technology deployed Standards Update
What Coding Standards Can Do for Critical Embedded Software Development Especially in projects that don’t require certification, subsets and deviations provide ways for developers to leverage the benefits of standards while controlling cost and development time. by Chris Tapp, LDRA
R
eviews of faults and failures in highreliability embedded systems ranging from medical devices to military systems show that all too frequently the source of the problem lies in software errors. A variety of standards such as ISO 26262 and IEC 62304 introduce the requirement to adopt a language subset enforced by means of a coding standard. Indeed, there are significant benefits to be found in using coding standards even when a company does not need to certify to an industry or international standard. However, there is a cost involved in working to a standard, both in terms of time and money. The good news is that organizations not compelled to certify have the freedom to not only choose which coding standards to follow as best practices to improve their products, but also to reduce the cost of compliance by adopting only a subset of a given standard. This requires an understanding of how coding standards work and how to define subsets in a way that does not render the standard ineffective. Here, we will explore how development teams can determine which coding standards or their subsets will deliver the most value, how to adapt them most ef-
48
DECEMBER 2012 RTC MAGAZINE
fectively and establish variants when required, and how to configure automated tools to ease the process.
Understanding a Coding Standard Subset
A coding standard is a term used to describe a collection of guidelines, in which a guideline is a requirement or set of requirements that aims to help ensure that the quality attributes of a project are appropriate to its integrity level. The requirements
of the guidelines within a coding standard must be met to support a claim that a project complies with that standard. Coding standards used within a formal-methods environment often contain “absolute� guidelines, which may never be violated. While it may be desirable to have strict enforcement of a coding standard, it is not always practical. For example, the C programming language contains many implementation-defined behaviors that should generally be avoided (e.g., using the absolute position of bits within a bit-field), but whose use is essential under certain conditions (e.g., when mapping on to hardware registers). A coding standard intended for use with such a language needs to allow some flexibility so that guidelines can be violated in a controlled way. The implementer of a coding standard for a language such as C has to balance the strictness of the guidelines against the effort required to follow them. The guidelines are generally chosen to provide as much protection as possible against any undesirable language behavior, even if this means considerable effort is necessary to comply with the coding standard. Safety is considered more important than ease of use. This ensures the standard provides the maximum level of benefit when used within a high-integrity project, but it may mean that the cost associated with its use for a high-reliability system is excessive. The introduction of subsets relaxes strict standards, allowing them to be used more cost-effectively at lower integrity levels (Figure 1).
Figure 1 A selection of some of the popular standards including MISRA C, MISRA C++ and CERT C.