November 27, 2016
On 26/11/16 07:50, Walter Bright wrote:

> I'd like to know what really happened with the code.
>
> But as someone who has worked on flight critical systems for airliners,
> the designs are required to account for any single failure of anything.
> That means all inputs must be validated for "reasonableness", and the
> same for outputs. If any of this is outside reasonable bounds, there
> must be failover to a backup method.
>

My experience is slightly different. More accurately, I think your experience is too narrow.

Yes, civilian aviation code gets a very high level of scrutiny. Numbers I've heard range from a 1:9 to a 1:18 ratio between resources spent writing the code and resources spent testing it. Code is written to extremely high standards that relate to the level of dependency flight safety has on the code.

So, code actually flying the aircraft > code used to display flight critical information to the pilot > code used to display information the pilot may depend on > code used to display generic information.

That last category, BTW, may run Windows and off the shelf applications.

So that part corroborates Walter's story, BUT

THIS ONLY APPLIES TO CIVILIAN AIRCRAFT

This level of standard does not apply to:
* Military aircraft
* Spaceships
* Auto car industry
* Medical equipment
I'm sure there's more

Even drones, until fairly recently (around 2008), were completely unregulated. I'm talking about huge unmanned flying platforms, some as big as four seat airplanes.

In some of those fields, things aren't as bad as that. The car industry is slowly getting better. High financial stakes in the space field cause caution. The military aviation field is done by much of the same players as the civilian aviation, and thus some care is carried over.

As far as regulations go, however, we're screwed.

Shachar
November 27, 2016
I can confirm. I know some people in the car industry, and that software falls into the same bucket as law and sausage: you don't want to know how it's done.
November 27, 2016
On Sunday, 27 November 2016 at 05:43:11 UTC, Shachar Shemesh wrote:
> On 26/11/16 07:50, Walter Bright wrote:
>
>> I'd like to know what really happened with the code.
>>
>> But as someone who has worked on flight critical systems for airliners,
>> the designs are required to account for any single failure of anything.
>> That means all inputs must be validated for "reasonableness", and the
>> same for outputs. If any of this is outside reasonable bounds, there
>> must be failover to a backup method.
>>
>
> My experience is slightly different. More accurately, I think your experience is too narrow.
>
> Yes, civilian aviation code gets a very high level of scrutiny. Numbers I've heard range from a 1:9 to a 1:18 ratio between resources spent writing the code and resources spent testing it. Code is written to extremely high standards that relate to the level of dependency flight safety has on the code.
>
> So, code actually flying the aircraft > code used to display flight critical information to the pilot > code used to display information the pilot may depend on > code used to display generic information.
>
> That last category, BTW, may run Windows and off the shelf applications.
>
> So that part corroborates Walter's story, BUT
>
> THIS ONLY APPLIES TO CIVILIAN AIRCRAFT
>
> This level of standard does not apply to:
> * Military aircraft
> * Spaceships
> * Auto car industry
> * Medical equipment
> I'm sure there's more
>
> Even drones, until fairly recently (around 2008), were completely unregulated. I'm talking about huge unmanned flying platforms, some as big as four seat airplanes.
>
> In some of those fields, things aren't as bad as that. The car industry is slowly getting better. High financial stakes in the space field cause caution. The military aviation field is done by much of the same players as the civilian aviation, and thus some care is carried over.
>
> As far as regulations go, however, we're screwed.
>
> Shachar

My real-world experience differs from yours, but probably it comes down to the organisation you're with and, for larger companies, even which group. I've worked in military aviation, commercial drones for mining and exploration (not military), and medical devices, and it was all heavily regulated software. I haven't come across too many cowboy outfits. I cannot speak for the other industries you mention, such as automotive.

The problem we face today in medical is not the lack of scrutiny and regulation but that regulations have not caught up with the security issues. The latest FDA guidelines address this somewhat for pre- and post-market devices, but there are many devices out there running a full Linux with nothing more than SSH disabled. The majority will still have a root user account and probably even enable root over the serial console.

bye,
lobo

November 27, 2016
On Sunday, 27 November 2016 at 05:43:11 UTC, Shachar Shemesh wrote:
> THIS ONLY APPLIES TO CIVILIAN AIRCRAFT
>
> This level of standard does not apply to:
> * Military aircraft
> * Spaceships
> * Auto car industry
> * Medical equipment
> I'm sure there's more

With them pushing self-driving cars, if that gets off the ground we will be having a lot of accidents. Some will inevitably be due to overflows or misinformation from Google servers.
November 27, 2016
On 11/27/2016 1:21 PM, Era Scarecrow wrote:
>  With them pushing self-driving cars, if that gets off the ground we will be
> having a lot of accidents. Some will inevitably be due to overflows,
> misinformation from Google servers.

Frankly, Google needs to hire some engineers from the aviation industry, who know how to do these sorts of things. From the accounts of how the Toyota car computers were set up, they have no idea how to do it.
November 28, 2016
On Friday, 25 November 2016 at 17:06:14 UTC, Patrick Schluter wrote:
> This accident also gave Bertrand Meyer (Eiffel) a lot of wind for his sails about design by contract:
> https://archive.eiffel.com/doc/manuals/technology/contract/ariane/
> In that context it might even be interesting for the D language, as it is one of the few languages that have (inbuilt) contracts.

The mistake was that the hardware was upgraded but the software and tests weren't; contracts wouldn't help unless it was SPARK.
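An added illustration (my own, not code from the thread or from the D project) of the approach Walter describes, written with D's built-in contracts: the `in`/`out` clauses reject unreasonable values at runtime, and a separate wrapper carries the explicit failover to a backup channel. The range limit, the 16-bit scaling and the channel values are constructed for the example; note that `dmd -release` compiles contracts away, which is why the wrapper repeats the check explicitly.

```d
// Added illustration, not code from the thread: runtime "reasonableness"
// checks with D contracts, plus an explicit failover path.
import std.exception : assertThrown;
import core.exception : AssertError;

/// Constructed limit: readings are only trusted inside this band.
enum double MAX_REASONABLE = 1000.0;

/// Convert a reading to a 16-bit fixed-point value.
/// The `in` contract rejects inputs that would not fit a short;
/// the `out` contract checks the produced value as well.
short toFixed16(double v)
in (v >= -MAX_REASONABLE && v <= MAX_REASONABLE, "input outside reasonable range")
out (r; r >= -32_000 && r <= 32_000, "output outside expected range")
{
    return cast(short)(v * 32);   // scale so +-1000 maps to +-32000
}

/// Result of a conversion, recording whether the backup channel was used.
struct Converted
{
    short value;
    bool fromBackup;
}

/// Validate explicitly rather than relying on contracts alone: `dmd -release`
/// removes `in`/`out` blocks, so a release build keeps only these checks.
Converted convertWithFailover(double primary, double backup)
{
    if (primary >= -MAX_REASONABLE && primary <= MAX_REASONABLE)
        return Converted(toFixed16(primary), false);
    if (backup >= -MAX_REASONABLE && backup <= MAX_REASONABLE)
        return Converted(toFixed16(backup), true);
    // Both channels unreasonable: fail loudly instead of emitting a
    // silently wrapped 16-bit value.
    throw new Exception("no trustworthy input channel");
}

unittest
{
    assert(convertWithFailover(10.0, 0.0) == Converted(320, false));
    assert(convertWithFailover(5000.0, 10.0) == Converted(320, true));
    assertThrown!Exception(convertWithFailover(5000.0, -5000.0));
    assertThrown!AssertError(toFixed16(5000.0));   // contract violation
}

void main() {}   // run the checks with: dmd -unittest -run contracts.d
```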