IO540

I don't think you do software either!

In the real world, programmers come from the same "school" where they learnt the same algorithms, they read the same internet programmer forums, they pick up bits of the same open-source source code, lift the same algorithms off the internet, they make the same mistakes generally (stray pointers etc etc etc), so while having three different teams write some code to the same overall spec will protect against a lot of problems, it will fall far short of protecting against all.

And in many ways, the overall system spec will plant the seeds for the three teams making the same mistake in the same place.

I've been doing hardware/software for 30 years. One can get it damn good, and trivial bits of software can be made totally (and provably) reliable, but as soon as it departs from being trivial, the reliability is no longer assured, and can no longer be proven. One can still make it damn good if one is really careful, even to the extent where no customer ever finds a bug over say 10 years in a 24/7 industrial application, and I have achieved that with a number of products, even writing in assembler, but you still never really "know" what is around the corner - because most usage patterns are similar and test only a small part of the functionality.

The other thing is that the "box" which compares the outputs of the three systems will be the new single point of failure...

I have read the entire BA038 thread, and the intermediate AAIB reports, and yes I agree it doesn't look like a control system issue because the fuel control valves were found to be fully open. Plus the cavitation damage, etc.

But I wonder how reliable is the position encoder / data acquisition on the fuel control valve. Sensors can and do fail. OK, one would not get two failing on both engines at the same time, but there is an awful lot of software between those sensors and the recorded data on the valve positions. Many millions of instructions executed to collect and store that data.