Inside the brains of a Boeing 777

What follows is a post about the “brains” of the 777.   They seem to be at the heart of how someone could possibly make a 777 disappear and this post will serve as background for such speculations.

The Cortex

The 777 is a marvel of engineering, being the world’s largest twinjet and Boeing’s first fly-by-wire airliner, and the first commercial airliner designed completely on computers.  All flight controls are computer-mediated in the brains or “neural network” of the 777.   A panoramic tour of the Main Equipment Center (MEC) where the “brains” are kept can be had by clicking the picture below (courtesy of the font of knowledge):

The brains of a 777 (click for a panoramic tour).

Photo tours are here and here.  The black boxes on the upper right of the photo above are essentially the computer brains known as AIMS.   These boxes and many other units in the plane are as known as Line Replaceable Units (LRUs).    They communicate with each other and the rest of the plane using standard  protocols and interfaces, so each one can be designed individually, swapped out and replaced at will and each does a portion of the work necessary to fly the plane.  Units can be added to provide extra functionality, and upgrades, for example retrofitting from AIMS-1 to AIMS-2 as mentioned in the previous post.  See also here (PDF).

The various systems, particularly communications that have been talked about as part of the MH370 disappearance are controlled by LRUs:  ACARS, navigation and SATCOM are all associated with one or more LRUs.

The avionics bay (MEC) is located in the belly of the plane to the rear of the flight deck.  There are three ways to access this avionics bay via:

1. the passenger cabin near the galley as shown in the video in the last post,
2. an exterior hatch in the belly of the plane, and
3. via a door connected to the forward cargo bay.  On MH370, passenger luggage was kept in this cargo bay per the Factual Information Report.

The nervous system

There is a rat’s nest of communication protocols used.   ARINC 629 (technical PDF) was new for the 777 and patented by Boeing.The older ARINC 429 is also used, presumably to be compatible with older available equipment.  An optical fiber ethernet-like (10BaseT) network similar to the familiar Local Area Network (LAN) you may have in your home is also used for high speed communications between LRUs.  There are a host of other buses, but those are the major ones.

The ARINC 629 is the main mission critical nervous system of the plane, however, and for good reason as it is quite ingenious.  A single twisted pair of wires up to 100 meters long can connect up to 120 LRUs.   This simplifies plane wiring by using a single communications bus or wire.   If you’re familiar with a typical office wired LAN, there is a cable going to each computer or device on the LAN from a router – lots of wires.  The bus is two-way, and any LRU could talk to any other if they know the language, and every LRU can listen to all of the conversations.   Connected LRUs politely wait their turn to talk following a set timing protocol.  There is no central point of failure as there can be with a router.  If one LRU goes down, the others can still talk.  Except for redundant control timers to allow each LRU to decide when it’s time to talk, there is no control, and it is robust to failure.

Connection of a device (LRU) to the bus is the ultimate in simplicity.   Only a Current Mode Coupler is needed, which is a simple enclosure around the twisted pair of wires.   No splicing is needed (or allowed):

Connecting an LRU to the ARINC 629 ( Y. C. Yeh. Design considerations in Boeing 777 fly-bywire computers. In Proceedings Third IEEE International High-Assurance Systems Engineering Symposium, pages 64–72, Washington, DC, USA, 1998)

If you are into electronics, you can order a desktop B777 ARINC 629 simulator.

ARINC 629 B777 simulator.

Triple-triple redundancy

There are different ARINC 629 buses for different purposes,  because while ARINC 629 is fast, many units talking could overwhelm capacity. The bus needs to be underutilized most of the time so a given LRU can squawk away if need be in critical situations.  The simplicity of a single twisted wire bus means you can easily break the communications bus into several pieces to provide this and isolate communications by topic, and there are 11 ARINC 629s altogether.  The 777 uses a separate bus for flight controls, for example.

Necessary complexity is added for redundancy and fault-tolerance.  There are three buses with triplicate LRUs.   If lightning or birds strike the plane, and one bus is knocked out, there is backup, since LRUs are connected to multiple buses.   If one LRU fails, there are two backups in some cases.

