From: Richard Riehle
Newsgroups: comp.lang.ada
Subject: Re: Ariane5 FAQ
Date: Mon, 28 Jul 2003 21:43:45 -0700
Organization: AdaWorks Software Engineering
Message-ID: <3F25FB81.A81694FA@adaworks.com>
References: <1058968422.225561@master.nyc.kbcfp.com> <3F200AD0.94F79098@adaworks.com> <7u9Ua.13412$634.10307@nwrdny03.gnilink.net> <3F215120.1040706@attbi.com> <1059151910.357790@master.nyc.kbcfp.com> <3F248CEE.5050709@attbi.com>
Reply-To: richard@adaworks.com

"Robert I. Eachus" wrote:

> Berend de Boer wrote:
>
> > Except requirements it seems. And I think you should have a look at
> > Design By Contract and in particular Eiffel.
>
> No. And that is what all the sound and fury has been about. The
> mapping from requirements to actual code was perfectly done. The
> problem was that the requirements which were perfectly filled were for
> the Ariane 4, not the Ariane 5.

I suspect Berend was referring to the concept of including the requirements as assertions in the code. DbC is a technique for doing this.
However, there are other approaches to DbC that are more effective for safety-critical systems than that found in Eiffel. I am thinking here of SPARK. In general, the safety-critical community does not like the Eiffel model because it relies on assertion errors at run-time. While this is just fine for non-safety-critical software, it is not appropriate for a system such as Ariane V, or any other similar system.

Also, assertions themselves require that someone declare the appropriate assertions. In the case of Ariane V, if anyone had felt the need to do that, or even thought about it, they would also have made the same mistake they made in Ada, because the assumptions were wrong from the start.

I favor the DbC model and admire the work done by Bertrand Meyer in refining this idea. However, it is all too easy to over-simplify this kind of thing after the fact and suggest that, "If you had simply done things my way, you would not have had this problem." DbC and Eiffel would not have made a whit of difference in this engineering problem, articles and arguments to the contrary notwithstanding.

Ada used correctly would have been OK. C++ used wisely would have been OK. Eiffel and DbC used carefully would have been OK. Java, of course, would not have been OK under any circumstances.

In the final analysis, Ariane V was not a function of programming language, or design method, or development tools. It was an engineering mistake that began with poor management making incorrect assumptions. That same engineering mistake would have occurred regardless of tools, languages, and systems.

Richard Riehle