From: WhiteR@nospamplease.CRPL.Cedar-Rapids.lib.IA.US (Robert S. White)
Subject: Re: Critique of Ariane 5 paper (finally!)
Date: 1997/08/22
Message-ID: <5til7i$boi$1@flood.weeg.uiowa.edu>
In-Reply-To: 33FC66AD.9A0799D4@calfp.co.uk
In article <33FC66AD.9A0799D4@calfp.co.uk>, nickle@calfp.co.uk says...
>Let us say for the moment that in some circumstances DBC helps.
>For those that have been criticising DBC, since DBC is optional, and is an
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Nobody that I know of on this thread has been "criticising DBC"!
What all the furor is about, is the claims that DBC _must_ be
used to create reliable software.
Ken, I, and a few others have been arguing that you cannot
always employ the executable code aspects of DBC (or Ada
run time checks) in hard real time systems with constrained
resources.
The other issue is that in the Ariane 5 case, the
methodology that was in place (system requirements review and
software requirements specification), was not followed
adequately. To quote the inquiry report once more:
"the overriding means of preventing failures are the reviews
which are an integral part of the design and qualification
process, and which are carried out at all levels and involve
all major partners in the project (as well as external
experts)"
The as-is reuse of the Ariane 4 IRS software should not have
made it past such reviews. Please read Ken's rebuttal paper:
http://www.progsoc.uts.edu.au/~geldridg/eiffel/ariane/
My reading of it does not indicate a general "criticising DBC";
rather, it summarizes:
"In the specific case of the Ariane IRS design fault, there
is not clear and compelling evidence that DBC/Eiffel
assertions were likely to have uncovered the fault prior to
operational use, either through their documentation, test,
or execution value. Furthermore, alternative means were
available to the Ariane team to isolate the particular
fault, even without the use of DBC/Eiffel. Therefore,
although there may be a compelling claim to use DBC/Eiffel
in real-time safety-critical systems, the Ariane case
(and the Eiffel paper describing this case) does not
support such a claim."
My complaint is against the claim in the Eiffel paper:
"Does this mean that the [Ariane 5] crash would
automatically have been avoided had the mission used
a language and method supporting built-in assertions
and Design by Contract? Although it is always risky
to draw such after-the-fact conclusions, the answer
is probably yes..."
^^^^^^^^^^^^
I say, IMO, probably no for the Ariane 5 case. But I
think it is a "good thing" to use assertions and/or a DBC
methodology whenever practical. Unfortunately, IME, it is
often not practical for resource constrained hard real time
systems.
_____________________________________________________________________
Robert S. White -- An embedded systems software engineer
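The trade-off the post describes, an executable precondition that costs a check on every call versus a build with run-time checks compiled out, as an added C example. This is not code from the post, from Ken Garlington's paper or from the Ariane project. The only background fact taken from the inquiry report is that the fault was an unprotected conversion of a 64-bit floating-point value to a 16-bit signed integer; the function names, the sample trajectory and its numbers are constructed for illustration and are not Ariane data.

```c
/* Added example, not code from the post, the Garlington paper or the Ariane
 * project.  Function names, the sample trajectory and its values are
 * hypothetical.  Build: cc -std=c99 -Wall contract_demo.c */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    bool    ok;     /* false if the precondition (value fits int16_t) failed */
    int16_t value;  /* meaningful only when ok is true */
} conv16;

/* Precondition of the narrowing conversion.  Both comparisons are false for
 * NaN and for +/-infinity, so no <math.h> classification is needed. */
static bool fits_int16(double x)
{
    return x >= (double)INT16_MIN && x <= (double)INT16_MAX;
}

/* Checked conversion: the contract is evaluated on every call and a
 * violation is reported to the caller instead of producing a value. */
conv16 to_int16_checked(double x)
{
    conv16 r = { false, 0 };
    if (!fits_int16(x))
        return r;
    r.ok = true;
    r.value = (int16_t)x;   /* in range, so the cast is well-defined */
    return r;
}

/* Model of the same conversion with the check compiled out: the value is
 * reduced modulo 2^16, the silently wrong result an unchecked narrowing
 * produces.  (An out-of-range double-to-integer cast is undefined in C, so
 * the wrap is computed explicitly; assumes |x| < 2^63.) */
int16_t to_int16_unchecked(double x)
{
    uint16_t u = (uint16_t)(int64_t)x;          /* modulo 2^16, well-defined */
    return (u & 0x8000u) ? (int16_t)((int32_t)u - 0x10000) : (int16_t)u;
}

/* Constructed trajectory: a quantity that stays inside the int16_t envelope
 * for the first samples and then grows past it.  Not Ariane data. */
static const double SAMPLES[] = { 1000.0, 5000.0, 20000.0, 30000.0, 40000.0, 50000.0 };
static const size_t N_SAMPLES = sizeof SAMPLES / sizeof SAMPLES[0];

/* Index of the first sample that violates the precondition, or n if none. */
size_t first_violation(const double *samples, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!fits_int16(samples[i]))
            return i;
    return n;
}

/* One possible handler: on a contract failure keep the last good value and
 * tell the caller, instead of letting a wrapped value propagate. */
bool apply_sample(double x, int16_t *state)
{
    conv16 c = to_int16_checked(x);
    if (!c.ok)
        return false;
    *state = c.value;
    return true;
}

int main(void)
{
    int16_t state = 0;
    for (size_t i = 0; i < N_SAMPLES; i++) {
        bool accepted = apply_sample(SAMPLES[i], &state);
        printf("sample %zu = %8.1f  checked: %s (state %6d)  unchecked: %6d\n",
               i, SAMPLES[i], accepted ? "ok      " : "VIOLATED",
               state, to_int16_unchecked(SAMPLES[i]));
    }
    return 0;
}
```

Two things the example makes concrete. The checked path pays two comparisons and a branch on every sample, and a violation is only useful if a handler such as apply_sample has been designed for it; that per-call cost plus the handler is what the post means by "not always practical" under hard real time constraints. And the check fires only when a sample actually leaves the envelope, so whether it would have been hit before operational use depends entirely on whether the test trajectories covered that region, which is the point the quoted Garlington summary makes.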