From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/17
References: <332B5495.167EB0E7@eiffel.com>
Organization: The Mitre Corp., Bedford, MA.
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada,comp.lang.java.tech

In article <332D113B.4A64@calfp.co.uk> Nick Leaton writes:

> But in conclusion, my experience is that people write assertions in
> their code, because it is effective.

How many times do people have to be told that the lack of an assertion was NOT the problem here? The assertion existed, and the deliberate decision, apparently thrashed around in several meetings at different management levels, was that on Ariane 4 this condition could only occur through hardware failure. The software designers were under no illusions about what would happen if this constraint was violated, or about the conditions under which that could occur: the rocket could be way off course--which would tend to indicate a guidance failure--or one part or another of the guidance system was malfunctioning.
The real problem was that the software was used unchanged and without review on Ariane 5, where these assumptions were not true. The Ariane 5 was much faster off the pad, and although it was possible to follow a trajectory which would not have run into this problem, the actual trajectory did exceed the (built-in, appropriate for Ariane 4) limits.

--
Robert I. Eachus

with Standard_Disclaimer; use Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...
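The distinction the post draws (a range check that existed and was deliberately suppressed for one flight profile, then reused unreviewed on a faster vehicle) can be shown in a few lines. The following is an added example written for this page; it is not code from the post, from the thread, or from any Ariane flight software. It assumes a conversion of a floating-point reading into a 16-bit signed integer, which is the conversion the Ariane 501 inquiry report identified, and the two sample ascent profiles are constructed numbers chosen only so that one stays inside the range and the other does not.

```python
"""Added example: a precondition that encodes a flight-profile assumption.

to_int16() is the converted-value precondition; 'checked=False' models the
documented decision to suppress the check because the operand could not
overflow on the slower vehicle.  reuse_review() is the review step the post
says was skipped: run the new profile against the old assumption first.
"""

INT16_MIN, INT16_MAX = -32768, 32767


class ContractViolation(Exception):
    """Raised when a precondition is violated and checking is enabled."""


def to_int16(value: float, *, checked: bool = True) -> int:
    """Truncate a float to a 16-bit signed integer.

    checked=True  : enforce the precondition; out-of-range input raises.
    checked=False : the check is suppressed and the result wraps in two's
                    complement, which is what an unchecked hardware
                    conversion would hand back.
    """
    truncated = int(value)
    if checked:
        if not (INT16_MIN <= truncated <= INT16_MAX):
            raise ContractViolation(
                f"{value!r} outside [{INT16_MIN}, {INT16_MAX}]")
        return truncated
    # Suppressed check: wrap silently into the 16-bit range.
    return ((truncated - INT16_MIN) % 65536) + INT16_MIN


# Constructed sample readings (not telemetry): a scaled horizontal-bias
# value sampled during a slower ascent and during a faster one.  The slower
# profile never leaves the 16-bit range; the faster one does at index 3.
SLOW_ASCENT = [0.0, 1200.5, 8400.2, 19800.9, 31200.0]
FAST_ASCENT = [0.0, 2100.7, 14600.3, 36500.8, 52000.1]


def convert_profile(profile, *, checked: bool = True) -> list:
    """Convert every sample; with checking on, the first bad sample raises."""
    return [to_int16(v, checked=checked) for v in profile]


def first_violation(profile):
    """Index of the first sample that breaks the precondition, or None."""
    for i, v in enumerate(profile):
        if not (INT16_MIN <= int(v) <= INT16_MAX):
            return i
    return None


def reuse_review(profile) -> bool:
    """The review the post says did not happen: before reusing code whose
    check was suppressed on the strength of an old profile, confirm the new
    profile still satisfies the precondition.  True means safe to reuse."""
    return first_violation(profile) is None


if __name__ == "__main__":
    print("slow ascent, checked:", convert_profile(SLOW_ASCENT))
    print("fast ascent, check suppressed:",
          convert_profile(FAST_ASCENT, checked=False))
    print("fast ascent passes reuse review:", reuse_review(FAST_ASCENT))
    try:
        convert_profile(FAST_ASCENT)
    except ContractViolation as exc:
        print("fast ascent, checked:", exc)
```

With the check suppressed, the fourth fast-ascent sample comes back as a plausible-looking negative number rather than an error, which is the failure mode the post describes: the contract was known and documented, and what failed was carrying the suppression over to a vehicle whose trajectory no longer satisfied it.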