
BIOMEDevice Boston 2019 Schedule Viewer



Avoiding Unsafe & Insecure Complex Software

Jay Thomas (Director, Field Engineering, LDRA)

Location: 107B

Date: Thursday, May 16

Time: 3:15pm - 4:00pm

Track: ESC Boston, Track B: Embedded Software Design & Verification

Vault Recording: TBD

In everyday language, the words "complex" and "complicated" are synonymous. A complex cake recipe is complicated. But in development circles, software complexity is more specifically concerned with the extent to which a system is difficult to comprehend, modify and test, and not the complication inherent in the function it is designed to fulfil. Two systems equivalent in functionality can therefore differ greatly in their software complexity. And the more complex the code, the more difficult it is to understand, test and maintain, and the more likely it is that problems will arise.

The learned committees responsible for functional safety and security standards are unanimous in their distaste for complexity. For example, IEC 61508 and its derivatives include clauses related to Low Complexity Software, and require that evidence of low complexity is presented as part of the certification process. From a security perspective, one of SEI CERT's "top 10" secure coding practices is to "keep it simple" and hence avoid complexity.

This presentation will discuss why the avoidance of complexity features so highly in the standards, how it is enumerated, and how it can be minimized. It will contend that metrics such as McCabe's cyclomatic complexity need to be considered in the context of the application itself; more as a comparator than an absolute measure. And it will argue that mission-critical application or not, complexity is a "bad thing" and something to be avoided.


Attendees will learn to differentiate between necessary complexity and complexity introduced as a result of poor coding style. They will understand why that differentiation matters, and how metrics can be applied to quantify it.