Re: Trim Activated by the Autopilot

Date:         31 Dec 99 02:09:33 
From:         Pete Mellor <pm@csr.city.ac.uk>
References:   1

John M. Hunt <johnmhunt@ipa.net> asks:
> Where am I wrong?

IMHO, John, you are absolutely right. You might find the following
article of interest, in which I describe my experiences this year
for the Safety Critical Systems Club newsletter.

Regards,

Pete Mellor
----------------------------------------------------------------------------

                           The Nagoya Case

Introduction

A case for damages has been brought by the survivors and over 200 of the
relatives of those killed in the crash of an A300 at Nagoya airport,
against Airbus Industrie and China Airlines jointly and severally.

In July 1998, I was invited by Koga & Partners of Tokyo to appear as an
expert witness on behalf of the plaintiffs. The decision to become
involved could be described as a ``no brainer''. Apart from my wish to
assist the victims, I rapidly found that the analysis of the accident
posed a fascinating intellectual challenge.

In this article, I summarise the accident sequence and explain the reasons
behind my testimony, which emphasised the role of the design of the
automatic flight system (AFS).

The Crash

On the evening of 26th April 1994, China Airlines Flight 140 (an Airbus
A300B4-622R) from Taipei (Taiwan) to Nagoya (Japan) was on final approach.
The first officer (F/O) was the pilot flying (PF). Both autopilots (AP)
were disengaged and the F/O was flying manually, but following the ``glide
slope'' beam down to the threshold of runway 34. This beam was being
tracked by the instrument landing system (ILS), and guidance was provided
by the flight director (FD) bars on the primary flight display (PFD)
screen. The captain had advised the F/O also to look outside and use
visual cues to guide his approach. Flaps were extended and the landing
gear was down. The landing checklist had been completed, including the
programming of a ``go-around'' altitude of 3,000 feet. (This routine step
was to ensure that, in the unlikely event of the crew having to abort the
landing, the APs could be engaged and would then fly the aircraft up to
this safe altitude with minimal action by the crew.) The landing was
proceeding normally.

Then (at a height of around 500 feet) the F/O touched the go-around lever
(GO-lever) below the hand-grip of the thrust lever, where his left hand
was resting. This was presumably an unintentional action, and its cause is
a mystery. The AFS went into go-around (GA) mode. The engines began to
spool up automatically, and the flight path levelled off, departing from
the glide slope. The captain reacted in surprise and told the F/O to
``Disengage it'', and to ``Push down'' (push forward on the control column
to lower the nose), presumably in order to regain the glide slope.

At this point, one of the crew engaged both APs. This was another
mysterious action. It is likely that the F/O did it, but this cannot be
determined from the cockpit voice recorder (CVR). The AFS was already in
GA mode, and so the AP began to take the aircraft up to the pre-programmed
height of 3000 feet.

The F/O continued to push forward on the control column. At the level of
modification of the AFS software on that aircraft, while the AFS was in GA
mode, the pilot could override the APs by force on the controls (so moving
the elevators). However, the APs remained engaged, and issued ``autotrim''
commands to move the trimmable horizontal stabiliser (THS) in the nose-up
sense, opposing the nose-down commands of the F/O. In less than 20
seconds, the THS reached its extreme nose-up position, in which it
remained even after the F/O disengaged the APs a few seconds later.

The aircraft was now grossly ``out of trim''. Unless the F/O exerted great
force continuously on the column, the nose would rise sharply. The ``angle
of attack'' (AOA or Alpha: the angle between the aircraft and the air
through which it is moving) increased to over 12 degrees, and ``Alpha
Floor'' protection was activated. This increases power automatically if
the aircraft comes near to stalling, but the thrust of the engines
increased the nose-up moment, and the aircraft began to ascend. The
captain took over control and, alarmed by the force required to push the
column forward, decided to go around.

The aircraft shot up to over 1700 feet, but it was still out of trim, and
its pitch angle reached 52 degrees nose-up before it stalled, and came
down out of control to pancake on to the ground next to the runway
threshold. Of 271 souls on board, all but 7 perished. To the end, the
pilots seem to have remained unaware that the aircraft was out of trim.

The Causes

Like most accidents, the Nagoya crash was the end result of a complex
sequence of events, involving both human error and system design.

The pilots made mistakes at several levels.

The F/O unintentionally touching the GO-lever was apparently a ``slip''.

Their errors of procedure might have included engagement of APs while in
GA mode. (Pilots are trained to rely on the A300 AFS as much as possible,
and the F/O might have instinctively engaged APs when things started to go
wrong. Note that this is speculation!) The crew also did not follow the
procedure to get out of GA mode, even though this is routinely done at the
end of a real go-around, and they had actually discussed this procedure
earlier in the flight. When executing the final deliberate go-around, they
withdrew the flaps too rapidly, contrary to go-around procedure, so
increasing the tendency to stall.

However, their main mistakes were due to lack of knowledge. They did not
know that the AP would oppose attempts to override it. (The F/O might even
have engaged APs without the captain being aware.) They did not know that
the aircraft was out-of-trim. (They could very easily have corrected this,
either by using the trim wheels which move the THS manually and also
disengage the APs, or by first disengaging APs with the instinctive
disconnect button and then operating the electrical trim switch. Both
button and switch are conveniently mounted on the control column.)

The design of the AFS also played a crucial role. The philosophy of Airbus
is stated in the Flight Operations Manual (FOM), as follows:

``The design philosophy of the A300-600 includes the use of the latest
technology to reduce pilot operational workload, thus subtly changing the
bias of his task from that of operator to that of monitor.
Inherent in this philosophy is the use of autopilot from just after take
off to, if necessary, the end of the landing roll-out.''

The APs can always be disengaged deliberately. Also, the pilot can
override the AP by exerting considerable force on the controls, but this
does not automatically disengage the AP, which ``fights back''. This
``feature interaction'' can leave the aircraft out of trim. Also, the
movement of the THS by the AP is not accompanied by the audible warning
(``whooler'') which is given if the pilot moves the THS continuously using
the electrical trim switch.

In the original design of the A300 AFS, automatic AP disengagement by
force on the controls was not enabled in any flight mode or at any height.
However, after three ``out-of-trim'' incidents (none resulting in a
crash), the AFS software was modified. First, automatic AP disengagement
was enabled in flight modes other than LAND mode below 400 feet and GA
mode. A second modification enabled automatic AP disengagement in GA mode
above 400 feet. Warnings were inserted into the FOM that the prolonged use
of override in pitch could leave the aircraft out of trim.

China Airlines had not implemented the second modification. (This was only
``Recommended'', not ``Mandatory''.) Also, it seems that the pilots had
not received training in a simulator which was capable of reproducing the
interaction between pilot override and AP.

The purpose of the override facility is variously stated in the FOM and
other documents to be to make small corrections to assist in capturing the
glide slope beam during landing approach, or to allow the pilot to correct
an uncommanded control surface movement resulting from AP malfunction.

Neither of these justifications for retaining the override facility while
not enabling automatic AP disengagement by control force makes sense.
Certainly since the first modification to the AFS software permitted
disengagement in LAND mode above 400 feet, the first justification fails,
since both glide slope and localiser beams are captured during the
approach well above that height. The second justification fails since a
far simpler design solution to the potential problem would be to disengage
the AP.

The Case

Sources of information on the crash included the official accident report
and a video produced by Airbus, of a reconstruction of the accident
sequence in a simulator and a description of nine ways in which the crew
could have recovered the flight after the unintentional operation of the
GO-lever.

In July 1999 I appeared in the District Court of Nagoya for direct
examination by the plaintiffs' counsel. In September I returned for
cross-examination by the defendants' counsel. The preparation was intense,
and each hearing was like a five hour viva, although the translation of
all exchanges from or to Japanese afforded a little respite and thinking
time.

The other expert witness for the plaintiffs was Barry Schiff, a retired
airline pilot and instructor with an impressive list of publications on
air safety. He dealt mainly with the contribution of pilot error to the
accident.

My testimony emphasised the role of the design of the AFS. I presented a
model of system failure in which a latent design fault is activated by a
particular combination of environmental circumstances, the internal state
of the system and operator action (which may include operator error). If
no corrective action is taken, the resulting failure can cause an
accident.

The interaction between pilot override and the response of the AP
constitutes (I claimed) a fault in the design of the AFS. Counsel for the
defendants raised several objections, which I tried to rebut:-

Objection: Not to allow AP disengagement by force was a deliberate design
decision, and so cannot be considered to be a ``fault''.

Rebuttal: Inadequate specification of functions is a common source of
system failure. International standards recognise this and define failure
as a departure from ``required'' function, not from ``specified''
function.

Objection: To allow AP disengagement by force would have courted the
opposite risk of accidental disengagement, as occurred in the crash of
Eastern Airlines flight 401 in Florida in 1972.

Rebuttal: The opposition of the pilot's override commands by AP on the
A300 leads immediately to a hazardous configuration. The disengagement of
the AP on EAL 401 merely permitted a descent to begin, and the crew did
not detect it for 5 minutes (due to other factors). The two accidents are
not comparable. An uncommanded AP disengagement can occur for other
reasons (e.g., equipment failure) and during landing the PF must have both
hands on the controls in order to be able to resume control instantly.

Objection: The interaction could not have been foreseen.

Rebuttal: It should have been detected by a hazard analysis. Whether
foreseeable or not, it is still a fault. It was actually known about after
the first ``out-of-trim'' incident (in France, March 1989).

Objection: The three previous incidents show that the problem can easily
be overcome by a competent pilot.

Rebuttal: These incidents actually show that pilots cannot be relied upon
to understand the interaction of AP with override, and that the fault
should have been corrected immediately. In the third incident (Moscow,
February 1991) in particular, the flight came within a hair's breadth of
disaster, and the two experienced Lufthansa pilots were still unaware of
the cause of their problem when interviewed on the ground later.

Objection: The warning notices in the FOM and in service bulletins should
have alerted all pilots to the possibility of the out-of-trim condition.

Rebuttal: A notice in the manual is an inadequate protection against a
critical design fault. It is useless unless reinforced by training. This
was ``an accident waiting to happen''. It was only a matter of time before
a crew who did not understand the interaction stumbled over it with fatal
consequences.

Objection: (The ``64 thousand dollar question''!) ``Would you not agree
that, at the time of the accident, all systems were behaving as
specified?''

Rebuttal: ``They were behaving as specified, but not as required to ensure
the continued safe flight of the aircraft!''

Conclusion

In summary, I testified that the main cause of the accident was the
manifestation of a design fault in the AFS, where:-

- the latent design fault was the feature interaction whereby the pilot
can override the APs while the APs remain engaged and oppose the override,

- the environmental conditions were that the aircraft was at a certain
height,

- the internal state was that APs were engaged with the AFS in GA mode,

- the operator action was the prolonged attempt by the F/O to override APs
in pitch,

- the system failure was the aircraft becoming out-of-trim, and

- the crew did not take appropriate corrective action since they were
unaware of the out-of-trim configuration (which occurs without any audible
warning).

As a result of the Nagoya crash (and well before the case was brought),
mandatory Airworthiness Directives have been issued by the DGAC and FAA
requiring modification of the AFS software on all A300 and A310 models to
allow automatic AP disengagement if the pilot applies more than 15Kg force
on the controls in any mode of flight and at any height.

The case continues.
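Added illustration, not part of Pete Mellor's post or any Airbus code: a toy model that encodes the "as specified" force-disengagement rule at each AFS software level the article names, then checks the "as required" property that a sustained pitch override never leaves the AP engaged and autotrimming against the pilot. The 400 ft boundary and the 15 kg force are taken from the text; the state grid, the "OTHER" mode stand-in, the constructed force values and the approximated Nagoya state are assumptions.

```python
# Hazard check over the A300 AFS override/autotrim interaction (added example, constructed).
from dataclasses import dataclass
from itertools import product

FORCE_THRESHOLD_KG = 15  # from the post-Nagoya AD; assumed to apply at earlier levels too

@dataclass(frozen=True)
class State:
    mode: str         # "LAND", "GA", or "OTHER" (stand-in for the remaining AFS modes)
    height_ft: int
    ap_engaged: bool
    override_kg: int  # sustained pilot force on the control column (constructed values)

def ap_disengages_on_force(level: str, s: State) -> bool:
    """Specified behaviour: does column force disengage the AP at this software level?"""
    if s.override_kg <= FORCE_THRESHOLD_KG:
        return False
    if level == "original":  # never enabled, in any mode or at any height
        return False
    land_low = s.mode == "LAND" and s.height_ft < 400
    if level == "mod1":      # enabled except LAND below 400 ft and GA at any height
        return not (land_low or s.mode == "GA")
    if level == "mod2":      # mod1 plus GA above 400 ft
        return not (land_low or (s.mode == "GA" and s.height_ft <= 400))
    if level == "ad":        # Airworthiness Directive: any mode, any height
        return True
    raise ValueError(f"unknown software level {level!r}")

def out_of_trim_hazard(level: str, s: State) -> bool:
    """Required property violated: AP engaged, override sustained, AP does not let go."""
    return (s.ap_engaged and s.override_kg > FORCE_THRESHOLD_KG
            and not ap_disengages_on_force(level, s))

def reachable_hazards(level: str) -> list:
    """Exhaustively check a small constructed grid of states: hazard analysis in miniature."""
    grid = product(("LAND", "GA", "OTHER"), (300, 500, 1500), (True,), (5, 20))
    return [s for s in (State(*g) for g in grid) if out_of_trim_hazard(level, s)]

# Constructed approximation of the Nagoya state: GA mode, about 500 ft, both APs
# engaged, F/O pushing hard and continuously on the column.
NAGOYA = State("GA", 500, True, 20)

def nagoya_hazard_by_level() -> dict:
    """Which software levels leave the hazard present in the Nagoya state?"""
    return {lvl: out_of_trim_hazard(lvl, NAGOYA) for lvl in ("original", "mod1", "mod2", "ad")}

if __name__ == "__main__":
    for lvl, hazardous in nagoya_hazard_by_level().items():
        print(f"{lvl:8s} hazard at Nagoya: {hazardous}; hazardous grid states: {len(reachable_hazards(lvl))}")
```

The China Airlines aircraft was at the "mod1" level, which is exactly the level at which the check still reports the Nagoya state as hazardous.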