Friends have been asking me to guess what happened to the Boeing 777 that crashed while landing at London Heathrow the other day. The preliminary report is that the pilots pushed the throttles forward for more power and the engines did not respond. How is it possible for a $50 million airplane connected to $10 million engines to fail in this manner? The connection is through a collection of software known as a full authority digital engine control (FADEC). There is no mechanical linkage from the cockpit of a Boeing 777 to the engines. If the software fails, the engines cannot be controlled.
Could that ever happen? It happened in 2006, according to
http://findarticles.com/p/articles/mi_m0UBT/is_39_20/ai_n16766814 . One engine was essentially killed by the software while the plane was trying to take off. The failure was traced to “a flawed software algorithm”. If the software flaked out on one engine and the same code runs on both engines, what is to stop the software from failing on both engines at the same time?
http://www.aaib.gov.uk/latest_news/accident__heathrow_17_january_2008___initial_report.cfm is the preliminary report and the best guess answer at this point might be “nothing stops the software from failing on both engines simultaneously”.
[September 2008 Update: Look as though we won’t be able to blame Windows Vista for this one… http://news.bbc.co.uk/1/hi/england/london/7598267.stm talks about the latest report from investigators and has a video. It looks like the problem was simply ice in the fuel system. Why the ice formed when it shouldn’t have and how the engines were both stopped almost simultaneously remain mysteries. Details: official interim report]
Strange things do happen in the most modern, all-electric computer-controlled aircraft. Another example is the Diamond Aircraft DA-42 accident last year where a transient drop in generator voltage caused the FADEC computer to reboot shortly after take-off, which had the effect of shutting down both engines: http://www.flightglobal.com/articles/2007/04/23/213371/accident-ignites-da42-engine-row.html
FAEDC has been used on many many Airplanes and Helicopters for many years.
The redundancy built in to these precludes such a failure.
I have been an A&P technician on Jet Transport category aircraft for 30 years.
I have never seen a dual failure on any redundant system . (i.e # 2 FMS fails and #2 or #3 fail at same time?)
Huge Fan Bypass Engines require several seconds to spool up.(unlike TurboJet)
Look at the Human Element for the reason (Pilot Error) they were low slow and behind the power curve.
The simplest and most probable explanation is that they ran out of fuel. Things are very automated in a 777; the plane practically takes off, flies and lands itself, and a certain complacency in the cockpit is almost unavoidable. The fuel loaded at the departure airport is usually the fuel needed to reach the destination + extra fuel to reach an alternate airport + 1 hour. The calculation might have been incorrect; the fuel operator might have been wrong; the captain may not have checked the fuel operation (which he should have) and the cockpit fuel indicators may have been misread – or not read at all.
All hydraulics appear to have worked; the flaps were extended and the wheels were down.
Or the more likely scenario is they ran out of fuel.
As in most aircraft crashes of this magnitude and with the damaged incurred to the fuel tanks in this case there is almost always a fire.
However in this case there was no fire at all and this would lead one to believe they may have run out of fuel on approach answering the question why the engines did not respond to the computer command or the manual application of the throttles.
Possibly another case of bad fuel management?
Philip: I’ve been working on avionics networking software for the past couple of years. I’m sure it will encourage you to know that, per the orders that flowed down to me, this new software is written in C. 🙂
“The fuel loaded at the departure airport is usually the fuel needed to reach the destination + extra fuel to reach an alternate airport + 1 hour”
Its quite clear this poster hasn’t actually got any real experience or knowledge of international air procedures as this statement and the supposition that it managed to “run of out fuel” with no drastic, extenuating circumstances is so wildly improbable as to be less likely than alien intervention.
As a matter of fact BA aircraft fly with enough fuel to reach three local, alternate airports, in series. This determination is deliberate and not some inane random number like “+1 hour”.
And incidentally, one might imagine that the crash team would have noticed a rather odd lack of extra fuel by now and put it into the reports, no?
Better luck guessing next time.
Not knowing the user interface of a 777, I would be surprised if there weren’t loud warnings when fuel becomes critically low. Also, the preliminary report said a substantial amount of fuel leaked from the wrecked aircraft. I’m betting on a software bug or some really strange type of pilot error.
Joe, Ken: A couple of things wrong with that “out of fuel” theory:
(1) When a fuel tank is “empty”, that means it’s full of fuel vapor, not “nothing”. Fuel vapor, while useless for powering the engines, is explosively flammable.
(2) The initial report linked to above says that, where the wing was punctured, “a significant amount of fuel leaked from the aircraft.”
Matt, your theory is similarly flawed. The initial report states:
“At approximately 600 ft and 2 miles from touch down, the Autothrottle demanded an increase in thrust from the two engines but the engines did not respond. Following further demands for increased thrust from the Autothrottle, and subsequently the flight crew moving the throttle levers, the engines similarly failed to respond.”
The airplane struck the ground 1000 feet from the runway. That’s most of the two miles. Landing speed for a 747 is about 125 MPH, or a little over two miles per minute. Thus, the time between the initial throttle request for increased power and the crash was most of a minute. The “several second” time it takes the engines to spool up that you refer to is almost irrelevant compared to that.
I’ve worked with the design and test of many FADECs for well over 10 years. These controls are one part of a very big system. Its very possible they could be the problem, but you can’t count out the any of the other aircraft systems.
I read an account where the pilot said the cockpit went blank. That could point to power buss issues or even flight deck software.
By the way, most FADECs have a default power setting they defer to when the “throttle” signal is lost. I don’t know how the 777 FADECs are set up.
ALSO… a FADEC is not just a collection of software. It is a control, a computer connected to speed, temperature, and pressure sensors that produce signals. The data provided by the signals is used in algorithms that keep the engine functioning “optimally” in a very specific band of operation. The FADEC also sends and receives signals to and from the fight deck, flight recorder, and any other device that may be connected.
I’m not defending the FADEC design because sometimes I think the testing can be better. Anyway, you should at least know what you are talking about when you guess on a culprit.
It will be interesting to hear the outcome of the investigation.
News reports are suggesting water-contaminated fuel. The AAIB initial report seems to indicate that there was plenty of fuel onboard and that “A significant amount of fuel leaked from the aircraft but there was no fire.”
http://www.aaib.dft.gov.uk/latest_news/accident__heathrow_17_january_2008___initial_report.cfm
Since the 777 has been in service for over 12 years now, I doubt they are just now encountering a s/w problem in a primary system. Typically when an avionics system responds oddly, you can almost always trace it to a sensor or input problem. This was the case a few years ago when a 777’s avionics system keep sensing a stall condition when there was none. That was traced to a pair of bad accelerometers. There is a good Q&A about the nature of that accident and the nature of the autothrottle on 777s here:
http://www.airlinesafety.com/faq/777DataFailure.htm
Even if it was a software fault the engines would still continue to run. They are design to suck fuel out of the tanks to power the engine. According to my dad who is a pilot on these type of aircraft the problem was probably down to the fuel pumps.
Most turbofans have an approach idle function, usually triggered at slat or flap extension, that resets the flight idle to a higher setting. This allows a minimal time between a high thrust command and an engine response.
The initial accident report indicated that there was a “significant” amount of fuel spillage at the accident sight. If this is correct fuel starvation would seem unlikely.
