NASA proves once again that, for it, the impossible is not even difficult.

The point here, I think, is that your ideas about how much to budget may be grossly wrong because of:

a) unforeseen synergies between components/subsystems whose behavior, alone, is believed to be fully understood

b) not recognizing that a nominally "understood" system still has testing holes in it, and "it's been done this way for years" only helps you up to a point.

c) the fact that this is essentially "happy testing" - test boundary cases, test some random spots in the operating parameter envelope.

I would never assert that a system has been fully tested - I would only assert that it has been put through a test plan designed to cover documented use cases under supported environmental conditions for the equipment. Obviously there are massive holes in this statement, gnawed by professional weasels.

Conversely, we CAN prove that human-operated systems CANNOT be counted on, due to failures in the human, so then why are we counting on them? It's a question of cost and perceived risk.

Even if you had such a method, how would you know that you had applied it correctly, or that the underlying hardware behaved (and will carry on behaving) according to your current understanding of physics?

I can't speak about this business, but your remarks remind me of something I was told about 20 years ago in a quantum mechanics tutorial. We were making the idle remarks that students make about particles tunneling through barriers. Our supervisor asked us what confidence limits we could place on the "impossibility" of such behaviour in the real (macroscopic) world, based only on observations made by humans in the real world. So we noted that since the dawn of recorded history no-one had ever seen it happen, except for a few people who were always dismissed as cranks (ahem!), and made our estimate.

For tunneling in a macroscopic system our confidence limit was many orders of magnitude *more likely* than the probability predicted by quantum mechanics. So our supervisor concluded that "QM is just common sense, only

Robert Myers had sent: |----------------------------------------------------------------------| |"[..] | | | |In the case of fly-by-wire systems, you have to assume the worst. The| |system *will* eventually fail by some method that you never would have| |guessed or predicted, and you *must* have the capacity to fall back on| |clumsy mechanical controls that do not depend on electronics in any | |way." | |----------------------------------------------------------------------|

What is to stop quantum physics from teleporting the mechanical controls to somewhere light years away from the rest of the vehicle just when they are needed?

Robert Myers had sent: |----------------------------------------------------------| |" I don't understand why drive-by-wire is any different."| |----------------------------------------------------------|

It should be illegal to allow a vehicle to have enough momentum to be fatal.

Robert Myers had sent: |----------------------------------------------------------------------| |"What's | |the point of a study that can't prove (or is very unlikely to prove) | |anything? [..] | |[..] | | | |Robert. | | | | | | | |We can't prove that drive-by-wire systems can be counted on, so then | |why are we counting on them? Until someone can prove otherwise or | |until we have a lot more experience than we already have, safety | |analysis at the government level should be focused on planning for the| |worst." | |----------------------------------------------------------------------| Del Cecchi has sent on February 9th, 2011: ################################################################################## #"[..] # # # #As a famous guy once said, "we don't know what we don't know. We only know what# #we know." # # # #However this all reminds me of the run away audis. It was a design defect until# #they put an interlock on the transmission and that made it go away. Apparently # #the design defect was that folks didn't actually have their foot on the brake # #like they swore up and down they did, but on some other pedal. # # # #[..]" # ##################################################################################

No thing exists nor can exist, such that it is possible to know it. Therefore proofs are impossible.

