From mboxrd@z Thu Jan 1 00:00:00 1970
From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/18
Message-ID: #1/1
References: <332B5495.167EB0E7@eiffel.com>
Organization: The Mitre Corp., Bedford, MA.
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada,comp.lang.java.tech

I said:

> How many times do people have to be told that the lack of an
> assertion was NOT the problem here. The assertion existed

In article <332DA14C.41C67EA6@eiffel.com> Bertrand Meyer writes:

> Where?

In lots of places, including the code. The assertion was quite clear, as was the run-time action: out-of-range data here indicates a hardware failure. Switch to the other processor, run the diagnostics and send the data down the telemetry channel.

Let me interrupt for a second. There has been a lot of discussion about the fact that this condition was not "handled" correctly in the code. But the assertion was there, the compiler detected that this condition could not be ruled out at compile time, and the software engineers suggested a "better" way to deal with it.

It is only at this point that the error handling becomes an issue. But the compilers and other development tools, AND their users, made no silly mistakes or omissions. The software was explicit, and the compiler diagnostics essentially said: "Rocket can crash here." Whether to change this was debated--look at the report--by several layers of management, and in the end five of seven such issues were closed by adding local handlers in the code. Two, including this one, were closed with a proof that if the software detected that condition, it indicated a hardware flaw. This was perfectly correct--on the Ariane 4. The fact that the hardware "switched to the other computer" and resulted in diagnostic data going to the engine actuators was extremely bad hardware design, but that is not the issue here.

(I said:)

> [...] The real problem was that the software was used unchanged and
> without review [from Ariane 4 to] Ariane 5, where these assumptions
> were not true.

(Back to Bertrand:)

> The real problem was that the assertion was not part of the software.

However, the assertion was implicitly and explicitly in the code. But that was not where this reuse went wrong...

> Successful reuse requires that what you reuse be equipped with a
> specification - a contract.

Exactly. Good specifications existed, but no one was ever tasked to see if there were any conflicts between the specification of the Ariane 5 and the specifications of the Ariane 4 guidance software. This was not a "one-line" miss. There were pages and pages on the float-to-integer conversion issue, and volumes on running the alignment software after liftoff. (Including the fact that this capability had been used on at least one Ariane 4 launch.) My guess is that tasking one software or systems engineer to do such a review would have found the problem--and resulted in a much more thorough requirements scrub!

By the way, even worse was the fact that the Ariane 4 software designers were told they had no "need-to-know" the Ariane 5 specs when designing the system for the Ariane 4. I'm sure if they had been allowed to see the Ariane 5 specs, the specs would have been used as "ammunition" in the local handler debate.

-- 
Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...
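The post's argument turns on a float-to-integer conversion whose range assertion was present and whose handling policy was the real design decision: a local handler versus treating the out-of-range value as a hardware fault. The following C program is an added example written for this page; it is not code from the post, from Ariane, or from any flight software. It makes the range check explicit as a function that reports its outcome, then runs the same check under both handling policies against two constructed sample profiles (labelled as such in the code) so the difference shows up in the resulting state. The 16-bit signed target, the field names and the sample values are all assumptions of the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <math.h>
#include <stdio.h>

/* Outcome of a checked 64-bit float -> 16-bit signed integer conversion.
 * The "fits in 16 bits" assertion is reported to the caller rather than
 * left as an implicit run-time trap. */
typedef enum { CONV_OK, CONV_OUT_OF_RANGE, CONV_NOT_A_NUMBER } conv_status;

conv_status checked_f64_to_i16(double value, int16_t *out) {
    if (isnan(value)) return CONV_NOT_A_NUMBER;
    /* The comparison must come before the cast: converting a double whose
     * integral part does not fit the target type is undefined behaviour in C.
     * Truncation toward zero means 32767.9 fits but 32768.0 does not. */
    if (value >= 32768.0 || value <= -32769.0) return CONV_OUT_OF_RANGE;
    *out = (int16_t)value;
    return CONV_OK;
}

/* Hypothetical per-channel state used to compare the two policies. */
typedef struct {
    int16_t  bias;          /* value actually delivered downstream         */
    bool     channel_alive; /* false once the channel has shut itself down */
    unsigned faults;        /* number of failed conversions observed       */
} channel_state;

/* Policy 1: local handler. Saturate, count the fault, keep delivering output. */
void handle_locally(channel_state *s, double raw) {
    int16_t v;
    switch (checked_f64_to_i16(raw, &v)) {
    case CONV_OK:           s->bias = v; break;
    case CONV_OUT_OF_RANGE: s->faults++; s->bias = raw < 0 ? INT16_MIN : INT16_MAX; break;
    case CONV_NOT_A_NUMBER: s->faults++; break; /* keep the last good value */
    }
}

/* Policy 2: treat any failed conversion as a hardware fault and stop the channel.
 * Correct only while the assumption "good hardware never produces such a value" holds. */
void handle_as_hardware_fault(channel_state *s, double raw) {
    int16_t v;
    if (!s->channel_alive) return;              /* channel already shut down */
    if (checked_f64_to_i16(raw, &v) == CONV_OK) {
        s->bias = v;
    } else {
        s->faults++;
        s->channel_alive = false;
    }
}

/* Constructed sample profiles (not flight data): one stays inside the 16-bit
 * range, the other grows faster than the range assumption allows. */
static const double SLOW_PROFILE[] = {100.0, 2000.0, 12000.0, 30000.0, 32000.0};
static const double FAST_PROFILE[] = {100.0, 9000.0, 25000.0, 40000.0, 65000.0};
#define PROFILE_LEN 5

channel_state run_profile(const double *samples, size_t n, bool local_handler) {
    channel_state s = {0, true, 0};
    for (size_t i = 0; i < n; i++) {
        if (local_handler) handle_locally(&s, samples[i]);
        else               handle_as_hardware_fault(&s, samples[i]);
    }
    return s;
}

static void report(const char *label, channel_state s) {
    printf("%-28s bias=%6d alive=%d faults=%u\n",
           label, s.bias, s.channel_alive, s.faults);
}

int main(void) {
    report("slow / hardware-fault policy", run_profile(SLOW_PROFILE, PROFILE_LEN, false));
    report("fast / hardware-fault policy", run_profile(FAST_PROFILE, PROFILE_LEN, false));
    report("fast / local handler",         run_profile(FAST_PROFILE, PROFILE_LEN, true));
    return 0;
}
```

The point the output makes is the one the post makes in prose: the check itself is identical in both policies, and on the slow profile both behave the same. Only the faster profile, which lies outside the original range assumption, separates them, and which policy is "right" depends entirely on whether that assumption still holds for the system the code is reused in.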