From: Ken Garlington
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/24
Message-ID: <3336CB18.4B3D@lmtas.lmco.com>
References: <332B5495.167EB0E7@eiffel.com> <33308C91.40CC@lmtas.lmco.com> <5gripj$4hk$1@quasar.dimensional.com>
Organization: Lockheed Martin Tactical Aircraft Systems
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada

Richard Kaiser wrote:
>
> In article <33308C91.40CC@lmtas.lmco.com>, Ken Garlington
> <332D113B.4A64@calfp.co.uk>
> <332DA14C.41C67EA6@eiffel.com> wrote:
> >Ulrich Windl wrote:
> >>
> >> The modules computing course correction data both failed due to
> >> problems mentioned (violating the specs for that code); they shut
> >> themselves down. But to me the main issue is that the module that
> >> received the course correction data did not detect that both computing
> >> modules failed and that the data was just a "test pattern" to indicate
> >> that event. Probably a better reaction would have been to stop making
> >> further corrections instead of driving the engine to its borders.
> >
> >This is the same as saying: "If the driver of an automobile has a heart
> >attack and dies, the steering system should ignore further inputs and
> >lock the wheels in the last 'good' position." It doesn't work with
> >automobiles, and it doesn't work with missiles, either. The flight
> >control system must receive valid sensor data to maintain control of
> >the aircraft. There is generally no reasonable 'fail-safe' value for a
> >feedback system like this!
>
> Data validity bits have been included in data messages for years. I used them
> in aircraft interfaces where one or more boxes could fail and the system still
> had to function. The error message dumped by the navigation subsystem
> should not have been interpretable as data. Now this may not have helped
> to guide the vehicle in this situation.

I absolutely agree with both statements:

1. The flight controls should have received some indication that both IRSs failed, and
2. It probably wouldn't have helped in this situation.

>
> Richard Kaiser

--
LMTAS - The Fighter Enterprise - "Our Brand Means Quality"
For job listings, other info: http://www.lmtas.com or http://www.lmco.com
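Added illustration of the validity-bit point raised above (this is not code from the thread or from any real flight system): a receiver that checks a data word's validity flag and source status before using the payload, beside a naive receiver that treats whatever bits arrive as a measurement. The 32-bit word layout, the status codes and the sample words are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed word layout: bit 31 = valid flag, bits 30..28 = source status,
 * bits 15..0 = signed 16-bit measurement. Not any real bus format. */
#define VALID_BIT     (1u << 31)
#define STATUS_SHIFT  28
#define STATUS_MASK   0x7u
#define STATUS_OK     0x0u
#define STATUS_FAILED 0x5u   /* hypothetical "unit shut itself down" code */

typedef enum { DATA_OK = 0, DATA_INVALID, DATA_SOURCE_FAILED } data_result;

/* Naive receiver: the payload bits are read as a measurement regardless of
 * what the rest of the word says, so a diagnostic pattern becomes "data". */
int16_t naive_decode(uint32_t w) {
    return (int16_t)(w & 0xFFFFu);
}

/* Checked receiver: only DATA_OK means *value may be fed to the control law. */
data_result decode_word(uint32_t w, int16_t *value) {
    if (((w >> STATUS_SHIFT) & STATUS_MASK) != STATUS_OK) return DATA_SOURCE_FAILED;
    if (!(w & VALID_BIT)) return DATA_INVALID;
    *value = (int16_t)(w & 0xFFFFu);
    return DATA_OK;
}

/* Redundant pair: use the first usable source; if neither is usable, say so
 * instead of handing a stale or bogus number downstream. */
data_result select_source(uint32_t primary, uint32_t backup, int16_t *value) {
    data_result r = decode_word(primary, value);
    if (r == DATA_OK) return r;
    return decode_word(backup, value);
}

/* Constructed sample words: a healthy reading of +120, and the pattern a
 * shut-down unit emits (status FAILED, diagnostic code in the payload field). */
#define WORD_GOOD     (VALID_BIT | (STATUS_OK << STATUS_SHIFT) | 0x0078u)
#define WORD_SHUTDOWN ((STATUS_FAILED << STATUS_SHIFT) | 0xE7C3u)

int main(void) {
    int16_t v = 0;
    data_result r = select_source(WORD_SHUTDOWN, WORD_SHUTDOWN, &v);
    printf("naive reading of shutdown pattern: %d\n", naive_decode(WORD_SHUTDOWN));
    printf("checked result: %d (0=ok, 1=invalid, 2=source failed)\n", (int)r);
    return 0;
}
```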