From: "Robert I. Eachus"
Newsgroups: comp.lang.ada
Subject: Re: Certified C compilers for safety-critical embedded systems
Date: Sun, 28 Dec 2003 01:08:45 -0500
References: <0ridnTmiEKohZ3Ci4p2dnA@comcast.com>

Alexandre E. Kopilovitch wrote:

> I think that the following posting (of Robert I. Eachus) should be placed in
> an appropriate section of Ada-promoting websites, at least unofficial ones, such
> as AdaPower and AdaWorld - because it is the best explanation of the Ada
> advantages at an essentially popular level I have ever seen. Yes, it may be enhanced
> by correcting typos (I noticed at least one) and by making the explanations
> of the crash cases slightly more detailed (perhaps providing simple pictures)
> - not all readers have pilot experience or at least are regular readers of
> Flying magazine; but even without those enhancements it is a very rare writing,
> which can explain the matter for some people involved in decision processes
> about software - so it should be made easily accessible and referenced.

I'm glad you like it, but as you said, it needs some work. What I realized I left out after I posted it was an explanation of the "Cobra Dance" crashes of F-104s. This involved the same thing that happened in the two go-around crashes. With the F-104 you could get "under the power curve" and more power to the engines increased the AoA in spite of any control inputs from the pilot. The state usually occurred on a landing approach, but no one survived to explain what happened. Finally one pilot realized he was going into a cobra dance and decided to kill all electrical power (including fuel pumps) so that he would have a chance to avoid the fatal fire (no zero-altitude ejection seats back then)--and regained control of the aircraft.

The effect was nowhere near as bad in the A320. But setting the control mode to take-off/go-around spooled up the engines without checking the AoA.

Incidentally, I have no real clue as to whether programming the A320 in Ada would have caught this problem. It would have been much more likely to catch the glide path problem that occurred in the Strasbourg crash. But in a way they were the same problem--cases where maximum limits should have been specified (on rate of descent and AoA).
In Ada, of course, you would tend to ask what the limit on the commanded rate of descent by the autopilot should be when the aircraft was above the glide path on landing--and that would lead to lots of meetings to figure out the answer. In fact, the original "probable cause" for the Strasbourg crash was pilot error. Airbus figured that the aircrew must have set the autopilot descent rate incorrectly. It turned out later that, once the last waypoint was cleared, that setting was ignored.

Hmm. The code was not as bad as that seems to suggest. If the aircraft was in the glide path, but too high, the setting was obeyed. If the aircraft was outside the glide path the limits were ignored. That is probably not a wrong choice--if the aircraft is already in the glide path when you enter the mode. (For example, if flying through a microburst, do you want to limit the potential actions if the plane is being taken entirely out of the glide path? Definitely not on the low side. On the high side, say a sudden headwind? I might prefer abort/go around to precipitous action.)

In the Strasbourg crash the pilot was on approach to one runway, then was directed to land on another. His last set waypoint was fine for the first runway, deadly for the second, and the plane was probably unrecoverable before the crew had a clue that there was a problem. If you need to visualize it, the plane was instructed to approach the runway from the side, then turn into the glide path inside the outer marker. Not a landing pilots like, but better than take-offs where you have to turn immediately. However, when the flight control system started "flying the glide path," it thought it was way too high, off to the side, and on the wrong heading. It tried to fix all three "problems" immediately.

The AoA case is more difficult because the actual AoA is not something where you want the software to crash (or cause an exception) if the AoA is out of reasonable bounds.
However, it is hard to imagine someone familiar with the domain--flight control systems--letting through go-around code that ignored the AoA. The reason it apparently got through shows in the name of the mode: take off/go around. It would not seem strange to ignore the AoA when spooling the engines up to take-off.

Is that what happened? I don't know for sure, and I don't think anyone does. All we have are recollections years afterwards that the formal specifications were very opaque to anyone not familiar with formal logic and programming, and that there were some problems validating the specifications for that reason.

This, incidentally, is one of the reasons why I always say that in Ada, the right approach is not to model the solution space, but to model the problem space. That way the requirements are easy to trace, implement, verify, and if necessary modify, in terms meaningful to domain experts.

-- 
Robert I. Eachus

"The war on terror is a different kind of war, waged capture by capture, cell by cell, and victory by victory. Our security is assured by our perseverance and by our sure belief in the success of liberty." -- George W. Bush
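As an added illustration, not part of Eachus's post and not code from any Airbus system: the kind of problem-space model he describes, written in Ada, where the limit on commanded descent rate and the band of acceptable angle of attack are stated in the types themselves rather than scattered through mode-specific code. The type names, the numeric limits, and the two functions are assumptions chosen for illustration only; the real values are exactly what the "lots of meetings" would have to decide. The example shows the two different treatments the post distinguishes: a descent-rate constraint that raises Constraint_Error the moment it is violated, and an AoA type that covers the whole physical range so a bad reading never raises in the control loop, with the safe band checked by membership before adding power.

```ada
--  Added example, not from the original post.  All type names, limits
--  and function names are hypothetical placeholders for illustration.
with Ada.Text_IO; use Ada.Text_IO;

procedure Flight_Limits is

   --  Problem-space type: vertical speed in feet per minute.  The range
   --  on the subtype is the specification of the autopilot's commanded
   --  descent limit; violating it raises Constraint_Error at the point
   --  of assignment, in any mode, because the check lives in the type.
   type Feet_Per_Minute is range -10_000 .. 10_000;
   subtype Commanded_Descent_Rate is Feet_Per_Minute range -3_300 .. 0;

   --  Angle of attack in degrees.  The full type covers every reading a
   --  sensor could deliver, so an unreasonable value cannot raise an
   --  exception in the control loop; the subtype names the band in
   --  which it is acceptable to spool the engines up.
   type Degrees is digits 6 range -180.0 .. 180.0;
   subtype Safe_AoA is Degrees range -5.0 .. 15.0;

   --  Saturate a requested rate to the specified limit instead of
   --  passing it through.  Returning the constrained subtype means a
   --  caller cannot receive an out-of-limit command from this function.
   function Limit_Descent (Requested : Feet_Per_Minute)
      return Commanded_Descent_Rate is
   begin
      if Requested < Commanded_Descent_Rate'First then
         return Commanded_Descent_Rate'First;
      elsif Requested > Commanded_Descent_Rate'Last then
         return Commanded_Descent_Rate'Last;
      else
         return Requested;
      end if;
   end Limit_Descent;

   --  Go-around power decision that consults the AoA rather than
   --  ignoring it.  Membership in the subtype is a plain Boolean test;
   --  no exception is involved however bad the reading is.
   function Go_Around_Power_Allowed (AoA : Degrees) return Boolean is
   begin
      return AoA in Safe_AoA;
   end Go_Around_Power_Allowed;

   Raw_Request : Feet_Per_Minute := -8_000;   --  constructed input
   Cmd         : Commanded_Descent_Rate;
begin
   --  Clamped path: the request is reduced to the specified limit.
   Cmd := Limit_Descent (Raw_Request);
   Put_Line ("Commanded descent: " & Feet_Per_Minute'Image (Cmd));

   --  AoA check: in-band and out-of-band readings, neither raising.
   Put_Line ("TOGA power allowed at 4.0 deg: " &
             Boolean'Image (Go_Around_Power_Allowed (4.0)));
   Put_Line ("TOGA power allowed at 22.0 deg: " &
             Boolean'Image (Go_Around_Power_Allowed (22.0)));

   --  Unclamped path: assigning the raw request directly to the
   --  constrained subtype fails the subtype check and raises.
   begin
      Cmd := Raw_Request;
   exception
      when Constraint_Error =>
         Put_Line ("Constraint_Error: descent rate outside the specified limit");
   end;
end Flight_Limits;
```

Compiled with GNAT (gnatmake flight_limits.adb), the program prints the clamped command of -3300, True for the 4.0 degree reading, False for 22.0 degrees, and then the Constraint_Error message for the direct assignment. The point of the design is the one the post makes: the descent limit is written once, where a domain expert can read and argue about it, and no individual mode can forget to apply it.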