|Boeing 737 Max Software Fix Is Too Slow|
|Written by Harry Fairhead|
|Wednesday, 10 July 2019|
The situation with the Boeing Max 737 is rapidly becoming a textbook case on how not to implement embedded systems and how not to deal with problems. It now seems that the software fix that will return the plane to the skies overloads its flight computer.
The New York Times has a report that in flight simulator tests of the new software a pilot was unable to follow the procedure to regain control of the plane. The key quote is:
"The issue discovered last week is linked to the data-processing speed of a specific flight control computer chip, according to the two people with knowledge of the matter. In the test, the F.A.A. pilot encountered delays in executing a crucial step required to stabilize an aircraft."
This seems to imply that the flight computers aren't up to the job of running the new software. Put simply, the engines in the Max are forward of the center of gravity and when power is increased the lift from the larger nacelle causes the nose to rise, which isn't allowed under regulations for it to be certified as a 737. After trying some hardware solutions, the problem was "solved" by software, MCAS, detecting the change in angle and automatically pushing the nose down. An alternative to MCAS would have been, and might still be, to give up the 737 certification, certify it as a new plane and get pilots to train to fly it.
However MCAS is likely to have been fatally flawed from the start. What seems to have caused the problem is that a single angle-of-attack sensor was used and this fed the computer false data. This design is strange in itself as most avionic systems are at least doubly redundant.
The objectives of the new software are described by Boeing as:
These are the changes that are seemingly overwhelming the computer. It has been suggested that the computer wasn't powerful enough to handle the inputs from two sensors, but this seems unlikely as an optional extra was available that would display the angle and a warning if the two sensors were in disagreement. The one that sounds difficult to me is:
"never command more stabilizer input than can be counteracted by the flight crew pulling back on the column".
It is difficult to find out the exact nature of the computers in use, but it is suggested that a dual 80286 with CPUs from different manufacturers is the most likely. There are two of these systems and either are capable of handling the demands of the plane in most situations. However according to one ex-Boeing engineer:
The 737 dual-dual architecture is very unique. The decision to make speed trim single channel, single processor goes back to the 737 classic. The MCAS function is just another FCC software module that behaves, at a high level, like speed trim, whose architecture would have then been replicated.
This seems to be saying that the MCAS system that is being revised only runs on one of the processors in one of the systems. A 80286 is an old processor, circa 1986, with a single core running at 20MHz or so.
There was a time when it was thought of as a fast processor, but it is more than just a cliche to say that it is now outclassed by most mobile phones. Programmed at a low level in C or assembler, it should be capable of a great deal and it is difficult to see how changes such as Boeing proposes could overwhelm it - it's a matter of careful design. Of course, at a time when 500 planes are sitting idle, 1 billion dollars has been wiped off Boeing's financials, contracts are being cancelled and if any planes are being sold at all it is at a heavy discount - careful might not be the most important metric.
It is cute to remember that we sent men to the moon using a computer that would have trouble playing tetris, let alone running a mobile phone, but when something as ancient as the 286 is said to be at the heart of a complex safety-critical machine like the Boeing 737 Max, it is not so funny. Changing the processor would be as hard as fitting new wings and would take a lot of time to get certification for. This is where technical debt really matters.
or email your comment to: firstname.lastname@example.org
|Last Updated ( Wednesday, 10 July 2019 )|