Did a computer glitch take down Malaysian 777?

By Byron Acohido, Last Watchdog

JEFFERSON BEACH, Wash.—Could a computer malfunction have contributed to the stunning disappearance of Malaysia Airlines Flight MH370?

That scenario is gaining a modicum of credence six days after the Boeing 777-200 twinjet, with 239 souls on board, mysteriously vanished over the South China Sea.

The Associated Press this morning reported that an electrical system failure, while unlikely, could explain why the jetliner’s transponders, which continually identify it to civilian radar systems and other nearby planes, suddenly stopped working on March 7.

Keep in mind authorities have ruled nothing out. Another possibility, the AP points out, is that the pilot, or a technically savvy passenger, could have switched off the transponders in the hope of flying undetected.

I was the Seattle Times aerospace reporter for 13 years. From 1989 through 1994, I wrote extensively about the 777, from its inception on paper to its first flight. I was standing alongside Alan Mulally when the first 777-200 took flight on June 12, 1994, at Boeing Field, in Everett, Wash. Back then, Mulally, who moved on to become Ford’s CEO, was the 777’s brilliant young program leader.

Giant flying computer

Boeing makes big bets. And with the 777, the company — under then CEO Phil Condit — made a couple of huge bets that troubled many in the aviation safety community at the time. Striving to leapfrog Airbus’ hot-selling fly-by-wire models, Condit and Mulally announced that the 777 would be Boeing’s first fly-by-wire model, a 209-foot-long, 506,000-pound flying computer with no cable-and-hydraulics backup systems, à la the Airbus models. Boeing also eschewed the “joystick” controller that orients Airbus pilots to their computer-centric controls.

Instead, Boeing went with a more traditional setup. The steering wheel/columns you find in a 777 cockpit are, in effect, elaborate computer mice configured to spoof the look-and-feel of the mechanical yoke that, in all previous Boeing models, actually gave the pilots direct cable-and-pulley control of the moveable surfaces on the wing and tail.

Boeing 777 Ram Air Turbine, or RAT, deployed in flight.

Boeing is known for redundancy. And computing and mechanical redundancies in the 777 are voluminous. But the last-resort fail-safe boils down to something called a RAT, or Ram Air Turbine, a rudimentary mechanical device designed to deploy from the belly of the aircraft in an extreme emergency. Passing air spins this turbine, providing limited backup electrical and hydraulic power in the event of a multisystem failure.

Should electrical failure surface as a contributing factor to the disappearance of the Malaysian 777, the design and electrical systems service records of the 777 will take center stage. And we should hear more about its RAT. Did it come into play? Why didn’t it work? Why didn’t it at least supply power for the transponders to give its position and for the pilots to issue a mayday?

Aircraft computer glitches are not unheard of. In 2007, the fuel subsystems and communications computers for several U.S. Air Force Lockheed F-22 Raptor fighter jets were knocked offline as the aircraft flew across the International Date Line. A computer glitch triggered by crossing the IDL was subsequently discovered to be the cause. The fighter jets were guided to a safe landing in Hawaii by Air Force refueling tankers.

Shrinking safety margin

When the 777 first began flying commercially in 1995, I would not have been surprised if serious system problems played out in early service. But to Boeing’s credit, any design weaknesses that did manifest were addressed and the model has enjoyed a good safety record.

That said, I chronicled how competitive pressures drove Boeing to aggressively rewrite the accepted approaches for instilling a robust margin of safety into new jetliner models. The success of the 777 hinged on replacing long-held notions of how to ensure a robust margin of safety with a new paradigm, driven by commercial imperatives.

Boeing put 777 development, testing and entry into service on an unprecedented fast track to gain the necessary Federal Aviation Administration approvals. The company redoubled planning; made unparalleled use of computers to design, build and fly the airplane; and set in motion unprecedented collaboration with customers and suppliers.

Condit and Mulally all but guaranteed the 777 would be virtually glitch-free when the first paying passenger got on board. That approach ran counter to the standard practice of working technical and mechanical glitches out of a new airplane during its first few months of limited service.

What’s more, responding to competitive pressure from Airbus, Mulally cajoled the FAA into rewriting the rules under which jetliners with only two engines can fly long, overseas routes without first going through in-service trials.

Boeing assembles eight 777s per month

By rewriting the safety rules known as ETOPS (Extended-range Twin-engine Operations) the FAA helped Boeing market the high-tech, economical 777 twinjet against the McDonnell Douglas MD-11, a tri-jet, and the Airbus Industrie A340, a four-engine model.

But it meant throwing out the accepted wisdom that if one engine goes out on a transoceanic flight, it’s much safer to have two or, better yet, three other working engines to complete the journey.

I interviewed Boeing engineers who asserted a much different logic: it’s safer to have just two engines on a long flight, they argued, because there are numerically fewer potential failures with two engines than there are with three or four. Extrapolating that reasoning, one engine would be safer than two and zero engines safest of all.
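The two notions of safety at issue in the exchange above can be written down side by side. This is an added illustration, not a figure from the article or from Boeing: it assumes $n$ engines that fail independently, each with the same per-flight failure probability $p$, and the value $p = 10^{-4}$ is an assumed placeholder chosen only to make the arithmetic visible.

$$
P(\text{at least one engine fails}) = 1 - (1-p)^n \approx np \qquad \text{(the count the engineers cite)}
$$

$$
P(\text{every engine fails}) = p^n \qquad \text{(the case in which the journey cannot be completed)}
$$

$$
\begin{array}{c|c|c}
n & 1-(1-p)^n & p^n \\ \hline
4 & \approx 4\times10^{-4} & 10^{-16} \\
3 & \approx 3\times10^{-4} & 10^{-12} \\
2 & \approx 2\times10^{-4} & 10^{-8} \\
1 & 10^{-4} & 10^{-4} \\
0 & 0 & 1
\end{array}
$$

The first column does shrink as engines are removed, which is the engineers’ point; the second grows with each engine removed, and at $n = 0$ it reaches certainty, which is the absurdity the extrapolation exposes. Which column a rule such as ETOPS should be judged on is exactly the question the rest of the section raises.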

Yet using that logic, Boeing asked the FAA to permit the 777 to fly as much as three hours’ distance from the nearest emergency landing site. It needed the three-hour rating for the 777 to fly to Hawaii, across the Pacific and on longer routes between Europe and the Americas.

Mulally persuaded the FAA that a fully loaded 777 could theoretically fly on one engine for three full hours at a low altitude across the open ocean, if it had to. The remarkable part: he got the FAA to make that rule change effective from day one of the new model’s entry into commercial service, instead of first having to prove the 777’s reliability on shorter flights, the longstanding protocol.

Pushing the edge of the safety envelope

Malaysia MH370 was a comparatively short flight, so ETOPS rules probably did not come into play. However, should it turn out that a failure of one or both engines is implicated, the aviation safety community may need to revisit the rationale for using twinjets on long transoceanic flights.

It should be noted that Mulally’s success changing ETOPS rules to suit the 777 paved the way for use of smaller twinjets on very long flights. The best-selling Boeing 737 is now routinely flown to Hawaii.

Meanwhile, Boeing has continued to quietly push the edge of the safety envelope for commercial reasons. Last November the company got the FAA to approve special conditions under which the 777 is now permitted to make use of “novel or unusual design features associated with the architecture and connectivity of the passenger service computer network systems to the airplane critical systems and data networks.”

So look for Boeing to begin putting into service an onboard network system “composed of a network file server, a network extension device, and additional interfaces configured by customer option.”

The FAA’s ruling notes that “the applicable airworthiness regulations do not contain adequate or appropriate safety standards for this design feature. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.”