Re: C.A.R. Hoare on liability

[rieachus@attbi.com (Robert I. Eachus)]

Mark Biggar <mark.a.biggar@attbi.com> wrote in message news:<3D14AA34.E8FFBBBB@attbi.com>...
 
> So both the check and the exception were reasonable and 
> correct for the Ariane 4 and would not have crashed it.  So it
> was reusing the code without redoing the analysis or even 
> testing it against the new flight profile that cause the 
> problems, not the check in the code.  This problem would have 
> arisen regardless of the language used.

Right, in fact the actual situation was worse than that.  I won't go
into all the gory details, but part of the assumption of hardware
failure was to dump raw data from the intertial guidance system on the
buss to the engine control system.  This caused the engines to deflect
enough to cause the "stack" to break up, and at this point the range
safety officer had to destroy the rocket.

Where were the limits on the engine deflection that should have
prevented this?  They were set for the Ariane 4.  The Ariane 5 stack
was more fragile, and the engines more powerful.  So if the Arianne 4
software developers had gotten permission to put in a local exception
handler for the piece of software that failed on the Ariane 5, the
Ariane 5 would have made it past 38 seconds into the flight--and then
would have destroyed itself if it hit wind shear at a higher altitude.

As far as I am concerned, that was the real disaster.  The complex
path that started the actual failure involved an exception raised
because the Ariane 5 exceeded one of the physical limits for the
Ariane 4.  But there were dozens of Ariane 4 physical parameters built
into the software which could have been the primary cause of failure. 
The actual failure only ran into three of them.  (Horizontal movement
from point of launch in the first 40 seconds of flight, stack moment
of inertia, maximum engine deflection.)