[SystemSafety] A small taste of what we're up against

Phil Koopman phil.koopman at hushmail.com
Thu Oct 25 14:21:09 CEST 2018


A while back there was a discussion that amounted to asking where the 
hard proof was that cars actually ship with deadly software defects.

I recently posted the results of a limited search of US automotive 
recalls that are linked to software defects.  (The caveats are in the 
notes after the list.)  In general, recalls only happen when there have 
been incidents or loss events in sufficient numbers or of sufficient 
severity to get regulator attention.  Determining the role of the 
particular language used vs. all the other factors is of course not 
easy, especially when seen through the lens of the automotive recall 
reports.  But clearly there is room for improvement overall.

https://betterembsw.blogspot.com/2018/09/potentially-deadly-automotive-software.html

The list is long. It would be longer but I just haven't had the time to 
go through much of the database.

In my experience software of older vehicles is usually in C. More 
recently a lot of it is in Simulink or similar model based design (I'll 
let others comment upon that topic if they like).

-- Phil Koopman



On 10/25/2018 5:30 AM, Michael J. Pont wrote:
> A slightly different perspective.
>
> I get involved with several automotive projects every year (as well as
> safety-related / safety-critical projects in other sectors).  In the
> automotive sector, I help organisations to design both individual 'boxes'
> and complete vehicle control systems.
>
> The software for these projects is invariably written in C or (less
> commonly) C++.
>
> Various recent comments on this list suggest that the project managers (or
> the bosses, or the consultants) in the organisations responsible for these
> projects are - at best - irresponsible, because they have not insisted that
> the project software is implemented using Ada (or preferably SPARK).
>
> Can anyone give me a real-world example of an injury or death that can be
> directly linked to the use of C or C++ in an automotive system?
>
> I don't believe that such an example exists.
>
> Without clear evidence of a problem, I think we could be accused of
> scaremongering.
>
> In my view, many of the concerns about use of C are largely historic.
> Modern IDEs (and use of standards / guidelines / subsets such as MISRA C)
> address any serious deficiencies in the language spec for the majority of
> users, in the majority of real-world systems that I see.
>
> After we have sorted out issues with recording of requirements and use of
> appropriate software architecture (which are, in my view, much more
> important), then a change in programming language might be worth considering
> again - but I doubt it.
>
> Simply my take.  I know that other people on this list see the world
> differently.
>
> Michael.
>
> Michael J. Pont, PhD
> SafeTTy Systems Ltd
> www.SafeTTy.net
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>