From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=5.0 tests=BAYES_00,INVALID_MSGID,
	REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,5ac12f5a60b1bfe
X-Google-Attributes: gid103376,public
X-Google-Thread: f43e6,5ac12f5a60b1bfe
X-Google-Attributes: gidf43e6,public
X-Google-Thread: 101deb,f96f757d5586710a
X-Google-Attributes: gid101deb,public
From: Martin Tom Brown <Martin@nezumi.demon.co.uk>
Subject: Re: Ariane 5 - not an exception?
Date: 1996/08/07
Message-ID: <839455168snz@nezumi.demon.co.uk>#1/1
X-Deja-AN: 172905307
distribution: world
x-nntp-posting-host: nezumi.demon.co.uk
references: <Dv45EJ.8r@fsa.bris.ac.uk> <4t9vdg$jfb@goanna.cs.rmit.edu.au>
 <31FE35BC.1A0D@sanders.lockheed.com> <4totv7$o9f@goanna.cs.rmit.edu.au>
 <32065615.77C7@sanders.lockheed.com> <4u7fdm$e6m@morgan.vf.lmco.com>
x-mail2news-path: nezumi.demon.co.uk
organization: Nezumi
reply-to: Martin@nezumi.demon.co.uk
newsgroups: comp.software-eng,comp.lang.ada,comp.lang.pl1
Date: 1996-08-07T00:00:00+00:00
List-Id: <comp.lang.ada>


In article <4u7fdm$e6m@morgan.vf.lmco.com>
           g1006@fs1.mar.lmco.com "Francis Lipski" writes:

>   If all conversions and other possible overflow conditions are protected,
> and then an overflow occurs, what action should be taken?  

The most obvious choice is drop back to a simple, but not necessarily
accurate primitive hardware backup system like levers and gyroscopes.
I have much more faith in the ability of mechanical and electronics
engineers to tolerance their designs for adverse conditions. When my
neck is on the line I like to see physical hardware interlocks in place.

> The system has just had a random hardware failure.  
> Continue to operate with known bad hardware?  

This decision is a hard one, but when the choice is between self-destruct 
now or flag the problem and press on and pray. I know which I'd chose.
It also depends to a large extent on the damage which could occur
if failure is delayed vs the cost to abort the mission.

> In the case of an overflow, set to max value, continue and 
> hope for the best?  

Not ideal, but neither was sending random diagnostic test data 
to the trajectory computation masquerading as IRS data packets.
With hindsight (a wonderful commodity, but in short supply)
we now know that ignoring the overflow would have been OK.

Regards,
-- 
Martin Brown  <martin@nezumi.demon.co.uk>     __                CIS: 71651,470
Scientific Software Consultancy             /^,,)__/