Re: Self restarting property of RTOS-How it works?
From: Guy Macon (http://www.guymacon.com/)
Date: 02/11/05
- Next message: Guy Macon: "Re: Self restarting property of RTOS-How it works?"
- Previous message: CBFalconer: "Re: RS 232 Error Rate"
- In reply to: prep_at_prep.synonet.com: "Re: Self restarting property of RTOS-How it works?"
- Next in thread: Neil Kurzman: "Re: Self restarting property of RTOS-How it works?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 11 Feb 2005 18:19:09 +0000
prep@prep.synonet.com wrote:

> The Therac problem was that no one considered what would happen if the
> operator did an ABA type mode change without waiting for either step
> to complete.

Actually, they did consider it and concluded that it was impossible - and they were (sort of) right. The Therac had separate well-tested code that ran the machine, and separate not-so-well-tested code that ran the operator interface. As originally shipped, it was impossible to complete the data input that fast. Then they started getting complaints about having to re-enter the data in a bunch of fields every time, so they put in a feature where a tab would give you the same input as was used in the last run. Because it was in the operator interface code, it didn't get tested as well. What testing they did do failed to show the bug because developers tend to watch the screen looking for odd behavior, while an actual operator hits the tab key as fast as he/she can in order to do the next run.

I still think that the biggest error was taking out the microswitch with hardware that wouldn't let it operate if the mechanical moving parts had not arrived where they should be. Just sending the move command and waiting N seconds was an unacceptable system design decision whether or not the code was buggy. The cryptic error messages and the ability to keep trying to dose the same patient over and over in response to an error message didn't help things.

I have worked on systems for aircraft where the software engineer was invited to write malicious code that would damage the hardware, with a reward of an extra week of vacation time for writing that code. Then the hardware engineer was invited to induce a single fault that would cause the real software to lock up, go crazy, etc., with the same reward offer.

-- Guy Macon <http://www.guymacon.com/>
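The design point in the post above, that an actuator's arrival must be confirmed by a sensor rather than assumed after a fixed delay, can be made concrete with a small model. The following C program is an added illustration and is not code from the post, from the Therac-25, or from any aircraft system; the two-mode turntable, the tick counts, the "stalled motor" fault and the prescription-generation counter are all constructed for the example. It compares an open-loop interlock ("send the move command and wait N ticks") with a closed-loop one (the microswitch must report the commanded position, and the prescription must not have been edited since the move was dispatched) under three scenarios: a normal run, an operator re-editing the mode while the turntable is still travelling, and a single injected mechanical fault.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of a beam-mode interlock (not Therac-25 code; all
 * numbers are invented). The point is the difference between trusting
 * elapsed time and trusting a position sensor plus a consistency check.
 */
#define TRAVEL_TICKS 5   /* ticks the turntable needs to reach a new position */
#define TIMED_WAIT   5   /* the open-loop design's "wait N seconds" */

enum beam_mode { MODE_XRAY = 0, MODE_ELECTRON = 1 };
enum scenario  { SC_NORMAL, SC_FAST_EDIT, SC_STALL };

struct machine {
    int commanded;         /* mode the prescription currently calls for */
    int actual;            /* position reported by the turntable microswitch */
    int move_target;       /* position the control loop is driving toward */
    int ticks_since_move;  /* elapsed time since the move was dispatched */
    unsigned generation;   /* bumped on every prescription edit */
    unsigned move_gen;     /* generation captured when the move was dispatched */
    bool stalled;          /* injected single fault: the motor does not turn */
};

void machine_init(struct machine *m, int initial_mode) {
    m->commanded = m->actual = m->move_target = initial_mode;
    m->ticks_since_move = 0;
    m->generation = m->move_gen = 0;
    m->stalled = false;
}

/* Control layer: hand the current prescription to the hardware. */
void dispatch_move(struct machine *m) {
    m->move_target = m->commanded;
    m->move_gen = m->generation;
    m->ticks_since_move = 0;
}

/* Interface layer (hypothetical): records the operator's edit but does not
 * itself re-dispatch the move, mirroring the post's separate-codebase point. */
void edit_prescription(struct machine *m, int mode) {
    m->commanded = mode;
    m->generation++;
}

/* Mechanical model: the turntable arrives after TRAVEL_TICKS unless stalled. */
void tick(struct machine *m) {
    m->ticks_since_move++;
    if (!m->stalled && m->ticks_since_move >= TRAVEL_TICKS)
        m->actual = m->move_target;
}

/* Open-loop interlock: assume arrival once N ticks have elapsed. */
bool timed_interlock_permits(const struct machine *m) {
    return m->ticks_since_move >= TIMED_WAIT;
}

/* Closed-loop interlock: the microswitch must confirm the commanded mode and
 * nothing may have been edited since the move was dispatched. */
bool sensor_interlock_permits(const struct machine *m) {
    return m->actual == m->commanded && m->move_gen == m->generation;
}

/* Drive one scenario: start in electron mode, request X-ray, then either run
 * normally, re-edit mid-travel, or suffer a stalled motor. */
static void run_scenario(struct machine *m, enum scenario sc) {
    machine_init(m, MODE_ELECTRON);
    edit_prescription(m, MODE_XRAY);
    dispatch_move(m);
    if (sc == SC_STALL) m->stalled = true;
    tick(m); tick(m);                                   /* still travelling */
    if (sc == SC_FAST_EDIT) edit_prescription(m, MODE_ELECTRON);
    for (int i = 0; i < TIMED_WAIT; i++) tick(m);       /* wait N ticks */
}

bool timed_permits(enum scenario sc) {
    struct machine m; run_scenario(&m, sc); return timed_interlock_permits(&m);
}

bool sensor_permits(enum scenario sc) {
    struct machine m; run_scenario(&m, sc); return sensor_interlock_permits(&m);
}

int main(void) {
    const char *names[] = { "normal", "fast re-edit", "stalled motor" };
    for (int sc = SC_NORMAL; sc <= SC_STALL; sc++)
        printf("%-14s timed: %-6s sensor: %s\n", names[sc],
               timed_permits(sc) ? "FIRE" : "hold",
               sensor_permits(sc) ? "FIRE" : "hold");
    return 0;
}
```

In the normal run both interlocks agree. In the fast re-edit and stalled-motor runs the timed interlock still permits firing because only the clock was consulted, while the sensor interlock holds: in one case the microswitch disagrees with the prescription, in the other the prescription changed after the move was dispatched. Either check alone is not enough; the generation comparison catches an edit that happens to land on the position the turntable is already at.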