From: Ken Garlington
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/19
Message-ID: <33302D5D.4270@lmtas.lmco.com>
References: <332B5495.167EB0E7@eiffel.com>
Organization: Lockheed Martin Tactical Aircraft Systems
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada,comp.lang.java.tech

Thomas wrote:
>
> Well, what if a lot more money had been budgeted for hardware? Could
> the space agency have paid the processor manufacturers to come out
> with a version that was 30% faster (that should have been sufficient
> to use runtime checks everywhere without changing the design)?

Some problems with doing that:

1. New designs add risk, since there's not a history of use.
2. Faster usually means more power/cooling required, which reduces payload.
3. Processor manufacturers charge more for small production runs, which cuts into the profit margin.

Remember that hardware is a recurring cost; software (in the absence of maintenance) isn't.

> Another option could have been to add more individual processors and
> use them in parallel (almost certainly harder than it sounds, but
> still a possibility).

1. Adds weight, power and cooling requirements (reducing payload).
2. Costs more (more parts).
3. Adds complexity to the design, and thus risk.

> Or what about choosing a less ambitious flight
> trajectory and maybe lower payload so that control required less
> computation?

Would have made the Ariane V less competitive, and possibly non-viable.

> Of course, none of those would have been easy choices to make. Design
> by contract and other methodologies are useful, but I still think
> without a solid foundation of runtime checks in the production code
> and multiple exception handlers and recovery blocks, no methodology
> alone is going to give sufficient protection from failure. In fact,
> Eiffel itself, which has been mentioned here because of its assertion
> system, is built on a foundation of runtime safety.

However, runtime safety doesn't do much good if either/or (a) you test on the ground to see what exceptions are raised; (b) you know how to correct from the exception (in some cases, there IS no good response to certain exceptions).

-- 
LMTAS - The Fighter Enterprise - "Our Brand Means Quality"
For job listings, other info: http://www.lmtas.com or http://www.lmco.com