From: P.G.Hamer@nortel.co.uk (Peter Hamer) Organization: BNR Europe Ltd, London Road, Harlow, England. Date: 07 Jul 96 14:15:59 References: 1 2 3 Followups: 1 2
To pick up one point in a long and interesting posting.

In article <airliners.1996.1022@ohare.Chicago.COM> Tom Speer <email@example.com> writes:

>Charles Radley wrote:
>> ...It is less effective than some techniques, more effective than
>> others. It can be accomplished more easily than Formal Methods, but
>> is probably less effective....
>
>I looked into the pros and cons of N-version programming, and ran
>across some interesting studies. ...
>
>The reason for this striking finding is that all versions were coded
>from common requirements (naturally). Where the requirements
>specification is ambiguous or hard to understand, it's difficult for
>everyone. Plus, programmers tend to have similar backgrounds, and so if
>one person has misconceptions, then many people can share the same. So
>people tend to make many of the same mistakes.
>
>So, if you have to convince a certification authority that there is no
>possibility of a software fault, then formal methods are your only hope.
>You can't rule it out with N-version programming.

If the weak link in N-version programming is the fact that the requirement is ambiguous and difficult to understand, surely the same holds true for formal methods? The formalization of the requirements might be internally watertight, but its chances of capturing the intentions of a large and complex informal spec are questionable.

I'm not arguing against formal methods, just saying that a system development path using them shares some of the failure mechanisms of more traditional system development paths. Finding out what the user needs [i.e. should have asked for] remains a hard problem.

Peter

PS Somewhat off topic, I remember a correction to a pilots' handbook giving a new minimum-fuel flight path for landing. The new path had the advantage of remaining above ground-level at all times! Sometimes important details are difficult to fit into a chosen formalism or support in its reasoning mechanisms.