A very specific software bug made airliners turn the wrong way if their pilots adjusted a pre-set altitude limit.
The bug, discovered on Bombardier CRJ-200 aircraft fitted with Rockwell Collins Aerospace-made flight management systems (FMSes), led to airliners trying to follow certain missed approaches turning right instead of left – or vice versa.
Missed approaches are used when pilots aren't confident that they're going to land safely. They are a published path that helps the pilot safely position the aeroplane for another attempt.
First discovered in 2017, the flaw was only apparent when pilots manually edited a pre-set “climb to” altitude programmed into a “missed approach” procedure following an Instrument Landing System approach. It also arose if pilots used the FMS's temperature compensation function in extremely cold weather.
In theory the bug could have led to airliners crashing into the ground, though the presence of two trained and alert humans in the cockpit monitoring what the aircraft was doing made this a remote possibility.
Extract from the freely available UK CAA chart for Scatsta airport, used as an illustrative example. The dotted line and '242' are the missed approach path. Click to enlarge
The bug was first uncovered when a CRJ-200 crew flying into Canada's Fort St John airport used the FMS's temperature correction function. They discovered that the software turned their aeroplane in the wrong direction while it was following the published missed approach, something that generally does not happen. The fault was swiftly reported to the authorities and the relevant manufacturers.
As explained to El Reg by a professional aviator, temperature correction is a function of modern FMSes that helps keep aeroplanes at a safe height above ground while following published approach paths under instrument flight rules (or the autopilot). Airport approaches are designed with a given set of atmospheric conditions, including a standard temperature, in mind. When real-world temperatures drop below certain limits, pilots must apply a correction to their altimeters in order to stay at a safe height above ground. Lower temperatures, for a given atmospheric pressure, introduce a progressively greater error in the altimeter reading.
Full details, including the maths, are available here.
In a Powerpoint presentation published (PDF) on the US Federal Aviation Authority website, Rockwell Collins explained that “an error in the design of the Pro Line 4 FMC software causes changes to the procedure-defined turn direction, during a missed approach when the procedure has been significantly modified… The FMS may change the planned database turn direction to an incorrect turn direction when the altitude climb field is edited.”
The incorrect turn direction, said the company, "is dependent on leg types and geometries of the instrument departure procedure and missed approach procedures." In other words, the bug only occurred rarely and under specific conditions.
Another document published by Rockwell Collins in late 2017 (PDF) stated: "This issue will occur in departures and missed approaches where the shortest turn direction is different than the required turn direction onto the next leg if the crew edits the 'Climb to' altitude field."
Although mitigations and workarounds for the bug were published relatively quickly, Bombardier and Rockwell Collins disagreed with the FAA on the formal steps to be taken about it; a mandatory airworthiness directive ordering operators of CRJ-200 aircraft to disable the automatic temperature compensation was published in Europe this week and goes into force in mid-June.
Both companies disagreed with the FAA's directive when it was in draft format, arguing that a software fix would be easier to accomplish than banning the use of the automatic calculator. Rockwell Collins and Bombardier have both been asked for comment.
Bugs in flight control software are rare, though not unknown. Most bugs in airliners tend to be unforeseen memory overflows, as both Airbus and Boeing have discovered over the years. A design formerly owned by Bombardier, the Airbus A220 (nee Bombardier C-series) suffered from software-induced problems with its engines last year, while the Boeing 737 was discovered to have a rare bug that completely blanked all cockpit displays if pilots tried to land on one of seven specific runways in the world.
And there's the other Boeing 737 Max software problem, but that one is very well known by now. ®