F-22 Avionics Require Inflight Reboot 587
An anonymous reader writes "The Atlanta Journal & Constitution is fronting a lengthy piece on the USAF's new F-22 and its upcoming shootout with the existing fleet of F-15's & 16's. One line in the article really jumped out at me: 'When avionics problems crop up now, pilots must restart the entire system as if rebooting a personal computer.' I did some googling, and this is about as much as I could find: The hardware backbone for the system is the Hughes Common Integrated Processor, which, in turn, appears to be built around the Intel i960 CPU. I couldn't find a name for the operating system, but it appears to be written in about one and a half million lines of Ada code; more on the Ada hardware integration and Ada i960 compilers is here. Any Slashdotters working on this project? If so, why do you need the inflight reboot? PS: Gamers will be interested to learn that nVidia's Quadro2 Go GPU and Wind River's VxWorks Operating System are melded in the F-22's Multi-Function Display."
Boeing's Avionics press release (Score:5, Informative)
Both the AIL and FTB are helping reduce avionics risks and contain development costs by enabling extensive evaluation and troubleshooting before full avionics are ever installed on the F-22. Testing in the AIL and aboard the 757 FTB has allowed for early delivery of avionics Operational Flight Packages, or OFPs, to the F-22 test aircraft.
To date, Boeing has completed more than 21,000 hours of avionics testing in the AIL and 800 hours on the FTB.
Despite an accelerated delivery schedule for the year 2000 to support the Defense Acquisition Board, or DAB, requirements, the Boeing Avionics Integration team was able to integrate, test and deliver all Operational Flight Programs, or OFP's, ahead of plan. This included delivery of the Block 1.2 OFP on July 5, 2000, and Block 2/3S OFP on July 20, 2000. The AIL was also able to deliver the Block 3.0 OFP Engineering version to the Avionics Flying Test Bed aircraft a month ahead of schedule (Sept. 4, 2000) to allow for early testing and maturing of the OFP, which resulted in the first demonstration of multi-sensor fusion (Sept. 13, 2000).
The most significant accomplishment of the AIL for 2000 was the delivery of the Block 3.0 OFP, the first fully integrated avionics package, to F-22 aircraft 4005 on Nov. 21. This was a critical milestone since the Block 3.0 OFP was the first complete avionics software package to be flown on the F-22 aircraft, one of the most challenging DAB milestones accomplished to date.
The Boeing Avionics' Systems Engineering team's performance testing on the radar has resulted in all Test Performance Measurements, or TPMs, meeting or exceeding specification requirements. A significant milestone was reached on Nov. 15, 2000, when Raptor 4004 conducted its first flight, and targets were successfully detected and tracked in the air. Performance of the radar system was described as "eye-watering" by the pilot who flew the mission. A second major milestone occurred on Jan. 5, 2001, when Raptor 4005 flew for the first time utilizing Avionics Block 3.0 with the full complement of Radar Modes incorporated. Once again, targets were detected and tracked at long range, and the radar performance was outstanding.
Avionics Radar and Power Supplies Production activities continue to be a high priority. All shipments for PRTV I have been completed, PRTV II shipments are well under way, and hardware manufacturing for Lot 1 has begun. In the area of affordability, the implementation of Boeing-funded process improvements on several components of the radar/power supply systems, to include the T/R module and circulators, have been a tremendous success. The predicted cost savings have been substantiated in the first three production contracts and the targeted cost savings of $350 million dollars over the production life have been legitimized.
The next critical avionics milestone is delivery of Block 3.1 avionics. Block 3.1 will provide additional functionality to the F-22 Raptor and allow it to accomplish a significant amount of flight testing. Block 3.1 is scheduled to be delivered to Lockheed Martin this fall.
Overall, the F-22 avionics program is very much on target in the areas of performance, cost and schedule. The avionics packages have been performing exceptionally well, and all major milestones have been met on or ahead of schedule.
Contractor Breakdown for F-22 (Score:4, Informative)
Also, can anyone confirm if OSA is the name of the referenced ADA software project (1.7 million lines etc...)
Gmanske.
Re:F-22 "avionics" (Score:5, Informative)
Typically, when aero geeks talk about avionics, we're not talking about the flight control systems, even though those systems are now "aviation electronics".
