From: Ken Garlington
Subject: Re: IEEE Computer article on Ariane 5
Date: 1997/01/06
Message-ID: <32D13BD9.73CB@lmtas.lmco.com>
References: <32D070EE.2781E494@eiffel.com>
To: Bertrand Meyer
Organization: Lockheed Martin Tactical Aircraft Systems
Newsgroups: comp.lang.ada

On the whole, I agreed with much of what was said in the subject article. However, there are a few points to consider:

1. It may be misleading to say that the Ariane IRS did not "handle" the exception. As I read the report, it was handled in a higher level exception handler, at which time an "orderly" shutdown of the IRS was intentionally performed. This action was consistent with the view that a failure of this type was more likely a hardware failure than a software design fault.

2. It's unclear to me whether the explicit declaration of the conversion assumption in the source code would have been any better from a documentation standpoint. The error was only obvious once the differences between the Ariane 4 and 5 flight profiles were understood. Based on my experience, it's unlikely that the engineer writing the IRS software would have been privy to this knowledge. More likely, a systems engineer at Arianespace would have this information. Unfortunately, it is probable that a systems engineer on a project like this is reading more compact and higher-level documentation than the IRS subcontractor's source code. As a result, documentation in the source code would have been quite "obscure" -- to the person who could have challenged the assumption.

3. I also am less than convinced that having the assumption tested at run time would have improved the situation. Putting aside the obvious reluctance of the IRS subcontractor to add such a test (based on their not using the available Ada exception mechanism), what would they have done with the _results_ of such a test? Most likely, they would have logged it, and then raised the exception to the global handler -- exactly what happened in the actual flight. In other words, the mind set of the IRS subcontractor would most likely have led to choosing the wrong reaction to the test, even if they had included it.

Overall, I disagree that Eiffel's approach to programming by contract would have significantly improved the odds of catching this problem prior to flight. Despite your assertion that this was more a technical than a management issue, I believe that this was very much a case of humans making mistakes in judgement, under the normal pressure to reduce costs and meet schedules. Given that the reuse was done at the system ("black-box") level, rather than at the source code level, the only way to detect this faulty assumption once it was made would have been via an integrated system test with realistic flight data for the Ariane 5. This is standard practice for a critical aerospace system; not doing such a test for the Ariane 5 based on over-confidence in the reused system was, IMHO, the most disastrous of all the mistakes made in this episode.