On Saturday, 3 June 2017 at 09:48:05 UTC, Timon Gehr wrote:
I don't get why you would /restart/ mission-critical software that has been shown to be buggy. What you need to do instead: Have a few more development teams that create independent implementations of your service. (Completely from scratch, as the available libraries were not developed to the necessary standard.) All of them should run on different hardware produced in different factories by different companies. Furthermore, you need to hire a team of testers and software verification experts vastly exceeding the team of developers in magnitude, etc.

Yes, mission-critical software such as flight control is (and should be) proven correct. There is modelling software for this very narrow field that will generate correct code.

Or as you say, you can implement 3 different versions, running on 3 different hardware platforms and shut down the 1 that disagrees with the others.

But you still have to think in probabilistic terms, because there could be problems with sensors, actuators, human errors etc etc etc..
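As an added illustration of the three-version arrangement described above (not code from the thread or from any flight-control project), the following Python sketch runs three constructed, independently written implementations of the same control law through a majority voter that isolates whichever channel disagrees. The channel functions, the tolerance and the injected defect in channel C are all assumptions made for the example. It also shows the two cases the voting scheme itself cannot save you from: no majority at all (the voter must fall back to a fail-safe), and a common-mode fault where every channel is fed the same bad sensor reading and all three agree on a wrong answer.

```python
import math
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for three independently written implementations of a
# saturating proportional control law. In real N-version programming each would
# come from a separate team and run on separate hardware.
def channel_a(error: float) -> float:
    return max(-1.0, min(1.0, 0.5 * error))

def channel_b(error: float) -> float:
    cmd = error / 2.0
    if cmd > 1.0:
        cmd = 1.0
    elif cmd < -1.0:
        cmd = -1.0
    return cmd

def channel_c(error: float) -> float:
    # Injected defect for the example: forgets to saturate on the negative side.
    return min(1.0, 0.5 * error)


@dataclass
class VoteResult:
    command: Optional[float]   # None when no majority exists (fail-safe)
    faulted: List[str]         # channels isolated during this vote


@dataclass
class TmrVoter:
    """Triple-modular-redundancy style voter: accept a value agreed on by a
    strict majority of the configured channels and isolate dissenting ones."""
    channels: Dict[str, Callable[[float], float]]
    tolerance: float = 1e-6
    active: Dict[str, bool] = field(default_factory=dict)
    history: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = {name: True for name in self.channels}

    def vote(self, sensor_value: float) -> VoteResult:
        outputs = {n: f(sensor_value)
                   for n, f in self.channels.items() if self.active[n]}
        newly_faulted: List[str] = []
        total = len(self.channels)  # majority is judged against all configured channels
        for name, value in outputs.items():
            agreeing = [m for m, v in outputs.items()
                        if math.isclose(v, value, abs_tol=self.tolerance)]
            if len(agreeing) * 2 > total:
                # Majority found: shut down every still-active channel that disagrees.
                for m in outputs:
                    if m not in agreeing:
                        self.active[m] = False
                        newly_faulted.append(m)
                        self.history.append(
                            f"channel {m} isolated: {outputs[m]!r} vs majority {value!r}")
                return VoteResult(value, newly_faulted)
        # No majority: the voter cannot tell which channel is right.
        self.history.append(f"no majority among {outputs!r}")
        return VoteResult(None, newly_faulted)


def run_scenario() -> List[VoteResult]:
    """Feed a constructed sequence of error values; channel C is caught on the
    negative input and isolated, after which A and B alone still form a majority."""
    voter = TmrVoter({"A": channel_a, "B": channel_b, "C": channel_c})
    return [voter.vote(error) for error in (0.4, 5.0, -5.0, -0.2)]


def fail_safe_example() -> VoteResult:
    # Constructed: three channels that all disagree, so no majority exists.
    voter = TmrVoter({"A": lambda e: e, "B": lambda e: e + 1.0, "C": lambda e: e - 1.0})
    return voter.vote(0.0)


def common_mode_example() -> VoteResult:
    # Constructed: the sensor is stuck at 3.0 while the true error is 0.0. All three
    # channels agree on full deflection, so the voter reports consensus on a wrong
    # command and isolates nothing; redundancy in software cannot detect this.
    voter = TmrVoter({"A": channel_a, "B": channel_b, "C": channel_c})
    return voter.vote(3.0)


if __name__ == "__main__":
    for r in run_scenario():
        print(r)
    print(fail_safe_example())
    print(common_mode_example())
```

The voter judges majority against the number of configured channels rather than the number still active, so once one channel has been isolated the remaining two must agree or the system falls back to the fail-safe value; that is the point at which the probabilistic reasoning about sensors and actuators has to take over.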
