From: rracine@myremarq.com (Roger Racine)
Subject: Re: JOB:Sr. SW Engineers Wanted-Fortune 500 Co
Date: 2000/02/02
Message-ID: <3898271c.2593829980@news.draper.com>
References: <3894A823.92EC75D1@bondtechnologies.com> <874b7r$mj9$1@nnrp1.deja.com> <38967537_1@news.jps.net> <2000Feb1.153921.1@eisner>
Newsgroups: comp.lang.ada

On 01 Feb 2000 16:19:12 -0500, Hyman Rosen wrote:

>kilgallen@eisner.decus.org (Larry Kilgallen) writes:
>> And some small fraction of automobile collision victims who are not wearing
>> safety belts are "thrown clear". Exceptional cases do get more press.
>
>I am clearly in need of enlightenment, so please explain to me. After
>you have decided that a given situation is impossible, will you
>nevertheless add an error handler for that impossible situation, so
>that if it happens anyway, you can recover gracefully? To what level
>of detail and impossibility will you go? When you write Ada code, how
>many exception handlers for Program Error do you put into your code?

I am currently working on a fault tolerant computer project. The faults we are tolerating are -hardware- faults. We assume that -anything- can happen if hardware fails. If you just checked that X = 3, it does not matter. As Pat Rodgers said, in a space environment X could experience a single-event upset that could change its value to 2.

So for our system, we have 4 processors each running the same software. RAM scrubbing checks memory. Presence tests check that the software is in the same place at the same time on each processor. Voting of inputs guarantees that a maximum of 1 processor will have bad data (if any do). Outputs are voted at the actuators. This protects against any single hardware failure from affecting the system. With our system we can tolerate 2 hardware failures if they happen sufficiently long enough apart for the software to have reconfigured after the first failure.

The numbers folks have given this sort of system a probability of about 99.999999999% of success (defined as the computer system not failing during the mission). I might have missed some "9"s, but it is at least this good. For comparison, a single computer that is performing Built-in-test periodically has a probability of about 95% or less (depending on the radiation environment).

If the system has a design error (such as Ariane 5), nothing can save the system. It is similar to getting 4 failures at the same time in our system. That is what testing, proofs, peer reviews, etc. are for: to get rid of design and manufacturing errors (where manufacturing errors for software would be coding errors).

Getting back on the initial track of this thread, Ada helps to prevent coding errors. It certainly can not stop design errors.

Can one trust C or C++ in a pacemaker? Probably. Could the errors that were found during the extensive testing have been prevented if Ada had been used? Some. Could they save time and money by using Ada? Very likely. Would maintenance be easier? Definitely. Can you re-use the software on another system without somehow verifying the new system? NO!

Roger Racine
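The four-channel voting and reconfiguration scheme the post describes, as an added C example that is not the poster's code nor from any project the thread mentions. It assumes integer channel inputs and models "reconfigured after the first failure" as retiring any channel that dissents from the majority, which is why two faults spaced apart are survivable while two in the same cycle are not.

```c
#include <stdbool.h>
#include <stdint.h>

#define CHANNELS 4  /* four processors each running the same software */

enum vote_status { VOTE_OK, VOTE_RECONFIGURED, VOTE_FAILED };

struct voter {
    bool active[CHANNELS];  /* channels the voter still trusts (assumed model) */
};

void voter_init(struct voter *v)
{
    for (int i = 0; i < CHANNELS; i++) v->active[i] = true;
}

int voter_active_count(const struct voter *v)
{
    int n = 0;
    for (int i = 0; i < CHANNELS; i++) n += v->active[i] ? 1 : 0;
    return n;
}

/* Vote one cycle of inputs. On success *out receives the agreed value and
 * every active channel that dissented is retired, so a later, independent
 * fault can still be outvoted by the channels that remain. */
enum vote_status voter_vote(struct voter *v, const int32_t in[CHANNELS], int32_t *out)
{
    int active = voter_active_count(v), best_count = 0, best_idx = -1;
    for (int i = 0; i < CHANNELS; i++) {
        if (!v->active[i]) continue;
        int count = 0;
        for (int j = 0; j < CHANNELS; j++)
            if (v->active[j] && in[j] == in[i]) count++;
        if (count > best_count) { best_count = count; best_idx = i; }
    }
    /* A strict majority of the active channels is required: a 2-vs-2 split
     * (two faults in the same cycle) is undecidable, so the voter fails. */
    if (best_count * 2 <= active) return VOTE_FAILED;
    *out = in[best_idx];
    enum vote_status st = VOTE_OK;
    for (int i = 0; i < CHANNELS; i++)
        if (v->active[i] && in[i] != *out) { v->active[i] = false; st = VOTE_RECONFIGURED; }
    return st;
}
```

With all four channels healthy a single corrupted value is masked and that channel is dropped; a second, later fault is then outvoted 2-to-1, but a third fault leaves 1-vs-1 and the voter reports failure.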