Hello Walter,

> bearophile wrote:
>
>> You have to think about proofs as another (costly) tool to avoid
>> bugs/bangs, but not as the ultimate and only tool you have to use (I
>> think dsimcha was trying to say that there are more costly-effective
>> tools. This can be true, but you can't be sure that is right in
>> general).
>
> I want to re-emphasize the point that keeps getting missed.
>
> Building reliable systems is not about trying to make components that
> cannot fail. It is about building a system that can TOLERATE failure
> of any of its components.
>
> It's how you build safe systems from UNRELIABLE parts. And all parts
> are unreliable. All of them. Really. All of them.


Agreed. You can make a system that can tolerate failures (e.g. not do something damaging), but that doesn't make it acceptable (e.g. continue to do what it's supposed to). Pure redundancy aside, if a part not working didn't degrade the system, you would remove it from the design. Making parts more reliable will increase the amount of time the system is in a non-degraded state.

--
... <IXOYE><
