From: JP Thornley
Subject: Re: Ariane 5 - not an exception?
Date: 1996/07/31
Message-ID: <687081688wnr@diphi.demon.co.uk>
references: <285641259wnr@diphi.demon.co.uk> <483202904wnr@diphi.demon.co.uk>
organization: None
reply-to: jpt@diphi.demon.co.uk
newsgroups: comp.lang.ada

In article: eachus@spectre.mitre.org (Robert I. Eachus) writes:

> First, I think of mission critical as a different category than
> safety critical. In safety critical systems, fail safe is often an
> option where in mission critical systems you need to fail operational.

Hmmm, hadn't come across that distinction before, but it does seem to make sense in some cases. But making fail operational a defining characteristic of mission critical systems seems a bit too strong - how many 'glass cockpit' aircraft have no backup suck and blow instruments to use when all the screens go blank?

> And yes, systems can be safety AND mission critical. Those are the
> expensive ones.
>

Again, in my terminology, the development standards for mission critical are wholly subsumed in those for safety-critical code, so classifying something as both has no real effect on the software development methods used.
> Having said that, this software should have been classed exactly
> that way, given the amount of miscellaneous missile parts that ended up
> scattered over the launch site, and the possibility that a guidance
> failure could put the missile anywhere in the world.
>

As I read the report, the recommendation that "software should be assumed to be faulty until applying the currently accepted best practice methods can demonstrate that it is correct" is saying that if the system design is to be based on the assumption of correct software then they will have to build that software to safety-critical standards. I wonder if they realise just how expensive that is going to be.

Phil Thornley

-- 
------------------------------------------------------------------------
| JP Thornley EMail jpt@diphi.demon.co.uk |
------------------------------------------------------------------------