From: peb@transcontech.co.uk ("Paul E. Bennett")
Subject: Re: The stupidity of all the Ariane 5 analysts.
Date: 1997/08/01
Message-ID: <870438757snz@transcontech.co.uk>
References: <33E06929.59F6@easystreet.com>
Organization: Transport Control Technology Ltd.
Newsgroups: comp.object,comp.software-eng,comp.lang.ada,comp.lang.eiffel

In article <33E06929.59F6@easystreet.com> achrist@easystreet.com "Al Christians" writes:

> It would be nice if there could be a clear spec that includes everything
> that might happen in the real world, but when the real world does
> something that the spec didn't anticipate, do we want the software to
> just curl up and die?

If such a spec could be produced it would probably be too large to understand in reasonable time. Instead, we need to construct our systems so that out-of-the-ordinary stimuli do not cause unexpected activity of the system. This involves knowing what happens in the system when the stimuli exceed the design limitations. This takes some effort in FMECA and the designing in of "Inherent Robustness" for the system to become dependable.

If we are going to re-use components, we need to be more certain about what the effects are for component failure. In the A5 flight systems situation, there were other factors in the organisation which blindly accepted the decision for non-provision of flight profiles. A risk assessment for the decision should have been conducted to determine if this was a reasonable decision.

-- 
Paul E. Bennett ................... Transport Control Technology Ltd.
+44 (0)117-9499861
Going Forth Safely