Null references (oh no, not again!)

Thu Mar 5 01:20:28 PST 2009

Nick Sabalausky wrote:
> "Walter Bright" <newshound1 at digitalmars.com> wrote:
>> I started my career doing flight critical mechanical designs for Boeing 
>> airliners. I had it pounded into me that no matter how perfect you 
>> designed the parts, the next step is "assume it fails. Now what?" That is 
>> why Boeing airliners have incredible safety records.

Yup. That's what McDonnell didn't do with the DC-10. They were crashing 
mysteriously in mid-fligt, and nobody survived to tell.

The DC-10 had three entirely separate steering systems: a mechanical (as 
  in wires from cockpit to ailerons), a hydraulic one, and an electrical 
system.

After a superior pilot(1) actually brought his plane home after disaster 
struck, it was found out that the reason to all the crashes was a cargo 
door lock, which could be shut carelessly and then, if the ground guy 
was strong enough, lock the latch by force, leaving it only partly 
locked. Once in the air, the airpressure blew the door open, resulting 
in the passenger floor collapsing, and shredding the steering systems.

The "non-Boeing" designers had drawn all three steering systems next to 
each other, above the cargo door, below the passenger floor.

>> Assume the parts break. Assume the hydraulics are connected backwards. 
>> Assume all the fluid runs out of the hydraulics. Assume it is struck by 
>> lightning. Assume it is encased in ice and frozen solid. Assume the cables 
>> break. Assume a stray wrench jams the mechanism. Assume it rusts away. 
>> Assume nobody lubricates it for years. Assume it was assembled with a bad 
>> batch of bolts. Etc.

My father was an airline pilot, who had participated in crash 
investigations. Ever since I was a kid I got it hammered in my head that 
things break, period. And people make mistakes. Double period!

For example, it happens that car tires blow. In the old days, a front 
tire blowing usually meant you ended up in the ditch or a tree. 
Volkswagen designed the first car not to veer off the road when that 
happens, the Golf. The front suspension geometry was such that you 
didn't even have to have your hands on the steering wheel when the tire 
blows. No problem.

(But the funny thing is, the average driver shouldn't know about that, 
or he will compensate it with even sloppier driving.)

>> If software is in your flight critical systems, the way one proceeds is to 
>> *assume skynet takes it over* and will attempt to do everything possible 
>> to crash the airplane.
> 
> You're dodging the point. Just because these failsafes might exist does 
> *NOT* excuse the processes from being lax about their reliability in the 
> first place. What would Boeing have said if you designed a bolt with a fatal 
> flaw and excused it with "It's ok, we have failsafes!".

Recently, in Sweden, it became known that supervisors in this ultra safe 
Nuclear Power Plant regularly drank beer on duty. "Why stay alert when 
nothing ever happens, and even if it does, this plant will shut itself 
down in an orderly manner." Homer Simpson, anyone?

(1) A superior pilot: he learns more than the teachers force him to. He 
tries to Understand the mechanics and machinery, as opposed to just 
using it by the manual. He constantly conjures up disaster scenarios and 
figures out how to deal with them (methods). He also "preloads" such 
methods in his brain during the various phases of flight.

At sudden danger, it is much more efficient to have the preloads at 
hand, rather than having to start inventing graceful exits when the 
cockpit is full of hands on the wheel and the knobs.

These practices have saved my car from being totalled more than once. 
While it may look difficult to apply this to software development, 
especially in one-man projects, the value of this can't be 
underestimated. When a habit and team practice, it helps productivity. 
Design by contract is but one example in this direction.

PS: it turned out that the DC-10 can be flown without flight controls. 
Since the three engines make a triangle (as looked at from the front), 
one can control the plane enough. The engine controls were not drawn 
next to the cargo door.