comment on this article

Embedded designers not paying enough attention

Despite safety depending upon high quality software, significant numbers of engineers appear not to adopt best practice

The Barr Group’s third annual survey of embedded systems safety and security has concluded there remains ‘much work to be done’ by the embedded systems design community in order to achieve a safer and more secure world. “Fortunately,” the report notes, “a lot of what needs to be done is well understood and easy to implement. What appears to be lacking is motivation.”

The survey generated 2000 responses from engineers around the world, with 52% coming from the US and Canada and 27% from Europe. Once qualification filters were applied, the survey was compiled from 1726 responses from engineers with an average design career of 17 years.

According to Barr Group CEO Andrew Girson, 19% of respondents were involved in industrial automation, with 11% in consumer electronics and 10% developing medical devices.

Asked what was the worst thing that could happen if their product failed, 28% said that could result in death or injury. Of those, 34% admitted they were either not designing to meet relevant safety standards or simply didn’t know. According to Girson: “That result should say that 100% of respondents design to safety standards.”

Looking more closely, the survey found that 17% of the subset didn’t use coding standards, 25% didn’t use code reviews – with a further 16% replying ‘maybe’ – and 32% didn’t use static analysis (see image). “Products that could kill or injure should be designed to the appropriate safety integrity level (SIL),” Gerson asserted. “Best practices are ignored by way too many developers of safety-critical systems,” he added.

The report found that ‘safety practices are not clearly better in the automotive industry than in the medical device industry, even though many more lives are at risk with automotive failures’.

Examing the security aspect of design, the survey asked whether the respondent’s product required security. There were 1014 appropriate responses and 60% of those said their product would be online ‘always’ or ‘sometime’, with half of the designs in progress having one or more wireless interfaces. Of the 1014, more than half admitted their design needed to be more secure than previously. Yet, while more than half of the 1014 respondents said they were concerned about product tampering, only 25% were worried that poor security in their product could cause death.

“The highest-ranked security concerns were more likely to relate to the company that designed the product than to the users of the product”, the report found. “Designers of a remarkably large number of potentially dangerous embedded systems are ignoring security, even as they connect their products to the Internet.”

Another finding – ‘disturbing’, said Barr Group – was that 22% of those designing safety-critical systems that would be connected to the Internet said security was not a ‘design requirement’ at all on their project.

“What horrifying deadly disaster need occur before designers of Internet-connected products will begin to take security seriously?,” the report asks.

From the survey’s results, the Barr Group identified what it calls a ‘sizeable subset of respondents’ designing products that were both potentially injurious and on the Internet. This has moved Barr Group to coin the phrase ‘the Internet of Dangerous Things, or IoDT’.

Girson noted: “As an industry, we need to do better. Security is challenging,” he accepted, “with multicore processors and different operating systems. But, while it might be hard, companies are still not paying attention.

“Time to market appears to be more important than safety and security,” he concluded, “but fewer bugs and defects will make products safer and more secure.”

Author
Graham Pitcher

Comment on this article


Websites

http://barrgroup.com/

Companies

Barr Group

This material is protected by MA Business copyright See Terms and Conditions. One-off usage is permitted but bulk copying is not. For multiple copies contact the sales team.

What you think about this article:

Security engineering needs to be in the same space as safety engineering to increase the level of rigour imposed on system design. In some IoT cases, the bottom line is the driving factor but if security was considered as a mandatory design tenet, we may not be in the position we are at the moment.

Posted by: Jeff Hall, 26/04/2017

Add your comments

Name
 
Email
 
Comments
 

Your comments/feedback may be edited prior to publishing. Not all entries will be published.
Please view our Terms and Conditions before leaving a comment.

Related Articles