From: Samuel Mize
Subject: Re: Safety-critical development in Ada and Eiffel
Date: 1997/07/17
Message-ID: <33CE8ECD.41DE@link.com>
References: <97071709562795@psavax.pwfl.com>
Organization: Hughes Training Inc.
Reply-To: smize@link.com
Newsgroups: comp.lang.ada

Marin David Condic, 561.796.8997, M/S 731-96 wrote:
> The Ariane software specifically and very deliberately *removed*
> the checks because of time constraints.

Correct me if I'm wrong. My understanding from the previous threads was that there was a specific management decision to not consider Ariane 5 requirements for the Ariane 4 INS design. The check removal was reasonable in the Ariane 4 context.

Then there was a specific management decision to not review for Ariane 5 the requirements to which the INS was built, or to retest it in the new conditions.

Given these decisions, the problem would not have been caught, no matter what assertions were in the code.

Now, Meyer et al. never stated outright that using Eiffel (or assertions) would have prevented the crash; they stated that using Design By Contract (DBC) would have prevented the crash. This is trivially true. Traditional methods of specification review or design review or test would ALSO have prevented the crash.

Saying "DBC could have prevented the crash" creates a misleading suggestion that this demonstrates a DBC advantage over other methods. The Ariane crash proves that properly-managed DBC would be better than DBMG (Design By Management Guesswork). It neither supports nor refutes the thesis that DBC is better than other responsible/traditional engineering methods.

I can't say that Meyer et al. intended to imply otherwise, but it is certainly a reasonable inference for the reader to draw, given the paper. That inference angered some people.

Samuel Mize