From: WhiteR@nospamplease.CRPL.Cedar-Rapids.lib.IA.US (Robert S. White)
Subject: Re: Safety-critical development in Ada and Eiffel
Date: 1997/08/10
Message-ID: <5sl1ug$lji$1@flood.weeg.uiowa.edu>
References: <33CD1722.2D24@calfp.co.uk> <33D24C91.C9730CBA@munich.netsurf.de> <33D71492.6F06@uk.ibm.com> <33D9B8F9.4693018C@munich.netsurf.de> <5rh12t$jl0$1@flood.weeg.uiowa.edu>
Organization: The University of Iowa
Newsgroups: comp.object,comp.software-eng,comp.lang.ada,comp.lang.eiffel

In article , nino@complang.tuwien.ac.look-in-sig says...

>There is a school of thought which insists that verifying hard real-time
>systems by testing them is pointless, since you can hardly simulate all
>possible events, how they interact, occur at the same time ("avalanches")
>etc.

I'll grant that regression Formal Qualification Tests do not verify all possible timing combinations, but the point is to run the embedded system through some normal usage scenarios to _try_ to find defects that have escaped the net of design reviews, code inspections, and low-level tests. The level and degree (usage extremes) of the regression tests depend on what the safety requirements, warranty requirements, customer, software quality assurance, etc. demand versus time, equipment and money resources. Yes, it is a level of gray, not black and white.
>Some other approaches might be taken, a good one is (IMHO) static
>scheduling and checking of time constraints, which is possible if you
>reduce the scope of the language the code is written in (e.g. no infinite
>loops allowed).

It would be a difficult paradigm shift for my co-workers and me to give up using tasks with infinite loops that wait for events to be signaled or for certain amounts of time to elapse. Of course this also requires the ability to detect task "cycle slips". I've been doing this for the last 12 years using both Jovial and Ada83 and have been able to deploy reliable hard real-time systems. This is not just a language issue, as RTEs and RTOSs can be used by a lot of different languages. I'm trying to visualize just what this approach you are talking about would involve that does not use any loops. Guess I have to copy down one of the papers you cite.

_____________________________________________________________________
Robert S. White -- An embedded systems software engineer
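As an added illustration of the "cycle slip" detection the post above mentions for a periodic task built on an infinite wait loop (example code in C, not the poster's Ada or Jovial code; the period, the simulated execution times and the function names are constructed for this example):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All times are in microseconds. */
typedef uint64_t usec_t;

/* Given the scheduled release time of the next cycle and the current time,
 * count how many whole frames the task has slipped and move the release
 * time forward past "now", so the task re-synchronises to its frame instead
 * of running a burst of catch-up cycles. Returns the number of slipped
 * cycles (0 when the task is on time). */
unsigned advance_release(usec_t *next_release, usec_t now, usec_t period)
{
    if (now <= *next_release)
        return 0;                 /* on time: just wait for the release */
    unsigned slipped = (unsigned)((now - *next_release) / period) + 1;
    *next_release += (usec_t)slipped * period;
    return slipped;
}

/* Simulate a periodic task: each cycle starts at its release time and runs
 * for exec_us[i]. Returns the total number of slipped cycles over the run,
 * which is what a monitor would log or raise as a fault. */
unsigned simulate_task(usec_t period, const usec_t *exec_us, size_t n)
{
    usec_t now = 0, next_release = 0;
    unsigned total_slips = 0;
    for (size_t i = 0; i < n; i++) {
        total_slips += advance_release(&next_release, now, period);
        now = next_release;       /* task wakes at its (possibly advanced) release */
        now += exec_us[i];        /* ... and runs for its execution time */
        next_release += period;   /* next frame boundary */
    }
    return total_slips;
}

int main(void)
{
    /* Constructed 1 ms frame with two overruns (2.5 ms and 1.2 ms). */
    const usec_t exec_us[] = { 200, 2500, 300, 1200, 100 };
    unsigned slips = simulate_task(1000, exec_us, 5);
    printf("slipped cycles: %u\n", slips);   /* prints 3 */
    return 0;
}
```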