That might look like a statement of the bleedin’ obvious, but the initial explanation of both engines failing at the same time leaves me rather concerned. Clearly, there is a common-mode failure, so it’s not an issue of two-engined intercontinental planes vs. four-engined ones (increased engine reliability sorted that out many years ago). What I find worrying is that there is a total failure with no warning. Most systems are duplicated at least, and often triplicated.
Given this redundancy in design, I can think of only three reasons that this could happen – an in-flight event (like the Paris Concorde), sabotage, or a systematic failure somewhere in the flight control systems. An in-flight event such as a multiple bird-strike or some complex wind-shear effect that put out the engines feels rather unlikely, since no-one else experienced similar issues. Engines are tested to handle large bird-strikes, and we don’t have eagles flying around London (at least not in large numbers). I guess it could be a flock of birds, but that also feels unlikely, since it hasn’t been widely encountered and Heathrow has been there for decades.
Sabotage does feel at least theoretically doable, with the trigger being a radio signal from the ground as the plane approached. The motive could be to disrupt international travel, since it would require much more tightly controlled maintenance, access and security, and would clearly affect the confidence of fliers. An attack on BA would be consistent, since you would want it to appear that no airline is safe. No-one has claimed responsibility, which would surprise me, though that could be by design to keep the generic concern raised for a longer period, or due to the lack of a spectacular event (no loss of life, thankfully). But, for maximum effect, I would have thought that they would attempt to bring the plane down much earlier than the airport – say over central London. Also, the window of opportunity for such attacks is bound to be small, so I would have assumed that they would try multiple near-concurrent attacks, and a couple of days have now passed, so the window is shutting fast. So, I don’t think this is hugely likely.
So, we get to systematic failure. It is initially reassuring that the 777 has been flying for over a decade without any such issues becoming apparent. But it would indicate again just how hard it is to design truly robust systems. The pre-approval checking of new planes is huge, with enormous focus on the fly-by-wire systems. And there have been hundreds of thousands of flying hours on 777s since then, and I presume that there have been no similar issues, or the planes would be grounded after this incident. But this sounded like a major failure, since the plane didn’t respond to the automatic pilot or to the pilot’s throttle levers. As noted earlier, every system downstream is supposed to be fault tolerant and have redundancy, so this would point to a downstream failure that is either not redundant (which would point to bad design) or does not indicate a failure, so making the redundancy massively less valuable; or that the flight control computers have defective code at a pretty low level.
Failure of redundant systems, such as a series of mechanical failures with the final one occurring just on approach, initially looks unlikely, but possible, and would be somewhat consistent with the superb safety record of the 777. But I would have expected occasional failures on previous flights, at a rate higher than Boeing had calculated – to have multiple failures on this flight and hardly any single failures before would be statistically nearly impossible unless the failures were not picked up on inspections, which would invalidate the point of redundancy. Lack of redundancy would point to design defects. I don’t know about fuel systems/feeds, but assume that is true for them as well – two independent feeds for each engine, each of which can power the engine normally.
Given the historic focus on fly-by-wire safety, failure of the flight control computer is ironically the most reassuring to me, since it must be an improbable event or it would have occurred before, or in flight envelope testing. The pilot reports that neither the auto-lander nor the throttle control sticks responded. I know that the Airbus systems will vote down the pilot if they try to do something that will cause the plane to fail (e.g. demanding such an angle of attack/speed that the plane will stall). I don’t know if the Boeing systems are similar, or if it has an impact in this case, but it would be concerning. But if there are ten times fewer crashes due to mistakes the computer makes than mistakes a pilot would make, then that feels probably acceptable – it would be perverse to go back to a model where more crashes occurred because we mistakenly assumed pilots were less fallible. I’d still like to know that the cause was understood and remedied, though.
Drawing all these threads together, what surprises me is that there do not appear to have been changes in how 777 safety is viewed. External events do not seem likely (to pilots who fly into Heathrow, not just in my amateur view). Sabotage does not seem likely, since there have been no repeats (yet). Failure of something on the 777 seems the most likely. Either there is a lack of redundancy, a failure to pick up failures in redundant systems, or a systematic failure in the flight control computers. None of these makes me feel great. So, notwithstanding the great safety record to date, I don’t think I’ll be getting on a 777 until the cause is known. And, unless there is a very strong, ‘benign’ (i.e. unlikely) and so far undeclared hypothesis, I am surprised that the planes aren’t grounded for now.