From mboxrd@z Thu Jan 1 00:00:00 1970
From: dewar@cs.nyu.edu (Robert Dewar)
Subject: Re: Need help with PowerPC/Ada and realtime tasking
Date: 1996/05/27
Message-ID: #1/1
References: <1026696wnr@diphi.demon.co.uk> <355912560wnr@diphi.demon.co.uk>
Organization: Courant Institute of Mathematical Sciences
Newsgroups: comp.lang.ada

JP Thornley said:

> My view is that code can never be judged as safe or unsafe - only
> correct or incorrect. However my usage of the words "safe" and
> "safety-critical" carries a lot of additional baggage, and it is
> possible that we are differing over the meaning of these words rather
> than anything fundamental.

I think that is completely wrong. Correctness, i.e. formal conformance
between the implementation and the specification, is neither necessary
nor sufficient for safety.

It is not necessary, because there can be deviations that are not
life-critical, e.g. if the horizon display on the pilot's console is not
the specified shade of green, it is not critical.

It is not sufficient, because the formal specification may be incomplete
or incorrect.