Slashdot Mirror
In-Flight Reboot?
steelem writes "The Washington Post is running a story about how the F-22 Raptor's software requires in-flight reboots. Apparently the 2 million line software project is 93% done. Knowing most projects I've been on, it'll stay that way for another few years."
They do.
There are several redundant systems. Let's say for example that your FLCC has 3 identical systems. If one fails, the other two take over until the watchdog timer kicks in and restarts the third (in the case of a software fault).
Anything that is rated for piloted flight is this way, especially fly-by-wire systems or other mission critical components.
This claim is not surprising at all, since it happens all the time.
> and would be totally unacceptable if it were say, a navigation computer on a 737 with a hundred civilians on-board.
AFAIK, civilian flight systems are three times redundant. Written by three different isolated teams in three different programming paradigms, from three different cultures to avoid similar faults due to "contamination" by other teams, or simlar faults due to similar paradigms.
(Airbus 340 (3M LOC), Boeing 777 are said to have employed such techniques)
And IRC, they don't fly with at least two redundant fully functional systems.
It makes me wonder why the military has less stringent requirements.
"Between strong and weak, between rich and poor [...], it is freedom which oppresses and the law which sets free"
In order to make the planes more maneuverable, they need to make them less stable. A simply analogy would be a school bus is more stable & less maneuverable than a bicycle. I have read that flying a modern fighter aircraft without computers would be like steering a bicycle backwards while sitting on the hood of a car at 60 miles an hour.
Very unstable yet very maneuverable.
This isn't flight control software we're talking about. This is sensor fusion software. The flight control system is unaffected.
The sensor fusion software's task is to combine the data from all of the various sources (radar, RWR, multiple datalinks etc.) and redistribute it among the systems that could benefit from it. For example, a target detected by radar would show also up on the Horizontal Situational Display, and would also be re-transmitted via datalink to JSTARS and/or AWACS and any other datalink-capable aircraft. In addition, contact information can correlated for maximum accuracy. A target's radar emissions could be detected by the Radar Warning Receiver, and that information could then be used by the radar for Non Cooperative Target Recognition allowing the radar to display the type of target (though NCTR in the F/A-22 reportedly works differently from this). All of the numerous sensors on the F/A-22 have their resources and products pooled together, allowing for extremely effective target detection, tracking and ID. Sensor fusion is an incredible development in avionics and is one of the foundations of 5th generation fighter aircraft technology.
The F/A-22 does not need IFF with datalink and NCTR. Some USAF aircraft are not currently even equipped with IFF (the F-16 for example) and they have done quite well.
The APG-77 has a terrain following mode. And the widely spread weak emissions from it are much harder to detect than those from a conventional radar.
The Martin-Baker ACES II ejection seat can save a pilot's life from zero feet of altitude (that's why it's called a "zero-zero" ejection seat- effective down to zero altitude and zero speed)
I work as a pilot for a regional airline. And I can tell you that "rebooting" (we rather call it resetting) a computer during flight happens, causes no havoc whatsoever, and is well over 2 minutes. The operation is pretty straightforfard: whenever the "flight warning computer", which is watching all the rest, detects a failure in a computer : -Either it is _very_ important, and then you have sufficient redundancy to just leave it so (and you don't want to re-use a computer that failed once on something critical...in case the next failure goes undetected !) -Or you are on the ground with time on your hands, or in flight and it is some secondary stuff: you just pull the circuit breaker for that computer, count 2 minutes, then put it back on. The computer is then usually usable within a minute. For mission-critical system, such as flight control computers, which control the autopilot, everything is tripled. If two agree and one disagrees, the odd one is declared faulty. On such failures, the crew is often not advised while in flight, as there is nothing to be done. The failure is declared by the flight warning computer after landing, for the benefit of maintenance. Obviously, you can't take off again in that situation. And if the failure happens before takeoff, the rules are different: in case of a failure, and if the reset is ineffective, you check the remaining equipement against the minilum equipement list, which tells you if the remaining redundancy is sufficient or not. It can allow you to take off, sometimes with restrictions, or forbid the flight. As a rule, redundacy is such that the fault of a single computer or system (even an engine) is not a problem. Nice to know, isn't it ? ;-)