Blackout Bug: Boeing 737 cockpit screens go blank if pilots land on specific runways
Thread Starter
Join Date: Dec 2016
Location: Manchester
Posts: 58
Likes: 0
Received 0 Likes
on
0 Posts
Blackout Bug: Boeing 737 cockpit screens go blank if pilots land on specific runways
https://www.theregister.co.uk/2020/0...een_blank_bug/
https://www.federalregister.gov/docu...pany-airplanes
Seven runways, of which five are in the US, and two in South America - in Colombia and Guyana respectively – trigger the bug. Instrument approach procedures guide pilots to safe landings in all weather conditions regardless of visibility."All six display units (DUs) blanked with a selected instrument approach to a runway with a 270-degree true heading, and all six DUs stayed blank until a different runway was selected," noted the FAA's airworthiness directive, summarising three incidents that occurred on scheduled 737 flights to Barrow, Alaska, in 2019.
This AD requires revising the airplane flight manual (AFM) to prohibit selection of certain runways for airplanes equipped with certain software. This AD was prompted by reports of display electronic unit (DEU) software errors on airplanes with a selected instrument approach to a specific runway. The FAA is issuing this AD to address the unsafe condition on these products.
Join Date: Apr 2019
Location: EDSP
Posts: 334
Likes: 0
Received 0 Likes
on
0 Posts
This is symptomatic treatment at its best. What about fixing that f***ing display software?
Join Date: Oct 2001
Location: UK
Posts: 99
Likes: 0
Received 0 Likes
on
0 Posts
"The FAA has confirmed that the faulty version of DEU software has already been removed from all airplanes conducting scheduled airline service into the affected airports. This AD is intended to address unscheduled diversions and Boeing Business Jet (BBJ) flights into the affected airports"
Join Date: Apr 2019
Location: EDSP
Posts: 334
Likes: 0
Received 0 Likes
on
0 Posts
Seems they already have
"The FAA has confirmed that the faulty version of DEU software has already been removed from all airplanes conducting scheduled airline service into the affected airports. This AD is intended to address unscheduled diversions and Boeing Business Jet (BBJ) flights into the affected airports"
"The FAA has confirmed that the faulty version of DEU software has already been removed from all airplanes conducting scheduled airline service into the affected airports. This AD is intended to address unscheduled diversions and Boeing Business Jet (BBJ) flights into the affected airports"
Some combination of data have triggered this bug and 7 approches have been identified.
So who guarantees that no 7 + x approches exist right now or are inserted later with DB updates?
Still find it strange.
It would be a fairly trivial task to crunch one of the FMS data providers' runway databases and determine which ones are aligned at exactly 270° (plus or minus whatever the tolerance is).
Join Date: Apr 2019
Location: EDSP
Posts: 334
Likes: 0
Received 0 Likes
on
0 Posts
Join Date: Oct 2001
Location: UK
Posts: 99
Likes: 0
Received 0 Likes
on
0 Posts
"Not all runways with a 270-degree true heading are susceptible; only seven runways worldwide, as identified in this AD, have latitude and longitude values that cause the blanking behavior"
I don't see any obvious pattern in the lat/long values. A very curious bug.
Great Circle Mapper
Join Date: Apr 2019
Location: EDSP
Posts: 334
Likes: 0
Received 0 Likes
on
0 Posts
From the AD:
"Not all runways with a 270-degree true heading are susceptible; only seven runways worldwide, as identified in this AD, have latitude and longitude values that cause the blanking behavior"
I don't see any obvious pattern in the lat/long values. A very curious bug.
Great Circle Mapper
"Not all runways with a 270-degree true heading are susceptible; only seven runways worldwide, as identified in this AD, have latitude and longitude values that cause the blanking behavior"
I don't see any obvious pattern in the lat/long values. A very curious bug.
Great Circle Mapper
Shortly after EIS of the 747-400, Boeing came out with an EICAS s/w update to correct some issues with the original s/w. However it wasn't just a s/w update, it required a hardware change as well. Well, there was a certain operator who couldn't be bothered to update the hardware and so wouldn't incorporate the update. This operator also happened to be the launch customer and so had most of the affected aircraft. So finally the FAA issued an AD mandating the new s/w. Due to the unfortunate wording of the AD, it meant that every single time Boeing updated the 747-400 EICAS software, Boeing had to obtain an 'Alternate Method of Compliance' (AMOC) to the AD (which isn't trivial).
