Slashdot Mirror

← Back to Stories (view on slashdot.org)

Software Error Caused Soyuz/Galileo Failure

Posted by samzenpus on from the put-that-anywhere dept.

schwit1 writes An investigation into the recent failed Soyuz launch of the EU's Galileo satellites has found that the Russian Fregat upper stage fired correctly, but its software was programmed for the wrong orbit. From the article: "The failure of the European Union’s Galileo satellites to reach their intended orbital position was likely caused by software errors in the Fregat-MT rocket’s upper-stage, Russian newspaper Izvestia reported Thursday. 'The nonstandard operation of the integrated management system was likely caused by an error in the embedded software. As a result, the upper stage received an incorrect flight assignment, and, operating in full accordance with the embedded software, it has delivered the units to the wrong destination,' an unnamed source from Russian space Agency Roscosmos was quoted as saying by the newspaper."

95 of 157 comments (clear)

  1. Russian Programmer's are Brilliant! by Giant+Electronic+Bra · · Score: 1

    I've been hearing all this about the much vaunted chops of these Russian coders, but frankly I don't ever see it. They obviously haven't even heard of SQA. What gives?

    --
    "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    1. Re:Russian Programmer's are Brilliant! by Anonymous Coward · · Score: 1

      All their big league programmers are hacking banking and credit card systems, doing black hat stuff. Space program stuff is now for the people who couldn't get the good jobs.

    2. Re:Russian Programmer's are Brilliant! by QuietLagoon · · Score: 1

      Do not underestimate the Russian programmers. If you have not seen their "vaunted chops" you are fortunate.

    3. Re:Russian Programmer's are Brilliant! by Anonymous Coward · · Score: 1, Insightful

      I've been hearing all this about the much vaunted chops of these Russian coders, but frankly I don't ever see it.

      I've heard American programmers are brilliant but then Mars probe crashed because it used wrong units (why didn't it warn that parameter was too low?) ... or the "cloud" services crashed due to (leap year, HD error, "unspecified error", etc.. etc..)

      I've heard European programmers are brilliant, but then Ariane explodified itself due to an overflow

      I've heard Japanese programmers are brilliant, but then the Honda thing happened, causing cars to go out of control.

      They obviously haven't even heard of SQA. What gives?

      Easy to blame things in hind sight and be all grand about it. If you haven't yet fucked up, it's because you have yet to achieve anything yourself.

    4. Re:Russian Programmer's are Brilliant! by viperidaenz · · Score: 2

      Ukraine is Russia now

    5. Re:Russian Programmer's are Brilliant! by Anonymous Coward · · Score: 1

      The Beatles reported that the Ukraine girls really knocked them out. Said they left the West behind.

    6. Re:Russian Programmer's are Brilliant! by Charliemopps · · Score: 1

      I've been hearing all this about the much vaunted chops of these Russian coders, but frankly I don't ever see it. They obviously haven't even heard of SQA. What gives?

      You're assuming this wasn't intentional.

    7. Re:Russian Programmer's are Brilliant! by R3d+M3rcury · · Score: 2

      Yeah, but Moscow girls made them sing and shout.

    8. Re:Russian Programmer's are Brilliant! by Smerta · · Score: 1

      I agree with the sentiment about programming skill, but I think Toyota, not Honda, had the more significant unintended acceleration issues (according to CBS News and NHTSA, as many as 89 deaths).

    9. Re:Russian Programmer's are Brilliant! by flyingfsck · · Score: 1

      Bingo! They don't want super accurate NATO cruise missiles coming in.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    10. Re:Russian Programmer's are Brilliant! by K.+S.+Kyosuke · · Score: 1

      Russia: "U kraine now?"

      --
      Ezekiel 23:20
    11. Re:Russian Programmer's are Brilliant! by AftanGustur · · Score: 1

      I've been hearing all this about the much vaunted chops of these Russian coders, but frankly I don't ever see it.

      There is also the possibility that the project was sabotaged by an external actor.

      Maybe it is a coincidence but the one who profits the most from this failure is the same as has been working hard during the last 10 years to get rid of the Galileo program and is also the same nation as is known for being the most technically capable in electronic warfare/hacking.

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    12. Re:Russian Programmer's are Brilliant! by CrimsonAvenger · · Score: 1

      No, but they might be interested in a few more customers for GLONASS....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    13. Re:Russian Programmer's are Brilliant! by paysonwelch · · Score: 1

      You can classify programmers into many categories. Two of them are those that write really complex code that is hard to read and not easy to maintain, and they say they are brilliant because no one else can read it / figure it out (easily that is). They may also make it explicitly convoluted and take extra steps to make it more complicated that it needs to be, unbeknownst to them. Then there are the experienced programmers that write easy to read, modular and maintainable code because they don't want to have headaches down the road and don't mind letting others edit or revise their projects.