The 777 has three independent IRUs. There have been two instances of a bug causing all three to malfunction simultaneously resulting in an uncommanded aircraft pitch up.
Unknown bugs that manifest themselves suddenly due to an unusual combination of random factors can manifest themselves in several independent systems (read engines) simultaneously.
By the fact that after the left landing gear truck pushed thru the wing root and fuel proceeded to flow out of the damaged wing, indicates that fuel starvation to the engines was not the issue. The most likely scenario is that just prior to droping the landing gear the pilot had reduced the power setting too far to the critical point just above the stall speed. Once the gear was droped the parasitic drag caused by the gear,reason why the autothrottle called for more power, slowed the plane to the stall speed, or behind the power curve. Passangers seem to substantiate this possible scenario by the fact that several reported hearing the gear deploy and then immediately after the plane dropped suddenly and severly hitting the ground.
Thom
Water in blocked sink in First Class, almost crashed Qantas 747, on UK-Australia flight. Luckily plane was near Bangkok and glided into the airport, over the ocean it would have been nasty crash landing.
http://www.theaustralian.news.com.au/story/0,25197,23034490-23349,00.html
I’ll be real surprised if it was a software failure in the FADEC, for the reasons others have already posted.
My first thought was fuel exhaustion, but when I think about it I’ve never heard of fuel exhaustion causing simultaneous engine failures. Usually one engine fails at least a little bit before the other. In the Gimli glider B757 event there was a couple of minutes between engine failures, IIRC.
I’m thinking it was a fuel transfer issue, either due to software or crew error.
As an occasional traveler on 777’s (BA’s included) I am anxiously waiting to find out what happened with this aircraft. As an ex US regional FO (CRJ200) and JAA ATPL holder, I find some of the above comments and misinformation quite amusing. I personally have absolutely no knowledge of BA’s procedures and therefore I am waiting for the report to come out before speculating.
What I do think speaks volumes is the fact that, so far, no one has suggested grounding the fleet, not even for one hour, to do any checks (whether it be software diagnostics or systems checks) suggesting strongly that BA already has a pretty good idea that it points to pilot error.
AAIB BA38 B777 Initial Report Update 23 January 2008
Accident to a Boeing 777-236, G-YMMM, on 17 January 2008 at 1243 hrs
Initial Report Update 23 January 2008
Since the issue of the Air Accidents Investigation Branch (AAIB) 1st Preliminary Report on Friday 18 January 2008 at 1700 hrs, work has continued on all fronts to identify why neither engine responded to throttle lever inputs during the final approach. The 150 tonne aircraft was moved from the threshold of Runway 27L to an airport apron on Sunday evening, allowing the airport to return to normal operations.
The AAIB, sensitive to the needs of the industry including Boeing, Rolls Royce, British Airways and other Boeing 777 operators and crews, is issuing this update to provide such further factual information as is now available.
As previously reported, whilst the aircraft was stabilised on an ILS approach with the autopilot engaged, the autothrust system commanded an increase in thrust from both engines. The engines both initially responded but after about 3 seconds the thrust of the right engine reduced. Some eight seconds later the thrust reduced on the left engine to a similar level. The engines did not shut down and both engines continued to produce thrust at an engine speed above flight idle, but less than the commanded thrust.
Recorded data indicates that an adequate fuel quantity was on board the aircraft and that the autothrottle and engine control commands were performing as expected prior to, and after, the reduction in thrust.
All possible scenarios that could explain the thrust reduction and continued lack of response of the engines to throttle lever inputs are being examined, in close cooperation with Boeing, Rolls Royce and British Airways. This work includes a detailed analysis and examination of the complete fuel flow path from the aircraft tanks to the engine fuel nozzles.
Further factual information will be released as and when available
At MIT during IAP, a course in 767 automation is taught, in part, by a guy who was a lead engineer on the 777. That engineer has been called back to Boeing headquarters and will have to teach the class remotely. I mention this because it doesn’t jive with the idea that pilot error is the leading inside theory. Boeing is apparently taking this pretty seriously.
Phil, do you know if the software used to control these systems is rigorously proven? In other words, do they limit themselves to programs whose correctness can be proven mathematically? If not, I’m really skeptical of all this fly by wire crap. It’s one thing when Windows crashes, but bugs should not be worked out with people’s lives. It’s not that hardware solutions are infallible, but at least they are scrutible.
My personal theory is that software systems have a fundamentally different failure statistics than mechanical systems. I think a new software solution will probably have better initial failure rates than a mechanical one, but their complexity will cause them to converge to a worse long term failure rate than a mechanical solution. This won’t seem so bad initially, but as more and more systems become software-based, it will become a real problem.
Accelerometers/// In the early days these were mechanical units mounted on a bracket on the belly stringers. The unit fitted on to the bracket with a baulk pin to ensure correct fitting. On one BA B737 Aeroplane, a mechanic at Seattle fitted the bracket 180 deg out// therefore accelerometer mounted !back to front!
When the ‘infant’ autothrottle system was later activated, This plane responded entirely opposite. ie. when land flap was used and the a/c decellerated, power was pulled back instead of increasing thrust. Not a good idea))) As I recall, it took much time and money before this simple error was discovered. I submit that although 777 system is obviously more sofisticated, the answer to the cause could be just as simple
Turn over every leaf by all means and carry out complicated tests to get to the bottom of it. But for the sake of innocents in Cities and towns, also safety of travellers on this so called reliable aircraft// Let’s keep our basic thinking caps on and not get carried away. Find the cause; whether it be complicated or simple. Dedicated BA engineer Retired.
At the risk of sounding like a Dinosaur!!! My opinion is this// If a human is at the controls of any aircraft. that person should be able to override any electronic device in case of emergency. Many of us using PC’s have had experience of software crashes and had to re boot. Or have been victims of hackers. We sit at our desks and can repair at leisure// There are very clever evil Bxxs out there causing us grief introducing viruses, for which we spend much to destroy and guard against. Persons flying aircraft over City’s do not have the facility or time to fathom what went wrong. They could be stuck with a machine controlled by computer, without positive manual overrides. Their own lives in danger as well as all others aboard. Only option open to them, was to rely on flying controls to get them somewhere into the field and a’very lucky’ belly flop. What a good job those systems worked for BA 038 not to detract from positive action by handling pilot and commendable ‘non interfearence by captain. only P2 knows, what was in his mind in the last 60 seconds// I can guess he did not panic (panic kills)
If we rely so much on computers then we do not need flight crew// If we did not have flight crew’ then, in this case, all aboard and a large area below the flight path would have been demolished.
Let us not jump into the unknown future, before learning the lessons of the past. Computers have got to be our servants but not our Masters. Surely there is still a place for mankind on this planet.
Dinosaur Bill.
JB: I believe that fly-by-wire systems are built to DO-178B Level A standards, which is the highest level of safety requirements available for commercial aircraft systems.
But does this equate to systems that are mathematically proven to be correct? No way. What it means is the code is developed to prescribed standards, and there is a big paper trail showing how the code matches the requirements, and that it has been verified (not proven) that the code does what the requirements demand, and that the code has been reviewed by someone other than the developer, and that any changes made to the code are also reviewed.
