University of Bielefeld - Faculty of technology | |
---|---|
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D. |
|
Back to Abstracts of References and Incidents | Back to Root |
Peter MellorCenter for Software Reliability, City University, Londonpm@csr.city.ac.uk |
In February 1995, the UK media carried an item based on the newly published final report by the Air Accidents Investigation Branch (AAIB) of the UK Department of Transport (referred to as AAIB 2/95) on an incident concerning an A320 operated by Excalibur Airways Ltd., which had to return to Gatwick after the pilot found that he could not turn left. The media reports implied that it was a "maintenance problem".
A reading of AAIB 2/95 reveals that there was rather more to it than that. The following summary of this incident (drawn entirely from official published sources: see reference list at end) analyses the way in which computer systems (both ground-based maintenance management systems and airborne avionics systems) contributed to this incident. (Although the particular failure condition was not critical, had the flight crew not reacted in the right way, and in particular, had they blindly followed the advice presented to them automatically by the warning systems, the outcome might have been a total hull loss and the deaths of 192 people.)
Acronyms are expanded and (usually) technical terms are explained when first used. There is a glossary at the end of the article. Directly quoted passages from the sources are labelled with section and page number. Author's comments within these passages are in square brackets.
Any errors of fact or interpretation that were not already present in the published documents are the sole responsibility of the author. The views expressed are not necessarily the views of the Centre for Software Reliability, nor of any joint research project of which CSR is a partner.
After the replacement of the right-hand outer flap (following damage from an earlier bird strike) the aircraft was handed over to the flight crew at 1500 hours UTC on 26 August 1993. The pilots carried out the usual pre-flight checks, during which they observed nothing amiss, and began the take-off roll at 15.30.
At the take-off rotation at 153 kt., an uncommanded roll to the right occurred. The co-pilot, who was the Pilot Flying (PF), at first attributed this to cross-wind, and applied left stick. When full left stick did not contain the roll, he assumed his sidestick was faulty and handed control to the commander, who immediately found that he too needed full left stick to keep the wings level.
As the aircraft passed 1,700 feet the Electronic Centralized Aircraft Monitoring (ECAM) system sounded a repetitive chime and displayed on its upper screen the messages F/CTL ALTN LAW and F/CTL SPLR FAULT, indicating a significant fault which had caused the Electrical Flight Control System (EFCS) to go into "alternate law" and that the fault involved the spoilers. Roll control improved slightly after flap retraction.
The co-pilot notified Gatwick Air Traffic Control (ATC) that they were returning, and was told to take up the holding pattern at Mayfield (10 nm SE of Gatwick) at 3,000 ft. This required several left turns. Unfortunately they could only turn right. ATC obliged with alternative directions.
The crew reviewed the warnings displayed on the ECAM screen and responded with the necessary actions. ECAM provides what is in effect a "help" facility to the pilots, and in this case instructed them to do a FLAPS 3 landing (22 degrees of slat and 20 degrees of flap) at 10 kt faster than normal reference air speed, and to allow for a 20% increase in landing distance. ATC guided them via right turns to intercept Runway 08 ILS centreline at about 8 nm.
They told the cabin crew to strap the passengers in and announced that they were returning to Gatwick as a result of a slight technical hitch.
As they prepared to land, they first selected FLAPS 1 (18 degrees of slat and 0 degrees of flap) and noticed no change in their (already poor) roll control. When they went to FLAPS 2 (slats 22 degrees, flaps 15 degrees) the commander found that once again he required full left stick to keep the wings level. Having judged landing to be unsafe in these conditions, they reverted to FLAPS 1 and went around.
The co-pilot looked at the Quick Reference Handbook (QRH) and at the Flight Crew Operating Manual, Volume 3 (FCOM 3), Section 2 "Abnormal and Emergency Procedures", for advice on a FLAPS 1 landing, but could not find the pages he wanted (containing the corrections to be made to the normal approach speed and required landing distance in various flight surface failure conditions). The commander then pulled from his flight bag a photocopy of the relevant section from an earlier version of FCOM 3, on which he had renumbered the pages according to the latest release. With the help of this the co-pilot was able to locate the correct manual page, and obtain the correction data for a FLAPS 1 landing (25% increase in approach speed, 30% increase in required landing distance).
They landed in FLAPS 1 configuration at 168 kt in "direct law" and came to a stop without difficulty. (Runway 08 was easily long enough to accommodate the increased landing distance required, and they left the runway at an exit 370m from the end.) The aircraft was towed to the stand, where the passengers disembarked normally.
During taxiing, it was observed that several spoilers were up, and inspection revealed that right-hand spoilers 2, 3, 4 and 5 were in "maintenance mode". These were returned to "operation mode", a duplicate inspection of the spoiler function was carried out, and the aircraft was returned immediately to service.
The AAIB did not get the chance to examine the aircraft until the night of 30/31 August, by which time the relevant portion of the Cockpit Voice Recorder (CVR) tape had been overwritten. The Digital Flight Data Recorder (DFDR) tape was found to be mostly unusable.
Notes:- i) The A320 is a "fly-by-wire" aircraft in which the pilots' commands are interpreted by the computers in the EFCS, which computes the signals to be sent to the flight control surface actuators to achieve the desired manoeuvre. The pilots use "sidesticks" instead of conventional control columns. The sidestick is operated by one hand (left for the commander, right for the co-pilot). ii) The EFCS can operate under several "laws" which govern the way in which the aircraft responds to the pilots' commands. "Normal" law is used most of the time in flight, and provides a high degree of automatic assistance and numerous protections against unsafe manoeuvre. The EFCS reverts to "alternate" law in certain failure conditions (including loss of all spoilers): the degree of automatic assistance is reduced, and some protections are lost. In "direct" law, the extensions of the control surfaces are proportional to the sidestick deflection. The EFCS reverts to direct law in certain multiple failure conditions, or when landing gear is lowered while the EFCS is in alternate law. (FCOM 1.27.30 "Flight Controls - Abnormal Control Laws") iii) The A320 has 5 pairs of spoilers, numbered from 1 (inboard) to 5 (outboard). These are controlled by three Spoiler and Elevator Computers (SEC) which are part of the EFCS. On the A320, the spoilers assist in controlling roll (the ailerons are the main roll control surfaces), as well as acting as speed brakes in flight and "lift dumpers" immediately after landing. A more detailed description of the function of the spoilers is given later.
----- Begin extract from AAIB 2/95, Section 3 Conclusions, p 60 ------
(b) Causes
The following causal factors were identified:
(1) During the flap change compliance with the requirements of the Maintenance Manual was not achieved in a number of directly relevant areas: During the flap removal the spoilers were placed in maintenance mode and moved using an incomplete procedure, specifically the collars and flags were not fitted. The re-instatement and functional check of the spoilers after flap fitment were not carried out.
