
Comment by goblin89

6 years ago

Bug-free software of any complexity is at the very least exceedingly improbable, so there is always a tradeoff to be made and a lesser evil to be chosen.

Aircraft firmware requiring mandatory reboots in alignment with maintenance schedule, but working reliably otherwise, inspires more confidence than firmware advertised to run bug-free forever.

Aren't Ada and similar languages designed for safety critical cases like this?

When lives are on the line software should be tested for reliability beyond 51 days. Having to restart is a symptom of reckless disregard for safety IMO.

  • When lives are on the line software should be tested for reliability beyond 51 days.

    Avionics software is written in a world of verifiable requirements.

    For how many days should the software be required to operate?

    Is it acceptable to add that many [more] days to the software verification schedule in order to verifiably demonstrate that it works according to requirements?

    Why is 51 days not long enough?

    • Taking a plane from design to commercial delivery takes years. I'm sure they can spare 2-3 months to do some long running tests. Especially if those can run in parallel with other fit-and-finish work unrelated to software.


  • I’d be more alarmed about the fact that the FAA had to issue a directive to deal with this situation. Either Boeing did not include the reboot in operation or maintenance procedures, or operators did not follow those procedures.

    The requirement of a reboot on its own, though, would not strike me as a blatant disregard for safety, as long as the period between reboots is long enough to exceed the maximum possible length of flight (taking any emergencies into account) with leeway to spare.

    • I wonder how many days before you hit 51 is the cutoff where planes need to be grounded - obviously a continuous 51-day flight can't happen without a lot of fancy stuff going on that doesn't apply to the 787, but let's say you're at 49.2 days and considering a 0.6-day flight: is that allowed, or is 0.2 days within the expected probable variance of your flight time? What if it's closer?

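The dispatch rule sketched in the two comments above (the interval between reboots must exceed the longest flight the aircraft could possibly make, with leeway to spare) and the "how close to 51 days is too close" question, worked through as an added Python example. This is illustration code written for this page, not Boeing or FAA procedure: the 51-day figure is the one the thread quotes, and the diversion reserve, holding time and leeway inputs are hypothetical parameters chosen to show the boundary case (49.2 days of uptime plus a 0.6-day flight).

```python
"""Dispatch check against a fixed reboot interval.

Illustration for the thread above, not an airline or manufacturer procedure.
The 51-day limit is the figure the thread quotes; every other input
(diversion reserve, holding, leeway) is a hypothetical parameter.
"""
from dataclasses import dataclass
from datetime import timedelta

# Reboot interval the thread refers to (assumed value, from the discussion).
REBOOT_LIMIT = timedelta(days=51)


@dataclass(frozen=True)
class DispatchDecision:
    allowed: bool
    worst_case_uptime: timedelta   # system uptime at landing, worst case
    margin: timedelta              # limit minus worst-case uptime (negative = over)
    reason: str


def worst_case_flight_time(planned: timedelta, diversion_reserve: timedelta,
                           holding: timedelta) -> timedelta:
    """Longest the aircraft could plausibly stay airborne on this flight.

    Planned block time plus a diversion reserve plus holding: the
    "taking any emergencies into account" part of the rule. The reserve and
    holding figures are whatever the operator's own procedure says; here they
    are just inputs.
    """
    return planned + diversion_reserve + holding


def dispatch_decision(uptime_at_departure: timedelta, planned: timedelta,
                      diversion_reserve: timedelta, holding: timedelta,
                      leeway: timedelta,
                      limit: timedelta = REBOOT_LIMIT) -> DispatchDecision:
    """Decide whether the flight may depart without a reboot first.

    The flight is allowed when, even in the worst case, the system lands
    with at least `leeway` of the reboot interval still unused. A margin
    exactly equal to the leeway is treated as acceptable (boundary inclusive).
    """
    worst_case = uptime_at_departure + worst_case_flight_time(
        planned, diversion_reserve, holding)
    margin = limit - worst_case
    if margin < leeway:
        return DispatchDecision(
            False, worst_case, margin,
            "reboot required before departure: worst-case uptime at landing "
            f"leaves {margin} of the {limit} interval, less than leeway {leeway}")
    return DispatchDecision(
        True, worst_case, margin,
        f"ok: {margin} of the {limit} interval remains in the worst case")


def latest_dispatch_uptime(planned: timedelta, diversion_reserve: timedelta,
                           holding: timedelta, leeway: timedelta,
                           limit: timedelta = REBOOT_LIMIT) -> timedelta:
    """The cutoff asked about above: the highest uptime at which this flight
    can still be dispatched. Beyond it the aircraft is rebooted on the ground
    (or stays there)."""
    return limit - leeway - worst_case_flight_time(planned, diversion_reserve,
                                                   holding)


if __name__ == "__main__":
    # The scenario from the thread: 49.2 days up, 0.6-day flight, plus a
    # hypothetical 0.2-day diversion reserve and one day of leeway.
    d = dispatch_decision(uptime_at_departure=timedelta(days=49.2),
                          planned=timedelta(days=0.6),
                          diversion_reserve=timedelta(days=0.2),
                          holding=timedelta(0),
                          leeway=timedelta(days=1))
    print(d.allowed, d.reason)
    print("latest dispatch uptime:",
          latest_dispatch_uptime(timedelta(days=0.6), timedelta(days=0.2),
                                 timedelta(0), timedelta(days=1)))
```

The interesting property is that the answer to "is 49.2 + 0.6 allowed?" depends entirely on what the operator has decided the reserve and leeway are: with a 0.2-day reserve and one day of leeway the worst-case landing lands exactly on the inclusive boundary, and any larger reserve pushes the cutoff earlier. That is why the procedure, not the bare 51-day number, is what an airworthiness directive has to pin down.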

  • > Having to restart is a symptom of reckless disregard for safety IMO

    No it's a symptom of having bugs in your code.

    And they can be there for a host of reasons ranging from "this is a one-off accident" to "systematic failure in the software engineering process".

    • Bugs may be inevitable but reasons and outcomes matter. If the entertainment system goes down then no big deal. If the pilot is misinformed and the plane crashes then how is it possible for the company to get such slop certified?


I have audio devices which, when installed, will run flawlessly until power or hardware failure. The firmware isn't bug free, but the operation never encounters bugs.