Re: Boeing 737 and 737 MAX software

[tranngocduong@gmail.com]

On Thursday, April 18, 2019 at 7:44:17 PM UTC+7, Maciej Sobczak wrote:
> > True, airspeed needs not be computed this way. But it must be somehow computed.
> 
> Note that the airspeed had to be computed (or measured) long before the new sensor was invented, so presumably the method of computing it was not taking the new sensor into account anyway. And I don't expect that method to be changed just because some new sensor is installed.
> 
> I don't see any reason for using this addition anywhere in the system.
> 
> > True, it is possible that the software was written in Ada. But then, the fact that it didn't raise an exception
> 
> If the addition was never performed (because there was no reason to do it), then it is quite reasonable that no exception was raised.
> 
> One could imagine a contract that binds several such values in constraints that are motivated at the system-level and this is arguably where Ada could help. But I doubt such novel programming techniques would be even considered.
> 
> > indicating a failure to detect/handle so "exceptional" situations as AoA implying negative [horizontal] airspeed, is simply unbelievable.
> 
> Why? The new sensor was not installed to detect negative airspeed, but to detect stalls.
> 
> This system might have been written in Ada or C (I don't expect anything else to be even considered) with the same results. Which, arguably, is not helping to promote the language (whichever was used).
> 
> -- 
> Maciej Sobczak * http://www.inspirel.com

I'm not sure what is the "new sensor" but I'll try to explain my point in other words.

Generally, flight control softwares are supposed to use multiple, redundant, algorithms (including multiple, redundant, computers and sensors) to derive flight parameters. The derived values, if not used directly to control the aircraft, may be used to monitor the flying computer, the sensors, or the software itself. 

In particular, in the case of the 737, we may assume that sufficiently redundant computation can detect faulty AoA sensor without using any additional AoA sensor. The aforementioned addition is an example of such a (redundant) computation.

Note that this method is not novel. It is just an instance of a more general principle that every input data have to be validated.

Yet the faulty left AoA sensor went undetected. How can it be?

a) Ada was used but programmers have chosen a wrong (too relaxed) subtype, or other language was used and programmers failed to code whatever equivalent to raising and handling a CONSTRAINT_ERROR. Simply: software bug.

b) Contrary to general belief, the software was not programmed with multiple redundant computation. Simply: process failure.

I chose to believe a).