PPRuNe Forums - View Single Post - Chinook - Still Hitting Back 3 (Merged)
Old 14th Apr 2010, 21:56
#6309
engpil
Join Date: Apr 2010
Location: Near Seattle
Posts: 1
Software effects

This correspondence has concentrated on whether the pilots made an error, and on whether the Air Marshals and consequently the Ministers made a different kind of error in condemning the pilots.

I believe the more significant factor is that few people understand software failure behaviour.

(1) All software, like hardware, contains design errors, which can become failures when the software/hardware is run.

(2) When software commits a failure, it is usually impossible to find it by running the software under some "test conditions". One reason for this is that when the software is re-initialised or the equipment switched off and on again, you now have, in effect, as-new software with no evidence of the failure. Those who are not educated in software then say "There you are, no fault". This occurs quite widely (and is probably relevant to Toyota's present problems). Even the senior avionics officer at the CAA a few years ago claimed that the lack of maintenance reports blaming software showed that there was no significant software problem.

(3) There is no in-service built-in test that can identify a fault as caused by software rather than hardware.

(4) Published papers have suggested that, variously, 50% to 80% of software failure modes never recur.

(5) Any software running a safety-related function should therefore not be assumed to be fault free even if the fault cannot be reproduced.

(6) These conditions make it easy for the suppliers of the software to disclaim responsibility, since proof is difficult.

(7) Since few people of senior rank in any organisation understand this, they are easily led to blame other causes for mishaps.

(8) There are ways to compensate for the inevitable software failures, but they mean spending more. (One of those methods is thorough logical and functional analysis, such as is done by Praxis, for example). Standby redundancy may also be needed, as is used in the Space Shuttle guidance, navigation and control computing.