Yeah...
Must have upgraded to Vista, lol
Experts have suggested that the simultaneous failure of both engines of the BA 777 which last week crash-landed at Heathrow must have been caused by a computer glitch, the Times reports. BA038 lost power when it was about two miles from the airport's south runway. The pilot glided the aircraft to a belly-flop short of the …
... I can't claim to be an avionics expert, but when I dabbled in investigating aircraft control systems in the 80s (it was a case study at Uni) ISTR the most reliable systems (the only ones the FAA would license to land and take off blind) had triply redundant sensors and wiring paths through different sections of the plane feeding into 3 different computers running 3 separate control systems, from different vendors. The idea was they "voted" on what action to take, and the majority won (no idea if the 2-1 votes were logged or investigated).
The whole idea was to avoid what we're discussing here ..... the possibility that it gets it so wrong as to compromise the aircraft's safety ....
I wonder if someone somewhere skimped on part of this process .... not that we'd ever know ...
Q: This device monitors radar and automatically launches targeted multiple electronic disruption counter measures when it detects objects travelling at speed towards the..........
007: What does this do.
Q: Pay attention James this afternoon you will be driving the PM to the airport and it is vitally important that you switch this device off before you... put that down really it's like trying to teach a computer user not to lose confidential documents.
Moneypenny: Pretending things are your penis really doesn't impress girls over the age of thirteen.
007: Got it, drive the Austin
All: No
007: Sorry, drive the Jag to the airport and bring it back in one piece.
Moneypenny: Don't forget to pick up the PM
"Must have upgraded to Vista, lol"
no, no, no, you've got it all wrong... they're currently running on the old stuff, xp, and clearly they need to upgrade to the latest version to keep using the features that they've been using for years, like engines!
Naturally, this upgrade will require more powerful engines and control gear which just aren't economic to install in existing planes, so every airline needs a whole new fleet of planes... everyone wins - the airlines get shiny new toys that don't do anything that the old ones didn't, the likes of boeing and airbus get shed loads of new sales, and scrapyards nationwide get loads of scrap metal to boot... possibly enough to make enough tinfoil hats to make me feel safer!
... we should be searching for an Al-Qaeda cell based somewhere on the flightpath into Heathrow.
They have evidently developed a working EMP weapon, probably using common household goods (hairdryers? disposable cameras? a huge array of wired up Brillo pads?) and recently deployed it.
The MIB should be checking out lofts, or sheds in the back gardens, of houses near Junction 3 of the M4.
When mechanical systems fail and the big bird falls out of the sky, it's possible to find a sticky actuator/whatever. When the power goes off, computer systems don't leave a trail.
This is seriously alarming. As a programmer it's one thing to write something that breaks and mis-formats a report; it's an entirely different thing to write something that's 100% reliable.
I do hope there's some comprehensive audit/log files for the investigators to examine.
This has the potential to have a catastrophic impact on Boeing and other aircraft manufacturers. Still, look on the bright side, it could be an effective way of weaning people off of flying:-)
Have done work with RR engines, the things are so reliable it's almost unbelievable. I've seen the accident docs for RR engines that have ingested Albatrosses on take off from Auckland. A bit of a hiccup and the plane keeps going.
There are multiple control computers for the engines.
Either bad software or bad fuel.
After scares with Chinese pet food and Chinese toys, what's the bet that the JP40 has melamine in it?..
"The Boeing 777's computer system has in the past caused a few scares. [...] The pilot prevented a disastrous stall by turning off the autopilot [...] again obliging the pilot to disengage the autopilot."
Spot the common theme - I'll help: "Autopilot"
But that's not common to the recent crash - the autopilot wasn't the problem - it didn't make any difference once the pilot took over - they still crashed.
AC wrote: "Naturally, this upgrade will require more powerful engines and control gear which just aren't economic to install in existing planes, so every airline needs a whole new fleet of planes... everyone wins - the airlines get shiny new toys that don't do anything that the old ones didn't, the likes of boeing and airbus get shed loads of new sales, and scrapyards nationwide get loads of scrap metal to boot... possibly enough to make enough tinfoil hats to make me feel safer!"
Nah - watch "Star Trek: First Contact" and you'll see that Zefram Cochrane's warp-powered ship is recycled missile and airliner parts. Wonder if it's running "Boneyard Linux"? :D
If the IT area is anything to go by, then there'll be some folks out there busy trying to figure out how to put Ubuntu, OpenBSD, etc on these old systems.
Oh, and every long distance flight I've been on seems to use a Linux variant for the entertainment systems...
Sat or Sun morning on a 06:45am Milan to Southern Italy flight, the crew had to ground 3 "business" self-loading-cargo before takeoff, despite at least 3 notices from Capt. Speaking, 'cause they wouldn't switch off the damn mobes. Plane type (and OS) not recorded. Apparently, the navicomputer had gone titsup, and had lost a couple of waypoints*.
The 3 fools were fined a paltry 200 Euros, and risk incrimination for compromising transport security.
*Capt.Speaking's copilot should probably have had to revert to the maps application on his Nokia N95... Oh, DAMN!!!
Geese going into more than one engine is unthinkable? It is not only thinkable, it happened. In September of 1995 a U.S. Air Force AWACS crashed near Anchorage, Alaska after sucking geese into two of its four engines.
That said, interviews with passengers on the British Airways plane say the engines were very loud just prior to impact. That suggests the engines were in workable condition, and the pilots' inputs to add power eventually got through to the engines.
Way back in the day I had a milk round interview with a company which created the engine flight controllers for RR. The engine is actually all run by a 68000 processor, like modern car engines the engine is controlled by a chip. The controller measures everything from engine temp, to fuel intake. The controller receives signals like, "increase thrust" from either the pilot or some automated system.
I'd guess that one of the first things you'd look at would be this chip. Did it actually receive the signal to increase thrust, if so did it act on it ?
I'd imagine that if the pilots manually requested extra thrust - by moving the throttles by hand that the signal should have been sent to the engines.
A glitch in the software of the controller could have caused the lack of thrust. However for this same glitch to happen with both engines then both engines must have seen exactly the same set of input conditions, including temp etc. I would guess that they probably were not.
This would point the finger at the control software, did it actually pass on the signal to increase thrust ?
Of course this is all speculation, thankfully everyone survived - and the full report will make interesting reading I'm sure.
> There has been speculation that the incident was provoked
> by the aircraft striking a flock of geese, but the idea that
> bird strike could knock out both engines has been
> dismissed as "unthinkable".
Whilst computer failure could well be the cause of the problem, and let's face it, who would trust software that a) comes from Seattle and b) is written by a company that was planning to connect all the passengers' PCs to the flight control systems. But I don't think the chances of a geese strike taking out engines is that unthinkable. I remember reading a story in the press a few years ago about a Jumbo coming into one of the Canadian cities. They hit a flock of geese and lost all 4 engines. Fortunately they were somewhat higher and the pilot was able to restart enough of them to land safely. Incidentally that pilot is a neighbour. These things happen.
It's not like calculating disc failure rates and saying mirroring is OK because the chances of a pair of two disks failing at the same time is ridiculously low.
With engines, it's a question of how wide was the geese flock. If it's big enough there is a good chance it will take out all the engines.
You don't seriously think the likes of Boeing and the FAA would let Windows control safety critical stuff on a plane? That kind of stupidity is only found in places like the UK MoD in their Windows for Warships program.
Wrt triple redundancy and voting: there is triple redundant hardware in the flight computers, and dual redundant on engine controls, but within each redundancy group it's from the same vendors and afaik there was a design decision made that (within redundancy groups) they would run the same software. Now, you could argue that they shouldn't have done that, and some people did, but afaik the "multiple different sets of software is better" argument was defeated, on grounds of testability and economics.
"When the power goes off, computer systems don't leave a trail."
You presumably know about "black boxes" aka flight recorders. What you probably also know is that modern engine management units on cars have "fault code stores", and actually so do their airborne equivalents. So there is a trail, but it may take more than a few hours to decipher.
The report says the engines failed to respond to a request for increased power from the autothrottle and then from the crew physically moving the throttle levers. It's not thought that the engines "lost power" as you put it in the article.
On approach they would have been at a low RPM (not necessarily at idle) and power is usually increased closer to the ground in preparation for a go-around if necessary (jet engines don't spool up to full power immediately). It's this increase request that didn't work, not a loss of power.
Here is the initial report from the AAIB: http://www.aaib.dft.gov.uk/latest_news/accident__heathrow_17_january_2008___initial_report.cfm
Pilot : Hello our computer is acting strange
BTHelp: Yes sir be putting the cable you have to be getting with your modem into the phone jack
Pilot: Its a plane
BTHelp: Sir be putting the cable you have to be getting with your modem into the phone jack
Pilot : Were in the air a plane
BTHelp: You have no cable, please land and then phone back later and be speaking to my supervisor who is being sitting next to me
Pilot : Argh!
BTHelp : Tanking you sir, your call has been closed
All of a sudden we're missing the usual features like engine-control over idle.
Hmmm
This sounds like
All of a sudden there was a laptop without all the usual features like connectors for expansion and optical reader for installation...
This must be a well-arranged marketing-ploy from the Church-of-Jobs.
//Svein
If I read the comments it appears all these other "rescues" were enacted by telling the computers to go back to playing pacman and taking over control. Does anyone know if that is even possible with an Airbus? From what I've heard the computer has the last say, which doesn't make me very comfortable.
I know that *statistically* the computer apparently gets it more right than the human, but I'm old fashioned - it still makes me uncomfortable. Maybe I should work less with Windows :-).
Last time I read up on these things, many Autopilot and FCS systems were running a RTOS such as VxWorks and running across multiple redundant Intel 386 CPUs.
Now I seem to remember somewhere that Intel were stopping the production of 80386's, I wonder if there have been upgrades to Pentium Class machines, perhaps based upon an early 60MHz design?
A friend of mine was on a plane that had a bird strike at Heathrow. She said that there was a bump, a slight change in engine note, and then a distinct smell like roast chicken drifting through the plane... Did anyone ask if the passengers could smell dinner?
(Same friend was on a plane that was hit by lightning. Lots of people don't want to fly with her again...)
This is your captain speaking. Thanks for flying with us today from Beijing. Before we land, the first officer will be re-booting the plane. It appears we have a misbehaving DLL in the throttle control section, that won't release its unused memory allocations. Please fasten your safety belts.
The first ARIANE-5 heavy launcher self-destructed on its test flight.
The reason was the guys who wrote the flight management software copied large chunks of it from previous smaller ARIANE launch vehicles - which flew much slower.
So a few seconds into the climb, one computer of the three redundant systems said "hey, you guys, we're going far too fast". The second responded "yes, indeedy, we are". "Shall we ask the third ?" said the first computer.
"Hell no, we out vote him two-to-one". "Right then, let's self destruct" said the first one and it did.
A couple of lines of code were changed to reflect the fact that the big ARIANE-5 flies much faster and since then, they never had another problem.
Two or more computers working in parallel do provide redundancy, but not when using the same software, 'cos if there's bad code in one it'll be bad in both.
A few years ago, in a college lecture, the lecturer informed us that the Airbus crash was due to a computer error. The Airbus software was derived from military software and part of the military software's duty was to override instructions given to it by a pilot who it determined was insane (they have to take drugs apparently in order to be able to fly the things in combat and they occasionally flip out). The Airbus crew performed some act that the computer decided was crazy and was immediately overruled. Given that the 777 has had a few other close calls, this might be the same thing.
CP: This is your co-pilot speaking, I will be landing the plane today as the pilot is busy checking his e-mails....
P: Awesome! sexxxygurrl49 has sent me new naked pix!
*click* *cool scifi power down noise here*
CP: OH MY GOD THE ENGINES STOPPED! I TOLD YOU NOT TO CHECK YOUR E-MAILS ON THAT THING, ESPECIALLY WHEN THEY END IN .EXE!
</coat>
I'm sure someone will pick at the details but we got told this in University in order to make us think about specifying designs correctly.
The idea was that there were 5 computers on board - each running software from different companies - that would vote for various action plans. The idea was to make sure 1 or 2 bugs couldn't bring down the plane.
However at the first big public showing of the new Airbus, it did a low altitude flyby at an airshow, the computers picked up the ILS beacons and thought the pilot was coming in to land and so reduced thrust to the engines.
The pilot overrode the automatics, went to maximum thrust but failed to clear the nearby wooded hills due to those vital seconds lost.
Apparently it ended up being blamed on the fact that no one had ever thought to mention "flybys" in the computer software contract or to the design teams.
I accepted the story at the time but now I have to ask why they were flying on automatic during the flyby? Perhaps the automatics kick in even when you're not on autopilot? Anyone know more? (I'll probably regret that....)
"That said, interviews with passengers on the British Airways plane say the engines were very loud just prior to impact. That suggests the engines were in workable condition, and the pilots' inputs to add power eventually got through to the engines."
Aaahhh. So if the engines were slow to accept the command it must be that they ran out of RAM and it was using the swapfile.
Actually the cause of the Airbus crash was pilot error, failure to maintain sufficient airspeed and altitude to recover from a low approach to a runway with obstacles at the departing end.
http://www.airdisaster.com/cgi-bin/view_details.cgi?date=06261988&reg=F-GFKC&airline=Air+France
Could someone explain to me how this voting lark works? If each computer is running the same OS/software and receiving the same inputs, surely they should be unanimous in their votes? Or am I missing something? Do they only get a subset of the available information, just like wetware voters? Do they use different random seeds to give them a unique "personality"? Or do they each use a different OS and got distracted from flying the plane by a flame war?
Paris icon because a Concorde got into trouble over her...
***THANK YOU***
Had been preparing to write a similar comment. The autothrottle didn't respond like it was meant to, and an accurate statement would probably be along the lines of "the pilots lost the ability to change the power output of the engines". As Jonathan points out, during descent the AT pulls the engines back to idle (or thereabouts), and in the last 3 or 4 miles increases it slightly to give more control during the final approach.
"But that's not common to the recent crash - the autopilot wasn't the problem - it didn't make any difference once the pilot took over - they still crashed."
Flying straight & level @ 20000 feet, if the autopilot freaks out, the crew have plenty of time to go to manual before anything untoward happens.
Unfortunately, @ 2000 feet, 3 degrees nose down, and 120KIA, by the time the crew notice the autopilot has died, they've just about buried themselves into Hatton Cross Tube Station - getting over that fence and pancaking on the grass was a phenomenal piece of flying.
Even firewalling the throttles would do them no good, as the engines take a fair while to spool up once you move the throttles from "quiet" to "loud".
On the contrary, they thought of it, examined the engines at the crash site and one of them (but NOT the other) shows that it was still working during the impact because the blades have dug through the soil and forcibly sprayed it all through the interior of the engine.
If I had to speculate, I think we're looking at multiple contributory causes. Hats off to the crew though, for getting the plane down as well as they did.
My favorite conspiracy would be the 777 was coming in from Beijing and the PM was about to fly out to Beijing, did some nut with an EMP device get the wrong flight?
More realistic, there they were coming in to land and 50 Chinese suits all pick up the mobile phones and good night Vienna. My own preference would be that the plane is flown by auto pilot all the way in and the real pilot takes over just before landing. So at what point did the real pilot switch off the auto pilot and did the engines die at that moment?
Paris, cause everybody is totally clueless right now.
They were all very bloody lucky. It could have been far worse
BSOD....Blue Scream of Death!
Some years ago while traveling back from Barbados our plane was about half way back to the Heathrow UK and everyone settled down for the night flight. Suddenly without warning the engines cut to a tick over and the plane went into a VERY fast descent. So fast the cabin lights came back up bright and emergency lights lit along the floor and door exits. There was chaos on the plane while we dropped some 20,000ft in about 2 mins. I don't know how low we got to the sea but via a full moon I could see the wave tops so I guess less than 10,000ft.
Whatever the reason after some considerable delay the captain announced there was a technical glitch and we could not continue. This led to speculation that we could end up ditching in the middle of the Atlantic! Whatever we limped back at no more than 10,000ft at 200knots with the engines on very low power which took 9 hours to get to Trinidad as Barbados had no equipment to help with this type of problem. We spent the weekend in Trinidad while they fixed the plane. Someone may have been on that flight with me but it's not documented anywhere. However I overheard a conversation at the airport it was a computer problem that showed as an alarm for the engines.
Not really related, but something I have never ever understood.
Follow me:
1) Planes are, if not almost, totally, controlled by computers. Fly by wire, if You will.
2) We are all familiar with the "turn off your mobile" and warnings alike. The reason is (allegedly, at least) to prevent interference with the avionics.
3) I know of 2 or 3 tellings of real problems caused by mobiles/laptops in flight.
Now, tell me: Why (oh, why?) didn't they properly shield these things? Please. Millions of people use airplanes everyday. Each airplane costs hundreds of millions. And they can't protect it from a laptop?
I know I MUST be missing something. Could anyone care to explain to me?
Pure speculation here, so feel free to publish this in the Daily Mail.
If we assume that:
a) The reports are true that both autopilot and bag of mostly water pilot requested increased thrust, and;
b) The engines were running but did not increase output;
Then it follows that the engine control systems MUST have been responsible. Note, there is no evidence that they went into "idle only" mode at the same time, just that they were both already in this mode when power was demanded.
The questions are: Does the engine control system have an "idle only" mode for maintenance purposes? Could they have been left in "switch to idle only mode after ten hours" when they were last attended to? This all sounds to me very much like a chain of events in the mechanical/control area which resulted in something ending up in the wrong mode at the wrong time.
Just to complete the daily dose of humourless pilot pedantry... Autothrottle doesn't increase thrust to "increase control" or "prepare for go-around," it increases it because it attempts to maintain constant airspeed despite increasing drag (gear coming down, flaps being extended) and constant glide angle. Roughly speaking.
(But you could say that a part of the motivation for the last drag-but-not-lift-increasing notch of flaps in some aircraft is to improve speed stability, i.e. help with the task of flying at constant-but-low airspeed. In that sense the last bits of flaps requiring the last tweaks of power are there to help with control...)
To put an OS X spin on this, in the interests of fairness...
Imagine the scenario - Pilot approaches landing and decides now is a good time to stop watching South Park TV shows on his MFD and start paying attention. So he tries to quit iTunes, and takes a trip to twirly beachball heaven.
It takes a minute or so for OS X to realise it's not having a kern panic, a couple more for the process to kill and return control to the user, whereupon he realises the AT/AP process has hung and needed killed since iTunes sucked away all system resources. A couple seconds more to kill that too, and few more to spool up the engines on manual and bingo - a 777 needs new belly paint.
If the engines were very loud right before landing, it may not be a hardware problem at all. When I first read about the crash, it sounded like an airburst to me: at the tail end of flying through an airburst, you can send all the power you want to the engines, and it won't do you a lick of good.
I'm not sure this was true with the 777, the AIMS system seems to be at the heart of everything, it seems like they put a lot of trust in the robustness of ADA as a language and as a consequence didn't isolate in the same way as they had done on previous aviation systems projects.
Perhaps this led to some common decision tree login somewhere ?
- I'm not a developer so may be barking up completely the wrong one, I have been working in support for far too long and this looks fishily like a sw bug to me though.
Multiple redundant voting is there to detect a failure of the computing system itself. It is not meant to make the system "wiser", hoping that some computers may actually be smarter than the others and come up with a better way of doing things.
The voting is to try to detect the moment when one or more units go kaput and the system can't be relied upon anymore. In contrast, a non-redundant system may fail and no one will know about it until too late.
In order for such a system to work optimally, each redundant component should be identical to the others, otherwise it will be (practically) impossible to tell if a particular disagreement occurred because of a failure or just due to a different logic implementation, thus defeating the whole purpose of the redundancy.
This does NOT protect against things such as bugs or mistakes in the logic or flight control laws because the system is a computer and not an AI. It will do whatever was programmed into it, no matter how stupid it may seem given particular circumstances.
Recently, there were more and more discussions about the feasibility of pilotless passenger aircraft with the general opinion inclining towards that being a good idea, even inevitable. I wonder if some people who were enthusiastic about that concept would not think twice now, after this incident...
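Added illustration, not part of any comment in this thread: a small majority voter that plays out the cases argued above (one failed unit among identical channels, a logic bug shared by all channels, and two surviving channels that disagree). The control law, the fault models and all names are constructed for the example, and outputs are compared for exact equality, which is a simplification.

```python
from collections import Counter


class NoMajority(Exception):
    """Raised when no single output is held by a strict majority of channels."""


def vote(outputs):
    """Return (agreed_value, indices_of_dissenting_channels).

    A value wins only if more than half of the channels produced it;
    otherwise the voter cannot tell which channel to believe.
    """
    value, count = Counter(outputs).most_common(1)[0]
    if count * 2 <= len(outputs):
        raise NoMajority(outputs)
    dissenters = [i for i, out in enumerate(outputs) if out != value]
    return value, dissenters


def thrust_law(demand_pct):
    """Constructed control law: clamp demanded thrust to 0..100 percent."""
    return max(0, min(100, demand_pct))


def thrust_law_with_design_fault(demand_pct):
    """Same law with a constructed logic bug: demands above 90 return idle."""
    if demand_pct > 90:
        return 0
    return thrust_law(demand_pct)


def stuck_at(value):
    """Model a failed unit that ignores its input and always outputs `value`."""
    return lambda demand_pct: value


def run_channels(channels, demand_pct):
    """Feed the same demand to every channel and collect the outputs."""
    return [channel(demand_pct) for channel in channels]


def scenario_single_unit_failure():
    # Three channels, identical software, channel 1 has failed in hardware.
    channels = [thrust_law, stuck_at(0), thrust_law]
    return vote(run_channels(channels, 95))


def scenario_common_software_bug():
    # Three healthy units all running the same faulty logic.
    channels = [thrust_law_with_design_fault] * 3
    return vote(run_channels(channels, 95))


def scenario_two_channels_disagree():
    # One unit already removed; the remaining two now disagree.
    channels = [thrust_law, stuck_at(0)]
    try:
        return vote(run_channels(channels, 95))
    except NoMajority:
        return "no majority"


if __name__ == "__main__":
    print("single unit failure :", scenario_single_unit_failure())
    print("common software bug :", scenario_common_software_bug())
    print("two channels left   :", scenario_two_channels_disagree())
```

The shared bug produces a unanimous vote with no dissenting channel, so the voter has nothing to flag; the two-channel split is reported as a failure rather than resolved.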
Thanks! :)
Although it is true to say that firewalling the throttles wouldn't give an immediate increase in thrust for a jet, so the increase in thrust on a normal approach to maintain final approach speed once you've dropped everything and slowed it down would also aid in the event of a go-around. Which I think is what I was trying to get at! :)
I vaguely remember hearing the cause of the Paris crash was that in order to get into the nose up attitude adopted by the pilots they had to switch off the height computer.
The Pilots tried to add power - but the plane - not realising that it was only a few feet off the ground, thought that a shallow dive would be a more efficient way of gaining a sensible flying position - stalemate - the solution of course was to switch on the height computer.
Motto: either switch them all off or none of them!
http://www.mirror.co.uk/news/topstories/2008/01/18/gordon-brown-just-25ft-from-death-in-heathrow-crash-89520-20289514/
Gordon Brown stared death in the face yesterday as the stricken Heathrow jet came hurtling in just 25 feet above his head before crash landing.
The Prime Minister was being driven to a VIP lounge along an airport perimeter road when the Boeing 777 lost all power and plummeted towards the ground.
He had arrived for a flight to China which was waiting on the ground. Already on board the jumbo was Mirror Political Editor Bob Roberts.
One aide told him of the terrifying moment the PM and his entourage feared they were about to be wiped out. The insider said: "It was just yards above our heads, almost skimming a lamppost as the plane came in fast and very, very low."
Problem with any event, and particularly one as quick as this, is the temptation to ascribe a similarly quick cause. The reality is, most catastrophic failures (apart from the Prime Minister) are the product of a sequence of events and a multiplicity of causes.
You could've been watching the drag racing on the scruffy old runway at Gimli in Canada back in the Eighties and had to dive for cover when a Boeing 767 passenger aircraft suddenly came in out of the blue with no engines and damn near no controls.
And you could've speculated on everything from double bird strike to avionics failure and still failed to take into account that, actually, Canada went metric only a few weeks before.
No-one here is going to have the answer to what happened at Heathrow anymore than no-one could possibly have imagined the chain of misfortunes that led to the Gimli crash. Or Air Canada's epic stupidity.
Perhaps the computers deliberately blocked increasing engine thrust as they either discovered or "thought" the engines had a problem. The quorum elected it was more dangerous to increase thrust than gliding given the proximity to the runway and the pilots were able to land the plane safely.
Interestingly enough, many years after the Airbus accident there STILL seems to be disagreement over the precise cause (witness the posts in this thread) and that was with both the black-box AND the pilot being alive.
Whatever the causes, I have visited the Boeing 777 factory floor (damned impressive) and was SERIOUSLY impressed with the dedication and professionalism displayed by the people there. The fact that everyone escaped unhurt is not just due to the unquestioned skill of the flight-crew, it is also down to the build-quality of the plane.
And I shall be telling myself that as I step onto a 777 bound for London on Wednesday!
If Gordon Brown's head was only 25ft below BA038 (Mirror World Exclusive) then Cameron must've decapitated it, run with it all the way to the perimeter fence, and then chucked it in the air.
British newspapers tend not to employ journalists anymore, but schoolkids who nip back behind the bike sheds for a fag after writing their idiotic crap. . .
Including the Sky News' "expert" who repeatedly advised viewers that the voice recorder was going to be of "crucial value" to accident investigators as they could then establish precisely what was said between the pilots and ATC.
Right. A lengthy conversation that was.
"3 different computers running 3 separate control systems, from different vendors. The idea was they "voted" on what action to take, and the majority won (no idea if the 2-1 votes were logged or investigated)."
So what happens if one system fails, and the remaining 2 decide to vote against each other?
It's certainly true that any landing you can't walk away from was a bad one...
Regarding the A320's infamous crash, after looking it up it appears that the black box had been messed with - if that's true then no-one knows what happened.
Although it would also mean that someone wanted to hide something.
Most newer planes ARE well shielded against RF interference. HOWEVER:
1) Part of the navigation involves detecting RF signals, so of course they can be interfered with by the nature of their purpose.
2) No matter how well shielded things are, they will never manage to test every electrical device on the planet to see if it interferes with the plane, so to be safe they just say turn it off.
I Quote:
"Whatever the causes, I have visited the Boeing 777 factory floor (damned impressive) and was SERIOUSLY impressed with the dedication and professionalism displayed by the people there. The fact that everyone escaped unhurt is not just due to the unquestioned skill of the flight-crew, it is also down to the build-quality of the plane."
I sadly think that the build quality of the plane has very little to do with the fact that everyone thankfully survived.
I can just imagine the conversation in the cockpit:
PILOT: "F**K! WE HAVE NO ENGINES!"
CO-PILOT: "Don't worry mate, just sit back. It's a Boeing. Made with Pride in the good ol' U. S of A. , Worst case is we lose our no claims bonus, and need a new under carriage. Job Done....................."
...someone forgot to re-connect something important after servicing the electronics, or someone forgot to install some important element after a rebuild, or forgot to patch the software.
Most computer problems are 'user error' and if there was a serious 'bug' in the control system the fleet would have been grounded.
I've found you can crash those inflight entertainment computers just by bashing on the control buttons constantly for a while playing a game, it comes up with atari type backend IIRC. There is even a multiplayer where you can play other people on the plane by seat number for hangman and other games.
To the subject, this is obviously pilots scared of losing their jobs to computers so the union engineer accidents now and then, this one just got out of hand.
Half of them are constantly pissed up or hungover according to the press reports, so anything could be the cause. Most likely whisky in the control panel à la "The Thing" if I know my stuff.
Will the passenger in seat 57 please turn off your MacBook Air as it has crashed the main and auxiliary flight control computer systems and we are unable to use the reset button!
But then again, it reminded me of a somewhat fatal computer control board glitch event down under in Sydney Town OZ which ultimately proved to be anything but fail safe! The ultimate solution was to rewire the entire control board into sequential follow the colour code layout rather than the usual maker's idea of where the cables came out of the hole in the wall is where the switches were always placed or something that Westinghouse Nuclear Engineers always swore by as a mantra to cut costs to the bone to maximise profits when building any power station!
Life seems to move in the same endless circle of profits first and foremost with both passengers and customers always last for consideration in this corporate world of ours, for it looks like just another computer programming rush job as the senior management as usual went with the Alpha one programs to get the plane up and flying the wide blue yonder!
Looks like fly by wire has a few hidden bugs to iron out over the old mechanical controls of yesteryear!
Perhaps they should consult Paris for the answers to the unanswered unasked questions?
That's true in that the (design) decision to give the plane a maximum flap setting that only increases drag and not lift does help you during go-around (faster spool-up and nearly instantaneous decrease of drag available through partial retraction of flaps). But when _flying_ the approach the go-around is still not prepared for in any way (except mentally by briefing the procedure). Increasing power in the final approach "just in case" wouldn't make sense as it would either change the glide slope (well if you know that you want to do that then you obviously know you're going around anyway) or it would cause your airspeed to increase (in which case why did you slow down in the first place), depending on what you do with the elevator.
Ok the point is that flying the approach is actually a more simple procedure than you (well not you specifically if you're a pilot) might think - you use the elevator to keep a constant airspeed (or AOA in case of a delta-wing) and the throttle to control the rate of descent. If you lose all engine power then you just lose control of the glide slope but still have control over airspeed and everything else and can try to avoid obstacles etc. And you can possibly do something clever with the remaining kinetic energy right before touchdown (hop over an obstacle and then stall right after that but if you're low enough you'll just be landing hard, seems the pilot did something like that in this case). But that's it. A go-around on the other hand means just pulling the AOA to the maximum (yes, until you feel/hear the stall warning, that's what the warning is there for) and selecting full power and take-off flaps. You may not start climbing immediately but at least you get immediate _acceleration_ to the right direction and once the descent has changed to a climb the angle will be as steep as it gets which is what you appreciate if you're trying to avoid an obstacle. Sounds brutal and simple but that's what the things are designed for, no matter how many computers and autopilots aboard.
(Right, I'll shut up now, I'm aware of beginning to sound like an over-eager flight-sim enthusiast while I actually do most of my flying in real "complex single but not exactly 777" airplanes, hence the coat)
The pictures of the aircraft indicate that there weren't bird strikes on the engines or elsewhere, and at least one had shut down prior to hitting the mud. The other had damage indicating it was still rotating but the power state isn't obvious, though given the state of it I don't think it was at full power, maybe stuck at flight idle.
While there are redundant systems & on- & off-board power sources for the engine controls I don't believe any kind of majority voting between boxes is involved, only internal self check (by comparison between internal duplicate) & external control logic.
Much of the redundancy comes from having two fully independent engines, each with two controllers, and each able to be self-sufficient, and it being extremely unlikely two will fail at a time for any reason, and that if they do fail that there should be time to recover.
This is generally considered more than adequate as there is a clear path of control logic, and there are obvious strategies for the various failure modes. And yes, one way of dealing with an engine control fault is to shut it down & start it up again!
As I remember it on the 777 the autothrottle works by driving the throttle levers with a motor, with the throttle levers being directly responsible for the engine control. On an Airbus the throttles are just ignored & overridden further down the chain.
So in theory there's no difference between using autothrottle or manual control of the engines, and also in theory external systems can't tell the engines to do something while ignoring the throttles. Exceptions would be in the case of induced failures (e.g. pulling breakers) or mechanical/electrical failure (signal cable to throttle box coming off) which lead to a loss of controls, which would (should!) in turn put the engines into a failsafe mode of flight idle. Which would be adequate for salvaging most situations, especially if only one engine has a problem.
Indeed it's usually more of a problem to shut down an engine after a control failure than it is to keep it running because of the whole 'fail safe' thing - supposedly when the A340-600 crashed into a wall recently during ground tests it took 7 hours for the fuel to run out & the engine(s) to shut down after the controls were wrecked.
Software can cause problems though. One example (maybe quoted above) involved a 777 trying to recover from overspeed & stall conditions simultaneously, which is a bit difficult given they're mutually exclusive... In that case I seem to remember a dodgy software update to a navigation system caused problems with some of the airspeed data, which in turn caused the auto-recovery systems to kick in erroneously. Though that sort of thing still wouldn't lead to an un-commanded engine shutdown, and was fixed by the simple expedient of turning off the autopilot. Not so easy to explain though are the occasional glitches that turn off the cockpit power...
In any case the real cause should be revealed in the near future, so anything else prior to that is mere speculation.
I seem to remember that at least some of the historical Airbus incidents have involved a perfectly functional autopilot and a pilot who knows what he's doing but just a misunderstanding between the two - the autopilot was in the wrong mode, trying to do one thing (e.g. fly an approach) while the pilot was trying to do something else (fly a go-around). So the error is really an ergonomic one. It's the aim of good human-machine interface design to prevent that from happening.
@Marcelo Rodrigues
"Now, tell me: Why (oh, why?) they didn't shield properly this things? Please. Millions of people use airplanes everyday. Each airplane costs hundreds of millions. And they can't protect it from a laptop?"
Aircraft wiring and avionics are by design VERY carefully shielded against known EM threats. The point is that if you have an aircraft (for example) that entered service 10 years ago and was on the drawing board 15 years ago, chances are that the shielding concept is not 100% protecting you against modern day threats, especially those originating from inside the aircraft (like modern mobile phones). As aircraft wiring and connecting hardware make up a significant part of the overall aircraft system weight, shielding concepts need to be designed to provide sufficient protection against (known) EM threats, but not much more than that for obvious (weight and production cost saving) reasons. Finally, in the real world wiring systems (including shielding) degrade (wear & tear, maintenance actions, environmental effects). This may lead to local "leaks" in the EM shielding.
Although all this may not have anything to do with the B777 incident, my advice would be: Switch phones and other electronic devices off when you're told to do so by the crew. There are good reasons for doing so ... trust me.
Being one of a handful of people that worked on both flight controls and engine management I'd like to point out that you are far safer flying on one of these crates than having a shit on your toilet. (A statistical fact - find your own sources). Of course you could live life on the edge by having a shit on the plane but I find these on-board toilets are places to avoid - especially on the cattle class that I tend to travel.
From memory - the software on the flight computers was originally generated by three software teams and run on different compilers and different hardware, but this level of redundancy was reduced at a later stage and a single software team was used. The level of safety from using independent teams was calculated to be insignificant, given that everyone was coding from the same design.
Basically - if the design has a flaw then it was going to be on every computer - so if there was a conflict then it was likely due to a hardware fault or a compiler fault - that part of the computer would then be reset.
There may well be a fault in the design - which was very very well tested. In the end - when the 777 first came out - I wouldn't fly on it - but there again I wouldn't take the first flight on any plane. Let some other idiots try it out first. But it has been flying for quite a while now - and has an excellent safety record. It is also extremely comfortable to fly on - so get out of your extremely dangerous cars and toilets - and get on the 777.
However, for safety reasons, NEVER use the toilet on a plane, unless sitting next to Paris Hilton and she wants to sign you up to the mile-high club.
The Luddite.
The engine management "computers" (as opposed to N95 "multi-media computers") don't know anything about the distance to the threshold and in general don't refuse adding power even if there's something wrong. They're not trying to optimize the maintenance cost quite that directly but instead assume the pilots know what they're doing and really need the power. Maintenance cost is minimized rather more indirectly by good airmanship (power changes are made gradually when possible, minimum power used for take-off, engines are gradually cooled down after landing etc) and by only doing maintenance when some of the measurements made by the computers indicate something should be checked/replaced. But it's not the engine that makes the decisions. Once again a bit of a philosophical point but one that is displayed frequently in aviation and aircraft design.
The only time I ever flew in the jumpseat on a commercial airline we had to do a fly-around on landing (a previous flight slow getting off the runway). It was very impressive - alarms going off 20-to-the-dozen as the captain took manual control, engines screaming, push in the back as we climbed out of the landing approach, etc.
When I mentioned all this to my colleagues travelling in the back, after we landed, they wondered what I was talking about - they hadn't noticed a thing.
(Oh, Boeing, BA, Heathrow, in case you wondered.)
The Grauniad had some early quotes from AAIB - maybe somebody talking too much too soon, they're in purdah now - that had some info I've not seen elsewhere:
There's a suggestion the lack of warning may be deliberate: '... all commercial aeroplanes have programmed "inhibitions" on certain warnings so that the crew are not distracted by unnecessary alarms during the crucial takeoff and landing procedures, [but] the alarm should have been triggered when the engines failed.'
also that the plane's auxiliary power unit was still running after it hit the ground. Apparently aux is rarely used in normal flight.
Article here: http://www.guardian.co.uk/transport/Story/0,,2243357,00.html
Mean anything to anybody?
Pete
As I recall things, the Airbus that crashed in the forest was an early edition being shown off at an airshow. So aircraft essentially empty except for the flight crew and a few 'guests' they'd invited aboard. The crew were trying to do a manual, slow fly-by for the crowd, so they went nose high, flaps down, wheels down, reduced power and had no issues as they flew straight and level past the crowd. The problem came when they wanted to return to a more normal flying configuration at the end of the fly-by. Here is where the story gets nasty. The never proved allegation was that the aircraft's fly-by-wire control system 'recognised' that the aircraft was in a landing-like configuration and that the control changes made it assume that it was time to reduce power and set down on the strip. As has been noted when you're that close to the ground by the time you see the engines spooling down and try to override it's all too late... result: aircraft landing in the forest at the end of the runway. (And you'll appreciate that since Ramstein, the crowd at an airshow is lined up parallel to the runway so they can watch landings and takeoffs without having aircraft flying straight at them.)
Then (more unproved rank conspiracy theorist speculation), the French gov stepped in to investigate. The story was that Airbus was so concerned that an adverse report on the fly by wire system could affect sales of the new type that they were 'hoping' other factors could be found to take the blame. This was round the time the black boxes were found to be either unreadable or mysteriously blank (choose your conspiracy here boys and girls). So, absent much in the way of factual data and with only the cockpit crew saying the plane did it, the investigators focussed on the only other fact they had at hand. The 'guests' the flight crew had invited along. That is, the female guests they had invited into the cockpit to see what it was like. A breach of safety regs (not enough seating so I think one or two were standing?) and thus the pilot and co-pilot got an arse kicking and all the blame and Airbus were off the hook. As I say though, you'll have a tough time proving much there.
I was a little intrigued too by the discussion of 5 computers voting. Not sure someone isn't conflating things with the Space Shuttle's RSLS (redundant set launch sequencer), which is basically the configuration where the 5 on board flight systems choose to run parallel and majority vote their answers. And there the 4 'main' ones run software written by a different group from the 'backup' system. Of course a NASA paper on software engineering suggested after analysis that many of the same bugs were found across the two versions and that it turned out (to paraphrase) that if your spec is a piece of shit you shouldn't be surprised if it results in the same or similar shortcomings in completely separate implementations. In conventional aircraft, as has been said, the focus is more on compensating for hardware failure and more typically if there is redundancy at all it features the same firmware/software.
The groupthinkers posting "doh it was Windows..."
I read the thread on pprune, where comments from those without a professional license tend to get spiked. There was much complaining about inappropriate speculation. I just thought - you guys should try working in the computer industry, where there are no licenses and anyone who can change an IP address is a network architecture expert.
(Interestingly, although one needs a license to taxi an airliner, or indeed to serve coffee to the SLF, one does not (AFAIK, and certainly when I worked in aerospace) need a license to design the software therein. SOPs at the manufacturer are expected to substitute).
Systems from different vendors and voting are all well and good but do nothing if the original design specification is flawed since all the vendors will have been working from the same spec document.
I have a problem with formal specification methods. That problem is that if the specification is wrong the fact that formal methods and testing have been used gives mistaken confidence in the system's ability to perform. This tends to reduce contingency planning for failure as the software has been "proved" not to have any bugs.
Formal testing proves no such thing. All it proves is that the program written carries out the functions laid out in the spec. It does not prove that the spec completely and accurately reflects the task the system is to perform.
"Ladies and gentlemen, we are about to land at London Heathrow Airport. Thank you for flying with... Oh bugger! That isn't supposed to happen..."
Unfortunately the fine print of the spec may say that it is supposed to happen in whatever set of circumstances happened to arise at that time. If so Boeing will probably be very keen on keeping that quiet.
@ So... did the computers do the RIGHT thing???
No. If a computer was to make a decision that required a pilot to land a plane in an abnormal manner it would need to communicate that requirement in a prompt, clear and unambiguous manner to the pilot. The pilot was clearly not aware of any such requirement.
Regarding the Airbutt flyover that wound up a crash. The major factor has to do with the design philosophy of Airbutt versus Boeing.
Airbutt uses a "hard limit" on software/hardware which absolutely prevents the pilot from "bending" the airplane in ANY situation.
Boeing uses a "soft limit" on ALL flight control software/hardware. Which means in the Final analysis - albeit with BUCU horns - whistles, lights, etc the PILOT retains the FINAL and ULTIMATE control with a HARD push or pull - even if it means "bending" the plane.
Check your aviation history regarding a very early 707 transatlantic flight - within the first year it went into service.
Pilots were NOT minding the store - autopilot kicked off - at night - over the ocean - plane went into a diving spiral - eventually pilot pulled it out a few thousand feet above the ocean - but actually bent the wings and popped a few rivets.
The plane was repaired - but the slight increase in wing angle was never corrected. The plane after that had one of the better - lower fuel consumption numbers in the fleet.
Point is - had the airbutt version of FBW been in existence at the time - the plane would have simply disappeared - had Boeing FBW software been in existence then as now - the plane would be bent - but flyable.
Don
Maybe a bad software update or patch, check out http://www.boeing.com/commercial/aeromagazine/aero_05/textonly/ps02txt.html to see what the magnitude of the system is.
This bit is interesting "Spare copies of the loadable software parts are supplied on digital storage media (typically 3.5-in disks) when an airplane is delivered."
"Ok, Roger, set flaps for landing, gear down, thrust reverse armed.."
"READ FAIL DRIVE A:NOT READING. Retry, Abort, Continue? - WTFZOMG!"
@don Sadly the autopilot on the first generation 717/707's was actually an electro mechanical simple analog computer box full of gears and other delightful stuff which never really worked all that very well even when it was new as it could be cantankerous.
Although you could say they were fly by wire as the control yoke had direct steel cable attachments to the appropriate control surfaces with hydraulic power assist!
But they are not really relevant to the monsters that fly today and the jet engines that powered them then were very primitive using many mechanical parts needing a rather lot of water and alcohol for tropical take off engine power boost compared to the all-electronic controlled monster engines of today with the high bypass ratios needed to generate the thrust hence the long spool times to full power!
The 707/717 is a red herring and irrelevant for this case as it is another age and another technology very long past its use-by date and the number still flying today is minimal due to their high operating cost and lack of viable spares!
The A320 that crashed into the trees was taken down to 100 feet above a grass runway with the engines at idle. The computers actually DID make the connection. It's just that it takes more than a few seconds for several tons of metal to spool up from idle to emergency thrust.
The pilot concerned, a senior pilot with Air France had broken the airline's rules for airshow display flying (written by himself) and took a fully laden airliner with 100 passengers down to well below the declared safe height for display flybys (i.e. over 100 feet) and pushed the throttles forward way too late.
Of course he has since published several books claiming the opposite. However it's simple engineering, guys. Engines may spool up instantaneously in computer games, but not in real life.
Y'all diverted on an emergency basis to Piarco instead of Grantly Adams _by choice_?! Damn, boy, what was _wrong_ with those engines?!
The closest I've ever been to something like that was the time when I was flying BA out of Norman Manley in Jamaica to Heathrow... and about three hours into the flight someone up front noticed that someone back on the ground hadn't tightened up the filler cap all the way, and the 747 had been leaking JP all the way from Kingston, so we now had about three hours fuel but five hours travel time... We made an emergency divert to Bermuda, tanked up, and this time they made sure the filler caps were closed & locked.
I've never flown BA since.
If the obvious holds no explanation then look for the weird.
Current computer microprocessor registers are tiny, of the um range. Bits in these registers (which control the plane) can be altered by passing cosmic particles.
Is it possible that exactly the right bits in the aircraft's computers were set - at just the right time - by random radiation - commanding engine shutdown? Just like winning Lotto.
Someone always wins Lotto against impossible odds!
Just a thought on the universal praise dished out to the pilots over their actions in the 777 incident at Heathrow. With engines not responding to a demand for more thrust to restore the optimum glide path into Heathrow, surely they could do nothing more than sit back and hope that the glide path they were on would be good enough to take them over the perimeter fence (there are no pedals on a 777). Also, in the event of an emergency landing (which this was) it is the job of the pilots to warn passengers and cabin crew to take up emergency bracing positions (which they didn't do). O.K. they had other things on their minds but this is usually the case in any emergency situation. The co-pilot was flying the aircraft and the emergency began 2 miles out, so the captain would have had more than a minute to switch on the mike and announce a warning, plenty of time. All I know is that in any future flights I make, I will always be worried when landing now that I know that I may not be given any warning at all if an emergency situation develops. Perhaps we should take up emergency bracing positions on every landing just in case.
philb