Posts by user "PBL" [Posts: 9 Total up-votes: 0 Pages: 1]

This is nominally off-topic, being a thank you.

I haven't been on PPRuNe for well over a decade now. I stopped looking because I had the impression then that the moderators were overwhelmed, But I came on this morning to see what was so far known about the crash, and have been pleasantly surprised to find it comparatively so readable. So thank you moderators!

As to the perennial topic of who should be posting, which has been going on for at least a quarter century, it is not just professional pilots who know about aircraft accidents. Accident investigators do also. System engineers have important things to say. As do safety engineers - the kinds of people who perform the risk analyses of technical hazards for certification purposes. And some of us have developed accident and systems analysis techniques which have been adopted by major engineering companies. We can have useful things to say.

I have worked on the statistics of ultradependable software, in particular concerning the statistical evaluation of the operation history of critical software. I have a number of publications in the field, as well as working on international electrotechnical standards addressing this (not DO-178C, though).

The Boeing 787 has (I read) over 30 million accumulated flight hours on the fleet. And just the one accident in which there was a lack of adequate thrust after TO. Whatever happened is, just from these two numbers alone, "extremely remote" in Lloyd and Tye's ageless words from 43 years ago. Trying to perform any kind of probabilistic assessment on that is for the birds (to use my ageless words).

For those who wish for a bit more:- Twenty-two years ago, Kevin Driscoll (Honeywell's bus guru and Byzantine failure guru, now retired) and his coauthors published an account of a Byzantine failure mode on a common transport aircraft (unnamed, but it is one that many people here fly) which almost led to its grounding. A relevant quote from Section 5.4: "I n this case, each Byzantine fault occurrence caused the simultaneous failures of two or three \x93independent\x94 units. The calculated probability of two or three simultaneous random hardware failures in the reporting pe riod was 5 x 10^(-13) and 6 x 10^(-23) respectively. After several of these incidents, it was clear that these were not multiple random failures, but a systematic problem. The fleet was just a few days away from being grounded, when a fix was identified..... " Note those were tiny tiny probabilities derived by engineers who specialise in such calculations from hardware reliability data. Even when you are very, very good at it, probabilistic reasoning of this sort is not necessarily a helpful guide to predicting or analysing "extremely remote" but actual events.

I don't agree. There are lots of subtopics and I think the Mods are doing a commendable job in keeping the thread readable and (for me at least) informative.

I don't think everyone here realises what a lot of work it is to keep a forum like this up and running and the interactions appropriate. It's huge. And not everyone manages it. I was recently on the forums of a professional engineering society to which I belong. I had to leave. They couldn't identify or control the bots; they certainly couldn't moderate absurd or inappropriate comments -- and this with a professional moderator.

The emergency power system of the 787 surely consists of a lot more than just the RAT. The Reuters article, in its body, uses the term "emergency power generator". Now that could indeed refer to the RAT.

I'd like to stick my neck out and say what I think I know. And I do mean "know", not what I think "likely" or "possible".

1. The aircraft reached an altitude AGL rather more than one wingspan. This can be clearly seen in the still from the CCTV video posted by Cape Bloggs on 2025-06-18 at 0401. The 787-8 wingspan is 197+ ft. So it got at least 200 feet up in the air. (Info from CCTV screen shot.)

2. (a) Ground effect on lift essentially disappears on TO when the wheels are at screen height. (Info from an eminent colleague who performed the analysis.) I believe it follows that (b) he didn't get up to 200 ft by performing a zoom climb on unstick. It further follows that (c) there must have been some initially adequate lift out of GE to establish for a few seconds positive RoC.

3. The FR24 graphic posted by Musician shows that the aircraft became initially airborne "as usual", compared with other TO profiles. (Info from FR24.)

4. The aircraft lacked adequate thrust even to maintain altitude shortly after unstick.

5. Flaps 5 is minimal for TO. If you don't set it, you are told very clearly that you are misconfigured, well before TO roll. (Info from others.)

6. At Flaps 5 and likely loading (fuel, PAX, token sum for baggage) and in the atmospheric conditions pertaining, there is more than enough nominal thrust available to establish positive RoC. That obviously also holds for Flaps-more-than-5. (Info from others.)

I am not au fait with audio spectral analysis so, unlike some others here, including some whose views and experience I value highly, I am agnostic at this point about the RAT. (This is neither to deprecate those who performed this analysis, nor the views of those who know more about practical spectral analysis than I do and are convinced by it.)

Now for my personal inference so far from this.
Items 2 and 3 above suggest to me that the aircraft was adequately configured to conduct a normal TO and initially establish positive RoC for a second or two.
For me, the big question is: why wasn't there adequate thrust to maintain that? (We've been talking about those possibilities for some days now - I won't attempt to summarise.)

PBL

I wasn't here for the 737 MAX discussion, but I have given invited talks to engineering safety conferences on the engineering part of the debacle.

