| From | Tom Anderson <twic@urchin.earth.li> |
|---|---|
| Newsgroups | comp.lang.java.programmer |
| Subject | Re: Space probes was Re: in praise of type checking |
| Date | 2011-10-14 14:14 +0100 |
| Organization | Stack Usenet News Service |
| Message-ID | <alpine.DEB.2.00.1110141352280.15658@urchin.earth.li> |
| References | (1 earlier) <VmAjq.1736$kJ5.902@newsfe03.iad> <c7lu87lm24pmga3rul1am7s0oju6n26p75@4ax.com> <kftu87hmff3ubjti9t8eims2idhqn58l9o@4ax.com> <alpine.DEB.2.00.1110111908130.2814@urchin.earth.li> <7sudncbWtOTsrQjTnZ2dnUVZ876dnZ2d@telenor.com> |
On Wed, 12 Oct 2011, Leif Roar Moldskred wrote:

> Tom Anderson <twic@urchin.earth.li> wrote:
>
>> - Ariane 5 and exception handling, data typing, scope creep, and unit testing
>
> The Ariane 5 incident doesn't tell us anything about exception handling,
> data typing, scope creep or unit testing. Neither of those were the
> culprit. It _does_ tell us a few things about requirements /
> specification (mis-)management.

It tells us about all those things, which is why I mentioned them. And more - I should also have mentioned process management.

The fundamental failure was about requirements, absolutely. That's what I referred to as scope creep - the scope of the inertial navigation system was originally defined as being Ariane 4, but crept to include Ariane 5, without this being properly addressed. But that was not the only failure. There were several points at which something could have been done differently which would have saved the rocket. Off the top of my head:

1. The module that failed was a pre-launch calibration daemon in the inertial navigation system; it had no use at all after launch. If it had been shut down at launch, the failure would not have occurred.

2. IIRC, the pre-launch procedure had changed such that the daemon was not needed anyway. If it had been removed, the failure would not have occurred.

3. The failure involved a cast from (in Java terms) a double (used to capture an instrument reading) to a short (used for calculations) which overflowed. If doubles had been used for calculation, the failure would not have occurred.

4. The cast was not protected by a suitable exception handler. If it had been (although I'm not sure what the handler would actually do), the failure would not have occurred.

5. The inertial navigation system's top-level exception handling handled a crash by writing diagnostic information to the same data bus used for output, without any metadata indicating that it was diagnostics rather than data; the guidance computer interpreted it as data, and went wild. If the diagnostic information had been written elsewhere, or had been marked and subsequently recognised by the guidance computer as being such rather than data, the failure would not have occurred.

6. The combination of a real inertial navigation system and a real guidance computer was never tested with real sensor inputs. The guidance computer was tested with a mock inertial navigation system, which did not accurately reproduce the real system's faulty behaviour. It was a unit test rather than an integration test. If the test had been an integration test, the fault would have been detected long before launch, and the failure would not have occurred.

Yes, you can identify a root cause, in the form of a mistake in the requirements process. But you can also identify a series of other mistakes which enabled that mistake to cause the failure. To pay attention only to the root cause and discard the other mistakes is foolish.

tom

-- 
Re-enacting the future
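The following is an added illustration of points 3, 4 and 5 of the post above; it is not code from the post, from Tom Anderson, or from any Ariane flight software, and every class, method and constant name in it is invented for the example. It shows, in Java, what a bare double-to-short cast does with an out-of-range reading (Java converts double to int with saturation and then keeps only the low 16 bits, so the result is a plausible-looking wrong number rather than an error), the checked conversion that throws instead, and a tag byte on a shared bus so that a consumer can tell a diagnostic frame from a data frame and drop it rather than interpret it as a reading.

```java
// Added example, not from the original post. All names are hypothetical.
import java.nio.ByteBuffer;

public class NarrowingDemo {

    /** Thrown when a reading does not fit the calculation type. */
    public static final class RangeException extends RuntimeException {
        public RangeException(String msg) { super(msg); }
    }

    /** The unsafe form from point 3: a bare cast. In Java the double is first
     *  converted to int (saturating at Integer.MIN/MAX_VALUE, NaN -> 0) and
     *  then truncated to the low 16 bits, so an out-of-range reading becomes
     *  a silently wrong short instead of a failure. */
    public static short uncheckedNarrow(double reading) {
        return (short) reading;
    }

    /** The checked form for point 4: refuse readings that do not fit, so the
     *  caller's handler sees an exception instead of a corrupted value. */
    public static short checkedNarrow(double reading) {
        if (Double.isNaN(reading)
                || reading < Short.MIN_VALUE || reading > Short.MAX_VALUE) {
            throw new RangeException("reading " + reading + " is outside short range");
        }
        return (short) reading;
    }

    // Frame types on the shared bus; this tag byte is the metadata point 5 lacked.
    public static final byte TYPE_DATA = 0x01;
    public static final byte TYPE_DIAGNOSTIC = 0x02;

    /** Producer side: prefix every frame with a type tag and a payload length. */
    public static byte[] frame(byte type, byte[] payload) {
        ByteBuffer buf = ByteBuffer.allocate(1 + 2 + payload.length);
        buf.put(type).putShort((short) payload.length).put(payload);
        return buf.array();
    }

    /** Consumer side (the "guidance computer"): only TYPE_DATA frames yield a
     *  reading; any other frame is logged and dropped, never parsed as data. */
    public static Short consume(byte[] frame) {
        ByteBuffer buf = ByteBuffer.wrap(frame);
        byte type = buf.get();
        int len = Short.toUnsignedInt(buf.getShort());
        if (type != TYPE_DATA) {
            System.err.println("bus: ignoring non-data frame, type=" + type + " len=" + len);
            return null;
        }
        return buf.getShort();  // the actual 16-bit reading
    }

    public static void main(String[] args) {
        // Constructed sample readings: one in range, two that overflow a short.
        double[] readings = { 1234.5, 40000.0, 3.0e9 };
        for (double r : readings) {
            System.out.println(r + " unchecked -> " + uncheckedNarrow(r));
            try {
                System.out.println(r + " checked   -> " + checkedNarrow(r));
            } catch (RangeException e) {
                // Point 4: whatever else a handler does, it must at least stop
                // the bad value from propagating; here it only reports it.
                System.out.println(r + " checked   -> rejected: " + e.getMessage());
            }
        }

        // Point 5: a data frame and a diagnostic frame on the same bus.
        byte[] data = frame(TYPE_DATA, ByteBuffer.allocate(2).putShort((short) 1234).array());
        byte[] diag = frame(TYPE_DIAGNOSTIC, "calibration overflow".getBytes());
        System.out.println("data frame -> " + consume(data));
        System.out.println("diag frame -> " + consume(diag));
    }
}
```

The two halves are deliberately independent: the checked cast stops a bad reading at the producer, and the frame tag stops the consumer trusting whatever arrives on the bus even when the producer has already failed. Either one alone would have broken the chain the post describes; having both is defence in depth.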
in praise of type checking Roedy Green <see_website@mindprod.com.invalid> - 2011-10-05 23:33 -0700
Re: in praise of type checking Lew <lewbloch@gmail.com> - 2011-10-06 06:43 -0700
Re: in praise of type checking Daniel Pitts <newsgroup.nospam@virtualinfinity.net> - 2011-10-06 09:52 -0700
Re: in praise of type checking Roedy Green <see_website@mindprod.com.invalid> - 2011-10-07 12:43 -0700
Re: in praise of type checking Gene Wirchenko <genew@ocis.net> - 2011-10-07 14:57 -0700
Re: in praise of type checking Eric Sosman <esosman@ieee-dot-org.invalid> - 2011-10-07 20:18 -0400
Re: in praise of type checking Robert Klemme <shortcutter@googlemail.com> - 2011-10-06 22:31 +0200
Re: in praise of type checking Roedy Green <see_website@mindprod.com.invalid> - 2011-10-07 12:36 -0700
Re: in praise of type checking Robert Klemme <shortcutter@googlemail.com> - 2011-10-08 16:05 +0200
Re: in praise of type checking Lew <lewbloch@gmail.com> - 2011-10-08 09:35 -0700
Re: in praise of type checking Robert Klemme <shortcutter@googlemail.com> - 2011-10-11 07:48 +0200
Re: in praise of type checking Gene Wirchenko <genew@ocis.net> - 2011-10-11 13:04 -0700
Re: in praise of type checking Arved Sandstrom <asandstrom3minus1@eastlink.ca> - 2011-10-11 17:52 -0300
Re: in praise of type checking Patricia Shanahan <pats@acm.org> - 2011-10-12 01:49 +0100
Re: in praise of type checking Gene Wirchenko <genew@ocis.net> - 2011-10-11 19:12 -0700
Re: in praise of type checking Lew <lewbloch@gmail.com> - 2011-10-11 19:10 -0700
Re: in praise of type checking Eric Sosman <esosman@ieee-dot-org.invalid> - 2011-10-06 20:29 -0400
Re: in praise of type checking Robert Klemme <shortcutter@googlemail.com> - 2011-10-06 23:56 -0700
Re: in praise of type checking Gunter Herrmann <notformail0106@earthlink.net> - 2011-10-07 13:57 -0400
Re: in praise of type checking Arved Sandstrom <asandstrom3minus1@eastlink.ca> - 2011-10-07 07:19 -0300
Re: in praise of type checking Roedy Green <see_website@mindprod.com.invalid> - 2011-10-07 12:39 -0700
Re: in praise of type checking Gene Wirchenko <genew@ocis.net> - 2011-10-07 15:03 -0700
Space probes was Re: in praise of type checking Tom Anderson <twic@urchin.earth.li> - 2011-10-11 19:26 +0100
Re: Space probes was Re: in praise of type checking Leif Roar Moldskred <leifm@dimnakorr.com> - 2011-10-12 01:15 -0500
Re: Space probes was Re: in praise of type checking Travers Naran <tnaran@gmail.com> - 2011-10-12 07:23 -0700
Re: Space probes was Re: in praise of type checking Martin Gregorie <martin@address-in-sig.invalid> - 2011-10-12 20:04 +0000
Re: Space probes was Re: in praise of type checking Gene Wirchenko <genew@ocis.net> - 2011-10-12 13:53 -0700
Re: Space probes was Re: in praise of type checking Leif Roar Moldskred <leifm@dimnakorr.com> - 2011-10-12 16:55 -0500
Re: Space probes was Re: in praise of type checking Gene Wirchenko <genew@ocis.net> - 2011-10-12 15:02 -0700
Re: Space probes was Re: in praise of type checking Leif Roar Moldskred <leifm@dimnakorr.com> - 2011-10-13 00:08 -0500
Re: Space probes was Re: in praise of type checking Arved Sandstrom <asandstrom3minus1@eastlink.ca> - 2011-10-13 07:48 -0300
Re: Space probes was Re: in praise of type checking "John B. Matthews" <nospam@nospam.invalid> - 2011-10-14 07:09 -0400
Re: Space probes was Re: in praise of type checking Martin Gregorie <martin@address-in-sig.invalid> - 2011-10-12 22:03 +0000
Re: Space probes was Re: in praise of type checking Tom Anderson <twic@urchin.earth.li> - 2011-10-14 14:14 +0100
Re: in praise of type checking RedGrittyBrick <RedGrittyBrick@spamweary.invalid> - 2011-10-07 11:50 +0100
Re: in praise of [loosey goosey] type checking) RedGrittyBrick <RedGrittyBrick@spamweary.invalid> - 2011-10-07 12:20 +0100
Re: in praise of type checking Andreas Leitgeb <avl@gamma.logic.tuwien.ac.at> - 2011-10-07 14:00 +0000