[SystemSafety] Comparing reliability predictions with reality
Robert P Schaefer
rps at mit.edu
Mon Feb 24 20:52:51 CET 2025
hi,
My last project was MOXIE on the NASA Mars Perseverance rover. It was NASA Class D, which means minimum software process;
even so, the code designer had to make a case to a board to be allowed to write a bespoke executive.
I (at Haystack) wrote a simulator/emulator for the embedded code and found an uninitialized pointer that caused the code to
randomly crash. NASA found the same bug independently, but it was too late to fix before launch; it was fixed by an
after-launch software update - there were multiple banks of RAM and EEPROM, and the EEPROM was locked down before launch.
Other than that it worked flawlessly on Mars, but the code size was small, maybe less than 10,000 LOC, and written by one person
(not me) supported by a huge JPL team.
My experience with military avionics (again over a period of two decades that ended more than a decade in the past)
was MIL-STD-2167A, which was a generic but tailorable process for any military project that called it out as a requirement;
there were no specific safety requirements.
Across multiple projects, my knowledge of avionics software was more or less random and learned on the job,
ranging from digital signal processing to prototyping displays to countermeasures. Overall, there was more concern about security than safety;
I got the impression it was better that the craft crashed than that secrets leaked.
If there was a military spec dedicated to software safety, I didn't see it then. The safety aspect tended to go to the systems people,
who appeared concerned with the need for low weight, where safety was measured as physical redundancy, and with the tradeoff of how
redundancy negatively affected weight. I guess if it's too heavy to fly, then reliability doesn't matter. I seem to remember one fighter
had ongoing carbon monoxide issues, and another fighter's countermeasures avionics was redone from scratch (from Ada to C) while
the Ada was being integrated.
bob s
> On Feb 24, 2025, at 2:06 PM, Prof. Dr. Peter Bernard Ladkin <ladkin at causalis.com> wrote:
>
> On 2025-02-24 19:55 , Robert P Schaefer wrote:
>> hi,
>>
>> You have me there, I can’t speak to DAL A and would like to know more.
>>
>> Could you reference a software engineering or computer science textbook that covers the topic?
>
> I can't, but others here (such as Dewi Daniels) maybe can. The relevant standards are RTCA DO-178C and RTCA DO-333. They of course cost money, but NASA has oodles of tech reports on the topic. There are NASA experts on this list who could say more.
>
>> Do you know if there’s an equivalent for military avionics? (doesn’t matter whose military)
>
> I don't. But I am pretty sure there are others here who do. Please tell!
>
> PBL
>
> Prof. Dr. Peter Bernard Ladkin
> Causalis Limited/Causalis IngenieurGmbH, Bielefeld, Germany
> Tel: +49 (0)521 3 29 31 00
>