Re: Boeing 777 - Totally Irresponsible?

Date:         27 Dec 96 13:32:20 
From: (FMCDave)
Organization: AOL
References:   1
Followups:    1

On 12 Dec 96 03:49:23, "Bernie Gracy, Jr." <> wrote:
>The keynote speaker of the 1996 Pacific Northwest Software Quality
>Conference reviewed the 10^9 (ten to the ninth power) problem.  Years of
>testing a PC program are required to believe that it won't fail within a
>week of release.  To meet the FAA standard of 10^9 hours of failure free
>operation would require 100 years of testing assuming that one could
>execute 1 test/sec (there are about 10^7 seconds in a work-year).

>He went on to say that because of the millions of lines of code written
>for the 777 that it would be impossible to test all of the failure
>conditions, and therefore was irresponsible to design and deploy such an
>aircraft.  He vowed never to fly on one...

>How was the 777 tested?  Is it safe?  Or is it "unsafe at any airspeed?"

This keynote speaker demonstrated a basic lack of knowledge as to the
rules governing the certification of aircraft systems with software.  The
much-quoted "10^-9" actually has absolutely nothing to do with software.
He should have researched FAA Advisory Circular AC 25.1309-1A.  The
reliability number is associated with piece-part failures which may
contribute to a Catastrophic failure.  The question of safety by Mr. Gracy
is also really the wrong question.  You cannot "test safety into the
airplane".  Safety is designed into the airplane, and
verification/validation are used to demonstrate that the design handles
all of the potential failures and mitigates their effects.  It is not
possible to completely describe the process, but briefly it includes
Functional Hazard Analysis and Safety Analysis activities which occur well
before the implementation stage.  There are definitive processes defined
for performing those activities, for both hardware and software.  One of the
problems which can occur when looking at this subject is that people tend
to look at the software issue outside of the entire system.  That is an
incorrect view.  If someone is interested in this process, they should
obtain a copy of AC 25.1309-1A and a copy of RTCA document DO178B (or its
companion EUROCAE ED-12B).  Basically, the processes defined in the AC
(and its references) define the process for identifying hazards (and
mitigating the hardware hazards).  The mitigation of failure conditions
which may be induced by software is defined in DO178B.  You might find it
quite interesting.

The bottom line is that aircraft software is not developed to the same
standards as non-safety-related software.  Hardware architecture is used
to mitigate the potential contribution of software to hazards in most
cases, and stringent design/verification/validation methodologies (DO178B)
are used to demonstrate the absence of errors.  I think his lack of
confidence stems from a lack of knowledge.
David Allen
Opinions are mine and not my employer's
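Added example, not part of the original post and not taken from any certification document: the arithmetic behind the two points argued above, namely that a 10^-9 per-flight-hour figure is a probability budget met by architecture (redundant, independent hardware channels) rather than a count of test hours, and that demonstrating such a rate by test alone would take even longer than the keynote's 10^9 hours once a confidence level is attached. Every failure rate, flight duration and channel count is a constructed assumption for illustration, not a figure for the 777 or any other aircraft, and the model (constant failure rates, fully independent channels, loss of function only when every channel fails) is deliberately simple.

```python
# Added illustration (not from the original post): fault-tree arithmetic
# for a "10^-9 per flight hour" Catastrophic failure-condition budget.
# All rates, durations and channel counts are constructed assumptions.
import math

# Order of magnitude commonly associated with "extremely improbable".
CATASTROPHIC_BUDGET_PER_HOUR = 1e-9


def p_fail_during(rate_per_hour: float, exposure_hours: float) -> float:
    """Probability that one item with a constant failure rate fails
    at least once within the exposure interval (exponential model)."""
    return 1.0 - math.exp(-rate_per_hour * exposure_hours)


def p_all_fail(probs) -> float:
    """AND gate: every independent input fails (product of probabilities)."""
    result = 1.0
    for p in probs:
        result *= p
    return result


def p_any_fail(probs) -> float:
    """OR gate: at least one independent input fails (1 - prod(1 - p))."""
    survive = 1.0
    for p in probs:
        survive *= 1.0 - p
    return 1.0 - survive


def system_loss_rate(n_channels: int, channel_rate_per_hour: float,
                     flight_hours: float) -> float:
    """Average per-flight-hour probability of losing all n identical,
    independent channels during one flight of the given length.
    Assumption: the function is lost only when every channel has failed."""
    p_channel = p_fail_during(channel_rate_per_hour, flight_hours)
    return p_all_fail([p_channel] * n_channels) / flight_hours


def meets_budget(rate_per_hour: float,
                 budget: float = CATASTROPHIC_BUDGET_PER_HOUR) -> bool:
    """True when the computed rate is within the per-flight-hour budget."""
    return rate_per_hour <= budget


def hours_to_demonstrate(rate_per_hour: float, confidence: float = 0.9) -> float:
    """Zero-failure test hours needed to claim the true failure rate is at
    most rate_per_hour at the given confidence: T = -ln(1 - c) / lambda."""
    return -math.log(1.0 - confidence) / rate_per_hour


if __name__ == "__main__":
    channel_rate = 1e-5   # constructed: one channel fails 1e-5 times per hour
    flight = 10.0         # constructed: a 10-hour flight
    for n in (1, 2, 3):
        rate = system_loss_rate(n, channel_rate, flight)
        print(f"{n} channel(s): {rate:.3e} per flight hour, "
              f"within budget: {meets_budget(rate)}")
    # Two independent functions whose loss is each Catastrophic contribute
    # to the same budget through an OR gate.
    combined = p_any_fail([system_loss_rate(3, channel_rate, flight) * flight,
                           system_loss_rate(3, 2e-5, flight) * flight]) / flight
    print(f"two independent triplex systems: {combined:.3e} per flight hour")
    print(f"test hours to show 1e-9/hr at 90% confidence with zero failures: "
          f"{hours_to_demonstrate(1e-9):.3e}")
```

With these constructed numbers a single channel misses the budget by four orders of magnitude, a dual channel lands just inside it with essentially no margin, and a triplex architecture sits four orders of magnitude below it; no individual part has to be shown to survive 10^9 hours, which is the point the reply makes about the number belonging to the system safety analysis rather than to software testing.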