From: "Marin David Condic, 407.796.8997, M/S 731-93"
Subject: Re: Ariane 5 - not an exception?
Date: 1996/08/13
Message-ID: <96081314152009@psavax.pwfl.com>
Newsgroups: comp.lang.ada

John McCabe writes:

>The point I am trying to make here is that I believe that the success
>of a mission should never be traded off against such an arbitrary
>requirement as a loading margin.
>

Well, I have to agree that the important thing is mission success, not loading margin. But the general reason you establish some sort of "goal" for margin is to insure mission success. When going to Zero Margin (or worse) means dropping the rocket in the drink, not leaving yourself some room for "corner cases" which you never tested could be construed as imprudent - just as turning off checks could be considered imprudent. Had the "unanticipated case" never occurred, the software developers would have been "heroes" and would have been given a certificate with their name on it in a cheap plastic frame. They took a gamble and lost, so now they get to be the scapegoats for us to kick around for a while.

I'll admit that I also dislike setting some absolute number for CPU margin and sticking to it blindly. Eroding margin simply erodes the level of confidence, and you can afford to do that sometimes. Especially if you're willing to do the work to demonstrate that you really have found the worst-case behavior, or that the system is sufficiently deterministic that you can run with less margin and maintain sufficient confidence. (Define "sufficient confidence...")

Lots of people have tried to make the case that you should never turn off the runtime checks that Ada provides because they're critical to the safety of the system you are developing. I'd like to agree, and certainly Ariane 5 is an example of where this might have prevented disaster. But sometimes us poor saps who have nothing to work with but a MIL-STD-1750A are stuck making tradeoffs between safety checks and building a system that will work at all. Anybody want to make me a rad-hard, space-tested, 200 MIPS processor that I can buy in small lots at $40 apiece and has a full suite of development tools (including an Ada95 compiler) available for it? (Sober up, Marin! ;-)

MDC

Marin David Condic, Senior Computer Engineer    ATT:        407.796.8997
M/S 731-96                                      Technet:    796.8997
Pratt & Whitney, GESP                           Fax:        407.796.4669
P.O. Box 109600                                 Internet:   CONDICMA@PWFL.COM
West Palm Beach, FL 33410-9600                  Internet:   CONDIC@FLINET.COM
===============================================================================
"Being in a minority, even a minority of one, did not make you mad. There
was truth, and there was untruth, and if you clung to the truth even against
the whole world, you were not mad. 'Sanity is not statistical.'"
                                                    -- G. Orwell, "1984"
===============================================================================
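As an added illustration of the tradeoff the post describes (example code, not from the original post or from any Ariane flight software), the following Ada program contrasts a range-checked 64-bit float to 16-bit integer conversion, the same conversion with Range_Check suppressed to save cycles, and an explicit saturating version that keeps the check but chooses the outcome. The type names and sample values are constructed; the two checked and unchecked paths agree on the tested input and diverge only on the untested corner case.

```ada
--  Added example, not from the original post. Type names and values are constructed.
with Ada.Text_IO; use Ada.Text_IO;

procedure Range_Check_Demo is
   type Word_16      is range -2**15 .. 2**15 - 1;  -- 16-bit signed word
   type Sensor_Value is digits 15;                  -- 64-bit float

   --  Checked path: the conversion is range-checked by the language, so an
   --  out-of-range input raises Constraint_Error instead of yielding garbage.
   function Checked (V : Sensor_Value) return Word_16 is
   begin
      return Word_16 (V);
   end Checked;

   --  Same conversion with the range check suppressed to save cycles on a
   --  slow processor. For an out-of-range input this is erroneous execution:
   --  the result is unspecified and no exception is raised.
   function Unchecked (V : Sensor_Value) return Word_16 is
      pragma Suppress (Range_Check);
   begin
      return Word_16 (V);
   end Unchecked;

   --  Keep the check but decide the outcome: saturate at the type bounds.
   function Saturating (V : Sensor_Value) return Word_16 is
   begin
      if V >= Sensor_Value (Word_16'Last) then
         return Word_16'Last;
      elsif V <= Sensor_Value (Word_16'First) then
         return Word_16'First;
      else
         return Word_16 (V);
      end if;
   end Saturating;

   In_Range     : constant Sensor_Value := 12_345.6;   -- the tested case
   Out_Of_Range : constant Sensor_Value := 40_000.0;   -- the untested corner
begin
   --  In range, checked and unchecked behave identically; only the corner differs.
   Put_Line ("checked,   in range:  " & Word_16'Image (Checked (In_Range)));
   Put_Line ("unchecked, in range:  " & Word_16'Image (Unchecked (In_Range)));
   Put_Line ("saturating, too big:  " & Word_16'Image (Saturating (Out_Of_Range)));
   begin
      Put_Line ("checked,   too big:   " & Word_16'Image (Checked (Out_Of_Range)));
   exception
      when Constraint_Error =>
         Put_Line ("checked,   too big:   Constraint_Error raised and handled");
   end;
end Range_Check_Demo;
```

Unchecked is deliberately never called with the out-of-range value, since that path has no defined result to show.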