Re: Ariane Failure

[Richard Riehle <richard@adaworks.com>]

rjk wrote:

> What is XPers response to this? (I was going to ask a more specific
> question, but I thought I'd leave it broad until an interesting question is
> found).

The problem with Ariane V begins with Systems Engineering management.
The decisions about what to do when an exception occurs were wrong, and
not tested.    Although Design By Contract might have helped,  I doubt that
Eiffel would have been appropriate because of other issues related to
Eiffel.   I like Eiffel, but don't consider it appropriate for a project such
as Ariane V.    The SPARK approach to Design By Contract (they don't
call it that, but that is what it is)  could have worked well, especially
since it was programmed in Ada.   By the way, the Ada code worked as
it was directed to work, but it was given bad directions.

The other problem was one of software reuse.    We often tout the value of
software reuse, but here is case where it was not working as expected.

The software module that failed was originally used in Ariane IV, where
it worked fine.   Without testing, it was used on Ariane V which had
slightly different launch characteristics.   A perfect good module from
one context was used in another context without considering the full
range of issues in that new context.

We could draw the analogy of a physician who prescribes a medicine
for a patient, knowing that this medicine has worked well for other
patients with the same illness.   If the physician fails to do a complete
medical history, including an evaluation of the other medications being
used by that new patient,  there is the possibility that contradindicated
drug interactions might kill this hapless patient.

When we reuse existing modules, in safety-critical software, it is
imperative that we both inspect and test for interactions that might
kill our software.   For embedded real-time software these are
often timing issues.   Those are hard to detect.

As to the contention that XP would have prevented the failue of Ariane V,
that is mostly wishful thinking, reminiscent of what is often called
"Monday morning quarterbacking."    There are some XP practices
that might have been useful (features that predate XP by some considerable
amount of time), but XP itself would not have saved Ariane V, nor would
most of the other suggestions made by the Monday morning Quarterbacks.

At present, the French are launching the current version of Ariane quite
safely.

There are other project failures where XP might have been able to save
the project.   The one that comes to mind quickly is the Denver airport
baggage handling system.    I am sure there are others.   However, I don't
want to be accused of Monday morning quarterbacking.   That fact is that
building software is hard and it is easy to make engineering errors.  Our
tools and methods can help us do it right, but neither the languages nor
the processes can consistently save us from ourselves.

Richard Riehle