Newsgroups: comp.lang.ada
Subject: Re: V-22 Osprey and exception handling
Date: Sat, 7 Apr 2001 20:39:16 -0500

After reviewing the briefing slide on the primary flight control system (FCS) software anomaly (http://www.defenselink.mil/news/Apr2001/010405-D-6570C-003.jpg), I have a couple of comments I would like to share on this subject:

1. In reviewing the information on the slide, I personally would disagree that this was a "software" anomaly. I strongly suspect that the software operated exactly as the system requirement specified. In other words, the FCS software implemented the specified system-level design correctly. The root cause was most likely that the FCS requirements were incorrect and did not correctly accommodate the hydraulics system first failure.

2. The use of the term "reset" may be a little misleading to some people. In most fly-by-wire flight control systems, the reset button (if it even exists) does not do a "hard reset" such as the CTRL-ALT-DEL sequence on a PC. Rather, the reset signal is an input fed into various parts of the software to reset latched failures in the signal management voters/monitors and to reset the control laws to some predetermined condition.

3. In most systems, the occurrence of such failures is accommodated by the FCS design and does not constitute what I would consider to be the appropriate use of Ada's exception handling mechanism. (In the design of a typical FCS system, most of the effort is spent addressing the common "bad day" scenarios in which there are one or more failures in the system.) Normally, I use exception handling for conditions that should "never" happen, like maybe a floating point overflow. In an FCS, the accommodation of a hydraulic failure does not fall into that category.

4. I would probably disagree with your comment "this breaks a pretty impressive string of successes by the industry". Over the last ten years or so, there have been a fair number of incidents which were the direct result of errors in the system-level design of an air vehicle's flight control system. The ones that come immediately to mind include the crash of the YF-22 prototype in 1992, the crash of the JAS-39 Gripen on flight 6 in 1989, the crash of a second JAS-39 at an air show in 1993 and the crash of the DarkStar unmanned aerial vehicle (UAV) on flight 2 in 1996.

As a final note, I should probably state that while I have 15+ years in software development of fly-by-wire flight control systems for military aircraft, I am not directly involved in the V-22 program.
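The distinction drawn in points 2 and 3, as an added illustration that is not the poster's code: a hypothetical triplex signal voter latches a miscomparing channel as an expected "bad day" case, the reset input clears the latched flags, and only an arithmetic fault that should never occur reaches an exception handler. The type names, tolerance and sample readings are constructed for the example.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Triplex_Voter is
   type Channel  is range 1 .. 3;
   type Position is digits 6 range -100.0 .. 100.0;   -- hypothetical units
   type Readings is array (Channel) of Position;

   Tolerance : constant Position := 0.5;               -- constructed limit
   Failed    : array (Channel) of Boolean := (others => False); -- latched flags

   -- Mid-value select: the median of the three channel inputs.
   function Mid (A, B, C : Position) return Position is
   begin
      return Position'Max (Position'Min (A, B),
                           Position'Min (Position'Max (A, B), C));
   end Mid;

   -- Voted output for one frame; Reset clears latched failures first.
   -- A miscompare is design-accommodated here, no exception is raised.
   function Vote (R : Readings; Reset : Boolean) return Position is
      Ref : constant Position := Mid (R (1), R (2), R (3));
      Sum : Position'Base := 0.0;   -- base type: no range check on the sum
      N   : Natural := 0;
   begin
      if Reset then
         Failed := (others => False);
      end if;
      for C in Channel loop
         if abs (R (C) - Ref) > Tolerance then
            Failed (C) := True;     -- latch until the reset signal arrives
         end if;
         if not Failed (C) then
            Sum := Sum + R (C);
            N   := N + 1;
         end if;
      end loop;
      if N = 0 then
         return Ref;                -- every channel latched: hold mid value
      end if;
      return Sum / Position'Base (N);
   end Vote;

   Frame1 : constant Readings := (10.0, 10.1, 40.0); -- constructed: ch 3 bad
   Frame2 : constant Readings := (10.2, 10.2, 10.2); -- constructed: ch 3 back
begin
   Put_Line ("Ch 3 latched out :" & Position'Image (Vote (Frame1, False)));
   Put_Line ("Still latched out:" & Position'Image (Vote (Frame2, False)));
   Put_Line ("After reset      :" & Position'Image (Vote (Frame2, True)));
exception
   when Constraint_Error =>        -- the "never happens" case only
      Put_Line ("arithmetic fault in voter");
end Triplex_Voter;
```

The first frame votes to the average of channels 1 and 2, the second frame still excludes channel 3 because the failure is latched, and only the frame with Reset set returns to a three-channel vote.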