Crash of Flight 427

From:         Pete Mellor <pm@csr.city.ac.uk>
Date:         19 Sep 94 01:28:38 
View raw article
  or MIME structure

>From The Observer, Sunday 11 Sep. 1994, p 13:- 

                   Boeing crash baffles US investigators 

                        by Tim Cornwell, Washington 

The mystery of USAir Flight 427 deepened yesterday as data from the flight 
recorders shed little light on what experts called a "horribly unusual" 
accident. 

All 132 passengers and crew died when the Boeing 737-300 on a routine 
approach to Pittsburgh airport rolled to the left and nose-dived into 
the ground. In just 23 seconds, the aircraft plummeted 6,000ft, its 
engines apparently still turning. The air traffic controller's tape 
reportedly recorded the pilot's final words as "Oh God. Traffic emergency. 
Oh shit." 

Accident investigators yesterday continued to sift through the wreckage, 
scattered like confetti over the heavily wooded area about seven miles 
north-west of Pittsburgh. The site was declared a biological hazard because 
of the blood and body parts strewn across the area. The task of recovering 
evidence is expected to take from five days to a week. 

"We're all very much at a loss to explain this accident," said US 
Transportation Secretary Frederico Pena. "Basically, the plane was totally 
destroyed." 

"Every potential scenario", said US aviation safety expert and 737 pilot 
John Nance, "has substantial reasons why it is not likely to be the case." 

Winds were recorded at only 13 knots, on a clear day. There were no 
eye-witness accounts of fires or an explosion. 

The US National Transportation Safety Board's Carl Vogt told a press 
conference there were reports of birds, a known safety hazard, in the area, 
and engines were being checked. 

But Nance was quick to reject the suggestion. "An ingestion of birds on a 
737 sufficient to bring the aircraft down is not a credible possibility. 
It would have to be a hell of a flock, and I don't know any flock that 
flies at 6,000ft." 

There were immediate similarities between Thursday's disaster and the 
baffling 1991 crash of a 737-200 approaching Colorado Springs airport. 
All 27 people on board were killed. The NTSB has said two possible causes 
of the crash were a malfunction of the plane's rudder system, and the 
unpredictable winds of the Rocky Mountains area. 

But testing has never found a rudder problem which could make a 737 
- the most widely used jetliner in history - uncontrollable. 

The crash was USAir's fifth fatal flight in five years, a much higher rate 
than any other US carrier. British Airways owns 25 per cent of USAir, which 
has reported financial losses every year since 1989. It saw its stock drop 
10 per cent yesterday, and some passengers were reported booking on other 
airlines. 

     --------------------Article ends---------------------- 

On Sky TV news on Saturday and Sunday, Carl Vogt was filmed at a press 
conference, and stated that mid-air deployment of thrust reverser(s) was 
being investigated. He compared the accident to the Lauda Air crash in 
Thailand. 

On Radio 4's Today programme this morning, it was reported that three of 
the thrust reverser doors on the left engine had now been found and were 
in the deployed position, making inadvertent reverse thrust in the left 
engine the most likely of the scenarios currently being considered. 

     --------End of other recent reports in the media---------- 

The logic of thrust-reverser deployment, taken from the Boeing 737 Operations 
Manual, revision 001.1, April 1988, p 21.20.08, is that the Boeing 737 can 
deploy the thrust reverser on either engine if ... 

   EITHER: spin-up is detected on any two main gear wheels, 
   OR:     at least one of Captain's and First Officer's 
           Low Range Radio Altimeters reads below 10ft, 
   OR:     right main gear strut is compressed,  

... provided the Engine Fire Warning Switch is down for that engine and 
the throttle levers are in the reverse position.

The Lauda crash, in May 1991, is generally believed to have been due to 
mid-air thrust reverser deployment, although I am not aware if a final report 
ever appeared, or from where it is available. It was described in various 
news items around that time, and these were posted by various people to the 
RISKS forum. It may be relevant now to review some excerpts of these. 

The main submissions were in RISKS-11.95, 12.16, and 12.69. 

          ---------------------------------------------- 

RISKS-FORUM Digest  Friday 28 June 1991  Volume 11 : Issue 95

>From "The European", previous week's issue:- 
 
Boeing skipped essential test on Lauda crash jet      By Mark Zeller, Paris
 
[Stuff omitted] 

Examination of the wreckage and the pilot's cockpit voice recorder have [sic]
now shown that one of the thrust reversers - used to slow an aircraft after
landing - failed to lock in place when the plane was gaining height and
accidentally shifted to a high-power setting, causing the plane to turn so
rapidly that the tail was torn off the aircraft.

