From: Ken Garlington
Subject: Re: Critique of Ariane 5 paper (finally!)
Date: 1997/08/23
Message-ID: <33FFA21C.5F09@flash.net>
References: <33E503B3.3278@flash.net> <33E8FC54.41C67EA6@eiffel.com> <33E9B217.39DA@flash.net> <33EA5592.5855@flash.net> <33EB4935.167EB0E7@eiffel.com> <33EB754E.446B9B3D@eiffel.com> <33EBE46D.2149@flash.net> <33EF9487.41C67EA6@eiffel.com> <33F22B91.167EB0E7@eiffel.com> <33F7C3C0.446B9B3D@eiffel.com> <33FA748A.35FE@flash.net> <33FBD62C.3DD3@invest.amp.com.au>
Organization: Flashnet Communications, http://www.flash.net
Reply-To: Ken.Garlington@computer.org
Newsgroups: comp.lang.ada,comp.lang.eiffel

Robert Dewar wrote:
>
> DBC in the sense in which Bertrand means it is a possible tool. It is
> neither necessary nor sufficient, but it is one more useful tool (I cannot
> imagine anyone contesting this point). However, use of DBC does not ensure
> reliability, and failure to use it does not guarantee unreliability!

I think we can go further. With respect to the available techniques (Musa et al.) to _quantify_ software reliability, none of the models to my knowledge require DBC. You can argue that DBC would _improve_ the quantified values (or argue that none of the models are useful), but there is no evidence that DBC is _required_ to have a given level of reliability, as measured by these models.
Furthermore, of the widely-used certification techniques that attempt to _qualitatively_ establish reliability, either of the product directly (882C, 178B, etc.), the only one I can think of that even potentially could be read as "requiring" DBC is 00-55/00-56, and I know of at least one system qualified under that standard that did not use executable assertions. Thus, I would assume that Mr. Meyer's reluctance to cite a specific case where DBC was required to satisfy a customer as to the reliability of a system is... because he doesn't know of a system that requires it!

Note that reliability (like safety) is not an absolute measure. Systems are not "reliable" or "safe"; they are merely more or less reliable/safe than other alternatives. This is a big point of "Safeware," which I would recommend highly to anyone participating in a discussion of safety or reliability.