From: "Marin David Condic, 561.796.8997, M/S 731-96"
Subject: Re: Safety-critical development in Ada and Eiffel
Date: 1997/07/18
Message-ID: <97071811124101@psavax.pwfl.com>
Sender: Ada programming language
Comments: Gated by NETNEWS@AUVM.AMERICAN.EDU
Newsgroups: comp.lang.ada

Samuel Mize writes:
>Correct me if I'm wrong.
>
>My understanding from the previous threads was that there was
>a specific management decision to not consider Ariane 5
>requirements for the Ariane 4 INS design. The check removal
>was reasonable in the Ariane 4 context.
>

I read the report some time ago and memory fades - but my recollection is that they needed to gain some speed and decided to do so by removing the runtime checks. However, they performed an analysis first which indicated that across the entire Ariane 4 flight profile, the routine could not see any numbers big enough to cause the error. The mistake was in accepting Ariane 4 code for Ariane 5 and *presuming* that it was going to work just fine without checking it out across the Ariane 5 flight profile.

>Now, Meyer et al. never stated outright that using Eiffel (or
>assertions) would have prevented the crash; they stated that
>using Design By Contract (DBC) would have prevented the crash.
>

Point taken. But it still seems to me that the software design was 100% adequate in its original context.
(And the keyword here is "adequate" - "good enough" is not nearly so wonderful a thing as "perfect", but it's "good enough!") The mistake was to accept what was an adequate design in one context and presuming it would work fine without retesting it in the new environment. An analogy would be if I designed a wheel for a Honda Civic and then presumed (because wheels are wheels, right?) that I could mount the same wheel on a Lincoln Towncar. It might even work for a while until I took a really tight turn and the excess weight caused it to fail. Hence the fault was not with the design methodology - whatever methodology was originally used (including design by Ouija board, if you like) was *adequate* to produce a working product. The failure lies in the management decision - for which I'm sure someone caught some serious heck.

MDC

Marin David Condic, Senior Computer Engineer        ATT:      561.796.8997
Pratt & Whitney GESP, M/S 731-96, P.O.B. 109600     Fax:      561.796.4669
West Palm Beach, FL, 33410-9600                     Internet: CONDICMA@PWFL.COM
===============================================================================
"A government that is big enough to give you all you want is big enough to
take it all away." -- Barry Goldwater
===============================================================================
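Added illustration, not part of Condic's post or of the Ariane report: the difference between an assumption that lives only in an analysis document (checks compiled out, narrow conversion wraps silently) and the same assumption written as a precondition that is checked on every call. The envelope bound, the 16-bit target width and the two "flight profiles" are constructed values, not Ariane data.

```python
# Added example (not the post's or the project's code). All numbers are constructed.
import ctypes

# The outcome of the flight-profile analysis, recorded as a contract rather than
# only in a report: the largest magnitude the routine was shown to need.
ENVELOPE_MAX = 30000.0  # constructed "old vehicle" bound, inside the int16 range


def convert_unchecked(x: float) -> int:
    """Mimics the check-free fast path: once range checks are compiled out,
    a float that does not fit a 16-bit signed integer simply wraps."""
    return ctypes.c_int16(int(x)).value


class ContractViolation(AssertionError):
    """Raised when a caller hands the routine a value outside its analysed envelope."""


def convert_with_contract(x: float) -> int:
    """Same conversion, but the analysis assumption is an explicit precondition,
    so a new caller with a wider envelope fails loudly instead of silently."""
    if not (-ENVELOPE_MAX <= x <= ENVELOPE_MAX):
        raise ContractViolation(f"input {x} outside analysed envelope +/-{ENVELOPE_MAX}")
    return int(x)


def fly(profile, convert):
    """Feed a trajectory (list of sensor readings) through a converter.
    Returns (converted_values, violation_message_or_None); a violation halts the run."""
    out = []
    for reading in profile:
        try:
            out.append(convert(reading))
        except ContractViolation as exc:
            return out, str(exc)
    return out, None


# Constructed profiles: the old one stays inside the envelope, the new one exceeds it.
OLD_VEHICLE_PROFILE = [0.0, 1200.5, -8000.0, 29000.0]
NEW_VEHICLE_PROFILE = [0.0, 1200.5, 40000.0, 29000.0]

if __name__ == "__main__":
    print(fly(OLD_VEHICLE_PROFILE, convert_unchecked))      # fine in the old context
    print(fly(OLD_VEHICLE_PROFILE, convert_with_contract))  # also fine
    print(fly(NEW_VEHICLE_PROFILE, convert_unchecked))      # 40000.0 wraps to -25536, no error
    print(fly(NEW_VEHICLE_PROFILE, convert_with_contract))  # halts with a named violation
```

The unchecked run of the new profile returns a plausible-looking but wrong value with no signal that the envelope was left; the contracted run stops at the first out-of-envelope reading, which is the point at which reuse in a new context would have forced a re-analysis.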