From: Simon Pilgrim
Subject: Re: Help Me Please :)
Date: 2000/04/06
Message-ID: <38ECEB56.8FD7596E@gecm.com>
References: <89rlvr$gn9$1@nntp3.atl.mindspring.net> <38D8A607.F61F0FFF@mail.com> <8bqcu2$s0p$1@nnrp1.deja.com> <8brgcd$5kp$1@nnrp1.deja.com>
Organization: Marconi Electronic Systems
Newsgroups: comp.lang.ada

Robert Dewar wrote:
>
> In article <8bqcu2$s0p$1@nnrp1.deja.com>,
> reason67@my-deja.com wrote:
> > "Ladies and Gentlemen, Thank you for flying on the Boeing 777 Flight
> > 633. Unfortunately, due to a minor bug in the flight control software
> > raising a predefined exception and Ada RM section 11.6, the flight
> > control software has crashed. We are now heading towards the ground at
> > 700 miles per hour. Estimated time of arrival 10 seconds. Have a nice
> > day."

As one of the many engineers who have worked on the Boeing 777 Primary
Flight Computer, I'd like to respond to that.

> Well there was no smiley there, so let's assume the (rather
> hard to believe) point is being made seriously.
>
> In that case it is way way off base. Any safety critical
> software is validated and verified at the object level. You
> never depend on the correctness of the compiler, or the
> correctness of understanding of the high level language
> semantics.

Correct. The PFC code was module tested at object level.

> Furthermore, in most safety critical software, one would never
> have such a handler. Why not? Because it might typically be the
> case that the handler code is deactivated, and deactivated code
> is not permitted in many SC protocols.

Right again.

> Finally, 11.6 is about optimization, it is almost always the
> case that you want *no* optimization for SC code. Why? Because
> you want the best possible correspondence between source code
> and object code.

Not true for the PFC. We have a lot of code to squeeze into that frame.

> So in short, the scenario above is triply unlikely!

More than that. We have a triple redundant system, with three PFCs per
airplane. Within each PFC are three lanes, each with a different type of
processor. The same source code is compiled to the three different
targets with three different compilers.

--
Regards,
Simon Pilgrim
Senior Systems Engineer
Avionic Systems Division
BAE SYSTEMS, Rochester, UK
Views expressed above are not necessarily shared by my employer.
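An added illustrative example, not code from the post above and not the 777 PFC's own software: a three-lane command voter in C showing why the lane redundancy described in the reply can tolerate one lane going wrong, whether that lane was miscompiled, hit a processor fault, or raised something it could not handle. The median selection, the disagreement tolerance and the handling of fewer than three valid lanes are assumptions made for illustration, not the PFC's actual voting scheme, and the lane values fed in are constructed sample data.

```c
/* Added example: a three-lane command voter. Each lane is assumed to compute
 * the same command independently (in the PFC, from one source built with
 * different compilers for different processors). The voter selects a value
 * that a single faulty lane cannot drive, and flags any lane that disagrees.
 * Median selection and tolerance check are illustrative assumptions. */
#include <stdio.h>
#include <stdbool.h>

#define LANES 3

typedef struct {
    double value;  /* command computed by this lane */
    bool   valid;  /* false if the lane has already declared itself failed */
} lane_output_t;

typedef struct {
    double   selected;       /* command passed on to the actuator */
    int      valid_count;    /* number of lanes that contributed */
    unsigned disagree_mask;  /* bit i set if valid lane i is outside tol of selected */
} vote_result_t;

static double absd(double x) { return x < 0.0 ? -x : x; }

/* Median of three: a single wild value, high or low, is never selected,
 * and the voter need not know in advance which lane is the wrong one. */
static double median3(double a, double b, double c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

vote_result_t vote_lanes(const lane_output_t lanes[LANES], double tol)
{
    vote_result_t r = { 0.0, 0, 0u };
    double vals[LANES];
    int n = 0;

    for (int i = 0; i < LANES; i++)
        if (lanes[i].valid) vals[n++] = lanes[i].value;
    r.valid_count = n;

    switch (n) {
    case 3:  r.selected = median3(vals[0], vals[1], vals[2]); break;
    case 2:  r.selected = (vals[0] + vals[1]) / 2.0; break; /* no majority; cross-check below must catch a split */
    case 1:  r.selected = vals[0]; break;
    default: r.selected = 0.0; break; /* no valid lane: neutral command, caller treats valid_count==0 as failure */
    }

    /* Cross-lane monitor: any contributing lane outside tolerance of the selection is flagged */
    for (int i = 0; i < LANES; i++)
        if (lanes[i].valid && absd(lanes[i].value - r.selected) > tol)
            r.disagree_mask |= 1u << i;

    return r;
}

int main(void)
{
    /* Constructed sample frames; values are illustrative, not recorded data */
    lane_output_t agree[LANES]    = { {10.0, true}, {10.1, true}, {9.9, true} };
    lane_output_t one_bad[LANES]  = { {10.0, true}, {10.1, true}, {55.0, true} };
    lane_output_t two_left[LANES] = { {10.0, true}, {0.0, false}, {10.2, true} };

    vote_result_t a = vote_lanes(agree, 0.5);
    vote_result_t b = vote_lanes(one_bad, 0.5);
    vote_result_t c = vote_lanes(two_left, 0.5);
    printf("all agree : selected=%.2f disagree_mask=%u\n", a.selected, a.disagree_mask);
    printf("one bad   : selected=%.2f disagree_mask=%u\n", b.selected, b.disagree_mask);
    printf("two lanes : selected=%.2f valid=%d\n", c.selected, c.valid_count);
    return 0;
}
```

The point of the median rather than the mean is that the bad lane's value never reaches the actuator at all, and the disagree_mask gives the monitor a concrete lane to take offline rather than a blended command that is slightly wrong.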