comp.lang.ada
From: "Ken Garlington" <Ken.Garlington@computer.org>
Subject: Re: Interresting thread in comp.lang.eiffel
Date: 2000/07/19
Message-ID: <g_qd5.11442$zW2.231750@news.flash.net>
In-Reply-To: 8l4u3s$3nvvm$1@ID-9852.news.cis.dfn.de


"Joachim Durchholz" <joachim dot durchholz@halstenbach.com> wrote in message
news:8l4u3s$3nvvm$1@ID-9852.news.cis.dfn.de...
> Ken Garlington <Ken.Garlington@computer.org> wrote:
> > See, you're already in trouble. Horizontal bias is not a "physical
> > parameter", in this case. It's an _output_ of the SRI, derived from
> > physical measurements of the environment, not an input.
>
> Arrrgh... do you *ever* read what I say elsewhere, or do I have to
> reiterate the *full* reasoning whenever I deal with you?
>
> I assume that the horizontal bias is a physical property, measured by
> the IRS and returned by the IRS.

Arrrgh... again, you assume wrong. Horizontal bias is not a "physical
property", in this case. It's an _output_ of the SRI, *derived* from
physical measurements of the environment, not an input. It's related to the
inputs measured by the IRS (as are most outputs), but it's not a "physical
property" like (for example) roll rate.

> In that case, the IRS has a contract that relates physical bias and
> measured bias. (If the IRS has just paper specifications, it's easy
> enough to translate them to contracts.)

Unfortunately, it's not necessarily a simple relationship between the system
inputs and outputs such as horizontal bias, so it's unlikely that a simple
contract could be written in the form you want. It's usually a complex
series of calculations, lookups to correction tables, etc.

More to the point, the *abstract* relationship between the inputs and the
output (horizontal bias) *prior to scaling* was not violated in the Ariane
5.

The relationship between the values achievable for horizontal bias (produced
by the abstract relationship between inputs and outputs), and those that
could be accepted for conversion (scaling) prior to transmission on the
output communications bus, *was* violated.

> The general flight control software somewhere, in some way, retrieves
> the measured bias from the IRS. Or the IRS spontaneously sends its data,
> then there's an interrupt routine that will receive that data. In any
> case, there is some software that uses this data; and the programmer of
> that line will very likely see the contract.

Actually, it's reasonably unlikely that the OBC (general flight control
software) programmer would see the IRS source code. Of the various flight
control programs I'm familiar with (F-16, F-111, A-12, F-22, JSF, T-50),
I've never seen a FLCS programmer ask for IRS source code. I have looked at
IRS (and FLCS) source code as part of other activities (IIV&V, etc.) but
never as part of software programming.

What the OBC programmer would likely have been given is an Interface Control
Document (a.k.a. Interface Requirements Specification, Interface Design
Document, etc.). This document would describe the messages on the
communications bus -- the senders, receivers, etc. For the IRS, he would
likely have been given a description that says (roughly):

"The horizontal bias parameter is a scaled value in the range -32768 ..
32767 (one bus word). -32768 is mapped to -5.0, and 32767 is mapped to 3.0."

He would then write a routine to take the integer value and "un-scale" it
appropriately. As mentioned previously, this definition guarantees that you
will never get an out-of-range value (say, 3.5), since there's no way to put
a value greater than 32767 (or less than -32768) in a 16-bit quantity.
However, this approach also makes it useless to do traditional range-based
contracts.

However, let's say for the sake of argument that the OBC programmer looked
at the IRS source code. What would he have seen in the output routine? A
contract that would have said: "require horizontal_bias_prescaled >= -5.0
and horizontal_bias_prescaled <= 3.0". He would have said, "Yep, that's what
my interface document says: the value will represent the range -5.0 .. 3.0,
before it's scaled." The fact that the IRS -- *prior* to the output
routine -- was capable of generating a value outside the range would
probably be overlooked by the OBC programmer, since he doesn't have enough
of a background to know how the IRS computes horizontal bias.

> He will also enter this
> contract into the contract of the software that he, in turn, is writing,
> so the contract will percolate up the software layers, until it is seen
> by somebody at a high level who *also* knows the Ariane-5 trajectories.

Well, we'll have to agree to disagree on this point. I've given specific
examples in my paper and elsewhere as to why this is untrue -- the
aeronautical engineers and managers at the prime would likely neither want
to examine a vendor's source code, nor have the resources to do so if they
did want to. I've never heard a counter-argument advanced for why your
assumption should be considered valid for a project like Ariane 5.

> *If* that high-level programmer looks at the details of these contracts,
> *then* the problem would have been detected.

You seem to believe that these projects are staffed homogeneously by
programmers. I obviously can't convince you that there is a world outside of
software engineering on projects such as Ariane 5, so we'll just have to
agree to disagree on this presumption as well. (Said more explicitly - the
guy you describe ain't there.)

But let's go with your thesis that he exists. He looks at the IRS side, and
sees a contract that maps -3.0 to -32768 and 5.0 to 32767. He looks at the
OBC side, and sees a contract that maps -32768 to -3.0 and 32767 to 5.0.
What problem has he just detected? I must not be a sufficiently "high-level"
(acolyte?) programmer, because it looks OK to me!

Again, he would have to have three things to detect the problem by analysis:

(1) The actual flight profile
(2) An understanding of the (non-trivial) relationship between the profile
and a value like horizontal bias
(3) An understanding of the (much simpler) relationship between the
calculated (floating-point) value for horizontal bias and the value expected
by the scaling routine.

As you saw when you looked at the YF-22 profile, #2 is a toughie for
someone who's not an expert in the particular domain of interest (inertial
measurements). However, if he's an expert, he's probably not also a
"high-level programmer" looking at the IRS, OBC, propulsion system...

On the other hand, you don't necessarily have to have #2 or #3 (or at least,
not a deep understanding of them) if you feed the values from #1 into the
actual IRS. At least with respect to detecting gross failures of the type in
Ariane 5, *testing* the unit (as opposed to analyzing the unit) can be
simpler. I know several projects where these sorts of integrated system tests
are done successfully without any detailed examination of the source by the
test team. In test theory, these are called "black box" tests, and they can
be quite powerful, particularly for detecting these sorts of
integration-class faults. They are particularly effective when supplemented
by "white-box" analyses and tests that look for internal *inconsistencies*.
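
Added example (not part of Ken Garlington's post, and not IRS or OBC code): a Python sketch of the argument above, using the -5.0 .. 3.0 to one-bus-word mapping quoted from the interface document. It shows that comparing the two interface contracts finds nothing, while feeding a profile through the unit trips the scaling precondition. `compute_horizontal_bias`, its gain, and both profiles are constructed stand-ins for the real (complex) calculation and flight data.

```python
WORD_MIN, WORD_MAX = -32768, 32767   # one 16-bit bus word
ENG_MIN, ENG_MAX = -5.0, 3.0         # range quoted from the interface document


class ContractViolation(Exception):
    """Raised when a routine's precondition does not hold."""


def scale(bias):
    """IRS output routine: prescaled engineering value -> bus word."""
    # Precondition from the post: -5.0 <= horizontal_bias_prescaled <= 3.0
    if not (ENG_MIN <= bias <= ENG_MAX):
        raise ContractViolation(f"prescaled bias {bias} outside {ENG_MIN}..{ENG_MAX}")
    frac = (bias - ENG_MIN) / (ENG_MAX - ENG_MIN)
    return WORD_MIN + round(frac * (WORD_MAX - WORD_MIN))


def unscale(word):
    """OBC input routine: bus word -> engineering value."""
    if not (WORD_MIN <= word <= WORD_MAX):
        raise ContractViolation(f"{word} does not fit in one bus word")
    frac = (word - WORD_MIN) / (WORD_MAX - WORD_MIN)
    return ENG_MIN + frac * (ENG_MAX - ENG_MIN)


def interface_review_finds_problem():
    """Check only the two interface contracts against each other."""
    ends_ok = unscale(WORD_MIN) == ENG_MIN and unscale(WORD_MAX) == ENG_MAX
    round_trip_ok = all(scale(unscale(w)) == w
                        for w in range(WORD_MIN, WORD_MAX + 1))
    return not (ends_ok and round_trip_ok)


def compute_horizontal_bias(horizontal_velocity):
    """Hypothetical stand-in for the IRS calculation upstream of scale()."""
    return 0.004 * horizontal_velocity   # constructed gain, not a real value


def black_box_run(profile):
    """Feed (time, velocity) samples through the unit.

    Returns the time of the first sample that violates the scaling
    precondition, or None if the whole profile passes.
    """
    for t, velocity in profile:
        try:
            scale(compute_horizontal_bias(velocity))
        except ContractViolation:
            return t
    return None


# Constructed profiles: (seconds, horizontal velocity in m/s).
PROFILE_A = [(0, 0.0), (10, 150.0), (20, 300.0), (30, 450.0), (40, 600.0)]
PROFILE_B = [(0, 0.0), (10, 250.0), (20, 500.0), (30, 800.0), (40, 1000.0)]

if __name__ == "__main__":
    print("interface review finds a problem:", interface_review_finds_problem())
    print("profile A first failure:", black_box_run(PROFILE_A))
    print("profile B first failure:", black_box_run(PROFILE_B))
```

The interface review passes for every possible bus word, so the fault is only visible once a profile is run through the calculation that feeds `scale`.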