    14. Re:Russian Programmer's are Brilliant! by deadweight · · Score: 1

      My Toyota had this issue. The gas pedal would just stay at full throttle. I lurched my way to the dealer to get it fixed and the mechanics had a good laugh at my expense. The floor mat was ripped and catching up in the pedal. 1 new floor mat later and I was on my way. This was in about 1999.

    15. Re: Russian Programmer's are Brilliant! by nedlohs · · Score: 1

      Some cases were due to people pressing the wrong pedals. But some were also due to a the software screwing up - http://www.sddt.com/Commentary...

    16. Re: Russian Programmer's are Brilliant! by ericloewe · · Score: 1

      The software was certainly not the best, but considering that most "unintended acceleration" events happened after a couple of nasty accidents (caused by faulty/incorrect floor mats, not a design flaw in the throttle system), I don't buy it, other than for maybe a freak instance.

      The vast majority was made up of people who either maliciously covered up their mistakes by blaming the car or should not have been driving at all and genuinely believed they had done nothing wrong.

    17. Re:Russian Programmer's are Brilliant! by Mister+Liberty · · Score: 1

      Another satellite state that has fallen into low orbit.

    18. Re: Russian Programmer's are Brilliant! by nedlohs · · Score: 1

      Sure, media buzz meant people blamed their errors on that. However, that doesn't mean there wasn't also a problem. That Toyota lost that particular court case seems a reasonable indication there was in fact a problem.

    19. Re: Russian Programmer's are Brilliant! by kyjellyfish · · Score: 1

      And Georgia's on my my my my my my my my my mind!!

  2. In other news... by msauve · · Score: 5, Funny

    A software error in Russian GLONASS receivers has resulted in thousands of Russian troops innocently crossing the border into Ukraine.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:In other news... by rubycodez · · Score: 5, Funny

      two months ago software error in a 9M317 missile controlled by a BUK missile system rendered it unable to avoid being struck in midair by the careless pilot of Malaysian Airlines Fligh 17MH. Sadly, the missile was a total loss.

    2. Re:In other news... by SuricouRaven · · Score: 1

      The most plausible explanation I've seen so far is that the separatists were supplied with the missiles but, due to the need for Russia to maintain deniability, not an expert in their use - just a crash course in how to fire the things, without full training in target identification. That would explain how they were able to make such an error as mistaking a giant passenger airliner for a small military aircraft.

      It's possible that Ukraine shot it down, they use the same missiles, but their army consists of trained professional soldiers who would be less likely to make such an error. The separatists have some of those now (Russians who just happen to be on leave and came to fight 'voluntarily'), but didn't at the time of the incident.

    3. Re:In other news... by lagomorpha2 · · Score: 1

      It's possible that Ukraine shot it down, they use the same missiles, but their army consists of trained professional soldiers who would be less likely to make such an error.

      ... unless the Ukrainians knew it would end up getting blamed on the Russians/separatists which would (and did) cement European support for sanctions against Russia.

    4. Re:In other news... by Anonymous Coward · · Score: 1

      > It's the fucking Malaysian Airlines fault. Nobody in his right mind fly civilian aircraft into a war zone.

      Nope. The airspace was opened above a certain altitude. This is not Malaysian Airlines fault. And Malaysian airline was definetely not the only airline to go trhough that route, many others were.

      Separatists fired a russian missle at a civilian aircraft. Because they are morons. That's what happened.

    5. Re:In other news... by rubycodez · · Score: 1

      "Legitimate?" Those "separatists" are in violation of the law of their land, they are armed terrorists. Do you think you would be legitimate if you illegally possessed heavy weapons and declared war on Washington DC, and were shooting down civilian aircraft, blowing up vehicles and killing people? Of course not.

  3. Misleading title... once again by x0ra · · Score: 2

    From the linked article (emphasis mine): "Galileo Satellites Incident Likely Result of Software Errors", there is still an uncertainty. Though, I guess I should not be surprised, this is /. afterall....

    1. Re:Misleading title... once again by Megane · · Score: 1

      I wouldn't call it a software error if it was "programmed for the wrong orbit". That sounds more like a human error to me. But to be fair, TFA doesn't state that in such specific words.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  4. Pfffft by Tablizer · · Score: 5, Funny

    It's not like it's rocket science to get it right

    --
    Table-ized A.I.
    1. Re:Pfffft by PPH · · Score: 1

      Its not even rocket surgery.

      --
      Have gnu, will travel.
    2. Re:Pfffft by viperidaenz · · Score: 1

      It's not like it's brain surgery

  5. Given current tensions, ... by theycallmeB · · Score: 4, Interesting

    the strategic value of satellite navigation and general asshole-erly at the top of the Russian government, I am guessing that Europe's very expensive satellites ended up exactly where Russia wants them.

    1. Re:Given current tensions, ... by QuietLagoon · · Score: 1

      bingo.

    2. Re:Given current tensions, ... by Guppy06 · · Score: 4, Interesting

      The Russian GLONASS has its own problems, and the whole point of Galileo is a GNSS that is independent from the US. Do you think the Russians like falling back on US technology? Or do you think they're planning to rely on Beidou?

