Experts have suggested that the simultaneous failure of both engines of the BA 777 which last week crash-landed at Heathrow must have been caused by a computer glitch, the Times reports. BA038 lost power when it was about two miles from the airport's south runway. The pilot glided the aircraft to a belly-flop short of the tarmac …
I'd ride 'er
Being one of a handful of people that worked on both flight controls and engine management I'd like to point out that you are far safer flying on one of these crates than having a shit on your toilet. (A statistical fact - find your own sources). Of course you could live life on the edge by having a shit on the plane but I find these on-board toilets are places to avoid - especially on the cattle class that I tend to travel.
From memory - the software on the flight computers was originally generated by three software teams and run on different compilers and different hardware, but this level of redundancy was reduced at a later stage and a single software team was used. The level of safety from using independent teams was calculated to be insignificant, given that everyone was coding from the same design.
Basically - if the design has a flaw then it was going to be on every computer - so if there was a conflict then it was likely due to a hardware fault or a compiler fault - that part of the computer would then be reset.
There may well be a fault in the design - which was very very well tested. In the end - when the 777 first came out - I wouldn't fly on it - but there again I wouldn't take the first flight on any plane. Let some other idiots try it out first. But it has been flying for quite a while now - and has an excellent safety record. It is also extremely comfortable to fly on - so get out of your extremely dangerous cars and toilets - and get on the 777.
However, for safety reasons, NEVER use the toilet on a plane, unless sitting next to Paris Hilton and she wants to sign you up to the mile-high club.
"And yet boing thinks it's a good idea to have the internet, entertainment, navigation and flight all linked together on a single computer system for its dreamliners?"
Yeah, what if the 'puter conks out half way through the film you're watching? That's gonna be annoying!
Re: So... did the computers do the RIGHT thing???
The engine management "computers" (as opposed to N95 "multi-media computers") don't know anything about the distance to the threshold and in general don't refuse adding power even if there's something wrong. They're not trying to optimize the maintenance cost quite that directly but instead assume the pilots know what they're doing and really need the power. Maintenance cost is minimized rather more indirectly by good airmanship (power changes are made gradually when possible, minimum power used for take-off, engines are gradually cooled down after landing etc.) and by only doing maintenance when some of the measurements made by the computers indicate something should be checked/replaced. But it's not the engine that makes the decisions. Once again a bit of a philosophical point but one that is displayed frequently in aviation and aircraft design.
You can't trust the passengers' recollections...
The only time I ever flew in the jumpseat on a commercial airline we had to do a fly-around on landing (a previous flight was slow getting off the runway). It was very impressive - alarms going off 20-to-the-dozen as the captain took manual control, engines screaming, push in the back as we climbed out of the landing approach, etc.
When I mentioned all this to my colleagues travelling in the back, after we landed, they wondered what I was talking about - they hadn't noticed a thing.
(Oh, Boeing, BA, Heathrow, in case you wondered.)
More data
The Grauniad had some early quotes from AAIB - maybe somebody talking too much too soon, they're in purdah now - that had some info I've not seen elsewhere:
There's a suggestion the lack of warning may be deliberate: '... all commercial aeroplanes have programmed "inhibitions" on certain warnings so that the crew are not distracted by unnecessary alarms during the crucial takeoff and landing procedures, [but] the alarm should have been triggered when the engines failed.'
Also, that the plane's auxiliary power unit was still running after it hit the ground. Apparently aux is rarely used in normal flight.
Article here: http://www.guardian.co.uk/transport/Story/0,,2243357,00.html
Mean anything to anybody?
Airbus crash (and voting computers...)
As I recall things, the Airbus that crashed in the forest was an early edition being shown off at an airshow. So the aircraft was essentially empty except for the flight crew and a few 'guests' they'd invited aboard. The crew were trying to do a manual, slow fly-by for the crowd, so they went nose high, flaps down, wheels down, reduced power and had no issues as they flew straight and level past the crowd. The problem came when they wanted to return to a more normal flying configuration at the end of the fly-by. Here is where the story gets nasty. The never-proved allegation was that the aircraft's fly-by-wire control system 'recognised' that the aircraft was in a landing-like configuration and that the control changes made it assume that it was time to reduce power and set down on the strip. As has been noted, when you're that close to the ground, by the time you see the engines spooling down and try to override it's all too late... result: aircraft landing in the forest at the end of the runway. (And you'll appreciate that since Ramstein, the crowd at an airshow is lined up parallel to the runway so they can watch landings and takeoffs without having aircraft flying straight at them.)
Then (more unproved rank conspiracy theorist speculation), the French gov stepped in to investigate. The story was that Airbus was concerned that an adverse report on the fly-by-wire system could affect sales of the new type, so they were 'hoping' other factors could be found to take the blame. This was round the time the black boxes were found to be either unreadable or mysteriously blank (choose your conspiracy here, boys and girls). So, absent much in the way of factual data and with only the cockpit crew saying the plane did it, the investigators focussed on the only other fact they had at hand: the 'guests' the flight crew had invited along. That is, the female guests they had invited into the cockpit to see what it was like. A breach of safety regs (not enough seating, so I think one or two were standing?) and thus the pilot and co-pilot got an arse kicking and all the blame, and Airbus were off the hook. As I say though, you'll have a tough time proving much there.
I was a little intrigued too by the discussion of 5 computers voting. Not sure someone isn't conflating things with the Space Shuttle's RSLS (redundant set launch sequencer), which is basically the configuration where the 5 on-board flight systems choose to run parallel and majority-vote their answers. And there the 4 'main' ones run software written by a different group from the 'backup' system. Of course a NASA paper on software engineering suggested that, after analysis, many of the same bugs were found across the two versions and that it turned out (to paraphrase) that if your spec is a piece of shit you shouldn't be surprised if it results in the same or similar shortcomings in completely separate implementations. In conventional aircraft, as has been said, the focus is more on compensating for hardware failure and more typically if there is redundancy at all it features the same firmware/software.
The groupthinkers posting "doh it was Windows..."
I read the thread on pprune, where comments from those without a professional license tend to get spiked. There was much complaining about inappropriate speculation. I just thought - you guys should try working in the computer industry, where there are no licenses and anyone who can change an IP address is a network architecture expert.
(Interestingly, although one needs a license to taxi an airliner, or indeed to serve coffee to the SLF, one does not (AFAIK, and certainly when I worked in aerospace) need a license to design the software therein. SOPs at the manufacturer are expected to substitute).
Specifications and voting
Systems from different vendors and voting are all well and good but do nothing if the original design specification is flawed since all the vendors will have been working from the same spec document.
I have a problem with formal specification methods. That problem is that if the specification is wrong the fact that formal methods and testing have been used gives mistaken confidence in the system's ability to perform. This tends to reduce contingency planning for failure as the software has been "proved" not to have any bugs.
Formal testing proves no such thing. All it proves is that the program written carries out the functions laid out in the spec. It does not prove that the spec completely and accurately reflects the task the system is to perform.
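The point made in this post and in the earlier ones about the 777's redundant flight computers (independent lanes coded from one spec, a dissenting lane reset) can be shown in a small simulation. This is an added example, not code from any poster or from Boeing: the lever-to-N1 mapping, the three lanes, the bit-flip fault model and the 2-of-3 voter are all constructed for illustration.

```python
import struct
from collections import Counter
from typing import Callable, List, Optional

IDLE_N1 = 20.0  # constructed: idle fan speed in percent N1

def spec_n1_demand(lever_pct: float) -> float:
    """Shared design spec (constructed), with a flaw: lever angles below 5%
    map to 0.0 (shutdown) instead of idle. Every team reproduces it."""
    return 0.0 if lever_pct < 5.0 else IDLE_N1 + 0.8 * lever_pct
# Three lanes coded "independently" from the same spec (constructed).
def lane_1(lever: float) -> float:
    return spec_n1_demand(lever)
def lane_2(lever: float) -> float:          # fixed-point style arithmetic
    return round(spec_n1_demand(lever) * 10) / 10
def lane_3(lever: float) -> float:          # algebraically rearranged
    return 0.0 if lever < 5.0 else IDLE_N1 + lever * 4 / 5

def flip_bit(x: float, bit: int) -> float:
    """Model a transient single-event upset in a lane's output register."""
    (raw,) = struct.unpack(">Q", struct.pack(">d", x))
    return struct.unpack(">d", struct.pack(">Q", raw ^ (1 << bit)))[0]

class Voter:
    """2-of-3 majority voter: a dissenting lane is reset, never trusted."""
    def __init__(self, lanes: List[Callable[[float], float]], tol: float = 1e-6):
        self.lanes, self.tol = lanes, tol
        self.resets: Counter = Counter()
        self.pending_upset: dict = {}   # lane index -> bit to flip next cycle

    def vote(self, lever: float) -> Optional[float]:
        outs = [lane(lever) for lane in self.lanes]
        for i, bit in self.pending_upset.items():   # inject hardware faults
            outs[i] = flip_bit(outs[i], bit)
        self.pending_upset.clear()
        for v in outs:
            agree = {j for j, w in enumerate(outs) if abs(v - w) <= self.tol}
            if len(agree) >= 2:
                for j in set(range(len(outs))) - agree:
                    self.resets[j] += 1                # outvoted lane is reset
                return v
        return None  # no majority: fail passive, hand control to the crew

def scenarios():
    v = Voter([lane_1, lane_2, lane_3])
    normal = v.vote(50.0)      # lanes agree: 60.0
    v.pending_upset[1] = 62    # exponent bit flipped in lane 2's register
    upset = v.vote(50.0)       # lane 2 outvoted and reset; still 60.0
    common = v.vote(3.0)       # all lanes agree on the spec's wrong answer: 0.0
    return normal, upset, dict(v.resets), common
```

The voter masks the single-lane hardware fault but passes the shared specification flaw straight through, which is exactly why voting says nothing about whether the spec was right.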
"Ladies and gentlemen, we are about to land at London Heathrow Airport. Thank you for flying with... Oh bugger! That isn't supposed to happen..."
Unfortunately the fine print of the spec may say that it is supposed to happen in whatever set of circumstances happened to arise at that time. If so Boeing will probably be very keen on keeping that quiet.
@ So... did the computers do the RIGHT thing???
No. If a computer was to make a decision that required a pilot to land a plane in an abnormal manner it would need to communicate that requirement in a prompt, clear and unambiguous manner to the pilot. The pilot was clearly not aware of any such requirement.
about Airbutt and Boeing flight control issues
Regarding the Airbutt flyover that wound up a crash: the major factor has to do with the design philosophy of Airbutt versus Boeing.
Airbutt uses a "hard limit" on software/hardware which absolutely prevents the pilot from "bending" the airplane in ANY situation.
Boeing uses a "soft limit" on ALL flight control software/hardware. Which means in the final analysis - albeit with BUCU horns, whistles, lights, etc. - the PILOT retains the FINAL and ULTIMATE control with a HARD push or pull - even if it means "bending" the plane.
Check your aviation history regarding a very early 707 transatlantic flight - within the first year it went into service.
Pilots were NOT minding the store - autopilot kicked off - at night - over the ocean - plane went into a diving spiral - eventually the pilot pulled it out a few thousand feet above the ocean - but actually bent the wings and popped a few rivets.
The plane was repaired - but the slight increase in wing angle was never corrected. The plane after that had one of the better - lower fuel consumption numbers in the fleet.
Point is - had the Airbutt version of FBW been in existence at the time - the plane would have simply disappeared - had Boeing FBW software been in existence then as now - the plane would be bent - but flyable.
mv engine_* /dev/null
Maybe a bad software update or patch, check out http://www.boeing.com/commercial/aeromagazine/aero_05/textonly/ps02txt.html to see what the magnitude of the system is.
This bit is interesting: "Spare copies of the loadable software parts are supplied on digital storage media (typically 3.5-in disks) when an airplane is delivered."
"Ok, Roger, set flaps for landing, gear down, thrust reverse armed.."
"READ FAIL DRIVE A:NOT READING. Retry, Abort, Continue? - WTFZOMG!"
What are they running on that thing? Windows?
The thing I recall most vividly about the Airbus crash mentioned above, was the pilots last word before impact - which at some point made it onto a news programme or documentary: a clearly audible "Merde".
"passengers say engines were very loud"
Wow.....what observation....I thought it was one of those new silent engined planes.
...you never see a proper Boiiing engineer for ages and then two hundred turn up at once. With big dustbin bags for stuff that no-one needs to look at...
@don sadly the autopilot on the first generation 717/707s was actually an electro-mechanical simple analog computer box full of gears and other delightful stuff, which never really worked all that very well even when it was new as it could be cantankerous.
Although you could say they were fly by wire, as the control yoke had direct steel cable attachments to the appropriate control surfaces with hydraulic power assist!
But they are not really relevant to the monsters that fly today, and the jet engines that powered them then were very primitive, using many mechanical parts and needing rather a lot of water and alcohol for tropical take-off engine power boost, compared to the all-electronic controlled monster engines of today with the high bypass ratios needed to generate the thrust, hence the long spool times to full power!
The 707/717 is a red herring and irrelevant for this case as it is another age and another technology very long past its use-by date, and the number still flying today is minimal due to their high operating cost and lack of viable spares!
A320 crash WAS the pilots fault
The A320 that crashed into the trees was taken down to 100 feet above a grass runway with the engines at idle. The computers actually DID make the connection. It's just that it takes more than a few seconds for several tons of metal to spool up from idle to emergency thrust.
The pilot concerned, a senior pilot with Air France, had broken the airline's rules for airshow display flying (written by himself) and took a fully laden airliner with 100 passengers down to well below the declared safe height for display flybys (i.e. over 100 feet) and pushed the throttles forward way too late.
Of course he has since published several books claiming the opposite. However it's simple engineering, guys. Engines may spool up instantaneously in computer games, but not in real life.
Y'all diverted on an emergency basis to Piarco instead of Grantly Adams _by choice_?! Damn, boy, what was _wrong_ with those engines?!
The closest I've ever been to something like that was the time when I was flying BA out of Norman Manley in Jamaica to Heathrow... and about three hours into the flight someone up front noticed that someone back on the ground hadn't tightened up the filler cap all the way, and the 747 had been leaking JP all the way from Kingston, so we now had about three hours fuel but five hours travel time... We made an emergency divert to Bermuda, tanked up, and this time they made sure the filler caps were closed & locked.
I've never flown BA since.
Lotto Probability - but cosmic radiation possibility
If the obvious holds no explanation then look for the weird.
Current computer microprocessor registers are tiny, of the µm range. Bits in these registers (which control the plane) can be altered by passing cosmic particles.
Is it possible that exactly the right bits in the aircraft's computers were set - at just the right time - by random radiation - commanding engine shutdown? Just like winning Lotto.
Someone always wins Lotto against impossible odds!
Maybe not so good after all!
Just a thought on the universal praise dished out to the pilots over their actions in the 777 incident at Heathrow. With engines not responding to a demand for more thrust to restore the optimum glide path into Heathrow, surely they could do nothing more than sit back and hope that the glide path they were on would be good enough to take them over the perimeter fence (there are no pedals on a 777). Also, in the event of an emergency landing (which this was) it is the job of the pilots to warn passengers and cabin crew to take up emergency bracing positions (which they didn't do). O.K., they had other things on their minds, but this is usually the case in any emergency situation. The co-pilot was flying the aircraft and the emergency began 2 miles out, so the captain would have had more than a minute to switch on the mike and announce a warning, plenty of time. All I know is that in any future flights I make, I will always be worried when landing now that I know that I may not be given any warning at all if an emergency situation develops. Perhaps we should take up emergency bracing positions on every landing just in case.