Re: Ariane 5 Failure - Summary Report

[rav@goanna.cs.rmit.edu.au (++ robin)]

        Ken Garlington <garlingtonke@lmtas.lmco.com> writes:

        >Ken Garlington wrote: <nothing!>

        >Don't know what happened there, but I was just going to point out
        >that the Ariane 5 report is at:

        >  http://www.esrin.esa.it/htdocs/tidc/Press/Press96/press33.html

        >Be sure to read the full report, which is linked to this page. It
        >goes into some length about the sequence of events (which includes
        >an Ada exception I never heard of before, Operand Error?

---That's fixed-point overflow.  Converting a 64-bit
floating-point value to a 16 bit signed integer.
The conversion was unchecked (programming error--
the other conversions in the same module were
checked; the assumption was made that the value would
be within range); consequently the error condition was raised.
The exception-handling routine was to record the
status of the error and to then shut down the system.

         Maybe it's user
        >defined, or there's a language difference at work).

        >Definitely good "lessons learned" about:

        >1. The limits of exceptions (they are only as good as what you can do
        >when they are raised).

        >2. The problems with reusing items outside their original environment.

        >3. The need to check inputs and outputs aggressively.

        >4. The pitfalls of assuming that testing all of the components of a
        >system equates to testing the system, as well as the need to use
        >realistic test scenarios.

        >5. The problems with isolating the safety-critical components of a
        >system.

        >So, anyway, we now have another software package written in Ada that
        >caused the loss of a system, and again specification and design issues
        >outside Ada's control are the culprit.