This will be the last of these stories for a while. The previous two stories pretty much sank without trace, so I thought I'd finish and submit this one, then stop writing them up and re-think the effort.
This was a great story with all kinds of lessons about the things we do every day and understandable by almost anyone, including people new to our industry.
This will be the last of these stories for a while.
RiderOfGiraffes, I urge you to reconsider...
The previous two stories pretty much sank without trace
Which probably means nothing. There are many reasons stories do or do not get votes, with quality and interest only two of them. You must also consider time of day, day of week, competition from other stories, competition from other sites, competition from non-internet activities, competition from work, mix of people on-line at that time, mix of lurkers, mix of people who don't vote yet, etc., etc., etc.
Over the years I have made the exact same comment multiple times just to see if the reaction would vary, and it always did. One comment got over 60 up-votes and 6 months later got none.
What does this mean? Nothing. Just keep on posting.
...then stop writing them up and re-think the effort
It's perfectly normal to re-think the effort, but don't stop writing while you're rethinking.
This is a place for builders and entrepreneurs. We may eventually quit, but usually long after others would.
I have 2 signs over my desk, "It Doesn't Matter" and "Jabez Wolffe". When things get tough, the former keeps me from having a stroke and the latter keeps me from quitting. Jabez Wolffe attempted the English Channel 22 times without success. Once, when he didn't know where he was and conditions were dangerous, he quit 100 yards from shore.
Don't be Jabez Wolffe. Your next story may make a big difference in someone's life. If I'm on-line at the time, I'll vote it up. Keep 'em coming.
It sounds like one of these stories with educational/entertainment purposes rather than a description of an actual problem or event. I did find one reference -
"D. E. Stevenson attributes this story to Nancy Leveson, Software System Safety, STAR '93, Ontario at Darlington, Ontario. 1993.
A torpedo was designed to self-destruct if it turned 180 degrees. Unfortunately for the test ship the torpedo stuck in the tube and the captain turned the ship around for port."
It sounds mildly more plausible since it doesn't begin with the rather improbable torpedo design problem of 'submarines shooting themselves with their own torpedo'.
Still, if tasked with designing a reasonably safe torpedo, one of the very first things you're likely to come up with is 'armed' and 'safe' modes, with the torpedo staying in 'safe' mode until it is about to be launched. The next obvious safety feature would be to make the torpedo return to 'safe' mode the moment significantly abnormal conditions are encountered - say, stuck in tube, wildly off-course, etc.
Adding a self-destruct mechanism seems highly unsafe - there's the problem of the self-destruct mechanism malfunctioning and activating at an inopportune time. Additionally, if the torpedo has no idea where it is, the last thing you probably want is for it to blow up - possibly near you or a friendly.
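The safe/armed design described above amounts to a small state machine. Here's a minimal sketch (all names and events invented for illustration): the weapon starts in SAFE, arms only on launch, and any abnormal condition drops it back to SAFE rather than triggering anything destructive.

```python
# Hypothetical fail-safe state machine: abnormal conditions disarm
# rather than detonate.

SAFE, ARMED = "SAFE", "ARMED"

def next_state(state, event):
    """Return the new safety state after an event."""
    if event == "launch":
        return ARMED
    if event in ("stuck_in_tube", "wildly_off_course"):
        return SAFE  # fail safe: disable the weapon, don't destroy it
    return state

state = SAFE
state = next_state(state, "launch")         # -> ARMED
state = next_state(state, "stuck_in_tube")  # -> SAFE again
assert state == SAFE
```

The key property is that no event path leads to "explode"; the worst outcome of a malfunction is an inert torpedo, which is the point of the comment above.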
The actual stories of the difficulties developing WWII torpedoes are quite interesting and offer plenty of lessons in complex systems design, testing and deployment - see:
A design flaw that must have been particularly galling: "The conventional contact exploder was designed for the earlier, slower, 33 knot, Mk 13 torpedo. The newer, faster, 46 knot, Mk 14 torpedo had higher inertial impacts that would cause the firing pin to miss the exploder cap." In other words, the more squarely you hit your target, the more likely the torpedo would fail.
It's a pity people don't seem to be reading these. As a young coder, I find tales of the earlier ages of computing and electronics fascinating, and they serve as a good reminder that even today there are areas of computing where the philosophy is completely different from the release early/release often nature of the web development sector I work in.
It would be a very sad thing if that's what it took to get stories to the front page. Unfortunately it seems that quite a few people have adopted your 'tactic'. I always find it a little suspicious when links that were posted literally minutes ago already have 3-5 upvotes without any comments, especially if they then scroll off the new page without receiving further upvotes.
My guess is that those are simply sockpuppets used for the initial votes. The sad thing is that plenty of times the strategy seems to work.
Seems implausible to me. Rather than a self-destruct, it would be more plausible to just disable the explosive trigger altogether. If a torpedo fails to hit its target for whatever reason (including, but not limited to, the original problem) you don't necessarily want it to explode in some random place. Nor is it clear how, if this failure did occur with loss of all hands, we would ever have known about it.
Despite this, I take the point of the story to be that self-corrective failure detection mechanisms should not be capable of causing greater harm than the maximum plausible damage of the problem they were intended to correct.
Possibly because you don't want your adversary to get one of your unexploded torpedoes and copy / reverse-engineer / exploit a design flaw. Tactically that'd be far more devastating than losing a ship or two.
Interesting (and depressing) story. On one of your posts you say:
"Sometimes because of the nature of my work I get to hear stories from a greybeard with a past that is, well, "interesting." And again, because of the nature of my work, or more accurately, because of the nature of their work, the stories can't be verified."
I'm in the commercial world producing kit (hardware and software) to assist with the analysis of real-time data used in quasi-governmental organisations. That means I work regularly with military and ex-military personnel, and they talk to me off the record.
You can probably track me down if you like, but I generally try not to make the connection between my on-line persona and real-life work obvious. Feel free to email me if you'd like to know more.
If the sub sank with loss of all hands--not unlikely if a torpedo went off in the tube--how did anyone know about this? A hell of a lot of submarines never came back to base in WW II, and in most cases a) there were no survivors, b) very little debris seen.
I also wonder about the basis of the story. The USS Tang was sunk by its own torpedo in October 1944. That leaves about 8 months for the changed torpedoes to operate.
Precisely. I was trained as a mechanical engineer, and IMHO software guys really need to appreciate just how much freedom they have in terms of engineering. I'm not going to go on a rant about lazy engineering and patches and whatnot: such is the nature of our craft.
Just keep in mind that engineers in other industries do not have many of the same freedoms we do. They don't get patches, do-overs, and "oops our bad" opportunities.
Sorry -- agile was the wrong word to use. I didn't mean agile as in loose engineering standards -- I meant agile as in "ability to react quickly and decisively to unexpected events". You can't possibly plan for every contingency, as the story proved, so it's crucial that your organization can quickly and easily fix problems as they come up. This has implications for both engineering and people systems. OODA loop is a better description of what I was thinking of (http://en.wikipedia.org/wiki/OODA_loop).
So having modular, cleanly separated subsystems would matter as much for hardware as for software.
I know it's a joke, but the truth is that this is exactly the kind of bug that unit tests won't find. The unit tests would have simulated a bunch of gyro settings, with and without a single gyro failure (but not two gyro failures, as that was an accepted design limitation).
Running the gyros with the torpedo still on the boat, however, would not have been tested because the designers didn't think of it. If they had thought of it, the failure wouldn't have happened in the first place.
Testing can verify that your software works within the space of behavior that you already know about. It can't make up for your failure to understand the problem fully.
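To make the point concrete, here's a hypothetical sketch (all names and numbers invented) of the self-destruct check as the designers might have specified it, along with the unit tests they could plausibly have written. The tests all pass, yet none of them models the scenario nobody thought of: the torpedo still aboard while the boat itself turns around.

```python
# Hypothetical self-destruct logic: trigger on a full reversal (180
# degrees, per the quoted version of the story), tolerating one gyro
# failure as an accepted design limitation.

def should_self_destruct(cumulative_turn_deg, failed_gyros):
    """Decide whether the torpedo should destroy itself."""
    if failed_gyros >= 2:
        return False  # behavior with two failures was out of scope
    return cumulative_turn_deg >= 180

# The tests exercise the space the designers thought about...
assert should_self_destruct(180, failed_gyros=0)
assert should_self_destruct(270, failed_gyros=1)
assert not should_self_destruct(90, failed_gyros=0)
assert not should_self_destruct(360, failed_gyros=2)

# ...but no test distinguishes "torpedo turned around" from "boat
# carrying the torpedo turned around", because the input space as
# designed can't even express that difference.
```

The failure lives in the missing input, not in the logic under test, which is exactly why a passing suite offers no protection here.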
It's the unknown and unanticipated failure modes that cause the worst problems. Predicted failure modes at least have code to deal with them, even if it's buggy. Unit tests reduce the bugs, but non-existent code for unanticipated failures, while bug-free, doesn't solve the problem.
Sure, writing tests can find design bugs. But that's not really the question at hand here. The specifics are that we have a clear and obvious requirement ("torpedo should self-destruct if it turns a full 360 degrees") that turns out to be missing an important point ("EXCEPT IF IT IS ON THE BOAT").
No amount of testing the former will lead you to realize the latter. Sure, you might happen to come to the realization while writing the test, but you might do so over breakfast too.
I'm not saying "don't do testing". I'm trying to point out that it has limits. The fact that you've written tests and they pass doesn't get you off the hook for design bugs.
I think his point is that the test itself isn't the useful bit. The useful part is that thinking about what to test can uncover bugs.
This is what FMEA (Failure Modes Effects Analysis) does: you assume failures of every part of the system, rank their likelihood and the end effect and see how your design handles it. A good FMEA assumes everything will fail and analyzes the impact. Unfortunately, comprehensive FMEA is expensive and time consuming so it's usually only done for critical subsystems.
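A common way FMEA results are ranked is via a Risk Priority Number: each failure mode gets severity, occurrence, and detection ratings, and their product prioritizes mitigation work. Here's a toy fragment (failure modes and ratings invented for this story, not from any real analysis):

```python
# Illustrative FMEA fragment: rate each failure mode on severity,
# occurrence, and detection (1-10 scales), then rank by the product
# (the Risk Priority Number, RPN).

failure_modes = [
    # (failure mode,                 severity, occurrence, detection)
    ("gyro fails during run",              7,        4,        3),
    ("torpedo stuck in launch tube",       9,        2,        8),
    ("self-destruct charge misfires",     10,        2,        9),
]

ranked = sorted(
    ((s * o * d, mode) for mode, s, o, d in failure_modes),
    reverse=True,
)
for rpn, mode in ranked:
    print(f"RPN {rpn:4d}  {mode}")
```

Note that a comprehensive analysis would have had to include "stuck in tube" as a row at all, which is the hard part; the arithmetic only helps once someone has imagined the failure.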
I guess I can't argue with that, as it's essentially unfalsifiable. But it's worth pointing out that writing a unit test, which is the subject that started this discussion, is definitely not a time when you're "fully considering potential failure scenarios". Unit tests are narrow and focused, and aimed at verifying features.
What you're talking about is something I'd call white box QA. Which is valuable, though it's essentially just an extension of design, and has the same limits.
My broad point still stands: you can't "process" your way out of this with extra testing. Some bugs are just inherent, and stem from the fact that we're human.
Unit tests are narrow and focused, and aimed at verifying features. What you're talking about is something I'd call white box QA. Which is valuable, though it's essentially just an extension of design, and has the same limits.
It seems like most negative arguments regarding "unit tests" start by defining them as a small subset of what can be usefully tested, and then arguing against the value of testing such an incomplete subset.
I don't see the point of drawing such an arbitrary line. I leverage "unit" tests to automatically test units of code as completely as possible (not just 'verify features'), and I expect the same of tests that others write.
Written as a joke, but in my line of work (embedded systems) this is a big problem. Because most of a product's operation may depend on external inputs, it can be impossible to write a suite of unit tests that are useful without also building and automating hardware to generate the external stimuli.
We've come up with some creative responses to this, but nothing remotely like what's possible when you're just moving data around and not, e.g., testing the hardware's ability to start a 300hp diesel engine at its low-temperature limit.
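One common workaround (a sketch under my own assumptions, not the poster's actual setup) is to put the hardware behind a thin interface, so the decision logic can be unit-tested against simulated readings even though the real I/O still needs a test rig:

```python
# Hypothetical hardware abstraction: the control logic only sees an
# interface, so tests can substitute a fake sensor for the real ADC.

class Thermometer:
    def read_celsius(self):
        raise NotImplementedError  # real version reads hardware

class FakeThermometer(Thermometer):
    """Test double returning a canned temperature."""
    def __init__(self, temp):
        self.temp = temp
    def read_celsius(self):
        return self.temp

def preheat_required(thermometer, threshold=-10.0):
    """Decide whether glow plugs must run before cranking the engine."""
    return thermometer.read_celsius() <= threshold

assert preheat_required(FakeThermometer(-30.0))
assert not preheat_required(FakeThermometer(20.0))
```

This tests the decision, not the hardware: whether the engine actually starts at -30 still requires the cold chamber and the rig.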