Re: Ariane 5 failure

[mheaney@ni.net (Matthew Heaney)]

In article <96100111162774@psavax.pwfl.com>, "Marin David Condic,
407.796.8997, M/S 731-93" <condicma@PWFL.COM> wrote:

    It's not a case of saving a few CPU cycles so you can run Space
>    Invaders in the background. Quite often (and in particular in
>    *space* systems which are limited to rather antiquated
>    processors) the decision is to a) remove the runtime checks from
>    the compiled image and run with the possible risk of undetected
>    constraint errors, etc. or b) give up and go home because there's
>    no way you are going to squeeze the necessary logic into the box
>    you've got with all the checks turned on.
>
>    It's not as if we take these decisions lightly and are just being
>    stingy with CPU cycles so we can save them up for our old age. We
>    remove the checks typically because there's no other choice.

Funny you mention that, because I would have said take option b.  My
attitude is that there is a state of the art today, and it's not cost
effective to try to push too far beyond that.

I'm not unsympathetic to your situation, as my own background is in
real-time (ground-based) systems.  But when you try to push the technology
envelope beyond what is (easily) available today, the cost of your system
and the risk of failure shoots up.

To do what you wanted to do with your existing hardware meant you had to
turn off checks.  Fair enough.  But that decision very much increased your
risk that something bad would happen from which you wouldn't be able to
recover.

I heard those satellites cost $500 million dollars.  Was turning off those
checks really worth the risk of losing that much money?  To me you were
just gambling.

I would have said that, no, the risk is too great.  Scale back the
requirements and let's do something less ambitious.  If you really want to
do that, wait 18 months and Dr. Moore will give you hardware that's twice
as fast.  But if you want to do it today, and you have turn the checks off,
well then, you're just rolling the dice.

The state of software art today is such that we can't deploy a provably
correct system, and we have resort to run-time checks to catch logical
flaws.  I accept this "limitation," and I accept that there are certain
kinds of systems we can't do today (because to do them would require
turning off checks).

Buyers of mission-critical software should think very carefully before they
commit any financial resources to implementing a software system that
requires checks be turned off.  I'd say take your money instead to Las
Vegas: your odds for success are better there.

--------------------------------------------------------------------
Matthew Heaney
Software Development Consultant
mheaney@ni.net
(818) 985-1271