(2) A rigorously procedural approach to working practices and total compliance with the Maintenance Manual was not enforced by local line management.
(3) The purpose of the collars and the way in which the spoilers functioned was not fully understood by the engineers. This misunderstanding was due in part to familiarity with other aircraft and contributed to a lack of adequate briefing on the status of the spoilers during the shift handover.
(4) During the independent functional check of the flying controls the failure of spoilers 2 to 5 on the right wing to respond to right roll demands was not noticed by the pilots.
(5) The operator had not specified to its pilots an appropriate procedure for checking the flight controls.
----- End extract from AAIB 2/95, Section 3 Conclusions, p 60 ------
Using the information contained in the AAIB report (which is factually fairly thorough) it is possible to draw further conclusions about the causal role played by computer systems.
The official conclusion could be paraphrased as:-
"All aircraft systems were performing as specified. The incident was due to:- (a) maintenance crews releasing for service an aircraft on which several spoilers had been left in maintenance mode, and (b) failure of the flight crew to assure that all control surfaces were functioning as required for flight."
The report does, however, include the following points in its findings:--
(1) The maintenance manuals were based on a computer database system. Although this is easily readable by those with on-line access, the third party maintenance organisation whose engineers were carrying out the work that night only had access to a copy on microfilm. Worksheets could be printed from this, but it was not easy to follow up all the cross-references in order to obtain a complete set of instructions for the job.
(2) The maintenance engineers had little experience of this type of unscheduled maintenance. Some essential tools and fittings were not provided, and obtaining them caused delay.
(3) The "maintenance mode" of the flight surfaces on the A320 is significantly different to that on other aircraft (e.g., B737, A310). Although the design was chosen with the best of intentions (to avoid maintenance engineers' fingers being amputated) the manuals do not make these differences sufficiently clear and the engineers were not aware of them.
(4) Pressure to deliver the aircraft to service by an unrealistic deadline resulted in the maintenance teams cutting a few corners in the defined procedures. Their attention was divided between this and other jobs. There was a change of shifts in the middle of the job.
(5) A delay in giving certain warnings, designed into the ECAM software with the intention of avoiding nuisance alarms, defeated the purpose of the pre-flight check. *NOWHERE* in the manuals is this delay stated to the pilots, nor did their training on type cover the proper check procedure.
(6) All aircraft systems were performing as specified. However, the possibility that surfaces could be left in maintenance mode had not been taken into account when the functional requirements of the EFCS were specified. The "safe" response designed into the EFCS therefore aggravated an already dangerous situation.
(7) The ECAM automatically displayed advice to the crew which was inappropriate to the failure condition (loss of four outboard spoilers) and did not make them aware of the true cause of the problem. When they referred to the printed manuals, because of the poor layout of the relevant pages of FCOM 3, they used the wrong factors to correct the landing distance for landing in abnormal configuration. Apart from this, the pilots reacted correctly to cope with their degraded roll control.
(8) The DFDR yielded little usable data, and the portion of the CVR relating to the incident had been overwritten. The investigation therefore could not ascertain what had happened at certain crucial times during the incident.
A fairer, and more thorough, conclusion might be that, although the immediate causes of the incident were (a) and (b) as above, the following root causes and contributory factors must also be taken into account:-
(c) The maintenance crews were under pressure, faced with unrealistic schedules, inadequate tools and confusing documentation. The essential post-maintenance procedure which was omitted, to reset spoilers to operational mode, was poorly emphasised in the manual.
(d) The flight crew were unaware of delays in the response of the on-board warning systems to certain fault modes. As a result, their pre-flight check procedures were ineffective. These delays are not documented in the manuals, nor covered in training.
(e) The flight control system was not designed to cope with a failure condition (spoiler in maintenance mode) which has been found to occur relatively frequently in operation. The warning systems also responded inappropriately.
The following sections consider each of points (1) to (8) above in turn.
The maintenance was carried out by Gatwick Support Unit (GSU) using Excalibur's Maintenance Manual for G-KMAM, which is derived from the generic A320 Maintenance Manual supplied by Airbus Industrie. The material is organised according to the standard Air Transport Association (ATA) chapter headings. The manual is in Aircraft Maintenance Task Orientated Support System (AMTOSS) format and is intended to be held on a computer database for on-line retrieval of chapters and easy follow-up of cross-references to associated tasks. The working copy held by GSU was on microfilm, and although relevant pages could be printed for use on the shop floor, assembling all of the information for a given job was not easy.
Since flap replacement was not part of regular scheduled maintenance, it was not in the Approved Maintenance Schedule (AMS) and no pre-prepared "stage sheets" (printed sheets detailing all tasks to be performed and their sequence) were available. The stage sheets for this job therefore had to be prepared specially.
---- Extract from AAIB 2/95 Section 1.17.2 Maintenance Manuals, pp 22-23 ----
The Airbus Industrie A320 Maintenance Manual is in AMTOSS format and the Maintenance Manual has been complemented with the Production Management Data Base (PMDB). The PMDB contains exhaustive material and planning data which operators previously had to collect from numerous individual documents. The Maintenance Manual procedures are linked to the PMDB by unique task and subtask numbers. The Maintenance Manual and PMDB are issued on computer media, paper and microfilm. The A320 Maintenance Manual, in AMTOSS format, conforms to the text interchange standard adopted by the ATA and known as Standard Generalised Markup Language (SGML). The A320 was the first aircraft to have a Maintenance Manual prepared in this format, which is becoming the standard format prepared by all airframe manufacturers. The McDonnell Douglas MD-11 has a similar format Maintenance Manual, and the Boeing 757 and 767 manuals are becoming available in the format.
In an AMTOSS Maintenance Manual there may be many subtask references on a single page, however these will not require any further cross referring by the engineer as the subtask is fully described. Related Tasks, as opposed to subtasks, are listed at the beginning of any procedure under "Referenced Information" and do require cross referring if the detailed steps of the task are needed.
The A320 Maintenance Manual describes the removal of an outboard flap at ATA Chapter 27-54-62. It begins with several warnings associated with Health and Safety at Work, then describes the fixtures, tools, test and support equipment required to undertake the task. It then lists "Referenced Information", which consists of thirteen associated Tasks to be found elsewhere in the Maintenance Manual, although not all are effective for any one aircraft. It then describes the Job Set Up procedure and the removal task itself, with paragraphs annotated for specific aircraft effectivities. The first subtask described under "Job Set Up", 27-54-62-865-053, is to operate two circuit breakers for the flight control system. The Maintenance Manual then describes five further subtasks on the same page. A total of 17 subtasks are called up in the 9 pages of text which describe the overall Task.
