Bug Transportation Technology

Boeing 787 "Blacklisted" From Some Air Traffic Control Services (flightglobal.com) 96

An anonymous reader writes: A software glitch causes the Boeing 787 to report its position incorrectly, which has led Australia and Canada to 'blacklist' the aircraft from using ADB-S and until it is resolved the latest Boeing is treated as an aircraft without ADS-B capabilities. The practical implication is that the aircraft is not allowed to use reduced separation procedures and an maximum altitude limit of 29,000 feet was also considered. Boeing denies that the bug causes a safety hazard because existing services (radar) still allow safe operation. A bugfix is coming to restore ADS-B functionality.
  • by halivar ( 535827 ) <`moc.liamg' `ta' `reglefb'> on Tuesday December 15, 2015 @09:57AM (#51121149)

    It's graceful degradation.

    • by Anonymous Coward on Tuesday December 15, 2015 @10:12AM (#51121269)

      It's graceful degradation.

      No, a graceful degradation would be the plane recognizing it's not operating correctly and falling back to the older service. This is a case where the plane is actually trying to use the newer/better service, failing to do so correctly, and it is not aware that it is failing to do so. The humans involved are noticing the error and have had to blacklist the plane from the newer system and manually force a fallback to the old system.

      I mean seriously, the second sentence in TFA even says:
      Boeing says a service bulletin with instructions for operators to correct the position reporting error will be released “imminently”

      • by Anonymous Coward

        no, it's one data type that's blacklisted, and the ATC system gracefully reverts to radar data as designed.

  • by Joe_Dragon ( 2206452 ) on Tuesday December 15, 2015 @10:09AM (#51121255)

    as that can end deadly.

    • by digitig ( 1056110 ) on Tuesday December 15, 2015 @10:21AM (#51121343)
      I'd be interested to know where the glitch is. If it's just in the ADS-B system then with the restrictions in the article it just costs time and money. But if it's in the navigation system then the aircrew and TCAS will have wrong information about where the aircraft is, which is far more worrying.
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        From what I gather the pilot/co-pilot are receiving the correct information, the article notes one of the first instances where the issue was noticed "The controllers alerted the crew by radio, but the pilots insisted their instruments showed they were still on course." It sounds like there is a system to pass information from the aircraft system to a separate ATC-B beacon, for some reason that system under some circumstances only passes the lat or long, not both. The ATC-B beacon then has another (what I

      • by DesertNomad ( 885798 ) on Tuesday December 15, 2015 @12:49PM (#51122505)

        I run a number of ADS-B receivers and feed the data into FlightAware. I have seen a number of a/c locally that are in very wrong positions (well over the 70 km mentioned in TFA) and suddenly jump into the "right" positions. Sounds like interface problems.

        The ADS-B system is fairly simple, and as long as the right lat-lon string is inputted, it should transmit the right position. Maybe it's a "units" issue similar to the "units" issue that caused the Mars spacecrafts more than a decade ago to make an unexpected and unfortunate (very) hard landing...

        • by parkinglot777 ( 2563877 ) on Tuesday December 15, 2015 @02:51PM (#51123691)

          Here is the cause on the TFA (which is what Boeing said)...

          In rare cases, after passing a planned turn upon crossing a waypoint, the data packets that arrived at the transponder would contain either the aircraft’s latitude or longitude, but not both. In those cases, the ADS-B transponder’s software would extrapolate the 787’s position based on the previous flight track before it made a planned turn at a waypoint. It would continue reporting the aircraft erroneously on the incorrect track until it received a data packet containing both the latitude and the longitude of the aircraft.

          • Ultimately, this appears to be an issue with data atomicity. If the function is dependent upon receiving both lat and lon information, then from an architecture standpoint, the containerization of that data should be structured to be atomic if possible. However, the network design may be using ARINC-429 words which are only large enough to contain lat or lon data, but not both. A possible fix would be to use a larger network data object (NDO) that contains both pieces of data if the network supports i
            • by PPH ( 736903 )

              Otherwise, the design would need to be improved to mitigate or improve the handling of situations where only 1 piece of lat/lon data is available.

              This is a good point. And it seems that the existing design accounts for the loss of one piece of data by the use of an estimation algorithm. This algorithm is the one that takes the last known heading and 'projects' an assumed position (sometimes incorrectly) along that route.

              But here's the problem: That estimation algorithm is a Boeing-built (or subcontracted) piece of software, which means that it is tightly coupled to its data source. And rather than ensure that the bandwidth exists between avionics co

        • by nadaou ( 535365 )

          The problem is incomplete messages being broadcast. Sometimes the lat is missing, sometimes the long is missing. In these cases the system was using dead reckoning to extrapolate the missing value based on the previous ones. Not ideal but roughly giving you the right answer when traveling in a straight line. Gives the wrong answer after turning at a waypoint. When a complete message finally does make it through the plane jumps back to its correct position.
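An added illustration of the failure mode discussed in the comments above (partial lat/lon packets filled in by dead reckoning, versus treating the pair as atomic); it is not code from Boeing, the article or any poster. The `Packet` type, both reporter classes, the track and the packet-loss pattern are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    """One nav-to-transponder update; a None field models a partial packet."""
    t: float                      # seconds since start of the constructed track
    lat: Optional[float] = None   # degrees
    lon: Optional[float] = None   # degrees

class ExtrapolatingReporter:
    """Assumed model of the described behaviour: dead-reckon the missing coordinate."""
    def __init__(self):
        self.fix = None           # (t, lat, lon) of the last complete packet
        self.rate = (0.0, 0.0)    # (dlat/dt, dlon/dt) in degrees per second

    def update(self, p):
        if p.lat is not None and p.lon is not None:
            if self.fix is not None and p.t > self.fix[0]:
                dt = p.t - self.fix[0]
                self.rate = ((p.lat - self.fix[1]) / dt, (p.lon - self.fix[2]) / dt)
            self.fix = (p.t, p.lat, p.lon)
            return (p.lat, p.lon)
        if self.fix is None:
            return None           # nothing to extrapolate from yet
        dt = p.t - self.fix[0]    # the old track rate is applied across the turn
        lat = p.lat if p.lat is not None else self.fix[1] + self.rate[0] * dt
        lon = p.lon if p.lon is not None else self.fix[2] + self.rate[1] * dt
        return (lat, lon)

class AtomicReporter:
    """Publishes a position only when lat and lon arrive in the same packet;
    otherwise reports None ('unavailable') so the consumer can fall back."""
    def update(self, p):
        return (p.lat, p.lon) if None not in (p.lat, p.lon) else None

def true_pos(t):
    """Constructed track: eastbound to a waypoint at t=60 s, then northbound."""
    if t <= 60:
        return (50.0, -100.0 + 0.003 * t)
    return (50.0 + 0.002 * (t - 60), -99.82)

def constructed_packets():
    """Complete packets up to the turn, latitude-only until t=300, complete at 310."""
    return [Packet(t, true_pos(t)[0], None if 60 < t < 310 else true_pos(t)[1])
            for t in range(0, 311, 10)]

def run(reporter):
    """Return (worst coordinate error in degrees, count of 'unavailable' reports)."""
    worst, unavailable = 0.0, 0
    for p in constructed_packets():
        out = reporter.update(p)
        if out is None:
            unavailable += 1
        else:
            worst = max(worst, *(abs(a - b) for a, b in zip(out, true_pos(p.t))))
    return worst, unavailable
```

On this constructed track `run(ExtrapolatingReporter())` gives a worst error of about 0.72° of longitude (roughly 50 km at 50° N) with no report ever marked unavailable, while `run(AtomicReporter())` gives zero error and 24 unavailable reports.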

        • Maybe it's a "units" issue similar to the "units" issue that caused the Mars spacecrafts more than a decade ago to make an unexpected and unfortunate (very) hard landing...

          TFA explains what the error is. It's a missing lat or lon in data being sent to the ADS-B system by the internal packet data network, and the system is interpolating the missing data until correct data is provided. The problem appears most after the aircraft has made a course change ("turn") at a navigation waypoint, because the interpolation doesn't know about the turn and continues straight ahead.

          It's not an error in the navigation systems, and the pilots know where they are. The ground-based radar knows

  • by Viol8 ( 599362 ) on Tuesday December 15, 2015 @10:12AM (#51121271) Homepage

    ... instead of ATC relying on radar. What could possibly go wrong?

    • by brambus ( 3457531 ) on Tuesday December 15, 2015 @10:25AM (#51121377)
      I know you were trying to be snarky, but you did accidentally ask a good question where the answer isn't trivial:
      • Since the dawn of radar ATC, civilian radar has been SSR - Secondary Surveillance Radar, meaning, it requires cooperation from the aircraft. SSR gives you the horizontal location of the target, but not its elevation. Instead, together with the actual radar return, the aircraft responds using a short digital code that identifies it and tells you its altitude (as read from the onboard altimeter by the SSR equipment on the aircraft). SSR has numerous advantages over PSR, mainly it's not as complex, doesn't require as much power and has greater range, all of which are useful in a civilian environment. Also, it has no military application, so it carries far fewer export concerns.
      • Even so, SSR is still very expensive and providing good coverage is difficult to impossible. Even modern industrialized countries such as the USA have many places where radar coverage is simply unavailable (especially at lower altitudes). In less well-off places, such as large areas of Africa, radar coverage is nonexistent.
      • The vast majority of all aircraft (and nearly all commercial aircraft) have some sort of navigational equipment that is completely independent of radar coverage and is reasonably accurate to provide traffic separation services. Put simply, aircraft are able to navigate without any ground assistance.

      And so the natural evolution is to largely abandon SSR (except for areas of extremely high traffic density) and instead place around the country only small receiver stations that listen to aircraft position reports. Using those then, ATC can build a complete traffic picture and provide separation services without having to maintain expensive ground equipment.

      • by Viol8 ( 599362 )

        "Using those then, ATC can build a complete traffic picture and provide separation services without having to maintain expensive ground equipment."

        Until some pilot decides to switch the transponder off and the plane effectively becomes invisible. But that would never happen. Oh, wait...

        • ADS-B Out, which is the system I'm talking about, cannot be switched off. It becomes active as soon as the avionics stack is powered up.
          • ADS-B Out, which is the system I'm talking about, cannot be switched off.

            I guarantee it can be switched off. You might have trouble switching it on again, but then, the guy who turned it off may not care much about that.

            • I'm trying to talk simple language here to people who are not into aviation. I'm not trying to imply you can't switch it off for nefarious purposes. Btw: SSR wouldn't help you much there either. You see a blip on the radar that doesn't communicate with you and doesn't give ID or altitude. Good job. What now? You are not the air force. Your job is not to secure the border. If you have security concerns you call the people who have the equipment that doesn't care if the target cooperates. You'd do exactly the
          • ADS-B Out, which is the system I'm talking about, cannot be switched off. It becomes active as soon as the avionics stack is powered up.

            What happens if I:

            1) Hit the "off" button on my Garmin GTX-330 ES (1080 extended squitter)?
            2) Pull the breaker?
            3) Turn off the GPS that is feeding it data?
            4) Similar stuff if I have a 978 UAT ADS-B out?

            Sure *seems* like I can turn it off if I want to. I'd be breaking a rule for sure, but not sure what you think prevents me from turning it off?

            • I should have qualified that a bit:
              1) I was trying to primarily address large transport aircraft and issues of flight safety.
              2) I'm NOT trying to address attempts at tampering.
              Obviously as soon as you start pulling breakers, we're well past the accidental disconnection stage. SSR wouldn't help you here much either from the POV of ATC. What would you expect ATC to do with it if an aircraft intentionally disables the transponder? Fire missiles at the uncooperative aircraft? They have buddies wearing green
              • Ok, fair enough. Previous poster said "Until some pilot decides to switch the transponder off" which to me meant "decides to intentionally switch the transponder off" and I thought you were saying that wasn't a possibility. Even in a transport category aircraft, I'm sure the pilot can pull the right breakers if he wants to go invisible.

                I'm not sure that ADS-B was really designed with anti-hacking in mind. It seems to be designed to work as long as everybody is playing nicely. I'm wondering how long it will

                • Ok, fair enough.

                  My bad sir. I should have been more clear.

                  Even in a transport category aircraft, I'm sure the pilot can pull the right breakers if he wants to go invisible.

                  At present they can. We'll see about the evolution of the ATS. Maybe in the future as SSR is further reduced and self-reporting becomes more well tested, things such as ADS-B might become mandatory always-on features and we'll see battery-powered kits installed into aircraft that cannot be switched off.

                  I'm not sure that ADS-B was really designed with anti-hacking in mind. It seems to be designed to work as long as everybody is playing nicely.

                  All of ATS is traditionally very much a gentlemen's club. There's nothing stopping you from hopping into your nearest non-transpondered non-radioed Supercub and generall

      • So at basics it is a trust relationship with the aircraft to provide accurate altitude and positional information?

        The article is about a specific model, but is there not a scenario for a small drone to lie and pretend position? I couldn't see anything in the spec about shared verification.

        • The civilian ATS (Air Traffic Service) is not designed to deal with openly hostile aircraft. That's what the Air Force is for. Also, SSR isn't anywhere near sensitive enough to resolve small objects like drones. I know most people in the public at large think the national airspace is tightly controlled, but it really isn't like that. The highly controlled parts (e.g. in the vicinity of major airports) are the significant minority. Even places you might think are tightly regulated (e.g. over most cities w
  • by LordKronos ( 470910 ) on Tuesday December 15, 2015 @10:16AM (#51121301)

    Nav Canada first detected a problem on 1 July 2014 when controllers noticed a 787 appearing to deviate up to 38nm (70km) from its planned track. The controllers alerted the crew by radio, but the pilots insisted their instruments showed they were still on course. Suddenly, however, the 787 “was observed jumping back to the flight plan route” on the controller’s screens, according to ICAO documents.

    I'm sorry, but if a plane is reporting that it is 70km from where it actually is, that's no small deviation. That deviation is more than 10 times the required flight separation. It may not pose a safety hazard once controllers already know they have to fall back to the older system. But before this was discovered? That's a HUGE safety hazard. The only reason they can get away with claiming it wasn't a safety hazard was because they lucked out and the system only screwed up when there were no other planes around

    • by Anonymous Coward

      I don't know, 38 nano-meters is a pretty accurate reading.

    • by PRMan ( 959735 )

      38 nanometers = 70 kilometers?!?

      I thought you Euros said this metric thing was easy!

    • by sjames ( 1099 )

      That and when it reported the wrong position, it was implausibly far from the true position. It's much worse when the error is plausible.

    • But before this was discovered? That's a HUGE safety hazard.

      An aircraft being 70km from where it is supposed to be with nobody knowing it is a huge safety hazard, both to that aircraft and others.

      But an aircraft being exactly where it is supposed to be, with the pilots knowing where it is and that it is where it is supposed to be, and ATC being told by the pilots it is where it is supposed to be, is not a huge safety hazard to anyone. ATC issues clearances based on the assumption that aircraft will be where they are told to be, so an aircraft that is where it was

  • by PPH ( 736903 ) on Tuesday December 15, 2015 @11:05AM (#51121665)

    ... is that the problem was traced back to the 787 avionics network. Information sent from the GPS (where the data originates) to the transponders (where it is sent out to air traffic control). This is the same network which attracted attention when Boeing asked for a special condition [federalregister.gov] exempting the 787 from a requirement to isolate critical functions from things like the passenger entertainment system. Now, nobody has tracked down exactly what caused this communications glitch. And they may never do so. But their innovations may be coming back to bite them in the ass.

    • Looks like you are saying "FAA requires airplanes to isolate flight critical info network from other less critical networks like the entertainment system. Boeing wanted a waiver to mix the traffic."

      Is my understanding correct? Did FAA give Boeing the waiver it sought? Did Boeing take advantage of this waiver and mixed the traffic?

      78 nautical miles is almost 10 minutes at cruise speed for 787. It can't be simple network delay or latency. It has to be some severe buffer overflow underflow issue with some

      • by PPH ( 736903 )

        Is my understanding correct? Did FAA give Boeing the waiver it sought? Did Boeing take advantage of this waiver and mixed the traffic?

        Yes.

        Did this mixing of traffic result in the dropping of some GPS packets? I don't know. But if Boeing's example of error handling in this case is any example of their competency in managing critical systems in general, I'll be taking a train.

  • "an maximum altitude" -- typo, or Euro-grammar gone too far?! It's getting so hard to tell anymore.

  • bugfix? (Score:4, Funny)

    by HideyoshiJP ( 1392619 ) on Tuesday December 15, 2015 @12:15PM (#51122207)

    "A bugfix is coming to restore ADS-B functionality."

    $adsb.model = "777-200ER";

  • Perhaps the bug is really a hidden feature, only revealed by accident. (This is a shoo-in for a Bruce Schneier Movie Plot Scenario.)

    Deeply buried in the ADS-B firmware is an emergency setting which, should the Department of Homeland Security get a credible security theatre warning that criminals with smartphones and GPS guided drones are planning to bring down airliners. All airliners with updated ADS-B firmware will report their position as exactly 70nm away from their real position on a pseudo-randomly

  • I log ADS-B traffic to a PostGIS DB, and as part of the deduplication and data cleaning process, I look at the position reports, time & distance between them and the logged speed to see if they make sense. I sometimes have to add a fudge factor of up to 50km. ADS-B packets can get corrupted in ways that dump1090 can't fix up or detect, and I thought that the errors were due to that. Dump1090 has its own quirks when you're pulling position reports down from its JSON interface, but it's easier than pullin
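An added sketch of the kind of time/distance/speed plausibility check the comment above describes, not the poster's code. The function names, the 5 km default slack and the sample reports are constructed for illustration.

```python
import math

KT_TO_KM_S = 1.852 / 3600.0   # knots to kilometres per second
EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def check_track(reports, slack_km=5.0):
    """reports: (t_seconds, lat, lon, ground_speed_kt) tuples for one aircraft,
    in logged order. Returns (implausible, duplicates) as lists of indices.
    An index is implausible when the distance from the previous non-duplicate
    report exceeds what the faster of the two logged speeds allows, plus
    slack_km. One bad report therefore flags two transitions: out and back."""
    implausible, duplicates = [], []
    prev = None
    for i, (t, lat, lon, kt) in enumerate(reports):
        if prev is not None:
            pt, plat, plon, pkt = prev
            dt = t - pt
            dist = haversine_km(plat, plon, lat, lon)
            if dt <= 0:
                # Same or older timestamp: a repeat if the position matches,
                # otherwise a position change in zero time.
                (duplicates if dist < 0.001 else implausible).append(i)
                continue
            if dist > max(kt, pkt) * KT_TO_KM_S * dt + slack_km:
                implausible.append(i)
        prev = (t, lat, lon, kt)
    return implausible, duplicates

# Constructed sample: northbound at 480 kt, one report about 70 km east of the
# track (index 3) and one repeated report (index 5).
SAMPLE = [
    (0,  50.0000, -100.0, 480),
    (10, 50.0222, -100.0, 480),
    (20, 50.0444, -100.0, 480),
    (30, 50.0666,  -99.0, 480),
    (40, 50.0888, -100.0, 480),
    (40, 50.0888, -100.0, 480),
    (50, 50.1110, -100.0, 480),
]

if __name__ == "__main__":
    print(check_track(SAMPLE))
```

A track that drifts at roughly the aircraft's own speed, as with the extrapolated positions discussed earlier in the thread, passes this check while it drifts; only the snap back to the true position shows up as an implausible transition.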

  • ADS-B has zero security controls. Someone with a simple transmitter could draw a murder of giant dicks swarming in three dimensional space using A-380s as pixels. It's hilariously bad.

    • Even better, I can make my plane NEVER violate any restricted area, speed restriction, crossing restriction, or anything else I don't want it to do. I can make it always be 500 feet left of where I really am. I can make it take off for LAX at 1500 knots if people complain about what I am doing. I can make myself the leader of a 500 plane formation that spells BITE ME.
  • by GoRK ( 10018 )

    FOR SHAME! It's ADS-B not ADB-S.