All sorts of people like to suggest that the MCAS issues were with software (a lawyer colleague wrote so in half a sentence in an article in a legal journal on the new concept in English law of "reliable computer system"; he and the journal were kind enough to invite me to clarify, which took 700 words). In the sense that the MCAS function (it is nominally a function of the STS - better it were called MCAF) is implemented fully in software, you can say it is a software function. It does not follow that MCAS malfunction is a software malfunction.

As far as I know, the software functioned exactly as it was specified/required to function. The problem did not lie in the quality of the software, as you suggest. It lay in the functional requirements for the function, and the hazard analysis of those requirements, and those are manufacturer tasks. AFAIK those tasks were not "offshored" (I am not at all sure they could be!)

I'll leave it at that for here, but happy to say more (extensively, backed up with documents from the US Congressional Report and its supplementary documentation) if wished.

Interesting and informative post from JustusW on 2025-06-21@ 1704 on the ins and outs of various implementations of digital logic (SW, FPGAs, ASICs) and how it has changed and is changing.

I am using my usual approach to trying to figure out what happened in this accident. Which is to perform a possibility analysis: ideally, to consider all possible scenarios and prune out ones that do not fit with the facts as we know them. Might sound easy but it's not trivial, and there aren't that many people who become really good at it (and I am not even sure that my colleagues who are good at it think that I am......).

Severe reduction of thrust, simultaneously, just after unstick is one of the "facts as we know them". The control systerns for engines and fuel systems on the 787 are based on digital-logical electronics, including SW. Every digital-logical system may have bugs. In forty years of working with and around such systems I have never encountered one which didn't. Never. (Some eminent colleagues did try to do so with the "Tokeneer" project - and it took a year or two to find the bugs).

A bug in the digital-logical FADEC is a possibility. As far as I am concerned, it stays in the possibility analysis until it can be ruled out. Which it cannot be at this stage.

For this purpose, it does not matter what the logic is based on, or whether some SW-HW architectures can be less susceptible, for whatever reasons, than others.

MCAS was originally designed for the KC-46 and runs on that aircraft.

The "bigger issue", as you put it, is Boeing company organisational and engineering effectiveness. In this accident, so far, we are looking at (at least) two nominally independent phenomena that inhibited continued safe flight, and nobody has a clue yet (or maybe the investigation team does) how those phenomena can possibly have come to be.

This singular, so far inexplicable, event occurred with an aircraft with over a decade and 30 million hours of use and no previous fatal accidents. Compare that with the A320, which had 5 fatal accidents in its first decade. The Boeing 777 had one (a refuelling incident in Denver in which the fuel operator died). Boeing organisational behaviour has been the subject of two scholarly books, one extensive US Congressional report, and a lot more (most recently since January 2025). There is a lot of information, even very interesting information. What there is not in any of that information (I ask you to take my word for it) is any indication of why two working engines simultaneously suffered serious reduction of thrust shortly after unstick. That is a different topic entirely. And in my opinion it is the topic which belongs in this thread.

With respect, it is not as simple as that, and the issues predate "USA litigation culture" by some thousands of years.

I guess I could start a new thread on this, but I'd rather just attempt to summarise in a couple of hundred words.

I/we have been advising lawyers on the causal analysis of commercial aircraft accidents since 1998. There is a jurisprudential principle, which has been established in common law since Anglo-Saxon times, that when there is a "tort" -- A's actions caused B harm -- B can ask the community for reparations from A and the community decides what those shall be. In "common law", previous judgements set a precedent for following similar cases. The US is nominally a common-law jurisdiction, although US court cases don't seem to pay much attention to legal judgements in other countries (in contrast, for example, Australia pays considerable attention to EnglishWelsh legal judgements, as does Scotland and vice versa).

The Warsaw Convention and its successors agreed a condition of strict liability for commercial aviation accidents: the operator is responsible. But that means the insurers lose money. They can, and do, go to court to rectify a tort, namely that they suffered damage in an event for which somebody else was causally to blame. The Warsaw Convention is less than a century old. Principles of tort law are over 1000 years old. If a family loses a "breadwinner" in a commercial aviation accident, they get some compensation from the carrier's insurers through Warsaw-and-subsequent-Convention payouts. But this may not compensate for the lifetime loss of family income. In most tort law jurisdictions, there is precedent for them to litigate for that inadequately-compensated loss. They may complain to the airline's insurers that they are not getting enough, but if they litigate a tort they have to go after the people and organisations that were causal. If company X made a bit of the aircraft, and that bit broke and the aircraft crashed because of that, then the tort can be claimed against company X.

It ain't "US litigation culture". These general principles apply in common law, indeed also mutatis mutandis for Roman law (much of Europe). And they are justified by a millenium-plus of jurisprudence. If our loved ones get taken out in a road accident caused by another driver, we will quickly understand the use and benefit of this part of law.

PBL