u bet the delay is unseemly. just wondering that we in pprune have so far filled nearly 80 pages of thread and are still none the wiser than we were six months ago. :ugh:re my typin i was being modest about my laziness in picking caps . flying wise im happy to inform u that big jets merely require basic typing data input from keypads . knobs and buttons are much more user friendly:)

Don't worry about Pprune 80 filled pages, some posts are regularly removed...

Still I would appreciate some update regarding the crew's behavior between the initial loss of power and AP disconnection. Any idea about when they noticed it, how they announced it and did they leave the AP on on purpose ?
Come on, this should be known by the time, simply with the CVR, and especially since they received the BA safety medal.
How do BA expect this medal to be considered serious if they don't release the appropriate info ?

Please don't remove this message (unless my question is too much embarrassing of course).

re my typin i was being modest about my laziness in picking caps .

Ah yes, the modern 'I am too idle to do it properly and so the reader can struggle with trying to decipher the text speak, poor grammar and lack of punctuation and capital letters'.

Just plain bad manners in my book but hey, what do you care?

Mouse.

I'm with you all the way. To the old military adage of 'any fool can be cold and uncomfortable', add 'any fool can communicate sloppily'!

Couldn't agree more M.Mouse, moderating a very busy forum, I get pretty peeved with lower case texting whena full keyboard is provided and supported.
Dyslexia one can usually spot and allow for (getting very common), but am intolerant of ALL CAPS and texting styles - its dumbing down and where does it all end, in the gutter with readers having to to do the hard work... there is a good reason written English has punctuation :ugh:

Not that this thread needs it, but add my $0.02 support to advocacy for proper communication. :D

If a poster can't organize his words, does not that call into question the ability to organize thoughts?

What kind of communication are referring to ?

80 pages of posts, unavailable CVRs or crew statements and all we get after 6 months is BA's safety medal for the crew.

Is there at least any information published on when did the crew notice the problem and on what they did do with their 4 free hands while the AP was flying the aircraft from 720 till disconnection at 175 ft ?

I think after 6 months these question deserved to be answered...

Ok folks. I'm in agreement on the txtspk thing but can we stay on topic please? Someone's on their high horse and we'd hate to deny them their moment of glory :rolleyes:



Duck

arsynapsis rear.

Why do you keep banging on about this award? Upset because you didn't get one?

The AAIB have issued their preliminary findings so your comment about waiting six months is really just posturing. I don't know which part of the world you're from but here on the mainland things get done properly. The report will be issued when there's something pertinent to say. You should try that approach sometime.

I have nothing against the award which values only when the related actions are available...

I understand the AAIB may need time to investigate a very complex technical issue, but what does it have to do with the crew actions in the cockpit ? Both are alive and CVR available.

It's little bit surprising to have a crew rewarded before we know why so forgive me if my question disturbs the "mainland"'s standards but in my part of the world we like to understand before admitting. Obviously you don't have any clue about what happen in this cockpit.

The report will be issued when there's something pertinent to say. You should try that approach sometime.

So the crew's actions were pertinent enough to be rewarded but not to be mentioned... interesting approach in did.

Moderator,

You recently deleted some of these rubbish comments and my dismissive reply to same. Kindly continue the good work.........

There is a subsystem installed on each and every aircraft, with the purpose to evaluate the trajectory of the aircraft under those conditions. They call it the pilot.

Sure. However, in this case, it seems neither the operator, the training organization nor the supervising authority had deemed it necessary to prepare the pilot for this particular variant of the task. Fortunately for everyone, luck was also involved. :ok:

Who cares if someone can't spell occasionally...stop being uptight...you know when I and a few friends travelled through countries, I wasnt annoyed that they can't speak english...So stop picking on people for being different...

Having sat in on a number of flight briefings on the flight deck, if trouble occures on take off/climb out the auto pilot is engaged to fly the aeroplane while the crew go through their procedures. I GUESS it would be the same for approach?

may i ask anyone who knows how long its going to be before the aaib comes out with a FINAL report . they have had 6 months, all the facts , the airplane itself ,and the crew at their disposal. speaking as a 777 driver myself we fly everyday wondering what happened . delay in releasing reports in my experience, i am sorry to say,. sometimes indicates cover up.

May I refer you to post 852 (http://www.pprune.org/forums/rumours-news/325095-ba038-777-aaib-report-43.html#post4043766), which comments on this...

This message is hidden because sispanys ria is on your ignore list (http://www.pprune.org/forums/profile.php?do=editlist).

Another one!

Having sat in on a number of flight briefings on the flight deck, if trouble occures on take off/climb out the auto pilot is engaged to fly the aeroplane while the crew go through their procedures. I GUESS it would be the same for approach?

Whatever happened to AVIATE, navigate, communicate?

Whatever happened to AVIATE, navigate, communicate?

Perhaps I should have been a bit clearer. The briefing includes what to do in a situation and if not already engaged - engage the autopilot.

Sure. However, in this case, it seems neither the operator, the training organization nor the supervising authority had deemed it necessary to prepare the pilot for this particular variant of the task. Fortunately for everyone, luck was also involved. :ok:

Bold my emphasis

I have often found that there is truth in the saying 'luck is a residue of skill.'

No-one seems to have commented on or asked about the relevance of the B777 fly by wire system in this close to stall situation.
Would things have worked out differently if the aircraft had been an Airbus?

No-one seems to have commented on or asked about the relevance of the B777 fly by wire system in this close to stall situation.
Would things have worked out differently if the aircraft had been an Airbus?

Chris Scott has already speculated about what a similar scenario would look like in the A330. It's an interesting read (http://www.pprune.org/forums/rumours-news/325095-ba038-777-aaib-report-31.html#post3958677).

The result would have been very similar, except for an earlier AP disconnect, shortly after setting the thrust levers to maximum (TOGA) thrust.


Bernd

I must have missed that. As you say - interesting.
Thanks

Jo

Two questions, the second of which is hopelessly naive but seems important to address if only to rule out:

1. Has anyone yet any confirmed example of any cavitation-induced damage to similar HP pumps on a Boeing?

2. Why is there now no presumption of a latent serious design flaw in G-YMMM and the 400 or so similar B772ER aircraft, given the tentative findings that G-YMMM was apparently operated within a normal flight envelope by competent crew with the correct spec fuel?

My initial view on the second question after the last AAIB report came out was that not grounding similar aircraft to the one with a demonstrated but inexplicable fault in which two out of two engines fail to generate sufficient power while on finals over heavily populated areas into LHR was arguably a bit like dismissing the fact that there is an elephant in your nan's living room - whether on the part of crew, SLF, the families under its flight path, manufacturer, regulators, governments, etc. As demonstrated, the flaw would seem to manifest itself at low altitude when most of us would agree that there may be no or severely limited options to extend the glide or land elsewhere.

However I have come around to the view that it is reasonable that commercial issues dictate that a plane with a latent design flaw continues to fly until testing or at least two accidents can demonstrate that the flaw exists in a way which is more than just an unfortunate and mysterious fluke, particularly given the otherwise unblemished record of a workhorse of a plane with a huge number of trouble free sectors. A probability driven analysis of a possible "catastrophic" failure repeating itself would seem to be the most rational aviation industry response consistent with the prime objective of safety as with other risk assessments associated with flying.

There does seem to be a danger though that, by giving a nugatory risk weighting to a likely repetition unless and until someone can prove the causal mechanism behind the flaw/fluke, the industry profits from continuing to fly these aircraft with the regulators' approval and such a rationale in the face of any future catastrophe is looked on with hindsight as being more cynical than sensible on the part of the various stakeholders tacitly or otherwise supporting it.

So you suggest they ground an aircraft without knowing what caused the crash? This was debated 5 months ago on these forums, and overwhelming deemed to be totally imprudent.

You cannot enitrely avoid risk anywhere, and to try to do so would set us back in the stone age. Live with it.

I generally agree with DXZH on the question of flight certification of the aircraft which failed to operate safely within the allowable envelope. From my perspective, the TMS 777 as configured, should not be certificated in environmental conditions which resulted in the accident unless and until it can be demonstrated that such operation is safe.

The 777 is a great aircraft. Nevertheless, it failed to operate safely under conditions which resulted in the LHR accident. Given no other data, information or analysis, it seems to me that the 777 must be restricted from commercial operation which approximate and exceed the adverse atmospheric conditions experienced by BA 038,

(TMS - Type, Model, Series)

TD

To restrict or to otherwise remove the certificate of airworthiness implies that you have probable knowledge of the the degree of restriction necessary or violation of the original certificate.

That has not yet been concluded by the investigation or the regulator

It was presumed that any fleet entering service does so by carrying a degree of latent unknown risk. Historical hindsight has shown that this degree can vary over time with some risks maturing into known risks which are then addressed over time by minimizations and corrective action programs, while still newer risks develop.

The issue is not which ones are latent unknowns and which ones are known and being addressed over time, but rather the question is how much risk is being carried over what period of time.

Restrictions and/or groundings are decided on the level of risk and not just whether the total risk causes are known or unknown.

Unfortunately, everyone is waiting for someone to scream EUREKA, the problem is solved.

Interestingly, in flight shutdown events have subsided with the onset of the Northern summer?

It would be a very simple, low cost palliative to introduce a bit of heat into the tanks near the feed pipe which would ensure that ice/wax is eliminated from future possible occurrences.

Not very scientific, but IMO "prudent"

I have come around to the view that it is reasonable that commercial issues dictate that a plane with a latent design flaw continues to fly until testing or at least two accidents can demonstrate that the flaw exists in a way which is more than just an unfortunate and mysterious fluke


Well that is an incredibly frank and honest statement.

Thinking about it, what other options do FAA/EASA have? Slice something off the environmental envelope of the plane as a precaution? Require that the engines be run up at least once during a CDA approach?

One thing that gives me hope is that there are precedents for extremely improbable failures being diagnosed years after the initial accident: e.g. UA585 and US427 ... the NTSB reports were finally adopted 10 years and 5 years after the accidents, respectively.
http://www.ntsb.gov/publictn/2001/AAR0101.pdf

Fingers crossed, but not holding my breath.

This incident had a cause. Period.
The consequences could have been extremely serious if the issue had occurred just a few moments earlier.
If it has happened once, it can happen again, unless something changes. Period.

The fact that the cause remains unidentified must remain as a significant concern.
IMHO and from what we have surmised sufficient data exists to implicate a combination of fuel / fuel delivery system / and environment.
Therefore I would have expected some form of interim procedure / system change to have been introduced to reduce risk until a full explanation is unravelled.

The most surprising omission IMHO is why increased fuel temp monitoring / modified temp threshold value / increased water drain off frequency (or conditions) does not appear to have been introduced, at least on this sector or with this operator.
Maybe such an action has been taken although not reported.
Such an action would be a low cost "palliative" and would also add to data collection.

IMHO I still suspect the "fuel" (i.e. including water from the CWT) in combination with other factors.
Not that it was out of spec, but that the current spec(s) / procedures are too loose in some way.
Its the only thing that was truly common to both systems.

As I understand, one of the factors in this accident was that the problem was recognized late, with very little time to react. Would it be possible (reasonable?) to change the procedures so that this kind of problem can be found earlier, for example by avoiding "long" periods at reduced thrust?

I am sorry for not making myself clear. I am not currently suggesting that the plane be grounded - quite the reverse.

However, the recovery of the aircraft largely intact and 5 months of investigation seems to make the decision not to ground the aircraft more difficult. This is because the tentative dismissal in the several months since the crash of the extraneous factors that would typically cloud the issue (eg crew performance, operation outside flight envelope, component failure, out of spec fuel, etc) makes it more likely that the flaw/fluke is a design issue.

Again, I apologise to you for not making myself clear but I strongly agree with you that a risk based assessment is the only sensible way to proceed.

Nevertheless I believe what would be imprudent conduct as you succinctly point out without evidence may become less imprudent (or even become prudent) if hard evidence seems to eliminate the other obvious possible causes, notwithstanding the causal mechanism of the flaw appears improbable and is not understood.

> Would it be possible (reasonable?) to change the procedures so that this
> kind of problem can be found earlier, for example by avoiding "long" periods
> at reduced thrust?

Perhaps but I don't think we know enough to say that whatever caused the problem can only show up after a long period at reduced thrust.

7 months and counting.
This incident had a cause. Period.

As all accidents, it had a number of causal factors. Never only one single cause.

The most surprising omission IMHO is why increased fuel temp monitoring / modified temp threshold value / increased water drain off frequency (or conditions) does not appear to have been introduced, at least on this sector or with this operator.

Fuel temperature:
The lowest total air temperature recorded during the flight was ‑45ºC

[...]

analysis of fuel samples taken after the accident showed the fuel onboard the aircraft [...] had a measured fuel freezing temperature of -57ºC


And:


Fuel Temperature
[...]
Fuel temperature will tend to change toward total air temperature.


As to fuel and water ...

The fuel has been tested extensively; it is of good quality, in many respects exceeding the appropriate specification, and shows no evidence of contamination or excessive water.

... and:

A sump sample taken from the left and right main fuel tanks shortly after the accident revealed no significant quantities of water.

If water from the centre tank had played a role during the final approach, it would have to have melted earlier during approach to be scavenged by the main tank scavenge pumps to the main tanks, and thus water would have to have been present in the main tanks. This was not the case.

(I take it that the term "significant quantities" implies such a quantity that it might exceed the operating limitation of the water scavenge system (which is effectively a fuel/water-stirrer), the fuel delivery system, the pumps, and the engines.)

Maybe such an action has been taken although not reported.
Such an action would be a low cost "palliative" and would also add to data collection.

And what symptom, exactly, would this "palliative" treat?

Seen another way, it would be an additional cost, with no benefit.

Still not entirely out of the question is a software problem. It is very remote, but so is every other possible scenario that has arisen so far.

If we exclude every possibility that is "very remote", we must conclude that BA 038 landed safely.

Or, according to a well-known German poet:


Die unmoegliche Tatsache

[...]

Und er kommt zu dem Ergebnis:
"Nur ein Traum war das Erlebnis.
Weil", so schließt er messerscharf,
"nicht sein kann, was nicht sein darf."

(A translation from Christian-Morgenstern.de (http://christian-morgenstern.de/dcma/index.php?title=Die_unmögliche_Tatsache):

The Impossible Fact

[...]

And he comes to the conclusion:
His mishap was an illusion,
for, he reasons pointedly,
that which must not, can not be.
)


Bernd

Warning: I'm non-professional; not crew, not engineer - just scientist guest and thanks.

We have already speculated on some form of directive/restriction on ETOPS being issued before the onset of the northern hemisphere winter.

The AAIB might not issue such a document until:
1) the northern hemisphere, summer, holiday season has passed,
2) the Beijing Olympics are over,
3) all interested parties are in agreement with the need for restrictions,
4) and, the AAIB has determined that its investigations are unlikely to find a cause and solution before the northern winter.

And, maybe, we should not be surprised if the restrictions apply to all aircraft, not just Boeing 777s. That way the authorities create a commercially level playing field; probably a prerequisite for success with point 3 above.

Much has been written recently, on this tread, about the acceptance of risk. I cannot pretend to understand the basis for the statistical arguments for the low probability of a second occurrence of the BA038 incident but I remind myself that, for example, a 1 in 100 year event can occur in any year, i.e. there could be a second occurence in 2009. That's called Sod's Law.

And, I suspect that even the most competent, and confident, investigating statistician or engineer might, on hearing that his children or grandchildren were about to fly across Siberia in January-March, suggest they take another route, or have his/her fingers crossed all the way.

Can you engineers truthfully say otherwise?

(I apologise for using emotive phrasing and for appearing to attack engineers - not so; the words are chosen to highlight our collective complaisance or, in too many cases, cynical avoidance, regarding the proper understanding of risk assessments and the probability of recurrence.)

On another matter, pilots, as I understand them, have a highly developed understanding of Sod's Law. Basically they are aware, individually and collectively, that luck can run out at any time. Therefore I would be fascinated to learn if pilots have already altered their flight management behaviour, for example, spooling up the engines on descent a couple of times - just to make sure! As I've written before, better to discover a problem with a few thousand feet to spare rather than 720.

Regards, Tanimbar

Which all falls squarely on its arse when you realise that in a business where the words cannot often be used to their full and proper extent, the AAIB really are one of the last bastions of consummate professionalism, unlike some other large organisations we could mention. "Until after the Olympics"? Are you having a laugh? This isn't the Press Office of the Labour Government we're dealing with...

Granted that the AAIB might be "one of the last bastions of consummate professionalism" it nevertheless does not operate in a vacuum.

I do not denigrate the integrity of the AAIB by my comment about the Beijing Olympics. If the activation of restrictions is not required until the onset of winter why not avoid false, unwarranted passenger hysteria by delaying the release of the publication until after that event. That's just common sense and would support your view of the AAIB as consummately professional.

regards, Tanimbar

dxzh wrote

2. Why is there now no presumption of a latent serious design flaw in G-YMMM and the 400 or so similar B772ER aircraft, given the tentative findings that G-YMMM was apparently operated within a normal flight envelope by competent crew with the correct spec fuel?


You're assuming that because G-YMMM was affected it must have been particularly prone to such a failure(whatever it was).

From a statistical point of view this is not a valid assumption and the incident might actually be equally likely on other aircraft types.

We're talking tiny probabilities here and a single incident is not statistically significant.

So ithout some idea of the cause it would be difficult to justify taking action against a single aircraft type.

You're assuming that because G-YMMM was affected it must have been particularly prone to such a failure(whatever it was).

From a statistical point of view this is not a valid assumption and the incident might actually be equally likely on other aircraft types.

We're talking tiny probabilities here and a single incident is not statistically significant.

So without some idea of the cause it would be difficult to justify taking action against a single aircraft type.
Well said.

You could also add that if you restrict/ground a particular aircraft type over one incident and subsequently are unable to find anything in particular that is wrong with it, how do you logically go about de-restricting/un-grounding it? Nothing has changed in the interim yet you'll have to make a 180deg. turn in terms of decision making whilst in possession of the same facts...

This also impinges on why there are no significant procedural changes in the operation of the aircraft. If you don't know what caused the problem, how can you know if your 'solution' is making things better or worse? Airlines and manufacturers are reluctant to provide 'instant fixes' as they often come back to bite them through the law of unintended consequences.

At the moment we don't know if what befell MMM was because of:

a) something unique to that airframe
b) something that could happen to RR-powered 777s
c) something that could happen to all 777s
d) something that could happen to Boeing aircraft
e) something that could happen to all commercial jets
f) etc...

Who was it that said "Sometimes the dog of fate simply lifts its leg and pisses on the leg of science." Ernie Gann?

The quote is as follows from Fate is the Hunter:

some totally unrecognizable genie has once again unbuttoned his pants and urinated on the pillars of science

I see what you mean about this potentially applying to any aircraft and I am conscious that statistics can be used any which way by whoever chooses the assumptions and data to be analysed. I had not meant to be partisan in my choice of assumptions but perhaps I have introduced bias by trying to take into account the interim findings and you might be doing so if you do not take them into account?

To one person, a single incident of an uncommanded reduction in power of both engines is not, or is hardly, statistically significant in the general scheme of things and does not necessarily mean that any particular aircraft should be grounded or, as elsewhere suggested, restricted.

To another person, IF it can be tentatively assumed after investigation that contributory factors external to the aircraft itself such as crew and fuel can be discounted and factors specific to the aircraft such as the independence of the two engines is as certified, then the uncommanded reduction in power of both engines on an aircraft within seconds of each other and a failure to respond to further requests for power might be seen by many as either a highly unlikely event (if I may, equivalent to a sperm whale finding itself freefalling to earth with a bowl of petunias) or evidence suggestive of a flaw in its certificated design/performance. I accept the assumptions here are crucial.

