Mission-Critical systems

Walter Bright newshound2 at digitalmars.com
Fri Mar 19 06:32:18 UTC 2021


On 3/16/2021 8:44 PM, tsbockman wrote:
> So, definitely use LDC if you are planning to bet human lives and/or millions of 
> dollars on it working fully correctly.

The first three years of my career were spent developing the flight critical 
stabilizer trim gearbox for the 757. Flight critical means if it comes apart, 
you lose the airplane and everyone aboard.

So I know how to build things that are critical for human life.

Generally speaking, there is no relying on any tool to be bug-free. Test and 
verify everything. Design in a backup system to monitor the behavior.

For example, there was an autopilot embedded system that commanded the 
stabilizer trim. We all know how a runaway stab trim system can kill people (see 
the 737MAX).

There were two autopilot computers in parallel. They both had to agree, or both 
were automatically disconnected. They used different microprocessors, different 
software algorithms, different programming languages, different compilers. The 
coding was done by different teams who weren't allowed to talk to each other. A 
third independent team verified that no problem in one could propagate to the other.

Notice there is no reliance on bug-free hardware, bug-free algorithms, bug-free 
code, bug-free compilers, etc.


More information about the Digitalmars-d mailing list
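As an added illustration of the dual-channel arrangement described in the post above (example code, not from the post or from any real autopilot): two dissimilarly written implementations of one trim law feed an independent comparator that is the only thing allowed to drive the actuator, and it disconnects both channels, latching, when they disagree or when a command stays pinned at the limit like a runaway. The gain, limit, tolerance and cycle count are constructed assumptions for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

#define TRIM_LIMIT     100  /* max |command| either channel may issue (assumed) */
#define AGREE_TOL        5  /* max |A-B| before both channels are dropped (assumed) */
#define RUNAWAY_CYCLES  10  /* saturated cycles the monitor tolerates (assumed) */

typedef struct { int32_t command; bool valid; } channel_out_t;

/* Channel A: integer fixed-point proportional law, truncating division. */
channel_out_t channel_a(int32_t pitch_err_centideg) {
    channel_out_t o = { 0, true };
    int64_t c = (int64_t)pitch_err_centideg * 3 / 10;   /* gain 0.3 */
    if (c >  TRIM_LIMIT) c =  TRIM_LIMIT;
    if (c < -TRIM_LIMIT) c = -TRIM_LIMIT;
    o.command = (int32_t)c;
    return o;
}

/* Channel B: independently written floating-point law, rounded to nearest. */
channel_out_t channel_b(int32_t pitch_err_centideg) {
    channel_out_t o = { 0, true };
    double c = pitch_err_centideg * 0.3;
    if (c >  TRIM_LIMIT) c =  TRIM_LIMIT;
    if (c < -TRIM_LIMIT) c = -TRIM_LIMIT;
    o.command = (int32_t)(c >= 0 ? c + 0.5 : c - 0.5);
    return o;
}

typedef struct { int runaway_count; bool disconnected; } monitor_t;

/* Comparator/monitor: returns the command to apply, or 0 once trust is lost.
 * Disconnect is latching; neither channel can re-arm the system by itself. */
int32_t arbitrate(monitor_t *m, channel_out_t a, channel_out_t b) {
    if (m->disconnected) return 0;
    if (!a.valid || !b.valid || abs(a.command - b.command) > AGREE_TOL) {
        m->disconnected = true;            /* disagreement: drop both */
        return 0;
    }
    /* Runaway guard: a command held at the limit for too long is not trusted
     * even when both channels agree on it. */
    if (abs(a.command) >= TRIM_LIMIT) m->runaway_count++;
    else                              m->runaway_count = 0;
    if (m->runaway_count > RUNAWAY_CYCLES) { m->disconnected = true; return 0; }
    return a.command;
}
```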