From: Ken Garlington
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/19
Message-ID: <33308C91.40CC@lmtas.lmco.com>
References: <332B5495.167EB0E7@eiffel.com>
Organization: Lockheed Martin Tactical Aircraft Systems
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada

Ulrich Windl wrote:
>
> The modules computing course correction data both failed due to
> problems mentioned (violating the specs for that code); they shut
> themselves down. But to me the main issue is that the module that
> received the course correction data did not detect that both computing
> modules failed and that the data was just a "test pattern" to indicate
> that event. Probably a better reaction would have been to stop making
> further corrections instead of driving the engine to its borders.

This is the same as saying: "If the driver of an automobile has a heart
attack and dies, the steering system should ignore further inputs and
lock the wheels in the last 'good' position." It doesn't work with
automobiles, and it doesn't work with missiles, either. The flight
control system must receive valid sensor data to maintain control of
the aircraft. There is generally no reasonable "fail-safe" value for a
feedback system like this!

> If the modules to compute course correction data would have failed in
> a more paranoid way (the module had an exception due to overflow and
> shut itself down. If it would have continued with the appropriately
> signed maximum possible value, well I don't know).
>
> Maybe one could postulate "Every part in a software system that must
> not fail that receives an unexpected exception should handle the
> situation as well as possible, even if it can't guarantee its
> specification". This sounds contrary to programming by contract, but
> sometimes this can help. Theoreticians might say "quit on the first
> error encountered" while real hackers might say "continue as long as
> you can".

Sounds good. Unfortunately, sometimes there is not an obvious way to
continue. This is the fallacy of the "add exception handlers to make
code safer" crowd - there has to be a reasonable response to the
failure available to the designer. Sometimes, there isn't one. Adding
exception handlers where there isn't a reasonable response only makes
the design more complex - which generally means a greater risk of
failure!

> (Excuse my non-rocket vocabulary, but this is from memory, and English
> is not my first language, either)
>
> > Successful reuse requires that what you reuse be equipped with a
> > specification - a contract. That's the point Jean-Marc Jezequel
> > and I made in the article at
> > http://www.eiffel.com/doc/manuals/technology/contract/ariane/index.html.
>
> Ulrich

--
LMTAS - The Fighter Enterprise - "Our Brand Means Quality"
For job listings, other info: http://www.lmtas.com or http://www.lmco.com