From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_20,INVALID_MSGID autolearn=no autolearn_force=no version=3.4.4 X-Google-Language: ENGLISH,ASCII-7-bit X-Google-Thread: 1108a1,2c6139ce13be9980 X-Google-Attributes: gid1108a1,public X-Google-Thread: fac41,2c6139ce13be9980 X-Google-Attributes: gidfac41,public X-Google-Thread: 103376,3d3f20d31be1c33a X-Google-Attributes: gid103376,public X-Google-Thread: f43e6,2c6139ce13be9980 X-Google-Attributes: gidf43e6,public From: Peter Hamer Subject: Re: Safety-critical development in Ada and Eiffel Date: 1997/08/11 Message-ID: <33EF06BE.730F@nortel.co.uk>#1/1 X-Deja-AN: 263468706 References: <33CD1722.2D24@calfp.co.uk> <33D24C91.C9730CBA@munich.netsurf.de> <33D71492.6F06@uk.ibm.com> <33D9B8F9.4693018C@munich.netsurf.de> <5rh12t$jl0$1@flood.weeg.uiowa.edu> Organization: nortel.co.uk Newsgroups: comp.object,comp.software-eng,comp.lang.ada,comp.lang.eiffel Date: 1997-08-11T00:00:00+00:00 List-Id: Marinos J. Yannikos wrote: > > There is a school of thought which insists that verifying hard real-time > systems by testing them is pointless, since you can hardly simulate all > possible events, how they interact, occur at the same time ("avalanches") > etc. Insufficient, certainly. Pointless? Ask the Hubble space telescope people if they have reconsidered the wisdom of not testing for gross errors [they needed a space-walk to fix things]. Of course, they were absolutely right: the available tests would not have detected errors of the size they were designing for; just the one they had! Years ago somebody invented the analogy of the robot dentist. You were to be the first lucky customer. What validation would you like to have been carried out first? Would you be happy if validation was restricted to method X; and no testing had been carried out? Peter