[OT] OT: Null checks.

Wed May 7 00:40:06 UTC 2025

On 5/6/2025 9:29 AM, Timon Gehr wrote:
> This only works because the plane keeps its own state independent of the 
> electronics.

I know what I'm talking about on this subject. There are many ways to detect 
that an avionics box has gone bad. Some are detected by the avionics box itself, 
some by external monitoring, some by comparing outputs with outputs from another 
box that does the same function but uses different algorithms. All result in 
instant electrical disconnection.

Logging is done with the flight data recorder.

There are several aspects of D that are influenced by my experience as an 
aerospace engineer.

> At some point you'll just have to accept that most use cases are not like this. 
> Then you will maybe also figure out that it is not about what kind of person you 
> are, but about what kind of external factors are relevant to your work. (Hint: I 
> am not currently writing software for avionics.)

It's the same situation if you write stock trading software. You might not die 
if it goes haywire, but you certainly could go bankrupt.

There's also the situation of minimizing the risk of malware injection. That 
could certainly ruin your whole week.

> And BTW, it appears an ESA mars mission failed partly because an acceleration 
> sensor actively refused to operate for an extended amount of time after 
> acceleration went out of the range it was rated for for a small amount of time. 
> It did so by sticking to one of the ends of the rated range, making the probe 
> compute that it was underground.
> 
> This demonstrates that your tools thinking they know better than you how to 
> react to an error condition is also fatal in "critical" applications.

The anecdote only demonstrates that the design had no backup plan for a failed 
sensor.

Here's another: the 737MAX MCAS system kept functioning despite receiving bad 
data from the AOA sensor, and moved the flight controls far outside of the envelope.

There was another incident long ago where the autopilot decided to turn the 
airplane upside down. That was fun for the crew and passenger.

And another where the stabilizer jammed. The pilot, rather than leaving the 
jammed thing alone and doing an emergency landing, decided he would keep trying 
to unjam it. He eventually succeeded so well the nut broke off the end of the 
jackscrew and the stabilizer then broke free.

Don't keep trying to work broken systems. They get more broken when you do that.