Nancy Leveson (leveson(at)sunnyday.mit.edu)
Fri, 01 Mar 2002 10:07:39 -0500
The problem I have found in using object-oriented design in control systems is that the design becomes more complex and MUCH harder to validate or verify for safety. OOD results in the opposite of what we used to call cohesion, i.e., putting all the information related to a particular function in one module so that it becomes easier to read and to change. The goal in design was to reduce coupling and increase cohesion. OOD spreads out the operations related to a function -- potentially throughout all the objects -- and therefore it is much harder for an application expert or safety engineer examining a particular function (which may be implemented using methods from dozens or hundreds of objects) to determine that the function, as implemented, is both correct and safe. Just last week I had some safety engineers complain to me that they are finding it extremely difficult if not impossible to perform safety analysis and ensure safety in systems with OOD.

Nancy