Re: over-automation with glass cockpits

From:         kls@ohare.Chicago.COM (Karl Swartz)
Organization: Chicago Software Works, Menlo Park, California
Date:         05 Aug 96 04:21:22 
References:   1 2 3 4
Followups:    1 2

Francis Jambon replied to Don Shifris:
>Airbus uses a very clever way (IMO) to solve this. Each (of three) FBW
>computers is made of two computers of different architectures: one with
>a Motorola (68000 maybe), the other one with an Intel (8086 or 8088?).
>The two parts of the computers are made by different teams and, to avoid
>communication between the teams, different manufacturers: Thomson and
>Sextant.

You seem to have entirely missed the point of the article to which you
were replying, the key point of which is contained in the following
sentence from Don's article:

    The problem is that since these people tend to be educated the
    same way, they tend to solve the problem the same way, so it is
    very likely that the same, possibly bad, underlying assumptions
    were used in all solutions.

N.L. Schryer (then of AT&T Bell Laboratories) gave an Invited Talk at
the 1992 Summer Usenix in San Antonio, titled A Case Study in Testing:
Floating-point Arithmetic.  It provided many excellent examples of
cases in which surprisingly different designs exhibited similar modes
of failure.  (This in allegedly well-tested designs, no less!)  For
example, machines as varied as the Apple ][ Plus and the Cyber 205
exhibit Really Bad Precision for some seemingly simple cases.  In
another case, implementing "if (x<y)" as "if ((x-y)<0)" appears to be
innocuous enough, yet without care causes very small numbers that are
close together (but not identical) to be declared equal.  Computers
from the Cray 1 to the desktop HP 9836 were found to suffer this flaw.

While his talk did not provide any specific examples of common errors
in the Motorola 68000 family and Intel 8086 family, the engineers who
designed those processors likely have at least as much common
background as those who designed the Apple ][ Plus and the Cyber 205,
and thus might have unintentionally designed some similar failure
modes into the two processors.

Far from being clever, the Airbus approach foolishly fosters a false
sense of security.

For what it's worth, on the 777, Boeing started off with a similar
strategy, but ended up abandoning both hardware and software
diversity.  Instead of spending several times as much money to support
several development efforts, they spent the money saved on doing more
rigorous review and testing of the software.  It remains to be seen
whether the result was better, worse, or just different, but at least
they didn't bet on an illusion of diversity.

--
Karl Swartz	|Home	kls@chicago.com
		|Work	kls@netapp.com
		|WWW	http://www.chicago.com/~kls/
Moderator of sci.aeronautics.airliners -- Unix/network work pays the bills
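An added illustration, in C, of the "if (x<y)" versus "if ((x-y)<0)" flaw Karl mentions from Schryer's talk. This is example code written for this page, not anything from the talk or from the machines named. Modern IEEE 754 hardware keeps the difference of two distinct tiny numbers as a subnormal (gradual underflow), so the older flush-to-zero behaviour that makes the subtraction vanish is emulated here in an assumed helper, sub_flush_to_zero, using DBL_MIN as the flush threshold; the inputs 1.5*DBL_MIN and DBL_MIN are constructed for the demonstration.

```c
#include <float.h>
#include <stdbool.h>
#include <stdio.h>

/* Absolute value without pulling in libm. */
static double dabs(double d)
{
    return d < 0.0 ? -d : d;
}

/* Emulate subtraction on a machine with no gradual underflow: any result
 * smaller in magnitude than the smallest normal number is flushed to zero.
 * This is an assumed model of the old behaviour, not real hardware. */
static double sub_flush_to_zero(double x, double y)
{
    double d = x - y;
    if (dabs(d) < DBL_MIN)   /* result would be subnormal: flush it */
        d = 0.0;
    return d;
}

/* "if (x<y)" implemented as "if ((x-y)<0)" on the flush-to-zero machine. */
bool less_via_subtract(double x, double y)
{
    return sub_flush_to_zero(x, y) < 0.0;
}

/* Equality as a program infers it from two failed "less than" tests. */
bool equal_via_subtract(double x, double y)
{
    return !less_via_subtract(x, y) && !less_via_subtract(y, x);
}

/* The same test using the hardware's own subtraction; with gradual
 * underflow the difference survives as a subnormal and the test is right. */
bool less_via_hw_subtract(double x, double y)
{
    return (x - y) < 0.0;
}

/* Direct comparisons, which involve no subtraction and have no such flaw. */
bool less_direct(double x, double y)
{
    return x < y;
}

bool equal_direct(double x, double y)
{
    return x == y;
}

int main(void)
{
    /* Constructed inputs: two distinct normal numbers whose difference
     * (0.5 * DBL_MIN) lies below the smallest normal number. */
    double x = 1.5 * DBL_MIN;
    double y = DBL_MIN;

    printf("direct:          x == y -> %d, y < x -> %d\n",
           equal_direct(x, y), less_direct(y, x));
    printf("via (x-y)<0, flush-to-zero: x == y -> %d, y < x -> %d\n",
           equal_via_subtract(x, y), less_via_subtract(y, x));
    printf("via (x-y)<0, gradual underflow: y < x -> %d\n",
           less_via_hw_subtract(y, x));
    /* Ordinary magnitudes are unaffected either way. */
    printf("1.0 < 2.0 via subtract -> %d\n", less_via_subtract(1.0, 2.0));
    return 0;
}
```

Compile with any C99 compiler and run; the flush-to-zero path reports the two distinct numbers as equal while the direct comparison (and the IEEE subtraction with gradual underflow) does not, which is exactly the class of failure that surfaced across otherwise unrelated designs.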