V-22 Osprey and exception handling

["Ken Garlington" <Ken.Garlington@computer.org>]

I haven't seen the full JAGMAN report handed out at the Marine Corps
briefing on the latest V-22 Osprey crash (and if anyone has a link, please
let me know!). However, from what was said at the Marine Corps press
briefing a few days ago, it looks like we may have a no-kidding, post-test,
primary flight control software bug that led to a fatality. This breaks a
pretty impressive string of successes by the industry, IMO. I hope it's an
aberration, and not a foreshadowing of problems we're going to have in our
increasingly-complex implementations.

Speculating further, it looks like this may be another example of what
concerns me about the use of exception handling mechanisms in
safety-critical software: being able to accurately react to the failure
condition. Ariane 5 essentially shut down processing (bad idea, as it turned
out). V-22 did a system reset (pilot commanded, but it could have just as
easily been in response to an exception) and apparently introduced an
unexpected pitch transient. Such transients are always a danger when a
feedback system "starts over," and I know other fly-by-wire aircraft that
can give you a little "bump" in pitch after pushing the FLCS reset under
certain conditions.

If you're interested, a transcript of the press briefing is at

http://www.defenselink.mil/news/Apr2001/t04052001_t405mv22.html