comp.lang.ada
From: Richard Riehle <richard@adaworks.com>
Subject: Re: Boeing and Dreamliner
Date: Sun, 29 Jun 2003 11:26:54 -0700
Message-ID: <3EFF2F6D.3793971@adaworks.com>
In-Reply-To: k2wLa.21663$N%6.3746@nwrdny02.gnilink.net

Hyman Rosen wrote:

> Alexander Kopilovitch wrote:
> > This is a correct sentence, it conveys truth, but in such a way that you can't
> > dissect it or extract contiguous part of it without converting the truth to a
> > lie. Actually, the SRI software code for Ariane 4 was *perfectly good for
> > Ariane 4*, although it quite probably was not so good in general -- so your
> > sentence "It was not perfectly good code." is probably true also.
>
> The Ariane 4 programmers exactly reproduced the Y2K problem in microcosm.
> They wrote code that took advantage of limited input range, and sent it out
> into the world with insufficient protection against the future. It was
> perfectly good in the same way as two digit years.

A key difference between designing in Ada and  many other languages
is the use of problem-space constraints.   For example, a designer might
declare an integer type such as,

                   type Number is range 12..451;

if the problem under consideration called for that kind of constraint.  If,
at some later time, I decide to use the solution bounded by that constraint
to solve a problem that requires a different set of constraints, I will have
made a mistake.   The mistake, in that case, is mine, not that of the previous
designers.

What we often encourage, for Ada designs, is that the algorithmic details
be independent of some particular set of constraints.   Generic components
are sometimes useful for this.  For example,

                   generic
                       type Num is range <>;
                   function Compute(Data : Num) return Num;

where the internal algorithmic construct will behave exactly the
same way on every instantiation of Compute after associating the
generic formal parameter with a generic actual parameter.

Putting aside the option of designing with generics, since many in the
safety-critical community distrust this language feature,  the issue of
specifying constraints that precisely map the solution-space to the
problem-space continues to be a useful feature of the language.  If
I accept this constraint during development, many potential problems
will be identified early in my process.

If, on the other hand, I choose to bypass the language safeguards and
use  unchecked features of the language,  I am putting my entire design
at risk.   This is one aspect of the Ariane 4 software that contributed
to the Ariane 5 event.   The developers of the Ariane 4 software took
the trouble to ensure that the unchecked operations were appropriate.
The engineers on Ariane 5, many of whom were the same people from
Ariane 4, failed to evaluate the potential consequences of those same
unchecked operations.

Is this a failure of the language?  One might suggest that the option of
unchecked operations in Ada is a language problem.  However, we
must also recognize that the language clearly specifies that unchecked
operations are "unchecked" by the compiler.   In most languages, such
unchecked operations are the default, not an option.   For  example, in
the C family of languages, automatic type promotions rarely present
any kind of warning to the programmer.   In Ada, the programmer must
bypass the normal rules of the language to achieve the same result.

So, the software design for Ariane 4 was exactly right for Ariane 4. It
was not designed for some future system.   To suggest that this is the
equivalent of Y2K is interesting.  It re-raises some issues related to the
original subject of this thread, that of the Boeing 7E7 and Boeing 777.
And those issues directly support the folly of even thinking about using
C++ for this aircraft.  They also indicate where caution should be the
watchword when transitioning 777 software to the 7E7.

As I indicated in an earlier posting, I am confident the Boeing engineers
will understand the lessons of Ariane 4/5 when re-using Ada code from
the 777 on the 7E7.  I am also confident that, pressures from resume-builders
notwithstanding, they will realize the value of using contemporary Ada,
with its excellent record for software safety, instead of a language so
characterized by unpredictability that they could never be sure that some
undetected behavior might manifest itself long after even the best of
testing has been completed.

Richard Riehle
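An added example, not part of Richard Riehle's post, that puts the three ideas above side by side in compilable Ada: a problem-space constrained integer type, the Compute generic instantiated over it, and a checked narrowing conversion beside an unchecked reinterpretation of the same bits. The procedure name Constraints_Demo, the Int_16 type, the Reinterpret instantiation and the sample values are all constructed here for illustration and are not from the post or from any Ariane source.

```ada
--  Added example (not from the original post).  Shows a constrained type,
--  a generic over any integer range, and checked versus unchecked
--  narrowing of a wider value into a 16-bit integer.
with Ada.Text_IO;            use Ada.Text_IO;
with Ada.Exceptions;         use Ada.Exceptions;
with Ada.Unchecked_Conversion;
with Interfaces;             use Interfaces;

procedure Constraints_Demo is

   --  Problem-space constraint, as in the post: for this system the value
   --  can only legitimately be 12 .. 451.
   type Number is range 12 .. 451;

   --  The algorithm is written once, independent of any particular range.
   generic
      type Num is range <>;
   function Compute (Data : Num) return Num;

   function Compute (Data : Num) return Num is
   begin
      --  Midpoint between Data and the instantiation's upper bound.
      --  Arithmetic stays inside Num, so overflow is still checked.
      return Data + (Num'Last - Data) / 2;
   end Compute;

   function Compute_Number is new Compute (Number);

   --  A 16-bit signed target, the kind of narrow store the Ariane
   --  discussion concerns (hypothetical type, constructed for the example).
   type Int_16 is range -2**15 .. 2**15 - 1;
   for Int_16'Size use 16;

   --  Same size as Unsigned_16, so a bit-for-bit reinterpretation is
   --  well defined; the point is that no range check happens at all.
   function Reinterpret is new Ada.Unchecked_Conversion
     (Source => Unsigned_16, Target => Int_16);

   --  Constructed sample inputs, declared as variables so the conversions
   --  below are evaluated at run time rather than rejected statically.
   Sensor_Reading : Number      := 100;
   Raw_Bits       : Unsigned_16 := 40_000;   -- above Int_16'Last
   Wide_Value     : Float       := 50_000.0; -- above Int_16'Last

   Narrow : Int_16;
begin
   --  1. Constrained type through the generic: 100 + (451 - 100) / 2 = 275.
   Put_Line ("Compute_Number (100) ="
             & Number'Image (Compute_Number (Sensor_Reading)));

   --  2. Checked float-to-integer conversion: the language inserts a
   --     range check and raises Constraint_Error instead of storing junk.
   begin
      Narrow := Int_16 (Wide_Value);
      Put_Line ("unexpected:" & Int_16'Image (Narrow));
   exception
      when E : Constraint_Error =>
         Put_Line ("checked conversion of 50_000.0 raised "
                   & Exception_Name (E));
   end;

   --  3. Checked integer-to-integer conversion: also raises for 40_000.
   begin
      Narrow := Int_16 (Raw_Bits);
      Put_Line ("unexpected:" & Int_16'Image (Narrow));
   exception
      when E : Constraint_Error =>
         Put_Line ("checked conversion of 40_000 raised "
                   & Exception_Name (E));
   end;

   --  4. Unchecked conversion: same bits, no check, silently -25_536.
   --     This is only "appropriate" while the input-range assumption of
   --     the original system still holds; reuse on a system with a wider
   --     input range turns it into a silent wrong answer.
   Narrow := Reinterpret (Raw_Bits);
   Put_Line ("unchecked reinterpretation of 40_000 gives"
             & Int_16'Image (Narrow));
end Constraints_Demo;
```

Cases 2 and 3 are what the post calls the normal rules of the language: the out-of-range value is caught at the conversion, where a handler can still do something sensible. Case 4 is the bypass; it is correct by construction only for inputs that fit in 15 bits, which is exactly the kind of assumption that must be re-evaluated when the code moves to a new vehicle.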