So there are three major points of possible failure: the requirements could be broken, the code could be broken, the verification process could be broken, or possibly all of the above. Additionally, the compiler could be broken (I just found a bug in our avionics compiler last year), there could be a bug in the operating system that’s running the software (more and more frequently, some real-time flavor of Linux), etc., etc.
The most comfortable we can rest in is that the code really is thoroughly tested, so most likely there’s nothing wrong with it. The more important it is that the code work correctly (e.g., fly-by-wire compared to in-cabin entertainment systems), the more thoroughly it is tested. Simulated tests, on-ground hardware tests, in-flight tests… it doesn’t eliminate the possibility of bugs, but risk is mitigated.
To Brooks Moses,
At 600 feet and two miles, this is nothing ,the aircraft was about 20 SECONDS from a landing.
You state that a B747 lands at 125 MPH.( I doubt it) In aviation we use nautical miles per hour. Vref is closer to 140 knts. This translates to about 160MPH.
I would like to know what the spool up time is for a RR Trent approach idle to takeoff power.
I may be a bit of a dinosaur as well…
I’d be willing to bet we’ll see fuel contamination discussed in the near future. The fuel computers will show quantity of fluid in the tanks. They wouldn’t be able to discriminate between water and fuel and would easily show 10 tons of fluid in the tanks when on approach. As the airplane configures for landing the contaminant could shift to the fuel intake location and be ingested into both engines essentially simultaneously causing major power
interuptions.
Just an idea…go ahead a rip it apart!
Any chance of computer error?
None whatsoever.
Quite frankly, I wouldn’t worry myself about that.
It can only be due
to HUMAN error.
This sort of thing has cropped up before,
and it has always been due
to
HUMAN
error.
Just a few questions for thought….
The autopilot and autothrottles were engaged when the first indication of reduced thrust was encountered (2miles, 600ft radio, approx 45seconds to threshold) …..Was a cat3b autoland being attempted? Could there have been an ILS fault? Did the crew take manual control?
Thom DiGiacomo “Passangers seem to substantiate this possible scenario by the fact that several reported hearing the gear deploy and then immediately after the plane dropped suddenly and severly hitting the ground”.
I dont know the BA sop’s but I wouldnt have thought the landing gear being extended so late in the approach. Most companies as it stands…stable at 1000ftRA or 500ftRA latest. (stable=correct configuration, tracking, speed, thrust and checklict complete ideally BEFORE the heights).
If there was anything “wrong” with the FADEC, RR engines or Boeing’s design, the whole 777 fleet would have been grounded. Period.
What about pilot fatigue? Exceptionally long flight (very strong headwinds) from Bejing..
Dinosaur Jim.
In my opinion your water theory is plausible. Not to detract from the fact that you are creditably thinking in basic terms.
How about this// On a long haul sector, the plane is flying at cruise altitude -35 deg celsius; oat’ for many hours. A large quantity of water in tanks would certainly freeze. On a ‘straight in’ approach and landing, such a ‘large’ ice cube would not have time to melt, but may be ingested into fuel pumps, possibly damaging them. Of course there wold be a suction bypass, but ice could block this also.
The previous report announced that one engine failed to respond, followed shortly by the second. Since take off’s and landings require individual (tank to engine feeds) it could explain the delay in engine thrust failure and add to your ‘water in fuel’ theory. One thing though/// it was reported that engines continued to run, but did not respond to a “increase thrust” command. This is a poser.
It is expected that investigators will include rigorous checks on fuel suppliers on at least, the last three sectors prior to the accident.
My own theory includes the possibility of an electrical power spike. causing the computers to re boot at a critical stage. added to the fact that large powerful turbofan power plants take a time to spool up.
Dinosaur Bill
At 600 ft and 2 miles, they were at least 200 ft below the glideslope. Looks like they were too slow and too low. No time to get full power from a Jet.
It’s easy to point to the pilots and say “you must have been the cause.” Some times that is true and other times it’s not. The data flow a typical system is Auto Throttle -> Throttle Quadrant -> Throttle Movement -> Throttle Resolvers -> EEC (Electronic Engine Controller). Immediately prior to touchdown the throttles are commanded to retard to flight idel so that the aircraft will flare (pitch up to “dump energy”) and touch down. This retarding of the throttles is based on altitude information received from the radio altimeter. Radio altitude is received by the redundant autoflight computers, compared, voted, then used. The output of the FC computers is also voted. (The outputs are continuously compared and all computers must be in agreement to engage autoland for a CAT III approach (basically autoflight to touchdown) If there is a disagreement prior to decision height (commit to land) then is will be annunciated to the flight crew and a go around initiated. After decision height the odd computer output will be voted out (discarded) and the landing continued.
The EEC computers are dual-dual. i.e. each EEC is two independent channels. (this is speculation based on what I think I know) and if the active channel self detects a fault or stops working, the secondary channel is capable of immediately assuming control of the engine.
A systems safety analysis would have been performed to ensure that based on expected failure probabilities of hardware components, the probability of loosing one engine is less than 1 in 10,000,000 hours of fleet operation. The probability of loosing both engines would have been shown to be greater than 1 in 100,000,000 hours of fleet operation. A common cause analysis would have been performed to identify and classify single points of failure which would be capable of causing loss of both engines. If such a common cause had been identified during the design the system design would have been changed to remove that potential. Part of a common cause analysis is a “zonal analysis” which attempts to examine the system response to physical damage (a piece of wire falling between two terminals cannot cause a total loss of that particular function.) This usually results in mechanical/physical separation of terminal blocks, connector pins, wire bundles, etc.
The folks who perform these analysis are also airline customers by the way and they will take their families for transoceanic flights even KNOWING the failure modes and effects.
Couple of things based on the reports so far.
(1) Adequate fuel based on reports of fuel spill
(2) Throttles were advanced manually.
(3) Engines started to spool up, one spooled down followed a short time later by the other to a thrust “above flight idle.”
Fuel starvation seems to be discounted by (1) and (3) (lack of fuel or internal icing of fuel causing lack of fuel flow.) Failure of the auto land systems would seem be discounted by (2) (i.e. flight crew manually advanced throttles and engines did not respond.)
Based on the above data flow, a likely point to examine would be the throttle quadrant itself for an unanalyzed common mode failure. This possibly would be a mechanical type of failure caused not by an inherent fault in the design (although a different design might preclude such a fault) but on excessive wear, improper maintenance, or “external influence” (for example a cup of coffee spilled in “just the wrong place”)
Specualtion is fun, but usually is wildly wrong – which is why these investigations take so long to conclude. In the end, the cause will be, as are almost all accidents, perfectly clear and evident in the light of perfect hindsight.
SpeculationIsFun
An interesting story well put. I do not blame pilots but you did mention “a cup of coffee spilled in the wrong place”
Since it has been reported the aircraft cruised over Russia and Northern Europe with unusually low oat’s -60 or -65 deg c surely it would be prudent to consider this effect upon the normal water content in aviation kerosene. Could it not have precipitated and turned to ice? Would it not have taken considerable hours to dissolve, even at ground level temps? This ice cube may not have spilled out or have been noticed after the landing. Instead it may show a high water content on an examination of the tank dregs. May be misleading to investigators and wrongly point to fuel suppliers.
