What follows is a post about the “brains” of the 777. They seem to be at the heart of how someone could possibly make a 777 disappear and this post will serve as background for such speculations.
The 777 is a marvel of engineering, being the world’s largest twinjet and Boeing’s first fly-by-wire airliner, and the first commercial airliner designed completely on computers. All flight controls are computer-mediated in the brains or “neural network” of the 777. A panoramic tour of the Main Equipment Center (MEC) where the “brains” are kept can be had by clicking the picture below (courtesy of the font of knowledge):
Photo tours are here and here. The black boxes on the upper right of the photo above are essentially the computer brains known as AIMS. These boxes and many other units in the plane are as known as Line Replaceable Units (LRUs). They communicate with each other and the rest of the plane using standard protocols and interfaces, so each one can be designed individually, swapped out and replaced at will and each does a portion of the work necessary to fly the plane. Units can be added to provide extra functionality, and upgrades, for example retrofitting from AIMS-1 to AIMS-2 as mentioned in the previous post. See also here (PDF).
The various systems, particularly communications that have been talked about as part of the MH370 disappearance are controlled by LRUs: ACARS, navigation and SATCOM are all associated with one or more LRUs.
The avionics bay (MEC) is located in the belly of the plane to the rear of the flight deck. There are three ways to access this avionics bay via:
- the passenger cabin near the galley as shown in the video in the last post,
- an exterior hatch in the belly of the plane, and
- via a door connected to the forward cargo bay. On MH370, passenger luggage was kept in this cargo bay per the Factual Information Report.
The nervous system
There is a rat’s nest of communication protocols used. ARINC 629 (technical PDF) was new for the 777 and patented by Boeing.The older ARINC 429 is also used, presumably to be compatible with older available equipment. An optical fiber ethernet-like (10BaseT) network similar to the familiar Local Area Network (LAN) you may have in your home is also used for high speed communications between LRUs. There are a host of other buses, but those are the major ones.
The ARINC 629 is the main mission critical nervous system of the plane, however, and for good reason as it is quite ingenious. A single twisted pair of wires up to 100 meters long can connect up to 120 LRUs. This simplifies plane wiring by using a single communications bus or wire. If you’re familiar with a typical office wired LAN, there is a cable going to each computer or device on the LAN from a router – lots of wires. The bus is two-way, and any LRU could talk to any other if they know the language, and every LRU can listen to all of the conversations. Connected LRUs politely wait their turn to talk following a set timing protocol. There is no central point of failure as there can be with a router. If one LRU goes down, the others can still talk. Except for redundant control timers to allow each LRU to decide when it’s time to talk, there is no control, and it is robust to failure.
Connection of a device (LRU) to the bus is the ultimate in simplicity. Only a Current Mode Coupler is needed, which is a simple enclosure around the twisted pair of wires. No splicing is needed (or allowed):
If you are into electronics, you can order a desktop B777 ARINC 629 simulator.
There are different ARINC 629 buses for different purposes, because while ARINC 629 is fast, many units talking could overwhelm capacity. The bus needs to be underutilized most of the time so a given LRU can squawk away if need be in critical situations. The simplicity of a single twisted wire bus means you can easily break the communications bus into several pieces to provide this and isolate communications by topic, and there are 11 ARINC 629s altogether. The 777 uses a separate bus for flight controls, for example.
Necessary complexity is added for redundancy and fault-tolerance. There are three buses with triplicate LRUs. If lightning or birds strike the plane, and one bus is knocked out, there is backup, since LRUs are connected to multiple buses. If one LRU fails, there are two backups in some cases.
The B777 flies on 99% ADA, a computer language developed by the US Department of Defense. Even potential software and hardware bugs are dealt with ingeniously: Triple-redundant key LRUs such as the flight computer are “dissimilar” on each of the three ARINC 629 buses on purpose. Each LRU has a different processor from a different manufacturer (Motorola, AMD and Intel) and thus different compilers, so a bug in one compiler or processor does not bring down the plane.
To conceptualize: imagine having home computers that are 3-in-1: an Apple Mac, Windows PC, and Linux system. As you are working a spreadsheet, the spreadsheet is updating on all three, and a lockup, failure or software glitch in one will allow you to continue your work unaffected. When you finish (land), you can fix the broken one. Further imagine the computers each have their own separate power source and are each triplicated (9 total) and physically separated in groups of three, so if part of your house collapses, it does not destroy all of them. This is analogous to the design of the 777 brain.
There is constant monitoring of each system through BITE (Built-In Testing Equipment). Faults can occur, but due to the redundancy, the plane stays flying. Faults are recorded and downloaded, and the system can be repaired on the ground. Presumably Boeing receives some of this information, and periodically provides upgrades to the software via the MAT/PMAT system described in the previous post.
Boeing went so far as to try to physically separate the teams programming each device for “design diversity,” but it didn’t work out quite as they hoped (Yeh, 1998):
The development of the PFC software during the 7J7 program confirmed that the three separate teams, in order to code their logic from the requirements, were having to ask Boeing so many questions for clarification of the requirements that the independence of the three teams was irreparable compromised. This is the reason why Boeing elected to revert to the usual and customary method of creating and certifying flight critical source code.
In the end, all critical systems on the plane are triply redundant, from the brains to the electrical to the hydraulic controls. The 777 is designed very robustly against faults, but was designed in a pre-9/11 era. In future posts, I’ll discuss the implications of all this.