PPRuNe Forums - View Single Post - BA038 (B777) Thread
Old 13th Aug 2008, 14:02
bsieker
Diversity / Dissimilarity

DozyWannabe, Pacplyer, VnV, others, ...

This is about the B777's FBW system (more specifically, the PFCs).

The approach of having three separate coding teams, isolated from each other, was initially attempted, but eventually rejected. In his paper "Design Considerations in Boeing 777 Fly-By-Wire Computers" Y. C. (Bob) Yeh wrote:

In the design diversity experiment at UCLA [10], the isolation rules were employed in which programming teams were assigned physically separate offices for their work and that inter-team communications were not allowed. The research at academe [10],[11] indicates that multiple versions of programs developed independently can contain similar errors.

Boeing experience is that among sources of errors it is most often the basic requirements which are erroneous or misinterpreted. The key to a successful software implementation is the elimination of errors. The errors due to misinterpretation can be reduced by very close communication between the system requirements engineers and the software designers. In fact, the software designers can help the engineers recognize limitations in the software design when the requirements are being written. There is much benefit from this interactive relationship, which is precluded by the dissimilar software design approach, where systems and software teams must be kept segregated.

So this sounds like diversity is theoretically a good idea, but hasn't been proven to be beneficial in practice.

Coding diversity will not eliminate the most common form of errors, which are requirements errors

I know that the A320's most important flight control computers, the ELACs, each contain one Motorola 68000 and one Intel 80186 processor, which run the same algorithms, but I do not know if their software was developed by isolated teams. There are 2 redundant ELACs, and if they both fail, there are 2 SECs, which also provide pitch and roll control, albeit in a degraded mode (alternate or direct law).

I do not know about hardware/software redundancy within each FADEC channel, neither for Trent nor for CFM56.


Bernd
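As an added illustration of the point made in the post above about requirements errors versus coding errors (this is example code, not part of the post or of Yeh's paper): three independently written versions of one constructed requirement ("flag LOW when altitude is below 1000"), behind a 2-of-3 majority voter. A coding slip in one version is outvoted, but a unit misinterpretation that all three teams share passes the voter unanimously. The requirement text, the versions, the voter and the metres-versus-feet mix-up are all constructed for this example.

```python
from typing import Callable, NamedTuple, Sequence

FEET_PER_METRE = 3.28084
LOW_ALT_THRESHOLD = 1000  # constructed requirement: "flag LOW below 1000"; the unit is left implicit


# Three "dissimilar" implementations of the same constructed requirement.
def version_a(altitude: float) -> bool:
    return altitude < LOW_ALT_THRESHOLD


def version_b(altitude: float) -> bool:
    margin = altitude - LOW_ALT_THRESHOLD
    return margin < 0


def version_c(altitude: float) -> bool:
    # Independent coding slip (constructed): boundary made inclusive.
    return altitude <= LOW_ALT_THRESHOLD


VERSIONS: Sequence[Callable[[float], bool]] = (version_a, version_b, version_c)


class VoteResult(NamedTuple):
    output: bool          # value passed on by the voter
    agree: int            # how many versions produced that value
    dissenters: tuple     # names of versions that were outvoted


def majority_vote(versions: Sequence[Callable[[float], bool]], altitude: float) -> VoteResult:
    """2-of-3 style voter: pass on the majority output and record who disagreed."""
    outputs = [(fn.__name__, fn(altitude)) for fn in versions]
    trues = tuple(name for name, out in outputs if out)
    falses = tuple(name for name, out in outputs if not out)
    if len(trues) > len(falses):
        return VoteResult(True, len(trues), falses)
    return VoteResult(False, len(falses), trues)


def reference(altitude_ft: float) -> bool:
    """What the requirement author actually meant: the threshold is in feet."""
    return altitude_ft < 1000


def demo():
    # Case 1: coding fault in version_c at the boundary is masked by the voter.
    masked = majority_vote(VERSIONS, 1000.0)          # output False, dissenters ('version_c',)
    # Case 2: common-mode requirements error. The sensor (constructed) reports
    # metres; all three teams assumed feet, so all agree and all are wrong.
    alt_m = 400.0                                       # 400 m is about 1312 ft, not LOW
    unanimous_wrong = majority_vote(VERSIONS, alt_m)   # output True, agree 3, no dissenters
    return masked, reference(alt_m * FEET_PER_METRE), unanimous_wrong
```

The voter reports dissent only in the first case; in the second it has nothing to detect, which is the situation the quoted paper describes.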