The B777 flies on 99% ADA, a computer language developed by the US Department of Defense. Even potential software and hardware bugs are dealt with ingeniously:  Triple-redundant key LRUs such as the flight computer are “dissimilar” on each of the three ARINC 629 buses on purpose.   Each LRU has a different processor from a different manufacturer (Motorola, AMD and Intel) and thus different compilers, so a bug in one compiler or processor does not bring down the plane.

Triple-triple redundancy (Yeh, 1998)

To conceptualize:  imagine having home computers that are 3-in-1: an Apple Mac, Windows PC, and Linux system.   As you are working a spreadsheet, the spreadsheet is updating on all three, and a lockup, failure or software glitch in one will allow you to continue your work unaffected.  When you finish (land), you can fix the broken one.   Further imagine the computers each have their own separate power source and are each triplicated (9 total) and physically separated in groups of three, so if part of your house collapses, it does not destroy all of them.  This is analogous to the design of the 777 brain.

There is constant monitoring of each system through BITE (Built-In Testing Equipment).   Faults can occur, but due to the redundancy, the plane stays flying.   Faults are recorded and downloaded, and the system can be repaired on the ground.   Presumably Boeing receives some of this information, and periodically provides upgrades to the software via the MAT/PMAT system described in the previous post.

Boeing went so far as to try to physically separate the teams programming each device for “design diversity,” but it didn’t work out quite as they hoped (Yeh, 1998):

The development of the PFC software during the 7J7 program confirmed that the three separate teams, in order to code their logic from the requirements, were having to ask Boeing so many questions for clarification of the requirements that the independence of the three teams was irreparable compromised. This is the reason why Boeing elected to revert to the usual and customary method of creating and certifying flight critical source code.

In the end, all critical systems on the plane are triply redundant, from the brains to the electrical to the hydraulic controls.  The 777 is designed very robustly against faults, but was designed in a pre-9/11 era.  In future posts, I’ll discuss the implications of all this.

Would the waypoint SCCI (Punta Arenas) even be in the plane’s navigation system?

Good question.

The Flight MH370 Boeing 777-200ER was originally delivered to Malaysia Airlines on May 31, 2002.  It was the 404th 777 built.  It most likely came installed with a first generation AIMS-1 Airplane Information Management System.   Second generation AIMS-2 did not arrive until 2003.  Although the B777 can be upgraded, there is no public record of this and the Malaysian Factual Information Report simply refers to the system as “AIMS,” which can be taken as a generic name for AIMS-1/2 or what AIMS-1 was referred to as before AIMS-2 came along.

This is important, because the AIMS-1 avionics system has very limited memory (PDF document from MITRE Corporation) for navigation and airport databases.  In fact, with databases continually growing, it not possible for an AIMS-1 system to hold the entire world catalog.   Databases are provided by suppliers (Boeing’s Jeppesen, Lufthansa’s LIDO, or Navtech/ EAG) in ARINC 424 format.   It is not clear which supplier Malaysian Airlines used for their 777s, but Lufthansa’s LIDO system was selected for Malaysian Boeing 737s and Airbus A380s.  Airlines practice database capacity management by restricting what is loaded to grid squares or use other techniques such as restricting airports, which consume a lot of space.  Another strategy could be to restrict airports by runway length.  World databases for runways of 5000 feet or more are around 8MB in size, whereas the AIMS-1 stores 2 MB, but by restricting to only 777-capable runways, the size would be less. It’s not clear if restricting to longer 777-capable runways, the world would fit in AIMS-1.  Airlines actually have limited capability to modify these databases, but would coordinate with the vendor.  GIven the popularity of the 777 as a “worldliner,” they have no doubt come up with solutions.

Accuracy is very important and navigation databases are generally regulated to be refreshed every 28 days, so every 28 days, 9M-MRO (MH370) should have received an upload of the latest database on a floppy disc (yes, typically a 3.5-inch floppy disc unless they had AIMS-2 and something better like Alaska Airlines).  The pilot and copilot can display the current database version and expiry dates on their respective displays (Control Display Unit or CDU).  According to Boeing, the diskettes are intended to be kept in a binder on the airplane. The uploads would have been done with something like a Maintenance Access Terminal (MAT) or Teledyne Controls Portable Maintenance Access Terminal (PMAT) (PDF).  PMATS can be kept in the aircraft’s E/E Bay (Main Equipment Center (MEC)), but there is a MAT terminal and PMAT port on the flight deck, and PMAT ports in the nose and right wheel wells and the Jack Screw area.  Here is an incredible video tour of a 777 E/E bay in-flight, with a shot of a PMAT device and the AIMS system (courtesy LGHamiltonUSA).

