Re: Ariane Crash (Was: Adriane crash)

[rav@goanna.cs.rmit.edu.au (++ robin)]

	john@assen.demon.co.uk (John McCabe) writes:

	>JOINT ESA/CNES PRESS RELEASE N  33-96  -  Paris, 23 July 1996

	>Ariane 501 - Presentation of Inquiry Board report

	>-------------------------------------------------------------------

	>Hope this is useful. So basically it _was_ a software fault

---Is this a euphemism for a programming error?  because that's
what it was -- a programming error.

   The error was in assuming that a value would not overflow.
The specific error was that a conversion of a double-precision
floating-point value (~58 significant bits) to 15 significant
bits caused fixed-point overflow.  The conversion was not
checked for overflow.  It should have been.  This is, after all,
a real-time system.  It's a fundamental check that a programmer
experienced in real-time systems should have carried out.

   Control was then passed to the interrupt handler, which
shut down the system.

   The question is, basically, why was Ada used for this work?
PL/I has specific facilities for real-time programming,
and especially for simulating exactly this (and other)
exceptions -- as if the exceptions had actually occurred.
The SIGNAL statement is designed for this purpose.  The
programmer would have discovered this problem the FIRST time
he used it!  And he could have included an exception handler
for this and other similar kinds of trivial errors.  These
exception handlers would have returned control to the code.

   A PL/I programmer and/or a real-time systems programmer
would have OBJECTED to the stupid requirement of shutting
down the system when a trivial error occurred.

	>What I want to know is, who wrote that software, and if their was an
	>ESA representative responsible for it, who was he!
	>Not that I want to apportion blame of course, just interested!

	>Best Regards John McCabe <john@assen.demon.co.uk>