As I mentioned in "Re: Intel plans to tackle cosmic ray threat (actually they have been working on it for at least five years...austin)" on Fri, 18 Apr 2008 12:21:08 +0200: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %"[..] % % % %Logic is theoretical whereas the devices are actually subjected % % to physics. A VHDL simulator can not replace SPICE for % % electromagnetic compatibility issues and SPICE can not replace % % empirical experiences and extrapolating empirical experiences % % to untried conditions can work but it can also fail. % % % %Similar points had been admitted in the book Thomas Kropf (editor), % % "Formal Hardware Verification: Methods and Systems in Comparison", % % Springer, 1997; in the final sentence of Section 5.3 of the book % % He Jifeng, C. A. R. Hoare, Jonathan Bowen, "Provably Correct Systems: % % Modelling of Communication Languages and Design of Optimized % % Compilers", 1994; in Section 12.1 What Are Formal Methods? of the % % book Jim Woodcock and Martin Loomes, "Software Engineering % % Mathematics: Formal Methods Demystified", 1988; on Page 181 (though % % oddly enough, almost the opposite was argued on Page 180) of the book % % Fenton and Hill, "Systems Construction and Analysis: A Mathematical % % and Logical Framework", 1993; and Dr. Fleuriot (who had been involved % % in collision and detection issues for aeronautics) of the University % % of Edinburgh said to me in a personal conversation on January 24th, % % 2008 "[..] there's no such thing as one hundred per cent guarantees % % [..]". % % % %In an even more impressive triumph of missing the point than % % Fenton's and Hill's Pages 180 and 181, Zerksis D. Umrigar, % % Vijay Pitchumani, "Formal Verification of a Real-Time % % Hardware Design", Design Automation Conference 1983 contains: % % "[..] If there are no errors, inconsistencies or ambiguities % % in the specifications, and no errors in the correctness proof, % % then a successful proof enables one to be totally confident % % that the design will function as desired. [..]" % % % %[..]" % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

There was a study done by one of the eminent US universities on software reliability, reported in Scientific American several years ago. One of the things they found (or at least asserted) was something like this, I may have the exact numbers wrong, I also can't recall what the basis of the study was.

That implies that a very significant fraction of all your bugs aren't going to emerge for thousands of years.

When I saw a film of the Tacoma Narrows Bridge failure as a freshman in physics, I thought nature had been really unkind to the designers. Now that I understand instability in pitch and the relationship between vorticity and lift, I can't help wondering how the designers could have been so naive.

Similarly, I still don't understand how anyone would fail to recognize that the John Hancock building in Boston is practically a laboratory model for an airfoil with a design that would induce leading edge separation and big unsteady lifting forces as a result. Thus, I don't understand why the panes of glass crashing to the ground came as such a big surprise.

"What's different about this design?" is always a good question to ask.

We're not ready yet, as a species, to be flown or driven to our death by microprocessors. That's the bottom line.

Even if there's a greater chance of our dying if we make it easier to disable the electronics, most people would rather envision grievous injury or even death at the hands of a panicked driver or pilot than trapped in a cyborg that is just doing what it thinks it was told to do.

Those human factors are part of engineering, too.

Robert Myers.

So a fully loaded 18-wheeler is constrained to 0.03 MPH? Or a normal passenger car is restricted to less than 7 MPH?

Mitch

Un bel giorno Robert Myers digitò:

What makes you think that adding some clumsy mechanical redundancy would actually reduce the probability of failure?

same architect in approx. same period also had bldg. across the charles on MIT campus that also had problem with windows poping out. the "fix" was revolving doors on the ground floor (to minimize air pressure differences with opening ground floor doors).

there was a parady of the shuttle disaster with the booster rockets and the "o-rings" ... while there was a lot of attention payed to the operational characteristics of the "o-rings" ... the parady was the only reason that o-rings were required at all ... was because congress mandated that the booster rockets to be built near the rockies ... and then transported to the cape (requiring them to be in sections for transportation; resulting in the o-rings when they were assembled).

the parady was that somebody in the queen's court convinced her that columbus's ships had to be built in the mountains (where the trees were), then cut into three pieces for transportation to the harbor ... and glued back together and then launched (as opposed to transporting the trees from the mountains to the harbor for construction of the ships). enormous resources then were focused on technology of gluing a ship back together after it had been sawed into three pieces (as opposed to deciding that ships could be built in the harbor and avoid having to saw them in pieces at all).

