[Original] What is the cost of quality?

2012-11-6 19:23 Category: Consumer Electronics

"Safety Critical Software and Development Productivity" by Oddur Benediktsson is over a decade old, but in my opinion, this paper has some stunning results.


We all know that building safety-critical software is hugely expensive. When the code must be utterly reliable the effort expended in getting it right skyrockets. That's why avionics and similar products are so expensive.


Except that conventional wisdom may not be entirely true.


In the paper Benediktsson looks at IEC 61508, which is a widely-used functional safety standard. It is commonly used (or is sometimes the parent of similar standards) in the automotive, nuclear, rail and other industries. It defines four "safety integrity levels" (SILs) with consequences as follows:


SIL1: Minor injuries at worst
SIL2: Major injuries to one or more persons
SIL3: Loss of a single life
SIL4: Multiple loss of life


The standard lists practices that are recommended, or highly recommended, for each SIL. The use of coding standards, for instance, is highly recommended for every SIL. Formal methods are recommended for SIL2 and 3, and highly recommended for SIL4.


The author relates the effort needed—derived using the Constructive Cost Model (COCOMO) method—to the difficulty of verifying correctness at various safety levels. Unsurprisingly, that effort rises sharply as one moves from the lower SILs to the higher ones. SIL3 is about 1.7 times more effort than a nominal, non-safety-critical product.


He goes on to relate productivity to process maturity, using the Capability Maturity Model as an example model. At CMM4 he finds schedules are almost half those for nominal (NOM) products.


Tying it all together results in this table below:

[Image: gansslecocomotable.jpg, the COCOMO table relating effort to SIL and process maturity level]


In other words, as one progresses to higher levels of process maturity (the CI values—NOM is CMM1, CI3 is CMM4) the effort to build SIL3 systems is no greater than that needed for non-safety-critical systems.


That's a pretty stunning result.


Or, a dysfunctional company can go to high levels of process maturity and get the same crap for half the price.



 

Comments (1 comment)

用户3840987 2012-11-10 12:16

Wouldn't being at a higher level of process maturity imply less dysfunctionality? Therefore at CMM4 you can attain a higher SIL level for the same equivalent effort.
