From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,INVALID_MSGID
	autolearn=no autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,5ac12f5a60b1bfe
X-Google-Attributes: gid103376,public
X-Google-Thread: f43e6,5ac12f5a60b1bfe
X-Google-Attributes: gidf43e6,public
From: "Theodore E. Dennison" <dennison@escmail.orl.mmc.com>
Subject: Re: Ariane 5 - not an exception?
Date: 1996/07/26
Message-ID: <31F8FD5F.41C67EA6@escmail.orl.mmc.com>#1/1
X-Deja-AN: 170318247
references: <Dv45EJ.8r@fsa.bris.ac.uk>
content-type: text/plain; charset=us-ascii
organization: Lockheed Martin Information Systems
mime-version: 1.0
newsgroups: comp.software-eng,comp.lang.ada
x-mailer: Mozilla 2.0 (X11; I; SunOS 4.1.3_U1 sun4m)
Date: 1996-07-26T00:00:00+00:00
List-Id: <comp.lang.ada>


Simon Bluck wrote:
> 
> It is most unfortunate, but must be accepted as true, that if the
> Ariane software had been written in a less powerful language the
> numeric overflow might have gone unnoticed, the computers would have
> remained switched on, and the rocket would have continued its upward
> flight.

If the Ariane software had been written in a less powerful language, 
the overflow might have gone unnoticed, while writing garbage in a 
nearby data/code location. This could easily have caused the exact
same result, with the important difference that the committe could
never have isolted the problem as well as they did.

> You _never_ switch off a computer, but you may have cause to mark all
> data emanating from it as suspect.  Leave it up to the users of the
> data to decide if they want to use it or not - they may have no
> choice.

Silly. If you _never_ switch over to the standby computer, there is
no point to having it, is there?

I could see the logic in rewriting the code on the backup machine
to try to continue with "best effort" data when an error is detected,
but I can't agree with the logic that the primary machine should 
continue to spit out data, even when it knows it has errors (and there
is a backup machine available), which is what the committe seems to
be suggesting.

-- 
T.E.D.          
                |  Work - mailto:dennison@escmail.orl.mmc.com  |
                |  Home - mailto:dennison@iag.net              |
                |  URL  - http://www.iag.net/~dennison         |