From: Ken Garlington
Subject: Re: Critique of Ariane 5 paper (finally!)
Date: 1997/08/13
Message-ID: <33F253DC.1D1B@flash.net>
References: <33E503B3.3278@flash.net> <33E8FC54.41C67EA6@eiffel.com> <33E9B217.39DA@flash.net> <33EA5592.5855@flash.net> <33EB4935.167EB0E7@eiffel.com> <33EB754E.446B9B3D@eiffel.com> <33EBE46D.2149@flash.net> <33EF9487.41C67EA6@eiffel.com> <33F20BCE.AB3@link.com>
Organization: Flashnet Communications, http://www.flash.net
Reply-To: Ken.Garlington@computer.org
Newsgroups: comp.lang.ada,comp.lang.eiffel

Samuel Mize wrote:
>
> Robert Dewar wrote:
> >
> > Bertrand says
> >
> > < > have explained: why in our view
> > software technology crucially requires the systematic use of
> > Design by Contract; why Design by Contract is a
> > necessary condition to avoid more Ariane-like failures;
> > and what is missing in this respect in such approaches
> > as Java, Ada, C++, IDL.>>
> >
> > Your argument at *best* says that DBC might have been a *sufficient*
> > condition for avoiding the Ariane failure. Even there, it seems
> > over-facile and rather academic, and does not seem to understand
> > fully the exact nature of the Ariane problem.
>
> DBC proponents have said that using DBC IMPLIES review of
> requirements, review of design, and testing the component.
> In this case, the claim that DBC would "probably" have prevented
> the crash is nugatory but true.

Note that Mr. Jezequel, one of the authors of the DBC Ariane paper,
argued for some time that the tests described in the inquiry's report
were infeasible, and that DBC would substitute for them. Therefore, it
does not seem valid to assume that DBC equates to full testing. See
also my arguments in section 3.2 (and subsections) of
http://www.flash.net/~kennieg/ariane.html

> However, the claim that "widely accepted industry practices" would
> not have done so is false. Requirements review, design review, and
> in-situ test are standard for a mission-critical component. Not
> ONE of these was done for the Ariane 5 INS. To claim that this is
> "widely accepted industry practice" is disingenuous at best, and
> appears intentionally misleading to a lot of us.

I'm not sure that a requirements and/or design review was left out of
the process. I think it is more clear to say that insufficient review
by _external parties_ was performed; parties with sufficient
independence and knowledge to identify the invalid assumption.

> It is this false claim that destroys the argument that DBC is
> "a necessary condition to avoid more Ariane-like failures."
>
> It's rather like saying that a new method of navigation would
> "probably" have prevented the Exxon Valdez crash. True, but
> only because ANY navigation would have prevented it!
>
> > But to make the jump from sufficient to necessary is completely
> > without basis, and can only be regarded as advertising puffery.
>
> Which appeared in a column in IEEE Computer magazine, positioning
> it deceptively as a technical item instead of an ad.

I suppose for the sake of fairness, that it should be pointed out that
Mr. Meyer may not consciously be attempting promotion of his products
through this means. How would we know? I do get the feeling that much
of his defense of his paper is based on emotion rather than logic.
He has yet to engage in a discussion of the issues; most of his
responses have either been in terms of his "wounded pride," or oblique
personal attacks ("if only practitioners would listen to the voice of
reason"), or mere filler ("we'll just have to agree to disagree," as
in this latest post). Mr. Jezequel was at least willing to discuss
some issues (e.g. the potential for testing), and did soften his
stance in some areas as a result (as did I). However, he soon gave up
the discussion, which was unfortunate.

I also agree that it's unfortunate that IEEE Computer doesn't publish
more critical letters. In particular, it's difficult to explain a
contrary position adequately in the space provided. It also is much
less likely to be read.

>
> Samuel Mize