Date: 31 Dec 99 02:09:33
From: Pete Mellor <firstname.lastname@example.org>
References: 1
John M. Hunt <email@example.com> asks:

> Where am I wrong?

IMHO, John, you are absolutely right. You might find the following article of interest, in which I describe my experiences this year for the Safety Critical Systems Club newsletter.

Regards, Pete Mellor

----------------------------------------------------------------------------

The Nagoya Case

Introduction

A case for damages has been brought by the survivors and over 200 of the relatives of those killed in the crash of an A300 at Nagoya airport, against Airbus Industrie and China Airlines jointly and severally. In July 1998, I was invited by Koga & Partners of Tokyo to appear as an expert witness on behalf of the plaintiffs. The decision to become involved could be described as a ``no brainer''. Apart from my wish to assist the victims, I rapidly found that the analysis of the accident posed a fascinating intellectual challenge. In this article, I summarise the accident sequence and explain the reasons behind my testimony, which emphasised the role of the design of the automatic flight system (AFS).

The Crash

On the evening of 26th April 1994, China Airlines Flight 140 (an Airbus A300B4-622R) from Taipei (Taiwan) to Nagoya (Japan) was on final approach. The first officer (F/O) was the pilot flying (PF). Both autopilots (AP) were disengaged and the F/O was flying manually, but following the ``glide slope'' beam down to the threshold of runway 34. This beam was being tracked by the instrument landing system (ILS), and guidance was provided by the flight director (FD) bars on the primary flight display (PFD) screen. The captain had advised the F/O also to look outside and use visual cues to guide his approach. Flaps were extended and the landing gear was down. Landing check list had been completed, including the programming of a ``go-around'' altitude of 3,000 feet. (This routine step was to ensure that, in the unlikely event of the crew having to abort the landing, the APs could be engaged and would then fly the aircraft up to this safe altitude with minimal action by the crew.)

The landing was proceeding normally. Then (at a height of around 500 feet) the F/O touched the go-around lever (GO-lever) below the hand-grip of the thrust lever, where his left hand was resting. This was presumably an unintentional action, and its cause is a mystery. The AFS went into go-around (GA) mode. The engines began to spool up automatically, and the flight path levelled off, departing from the glide slope. The captain reacted in surprise and told the F/O to ``Disengage it'', and to ``Push down'' (push forward on the control column to lower the nose), presumably in order to regain the glide slope.

At this point, one of the crew engaged both APs. This was another mysterious action. It is likely that the F/O did it, but this cannot be determined from the cockpit voice recorder (CVR). The AFS was already in GA mode, and so the AP began to take the aircraft up to the pre-programmed height of 3000 feet. The F/O continued to push forward on the control column.

At the level of modification of the AFS software on that aircraft, while the AFS was in GA mode, the pilot could override the APs by force on the controls (so moving the elevators). However, the APs remained engaged, and issued ``autotrim'' commands to move the trimmable horizontal stabiliser (THS) in the nose-up sense, opposing the nose-down commands of the F/O. In less than 20 seconds, the THS reached its extreme nose-up position, in which it remained even after the F/O disengaged the APs a few seconds later. The aircraft was now grossly ``out of trim''. Unless the F/O exerted great force continuously on the column, the nose would rise sharply.

The ``angle of attack'' (AOA or Alpha: the angle between the aircraft and the air through which it is moving) increased to over 12 degrees, and ``Alpha Floor'' protection was activated. This increases power automatically if the aircraft comes near to stalling, but the thrust of the engines increased the nose-up moment, and the aircraft began to ascend. The captain took over control and, alarmed by the force required to push the column forward, decided to go around. The aircraft shot up to over 1700 feet, but it was still out of trim, and its pitch angle reached 52 degrees nose-up before it stalled, and came down out of control to pancake on to the ground next to the runway threshold. Of 271 souls on board, all but 7 perished. To the end, the pilots seem to have remained unaware that the aircraft was out of trim.

The Causes

Like most accidents, the Nagoya crash was the end result of a complex sequence of events, involving both human error and system design.

The pilots made mistakes at several levels. The F/O unintentionally touching the GO-lever was apparently a ``slip''. Their errors of procedure might have included engagement of APs while in GA mode. (Pilots are trained to rely on the A300 AFS as much as possible, and the F/O might have instinctively engaged APs when things started to go wrong. Note that this is speculation!) The crew also did not follow the procedure to get out of GA mode, even though this is routinely done at the end of a real go-around, and they had actually discussed this procedure earlier in the flight. When executing the final deliberate go-around, they withdrew the flaps too rapidly, contrary to go-around procedure, so increasing the tendency to stall.

However, their main mistakes were due to lack of knowledge. They did not know that the AP would oppose attempts to override it. (The F/O might even have engaged APs without the captain being aware.) They did not know that the aircraft was out-of-trim. (They could very easily have corrected this, either by using the trim wheels which move the THS manually and also disengage the APs, or by first disengaging APs with the instinctive disconnect button and then operating the electrical trim switch. Both button and switch are conveniently mounted on the control column.)

The design of the AFS also played a crucial role. The philosophy of Airbus is stated in the Flight Operations Manual (FOM), as follows:

``The design philosophy of the A300-600 includes the use of the latest technology to reduce pilot operational workload, thus subtly changing the bias of his task from that of operator to that of monitor. Inherent in this philosophy is the use of autopilot from just after take off to, if necessary, the end of the landing roll-out.''

The APs can always be disengaged deliberately. Also, the pilot can override the AP by exerting considerable force on the controls, but this does not automatically disengage the AP, which ``fights back''. This ``feature interaction'' can leave the aircraft out of trim. Also, the movement of the THS by the AP is not accompanied by the audible warning (``whooler'') which is given if the pilot moves the THS continuously using the electrical trim switch.

In the original design of the A300 AFS, automatic AP disengagement by force on the controls was not enabled in any flight mode or at any height. However, after three ``out-of-trim'' incidents (none resulting in a crash), the AFS software was modified. First, automatic AP disengagement was enabled in flight modes other than LAND mode below 400 feet and GA mode. A second modification enabled automatic AP disengagement in GA mode above 400 feet. Warnings were inserted into the FOM that the prolonged use of override in pitch could leave the aircraft out of trim. China Airlines had not implemented the second modification. (This was only ``Recommended'', not ``Mandatory''.) Also, it seems that the pilots had not received training in a simulator which was capable of reproducing the interaction between pilot override and AP.

The purpose of the override facility is variously stated in the FOM and other documents to be to make small corrections to assist in capturing the glide slope beam during landing approach, or to allow the pilot to correct an uncommanded control surface movement resulting from AP malfunction. Neither of these justifications for retaining the override facility while not enabling automatic AP disengagement by control force makes sense. Certainly since the first modification to the AFS software permitted disengagement in LAND mode above 400 feet, the first justification fails, since both glide slope and localiser beams are captured during the approach well above that height. The second justification fails since a far simpler design solution to the potential problem would be to disengage the AP.

The Case

Sources of information on the crash included the official accident report and a video produced by Airbus, of a reconstruction of the accident sequence in a simulator and a description of nine ways in which the crew could have recovered the flight after the unintentional operation of the GO-lever.

In July 1999 I appeared in the District Court of Nagoya for direct examination by the plaintiffs' counsel. In September I returned for cross-examination by the defendants' counsel. The preparation was intense, and each hearing was like a five hour viva, although the translation of all exchanges from or to Japanese afforded a little respite and thinking time.

The other expert witness for the plaintiffs was Barry Schiff, a retired airline pilot and instructor with an impressive list of publications on air safety. He dealt mainly with the contribution of pilot error to the accident. My testimony emphasised the role of the design of the AFS.

I presented a model of system failure in which a latent design fault is activated by a particular combination of environmental circumstances, the internal state of the system and operator action (which may include operator error). If no corrective action is taken, the resulting failure can cause an accident. The interaction between pilot override and the response of the AP constitutes (I claimed) a fault in the design of the AFS.

Counsel for the defendants raised several objections, which I tried to rebut:-

Objection: Not to allow AP disengagement by force was a deliberate design decision, and so cannot be considered to be a ``fault''.

Rebuttal: Inadequate specification of functions is a common source of system failure. International standards recognise this and define failure as a departure from ``required'' function, not from ``specified'' function.

Objection: To allow AP disengagement by force would have courted the opposite risk of accidental disengagement, as occurred in the crash of Eastern Airlines flight 401 in Florida in 1972.

Rebuttal: The opposition of the pilot's override commands by AP on the A300 leads immediately to a hazardous configuration. The disengagement of the AP on EAL 401 merely permitted a descent to begin, and the crew did not detect it for 5 minutes (due to other factors). The two accidents are not comparable. An uncommanded AP disengagement can occur for other reasons (e.g., equipment failure) and during landing the PF must have both hands on the controls in order to be able to resume control instantly.

Objection: The interaction could not have been foreseen.

Rebuttal: It should have been detected by a hazard analysis. Whether foreseeable or not, it is still a fault. It was actually known about after the first ``out-of-trim'' incident (in France, March 1989).

Objection: The three previous incidents show that the problem can easily be overcome by a competent pilot.

Rebuttal: These incidents actually show that pilots cannot be relied upon to understand the interaction of AP with override, and that the fault should have been corrected immediately. In the third incident (Moscow, February 1991) in particular, the flight came within a hair's breadth of disaster, and the two experienced Lufthansa pilots were still unaware of the cause of their problem when interviewed on the ground later.

Objection: The warning notices in the FOM and in service bulletins should have alerted all pilots to the possibility of the out-of-trim condition.

Rebuttal: A notice in the manual is an inadequate protection against a critical design fault. It is useless unless reinforced by training. This was ``an accident waiting to happen''. It was only a matter of time before a crew who did not understand the interaction stumbled over it with fatal consequences.

Objection: (The ``64 thousand dollar question''!) ``Would you not agree that, at the time of the accident, all systems were behaving as specified?''

Rebuttal: ``They were behaving as specified, but not as required to ensure the continued safe flight of the aircraft!''

Conclusion

In summary, I testified that the main cause of the accident was the manifestation of a design fault in the AFS, where:-

- the latent design fault was the feature interaction whereby the pilot can override the APs while the APs remain engaged and oppose the override,
- the environmental conditions were that the aircraft was at a certain height,
- the internal state was that APs were engaged with the AFS in GA mode,
- the operator action was the prolonged attempt by the F/O to override APs in pitch,
- the system failure was the aircraft becoming out-of-trim, and
- the crew did not take appropriate corrective action since they were unaware of the out-of-trim configuration (which occurs without any audible warning).

As a result of the Nagoya crash (and well before the case was brought), mandatory Airworthiness Directives have been issued by the DGAC and FAA requiring modification of the AFS software on all A300 and A310 models to allow automatic AP disengagement if the pilot applies more than 15 kg force on the controls in any mode of flight and at any height.

The case continues.
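As an added illustration (not part of the article, and not Airbus software) of the feature interaction and of the successive disengagement rules it describes, the following toy state model steps the Nagoya scenario (APs engaged in GA mode at about 500 feet, prolonged nose-down push) under each software level; the trim rate and stabiliser travel are constructed values, and the 15 kg threshold is the one from the Airworthiness Directive mentioned above.

```python
# Added toy model of the A300 AFS override/autopilot feature interaction described
# above. Trim rate and stabiliser stop are constructed; the 15 kg threshold is the
# figure from the Airworthiness Directive mentioned in the text.
from dataclasses import dataclass

# Disengage-by-force policies, as the article describes them.
ORIGINAL = "original"      # force never disengages the AP
MOD_1 = "mod1"             # disengages except in LAND below 400 ft and in GA
MOD_2 = "mod2"             # as MOD_1, plus GA above 400 ft
AD = "ad"                  # any mode, any height, force above 15 kg
FORCE_THRESHOLD_KG = 15.0
THS_STOP_DEG = 10.0        # constructed: full nose-up stabiliser travel
AUTOTRIM_RATE_DEG_S = 0.5  # constructed: neutral to the stop in 20 s
@dataclass
class AFS:
    policy: str
    mode: str                # "LAND", "GA" or "OTHER"
    height_ft: float
    ap_engaged: bool = True
    ths_deg: float = 0.0     # trimmable horizontal stabiliser, nose-up positive

    def force_disengages(self, force_kg: float) -> bool:
        if force_kg <= FORCE_THRESHOLD_KG or self.policy == ORIGINAL:
            return False
        if self.policy == AD:
            return True
        if self.mode == "LAND" and self.height_ft < 400:
            return False
        if self.mode == "GA":
            return self.policy == MOD_2 and self.height_ft > 400
        return True

    def step(self, pilot_force_kg: float, dt_s: float = 1.0) -> None:
        """One time step of the pilot pushing the column forward (nose down)."""
        if self.ap_engaged and self.force_disengages(pilot_force_kg):
            self.ap_engaged = False
        if self.ap_engaged:
            # AP stays engaged and autotrims the THS nose-up against the push (no whooler).
            self.ths_deg = min(THS_STOP_DEG, self.ths_deg + AUTOTRIM_RATE_DEG_S * dt_s)

    def out_of_trim(self) -> bool:
        return self.ths_deg >= THS_STOP_DEG

def sustained_override(policy: str, height_ft: float = 500.0,
                       force_kg: float = 30.0, seconds: int = 20) -> AFS:
    """Nagoya scenario: APs engaged with the AFS in GA mode, prolonged push."""
    afs = AFS(policy=policy, mode="GA", height_ft=height_ft)
    for _ in range(seconds):
        afs.step(force_kg)
    return afs
```

With the China Airlines software level (MOD_1) the model leaves the APs engaged and runs the stabiliser to its stop, which is the out-of-trim state the article describes; only the post-Nagoya rule (AD) disengages regardless of mode and height.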