Re: Critique of Ariane 5 paper (finally!)

[Ken Garlington <kennieg@flash.net>]

Robert Dewar wrote:
> 
> DBC in the sense in which Bertrand means it is a possible tool. It is
> neither necessary nor sufficient, but it is one more useful tool (I cannot
> imagine anyone contesting this point). However, use of DBC does not ensure
> reliability, and failure to use it does not guarantee unreliability!

I think we can go further. With respect to the available techniques
(Musa
et. al.) to _quantify_ software reliability, none of the models to my
knowledge require DBC. You can argue that DBC would _improve_ the
quantified values (or argue that none of the models are useful), but
there is no evidence that DBC is _required_ to have a given level
of reliability, as measured by these models. Furthermore, of the
widely-used certification techniques that attempt to _qualitatively_
establish reliablilty, either of the product directly (882C, 178B,
etc.), the only one I can think of that even potentially could be
read as "requiring" DBC is 00-55/00-56, and I know of at least
one system qualified under that standard that did not use executable
assertions. Thus, I would assume that Mr. Meyer's relucance to
cite a specific case where DBC was required to satisfy a customer
as to the reliability of a system is... because he doesn't know of
a system that requires it!

Note that reliability (like safety) is not an absolute measure.
Systems are not "reliable" or "safe," they are merely more or
less reliable/safe than other alternatives. This is a big point
of "Safeware," which I would recommend highly to anyone participating
in a discussion of safety or reliability.