2018
Paul Sherwood wrote:
> Hi folks,
> I'm new here, but somewhat confused.
> The group is "SystemSafety", which I take to mean that this
> community understands that safety is a property of a system, not
> component level. As I understand it MIT and others have successfully
> debunked the notion that system safety is correlated with component
> reliability.
> So a simple question, and sorry for being blunt ... Why is MISRA C
> still considered relevant to system safety in 2018?
Safety and reliability are different dependability properties. A system
can be unreliable yet safe - e.g. an airliner that won't power up
properly and is sitting on the tarmac. It can also be reliable but
unsafe - e.g. it may have instruments that keep on working but give
incorrect readings.
AFAI am aware, except in limited cases, there is no robustly
reproducible evidence that attributes of software components have any
demonstrable correlation with overall system dependability properties.
Anyone who claims that making code comply with a coding standard helps
to make it safe or reliable is missing the point.
The aim of coding standards is to mitigate the introduction of defects
at the coding stage of the software life cycle. A defect in a software
component may compromise system safety, system reliability or both.
Think about Ariane 5. Its guidance algorithm led to an unrecoverable
attitude deviation (unreliability), as a consequence of which it had to
be destroyed (unsafe for anyone under the falling debris). Software
defects can be precursors to both unreliability and unsafe states
depending on overall system design.
There is, however, one area in which software reliability relates more
directly to system safety. That is when a piece of software is designed
solely to provide a safety function. The classic case here is in machine
safety, where a PLC may implement a function that removes power from a
machine shaft when certain conditions are detected, e.g. if a
light-curtain is breached. For the particular sub-case of functions that
are there exclusively for safety, there is a direct connection between
reliability and safety. If the PLC does not reliably remove power when
the light-curtain is breached, then one is liable to have to dismantle
the machine to retrieve some poor individual's mangled body parts.
I am not aware of the MIT work to which you refer. Perhaps you could
give a reference?
regards,
Olwen