The AMTOSS A320 Maintenance Manual and PMDB is formatted to facilitate the use of computer based information retrieval systems. Operators who use such systems can extract all the pages and related information for each Task by entering a single ATA chapter number or keyword but the user is still required to select such additional Tasks as needed from the "Referenced Information". In this case the layout of the document is not a problem, however not all operators can use such systems. The automated use of an AMTOSS manual is closely associated with the PMDB and this database is constructed around the manufacturers maintenance schedule. For operators where their [sic] AMS is not the same as manufacturers maintenance schedule there are differences and incompatibilities. For those operators and units which do not use the automated AMTOSS facility the extraction of all the relevant information for a procedure is at best slow. In addition, the information is cluttered with subtask references which do not improve the readability. The process is time consuming and tedious when the document is being used manually on a film reader, however when used with a computerised retrieval system, it is quick and efficient.
The Airbus A320 manual format has been the subject of criticism from engineers. This criticism seems to be partly a criticism of the content, and partly of the AMTOSS format. Some airlines are considering the use of non-AMTOSS manuals and Airbus Industrie are preparing non-AMTOSS manuals for operators who request them.
--------- End of Extract from Section 1.17.2 of AAIB report ----------
Although readable by machine, the Maintenance Manuals were not so easily readable by flesh and blood engineers!
The night-shift engineer was given a hard copy of section 27-54-62 of the manual (40 pages long) which had been printed earlier so that the special tooling could be identified and ordered from Heathrow by Gatwick Fleet Control. He printed a further 20 pages describing the "Adjustment of the Flap Rigged Position" (section 27-50-00). Although referred to in section 27-54-62, Task 27-60-00-866-001 which describes the isolation and extension of the spoilers and the attachment of the collars and flags (see below) was not printed off. (AAIB 2/95, Section 1.6.5, p 13 and Section 2.5, p 38)
As described in AAIB 2/95, Section 1.6.5, pp 14-15, the procedure for flap replacement according to the Maintenance Manual is as follows. In each case it is indicated whether the step was performed on the night in question. :- i) Retract flaps, isolate hydraulics, tag relevant circuit breakers and flap lever. (Done) ii) Remove various flap covers for access and disconnect angle gearbox. (Done) iii) Isolate the four outboard spoilers, placing them in "maintenance mode", and manually extend (raise) them. (Done) iv) Attach spoiler collars and flags. (NOT done) v) Manually extend flap. Attach sling to take weight of flap. Remove flap carriage bolts and lift away flap. (Done) vi) Lift replacement flap in sling, attach with flap carriage bolts, manually retract flap, reattach angle gearbox and replace flap covers. (Done) vii) Remove spoiler collars. Return spoilers to "operational mode". (N0T done) viii) Retract (lower) spoilers. (Done) ix) Reinstate hydraulics, removing tags from circuit breakers and flap lever. (Done) x) Check flap is functioning. (Done) xi) Check spoilers are functioning. (NOT done)
A few words of explanation:-
"Flags" are pieces of red ribbon on bits of string attached to any fitment that is used during maintenance and that must be removed afterwards. They carry the statement (white letters on red background) "REMOVE BEFORE FLIGHT".
The "collars" in question fit around the hydraulic pistons which move the spoilers. They are put in place after the spoilers have been set to "maintenance mode" and manually extended (raised). Each collar has a flag attached to it.
Spoilers are set in "maintenance mode" by operating a "maintenance device" on the spoiler's hydraulic actuator with a "hand tool". (From the diagram in AAIB 2/95 Appendix 3, this seems to mean turning a small hexagonal cam through about 90 degrees with a spanner.) No attachment is required, and no flag is used to indicate this, therefore on the A320 **THERE IS NO VISUAL INDICATION OF THE FACT THAT A SPOILER IS IN MAINTENANCE MODE**.
When spoilers are in maintenance mode (on the A320, but not on other models such as the A310, B757 and B767) the hydraulic circuit is by-passed. If hydraulic pressure is inadvertently applied during maintenance, **THE SPOILERS CANNOT MOVE**. The hydraulic fluid simply goes around an open circuit, and the spoilers can be moved freely by hand. This design feature is intended to make maintenance safer. One function of the collars might be to stop the spoiler being kicked down by a passing engineer strolling along the wing. However the A330 and A340 have hydraulic actuators with a very similar design and the spoiler panels are heavier, but no collars are used, and flags *are* attached to the maintenance devices on the hydraulic actuators.
One of the safety recommendations of the AAIB is that in future flags should be attached to caps which are fitted to the hexagonal heads of A320 spoiler maintenance devices.
With reference to the steps listed above:-
iii) and iv) No spoiler collars and flags were included in the set of tools sent from Heathrow. Hoping it would not be necessary to extend the spoilers, the team carried on. It became obvious on attaching the flap sling that a cable might foul one of the spoilers. The spoilers were then isolated (set to maintenance mode) and extended.
v) G-KMAM was of a different "build standard" to the other examples of the same type with which the GSU engineers were familiar. One of the minor differences meant that the standard sling for the job required threaded adaptors to attach the G-KMAM flap to the sling. These adaptors were also not included in the tool set. The job could not proceed without them, and a two hour delay was incurred while they were being obtained. In the meantime, the team worked on other aircraft.
vi) A sling cable broke while the replacement flap was being lifted, causing further delay.
vii) Having to remove spoiler collars and flags might have reminded the team to reset the spoilers to operational mode, but they were not available. It is not certain how well the status of the spoilers was communicated when the night shift handed over to the day shift. There seems to have been some verbal mention of the spoilers. The task of isolating the spoilers was referred to in the stage sheets, but had not been printed out in full. The stage sheets for the later refitting were disposed of, and so the investigators could not ascertain if they contained instructions to reinstate the spoilers.
vi) and viii) To adjust the flap after re-attachment, rigging boards were placed on the wing, and it was probably at this point that the spoilers were retracted, without first being reset to operational mode. From now on, **NO VISUAL INSPECTION WOULD HAVE REVEALED THE MISTAKE**.
xi) The deadline for handover had already been extended from 07.00 to 15.00. Pressure was on. Although the duplicate inspection engineer checked the flap function, **NO-ONE CHECKED THE SPOILERS**.
The scene was now set. An apparently airworthy aircraft was handed over to the flight crew at 15.00 with the four outboard starboard spoilers retracted, but in maintenance mode, which meant that they would float freely. The commander's visual inspection, of course, revealed nothing amiss.
