From: Ken Garlington
Subject: Re: The stupidity of all the Ariane 5 analysts.
Date: 1997/08/01
Message-ID: <33E2B58E.7FCA@flash.net>
References: <33E06929.59F6@easystreet.com> <870438757snz@transcontech.co.uk>
Reply-To: kennieg@flash.net
Organization: Flashnet Communications, http://www.flash.net
Newsgroups: comp.object,comp.software-eng,comp.lang.ada,comp.lang.eiffel

Paul E. Bennett wrote:
>
> In article <33E06929.59F6@easystreet.com>
> achrist@easystreet.com "Al Christians" writes:
>
> > It would be nice if there could be a clear spec that includes everything
> > that might happen in the real world, but when the real world does
> > something that the spec didn't anticipate, do we want the software to
> > just curl up and die?
>
> If such a spec could be produced it would probably be too large to
> understand in reasonable time. Instead, we need to construct our systems
> so that out-of-the-ordinary stimuli do not cause unexpected activity of
> the system. This involves knowing what happens in the system when the
> stimuli exceed the design limitations. This takes some effort in FMECA
> and the designing in of "Inherent Robustness" for the system to become
> dependable.
Also, FMECA/FMET is quite valuable in that it usually is not solely driven by the specification, but also includes past experience driven from failure records. We've found FMET in particular to be quite useful in finding holes in the specification.

> If we are going to re-use components, we need to be more certain about
> what the effects are for component failure. In the A5 flight systems
> situation, there were other factors in the organisation which blindly
> accepted the decision for non-provision of flight profiles. A risk
> assessment for the decision should have been conducted to determine if
> this was a reasonable decision.
>
> --
> Paul E. Bennett ...................
> Transport Control Technology Ltd.
> +44 (0)117-9499861
> Going Forth Safely