Blackout Bug: Boeing 737 cockpit screens go blank if pilots land on specific runways
https://www.theregister.co.uk/2020/0...een_blank_bug/
Seven runways, of which five are in the US, and two in South America - in Colombia and Guyana respectively – trigger the bug. Instrument approach procedures guide pilots to safe landings in all weather conditions regardless of visibility."All six display units (DUs) blanked with a selected instrument approach to a runway with a 270-degree true heading, and all six DUs stayed blank until a different runway was selected," noted the FAA's airworthiness directive, summarising three incidents that occurred on scheduled 737 flights to Barrow, Alaska, in 2019. This AD requires revising the airplane flight manual (AFM) to prohibit selection of certain runways for airplanes equipped with certain software. This AD was prompted by reports of display electronic unit (DEU) software errors on airplanes with a selected instrument approach to a specific runway. The FAA is issuing this AD to address the unsafe condition on these products. |
Originally Posted by slfool
(Post 10656886)
https://www.theregister.co.uk/2020/0...een_blank_bug/
https://www.federalregister.gov/docu...pany-airplanes This is symptomatic treatment at its best. What about fixing that f***ing display software? |
Originally Posted by BDAttitude
(Post 10656907)
OMG!!!
This is symptomatic treatment at its best. What about fixing that f***ing display software? "The FAA has confirmed that the faulty version of DEU software has already been removed from all airplanes conducting scheduled airline service into the affected airports. This AD is intended to address unscheduled diversions and Boeing Business Jet (BBJ) flights into the affected airports" |
This is the problem when you keep building code on top of legacy code. Certain combinations can trigger unintended consequences.
|
Originally Posted by malanda
(Post 10656926)
Seems they already have
"The FAA has confirmed that the faulty version of DEU software has already been removed from all airplanes conducting scheduled airline service into the affected airports. This AD is intended to address unscheduled diversions and Boeing Business Jet (BBJ) flights into the affected airports" Some combination of data have triggered this bug and 7 approches have been identified. So who guarantees that no 7 + x approches exist right now or are inserted later with DB updates? Still find it strange. |
747s could lose all 6 DUs until the EIUs got changed. Happened twice in-flight, IIRC.
|
Originally Posted by BDAttitude
(Post 10656948)
So who guarantees that no 7 + x approches exist right now or are inserted later with DB updates?
It would be a fairly trivial task to crunch one of the FMS data providers' runway databases and determine which ones are aligned at exactly 270° (plus or minus whatever the tolerance is). |
Originally Posted by DaveReidUK
(Post 10657115)
Runways tend not to move overnight. :O
It would be a fairly trivial task to crunch one of the FMS data providers' runway databases and determine which ones are aligned at exactly 270° (plus or minus whatever the tolerance is). |
You have to be carefull you do not fix the problem but cause a worse one.
|
Originally Posted by BDAttitude
(Post 10657135)
That's just about every second round here - the others being 07 to 09 - pedominantly westerly winds :O. Who needs FMS approach page anyway :}.
"Not all runways with a 270-degree true heading are susceptible; only seven runways worldwide, as identified in this AD, have latitude and longitude values that cause the blanking behavior" I don't see any obvious pattern in the lat/long values. A very curious bug. Great Circle Mapper |
Originally Posted by malanda
(Post 10657241)
From the AD:
"Not all runways with a 270-degree true heading are susceptible; only seven runways worldwide, as identified in this AD, have latitude and longitude values that cause the blanking behavior" I don't see any obvious pattern in the lat/long values. A very curious bug. Great Circle Mapper |
Originally Posted by BDAttitude
(Post 10656948)
So there's a fix and they do not mandate it?!
