Re: JOB:Sr. SW Engineers Wanted-Fortune 500 Co

[rracine@myremarq.com (Roger Racine)]

On 01 Feb 2000 16:19:12 -0500, Hyman Rosen <hymie@prolifics.com>
wrote:

>kilgallen@eisner.decus.org (Larry Kilgallen) writes:
>> And some small fraction of automobile collision victims who are not wearing
>> safety belts are "thrown clear".  Exceptional cases do get more press.
>
>I am clearly in need of enlightenment, so please explain to me. After
>you have decided that a given situation is impossible, will you
>nevertheless add an error handler for that impossible situation, so
>that if it happens anyway, you can recover gracefully? To what level
>of detail and impossibility will you go? When you write Ada code, how
>many exception handlers for Program Error do you put into your code?

I am currently working on a fault tolerant computer project.  The
faults we are tolerating are -hardware- faults.  We assume that
-anything- can happen if hardware fails.  If you just checked that X =
3, it does not matter.  As Pat Rodgers said, in a space environment X
could experience a singe-event-upset that could change its value to 2.

So for our system, we have 4 processors each running the same
software.  RAM scrubbing checks memory.  Presence tests check that the
software is in the same place at the same time on each processor.
Voting of inputs guarantee that a maximum of 1 processor will have bad
data (if any do).  Outputs are voted at the actuators.  

This protects against any single hardware failure from affecting the
system.  With our system we can tolerate 2 hardware failures if they
happen sufficiently long enough apart for the software to have
reconfigured after the first failure.

The numbers folks have given this sort of system about a probability
of 99.999999999% of success (defined as the computer system not
failing during the mission).  I might have missed some "9"s, but it is
at least this good.  For comparison, a single computer that is
performing Built-in-test periodically has a probability of about 95%
or less (depending on the radiation environment).

If the system has a design error (such as Ariane 5), nothing can save
the system.  It is similar to getting 4 failures at the same time in
our system.  That is what testing, proofs, peer reviews, etc are for.
To get rid of design and manufacuring errors (where manufacturing
errors for software would be coding errors).

Getting back on the initial track of this thread, Ada helps to prevent
coding errors.  It certainly can not stop design errors.  Can one
trust C or C++ in a pacemaker?  Probably.  Could the errors that were
found during the extensive testing been prevented if used Ada?  Some.
Could they save time and money by using Ada?  Very likely.  Would
maintenance be easier?  Definitely.  Can you re-use the software on
another system without somehow verifying the new system?  NO!

Roger Racine