From: Ken Garlington
Subject: Re: Ariane 5 failure
Date: 1996/10/01
Organization: Lockheed Martin Tactical Aircraft Systems
Newsgroups: comp.lang.ada,sci.math.num-analysis

Richard Pattis wrote:
> [snip]
> If I were to try to create a lecture on this topic, what other similar
> failures should I know about (beside the legendary Venus probe)?
> Your comments?

"Safeware" by Nancy Leveson has some additional good examples of what can
go wrong with software.  The RISKS forum (comp.risks) also has a lot of
info on this.

There was a study done several years ago by Dr. Avizienis (I always screw
up that spelling, and I'm always too lazy to go look it up...) trying to
show the worth of N-version programming.  He had five teams of students
write code for part of a flight control system.  Each team was given the
same set of control law diagrams (which are pretty detailed, as
requirements go), and each team used the same sort of meticulous software
engineering approach that you would expect for a safety-critical system
(no formal methods, however).  Each team's software was almost error-free,
based on tests done using the same test data as the actual delivered
flight controls.

Note I said "almost".  Every team made one mistake.  Worse, it was the
_same_ mistake.  The control law diagrams were copies, and the copier
apparently wasn't a good one: a comma in one of the gains ended up looking
like a decimal point (or maybe it was the other way around -- I forget).
Anyway, the gain was accidentally coded as 2.345 instead of 2,345, or
something like that; a factor of about a thousand.  That kind of error
makes a big difference!  (A short sketch of the slip follows at the end
of this post.)

In the face of that kind of error, I've never felt that formal methods had
a chance.  That's not to say that formal methods can't detect a lot of
different kinds of failures, but at some point an engineer has to be able
to say: "That doesn't make sense..."

If you want to try to find this study, I believe it was reported at a
Digital Avionics Systems Conference many years ago (in San Jose?),
probably around 1986.

>
> Rich

--
LMTAS - "Our Brand Means Quality"
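P.S. A minimal Ada sketch of how small that slip looks in the source text
and how large its effect is.  The names and the exact gain value here are
made up for illustration; this is not code from the study.

with Ada.Text_IO;

procedure Gain_Slip is
   --  "2,345" as drawn on the control law diagram (hypothetical value):
   Gain_As_Drawn : constant Float := 2_345.0;
   --  The same figure with the comma mistaken for a decimal point:
   Gain_As_Coded : constant Float := 2.345;
begin
   Ada.Text_IO.Put_Line ("Intended gain:" & Float'Image (Gain_As_Drawn));
   Ada.Text_IO.Put_Line ("Coded gain   :" & Float'Image (Gain_As_Coded));
   Ada.Text_IO.Put_Line ("Off by a factor of about"
                         & Float'Image (Gain_As_Drawn / Gain_As_Coded));
end Gain_Slip;

Both constants are perfectly legal Ada, and no compiler or type check will
flag the wrong one; only an engineer who knows what a plausible gain looks
like will.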