enforce()?

Sean Kelly sean at invisibleduck.org
Tue Jun 22 07:39:59 PDT 2010


Walter Bright Wrote:

> Sean Kelly wrote:
> > Regarding DbC, I can't say that I've ever worked on a system where lives hung
> > in the balance (an admittedly extreme example of where DbC is useful),
> 
> I have, and here's how it's done:
> 
> http://www.drdobbs.com/blog/archives/2009/10/safe_systems_fr.html
> 
> http://www.drdobbs.com/blog/archives/2009/11/designing_safe.html
> 
> I really wish this was more widely known in the software engineering business. 
> It's frustrating to see it relearned the hard way, over and over.
> 
> And not just the software business, I saw a technical overview of the BP oil 
> spill failure, and the rig design violated just about every principle of safe 
> system design.

A coworker of mine knows a guy who had workers on that rig and told me this story the other day. Apparently, there's a system on the drill such that when a failure occurs, a cap drops over the hole and shears the drill. The BP rig was drilling unusually deep though, and as a result the drill had to be incredibly hard. For this and other reasons, the safety system was estimated to have a 70% failure rate. Furthermore, the rig was known to be on the verge of failure. He implored the BP folks to shut it down, but they refused, so in desperation he hired people to fly his team off the rig, fearing for their safety. The rig failed a few hours after his team was evacuated.

While I've never worked on systems where lives hang in the balance, I have worked on systems where 100% uptime is required. I favor the Erlang approach, where a system is a web of interconnected, redundant processes that terminate on errors. I've found this design an extremely hard sell in the internet server world, though. The design takes more planning, and people are in too much of a hurry.
