from Hacker News

Ask HN: Languages for safety-critical embedded work?

by randomacct44 on 5/15/16, 11:43 PM with 22 comments

I'm interested to hear from the HN crowd what's out there in terms of languages / frameworks for doing safety-critical embedded development on commonly-available hardware like the ESP8266. Think at the safety level of implantable medical devices or flight control software.

My usual Google skills aren't getting me anywhere on this one :)

  • by danielvf on 5/16/16, 2:41 AM

    1. If you are developing for the ESP8266, your current choices are C, Lua, and Arduino. So you are pretty much using C by default.

    2. The automotive industry has a standard for safety critical C code. It's called MISRA C. A few of the rules are stupid, but others will save you worlds of issues. You have to buy the PDF from the committee's website for about 15 bucks, but it's worth reading and mostly following.

    3. If you are actually writing medical or flight control software, you cannot depend on a single proccesor or computer. Perfect software is not enough. Airliners have three separate computers, each containing three different processor architecture processors, each processor running code compiled on a different compiler, and all checking each others work. SpaceX runs at least five separate embedded linux computers for any critical systems. These communicate in such a way that they can tolerate even malicious actions by any two computers. Google "byzantine fault tolarance"

  • by burfog on 5/16/16, 4:02 AM

    Don't overlook the fact that lots of bug-finding tools support plain old C best. Yes yes, it needs them more, but... at least the tools exist!

    Get all the tools. There are free tools like "sparse", a tool Linus wrote for his kernel. There are expensive tools like Coverity. Get them all. Use them all.

    Build your code with all the warnings enabled. Use multiple compilers, even if they don't compile for your target.

  • by atomical on 5/16/16, 2:26 AM

  • by viraptor on 5/16/16, 12:31 AM

    Ada is known for those kind of applications. Very restrictive types / contracts make it a good choice.

    Of course a lot of safety critical stuff is still written in C or C++. They may not be perfect, but they're not terrible choices.

  • by Tomte on 5/16/16, 11:35 AM

    Depends on the field. Aeronautics and reactor control seem to use "safer languages" like Ada quite a bit.

    In factory automation I have only ever seen C, and AFAIK automotive is the same (they seem to be more open to C++, though).

    Most of safety-critical development (as I know it -- again, no satelites or nuclear stuff) is documentation, testing and FMEAs. Quite a bit of "patterns" or procedures, as well, like memory testing in the background, redundant variables, cross checks between controllers, plausibility checks etc.

    But very, very little focus on saner programming languages.

  • by eric_bullington on 5/17/16, 10:20 PM

    Ada. I personally lean more and more toward functional languages these days, but despite that, I'm incredibly impressed with modern Ada. Particularly the Spark subset of Ada, which is perhaps the best-thought out, more coherent, most secure language around for general programming. It's the epitome of a well-engineered project, with excellent tooling, and formal verification options to boot. If I had to build something safety critical, I wouldn't hesitate to choose Ada.

    And it looks like some folks have already been using Ada on the ESP8266, here are instructions: https://github.com/RREE/esp8266-ada/wiki/Steps-for-building-...

  • by kognate on 5/16/16, 12:43 AM

    The Power Of 10 is a good place to start.

    https://en.wikipedia.org/wiki/The_Power_of_10:_Rules_for_Dev...

    The summary would be:

    Use vanilla C with some rules about things like memory, testing, and recursion. Testing and static analysis are your friends.

  • by probinso on 5/16/16, 5:00 AM

    +10 points for Ada. Great language. Barnes book is a great resources

  • by samfisher83 on 5/16/16, 12:48 AM

    I work on industrial control and we typically just use C.

  • by technion on 5/16/16, 5:45 AM

    This is a tangent, but Wikipedia says this about that chip:

        The ESP8266 is a low-cost Wi-Fi chip with full TCP/IP stack and microcontroller capability produced by Shanghai-based Chinese manufacturer, Espressif.
    Am I alone in the concern that in a safety critical environment, the phrase "low cost" should be more of a concern than the choice of language?

  • by superboum on 5/16/16, 1:04 PM

    If you want to go further, you might be interested by proving your software and formal method, something like the B-Method ; https://en.wikipedia.org/wiki/B-Method

    Unfortunately, I only know their name and never use it.

  • by spraak on 5/15/16, 11:48 PM

    Really out of my realm but maybe Rust?

  • by jotux on 5/16/16, 4:51 PM