I think my copy of PC-Lint cost me $185 close to twenty years ago. When I left that employer, I had the license transferred. I still get free updates for it. Best development money I have ever spent.

I strongly believe in using the best tools and that the tools help you become a better developer. I have joined several development teams in trouble and my first step is often to guide the other developers to adopt tools. There is usually some resistance. However, in my experience, six months into a project most developers will buy in. (If they haven't, either the tool isn't much good or the developer needs to be replaced.)

I consult for a medical startup that was releasing a navigation application for a FDA 510K submission. The first submission a few months after I started was a nightmare. They weren't using version control and working code could only be built on a certain computer. My first step was convincing everyone to use SVN which helped immensely. The project managers were impressed they could access the released code (and always get the correct version). The software developers were relieved when the same code could be built by everyone and we could track changes. We also started using a defect/issue tracker. (TeamForge/Redmine/Track/Bugzilla/etc.) We managed to get the submission in, but realized we needed process, code, test, and documentation improvements.

The next step to improve code quality was to use Lint and stamp out the Clang build warnings. Cleaning up the build caught a number of program crashes that had been haunting the code. Having less warnings in the output helped the new warnings stand out. Gradually, we bumped up the Clang compiler warning level and developers improved their coding as they were prodded by the warnings and realized the benefits. We were able to use the defect/issue tracker to prioritize efforts. Developers started to enjoy working smarter rather than harder and project management gained confidence in the risks/timelines for the next 510K submission. We started unit testing our code to find the remaining issues and Doxygen to document the design.

With these basics under control, we started improving the software development process. The first submission had created some of the process and design documents at the last moment for the submission rather than following a SDP. Now that developers and managers could see some of the benefits of the tools they realized that many difficulties were caused by poor planning and incomplete requirements. I think this is always a work in progress but at least people were realizing the benefits in following a SDP. The results we had from using VC, tracking, unit testing and Doxygen helped immensely with the next submission. The next project will go a lot smoother now that project managers and developers understand why/how to use the tools to follow a development process.

I realize I am rambling, so I will try to summarize the tools I have found essential over 30 years of software development:

Version Control - I've used many. PVCS, Perforce, SourceSafe, and now primarily use Subversion and some Git. The repository should be hosted on an external server and there is no excuse for software development that isn't in VC. For Windows, TortiseSVN is wonderful.

Defect/Issue Tracking - This will simplify life as a developer and help project managers understand the project state. Also useful for creating required documentation. There are some nice tie ins between VC and tracking software to link code changes to issues. (Redmine, Bugzilla, TeamForge, etc..)

Coding - I use PC-Lint for almost all my coding. I can use it with Visual Studio, TI Code Composer Studio, Atmel Studio, etc... Using a single tool across multiple platforms is nice as I know the options and how to interpret the warnings. I put Lint in the IDE prebuild step so it runs before the compiler. I also do a global lint in the post build prior to the link. On the Mac, I use Clang. One client I work with uses LDRA for some aviation and military projects. I'm one of the few developers that request them to use LDRA for projects I am involved in. It's a little extra work as they only have a few seats of LDRA. It is a bit of a hassle since I need someone else to run the analysis. There is a benefit as I get a code review by some of their best developers when they run the analysis.

Build Configuration - I maintain a test build, debug build (with lots of ASSERT() and VERIFY()), and possibly a dedicated release build if my debug build executes too slowly.

Documentation - I use Doxygen to comment my source code. I have a few clients that have bought into the idea of the Doxygen output serving as the detailed design document. This warns me if I miss documenting a function or variable and I have found some of the Doxygen warnings actually prompt me to improve code structure. This saves me a ton of documentation work and ensures the documentation is complete and consistent. I find this much easier than any other software documentation method I have tried. Many years ago we used the similar LaTeX CWeb on a Ford automotive project. We had the output documentation bound with a hard cover and the Ford managers were amazed.

Unit Testing - I haven't settled on one framework that works on all platforms. On new projects, I try to unit test most my functions. I can run automatic testing on my Mac projects, but I still have to manually select and run test builds on my embedded projects. This is an area for improvement when I settle on a testing tool. Unit testing is a great place to run timing tests on critical code. It's also a good way to verify a code change does what it is supposed to. I often compare old functions with the new improved version in my unit tests. I have worked on several projects where the specification is given as a Simulink or Matlab example. The unit test code runs the same data through the embedded code and Matlab and compares the results.

We have done MISRA-C:2004 compliant development. This was for an automotive company. They also used QAC by PRQA for static analysis of code. That tool is very comprehensive.

As you rightly point out, the process compliance rules are harder to be confident about than the coding compliance rules.

There were some things we had to work through. One of the modules we designed was the non-volatile memory manager. This was a table driven module where the data was predefined so not an arbitrary chunk manager. But it still handled it and wrapped it for storage on a variety of NVM options. Both the MISRA checker and QAC threw complaints about use of pointer math. So a design review and design walkthrough were done to look at the code and the design and it was signed off as OK.

Our client’s understanding of the value of MISRA is that you need a compliant process, which is not hard if you start a project with that in mind, and you need to review and sign off on exceptions. They used a requirements allocation matrix so that made that part of the process easy. You can go to market with exceptions as long as they are reviewed and signed off. What MISRA is intending to do is prevent the most frequent types of serious errors getting into a design without it being looked at carefully.

As an example, unions are very useful for communications stream handling, but are required to not be used under MISRA (required 18.4). This is because alignment and other issues cause a large number of system errors, often at the interface rather than with an individual system. While it is possible to write code that uses unions in these circumstances, it is actually safer to not do it and be explicit. So we used typed pack and unpack routines instead. In this case, I think it is a reasonable rule. And you get to deal with endian issues automatically.

Another example is on the minimisation of run time errors by use of at least one of:

• Static analysis tool/technique

• Dynamic analysis tool/technique

• Explicit coding checks to handle run time faults

This is requirement 21.1. I think you should always do the third of these so we never write anything that isn't compliant with this rule. Plus we use static analysis tools (RSM & PCLint) and we do monitor run time behaviour including logging asserts.

An example of a rule we had to adjust our coding standard for is requirement 2.2 which insists comments must be of the /* comment */ variety and not // comment. So a minor issue but I had got used to the C++ commenting style.

A great tip I picked up from writing the NVM manager is that for debugging, our client used asserts to throw to a handler you can fall through, but released code throws to a NVM log and records the incident for later review. If you are writing mission critical code and have an NVM management module this becomes another ring buffer and isn't so hard to add and you only have to consider the impact on run time performance and storage of the extra logging. Ideally, nothing gets logged. In practice, design requires assumptions and sometimes they are wrong!

So overall, the idea of having a coding standard, using design principles, avoiding or being careful in areas of common error and doing some checks that your code is running as expected are all good things.

There are lots of things that you would expect to be standard practice in SW development let alone embedded development but which seem to be unknown, untaught and unused. Our experience with hiring is that almost no-one has heard of, let alone done any:

• Unit testing

• Test harness

• Any test methodologies

• Have an understanding of what test driven development is about

• Know what the difference between a debug version and a release version and what is going to be different in the compiled code

• Integration testing as something other than “it builds”

• Know what design patterns are

• Design review (or even what documenting a design means)

• Peer code review

• Mocks

• Agile software development ( also unhelpfully called extreme programming)

• Static analysis

• Code quality metrics (cyclomatic complexity for instance)