Again I was only trying to consider, compared to many crash situations in which the airframe is not immediately recovered largely intact, the difficulty stakeholders may face in deciding not to ground or restrict aircraft (and no, I am not arguing for either) now that the initial investigations have been completed and so many of the other possible contributory factors have been tentatively discounted. As the airframe and crew survived, after a few months of investigation there seems to be a practical limit on the ability to obfuscate about the potential alternative contributory factors of the highly improbable uncommanded reduction in power of both engines, while apparently leaving those responsible for investigating, manufacturing and certificating the supply of fuel to the engines (whether in G-YMMM or other aircraft) in the invidious position of still being unable to explain the demonstrated critical failure in an otherwise highly reliable system and to make recommendations accordingly.

dxzh

To another person, IF it can be tentatively assumed after investigation that contributory factors external to the aircraft itself such as crew and fuel can be discounted and factors specific to the aircraft such as the independence of the two engines is as certified, then the rollback of engines on an ETOPS aircraft within seconds of each other and a failure to respond to further requests for power might be seen by many as either a statistical fluke (if I may, equivalent to a sperm whale finding itself freefalling to earth with a bowl of petunias) or evidence suggestive of a flaw in its certificated design/performance. I accept the assumptions here are crucial.


I may pick at your arguments somewhat, albeit they have many sound qualities. Remove the ETOPS argument above, as the issue equally applies to all aircraft operations.

Also to be pedantic, the term rollback has historically been used to describe a different malfunction scenario so perhaps we should only use the words released to date by the investigators.

continuing in pedantic mode

There is no such thing as a fluke in statistics, as their use is only a means of communicating natural occurences (combinations)

I remind that neither the designs nor certification imply all is perfect and free from catastrophic occurences. There will allways be the rare occurences of combinations not forseen nor even recognized after the fact, that will exist in aviation for relatively short periods of time (measured in risk per flight hour).

Some risk of unknowns is acceptable even some risk of knowns is acceptable over controlled periods of time. The issue is to be certain that the level of risk is within acceptable bounds and this is done by continued dilligence and investigation of potentially related events (either in history or today's)

So in my opinion groundings or flight restrictions are not evident at this time, but continued dilligence, (investigation and understanding) is appropriate.

show me the data and I will recommend the action

With the airline (BA), Manufacturer (Boeing) and the British AAIB-CAA etc etc involved, as well as other agencies...

Being blunt and upfront literally, -- NO offence intended to any member of the crew -- no one seems to be any further forward after almost 7 months of extreme head-bashing, early mornings - long afternoons and late nights around computer simulations, test rigs, theory upon theory etc etc etc...

No one seems to agree on any particular 'reason' for this happening. Leading on from this, when do the authorities decide to call it a day - if at all?

Is this another 'unknown' phenomenon... In which case, basically case closed...

Thanks - point taken re ETOPS, rollback and fluke.

And I agree about living with knowns and unknowns for controlled periods - we all accept a measure of risk in living our daily lives.

no one seems to be any further forward after almost 7 months of extreme head-bashing, early mornings - long afternoons and late nights around computer simulations, test rigs, theory upon theory etc etc etc...

How do you know that?

Silverstreak, sir.

Simply because we have no further information from AAIB does not mean that AAIB has no further information.

(i) I incline to the view that AAIB does not leak- it can't see the point of it, it's not a useful exercise from their perspective.

(ii) We do not set the time frame for AAIB reportage - a process which is currently well within their standard pattern. Look at some of the previous excellent postings on this.

(iii) IMHO we need to be patient.

The frustration v trust dichotomy is never an easy one to resolve! :ok:

CW

It may well be that the AAIB does not leak, but earlier in the investigation there were "leaks" from various sources.

These have dried up - maybe because discipline has improved, maybe not.

.

M.Mouse...

OK point taken :ugh: Nothing has been done so far in the quest to find out what actually happened :mad:

Nothing has been done so far in the quest to find out what actually happened

You miss my point. There is a massive amount of work being undertaken. The fact that details of the results of that work have not yet been released is not an indication that 'no one seems to be any further forward'.

May I ask a couple of questions on the 777 incident?

What was the temp on the ground while the aircraft was on turn around in China?

What temp had it been exposed to, and for how long, while en route to China?

I understand that fuel "waxing" might be an issue. Fuel does not fully dewax for some time after landing. If an aircraft flies a long haul, sits on the ground in low temps and then flies long haul again the fuel wax status may be enough to prevent required fuel flow as deposits clog filters..?

Would it be desirable to alternate an aircraft between hot and cold destinations to help reduce the possibilty of waxed fuel build up?

Just thoughts..??

People get suspicious of brand new posters coming in with deep and searching questions! What was your ID before?

There was nothing unusual about the circumstances. It might have been a little colder than normal, but aeroplanes do actually operate in very cold climates all the time, and cruise for hours at extremely low OATs. Rather than simply ask, if you feel it's relevant, try a little research on your own to answer your own questions. Do you think all that wasn't examined right at the start?

Well it's nice to be made welcome, thank you Rainboe, I appreciate your rapid reply.

You obviously have all the answers, and please be aware that you have no need to label me as suspicious. Most of my days have been spent in the airline industry....

I understand from your reaction that fuel waxing is not an issue? Maybe you could direct me to the latest studies on the properties of jet fuel at low temperatures.. I would be delighted to find my own answers as you have suggested I do!!!!!!

Peter - there is a 'search this thread' button at the top of the forum window.

Try searching for temperature specification or other words likely to be in any post answering your question.

The extracts found by Search all have a clickable link to the actual post.

Each post has a poster. If the post makes sense, click on the poster's pseudonym, then follow through to the poster's profile, and to a list of other posts by the same poster.

Note the post numbers of anything interesting, then when you refer to them in your post, your readers can find and assess the posts for themselves.

Newbies get mixed welcomes here - probably for good historic reasons.

Welcome!

Many thanks RightBase

Your welcome and guidance very much appreciated.

I do think a 330 would have done very well with hopefully no casualty as well.
But my view is slightly different from Chris Scott view (http://www.pprune.org/forums/rumours-news/325095-ba038-777-aaib-report-31.html#post3958677)

By manually fire walling the thrust levers, Go Around Auto Flight logic is triggered.
FD bars command SRS (Speed Reference System) in this case probably VAPP (VLS + 5kt)
As speed was already around VLS or even below and as bizarre we might think FD will command aircraft to pitch down (waiting for thrust increase …)
Note: AP is still ON unless manually disconnected or sidestick manipulated.
Now aircraft is below G/S but still at VAPP.
Houses are getting closer … time to refuse ground contact by pulling the sidestick (AP now disconnects)
Speed is bleeding AOA increasing to AlphaPROT … (maybe AlphaMAX but I don’t think AlphaMAX is achievable below 100 feet …) STALL protection remains active.
Less drag in the early portion and better ground effect, aircraft touches down somewhere in the grass in a nose high attitude.
V/S at touchdown depends on pilot fortune in the overall process.

Would be nice to validate (or not) this scenario on a 330 sim if ever able to simulate the thrust deficit with THR LVR in TOGA gate.



BA038 touched down in a very flat attitude witch means it had stalled already.
Combination of soft terrain + landing gear impact absorption made things very comfortable for passengers at least.

Too bad AAIB still keeps very secretive on aircraft performances as well as on front crew actions …

I understand very well your concern about the "temperature history" of BA38. http://www.pprune.org/forums/images/infopop/icons/icon14.gif

I follow this thread since post # 1 and I didn't get documented data about ground and flight temperatures the aircraft met during the flights and the days before.

We know that there was no "fuel draining" before the flight to London and that there were some fuel ice messages.

We know also that the flight was operated well higher and colder than initially planned, and that the crew didn't ask for descent into warmer temperatures over eastern Europe while other aircraft did. That's about all ...

I just hope the investigators are looking carefully into weather records.

In my past career, I got my share of temperature related problems with fuel, fuel systems and other aircraft systems as well, all in duly certificated aircrafts and components. And yes, at some points, we had to switch aircraft on cold sectors.

Welcome! http://www.pprune.org/forums/images/infopop/icons/icon7.gif

Bis47:
We know that there was no "fuel draining" before the flight to London and that there were some fuel ice messages.

However, water draining checks were performed just prior to refuelling for departure to Beijing on January 15th (see AAIB special bulletin S1-2008, page 5) and could you please explain when those "fuel ice messages" were presented to the crew? These are not mentioned in the AAIB reports.


Thanks and regards,
Green-dot

@Bis47, I guess your "fuel ice messages" reference is to the unverified report on pilotsofamerica.com forum (see UPDATE on the LHR (Heathrow) 777 incident - Pilots of America Message Board (http://www.pilotsofamerica.com/forum/showthread.php?t=19056)) on 30 January 2008 (and picked up by blogs elsewhere) as to the theories being investigated by the AAIB. One theory the unverified report mentions as being investigated is that:

"Ice in the fuel somehow limiting the fuel flow to the engines. A maintenance message indicating excessive water in the center tank was set during taxi on the two previous flight legs, although it cleared itself both times."

For what it is worth I note that the unverified report was introduced by the words "Aspects that the FAA believes the investigation is concentrating on are: [...]" but also that the alleged fact re maintenance messages is not mentioned in any AAIB statement published to date (whether Statement of accident, Initial Report, Initial Report Update, S1-Report or S3-Report).

Assuming ice in the fuel was being investigated at the time, it seems less likely to be relevant now given the subsequent analysis and AAIB statement in its S-3 Report that: "The fuel has been tested extensively; it is of good quality, in many respects exceeding the appropriate specification,and shows no evidence of contamination or excessive water".

@Peter Brown, you might also have a look at articles re flight in polar conditions at Aero 16 - Polar Route Operations (http://www.boeing.com/commercial/aeromagazine/aero_16/polar_story.html) and on fuel temperature data on polar flights at http://www.fsinfo.org/FSI-journals/4q_2000.pdf.

explain when those "fuel ice messages" were presented to the crew?

There is no fuel ice message on the B777.
There is a water in fuel message. However this is never presented to the crew. It is hidden away at the bottom of the fuel qty maint page which few people ever look at unless you have a fuel qty problem. However it is stored in EICAS NVM so can be seen by the investigators.

There is no fuel ice message on the B777.

Exactly.:ok:
That is why i wondered how Bis47 came to such a conclusion.:confused:



Green-dot

Oups, sorry for the confusion ...

"Water in fuel" messages were indeed mentionned a few times in the early pages of this thread. And they were not questionned. There seems to be a consensus that this is just a kind of "normal business", since the messages cleared.

Sorry, I don't have the courage to retrieve the references.

I encourage each of the Professional Pilots to monitor this investigation. Months have passed and today there is no guidance or direction from the investigation which would tend to make our crews and passengers less likely to experience uncommanded non-responsiveness to the command for thrust.

It is now up to our sucessors flying the line every day to stand up and challenge the AAIB, NTSB, FAA, Boeing, Rolls Royce, British Air, etal. to put their head to the cause and effect. I have sent numerous communications to the US FAA and NTSB regarding the BA038 event. There has been absolutely no response from either agency.

The accident experienced by BA 038 should never have happened. It did happen. None of us know why. None of us have heard anything from our expert authorities regarding the elimination, mitigation, or recovery from the experience our BA crews had to deal with. Where is Boeing, Rolls Royce, FAA, NTSB, FAA, etal,?

I encourage all of the PPrune community to dig deep within and nudge, nay bully a little, your respective governmental authorities to get a move on. Winter is not that far away and it was winter which laid BA038 on the apron.

Tom

Your post strikes both a pompous and naïve chord.

The investigation is not duty bound to immediately publish every single finding nor explain their actions or methodology so that the media and internet pundits can dissect every detail in their usual ignorant and often downright stupid way.

When they have something constructive and helpful to say they will say it. So far they have nothing to add to what is known that would be of the remotest use.

It is quite pointless to waste time distracting busy people with pointless demands when there is nothing to be gained.

And, by the way, it is British Airways not British Air as so many Americans insist on calling us.

M.Mouse - he didn't say "publish every single finding" or "explain their actions or methodology".

He said "get a move on", and I think he has a point.

This page serves as a reminder of what the NTSB was doing to address the concern among pilots, passengers and the industry in general in the wake of another very perplexing accident which took years to resolve:
NTSB - American Airlines Flight 587 (http://www.ntsb.gov/events/2001/AA587/default.htm)

In particular, there were frequent investigation updates, and an intermediate Safety Recommendation (addressing one of the key contributing factors - probably enough to prevent a repetition) after 3 months.

As a non-pilot, I am not remotely bothered if this information is channeled directly to pilots and to others with a need-to-know in airlines, rather than to the press. It only takes one decent PR/media relations person to ensure that is handled properly. No criticism of anyone in my mind - just keen to hear that investigation is narrowing and the people we rely on at the front end of the aircraft have some idea how to avoid a repetition, as soon as possible.

PR/Media relations are the bane of modern society. It is taken as read, at least as far as the AAIB is concerned, that they are doing all that is possible.

If they had any idea of how to avoid repitition we would have been told.

The incessant clamour for 'news' and the subsequent misreporting, analysis, misguided pressure and futile discussion is, in my opinion, why, both here and in the USA, we have government by spin not substance.

Edited for typo.

@precept

Good post!

Why not ground all 777 until there is a clue what happened?

Maybe things will go a bit faster than......

I encourage each of the Professional Pilots to monitor this investigation.
I'm sure many of us are: we've read the interim reports and now we're waiting for the final one.

Months have passed and today there is no guidance or direction from the investigation which would tend to make our crews and passengers less likely to experience uncommanded non-responsiveness to the command for thrust.
Possibly because, at present, no such guidance exists in any form?

...stand up and challenge the AAIB, NTSB, FAA, Boeing, Rolls Royce, British Air, etal. to put their head to the cause and effect.
I wonder what they've been up to the last eight months? Obviously all on holiday. :rolleyes:

I have sent numerous communications to the US FAA and NTSB regarding the BA038 event. There has been absolutely no response from either agency.
Maybe if you stopped bothering them, they'd have more time for the investigation?

AFAIK, there are no significant operational changes that have been mandated/suggested following the loss of G-YMMM. That doesn't mean there won't be any in the future if/when the root cause(s) of the accident are fully understood; in the meantime, we just have to be patient.

The AAIB, NTSB and others have to take a very broad outlook in situations such as these and that involves a large amount of dead-end investigation, conjecture and theorising. To make such ruminations public would a) slow down the progress of the investigation, b) lead to all sorts of unjustified speculation in the media and c) might lead to a reduction in flight safety if the diagnosis or the 'cure' were wrong at that time.

Just because those involved are not 'blogging' the BA38 on a daily basis doesn't mean that they aren't working hard on it. What do you want? "Today we initialised a Monte-Carlo simulation of the fuel dynamics in the inlet manifold; tomorrow we're checking the EEC wiring but not until after the pizza"?

PR/Media relations are the bain of modern society.


I'm sure many would agree with you (if not with the spelling), and I'm fairly sympathetic myself...

... I just don't think that all communications from the NTSB - or AAIB in this case - are spin. For example, I think a pilot reading the early releases from the NTSB on AA587 could probably have worked out how to prevent a repetition. Sure it took 3 years to get a Final Report published, and that was very acrimonious because of the huge financial implications for those involved. But the key safety information got out early.

In this case, the AAIB has been up-front with some updates and Special Bulletins. I just thought Precept had a point - it's fair enough for pilots and airlines in particular to keep asking for information from AAIB on this (AAIB can always quite fairly say 'nothing new to report') and since cold-related fuel flow issues are currently looking the most likely among a set of rather unlikely causes, the timing does matter.

PS: from other replies, it doesn't look as though those posting are far apart on this, just that views are being expressed strongly as usual;). I'll go back under my stone now.

Obviously ALL involved can exlude that it happens again.....

You can't fix or ever really know an "extremely remote"

Ther effort now is to assess how probable a repeat could be.

Nobody would have said before it can't happen, but then again we should not have expected it to happen.

Jesus you guys,

Obviously by now, they KNOW what happened. This is 2008. Obviously the implications are so uncomfortable that they're going to drag out this investigation ten years like they did TWA 800.

What I think happened (and it is just my opinion only) is that they are appalled at the fact the engines didn't respond to pilot input and the FADEC vender is going to release a software "update" to all 777 operators and you or I will never be told what caused these engines not to respond.

THIS IS A SOFTWARE PROBLEM in my humble opinion. I humbly ask those programers that know to anonymously post their knowledge to help aviation safety.

If you nerds ever wanted to be batman now is your chance.

Obviously the implications are so uncomfortable that they're going to drag out this investigation ten years like they did TWA 800.
This is slanderous on the AAIB, and totally contrary to how they operate.

You can give your humble opinion all you want, but most informed observers will await a report from the qualified individuals at the AAIB that actually rectifies any problem that may or may not exist fleetwide.

Hi Pacplyer, this from the AAIB Special Bulletin issued in May...

Parameters recorded on the Quick
Access Recorder, Flight Data Recorder and non‑volatile
memory from the Electronic Engine Controller (EEC)
indicate that the engine control system detected the
reduced fuel flow and commanded the fuel metering
valve to open fully. The fuel metering valve responded to
this command and opened fully but with no appreciable
change in the fuel flow to either engine.

Hope this helps....

Fair Re-Heat,

Very fair.

You place your faith in government examining themselves (bus=gov, imho)

I however, do not.

This thing stinks to high heaven, with the amount of time that has elapsed.

Somebody knows the truth.

Out with it already. The crew didn't do anything wrong, imho.

Please,

Explain to my dumb brain sector8, how a certified RR engine has been commanded to full power via the FADEC and nothing happens.

Please forgive my obvious stupidity; I don't have an E&E but as I understand the relationship, the EEC may command full power, but it is up to the FADEC to honor or modify or reject that demand. Right?

Is my understanding of the sequence incorrect?

Do I not understand the sequential relationship between EEC and FADEC?

It is quite possible I am under a misconception because now we are delving into aerospace engineering and my specialty is airline transport.

How stupid it is that we sit around f*cking with this when the obvious solution is to engineer this airplane like the 747 with a physical cable to the FCU.

But maybe I'm just old school, and didn't have to worry about sh*t like a computer deciding I didn't know what the hell I was talking about as the PIC when in the moment of truth my nanosecond brain decided that all the f*cking computers in the world were wrong and I needed MAX POWER NOW!

You modern aviators are just amazing to me. You spend your lives living under the shadow of the HAL-9000 computer.

What do you think should happen in the spilt second that the PIC decides max power is needed? A computer vote? A cyber committee? A democracy?

Survey says?

Something is rotten with with this whole event, and nobody wants to admit that nothing is adding up......

Meanwhile, I'm not going to board a 777 or any scarebus or any other FADEC machine till this is sorted out.

All JMHO's

pac

pacplyer

You're peddaling the conspiracy theory route too much. It's wasted energy.

Don't forget that events with chances that are millions to 1 can happen.

Stay away from FADEC's then. See if anyone's bothered.

Re. Fullwings about the flow simulation example...

I have learned (or was often reminded) that no simulation is really worth some real data. So what I would expect, if the situation is not clear by now (apparently it isn't), is that a bunch of aircraft of that type are being instrumented (sensors, etc) to provide the data that are missing today. If you cannot easily reproduce the event, at least be prepared to learn more, the next time something similar happens.

Pacplyer, you're being a bit unfair to the investigators.

TWA800 did not take 10 years. There was a Public Hearing after 17 months where all the main evidence was set out. Judge for yourself whether it was a useful exercise (NTSB Chairman's statement NTSB - Statement by Jim hall 12/12/97 (http://www.ntsb.gov/Speeches/former/hall/jh971212.htm) and contents list NTSB - TWA 800 Public Hearing (http://www.ntsb.gov/events/twa800/process.htm#hearing)).

I am sure that the work to model the 777 fuel system and examine flight data is taking time for scientific reasons, not because industrial or political pressure is being brought to bear. It is quite possible there will be a big wrangle about liability etc later on, but I have confidence that as soon as the AAIB have narrowed the probable cause of BA38 down enough to be able to issue safety recommendations they will do so - they don't need to wait til the Final Report, and they would be judged harshly if they 'sat on' something important - I am sure they would not do that. As Precept said at the start of today's discussion, if it is looking likely to be cold-related and if BA38's exposure was unusual (I don't see why it has to be unique - other factors could have been involved which could recur) then it would be reasonable for AAIB to issue to recommendations on flight in cold conditions before winter.

Back under my stone.

I agree the AAIB will be acting under the very best intentions. After all, some of them, and their families may well be on RR equipped 777s on their holidays this summer too.

