How Safe Is Airplane Software?
SEATTLE AND PITTSBURGH
The wheels leave the runway. The nose heads skyward. Now, who should fly the plane: the pilot or a computer? That's a question coming to the forefront - again - as commercial airplanes become increasingly dependent on software.
A year ago near Toulouse, France, an Airbus Industrie A-330 crashed in a test flight due to a design flaw in its autoflight system.
Now, the Boeing Company, which has been slower to automate its cockpit than Airbus, has put its new 777 jet into service with the firm's most complex computer software and hardware systems ever. As the plane took its first passenger flight earlier this summer, a Seattle Times report questioned whether the software had been adequately tested.
The challenges in the air are complicated by difficulties on the ground. For example, an air-traffic-control center responsible for six Northwestern states briefly lost all ground-to-air communication last week when a new software system crashed.
With several million passengers a day depending on flight-control systems, is arcane software creating new and unpredictable safety problems?
"It's a very important issue," says Nancy Leveson, a University of Washington researcher and author of "Safeware" (Addison Wesley, 1995), a book about software safety. While such problems can arise anywhere from subway systems to atomic weapons or power plants, aerospace is one of the most difficult areas.
Relying on software raises two concerns, software experts say. First, is the software itself reliable? In one instance, Ms. Leveson says, "an F-18 [fighter plane] crashed when the computer assumed it couldn't get into a certain attitude." Most software glitches "are not coding errors. They're really errors in the software requirements," she says.
Boeing, known for taking a conservative approach, leaves pilots with maximum opportunity to control the plane and override computers, compared with other jetmakers. The 777 has stuck with that tradition, and Leveson says she knows of no safety problems with the airplane.
The second issue is the human-machine connection. Flight systems with many modes that behave differently in different situations can leave the crew momentarily confused at a critical moment.
Since the rise of more-automated cockpits in the early 1980s, "hundreds of incidents and a few fatal accidents have occurred in which pilot-computer interface was a factor," according to a report earlier this year in the magazine Aviation Week & Space Technology. All of the big three commercial jetmakers - Airbus, Boeing, and McDonnell Douglas Corp. - face this issue.
Ohio State University researchers found that many pilots did not realize that to abort a takeoff in a Boeing 737, the autothrottle would have to be disconnected, in addition to adjusting manual controls.
One driving force behind cockpit automation is the desire to keep fuel use down through better flight management. Automation also has allowed the crew in general to get better information, such as integrating data from many instruments into an intuitive map display.
"We all generally think it's a far superior way to fly," says Robert Simpson, director of the Flight Transportation Laboratory at the Massachusetts Institute of Technology in Cambridge, Mass.
The industry safety record has been improving steadily over recent decades, but Leveson says it is not clear automation software has been a factor. "Boeing's basic design philosophy ... is that the pilot is always in control of the airplane," says spokeswoman Kirsti Dunn. Airbus, by contrast, takes the view that sometimes computer systems should override pilots, preventing them from doing something wrong. The question, experts say, is whether software programming can take all possible circumstances into account.
Whatever philosophy prevails, aviation software is tested far more rigorously than the business software found in most offices, agrees Lowell Jay Arthur, an author of several software-engineering books. "They do a lot of things that a Microsoft coding wizard ... probably isn't going to think about."
Boeing's Ms. Dunn says 777 workers "have validated the airplane through the most comprehensive laboratory, ground, and flight-testing program in commercial aviation history." With some 150 computer systems linked together to help the pilots control the aircraft, Dean Thornton, former head of Boeing's commercial airplane division, called the jet "one big computer."
In the 777, Boeing has made a big effort to make the cockpit feel familiar to pilots accustomed to manual controls. Some pilots have expressed doubts about the plane. But the prevailing view seems to be one of cautious trust.
"If the pilots didn't have any confidence in it they wouldn't be flying it," says Bob Flocke of the Air Line Pilots Association union in Washington. He says pilots had unprecedented involvement in the plane's cockpit design.
"I would not hesitate to fly on a 777," adds Tani Haque, chief executive of SQL Software, a reliability management company based in Vienna, Va. But "it's still very difficult to get the software-engineering tools that are required to do as well as we can [with] software reliability."
Perhaps because of the rising complexity of flight-management systems, pilots are now being trained to understand what the automation systems are telling them, but not necessarily how the automation works. Southwest Airlines, meanwhile, has chosen to limit the automation features available to its pilots, who all fly Boeing 737s.