From: Tim Rowe
Newsgroups: comp.lang.ada
Subject: Re: OT?: AF 447 and avionics software
Date: Fri, 05 Jun 2009 21:35:02 +0100
References: <78pifuF1k9uvuU1@mid.individual.net> <9ab9c181-bad4-4859-97f6-5ee70acf0ad9@c36g2000yqn.googlegroups.com>
In-Reply-To: <9ab9c181-bad4-4859-97f6-5ee70acf0ad9@c36g2000yqn.googlegroups.com>

Ludovic Brenta wrote:
> The most critical subsystems are usually certified to the DO-178B
> level A standard; this means that unit tests must cover 100% of the
> code and 100% of the decision paths; it's called MC/DC testing
> (Modified Condition/Decision Coverage).

I think the problem is confusion between testing the behaviour of the /code/ and the behaviour of the /system/. Even if we could achieve perfect confidence in the behaviour of the software, in the case of fly-by-wire it's still difficult to be sure that it's what you /want/ it to do for all situations the aircraft finds itself in. This requirements problem is far from unique, of course, but it's important to remember that no language and no amount of proof against requirements will help if we're unsure of the requirements!