Why architecture matters in functional safety

“Quality is not an act, it is a habit.” – Aristotle

In the world of safety-critical software development, ensuring high quality and high fidelity is paramount. As the old saying goes, “With great power comes great responsibility,” and nowhere is this more true than in the development of software for aerospace, medical devices, automotive systems, and other critical applications. Vendors are responsible for ensuring the highest standards of development, and reducing risks of their systems failing. In this blog post, we’ll explore the key standards governing functional safety in software, with a focus on software architecture compliance and the role of various testing methodologies.

The Cost and Impact of Software Defects in Safety-Critical Systems

Understanding the prevalence and impact of software defects in safety-critical systems is crucial for appreciating the importance of rigorous development practices and standards. Let’s look at some data that illustrates the scale of the problem:

Industry Bugs per 1000 Lines of Code (LOC) Typical Project Size (LOC) Estimated Bugs per Project
Medical Devices 0.5 – 2 100,000 – 1,000,000 50 – 2,000
Automotive 0.1 – 1 100,000,000+ 10,000 – 100,000+
Avionics 0.1 – 0.5 1,000,000 – 10,000,000 100 – 5,000
Space Systems 0.1 – 0.3 500,000 – 5,000,000 50 – 1,500

Table 1: Typical Bug Rates in Safety-Critical Applications

Note: These figures are estimates and can vary significantly based on the specific project, development practices, and testing rigor.

Relative Cost to Fix
Requirements 1x
Design 3-6x
Coding 10x
Testing 15-40x
Maintenance 40-1000x

Table 2: Cost of Fixing Defects at Different Stages

Potential Consequences Estimated Cost per Incident
Medical Devices Patient injury or death $1 million – $100 million+
Automotive Vehicle accidents, injuries, fatalities $1 million – $50 million+
Avionics Aircraft crashes, loss of life $100 million – $1 billion+
Space Systems Mission failure, loss of equipment $500 million – $5 billion+

Table 3: Potential Impact of Safety-Critical Software Defects

These tables illustrate the critical importance of catching and fixing defects as early as possible in the development process. The potential human and financial costs of software failures in safety-critical systems are enormous, underscoring the need for rigorous development practices, thorough testing, and compliance with industry standards.

“The bitterness of poor quality remains long after the sweetness of low price is forgotten.” – Benjamin Franklin

Key Standards in Functional Safety

DO-178C (Aerospace)

DO-178C is the primary standard for developing safety-critical software in the aerospace industry. It emphasizes a structured approach to software development, with rigorous verification and validation processes.

FDA/IEC 62304 (Medical Devices)

This standard applies to the development and maintenance of medical device software. It focuses on risk management and quality assurance throughout the software lifecycle.

ISO 26262 (Automotive)

ISO 26262 is the international standard for functional safety in road vehicles. It provides a framework for developing safety-critical automotive systems, including software components.

ASPICE (Automotive SPICE)

Automotive SPICE is a process assessment model used in the automotive industry to evaluate the capability of software development processes.

Software Architecture Compliance

Each of these standards emphasizes the importance of a well-defined and compliant software architecture. Here’s what they say about architecture:

1. DO-178C: Requires a detailed software architecture description and emphasizes traceability between requirements, design, and code.

2. FDA/IEC 62304: Mandates a software architecture that supports risk management and modular design.

3. ISO 26262: Emphasizes the need for a clear architectural design that supports safety goals and facilitates fault detection and isolation.

4. ASPICE: Focuses on architectural design as a key process area, requiring clear documentation and rationale for architectural decisions.

The architecture of a system is like the foundation of a building. Get it wrong, and everything built on top of it is at risk.” – Anonymous

Safety & Security

“At the end of the day, the goals are simple: safety and security.” – Jodi Rell

It’s no co-incidence that in the German language, the word for safety and security is the same (“Sicherheit”). They are two sides of the same coin, or necessary and sufficient conditions for the other. You cannot have safety if your system is insecure, and if your system is unsafe, it is often vulnerable to exploitation. At Lattix, we recognized this mutual interdependence, and realized that it would be extremely helpful to view both software safety and security issues through the prism of the software architecture. This helps answer questions such as

  1. where in the software architecture are our safety and security vulnerabilities?
  2. what impact could they have on our system?
  3. are our components “red”, “orange” or “green” with respect to safety, security and compliance metrics?

Testing Methodologies and Their Importance

Static Code Analysis

Static code analysis involves examining the source code without executing it. This process can identify potential bugs, security vulnerabilities, and compliance issues early in the development cycle.

Dynamic Unit and Integration Testing

Dynamic testing involves executing the code to verify its behavior. Unit testing focuses on individual components, while integration testing verifies the interaction between components.

Code Coverage Analysis

Code coverage analysis measures the extent to which the source code of a program has been executed during testing. It helps identify areas of the code that may need additional testing.

“Testing is an infinite process of comparing the invisible to the ambiguous in order to avoid the unthinkable happening to the anonymous.” – James Bach

Dependency Structure Matrices (DSMs)

Dependency Structure Matrices represent a powerful technique for analyzing and visualizing the structure of complex systems, including software architectures. They work by representing system elements as a square matrix, where the rows and columns represent the same set of elements, and the cells indicate dependencies between them.

Here’s how DSMs can help with architecture compliance for safety-critical applications:

1. Visibility: DSMs provide a clear, visual representation of the system’s structure, making it easier to identify architectural patterns and potential issues.

2. Modularity Analysis: They help in identifying highly coupled or cyclically dependent components, which can be problematic in safety-critical systems.

3. Impact Analysis: DSMs can quickly show the potential impact of changes to one component on other parts of the system.

4. Compliance Checking: By comparing the actual architecture (as represented by the DSM) with the intended architecture, teams can easily spot deviations from the design.

5. Refactoring Guidance: DSMs can guide architects in refactoring efforts by highlighting areas where dependencies can be reduced or reorganized.

Integrating Quality Data with Lattix

Tools such as Lattix can import data from various software quality tools and present it through the prism of the software architecture. This integration allows teams to:

1. Map quality metrics to architectural components
2. Visualize the distribution of issues across the system
3. Identify high-risk areas that may require additional scrutiny
4. Track compliance with architectural rules and constraints

By combining architectural analysis with data from static analysis, unit testing, and code coverage tools, teams can gain a comprehensive view of their system’s quality and compliance status.

Conclusion

In the realm of safety-critical software development, architecture compliance and comprehensive testing are not just best practices—they’re essential for ensuring the safety and reliability of critical systems. By leveraging standards like DO-178C, FDA/IEC 62304, ISO 26262, and ASPICE, along with powerful DSM tools such as Lattix, and integrated quality analysis platforms, development teams can create software that not only meets functional requirements but also stands up to the rigorous demands of safety-critical applications.

Remember, as the great Edsger W. Dijkstra once said, “Program testing can be used to show the presence of bugs, but never to show their absence”. So keep testing, keep analyzing, and never stop improving your software architecture.

 

Related News

Why architecture matters in functional safety

In the world of safety-critical software development, ensuring high quality and high fidelity is paramount. As the old saying goes, “With great power comes great responsibility,” and nowhere is this more true than in the development of software for aerospace, medical devices, automotive systems, and other critical applications. Vendors are responsible for ensuring the highest standards of development, and reducing risks of their systems failing. In this blog post, we’ll explore the key standards governing functional safety in software, with a focus on software architecture compliance and the role of various testing methodologies.

Read more about Why architecture matters in functional safety