There was some concern expressed in discussion between the engineers at the handover between the night shift and day shift (between 06.00 and 07.00) that the spoilers might move if hydraulic pressure were applied. This would have been true of a B757, B767, or A310, but is not true of the A320. The maintenance engineers in GSU were more familiar with the former types.
On the Boeing 757 (AAIB 2/95 Section 1.17.7) the hydraulic Power Control Actuator (PCA) on each spoiler has a manual release cam operated with a hand tool and very similar in appearance to the maintenance device on the A320. However, after manual extension, the spoiler *will* retract if hydraulic power is applied, and a PCA lock must be fitted around the extended ram to prevent this. There is a notice under each spoiler to warn maintenance engineers not to enter unless this has been done. Although the B757 PCA lock is similar in appearance to the A320 spoiler collar, and also has a flag attached to it, its function is rather different.
The maintenance teams seem to have misunderstood the significance of "maintenance mode" on the A320 spoilers, and the manual does not make this totally clear.
The pressure on the maintenance teams has already been alluded to. Missing tools from the maintenance kit (and the inclusion of other, irrelevant items), delay, frustration, distraction, and the flap sling breaking, all contributed to their problems.
At the handover between 06.00 and 07.00, it was pointed out to the outgoing night-shift engineer that he had used the wrong forms when preparing the stage sheets. He rewrote the instructions for the removal of the flap on the correct "Aircraft Maintenance Continuation Sheets" (AMCS), but did not similarly transcribe the instructions for refitting. Both the rewritten stage sheets, and the originals on the incorrect forms were handed over. The originals later went missing, and so the investigators could not discover what written instructions had been used for refitting.
The original 07.00 deadline was absurdly unrealistic. The aircraft had been delivered to the hangar around midnight. Some time later (after the problem with the missing threaded adaptors for the flap sling) the night-shift engineer estimated that a further 16 hours were required. The deadline was renegotiated to 10.00. At the preinstallation check at 07.30, the day-shift engineer revised it again, first to 12.00 and then to 15.00.
The maintenance teams worked in a repeated shift cycle consisting of: 12 hour day-shift, 12 hours off, 12 hour day-shift, 24 hours off, 12 hour night-shift, 12 hours off, 12 hour night-shift, 4 days off. Shift changes occurred at 07.00 and 19.00 local time. On the night in question, the night-shift were at the end of their cycle, and the day-shift were at the beginning of theirs. Circadian rhythms were desynchronised. In such circumstances adherence to defined procedures and written instructions are essential to avoid human error.
GSU had a comprehensive quality programme (AAIB 2/95 Section 2.3, P 35). However failure to comply totally with the Maintenance Manual had been known to occur in the past, but had not resulted in adequate reinforcement, and neither the engineers on the shop floor nor the local line management appeared to regard the lack of tools and confusing manual format as "reportable matters". The engineers had a professional attitude and cared about quality, but regarded it as being more important to deliver the aircraft to service as soon as possible rather than stick to the exact letter of the procedure.
The only hope of avoiding an incident in flight was now the pre-flight check. The procedure in the Flight Crew Operating Manual Vol. 3 issued by Airbus Industrie is as follows:-
---- Extract from FCOM 3, Section 03.04 "ENGINE START AND TAXI" ----
[The relevant paragraphs read as follows:-]
[Subsection "AS TAXI BEGINS & TAXI OUT" includes (Page 03.04.08):-]
C, FO Rudder and sidestick controller...........................CHECKED
Captain announces flight control check. This alerts the FO to observe the flight control positions on ECAM. The captain's scan continues outside the cockpit and announces position of sidestick during the check, i.e. left, right,
up, down, rudder left, right. Do not check the left sidestick when the right sidestick is being checked. Press the PEDAL DISC switch while checking full pedal travel. Check that the sidestick position index on the PFD responds to control inputs. Confirm all flight control positions return to neutral. When the captain has completed the flight control check and no abnormalities were observed, the first officer states "CHECKED." First officer checks the sidestick on ECAM silently. The FO does not need to wait for the captain to conduct his flight control check (see Taxi Flow Pattern - First Officer).
[Subsection "TAXI FLOW PATTERN - First Officer" includes (Page 03.04.09):-]
FLIGHT CONTROLS.................................................CHECKED
Do not check flight controls until flaps are extended. There is no need to wait until after captain's flight control check. Check full travel of the elevator and ailerons (including spoiler displacement). The ECAM FLT CTL page is brought up automatically when the sidestick is deflected out of neutral. Confirm all flight control positions return to neutral and ailerons droop. To complete the check, the captain must check the rudder and sidestick controls. Do not check both sidesticks at the same time. The first officer will
monitor the FLT CTL page for both left and right flight control checks.
---- End of Extracts from Flight Crew Operating Manual, Vol. 3 ----
Note that the checks are interdependent. Captain and first officer (FO) carry out the sidestick movements independently, but the FO checks the screen in both cases. (The instruction about not checking both sidesticks at the same time is given because the captain's and FO's sidestick displacements are added algebraically by the EFCS before the resulting command is processed. Equal deflections of the two sidesticks in opposite directions would result in no movement of the surfaces.)
Excalibur have their own "Normal Procedures" section of FCOM 3. The flight control check procedure in the Excalibur FCOM 3 (AAIB 2/95 Appendix 7) is less detailed than the Airbus Industrie FCOM 3 in its description of the actions to be carried out. Also, although it requires the check to be done prior to the start of taxi, when there are fewer distractions, it does not require the FO to observe the ECAM screen during the captain's check. In the Excalibur procedure, the two checks have become independent rather than interdependent (AAIB 2/95 Section 2.10.3.3 Organisation of the check procedure, p 45).
What the pilots did not know was that **ECAM WILL REPORT A FAILURE OF A FLIGHT CONTROL SURFACE TO RESPOND ONLY IF THE STICK IS HELD IN THE DEFLECTED POSITION FOR 3.5 SECONDS**.
It will be seen that there is no reference to this delay in the relevant parts of FCOM 3 extracted above. In addition, it was not mentioned in any of the Operations Engineering Bulletins (OEB), FCOM Bulletins, the associated Aeroformation Training Memo 2058 version 2 (AAIB 2/95, Appendix 6), nor the Excalibur check procedure. Excalibur's pilot training did not enforce the 3.5 second pause when teaching the check procedure.
A few words of explanation:-
The crew are required to establish "full and free movement" of all flight control surfaces and will not take off if any surface does not move in response to command. On aircraft with mechanical signalling of control surface actuators (e.g., some B737 variants), tactile feedback (via mechanical "artificial feel") will inform them immediately of any lack of movement.
