I work for a small company developing a complex medical device with a rich UI. We are currently at the early stages of design. The application is targeted for Windows (desktop only) and preferably should be written only in C++.

After some research done we tend to choose Qt to develop the UI. It seems to answer all our needs, namely a modern-looking and highly responsive UI can be developed, the development is rather fast (after getting familiar), memory usage is somehow reasonable, free for commercial use (bonus for us).

My question is: is it reliable enough for a medical device? We absolutely can't accept any crash in the middle of an examination. I understand that first of all it depends of course on the quality of code we write but still I'd like to know if anyone has encountered any mysterious crash-related problems that were particularly hard to resolve. Especially when using QML that is a scripting language and it can naturally result in errors hard to predict and explain.

The cost of encountering such an issue in production will be very high for us, so we extremely need a right decision to be made before we go for any specific package. If you know any other Qt-related problem that could arise in our particular context (I admit that it was impossible to do a very extensive package testing), I'll highly appreciate mentioning it too.

In my opinion Qt is stable enough if you follow their coding style. I would also buy support from Digia and use a stable version of the library.

The thing comes down to:

• evaluating the risks introduced by the usage of Qt (or any other GUI library)
• act defensively against those risks (introduce new requirements and tests that cover the risks, e.g. run the GUI as a separate process that communicates with the core via TCP or whatever)
• evaluate the risk of a crash in the application and document the procedures to be followed when that scenario occurs.

In my experience with the certifications of medical devices, a loud crash of the device is preferable to a silent and erroneous operational one. When in doubt, ask the certification body that is following your case.

Also, have a look at the standards (e.g. 60601-1-4 or whatever is used now).

Usage of Qt in medical apps: http://qt.nokia.com/qt-in-use/qt-in-medical/

I would consider the basic tenets of high-reliability engineering sufficient. With those, you can use Qt. Now, Ambroz Bizjak mentions quite a few "troublesome" scenario's. They're irrelevant, when you follow the basic rules.

So, what are these rules? They're not very hard. Identify the bits that can fail, and do those at times when failure is not critical. For instance, Ambroz has a good point about window deletion. Don't do that in the middle of an examination. Dump the ojects in a defered deletion queue, and make sure they don't interfere with operations (i.e. objects must have a passive state. E.g. for widgets, that includes being invisible). Similarly, create all objects that you might need (including all possible dialog windows) before you start the examination.

You can nicely summarize this as

1. Preparation that can fail
2. Things that may not fail
3. Cleanup that can fail

I would avoid QML for the reasons already mentioned. The scheme above highlights why it's so problematic. You can't move all the suspect QML steps to the preparation phase.

I'm assuming you're not developing a safety-critical device, because you are running Windows and the Windows license agreement has a few things to say about that. So your question is really, "We are making a consumer product that must be as stable as possible or we will look really, really bad".

Personally, I could suggest using C#, because it has excellent tooling under windows and is significantly easier and safer to develop with (Garbage collectors are your friend for stability, if not performance) and slightly more convenient to unit test. Use C++ or C++/CLR for any performance critical sections, but there's no reason to use such a complex and potentially hazardous language for constructing your GUI.

From my expereience with Qt, it is a bad choice when reliability is important. For example, many crashes are caused by seemingly valid code but which did something in some specific context, that some part of Qt did not expect. Here I list some problems I've encountered with Qt regarding writing correct code:

• Deleting QObjects (read: anything) is a very painful procedure. If you delete it from a signal being emitted by this object (read: half of the time), your program will likely crash, because the code emitting the signal will not care to check if the object still exists after you signal handler returns and may continue using it.

• If you look more closely, the suggested workaround is to use QObject::deleteLater() which will make the event loop delete the object sometime, when it's safe. While this may seem acceptable, consider that during that time the object still exists and can emit signals. This introduces unnecessary intermediate states, which you have to handle, and this will introduce bugs; likely ones that happen rarely and in very specific circumstances (read: not while you're testing it). Anyway, this page discusses some problems with QObject deletion.

• Other classes in Qt have similar deletion-related problems. For example, QGraphicsScene::removeItem() may cause a crash if you remove the item from its scene (not delete it) within its mousePressEvent handler. And this does not seem to be documented anywhere.

• Qt classes are full of convenience features mixed with the core set of features, making it hard to figure out how the class actually works and how to properly use it. For example, QProcess, beside the stateChanged() signal which is the only one needed, has signals like error(), finished() and started(), whose semantics and proper handling is not entirely clear.

• Many abstract interfaces are badly designed and poorly defined. For example the class QIODevice is used for both reading and writing and both blocking and asynchronous I/O. A class is free to chose which subset of this to implement. This violates the whole idea of abstract interfaces, which is that anything that implements the interface works in a defined and consistent way.

• There is no really good and uniform way to handle events. There are two kinds of events in Qt: QEvents, for which callbacks are installed by reimplementing virtual functions, and signals. Why? Anyway, both kinds of events are in the end just about calling functions (directly, forget about queued signals here). This means that various modules, can only communicate by calling each other's functions. As has been seen, this is problematic because when a module calls another module, that other module could really have done anything, and it may be hard to consider all possible scenarios at every callback site (as we've seen, Qt doesn't, and instead crashes).

  This problem can be completely solved by adding a feature to the event loop which allows for much easier communication and synchronization across modules. I describe this design in this question.

To sum up, when aiming for maximum reliability, you do not want such design issues in the framework you base the program on, and you do not want to workaround problems with it on almost every step. Even if you properly work around all problems you could think of, how do you know there aren't more? I think you should just try writing some completely correct code in Qt (that is, read all the documentation, and think on every step what you're doing and how the framework will react). After some time, ask yourself: do you trust the framework, or do you feel like it's trying to trick you?