Join Date: Jun 2001
Location: FL430
Posts: 86
Likes: 0
Received 0 Likes
on
0 Posts
I’ve been operating strictly to company and Boeing SOPs for the last 30 years on different Boeing products.(to cover mine and everyone else’s back including Boeing) I’m old enough and have so much experience that I’m beginning to not trust certain things that I always took for granted, and would maybe now go for my own very experienced seat of the pants flying instinct instead of Boeing QRH etc to save the day .. Not the way it should be I know !. Maybe Boeing can’t be trusted anymore, and that makes it up to me to be safe these days. Any thoughts. ?
Join Date: Apr 2019
Location: Toronto
Posts: 20
Likes: 0
Received 0 Likes
on
0 Posts
I'm a software developer, and this makes me very angry. The fact that a "magic value" can trigger a bug like this indicates that there is something rotten in the fundamental approach the developers of this particular software took.
There had to be multiple pairs of eyes looking it over, too, and either no one was confident enough to speak up and say "Hey, this isn't the right way to do this", or they were and were then overruled by someone with more authority than sense.
To be clear, I see this kind of thing all the time. I just don't work with safety-critical software, and I had hoped the standards were materially different for that.
I'd love to see the technical explanation of the bug and/or overview of the code, but I suspect it would just make me angrier.
I also quote this post from The Register article's comment page, with which I agree completely:
There had to be multiple pairs of eyes looking it over, too, and either no one was confident enough to speak up and say "Hey, this isn't the right way to do this", or they were and were then overruled by someone with more authority than sense.
To be clear, I see this kind of thing all the time. I just don't work with safety-critical software, and I had hoped the standards were materially different for that.
I'd love to see the technical explanation of the bug and/or overview of the code, but I suspect it would just make me angrier.
I also quote this post from The Register article's comment page, with which I agree completely:
The bug itself is very troubling, but what is much troubling is what the bug implies about the quality of the software at large. First it implies a lack of bounds checking on the display unit. Second, a lack of testing on the display data inputs. Third, no checking of what the FMS is pushing out. Fourth, no one bothered to write a rational error-handling on the display unit in case values were out-of-bounds (especially since this causes the entire display to go dark instead of just a single value).
But what really worries me is that a software glitch can trigger a failure of all display units simultaneously, rather than just ones showing specific pages. SO would a bad value that is only displayed on one of those tertiary EIS display pages cause the displays to go out as well? What about garbage from the WX Radar?
But what really worries me is that a software glitch can trigger a failure of all display units simultaneously, rather than just ones showing specific pages. SO would a bad value that is only displayed on one of those tertiary EIS display pages cause the displays to go out as well? What about garbage from the WX Radar?
Edit: Came across the following website because a certain drone suddenly was unable to fly when the magnetic database changed on Jan1. https://www.ngdc.noaa.gov/geomag/WMM/ I don't know the particular correlation to the avionics side of this but looking at the loops and whorls of the magnetic field leaves me dizzy. They track not only the current offsets but the rate at which the offsets change; apparently 9 dimensions all together.
Join Date: Mar 2019
Location: Europe
Posts: 32
Likes: 0
Received 0 Likes
on
0 Posts
True, but the magnetic heading can effectively change overnight. It's a weird side effect of the magnetic poles not staying put.
Edit: Came across the following website because a certain drone suddenly was unable to fly when the magnetic database changed on Jan1. https://www.ngdc.noaa.gov/geomag/WMM/ I don't know the particular correlation to the avionics side of this but looking at the loops and whorls of the magnetic field leaves me dizzy. They track not only the current offsets but the rate at which the offsets change; apparently 9 dimensions all together.
Edit: Came across the following website because a certain drone suddenly was unable to fly when the magnetic database changed on Jan1. https://www.ngdc.noaa.gov/geomag/WMM/ I don't know the particular correlation to the avionics side of this but looking at the loops and whorls of the magnetic field leaves me dizzy. They track not only the current offsets but the rate at which the offsets change; apparently 9 dimensions all together.
So a combination of particular magnetic headings, latitude, longitude and mag variation might cause the Nav display to output nonsense, but all six displays blanked??
