[SystemSafety] A small taste of what we're up against

Olwen Morgan olwen at phaedsys.com
Mon Oct 29 19:23:10 CET 2018


On 29/10/2018 17:54, Dewi Daniels wrote:

<snip>

> The in-flight upset of an Airbus A300 occurred on 7 October 2008, west 
> of Learmouth, Australia. The report can be downloaded from 
> https://www.atsb.gov.au/media/3532398/ao2008070.pdf. There were 
> multiple spikes in the Angle Of Attack (AOA) output of an ADIRU (from 
> a different manufacturer). The investigators were unable to determine 
> the reason for these spikes (or even whether they were due to a 
> hardware or a software fault). These spikes have only been observed 
> three times in 128 million hours of operation. A flaw in the design of 
> an algorithm in the Flight Control Primary Computer (FCPC) meant it 
> was unable to cope with these spikes, so it commanded the aircraft to 
> pitch down. Airbus redesigned the AOA algorithm to prevent the same 
> type of accident from occurring again. Again, I don't know what 
> programming language was used for the ADIRU or FCPC software. Again, 
> the report states that the ADIRU and FCPC software was developed to 
> DO-178A. Also, the report states that the FCPC requirements were 
> written in a formal specification language called SAO.

This brings me back to the issue of pseudorandom stress testing. There 
is a mentality among software engineers that designs a software 
component to deal only with specified inputs and rates of data arrival. 
Completely ignoring rare events is rife among such people. I have always 
viewed this as poor practice if not downright negligent. Put plainly, I 
rarely trust the inputs and loading conditions of a software component 
to lie within specified bounds and therefore write into them whatever 
fault tolerance I can get away with while still complying with the 
specified black-box behaviour.

Sometimes you cannot do this. I once worked on the code for an inertial 
sensor that applied both level and rate clips to its series of input 
values, accepting a reassurance from the guy who worked out the 
algorithm that these clips (which essentially threw away input 
information) were actually safe. It was, however, not my idea of a well 
thought-out design and I felt relieved when the company for which I was 
working did not actually get the contract from the Tier 1 supplier to 
proceed with production.


Olwen
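The two ideas in the message above, pseudorandom stress testing of a component against inputs outside its specified envelope and the level/rate clips applied to a sensor's input series, can be put side by side in a small harness. The following is an added example written for this thread; it is not code from any ADIRU, FCPC or the inertial sensor discussed, and every number in it (the level limit, the per-sample rate limit, the hypothetical protection threshold, the spike magnitudes) is a constructed illustration, not a value from the ATSB report.

```python
import math
import random

# All limits below are constructed for illustration; they are not the
# limits of any real ADIRU, FCPC or inertial sensor.
LEVEL_LIMIT_DEG = 30.0           # level clip: |AOA| beyond this is treated as implausible
RATE_LIMIT_DEG_PER_SAMPLE = 0.5  # rate clip: largest change accepted between samples
PROTECTION_THRESHOLD_DEG = 20.0  # hypothetical AOA above which a consumer would act


def naive_consumer(samples):
    """Accepts every sample as-is: a single transient spike reaches the consumer unchanged."""
    return list(samples)


def clipped_consumer(samples, level=LEVEL_LIMIT_DEG,
                     rate=RATE_LIMIT_DEG_PER_SAMPLE, initial=0.0):
    """Level clip, then rate clip against the previously accepted value.

    `initial` is an assumed known-good starting state; without it a spike on the
    very first sample would have nothing to be rate-clipped against.
    """
    out = []
    prev = initial
    for s in samples:
        v = max(-level, min(level, s))                  # level clip
        v = max(prev - rate, min(prev + rate, v))       # rate clip
        out.append(v)
        prev = v
    return out


def clean_signal(n, base=3.0, amplitude=1.0, period=50):
    """Constructed nominal AOA: a slow sinusoid around `base`, never near the threshold."""
    return [base + amplitude * math.sin(2 * math.pi * i / period) for i in range(n)]


def inject_spikes(clean, rng, n_spikes, magnitude):
    """Overwrite n_spikes randomly chosen samples with a large transient value."""
    spiked = list(clean)
    for i in rng.sample(range(len(spiked)), n_spikes):
        spiked[i] = magnitude
    return spiked


def stress_test(consumer, trials=200, n=500, seed=1234):
    """Pseudorandom stress test: count trials in which the accepted AOA crosses
    the protection threshold although the true (clean) AOA never did."""
    rng = random.Random(seed)   # seeded so a failing trial can be replayed
    failures = 0
    for _ in range(trials):
        clean = clean_signal(n)
        n_spikes = rng.randint(1, 3)
        magnitude = rng.uniform(40.0, 60.0)
        accepted = consumer(inject_spikes(clean, rng, n_spikes, magnitude))
        if max(accepted) > PROTECTION_THRESHOLD_DEG:
            failures += 1
    return failures


def clip_lag(step_to=10.0, n=5):
    """The cost of the rate clip: a genuine step is followed only gradually,
    which is the 'thrown away input information' the message warns about."""
    return clipped_consumer([0.0] + [step_to] * n)


if __name__ == "__main__":
    print("naive failures:  ", stress_test(naive_consumer))
    print("clipped failures:", stress_test(clipped_consumer))
    print("step response:   ", clip_lag())
```

Run as a script it shows the naive consumer failing every trial, the clipped consumer failing none, and the step response that makes the trade-off visible: the same rate clip that rejects a spike also delays a real rapid change, so whether the clips are "actually safe" depends on the dynamics of the quantity being measured, which is exactly the reassurance the message describes having to take on trust.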