Re: Need help with PowerPC/Ada and realtime tasking

[JP Thornley <jpt@diphi.demon.co.uk>]

In article: <dewar.833197805@schonberg>  Robert Dewar writes:
> 
> JP Thornley said
> 
> "My view is that code can never be judged as safe or unsafe - only
> correct or incorrect.  However my usage of the words "safe" - and
> "safety-critical" carries a lot of additional baggage, and it is
> possible that we are differing over the meaning of these words rather
> than anything fundamental.
> "
> 
> I think that is completely wrong. Correctness, i.e. formal conformance
> between the implementation and the specification, is neither necessary
> nor sufficient for safety.
> 
> It is not necessary, because there can be deviations that are not
> life-critical, e.g. if the horizon display on the pilots console
> is not the specified shade of green, it is not critical.
> 
> It is not sufficient, because the formal specification may be incomplete
> or incorrect.
> 

But I am talking only about those software components of the system that 
have been rated as safety-critical - so, by definition, a failure of 
that component to meet its requirements creates an uncontrolled risk of 
a hazard occuring.  I would be surprised if the exact shade of green 
on a display were to be rated safety-critical.  (I suspect that it is 
unusual for any part of a display to be rated as safety-critical as 
there will always be multiple independent sources of information).

Incomplete or incorrect requirements for a software component affect 
*system* safety - just as they would for any other type of component.  

Clearly it is a software engineering responsibility to check the 
requirements for incompleteness and ambiguity but, for example, if an 
algorithm is specified incorrectly and this results in a valve opening 
instead of it remaining closed, I do not see what is gained by claiming 
that the software which implements that algorithm is unsafe.  As another 
way of looking at this, what actions can a software engineer take to 
create safe sofware from potentially incorrect requirements (apart from
being a better domain expert than the systems engineer and getting the 
requirements changed).

-- 
------------------------------------------------------------------------
| JP Thornley    EMail jpt@diphi.demon.co.uk                           |
------------------------------------------------------------------------