I agree with you re the need to minimise checking and only do it at defined times - engine start-up being the obvious one - and if the report is accurate then I'm very surprised that a missing config file wasn't detected during the start-up checks.

However, I disagree with your comments about exceptions: the whole point of exceptions is that you drop into an exception handler. If that handler can't cope with the exception that has occurred then that is a design fault with the software. It's not a fault of the exception mechanism or the language that provides it.

In the Ariane case, the problem was not that an exception occurred but that it wasn't propagated up. So a horizontal velocity sensor went out of range, thought that it had suffered a fault and put diagnostic data on the data bus. Systems reading the bus, however, didn't realise and interpreted the diagnostic data as instrument data and this led to the destruction of the rocket.
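The distinction drawn above, between a local handler that cannot cope and a fault that is allowed to reach the level designed to cope with it, is easy to show in code. The following is an added, constructed Python illustration, not code from this thread or from the Ariane software: the bus word width, the diagnostic code, the sensor and consumer functions and the `guidance_step` supervisor are all assumptions made for the example. It contrasts a sensor task that swallows the out-of-range fault and writes a diagnostic word onto the bus with one that lets the exception propagate, and a bus consumer that reads every word as a measurement with one that checks the frame kind first.

```python
# Constructed illustration of fault propagation on a data bus (not from the thread).
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple


class FrameKind(Enum):
    MEASUREMENT = 1
    DIAGNOSTIC = 2


@dataclass(frozen=True)
class Frame:
    """One word on the (constructed) data bus: what it is, plus its 16-bit payload."""
    kind: FrameKind
    payload: int


class SensorFault(Exception):
    """Raised when a reading cannot be represented in the bus word format."""


# Assumed limits: a signed 16-bit bus word, and a constructed diagnostic code
# that, read as a number, happens to look like a plausible velocity.
WORD_MIN = -32768
WORD_MAX = 32767
DIAG_CODE_OVERFLOW = 0x7FFF


def encode_velocity(velocity: int) -> Frame:
    """Convert a horizontal velocity to a bus word, raising if it is out of range."""
    if not WORD_MIN <= velocity <= WORD_MAX:
        raise SensorFault(f"velocity {velocity} exceeds bus word range")
    return Frame(FrameKind.MEASUREMENT, velocity)


def sensor_swallowing(velocity: int) -> Frame:
    """A handler that cannot cope: it catches the fault locally, puts a diagnostic
    word on the bus and carries on, so nothing upstream learns the sensor failed."""
    try:
        return encode_velocity(velocity)
    except SensorFault:
        return Frame(FrameKind.DIAGNOSTIC, DIAG_CODE_OVERFLOW)


def sensor_propagating(velocity: int) -> Frame:
    """No local handler: the exception propagates to whoever can actually decide."""
    return encode_velocity(velocity)


def naive_consumer(frame: Frame) -> int:
    """Reads the bus as though every word were instrument data."""
    return frame.payload


def checked_consumer(frame: Frame) -> int:
    """Refuses to treat anything but a measurement frame as a velocity."""
    if frame.kind is not FrameKind.MEASUREMENT:
        raise SensorFault(f"diagnostic word {frame.payload:#06x} on the bus")
    return frame.payload


def guidance_step(
    velocity: int,
    sensor: Callable[[int], Frame],
    consumer: Callable[[Frame], int],
) -> Tuple[str, Optional[int]]:
    """The supervisor is the one place designed to cope with a sensor fault.

    Returns ('ok', v) when a usable reading arrived, or ('fallback', None) when
    the fault reached this level and the supervisor switched to a safe fallback.
    """
    try:
        return ("ok", consumer(sensor(velocity)))
    except SensorFault:
        return ("fallback", None)


if __name__ == "__main__":
    # Out-of-range reading: only the combinations that let the fault reach the
    # supervisor end in a deliberate fallback; the swallowing sensor plus the
    # naive consumer silently uses the diagnostic code as a velocity.
    for sensor in (sensor_swallowing, sensor_propagating):
        for consumer in (naive_consumer, checked_consumer):
            print(sensor.__name__, consumer.__name__, guidance_step(40000, sensor, consumer))
```

The swallowing sensor paired with the naive consumer is the failure mode described above: the handler that caught the exception had nowhere sensible to put the fault, so the diagnostic word was read as 32767 and used as data. Either letting the exception propagate or tagging bus frames so the consumer can reject non-measurements turns the same sensor fault into a decision the supervisor makes on purpose.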