    3. Re:Given current tensions, ... by SuricouRaven · · Score: 1

      I think they would be very happy if the rest of Europe were utilizing GLONASS, a system they can shut down or manipulate if they need to. There's a reason for the four different sat-nav systems currently under operation or construction: No country wants to be dependent on a system operated by someone else. It follows that they would like other countries to be dependent upon theirs.

    4. Re:Given current tensions, ... by Guppy06 · · Score: 1

      I think they would be very happy if the rest of Europe were utilizing GLONASS, a system they can shut down or manipulate if they need to.

      But they themselves can't get it to work, as was highlighted in the link I posted. So why would a Europe unable to deploy Galileo use GLONASS instead of GPS?

      And it certainly isn't like Europe doesn't have its own space launch capabilities.

      Russia has absolutely nothing to gain and much to lose by trying to fuck with this launch.

    5. Re:Given current tensions, ... by SuricouRaven · · Score: 1

      A joint effort between many nations who, in the event of conflict, will act as one allied block. Probably alongside the US.

  6. Not A SW error! by Anonymous Coward · · Score: 5, Insightful

    This is not a SW error! The software put them right where they were told to. The orbital parameters were wrong! This is a data error not a SW error!

    1. Re:Not A SW error! by mirix · · Score: 1

      Bingo. If someone sets a GPS to go to the wrong location, you don't say the GPS had a embedded software problem.

      More like a failure to double check settings or something.

      --
      Sent from my PDP-11
    2. Re:Not A SW error! by qpqp · · Score: 1

      More like a failure to double check settings or something.

      - "Are you really sure you want to trash those two satellites?"
      <click>
      - "Did you get your boss's approval?"
      <click>

    3. Re:Not A SW error! by Kittenman · · Score: 2

      More like a failure to double check settings or something.

      - "Are you really sure you want to trash those two satellites?" <click> - "Did you get your boss's approval?" <click>

      Or... the Russian version of Clippy,..

      "Hi - it looks like you're trying to trash two satellites. Do you want a hand with that?"

      <click>

      --
      "The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
    4. Re:Not A SW error! by Yoda222 · · Score: 1

      That's not what I understand from the article (my understanding of the article don't exclude your interpretation, but I see it differently) You are right, the control software of the Fregat did exactly what it was told to do (assuming the article is correct) but the input was wrong. But was the input directly done by an human or is it the result of another software (more likely) which had an error? If this is the case, then it's a software error. (this could also be an human input error before this software)

    5. Re:Not A SW error! by jythie · · Score: 1

      I am actually rather impressed that the software managed a stable orbit even with user error. Yet this has turned into who knows how many posts of people complaining about how bad 'programmers' are.

      In a way this reflects how the blame game in development often seems to work. Programmers are faced with shifting requirements, tight deadlines, undersized testing teams, pressure to work hours that result in fatigue and higher error rates, decisions being made by marketers and MBAs who do not understand the consequences of various changes, but blame tends to fall on the programmers for writing buggy software.

    6. Re:Not A SW error! by tomhath · · Score: 1

      The satellites weren't trashed. They are in a perfectly good orbit, just the wrong orbit for their intended use.

    7. Re:Not A SW error! by Rich0 · · Score: 1

      Programmers are faced with shifting requirements, tight deadlines, undersized testing teams, pressure to work hours that result in fatigue and higher error rates, decisions being made by marketers and MBAs who do not understand the consequences of various changes, but blame tends to fall on the programmers for writing buggy software.

      Meh, it seems that more and more the blame is shifting to whoever wrote the requirements or the project manager. But, without fixing all that other stuff, there isn't much they can do either.

      The whole reason Agile was created was to try to deal with some of these pressures, which many consider unavoidable. The problem is that many companies just don't grok it, and insist on a fixed scope in a fixed time at a fixed cost. This approach fits in better with annual planning cycles. If you have a million dollars, a set of objectives, and a year to achieve those objectives it makes sense from the manager's perspective to tell the developers to just deliver that whole set of objectives. The problem is that after a year it turns out the objectives weren't quite right, the situation was more complex than people realized, a million dollars wasn't quite right, and so on.

  7. "Programmers" shouldn't write critical software by Brannon · · Score: 5, Insightful

    There's almost no overlap between the skills & techniques necessary to write & verify critical software (e.g. when lives or huge amounts of money are on the line) vs. what is considered to be "programming". Modern software engineering's approach to reliable system design is about where hardware engineering was fifty years ago, and about where civil engineering was 100 years ago.

    SQA is a joke. Reliable systems are made using way more robust techniques, including: (a) a severely restricted state space, (b) redundancy, (c) formal proofs, (d) fully (and formally) specified interfaces, (e) random simulation, (f) several different types of coverage, (g) physics-based analysis, etc.

    The failure of the software community to understand this distinction is why I'm scared to death about the coming world of driver-less cars and robots performing surgery. How many people are going to be killed by C++ in the next decade?

