From: "Marin David Condic, 407.796.8997, M/S 731-93"
Subject: Re: Ariane 5 failure
Date: 1996/10/03
Message-ID: <96100315315293@psavax.pwfl.com>
Sender: Ada programming language
Comments: Gated by NETNEWS@AUVM.AMERICAN.EDU
Newsgroups: comp.lang.ada

Ken Garlington writes:
>So what did you do when you needed to build a system that was bigger than the
>torpedo hatch? Re-design the submarine? You have physical limits that you just
>can't exceed. On a rocket, or an airplane, you have even stricter limits.
>
>Oh for the luxury of a diesel generator! We have to be able to operate on basic
>battery power (and we share that bus with emergency lighting, etc.)
>
    Just as you have physical limits and need to leave physical margins,
    software has timing limits and needs to leave timing margins. Both to
    accommodate the inevitable change and growth as production units are
    fielded, but also as a *safety* factor. What would happen to the
    Ariane 5 if that 80% utilization went to 105% because the software
    hit an untested "corner case"? It's a good reason to insist on
    leaving some margin.

    You have emergency lighting? Lucky dog!

>What if your brand new CPU requires more power than your diesel generator
>can generate?
>
>What if your brand new CPU requires a technology that doesn't let you meet
>your heat dissipation?
>
>Doesn't sound like you had to make a lot of tradeoffs in your system.
>Unfortunately, airborne systems, particularly those that have to operate in
>lower-power, zero-cooling situations (amazing how hot the air gets around
>Mach 1!), don't have such luxuries.
>
    You get zero-cooling? Lucky dog! My box just keeps getting hotter
    and hotter until it burns up. Hopefully *after* the mission is over.
    You get *air???!*! And never mind that Mach 1 stuff - my box is
    strapped to the side of a blow-torch!

    You're absolutely right about the engineering tradeoffs - In flight
    systems especially since the biggest constraint is typically weight
    & space. (Two commodities that are *much* easier to compromise on
    when you get to sit on the ground - or sink under the ocean) I'd
    gladly give my eye teeth to get double the CPU speed I've got.
    Unfortunately, this is the best that can be done within the current
    CPU technology and adding a second processor is out of the question
    at this time: The box can't get heavier or bigger without risking
    payload, power consumption and heat dissipation go up, etc. etc. etc.

    If it weren't for the megabucks and the chance to meet chicks, I'd
    quit the engineering business because of the headaches.

>And, if you had only got 20MB per second after all that, you would have
>done...?
>
    Anyone can afford to be a purist right up to the point where they
    have to tell their boss that they're at 105% utilization and that
    the project they've invested millions on won't work. At that point,
    you start looking at what you might inline to avoid procedure call
    overhead, recode sections in assembler because you can be smarter at
    it than the compiler, and yes, remove all those extraneous runtime
    checks and prove out your code instead.

>Certainly, if you just throw out range checking without knowing its cost,
>you're an idiot. However, no one has shown that the Ariane team did this.
>I guarantee you (and am willing to post object code to prove it) that
>range checking is not always zero cost, and in the right circumstances can
>cause you to bust your budget.
>
    Amen! Let's say you have 20 computations. Let's say that the runtime
    checks total time is 5uSec. (Not unrealistic on many processors
    where the average instruction uses 0.5 to 1.0uSec) That's 100uSec.
    Suppose this code needs to run once every 1mSec. Your runtime checks
    just consumed 10% of your CPU. We did *exactly* this sort of
    analysis (both bench checking and running sample code) and concluded
    that the runtime checks were out or the project wouldn't work. And
    we're using one of the *best* Ada compilers available for the 1750a -
    the EDS-Scicon XD-Ada compiler.

MDC

Marin David Condic, Senior Computer Engineer    ATT:        561.796.8997
M/S 731-96                                      Technet:    796.8997
Pratt & Whitney, GESP                           Fax:        561.796.4669
P.O. Box 109600                                 Internet:   CONDICMA@PWFL.COM
West Palm Beach, FL 33410-9600                  Internet:   CONDIC@FLINET.COM
===============================================================================
    Glendower: "I can call spirits from the vasty deep."
    Hotspur:   "Why so can I, or so can any man; but will they come when
               you do call for them?"
        -- Shakespeare, "Henry IV"
===============================================================================