From: "Marin David Condic" <dont.bother.mcondic.auntie.spam@[acm.org>
Subject: Re: Ariane Failure
Date: Mon, 1 Apr 2002 10:08:50 -0500
Message-ID: <a89t63$6nk$1@nh.pace.co.uk>
In-Reply-To: 3CA4B8E5.72909C9B@adaworks.com
I beg to differ on the "Bad Directions" part. Note that the software in
question was designed for the Ariane IV which had a different flight
profile. The FDA thinking for the module in question went sort of like this:
"Any number that shows up here big enough to generate a hardware overflow
interrupt has got to be so far out of the flight profile that it would most
likely indicate a bad sensor. The accommodation for this failure should be
to transfer control to the other side where we might still have a good
sensor..." This logic worked fine in Ariane 4 and would likely have detected
a sensor failure and accommodated it appropriately. In my mind, that sounded
a lot like "Good Directions" :-)
The problem arose when the assumption was made that software that was
designed for Ariane 4 and that worked just fine in that environment was
therefore fit to fly Ariane 5 WITHOUT being tested and validated against the
Ariane 5 flight profile. That's a pretty basic and fundamental error that
goes well outside the realm of control of a programming language or
methodology.
MDC
--
Marin David Condic
Senior Software Engineer
Pace Micro Technology Americas www.pacemicro.com
Enabling the digital revolution
e-Mail: marin.condic@pacemicro.com
"Richard Riehle" <richard@adaworks.com> wrote in message
news:3CA4B8E5.72909C9B@adaworks.com...
>
> The problem with Ariane V begins with Systems Engineering management.
> The decisions about what to do when an exception occurs were wrong, and
> not tested. Although Design By Contract might have helped, I doubt that
> Eiffel would have been appropriate because of other issues related to
> Eiffel. I like Eiffel, but don't consider it appropriate for a project such
> as Ariane V. The SPARK approach to Design By Contract (they don't
> call it that, but that is what it is) could have worked well, especially
> since it was programmed in Ada. By the way, the Ada code worked as
> it was directed to work, but it was given bad directions.
>
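The failure-detection-and-accommodation logic Condic describes, and the reuse-without-revalidation error he and Riehle both point at, can be made concrete in a small model. The code below is an added example written for this archive page, not code from either poster or from the Ariane programme. It models what the inquiry board documented as the Ariane 501 root cause, an unprotected conversion of a floating-point value to a signed 16-bit integer, and the policy of treating the resulting overflow trap as a sensor fault that hands control to the redundant channel. Two channels running identical software survive a single bad sensor (the Ariane 4 case) but both shut down on a legitimate reading outside the old envelope (the Ariane 5 case). The numeric envelopes and sensor readings are constructed for illustration, and the names `SRI-A`, `SRI-B`, `ARIANE4_ENVELOPE` and `ARIANE5_ENVELOPE` are this example's own, not values from any flight data.

```python
"""Model of the FDA ("any overflow here means a bad sensor, switch channels")
policy described in the post, and of the integration-time check that was
skipped when Ariane 4 software was reused on Ariane 5.

Added example for this page; all numbers below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INT16_MIN, INT16_MAX = -32768, 32767

# Constructed worst-case magnitudes of the converted variable for each vehicle.
# Ariane 4's profile stays inside the 16-bit range; Ariane 5's does not.
ARIANE4_ENVELOPE: Tuple[float, float] = (-2000.0, 2000.0)
ARIANE5_ENVELOPE: Tuple[float, float] = (-50000.0, 50000.0)


class OperandError(Exception):
    """Stands in for the hardware overflow trap on a float -> int16 conversion."""


def to_int16(x: float) -> int:
    """Unprotected conversion: traps instead of wrapping or saturating."""
    n = int(x)  # truncate toward zero, as a convert instruction would
    if not INT16_MIN <= n <= INT16_MAX:
        raise OperandError(f"{x} does not fit in a signed 16-bit integer")
    return n


@dataclass
class Channel:
    """One inertial reference channel running the shared software."""
    name: str
    healthy: bool = True
    log: List[str] = field(default_factory=list)

    def process(self, reading: float) -> Optional[int]:
        """FDA policy from the post: an overflow is assumed to be a bad sensor,
        so this channel declares itself failed and stops producing output."""
        try:
            return to_int16(reading)
        except OperandError as err:
            self.healthy = False
            self.log.append(f"{self.name}: {err}; assuming sensor fault, shutting down")
            return None


def fly(samples: List[Tuple[float, float]], channels: List[Channel]):
    """Active/standby execution: each tuple holds one reading per channel's own
    sensor; the first healthy channel that produces a value wins the sample.
    Returns (accepted values, names of channels still healthy)."""
    accepted: List[int] = []
    for readings in samples:
        for ch, reading in zip(channels, readings):
            if not ch.healthy:
                continue
            val = ch.process(reading)
            if val is not None:
                accepted.append(val)
                break  # active channel answered; standby not consulted
    survivors = [ch.name for ch in channels if ch.healthy]
    return accepted, survivors


def ariane4_profile_with_sensor_fault():
    """Readings inside the old envelope, with one genuine glitch on channel A.
    The FDA policy does exactly what it was designed for: A drops out, B flies."""
    samples = [(1200.0, 1210.0), (1.0e9, 1250.0), (1300.0, 1290.0)]
    return fly(samples, [Channel("SRI-A"), Channel("SRI-B")])


def ariane5_profile_same_software():
    """Same software, larger vehicle: both sensors agree on a legitimate value
    the old envelope never reached. Both channels 'detect' a sensor fault and
    shut down, so redundancy buys nothing against a shared wrong assumption."""
    samples = [(1200.0, 1210.0), (40000.0, 40050.0), (41000.0, 41020.0)]
    return fly(samples, [Channel("SRI-A"), Channel("SRI-B")])


def envelope_fits_conversion(envelope: Tuple[float, float]) -> bool:
    """The integration-time check the post says was never done: does the new
    flight profile's worst case satisfy the conversion's precondition?
    Truncation is monotonic, so checking both ends of the envelope suffices."""
    lo, hi = envelope
    try:
        to_int16(lo)
        to_int16(hi)
    except OperandError:
        return False
    return True


if __name__ == "__main__":
    print("Ariane 4 profile, one bad sensor:", ariane4_profile_with_sensor_fault())
    print("Ariane 5 profile, same software:", ariane5_profile_same_software())
    for name, env in (("Ariane 4", ARIANE4_ENVELOPE), ("Ariane 5", ARIANE5_ENVELOPE)):
        print(f"{name} envelope fits int16 conversion: {envelope_fits_conversion(env)}")
```

The point of `envelope_fits_conversion` is that it is a check on the assumption, not on the code: `to_int16` and the FDA policy are unchanged and correct in both runs, and only the precondition relating the flight profile to the 16-bit range changes between vehicles. Making that precondition an explicit, machine-checked contract at the reuse boundary is what the SPARK-style approach in the quoted reply would have forced someone to state and test.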
Thread overview: 29+ messages
[not found] <ee2a195b.0203260725.a02dbfe@posting.google.com>
2002-03-29 18:56 ` Ariane Failure Richard Riehle
2002-03-29 20:56 ` Michael Feathers
2002-03-30 1:02 ` Bill
2002-03-30 3:20 ` Keith Ray
2002-03-30 12:12 ` John Roth
2002-03-30 13:36 ` Michael Feathers
2002-04-01 15:22 ` Marin David Condic
[not found] ` <a8oo51$tsk$2@slb2.atl.mindspring.net>
2002-04-08 13:59 ` Marin David Condic
2002-04-09 12:49 ` John Roth
2002-04-09 14:58 ` Steve O'Neill
2002-04-09 15:04 ` Steve O'Neill
2002-04-09 23:00 ` John Roth
2002-04-10 12:52 ` Steve O'Neill
2002-04-10 12:59 ` Marin David Condic
2002-04-11 0:48 ` Steve O'Neill
2002-04-11 13:17 ` Marin David Condic
2002-04-11 13:47 ` Ted Dennison
2002-04-11 14:15 ` Marin David Condic
2002-04-11 12:12 ` fdebruin
2002-04-11 14:33 ` Larry Kilgallen
2002-04-11 18:16 ` Ted Dennison
2002-04-11 18:30 ` Marin David Condic
2002-04-09 19:07 ` Bill
2002-04-09 19:44 ` Marin David Condic
2002-04-01 15:08 ` Marin David Condic [this message]
2002-04-02 18:32 ` Wes Groleau
2002-04-02 18:42 ` Marin David Condic
1996-06-28 0:00 Robert B. Love
1996-07-01 0:00 ` Ken Garlington