Software Bug Halts F-22 Flight
mgh02114 writes "The new US stealth fighter, the F-22 Raptor, was deployed for the first time to Asia earlier this month. On Feb. 11, twelve Raptors flying from Hawaii to Japan were forced to turn back when a software glitch crashed all of the F-22s' on-board computers as they crossed the international date line. The delay in arrival in Japan was previously reported, with rumors of problems with the software. CNN television, however, this morning reported that every fighter completely lost all navigation and communications when they crossed the international date line. They reportedly had to turn around and follow their tankers by visual contact back to Hawaii. According to the CNN story, if they had not been with their tankers, or the weather had been bad, this would have been serious. CNN has not put up anything on their website yet." The Peoples Daily of China reported on Feb. 17 that two Raptors had landed on Okinawa.
As far as I remember the Space Shuttle not only has redundant computer systems, but also redundant software, i.e. the software has been developed twice to ensure that software bugs don't cause a catastrophe. I'd prefer to know that systems capable of carrying weapons which can kill hundreds of thousands of people were designed with the same safety in mind.
memomo: free web based language trainer DE-EN-ES-FR-IT
CNN television, however, this morning reported that every fighter completely lost all navigation and communications when they crossed the international date line.
I've heard of a software glitch causing a crash before, but this is ridiculous.
The theory of relativity doesn't work right in Arkansas.
The problem probably isn't with the time change. Airplanes use GMT so the local time doesn't matter. The problem is probably related to the longitude going from W179.99 degrees to E180 degrees.
We will happily sell y'all Eurofighters. Half the price, twice the bombs... and who the hell do you need stealth to fight anyway? Expecting France to try an invasion any day now or something?
Beep beep.
That's the real reason why they don't want to give source code to foreign armies... They don't want to be covered in shame :)
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
The answer to all these problems is very simple. For any mission critical application, use UTC and only UTC. No time zones, no date line, no converting. If the software isn't even aware of the concept of date/time localization, then it's not going to run into problems.
Oh, and while they're at it, standardize on metric too. Maybe we can save our interstellar probes at the same time we are saving our warplanes.
The Bismarck battleship had a bug also: when the main turrets would fire, the aiming radars would be disabled. That's no joke when you're in the midst of a battle and every one of those large caliber shells counts. As I understand, the radars would be disabled by the vibrations of the turret cannons firing. Not a software bug, but a bug nonetheless, and you do wonder how this battleship passed testing.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
When I worked at a high end civilian GPS equipment manufacturer, we had a test department where, among other things, a complete list of "special" dates and locations were kept on file. Any new position solution software release was regression tested against all previously known and guessed potential date/time rollovers, as well as making sure that motion across geographic coordinate boundaries didn't cause erratic behavior. Obviously whoever supplied the inertial navigation solution for the F22 hasn't quite gotten there yet... Testing in the lab is cheap. Burning a couple of tons of Jet-A and putting a bunch of people at risk is not.
Less is more.
The F-22 has a fly-by-wire control system. If there really were a crash of ALL on-board computer systems, communication and navigation would not have been the most immediate concerns!
Assuming it WAS a time issue upon crossing the International Dateline...
Design problem? Why should navigation software require "local time"? They knew they were crossing the international dateline, so they must be linked to GPS timing systems... why not just use GPS' universal time? (Sure, you want local time eventually for your displays but that's a "view" calculation, not one intrinsic to the navigation software)
Bug tracking problem? Did the testers not think of testing about a time zone change? Did they assume the above that everything would be on a universal time and therefore didn't see the need for crossing time zones?
Why wasn't this a stock reusable code module in Lockheed Martin's labs?!?
(And for a media look at this issue, check out the anime Geneshaft or the movie The Pentagon Wars)
I just want to know if this is in any way connected to the nuclear subs that lost navigation after they switched to Microsoft Windows based software. Generally, when this kind of thing happens, some external vendor is to blame.
I got to thinking if we had any decent alternatives (at least in C++). And yes there are alternatives and all of them looked equally bad to me. Looks like the F22 guys might have had the same problem finding and using a robust fault tolerant time library.
Sure, but it seems they turned Aero off..
My 0.02 cents
Are you telling me that the F-22 has no analog backup flight system? For gosh sakes even the F-16 has a similar system. A cursory Google search shows that the F-22 is equipped with an "LN-100G Inertial Navigation System with Embedded GPS". It sounds incredible that the summary implies that the only way they would've made it home was via formation flying with a tanker? Can anyone with more detailed information on the F-22 clarify?
So, when is Service Pack 1 coming out?
You'd think they'd have learned from this one:
http://www.f20a.com/f20ins.htm
www.sjbaker.org
You are flying to Japan, Cancel or Allow?
Someone is going to get fired for this.
Welcome to defense contracting, you must be new here.
-----
PGP Key ID 0xCB8FF658
Well, whatever the issue - which is probably something similar to what you suspect - it's now fixed. Here's the transcript from CNN this morning. Since the F-22 is fly-by-wire, it's also worth pointing out that all systems didn't crash, else these F-22s would be sitting in the Pacific. I've no doubt it affected navigation, communications, and similar subsystems, and was probably related to physical location in terms of time, position over the Earth, or both, given the nature of the issue.
>> 25 Years from development to deployment, the F-22 Raptor is the most advanced fighting machine in the air. It was no match for a computer glitch that left six of them high above the pacific ocean, deaf, dumb, and blind as they headed to their first deployment. So what happened? We turn to a man that's at home in the cockpit. Retired Air Force General Don Shepperd. Let me set the scene, Don. These F-22s, headed from the Air Force base in Hawaii to an Air Force base in Japan. They were approaching the international date line, pick it up from there.
>> You got it right. You want everything to go right with the frontline fighter. $125, 135 Million a copy. The F-22 raptor is our frontline fighter, air defense, air superiority, and it can drop bombs. It is stealthy and fast. You want it to go right. On the international deployment to the pacific, it didn't. At the international date line, whoops. All systems dumped. When I say all systems I mean all systems, navigation, part of the communications, fuel systems, and they were -- they could have been in real trouble. They were with their tankers. The tankers -- tried to reset their systems. Couldn't get them reset. Tankers brought them back to Hawaii. This could have been real serious. Certainly could have been real serious if the weather had been bad. Turned out okay. Fixed in 48 hours. It was a computer glitch in the millions of lines of code; somebody made an error in a couple lines of the code and everything goes.
>> This is almost like the feared Y2K problem that happened to these aircraft. We should point out, the computer problems in 2000. The computers absolutely went absolutely haywire and became useless?
>> Absolutely. When you think of airplanes from the old days, with cables and that type of thing and connects between the sticks and the yokes and the controls -- not that way anymore. Everything is by computer. When your computers go the airplanes go. You have multiple systems. When they all dump at the same time, you can be in real trouble. Luckily this turned out okay.
>> What would have happened if these brand-new $120 million F-22s had been going into battle?
>> You would have been in real trouble in the middle of combat. The good thing is we found this out. Any time -- before, you know, before we get into combat with an airplane like this. Any time you introduce a new airplane, you are going to find glitches, and you are going to find things that go wrong. It happens in our civilian airliners. You don't hear much about it. These things absolutely happen. And luckily had time we found out about it before combat. We got it fixed with tiger teams in about 48 hours and the airplanes were flying again, and completed the deployment. This could have been real serious in combat.
>> You had these advanced air -- not just superiority but air supremacy fighters in there, up there in the air, above the Pacific Ocean, not much more sophisticated than a Cessna 152 with a jet engine?
>> You got it. They are on a 15-hour flight from Hawaii to Okinawa. When all their systems dumped, they needed help. Had they gotten separated from their tankers or weather gotten bad they had no reference and no communications or navigation. They would have turned around and could have found the Hawaiian Islands. If the weather had been bad on approach there could have been real trouble. You get refueling from your tankers and you don't run -- you don't get yourself where you run out of fuel. You
When F16s crossed the equator, the computer would roll the aircraft 180 degrees and fly inverted:
http://catless.ncl.ac.uk/Risks/3.44.html
I tried posting this on several sites but on March 11th, when the new daylight savings regime kicks in for the first time there will probably be a lot of Java applications that will start having data issues because the latest Java version IS NOT BACKWARDS COMPATIBLE for several three character time codes that have been removed. Several codes have been deprecated in a way that is not backwards compatible. I could be wrong about the severity, but for the last two weeks my software team has been dealing with this issue and the interaction between Oracle and Java.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Why do you guys give +5 to someone who doesn't know for sure how the date line works, and who merely looked up which SI prefix was small enough to cause a 64-bit overflow? Most likely the bug has to do with overflow in position, not time. Even assuming this has to do with time overflow, modern GPS electronics can only measure signals to within 10 nanoseconds. Using femtoseconds (10,000,000x smaller) is complete BS to make his argument work.
...not to run Windows on those machines. They HAD to upgrade to Vista because of all the cool 'features' the pilots would like to see. First we had to put more ram in and an extra video card, now this... I'm telling ya, next time Microsoft gives them a better deal because they're switching to Linux, they shouldn't accept.
Custom electronics and digital signage for your business: www.evcircuits.com
Please stop. No one is using femtoseconds for uptime.
Something more reasonable is that the nav system (presumably GPS) didn't like having the date change after acquisition. You'd think that'd be a fairly normal thing to have happen, but after the horrible crap I've seen happen with Rockwell Collins' receivers (they SUCK), it wouldn't be too surprising.
To expand on the Rockwell Collins (they SUCK) theme, we eventually got them to admit to us how to retrieve their diagnostic info, including a register that was counting up floating point exceptions (yay, divide by zero!). It had well and truly saturated. On a test flight of an, in part, GPS-guided missile, it once croaked right at launch. Since we never understood that we were moving, we never turned on the autopilot. However, rocket motors don't have much in the way of an off switch, so away we went without autopilot. Boink!
So there are plenty of ways for nav systems to suck (especially if they are made by Rockwell Collins (they SUCK)) without needing something completely stupid like measuring data in femtoseconds.
Hold up, I got a few more of these:
Rockwell Collins (they SUCK)
Rockwell Collins (they SUCK)
Rockwell Collins (they SUCK)
That is all.
What you state about Airbus is absolutely correct but FADEC stands for Full Authority Digital Electronics Control but many seem to remember it as E = Engine, like you do. As far as the fly-by-wire system is concerned, I might add that it has already saved at least 300+ lives - an Emirates A340 attempted to rotate with insufficient airspeed at takeoff (but past V1 so they couldn't stop either) and the FBW system stepped in and throttled up (fortunately autothrottle was on so it was permitted to do so) and rotated as soon as the aircraft had sufficient speed to take off instead of just lift and stall (and consequently crash). Emirates training got a slap on the wrist by Airbus since the crew apparently had the attitude that if there's a problem, the computer will sort it out whilst the correct procedure is to either perform maneuvers properly manually or tell the computer what you want the aircraft to do and then monitor it - even though the computer can do a lot to correct crew errors, crews shouldn't perform poorly just because it can do that. I remember an article posted on airdisaster.com in which some first officer that wanted to remain anonymous (for obvious reasons) wrote that due to the software that outperforms any human pilot, many captains he had flown with had definitely ignored the rule that whilst you should let the autopilot land if weather conditions are extremely bad, you shouldn't force it to do so if you couldn't land in those conditions yourself too because how can you judge what the limits of the autopilot are (and how close to those it is) when it is already outperforming you? 
I wish Boeing adopted the same design philosophy now that they've finally switched to FBW too with the 777 - there's simply no justification to let a fly-by-wire aircraft stall due to pilot error when the system could easily be programmed to prevent it (not to mention detect better how close to stalling an aircraft is instead of just giving the pilot a list of stall speeds at certain configurations).
All complex systems have bugs that need to be ironed out....
http://www.atimes.com/atimes/Middle_East/IB10Ak05.html
"Keys notes, however, that the electronic spectrum around Baghdad is polluted by the myriad jamming devices that coalition forces primarily employed to thwart remote detonations of the improvised explosive devices that have inflicted 70% of all US fatalities in that war."
"The potential problem was discovered when the first F-22s were operating near US Navy ships off the Atlantic coast. Navy radars overwhelmed the F-22's automated sensors. Even now, larger, multi-station, purpose-built electronic-intelligence-gathering airplanes encounter difficulties around the Iraqi capital because of the extreme density of jamming devices."
The F-22 is a full stealth fighter, the EuroFighter is not in any way. If you cannot understand why you cannot base a stealth plane design in any major way on something that is not a stealth plane (hell, no stealth fighter has existed before the F-22) then why are you even talking about this as you clearly have no idea about anything involved.
And yes the F-22 is likely worth 84% more than the Eurofighter in terms of performance due to stealth alone.
Incidentally since the F-22 is what the F-35 is based on that $70billion has technically led to the creation of two planes, the later of which is being sold quite widely.
I have worked on Commercial and DoD avionics, and this type of thing is inexcusable.
Commercial avionics software of the sort described is governed by a standard called DO-178B level A or level B. The process is so rigorous that the slogan is "no-one has ever died from software failure in a commercial airliner, yet." DO-178B level A is expensive. It is virtually impossible that a software error of the nature described could get into a certified aircraft.
Having said that, the military is not obliged to follow commercial standards, but there is a trend toward using DO 178-B in military systems in part because the Europeans are starting to require commercial JAA/FAA certification for all aircraft that enter their air space. But even in the more lax military world, every line of code is typically formally reviewed and there are independent testers. The type of error described should have shown up in simulators before the first flight of the aircraft. Test flights should have stimulated the error long before a squadron ever attempted a transpacific flight.
Even worse still, avionics systems are supposed to be isolated from each other. Navigation radios typically share nothing but power with GPS or with engine instruments etc. Great effort prevents one system from disturbing the power of another too. Aircraft typically have two or more separate primary navigation systems plus inertial guidance and old-fashioned compass + bearing/vector navigation. Military aircraft need to survive both normal equipment failures and battle damage. Military radios (including navigation) need to be isolated from other systems for security reasons too. Those NSA guarded encryption systems can not be contaminated by software that has lower security classification (like navigation) without somebody going to federal prison for a long time.
The bottom line is that something very very wrong, negligent, and illegal needed to happen for the described error mode to manifest. That makes me doubt the story.
The return on investment is HEAVILY in favor of the F-22. There is no aircraft anywhere even close. The Eurofighter is the second best fighter aircraft ever built, but it is miles from being in the same class as the F-22 Raptor.
My advice to F-22 pilots: 1) Superglue a handheld GPS into your cockpit. 2) Carry a backup radio. Superglue this to your cockpit. 3) Remove your cockpit, and superglue it onto an A-10. 4) Fly safe. Carry superglue.
How do you really feel about Rockwell Collins?
In the land of the blind, the one-eyed man is usually crucified.
What's more, one pilot tried to turn off Aero Glass -- suddenly, he lost cabin pressure.
"Strangers have the best candy" -Me
Actually they're significantly better than the Eurofighters.
Let's look at a few simple theoretical examples.
You're flying into heavily armed enemy space at night:
- You fly in 100 Eurofighters. Your enemy has 1000 missiles. You lose 100 Eurofighters and hit no targets.
- You fly in 1 F-22. Your enemy has 1000 missiles, they never detect you. You hit your target and leave enemy airspace.
In this case the F-22 was better than 100 Eurofighters.
- You're flying alone into enemy territory. You spot a flight of 3 Eurofighters flying in formation. You fall into a following position on their tail. You fire 3 missiles simultaneously and before the enemy pilots can react. They're dead.
In the Alaskan trials the F-22s amassed 144 kills to 0 losses. That's a pretty good investment. And while they weren't flying against Eurofighters, I'm not sure it would have helped. It doesn't come down to who can turn twice as fast. It's who can fight twice as smart. During this same combat exercise Raptors engaged enemy forces outnumbered 4-1 and still came out victorious.
In previous exercises a single pilot was able to engage 9 enemy fighters, and then ran out of targets, but still had some ammunition remaining. What's most impressive is the ability for the F-22 to multiply the effectiveness of the existing airforce. In the same engagement that F-22 enabled a supporting flight of older aircraft to achieve a kill/loss ratio of 83-1.
The F-15's should have headed towards the international date line....
Both of you can be correct. Each group of models of the F-16 had more digital components and less analog ones. Tim S (retired F16 Radar Repair Technician, F-16 C/D models)
Yeah... uh... you know, in the same way they simply do not and never would have the navigation system connected to the In-Flight Entertainment system in an airliner, likewise they would never slave the ejection system to anything other than the mechanical operation of that yellow handle between the pilot's knees.
As for missiles? First, they fly unarmed on ferry missions because ammo is dead weight that reduces range; and second, even if they were armed, what do you really think would happen if an AMRAAM missile was free launched without being turned on, much less having had targeting info downloaded? Drop like a stone, it would, right into the pacific. Bloop. All gone.
Say it's also a good thing water isn't flammable, otherwise fire trucks would show up to fires and only make the situation worse, right?
If a job's not worth doing, it's not worth doing right.
Only if stealth is a requirement. In a real dogfight, the Eurofighter likely wins because maneuverability was foremost in its design, whereas the F-22 has stealth as the foremost design priority. The thought is that engagements are likely to be fought at a distance with missiles, and the low observability tech will allow the American aircraft to engage long before the enemy can return fire. This does not jive entirely with engagements of the past, which often involve close range encounters to verify enemy, or orders to wait until fired upon to return fire.
Compare this to the ability to put twice as many aircraft in the sky, carrying more munitions (while the F-22 has some stealthy weapons bays, maxed out with a full bomb load involves external mounts which has a huge impact on radar visibility). Point is, whether stealth is worth 84% more has more to do with your mission profile and expected enemy/target,
You missed a point in that story.
NASA is extremely careful with its software.
They don't fly from Dec 31 to Jan 1 because they know exactly what would happen.
Tharkban (It is a signature after all)
If you'd actually read the article you linked to.. The F- designation on the F-117 is a curious bit of aviation history and Air Force infighting, but the F-117 is a ground attack aircraft, not a fighter, and should really have an A- or B- designation, while the F-22 is an air to air combat plane with limited ground attack capabilities. The 117's internal payload capacity is huge compared to the F-22's ground attack loads (some of which have to be carried outside, destroying the stealth capability) and it's therefore unlikely the F-22 is going to completely replace the F-117 completely anytime soon.
This
Luckily they found it during simulations of the F-16. A bug in the fly-by-wire software caused the plane to think that it was upside-down whenever it crossed the equator. It would try to correct the problem immediately -- A maneuver that the plane could probably survive, but that would probably kill the pilot had it occurred in real life.
Free Software: Like love, it grows best when given away.
Not quite. The Eurofighters likely have RWRs, so if you are using radar guided missiles they will likely detect your search and targeting radars. So even with the newer harder to detect radars installed on the F-22 there is still a chance that they detect you from your radar emissions.
The F-22 is a fantastic aircraft, and is the best aircraft flying, but it isn't a perfect aircraft, and it doesn't have the capabilities that some people exaggerate it having. The Alaskan trials were set up by the fighter mafia at the Pentagon trying to justify their decisions in trying to keep the F-22 orders as high as possible.
It's not the first time that they have done this, during the training maneuvers against the Indian Air Force they sent outdated aircraft and crippled the ROE and engagement envelopes of the AIM-120s. While the IAF didn't have such restrictions, at least none that we know of.
ian
His comments are based on a post-incident report that's been making the rounds on teh intardnet. I'll just paste it in here, if anybody's still reading. I don't vouch for its authority, other than A) I got it off the net, and B) it came with a note saying it was unclassified. Oh yeah, and it matches what the talking head says -- the navigation system brought down all their avionics. It also states what the QA process was that led to the problem:
Date: 12 Feb 07
To: CC
Info: CV, DS
Narrative:
1. A 1st Fighter Wing AEF 6-ship (Petro 91) departed Hickam AFB enroute to AEF location on 10 Feb. Approximately 4 hours into the mission and coincidental with crossing over the International Date Line, all six aircraft experienced a significant avionics failure including:
Both GINS 1 and 2 Fail
FLCS Degrade
Radar Fail
Fuel Degrade
Loss of all attitude references
Loss of Flight Path marker
Loss of all navigation aides (TACAN, ILS, Computed, etc.)
Loss of all heading indications
2. Aircraft communications were available via backup radio only. Only navigation available was via cockpit airspeed and altitude indications (both deemed accurate). All other aircraft systems, to include engines, electrical system and air refueling, were nominal.
3. Flight Lead, Lt Col Tolliver, initiated via the tanker a CONFERENCE HOTEL (CH) call with LM Aero. All CH team recommended workarounds (avionics restarts, date and time resets, etc.) did not resolve the problem.
4. Lt Col Tolliver assessed pressing to the AEF location but decided to turn back and return to Hickam. He also directed the second deployment cell, a 2-ship approximately one hour behind him, to return to Hickam. NOTE: This 2-ship never crossed the International Date Line.
5. Enroute back to Hickam, after crossing back over the International Date Line, avionics restarts were unsuccessfully attempted.
6. All aircraft successfully recovered at Hickam, shut down (cold iron), restarted engines and all avionics malfunctions cleared.
7. An F-22 Crisis Management Team (CMT) has convened. Two telecoms (1300 and 1700 EST) were conducted on 11 Feb. Participants included F-22 Program Office, LM, Boeing, NG and A8F personnel.
8. The F-22 Program is working 24/7 to resolve this issue. Both F-22 avionics integration labs (RAIL and AIL) have successfully duplicated the problem. The problem resides within the GINS software when the aircraft transitions between East/West Longitude. NOTE: Most RAIL and AIL testing simulate GINS inputs and past testing discovered no issues with over flying the Dateline or Poles. It took testing this weekend using actual GINS hardware and software to duplicate this problem.
9. A fix for this software problem has been developed at NG and currently is being evaluated in the RAIL. We should find out at our 1300 CMT telecom today if this fix works.
10. This fix will require an OFP update to be loaded on the aircraft. Currently no IMIS OFP loading support is on-site at Hickam. 1 FW IMIS was previously deployed to AEF location.
11. F-22 Program currently expects software fix, OFP loading hardware and LM support team in place at Hickam by mid-week. Aircraft possibly will be able to depart Hickam for their AEF location by the end of the week.
12. Updates to this issue will be provided as additional information becomes available.
Translation: The navigational system (Global Positioning Inertial Navigation Systems (GINS)) had never been physically tested crossing the date line, but only on simulated real-world inputs. When it crossed the date line for the first time, it crashed, as did the backup, bringing down with it all navigational systems and much of the aircraft's instrumentation, leaving them with backup systems reminiscent of a Cessna 172 (without the navigational stack).
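Two comments in this thread describe the same testing gap: the GPS test department that regression-tested every release against "special" locations and coordinate boundaries, and the report above, which places the fault at the East/West longitude transition. The following is an added example of that kind of boundary regression, not code from the thread or from any F-22 system; the function names, sample coordinates and tolerances are all constructed for illustration.

```python
import math

# Constructed list of "special" crossings, in signed degrees (West negative).
# Each entry: (name, longitude before, longitude after, expected signed change).
SPECIAL_CROSSINGS = [
    ("antimeridian westbound", -179.99, 179.99, -0.02),
    ("antimeridian eastbound", 179.99, -179.99, 0.02),
    ("+180 and -180 are the same meridian", 180.0, -180.0, 0.0),
    ("prime meridian eastbound", -0.01, 0.01, 0.02),
    ("mid-ocean, no boundary", -160.0, -160.5, -0.5),
]


def normalize_lon(lon):
    """Map any finite longitude in degrees into [-180, 180)."""
    if not math.isfinite(lon):
        raise ValueError("non-finite longitude: %r" % (lon,))
    return (lon + 180.0) % 360.0 - 180.0


def naive_delta(lon_a, lon_b):
    """Plain subtraction: correct everywhere except across +/-180."""
    return lon_b - lon_a


def wrapped_delta(lon_a, lon_b):
    """Shortest signed change in degrees, in [-180, 180)."""
    if not (math.isfinite(lon_a) and math.isfinite(lon_b)):
        raise ValueError("non-finite longitude input")
    return (lon_b - lon_a + 180.0) % 360.0 - 180.0


def run_regression(delta_fn, tol=1e-9):
    """Return the names of the special crossings that delta_fn gets wrong."""
    failures = []
    for name, before, after, expected in SPECIAL_CROSSINGS:
        if abs(delta_fn(before, after) - expected) > tol:
            failures.append(name)
    return failures


def simulate_track(start_lon, step_deg, n_steps):
    """Constructed track: constant longitude rate, reported normalized,
    the way a receiver would report position while crossing the boundary."""
    return [normalize_lon(start_lon + step_deg * i) for i in range(n_steps)]


def max_step(delta_fn, track):
    """Largest per-sample longitude change seen by delta_fn along a track.
    A plausibility monitor would flag anything far above the true rate."""
    return max(abs(delta_fn(a, b)) for a, b in zip(track, track[1:]))


if __name__ == "__main__":
    for fn in (naive_delta, wrapped_delta):
        print(fn.__name__, "fails:", run_regression(fn))
    track = simulate_track(-179.0, -0.1, 30)  # westbound across the antimeridian
    print("naive max step:  ", round(max_step(naive_delta, track), 3))
    print("wrapped max step:", round(max_step(wrapped_delta, track), 3))
```

The table only catches the subtraction bug because it feeds the function real boundary values; a test rig that generates inputs which never reach ±180 would pass both versions.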
Modern fighter jets are aerodynamically unstable by design. A human can not fly them alone, the computer has to correct the flight path hundreds of times a second.
The flight control software thus most certainly *does* have to keep the plane "stable".
So you say. But if you think sharks with frickin' lasers on their heads are scary, imagine sharks with fricking' AMRAAMs.
...following the principles of Heisenburger's Uncertain Cat...