From: nigel@access1.digex.net (Nigel Tzeng)
Subject: Re: Ariane 5 - not an exception?
Date: 1996/07/31
Message-ID: <4toidc$lam@access1.digex.net>#1/1
references: <4t9vdg$jfb@goanna.cs.rmit.edu.au> <31FE35BC.1A0D@sanders.lockheed.com> <838805582snz@nezumi.demon.co.uk>
organization: Express Access Online Communications, Greenbelt, MD USA
newsgroups: comp.software-eng,comp.lang.ada,comp.lang.pl1

In article <838805582snz@nezumi.demon.co.uk>,
Martin Tom Brown wrote:
>In article <31FE35BC.1A0D@sanders.lockheed.com>
> smoneill@sanders.lockheed.com "Steve O'Neill" writes:

[snip]

>It goes further back than that - the requirement specifications were
>seriously at fault and incomplete. It was *not* a stated requirement
>that the unit would function correctly on the Ariane 5 trajectory.

Well, it also states that had adequate simulations been done the fault
would have been detected fairly early in the sims. The biggest flaw in
their simulation testing was not actually using flight s/w and hardware
during the testing (well, at least using the Engineering Test Units for
simulation).

Many compounding errors were required to create this problem.

[snip]

>This was what surprised me - coming from an environment (not safety critical)
>where continued function even if degraded is preferred to hard shutdown.
>It seems unduly perverse to guarantee total system failure once an
>untrapped exception occurs. Is it really safer to blow the thing out of
>the sky than inject its payload into an inaccurate orbit?
>After all the hardware failsafe *will* destroy it automatically
>if the trajectory deviates sufficiently - as happened when the IRS
>started feeding the navigation computer diagnostic bit patterns as data.

Well, that surprised me a little. Granted that their facilities are in
the middle of nowhere I still would have expected that range safety would
have destroyed the vehicle given the description of the attitude deviation
(20 degree AOA...that must have been interesting) rather than having the
breakup of the vehicle initiate the destructs...then again it happened
only 4 seconds after the nozzles were commanded to extreme positions.

Anyone know off the cuff what the ER or WR would have done in this case?
I'm assuming that they can see the relevant telemetry...at least the LCC
I'm working on has requirements that they can but I'm new to the launch
vehicle world.

[snip]

>Regards,
>--
>Martin Brown __ CIS: 71651,470
>Scientific Software Consultancy /^,,)__/

Nigel