[Stuff omitted] 

... the FAA's administrator, James Busey, in Paris for Le Bourget air show, 
said last week that the plane had not undergone a realistic in-flight test 
of the thrust reversers, which were designed and manufactured by Boeing and 
fitted to Pratt & Whitney engines. He disclosed that Boeing told the FAA 
that the plane's sophisticated flight control computers made an accidental 
inflight [sic] deployment of the thrust reversers impossible. 

[Stuff omitted] 

P&W confirmed that if the reverse thruster had not locked properly there would
have been an indicator light advising the pilots. This warning light was heard
[sic] being discussed by the pilots on the cockpit recorder shortly before the
crash. Reading instructions from the Boeing manual, they took no action and
continued to ascend. Seconds before the crash, the co-pilot shouted that a
thrust reverser had been activated.
 
The tape concludes with a series of warning sirens, alarms, a snapping sound
and then a bang. The wreckage of the plane was found in dense jungle in
Thailand with one engine's thrust reverser deployed. The tail section was found
several kilometres away. Asked about the possibility of an accidental
deployment of a thrust reverser, Boeing spokesman Dick Kenny said: "It can't
happen."
 
But a P&W representative, who wished to remain anonymous, said it was possible.

[Stuff omitted] 

Before the crash, there had
already been at least one incident involving partial in-flight deployment of a
thrust reverser on a Boeing 767. There have also been several similar incidents
on 747s, but none of these led to a crash.

          ---------------------------------------------- 

RISKS-FORUM Digest  Monday 26 August 1991  Volume 12 : Issue 16

>From the Seattle Times, Friday August 23, 1991 (excerpts)
 
        Flawed part in 767 may be flying on other jets
          by Brian Acohido, Times Aerospace Reporter

   More than 1,400 Boeing 747, 757, and 737 jetliners may be flying with the
same type of flawed thrust-reverser system as the ill-fated Lauda Air 767 that
crashed in Thailand last spring. 

[Stuff omitted] 

   Industry sources say it appears a dangerously flawed safety device that is
an integral part of the reversers in question may be the same one that is in
widespread use on other Boeing models as well.  The device is called an
electronically actuated auto-restow mechanism.  The flaw was discovered last
week, and was considered potentially hazardous enough to prompt the FAA to
order reversers deactivated on 168 late-model 767s.  The ban is in effect until
Boeing redesigns the device.  

[Stuff omitted] 

   On Boeing jets, reversers work like this: A door on the engine cowling
slides open, simultaneously extending panels called `blocker doors,' which
deflect thrust up and out through the cowling opening.  In flight, the cowling
door is designed to remain closed, with the blocker doors retracted, stowed,
and locked.  Depending on the engine type, the reverser system is powered
either pneumatically using pressurized air, or, like the Lauda jet,
hydraulically using pressurized oil.
   The flawed auto-restow device is designed to detect the system becoming
unlocked in flight and to move quickly to restow and relock the system before
any significant control problem can occur.  According to industry sources, the
NTSB, and the FAA, here's how the complex device works:
   An electronic sensor monitors the cowling and alerts a computer if the
cowling door moves slightly in flight.  The computer then automatically opens
an `isolation valve' which permits pressurized oil or air to flow into the
reverser system.  This actuates a very crucial, and -- as was revealed last
week by the FAA -- dangerously flawed part called a `directional control valve'
or DCV.  The DCV directs the pressurized oil or air to retract the blocker
doors and shut the cowling door.  The DCV can sit in only two positions: extend
or retract.  In flight, it is supposed to always remain in the retract
position, ready to do its part in auto restow.
   In older Boeing aircraft, a mechanical part physically prevented the
directional control valve from moving off the retract position as long as the
plane was airborne.  But in newer Boeing jets, the auto-restow mechanism is
controlled and kept in the retract position by electronic means.  `The reason
they go for these electronic reversers is strictly economic,' safety expert
Sproggis said.  `It saves weight, and, in commercial aviation, weight is money.'
   When Boeing certified its electronically controlled reverser system, the
company assured the FAA that it was fail-safe.  As a result, the FAA never
required the company to calculate or test what might happen should a reverser
deploy in flight at a high altitude and high speed, as happened on the Lauda
flight.
   After the Lauda crash, Boeing tested the system anew.  An engineer wondered
what would happen if a simple O-ring seal on the DCV deteriorated, with small
bits getting into the hydraulic lines.  A test was run.  The result: the DCV
clogged in such a way that when the auto restow was activated, the DCV moved
off the retract to the extend position.  Thus, the computer thought it was
instructing the DCV to restow when, in fact, it was deploying the reverser.
   `I think they (Boeing officials) expected bits of the O-ring to run right
through the system and were shocked when they saw the reverser deploy,' said a
source close to the Lauda investigation.
   After learning of the results of the O-ring test, the FAA, which to that
point had rejected repeated exhortations from NTSB Chairman James Kolstad to
ban reverser use on 767s, did just that.