Many years ago a refined fuel spec was available, specifically for high altitude long haul flights over low temperature areas. B707 used this fuel when required. As I recall it cost 5 cents US more per Kg. at 1980 fuel prices.
It is my opinion that samples of fuel uplift from bowsers should be cold soaked at minus 65deg for several hours and examined for water precipitation. Thrust demands can not be met without the aid of fossill fuel, however reliable the software.
Dinosaur Bill
A lot of interesting speculation; inevitably “Pilot Error” is an easy conclusion – especially when there is something not-quite-right that “someone” may not want to be made public.
Running out of fuel strikes me as highly unlikely because there was spill and most airliners have a sort of header tank for every engine which provides for a significant flight time even if the main pumps are out of actio; as another correspondent says the engine-driven pumps are designed to cope with that situation.
As a mechanical engineer with over 40 years in aviation I automatically distrust electronics! But a simultaneous double failure of both FADEC units – no way. There remains, though, a remote possibility of loss of power supply to them both – maybe a drop in voltage outside the normal range – that could have tripped circuit breakers or caused them to go offline? Of course I can’t know the answer, but accident investigation requires every conceivable possibility to be examined and, only when proven not to have any connection, can it be discounted. Unless AAIB gets lucky it could take quite a while to determine the cause. Nevertheless, luck is on their side because the damaged aircraft is in good condition, not scattered on the sea bed as were the Comets and Victor XH668.
Having served a 6 year apprenticeship in the mid 1950 with Hawker SiddeleyAviation ;followed by many years with B.E.A. and British Airways;was fully aware of the importance of doing a water check on re fueling ;on a night stop aircraft and at the fuel companies bulk storage unit.With flight crews often re fueling the aircraft,I can but guess that fuel water checks as once done by the ground engineer , are a thing of the past.Perhaps when the outcome of the Boeing 777 heavy landing is known;it may become necessary to reconsider the importance of eliminating water in the fuel.I await the outcome with much interest.
To Engineer,
I agree simultaneous failure of both FADEC , no way!
But, I do not agree of a possible loss of electrical power to both.
This Category of aircraft would never have been certified with the same bus powering both FADEC.( each would have its own power source and distribution)
All systems on this aircraft are designed to be “fail safe”. No single failure can jeopardize the safety of the aircraft.
To Bill Rendell
Aircraft STILL operate in those extremely cold environments,and guess what ?
That more expensive fuel that was available in 1980 is still available. It has Prist an anti icing additive.
These aircraft have fuel heaters in the tanks and or an anti ice additive is added to the fuel to prevent water in the fuel from freezing.
hello every one , i would like to say about 777 accident is that when a big aircraft lands at air port then the wing tip vortices are formed at its behind for a longer area. so i am sure that due to that wing tip virtices air gap or pockets are formed so when 777 was coming there might be a chance that due to preceeding aircraft a air pocket was formed and 777 could not get the air for a very short period of time i am working in pakistan int airline for 1 year my p no is 62607 thanks a lot every one.
Aircraft total power failior……….unlikely.
Pilot / human eror………very likely.
Likely causes :
1) Delayed engine rev-up time……….the pilot had left it too late.
2) Computers cut power. A similar incident took place in France during the launch of the then new “highly computerized FLY BY WIRE” A320. The pilot was demonstrating a very slow pass over the guests with his flaps deployed and landing gear down. After the pass he throttled up. The computers cut power thinking the pilot had made a mistake, as he had flaps and gear deployed…….and that ment he was landing, and not taking off.
COULD THIS BE THE CAUSE ??????
The latest word from the scene.
There was plenty of fuel and there are no contamination issues.
It looks like a computer anomaly that was supposed to be so unlikely that it was considered impossible, did in fact occur. (This anomaly has occurred on the 777 before but in only one engine.)
The investigators are not sure if the problem is in the fadecs themselves or is a corruption that disabled both parallel redundant channels (each engine) that transmit thrust lever angle (TLA) to the fadecs.
D K Shahzad may be nearest to the cause.
We all know how precisely all the planes are one behind the other and at Heathrow they can be but 60 seconds apart………..they also all are so auto matically controlled on approach, that they all open up throttles for more thrust at exactly the same place. Since so many planes are nowadays so similar, being of the large twin jet type, and with millions of landings in dense convoys, it is inevitable that one day, hot exhaust gases, low in oxygen could coincide with the following plane’s giant engine intakes. This would severely compromise performance, flummox the exacting electronic engine management system or even cause flame-outs whatever the throttle position and at the critical moments.
The above silent, invisible, deadly menace could be lurking at any busy airport approach.
If this is a software fault, then the 777 needs to be grounded immediately
I don’t think they’ve ruled out pilot error yet. Capital mistake to speculate in the absence of facts.
For another example, look at the crash landing of Indian Airlines, 14th February 1990 on approach to Bangalore airport, on a clear sunny day with 10Km visibility. There was a big hoo-ha about the then new A320, but it was ultimately proven to be pilot error. Now one can say that there’s a little difference between the skills of a state owned domestic airline pilot and the pilot of an internationally renowned carrier, but at the end of the day they are both human and have the potential to make mistakes.
Two words “Human Error” , if a design or maintenance defect were suspected, the fleet would have been grounded. I suspect they know what happened and are busy trying to prove it. In the end it may be some type of obscure defect, brought to light by a screw up. Something like jump starting a DA 42 and then taking off with a dead battery. A defect found by human error. The pilots have a lot of control over the fuel in those planes, could have been plenty of fuel, all in the wrong place…….
Several things have bothered me about this crash.
1. Why weren’t all 777’s rounded? or at least
2. Why weren’t all BA’s 777’s grounded? but…
3. Why aren’t people asking more questions about this incident? A major world airline involved in an accident at an International Airport…….why are we so non-plussed about this?
Too low…too slow? “What’s that?, you want more power?” “Computer says No!”
(Little Britain, 2006)
Maybe we will cancel our next trip on a 777- seems someone is not coming clean with the potential hazards of using big twins for transoceanic crossings- Bermuda run for example .
Old (faint hearted) aviator.
guys Just a few facts that you might be interested in , On contact with the ground the port engine was still producing thrust , albeit at alow level , the starboard engine had already stopped . How do I know this ? look at the photos of MMM after impact the fan blades of the left (PORT) engine are broken off ergo it was still turning under power , right engine had no damage to the fan , why because it wasn’t turning….
Secondly the red herring about freezing fuel … This isn’t going too wash , the A/C has stand pipes in each tank which prevents bilge fuel / frozen fuel from being supplied to the fuel control systems and hence to the engines . BUT , there is some evidence that something went wrong with the fuel flow in the latter stages of the flight .The data recovered says that there was a fluctuation in the burner pressure (pressure inside the combustion section of the engines ), this could indicate either that the fuel supply was being restricted , OR there was contamination of some sort .In either case evidence suggests that despite FADEC demands , the fuel was not being supplied as demanded . The fuel systems have been checked for contamination , there is none evident down to 10 microns , so why was there insufficient flow to allow them to accelerate?
We don’t know yet , but my guess is excess water which confused the FADEC.
