Re: What Makes Software Safe? (was Concord Loses #3)

From:         Pete Mellor <>
Date:         17 Jul 95 04:29:28 
References:   1 2
(ExpAero) wrote on Fri Jun 30 12:05:30 1995:-

> Consequently, under DO-178A, software must be developed to a rigor
> appropriate to the consequences of any potential "anomalous behavior", whether
> redundant n-version software is used or not.

Is there a typo here? I remember that DO-178A *did* have a get-out
clause in the small print which allowed the manufacturer to claim
that, although a given system might be critical, provided it had
a fault-tolerant design, the *software* in that system need only
be developed to DO-178A Level 2, instead of Level 1 as would normally
be the case.

I seem to remember that this loophole disappeared in version B of DO-178.

Interestingly enough, Airbus tried to argue with the FAA that the software
in the A320 EFCS was only Level 2 on account of the overall fault-tolerant
architecture of the flight control system. (The A320 was certificated
under DO-178A, the A340 and A330 were certificated under DO-178B, even
though the B version had not come into force officially at the time.)

The FAA were not overwhelmed by this argument.

Peter Mellor, Centre for Software Reliability,
City University, Northampton Square, London EC1V 0HB
Tel: +44 (171) 477-8422, Fax.: +44 (171) 477-8585,
E-mail (JANET):