Some combination of data have triggered this bug and 7 approches have been identified. So who guarantees that no 7 + x approches exist right now or are inserted later with DB updates? Still find it strange. Shortly after EIS of the 747-400, Boeing came out with an EICAS s/w update to correct some issues with the original s/w. However it wasn't just a s/w update, it required a hardware change as well. Well, there was a certain operator who couldn't be bothered to update the hardware and so wouldn't incorporate the update. This operator also happened to be the launch customer and so had most of the affected aircraft. So finally the FAA issued an AD mandating the new s/w. Due to the unfortunate wording of the AD, it meant that every single time Boeing updated the 747-400 EICAS software, Boeing had to obtain an 'Alternate Method of Compliance' (AMOC) to the AD (which isn't trivial). |
I’ve been operating strictly to company and Boeing SOPs for the last 30 years on different Boeing products.(to cover mine and everyone else’s back including Boeing) I’m old enough and have so much experience that I’m beginning to not trust certain things that I always took for granted, and would maybe now go for my own very experienced seat of the pants flying instinct instead of Boeing QRH etc to save the day .. Not the way it should be I know !. Maybe Boeing can’t be trusted anymore, and that makes it up to me to be safe these days. Any thoughts. ?
|
I'm a software developer, and this makes me very angry. The fact that a "magic value" can trigger a bug like this indicates that there is something rotten in the fundamental approach the developers of this particular software took.
There had to be multiple pairs of eyes looking it over, too, and either no one was confident enough to speak up and say "Hey, this isn't the right way to do this", or they were and were then overruled by someone with more authority than sense. To be clear, I see this kind of thing all the time. I just don't work with safety-critical software, and I had hoped the standards were materially different for that. I'd love to see the technical explanation of the bug and/or overview of the code, but I suspect it would just make me angrier. I also quote this post from The Register article's comment page, with which I agree completely: The bug itself is very troubling, but what is much troubling is what the bug implies about the quality of the software at large. First it implies a lack of bounds checking on the display unit. Second, a lack of testing on the display data inputs. Third, no checking of what the FMS is pushing out. Fourth, no one bothered to write a rational error-handling on the display unit in case values were out-of-bounds (especially since this causes the entire display to go dark instead of just a single value). But what really worries me is that a software glitch can trigger a failure of all display units simultaneously, rather than just ones showing specific pages. SO would a bad value that is only displayed on one of those tertiary EIS display pages cause the displays to go out as well? What about garbage from the WX Radar? |
Originally Posted by DaveReidUK
(Post 10657115)
Runways tend not to move overnight. :O
It would be a fairly trivial task to crunch one of the FMS data providers' runway databases and determine which ones are aligned at exactly 270° (plus or minus whatever the tolerance is). Edit: Came across the following website because a certain drone suddenly was unable to fly when the magnetic database changed on Jan1. https://www.ngdc.noaa.gov/geomag/WMM/ I don't know the particular correlation to the avionics side of this but looking at the loops and whorls of the magnetic field leaves me dizzy. They track not only the current offsets but the rate at which the offsets change; apparently 9 dimensions all together. |
Originally Posted by MechEngr
(Post 10657553)
True, but the magnetic heading can effectively change overnight. It's a weird side effect of the magnetic poles not staying put.
Edit: Came across the following website because a certain drone suddenly was unable to fly when the magnetic database changed on Jan1. https://www.ngdc.noaa.gov/geomag/WMM/ I don't know the particular correlation to the avionics side of this but looking at the loops and whorls of the magnetic field leaves me dizzy. They track not only the current offsets but the rate at which the offsets change; apparently 9 dimensions all together. |
So a combination of particular magnetic headings, latitude, longitude and mag variation might cause the Nav display to output nonsense, but all six displays blanked??
Why the PFD?. Why the Engine/system display? Please tell me this is untrue or that at least the PFDs are given a higher level of coding security. |
Originally Posted by ReturningVector
(Post 10657596)
I think the article related the bug to the true direction, not the magnetic direction of a runway.
What is unclear is why there is also a connection to latitude and longitude. I looked at the airports - based on data from https://www.airnav.com these are the deviations in degrees from 270: 82V -0.009377087 KBJJ 0.001984966 KCIU -0.024015687 KCNM 0.017476942 PABR -0.00926391 AirNav provides Lat/Long for each end of the runway which I converted with ATAN to a degrees variation. It did not list the last two. SKLM, is listed as runway true heading: 272.4 on SKLM - Jorge Isaac Airport and SYCJ is listed at 271.9 So it's a mystery. While I can imagine truncating the true heading to one place would be a problem, I can't see where they would truncate the true heading by more than 2 degrees. |
Originally Posted by Uplinker
(Post 10657651)
So a combination of particular magnetic headings, latitude, longitude and mag variation might cause the Nav display to output nonsense, but all six displays blanked??
