Re: C++ Should not be used for Medical Devices

[dewar@merv.cs.nyu.edu (Robert Dewar)]

Robert Lief said

"When it comes to safety critical software, I would certainly agree with the
use
of Ada. However, I would avoid a number of features including tasking and
dynamic
allocation. In the cases where a life is at risk whether it is a medical
device, aircraft, or a rail system, stick to deterministic constructs.
Once the program has completed elaboration, it should not perform dynamic
operations.  Also, make sure the run-time is developed, documented, and
TESTED to the same degree as the application.  If you don't, you have left
a very large hole in the system."


Robert replies:

Tasking in Ada 95 is deterministic if your compiler implements Annex
D faithfully (be careful to check validation results here, even some
compilers that purport to support Annex D in fact fail some critical
tests -- read the VSR's carefully!)

This means that there is no a priori reason for avoiding tasking in
safety critical software. Of course there may be reasons for avoiding
the additional complexity in the runtime, but this is a reason for
avoiding many things. In fact we are working now on a variant of GNAT
we call GNORT (or GNAT with NO RunTime at all), precisely because the
avoidance of runtime code has advantages.

Similarly dynamic allocation is not necessarily non-deterministic. If
you use the storage pool facility in Ada 95 to control your own use
of dynamic allocation, it may be perfectly safe and provably reliable,
and again, there is no a priori reason to avoid the notion of pointers
in safety critical programs.