Saturday, July 1, 2006

Safety: Where’s Redundancy?

Together with recent reports of screens going blank in the cockpit, this story does not inspire lasting or fervent confidence in automation. The Australian Transport Safety Bureau (ATSB) headlines its recent report as a "navigation system failure," although words like "system meltdown" and "locked out" come to mind.

Details of the incident set the stage. The Boeing 717-200 was taxiing at Cairns for a scheduled flight to Brisbane. The pilots had entered details of the flight plan into the flight management system (FMS). Because of intermittent rain showers at Cairns, the crew programmed the FMS with wet runway speed figures for takeoff.

Late in the takeoff roll, the manually entered wet speeds were lost from the airspeed tape on the primary flight display (PFD), and FMS-generated dry speeds were displayed. At rotation, the caution MAP FAIL appeared on both the captain's and first officer's navigation displays. This is because the MAP mode is the default display on the navigation display, and it normally shows the waypoints corresponding to the planned route of flight. If an FMC failure occurs, then MAP FAIL will be displayed. After about one and a half minutes, the MAP displays returned to normal. However, the MAP FAIL indication returned, and the crew reported, "The FMS had locked us out."

Investigators subsequently found that flight management computer (FMC) 2 was unable to sequence the 400-foot course to altitude leg associated with the standard instrument departure. The departure involves early sharp turns to intercept an outbound radial, then a prompt southbound turn to avoid terrain, and FMC 2 was unable to reconcile all the inputs and variables. As the ATSB report recounts, "The attempted sequencing was repeated, which consumed FMC processing cycles; consequently, other functions could not run." In other words, once it ran out of capacity, FMC 2 became locked in a back-to-the-drawing-board endless loop, like a cracked vinyl record.

Eventually, FMC 2 performed a software reset but was unable to recover functionality and was not available for use by the crew. A similar progression then occurred in FMC 1 but, per its design, FMC 1 remained available for use--but with the flight plan information cleared. Eventually, the crew was able to enter the ILS frequency, but FMS operation did not appear to be reliable. The aircraft was vectored by air traffic control (ATC) back to Cairns, where a visual approach was carried out and the aircraft landed some 30 minutes after takeoff.

The ATSB reports the following: "While a fault condition exists, the FMC will progress through a series of resets: warm start, cold start, software reset and latch (shutdown). The progression of resets is designed to clear increasingly larger parts of the FMC, eventually leaving the crew with a usable FMC but no flight plan data. If the software reset is unsuccessful, then the FMC will latch."
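The retry loop and reset progression described above can be sketched as a small model. This is an added example, not code from the FMC, its manufacturer or the ATSB report; the frame budget, the failure threshold, the `fault_depth` field and the optional per-frame cap on sequencer time (`bounded`) are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Rungs of the reset progression named in the ATSB quote. */
enum rung { NONE, WARM_START, COLD_START, SOFTWARE_RESET, LATCH };

struct fmc {
    int  fault_depth;  /* assumed: lowest rung that clears the fault; 4 = none does */
    bool plan_loaded;  /* flight plan data still present */
    int  other_runs;   /* frames in which non-sequencing functions got CPU time */
};

#define FRAME_TICKS  10  /* constructed CPU budget per frame */
#define SEQ_BUDGET    3  /* constructed cap on sequencer ticks per frame */
#define FAULT_FRAMES  2  /* constructed: failed frames in a row before a reset */

/* One frame: a leg that cannot be sequenced is retried, one tick per attempt. */
static bool frame_failed(struct fmc *f, bool bounded) {
    int limit = bounded ? SEQ_BUDGET : FRAME_TICKS;
    int used = 0;
    bool failing = f->fault_depth != 0;
    while (failing && used < limit) used++;
    if (used < FRAME_TICKS) f->other_runs++;  /* leftover ticks serve other functions */
    return failing;
}

/* Run frames, climbing one rung whenever the fault persists; returns the last rung. */
enum rung supervise(struct fmc *f, bool bounded, int frames) {
    enum rung r = NONE;
    int bad = 0;
    for (int i = 0; i < frames && r != LATCH; i++) {
        bad = frame_failed(f, bounded) ? bad + 1 : 0;
        if (bad < FAULT_FRAMES) continue;
        bad = 0;
        r = (enum rung)(r + 1);
        if (r == SOFTWARE_RESET) f->plan_loaded = false;  /* widest clear: plan is lost */
        if (r != LATCH && f->fault_depth <= (int)r) f->fault_depth = 0;
    }
    return r;
}

int main(void) {
    struct fmc unit1 = {3, true, 0}, unit2 = {4, true, 0};  /* constructed faults */
    enum rung r1 = supervise(&unit1, false, 20);
    printf("unit1: rung %d, plan %d, other_runs %d\n", r1, unit1.plan_loaded, unit1.other_runs);
    printf("unit2: rung %d\n", supervise(&unit2, false, 20));
    return 0;
}
```

The two constructed faults reproduce the two outcomes in the report: a unit that comes back usable with its flight plan cleared, and a unit that latches. Calling `supervise` with `bounded` set to true shows the other functions keeping their share of every frame while the same ladder is climbed.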

Bench testing did not uncover the problem. The manufacturer of the suspected components advised that no other FMS problems of this nature had been reported. The safety action described in the ATSB's report seems insufficient, given the potential for this sort of problem to recur on the B717 fleet worldwide, or on other aircraft: "As a result of this occurrence, the operator [Jetstar] had advised that a Flight Operations Memo will be issued to all 717 pilots highlighting this incident and detailing the FMS modes which remain available during abnormal FMS operation."

In light of what is described by the ATSB as a "serious incident," one is prompted to offer a few observations. It is an obvious concern that:

* A standard instrument departure's legs should essentially topple the computer;

* Exceeding the memory size, as indicated in the ATSB report, should cause all BITE (built-in test equipment) records to be wiped out;

* The time taken for all this to happen was sufficient to launch the flight crew into a never-ending quizzical loop of "What's it doing now?";

* The failure mode and expected remedial actions were unfamiliar to the crew; and

* If this incident had happened in any sort of weather, given the high terrain around Cairns, the outcome may have been different.

To be sure, FMC outages probably would not have affected EGPWS (enhanced ground proximity warning system) or TCAS (traffic alert collision avoidance system), as these two safety systems have a high degree of autonomy by design. Nevertheless, there seem to be a multitude of inimical failure modes in modern aircraft just waiting to be discovered. Where, oh where, is the true redundancy? And the fallback?



Copyright © 2008 Access Intelligence, LLC. All rights reserved. Reproduction in whole or in part
in any form or medium without express written permission of Access Intelligence, LLC is prohibited.