[News] 787s must be rebooted periodically

Original poster: takahashikag (那来自某岛的苏州军部长)   2020-04-03 13:49:26
[Media name] Boeing 787s must be turned off and on every 51 days to prevent 'misleading data' being shown to pilots
[News date] 2 Apr 2020 at 14:45
[URL] https://bit.ly/3e0w5TI
[Body] I'm a clumsy translator; my translation and impressions are under Thoughts
US air safety bods call it 'potentially catastrophic' if reboot directive not implemented
The US Federal Aviation Administration has ordered Boeing 787 operators to switch their aircraft off and on every 51 days to prevent what it called "several potentially catastrophic failure scenarios" – including the crashing of onboard network switches.
The airworthiness directive, due to be enforced from later this month, orders airlines to power-cycle their B787s before the aircraft reaches the specified days of continuous power-on operation.
The power cycling is needed to prevent stale data from populating the aircraft's systems, a problem that has occurred on different 787 systems in the past.
According to the directive itself, if the aircraft is powered on for more than 51 days this can lead to "display of misleading data" to the pilots, with that data including airspeed, attitude, altitude and engine operating indications. On top of all that, the stall warning horn and overspeed horn also stop working.
This alarming-sounding situation comes about because, for reasons the directive did not go into, the 787's common core system (CCS) – a Wind River VxWorks realtime OS product, at heart – stops filtering out stale data from key flight control displays. That stale data-monitoring function going down in turn "could lead to undetected or unannunciated loss of common data network (CDN) message age validation, combined with a CDN switch failure".
Solving the problem is simple: power the aircraft down completely before reaching 51 days. It is usual for commercial airliners to spend weeks or more continuously powered on as crews change at airports, or ground power is plugged in overnight while cleaners and maintainers do their thing.
The CDN is a Boeing avionics term for the 787's internal Ethernet-based network. It is built to a slightly more stringent aviation-specific standard than common-or-garden Ethernet, that standard being called ARINC 664. More about ARINC 664 can be read here.
Airline pilots were sanguine about the implications of the failures when El Reg asked a handful about the directive. One told us: "Loss of airspeed data combined with engine instrument malfunctions isn't unheard of," adding that there wasn't really enough information in the doc to decide whether or not the described failure would be truly catastrophic. Besides, he said, the backup speed and attitude instruments are – for obvious reasons – completely separate from the main displays.
Another mused that loss of engine indications would make it harder to adopt the fallback drill of setting a known pitch and engine power* setting that guarantees safe straight-and-level flight while the pilots consult checklists and manuals to find a fix.
A third commented, tongue firmly in cheek: "Anything like that with the aircraft is unhealthy!"
A previous software bug forced airlines to power down their 787s every 248 days for fear that electrical generators could shut down in flight. Airbus suffers from similar issues with its A350, with a relatively recent but since-patched bug forcing power cycles every 149 hours.
Staleness persists
Persistent or unfiltered stale data is a known 787 problem. In 2014 a Japan Airlines 787 caught fire because of the (entirely separate, and since fixed) lithium-ion battery problem. Investigators realised the black boxes had been recording false information, hampering their task, because they were falsely accepting stale old data as up-to-the-second real inputs.
More seriously, another 787 stale data problem in years gone by saw superseded backup flight plans persisting in standby navigation computers, and activating occasionally. Activation caused the autopilot to wrongly decide it was halfway through flying a previous journey – and manoeuvre to regain the "correct" flight path. Another symptom was for the flight management system to simply go blank and freeze, triggered by selection of a standard arrival path (STAR) with exactly 14 waypoints – such as the BIMPA 4U approach to Poland's rather busy Warsaw Airport. The Polish air safety regulator published this mildly alarming finding in 2016 [2-page PDF, in Polish].
This was fixed through a software update, as the US Federal Aviation Administration reiterated last year. In addition, Warsaw's BIMPA 4U approach has since been superseded. The Register asked Boeing to comment.
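[Thoughts]
Simply put, if the 787's main power is not regularly shut off and turned back on, so that the onboard computers keep running continuously, stale transmitted data may be sent within the AFDX network; in the worst case, the onboard computers may accept that data and "display erroneous data" to the pilots, including airspeed, attitude, altitude and engine operating status
Most serious of all, the stall warning and overspeed warning systems will also stop working because of the erroneous data
The cause of this situation is that the operating system of the 787's flight computers (the CCS, which is based on the VxWorks operating system developed by Wind River; VxWorks as an RTOS is actually very stable in itself, and many satellites and military platforms are built by adapting it) has a problem: the CCS stops filtering stale data out of key functions
As a result, the function that monitors data transmission may in turn tell the AFDX switch that the normal data being transmitted is expired or abnormal, which then causes the switch to malfunction
This problem was first discovered in the incident in which an All Nippon Airways 787 battery unit caught fire; the investigation found that abnormal and incorrect data had been written to the black boxes, which affected the investigation, yet the problem was never really solved
The other two problems are, first, that the backup computer would start up on its own in flight, causing the autopilot to wrongly believe it was partway through the previous flight and to try to regain the flight path it considered "correct"; the other is that the system would freeze and show a blank screen, which can be triggered by an arrival procedure that passes through fourteen waypoints
The A350 has also had a problem where the onboard computers misbehave after being powered on too long, but this relatively recent problem has already been fixed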
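Author: NiChu (氵尼~~鱼禾火~~)   2020-04-03 13:54:00
I wonder whether rebooting the flight computers takes long? If it doesn't, wouldn't the case be closed by writing into the pre-flight checks an SOP that the computers must be shut down after every flight, or power-cycled before every flight??...
Author: akira30 (akira)   2020-04-03 14:08:00
A Daily check has to be done once within 48 hr
Author: yoshilin (明明可以靠脸吃饭)   2020-04-03 14:24:00
That's how I fix Windows problems too, it works really well
Author: maikxz (超级痛痛人)   2020-04-03 14:29:00
Power-cycling the equipment, the ultimate move
Author: acomp (clarity)   2020-04-03 14:37:00
Isn't this the bug the FAA already required to be fixed in 2016? Oh.. this is a new bug.
Author: tivallion (Tiva)   2020-04-03 15:25:00
The 787 could consider installing 360, the number one brand for cleaning junk off Android phones
Author: yamakazi (大安吴彦祖)   2020-04-03 15:31:00
Author: TsukimiyaAyu (ㄎㄎㄎㄎㄎㄎㄎㄎㄎㄎㄎ)   2020-04-03 15:34:00
Kingsoft
Author: cka   2020-04-03 15:37:00
Windows is the same, when something goes wrong just reboot
Author: asdfghjklasd (好累的大一生活)   2020-04-03 15:40:00
Did they get Chinese people to write the 787's FW?
Author: jack168168tw (陈年老鲁蛇)   2020-04-03 15:52:00
Seeing the title, I thought I was on the mobileComm board
Author: eatingshit (别怀疑我叫宜霆谢)   2020-04-03 16:07:00
It must be Android's fault
Author: whocare96   2020-04-03 16:34:00
Memory allocated and not released after use?
Author: QuentinHu (囧兴)   2020-04-03 17:36:00
Immediately thought of the Patriot missile +1
Author: lexar (hot n' cold)   2020-04-03 17:51:00
Rebooting cures all ills
Author: FTICR (FT-ICR)   2020-04-03 18:51:00
Isn't it normally powered off under ordinary circumstances?
Author: edison (edison)   2020-04-03 19:15:00
Lately they've surely been powered off to the point of pulling the plug
Author: aahome (少说话)   2020-04-03 20:54:00
It's the server concept: a server with no problems doesn't need rebooting
Author: ganlinlowmo (ID是个错误-枪哥)   2020-04-03 21:01:00
The Mercedes-Benz infotainment system doesn't crash, but BMW's often crashes airbus boeing
Author: donkilu (donkilu)   2020-04-04 03:46:00
What kind of lousy OS is this...
Author: snalvc (snalvc)   2020-04-04 19:29:00
This "lousy OS" can be seen in almost all aerospace and military systems; a whole lot of satellites, missiles and aircraft use it. My guess is that it's not a problem with VxWorks itself: the largest value a 32-bit unsigned integer can represent is 4294967295, and if it's a timestamp in milliseconds, that's roughly 51 days, so it's probably the application not handling the overflow properly.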
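The 32-bit millisecond wraparound that snalvc's comment above guesses at, as an added example that is not part of the thread and is not Boeing's code (the directive does not state the cause): a free-running `uint32_t` millisecond counter wraps after about 49.7 days, and a message-age check that mishandles the wrap starts accepting stale data. `MAX_AGE_MS`, the function names and the sample timestamps are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_AGE_MS 100u /* assumed freshness window, not from the directive */

/* Days until a free-running counter of `bits` bits at `hz` ticks/s wraps. */
double days_to_wrap(unsigned bits, double hz) {
    return (double)(1ULL << bits) / hz / 86400.0;
}

/* Flawed: widens both values and takes a signed difference. Once the
 * receiver's counter wraps, every pre-wrap stamp yields a negative "age"
 * and passes as fresh, so stale data is no longer filtered out. */
bool fresh_naive(uint32_t now_ms, uint32_t stamp_ms) {
    int64_t age = (int64_t)now_ms - (int64_t)stamp_ms;
    return age <= (int64_t)MAX_AGE_MS;
}

/* Wrap-safe: unsigned subtraction is modulo 2^32, so the age is correct
 * across the wrap as long as the true age is below 2^32 ms. */
bool fresh_wrapsafe(uint32_t now_ms, uint32_t stamp_ms) {
    return (uint32_t)(now_ms - stamp_ms) <= MAX_AGE_MS;
}

int main(void) {
    /* Constructed samples: {receiver clock, message stamp} in ms. */
    const uint32_t s[][2] = {
        {5000u, 4950u},             /* 50 ms old, no wrap      */
        {5000u, 1000u},             /* 4 s old, no wrap        */
        {0x00000010u, 0xFFFFFFF0u}, /* 32 ms old, across wrap  */
        {5000u, 0xFFFFFF00u},       /* 5256 ms old, across wrap */
    };
    printf("2^32 ms wraps after %.2f days\n", days_to_wrap(32, 1000.0));
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("now=%10u stamp=%10u naive=%d wrapsafe=%d\n",
               (unsigned)s[i][0], (unsigned)s[i][1],
               fresh_naive(s[i][0], s[i][1]),
               fresh_wrapsafe(s[i][0], s[i][1]));
    return 0;
}
```

The last sample is the failure mode: a message more than five seconds old is reported fresh by the flawed check and stale by the wrap-safe one.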
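Author: Boeing78710 (b787-10)   2020-04-06 10:01:00
No, it's just that I don't want to sleep too long...
Author: yuinghoooo (KiXeon)   2020-04-08 20:27:00
Rewriting it must be painful
Author: sammy98 (军)   2020-04-10 06:35:00
BMW too: if you don't reset it, you get a pile of false error codes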
