Subject: Re: [boost] Use of boost in safety critical work
From: Niall Douglas (s_sourceforge_at_[hidden])
Date: 2014-12-05 07:41:23

On 5 Dec 2014 at 9:37, Andrew Marlow wrote:
> I am currently considering a job which involves embedded safety critical.
> It is for a neonatal ventilator so the safety critical aspect really is
> critical rather than just 'jolly important'. The company says the
> development will be in C++ but they have not even heard of boost, let alone
> use it. They introduced me to a new acronym, well new to me anyway: SOUP.
> It stands for Software of Unknown Pedigree. They classify boost as SOUP.
> I have used boost before in embedded work but I have never done safety
> critical work before so I don't know how widely boost is used there. Can
> anyone who *has* worked on safety critical stuff comment please?

I will caveat everything I am about to say in that it's been over a
decade since I last worked in safety critical, and my knowledge on
developments since is incomplete.

Safety critical C or C++ usually means no dynamic memory allocation
nor exception throwing, which poses obvious problems for any STL type
design including the STL. You can use custom STL allocators which
indirect to fixed sized and thread local pools, but it's a pain, and
all it requires is an accidental slip in use of ::operator new by
code you can't modify and it's game over. Most C++, including any
STL, also assumes you can always throw exceptions.

You also have an enormous problem with lack of *verified* C++
libraries as in ones formally verified as being correct which is an
enormously expensive undertaking. Well, lack is the wrong word, there
are plenty, it's more they very much lack in features. I am unaware
of any complete C++ 98 verified STL for example. Maybe things have

All that said, there are many SIL4 verified C++ solutions currently
powering nuclear reactors, trains, cars and so on. C++ is
surprisingly popular given it would be my last recommendation for a
SIL4 implementation language, but there you go. I helped out in QNX
getting their BB10 derived version recertified for SIL3, and you'd be
surprised at how much "modern" C++ ends up in safety critical
applications. BTW, if your neonatal unit is running a SIL verified
RTOS as I would assume it must, it will heavily constrain your
toolset anyway probably to something not hugely capable of running

Finally, for a neonatal ventilator you will find that only a tiny
part needs to be 99.999999% reliable. The part which does the UI may
only require 99.9% for example. That latter part should run on a
separate CPU, and be verified as safe to watchdog reboot without
affecting the safety critical part. You can use Boost, or Java, or
whatever in the 99.9% reliable bit, and I'd also strongly consider an
easier to program OS like Linux. I would strongly recommend in the
strongest possible terms against using C++ or C or any unverified
RTOS in the 99.999999% reliable bit, there are better languages (ADA
et al) for that part which are easier to write to reach a verified
and proven formal correctness.

And good luck with the project. It is worth doing at least one
actually safety critical project at least once in your career. You
never program the same again after.

--
ned Productions Limited Consulting
http://www.nedproductions.biz/
http://ie.linkedin.com/in/nialldouglas/
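
Added example, not part of the original message or of Boost: a sketch of the pattern the message describes, an STL allocator that indirects to a fixed-size pool, together with a replaced global ::operator new that counts heap requests so a test can catch an accidental slip. The names Arena, PoolAlloc, g_heap_calls and heap_calls_filling are hypothetical, the pool is single-threaded rather than thread-local, and exhaustion is handled by fail-stop (std::abort) instead of an exception.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdlib>
#include <vector>

// Replaced global operator new: counts every heap request so a slip can be detected.
static std::atomic<unsigned long> g_heap_calls{0};
void* operator new(std::size_t n) {
    ++g_heap_calls;
    if (void* p = std::malloc(n ? n : 1)) return p;
    std::abort();  // fail-stop instead of throwing std::bad_alloc
}
void operator delete(void* p) noexcept { std::free(p); }
void operator delete(void* p, std::size_t) noexcept { std::free(p); }

// Fixed-size bump arena (hypothetical name): single-threaded, memory is never reused.
struct Arena {
    alignas(std::max_align_t) unsigned char buf[4096];
    std::size_t used = 0;
    void* take(std::size_t bytes, std::size_t align) {
        std::size_t start = (used + align - 1) & ~(align - 1);
        if (bytes > sizeof buf || start > sizeof buf - bytes) return nullptr;
        used = start + bytes;
        return buf + start;
    }
};
// Minimal STL allocator (hypothetical name) that indirects to the arena.
template <class T> struct PoolAlloc {
    using value_type = T;
    Arena* arena;
    explicit PoolAlloc(Arena* a) : arena(a) {}
    template <class U> PoolAlloc(const PoolAlloc<U>& o) : arena(o.arena) {}
    T* allocate(std::size_t n) {
        void* p = n <= sizeof(Arena::buf) / sizeof(T) ? arena->take(n * sizeof(T), alignof(T)) : nullptr;
        if (!p) std::abort();  // pool exhausted: fail-stop, no exception
        return static_cast<T*>(p);
    }
    void deallocate(T*, std::size_t) noexcept {}  // bump arena: nothing to give back
};
template <class T, class U> bool operator==(const PoolAlloc<T>& a, const PoolAlloc<U>& b) { return a.arena == b.arena; }
template <class T, class U> bool operator!=(const PoolAlloc<T>& a, const PoolAlloc<U>& b) { return !(a == b); }

static int* volatile g_sink;  // lets the buffer escape so the allocation cannot be optimised away
// Returns how many global-heap requests were made while pushing n ints into v.
template <class Vec> unsigned long heap_calls_filling(Vec v, int n) {
    unsigned long before = g_heap_calls;
    for (int i = 0; i < n; ++i) v.push_back(i);
    g_sink = v.data();
    return g_heap_calls - before;
}
```

A vector built on PoolAlloc reports zero heap requests, while a plain std::vector<int> reports at least one, which is the kind of check that flags third-party code reaching ::operator new behind your back.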