> the bug ... was dependent on abstruse aspects of the way the
> operating system worked... 'A good lesson when you fly COTS
> [commercial off-the-shelf] stuff--make sure you know how it works.'
Many years ago, when commercial RTOSes were new, a mentor suggested that such things were generally a bad idea simply because they encourage programmers to use overly-fancy features that they don't really need and don't understand.
Long ago, I concluded that for critical systems, the guiding principle is to keep it as simple as possible, and the presence of an operating system with unused features and, much worse, features whose subtleties were not thoroughly understood by those using them, introduces complexity and unknowns that must be avoided because, if for no better reason, the cost of V&V became prohibitive. Therefore, for critical systems I strongly advocate either a commercial RTOS where the unused features can be #ifdef'ed away and the source code is available, or simply writing one's own kernel.
Unfortunately, the consensus in P-1583 seems to be that V&V is not appropriate to voting equipment because it would make the devices prohibitively expensive, and that thorough testing as specified in other IEEE standards on software engineering is "unreasonable". I find this attitude appalling, especially when a mandated independent audit trail is also out of the question. It has oft been publicly argued that "we trust computers to fly airplanes, so why can't we trust them to count votes?", but that is very dishonest because the in-flight software and voting equipment software are radically different; if one told the FAA that voting equipment software, where even a line-by-line peer review has been rejected thus far as too costly, were as well tested as in-flight software, they would, to borrow David Chaum's idiom, asphyxiate themselves with laughter.
----------------- Commence Original Message -----------------
Whole article at
"... the technology on Mars looks awfully like that on your desk--a general
purpose, standards-based platform like many others running a commercial
operating system doing custom tasks."
Relating the problem to previous problems years before with Pathfinder, a
spokesperson said, "the bug wasn't in their code, but was dependent on
abstruse aspects of the way the operating system worked. Linked to that, the
mission engineers had to have an extraordinary knowledge of the guts of the
operating system. As a report after the event said: 'A good lesson when you
fly COTS [commercial off-the-shelf] stuff--make sure you know how it works.'"
[Also other instructive one focuses on FLASH memory at
Pete Klammer / ACM(1970), IEEE, ICCP(CCP), NSPE(PE), NACSE(NSNE)
3200 Routt Street / Wheat Ridge, Colorado 80033-5452
(303)233-9485 / Fax:(303)274-6182 / Mailto:PKlammer@ACM.org
Idealism may not win every contest, but that's not what I choose it for!