comp.lang.ada
From: JP Thornley <jpt@diphi.demon.co.uk>
Subject: Re: Need help with PowerPC/Ada and realtime tasking
Date: 1996/06/02
Message-ID: <845806664wnr@diphi.demon.co.uk>
In-Reply-To: 31AEC06C.1EB@lmtas.lmco.com


Ken Garlington writes:
> 1. You can have the system stop processing when an unexpected event 
> occurs, ...
> 2. You can create a "kernel mode," representing a subset of the 
> requirements that are absolutely necessary for safe operation. ...
> 3. You can use checkpoint/rollback techniques ...
> 

and Robert I. Eachus writes:
>                                           ...... I much prefer
> the design philosophy that things can go wrong, and you do want sanity
> checks in the software.

I have no problem in agreeing with any of this, and would expect to see 
appropriate safeguards such as these and others being built into the 
software, but all of these techniques create system level behaviours 
that cannot be defined solely by the software engineer - the resulting 
system states must be visible in the system description and an obvious 
place is the software requirements.  If they are not in there as written 
then they should be introduced as the software implementation creates 
the need/opportunity to define them.

One certain sure route to unsafe systems is allowing the software to 
create undocumented system states that have not featured in the system 
safety analysis.

A factor that has not been mentioned yet is traceability, and I had 
rather assumed that everyone else was in a situation where every feature 
of the software is required to be traceable to a software requirement.  
So a correct (in my terms) implementation would also include the safe 
(in your terms) features that you are both asking for.

Ken Garlington also writes:
> Personally, I think it's better to use failure modes and effects 
> analysis on the requirements,

Agree absolutely - so this stuff has to *be* in the requirements - 

>  and do FMET testing after development, than to depend on this
> stuff. 

FMET is a new one on me (?Failure Modes Effect Testing??).  If that 
guess is right then I must admit to feeling uneasy about the ability 
of anyone to test thoroughly for all the effects of various weird 
failures.

-- 
------------------------------------------------------------------------
| JP Thornley    EMail jpt@diphi.demon.co.uk                           |
------------------------------------------------------------------------