Re: Ariane Crash (Was: Adriane crash)

[rav@goanna.cs.rmit.edu.au (++ robin)]

	rgilbert@unconfigured.xvnews.domain (Bob Gilbert) writes:

	>In article <4ta1vu$m1u@goanna.cs.rmit.edu.au>, rav@goanna.cs.rmit.edu.au (++           robin) writes:
	>> 
	>> ---Is this a euphemism for a programming error?  because that's
	>> what it was -- a programming error.
	>> 
	>>    The error was in assuming that a value would not overflow.

	>The error was assuming that the Ariane 4 design would be adaquate
	>for the Ariane 5 system.

	>> The specific error was that a conversion of a double-precision
	>> floating-point value (~58 significant bits) to 15 significant
	>> bits caused fixed-point overflow.  The conversion was not
	>> checked for overflow.  It should have been.

	>It was checked, hence the exception and an exception handler to
	>take corrective action.

---The SRI computer (& its backup) had an exception
handler, to be sure, but it did not have an exception
handler to take corrective action.  The exception handler
shut the computer down.

	> Unfortunately the corrective action was
	>to assume that the SRI had failed and to shut it down.  The
	>software performed exactly as designed.

---The software did not performed as designed.  It was
intended to shut down the computer only in the event of
a hardware error.  The software shut down the computer
because of a programming error.  The software performed
only as written!

	>>  This is, after all,
	>> a real-time system.  It's a fundamental check that a programmer
	>> experienced in real-time systems should have carried out.
	>> 
	>>    Control was then passed to the interrupt handler, which
	>> shut down the system.

	>Exactly as designed.

---Again, not as designed.  It was designed to shut down only
in the event that the SRI computer failed.  Then the backup
would be used.