Why the PFD?. Why the Engine/system display? Please tell me this is untrue or that at least the PFDs are given a higher level of coding security. The 737 is rumored to be running an 80286 processor which is a well understood design. However I don't see the architecture for the software. It should have an independent watchdog timer processor to automatically reboot if there is a fundamental software failure, but maybe only the thread/task/subsystem to update the displays failed and the watchdog reset and all other controls is still running. I've seen software fail because it was awaiting feedback that never happened. It may be that one display got a message it could not handle and never responded. That would quickly stop the task to update the displays. If the displays are programmed right they should have their own watchdog timers to stop displaying when too long a time has passed without an update rather than freezing and giving the impression they are still functioning. There was a question of why not every runway was tried on the software. While hindsight is great on this sort of problem, it also suggests trying every combination of: altitude, airspeed, pitch, AoA, lat, long, N1, fuel load, weight, true airspeed, relative airspeed, and on and on. The reason I wondered about the magnetic heading earlier is because this last year cannot be the first time a 737NG flew into Barrow, Alaska. Can it? The last two airports on the list are nearly 2 degrees from a true heading of 270 degrees. It's not likely for that to result in a divide by zero problem. It's a shame, but I doubt the actual source of the problem will be revealed. |
Originally Posted by MechEngr
(Post 10657663)
Ahh, true heading - OK.
What is unclear is why there is also a connection to latitude and longitude. I looked at the airports - based on data from https://www.airnav.com these are the deviations in degrees from 270: 82V -0.009377087 KBJJ 0.001984966 KCIU -0.024015687 KCNM 0.017476942 PABR -0.00926391 AirNav provides Lat/Long for each end of the runway which I converted with ATAN to a degrees variation. It did not list the last two. SKLM, is listed as runway true heading: 272.4 on SKLM - Jorge Isaac Airport and SYCJ is listed at 271.9 So it's a mystery. While I can imagine truncating the true heading to one place would be a problem, I can't see where they would truncate the true heading by more than 2 degrees. As for the FAA's assertion that "only seven runways worldwide, as identified in this AD, have latitude and longitude values that cause the blanking behavior", I suspect that only runways of over a certain length (5000 feet?) at civil airports have been considered. There are around 150 runways in total with true headings in the above range, but once short runways and military fields are excluded (and, for some reason, airports with parallel runways) there are only about a dozen left worldwide. I don't think that mag variation has anything to do with the criteria. |
That's even weirder. How can there be significantly different values for a fundamental measurement? Tiny fractions of a degree are one thing, but 2 degrees? I guess the two airports aren't going to have automated landings so a couple of degrees isn't a problem, but this seems like purposeful misinformation in comparison.
Anyway, if the the values they are using are from the same source as yours, then rounding to the nearest 0.1 degree would set them to 270. That still loops around to why the software to having a problem. The reverse approaches are 0 degrees true, and 0 is just as problematic for trigonometry as 180 is. I can see where the opposite problem would be more likely to exist - a database of the lat/long coordinates for each end and a failure to determine the correct arctangent, but the ones I looked at aren't exactly 270 so the arctangent should not be infinite nor zero. Puzzling. |
Originally Posted by MechEngr
(Post 10657685)
It should have an independent watchdog timer processor to automatically reboot if there is a fundamental software failure, but maybe only the thread/task/subsystem to update the displays failed and the watchdog reset and all other controls is still running
I recall a widely-distributed maths library function that could take literally years to execute with certain near-zero inputs. Could be something like that. |
Didn't a squadron of F22s (7 I recall) have their screens "dump" when they all crossed the international dateline.
No doubt the word "dump" (probably refers to OS dump) which is now a common term in FJ territory which will probably also become standard in civvie street. And to think some are espousing autonomous flight using these very same software developers. |
At least it's reproduceable, that is a big head start over something intermittent.
|
Originally Posted by MechEngr
(Post 10657733)
That's even weirder. How can there be significantly different values for a fundamental measurement? Tiny fractions of a degree are one thing, but 2 degrees?
