Re: What Makes Software Safe? (was Concord Loses #3)

From: (ExpAero)
Organization: America Online, Inc. (1-800-827-6364)
Date:         30 Jun 95 03:47:08 

I can't argue with much of your analysis except in two areas:

1.  As I said in my post, world wide "experts" disagree on this subject.
Since you mention the development of DO-178B (SC-167), a committee of
which I was also a member, you will recall that although there were
several members who wanted to formalize safety credit for N-version
software implementations, the committee as a whole did not agree.
Consequently, under DO-178A, software must be developed to a rigor
appropriate to the consequences of any potential "anomalous behavior" whether
redundant n-version software is used or not.

2.  Your conclusion that n-version software used in three lanes of a
redundant system will always vote out an anomalous result from one lane
while the same system using similar software will not, is perhaps not
totally accurate.  In a system with three lanes of similar software, for a
malfunction not to be voted out, it must occur simultaneously in at least
two of the three lanes.  If those lanes are asynchronous, i.e. operate
independently, and use different data in performing their functions, the
realities of complex system behavior would appear to make simultaneous
functional error very improbable.  This is exactly the logic used in
justifying similar software and hardware in FADEC systems.  The question
then becomes, as you say, is it worth the cost of n-version development to
preclude a risk of very low probability?
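The following simulation is an added illustration of the voting argument in point 2; it is not part of the original post. It models three lanes running the same software that carries one latent defect, a mid-value-select voter of the kind used in triplex control systems, and compares lanes fed identical synchronous data against lanes that each sample independently. The lane function, the defect trigger (a specific input value), the sampling jitter and the error threshold are all constructed assumptions for this example, so the rates it prints characterize this model only, not any real system.

```python
"""Triplex voting with similar software: does one latent defect get voted out?

Added illustration for the discussion above; not from the original post.
Everything below (lane logic, defect model, jitter, thresholds) is constructed.
"""
import random

DEFECT_INPUT = 42          # constructed: the one input value that triggers the latent defect
ERROR_THRESHOLD = 20       # constructed: a voted command further than this from truth is "wrong"


def lane_compute(throttle_sample):
    """One lane of the 'similar software'. Maps an integer throttle sample
    (0..100) to a fuel command. Carries a constructed latent defect: the
    command is doubled when the sample equals DEFECT_INPUT."""
    cmd = throttle_sample * 10
    if throttle_sample == DEFECT_INPUT:
        return cmd * 2      # wrong answer, same in every lane that sees this input
    return cmd


def median_select(outputs):
    """Mid-value select: the middle of three lane outputs. A single wild lane
    is automatically excluded; two agreeing wild lanes carry the vote."""
    return sorted(outputs)[1]


def voted_command(samples):
    """Run all three lanes on their own samples and vote the result."""
    return median_select([lane_compute(s) for s in samples])


def simulate(trials, asynchronous, seed=7):
    """Monte Carlo over random throttle settings.

    asynchronous=False: all three lanes read the identical sample (synchronous,
                        shared data), so a triggered defect hits every lane.
    asynchronous=True:  each lane samples independently and sees the true
                        value plus its own jitter of -1, 0 or +1 (constructed).

    Returns (triggered, undetected): trials in which at least one lane hit the
    defect, and the subset where the voted command was still wrong.
    """
    rng = random.Random(seed)
    triggered = undetected = 0
    for _ in range(trials):
        throttle = rng.randint(0, 100)
        if asynchronous:
            samples = [throttle + rng.choice((-1, 0, 1)) for _ in range(3)]
        else:
            samples = [throttle] * 3
        if any(s == DEFECT_INPUT for s in samples):
            triggered += 1
            if abs(voted_command(samples) - throttle * 10) > ERROR_THRESHOLD:
                undetected += 1
    return triggered, undetected


def undetected_fraction(trials, asynchronous, seed=7):
    """Fraction of defect-triggering trials that slipped through the voter."""
    triggered, undetected = simulate(trials, asynchronous, seed)
    return undetected / triggered if triggered else 0.0


if __name__ == "__main__":
    for label, asynch in (("synchronous, shared data", False),
                          ("asynchronous, independent data", True)):
        trig, undet = simulate(20000, asynch)
        print(f"{label:32s} triggered={trig:5d} undetected={undet:5d} "
              f"fraction={undet / trig:.2f}")
```

With shared synchronous data every triggered defect is masked, because all three lanes agree on the wrong answer and the voter has nothing to vote out. With independent sampling the same defect is outvoted whenever only one lane happens to see the trigger, and passes only when two lanes coincide, which is the "simultaneous in at least two of three lanes" condition the post describes. The residual fraction is set by the jitter model here and is not small; the point of the example is that the reduction comes from lane independence, not from the software being different.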