Where an obvious, or perhaps obvious after you look hard enough factor somes into play, they will put that new information to best use as soon as possible, without question.

The causes here are not like that, and they are working methodically as fast as possible and the end result will vindicate this. I've had first hand experience of the AAIB and their methods and have nothing but respect and faith in their investigators and techniques.

When you get an unexplained but similar and almost simultaneous problem to two machines (in this case two perfectly functioning RR engines) logic tells me one has to focus on points in common. Obviously the flt routing but principaly the fuel. I know the AAIB have said the fuel was OK, but was it? I just feel they cleared its suitability rather two quickly. This flt came out of China, where a very important matter is currently taking place. China would not be very happy if the real cause was put down to them. One thing is for sure, if a further incident takes place soon, then it will be a field day for the New York aviation lawyers.

Explain to my dumb brain sector8, how a certified RR engine has been commanded to full power via the FADEC and nothing happens.

Well, that is the $500m question, is it not?

Could it perhaps be the reason why there has been no further word from the AAIB/Boeing/Rolls Royce? They haven't figured it out yet.

Please forgive my obvious stupidity; I don't have an E&E but as I understand the relationship, the EEC may command full power, but it is up to the FADEC to honor or modify or reject that demand. Right?

FADEC is a concept, a "philosophy", if you will. It stands for Full Authority Digital Engine Control, and means a computer controls the fuel metering valve (the "throttle"), gives the desired thrust, and protects the engine. There is no way to manually override the fuel valve position. EEC is the actual computer that does the work. Sometimes the computer as such is also referred to as "The FADEC".

How stupid it is that we sit around f*cking with this when the obvious solution is to engineer this airplane like the 747 with a physical cable to the FCU.

Someone in the know please corerct me but I am pretty certain that the 747-400 also has FADEC-controlled engines, as all current airliners have. Hydromechanical control got out of fashion a long time ago. Concorde was the first airliner with full-authority electronic engine control, although it was not digital.

But maybe I'm just old school, and didn't have to worry about sh*t like a computer deciding I didn't know what the hell I was talking about as the PIC when in the moment of truth my nanosecond brain decided that all the f*cking computers in the world were wrong and I needed MAX POWER NOW!

Old school or not, it wouldn't hurt to check the facts. Btw, cables can break, and need constant re-adjustment due to lengthening, and on multi-engine aircraft all enginess are never adjusted equally leading to thrust-lever staggering in normal operation to get them all to the same power output.

You modern aviators are just amazing to me.

Right. Never let the facts get in the way of a good rant.

What do you think should happen in the spilt second that the PIC decides max power is needed? A computer vote? A cyber committee? A democracy?

Why do you feel entitled to make comments about stuff you obviously have no clue about?

And just so you know: The AAIB stated that the Fuel Metering Valve (the "throttle", that ultimately controls the amount of fuel going to the spray nozzles) was fully open. Just as it would have been with a mechanically controlled engine.

Meanwhile, I'm not going to board a 777 or any scarebus or any other FADEC machine till this is sorted out.

Good luck finding a passenger aircraft in service with a modern western carrier that has non-FADEC engine control.

Contrary to popular belief, fly-by-wire has nothing to do with engine control. Even most non-FBW airliners have FADEC these days.


Bernd

As I recall, the AAIB did report - or imply - a problem with the fuel. It was not getting to the fire.

The 'throttles' were open, the engines were sucking, the pumps in the tanks were pumping, but the noise stayed quiet....

on both sides.....

not quite simultaneously.

There is a silence in the report about software causes or other transitory causes.Presumably this has been covered and dismissed?

bsieker,

Who said anything about fly-by-wire? The subject of my post was thrust lever control; nothing else. What I am talking about is a well known FADEC phenomenon called rollback. You don't seem to be familiar with it or else you wouldn't swallow the fuel valve open preliminary investigation comment so gullibly.

Whether you know it or not in FADEC, code algorithms are constantly checking engine parameters and "voting" when, or if, to schedule twin spool acceleration. Since they won't allow overboost, and are concerned about thermodynamic engine life they sometimes reject a flight deck command in favor of a slower acceleration schedule. (Most of the time this is a good thing.) Sometimes they reject everything altogether and command idle logic instead (which can't happen with old 747-100's and 200's with steel cable to hydomechanical control.) Thus my position that the old design was safer from a "fail safe" consideration at spool up. A thrust lever cable breaking is extremely rare. In over twenty years of flying them I've never met anybody who's had it happen. But I have met pilots who have had unexplained rollbacks using FADEC.

bsieker, A snapshot (data point) of the sun in the sky does not mean it is daylight 24 hours a day. Fuel valve positions can be momentary recorded in the middle of transitory problems; so this report of everything being fine with the fuel valve means nothing to me.

Here's what one of the so-called "experts" who writes in aviation rags has to say:


a software glitch affecting the engine control system is among the possible causes being investigated.
An interesting article dating back to October 2006 (http://www.iasa-intl.com/folders/belfast/BA777_Unthrustworthy.htm), focuses on errors introduced with a FADEC (Full Authority Digital Engine Control) software update that affected the B.777 equipped with GE90 engines. The article reports about two thrust rollback recorded on the 777-300ERs that suffered the failure during take off (and 5 occurred in flight). Subsequent troubleshooting found that the rollbacks were caused by a glitch in the software of the FADEC and that the reductions “only likely to occur at reduced powers”. The article explains that the flawed software was installed after a FADEC software update.
So, the FADEC has already caused worries to the B.777 operators using GE engines. The British Airways aircraft was equipped with RR Trent engines, even if the software used to control them is probably the same (or mostly similar). Even discarding the possibility that the current software may still cause Loss Of Thrust Control or LOTC for the same flaw (the AD was issued in 2006 and by now the software should have been patched), the above mentioned article provides also details dealing with an Airworthiness Directory applied to the GE90 engines that confirms the risks of corruption of the FADEC signals because of clogging of the sensors feeding the engine control system. The GE90 engines incorporate now a design modification aimed to prevent signal corruption but what about Trent engines?

For pictures and a more in-depth analysis, I suggest visiting this link that was provided from a visitor: http://www.iasa.com.au/folders/Safety_Issues/others/The_BA038_LikelyCause

BA038 crash landing caused by a software glitch? « David Cenciotti’s weblog - the most visited Italian Aviation Blog (http://cencio4.wordpress.com/2008/01/22/ba038-crash-landing-caused-by-a-software-glitch/)

bsieker said:
Btw, cables can break, and need constant re-adjustment due to lengthening, and on multi-engine aircraft all enginess are never adjusted equally leading to thrust-lever staggering in normal operation to get them all to the same power output.


Seperately, who cares about staggered throttles? It doesn't hurt your flying ability to be a knob or so out of rig. But it does hurt your flying ability to have microsoft windows type crap software between you and the spray nozzles. No way to override it in time. Bad Bad design, imho. But that's how were doing it now.....

BTW, I was just being melodramatic to underscore a point. If I only got on non-FADEC controlled aircraft, of course I'd never get anywhere.

Regards

Sometimes they reject everything altogether and command idle logic instead

In X million cycles how many times has this happened?

(which can't happen with old 747-100's and 200's with steel cable to hydomechanical control.) Thus my position that the old design was safer from a "fail safe" consideration at spool up.

Did not an Evergreen 747 divert into LHR in the last year or two with unresponsive engines?


Your quote regarding from the press says:


focuses on errors introduced with a FADEC (Full Authority Digital Engine Control) software update that affected the B.777 equipped with GE90 engines.................So, the FADEC has already cased worries to the B.777 operators using GE engines. The British Airways aircraft was equipped with RR Trent engines, even if the software used to control them is probably the same (or mostly similar).


Well there's an enormous assumption if ever there was one!

Carnage,

Agree. That's why I said "so-called expert" (he calls himself that in his "about me" section on his site.)


Found this little conversation about BA038 on a maintenance forum:
I believe it's the FADEC software update that was done recently. AA had the #2 engine not respond for about 15 seconds on one of their 777 with the same FADEC update code.

RR is looking into it...I wonder the directive for now is to use or rollback to the previous update.


Heathrow B777 accident - Aircraft Maintenance Forums (http://www.forums.amtcentral.com/showthread.php?p=585)

I don't think it's one in a million odds anymore. I think dozens of fadec issues are well documented throughout the industry regardless of make. We were aware of rollbacks on both P&W and GE A310's when I flew that airplane back in the 90's. The solution was nearly always a new software "load."

There must be a FADEC code standard that is industry-wide prior to a powerplant being certified on a particular model. Where's Machaca? He's good at finding a needle in a haystack....

pac

JMHO's here.

I know the GE is a different engine, but both RR fadecs and GE fadec software versions go through the same flakey FAA appoval process.

Air Safety Week:
Trouble-shooting technicians have found that the two cases in which there were single-engine thrust reductions during takeoff were the result of a flawed software algorithm in the Full Authority Digital Engine Control (FADEC). ....

....Others might wonder how such safety critical software can make it through the validation and verification regime into world-wide fleet service. Overall, it's shades of the previous GE90 "rollback" and IFSDs (inflight shutdowns) from earlier days. The only difference was in those cases, it was in cruise and was caused by moisture freezing in the P3B and PS3 lines to the FADEC, and it was resolved by increasing the tubing diameters....

Lots more here at the source; worth reading:

Air Safety Week :: The Unthrustworthy 777 (http://www.aviationtoday.com/asw/categories/maintenance/5294.html)

pac

Software debugging is tedious and difficult process.

I am a programmer myself and have encountered several cases
of debugging mysteries, that took me weeks to solve.

My uncle worked many years for Litton, GE and NASA
as safety and quality control specialist.
(he is now retired, but still called in from time to time as a consultant)
He worked on Polaris, Delta but also Space Shuttle projects.

I asked him, is it true, that the core programme to run Space Shuttle
is still 128 kB big (no error - kilobytes).

His answer was affirmative.

He confirmed, that they checked by modelling and theoretical
calculations, that it is impossible to completely debug
(test the programme reaction to every and each input data combination)
by programme codes bigger than 128 kB.

The killer in this case is, that no redundancy can help in case when
on every of 5 computers sits the same software with the same bug.

Hence Space Shuttle files with a software smaller than that of
your modern washing machine. :}

I don't know what is the size of the RR FADEC system, but if it's
bigger than that of Space Shuttle, it will never be properly debugged.

:eek:

pacplayer,

no offence intended, maybe my words were a bit harsh.

With cooler head:

I assumed you were talking about fly-by-wire since you specifically mentioned Airbus and B777, which are the most predominant and widely-used fly-by-wire airliners. Apologies.

Whether you know it or not in FADEC, code algorithms are constantly checking engine parameters and "voting" when, or if, to schedule twin spool acceleration.

No, that's not really how it works. There are feedback-control-loops, and additional safety checks, but when, e. g. requesting TOGA thrust in flight, which almost always indicates some sort of emergency, spool up is as fast as possible while still avoiding stalls and flameouts. Engine life protection does not usually take precedence over thrust demand. Case in point: engine vibration is measured and can be displayed in the cockpit. But this, although it may seriously damage the engine, is only advisory. Full thrust even on an excessively vibrating engine is available (if mechanically possible, but physics will decide that, not the FADEC).

(And just to be nitpicking again, the Rolls-Royce Trents are triple-spool, not twin-spool.)

Pilots with fully mechanical control (which has been very rare for a long time, even before FADEC) cannot always, especially in a high-workload situation such as a go-around, do the optimal spool-up.

Voting, if at all, only happens between two or more identical (or diverse, depending on the development model) circuits, one of which alone is sufficient to control the engine. Often there is no voting, but one computer (often called a "channel") internally checks its computations with a separate processor, and if both disagree, the entire channel declares itself failed, and the fallback channel takes over.

Since they won't allow overboost,

They do not allow anything beyond TOGA thrust. But continued TOGA thrust, while not recommended, is possible, even if it significantly shortens engine life. I don't know about the 777, but on the A320, TOGA thrust is allowed for a maximum of 5 minutes (or 10 minutes with one engine out). But this limit is not enforced by the FADEC.
... are concerned about thermodynamic engine life they sometimes reject a flight deck command in favor of a slower acceleration schedule.

Yes, but the reason for that is not only increased engine life, but also avoiding stalls and flameouts.

Sometimes they reject everything altogether and command idle logic instead

No.

Even if the readings from the thrust levers fail completely (or are inconsistent, i. e. both redundant sensors read differently), FADECs do not automatically command idle thrust. A lot of throught has gone into the logic what thrust to set in case of such failures. Depending on the flight phase, either idle, MCT or the last commanded thrust is set.


(which can't happen with old 747-100's and 200's with steel cable to hydomechanical control.)

Of course it can happen. The cable could just break. Rare, I know, but so are EEC/FADEC malfunctions.

Thus my position that the old design was safer from a "fail safe" consideration at spool up.

A snapshot (data point) of the sun in the sky does not mean it is daylight 24 hours a day. Fuel valve positions can be momentary recorded in the middle of transitory problems; so this report of everything being fine with the fuel valve means nothing to me.

Yes, I am aware that there may be issues with the digital electronics involved. You are mistaken if you think I have blind faith in them.

However, I assume FMV position is recorded once every second, or at worst every 4 seconds. It seems extremely unlikely that it was oscillating at .25 Hz, and always at the point of sampling for the DFDR, was fully open, and almost closed in between. There is still the remote chance that the recording as such was faulty. Since we have no access to the EEC software, we cannot say.

As to the relative numbers of engine control cables breaking, as opposed to FADEC problems: Just consider the sheer number of FADEC-engined aircraft today, and the dwindling numbers or airframes, and low number of flight hours, for mechanically controlled engines.

Even if both were equally safe, we would expect to see more problems with the electronic variant than the mechanical ones.

On the other hand, modern digitally controlled FADEC and autothrust systems offer increased stall protection, e. g. Airbus' "ALPHA-Floor-Protection".

But it does hurt your flying ability to have microsoft windows type crap software between you and the spray nozzles. No way to override it in time. Bad Bad design, imho. But that's how were doing it now..... (my emphasis)

I know you're trying to make a point, but the development process for business software, and for safety-critical software for embedded systems cannot be compared. These are totally different things.

Not a single thing you may think you know about "Microsoft Windows" type software is applicable to embedded systems development.

I say again, this does not mean that I believe there are no problems with FADECs; I know that there are. But there are methods known in the industry to make extremely reliable software. Not all of those techniques seem to be applied with sufficient rigour all the time.

Try searching for "SCADE", "Lustre" and "SPARK" to get an idea of what embedded software development is like. Seriously no Windows-Type crap there.

----

Ptkay,

While it is true that very high software reliability cannot be shown by testing (i. e. subjecting the software to varying input combinations and checking its output), there are methods (see above) to develop very-high reliability software.

The limit is not the code size as such, but the inherent discontinuity of digital computers, i. e. even the smallest possible input variations can create a completely different output.

One name for development methods that do not rely on testing to ensure proper functioning is "Correct by Construction". Formal mathematical methods are applied to ensure that the software does what it is supposed to do.


Bernd

Ladies and Gents,

Over the last few months I have read most of this thread, perhaps I should get out more.

Some contributors seem to ignore the facts in order to support wild conspiracy theories.

My understanding of the state of the investigation is as follows:

The fuel valves were fully open but very little fuel was being delivers to the engines.
The High Pressure fuel pumps showed evidence of cavitation damage on the input side.

When cavitation occurs, the pump will not deliver the required output pressure and therefore not enough fuel will be delivered to engines.

Cavitation occurs when either the fuel is less dense that it should be or there is not enough of it reaching the pumps. In this case it seems that the latter is most likely.

Why is the investigation taking so long?

All they need to do is to put the 777 wings, tanks and fuel system in to a big fridge and run a temperature simulation of the entire flight. Then repeat this for an infinite number of different combinations of fuel contaminants. Can’t see the problem myself, (sarcasm).:)

For what is worth, I think that this accident was caused by debris/contaminants in the fuel together with the abnormal low temperatures experienced during the flight. Due to the complexity of modelling the infinite number of variables, we may never get a final answer.

TechnoFreak,

Yes.

One minor correction: The cavitation damage was on the outlet side of the HP pump. Which is to be expected, as, although low pressure in the inlet makes the bubbles form, the damage occurs when the cavities implode violently after the pressure has risen again.

Right, no problem there, just test all the possible combinations in a big fridge. Could be done in one afternoon. ;)


Bernd

Due to the complexity of modelling the infinite number of variables, we may never get a final answer.

Nah, they WILL get there.

The fuel: they have big samples of it - can test as much as they need to.
The environment: they have air temp data from the whole BA38 flight and previous flights if necessary.
The fuel system: they have the real one to test with, plus lots of copies.

They will fly test flights if necessary (remember the ATR72 icing investigation), and they will keep plugging away until they get there. They won't give up on one this important.

Bernd,

No offense taken. My bombastic happy hour posts were submitted for entertainment as much as anything to stimulate thought. :E

Yes they are triple-spooled. (Old lingo hang up.)

Bernies post:
Quote:
[Sometimes they reject everything altogether and command idle logic instead] - pac

No.

Even if the readings from the thrust levers fail completely (or are inconsistent, i. e. both redundant sensors read differently), FADECs do not automatically command idle thrust. A lot of throught has gone into the logic what thrust to set in case of such failures. Depending on the flight phase, either idle, MCT or the last commanded thrust is set.


(my emphasis)

You keep talking about what fadec is designed to do from the factory. That's not the context of the conversation I was attempting to delve into. A rollback is a well-documented software created anomaly, as I understand it, in which, for whatever reason the fadec has either miscalculated the thrust solution (thinks it's at high power and stays at idle) or has had a dual failure of both channels and is presumably trying to reboot itself at idle (since both channels are susceptible to the same software bug.)

Do you recall the Air Florida accident? That was a thrust miscalculation by the crew since the pt2 was frozen and the pt7 continued to input data to the epr system resulting in a falsely high EPR reading. The captain thought they had set max power when reality it was actually nothing close to the target.

I dare say, in some rare cases, the FADEC is not much smarter when freezing conditions are present and fadec signal sensor probes get moisture freezing on them. (If lessons learned from the GE rollbacks prove to be instructive or simular in the RR trent engs.)

Bernies post:
However, I assume FMV position is recorded once every second, or at worst every 4 seconds. It seems extremely unlikely that it was oscillating at .25 Hz, and always at the point of sampling for the DFDR, was fully open, and almost closed in between. There is still the remote chance that the recording as such was faulty. Since we have no access to the EEC software, we cannot say.

Fadec gets it's sensor data and responds up to 70 times a second. The code is too complex and it behaves differently every time when it's working right as to make that realm unknowable. Recreation simulations are not always revealing even for design engineers or accident investigators. This is why I argue for a direct cable back up of some sort.

Throw in moisture to the FADEC sensors and who knows what weird power solutions have been calculated? And what are you are really reading with that DFDR anyway? Probably not actual valve position, but rather a software command to an actuator thinking it has called for rated power. (just speculation on my part.)

Do we know for certain that the DFDR records the actual metering valve position? If so, the Next question is how does it record that? Prox sensor? rheostat? actuator drive position? Fuel flow?

I'm not ready to buy into a correct fcu fuel metering valve "positioned open" just yet. I'll agree that it was logged as being commanded open once every four seconds. I want to hear more from engineers and programers first.

[The microsoft slam was just intended as over-the-top sarcasm; but thank God we don't fly around on windows.... We'd crash twice a day!] ;)

The above is, as all my post are: only my opinion only.

pac

Wikipedia reference:
FADEC: ....True full authority digital engine controls have no form of manual override available, placing full authority over the operating parameters of the engine in the hands of the computer. If a total FADEC failure occurs, the engine fails. If the engine is controlled digitally and electronically but allows for manual override, it is considered solely an Electronic Engine Control or Electronic Control Unit. An EEC, though a component of a FADEC, is not by itself FADEC. When standing alone, the EEC makes all of the decisions until the pilot wishes to intervene.
FADEC works by receiving multiple input variables of the current flight condition including air density, throttle lever position, engine temperatures, engine pressures, and many others. The inputs are received by the EEC and analyzed up to 70 times per second. Engine operating parameters such as fuel flow, stator vane position, bleed valve position, and others are computed from this data and applied as appropriate. FADEC also controls engine starting and restarting. The FADEC's basic purpose is to provide optimum engine efficiency for a given flight condition.
FADEC not only provides for efficient engine operation, it also allows the manufacturer to program engine limitations and receive engine health and maintenance reports. For example, to avoid exceeding a certain engine temperature, the FADEC can be programmed to automatically take the necessary measures without pilot intervention...

