From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Trust but verify (was Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/28
References: <332B5495.167EB0E7@eiffel.com>
Organization: The Mitre Corp., Bedford, MA.
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.lang.ada

In article <5hfdh8$b7d@news-central.tiac.net> jws@tiac.net (Jeffrey W. Stulin) writes:

> If the Ariane software engineers had the reuse mindset, NOT the
> specific mechanisms of Eiffel, but the design by contract reuse
> mindset, then they MAY have written the assertion, and MAY have
> noticed, while integrating the modules, that the assertion would
> not have been met.

> I often specify "impossible" assertions because, human nature
> being what it is, the impossible will happen, and it is exactly
> these non-intuitive circumstances which cause the most trouble...

Hmm. Let me try to get the picture across. Do you remember the Saturn V moon launches? The stack seemed to sit there on the pad for the longest time, because the thrust at liftoff was almost exactly 1 G. (I seem to remember 1.03 G at t=0.) As the engines burned off kerosene and LOx the stack slowly accelerated. (And at about the point you thought you couldn't take it anymore, the noise starts to decrease, but I digress.)

Now go watch a space shuttle launch. Once the solids light up, the shuttle grabs for the sky. (Varies from mission to mission, but the thrust is about 1.4 G as I recall.) The shuttle even has to throttle back to keep max Q within limits.

The Ariane 4 takes off like the Saturn V, the Ariane 5 like the shuttle. I don't know the actual numbers, but how would you document a "potential problem" where a rocket that couldn't get more than a kilometer from the pad in the first minute was 10 km away at t=40 seconds? You would decide as the Ariane 4 developers did--any such indication had to be indicative of hardware failure of one sort or another.

--
Robert I. Eachus

with Standard_Disclaimer;
use Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...