On Thu, 26 May 2005, Wouter van Ooijen wrote:

>> Among other things, we included lots of sanity checks internally so
>> that any inconsistency found, no matter how small, would lock the
>> instrument up and display an error code with a message to call me and
>> tell me exactly what this said, so that I could trace this to a specific
>> line of code. Those mostly served to show us the mistakes before we
>> ever shipped the first instrument. But they also allowed me to
>> precisely diagnose and correct an error found by a customer thousands
>> of miles away.
>
> Good practice indeed, but how do you apply that to a space shuttle in
> descent? For one thing, AFAIK a cell phone does not work at the critical
> moments :(

I certainly wouldn't claim that what we did solved every problem. But most of the things we did appeared to limit putting in errors in the first place and to make them very visible during development, so that they were caught and fixed before being delivered to the field.

I had even more extreme ideas on paper. One simple one was that most programming languages don't really provide an environment where dimensions and units of measure are supported. I had described a language where that might have caught the errors that resulted in the failures of the European satellite launch and the Mars lander.

I thought it was fortunate that we had nothing to do with medical or life-sustaining equipment or weapons systems or industrial systems that presented the opportunities for disasters on a really grand scale.

I was later interviewed for a job by a company working on drug infusion equipment. When I asked them how they ensured that their product would have no failures, they proudly announced that they used fault trees. I then asked if they had seen the recent local presentation by a very qualified individual flown over from England to show that fault trees don't appear to be the answer. He explained that every major disaster, Three Mile, Brown's Ferry, the Apollo fire, Bhopal, Chernobyl, etc. had all had a careful analysis and complete fault tree constructed, and that all the fault trees seemed to guarantee was that the failure would be outside what you had thought of. They said they hadn't attended that. We discussed what I had helped do to drive down error rates. They decided I wasn't the person for their job.

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
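The post above argues for a language that carries dimensions and units of measure with every value. The following is an added illustration, not code from the thread or its author: a small run-time units type in Python in which each quantity is stored in SI base units and tagged with its dimension exponents, so a pound-force-second value converted at the boundary adds correctly to a newton-second value, while mixing incompatible dimensions or a bare, untagged number fails loudly at the point of use. The helper names, the `(length, mass, time)` exponent tuple and the constructed sample values are assumptions of this example.

```python
from dataclasses import dataclass

# Dimension exponents as a tuple (length, mass, time); e.g. impulse is kg·m/s.
Dim = tuple[int, int, int]
IMPULSE: Dim = (1, 1, -1)

# One pound-force second expressed in newton seconds (0.45359237 kg × 9.80665 m/s²).
LBF_S_IN_N_S = 4.4482216152605


class DimensionError(TypeError):
    """Raised when an operation mixes incompatible dimensions or an untagged number."""


@dataclass(frozen=True)
class Quantity:
    si: float   # magnitude in SI base units
    dim: Dim    # dimension exponents

    def _compatible(self, other: object) -> "Quantity":
        if not isinstance(other, Quantity):
            raise DimensionError("bare number mixed with a dimensioned quantity")
        if other.dim != self.dim:
            raise DimensionError(f"dimension mismatch: {self.dim} vs {other.dim}")
        return other

    def __add__(self, other: object) -> "Quantity":
        return Quantity(self.si + self._compatible(other).si, self.dim)

    def __mul__(self, other: object) -> "Quantity":
        if isinstance(other, Quantity):   # dimensions add under multiplication
            return Quantity(self.si * other.si,
                            tuple(a + b for a, b in zip(self.dim, other.dim)))
        return Quantity(self.si * float(other), self.dim)


# Unit conversion happens only in these boundary constructors (assumed names).
def newton_seconds(x: float) -> Quantity:
    return Quantity(x, IMPULSE)

def pound_force_seconds(x: float) -> Quantity:
    return Quantity(x * LBF_S_IN_N_S, IMPULSE)

def total_impulse_ns(*parts: Quantity) -> float:
    """Sum impulses from any source unit; the result is always in N·s."""
    total = Quantity(0.0, IMPULSE)
    for p in parts:
        total = total + p          # raises if a part is not an impulse
    return total.si

def rejects(a: Quantity, b: object) -> bool:
    """True if adding b to a is refused by the dimension check."""
    try:
        a + b
        return False
    except DimensionError:
        return True
```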