Embedded Software Development for Safety-Critical Systems
Second Edition

Chris Hobbs
Cover photo by: Chuck Clark

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2020 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper

International Standard Book Number-13: 978-0-367-33885-5 (Paperback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com
Dedication

For Alexander, Thomas, and Edward
Contents

Preface ...................................................... xiii
    Software and Safety xiii
    References xiv
    Tools xv
    Second Edition xv
    Acknowledgments xvi
    About the Author xvii

SECTION 1: BACKGROUND

1 Introduction ............................................... 3
    Safety Culture 4
    Our Path 6
    Selecting the Techniques to Describe 7
    Development Approach 8
    Today’s Challenges 10
    References 12

2 Terminology of Safety ...................................... 13
    General Safety Terminology 13
    Software-Specific Terminology 20
    References 25

3 Safety Standards and Certification ........................ 27
    Standards Bodies 27
    Accreditation and Certification 29
    Why Do We Need These Standards? 31
    Goal- and Prescription-Based Standards 32
    Functional Safety Standards 33
    IEC 62304 and ISO 14971 43
    Machine Learning and SOTIF 45
    Process and the Standards 49
    Summary 50
    References 51

4 Representative Companies .................................. 53
    Alpha Device Corporation 53
    Beta Component Incorporated 54
    Using a Certified Component 54

SECTION 2: THE PROJECT

5 Foundational Analyses ..................................... 59
    Analyses 59
    Interrelationships 60
    Hazard and Risk Analysis 62
    Safety Case 67
    Failure Analysis 74
    Analyses by Example Companies 80
    Summary 83
    References 84

6 Certified and Uncertified Components ...................... 85
    SOUP by Any Other Name 85
    Certified or Uncertified SOUP 86
    Using Non-Certified Components 87
    Using a Certified Component 92
    Aligning Release Cycles 93
    Example Companies 93

SECTION 3: DESIGN PATTERNS

7 Architectural Balancing ................................... 97
    Availability/Reliability Balance 98
    Usefulness/Safety Balance 99
    Security/Performance/Safety Balance 101
    Performance/Reliability Balance 103
    Implementation Balance 103
    Summary 104
    References 104

8 Error Detection and Handling .............................. 105
    Why Detect Errors? 105
    Error Detection and the Standards 106
    Anomaly Detection 106
    Rejuvenation 122
    Recovery Blocks 125
    A Note on the Diverse Monitor 128
    Summary 129
    References 129

9 Expecting the Unexpected .................................. 131
    Design Safe State 131
    Recovery 134
    Crash-Only Model 135
    Anticipation of the Unexpected by the Example Companies 136
    Summary 137
    References 137

10 Replication and Diversification .......................... 139
    History of Replication and Diversification 140
    Replication in the Standards 140
    Component or System Replication? 140
    Replication 142
    Diversification 144
    Virtual Synchrony 149
    Locked-Step Processors 156
    Diverse Monitor 157
    Summary 159
    References 160

SECTION 4: DESIGN VALIDATION

11 Markov Models ............................................ 163
    Markov Models 163
    Markov Models and the Standards 164
    The Markovian Assumptions 164
    Example Calculation 165
    Markovian Advantages and Disadvantages 170
    References 171

12 The Fault Tree ........................................... 173
    FTA and FMECA 173
    Fault Tree Analysis in the Standards 174
    Types of Fault Trees 174
    Example 1: Boolean Fault Tree 175
    Example 2: Extended Boolean Fault Tree 177
    Example 3: Bayesian Fault Tree 178
    Combining FTAs 183
    FTA Tools 184
    Summary 185
    References 185

13 Software Failure Rates ................................... 187
    The Underlying Heresy 187
    Compiler and Hardware Effects 189
    Assessing Failure Rates 190
    Modeling the Failures 193
    The Example Companies 195
    References 197

14 Semi-Formal Design Verification .......................... 199
    Verification of a Reconstructed Design 200
    Discrete Event Simulation 202
    Timed Petri Nets 211
    Simulation and the Example Companies 221
    References 222

15 Formal Design Verification ............................... 223
    What Are Formal Methods? 223
    History of Formal Methods 224
    Formal Methods and the Standards 225
    Do Formal Methods Work? 228
    Types of Formal Methods 230
    Automatic Code and Test Generation 230
    Spin Modeling Tool 231
    Rodin Modeling Tool 237
    Formal Modeling by the Example Companies 243
    Formal Methods: Summary 246
    References 247

SECTION 5: CODING

16 Coding Guidelines ........................................ 251
    Programming Language Selection 251
    Programming Languages and the Standards 252
    Language Features 252
    Use of Language Subsets 257
    So, What is the Best Programming Language? 259
    Programming with Floating Point 259
    References 260

17 Code Coverage Metrics .................................... 261
    Code Coverage Testing 261
    Types of Code Coverage 262
    Coverage and the Standards 268
    Effectiveness of Coverage Testing 268
    Achieving Coverage 270
    Summary 271
    References 271

18 Static Analysis .......................................... 273
    What Static Analysis Is Asked to Do 273
    Static Code Analysis and the Standards 275
    Static Code Analysis 275
    Symbolic Execution 283
    Summary 285
    References 286

SECTION 6: VERIFICATION

19 Integration Testing ...................................... 289
    Fault Injection Testing 290
    Back-to-Back Comparison Test Between Model and Code 295
    Combinatorial Testing 298
    Requirements-Based Testing 302
    Anomaly Detection During Integration Testing 306
    References 307

20 The Tool Chain ........................................... 309
    Validation of the Tool Chain 309
    Tool Classification 310
    BCI’s Tools Classification 311
    Using Third-Party Tools 311
    Verifying the Compiler 312
    ADC’s and BCI’s Compiler Verification 318
    References 321

21 Conclusion ............................................... 323

SECTION 7: APPENDICES

A Goal Structuring Notation ................................. 327
    Background 327
    Example 328
    Eliminative Argumentation 330
    GSN or BBN? 331
    References 331

B Bayesian Belief Networks .................................. 333
    Frequentists and Bayesians 333
    Prior Probabilities 334
    Bayes’ Theorem 335
    A Bayesian Example 336
    What Do the Arrows Mean in a BBN? 337
    BBNs in Safety Case Arguments 338
    BBNs in Fault Trees 341
    BBN or GSN for a Safety Case? 342
    References 344

C Calculating (2+3)+4 ....................................... 345
    Introduction 345
    Errors to be Detected 345
    Calculation 346

D Notations ................................................. 349
    General Symbols 349
    Pi and Ip 350
    The Structure Function 351
    Components in Parallel and Series 351
    Temporal Logic 352
    Vector Bases 355
    References 356

Index ....................................................... 357


Preface

I wrote this book for systems designers, implementers, and verifiers who are experienced in general embedded software development, but who are now facing the prospect of delivering a software-based system for a safety-critical application. In particular, the book is aimed at people creating a product that must satisfy one or more of the international standards relating to safety-critical applications — IEC 61508, ISO 26262, EN 50128, EN 50657, IEC 62304 or related standards.

Software and Safety

The media seem to delight in describing radiotherapy machines that have given the wrong doses to patients, aviation disasters and near-misses, rockets that have had to be destroyed because of a missed comma in the FORTRAN code,† and many other such software-related disasters. Less often recorded are the times where, hardware having failed, the software prevented a disaster. One example of this is the Airbus that landed in the Hudson River, New York, USA, in January 2009 after the hardware of the engines had failed. Without the continued availability of the flight control software, there would almost certainly have been significant loss of life. The hardware/software divide is therefore not completely one-sided.

I hope that this book provides designers, implementers, and verifiers with some ideas that will help to increase the proportion of incidents when software saved the day.

† Variously attributed to the Mariner and Mercury spacecraft.

References

All of the techniques described in this book may be further explored through hundreds of academic articles. In order to provide you with a way in, I have provided references at the end of each chapter. With a few whimsical exceptions (e.g., Lardner’s 1834 paper on diverse programming and Babbage’s 1837 paper on the calculating engine), I have included only references that I have personally found useful as a working software developer.

Some of the papers and books I reference changed my ideas about a topic and, in many cases, caused me to start programming to check whether the concepts were actually useful.

I have to admit that I object to paying money to journals to access published papers, and I believe that all the articles to which I refer in the bibliographies at the end of each chapter can be freely (and legally) downloaded from the Internet. In some cases, e.g., Kálmán’s original 1960 paper to which Chapter 8 refers, one has the option of paying the original journal $25 to retrieve the article, or going to the website of the associated educational establishment (in this case, the University of North Carolina, USA) and downloading the paper for free. I leave the choice to the reader.

I refer frequently to various international standards. These standards are continuously being revised and, when I refer to a standard in this book, I mean the following editions:

EN 50126        2017/2018 Edition
EN 50128        2011 Edition
EN 50129        2018 Edition
EN 50657        First Edition, 2017
IEEE 754        2008 Edition
IEEE 24765      2017 Edition
ISO 14971       Second Edition, 2007 with 2009 Update
ISO/PAS 21448   First Edition, 2019
ISO 26262       Second Edition, 2018
ISO 29119       First Edition, 2013–2016
IEC 61508       Second Edition, 2010 with 61508-3-1:2016
IEC 62304       First Edition, 2006

Tools

I have used the C programming language in examples because this is the language most strongly associated with embedded programming. Some knowledge of C would therefore be useful for the reader, but the examples are short and should be readable by software engineers familiar with other languages.

From time to time I mention a particular tool. In general, I refer to open-source tools, not because these are always superior to commercial equivalents, but because it would be invidious to mention one commercial vendor rather than another unless I had carried out a careful comparison of the available products.

Tools are also very personal. We all know that “wars” can arise from discussions of whether vi or emacs is the better editor. I refuse to take the bait in these discussions, comfortable in my knowledge that vi is far better than emacs.

So, my choice of tool may not be your choice of tool. I hope that whenever I mention a tool, I provide enough information for you to seek out commercial vendors.

Second Edition

The first edition of this book appeared in 2015 and the world of safety-critical embedded software has changed substantially in the years since then:

- I have helped apply eliminative argumentation to the production of a safety case and found this to be an extremely powerful technique. I have therefore added a section on page 330 to describe this technique.
- The Safety of the Intended Functionality (SOTIF) has become an important topic, particularly in the area of autonomy in the automotive industry. At the time of writing, this whole area is still very volatile, but I have taken the opportunity to provide some information about it; see page 45.
- Security has become increasingly important for safety: it has long been known that an insecure system cannot be safe, but the increasing sophistication of attacks against insecure systems has made it even more necessary to incorporate security information into the safety argument. This is difficult because, although safety arguments tend to change quite slowly, security arguments can change overnight. The publication of a vulnerability such as Meltdown or Spectre in a hardware device can invalidate a security argument immediately; see page 72.
- New safety standards, such as EN 50657, have been published and existing standards, such as ISO 26262, have been up-issued. I have updated the ISO 26262 references in this book to reflect Edition 2 of that standard.
- I have added a very simple example of coded processing in Appendix C.
- There were various misprints in the first edition which readers pointed out. I have corrected these and no doubt have introduced new ones.

We live in interesting times — times in which we will need to handle a storm of security problems, problems arising from accidental system and problems arising from machine learning.

Acknowledgments

This book has evolved from material used by QNX Software Systems (QSS) for a training module covering tools and techniques for building embedded software systems in safety-critical devices deployed in cars, medical devices, railway systems, industrial automation systems, etc.

The material in this book has emerged from my professional work and, of course, I have not worked alone. I am grateful to QSS management, and in particular my direct managers, Jeff Baker and Adam Mallory, for allowing me the space to develop many of my ideas, and for allowing me to use the training material as a foundation for this book.

There are many people whom I need to thank for providing me with ideas and challenges. These particularly include (alphabetically) Dave Banham, John Bell, John Hudepohl, Patrick Lee, Martin Lloyd, Ernst Munter, Rob Paterson, Will Snipes and Yi Zheng — a stimulating group of people with whom I have worked over the years.

Even with the ideas, creating a book is not a trivial task, and I would like to thank my wife, Alison, who has read every word with a pencil in her hand. I cannot count how many pencils she has worn out getting this book into a shape that she finds acceptable. I thank her.

I also thank Chuck Clark, Adam Mallory and the anonymous readers provided by the publisher for their extremely thorough and detailed proofreading.

The cover picture was provided by Chuck Clark. Many thanks for the permission to use this photograph.

About the Author

To some extent, I have been shaped by three events. The first I can date precisely: December 24, 1968, at about 8 pm. I was home from university where I was a first-year undergraduate studying a general pure mathematics course. I had completed the first term of my first year, and before leaving for the vacation, I had grabbed a book more or less at random from the library in the mathematics common room. I opened it on Christmas Eve and met Kurt Gödel’s incompleteness results for the first time. In those days, these meta-mathematical results were not taught in high school, and the intellectual excitement of Gödel’s argument hit me like a juggernaut. I went back after the vacation intent on studying this type of mathematics further and had the incredible opportunity of attending tutorials by Imre Lakatos at the London School of Economics. Even now, when I know a lot more of the context within which Gödel’s paper was published, I still think that these results were the highest peak of intellectual creativity of the 20th century.

The most recent event had a gentler introduction. On a whim in 2002, I decided to learn the 24 songs that comprise Franz Schubert’s Winterreise song cycle. Seventeen years later, I am still working on them with my wife as accompanist, and, from time to time, feel that I have lifted a lid and been allowed to peep into their enormous emotional and intellectual depth.

The intermediate event is of more direct relevance to this book and is recounted in Anecdote 1 on page 4. This event led me to the study of the development of software for safety-critical systems.

It may seem strange to link Gödel’s results, safety-critical software and Winterreise, but I feel that each represents a first-rank intellectual challenge.

I met a project manager recently who said that developing software for a safety-critical application is just like developing software for any other application, with the overhead of a lot of paperwork. Perhaps I should have dedicated this book to him.

Chris Hobbs
Ottawa

SECTION 1: BACKGROUND
Chapter 1
Introduction

We’re entering a new world in which data may be more important than software.
Tim O’Reilly

This is a book about the development of dependable, embedded software.

It is traditional to begin books and articles about embedded software with the statistic of how many more lines of embedded code there are in a modern motor car than in a modern airliner. It is traditional to start books and articles about dependable code with a homily about the penalties of finding bugs late in the development process — the well-known exponential cost curve.

What inhibits me from this approach is that I have read Laurent Bossavit’s wonderful book, The Leprechauns of Software Engineering (reference [1]), which ruthlessly investigates such “well-known” software engineering preconceptions and exposes their lack of foundation.

In particular, Bossavit points out the circular logic associated with the exponential cost of finding and fixing bugs later in the development process: “Software engineering is a social process, not a naturally occurring one — it therefore has the property that what we believe about software engineering has causal impacts on what is real about software engineering.” It is precisely because we expect it to be more expensive to fix bugs later in the development process that we have created procedures that make it more expensive.

Bossavit’s observations will be invoked several times in this book because I hope to shake your faith in other “leprechauns” associated with embedded software. In particular, the “100 million lines of code in a modern car” seems to have become a mantra from which we need to break free.

Safety Culture

A safety culture is a culture that allows the boss to hear bad news.
Sidney Dekker

Most of this book addresses the technical aspects of building a product that can be certified to a standard, such as IEC 61508 or ISO 26262. There is one additional, critically important aspect of building a product that could affect public safety — the responsibilities carried by the individual designers, implementers and verification engineers. It is easy to read the safety standards mechanically, and treat their requirements as hoops through which the project has to jump, but those standards were written to be read by people working within an established safety culture.

Anecdote 1

I first started to think about the safety-critical aspects of a design in the late 1980s when I was managing the development of a piece of telecommunications equipment.

A programmer, reading the code at his desk, realized that a safety check in our product could be bypassed. When a technician was working on the equipment, the system carried out a high-voltage test on the external line as a safety measure. If a high voltage was present, the software refused to close the relays that connected the technician’s equipment to the line.

The fault found by the programmer allowed the high-voltage check to be omitted under very unusual conditions.

I was under significant pressure from my management to ship the product. It was pointed out that high voltages rarely were present and, even if they were, it was only under very unusual circumstances that the check would be skipped.

At that time, I had none of the techniques described in this book for assessing the situation and making a reasoned and justifiable decision available to me. It was this incident that set me off down the road that has led to this book.
Annex B of ISO 26262-2 provides a list of examples indicative of good or poor safety cultures, including “groupthink” (bad), intellectual diversity within the team (good), and a reward system that penalizes those who take short-cuts that jeopardize safety (good).

Everyone concerned with the development of a safety-critical device needs to be aware that human life may hang on the quality of the design and implementation.

The official inquiry into the Deepwater Horizon tragedy (reference [2]) specifically addresses the safety culture within the oil and gas industry: “The immediate causes of the Macondo well blowout can be traced to a series of identifiable mistakes made by BP, Halliburton, and Transocean that reveal such systematic failures in risk management that they place in doubt the safety culture of the entire industry.”

The term “safety culture” appears 116 times in the official Nimrod Review (reference [3]) following the investigation into the crash of the Nimrod aircraft XV230 in 2006. In particular, the review includes a whole chapter describing what is required of a safety culture and explicitly states that “The shortcomings in the current airworthiness system in the MOD are manifold and include . . . a Safety Culture that has allowed ‘business’ to eclipse Airworthiness.”

In a healthy safety culture, any developer working on a safety-critical product has the right to know how to assess a risk, and has the duty to bring safety considerations forward.

As Les Chambers said in his blog in February 2012† when commenting on the Deepwater Horizon tragedy:

    We have an ethical duty to come out of our mathematical sandboxes and take more social responsibility for the systems we build, even if this means career threatening conflict with a powerful boss. Knowledge is the traditional currency of engineering, but we must also deal in belief.

One other question that Chambers addresses in that blog posting is whether it is acceptable to pass a decision “upward.” In the incident described in Anecdote 1, I refused to sign the release documentation and passed the decision to my boss. Would that have absolved me morally or legally from any guilt in the matter, had the equipment been shipped and had an injury resulted? In fact, my boss also refused to sign and shipment was delayed at great expense.

† http://www.systemsengineeringblog.com/deus_ex_machina/
Anecdote 2

At a conference on safety-critical systems that I attended a few years back, a group of us were chatting during a coffee break. One of the delegates said that he had a friend who was a lawyer. This lawyer quite often defended engineers who had been accused of developing a defective product that had caused serious injury or death. Apparently, the lawyer was usually confident that he could get the engineer proven innocent if the case came to court. But in many cases the case never came to court because the engineer had committed suicide. This anecdote killed the conversation, as we reflected on its implications for each of us personally.

Our Path

I have structured this book as follows:

Background material.
Chapter 2 introduces some of the terminology to be found later in the book. This is important because words such as fault, error, and failure, often used interchangeably in everyday life, have much sharper meanings when discussing embedded systems.

A device to be used in a safety-critical application will be developed in accordance with the requirements of an international standard. Reference [4] by John McDermid and Andrew Rae points out that there are several hundred standards related to safety engineering.

From this smörgåsbord, I have chosen a small number for discussion in Chapter 3, in particular IEC 61508, which relates to industrial systems and forms the foundation for many other standards; ISO 26262 which extends and specializes IEC 61508 for systems within cars; and IEC 62304, which covers software in medical devices.

I also mention other standards, for example, IEC 29119, the software testing standard, and EN 50128, a railway standard, to support my arguments here and there in the text.

To make some of the discussion more concrete, in Chapter 4 I introduce two fictitious companies. One of these is producing a device for sale into a safety-critical market, and the other is providing a component for that device. This allows me to illustrate how these two companies might work together within the framework of the standards.

Developing a product for a safety-critical application.
Chapter 5 describes the analyses that are carried out for any such development — a hazard and risk analysis, the safety case analysis, the failure analysis, etc. — and Chapter 6 discusses the problems associated with incorporating external (possibly third-party) components into a safety-critical device.

Techniques recommended in the standards.
IEC 61508, EN 50128 and ISO 26262 contain a number of tables recommending various techniques to be applied during a software development. Many of these are commonly used in any development (e.g., interface testing), but some are less well-known. Chapters 7 to 19 cover some of the less common techniques. For convenience, I have divided these into patterns used during the architecture and design of a product (Chapters 7 to 10), those used to ensure the validity of the design (Chapters 11 to 15), those used during implementation (Chapters 16 to 18), and those used during implementation verification (Chapter 19).

Development tools.
One essential, but sometimes overlooked, task during a development is preparing evidence of the correct operation of the tools used; it is irrelevant whether or not the programmers are producing good code if the compiler is compiling it incorrectly. Chapter 20 provides some insights into how such evidence might be collected.

I introduce the goal structuring notation (GSN) and Bayesian belief networks in Chapter 5, but relegate details about them to Appendices A and B, respectively. Finally, there is a little mathematics here and there in this book. Appendix D describes the notations I have used.

Selecting the Techniques to Describe

I have used three criteria to guide me in deciding whether a particular tool or technique should be described:

1. It should be explicitly recommended in IEC 61508 or ISO 26262 or both. I believe that I have included only one technique not directly recommended in those standards.
2. It should not be in common use in the majority of companies that I have recently visited.
3. I should have made direct use of it myself.

Development Approach
There are many development methodologies ranging from pure water-
fall (to which Bossavit dedicates an entire chapter and appendix in ref-
erence [1]), through modified waterfall, design-to-schedule, theory-W,
joint application development, rapid application development, timebox
development, rapid prototyping, agile development with SCRUM to
eXtreme programming.
I do not wish to take sides in the debate about which of these tech-
niques is the most appropriate for the development of an embedded
system, and so, throughout this book, I make use of the composite
approach outlined in Figure 1.1. During a development, certain tasks
have to be completed (although typically not sequentially):

Initial design cycle.
During the initial design cycle, shown at the bottom of Figure 1.1, the requirements for a component or system are analyzed and proposals made for possible designs. These are subject to “quick-and-dirty” analysis (often a Markov Model: see Chapter 11) to see whether they could possibly offer the dependability required to form the basis of the final design.

Detailed design cycle.
Once one or more candidate designs are selected, a full failure analysis is performed. Whether the failure analysis is carried out by means of a simple Markov model, or by more sophisticated techniques such as fault tree analysis (Chapter 12), the predicted failure rate of the software must be known. Determining the failure rate of software is a thorny issue which I address in Chapter 13.

Design verification cycle.
When the elements of the design have been selected, the design must be verified: Does it handle all possible circumstances, could the device ever lock up and not make progress, etc.?

Implementation cycle.
Once the design is complete, implementation begins and patterns must be chosen to implement and verify the implementation of the product.
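The “quick-and-dirty” Markov analysis mentioned for the initial design cycle, as an added example that is not the book's own code (the book's treatment is in Chapter 11): two candidate designs, a single channel and a 1oo2 redundant pair sharing one repair crew, are compared on steady-state unavailability using a small continuous-time Markov chain, and a transient probability is obtained by simple Euler integration as a cross-check. The failure and repair rates, state numbering and every function name below are my assumptions, not values or names from the book.

```python
"""Gross dependability analysis with a small continuous-time Markov chain.

Added illustration; not code from the book. Two candidate designs are
compared on steady-state unavailability, which is the kind of
"quick-and-dirty" figure the initial design cycle needs before a full
failure analysis. All rates and names below are constructed assumptions.
"""
from math import exp
from typing import Dict, Iterable, List

Matrix = List[List[float]]


def solve_linear(a: Matrix, b: List[float]) -> List[float]:
    """Solve a.x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        if abs(p) < 1e-300:
            raise ValueError("singular system: is every state reachable?")
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def steady_state(q: Matrix) -> List[float]:
    """Stationary distribution pi of a CTMC with generator q: pi.q = 0, sum(pi) = 1.

    One balance equation is redundant, so the last row of the transposed
    system is replaced by the normalisation constraint."""
    n = len(q)
    a = [[q[j][i] for j in range(n)] for i in range(n)]  # transpose of q
    b = [0.0] * n
    a[-1] = [1.0] * n
    b[-1] = 1.0
    return solve_linear(a, b)


def transient(q: Matrix, p0: List[float], t: float, steps: int = 20000) -> List[float]:
    """State probabilities at time t: explicit Euler integration of dp/dt = p.q.

    Good enough for a first look; the step must stay small against the
    fastest rate in q (here the repair rate)."""
    n = len(q)
    dt = t / steps
    p = p0[:]
    for _ in range(steps):
        p = [p[i] + dt * sum(p[j] * q[j][i] for j in range(n)) for i in range(n)]
    return p


def single_channel(lam: float, mu: float) -> Matrix:
    """Candidate A. States: 0 = up, 1 = down. Each generator row sums to zero."""
    return [[-lam, lam],
            [mu, -mu]]


def one_out_of_two(lam: float, mu: float) -> Matrix:
    """Candidate B: 1oo2 redundant pair, independent failures, one repair crew.

    States: 0 = both up, 1 = one up (function still delivered),
    2 = both down (function lost)."""
    return [[-2 * lam, 2 * lam, 0.0],
            [mu, -(mu + lam), lam],
            [0.0, mu, -mu]]


def unavailability(q: Matrix, failed_states: Iterable[int]) -> float:
    """Long-run fraction of time spent in the states where the function is lost."""
    pi = steady_state(q)
    return sum(pi[s] for s in failed_states)


def single_channel_down_exact(lam: float, mu: float, t: float) -> float:
    """Closed form for candidate A starting up, used to sanity-check transient()."""
    return lam / (lam + mu) * (1.0 - exp(-(lam + mu) * t))


def compare_designs(lam: float, mu: float) -> Dict[str, float]:
    """Steady-state unavailability of both candidates for the same channel rates."""
    return {
        "single_channel": unavailability(single_channel(lam, mu), [1]),
        "1oo2": unavailability(one_out_of_two(lam, mu), [2]),
    }


# Constructed rates, per hour: MTBF of 10,000 h and MTTR of 8 h per channel.
LAM, MU = 1e-4, 1.0 / 8.0

if __name__ == "__main__":
    for name, u in compare_designs(LAM, MU).items():
        print(f"{name:15s} steady-state unavailability = {u:.3e}")
    p = transient(single_channel(LAM, MU), [1.0, 0.0], t=24.0)
    print(f"single channel P(down at 24 h): Euler {p[1]:.4e}, "
          f"exact {single_channel_down_exact(LAM, MU, 24.0):.4e}")
```

The point of the exercise is the ratio, not the absolute numbers: with the same per-channel rates the redundant candidate's unavailability is several orders of magnitude lower, which is what tells the designer whether a candidate can possibly meet the dependability target before any detailed failure analysis is spent on it. The model assumes independent channel failures; a common-cause term would have to be added before the figure is trusted for a real design.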
Figure 1.1 The suggested approach. (Diagram not reproduced; its labels show, from the bottom of the figure to the top: the Initial Design Cycle with Analysis of Requirements, Selection of Design Patterns and Gross Dependability Analysis; the Detailed Design Cycle with Failure Analysis; the Design Verification Cycle with Design Verification; the Implementation Cycle with Selection of Implementation Patterns, automatic or manual code generation, and Implementation Verification; and the Safety Case alongside the cycles.)

Note that I have carefully avoided saying whether these cycles are followed only once for the development of a device (a waterfall process), or are followed for each component, perhaps repeating once every few weeks (an agile process) or even daily (eXtreme programming).

Given this spectrum of methodologies, I have my personal belief about the end of the spectrum most likely to result in a successful project delivered on-time and on-budget and meeting its safety requirements, but that opinion is irrelevant to this book — the techniques I describe are necessary whatever approach is chosen.

However, one point can be noted from the list above: I have placed a lot more emphasis on design and design verification than on implementation and implementation verification. That is deliberate, and in Chapter 15, I try to justify my claim that the skills required for designing and for implementing are sufficiently diverse that it is unlikely that one person can do both. ISO 26262-2 specifically calls out “heavy dependence on testing at the end of the product development cycle” as an example of a poor safety culture.

Another point emphasized by Figure 1.1 is the crucial role played by the safety case. All of the analyses and decisions made during the project must become elements of the safety case. This essential analysis is described in Chapter 5, starting on page 67.

Today’s Challenges
Although the last two decades have seen a tremendous growth in tools
and techniques that we can apply to the development of safe, embedded
systems, challenges still remain and new ones are emerging.

Security
In the past, many embedded systems were physically secure, being locked in the driver’s cab of a train or behind a locked fence on a shop floor. Today almost every electronic device supports external communications through Wi-Fi, Bluetooth, USB drives, or from GPS satellites, and these channels are all security vulnerabilities.

Safety is interlinked with security — the behavior of an insecure device is effectively unpredictable once a hacker has found a vulnerability. Safety and security are normally antagonistic (increase one at the cost of the other) and this security/safety balance is described on page 101. There are moves to combine safety and security cases; see page 72. However, no general methodology exists yet for combining security and safety issues.

Tools for Balancing Architectural Needs
Chapter 7 describes how a designer needs to balance the availability, reliability, performance, usefulness, security, and safety of a system. These characteristics interact, and a design decision in one area affects all the others. I know of no tools that can help an analyst manipulate these system characteristics and trade them off against one another.

Hardware Error Detection
As described on page 145, processor and memory hardware has become significantly less reliable over the last decade. This is a result of the