How can we program systems which behave in a reasonable manner in the presence of software errors? This is the central question that I hope to answer in this thesis. Large systems will probably always be delivered containing a number of errors in the software, nevertheless such systems are expected to behave in a reasonable manner.
I apologize to Joe for using his thesis as an example, but it seems that the entire computer industry has swallowed Fred Brooks’ “No Silver Bullet” arguments regarding the relationship between complexity and reliability, hook, line and sinker. This is very unfortunate because, as I explain on the Silver Bullet page, Brooks’ arguments are fundamentally flawed. The COSA philosophy is that unreliability is not an essential characteristic of complex software systems. As I wrote in a previous article, there are situations where safety or uptime is so critical that not even extreme reliability is good enough. In such cases, unless a program can be guaranteed 100% reliable, it must be considered defective and should not be deployed. Achieving rock-solid reliability in a complex software system is not impossible.
First and foremost (and this is what is missing in Erlang and other concurrent languages), the timing of all processes in the system must be 100% deterministic and must be based on change. Nothing should happen unless something changes. Second, the system must automatically enforce the resolution of data/event dependencies in order to eliminate blind code. The only way to achieve these two goals is to adopt a software model that is based on elementary, concurrent, non-algorithmic, synchronous, communicating processes. In COSA, these concurrent processes are called cells of which there are only two types: sensors and effectors. The main difference between a COSA cell and a concurrent process in other languages is that COSA cells are synchronous, meaning that their execution times are equal. Every COSA cell executes its elementary function in exactly one system cycle. This result in deterministic timing, a must for reliable software.
Note: There is a difference between synchronous messaging and synchronous processing. COSA and most concurrent languages use asynchronous messaging, i.e., the message sender does not have to wait for a reply before continuing it execution.