Recreation simulations are not always revealing even for design engineers or accident investigators. This is why I argue for a direct cable back up of some sort.

Yes, that's what I was trying to say with my remarks that high-reliability in software cannot be shown by testing. The argument can be made for mechanical backup, but also for better software development methods (Correct by Construction, instead of "Validation by Testing", which is proven to be insufficient.)

Throw in moisture to the FADEC sensors and who knows what weird power solutions have been calculated? And what are you are really reading with that DFDR anyway? Probably not actual valve position, but rather a software command to an actuator thinking it has called for rated power. (just speculation on my part.)

Good software will have a lot of sanity-checks, i. e. will check its input parameters for consistency. Very simple checks are correspondance between EPR vs. N1/N2 (and even N3 in this case), or commanded/actual FMV position vs. actual fuel flow, or fuel flow and N1 vs. EGT, ...

There is another indication that the reduced fuel flow was not the consequence of the FMV not opening, but was present before, and also that the actual FMV position is measured independently of the EEC's commands:

The EEC recorded in its NVRAM that reduced fuel flow had been detected. Probably this would only be recorded if it was unexpectedly low. In consequence, the FMV was commanded to open more and more, up to fully open. (cf. AAIB SB 2008-03, p. 2):

Parameters recorded on the Quick Access Recorder, Flight Data Recorder and non-volatile memory from the Electronic Engine Controller (EEC) indicate that the engine control system detected the reduced fuel flow and commanded the fuel metering valve to open fully. The fuel metering valve responded to this command and opened fully but with no appreciable change in the fuel flow to either engine.

Do we know for certain that the DFDR records the actual metering valve position? If so, the Next question is how does it record that? Prox sensor? rheostat? actuator drive position? Fuel flow?

No, we cannot. And these are fair questions that we all have asked. To highlight the difficulty, the A320, with which I am more familiar, has 8 thrust lever angle sensors for each thrust lever. Two for the FADEC (high precision, contactless angle resolvers), and a pair of potentiometers for each of the three SECs for spoiler/autobrake conditions. I do not know which of these is used for the DFDR data. I assume it's one of the resolvers, but I just don't know. Similar question will be asked (by the AAIB, among others) for the B777's Fuel Metering Valve position.

I'm not ready to buy into a correct fcu fuel metering valve "positioned open" just yet. I'll agree that it was logged as being commanded open once every four seconds. I want to hear more from engineers and programers first.

I seem to recall that the actual position is measured and recorded independently of the EEC (FADEC), and not just the commanded position, since the FMV is such a crucial piece.

The developers who know for certain probably won't be allowed to tell us.

[The microsoft slam was just intended as over-the-top sarcasm; but thank God we don't fly around on windows.... We'd crash twice a day!]

Yes, I didn't think you'd mean that literally. :cool:

The really ugly part of this accident really is that every conceivable scenario is, a priori, "extremely unlikely", so if anyone can figure it out, it's the guys with all the data (AAIB, NTSB, RR, Boeing, QinetiQ, ...).


Bernd

What do you think should happen in the spilt second that the PIC decides max power is needed? A computer vote? A cyber committee? A democracy?


Actually the n-version engineered software does vote if memory serves me right. A fault that resides through n-versions is somewhat unusual unless it directly relates to the software specification. I recall reading the Z notational definition of the 744 FADEC Software at University. Most impressed and find it hard to believe that the Software is actually at fault.

Bsieker
The EEC recorded in its NVRAM that reduced fuel flow had been detected. Probably this would only be recorded if it was unexpectedly low. In consequence, the FMV was commanded to open more and more, up to fully open. (cf. AAIB SB 2008-03, p. 2):

...until the air to fuel mix parameters were out of range for a correct and effective burn I'd say.

Q1: how exactly is the fuel flow measured? mass? capacitance? delta P?
Q2: would a density difference for this type of special winter fuel influence the real fuel flow metering?

GD&L

A BA engineering source known to me (being vague deliberately) today has reported that the current gossip is that a valve in the fuel pump is currently a major suspect. It would appear that the fuel flow around it causes turbulence and that they (CAA/RR/FAA) have been able to reproduce icing and fuel flow restrictions under test.

The fuel pumps in the 777 are not engine specific and the architecture differs from that on other aircraft, so whilst the authorities may never be able to say with certainty what caused the crash, the current thinking is the probability is fuel and fuel pump related.

If so, then there could be some redesign of the fuel pump valves in the near future.

If confirmed this is excellent news indeed!!

@ TopBunk:
What pump would be incriminated? The feeding pump in the fuel tanks or the high pressure pump in the engine?

Per TopBunk:
The fuel pumps in the 777 are not engine specific and the architecture differs from that on other aircraft, ...

I infer from this that the LP pumps (aircraft side) are implicated, and not the HP pumps (which are certainly engine-specific).

However, it may also be that the specific R-R HP pump is somehow more susceptible, compared to Brand X or Brand Y, to whatever LP-side shortfall may exist. Time will time I hope.

TopBunk -- Curious if the removal or discharge (or both) check valves are the subject of deeper scrutiny.

http://i337.photobucket.com/albums/n385/motidog/BoostPump1.jpg

If the boostpump discharge check valve or the inlet valve are suspect:

- That would suggest that all 4 boost pumps in the LH/RH main tanks failed to deliver due to above suspect reason (as explained by TopBunk) at almost the same time?

- What happened to suction feed in that case? That should have provided engine fuel feed in such a scenario. Certainly sufficiently enough with engines normally required to accelerate to somewhere above approach idle during adjustments on final approach in landing configuration.

By the way, the inlet valve (removal check valve) is a valve that closes when you remove the pump. This permits you to remove the pump when the tanks contain fuel. Therefore, i don't see how this particular valve could be a factor unless clogged with ice.


Green-dot

Someone in the know please corerct me but I am pretty certain that the 747-400 also has FADEC-controlled engines

Not sure if this has been answered. The -400 is only EEC controlled, which, though a componenet of FADEC, is a little different on its own.

Green Dot, you are right. It's a pity Top Bunk's information is not more specific: perhaps it does in fact refer to the HP Pump (independently on each engine, with an interval of a mere 8 seconds). Hmmm.

By the way, I think you meant "gravity feed" rather than "suction feed"? Wasn't it you and Swedish Steve who proved a long time back in this thread that we are talking about wing tanks? And the aircraft was at sea-level, with plenty of atmospheric pressure available.

Quote from pacplayer [yesterday, 1212z]:
You keep talking about what fadec is designed to do from the factory. That's not the context of the conversation I was attempting to delve into. A rollback is a well-documented software created anomaly, as I understand it, in which, for whatever reason the fadec has either miscalculated the thrust solution (thinks it's at high power and stays at idle) or has had a dual failure of both channels and is presumably trying to reboot itself at idle (since both channels are susceptible to the same software bug.)
[Unquote]

I would be very surprised if both channels are susceptible to the same bug. Although Boeing decided not to follow Airbus's lead, I believe, in trying to create and segregate two independent software design teams, they would have done their utmost to avoid this obvious trap.

Chris

Some years ago, a particular aircraft type with which I was involved, was experiencing false fuel indications. I observed research into this, which involved a transparent vessel of fuel being vibrated at various frequencies to represent vibration levels and frequencies seen in-flight.

When the vibration level was varied, it was possible to create what can only be described as a 'black hole', into which bubbles dissolved air from the surrounding fuel would head. Slight variation of the vibration level could make the 'black hole' move up or down in the fuel.

The supposition for our investigation was that if such a black hole occurred in a fuel probe stillwell, this could lead to a loss of signal and hence the erroneous level reading.

As I recall, the vibration levels in this case pretty well matched those seen when the aircraft throttled back from climb to cruise RPM, which tied in with the in-flight occurrences.

What I'm wondering is if a particular vibration level and rate of change could have caused a similar 'black hole' to occur near the fuel pick up point.

The fact that this event occurred on the final part of the flight, after the fuel had been 'degassed' of air in the cruise, would suggest not, and it seems highly improbable that it would occur in both wings at the same time, but if the system is symmetrical, who knows?

To Chris Scott:


By the way, I think you meant "gravity feed" rather than "suction feed"? Wasn't it you and Swedish Steve who proved a long time back in this thread that we are talking about wing tanks?


The OEM AMM officially refers to it as the Engine Fuel Suction Feed.

Swedish Steve, CONF iture and I had analysed that there was sufficient fuel on board in the main tanks (wing tanks) and that the center tank was empty. Determining approx. volume by the area of frost on the wing lower surface and comparing it with the fuel quantity reading on the flight deck of another B777-200ER. See posts #844 thru #878 for details.


Green-dot

I apologize for yet another ignorant question (please delete if inappropriate). To get the fuel out of the tanks, air has to go in... What happens if that vent is obstructed? (Can it?)

In response to Pax2908; if the tank vent is blocked, the air pressure in the tank will drop, and probably result in at least partial deformation of the structure, as wings are not designed to be a vacuum chambers!

This is what happened to an HS125 with a blocked vent (type 'blocked' in the find box): www.flightsafety.org/fsd/fsd_jul02.pdf

pacplyer,
Your reply to Chris Scott makes me doubt your competence, if not your actual provenance and education....

Where I come from (admittedly some time ago), channel A and channel B software were maybe not actually written by two different companies, but definitely by two different teams, using different compilers, etc. etc.

"I submit that both channels use the same code."
If so, things have changed a long way from "my days", and maybe... "Houston, we have a problem"?
Duplicating a mistaek doesn't make it any less of a mistaek.

Duplex hardware monitoring works fine. The chances of any two op-amps, RAMs, PROMs, transistors, or whatever, failing identically, in the identical location in channel A and B are infinitesimal.
But if both channels run exactly the same crudware... when both of them execute exactly the same faulty instruction at the same time, no kind of monitoring is going to catch it.

I'm not suggesting this is really relevant to BA038. I DO think it's relevant to pacflyer's misinterpretation of software reliabilty.

CJ

AAIB says the computers ordered the valves to open and the valves did open and were found open but the engines acted as if they didn't get fuel.

How is software relevant?

The "blocked vent" theory might be viable; there could be enough air entering the tanks to sustain the engines through TOD down to approach altitude, albeit at less-than-spec inlet pressure to the HP pumps.

But once the controls demanded accel in late approach, the blocked vents placed a real limitation on the amount of fuel delivered to the HP pumps. Ergo cavitation and failure to accel.

It might not be enough "vacuum" (i.e. tank pressure below ambient) to permanently deform the wing skins, but enough to starve the donks.

Quote from Green Dot:
The OEM AMM officially refers to it as the Engine Fuel Suction Feed.
[Unquote]

I stand corrected: thanks. The point I was trying to make was that, in the event of failure of all the tank pumps we are not actually relying – as you know better than I do – on the ability of the HP Pump to suck fuel from the wing tanks to the engine: gravity will do the job. On all the aircraft I flew with pylon-mounted engines, this mode of operation was known as gravity feed, not suction feed. I wonder why the B777 uses a different term.

Thanks also for the references to the posts in which you established beyond reasonable doubt that the wing tanks had plenty of fuel remaining: I remember the discussion only too well. It's worth mentioning that, if the remaining fuel had all been in the centre tank and the centre tank pumps had failed, the only possible way of getting fuel to the engines would be by suction. This was, however, plainly not the case.


pacplyer,

Suggest you read my post again more carefully?

Chris,

I misread you post, my apologies. I have deleted it.

ChristiaanJ,

Good post, that's what I wanted to know.

Sorry all, I was not quite myself last night.

Cheers

....I wonder why the B777 uses a different term.

It doesn't! the same term is used for the 747 'Engine fuel suction feed' AMM 28-22
.....The "blocked vent" theory might be viable
Better make that two blocked vents then because there is a NACA duct and flame arrestor on each wing. Plus of course the relief valves!:8

What's that a drawing of Machaca:confused: It doesn't look much like a triple seven BP housing...Try this:8:ok:http://img.photobucket.com/albums/v462/gaspath/untitled-1.jpg
Incidently the outlet check valves have a habit of shedding the their 'rubber' face seals and are being modded for valves without the seal. Awkward but can be changed without going into the tank... After emptying of course:)

SLF but 40 years operating pumps. Interesting comment on the discharge NRV.
When a Booster pump discharge NRV fails in service and the pump is stopped for operational reasons, what stops the flow of fuel from another booster pump in service from discharging its fuel back through the defective pump NRV and into the fuel tank? (Are there motorised discharge valves on each booster pump which close automatically when a booster pump stops?) In the oil busines this is know as pump cross circulation. It has happened many times and action similar to what you have mentioned taken to minimise the risk. In systems where a failure of this nature would be a life or process threatening event, two NRVs of different manufacture are mounted in series on the critical pump discharge.This cross circulation would also result in a very significant fall in the booster pump header discharge pressure.
Obviously if all booster pumps are running whilst A/C in flight, there would be no backflow and no prospect of fuel starvation to the HP pump from this NRV failure mode.

Better make that two blocked vents then because there is a NACA duct and flame arrestor on each wing. Plus of course the relief valves!


To be clear, if a scoop or flame arrestor becomes blocked, a pressure relief valve in the surge tank opens to make a vent.

There is a pressure relief valve in the inboard access door of each purge tank.

The pressure relief valve is normally closed. When it is closed, the valve is in line with the bottom of the wing. If a pressure difference opens the valve, it moves up as it opens. A spring holds the valve open until you close it. You have to pull a reset handle to move the valve back to the closed position.

When you do an inspection, you must look at the pressure relief valves to make sure they are closed. An open pressure relief valve is an indication of a blocked vent scoop or flame arrestor. The pressure relief valve can also open to relieve air or fuel pressure if there is too much pressure during refueling.

Sounds to me both the vent scoops/flame arrestors and pressure relief valve position are pre-flight/walk around items and should be snagged/corrected if any deviation from the normal was noticed.

Personally, while most issues focus on possible causes at subsystem level, i remain wondering if the cause to this accident should be viewed against the total scheme of things. Observing the aircraft as a whole with all systems interacting with each other. Why is no effort made to rebuild the original frame?

It is a unique opportunity with the aircraft relatively intact. Attach 2 serviceable engines (as far as the AAIB reports sofar engines are no suspect), re-attach the original gear, LRUs and wiring as much as feasible, put it on jacks and in the freezer, and do an air mode simulation with all systems operating and selected between TOD and moment of failure? Oh, and put the tail back on, the only reason i can figure why they took it off is either because it makes the frame sensitive to strong gusts or to remove the reference to the BA logo on it.

Who knows what such simulations may reveal?

Like i mentioned, just a personal thought.

Green-dot

Oh, and put the tail back on, the only reason i can figure why they took it off is either because it makes the frame sensitive to strong gusts or to remove the reference to the BA logo on it.

Not BA's property anymore! As soon as the a/c was recovered the insurance co. payed out and the title changed hands. The fin was removed (by BA) at the request of the insurance co. so they could sell it. :suspect: and also to prevent the hulk from 'weathercocking'.
It is a unique opportunity with the aircraft relatively intact. Attach 2 serviceable engines
Only the trouble is the fuel manifolding has been removed.:8

Only the trouble is the fuel manifolding has been removed.


When they have tested it and find absolutely nothing out of the ordinary with it, they can put it all back in. :ok:


Green-dot

The fuel pump pictured at Post #1636, lower item in the sketches, is the scroll case (etc) housing for the pump impeller, as manufactured in the UK by Eaton Aerospace Ltd for the B777. The impeller is on the same shaft as the motor and part of that assembly which is not shown; it enters the pump housing from the left. The fuel inlet is axial from the right, and the fuel discharge is upward and turning to exit horizontally to the right. The maximum discharge pressure (at zero discharge) is 30.5 psig [pressure edited for particular pump used in 777-200 aircraft].

Its motor is 200 V, 400 Hz, 3 phase, [12000 rpm, explosion-proof, fuel-cooled, drawing nearly 9.5 amps approximately constant over all discharge rates from 0 to 40000 lb/hr at 12 psig--[correct option identified by edit and dc & var frequency options omitted as n/applicable]]. The printed flow rate maximum per pump is 35000 lbs/hr, which may account either for discharge backpressure in the piping of this particular airframe or for operation at altitude. The performance graph suggests a discharge pressure of 16 psig for this rate; the graph does not identify data as applying at standard conditions (ie, sealevel pressure, etc) as do some of the other graphs. Four such pumps are fitted to the aircraft when the Eaton equipment is used; they are each two-stage pumps. [Last three sentences specific to the Eaton application in the 777-200 were added by edit.]

The first fuel pump pictured at Post #1545 is a similar arrangement, but is shown opposite hand, and includes the motor, showing it assembled into the scroll casing of the pump (a note implies the impeller is in the motor area, but it would be in the area of the scroll casing, although it would disassemble attached to the motor assembly). There is a Goodrich Corporation fuel pump made in the USA for the B777; I assume this may be it, but my computer locked unable to read a PDF fueling brochure (I lack latest Acrobat reader). Of interest is that Goodrich makes FADECs and what they call an integrated fueling system.

I hope this info may be of help. Again, I don't know [whether Eaton or Goodrich equipment] is in this aircraft [reworded on edit]. Just an experience footnote, I used to design and troubleshoot hydrant fueling systems for both fighters and very large transports.

OE

ChristiaanJ:
Where I come from (admittedly some time ago), channel A and channel B software were maybe not actually written by two different companies, but definitely by two different teams, using different compilers, etc. etc.
My knowledge on the subject is admittedly 10 years old, but as I learnt it that statement is 100% correct. In addition to that, when the code is reviewed if even the slightest correlation in the two methods is found, the code is rejected and one or both of the teams has to rewrite it from scratch using a different methodology.

Pacplyer, I know you're aware of this but I can't emphasise enough that real-time and embedded software engineering is a completely separate discipline from application development, with a completely different definition of 'finished product'. I'm groping for an analogy here, so bear with me, but if application development could be described as an engineering discipline like building an F1 car (lots of whiz-bang features and cutting edge technology, but expected to only be used for a short period of time and to have frequent problems), then real-time software is more akin to engineering the Forth Bridge (old and proven technology, redundancy up the wazoo and designed to last for centuries if necessary).

1. How much water would be needed to allow enough "icing" to develop in each of the relevant valves (mentioned by Top Bunk) sufficient to restrict them?

2. Is this really realistic given that the AAIB reported that there was no significant quantity of water in the main tanks?

3. If true, would the recognition of "icing" conditions in a turbulent fuel flow in or near these valves open up a Pandora's box, namely the much discounted possibility of ice forming elsewhere in the fuel supply system (eg at other valves or scavenge pump discharge outlets in the tanks)?

Any 777 guys know what caused the a/p disconnect? Eg %Vs, stick shake, no more pitch authority etc etc?

Any 777 guys know what caused the a/p disconnect? Eg %Vs, stick shake, no more pitch authority etc etc?Not totally relevant to the cause of the crash, you'll admit.
But since we're now 83 pages into the subject... I was asking myself the same question as an A/P ancient, and maybe we can be allowed a post or two on that subject without being banned to JetBlast.
Alpha? Or one of the reasons you mentioned?

Good points Dozy,

I agree that's the time-tested ideal formula for success: split teams . What I worry about/suspect is corporate corner-cutting:

The finished product is handed off to another senior manager who knows one team has a better product than the other.... and starts rationalizing that since he already has redundancy and since the team B load became ultra stable and has never crashed.. why take a chance on the "A team" screwing up a reliable product.....? (and no time to start over with a third team...)

Now if that were to happen (both A and B channels identical stable code,) you could be facing an unlikely dual-bug-crash should Murphy's Law present itself.

This is all, an improbable, 100% fictitious example on my part, but: recall others in the industry in this thread have voiced concern that we are already into a highly unlikely probability with this double engine failure in of itself.

