From: Richard Riehle
Newsgroups: comp.lang.ada
Subject: Re: Ariane5 FAQ
Date: Wed, 30 Jul 2003 05:58:49 -0700
Organization: AdaWorks Software Engineering
Message-ID: <3F27C108.14E7000A@adaworks.com>
References: <1058968422.225561@master.nyc.kbcfp.com> <3F200AD0.94F79098@adaworks.com> <7u9Ua.13412$634.10307@nwrdny03.gnilink.net> <3F215120.1040706@attbi.com> <1059151910.357790@master.nyc.kbcfp.com> <3F248CEE.5050709@attbi.com> <3F25FB81.A81694FA@adaworks.com>

Hyman Rosen wrote:

> But if the Ariane 4 code had carried the specification limits
> within it, as DbC, or as SPARK assertions, or as range checks,
> perhaps someone might have noticed that the Ariane 5 failed to
> meet those constraints.

Yet they did design the Ariane 4 within those limits. They would have had to anticipate some yet unknown information regarding future projects. There is a limit to how much checking one can do in any system.
Industrial engineers raise the question of 100% checking for a 0.0001% probability of error. This becomes a risk management problem as well as a problem in engineering economics. Every software product carries a certain amount of risk. As we weigh the consequences of a risk against the cost of mitigation/prevention and the probability it will occur, we make choices.

In the case of Ariane 4, the risk was deemed inconsequential -- a correct deeming, it seems. For Ariane 5, the risk was significant, but the engineers failed to recognize it.

Richard Riehle
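The quoted suggestion above is that the specification limits travel with the code, as a DbC precondition, a SPARK assertion, or a range check, so that input from a flight profile outside the designed envelope is reported rather than silently converted. The following is an added example illustrating that point; it is not code from the original post or from any Ariane software. The envelope constants (BIAS_MIN, BIAS_MAX), the sensor readings and the function names are constructed for illustration and are not Ariane figures. It is written in Rust because the unchecked `as` cast there is deterministic (it saturates), which makes the contrast with the checked conversion easy to see.

```rust
// Added example (not from the original post): a specification limit carried
// in the code as a range check on a float-to-16-bit conversion, beside the
// unchecked conversion that trusts the envelope is never exceeded.

/// Hypothetical operating envelope for a sensor value, in the sensor's units.
/// Assumed for the example: the downstream 16-bit field is only meaningful for
/// readings in this range, so anything outside it is a specification violation.
pub const BIAS_MIN: f64 = -30_000.0;
pub const BIAS_MAX: f64 = 30_000.0;

#[derive(Debug, PartialEq)]
pub enum ConversionError {
    /// The input lay outside the documented envelope.
    OutOfRange { value: f64, min: f64, max: f64 },
    /// The input was NaN, which no range comparison can place.
    NotANumber,
}

/// Unchecked conversion, as written when the envelope is assumed never to be
/// exceeded. Rust's `as` cast saturates for out-of-range floats, so a reading
/// of 48 000 comes out as a plausible-looking i16::MAX instead of a fault.
pub fn convert_unchecked(value: f64) -> i16 {
    value as i16
}

/// Checked conversion: the limit is part of the code, not only of the
/// specification document. A value outside [BIAS_MIN, BIAS_MAX] is reported.
pub fn convert_checked(value: f64) -> Result<i16, ConversionError> {
    if value.is_nan() {
        return Err(ConversionError::NotANumber);
    }
    if value < BIAS_MIN || value > BIAS_MAX {
        return Err(ConversionError::OutOfRange {
            value,
            min: BIAS_MIN,
            max: BIAS_MAX,
        });
    }
    // Inside the envelope, so the truncating cast cannot exceed i16.
    Ok(value as i16)
}

/// Runs a sequence of readings through the checked conversion and returns the
/// index of the first reading that violates the envelope, with the error.
pub fn first_violation(readings: &[f64]) -> Option<(usize, ConversionError)> {
    readings
        .iter()
        .enumerate()
        .find_map(|(i, &r)| convert_checked(r).err().map(|e| (i, e)))
}

fn main() {
    // Constructed readings: three inside the envelope, then one from a flight
    // profile the envelope was never designed for.
    let readings = [1_250.0, 8_900.5, 29_999.0, 48_000.0];
    for &r in &readings {
        println!(
            "{:>10.1} unchecked={:>6} checked={:?}",
            r,
            convert_unchecked(r),
            convert_checked(r)
        );
    }
    if let Some((i, e)) = first_violation(&readings) {
        println!("first violation at sample {}: {:?}", i, e);
    }
}
```

The unchecked path is the one that "works" on every Ariane 4 style input and only misbehaves when the envelope is exceeded; the checked path turns that same event into a visible, testable failure, which is what the quoted argument says a DbC or range-check discipline buys. Whether the cost of that check is worth paying is the risk-management question the post raises.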