Slashdot Mirror


F-22 Avionics Require Inflight Reboot

An anonymous reader writes "The Atlanta Journal & Constitution is fronting a lengthy piece on the USAF's new F-22 and its upcoming shootout with the existing fleet of F-15s and F-16s. One line in the article really jumped out at me: 'When avionics problems crop up now, pilots must restart the entire system as if rebooting a personal computer.' I did some googling, and this is about as much as I could find: The hardware backbone for the system is the Hughes Common Integrated Processor, which, in turn, appears to be built around the Intel i960 CPU. I couldn't find a name for the operating system, but it appears to be written in about one and a half million lines of Ada code; more on the Ada hardware integration and Ada i960 compilers is here. Any Slashdotters working on this project? If so, why do you need the inflight reboot? PS: Gamers will be interested to learn that nVidia's Quadro2 Go GPU and Wind River's VxWorks Operating System are melded in the F-22's Multi-Function Display."

5 of 559 comments

  1. Similar to Mars Pathfinder by Deton8 · Score: 5, Interesting

    In 1997 the Mars Pathfinder probe had a problem with VxWorks and priority inversion. Perhaps the F22 is having something similar -- whenever you have an RTOS, the designer must try to anticipate when it's safe to block real-time interrupts and when it isn't. I don't know anything about the F22, but it's easy to imagine that it has hundreds of input sources with all sorts of latency requirements. AFAIK, it all comes down to some humans trying to balance these conflicting needs. Clearly they don't always get it right.
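
The priority inversion this comment refers to, as an added example that is not part of the thread: a small tick-based model of a fixed-priority scheduler with one mutex, run over a constructed three-task workload in the Pathfinder pattern (low-priority holder, high-priority waiter, long medium-priority task in between). Task names, step lists and tick counts are all made up for illustration; the `inherit` switch models the priority-inheritance fix that was enabled on Pathfinder's mutex, not VxWorks itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# One tick of CPU per step: 'L' acquires the shared resource, 'R' computes,
# 'U' releases it.  Larger prio = higher priority.
@dataclass
class Task:
    name: str
    prio: int
    release: int                 # tick at which the task first becomes ready
    steps: List[str]
    pc: int = 0
    done_at: Optional[int] = None

def simulate(tasks: List[Task], inherit: bool, max_ticks: int = 100) -> Dict[str, Optional[int]]:
    """Preemptive fixed-priority scheduler with a single mutex.  With inherit=True
    the mutex holder borrows the priority of the highest task blocked on it, which
    is the priority-inheritance fix that was enabled on Pathfinder's mutex."""
    holder: Optional[Task] = None
    for t in range(max_ticks):
        ready = [k for k in tasks if k.release <= t and k.done_at is None]
        if not ready:
            break
        blocked = [k for k in ready if k.steps[k.pc] == 'L' and holder not in (None, k)]
        runnable = [k for k in ready if k not in blocked]
        eff = {k.name: k.prio for k in tasks}             # effective priorities this tick
        if inherit and holder is not None and blocked:
            eff[holder.name] = max(eff[holder.name], max(k.prio for k in blocked))
        cur = max(runnable, key=lambda k: eff[k.name])   # dispatch the highest runnable
        step = cur.steps[cur.pc]
        if step == 'L':
            holder = cur
        elif step == 'U':
            holder = None
        cur.pc += 1
        if cur.pc == len(cur.steps):
            cur.done_at = t + 1
    return {k.name: k.done_at for k in tasks}

def scenario() -> List[Task]:
    """Constructed Pathfinder-style workload: a low-priority task holds the mutex,
    a high-priority task needs it, and a long medium-priority task starves the
    holder so the high-priority task's completion slips."""
    return [
        Task("low", prio=1, release=0, steps=['L', 'R', 'R', 'R', 'U']),
        Task("high", prio=3, release=1, steps=['L', 'R', 'U']),
        Task("mid", prio=2, release=2, steps=['R'] * 6),
    ]
```

Without inheritance the high-priority task finishes only after the unrelated medium task has run to completion; with it, the holder is boosted, releases early, and the high-priority task finishes first.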

  2. Re:Ada ? by Kysh · Score: 5, Interesting

    > This means the developers were forced to use
    > Ada, but why ? To me, it seems some suits think
    > it's especially "safe" for some reason, does
    > anyone know more about that ?

    Ada is especially safe. It is, in fact, one of the
    VERY few safety critical environments you will
    find. It's very simple- A safety critical program
    must never exit and give up control functionality
    entirely, no matter what happens. There are many
    things that you can do with C/C++/Java that will
    cause a crash unrecoverable by the system.

    Ada is designed to inherently prevent a programmer
    who follows the appropriate standards from writing
    a program that can just crash and exit. As long as
    every possible exception has a handler, an Ada
    program can be written that will not crash.

    > But I think you can try to make a programming
    > language as "safe" as you want, it won't prevent
    > you from implementing bugs, it just causes a
    > false sense of safety instead which can be even
    > more dangerous, IMHO.

    Bugs are universal. But bugs in a C program can
    cause the controlling system to shut it down with
    prejudice (Sig 11 and others), and it doesn't
    offer the automatic safety nets Ada does. Can you
    write safety critical software in C/C++/Java?
    Certainly. It's all a matter of methodology. Ada
    enforces the methodology, which is why people hate
    it. They can't do cute, horrible hacks like they
    can in C/C++, and Ada requires explicit
    specification. Ada has specific standards of
    implementation for software, and a good inherent
    design. It is designed, from the ground up, as a
    'safety critical' language, and for the most part
    succeeds on its own merit.

    I do understand the widespread animosity towards
    Ada. People don't like the verbose, very specific
    code. Programmers often want to bend the language
    over their knees and perform horrid hacks that
    make reasonable people blanch in fear, but Ada
    doesn't really allow that. Programmers are often
    forced to learn Ada in structured learning
    courses, and forced to read the Ada RM. They end
    up hating it because of the language and
    terminology used, because of the verbosity of the
    language, because of some of the difficult
    concepts of Ada, etc.

    But it really is a fine language. (I'm sure many
    people will disagree with me without really having
    an objective or informed viewpoint, but that's
    just how it goes)

    -Kysh

    --
    --=:: Wings and tail and snout and scales of blackest night ::=- A dragon stands be

  3. Re:F-22 "avionics" by Zathrus · Score: 5, Interesting

    > I for one don't care for fly-by-wire. Perhaps I'm old fashioned

    Well, sure... except that for modern fighter aircraft that's simply not viable. What the original poster was trying to say was that the F-22 is not inherently stable in flight (the AEs out there will now point out how minutely incorrect that statement is). If the flight control software goes wacky, you will be unable to fly the plane -- even if it was good ol' hydraulics and pneumatics.

    The F-22, like a lot of newer jets, has totally integrated flight systems. The ailerons do not work separately from other control surfaces, particularly the directed thrust system. A human trying to control all of this at once would be overwhelmed, and have considerably lower flight capabilities than a fly-by-wire system.

    Another poster pointed out the pilot intentionally doing bad things to the aircraft - shifting all the fuel to one side, opening the weapon bay doors on that side, etc. which threw the jet into cartwheels at 45k feet. Once the pilot released the controls the jet self-stabilized. That's pretty damn impressive. Ok, sure, with fly-by-wire you're pretty well hosed if it doesn't do this because you don't have a "real" concept of what the plane is doing and reacting.

    Fly-by-wire is becoming standard on large commercial jets too. I suspect it'll be a long time before it's commonplace on your small, private plane though -- especially since I can't imagine a single engine prop ever being designed to be "inherently unstable" in the air :)

    One of the most impressive things I've seen a Raptor do so far (on Discovery Wings, of course, heh) is fly backwards... jet is flying straight and level, pilot pulls the throttle all the way up and the jet actually goes into a "controlled stall" and moves backwards (or so it appears visually) for a short distance. Hell if I know if it's useful in combat -- but nifty to the layperson.

  4. Re:Ada ? by foobar104 · Score: 5, Interesting

    First, read Kysh's comment. It's better than mine.

    But the short answer is that it's possible to compile a Java program that will exit due to an uncaught exception. For many exceptions, Java forces you to have an exception handler, otherwise the code won't compile. But not for all. Runtime exceptions can send your code straight out the window.

    The idea behind Ada-- I've never done much Ada programming myself-- is that it's not supposed to be possible to compile code that can throw an uncaught exception. The compiler is supposed to prevent you from doing such a thing.

    This doesn't mean that Ada code is always perfect, but it does give you a degree of freedom that you don't get with other languages.

    I did some work about four years ago on a flight simulator project for the DoD. The first stage in the project was to build an unclassified demonstration version of the new sim. Some code related to weapons-- in this case, the AIM-120 missile-- is classified, and can't be demonstrated in an unclassified environment. So what did we do? We just didn't link in that code. (I may have my terminology wrong; I was doing HSI, not code, so I'm just going by what my friend on the other side of the hall told me.)

    With any other environment, C or Java or whatever, that would have resulted in a fatal runtime error. But Ada doesn't let you have runtime error situations without exception handlers, so when it encountered the missing chunk of AIM-120 code, the sim just dropped into the exception handler-- which basically said, ``never mind, everything's fine''-- and kept right on going. The sim dropped a couple of frames every time you fired a missile, but other than that, no problem.

    I've gotta say that I found that pretty cool. I mean, the sim just kept on going, after it found that a huge chunk of important code was simply missing! Neato!
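
The "every exception has a handler, so the program never exits" discipline that Kysh's and foobar104's comments describe, as an added example that is not part of the thread: a toy frame loop in which the missile model raises at run time (standing in for the unlinked AIM-120 code), once with no handler and once under a per-frame catch-all in the spirit of Ada's `when others =>`. Subsystem names, the state dictionary and the numbers are constructed for illustration; this is a Python analogue of the behaviour, not the Ada semantics themselves.

```python
import logging
from typing import Callable, Dict, List, Set

log = logging.getLogger("sim")
State = Dict[str, float]

def aim120_model(state: State, trigger: bool) -> None:
    # Stand-in for the classified missile code that was left out of the demo
    # build: the call site exists, the body behind it does not.
    if trigger:
        raise NotImplementedError("AIM-120 model not linked into this build")

def flight_dynamics(state: State, trigger: bool) -> None:
    state["x"] += state["vx"] * state["dt"]   # one integration step per frame

SUBSYSTEMS: List[Callable[[State, bool], None]] = [aim120_model, flight_dynamics]

def initial_state() -> State:
    return {"x": 0.0, "vx": 200.0, "dt": 0.25, "dropped": 0}

def run_unguarded(n_frames: int, fire_frames: Set[int]) -> State:
    """No handler: the first trigger pull unwinds straight out of the loop, the
    way an unchecked Java RuntimeException or a C fault would end the sim."""
    state = initial_state()
    for frame in range(n_frames):
        for step in SUBSYSTEMS:
            step(state, frame in fire_frames)
    return state

def run_guarded(n_frames: int, fire_frames: Set[int]) -> State:
    """Every frame runs under a catch-all handler, the Python analogue of Ada's
    'when others =>': the failed frame is dropped, logged, and the loop goes on."""
    state = initial_state()
    for frame in range(n_frames):
        try:
            for step in SUBSYSTEMS:
                step(state, frame in fire_frames)
        except Exception as exc:   # not a bare 'except:', so Ctrl-C still stops the sim
            state["dropped"] += 1
            log.warning("frame %d dropped: %s", frame, exc)
    return state
```

The guarded run loses exactly one frame of flight integration per missile launch and otherwise completes; the unguarded run terminates on the first launch.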

  5. Re:Why a reboot - because the creators are bozos by TheStruuus · Score: 5, Interesting

    Not bozos, it's the government guidelines. For instance the fuel systems have redundant processor units. When started both are online with the slave electronically disconnected. Following FAA guidelines dictates that a one strike and you're out is enforced. At the first sign of CPU trouble (crash, freeze, any electronic part failing within the system) all inputs and outputs on the unit are sent to high-Z and the other unit takes over. Now the reboot part, the first unit will sit in a frozen state indefinitely until it is manually reset with a POR or full HR. But the plane will fly just fine on the redundant system. In an emergency the pilot can manually reboot the halted system and it will either start up again (if the initial failure was some glitch) or immediately halt again if it was a critical failure.
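
The fail-over behaviour this comment describes, as an added example that is not part of the thread: a state machine for a dual-redundant controller where the active unit takes one strike on any detected fault, isolates its I/O (high-Z) and freezes, the standby takes over, and a pilot-commanded reset either brings the unit back as standby or halts it again at once if the fault persists. Class and field names, the glitch strings and the notion of a "persistent fault" flag are constructed for illustration, not taken from any real avionics design.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Mode(Enum):
    ACTIVE = "active"     # driving the bus
    STANDBY = "standby"   # powered, outputs electrically disconnected
    HALTED = "halted"     # took its one strike: I/O at high-Z, frozen until reset

@dataclass
class Unit:
    name: str
    fault: Optional[str] = None   # constructed persistent hardware fault; None = healthy
    mode: Mode = Mode.STANDBY
    high_z: bool = True
    strikes: int = 0

@dataclass
class FuelController:
    a: Unit
    b: Unit

    def power_on(self) -> None:
        self.a.mode, self.a.high_z = Mode.ACTIVE, False   # A is master, B the slave

    def active(self) -> Optional[Unit]:
        return next((u for u in (self.a, self.b) if u.mode is Mode.ACTIVE), None)

    def _strike(self, u: Unit) -> None:   # one strike and it's out: isolate and freeze
        u.mode, u.high_z, u.strikes = Mode.HALTED, True, u.strikes + 1

    def tick(self, glitch: Optional[str] = None) -> Optional[Unit]:
        """One control cycle: a glitch or persistent fault on the active unit is one
        strike and the standby takes over.  Returns the active unit (None if both halted)."""
        u = self.active()
        if u is not None and (glitch or u.fault):
            self._strike(u)
            for s in (self.a, self.b):
                if s.mode is Mode.STANDBY:
                    s.mode, s.high_z = Mode.ACTIVE, False
                    break
        return self.active()

    def manual_reset(self, u: Unit) -> Mode:   # pilot-commanded POR/HR of a halted unit
        if u.mode is Mode.HALTED:
            if u.fault:
                self._strike(u)                 # critical failure: halts again immediately
            else:
                u.mode, u.high_z = Mode.STANDBY, True   # it was a glitch: back online as standby
        return u.mode
```

A second fault while the other unit is already halted leaves `active()` returning None, which is the situation in which the manual reboot the comment describes becomes the only way back.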