The reason I discount LP side fuel problems (by themselves) is that Boeing had experience with long range 747SP's that stayed aloft for 18 hours for over thirty years without cold-soaking tank issues leading to multiple engine failure (to my knowledge.) Lots of pumps would have to fail (or already be defered) to loose tank to engine LP fuel feed right? And cavitating pumps were not unheard of in Boeing fuel systems. Various baffle mods and other fixes were put out if my memory serves.

And in the Case of BA038 the suction/grav feed fuel source should have backed it up on at least one side... wouldn't you think?

What about a compound problem? Momentary system selection of dry tanks (slug of water/ice) followed by a FADEC that couldn't resolve conflicting code since it's signal sensors got frozen like the GE engines did.

The FADEC turns into a HAL-9000 so to speak. (I'm sorry Dave, I'm afraid I can't allow you to do that.")

This might be a scenario where this particular subroutine of the software is unknowingly unable to cope with a fuel source interruption of some type since it is faked-out by a frozen FADEC signal sensor and causes the software to stay in it's current state (idle) since it couldn't interpret either corruption in the software load or non-sensical FADEC signal data. While maybe not technically a "rollback" (because we're already at idle,) the result is the same: a temporary loss of engine control.

Refresh my memory here: were the RR and GE development programs a cooperative effort for this class of engine? I can't remember now...

Anybody feel free to comment; I won't bite you today..... :E

This is all, an improbable, 100% fictitious example on my part, but: recall others in the industry in this thread have voiced concern that we are already into a highly unlikely probability with this double engine failure in of itself.


Such as temporary, uncommanded closing of the spar valves perhaps?

In the Questions section of PPRune an incident was briefly posted regarding a B757 with an engine rollback immediately after take-off. The C/B of the spar valve for the affected engine had tripped but was ok when scanning the breakers during preflight. Any one have any information about the outcome of that incident? As far as i know, no other replies were added to that post after i made the suggestion about a possible uncommanded closure in that incident.

Here is a link to that post:

http://www.pprune.org/forums/questions/330157-757-engine-roll-back-t-o.html


Regards,
Green-dot

For those people who have jumped with interest on the possibility of looking at a valve in the fuel pump(s) - I would ask how they explain the almost exactly simultaneous occurance of this previously unrecorded (?) problem in two separate pumps (albeit working in similar conditions) and the even more remarkable fact that the power (i.e. fuel passing) ended up almost exactly the same through both affected pumps.

If this was a single incident the pump theory might well be worth looking at. However, the real problem is the simultaneous, and almost completely similar, effects on both engines/fuel systems.

.

What I worry about/suspect is corporate corner-cutting
Again, it's a completely different kettle of fish to your average bit of Silicon Valley skullduggery. If your hypothetical "senior manager" did that, then the person cross-checking *his* work would reject the code and send it back. Real-time software as it applies to aviation is treated in much the same way as flying the thing. *Everything* is cross-checked at least twice as I understand it.

Us software folk (even lowly app developers like myself) have enough problems with people's distrust of computers without shooting ourselves in the foot like that! You may hear stories of cutting corners in the non-safety-critical world, but even there we're constantly trying to make it harder to turn in bad code. Real-time developers are probably the strictest when it comes to adhering strictly to engineering principles of any of us.

Re my previous post (8/8 @ 1825):

I have been at work for the last few days. I will see is I can get any more specific details from my source. It may take a few days. I will report back.

Again, it's a completely different kettle of fish to your average bit of Silicon Valley skullduggery

Airframe manufacturers DID cut corners in the past.
[Documented facts ... with authorities complicity]

Airbus software got thousands of "improvements" along the years ... Improvements, or corrections? An sure enough, the specs were not set with proper user inputs ...

Business is business ...

The typical scenario for a software development like this is :
- original design has all the bells and whistles required and will be developed by two seperate software teams, full system testing of all paths will be achieved
- schedule starts to slip, new project manager brought in, functionality now reduced to 'basic system only' but still retain two seperate development teams as this is critical
- schedule slips further, decision taken to have single software development team but increase the level of testing substantially to mitigate against the loss of the second independent development team
- development is now on critical path, is very late, no chance of meeting schedule dates, functionality of basic system reduced to bare basics, extra testing abandoned, only minimum testing achieved
- product delivered but the functionality bares no resemblance to what was originally planned and does not meet the quality requirements set out at the start

Herc708:
Do you have a source for that, or have you merely grafted cherry-picked details of real-time development (like two separate teams) and applied them to a rant about software application development you found on the internet?

Bis47:
I presume you're referring to the DC-10 cargo door incidents, or possibly the Comet 1- in both cases those are down to an insufficient level of understanding of a systems-level failure (the door failing, causing the floor to fail and take the cables and hydraulic lines with it in the case of the former, and the fuselage being stress-tested in sections but never as a whole in the case of the latter). In the case of safety-critical software, systems-level failure is something that was understood from the get-go.

Again I'm groping for an analogy, but the level of discipline required for application development as compared to safety-critical real-time software is like comparing the discipline levels of an occasional Sunday jogger to an Olympic-level marathon runner.

And the "improvements" to the software (just as with airframe hardware) come from lessons learned while flying the line. No airframe, whether controlled by string and pulley, hydraulics or FBW has got it right straight from launch.

(Waits for 411A to post "But the TriStar...." ;) )

Herc708,

This hardly merits an answer, I think DozyWannabe got it right.

Your rant has absolutely nothing to do with real-time safety-critical embedded systems development. To start with, such software is never specified with "Bells and Whistles", and there is no way it can be delivered performing something different than what it was originally designed, specified and contracted to do.

What is originally specified is what it must do, the engine will not work if it does any less (barring requirements and specification errors, which do occur). And the fact that engines usually do work, incredibly reliably compared to previous generations, speaks for itself.


'nuff said.

Bernd

Err, Dozy, bis47 said software problems; not hardware problems like doors.

bis47
Airframe manufacturers DID cut corners in the past.
[Documented facts ... with authorities complicity]

Airbus software got thousands of "improvements" along the years ... Improvements, or corrections? An sure enough, the specs were not set with proper user inputs ...

Business is business ...


The quote below is from Wikipedia on aerospace software development problems where mysterious software "new loads" showed up on everybody's airbuses due to non-responsive engines reportedly before/after this accident

Air France Flight 296 - Wikipedia, the free encyclopedia (http://en.wikipedia.org/wiki/Air_France_Flight_296)
A320 operation anomalies
Third-party investigations into the crash dispute the official findings.[2] Captain Asseline asserted the altimeter read 100 feet (30 m) despite video evidence that the plane was as low as 30 feet (10 m). He also reported that the engines didn't respond to his throttle input as he attempted to increase power. The month prior to the accident, Airbus posted two Operational Engineering Bulletins indicating anomalous behaviour noted in the A320 aircraft. These bulletins were received by Air France but not sent out to pilots until after the accident:
[edit]OEB 19/1: Engine Acceleration Deficiency at Low Altitude
This OEB noted that the engines may not respond to throttle input at low altitude.
[edit]OEB 06/2: Baro-Setting Cross Check
This OEB stated that the barometric altitude indication on the A320 did not always function properly.
These malfunctions could have caused both the lack of power when the throttle was increased, and the inability of the crew to recognize the sharp sink rate as the plane passed 100 feet into the trees.
[edit]Investigation irregularities
According to French Law, the Flight Data Recorder and Cockpit Voice Recorder are to be immediately retrieved by the police in the event of an aircraft accident. However, the recorders were taken by the civil aviation authorities and held for 10 days until they were finally confiscated. When the recorders were returned, they had been physically opened and the magnetic tape may have been tampered with. It could not even be verified that they were the original recorders. The four seconds of recording immediately prior to the crash were missing. In view of this, a judicial report alleged that the aircraft's flight recorders could have been tampered with shortly after the crash.[1].

Any assertion that software development teams can't make development mistakes is patently absurd. Anybody who's subscribed to AW&ST knows aerospace has experienced a lot of these over the years. Even NASA lost two mars missions due to schoolboy errors in not converting values.

Here is the video of the Tourlouse, Frace A320 accident in 1988. Although denied by airbus, the crew stated in AW&ST in 1995 that they shoved the power all the way to the firewall and nothing happened. If this had been a cable 747-200 everybody would have lived, because it wasn't up to a fadec computer to schedule a gradual EGT longevity spoolup. Also considerable overboost to clear the trees is possible with the old hydro-mechanical cable design.

Overboost for emergencies is not possible with FADEC. Better to cook the motors and clear the trees imho. But your HAL-9000 FADEC doesn't know that. :uhoh:

YouTube - A320 Airbus Down (2 of 2) (Mulhouse, France - 1988) (http://www.youtube.com/watch?v=Ea28bUTUfiM&feature=related)

The above post is all just my opinions only.

Any assertion that software development teams can't make development mistakes is patently absurd.
I never made that claim. However the chance of software produced by two independent teams who have submitted two *completely* different implementations coming up with the same erroneous value has to be considered pretty damn remote.

Anybody who's subscribed to AW&ST knows aerospace has experienced a lot of these over the years. Even NASA lost two mars missions due to schoolboy errors in not converting values.
Not to disrespect NASA, but I think their coding standards were far less stringent than the teams writing Airbus and Boeing's control software.

And the old Airbus-Habsheim debate has been done to death. The crew screwed up. M.Asseline was way below alpha-floor protection height and the delay in spool-up time was caused *not* by the FADEC control commanding a gradual thrust increase (otherwise you'd have had multiple fatal failed go-arounds by now), but because the A320 uses high-bypass engines that do take a few seconds to spool up compared to the older low-bypass type. M.Asseline should have aborted the pass the second he went under 100ft RA.

The FBW protections did actually keep the A320 level when it hit the trees. Not only would a 747-200 not have survived a similar incident (it would never have been able to make that maneouvre in the first place - hence why Airbus were so keen on that demonstration), but without the protections the A320 had it would have probably augered into the trees wing-down and killed everyone.

pacplyer,

I'm going to be a bit kinder to your post than CJ has been, particularly as you have promised not to bite. ;) DozyWannabe has nicely summarised the main points of the A320 accident you have cited, but I hope he and the moderators will forgive me for commenting on your argument in greater detail, as your post demands.

You shouldn't believe everything you read in Wikipedia, and your quoted phrase from an AW&ST interview with the crew about 7 years after the accident is fairly meaningless, taken out of context.

Although I was flying A320s for another airline at the time (Summer 1988) of the Air France accident to which you refer – it was actually at a small airstrip at Habsheim, near Basel/Mulhouse – I was not aware of the OEBs referred to. I do not recall any prior or subsequent warning of "engine acceleration deficiency at low altitude". [I presume "altitude" means "height".] The other quoted OEB refers to barometric altitude, which is irrelevant to A/Thr or FADEC operation.

The captain evidently decided to manoeuvre the aircraft deliberately into a part of the flight envelope from which he believed it would extract itself automatically, using its unique (at the time) combination of FBW and A/Thr flight-envelope protections. The crew were apparently unaware, despite clear references in the FCOM, that the A/Thr protective mode they relied on, known as Alpha-Floor (previously well-proven on the A310 and A300-600), is inhibited below 100ftRadio, to avoid undesired operation during landing. Wikipedia quotes the captain as asserting that the "altimeter read 100ft", despite video evidence that the plane was as low as 30ft. It does not say which altimeter. We were certainly not experiencing any problems with our RadAlts over paved or unpaved surfaces. If it was the barometric altimeter, then it was the wrong one to be using (as I don't have to remind you), even if it was set to a correct QFE.

The crew would have clearly seen, despite the increasing pitch angle, that they were flying roughly level with the approaching tree tops, so they could hardly have thought they were above 100ft. Because the approach had been rushed, the thrust was still at idle, judging from the sound track of the video.

At some stage, as the trees loomed nearer, it was realised that Alpha-Floor was not providing the sudden command of TOGA thrust that they had relied on, so they "fire-walled" the throttles. The main question is: did the FADEC unnecessarily limit the engines' acceleration from whichever idle mode they were in (gear and flaps extended).

Because of the abysmal way the investigation was handled, we may never know for sure. But from the sound track, the acceleration sounds normal enough. The aeroplane was at or close to Alpha Max (just below the stall). I'm sure you are well familiar with the swing we used to get on take-off on airplanes like the 707 if we failed to "stand up" the thrust levers to let the engines stabilise at 1.2EPR (JT3D) before selecting take-off thrust (does it also happen on 747 Classics?). Now apply that swing to an incipient stall situation.

The programmed acceleration provided by the FADECs may have prevented a yaw-induced wing drop near the stall. [The FBW prevented a stall into the tree tops, ensuring the nose did not drop much, and the wings remained level.]

[If you want more information on Alpha-Floor logic and the Habsheim accident, you could start by looking at this link]:
http://www.pprune.org/forums/tech-log/316096-lh-a320-rough-landing-hamburg-22.html#post3973073


Although a spontaneous FADEC malfunction could have been responsible for the failure of an engine to accelerate in the BA038 accident, whatever unprecedented series of coding that produced the error is unlikely to have been replicated 0 – 8 seconds later in the other engine's FADEC, as phil gollin and many others have previously commented in relation to various failure mechanisms.

:) Good points everybody.

Chris Scott: good post. Our posts crossed at the same time. Glad to have an A320 driver here; my understanding of level change is limited to the predecessor A300 series; I could very well be wrong about everything here. Thanks for the link I'll read it.

Dozy said:
And the old Airbus-Habsheim debate has been done to death. The crew screwed up. M.Asseline was way below alpha-floor protection height and the delay in spool-up time was caused *not* by the FADEC control commanding a gradual thrust increase (otherwise you'd have had multiple fatal failed go-arounds by now), but because the A320 uses high-bypass engines that do take a few seconds to spool up compared to the older low-bypass type.

Dozy;
Corvair automobile owners screwed up and crashed, but it doesn't follow that the design that Ralph Nader finally got killed was faultless. This over-reliance on confusing automation is what caused the above airbus A320 accident, and not the old catch-all refrain "pilot error" imho.

These were experienced airbus [test?] pilots. The only screw up the crew made was not distrusting the automation sooner and switching to full manual early (which is what we are trained to do now.) The problem was that by the time they got done trying to analyze why the automation was not promptly applying climb thrust, it was [nearly] impossible (behind the power curve) to clear those trees even with GA thrust applied. They did override the throttles (about) four seconds prior to impact but [prompt climb] thrust had previously been rejected by FADEC in favor of a gradual level change/slow spool up routine. I've used this "level change" mode a million times on A300's. Nearly always (back then) in "level change" mode [when the machine has a small change in altitude sitting in the alt sel window], a two to four second delay would happen before you saw any appreciable power come up at all. Then you still had to wait another ~five or six seconds before target power showed up. It used to be a lot worse before the software changes came out. Still these are modes that you don't want to be in close to the ground even though airbus didn't used to have any restrictions on it.

747-100's & 200's have had thousands of super low & slow flybys and not one has ever failed to command all the thrust you can handle in six seconds. It has nothing to do with different types of engines or spool up times. Those were also high-bypass ratio engines that required a "flight idle" to get you out of bad go around situations.


M.Asseline should have aborted the pass the second he went under 100ft RA. The FBW protections did actually keep the A320 level when it hit the trees. Not only would a 747-200 not have survived a similar incident (it would never have been able to make that maneouvre in the first place - hence why Airbus were so keen on that demonstration), but without the protections the A320 had it would have probably augered into the trees wing-down and killed everyone.


Naaaa. A 741 or 742 would have never got that slow in the first place because the autopilot was not certified to be engaged below mins except on approach and the AOA is not in charge. A hand flying pilot would feel the required backpressure happening on the yoke and do something about it. The autopilot doesn't possess this airmanship "cowboy" instinct at all (regards to christianj). I don't think the hand-flown A320 sidestick provides a backpressure "feel" does it? In the 747 case, immediate overboost thrust and intentional flight below stick-shaker momentarily to clear trees is possible (like in modern wind shear training.) These "coffin corner" non-book emergency actions (over-boost and momentary extremely high deck angle in ground effect) are not available in the A320 if I understand the limits of FBW combined with FADEC. BTW, we did use them to escape FAA "non-survivable" t/o wind shear down-burst scenarios in the 727, 747, DC10. Sometimes you missed the ground by a whisker and sometimes you weren't so lucky. At least you had that capability if it was needed.

[Down low] Alpha Floor flight is dangerous with the level change mode and should never have even been attempted (we know now of course; and IF that's what actually happened.) There's the possibility that he was in "thrust latch" (A/T mode) at some point: but he stated that nothing happened so he cycled the thrust levers.

The problem with aerospace programers is they think they can anticipate every eventuality and therefore a pilot is just redundant. But what happens when the [Baro] altimeter malfunctions in this case as corrective airbus 320 directives allege it was (according to Wikipedia's et al contributors?) [You fly off the baro altimeter right?, the RA is just a backup.]

Now you don't get prompt power applied on a toga button push and the trees are coming up. :eek:

Not to say that a software corruption is what caused BA038. Just making the point that the FADEC between the hand and the spray nozzels is one more weak link that the PIC must use in an emergency GA whether he likes it or not.

Will it work? I know a steel cable will because I just used it hand flying the descent.

Quote:
"However the chance of software produced by two independent teams who have submitted two *completely* different implementations coming up with the same erroneous value has to be considered pretty damn remote."

My experience of software development is limited to non safety-critical applications (test and implementation of custom software in print media.) I am not, and have never been, in the aviation industry and I also lack formal training in computer science, so I'm excessively unqualified to make any kind of comment here... However I've heard it said that the above assumption is significantly undermined by a "common culture" shared by programmers.

Whether this gotcha is now compensated for by appropriate strategies, I have no idea, but it does seem to me a real hostage to fortune to assume that any area of human endeavour has reached the stage of unblemished perfection - least of all software!

However I've heard it said that the above assumption is significantly undermined by a "common culture" shared by programmers.
Said by whom?

And no one was talking about software attaining perfection. Merely that the probability of two completely separate pieces of imperfect software prohibited from sharing any common logic coming up with the same computational error is extremely remote.

You're just going to have to trust me that the only thing that safety-critical software development has in common with what we, the public, encounter as 'computer software' daily is that it all works on binary logic eventually.

I cannot stress enough that the development process for saftey-critical real-time software is unique in the industry.

As we seem to have drifted back to FADEC software and its construction may I add something which will probably scare those of you who are already concerned:

The Trent FADECs run the same software, developed by the same team in both lanes of the FADEC, these are also hardware identical.

However, the design and construction, code, test* etc. are so different from the commercial world that I do have confidence in the correctness of function. There are so many cross-checks - sanity checking is a good term - that I doubt that any of the scenarios painted so far could happen.

But, as I was on that team, I would say that wouldn't I???

Last time I posted on this thead I got a dire warning, so unfortunately I can't add much more.

Safe flying :}

VnV...

*check my moniker.

Finally,

The truth is fleshed out. Thank you immensely VnV2178B. That was what I was hoping would emerge by posting so many inflammatory posts.

A true pillar of software honesty has emerged ladies and gentlemen. And I will not soon forget it.

Please, please,

The direction of my inquiry, dozy, and others, is not to implicate aerospace software vs. the pilot input as some kind of culprit. My intent only, is to increase aviation safety; as now I find myself in the back, with knowledge and experience in commanding both Boeing and Airbus products (and a rudimentary degree in Computer Science.)

That I hate automation and aviation software? Nothing could be further from the truth. Software flying is never going to go away and I know it. That is not what I am arguing for. The days of John Wayne are over and I know it (although those days were better for professional pilots.)

What is important now, is that we allow flight crews to stay proficient at John Wayne skills for the day that the software hit's an endless loop and gives up.

I really hope that you my friends in programing can discern the subtle difference that I am advocating. Obviously, I have failed to convey that intent.

Fraternally,

pacific plyer

(the above is all and only: just my opinions only.)

OK, but comparing it with the A320 incidents is now no longer a valid position, as the A320 software *did not* let go.

VnV, I'd *love* to know the sanity checks you guys put this code through, because I'd still be very concerned there was no fallback or cross-check in day-to-day operation.

DW,

I would post, but, as I noted above, I got a dire warning last time about revealing stuff not already in the public domain.

