US aviation regulator issues safety bulletins over flaws in software updates for Boeing 747, 777, 787 airliners
Autothrottle cuts to idle and flight computers fail after latest updates, warns FAA
Software updates to Boeing's Jumbo Jet, Dreamliner, and 777 introduced flaws that degraded flight safety and caused the US Federal Aviation Administration (FAA) to publish warnings to aviators.
Recent updates to the Boeing 777 and 787 autothrottle have changed how the safety-critical systems operated, prompting a warning from the FAA to airlines advising them to carefully read updates from Boeing about the flaws.
The FAA stated in November: "The 787 Flight Management Block Point 4 (FMF BP4) software currently installed introduced an auto-throttle software anomaly, which disables one element of the automatic throttle disconnect logic."
The special airworthiness information bulletin (SAIB) continued: "Several in-service reports have been received from operators that the auto-throttle remained engaged in the IDLE mode when the flight crew advanced the thrust levers to conduct a balked landing. Once airborne, the thrust levers moved back to idle."
This is comparable to your car engine falling back to idle while you're joining motorway traffic. The consequences of a power loss during a go-around were vividly illustrated in 2018, when a British Army Watchkeeper drone crashed after its operators cut power to idle and failed to realise what they'd done: it was destroyed.
Meanwhile, an SAIB published for the Boeing 747 at the same time as the 777/787 bulletin said that the most recent version of the Jumbo Jet's flight control software caused both onboard flight management computers (FMC) to fail and reset while on approach to land.
We can handle these failures, say pilots
With questions hanging over Boeing's software development practices ever since the crashes of two 737 Max airliners that killed nearly 350 people, the latest two SAIBs from the FAA will leave members of the public raising their eyebrows.
A Boeing spokesman told The Register:
Safety is and always has been Boeing's top priority. We are focused on continuously improving safety and quality as we deliver on our commitments to customers around the world. We work with the FAA to monitor the Boeing fleet for potential issues and take appropriate actions to address them. For more information about these issues, we'll refer you to the AIR-20-19 and AIR-20-18 bulletins, which include notification of operators and guidance for flight crew operations. As both bulletins indicate, we are working closely with suppliers to correct the software.
Experienced aircrew The Register spoke to downplayed both software flaws.
A 787 pilot explained what a balked landing is and how the autothrottle is normally used during one: "For a normal go-around (to all intents and purposes that's one initiated before the flare at about 30ft) the autothrottle remains connected and commands a thrust target which gives about 2000ft/min rate of climb. Pushing a TOGA [takeoff/go-around] switch a second time commands full thrust."
"In the event of a balked landing (which is anywhere between the flare and reverse thrust selection) the procedure is to apply full thrust and simultaneously disconnect the autothrottle to ensure that the thrust levers don't retard automatically. Once we're away from the ground we push a TOGA switch, which brings back the autothrottle and flight director guidance."
Flight directors tell the pilot how to manoeuvre the aeroplane to follow the pre-programmed flight route. They are explained in depth in the video below:
Insisting that the bulletin hadn't affected how his airline carried out go-arounds, the 787 pilot said: "I assume that it's less because of autothrottle anomalies and more to do with the fact that the easiest thing to do is keep it simple and fly manually instead of second-guessing the automation, as an Emirates 777 crew learned to their cost a few years ago."
Meanwhile, flight computer failures didn't faze another pilot who we asked about the 747 software flaw.
"In all honesty it sounds like the 'Jet Powered Seneca' scenario," the British aviator told The Register, referring to the Piper Seneca piston aeroplane often used in commercial pilot training. "You still have a fully functional aircraft, you've just lost the toys… on a scale of 1-10 with 1 being 'meh, I'll finish my lunch first' and 10 being 'screaming mayday down the frequency' I'd call it a 4."
While not a type-rated 747 pilot, he said the basic principle in a dual FMC failure scenario would be for the human flight crew to take over from the computers and use their finely honed skills to safely land the airliner and its passengers.
Boeing's software development process has come under intense scrutiny since the two 737 Max crashes. The controversial airliner is due to return to airline service in coming months, with Irish operator Ryanair having pledged to buy at least 75 over the next few years. ®