University of Bielefeld - Faculty of Technology
Networks and Distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.


Comments on aspects of Mary Schiavo's book
"Flying Blind, Flying Safe"

Keith Hill

Consultant, FAA Designated Engineering Representative for Level A software
Seattle, WA

10 April 1997


Summary

I dealt with the FAA for a number of years as a Boeing employee and as a Designated Engineering Representative (DER). I was Chief Engineer for embedded software for the 777 airplane, and was ultimately responsible for embedded software for all Boeing airplanes.

Without doubt the FAA is an agency that has much room for improvement, but many of Ms Schiavo's criticisms are not justified. The book has evidently been hastily compiled, and contains many factual errors. The author's view is that the FAA is accountable for virtually all failures related to air travel. Despite her distrust of the FAA, the author believes that more government regulations and/or more rigorous inspections will cure whatever ails the air transport industry.

FAA Footdragging?

The FAA is in a tough position. They have the unenviable task of making decisions that affect safety while keeping in mind the impact on the industry. In contrast, the NTSB has no such restrictions. They are free to make all manner of recommendations to the FAA without regard to cost or installation implications. The FAA is taken to task several times in the book for failure to implement NTSB recommendations. In some cases the criticism is justified, but in other cases the preponderance of the evidence is that the incremental benefit is far smaller than the cost.

Sources

Information sources are presented as an appendix to the book. Unfortunately the sources are broken down only by chapter, so it is left to the reader to try to tie the references to specific areas of the text. I am, however, very familiar with the articles in the Seattle Times and the Computer Weekly that relate to certification and software issues of the 777 airplane.

The Seattle Times articles were written by Byron Acohido - the aerospace correspondent. For years, Byron had refused to report Boeing information in a balanced way, and Boeing was forced to exclude him from getting access to their briefing data. (Other Seattle Times reporters' access was not affected). Lack of information did not slow Byron down. The articles he wrote continued to have a strong anti-Boeing bias, and were filled with misinformation he had gathered from various sources including the Computer Weekly.

The Computer Weekly articles were, if anything, worse than those from the Seattle Times. I recall that the Computer Weekly somehow got hold of a minority position paper I authored for the RTCA DO-178B committee, which explained why Boeing was not in favor of a proposed addition to DO-178B. The new process concerned routine software-related audits to be conducted by the FAA on airframers' subcontractors. Eventually the difference was amicably settled, and the audits actually took place on several 777 software suppliers. Somehow the Computer Weekly managed to distort the wording in the position paper into the idea that Boeing was opposed to FAA tests on safety critical software, and created a headline to that effect.

I suspect that headline led to the comment on page 182 of Ms. Schiavo's book, "When the FAA asked Boeing to test its software, the aircraft manufacturer refused..." Other excesses of the Computer Weekly involved the Boeing decision to use common Ada source code compiled for three different microprocessors for the Primary Flight Computer software. The original plan was to use source code in three different languages. It is generally recognized that there are advantages and disadvantages for each of these two design approaches. After extended study and much discussion, Boeing concluded that the single language approach was the better choice. Interestingly, by making the decision when they did, the (short term) costs to Boeing actually increased. The Computer Weekly quoted 'experts' who stated that Boeing "defied the principles" relating to dissimilar redundancy, and that wording has carried over into "Flying Blind, Flying Safe".

777 Development and Certification

The 777 development is described in Chapter 9, "Who watches the Manufacturers?". The novel aspect of the mechanical design of the airplane, its reliance on 3-D computer modeling, is described, but Schiavo says (page 181) that no prototype 777 was ever built! Is she confused between a full scale mockup and a prototype?

I cannot begin to imagine the sources for the author's perception that the 777 avionics was designed without redundancy or backup systems and without regard to the effects of software errors. She writes that the 777 Fly By Wire system consists of "One central computer and one central computer cable (which) control the plane like the brain and the spinal column". If you want to sell books or newspapers, this can make for very exciting reading. The truth is less exciting.

She also wrote: "Rumors circulated that scientists at NASA...had determined that the complex software required by the 777 would probably suffer over 80 glitches (sic) per system...NASA, for its part refuses to make public the study that analyzed the 777 software system". There is no implication in the book that NASA studied any particular system's software, but rather that it drew conclusions presumably based upon its own development and test methods and Boeing's published SLOC counts.

During my tenure at Boeing, I never asked for such a study, nor were any results provided. The practical difficulties - proprietary data agreements etc. would be immense. Boeing never made any secret of the 777 SLOC count and anyone with that data could come up with some interesting macro level speculations. Boeing is a big company and has many NASA contracts - but to the best of my knowledge the 777 program was not involved in anything of this sort.

Other 777 topics are covered in an attempt to make the case that the FAA caved in to Boeing pressure to certify the 777. These include the early ETOPS approval, fan blade loss vibration and the unwillingness of Boeing to demonstrate in-flight thrust reverser deployment!

The early ETOPS approval was an industry first. As with any effort that breaks new ground, it was not without difficulties. There were many meetings between Boeing and the FAA technical specialists to deal with the issues that came up. The bottom line is that the FAA was ready to deny early ETOPS if the airplane was unable to meet the established criteria. From a software point of view, the early ETOPS effort helped software maturity considerably, as the suppliers were forced to complete verification earlier than on a normal program, so the production software had many more hours of test fleet exposure before going into revenue service.

The FAA brought up the fan-blade loss vibration issue very late in the 777 program. The FAA position was that this was a certification issue and found the initial analysis Boeing had done comparing the 777 with other models to be inadequate. Boeing was willing to provide the data the FAA requested, but needed up to 2 years to do a complete analysis of the vibration at the most critical flight conditions. The disagreement was largely over the timing of the FAA request. The certification basis is supposed to be established at the beginning of each program.

The certification process requires many issues to be resolved. The DERs are involved in all certification-related meetings, and most issues are resolved at that level. Other problems are discussed at meetings with the FAA. I never saw evidence that the FAA gave way on significant issues, and far from the FAA and Boeing being a cozy team, in some cases the meetings were rather acrimonious.

The DER system is an easy target for those who have not seen how effective DERs are in the design and test processes, and the author makes the inevitable comparison to students setting and scoring their own tests. She tempers these criticisms later with the observation that airframers probably do care about safety.

Other Inaccuracies

Ms. Schiavo writes that GPS cockpit equipment bounces signals off a satellite, that oxygen is added to outside air so that cabin air "will not be too thin", and consistently includes cockpit voice recorders and flight data recorders in lists of safety enhancement devices. The book contains many other inaccurate statements which, for me anyway, dilute the legitimate aspects of the message Schiavo is trying to convey.





Copyright © Keith Hill, 1999-02-08
Last modification on 1999-06-15
by Michael Blume