From: "Craig P. Beyers"
Subject: Re: Ariane 5 - not an exception?
Date: 1996/08/02
Message-ID: <32020FE5.1116@mail.amsinc.com>
References: <4t9vdg$jfb@goanna.cs.rmit.edu.au> <31FE0730.1205@lmtas.lmco.com>
Organization: American Management Systems, Inc.
Newsgroups: comp.software-eng,comp.lang.ada,comp.lang.pl1

Ken Garlington wrote:
>
> Actually, the amount of communication between a primary and a
> backup system is another tough system problem. We went through
> this on the F-16. In general, the backup shouldn't trust state
> data from the primary, since this can create a common mode failure.
> On the other hand, with _no_ state data, the backup may be unable
> to take over from the primary. Add to this the desire to keep the
> backup software identical to the primary, to reduce the amount of
> unique software to analyze and test, and it's a non-trivial thought
> process.

Clearly (from the report at least) the two IRS's were intended to provide redundant position capability. The back-up IRS is there to reduce the risk of hardware failure. But the Ariane folks missed the problem of software failure and left the bird without any backup. It's interesting to note, too, that the back-up IRS failed first for the same reason the primary failed, leaving the rocket nowhere to turn (pun intended).
Worse, it appears that no one anticipated both IRS's failing concurrently, so there's no provision in the s/w to at least center the nozzles and at least attempt to get the bird up higher and further out over the water--and thus safer--before destroying it.

To me, the provision for the Ariane 4 re-start fix (the 50-sec. alignment function) sounds like an "easy" fix that did not receive the proper study. Worse, it doesn't apply to the Ariane 5.

Pretty expensive s/w error? Of course not--it's not a s/w error but a set of errors in decisions, since it appears that the s/w did exactly what it was supposed to do with the data it received! Sort of a "the operation was a success but the patient died" situation.

CPB

--
American Management Systems, Inc.
"Achieving breakthrough performance through the intelligent use of information technology"
703-267-7194/703-267-2222 (fax); craig_beyers@mail.amsinc.com