    1. Re:"Programmers" shouldn't write critical software by ShanghaiBill · · Score: 4, Insightful

      I'm scared to death about the coming world of driver-less cars and robots performing surgery.

      Your fears are not rational. Self driving cars and robotic surgeons are tested for thousands of hours, under live conditions. SDCs are not perfect, but they already have a far better safety record than the average human driver. I had LASIK eye surgery done by a robot. I trusted it far more than I would a human surgeon. Getting rocket software right is difficult precisely because there is no way to do a live test. It has to work perfectly on the very first attempt. Very few other applications have such a severe constraint.

      How many people are going to be killed by C++ in the next decade?

      A lot fewer than would have died without it.

    2. Re:"Programmers" shouldn't write critical software by gl4ss · · Score: 5, Insightful

      it seems to me that in this case the programmers job was done 100% perfect.

      but the program was given wrong place to take the satellites to.

      --
      world was created 5 seconds before this post as it is.
    3. Re:"Programmers" shouldn't write critical software by radtea · · Score: 1

      How many people are going to be killed by C++ in the next decade?

      None. However, a few will be killed by C++ programmers. I say this as someone who has written code to guide surgeons, but my mantra was: "The surgeon is in control", and I have in fact seen surgeons over-ride the guidance information the software gives them.

      Driverless cars are actually less likely than humans to screw up, I think, but it'll take another decade to prove that. Software engineering is still a nascent field, but in another generation or three it will be at a point where we can be somewhat confident in most critical code. Unfortunately, it will still be dependent on hacked-together operating systems and heuristically designed hardware...

      --
      Blasphemy is a human right. Blasphemophobia kills.
    4. Re:"Programmers" shouldn't write critical software by Anonymous Coward · · Score: 1

      Huh, last thing the news said it was programmed for the wrong orbit. Sounds like the software was fine... It did what it was told.

      Programmed for the wrong orbit does not mean bad software programming... So it sounds like the errorthe tfa is taking about was in configuration management, which is definitely lacking nowadays in the world of fast paced social/cloud projects.

    5. Re:"Programmers" shouldn't write critical software by antdude · · Score: 1

      I do SQA testings, and I don't trust computers these days.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    6. Re:"Programmers" shouldn't write critical software by Anonymous Coward · · Score: 1

      You've missed the whole point. The parent is not saying software is 'dangerous', he is saying development techniques we use for software today are not a engineering with required and well understood formal proofs. We don't call out software people 'engineers', they aren't. They are 'developers'. Engineers have a design flow that allows for formal verification, writing software is like writing a novel.

    7. Re:"Programmers" shouldn't write critical software by Type44Q · · Score: 4, Funny

      Your fears are not rational.

      Just because he's paranoid doesn't mean C++ isn't out to get him...

    8. Re:"Programmers" shouldn't write critical software by antdude · · Score: 1

      Yeah, I also don't trust computers but humans make (mistake/error)s too. We need better development and testings. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    9. Re:"Programmers" shouldn't write critical software by Yoda222 · · Score: 1

      From what I understand (but this article is reporting that some press agency report that someone unamed told them something... the result must be very accurate) it's more likely that a software A gives a bad result to the Fregat control software B. I'm not able to determine from the article is the software A is bad or if there was a bad input to software A which result in this. I understand from the article that software A is also embedded, but see my remark in the parenthesis before about how accurate this article must be.

    10. Re:"Programmers" shouldn't write critical software by Anonymous Coward · · Score: 1

      "... where hardware engineering was fifty years ago, and about where civil engineering was 100 years ago ..."

      If your goal was to insult the engineers, you have succeeded.

      For comparing software development with civil engineering, you probably have to select a pre-Roman building.

      And hardware design was always miles ahead from engineering point of view.
      Modern out-of-order processors were created because software was not able to give the same results. So the engineers finally got frustrated enough and solved the problem in hardware.

    11. Re:"Programmers" shouldn't write critical software by DanielRavenNest · · Score: 1

      > Getting rocket software right is difficult precisely because there is no way to do a live test.

      As someone who tested software for the Space Station, there is, but it's very expensive, and seldom done. In addition to the other SQA methods mentioned, we had a simulation & test lab next to the clean room where the actual modules were assembled. We simulated all the inputs to the flight computers as if the rest of the Station was there, and flying, including testing all the possible fault conditions. That meant running hundreds of test sequences for each computer box. Before we got to the flight hardware, the simulations were run with isolated copies of the onboard computers in the lab. As a result, the test group was three times the size of the code group, and I haven't heard of critical failures in the fight software.

    12. Re:"Programmers" shouldn't write critical software by tommeke100 · · Score: 1

      > How many people are going to be killed by C++ in the next decade?

      Depends on how many missile launch systems, drones and other high-tech weaponry was implemented in C++.

