[SystemSafety] More on my contretemps with PBL ...

Olwen Morgan olwen at phaedsys.com
Fri Jul 10 19:07:04 CEST 2020


On 10/07/2020 14:20, Roderick Chapman wrote:

<snip>
> We (meaning my colleagues and predecessors at Praxis and SPARK team) 
> have never advocated for the complete removal of all dynamic 
> verification activities. Rather, we noted (particularly arising from 
> the SHOLIS project in the late 90's) that traditional "one unit at a 
> time" testing did not produce useful results for a reasonable effort 
> on units that were coded and already verified using SPARK. 
> Requirements-based integration and system testing remain absolutely 
> vital though - an approach deployed on later projects like MULTOS CA, 
> Tokeneer, and iFACTS.
<snip>

This gets to the basis of my objection to what PBL said. Considered in 
risk terms, UT was adding hardly anything to risk reduction. .... BUT .....

This was code specified and implemented by experienced, disciplined 
SPARK-competent engineers. Cystopia (the dystopian world of C) is not 
like that. There, you really do need to worry about the integrity of 
your tool chain and whether omitting UT exposes you to unacceptable 
risks. As David Crocker pointed out, [in Cystopia] unit testing provides 
a check that your tools are working properly.

... and this is quite apart from long-span functional requirements.


Olwen