Re: Ada and Automotive Industry

[wardi@rsd.bel.alcatel.be (Ian Ward)]

In article 2110383@news.geccs.gecm.com, andy.ashworth@gecm.com (Andy Ashworth) writes:
>FWIW my two-penn'orth on the issue of safety and languages. Safety is
>a property of a system, i.e. the combination of software, hardware,
>hydraulics, and other bits you can kick. I agree with Chris that the

If? What if it is not, or what if the C++ compiler is more
faulty than the Ada one.

>safety of a language is a moot point if the tool support is buggy

but what if tool support is not buggy?

 -
>while the code source file may be 
"Is"

inherently "safer" (i.e. perception
>of correctness is higher) for Ada or Modula 2 than for C or C++, when
>compiled with buggy tools the safety of the overall system is
>degraded.
>
>Having spent a number of years assessing real industrial safety
>critical systems, I have come to the conclusion that the language used
>is not an issue; 

Then I contend that you have not learnt anything, because if nothing
else (and I say "if") then software developed using these safe languages
is completed quicker, which all things being equal gives engineers more
time to look at the potential problem areas.

rather, it is how it is used that can significantly
>affect the ultimate safety levels. How the language is used is one
>function of management and IMHO it is weak management that is the

"Greatest threat" perhaps, but not the only threat.

>greatest threat to public safety where software is concerned and not
>the use of a language with weak semantics. I believe that ADA, Modula
>2 and other so called safe languages

can?

 can produce and unsafe result
>just as the unsafe languages like C

can?

 can be used to produce a safe
>system.
>
>#define rant=off
>
>Andy Ashworth
>
>Senior Software Safety Engineer
>
>Opinions are mine and not GEC's - they don't pay me enough to make
>policy!
>

Yes... I love the use of this word "can".
this is the second time within a month I have heard this
argument.

You get to hear it all the time from systems analysts.
"I know that Ada is safer than X | better for big systems |
 etc., but...

pick one
[design is [just as | more] important, if a design is faulty,
 then the software will not meet it's functional requirements,
 thereofre it is alright to use X |
 requirements are [just as | more] important, if the requirements
 are ambiguous, then the design is likely to be faulty therefore
 we can use X |
 testing is [just as | more] important, if the software is
 untested, the software is bound to have bugs, therefore, as we
 are going to test it, we can use X.]

A software lifecycle, is not like a rope, where if you have
one particular strand (such as design) all the rest of the
strands just need to be average. A software lifecycle is 
just like a chain, it is as weak as the weakest link, you can
have the greatest design in the world, but if you go and code
your 12 million line system, in some crap language, that was
never meant for big system design, then you get what you 
deserve.

The argument gets worse, it goes on, "there is no evidence to
indicate that X is any worse than Ada" so you respond with "How
many companies have the money to do parallel developments just
to get the metrics? (Hopefully, Tickit shall reveal some 
embarassing home truths in future years.) "

You then get a plethora of sentences with "could", "can" and
"should" in.
Software "could" be written in any language. It "should" be
possible to do big systems work in X. Errors "can" occur with
any language, or tool, or hardware... 

Yes, I say, "any language".

Their argument is rather like saying, I am not going to wear
a crash helment, because my motor cycle has no seat belt. If
I have an accident I am going to get hurt anyway.

I respectfully disagree with your point Andy, completely.

---
Ian Ward's opinions only : wardi@rsd.bel.alcatel.be