From: (Mark Brown)
Date:         22 Jun 95 03:07:37 
References:   1 2 3 4 5

Christoph Bernhardt writes:

... deleted about bugs and crashes attributable to them ...

If you count software coding bugs as "real" software errors, then the
answer is none. I can think of no FBW aircraft crashes that have been
due to coding bugs (but perhaps that's a limitation of my "Mk I
computer" -- or is it a bug ^_^). However, if you mean an error in the
_specification_ or the "interface", then that's a lot more.

There have been a few military and experimental crashes due to
control law problems: the Gripen's two crashes for example.
This is a specification/design error. Tom Morganfeld's PIO in the
latest US whizzbang fighter may have been another.

I would say that a design error or over-complex design of the systems
contributed to the Warsaw crash --- the tortuous logic of the brake
and spoiler system which the pilot is expected to understand. Instead,
when he pulls the lever for reverse, he wonders why nothing
happens. Can he really be expected to remember the logic involved in
all circumstances? (A corollary: there was a heavy landing involving
an A320 -- the aircraft bounced on landing, the first bounce wound the
speed of the wheels up to above the threshold where the system logic
said "ok, wheels spun up, lift dump spoilers out" whilst the aircraft
was still in the air. Result, down to earth with a thump. I also
vaguely recall a case of a Fokker aircraft not being able to brake
properly on touchdown because a WOW switch was frozen in the "flight"

In order to avoid being partisan (anti-AB) I would like to say that
there have been incidents in Boeing aircraft where the pilot has been
left almost hanging out to dry by the autoflight systems, although not
to the extent of the crashed A330 crew. A Monarch B757 out of
Manchester was bitten; the system was programmed to take them up to a
certain altitude, whereupon the autothrottles retarded but the pitch
command remained the same -- nose high aeroplane rapidly running out
of flying speed due to unexpected behaviour of the autoflight systems:
sounds familiar? Had the A330 pilot been at the same height, he would
have recovered.

I would agree with others that the lack of control movement feedback
(and trim state -- thanks Robert!) on AB FBW aircraft removes
important cues from the pilot. However, this is not the whole story.

Automatic systems can be complex and difficult to understand. I am
currently doing an unrelated study involving air traffic controllers
from London Heathrow airport, and they say that when the 757 and 767
were first introduced, they got a lot of pilots saying "what's it
doing now?". In order for a pilot to be able to leap in and take over
when George screws up, he's got to have an up-to-date mental model of
what the aircraft is doing and how it will behave -- it's called
"keeping the pilot in the loop". However, modern autoflight systems
are so complex that it may not be possible for the pilot to be able to
keep track of what the system will do under all possible combinations,
and indeed it may be difficult to keep track of the state of the
system at the current time.

Had the Bangalore pilots recognised the consequences of their aircraft
being in "open descent mode" would they have crashed?

If the pilot of the JAL DC-8 which made an ignominious landing in the
water short of SFO (no-one hurt, but a damp DC-8) had realised that
his autopilot/flight director hadn't captured the glideslope but had
gone into another mode, would he not have landed correctly?

Some would say that if there are back-up sources of information
available, these should be referred to.

However, pilots have been trained to trust their instruments --
especially primary flight instruments in IFR conditions. Where does
one draw the line and say "this system is trustworthy, this one is

How many pilots cross reference what the nice graphical display on the
ND is telling them against raw VOR/DME/NDB readings, map shift

Just me 2d worth, for wot its worth !


          Heaven and earth are limitless. Po yeh poh loh me!
Mark A. Brown; Dept. of Computer Science; QMW College (University of London);
Mile End Road; London E1 4NS; UK.  Tel: +44 (71) 975 5220.