
Safety: Where’s Redundancy?

By David Evans | July 1, 2006

Together with recent reports of screens going blank in the cockpit, this story does not inspire lasting or fervent confidence in automation. The Australian Transport Safety Bureau (ATSB) headlines its recent report as a "navigation system failure," although words like "system meltdown" and "locked out" come to mind.

Details of the incident set the stage. The Boeing 717-200 was taxiing at Cairns for a scheduled flight to Brisbane. The pilots had entered details of the flight plan into the flight management system (FMS). Because of intermittent rain showers at Cairns, the crew programmed the FMS with wet runway speed figures for takeoff.

Late in the takeoff roll, the manually entered wet speeds were lost from the airspeed tape on the primary flight display (PFD), and FMS-generated dry speeds were displayed. At rotation, the caution MAP FAIL appeared on both the captain’s and first officer’s navigation displays. This is because the MAP mode is the default display on the navigation display, and it normally shows the waypoints corresponding to the planned route of flight. If an FMC failure occurs, then MAP FAIL will be displayed. After about one and a half minutes, the MAP displays returned to normal. However, the MAP FAIL indication returned, and the crew reported, "The FMS had locked us out."

Investigators subsequently found that flight management computer (FMC) 2 was unable to sequence the 400-foot course to altitude leg associated with the standard instrument departure. The departure involves early sharp turns to intercept an outbound radial, then a prompt southbound turn to avoid terrain, and FMC 2 was unable to reconcile all the inputs and variables. As the ATSB report recounts, "The attempted sequencing was repeated, which consumed FMC processing cycles; consequently, other functions could not run." In other words, once it ran out of capacity, FMC 2 became locked in a back-to-the-drawing-board endless loop, like a cracked vinyl record.

Eventually, FMC 2 performed a software reset but was unable to recover functionality and was not available for use by the crew. A similar progression then occurred in FMC 1 but, per its design, FMC 1 remained available for use, although with the flight plan information cleared. Eventually, the crew was able to enter the ILS frequency, but FMS operation did not appear to be reliable. The aircraft was vectored by air traffic control (ATC) back to Cairns, where a visual approach was carried out and the aircraft landed some 30 minutes after takeoff.

The ATSB reports the following: "While a fault condition exists, the FMC will progress through a series of resets: warm start, cold start, software reset and latch (shutdown). The progression of resets is designed to clear increasingly larger parts of the FMC, eventually leaving the crew with a usable FMC but no flight plan data. If the software reset is unsuccessful, then the FMC will latch."
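The two mechanisms the report describes, a retry that "consumed FMC processing cycles" so that "other functions could not run," and a reset ladder that clears progressively more state until the flight plan is gone or the unit latches, can be modelled in a few dozen lines. The following is an added illustration, not code from the ATSB, Boeing or the FMC vendor: a toy cyclic executive with a fixed cycle budget per frame, a leg-sequencing task that fails every attempt, a watchdog that escalates one reset stage after repeated starved frames, and a `retry_cap` parameter showing the bounded-retry alternative in which the leg is abandoned for the frame, logged, and the map, BITE and radio tasks keep running. The task names, the per-frame budget, the three-frame starvation threshold and the mapping of stages to cleared state are assumptions; only the ordering of the ladder and the point that the software reset leaves a usable FMC without flight plan data come from the report.

```python
"""Toy model of retry starvation in a cyclic executive and of a
warm/cold/software/latch reset ladder. Constructed illustration, not
vendor or ATSB code. Assumed: a frame has a fixed cycle budget, leg
sequencing is one task among several, and the problem leg fails every
sequencing attempt."""
from dataclasses import dataclass, field
from typing import Optional

RESET_LADDER = ["warm start", "cold start", "software reset", "latch"]

# Assumed mapping of each stage to the state it clears; the report gives only
# the ordering and that the software reset leaves no flight plan data.
CLEARED_BY = {
    "warm start": ["pending_leg"],
    "cold start": ["pending_leg", "nav_cache"],
    "software reset": ["pending_leg", "nav_cache", "flight_plan"],
    "latch": ["pending_leg", "nav_cache", "flight_plan", "available"],
}
OTHER_TASKS = ("map_display", "bite_logging", "radio_tuning")  # assumed names
STARVED_FRAMES_BEFORE_RESET = 3                                 # assumed threshold


@dataclass
class FMC:
    frame_budget: int = 8                   # processing cycles per frame (assumed)
    retry_cap: Optional[int] = None         # None reproduces the unbounded retry
    fault_in_hardware: bool = False         # True: fault outlives the flight plan
    state: dict = field(default_factory=lambda: {
        "pending_leg": True, "nav_cache": True,
        "flight_plan": True, "available": True})
    starved_frames: int = 0
    reset_stage: int = -1                   # index into RESET_LADDER, -1 = none yet
    faults_logged: int = 0

    def stage(self) -> str:
        return "none" if self.reset_stage < 0 else RESET_LADDER[self.reset_stage]


def run_frame(fmc: FMC) -> list:
    """Run one scheduling frame; return the tasks that actually got cycles."""
    if not fmc.state["available"]:
        return []                           # latched unit does nothing
    # After a reset cleared it, the leg is re-derived from the flight plan
    # (or, for a hardware-rooted fault, reappears regardless of the plan).
    if fmc.state["flight_plan"] or fmc.fault_in_hardware:
        fmc.state["pending_leg"] = True
    cycles, attempts, ran = fmc.frame_budget, 0, []
    while fmc.state["pending_leg"] and cycles > 0:
        if fmc.retry_cap is not None and attempts >= fmc.retry_cap:
            fmc.faults_logged += 1          # bounded retry: give up, record it
            break
        cycles -= 1
        attempts += 1                       # attempt fails, leg stays pending
    ran.append("leg_sequencing")
    for task in OTHER_TASKS:                # whatever budget is left goes here
        if cycles > 0:
            cycles -= 1
            ran.append(task)
    return ran


def monitor(fmc: FMC, ran: list) -> None:
    """Watchdog: climb one reset stage after repeated starved frames."""
    if not fmc.state["available"]:
        return
    fmc.starved_frames = 0 if "map_display" in ran else fmc.starved_frames + 1
    if fmc.starved_frames >= STARVED_FRAMES_BEFORE_RESET:
        fmc.starved_frames = 0
        fmc.reset_stage += 1
        for item in CLEARED_BY[RESET_LADDER[fmc.reset_stage]]:
            fmc.state[item] = False


def simulate(fmc: FMC, frames: int = 40) -> dict:
    """Run the model and summarise where the unit ended up."""
    map_frames = 0
    for _ in range(frames):
        ran = run_frame(fmc)
        if "map_display" in ran:
            map_frames += 1
        monitor(fmc, ran)
    return {"final_stage": fmc.stage(), "available": fmc.state["available"],
            "flight_plan": fmc.state["flight_plan"], "map_frames": map_frames,
            "faults_logged": fmc.faults_logged}


if __name__ == "__main__":
    print("unbounded retry, plan-rooted fault:", simulate(FMC()))
    print("unbounded retry, hardware fault:   ", simulate(FMC(fault_in_hardware=True)))
    print("retry capped at 2 per frame:       ", simulate(FMC(retry_cap=2)))
```

The first run reproduces the FMC 1 outcome in the report: the map display is starved until the software reset discards the flight plan, after which the unit is usable but empty. The second reproduces FMC 2: the fault survives the software reset, so the ladder ends in a latch and the unit is lost. The third shows the design point the column is driving at: a per-frame retry budget keeps every other task running, the flight plan survives, and the unsequenceable leg is logged as a fault instead of being hidden behind a reset cascade.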

Bench testing did not uncover the problem. The manufacturer of the suspected components advised that no other FMS problems of this nature had been reported. The safety action described in the ATSB’s report seems insufficient, given the potential for this sort of problem to repeat on the B717 fleet worldwide, or on other aircraft: "As a result of this occurrence, the operator [Jetstar] had advised that a Flight Operations Memo will be issued to all 717 pilots highlighting this incident and detailing the FMS modes which remain available during abnormal FMS operation."

In light of what the ATSB describes as a "serious incident," a few observations are in order. It is an obvious concern that:

* the legs of a standard instrument departure should be enough to topple the computer;
* exceeding the memory size, as the ATSB report indicates, should wipe out all BITE (built-in test equipment) records;
* the time taken for all this to unfold was enough to launch the flight crew into a never-ending loop of "What’s it doing now?";
* the failure mode and the expected remedial actions were unfamiliar to the crew; and
* had this incident happened in any sort of weather, given the high terrain around Cairns, the outcome might have been different.

To be sure, FMC outages probably would not have affected EGPWS (enhanced ground proximity warning system) or TCAS (traffic alert and collision avoidance system), as these two safety systems have a high degree of autonomy by design. Nevertheless, there seems to be a multitude of inimical failure modes in modern aircraft just waiting to be discovered. Where, oh where, is the true redundancy? And the fallback?