Why the PFD?. Why the Engine/system display?
Please tell me this is untrue or that at least the PFDs are given a higher level of coding security.
Why the PFD?. Why the Engine/system display?
Please tell me this is untrue or that at least the PFDs are given a higher level of coding security.
What is unclear is why there is also a connection to latitude and longitude.
I looked at the airports - based on data from https://www.airnav.com these are the deviations in degrees from 270:
82V -0.009377087
KBJJ 0.001984966
KCIU -0.024015687
KCNM 0.017476942
PABR -0.00926391
AirNav provides Lat/Long for each end of the runway which I converted with ATAN to a degrees variation. It did not list the last two.
SKLM, is listed as runway true heading: 272.4 on SKLM - Jorge Isaac Airport and
SYCJ is listed at 271.9
So it's a mystery. While I can imagine truncating the true heading to one place would be a problem, I can't see where they would truncate the true heading by more than 2 degrees.
So a combination of particular magnetic headings, latitude, longitude and mag variation might cause the Nav display to output nonsense, but all six displays blanked??
Why the PFD?. Why the Engine/system display?
Please tell me this is untrue or that at least the PFDs are given a higher level of coding security.
Why the PFD?. Why the Engine/system display?
Please tell me this is untrue or that at least the PFDs are given a higher level of coding security.
The 737 is rumored to be running an 80286 processor which is a well understood design. However I don't see the architecture for the software. It should have an independent watchdog timer processor to automatically reboot if there is a fundamental software failure, but maybe only the thread/task/subsystem to update the displays failed and the watchdog reset and all other controls is still running. I've seen software fail because it was awaiting feedback that never happened. It may be that one display got a message it could not handle and never responded. That would quickly stop the task to update the displays. If the displays are programmed right they should have their own watchdog timers to stop displaying when too long a time has passed without an update rather than freezing and giving the impression they are still functioning.
There was a question of why not every runway was tried on the software. While hindsight is great on this sort of problem, it also suggests trying every combination of: altitude, airspeed, pitch, AoA, lat, long, N1, fuel load, weight, true airspeed, relative airspeed, and on and on.
The reason I wondered about the magnetic heading earlier is because this last year cannot be the first time a 737NG flew into Barrow, Alaska. Can it?
The last two airports on the list are nearly 2 degrees from a true heading of 270 degrees. It's not likely for that to result in a divide by zero problem.
It's a shame, but I doubt the actual source of the problem will be revealed.
Ahh, true heading - OK.
What is unclear is why there is also a connection to latitude and longitude.
I looked at the airports - based on data from https://www.airnav.com these are the deviations in degrees from 270:
82V -0.009377087
KBJJ 0.001984966
KCIU -0.024015687
KCNM 0.017476942
PABR -0.00926391
AirNav provides Lat/Long for each end of the runway which I converted with ATAN to a degrees variation. It did not list the last two.
SKLM, is listed as runway true heading: 272.4 on SKLM - Jorge Isaac Airport and
SYCJ is listed at 271.9
So it's a mystery. While I can imagine truncating the true heading to one place would be a problem, I can't see where they would truncate the true heading by more than 2 degrees.
What is unclear is why there is also a connection to latitude and longitude.
I looked at the airports - based on data from https://www.airnav.com these are the deviations in degrees from 270:
82V -0.009377087
KBJJ 0.001984966
KCIU -0.024015687
KCNM 0.017476942
PABR -0.00926391
AirNav provides Lat/Long for each end of the runway which I converted with ATAN to a degrees variation. It did not list the last two.
SKLM, is listed as runway true heading: 272.4 on SKLM - Jorge Isaac Airport and
SYCJ is listed at 271.9
So it's a mystery. While I can imagine truncating the true heading to one place would be a problem, I can't see where they would truncate the true heading by more than 2 degrees.
As for the FAA's assertion that "only seven runways worldwide, as identified in this AD, have latitude and longitude values that cause the blanking behavior", I suspect that only runways of over a certain length (5000 feet?) at civil airports have been considered. There are around 150 runways in total with true headings in the above range, but once short runways and military fields are excluded (and, for some reason, airports with parallel runways) there are only about a dozen left worldwide.
I don't think that mag variation has anything to do with the criteria.