From: Niklas Holsti <niklas.holsti@tidorum.invalid>
Subject: Re: Boeing 737 and 737 MAX software
Date: Thu, 18 Apr 2019 18:13:02 +0300
Message-ID: <ghrifuFssqbU1@mid.individual.net>
In-Reply-To: <ee336443-cddc-4a26-bba2-610efb82d9be@googlegroups.com>
On 19-04-18 16:53 , tranngocduong@gmail.com wrote:
> Generally, flight control software is supposed to use multiple,
> redundant, algorithms (including multiple, redundant, computers and
> sensors) to derive flight parameters.
Yes.
[snip]
> Yet the faulty left AoA sensor went undetected. How can it be?
The descriptions of the MCAS system that I have seen say quite clearly
that it used only one of the two AoA sensors mounted on the aircraft
(and that this single-sensor design is unacceptable for a flight-control
system that ended up with this level of authority and criticality).
I have not seen any statement about other standard SW that would be able
to flag an AoA sensor as faulty. There was an optional addition that
could do it, not mounted on the planes that crashed. The whole MCAS
system was an add-on and perhaps for that reason not well integrated
with the rest of the flight SW (this is speculation on my part).
> a) Ada was used but programmers have chosen a wrong (too relaxed)
> subtype, or another language was used and programmers failed to code
> whatever is equivalent to raising and handling a CONSTRAINT_ERROR.
> Simply: software bug.
>
> b) Contrary to general belief, the software was not programmed with
> multiple redundant computation. Simply: process failure.
>
> I chose to believe a).
From the descriptions I have read, it is clear (to me) that (b) was the
case, at least that MCAS used a single AoA sensor and there was no
cross-check against the other AoA sensor or other sensors or
computations. Moreover, the descriptions of the planned correction to
the 737 MAX focus on using both AoA sensors and warning the pilots if
they disagree, which is coherent with (b) but not with (a).
On the issue of Ada subtypes, it seems to me that if the SW
specification, design and coding consider sensor faults (as they of
course should), the normal approach for such critical SW is _not_ to use
strongly constrained subtypes and rely on Constraint_Error handling. The
normal approach is to add explicit and specific range checks and
sensor/computation cross-checks. That would be much easier to specify
and test, and would also make it much easier to identify the faulty
sensor(s) and to handle such situations properly.
--
Niklas Holsti
Tidorum Ltd
niklas holsti tidorum fi
. @ .
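As an added illustration of the two approaches contrasted above (not code from the post or from any real flight software), the following Ada program puts a constrained subtype that relies on Constraint_Error beside explicit range checks and a cross-check between two AoA sensors. The plausible range, the disagreement threshold and the sensor readings are all assumed, constructed values.

```ada
with Ada.Text_IO; use Ada.Text_IO;
--  Added example, not code from the original post; limits and readings are assumed.
procedure AoA_Check is
   type Degrees is digits 6;   --  raw reading, deliberately unconstrained
   Min_AoA    : constant Degrees := -20.0;   --  assumed plausible range
   Max_AoA    : constant Degrees :=  40.0;
   Max_Spread : constant Degrees :=   5.0;   --  assumed disagreement limit

   --  (a) constrained subtype: an out-of-range reading raises
   --  Constraint_Error wherever it is first assigned, with no indication
   --  of which sensor produced it and no record of the offending value.
   subtype Plausible_AoA is Degrees range Min_AoA .. Max_AoA;

   function Via_Subtype (Reading : Degrees) return Degrees is
      V : constant Plausible_AoA := Reading;   --  may raise Constraint_Error
   begin
      return V;
   end Via_Subtype;

   --  (b) explicit checks: each sensor is range-checked on its own, then
   --  the two are cross-checked; the result names the failing sensor.
   type Status is (Valid, Left_Bad, Right_Bad, Disagree);
   type Result is record
      State : Status;
      Value : Degrees;   --  meaningful only when State = Valid
   end record;

   function Explicit_Check (Left, Right : Degrees) return Result is
   begin
      if Left not in Min_AoA .. Max_AoA then
         return (Left_Bad, 0.0);
      elsif Right not in Min_AoA .. Max_AoA then
         return (Right_Bad, 0.0);
      elsif abs (Left - Right) > Max_Spread then
         return (Disagree, 0.0);
      end if;
      return (Valid, (Left + Right) / 2.0);
   end Explicit_Check;

begin
   --  Constructed readings: left sensor faulty (70.0), right plausible (3.5).
   begin
      Put_Line ("(a) " & Degrees'Image (Via_Subtype (70.0)));
   exception
      when Constraint_Error => Put_Line ("(a) Constraint_Error, sensor unknown");
   end;
   Put_Line ("(b) " & Status'Image (Explicit_Check (70.0, 3.5).State));
end AoA_Check;
```

Approach (b) is the one that lets a test case name the failing sensor and lets the caller decide what to do with it; approach (a) only tells the handler that some check somewhere failed.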