Secure Coding mailing list archives

Re: Variable comparisons


From: "Peter G. Neumann" <neumann () csl sri com>
Date: Thu, 04 Dec 2003 02:05:08 +0000

The two solutions to this are:

. design simpler systems

. employ the highest calibre coders you can find, and stick them onto bug 
  fixing (yeah, right!).

Simplicity is a mirage if you are dealing with intrinsically complex
requirements.  The best answer I can come up with has to do with
composability, and is considered in a report I am working on for the DARPA
CHATS program (Composable High Assurance Trustworthy Systems), which I 
might summarize as follows:

  Intrinsic complexity can be made tenable only through an architectural
  approach that decomposes the problem into predictably composable simpler
  abstractions, whereby the individual components, their interfaces, and
  their interactions can be more readily understood and analyzed --
  iteratively as you incrementally combine everything into the system you
  wish to develop.

See 
  http://www.csl.sri.com/neumann/chats4.html 
(or .ps or .pdf if you want to print instead of browse).

Incidentally, the only sensible solution to the DECOMPOSITION problem
(e.g., removing the 95% of windows you do not need for a particular
application) is through COMPOSITION: compose it out of just those
carefully designed pieces that you actually need in the first place.

With this philosophy you need a good architect, but you don't need the
fantasy that you can keep it simple when it isn't (particularly in
anticipating everything that can go wrong in execution) and you don't
necessarily need superprogrammers to do the entire development.  (You
still need programmers who are aware of the critical requirement issues,
such as security, reliability, real-time performance, etc.)

PGN