However, as a guide, the inputs are all duplicated and cross-checked, there are performance models of the engine and the FMV and the expected outputs are compared with the actual outputs, there are reversion modes should there be a loss of a speed, temperature or pressure input (the GE scenario of freezing probes is unlikely to fool the R-R FADEC), the FADEC hardware is continually checked for correect function etc, etc.

The whole lot is validated to be what is wanted and verified for function, starting with the lowest assembler and finishing with a full-up systems rig test.

I have faith in the product, I have flown on 777s since the incident without qualms!:)

VnV...

Said by whom?

And no one was talking about software attaining perfection. Merely that the probability of two completely separate pieces of imperfect software prohibited from sharing any common logic coming up with the same computational error is extremely remote.


This is (roughly) the main hypothesis behind NVP (n-version programming). Knight & Leveson famously claimed to have disproved this experimentally http://sunnyday.mit.edu/critics.pdf. Specifically, they claimed that errors were correlated between independently developed versions of the software. This might be counterintuitive, but it wouldn't be the first counterintuitive result in the history of science.

Also worth noting that Boeing dropped NVP when developing the 777 flight control software. They engaged a single contractor for triplex development (three separate teams with "chinese walls" between), but changed to one team part way through development, apparently because the teams were asking such similar questions about the spec it was felt independence was compromised anyway ("common culture" perhaps...).

All of which is not relevant to the FADEC software which is a different beast and may well have used a different (but still safety-critical) development methodology.


With regards to this incident, based on the information published so far all the software appears to have functioned correctly, which means we are looking at a different cause (although I take the point that there could have been something going on between sampling intervals or a sensor failure).

Hmm - I suspect the 777 processes were still under wraps when I was at Uni then, as NVP was still considered as a very good thing. Knight and Leveson's criticisms were mentioned, but very much in the context of the jury being out.

DozyWannabe, Pacplyer, VnV, others, ...

This is about the B777's FBW system (more specifically, the PFCs).

The approach of having three separate coding teams, isolated from each other, was initially attempted, but eventually rejected. Iin his paper "Design Considerations in Boeing 777 Fly-By-Wire Computers" Y. C. (Bob) Yeh wrote:


In the design diversity experiment at UCLA [10], the isolation rules were employed in which programming teams were assigned physically separate offices for their work and that inter-team communications were not allowed. The research at academe [10],[11] indicate that multiple versions of programs developed independently can contain similar errors.

Boeing experience is that among sources of errors it is most often the basic requirements which are erroneous or misinterpreted. The key to a successful software implementation is the elimination of errors. The errors due to misinterpretation can be reduced by very close communication between the system requirements engineers and the software designers. In fact, the software designers can help the engineers recognize limitations in the software design when the requirements are being written. There is much benefit from this interactive relationship, which is precluded by the dissimilar software design approach, where systems and software teams much be kept segregated.


So this sounds like diversity is theoretically a good idea, but hasn't been proven to be beneficial in practice.

Coding diversity will not eliminate the most common form of errors, which are requirements errors

I know that the A320's most important flight control computers, the ELACs, each contain one Motorola 68000 and one Intel 80186 processor, which run the same algorithms, but I do not know if their software was developed by isolated teams. There are 2 redundant ELACs, and if they both fail, there are 2 SECs, which also provide pitch and roll control, albeit in a degraded mode (alternate or direct law.)

I do not know about hardware/software redundancy within each FADEC channel, neither for Trent nor for CFM56.


Bernd

Thanks for the intervention and returning the thread, Bernd. The Habsheim item comes up anytime Airbus automation and software is discussed - sorry for the thread-drift!

Bernd,

I agree that requirement definition is a difficult task to get right. My experiences of systems engineering is that they speak a sufficiently different dialect for there to be a considerable margin for misinterpretation.

Having spent some time with Airbus I found their approach refreshing in as much as we had meetings at which all the stakeholders were supposed to agree the wording, implementation and testing of every requirement. This meant that problems of interpretation could be caught early in the process. I hope they still do this as I, for one, found it useful.
I would expect a badly worded requirement to be subject to the same problems from every diverse team that encountered it as most implementers would have come through the same education process.

VnV...

VnV - I was told that the stakeholder meeting was still a big factor in AI's development process in 2001 - no idea about now, but I can't think of a reason they'd abandon it.

DW,

my Airbus experience was later than 2001: so it was still being used 2003/4ish.

Perhaps some current AUK/AI person could enlighten us, and perhaps a Boeing person could do the same on their elicitation process.

VnV...

VnV2178B,
I like asking daft questions every now and then, even when I don't expect an answer, but can you say whether the R-R FADEC software/hardware has been investigated in relation to the BA038 incident?

The spirit of this enquiry is: If you don't ask, you don't get.

Regards, Tanimbar

Tanimbar,

I actually don't know as I am not involved anymore.

I assume (dangerous!) that R-R has been looking into all aspects of the systems, including the FADEC software.

From what I have read and memory I would not point the finger at the software myself as all the reports state that it functioned as designed, demanding more fuel when the reduced flow was detected.

I won't post more here - I too think this discussion is not news and should be tech log, I only wanted to clarify the software process.


VnV...

In the comments section of The Register May 13, a Heathrow mechanic for 777s said large transports landing from long flights at altitude in cold conditions were showing up with booster pumps with frozen intakes and that check valves held open with solid ice were also seen. He states he personally changed some of these pumps. I took booster pump to mean the LP pumps in the wing tanks. This may be a reliable report, because it seemed to fit with the physical test program AAIB stated in their May 12 supplemental report (3 pages). Here is the link:

From The Register, London, publ 5-13-2008, URL = Heathrow 777 crash: Siberian cold to blame? | The Register (http://www.theregister.co.uk/2008/05/13/aaib_777_update/)

His comments are easy to find among the few on the website, at the AAIB story.

My own thoughts are that something like closing the throttles to flight idle at some reasonably high altitude in the landing regime would increase the LP pump discharge pressure. In turn, this would decrease pressure at the impeller area of a centrifugal pump, as this pump is. I know this is very counter-intuitive (so pump engineers tend to be specialists). Under the right adverse conditions, a decrease in pressure within the fluid fuel column could cause ice crystals to precipitate out of solution or entrainment, where before the water content may have been causing no problem.

OE

My own thoughts are that something like closing the throttles to flight idle at some reasonably high altitude in the landing regime would increase the LP pump discharge pressure. In turn, this would decrease pressure at the impeller area of a centrifugal pump, as this pump is. I know this is very counter-intuitive (so pump engineers tend to be specialists). Under the right adverse conditions, a decrease in pressure within the fluid fuel column could cause ice crystals to precipitate out of solution or entrainment, where before the water content may have been causing no problem.


At low altitude, even if the pumps would have encountered such conditions as you describe, suction feed bypass valves in the engine feed system would have opened to feed the engines. Those are check valves and not sensitive to the conditions the pump impellers are subjected to according to your explanation. No ice crystals would precipitate out of solution at those suction feed bypass valves with the fuel quality being within specs as tested by the AAIB. A scenario whereby both the boost pumps and the suction feed bypass valves would have been blocked by ice therefore seems very remote. This could perhaps have occurred with a much higher water content in the fuel (way outside the required specifications) than was actually sampled from the fuel in G-YMMM's tanks.

Just my thoughts, something other than ice in the fuel must have (partially) restricted fuel to the engines to less than required. It may have been a "manifold" of circumstances (holes in the swiss cheese) interacting in the same slice of time that made it so. Something not recorded.


Regards,
Green-dot

At low altitude, even if the pumps would have encountered such conditions as you describe, suction feed bypass valves in the engine feed system would have opened to feed the engines. Those are check valves and not sensitive to the conditions the pump impellers are subjected to according to your explanation. No ice crystals would precipitate out of solution at those suction feed bypass valves with the fuel quality being within specs as tested by the AAIB. A scenario whereby both the boost pumps and the suction feed bypass valves would have been blocked by ice therefore seems very remote.


Thanks for reminding me of the alternate fuel route. I agree with what you say in regard to the suction feed bypass valves.

I don't think that this (alleged, but assuming it did occur to some A/C) LP pump icing, particularly accumulation of ice in the area of the LP discharge check valve, is at all likely without some severe restriction of fuel flow rate somewhere along the normal path of fuel flow. Otherwise, such ice crystals as might form in the low-pressure region of the pump would not have time to grow beyond very small size and quantity before being swept into the higher pressure region of the discharge, which would stop their growth.

So yes, it well may be a swiss-cheese situation. It's certainly possible that ice, if any, could have been just an effect of a more primary chain of events.

OE

Green Dot:

I repeat my theory here, since you mention the suction bypass system. Boeing acknowledge that gas or air can be trapped in the suction line and cause flame out or thrust reduction under suction conditions.. If some unusual circumstance ( excess gas in the fuel trapped under pressure in the line or LP pump icing reducing manifold pressure) caused the suction line NRVs to open, enough gas could be introduced, almost simultaneously, into both sides of the fuel supply manifold and starve both engines of fuel. There would be no evidence of that after the event.

777fly: I agree, a scenario such as you describe could be amongst the plausible possibilities if both left and right engine feed systems had low manifold pressure due to ice contaminated boost pumps (all 4 pumps in the main tanks) and enough vapor trapped near the suction feed bypass valves. Or, if not vapor, leaking connections in both left and right engine feed manifolds, which would reduce suction feed effectiveness with boost pumps failing to deliver. On the other hand, if boost pump pressure dropped due to ice in the pumps, the crew would have been alerted (pressure lights in the pump switches on the overhead panel and the master caution light (including aural alert) would most likely have been presented). No such alerts have been reported by the AAIB. So even if there was no evidence of it after the event, there should have been evidence of it just prior to- and while the event took place, in the form of alerts mentioned above. Green-dot

Has there been an accident report or are they still investigating? Can anyone fill me?

Still investigating - see www.aaib.dft.gov.uk

Hi there.

The B777 is designed to initiate an automatic re ignition if a flame out occurred where no ignition was already on, but as the engines were still above idle (no ENGINE THRUST alert to crew) during the initial phase of the approach, this is a moot point. Once the configuration for landing was initiated, continuous ignition is applied.

If an icing related event had occurred at the intake of the FP due to pressure drop or otherwise (other restrictions that may have existed in the system) then the interruption of fuel to the engine would have been temporary, the engine driven fuel pump has suction feed capability at low altitudes/thrust levels, and reignition would have occurred.

The dynamics of the event require that some thrust remained from the engines, at least in the latter phases of flight.

In respect to the isolated development of software, the design constraints and group backgrounds/experience and training will tend to develop similar solutions in isolation. The engineers natural tendency for frugality in memory overhead certainly comes to mind, as does the limited inputs available and the specific task output constraints as drivers towards similar solutions.

Personally, I remain concerned in respect to the number of the B777's that have opted to have single TAT probes fitted vs the option for dual probes. I have had on another Boeing 4 holer all engines rollback to idle at rotate (while in HOLD mode...) as the TAT probe had failed and driven the EPR limit to near idle. This is not the case with the BA aircraft, but remains a potential vulnerability to the pilot.

Interesting discussion.

regards :)

It now appears the fuel composition might be an issue.....high content of waxy substances and very low temperatures....

It now appears the fuel composition might be an issue.....high content of waxy substances and very low temperatures....
Appears from where, exactly ??

Reference please.

I have also heard a whisper that an announcement is due soon. Sorry no sources or references though (and I know pics or it didn't happen)

No attribution and so extreme care needed ....and (i) we were told categorically that the fuel was within indeed exceeded spec and (ii) doubtless we shall get the "but it's after the Olympics now" brigade out soon.

Yes I've read every post.

CW

Yes I've read every post.


Even some of the better ones like mine in Jet Blast:confused:

So when is the official report of the accident coming out?

Lets have some experts from the NTSB (or eq in UK) stating the problem, although I am bearing in mind all your tech knowledge and interesting speculations and rumours :}

Feels it has been too long now... Someone trying to hide anything maybe? Or just hoping that people "forget" about the whole thing? Yay- more speculations :D

For Viking 101
I have no idea when the AAIB will issue another interim report, or a substantive report. You may wish to bear the following in mind when considering the time-scale for the issue of a further report.
Fluid mechanics is one of the most demanding disciplines in physics.
AFAIK, fuel systems for all aircraft are designed using Newtonian-fluid mechanics principles, since aviation fuel is a “Newtonian fluid”. If however a fuel becomes ‘waxy’, its properties and transport may (only ‘may’) then be governed by “Non Newtonian” fluid mechanics. Checking the modelling of the fuel flow design against Euler and Navier-Stokes equations, analysing Computational Fluid Dynamics data for both Newtonian and non-Newtonian fluids is not a quick job and will probably need to be run many times with different temperature and fuel viscosity regimes. So we wait.
Rgds.

It's not unusual for final reports to take more than a year. The latest formal reports page on the AAIB site here.. Air Accidents Investigation: Formal reports (http://www.aaib.dft.gov.uk/sites/aaib/publications/formal_reports.cfm)
lists 4 reports from accidents in 2006 and 2 reports from 2005. None from events in 2007 yet.

Last report I read suggested the manufacturer was building possibly complex test rigs to simulate conditions so not surprised that takes time.

In any investigation like this, in order to find the facts and the reasons why, the time it takes to reach a conclusion is of secondary importance.

We do not control the day, the day is controlling us . . . . .

Green-dot

Feels it has been too long now... Someone trying to hide anything maybe? Or just hoping that people "forget" about the whole thing? Yay- more speculations

A Professional Forum like this is really no place for puerile conspiracy theories... please desist.

So when is the official report of the accident coming out?

Lets have some experts from the NTSB (or eq in UK) stating the problem, although I am bearing in mind all your tech knowledge and interesting speculations and rumours

Feels it has been too long now... Someone trying to hide anything maybe? Or just hoping that people "forget" about the whole thing? Yay- more speculations
If you had been paying attention, you would have seen posts 852 (http://www.pprune.org/rumours-news/340666-ba038-b777-thread-post4043766.html#post4043766) and 1006 (http://www.pprune.org/rumours-news/340666-ba038-b777-thread-post4090353.html#post4090353), where I note:-

"I've just crunched the data on published formal reports by the AAIB back to 2006... The average length of time from incident to final report publication is 25.6 months, i.e. a little over two years. This does not and has not stopped them issuing recommendations, where appropriate, before the final report."

Hairy man, take it easy with your choice of words! I might get offended :p I dont think I have been the only one with theories... How many posts are put into this thread? Thought so. Maybe you want to "desist"?

RTFM, I am sorry I did not read your post- most illuminating! Thanks for the constructive info!

Pettifogger- Excellent :ok:

I have also heard a whisper that an announcement is due soon.


Wall Street jounal says

U.S. and European air-safety regulators, concerned about potentially dangerous ice buildups in the fuel systems of certain long-distance jetliners, are about to issue new operating rules for around 220 Boeing 777 aircraft, according to people familiar with the matter.
The mandatory safety directives apply only to planes with engines manufactured by Rolls-Royce PLC, which account for about one-third of the ...( I have not subscribed to read further )


ITN lunchtime says report is out later today.

Reporter suggests that the report says fuel OK but believed report will say ice formed in fuel lines.

Reuters item today

(Reuters) - U.S. and European air-safety regulators, concerned by potentially dangerous ice build-ups in the fuel systems of some long-haul jets, will issue new operating rules for about 220 Boeing (BA.N: Quote (http://www.reuters.com/stocks/quote?symbol=BA.N), Profile (http://www.reuters.com/stocks/companyProfile?symbol=BA.N), Research (http://www.reuters.com/stocks/researchReports?symbol=BA.N), Stock Buzz (http://reuters.socialpicks.com/stock/r/BA)) 777 planes, people familiar with the matter told the Wall Street Journal.
The mandatory safety directives apply only to planes with engines manufactured by Rolls-Royce PLC, which comprise about a third of the Boeing 777 fleet world-wide.
But under prodding from British officials, Boeing will analyze whether similar precautionary measures should be extended to the rest of its 777 line, people familiar with the matter told the WSJ.
The rules are expected to be released in the next few days.

AAIB has announced issue of Interim report today:

Air Accidents Investigation: Interim Report - Boeing 777-236ER, G-YMMM (http://www.aaib.dft.gov.uk/latest_news/interim_report___boeing_777_236er__g_ymmm.cfm)

BBC COPY:
The British Airways Boeing 777 that crashed at Heathrow in January was PROBABLY brought down by ice in its fuel system according to the latest findings of a report by the Air Accident Investigation Branch.
The pilots of the plane managed to get it down safely, and 136 passengers and 16 crew escaped without serious injury.
The AAIB now believes the flow of fuel dropped shortly before the engines on the plane lost power -- at 720 feet above ground, less than a minute before touchdown and that ice could have clogged the fuel system.
But the investigators say they still don't know how the ice could have formed. Water is naturally present in aviation fuel -- the investigators believe there may have been around 5 litres within this aircraft's fuel load. But the report says levels of water recovered the fuel after the crash were very low for a Boeing 777.
They dismiss the suggestion that the fuel itself froze or became 'waxy' as icing occurred.
The interim report says the plane flew through unusually cold air over Siberia while en route from Bejing to Heathrow. The fuel temperature fell to minus 34 degrees centigrade. But jet fuel should not freeze until it is at less than minus 57 degrees centigrade, and the report says the temperatures involved were not "unique".
The investigation into the crash of flight BA038 continues with testing at Rolls Royce in Derby, and Seattle in the US, home of Boeing.
Water in aviation fuel can be dissolved at the molecular level, or simply float as free water, suspended in the fuel. As the fuel gets colder tiny droplets can form and freeze.
The mystery facing investigators is why this might have happened on an apparantly fully-functioning aircraft.
Water in the fuel is controlled by draining it regularly out of the fuel tanks -- and on the Boeing 777 a so-called 'scavange system' pumps it out.
Ice can form when the fuel temperature drops to around -1 to -3 degrees centigrade. Generally the ice crystals simply float and drift in the fuel without causing harm.
Only when the temperature falls further does the ice stick together. Within the fuel system a heat exchanger is used to increase the fuel temperature, but its possible the blockage might have occurred before this point.
The investigation team have build a test rig and introduced pre-prepared ice into the fuel system to see if it would clog up. But the amounts they had to put in to make this happen were far greater than is normal.
Despite that the scenarios being considered by the AAIB are based on the idea that the ice formed gradually in the system and was released as the plane prepared for landing.
But the report makes three safety recommendations -- that the US Federal Aviation Administration and the European Aviation Safety Agency introduce interim measures to reduce the risk of ice forming on the Boeing 777 powered by Trent 800 engines.
The other recommendations are that the agencies should consider the implications for other aircraft types, and review the requirements for new engines.
This accident remains an enormous for the investigation team. But their reported stresses the rareness of this crash.
"The accident flight was unique", it says, "in that this has been the only recorded case of a restricted fuel flow affecting the engine performance to the extent of causing HP pump cavitation" - the damage found within the pumps that alerted the investigators to the loss of fuel pressure.
The report goes on: "this is the first such event in 6.5 million glihht hours and places the probability of the failure as being 'remote'."

I am very late to this thread as a result of receiving the below link. I don't have time to read all the way back through the thread, with no disrespect intended.
I assume that this item has been thoroughly disected and probably dismissed in the thread and I would be grateful if someone could kindly refer me back to the definitive post#.


BA038 - The Truth About Flight BA038 (http://ba038.terapad.com/)

Your linked page gave me a laugh. I've not read so much idiotic nonsense for some time now!

Carnage Matey:


Your linked page gave me a laugh. I've not read so much idiotic nonsense for some time now!


Yes I know. I just wondered if earlier Posts had reached any conclusions as to who might go to such trouble to produce a professional looking web page. Competitor Airline or ex-wife?!!

My money is on a nerdy plane spotter/Walter Mitty fantasist who lives with his mum, has no girlfriend and wants to feel important.

CNN airing a news bulletin at 1430Z concerning a new update on the BA038 accident. Fuel icing cited, but awaiting full report....

