From: Martin@nezumi.demon.co.uk (Martin Tom Brown)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/17
Message-ID: <858625151snz@nezumi.demon.co.uk>
References: <332B5495.167EB0E7@eiffel.com>
Organization: Nezumi
Reply-To: Martin@nezumi.demon.co.uk
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada,comp.lang.java.tech

In article eachus@spectre.mitre.org "Robert I. Eachus" writes:

> In article <332D113B.4A64@calfp.co.uk> Nick Leaton writes:
>
> > But in conclusion, my experience is that people write assertions in
> > their code, because it is effective.
>
> How many times do people have to be told that the lack of an
> assertion was NOT the problem here. The assertion existed, and the
> deliberate decision, apparently thrashed around in several meetings at
> different management levels, was that on Ariane 4, this condition
> could only occur through hardware failure.
>
> The software designers were under no illusions about what would
> happen if this constraint was violated, or the conditions under which
> that could occur: the rocket could be way off course--which would tend
> to indicate a guidance failure, or one part or another of the guidance
> system was malfunctioning.

To summarise - it was rather unfortunate that the ability to survive the
launch trajectory of Ariane 5 was not a design requirement of the original
software, and that no full-scale simulation test was done when the Ariane 4
unit was adopted for use in the later system.

> The real problem was that the software was used unchanged and
> without review on Ariane 5, where these assumptions were not true.
> The Ariane 5 was much faster off the pad, and although it was
> possible to follow a trajectory which would not have run into this
> problem the actual trajectory did exceed the (built-in, appropriate
> for Ariane 4) limits.

It also adds insult to injury that the data from the guidance unit which
failed was meaningless once Ariane 5 was off the launch pad, and the only
reason it was running was to allow Ariane 4 countdowns to hold and restart
without excessive delays. :(

Regards,
--
Martin Brown                  __             CIS: 71651,470
Scientific Software Consultancy             /^,,)__/
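The point both posters make is that the assertion was fine; what was missing was a re-check of the assumption behind it (the Ariane 4 flight envelope) and a full-trajectory simulation when the unit was reused. The following is an added illustration, not code from this thread or from the Ariane software: it writes the envelope down as an explicit, reviewable parameter of the contract rather than a hard-coded limit, and runs a whole constructed trajectory profile through the guard before "deployment" so that a faster vehicle is caught on the ground rather than in flight. All names (`Envelope`, `guarded_convert`, `simulate_flight`, `qualify`) and every number in it are constructed for this example.

```python
"""Added example (not from the thread or the Ariane code): a design-by-
contract guard whose operating envelope is an explicit parameter, plus the
pre-flight simulation check that flags a reused component. All values are
constructed for illustration."""

from dataclasses import dataclass
from typing import Iterable, List


class EnvelopeViolation(Exception):
    """Raised when an input falls outside the envelope the component was
    qualified for. On the flight system this is the branch that was taken
    to mean 'hardware failure'; here it is just an exception."""


@dataclass(frozen=True)
class Envelope:
    """The assumption behind the assertion, written where it can be reviewed
    when the component is reused on another vehicle (constructed values)."""
    name: str
    max_abs_value: float


# Hypothetical envelope for a slower vehicle; the limit is made up.
VEHICLE_A_ENVELOPE = Envelope("qualified for vehicle A (constructed)", 100.0)


def guarded_convert(value: float, envelope: Envelope) -> int:
    """Precondition: |value| <= envelope.max_abs_value.

    The rounding stands in for whatever narrowing the real guidance code
    performed; the example is about the guard and its stated envelope."""
    if abs(value) > envelope.max_abs_value:
        raise EnvelopeViolation(
            f"{value} outside {envelope.name} (limit {envelope.max_abs_value})")
    return int(round(value))


def simulate_flight(profile: Iterable[float], envelope: Envelope) -> List[str]:
    """Pre-deployment check: push the whole trajectory profile through the
    guard and collect every violation instead of stopping at the first."""
    findings = []
    for t, v in enumerate(profile):
        try:
            guarded_convert(v, envelope)
        except EnvelopeViolation as e:
            findings.append(f"t={t}: {e}")
    return findings


def qualify(profile: Iterable[float], envelope: Envelope) -> bool:
    """True only if no sample in the profile violates the envelope."""
    return not simulate_flight(list(profile), envelope)


# Constructed trajectory samples: the slower vehicle stays inside the
# envelope, the faster one leaves it partway through the profile.
SLOW_PROFILE = [0.0, 10.0, 25.0, 40.0, 60.0, 80.0, 95.0]
FAST_PROFILE = [0.0, 20.0, 50.0, 90.0, 130.0, 170.0, 210.0]


if __name__ == "__main__":
    for label, profile in (("vehicle A", SLOW_PROFILE), ("vehicle B", FAST_PROFILE)):
        ok = qualify(profile, VEHICLE_A_ENVELOPE)
        print(f"{label}: {'qualified' if ok else 'NOT qualified'}")
        for line in simulate_flight(profile, VEHICLE_A_ENVELOPE):
            print("  ", line)
```

Running the script shows vehicle A passing and vehicle B failing at three samples; the useful property is that the failure is reported by a ground-side check driven by the new vehicle's own profile, which is exactly the review step the posters say was skipped.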