comp.lang.ada
* Safety-Critical Systems Developed Using C++
@ 2001-01-17  3:53 Ken Garlington
  2001-01-17  5:20 ` Richard Andrews
                   ` (3 more replies)
  0 siblings, 4 replies; 48+ messages in thread
From: Ken Garlington @ 2001-01-17  3:53 UTC (permalink / raw)


I'm trying to generate a list of safety-critical software-intensive systems
that have been developed in C++ and subsequently put into production. So
far, I have found vague references to:

Bay Area Rapid Transit (BART) train control system
Air Traffic Control system in U.S.
European train control systems

Does anyone have any pointers to others, or confirmation/additional details
as to the list above?






^ permalink raw reply	[flat|nested] 48+ messages in thread

* Re: Safety-Critical Systems Developed Using C++
  2001-01-17  3:53 Safety-Critical Systems Developed Using C++ Ken Garlington
@ 2001-01-17  5:20 ` Richard Andrews
  2001-01-17 17:02   ` Wes Groleau
  2001-01-17 15:22 ` Mario Grgic
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 48+ messages in thread
From: Richard Andrews @ 2001-01-17  5:20 UTC (permalink / raw)


In article <GG896.7342$J%.740891@news.flash.net>, "Ken Garlington"
<Ken.Garlington@computer.org> wrote:

> I'm trying to generate a list of safety-critical software-intensive
> systems that have been developed in C++ and subsequently put into
> production. So far, I have found vague references to:
> 
> Bay Area Rapid Transit (BART) train control system
> Air Traffic Control system in U.S.
> European train control systems
> 
> Does anyone have any pointers to others, or confirmation/additional
> details as to the list above?

I got the feeling that the European train control systems were written in
Eiffel, but I might be wrong. It was used as a design-by-contract success
story in a seminar I went to last year.




* Re: Safety-Critical Systems Developed Using C++
  2001-01-17  3:53 Safety-Critical Systems Developed Using C++ Ken Garlington
  2001-01-17  5:20 ` Richard Andrews
@ 2001-01-17 15:22 ` Mario Grgic
  2001-01-17 16:20   ` Ian Wild
                     ` (4 more replies)
  2001-01-18  0:47 ` k_e_n_s_a_i
  2001-01-19  8:22 ` Daryle Walker
  3 siblings, 5 replies; 48+ messages in thread
From: Mario Grgic @ 2001-01-17 15:22 UTC (permalink / raw)


Well, most operating systems and web servers have been developed in C/C++
and they are very mission and safety critical.


"Ken Garlington" <Ken.Garlington@computer.org> wrote in message
news:GG896.7342$J%.740891@news.flash.net...
> I'm trying to generate a list of safety-critical software-intensive systems
> that have been developed in C++ and subsequently put into production. So
> far, I have found vague references to:
>
> Bay Area Rapid Transit (BART) train control system
> Air Traffic Control system in U.S.
> European train control systems
>
> Does anyone have any pointers to others, or confirmation/additional details
> as to the list above?






* Re: Safety-Critical Systems Developed Using C++
  2001-01-17 15:22 ` Mario Grgic
@ 2001-01-17 16:20   ` Ian Wild
  2001-01-17 16:44   ` Steve Nester
                     ` (3 subsequent siblings)
  4 siblings, 0 replies; 48+ messages in thread
From: Ian Wild @ 2001-01-17 16:20 UTC (permalink / raw)


Mario Grgic wrote:
> 
> Well, most operating systems and web servers have been developed in C/C++
> and they are very mission and safety critical.


The question was about C++, not about C.




* Re: Safety-Critical Systems Developed Using C++
  2001-01-17 15:22 ` Mario Grgic
  2001-01-17 16:20   ` Ian Wild
@ 2001-01-17 16:44   ` Steve Nester
  2001-01-17 17:04     ` Greg Comeau
  2001-01-17 17:28   ` Marin David Condic
                     ` (2 subsequent siblings)
  4 siblings, 1 reply; 48+ messages in thread
From: Steve Nester @ 2001-01-17 16:44 UTC (permalink / raw)


I don't believe I'd classify a webserver as safety critical.  No one has
ever died because a webserver crashed.

Your point is well taken but I'd leave webservers out of it.

Steve

"Mario Grgic" <mario@ineural.com> writes:

>Well, most operating systems and web servers have been developed in C/C++
>and they are very mission and safety critical.


>"Ken Garlington" <Ken.Garlington@computer.org> wrote in message
>news:GG896.7342$J%.740891@news.flash.net...
>> I'm trying to generate a list of safety-critical software-intensive systems
>> that have been developed in C++ and subsequently put into production. So
>> far, I have found vague references to:
>>
>> Bay Area Rapid Transit (BART) train control system
>> Air Traffic Control system in U.S.
>> European train control systems
>>
>> Does anyone have any pointers to others, or confirmation/additional details
>> as to the list above?






* Re: Safety-Critical Systems Developed Using C++
  2001-01-17  5:20 ` Richard Andrews
@ 2001-01-17 17:02   ` Wes Groleau
  0 siblings, 0 replies; 48+ messages in thread
From: Wes Groleau @ 2001-01-17 17:02 UTC (permalink / raw)



> I got the feeling that the European train control systems were written in
> Eiffel, but I might be wrong. It was used as a design-by-contract success
> story in a seminar I went to last year.

At least one is in Ada.

-- 
Wes Groleau
http://freepages.rootsweb.com/~wgroleau




* Re: Safety-Critical Systems Developed Using C++
  2001-01-17 16:44   ` Steve Nester
@ 2001-01-17 17:04     ` Greg Comeau
  0 siblings, 0 replies; 48+ messages in thread
From: Greg Comeau @ 2001-01-17 17:04 UTC (permalink / raw)


In article <G7BFtt.9yB@world.std.com>,
Steve Nester <nester@world.std.com> wrote:
>I don't believe I'd classify a webserver as safety critical.  No one has
>ever died because a webserver crashed.
>
>Your point is well taken but I'd leave webservers out of it.

I don't know if it's never occurred, but I could imagine it
happening inside, say, a hospital and numerous other places.
Why the heck not?

- Greg
-- 
Comeau Computing / Comeau C/C++ "so close" 4.2.44 betas NOW AVAILABLE
TRY Comeau C++ ONLINE at http://www.comeaucomputing.com/tryitout
Email: comeau@comeaucomputing.com / WEB: http://www.comeaucomputing.com




* Re: Safety-Critical Systems Developed Using C++
  2001-01-17 15:22 ` Mario Grgic
  2001-01-17 16:20   ` Ian Wild
  2001-01-17 16:44   ` Steve Nester
@ 2001-01-17 17:28   ` Marin David Condic
  2001-01-17 23:58   ` Ken Garlington
  2001-01-19  4:00   ` Flavius Vespasian
  4 siblings, 0 replies; 48+ messages in thread
From: Marin David Condic @ 2001-01-17 17:28 UTC (permalink / raw)




Mario Grgic wrote:

> Well, most operating systems and web servers have been developed in C/C++
> and they are very mission and safety critical.
>

How many people die if a web server goes down? :-)

Not exactly my interpretation of a "safety critical" system. Most OS's and web
servers can withstand a fatal error that causes a restart or reboot and not
much is at stake. Obviously, money could be lost by eBay if they are down for
any substantial time, but it just doesn't seem to me to be the same thing as a
plane falling out of the sky because a flight control did a divide-by-zero.

MDC
--
======================================================================
Marin David Condic - Quadrus Corporation - http://www.quadruscorp.com/
Send Replies To: m c o n d i c @ q u a d r u s c o r p . c o m
Visit my web site at:  http://www.mcondic.com/

    "I'd trade it all for just a little more"
        --  Charles Montgomery Burns, [4F10]
======================================================================






* Re: Safety-Critical Systems Developed Using C++
  2001-01-18  2:02   ` Marin David Condic
@ 2001-01-17 18:57     ` John Luebs
  2001-01-18  8:42       ` Lao Xiao Hai
                         ` (2 more replies)
  2001-01-18 15:24     ` Ted Dennison
  2001-01-18 18:42     ` k_e_n_s_a_i
  2 siblings, 3 replies; 48+ messages in thread
From: John Luebs @ 2001-01-17 18:57 UTC (permalink / raw)


In article <3A664EC4.6F679BE0@acm.org>, "Marin David Condic"
<mcondic.auntie.spam@acm.org> wrote:

> You'll get a lot of argument there from this crowd! :-)
> 
> I had a ten year study of error rates in embedded code for safety
> critical systems. Moving to Ada reduced the error rates by a factor of
> four. Same programmers. Same problem domain. Same sort of system
> architecture. No way around it. Ada's compile time checking, strong
> typing, etc., reduced the error rates. And not by just a little.
> 

Ada reduces error rates! So that's why the DoD abandoned it as fast as
possible!

> It's hard to argue with data that demonstrates a reduced error rate. All
> programmers make mistakes. Stronger checking up front catches more of
> them and reduces the cost of fixing them.
> 
> MDC




* Re: Safety-Critical Systems Developed Using C++
  2001-01-17 15:22 ` Mario Grgic
                     ` (2 preceding siblings ...)
  2001-01-17 17:28   ` Marin David Condic
@ 2001-01-17 23:58   ` Ken Garlington
  2001-01-19  4:00   ` Flavius Vespasian
  4 siblings, 0 replies; 48+ messages in thread
From: Ken Garlington @ 2001-01-17 23:58 UTC (permalink / raw)


"Mario Grgic" <mario@ineural.com> wrote in message
news:3a65b899$1@news.sentex.net...
: Well, most operating systems and web servers have been developed in C/C++
: and they are very mission and safety critical.

Are there specific examples of operating systems (COTS or otherwise) written
in C++ (not just C, or C compiled with a C++ compiler), that have been used
in a system generally considered to be safety-critical? (For the purposes of
definition, assume loss of life is likely to result if the system fails to
operate.)






* Re: Safety-Critical Systems Developed Using C++
  2001-01-17  3:53 Safety-Critical Systems Developed Using C++ Ken Garlington
  2001-01-17  5:20 ` Richard Andrews
  2001-01-17 15:22 ` Mario Grgic
@ 2001-01-18  0:47 ` k_e_n_s_a_i
  2001-01-18  2:02   ` Marin David Condic
  2001-01-21 23:17   ` dvdeug
  2001-01-19  8:22 ` Daryle Walker
  3 siblings, 2 replies; 48+ messages in thread
From: k_e_n_s_a_i @ 2001-01-18  0:47 UTC (permalink / raw)


I suppose it's irrelevant, but the integrity of a program depends on
the skill of the programmers rather than the language it is coded in.
Any syntactically correct language should be equally stable, excluding
compiler flaws, etc.


Sent via Deja.com
http://www.deja.com/




* Re: Safety-Critical Systems Developed Using C++
  2001-01-18  0:47 ` k_e_n_s_a_i
@ 2001-01-18  2:02   ` Marin David Condic
  2001-01-17 18:57     ` John Luebs
                       ` (2 more replies)
  2001-01-21 23:17   ` dvdeug
  1 sibling, 3 replies; 48+ messages in thread
From: Marin David Condic @ 2001-01-18  2:02 UTC (permalink / raw)


You'll get a lot of argument there from this crowd! :-)

I had a ten year study of error rates in embedded code for safety critical
systems. Moving to Ada reduced the error rates by a factor of four. Same
programmers. Same problem domain. Same sort of system architecture. No way
around it. Ada's compile time checking, strong typing, etc., reduced the
error rates. And not by just a little.

It's hard to argue with data that demonstrates a reduced error rate. All
programmers make mistakes. Stronger checking up front catches more of them
and reduces the cost of fixing them.

MDC

k_e_n_s_a_i@my-deja.com wrote:

> I suppose it's irrelevant, but the integrity of a program depends on
> the skill of the programmers rather than the language it is coded in.
> Any syntactically correct language should be equally stable, excluding
> compiler flaws, etc.
>
> Sent via Deja.com
> http://www.deja.com/

--
======================================================================
Marin David Condic - Quadrus Corporation - http://www.quadruscorp.com/
Send Replies To: m c o n d i c @ q u a d r u s c o r p . c o m
Visit my web site at:  http://www.mcondic.com/

    "I'd trade it all for just a little more"
        --  Charles Montgomery Burns, [4F10]
======================================================================
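Condic's point above is about a mechanism, not only a measurement: when the type system and compile-time checks reject a class of mistakes, fewer of them reach the field. The following is an added C++ illustration of that mechanism; it is not code from the thread, and the types Feet, Metres, Altitude and Seconds and the climb-rate functions are invented for the example. It shows the same calculation written first with bare doubles, where a unit mix-up and a zero interval (the divide-by-zero Condic mentions elsewhere in the thread) pass silently, and then with distinct and range-checked types, where the mix-up fails to compile and bad values are rejected the moment they are created.

```cpp
#include <cmath>
#include <stdexcept>
#include <string>
#include <iostream>

// Added example, not from the thread. Feet, Metres, Altitude, Seconds and the
// climb_rate functions are hypothetical names chosen for illustration.

// 1. Distinct types instead of bare doubles: a Feet value cannot be passed
//    where Metres is expected; the only way across is an explicit conversion.
struct Feet   { double value; };
struct Metres { double value; };

inline Metres to_metres(Feet f) { return Metres{f.value * 0.3048}; }

// 2. A range-constrained type, checked whenever a value is created, in the
//    spirit of an Ada subtype with a range constraint
//    (Ada: subtype Altitude_M is Float range 0.0 .. 20_000.0;).
class Altitude {
public:
    explicit Altitude(Metres m) : metres_(m.value) {
        const double min_m = 0.0, max_m = 20000.0;
        if (!(metres_ >= min_m && metres_ <= max_m)) {   // also rejects NaN
            throw std::out_of_range("altitude " + std::to_string(metres_) +
                                    " m outside 0..20000 m");
        }
    }
    double metres() const { return metres_; }
private:
    double metres_;
};

struct Seconds { double value; };

// 3a. Weakly typed: compiles with any three doubles, so feet can be mixed with
//     metres and a zero interval divides by zero without complaint.
double weak_climb_rate(double now, double before, double seconds) {
    return (now - before) / seconds;
}

// 3b. Strongly typed: unit mix-ups are compile errors, out-of-range altitudes
//     never exist as Altitude values, and the zero interval is checked here.
double climb_rate(Altitude now, Altitude before, Seconds dt) {
    if (dt.value <= 0.0) {
        throw std::domain_error("non-positive time interval");
    }
    return (now.metres() - before.metres()) / dt.value;
}

// Helpers that return observable results so the behaviour can be checked.
bool altitude_rejected(double metres) {
    try { Altitude a{Metres{metres}}; (void)a; return false; }
    catch (const std::out_of_range&) { return true; }
}

bool zero_interval_rejected() {
    try {
        climb_rate(Altitude{Metres{1000.0}}, Altitude{Metres{900.0}}, Seconds{0.0});
        return false;
    } catch (const std::domain_error&) { return true; }
}

// The weak version accepts a feet value that was never converted: the result
// is about 238 m/s instead of the intended 10 m/s, and nothing flags it.
double weak_mixed_units_rate() {
    double metres_before = 900.0;
    double feet_now = 3280.84;      // intended as ~1000 m, but left in feet
    return weak_climb_rate(feet_now, metres_before, 10.0);
}

// The typed version forces the conversion; passing Feet{3280.84} directly to
// climb_rate would not compile, because Feet is not an Altitude.
double strong_rate_example() {
    Altitude now{to_metres(Feet{3280.84})};
    Altitude before{Metres{900.0}};
    return climb_rate(now, before, Seconds{10.0});   // about 10 m/s
}

int main() {
    std::cout << "weak, mixed units:   " << weak_mixed_units_rate() << " m/s\n"
              << "weak, zero interval: " << weak_climb_rate(1000.0, 900.0, 0.0) << "\n"
              << "typed:               " << strong_rate_example() << " m/s\n"
              << "range check works:   " << altitude_rejected(-5.0) << "\n"
              << "zero interval caught: " << zero_interval_rejected() << "\n";
    return 0;
}
```

The point is not that C++ cannot express these checks, but that with bare scalars nothing obliges the programmer to write them, whereas a range-constrained type makes the check a property of the type rather than a discipline each caller has to remember.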






* Re: Safety-Critical Systems Developed Using C++
  2001-01-17 18:57     ` John Luebs
@ 2001-01-18  8:42       ` Lao Xiao Hai
  2001-01-18 13:49         ` Ken Garlington
  2001-01-18 15:03         ` Marin David Condic
  2001-01-18 14:54       ` Marin David Condic
  2001-01-18 21:47       ` Mike Silva
  2 siblings, 2 replies; 48+ messages in thread
From: Lao Xiao Hai @ 2001-01-18  8:42 UTC (permalink / raw)




John Luebs wrote:

>
> Ada reduces error rates! So that's why the DoD abandoned it as fast as
> possible!

1)  The DoD did not abandon Ada.

2)  Ada continues to be used for many important DoD projects.

3)  We continue to teach Ada in the DoD sponsored academic environments such
    as West Point, USAF Academy, and Naval Postgraduate School.

4)  The DoD did issue a memorandum relaxing the Ada policy in favor of a
    broader view of language selection.  That memorandum provides for an SEPR
    (Software Engineering Process Review) that includes selecting a programming
    language for a project on the basis of its appropriateness for the project
    being planned.   When safety-critical is the overriding issue, intelligent
    planners select Ada.   Others, guided not by technological concerns but
    political ones, may choose something else.

5)  Anyone who would choose C++ or Java for a DoD safety-critical weapon
    systems program is making that choice on the basis of concerns that have
    nothing to do with reliability or correctness of the technology.

6)  There continue to be good engineers who understand the value of Ada for
    weapon systems development.   Of course, we do need more, but we are
    fortunate to still have a few.

I keep encountering this kind of misinterpretation of DoD policy regarding
Ada.   It seems that even those who have read Mr. Paige's directive on this
subject fail to read it in its entirety.  All they see is the relaxing of the
mandate, not the continued support for Ada.

Richard Riehle






* Re: Safety-Critical Systems Developed Using C++
  2001-01-18  8:42       ` Lao Xiao Hai
@ 2001-01-18 13:49         ` Ken Garlington
  2001-01-18 14:40           ` Peter Amey
                             ` (2 more replies)
  2001-01-18 15:03         ` Marin David Condic
  1 sibling, 3 replies; 48+ messages in thread
From: Ken Garlington @ 2001-01-18 13:49 UTC (permalink / raw)


"Lao Xiao Hai" <laoxhai@ix.netcom.com> wrote in message
news:3A66AC63.74ECBADB@ix.netcom.com...
:
: 5)  Anyone who would choose C++ or Java for a DoD safety-critical weapon
:     systems program is making that choice on the basis of concerns that have
:     nothing to do with reliability or correctness of the technology.

Which brings me back to the original question: Does anyone know of a
specific safety-critical application (military or non-military) that was
implemented in C++ and subsequently put into operational use? Alternately,
can anyone suggest a newsgroup that might be more appropriate for this
question?






* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 13:49         ` Ken Garlington
@ 2001-01-18 14:40           ` Peter Amey
  2001-01-18 17:30           ` r_c_chapman
  2001-01-18 20:45           ` Phil Staite
  2 siblings, 0 replies; 48+ messages in thread
From: Peter Amey @ 2001-01-18 14:40 UTC (permalink / raw)




Ken Garlington wrote:
> 
> "Lao Xiao Hai" <laoxhai@ix.netcom.com> wrote in message
> news:3A66AC63.74ECBADB@ix.netcom.com...
> :
> : 5)  Anyone who would choose C++ or Java for a DoD safety-critical weapon
> :     systems program is making that choice on the basis of concerns that have
> :     nothing to do with reliability or correctness of the technology.
> 
> Which brings me back to the original question: Does anyone know of a
> specific safety-critical application (military or non-military) that was
> implemented in C++ and subsequently put into operational use? Alternately,
> can anyone suggest a newsgroup that might be more appropriate for this
> question?

Ken,  

This is by way of being a "nil return".  Despite keeping a reasonably
close eye on this corner of the market place I am not aware of any such
system.  This doesn't mean someone won't eventually answer your question
positively but it does suggest that these systems are not enormously
common.  Certainly all of the critical C++ I have seen turned out to be
C compiled with a C++ compiler on closer inspection.

Peter


-- 
---------------------------------------------------------------------------   
      __         Peter Amey, Product Manager
        )                    Praxis Critical Systems Ltd
       /                     20, Manvers Street, Bath, BA1 1PX
      / 0        Tel: +44 (0)1225 466991
     (_/         Fax: +44 (0)1225 469006
                 http://www.praxis-cs.co.uk/

--------------------------------------------------------------------------




* Re: Safety-Critical Systems Developed Using C++
  2001-01-17 18:57     ` John Luebs
  2001-01-18  8:42       ` Lao Xiao Hai
@ 2001-01-18 14:54       ` Marin David Condic
  2001-01-18 21:47       ` Mike Silva
  2 siblings, 0 replies; 48+ messages in thread
From: Marin David Condic @ 2001-01-18 14:54 UTC (permalink / raw)


John Luebs wrote:

> Ada reduces error rates! So that's why the DoD abandoned it as fast as
> possible!
>

Isn't "Military Intelligence" supposed to be a contradiction? Nobody ever said
the DoD did everything that makes sense. :-)

There are more issues to language selection than merely error rates. Some of
them rational and logical. Some of them perceptional and emotional.

I was disputing the notion that with respect to error rates, language choice
has no impact. In a former incarnation, I was in charge of collecting and
distilling project metrics. I had TEN YEARS of data on software productivity
and error rates. Switching to Ada just about doubled productivity and reduced
error rates by a factor of four.

You can like any language you want and you can use any language you want for
whatever reasons you want. Still, I had hard data that showed that Ada made
life better on at least two important measurements. There are similar studies
out there with similar results. Those who argue that "any competent
programmer" should be able to write reliable code in any language are missing
the point. In the Kingdom of God, there won't be any software errors. As long
as we are writing code in this world, we have to deal with human errors and
occasional incompetence. The language you use can be demonstrated to have a
big impact on errors getting to the field.

If you're curious, look up John W. McCormick in the Computer Science
Department at the University of Northern Iowa. He had what is as close to a
controlled experiment in productivity/errors within software development as
you can get. It involved real time programming of model railroads - one set of
experiments in C and another in Ada. There was a dramatic difference between
the two. Ada won out big time in this area.

MDC
--
======================================================================
Marin David Condic - Quadrus Corporation - http://www.quadruscorp.com/
Send Replies To: m c o n d i c @ q u a d r u s c o r p . c o m
Visit my web site at:  http://www.mcondic.com/

    "I'd trade it all for just a little more"
        --  Charles Montgomery Burns, [4F10]
======================================================================






* Re: Safety-Critical Systems Developed Using C++
  2001-01-18  8:42       ` Lao Xiao Hai
  2001-01-18 13:49         ` Ken Garlington
@ 2001-01-18 15:03         ` Marin David Condic
  1 sibling, 0 replies; 48+ messages in thread
From: Marin David Condic @ 2001-01-18 15:03 UTC (permalink / raw)


This is why I didn't like the directive. I *know* the intent was to relax the
rules so that other languages could be considered where they made sense. The
problem is the *PERCEPTION* that it created - that somehow the DoD was admitting
that Ada was a big mistake and should never have been invented in the first place.
Those who have a pre-determined dislike of Ada for whatever reasons jumped on this
as validation of their prejudice. That was never the intent, but that was the
outcome.

Yes, there are a large number of defense related programs that use Ada. Yes, the
usage of Ada on these programs is strictly voluntary - not mandated. Yes, that
does show that intelligent engineering decisions get made in favor of Ada -
especially in safety critical areas. But the Anti-Ada-Ites out there seldom want
to look at hard facts - just the things that validate their own biases.

MDC

Lao Xiao Hai wrote:

> I keep encountering this kind of misinterpretation of DoD policy regarding
> Ada.   It seems that even those who have read Mr. Paige's directive on this
> subject fail to read it in its entirety.  All they see is the relaxing of the
> mandate, not the continued support for Ada.
>
> Richard Riehle

--
======================================================================
Marin David Condic - Quadrus Corporation - http://www.quadruscorp.com/
Send Replies To: m c o n d i c @ q u a d r u s c o r p . c o m
Visit my web site at:  http://www.mcondic.com/

    "I'd trade it all for just a little more"
        --  Charles Montgomery Burns, [4F10]
======================================================================






* Re: Safety-Critical Systems Developed Using C++
  2001-01-18  2:02   ` Marin David Condic
  2001-01-17 18:57     ` John Luebs
@ 2001-01-18 15:24     ` Ted Dennison
  2001-01-18 16:05       ` Sahan Amarasekera
  2001-01-20  0:46       ` ian.kerr2
  2001-01-18 18:42     ` k_e_n_s_a_i
  2 siblings, 2 replies; 48+ messages in thread
From: Ted Dennison @ 2001-01-18 15:24 UTC (permalink / raw)


In article <3A664EC4.6F679BE0@acm.org>,
  Marin David Condic <mcondic.auntie.spam@acm.org> wrote:

> I had a ten year study of error rates in embedded code for safety
> critical systems. Moving to Ada reduced the error rates by a factor of
> four. Same programmers. Same problem domain. Same sort of system
> architecture. No way around it. Ada's compile time checking, strong

That's interesting. Rational performed a similar study on their compiler
codebase using data culled over 11 years of development, and found that
their Ada code had 1/7th the defect rate of their C code and required
only half as many fixes per SLOC. Even compensating for differences in
experience, training, function, and language expressiveness, the big gap
was still there. Perhaps that's why many of Rational's heavy-hitters
(including Grady Booch of UML fame) are big Ada proponents.

Of course this study was for a large end-user application (a compiler
and associated tools), not for a safety-critical system.

For those interested, the full report is available at
http://www.rational.com/products/whitepapers/337.jsp .

--
T.E.D.

http://www.telepath.com/~dennison/Ted/TED.html


Sent via Deja.com
http://www.deja.com/




* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 15:24     ` Ted Dennison
@ 2001-01-18 16:05       ` Sahan Amarasekera
  2001-01-18 19:12         ` Ted Dennison
                           ` (2 more replies)
  2001-01-20  0:46       ` ian.kerr2
  1 sibling, 3 replies; 48+ messages in thread
From: Sahan Amarasekera @ 2001-01-18 16:05 UTC (permalink / raw)


On Thu, 18 Jan 2001 15:24:41 GMT, Ted Dennison <dennison@telepath.com>
wrote:

>In article <3A664EC4.6F679BE0@acm.org>,
>  Marin David Condic <mcondic.auntie.spam@acm.org> wrote:
>
>> I had a ten year study of error rates in embedded code for safety
>> critical systems. Moving to Ada reduced the error rates by a factor of
>> four. Same programmers. Same problem domain. Same sort of system
>> architecture. No way around it. Ada's compile time checking, strong
>
>That's interesting. Rational performed a similar study on their compiler
>codebase using data culled over 11 years of development, and found that
>their Ada code had 1/7th the defect rate of their C code and required
>only half as many fixes per SLOC. 

Did they get any data on how Ada compared to C++ ??

----
Sahan Amarasekera

to email me, remove animal in email address:
sahan_aDOG@amarasekera.freeserve.co.uk



>Even compensating for differences in
>experience, training, function, and language expressiveness, the big gap
>was still there. Perhaps that's why many of Rational's heavy-hitters
>(including Grady Booch of UML fame) are big Ada proponents.
>
>Of course this study was for a large end-user application (a compiler
>and associated tools), not for a safety-critical system.
>
>For those interested, the full report is available at
>http://www.rational.com/products/whitepapers/337.jsp .





* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 13:49         ` Ken Garlington
  2001-01-18 14:40           ` Peter Amey
@ 2001-01-18 17:30           ` r_c_chapman
  2001-01-18 20:45           ` Phil Staite
  2 siblings, 0 replies; 48+ messages in thread
From: r_c_chapman @ 2001-01-18 17:30 UTC (permalink / raw)



> Which brings me back to the original question: Does anyone know of a
> specific safety-critical application (military or non-military) that was
> implemented in C++ and subsequently put into operational use?

Simply put: no!

I'm thinking of all our internal projects, plus all of our clients
(which represent a fair cross section of the UK Defence, and the
European Railway industry) for the 5 years that I've been with
PxCS.  I can't think of a single example of a fielded life-critical
system in C++.

The relevant standards (Def Stan 00-55 for UK defence, and CENELEC
50128 for the rail industry) offer clear advice on this topic.
 - Rod Chapman
   Praxis Critical Systems



Sent via Deja.com
http://www.deja.com/




* Re: Safety-Critical Systems Developed Using C++
  2001-01-18  2:02   ` Marin David Condic
  2001-01-17 18:57     ` John Luebs
  2001-01-18 15:24     ` Ted Dennison
@ 2001-01-18 18:42     ` k_e_n_s_a_i
  2001-01-18 19:24       ` Britt Snodgrass
                         ` (2 more replies)
  2 siblings, 3 replies; 48+ messages in thread
From: k_e_n_s_a_i @ 2001-01-18 18:42 UTC (permalink / raw)


In article <3A664EC4.6F679BE0@acm.org>,
  Marin David Condic <mcondic.auntie.spam@acm.org> wrote:
> You'll get a lot of argument there from this crowd! :-)
>
> I had a ten year study of error rates in embedded code for safety critical
> systems. Moving to Ada reduced the error rates by a factor of four. Same
> programmers. Same problem domain. Same sort of system architecture. No way
> around it. Ada's compile time checking, strong typing, etc., reduced the
> error rates. And not by just a little.

hehe... excellent point.  I should have qualified my original statement
by saying that I was speaking abstractly.  I've never programmed in
Ada, but will certainly grant that some languages are more prone to
introduce or exacerbate programmer error than others.  C/C++ has always
been my example of an unforgiving and error-prone language; I just also
happen to like it.

Still, I would think it unlikely that military systems or other
critical applications would be programmed in C/C++, even if some
departments/projects seem to be switching to Windows as the foundation
for their systems (someone please explain that one to me... not to drag
this into the realm of advocacy).  Also, it takes a long time for things
to get approval for military use in the US, which immediately excludes
C++ from the list of possible candidates.


Sent via Deja.com
http://www.deja.com/




* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 16:05       ` Sahan Amarasekera
@ 2001-01-18 19:12         ` Ted Dennison
  2001-01-18 22:40         ` Marin David Condic
  2001-01-19 11:27         ` Dewi Daniels
  2 siblings, 0 replies; 48+ messages in thread
From: Ted Dennison @ 2001-01-18 19:12 UTC (permalink / raw)


In article <vu4e6tc8rqjvpu21q9t4aancrnuk0fn6se@4ax.com>,
  sahan_aDOG@amarasekera.freeserve.co.uk wrote:
> On Thu, 18 Jan 2001 15:24:41 GMT, Ted Dennison <dennison@telepath.com>
> wrote:
> >That's interesting. Rational performed a similar study on their
> >compiler codebase using data culled over 11 years of development, and
> >found that their Ada code had 1/7th the defect rate of their C code
> >and required only half as many fixes per SLOC.
>
> Did they get any data on how Ada compared to C++ ??

No. Their data was collected over an 11-year period ending at about
1994, during which no C++ code existed in their codebase (and precious
little outside of it).

They do address C++ in the last section:

  "Some may look at this study and conclude that C++ will tame C's problems.
  Our early experience does not support that conclusion. Bug rates in C++ are
  running even higher than C,..."

However, there is no hard data presented, so I'd take this section with
a grain of salt (if not a whole shaker).

--
T.E.D.

http://www.telepath.com/~dennison/Ted/TED.html


Sent via Deja.com
http://www.deja.com/




* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 18:42     ` k_e_n_s_a_i
@ 2001-01-18 19:24       ` Britt Snodgrass
  2001-01-18 22:57         ` Marin David Condic
  2001-01-18 22:52       ` Marin David Condic
  2001-01-19 12:10       ` Ken Garlington
  2 siblings, 1 reply; 48+ messages in thread
From: Britt Snodgrass @ 2001-01-18 19:24 UTC (permalink / raw)


k_e_n_s_a_i@my-deja.com wrote:
> 
> 
> Still, I would think it unlikely that military systems or other
> critical applications would be programmed in C/C++, even if some

I know of several safety critical systems programmed in C (not C++)
where the software has been developed and verified in accordance with
RTCA DO-178B Level A (most stringent) standards.  These include
instrument landing system (ILS) units used to help land large commercial
aircraft.  Safe software can be written in C; it just takes more time
and money than doing it in Ada.

One technical reason for using C is that the ILS units use unique
processors such as 16-bit fixed-point DSP CPUs for which there is no Ada
compiler available.

Britt Snodgrass




* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 13:49         ` Ken Garlington
  2001-01-18 14:40           ` Peter Amey
  2001-01-18 17:30           ` r_c_chapman
@ 2001-01-18 20:45           ` Phil Staite
  2001-01-19 10:40             ` Tarjei T. Jensen
  2 siblings, 1 reply; 48+ messages in thread
From: Phil Staite @ 2001-01-18 20:45 UTC (permalink / raw)


"Ken Garlington" <Ken.Garlington@computer.org> wrote in message
news:awC96.8457$J%.852855@news.flash.net...

> Which brings me back to the original question: Does anyone know of a
> specific safety-critical application (military or non-military) that was
> implemented in C++ and subsequently put into operational use?

I've worked on some DoD projects where support gear for specific weapons
systems was coded in C++.  If the support gear doesn't work right, then it
could certify a system as available when it wasn't, with obviously bad
consequences.  Of course, when the systems work right, they generally have
bad consequences for someone else...

I'm also working on a real-time medical system (EKG/heart monitoring) that
is 100% C++ based.  Can't go into any details due to NDA.

Finally, any system running on an IBM AS/400 since the early 90s is running
on an OS where the low-level code is C++.  I imagine there are a fair number
of hospitals using AS/400s.  Also, I believe a number of places use AS/400s
to control telephone switching gear. (I know of one entire country that uses
them)  Lots of life or death information passes over phones.








* Re: Safety-Critical Systems Developed Using C++
  2001-01-17 18:57     ` John Luebs
  2001-01-18  8:42       ` Lao Xiao Hai
  2001-01-18 14:54       ` Marin David Condic
@ 2001-01-18 21:47       ` Mike Silva
  2 siblings, 0 replies; 48+ messages in thread
From: Mike Silva @ 2001-01-18 21:47 UTC (permalink / raw)


In article <6Hu96.4848$rw.42689@e420r-atl2.usenetserver.com>,
  "John Luebs" <jkluebs@luebsphoto.com> wrote:

> Ada reduces error rates!

Yes, it does!  The literature documents it!  We've seen it in our own
code!  Do you have evidence to the contrary?!

> So that's why the DoD abandoned it as fast as
> possible!

And your source for this assertion is?!

Mike!




Sent via Deja.com
http://www.deja.com/




* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 16:05       ` Sahan Amarasekera
  2001-01-18 19:12         ` Ted Dennison
@ 2001-01-18 22:40         ` Marin David Condic
  2001-01-19 11:27         ` Dewi Daniels
  2 siblings, 0 replies; 48+ messages in thread
From: Marin David Condic @ 2001-01-18 22:40 UTC (permalink / raw)


In my 10 years of data, we didn't have any specific C++ examples. However,
the kinds of errors that typically happen in C due to weak typing, parameter
passing mechanisms, pointers, array indexes, etc. are also common to C++. In
other words, adding Classes to C doesn't stop C from failing to do compile or
runtime checks for correctness. It is the catching of incorrect code at
compile time that really helps reduce the error rates and save you some
bucks.

As for the productivity numbers? There I wouldn't make such a strong case
just from my data. One could postulate that the additional features of C++
would enhance productivity over C, so it wouldn't be fair to say from my data
alone that Ada would be more productive than C++. (Perhaps someone else has
such a study?)

MDC

Sahan Amarasekera wrote:

> Did they get any data on how Ada compared to C++ ??
>
> ----
> Sahan Amarasekera
>

--
======================================================================
Marin David Condic - Quadrus Corporation - http://www.quadruscorp.com/
Send Replies To: m c o n d i c @ q u a d r u s c o r p . c o m
Visit my web site at:  http://www.mcondic.com/

    "I'd trade it all for just a little more"
        --  Charles Montgomery Burns, [4F10]
======================================================================






* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 18:42     ` k_e_n_s_a_i
  2001-01-18 19:24       ` Britt Snodgrass
@ 2001-01-18 22:52       ` Marin David Condic
  2001-01-19 12:10       ` Ken Garlington
  2 siblings, 0 replies; 48+ messages in thread
From: Marin David Condic @ 2001-01-18 22:52 UTC (permalink / raw)


Not entirely true. The DoD doesn't get into approving languages for use -
they simply make the contractor justify their choice.

I hear tell that the THAAD program is going to be getting done in C++. I
think this is a mistake - for reasons of safety - but the program
management seems to think that if this is what the rest of the world does
then they should be doing it too. (And I can hear my mother in the
background saying "...so if Johnny decides to jump off a cliff, are you
going to do it too???" :-)

Windows as a foundation for a safety critical real-time app would be a bad
idea. You can't guarantee latency and priority with Windows. I've seen
Windows add-ons (see: http://www.vci.com/ for example) where someone wrote
a real-time OS that executes Windows as an application. Then you might be
O.K.

MDC

k_e_n_s_a_i@my-deja.com wrote:

> Still, I would think it unlikely that military systems or other
> critical applications would be programmed in C/C++, even if some
> departments/projects seem to be switching to Windows as the foundation
> for their systems (someone please explain that one to me... not to drag
> this into the real of advocacy).  Also, it takes a long time for things
> to get approval for military use in the US, which immediately excludes
> C++ from the list of possible candidates.
>
> Sent via Deja.com
> http://www.deja.com/

--
======================================================================
Marin David Condic - Quadrus Corporation - http://www.quadruscorp.com/
Send Replies To: m c o n d i c @ q u a d r u s c o r p . c o m
Visit my web site at:  http://www.mcondic.com/

    "I'd trade it all for just a little more"
        --  Charles Montgomery Burns, [4F10]
======================================================================






* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 19:24       ` Britt Snodgrass
@ 2001-01-18 22:57         ` Marin David Condic
  2001-01-18 23:10           ` Jeffrey Carter
  2001-01-20  4:30           ` Larry Kilgallen
  0 siblings, 2 replies; 48+ messages in thread
From: Marin David Condic @ 2001-01-18 22:57 UTC (permalink / raw)



That's one of the reasonable justifications for using C (or some other
language with less safety features than Ada) for an embedded, critical
system. There just don't exist Ada compilers targeted to every processor
that is out there. (Still, there seem to be plenty of processors that *are*
supported!)

And you're right - you can build safe systems in any language. It just means
more effort expended to verify correctness and/or fix the bugs. The big
advantage to Ada in this realm is that it catches a lot of potential bugs up
front in the process where they are quick and cheap to fix. Finding it in an
integration test or somewhere else down the pipeline, it gets real costly to
fix.

MDC


Britt Snodgrass wrote:

> One technical reason for using C is that the ILS units use unique
> processors such as 16-bit fixed-point DSP CPUs for which there is no Ada
> compiler available.

--
======================================================================
Marin David Condic - Quadrus Corporation - http://www.quadruscorp.com/
Send Replies To: m c o n d i c @ q u a d r u s c o r p . c o m
Visit my web site at:  http://www.mcondic.com/

    "I'd trade it all for just a little more"
        --  Charles Montgomery Burns, [4F10]
======================================================================






* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 22:57         ` Marin David Condic
@ 2001-01-18 23:10           ` Jeffrey Carter
  2001-01-19 22:22             ` Marin David Condic
  2001-01-20  4:30           ` Larry Kilgallen
  1 sibling, 1 reply; 48+ messages in thread
From: Jeffrey Carter @ 2001-01-18 23:10 UTC (permalink / raw)


Marin David Condic wrote:
> 
> Thats one of the reasonable justifications for using C (or some other
> language with less safety features than Ada) for an embedded, critical
> system. There just don't exist Ada compilers targeted to every processor
> that is out there. (Still, there seem to be plenty of processors that *are*
> supported!)

Given the existence of at least 1 Ada compiler that produces ANSI C as
its intermediate language, this is not really a justification for using
C. I'll let STT take over now with details.

-- 
Jeff Carter
"Now go away or I shall taunt you a second time."
Monty Python & the Holy Grail




* Re: Safety-Critical Systems Developed Using C++
  2001-01-17 15:22 ` Mario Grgic
                     ` (3 preceding siblings ...)
  2001-01-17 23:58   ` Ken Garlington
@ 2001-01-19  4:00   ` Flavius Vespasian
  2001-01-19  7:33     ` Gerhard Häring
  4 siblings, 1 reply; 48+ messages in thread
From: Flavius Vespasian @ 2001-01-19  4:00 UTC (permalink / raw)


In article <3a65b899$1@news.sentex.net>, "Mario Grgic" <mario@ineural.com> wrote:
>Well, most operating systems and web servers have been developed in C/C++
>and they are very mission and safety critical.

Tell that to Microsoft. They obviously don't think so. 

John - N8086N 
Big brother is watching. Disable cookies in your web browser.
-------------------------------------------
Wise man says "Never use a bank with the initials F. U."
-------------------------------------------
Are you interested in a professional society or
guild for programmers? Want to fight section 1706?


See www.programmersguild.org
Newsgroup: us.issues.occupations.computer-programmers


EMail Address:
_m-i-a-n-o_@_c_o_l_o_s_s_e_u_m_b_u_i_l_d_e_r_s._c_o_m_








* Re: Safety-Critical Systems Developed Using C++
  2001-01-19  4:00   ` Flavius Vespasian
@ 2001-01-19  7:33     ` Gerhard Häring
  2001-01-19 15:28       ` Philip Anderson
  0 siblings, 1 reply; 48+ messages in thread
From: Gerhard Häring @ 2001-01-19  7:33 UTC (permalink / raw)


Uh? Apache and the likes are not written in C? I don't recall a lot of
HTTP servers that are written in anything but C. There are few written
in Java. Some have most of their extension modules written in a
scripting language. But the core is C. Like it or not (I don't). It's
the same game with OS. Except IIRC VMS was written in something other
than C, and it's considered very secure and stable. What a coincidence.

Gerhard

Flavius Vespasian wrote:
> 
> In article <3a65b899$1@news.sentex.net>, "Mario Grgic" <mario@ineural.com> wrote:
> >Well, most operating systems and web servers have been developed in C/C++
> >and they are very mission and safety critical.
> 
> Tell that to Microsoft. They obviously don't think so.
-- 
Sorry for the fake email, please use the real one below to reply.
contact: g e r h a r d @ b i g f o o t . d e
web:     http://highqualdev.com




* Re: Safety-Critical Systems Developed Using C++
  2001-01-17  3:53 Safety-Critical Systems Developed Using C++ Ken Garlington
                   ` (2 preceding siblings ...)
  2001-01-18  0:47 ` k_e_n_s_a_i
@ 2001-01-19  8:22 ` Daryle Walker
  2001-01-19  9:19   ` Ian Wild
                     ` (2 more replies)
  3 siblings, 3 replies; 48+ messages in thread
From: Daryle Walker @ 2001-01-19  8:22 UTC (permalink / raw)


[Changed follow-ups to just c.l.a]

Ken Garlington <Ken.Garlington@computer.org> wrote:

> I'm trying to generate a list of safety-critical software-intensive systems
> that have been developed in C++ and subsequently put into production.
[SNIP examples and request for more information.]

<unhelpful>
And this question was also posted to comp.lang.ada because?...
</unhelpful>

-- 
Daryle Walker
Mac, Internet, and Video Game Junkie
dwalker07 AT snet DOT net




* Re: Safety-Critical Systems Developed Using C++
  2001-01-19  8:22 ` Daryle Walker
@ 2001-01-19  9:19   ` Ian Wild
  2001-01-19 12:13   ` Ken Garlington
  2001-01-19 12:14   ` David Kristola
  2 siblings, 0 replies; 48+ messages in thread
From: Ian Wild @ 2001-01-19  9:19 UTC (permalink / raw)


Daryle Walker wrote:
> 
> [Changed follow-ups to just c.l.a]
> 
> Ken Garlington <Ken.Garlington@computer.org> wrote:
> 
> > I'm trying to generate a list of safety-critical software-intensive systems
> > that have been developed in C++ and subsequently put into production.
> [SNIP examples and request for more information.]
> 
> <unhelpful>
> And this question was also posted to comp.lang.ada because?...
> </unhelpful>

<sarcasm/...because c.l.a. readers are the ones most likely
to be picking up the pieces?/




* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 20:45           ` Phil Staite
@ 2001-01-19 10:40             ` Tarjei T. Jensen
  2001-01-19 16:05               ` Phil Staite
  0 siblings, 1 reply; 48+ messages in thread
From: Tarjei T. Jensen @ 2001-01-19 10:40 UTC (permalink / raw)



Phil Staite wrote
>Finally, any system running on an IBM AS/400 since the early 90s is running
>on an OS where the low-level code is C++.  I imagine there are a fair number
>of hospitals using AS/400s.  Also, I believe a number of places use AS/400s
>to control telephone switching gear. (I know of one entire country that uses
>them)  Lots of life or death information passes over phones.

I've read elsewhere that the AS/400 OS is written in Modula-2. If they have
moved it to a microkernel at a later date, then it might well be written
in C++.


Greetings,







* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 16:05       ` Sahan Amarasekera
  2001-01-18 19:12         ` Ted Dennison
  2001-01-18 22:40         ` Marin David Condic
@ 2001-01-19 11:27         ` Dewi Daniels
  2 siblings, 0 replies; 48+ messages in thread
From: Dewi Daniels @ 2001-01-19 11:27 UTC (permalink / raw)


Les Hatton, who is a leading proponent of the use of C for safety-
related systems, has said concerning C++: "the safest approach is
simply to throw away everything and use a safer subset of C alone" and
"use of this language in any application involving high-integrity is
discouraged as recent measurements suggest that it does not
beneficially affect the defect density".

See, for example, http://www.oakcomp.co.uk/Lang.C++.html


Sent via Deja.com
http://www.deja.com/




* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 18:42     ` k_e_n_s_a_i
  2001-01-18 19:24       ` Britt Snodgrass
  2001-01-18 22:52       ` Marin David Condic
@ 2001-01-19 12:10       ` Ken Garlington
  2 siblings, 0 replies; 48+ messages in thread
From: Ken Garlington @ 2001-01-19 12:10 UTC (permalink / raw)


<k_e_n_s_a_i@my-deja.com> wrote in message
news:947ddu$jpd$1@nnrp1.deja.com...
: In article <3A664EC4.6F679BE0@acm.org>,
:   Marin David Condic <mcondic.auntie.spam@acm.org> wrote:
: > You'll get a lot of argument there from this crowd! :-)
: >
: > I had a ten year study of error rates in embedded code for safety
: critical
: > systems. Moving to Ada reduced the error rates by a factor of four.
: Same
: > programmers. Same problem domain. Same sort of system architecture.
: No way
: > around it. Ada's compile time checking, strong typing, etc., reduced
: the
: > error rates. And not by just a little.
:
: hehe... excellent point.  I should have qualified my original statement
: by saying that I was speaking abstractly.  I've never programmed in
: ADA,

Who has? :)

: but will certainly grant that some languages are more prone to
: introduce or exacerbate programmer error than others. C/C++ has always
: been my example of an unforgiving and error-prone language, I just also
: happen to like it.
:
: Still, I would think it unlikely that military systems or other
: critical applications would be programmed in C/C++, even if some
: departments/projects seem to be switching to Windows as the foundation
: for their systems (someone please explain that one to me... not to drag
: this into the real of advocacy).  Also, it takes a long time for things
: to get approval for military use in the US, which immediately excludes
: C++ from the list of possible candidates.

Actually, current military directives don't require centralized approval of
languages. Depending upon the contract, the contractor often has complete
freedom in the choice of languages.






* Re: Safety-Critical Systems Developed Using C++
  2001-01-19  8:22 ` Daryle Walker
  2001-01-19  9:19   ` Ian Wild
@ 2001-01-19 12:13   ` Ken Garlington
  2001-01-19 12:14   ` David Kristola
  2 siblings, 0 replies; 48+ messages in thread
From: Ken Garlington @ 2001-01-19 12:13 UTC (permalink / raw)



"Daryle Walker" <dwalker07@snet.net.invalid> wrote in message
news:1enea9s.158txaupbwrwoN%dwalker07@snet.net.invalid...
: [Changed follow-ups to just c.l.a]
:
: Ken Garlington <Ken.Garlington@computer.org> wrote:
:
: > I'm trying to generate a list of safety-critical software-intensive
systems
: > that have been developed in C++ and subsequently put into production.
: [SNIP examples and request for more information.]
:
: <unhelpful>
: And this question was also posted to comp.lang.ada because?...
: </unhelpful>

(Mr. Wild's response being not too far off the mark... ;)

Because some c.l.a. readers keep track of some things -- apparently, more so
than c.l.c++ readers (which I thought might be the case!)

:
: --
: Daryle Walker
: Mac, Internet, and Video Game Junkie
: dwalker07 AT snet DOT net






* Re: Safety-Critical Systems Developed Using C++
  2001-01-19  8:22 ` Daryle Walker
  2001-01-19  9:19   ` Ian Wild
  2001-01-19 12:13   ` Ken Garlington
@ 2001-01-19 12:14   ` David Kristola
  2 siblings, 0 replies; 48+ messages in thread
From: David Kristola @ 2001-01-19 12:14 UTC (permalink / raw)


On Fri, 19 Jan 2001 0:22:26 -0800, Daryle Walker wrote
(in message <1enea9s.158txaupbwrwoN%dwalker07@snet.net.invalid>):

> Ken Garlington <Ken.Garlington@computer.org> wrote:
> 
>> I'm trying to generate a list of safety-critical software-intensive systems
>> that have been developed in C++ and subsequently put into production.
> [SNIP examples and request for more information.]
> 
> <unhelpful>
> And this question was also posted to comp.lang.ada because?...
> </unhelpful>

Three reasons come immediately to mind:
   1) Ken is a regular participant on c.l.a.
   2) Safety-critical systems are of general interest on c.l.a (no 
matter what language they are coded in).
   3) Because Ken is looking for information that someone reading c.l.a 
might have.


-- 
--djk, keeper of arcane lore & trivial fluff
Home: David95036 plus 1 at america on-line
Spam: goto.hades@welovespam.com





* Re: Safety-Critical Systems Developed Using C++
  2001-01-19  7:33     ` Gerhard Häring
@ 2001-01-19 15:28       ` Philip Anderson
  0 siblings, 0 replies; 48+ messages in thread
From: Philip Anderson @ 2001-01-19 15:28 UTC (permalink / raw)


Gerhard Häring wrote:
> 
> Uh? Apache and the likes are not written in C? I don't recall a lot of
> HTTP servers that are written in anything but C. There are few written
> in Java. Some have most of their extension modules written in a
> scripting language. But the core is C. Like it or not (I don't). It's
> the same game with OS. Except IIRC VMS was written in something other
> than C, and it's considered very secure and stable. What a coincidence.

I don't think he was denying that "most operating systems and web
servers have been developed in C/C++", but that _most_ "are very mission
and safety critical"; in particular, would many people claim that
Microsoft s/w should be used in such an environment?

Of course there are C-based operating systems used in
mission/safety-critical systems, with the safety case supported by their
track record; but few if any HTTP servers are safety-critical (unless a
hospital has NO back-up system perhaps)

-- 
hwyl/cheers,
Philip Anderson
Alenia Marconi Systems
Cwmbrân, Cymru/Wales




* Re: Safety-Critical Systems Developed Using C++
  2001-01-19 10:40             ` Tarjei T. Jensen
@ 2001-01-19 16:05               ` Phil Staite
  0 siblings, 0 replies; 48+ messages in thread
From: Phil Staite @ 2001-01-19 16:05 UTC (permalink / raw)


I'm sure it is C++, since I was part of the teams that recoded the SLIC
kernel below the MI as they call it.  Our little sub-team alone had over
140K SLOC.  Above the MI, in the part of OS/400 called XPF it may very well
be a combination of Modula, C++, etc. (I never got that far "up" in the OS)

The AS/400 has always had a "machine interface" layer with an abstract
high-level instruction set. (way ahead of NT's HAL IMHO)  However, SLIC is
anything but a microkernel -- it's huge, robust, and full featured.  The
AS/400 came out in 1987, and the SLIC rewrite was well underway by 92 when I
joined it.







* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 23:10           ` Jeffrey Carter
@ 2001-01-19 22:22             ` Marin David Condic
  0 siblings, 0 replies; 48+ messages in thread
From: Marin David Condic @ 2001-01-19 22:22 UTC (permalink / raw)


Well, this is not always an attractive solution if the processor you are
targeting has a nice, slick, well integrated development kit that uses C. The
argument quickly becomes "Then why not just do it in C instead of adding an extra
step?" One can argue for the safety features, etc, of doing it in Ada, then
running the C into the development kit, but it's a really hard sell to make.

MDC

Jeffrey Carter wrote:

> Given the existence of at least 1 Ada compiler that produces ANSI C as
> its intermediate language, this is not really a justification for using
> C. I'll let STT take over now with details.

--
======================================================================
Marin David Condic - Quadrus Corporation - http://www.quadruscorp.com/
Send Replies To: m c o n d i c @ q u a d r u s c o r p . c o m
Visit my web site at:  http://www.mcondic.com/

    "I'd trade it all for just a little more"
        --  Charles Montgomery Burns, [4F10]
======================================================================






* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 15:24     ` Ted Dennison
  2001-01-18 16:05       ` Sahan Amarasekera
@ 2001-01-20  0:46       ` ian.kerr2
  2001-01-20  3:54         ` tmoran
  1 sibling, 1 reply; 48+ messages in thread
From: ian.kerr2 @ 2001-01-20  0:46 UTC (permalink / raw)



Ted Dennison <dennison@telepath.com> wrote in message
news:9471rc$8cj$1@nnrp1.deja.com...
> In article <3A664EC4.6F679BE0@acm.org>,
>   Marin David Condic <mcondic.auntie.spam@acm.org> wrote:
>
>
> That's interesting. Rational performed a similar study on their compiler
> codebase using data culled over 11 years of development, and found that
> their Ada code had 1/7th the defect rate of their C code and requied
> only half as many fixes per SLOC. Even compensating for differences in
> experience, training, function, and language expressivenes, the big gap
> was still there. Perhaps that's why many of Rational's heavy-hitters
> (including Grady Booch of UML fame) are big Ada proponents.

> For those interested, the full report is available at
> http://www.rational.com/products/whitepapers/337.jsp .
>
Unfortunately

The file you requested could not be found.
 We have recently redesigned our site, and during the process, some paths
 were changed.
 The information you seek probably still exists. Try visiting one of these
 pages to locate the information you need.

 Ian

> --
> T.E.D.
>
> http://www.telepath.com/~dennison/Ted/TED.html
>
>
> Sent via Deja.com
> http://www.deja.com/






* Re: Safety-Critical Systems Developed Using C++
  2001-01-20  0:46       ` ian.kerr2
@ 2001-01-20  3:54         ` tmoran
  2001-01-20 19:22           ` Ken Garlington
  0 siblings, 1 reply; 48+ messages in thread
From: tmoran @ 2001-01-20  3:54 UTC (permalink / raw)


> > http://www.rational.com/products/whitepapers/337.jsp .
> >
> Unfortunately
>
> The file you requested could not be found.
>  We have recently redesigned our site, and during the process, some paths
That's odd.  I just went there and got that paper with no problem.




* Re: Safety-Critical Systems Developed Using C++
  2001-01-18 22:57         ` Marin David Condic
  2001-01-18 23:10           ` Jeffrey Carter
@ 2001-01-20  4:30           ` Larry Kilgallen
  2001-01-22 15:20             ` Marin David Condic
  1 sibling, 1 reply; 48+ messages in thread
From: Larry Kilgallen @ 2001-01-20  4:30 UTC (permalink / raw)


In article <3A6774DA.E999CEF7@acm.org>, Marin David Condic <mcondic.auntie.spam@acm.org> writes:
> 
> Thats one of the reasonable justifications for using C (or some other
> language with less safety features than Ada) for an embedded, critical
> system. There just don't exist Ada compilers targeted to every processor
> that is out there. (Still, there seem to be plenty of processors that *are*
> supported!)
> 
> And you're right - you can build safe systems in any language.

As a customer (victim?) rather than provider of air travel,
I am less interested in the theoretical possibility of
getting it right and much more concerned about what the
probability is they got it right on some particular plane.




* Re: Safety-Critical Systems Developed Using C++
  2001-01-20  3:54         ` tmoran
@ 2001-01-20 19:22           ` Ken Garlington
  0 siblings, 0 replies; 48+ messages in thread
From: Ken Garlington @ 2001-01-20 19:22 UTC (permalink / raw)



<tmoran@acm.org> wrote in message
news:JZ7a6.1019$Ah2.57360@news1.frmt1.sfba.home.com...
: > > http://www.rational.com/products/whitepapers/337.jsp .
: > >
: > Unfortunately
: >
: > The file you requested could not be found.
: >  We have recently redesigned our site, and during the process, some
paths

: That's odd.  I just went there and got that paper with no problem.

I was able to access it fine from the link as well. However, the same study
is at:

http://www.adauk.org.uk/pubs/zeigler.htm

There is also a summary of this study in the NAS report, see either of the
following:

http://books.nap.edu/books/0309055970/html/92.html#pagetop

http://sw-eng.falls-church.va.us/nrc/nrc6.html#92






* Re: Safety-Critical Systems Developed Using C++
  2001-01-18  0:47 ` k_e_n_s_a_i
  2001-01-18  2:02   ` Marin David Condic
@ 2001-01-21 23:17   ` dvdeug
  1 sibling, 0 replies; 48+ messages in thread
From: dvdeug @ 2001-01-21 23:17 UTC (permalink / raw)


In article <945eeq$vmk$1@nnrp1.deja.com>,
  k_e_n_s_a_i@my-deja.com wrote:
> I suppose it's irrelevant, but the integrity of a program depends on
> the skill of the programmers rather than the language it is coded in.
> Any syntactically correct language should be equally stable, excluding
> compiler flaws, etc.
>
> Sent via Deja.com
> http://www.deja.com/

[Sorry if you get this twice; my main news server seems to be broken]

Take, for example, the first place entry to the 1999 International
Conference on Functional Programming (ICFP) Programming Contest by the
INRIA OCaml team.  http://caml.inria.fr/icfp99-contest/ has a report on
their entry, pointing out that any exception raised by an optimizer
would be caught by the main program, and cause it to ignore that
optimization round. The same thing could be done in Ada, and would catch
many of the same errors, like array overflows. OTOH, that same program
written in C, on an array overflow, might crash or overwrite unrelated
data. So this program was protected from bugs that might have caused its
C competitors to fail, through a technique enabled solely by choice of
language.

--
David Starner - dstarner98@aasaa.ofe.org


Sent via Deja.com
http://www.deja.com/
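An added example of the point David makes above (and of Marin's earlier remark that C does no compile-time or run-time checks on array indexes): this is not code from the thread or from the OCaml contest entry, and every name in it (Buffer, Pass, run_passes, the two pass functions) is invented for the illustration. A pipeline of "optimization passes" runs over a fixed-size buffer; one pass has an off-by-one loop bound. Because the buffer is a std::array accessed through at(), the bad index raises std::out_of_range, the driver catches it and drops that pass, and the previous buffer state is kept. The same loop over a raw C array, or through operator[], would get no exception at all: the store past the end is undefined behaviour and lands on whatever follows the array in memory.

```cpp
// Added example, not from the thread. All names are invented.
#include <array>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <vector>

using Buffer = std::array<int, 4>;
using Pass = Buffer (*)(const Buffer&);

struct PassReport {
    int applied = 0;   // passes whose complete result was accepted
    int rejected = 0;  // passes that raised out_of_range and were dropped
    Buffer data{};     // buffer after the accepted passes
};

// A correct pass: doubles every element.
Buffer double_pass(const Buffer& in) {
    Buffer out = in;
    for (int& v : out) v *= 2;
    return out;
}

// A buggy pass: the loop bound is <= size() instead of < size(), so the last
// iteration indexes one past the end. at() turns that into an exception.
// With operator[] or a raw C array the same loop is undefined behaviour:
// no signal, and the write lands on whatever follows the array.
Buffer increment_pass_off_by_one(const Buffer& in) {
    Buffer out = in;
    for (std::size_t i = 0; i <= out.size(); ++i) {
        out.at(i) = in.at(i) + 1;  // throws std::out_of_range when i == 4
    }
    return out;
}

// Driver: each pass works on a copy, and only a complete result replaces
// the current buffer, so a pass that throws part-way leaves no partial
// writes behind. This is the "ignore that optimization round" policy
// described in the post.
PassReport run_passes(const Buffer& start, const std::vector<Pass>& passes) {
    PassReport report;
    report.data = start;
    for (Pass pass : passes) {
        try {
            Buffer next = pass(report.data);
            report.data = next;
            ++report.applied;
        } catch (const std::out_of_range& e) {
            ++report.rejected;
            std::cerr << "pass rejected: " << e.what() << '\n';
        }
    }
    return report;
}

// Runs the sample pipeline on the constructed input {1, 2, 3, 4}:
// double -> (buggy pass rejected) -> double, giving {4, 8, 12, 16}.
PassReport demo() {
    return run_passes(Buffer{1, 2, 3, 4},
                      {double_pass, increment_pass_off_by_one, double_pass});
}

int main() {
    PassReport r = demo();
    std::cout << "applied=" << r.applied << " rejected=" << r.rejected << " data=";
    for (int v : r.data) std::cout << v << ' ';
    std::cout << '\n';
    return 0;
}
```

The policy only works because the failing pass gets no chance to touch shared state before the check fires; the driver's copy-then-replace discipline is what makes "ignore this round" safe rather than merely optimistic.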




* Re: Safety-Critical Systems Developed Using C++
  2001-01-20  4:30           ` Larry Kilgallen
@ 2001-01-22 15:20             ` Marin David Condic
  2001-01-22 16:46               ` Robert Dewar
  0 siblings, 1 reply; 48+ messages in thread
From: Marin David Condic @ 2001-01-22 15:20 UTC (permalink / raw)



I'll be the *last* one to claim that Ada doesn't enhance reliability and reduce risk. I hope that's
clear. My statement that it is possible to write reliable software in C relates more to the fact
that there are more ways of ensuring correctness than just compiler/language features. For example,
extensive code-reads, thorough unit testing, integration testing, language preprocessors (lint?),
automated test tools, various forms of analysis, etc. all figure in to building a reliable piece of
software. If I don't have language support, I can rely more heavily on some of the other available
tools. Albeit, at considerably more expense. And therein lies the rub. If it costs lots more to
ensure reliability in C then there is less likelihood it will get done.

I'm still a proponent of the notion that in safety critical systems, Ada should be used where
possible. It's just that you don't always have this capability. And let's remember that there were
safety critical systems that were written in assembly language and they worked fine too. So it *can*
be done. Just not as easily.

MDC

Larry Kilgallen wrote:

> As a customer (victim?) rather than provider of air travel,
> I am less interested in the theoretical possibility of
> getting it right and much more concerned about what the
> probability is they got it right on some particular plane.

--
======================================================================
Marin David Condic - Quadrus Corporation - http://www.quadruscorp.com/
Send Replies To: m c o n d i c @ q u a d r u s c o r p . c o m
Visit my web site at:  http://www.mcondic.com/

    "I'd trade it all for just a little more"
        --  Charles Montgomery Burns, [4F10]
======================================================================






* Re: Safety-Critical Systems Developed Using C++
  2001-01-22 15:20             ` Marin David Condic
@ 2001-01-22 16:46               ` Robert Dewar
  0 siblings, 0 replies; 48+ messages in thread
From: Robert Dewar @ 2001-01-22 16:46 UTC (permalink / raw)


In article <3A6C4FC5.28DD7268@acm.org>,
  Marin David Condic <mcondic.auntie.spam@acm.org> wrote:
>
> I'll be the *last* one to claim that Ada doesn't enhance
reliability and reduce risk. I hope that's
> clear. My statement that it is possible to write reliable
software in C


Note that the subject line talks about C++ so I am not quite
sure what the relevance of the above statement is here.

Of course it is possible to write reliable software in any
language, plenty of safety critical software has been written
in assembly language!

But discussing the suitability of C is really not relevant to
the subject line or original question.

I have trimmed C++ off the newsgroups, it seems inappropriate
to subject the C++ folks to Ada advocacy, and is not likely
to be helpful. I wonder if people even realize this was
cross-posted?


Sent via Deja.com
http://www.deja.com/




Thread overview: 48+ messages
2001-01-17  3:53 Safety-Critical Systems Developed Using C++ Ken Garlington
2001-01-17  5:20 ` Richard Andrews
2001-01-17 17:02   ` Wes Groleau
2001-01-17 15:22 ` Mario Grgic
2001-01-17 16:20   ` Ian Wild
2001-01-17 16:44   ` Steve Nester
2001-01-17 17:04     ` Greg Comeau
2001-01-17 17:28   ` Marin David Condic
2001-01-17 23:58   ` Ken Garlington
2001-01-19  4:00   ` Flavius Vespasian
2001-01-19  7:33     ` Gerhard Häring
2001-01-19 15:28       ` Philip Anderson
2001-01-18  0:47 ` k_e_n_s_a_i
2001-01-18  2:02   ` Marin David Condic
2001-01-17 18:57     ` John Luebs
2001-01-18  8:42       ` Lao Xiao Hai
2001-01-18 13:49         ` Ken Garlington
2001-01-18 14:40           ` Peter Amey
2001-01-18 17:30           ` r_c_chapman
2001-01-18 20:45           ` Phil Staite
2001-01-19 10:40             ` Tarjei T. Jensen
2001-01-19 16:05               ` Phil Staite
2001-01-18 15:03         ` Marin David Condic
2001-01-18 14:54       ` Marin David Condic
2001-01-18 21:47       ` Mike Silva
2001-01-18 15:24     ` Ted Dennison
2001-01-18 16:05       ` Sahan Amarasekera
2001-01-18 19:12         ` Ted Dennison
2001-01-18 22:40         ` Marin David Condic
2001-01-19 11:27         ` Dewi Daniels
2001-01-20  0:46       ` ian.kerr2
2001-01-20  3:54         ` tmoran
2001-01-20 19:22           ` Ken Garlington
2001-01-18 18:42     ` k_e_n_s_a_i
2001-01-18 19:24       ` Britt Snodgrass
2001-01-18 22:57         ` Marin David Condic
2001-01-18 23:10           ` Jeffrey Carter
2001-01-19 22:22             ` Marin David Condic
2001-01-20  4:30           ` Larry Kilgallen
2001-01-22 15:20             ` Marin David Condic
2001-01-22 16:46               ` Robert Dewar
2001-01-18 22:52       ` Marin David Condic
2001-01-19 12:10       ` Ken Garlington
2001-01-21 23:17   ` dvdeug
2001-01-19  8:22 ` Daryle Walker
2001-01-19  9:19   ` Ian Wild
2001-01-19 12:13   ` Ken Garlington
2001-01-19 12:14   ` David Kristola

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