More to the point, under that rule, basically all vehicles are illegal, all the way down to skateboards. Hell, even somewhat enthusiastic _jogging_ would have to be made illegal.

Completely different. That is a simple application of physics to a structure. The synergy issue to which I was referring is more along the lines of "here's Fred, we know how he thinks. Here's John, we know how he thinks. Therefore we know what answer they will reach when collectively asked to solve a problem". Multidimensional.

Anti lock brakes are a real example of manual and automatic control systems in one system. This is a classic example of microprocessors doing a better job at stopping a vehicle.

There are other such system such as power steering originally a servo system

and now with electric and hybrid electric power steering is micro processor driven usually coupled with power management

It reminds me of early Russian tube computers. To get reliability up the Russians burned in tubes for 500 hours used them for 20 hours then swapped them out as part of mandatory maintenance.

The alternative approach was to create a system with redundancy with a higher component count and more parallel terms.

There is not a simple solution which approach is better.

Regards,

w..

-- Walter Banks Byte Craft Limited

On 2011-02-10, MitchAlsup wrote: |-----------------------------------------------------------------------| |"On Feb 10, 6:25 am, Paul Colin Gloster | |wrote: | | | |> It should be illegal to allow a vehicle to have enough momentum to be| |> fatal. | | | | So a fully loaded 18-wheeler is constrained to 0.03 MPH? | | Or a normal passenger car is restricted to less than 7 MPH? | | | | Mitch" | |-----------------------------------------------------------------------|

Why waste money on a car when you can cycle much more quickly than seven miles per hour without killing anyone? Do you prefer to allow dangerous drivers to kill people with dangerous cars, so long as they do not kill you?

But stuff does happen. My parents owned one of the Ford station wagons (early 70's) that had a defective transmission lock and were prone to slipping out of parking gear.

It happened in a mall parking lot. My mother came out of the mall to find her wagon had backed across the aisle and hit another car. The only reason anyone believed the vehicle was faulty was that there were witnesses to the car moving by itself, and the police had arrived before my mother returned and had found the doors locked and the gear shift still in "park".

George

Cars make good noise {Ferraris, Vettes, ...} look good {Pinninfarina, Berton=E9,...} and the old one made for good smells {catless with the old Sunoco 260}.

I have personally driven over 170 MPH without killing anyone. And I enjoy air conditioning, something that is a requirement down here in Texas summers. Try riding you pedal bike uphill to work in 103dF heat and arrive with a crisp shirt looking good and smelling good.

I prefer to live with the system we currently have and asses the risks I face myself, rather than have someone else make those choices for me. It is called freedom. Not having someone looking over my shoulder is called liberty.

Mitch

If it was, he was quoting someone else. That is a very old saying ... I've heard a number of variations of it throughout my life.

George

Please refrain from making statements that could potentially give the goobermint an idea.

George

I don't like to see innocents harmed, but I'm a big fan of stupid people getting hurt themselves. I have a real problem with the ever growing number of "nanny" laws intended to protect fools from themselves.

FYI: the government has absolutely no concern for your safety ... it's one and only concern is to protect it's tax rolls. If politicians could figure out how to tax the dead, they'd happily kill us all.

George

re:

superfreakonomics has a bit on how cities of the world had much more severe polution problem before the advent of automobiles and internal combustion engine ... and that NYC had higher rate of traffic deaths per thousand from the horse era than they now have from automobiles.

it also explained why the brownstones in NYC where so high above the ground (with front steap steps) ... because of the horse manure piled so high on the streets.

Unfortunately our freedom to make choices is steadily being eroded by the proliferation of "nanny" laws designed to protect fools from themselves.

I love this quote from the movie "Gone in 60 Seconds". Donny Astricky (Chi McBride), telling a student driver she has failed the road test, says "... Shit, I can't swim, I know I can't. So you know what I do? I stay my black ass out the pool!"

An awful lot of stupid people could learn from such wisdom.

George