Re: Ariane 5 Failure - Summary Report

[rav@goanna.cs.rmit.edu.au (++ robin)]

	Ken Garlington <garlingtonke@lmtas.lmco.com> writes:

	>Ken Garlington wrote: <nothing!>

	>Don't know what happened there, but I was just going to point out
	>that the Ariane 5 report is at:

	>  http://www.esrin.esa.it/htdocs/tidc/Press/Press96/press33.html

	>Be sure to read the full report, which is linked to this page. It
	>goes into some length about the sequence of events (which includes
	>an Ada exception I never heard of before, Operand Error?

---That's fixed-point overflow.  Converting a 64-bit 
floating-point value to a 16 bit signed integer.
The conversion was unchecked (programming error--
the other conversions in the same module were
checked; the assumption was made that the value would
be within range); consequently the error condition was raised.
The exception-handling routine was to record the
status of the error and to then shut down the system.

	 Maybe it's user 
	>defined, or there's a language difference at work).

	>Definitely good "lessons learned" about:

	>1. The limits of exceptions (they are only as good as what you can do
	>when they are raised).

	>2. The problems with reusing items outside their original environment.

	>3. The need to check inputs and outputs aggressively.

	>4. The pitfalls of assuming that testing all of the components of a 
	>system equates to testing the system, as well as the need to use 
	>realistic test scenarios.

	>5. The problems with isolating the safety-critical components of a 
	>system.

	>So, anyway, we now have another software package written in Ada that
	>caused the loss of a system, and again specification and design issues 
	>outside Ada's control are the culprit.