    13. Re:"Programmers" shouldn't write critical software by jythie · · Score: 1

      That sounds like a self fulfilling prophecy if I ever heard one. Plenty of universities put out actual software engineers. They go through the same coursework as electrical engineers and are taught formal methods of validation and such. However if your company culture sees software people as 'just developers' and not 'engineers', I would wager that the people who do have the formal training are going to pass your place by. Nobody likes working with people who are not going to consider them 'real', esp when they are sufficiently in demand that they can get good pay elsewhere.

    14. Re:"Programmers" shouldn't write critical software by jythie · · Score: 2

      I am always surprised when I go to interview at a company and their test team is actually smaller then their development one.

    15. Re:"Programmers" shouldn't write critical software by jythie · · Score: 1

      That is something I am not clear on from the piece either. However, the fact it got to a reasonable orbit even with an error (regardless of if it was an initial input or corrupted by an upstream process) is pretty significant. It ended up in the wrong orbit instead of something catastrophic.

    16. Re:"Programmers" shouldn't write critical software by Giant+Electronic+Bra · · Score: 2

      Ah, I just love these sorts of pronouncements.

      When was the last time you heard of a 747 crashing because of a software glitch? My first job was to verify the design and implementation of a major part of the flight software for that aircraft, so I'm kind of an expert on this subject. You have no idea how multi-faceted and sophisticated the verification and SQA processes are on these projects. First of all formal logical methods are used to design and validate all the control algorithms. Then the actual system is designed, with different subsystems being individually broken out and decomposed to the component (software and hardware) level so that a complete description is created, including every single state, all modes of operation, all possible conditions under which the aircraft could operate, etc. Then the various components are designed. During that design process a complete set of failure mode analyses are performed. For every single combination of components in the system it is determined what the individual effects of failure of each one in all possible modes of failure would be, then a fault tolerance matrix is constructed which allows the analysis of all possible combinations of failures and their effects.

      Then I come in. I construct a complete simulation of the actual aircraft electrical and mechanical systems and its flight control system. Now I can literally put each card, box, subsystem, etc into a virtual aircraft and test it to determine that it ACTUALLY performs as predicted under at least the vast majority of these conditions and failure modes. This is all IN PARALLEL with the formal SQA process for the flight software in which each module is tested with all possible inputs, formal static code analysis is performed, etc.

      We didn't HAVE errors. In all the millions of lines of code that was ever under my jurisdiction we never passed a single piece of code that had any error in it that could ever effect the safety of flight of any of the 7+ aircraft that I worked on. I'm not saying everything was always perfect. There were times when we found that flight software had issues, that there were system level issues that weren't discovered in design/test/review, but they were never things that went into a production aircraft and caused a problem that could have resulted in the aircraft being lost or even not flying that day.

      The upshot of all this is I know something about quality of software. Russia's aerospace industry has a very serious issue, this is only like the 4th lost mission in the last couple years that I can count without even trying. They have to be cutting some serious corners and its BAD.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    17. Re:"Programmers" shouldn't write critical software by tibit · · Score: 1

      "Getting rocket software right is difficult precisely because there is no way to do a live test." There is. You do hardware-in-the-loop tests where the inertial and other inputs come from simulators. I have seen testing of a jet engine controller done without an actual jet engine attached to it. There was a beefy server that was simulating the physics of a jet engine, though, and providing sensor readings.

      --
      A successful API design takes a mixture of software design and pedagogy.
    18. Re:"Programmers" shouldn't write critical software by ericloewe · · Score: 1

      And yet another argument turns into a C++ hatefest.

    19. Re:"Programmers" shouldn't write critical software by HornWumpus · · Score: 1

      You'll find that most 'software engineering' degrees are from two year diploma mills.

      The variation on EE is typically ComputerE not software E.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    20. Re:"Programmers" shouldn't write critical software by aaaaaaargh! · · Score: 1

      Classical fallacy. The safety records for human drivers include each and every moron who drives piss drunk or under other drugs or simply cannot drive. Unless you're one of those, they will give you almost no useful information for deciding whether you should consider SDCs safe in comparison to your driving skills. And by adding personal anecdotes you confirm the OPs point even more.

    21. Re:"Programmers" shouldn't write critical software by phantomfive · · Score: 1

      but they already have a far better safety record than the average human driver.

      I want you to realize that the only source we have for this is Google. It's not from a scientific journal, or an independent research team, or an auditor, it is from the same people who want you to eventually buy their product.

      Furthermore, I want you to realize that the Google team is very careful in what information they reveal. All the information they present is shaped in a way that makes them look good, and to increase demand for the car. Now, maybe they've built the perfect driverless car, and it somehow got off the ground running with a near-perfect driver record, but the information they've given us isn't enough to determine that.

      --
      "First they came for the slanderers and i said nothing."
    22. Re:"Programmers" shouldn't write critical software by Giant+Electronic+Bra · · Score: 2

      Well, it sounded pretty clear that the actual flight CONTROL software worked fine and executed a program perfectly, it just wasn't the program that was intended due to SOME sort of issue with another piece of 'management' software. It sounded like that was also in the spacecraft, but its just as likely it was something running at ground control (makes more sense to me, generally you only run the least amount of software onboard that you can, why waste money on CPU and etc that could be cheaper ground stuff?).

