vol 8, issue 2

Analysis: safe-code revision grapples with automated checking

28 February 2013
By Chris Edwards
Engineers from Rover developed the MISRA guidelines that have now been adopted across the automotive industry.

The Motor Industry Software Reliability Association (MISRA), the group behind one of the most widely used coding standards for safe, reliable software, launched the first major update to that standard for almost a decade at the Embedded World show in Nuremberg this week.

The revision process has, however, raised questions about the nature of coding standards and about whether it is even possible to verify that code follows them. The MISRA-C standard gives programmers a set of coding rules that forbid the use of constructs that are more likely to lead to errors. Chris Hills, MISRA-C team member and CTO of tools vendor Phaedrus Systems, said the shortcomings of C were recognised early on, with one of its creators, Dennis Ritchie, calling a number of its constructs “legal but dubious”.

To try to make C safer for use in their systems, engineers from car manufacturers Ford and Rover developed the initial MISRA guidelines, which have since been adopted not just across the automotive industry but in sectors that include military, aerospace and the nuclear industry.

The first revision of the standard took place in the early 2000s, resulting in MISRA-C:2004. The forthcoming update follows a complete overhaul of the standard by a close-knit team of around ten UK-based engineers, initially to add rules that covered the most recent version of the C language.

“The driving force was the C99 standard,” said Mark Pitchford, field applications engineer at code-analysis tool vendor LDRA, “but the process used the feedback from MISRA C:2004 to address people’s concerns and dislikes.”

Paul Burden, technical consultant at Programming Research, another supplier of static code analysis software, agreed: “We could see there were improvements to be made.”

For the new version of the standard, the committee has implemented the concept of 'decidability' to determine which rules can be checked automatically by a static-analysis tool versus those that identify good practice but which do not have clear-cut distinctions and are difficult or impossible to verify without human involvement.

“One of the troubles for the big motor manufacturers is that they have suppliers shipping in software that are supposed to be MISRA C-compliant – but how do they verify it?” said Programming Research’s Paul Burden. “If rules are not well-defined, it makes life very difficult. How do you audit compliance?”

Pitchford added: “With decidable rules, if the rule says it’s wrong then it’s wrong”.

Undecidable rules, on the other hand, rely on interpretation. For example, one rule demands that no code be put into comments – largely to prevent developers from commenting-out segments of code to disable it. However, it is very difficult for a tool to determine whether a comment contains potentially executable code.
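As an added illustration of the decidability distinction (example code written for this page, not the article's or any tool vendor's), here is a small Python checker that applies one clear-cut rule, flagging any use of the `union` keyword that Hills mentions later in the piece, beside a heuristic for the 'no code in comments' rule, both run over a constructed C fragment. The sample source, the function names `uses_union` and `suspect_comments`, and the regular expressions are all assumptions of this example.

```python
import re

# Constructed C fragment (not from the article) with one commented-out
# statement, one prose comment that merely looks like code, and a string
# literal containing the word "union".
SAMPLE_C = r'''
#include <stdint.h>
/* Decodes a frame header from the raw byte stream. */
int decode(const uint8_t *buf)
{
    const char *tag = "union"; /* a string, not a union type */
    int len = buf[0];
    // len = buf[1];   /* old format, kept for reference */
    /* Tip: the caller must set len = 0; on the first frame. */
    /* if (len > 64) return -1 */
    return len + (tag[0] == 'u');
}
'''

# Simplified lexing: good enough for the sample, not a full C preprocessor.
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*', re.DOTALL)
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
# Rough signs of a C statement: trailing ';', braces, 'f(...);' or 'x = ...;'
CODE_HINT = re.compile(r';\s*$|[{}]|\b\w+\s*\([^)]*\)\s*;|\b\w+\s*=\s*[^=][^;]*;')


def comments(src):
    """Return the body of every /* */ and // comment in src, in order."""
    bodies = []
    for m in COMMENT_RE.finditer(src):
        c = m.group(0)
        bodies.append(c[2:-2] if c.startswith('/*') else c[2:])
    return bodies


def uses_union(src):
    """Decidable rule: 'union' occurs as a token in code, not in a comment or string."""
    code = STRING_RE.sub('""', COMMENT_RE.sub(' ', src))
    return re.search(r'\bunion\b', code) is not None


def suspect_comments(src):
    """Undecidable rule, approximated: comments whose text looks like C code."""
    return [c.strip() for c in comments(src) if CODE_HINT.search(c.strip())]


if __name__ == '__main__':
    print('uses union:', uses_union(SAMPLE_C))  # False
    for hit in suspect_comments(SAMPLE_C):
        print('possible code in comment:', hit)
    # The commented-out 'if (len > 64) return -1' is missed while the 'Tip'
    # comment is flagged, so a reviewer still has to make the call.
```

The union check gives a yes-or-no answer that every tool would agree on; the comment heuristic both misses the commented-out `if` statement and wrongly flags the prose comment containing `len = 0;`, which is the gap a human reviewer has to close.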

“This work has exposed the limitations of coding rules, which are often swept under the carpet when devising coding standards,” Paul Burden believes. “So the whole concept of compliance has been exposed as a debatable area. If you are claiming compliance the best you can do is say: ‘I am testing compliance with these tools’. It’s not black and white. It’s a best-effort process.”

Despite the problem of verifiability, much of the effort in developing MISRA C:2012 was aimed at reducing the level of doubt in static code analysis. “The other key coding standard is Cert C, which is more oriented towards the security industry rather than the safety-critical market,” Paul Burden at Programming Research said. “One of the key contrasts between the two, apart from Cert C being three times the size, is that its ratio of decidability is far, far lower than MISRA C. Although it contains very good advice, it’s very difficult to enforce… One of the reasons why MISRA C is being used is because it fits in very closely with the use of tool-based enforcement.”

An analysis from 2011 by market watcher VDC Research found that, after in-house coding standards, MISRA C was the one most commonly in use. “What I would say is that if you look at most in-house coding standards, generally speaking, they tend to pick up MISRA C and modify it,” said Paul Burden at Programming Research. “I would say that MISRA C today is largely dominant even though it isn’t the biggest bar on the VDC graph.”

Pitchford argued that rewriting the rules to be more descriptive is likely to propel MISRA C further into mainstream programming: “This narrowing and focusing of the standard has also seen changes in terms of the English so that’s much more descriptive. It has become an educational document and not just ‘do as you’re told’. Although MISRA C has been used widely across the safety-critical sectors, it did tend to be something that people had to use because they were being certified to it – but the change in emphasis towards ‘use this rule because it’s a good idea’ opens it out to people who just want software to work.”

A number of changes reflect the growing diversity of systems being built in the embedded space. Some of the rules are considered mandatory by the new standard for the first time. “There are a few rules that we consider to be so common-sense and uncontroversial that there can be no sensible reason to deviate from them,” argues Paul Burden at Programming Research.

Other situations are more complex. “When you can implement critical systems on anything from an 8-bit [Microchip Technology] PIC to a 64-bit processor, it’s hard to find a rule that’s universal,” said Phaedrus Systems’ Chris Hills. “You can’t have 100 per cent MISRA-C compliance without deviation. It’s highly impractical for embedded systems because of the different architectures of the processors.”

Some industries cannot apply some of the rules because of the way their systems operate. “Originally we banned C unions. The trouble is that if you are doing communications systems, you normally need to use unions to get things in and out of the packet stream. For the most part, you should not use unions but if you deviate from that rule in one or two functions, that’s fine,” Hills concludes.

More information:
http://www.misra.org.uk/

http://www.phaedsys.com/

http://www.ldra.com/

http://www.programmingresearch.com/
