Re: What Makes Software Safe? (was Concord Loses #3)

From:         Pete Mellor <pm@csr.city.ac.uk>
Date:         17 Jul 95 04:29:28 
References:   1 2

expaero@aol.com (ExpAero) wrote on Fri Jun 30 12:05:30 1995:-

> Consequently,  under DO-178A, software must be developed to a rigor
> appropriate to the consequences any potential "anomalous behavior" whether
> redundant n-version software is used or not.

Is there a typo here? I remember that DO-178A *did* have a get-out
clause in the small print which allowed the manufacturer to claim
that, although a given system might be critical, provided it had
a fault-tolerant design, the *software* in that system need only
be developed to DO-178A Level 2, instead of Level 1 as would normally
be the case.

I seem to remember that this loophole disappeared in version B of DO-178.

Interestingly enough, Airbus tried to argue with the FAA that the software
in the A320 EFCS was only Level 2 on account of the overall fault-tolerant
architecture of the flight control system. (The A320 was certificated
under DO-178A, the A340 and A330 were certificated under DO-178B, even
though the B version had not come into force officially at the time.)

The FAA were not overwhelmed by this argument.

Pete
----
Peter Mellor, Centre for Software Reliability,
City University, Northampton Square, London EC1V 0HB
Tel: +44 (171) 477-8422, Fax.: +44 (171) 477-8585,
E-mail (JANET): p.mellor@csr.city.ac.uk
-----------------------------------------------------------------------------