Taking Off
On June 12, 1994, the Boeing 777 jetliner took off on its
maiden flight. A year later, television viewers around the country got a
closer look at that flight courtesy of a Public Broadcasting Service
(PBS) documentary, "777 -- First Flight." Watchers held their breath as
the twin jet engines roared and the airplane lifted off the ground.
Those in the Ada community, though, could be certain that the flight
would be a success when the pilot entered the cockpit, switched on the
control panel, and announced that all systems were go.
Since 1990, when Boeing first decided to program the 777 in Ada, the
avionics community had been waiting to see if the software would prove
to be as dependable and efficient as Ada advocates predicted. During the
777's first flight, and in every flight since, the software-controlled
electronic systems have worked perfectly together, keeping Ada’s
promise.
Working Together with Ada
"Working Together" is the project name Boeing chose in 1990
when it first entertained the idea of producing its 777. The
Seattle-based avionics company intended for the 10,000 people involved
in the jetliner project to accept the company's policy of openness and
non-competitiveness, among both internal divisions and external
suppliers. Management asserted that "working together" was the way to
achieve the highest possible quality in every part of the system, from
the secondary hydraulic brake to the auto-pilot system.
One challenge to the “Working Together” model was Boeing's insistence
that the software be written in the Ada programming language. According
to Brian Pflug, engineering avionics software manager at Boeing's
Commercial Airplane Group, most companies disliked the idea of a
standard language at all, and then seriously objected to Ada as too
immature. In addition, one supplier was already six months into the
development of their part of the project and had used another language.
Honeywell approached the request by conducting an extensive study
into the benefits of Ada versus the C programming language. When the
results were in, Honeywell agreed with the decision to use Ada: the
study concluded that Ada's built-in safety features would translate into
less time, expense, and concern devoted to debugging the software.
Sundstrand, the supplier already in development, agreed to the switch
and reported that, after beginning again, the development effort
continued without a hitch. "We had to start all over again," Dwayne
Teske, Program Manager for the 777's main electrical-generating system,
said in a recent telephone interview. "But the project went really
smoothly after that, so Ada had a lot of positives."
Because of their involvement with Ada in the 777, these and other
suppliers (including Hydro-Aire, the brake control system supplier) have
continued to use the language in other system development projects. In
carrying their experience to new systems, the companies have further
enjoyed the benefits of Ada’s portability and code reuse.
Finding the Tools
Once committed to Ada, each company's first task was to find
a compiler of good quality for the specific job at hand.
Honeywell was to develop the cockpit's primary flight controls in two
projects, the Boeing 777's Airplane Information Management System and
its Air Data/Inertial Reference System. For these projects, Honeywell
purchased DDC-I, Inc.'s Ada Compiler System, using it as the front-end
source for Honeywell's symbolic debugger. The two companies worked
together for a year and a half to build the compiler's final debugger
and the entire back-end, targeted to an Advanced Micro Devices (AMD)
29050 microprocessor. According to a recent telephone interview with
Jeff Greeson, Honeywell's project leader for the 777 project's
engineering, the companies "were able to build into the compiler a lot
of optimization features specific to our hardware."
Hydro-Aire selected Alsys’ Ada software development tools for the
brake control system project. The supplier used AdaWorld cross compilers
with the Smart Executive and Certification package to ensure meeting
real-time and FAA requirements. The compilers are hosted on
Hewlett-Packard HP 9000/300 platforms; they targeted the Motorola 58333
microcontroller, making Hydro-Aire one of the first companies to use the
new chip.
Each 777’s brake control system includes two Motorola
microcontrollers programmed entirely in Ada. Harry Hansen, Hydro-Aire’s
Manager of Software Engineering, reported that “We find Ada an excellent
language for the development of real-time applications.” The processors
control the built-in test (BIT) and auto-brake functions. The BIT
includes both an on-line interface to the central maintenance computer
and off-line maintenance capability. The auto-brake applies the correct
amount of brake pressure during landings and applies the maximum amount
of pressure -- without causing a tire blow-out -- during aborted
take-offs. Additionally, the system includes hardware and software to
prevent skids, sensors and transducers to external systems, and
hydraulic valves.
