Homicidal autopilots
Brent Swain
02-11-2009, 10:07 PM
In recent years, a couple of boats, while motoring alongside BC Ferries, suddenly did a 90 degree turn into the path of the ferries, killing all onboard in one instance, and killing the skipper's family, wife and kids, in the other.
People ask "Why would anyone turn into the path of a BC Ferry?" They probably didn't. Their autopilot did it for them.
When the button on an autopilot jams, it turns the helm hard over. It only takes a moment's inattention to miss it. I've had this happen many times. Who among us has never had that brief moment's inattention?
I have urged the media, Transportation Safety Board, Coast Guard, and the Mounties to warn the public of the danger of relying on an autopilot in crowded waters, especially alongside big ships. They have done nothing, and my suggestions have met with indifference or sarcasm. Does their loyalty to protecting big businesses from the liability override their concern for public safety?
Boats should never use an autopilot in congested waters in heavy marine traffic areas, and this should be taught in all boater education courses. Is it? Has anyone had this pointed out to them? Have you ever seen this mentioned on a safe boating pamphlet? Is it a question on any of the tests? Not a chance. It was probably the cause of the accidents that gave us the mandatory pleasure boat operators certificate, yet the government agencies have done nothing to warn the public of the danger. That is what they are being paid for.
Brent
daiquiri
02-12-2009, 04:44 AM
I agree that more regulations, laws and codes of conduct would be necessary. But this appears to me as the case where more brain usage is desirable, above all.
I would never rely on a bunch of stupid microchips and electromechanical devices to drive me through a zone infested by moving monsters made of 10^x tonnes of steel. ;)
When the button on an autopilot jams, it turns the helm hard over.
Actually, I would suspect more on some kind of electromagnetic interference which may result in false input signals for an autopilot. There are plenty of powerful radio communication devices, radars etc. in heavily congested traffic routes. Would be curious to know if any research in marine industry has ever been made in this sense.
apex1
02-12-2009, 12:18 PM
Actually, I would suspect more on some kind of electromagnetic interference which may result in false input signals for an autopilot. There are plenty of powerful radio communication devices, radars etc. in heavily congested traffic routes.
I share this opinion and like to add that these very dense routes are mainly found close to bigger harbour entrances where land-based interference adds to the problem.
just my two € 0,02
Regards
Richard
Jack Daniels Eq
03-15-2009, 08:31 AM
There is only one PIC
It is his call whether to stay on autopilot or not.
Somebody was clearly asleep whilst the boat swung across the bow of the approaching vessel and too damned close.
Several fatal aircraft icing accidents of late have had autopilots to blame, whilst icing conditions prevailed on both wings & engines.
That is why we have live, competent pilots.
Jack
Luckless
03-15-2009, 11:08 AM
As a computer science student, I fully trust a computer to do exactly as it is programmed to do.
I however don't trust the programmer to have done it correctly. (Remember, computers are only as smart as their programmers and users, so next time you go to scream about how stupid your computer is, remember that the programmer likely went to school far longer than you did.)
Have you tried writing to newspapers in your area, or tried to get marinas to post up warnings not to rely on auto pilot when too close to other ships? If you bring people's attention around to the fact that authorities have an option to prevent these accidents, but are doing nothing about it, then usually politics will rear its head and change things fairly quickly.
Jack Daniels Eq
03-15-2009, 01:24 PM
I said the PIC was an idiot
Jack
tspeer
03-15-2009, 05:26 PM
As a computer science student, I fully trust a computer to do exactly as it is programmed to do....
True, given the same inputs, a computer program will produce the same outputs. However, in the case of electromagnetic interference, the inputs may not be what one expects them to be, and the processing may not execute the instructions correctly.
Design for EMI is a very important part of a control system, as is testing for EMI by exposing it to the design radiation levels across the frequency spectrum. I don't know how susceptible the autopilot in the incident was, but the radar on a ferry could easily be enough to upset it.
An actuator can go hard-over faster than a person can react, and even the simplest tiller pilots can produce forces that may be difficult to overcome in an emergency. For example, even the humble Raymarine ST1000+ tiller pilot can produce a force of 125 lb. and go hard-over in 4 seconds. And since it uses a lead-screw electromechanical drive, it will be locked in position and have to be lifted off the tiller before the rudder can be restored. When the boat suddenly turns into the path of a ferry, one's first reaction would probably be to grab the tiller, and only after finding out that didn't work, grab for the autopilot. By that time, some seconds have elapsed, even if the pilot was right at the controls (3 seconds is the reaction time used for FAA certification of aircraft to unexpected events like this). I've no idea what make or model of autopilot was actually used, but since the ST1000+ is the lowest end of the autopilot scale, this gives an indication of the potential hazard.
Another source of anomalous behavior, believe it or not, is cosmic rays. A cosmic ray can zap a gate in an electronic chip and change its state. The event is usually short-lived and not noticed. But if it happens to be, say, a high-order bit in a memory location, then suddenly the autopilot's brain is working on completely different information.
One way to help avoid such problems is to have a redundant system. This more than doubles or triples the cost and difficulty of developing it. For example in an aircraft fly-by-wire control system (typically triplex or quadruplex redundancy), redundancy management typically occupies 60% - 70% of the software, while the control laws are often only 20% - 30% of the software. But if the interference is random noise, then the channels will be affected differently and an errant channel can be detected and taken out of the mix before it does much harm. It's unlikely a recreational autopilot will have provisions like this, even with the falling cost of electronics - it's just too expensive.
So it's not just the incompetence of programmers that determines autopilot safety. (Actually failure to program correctly to the requirements is actually quite unusual, especially after even a modest amount of testing. But not specifying the right requirements in the first place - now there's the rub.) A single redundant autopilot simply cannot be trusted to do the right thing all the time.
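The redundancy management described in the post above, sketched as an added example that is not part of the original post or any manufacturer's code: three heading channels are mid-value selected, and a channel that disagrees persistently is latched out of the mix. The 10 degree threshold, 3-frame persistence, type and function names, and the sample frames are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define N_CH           3
#define MISCOMPARE_DEG 10.0  /* assumed trip threshold, degrees */
#define PERSIST_FRAMES 3     /* assumed frames of disagreement before latch-out */

typedef enum { VOTE_OK, VOTE_DEGRADED, VOTE_FAIL } vote_status_t;

typedef struct {
    bool failed[N_CH];   /* latched: channel removed from the mix */
    int  strikes[N_CH];  /* consecutive frames in miscompare */
} voter_t;

/* Smallest signed difference a-b in (-180, 180], so 359 and 1 are 2 deg apart. */
static double ang_diff(double a, double b)
{
    double d = a - b;
    while (d > 180.0)   d -= 360.0;
    while (d <= -180.0) d += 360.0;
    return d;
}

static double wrap360(double a)
{
    while (a >= 360.0) a -= 360.0;
    while (a < 0.0)    a += 360.0;
    return a;
}

static double absd(double x) { return x < 0.0 ? -x : x; }

void voter_init(voter_t *v)
{
    for (int i = 0; i < N_CH; i++) { v->failed[i] = false; v->strikes[i] = 0; }
}

/* One frame of redundancy management; writes the selected heading to *out. */
vote_status_t voter_step(voter_t *v, const double h[N_CH], double *out)
{
    int idx[N_CH], n = 0;
    for (int i = 0; i < N_CH; i++)
        if (!v->failed[i]) idx[n++] = i;

    if (n < 2)
        return VOTE_FAIL;              /* nothing left to cross-check against */

    double ref = h[idx[0]];
    if (n == 2) {
        double d2 = ang_diff(h[idx[1]], ref);
        if (absd(d2) > MISCOMPARE_DEG)
            return VOTE_FAIL;          /* two channels disagree: cannot tell which is wrong */
        *out = wrap360(ref + d2 / 2.0);
        return VOTE_DEGRADED;
    }

    /* Triplex: take the median of the offsets from channel 0 (handles the 0/360 wrap). */
    double lo = 0.0, mid = ang_diff(h[1], ref), hi = ang_diff(h[2], ref), t;
    if (lo > mid) { t = lo; lo = mid; mid = t; }
    if (mid > hi) { t = mid; mid = hi; hi = t; }
    if (lo > mid) { t = lo; lo = mid; mid = t; }
    *out = wrap360(ref + mid);

    vote_status_t st = VOTE_OK;
    for (int i = 0; i < N_CH; i++) {
        if (absd(ang_diff(h[i], *out)) > MISCOMPARE_DEG) v->strikes[i]++;
        else v->strikes[i] = 0;
        if (v->strikes[i] >= PERSIST_FRAMES) { v->failed[i] = true; st = VOTE_DEGRADED; }
    }
    return st;
}

int main(void)
{
    /* Constructed samples: channel 1 reads 90 degrees off from the third frame on,
       then channel 0 also drifts away in the last frame. */
    static const double frames[][N_CH] = {
        {359.0, 1.0, 2.0}, {359.0, 1.0, 2.0}, {359.0, 91.0, 2.0}, {359.0, 91.0, 2.0},
        {359.0, 91.0, 2.0}, {359.0, 91.0, 2.0}, {50.0, 91.0, 2.0},
    };
    static const char *name[] = {"OK", "DEGRADED", "FAIL: disengage and alarm"};
    voter_t v;
    voter_init(&v);
    for (size_t k = 0; k < sizeof frames / sizeof frames[0]; k++) {
        double out = 0.0;
        vote_status_t st = voter_step(&v, frames[k], &out);
        printf("frame %zu: selected %.1f  %s\n", k, out, name[st]);
    }
    return 0;
}
```

With only two channels left the voter can still detect a disagreement but can no longer tell which channel is wrong, which is why the duplex miscompare ends in a disengage rather than a selection.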
marshmat
03-15-2009, 10:19 PM
Don't get me started on cosmic rays, Tom.... I have friends who work on neutrino and dark-matter detectors, and you know how sensitive those are to such interference ;) And I've seen plenty of single-redundant control systems on solar cars get cooked by EMI from the motors- everything works fine on the bench, but toss it all in at once with a few hundred high-frequency volts and everything's toast.
I really do not like it when people trust their electronics before their eyes. My runabout has a radar cross-section not much bigger than that of a B-2 stealth bomber. I've been nearly run down several times in narrow channels by big, fancy boats whose pilots were too busy watching the radar and GPS to bother looking out the windshield. This in Force 1 weather and broad daylight.
<end rant>.....
Brent Swain
03-17-2009, 04:45 PM
Some people trust their computers and calculators more than their eyes , experience, and logic when it comes to design issues.
Brent
Landlubber
03-17-2009, 11:58 PM
Autopilots need to be "swung" before use too, most people ignore this simple part of the process....resulting in the stories above......oh, and keep the tools away from the sensor, it is magnetic don't forget.
Luckless
03-18-2009, 10:56 AM
oh, and keep the tools away from the sensor, it is magnetic don't forget.
I think that is one of the biggest issues with many automated systems these days. I don't have much experience working with auto pilots for boats, but I do work with a lot of other systems. Lack of proper redundancy is a major point I see a lot of people overlooking.
As for 'cosmic rays', they should have no effect on a properly designed system. The issue is, how often are these systems properly designed? After all, all critical memory should be stored in self error checking and correcting memory structures. (Extra data is used, and it is run through a map problem before use, if the equation works out, data is good to go, if something doesn't work out right, the data is looked at, automatically corrected, and off you go again. If it fails to correct properly, then systems should fail gracefully.) Should they be allowed to continue being used if they are so poorly designed as to not have effective third and fourth tier backup redundancy on critical aspects?
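The error checking and correcting storage described in the post above, as an added example that is not part of the original post or taken from any autopilot: a 16-bit word is stored as a 22-bit extended Hamming (SECDED) codeword, so a single flipped bit is corrected and a double flip is reported so the caller can fail gracefully. Storing the heading setpoint in tenths of a degree, and all function names, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define CW_BITS 22  /* bit 0: overall parity; bits 1..21: Hamming(21,16) */

typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_status_t;

static int is_pow2(unsigned p) { return (p & (p - 1)) == 0; }

/* XOR of the positions (1..21) of all set bits; zero for a valid codeword. */
static unsigned syndrome(uint32_t cw)
{
    unsigned s = 0;
    for (unsigned p = 1; p < CW_BITS; p++)
        if ((cw >> p) & 1u) s ^= p;
    return s;
}

static unsigned parity(uint32_t x)
{
    unsigned par = 0;
    for (; x; x >>= 1) par ^= x & 1u;
    return par;
}

uint32_t ecc_encode(uint16_t data)
{
    uint32_t cw = 0;
    unsigned bit = 0;
    for (unsigned p = 1; p < CW_BITS; p++) {    /* data bits fill non-power-of-two positions */
        if (is_pow2(p)) continue;
        if ((data >> bit) & 1u) cw |= (uint32_t)1 << p;
        bit++;
    }
    unsigned s = syndrome(cw);
    for (unsigned p = 1; p < CW_BITS; p <<= 1)  /* set check bits so the syndrome becomes 0 */
        if (s & p) cw |= (uint32_t)1 << p;
    cw |= parity(cw);                           /* bit 0 makes the total parity even */
    return cw;
}

ecc_status_t ecc_decode(uint32_t cw, uint16_t *data)
{
    cw &= ((uint32_t)1 << CW_BITS) - 1;
    unsigned s = syndrome(cw), odd = parity(cw);
    ecc_status_t st = ECC_OK;

    if (odd) {                        /* odd number of flips: treat as one flipped bit */
        if (s >= CW_BITS) return ECC_UNCORRECTABLE;
        cw ^= (uint32_t)1 << s;       /* s == 0 means the parity bit itself flipped */
        st = ECC_CORRECTED;
    } else if (s != 0) {
        return ECC_UNCORRECTABLE;     /* even parity, nonzero syndrome: two bits flipped */
    }

    uint16_t d = 0;
    unsigned bit = 0;
    for (unsigned p = 1; p < CW_BITS; p++) {
        if (is_pow2(p)) continue;
        if ((cw >> p) & 1u) d |= (uint16_t)(1u << bit);
        bit++;
    }
    *data = d;
    return st;
}

/* Returns 1 if, for this stored value, every single-bit flip is corrected
   and every double-bit flip is flagged as uncorrectable. */
int ecc_selftest(uint16_t value)
{
    uint32_t cw = ecc_encode(value);
    uint16_t out = 0;
    if (ecc_decode(cw, &out) != ECC_OK || out != value) return 0;
    for (unsigned i = 0; i < CW_BITS; i++) {
        if (ecc_decode(cw ^ (1u << i), &out) != ECC_CORRECTED || out != value) return 0;
        for (unsigned j = i + 1; j < CW_BITS; j++)
            if (ecc_decode(cw ^ (1u << i) ^ (1u << j), &out) != ECC_UNCORRECTABLE) return 0;
    }
    return 1;
}

int main(void)
{
    uint16_t setpoint = 1800;               /* constructed value: 180.0 degrees */
    uint16_t raw = setpoint ^ (1u << 10);   /* unprotected word with one high-order bit flipped */
    uint16_t out = 0;
    uint32_t cw = ecc_encode(setpoint);
    ecc_status_t st = ecc_decode(cw ^ (1u << 15), &out);  /* position 15 holds data bit 10 */

    printf("unprotected: %u -> %u tenths of a degree\n", (unsigned)setpoint, (unsigned)raw);
    printf("protected:   status %d, value %u\n", (int)st, (unsigned)out);
    printf("selftest:    %d\n", ecc_selftest(setpoint));
    return 0;
}
```

On `ECC_UNCORRECTABLE` the output value is not written, so the caller has to take its fail-safe path rather than use whatever was in the buffer.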
Landlubber
03-18-2009, 09:47 PM
On the subject of redundancy etc, the electronic engine controls made for Morse in Japan do not have fail safe operation, they fail in the mode they are in at the time, ooooops.
ancient kayaker
03-19-2009, 10:14 AM
Interesting thread. An autopilot is a form of robot, operating in an environment where humans can be at risk. The design requirements for industrial robots where humans can enter the "reach envelope" are strenuous, especially if the humans are likely to be untrained or members of the public.
Autopilots came about at a time when society was much less obsessive about safety than it is now. If they were being introduced for the first time you can bet that all kinds of failure modes and effects analysis would be performed at the requirements, design and testing stages to ensure the chances of a dangerous failure were minimized or eliminated.
The same has often been said about cars; the safety research has been mostly about the occupant but if they were just appearing on the market all kinds of questions about their impact (nasty pun) on pedestrians would be asked.
Landlubber
03-20-2009, 11:07 PM
Yeah ancient, we are just too darn smart for ourselves now, it is stifling much new development work, particularly in inventions, I have found many are simply not bothering any more.
marshmat
04-16-2009, 01:40 PM
It may be interesting to compare against the autopilot of an aircraft. A simple 2-axis system for a single engine Cessna, fail-passive with no autoland or other fancy stuff, is going to run you at least six thousand bucks. Up that by an order of magnitude for something you might find on a small twin-turboprop, and perhaps another order of magnitude above that for something that can guide a commercial jet to a runway.
This is equipment that's been radiation-hardened, tested to destruction hundreds of times over, its code debugged and optimized by dozens of the best software engineers around. Every component in the system is regularly inspected by trained technicians. Do the pilots trust it? Only for about half a second- they're trained to keep a close eye on everything that's going on during a landing approach, and if the autopilot makes a mistake, to switch to manual control. I've been on planes where the autopilot made a slight jolt, and the pilot immediately took over before most of the passengers realized it. That's why we still have people up front in our planes!
Now, the boat version:
You buy a non-redundant, fail-{we-don't-know-how-until-it-does}, single-servo unit for a few hundred, maybe a thousand or two, dollars. You install its actuator down below and its control head out in the open, exposed to rain, spray, etc. It receives few inspections and no maintenance unless it fails. But we trust this device to do its job, even to the point where some folks will leave the helm for a few minutes in a channel, because the autopilot can handle it?
Jack Daniels Eq
04-16-2009, 03:42 PM
Exactly - it's the same folks who never bother to check oil & tires - their wrecks are in the CHP yards for the world to see - or who purchase a firearm and some wonk disarms & shoots them. They never went to charm school either.
All this goes to the Einstein infinity versus man's stupidity thingy ... where he states categorically that he now has some serious doubts on the infinity bit. Amen!!
ancient kayaker
04-16-2009, 09:08 PM
Surely the auto-pilot instructions have all that lawyer-inserted text that includes "do not leave unsupervised", "not for steering an automobile", "do not immerse in water", "not suitable for children under seven" etc?
I recall seeing a program on a modern jet which crashed: turned out the auto-pilot was designed to stop controlling the ailerons if the pilot moved the stick but to keep operating the other control surfaces. Nobody told the pilots, so before the crash the cockpit recorder hears the pilots desperately trying to figure out why they were flying almost upside down.
I just bought a new toaster. About 3 lines on how to use it, not very clear, and reams of crap on all the ways you can kill yourself if you really want to do that with a toaster.
My wife's flowers came with care instructions which include the warning "not for consumption". Geeze, if I'd known that I wouldn't have bought them; suppose she got hungry?
Frosty
04-16-2009, 09:12 PM
You can't compare a 200 dollar auto pilot with that of an aircraft, and yes they do suddenly do this 90 degree thing. If you haven't experienced it you need more sea time.
However - I don't think they do it any more, it's been some years that I heard of one doing it, but I had one that did it twice for no reason, compass swung, no aliens around, no one switched the radio on -- which was always blamed.
I did not buy that brand again, Brand withdrawn for obvious reasons.
marshmat
04-16-2009, 10:48 PM
I just bought a new toaster. About 3 lines on how to use it, not very clear, and reams of crap on all the ways you can kill yourself if you really want to do that with a toaster.
From http://xkcd.com/293/ :
Frosty
04-17-2009, 03:29 AM
I keep finding lizards in the crumb tray of my toaster. I suppose they go for some crumbs.
You know the little gecko things. Only in Thai they are a Jingjok.
Brent Swain
04-17-2009, 03:28 PM
Look up the word "Dictionary" in the dictionary. A little hand comes out and slaps you in the face.
Brent
rasorinc
04-17-2009, 08:40 PM
A hand held control for an auto pilot on a boat lets you walk out on the aft deck with eyes wide open and be ready to run to the helm in super fast order.
Fanie
04-17-2009, 09:15 PM
Electronics can be very reliable if it was designed to accommodate the possible hazards. If it works in a wet environment it has to be waterproofed, if there is EMI it must be shielded, it should consider certain behaviour patterns and give audible alarm when certain criteria are exceeded.
The problem is most manufacturers want to spend $5 on the product but want to sell for $1500. So they go skimpy on protective measures since it's not obviously noticeable and most have the idea they hope the customer gets it wet and it packs up or a bit of static gets on an input and blows it, then have to come buy another one.
Frosty
04-17-2009, 09:42 PM
If you are on auto pilot in confined areas you shouldn't leave the helm.
It says on the box -- an aid to navigation and a continuous look out should be maintained.
When mine did it sometimes I would leave it to see if it would eventually return to the preset heading - it did not. It recovered some but about half.
rasorinc
04-17-2009, 09:55 PM
When trained as a pilot (aircraft) your eyes sweep the gauges every 20 seconds, 30 seconds at most. The auto pilot lets you stretch -- that's all.
MikeJohns
04-17-2009, 10:11 PM
You can't compare a 200 dollar auto pilot with that of an aircraft, and yes they do suddenly do this 90 degree thing. If you haven't experienced it you need more sea time.
However - I don't think they do it any more, it's been some years that I heard of one doing it, but I had one that did it twice for no reason, compass swung, no aliens around, no one switched the radio on -- which was always blamed.
I did not buy that brand again, Brand withdrawn for obvious reasons.
Interference has been a significant problem with many pilots, particularly from VHF transmission, when they would commonly go hard over. The Tiller pilots were really bad for this when the input was the electronic compass and this endangered boats when running in heavy weather, not just shipping channels.
Modern autopilots work off the NMEA data stream, more commonly the GPS position, and derive their heading from that. They seem much more reliable and better shielded and noise filtered.
peter radclyffe
04-17-2009, 11:21 PM
From http://xkcd.com/293/ :
This sums up American lawyers, where common sense is like a kryptonite cash cow.
daiquiri
04-18-2009, 04:45 AM
When trained as a pilot (aircraft) your eyes sweep the gauges every 20 seconds, 30 seconds at most.
And what happens when a stewardess enters the cockpit?
Hmmmm, this makes me think about the real origin of the word "cockpit"...
Ok, ok, I'll leave now...
ancient kayaker
04-18-2009, 10:18 AM
OK, I think he's gone. So what does happen when a stewardess enters the cockpit?
Fanie
04-18-2009, 12:55 PM
He switches the autopilot on.
ancient kayaker
04-21-2009, 10:23 AM
According to a TV program I watched a week or two back, the pilot wakes up, lifting his foot off the footrest and accidentally switching off the transponder as he does so, accepts his coffee and eyes the stewardess thoughtfully. Shortly after there is a mid-air collision. Turned out one of the planes was at the wrong altitude, courtesy of a poorly designed ground control system. If the transponder had stayed on the systems of the 2 planes would have detected the situation and an alert would have sounded.
Most automatic systems are very reliable and will do exactly what they are told with great precision. If they are told to do the wrong thing, they will do it with a perfection that no human can match.
As a former engineer I have always had reservations about control systems with a combination of human and automatic control. Theoretically it should have the best parts of its 2 components, but the worst features can come together at the wrong time. Preferably, the automatic system should back up the human, not the other way around. With an auto pilot the designer may be thinking that the human pilot will take over in a situation that the machine was not intended to handle, but with high-speed aircraft the human may not be able to spot the problem in time. With shipping he/she may not even be on watch.
Sooner or later the human will be taken out of the equation altogether, it is going to happen; perhaps it is time. The technology is capable of it, properly designed of course. Let the pilot have a comfortable seat and give him automatically generated tests from time to time to keep him awake, for a few years until all the bugs are out and the crash rate falls below the current system then lay them off.
TeddyDiver
04-29-2009, 03:15 PM
http://www.youtube.com/watch?v=reRRgEET6Kw&NR=1 :cool:
apex1
04-30-2009, 08:17 PM
If it has no balls, no pu..y, say, if you cannot fu.. it, it will fu.. you, sooner or later! If it has B.. and P.. it may fu..k you as well but you might notice in advance and take care. That's what I told my pupils ages ago.
In our early days we have been very impressed by sophisticated systems, and have loved to own such systems as a backup for our "poor handmade" seamanship. Today people rely totally on such stuff and are in a situation where they are the "backup" for the crap! Or (often) not.
My two cent (€ as usual)
Interference has been a significant problem with many pilots, particularly from VHF transmission, when they would commonly go hard over. The Tiller pilots were really bad for this when the input was the electronic compass and this endangered boats when running in heavy weather, not just shipping channels.
Modern autopilots work off the NMEA data stream, more commonly the GPS position, and derive their heading from that. They seem much more reliable and better shielded and noise filtered.
Course Over the Ground can be quite unstable for some time after a tack in a confused sea and of little use for controlling the heading of an autopilot at that time; however, a stable COG could be of great use for preventing a major fluxgate compass aberration. In any case, informing the manufacturer about the shortcoming of their product and suggesting a way of improving on the design could be more useful than just posting it in a forum. I have found manufacturers receptive and willing.
Landlubber
06-30-2010, 07:36 PM
" I have found manufacturers receptive and willing."
....any examples mate.....
...In a past life I managed Chandleries...we constantly had a brand of electronics from NZ that were seriously unreliable, I wrote to them asking about helping solve some of their problems from customer feedback, and was told to show proof of my problems, I faxed a copy of the worksheet register to them, and they flatly DENIED ever doing the work......unbelievable but true...I later owned my own shop and did not of course sell their products. They have been taken over now by one of the bigger groups...hopefully now the problems will be addressed.
" I have found manufacturers receptive and willing."
....any examples mate.....
hopefully now the problems will be addressed.
I would not like to promote any brand, it may be against forum rules, but it may pay in these days of the Internet to check a brand for services before purchasing anything. If a brand runs an “ask xx” and has downloads and upgrades freely available, that is a good sign of willingness to help. I have had a tiller drive sent from England at no cost because the local importer would not do anything. A controller head replaced on the spot at no cost, a suspected “homicidal” course computer card also replaced at no cost, a lazy other one (would not linearize) fixed at no cost; the amount of upgrades available for an MFD shows that these people do care about improving their product at no cost to the owner. Patience, understanding and the power of Forums do help. I can read that you have not lost hope, which is good. In any case, if an agent gives short change, go to the top.
LyndonJ
07-01-2010, 01:46 AM
_____snip______ informing the manufacturer about the shortcoming of their product and suggesting a way of improving on the design could be more useful than just posting it in a forum. I have found manufacturers receptive and willing.
mala
Why shouldn't we post observed errors of equipment on the forum?
And what makes you pre-suppose that the manufacturers didn't know about it?
For your first post you are making some silly comments. It would be more polite to introduce yourself for a start before you start grandstanding.
Brent Swain
07-01-2010, 03:38 PM
mala
Why shouldn't we post observed errors of equipment on the forum?
And what makes you pre-suppose that the manufacturers didn't know about it?
Great suggestion.
Frosty
07-02-2010, 10:10 PM
I had a common name auto pilot on my 60 foot sloop. It's one of the most common wheel pilots, hydraulic.
Anyway, one day in the Malacca Straits it just took off to starboard by 45 degrees, like someone punches a new heading. Being around at the time as always I brought it back but I could not fathom out why.
I blamed it on the portable transistor radio that was the nearest to the control unit and the only thing to blame.
For the next hour or two I waited for it to do it again but it did not until months after. I dare not leave the cockpit after that.
It only did it the twice.
powerabout
07-03-2010, 05:07 AM
How many people have multiple compasses wired via a switch to their autopilots
and or wired directly assuming the software can choose and or warn of diverging errors?
Brent Swain
07-03-2010, 03:45 PM
It seems the most likely time for my autohelm to jam hard over is when I first turn it on. Perhaps one should watch it diligently at that moment, when the temptation is to simply hit the button before getting distracted.
murdomack
07-03-2010, 04:28 PM
It seems the most likely time for my autohelm to jam hard over is when I first turn it on. Perhaps one should watch it diligently at that moment, when the temptation is to simply hit the button before getting distracted.
Yes, I agree with that. I remember once leaving a harbour, held the course for a couple of minutes then switched the AP on from Stand-by. Seemed OK so I went out to take the fenders in. I sensed something was happening and looked out to see that I had turned 90 deg towards a rocky spit. Luckily, I had allowed some sea-room.
The first AP I bought, when I took it out to try it, had my wife and son in hysterics as the boat would swing round 180 degs and take the reciprocal course. When I took it back to the chandlery I had to argue for some time before they gave me another, which was a newer model. They had sold me the last of the first model so I don't know if they were conning me or not. The new model worked fine and I sold it on with the boat years later.
I was on an oil-platform when a safety ship ran full-ahead under the spider deck. There were two RSJ columns, that had supported the by now missing wheelhouse, stopping it from running right through. No one was killed, it was a miracle. What happened was, they had been relieved by another vessel and were heading away to another assignment. The skipper set the auto-pilot, it looked OK so he popped down to the galley to collect a cup of coffee, and as soon as he did the boat swung round and headed straight for the platform.
When they got outside after the crash they were in a state of shock. A guy on the platform who was on overside watch called the new vessel and informed them that their mates had just rammed the platform and were trapped under the spider deck with the engines at full ahead. He replied, "you're f--ing joking, aren't you?" They launched the rib and one of them had to go below and shut the engines down. The swell was buckling the vessel's topsides under the tubulars so he was quite brave. Once the engines stopped she, fortunately, drifted back out by herself. It was pretty hairy, even for us up above, as she was a big lump of a vessel.
So after all that, I don't trust auto-pilots.
It would be more polite to introduce yourself for a start before you start grandstanding.
Would that make a difference?
I was on an oil-platform when a safety ship ran full-ahead under the spider deck. There were two RSJ columns, that had supported the by now missing wheelhouse, stopping it from running right through. No one was killed, it was a miracle. What happened was, they had been relieved by another vessel and were heading away to another assignment. The skipper set the auto-pilot, it looked OK so he popped down to the galley to collect a cup of coffee, and as soon as he did the boat swung round and headed straight for the platform.
When they got outside after the crash they were in a state of shock. A guy on the platform who was on overside watch called the new vessel and informed them that their mates had just rammed the platform and were trapped under the spider deck with the engines at full ahead. He replied, "you're f--ing joking, aren't you?" They launched the rib and one of them had to go below and shut the engines down. The swell was buckling the vessel's topsides under the tubulars so he was quite brave. Once the engines stopped she, fortunately, drifted back out by herself. It was pretty hairy, even for us up above, as she was a big lump of a vessel.
So after all that, I don't trust auto-pilots.
I remember a rig tender passing a 13x G oil platform few meters away at full speed in the morning and disappearing over the horizon until someone on board the rig tender did wake up. People can also be hard to trust.
gonzo
07-04-2010, 05:00 PM
I had my boat turned around by a tiller pilot. I sat next to it and the magnet in my cellphone speaker made it turn.
Landlubber
07-05-2010, 02:30 AM
....try and remember also that the compass in the autopilot occasionally needs a few 360 runs to set itself up again, this is written somewhere in the text, but it was a few years back, it may still be relevant....
Vulkyn
08-27-2010, 09:48 AM
Too many variables, too many components in the equipment, so many manufacturers for each component, circuit and chip, different suppliers for raw materials for each chip, supervisors not looking, quality control engineer on a break, so much greed and skimping on quality and reliability, improper maintenance, so little care what happens to others ..
The end result is there are just too many variables for you to take it for granted, the chance of something going wrong is too high so ...
Keep your eyes in the back of your head, keep your eyes open ...
U never know when something will fail ...
Just you tube autopilot error or crash ...
Yes I'm paranoid but I've seen too many accidents and problems not to justify my paranoia ...
powerabout
08-29-2010, 08:11 AM
I was just speaking to a couple of Captains from a well known large fleet owner and they told me each Captain has to get written permission to use the autopilot on his vessel..ouch!
apex1
08-29-2010, 01:10 PM
Ouch ja,
I am not aware of a failure of an "Anschütz" AP ever. (That's the standard in the commercial fleet)
And I personally don't buy that story.
Vulkyn
08-29-2010, 03:05 PM
I guess autopilots are like boats you have the crap variants and the more respectable good quality ones ...
murdomack
08-30-2010, 05:22 AM
Ouch ja,
I am not aware of a failure of an "Anschütz" AP ever. (That's the standard in the commercial fleet)
And I personally don't buy that story.
I tend to agree that it is unlikely that a Captain has to have "written permission" to use the installed Auto Pilot.
I can imagine though, that in today's work environment where everything has to be Safety Analysed every day, or shift, Marine Officers will be signing a sheet that stipulates the procedures they must follow so that they are always in control.
powerabout
08-30-2010, 05:35 AM
I tend to agree that it is unlikely that a Captain has to have "written permission" to use the installed Auto Pilot.
I can imagine though, that in today's work environment where everything has to be Safety Analysed every day, or shift, Marine Officers will be signing a sheet that stipulates the procedures they must follow so that they are always in control.
There have been too many accidents caused by having the autopilot on and not by it failing, hence the company policy.
Just having the autopilot on does not guarantee good seamanship, generally the opposite.
Just google accident with autopilot most of which would not have happened if the autopilot was off!
The company I am talking about has over 600 offshore vessels
powerabout
08-30-2010, 05:44 AM
Ouch ja,
I am not aware of a failure of an "Anschütz" AP ever. (That's the standard in the commercial fleet)
An autopilot is just one link in a chain...
heading data
control over rudders
rudder feedback
wiring
seamanlike operator
etc
Vulkyn
08-30-2010, 05:59 AM
Was there a common brand in the failures? Or were they all from different brands?
powerabout
08-30-2010, 06:14 AM
Was there a common brand in the failures? Or were they all from different brands?
Vulkyn
There are some very good brands out there like the Raytheon/Anschütz as Apex pointed out. Like a radar, an IMO type approved autopilot needs to be very good.
What I am saying is autopilot related accidents are just about all user error, hence I understood when the Captains told me they now have to get written permission to use them from head office.
apex1
08-30-2010, 07:02 AM
There have been too many accidents caused by having the autopilot on and not by it failing, hence the company policy.
Well, that's a different animal, and I fully agree! Though the topic was failure of AP units (which the thread opener has absolutely NO clue about BTW.)
Regards
Richard
MikeJohns
08-30-2010, 08:06 AM
In the early 80's I worked as an engineer for a firm that custom built several autopilots based on gyrocompass output and a rudder indicator; they were used extensively with no problems in many coastal vessels.
The electronic microprocessors that came along around that time and replaced the analog circuits could be more prone to faults in the circuitry, and more problematic were bugs in the programs. But after the initial shakedown they were reliable too. When I'm on a bridge now and look at the computer screens and the joysticks and the PC based navigation and autopilot I really wonder how reliable the software is and at what point some bug rears its head.
It would be so easy for the software writers to add some watchdog code that had a bit of intelligence; it's done on aircraft.
powerabout
08-30-2010, 09:40 AM
In the early 80's I worked as an engineer for a firm that custom built several autopilots based on gyrocompass output and a rudder indicator; they were used extensively with no problems in many coastal vessels.
The electronic microprocessors that came along around that time and replaced the analog circuits could be more prone to faults in the circuitry, and more problematic were bugs in the programs. But after the initial shakedown they were reliable too. When I'm on a bridge now and look at the computer screens and the joysticks and the PC based navigation and autopilot I really wonder how reliable the software is and at what point some bug rears its head.
It would be so easy for the software writers to add some watchdog code that had a bit of intelligence; it's done on aircraft.
They tested the Space shuttle OS for 8 years before they used it......
I agree PCs on the bridge are very scary considering that the IMO and all classification societies have no clue how to deal with them.
Where else on a vessel can you have a power source just plugged in????
Not to mention hard drives that crash when the typical AHTS is trying to move something that won't move. (HDDs which are vented so they also corrode)
pdwiley
09-02-2010, 05:58 PM
It would be so easy for the software writers to add some watchdog code that had a bit of intelligence; it's done on aircraft.
It's not as easy as you might think and I speak as a software developer with over 30 years of experience. I quite agree with you about bugs in the code, however, but this is endemic to all software. There are the bugs that you know about, and those that have yet to manifest, but there are always bugs.
When we designed & wrote the datalogging system for our icebreaker, we deliberately did NOT use it to control the autopilot, though we could have. Instead we had a separate chartplotter that we wrote, displaying data from our instruments and processed by our software, showing where we wanted the ship to go and transferred waypoints to the commercial chartplotter software and left the autopilot strictly alone.
PDW
marshmat
09-02-2010, 06:17 PM
It's not as easy as you might think and I speak as a software developer with over 30 years of experience. I quite agree with you about bugs in the code, however, but this is endemic to all software. There are the bugs that you know about, and those that have yet to manifest, but there are always bugs.
A good point, PDW, and one that is easy to forget in this age of slick, works-out-of-the-box gadgetry.
QA for software is very, very difficult. A safety-critical system can't be cobbled together in whatever way happens to work; redundancy, fault tolerance, error checking and recovery, etc. have to flow from the original design philosophy that formed the basis of the first block diagram of the system.
For some reason, we seem to expect something "new" and "innovative" every few months. As was mentioned earlier, the space shuttle's computers took years to develop- likewise for the avionics of most modern airliners. The recreational electronics guys don't have that kind of time to wait between releases, so something has to give- and it's a hell of a lot easier to tack together repurposed code snippets and libraries you already have, than to write a safety-oriented, fail-safe system from the ground up.
magwas
09-06-2010, 05:39 AM
A good point, PDW, and one that is easy to forget in this age of slick, works-out-of-the-box gadgetry.
QA for software is very, very difficult. A safety-critical system can't be cobbled together in whatever way happens to work; redundancy, fault tolerance, error checking and recovery, etc. have to flow from the original design philosophy that formed the basis of the first block diagram of the system.
Actually there _are_ techniques and tools out there which make it very difficult (albeit not unimaginable) to make programming mistakes. But those techniques and tools are not mature, mostly because they are not used by developers.
If you are not in the industry, you would think that IT has progressed a lot lately. This is not the case with software. We may have very sophisticated hardware (and HW folks do use techniques and tools which could be used for software with minor modifications), but unfortunately most of the programmers are just too dumb to have a big picture on the issue, or under management pressure to deliver something fast, no matter how buggy it is, or both.
This is much like what I am doing in boat design, but they do think they are professionals, act accordingly, and - this is the saddest part of the story - even the most incompetent software companies like Oracle and Microsoft earn orbital amounts of money every year.
gonzo
11-12-2010, 06:26 PM
I had a problem with my cellphone speaker magnet affecting the tiller pilot. It made my boat swing around and jibe when I sat next to it.
Landlubber
11-12-2010, 06:31 PM
...I met a girl in a bar like that once....
Landlubber
11-12-2010, 06:33 PM
gonzo....sort of like leaving a screwdriver next to the steering compass......hopefully you have learned your lesson now.....also watch where you install the fluxgate, and also use twisted wires (DC) anywhere near the compasses.
gonzo
11-12-2010, 06:45 PM
I totally forgot about the phone in my pocket. Never again.
philSweet
11-20-2010, 12:23 AM
Voltage fluctuation was the culprit in both of my autohelm nightmares. The first was on the first night of a delivery. Owner told us to please not mess with his plotter screens. Unfortunately, owner didn't sail at night and none were set up for that! So I'm on a strange boat at night with bad screens, and the captain is below finishing some work on the boat, and I'm three miles off Gun Cay under sail. I decide to start an engine. Then I go get some deck help with lights. Everything is fine until we are nearly on Gun Cay, then the helm just dies. Turns out the compass was powered by the start battery and it went stupid when I started the diesel. The boat was balanced under sail and I didn't know the helm was dead for three miles. It wasn't until a week later, after two more incidents, that I figured out what was going on. (But I began to fiddle with the screens immediately!)
This could happen with the compass hooked to a house bank if a compressor started or a radio transmitter powered up. I wonder if a little DC/DC converter just for the compass might solve some of these problems?
michael pierzga
11-20-2010, 03:32 AM
DC/DC converters to prevent voltage spikes are a good addition to the "brain" circuit of an autopilot or any electronics.
ChrisN67
11-25-2010, 07:47 PM
6 months ago I had an incident that put the use of autopilots and keeping the (power down switch within arm's reach). One of the alternators on a 6LY2 malfunctioned and caused a magnetic flux field that affected the Raymarine Fluxgate compass and resulted in the autopilot veering almost 90 degrees off course. At the time we were passing through an SPM (Single Point Mooring) field for oil tankers. As a general rule I would never leave the helm for longer than I can hold my breath; even if I am in daylight and have performed a clearing scan.
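MikeJohns' watchdog suggestion and the voltage-dip and fluxgate incidents described above, as an added example that is not part of the thread and not any vendor's code: a C plausibility monitor that latches a fault when the heading is out of range, the compass supply sags, samples stop arriving, or the heading changes faster than the boat could turn. All names and threshold values are assumptions.

```c
#include <stdint.h>

/* All limits are assumed values for illustration, not vendor figures. */
#define MAX_TURN_RATE_DPS 20.0  /* faster than the hull can physically turn */
#define MIN_SUPPLY_VOLTS  10.5  /* below this, distrust the compass output */
#define MAX_SAMPLE_GAP_MS 500u  /* heading older than this is stale */

typedef enum { WD_OK, WD_RANGE, WD_BROWNOUT, WD_STALE, WD_HEADING_JUMP } wd_fault;

typedef struct {
    uint32_t last_ms;       /* time of the last accepted sample */
    double   last_heading;  /* degrees, 0 <= h < 360 */
    int      primed;        /* 0 until the first sample is accepted */
    wd_fault latched;       /* first fault seen; cleared only by wd_reset() */
} watchdog;

void wd_reset(watchdog *w) { w->primed = 0; w->latched = WD_OK; }

/* Shortest signed angle between headings, so 359 -> 1 is +2, not -358. */
static double heading_delta(double from, double to)
{
    double d = to - from;
    if (d > 180.0)  d -= 360.0;
    if (d < -180.0) d += 360.0;
    return d;
}

/* Feed one compass sample. Any result other than WD_OK means: drop the
   autopilot to standby and sound the alarm until a human resets it. */
wd_fault wd_feed(watchdog *w, uint32_t now_ms, double heading, double volts)
{
    if (w->latched != WD_OK) return w->latched;            /* stay tripped */
    /* Negated comparisons so that NaN inputs fail the check too. */
    if (!(heading >= 0.0 && heading < 360.0)) return w->latched = WD_RANGE;
    if (!(volts >= MIN_SUPPLY_VOLTS)) return w->latched = WD_BROWNOUT;
    if (w->primed) {
        uint32_t dt = now_ms - w->last_ms;   /* unsigned: survives tick wrap */
        if (dt == 0 || dt > MAX_SAMPLE_GAP_MS) return w->latched = WD_STALE;
        double d = heading_delta(w->last_heading, heading);
        double rate = (d < 0 ? -d : d) * 1000.0 / dt;      /* degrees/second */
        if (rate > MAX_TURN_RATE_DPS) return w->latched = WD_HEADING_JUMP;
    }
    w->last_ms = now_ms;
    w->last_heading = heading;
    w->primed = 1;
    return WD_OK;
}
```

Staleness is only noticed when the next sample arrives, so a compass that goes silent also needs a periodic timer check. A slow magnetic drift that stays within the turn-rate limit passes all four checks.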