[SystemSafety] New paper on MISRA C

Olwen Morgan olwen.morgan at btinternet.com
Mon Sep 17 17:07:18 CEST 2018


Paul Sherwood wrote:

> Hi folks,
>
> I'm new here, but somewhat confused.
>
> The group is "SystemSafety", which I take to mean that this
> community understands that safety is a property of a system, not
> component level. As I understand it MIT and others have successfully
> debunked the notion that system safety is correlated with component
> reliability.
>
> So a simple question, and sorry for being blunt ... Why is MISRA C
> still considered relevant to system safety in 2018?


Safety and reliability are different dependability properties. A system 
can be unreliable yet safe - e.g. an airliner that won't power up 
properly and is sitting on the tarmac. It can also be reliable but 
unsafe - e.g. it may have instruments that keep on working but give 
incorrect readings.

As far as I am aware, except in limited cases, there is no robustly 
reproducible evidence that attributes of software components have any 
demonstrable correlation with overall system dependability properties. 
Anyone who claims that making code comply with a coding standard helps 
to make it safe or reliable is missing the point.

The aim of coding standards is to mitigate the introduction of defects 
at the coding stage of the software life cycle. A defect in a software 
component may compromise system safety, system reliability or both. 
Think about Ariane 5. Its guidance algorithm led to an unrecoverable 
attitude deviation (unreliability), as a consequence of which it had to 
be destroyed (unsafe for anyone under the falling debris). Software 
defects can be precursors to both unreliability and unsafe states 
depending on overall system design.

There is, however, one area in which software reliability relates more 
directly to system safety. That is when a piece of software is designed 
solely to provide a safety function. The classic case here is in machine 
safety, where a PLC may implement a function that removes power from a 
machine shaft when certain conditions are detected, e.g. if a 
light-curtain is breached. For the particular sub-case of functions that 
are there exclusively for safety, there is a direct connection between 
reliability and safety. If the PLC does not reliably remove power when 
the light-curtain is breached, then one is liable to have to dismantle 
the machine to retrieve some poor individual's mangled body parts.

I am not aware of the MIT work to which you refer. Perhaps you could 
give a reference?


regards,
Olwen