Sundstrand, too, chose a compiler from Alsys, Inc. (now Thomson
Software Products, Inc.). Running on a PC host, it generated code
targeted to an Intel 80186 microprocessor. The Certifiable Small Ada Run
Time (CSMART) executive code that interfaces with the language resides
inside the run-time controller and, therefore, had to be tested and
verified. It was a major undertaking, but not a long-term inconvenience.
"Ada continues to be our baseline language for future electrical
systems," Teske said, "for reasons of cost and efficiency. We are now
able to reuse code. We pull out certain chunks of airplane software and
put them into new projects."
In a recent telephone interview, senior software engineer Malkit Rai,
who led the effort on the Sundstrand 777 electrical power project,
agreed on the importance of Ada's support for reuse. Ada has permanently
replaced the shop's previous high-level language, PLM, which was
developed by Intel and is based on PL/I. "Ten to 15 percent of the 777
Main Channel Electrical Power Generating System is already in reuse," he
said. Two new projects, for the Gulfstream V business jet and the
Comanche helicopter, were able to integrate Sundstrand's library of
common generic packages written in Ada for the 777.
In fact, the Sundstrand power systems' 80,000 lines of code were in
themselves reused by 10 to 15 percent. The embedded software's small
size proves that Ada is well-suited for projects under 100,000 lines of
code, as well as for large efforts. The 777's Cabin Management System,
for example, a communications module mounted on the 777's back seats
that offers passengers a variety of services, is only 70,000 lines.
Putting Together a New Architecture
In comparison, Honeywell's Airplane Information Management
System (AIMS) project consists of the largest central computer on the
jetliner; it runs 613,000 new lines of code (defined as body
semicolons), taking up 15,656 kilobytes (KB) of disk space and 4,854 KB
of random-access memory (RAM). With redundancy, the software runs to
46,191 KB and 10,732 KB of RAM. A multiprocessor, rack-mounted system,
the AIMS replaced many of the line-replaceable units and reduced
hardware and software redundancy.
Two AIMS boxes handle the six primary flight and navigation displays:
two sets are located in front of both the captain and copilot so that
they can move from one seat to the other, and two central sets of engine
parameters are shared by the pilots. The primary flight instruments
indicate pitch and roll attitude, direction, air speed, rate of climb,
altitude, etc. The AIMS also includes the central maintenance function,
which receives reports from the 777's other computers and then gathers
the data into a central maintenance report for the mechanic. Its
monitoring system gathers data on how other functions are doing, and can
determine, for example, that an engine is degrading, before it actually
fails. Other AIMS functions include a data-conversion gateway, flight
data acquisition, data loading, an Ada conversion gateway, and thrust
management.
Honeywell's massive effort on the 777 involved over 550 software
developers. The company built the AIMS computer as a custom platform
based on the AMD 29050 processor. It was unique among aviation systems
for integrating the other computers' functions; in other systems, each
function resides in a different box [the central maintenance had its own
box with its own input/output (I/O), its own central processing unit
(CPU), etc.]. AIMS combines all these functions and shares the CPU and
I/O among them: it uses the same signals for flight management and for
displays, so that the data comes in only once instead of twice; one
input circuit provides data to all of the functions; each of the
functions gets a piece of the CPU, as in a mainframe computer, where
systems use part of the CPU but not all of it; and every function is
guaranteed its time slot. Engineer Jeff Greeson said that "The federated
system is obsolete. Putting all the functions in one box is a jump ahead
in technology that we've brought to the industry."
Another innovation is that the disk drive can read files formatted
for the Microsoft Disk Operating System, which provides maintenance with
access to the terminal communications. The mechanics can transfer files
for data loading over the airplane bus, because Honeywell built the
program to accept new data and to change the software. In fact, most of
the equipment on the airplane has that ability; only a few classic
systems do not (such as the ground-proximity warning system, which has
proven sufficiently trustworthy and not in need of change).
Designing a new architecture simultaneously with a new language was
"quite exciting," Greeson said. "The organizational details were
difficult to put together." With Ada, managers were able to delegate the
seven main functions to groups of 60-100 software engineers. The
separate software entities have minimal interface with other parts of
the software, and not all of the software is integrated. By working with
loosely coupled pieces, the project leaders were able to farm out the
functions to other groups. The loose integration, however, does not tie
the software to the 777 platform, and will assist in Honeywell's using
the code for other targets. "We needed the maximum ability to port it to
other places," Greeson said.
