From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Ariane 5 - not an exception?
Date: 1996/08/06
References: <4t9vdg$jfb@goanna.cs.rmit.edu.au>
Organization: The Mitre Corp., Bedford, MA.
Newsgroups: comp.software-eng,comp.lang.ada,comp.lang.pl1

In article <4totv7$o9f@goanna.cs.rmit.edu.au> rav@goanna.cs.rmit.edu.au (++ robin) writes:

> "A PL/I programmer experienced with real time systems would have
> CHALLENGED such a stupid requirement that the computer be shut
> down by the error-handler in the event of a fixed-point overflow.
> He would have had it changed...
>
> "This alone would have showed up the deficiency of the
> overall design (that the system would shut itself down for
> fixed-point overflow)."

Substitute Ada for PL/I and you have it exactly right, except... Management decided not to authorize the change. This was appealed up the line, and the change was not approved at any level.

Only a footnote, except that the same management approved reuse of the computer (and software) in the Ariane 5 without a requirements review. That review would have shown both that this software should not be running after launch, and that running it after launch would result in a crash. The software was, and continues to be, perfectly safe in the Ariane 4, although I suspect it will be changed for configuration management reasons.
Say Boeing took the flight control software for the 747-300 and used it unchanged and without a requirements review in the 747-400. Assume further that the first test flight crashed because of a computer malfunction, and it turned out that the crash occurred because the software decided that the (correct) center of balance value was bogus, and either 1) substituted a "maximum" value appropriate for the 747-300, 2) used the last "in-range" value, or 3) shut down and printed diagnostic data. Does which of those three occurred matter? The cause of the crash was reusing the software without checking that it met the new requirements. Same here.

--
Robert I. Eachus

with Standard_Disclaimer;
use Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...
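The point of the 747 analogy, that none of the three handler strategies can produce a correct result once a correct input leaves the range the old software was designed for, can be shown directly. The following is an added example, not code from the post or from the Ariane software; it assumes a constructed scenario in which a 64-bit value is converted to a 16-bit integer, with the three reactions the post lists selectable by an enum.

```c
#include <stdint.h>
#include <stdbool.h>

/* The three ways the post's hypothetical error handler could react when a
 * (correct) input falls outside the range the old software was designed for. */
enum strategy { SUBSTITUTE_MAX = 0, KEEP_LAST_IN_RANGE = 1, SHUT_DOWN = 2 };

struct outcome {
    int16_t value;    /* what the downstream consumer receives */
    bool    halted;   /* true if the handler stopped the computer */
    bool    faithful; /* true only if value actually represents the input */
};

/* Constructed stand-in for a fixed-point conversion: a 64-bit float is narrowed
 * to 16 bits. "last" is the previous in-range value the consumer saw. */
struct outcome convert16(double input, int16_t last, enum strategy s)
{
    struct outcome o = { .value = last, .halted = false, .faithful = false };

    if (input >= INT16_MIN && input <= INT16_MAX) {
        o.value = (int16_t)input; /* fits: the old design envelope holds */
        o.faithful = true;
        return o;
    }

    /* Out of range: the "fixed-point overflow" in the old design's terms.
     * Whatever we do here, the consumer never learns the real value. */
    switch (s) {
    case SUBSTITUTE_MAX:     o.value = input > 0 ? INT16_MAX : INT16_MIN; break;
    case KEEP_LAST_IN_RANGE: o.value = last;                              break;
    case SHUT_DOWN:          o.halted = true;                             break;
    }
    return o;
}

/* Feed one input through all three handlers and count how many yield a
 * faithful, non-halted result. In range: 3. Out of range: always 0. */
int faithful_count(double input, int16_t last)
{
    int n = 0;
    for (int s = SUBSTITUTE_MAX; s <= SHUT_DOWN; s++) {
        struct outcome o = convert16(input, last, (enum strategy)s);
        if (o.faithful && !o.halted)
            n++;
    }
    return n;
}
```

The check that matters is therefore not which branch the handler takes but whether the new mission's inputs were ever compared against the range the conversion assumes; that is the requirements review the post says was skipped.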