Re: Ada and Automotive Industry

[George Romanski <romanski@east.thomsoft.com>]

Chris Hills wrote:
> 
> In article <dewar.849497905@merv>, Robert Dewar <dewar@merv.cs.nyu.edu>
> writes
> >Chris says
> >
> >"I am ammussed by the comment "for saftey reasons" ADA is no safer than
> >any other language. It is only safer in theroy. It depends on the
> >standard of the compilers and tools etc.

The quality of a compiler and the associated tools are an important
factor.  There are however no "Qualified" compilers that I am aware of.
(DO-178B definition of Development tool qualification) so verification
must be performed on the result of the compilation process.  

There are "Qualified" verification tools, and indeed under FAA (JAA 
in Europe) a verification tool must be qualified before it can be used
in testing for credit.  There are Qualified Ada verification tools, 
there may be some for C but I don't know of any.

> >--snip

> 
> >Chris says
> >>"I was once told to use Modula 2 because it was "safe" It turned out
> >>that the compiler suite had been written in Intel assembler
> >>(supposedly a very unsafe language) and was full of bugs! In the end

--snip

> 
> I may not understand "AT ALL the concept of saftey in the design of a
> language" but my sw has to run and work without error day in day out.
> (My current Sw when finished is expected to run for 15 years from switch
> on (24 hours a day) with down time of 15 min a year for planned
> upgrades). The last system I did (also in C) has run for 2 years without
> problems.

Look in the safety guidelines and standards for software.  

IEC 1508 (current Draft) 

says subsets of Modula, Pascal and Ada are Highly recommended for systems 
at all integrity levels.  C and subsets of C are not.

MISRA guidelines - "Motor Industry Software Reliability Association"
Report 1: 

"Some safetycritical software pundits deprecate the use of C due to its 
poor IOS definition resulting in many aspects of the language being 
undefined, unspecified or implementation specific.  In these aspects 
it is vieved as being weaker than assembler.

Languages recommended for high integrity applications are ISO Pascal 
subset, Modula-2 subset or Ada subset."

> 
> The Ariane 5 rocket had Ada Sw (a "Safe" language) and crashed after 39
> seconds (a bit of a red herring as Ada was not directly to blame and the
> same could have been done in C or Mod2) SO what is the excuse here? the
> Sw team did not understand the use of the language? If it is that hard
> to use and that easy to miss use it is unsafe in practice.

It was a system design/reuse error.  The exception was triggered correctly,
handled correctly ont the first computer and had inappropriate code in 
the handler of the second computer.  Note that in C it would not have been 
detected in the first place.   

> 
> As I repeatedly say the theory is fine (it's what accademics are good at
> :-) but is it safe in practice?

Ada is safe in practice.  Having been involved with the development 
and verification of  Nuclear Shut-down systems, Flight control systems, 
automatic brake control systems and so on I understand the requirements 
of software verification and the costs associated with demonstrating
this to the certification authorities.  

I feel confident of this with Ada, verifying C code scares me silly.

George Romanski
Director Safety Critical Software
Aonix.