The link you supplied for SKLM shows the same latitude for both thresholds. If somebody can explain to me how two points with the same latitude and less than a mile apart can have a relative bearing other than due east/west (unless they're close to the N/S Poles) then I'd be extremely grateful. Or just plug those provided threshold values into any GC calculator, such as https://www.cactus2000.de/uk/unit/massgrk.shtml |
Maybe SKLM is an unreliable narrator.
|
Originally Posted by MechEngr
(Post 10657784)
Maybe SKLM is an unreliable narrator.
As an alternative to GC calculators, a quicker way to get a reasonably precise true heading for a runway is simply to use the ruler on Google Earth. For example EGLL 27R is oriented at 267.3° true, according to the above website, whereas the actual value is 269.7°. https://cimg5.ibsrv.net/gimg/pprune....e0885ed668.jpg |
Embedded processors can usually be configured regarding their behaviour if a division/0 occurs - ignore or trap,dump and reset. When you choose later option and feed them the same div/0 after restart they would be trapped in a reset loop until you remove it which seems easy in this case but is difficult if you read the 0 from memory.
Therefore we would not do that at the expense of having a not well defined state if a div/0 occured. Least significant bit of a heading representation in 16bit signed integer would be 0.0109866° |
If it has a serious bug, it's better to have the screens go blank than provide erroneous information.
|
Originally Posted by MechEngr
(Post 10657685)
The 737 is rumored to be running an 80286 processor which is a well understood design.
*One of the reasons Linux and other true multitasking systems had to wait for the '386. |
Originally Posted by visibility3miles
(Post 10658044)
If it has a serious bug, it's better to have the screens go blank than provide erroneous information.
I disagree. A navigation problem alone should not blank the attitude, IAS, TAS, altitude, V/S, A/P status, A/THR status, N1, EGT, etc, etc. You should just get a red flag for; heading, G/S, wind vector, ILS, VOR, map, compass, course, or whichever Nav function is unavailable, or disagrees with the other side. The whole bloody screen shouldn’t blank, nor should the screens which don’t display any Nav info. |
Originally Posted by Uplinker
(Post 10658153)
What, ALL the screens? - leaving you with just the standby instruments and nothing else?
I disagree. A navigation problem alone should not blank the attitude, IAS, TAS, altitude, V/S, A/P status, A/THR status, N1, EGT, etc, etc. You should just get a red flag for; heading, G/S, wind vector, ILS, VOR, map, compass, course, or whichever Nav function is unavailable, or disagrees with the other side. The whole bloody screen shouldn’t blank, nor should the screens which don’t display any Nav info. |
Originally Posted by Uplinker
(Post 10658153)
What, ALL the screens? - leaving you with just the standby instruments and nothing else?
I disagree. A navigation problem alone should not blank the attitude, IAS, TAS, altitude, V/S, A/P status, A/THR status, N1, EGT, etc, etc. You should just get a red flag for; heading, G/S, wind vector, ILS, VOR, map, compass, course, or whichever Nav function is unavailable, or disagrees with the other side. The whole bloody screen shouldn’t blank, nor should the screens which don’t display any Nav info. On the other hand if the boxes on the schematics represent logical components run on the same hardware, the plot thickens. What else stopped working when the displays blanked? Perhaps someone in the know can chip in? |
Well, in programming procedures, we have to deal with the legacy code, and code that exists. The lookup feature in the coding will take you to the next line. It is always not where you want to be. This is why we test the new code as much as we can.
that being said, there will always be certain inputs that will cascade to unintended consequences. I have sen many. many strange sequences in the coded flightpath, mostly in the flyby vs flyover code. I have seen, under certain flightpaths, where the AP is locked on, and no matter where you try to disengage, that internal command locks the 1 and 0 to 1, ie on. best advice is to always report these anomalies, with the combinations thereof..... All that being said, it is very easy to see how this happened, sorry it got to the flightdeck, but, well damn. |
From the limited information freely available, there are two DEUs providing data to the six displays. Now if both DEUs are fed with coordinates to display the same runway on a nav screen, causing a powerlatch because they trigger some exeption, six blank screens is what you would expect.
|
Sounds reasonable, thanks. I wasn't thinking of the bug being in the DEU's.
|
All times are GMT. The time now is 01:54. |
Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.