Re: Critique of Ariane 5 paper (finally!)

[Ken Garlington <kennieg@flash.net>]

Samuel Mize wrote:
> 
> Robert Dewar wrote:
> >
> > Bertrand says
> >
> > <<As convincingly as I could, my colleagues and I
> > have explained: why in our view
> > software technology crucially requires the systematic use of
> > Design by Contract; why Design by Contract is a
> > necessary condition to avoid more Ariane-like failures;
> > and what is missing in this respect in such approaches
> > as Java, Ada, C++, IDL.>>
> >
> > Your argument at *best* says that DBC might have been a *sufficient*
> > condition for avoiding the Ariane failure. Even there, it seems
> > over-facile and rather academic, and does not seem to understand
> > fully the exact nature of the Ariane problem.
> 
> DBC proponents have said that using DBC IMPLIES review of
> requirements, review of design, and testing the component.
> In this case, the claim that DBC would "probably" have prevented
> the crash is nugatory but true.

Note that Mr. Jezequel, one of the authors of the DBC Ariane paper,
argued for some time that the tests described in the inquiry's
report were infeasible, and that DBC would substitute for them.
Therefore, it does not seem valid to assume that DBC equates to
full testing. 

See also my arguments in section 3.2 (and subsections) of
  http://www.flash.net/~kennieg/ariane.html

> However, the claim that "widely accepted industry practices" would
> not have done so is false.  Requirements review, design review, and
> in-situ test are standard for a mission-critical component.  Not
> ONE of these was done for the Ariane 5 INS.  To claim that this is
> "widely accepted industry practice" is disingenuous at best, and
> appears intentionally misleading to a lot of us.

I'm not sure that a requirements and/or design review was left out
of the process. I think it is more clear to say that insufficient
review by _external parties_ was performed; parties with sufficient
independence and knowledge to identify the invalid assumption.

> It is this false claim that destroys the argument that DBC is
> "a necessary condition to avoid more Ariane-like failures."
> 
> It's rather like saying that a new method of navigation would
> "probably" have prevented the Exxon Valdez crash.  True, but
> only because ANY navigation would have prevented it!
> 
> > But to make the jump from sufficient to necessary is completely
> > without basis, and can only be regarded as advertising puffery.
> 
> Which appeared in a column in IEEE Computer magazine, positioning
> it deceptively as a technical item instead of an ad.

I suppose for the sake of fairness, that it should be pointed out that
Mr. Meyer may not consciously be attempting promotion of his products
through this means. How would we know? I do get the feeling that
much of his defense of his paper is based on emotion rather than
logic. He has yet to engage in a discussion of the issues; most of
his responses have either been in terms of his "wounded pride," or
oblique personal attacks ("if only practitioners would listen to the
voice of reason"), or mere filler ("we'll just have to agree to
disagree," as in this latest post). Mr. Jezequel was at least willing
to discuss some issues (e.g. the potential for testing), and did
soften his stance in some areas as a result (as did I). However,
he soon gave up the discussion, which was unfortunate.

I also agree that it's unfortunate that IEEE Computer doesn't publish
more critical letters. In particular, it's difficult to explain a
contrary postion adequately in the space provided. It also is much
less likely to be read.

> 
> Samuel Mize