From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Multiple reasons for failure of Ariane 5 (was: Re: Ariane 5 - not an exception?)
Date: 1996/07/26
Message-ID: #1/1
Organization: The Mitre Corp., Bedford, MA.
Newsgroups: comp.software-eng,comp.lang.ada

In article johndoe@zaphod.nosc.mil (Kirk Beitz) writes:

> after reading the failure analysis, it seems a little
> irresponsible to even hint about the failure of the rocket being
> based solely on the lack of proper exception handling.

One way of looking at the failure is that:

1. The software detected an out-of-range condition on horizontal velocity.

2. The exception handler for this condition regarded it as a non-survivable hardware failure, and proceeded to save failure data to help in the crash analysis.

3. The diagnostic data was regarded as valid navigational input... (Sounds preposterous, but read the report!)

The first two are not obviously broken in isolation--in the Ariane 4 the software was designed for, that high a horizontal velocity early in the flight would be either a bogus reading or a severe hardware failure. Point three, of course, is only acceptable if it can only occur AFTER catastrophic failure. But if you read the report, several levels of management reviewed and agreed to 1 and 2. So the software functioned correctly, if you regard correctly as adherence to specifications.
If you want more for your money, the reason that several levels of management looked at points one and two was that, in Ada, it was obvious that there were potential problems here. Management literally decided that item 1 could never happen, and that the diagnostic information was "that important." So the exception was handled exactly as management wanted, even after being asked, "Are you sure?"

To be fair, the managers asked about the out of range horizontal velocity check answered correctly in the context the question was asked. And the software designers never knew to reraise the issue, since they never saw the Ariane 5 flight profile data. The managers who goofed were the ones who decided to use the same software on Ariane 4 and 5 without doing any checks against the new requirements. That is NO checks as in no specification reviews, no code review and no testing.

--
Robert I. Eachus

with Standard_Disclaimer;
use Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...
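As an added example (not code from the original post or from the Ariane report), the following Python simulation reproduces the three-step pattern described in the post: a checked conversion detects an out-of-range reading, the handler writes a diagnostic word into the same slot the consumer reads as data, and the consumer obeys it. Beside it is a variant where faults travel in a separately tagged frame and readings are validated against a declared flight envelope first. The 16-bit field, the diagnostic bit pattern, the control gain, the envelope value and the velocity profiles are all constructed for illustration.

```python
"""Constructed simulation of the failure pattern: an exception handler that
emits diagnostics on the same channel as live data, beside a variant that
keeps fault frames and data frames distinguishable.  Not the flight code."""
from typing import List, Tuple

INT16_MIN, INT16_MAX = -32768, 32767
DIAG_PATTERN = 0x7FFF   # constructed "failure marker" the handler writes out
GAIN_DIVISOR = 10       # constructed control law: 1 unit of correction per 10 units of velocity


class OutOfRange(Exception):
    """Raised by the checked conversion when a reading does not fit in 16 bits."""


def to_int16(value: float) -> int:
    """Step 1: checked conversion of a wide reading into a 16-bit field."""
    v = int(value)
    if not INT16_MIN <= v <= INT16_MAX:
        raise OutOfRange(f"{value} does not fit in a signed 16-bit field")
    return v


def flight_profile(peak: float, steps: int = 10) -> List[float]:
    """Constructed horizontal-velocity readings ramping linearly up to `peak`."""
    return [peak * i / (steps - 1) for i in range(steps)]


# ---- original design: the handler drops a diagnostic word into the data slot ----

def sensor_unit_original(readings: List[float]) -> List[int]:
    """One raw word per cycle.  Step 2: on an out-of-range value the handler
    assumes a hardware fault and writes a diagnostic word into the same slot."""
    words = []
    for r in readings:
        try:
            words.append(to_int16(r))
        except OutOfRange:
            words.append(DIAG_PATTERN)   # indistinguishable from a (large) velocity
    return words


def flight_computer_original(words: List[int]) -> List[int]:
    """Step 3: every word on the channel is treated as velocity and acted on."""
    return [w // GAIN_DIVISOR for w in words]


def run_original(peak: float) -> List[int]:
    """Corrections the original design would command for a profile peaking at `peak`."""
    return flight_computer_original(sensor_unit_original(flight_profile(peak)))


# ---- hardened design: faults are typed, and the envelope is an explicit input ----

Frame = Tuple[str, int]   # ("nav", value) or ("fault", code)


def sensor_unit_hardened(readings: List[float], envelope_max: float) -> List[Frame]:
    """Readings are checked against the declared flight envelope before the
    conversion, and any fault travels in its own tagged frame."""
    frames: List[Frame] = []
    for r in readings:
        if abs(r) > envelope_max:
            frames.append(("fault", 1))      # constructed code: outside declared envelope
            continue
        try:
            frames.append(("nav", to_int16(r)))
        except OutOfRange:
            frames.append(("fault", 2))      # constructed code: conversion overflow
    return frames


def flight_computer_hardened(frames: List[Frame]) -> Tuple[List[int], List[int]]:
    """Fault frames never reach the control law: the last good correction is held
    and the fault is recorded, so the consumer cannot mistake diagnostics for data."""
    cmds, faults, last = [], [], 0
    for kind, v in frames:
        if kind == "fault":
            faults.append(v)
        else:
            last = v // GAIN_DIVISOR
        cmds.append(last)
    return cmds, faults


def run_hardened(peak: float, envelope_max: float) -> Tuple[List[int], List[int]]:
    """Corrections and recorded faults for a profile peaking at `peak`."""
    return flight_computer_hardened(sensor_unit_hardened(flight_profile(peak), envelope_max))


if __name__ == "__main__":
    print("original, old profile :", run_original(30000))
    print("original, new profile :", run_original(60000))      # diagnostic word obeyed as data
    print("hardened, new profile :", run_hardened(60000, 30000.0))
```

With the constructed "old" profile (peak 30000) both designs behave identically; with the "new" profile (peak 60000) the original silently starts commanding `DIAG_PATTERN // GAIN_DIVISOR` and never reports a fault, while the hardened variant holds the last good command and records five fault frames. The envelope parameter also makes the reused assumption an explicit input that a requirements review or test against the new profile would have to supply, which is the check the post says was skipped.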