From: "Marin David Condic, 561.796.8997, M/S 731-93"
Subject: Re: Ariane-5: can you clarify? (Re: Please do not start a
Date: 1997/03/26
Message-ID: <97032610040621@psavax.pwfl.com>
Newsgroups: comp.lang.ada

David Starr writes:

> I say the crash was caused by the requirement for the inertial nav
> software to shut down and enter hardware test mode upon exception. In
> other words, the program did what it was asked to do, and it was asked to
> destroy the rocket upon any kind of unforeseen problem. Be careful what
> you ask for, you might get it.

Be a bit careful here. Remember that the software ran just fine and dandy on the Ariane 4. Hence the requirements, design, implementation, etc., must have been adequate to get the job done. (One of many possible "right answers.") What caused the crash was more a case of lifting software out of Ariane 4 and making the assumption that it would be sufficient for Ariane 5.

> If the inertial nav software had been required to press on regardless
> there is an excellent chance the mission would have flown.
> I don't think a clever programming language could be so good as to
> guarantee no exceptions ever. The software was required to shut down
> upon exception. It got an exception and it shut down.
> Pressing on in the face of an exception is probably better than a shutdown
> because on a dual redundant system the software design is common and you
> can presume that if you divided by zero on your side, your partner probably
> did as well.

But you'll note my favoring the word "probably". I could easily imagine a situation where the rocket is flying along, divides by zero, and continues to fly along right into a schoolyard full of kids. You might want to presume that if you're seeing an exception in software that you didn't see in test, that you've got either broken hardware causing the exception or crazy software which is real dangerous to run. Design philosophies such as this can be debated right up until the project is cancelled. Sooner or later, you have to pick one and fly with it.

Your point is well taken. The software did exactly what it was designed to do. It just didn't do what you wanted it to do.

MDC

Marin David Condic, Senior Computer Engineer    ATT:      561.796.8997
M/S 731-96                                      Technet:  796.8997
Pratt & Whitney, GESP                           Fax:      561.796.4669
P.O. Box 109600                                 Internet: CONDICMA@PWFL.COM
West Palm Beach, FL 33410-9600                  Internet: CONDIC@FLINET.COM
===============================================================================
In Vegas, I got into a long argument with the man at the roulette wheel
over what I considered to be an odd number.
-- Steven Wright
===============================================================================