Autothrottle problems suspected in Heathrow 777 crash

Investigators probing last Thursday's Heathrow Boeing 777 crash may be able to glean useful information from six previous engine failures on the type, one of which could prove highly significant in pinpointing the cause of the incident. The Air Accidents Investigation Branch (AAIB) has apparently ruled out bird strike and fuel …


  1. Robert Lee


    Trouble with these cases... it's a very complex piece of machinery, to get everything 100% working all the time is almost impossible, so crashes are bound to happen.

    Each time an aircraft lands, they have less than a few hrs to do simple maintenance checks, so if one of the hidden fuel pipes were leaking, or a throttle cable is almost to the point of breaking, there's no way they could check. Regular maintenance is always there, but like your car, after an MOT and service, do you think your car will work faultlessly for the next 12 months until the next maintenance call?

    The other danger is poor maintenance by companies cutting corners. Take a look at gov computers: they have the task of safeguarding people's private info just like a plane has to safeguard its passengers' safety. The same thing will happen, it's just a matter of time for someone somewhere along the food chain to miss/skip a few steps.

  2. Robert Long

    Not sure about that

    The autothrottle was overridden manually and the engines still didn't pick up their output so I'm not sure how likely that sounds. I personally suspect a simple software bug. Sadly, writing software to control an aeroplane is difficult. Very difficult. Studies, and common sense, show that different programmers presented with the same very difficult task tend to make the same errors, so in cases like this it's entirely plausible that three teams of programmers all made the same mistake even though they worked independently and produced supposedly redundant systems.

    Having watched an A320 doing loops over Italy, I don't think I'd ever get into a fly-by-wire aircraft again.

  3. Anonymous Coward

    This press release is brought to you by the "no sh1t sherlock" department


    "...ruled out bird strike and fuel starvation as factors in the accident..."

    That was a 5 second glance then? "Are there bits of bird in the engine?" "No". "Is there fuel in the line up to the engine?" "Yes".

    Of course the engine(s) were potentially still turning. They didn't turn "off" as the papers would have you believe, and even if they did, the air flow would keep them turning.

    Ah... rant over, asbestos suit on. It's amazing what you can learn from MS Flight Sim... ;-)

  4. Anonymous Coward

    I remember...

    ...a security conference where the question was put out to the audience:

    "If you were sitting in a plane on the runway and found out that your company had written the plane's software, how many of you would stay on the plane?"

    One person put up their hand.

    "You must have a lot of faith in your company!" the speaker said.

    "Not really" came the reply "...if we'd written it the thing wouldn't have made it as far as the runway..."

  5. Anonymous Coward


    (caps deliberate)

    If you turn the driver's steering wheel on a car, and the real wheels don't turn to follow, is that a "steering wheel problem"?

    The autothrottle did exactly what it was supposed to, requested increased thrust (fwiw iirc on a 777 it does it by asking a motor to move the real pilot's lever forward).

    The engine didn't respond accordingly.

    There are a number of reasons why the engine may not have responded.

    But there are no "autothrottle problems" in this picture.

  6. David Harper

    Flying on one engine

    Back in December 2001, I was aboard a United Airlines 777 which had to make an emergency landing on one engine at Bangor, Maine on a flight from Chicago to London. The captain told us that an engine warning light had appeared in the cockpit, and although there seemed to be no problem with the engine, he was going to shut it down anyway, just to be safe.

    I'd seen the excellent Channel 4 documentary "21st-Century Jet" about the development and testing of the 777, so I knew that it could fly quite safely on a single engine.

    We made a perfect landing at Bangor just before midnight, and the airline put everyone up in local hotels, fed us breakfast and lunch, arranged a trip to the local mall for those of us who had forgotten to pack a change of undies in our carry-on (something that my wife will never let me forget!) and flew us home the following day on a replacement 777.

  7. Anonymous Coward

    what would Raymond do

    and that's why i only fly Qantas.....

  8. Peter W

    Re:David Harper

    Interesting, since it's not on the list of engine problems. Does that mean they just didn't report it?

  9. Tigger in Amsterdam


    Many moons ago I did a training course and the guy teaching said he'd worked on the software that controlled the wing flaps on the (then new) Airbus. The alarming part was that he resolutely refused ever to fly on one, "because of the caliber of the tw4ts who were programming other parts of the systems".

    Another thought to comfort those of you about to fly......

    It's all well and good that fly-by-wire planes are physically able to loop the loop and fly upside down, but did anyone ever tell the programmers that it's really not a good idea?

  10. I. Aproveofitspendingonspecificprojects

    What OS?

    I have had enough crashes on my computer to want to know what they are running. I don't think it's Windows, somehow.

  11. James Pickett

    Cherchez le PM

    I still think it was shot down by spooks jamming the airwaves for GB's motorcade. Not that we would ever be told...

  12. Anonymous Coward

    @ Robert

    I think you are missing the point referring to poor maintenance etc.

    The big issue here is that BOTH engines failed almost simultaneously despite multiple redundant systems to prevent exactly that occurrence - this points directly at an issue that could be designed out - and should have been - unless of course it was contaminated fuel, which is unlikely since each engine has a separate supply tank (although pilots can and do move fuel around the plane during the flight).

    The same problem occurring on two systems simultaneously is unlikely, thus the focus on the possibility of a software problem, which would be particularly since no-one wants it to start raining 777s.
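    Added illustration, not code from any poster in this thread: a small Python model of the point Robert Long (comment 2) and the AC at comment 12 are making about redundant channels. Three hypothetical channels implement the same constructed specification and a 2-of-3 voter takes the majority. A fault that only one channel has is masked and shows up as a disagreement between channels; a fault every team made the same way is voted through unanimously, with no disagreement to flag it. The two closing functions give the failure rate of a 2-of-3 system for independent versus perfectly correlated channel faults. The spec, the fault sets and every name below are assumptions made for this example.

```python
"""2-of-3 majority voting under independent vs. correlated channel faults.

Constructed illustration: the specification, channel behaviour and fault
sets below are invented for this example, not taken from any aircraft.
"""
from collections import Counter
from typing import Callable, Dict, Sequence, Tuple

Channel = Callable[[int], int]


def reference(x: int) -> int:
    """Constructed spec: saturating doubling of an 8-bit sensor count."""
    return min(2 * x, 255)


def make_channel(bad_inputs: Sequence[int]) -> Channel:
    """One independently written channel.

    It meets the spec everywhere except on ``bad_inputs``, where it returns 0,
    standing in for 'this team misread the spec for that case'.
    """
    bad = set(bad_inputs)

    def channel(x: int) -> int:
        return 0 if x in bad else reference(x)

    return channel


def vote(outputs: Sequence[int]) -> Tuple[int, bool]:
    """Majority voter. Returns (voted value, whether all channels agreed).

    Raises if no value has a majority; that is the voter's only way of
    flagging a fault it cannot mask.
    """
    value, n = Counter(outputs).most_common(1)[0]
    if n * 2 <= len(outputs):
        raise RuntimeError(f"no majority among {list(outputs)}")
    return value, n == len(outputs)


def evaluate(channels: Sequence[Channel], inputs: Sequence[int]) -> Dict[str, int]:
    """Run every input through the voter. Counts results the voter got wrong,
    how many of those were unanimous (so nothing downstream could tell), and
    how many inputs produced a visible disagreement between channels."""
    wrong = wrong_unanimous = disagreements = 0
    for x in inputs:
        value, unanimous = vote([c(x) for c in channels])
        if value != reference(x):
            wrong += 1
            wrong_unanimous += int(unanimous)
        disagreements += int(not unanimous)
    return {"wrong": wrong, "wrong_unanimous": wrong_unanimous,
            "disagreements": disagreements}


def independent_failure_rate(p: float) -> float:
    """P(2-of-3 system fails) when each channel fails independently with
    probability p: two of three fail, or all three fail."""
    return 3 * p ** 2 * (1 - p) + p ** 3


def correlated_failure_rate(p: float) -> float:
    """Perfectly correlated faults: all channels fail together, so the voter
    buys nothing and the system fails at the single-channel rate."""
    return p


INPUTS = range(256)

# Independent faults: each team tripped over a different input.
INDEPENDENT = [make_channel([10]), make_channel([20]), make_channel([30])]
# Correlated faults: every team made the same mistake on the same inputs.
CORRELATED = [make_channel([128, 129, 130]) for _ in range(3)]

if __name__ == "__main__":
    print("independent:", evaluate(INDEPENDENT, INPUTS))
    print("correlated: ", evaluate(CORRELATED, INPUTS))
    for p in (0.01, 0.001):
        print(f"p={p}: independent {independent_failure_rate(p):.2e}, "
              f"correlated {correlated_failure_rate(p):.2e}")
```

    With independent faults the voter returns the right value on all 256 inputs and logs three disagreements, so there is something to investigate; with correlated faults it returns the wrong value three times and never disagrees with itself. The rate functions make the same point numerically: at a per-channel failure probability of 1%, independent faults give a system rate of about 3e-4, correlated faults leave it at 1e-2.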

  13. Dries Marais


    At a Boeing "Dreamliner" (B787) conference my query regarding whether the auto-control systems on the 777 and later, can be overridden by the pilot in all instances, was answered: "In all instances".

    I was happy to hear that, as it is not the case with the Airbus design philosophy where the auto-control can override the pilot in ALL instances.

    As a flight safety practitioner and independent thinker I believe very little of what has been made public yet.

    Dries Marais

  14. Anonymous Coward

    risk assessment

    I still remember seeing one of the first fly-by-wire airliners plough into trees at the Paris Air Show. I'd rather trust good old fashioned control cables to software based controls - you can see wires fraying...

  15. Anonymous Coward

    B777 flies on Ada on specialised hardware

    An Ada forum was an interesting source of information when this story broke, mostly because it explained how disparate systems had to be standardised on one language that minimised any errors that could bring the plane down. They chose Ada, which compiles to run on specific hardware without an OS as such.

  16. Anonymous Coward

    Both engines failed

    does not necessarily point to an issue that could be designed out.

    It could, at least in principle, be a different common-mode problem such as contaminated fuel. I realise there may be other factors in this particular picture which say *not* fuel problem, but there is, as yet, nothing which definitively says design problem.

    Stay tuned (patiently).

  17. Anonymous Coward

    If memory serves

    Planes have to be able to fly for 2 hours on one engine. So a plane cannot be more than two hours away from an airport that can handle it. (That is why you can't fly direct across the Atlantic, and go up towards Greenland etc, or down past the Azores to get to the States.) In times gone by it used to be an hour and certain places couldn't be reached, but it has increased steadily over the years.

    Also all engines are built to be overpowered by up to 60% (depends on model) and never really run at full power for that eventuality, so for the plane to lose height it would need both engines to fail at the same time, whether throttle for power or fuel.

    It is unlikely one engine cut out and then 8 seconds later the second engine cut out and brought it down without something, somewhere raising alarms. At that speed and on autopilot with ILS knowing it is in final approach it should have raised alarms before stall speed was reached. Makes me fear computers running everything all the more, basic code not working.

    If speed of plane <= stall_speed Then

    Run pilot_alarm

    Run speed_of_plane = speed_of_plane + 50


    Not rocket science, is it. I am not a programmer and I understand basic logic.

    Lucky the pilot was still on board and awake.

    So that explanation I think is more to please the media and is not really linked to the investigation.

  18. Anonymous Coward

    Re: Peter W

    Controlled shutdowns for known alarms (Such as oil pressure low) are common and are not included in the NTSB's 6 previous engine "failures".

  19. theotherone

    well if it's..

    well if it's something sinister....say the spooks jamming signal, or perhaps a serious software or design flaw, maybe even a software virus/hacking, do you honestly think they'll ever tell us? and risk the collapse of the aviation industry? No, course not, they'll drum up the same old bullshit, and as long as the problem is within the scope of acceptable losses/collateral damage (about 1000 lives per year isn't it) then everything will be back to normal and our collective conscious will just forget it ever happened.

  20. John Bayly

    @Robert Long

    "Having watched an A320 doing loops over Italy, I don't think I'd ever get into a fly-by-wire aircraft again." Any chance you can explain that?

    On topic though, I have to agree with AC, the autothrottle physically moved the lever (as it should do) hence it was working, the command doesn't seem to have reached the engines or was disregarded. That implies more of a FADEC issue than autothrottle.

  21. Mark Finn

    @ AnonCoward...

    Re: "If you were sitting in a plane on the runway and found out that your company had written the plane's software..."

    You Bar Steward.

    I used to be a C/Pro*C/Oracle coder in Accenture's Manchester & Dublin Offices.

    I'm in China at the moment and am due for a trip home.

    Do you have any idea how long the Trans Mongolian "Express" (an off-shoot of the Trans-Siberian) takes to run the full route? Lets just say that if you leave in late November you'll need two calendars to find your arrival date....

    I'll never sit still on a flight again.

  22. Kent Martin

    Thrust vs stall

    Stall speed is a bit more complicated than just mentioned.... it is a while since I did the theory, but stall speed increases as a function of speed, and, a function of the square of the angle of bank and angle of attack.

    It is perfectly possible to stall wings with a 0 angle of bank (wings level) and a very high speed... just pull very hard.

    One would assume that this guy was coming in wings level, but, my point is, the software isn't as simple as you mentioned. Add to that gusts of wind unexpected variations in thrust & control input (commanded and uncommanded) etc, and things start to get quite tricky indeed.

    I've never heard of your 2 hours on one engine rule, but that isn't to say it isn't true, but the implication that an 'over-powerable' single engine gets you out of trouble all the time is a bit off the mark.

    Conventional aviation logic dictates that a landing approach is something that will only turn into a landing if all goes well - if the correct conditions fail to transpire a go round will be initiated. If an engine fails at the beginning of go round (or just before takeoff), it is quite possible that the aircraft will not have the performance to clear requisite obstacles etc (although this threat may be eliminated by safety regs in commercial arenas).

    Where I trained, most of the instructors said that if you lose an engine on takeoff at this airport, pull both throttles and roll through the fence and across the main road outside.

  23. Gary

    Still prefer full-overridable autopilots

    As much as I'd hate to admit it, it is sounding more plausible that it was a software glitch that caused this. Even so, I still think some piece of information is missing as I find it hard to believe that the instrumentation would also go out, as was supposedly mentioned by one of the pilots. Not that I'm trying to take credit away from them safely putting the bird on the ground, but some things just don't add up.

    I'd still prefer to fly on a jet that allows the pilots to fully override what the autopilot systems think should happen. Sometimes, it takes flying outside of the usual flight envelope to ensure a safe landing.

  24. Cameron Colley

    Basic error surely?

    I thought every sysadmin knew it was dangerous to designate anything 777.

    The Kevlar-lined hoodie, please...

  25. Andy Bright


    My Mk1 Ford Escort had the same problem - always cutting out unless I used the choke as I was coming up to traffic lights and such. I imagine they must have based their engines on the same tech, and a class act too if you ask me.

    I'll post them the fluffy dice, Chaz and Shaz window sunscreen sticker and a cosy faux fur steering wheel cover immediately. :)

  26. Anonymous Coward

    spooks jamming the airwaves for GB's motorcade

    Let's see.

    1 The technology exists.

    2 The technology is known to be in use in GW motorcade.

    3 The US & UK spooks share everything, especially misinformation about WMD

    4 The civil service can't even be trusted to look after laptops let alone operate classified anti terrorist electronic weapons in a safe and responsible way.

    Sound plausible to me...

    The real question is can a head of state be guilty of terrorism?

  27. Anonymous Coward

    2 hour rule

    "a plane cannot be more than two hours away from an airport that can handle it. (that is why you can't fly direct across the atlantic, and go up towards greenland etc, or down passed the azores to get to the states"

    Going across the south pacific or the south atlantic must be a bit of a chore then...

    It's more to do with the fact that the middle of an ocean is not in anyone's airspace or on radar - so they travel on predetermined airways at differing heights within someone's jurisdiction. This ensures that they are covered by a Flight Information Region.

  28. Anonymous Coward

    Just reboot the engine computer

    Flying out of Heathrow on Tuesday and the plane has a "technical fault" with the engine as we push back off stand. Return to stand and engineers come up and do their stuff and fix it.

    As we go again, the captain comes on an explains, "As many of you who have computers know, sometimes they have glitches and the best thing to do is to switch them off and on again. We did that with the engine computers and everything is fine now."

    Now I appreciate that they don't run Windows etc. and the analogy was probably for the benefit of others, but it did make me smile and then perhaps grimace to think I was on a Boeing plane.....!

  29. Colin Miller

    @2hr rule

    Twin-engine aircraft that aren't ETOPS (Extended-range Twin-engine Operations) certified can't fly more than 1hr from a suitable diversionary airport. Certification seems to be based on how long an aircraft can stay up with its remaining engine running. Modern planes can glide (about 1:10 slope) for about an hour.

    See for details.

  30. Dave

    Re: 2 hour rule

    Actually the 777 is covered by ETOPS (Engines Turning or Passengers Swimming) and had a 180 minutes rating provided an airline's maintenance is up to scratch. Also missing from the incidents list is the United 777 that set the ETOPS endurance record, which turned out to be three and a half hours over the Pacific on one engine to reach Hawaii.

    Under the current rules, 4-engine aircraft such as the 747 and A340 aren't covered by ETOPS because losing a single engine means there are still three. Once a BA 747 flew pretty much all the way from Los Angeles to the UK on three (then repeated the trick from the Far East not long afterwards). Perfectly OK (despite what the FAA thought) because a 747 at the top of climb on three engines has a similar power to weight ratio as a fully-loaded one on four climbing out from the airport.

  31. Hollerith

    2 hour rule refuted by personal experience

    A flight from Santiago to Easter Island is about six hours. About two minutes after take-off, you are over the Pacific and, about one second before landing, you are over Easter Island.

    The plane then spends six hours from Easter Island to Tahiti (although I did not take that further trip).

    Believe me, there ain't nothing below you between Chile and Easter Island. For six hours.

    They are VERY firm in the life-jacket demonstration. :)

  32. heystoopid


    hmmm , I wonder if they used those cheaper non linear sony dac's and adc's , like in their crappy expensive SADC players of old ?

  33. John Freas

    Software issue, but not autothrottles.

    It's important to understand how the current generation of electronic aircraft systems work in order to understand how this could happen:

    The engines on modern airliners use FADEC (Full Authority Digital Engine Control), in other words: throttle-by-wire. On FADEC engines the throttle levers do not typically move with inputs from the autopilot, they rest in a detent for the desired flight mode and there they stay. On take off you push them up to the forward stop and the engine computers do the rest, shortly after takeoff you pull them into the "Climb" detent and again the computers do the rest, however unlike older mechanical systems the thrust levers do not move in response to changes in engine power within a given mode.

    Therefore, if the autopilot commands more or less thrust there is no physical indication to the flight crew, only the change shown by the engine instruments. The reverse is also true: if a pilot takes over manual control, physical motion of the levers is nothing more than an input to the computer. If the computer does not process this request appropriately then you won't get the desired result. Yes, the /autocontrol system/ can be overridden "In all instances", however that only removes its inputs to the system, it does not take the computer out of the loop (it can't since the only link to the engines is through the computer). I agree that it is not likely a problem with the autothrottle system but rather the FADEC.

    I too loathe the Airbus philosophy that the computer is smarter than the pilot (one reason I don't own a General Motors car), however this issue may well demonstrate that allowing the pilot "override" authority doesn't guarantee that full control will be obtained or maintained.

    On another note, the 2 hour rule exists. The rule only applies to twin-engined aircraft (those with 3 or more are unrestricted) and it can be extended to 3 hours on certain more capable aircraft. The rule involved is called ETOPS (Extended-range Twin-engine OPerations) for those who would like to search on the term. Thus certain twin-engined aircraft can cross the south pacific without having to stop in Hawaii, Midway, Guam, etc., although the route chosen often has more to do with straight-line Great Circle distances than the proximity of alternate landing sites.

  34. Gary

    More 2 hour rule

    "a plane cannot be more than two hours away from an airport that can handle it. (that is why you can't fly direct across the atlantic, and go up towards greenland etc, or down passed the azores to get to the states"

    The original poster was referring to ETOPS120 in this case. The 777 is actually capable of being certified as ETOPS180. All this in short means that the engines are well over-designed for dual-engine operations, and there should be plenty of thrust available on just one engine.

    And regarding the path that they fly, not only do they stick to known oceanic routes to stay in contact with ATC facilities, it is also to take into account great circle routes. A straight line is the shortest path between two locations, unless you're talking about across a sphere. In this case, the shortest path is actually a slight arc.

  35. Rick Brasche

    Great, Airbus quality now?

    tho it might be more Rolls Royce issues than Boeing. Most of the issues they list in the article were in the engine module itself, which Boeing gets shipped in a big crate and then hooks them up to the aircraft in Everett. IIRC, the engine's control units (driving throttle servos and handling telemetry/engine maintenance communication) are part of the package. Tho it's been years since I worked at Boeing Everett and they didn't do many 777's up there. I didn't spend too much time at the Renton plant.

    At least it wasn't the software trying to override the pilot's inputs like Airbus had issues with, causing aircraft to fly straight into forests and hills.

  36. Anonymous Coward

    777 autothrottle - like motor driven volume control

    "It's important to understand how the current generation of electronic aircraft systems work in order to understand how this could happen... The engines on modern airliners use FADEC (Full Authority Digital Engine Control), in other words: throttle-by-wire."


    "the thrust levers do not move in response to changes in engine power within a "given mode."


    The in-the-know folks, over at PPRuNe and elsewhere, quite rightly point out that on a 777 the autothrottle controls a motor which moves *the actual throttle lever*, so the pilot will see it move sometimes. I believe someone here already referred to a "ghostly hand".

    It's the same kind of thing as some hi-fis which have a remote volume control which operates via a motor which turns the volume knob. You watch it move.

    In both cases (777 and volume), it doesn't matter whether a human moves it or a motor moves it, the effect is the same. (may be too busy)

    <big snip>

    "I agree that it is not likely a problem with the autothrottle system but rather the FADEC."

    Everybody (except the El Reg headline writers :)) knows it's not an autothrottle problem. Very few people outside the AAIB know what the real problem was (or perhaps "is", if it truly is a design fault rather than (say) mechanical failure, contaminated fuel, etc, as per list of previous 777 engine failures). Would it be better if under-informed people didn't speculate too much for now?

  37. Anonymous Coward

    @John Freas + some interesting images

    With regard to the 777 autothrottle, this does actually physically move the levers. As I understand it the autothrottle provides an indirect control input via the throttle system through a motor drive to the throttle levers, and the throttle levers (and therefore any direct input to them) retain full command authority regardless of what the autothrottle is trying to do.

    Also remember that most systems have 'off' buttons, and/or can be overridden via direct control input.

    I know where you're coming from though,as what you described is the Airbus way of doing things, where the only autothrottle indicators are on the displays.

    As for the AAIB update, I wonder what they're smoking to claim both the engines were maintaining power at above flight idle.

    Look at the following images (guess you'll have to do it manually) to see what one engine looked like after it hit the ground while still at near idle speeds:

    You might notice the way the blade tips have sheared as the lower part of the intake was pushed in, and the mud/grass on the blades. Though it doesn't look to have been doing many rpm at the time.

    Now explain to me how anyone could see the other one as having been doing anything more than windmilling as it hit the ground:

    The way all the blades are still attached and the right shape, and the lack of mud on the blades at the top sort of gives the game away. If it was still under any sort of power or even running down (as opposed to windmilling) there would have been blades shed as the casing got crushed and mud picked up by the blades, as per the other engine.

    The explanation of this incident should be interesting when it finally arrives.

    (If you're interested, the above are part of a set of 24 images of the 777 on the ground, and give a better idea of the damage it sustained. There's quite a few holes in it!)

  38. Steve

    overridable autopilots

    At the end of the day it comes down to which scenario is more likely, the plane being saved by a pilot overruling a faulty computer, or by a computer overruling a faulty pilot.

    Looking at how many "accidents" end up classed as pilot screwup, compared to how many are due to mechanical failures, I think that the odds are on the computer override being statistically safer. Obviously no consolation if you're on the occasional plane where the reverse is true, but..

    Still, I hope they figure this one out before June 23rd, when I'll be on a 10-hour 777 flight.

  39. Rich


    The reason aircraft fly across the frozen North on their way from Europe to North America is that it's the *shortest route* - because the earth isn't flat, they follow a great circle. Ships do the same, but are restricted by ice - that's what the Titanic was doing up amongst the icebergs.

    I didn't know the throttles on a fly-by-wire aircraft weren't motorised, like the faders on a high-end mixing desk. I guess there's no real reason for them to be.

    Even the most hazardous aircraft are much safer than cars, BTW.

  40. John Hargrove

    ...wait a minute...

    I get the part about the manual movement of the throttle levers not being a real interactive pilot over-ride of the fly-by-wire system in the 777. What I don't get, is why is there NOT a real manual over-ride? Perhaps via a computer/throttle "kill" switch, or a physical set of throttle controls on an adjacent console? Cost avoidance? Fear of stupid pilots?

    Also, all y'all air travelers, remember how OFTEN you've been on flights where those engines rev up before final throttle reduction to idle and set down? Pilots seem to love dropping below the red on the VASI and then dragging the bird in under spooled up power, because it takes too long for those turbines to spool back up after throttle input...(I think they just like to do carrier landings, myself).

  41. Anonymous Coward

    RE: spooks jamming the airwaves for GB's motorcade

    shall we start a petition on the e-gov site to ask them to rule it out?

    I'm not saying I think it happened, but, in the unlikely event that it couldn't be ruled out...

    would they ever admit it?

  42. BatCat

    Maybe it was the pilot / co-pilot's fault after all...

    Anybody remember the case of the 'plane that crashed near east midlands airport in the UK in 1989? Apparently, a warning light came on indicating a fault in one engine and the pilot shut down the other good one by mistake.

    "As the aircraft began its descent the remaining engine failed too.

    Experts said later the chance of suffering such a double engine failure was a hundred million to one. "

    "A report by the UK Air Accidents Investigation Branch later found the flight crew had shut down the wrong engine."

  43. lglethal Silver badge

    As my aerospace lecturer liked to joke

    The perfect cockpit of the future will have 2 occupants - A Dog and a Pilot. The Pilot's job is to feed the Dog. The Dog's job is to bite the Pilot if he tries to touch anything.

    I have no problem with the autothrottle having precedence over a pilot as is the Airbus philosophy, as in 99.9% of cases a crash is caused by a problem on the aircraft being exacerbated by the pilot. The computer has a much better idea of what exactly is happening on the aircraft than the pilot and so it can usually react much faster and better than a pilot; it's only in these extremely isolated instances when a problem occurs in the computer that a pilot comes in handy...

  44. James

    Wind shear

    John Hargrove - the increase in thrust immediately prior to landing is often caused by the aircraft dropping into a slower moving head wind - wind at ground level is less than at even a few hundred feet. This results in the aircraft losing airspeed, hence the increase in thrust to maintain safe approach speeds when you get close to the ground.

    You (hopefully) don't get too many cowboys behind the steering wheels of big planes, most of them value their careers too much.

  45. Anonymous Coward


    ... as the saying goes : "Engines Turn Or Passengers Swim".

  46. Mike Lovell

    @Robert Lee

    "its a very complex piece of machinary, to get everything 100% working all the time is almost impossible, so crashes are bound to happen."

    I hope you're not a sales executive at Boeing, no wonder sales are plummeting!

  47. Michael Hoffmann Silver badge
    Paris Hilton

    All These Experts

    Why the hell they bother with a lengthy investigation is totally beyond me.

    It's so obvious from all the comments that all they need to do is read this thread on The Reg for the answers!

    I mean some here have HUNDREDS of hours in Microsoft Flightsim and have poured down PINTS of beer with the cousin of the mate of the dog whose owner actually once looked into the cockpit of a 777. That clearly makes them experts. Not that they actually *fly* or are at least aeronautical engineers or such minor details.

    Typical guvmint inefficiency...

    PH icon because she knows as much about aviation as the majority of posters.

    Good gods..........


  48. John Edwards

    Good Advice

    If it aint a Boeing I'm not going

  49. Charles Manning

    @ Die by wire

    Over 25-odd years in the embedded industry, I've seen/heard this before in the context of other planes, car braking systems etc. This, apart from being a tight fist, is why I still drive a 1984 Toyota which has almost no electronics (and none of it programmable or critical).

    The silly part of this is that no development teams are any better/worse than the others. By dodging the devil you know, you just end up flying with the devil you don't know.

    The people developing embedded systems typically have no special training on designing robust systems. Most of them are either electrical engineers (with no clue about software architecture) or recycled desktop programmers and come from the "all software has bugs"/"did you try a reboot" mindset

    As embedded electronics complexity has increased, it becomes ever more difficult to verify a whole system. The larger microcontrollers of today will run more code (more code == harder to verify) and are easier to write code for (easier coding == sloppier coding). Even if individual subcomponents work to specification, they don't always work reliably as a system. More complex systems mean more corner cases with less chance of finding all failure modes.

  50. Anonymous Coward

    "the throttle levers retain full command authority " - NOT!

    In this picture, the throttle levers DO NOT retain full command authority in the traditional sense.

    As John Freas points out, and as others have already mentioned, on any plane with a FADEC (which is pretty much any modern airliner or military aircraft, among others), the "full authority" (FA) is the "digital engine control" (DEC). Hence FADEC. The throttle lever angle is one of a number of inputs to the FADEC computer, and the computer has full control over the fuel flow rate. The aircraft has no reversionary mode which cuts the computer out of the loop. Turn off the computer's power, and lose control. Fortunately they're not your ordinary computer, and, whether you knew it or not, whether you like it or not, they've been in control for at least ten years now. And not a virus or a Windows Update to be seen.

  51. Robin Baker

    ...extra info...

    Just to add what I know about the systems:

    The AIMS and FADECs are only linked at the throttle levers, AIMS drives servos and resolvers determine the angle selected for the FADEC thrust setting.

    The FADECs on the B777, R-R engines are NOT programmed in ADA - most of the rest of the plane is, true, but not those particular items.

    The teams that developed the software for the FADEC are VERY experienced professionals who have had safety-critical training. Not that we can't make mistakes just the same, just not very likely.

    (anyone spot the 'we' there - oh, what a give away!!!)

    I am not second guessing the AAIB, I will leave that to the PPRUNE massive, who seem to have attracted even more speculators than a gold-rush. And, I do post there too, trying to keep the arguments to the facts, though it's an uphill struggle.

    at which point, pass my anorak and show me the door

  52. Anonymous Coward

    What I'd like to know is.....

    Is this plane ever likely to flight again?

    Whatever about all of the fear about fly-by-wire systems, I think they've proven themselves to be reasonably safe. How the carbon-fibre fuselage of the Boeing Dreamliner will cope with regular freezing/thawing is what my major fear will be once these planes go into service.

    Don't we regularly see chunks of the existing carbon fibre tails break off?

  53. Gerald Wilson

    Autothrottle problems my arse

    Well it is some years since I wrote avionics software. And that was A310s, which were pre-Ada. And I did fly in them, too - trusting, over-confident, arrogant, or what? And it's also some years since I wrote Ada. But nothing in the AAIB's update suggests an Autothrottle problem, so the Reg's headline is rubbish: you should let Lewis Page do these bits. Software in FADECs is still in the frame. But it looks more like a Mysterious External Influence on the electronic signals sent to the engines.

    Notice that AAIB reports a five-second delay between one engine spooling down and the other following suit. So which went down first, Port or Starboard? and which road route was Gordon Brown's motorcade following? You see how this works: aircraft is on finals from east; motorcade crosses under flightpath at an angle; malign electromagnetic influence reaches first one engine and a few seconds later the other... I think a bit of sketch-work with Google Maps and a stopwatch is called for here...

    But then, I failed to persuade BAE against Windows-for-Warships (TM), didn't I, so what would an old avionics programmer know, anyhow.

  54. Darkside

    Uninformed speculation

    Isn't that what these discussions are here for?

    Mine's the ski jacket... yes, on Sunday... well, ski charters actually perk up and passengers grin when there's a bit of unscheduled excitement.

  55. Phil the Geek

    Trusting the machine

    FADECs have been around a lot longer than fly-by-wire airliners. They manage engines efficiently, saving fuel (=money) and prolonging life (=money). An engine control computer local to the nacelle is overall more reliable than a complex monitoring and control system linking cockpit and engine.

    A further FADEC benefit is that they irritate control freaks. The FA (Full Authority) part of the acronym refers to the computer having authority to shut down the engine in case of emergency without asking the crew first. If there's a manual over-ride, it's not a FADEC. Think about that the next time you're on a 767, my FBW-hating friends :-)

    Like world+dog I have my pet theory as to what went wrong, but until we get the final AAIB report I'm going back to "who shot JFK?".

  56. Steven Jones

    Motorised throttles

    "I didn't know the throttles on a fly-by-wire aircraft weren't motorised, like the faders on a high-end mixing desk. I guess there's no real reason for them to be."

    I would have thought that there is every reason to motorise them. If a pilot does have to take manual control and the levers had been left in some random position then either the switch would involve a rapid change in engine output (or at least a rapid change in the instructions to the engine - jet engines don't change power output as rapidly as a car engine). I suppose a pilot could estimate the right new position or it would also be possible to motorise the throttles so they move to the right place only when you switch to manual, but what's the point apart from maybe reducing a bit of wear-and-tear? Much better to motorise the throttle levers and that also has the great advantage of giving an immediate indication of the autothrottle working. It also means that a manual override can be effected simply by grabbing the throttles and overriding a clutch mechanism (or some such equivalent). In reality I would have thought the whole throttle assembly and its ergonomics would be very carefully thought out to allow for rapid manual override.

  57. Vladimir Plouzhnikov

    RE: Wind shear

    While the difference in windspeed at altitude and at ground level may be important that's not the main reason why aircraft need increased power before landing.

    At slow speeds in landing configuration airplanes operate behind the power curve - the slower they fly the more power is needed. This is because to generate enough lift at slow speed you must increase the angle of attack and high angle of attack generates high induced drag. You need more thrust to overcome the increasing drag.
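    The "behind the power curve" effect described in the post above, worked through numerically. This is an added illustration, not something posted in the thread; the drag polar (Cd = Cd0 + k*Cl^2) is the textbook model and every number in it is a constructed round figure, not a 777 parameter.

```python
"""Back side of the power curve: in steady level flight thrust must equal
drag, and below the minimum-drag speed total drag RISES as the aircraft
slows, because the higher lift coefficient needed at low speed drives
induced drag up faster than parasite drag falls.

Parameters are constructed, round-number values for a large twin in
landing configuration; they are not figures for any real aircraft."""

import math

RHO = 1.225          # sea-level air density, kg/m^3
G = 9.81             # m/s^2

# Constructed example aircraft (hypothetical values).
MASS_KG = 200_000.0   # landing mass
WING_AREA = 430.0     # m^2
CD0 = 0.08            # parasite drag coefficient, gear and flaps down
K = 0.05              # induced drag factor in Cd = Cd0 + K*Cl^2


def lift_coefficient(v, mass_kg=MASS_KG, wing_area=WING_AREA):
    """Cl needed for lift to equal weight at true airspeed v (m/s).
    Slower flight means a larger Cl, i.e. a higher angle of attack."""
    q = 0.5 * RHO * v * v                      # dynamic pressure, Pa
    return mass_kg * G / (q * wing_area)


def drag_components(v, mass_kg=MASS_KG, wing_area=WING_AREA, cd0=CD0, k=K):
    """Return (parasite_drag, induced_drag) in newtons at speed v."""
    q = 0.5 * RHO * v * v
    cl = lift_coefficient(v, mass_kg, wing_area)
    parasite = q * wing_area * cd0             # grows with v^2
    induced = q * wing_area * k * cl * cl      # grows with 1/v^2
    return parasite, induced


def thrust_required(v, **kw):
    """Thrust needed for steady level flight: total drag at speed v."""
    parasite, induced = drag_components(v, **kw)
    return parasite + induced


def min_drag_speed(mass_kg=MASS_KG, wing_area=WING_AREA, cd0=CD0, k=K):
    """Speed where parasite and induced drag are equal (Cl = sqrt(Cd0/k)).
    Below this speed the aircraft is on the back side of the power curve."""
    cl = math.sqrt(cd0 / k)
    return math.sqrt(2.0 * mass_kg * G / (RHO * wing_area * cl))


def behind_power_curve(v, **kw):
    """True when slowing down further would require MORE thrust."""
    return v < min_drag_speed(**kw)


if __name__ == "__main__":
    v_md = min_drag_speed()
    print(f"minimum-drag speed: {v_md:.1f} m/s")
    for v in (60.0, 70.0, v_md, 80.0, 90.0):
        p, i = drag_components(v)
        side = "BEHIND" if behind_power_curve(v) else "front of"
        print(f"{v:6.1f} m/s  parasite {p/1e3:6.1f} kN  induced {i/1e3:6.1f} kN"
              f"  thrust req {(p+i)/1e3:6.1f} kN  ({side} the power curve)")
```

    Slowing from 70 m/s to 60 m/s in this model raises the thrust required by roughly a tenth, which is the point Vladimir makes: a slow approach is not a low-thrust approach.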

  58. Anonymous Coward

    "FADECs on the B777, R-R engines are NOT programmed in ADA"

    They're not? So what are they programmed in then, given that it's presumably something acceptable to Rolls, Boeing, FAA and CAA and airlines and ... for safety critical software (which probably rules out Visual Basic and a few others)? Inquiring minds may want to know.

    Or are you drawing a distinction between "designed in" and "programmed in"? Some folks might think it a bit devious to say a system wasn't "programmed in" Ada if it actually needed an Ada compiler as part of the process to get from code to PROM (I have no idea if that is the case here).

    Pointers to definitive papers etc very welcome.

    Don't forget not to cross the picket line on Monday:

  59. Robin Baker

    ...OK - just a bit more info...

    The FADECs on the B777 are the last generation to use a modular assembler language developed specially for engine systems by Lucas Aerospace. It has no association with ADA, no need for any ADA compiler, it has its own unique interpreter. I am not sure that there are definitive papers on this but I will try to find something that may satisfy.

    The design was done using Yourdon methodology with Teamwork and a lot of sweat and tears.

    The picket line doesn't apply to me but I will get a Lucas pension in 2012 - should be 67p a year!

  60. Neil Stansbury


    Don't know why everyone is so up in arms about FBW control systems - Concorde was the first commercial airliner to have full fly by wire and including electronic engine control (though not a glass cockpit), and she would have retired after 34 years with a perfect safety record had it not been for FOD on that fateful Paris runway.

  61. Anonymous Coward

    as far as thrust on landing...

    From a pilot's perspective, when you are behind the power curve as Vladimir pointed out; you are controlling altitude with power and airspeed with pitch. You're descending with one power setting and want to level out (even with the ground only a few feet above)? Increase power. For the same reason, a touch of power right before touchdown makes you touch down more softly. They don't usually do this in the airliners because the pilots are beyond professionals and can usually round out at the right height that simple deceleration and a good flare will get you down softly, but it can happen; especially in smaller and private planes. Flying non-pilots always seem to forget that the pilots in front have literally thousands of hours of experience and receive special training for this specific make and model of aircraft. They know what to do, what they can do, what the plane can do, and how to execute a safe flight. The safety and professionalism in aviation (training of personnel, planning, design, maintenance, etc.) make it second in quality, technology and safety only to space flight. As with anything else humans do, mistakes can happen, but it drives me insane when people complain about aviation safety and pilot errors. You spend thousands of dollars and invest years of your life studying and practicing, perfecting your skills and then we'll see what you have to say. And that's all I am going to say.

    Now, where did I leave my coat....?

  62. John Hargrove
    Paris Hilton

    ...wait a minute...

    James and Vladimir - Thanks for your reminders of basic aerodynamics. I never seem to be able to get everything into any of my posts, so I apologize!

    Given that, I don't think I will back off my contention that jet jockeys never like it when their fans drop below thrust rpm's. Flameouts occur at low rpm's, regardless of airspeed, wind shear/inertia complications, computers, what-have-you, and are even more likely in wind shear conditions. Being able to totally trust the computers to spool up the engines after approach zero-thrust rpm, in my reading and hangar-flying experience, is rare. Then, after beginning to spool up, to inexplicably drop back to zero thrust... well, another couple of sceptics are born, if they live long enough.

    I'm not saying that lack of pilot over-ride caused the 777 engines to abort throttle-up input instructions and flame out or drop back to zero thrust - I am saying that all pilots, fly-by-wire or with total computer control of engine speed, land with their hand on the throttle levers. We all learned that in basic flight training and it is so ingrained in us we probably would still keep our hand on the throttle even after the wings fall off, jet turbine or recip prop.

    I continue to believe all aircraft should have pilot over-ride (computer by-pass) in their basic control systems, no matter how wonderfully computers control the aircraft. 99.9% ain't good enough. In this forum several have played with the idea of external electronic incursion into the on-board computer system. If this is even only remotely possible, which I tend to see as VERY remote, a manual over-ride system seems desirable and even dictated.

  63. John Hargrove
    Paris Hilton

    ...wait a minute...

    Where did I ever imply these airline pilots are not qualified? Anon Coward seems to think I'm attacking pilots, or airliners, or programmers, or God knows who else!

    This is an opinion forum, and, being a pilot, I think I have as much a right to an opinion as most of the other intelligent posters on this thread.

    Of course little tin SEL's are not the same as turbine airliners; of course low-time (relative to the airline jet jockeys) white-knucklers cannot even approach the skills and training of jet pilots; of course guys who program and plan the computer control systems of complicated aircraft work long and hard anticipating every eventuality; of course... well, enough.

    I'd still feel better back in my passenger seat if the guys up front could over-ride computer control systems if they had to.

    And that's all I'm going to say.

    Now, where did I leave my sunglasses? :^)

  64. Anonymous Coward

    EMI and FADEC

    There have been several comments thus far citing the presence of Mysterious Electromagnetic Interference Coming From an Indistinct Black Box of Unknown Origin and Attached to a Car, and as one of the maligned ground crew (avionics), it really makes me smile.

    Most of these systems are fairly well shielded, as is the wiring that is associated with them. The idea that some random radio or another causing these things to fail (and also causing the redundant systems to go as well) is something that I don't think is within the realm of that which is reasonable.

    Something that ought to be established here is that there are tests that these systems go through to ensure they will stand up to electromagnetic interference (EMI) far beyond what they would see in a lifetime of normal operating conditions. I've been working with aircraft electronics, avionics, and related systems for about 15 years now and have seen one EMI induced failure.

    That specific incident was caused when the aircraft I was working with was hit by the beam from a U.S. Navy phased-array radar at approximately 0.5 miles from the antenna. It ought to be understood that this particular radar isn't something that you could easily vehicle mount, as the antennas are designed for shipboard use and have output power in excess of 4 MW. (I don't care how big your alternator is, or what kind of capacitors you've got wired up to the stereo, you aren't lugging one of these around under your jacket.)

    Furthermore, the specific failure was limited to a piece of equipment that dealt with the reception of RF at that particular band. (Melted receiver module, lots of smoke, otherwise harmless.) What I would like the tinfoil hat set to note here is that the FBW and automatic flight control systems in the plane worked fine before, during, and after the event. What I would also like them to note is that a common thing to do with this particular receiver is to wrap it in silvered barrier paper (read: plasticized aluminum foil) to prevent this sort of thing from happening. (For those of you in the tinfoil hat set that may be a little on the slow side: I just said that wrapping your heads in tinfoil really does work. However, fine copper mesh works much better. You should also wrap it around your entire body, not to forget the bottoms of your feet, because the signals can still get under the hat and into your brains.)

    I would be positively amazed to find that the mishap investigation cites EMI-induced total FADEC failure as the sole primary causal factor for the event. Again, the probability of the entire system, as well as the redundancies, failing simultaneously is too high.

  65. Jim
    Dead Vulture

    @EMI and FADEC

    Hang on... So if I understand you correctly, it is perfectly safe to use cellphones or other personal electronics at all times in a flight? I don't seem to remember any of these devices being available in the MW range. That means... oh my god... I've been lied to... Quick! Hand me some of that copper mesh stuff...

    BTW, love the way that the yanks (I'm guessing) managed to find a way to blame the non-US engines rather than the US plane. It kinda reminds me of the (rather sick imo) relief when the as-it-happens reporters of the Rockaway crash discovered that the aircraft involved was European rather than a Boeing as first thought - they went all pensive again when it was announced that the engines were possibly to blame and they were GE.

  66. Robin Baker

    EMC canard - dead duck?

    The FADECs are under investigation, not fried, still functional, as far as I know.

  67. Anonymous Coward

    Not Ada? Originated by Lucas Aerospace? Then I assume it's...

    ...LUCOL (or is it Lucol), which as you say "has no association with ADA, no need for any ADA compiler".

    It isn't interpreted though (but I can see where that confusion may arise). Nor is it compiled. It's "translated", by a simple process which is too complicated to explain here.

    The language itself is remarkably simple (which is good). The implementation is also simple (which is good). It's designed for speed of execution and simplicity of development and runtime environment (which is good). Ada arguably does not have these characteristics, and arguably that is not good, but Ada was/is trendy and has taken over the safety-critical world whereas Lucol has largely gone the same way as Coral.

    Because the origins of Lucol in the early 1980s predate the Interweb (and predate usable embedded-Ada setups), and because Ada had out-trendified Lucol by the time the Web caught on, there are very few web-accessible bits documenting Lucol in any detail. Googling for Lucol and Dolman (surname of man in charge of development team) finds pointers to some documents (books, papers, proceedings, etc) which those in the trade may be able to access, if they're that interested.

    Or in your particular case, e.g. if you want to clarify the "not interpreted" thing, there may still be a few people around who were there when the first Lucol stuff flew. They may not be around much longer, hopefully their Lucas pensions will amount to more than 67p.

  68. Andus McCoatover

    Two engined planes?

    I can't remember where I heard it, but (apocryphal, I'm sure)

    Passenger to pilot: What happens if one engine fails?

    Pilot to passenger: The other engine takes you straight to the scene of the accident...

    </coat> (not even bothering to take it off....)

  69. Robin Baker

    Sorry - my mistake:

    Quite right LUCOL it is, and it is translated not interpreted and its overhead in timing and memory is far lower than compiled languages. The typical box it runs in is a hansom cab compared to a PC being an F1 car. And ADA (I can do that too) is complicated, was trendy and could have been excellent, but only a sub-set is really safe enough to fly with (IMHO, of course).

    Personally, I don't need to G**GLE for LUCOL or Dolman, though I did try last night just out of interest, but as AC reports above you tend to get results that point you at restricted sites. Should I want information I can read my own notes (should have done that first, would have got over the interpreted/translated error) or have a beer or two with the guys who really wrote LUCOL that I am still in touch with.

    I was around when it first flew, I still am and I intend to be around for quite a while longer thanks, but if Goodrich get their way my 67p might appear over-generous!

  70. Anonymous Coward

    There's no limit to ill-informed opinion ...

    "They're not? So what are they programmed in then, given that it's presumably something acceptable to Rolls, Boeing, FAA and CAA and airlines and ... for safety critical software (which probably rules out Visual Basic and a few others)? Inquiring minds may want to know."

    ADA *is* often used in aero software but most is still written in 16 or 32-bit assembler.

    Real-time, y'see?

    And no: there is no operating system as such. The hardware *is* the operating system.

  71. Anonymous Coward

    Life Jackets

    "They are VERY firm in the life-jacket demonstration. :)"

    Off-Topic I know - but as the world's experts seem to be here - how many safety demonstrations have there been, and how many times have they been actually used successfully?

    I've flown many times from London to Scotland, would pilots ever aim at Lake Windermere?

  72. Ian P

    Ice Shock for Rolls-Royce?

    The following story has just emerged about the Boeing 777 with Rolls-Royce engines. It MAY be a total coincidence but its timing is bad news for Rolls-Royce and its operation up in Derby.

    Following the Boeing 777 accident at Heathrow last week, the American Federal Aviation Administration (FAA) has just released an Airworthiness Directive (AD) with the following title:-

    [This AD has been issued] to prevent internal engine damage due to ice accumulation and shedding, which could cause a shutdown of both engines, and result in a forced landing of the airplane.

    This AD becomes effective February 27, 2008.

    Details here:-

    Note that at this time the UK AAIB (Air Accidents Investigation Branch) has not commented on the finding.

  73. Anonymous Coward

    Interesting thread this

    Thanks for the info Robin, others

    This thread reminds me of a Yes minister quote;

    "There's nothing worse than accurate uninformed speculation" (-:


  74. Anonymous Coward

    Assembler ? Fuel contamination ?

    I'm aware that there is lots of software out there still in assembler. I would be surprised (sometimes I am surprised) if much of it is recent and non-trivial, especially if it is safety critical. If you have publishable (especially documented) examples, folk might be interested. (I'm not sure what classes as non-trivial but it could probably be argued that anything a 16bit (64k address) micro can do is relatively trivial)

    In other news, Aviation Week is mentioning investigations into possible fuel contamination:

  75. Daniel B.

    Suddenly I remember something...

    "so for the plane to lose height it would need both engines to fail at the same time"

    I suddenly remembered that Darwin Award where some dudes that sounded like Beavis & Butthead took an RJ-200 up to 41,000 feet (the design ceiling for the aircraft) and managed to stall/kill both engines. The black box recordings by themselves are priceless, you'd think someone was transcribing "Beavis & Butthead on a Plane" or something like that. Ironically, they overrode the automatic stall prevention system, and it was their doing that ended up killing them; while the "usual" fly-by-wire incidents are because of the system overriding the pilot and screwing up everything.

  76. Robin A. Flood

    Electromagnetic interference

    Can manufacturers spend a fortune ensuring their billions of cars have EMC (Engine Management Computers) which are not susceptible to electromagnetic interference from any source, right ? Right. So Land Rover Freelanders from the first five years of production frequently had to be towed away when parked near any Italian police station, because the Italian police use radios which locked the Freelander's Immobiliser. The manufacturer screwed up. So unlikely on aircraft systems ?