On aircraft with electrically signalled hydraulic actuators such as the B757, B767, and A320, the crew are dependent on instrument feedback. On the A320, they must look at the Flight Control (F/CTL) page presented on the ECAM screen. The spoilers are shown in diagrammatic form as short lines. A spoiler extended by more than 2.5 degrees is shown as a little "fir tree". If all is well, these indications are in green. If a fault is detected, the colour changes to amber.
The ECAM drives the pilots through the pre-flight checks, automatically displaying the necessary screens of data. If the pilots make a manual selection of a specific page, the automatic sequencing does not resume until the manual selection is cancelled. In this case it appears that they had manually selected a page for some reason and not cancelled it, since they reported that they had to call up the F/CTL page manually before checking the flight control surfaces. This should not have affected the check, however.
Both of the crew did their independent pre-flight checks, and failed to notice the state of the right spoilers. Why?
1. Although experienced generally, the crew had relatively few hours on type. (Commander: 10,977 hours total, 324 on A320; First Officer: 3,287 hours total, 279 on A320.) Both had gained most of their previous experience on aircraft types that have no cockpit instrument display of the positions of flight control surfaces.
2. They had not been trained in a detailed procedure for moving the sidestick and checking the indications on the ECAM screen.
3. The operator's reorganisation of the check procedures had reduced coordination between the pilots, and neither was involved in the other's flight control check. The requirement in the standard FCOM procedure for the captain to call out sidestick positions while the FO checks the ECAM screen and acknowledges each check would tend to cause the sidestick positions to be held longer.
4. During his check, the commander also monitored the flap movements (which the co-pilot was controlling). The F/CTL ECAM page was on the lower ECAM screen, and the flap positions were shown on the upper screen. Dividing his attention between the two could have distracted the commander sufficiently that he did not notice that the right spoiler indicators did not change.
5. The response of the ECAM display to left or right stick is that the aileron indicator changes first, and the spoiler indicators a fraction of a second later. If they saw the aileron move, they might have looked away, assuming all was well, without waiting for the spoiler indicators to change.
6. The pilots could have observed the aileron and two outboard spoilers directly by looking out of the window. This is not in the procedures, and they did not do this.
Although it is not clear why they failed to notice the lack of response on the ECAM screen, if either pilot had held his sidestick fully over to the right for 3.5 seconds during his check, then the spoiler indicators would have remained showing "spoilers retracted". After 3 seconds, the indicators would have changed to amber on screen, and after a further 2 seconds (whether or not the pilot returned the stick to neutral in the meantime) a repetitive chime would have sounded. In this case, the F/CTL screen would have been displayed, whatever previous screen selection had been made. These responses of the system were confirmed by AAIB tests on G-KMAM (AAIB 2/95, Section 2.9.2, p 41).
The DFDR did supply a certain amount of useful information prior to the take-off roll. From this it was ascertained that the commander's complete flight control check took between 5 and 6 seconds, and the co-pilot's between 6 and 7 seconds. Neither demanded right roll for 3 seconds. The left spoilers moved during the check, the right spoilers 2 to 5 did not.
The 3 second delay in registering a flight control surface fault is a deliberate design "feature" of the warning systems, intended to suppress nuisance warnings which might be given spuriously due to the delay in the response from the position feedback transducer to the EFCS that a surface has moved as commanded. (The transmission of the electrical signal and consequent movement of the hydraulic actuator take a certain amount of time.) Airbus Industrie claim that this delay cannot be reduced (AAIB 2/95, Section 2.9.2, p 41).
The safety recommendations of the AAIB are that training should be improved and the procedures (including the 3 second pause during flight control check) fully documented in FCOM 3.
Following take-off, the pilots noticed a problem with roll control. Spoilers 2 to 5 on the right wing were floating, and were lifted by the airflow. However, only as they passed 1500 ft radio altitude did a warning sound. The Centralized Fault Display System (CFDS) detected the malfunction at 15.31, immediately after take-off (as shown by its automatic records, which were interrogated by the AAIB investigators).
The justification for this delay is slightly different. Since the aircraft's speed is above decision speed, it is better to let the pilots concentrate on the serious business of keeping the wings level rather than distracting them by informing them that their problem is due to the fact that several of their spoilers are not functioning. The report approves of this design philosophy and states that "... the suppression of the warning until 1,500 feet radio height [sic] contributed positively to the safe handling of the incident." (AAIB 2/95, Section 2.9.4, p 43)
The A320 EFCS is designed overall as a fail-safe system. Uncommanded control surface movements must be "extremely improbable". Unfortunately, when the EFCS functional requirements were being specified, another condition that was considered to be "extremely improbable" was that an aircraft would be dispatched with half its spoilers still switched to maintenance mode. This was **NOT A DESIGN CASE**. The only conditions that were considered to be capable of causing simultaneous faults on spoilers 2 to 5 inclusive were faults in all three Spoiler and Elevator Computers (SEC) and/or in all three hydraulic circuits (AAIB 2/95, Sec. 2.9.3, p 42). Note that loss of all SECs or of all hydraulic circuits would be fairly bad news! In particular, complete loss of hydraulic power would mean that only "mechanical backup" (control of pitch by moving the Trimmable Horizontal Stabilizer (THS) with the pitch trim wheels and of rudder through the pedals) would be available.
The accuracy of the assessment of these probabilities is shown by the fact that (to the best of the author's knowledge) no triple SEC failure nor triple hydraulic failure has occurred in the entire service life of the type, whereas **THREE** incidents in which an A320 took off with a spoiler in maintenance mode have been reported: in April 1990, August 1991 and March 1993 (AAIB 2/95, Section 1.17.8, p 30).
Spoiler actuators on the A320 have four modes:-
1. Active: Actuator extends or retracts the spoiler in response to electrical signals from the appropriate SEC (normal operational mode).
2. Biased: Actuator retracts spoiler. Occurs if a valid signal from the SEC is lost (e.g., if the appropriate SEC fails) but hydraulic power from the appropriate circuit is still available.
3. Locked: A valve closes in the actuator preventing spoiler extension, but still allowing retraction. Occurs if hydraulic power is lost, in the hope that aerodynamic forces will eventually retract the disabled spoiler.
4. Maintenance: Spoiler is isolated from hydraulic pressure and moves freely, with no control whatsoever. A spoiler in maintenance mode in flight (which of course should never happen) will simply flap in the breeze.
It will be seen that, in response to the two foreseen failure conditions (loss of hydraulic pressure, loss of control signal) the affected spoiler will retract, or will eventually be pushed into the retracted position.
