comp.lang.ada
From: Ken Garlington <GarlingtonKE@lmtas.lmco.com>
To: Bertrand Meyer <bertrand@eiffel.com>
Subject: Re: IEEE Computer article on Ariane 5
Date: 1997/01/06
Message-ID: <32D13BD9.73CB@lmtas.lmco.com>
In-Reply-To: 32D070EE.2781E494@eiffel.com

On the whole, I agreed with much of what was said in the subject article.
However, there are a few points to consider:

1. It may be misleading to say that the Ariane IRS did not "handle" the
exception. As I read the report, it was handled in a higher level exception
handler, at which time an "orderly" shutdown of the IRS was intentionally
performed. This action was consistent with the view that a failure of this
type was more likely a hardware failure than a software design fault.

2. It's unclear to me whether the explicit declaration of the conversion
assumption in the source code would have been any better from a
documentation standpoint. The error was only obvious once the differences
between the Ariane 4 and 5 flight profiles were understood. Based on my
experience, it's unlikely that the engineer writing the IRS software would
have been privy to this knowledge. More likely, a systems engineer at
Arianespace would have this information. Unfortunately, it is probable that
a systems engineer on a project like this is reading more compact and
higher-level documentation than the IRS subcontractor's source code. As a
result, documentation in the source code would have been quite "obscure" --
to the person who could have challenged the assumption.

3. I also am less than convinced that having the assumption tested at run
time would have improved the situation. Putting aside the obvious reluctance
of the IRS subcontractor to add such a test (based on their not using the
available Ada exception mechanism), what would they have done with the
_results_ of such a test? Most likely, they would have logged it, and then
raised the exception to the global handler -- exactly what happened in the
actual flight. In other words, the mind set of the IRS subcontractor would
most likely have led to choosing the wrong reaction to the test, even if
they had included it.

Overall, I disagree that Eiffel's approach to programming by contract would
have significantly improved the odds of catching this problem prior to
flight. Despite your assertion that this was more a technical than a
management issue, I believe that this was very much a case of humans making
mistakes in judgement, under the normal pressure to reduce costs and meet
schedules. Given that the reuse was done at the system ("black-box") level,
rather than at the source code level, the only way to detect this faulty
assumption once it was made would have been via an integrated system test
with realistic flight data for the Ariane 5. This is standard practice for
a critical aerospace system; not doing such a test for the Ariane 5 based
on over-confidence in the reused system was, IMHO, the most disastrous of
all the mistakes made in this episode.
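The two reactions point 3 contrasts, shown as an added Ada example that is not part of the original post or of any Ariane flight software. It assumes a wide floating-point source type and a 16-bit signed integer target, and a constructed out-of-range input; the type and procedure names are invented.

```ada
-- Added example (not from the post): a value converted from a wide float
-- to a narrow integer, with a "log and propagate" handler beside a
-- handler that tests the assumption and saturates instead of aborting.
with Ada.Text_IO; use Ada.Text_IO;

procedure Conversion_Assumption is
   -- Assumed types: a 64-bit-class float and a 16-bit signed target.
   type Bias_Float is digits 15;
   type Bias_Int16 is range -32_768 .. 32_767;

   -- Conversion with no explicit check: Ada raises Constraint_Error
   -- when the rounded value falls outside the target range.
   function Unchecked (X : Bias_Float) return Bias_Int16 is
   begin
      return Bias_Int16 (X);
   end Unchecked;

   -- Conversion with the assumption tested first; an out-of-range
   -- value is clamped, so a wider flight profile degrades one output
   -- rather than taking the whole component down.
   function Saturating (X : Bias_Float) return Bias_Int16 is
   begin
      if X > Bias_Float (Bias_Int16'Last) then
         return Bias_Int16'Last;
      elsif X < Bias_Float (Bias_Int16'First) then
         return Bias_Int16'First;
      else
         return Bias_Int16 (X);
      end if;
   end Saturating;

   -- Constructed input: outside the 16-bit range on purpose.
   Sample : constant Bias_Float := 40_000.0;
begin
   -- Reaction A: the local handler logs and re-raises, so the global
   -- handler below performs the orderly shutdown described in point 1.
   begin
      Put_Line ("unchecked: " & Bias_Int16'Image (Unchecked (Sample)));
   exception
      when Constraint_Error =>
         Put_Line ("range assumption violated; propagating");
         raise;
   end;
exception
   when Constraint_Error =>
      Put_Line ("global handler: orderly shutdown");
      -- Reaction B: the tested, saturating conversion keeps running.
      Put_Line ("saturating: " & Bias_Int16'Image (Saturating (Sample)));
end Conversion_Assumption;
```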
