From: rkaiser@dimensional.com (Richard Kaiser)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/20
Message-ID: <5gripj$4hk$1@quasar.dimensional.com>
References: <332B5495.167EB0E7@eiffel.com> <33308C91.40CC@lmtas.lmco.com>
Organization: Dimensional Communications
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada

In article <33308C91.40CC@lmtas.lmco.com>, Ken Garlington <332D113B.4A64@calfp.co.uk> <332DA14C.41C67EA6@eiffel.com> wrote:

>Ulrich Windl wrote:
>>
>> The modules computing course correction data both failed due to problems
>> mentioned (violating the specs for that code); they shut themselves down.
>> But to me the main issue is that the module that received the course
>> correction data did not detect that both computing modules failed and
>> that the data was just a "test pattern" to indicate that event. Probably
>> a better reaction would have been to stop making further corrections
>> instead of driving the engine to its borders.
>
>This is the same as saying: "If the driver of an automobile has a heart
>attack and dies, the steering system should ignore further inputs and
>lock the wheels in the last 'good' position." It doesn't work with
>automobiles, and it doesn't work with missiles, either. The flight control
>system must receive valid sensor data to maintain control of the aircraft.
>There is generally no reasonable 'fail-safe' value for a feedback system
>like this!

Data validity bits have been included in data messages for years. I used
them in aircraft interfaces where one or more boxes could fail and the
system still had to function. The error message dumped by the navigation
subsystem should not have been interpretable as data. Now this may not
have helped to guide the vehicle in this situation.

Richard Kaiser
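The validity-bit scheme Kaiser describes, as an added example that is not part of the original post or of any Ariane-5 or aircraft software: a constructed three-byte message whose status byte says whether the payload is measurement data or a diagnostic code, beside a naive consumer that reads the payload regardless and a checked consumer that refuses to treat a diagnostic pattern as data. The message layout, bit assignments, function names and sample values are all assumptions made for this example.

```python
"""Added example: a data message with an explicit validity/status byte.

Everything here (layout, names, sample values) is constructed for the
example; it is not code from the original post or from any flight
software. The point is the decoding rule: a consumer must check the
status field before it treats the payload as a measurement.
"""
import struct

# Constructed 3-byte message: status byte, then a signed 16-bit payload.
# bit 0 of status = payload is valid measurement data
# bit 1 of status = payload is a diagnostic/error code (a "test pattern")
STATUS_VALID = 0x01
STATUS_DIAG = 0x02
_FMT = ">Bh"


def encode_measurement(value: int) -> bytes:
    """Producer is healthy: mark the payload as valid data."""
    return struct.pack(_FMT, STATUS_VALID, value)


def encode_diagnostic(code: int) -> bytes:
    """Producer has shut itself down: payload carries an error code, not data."""
    return struct.pack(_FMT, STATUS_DIAG, code)


def naive_correction(msg: bytes) -> int:
    """Consumer that ignores the status byte and reads whatever is in the
    payload as a correction. A diagnostic code is then applied as if it
    were a (usually huge) measurement."""
    _, payload = struct.unpack(_FMT, msg)
    return payload


def checked_correction(msg: bytes):
    """Consumer that honours the status byte: returns the correction only
    when the producer marked it valid, otherwise None."""
    status, payload = struct.unpack(_FMT, msg)
    if status & STATUS_DIAG or not status & STATUS_VALID:
        return None
    return payload


def process_stream(msgs):
    """Run the checked consumer over a sequence of messages and report what
    was applied and how many producer failures were detected. What the
    controller should do on a failure is a separate design question (the
    thread above argues there is no generic fail-safe value); this only
    makes the failure visible instead of silently consuming the pattern."""
    applied = []
    failures = 0
    for msg in msgs:
        value = checked_correction(msg)
        if value is None:
            failures += 1
        else:
            applied.append(value)
    return {"applied": applied, "failures": failures}


if __name__ == "__main__":
    # Constructed sample stream: two healthy messages, then the producer
    # shuts down and emits a diagnostic pattern whose bytes look like 32767.
    stream = [encode_measurement(3), encode_measurement(-12),
              encode_diagnostic(0x7FFF)]
    print([naive_correction(m) for m in stream])  # [3, -12, 32767]
    print(process_stream(stream))  # {'applied': [3, -12], 'failures': 1}
```

The naive consumer shows the failure mode the thread is about: once the producer's error pattern shares a channel with real data, nothing downstream can tell them apart. The status byte is out-of-band with respect to the payload, so the checked consumer can separate "the box failed" from "the box measured 32767" and hand that distinction to whatever recovery policy the system designer chooses.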