From: rieachus@attbi.com (Robert I. Eachus)
Newsgroups: comp.lang.ada
Subject: Re: C.A.R. Hoare on liability
Date: 23 Jun 2002 08:47:24 -0700
Message-ID: <45fd8ad1.0206230747.721b6ad9@posting.google.com>
References: <3D0E09BA.A492AA3D@despammed.com> <5ee5b646.0206210355.3533be8f@posting.google.com> <3D1390D0.7040709@attbi.com> <5ee5b646.0206220514.55f8cf9a@posting.google.com> <3D14AA34.E8FFBBBB@attbi.com>

Mark Biggar wrote in message news:<3D14AA34.E8FFBBBB@attbi.com>...

> So both the check and the exception were reasonable and
> correct for the Ariane 4 and would not have crashed it. So it
> was reusing the code without redoing the analysis or even
> testing it against the new flight profile that caused the
> problems, not the check in the code. This problem would have
> arisen regardless of the language used.

Right, in fact the actual situation was worse than that. I won't go into all the gory details, but part of the assumption of hardware failure was to dump raw data from the inertial guidance system on the bus to the engine control system.
This caused the engines to deflect enough to cause the "stack" to break up, and at this point the range safety officer had to destroy the rocket. Where were the limits on the engine deflection that should have prevented this? They were set for the Ariane 4. The Ariane 5 stack was more fragile, and the engines more powerful.

So if the Ariane 4 software developers had gotten permission to put in a local exception handler for the piece of software that failed on the Ariane 5, the Ariane 5 would have made it past 38 seconds into the flight--and then would have destroyed itself if it hit wind shear at a higher altitude. As far as I am concerned, that was the real disaster.

The complex path that started the actual failure involved an exception raised because the Ariane 5 exceeded one of the physical limits for the Ariane 4. But there were dozens of Ariane 4 physical parameters built into the software which could have been the primary cause of failure. The actual failure only ran into three of them. (Horizontal movement from point of launch in the first 40 seconds of flight, stack moment of inertia, maximum engine deflection.)
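The point the post makes is that a reused flight program carries its original vehicle's physical envelope as built-in limits, and that the interesting question at reuse time is which of those limits the new profile exceeds, not whether a single range check "should" raise. The following Ada sketch is an added illustration of that idea, not code from this thread, from the Ariane software, or from any ESA project: it expresses two of the envelope assumptions named above (horizontal bias, engine deflection) as constrained subtypes, adds a pre-reuse check that counts which assumed limits a new mission profile would violate, and shows a local handler that saturates and flags an out-of-range conversion instead of letting Constraint_Error propagate to a global failure handler. All numeric limits, the Profile record, and the function names are constructed placeholders, not the real Ariane 4 or Ariane 5 values.

```ada
--  Added illustration, not from the comp.lang.ada thread or any flight
--  software.  Every limit value below is a constructed placeholder.
with Ada.Text_IO;

procedure Envelope_Check is

   --  Each physical assumption the software bakes in, as a named range.
   --  Converting a value outside the range raises Constraint_Error.
   subtype Horizontal_Bias   is Integer range -32_768 .. 32_767;  --  placeholder
   subtype Engine_Deflection is Integer range -100 .. 100;        --  placeholder

   --  Expected extremes of a mission profile (constructed record).
   type Profile is record
      Max_Horizontal_Bias   : Long_Integer;
      Max_Engine_Deflection : Long_Integer;
   end record;

   --  Pre-reuse analysis step: how many of the software's built-in
   --  limits does the new profile exceed?  Zero means the old envelope
   --  still covers the new vehicle; anything else means redo the analysis.
   function Violated_Limits (P : Profile) return Natural is
      Count : Natural := 0;
   begin
      if P.Max_Horizontal_Bias > Long_Integer (Horizontal_Bias'Last) then
         Count := Count + 1;
      end if;
      if P.Max_Engine_Deflection > Long_Integer (Engine_Deflection'Last) then
         Count := Count + 1;
      end if;
      return Count;
   end Violated_Limits;

   --  Local handler: saturate to the subtype bound and flag the event,
   --  rather than propagating the exception to a global handler that
   --  treats it as a hardware failure.
   function Saturate_Bias (Raw : Long_Integer; Flagged : out Boolean)
      return Horizontal_Bias is
   begin
      Flagged := False;
      return Horizontal_Bias (Raw);   --  raises Constraint_Error if out of range
   exception
      when Constraint_Error =>
         Flagged := True;
         return (if Raw < 0 then Horizontal_Bias'First else Horizontal_Bias'Last);
   end Saturate_Bias;

   Old_Vehicle : constant Profile := (20_000, 80);    --  fits both limits
   New_Vehicle : constant Profile := (50_000, 150);   --  exceeds both limits
   Clamped     : Horizontal_Bias;
   Flag        : Boolean;

begin
   Ada.Text_IO.Put_Line ("Violated limits, old profile:"
                         & Natural'Image (Violated_Limits (Old_Vehicle)));
   Ada.Text_IO.Put_Line ("Violated limits, new profile:"
                         & Natural'Image (Violated_Limits (New_Vehicle)));

   Clamped := Saturate_Bias (50_000, Flag);
   Ada.Text_IO.Put_Line ("Clamped bias:" & Horizontal_Bias'Image (Clamped)
                         & ", flagged: " & Boolean'Image (Flag));
end Envelope_Check;
```

Compiled with GNAT in Ada 2012 mode (for the conditional expression and the `out` parameter on a function), the old profile reports zero violated limits and the new one reports two; the saturating conversion returns the upper bound with the flag set. The Violated_Limits function is the part worth keeping in mind: the post's argument is that such a check over every built-in parameter belongs in the reuse process before flight, where a local exception handler alone would only have moved the failure to a later point in the trajectory.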