Another deadly 737 Max control bug just found!
SparkyFX:

--- Quote from: EEVblog on June 27, 2019, 11:38:21 am ---A (hardware) watchdog timer usually has to restart the whole system, and I'd imagine that's not a trivial thing in a plane (that likely takes a lot of time). So you likely have to rely on the RTOS to handle that sort of stuff.
--- End quote ---
Those are the finer details of these state machines: if they are well designed, they need to be very specific about the validity of the data and which component can render which data invalid, and when. Now you add certain operating modes (like autopilot or partial autopilot functions) to this, and even while switching between these modes the system as a whole still needs to work properly.

I'd consider this to be a solved problem in aeronautical engineering, with very specific requirements on startup values, validity thresholds and sanity checks. Usually such sanity checks would require a more or less sophisticated physical model to be calculated in the background, and by comparison of the sensor data to this model it is able to spot a problem (hopefully); but if any component can fail, so can the calculation of the model.

sokoloff:

--- Quote from: EEVblog on June 27, 2019, 12:58:16 pm ---
--- Quote from: ptricks on June 27, 2019, 12:55:58 pm ---Too bad they can't add a toggle switch in the cockpit to cut power from the pin on the micro that controls the specific part the computer is trying to control, something like an auto/manual option.

--- End quote ---
It did/does actually have a switch that disables MCAS, and it could have saved those flights if they had been trained to use it.

--- End quote ---
There's a pair of switches in all 737s that cut power to the stab trim, and all 737 pilots have been trained to use that as a memory item (must be recalled without reference to a printed checklist) in the event of stab trim runaway.
rt:

--- Quote from: EEVblog on June 27, 2019, 11:39:31 am ---
--- Quote from: BBBbbb on June 27, 2019, 10:04:46 am ---I do hope BA got a hell of a discount on the recent order of 200pcs of these things...

--- End quote ---

I can't help but visualise a Digikey order cart...

--- End quote ---

Just for clarification, what was agreed at the Paris Air Show was a 'Letter of Intent to Order' by IAG (International Airlines Group, BA's parent) rather than a firm order. No hard contract to purchase. The delivery dates for the 200 aircraft would be between 2023 and 2027, so IAG would expect any of the current AoA-related problems to be sorted out by then.

The list price is US$24B, but big forward orders get good discounts, and I would expect IAG pushed even harder on price since they were allowing Boeing to announce a first bit of 'good news' at Paris amid all the return-to-flight questions and some big Airbus orders.

Also I would expect some clauses in the agreement around delivering a bug-free product, with clawbacks/cancellations if not.

rt
Sal Ammoniac:

--- Quote from: mac.6 on June 27, 2019, 11:40:10 am ---It's possible that the lockup fires the watchdog, but then you have to restart the system, then the system must recognize and correct the current situation; that could take a dozen seconds or more, enough to put the plane in the dangerous zone.
Even if the watchdog is quick enough to recover, it's an unacceptable situation, especially in this case.

--- End quote ---

It's very unlikely that any warm reset would take dozens of seconds on a control system like this one. No way. The core control functionality probably takes much less time to reset; I'd be surprised if it took more than a few hundred milliseconds.

Watchdogs aren't always effective in resetting hung systems if not used correctly. I saw one product in which the watchdog was kicked in a timer interrupt. The rest of the firmware could hang up tight and as long as that timer interrupt still fired the watchdog would be happy and not reset the system.
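As an added illustration of the pitfall described in the post above (this is constructed example code, not anything from the thread or from an aircraft system; all names are hypothetical), the model below simulates a watchdog kicked unconditionally from a timer ISR next to one that is only kicked after every task has reported in, and shows which of the two actually notices a hung task:

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a hardware watchdog (hypothetical names): it
 * forces a reset when no kick arrives within WDT_TIMEOUT timer ticks. */
#define WDT_TIMEOUT 10
#define NUM_TASKS   3

typedef struct { uint32_t ticks_since_kick; bool reset_fired; } wdt_t;

static void wdt_kick(wdt_t *w) { w->ticks_since_kick = 0; }
static void wdt_tick(wdt_t *w) {
    if (++w->ticks_since_kick > WDT_TIMEOUT) w->reset_fired = true;
}

/* One liveness flag per task; each task sets its own flag once per
 * iteration of its main loop, the supervisor clears them after a kick. */
static volatile bool task_alive[NUM_TASKS];

/* The pattern from the post: the timer ISR kicks unconditionally, so a
 * hung main loop never triggers a reset as long as interrupts still run. */
static void timer_isr_bad(wdt_t *w) { wdt_kick(w); }

/* Corrected pattern: the ISR only kicks when every task has checked in
 * since the previous kick; a stuck task starves the watchdog instead. */
static void timer_isr_good(wdt_t *w) {
    for (int i = 0; i < NUM_TASKS; i++)
        if (!task_alive[i]) return;          /* someone is hung: no kick */
    for (int i = 0; i < NUM_TASKS; i++) task_alive[i] = false;
    wdt_kick(w);
}

/* Run `ticks` timer ticks; every task other than `hung_task` (-1 = none)
 * reports alive each tick. Returns true if the watchdog reset fired. */
bool simulate(bool good_isr, int hung_task, int ticks) {
    wdt_t w = { 0, false };
    for (int i = 0; i < NUM_TASKS; i++) task_alive[i] = false;
    for (int t = 0; t < ticks && !w.reset_fired; t++) {
        for (int i = 0; i < NUM_TASKS; i++)
            if (i != hung_task) task_alive[i] = true;
        if (good_isr) timer_isr_good(&w);
        else          timer_isr_bad(&w);
        wdt_tick(&w);
    }
    return w.reset_fired;
}
```

With task 1 hung, `simulate(false, 1, 100)` stays false (the ISR keeps the watchdog happy) while `simulate(true, 1, 100)` returns true after the timeout.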
Kleinstein:
Those special computers, with possibly some extra HW to check for faults, can be difficult to program. It's likely not a normal OS; if at all, a more special RTOS variant. So it would be difficult for programmers not used to this likely rather old system. I would not be surprised to see something like Motorola's old 88K (not 68K, but not that much newer) or similar.

Today's programmers tend to not really care much about computer resources, and this could be a problem for an old system. Running out of computer power sounds a little like out of memory, out of stack space, interrupt saturation, latency violations or similar. A watchdog could in some cases even cause a hung system, e.g. if constantly triggered. It may only take a little more interrupt load to slow down old code enough to trigger the watchdog from time to time. This is kind of a hard-to-find error.

Still odd that the problem was found in the more official tests and not with Boeing internal ones. Though it might even be a good idea to not have internal tests, so the programmers have to make sure the program works without actually testing it, without the public noticing failures. However I don't think Boeing is going this far, especially not if in a hurry.