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
  8. Testing is not verification. by Brannon · · Score: 3, Insightful

    This is probably something that is well understood by the engineers who are building robot surgeons (and maybe even by those building driverless cars), but it certainly isn't well understood by the overwhelming majority of software engineers and it's just a matter of time until the unwashed hordes of C++ monkeys are unleashed unto critical systems.

    Bridges aren't designed and tested by "trial & error"--if they were then half of them would fall down within a few weeks. Neither are buildings or pacemakers or computer chips.

    There are some scary problems with how [many if not most] software engineers see the world which don't bode well for a world where software can kill:
    (a) by and large they've had essentially no exposure to any method of verification other than "trial & error"
    (b) they have insufficient reverence for cause and effect because most of their bugs have really low cost (as in, nobody dies)--therefore they aren't mentally trained to make disciplined decisions.
    (c) arrogance: unlike every other kind of engineer, software engineers rarely encounter the boundaries of their knowledge. A civil engineer knows when to call a materials engineer, a mechanical engineer knows when to talk to an industrial or chemical engineer, but a software engineer spends their entire lives inside a carefully constructed virtual world where they can't really do that much damage.

    1. Re:Testing is not verification. by ShanghaiBill · · Score: 4, Informative

      it's just a matter of time until the unwashed hordes of C++ monkeys are unleashed unto critical systems.

      No way. The corporate lawyers will never let that happen. Neither will the regulators. It is very hard to certify a SDC for public roads. Reams of test data are required. It is even more difficult to get a medical device approved by the FDA. Therac-25 happened almost 30 years ago, a lot of lessons were learned, and it hasn't happened again.

      Bridges aren't designed and tested by "trial & error" ... Neither are buildings or pacemakers or computer chips.

      I have never designed a bridge or pacemaker, but I have designed computer chips. I sit at a workstation, and I type Verilog code into Emacs. It is the same process as writing software, which is mostly trial and error. I write unit tests, do regression testing, etc. I watch it fail, I fix the bugs, and I iterate. Once I get all the bugs fixed, I load it into an FPGA, and watch it fail with some signal skew that I didn't think of. So I write more tests, and repeat. When it runs flawlessly on the FPGA, I ask a co-worker to test it some more, and review my code. Eventually we go to silicon, where a bug costs a million bucks. Usually everything is fine, but that isn't because it is "different" than doing software. It is basically the same process. It is more reliable because most ICs are far less complicated than even a typical iPhone app. They tend to have lots of the same cells repeat over and over. So an IC with a million gates isn't like a million lines of code. It is more like a few dozen 50 line subroutines, that are called a million times.

    2. Re:Testing is not verification. by readin · · Score: 1

      Most programmers and software engineers have the limitations you mention because consumers don't want to pay for the high quality software we want to build for them. People who go into the field tend to have some OCD-like traits, and making 'perfect' software is what they want to do. But we're not given time so we learn to take short-cuts.

      When software is used in places where it has to work the first time, we'll be more than happy to adapt to the new set of circumstances. There will likely be a few glitches as with any engineering discipline (anyone remember the Tocama Narrows Bridge?), but things will get better when the correctness of the software is important enough to pay for.

      --
      I often don't like the choices people make, but I like the fact that people make choices. That's why I'm a conservative.
    3. Re:Testing is not verification. by Anonymous Coward · · Score: 2, Insightful

      The requirements for functional safety in programming industrial safety critical systems are well known, and are very different from the requirements for programming. Boiler flame safety systems are commonly microprocessor based now, and rarely if ever fail. Here are some links explaining some of the requirements.

      PLC® vs. Safety PLC – Fundamental and Significant Differences
      FM Global Class 7605 Approval Standard for Programmable Logic Controller Based burner Management Systems
      IEC 61508 Functional Safety

      This level of care is mandated by insurance companies and legislation, due to the history of boiler explosions early in the 20th century. Searching "Boiler Explosion", and "Functional Safety" will lead to many references on this subject.

    4. Re:Testing is not verification. by jythie · · Score: 1

      Part of the problem is that, in a way, there is no such thing as a 'software engineer'. There are degrees that call themselves that, and often they are in the right direction, but I would still not put them in the same category as engineering degrees that lead to professional certification.

      Or I guess more accurately, because there is no certification process, because the field is so informal, it is hard to tell from one's title how close they are to CS vs engineering in how they were trained and continue to think. There are plenty of software engineers who fit in quite well with other engineering types including knowing the limits of their domains and collaborating well with others, but they have the same degree name and title as the ones you describe, who really should be called programmers with CS degrees.

    5. Re:Testing is not verification. by jythie · · Score: 1

      It is even more difficult to get a medical device approved by the FDA. Therac-25 happened almost 30 years ago, a lot of lessons were learned, and it hasn't happened again.

