zzuf

DaveReidUK

Yes, that was my point, supported by the FDR trace.

alf5071h

Speed of Sound

DaveReidUK

Peter Lemme, in the link you quoted in your previous post, states:

kilomikedelta

perhaps if the software and sensor device drivers were written in assembler by programmers who understood the hardware inter-relationships,these accidents could have been avoided.
I suppose machine language and assembler are foreign languages these days with few practitioners but the MBA's want things done cheap and dirty especially if they can outsource if offshore.

alf5071h

quentinc

I would imagine the forces at the stabilizer, played some part in the setting of VMO, which had now been exceeded.

SteinarN

The friction per definition should be the same. However the force required will not be the same.
Think of this as pushing a car uphill against a slight inclination versus pushing it downhill the same inclination. The friction from the wheels running on the ground is the same in both cases, but in the first example you have the added force from the uphill inclination to overcome versus in the downhill example the force from the downhill inclination helps you pushing the car.

DaveReidUK

The aircraft was more-or-less level and only just above Vmo at the point where those two brief applications of trim occurred.

The widely quoted 500 kts was subsequent to that, the result of the last episode of MCAS AND trim kicking in and the unrecoverable descent.

threemiles

This is a serious system design matter. MCAS does its job as planned. It is just the wrong job. There is no need for assembler to speed anything up. It makes code harder readable, less maintainable and certifyable ... oops.

bsieker

In hindsight that is probably a shortcoming of the risk and hazard assessment of the ADIRUs of the A330, yes. But the rationale for regarding all air data invalid at indicated air speed below 60 knots is that it was simply not known how the aircraft would behave in that regime. And it is sometimes a better idea (although that, too, requires careful evaluation and assessment) to flag all data as invalid (or not deliver it at all) rather than deliver data wich may be wrong.

As far as I recall the A3330 was not flight tested into a full stall, and very few other ways of flying that slow can be envisioned.

On the other hand it is not clear that the "reverse logic" (pitch down in a deep stall: stall warning comes on, raise the nose again: stall warning stops) of the stall warning at very high angles of attack and very low indicated air speeds was a causal factor in the accident: There are some indications that the crew did not only not react to the stall warning, but that they literally did not perceive it. It was lost to cognitive overload.

While the absolute value may be valid (although 75° is probably a bit of a stretch, even AF447 never even reached 50°. but the 25° or so from Lion Air is clearly in an attainable range), some things can also be deduced about the validity by evaluating rate of change, or cross-checking with other values, such as static and total pressures, vertical speed, pitch angle, acceleration, etc., even without cross-checking with the other-side AoA.


Bernd

threemiles

Also, they were in a 30 degrees bank turn when things started to really go wrong. Almost no pitch, 340 kts, no ability to pull or trim ANU, how can that work out? Before the bank had increased slowly over 2 to 3 minutes for whatever reason.
Then they were flying at 10000 feet, inside a MSA sector of 14000 ft, heading towards range with a peak of 11000 MSL, with little to no climb rate. Albeit in VMC, this alone is brutal.

bsieker

That is possibly the worst suggestion so far.

Assembly code is almost impossible to analyse for correctness in any meaningful way. It is far better (and provably so) to write in a well-specified (i. e. not C) language, prove the source code correct (for which scalable and practical techniques exist today), or define and prove correct a finite state machine and have code generated from it. That still leaves one with a need to have reasonable confidence in the compiler, but in many cases the service history for the most-used language core, and, in some recent cases, formally verified compilers, take care of that.

Just because you have one hero programmer who claims to have done it "Right" in assembly does not help you in any way because you need to demonstrate that it does what it is supposed to do (reliability), and never does what it is not supposed to do (safety), and ideally also never fails (availabilitiy). And this cannot be demonstrated by testing alone to the extremely high requirements needed in aviation. Assembly and machine code are avoided like the plague in safety-critical programming, and rightly so. Where some parts require it, extreme care must be taken to get it right, and the amount must be kept to a minimum.

Besides, as threemiles has pointed out, the implementation is not the problem (as far as we can tell, it may be flawless), but the specification. "Working as specified" can also mean that it did the wrong thing.

Bernd

.Scott

Having programmed in machine language, I would NOT recommend it. It would be very difficult to reach the level of confidence for direct machine code (or even assembly) that would be required for this software.

Just to be clear, we are talking about software that must not allow the MAX to do a mid-flight back flip and/or break up while also not dooming the plane to a high-speed nose dive. And if it fails and is disabled, the pilot may not be able to act fast enough to recover. It's hard to image a software component on an ATP flight that is more critical.

The sequence would be: requirements, requirements review, design, design review against the requirements, test development based on the design, test procedure review, coding, code review, code testing. This requires code that can be examined by several team members with no chance of misinterpretation.

So what is needed it a well exercised development environment - one that's been around for several years and has been very widely used - with a good reputation and version release notes that reflect a solid tool.

ecto1

I know some plane computers are properly built and programmed and that part of the industry works ok. That's exactly what I meant with 《we know how to do it》.

What I meant is that there is a 《all or nothing》spirit that doesn't quite cut it. Either is a 8 year development with millions of man hours on it ,or a terrific patch that looks like done overnight. No middle ground.

I'm all in for a cheap patch. The cheapest possible, no need to doom the plane and start over. But if the computers in the plane have no room for improvement, a software patch in 1980s style is not going to be enough. We need sanity checks, cross sensor checks and history checks on ALL sensors. Not only AOA.

Precisely, no software patch will fix the issue of mcas being useless for real life (too slow).

unworry

Indeed.

.Scott

I doubt that they used C or C++, but given appropriate coding standards, I do not have problems with either. In fact, a major issue with keeping the code in alignment with an understandable design is in what kind of awkward and extraneous semantics the programmers needs to go through to getting the code to do what they want. Languages like C# are advertised as "safer" because they prevent certain types of errors - like memory management. But they add a major layer of code that is unrelated to the final functionality. That makes the really important parts of the code diffused and harder to review.

When I say "appropriate coding standards", the issue is reviewability. So using the C++ support for object oriented coding is good. Using polymorphism or the "virtual" keyword is avoidable - and for an application like this, should be avoided.

.Scott

Interesting. I guess somewhere in this thread is a revelation that the MCAS hardware was too slow - I hadn't heard that. It it's from the 1980's, where they using Ada? That was one of those "safe" languages - but may come with a lot of overhead. If it had been coded in C, there would have been no practical problem with the machine speed.

If I was the FAA, I would not allow the plane to fly without having simulators available that fully simulate operations where the MCAS can work and fail - and then require that the pilots go through the different failure modes before visiting the MAX cockpit. If the MCAS hardware needs to be replaced, replace it.

I think that if Boeing tackles this problem correctly, they could have the planes flying safely in about four months. Or they can go for Micky Mouse fixes and risk either an ineffective fix or a recovery timeline that goes well beyond four months.

FlightDetent

MelVic's original remark read to me that accepting 75° raises questions how was the input validation done if at all.