This is possible as very cold temperatures during the flight down to -60 were recorded, which would suspend the water in flight , however on the descent /approach this may have melted and mixed with the fuel to confuse / affect the fadec. BUT THIS IS ONLY A THEORY … Lets wait for the resuls from the AAIB…
A fan around 3mtrs diameter with an airflow of at least 100kts can not have been stopped//. my guess is that tip damage occured due to intake ovality upon impact, even if they did not break off. Both fans were turning.
Guys i have been told what i believe is the hot oil.Stop blaming the Pilots.The aircraft came out of base maintenance 3 weeks earlier.They got a filter bypass warning.You will never guess what they found in those filters.Like to tell you but the witch hunt is on.I don’t feel sorry for BA they wanted to cut costs.Great.
Here’s the correct link to the Heathrow article:
http://www.aaib.gov.uk/latest_news/accident_to_boeing_777_236__g_ymmm__at_heathrow_airport_on_17_january_2008___initial_report_update.cfm
There’s nothing in the report to suggest software was at fault. While you may be correct, there’s not enough information to know at this stage.
Michael Krigsman
ZDNet blog: http://blogs.zdnet.com/projectfailures
Twitter: http://twitter.com/mkrigsman
Michael: Thanks for the link. Remember that my original post uses the word “guess” twice. I would fully expect my guess to be wrong. The fuel system stuff confuses me. My experience is with light twins (piston through turbojet). In all of the planes that I have flown, the left and right fuel systems don’t share anything. They have separate fuel tanks, separate fuel pumps, separate fuel filters, etc. I can’t think of anything in the fuel system on a Cessna Mustang, Twin Commander 1000, or Piper Seminole that would cause both engines to lose power simultaneously.
philg centre wing tank.I’m not interested in sealing CAA thunder.I will wait for the announcement.Can you see the human factors vultures sitting on the fence waiting to fly in and feast.I can.
Of course, filter contamination combined with bypass blockage is a possibility.
Partial blockage can have permitted sufficient fuel flow for flight idle power, but not for higher thrust demands.
Practicing Airline Maintenance Engineers are made aware of the necessity for extreme vigilance, while working in such critical areas; also, the legal requirement for ‘independent duplication of inspection tasks’ after the maintenance of ‘safety critical’ systems such as flying controls and power plant control systems. (including avionics)
All reputable Airlines, provide approved training courses in such matters at high costs. BA are among the leaders in this field.
As Toss has said “I will wait for the announcement” Surely Airlines as well as Regulators, will learn much from this expensive (albeit, lucky) accident and take appropriate action to ensure the future of air safety.
It appears that ‘Posters’ may have run out of ideas on the causes of this accident// Nevertheless It was an interesting debate, with inputs from ‘obvious’ professionals and others. Most of them valid and based upon expertise in their various areas of aviation technology and human fallibility. It is to be hoped that CAA and AAIB are able to determine the causes without too much delay.
I guess most of us realise just how much we rely upon Safe Air Transport in this day and age. In my experience (after 50 years in the business), it is the safest means we have in getting from A to B and back.
Each and every incident (however rare) must be treated as a lesson to be learned. Never to be finalised as ‘another isolated occurrence’
Our forbears looked after their horses and carriages// We must now do the same for our flying machines, cruising 8 miles or so above ground and water.
The Human factor is always a possibility; however, should there be a rotten apple in the barrel it has got to be removed before it spreads and contaminates/// Let’s all hope for a positive reason for thrust failure, so it can be stamped out, never to occurr again.
For those who may not have seen it:
AAIB S1/2008 SPECIAL BULLETIN Reveals details of some fuel system anomalies.
Although conclusions have not yet been drawn, it would tend to weaken a case for pilot error. The final report is probably still some time off but, I would make a guess that the crew will not be found guilty. (in fact they will be commended)
I have no connection with any of the Flight deck,or Cabin crew on the flight, but I congratulate each and every one of them.
In my opinion they acted brilliantly to minimise injuries in very difficult ‘possibly tragic’ circumstances.
Howdy,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Good Greetings to All
Heads Up! This not the first problem from China fuel contractors. For those aircraft operations requiring refueling in China, it might be prudent to be very selective and closely (personally) attend to the refueling operations. Dip sticks won’t cut it.
Subject: British Airways — London — Boeing777 Complete Power Loss (Approach to Landing — Heathrow Int’l. Airport, London)
This snippet of early findings came from several sources such as Boeing 777 powerplant engineers, Boeing777 pilots and feed back from our British cousins.
The magic word again is China. The subject of the dead Boeing777 is showing early signs of fuel contamination as to primarily fuel/water ingestion. The flight originated in China. The suspected water mix probably migrated to the bottom of the tank. It was an extremely long flight so cruise occurred with a high fuel/water ratio for most of the flight. During the landing approach phase, as the fuel supply reduced to normal approach quantity, the ratio changed more toward water. Due to the many hours of cruise -50 C temp the water in the bottom of the tank was either frozen or of a high viscosity sludge. As power was reduced at some late stage on final approach, the engine fuel pumps provide less suction pump power and as the throttles were advanced — the fuel filters were now probably clogged.
There is also evidence that the RAT (Ram Air Turbine) had deployed automatically by sensing lack of hydraulic pressure indicating that both engines had now failed. The RAT probably saved the day in that the world’s largest glider still had enough hydraulics to provide flight controls allowing control to the clear way at the end of the runway.
The Boeing777 then slid through the overrun and onto the runway that provided a surface that was at least survivable. All aboard survived. Obviously the fuel and the fueling operation originated in China which has repeatedly demonstrated a lack of quality control or concern in many areas.
None of this has yet been officially confirmed. Typically engines do not share much in the way of common components except fuel and in the new age possibly computer software, which is also a player. Based on the complete isolation of the engines the Feds have long ago signed off on the concept that all engines would not fail simultaneously.
Now we know differently at this point of the accident investigation Phase One. The NTSB, FAA and the British National Safety Bureau will eventually determine the dual-engine failure as to the primary and secondary causes and factors.
The copilot (First Officer) made the the approach and “landing” which addresses the left seat’s (Captain’s) cool measure of confidence in the lad.
Note: The RAT (Ram Air Turbine) senses a lack of hydraulic pressure and automatically or manually deploys into the airstream.
Stay safe, stay well and stay positive.
Best regards to all,
Jerry K. Loeb
Alternative suggestion from the British magazine “Private Eye” regarding the 777 crash this week. They state that the software development was compromised such that what should have been developed by three separate teams working separately to produce completely different control systems thereby creating redundancy in the systems was in fact produced by one company with three internal teams. Despite “Chinese walls” production controls in fact, say Private Eye, there was, via Boeing, a high degree of interworking such that in effect, there is only one software set operating the electronics. This for hundreds of thousands of lines of computer code. Reliable?
Not sure.
Duncan Stewart, Chartered Member Chartered Institute of Logistics & Transport, Associate Member British Computer Society
Better than 30 days since BA38 made the runway at close to stalling due to insufficient power response from both engines. Not one word of advice to operators of this “Queen of the Skies”, aka, “Titanic”….. What would you think of a clever electronic jamming of FADEC signals to the engines.. eg. “minimum power only”. Most distant seating to the FADEC’S from center aircraft, 15-20 mtrs?