      This alone will keep the 'unwashed masses' out of such fields. Working with medical systems (or to a lesser degree, any embedded system that does not pretend to be a mini-desktop for consumers) does not have the lax attitude and instant gratification that most programmers coming out of school have grown to expect out of projects. The work is not as sexy, the tools are less likely to be bleeding edge, and for people hoping to go into something 'cool' such work is a bit of a resume stain. Which I suspect suits the people in the field just fine ^_^

    6. Re:Testing is not verification. by tibit · · Score: 1

      Yet SIL 4 is still hardwired :)

      --
      A successful API design takes a mixture of software design and pedagogy.
    7. Re:Testing is not verification. by Giant+Electronic+Bra · · Score: 1

      Exactly, and for every other industry where you have critical systems that are microprocessor based you have equivalent frameworks. There are 1000's of CPUs in your average rocket or aircraft. Their software is all designed to EXTREMELY tight specifications and under very specific processes and rules. The teams of people who do this work are experienced, stable, very skilled, and have implemented very exacting processes mandated by the FAA or military. The sorts of failures the Russians are having just don't happen these days. Back in the 60's and 70's there were some incidents of bad flight software on spacecraft, but nowadays US systems are almost 100% reliable in that sense.

      --
      "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
    8. Re:Testing is not verification. by deadweight · · Score: 1

      I got "volunteered" to make a medical device because no one else at work was good with the hardware interfaces and it was a HUGE PITA. FDA doesn't like this, they don't like that, test this 500 more times, etc. etc.....

    9. Re:Testing is not verification. by jhol13 · · Score: 1

      When has a layer done anything more than prevented use of public domain code "because it might be a problem"? I have never heard of a "regulator". I should have, if there is one.

      As is bloody obvious, space system software is programmed by the same cowboy coders as web pages. I do not believe medical equipment are done a bit differently.

      Your "once I get all the bugs fixed" was funny, though, thanks!

      Someone in this thread mentioned formal proofs - they are going to increase by two orders of magnitude next few years. That means there will be ~100 programs formally proven (during next few years) in the world.

      Seriously, generated code is "big" in the future - properly done they are much easier to test and verify.

    10. Re:Testing is not verification. by phantomfive · · Score: 1

      Bridges aren't designed and tested by "trial & error"--if they were then half of them would fall down within a few weeks. Neither are buildings or pacemakers or computer chips.

      Should we also assume that rockets are programmed with the same careful methods you (conveniently) omitted?

      Rockets are known to never fail, after all.

      --
      "First they came for the slanderers and i said nothing."
    11. Re:Testing is not verification. by cwsumner · · Score: 1

      ... Bridges aren't designed and tested by "trial & error"--if they were then half of them would fall down within a few weeks. ...

      Bridges were indeed built this way in the 1800's, during the rapid expansion of the US. And many of then did indeed fall down!

  9. How many people... by R3d+M3rcury · · Score: 3, Funny

    How many people are going to be killed by C++ in the next decade?

    4.

    I always find the "how many people will be killed" / "how many people have to die before" statements can be answered with this number.

  10. What's a "Programmer"? by thegarbz · · Score: 1

    What's a "Programmer"? Also precisely who should we get to write critical software? A maths teacher? The after hours cleaner? Maybe some random MBA from middle management? Programmers most definitely SHOULD be the ones writing critical software. It's when it is written by non-programmers or hobby programmers with full time other careers (physicists, engineers, etc) that you end up with some of the most basic mistakes and unexpected behaviour.

    Your big mistake is to assume that all programmers are the same, and that all hardware designers are the same, and that all civil engineers are the same. A civil engineer who's speciality is designing sewers and town water systems is unlikely to be the one you want designing a skyscraper. Just like in my world I have a VERY experienced instrument engineer sitting next to me, but we wouldn't ever let him work on safety shutdown systems.

    QA for software is exactly as much of a joke as people make it. At a small software house, it may be almost non-existent. At a company designing safety shutdown systems it is a whole world of hurt. Unfortunately it's management which are the biggest risks. There's never enough time to do it right, but there's always enough time to do it again.

  11. Re:Duh, it was accidentally on purpose... by flyingfsck · · Score: 1

    You mean using the EU satellites for GLONASS? Unlikely. However, they have intentionally crippled Galileo.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  12. Pun Error on Line 472 by Tablizer · · Score: 3, Funny

    They had trouble putin it in the right orbit

    --
    Table-ized A.I.
    1. Re:Pun Error on Line 472 by Megane · · Score: 2

      But in Soviet Russia, glorious President would have launched satellite with his own bear hands!

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    2. Re:Pun Error on Line 472 by ostrich2 · · Score: 2

      Russians have bear hands? I hope if we ever go to war, it's not hand-to-hand combat!

    3. Re:Pun Error on Line 472 by deadweight · · Score: 1

      I bet it cuts down on the wanking though...

  13. Garbage in, garbage out by stoatwblr · · Score: 1

    The software worked perfectly. This is a case of misprogrammed destination ("What do you mean this is Auckland? I wanted OAKLAND!")

