Power Cycle Your Boeing 787 To Keep It Flying
Written by Mike James   
Sunday, 05 April 2020

Boeing has so many bigger problems that this one could go unnoticed, but it is of special interest to us programmers. The FAA has issued an order that 787s have to be switched off and on every 51 days.

The directive doesn't give any real clue to what might be wrong, but 51 days is a little strange as numbers go. A quick sum reveals that there are 73400 seconds in 51 complete days, which is suspiciously close to 64536, the largest number a 16-bit int can represent. Unfortunately my guess didn't work out, as a 16-bit second counter rolls over in 45 days, so a recommendation to reboot every 51 days wouldn't really help.

After this lesson in how to work out the possible rollover, I resorted to the most sophisticated programming tool on the planet - a spreadsheet! Calculating the rollover for different units of time quickly revealed that a 42-bit counter running at 1MHz rolls over at 50.9 days. The 42-bit width is a little unusual, but there are 42-bit hardware counters in a number of chips, and it could also result from using part of a larger register.


The directive doesn't go into much detail but does say:

"The FAA has received a report indicating that the stale-data monitoring function of CCS may be lost when continuously powered on for 51 days. This could lead to undetected or unannunciated loss of CDN message age validation, combined with a CDN switch failure. The CDN handles all the flight-critical data (including airspeed, altitude, attitude, and engine operation), and several potentially catastrophic failure scenarios can result from this situation. Potential consequences include:

  • Display of misleading primary attitude data for both pilots.
  • Display of misleading altitude on both pilots' primary flight displays (PFDs).
  • Display of misleading airspeed data on both pilots' PFDs, without annunciation of failure, coupled with the loss of stall warning, or over-speed warning.
  • Display of misleading engine operating indications on both engines."

It sounds as if the time stamp on the data rolls over and old data is displayed instead of new data.
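To make the two calculations above concrete, here is an added example in C that is not from the article or from Boeing: rollover_days() is the spreadsheet sum (2^bits ticks divided by the tick rate) as a function, and the two freshness checks show how a message-age monitor built on a wrapping timestamp can stop detecting stale data once the counter wraps. The 42-bit microsecond timestamp, the 100 ms staleness limit and the sample values are all constructed assumptions for illustration; the 31-bit, 100 Hz row is likewise my own guess at a counter that wraps in roughly 248 days, the figure in the earlier Dreamliner article.

```c
#include <stdint.h>
#include <stdio.h>

#define SECONDS_PER_DAY 86400.0

/* Days until an unsigned counter `bits` wide, ticking at `hz`, wraps to zero.
   This is the article's spreadsheet calculation written as a function. */
double rollover_days(unsigned bits, double hz)
{
    double ticks = (double)(1ULL << bits);   /* valid for bits < 64 */
    return ticks / hz / SECONDS_PER_DAY;
}

/* Hypothetical timestamp: 42 bits of microseconds (an assumption, not the
   787's actual design). Ages are compared against a constructed 100 ms limit. */
#define STAMP_BITS 42
#define STAMP_MASK ((1ULL << STAMP_BITS) - 1ULL)
#define MAX_AGE_US 100000ULL

/* Naive freshness check: "the stamp plus the allowed age has not been reached
   yet". Once `now` wraps back to a small value, every stamp passes this test,
   so stale data is no longer detected: the monitor is effectively lost. */
int is_fresh_naive(uint64_t now, uint64_t stamp)
{
    return stamp + MAX_AGE_US >= now;
}

/* Wrap-safe check: take the age modulo the counter width, so the difference
   stays correct across the wrap as long as true ages are far below
   2^STAMP_BITS ticks (about 50.9 days here). */
int is_fresh_modular(uint64_t now, uint64_t stamp)
{
    uint64_t age = (now - stamp) & STAMP_MASK;
    return age <= MAX_AGE_US;
}

/* Constructed scenario: a sample stamped 1 s before the counter wraps,
   checked 30 us after the wrap. Its true age is about 1 s, past the limit. */
uint64_t stale_stamp(void) { return STAMP_MASK - 1000000ULL; }
uint64_t now_after_wrap(void) { return 30ULL; }

int main(void)
{
    printf("42-bit counter at 1 MHz wraps after %.1f days\n", rollover_days(42, 1e6));
    printf("31-bit counter at 100 Hz wraps after %.1f days\n", rollover_days(31, 100));
    printf("stale sample after wrap: naive=%s modular=%s\n",
           is_fresh_naive(now_after_wrap(), stale_stamp()) ? "fresh" : "stale",
           is_fresh_modular(now_after_wrap(), stale_stamp()) ? "fresh" : "stale");
    return 0;
}
```

The naive check reports the second-old sample as fresh after the wrap, which is exactly the "loss of message age validation" failure mode described in the directive; the modular version reports it stale, because unsigned subtraction masked to the counter width yields the true elapsed ticks whenever the real age is less than one full period.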

Of course, this is just a guess but I wouldn't be surprised as rollover is still the biggest cause of this sort of error and it is typical that a reboot solves the problem. Also, this isn't the first time this has happened in flight software and we have a report of an earlier incident, see Reboot Your Dreamliner Every 248 Days To Avoid Integer Overflow.

What is more worrying is that this is surely among the most safety-critical software we create and it seems that we still can't avoid such mistakes.


More Information

US-2020-06-14 : Integrated Modular Avionics - Electrical Power - Repetitive Cycling


Related Articles

Reboot Your Dreamliner Every 248 Days To Avoid Integer Overflow

MIT Finds Overflow Bugs       

Code Digger Finds The Values That Break Your Code       

Toyota Code Could Be Lethal        

Robot cars - provably uncrashable?       

Do cars have bugs?       



Last Updated ( Sunday, 05 April 2020 )