PPRuNe Forums - View Single Post - FADEC failure
Thread: FADEC failure
Old 16th Jun 2010, 05:45
#24
PBL
 
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
Originally Posted by lomapaseo
Of course I wouldn't pay for it if I can already convince the regulators that what I already offer is extremely improbable to screw up.

The numbers don't lie
Two points.

First, no one has "convinced the regulators" with any numbers that FADEC SW is "extremely improbable to screw up". "Extremely improbable" is a technical term in certification and is taken to be a probability less than or equal to 10^(-9) per operational hour. The highest you can validate through testing, practically, is O(10^(-5)) per op hour, four orders of magnitude too coarse.

This is of course known (although not as well known as it should be). The reliability requirements in certification only apply to HW. DO178B is a "process standard", not a "product standard". It doesn't specify quality of product, but only what steps shall be taken during a development process. It doesn't look as if DO178C will be much different in this regard.

The issue of how one can validate HW-run-by-SW to a high-reliability level when one does not - cannot - validate the SW to anything like that level is a contradiction which people working in the industry just have to ignore. There are even quite a few people working actively on the standards who don't understand the contradiction, let alone take it seriously. It's quite a problem.

Second, you missed my point. Developing a verification suite for any piece of used SW of that size is the Holy Grail for the critical-SW industry, and that is what I described. There is no doubt that a major engine manufacturer would be prepared to fork out such sums of money for a guaranteed solution to the SW verification problem. They have already forked out many times this amount in very partial work along these lines which they believe is somewhat helpful.

But solving the SW verification problem won't solve everything. It won't solve the Byzantine problems described by Driscoll et al. Things won't be perfect, even if the code is guaranteed to be so semantically.

PBL

Last edited by PBL; 16th Jun 2010 at 06:11. Reason: To elaborate on "extremely improbable"
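As an added worked example (not part of PBL's post or of any certification document), the following Python puts numbers on the "four orders of magnitude" claim above. It uses the standard zero-failure statistical-testing argument: if failures are modelled as a Poisson process with unknown rate lambda, the probability of seeing no failure in T operationally representative test hours is exp(-lambda*T), so T failure-free hours bound lambda below -ln(1-C)/T at confidence C. The 95% confidence level and the test-campaign figures are assumptions chosen for illustration; the model also assumes that test inputs are independent and statistically representative of operation, which is exactly the assumption that is hardest to justify for software.

```python
import math

HOURS_PER_YEAR = 24 * 365


def hours_to_demonstrate(rate_per_hour: float, confidence: float = 0.95) -> float:
    """Failure-free test hours T needed so that observing zero failures
    bounds the true failure rate below rate_per_hour at the given confidence.

    Model (assumed): failures form a Poisson process, so
    P(0 failures in T hours | rate) = exp(-rate * T).
    Requiring that probability to be <= 1 - confidence gives
    T >= -ln(1 - confidence) / rate.
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    if rate_per_hour <= 0.0:
        raise ValueError("rate_per_hour must be positive")
    return -math.log(1.0 - confidence) / rate_per_hour


def demonstrable_rate(test_hours: float, confidence: float = 0.95) -> float:
    """Inverse of hours_to_demonstrate: the tightest failure-rate bound that
    test_hours of failure-free testing can support at the given confidence.
    """
    if test_hours <= 0.0:
        raise ValueError("test_hours must be positive")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    return -math.log(1.0 - confidence) / test_hours


def campaign_hours(rigs: int, hours_per_rig_per_year: float, years: float) -> float:
    """Total test hours accumulated by a campaign of parallel test rigs.
    Parallel rigs only help if their runs are independent samples of the
    operational input distribution, an assumption made explicit here.
    """
    return rigs * hours_per_rig_per_year * years


def orders_of_magnitude_gap(target_rate: float, demonstrated_rate: float) -> int:
    """How many powers of ten separate what was shown from what is required.
    Positive means the demonstrated bound is too coarse for the target.
    """
    return round(math.log10(demonstrated_rate / target_rate))


def main() -> None:
    target = 1e-9          # "extremely improbable", per operational hour
    practical = 1e-5       # roughly what testing can support, per the post

    t_target = hours_to_demonstrate(target)
    t_practical = hours_to_demonstrate(practical)
    print(f"10^-9 at 95%: {t_target:.3g} h  ({t_target / HOURS_PER_YEAR:,.0f} years of failure-free test)")
    print(f"10^-5 at 95%: {t_practical:.3g} h  ({t_practical / HOURS_PER_YEAR:,.1f} years of failure-free test)")

    # Assumed campaign: 10 rigs, 8000 h/year each, 4 years, no failures seen.
    hours = campaign_hours(rigs=10, hours_per_rig_per_year=8000, years=4)
    bound = demonstrable_rate(hours)
    print(f"{hours:,.0f} failure-free campaign hours support only ~{bound:.1e} per hour")
    print(f"gap to target: {orders_of_magnitude_gap(target, practical)} orders of magnitude")


if __name__ == "__main__":
    main()
```

Note what the arithmetic does not do: it says nothing about correctness, only about an upper bound on an assumed random failure rate, and it ignores that a deterministic software fault hit by one input class will be hit every time that class recurs. That is the gap between a process standard and a product claim that the post is describing.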