5206, you asked:
What are we going to say when C-130J/Merlin/JSF/Typhoon/Apache crash because of a software error that can't be traced but the safety case is weak?
The short answer I suppose is that it may be very difficult to conclusively prove a software fault was to blame.
Many years ago I discussed a project to look at 'instrumenting' real time critical software systems to aid post incident investigation. It would in theory I believe be possible to do, however, in practice there are significant issues to contend with, e.g. timing overheads, increased complexity etc.
As to the safety case being weak: A standard approach to improving integrity in critical systems is design and development diversity, for example the FCS architectures in modern airliners. Now have a look at the avionics and flight control architectures of some of the aircraft cited above: multiple lanes of identical hardware, catering for random hardware failure. Unfortunately often running identical software which will fail systematically. Have a look at Ariane 501 for a good example of what can happen. So in these situations, are the safety cases already weakened?
Safety_Helmut
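The two points in the post above, that redundant lanes running identical software fail together on the same input while diverse implementations do not, and that a small per-lane trace buffer helps post-incident investigation, can be shown in a toy simulation. This is an added example, not code from the post's author or from any aircraft or launcher software; the 16-bit conversion fault is modelled loosely on the Ariane 501 operand error, and the lane, voter and input values are constructed for illustration.

```python
"""Constructed simulation: common-mode failure of identical redundant lanes
versus diverse lanes, with a per-lane trace ring buffer for investigation.
Not real flight software; the overflow fault is loosely modelled on Ariane 501."""
from collections import deque
from typing import Callable, Deque, Dict, List, Optional, Tuple

INT16_MAX = 32767
INT16_MIN = -32768


class LaneFault(Exception):
    """Raised when a lane's software hits an unhandled error and shuts down."""


def convert_narrow(value: float) -> int:
    """Lane software A: convert to a signed 16-bit integer and shut the lane
    down on overflow (an unhandled operand error, as in Ariane 501)."""
    scaled = int(value)
    if scaled > INT16_MAX or scaled < INT16_MIN:
        raise LaneFault(f"16-bit overflow converting {value}")
    return scaled


def convert_wide(value: float) -> int:
    """Lane software B (independently developed): 32-bit range, saturating.
    Same requirement, different implementation, so no shared overflow bug."""
    scaled = int(value)
    return max(-2 ** 31, min(2 ** 31 - 1, scaled))


class Lane:
    """One redundant computing lane with a small 'black box' trace buffer."""

    def __init__(self, name: str, software: Callable[[float], int], trace_depth: int = 8):
        self.name = name
        self.software = software
        self.healthy = True
        # Ring buffer of (input, output-or-fault): the instrumentation the
        # post mentions, kept tiny to limit timing and memory overhead.
        self.trace: Deque[Tuple[float, object]] = deque(maxlen=trace_depth)

    def step(self, value: float) -> Optional[int]:
        if not self.healthy:
            return None
        try:
            out = self.software(value)
            self.trace.append((value, out))
            return out
        except LaneFault as exc:
            self.trace.append((value, f"FAULT: {exc}"))
            self.healthy = False  # lane shuts itself down, as the SRIs did
            return None


def vote(outputs: List[Optional[int]]) -> Optional[int]:
    """Median of the healthy lanes' outputs; None when no lane is healthy."""
    valid = sorted(o for o in outputs if o is not None)
    if not valid:
        return None
    return valid[len(valid) // 2]


def fly(lanes: List[Lane], inputs: List[float]) -> Tuple[str, int, List[int]]:
    """Run the input sequence through all lanes and the voter.
    Returns (status, steps_completed, voted_outputs)."""
    history: List[int] = []
    for i, value in enumerate(inputs):
        voted = vote([lane.step(value) for lane in lanes])
        if voted is None:
            return "loss_of_control", i, history
        history.append(voted)
    return "ok", len(inputs), history


def incident_report(lanes: List[Lane]) -> Dict[str, List[Tuple[float, object]]]:
    """What an investigator would pull from each lane's trace buffer."""
    return {lane.name: list(lane.trace) for lane in lanes}


# Constructed input: a value that exceeds the 16-bit range on the third step.
FLIGHT_PROFILE = [100.0, 20000.0, 40000.0]


def identical_lanes() -> List[Lane]:
    return [Lane("A1", convert_narrow), Lane("A2", convert_narrow)]


def diverse_lanes() -> List[Lane]:
    return [Lane("A", convert_narrow), Lane("B", convert_wide)]


if __name__ == "__main__":
    same = identical_lanes()
    print("identical software:", fly(same, FLIGHT_PROFILE))
    print("traces:", incident_report(same))
    print("diverse software:  ", fly(diverse_lanes(), FLIGHT_PROFILE))
```

With two identical lanes the voter is left with nothing at the third step: the hardware redundancy covered a random failure of one lane, but both lanes hit the same systematic software fault on the same input. With a diverse second implementation one lane survives and the voter keeps producing an output. The trace buffers are what lets an investigator see, after the event, which input each lane saw and where it shut down.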