From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Safety-critical development in Ada and Eiffel
Date: 1997/07/18
References: <33C835A5.362A@flash.net> <33CBBF4B.7BAF@pseserv3.fw.hac.com>
Organization: The Mitre Corp., Bedford, MA.
Newsgroups: comp.object,comp.software-eng,comp.lang.ada,comp.lang.eiffel

In article <33CBBF4B.7BAF@pseserv3.fw.hac.com> Wes Groleau writes:

> Here we go again with this myth. Probably won't help, but I'll say
> one more time what others said over and over: telling people to
> assert or document everything pertinent will NOT cure the failure
> to recognize what's pertinent!!

True, but that didn't apply to the Ariane 5 case. If you reuse software in an environment with very different requirements, and you don't do anything to validate the code against the new requirements and in fact don't do anything with the code--not even recompile it--and you don't do any testing--to old or new requirements--nothing with the possible exception of unadulterated good fortune can save you from the effects of your blunders. The Ariane 4 code was provably correct and acted in accordance with its design specification. However, when used in an Ariane 5, that spec effectively said, "Destroy the stack at T+38 seconds, but send real good diagnostic data while doing it!"

(Actually, they had some good fortune. A gust of wind sooner could have caused the same catastrophe closer to the ground, where the likelihood of fatalities would have been much higher.)

--
Robert I. Eachus

with Standard_Disclaimer;
use Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...