Slashdot Mirror
Failed Avionics a Possible Cause of BA038 Crash
Muhammar writes "As you may have heard by now, both engines of the Boeing 777 aircraft flight BA038 suddenly cut off without warning at very low altitude and low speed during autopilot-assisted landing at Heathrow. A prompt reaction of the pilots prevented the stall and saved all lives aboard. The crash landing short of the runway tore off the landing gear on impact, and the fuselage plowed a long, deep gouge in the grass. With the investigation ongoing, the available information points to an electronic control problem as the most likely cause of the sudden engine power loss."
In two other instances in large jets of engine failure by fuel starvation (Air Transat 236 and Air Canada 143), the failure of the engines was not simultaneous: one engine kept working for a few minutes longer than the other.
The fact that the engines responded the same way, at the same time, strongly suggests a single point of failure in an electronic flight control system.
Toronto-area transit rider? Rate your ride.
See my journal, I write things there
These OSes typically are not custom designed. (although a few in older aircraft are) There are a few commercial rtoses that are commonly used, they are specially marketed to the avionics industry as conforming the DO-178B standard. The most common would probably be Integrity-178B sold by Green Hills Software and VxWorks 653 Platform sold by Wind River.
They probably do. This is the time to whip out An experimental evaluation of the assumption of independence in multiversion programming by Knight and Leveson. It's a 47-page paper, but here's the summary:
Of course, one would think there would be two types of redundancy: The software would be N-version programmed and there would be separate systems for each engine. The chances of two independent N-version-programmed programs failing at the same instant seems particularly low.
It's easy to jump to the it-must-be-the-computers conclusion because PCs are unreliable in everyday use compared to washing machines, cars or compact disk players. But until the accident investigators' report comes out there really isn't much evidence to base speculations upon; the problem could have been anything.
Just my $0.02
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
Maybe that's your current thinking, but it doesn't necessarily reflect reality. Turbine engines don't "switch into reverse". They do have thrust reversers, but that's a mechanical device that redirects the exhaust flow. They're typically activated in the "last stages of landing" i.e. after the plane is fully on the ground.
There are a set of interlocks involving both weight being present of the landing gear and the wheels rotating to prevent the reversers deploying.
If a cell phone can do this much damage, why the hell am I allowed to bring one (several even) on a plane?! These days, a swiss army knife will maybe get you as far as row 6 before people dogpile you, and they are confiscated. But a plane has easily 50 cell phones on it at any given time. If the only thing between me and engine failure are passengers dutifully following crew member instructions, then we are all screwed. So I am going to respectfully suggest that you are mistaken, because the alternative seems ludicrous.
Yes it is likely. We are expected to believe that a single consumer grade device caused the simultaneous failure of both engines?
You're right that it's more likely than RF interference. But neither is likely at all.
A software glitch of this type (if that's what it was) has never happened in aviation history. Certainly not in the 10 year history of the 777, with more than 500 of them flying around the world, but not to any other type either.
Also, the engines didn't "fail". The engines were running both before and after the stall (and yes, the aircraft did stall, despite what the article summary says). "Failure" and "failure to respond" are two different things.
In some ways that's even more scary, because it rules out simple explanations like fuel exhaustion. It's one thing for engines to fail, quite another for them to simply ignore control inputs.
First, there were MANY credible witnesses that swore they saw a missile shoot into the sky before the explosion.
a) no, they were not credible, and
b) they by and large didn't claim they saw "a missile".
What they claimed is that they saw a "streak of light" or some variation thereof. Only a few people claimed they saw "a missile", and those people by and large are the people that made it onto the news. So it probably seemed like there were more of them than there were. The news outlets chose the most radical, attention whoring witnesses to put on the air.
But if you read the NTSB report, they break down the witness statements. Out of something like 2,000 witnesses, only a relatively small percentage (I'm remembering it being something like 25%) saw a "streak of light". Of that percentage, about half saw the light going up, half saw it going down. Some saw it going to the left, some going to the right. In other words, none of them had any idea what they were looking at.