The design of the EFCS logic is therefore: "If the spoiler is not working (i.e., no valid signal from the position feedback transducer), it must be retracted. Therefore send the retract signal to both the faulty spoiler and to the matching spoiler on the opposite wing and disable them." The intention was to minimise any residual tendency to roll following the loss of one or more spoilers. In the incident to G-KMAM, this meant that the left wing spoilers were not available to the pilots to counteract the enduring uncommanded right roll produced by the floating right wing spoilers.
The conclusions of the investigators regarding in-flight response of the EFCS are well summarised in the following passage:-
---- Extract from AAIB 2/95, Section 2.9.3, p 42 ----
... although changes to the spoiler logic and fault detection systems might prevent a recurrence of unwanted spoiler retraction, this incident demonstrated that the aircraft remains controllable by aileron alone and that it can be landed safely. The expense of flight testing software changes and modifying aircraft in service would be inappropriate if a recurrence of the chain of events which led to the incident can be prevented by changes in the maintenance and flight control check procedures. Since there is ample scope for improving these activities, no changes to the flight control system are proposed.
---- End of extract from AAIB 2/95, Section 2.9.3, p 42 ----
It is interesting that the pilots were unable to diagnose the cause of their problem, given the assistance of the ECAM.
In normal operation, the upper ECAM screen contains the Engine/Warning Display (E/WD) and the lower screen the System/Status Display (SD). The E/WD shows the main engine parameters, and the SD one of the 12 "system" pages. This is usually a page (DOOR, WHEEL, ENGINE, or CRUISE) appropriate to the current phase of flight, e.g., the CRUISE page contains data about cabin ventilation and some secondary engine parameters, such as vibration indicators. However, the pilots may select a particular system page manually. (System pages are also referred to as "synoptic" pages, since they show a synopsis of a particular system, e.g., HYD (hydraulic), FUEL, F/CTL (flight control), etc.)
If a failure occurs in any system, the relevant warning messages appear in lower part of the E/WD, together with actions that the pilots must perform. The system page (if any) relevant to the first warning message is automatically displayed on the lower screen. Once the pilots have performed any required actions, the STATUS page is shown on the lower screen, containing a summary of the operational status of the aircraft, e.g., inoperable equipment, limitations on speed, correction factors for approach speed and landing distance, etc. Pushing the "Clear" pushbutton (CLR PB) returns the ECAM displays to normal, except that a STATUS prompt is included on the E/WD. (In the case of secondary failures or multiple independent failures it may be necessary to go through several synoptic pages.)
AAIB 2/95 states that the pilots reported that the messages "F/CTL ALTN LAW" and "F/CTL SPLR FAULT" were displayed on the upper ECAM screen, and a repetitive chime sounded. The investigation of ECAM behaviour seems to have been less than thorough, given the discrepancies between the events described and the specified behaviour in FCOM 1.31.25 "Indicating/Recording Systems: ECAM Sequence", and in FCOM 1.27.40 "Flight Controls: Controls and Indicators".
AAIB 2/95 states that the alarm appeared at 1700ft but that "... most warnings are inhibited during takeoff until 1,500 feet radio height in the climb" (p 4).
In fact, both these cautions are inhibited until 1500ft or 2mn after lift-off, and would have been given immediately after one of these two conditions was fulfilled (whichever was first). AAIB 2/95 states that "... ECAM sounded a repetitive chime to indicate a significant failure" (p 4). In fact, both the messages relate to Level 2 cautions, and are accompanied by a single chime.
The report goes on to state (p 5): "The pilots then reviewed and actioned the ECAM warnings; each action, when completed, was cleared from the ECAM display by pressing the appropriate button. Both pilots recalled that at no time was any `affected system' page displayed." This is extremely odd.
AAIB 2/95 states that the pilots remember seeing the STATUS page relevant to the F/CTL ALTN LAW message. (FCOM 3, 02.27.10: This is the STATUS page that advises a FLAPS 3 landing at Vref+10 allowing for a landing distance increased by a factor of 1.15.) The F/CTL ALTN LAW caution is not accompanied by any synoptic page. Presumably (though this is not clear from FCOM 1), the appropriate STATUS page is displayed immediately. In response to any caution or warning message, what the pilots have to do is carry out the list of actions that *accompanies* the message on the E/WD page. If no actions are required, presumably (though again this is not clear from FCOM 1) they simply press CLR PB.
If a primary and secondary failure occur, e.g., low hydraulic pressure in one circuit (primary) affects some flight control surfaces, then the primary message (B SYS LO PR) is shown in a box on the left of E/WD, and the *system* (F/CTL) affected by the secondary failure on its right. (Example from FCOM 1.31.25.)
However, the pilots reported seeing *both* messages. Independent multiple failures *are* displayed simultaneously on bottom left of E/WD, each with its own action list. The investigators appear to have made no serious attempt to discover *what* actions the pilots performed, and lists of actions that might accompany caution messages are not given in FCOM 1 nor in FCOM 3.
This raises a number of intriguing questions:-
1. In which order were the F/CTL ALTN LAW and F/CTL SPLR FAULT messages displayed?
2. If they appeared in the order given, why was this, since the EFCS goes into alternate law *after* loss of all spoilers is detected?
3. What action list (if any) accompanied each message, and what did the pilots *do* in response?
4. Does the fact that these messages appeared simultaneously indicate that the ECAM regarded the two failure conditions as independent?
5. If they were regarded as independent, was this because ECAM (as well as EFCS) had been designed on the assumption that no spoiler actuator could ever be in maintenance mode during flight?
Given the rather sketchy description in AAIB 2/95, these questions must remain open for the time being.
In any case, had the pilots looked at the F/CTL synoptic page (which should have appeared on the lower ECAM screen if they had pressed CLR PB to clear the F/CTL ALTN LAW STATUS page from it) and seen the status of the spoilers (particularly that some had failed in the extended position) they might have realised what was going on. As it was, they took (more or less) the correct action to cope with degraded roll control but remained blissfully unaware of its cause until after landing.
AAIB 2/95 contains an interesting passage relating to this:-
---- Extract from AAIB 2/95 Section 2.10.5.3, p 50 ----
The omission arose because, at the time of the incident, they were content to trust the ECAM wholeheartedly. This trust was a conditioned response [sic!] of their training and a reflection of their limited experience on type.
The system designers intended that the ECAM would monitor the aircraft systems, diagnose any faults, inform the flight crew of significant faults at an appropriate stage of flight, and then present them with instructions on how to deal with the malfunction. Almost all the instructions for abnormal or emergency operation of the aircraft in flight were automatically presented on the ECAM as and when they were required, and the pilots had only to follow the displayed checklists, item by item, to resolve any difficulties. In this way, the need to refer to written checklists or manuals was minimised.
