Re: Ariane 5 Failure - Summary Report

[Alan Brain <aebrain@dynamite.com.au>]

Ken Garlington <garlingtonke@lmtas.lmco.com> wrote:

>So, anyway, we now have another software package written in Ada that
>caused the loss of a system, and again specification and design issues 
>outside Ada's control are the culprit. 

Not just design and specification, the implementation as well.

Firstly, the brain-dead attitude of "handle all exceptions by shutting down and 
going to the backup" on a complex piece of equipment without many, many redundancies 
is ... incredible. Only duplication? Glad I'm not riding it... So that's a 
Specification fault.

Secondly, the notion that conversion from a 64-bit value to a 16 bit value will 
always be OK, and that any time it isn't means a total failure of the unit, is a bit 
hard to swallow. In a complex piece of software, incapable of strict mathematical 
verification, I'd expect this to happen sometimes, not because of any soft failure 
or random hardware failure, but because Software Has Bugs. That's no excuse for 
losing a payload! This is a design fault.

Thirdly, assuming either of the above, not checking that an arithmetic operation of 
this kind before it's fully complete is just plain silly. And such a check is un 
morceau de gateaux. This is an implementation fault. 

Jeez, Ada provides safety belts, Anti-lock brakes, etc but if people don't buckle 
up, and don't even bother to use the brake peddle, what can you do?