I’ve been flying professionally (military,corporate, airlines) since 1973 and trained by USN Post Grad School, as an Aircraft Mishap Investigator. Never in my entire aviation career have I ever seen such a “Blackout” from the professionals regarding an aircraft problem with such potential for a “poor outcome” if repeated. Really folks….. we have a plane, the crew, and the best brains of the industry. I fly this machine, and, the “blackout” really bothers me!
So, maybe they (the pro’s) know so much about the cause of this mishap that they view it as highly improbable to ever be repeated…. and that is their justification to keep everything cool. But, it did happen…. and, they (the pro’s) have convinced everyone that it could never happen.
My uncle is 81yr old and huge aviation fan, although a retired minister,and, a B-17 gunner of hundreds of missions in theatre, and several patents of electronics…… his first question to me post mishap BA38…. How do those engines get their fuel signals? Are the motors highly shielded from electronic interference? Think about it!
China fuel? That should have been established by now, after bowser checks.
Fuel freezing? Still more than a possibility of high water level in sumps, proportionate to ‘end of sector’ fuel contents.
Solid contaminants and debris at LP pump inlets? Still more than a possibility; resulting in (damage to vanes at LP and HP pumps and damage to matrix of the oil heated fuel heaters)
Ecc software? A possibility, if recent updates or modifications were applied to both engine systems at the same time. In my day it was considered prudent to modify only one ‘critical’ system until results of the alteration were proven in service.//
Being an engineer, not a pilot. I believe we should turn every stone in our own areas and disciplines, before even a mention of ‘pilot error’ They accept our signed certificates that all is in order. They are at the coal face if anything goes wrong. In this case it did, (and seriously)//
Crew reaction and expertise, resulted in a hard landing, loss of an aircraft, but only one serious injury. Well executed by all crew aboard.
A further consideration in the area of fuel pump cavitation.
The possibility of partial or complete blockage in the fuel cell ‘venting’ system has ocurred to me.
If the vent system were defective or blocked, ambient pressure above the fuel head would not increase as normal during descent; therefore, differential pressure between LP pump inlet and outlet would be adversely affected . This flow ‘reduction’ would be passed on to HP pump and engine injectors.
Apart from the structural effect upon wings, fuel flow to the Engine burners could have been severely reduced, such that a ‘increase in thrust’ demand would not have been met. (however hard fadec or other electronic devices worked on it).
Let’s face it// Trust devices need fossil fuel energy to produce power// These motors did not get enough of it at a critical stage; however much it was required.
We can either guess and blame software, or dwell on more simple and basic causes.
My own guess is that forces of nature had the winning hand in this incident// Fuel starvation resulting from adversely low temperatures over a long flight time period.
Wow. This is a great comment thread.
I want to hone in on something Paul said “In the end it may be some type of obscure defect, brought to light by a screw up.” This reminded me of Noam Chomsky debunking 9/11 conspiracy theories (video on youtube) and explaining that even in highly controlled scientific experiments, unexplained coincidences and events happen. I see landing a huge aircraft as a usually well controlled and incredibly routine experiment in physics — but increasingly, electronics and embedded systems programming too. As much as you can test, validate, verify, run disaster simulations, have redundant backups, etc. you are still depending on increasingly complex systems to perform the same task that a a few pulleys and cables performed for decades. So to me it seems possible that as Paul speculates, there might combination of factors, which one could “put…in some kind of pattern…which may be completely meaningless” as Chomsky puts it about the WTC collapse.
Having read the thread though, I think the fuel argument is a compelling one. But to related it to the point I was trying to make about complex systems and strange coincidences, allow me to totally, wildly speculate with a little science fiction. What if on a first-generation passenger jet aircraft (747), the fuel pump works like that an older car. It just pumps with a primitive feedback mechanism. This is probably not true but let’s say it was. On a jet with ice sludged fuel, the throttle – however that works on a jet engine – will open, and be partly block by the slush, but enough gets through that the engine spools up, just a little slowly. On a computer controlled aircraft, we can precisely modulate the fuel pump to match the demand from the engine. Computer signals throttle to open. Engine doesn’t response as quickly as computer predicts it should. Who knows why. It just sucked in a bird or the ice has already been blocking the flow. Computer freaks out, adjusts PWM of fuel pumps to put them in super pumping mode. Because maybe the throttle is jammed and the jammed-thottle detector is sending ambiguous signals and the only thing it can think to do is the rev up the fuel pumps to push more fuel in. Oops! The incredible suction now magnifies the problem, sucks in much more slurpee slush, and lifting it from the tank bottom, than the former pump that puttered along at the same rate would have done. And maybe, just maybe, most pilots like to slowly edge that throttle up, linearly, as they approach. For whatever reason this pilot decides to use more of an log shaped throttling, uniquely (given the bad fuel and mis-programmed fuel doohickey) triggering this unfortunate outcome.
Of course I KNOW this is all absolutely incorrect. I’m sure people who actually know _anything_ about jet engines or flying them – and I don’t -might well be laughing. Fine. It’s just a hypothetical example of how well-meaning automation could compound the problems of “unintended consequences” in a complex system event like an aircraft landing with bad fuel. I’m sure it can’t be something so simple because Boeing has a huge collective of millions of experience-hours designing jets…but even the huge collective could have missed something really obscure.
BTW I only happen to know about fuel pumps (not being much of a gear head myself), and to have thought of them in this case, because once or twice a summer or so my Accord refuses to start. (never had this happen in 12 years of driving 3 different Camrys) First time it happened I asked a guy at work who’s a Honda gear-head what to do. Instantly, he said, “Leave the key in the on position for 5 seconds. Turn it to the off position but then immediately start it.” Works every time. Systems have quirks.
David has produced some interesting points, using basic physics and creditably, not confusing them ‘with high tech jargon’
Another, ‘AAL’ B777 aircraft powered with RR TRENT engines was involved in a similar incident on approach to Los Angeles from Miami. On this occasion it occurred at around 2000ft and probably, away from interference from any ground electronic devices ‘such as PM’s mobile’. The a/c was on autothrottle.
A demand for more thrust was answered by the right engine but the left engine hung at approach idle for a ‘trembling’ period of 10 to 15 seconds and then spooled up to the demanded power. This indicates to me, that the electronic controller was functioning correctly, but fuel supply was not sufficient.
I submit: what else but a fuel system defect, ice or other contamination, would prevent this mighty thrust provider from getting it’s food. (kerosene) Probably, the AAL flight was using the standard fuel specification on that sector. ie. not containing low temperature anti icing chemicals.
Kerosene contains water in suspension:
Aviation fuel supplied to a/c operating at high altitudes, at very low temperatures over long time periods, should contain an anti icing additive to minimise freezing effects. Also, engines incorporate a heat exchanger device to cool the engine oil and heat the fuel at the inlet to the high pressure pump (engine driven).
One point to be considered: On descent, when motors are running at low power, engine oil temperatures are obviously lower; therefore the “hot oil” effect upon fuel heating is possibly less than required. Could it be, that at this stage a significant reduction in safety margins takes place???
Could it be that on initial descent the heat exchanger cooling the engine oil or heating the fuel supply inlet to HP pump is not able to pass sufficient BTU’s to prevent ice contamination?? Is this not ‘food for thought’ ??
Another point for consideration: Fuels containing the anti icing additive are usually more expensive than standard specs. Could it be that certain suppliers are capable of uplifting standard specs but charging for ‘more expensive’ low temp specs ??
