From: firstname.lastname@example.org (ExpAero) Organization: America Online, Inc. (1-800-827-6364) Date: 30 Jun 95 03:47:08 References: 1 Followups: 1
I can't argue with much of your analysis except in two areas:

1. As I said in my post, world wide "experts" disagree on this subject. Since you mention the development of DO-178B (SC-167), a committee of which I was also a member, you will recall that although there were several members who wanted to formalize safety credit for N-version software implementations, the committee as a whole did not agree. Consequently, under DO-178A, software must be developed to a rigor appropriate to the consequences of any potential "anomalous behavior," whether redundant n-version software is used or not.

2. Your conclusion that n-version software used in three lanes of a redundant system will always vote out an anomalous result from one lane, while the same system using similar software will not, is perhaps not totally accurate. In a system with three lanes of similar software, for a malfunction not to be voted out, it must occur simultaneously in at least two of the three lanes. If those lanes are asynchronous, i.e. operate independently, and use different data in performing their functions, the realities of complex system behavior would appear to make simultaneous functional error very improbable. This is exactly the logic used in justifying similar software and hardware in FADEC systems. The question then becomes, as you say, is it worth the cost of n-version development to preclude a risk of very low probability?