British Airways Plane Crash At Heathrow: Fuel Flow Restricted By Ice | UK News | Sky News (http://news.sky.com/skynews/Home/UK-News/British-Airways-Plane-Crash-At-Heathrow-Fuel-Flow-Restricted-By-Ice/Article/200809115093167?lpos=UK%2BNews_0&lid=ARTICLE_15093167_British%2BAirways%2BPlane%2BCrash%2BAt% 2BHeathrow%253A%2BFuel%2BFlow%2BRestricted%2BBy%2BIce)

"BA038 - The Truth About Flight BA038"

Probably written by the same 10 year olds that still think the world is flat. What a complete load of baloney.

The Graudian: (http://www.guardian.co.uk/uk/2008/sep/04/transport.britishairways)

Investigators blame ice for BA plane crash at Heathrow

It is still an Interim report and it states that ice PROBABLY contributed to the reduction in engine thrust. The AAIB is still not prepared to state definitively the cause of the accident.
I still suspect that it was a programming error in the engine management software. A combination of events during the descent, the hold and the final approach produced an event that did not figure in the long list of IF/THEN statements that control how the engines operate in any given scenario.
Flame me if you like but I maintain that, if it was ice, then the problem would have surfaced long before now.

Xeque:
I still suspect that it was a programming error in the engine management software

Perhaps you can explain how an error in the software caused cavitation in the pumps?

Ah, I thought not.

if it was ice, then the problem would have surfaced long before now.

Xeque - consider yourself flamed

To all of us that said "fuel flow restriction caused by wax or ice crystals or both" lets pour ourselves a large Gin & Tonic. With ice, of course.

Pinkman

I heard early on that they'd apparently had low fuel temp warning messages, but there was nothing to substantiate this.

BBC NEWS | England | London | 'Ice in fuel' caused BA jet crash (http://news.bbc.co.uk/1/hi/england/london/7598267.stm)

ECAM Actions.

I haven't read the whole thread, so apologies if this has been asked before.

But re "BA038 - The Truth About Flight BA038" : WHY is it "baloney", please? I don't expect chapter and verse, just one or two pointers.

Not a wind-up, a straight question. I'm just an interested and reasonably well informed observer and I can't see anything in it which is obviously wrong or impossible.

I think this investigation is in the hands of the very best professionals. If ice in the fuel resulting in pitting in fuel pumps is the interim conclusion of the cause, then I am sure that is with very good grounding.

There are, however, a few obvious questions:

1. Since the lifting of overflight rights by the Soviets, quite a few years ago, thousand if not millions of aircraft have flown from HKG and Chinese airports over Mongolia and Siberia to Europe with few, if any, similar problems. Also, in the event of fuel freezing, warnings would alert crew to reduce altitude and, whilst understanding that this would not necessarily apply if water was the cause,the problems occured just before landing and, therefore, having already more than adequately responded even should warnings have been made. And there is no suggestion that they were. Did BA038 make a very rapid descent so as not to allow unfreezing or were the pumps so badly pitted by that stage that the ice alone was no longer the problem? Is this, then, a problem unique to the specific design of the fuel pumps in the RR engines on the 777? Is this the reason why UK authorities are "Prodding" Boeing to investigate other engines also?
2. There are other reported incidents (MH ex PER etc.) of unusual 777 power responses to automated commands in conditions far less likely to involve freezing of/in fuel Whilst of course all incidents are entirely different, one wonders which engine types were involved in prior incidents and, if not, what if any other similarities might exist?

If you believe ice bought this Jet down you'll believe anything!

Xeque

Read the report, it clearly explains that the engine control units did exactly what they are designed to do, correctly detecting and reacting to the events of the last 720ft of the descent.

It also clearly states that this incident is unique in 6.5 million flight hours, so your assertion that it would have surfaced before doesn't fit with the observed instances of the event.

Fascinating report, and clearly some more tests that exactly recreate a 777/Trent 800 installation will be needed to accurately pin down the details of what and why as the tests that have been done show some differences from the recorded parameters on BA038.

The BBC is reporting that the US FAA will be producing new procedures tomorrow which will also include fueling.

I've read 95% of this thread and the AAIB reports. Anyone know if the fuel used on the outbound flight was checked for water content?

In response to post #1713:

Apart from the fact that nearly all of it is factually incorrect, there is nothing wrong with "The Truth About BA038".

In response to post #1718:

Why the outbound flight?

ECAM Actions.

As always a very informative and clear AAIB report. As they say themselves, many questions remain, I was thinking about the following items not mentioned in the report:

- what was the impact of the high air humidity during the approach? (intake through vents?)

- could the fuel temperature in some more exposed parts of the pipework (ex. the pylon) be considerably lower than the temp measured by the single main tank probe, where I assume the temps are influenced by the great mass of fuel, even in the coldest areas of the tank. Could this have caused icing or even waxing of the fuel in those cold spots downstream of the boost pumps?

the AIIB report states that military aircraft use a fuel additive that lowers the freezing point of water in the fuel.
Does anyone know why this is not used on civil aircraft.

I think the most interesting/important part of the report is this:

However, it should be recognised that throughout the investigation all of the testing and research into the root cause of this accident has been conducted on the Boeing 777 / Trent 800 aircraft engine combination, and it is unknown whether other aircraft / engine combinations that have already been certificated might also be vulnerable to this previously unforeseen threat.

Therefore:

Safety Recommendation 2008-048

It is recommended that the Federal Aviation Administration and the European Aviation Safety Agency should take immediate action to consider the implications of the findings of this investigation on other certificated airframe / engine combinations.

Which opens up the possibility that the BA38 scenario might not be confined to the RR 777, or indeed to the 777 at all...:ooh:

Does anyone know if the aircraft internal fuel piping is different for each type of engine installed on the 777? This would have a bearing on whether the problem is unique to the 777/Trent combination.

I am extremely dissatisfied -

Having worked my way through the report I still do not understand two issues :


1: Why are the restrictions only to apply to Rolls-Royce powered aircraft - there seems no logic or evidence ? There seems no specific reason to restrict the recommendation to Trent powered aircraft other than there have not been the equivalent tests carried out on 777s powered by other engines. Could someone explain ?


2: Obviously they seem to have been able to show that the cavitation damage can be caused in the laboratory by having approx 95% of the cross-sectional area blocked.

However, they also detail the series of engine accelerations during the final approach and, indeed, state (under one assumed scenario) : “Testing by the engine manufacturer has shown that sufficient ice accretion could not have occurred on the face of the FOHE or the LP pump inlet, prior to the final series of accelerations. If it had, then the rollback would have occurred earlier during the first acceleration of the final approach series”.

The other assumed scenario includes the statement : “In this case the ice might then travel and be ‘caught’ in the pipework, spar valve, LP pump inlet or on the face of the FOHE, thereby causing a restriction to the fuel flow” but fails to state how this could have happened so close together in two separate systems and to almost exactly the same degree (1.06 versus 1.07).

There seems no scenario or explanation laid out in the report that actually takes into account the actual occurances, i.e. the slight delay in the two engines rolling back - BUT the nearly identical rolled-back thrust. This would imply that a completely unknown icing phenonomen occured in two separate systems (obviously facing the same climatic conditions) but was so disimilar that the roll-back occured a few seconds apart, but so similar that the rolled-back thrust were almost exactly the same 1.06 and 1.07. This icing effect must have been pretty remarkable to affect the engines both differently in time, but similarly in effect.

The report doesn't really explain anything and seems to be grasping at the only thing it can reproduce.

As I said, I am dissatisfied.

the AIIB report states that military aircraft use a fuel additive that lowers the freezing point of water in the fuel.
Does anyone know why this is not used on civil aircraft.

From memory, it's diethyl glycol monoethyl ether. If it's less than 0.02% by volume, then the fuel supplier doesn't have to seek agreement of the customer. However, if it is agreed that it is used, then the concentration is supposed to be between 0.10% and 0.15% by volume.

borghha,

- what was the impact of the high air humidity during the approach? (intake through vents?)
From P.12 of the interim report:
In addition, it is estimated that a maximum of 0.14 ltr of water could have been drawn in through the fuel tank vent system during the flight to Heathrow.


- could the fuel temperature in some more exposed parts of the pipework (ex. the pylon) be considerably lower than the temp measured by the single main tank probe, where I assume the temps are influenced by the great mass of fuel, even in the coldest areas of the tank. Could this have caused icing or even waxing of the fuel in those cold spots downstream of the boost pumps?
From P.11:
On long flights the temperature of the fuel in the main wing tanks will tend towards the temperature of the boundary layer around the wing, which can be up to 3°C lower than TAT. On the accident flight the minimum TAT was -45°C (-49°F).
I take that to mean that nothing gets colder than TAT-3, though I stand to be corrected...

phil gollin,

1: Why are the restrictions only to apply to Rolls-Royce powered aircraft - there seems no logic or evidence ? There seems no specific reason to restrict the recommendation to Trent powered aircraft other than there have not been the equivalent tests carried out on 777s powered by other engines. Could someone explain ?
See my previous post #1723 for quote of Safety Recommendation 2008-048

At least one of the two main aircraft manufacturers is carrying investigations on icing and behaviour of the fuel system at low/very low temperatures.
The presence of water (even in small quantities) is also problematic.

The report states that icing under -20°C is not known. Ice crystals do not behave like they do at -5°C or in your freezer.
This interim report is not surprising and does not firmly give a cause to this accident. But the effect of icing should not be underestimated.

Warning: I'm non-professional; not crew, not engineer - just scientist guest and thanks.

I've only speed-read the report so far but wanted to make a couple of points.

Previously I wrote,

The AAIB might not issue such a document until:
1) the northern hemisphere, summer, holiday season has passed,
2) the Beijing Olympics are over,
3) all interested parties are in agreement with the need for restrictions,
4) and, the AAIB has determined that its investigations are unlikely to find a cause and solution before winter.

Some here took exception to these remarks, especially the point about the Beijing Olympics. I want to reiterate that I was trying to think as the AAIB might and was not being sensational just for the sake of some silly notoriety on this thread. I now suggest we can applaud the AAIB's professionalism and look forward to industry-wide support for sensible restrictions this coming winter.

On another matter. The AAIB interim report states (Water ice in fuel, p12),


As the fuel temperature is further reduced, it reaches the Critical Icing Temperature, which is the temperature at which the ice crystals will start to stick to their surroundings. When the fuel temperature reduces to approximately ‑18°C (0°F), the ice crystals adhere to each other and become larger. Below this temperature little is known about the properties of ice crystals in fuel and further research may be required to enable the aviation industry to more fully understand this behaviour.

I read this with disbelief. The words, "little is known" is, well, shocking.

Until today I had thought that the industry had fully experimented, tested and evaluated the effects of temperature on fuel (at all operating ranges).

By the way, my money is still on stratification ( no, don't respond to this; I need to read the report more carefully and may change my mind).

Regards, Tanimbar

Full wings :

See my previous post #1723 for quote of Safety Recommendation 2008-048

Precisely, The AAIB seem to restrict their requirements to Trent powered 777s solely because they haven't done the equivalent tests on 777s powered by other engines, without any logic or explaination why these other aircraft would be immune from what might have occured to the accident plane.

Doesn't make sense to me, maybe someone can explain how a (so far)one-off icing condition will only affect Trent powered 777s ?

.

Phil Gollin

This icing effect must have been pretty remarkable to affect the engines both differently in time, but similarly in effect.

The report doesn't really explain anything and seems to be grasping at the only thing it can reproduce.



very astute

maybe we need a coin tap test on the fuel-oil cooler

zzzzzzzzzzzzzzzzzzzzz

As an academic pureish chemist I applaud the clarity, thoroughness and measured tones inherent within this interim report. As ever, impressive stuff from the AAIB.

I have learnt that with 20 20 hindsight "on", I suppose it's blindingly obvious that water - even at the ppm level and at levels well within the fuel's spec, can be a problem if there's enough of the fuel being cold soaked to generate enough ice to block the HP pump inlets.

I will do some sums when I have a little more time.

As has been pointed out already, the implications of all this could be far reaching. Fly lower when it's "cold" is obvious but we shall need to redefine parameters based on proper data and there looks to be a lot of work to do here.

Fuel costs will be likely to rise and be yet another pressure on ticket prices.

CW

Phil G. - Indeed, an astute observation that the almost identical failure of two virtually independent systems within seconds of each other has the AAIB considering the probable root cause to be a hithertobefore completely uknown icing event occurring identically and almost simultaneously in both of the independent systems.

Iomapaseo - The report shows a schematic diagram of the fuel system which indicates a separate Fuel-Oil Heat Exchanger (FOHE) for each of the two independent engine/fuel systems which suggests that both FOHEs would had to have failed identically and almost simultaneously should FOHE failure be the cause.

Phil G. - With regard to a one-off icing condition affecting other certificated aircraft ,then in fairness to the AAIB and as quoted and pointed-out by FullWings, their published Safety Recommendation 2008-048 does state:

"It is recommended that the Federal Aviation Administration and the European Aviation Safety Agency should take immediate action to consider the implications of the findings of this investigation on other certificated airframe /engine combinations."

It would seem appropriate for the investigation to be considering root causes that would more plausibly (than prior unknown icing on this aircraft) cause both independent systems to fail identically and almost simultaneously. For example, causes that are common to both systems. Although it does appear from the continuing "data mining" exercise that the low temperatures for long time periods experienced on this flight do place it at the extreme end of all known flights for this aircraft type.

OK, someone has to ask.....what is the 'coin tap test on the fuel-oil cooler?'?

I think only Trents are specified for this because being 3 spool, it's such an amazingly efficient engine the fuel flows are lower so the danger of stagnant fuel icing up is greater!

I'm not sure this adds up. The "amazingly efficient" Trent with more spools, and more bearings, probably has more heat generated in the oil, and thus any "stagnating" fuel will be exposed to more BTU transfer, leading to LESS probability of icing in the fuel-oil heat exchanger.

Often the most severe design point for the cooler is early in descent, when lube heat rejection is still high, yet fuel flow (the heat sink) is very low.

:confused::confused:

The other assumed scenario includes the statement : “In this case the ice might then travel and be ‘caught’ in the pipework, spar valve, LP pump inlet or on the face of the FOHE, thereby causing a restriction to the fuel flow” but fails to state how this could have happened so close together in two separate systems and to almost exactly the same degree (1.06 versus 1.07).

As far as I understand, fluid dynamics is a field where science has not yet reached even close to the near-100% understanding that we have about mechanics, to name one example. Remember chaos theory: a minute difference in the input conditions can cause huge differences in the result. Maybe the sun had warmed the left (south) engine 0.049 degrees more, requiring an additional chunk of ice before the left engine's fuel flow was restricted. We just don't know yet. But I've seen enough strange ice and slush formations in nature to appreciate that it's not a simple thing to research.

the AIIB report states that military aircraft use a fuel additive that lowers the freezing point of water in the fuel.
Does anyone know why this is not used on civil aircraft.Erm, money?

Interesting intrim report.
Lots of technicolour graphs!
No CVR Transcript.
Have I missed something?

OK, someone has to ask.....what is the 'coin tap test on the fuel-oil cooler?'?


Its a corollary to Occam's razor.

When the most complex of causative explanations are chosen to explain an accident the most simplest of corrective actions should be chosen to address it.

In the end it has the same liklihood of being correct

No CVR Transcript.
Have I missed something?

No, but the crew's conversation is hardly relevant to the the root cause of this accident.

It becomes interesting when looking at how they handled the emergency, but that's a secondary topic to the investigation, despite all the discussion of possible "stretching the glide" we've had in this thread. Hopefully it will be addressed in the final report, but the most urgent thing is to clarify the root cause.

A pilot must ensure that the flight can be safely made.

Is this pilot error?

NO!

It just proves that we cannot cater for all eventualities all of the time.

Our knowledge of aviation is not absolute and on this occasion it caught us out.

FOK :)

FOK
As SLF I think think this is not pilot error.

However it does show that good training & good skills from flight crew can save a situation which might have led to ++ fatalities. Nothing prepares for all eventualities but learnt skills go a long way to helping.

nhs

FOR IMMEDIATE RELEASE: September 4, 2008 SB-08-37

NTSB ACTING CHAIRMAN EMPHASIZES INTERNATIONAL COOPERATION IN BRITISH BOEING 777 RECOMMENDATIONS

Washington, DC - National Transportation Safety Board Acting Chairman Mark V. Rosenker today praised the work of all the investigators looking into the crash of a Boeing 777 at London's Heathrow Airport in January, saying that the recommendations issued today "show how international cooperation can lead to safety improvements that benefit the aviation community worldwide."
The United Kingdom's Air Accidents Investigation Branch (AAIB), which is leading the investigation into the January 17, 2008, accident in which a British Airways Boeing 777- 236ER landed short of Runway 27L at London Heathrow Airport, issued an interim report today on the progress of the investigation.
The interim report contains recommendations aimed at addressing a circumstance identified by investigators relating to Rolls Royce-powered Boeing 777 aircraft. The investigation has shown that both engines lost power in the final minute of flight because the fuel flow to each engine was restricted; most probably due to an accumulation of ice within the engine fuel feed system. The ice is likely to have formed from water - which exists naturally in the fuel - while the aircraft operated for a long period, with low fuel flows, in the cold environment associated with high- altitude flight.
In accordance with established international arrangements, the National Transportation Safety Board, representing the State of Design and Manufacture of the aircraft, appointed an Accredited Representative to participate in the investigation. The Accredited Representative is being supported by a U.S. team that includes NTSB specialists, the Federal Aviation Administration, and Boeing. Rolls-Royce, the engine manufacturer, is also participating in the investigation. British Airways, the operator, is cooperating with the investigation and providing expertise as requested by the AAIB.
This interim report updates and provides further details on the history of the flight and the research done by teams in both the U.K. and U.S. using data obtained from the accident aircraft, and similar aircraft in the British Airways fleet.
The report further details the aircraft fuel systems and describes testing performed in laboratories, on an adapted fuel rig using actual aircraft components, in an engine test facility, and on an exemplar engine. In conclusion, the report provides recommendations for both interim action and longer term changes to certification criteria.
Acting Chairman Rosenker stated, "When it comes to aviation safety, there are shared interests that transcend national borders." Rosenker noted that the U.S. Accredited Representative and technical advisors fully participated in the development of the factual material and supporting research and that the recommendations are supported by the U.S. team.
The investigation team indicated that a change to the fuel system design would make the system more resilient, but would take time to implement. Therefore, to reduce the risk of recurrence interim measures need to be adopted until such design changes to the fuel system are available.
Therefore, the AAIB recommends that:

The Federal Aviation Administration and the European Aviation Safety Agency, in conjunction with Boeing and Rolls Royce, introduce interim measures for the Boeing 777, powered by Rolls Royce Trent 800 engines, to reduce the risk of ice formed from water in aviation turbine fuel causing a restriction in the fuel feed system (AAIB 2008-047), that
The Federal Aviation Administration and the European Aviation Safety Agency should take immediate action to consider the implications of the findings of this investigation on other certificated airframe/engine combinations (AAIB 2008-048), and that
The Federal Aviation Administration and the European Aviation Safety Agency review the current certification requirements to ensure that aircraft and engine fuel systems are tolerant to the potential build up and sudden release of ice in the fuel system (AAIB 2008-049).

A very informative and well written interim report. It answers many questions with respect to findings on several systems and subsystems.

Specifically with reference to the spar valves, such as their possible uncommanded movement being a recorded FDR parameter, therefore ruling out the possibility they contributed to the cause to this accident. I assume the FDR recordings of the spar valves parameters implies any movement from the open position is recorded, even if they were to only partially close (up to 95%?) and not reach the fully closed position before opening again.

Of course I leave it to the experts in charge of the investigation but I do wonder what is meant by extensive testing of the spar valve control system. Was such system bench tested only or were such tests also conducted with the control system installed in the subject aircraft in conjunction with other aircraft systems operating? And regarding HIRF and EMI, to which power levels have these tests been conducted since the report only states "well in excess of published standards . . ." Perhaps the final report will be more specific.

Furthermore, I am not convinced if, in the event of uncommanded movements of the spar valves, a warning will enunciate on the flight deck under all circumstances as mentioned in the report. But that issue seems irrelevant now since all indications are that the spar valves worked as advertised.



Regards,
Green-dot

Phil Gollin

You ask how so similar a thing can occur in two separate places but with a time difference between them.

