From: "Dr. Robert Leif"
Subject: Re: C++ Should not be used for Medical Devices
Date: 1997/01/27
Newsgroups: comp.lang.ada
Message-ID: <3.0.32.19970127112330.00704ed8@mail.4dcomm.com>

To: Robert Dewar et al.
From: Bob Leif

The quotation below attributed to me was from Jim Chelini. I did not write it, nor do I agree with it. I previously posted my comments on this subject to this newsgroup.

I am glad to see that I can now use tasking. In fact, the Coulter Onyx successfully used tasking under Alsys Ada 32 bit for DOS. R. C. Leif, J. Sara, I. Burgess, M. Kelly, S. B. Leif, and T. Daly, "The Development of Software in the Ada Language for a Mid-Range Hematology Analyzer". Tri-Ada '93 340-346 (1993).

From a marketing point of view, for most medical products, it is NOT cost effective to use a true embedded system. What a commercial instrument developer wants is a pseudo-embedded system. We need the device drivers and GUI of a standard operating system, but would like to remove from the operator the ability to run other programs while he/she runs our application. I suspect the US DoD has very similar requirements.

Robert Dewar wrote:
----------------------------------------------------------------------------
Date: Sun, 26 Jan 1997 11:08:57 -0500
From: Robert Dewar
Subject: Re: C++ Should not be used for Medical Devices

Robert Leif said "When it comes to safety critical software, I would certainly agree with the use of Ada. However, I would avoid a number of features including tasking and dynamic allocation. In the cases where a life is at risk whether it is a medical device, aircraft, or a rail system, stick to deterministic constructs. Once the program has completed elaboration, it should not perform dynamic operations. Also, make sure the run-time is developed, documented, and TESTED to the same degree as the application. If you don't, you have left a very large hole in the system."

Robert replies: Tasking in Ada 95 is deterministic if your compiler implements Annex D faithfully (be careful to check validation results here, even some compilers that purport to support Annex D in fact fail some critical tests -- read the VSR's carefully!) This means that there is no a priori reason for avoiding tasking in safety critical software. Of course there may be reasons for avoiding the additional complexity in the runtime, but this is a reason for avoiding many things. In fact we are working now on a variant of GNAT we call GNORT (or GNAT with NO RunTime at all), precisely because the avoidance of runtime code has advantages.

Similarly dynamic allocation is not necessarily non-deterministic. If you use the storage pool facility in Ada 95 to control your own use of dynamic allocation, it may be perfectly safe and provably reliable, and again, there is no a priori reason to avoid the notion of pointers in safety critical programs.
----------------------------------------------------------------------------

Robert C. Leif, Ph.D., PMIAC, Vice President & Research Director
Ada_Med, A Division of Newport Instruments
Tel. & Fax (619) 582-0437
Please send e-mail to my new address, rleif@rleif.com
Thank you.
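The storage-pool approach Dewar refers to, shown as an added illustration that is not part of either message: a bump-pointer pool whose whole buffer is sized when the pool object is elaborated, so that later `new` operations cost constant time and exhaustion raises `Storage_Error` rather than stalling or touching the system heap. It uses the standard Ada 95 `System.Storage_Pools` interface; the package name `Arena_Pools` and the type `Arena` are my own.

```ada
with System;                  use System;
with System.Storage_Elements; use System.Storage_Elements;
with System.Storage_Pools;
--  Arena_Pools (hypothetical name): a bump-pointer pool over a buffer
--  whose size is fixed at elaboration; nothing is ever freed.
package Arena_Pools is
   type Arena (Size : Storage_Count) is
     new System.Storage_Pools.Root_Storage_Pool with record
      Buffer : Storage_Array (1 .. Size);
      Next   : Storage_Count := 1;  --  index of the first free element
   end record;
   procedure Allocate (Pool : in out Arena; Storage_Address : out Address;
      Size_In_Storage_Elements : Storage_Count; Alignment : Storage_Count);
   procedure Deallocate (Pool : in out Arena; Storage_Address : Address;
      Size_In_Storage_Elements : Storage_Count; Alignment : Storage_Count);
   function Storage_Size (Pool : Arena) return Storage_Count;
end Arena_Pools;

package body Arena_Pools is
   procedure Allocate (Pool : in out Arena; Storage_Address : out Address;
      Size_In_Storage_Elements : Storage_Count; Alignment : Storage_Count)
   is
      Base  : constant Integer_Address := To_Integer (Pool.Buffer'Address);
      Cur   : constant Integer_Address := Base + Integer_Address (Pool.Next - 1);
      Align : constant Integer_Address := Integer_Address (Alignment);
      --  Round the free pointer up to the requested alignment.
      Start : constant Integer_Address := ((Cur + Align - 1) / Align) * Align;
      --  1-based index of the last element the request would occupy.
      Last  : constant Storage_Count :=
        Storage_Count (Start - Base) + Size_In_Storage_Elements;
   begin
      --  Exhaustion is an explicit, immediate failure: no blocking,
      --  no fallback to the system heap.
      if Last > Pool.Size then
         raise Storage_Error;
      end if;
      Storage_Address := To_Address (Start);
      Pool.Next := Last + 1;
   end Allocate;

   --  No individual frees: no free list to walk, no fragmentation,
   --  so every Allocate is a bounded, constant-time operation.
   procedure Deallocate (Pool : in out Arena; Storage_Address : Address;
      Size_In_Storage_Elements : Storage_Count; Alignment : Storage_Count)
   is begin null; end Deallocate;

   function Storage_Size (Pool : Arena) return Storage_Count is
   begin return Pool.Size; end Storage_Size;
end Arena_Pools;
```

An access type is bound to a pool object with an attribute definition clause such as `for Node_Access'Storage_Pool use My_Arena;`, after which every `new` on that type draws from the arena instead of the default heap.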