The operator's training staff had endorsed this philosophy and instilled in its pilots the requirement to adhere strictly to the procedures displayed on the ECAM. Moreover, until this incident, the pilots' experience had been that the ECAM was reliable. Consequently, both pilots trusted the ECAM instructions and followed them implicitly. It was not until the further degradation in roll control as the flaps were lowered beyond position 1, that they realised that the ECAM instructions were inappropriate to their situation. At that stage the commander instigated a search for written material in the somewhat unfamiliar "Abnormal and Emergency Procedures" section of the FCOM 3.
---- End of extract from AAIB 2/95 Section 2.10.5.3, p 50 ----
So, having discovered on their first approach that following ECAM's advice to land in FLAPS 3 configuration was not a bright idea, the pilots decided on a FLAPS 1 landing, and now needed their "written checklists or manuals". As already stated, FCOM 3 Section 02 was poorly indexed, and it took the co-pilot some time to find FCOM 3.02.80 p 15 "Approach Speed - Landing Distance: Corrections for Failures".
The table shows that, for FLAPS 1, use Vref+25 and multiply landing distance by 1.3, and, for three or more spoilers out, use Vref and multiply landing distance by 1.3. Either they did not know that they had four spoilers out, or they did not read the small print at the bottom of the page that stated that for multiple failures, the landing distance coefficients should be multiplied. Either way, they used a landing distance correction factor of only 1.3, not 1.69. Fortunately, this made no difference to their successful landing.
The DFDR was a Loral F800. This type of recorder has been found to give poor performance on the A320, and the investigators discovered that the DFDRs on all four of Excalibur's A320s had a history of problems, including random track changing, incorrect Built-In Test Equipment (BITE) indications, and corruption of data (AAIB 2/95 Sections 1.11 and 2.11). The track changing and BITE problems were cured by the replacement of a certain Electrically Erasable Programmable Read Only Memory (EEPROM) unit, a modification which Loral made mandatory only in response to considerable pressure from industry and regulatory agencies.
The data corruption appeared to be due to vibration. The anti-vibration tray on the A320 had not been tested to the requirements of Radio Technical Commission for Aeronautics (RTCA) document DO-160 "Environmental Conditions and Test Procedures for Airborne Equipment". Trials after the incident showed that the recording quality was improved by mounting the DFDR on a tray conforming to the DO-160 standard.
(AAIB 2/95 specifies the DFDR as "Loral F800". The DFDR on F-GFKC which crashed at Habsheim in 1988 was referred to as a "Fairchild F800" and that on F-GGED which crashed at Strasbourg in 1992 as a "LORAL-Fairchild F800" in the appropriate reports. Presumably these are all references to the same make and model of DFDR.)
Since 1989, Airbus Industrie have used a different make of recorder for all test and certification flights. It is stated (AAIB 2/95 Section 1.11, p 17) that the Loral recorder is fitted only on delivery to the customer. Precisely what the status of the airworthiness certificate is following this modification is not clear!
The DFDR on G-KMAM yielded very little usable data for the incident flight. It did enable the timings of the flight control checks to be established (see Section 5 above), but little accurate data could be read back for the period from the start of take-off roll until the aircraft was airborne, and during the remainder of the flight there were "intermittent losses of data synchronisation" whose frequency increased when the aircraft made any manoeuvre.
The AAIB investigators therefore had to rely largely on the memories of the pilots, and their recollections were not always clear, as AAIB 2/95 points out in several places. It was not possible to ascertain precisely why the pilots failed to diagnose the source of their problem after take-off, and accurate DFDR data might have helped here. However, it is worth noting that the DFDR on the A320 is not designed to capture certain important parameters (e.g., the mode of the EFCS). It does not record the contents of cockpit display screens, and it is not clear if the identity of the ECAM pages which were on display would have been recorded even by a working DFDR. This has been found to be a problem in other investigations, e.g., F-GFKC at Habsheim, and F-GGED at Strasbourg [MELL94A].
In an accident (as opposed to incident) investigation, the DFDR recording is often the only way of establishing accurately the history of the flight. These failures are therefore a serious matter, and are the subject of four safety recommendations by the AAIB to the CAA:-
a) All A320 aircraft with Loral F800 DFDRs to be fitted with a tray approved to RTCA DO-160. (Accepted by the CAA.)
b) Ensure Loral F800 DFDRs on other aircraft types give an acceptable quality of recording in all phases of flight, and are fitted with an approved tray. (Not accepted by the CAA on the grounds that there is no evidence that the Loral F800 has given problems on other types.)
c) Publicise problems of Loral F800 DFDRs on A320s to other regulatory bodies. (Accepted by the CAA.)
d) Introduce procedures for determining serviceability of DFDR installation, for ensuring use of correct replay techniques, and for keeping records to alert the authorities to similar shortcomings of other recorders. (Accepted by the CAA.)
The report contains a particularly interesting passage:-
---- Extract from AAIB 2/95 Section 2.11, p 54 ----
... there are no equivalent procedures or standards for assessing the installed performance of DFDR systems. DFDR installations have become so complex that system serviceability tests are often impractical. The mandatory annual replay is no longer sufficient as a means of determining the serviceability of DFDR installations. This is particularly so because there is no standard by which those carrying out DFDR replays can assess the quality and accuracy of the recovered data. A number of factors exacerbate replay difficulties. Firstly there are no procedures to regulate the suitability and accuracy of DFDR replay equipment or training of replay operatives. Secondly airframe manufacturers are reluctant to release, to third party organisations, the information necessary to decode and reduce the data. [NO COMMENT!!] Thirdly there is no formal procedure to ensure that DFDR manufacturers or the regulatory authority is made aware of recurring defects and/or poor performance of specific DFDR installations.
---- End of extract from AAIB 2/95 Section 2.11, p 54 ----
Finally, it is worth noting that the AAIB investigators were able to use the CFDS recording, and examined the recording of conversations with ATC, although no transcript of this is appended to the report. (The CVR tape had been overwritten, as stated earlier.)
In the Strasbourg accident, the DFDR was completely destroyed by fire, but the Quick Access Recorder (QAR), which holds the same data, was not so badly damaged, and supplied a lot of information to the investigators. It is not clear if G-KMAM was fitted with a QAR, and if so, why the investigators did not attempt to use it. (There is no mention of a QAR in AAIB 2/95.)
