Malaysian Airlines MH370 contact lost
Your post kindly emphasised 'was', making the point that the logic error has been detected.
My point is the logic error of flying on with a tolerated defect in a system with the danger that a second defect could mislead the pilot is a critical vulnerability.
The vulnerability does not go away now that this one has been detected.
The software in the ADIRU is not developed as if it were a video game or a university project: it is developed in line with RTCA DO-178 and ARINC 653. These are very strict standards with a lot of testing. However, despite all the testing some faults may/will be found, and in most cases the system is designed so that a fault in one module will be contained, as part of a Failure Mode Effects Analysis. It would appear that a fault was successfully contained and then unmasked when another module was updated.
Now at that stage, with safety critical software, the FAA and Honeywell reverted to the previous version, which had worked without a problem, using an AD. Honeywell would then have had a 'MUST FIX' top emergency software fix to carry out. In many organizations that means NO new software version can be delivered unless that fault is fixed.
Your attitude that they would have left it on the old version as that was 'good enough' is just not the way the industry works.
I would expect that the fault was fixed within days and then after recertification testing with the FAA and Boeing, Honeywell would have delivered a new ADIRU software build with all known bugs including this one fixed. The longest part of that effort will have been testing, and the particular issue that caused the ADIRU to fail would be included in the new acceptance test suite. Almost certainly there would also have been some effort to defend against ADIRU faults in the FMC software as part of the FMEA work.
High availability safety critical software development demands getting things right, designing systems to be resilient to subsystem faults, and rapid resolution of any faults found.

@Ian W,
Unfortunately the best testing can only test for what you are looking for.
Test scripts will only be based on what are considered possible scenarios.
Furthermore, the IT industry is now full of people who have been taught to program, not learnt to program.
One would like to think an operating system like Windows would be fully tested, yet a host of bug-fixes are released every month, for years.

CVR question
One of the many frustrating and ironic twists in this baffling accident is that, if and when the CVR is finally found (and recovered), it will in all probability, just contain two hours of silence - because only the last two hours of cockpit audio is retained on the CVR. All preceding audio is over-written thus denying investigators arguably their best clues to this bizarre tragedy.
My question is this - How complete is that over-writing?
We all know that deleted data from a PC hard drive can still be read - if you know the right (maybe that should be 'wrong') people. We have already seen this demonstrated with regard to the Captain's flight sim. data.
Could this also be made easier by being over-written by continuous silence? Could there be recoverable 'soft' data under that pure white over-write? Or are there some subtle technical differences between delete, erase and over-write?

Sudden climb may cause loss of windscreen
I have speculated that the ADIRU failure experienced by 9M-MRG, which led to a sudden climb, was experienced by 9M-MRO (on route MH370) on March 8, 2014. The sudden increase in the pressure differential across the hull may have led to another problem recently experienced by two other B777-200s.
On April 13, 2012, an Alitalia B777-200 (EI-ISB on route AZ-8320) flying from Rome to Dubai at FL370 declared an emergency near Athens. The first officer's windscreen had cracked. The crew descended rapidly to 6000 feet and diverted to Athens.
On July 3, 2012, an Air France B777-200 (F-GSPL on route AF-85) flying from San Francisco to Paris at FL370 declared an emergency over Hudson Bay. The windscreen had cracked and the crew reported problems maintaining pressurization in the cabin. The crew descended to 10,000 feet and diverted to Montreal.
All three aircraft are of pretty much the same vintage:
Alitalia EI-ISB first flight December 18, 2002
Air France F-GSPL first flight June 12, 2000
Malaysian 9M-MRO first flight on May 14, 2002
One would need to know the number of cycles, rather than simply the calendar age, to determine if windscreen problems are fatigue-related, and possibly represent a systemic problem which is just now coming to light in the B777 fleet.

Mistakeology
My concern is a systems concern.
The software engineer works in an environment that makes assumptions about its upstream inputs (e.g. a sensor might fail, et al.) and downstream consequences.
Within that is the acknowledgement that the downstream resources (e.g. fault condition SOPs, et al.) cannot cater for all eventualities and so must rely on pilot professional competence & expertise.
The assumptions (e.g. middle value is safe, et al.) exploiting multiple redundancy can render the remaining two of three working transducers worse than a singleton, since failure of either would give an erroneous result. The Australian 777 episode exemplified this.
In that case, flying with a faulty third channel was worse than the system having no redundancy. Has this now been built into all triple redundancy middle value systems?
In both that case and the ill fated Air France episode, incorrect transducer readings were not sufficiently visible to the pilots (the last resort safety system) for it to be obvious to them just what was happening. Even the last resort 'hand fly the beast' option has to be negotiated with a software system that is already perceived, at least partially, as working otherwise than as intended.
It is the combination of reliance on the pilot and being unable to guarantee to present the information the pilot needs that gives the total system a level of vulnerability that can make a safely redundant system dangerous in the presence of a known failure.
An MEL that says a defective component can be tolerated must demonstrate a safe system (including a suitably informed pilot) in the event of ANY subsequent failure.
And when the statisticians do their sums, making standard 'independence' assumptions, they must be obsessive about them, as must everybody from people buying components to the authors of safety procedures.
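The "middle value is safe" point above, as an added illustration (not code from the thread or from any avionics supplier): a naive mid-value voter that keeps a known-faulty channel in the vote hands the output to the two bad channels as soon as any second channel fails, while a voter that drops the tolerated defect and insists on agreement between the survivors flags the miscompare instead. Channel names, values and the tolerance are constructed for the example.

```python
"""Mid-value select (MVS) with a known-faulty channel.

Constructed illustration: a triplex voter that keeps a channel already known
to be defective in the vote is worse than a simplex system once any second
channel fails, because the median of three readings is then decided by the
two bad ones.  The guarded voter drops the known-faulty channel and refuses
to output a value when the survivors disagree, so the crew gets a flag
rather than a plausible wrong number.  All values here are made up.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple


@dataclass
class Channel:
    name: str
    value: float
    known_faulty: bool = False   # MEL-tolerated defect recorded by maintenance


TRUE_VALUE = 250.0   # constructed: the quantity the sensors should report


def mid_value_select(channels: List[Channel]) -> float:
    """Naive triplex voter: the middle of the three reported values.

    It ignores the known_faulty flag, i.e. it 'flies on with a tolerated
    defect' and still trusts that channel's vote."""
    return median(c.value for c in channels)


def guarded_select(channels: List[Channel],
                   tolerance: float) -> Tuple[Optional[float], Optional[str]]:
    """Voter that excludes known-faulty channels and checks agreement.

    Returns (value, flag).  With three good channels it behaves like MVS.
    With two, it averages them only if they agree within `tolerance`,
    otherwise it returns no value plus a miscompare flag.  With one it
    returns that value but flags single-channel operation."""
    good = [c for c in channels if not c.known_faulty]
    if len(good) >= 3:
        return median(c.value for c in good), None
    if len(good) == 2:
        a, b = good
        if abs(a.value - b.value) > tolerance:
            return None, f"MISCOMPARE {a.name}={a.value} {b.name}={b.value}"
        return (a.value + b.value) / 2, None
    if len(good) == 1:
        return good[0].value, f"SINGLE CHANNEL {good[0].name}"
    return None, "NO VALID CHANNEL"


def scenario(second_failure: bool) -> List[Channel]:
    """Constructed snapshot: channel A is stuck high and already known bad;
    optionally channel C then suffers an independent failure, also high."""
    a = Channel("A", 400.0, known_faulty=True)
    b = Channel("B", TRUE_VALUE)
    c = Channel("C", 410.0 if second_failure else TRUE_VALUE)
    return [a, b, c]


if __name__ == "__main__":
    for second in (False, True):
        chans = scenario(second)
        print(f"second failure={second}: "
              f"MVS -> {mid_value_select(chans)}, "
              f"guarded -> {guarded_select(chans, tolerance=5.0)}")
```

With only the tolerated defect present both voters report 250.0; after the second failure the naive voter silently reports 400.0 while the guarded voter returns no value and a MISCOMPARE flag.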


A small point of order
"Prior groundings such as the Comet I (c. 1952), Lockheed Electra (c. 1959), the DC-10 (1979) and 787 were based on physical evidence of a potentially catastrophic problem with the aircraft. In this case, such physical evidence is, to date, completely lacking."
The L-188 Electra fleet was never grounded. Restrictions on max IAS were imposed until the flutter problem was worked out, but unlike the DC-10s and Comets, they continued to operate. That was a decision based on the economics of an airline whose sole equipment was the L-188, and also because no-one knew how the two mid-air breakups they suffered had related causes.

Green
I think part of the reason it is "boring" is that the JACC / Angus Houston and others are not prone to holding, or do not see any need for, unwarranted news conferences, and have succeeded in damping down media speculation.
And apart from the basic info on the search each day, not much else.
That will of course all change when they find something !

Paxing All Over The World
holdatcharlie asks the CVR question.
Question asked and answered much earlier in the thread. The answer (as I recall) was that analogue CVRs might have some trace left, although two hours of continuous erase means probably not. However, the CVR unit on this aircraft was digital so the answer is zero. (I sit to be corrected.)

Ocean Shield - SSS search
AMSA have recently defined the search area as within a circle of 10km radius centred on the 2nd ping detection. That area is defined by the white circle on the graphic below. The rectangular area on a major axis of 030°/210° represents what previous AIS position reports indicate is the area the Bluefin 21 AUV is working in. Each day's positions are a different colour, and the first position for today (20/04:03z) is shown in a cerise colour.
The Red stars represent when pings were acquired, and the sequence is numbered anticlockwise starting at the top. The White star is the position that the pings associated with the first ping were lost (LOS).

The speculation about possible ADIRU software and windscreen problems being an issue in this case begs the question:
<< IF >> one or both of these had been a contributory factor, and assuming substantial recovery of wreckage, would the investigators have any chance of finding evidence of it? Particularly as a windscreen cracked by altitude/pressure changes might resemble one cracked on contact with water.

Just on the issue of windshield failure, there is an interesting digression on the manufacture of the above, in the TSB report pertaining to
AIR FRANCE
BOEING 777-228ER F-GSPZ
CHURCHILL, MANITOBA 290 nm NE
17 OCTOBER 2002
where an arc resulting from overheating in the J5 terminal caused a small fire and the windshield to crack.
I won't link as I can't get it through moderation, but anyway comms were not affected (obviously), so if this were a contributing factor in the present case we would need to find a reason for the lack of comms.
ETA (from the report)
'Boeing has undertaken a program to redesign the window terminal block to eliminate the screw connection. The new window blocks were scheduled to be incorporated into Boeing 777 aircraft, Line Number 471 (delivery date February 2004). The new design incorporates a locking pin/socket, which will address issues concerning loose or cross-threaded screws and inset ferrules. All Boeing 747, 757, 767 and 777 windows delivered thereafter, either on new aeroplanes or as spares, will have the new terminals installed. Boeing intends to deliver spares in kit form with the new wire end terminals included. The operator will have to remove the existing wire end terminal and splice in the new one when replacing windows on existing aircraft. The intent is to eliminate concerns with arcing at the window power terminals.
Boeing released a Fleet Team Digest article to B757 operators in May 2003, discussing terminal arcing and overheating. The article detailed actions to incorporate re-designed terminals into the affected cockpit windows.'
I'm not sure how relevant this might be, but it looks like there was no retro-fitting of the new system so as far as I can figure out, 9M-MRO will have had the original sort.

CVR Question
Holdatcharlie,
As other people above have stated, when data on a PC or Mac has been deleted, the sectors on which the data resides are only flagged as deleted in the file allocation table. On the old 30 minute analogue tape CVR, it may still have been possible to recover overwritten audio, because the erase head isn't always perfectly aligned with the recording head, or may not reset every magnetic fibre on the tape. But on a modern solid state digital CVR it is impossible, because the memory module only has 30 minutes or 2 hours of storage space depending on which model is on the plane, so the oldest data is constantly being overwritten by new data. The older data is completely erased.
I hope this helps.

Finding more cabin recordings
The hope is on finding more cabin recordings based on passengers' personal devices being used during those dramatic final hours (i.e. smartphones, video cameras, etc.). Their memories might still be readable if sea water has not degraded their components seriously.

Unfortunately the best testing can only test for what you are looking for.
Test scripts will only be based on what are considered possible scenarios.
Furthermore, the IT industry is now full of people who have been taught to program, not learnt to program.
One would like to think an operating system like Windows would be fully tested, yet a host of bug-fixes are released every month, for years.

You've already been told above not to compare the generic IT industry to the niche part of the IT industry that deals with safety-critical systems.
Windows and such like are not subjected to the same formal design process that safety critical systems are. Thus of course you will get a greater number of bugs, some of which may cause substantial issues to the stability of the system. Bleeding edge generic IT projects these days can use agile development... no such thing in safety critical systems... in safety critical systems there is a traceability requirement for you to be able to show that a given line of source code fulfils given requirement specifications; the level of detail is truly excruciatingly tedious, but it all serves a very important purpose!
Sure there's always scope for issues, but the whole point of the almost obsessive-compulsive development methodology for safety critical systems is that failure or bugs won't kill anyone!

On another note....
"Malaysian authorities are considering issuing death certificates for the missing passengers of MH370.
It's part of the plan to provide financial assistance to the families of passengers.
Deputy Foreign Minister Hamzah Zainudin, head of the next of kin committee, said no decision had been made on how much each family might receive".
Er ? The Montreal Convention.
Or is the carrier going to prove that they are totally "without fault".

Thanks PPL-Hobbyist
I used to do IC design when the Nimrod project was ongoing many years ago, in Si and GaAs, and I haven't thought much about FETs in a long time! The media is almost certainly NAND memory.
What I was explaining is that, depending on the technology used (FAT32 for example), recording loads of the same noise will not take as much room (maybe 10%) as a chatty cockpit, and that therefore voice files that have been tagged in the file table as deleted may not have been overwritten. If so, they may be recovered.