The data interfaces that do exist between the software units are
fairly uniform, Greeson said, because Ada helped the software engineers
to implement certain rules at compilation time. "Ada forces you to keep it
straight there rather than at the lab," he said, "where it helped
minimize our difficulties in getting it integrated and running." Because
of the high level of accuracy during the compilation, less time was
spent on debugging the code. Thus, Honeywell's initial study proved
correct. "I'm convinced that, because of Ada, we had a minimal amount of
interface problems, with which we would have killed ourselves if we had
had C or Pascal," Greeson concluded. "It went much smoother than past
programs."
Meeting Deadline
Using common logic to predict the project’s success,
skeptics might have predicted higher costs and schedule overruns, based
on the suppliers’ inexperience with Ada and the introduction of a new
target. Instead, four and a half years after laying out the program, the
777's electrical power systems were delivered on schedule. Boeing was
able to turn on the power a full six months before the maiden flight.
Sundstrand's Malkit Rai agreed that the conversion from PLM to Ada did
not retard production and the company made a swift transition. "We
conducted a pilot program to evaluate the use of Ada in Sundstrand
products," he said, "and realized that on-the-job training would be
sufficient with our programmers. Within two weeks we were up to speed on
Ada."
Passing Tests
The initial flight of the 777 was three hours and 48
minutes, taking Chief Pilot John Cashman from Paine Field in Everett,
Washington, to Puget Sound, over the San Juan Islands, then east,
crossing the Cascade mountain range, before turning back home. The
jetliner was then tested for extremes of temperature, wind conditions,
and potential failures.
Ronald Ostrowski, director of Engineering, claims that the Boeing
twinjet is already the most tested airplane in history. For more than a
year before the flight, Boeing tested the reliability of the 777's
avionics and flight-control systems around the clock, in laboratories
simulating flight. Design changes were made only after six months of
testing the endurance of three engine types (Pratt & Whitney, Rolls
Royce, and General Electric).
One compelling reason behind the extensive pre-testing was Boeing's
desire to meet the Federal Aviation Agency's (FAA's) Extended Twin
Operations (ETOPS) standards ahead of schedule. The original ETOPS rule
was drafted in 1953 to protect against the chance of dual, unrelated
engine failures. Unless a newly designed and produced aircraft has at
least three engines, it usually has to wait, sometimes as long as four
years, before the FAA and the Joint Airworthiness Authorities (JAA) will
allow it to fly more than one hour from an airport; after a time, the
new aircraft is deemed a “veteran” and is allowed to fly three hours
away. A shortened trial period would drastically increase Boeing's
sales.
Increasing Reliability
Granville Fraser, a propulsion engineer at Boeing, said that
a company protects itself better from engine failure by preventing
in-flight problems outside the engine, such as faulty warning lights,
than by concentrating solely on the engine's mechanics. "Over 50 percent
of engine shutdown is irrelevant to the core engine," he said. "It has
to do with electrical, fire systems, etc." On the 777, those outside
systems are programmed in Ada.
Pratt & Whitney laboratories can, therefore, test the engines,
but the quality of the software will have an equal role in determining
the reliability of the 777's engines and its conformation to the ETOPS
standards.
On the maiden flight, with the Boeing Telemetry room in constant
contact with the plane, the engines performed better than expected. The
777 proved itself an ETOPS "veteran" on its first flight out, becoming
the first twin-engine plane to win FAA approval for "ETOPS out of the
box." The trend towards more reliable hardware and software is
revolutionizing aviation and can be found in aircraft other than the
777. The systems in the cockpit talk to the other systems through the
programming language, and in new airplanes, such as the Beechcraft 400A,
the Learjet series, and some English jets, the language of choice is
Ada.
Moving Ahead
Sales for the Boeing 777 both nationally and internationally
have been excellent; as of Aug. 2, 1995, Boeing had received 164 firm
orders and 108 options. In addition to high sales in the present,
Boeing’s financial future is also healthy, in part, because of reusable
code. As Brian Pflug has said, the ultimate value of Ada is in rapidly
transferring the 777's code into the aircraft and architectures of the
next millennium.
For More Information
For those who would like to obtain a copy of the PBS
documentary on the 777’s first flight, the video is available for $19.98
from PBS, 800/828 4PBS.