Using COTS software in high assurance control applications

The vast majority of COTS software components are not developed for high reliability applications. Using them directly in embedded systems with high reliability requirements could be hazardous, as shown in the incidents of Navy ships Yorktown, Vicksburg and USS Hue City.Challenges to Fault Avoidance Approach: Ensuring the reliability of COTS software at the users' site is not an easy task. COTS software components are not subject to customers' high assurance development processes. Customers can buy source code and then subject them to a high-assurance process and make any modifications that are needed. However, this is a high cost solution. Furthermore, once a COTS software component has been modified, it is unlikely compatible with vendors' future releases. As a result, most of the benefits of using COTS are lost. Therefore this approach - making proprietary modifications to COTS components - is inconsistent with the original motivation for their use.Challenges to Fault Tolerance Approach: There are basically two fault tolerance approaches: fault masking and forward recovery. Fault masking tries to prevent incorrect outputs from being used. For example, Recovery Block attempts to check if an output is correct before using it.Unfortunately, it is often difficult to determine the correctness of a computation without knowing what the correct answer is. Forward fault recovery attempts to recover after incorrect outputs are used and it is not suitable for all the applications. Nor is there a general domain independent approach to forward fault recovery.