Published Date: 2015-04-30
Postmortem Analysis | |
---|---|
Timeline | 1. The defect in the Boeing 787 Dreamliner's generator/power control units, which shut down after 248 days of continuous power, was found by Boeing in laboratory testing and has not been reported as occurring on an in-service aircraft [35191, 36551]. 2. The FAA airworthiness directive and the press coverage date from late April and May 2015 [35191, 35071, 36551]. |
System | 1. Boeing 787 Dreamliner generator-control units (also described as power control units), i.e. the software that manages delivery of electrical power from the engine-driven generators [36103, 35191, 35071, 36551]. 2. Separately, and not a software system: the engines of GE-powered 747-8 and 787 aircraft, which are subject to ice build-up in high-level thunderstorms [22863]. |
Responsible Organization | 1. Boeing [22863, 35191, 35071, 36551] 2. Federal Aviation Administration (FAA) [35191, 35071, 36551] |
Impacted Organization | 1. All operators of the 787 Dreamliner, which the FAA airworthiness directive requires to power down each aircraft's electrical system periodically to prevent a total loss of power [35191, 35071, 36551]; American Airlines is named as one operator implementing the 120-day power-down [36551]. 2. Airlines including Japan Airlines, Lufthansa, United Airlines and Cathay Pacific Airlines were affected by the separate, non-software warning about ice forming on the engines of GE-powered 747-8 and 787 aircraft in high-level thunderstorms [22863]. |
Software Causes | 1. A defect in the generator-control unit software: a counter reaches its integer limit after 248 days of continuous power, after which the unit managing delivery of power to the engines enters a failsafe mode and stops delivering power [36103]. 2. Boeing found in laboratory testing that a 787 whose power control units had been continuously powered for 248 days could lose all AC electrical power, i.e. a complete electrical shutdown [35071, 36551]. (The 120-day power-down mandated by the FAA [36551] is a mitigation, not a cause; see Fixes.) |
Non-software Causes | None for the control-unit failure itself, which is purely a software defect. The articles also describe two unrelated non-software problems on the same aircraft types: 1. Ice forming on engines during high-level thunderstorms, affecting Boeing's 747-8 and 787 Dreamliner planes [22863] 2. Faulty lithium-ion batteries causing fires and overheating [35071, 36551] 3. Manufacturing defects and insufficient oversight in the battery manufacturing process [36551] |
Impacts | 1. Background: the entire Boeing 787 Dreamliner fleet had been grounded earlier in 2013 because of repeated faults in the planes' lithium-ion batteries [22863]. 2. Airlines were warned to keep GE-powered 747-8 and 787 aircraft away from thunderstorms to prevent ice build-up on the engines [22863]. 3. The control-unit defect shuts down the power generators once the units have been continuously powered for 248 days, which could cause a total loss of electrical power and loss of control of the aircraft [35191]. 4. The FAA issued an airworthiness directive requiring 787 operators to power down each aircraft's electrical system periodically to prevent a complete electrical shutdown [35071]. 5. American Airlines implemented the FAA's fix by powering down each aircraft's electrical system every 120 days [36551]. |
Preventions | 1. Choosing a counter representation wide enough for the unit's realistic uptime (or using wrap-safe interval arithmetic) and testing explicitly for integer limits during design and verification would have prevented the overflow that causes the error [36103]. 2. Releasing the control-unit software upgrade that removes the 248-day limit resolves the defect [35191, 35071]. 3. Until the upgrade is installed, powering down each aircraft's electrical system every 120 days keeps the units well short of the 248-day limit; this is an operational mitigation, not a prevention of the defect [35191, 35071, 36551]. |
Fixes | 1. A software upgrade for the control units that manage delivery of power from the engine-driven generators, to be developed and released by Boeing, to prevent a total loss of power [35191]. 2. Interim: powering down each aircraft's electrical system every 120 days, as mandated by the FAA airworthiness directive, until the upgrade is installed [36551]. |
References | 1. FAA (Federal Aviation Administration) [22863, 35191, 35071, 36551] 2. Boeing [22863, 35191, 35071, 36551] |
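To make the Software Causes and Preventions rows concrete, the following is an added worked example; it is our illustration, not code from the articles, Boeing or the FAA. It assumes a 10 ms tick (100 Hz) and a running count held in a signed 32-bit integer: neither the tick rate nor the counter width is stated in the articles, but 2^31 ticks of 10 ms is 248.55 days, which matches the reported 248-day limit. The defective check, the day-by-day simulation, the 120-day mitigation check and the wrap-safe hardened arithmetic are all hypothetical constructions for the example.

```c
/* Added illustration (not from the articles, Boeing or the FAA) of a 32-bit
 * tick counter that runs out after about 248 days.
 * Assumptions (ours): the unit counts time in 10 ms ticks (100 Hz) and the
 * defective firmware reads the running count as a signed 32-bit integer. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TICKS_PER_SECOND 100u          /* assumed 10 ms tick */
#define SECONDS_PER_DAY  86400u
#define TICKS_PER_DAY    ((uint64_t)TICKS_PER_SECOND * SECONDS_PER_DAY)

/* Days of continuous operation before a signed 32-bit tick count exceeds
 * INT32_MAX: 2147483647 / 100 / 86400 = 248.55 days. */
double days_until_signed_overflow(void)
{
    return (double)INT32_MAX / (double)TICKS_PER_SECOND / (double)SECONDS_PER_DAY;
}

/* Defective uptime check (hypothetical). The hardware tick register is
 * unsigned, but the firmware copies it into a signed variable. After 2^31
 * ticks the sign bit is set, the "uptime" appears negative, and the unit
 * treats that impossible value as an internal fault and drops into failsafe
 * (returns false). The cast relies on two's-complement wrap, which every
 * mainstream target (and C23) guarantees. */
bool uptime_check_buggy(uint32_t tick_register)
{
    int32_t uptime = (int32_t)tick_register;
    return uptime >= 0;            /* false => failsafe, generator offline */
}

/* First whole day of continuous power on which the defective check trips.
 * Simulated day by day so that the check above is what decides.
 * Returns 0 if it never trips within the 32-bit register's range. */
unsigned first_day_of_failsafe(void)
{
    for (unsigned day = 1; day * TICKS_PER_DAY < UINT32_MAX; day++) {
        uint32_t reg = (uint32_t)(day * TICKS_PER_DAY);   /* count at end of day */
        if (!uptime_check_buggy(reg))
            return day;
    }
    return 0;
}

/* Is a power cycle every `cycle_days` days enough to keep the defective
 * units short of the limit?  Models the FAA's interim 120-day directive. */
bool power_cycle_prevents_failsafe(unsigned cycle_days)
{
    return (uint64_t)cycle_days * TICKS_PER_DAY <= (uint64_t)INT32_MAX;
}

/* Hardened interval arithmetic: keep the register unsigned and compute
 * elapsed time by modular subtraction, which is well defined in C and
 * correct across the 2^32 wrap as long as no single interval exceeds
 * 2^32 ticks (about 497 days at 100 Hz). */
uint32_t elapsed_ticks(uint32_t start, uint32_t now)
{
    return now - start;            /* wraps modulo 2^32 by definition */
}

/* Hardened uptime accounting: fold each 32-bit register sample into a 64-bit
 * total so uptime itself never overflows (2^63 ticks at 100 Hz is billions
 * of years). `last` must be refreshed at least once every 2^32 ticks for the
 * modular subtraction to stay correct. */
void accumulate_uptime(uint64_t *uptime, uint32_t *last, uint32_t now)
{
    *uptime += elapsed_ticks(*last, now);
    *last = now;
}

int main(void)
{
    printf("signed 32-bit tick count overflows after %.2f days\n",
           days_until_signed_overflow());
    printf("defective check trips on day %u of continuous power\n",
           first_day_of_failsafe());
    printf("120-day power cycle keeps units safe: %s\n",
           power_cycle_prevents_failsafe(120) ? "yes" : "no");

    uint64_t uptime = 0;
    uint32_t last = 0xFFFFFF00u;      /* register just before the 2^32 wrap */
    accumulate_uptime(&uptime, &last, 0x00000100u);
    printf("elapsed across register wrap: %llu ticks\n",
           (unsigned long long)uptime);
    return 0;
}
```

The simulation trips on day 249 (the count passes INT32_MAX 0.55 days into that day), and a 120-day cycle leaves roughly half the margin unused, which is why an interval much shorter than the limit was chosen. The hardened form shows the two changes a practitioner would want: never interpret a free-running counter as signed, and compute intervals by unsigned modular subtraction (or accumulate into a 64-bit total) so that the wrap is harmless rather than a fault condition.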
Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) one_organization: The defect belongs to Boeing's 787 generator/power control unit software and applies to every 787: the units can cause a total loss of power after 248 days of continuous operation [35191]. Boeing found it in laboratory testing, and the FAA issued an airworthiness directive mandating a power-down of each aircraft's electrical system every 120 days until a software upgrade is released [36551]. (b) multiple_organization: The FAA directive applies to all operators of the 787, not to a single airline, so the issue is fleet-wide rather than operator-specific [35071]; American Airlines is named as one operator implementing the 120-day power-down [36551]. |
Phase (Design/Operation) | design, operation | (a) design: The defect was introduced during development: the control-unit software was built with a limit that is exceeded after 248 days of continuous power, and Boeing found it in laboratory testing rather than in service [35071, 35191]. (b) operation: The defect is exposed only by an operational condition, keeping an aircraft continuously powered for long periods, and the mitigation is operational: the FAA directive requires operators to power down each aircraft's electrical system every 120 days until the software upgrade is available [36551]. This is not misuse; continuous power is a normal operating condition that the design failed to account for. |
Boundary (Internal/External) | within_system, outside_system | (a) within_system: The failure originates inside the control-unit software: after 248 days of continuous power the unit managing delivery of power to the engines enters failsafe mode and shuts down [36103], which can cause a complete electrical shutdown and a potential loss of control [35191]; Boeing is preparing a software upgrade for the units [35191]. (b) outside_system: The only external contributor is the operating condition that exposes the defect, an aircraft left continuously powered for 248 days. The defect was found in Boeing's laboratory testing rather than in service, and the FAA's airworthiness directive is a regulatory response that changes operating practice (a 120-day power-down), not a cause of the failure [36551]. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) non-human_actions: - The control unit managing delivery of power to the engines enters failsafe mode on its own after 248 days of continuous power, with no operator input, leading to a complete electrical shutdown [36103]. - The FAA warning and maintenance order concern a software bug in the generator-control units that can cause a complete electric shutdown of the 787 [35191]. - Boeing found in laboratory testing that a 787 could lose all AC electrical power after 248 days of continuous power; the problem has appeared only in the laboratory, not on an in-service aircraft [36551]. (b) human_actions: - The defect itself is a human engineering error: the software was written with an integer limit that ordinary continuous operation can exceed [36103]. - The human actions reported in the articles (Boeing's laboratory testing and report to the FAA, the FAA's airworthiness directive, airlines' 120-day power-downs) are detection and response, not causes [35191, 36551]. |
Dimension (Hardware/Software) | hardware, software | (a) hardware: No hardware defect is reported; the hardware dimension is that the failure manifests in the electrical hardware. The generator-control units put the electrical generators into failsafe mode after 248 days of continuous power [35191], shutting down the power generators and removing all AC electrical power from the aircraft [35071]. (b) software: The root cause is software. The generator-control units' software contains the bug that can lead to a complete electric shutdown and a potential "loss of control" of the aircraft [35191]; Article 36103 attributes it to an integer limit in the control-unit software and compares it with the integer limit suspected when NASA lost contact with the Deep Impact space probe in 2013 [36103]. |
Objective (Malicious/Non-malicious) | non-malicious | (a) The articles do not mention any software failure incident related to malicious intent to harm the system. (b) The software failure incident mentioned in the articles is non-malicious. The incident involved a software bug in the Boeing 787 Dreamliner's power control units that could cause a complete electric shutdown of the aircraft if the units were continuously powered on for 248 days. This issue was discovered through laboratory testing by Boeing, and the Federal Aviation Administration (FAA) issued an airworthiness directive mandating a temporary fix of powering down each aircraft's electrical power every 120 days until a software upgrade is developed by Boeing [35191, 35071, 36551]. |
Intent (Poor/Accidental Decisions) | accidental_decisions | The failure stems from an unintended consequence of the software design, not a deliberate choice: the control units shut down after 248 days of continuous power, which Boeing discovered in laboratory testing [35191]. The FAA's airworthiness directive, requiring operators to power down each aircraft's electrical system every 120 days until Boeing's software upgrade is released, is a safety response to that accidental defect, which could otherwise cause a loss of all AC electrical power and loss of control of the airplane [36551]. |
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) development_incompetence: The bug is a development defect: the generator-control unit software was released with an integer limit that ordinary continuous operation can exceed, and the limit was found only later in Boeing's laboratory testing, i.e. it escaped the original design review and verification [35191, 35071, 36103]. (b) accidental: Nothing in the articles suggests the limit was chosen deliberately; like the integer limit suspected in NASA's 2013 loss of contact with the Deep Impact space probe, which Article 36103 cites as a comparison, it is an unintended consequence of the chosen data representation [36103]. The FAA directive and the interim 120-day power-down are responses to that accidental defect [36551]. |
Duration | temporary | The defect is latent and triggers only after 248 days of continuous power; Boeing found it in laboratory testing and it has not occurred on an in-service aircraft, but it could leave the crew unable to control the plane [35191, 36551]. The failure is temporary in the sense that a power cycle clears it: the interim fix, powering down each aircraft's electrical system every 120 days under the FAA airworthiness directive (effective immediately), prevents the shutdown until Boeing's software upgrade is developed and released [36551]. |
Behaviour | crash, omission, timing, value, other | (a) crash: Failure due to system losing state and not performing any of its intended functions - Once the control units have been continuously powered for 248 days they enter failsafe mode and the aircraft loses all AC electrical power, a complete electrical shutdown [35191, 35071]. - The FAA's temporary fix exists because such a shutdown could leave the air crew unable to control the plane [36551]. (b) omission: Failure due to system omitting to perform its intended functions at an instance(s) - The units stop performing their intended function, delivering generator power, after 248 days of continuous operation [35071, 36551]. (c) timing: Failure due to system performing its intended functions correctly, but too late or too early - The failsafe transition is a designed function of the units, but it is triggered by elapsed time rather than by any real electrical fault, i.e. at the wrong moment; the 120-day power-down resets the clock before that moment is reached [36551]. (d) value: Failure due to system performing its intended functions incorrectly - The units compute an incorrect internal value after 248 days (a counter passes its integer limit) and act on it by shutting down the generators [36103, 35071]. (e) byzantine: Failure due to system behaving erroneously with inconsistent responses and interactions - The articles do not describe any byzantine behaviour. (f) other: Failure due to system behaving in a way not described in the (a to e) options - Article 36103 describes the units entering failsafe mode and shutting down the engines if left on for over 248 days, potentially halting the engines even in mid-flight [36103]. |
Layer | Option | Rationale |
---|---|---|
Perception | None | None |
Communication | None | None |
Application | None | None |
Category | Option | Rationale |
---|---|---|
Consequence | property, non-human, theoretical_consequence, other | (a) death: There were no reports of people losing their lives due to the software failure incident described in the articles. (b) harm: There were no reports of people being physically harmed due to the software failure incident described in the articles. (c) basic: There were no reports of people's access to food or shelter being impacted because of the software failure incident described in the articles. (d) property: The software failure incident described in the articles impacted the Boeing 787 Dreamliner aircraft, leading to potential safety concerns and the need for a temporary fix related to the power supply system [35191]. (e) delay: The software failure incident described in the articles did not mention any delays caused by the issue. (f) non-human: The software failure incident impacted the Boeing 787 Dreamliner aircraft and its electrical systems, leading to safety concerns and the need for a temporary fix [35191]. (g) no_consequence: The software failure incident had real observed consequences related to potential safety issues with the Boeing 787 Dreamliner aircraft's power supply system [35191]. (h) theoretical_consequence: The software failure incident discussed potential safety concerns and the risk of a complete electrical shutdown of the Boeing 787 Dreamliner aircraft if the power control units were continuously powered on for 248 days [35071]. (i) other: The software failure incident led to the Federal Aviation Administration issuing a directive for a repetitive maintenance task on Boeing 787 Dreamliners to address the potential safety concerns related to the power supply system [36551]. |
Domain | transportation | (a) information: Not applicable. The failed system is not an information system; it is the electrical power control of an aircraft. (b) transportation: The 787 Dreamliner carries passengers and cargo. The defect affects the aircraft's electrical power supply, and a total loss of AC power could leave the crew unable to control the aircraft [35191, 35071, 36551]; the articles also cover separate engine-icing and battery issues on the same aircraft types [22863, 35071, 36551]. (m) No industry outside the listed options is involved. |
Article ID: 22863
Article ID: 36103
Article ID: 35191
Article ID: 35071
Article ID: 36551