From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/20
References: <332B5495.167EB0E7@eiffel.com>
Organization: The Mitre Corp., Bedford, MA.
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada

In article <5gqrkt$bp1$1@news.irisa.fr> jezequel@irisa.fr (Jean-Marc Jezequel) writes:

> In general, this may be true. But in this particular Ariane 501
> crash, I maintain that such "stuff" would have been enough, for a
> team fully embracing design by contract, to specify this
> particular assumption. By the mere definition of design by
> contract, they should have done this. Then, with the process
> explained in another of my posts, the constraint (along with many,
> many others) would have propagated to the boundaries of the SRI
> module, as a constraint on the environment where the module could
> be reused.

All this was done for Ariane 4. When it came time to reuse the software on Ariane 5, the plan was to verify that the Ariane 4 software and hardware met the Ariane 5 requirements by testing. The testing rig was cancelled as too expensive and behind schedule, so the software was reused without testing and without a requirements review.

> I would expect that you could agree with me on that, because it is
> just a bare-bones application of design by contract...

Get it through your head. There is no evidence that the Ariane 5 flight dynamics requirements were EVER in the same building, or possibly the same country, as the Ariane 4 guidance system specs. If even the most cursory spec review had been done, it would have caught and fixed the problem. The problem is not in the way design by contract was or was not implemented on the Ariane 4. It is that the software was reused without ever checking that it was fit for its new role.

If you had a 1993 Audi engine controller chip and put it in your new 1997 Audi, it might work. Or it might burn up the engine. Or the engine might not run at all. Or... You get the picture. This is precisely what Arianespace did. The chip fit the socket, so they plugged it in and tried it.

-- 
Robert I. Eachus

with Standard_Disclaimer;
use Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...