From: john@assen.demon.co.uk (John McCabe)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/20
Message-ID: <33307a43.1705970@news.demon.co.uk>
In-Reply-To: tz8n2s1hrdc.fsf@aimnet.com
nouser@nohost.nodomain (Thomas) wrote:
>Well, what if a lot more money had been budgeted for hardware?
The bid would probably never have been accepted.
>Could
>the space agency have paid the processor manufacturers to come out
>with a version that was 30% faster (that should have been sufficient
>to use runtime checks everywhere without changing the design)?
The European Space Agency has been funding a lot of development work
over the years, effectively the GPS MA31750 was funded by ESA, and
look at the performance that has produced (as I mentioned before
1.3MIPS @ 10MHz for the I Iteration). When we first looked at using
the MA31750, GPS data books spoke of a 22MHz version (the JMA31750),
but that was never built. We then found out that the latest version
available was the G Iteration which, while specced at 10MHz, didn't
work at >6MHz. We then looked at the H which was again specced at
10MHz but didn't work properly above 8! We finally used the I version
which was specced at 10MHz, and almost worked at that speed apart from
a few data dependent instructions (which didn't work at any speed!).
So again, it's not as simple as it looks.
ESA's thrust now is on a project called ERC32 (see the ESA web pages
at http://www.estec.esa.nl/ (I think)), which is basically a Rad-Hard
Sparc chipset being developed by the French company MHS. It is very
powerful compared to any previous attempts at using up-to-date
technology in space (at least Rad-Hard technology anyway), but because
of this uses a lot of watts!
>Another option could have been to add more individual processors and
>use them in parallel (almost certainly harder than it sounds, but
>still a possibility). Or what about choosing a less ambitious flight
>trajectory and maybe lower payload so that control required less
>computation?
You would of course increase cost and power consumption in this way,
and also complexity. However, I'm not so sure about that being harder
than it sounds; there's a lot of this technique about these days**. A
lot more thought would have to have gone into it to repartition the
functionality of the system, but this would probably have been a very
good thing to do anyway by the sounds of the original ESA/CNES report.
**The system I have just finished working on uses 1 microprocessor and
2 ASICs. One of the ASICs is very complex and includes a 1553 protocol
handler and a DMA controller interfacing with the processor. That
functionality could have been implemented by another microprocessor
except we had certain restrictions that made that impossible.
>Of course, none of those would have been easy choices to make. Design
>by contract and other methodologies are useful, but I still think
>without a solid foundation of runtime checks in the production code
>and multiple exception handlers and recovery blocks, no methodology
>alone is going to give sufficient protection from failure. In fact,
>Eiffel itself, which has been mentioned here because of its assertion
>system, is built on a foundation of runtime safety.
I am a bit unhappy with the way the paper has been written. As I
mentioned in another posting on this thread, the fundamental problem
was that the developers did not have Ariane 5 trajectory data to work
with. It was apparently "agreed at various contractual levels" that
this would not be provided, so using the Ariane 5 failure as a
demonstration of how useful Eiffel's assertions (or even Design by
Contract possibly) could have helped is fundamentally flawed!
>It's good to hear from someone in the industry, by the way; thanks
>for participating.
You're welcome; I'm happy to be contributing.
Best Regards
John McCabe <john@assen.demon.co.uk>
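The exchange above turns on what a runtime check can and cannot do: a Design-by-Contract precondition only enforces the input envelope the developers were given, and a recovery block decides what happens when it fires. The following is an added illustration, not code from the post or from any Ariane software; the envelope bounds, the 16-bit target type and the fallback value are all constructed for the example.

```python
# Added example (not from the post): a contract-checked float-to-int16
# conversion whose precondition comes from an agreed input envelope, plus a
# recovery block around it. The check can only enforce the envelope it was
# given; if the agreed envelope is wrong for the real flight, the check fires
# on valid-but-unexpected input. All numbers are constructed for illustration.

from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Envelope:
    """Assumed input domain for a sensor value, as fixed in the specification."""
    low: float
    high: float


class ContractViolation(Exception):
    """Raised when a precondition or postcondition of the conversion fails."""


def to_int16_checked(value: float, env: Envelope) -> int:
    """Convert a float to a 16-bit signed integer under explicit contracts.

    require: env.low <= value <= env.high
    ensure:  -32768 <= result <= 32767
    """
    if not (env.low <= value <= env.high):
        raise ContractViolation(f"precondition failed: {value} outside {env}")
    result = int(round(value))
    if not (-32768 <= result <= 32767):
        raise ContractViolation(f"postcondition failed: {result} exceeds int16")
    return result


def convert_with_recovery(value: float, env: Envelope,
                          fallback: int) -> Tuple[int, bool]:
    """Recovery block: on a contract violation, substitute a safe fallback and
    flag the result as degraded rather than letting the exception propagate.
    Returns (value, ok) where ok is False when the fallback was used."""
    try:
        return to_int16_checked(value, env), True
    except ContractViolation:
        return fallback, False


# Constructed envelope: the only input domain the developers were given.
AGREED_ENVELOPE = Envelope(low=-20000.0, high=20000.0)
```

A value inside the agreed envelope converts normally; a value outside it (the situation where the envelope itself was wrong) either raises, or, inside the recovery block, yields the flagged fallback instead of an uncaught exception.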