From: Martin@nezumi.demon.co.uk (Martin Tom Brown)
Subject: Re: Papers on the Ariane-5 crash and Design by Contract
Date: 1997/03/20
Message-ID: <858850191snz@nezumi.demon.co.uk>
References: <332B5495.167EB0E7@eiffel.com> <33308C91.40CC@lmtas.lmco.com>
Organization: Nezumi
Reply-To: Martin@nezumi.demon.co.uk
Newsgroups: comp.lang.eiffel,comp.object,comp.software-eng,comp.programming.threads,comp.lang.ada

In article <33308C91.40CC@lmtas.lmco.com> GarlingtonKE@lmtas.lmco.com "Ken Garlington" writes:

> Ulrich Windl wrote:
> >
> > The modules computing course correction data both failed due to
> > problems mentioned (violating the specs for that code); they shut
> > themselves down. But to me the main issue is that the module that
> > received the course correction data did not detect that both computing
> > modules failed and that the data was just a "test pattern" to indicate
> > that event. Probably a better reaction would have been to stop making
> > further corrections instead of driving the engine to its borders.
>
> This is the same as saying: "If the driver of an automobile has a heart
> attack and dies, the steering system should ignore further inputs and
> lock the wheels in the last 'good' position." It doesn't work with
> automobiles, and it doesn't work with missiles, either.

Whilst I am generally in agreement, it isn't usually beyond the wit of man
to design in a relatively primitive hardware bias on servo systems so that
they fly top dead centre with no input. Or fly round in small circles or
whatever the design team decide is the least embarrassing failure mode.

At least that way the rocket survives for long enough that humans can
decide kill or cure. The deadman's handle on a train springs to mind as an
example of this sort of approach. Even so failures can still occur :(

> The flight control system must
> receive valid sensor data to maintain control of the aircraft. There is
> generally no reasonable 'fail-safe' value for a feedback system like
> this!

Although the component module that failed was not producing useful course
correction data at the time, its diagnostic output was quite sufficient to
wreck the flight control system.

Regards,
--
Martin Brown                        __          CIS: 71651,470
Scientific Software Consultancy    /^,,)__/
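The two failure-handling positions in this exchange (a consumer that takes a failed unit's diagnostic word as a command, versus one that checks validity and falls back to a neutral bias once valid input stops, the "deadman's handle" idea) can be shown side by side in a small simulation. The following is a constructed toy model added here for illustration; it is not part of the original post and does not reproduce the Ariane-5 software or message formats. The message layout, the status words, the 0x7FFF test pattern, the scale factor and the three-frame watchdog threshold are all assumptions made for the example.

```python
"""Toy model of the failure mode discussed in the thread.

A course-correction producer shuts itself down and publishes a diagnostic
"test pattern"; a flight-control consumer either uses that word as if it were
a command (the behaviour the post describes) or checks a status flag first and
falls back to a neutral bias once valid input stops arriving (the deadman's
handle / "fly top dead centre with no input" idea).

Everything here (message layout, status words, the 0x7FFF pattern, the scale
factor, the watchdog threshold) is constructed for illustration; it is not
the Ariane-5 protocol.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    status: str   # "OK" or "FAILED" (constructed status word)
    payload: int  # 16-bit word: a deflection when OK, a diagnostic pattern when FAILED


DIAGNOSTIC_PATTERN = 0x7FFF            # constructed test pattern a failed unit emits
MAX_DEFLECTION_DEG = 10.0              # assumed full-scale actuator deflection
SCALE = MAX_DEFLECTION_DEG / 0x7FFF    # assumed linear mapping from raw word to degrees


def producer(healthy: bool, deflection_deg: float) -> Message:
    """Course-correction module: encodes a deflection while healthy; after shutting
    itself down it publishes only the diagnostic pattern, flagged FAILED."""
    if healthy:
        return Message("OK", int(deflection_deg / SCALE))
    return Message("FAILED", DIAGNOSTIC_PATTERN)


def naive_consumer(msg: Message) -> float:
    """Consumer that never looks at the status word: the diagnostic pattern decodes
    as a full-scale deflection, i.e. the engine is driven to its limits."""
    return msg.payload * SCALE


@dataclass
class CheckedConsumer:
    """Consumer that validates each frame and applies a deadman-style fallback.

    A frame is valid when its status is OK and the decoded value lies inside the
    actuator range. After `max_missed` consecutive invalid (or missing) frames the
    consumer stops applying corrections and commands the neutral position rather
    than holding the last value indefinitely."""
    max_missed: int = 3
    missed: int = 0
    last_good_deg: float = 0.0

    def command(self, msg: Optional[Message]) -> float:
        if msg is not None and msg.status == "OK":
            value = msg.payload * SCALE
            if abs(value) <= MAX_DEFLECTION_DEG:
                self.missed = 0
                self.last_good_deg = value
                return value
        self.missed += 1
        if self.missed >= self.max_missed:
            return 0.0                  # neutral bias: no further corrections
        return self.last_good_deg       # brief hold while the watchdog counts down


def run_scenario() -> Tuple[List[float], List[float]]:
    """One healthy frame followed by four frames from a failed producer.
    Returns the commanded deflections (degrees, rounded) for both consumers."""
    frames = [producer(True, 2.0)] + [producer(False, 0.0)] * 4
    naive = [round(naive_consumer(f), 3) for f in frames]
    checked_consumer = CheckedConsumer()
    checked = [round(checked_consumer.command(f), 3) for f in frames]
    return naive, checked


if __name__ == "__main__":
    naive, checked = run_scenario()
    print("naive  :", naive)    # [2.0, 10.0, 10.0, 10.0, 10.0]
    print("checked:", checked)  # [2.0, 2.0, 2.0, 0.0, 0.0]
```

The naive consumer is the situation Windl and Brown describe: the diagnostic word is numerically a valid-looking deflection, so nothing in the data path distinguishes it from a command. The checked consumer does not claim a universally safe value exists (Garlington's point); it only requires that a status check sit between the producer and the actuator, and that a bounded hold give way to a designed-in neutral bias so the vehicle survives long enough for someone to decide.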