Ganssle 1 MAPLD 2005/S110
Learning from Disaster
Jack Ganssle
The Tacoma Narrows Bridge
The Tacoma Narrows Bridge, 4 months after opening, Nov 7, 1940
Forgotten Failures
Montrose Bridge, Scotland, 1838
Menai Strait Bridge, Wales, 1839
Basse-Chaine Bridge, 1850
Roche-Bernard Bridge, France, 1852
Wheeling Suspension Bridge, 1854
Dryburgh Abbey Bridge, Scotland, 1818
Niagara-Lewiston Bridge, 1864
Niagara-Clifton Bridge, 1889
Bronx-Whitestone, 1939
Deer Isle Bridge, 1939
Costs
             George Washington   Golden Gate   Bronx-Whitestone   Tacoma Narrows
Completed    1935                1937          1939               1940
Span         3500 ft             4200 ft       2300 ft            2800 ft
Cost         $59.5m              $35m          $19.7m             $6.4m
Lessons
• Cheaper is often more expensive
• Management decisions do not repeal the laws of physics
• Not learning from the past means repeating the past – endlessly
• Codes are a powerful way to ensure projects are done correctly
Clementine
Lessons learned:
• Schedules can’t rule
• Tired people make mistakes
• Error handlers save systems
• Never sacrifice testing
NEAR
Lessons Learned:
• Tired people make mistakes
• Use the VCS
• Test everything!
• Engineers rock!
• We must learn from disaster
Mars Polar Lander/Deep Space 2
Lessons learned:
• Tired people make mistakes
• Test everything!
• Test like you fly; fly what you test
Pathfinder
Lessons learned:
• There’s no such thing as a glitch – believe your tests!
• Error handlers save systems
Mars Exploration Rover
Lessons learned:
• Test like you fly; fly what you test
• We must learn from disaster
• Poor error handler
Titan IVb Centaur
Lessons Learned:
• Test like you fly; fly what you test
• Use the VCS
Ariane 5
Lessons Learned:
• Improve error handling
• Assume software can fail
• Test everything!
• Be careful with ported code
Chinook
Lessons Learned:
• Do reviews… before shipping!
• Test like you fly; fly what you test
Therac 25
Lessons Learned:
• Use tested components
• Use accepted practices
• Use peer reviews
Radiation Deaths in Panama
• May ‘01: Over 20 dead patients
• Possible to enter data in such a way as to confuse the machine; the unit prints a safe treatment plan but overexposes.
Lessons Learned:
• Test carefully
• Better requirements
• Use a defined process & peer reviews
Pacemakers
Lessons Learned:
• Test everything!
• Flash is not a schedule enhancer
Near Meltdown
Lessons Learned:
• Test everything!
• Improve error handling
Uwatec dive computer (1995)
The Challenger
Lessons Learned:
• Be careful with ported code
• Blame the engineers
A Hot Day
Lessons Learned:
• Test everything!
Lessons Learned:
• Choose your IP carefully
Forgotten Failures
2000 – Ford Explorer recall
2004 – Grand Prix leap-year glitch
1992 – Crash of only F-22 prototype
2003 – BMW traps Thai politician
2003 – BMW recalls 15000 745is
747, 767, A340 avionics lockups
2003 – Slammer worm attacks nuke
1974 – Loss of a job for 7 years
1991 – Patriot missile failure
Our Criminal Behavior
No Peer Reviews
Implicated in the Chinook helicopter, Multidata Radiotherapy device, Therac 25.
Average uninspected code contains 50-100 bugs per 1000 LOC. Inspections find most of these. Cheaply.
Our Criminal Behavior
Inadequate testing
Implicated in the Clementine, NEAR, Mars Polar Lander, Pathfinder, Mars Expedition Rover, Titan IVb, Ariane, Sea Launch, Chinook, Therac 25, Multidata, pacemakers, Los Alamos incident, huge digital thermometer.
Ignoring or cheating the VCS
Implicated in the NEAR, Pathfinder, Titan IVb, EFF, and FAA incidents.
Our Criminal Behavior
Lousy error handlers
Implicated in the Ariane, Los Alamos incident, Clementine, Yorktown, Mars Expedition Rover, and many others
This means adopting a culture of anticipating and planning for failures!
And for FPGA users it means adopting a philosophy that things do fail!
Our Criminal Behavior
The use of dangerous tools!
• C (worst) 500 bugs/KLOC
• C (average) 167-26
• ADA (worst) 50
• ADA (average) 25
• SPARK (average) 4
The Boss’s Criminal Behavior
Schedules can’t rule:
[Chart accompanying “Schedules can’t rule”; only axis ticks survived extraction, labels not recoverable]
Corollary: Tired people make mistakes
Implicated in the Clementine, NEAR, Mars Polar Lander and many others
The Boss’s Criminal Behavior
Be wary of financial shortcuts!
Implicated in the Tacoma Narrows Bridge, Ariane, MGM fire, and many others
Reuse is not a panacea
Implicated in the Ariane, Uwatec and many others.
Reuse is extremely difficult. See “Confessions of a Used Program Salesman” by Will Tracz
Are we criminals?
Or are we still in the dark ages?
But there’s a lot we do know, so we’re negligent – and will be culpable – if we don’t consistently use best practices.