This is pretty normal for witnesses to an airliner crash. Nobody's expecting to see what they're seeing, so their mind initially doesn't record things correctly. What the NTSB has to do is filter out the crud and see if there's anything that everybody agrees on. If there is, then they investigate that. In this case, a large enough percentage of people indicated they saw a flash of light, and that ended up supporting the mid-air explosion theory.
But the NTSB never gave any real credence to it being a missile. Neither did the FBI, for that matter. There was just never any evidence. The FBI had pretty much ruled out terrorism within 2 days of the accident.
Obviously you didn't check the website either or you'd know that the site doesn't indicate whether the plane was a 772 or 773, only that it was a 777, of which there are several different types. Other places on the net, including the news sites, say it was a 777-236ER, which is definitely a 772.
In case people are confused by people talking about a BA772 or a 773, these are standard designations. a Boeing 777-200 is referred to as a 772, the 777-300 is a 773, etc. Other common ones you'll find are things like 742 and 744 which designate 747-200s and 747-400s, respectively. Airbus planes also have similar designations.
- The autothrottle system commanded an increase in thrust from the engines which did not respond
- The autothrottle demanded further increases in thrust again with no results
- The PIC commanded an increase in thrust via movement of the throttles, with no result
- The aircraft slowed and subsequently lost height
http://www.aaib.dft.gov.uk/latest_news/accident__heathrow_17_january_2008___initial_report.cfmFor both engines to have not responded to either the autothrottle or manual throttle movements, we are looking at a software issue in either the FADEC or the EMC.
Each engine has its own separate EEC. Each EEC has full authority over engine operation. In the normal mode, the EEC sets thrust by controlling EPR based on thrust lever position. EPR is commanded by positioning the thrust levers either automatically with the autothrottles, or manually by the flight crew.
Engine flameout protection is provided for an auto-relight and rain/hail ingestion. The auto-relight function is activated whenever an engine is at or below idle with the FUEL CONTROL switch in RUN. When the EEC detects an engine flameout, the respective engine ignitors are activated.
Fuel is supplied by fuel pumps located in the fuel tanks. The fuel flows through a spar fuel valve located in the main tank. It then passes through the first stage engine fuel pump where additional pressure is added. It flows through a fuel/oil heat exchanger where it is preheated. A fuel filter removes contaminants. If the filter becomes clogged, the filter will be bypassed, passing fuel directly to the engine. In that case, a Advisory EICAS message "ENG FUEL FILTER L/R" will be displayed.
When main tank fuel pump pressure is low, each engine can draw fuel from its corresponding main tank through a suction feed line that bypasses the pumps.
No - it shows that the specification did not define what should happen with out of range conditions. The use formal specification languages to define what they want the software to do, but it is precisely these sorts of unforeseen circumstances which show that the spec was wrong, and the code only did what was specified.
Consciousness is an illusion caused by an excess of self consciousness.
Trans-Atlantic flights are often 90 minutes of flying time from a suitable runway. Trans-Pacific flights can be 3 hours or more of flying time from a suitable runway. Needless to say, airlines cannot glide with no power for hours. Air Canada Flight 143 (see http://www.wadenelson.com/gimli.html) was estimated to have a glide ratio of 11:1 with both engines windmilling. So from 40,000 ft, the maximum glide distance would have been about 100km. Sink rate was estimated at 2000 ft/sec meaning with all engines out, you will be visiting some destination at sea level within about 20 minutes.
It is substantially different. (and integrity is different from integrity-178b also)
The 653 in the name is a reference ARINC-653, which is an industry standard that specifies the api that the OS exposes to the user. (Integrity also supports this same api)
I havent used VxWorks 653, but I am very familiar with both Integrity and Intregrity-178b, and there is no question that the latter is a LOT more reliable.
There may be a little bit of code reused in these platforms, but really the name is the same for marketing reasons. (kind of like how windows CE is completely different from the windows you run on your desktop)