
Triple-Triple Redundant 777 Primary Flight Computer (1996) [pdf] - aaronbrethorst
http://www.citemaster.net/get/db3a81c6-548e-11e5-9d2e-00163e009cc7/R8.pdf
======
rplst8
I worked some of the follow on projects to the 777 that involved the next
generation 737. A lot of people may not realize this, but much of the software
and avionics that goes into Boeing aircraft is designed, built, and
manufactured by other smaller third parties. The amount of work that goes into
those embedded systems is truly impressive. Additionally, the rigor with which
it is built is exemplary. Software standards for commercial aviation are
extremely strict, disallowing the use of dynamic memory allocation, pointer
math, and other typical low-level language "features" or "shortcuts". There
are also strict code coverage test requirements, demanding that primary
partitions of the flight avionics have their code tested in what is known as
MCDC [1]. Additionally, I/O code that uses low level data buses must be tested
for bit independence. The process is extremely rigorous.

[1]
[https://en.wikipedia.org/wiki/Modified_condition/decision_co...](https://en.wikipedia.org/wiki/Modified_condition/decision_coverage)
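
A worked illustration of what the MC/DC criterion mentioned above actually demands, added here as an example; the code is not from the paper, the poster, or any avionics toolchain. The decision `a and (b or c)`, the "unique cause" form of the criterion (each condition is shown to independently change the outcome by a pair of tests that differ in that condition only), and the brute-force search are all assumptions made for the illustration:

```python
from __future__ import annotations

from itertools import combinations, product
from typing import Callable, Dict, List, Sequence, Tuple

Vector = Tuple[bool, ...]          # one truth assignment to the decision's conditions
Decision = Callable[..., bool]     # the decision under test, e.g. lambda a, b, c: a and (b or c)


def independence_pairs(decision: Decision, n: int,
                       tests: Sequence[Vector]) -> Dict[int, List[Tuple[Vector, Vector]]]:
    """For each condition index 0..n-1, list the pairs of test vectors that
    demonstrate it: the two vectors differ in that condition only and the
    decision outcome differs (the "unique cause" form of MC/DC)."""
    outcome = {t: bool(decision(*t)) for t in tests}      # dict also dedupes repeated tests
    pairs: Dict[int, List[Tuple[Vector, Vector]]] = {i: [] for i in range(n)}
    for t1, t2 in combinations(sorted(outcome), 2):
        changed = [i for i in range(n) if t1[i] != t2[i]]
        if len(changed) == 1 and outcome[t1] != outcome[t2]:
            pairs[changed[0]].append((t1, t2))
    return pairs


def uncovered_conditions(decision: Decision, n: int, tests: Sequence[Vector]) -> List[int]:
    """Conditions for which `tests` contains no independence pair."""
    pairs = independence_pairs(decision, n, tests)
    return [i for i in range(n) if not pairs[i]]


def mcdc_satisfied(decision: Decision, n: int, tests: Sequence[Vector]) -> bool:
    return not uncovered_conditions(decision, n, tests)


def minimal_mcdc_set(decision: Decision, n: int) -> List[Vector]:
    """Smallest test set achieving MC/DC, by brute force over subsets of the
    2**n truth vectors (fine for the handful of conditions in one decision).
    No set smaller than n + 1 can work, so the search starts there; branch
    coverage of the same decision needs only 2 tests."""
    space = list(product((False, True), repeat=n))
    for size in range(n + 1, len(space) + 1):
        for candidate in combinations(space, size):
            if mcdc_satisfied(decision, n, candidate):
                return list(candidate)
    raise ValueError("no MC/DC set exists: some condition never affects the outcome")


if __name__ == "__main__":
    guard = lambda a, b, c: a and (b or c)                      # constructed example decision
    branch_tests = [(True, True, False), (False, False, False)]  # 100% branch coverage
    print("uncovered by branch tests:", uncovered_conditions(guard, 3, branch_tests))
    print("minimal MC/DC set:", minimal_mcdc_set(guard, 3))
    # A condition that can never be shown to matter is dead logic in the decision.
    everything = list(product((False, True), repeat=2))
    print("dead conditions:", uncovered_conditions(lambda a, b: a or (a and b), 2, everything))
```

Two tests give full branch coverage of `a and (b or c)` yet demonstrate none of its three conditions; MC/DC needs four. A condition that no pair of vectors can ever demonstrate (the `a or (a and b)` case) is a finding in its own right, since it means the source contains logic that cannot affect the outcome. Real MC/DC tooling also has to deal with short-circuit evaluation, coupled conditions (the same variable appearing twice), and the masking variant of the criterion, none of which this toy handles.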

~~~
peterwwillis
Can you talk about the roles of people who enforce the standards? Is there
just a typical QC role like in the medical device industry, or are there extra
roles to verify more specialized standards, in addition to QA personnel?

------
johnm1019
This is a great reminder that some things are, in fact, complicated.
Furthermore, smart people, good process, and hard work can conquer this.

Lately I've been flying a lot and even now, after hundreds of flights, each
time the plane takes off I think about how amazing it is that this whole air-
travel system works so reliably and safely. Kudos to Boeing and Airbus
engineers.

I've worked in nuclear energy, surgical medical imaging devices, and in the
auto industry - and it really gets me in a tizzy when a fresh "agile MBA
manager" expects a "quick hack" solution to some of these problems. There just
isn't always one when quality/reliability are requirements, not nice-to-haves.

~~~
ucaetano
Nothing like a good "engineers are gods and MBAs are dumb" post to start the
day.

Sounds like your company is clearly hiring the wrong MBAs; maybe the problem is
your company :)

~~~
peterwwillis
Sounds like you haven't worked in nuclear energy, surgical medical imaging
devices or the auto industry.

Agile is designed to get a product to a customer, rapidly and adaptively. But
this is mostly useful for software that stands alone; you can't always rapidly
adapt microcontrollers, bone drill burrs, heavy turbines and optical sensors.
Even if you could make a 'quick hack' to one, there's 50 standards to
reassess, and if one fails, you have to go back and re-do your change.

The OP is right. There are problems that require longer term, complicated
solutions that have to be designed first, approved second, and implemented
third. An agile MBA is not dumb; they just don't all work on the same
problems.

~~~
ucaetano
To be honest, it sounds more like you're talking about agile people. "Move fast and
break things" doesn't work in any of those scenarios; I've seen a lot of people
during my engineering days who just wouldn't work under the pressures required
to design a system with extremely high reliability.

It goes back to hiring the right people, not to the people themselves :)

~~~
jhall1468
> I've seen a lot of people during my engineering days who just wouldn't work
> under the pressures required to design a system with extremely high
> reliability.

I think the difference is that most engineers understand when high reliability
is necessary, even if they can't deal with the pressure of implementation. An
MBA whose job is to "move the ship faster" simply isn't going to understand
the distinction between parts of the system that can be thrown together, and
parts that absolutely can't.

Hard to hire the right people when the majority of MBAs aren't engineering
undergrads.

------
samlittlewood
From a quick scan - each system also has a different sort of processor: AMD
29K, Motorola 68040, and Intel 80486

~~~
ejdyksen
Also, different compilers:

 _Each PFC channel contains three dissimilar processor lanes, and software
from Ada source code using three different Ada compilers to provide triple
dissimilarity._

------
donkeyd
It was once explained to me that the development of the flight computer
software is also done by 3 completely separate teams. Because of this, the
chance that the same bug occurs in all 3 systems is incredibly low.

~~~
sitkack
Faults in human cognition aren't randomly distributed. While N-versioning
helps with these issues, it doesn't prevent them to the level one would
assume. Nor does it correct for systemic flaws in the specification.
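
The point about correlated faults, shown as an added example that is not from the paper or from any of the posters. Three constructed lanes implement the same toy requirement (clamp a scaled input to a limit), and a mid-value-select voter passes the median and names any lane that disagrees. The voter design, the gain and limit, and the numbers are assumptions for the illustration, not the 777 PFC's actual voting scheme:

```python
from statistics import median
from typing import Callable, List, Sequence, Tuple

# Constructed requirement for this toy: command = clamp(GAIN * input, -LIMIT, +LIMIT).
GAIN = 0.5
LIMIT = 25.0

Lane = Callable[[float], float]


def lane_a(x: float) -> float:
    return max(-LIMIT, min(LIMIT, GAIN * x))


def lane_b(x: float) -> float:
    y = GAIN * x
    if y > LIMIT:
        return LIMIT
    if y < -LIMIT:
        return -LIMIT
    return y


def lane_c_faulty(x: float) -> float:
    # Independent implementation fault: the lower clamp was forgotten.
    y = GAIN * x
    return LIMIT if y > LIMIT else y


def vote(outputs: Sequence[float], tolerance: float) -> Tuple[float, List[int]]:
    """Mid-value select: pass on the median of the lane outputs and report the
    lanes that deviate from it by more than `tolerance`. With three lanes, a
    single lane's arbitrary wrong value can never be the median."""
    selected = float(median(outputs))
    disagreeing = [i for i, o in enumerate(outputs) if abs(o - selected) > tolerance]
    return selected, disagreeing


def run_frame(lanes: Sequence[Lane], x: float, tolerance: float = 1e-6) -> Tuple[float, List[int]]:
    """One compute frame: every lane sees the same input, the voter picks the output."""
    return vote([lane(x) for lane in lanes], tolerance)


def undetected_error(lanes: Sequence[Lane], x: float, expected: float,
                     tolerance: float = 1e-6) -> bool:
    """True when the voter passes a value that differs from `expected` while
    reporting no disagreement: a common-mode error that voting cannot see."""
    selected, disagreeing = run_frame(lanes, x, tolerance)
    return not disagreeing and abs(selected - expected) > tolerance


if __name__ == "__main__":
    lanes = [lane_a, lane_b, lane_c_faulty]
    # Independent fault: only lane C is wrong at -80; the voter masks it and names it.
    print(run_frame(lanes, -80.0))                       # (-25.0, [2])
    # Common-mode error: suppose the requirement itself was wrong and the airframe
    # actually needed LIMIT = 20.0. All three lanes agree on 25.0 and the voter is silent.
    print(undetected_error(lanes, 80.0, expected=20.0))  # True
```

The voter only ever learns that lanes disagree. An independent coding fault in one lane is outvoted and flagged, but a wrong requirement that all three teams implemented faithfully produces three matching wrong answers and no alarm. Dissimilar processors and compilers (see the quote from the paper elsewhere in the thread) address faults in the toolchain and hardware, not errors in the specification the lanes were built from.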

~~~
ucaetano
That's why I only use software coded by at least 3 different species, two of
them being not-earth-based and one not-carbon-based :)

~~~
sitkack
Programmers in the future will spend the majority of their time debugging code
written by AIs

------
sitkack
This field is old and interesting.

[http://www.inf.pucrs.br/~zorzo/cs/n-versionprogramming.pdf](http://www.inf.pucrs.br/~zorzo/cs/n-versionprogramming.pdf)

[https://en.wikipedia.org/wiki/N-version_programming](https://en.wikipedia.org/wiki/N-version_programming)

This is an excellent overview
[http://www.adelard.com/papers/divchap.pdf](http://www.adelard.com/papers/divchap.pdf)
in regards to
[https://appsrv.cse.cuhk.edu.hk/~lyu/book/sft/](https://appsrv.cse.cuhk.edu.hk/~lyu/book/sft/)

