Re: Boeing and Dreamliner

["Robert I. Eachus" <rieachus@attbi.com>]

Hyman Rosen wrote:

> The main problem was that the people who wrote this software
> didn't leave any indication behind that it was valid only for
> data which could be encountered by an Ariane 4. Pure and simple,
> the Ariane 4 programmers left a buffer overflow bug in their
> code, and the Ariane 5 people tripped over it. The fact that it
> was in Ada helped not at all.

First, wrong!  The software was well documented.  And since the 
programmers had appealed the decision not to protect that particular 
conversion with a local exception handler, it was a very well documented 
part of the design.

But the tean that wrote the software never saw the Ariane 5 
requirements, and the people who could have checked the SRI 
documentation against the Ariane 5 requirements didn't have access to 
the SRI documentation.  Any attempt to put the two together would have 
resulted in a much bigger "Hey, wait a minute!"  Since the control laws 
depended on Ariane 4 physical parameters.

Changing the control law parameters to match the Ariane 5 was such a 
simple and obvious necessity, that it took almost Byzantine maneuvers to 
insure that it didn't happen.  I was a boy in short pants when I saw the 
American space program learn this lesson the hard way.  Not letting one 
contractor's employees talk to the other constractor's employees can 
cause bad things to happen.

The particular case I had in mind though was a Navy vs. Air Force 
disconnect on the Polaris program.  The Range Safety Officer at Patrick 
AFB was an Air Force Officer, but of course, some Polaris missile 
testing was done from Navy submarines.  The test plan called for a 
missle to be launched at an angle to see if the guidance system could 
recover.  As was expected the guidance system commanded the missle to 
loop.  (When the missle attitude was too great, the only way to recover 
was to gain altitude then loop quickly. You can't throttle solid fuel 
rockets, and the nozzles on the original Polaris were fixed with the 
only directional control from internal deflectors.)  The missle was 
almost out of the loop when the Air Force RSO destroyed it.  My father 
was a consulting engineer (actually as a radar expert), and I got to 
spend a couple more days on the beach, which I didn't mind.

But I still remember when my father came back to the motel and told us 
to start packing, the rest of the explosion was going to happen in the 
Pentagon.  The test plans were of course classified, but some (hmmm, 
jackass is probably the politest term I heard used) had decided that the 
  range safety officer did not need to know the test objectives.

So we stopped in D.C. on the way north, and I gather that Rickover "went 
nuclear" when he found out what had happened.  The "stem to stern" 
review security policies on the program found over a dozen cases where 
contractors were not considered to have need to know for key technical 
information.  The example that made my father's job easier, was that the 
radar contractor finally found out what the radars were supposed to be 
tracking.  (Uh, there's all that aluminum in the fuel, and the missile 
casing is wound fiberglass?  No wonder we keep getting screwy velocity 
readings.  We're tracking the exhaust.  What was my father there to do? 
  You guessed it.  Figure out why the radars were getting incorrect 
velocity data...)

For the record, AFAIK, my father never told me anything that was 
classified.  But there were many cases where I could put two and two, 
and recently declassifed data together.  Then, once I showed the 
declassified information to my father, I could get the inside story. 
The Polaris radar problem was one such case.