lua-users home
lua-l archive



Designing safety-critical systems is not a software problem, it is a _system_ problem, and the system design should be done by a system engineer who is experienced in designing safety-critical systems (safety engineering). The changes you list are improvements to make Lua more useful for real-time control (which is the computer's ability to guarantee it can issue commands within the time constraints imposed by the system specifications).

I have worked on safety-critical systems (semiconductor equipment control software). The software was written using a combination of batch files, C, C++, and Object Pascal. We could have used scripting languages, but didn't due to the fact that the original software was written before the widespread use of Python and Lua.

The key system design steps that our team used to determine the overall safety of the system included doing a hazard analysis of the system, and performing a Safety Analysis. The safety analysis was structured much like a Failure Mode and Effects Analysis (FMEA).

From a safety engineering point of view, the overall system design should be safe if any of these events occur --

1. The computer itself has hardware faults and commands the system to go into an unsafe state.
2. The software running on the computer commands the system to go into an unsafe state.
3. Faulty inputs to the computer cause the software to command the system to go into an unsafe state.
4. The software on the computer goes into an internal state (i.e. infinite loop, segmentation fault, kernel panic, etc.) where it stops issuing commands to the controls -- i.e. a "watchdog timer".

In general, assume that your software has bugs in it, and the underlying operating system and libraries you are using have bugs in them that can cause your software to fail at any time.

For a system to be considered "safe", it needs to be designed so that it takes failures in two or more independent components to even get to an unsafe state. Thus, the computer and the software running on it cannot be relied upon as the sole means of preventing the system from getting into an unsafe state, nor should it be the sole means of placing the system into a non-hazardous state should it get into an unsafe state.

None of this has anything to do with the specific language you use.

--Jay


On Sun, Feb 5, 2023 at 1:07 PM Roger Leigh <rleigh@codelibre.net> wrote:
Hi folks,


I'm new to the mailing list, and would be interested to know if anyone has used Lua in any sort of safety-critical system, in particular for regulated industries such as automotive or medical.  If anyone has any examples of such use in a real product that would be really interesting and much appreciated.

For a bit of context, I'm currently investigating use of Lua in an embedded device running as a dedicated RTOS thread for high-level scripting of actions.  I have developed an initial proof of concept with several safety mitigations including a custom pool allocator and made some other small modifications to make Lua work in this constrained environment. From a purely technical perspective, everything is working very well.  However, without being aware of any precedent for Lua being used for this type of application, it is a potential regulatory risk, and so any pre-existing use of Lua for this type of situation would make it a less risky proposition.

If making the stock Lua source code work on embedded systems is of wider interest, I can potentially feed back some of the changes I've made, which include:

  - disabling of all file I/O for systems without any file system or FILE streams [mainly a handful of ifdefs]
  - replacement of the random functions using clock() and time() with a hardware RNG [would weak symbols with a LUA_WEAK macro be acceptable, or should this go into Lua_State as a function pointer like for the memory allocator?]
  - replacement of some of the output/logging functions to use alternative means of logging in the absence of FILE streams (same question as for the random functions regarding weak symbols or function pointer)


Many thanks,
Roger
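As an added illustration of the allocator-style hook Roger refers to (this is example code, not from the thread, from Lua, or from Roger's proof of concept): a byte-budgeted allocator in the shape of Lua's `lua_Alloc` callback, standing in for the custom pool allocator he mentions. The `budget_t` struct, the cap value and the self-check routine are assumptions; the signature is declared locally so the file compiles without `lua.h`. It shows the failure mode Jay's fourth point cares about: when a script outgrows its budget the allocator returns NULL so Lua raises a memory error, rather than the host thread overcommitting device memory.

```c
/* Added example: a byte-budgeted allocator with the signature Lua's
 * lua_Alloc callback takes: void *(*)(void *ud, void *ptr, size_t osize, size_t nsize).
 * budget_t, the limit and budget_selfcheck are assumptions for this demo. */
#include <stddef.h>
#include <stdlib.h>

typedef struct {
    size_t limit;   /* hard cap on bytes the Lua state may hold */
    size_t in_use;  /* bytes currently handed out */
    size_t refused; /* growth requests denied (useful for diagnostics) */
} budget_t;

/* lua_Alloc contract: nsize == 0 frees ptr and returns NULL; a request
 * that does not grow the block must never fail; any other request may
 * return NULL, which makes Lua raise "not enough memory" instead of the
 * host process silently overcommitting. */
void *budget_alloc(void *ud, void *ptr, size_t osize, size_t nsize) {
    budget_t *b = (budget_t *)ud;
    /* When ptr is NULL, osize encodes the Lua object type, not a size. */
    size_t old = (ptr == NULL) ? 0 : osize;

    if (nsize == 0) {
        free(ptr);
        b->in_use -= old;
        return NULL;
    }
    if (nsize > old && b->in_use - old + nsize > b->limit) {
        b->refused++;
        return NULL;            /* over budget: refuse to grow */
    }
    void *p = realloc(ptr, nsize);
    if (p == NULL) {
        if (nsize <= old)
            return ptr;         /* shrink must not fail: keep the old block */
        b->refused++;
        return NULL;
    }
    b->in_use = b->in_use - old + nsize;
    return p;
}

/* Drive the allocator the way a Lua state would, without linking Lua.
 * Returns 1 when one request is refused and all memory is returned. */
int budget_selfcheck(size_t limit) {
    budget_t b = { limit, 0, 0 };
    void *a = budget_alloc(&b, NULL, 0, 64);      /* fits within budget */
    void *c = budget_alloc(&b, NULL, 0, limit);   /* would exceed it: NULL */
    a = budget_alloc(&b, a, 64, 32);              /* shrinking always works */
    budget_alloc(&b, a, 32, 0);                   /* free */
    return (c == NULL && b.refused == 1 && b.in_use == 0) ? 1 : 0;
}
```

Passing `budget_alloc` and a `budget_t` to `lua_newstate` is how such an allocator reaches a real Lua state; the same function-pointer-plus-userdata shape is the one Roger asks about for the random and logging hooks.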