comp.lang.ada
From: "Robert I. Eachus" <rieachus@attbi.com>
Subject: Re: Ariane5 FAQ
Date: Wed, 23 Jul 2003 22:58:05 GMT
Message-ID: <3F1F12FB.2060901@attbi.com>
In-Reply-To: 1058991539.971642@master.nyc.kbcfp.com

Hyman Rosen wrote:

>> As I said, this was not arbitrary behavior, it was required behavior.
> 
> 
> *What* was required behavior? You have a piece of code that says
>     integer_BH = convert(float_BH)
> The analysis and specification of the Ariane 4 gave a physical
> upper limit to float_BH, and the code was written in the "don't
> care" way - if for some reason float_BH does exceed the limit,
> let the code go ahead and do whatever the consequences of
> violating that limit imply. If float_BH is larger than the limit
> but smaller than the overflow value, the code keeps going,
> possibly failing at a later point or possibly not causing any
> harm. If float_BH is larger than the overflow value, the
> machine generates an operand fault.

No, if the value to be assigned to BH is out of range (presumed to 
happen with the rocket on the ground), shut down THIS SRI and report the 
(presumed hardware) error and diagnostics via the only channel the SRI 
has for talking to the main computer. Remember this software ran for 
hours before launch and a few seconds after, and bad alignment data, for 
whatever reason, if detected before launch will have the effect of 
delaying the launch while the system engineers look at that diagnostic 
information to find out where the problem is.

This must be what is confusing you.  There are hundreds of opportunities 
for the SRI to detect hardware failures, loose wires, or whatever before 
launch.  The special circumstances here were that this piece of 
"pre-launch" software ran for about 40 seconds after launch.  For the 
Ariane 5, that was 40 seconds too long, and for Ariane 501, a 30 or 35 
second limit would have averted the disaster--but the right limit was 
zero seconds.  On Ariane 4 there were several times where this behavior 
(shutting down and supplying diagnostics) prevented launching with bad 
hardware, and one time where the feature of running after main engine 
ignition was needed.

Detecting hardware faults before launch is not "don't care", it is very 
important.  I won't go into the calculations, but reducing the time 
between when all hardware is "known good" and the time it is used 
increases the probability of a successful launch from microscopic to 
over 90%.  All that hardware testing and checking just before launch is 
important.

> There's nothing wrong with having code like that if the
> situation warrants it, which was the case in Ariane 4, where
> they were trying to save the machine cycles that a limit
> check would have cost. It's just that this kind of code is
> brittle, so these dependencies on the state of external
> data need to be made very clear, otherwise future reuse
> attempts will stumble.

That whole discussion of "protecting" the value of BH is really a red 
herring in the Ariane 5 case.  In the Ariane 4, if they had put in the 
"protection" what it would have done was to check whether or not this 
was a "critical" failure.  Guess what?  The answer was yes.  If one of 
the computers has faulty accelerometer or gyro data?  Shift to the 
backup.  If both computers have bad input data that early in the flight? 
  The conclusion would be that the mission will fail.  Late in the boost 
phase, the SRI might try to do "dead reckoning" for the last few seconds 
of burn.

But you have to understand this part of the discussion of the seven 
unprotected conversions of which four were changed to protected.  The 
point is not "oops we missed this one."  It is that very careful 
consideration was given by reviews at several levels in the context of 
the Ariane 4, and the conclusion was that for this failure, this was the 
right answer.  It wasn't accidental, or "don't care."  It was if you see 
this value something is bad wrong, and maybe it can be figured out from 
a data dump.

Obviously if the same engineers had the Ariane 5 trajectory data, they 
WOULD have reached a different conclusion:

exception
   when others => if Ariane_Model = 4 then raise; else null; end if;

or more likely to ensure that the alignment software shut down at T=+40 
on the Ariane 4, and at T=0, or maybe even T=-3 on the Ariane 5.

-- 

                                                        Robert I. Eachus

"In an ally, considerations of house, clan, planet, race are 
insignificant beside two prime questions, which are: 1. Can he shoot? 2. 
Will he aim at your enemy?" -- from the Liaden novels by Sharon Lee and 
Steve Miller.
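
Added example, not part of the original message and not Ariane flight code: a small Ada program contrasting the unprotected conversion discussed above (an out-of-range operand raises an exception) with a protected one, and a handler whose response depends on the flight phase. The type BH_Int, its 16-bit range, the Phase type and the phase-based policy are assumptions made for illustration.

```ada
--  Added illustration only: not flight code. Names, the 16-bit range and
--  the phase-based policy are assumptions made for this example.
with Ada.Text_IO; use Ada.Text_IO;

procedure Conversion_Policy is

   type BH_Int is range -32_768 .. 32_767;
   type Phase is (Pre_Launch, In_Flight);

   --  Unprotected: an out-of-range operand raises Constraint_Error
   --  (assuming run-time checks are not suppressed).
   function Unprotected (X : Long_Float) return BH_Int is
   begin
      return BH_Int (X);
   end Unprotected;

   --  Protected: clamp to the target range before converting.
   function Protected (X : Long_Float) return BH_Int is
   begin
      if X >= Long_Float (BH_Int'Last) then
         return BH_Int'Last;
      elsif X <= Long_Float (BH_Int'First) then
         return BH_Int'First;
      else
         return BH_Int (X);
      end if;
   end Protected;

   procedure Align (X : Long_Float; Now : Phase) is
      BH : BH_Int;
   begin
      BH := Unprotected (X);
      Put_Line (Phase'Image (Now) & ": BH =" & BH_Int'Image (BH));
   exception
      when Constraint_Error =>
         if Now = Pre_Launch then
            --  On the pad: treat as a fault, report it, hold the launch.
            Put_Line ("PRE_LAUNCH: BH out of range, report and hold");
         else
            --  In flight (assumed policy): do not shut the unit down.
            Put_Line ("IN_FLIGHT: BH out of range, clamped to"
                      & BH_Int'Image (Protected (X)));
         end if;
   end Align;

begin
   Align (1_200.0, Pre_Launch);   --  in range
   Align (64_000.0, Pre_Launch);  --  fault detected on the ground
   Align (64_000.0, In_Flight);   --  same value after liftoff
end Conversion_Policy;
```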