[Stuff omitted] 

   Moreover, a Seattle Times review of five years of `service-difficulty
reports,' or SDRs, filed by U.S. airlines with the FAA shows a similar pattern
of reverser troubles for 747s, 737s, and 757s.
   Airlines are required to file SDRs with the FAA showing how various problems
are dealt with.  Problems with reversers on Boeing planes are cited on 118
reports from Jan. 1, 1985 through June 25, 1991, including 44 reports on 737
reversers, 25 on 747s, four on 757s, and three on 767s.

[Stuff omitted] 

          ---------------------------------------------- 

RISKS-FORUM Digest  Monday 16 December 1991  Volume 12 : Issue 69
 
>From the Seattle Post-Intelligences, Saturday December 14:
 
             "Boeing Hush-up Charged" by Bill Richards
 
   A former Boeing computer expert said yesterday that the company ordered him
to play down his discovery of a software flaw in a critical control unit that
could have triggered last May's fatal crash of a Lauda Air Boeing 767.  Darrell
Smith, a computer software engineer employed as a troubleshooter by Boeing in
1989 and 1990, said in an interview with the P-I that he warned the company
last year of problems with software that runs the "proximity switch electronics
unit" (PSEU) on Boeing's 747 and 767 jetliners.
   The device allows the plane's computerized parts to electronically
converse.  Smith said he told Boeing officials the software could trigger a
rogue signal that would cause the plane's computer-driven systems to
malfunction.  But Smith said Boeing officials in charge of the troubleshooting
program told him they "didn't want to get anybody excited" and ordered him to
omit any mention of potential system-wide problems resulting from the flawed
software from his formal report.  Instead, he was told to report just on the
PSEU's internal problems, he said.  "They said this is a non-critical system
and I couldn't use terms like `crash' or `catastrophic' in the report because
they didn't want people to get excited," he said.
   Boeing spokesman Chris Villiers said yesterday the company hasn't had time
to study all of Smith's allegations.  Villiers said Boeing doesn't believe
the PSEU was responsible for the Lauda Air crash.  Smith's concerns about the
unit's software on the 747 has been "addressed and resolved," Villiers said.

[Stuff omitted] 

 Smith, ...,
said he told Boeing officials the software contained an "architectural flaw"
that could lead the unit to send a random signal to other electronic systems
within a jetliner, providing them with false information.  So poorly designed
was the PSEU software, he said, that he recommended that it be completely
redesigned.
   One of the electronic subsystems linked to the PSEU is the auto-restow,
which is supposed to automatically retract a jet's backup ground braking
system, the thrust reverser, if it accidentally starts to deploy in flight.

[Stuff omitted] 

   But Smith said that because the software's false messages are random, it is
almost impossible to determine in a laboratory setting if the PSEU software
isn't working.  "It all depends on what is going on with the airplane at the
time," Smith said. "There's no way to repeat the exact conditions that would
cause the messages to be sent.  It can cause the system to crash, or get false
information, or just go crazy."  For example, Smith said, the control unit
could notify the rest of the electronic subsystems that the plane's landing
gear was down while the plane was still in flight.  That would cause the
auto-restow to switch to a ground-speed mode check, Smith said.  The system
would then "see that the aircraft was going too fast, and kick in the reverse
thrusters -- while the aircraft was really in flight."

          ---------------------------------------------- 

Karl writes (airliners@chicago.com, 09 Sep 94 02:12:05):- 

> (Please *don't* post lots of little bitty details to sci.aeronautics.
> airliners, as this tends to simply clutter the group ... 

Hope this wasn't too "little bitty", Karl! :-) 

(I thought it might be useful to revise what has already come over the net 
on the subject, to set the scene.) 

Aren't electronic archives fun? :-) 

-------------------------------------------------- 
Peter Mellor, Centre for Software Reliability, 
City University, Northampton Square, London EC1V 0HB 
Tel: +44 (71) 477-8422, Fax.: +44 (71) 477-8585, 
E-mail (JANET): p.mellor@csr.city.ac.uk 
-----------------------------------------------------------------------------