Newer versions of dataloaders are wireless, for example Teledyne’s eADL Wireless Ground Link.  These airborne data loaders can save airlines money, not to mention the hassle of floppy discs.  Such system are available for 777s but It is not clear what kind of system Malaysian Airlines would have used.

Malaysian Airlines flew to Buenos Aires, Argentina as recently as 2012, so it’s conceivable they would have had ARINC 424 format South American region navigation data on hand, at least in old versions.   These filghts were by Boeing 747s, however, likely due to ETOPs restrictions (twin engine planes are limited to how long they can fly on one engine in case of engine failure) on 777s that only recently were revised.  Punta Arenas’ Carlos Ibanez del Campo International has a runway capable of landing a 777 and would easily be in such a regional database as an alternate airport, I would guess.  If not, it could simply be there as a waypoint.

ATSB, in their June Underwater search areas report examined the possibility that MH370 flew through the waypoint RUNUT as discussed in The Destination.  This could perhaps be included in a southeast asia regional database, but it’s not clear whether ATSB was guessing or actually knew what was installed on MH370.

It is unknown what Malaysian Airlines may have subscribed to for their regular navigation database (NDB) subscriptions, or what regions they specified to be installed on their 777s.  Different planes could easily have different regions installed.   9M-MRO flew all over the world in it’s history, so it’s unclear how MAS would have managed the limited AIMS-1 memory for this plane.

All that to say: I don’t know, but it’s unlikely if the aircraft was using AIMS-1, depending on Malaysian Airlines navigation database policies.  Unless someone intentionally installed it there, however, the path coincidentally fits.

On the reasons for this site

Everything should be made as simple as possible, but no simpler

or perhaps more accurately:

It can scarcely be denied that the supreme goal of all theory is to make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation of a single datum of experience.  – Albert Einstein

The main reason for the creation of this site began a couple of weeks ago, when I decided to immerse myself in the latest developments in the search for MH370.   I became somewhat known for reverse-engineering the Inmarsat BTO data the authorities would not release about three weeks after the disappearance, and a week after formulating the Waypoint Hypothesis.  This allowed independent researchers a small breakthrough in cracking the code of the satellite data and examining possible locations.  Turns out my work was only as good as the poor diagram we had to work with, but it was a start.  Eventually the raw data was released.

From that core, the Independent Group (IG) eventually emerged and began trying to crack the other half of the code, the BFO (Burst Frequency Offset) or Doppler that allowed Inmarsat to say the plane went north or the plane went south.  Eventually, Inmarsat released the methodology (or the IG cracked it first, I’m not sure) and the IG and others came up with their own analyses to match and compare to the official investigation.  Legend has it the IG became influential in steering the official investigation towards a more reasonable search location indicated by the satellite data, though they (officials) won’t admit to it.

I strongly support the current search of the IG/ATSB combined swath.   It is arguably where the satellite data alone points as most likely, but other areas can be made to fit, including the Waypoint Hypothesis I believe, and that gets back to the quote at the top of the page.

It’s prudent to compute the most likely location holistically, taking into account human factors and any other relevant data.  Satellite data alone may be too simple, and subject to interpretation that leads to a wide swath, and limited search resources spread too thinly.   There are ways to further narrow the search if the current campaign that ends in May 2015 does not find MH370.  The search must continue if so.  I believe  “X” Marks the spot type analyses are warranted for the next phase.  A holistic view can lead to new insights and understanding as possibilities are ruled out.  It is prudent to set down the computers for a moment and ask “Why?”

Welcome

The Waypoint Hypothesis is a simple hypothesis of the unprecedented loss of MH370.  It’s a hypothesis based on simple assumptions. It provides a detailed location that MH370 may rest at that so far hasn’t been searched.

It’s compatible with all of the evidence, as far as I know.  To read more click the links/menu above or start with About.