Re: Ariane 5 failure

["Marin David Condic, 407.796.8997, M/S 731-93" <condicma@PWFL.COM>]

Robert Dewar <dewar@MERV.CS.NYU.EDU> writes:
>It *is* possible to write reliable programs, though it is expensive. If you
>need to do this, and are not able to do it, then the answer is to investigate
>the tools that make this possible, and understand the necessary investment
>(which is alarmingly high). Some of these tools are related to correctness,
>but that's not the main focus. There are reliable incorect programs and
>correct unreliable programs, and what we are interested in is reliability.
>
<snip>
>Now of course informally we would like to make all programs realiable, but
>there is a cost/benefit trade off. For most non-safety critical programming
>(but not all), it is simply not cost effective to demand total reliability.
>
    You are absolutely correct about the cost. The control software we
    build is tested exhaustively from the module level on up to the
    integration with physical sensors & actuators well before it gets
    to drive an engine on a test stand - much less fly. It *is*
    enormously expensive - but in the present day it's the only way to
    be sure you aren't trying to fly something that will break.

    The point is that our software testing was derived from the same
    mindset as our hardware testing (turbine blades, pumps, bearings,
    etc.) We probably test a hardware component for an engine even
    more rigorously and at greater expense than we do for software -
    which is, after all, just another "part" for the engine. The
    mistake that is often made when looking at software it to think
    that somehow (because it passed the "smoke" test?) it doesn't need
    the same sort of rigorous testing we'd demand of any physical
    device in order to be proven reliable.

    Who would want to fly in an airplane powered by engines, the
    design for which had been verified by powering up a single
    prototype once and running it for 10 minutes. You'd probably feel
    a lot safer if we ran a couple of prototypes right into the
    ground, including making them ingest a few birds and deliberately
    cutting loose a turbine blade or two at speed. If you want
    reliable software, the testing can be no less rigorous.

    MDC

Marin David Condic, Senior Computer Engineer    ATT:        561.796.8997
M/S 731-96                                      Technet:    796.8997
Pratt & Whitney, GESP                           Fax:        561.796.4669
P.O. Box 109600                                 Internet:   CONDICMA@PWFL.COM
West Palm Beach, FL 33410-9600                  Internet:   CONDIC@FLINET.COM
===============================================================================
    "The speed with which people can change a courtesy into an
    entitlement is awe-inspiring."

        --  Miss Manners, February 8, 1994
===============================================================================