Is this bad? Yes. Does it need to be fixed? You betcha. But don't worry about the planes not being able to keep the pointy end into the wind. That part seems to be working fine.
As an aside, the little anecdote about the test pilot intentionally making RADICAL configuration changes in-flight (moving fuel around, opening weapon bay doors, and wacky control inputs) producing only an easily-recoverable spin is a testament to the airplane's superb design. I mean, you do stupid things in ANY airplane and it'll bite you. The sign of a really GOOD airplane is that it then forgives you and doesn't splatter you all over the terrain.
Re:F-22 "avionics" (Score:5, Informative)
To say that the F-22 is in a controlled stall is just ridiculous. The proper way to state things is that the F-22 has relaxed static stability, which has nothing to do with a stall.
Re:Lockheed's Avionics Press Release (Score:2, Informative)
Um.. No:
ftp://download.intel.com/design/i960/perform/27
(Intel's i860 performance brief)
Re:Similar to Mars Pathfinder (Score:5, Informative)
Priority inversion is never caused by the OS, only by the interrupt/task priority design. So VxWorks shouldn't be blamed here.
There are RTOS'es that try to avoid priority inversion by temporarily raising the priority of the blocking task to the same priority as the task being blocked. This may at first look like a good solution but if the priority bumping happens too often, "medium priority" tasks may get starved because the low priority task is really running at high priority.
Perhaps the F22 is having something similar -- whenever you have a RTOS, the designer must try to anticipate when it's safe to block real time interrups and when it isn't.
Blocking interrupts may mean missing interrupts. This is a very dangerous thing to do in hard realtime systems, because what you don't know may not only hurt you but may actually kill you. If it is necessary to disable interrupts to get the system running, the system design is horribly flawed.
Re:i960 in PC's (Score:2, Informative)
Re:Similar to Mars Pathfinder (Score:2, Informative)
There is an interesting account of that here: What Happened on Mars? [cmu.edu]
unfair reporting and out of context. (Score:5, Informative)
Considering that the F-16 and F-15 designs are 25-30 years old, it might be a good thing to build something new.
Thrust vectoring, stealth, supercruise...like the article says, it's not clear what kind of threats the USA will be facing in the future, but someday the F-22 will prove itself and astonish a lot of people.
I think that's the main gist of the article, and picking the bit about a computer reset and making it sound like a big deal is right out of trash teevee.
To me, the most important part was the test pilot in the F-22 giving his opponent in the F-15 a hard time...actually telling him over the radio where he was. F-15 still could not get a lock. This is great stuff.
Re:F-22 "avionics" (Score:5, Informative)
> avionics system of a F-22 you're fucked to say
> mildly.
Avionics and flight control systems are separate
and extremely disparate.
> This plane is always in a controlled stall,
That is extremely unlikely. A stall is defined as
a condition when the wing exceeds the critical
angle of attack (Which is in turn defined as the
angle of attack where the airfoil is no longer
producing lift, but is instead experiencing
separated and turbulent airflow).
|
| / \
Cl | /
1| /
| /
| /
| /
|/
+--------------
0 5 10 15 20
AOA (Degrees)
Is a typical graph depicting Cl (Coefficient of
Lift) and its relation to Angle of Attack. Lift
(And induced drag) increases with an increase of
angle of attack or an increase in speed.
Angle of Attack, for your reference, is defined as
the angle between the chord line and the relative
wind. The chord line of an airfoil is an imaginary
line connecting its leading edge with its trailing
edge.
The 'Relative wind' is defined as the flight path
of the aircraft.
Therefore, for an airplane to be flown perpetually
in a state of controlled stall, its airfoil would
always be pitched up at approximately 17 degrees
relative to the flight path of the airplane.
Would be quite funny to watch, actually.
There's a lot of misunderstanding about 'stalls'
out there. What the F-22 may be able to do better
than more 'conventional' airplanes, and perhaps
that to which you refer, is ride the edge of an
impending stall (In a high speed, hard banked,
high-G turn, for example) without diverging from
controlled flight.
I for one don't care for fly-by-wire. Perhaps I'm
old fashioned.
I'd rather the airplane do what I told it to do
than what it thinks I should have told it to do.
