Re: C++ Should not be used for Medical Devices

["Dr. Robert Leif" <rleif@RLEIF.COM>]

To: Robert Dewar et al.
From: Bob Leif

The quotation below attributed to me was from Jim Chelini
<jchelini@east.alsys.com>
I did not write it; nor do I agree with it. I previously posted my comments
on this subject to this news group. I am glad to see that I can now use
tasking. In fact, the Coulter Onyx successfully used tasking under Alsys
Ada 32 bit for DOS.

R. C. Leif, J. Sara, I. Burgess, M. Kelly, S. B. Leif, and T. Daly, "The
Development of Software in the Ada Language for a Mid-Range Hematology
Analyzer". Tri-Ada '93 340-346 (1993).

 From a marketing point  of view, for most medical products, it is NOT cost
effective to use a true embedded system. What a commercial instrument
developer wants is a pseudo-embedded system. We need the device drivers and
GUI of a standard operating system; but, would like to remove from the
operator the ability to run other programs while he/she runs our
application. I suspect the US DoD has very similar requirements.

Robert Dewar wrote:
----------------------------------------------------------------------------
----------
Date:    Sun, 26 Jan 1997 11:08:57 -0500
From:    Robert Dewar <dewar@MERV.CS.NYU.EDU>
Subject: Re: C++ Should not be used for Medical Devices

Robert Leif said

"When it comes to safety critical software, I would certainly agree with the
use
of Ada. However, I would avoid a number of features including tasking and
dynamic
allocation. In the cases where a life is at risk whether it is a medical
device, aircraft, or a rail system, stick to deterministic constructs.
Once the program has completed elaboration, it should not perform dynamic
operations.  Also, make sure the run-time is developed, documented, and
TESTED to the same degree as the application.  If you don't, you have left
a very large hole in the system."


Robert replies:

Tasking in Ada 95 is deterministic if your compiler implements Annex
D faithfully (be careful to check validation results here, even some
compilers that purport to support Annex D in fact fail some critical
tests -- read the VSR's carefully!)

This means that there is no a priori reason for avoiding tasking in
safety critical software. Of course there may be reasons for avoiding
the additional complexity in the runtime, but this is a reason for
avoiding many things. In fact we are working now on a variant of GNAT
we call GNORT (or GNAT with NO RunTime at all), precisely because the
avoidance of runtime code has advantages.

Similarly dynamic allocation is not necessarily non-deterministic. If
you use the storage pool facility in Ada 95 to control your own use
of dynamic allocation, it may be perfectly safe and provably reliable,
and again, there is no a priori reason to avoid the notion of pointers
in safety critical programs.

----------------------------------------------------------------------------
-------------


Robert C. Leif, Ph.D., PMIAC,
Vice President & Research Director
Ada_Med, A Division of Newport Instruments
Tel. & Fax (619) 582-0437
Please send e-mail to my new address, rleif@rleif.com
Thank you.