From: "Marin David Condic, 407.796.8997, M/S 731-93"
Subject: Re: Ariane 5 failure
Date: 1996/10/16
Message-ID: <96101610071768@psavax.pwfl.com>
Newsgroups: comp.lang.ada

Robert Dewar writes:

> It *is* possible to write reliable programs, though it is expensive. If you
> need to do this, and are not able to do it, then the answer is to investigate
> the tools that make this possible, and understand the necessary investment
> (which is alarmingly high). Some of these tools are related to correctness,
> but that's not the main focus. There are reliable incorrect programs and
> correct unreliable programs, and what we are interested in is reliability.
>
> Now of course informally we would like to make all programs reliable, but
> there is a cost/benefit trade off. For most non-safety critical programming
> (but not all), it is simply not cost effective to demand total reliability.

You are absolutely correct about the cost. The control software we build is tested exhaustively from the module level on up to the integration with physical sensors & actuators well before it gets to drive an engine on a test stand - much less fly. It *is* enormously expensive - but in the present day it's the only way to be sure you aren't trying to fly something that will break. The point is that our software testing was derived from the same mindset as our hardware testing (turbine blades, pumps, bearings, etc.)

We probably test a hardware component for an engine even more rigorously and at greater expense than we do for software - which is, after all, just another "part" for the engine. The mistake that is often made when looking at software is to think that somehow (because it passed the "smoke" test?) it doesn't need the same sort of rigorous testing we'd demand of any physical device in order to be proven reliable. Who would want to fly in an airplane powered by engines, the design for which had been verified by powering up a single prototype once and running it for 10 minutes? You'd probably feel a lot safer if we ran a couple of prototypes right into the ground, including making them ingest a few birds and deliberately cutting loose a turbine blade or two at speed. If you want reliable software, the testing can be no less rigorous.

MDC

Marin David Condic, Senior Computer Engineer
Pratt & Whitney, GESP
P.O. Box 109600
West Palm Beach, FL 33410-9600
ATT: 561.796.8997   M/S 731-96
Technet: 796.8997
Fax: 561.796.4669
Internet: CONDICMA@PWFL.COM
Internet: CONDIC@FLINET.COM
===============================================================================
"The speed with which people can change a courtesy into an entitlement is
awe-inspiring." -- Miss Manners, February 8, 1994
===============================================================================