Free Republic

To: GovernmentShrinker
A Google search reveals lots of interesting information about the 777 avionics and engine management systems. Here is some good info from Ada Used for On-Board Flight Control. I would guess it's a software failure problem...

Honeywell's Airplane Information Management System (AIMS) project consists of the largest central computer on the jetliner; it runs 613,000 new lines of code (defined as body semicolons), taking up 15,656 kilobytes (KB) of disk space and 4,854 KB of random-access memory (RAM). With redundancy, the software runs to 46,191 KB and 10,732 KB of RAM. A multiprocessor, rack-mounted system, the AIMS replaced many of the line-replaceable units and reduced hardware and software redundancy.

Two AIMS boxes handle the six primary flight and navigation displays: two sets are located in front of both the captain and copilot so that they can move from one seat to the other, and two central sets of engine parameters are shared by the pilots. The primary flight instruments indicate pitch and roll attitude, direction, air speed, rate of climb, altitude, etc. The AIMS also includes the central maintenance function, which receives reports from the 777's other computers and then gathers the data into a central maintenance report for the mechanic. Its monitoring system gathers data on how other functions are doing, and can determine, for example, that an engine is degrading, before it actually fails. Other AIMS functions include a data-conversion gateway, flight data acquisition, data loading, an Ada conversion gateway, and thrust management.

Honeywell's massive effort on the 777 involved over 550 software developers. The company built the AIMS computer as a custom platform based on the AMD 29050 processor. It was unique among aviation systems for integrating the other computers' functions; in other systems, each function resides in a different box [the central maintenance had its own box with its own input/output (I/O), its own central processing unit (CPU), etc.]. AIMS combines all these functions and shares the CPU and I/O among them: it uses the same signals for flight management and for displays, so that the data comes in only once instead of twice; one input circuit provides data to all of the functions; each of the functions gets a piece of the CPU, as in a mainframe computer, where systems use part of the CPU but not all of it; and every function is guaranteed its time slot. Engineer Jeff Greeson said that "The federated system is obsolete. Putting all the functions in one box is a jump ahead in technology that we've brought to the industry."

Another innovation is that the disk drive can read files formatted for the Microsoft Disk Operating System, which provides maintenance with access to the terminal communications. The mechanics can transfer files for data loading over the airplane bus, because Honeywell built the program to accept new data and to change the software. In fact, most of the equipment on the airplane has that ability; only a few classic systems do not (such as the ground-proximity warning system, which has proven sufficiently trustworthy and not in need of change).

Designing a new architecture simultaneously with a new language was "quite exciting," Greeson said. "The organizational details were difficult to put together." With Ada, managers were able to delegate the seven main functions to groups of 60-100 software engineers. The separate software entities have minimal interface with other parts of the software, and not all of the software is integrated. By working with loosely coupled pieces, the project leaders were able to farm out the functions to other groups. The loose integration, however, does not tie the software to the 777 platform, and will assist in Honeywell's using the code for other targets. "We needed the maximum ability to port it to other places," Greeson said.

Ronald Ostrowski, director of Engineering, claims that the Boeing twinjet is already the most tested airplane in history. For more than a year before the flight, Boeing tested the reliability of the 777's avionics and flight-control systems around the clock, in laboratories simulating flight. Design changes were made only after six months of testing the endurance of three engine types (Pratt & Whitney, Rolls Royce, and General Electric).

One compelling reason behind the extensive pre-testing was Boeing's desire to meet the Federal Aviation Agency's (FAA's) Extended Twin Operations (ETOPS) standards ahead of schedule. The original ETOPS rule was drafted in 1953 to protect against the chance of dual, unrelated engine failures. Unless a newly designed and produced aircraft has at least three engines, it usually has to wait, sometimes as long as four years, before the FAA and the Joint Airworthiness Authorities (JAA) will allow it to fly more than one hour from an airport; after a time, the new aircraft is deemed a "veteran" and is allowed to fly three hours away. A shortened trial period would drastically increase Boeing's sales.

Granville Fraser, a propulsion engineer at Boeing, said that a company protects itself better from engine failure by preventing in-flight problems outside the engine, such as faulty warning lights, than by concentrating solely on the engine's mechanics. "Over 50 percent of engine shutdown is irrelevant to the core engine," he said. "It has to do with electrical, fire systems, etc." On the 777, those outside systems are programmed in Ada.

Pratt & Whitney laboratories can, therefore, test the engines, but the quality of the software will have an equal role in determining the reliability of the 777's engines and its conformation to the ETOPS standards.

On the maiden flight, with the Boeing Telemetry room in constant contact with the plane, the engines performed better than expected. The 777 proved itself an ETOPS "veteran" on its first flight out, becoming the first twin-engine plane to win FAA approval for "ETOPS out of the box." The trend towards more reliable hardware and software is revolutionizing aviation and can be found in aircraft other than the 777.


17 posted on 01/19/2008 9:21:43 AM PST by ProtectOurFreedom


To: ProtectOurFreedom
"Over 50 percent of engine shutdown is irrelevant to the core engine," he said. "It has to do with electrical, fire systems, etc." On the 777, those outside systems are programmed in Ada.

Good find, guess we'll just have to wait now.

19 posted on 01/19/2008 9:38:48 AM PST by orlop9

To: ProtectOurFreedom
...AIMS combines all these functions and shares the CPU and I/O among them...

That scares the hell out of me. I'm a software engineer, 20+ years doing it, with a MS in Comp Sci... I also have a Mechanical Engineering degree and ... This just doesn't sound right. You absolutely want the systems necessary to keep the bird in the air isolated from the more mundane "nice to haves."

Yes, Ada as a language, and Ada certified compilers are great. You almost have to try to shoot yourself in the foot with Ada. I've used it, even though I'm a C++/Java weenie now. By comparison, Java has at least a trigger lock. C++ loads the sidearm, chambers a round, pulls back the hammer, and hands you a scotch on the rocks... ;-)

In any complex system you can have unexpected, unintended emergent behavior. Sure, the flight control tasks no-doubt have highest priority, are well isolated logically from the other tasks, say the cabin environmental controls etc. But what about something unexpected? I'm sure the Honeywell guys are top notch. But in such a complex system can they really say they've accounted for all possible combinations/interactions? Every possible failure mode of every sensor and system (hardware/software) connected to this CPU that performs all these wonderful functions? It just seems like a very bad design decision up front to not have isolated the primary flight control system.

Yes it costs more, so what? How much does one of those embedded computers cost? Compare that with the cost of the aircraft - 150 to 230 million? It's not like they're Ford or GM or Toyota, turning out a few hundred thousand of these aircraft. They'll probably only build a few hundred, maybe a couple thousand tops if they're lucky.

39 posted on 01/19/2008 7:37:04 PM PST by CodeMasterPhilzar
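
The "every function is guaranteed its time slot" claim in the quoted article, and the isolation concern in the reply above, as an added example that is not part of the thread and not Honeywell's code: a C model of one scheduling frame run with and without enforced windows. The function names come from the article; `run_frame`, the tick budgets and the demands are constructed for illustration.

```c
#include <stdio.h>

/* Constructed schedule: names follow functions the article lists;
   the tick budgets and demands are invented for illustration. */
typedef struct {
    const char *name;
    int budget;   /* ticks reserved in every frame */
    int demand;   /* ticks the function tries to use this frame */
    int start;    /* out: tick at which it began running */
    int ran;      /* out: ticks it actually executed */
    int overrun;  /* out: 1 if it was cut off at the window edge */
} partition_t;

/* Runs one frame in list order and returns the frame length in ticks.
   enforce=1: fixed windows, an overrunning function is cut off.
   enforce=0: shared CPU, every function runs to completion. */
int run_frame(partition_t *p, int n, int enforce)
{
    int t = 0;
    for (int i = 0; i < n; i++) {
        int cut = enforce && p[i].demand > p[i].budget;
        p[i].start = t;
        p[i].overrun = cut;
        p[i].ran = cut ? p[i].budget : p[i].demand;
        /* enforced: the window always lasts its budget; otherwise the
           overrun shifts every function scheduled after this one */
        t += enforce ? p[i].budget : p[i].demand;
    }
    return t;
}

int main(void)
{
    partition_t f[] = {
        {"central maintenance", 2, 9, 0, 0, 0},  /* misbehaving: wants 9 */
        {"displays",            3, 3, 0, 0, 0},
        {"thrust management",   3, 2, 0, 0, 0},
    };
    int len = run_frame(f, 3, 1);
    printf("enforced: frame=%d, thrust starts at %d\n", len, f[2].start);
    len = run_frame(f, 3, 0);
    printf("shared:   frame=%d, thrust starts at %d\n", len, f[2].start);
    return 0;
}
```

With enforcement the thrust-management window opens at the same tick no matter what the maintenance function does; the overrun flag is the event a health monitor would log.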

To: ProtectOurFreedom

The fact that the code is written in Ada has less to do with anything than the extent to which the code coverage and 178-B compliance was done. There is C/C++ code in existence that is DO-178B certified.

I hope that the Special Branch/MI5 is looking at possible external causes for the dual engine failure to increase power. Some sort of EMP/directed energy weapon should not be ruled out.


40 posted on 01/19/2008 7:37:30 PM PST by rahbert



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson