From: "Robert I. Eachus"
Newsgroups: comp.lang.ada
Subject: Re: Ariane5 FAQ
Date: Wed, 23 Jul 2003 18:42:26 GMT
Message-ID: <3F1ED712.2070405@attbi.com>
References: <1058799152.775376@master.nyc.kbcfp.com> <1058810510.375902@master.nyc.kbcfp.com> <1058813341.841940@master.nyc.kbcfp.com> <1058816605.566685@master.nyc.kbcfp.com> <1058969472.350716@master.nyc.kbcfp.com> <1058982513.114816@master.nyc.kbcfp.com>

Hyman Rosen wrote:

> By having lots of meetings, and coming up with a
> definite specification for what to do. The result
> will be some hard numbers - if the reading is less
> than this, it's good, otherwise it's suspect. Then
> the code is written to implement the decision.

WHICH IS EXACTLY WHAT HAPPENED. I don't know why you keep running around trying to defend the indefensible.

But since you don't seem to know what went on, let me tell you, from the Ariane 4 point of view. The software module involved was used for aligning the gyroscopes, etc. before launch. It took over an hour of data to do its job. When it was finished BH was set equal to zero, and was reset to zero continuously until launch. In the Ariane 4, there was a possibility that the launch could be aborted within 6 seconds of engine ignition. In such a case, the problem that caused the abort could be corrected and the launch countdown restarted quickly. But then it would have to delay until the alignment software had been restarted and realigned the guidance system. So the decision was made to run the alignment software for a period after T=0, but not too long. Lots of calculations were done, and the decision was made to run it until T = +40 seconds. This allowed time for the guidance system to reset after an abort, and also insured that, for physical reasons, BH would never overflow. This (late abort) actually happened on at least one Ariane 4 launch with this guidance system. The guidance system was reset and launch proceeded with minimal delay.

All of this was well documented--in the Ariane 4 REQUIREMENTS. This was clearly a requirement, and was documented as such.

> It's also perfectly valid to say "go ahead and write
> this code as if this variable will never exceed this
> value". The first way detects the problem at the
> point where the bad value is noticed, while the second
> way propagates the bad value through the program, so
> that it will behave in some arbitrary way.

As I said, this was not arbitrary behavior, it was required behavior.

> Now, often that arbitrary way will in retrospect be
> exactly what you wanted, while the range check could
> cause an entire abort, so it's not a given which
> approach to use. In the Ariane 5 case, it turned out
> that this approach caused an unhappy outcome.

Because the Ariane 5 first stage engines were more powerful with regard to the weight of the total system, this was definitely not a requirement for Ariane 5. In fact a late abort would probably spatter rocket and payload all over the launch pad. So compared to the Ariane 4, the Ariane 5 was committed to launch at the same point in the countdown. (After engine ignition but before full thrust.)

It all comes back to the same issue and the real failure. The (SRI) hardware was the same, but the engines and the rest of the Ariane 5 were significantly different from the Ariane 4. This resulted in different REQUIREMENTS. The SRI and its software were never checked to see if they met the Ariane 5 requirements. That was the major and sole cause of the disaster.

Technically the bounds checking on the engine deflections was expected to be done in the main computer. But if the requirements check had been done, the potential for the SRI to command engine deflections too extreme for the Ariane 5 would have been noticed. Whether the limiting was done in the SRI or the main computer, a requirements review would insure that the requirement for limiting the engine deflections was met.

-- 
Robert I. Eachus

"In an ally, considerations of house, clan, planet, race are insignificant beside two prime questions, which are: 1. Can he shoot? 2. Will he aim at your enemy?" -- from the Liaden novels by Sharon Lee and Steve Miller.
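The three ways of handling an out-of-range BH that the quoted exchange contrasts (a range check that raises where the bad value appears, code written "as if this variable will never exceed this value", and a limit taken from the vehicle's requirements), as an added Ada example that is not part of the post or of any Ariane software. The type Bias_16, the procedure and function names, the +/- 20_000.0 requirement bound and the sample inputs are all assumptions constructed for the illustration.

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Bias_Conversion is
   --  Hypothetical stand-in for the horizontal bias BH: a 64-bit float that
   --  must be handed on as a 16-bit signed integer.  Type and name are
   --  assumptions for this example, not the real SRI declarations.
   type Bias_16 is range -32_768 .. 32_767;
   for Bias_16'Size use 16;

   --  Approach 1: a plain Ada conversion.  Ada rounds and range-checks, so
   --  an out-of-range BH raises Constraint_Error at the point where the bad
   --  value is noticed (Hyman's "first way").
   function Checked (BH : Long_Float) return Bias_16 is
   begin
      return Bias_16 (BH);
   end Checked;

   --  Approach 2: "write this code as if this variable will never exceed
   --  this value".  With the range check suppressed the conversion never
   --  raises; an out-of-range BH yields an erroneous 16-bit value that
   --  propagates onward.  This is only sound when a REQUIREMENT guarantees
   --  the physical bound, as the post says it did for Ariane 4.
   function As_If_Bounded (BH : Long_Float) return Bias_16 is
      pragma Suppress (Range_Check);
   begin
      return Bias_16 (BH);
   end As_If_Bounded;

   --  Approach 3: limit to a bound that comes from the vehicle requirements
   --  (an assumed +/- 20_000.0 here) rather than from the integer type.  The
   --  bound is the thing a requirements review for a new vehicle must
   --  re-validate; the code itself does not change.
   Requirement_Limit : constant Long_Float := 20_000.0;

   function Limited_To_Requirement (BH : Long_Float) return Bias_16 is
      Clamped : Long_Float := BH;
   begin
      if Clamped > Requirement_Limit then
         Clamped := Requirement_Limit;
      elsif Clamped < -Requirement_Limit then
         Clamped := -Requirement_Limit;
      end if;
      return Bias_16 (Clamped);
   end Limited_To_Requirement;

   --  Constructed inputs: two inside the 16-bit range, two outside it.
   Samples : constant array (1 .. 4) of Long_Float :=
     (1_500.0, 32_767.0, 40_000.0, -70_000.0);
begin
   for I in Samples'Range loop
      declare
         BH : constant Long_Float := Samples (I);
      begin
         Put_Line ("BH = " & Long_Float'Image (BH));
         Put_Line ("  limited to requirement: " &
                   Bias_16'Image (Limited_To_Requirement (BH)));
         Put_Line ("  as if bounded         : " &
                   Bias_16'Image (As_If_Bounded (BH)));
         --  Checked goes last so its exception does not hide the others.
         Put_Line ("  checked               : " &
                   Bias_16'Image (Checked (BH)));
      exception
         when E : Constraint_Error =>
            Put_Line ("  checked               : " & Exception_Name (E) &
                      " raised at the conversion");
      end;
   end loop;
end Bias_Conversion;
```

Compile with any Ada 95 or later compiler (for example `gnatmake bias_conversion.adb`) and run it. For the two in-range inputs all three functions agree; for 40_000.0 and -70_000.0 the checked conversion raises Constraint_Error, the limited one returns the requirement bound, and the suppressed-check one returns whatever 16 bits the compiler happened to keep, which is exactly the value that would travel on to the rest of the system.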