Boeing 737 Max Software Fix Is Too Slow
Written by Harry Fairhead   
Wednesday, 10 July 2019

The situation with the Boeing 737 Max is rapidly becoming a textbook case in how not to implement embedded systems and how not to deal with problems. It now seems that the software fix that is supposed to return the plane to the skies overloads its flight computer.

The New York Times has a report that in flight simulator tests of the new software a pilot was unable to follow the procedure to regain control of the plane. The key quote is:

"The issue discovered last week is linked to the data-processing speed of a specific flight control computer chip, according to the two people with knowledge of the matter. In the test, the F.A.A. pilot encountered delays in executing a crucial step required to stabilize an aircraft."

This seems to imply that the flight computers aren't up to the job of running the new software. Put simply, the Max's larger engines are mounted further forward and higher than on earlier 737s, and at high angles of attack the bigger nacelles generate extra lift ahead of the center of gravity, pushing the nose up further. That pitch-up tendency doesn't meet the handling requirements for the plane to be certified as a 737 with a common type rating. After trying some hardware solutions, the problem was "solved" in software: MCAS detects a high angle of attack and automatically trims the horizontal stabilizer to push the nose down. An alternative to MCAS would have been, and might still be, to give up the common 737 type rating, certify the Max as a new type and train pilots to fly it.

However, MCAS seems to have been fatally flawed from the start. What caused the problem is that, although the aircraft has two angle-of-attack vanes, MCAS read only one of them, so a single faulty sensor could feed the computer false data and trigger nose-down trim. This design is strange in itself, as most avionic systems are at least doubly redundant.


The objectives of the new software are described by Boeing as:

  • Flight control system will now compare inputs from both AOA sensors. If the sensors disagree by 5.5 degrees or more with the flaps retracted, MCAS will not activate. An indicator on the flight deck display will alert the pilots.

  • If MCAS is activated in non-normal conditions, it will only provide one input for each elevated AOA event. There are no known or envisioned failure conditions where MCAS will provide multiple inputs.

  • MCAS can never command more stabilizer input than can be counteracted by the flight crew pulling back on the column. The pilots will continue to always have the ability to override MCAS and manually control the airplane.

These are the changes that are seemingly overwhelming the computer. It has been suggested that the computer wasn't powerful enough to handle the inputs from two sensors, but this seems unlikely, as an optional extra was already available that displayed the angle and a warning if the two sensors disagreed. The one that sounds difficult to me is:

"never command more stabilizer input than can be counteracted by the flight crew pulling back on the column".

It is difficult to find out the exact nature of the computers in use, but it has been suggested that a dual 80286 design, with the two CPUs sourced from different manufacturers, is most likely. There are two of these flight control computers, and either is capable of handling the demands of the plane in most situations. However, according to one ex-Boeing engineer:

The 737 dual-dual architecture is very unique. The decision to make speed trim single channel, single processor goes back to the 737 classic. The MCAS function is just another FCC software module that behaves, at a high level, like speed trim, whose architecture would have then been replicated.

This seems to be saying that the MCAS function now being revised runs on only one of the two processors in whichever flight control computer is active. The 80286 is an old processor, introduced in 1982, with a single core clocked at somewhere between 6 and 25 MHz depending on the part, and no floating-point unit unless a separate 80287 coprocessor is fitted.


There was a time when it was thought of as a fast processor, but it is more than just a cliché to say that it is now outclassed by almost any mobile phone. Programmed at a low level in C or assembler, it should still be capable of a great deal. Comparing two sensor readings against a threshold, allowing one command per event and clamping a trim command amount to a handful of integer operations per control-loop iteration, and it is difficult to see how changes such as Boeing proposes could overwhelm it: it's a matter of careful design. Of course, at a time when 500 planes are sitting idle, a billion dollars has been wiped off Boeing's financials, contracts are being cancelled and any planes that are being sold at all go at a heavy discount, careful might not be the most important metric.
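To make the point about computational load concrete, here is an added example, written for this article and not Boeing's code, of what the three revised MCAS behaviours Boeing describes (dual-sensor agreement check with a 5.5 degree disagreement threshold, a single command per elevated-AoA event, and bounded authority with crew override) look like as one iteration of a fixed-rate control task. It is written in fixed-point integer arithmetic, as one would for a processor without a floating-point unit. The 5.5 degree figure is from Boeing's description; the activation and reset thresholds, the trim cap, the use of the higher of the two vanes, the flaps-retracted arming condition and the column-pull inhibit are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of the revised MCAS activation logic. Fixed point:
 * angles in hundredths of a degree, trim in thousandths of a stabilizer
 * unit. Only the 5.5 degree disagreement threshold comes from Boeing's
 * description; every other constant is an assumption for illustration. */
#define AOA_DISAGREE_CDEG   550   /* 5.5 deg, from Boeing's description */
#define AOA_ACTIVATE_CDEG  1400   /* assumed: AoA that starts an event */
#define AOA_RESET_CDEG     1200   /* assumed: hysteresis to end an event */
#define MAX_TRIM_MUNITS    2500   /* assumed: cap on nose-down trim per event */

typedef struct {
    int32_t aoa_left_cdeg;        /* left angle-of-attack vane */
    int32_t aoa_right_cdeg;       /* right angle-of-attack vane */
    bool    flaps_retracted;
    bool    column_pulled;        /* crew pulling back on the column */
    int32_t trim_request_munits;  /* trim the control law wants this cycle */
} mcas_input_t;

typedef struct {
    bool in_event;        /* an elevated-AoA event is in progress */
    bool command_issued;  /* the single command for this event has been sent */
    bool aoa_disagree;    /* drives the flight-deck AOA DISAGREE indication */
} mcas_state_t;

static int32_t abs32(int32_t x) { return x < 0 ? -x : x; }

/* One control-loop iteration. Returns the nose-down stabilizer trim to
 * command this cycle in thousandths of a unit, or 0 when MCAS must not act. */
int32_t mcas_step(mcas_state_t *st, const mcas_input_t *in)
{
    /* MCAS is only armed with the flaps retracted (assumption). */
    if (!in->flaps_retracted) {
        st->in_event = false;
        st->command_issued = false;
        return 0;
    }

    /* Dual-sensor agreement check: a disagreement of 5.5 degrees or more
     * inhibits MCAS and lights the indicator. Recomputed every cycle so the
     * flag clears if the vanes agree again. */
    st->aoa_disagree =
        abs32(in->aoa_left_cdeg - in->aoa_right_cdeg) >= AOA_DISAGREE_CDEG;
    if (st->aoa_disagree) {
        st->in_event = false;
        st->command_issued = false;
        return 0;
    }

    /* Use the higher of the two agreeing vanes (assumption). */
    int32_t aoa = in->aoa_left_cdeg > in->aoa_right_cdeg
                  ? in->aoa_left_cdeg : in->aoa_right_cdeg;

    /* Event tracking with hysteresis: one event, one command. */
    if (!st->in_event && aoa >= AOA_ACTIVATE_CDEG) {
        st->in_event = true;
        st->command_issued = false;
    } else if (st->in_event && aoa < AOA_RESET_CDEG) {
        st->in_event = false;
        st->command_issued = false;
    }

    if (!st->in_event || st->command_issued)
        return 0;

    /* Crew override: a column pull inhibits MCAS this cycle (assumption). */
    if (in->column_pulled)
        return 0;

    /* Bounded authority: never command more than the crew can counteract. */
    int32_t cmd = in->trim_request_munits;
    if (cmd < 0) cmd = 0;
    if (cmd > MAX_TRIM_MUNITS) cmd = MAX_TRIM_MUNITS;
    st->command_issued = true;
    return cmd;
}
```

The whole iteration is a few comparisons, one subtraction and a couple of clamps on 32-bit integers, with no division and no floating point. Whatever is slowing the real flight control computer down, it is unlikely to be the arithmetic in the three revised rules; the cost, if there is one, lies in how the second sensor's data reaches a single-channel module and in the timing of the surrounding software.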

It is cute to remember that we sent men to the moon using a computer that would have trouble playing Tetris, let alone running a mobile phone, but when something as ancient as the 286 is said to be at the heart of a complex safety-critical machine like the Boeing 737 Max, it is not so funny. Changing the processor would be as hard as fitting new wings, and getting the new hardware certified would take a long time. This is where technical debt really matters.


More Information

Boeing’s 737 Max Suffers Setback in Flight Simulator Test

Boeing's Software Fix For The 737 MAX Problem Overwhelms The Plane's Computer

Boeing 737 Max Updates

737 MAX - MCAS

Related Articles

Boeing 737 MAX - Software Outsourcing Criticized

Software Quality Blamed For Airbus Crash

Reboot Your Dreamliner Every 248 Days To Avoid Integer Overflow


Last Updated ( Wednesday, 10 July 2019 )