This is not intended as an accusation; simply more food for thought ??
Please comment.
One can submit what else but a fuel system defect (kerosene) could prevent such a ,mighty thrust provider from gett ing its food……. and one can answer that. The kerosene needs oxygen to burn well and the mighty inlet fan needs a steady supply of cold dense air. Compromise either of these by warm, vitiated, potentially vortex-ridden exhaust streams from the convoy of planes and their giant engines exactly in line in front……and you could really flummox the fadecs. These risks are slight; but if they occur millions of times per year, one day they could cause exactly the symptoms seen at the 777 crash landing. I for one will be very glad when Heathrow operates both runways in mixed mode to space out take offs and landings more.
So true Peter// kerosene and oxygen are certainly the two most important food supplements for thirsty giant jet engines.
Airplanes approaching the worlds busiest airport are now probably less than 90 seconds apart at peak times. However. Hot air rises, according to physical laws; your theory should surely affect other traffic in the same approach path.
This aircraft was well below the glide slope at 2 miles out. Surely there would be an abundance of oxygen at that level.
I have been in the line waiting to take off at Heathrow// If the oxygen theory is plausible then it would surely affect ‘heavily laden’ aircraft taking off behind others at high power settings, much more than approaching traffic at low powers. Good thinking but I don’t think so. Regards//
Regarding my posting on March 8th: AAL 777 aproach to Los Angeles from Miami. I have learned that the speed brake lever is positioned to the left of the port engine thrust lever// Therefore, if Captain was handling, then P2 would need to pass his hand over and above thrust levers in order to operate speed brakes. An auto throttle demand for thrust increase moves levers fwd of course; but apparently, only approx 1.5 lb restriction is sufficient to halt movement.
Could Left engine lever have been restricted by P2’s arm, thereby causing the ‘hang up of the engine power response to auto throttle demands??
That incident may not be allied to BA 777 since P2 was the handling pilot in that case. However, I submit, it is more ‘food for thought’ in relation to revising operating procedures. If restriction or friction to thrust lever movement is able to prevent a power increase demand from taking effect!! then perhaps the Jan 28th posting by ‘Speculation is Fun’ holds water//// ‘a cup of coffee spilled in just the wrong place’ Let’s think on it//
Awesome thread everyone! Have you noticed the miraculous presence of the longer clearway before the runway and then NO approach lights?!?!? Imagine the destruction and explosion of that aircraft decelerating thru approach lights. How does one of the busiest international airports in the world not have approach lights?! And if this is primarily a takeoff runway, then thank Goodness they landed here. Remember the AA crash in LIT June 1999….approach lights were the killer. Thanx all for your deeply insightful posts.
Mark 777 loyalist. Please take another look//
Runway 27L does have approach lights. They go all the way up to A30. opposite the fence. This flight could easily have contacted them at 60 feet lower. (and the vehicles passing under it’s path). Regards//
I’m a frequent flyer, after noticed the BA 777 accident, I remembered that, before I had the strange experience on Beoing 777s, on both Japan Air Lines (JAL) and Air China (CA) 777s, during the final approaching stage, I don’t know the altitude, maybe 3,000~5,000 ft, engines generated normal sound and some slight “vibration” that made you feel the engines were running, but suddently, there were about at least 30 seconds of ” very slient and quiet ” period, it’s so strange to me, that you could not feel any sign that the 2 giant engines were running, that made people nervous about the possibility of engine stall in the mid air during the final approaching stage. maybe FADEC works well, but personally, I would prefer the mechanical linkage as the back-up.
Weng, I notice the same feelings. It’s either adjustment of flaps, lowering of undercarriage, or the more likely movement of wax in the ears as cabin pressure changes giving moments of silence and then normal hearing.
Or was it something else…..the deadly, silent, invisible menace at the approach to busy airports……streams of vortices from the planes in front (can cause slight aircraft movements to the aircraft behind), or hot low density vitiated exhaust gases that cause far less power and noise from the giant inlet fans….and sudden loss of thrust! Yes I know hot air rises…..but it rises up into the descending flight path of the plane behind. Older long thin turbo-jets would be unaffected by poor inlet conditions.
peter field. Referring to your last comment. Final sentence.
Why would older long thin turbo jets be unaffected by poor inlet conditions??
It has been my experience that a starvation of oxygen or a reduction in mass air flow through the engines of ‘older’ jets due to compressor inefficiency, resulted in a serious rise in JPT or EGT causing immediate concern to flight deck crews. (Bird strikes etc. sometimes caused compressor damage) They would then have taken action to (manually) throttle the affected engine to prevent further damage, after observing the sudden rise in turbine temperature.
This of course, was way before the introduction of FADEC that apparently takes the option out of their hands. We await the official final report, but I will hold to the fuel starvation ‘due to ice formation’ probability. It would be interesting to learn how you arrived at the conclusion in the last sentence of your post.
The Engineer Officer was responsible for monitoring parameters on the older jets// now he is redundent. We now have machines and software doing his job. More food for thought??
Bill, you were right to challenge my over simplistic last sentence that older thin turbo-jets would be unaffected by unsatisfactory inlet conditions. I meant that in days past, bad inlet conditions would be less likely to compromise thrust so severely. There are several reasons.
Older “heavies” tended to have 4 engines, thus reducing risk of all exactly in line to scoop up bad conditions; the long sleek engines had a far smaller inlet cross sectional area so less lileky to scoop up vast volumes of bad air; the sleek engines had a far smaller radius of gyration so could spool up quicker to compensate for compromised conditions; the older engines got the same “oomph” (mass of air times velocity rise) by more velocity and less mass flow, so less affected by compromised mass flow; the giant 110″ fans of the 777 do most of the thrust and are very affected by vortices/temperature. My gut feeling is larger numbers of smaller diameter compressors are less prone to trouble. Compromised conditions on older engines could temporarily give poor performance but didn’t have the extra complication of fadecs scratching their heads working out best adjustments which can take valuable seconds; older planes may not have all followed such an accurate flight path where all planes add thrust (and dump extra exhaust gases)at exactly the same place; large fan jets need extra fuel (and exhaust gases) to accelerate the 110″ fans first before extra thrust is obtained.
But you are right; most likely cause is a fuel problem per se or a mixture of fuel problem and fadec confusion.
Its just that when one sees (from the M25 at night) convoys of jets one after the other,coming in to land, millions of times globally in a year, one wonders that a chance in ten million of gathering hot vitiated gases lingering, could just cause a mysterious mishap such as this.
April 7 WSJ article on engine icing:
“The odds of both of a plane’s engines shutting down at once were supposed to be about one in a billion. Since 2002, however, internal ice has been blamed for at least 14 instances of dual-engine shutdowns, called “flameouts,” and several times that many single-engine outages. Investigators now believe that since the mid-1990s, so-called crystalline icing has prompted dramatic power drops or midair engine stoppages in more than 100 jets. So far, the flameouts haven’t been blamed for any crashes, because the engines on big commercial jets have always managed to restart.”
Peter, Thanks for your plausible and detailed explanation of my query about older slimmer power plants// I found it interesting and could identify with your line of reasoning.
