* Re: Ada / Boeing 777
@ 1996-03-19 0:00 Sam Harbaugh
1996-03-21 0:00 ` Ian Ward
0 siblings, 1 reply; 16+ messages in thread
From: Sam Harbaugh @ 1996-03-19 0:00 UTC (permalink / raw)
Ken Garlington <garlingtonke@LFWC.LOCKHEED.COM> wrote
ron thompson wrote:
> 777 is the first 100% fly by wire, no mechanical backups
> of any kind, built in the US of A.
Ken First _commercial_ aircraft that is 100% fly by wire, no
Ken mechanical backups, built in the USA, of course.
------------------------------------
from the newspaper article:
In the unlikely event of a complete electrical system shutdown,
cables from the cockpit to selected spoilers and the horizontal tail
section allow the pilot to glide straight and level until the electrical
system is restarted.
----------------------------------
[or until impact with the earth :-) ]
---------------------------------------
Ken Garlington <garlingtonke@LFWC.LOCKHEED.COM> wrote:
Tim Rowe wrote:
>
> AIUI the Airbus range has triplicated *diverse* systems for critical
> functions. The 777 has triplicated *identical* systems (I'm trusting the
> press for this, so it may not be gospel).
Ken If I recall the TRI-Ada stuff on this, it's the same source code, compiled
Ken with three different compilers for three different targets. So, it
Ken depends on what you mean by "diversity."
I recall it being written that each of the three were programmed in a
different language, Ada, C and PL/M.
------------------------------------------------------
sam harbaugh harbaugh@acusys.com
* Re: Ada / Boeing 777
1996-03-19 0:00 Ada / Boeing 777 Sam Harbaugh
@ 1996-03-21 0:00 ` Ian Ward
1996-03-21 0:00 ` Stuart Palin
0 siblings, 1 reply; 16+ messages in thread
From: Ian Ward @ 1996-03-21 0:00 UTC (permalink / raw)
Sam Harbaugh wrote :
> I recall it being written that each of the three were
> programmed in a different language, Ada, C and PL/M.
There was an article in Byte magazine, late last year,
entitled "Why software doesn't work" which stated just
that. However, it was said that the two other projects
were stopped, after 18 months, and the people from
the 'C' and PLM projects became testers on the Ada project.
The reason given for this, in the article, was that
experts needed to be working together, not apart. I found
this explanation, frankly, bollocks.
These results do not surprise me, however, because, although
I know nothing about PLM, the design requirements of 'C' -
"We need a short hand assembler type of thing", certainly
confirm that it is not up to the job of supporting the safety
requirements of Class 1 software. It simply was not
designed (or even redesigned) for it.
I always question why someone would use a phrase like
"nuisance disconnects" to describe the relationship
between parallel projects being coded in different
languages. This phrase I have never heard of, and
neither had any of my colleagues. If, as I suspect,
it means that one project started to fall behind, then
I wonder why the originator did not just say that. My
suspicions fall into a few main categories.
1. The author knows that his readership predominantly
use one of the languages he is just about to slag
off, and he knows that they will only continue to
buy his magazine for so long in the face of their
language's apparent attack.
People read what they are, after all, hardly any
tories in England go out of their way to purchase
a Daily Mirror. Militant feminist undergraduates
do not tend to read Playboy magazine either, they
often read Cosmopolitan. Though with naked women in
both magazines, some people read both, ahem.
2. The advertising revenue involved with not slagging
off the biggest advertisers' products. I think we
can all think of one big example of this.
pragma seriousness_completely_gone_out_the_window
(ON, allow_factual_recants);
3. The author is studying for an MBA and as such
feels the need to invent confusing new acronyms and
metaphors, to disguise lack of real talent in any
one area. "We're all going Competitive Accessibility,
Nathaniel. Competitive Accessibility!" Joking aside,
I cannot slag off ALL MBA students, as I met quite
a lot just recently, and I would trust at least ten
percent of them to sit the right way round on a toilet.
I was listening to the recant of one student's viva,
following the exam for acceptance on the course, which
I paraphrase : "... so I was sitting in the interview
room, and this guy said 'we've decided to take you
this year even though you were in the lowest quartile'
so I said 'Hey man, I don't know what a quartile is'
amazing eh?..."
With such capable management out there it is unsurprising
that they have spotted the flawless c++ language, and
decided to promote it.
pragma seriousness_completely_gone_out_the_window
(OFF);
Does anybody know what a nuisance disconnect is?
I think we should be told.
Best regards,
---
Ian Ward's (learning c++) opinions only : ian@rsd.bel.alcatel.be
Fetch me the aspirin, I know c++ is a quick fix,
but all this debugger work is giving me a headache.
- What Bruce Lee might have said, were he alive today.
* Re: Ada / Boeing 777
1996-03-21 0:00 ` Ian Ward
@ 1996-03-21 0:00 ` Stuart Palin
0 siblings, 0 replies; 16+ messages in thread
From: Stuart Palin @ 1996-03-21 0:00 UTC (permalink / raw)
ian@rsd.bel.alcatel.be (Ian Ward) wrote:
[snip]
>Does anybody know what a nuisance disconnect is?
>I think we should be told.
>
Having not read the article I do not know how it was being used in this
context, but generally in the aviation industry a nuisance disconnect is
where a safety mechanism (which usually disconnects a failing sub-system)
is triggered unnecessarily (and is hence a nuisance).
Perhaps an example might be a Web Server that abandons trying to get a
page because the connection times out - which might usually indicate that
the connection has failed. The problem is that the Net is so slow that
you get time-outs when the system is busy - a nuisance disconnect.
--
Stuart Palin
{usual disclaimers}
* Re: Ada / Boeing 777
@ 1996-03-23 0:00 Sam Harbaugh (at Home)
0 siblings, 0 replies; 16+ messages in thread
From: Sam Harbaugh (at Home) @ 1996-03-23 0:00 UTC (permalink / raw)
Matt Kennel <mbk@CAFFEINE.ENGR.UTK.EDU> wrote:
>The representation (aka implementation) of angle is wrong.
>It should be a complex number of unit magnitude. Rotations in any
>direction can be implemented as complex multiplication without any
>discontinuities, wrap around errors or problems at 0 or 180 or 360
>degrees.
>This is an easy 2-d representation of the rotation group. 3-d is
>trickier: either Euler angles or quaternions.
I agree with Matt. In my posting I assumed that the Airbus software used
better than one degree integer heading values and that the original poster
was simplifying it to make his point clearer. The point of my post was to
call attention to the possible absence of domain expertise in and around the
software development activity.
I have boxes of simulator code, F4, V22, etc. and without looking I recall
that all of them use quaternions.
>See, sometimes physicists *can* be useful. ;-)
Yes Matt, I agree. Where would we engineers be without the understanding of
nature that the physicists provide. (serious, no smiley).
sam harbaugh harbaugh@acusys.com
* Re: Ada / Boeing 777
@ 1996-03-18 0:00 Sam Harbaugh
1996-03-22 0:00 ` Matt Kennel
1996-03-27 0:00 ` "Tim Rowe"
0 siblings, 2 replies; 16+ messages in thread
From: Sam Harbaugh @ 1996-03-18 0:00 UTC (permalink / raw)
Tim Rowe <digitig@CIX.COMPULINK.CO.UK> wrote:
>As an example, there was a known fault on one of the Airbus range (which
>has been flying total fly-by-wire for *many* years before the 777!) that
>meant that when flying a heading of 00 degrees, if the pilot commanded
>the aircraft to turn a bit one way, the aircraft could actually turn the
>other way. It was turning to the correct heading, but it was going the
>359 degree route, not the 1 degree route. Now, there are not many runways
>in the world that are close to north-south, but there are a few, and when
that bug showed itself on a final approach I bet the pilot's pants turned
>brown.
Point of order: heading zero is invalid in the user space. north-south
runways are marked 36 for 360 degrees, not zero. Pilots and ATC speak of
360 degrees, not zero degrees.
I wouldn't suggest that this point has anything to do with the malfunction
but maybe, just maybe, if the programmer had a pilot's license he/she would
have known this and then maybe, just maybe, he/she would have known to turn
in the proper direction.
Just maybe, just possibly maybe, if the code was written in a strongly typed
language, using human readable names, and a pilot attended a code
walkthrough, the pilot would have picked up on type heading_type being from
0..359 instead of 1..360 and started a conversation that would have led to
discovery of the wrong way turn.
I wonder what language would provide this feature :-)
sam harbaugh harbaugh@acusys.com
p.s. does this remind you of the "two values for midnight" thread of years ago?
* Re: Ada / Boeing 777
1996-03-18 0:00 Sam Harbaugh
@ 1996-03-22 0:00 ` Matt Kennel
1996-03-22 0:00 ` Ted Dennison
1996-03-22 0:00 ` Alan Brain
1996-03-27 0:00 ` "Tim Rowe"
1 sibling, 2 replies; 16+ messages in thread
From: Matt Kennel @ 1996-03-22 0:00 UTC (permalink / raw)
Sam Harbaugh (harbaugh@ACUSYS.COM) wrote:
: Tim Rowe <digitig@CIX.COMPULINK.CO.UK> wrote:
: >As an example, there was a known fault on one of the Airbus range (which
: >has been flying total fly-by-wire for *many* years before the 777!) that
: >meant that when flying a heading of 00 degrees, if the pilot commanded
: >the aircraft to turn a bit one way, the aircraft could actually turn the
: >other way. It was turning to the correct heading, but it was going the
: >359 degree route, not the 1 degree route. Now, there are not many runways
: >in the world that are close to north-south, but there are a few, and when
: that bug showed itself on a final approach I bet the pilot's pants turned
: >brown.
: Point of order: heading zero is invalid in the user space. north-south
: runways are marked 36 for 360 degrees, not zero. Pilots and ATC speak of
: 360 degrees, not zero degrees.
: I wouldn't suggest that this point has anything to do with the malfunction
: but maybe, just maybe, if the programmer had a pilot's license he/she would
: have known this and then maybe, just maybe, he/she would have known to turn
: in the proper direction.
: Just maybe, just possibly maybe, if the code was written in a strongly typed
: language, using human readable names, and a pilot attended a code
: walkthrough, the pilot would have picked up on type heading_type being from
: 0..359 instead of 1..360 and started a conversation that would have led to
: discovery of the wrong way turn.
The representation (aka implementation) of angle is wrong.
It should be a complex number of unit magnitude. Rotations in any
direction can be implemented as complex multiplication without any
discontinuities, wrap around errors or problems at 0 or 180 or 360
degrees.
This is an easy 2-d representation of the rotation group. 3-d is
trickier: either Euler angles or quaternions.
Don't just hack on the problem: transcend it.
See, sometimes physicists *can* be useful. ;-)
* Re: Ada / Boeing 777
1996-03-22 0:00 ` Matt Kennel
@ 1996-03-22 0:00 ` Ted Dennison
1996-03-22 0:00 ` Alan Brain
1 sibling, 0 replies; 16+ messages in thread
From: Ted Dennison @ 1996-03-22 0:00 UTC (permalink / raw)
Matt Kennel wrote:
> It should be a complex number of unit magnitude. Rotations in any
> direction can be implemented as complex multiplication without any
> discontinuities, wrap around errors or problems at 0 or 180 or 360
> degrees.
>
> This is an easy 2-d representation of the rotation group. 3-d is
> trickier: either Euler angles or quaternions.
...
> See, sometimes physicists *can* be useful. ;-)
Gee, you're right.
Now go get us a cup of coffee. :-)
--
T.E.D.
| Work - mailto:dennison@escmail.orl.mmc.com |
| Home - mailto:dennison@iag.net |
| URL - http://www.iag.net/~dennison |
* Re: Ada / Boeing 777
1996-03-22 0:00 ` Matt Kennel
1996-03-22 0:00 ` Ted Dennison
@ 1996-03-22 0:00 ` Alan Brain
1 sibling, 0 replies; 16+ messages in thread
From: Alan Brain @ 1996-03-22 0:00 UTC (permalink / raw)
mbk@caffeine.engr.utk.edu (Matt Kennel) wrote:
>The representation (aka implementation) of angle is wrong.
>
>It should be a complex number of unit magnitude. Rotations in any
>direction can be implemented as complex multiplication without any
>discontinuities, wrap around errors or problems at 0 or 180 or 360
>degrees.
>
>This is an easy 2-d representation of the rotation group. 3-d is
>trickier: either Euler angles or quaternions.
>
>Don't just hack on the problem: transcend it.
>
>See, sometimes physicists *can* be useful. ;-)
Us Engineers come across this problem often. IMHO the best, in fact the
ONLY solution is to have something like RADIANS_TYPE, a real, and then
use subtypes and I/O converters appropriately. So if you're communicating
with a piece of kit that likes to give you BAMS, you just multiply by the
constant FROM_BAMS and convert from fixed point to real accordingly.
Similarly, for some applications, a human-readable readout of 0-359 is
good; for others, 1-360. Mils, Revs, Radians and Degrees are all useful
at one time or another: but keep your arithmetic operations in a common
format, else that way lies madness.
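The wrap-around fault and the two remedies proposed in this sub-thread (Matt Kennel's unit-magnitude complex heading, Alan Brain's single internal format with converters at the I/O boundary), as an added Python example that is not code from any poster or from any aircraft software. The function names and the 16-bit BAM word width are assumptions.

```python
import cmath
import math

BAM_BITS = 16  # assumption: a 16-bit BAM word, full scale = one revolution


def naive_turn_deg(current: int, target: int) -> int:
    """Turn command by plain subtraction on 0..359 integers.

    Deliberately naive: reproduces the 'long way round' fault at north."""
    return target - current


def heading_to_unit(deg: float) -> complex:
    """Input converter: compass degrees (0 and 360 both mean north)."""
    return cmath.exp(1j * math.radians(deg))


def bams_to_unit(word: int, bits: int = BAM_BITS) -> complex:
    """Input converter: binary angular measurement word to unit complex."""
    scale = 1 << bits
    return cmath.exp(2j * math.pi * (word % scale) / scale)


def turn_deg(current: complex, target: complex) -> float:
    """Signed shortest turn in degrees, within [-180, 180].

    target * conj(current) is the rotation that carries current onto
    target; its phase has no discontinuity at north. Positive means
    'toward increasing heading'."""
    return math.degrees(cmath.phase(target * current.conjugate()))


def unit_to_display(h: complex, north_as_360: bool = True) -> int:
    """Output converter: whole degrees, as 1..360 (pilot usage) or 0..359."""
    deg = round(math.degrees(cmath.phase(h))) % 360
    return 360 if (deg == 0 and north_as_360) else deg


if __name__ == "__main__":
    # Constructed cases: (current heading, commanded heading) in degrees.
    for cur, tgt in [(0, 359), (0, 1), (350, 10), (10, 350)]:
        good = turn_deg(heading_to_unit(cur), heading_to_unit(tgt))
        print(f"{cur:3d} -> {tgt:3d}: naive {naive_turn_deg(cur, tgt):+5d}, "
              f"unit-complex {good:+7.2f}")
    print("north displayed as", unit_to_display(heading_to_unit(0)))
```

All arithmetic happens on the unit complex value; degrees, BAMs and the 0..359 versus 1..360 choice exist only in the converters.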
* Re: Ada / Boeing 777
1996-03-18 0:00 Sam Harbaugh
1996-03-22 0:00 ` Matt Kennel
@ 1996-03-27 0:00 ` "Tim Rowe"
1 sibling, 0 replies; 16+ messages in thread
From: "Tim Rowe" @ 1996-03-27 0:00 UTC (permalink / raw)
sam harbaugh said
> Point of order: heading zero is invalid in the user space. north-south
> runways are marked 36 for 360 degrees, not zero. Pilots and ATC speak of
> 360 degrees, not zero degrees.
Well, that proves I'm not an air traffic controller or a pilot, though I
should have remembered it from a review I did with a pilot of an aircraft
distress system :-) IIRC the reports I read spoke of a heading of "due
North" (which I took to be magnetic, BTW).
[snip]
> Just maybe, just possibly maybe, if the code was written in a strongly typed
> language, using human readable names, and a pilot attended a code
> walkthrough, the pilot would have picked up on type heading_type being from
> 0..359 instead of 1..360 and started a conversation that would have led to
> discovery of the wrong way turn.
>
> I wonder what language would provide this feature :-)
Oh, Pascal, Modula2... :-)
I'd have wanted it picked up at a specification review (as it was on the
distress system I mentioned, BTW), rather than a code walkthrough, BTW.
Even with machine readable names it can be hard to find pilots with the
right experience to join in code walkthroughs. Magic numbers like 359 or
360 shouldn't pop up in such code without having been reviewed in a spec
document AFAICS.
digiTig
(Tim Rowe)
* Re: Ada / Boeing 777
[not found] <4ia0l3INNatk@faatcrl.faa.gov>
@ 1996-03-15 0:00 ` Thomas C. Timberlake
1996-03-18 0:00 ` Thomas C. Timberlake
1996-03-16 0:00 ` "Tim Rowe"
1996-03-18 0:00 ` Ken Garlington
2 siblings, 1 reply; 16+ messages in thread
From: Thomas C. Timberlake @ 1996-03-15 0:00 UTC (permalink / raw)
See also the article "Software Development on the 777" by
Ron Pehrson, Boeing Manager, Embedded Software. This
article appears in the STSC newsletter, CrossTalk. It is
available electronically via the STSC Web site at:
<http://www.stsc.hill.afb.mil>
follow the links to the January '96 issue of CrossTalk.
--
Tom Timberlake Member, Team Ada
Boeing Defense & Space Group Software Systems
timberlake@xavier.ds..boeing.com
Member Team Ada
* Re: Ada / Boeing 777
[not found] <4ia0l3INNatk@faatcrl.faa.gov>
1996-03-15 0:00 ` Thomas C. Timberlake
@ 1996-03-16 0:00 ` "Tim Rowe"
1996-03-18 0:00 ` Ken Garlington
1996-03-18 0:00 ` Ken Garlington
2 siblings, 1 reply; 16+ messages in thread
From: "Tim Rowe" @ 1996-03-16 0:00 UTC (permalink / raw)
ron thompson <thompsor@admin.tc.faa.gov>
> The only "bugs", "problems", "burps", "hiccups", whatever
> you wish to call them that matter in an airplane are
> the ones that keep it on the ground.
This is patently wrong, and dangerously so. "bugs", "problems", "burps",
"hiccups" that keep an aircraft on the ground are intrinsically pretty
safe. The ones that *do* matter are the ones that are likely to encourage
the aircraft to *return* to the ground in an untimely and inadequately
controlled manner. Commonly called a crash.
As an example, there was a known fault on one of the Airbus range (which
has been flying total fly-by-wire for *many* years before the 777!) that
meant that when flying a heading of 00 degrees, if the pilot commanded
the aircraft to turn a bit one way, the aircraft could actually turn the
other way. It was turning to the correct heading, but it was going the
359 degree route, not the 1 degree route. Now, there are not many runways
in the world that are close to north-south, but there are a few, and when
that bug showed itself on a final approach I bet the pilot's pants turned
brown. The pilot recovered it safely, but it was the subject of an
accident investigation, and I read about it in the published results. It
turned up in comp.risks, too, as you might expect. Presumably JAA is
satisfied that it's safe, but sorry, the fact that it is flying is not
any such proof.
AIUI the Airbus range has triplicated *diverse* systems for critical
functions. The 777 has triplicated *identical* systems (I'm trusting the
press for this, so it may not be gospel).
digiTig
(Tim Rowe)
* Re: Ada / Boeing 777
1996-03-16 0:00 ` "Tim Rowe"
@ 1996-03-18 0:00 ` Ken Garlington
1996-03-19 0:00 ` Bob Kurtz
0 siblings, 1 reply; 16+ messages in thread
From: Ken Garlington @ 1996-03-18 0:00 UTC (permalink / raw)
Tim Rowe wrote:
>
> AIUI the Airbus range has triplicated *diverse* systems for critical
> functions. The 777 has triplicated *identical* systems (I'm trusting the
> press for this, so it may not be gospel).
If I recall the TRI-Ada stuff on this, it's the same source code, compiled
with three different compilers for three different targets. So, it
depends on what you mean by "diversity."
As Leveson and Knight's work indicates (and my experience bears out),
code diversity don't mean much, though.
* Re: Ada / Boeing 777
1996-03-18 0:00 ` Ken Garlington
@ 1996-03-19 0:00 ` Bob Kurtz
1996-03-23 0:00 ` "Tim Rowe"
0 siblings, 1 reply; 16+ messages in thread
From: Bob Kurtz @ 1996-03-19 0:00 UTC (permalink / raw)
In article <314D2D86.41A8@lfwc.lockheed.com>, Ken Garlington
<garlingtonke@lfwc.lockheed.com> wrote:
> Tim Rowe wrote:
> >
> > AIUI the Airbus range has triplicated *diverse* systems for critical
> > functions. The 777 has triplicated *identical* systems (I'm trusting the
> > press for this, so it may not be gospel).
>
> If I recall the TRI-Ada stuff on this, it's the same source code, compiled
> with three different compilers for three different targets. So, it
> depends on what you mean by "diversity."
>
> As Leveson and Knight's work indicates (and my experience bears out),
> code diversity don't mean much, though.
So true. Difficult software tends to be difficult for everybody. And
with most (or at least many) major software faults originating in
requirements interpretation, who is to say that different software sets
weren't *all* built wrong based on an incorrect interpretation of
(probably vague) requirements? Or worse yet, you could have as many sets
of perfect software as you like, all written to be compliant with faulty
requirements.
--
Bob Kurtz (kurtz@mustang.nrl.navy.mil)
Hughes STX Corp., US Naval Research Lab, Washington DC
* Re: Ada / Boeing 777
1996-03-19 0:00 ` Bob Kurtz
@ 1996-03-23 0:00 ` "Tim Rowe"
0 siblings, 0 replies; 16+ messages in thread
From: "Tim Rowe" @ 1996-03-23 0:00 UTC (permalink / raw)
Bob Kurtz (kurtz@mustang.nrl.navy.mil) wrote:
> (probably vague) requirements? Or worse yet, you could have as many sets
> of perfect software as you like, all written to be compliant with faulty
> requirements.
Certainly my experience is that most serious system faults I have dealt
with have originated with the requirements. I don't think that means we
can neglect all the stuff that's being done at the moment over software
safety, but I think it gives a hint as to what needs looking at now.
digiTig
(Tim Rowe)
* Re: Ada / Boeing 777
[not found] <4ia0l3INNatk@faatcrl.faa.gov>
1996-03-15 0:00 ` Thomas C. Timberlake
1996-03-16 0:00 ` "Tim Rowe"
@ 1996-03-18 0:00 ` Ken Garlington
2 siblings, 0 replies; 16+ messages in thread
From: Ken Garlington @ 1996-03-18 0:00 UTC (permalink / raw)
ron thompson wrote:
> 777 is the first 100% fly by wire, no mechanical backups
> of any kind, built in the US of A.
First _commercial_ aircraft that is 100% fly by wire, no
mechanical backups, built in the USA, of course.
As far as I know, the first production aircraft, including
_military_ aircraft, that was 100% fly by wire with no mechanical
backups of any kind, and built in the USA, has been in production
for about two decades now. The first _digital_ (software-based)
production yah de dah de dah has been in production for about
six years.
The F-16, of course, has the honor on both counts.