Re: Not intended for use in medical devices

[kaz@vision.crest.nt.com (Kaz Kylheku)]

In article <dewar.862916681@merv>, Robert Dewar <dewar@merv.cs.nyu.edu> wrote:
>Kaz says
>
><<<<I agree with R. Dewar: your concerns are misplaced, and don't make a good case
>for avoiding inspections of the object code. In a safety critical system, an
>incorrect translation of a correct program could lead to death, injury or
>property damage. There is no other way to catch this sort of error except to
>compile the code and then inspect the results of the translation.>>
>
>  I certainly agree with this. In fact I never heard of a people using a
>  process for generating safety-critical code that did not require this
>  kind of review, and certainly the formal standards require this.
>
><<In some ways, this could make somewhat of a case for using assembly language in
>the first place, since in the process of reviewing object code, you have to
>acquire an understanding of the program at the machine language level anyway.
>I can at least appreciate where this extreme viewpoint is coming from.>>
>
>  I strongly disagree with this, and find it surprising that anyone would
>  suggest this. The review of the object code is just one of many aspects
>  of the total methodology required for safety critical code. Another
>  important aspect is more emphasis on the use of formal methods in
>  developing and analyzing the code at a high level, and these are
>  very much language dependent, and make assembly language quite useless.

I see that now. I've been thinking about this problem a lot to try to see the
object code review in its proper perspective. The scope should be verifying the
translation against the higher level specification (the Ada source program) and
only against that specification. One would not, e.g., criticize the programmer
intent in an object code review.

The higher level specification is separately tested for correctness at a
different level of abstraction, of course.  If you develop in assembly
language, then you only have one level of specification, and the object code
review has a *much* more difficult scope.

Also here is another little thought that I had: in a safety critical system, 
one way to deal with the safety issues is to identify the hazards and then
work backwards to identify scenarios in the software that could lead to the
hazards. Clearly, not every module of the code will necessarily lead to a
hazard if it contains a defect. So the object code review doesn't have to give
equal weight to weight to every instruction sequence, but should perhaps
pay extra attention to the critical code that can create a hazard.