life critical software

Walter Bright bright at Data-IO.COM
Thu Feb 2 07:57:02 AEST 1989


In article <286 at proton.UUCP> proton!nusbaum at ucrmath.ucr.edu (R. James Nusbaum) writes:
>Does anyone have any thoughts on the use of gcc (a relatively new
>compiler as compilers go) vs. using Sun's C compiler in a medical
>software project where software failure could cause loss of life?

If your software fails, and causes loss of life, even if a particular bug
in a compiler caused the problem, it is YOUR fault. All life critical
software must be exhaustively and thoroughly tested. All life critical
software must have a backup system.

I worked for Boeing designing flight control systems. Since a failure meant
we'd be picking bodies out of the mud, all software and electronics were
considered to be inhabited by demons. This meant that all computer systems
were assumed to be capable of doing the pathologically wrong thing at the
wrong time, and so the system had to be designed so that this wouldn't
cause an accident.

A typical approach for software would be to have two parallel systems.
Each system used a different microprocessor, a different algorithm,
a different language, and different programmers. The two systems
had to always agree, or they were automatically shut down. Also, the
pilot was always able to override them. Boeing airplanes are a marvel
of safety and reliability as a result of such attention to detail.

I've worked in software for too long to risk my life on a single piece
of software not having any bugs in it. Face it, compilers have bugs
in them, and your software has bugs in it, and you don't bet lives on
either.
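The dual-channel arrangement the post describes (two independently written implementations that must agree or the system shuts itself down, with a manual override always available) can be modelled in a few dozen lines. The following is an added example, not code from the post or from Boeing; the proportional control law, the `DualChannelController` class, the tolerance value and the deliberately broken channel used to show the comparator tripping are all constructed for illustration.

```python
"""Added example: a two-channel comparator with fail-stop and operator override.

Models the design the post describes: each channel is assumed capable of doing
the pathologically wrong thing, so its output is never trusted alone. A command
is passed through only when both channels agree; any disagreement or fault
latches the controller into SHUTDOWN, and only the operator can take over.
Hypothetical code, not from the post or from Boeing.
"""
import math
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional


class State(Enum):
    ACTIVE = "active"        # both channels agree; automatic command passed through
    SHUTDOWN = "shutdown"    # channels disagreed or faulted; automatic output inhibited
    MANUAL = "manual"        # operator override in force


@dataclass(frozen=True)
class Decision:
    state: State
    output: Optional[float]  # None whenever the automatic output is inhibited
    reason: str


# A channel maps (target, actual) to a command. Two implementations below are
# written differently on purpose, as the post's "different algorithm" rule asks.
Channel = Callable[[float, float], float]


def channel_float(target: float, actual: float) -> float:
    """Channel A: proportional control law in floating point (constructed)."""
    return 0.5 * (target - actual)


def channel_fixed(target: float, actual: float) -> float:
    """Channel B: the same law, independently written in scaled integer
    arithmetic (three decimal places) and converted back (constructed)."""
    t = round(target * 1000)
    a = round(actual * 1000)
    return ((t - a) // 2) / 1000


def channel_with_bug(target: float, actual: float) -> float:
    """A constructed faulty channel (sign error) standing in for a code or
    compiler bug, used only to show the comparator tripping."""
    return 0.5 * (target + actual)


class DualChannelController:
    """Runs two channels in lockstep; passes a command only when they agree."""

    def __init__(self, channel_a: Channel, channel_b: Channel, tolerance: float):
        self.channel_a = channel_a
        self.channel_b = channel_b
        self.tolerance = tolerance
        self.state = State.ACTIVE
        self.manual_command: Optional[float] = None

    def operator_override(self, command: float) -> None:
        """The operator can always take over, whatever state the automation is in."""
        self.state = State.MANUAL
        self.manual_command = command

    def step(self, target: float, actual: float) -> Decision:
        if self.state is State.MANUAL:
            return Decision(State.MANUAL, self.manual_command, "operator override")
        if self.state is State.SHUTDOWN:
            return Decision(State.SHUTDOWN, None, "latched shutdown; automatic output inhibited")
        # Either channel may raise; that is treated as disagreement, not ignored.
        try:
            a = self.channel_a(target, actual)
            b = self.channel_b(target, actual)
        except Exception as exc:
            self.state = State.SHUTDOWN
            return Decision(State.SHUTDOWN, None, f"channel fault: {exc!r}")
        if not (math.isfinite(a) and math.isfinite(b)) or abs(a - b) > self.tolerance:
            self.state = State.SHUTDOWN
            return Decision(State.SHUTDOWN, None, f"channels disagree: {a} vs {b}")
        return Decision(State.ACTIVE, a, "channels agree")


def run_demo() -> List[Decision]:
    """Healthy pair agrees; a buggy pair trips, stays tripped, then is overridden."""
    good = DualChannelController(channel_float, channel_fixed, tolerance=0.01)
    bad = DualChannelController(channel_float, channel_with_bug, tolerance=0.01)
    out = [good.step(10.0, 4.0), bad.step(10.0, 4.0), bad.step(10.0, 10.0)]
    bad.operator_override(1.5)
    out.append(bad.step(10.0, 4.0))
    return out


if __name__ == "__main__":
    for d in run_demo():
        print(d.state.value, d.output, d.reason)
```

The comparator never tries to decide which channel is right; with only two channels there is no majority, so the only safe automatic action on disagreement is to stop and hand control to the operator, which is exactly the behaviour the post attributes to the flight control systems.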