Same reason I like Unix- I don't want my airplane,
or my computer, doing what it thinks I meant
rather than what I told it.
-Kysh
Re:F-22 "avionics" (Score:3, Informative)
Pictures of F-22 (Score:2, Informative)
You can find a selection of pictures here [af.mil]. The fourth and fifth rows from the botttom of the page have photos of the F-22. The best one is here [af.mil].
In my past experiences... (Score:4, Informative)
Re:Unfortunately, they are using Ada (Score:4, Informative)
Because for mission critical applications the US Department of Defence consider C, C++ and Java to suck.
See here [liv.ac.uk] for a brief history about why the US Department of Defence found that they were using 450 odd languages and needed to standardise on one common one that did everything right.
They produced a specification of what the language should do and found that nothing out there did what was required well enough. So a competition was born and ADA was the language that won it.
Re:Ada ? (Score:3, Informative)
> respect? I only know a little about Ada, so this
> is a serious question. My understanding is that
> Ada and Java have very similar safety goals
> (especially with respect to exceptions) so I'm
> curious about what you think Ada gets right and
> Java gets wrong.
Let me be fair.. as a language, I'm not terribly
familiar with java. I have spent a great amount of
time supporting Java developers on the system
level, however. I have seen developers write java
code that crashes in very gnarly ways, and had to
support them. I've seen java interpreters just
spontaneously die. Now this could certainly be
buggy implementations, and not a bad language
specification. While that was not the impression I
was given by the developers in question, I don't
deny the possibility. I have, personally, never
seen an Ada program 'crash'. I have never seen an
Ada program exit in any way other than an
unhandled exception or a normal exit. I've seen
Java do a lot worse.
I will not say that java, as a specification, is
less 'safety critical' than Ada, only that I am
not aware that it is as much so. If the
implementation is the problem, as I mentioned that
it could be above, then pending better
implementations, I'll check back in with this
topic.
In closing, though, I have to say that, from the
information I have, an Ada program is about a
billion times more reliable than a Java program,
when you're talking about large (Or huge)
applications. Ada also has the benefit of a big
experience base, mathematical analysis, review,
etc.
I'm open to comments regarding Java
implementations, stability, and the
safety-critical methodologies present (Or lacking)
in Java from those more familiar with the
language.
Respectfully,
-Kysh
Re:Ada ? (Score:1, Informative)
Because Java is so easy to learn and to use it "seduces" you to do lazy programming. You don't use exceptions all the time because you are too lazy do so. IMHO Java programmers have internalized rapid prototyping so much that they don't care about really good software design. Finally they are only interested in producing solutions in shortest time. Good design doesn't matter so much. In Ada you cannot afford to think this way.
I use Ada 95 for web application development. I came from C/C++ to Java and Ada95 afterwards. Java was no problem for me to learn because it is so similar to C. But I was not satisfied with it (no enumerations, no templates, no subtyping, can be decompiled) so I tried Ada95. This language was the first that satisfied me. It was pretty hard to learn but I haven't regret so far. Ada95 is nearly as platform-independent as Java. There are free compilers (GNAT) for several platforms. It can even be compiled to Java Bytecode. In Q4/2002 you can get a Visual Studio C++ like IDE for Ada ("GPS" from AdaCore Technologies).
http://www.adapower.com
http://www.gnat.com
h
This is nothing new, or overly scary (Score:5, Informative)
An example is the F18 Super Hornet. Correctly we're working on have the ability to drive the HUD display from the fuel control computer. It needs to be able to drive it for 7 seconds, which is the amount of time it takes for the primary and secondary HUD systems to reboot.
Say what you want about the military, one thing they do when it comes to their planes is provide backup systems. You can fly a C130 using hand cranks in the fuselage to control the avionics (couple hundred cranks to fully elevate the flaps).
Avionic OS's and Reboots. (Score:5, Informative)
At anyrate, the OS's aren't OTS, but designed and coded for each plane (Ada for all the military boxes). As for reboot, if the system becomes hosed, for any number of reasons, the Avionics will reboot. This is true in all aircraft, even your passenger planes.
They key thing to remember is that all of these systems are atleast dual redundant, meaning that the entire system doesn't reboot, just one channel. When that channel does reboot, the reboot is done in less than 200ms. (Usually faster).
