Posted on 01/19/2008 8:39:33 AM PST by GovernmentShrinker
The pilot of the British Airways aircraft that crash-landed at Heathrow said he feared the flight would end in catastrophe as he struggled to cope with a double engine failure just two miles from touchdown. First Officer John Coward, 41, said both engines lost power simultaneously, leaving him with just seconds to bring the aircraft down.
-- snip --
Investigators examining the wreckage of flight BA038 are now focusing on the theory that the crash was caused by a failure in the avionics and electronics systems that control the plane's engines. . . . A senior industry source said: . . . The AAIB has identified that the problem seems to be connected with the avionics and electrics which link the flight deck to the engines.
-- snip --
A former 777 pilot said that it was extremely unlikely that both engines would have suffered failure at the same time. "For two engines to fail at that stage of the flight - it's not lack of fuel or contamination," he said. "It's got to have been commanded [by the automatic control systems]. We are all aghast."
(Excerpt) Read more at timesonline.co.uk ...
He dropped the nose of the aircraft, got up some speed, and then brought the nose up so she would drift in.
If he had pulled up for a go around, they all would be dead.
WOW!
Question: Electronic interference (cell phone, microwave, etc.) ruled out?
Could be some Tangos out there, shooting their electro-nuts.
Any landing you can walk away from . . . . . . .
Right Stuff Ping
Autothrottle malfunction ?
WTH do avionics have to do with the engines shutting down?
Still sounds like the fuel was cut off.
But, too early to tell.
Fortunately, we have the remains intact, so we will only have to wait a year or so for the report. /s
....With no actual mechanical linkage to the throttle body??
THISsssss.....
....Is the worst case scenario!!
************
Also see this thread if you haven’t already — http://www.freerepublic.com/focus/news/1956225/posts?page=1 (posted by Virginia Ridgerunner) — an article from the Daily Mail including the tidbit:
“Inquiries by the Air Accidents Investigation Branch appear to rule out any form of pilot error in the approach for landing. One area of specific interest will be the electrical system after it emerged yesterday that there had been at least 12 serious incidents of overheating, causing “major damage” to power panels on at least four occasions.”
The fancier they make the plumbing...?
Flight coming from Beijing. Makes ya wonder who was fooling around with what last?
I think that President Bush was secretly on board and demanded to fly the airplane, thus leading to the crash.
(Or have the DU’ies already claimed this?)
Good picture. I didn’t know Mitt flew commercial jets.
If anyone thinks that avionics software is somehow built better than your average computer software, think again. It has more paperwork involved but that paperwork is pencil-whipped.
Honeywell's Airplane Information Management System (AIMS) project consists of the largest central computer on the jetliner; it runs 613,000 new lines of code (defined as body semicolons), taking up 15,656 kilobytes (KB) of disk space and 4,854 KB of random-access memory (RAM). With redundancy, the software runs to 46,191 KB and 10,732 KB of RAM. A multiprocessor, rack-mounted system, the AIMS replaced many of the line-replaceable units and reduced hardware and software redundancy. Two AIMS boxes handle the six primary flight and navigation displays: two sets are located in front of both the captain and copilot so that they can move from one seat to the other, and two central sets of engine parameters are shared by the pilots. The primary flight instruments indicate pitch and roll attitude, direction, air speed, rate of climb, altitude, etc. The AIMS also includes the central maintenance function, which receives reports from the 777's other computers and then gathers the data into a central maintenance report for the mechanic. Its monitoring system gathers data on how other functions are doing, and can determine, for example, that an engine is degrading, before it actually fails. Other AIMS functions include a data-conversion gateway, flight data acquisition, data loading, an Ada conversion gateway, and thrust management.
Honeywell's massive effort on the 777 involved over 550 software developers. The company built the AIMS computer as a custom platform based on the AMD 29050 processor. It was unique among aviation systems for integrating the other computers' functions; in other systems, each function resides in a different box [the central maintenance had its own box with its own input/output (I/O), its own central processing unit (CPU), etc.]. AIMS combines all these functions and shares the CPU and I/O among them: it uses the same signals for flight management and for displays, so that the data comes in only once instead of twice; one input circuit provides data to all of the functions; each of the functions gets a piece of the CPU, as in a mainframe computer, where systems use part of the CPU but not all of it; and every function is guaranteed its time slot. Engineer Jeff Greeson said that "The federated system is obsolete. Putting all the functions in one box is a jump ahead in technology that we've brought to the industry."
Another innovation is that the disk drive can read files formatted for the Microsoft Disk Operating System, which provides maintenance with access to the terminal communications. The mechanics can transfer files for data loading over the airplane bus, because Honeywell built the program to accept new data and to change the software. In fact, most of the equipment on the airplane has that ability, only a few classic systems do not (such as the ground-proximity warning system, which has proven sufficiently trustworthy and not in need of change).
Designing a new architecture simultaneously with a new language was "quite exciting," Greeson said. "The organizational details were difficult to put together." With Ada, managers were able to delegate the seven main functions to groups of 60-100 software engineers. The separate software entities have minimal interface with other parts of the software, and not all of the software is integrated. By working with loosely coupled pieces, the project leaders were able to farm out the functions to other groups. The loose integration, however, does not tie the software to the 777 platform, and will assist in Honeywell's using the code for other targets. "We needed the maximum ability to port it to other places," Greeson said.
Ronald Ostrowski, director of Engineering, claims that the Boeing twinjet is already the most tested airplane in history. For more than a year before the flight, Boeing tested the reliability of the 777's avionics and flight-control systems around the clock, in laboratories simulating flight. Design changes were made only after six months of testing the endurance of three engine types (Pratt & Whitney, Rolls Royce, and General Electric).
One compelling reason behind the extensive pre-testing was Boeing's desire to meet the Federal Aviation Agency's (FAA's) Extended Twin Operations (ETOPS) standards ahead of schedule. The original ETOPS rule was drafted in 1953 to protect against the chance of dual, unrelated engine failures. Unless a newly designed and produced aircraft has at least three engines, it usually has to wait, sometimes as long as four years, before the FAA and the Joint Airworthiness Authorities (JAA) will allow it to fly more than one hour from an airport; after a time, the new aircraft is deemed a "veteran" and is allowed to fly three hours away. A shortened trial period would drastically increase Boeing's sales.
Granville Fraser, a propulsion engineer at Boeing, said that a company protects itself better from engine failure by preventing in-flight problems outside the engine, such as faulty warning lights, than by concentrating solely on the engine's mechanics. "Over 50 percent of engine shutdown is irrelevant to the core engine," he said. "It has to do with electrical, fire systems, etc." On the 777, those outside systems are programmed in Ada.
Pratt & Whitney laboratories can, therefore, test the engines, but the quality of the software will have an equal role in determining the reliability of the 777's engines and its conformance to the ETOPS standards.
On the maiden flight, with the Boeing Telemetry room in constant contact with the plane, the engines performed better than expected. The 777 proved itself an ETOPS "veteran" on its first flight out, becoming the first twin-engine plane to win FAA approval for "ETOPS out of the box." The trend towards more reliable hardware and software is revolutionizing aviation and can be found in aircraft other than the 777.
Sounds like some good flying on the part of the pilots!
Good Find, guess we'll just have to wait now.
More correctly, I should have said it looks like the “out of fuel” explanation is off the table. The cessation of fuel getting to the engines, for some other reason than there not being any, is still on the table, but avionics/electrical problems could well be the cause of that.
My mouth and nose doth speweth coffee upon yon monitor.
Probably because control systems are fly-by-wire these days.
Don’t airlines fuel jets with just enough fuel for the route they’re flying? Perhaps they didn’t top off the tanks with enough fuel?
The Air Accidents Investigation Branch (AAIB) initial statements said that both engines did not respond to demands for an increase in thrust from the autothrottle and later manual pilot input.
They did not say the engines shut down.
>They did not say the engines shut down.
>First Officer John Coward, 41, said both engines lost power simultaneously...
This pilot kind of just did.
It will be very interesting to hear what happened.
Report coming out that passengers’ digital clock devices (watches, cell phones, notebooks, etc.) were running three or four minutes slow at touchdown: shades of x-files!
KGB troublemakers with some kind of electronic pulse weapon?
OR:
The pilot made a sharp turn for short final at a slow speed; is a stall possible?
I asked him about it - and he said:
"That ain't supposed to happen."
He is no dummy (obviously) but even he was stumped.
Rules governing IFR flights require enough fuel to make the flight as planned, plus additional fuel to make it to backup airports.
No way is any commercial jet pilot making a sharp turn when he’s less than 1000 feet off the ground. If they had, alarms would have been going off in the control tower and investigators would already know about it and wouldn’t be yammering about looking for flaws in the avionics or electrical systems. I’m no expert but I’ve flown on commercial flights enough to know they’re always lined up for a straight-in landing WAY before that point. This plane was 40 seconds from planned touchdown when the problem was first noticeable.
EMPs are a slim possibility. Very unlikely, I’d say, but then again I would have said that about an assassination with polonium 201 in London . . . until about a year ago. Al Qaeda would be more likely than KGB in this case — there hasn’t been a peep about any bigwig on the flight who might have been a KGB target, but Al Qaeda’s MO is terrorizing ordinary people. If it was a terrorist act involving EMP weapons, it didn’t go as planned — they would have wanted it crashing into the highway or buildings, killing everyone on board, making everyone afraid to fly AND afraid to go near the airport. I doubt it though. Terrorists wouldn’t be likely to take down a plane over a populated area in connection with a landing. Take-off is when the thing is loaded with fuel and capable of spectacular destruction.
Source please?
Shirley you can’t be series.
Does it run on Windows?
Basically, that’s the direction the investigation is pointing in.
"Another innovation is that the disk drive can read files formatted for the Microsoft Disk Operating System,"
That's what the media is summarizing. I'll stick with the official report until further facts are known.
Some have looked at the pictures of the damaged front engine blades and determined that the engines were running.
I wonder if they would have been better off if they had pulled up the gear and made a belly landing. They probably would have made it to the runway and done less damage to the plane. As it is they were probably only about a hundred feet or less from buying the farm.
That scares the hell out of me. I'm a software engineer, 20+ years doing it, with a MS in Comp Sci... I also have a Mechanical Engineering degree and ... This just doesn't sound right. You absolutely want the systems necessary to keep the bird in the air isolated from the more mundane "nice to haves."
Yes, Ada as a language, and Ada certified compilers are great. You almost have to try to shoot yourself in the foot with Ada. I've used it, even though I'm a C++/Java weenie now. By comparison, Java has at least a trigger lock. C++ loads the sidearm, chambers a round, pulls back the hammer, and hands you a scotch on the rocks... ;-)
In any complex system you can have unexpected, unintended emergent behavior. Sure, the flight control tasks no doubt have highest priority, are well isolated logically from the other tasks, say the cabin environmental controls etc. But what about something unexpected? I'm sure the Honeywell guys are top notch. But in such a complex system can they really say they've accounted for all possible combinations/interactions? Every possible failure mode of every sensor and system (hardware/software) connected to this CPU that performs all these wonderful functions? It just seems like a very bad design decision up front to not have isolated the primary flight control system.
Yes it costs more, so what? How much does one of those embedded computers cost? Compare that with the cost of the aircraft - 150 to 230 million? It's not like they're Ford or GM or Toyota, turning out a few hundred thousand of these aircraft. They'll probably only build a few hundred, maybe a couple thousand tops if they're lucky.
The fact that the code is written in Ada has less to do with anything than the extent to which the code coverage and 178-B compliance was done. There is C/C++ code in existence that is DO-178B certified.
I hope that the Special Branch/MI5 is looking at possible external causes for the dual engine failure to increase power. Some sort of EMP/directed energy weapon should not be ruled out.
Sooooooooo, would you buy one of those new cars with Sync, powered by Microsoft?
The problem apparently started just after they lowered the gear. If they couldn’t get the engines to respond at that point, I doubt they could have gotten the landing gear to come back up either. And those things take a little while to move in or out. This plane was, per the co-pilot who was at the controls, 40 seconds from planned touchdown when the first sign of trouble became apparent. If he’d wasted time trying to get the gear up, he wouldn’t have had time to do the few things he did to keep the plane in the air a few seconds longer.
There’s probably an Ada programmer muttering to himself “Was that integer or floating point?”
Real-time operating systems (RTOS) are the foundation software for computing systems. They manage the computers' other software programs and orchestrate these programs' requests for services. And they must be robust enough to deal with unexpected events without causing an aircraft to lose a flight critical function. In the past, many aerospace companies developed their own, proprietary operating systems and software tools, which were optimized for specific functions. Honeywell, for example, created the digital "engine" operating system (DEOS)...
Collins and LynuxWorks now are partnering to achieve acceptance of the LynxOS-178 kernel and POSIX application programming interface (API) as a reusable software component (RSC) under the guidelines described in advisory circular 20-148, issued by FAA in December 2004. Among other things, the new approach will allow FAA to accept third-party utility software, even though the software is only a part of a larger application, such as a flight management system (FMS) or a flight control system. The third-party RSC developer has to partner with an avionics system developer as part of a technical standard order (TSO), type certificate (TC) or supplemental type certificate (STC) project, but the RSC developer controls the distribution of the RSC approval letter.
Wind River Systems describes a technology approach to RTOS reuse for some military customers. They will be able to move applications between various "platforms," which contain an operating system, development environment and other software. They can move between the "general purpose platform" and the "platform for safety critical" as soon as the latter software platform adopts the development environment used in the general purpose package. This is scheduled to occur later this year.
Today avionics manufacturers still use homegrown RTOS and stripped-down, single-purpose operating systems known as runtime executives. But they are becoming more comfortable with third-party, commercial off-the-shelf (COTS) products, as well.
Recent aircraft provide striking evidence of this trend. The Boeing 787 Dreamliner will use COTS operating systems by Green Hills Software and Wind River Systems in core avionics systems.
Smiths Aerospace chose Wind River Systems' VxWorks 653 RTOS for the B787's common core system (CCS), a cabinet that will host 80 to 100 applications, including Honeywell's FMS and health management software and Collins' crew alerting and display management software. Multiple utility management applications relating to landing gear, electrical power, hydraulics, environmental control and even "lavs and galleys" management also are hosted on the CCS, according to Mike Madden, Smiths' program director for B787 common core system. (CCS also includes the common data network and remote data concentrators.)
The Wind River RTOS is part of the CCS infrastructure software, which also includes the Smiths common operating environment and a certified configuration management tool set. Smiths is integrating the "architecture and configuration tool set," which incorporates software from Smiths, Wind River and Rockwell Collins.
Smiths also plans to use the RTOS on the B767 global tanker transport aircraft's avionics flight management computer, a traditional line replaceable unit with VMEbus cards. The FMS software and the related operating environment will be part of an STC, the RTOS' first FAA, DO-178B acceptance. The operating environment, including the RTOS, will be certified to DO-178B, Level B, but the artifacts "will be developed to Level A for use on future applications," says John Armendarez, Smiths' director of military air transport programs.
Green Hills' Integrity-178B is present on the Dreamliner, as well. Honeywell chose the RTOS for the B787's fly-by-wire flight control electronics. Integrity-178B is to run in the B787's flight control modules, which are distributed among the four flight control electronic cabinets the integrator will supply each 787. Outputs from the software in these flight control modules drive Honeywell actuator control electronics units, which in turn communicate with the actuators that move the control surfaces.
Honeywell chose Green Hills because it provides a DO-178B, Level A, certified time and space partitioned operating system with a tightly coupled development environment, says Don Morrow, Honeywell's director of Boeing business development. Both Green Hills and Wind River have effectively been "certified," Morrow says. "They already have convinced FAA that they have systems which are compliant with ARINC 653." This standard concerns RTOS "partitioning," the services the RTOS supplies to enable the running of multiple applications on the same processing resources.
Honeywell is particularly interested in commercially available tools, such as compilers, linkers and debuggers. The company had to create the operating system and tools for its highly integrated airplane information management system (AIMS) on the B777. "It costs a lot of money, and it's not our core business," Morrow says.
Honeywell and Collins have not gotten out of the operating system business completely. Honeywell uses DEOS in the Primus Epic integrated avionics suite and in the flight control system of the Embraer 170 and 190 regional jets.
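The time-slot scheduling described in the AIMS excerpt earlier in the thread ("every function is guaranteed its time slot") and the ARINC 653 partitioning Morrow refers to are the same idea, and the earlier worry about emergent behavior when everything shares one CPU is exactly what partitioning is meant to bound. What follows is an added illustration, not code from the thread, Honeywell, Green Hills or Wind River: a toy scheduler in Python with constructed workloads and an assumed major-frame schedule, comparing a run-to-completion executive against a fixed-window, timer-preempted schedule when one hosted application (the cabin function here, chosen arbitrarily) goes into an infinite loop.

```python
# Added example: a toy model of time partitioning, not code from the thread
# or from Honeywell / Green Hills / Wind River. All workloads are constructed.

FLIGHT_CONTROL, DISPLAYS, MAINTENANCE, CABIN = (
    "flight_control", "displays", "maintenance", "cabin")

# Assumed major-frame schedule: (partition name, window length in ticks).
# The windows sum to 50 ticks per frame.
SCHEDULE = [(FLIGHT_CONTROL, 20), (DISPLAYS, 15), (MAINTENANCE, 10), (CABIN, 5)]


class App:
    """One hosted application. work_per_frame is the CPU ticks it needs each
    major frame; None models a runaway task that never finishes (infinite loop)."""

    def __init__(self, name, work_per_frame):
        self.name = name
        self.work_per_frame = work_per_frame
        self.remaining = 0
        self.frames_completed = 0

    def new_frame(self):
        self.remaining = self.work_per_frame

    def step(self):
        """Consume one tick. Returns True once this frame's work is finished."""
        if self.work_per_frame is None:
            return False                     # runaway: never done
        if self.remaining > 0:
            self.remaining -= 1
            if self.remaining == 0:
                self.frames_completed += 1
        return self.remaining == 0


def make_apps():
    # Constructed workloads in ticks per frame; the cabin app is the faulty one.
    return [App(FLIGHT_CONTROL, 12), App(DISPLAYS, 10),
            App(MAINTENANCE, 6), App(CABIN, None)]


def summary(apps):
    return {a.name: a.frames_completed for a in apps}


def run_to_completion(apps, frames):
    """Runtime-executive style: each app runs until it reports done and nothing
    bounds it. Total CPU time available is frames * frame length."""
    ticks_left = frames * sum(window for _, window in SCHEDULE)
    for _ in range(frames):
        for a in apps:
            a.new_frame()
        for a in apps:
            while ticks_left > 0:
                ticks_left -= 1
                if a.step():
                    break
            if ticks_left == 0:
                return summary(apps)        # budget exhausted by whoever ran last
    return summary(apps)


def run_partitioned(apps, frames):
    """ARINC 653 style: a timer-driven schedule gives each partition a fixed
    window every frame and preempts it when the window ends, finished or not.
    Time left over in a window is not handed to another partition."""
    by_name = {a.name: a for a in apps}
    for _ in range(frames):
        for a in apps:
            a.new_frame()
        for name, window in SCHEDULE:
            app = by_name[name]
            for _ in range(window):          # the timer, not the app, ends the window
                if app.step():
                    break                    # finished early; rest of window idles
    return summary(apps)


def compare(frames=5):
    """Run both schedulers on fresh apps; returns (executive, partitioned)."""
    return run_to_completion(make_apps(), frames), run_partitioned(make_apps(), frames)


if __name__ == "__main__":
    executive, partitioned = compare()
    print("run-to-completion:", executive)    # only frame 1 completes for anyone
    print("time-partitioned :", partitioned)  # only the runaway cabin app misses
```

In the partitioned run the only function that misses its frames is the one at fault; leftover time in a window is deliberately not redistributed, because a partition's timing must not depend on what its neighbors do. The model covers time partitioning only; a real ARINC 653 kernel also enforces space partitioning (separate, MMU-protected memory regions per partition), which is the other half of keeping a cabin-services bug out of the flight-critical code.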
(typo alert) My last should have started: “The PROBLEM . . . “
Pictures show APU inlet door open. The APU is typically not started until taxi in.
Islamofascists hacked into the computer?
Hmmmm. I can see how they could determine that the blades were turning from a crash scene photo. I don't think that allows one to determine whether the blades were powered, or just windmilling in the slipstream.
IIRC, the definitive blades are after the combustion chamber, if sand and grit are melted onto the blades the fire was on...
VxWorks, Integrity and DEOS all have certified level-A kernels. No implementation of Windows is certified (that I know of) under 178B or any other FAA cert. There is no Windows software on any aircraft operating any safety critical system, although they well may use it in secondary logging or entertainment systems. MS probably wouldn’t see any profit in carving out a certifiable kernel out of Windows CE and providing source access to third parties, and most importantly investing in all the specialized software engineering expertise it takes to do code coverage analysis.

The code coverage requirements are pretty comprehensive for A level software and I think it's pretty unlikely for something this catastrophic to be purely software related. Of course, unloaded guns also kill people occasionally.
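On the coverage point: DO-178B Level A requires MC/DC (modified condition/decision coverage), which is stricter than merely seeing each decision evaluate both ways. The following is an added Python example, not from the thread or from any certification tool, using a constructed three-condition decision `a and (b or c)`: it reports which conditions lack an independence pair (two test vectors differing only in that condition and flipping the decision) and brute-forces the smallest test set that achieves MC/DC.

```python
# Added example: MC/DC coverage check, not from the thread or from any
# certification tool. The decision under test is constructed for illustration.
from itertools import combinations, product


def sample_decision(a, b, c):
    """Constructed three-condition decision, as in `if a and (b or c):`."""
    return a and (b or c)


def decision_coverage_met(decision, vectors):
    """Weak criterion: the decision as a whole was observed both True and False."""
    return {bool(decision(*v)) for v in vectors} == {True, False}


def mcdc_gaps(decision, n_conditions, vectors):
    """Return the indices of conditions that lack an MC/DC independence pair:
    two vectors that differ only in that condition and change the decision."""
    outcomes = {tuple(v): bool(decision(*v)) for v in vectors}
    gaps = set()
    for i in range(n_conditions):
        shown_independent = False
        for v, out in outcomes.items():
            partner = v[:i] + (not v[i],) + v[i + 1:]
            if partner in outcomes and outcomes[partner] != out:
                shown_independent = True
                break
        if not shown_independent:
            gaps.add(i)
    return gaps


def mcdc_met(decision, n_conditions, vectors):
    return not mcdc_gaps(decision, n_conditions, vectors)


def minimal_mcdc_set(decision, n_conditions):
    """Brute-force the smallest test set achieving MC/DC. Exponential, so only
    for small n; at least n+1 vectors are always needed, so start there."""
    space = list(product((False, True), repeat=n_conditions))
    for size in range(n_conditions + 1, len(space) + 1):
        for candidate in combinations(space, size):
            if mcdc_met(decision, n_conditions, candidate):
                return list(candidate)
    return None


if __name__ == "__main__":
    T, F = True, False
    # Constructed test vectors: decision coverage is satisfied, MC/DC is not,
    # because condition c (index 2) is never shown to affect the outcome.
    weak = [(T, T, F), (F, T, F), (T, F, F)]
    print("decision coverage:", decision_coverage_met(sample_decision, weak))
    print("MC/DC gaps:", mcdc_gaps(sample_decision, 3, weak))
    print("minimal MC/DC set:", minimal_mcdc_set(sample_decision, 3))
```

The point of the weak set is that a dead or miswired condition can pass decision coverage unnoticed: `c` never changes anything in those three vectors, so a bug in how `c` is computed would never be observed. Adding the single vector `(T, F, T)` closes the gap, and four vectors is the minimum for this decision.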