From: dewar@merv.cs.nyu.edu (Robert Dewar)
Subject: Re: C++ Should not be used for Medical Devices
Date: 1997/01/26
References: <3.0.32.19970125203845.006e91c0@mail.4dcomm.com>
Organization: New York University
Newsgroups: comp.lang.ada

Robert Lief said:

"When it comes to safety critical software, I would certainly agree with the use of Ada. However, I would avoid a number of features including tasking and dynamic allocation. In the cases where a life is at risk whether it is a medical device, aircraft, or a rail system, stick to deterministic constructs. Once the program has completed elaboration, it should not perform dynamic operations. Also, make sure the run-time is developed, documented, and TESTED to the same degree as the application. If you don't, you have left a very large hole in the system."

Robert replies:

Tasking in Ada 95 is deterministic if your compiler implements Annex D faithfully (be careful to check validation results here, even some compilers that purport to support Annex D in fact fail some critical tests -- read the VSR's carefully!) This means that there is no a priori reason for avoiding tasking in safety critical software. Of course there may be reasons for avoiding the additional complexity in the runtime, but this is a reason for avoiding many things. In fact we are working now on a variant of GNAT we call GNORT (or GNAT with NO RunTime at all), precisely because the avoidance of runtime code has advantages.

Similarly dynamic allocation is not necessarily non-deterministic. If you use the storage pool facility in Ada 95 to control your own use of dynamic allocation, it may be perfectly safe and provably reliable, and again, there is no a priori reason to avoid the notion of pointers in safety critical programs.
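As an added illustration of the storage-pool point made above (this is example code written for this page, not from Dewar's post or from GNAT): an Ada 95 pool whose arena is reserved when the pool object elaborates, so every later allocator call is a constant-time bump of an index and exhaustion raises Storage_Error instead of reaching the general heap. It assumes GNAT, a 4-byte Interfaces.Integer_32, and the hypothetical names Arena_Pools, Arena_Pool and Demo.

```ada
with System, System.Storage_Pools, System.Storage_Elements;
package Arena_Pools is
   use System.Storage_Elements;
   -- Arena is a component: reserved at elaboration, never taken from the heap later.
   type Arena_Pool (Size : Storage_Count) is
     new System.Storage_Pools.Root_Storage_Pool with record
      Arena : Storage_Array (1 .. Size);
      Next  : Storage_Count := 1;   -- bump index: constant-time allocation
   end record;
   procedure Allocate (Pool : in out Arena_Pool; Addr : out System.Address;
                       Size, Align : Storage_Count);
   procedure Deallocate (Pool : in out Arena_Pool; Addr : System.Address;
                         Size, Align : Storage_Count);   -- intentionally a no-op
   function Storage_Size (Pool : Arena_Pool) return Storage_Count;
end Arena_Pools;
package body Arena_Pools is
   procedure Allocate (Pool : in out Arena_Pool; Addr : out System.Address;
                       Size, Align : Storage_Count) is
      Base  : constant System.Address :=
        Pool.Arena'Address + Storage_Offset (Pool.Next - 1);
      Slack : constant Storage_Count := Storage_Count   -- bytes needed to reach Align
        ((Integer_Address (Align) - To_Integer (Base) mod Integer_Address (Align))
         mod Integer_Address (Align));
   begin
      if Pool.Next + Slack + Size - 1 > Pool.Size then
         raise Storage_Error;   -- arena exhausted: fail loudly, never fall back to heap
      end if;
      Addr      := Base + Storage_Offset (Slack);
      Pool.Next := Pool.Next + Slack + Size;
   end Allocate;
   procedure Deallocate (Pool : in out Arena_Pool; Addr : System.Address;
                         Size, Align : Storage_Count) is begin null; end;
   function Storage_Size (Pool : Arena_Pool) return Storage_Count is begin return Pool.Size; end;
end Arena_Pools;
with Ada.Text_IO, Interfaces, Arena_Pools;
procedure Demo is
   Pool  : Arena_Pools.Arena_Pool (Size => 71);   -- fixed when Demo elaborates (constructed size)
   type Pair is record X, Y : Interfaces.Integer_32; end record;   -- 8 bytes, aligned on 4
   type Pair_Ref is access Pair; for Pair_Ref'Storage_Pool use Pool;   -- every "new Pair" uses the arena
   R : Pair_Ref; Count : Natural := 0;
begin
   loop                                   -- allocate until the arena is full
      R := new Pair'(0, 0);
      Count := Count + 1;
   end loop;
exception
   when Storage_Error =>   -- 8 pairs fit (64 bytes plus at most 3 bytes of alignment slack)
      Ada.Text_IO.Put_Line ("arena exhausted after" & Natural'Image (Count) & " allocations");
end Demo;
```

Save as one file, split it into its three compilation units with `gnatchop`, then build with `gnatmake demo`.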