I have to say that I can't see that there is much difference in reality, six or seven seconds can be accounted for by a slightly different amount of ice (in some form) being present and the 'detaching' behaviour of that accumulated ice by the slightly different fuel flows noted in each engine.

Since this is the only case ever seen of this nature, there are no statistics with which to determine whether the similarity seen is a coincidence or not.

Let's face it, it has been shown that ice is the only remaining possibility, and how else can such a restriction occur other than that some form of solidified ice arrives at a constricted area in high concentration, overwhelming the ability of the fluid part of the flow to pass at sufficient rate.

The presence of a quantity of water in the tanks has been determined. Whilst it would appear to have been small is there any possibility that the location of the water (or ice at that stage) could have become focused/concentrated in one or two particular areas and then gone through to the engines as a slug?

I appreciate that the volume of water present does not appear to have been sufficient to cause the problems experienced.

Could it have been underestimated? Could it have been in the wrong place at the wrong time?

Jim

Training & Value
FOK
As SLF I think think this is not pilot error.

However it does show that good training & good skills from flight crew can save a situation which might have led to ++ fatalities. Nothing prepares for all eventualities but learnt skills go a long way to helping.

Actually according to some "not-easy-to-dismiss" sources, had the autopilot been disconnected immediately, and the A/C flown in "longest glide" mode, it would have (barely) made to the runway, and landed almost normally.

If you're curious, read the thread with a title like "BA038 pilots given a medal" or something like that.

Another thing that can surprise you, is that there is no training for "dead stick" landings (dual engine failure), in any airline of the world.

All in all, the positive outcome of this incident is due to sheer luck. Sorry if this lessens your trust in the safeness of flying.

Jim,
Almost certainly in the wrong place at the wrong time...and yes, the drift seems to be with such a small quantity of water, that it perhaps layered or was picked up all at once due to the change in attitude during the latter stages of approach.

It's interesting to note that one of the recommended changes in operational procedures may be to vary throttle settings more before or during descent (the implication being I think, so to stir up or purge wtaer/ice near the scavenge pumps)

A question I put on one of the early pages of this thread was along the lines of '... is it really possible that the throttles might not have been moved from the top of descent right up utnil the drag increase of landing configuration took place'The answers to that were along the lines of... 'Yes, quite possible, and there has even been a move towards that situation due to approach profile that specifically encourage it' (fuel usage and noise abatement I believe)

[please clarify or correct if you feel this is wildly inaccurate, I haven't re-scanned those responses as yet]

Actually according to some "not-easy-to-dismiss" sources, had the autopilot been disconnected immediately, and the A/C flown in "longest glide" mode, it would have (barely) made to the runway, and landed almost normally.

And they may well have taken a couple of roofs and the aiport fence with them too - not to mention the need to take action within seconds when the nature of the problem is unclear.

Actually according to some "not-easy-to-dismiss" sources, had the autopilot been disconnected immediately, and the A/C flown in "longest glide" mode, it would have (barely) made to the runway, and landed almost normally.Apart from the "not-easy-to-dismiss" sources bit !
I'd say that statement is very easy to make in retrospect, from one's armchair, very, very easy and even then maybe not so accurate, unless immediate means immediately the engines didn't pick up i.e. how does one know they aren't about to pick-up when they have for every flight one has ever flown before, how long does one wait for an uncertain event... there is little if any training for 'engines not picking up after throttle re-adjustment 720' agl runway ahead' , surely?

Yes, there was luck, and there was also some correct and non-panicky actions taken on the fight deck that ensured BA038 just got over the peri-fence and flared heavily enough with what remaining airspeed it had such that vertical speed at touch-down was low enough to prevent a complete break-up - as we know from Madrid, almost always resulting in fire and fatalaties.

However, I would like to add that I think parading the pilots in front of the press the next day was in extreemly poor taste and judgement... whoever planned that should be fired, they both looked horrified at having to endure that!

Another thing that can surprise you, is that there is no training for "dead stick" landings (dual engine failure), in any airline of the world.


Maybe not, but there have been instances before where all power has been lost and crew have "controlled" the AC. i.e. a BA 747 SIN to PER when it encountered volcanic ash over Indonesia and lost all 4 engines. They did manage to re-start them before their collision with the planet.
I think that all PF would have innate ability to naturally react to flight needs - as in this case where it was reported that PF lowered the nose to stop the stick-shaker.

Flynerd

I did not want to stir debate again on the matter of how the lading should have been flow, not having even a tiny bit of the necessary competence on the matter. I also recognize that anything said now is purely retrospective.

I just wanted to inform nhs that there are different opinions on the matter, so he/she can look in the relevant thread and form an informed opinion from there.

However rib4t4, on the subject of "need to take action within seconds", well that is exactly what the crew didn't do, at least regarding the autopolit/autolanding, that was left engaged for the last critical seconds of the landing.

Again, I don't know if the a/c would have taken roofs or fallen from the sky if flown manually. What I know is that some real pilot did a real sim test and it seems like a normal landing could have been completed. Do wath you want with this notion, and if you think that in these dramatic seconds the Cap.n came the conclusion that A/P would have landed acceptably despite virtually no thrust, and consciously left it engaged instead of taking control, that's OK with me.

Finally be assured that I do not have any agenda or position to defend, and be assured this is my 2nd and last post in this thread.

Erm, money?

Can´t be too expensive, since everything in NATO from tent stoves, jeeps and tanks to fighter aircraft run on the stuff. (F-34 / JP-8)

And civ a/c too come to think of it.....

'... is it really possible that the throttles might not have been moved from the top of descent right up utnil the drag increase of landing configuration took place'The AAIB report says power was increased upon entering holding. It even specifies the fuel flow rates at that time.

"And they may well have taken a couple of roofs and the airport fence with them too


For those not familiar with LHR ( Hatton Cross tube station area). A little local geography expanding on the the BBC map of the area.
The BBC showed a car hire depot but not the filling station next door.
Sadly a BP petrol (gas) station seems more newsworthy.
The busy A30 4 lane major road is only a fence from the perimeter road.
The Green Man pub ( the noisiest pub in the world near a civil airport ?) is also one of the roofs that had a near miss.

A view from Hatton Cross underground station across the A30
with a normal approach of a SQ 747 shows how close the 777 was from an even worse event.

http://farm1.static.flickr.com/50/135602210_c1ff0d30d0.jpg?

http://farm1.static.flickr.com/50/135602210_c1ff0d30d0.jpg?v=1158408144



A view from the other side of the station
The peri track is past the green traffic lights.
Just and only just to the right of the traffic lights is the landing location.

http://www.oxford-chiltern-bus-page.co.uk/upload031102/HattonCross-VS-A340-buses.jpg
http://www.oxford-chiltern-bus-page.co.uk/upload031102/HattonCross-VS-A340-buses.jpg

Another thing that can surprise you, is that there is no training for "dead stick" landings (dual engine failure), in any airline of the world.


I disagree. A certain 737 operator did train for that event. If I remember correctly the number was outbound over the marker at 5000 above FE, complete normal PT and return for landing. It worked in the SIM!

Feathers ;

I have to say that I can't see that there is much difference in reality, six or seven seconds can be accounted for by a slightly different amount of ice (in some form) being present and the 'detaching' behaviour of that accumulated ice by the slightly different fuel flows noted in each engine. .........

......... Let's face it, it has been shown that ice is the only remaining possibility, and how else can such a restriction occur other than that some form of solidified ice arrives at a constricted area in high concentration, overwhelming the ability of the fluid part of the flow to pass at sufficient rate.


But this is like having your cake and eating it.

The engines had their commands at the same time, but the roll-backs occured at slightly different times, HOWEVER the effect on final thrust was almost exactly the same.

You say "ice is the only remaining possibility" - but this is what annoys me. They can only reproduce one aspect (the cavitation damage) but without any real expalantion (the two icing scenarios are not really supported by the report) so grasp that one straw. If they could reproduce the icing that leads to the cavitation damage AND show that that icing condition can be variable in time but not effect - THEN they would have something that would convince me.

Don't get me too wrong, as a cautious warning (as opposed to a "finding") I would be happy, but fail to see why this mysterious icing wouldn't affect 777s powered by other types of engines.

.

TREE

my airline also did some dual/all engine flameout landings in the sim.

I think that we could all benefit by this training.

Dual Engine failure "dead stick " not taught anywhere in the world?

Not so.

Dual Engine failure has been trained on each conversion I've had since about 1999, (two different airlines).

el #

Not correct. A large British Airline based at LHR includes total engine failure landing training in at least one of its current two engined fleet types.

What are you basing your statement on??

How long would it take to recognise this was an engine problem rather than an autopilot/ILS problem? Did I hear an early TV report that GA was called or am I mistaken?. They were still running and they had been cycling to maintain GS - it may not have looked like an engine failure for some moments?

Excellent report...

but I don't understand the apparent lack of logic between the prudent requirement for..."interim measures for the Boeing 777, powered by Rolls Royce Trent 800 engines" but only a recommendation that the authorities consider the implication to other engined 777's and aircraft in general.

Maybe they didn't want to get into commercial politics and passed the buck.

Since the specific mechanism is not understood I would have expected whatever interim action is taken on Trent engines to also apply to GE.

How much more efficient are the Trents?
To what extent does this reduce fuel flow in terms of cross sectional pipework terms? Significant?
The two Trent engines were exhibiting different (measured at least) fuel rates anyway!

My interpretation of the report is that the blockage was due to ice in the fuel delivery system prior to the engine unique part of the installation.

My conclusion would have been to consider both engines types equally subject to whatever caused the restriction at least until the exact mechanism is understood.

Comments?

<Phil Gollin>
Feathers ;

I have to say that I can't see that there is much difference in reality, six or seven seconds can be accounted for by a slightly different amount of ice (in some form) being present and the 'detaching' behaviour of that accumulated ice by the slightly different fuel flows noted in each engine. .........

......... Let's face it, it has been shown that ice is the only remaining possibility, and how else can such a restriction occur other than that some form of solidified ice arrives at a constricted area in high concentration, overwhelming the ability of the fluid part of the flow to pass at sufficient rate.


But this is like having your cake and eating it.

The engines had their commands at the same time, but the roll-backs occured at slightly different times, HOWEVER the effect on final thrust was almost exactly the same.
</Phil Gollin>

I like cake!

On the assumption that a similar ice/fuel mixture was present, then the fuel flow that could pass the obstruction would be limited by the consistency of the ice and the throat area it is trying to pass. This will be the same in both engines (although perhaps there is a 'handedness' to the fuel piping, I do not know).

<Phil Gollin>
You say "ice is the only remaining possibility" - but this is what annoys me. They can only reproduce one aspect (the cavitation damage) but without any real expalantion (the two icing scenarios are not really supported by the report) so grasp that one straw. If they could reproduce the icing that leads to the cavitation damage AND show that that icing condition can be variable in time but not effect - THEN they would have something that would convince me.

Don't get me too wrong, as a cautious warning (as opposed to a "finding") I would be happy, but fail to see why this mysterious icing wouldn't affect 777s powered by other types of engines.
</Phil Gollin>

Well, the latter statement is quite correct, and you will see that AAIB are saying that an urgent investigation into precisely that condition is needed, it clearly isn't just a Trent issue it's just that the one instance so far happened to be on a Trent-powered airframe.

As for the reproducibility, yes, so far they have shown that a problem is seen in circumstances not that alike to the real fuel system. More work is to be carried out to improve the test to mimic reality better. They may not succeed, but they have to try.

The ultimate mimic though would be a 12 hour flight from China in similar TAT conditions and flight profile with the same approach clearances, descent rates, power profiles. If they are lucky they get to see it happen again, but maybe this time with a 777 embedded in Hatton Cross tube station.

The other thing to note, they state quite clearly that very little is known about the precise effects of ice in fuel under varying circumstances. So a major research task would be called for to understand it better, that will take time.

Do you feel that it wasn't ice? Because there surely are precious few other culprits lurking.

Apparantly you airline types have been using the wrong technique for landing. In todays Daily Telegraph their esteemed Jorno David Millward - Transport Editor suggests that you use "Reverse Thrust"to slow the aircraft for landing. And there was me thinking it was a balance of thrust vs drag from flaps !!!. It any of you chaps would like to try this new technique, I will keep an eye on Sky News to see the results. I know that the Concorde could do this, on the inboard Olympus engines, but dont try this at home chaps

Front page top of far right column

There seems to be an assumption that the effective temperature within the wings is reasonably uniform and similar to or above the TAT.
Is this correct ? Are there no cold spots resulting from different aerodynamic conditions ?

Tree and others, I didn't knew about the fact that such situations are actually practiced in certain companies and apologize for having said that is not so.

My information was based on the fact that in many many cases I've read on pprune that because is considered "negative training", dual engine failure is not part of the training. It's great news that not everyone thinks that way and thank you for correcting me.

I have just read the latest report - interesting reading and thorough work, but many questions remain.

According the report (page 12): the estimated amount of water in the tanks at departure from PEK was max. 5 liters plus maybe some water left from the flight to PEK, but the aircraft was sumped before departure and on the day before, so I suppose that it will be safe to assume that the amount was rather small. (?)
The A/C had almost 100 000 liters of fuel at departure from PEK - and the 5 liters of water "was evenly spread throughout the fuel".

How could this extremely small amount of water have produced severe problems on just this flight and not on thousands of other flights in the past - the actual temperatures along the route were low, but not unusually low?

Which factor(s) made this flight so special? The report mentions some - but again 5 liters of water!?

I am looking forward to the final report.

I admire the crew for their excellent A/C handling.

El #

You say "What I know is that some real pilot did a real sim test and it seems like a normal landing could have been completed."

Well I personally know a real pilot who did a real test on a B777 full motion category A simulator. There is no way a normal landing could be made, ie reaching the runway.

Although many pilots practice total engine failures it is usually at a height that allows a glide approach to a runway. The BA038 was fully established on the ILS with flap 30 set. Airlines do not practice total engine failures at that stage as it is negative training as the plane will inevitably land short, ie crash. El # The pilots have been exonerated of blame in the latest AIB report. Please do not infer otherwise. Please accept the facts that it was impossible to reach the runway with the power available. A manual landing was achieved in which all the passengers survived.

If you want more pontification by people who think they know everything, check this thread out:

Comments on ?Ice in fuel caused Heathrow 777 crash? | The Register (http://www.theregister.co.uk/2008/09/04/heathrow_777_verdict/comments/)

Conspiracy theories are being spouted about now... :-)

S.

Feathers :

I like cake!

On the assumption that a similar ice/fuel mixture was present, then the fuel flow that could pass the obstruction would be limited by the consistency of the ice and the throat area it is trying to pass. This will be the same in both engines (although perhaps there is a 'handedness' to the fuel piping, I do not know).

Not as much as me (I) !

The reproduceable result (IF I have read correctly) was a 95% reduction in the area before the valve. Somehow this occured in two separate systems at different times, but to the same effect. Somehow the UNKNOWN ice phenonomen managed to be dissimilar in the two systems enough to affect the valves at slightly different times, but to near-enough the same extent. (N.B. there is a possibility NOT NOTED IN THE REPORT that the 95% figure has a large margin of error - but ??????)

Still dissatisfied.



Well, the latter statement is quite correct, and you will see that AAIB are saying that an urgent investigation into precisely that condition is needed, it clearly isn't just a Trent issue it's just that the one instance so far happened to be on a Trent-powered airframe.

As for the reproducibility, yes, so far they have shown that a problem is seen in circumstances not that alike to the real fuel system. More work is to be carried out to improve the test to mimic reality better. They may not succeed, but they have to try.

The ultimate mimic though would be a 12 hour flight from China in similar TAT conditions and flight profile with the same approach clearances, descent rates, power profiles. If they are lucky they get to see it happen again, but maybe this time with a 777 embedded in Hatton Cross tube station.

The other thing to note, they state quite clearly that very little is known about the precise effects of ice in fuel under varying circumstances. So a major research task would be called for to understand it better, that will take time.

Do you feel that it wasn't ice? Because there surely are precious few other culprits lurking.


I still see no reason why ALL 777s aren't affected by the AAIB report.

I am dissatisfied because the report is NOT stating anything firm (both icing scenarios proposed are left dangling) - they are merely grasping the reproduceability of the 95% blockage causing cavitation. They have got a "one" and a "one" and made "ten" because the other eight parts of the puzzle are still to be found.

.

The AAIB report records, but does not comment on, that the fuel flows to the left engine were generally lower than those to the right engine, whilst the EPR of the right engine reduced first and to a value slightly higher than that of the left engine.

If, as is hinted, the engines (or rather some of their pumps) were separately sucking fuel from the pipework downstream of blockages at similar points in the two sets of pipework, it seems reasonable that the less thirsty engine could run for a few seconds longer. The extra pipework leading to the APU could possibly give the left side system a little more volume to suck from - but this would depend on the position of the constriction.

However, whilst possibly explaining the time difference between the rollbacks, I might expect that with similar restrictions the less thirsty engine might develop the larger, rather than smaller, EPR.

On a different theme, a couple of questions that physical chemists may be able to answer with a definite NO: does the presence of dissolved water alter the increase the temperature at which some waxing compoents solidify; and do the variations in composition of the Chinese fuel from normal Jet A1 modify the response to the previous question?

And finally: would it not be possible to provide the QAR with enough battery or even capacitor backup energy to enable it to write the volatile memory to non-volatile memory on failure of external power?

Warning: I'm non-professional; not crew, not engineer - just scientist guest and thanks.

A more detailed reading of the AAIB interim report leads me to the following conclusions:
1) The AAIB strongly suspects that an unknown (or possibly forgotten - reference the mentioning of B52 operations) fuel condition led to a blockage (partial) in the fuel delivery system.
2) The AAIB does not understand the details of how the blockage occurred.
3) The AAIB does not think any other organisation has a current understanding of how very cold fuel behaves.
4) The AAIB strongly suspects that aircraft type, operator, manufacturer (airframe and engines) are irrelevant to the root cause of this accident, i.e. the accident could, and may, happen to any aircraft using that fuel type in similar operating conditions.
5) Given point 4 then this incident is extremely important to the industry, not only for those now manufacturing or operating, but also for the future design and operation of aircraft. Put another way, this incident, and the avoidance of recurrence, will be very expensive.

There seems a strong possibility that a rigorous research programme will be initiated, probably involving multiple organisations not directly related to commercial concerns, to study very cold fuel.

I wouldn't be surprised if a flying test rig was involved maybe operated by an outfit like NASA.

Following on from the AAIB reference to B-52s and FSII, I wonder if some poor souls are not already deep into the RAF and USAF/SAC archive records looking for those papers that covered their 1950-60s tests on cold weather flying.

What has been written, and the quick response from the NTSB, suggests that the AAIB has already had detailed discussions with all the interested parties, that there is common agreement on interim measures and, hopefully, agreement on a research programme to find the eventual cause. The final AAIB report is years away.

I still think the fuel within the main tanks stratified in some form and that a pulse of "gloop" entered the delivery systems and partially blocked them.

But, I'm intrigued by the some of the hints in the AAIB's report about low maximum fuel flow rates from the main tanks and two flights in very cold circumstances separated by a cold stop in Beijing. Are the AAIB thinking that ice built up over two flights in the fuel lines/systems emanating from the main tanks and that a new operating procedure of some kind should be considered to 'purge' the lines under similar circumstances? Time will tell.

Regards, Tanimbar

Doesn't the answer come from page 17?:

Analysis of fuel flow from the 13,000 flights shows that 10% had fuel flows less than 10,000 pph during step climbs (the accident flight did not exceed 8,896 pph), and 10% had had fuel flows greater than 10,000 pph during the approach phase (the accident flight was greater than 12,000 pph). Although these were not unique, they were at the edge of family for the data analysed. However, when analysed in conjunction with the fuel temperature data above, all of these factors make this flight unusual within the 13,000 flights analysed.

Maybe we should infer that the absence of high fuel flows in the cruise (gentle cruise climbs) promotes ice formation while the high flow on descent encourages any slug that has formed to move; take away either and you break the chain. Since, as others have said, it isn't obvious that there is anything special about the RR engine in all this, maybe this analysis will be continued to the other 128000 PW and GE powered 777 flights. If BA38 is still ' unusual' in the bigger data set, that would be more than interesting.