
In-Flight Reboot? 594

Posted by michael
from the no-problems-until-you-have-to-fsck dept.
steelem writes "The Washington Post is running a story about how the F-22 Raptor's software requires in-flight reboots. Apparently the 2 million line software project is 93% done. Knowing most projects I've been on, it'll stay that way for another few years."


  • by Black Parrot (19622) on Friday August 01, 2003 @07:37PM (#6592827)


    The first hit on Google was this [slashdot.org] interesting take on the story.

  • by sexylicious (679192) on Friday August 01, 2003 @07:45PM (#6592881)
    They do.

    There are several redundant systems. Let's say for example that your FLCC has 3 identical systems. If one fails, the other two take over until the watchdog timer kicks in and restarts the third (in the case of a software fault).

    Anything that is rated for piloted flight is this way, especially fly-by-wire systems or other mission critical components.

    This claim is not surprising at all, since it happens all the time.
  • Humorous (Score:2, Informative)

    by mharris007 (142886) on Friday August 01, 2003 @08:03PM (#6592988) Homepage
    In a sick, sick way I find it humorous how they actually brag or boast about how they decreased the reboot time of the computer.

    Sounds sort of scary to me that such a critical component needs to be rebooted at all. Boy, I'm glad I'm not a test pilot.
  • by Yokaze (70883) on Friday August 01, 2003 @08:04PM (#6592996)
    > and would be totally unacceptable if it were say, a navigation computer on a 737 with a hundred civilians on-board.

    AFAIK, civilian flight systems are three times redundant. Written by three different isolated teams in three different programming paradigms, from three different cultures to avoid similar faults due to "contamination" by other teams, or similar faults due to similar paradigms.
    (Airbus 340 (3M LOC), Boeing 777 are said to have employed such techniques)

    And IIRC, they don't fly with at least two redundant fully functional systems.

    It makes me wonder why the military has less stringent requirements.
  • by White Manual (584363) on Friday August 01, 2003 @08:19PM (#6593087)
    > There are several redundant systems. Let's say for example that your FLCC has 3 identical systems. If one fails, the other two take over until the watchdog timer kicks in and restarts the third (in the case of a software fault).

    Not exactly. The watchdog timer is the one that decides some unit has failed and, only then, gives control to a redundant unit (and, in addition, orders a reboot of the failed one). For practical purposes, the reboot will be in the background, so the time it actually takes is not that important (as long as the Mean Time Between Failures is reasonable). Much more important is the setting of the watchdog timer. If it is set too long, other connected units may be wasting cycles waiting for the failed unit. If it is set too short, many unnecessary reboots will be happening... A bad combination of long and short settings will produce exactly the problem that is being reported in the article. This is not really a problem except in the eyes of the uninformed press; it merely shows that the whole system is not fine tuned yet.
  • by Tingler (56229) on Friday August 01, 2003 @08:25PM (#6593120)
    In order to make the planes more maneuverable, they need to make them less stable. A simple analogy would be that a school bus is more stable and less maneuverable than a bicycle. I have read that flying a modern fighter aircraft without computers would be like steering a bicycle backwards while sitting on the hood of a car at 60 miles an hour.

    Very unstable yet very maneuverable.
  • Re:Ejection Seat (Score:2, Informative)

    by Wyatt Earp (1029) on Friday August 01, 2003 @08:46PM (#6593217)
    A modern ejection seat does a lot of stuff.

    http://www.martin-baker.co.uk/

    Propulsion System - an adaptive propulsion system is provided that performs to best suit the prevailing ejection conditions, e.g. pilot boarding mass, ejection speed, aircraft attitude. This comprises the proven Mk16-type, self-regulating ejection catapult design, and a new switchable under-seat rocket motor that allows one of 4 modes/thrust levels to be selected, under the control of the seat microprocessor sequencer.

    In F-22 they use the ACES II.

    The seat picks the mode of ejection based on conditions, speed, G, etc. The seat automatically picks the mode of parachute deployment. In a typical ejection the following happens.

    Rocket-Catapult Fires
    Drogue Deploys
    STAPAC Ignites
    Parachute Deploys
    Drogue Releases from seat
    Seat Releases from Crewman
    Parachute Inflates
    Survival Kit Deploys

    This stuff happens automatically and more stages can be added for things like firing pyros to destroy black boxes, restraining limbs during the ejection, firing transponders, auto-deploying life vests and so forth.
  • by mnemonic_ (164550) <jamec@@@umich...edu> on Friday August 01, 2003 @08:52PM (#6593239) Homepage Journal
    This isn't flight control software we're talking about. This is sensor fusion software. The flight control system is unaffected.

    The sensor fusion software's task is to combine the data from all of the various sources (radar, RWR, multiple datalinks etc.) and redistribute it among the systems that could benefit from it. For example, a target detected by radar would also show up on the Horizontal Situation Display, and would also be re-transmitted via datalink to JSTARS and/or AWACS and any other datalink-capable aircraft. In addition, contact information can be correlated for maximum accuracy. A target's radar emissions could be detected by the Radar Warning Receiver, and that information could then be used by the radar for Non-Cooperative Target Recognition, allowing the radar to display the type of target (though NCTR in the F/A-22 reportedly works differently from this). All of the numerous sensors on the F/A-22 have their resources and products pooled together, allowing for extremely effective target detection, tracking and ID. Sensor fusion is an incredible development in avionics and is one of the foundations of 5th generation fighter aircraft technology.
  • by mnemonic_ (164550) <jamec@@@umich...edu> on Friday August 01, 2003 @08:59PM (#6593267) Homepage Journal
    The F/A-22 does not need IFF with datalink and NCTR. Some USAF aircraft are not currently even equipped with IFF (the F-16 for example) and they have done quite well.

    The APG-77 has a terrain following mode. And the widely spread weak emissions from it are much harder to detect than those from a conventional radar.

    The Martin-Baker ACES II ejection seat can save a pilot's life from zero feet of altitude (that's why it's called a "zero-zero" ejection seat- effective down to zero altitude and zero speed)
  • by mnemonic_ (164550) <jamec@@@umich...edu> on Friday August 01, 2003 @09:08PM (#6593324) Homepage Journal
    From the October 2003 issue of Code One magazine:

    Avionics testing faces two major challenges: software stability and missile shots. "We are struggling with some stability problems," Tomeny says. "The problems are similar to a home computer freezing when a program is launched. The computer has to be restarted. When our software works, it works very well. When the software related to a particular system freezes, we have to deal with restarts for that system. We're getting the bugs out of the system so it starts correctly and works for the entire flight. These problems are encountered in every development program. We discover most of them in the lab and in the flying test bed. But other problems still crop up when we load software on the airplane. That, unfortunately, is the nature of software development."

    http://www.codeonemagazine.com/archives/2003/articles/apr_03/fa22testing/index.html
  • by afidel (530433) on Friday August 01, 2003 @09:16PM (#6593362)
    Usually it means a watchdog timer ticked off without being cleared. At this point the secondary or tertiary systems are given control and the failed system loads its software fresh from firmware and comes back up to speed on the current input data; depending on the design of the system, control may be handed back to the freshly rebooted system or it may become the new secondary/tertiary. Reboots for all software systems are averaging 36 seconds per flight (probably meaning one reboot per two flights). So one redundant system is encountering a non-recoverable error per two flights, not too bad but not stellar. This is however a great improvement over some previous system where the HARDWARE had problem rates almost this high (F-16 is what my memory is throwing at me; I believe a targeting-related chip had an error that would cause problems pretty regularly, so rather than create a new chip they just made it 4X redundant rather than the standard 3X).
  • Re:Hah (Score:3, Informative)

    by 680x0 (467210) <vicky AT steeds DOT com> on Friday August 01, 2003 @09:22PM (#6593392) Journal
    When a Unix computer crashes, it's often due to a kernel panic... the Unix equivalent of a "blue screen of death" (Windows).

    Yeah, I know, if I have to explain a joke, it's not funny. Oh well...

  • The apollo computers (Score:1, Informative)

    by Anonymous Coward on Friday August 01, 2003 @11:19PM (#6593801)
    They didn't "reboot", not the way you think of it because there was no OS.

    They ran a program. If the program crashed, you'd just restart the program. It's that easy. Think of Apple II or TRS-80, and you have a computer with 100 times the ability.

    These things were a lot simpler than you're thinking.
  • F-16 IFF (Score:1, Informative)

    by Anonymous Coward on Friday August 01, 2003 @11:21PM (#6593806)
    Schwa? F-16's have had IFF capabilities going back to 1986 [f-16.net] for some models. BAE just received a contract to provide AIFF for USAF F-16C aircraft as well. The basic technology is present in my Piper Cherokee, for that matter.
  • by Phanatic1a (413374) on Saturday August 02, 2003 @12:02AM (#6593957)
    > Anyone who has ever seen the Su-27 do the cobra maneuver or the thrust vectored Su-30MKI or Su-35 do the 360 degree Kulbit maneuver can attest to what these planes can do in close air combat. These are extreme maneuvers that western planes cannot do

    Um...bullshit.

    The F-15 had to perform the cobra in acceptance testing. It's covered in 4.2 of Mil Std 1787. There are other aircraft that can also perform the maneuver. The cobra is nothing more than a pitch overshoot in response to a "stick snatch." It's part of routine acceptance testing, although it's usually performed at medium to high altitudes.

    Some aircraft perform it more easily than others. For still other aircraft, the maneuver gets easier if you set the plane up for it, as they do with Su-27s at airshows (you've got to manipulate the cg and override the FCS).

    Many aircraft simply aren't cleared to perform the maneuver, and it's not covered in pilot training, even with the Su-27. The reason for this is that it's a very showy maneuver that has no use in the practical or tactical realms. That "Goose, I'm gonna hit the brakes and he'll fly right by" is bullshit Hollywood crap; in a real dogfight, the guy behind you might overshoot when you dump that much speed that fast, but all that means is that now you're meat on a stick for his wingman.

    > The Mig-25 was already obsolete then in terms of technology but the sheer speed of the plane (Mach 2.8+) is unmatched by any other fighter.

    Note that shortly after reaching that top speed, it needs new engines.
  • Quantum Gate (Score:3, Informative)

    by runlvl0 (198575) on Saturday August 02, 2003 @12:22AM (#6594022) Homepage Journal
    I think that you must be thinking of Quantum Gate: The Saga Begins... [adventurecollective.com] by HyperBole Studios. Essentially it boils down to Stargate SG-1 gone really bad. You go through this "quantum gate" to gather a mineral required to resuscitate Earth's ecology after... blah, blah... hostile aliens... blah, blah... we turn out to be the bad guys. If you're really interested in the story, there's actually a novelization [amazon.com] available.

    The "sequel that never happened" happened around 1995 and was called The Vortex: Quantum Gate II [adventurecollective.com], it continued your adventures on the other side of the quantum gate. They actually released a soundtrack [amazon.com] to this one.
  • WRONG (Score:2, Informative)

    by kcb93x (562075) <<kcbnac> <at> <bnac.biz>> on Saturday August 02, 2003 @12:33AM (#6594050) Homepage
    Wrong. My father actually led the design team for the navigation box. He was one of three separate COMPANIES doing this. (Box has 4 CPUs in it... all running at *exactly* the same time, regardless of difference in clock speed.)

    Besides, I'd love to see three sets of hardware (all totally different) run the *same* software. Without any modification.
  • by von Moltke (224011) <wmkrugNO@SPAMgmail.com> on Saturday August 02, 2003 @12:33AM (#6594051) Homepage
    Ada and assembly using the Tartan Ada compiler on VAX.
  • by Tailhook (98486) on Saturday August 02, 2003 @01:13AM (#6594186)
    > "There is a good example of an air combat situation that happened in the first gulf war. The only western plane to be shot down in air combat was an F-18 on an attack mission that was intercepted by an obviously experienced Iraqi Mig-25 pilot. The Mig-25 was already obsolete then in terms of technology but the sheer speed of the plane (Mach 2.8+) is unmatched by any other fighter. The Mig-25 went on after shooting down the F-18 to buzz an EF-111 Raven that was providing ECM for the mission, causing the Raven to have to maneuver to avoid the incoming missiles and drop back from the attack mission, which was then unprotected by ECM, and subsequently another F-18 was shot down by a SAM. No less than two F-15's and two F-16's all attempted to intercept the Mig-25, two of them firing missiles, but the Mig-25 used its tremendous speed advantage to easily avoid the interceptors and reach its base."

    The Mig-25 borders on a desperation weapon. It was designed specifically to counter high altitude bombers and spy planes that the United States routinely flew over Soviet airspace. In that it failed. It's fairly clear today that a Mig-25 could not sustain the speed or attain the altitude necessary to attack an SR-71.

    The Soviet Union pawned off various models of the Mig-25 to the third world. Iraq had probably 15 Mig-25s at the start of the Gulf War (the first), of which perhaps 7 were operational.

    The shootdown happened because the Mig was misidentified multiple times as it flew past an American strike package. Had it been identified, it would have been killed. The shootdown was more the result of tactics than technology. That Mig pilot was both brave and lucky.

    The Mig was not moving at Mach 2.8. A Mig-25 can only do this at high altitude (70K+) and only for a short time. The shootdown happened between 25-30K, where the F-18's were operating. Flying at almost Mach 3 destroys the engines of a Mig-25. This isn't a problem if your goal is to hit one high-value, high-altitude target and glide back to base. It does matter if you intend to engage in sustained warfare.

    In 1976, a Soviet defector landed a 1976-built Mig-25 in Japan. A few interesting things [wvi.com] were learned; with a full load of weapons and fuel a Mig-25 can handle only slightly more than 2Gs of force. At its best it can handle about 5Gs. This is no dogfighter. An F-4 can do better, much less any modern aircraft.
  • by theolein (316044) on Saturday August 02, 2003 @01:37AM (#6594275) Journal
    I agree that the Mig-25 is not the state of the art and would be at a loss in a dogfight, but my point was about the pilots, not the aircraft. But, as I said in a post lower down, the Mig-31, which succeeded the Mig-25, has done away with most of these problems. It has been exported to China and could theoretically see use there in some war with Taiwan.

    For the record, I misquoted the story. Here's a link [lucia.it].

    I quote: "Gulf War Experience -

    Did you know that a MiG-25PD recorded the only Iraqi air-to-air kill of the Gulf War? It dropped an F-18C on the first night of the war--then went on to fire another missile at an A-6 and buzz an A-7, all while avoiding escorting F-14s and F-15s.

    An isolated incident? How about the single Iraqi Foxbat-E that eluded eight sweeping F-15s then tangled with two EF-111As, firing three missiles at the Ravens and chasing them off station. Unfortunately, the Ravens were supporting an F-15E strike, and the EF-111's retreat led to the loss of one of the Strike Eagles to a SAM. Oh BTW, the Foxbat easily avoided interception and returned safely to base.

    There's more. When F-15 pilots were fighting for the chance to fly sweeps east of Baghdad late in the war, itching for a chance to get a shot at an Iraqi running for Iran, they weren't expecting the fight that a pair of Foxbats put up. Two Foxbats approached a pair of F-15s, fired missiles before the Eagles could get off shots (the missiles were evaded by the Eagles), then outran those two Eagles, four Sparrows and two Sidewinders fired back at them. Two more Eagles maneuvered to cut the Foxbat's off from their base (four more Eagles tried, but were unable to effect an intercept), and four more Sparrows were expended in vain trying to drop the Foxbats.

    The Iraqis had a total of twelve MiG-25PDs at the beginning of the war, of which maybe half were operational at any given time. Imagine what trouble they would have caused if there had been more. The Foxbats, when well flown, proved capable of engaging allied fighters and avoiding them at will. Only the limitations of their weapons proved a problem."
  • by Anonymous Coward on Saturday August 02, 2003 @01:48AM (#6594303)
    You Gen-Xers need to read a few history books. The OS didn't "reboot". The computer had less capability than your calculator - there wasn't an OS. They had accidentally left the docking radar on during the descent, causing an interrupt to occur at a high rate of speed. (The system wasn't capable of doing the descent and docking at the same time.) The unexpected interrupts caused the software to exceed the timing of its execution frame, thereby causing an alarm to go off. Mission Control correctly figured out what the problem was and told them they could ignore it. Armstrong was manually landing the Eagle anyway since he found large boulders in the landing zone. Read the book "Moonshot" for details.
  • by Mr. Feely (23410) on Saturday August 02, 2003 @01:54AM (#6594312)

    > AFAIK, civilian flight systems are three times redundant. Written by three different isolated teams in three different programming paradigms, from three different cultures to avoid similar faults due to "contamination" by other teams, or similar faults due to similar paradigms.
    > (Airbus 340 (3M LOC), Boeing 777 are said to have employed such techniques)


    Not necessarily true. To certify software systems using the currently accepted civilian standards for software development (DO-178B), you need to show through analysis that the failure rate of the entire system is below some threshold. One way to attain that threshold is to use multiple, redundant systems that have a higher-than-threshold failure rate, such that the combined failure rate is below the threshold. There is no requirement to use redundancy; it just happens to be an effective way to meet the failure threshold.

    I have developed avionics software for business jets and I can tell you that the system on which I worked was designed to be only two-times redundant, and it was redundant with another instance of itself, not a wholly independent system. That level of redundancy was sufficient to meet the required failure threshold.
  • by ksni (684287) on Saturday August 02, 2003 @02:18AM (#6594389)
    'Edge cases' will persist into the weapons system's service life (fact). (In the case of fly-by-wire flight controls) multiple computing systems typically summate / argue and the consensus wins out. Those systems may be written by different development teams, but they are written to the same requirements and development methodology. The issue tends to be the fact that multiple teams have the potential to make similar-style mistakes in similar problem spaces - hence we uncover issues into the service life of the airplane. I recollect an in-service airplane landing and (on landing) the software commanding the nose to continue to rotate down - with the effect that the commander had little to do with the fact the nose leg had collapsed (other than be an observer). Good old ADA.
  • by Black Parrot (19622) on Saturday August 02, 2003 @03:18AM (#6594530)


    > The language used for all of this is ADA, which is one devious language to program in.

    Actually, I find Ada [sic] quite elegant to program in.

    > Everything requires exception handling, and every exception needs to be handled.

    Actually exception handlers are optional. But in avionics you probably do want to handle exceptions, regardless of which language you're using.

    > The 2 million lines of code is surprising, not because it seems like a lot, but because it seems like so little.

    Ada is somewhat verbose because it uses "begin" and "end" instead of "{" and "}", and a few other things along that line, but it's absurd to pass judgement on the size of a program without the slightest idea how many function points it implements.

    In my experience, the more familiar I become with Ada the more lean and elegant my programs are. As with virtually every other programming language, you can set up abstractions and program at "a higher level" than Joe Noobie would do. Possibly the F-22 avionics were programmed by noobies or idiots, but somehow I doubt it.

  • by a low-flying penguin (694530) on Saturday August 02, 2003 @05:31AM (#6594778)
    I work as a pilot for a regional airline. And I can tell you that "rebooting" (we rather call it resetting) a computer during flight happens, causes no havoc whatsoever, and is well over 2 minutes. The operation is pretty straightforward: whenever the "flight warning computer", which is watching all the rest, detects a failure in a computer:

    - Either it is _very_ important, and then you have sufficient redundancy to just leave it so (and you don't want to re-use a computer that failed once on something critical... in case the next failure goes undetected!)
    - Or you are on the ground with time on your hands, or in flight and it is some secondary stuff: you just pull the circuit breaker for that computer, count 2 minutes, then put it back on. The computer is then usually usable within a minute.

    For mission-critical systems, such as flight control computers, which control the autopilot, everything is tripled. If two agree and one disagrees, the odd one is declared faulty. On such failures, the crew is often not advised while in flight, as there is nothing to be done. The failure is declared by the flight warning computer after landing, for the benefit of maintenance. Obviously, you can't take off again in that situation.

    And if the failure happens before takeoff, the rules are different: in case of a failure, and if the reset is ineffective, you check the remaining equipment against the minimum equipment list, which tells you if the remaining redundancy is sufficient or not. It can allow you to take off, sometimes with restrictions, or forbid the flight. As a rule, redundancy is such that the fault of a single computer or system (even an engine) is not a problem. Nice to know, isn't it? ;-)
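    Several comments in this thread (sexylicious and White Manual on the watchdog timer, afidel on background reload from firmware, ksni and the pilot above on 2-of-3 consensus) describe the same arrangement: a per-channel watchdog that declares a silent channel failed, a voter that carries on with the channels that agree, and a reboot that happens in the background. The simulation below is an added example written for this page; it is not code from the F-22 program, from any commenter, or from any real flight computer. Channel names A/B/C, the 3-frame restart, the `true_value` stand-in for sensor data, the injected freeze at frame 10 and the every-4th-frame jitter on channel C are all constructed assumptions. What it shows that the prose does not is White Manual's tuning point made concrete: the same three channels run under a watchdog timeout that is too short, reasonable, and too long, and you can count the spurious restarts and the frames with no agreed output in each case.

```python
"""Simulated 2-of-3 voter guarded by a per-channel watchdog with background restart.

Added example for this discussion, not avionics code. Channel names, frame
timings, the restart duration and the injected faults are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def true_value(cycle: int) -> int:
    """What a healthy channel computes this frame (stand-in for real sensor data)."""
    return cycle * 2


class Channel:
    """One of three identical compute channels.

    hang_at:    frame at which the channel's software freezes; it then produces
                nothing until rebooted. None for a healthy channel.
    late_every: every Nth frame the output is missed (ordinary jitter, not a
                fault); a well-tuned watchdog must not reboot for this.
    """

    def __init__(self, name: str, restart_cycles: int = 3,
                 hang_at: Optional[int] = None, late_every: Optional[int] = None):
        self.name = name
        self.restart_cycles = restart_cycles   # assumed reload-from-firmware time
        self.hang_at = hang_at
        self.late_every = late_every
        self.hung = False
        self.last_ok = -1                      # last frame this channel checked in
        self.last_value: Optional[int] = None
        self.down_until = 0                    # rebooting while now < down_until
        self.restarts = 0

    def alive(self, now: int) -> bool:
        return now >= self.down_until

    def step(self, now: int) -> Optional[int]:
        """Run one frame; return the output, or None if none was produced."""
        if self.hang_at is not None and now >= self.hang_at:
            self.hung = True
            self.hang_at = None                # one-shot fault; a reboot clears it
        if self.hung:
            return None
        if self.late_every and now % self.late_every == self.late_every - 1:
            return None                        # missed this frame, healthy otherwise
        value = true_value(now)
        self.last_ok = now                     # "kick" the watchdog
        self.last_value = value
        return value

    def reboot(self, now: int) -> None:
        """Reload in the background; rejoins the vote after restart_cycles frames."""
        self.hung = False
        self.last_value = None
        self.restarts += 1
        self.down_until = now + self.restart_cycles
        self.last_ok = self.down_until         # grace period so a fresh boot is not re-killed


@dataclass
class RunResult:
    outputs: List[Optional[int]] = field(default_factory=list)
    restarts: Dict[str, int] = field(default_factory=dict)
    bad_cycles: int = 0    # frames with no agreed output, or an output that is not the true value


def run(channels: List[Channel], cycles: int, watchdog_timeout: int) -> RunResult:
    """Simulate `cycles` frames of a 2-of-3 voter with a per-channel watchdog.

    A channel silent for more than `watchdog_timeout` frames is declared failed,
    dropped from the vote and rebooted in the background. Until the watchdog fires,
    a silent channel's last value stays in the vote: that is the cost of a long
    timeout. A short timeout instead reboots healthy channels on ordinary jitter.
    """
    result = RunResult()
    for now in range(cycles):
        votes: List[int] = []
        for ch in channels:
            if not ch.alive(now):
                continue                       # still rebooting, not in the vote
            fresh = ch.step(now)
            if now - ch.last_ok > watchdog_timeout:
                ch.reboot(now)                 # watchdog fires: hand off, restart in background
                continue
            value = fresh if fresh is not None else ch.last_value
            if value is not None:
                votes.append(value)
        counts = Counter(votes)
        value, count = counts.most_common(1)[0] if counts else (None, 0)
        output = value if count >= 2 else None  # two channels must agree
        result.outputs.append(output)
        if output != true_value(now):
            result.bad_cycles += 1
    result.restarts = {ch.name: ch.restarts for ch in channels}
    return result


def scenario(watchdog_timeout: int, cycles: int = 24) -> RunResult:
    """Constructed case: A healthy, B freezes at frame 10, C misses every 4th frame."""
    channels = [Channel("A"), Channel("B", hang_at=10), Channel("C", late_every=4)]
    return run(channels, cycles, watchdog_timeout)


if __name__ == "__main__":
    for timeout in (0, 2, 8):
        r = scenario(timeout)
        print(f"timeout={timeout}: restarts={r.restarts} bad_cycles={r.bad_cycles}")
```

    Running it, the too-short timeout (0) reboots the merely jittery channel C six times in 24 frames, which is afidel's "unnecessary reboots" failure mode; the too-long timeout (8) keeps channel B's stale value in the vote for eight frames after it freezes and so loses agreement three times; the middle setting (2) reboots B exactly once and loses agreement on a single frame. The design choice worth noting is the grace period set in `reboot`: without it a freshly rebooted channel would be killed again before it had produced a frame.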
  • Correct (Score:2, Informative)

    by Crea (604460) on Saturday August 02, 2003 @09:14AM (#6595094)
    Absolutely. The stability of the plane is in large part to do with the angle the wings make with the fuselage. Upward-pointing dihedral wings are far more stable, but offer less maneuverability. Anhedral wings, on the other hand, make the plane aerodynamically unstable, thus allowing it to turn far faster. It's pretty intuitive really. A dihedral (upward sweeping) wing is lengthened horizontally when the plane turns (because it's tipped towards the horizontal), therefore generating more lift and righting the plane. An anhedral wing, on the other hand, is shortened when the plane banks, further reducing the lift on the banking side and accelerating the turn. Anhedral-winged planes are essentially impossible to control without computer aid. Hence they are restricted to fighter planes and such...
  • by buysse (5473) on Saturday August 02, 2003 @12:42PM (#6595733) Homepage
    That would be "Red 5," my friend.
