From: mheaney@ni.net (Matthew Heaney)
Subject: Re: Ariane 5 failure
Date: 1996/10/02
References: <96100111162774@psavax.pwfl.com>
Organization: Estormza Software
Newsgroups: comp.lang.ada

In article <96100111162774@psavax.pwfl.com>, "Marin David Condic, 407.796.8997, M/S 731-93" wrote:

> It's not a case of saving a few CPU cycles so you can run Space
> Invaders in the background. Quite often (and in particular in
> *space* systems which are limited to rather antiquated
> processors) the decision is to a) remove the runtime checks from
> the compiled image and run with the possible risk of undetected
> constraint errors, etc. or b) give up and go home because there's
> no way you are going to squeeze the necessary logic into the box
> you've got with all the checks turned on.
>
> It's not as if we take these decisions lightly and are just being
> stingy with CPU cycles so we can save them up for our old age. We
> remove the checks typically because there's no other choice.

Funny you mention that, because I would have said take option b.

My attitude is that there is a state of the art today, and it's not cost effective to try to push too far beyond that. I'm not unsympathetic to your situation, as my own background is in real-time (ground-based) systems. But when you try to push the technology envelope beyond what is (easily) available today, the cost of your system and the risk of failure shoot up.

To do what you wanted to do with your existing hardware meant you had to turn off checks. Fair enough. But that decision very much increased your risk that something bad would happen from which you wouldn't be able to recover. I heard those satellites cost $500 million dollars. Was turning off those checks really worth the risk of losing that much money? To me you were just gambling.

I would have said that, no, the risk is too great. Scale back the requirements and let's do something less ambitious. If you really want to do that, wait 18 months and Dr. Moore will give you hardware that's twice as fast. But if you want to do it today, and you have to turn the checks off, well then, you're just rolling the dice.

The state of software art today is such that we can't deploy a provably correct system, and we have to resort to run-time checks to catch logical flaws. I accept this "limitation," and I accept that there are certain kinds of systems we can't do today (because to do them would require turning off checks).

Buyers of mission-critical software should think very carefully before they commit any financial resources to implementing a software system that requires checks be turned off. I'd say take your money instead to Las Vegas: your odds for success are better there.

--------------------------------------------------------------------
Matthew Heaney
Software Development Consultant
mheaney@ni.net
(818) 985-1271