Thu, 8 Nov 2001 11:06:27 +0000
(message from Mark Lundquist on Wed, 7 Nov 2001 09:21:01 -0800)
> Regarding the value of the check: it depends not just on the
> likelihood of the failure, but also on the consequence of the
> failure. Some failures are always "worth it" to check for even if
> they are highly unlikely; for example, if a failure might be a
> factor in causing a nuke plant to melt down.
Most folk producing high-criticality software would be required to
*prove*, as part of using appropriate tools (eg SPARK Examiner), that
exceptions could not occur. Basically, the subset of Ada that you
pretty much have to use to get independent certification for
high-criticality software doesn't include exceptions, or tasking, or
.. (name other interesting feature!).
 I mean, businesses producing SIL4 software for UK defence
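As an added illustration of the point above (not code from the thread, and written in the later SPARK 2014 contract syntax rather than the `--#` annotations the SPARK Examiner of 2001 used), here is the shape of a unit in which the prover, not a run-time handler, establishes that Constraint_Error cannot be raised. The package name, types and subprograms are assumed for the example:

```ada
-- Added example: exceptions ruled out by proof instead of checked at run time.
package Safe_Lookup with SPARK_Mode is
   type Index  is range 1 .. 16;
   type Byte   is mod 256;
   type Buffer is array (Index) of Byte;

   -- Without the precondition the conversion Index (Pos) could raise
   -- Constraint_Error at run time. With it, the prover discharges the
   -- range check here and obliges every caller to show Pos is in range.
   function Get (B : Buffer; Pos : Natural) return Byte
     with Pre => Pos in 1 .. 16;   -- mirrors the bounds of Index

   -- A modular type wraps rather than overflows, so no exception is
   -- possible in the summation either; nothing is left to catch.
   function Checksum (B : Buffer) return Byte;
end Safe_Lookup;

package body Safe_Lookup with SPARK_Mode is
   function Get (B : Buffer; Pos : Natural) return Byte is
   begin
      return B (Index (Pos));   -- range check proved, never executed
   end Get;

   function Checksum (B : Buffer) return Byte is
      Sum : Byte := 0;
   begin
      for I in Index loop
         Sum := Sum + B (I);    -- modular arithmetic, cannot overflow
      end loop;
      return Sum;
   end Checksum;
end Safe_Lookup;
```

Running GNATprove over such a unit reports the absence of run-time errors as proved verification conditions, which is the evidence a certification subset demands in place of exception handlers.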