"Safety Critical Software and Development Productivity" by Oddur Benediktsson is over a decade old, but in my opinion, this paper has some stunning results.
We all know that building safety-critical software is hugely expensive. When the code must be utterly reliable the effort expended in getting it right skyrockets. That's why avionics and similar products are so expensive.
Except that conventional wisdom may not be entirely true.
In the paper Benediktsson looks at IEC 61508, which is a widely-used functional safety standard. It is commonly used (or is sometimes is the father of similar standards) in the automotive, nuclear, rail and other industries. It defines four "safety integrity levels" (SILs) with consequences as follows:
SIL1: Minor injuries at worst
SIL2: Major injuries to one or more persons
SIL3: Loss of a single life
SIL4: Multiple loss of life
The standard lists practices that are recommended, or highly recommended, for each SIL. The use of coding standards, for instance, is highly recommended for every SIL. Formal methods are recommended for SIL2 and 3, and highly recommended for SIL4.
The author relates the effort needed—derived using the Constructive Cost Model (COCOMO) method—to the difficulty of verifying correctness at various safety levels. Unsurprisingly that goes up by rather a lot as one goes from the lower SILs to higher ones. SIL3 is about 1.7 times more effort than a nominal, non-safety-critical product.
He goes on to relate productivity to process maturity, using the Capability Maturity Model as an example model. At CMM4 he finds schedules are almost half those for nominal (NOM) products.
Tying it all together results in this table below:
In other words, as one progresses to higher levels of process maturity (the CI values—NOM is CMM1, CI3 is CMM4) the effort to build SIL3 systems is no greater than that needed for non-safety-critical systems.
That's a pretty stunning result.
Or, a dysfunctional company can go to high levels of process maturity and get the same crap for half the price.
- 上一篇: On leaks and drains
- 下一篇: mbed: An unusual IDE
文章评论(1条评论)
登录后参与讨论-
用户3671694 2016-04-18 17:49
- What would you change about C?
- If you’re an old-timer you’ve most likely written code in a large number of languages that have ma...
-
- A look at a new embedded heap manager
- Many of us don’t give much thought about the math our compilers do. Toss off a call to a sine func...
-
- Why names are critical
- The Linux printk function has various logging levels, which include KERN_EMERG, KERN_ERR and other...
-
- What do you think of ultra-low power watchdogs?
- I have written extensively about designing ultra-low power systems that operate from coin cells. U...
-
- Comment headers: The best and the worst
- I read a great deal of code. The vast majority is in C with some C++ and a bit of assembly sprinkl...
-
- What's your take on knobs?
- In a recent Embedded Muse Richard Wall reviews the latest version of Digilent’s Analog Discovery U...
-
提升毫米波信号测试精度 直播时间: 12月18日 14:00 -
EE Talk主题专访系列直播-对话:释放 Wi-Fi 7 在高带宽应用中的技术潜力 直播时间: 12月19日 10:00
/2 
-
返回顶部
-
用户3840987 2012-11-10 12:16
Wouldn't being at a higher level of process maturity imply less disfunctionality? Therefore at CMM4 you can attain a higher SIL level for the same equivalent effort.