Slashdot Mirror


Long Uptime Makes Boeing 787 Lose Electrical Power

jones_supa writes: A dangerous software glitch has been found in the Boeing 787 Dreamliner. If the plane is left turned on for 248 days, it will enter a failsafe mode that will lead to the plane losing all of its power, according to a new directive from the US Federal Aviation Administration. If the bug is triggered, all the Generator Control Units will shut off, leaving the plane without power, and the control of the plane will be lost. Boeing is working on a software upgrade that will address the problems, the FAA says. The company is said to have found the problem during laboratory testing of the plane, and thankfully there are no reports of it being triggered in the field.

9 of 250 comments

  1. Very unlikely to be triggered in the field by Brandano · · Score: 2, Informative

    A commercial plane will most probably go through several maintenance events and checks during that sort of time frame, where cycling the power is part of the procedure.

  2. Re:If Boeing believed in software QA.... by Anonymous Coward · · Score: 2, Informative

    The Primary Flight Computer software for the 777 was written in England by GEC. Indeed the hardware for the PFC was designed and built by GEC.

    I was on the software QA team for the PFC code. There were tens of us working three shifts 24 hours per day devising tests of the PFC against its requirement spec. There were even more doing unit tests on all the Ada code.

    That is perhaps why you don't see Boeing advertising for QA engineers. They outsource the hardware and software.

  3. Re:3 shifts? by Anonymous Coward · · Score: 3, Informative

    The reason for the three shifts was that we were using actual PFC computers connected to hardware that could simulate all the inputs and read all the outputs.

    That hardware was a big complicated rack of electronics and there were maybe 8 or 10 such units in a lab.

    As such, to optimize use of the facilities it was necessary to have three shifts 24 hours per day. This went on for a year or more.

    Very good planning in fact.

    Now I could tell you stories of the real corners cut to meet the schedule. But that's a complicated story.

     

  4. Re:Oh come on. by SJHillman · · Score: 3, Informative

    Which is apparently what Windows does:

    https://www.ctm-it.com/it-supp...

    You'd think they would have learned since Windows 95/98 did the same thing.

    https://support.microsoft.com/...

    But hey, at least it goes 10 times as long now.

  5. Re:queue the.. by jones_supa · · Score: 4, Informative

    As a sidenote, there exists a somewhat famous bug in Windows 95 and 98 (later patched) that caused these operating systems to stop functioning after 49.7 days of uptime.

  6. Enough of this by confused+one · · Score: 5, Informative

    This story is being way overblown. Yes, it's a bug. Yes, it should be fixed. However...

    248 days of continuous operation is well past the scheduled major maintenance for the aircraft. By this point, a 787 would have to go through many minor maintenance cycles which would have required shutting down the electrical system. In addition, loss of all 4 generators would not result in a loss of vehicle because there are batteries, an APU (a backup generator) and Ram Air Turbines (RATs), generators that deploy from the wing if the APU won't start. To have to rely on any of these would not make for a good day for the pilots; but, they would certainly provide the necessary power to safely land the aircraft at the nearest airport. They might even be able to continue on and finish their flight if they successfully reset the generators.

    This is not the OMG Planes Are Going to Fall From The Sky! event the media is making it out to be.

  7. Re:Oh come on. by fisted · · Score: 3, Informative

    In C, overflowing a signed integer type is undefined behaviour; unsigned types wrap around to zero in a defined manner.
    Of course, either is often undesired, but the latter at least doesn't allow basically anything to happen.
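
The signed/unsigned distinction drawn in the comment above, together with the 49.7-day figure quoted elsewhere in the thread, shown as an added C example that is not part of any poster's comment. The 100 Hz signed 32-bit counter is an assumption chosen because it matches the 248-day figure; the page does not describe the GCU's actual counter, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Days of uptime before a free-running counter with `bits` usable value bits,
 * incremented `hz` times per second, runs out of range. */
double days_until_wrap(unsigned bits, double hz) {
    return (double)(1ULL << bits) / hz / 86400.0;
}

/* Fragile: the deadline itself wraps when start is near UINT32_MAX, so the
 * comparison reports "expired" although almost no time has passed. */
bool expired_naive(uint32_t now, uint32_t start, uint32_t timeout) {
    uint32_t deadline = start + timeout;   /* defined, but wraps modulo 2^32 */
    return now >= deadline;
}

/* Wrap-safe: unsigned subtraction is modulo 2^32, so now - start is the true
 * elapsed tick count as long as fewer than 2^32 ticks separate the two. */
bool expired_wrapsafe(uint32_t now, uint32_t start, uint32_t timeout) {
    return (uint32_t)(now - start) >= timeout;
}

/* A signed counter has no defined wrap: test before incrementing and make the
 * caller handle the limit (saturate, rebase, raise a fault) explicitly. */
bool tick_signed_checked(int32_t *ticks) {
    if (*ticks == INT32_MAX)
        return false;
    ++*ticks;
    return true;
}

int main(void) {
    /* Constructed sample values: a timer started 0x100 ticks before the wrap. */
    uint32_t start = 0xFFFFFF00u, timeout = 0x200u, now = 0xFFFFFF10u;
    printf("u32 @ 1 kHz wraps after %.2f days\n", days_until_wrap(32, 1000.0));
    printf("s32 @ 100 Hz overflows after %.2f days\n", days_until_wrap(31, 100.0));
    printf("naive=%d wrapsafe=%d (16 of 512 ticks elapsed)\n",
           expired_naive(now, start, timeout), expired_wrapsafe(now, start, timeout));
    return 0;
}
```

The wrap-safe comparison keeps working across the rollover; the signed counter needs an explicit policy at its limit because incrementing past `INT32_MAX` is undefined.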

  8. Re:queue the.. by dunkelfalke · · Score: 5, Informative

    Only theoretical, though. Windows 9x would crash long before reaching this uptime.

    --
    "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap

  9. Re:If Boeing believed in software QA.... by Required+Snark · · Score: 5, Informative

    You have no idea what you are talking about. All FAA certified aircraft software has to conform to the DO-178B / DO-178C standard. The standard imposes design, testing, process and documentation standards that are extremely demanding.

    QC isn't just a department or a step in the release process, it is built into the full life cycle of the software. Safety is the goal, and the requirement for good practice starts at the beginning of the process, with the requirement documents.

    For example, there are five levels of error severity defined from A to E. E has no impact on safety and A is catastrophic, where a crash could occur. The level of software test and validation depends on the severity level.

    The number of objectives to be satisfied (eventually with independence) is determined by the software level A-E. The phrase "with independence" refers to a separation of responsibilities where the objectivity of the verification and validation processes is ensured by virtue of their "independence" from the software development team. For objectives that must be satisfied with independence, the person verifying the item (such as a requirement or source code) may not be the person who authored the item and this separation must be clearly documented. In some cases, an automated tool may be equivalent to independence. However, the tool itself must then be qualified if it substitutes for human review.

    Your inability to find a "QC" position is because you don't know the structure of aerospace software development and have no idea of the job titles or terminology used to describe the standards used. You are projecting your lack of knowledge into an inconceivable lapse of competence on the part of Boeing and the FAA. In what universe would there be no software safety requirements for the civilian aircraft industry? All you have shown is that you are ignorant and have a basic lack of common sense.

    --
    Why is Snark Required?