From: Alan Brain
Reply-To: aebrain@dynamite.com.au
Subject: Re: Ariane 5 failure
Date: 1996/10/12
Newsgroups: sci.astro,comp.lang.pl1,comp.lang.ada
Message-ID: <325F6898.4C31@dynamite.com.au>

Steve O'Neill wrote:
> I would have expected that in a mission/safety critical application
> the proper checks would have been implemented, no matter what. And in a
> 'belts-and-suspenders' mode I would also expect an exception handler to
> take care of unforeseen possibilities at the lowest possible level and
> raise things to a higher level only when absolutely necessary. Had these
> precautions been taken there would probably be lots of entries in an
> error log but the satellites would now be orbiting.

Concur completely. This should be Standard Operating Procedure, a matter of habit. Frankly, it's just good engineering practice. But it is honoured more in the breach than the observance, it seems, because....
> As outsiders we can only second guess as to why this approach was not
> taken but the review board implies that 1) the SRI software developers
> had an 80% max utilization requirement and 2) careful consideration
> (including faulty assumptions) was used in deciding what to protect and
> not protect.

... as some very reputable people, working for very reputable firms, have tried to pound into my thick skull, they are used to working with 15%, no more, tolerances. And with diamond-grade Hard Real Time slices, where any over-run, no matter how slight, means disaster. In this case, Formal Proof and strict attention to the number of CPU cycles in all possible paths seems the only way to go. But this leaves you so open to error in all but the simplest, most trivial tasks (just the race analysis would be nightmarish) that these slices had better be a very small part of the task, or the task itself must be very simple indeed. Either way, not having much bearing on the vast majority of problems I've encountered. If the tasks are not simple....then can I please ask the firms concerned to tell me which aircraft their software is on, so I can take appropriate action?

----------------------
<> <> How doth the little Crocodile   | Alan & Carmel Brain |  xxxxx
      Improve his shining tail?       | Canberra Australia  |  xxxxxHxHxxxxxx
      _MMMMMMMMM_MMMMMMMMM            ----------------------  o OO*O^^^^O*OO o oo oo oo oo
      By pulling Maerklin Wagons, in 1/220 Scale
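The "belts-and-suspenders" handling Steve O'Neill asks for, as an added example that is not part of the original thread and not code from the Ariane 5 SRI: an out-of-range input is caught at the lowest level, the value is saturated, an entry goes into an error log, and the control loop keeps running. C is used here rather than Ada so the block can be compiled anywhere; the 16-bit target field, the error-log layout and the input trace are all constructed for the example.

```c
/* Added example, not from the original post or from any Ariane 5 source.
 * Pattern: handle an out-of-range value where it occurs, log it, and
 * keep running, instead of letting an exception propagate and halt the unit.
 * The sensor value and its 16-bit target range are constructed for the
 * example; they are not the real SRI quantities. */
#include <stdint.h>
#include <stdio.h>
#include <math.h>

#define LOG_CAPACITY 8

typedef enum { CONV_OK = 0, CONV_CLAMPED = 1, CONV_NOT_A_NUMBER = 2 } conv_status;

typedef struct {
    uint32_t    cycle;     /* control cycle in which the fault was seen */
    double      raw;       /* offending input value */
    conv_status what;
} log_entry;

typedef struct {
    log_entry entries[LOG_CAPACITY];   /* ring buffer of the most recent faults */
    uint32_t  count;                   /* total faults logged, even after wrap */
} error_log;

static void log_fault(error_log *log, uint32_t cycle, double raw, conv_status what)
{
    log_entry *e = &log->entries[log->count % LOG_CAPACITY];
    e->cycle = cycle;
    e->raw = raw;
    e->what = what;
    log->count++;
}

/* Convert a floating-point measurement to the 16-bit field the downstream
 * consumer expects. Out-of-range and NaN inputs are handled here: the value
 * is saturated (or replaced by a safe default), the fault is logged, and a
 * status code tells the caller what happened. Nothing is raised. */
conv_status to_int16_checked(double raw, uint32_t cycle, error_log *log, int16_t *out)
{
    if (isnan(raw)) {
        *out = 0;                              /* constructed safe default */
        log_fault(log, cycle, raw, CONV_NOT_A_NUMBER);
        return CONV_NOT_A_NUMBER;
    }
    if (raw > (double)INT16_MAX) {
        *out = INT16_MAX;
        log_fault(log, cycle, raw, CONV_CLAMPED);
        return CONV_CLAMPED;
    }
    if (raw < (double)INT16_MIN) {
        *out = INT16_MIN;
        log_fault(log, cycle, raw, CONV_CLAMPED);
        return CONV_CLAMPED;
    }
    *out = (int16_t)raw;   /* in range: truncation toward zero is well defined */
    return CONV_OK;
}

/* Run a sequence of inputs through the converter; returns how many faults
 * were logged. The loop itself never stops on a bad input. */
uint32_t run_control_loop(const double *inputs, uint32_t n, error_log *log)
{
    int16_t field;
    for (uint32_t cycle = 0; cycle < n; cycle++) {
        conv_status s = to_int16_checked(inputs[cycle], cycle, log, &field);
        if (s != CONV_OK)
            printf("cycle %u: input %g handled locally (status %d), field=%d\n",
                   cycle, inputs[cycle], (int)s, (int)field);
    }
    return log->count;
}

int main(void)
{
    /* Constructed input trace: nominal values, then values far outside the
     * 16-bit range, as an unanticipated flight profile might produce. */
    const double trace[] = { 120.5, -3000.0, 32767.0, 65000.0, NAN, -40000.0, 12.0 };
    error_log log = {0};
    uint32_t faults = run_control_loop(trace, 7, &log);
    printf("%u fault(s) logged; control loop still running\n", faults);
    return 0;
}
```

Compile with `cc -std=c99 example.c -lm` (the `-lm` is only needed on libcs that do not inline `isnan`). The design point is that the handler's decision (saturate, substitute, or escalate) is made per conversion, and the log preserves the evidence a post-flight review would need without the unit ever shutting itself down.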
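Alan Brain's point about counting CPU cycles on every possible path of a hard real-time slice, as an added example that is not part of the original thread: a small worst-case execution time (WCET) calculation over a program's structure, followed by a check of that worst case against the slice's period at the 80% utilization ceiling the review board is quoted as requiring. The program structure, block costs and loop bounds are constructed for the example and are not measurements of any flight program; the tree-based calculation (sequence sums, branch takes the maximum, loop multiplies by its proven bound) is a standard textbook scheme, written here in C.

```c
/* Added example, not from the original post. Worst-case cycle count over
 * all paths of a constructed program, checked against a utilisation budget.
 * Costs and bounds below are made up for illustration. */
#include <stdio.h>
#include <stdint.h>

typedef enum { BLOCK, SEQ, ALT, LOOP } node_kind;

typedef struct node {
    node_kind kind;
    uint32_t cycles;            /* BLOCK: straight-line cost in cycles */
    uint32_t bound;             /* LOOP: proven maximum iterations; 0 = no proof */
    const struct node *kids[4]; /* SEQ/ALT children; LOOP body in kids[0] */
    int nkids;
} node;

/* Worst-case cycle count ("timing schema"): straight-line code costs what
 * it costs, a sequence sums its parts, a branch costs its most expensive
 * alternative, a loop costs bound * body. A loop with no proven bound has
 * no WCET at all, reported as UINT32_MAX so the check below must fail. */
uint32_t wcet_cycles(const node *n)
{
    uint32_t total = 0, worst = 0, body;
    switch (n->kind) {
    case BLOCK:
        return n->cycles;
    case SEQ:
        for (int i = 0; i < n->nkids; i++) {
            uint32_t c = wcet_cycles(n->kids[i]);
            if (c == UINT32_MAX) return UINT32_MAX;
            total += c;
        }
        return total;
    case ALT:
        for (int i = 0; i < n->nkids; i++) {
            uint32_t c = wcet_cycles(n->kids[i]);
            if (c > worst) worst = c;        /* UINT32_MAX propagates naturally */
        }
        return worst;
    case LOOP:
        if (n->bound == 0) return UINT32_MAX;
        body = wcet_cycles(n->kids[0]);
        if (body == UINT32_MAX) return UINT32_MAX;
        return n->bound * body;
    }
    return UINT32_MAX;
}

/* A slice passes only if its worst-case path fits within the utilisation
 * ceiling of its period: wcet <= period * max_util_percent / 100.
 * 64-bit arithmetic avoids overflow in the comparison itself. */
int slice_fits(uint32_t wcet, uint32_t period_cycles, uint32_t max_util_percent)
{
    if (wcet == UINT32_MAX) return 0;
    return (uint64_t)wcet * 100 <= (uint64_t)period_cycles * max_util_percent;
}

/* Constructed program: read inputs, branch on mode, 16-tap filter, write. */
static const node read_in   = { BLOCK, 40,  0,  {0}, 0 };
static const node mode_a    = { BLOCK, 120, 0,  {0}, 0 };
static const node mode_b    = { BLOCK, 300, 0,  {0}, 0 };
static const node branch    = { ALT,   0,   0,  { &mode_a, &mode_b }, 2 };
static const node filt_tap  = { BLOCK, 25,  0,  {0}, 0 };
static const node filt      = { LOOP,  0,   16, { &filt_tap }, 1 };
static const node write_out = { BLOCK, 35,  0,  {0}, 0 };
static const node program   = { SEQ,   0,   0,  { &read_in, &branch, &filt, &write_out }, 4 };

/* Same filter with no proven iteration bound: the analysis must refuse it. */
static const node unbounded = { LOOP,  0,   0,  { &filt_tap }, 1 };

uint32_t example_wcet(void)   { return wcet_cycles(&program); }    /* 40+300+16*25+35 = 775 */
uint32_t unbounded_wcet(void) { return wcet_cycles(&unbounded); }  /* UINT32_MAX */

int main(void)
{
    uint32_t w = example_wcet();
    printf("worst-case path: %u cycles; fits 1000-cycle period at 80%%: %s\n",
           w, slice_fits(w, 1000, 80) ? "yes" : "no");
    printf("unbounded loop variant: %s\n",
           unbounded_wcet() == UINT32_MAX ? "no WCET, slice rejected" : "bounded");
    return 0;
}
```

The worst path here takes the expensive branch and runs the filter to its full bound, 775 cycles, which fits a 1000-cycle period at 80% but would not fit a 900-cycle one. Removing the loop's proven bound makes the whole slice unanalysable, which is the honest answer: without a bound there is no cycle count to compare, and the slice cannot be accepted.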