Ganssle 1 MAPLD 2005/S110 Learning from Disaster. Jack Ganssle.
The Tacoma Narrows Bridge, 4 months after opening, Nov 7, 1940

Forgotten Failures
Montrose Bridge, Scotland, 1838
Menai Strait Bridge, Wales, 1839
Basse-Chaine Bridge, 1850
Roche-Bernard Bridge, France, 1852
Wheeling Suspension Bridge, 1854
Dryburgh Abbey Bridge, Scotland, 1818
Niagara-Lewiston Bridge, 1864
Niagara-Clifton Bridge, 1889
Bronx-Whitestone, 1939
Deer Isle Bridge, 1939

Costs

Bridge              Completed   Span      Cost
George Washington               3500 ft   $59.5m
Golden Gate                     4200 ft   $35m
Bronx-Whitestone                2300 ft   $19.7m
Tacoma Narrows                  2800 ft   $6.4m

Lessons
Cheaper is often more expensive.
Management decisions do not repeal the laws of physics.
Not learning from the past means repeating the past, endlessly.
Codes are a powerful way to ensure projects are done correctly.

Clementine
Lessons learned:
Schedules can't rule
Tired people make mistakes
Error handlers save systems
Never sacrifice testing

NEAR
Lessons learned:
Tired people make mistakes
Use the VCS
Test everything!
Engineers rock!
We must learn from disaster

Mars Polar Lander / Deep Space 2
Lessons learned:
Tired people make mistakes
Test everything!
Test like you fly; fly what you test

Pathfinder
Lessons learned:
Error handlers save systems
There's no such thing as a glitch: believe your tests!

Mars Exploration Rover
Poor error handler
Lessons learned:
Test like you fly; fly what you test
We must learn from disaster

Titan IVb Centaur
Lessons learned:
Test like you fly; fly what you test
Use the VCS

Ariane 5
Lessons learned:
Improve error handling
Assume software can fail
Test everything!
Be careful with ported code

Chinook
Lessons learned:
Do reviews... before shipping!
Test like you fly; fly what you test

Therac-25
Lessons learned:
Use tested components
Use accepted practices
Use peer reviews

Radiation Deaths in Panama
May '01: over 20 dead patients.
Data could be entered in a way that confused the machine: the unit printed a safe treatment plan but delivered an overexposure.
Lessons learned:
Test carefully
Better requirements
Use a defined process and peer reviews

Pacemakers
Lessons learned:
Test everything!
Flash is not a schedule enhancer

Near Meltdown
Lessons learned:
Test everything!
Improve error handling

Uwatec dive computer (1995); the Challenger
Lessons learned:
Be careful with ported code
Blame the engineers

A Hot Day
Lessons learned:
Test everything!

Lessons learned:
Choose your IP carefully

Forgotten Failures
2000 – Ford Explorer recall
Grand Prix leap-year glitch
1992 – Crash of the only F-22 prototype
2003 – BMW traps Thai politician
2003 – BMW recalls
747, 767, A340 avionics lockups
2003 – Slammer worm attacks a nuclear plant
1974 – Loss of a job for 7 years
1991 – Patriot missile failure

Our Criminal Behavior
No peer reviews
Implicated in the Chinook helicopter, the Multidata radiotherapy device, and the Therac-25.
Average uninspected code contains bugs per 1000 LOC. Inspections find most of these. Cheaply.

Our Criminal Behavior
Inadequate testing
Implicated in the Clementine, NEAR, Mars Polar Lander, Pathfinder, Mars Exploration Rover, Titan IVb, Ariane, Sea Launch, Chinook, Therac-25, Multidata, pacemakers, Los Alamos incident, and the huge digital thermometer.
Ignoring or cheating the VCS
Implicated in the NEAR, Pathfinder, Titan IVb, EFF, and FAA incidents.

Our Criminal Behavior
Lousy error handlers
Implicated in the Ariane, Los Alamos incident, Clementine, Yorktown, Mars Exploration Rover, and many others.
This means adopting a culture of anticipating and planning for failures! And for FPGA users it means adopting a philosophy that things do fail!
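The Ariane 5 slide ("Be careful with ported code", "Improve error handling") and this one ("Lousy error handlers") state lessons without showing the mechanism. The public Ariane 501 inquiry report traces the loss to an unprotected conversion of a 64-bit floating-point horizontal-bias value to a 16-bit signed integer in inertial-reference code reused from Ariane 4, where the value could not go out of range; the resulting operand-error exception shut down both the backup and the active inertial unit, which ran identical software. The C block below is an added example, not from Ganssle's slides and not Ariane code: it puts the unchecked narrowing beside a checked version that reports the fault and a saturating version that keeps the system running and counts the fault. The sensor readings and their units are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Result of a checked narrowing conversion. */
typedef enum {
    CONV_OK = 0,
    CONV_OVERFLOW,    /* finite, but outside the int16_t range */
    CONV_NOT_FINITE   /* NaN or infinity: no integer is meaningful */
} conv_status;

/* Finite iff x equals itself (not NaN) and x - x is zero (not inf).
 * Written this way to avoid a libm dependency. */
static bool finite_double(double x)
{
    return (x == x) && ((x - x) == 0.0);
}

/* Unchecked narrowing, the shape of the Ariane 501 defect. If x lies
 * outside [-32768, 32767] this conversion is undefined behaviour in C
 * (in the original Ada it raised an unhandled Operand Error). Kept only
 * to show what the checked versions replace. */
int16_t narrow_unchecked(double x)
{
    return (int16_t)x;
}

/* Checked narrowing: the range test is done in double, where comparison
 * is always defined, and the failure is returned to the caller instead
 * of being left to the runtime. */
conv_status narrow_checked(double x, int16_t *out)
{
    if (!finite_double(x))
        return CONV_NOT_FINITE;
    if (x < (double)INT16_MIN || x > (double)INT16_MAX)
        return CONV_OVERFLOW;
    *out = (int16_t)x;   /* in range: truncates toward zero */
    return CONV_OK;
}

/* Fail-operational variant: clamp to the representable range and flag
 * the event so it is logged. Whether clamping is acceptable is a system
 * decision; the point is that the decision is made explicitly. */
int16_t narrow_saturate(double x, bool *clamped)
{
    *clamped = true;
    if (!finite_double(x))
        return 0;
    if (x > (double)INT16_MAX)
        return INT16_MAX;
    if (x < (double)INT16_MIN)
        return INT16_MIN;
    *clamped = false;
    return (int16_t)x;
}

/* Convert a batch of readings. Returns the count converted cleanly and
 * stores the count of clamped readings in *faults. A handler that
 * aborted on the first bad value would lose the whole batch. */
size_t process_samples(const double *in, size_t n, int16_t *out, size_t *faults)
{
    size_t ok = 0;
    *faults = 0;
    for (size_t i = 0; i < n; i++) {
        bool clamped;
        out[i] = narrow_saturate(in[i], &clamped);
        if (clamped)
            (*faults)++;
        else
            ok++;
    }
    return ok;
}

/* Produce a NaN at run time without a libm call. */
static double make_nan(void)
{
    volatile double zero = 0.0;
    return zero / zero;
}

int main(void)
{
    /* Constructed readings in hypothetical units; the last three are the
     * cases the unchecked path cannot handle. */
    double readings[8] = { 0.0, 123.9, -1.5, 32767.0, -32768.0, 40000.0, -40000.0, 0.0 };
    readings[7] = make_nan();
    int16_t out[8];
    size_t faults;
    size_t ok = process_samples(readings, 8, out, &faults);
    printf("converted %zu, clamped %zu\n", ok, faults);
    for (size_t i = 0; i < 8; i++)
        printf("  %10.1f -> %6d\n", readings[i], (int)out[i]);
    return 0;
}
```

The saturating path is not automatically the right one: for a guidance value, clamping silently could be as dangerous as aborting. The design choice the slides argue for is that the failure mode is chosen and tested before flight, not discovered by an exception handler on the day.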

Our Criminal Behavior
The use of dangerous tools!

Language           Bugs/KLOC
C (worst)          500
C (average)
Ada (worst)        50
Ada (average)      25
SPARK (average)    4

The Boss's Criminal Behavior
Schedules can't rule
Corollary: tired people make mistakes.
Implicated in the Clementine, NEAR, Mars Polar Lander, and many others.

The Boss's Criminal Behavior
Be wary of financial shortcuts!
Implicated in the Tacoma Narrows Bridge, Ariane, MGM fire, and many others.
Reuse is not a panacea
Reuse is extremely difficult. See "Confessions of a Used Program Salesman" by Will Tracz.
Implicated in the Ariane, Uwatec, and many others.

Are we criminals? Or are we still in the dark ages?
But there's a lot we do know, so we're negligent, and will be culpable, if we don't consistently use best practices.