From: Steve O'Neill <smoneill@sanders.lockheed.com>
Subject: Re: Ariane 5 - not an exception?
Date: 1996/07/30
Message-ID: <31FE35BC.1A0D@sanders.lockheed.com>
In-Reply-To: 4t9vdg$jfb@goanna.cs.rmit.edu.au
++ robin wrote:
> ---I think the real lessons are that
> 1. real-time programming requires special expertise.
Agreed wholeheartedly
> 2. the choice of language is suspect. A better-established
> language such as PL/I -- specifically designed for
> real-time programming -- with robust compilers, and
> with its base of experienced programming
> staff could well have prevented this disaster.
I disagree completely! The language was not the problem; the design decisions in how the language
was used were. Ada is completely capable in the realm of real-time programming, has robust
compilers and tools, and has quite a few experienced software engineers capable of implementing
just about any requirements thrown their way (been there, done that).
Had the designers of the system allowed the implementors to use Ada exception mechanisms fully
and properly they could have localized the failure to, at worst, the alignment function (which
was not necessary at the time of the failure anyway) without shutting down the entire device.
Instead, as is common practice in the safety-critical world, local exception handlers are
frequently banned and a global 'shut it all down' handler is the only stop gap measure.
Unbelievably, the rationale for disallowing local handlers is that they make it difficult to
verify complete code coverage, since they are only executed in the case of exceptional conditions
(i.e. given the expected data (Ariane 4 profile) the handlers are not executed and therefore we
can't prove that all of our code has been exercised at least once). I find this logic suspect in
the extreme! As somebody once said "expect the unexpected". In addition to trying for fault
avoidance through analysis we should also be planning for fault resiliency in the presence of
reality.
Your other conclusions are right on target though - you should never shut a system down
(unless its presence is impacting system performance as in the case of babbling nodes et al.) but
do indicate its distress to a higher authority who then can take this into account in using the
information provided.
--
Steve O'Neill | "No,no,no, don't tug on that!
Sanders, A Lockheed Martin Company | You never know what it might
smoneill@sanders.lockheed.com | be attached to."
(603) 885-8774 fax: (603) 885-4071| Buckaroo Banzai
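The design contrast the message above draws, as an added example that is not part of the original post or of any Ariane flight software: the same out-of-range conversion to a 16-bit integer is handled once by a single global handler that halts the whole device, and once by a handler local to the alignment function that drops the alignment result, flags distress for a higher authority, and lets the rest of the device keep running. It is written in Rust rather than Ada, since the point being made is about the design, not the language; Ada's `exception when` handlers would express the same two structures. The device model, the scale factor, the `navigation` stand-in and the sample bias values (one inside the range the design was tested against, one beyond it) are all constructed for illustration.

```rust
// Constructed example: global "shut it all down" handling versus a handler
// local to the alignment function. Not code from the original post.

#[derive(Debug, Clone, PartialEq)]
pub enum Health {
    Nominal,
    /// Alignment failed; carried upward so a higher authority can decide
    /// what to do with it instead of the device deciding to stop.
    Distress(String),
}

#[derive(Debug, Clone, PartialEq)]
pub enum Outcome {
    /// Device keeps producing attitude data, with a health flag attached.
    Running { attitude: i32, health: Health },
    /// Device shut itself down; no attitude data at all.
    Shutdown(String),
}

#[derive(Debug, Clone, PartialEq)]
pub struct RangeError {
    pub value: f64,
}

/// Convert a 64-bit float to a 16-bit signed integer, refusing anything the
/// target type cannot hold instead of silently wrapping or saturating.
pub fn to_i16_checked(v: f64) -> Result<i16, RangeError> {
    if v.is_finite() && v >= i16::MIN as f64 && v <= i16::MAX as f64 {
        // `as` truncates toward zero; the range check above makes it exact enough here.
        Ok(v as i16)
    } else {
        Err(RangeError { value: v })
    }
}

/// Alignment: scales a horizontal-bias style reading into 16-bit telemetry
/// units. The scale factor of 10 is an assumption for the example.
pub fn alignment(horizontal_bias: f64) -> Result<i16, RangeError> {
    to_i16_checked(horizontal_bias * 10.0)
}

/// Stand-in for the navigation work the vehicle actually needs in flight;
/// it does not depend on the alignment result at all.
pub fn navigation(attitude_rate: f64, dt: f64) -> i32 {
    (attitude_rate * dt * 1000.0).round() as i32
}

/// Design A: no local handlers. Any error propagates to the one handler at
/// the top of the cycle, which halts the whole device.
pub fn cycle_global_handler(bias: f64, rate: f64, dt: f64) -> Outcome {
    let run = || -> Result<i32, RangeError> {
        let _telemetry = alignment(bias)?; // propagates out of the entire cycle
        Ok(navigation(rate, dt))
    };
    match run() {
        Ok(attitude) => Outcome::Running { attitude, health: Health::Nominal },
        Err(e) => Outcome::Shutdown(format!("alignment overflow on {}", e.value)),
    }
}

/// Design B: the failure is handled where it happens. The alignment result
/// is discarded, distress is reported upward, and navigation continues.
pub fn cycle_local_handler(bias: f64, rate: f64, dt: f64) -> Outcome {
    let health = match alignment(bias) {
        Ok(_telemetry) => Health::Nominal,
        Err(e) => Health::Distress(format!("alignment overflow on {}", e.value)),
    };
    Outcome::Running { attitude: navigation(rate, dt), health }
}

fn main() {
    // Constructed inputs: 250.0 fits after scaling; 4000.0 scales to 40000,
    // which no i16 can hold.
    for bias in [250.0_f64, 4000.0_f64] {
        println!("bias {:>7}: global -> {:?}", bias, cycle_global_handler(bias, 0.5, 0.072));
        println!("bias {:>7}: local  -> {:?}", bias, cycle_local_handler(bias, 0.5, 0.072));
    }
}
```

Run with `rustc` or `cargo run`. With the in-range bias both designs produce the same attitude output; with the out-of-range bias the global-handler design returns `Shutdown` and nothing else, while the local-handler design still returns the attitude value together with a `Distress` flag describing the rejected input.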