  14. Written in Scala? by sproketboy · · Score: 1

    Probably.

  15. Hours of testing doesn't equal automatic quality by sjbe · · Score: 1

    Your fears are not rational. Self driving cars and robotic surgeons are tested for thousands of hours, under live conditions.

    Among the other parts of my job I run a Quality Assurance department for my company and I've worked in QA for several years. It doesn't matter how much you test something if the process for designing and building the product was inadequate. QA testing is like the goalie on a hockey team - necessary but even the best goalie is going to fail if the team in front of him can't play defense. Good quality comes from good designs which are rationally and systematically well executed. Testing is a part of the equation but the correlation between hours of testing and the ultimate quality of a product is a weak one.

    I had LASIK eye surgery done by a robot. I trusted it far more than I would a human surgeon.

    And you looked up the hard evidence to back up this assumption for that specific procedure? (you may have - not trying to be rude) I've had LASIK as well and while I agree that it is absolutely possible for a robot to help a surgeon do a better job, I wouldn't trust it more simply because it was a robot. Furthermore there is a difference between an autonomous robot and a robotic assistive device. Most "robotic surgery" is with devices that assist and (hopefully) improve the capability of the surgeon doing the work but it is still a surgeon operating on you at the end of the day. He's just using a fancy tool to help him be a bit steadier.

    Getting rocket software right is difficult precisely because there is no way to do a live test.

    Umm, yes there is. It's called "doing a live test". They're often expensive but they very often are possible. We did lots of them in the early days of the space program. Companies still do them to this day. They might choose not to for economic reasons but that doesn't mean they cannot be done.

  16. Most developers only know trial and error by sjbe · · Score: 1

    Most programmers and software engineers have the limitations you mention because consumers don't want to pay for the high quality software we want to build for them.

    I would lend more credence to this statement if most software engineers actually had any actual experience designing and implementing high reliability software. Most unfortunately have very little clue what that actually means or how to do it for real. They like the idea (it's a good idea!) but have zero experience or training in the implementation techniques required. You are correct that there is an economic component to the problem but that doesn't appear to be the core problem. Even when we take money out of the equation altogether with open source software, we STILL don't see software developers using the formal engineering techniques that would result in the most reliable software. I think this is in large part because most of them have no idea whatsoever how actually develop like this. Most software is designed by trial and error because that is the only way most developers know how to do it. They still code like they did when they were a teenager in mom's basement because no one showed them a better way.

    For what it's worth, this problem isn't unique to software engineers. I'm not a programmer and I see similar problems with electrical and mechanical engineers on a daily basis. Trial and error is easy to understand and quick and generally works whereas formal engineering is much harder.

    When software is used in places where it has to work the first time, we'll be more than happy to adapt to the new set of circumstances.

    Maybe but I doubt it. I really don't see developers genuinely pushing for more reliable development techniques in the real world. They talk about them in a "wouldn't that be nice" sort of way but they don't really try to make them happen.

  17. Failing to recognize limits by sjbe · · Score: 1

    unlike every other kind of engineer, software engineers rarely encounter the boundaries of their knowledge

    I'm not so sure about this. I agree about the arrogance but I think a more accurate statement might be that software engineers too often fail to recognize when they encounter the boundaries of their knowledge. I think they bump into those limits all the time and go merrily on their way past them. We've all seen software that was clearly developed by someone who clearly never actually had to use it to do the job it was designed for. I was staring at a piece of accounting software today that clearly was designed by someone who has never actually worked as an accountant. Either work flow was not a primary consideration or the programmer badly misunderstood how accountants go about their daily business. As you say, the consequences of their decisions are so far removed from their incentives and feedback that they have no real appreciation of how their work affects others.

  18. they were spending too much time on the night job by swschrad · · Score: 1

    cracking US banks.

    so their day jobs, launching rockets and calculating how far Russia could go in subjugating Ukraine, suffered.

    we all know how that works...

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  19. Can we trust the report? by jpellino · · Score: 1

    What's the old saying? There is no izvestia in Pravda, and no pravda in Izvestia.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  20. In other words, retritbution... by s13g3 · · Score: 1

    Revenge is a dish best served in the wrong orbit?

    Funny, isn't it, in the midst of all these sanctions and general brou-ha-ha over the Ukraine, with Russia taking all kinds of tit-for-tat punitive measure in response by EU attempts use economic fines in order to restrain their bad behavior, that, âoeThe nonstandard operation of the integrated management system was likely caused by an error in the embedded software," which manages to cost the EU the full use of a multi-million dollar satellite whose purpose was to provide competition with Russia's GLONASS system (in addition to American GPS)?

    They didn't even have to do anything fancy, just twiddle a few lines of code to send it off course, then blame it on random "unforeseeable" coding error that they'll refuse to accept responsibility for.

    --
    "Inveniemus Viam Aut Faciemus" 'We will find a way... Or we will make one!' --Hannibal of Carthage