
Boeing 787s Must Be Turned Off and On Every 51 Days To Prevent 'Misleading Data' Being Shown To Pilots (theregister.co.uk) 140

The U.S. Federal Aviation Administration has ordered Boeing 787 operators to switch their aircraft off and on every 51 days to prevent what it called "several potentially catastrophic failure scenarios" -- including the crashing of onboard network switches. The Register reports: The airworthiness directive, due to be enforced from later this month, orders airlines to power-cycle their B787s before the aircraft reaches the specified days of continuous power-on operation. The power cycling is needed to prevent stale data from populating the aircraft's systems, a problem that has occurred on different 787 systems in the past. According to the directive itself, if the aircraft is powered on for more than 51 days this can lead to "display of misleading data" to the pilots, with that data including airspeed, attitude, altitude and engine operating indications. On top of all that, the stall warning horn and overspeed horn also stop working.

This alarming-sounding situation comes about because, for reasons the directive did not go into, the 787's common core system (CCS) -- a Wind River VxWorks realtime OS product, at heart -- stops filtering out stale data from key flight control displays. That stale data-monitoring function going down in turn "could lead to undetected or unannunciated loss of common data network (CDN) message age validation, combined with a CDN switch failure." Solving the problem is simple: power the aircraft down completely before reaching 51 days. It is usual for commercial airliners to spend weeks or more continuously powered on as crews change at airports, or ground power is plugged in overnight while cleaners and maintainers do their thing.

  • Windows (Score:5, Funny)

    by Johnny Mnemonic ( 176043 ) <mdinsmore.gmail@com> on Thursday April 02, 2020 @05:16PM (#59902658) Homepage Journal

    I thought Windows had a clear indicator that it was not to be used for mission critical systems.

    • by Tablizer ( 95088 ) on Thursday April 02, 2020 @05:36PM (#59902788) Journal

      Rebooting a plane during a flight could make a fun SNL skit.

      Copilot: "It's asking if we want to also upgrade now."

      Pilot: "No, just finish a plain reboot! We're losing altitude."

      Copilot: "Uh, now it's asking for a license key code."

      Pilot: "Crap, I don't remember where I wrote it down. Let me check around..."

      Copilot: "I got an idea ... [cabin speaker] Attention passengers, this is your copilot, does anybody have a working Microsoft Windows key code we can borrow?"

      Pilot: "This is a goddam jet, not a laptop. You'll make them panic."

      Copilot: "Worth a try, you got a better idea?..."

  • by bugs2squash ( 1132591 ) on Thursday April 02, 2020 @05:22PM (#59902696)
    Just set up a cron job to shut down the main power on the plane every 50 days.
    • This isn't a UNIX/Linux situation....

    • by Solandri ( 704621 ) on Thursday April 02, 2020 @05:25PM (#59902714)
      What happens if 50 days 0 hours 0 min 0 seconds uptime happens to roll over in the middle of a flight?
      • Isn't that what anacron is for?

        This sounds a bit like the Patriot missile bug that did something like count microseconds to determine the time but the time base wasn't precise so it drifted. That resulted in the disaster in the Kuwait war.

      • by jeremyp ( 130771 )

        The operating system will crash.

    • Just set up a cron job to shut down the main power on the plane every 50 days.

      Please ensure your reboot script checks that the plane is not currently in flight, or on the run/taxi-way ...

      • by bugs2squash ( 1132591 ) on Thursday April 02, 2020 @05:37PM (#59902796)
        Typical! I saw no mention of it in the original problem definition and only now you bring it up. I'll write up a Jira but the next two sprints are full already.
      • Just set up a cron job to shut down the main power on the plane every 50 days.

        Please ensure your reboot script checks that the plane is not currently in flight, or on the run/taxi-way ...

        Nah, it's just easier to check if the plane is on, then run the cron script.

      • by Dantoo ( 176555 )

        If in flight, autopilot should countermand pilot input and accelerate to the ground, which is a known safe place. If the pilot tries to resist, just cycle over and over until the meat bag tires out. Boeing, Boeing, Bang.

    • Re: 0 0 */50 * * (Score:5, Informative)

      by arglebargle_xiv ( 2212710 ) on Thursday April 02, 2020 @08:13PM (#59903332)
      You don't use a cron job, it goes into the preflight checklist or, more likely, the maintenance schedule. This sounds kind of scary if you're not used to it, but there's an endless list of things in aircraft that are handled on the basis of "every X hours, do Y to Z". This is just another one of those. It's completely normal, standard practice.
    • by kiviQr ( 3443687 )
      Oops ... you forgot to add "if (on_ground)"
  • by rsilvergun ( 571051 ) on Thursday April 02, 2020 @05:26PM (#59902722)
    is not something I want to hear from an Aircraft Mechanic.
    • You can glide, for a while....
    • Neither is "reboot or die."

    • I've heard it from an industrial control system vendor... and honestly after all the stories about Boeing I just assumed that people would be turning them off and on again daily just to be on the safe side.

    • by AmiMoJo ( 196126 ) on Thursday April 02, 2020 @05:45PM (#59902840) Homepage Journal

      It's a really stupid error too. Many developers will recognise 51 days. It's the time it takes a 32 bit unsigned millisecond counter to overflow.

      • by Jeremi ( 14640 )

        Advice to programmers worldwide: when storing timestamps, always spring for the extra 32 bits. It's totally worth it, just to avoid problems like this.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        That would be 49.71 days, actually, or 24.85 days for a signed 32 bit counter to go negative.

        Now, for a different real world example, Microsoft IIS (3.x, I think it was) had a bug where the date/time fields in W3C format log files would stop incrementing after only 40 days. Wonder what size counters they were using?

    • turn it upside down and shake it - I think I've been on flights like that
    • by antdude ( 79039 )

      I had to power cycle my king ant's HP OfficeJet printer yesterday morning (couldn't even shut it down with its power button). I never had to power cycle a printer before. Geez.

    • I guess the only thing worse would be that guy saying: "hang on, I have to get some Microsoft support for that one..."
    • Re: (Score:3, Interesting)

      That's actually a surprisingly common troubleshooting technique on pretty much any large airplane. Primary Flight Control Computer failed? Just turn it off and on again. No longer failed? Good to go!

      Especially on Airbus this usually solves most problems. We're constantly pulling and resetting circuit breakers. Boeing is actually a bit better in that regard, mainly because the systems are simpler and less interconnected. Either it works, or you need a mechanic to physically repair it.

      I also used to fly the D

  • 32 bit counter (Score:5, Informative)

    by andrewbaldwin ( 442273 ) on Thursday April 02, 2020 @05:35PM (#59902772)

    51 days is pretty close to 2**32 milliseconds.

    Sounds like an overflow of a 32 bit counter.

    Resetting that would avoid a Microsoft style 'turn it off and on again' reboot. But there may be more than one of them so a power cycle to set them back to zero sounds a safer (if less convenient) way.

    • Re:32 bit counter (Score:5, Interesting)

      by Moblaster ( 521614 ) on Thursday April 02, 2020 @05:39PM (#59902810)

      That's only 49.7 days in milliseconds. Probably a 42-bit counter counting microseconds, which is much more appropriate resolution given how fast a plane travels - and that's 50.9 days until turnover, which is much closer to the estimate.

      • Perhaps 49.7 days plus a worst case mid-flight cushion.

      • Makes you wonder why they don't recommend turning it off every 2 weeks. Then someone would have to screw up this basic maintenance three times in a row for it to be a problem.

        • Shutting and restarting a plane might be considerably more involved than your laptop reboot. Many systems may have to be resynchronised and certified. So it could be done only at a maintenance base with certified mechanics. So a larger window would be provided to give the operators some leeway.
      • by xpiotr ( 521809 )
        It's probably a tick counter stored in a uint32_t variable
        And the tick speed is probably something like
        1 tick = (1000/1024) ms
        Counts per day: (1000*1000/1024 ) * 24*60*60 = 84375000
        UINT32 Max 0xFFFFFFFF = 4294967295
        4294967295 /84375000 = 50.9....
    • by dgatwood ( 11270 ) on Thursday April 02, 2020 @05:42PM (#59902830) Homepage Journal

      The really funny thing is that this isn't the first bug in the 787 requiring a reboot. I was thinking that this was a dupe, because I remembered reading a similar story a while back. Turns out that the previous bug occurred at 248 days [theguardian.com] and was even more serious....

      Oh, and another one at 22 days [popularmechanics.com].

      It's almost like Boeing rushed this thing into production. Oh, wait....
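
The counter-rollover theory raised in the comments above, worked through as an added example (not part of any comment, and not Boeing or Wind River code). The directive gives no root cause, so the counter width and tick rate are the commenters' guesses; `MAX_AGE_MS` and all function names are hypothetical. It shows how a message-age check on a 32-bit millisecond tick can accept stale data after a wrap, and why 64-bit ticks avoid it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_AGE_MS 100u /* assumed freshness limit, not a 787 value */

/* Days until a free-running counter of `bits` bits wraps. */
double rollover_days(unsigned bits, double ticks_per_second) {
    return (double)(1ULL << bits) / ticks_per_second / 86400.0;
}

/* Buggy: compares against an absolute deadline. A stamp taken shortly
   before the wrap leaves the deadline near UINT32_MAX, so every later
   (small) `now` still looks fresh. */
bool is_fresh_naive(uint32_t now, uint32_t stamp) {
    return now <= (uint32_t)(stamp + MAX_AGE_MS);
}

/* Wrap-safe: unsigned subtraction yields the true age modulo 2^32. */
bool is_fresh_wrapsafe(uint32_t now, uint32_t stamp) {
    return (uint32_t)(now - stamp) <= MAX_AGE_MS;
}

/* 64-bit ticks: at 1 kHz the wrap is hundreds of millions of years away. */
bool is_fresh_u64(uint64_t now, uint64_t stamp) {
    return now - stamp <= MAX_AGE_MS;
}

int main(void) {
    /* Constructed scenario: last message stamped 256 ms before the wrap,
       then the sender goes silent; we check 272 ms later. */
    uint32_t stamp = 0xFFFFFF00u, now = 0x00000010u;
    printf("32-bit ms counter wraps after %.2f days\n", rollover_days(32, 1000.0));
    printf("42-bit us counter wraps after %.2f days\n", rollover_days(42, 1e6));
    printf("age 272 ms: naive=%d wrapsafe=%d\n",
           is_fresh_naive(now, stamp), is_fresh_wrapsafe(now, stamp));
    /* Sender silent for one full period plus 5 ms: the 32-bit age aliases. */
    uint64_t stamp64 = 1000, now64 = stamp64 + (1ULL << 32) + 5;
    printf("age 2^32+5 ms: wrapsafe32=%d u64=%d\n",
           is_fresh_wrapsafe((uint32_t)now64, (uint32_t)stamp64),
           is_fresh_u64(now64, stamp64));
    return 0;
}
```

Even the wrap-safe 32-bit check reports a message as 5 ms old when the sender has been silent for a full counter period plus 5 ms, which is why a wider counter or a latched stale flag is needed for data that can go quiet for weeks.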

  • Think of all the Windows updates they'll have to wait for
  • by Sebby ( 238625 ) on Thursday April 02, 2020 @05:36PM (#59902786)

    Pilot 1: "So what's your plane's uptime? Mine's 2305hrs and counting..."

    Pilot 2: "I've got a 787, so mine's at 1223.89hrs.... OH SHIT! Hold on one min..."

  • Should have used an OS designed for such, like QNX
  • With COVID news taking up most of the air time and attention, NOW is the time for companies to put out bad news! It will slip under most radar and be forgotten soon.

    By the way, how many 787s are still flying and not being grounded?

    • by Dunbal ( 464142 ) *
      Oh and give us $60 billion dollars so we can dodge any consequences deriving from our own stupidity.
  • I tell my users to restart every single day
  • I'm fairly sure... (Score:4, Insightful)

    by jd ( 1658 ) <`imipak' `at' `yahoo.com'> on Friday April 03, 2020 @03:06AM (#59904036) Homepage Journal

    ...that DO-178C's software requirements, not to mention other vehicular coding standards, NASA's Power of Ten, and unit testing that's supposed to look for non-fatal state corruption bugs of this sort should prevent cumulative errors and stale data.

    Of course, that assumes Boeing sticks to standards.

    The MAX8 incidents, along with reported computer issues with the 777, make me think Boeing are winging it.

    I'm increasingly of the opinion that if you put any unexplained situation involving a modern Boeing down to a computer glitch, you've an excellent chance of being right.

    The question is, do we have too many standards? Incoherent/Unusable standards? Conflicting standards?

    There are even standards designed for specific projects, such as the Joint Strike Fighter.

    What's clear is that we've no shortage of tools to prevent these sorts of bugs and that Boeing (and to some extent Airbus) aren't using any of them.

  • Mid air over the Pacific sounds like as good a place as any to reboot the thing.

  • I'm posting this using the aeroplane's wifi.

    Oh look, I've found it's running an ssh server.

    jeremyp@Magenta ~ % ssh 192.168.1.2 -l pilot
    Password:
    Last login: Fri Apr 3 13:54:54 2020
    pilot@787 ~ % uptime
    13:56 up 50 days, 23:59, 3 users, load averages: 2.73 2.38 2.23
    pilot@787 ~ %

    Oh, shi
