> Date: Sat, 28 Feb 2004 21:11:53 +0000
> From: Clive Page <[log in to unmask]>
> On Sat, 28 Feb 2004, Peter Shenkin wrote [of the Ariane 501 failure]:
>
> > Of course, that never would have happened had they written it
> > in Fortran. :-)
>
> Well actually that's true in this case:
Not really. The overflowed integer may have appeared as
having a changed sign (with a nonsensical numerical value)
or a small positive value of the same sign.
In either case, the magnitude would have been nonsensical.
Without a specific action to deal with that, the mission
was very likely still doomed.
Recall that the conversion was from a 64-bit FPN to 16 bits.
It was fanciful to expect that a variable having the potential
to store a large value would not need checking on conversion
to storage one-third the size.
> the conversion of an over-range
> floating point number to integer*2 would, on most Fortran run-time
> systems, not have caused an exception. It was the exception which, having
> no handler, forced each attitude controller to shut down and hand over to
> the other.
No. That was the theory.
In fact, the backup computer shut down first.
When the main computer encountered the same problem
a few microseconds later,
it also shut down. But in this case, the backup had
already shut down, so there was no system to take over.
> When they both failed, the rocket went off course.
They didn't go off course because they both failed per se.
When the computers shut down, the failure identification
was placed on the data bus.
This failure identification was then used as attitude data
by other computer(s), which caused a sudden and violent
change of direction. The rocket then destroyed itself.
It was absolutely vital that no software exception be
generated.
> No
> exception: no handover, it would have functioned as required.
Not likely. Had no exception occurred, the value in question
would have been way off its expected value -- either appearing
as a value having a changed sign and a nonsensical value,
or a small value (again nonsensical) having the same sign.
> Not that I'm advocating using Fortran to control rockets, you understand,
> but in some cases simplicity is better than complexity.
The mission required a programming language having capabilities
to handle real-time programming (exception handling) and the means
for testing the exception handling.
It also required programmers skilled in real-time programming.
> --
> Clive Page,
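The narrowing discussed above, as an added illustration that is not code from the thread or from the Ariane software: a 64-bit floating-point value converted to a 16-bit signed integer three ways. `narrow_checked` refuses out-of-range input, `narrow_wrapped` models what an unchecked, non-trapping run-time would leave in the 16-bit slot (the low 16 bits of the integer part, read as two's complement), and `narrow_saturated` is one example of the "specific action" a designer might choose instead. C is used rather than Fortran or Ada; the sample inputs are constructed, and the wrap model assumes |x| < 2^63.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration (not code from the thread): three ways a 64-bit
 * floating-point value can be narrowed to a 16-bit signed integer. */

/* Outcome of a checked narrowing: the caller must look at `overflow`. */
typedef struct {
    int16_t value;
    bool    overflow;
} narrow16_t;

/* Checked conversion. Truncation toward zero yields a value in
 * [-32768, 32767] exactly when -32769 < x < 32768; anything else
 * (including NaN, which fails x == x) is flagged instead of converted. */
narrow16_t narrow_checked(double x)
{
    narrow16_t r = { 0, false };
    if (!(x == x) || x >= 32768.0 || x <= -32769.0) {
        r.overflow = true;
        return r;
    }
    r.value = (int16_t)x;   /* now known to be in range */
    return r;
}

/* Model of an unchecked conversion on a run-time that neither traps nor
 * checks: keep the low 16 bits of the integer part and read them as two's
 * complement. Done with plain arithmetic so the model itself has no
 * undefined behaviour. Assumes |x| < 2^63 (assumption for this example). */
int16_t narrow_wrapped(double x)
{
    int64_t whole = (int64_t)x;          /* integer part, truncated toward zero */
    int64_t low = whole % 65536;         /* C99: result takes the sign of `whole` */
    if (low < 0)
        low += 65536;                    /* 0 .. 65535 */
    if (low >= 32768)
        low -= 65536;                    /* reinterpret as -32768 .. 32767 */
    return (int16_t)low;
}

/* One possible "specific action": clamp to the representable range so the
 * result is at least on the correct side of zero, at the correct extreme. */
int16_t narrow_saturated(double x)
{
    if (!(x == x))          /* NaN: no sensible clamp; return 0 and let the */
        return 0;           /* caller detect it via narrow_checked() */
    if (x >= 32767.0)
        return INT16_MAX;
    if (x <= -32768.0)
        return INT16_MIN;
    return (int16_t)x;
}

int main(void)
{
    /* Constructed sample inputs: one in range, two above, two below. */
    const double samples[] = { 1234.7, 40000.0, 70000.0, -40000.0, -70000.0 };
    printf("%12s %8s %8s %8s\n", "input", "checked", "wrapped", "clamped");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        narrow16_t c = narrow_checked(samples[i]);
        printf("%12.1f ", samples[i]);
        if (c.overflow)
            printf("%8s ", "OVERFLOW");
        else
            printf("%8d ", c.value);
        printf("%8d %8d\n", narrow_wrapped(samples[i]), narrow_saturated(samples[i]));
    }
    return 0;
}
```

Running it shows both failure shapes mentioned in the message: 40000 wraps to -25536 and -40000 to 25536 (sign flipped), while 70000 wraps to 4464 and -70000 to -4464 (small value, same sign). None of the three functions raises an exception; the point is that silence is only useful if the caller actually inspects the overflow flag or has decided that clamping is acceptable for that quantity.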