bearophile wrote:
Walter Bright:
I used to work at Boeing designing critical flight systems.
Absolutely the WRONG failure mode is to pretend nothing went wrong
and happily return default values and show lovely green lights on
the instrument panel. The right thing is to immediately inform the
pilot that something went wrong and INSTANTLY SHUT THE BAD SYSTEM
DOWN before it does something really, really bad, because now it is
in an unknown state. The pilot then follows the procedure he's
trained to, such as engage the backup.
Today we think this design is not the best one, because the pilot
suddenly goes from a situation seen as safe where the autopilot does
most things, to a situation where the pilot has to do everything. It
causes panic.
I've never seen any suggestion that Boeing (or Airbus, or the FAA) has
changed its philosophy on this. Do you have a reference?
I should also point out that this strategy has been extremely
successful. Flying is inherently dangerous, yet is statistically
incredibly safe. Boeing is doing a LOT right, and I would be extremely
cautious of changing the philosophy that so far has delivered
spectacular results.
BTW, shutting off the autopilot does not cause the airplane to suddenly
nosedive. Airliner aerodynamics are designed to be stable and to seek
straight and level flight if the controls are not touched. Autopilots do
shut themselves off now and then, and the pilot takes command.
Computers control a lot of systems besides the autopilot, too.
A human needs time to understand the situation and act
correctly. So a better solution is to fail gracefully, giving back
the control to the human in a progressive way, with enough time to
understand the situation. Some of the things you have seen at Boeing
today can be done better,
Please give an example. I'll give one. How about that crash in the
Netherlands recently where the autopilot decided to fly the airplane
into the ground? As I recall it was getting bad data from the
altimeters. I have a firm conviction that if there's a fault in the
altimeters, the pilot should be informed and get control back
immediately, as opposed to thinking about a sandwich (or whatever) while
the autopilot soldiered on. An emergency can escalate very, very fast
when you're going 600 mph.
There have been cases of faults in the autopilot causing abrupt, bizarre
maneuvers. This is why the autopilot must STOP IMMEDIATELY upon any
fault which implies that the system is in an unknown state.
Failing gracefully is done by shutting down the failed system and
engaging a backup, not by trying to convince yourself that a program in
an unknown state is capable of continuing to function. Software simply
does not work that way - one bit wrong and anything can happen.
there's some progress in the design of
human interfaces too. That's why I suggest you to program in dotnet
C# for few days.