The conclusions of the AAIB as to the causes of the incident have been quoted at the start of this report. The following further conclusions can be drawn concerning the way in which various aspects of system design, and particularly of the computer systems on board the A320, contributed:-
1. The maintenance manual had been put into a format suitable for on-line retrieval using a computer database system, without adequate consideration of its usability by engineers who do not have on-line access.
2. The hydraulic spoiler actuators were designed with a "maintenance mode" which operated in such a way that (as intended) it improved the safety of maintenance engineers, but that had an unforeseen adverse effect on flight safety.
3. In any complex system, the human operators, their procedures and their manuals are all part of the system. That an essential aspect of the pre-flight check procedure (hold stick in position for 3.5 seconds while checking flight control surfaces) should have been completely undocumented and inadequately covered in pilot training, is a major oversight on the part of the manufacturer and of the airlines.
4. A design trade-off (3 second delay in reaction of the warning system to lack of response from flight surface position feedback transducer) was made in favour of avoiding nuisance alarms, but at the expense of requiring a procedural work-around (hold stick position for 3.5 seconds) to ensure a thorough pre-flight check.
5. The "safe" response of the flight control system (designed into its software) was inappropriate for a failure condition which left spoilers floating freely and resulted in a residual enduring uncommanded roll tendency. This design choice might have been made because of an incorrect prediction of the probability of this condition (spoilers left in maintenance mode) arising.
6. Pilot training instilled excessive confidence in the automatic systems in general, and in the warning system (ECAM) in particular. Only when the pilots realised that "land with FLAPS 3" was inadvisable did they query the instructions they were being given automatically. It appears that the response of the ECAM also might have been inappropriately specified for this condition. In this respect, it should be noted that a paper manual is sometimes a useful thing to have around!
Although it is perhaps too easy to second-guess the designers' decisions with the advantage of hindsight, it does appear that a number of design features are present in the systems on board the A320 which can interact in an unsafe fashion. The fact that the AAIB does not make any safety recommendation which involves modifying the logic of these systems, but instead relies upon improvements to procedures to avoid the preconditions for such an incident as this, means that these features should interact in a similar way again fairly soon!
AAIB 2/95: "Report on the incident to Airbus A320-212, G-KMAM at London Gatwick Airport on 26 August 1993", Air Accident Report 2/95, Air Accidents Investigation Branch, Department of Transport, ISBN 0 11 551681 6. Available (price 25 pounds sterling net) from: HMSO Publications Centre, PO Box 276, London SW8 5DT, Telephone orders: +44 (171) 873 9090 General enquiries: +44 (171) 873 0011 Fax orders: +44 (171) 873 8200
"Flight Safety: follow-up action on occurrence report", Research and Analysis Department, Civil Aviation Authority, Aviation House, Gatwick Airport South, West Sussex RH6 0YR, Tel.: +44 (293) 878753, Fax.: +44 (293) 573792.
FCOM 1: A320 Flight Crew Operating Manual, Vol. 1: "Systems Description", Issued by Airbus Industrie.
FCOM 3: A320 Flight Crew Operating Manual, Vol. 3: "Flight Operations", generic version issued by Airbus Industrie. (Individual operators may have their own variants.)
MELL94A: Mellor P.: "CAD: Computer-Aided Disaster", High Integrity Systems, Vol. 1, Iss. 2 (Oxford University Press: 1994) pp 101-156
AAIB Air Accidents Investigation Branch, UK Department of Transport
ALTN LAW Alternate Law
AMCS Aircraft Maintenance Continuation Sheet
AMS Approved Maintenance Schedule
AMTOSS Aircraft Maintenance Task Orientated Support System
ATA Air Transport Association
ATC Air Traffic Control
B SYS LO PR
"Blue hydraulic system has low pressure" (message on ECAM screen)
BITE Built-In Test Equipment
C Captain ("commander" in AAIB 2/95): Sits in left seat.
CFDS Centralized Fault Display System
CLR PB "Clear" pushbutton (controls ECAM displays)
CVR Cockpit Voice Recorder
DFDR Digital Flight Data Recorder
E/WD Engine/Warning Display
ECAM Electronic Centralized Aircraft Monitoring
EEPROM Electrically Erasable Programmable Read Only Memory
EFCS Electrical Flight Control System
F/CTL Flight Control System (or Flight Control synoptic page on ECAM)
FCOM A320 Flight Crew Operating Manual
FCOM 3 A320 Flight Crew Operating Manual, Volume 3: "Flight Operations"
(The pilot's Bible!)
FCOM Bulletin:
These are supplementary pages filed in a particular section
of FCOM 3 containing information on procedures, system descriptions,
performance, and other explanatory material which it is difficult
to incorporate into the body of the manual.
FO First Officer ("co-pilot" in AAIB 2/95): Sits in right seat.
FWC Fault Warning Computer
FLT CTL Flight Control
GSU Gatwick Support Unit
HYD Hydraulic
ILS Instrument Landing System
kt Knots (nautical miles per hour)
nm Nautical miles
OEB Operations Engineering Bulletin. OEBs are supplementary pages
filed in a particular section of FCOM 3. They are issued by
Airbus Industrie to transmit information quickly to pilots when a
specific problem which has an operational impact is detected.
PF Pilot Flying, i.e., in control of the aircraft. Either C or FO may
be PF at any given time.
PFD Primary Flight Display
PNF Pilot Not Flying - see PF
QAR Quick Access Recorder
QRH Quick Reference Handbook
RTCA Radio Technical Commission for Aeronautics
SD System/Status Display
SEC Spoiler and Elevator Computer
SGML Standard Generalised Markup Language
SPLR Spoiler
THS Trimmable Horizontal Stabilizer
UK United Kingdom
UTC Coordinated Universal Time, aka Greenwich Mean Time
Vref Reference speed: standard speed (in knots) for landing approach.
Vref+10 indicates "Reference speed plus 10 knots" (for example).
I am grateful to my friend and colleague David Sheryn (Information Science Department, City University) for drawing my attention to the recent lecture given to the Balloon Club by Mr. Gordon Sharp, Head of Aviation Regulation Enforcement & Investigation Branch, Civil Aviation Authority, to Mr. Gordon Sharp himself for his assistance in obtaining the relevant documents, and to everyone who commented on the first draft.
This report was prepared with the assistance of the SHIP project (Safety of Hazardous Industrial Processes in the presence of design faults, ref. EV5V 103), supported by the CEC within the Environment Programme (sub-theme: Major Industrial Hazards).
Every effort has been made to ensure this text is syntactically identical
to the original source.
Peter Ladkin gratefully acknowledges Peter Mellor
for permission for this use of his material.
Back to `Incidents and Accidents'.
Peter B. Ladkin, 1999-02-08 | |
by Michael Blume |