SE300 Software Engineering Practicesmercury.pr.erau.edu/~siewerts/se300/documents/Lectures/... ·...

February 12, 2015 Sam Siewert SE300 Software Engineering Practices Lecture 8 Interactive Architecture and Design Case Study Flight 447 (System Architecture and Design)


Page 1: SE300 Software Engineering Practicesmercury.pr.erau.edu/~siewerts/se300/documents/Lectures/... · 2015-03-03 · SE300 Software Engineering Practices Lecture 8 – Interactive Architecture

February 12, 2015 Sam Siewert

SE300

Software Engineering Practices

Lecture 8 – Interactive Architecture and

Design Case Study – Flight 447

(System Architecture and Design)

Page 2

Business This Week

Return and Go Over Mid-Terms – Thursday

Return Assignment #2 This Week

Turn in Assignment #3 This Week

Form Teams for Assignment #4 to #6

Go Over Assignment #4 Before Break

Sam Siewert 2

Page 3

Interactive Architecture – Case Study

Best Effort, Predictable Response, Hard Real-Time

Quality of Interaction

– Latency – Time Between Real Event and Presentation or Input and Realization or Actuation

– Lag (Over Networks) – Transport of Event Data

– Jitter – Variation in Latency and/or Lag Over Time

Presentation of Information – Graphics, Video, Indicators, Text

Input – Keyboard/Mouse, Hand Controller, Data Glove, Gestures, Voice, Eye-trackers, Other

Flight 447 Investigation – Official Documents


Page 4

Copyright (c) 2014 by the McGraw-Hill Companies, Inc. All rights reserved.

6-4

Four Common Types of Systems

[Figure: (a) Interactive subsystem; (b) Event-driven subsystem; (c) Transformational subsystem; (d) Database subsystem]

Page 5

Aerospace Interactive Systems Avionics

– Flight Management System

– Flight Control System

– Auto-Pilot

– Instrumentation

– Health and Status Indicators

UAV/UAS Operations

Satellite Mission Operations and Control (POCC, MCC)

Air, Ground and Space Multi-Segment Systems

Security and Safety Threat Monitoring Systems

Many more …


Page 6

Interactive Architecture & Design Flight 447 Case Study – A330, Fly-by-wire, Rio De Janeiro to Paris – PBS Nova

Did Interactive Features of Avionics Have Anything to Do with Crash? – Multiple Factors Contributed, But Root Cause is What?

1. Weather and RADAR limitations

2. Multiple Pitot Tube failures linked to Auto Pilot shutdown

3. Air Speed / Auto-thrust, Lack of thrust feedback?

4. Side-stick controllers? - Boeing vs. Airbus Viewpoints on Yoke/Side-stick

5. Pilot error? – Standard Op for Speed Maintenance (const. thrust, pitch)

6. Cascading Alarms? (Ignore at Key Times)

7. Stall Likely, But Should Not be fatal

8. Design of avionic interactive system itself?

– Last report 350 miles on route as expected at 1:35am, lost from RADAR as expected in mid-Atlantic due to Earth curvature

– Weather Issues Developed 3 hours into 11 hour flight

– Deep Sea Digital Flight Recorder and Radio Black-Box Recovery – Nearly Impossible

– ACARS maintenance text messages start at 2:10am, showing the failure log (24 critical faults)

What Could be Done to Improve Systems?


Page 8

BB Recovery May 2011, 2 Years Later (Value of BB Recorders?) – INMARSAT Location (Similar to MH370, But More Data: Limited Search Area Based on Cooperative ACARS Uplinks)

– ATC Primary RADAR and Secondary Transponder Ground-stations (Holes in Many Locations, Esp. Transoceanic flights)

– ATC NextGen Satellite Link – ACARS, AFIRS, ADS-B

BEA (Summary of Contributing Facts)

1. temporary inconsistency between the measured speeds, likely as a result of the obstruction of the pitot tubes by ice crystals, causing autopilot disconnection and reconfiguration to alternate law;

2. the crew made inappropriate control inputs that destabilized the flight path;

3. the crew failed to follow appropriate procedure for loss of displayed airspeed information; the crew were late in identifying and correcting the deviation from the flight path;

4. the crew lacked understanding of the approach to stall;

5. the crew failed to recognize that the aircraft had stalled and consequently did not make inputs that would have made it possible to recover from the stall


Page 9

Lessons Learned? BEA (Causal Analysis)

1. feedback mechanisms on the part of those involved made it impossible to identify and remedy the repeated non-application of the procedure for inconsistent airspeed, and to ensure that crews were trained in icing of the Pitot probes and its consequences;

2. the crew lacked practical training in manually handling the aircraft both at high altitude and in the event of anomalies of speed indication;

3. the two co-pilots' task sharing was weakened both by incomprehension of the situation at the time of autopilot disconnection, and by poor management of the "startle effect", leaving them in an emotionally charged situation;

4. the cockpit lacked a clear display of the inconsistencies in airspeed readings identified by the flight computers;

5. the crew did not respond to the stall warning, whether due to a failure to identify the aural warning, to the brevity of the stall warnings that could have been considered spurious, to the absence of any visual information that could confirm that the aircraft was approaching stall after losing the characteristic speeds…
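As an added example (not code from the lecture, Airbus, or the BEA report), a toy redundant-airspeed monitor in Python that applies causal findings 4 and 5 above: pitot disagreement is surfaced as an explicit, latched annunciation instead of a silent autopilot reconfiguration, and the message is held long enough that a brief transient cannot be read as spurious. The 20-knot tolerance, 30-second hold time, mid-value selection and the sample readings are all assumptions.

```python
# Illustrative model only: not the A330 flight-control logic. Thresholds,
# hold time and the pitot samples below are assumed values for the example.
from dataclasses import dataclass, field
from statistics import median

DISAGREE_KT = 20.0   # assumed: spread above which the three readings are inconsistent
HOLD_SECONDS = 30.0  # assumed: annunciation stays up at least this long after onset


@dataclass
class AirspeedMonitor:
    latched_until: float = -1.0           # time until which the warning is held
    events: list = field(default_factory=list)  # (t, message) log of onsets

    def status(self, t, readings):
        """Return (selected_airspeed_or_None, annunciation) for one sample.

        readings: three pitot-derived airspeeds in knots at time t (seconds).
        """
        spread = max(readings) - min(readings)
        if spread > DISAGREE_KT:
            # Disagreement: declare airspeed unreliable, log the onset once,
            # and (re)latch the message so it persists past the transient.
            if t > self.latched_until:
                self.events.append((t, "UNRELIABLE AIRSPEED"))
            self.latched_until = max(self.latched_until, t + HOLD_SECONDS)
            return None, "UNRELIABLE AIRSPEED"
        if t <= self.latched_until:
            # Probes agree again but the hold period has not expired: keep the
            # annunciation visible while supplying the mid-value airspeed.
            return median(readings), "UNRELIABLE AIRSPEED (hold)"
        return median(readings), "NORMAL"


SAMPLE = [  # constructed: (t seconds, (pitot1, pitot2, pitot3) in knots)
    (0.0, (275.0, 276.0, 274.0)),
    (1.0, (275.0, 276.0, 274.0)),
    (2.0, (275.0, 221.0, 274.0)),   # one probe iced: readings diverge
    (3.0, (230.0, 222.0, 274.0)),   # second probe affected
    (4.0, (275.0, 276.0, 274.0)),   # probes agree again after ~2 s
    (20.0, (275.0, 276.0, 274.0)),  # still inside the hold window
    (40.0, (275.0, 276.0, 274.0)),  # hold expired, back to normal
]


def run(sample):
    """Feed the constructed samples through one monitor; return rows and event log."""
    mon = AirspeedMonitor()
    rows = [(t, *mon.status(t, r)) for t, r in sample]
    return rows, mon.events
```

Running `run(SAMPLE)` shows the warning raised at t=2.0, kept up through t=20.0 even though the probes agree from t=4.0 on, and cleared only at t=40.0.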


Page 11

Much More to This Story

Combination of Errors – Weather + System + Crew

Issues with Automation – Crew Confusion, Fatigue, Overload, Collaboration (E.g. Side-stick Issues)

Auto-Pilots, Intelligent Transportation – Safer?

Avionics Design Flaws? HCI Design Flaws?

Why is Aircraft Tracking Still Unreliable & Inaccurate?

– 2009 to MH370, Almost 5 Years Later, Lost, BB Not Recovered

– MH370 Sat Transponder May Have Been Turned Off, Youtube, PBS NOVA, Local


Page 12

Qantas 32 – A380 Highly Automated Aircraft

Well Coordinated Crew (5 Pilots)

Engine #2 Blow Out

Wing Damage, Fuel Leak

– Youtube - Recreation

– Health and Status, Check-lists for Managing Damaged Aircraft to Safe it for Emergency Landing

– Human Inspection of Damage

– Training Typically Far Less than Cascade of Issues Seen in Real Scenario

– Ground Support from Qantas Operations Center and Singapore ATC

– Automated Landing Gear Hydraulics

– Ends Well After Ground Shutdown Issues
