From: Ken Garlington
Subject: Re: Ariane 5 - not an exception?
Date: 1996/08/01
Message-ID: <3200DF57.193A@lmtas.lmco.com>
References: <285641259wnr@diphi.demon.co.uk>
Organization: Lockheed Martin Tactical Aircraft Systems
Newsgroups: comp.lang.ada,comp.software-eng

Robert I. Eachus wrote:
>
> First, I think of mission critical as a different category than
> safety critical. In safety critical systems, fail safe is often an
> option where in mission critical systems you need to fail operational.
> And yes, systems can be safety AND mission critical. Those are the
> expensive ones.

Actually, safety-critical systems can either be fail-safe or fail-op, just like mission critical systems. A nuclear reactor might be able to be fail safe, but a flight control system might have to be fail op.

You can get a lot of definitions of safety critical if you work at it. Here's AFISC SSH 1-1's definition:

"Those software operations that, if not performed, performed out-of-sequence, or performed incorrectly could result in improper control functions (or lack of control functions required for proper system operation) which could directly or indirectly cause or allow a hazardous condition to exist."

"Hazardous" usually gets defined as loss of life, serious injury, or major property loss.

If the absence of the software function doesn't lead to a hazardous condition, then the system can be fail-safe. If the software function must be present to avoid a hazardous condition, then it usually has to be fail-op. However, there's not exactly a hard and fast rule here. It depends on the system.

--
LMTAS - "Our Brand Means Quality"