PAPIS or ‘line ahead’ approaches may easily cause the ‘big boys’ to dump thrust or eject exhaust gass, in precisely the same area. Combined with 50% reduction of power against 25% on thinner 4 motor jets; as well as the added penalty of increased spool up times, could well reduce the margins we have been used to. (add to this the fuel icing probability in this case)
Living in a quieter area close to Heathrow, I have also observed the apparent reduction in the ‘line ahead’ distance between approaches. The ‘supply and demand’ effect upon traffic density can surely only reduce the expected safety margines// unless modern technology is capable of (at least) keeping abreast. But at what cost??
I am sure an alternating !curved! approach path would help to reduce the compressor contamination theory, but of course in turn, would cause concern for residents living below the 3 flight paths’, as well as commercial considerations of costs (and who will pay ???)
After very many years in aviation, I know, that maintaining ‘even minimal’ safety and quality standards do not come cheap. However, Jo Public will most likely try to fly with an ailine charging less than the pioneers. (Band Wagons??)
There is yet another lesson to be learned from this accident. Let us hope it will be learned and that “All” will take note//
http://www.aaib.gov.uk/cms_resources/S3-2008%20G-YMMM.pdf
For those who have not yet seen it. Above, is the reference for the latest aaib report.
Perhaps (if it is not aready underway) it would be prudent to investigate possible restriction of the tank vent system and its effect upon’a less than ambient’ pressure head above the fuel, on descent.
Its taking a very long time for a complete report to come out.
Where can fuel turn to slush, not freeze, and reduce the flow to the engine after a long cold soak at altitude ?
Filters?
Fuel cooled oil coolers ?
I do not want to even take a chance on guessing as to when the B-777 investigation will be complete. Now, with the stakes being so high .That is, the Boeing Vs Air Bus competition for sales being what they are at the moment. However, had the BA B-777 accident occured in France instead, the JAA investigation would by now be history.
The British have this unwritten attitude and behaviour towards the Americans. Go anywhere and we will blindly follow you. Yeah, be it to Iraq , Iran or Timbuktu. Worry not how you blunder , we’re there to muffle the thunder.
The truth will however come out in the open. It always does.
Sirs, the report on the 777 accident is now published, to quote a lady in a letter to a newspaper eloquently commenting on a 2 year study by a university in Belgium ” After 2 years hard study they have come out with the bleeding obvious”
As time went by after the occurrence we heard many theories given by both manufacturers and pundits, strangely enough the airline was staying very quiet, this led to people ‘experienced aviation people being very suspicious’
HP pump cavitation, both at the same time, hardly!
Some sort of fuel contamination? FM procedure is for straight feed on approach each engine dependent on its own tank.
Fuel shortage? with FMS you would have to work at running out of fuel ‘Fuel on Board, Distance to Go, Fuel remaining at Destination, all on permanent display two separate CDU’s.
There was only one common denominator “ICE” the general need for Engine ant-ice ‘ below +5c with visible moisture, “those conditions did’nt prevail”
Cold soak! in a later report the CAA stated that the A/C had encountered an area of very cold air -74 deg C over Siberia/Scandinavia the aircraft I believe was using fuel with a freeze point of -47 deg C.
An extract from the fuel management section of the B747 FM states that fuel tank temp should not be allowed to decrease to within 5 deg’s of min fuel freeze point. If total outside air temp approaches -65 deg’s then tank temp should be monitered as indicated temp is TOAT minus 25, action to be taken is to shake the wings and if this is not successful descend to a lower altitude.
Flying many times between Alaska and London we would get a TOAT of approaching -65c and the fuel temp would be hovering around -35, but then the F Eng had a gauge that could be monitored (two things missing on the triple 7) I find it hard to believe that with a prolonged temp of -74 the tank fuel did not fall below -34. Also as the vol/mass of fuel in the tank decreases conduction of hot to cold increases and in descent with idle power there is little fuel movement. As for the FADEC I think in 2000/1 there was a special check initiated on the American engine this entailed checking the joints of the pipes supplying air data to the FADEC to eliminate moisture that had frozen and caused nil response to thrust demand.
Well the report is published but I fear it is a compromise as ever between the aviation authorities, manufacturers and airlines. The push towards full automation, need to know training, min cost, min crew, min fuel, min engines and min diversion distances.
Having seen the new, very detailed AAIB report, ice may well be a contributory cause. But now having seen the layout of the kerosene fuel system, a thousand times more risky is the spill return from the fuel metering valves passing back into the inlet of the h.p pumps AND the fuel preheater just upstream. Any problems with the control of the preheater, receiving very hot lub oil from the engine, and the kerosene could easily get up to gassing temperature… a situation exascerbated by the spill back control. The very constant fuel flows of 5000 and 6000 lb/hr in the last 40 seconds, could be caused by the pumps handing an amalgam of gases and kerosene. This is the elephant in the room. The Report cleverly does not mention fuel temperature AFTER the preheater, how the preheater is controlled; or how the flow meters work. The actual liquid kerosene flows could have been a lot lower than the above figures.
The AAIB report is very detailed as expected. However, it does include more than a few estimations and presumptions. I would have expected such a report would be confined to established facts. However it is interesting reading that provokes thought by all interested parties.
I dont believe much attention was paid to the probability of a reduction in engine oil temperatures after a lengthy ‘staight in’ descent. Thus reducing fuel heating efficiency. In turn, adversely affecting dispersion of ice into EDP’s.
Should that be a possibility, then certainly, oil/fuel heat exchangers ‘do’ require modification to include an alternative means of maintaining efficiency under those conditions.
To Peter Field// The lube oil may not be that hot; using supercooled fuel to remove heat from it, after a legthy period at flight idle.
Let’s trust it will be sorted soon.. A similar accident surely would not meet the same fortunate conclusion///
The 777 fuel system is one of the most advanced fuel system of any commercial aircraft. It is not a old capacitance system it is Ultrasonic. Water detection, fuel density are just a part of the triangular calculation to determine fuel weight.
The idea of the FADEC code being the same for both engines is highly unlikely as the dual redundant system addresses are totally different. What I am wondering is if BA had equipped their 77s with a different engine other than RR would this incident have even occurred.
Bill RendellMarch 27, 2010 @ 8:59 am
77
Alex
Good to see you are keeping Phil’s Web Thread going into 2010. My opinion is, it has produced an interesting compilation of ideas and comments from many individuals. ‘Almost’ all, posessing an avid interest in aviation and safety.
It could be considered as a ‘Think Tank’ where all ideas are consulted; (however likely or unlikely). No idea or opinion is ridiculed and basics are treated equally with specialist technical opinions. Congratulations to all contributers.
Of course safety is paramount, but comes at a high cost to designers, manufacturers and the Airline (end users). They are constantly monitoring events ‘on a budget’ and applying corrections (enforced or otherwise)
On the other hand, ‘Jo Public’ is looking on line to find the cheapest fare to his holiday destination. He does not know the cost of operating and maintaining a modern aircraft.
To say “That is the real world” may be an understatement. Could cost cutting in fares lead to short cutting in maintenance? (“Get it out// it has to make the xxxx alloted service slot to Geneva”)
None of this is intended to reflect upon the 777 accident, only to provoke thoughts on dollas and pounds. But for the exemplary action by Handling pilot and Captain, This could have been a catastrophy involving thousands of deaths under the flight path.
Keep the thread going///