关键系统有软件保障吗?

发布于 2024-07-13 10:11:11 字数 1542 浏览 12 评论 0原文

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

莫多说 2024-07-20 10:11:11

在现实世界中,高完整性应用程序的编码通常涉及跳过一堆 QA 环节。 有时,这些障碍实际上与软件的正确性有关。

美国的医疗器械行业受 FDA 监管。 他们发布了一系列涵盖“设计”的法规,其中包括所有软件开发。 这些法规基本上是 ISO 9000 的强化版。 你必须有一堆由审阅者编写、标记、用审阅意见更新并由高级经理签署的文件。 由于这些法规受到法律支持,FDA 希望看到这些记录未被篡改的证据,例如在看到测试给出的结果后写下测试的“预期结果”。 因此,您要么必须拥有一个锁定的完全安全的 CM 系统,要么必须在纸上签名并注明日期(包括源代码)。 FDA检查员拥有真正的执法权; 如果他们认为合适,他们可以与武装联邦元帅一起检查您的源代码。 然而,他们不是软件专家:他们的工作不是判断您的代码质量,只是确保您遵守所有规定。

航空业必须遵循 DO-178B,它也是 ISO-9000 的强化版。 您必须生成大量文档并证明它们之间的可追溯性。 我不知道 FAA 的质量保证方法是否与 FDA 相同。

问题是没有人真正知道如何开发能够实现预期功能的软件。 因此,我们采用了一种货物狂热的方法,我们制作大量文档,希望这能够提高我们的软件的质量。 确实,高质量的软件通常具有明确的需求和简单的逻辑架构,但这并不意味着编写“需求文档”或“架构文档”就能改善问题。

有证据表明,对代码正确性影响最大的因素是创建代码的团队。 但是你不能对团队制定法律约束。 因此,负责质量管理工作的人员必须对流程编写约束条件,并模糊地希望这会产生类似的效果。

Coding for high integrity applications, in the real world, generally involves jumping through a bunch of QA hoops. Sometimes these hoops actually have something to do with getting the software right.

The medical device industry in the USA is regulated by the FDA. They publish a bunch of regulations covering "design", which includes all the software development. These regulations are basically ISO 9000 on steroids. You have to have a bunch of documents which are written, marked up by reviewers, updated with the review comments and signed off by a senior manager. Because the regulations are backed by law the FDA want to see evidence that these records have not been tampered with, for instance by writing the "expected result" of a test after you saw what result the test gave. So you either have to have a locked down totally secure CM system, or it all has to be signed and dated on paper (including the source code). The FDA inspectors have real law enforcement powers; if they see fit they can inspect your source code with an armed federal marshal. However they are not software specialists: their job is not to judge the quality of your code, just to make sure you have complied with all the regulations.

The aviation industry has to follow DO-178B, which is also ISO-9000 on steroids. You have to produce lots of documents and demonstrate traceability between them. I don't know if the FAA has the same approach to QA as the FDA though.

The problem is that nobody really knows how to produce software that does what it is supposed to. So instead we have a kind of cargo cult approach where we produce lots of documentation in the hope that this will imbue our software with quality. Its true that quality software generally has clear requirements and a simple logical architecture, but that doesn't mean that writing a "Requirements Document" or an "Architecture Document" will improve matters.

The evidence suggests that factor with the biggest impact on code correctness is the team that created it. However you can't write a legal constraint on a team. So instead the people with the job of mandating quality have to write constraints on process instead, in the vague hope that this will have a similar effect.

泛泛之交 2024-07-20 10:11:11

请参阅他们写出正确的内容了解有趣的内容看看他们如何为航天飞机开发软件。

摘抄:

但是该软件做了多少工作
这并不是它引人注目的原因。 什么
令人瞩目的是
软件有效。 这个软件从来不
崩溃。 它永远不需要
重新启动。 该软件没有错误。
它是完美的,像人类一样完美
众生已成就。 考虑这些
stats :最近三个​​版本
程序——每42万行已长
每个只有一个错误。 最后 11
该软件的版本共有
共 17 个错误。 商业计划
等效复杂度为 5,000
错误。

See They Write The Right Stuff for an interesting look at how they develop software for the Space Shuttle.

Excerpt:

But how much work the software does is
not what makes it remarkable. What
makes it remarkable is how well the
software works. This software never
crashes. It never needs to be
re-booted. This software is bug-free.
It is perfect, as perfect as human
beings have achieved. Consider these
stats : the last three versions of the
program -- each 420,000 lines long-had
just one error each. The last 11
versions of this software had a total
of 17 errors. Commercial programs of
equivalent complexity would have 5,000
errors.

蹲墙角沉默 2024-07-20 10:11:11

查看 Walter Bright 的这篇专栏,基本上认为编写完美的软件几乎是不可能的,因此 最好的办法就是快速失败并建立冗余。

Check out this column by Walter Bright, basically arguing that it's virtually impossible to write perfect software, so the best thing to do is fail fast and build in redundancy.

淡看悲欢离合 2024-07-20 10:11:11

是的,有些系统已经开发出来并具有正确性证明。 Praxis 多年来一直使用 SPARK Ada 来做到这一点,现在我们正在使用 C 和 Escher C Verifier 来做到这一点。 它不是万能的,因为即使我们证明代码满足规范,通常也很难确定规范是否适合相关应用程序。

更广泛采用形式化证明的障碍之一是现有的航空软件标准 DO-178B 对形式化技术不友好。 目前正在进行的 DO-178C 重写应该可以解决这个问题。

Yes, there are systems out there developed with proof of correctness. Praxis have been doing this for years using SPARK Ada, and now we're doing it with C and Escher C Verifier. It's not a panacea, because even though we prove that the code satisfies the specification, it's usually difficult to be certain that the specification is appropriate for the application concerned.

One of the barriers to more widespread adoption of formal proof is that the existing aviation software standard DO-178B is not friendly to formal techniques. The DO-178C rewrite currently in progress is supposed to fix that.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文