Return-Path: <john.harrison-request@uk.ac.cam.cl>
Delivery-Date: 
Received: from ted.cs.uidaho.edu (no rfc931) by swan.cl.cam.ac.uk 
          with SMTP (PP-6.4) outside ac.uk; Fri, 19 Mar 1993 17:01:10 +0000
Received: by ted.cs.uidaho.edu (16.6/1.34) id AA04663;
          Fri, 19 Mar 93 07:11:15 -0800
Sender: info-hol-request@edu.uidaho.cs.ted
Errors-To: info-hol-request@edu.uidaho.cs.ted
Precedence: bulk
Received: from enet-gw.pa.dec.com by ted.cs.uidaho.edu (16.6/1.34) id AA04658;
          Fri, 19 Mar 93 07:11:06 -0800
Received: by enet-gw.pa.dec.com; id AA27066; Fri, 19 Mar 93 07:10:57 -0800
Message-Id: <9303191510.AA27066@enet-gw.pa.dec.com>
Received: from ricks.enet; by decwrl.enet; Fri, 19 Mar 93 07:10:58 PST
Date: Fri, 19 Mar 93 07:10:58 PST
From: "Hemendra, DEC Hudson MA USA,(508) 568-5590" <talesra@com.dec.enet.ricks>
To: info-hol@edu.uidaho.cs.ted, nqthm-users@com.cli
Cc: talesra@com.dec.enet.ricks
Apparently-To: nqthm-users@cli.com, info-hol@ted.cs.uidaho.edu
Subject: FWD: shuttle s/w verification

-----------------Forwarded item dated 19-MAR-1993 09:33:37.17-----------------

<forwards deleted>
...
Subj:	shuttle software verification...tons of it
Subj:	some interesting notes on shuttle software...
Subj:	Richard Feynman on Shuttle Challenger Avionics software development

"The software is checked very carefully in a bottom-up fashion. First,
each line of code is checked; then sections of code (modules) with
special functions are verified. The scope is increased step by step
until the new changes are incorporated into a complete system and
checked. This complete output is considered the final product, newly
released. But working completely independently is a verification
group that takes an adversary attitude to the software development
group and tests the software as if it were a customer of the
delivered product. There is additional verification in using the new
programs in simulators, et cetera. An error during this stage of
verification testing is considered very serious, and its origin is
studied very carefully to avoid such mistakes in the future. Such
inexperienced errors have been found only about six times in all the
programming and program changing (for new or altered payloads) that
has been done. The principle followed is: all this verification is not
an aspect of program safety; it is a test of that safety in a
noncatastrophic verification. Flight safety is to be judged solely on
how well the programs do in the verified tests. A failure here
generates considerable concern.

"To summarize, then, the computer software checking system is of
highest quality. There appears to be no process of gradually fooling
oneself while degrading standards, the process so characteristic of
the solid rocket booster and space shuttle main engine safety systems.
To be sure, there have been recent suggestions by management to
curtail such elaborate and expensive tests as being unnecessary at
this late date in shuttle history. Such suggestions must be resisted,
for they do not appreciate the mutual subtle influences and sources of
error generated by even small program changes in one part of a program
on another. There are perpetual requests for program changes as new
payloads and new demands and modifications are suggested by the users.
Changes are expensive because they require extensive testing. The
proper way to save money is to curtail the number of requested
changes, not the quality of testing for each."

From Appendix F to the Rogers Commission report on the Challenger
accident, "Personal Observations on the Reliability of the
Shuttle"

Richard P. Feynman, "What do YOU care what other people think?" 
Pages 234-235, W. W. Norton & Co, New York, 1988


=============================================================================
    !									!
    !	Hemendra Talesra			Mail Stop: HLO2-3/D11	!
    !	Principal Engineer			77, Reed Road		!
    !	Semiconductor Engineering Group		Hudson, MA 01749 USA	!
    !	Digital Equipment Corporation		Phone: (508) 568-5590	!
    !	Email: talesra@ricks.enet.dec.com	FAX: (508) 568-4681	!
    !									!
    =====================================================================
