Certain types of failure in aircraft gas turbines can have effects which prejudice the safety of flight of the aircraft in which they are installed. The failures can be directly caused by software deficiencies in a digital engine control. The paper reviews the basic issues in achieving software safety of a level required for certification and discusses the effects of these issues. The discussion particularly addresses the choice of language and the specification, design validation and test procedures applied throughout the life of a given set of control software.

