United B772 at Denver on Feb 20th 2021, engine inlet separates from engine (avherald.com)
723 points by haunter 10 days ago | 463 comments

Almost identical incident happened 3 years ago - the same type (B777-200), the same engine (PW4077), the same operator (United Airlines), the same side (right engine), the same failure (unconfined engine failure).


I would not be surprised if the whole fleet of this type/engine gets grounded for some time.

Korean Air had an incident in 2016 where a PW4000 on a Boeing 777 disintegrated during takeoff.


From the report on the previous incident (Feb 2018), it looks like NTSB determined that the root cause was a cracked fan blade in the engine that should have been spotted on a previous inspection but wasn't. That doesn't just implicate this type/engine; it implicates the inspection procedures in general.

I thought it was 'confined' if the containment ring did its job? If it had failed (like not supposed to) it would have been a whole lot worse.

The plane landed and didn’t blast enormous holes with ejected compressor blades. That’s a successful failure.

Plenty of youtube videos of a blade-off test - here's a short one [0] of an A380 Rolls Royce engine testing. That's about £9,000,000 of engine being destroyed in this (successful) test.

[0] https://www.youtube.com/watch?v=5-8_Gnbp2JA

At the beginning of the video the blades seem to be spinning at about 2RPS, but after the explosion they're spinning much faster. I presume the former was an artifact of the camera's frame rate.

They normally have high-speed cameras running; that short video is a mish-mash of super-slow-mo and regular speed footage. There are much longer versions on YT, e.g. this one [0] which covers it in more detail (watch the people in the room jump when it blows - despite being a fair distance away).

[0] https://www.youtube.com/watch?v=j973645y5AA

Is that what happens when the fan blades fly off and hit the airplane?

Pieces on the inside of jet engines are spinning between 2,000 and 12,000 rpm. They should all be properly contained in an airliner, but before that was the case, if one fan blade broke and hit the plane it could look like a bomb blew an enormous hole in the side of the plane. These small pieces have a huge kinetic energy because they’re spinning so fast.

Nothing bad happening, everyone uninjured and a plane making an orderly airport emergency landing is many layers of safety systems all working properly.

Hull penetration at altitude can lead to explosive decompression, and, depending on the specifics of the penetration, complete hull loss.

Airplanes are big fragile inflated sausages, and it takes relatively little by way of explosive to down one. An early model (the de Havilland Comet, operated by BOAC and South African Airways in the 1950s) was downed due to a design flaw leading to metal fatigue around the windows, with three aircraft lost in 12 months due to in-flight break-ups, 99 souls lost.

Even at lower altitudes, an uncontained fan or turbine failure can be rough on the cargo or passengers, either from direct shrapnel, decompression, or (partial or full) egress.


As ever, more detail and clear explanations on pprune[0].

As one commenter put it, to an ER doctor this is a shallow wound with lots of blood.

[0] https://www.pprune.org/rumours-news/638797-united-b777-uncon...

Most of the "skin" of a plane is only a few mm thick [0]; it doesn't take much to puncture. I mean, it does, but thin turbine blades made to resist bird impacts at 10k rpm would cut through it like butter.

[0] https://aviation.stackexchange.com/questions/45566/how-thick...

That’s almost exactly what happened on Southwest 1380[0] a few years ago.

[0]: https://en.wikipedia.org/wiki/Southwest_Airlines_Flight_1380

To add to the topic, aircraft structure and systems are made to withstand the projection of those debris hitting with "infinite" energy. That means for every trajectory possible, it's considered that a part flies through everything in its path. The aircraft still has to land.

The wing is an exceptionally strong component of the aircraft. It’s usually the freak accidents where you hear of a fuel tank being ruptured or control or hydraulic lines being cut. In all of these accidents I bet there is wing damage but the plane is able to continue as usual.

WW2 fighter planes anyone?

Ugh look up QF-72 for an A380 Rolls-Royce engine containment failure...

QF-32. (BTW the pilot Richard Champion de Crespigny wrote a fantastic book on the incident. The intensity of going through procedures on an iPad and manuals as alarms were going off, while remembering to just fly the plane, was the thing that most sticks in my mind.)

Sorry, right, always mixing up those two. Best lessons from the book for me are:

1- meet the designers, understand the "why"s and not only the descriptive posthoc documentation

2- when you don't trust your instruments, keep following the procedures, checklists, (for this you need an excellent, trained, cold-headed team), and eventually try to reconstruct 'what aircraft you have'

3- trust the automated checklists but not too much! Crosscheck what's asked of you, with what you know of the aircraft. Since you know the 'why's you know the automated checklist system's designers probably never expected an aircraft with that much damage to keep flying...

4- there are no hall-passes for heroes. At the end De Crespigny fails his evaluation (the flight was an evaluation flight, with an instructor on board).

All around a great, great book for systems people.

Are you sure? That was an A330, and a failure on one ADIRU.

Aaaaaah always mixing this and QF-32 :-( sorry. The book by Richard de Crespigny is a must read if you can find it. Great.

That’s my understanding - “confined” meaning nothing flying tangentially away from the engine and hitting the fuselage or wing.

Saying that, resultant vibration causing the inlet and nacelle cowling to separate isn’t supposed to happen either - because of the serious risk to the tail.

2020: (JAL 777 same engine) https://www.youtube.com/watch?v=O-_IAKCBTxc&t=10s

2018: United 777 same PW engine (seems very similar but without fire) https://www.youtube.com/watch?v=O-_IAKCBTxc&t=10s

2016: KAL 777 same PW engines (aborted takeoff after engine failure) https://www.youtube.com/watch?v=9bHrW_34kAk

All planes had zero casualties.

You posted the same link twice.

I guess the 2020 JAL one could be https://www.youtube.com/watch?v=k2ZJjYQj2bY

There's some good video off the current one on the BBC site https://www.bbc.com/news/world-us-canada-56141673

If I were an airline's insurer, I wouldn't want to gamble on the good luck lasting.

Not luck. Design. These failures are anticipated. That they can be handled so well is testimony to the energy and regulation put into engine safety over decades. Whereas once such failures could down an airline, killing all on board, they can now be handled safely.

> These failures are anticipated

Sort of. The possibility of some types of failure is anticipated in the design of other parts of the engine. But there are also inspection procedures in place to ensure that engine parts that might fail are replaced before they fail. A report on a previous incident in Feb 2018 (referred to upthread) says that the root cause was a cracked engine fan blade that should have been detected on a previous inspection but wasn't. Failures that are supposed to be prevented by inspection and replacement of parts are not necessarily also allowed for in other parts of the design. So it's quite possible that luck is involved here as well and that a future failure of this type could have much worse consequences.

fan blade failures are expected. Engines are designed to contain failed blades. There is a huge test that is done whereby a blade is "failed" at full throttle. Engine dies but damage is to be contained.


(A380 "blade off" test, rare footage of giant engine failing)

> fan blade failures are expected.

No, they're not. Fan blade cracks are expected; and fan blades are inspected for cracks so that the blades can be replaced before they fail.

Yes, it's also true that, as a second line of defense, engine housings are designed to contain failed blades. But the overall risk of the system is calculated on the assumption that that is a second line of defense, not the only line of defense. In other words, it's calculated on the assumption that a fan blade failure in flight will not be due to a crack that could have been detected at the last inspection but wasn't. It's calculated on the assumption that a fan blade failure in flight will be due to some other root cause that nobody has ever seen before. In other words, we have second lines of defense because we don't presume that we know about all possible root causes for a given failure. We don't expect fan blades to fail, but just in case one does due to some root cause we didn't know about, we design an extra layer of protection.

But what happened here is that an inspection regime designed to catch a root cause we do know about, failed to catch it. That's not within the design parameters of the system.

The requirement came after several blades left their engines, severing vital systems on a couple flights. So the requirement is that new engines be able to contain blade failures regardless of the cause. Inspections can save a blade failure from happening, but they cannot be relied upon to prevent failures, necessitating the reliance on containment of eventual non-prevented failures.

> Inspections can save a blade failure from happening, but they cannot be relied upon to prevent failures

You still are not addressing my point.

Of course inspections cannot be relied upon to prevent failures due to root causes that are not known prior to the incident.

But inspections are relied upon to prevent failures due to root causes that are known. And that's what failed to happen in this case.

Put it this way: by your argument, the NTSB's final report on this should be something along the lines of "this was an expected failure and the containment worked, so no corrective action needs to be taken". Do you really think that's what will happen?

Whereas by my argument, the NTSB's final report on this will be something along the lines of "the inspection process failed to properly catch a cracked fan blade, and corrective actions A, B, and C need to be taken to fix the process".

4:37 for the content and to skip all the typical over-dramatization of these kinds of documentaries...

How do you safely handle the debris falling to the ground?

You don't. A few pounds of engine parts is infinitely better than the previous option, many tons of airliner falling on a house.

@sandworm How about a third option where neither the plane nor the debris falls?

The risk of falling debris actually killing someone pales in comparison to the risks of it perhaps doing more damage onboard the aircraft. A loose part near/inside an engine is no longer doing its job and could cause more damage where it is. And the ground is a big place. Drop a random pin in google maps. Then zoom in to see if it is actually on someone's head. This is lottery odds territory.

Objects drop from aircraft all the time, daily. It isn't generally newsworthy unless part of a larger story. And even then, only if the object is found and recognized as being from an aircraft. Small rocks also fall daily from space, probably more by weight than aircraft-related objects, yet virtually nobody ever gets hit by space rocks.

To add to that, 100 tons of space rocks hit earth every day. I don't think 100 tons of parts fall off airliners daily.

That being said, there was a Russian spacecraft that disintegrated and hit someone's house, in the middle of Siberia no less. So it does happen, but it's freak events territory.

Oh, if you are going to include manmade space-related objects there have been many deaths. Dig into how many Chinese rocket stages have landed on villages. If we include such things as "aviation" I would retract my above statements re debris. Rockets do sometimes fall on people.



"It has happened many times before, including most infamously in 1996 when a Long March 3B rocket veered off course shortly after a launch and crashed into a village. Chinese officials reported six dead from the accident, although Western sources have speculated that hundreds of Chinese citizens may have died in the accident."

Why compare two sovereign nations with vastly different safety regulations?

I didnt. I only said that rockets sometime crash on people and gave an example. Nobody is comparing countries in this thread. Aviation is about as international as any industry can be.

False equivalency. 100 T of diffuse material reaching Earth, likely burning up, isn't the same as or even remotely comparable to parts falling off aircraft due to man-made negligence. Jettisoning honeycomb cowling sections because a particular model of engine is relatively unreliable, through design, manufacturing, or maintenance, isn't an excuse for not fixing it or not using a better engine if it cannot be fixed economically.

Could you proofread and type correctly so we understand what you're saying? I can't read all of what you're saying.

I'm sure PW is working on that, but the failure rates on commercial aircraft parts are already ridiculously low. Bad things will always happen.

"Bad things will always happen" is a despicable shrug mentality. Bad things happen when people don't have their acts together in design, engineering, manufacturing, maintenance, and operation. The failure rates should be striving for zero, unlike the stunts Boeing has pulled on 737NG, MAX, and the 787.

Totally agree with you on the recent laxness in design and the regulatory capture that allowed it. But treating zero as a feasible goal is unrealistic. I've done code inspections for safety of flight code and making sure you have 100% coverage and branch coverage not just in the high level code but in assembler still doesn't get everything. You try to make sure that redundancy saves you (seriously boeing!) But common mode errors and just human fallibility to see all the possibilities mean we miss stuff. And all this is so much easier in software than in mechanical designs where redundancy sometimes just isn't doable. We shouldn't give up best practices, but we shouldn't have unreasonable expectations of them either. And not every engineering failure implies a failure in engineering process.

I wanted to clarify my last statement. Even when best practices are followed bad stuff happens, and that doesn't necessarily mean best practices need to change.

Of course not. Make improvements rather than knowingly shove in bad Ducommun parts on the line or crappy MCAS. Also, hold manufacturers responsible when they take cost-shortcuts, sacrifice safety, and kill people. Boeing routinely gets a slap for doing so since it's also considered a strategic defense contractor, part of the MIC that greases palms in DC.

I never said it was feasible, you did. It must be strived for, because that's the difference between excellence and crap.

And I’m supposed to fly on a 777-200 to Denver operated by United in just a few days. Yay!

The 777 has been flying for 25 years with almost no fatal accidents. Unless your flight will be flying over Russian anti-aircraft missile batteries or through a wormhole above Malaysia, you should be perfectly safe.

Another way of looking at it is that after flying and accumulating 25 years of wear and tear without major incident, we now have seen a repeatable flaw that these aircraft may encounter due to their age.

Aircraft undergo regular preventative maintenance checks, with letter codes A - D. The D check being the most comprehensive, it occurs every 6-10 years and basically the entire aircraft is taken apart and inspected, looking for among other things anything like stress fractures, corrosion, unusual wear, etc.


A commercial aircraft does not just accumulate wear and tear for 25 years until something breaks. They can basically fly indefinitely, but in reality after two or three D checks they are usually retired because the cost of the D check is more than the value of the aircraft.

Great context. I gained a lot of respect for aviation's use of checklists and procedures from the book 'The Checklist Manifesto'.

In this case, something obviously went awry and it's both engineering, planning, and a miracle no one died or was crushed from debris from above. Regardless, comments like yours leave me feeling far more confident in this sort of thing.

> In this case, something obviously went awry and it's both engineering, planning, and a miracle no one died or was crushed from debris from above. [...]

Yes, though even something going wrong doesn't necessarily mean that we'd need to change any procedures.

Sensible procedures bring risks down to acceptable levels at an acceptable price. That level of risk is generally still more than 0%.

Beware of the dangers of preventative maintenance, where sometimes while replacing or inspecting or re-mounting inspected parts, the maintenance crew breaks something that was OK and probably going to be working fine for years.

But yeah, a D check is so expensive I've heard there's a habit of dumping the aircraft on less observing flying companies some thousand miles before it comes up...

A minor point, it's not based on miles, but cycles (takeoffs/landings) for structural parts or hours for engines.

You're right, thanks for the correction.

> Aircraft undergo regular preventative maintenance checks

And in a similar incident in February 2018 on a 777 (referred to upthread), one of those checks was found to have failed: the NTSB determined that the root cause was a cracked engine fan blade that should have been detected on a previous inspection (and that would have resulted in the blade being replaced), but wasn't. If this incident turns out to have a similar root cause, that means there are issues with the preventive inspection and maintenance process.

> basically the entire aircraft is taken apart

How is that safe unless you've got a production line doing it? Seems impossible to re-assemble it in the same way as it was done in factory...

It's not taken totally apart, but it is stripped of the interior down to the bare metal, all wiring is checked/replaced as needed. All mechanical parts like the flaps and landing gear are removed and checked for wear. The skin is checked for cracks. This is done every 5 years for planes, taking about 5-6 weeks to complete.

Here's https://www.youtube.com/watch?v=WLil1MZmchI

As well as two demonstrations that the aircraft meets the design specification that even a catastrophic failure in the worst stage of flight is easily recoverable. I'd expect an increased inspection rate, possibly some new mandated ND testing for fractures and discontinuities (the last one was an LP shaft failure, IIRC).

One thing that does bug me, though, is that we now have two events where the shroud was lost. Were these uncontained failures (problematic because of potential for wing damage) or contained failures followed by aerodynamic shedding of the damaged shroud (system functioning as designed)? I'm also somewhat concerned about the fire remaining in the burner stage. Might have just been lubricants, but I'd want to make sure the fire handle had been pulled and investigate whether it worked correctly.

It looks like it’s the “cowling” that was lost, not the protective shroud / containment around the fan (and the rest of the engine) that keeps the fan/compressor/turbine blades from becoming high speed radial projectiles when they break off at full speed.

Agreed. The last one was pretty clearly a failure of a shaft or turbine, and the damage was much more obvious. This might be something completely different.

> As well as two demonstrations that the aircraft meets the design specification that even a catastrophic failure in the worst stage of flight is easily recoverable.

But in that type of failure, you can't control where the pieces go.


It resulted in depressurization and partial ejection/death.

That’s a different type of failure. Uncontained vs contained.

Kinda. While the 2018 incident was "contained", it still resulted in damage to the fuselage.

"Two small punctures were found in the right side fuselage just below the window belt with material transfer consistent with impact from pieces of an engine fan blade"

(From the link in parent to this thread https://avherald.com/h?article=4b4e8ca7&opt=0)

Not 'kinda'. Debris exiting the engine housing with sufficient energy and in a direction that leads to damage of other systems is the literal definition of an unconfined engine failure (i.e. it can spit as many parts as it wants to out the exhaust). There is a band of armour around the plane of the fans that should prevent any blades leaving the engine perpendicularly. If there was fuselage or wing damage from debris, that was an unconfined failure and would require investigation as a major fault.

However, loss of the shroud doesn't necessarily imply there was a confinement failure. Damage to the shroud during the event can easily lead to the cowling shedding aerodynamically, which is also part of the design: the last thing you need is more drag on the dead engine side. We can't tell which that was in this case, but it's important that we do---the design criteria specifying that the aircraft can be safely recovered from a catastrophic single engine failure during any stage of flight would assume the failure is confined to the engine.

Engine age isn’t the same as airframe age, and components don’t age linearly with calendar time; they age with flight hours or pressurization cycles. Without access to a log book, it’s impossible to know how old an engine is or when it was last overhauled.

Indeed, for a 25-year-old airframe with the utilization it would have at a major carrier like United there's basically no way the engines hanging on it now could be the same engines it was delivered with.

That isn't completely true. We don't know exactly, but the documented time between overhaul and the life of the airframe place upper bounds on those.

Some cheap airlines might ignore those rules, but none in the US. (Only the poorest, most corrupt countries in the world will ignore those limits.)

> these aircraft may encounter due to their age

Unlike some codebases, aircraft actually have mandated maintenance. Which is why most accidents are due to human error and not massive technical failures.

And often pretty silly and stupid human errors.

(That's a feature, not a bug! The pervasive checklists and general professionalism mean that most 'normal' human errors are recovered from without enough consequences to make it into the news.

So only the really unlucky and incompetent are what we usually hear about.)

Engines are separate from the airframe; on big commercial aircraft the engines get swapped/moved around all the time (the engines may well be on lease, separate to the lease on the airframe). Thus, in this sort of situation it's the engine's history that'll be important, rather than the airframes.

Until the NTSB investigates, there's no way to know whether age has anything to do with it. It might. It might not. There could be a common cause, or there isn't.

We don't know yet.

>> a repeatable flaw that these aircraft may encounter due to their age.

There are hundreds of flaws. Aircraft are not perfect. Any large airframe sees lots of little things break every year. That's what inspections and maintenance are for. But the system is designed so that such things never add up into something really bad. Be worried about the aircraft without flaws. To me, that means it either never gets used or isn't being inspected properly.

Or also if your pilots have just finished their type rating and used to fly A320s. Hopefully they remember that you actually need to manage your throttle on a Boeing!

Are you suggesting that there's a germane difference between the fly-by-wire FADECs on these two aircraft types?

Which incident are you referencing here?

And you have nothing to worry about. Statistically you really have nothing to worry about given this incident happening today.

Enjoy your flight and enjoy Denver. Get a donut from Voodoo for me.

At least it's unlikely to be that 777-200.

That specific plane will go through a lot of rebuilding, checks, thorough investigation, etc. Given a choice, I'd take that plane over another one.

Yeah but not if they rush the rebuilding and complete it in a few days. I suspect that's gonna require too much duct tape and bubble gum.

Assuming there’s no damage to the airframe itself, it could be back in the air pretty quickly. Changing the engine is a fairly routine procedure, which takes about a day:


Look on the bright side - you're probably more likely to die from catching COVID-19 from another person on the flight.

Not sure which is the worse way to go: 3-8 mins of flaming, falling terror, or weeks of facing potential death in a hospital.

If you're riding in an automobile to/from the airport, you have reasonable cause for concern.

Well, wouldn't be surprised if the aircraft is literally this one, and you'll now fly on a different one.

good luck!

Animated recreation with ATC audio of that flight (UA1175):

* https://www.youtube.com/watch?v=O-_IAKCBTxc

Animated recreation with audio of this one (UA328):

* https://www.youtube.com/watch?v=G7-zh7Sebr8

* Via: https://forums.liveatc.net/atcaviation-audio-clips/ual-328-u...

The failure was blamed on lack of training for inspectors.

Also, the same destination: Honolulu. And only 1 digit difference in registration number (N773UA in 2018 vs N772UA in 2021).

Must be a bad batch. Please return by post with batch number visible for a refund and let us know what you didn't like about the product

It was a bird strike.

That quoted ground observer. Do they work for the NTSB or something?

I am 110% certain that if I saw a plane on fire in the sky, I would not have the presence of mind to remember the term "cloud deck", let alone the rest of those details.

Ground observer: "Good sir, I do say that the cloud deck was quite low so I didn't get a good look, but the engine was mildly louder than usual, and possibly had smoke, but perhaps not, and appeared to be under control the whole time."


It's very likely that they're an AvHerald reader. It's the absolute de facto gold standard website in its field, and sensationalism and drama is not appreciated -- a large chunk of the usual audience are aviation professionals. My dad was a pilot, and I've got some few hours myself. You can bet that if either of us watched this event happen, we'd mentally be documenting it as best as we possibly can, both to try to predict any useful information (e.g should we try to move!), and for any subsequent investigation.

The excellent safety record of aviation originates from a detailed and pedantic paper trail that is written in blood. It's by learning as much as possible from every incident, without fear of censure or blame, that makes the skies safer for everybody.

There is now a comment on that article where the ground observer identifies himself and gives a few more details, so it looks like you're right.

> 1) I was giving Simon a heads up to look for a report out of DEN - if it was anything, I thought it was just something like a (big) compressor stall. That was why so many caveats were there - I wasn't sure at the time that the aircraft had had a problem. I didn't realize it was going to be widely reported until my mother texted me a couple of hours later asking if any of the plane parts came down close to me

> 2) Something I omitted that I should have put in: After I got home I imagined how many thumb-widths at arm's length it would take to occlude it (from memory), and plugged that into similar triangles and the length of a 737 (didn't realize it was a 777) to get an estimated altitude and got 2-4 thousand meters. I thought the cloud deck was only 2000 feet AGL or so, so I didn't believe the numbers. I did change "a couple" to "a few" though. Turns out it was ~8000 feet AGL. I should have believed more in the math!

I can draw some parallels between that and a healthy SRE culture. Except for the casualties, of course. Wondering if the first SREs who created the guidelines had aviation industry experience.

Aviation regulations are written in blood. SRE regulations are written in lost weekends.

Depends on what systems the SRE is managing or even on the downstream clients relying on their work. Around Y2K a bug took out the emergency call application for the fire department in Berlin at midnight New Year’s Eve. People died because dispatch was not available. It’s an IT system where people die if you mess up. AFAIR in one of the earlier prolonged AWS outages, some sort of medical provider failed and people were at risk. It’s not all just display ads on websites.

low key feel opposite - chaos engineering (to an extent obvs) would benefit flight controls...

it's like that old experiment that I can't find the source for - wall st traders switched with military guys and wall st outperformed mils because they are used to dealing with uncertain information...

Brent Chapman was one, and he worked in volunteer search and rescue.

Only looked up Aviation Herald after you mentioned. Very informative, almost HN like, but even more dense and topical.

> aviation originates from a detailed and pedantic paper trail that is written in blood

The saying is “aviation regulations are written in blood” because each new regulation is usually in response to crash. https://aviation.stackexchange.com/questions/13081/why-do-pe...

You don’t keep a “paper trail written in blood”.

No offense towards the average bear, but I would probably have dictated a statement the same way.

I’m not an average bear though. I regularly read and refer to things learned from airlines and other high criticality career fields, and talk about them at conferences. My sister is an airline pilot and I might have been if I wasn’t medically disqualified.

I do participate in government emergency response work and that looks like the type of statement that would come from a trained observer who knows how to express directionality as unambiguously as possible.


I grew up about 5 miles from an airport and for many years I had a recurring dream that I was looking out the window at an airliner that looked odd somehow or other, until I realized with growing horror it was going to crash in the back yard.

I never saw anything like it in real life, nor was it ever a concern for me whether I was in a flight path when deciding where to live, but evidently my subconscious had a "to do" list that included "be prepared for planes dropping out of the sky".

Strangely, I didn't have nightmares ever that I can remember about being on a plane in distress. Even though as I got older I got more anxious about flying.

The first Final Destination movie starts with a ground observer scene of about that distance of a plane crashing right after takeoff.

I don't know whether your age fits, but maybe you saw this and recalled it in your sleep every so often.

I have the same recurring dream a few times a year. I believe for me they started after 9/11.

Add that to the recurring dreams of losing all teeth, going to school only to realize there's a 20 page essay due, dinosaur attacks (inspired by Jurassic Park), and barely missing my school bus (that was just this morning).

Btw I'm 35 now.

Ugh, that "losing all teeth" dream is very disturbing, quite annoying and even painful! Good thing is that I usually don't get it unless I had quite a few drinks the night before.

Pretty sure he was a pilot or a sea captain. I definitely would not refer to the right hand engine as "starboard engine".

You'd be surprised. Years back, I saw what looked to be a near midair collision, including a smoke trail from one of the involved aircraft, and watched for a while from the front right seat of the Jeep my boss was driving us to a job site in. Presence of mind isn't really an issue. You're more just trying to understand and follow what you're seeing.

Today, of course, I'd be watching through my 500mm lens and taking pictures all the while. This was long before I got back into photography, though, and long before you could get a 500mm tele that didn't cost as much as a car. Even so, it was interesting, not frightening - remember that the sky is a long way away, and so are most things that happen there, weather notwithstanding.

Never did find out what actually happened.

I recently listened to one of the radio correspondents (Herbert Morrison) [1] that was observing the Hindenburg coming in - and it amazed me the things he thinks of while he's talking about it (how the people waiting for the passengers will be distressed) and the eloquent language used. ("Oh, the humanity!")

That said, he definitely also got distressed, but mostly remembered to describe.

[1] https://www.youtube.com/watch?v=DJ2qP4wd4LE

I expect the person interviewed is a pilot?

Or an engineer?

That's crazy, in the Netherlands today there was another flight that dropped engine parts (much smaller though, they're said to have been turbine blades) that hit cars and people. It was also an airliner (747-400).

Considering how rare an occurrence it is, it's really weird to have both happen on the exact same day.


By the way I'm surprised that fire keeps going on the B772. I assume the fuel was cut off, especially as the turbine seems to be just spinning in the wind. I'd imagine the remaining fuel would burn off quickly?

This would really be scary being a passenger (especially when you know the wing it's hanging under is full of fuel).

Random = clusters happen.

In fact, mathematicians were hired during the Battle of England to estimate whether the Germans were aiming for specific buildings (“why is there a cluster of bombs around this church???” or around some secret offices) or just spreading randomly. Verdict: They weren’t aiming, it was random chance that bombs made some clusters onto some buildings. This is what random looks like: No even distribution, sometimes you get a cluster which looks like a series.

I think it depends on how frequent the thing in question is. If an engine losing parts is something that happens yearly, twice in one day is still pretty rare.

But then you have to deal with degrees of freedom as well. If your search space is just 'two uncorrelated ~yearly events', there's enough of them that you'll always find false positives.

For independent, random occurrences, the probability distribution for delta-T follows an exponential decay. I.e. the most likely time is "right after". Of course, that "most likely" can still be small. Fun fact: This is true for any chosen point in time, i.e. the prob that this happens exactly one day after your birthday is higher than that it happens two days later.

I've tried to find a non-clustering pseudo-random function.

Anybody know the name or URLs of those?

Maybe quasi-random is what you are looking for?


There’s the (descriptively named) “low-discrepancy sequence”, the most famous one being the Sobol sequence.


This is exactly it! Many thanks for the name.

Where have I read this before, Gravity's Rainbow?

Grinstead & Snell in the part on Poisson distributions maybe?

Poisson distribution, higher probability of short periods between failures than long ones.

Anyone care to elaborate? I don't understand what he means, but I feel like this is an interesting thread to pull.

Briefly: if you expect 10 failures in 10 years evenly distributed then you would expect 1 per year.

If it is a Poisson distribution then you'd expect them to bunch up and get years with none, then them concentrated over a few years.

Poisson distributions usually imply a time factor. That's concerning in this case as it implies maintenance isn't effective.

How would this apply to disparate aircraft on different maintenance cycles?

It has nothing to do with aircraft, and everything to do with random chance. Basically, it is more likely for time-series data to have clumps than to be perfectly even.

Imagine you throw three darts at a board. Which is more likely: all darts are equidistant, or 2 of the darts are closer to each other than the 3rd? Now imagine it's 3 events in time rather than 3 darts on a board. And the same logic applies to an arbitrary number of events, of course.

It seems to me that there is a lot of room between "perfectly even" and "twice on the same day".
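The clustering argument in the comments above (exponential inter-arrival times, "random = clusters happen") and the low-discrepancy sequence mentioned earlier as the non-clustering alternative, as an added example that is not part of the thread: a Python simulation of a Poisson process next to a base-2 van der Corput sequence. The rate of one event per year, the ten-year horizon, the one-day "cluster" threshold and the seeds are assumptions chosen for illustration, not figures from the incidents.

```python
import math
import random


def poisson_process(rate, horizon, rng):
    """Event times of a homogeneous Poisson process on [0, horizon).

    Inter-arrival times are exponential with mean 1/rate, which is why the
    single most likely gap to the next event is "right after" the last one.
    """
    times, t = [], 0.0
    while True:
        t += rng.expovariate(rate)
        if t >= horizon:
            return times
        times.append(t)


def van_der_corput(n, base=2):
    """First n points of the base-b van der Corput low-discrepancy sequence.

    Points are placed deliberately, not randomly, so they never cluster;
    for n = 2**k in base 2 the minimum gap is exactly 1/n.
    """
    seq = []
    for i in range(n):
        x, denom, k = 0.0, 1.0, i
        while k:
            k, digit = divmod(k, base)   # reverse the base-b digits of i
            denom *= base
            x += digit / denom
        seq.append(x)
    return seq


def min_gap(points):
    """Smallest distance between any two points (inf if fewer than two)."""
    pts = sorted(points)
    return min((b - a for a, b in zip(pts, pts[1:])), default=math.inf)


def next_event_within(rate, threshold):
    """P(next event arrives within `threshold`) = 1 - exp(-rate * threshold)."""
    return 1.0 - math.exp(-rate * threshold)


def prob_cluster(rate, horizon, threshold, trials, seed=1):
    """Monte Carlo estimate of P(some pair of events lies closer than threshold)."""
    rng = random.Random(seed)
    hits = sum(min_gap(poisson_process(rate, horizon, rng)) < threshold
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    # Constructed scenario, not incident data: roughly one engine event per
    # year for ten years; "clustered" means two events within one day.
    day = 1 / 365
    print("P(next event within a day):", round(next_event_within(1.0, day), 4))
    print("P(some same-day pair in 10 years):",
          prob_cluster(1.0, 10.0, day, 20000))
    # Random placement vs low-discrepancy placement of 64 points on [0, 1)
    rng = random.Random(7)
    print("random min gap:", min_gap([rng.random() for _ in range(64)]))
    print("van der Corput min gap:", min_gap(van_der_corput(64)))
```

With these assumptions the chance of any same-day pair over a decade comes out around a few percent, while 64 van der Corput points always keep a gap of 1/64 that 64 uniformly random points almost never manage; that contrast is the whole difference between "random" and "quasi-random".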

I read on the German news about the Dutch incident and came to HN because I knew that somebody would've posted about it here. Found this thread and didn't fully read the headline, just "Boeing" and "engine failure". It took me a few seconds to realize that this was a completely different incident.

The Dutch incident is a relatively common one, the reason it's in the news is that turbine blades fell down on a residential area and someone got minor burns from picking one up.

It's more typical to have this kind of failure early in the take off where the parts would fall on the airport and nobody would talk about it.

All the rest of the news about circling at 10,000ft and then landing at a nearby airport is completely standard procedure that gets practiced all the time in the 6 months simulator checks. Basically you climb high enough to be able to dump fuel without it reaching the ground (minimum 6000ft, preferably higher) and still not too high such that you're burning a lot of fuel quickly because at 10,000 ft fuel usage is way higher than at 30,000. Then when the fuel dump is complete, engine secured, checklists done it's a relatively normal landing. Especially if you have 4 engines but even with 2 it's a landing every pilot can do and is trained for all the time.

It could be oil that's on fire

There is a saying, something like "once is bad luck, twice is a coincidence, three times is enemy action". So, if you get more than two big planes crashing on the same day, it's likely something like Al Qaeda (sp?) on 2001/09/11. If it's two planes, it's likely bad luck.

If anyone else is wondering what ZIMMR means in this context, it is a specific feature of the Denver airport: https://ja.flightaware.com/resources/airport/DEN/DP/ZIMMR+TW...

A specific location. Waypoints used in IFR approaches are given unique, 5-letter, usually pronounceable, names.

As well as being unique they're chosen to avoid similar sounding ones being near each other. So KITES and SITES might both exist but they'd never be anywhere that you could confuse one for the other.
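The naming rule described above (unique five-letter names, with similar-sounding names kept geographically apart), as an added example that is not from the thread: a Python check that flags fixes within a radius whose names are one edit apart. KITES/SITES are borrowed from the comment and ZIMMR from the thread, but every coordinate is invented; the 100 nm radius and the one-edit rule are assumed stand-ins for whatever criteria the naming authority actually applies, and pronounceability is not checked.

```python
import math
from itertools import combinations
from typing import Dict, List, Tuple

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

# Constructed sample: the names come from the thread, the coordinates do not.
FIXES: Dict[str, Tuple[float, float]] = {
    "KITES": (39.80, -104.70),
    "SITES": (39.85, -104.60),   # a few miles from KITES and one letter apart
    "ZIMMR": (39.90, -104.40),
    "SYTES": (47.60, -122.30),   # one letter from SITES but hundreds of nm away
}


def valid_name(name: str) -> bool:
    """Five upper-case ASCII letters. Pronounceability is not checked."""
    return len(name) == 5 and name.isascii() and name.isalpha() and name.isupper()


def great_circle_nm(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Haversine distance in nautical miles between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete or substitute, each costing 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def confusable_pairs(fixes: Dict[str, Tuple[float, float]],
                     radius_nm: float = 100.0,
                     max_edits: int = 1) -> List[Tuple[str, str]]:
    """Pairs of fixes within radius_nm whose names are within max_edits.

    The radius and edit threshold are assumed for illustration; the real
    naming criteria may differ.
    """
    names = sorted(fixes)
    return [
        (x, y) for x, y in combinations(names, 2)
        if edit_distance(x, y) <= max_edits
        and great_circle_nm(fixes[x], fixes[y]) <= radius_nm
    ]


if __name__ == "__main__":
    bad = [n for n in FIXES if not valid_name(n)]
    print("malformed names:", bad or "none")
    print("confusable nearby pairs:", confusable_pairs(FIXES) or "none")
```

SITES and SYTES differ by one letter too, but sit on opposite sides of the country, so they pass; the only pair flagged is KITES/SITES, which is exactly the case the comment says would never be allowed.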

How come the discrete audio on 120.15 was not available?

LiveATC uses volunteers to record well-known frequencies at various airports. 120.15 may have been stood-up in an ad hoc fashion, so there was no radio configured to record it.

* https://en.wikipedia.org/wiki/Airband

When control described it as "discrete" was it because they know that listeners wouldn't be prepared to monitor it? I find it odd that a public frequency would be described as discrete without some greater barrier to listening in.

You are thinking of "discreet":

* careful and circumspect in one's speech or actions, especially in order to avoid causing offense or to gain an advantage.

The word they were using was "discrete":

* individually separate and distinct.

120.15 is/was not used for anything else at Denver, so people could talk about the situation on the ground without affecting the operations elsewhere. Once the problem was 'contained', the rest of the airport could go back to operating 'normally' on the other runways.

I see. Thank you for clarifying that.

I'm still a bit surprised that the audio went uncaptured. It is interesting how much information that would be interesting to the public still spills into the ether.

The right engine was out and the pilot chose to do a left turn. Is the choice related?

It's good airmanship to turn into your "good" engine.

Why? Surely it's easier to turn the other way? Then again, it's not a dogfight, so maybe less chance of losing control if turning into the working engine?

Because you may not be able to get out of your turn that way. The aircraft 'wants' to turn over the bad engine so you could easily get caught in a feed-forward situation.

> Surely it's easier to turn the other way?

That's exactly why. Because then it helps you getting out of your turn, instead of fighting against it.

WRT the debris video: personally, I would be paying more attention to looking for anything falling in my direction. The debris may flutter like falling paper, but it is much more substantial.

Those are heavy objects falling onto a kids' soccer field and nobody yells "HEADS UP!", "FORE!" or "RUN FOR COVER!". How considerate.

It looks like they've got plenty of time to move out of the way.

I'd guess looking upwards at some awkward shaped objects falling down, it's not easy to guess where they will come down.

If this ever happens to you and it seems like the falling object is not moving in your field of view: run away at a 90 degree angle.

Pretty nice view of the burning engine from inside the plane.


Reading this sentence makes me uncomfortable

Oddly enough, something similar happened today just a few kilometers from where I live.


Today was quite weird for Boeing airplanes, as well as for United. United Flight 1832 (a 737-8) from Cancun to Houston had a single engine shutdown on the way and had to divert to New Orleans.

I'm an Air Traffic Controller at Houston Center, and a regular user of this website. Today I was the Radar Associate controller in the Ocean West sector when that aircraft flew through.

The Radar Associate works alongside the Radar Controller, and performs coordinations and other actions to assist the Radar Controller. It is the Radar Controller who talks with the aircraft on frequency.

In the Ocean West sector, the Radar Associate controller coordinates with Mexico's Air Traffic Controllers to determine safe routes, altitudes, and crossing times at the FIR boundary, as well as pass along any other pertinent information.

I won't answer any questions about today's event here, but if anyone has any other questions, feel free to ask. I will also double-check the FAA's social media guidelines when I go back to work tomorrow. So, if I don't answer your question today, please check tomorrow.

TF or "Tango Foxtrot" are my operating initials - something which every Air Traffic Controller has and is unique per facility. We use our operating initials to identify ourselves when we perform coordinations via the landline.

I was also a Radar Associate controller at HCF Center (in Hawaii) for United Flight 1175, a Boeing 777, from San Francisco to Honolulu when it lost its engine cowling back in 2018.

The views expressed here are my own and not necessarily those of FAA.

Actually, one thing I was wondering after I got the alert about the 7700 (via flightradar24) - is there anything I'm missing in terms of a reasonably reliable way to figure out what Center frequency a given airplane is currently communicating on, when not low enough to be talking to Approach? I'm assuming there isn't, because handoffs from departure seem to vary frequencies when I fly.

You would need charts that show the different sector boundaries and their altitude or flight level stratums. Sectors can be combined, so you might be given a different frequency in the same area at different times of the day and/or days of the week.

With Approach, sector boundaries can also change depending on which runway(s) they're landing.

You could potentially call up the facility and ask for copies of the sector charts, but I don't know what kind of response you will get.

Right now due to COVID-19, facility tours are not allowed, otherwise you could see ATC in-person and ask to take a look at their charts then, as well as ask the Controllers any questions, workload-permitting.

The facilities that I've worked at (HCF Center and Houston Center) have been happy to give tours, but they have to be during normal business hours, and you have to be a United States citizen. For a tour, I suggest organizing a group of pilots or others interested in aviation, rather than just going by yourself.

The views expressed here are my own and not necessarily those of the FAA.

Is RADAR Controller the senior position and RADAR Associate the junior position? That is, does one normally progress from Associate to Controller? How long does it take to progress from one to the next? Is it common/expected for people in your position to move to different airports?

Radar Controllers and Radar Associates are just staffing positions.

Some background information to build on…

An Air Traffic Controller's job title when they start out is Air Traffic Control Specialist. An Air Traffic Control Specialist starts out in the AG pay band (Academy Graduate). When that Controller gets certifications, they move up to the D1 pay band (Developmental), then to D2, D3, and when they get all of their certifications or "fully certify", they end in the CPC pay band and their job title changes to Certified Professional Controller.

The Radar Controller position is also called the R-side, and the Radar Associate position is also called the D-side. A trainee needs to certify on all of their D-sides before they start training on their R-sides.

So basically the answer to your first two questions is "yes". However there can be a more experienced controller working the D-side while a new controller is working the R-side. The Air Traffic Controllers rotate through the different positions throughout the day. It is based on when someone arrives for their shift, or comes back to the control room from their break, they check with the controller that has been on a position the longest, and asks that person if they want a break. If not, the Controller moves on to the next person who has been working the longest, and so forth.

ARTCCs or Air Route Traffic Control Centers or just "Centers", are divided into "specialties" (or "areas") that controllers are assigned to. Each specialty is divided into sectors. At the minimum, each sector needs to be staffed by a Radar Controller. If the sector is busy with a lot of traffic or is complex due to weather events, or maybe traffic being rerouted from another sector, then a Radar Associate position will be staffed at that sector. If traffic is very light, for example in the middle of the night, sectors can be combined and one Radar Controller will work multiple sectors and talk to multiple aircraft on different frequencies.

The time it takes to get certified depends on many factors. It could be anywhere from one month, to six months. From starting out to get fully certified, can take anywhere between two years, to five years. It depends on many factors, such as personal ability, training opportunities, training backlogs, etc.

It is common for people to switch facilities at least once. Some stay at their first facility, some move several times. When a Controller graduates from the FAA's training facility (that's where "Academy Graduate" comes from), they are given a short list of facilities to choose from. The list constantly changes based on the FAA's staffing needs.

The FAA does do "direct hires" for people with previous ATC experience (usually through military) directly into certain facilities, but a new hire without experience won't know where they'll go when they start out.

The views expressed here are my own and not necessarily those of FAA.

What expertise is it that ATC folks build up in all of those years of training? Is it knowledge of plane behavior by model, familiarity with the region, radar behavior? Or is the majority of it the less tangible “getting a feel for the flow of traffic to instinctively pick out unusual behavior”?

(Edit to my parent comment: " It could be anywhere from one month, to six months" to certify on a single sector, but it's really more like one to three months.)


All of the above.

Whenever an Air Traffic Controller transfers to a new facility, or even transfers to a new specialty within a facility, they have to train and get certified on all of the new sectors. Each sector is different due to traffic flow, types of traffic, equipment limitations, etc.

For the Houston Center Ocean specialty, equipment familiarization is very important for Controllers. There are 5 sectors: Ocean West, Ocean East, Offshore West, Offshore Central, and Offshore East. Ocean West and East deal primarily with aircraft flying between the United States and Mexico. There are different airways that aircraft can take, and each one has different characteristics (crossing airways, airways defined by RNAV fixes vs bearings off of VORTACs, radio coverage, and radar coverage).

In the Offshore sectors, radio coverage is harder to manage. There are multiple transmitters and receivers that are located on different offshore platforms, and the ocean elements and weather can affect the equipment. At our positions next to the radar scopes, there are touchscreens with many different buttons to select which frequencies we want to monitor, transmit on, use primary or backup sites, etc. Most sectors do not have to toggle between different transmitters, but in the Offshore sectors, that's a common occurrence. There are also different transmitter sites for the Ocean sectors, so we commonly get pilots saying that they're losing us on the radio when we are talking to another aircraft a hundred miles away, and we can hear the pilot just fine.

In the Ocean sectors, radar doesn't cover the middle of the Gulf of Mexico, so we have to rely on aircraft position reports unless they have ADS-B.

At HCF Center, there are mountains which block radar coverage, so it's good to know where we can expect to lose or establish radar contact with aircraft.

Yes, there is an element of becoming familiar with the routine traffic. You see many of the same flights every day, so you know where they are going. It got to the point at HCF Center, where if someone told me a flight number, I could tell them the departure and destination airports without looking.

However, just like pilots, Air Traffic Controllers cannot let routine turn into complacency. We can never just assume anything, if we are unsure, we have to ask or restate something. Safety is our number one priority.

The views expressed here are my own and not necessarily those of the FAA.

You can hear the air/ground communications for this flight here via LiveATC.net. The pilots declare an emergency and then a mayday call beginning at 1:15 of the audio. https://forums.liveatc.net/index.php?action=dlattach;topic=1...

"Mayday" is the internationally agreed code, so that's one reason to use that - but US accident investigators also noticed a pattern that American pilots are often too reluctant to declare emergency status when it's appropriate as it is here, because they feel it's "not that bad" yet. Having them say it's an emergency without saying "Mayday" is good enough and might mean a few more cases that should have been emergencies are declared as such.

I might look for the link later, but there's an incident with a Youtube reconstruction where a private pilot is nearly out of fuel, the weather is poor, and he's approaching a USAF base en route to his last hope landing site. Airbases are military facilities, closed to civilian traffic. He asks the controller if he can land there. She says he can't... unless it's an emergency.

He should say "Yes, this is an emergency, I'm on fumes here and the weather is much worse than I expected". She'd turn on the airfield's powerful landing lights, and maybe he'd spend the evening explaining his screw up and apologising to a base commander or at worst spend the night in a cell. Nobody dies. Instead he pressed on, and his dire situation only became clear to her when it was too late and he was already doomed.

Listening to the audio, the pilot first says, "We've experienced an engine failure, need a turn." ATC does not respond, so he calls again and says "Mayday" in order to unequivocally get their attention.

There are actually two different emergency calls. There is "mayday", and there is "pan-pan", which is a less urgent version of "mayday", but that is hardly ever used.

PAN-PAN is used more often than you might think, at least outside the US. In particular, any medical emergency would be a PAN-PAN.

Here's an interesting example where two aircraft had declared PAN-PAN for quite different reasons, while coming into Sydney. https://www.youtube.com/watch?v=DfidHywKmZI

‘Panne’ is French for ‘breakdown’. (Like ‘m'aider’ is French for ‘help me’.)

Pan-pan is used for maritime distress calls when a ship is sinking.

I landed on a private runway due to bad weather. I saw it was private on the chart but seriously did not care.

It was over a mile long and had landing lights. It was owned by some Texas billionaire brothers who kept their jet there. The people there were actually super nice and loaned us a car to get lunch.

This one? https://www.youtube.com/watch?v=fLlWf-Fk_YM

Fear of declaring an emergency seems to be fairly common in GA incidents with lower airtime pilots.

Experienced pilots don't mind calling mayday, but:

1) Often ATC will ask you a lot of distracting questions. It starts with what the problem is and how many souls are on board, but can be lengthy and doesn't solve your problem.

If you listen to the Sully Hudson flight, you can hear how terse Sully is to avoid a conversation with ATC while he's busy flying.

2) You may be asked for a written letter afterwards, or an investigation may start. Your airline would be interested.

3) ATC is not responsible for your plane, and cannot fly it for you. Most ATC don't even have an airplane rating.

Pilots have a "get out of jail free card" by filing a NASA report for non-intentional violations. You can search that database.

I filed one once when I was flying an old rental with sketchy navigation equipment into Class B just in case the gauges were out of tolerance.

Source: commercially-rated pilot.

You can hear the fire alert going off before the mayday.

The fact that they requested a left turn at first meant the controller knew the right engine was out and they'd need left turns to come in. Always find the level of training impressive and I'm glad they made it back safely.

Aviate, Navigate, Communicate

I don't follow how the right engine being out means left turns. Seems like you'd have extra thrust on the left side and you'd want to make right turns. They wanted to keep the right engine high? I'm not sure what I missed.

That's exactly the problem, turning too heavily into the side of the dead engine can introduce a situation where it's impossible to pull out of that turn.

When turning into the dead engine, there’s a tendency to overbank as the plane will yaw towards the inoperative engine.

Turning into the live engine is more controllable. When you turn toward the dead engine, the tendency is to turn more. You can do it, but it’s not as stable.

Can't wait for the synopsis on the Blancoliro YT channel.

EMERGENCY- A distress or an urgency condition.

DISTRESS (MAYDAY)- A condition of being threatened by serious and/or imminent danger and of requiring immediate assistance.

URGENCY (PAN-PAN)- A condition of being concerned about safety and of requiring timely but not immediate assistance; a potential distress condition.

“Declaring an emergency” is US specific. The rest of the world doesn’t recognise this phrase you have to use either “Mayday” for immediate danger to life or “Pan Pan” for less severe problems. As I understand it, “Declaring an emergency” is the equivalent of a Mayday and the US is very slowly switching away from this non standard phraseology.

"Declaring an emergency" isn't even correct in the US. The FAR/AIM only lists "mayday" and "pan pan". (Yes, it's oddly common here in the US for some reason. I think some pilots are afraid to say the "m" word.)

That said, controllers are human. As long as you get the message across somehow they'll do everything they can to help, even with non-standard phraseology.

Of course, the risk of non-standard phraseology is that you might be misunderstood - especially in countries where English isn't the primary language. It's still good to stick to standard ICAO phraseology whenever possible.

For sure, I think in an English speaking country you would probably get your point across. They would most likely come back with asking for confirmation that you are declaring 'mayday', but you would probably cause varying degrees of confusion in many other countries.

I suppose the aim is to make it absolutely clear as quickly as possible that you want ATC to press the big red button labeled 'crash' which sets off the alarms in the airport fire station and causes other controllers to start diverting flights away and telling planes on approach to go around.

These two podcast episodes about the last major crash at Heathrow are pretty interesting if you want to know what happens in ATC during something like this. The fire appliances were already en route before the plane hit the ground. http://airlinepilotguy.com/adam-spink-and-speedbird-38-part-... http://airlinepilotguy.com/adam-spink-and-speedbird-38-part-...

Curious, I had always heard it should be repeated 3 times, but here they’re consistently repeating just twice.

You’ll find that there’s a gap between what the books say about ATC comms and how things are actually done. No one is being pedantic in an emergency.

If anyone is curious about what the books say, US Air Traffic Controllers use phraseology prescribed by FAA General Order 7110.65.

Also known as the 7110 or the point sixty-five, it includes rules that Air Traffic Controllers must follow to ensure safe and effective operations. So if you're a pilot and are wondering why you have a Hold For Release or are told "unable", you might find the reason in this document.

The Wikipedia article [0] links the PDF version as well as the online version.

[0] https://en.wikipedia.org/wiki/FAA_Order_7110.65

Happy to see a controller here. Thanks for all the clearances. :)

It’s slightly different for marine radio, where it follows the MIRPDANIO mnemonic you might be thinking of that?

3 times is just to "ensure" it gets heard.

VASAviation already has the radar/ATC video up: https://www.youtube.com/watch?v=G7-zh7Sebr8

One of the best parts of everyone carrying a camera in their pocket is you can get high-resolution images of incidents like these as a matter of course.

and yet no good video of a UFO.

Of course, you can explain your way out of that one too: The aliens found out we got smartphones, so they decided to stop making appearances now that they know they can be recorded.

I worked at a Large Internet Infrastructure Company for a long time, and saw software development practices that made my hair curl. All I could think was, "Gee, I'm glad we're not working on aviation software!"

Seriously, though: software "engineering" could actually earn the name, if we had rigorous professional standards, regulatory oversight, and product liability.

There have been attempts (the "Keep the Space Shuttle Flying" method): https://github.com/kubernetes/kubernetes/blob/ec2e767e593953...

Secure coding standards exist for these reasons: MISRA, BARR and others. If we had the same restrictions as other engineering professions, maybe we would still be using COBOL. In important places with big safety concerns we follow better guidelines; in webshit front ends we do more, with not so much concern about mistakes. This is the best way: allow breaking in unimportant places, but make rules in important ones.

General software requirements can change drastically in a short period. Heck one of our clients requested major parts of our solution to be rebuilt for the third time within 6 months to accommodate the whims of their new leadership.

You don't see that happening with aviation software where requirements are set in stone.

So raise the price of the software so that you can afford more/better software engineers, to produce a more robust and flexible project. Then it'll be aerospace quality, aerospace costs.

So your solution is to charge more and throw more engineers at the problem? Sounds like one of my ex-bosses.

Apple does that and they couldn't be further apart from aerospace engineering quality. Their software and hardware have been historically littered with problems and bugs.

One thing that sets software apart from other engineering disciplines is that the latter are grounded in physics (bits running on a semiconductor don't matter for this discussion) and have been around (in some form) for thousands of years. How do we know if a design is sound? We can check it by doing the math. How do we know if a program is sound (what does that even mean? There's our first problem)? Well, we rely on a large compendium of heuristics that are based on nothing but experiences compiled over the past ~60 years. Also, that compendium is constantly being added to. Also, virtually everyone disagrees on what should/shouldn't be in this compendium.

I'm wading into waters that are way over my head here, but my understanding is that it is possible for software to be provably correct, in the mathematical sense of "proof."

I'm well aware of the admixture of folklore, experience, and caffeine-fueled inspiration that constitutes much of the software that runs our world.

Source: I work on static analyzers, so I'm biased to that.

We cannot prove everything, as others pointed out the fundamental issue here is the "halting problem". However, this doesn't mean we can't prove anything. Wikipedia says:

> In computability theory, Rice's theorem states that all non-trivial, semantic properties of programs are undecidable.

I often feel like the "trick" is to push the trivial stuff to be as useful as possible. You can work from several vectors:

1. You build better static analyzers (difficult and computationally expensive the further you push it - but that's what we're doing).

2. Reduce the complexity of the "analyzed thing" (high level language, assembly, ...) to allow for easier analysis, while still being useful (an assembly language only supporting 'nop' is trivial to analyze, but pretty useless overall; otoh you can disallow some constructs in C to make the language easier to analyze).

There are of course other forms of "provably correct". E.g. programming in a language that has proofs attached to it, like coq [which is the name of a proof assistant]. Disclaimer: I've never used coq myself, but know plenty who do. I think that's something that might interest you. [And thanks to the genius who christened that tool: No, seriously, I'm not trying to be rude!]

[edit] Didn't check that link, but maybe you find it interesting https://www.cs.princeton.edu/courses/archive/spring13/cos510... There are of course other approaches than coq, e.g. Isabelle is often mentioned. See the "See also" on https://en.wikipedia.org/wiki/Coq

There's work going on in formal verification but it has many limitations.

I'd also point out that in MechE/CivE fields, you're still dependent on materials (and maintenance) working as advertised. It's also often the case that operating conditions just end up being different from what was designed for or certain failure modes weren't considered. See, e.g. the Citibank Building in NYC http://www.slate.com/blogs/the_eye/2014/04/17/the_citicorp_t...

You can, but first we need to figure out what correct is in the first place. I can prove hello world doesn't overflow buffers, but it is a bit harder to prove that my font renders the letters vs some random scribbles.

It is possible to prove software adheres to a certain specification. This is time consuming, and how feasible it is depends a lot on how your specification was written. It generally also depends on how your software was written.

The big issue is that writing a useful specification can be hard. Especially if you want to also make the specification easy to check.

A side issue is that your proof will make assumptions about how a computer works that are simplified.

Have a peek at metastability[1]; any time a digital system crosses a clock domain there's basically statistics making sure the whole thing doesn't fall over.

Need a better MTBF? Throw in a couple more inline flip-flops.

[1] https://en.m.wikipedia.org/wiki/Metastability_(electronics)

I think being able to prove that a program can be correct is getting close to P=NP territory.

It's very difficult but there have been strides in that direction: http://web1.cs.columbia.edu/~junfeng/09fa-e6998/papers/sel4....

You cannot prove that some program is correct, in general, because that’s effectively the halting problem. But in practice it is sufficient to enforce (prove) the absence of behaviors via constraints like types or contracts.

You just don't need that in software when most of the industry is low consequence. It's only losing money at most tech companies, not killing your coworkers. This hasn't happened to me personally, but it's not cool when Rob the test pilot, whose family you've hung out with and that you've gone on hikes with, literally dies next day in a fiery crash. But that's the risk any test pilot accepts.

That's the excuse I keep hearing. Then, I find out that the "low consequence" software I've worked on is being relied upon in very consequential contexts.

Can I tell your customers that the software you're selling them is only built for "low consequence" applications?

Simon (the founder & proprietor of The Aviation Herald) is an incredible force for good in the world. His work on that site, for well over a decade now, is legendary.

Fun fact: the response header [1] of that website suggests it is powered by Apache and Perl. Which is amazing in itself. And it's still responsive despite being #1 on HN.

[1] Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.2r mod_perl/2.0.4 Perl/v5.10.0

Why is that surprising? Serving static content is easy.

...and yet, very rarely done. That the correct technology for a news site (static content) was actually used is the surprising part.

It would also be the correct technology for most sites - you don't need fancy Javascript for just the contents.

Navigation, ads, etc., maybe, but not the content itself. Most webpages could be perfectly useful with Javascript completely disabled.

Sadly, many aren't.

Fancy JavaScript has nothing to do with serving static content. JavaScript itself is (or should be) static content anyway.

If you're talking about using JS to load content on page load, for whatever reason, that async content can also be static. For example some sites use the URL fragment (hash parameter) to load content, but the server does not receive this:

The fragment identifier functions differently to the rest of the URI: its processing is exclusively client-sided with no participation from the web server - https://en.wikipedia.org/wiki/URI_fragment

I mean. How much is classic Perl used in web applications these days?

0.1%, not much!

But concatenating strings together is the same in any language, right?

You should see the accident from the day before: https://avherald.com/h?article=4e35302b&opt=0

The plane began to "distribute engine parts". The pictures show us just how impressive the distribution was.

Same day, actually - this was only about 8 hours ago.

I like how people are just standing next to pieces of plane and playing soccer in the background, like it's just another day with pieces of plane falling out of the sky [0]

[0] https://avherald.com/img/united_b772_n772ua_denver_210220_3....

Better than them moving the pieces. Finding the pieces in their exact location + weather pattern can give important clues as to the reason why this happened in the first place.

Well, once they've already fallen there's not much more to it. It's not like it's a continuous stream of debris coming from somewhere. But it does look dangerous when it would have first fallen, though.

No doubt this was a happy ending, but modern airplanes like the 777 are perfectly capable of flying, even climbing, with one engine. So, while it seems very heroic on the part of the pilot, it is pretty ordinary and non-news.

What I do think is a happy outcome is the debris from the disintegrating engine did not fall on someone and kill/injure them.

Source: Pilot.

Flying on one engine is one thing. Flying one engine while the other is on fire due to unknown causes is another. Still newsworthy in my book.

Source: also a pilot

Respectfully disagree. When you are flying with one turbofan, it does not matter why the other engine is on fire. The checklist says, shut off the fuel, if W&B allows, move fuel off the wing and drown the engine in CO2.

Source: Over 3500 hours turbine time.

I'm not saying that following the checklist is particularly hard, or that the mechanics of what you need to do are outside the skill level of any competent pilot.

I’m saying that practicing engine-outs/fires is psychologically different than bringing a flaming aircraft safely to the ground with several hundred souls on board.

Some honest questions here for experts:

0. Why was the engine flaming in the first video? Why didn't the pilots cut fuel to that engine immediately and use the other engine to land?

1. What is the best way to communicate issues to the pilot if you're a passenger and see something the pilot can't see? For example once I was sitting in the back of the aircraft on Airtran and I saw a screw on the jet loosening and almost falling out. I told a flight attendant but they were just kind of "Um hmm okay thanks for letting us know! Would you like any orange juice?"

> 1. What is the best way to communicate issues to the pilot if you're a passenger and see something the pilot can't see?

Flight attendants are the passengers' interface to the whole flight environment. BTW there's a seniority rank among the attendants too, a chain of command, so to speak.

I would think that your observation was likely being noted, not sure if relayed to the pilots. Juice is the best option, no one needs to have a panic in the cabin.

Did you try to mention that observation again but at the arrival, during the "Thank you, good bye!" time? Sometimes you may even see the captain there.

P.S. Once, my flight was cancelled (all boarded already) because the crew discovered a missing "Exit" sign in the cabin and the mechanics at the airport could not find the exact part for the plane model. Call this an attention to details!

Once had a flight delayed for maybe an hour because an overhead bin wouldn’t close. Mechanic had to tape it shut with special FAA duct tape, then sign the tape, then do an impressive amount of paperwork right there and then.

- 8 January 1989

- The Kegworth air disaster - British Midland Flight 92, a Boeing 737-400

- Pilots had an engine issue and shut down the good engine by mistake.

> The pilots throttled back the working right engine instead of the malfunctioning left engine. They had no way of visually checking the engines from the cockpit, and the cabin crew — who did not hear the captain refer to the right hand engine in his cabin address — did not inform them that smoke and flames had been seen from the left engine.

> Several passengers sitting near the rear of the plane noticed smoke and sparks coming from the left engine.

> The pilots mistakenly shut down the functioning engine. They selected full thrust from the malfunctioning one and this increased its fuel supply, causing it to catch fire. Of the 126 people aboard, 47 died and 74 sustained serious injuries.

I have no idea what the best way to communicate would be, but this is an example of an incident where it could have saved lives. It would be good if there was a protocol. (Perhaps requiring the captain's address to mention which engine they believe has the issue).

Not an expert, but: if there had still been fuel supplied to that engine, the fire would have been a lot worse. If you watch the video the fire clearly becomes less intense over time, and the footage of the landing suggests it's out by then. Remember that fuel isn't the only flammable thing there - engines need oil for lubrication, and in combination with whatever residual fuel was in the system and potentially sprayed everywhere, it's not surprising that you'd have enough to burn for a short time.

0. Airliners have fire bottles filled with Halon to extinguish flames, but they're ineffective if the cowling separates from the engine. That's assuming this uncontained failure didn't damage the bottle or wiring to it.

1. Kudos, that's exactly the way to do it. If it was a screw on top of the wing though, it was likely communicated later as one screw coming off a panel isn't a big deal.

Lucky it didn’t happen halfway. Could have been several hours on one engine and the other one shaking and on fire.

Luckily flight plans are always required to be within a certain number of minutes of a place to land, and are certified to operate on one engine for that period.

Very rudely, I'd like to mention the popular backronym for ETOPS: "engines turn or passengers swim"...

Indeed. The scary part here isn’t the loss of (function in) one engine, it’s structural issues, fire and so on. A violent engine failure can give a whole range of problems beyond just the loss of the engine. It would likely have been ok even halfway to Hawaii, but it would have been scary.

ETOPS helps, but it assumes that the engine is just shut down. Here you have compromised aerodynamics and potentially the wing, tail or other systems damaged by parts of the engine.

Of course. But simply an engine not working shouldn't be a concern. Obviously land as soon as possible, but it's not really that dangerous (assuming the other engine doesn't fail for the same reason)

Turbine blades failing and piercing a hydraulic line, on the other hand...

138 is a certain number of minutes. It’s still a long time.

How do you account for oceans?

By staying as close to land as required to ensure safety. Until fairly recently, flights to Hawaii were largely served by 3- or 4-engine jets. It's only in the last several decades that ETOPS regulations have shifted enough to allow regular twin-engine service to Honolulu.

See the 3rd response... https://www.airliners.net/forum/viewtopic.php?t=119921

The regulations have been shifted but only time will tell if it should be shifted. I guess we'll find out in 20 years.

Thanks for the recommendation on that 3rd response, it was an excellent reply

The "certain number of minutes" includes being over oceans. If you're too many minutes, you can't fly there. ("Minutes" are fairly large. I believe at least one Airbus aircraft is now at 4 hours.)

Transoceanic aircraft need lots of ETOPS time. For example the Boeing 777 (twin-engine, transoceanic) has an ETOPS of 330 minutes, so it always needs to be 330 min away from an airport (which is 11 hours of flight from airport A to airport B, not taking wind into account).

By having airports on islands, or by pushing up the number of minutes that the engines/operator are certified for.

Note that ETOPS goes beyond just engine ratings, it also requires the operator meet all sorts of additional requirements (what if you DO have to divert - can you have the passengers retrieved within 24 hours, do you have food and shelter if you have to divert to a non-commercial airport along the flight path, are your technicians doing proper maintenance, etc).

Good point. Edited my comment to add that :)

For transatlantic flights, two important "backups" are in Iceland and in the Azores. I wonder how often airplanes actually have to detour to these airports...

Happens fairly regularly, but for passenger issues rather than technical: medical emergencies and disruptive passengers, usually.

Airlines have contracts with companies who provide a sat phone link to doctors who have the flight information and medical facilities at possible diversion airfields. Eg MedAire.

It happens: I was on a London - USA flight that detoured to Iceland some years ago. (Fortunately nothing was seriously broken, burning, etc., but there was a warning indication of some kind that the pilot wanted to have checked.)

The view coming in to Keflavik, with whales swimming in the ocean below, was pretty cool.

Years ago I was on a 747 from SFO to LHR that landed in Iceland - oil pressure problem in an engine. A guy drove out with a pickup truck, climbed into the engine using a ladder in the back of the truck, and started hammering away. After a few hours in the terminal we got back on the plane and flew the rest of the way to LHR. I kept wondering just how qualified he was...

Last I know of is https://en.wikipedia.org/wiki/Air_Transat_Flight_236 running out of fuel.

You stay close to land as much as possible. For example, LA to Tokyo, you basically fly up the west coast, give Canada's west coast a high five, and then come around below Alaska. It's less direct than it could be, but it's much safer in the event of an emergency.

It is more direct than it sounds though, because the earth is round and so the shortest distance between two points curves.

ETOPS accounts for oceans. Please read the link.

I think in part by having more than 2 engines on those flights.

Very few in service aircraft in commercial passenger fleets have more than two engines, and even the ones with more than two engines have modified ETOPS rules to comply with.

The two that come to mind are the 747 and A380.

Generally transatlantic jetliners have more than 2 engines, although I suppose that’s beginning to change.

The vast majority of transatlantic airliners today are two-engine aircraft. For four engines, you’re basically looking at 747s and maybe the odd A340 that has somehow escaped retirement. The last large four-engine airliner will go out of production next year.

That really hasn't been true since 747s started to be retired, so it started to change years ago and 2-engine is now essentially the norm.

This has not been true for a decade.

The shaking would concern me.
