From: Alexander Anderson
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/04/01
References: <858728022snz@transcontech.co.uk>
Organization: ALMA Services
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada,comp.lang.java.tech

In article <333FD855.2781E494@digicomp.com>, Jan Galkowski writes

>I heartily agree with you and have left a job because of management's
>willingness to ship such code over the objections of some technical
>people. Worse, I can entirely understand how Ariane 5 happened if only
>because in the rush to get paid, contractors sometimes rush and shortcut
>systems acceptance tests, justifying their actions with rationales that are
>little more than handwaving and the equivalent of "Well, it worked on Ariane
>4...."
>
>But the problem is, unfortunately, many people who need to make a choice
>between taking a strong stand in favor of correctness and possibly putting
>their jobs on the line and just keeping quiet, doing what they are told, will
>opt for the latter. This makes the job of the relative few who do want
>code to be right very much more difficult: Management says "How come
>you're the only one objecting...."
>
>I don't mean to imply what you say isn't valid: It is. It's just the
>world of aerospace and military contracting is more complicated than that.

On hearing sense like the above, I've found myself going over the Report
again, listening to my guts, as it were.

There are a number of points skirted around in the Inquiry Board's Ariane 5
Failure Report that are telling:

(from 2.2 COMMENTS ON THE FAILURE SCENARIO)

   The reason for the three remaining variables, including the one
   denoting horizontal bias, being unprotected was that further reasoning
   indicated that they were either physically limited or that there was a
   large margin of safety, a reasoning which in the case of the variable
   BH turned out to be faulty. It is important to note that the decision
   to protect certain variables but not others was TAKEN JOINTLY BY
   PROJECT PARTNERS AT SEVERAL CONTRACTUAL LEVELS.

-- I'm sure there's a huge story lying beneath the surface of this last
legalese phrase --

(from the FINDINGS)

   n) During design of the software of the inertial reference system used
   for Ariane 4 and Ariane 5, A DECISION WAS TAKEN that it was not
   necessary to protect the inertial system computer from being made
   inoperative by an excessive value of the variable related to the
   horizontal velocity, a protection which was provided for several other
   variables of the alignment software. When taking this design decision,
   it was not analysed or fully understood which values this particular
   variable might assume when the alignment software was allowed to
   operate after lift-off.

   p) Ariane 5 has a high initial acceleration and a trajectory which
   leads to a build-up of horizontal velocity which is FIVE TIMES MORE
   RAPID than for Ariane 4. The higher horizontal velocity of Ariane 5
   generated, within the 40-second timeframe, the excessive value which
   caused the inertial system computers to cease operation.

-- clearly, SOMEONE knew that there could just be problems (theoretically)
not far beyond the envelope, even on Ariane 4 then. What was the nature
of this variable, that could overflow if speeds (or accelerations?) were
only 5 times greater? --

   s) It would have been technically feasible to include almost the entire
   inertial reference system in the overall system simulations which were
   performed. FOR A NUMBER OF REASONS it was decided to use the simulated
   output of the inertial reference system, not the system itself or its
   detailed simulation. Had the system been included, the failure could
   have been detected.

(from the RECOMMENDATIONS)

   R9 Include external (to the project) participants when reviewing
   specifications, code and justification documents. Make sure that these
   reviews CONSIDER THE SUBSTANCE OF ARGUMENTS, rather than check that
   verifications have been made.

These phrases, "A DECISION WAS TAKEN", "FOR A NUMBER OF REASONS", and to
make sure reviews "CONSIDER THE SUBSTANCE OF ARGUMENTS", suggest, to me, a
picture of a deeper malaise running through the history of the project
organisation. In other words, if you got people in private, you'd hear
individual professional worries over morale, over how things were being
handled, and they'd insist you kept them anonymous.

The last excerpt, R9, from the recommendations, is, to my mind,
particularly telling.

Sandy

/*
-- // Alexander Anderson // Home Fone +44 (0) 171-794-4543
// London, UK http://www.almide.demon.co.uk/
*/
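Added illustration, not part of Sandy's post and not code from the Inquiry Board report or the Ariane software: the "protection" the report says was given to some alignment variables but not to the horizontal bias BH is shown here in Design-by-Contract terms as a precondition-checked narrowing conversion in C. The functions `checked_to_int16`, `conversion_status`, `horizontal_bias_at` and `first_failure_second` are hypothetical names, and the linear growth model with its base rate of 800 units per second is a constructed figure chosen only so that the report's "five times more rapid" build-up and 40-second window become visible in the output.

```c
/* Added illustration (not from the post or the Inquiry Board report):
 * a Design-by-Contract style guard on a narrowing conversion.  The
 * growth model, base rate and units below are constructed, hypothetical
 * numbers chosen only to make the five-times-faster comparison visible. */
#include <stdint.h>
#include <float.h>
#include <stdio.h>

enum conv_status { CONV_OK = 0, CONV_OUT_OF_RANGE = 1, CONV_NOT_FINITE = 2 };

/* Precondition-checked conversion from a 64-bit float to a 16-bit signed
 * integer.  Out-of-range input is a contract violation reported to the
 * caller, never silently truncated (in C that cast would be undefined). */
enum conv_status checked_to_int16(double value, int16_t *out)
{
    if (value != value || value > DBL_MAX || value < -DBL_MAX)
        return CONV_NOT_FINITE;                 /* NaN or +/- infinity */
    if (value < (double)INT16_MIN || value > (double)INT16_MAX)
        return CONV_OUT_OF_RANGE;               /* would overflow int16_t */
    *out = (int16_t)value;                      /* now provably in range */
    return CONV_OK;
}

/* Status only, for callers that just want to know whether the contract holds. */
int conversion_status(double value)
{
    int16_t unused;
    return (int)checked_to_int16(value, &unused);
}

/* Constructed model: a horizontal-velocity-like quantity growing linearly
 * with time.  rate_scale 1.0 is the baseline vehicle; 5.0 is a vehicle whose
 * build-up is five times more rapid, as the report says of Ariane 5. */
double horizontal_bias_at(double seconds, double rate_scale)
{
    const double base_rate = 800.0;  /* hypothetical units per second */
    return base_rate * rate_scale * seconds;
}

/* First whole second within `horizon` at which the guarded conversion
 * rejects the value, or -1 if the contract holds for the whole window. */
int first_failure_second(double rate_scale, int horizon)
{
    for (int t = 0; t <= horizon; t++) {
        int16_t converted;
        if (checked_to_int16(horizontal_bias_at((double)t, rate_scale),
                             &converted) != CONV_OK)
            return t;
    }
    return -1;
}

int main(void)
{
    /* The 40-second window is the timeframe quoted in the report. */
    printf("baseline  (x1): first failure at second %d\n",
           first_failure_second(1.0, 40));
    printf("five-fold (x5): first failure at second %d\n",
           first_failure_second(5.0, 40));
    return 0;
}
```

With the constructed rate, the baseline vehicle stays inside the 16-bit range for the whole 40-second window while the five-fold vehicle is rejected by the guard at second 9; the point of the guard is that rejection is a reported contract violation the caller can handle, rather than an unchecked conversion that halts the computer.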