Failed Avionics a Possible Cause of BA038 Crash
Muhammar writes "As you may have heard by now, both engines of the Boeing 777 aircraft flight BA038 suddenly cut off without warning at very low altitude and low speed during autopilot-assisted landing at Heathrow. A prompt reaction of the pilots prevented the stall and saved all lives aboard. The crash landing short of the runway tore off the landing gear on impact, and the fuselage plowed a long, deep gouge in the grass. With the investigation ongoing, the available information points to an electronic control problem as the most likely cause of the sudden engine power loss."
A bit of FUD here I think - unless I read TFA wrong, the entire thing is under investigation and no one is saying anything for at least a month. The autopilot apparently sensed the need for more thrust and warned the pilots of this. It might be premature to say that a software problem is the likely cause of failure...
"As the intrepid kobold companion continues his journey, he begins to wonder... if priests raises dead, why anybody die?"
They actually have a decent excuse for lost luggage for once.
If you haven't made a developer cry, you've wasted a day.
The pilots then manually increased throttle - to no avail.
For both engines to malfunction like this at the same time greatly seems to point to a fuel delivery problem.
This does not necessarily mean "running out of gas" - as a plane like this has multiple tanks, valves and pumps, all of which can be configured multiple different ways - which change during the flight.
A simplistic example: they could have been running both engines off one tank - which went dry - though another was full - or both engines were being fed from a common fuel pump which failed, etc. These things *shouldn't* happen - but the investigation will tell...
"It might be premature to say that a software problem is the likely cause of failure..."
Unless it was running on an OS like Windows for Aircraft, "now with fewer crashes".
Yes, I know it's all custom designed. But thinking about the infamous Windows for Warships I couldn't resist
"It is a greater offense to steal men's labor, than their clothes"
Now we're all going to be forced to re-learn Ada!
What I've read is that the pilots observed a relatively gradual loss of power symmetrically on both engines. This tells me that I can rule out engine problems with FADEC and fuel. It all points to the auto-throttle. Autopilot tells where it wants the plane to go and autothrottle calculates how much throttle is needed. It then commands both engines FADECs via the bus system which is doubly redundant. What I'm thinking is that auto-throttle is supposed to be backed up, bypassed by a manual direct control to the engine FADECs from the cockpit throttle control?
Any B777 avionics mechanics around - I only know military jets...
www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications
Actually, it's more like "nucular", "gubmint", and "librul".
If it is a software problem, then expect more public scrutiny of software based machinery.
That is not likely. More likely is they had a glitch from a strong RF field someplace. Knowing the timing, it is likely to be either a radar or other high power beam or a very near lower powered source such as a cell phone inside the Faraday cage. Very likely the radio source is from something like this; **RING** **RING** "Hi hon, we are landing now.. Oh no, something's wrong.."
The truth shall set you free!
Let's just wait for the official forensics rather than patched together rumours shall we?
AT&ROFLMAO
It's uncanny how they made the flight control system sound just like my wife.
As Coward stared at the controls, the autothrottle demanded more thrust. That's a feature that is sadly lacking, though.
Show me on the doll where his noodly appendage touched you.
The word "hero" is thrown around a lot these days...
I believe what they meant was that the pilots realized that things were going wrong, and the "normal" reaction would be to add thrust. When they realized that they couldn't add thrust, this would result in losing airspeed, entering a stall, and crashing.
So they realized that an alternative was to lower their angle-of-attack, preventing the stall and maintaining a bit of airspeed. This would have the unfortunate side effect of landing well short of the runway (and perhaps airport) and destroying the aircraft - but given the information available - was a bad - but the best alternative.
So they implicitly decided the best course of action was to glide the airplane and ditch it in a field - not a decision that would have exactly won them any praise had they read the situation wrong - but it saved everyone.
To my mind, if you manage to get 300 tonnes of falling metal out of the sky and on the deck with nothing worse than a broken leg, you've done something right.
[FUCK BETA]
Given that the plane is heavily instrumented, available, and didn't burn, this should be a simpler case to examine. Hopefully, a lot can be learned. At least more than if it crashed and burned in a jungle, or into the ocean.
A little bit of perspective here.
First, there were MANY credible witnesses that swore they saw a missile shoot into the sky before the explosion. Of course, it turned out to be the different trajectories of the airplane pieces, but that was only figured out after a detailed analysis of radar records.
Second, prior to Flight 800 the terrorist explanation WAS more likely - I don't think a modern airliner had EVER exploded by itself before that, but there had been a few that did it with outside help.
Finally, the intelligence and police agencies were careful NOT to peg it on terrorists as the only theory. It was the news media that ran with the "Arabs and Stingers and Bombs Oh My" stories incessantly. Yeah, the government floated the idea - because it was a definite possibility. What are they going to say? "We have some eyewitness accounts of what looks like a missile launch, but we have definitely ruled out terrorist involvement."
As an aside, where are the Flight 800 "Truthers"? Why isn't anyone blathering about the conspiracy to hide the REAL reason Flight 800 blew up?
"As God is my witness, I thought turkeys could fly." A. Carlson
Actually, they have given up creating multiple implementations of the code. There were only ever two implementations, scattered across several computers. However, when developing the systems for this very aircraft type, Boeing decided that they now have tools which can verify precisely that the software matches the specification, and where they actually need to put the effort in is in checking that the specification makes sense. Rather than wasting effort in having two teams implement the specification, and verify that using automated tools, you use the extra effort to look closely at the specification.
Consciousness is an illusion caused by an excess of self consciousness.
In principle, the airplane could have been landed on the runway without damage, if the right variables had come together -- but low and slow, in a big heavy airplane, with full flaps and no power, you're pretty well boxed in. I don't think they could have done better.
rj
That said, my paranoia meter says this could have been caused by some nut near the airfield with a HERF Gun.
May the Maths Be with you!
or a very near lower powered source such as a cell phone inside the Faraday cage
While already moderated funny, I'll just clarify that this is a myth. A more likely explanation for the cellphone ban on planes is that the networks are not able to handle several hundred clients moving at 800km/h in view of tens, maybe hundreds of base stations.
it's in my head
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Maybe that's your current thinking, but it doesn't necessarily reflect reality. Turbine engines don't "switch into reverse". They do have thrust reversers, but that's a mechanical device that redirects the exhaust flow. They're typically activated in the "last stages of landing" i.e. after the plane is fully on the ground.
There is a set of interlocks, involving both weight being present on the landing gear and the wheels rotating, to prevent the reversers deploying.
If a cell phone can do this much damage, why the hell am I allowed to bring one (several even) on a plane?! These days, a swiss army knife will maybe get you as far as row 6 before people dogpile you, and they are confiscated. But a plane has easily 50 cell phones on it at any given time. If the only thing between me and engine failure are passengers dutifully following crew member instructions, then we are all screwed. So I am going to respectfully suggest that you are mistaken, because the alternative seems ludicrous.
Yes it is likely. We are expected to believe that a single consumer grade device caused the simultaneous failure of both engines?
You're right that it's more likely than RF interference. But neither is likely at all.
A software glitch of this type (if that's what it was) has never happened in aviation history. Certainly not in the 10 year history of the 777, with more than 500 of them flying around the world, but not to any other type either.
Also, the engines didn't "fail". The engines were running both before and after the stall (and yes, the aircraft did stall, despite what the article summary says). "Failure" and "failure to respond" are two different things.
In some ways that's even more scary, because it rules out simple explanations like fuel exhaustion. It's one thing for engines to fail, quite another for them to simply ignore control inputs.
First, there were MANY credible witnesses that swore they saw a missile shoot into the sky before the explosion.
a) no, they were not credible, and
b) they by and large didn't claim they saw "a missile".
What they claimed is that they saw a "streak of light" or some variation thereof. Only a few people claimed they saw "a missile", and those people by and large are the people that made it onto the news. So it probably seemed like there were more of them than there were. The news outlets chose the most radical, attention whoring witnesses to put on the air.
But if you read the NTSB report, they break down the witness statements. Out of something like 2,000 witnesses, only a relatively small percentage (I'm remembering it being something like 25%) saw a "streak of light". Of that percentage, about half saw the light going up, half saw it going down. Some saw it going to the left, some going to the right. In other words, none of them had any idea what they were looking at.
This is pretty normal for witnesses to an airliner crash. Nobody's expecting to see what they're seeing, so their mind initially doesn't record things correctly. What the NTSB has to do is filter out the crud and see if there's anything that everybody agrees on. If there is, then they investigate that. In this case, a large enough percentage of people indicated they saw a flash of light, and that ended up supporting the mid-air explosion theory.
But the NTSB never gave any real credence to it being a missile. Neither did the FBI, for that matter. There was just never any evidence. The FBI had pretty much ruled out terrorism within 2 days of the accident.
In this case, then, the quote needs to be properly attributed and sourced, which I neglected to do. Apologies. The quote comes from this thread, post #6 by a user named IADCA.
Yes, but it doesn't make for as a striking newspaper headline as Coward the Hero!.
Each engine has its own separate EEC. Each EEC has full authority over engine operation. In the normal mode, the EEC sets thrust by controlling EPR based on thrust lever position. EPR is commanded by positioning the thrust levers either automatically with the autothrottles, or manually by the flight crew.
Engine flameout protection is provided for an auto-relight and rain/hail ingestion. The auto-relight function is activated whenever an engine is at or below idle with the FUEL CONTROL switch in RUN. When the EEC detects an engine flameout, the respective engine ignitors are activated.
Fuel is supplied by fuel pumps located in the fuel tanks. The fuel flows through a spar fuel valve located in the main tank. It then passes through the first stage engine fuel pump where additional pressure is added. It flows through a fuel/oil heat exchanger where it is preheated. A fuel filter removes contaminants. If the filter becomes clogged, the filter will be bypassed, passing fuel directly to the engine. In that case, an Advisory EICAS message "ENG FUEL FILTER L/R" will be displayed.
When main tank fuel pump pressure is low, each engine can draw fuel from its corresponding main tank through a suction feed line that bypasses the pumps.
No - it shows that the specification did not define what should happen with out of range conditions. They use formal specification languages to define what they want the software to do, but it is precisely these sorts of unforeseen circumstances which show that the spec was wrong, and the code only did what was specified.
Trans-Atlantic flights are often 90 minutes of flying time from a suitable runway. Trans-Pacific flights can be 3 hours or more of flying time from a suitable runway. Needless to say, airlines cannot glide with no power for hours. Air Canada Flight 143 (see http://www.wadenelson.com/gimli.html) was estimated to have a glide ratio of 11:1 with both engines windmilling. So from 40,000 ft, the maximum glide distance would have been about 100km. Sink rate was estimated at 2000 ft/sec meaning with all engines out, you will be visiting some destination at sea level within about 20 minutes.
Indeed. If I'm piloting a turbine engine aircraft, I much prefer for the engines to just fail than for them to ignore my commands. Fly-by-wire is pretty cool until the engines ignore your commands and you have no way to shut the fuel off to them.
Another data point to consider is that the failure was not transient. Normally if you introduce some noise into the channel then you lose some symbols here and there, or the clock even. But the higher level protocols take care of that. Pull the network cable, for example - your SSH session will stay alive for half a minute, until TCP timers run out. I am sure that in an airplane loss of a message will be first noticed and logged, then reported as a potential trouble, and if it continues then some other emergency action will be taken. But if the error ceases to be then the message gets through and you can continue using the controlled device.
Since the malfunction occurred quite far from the airport, and it did not fix itself after the aircraft moved away from a possible jammer location, then in my uneducated opinion the relevant controls just "wedged" somewhere, asking for a hard reset. It will take some Boeing engineers with the diagrams to find out where two independent engine control paths merge or at least get close to each other. And they still have the physical electronics of the airplane, most of it probably undamaged. On top of that they have every single bit from every single flight data recorder, and those are of improved type that record more parameters than usual.
In addition, if the two engines are identical (as they should be) and have the same firmware loaded into their controllers, then the same command sent to both engines could easily take them out at the same time. It could be a fairly complicated sequence, for example, but as long as both engines are operated by another computer (autopilot / autothrottle) then you can be fairly sure that the two engines would be as much in sync with each other as possible, and the "ping of death", so to say, would affect both.
It may not be just a software bug. It may be that the software cannot handle some unforeseen hardware state, as happened on the Malaysian Airlines incident a few months ago (that incident was a near-miss but did not result in a crash-- the problem was that the software was unable to handle properly bad data coming in from an accelerometer). Whether this counts as a "software bug" or a "hardware failure" I don't know....
You can prove that the software is bug free for any set of foreseen inputs. The question becomes whether there are unforeseen inputs which can cause problems. Suppose for example, that a sensor fails in an unexpected way-- for example shorting a circuit instead of breaking it, or by sending incorrect data to the computer. In essence you not only have to handle valid inputs from sensors, and normal sensor failures, but you also have to handle sensors which fail in unexpected ways, and you also have to handle every possible electrical fault as well. And then you *still* have to make some assumptions about the underlying communications between the remaining components.
Now, here is the real issue:
Software exists only to process information on underlying hardware. When you have failures in that hardware which cause the information to be corrupted, you cannot count on any results from the software. Hence your software can only be proven bug-free within a reasonably limited set of circumstances. Or, in simpler terms, garbage in, garbage out.
LedgerSMB: Open source Accounting/ERP
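The point this post makes about sensors failing in unforeseen ways (and the earlier one about a specification that says nothing about out-of-range conditions), as an added Python example that is not from the thread or from any avionics vendor: every limit, channel name and reading in it is constructed, and the checks are a generic defensive pattern, not a description of how the 777 actually does it.

```python
"""Guarding a control computation against sensor failures the spec did not
foresee: each redundant channel is checked for NaN, range, staleness and
rate of change before a mid-value vote; fewer than two usable channels
fails safe to "no output" instead of acting on garbage.
Constructed example with hypothetical limits and readings."""
from dataclasses import dataclass
from math import isnan
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    value: float  # acceleration in g (constructed units)
    t_ms: int     # time the reading was taken


@dataclass(frozen=True)
class Limits:
    lo: float          # lowest physically plausible value
    hi: float          # highest physically plausible value
    max_rate: float    # largest plausible change per millisecond
    max_age_ms: int    # oldest reading still considered fresh


# Hypothetical accelerometer envelope; not taken from any real aircraft.
ACCEL_LIMITS = Limits(lo=-16.0, hi=16.0, max_rate=0.05, max_age_ms=100)


def validate(prev: Optional[Sample], cur: Sample, now_ms: int,
             lim: Limits) -> Optional[str]:
    """Return None if the reading is usable, else the reason it is rejected."""
    if isnan(cur.value):
        return "nan"                      # electrical fault / bad conversion
    if not lim.lo <= cur.value <= lim.hi:
        return "range"                    # outside what the sensor can measure
    if now_ms - cur.t_ms > lim.max_age_ms:
        return "stale"                    # channel stopped updating
    if prev is not None:
        dt = max(cur.t_ms - prev.t_ms, 1)
        if abs(cur.value - prev.value) / dt > lim.max_rate:
            return "rate"                 # in range, but a physically impossible jump
    return None


def vote(cur: Dict[str, Sample], prev: Dict[str, Sample], now_ms: int,
         lim: Limits = ACCEL_LIMITS) -> Tuple[Optional[float], Dict[str, str]]:
    """Median of three usable channels, mean of two, None (fail safe) otherwise.
    Also returns which channels were rejected and why, so the event can be
    logged and reported rather than silently absorbed."""
    rejected: Dict[str, str] = {}
    good = []
    for name, s in cur.items():
        reason = validate(prev.get(name), s, now_ms, lim)
        if reason is None:
            good.append(s.value)
        else:
            rejected[name] = reason
    good.sort()
    if len(good) >= 3:
        return good[len(good) // 2], rejected
    if len(good) == 2:
        return (good[0] + good[1]) / 2.0, rejected
    return None, rejected


if __name__ == "__main__":
    prev = {c: Sample(1.0, 0) for c in "ABC"}
    now = {"A": Sample(1.02, 20), "B": Sample(1.01, 20), "C": Sample(9.5, 20)}
    print(vote(now, prev, now_ms=20))  # (1.015, {'C': 'rate'})
```

Channel C in the demo is the interesting case: its 9.5 g reading is inside the sensor's range, so a range check alone would have passed it into the vote.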
It's certainly not without precedent. No case of air/fuel mixture explosion was found in 747's until TWA 800 in 1996, and 1,396 of those were built since the 747 started flying commercially in 1970.
I think a single software glitch is unlikely to be the cause of the failure. However, best guess at the moment is that the engine issues were software initiated.
You can only mathematically prove that software is bug free given some basic assumptions about hardware performance. If those assumptions fail, then your bug-free software is now buggy because the hardware is buggy and it can't sort out valid from invalid information.
TFA mentions another avionics glitch where a failed accelerometer caused a near accident on a 777 in Australia. The software inappropriately responded to the failure because the failure condition wasn't foreseen.
Most likely the root cause is hardware-related, not software-related. For example, maybe water-based corrosion on some contacts somewhere where the seal was damaged, or a short circuit on some sensor somewhere else. The issue is that this may have triggered failure conditions that were not previously foreseen in the software design.
The 777 has an impressive safety record. However incidents where, say, water gets into circuitry and causes problems, or some previously unforeseen failure situation arises, there will be problems.
As for the "first of its kind" remark-- this is not the first software initiated problem in the 777 if indeed that is the case. It *is* however, the first 777 crash ever. Which ought to make one a little less inclined to question previously unforeseen problems.
IAAAE (I Am An Aeronautical Engineer) and I take serious issue with that statement.
According to the Times today, there have been at least 2 reported computer 'glitches' on 777s in the last 3 years. One lowered the airspeed from 270 to 158 knots along with putting the a/c in a 3000'/min climb causing it to stall. The other caused an uncommanded lurch to the right.
There have been numerous other computer (software AND hardware) glitches and failures in many aircraft, some leading to accidents (remember the A320 landing in the woods?) but most detected and corrected by the pilots. A brief search of the AAIB database should show that.
Of course it stalled. It hit the ground short of the runway - the pilots were doing everything possible to get over the fence. After flaring the aircraft, it is usually lowered to the ground. By holding off till stall (at a few metres above the ground), they probably got an extra 20 or 30m of flight. This was probably enough to get the aircraft onto the tarmac where it stopped, easing the evacuation and recovery. It did not, however, stall during flight when the error began.
Is crushing a suspect's child's testicles illegal?
John Yoo: "No, [if] the President thinks he needs to do that."
I doubt the aircraft stalled: a large aircraft like a Boeing 777 will _not_ recover from a stall in 600 ft, and everyone would have been dead. If it stalled at all, it would have been just before touchdown while the crew were trying to arrest whatever sink rate they could before impact.
As for fuel exhaustion - that was ruled out very quickly - plenty of fuel leaked from at least one breached fuel tank. It's the first thing the investigators would have done - look in the tanks and see if there was fuel. That doesn't rule out fuel STARVATION though - you can have plenty of fuel on board, but something stopping it from reaching the engines.
Oolite: Elite-like game. For Mac, Linux and Windows