This isn't like Windows where a reboot can take minutes, and you'll blue screen when it's finally running anyway. These are unique, tried and tested OS's, which operates with a Probability of Loss of Control around 0.3%
The risks of fly-by-wire: Crash Video (Score:3, Informative)
In 1988, a brand-new Air France Airbus A320 crashed into trees during maneuver at an airshow in France. The aircraft failed to gain height during a low-altitude pass with the landing gear extended. Three of the 136 passengers were killed.
The A320 was the first civilian aircraft to use fly-by-wire, which replaces conventional stick and rudder control with 3 computers and miles of electronic cables. The pilot uses a game-like joystick to his side.
Some good video of this accident is available here [wox.org], among other places.
Ultimately, the pilot was blamed (when in doubt, claim human error). But you have to wonder what role the computer played in this crash, even if it simply confused the pilots or acted differently than they expected. Apparently, this wasn't the only A320 crash where its flight control system was suspected, either.
It's interesting to note that Airbus has a different design philosophy vis-à-vis fly-by-wire: they believe the computer should restrict the pilots from putting any undue stresses on the airframe, or doing anything that the system thinks is "unsafe". This is contrary to Boeing, who program their computers to allow even the most dangerous manuever, with the intention of giving the pilots ultimate control over the aircraft.
Re:Unfortunately, they are using Ada (Score:5, Informative)
Because quite a few years ago when all source code was Assembly, the US sponsored a Compile-off between high-level languages. The idea was that they'd adopt a single language and build compilers for it suitable for the thousands of different processors we use in all of the various systems around the world.
So Ada won, even though it was developed by a French consulting firm. Even now we maintain an Ada compiler for every single CPU type in existence. In fact, this is why Oracle's PL/SQL code looks so much like Ada. When Oracle was looking to make a PL for their database, a few gov't guys said: "Hey, why don't you make it like Ada. We'll buy it and our programmers won't have a high learning curve to tackle."
Re:In my past experiences... (Score:4, Informative)
1. What do you mean *ALMOST* as anal? It's more anal.
2. You won't be using GNAT in an avionics systems. You'd be using a Validated platform. That means that the compiler, OS, *AND* target platform have been validated together. It costs a bundle.
3. DoD has removed the mandate that ALL new software be written in Ada, but most avionics are written that way for safety reasons (editorial: Ada83 sucked, but Ada95 is a fairly decent language).
Slight difference - These reboots are much faster (Score:3, Informative)
A "personal" computer reboot takes > 30 seconds nd would be unacceptable. These reboots are near instantanious.
(I could be wrong, maybe this is a different aircraft and a different type of reboot than the researcher was talking about.)
Re:In my past experiences... (Score:3, Informative)
Ada wasn't designed to be small and clean. It was designed as a 'catchall' language, able to do everything from low level system programming - replacing assembler & C to the highest possible level application program. You can't really make a small & clean language, and hit both ends of this spectrum. On top of that, it was realized that a lot of the 'bugs' in programs are preventable, because they are caused by the programmer not properly handling error conditions. So they added in features which make it harder for the programmer to screw up. Together, this means that Ada is a very large language compared to other languages of the 70's, however you don't have to know all of Ada to write a program, especially if you're only working in one problem domain.
As for the requirement, as of 1994, is that Commerical off the Shelf (COTS) is the prefered choice, whenever it meets their needs. Failing that, Ada is required, but waviers can be granted if they are cost effictive, and that the proposed alternative does not compromise the goals of the project - in particular the safe programming practices that Ada requires.
Re:Similar to Mars Pathfinder (Score:2, Informative)
Yes, but it is WindRiver's fault.
The default configuration of all semaphores within 5.x VxWorks modules is to be 'simple'. In order to change these initialization values, you had either hunt through symbol tables and assembly code dumps or put a gun to the head of some poor slob in Windriver tech support.
To have a non-inversion safe objects inside a network stack is simply stupid design.
Re:Why java cannot be used in a realtime environme (Score:1, Informative)
And you meant to say the garbage collector is synchronous (blocking) as opposed to asynchronous (non-blocking). Although now there are garbage collectors of both types.