PPRuNe Forums - View Single Post - Spanair accident at Madrid
Old 2nd Oct 2008, 00:45
  #2074 (permalink)  
alf5071h
 
Join Date: Jul 2003
Location: An Island Province
Posts: 1,257
The numbers ... and assumptions !

paull, et al. Re #2099.
The numbers, with all of their complexities, are in CS 25 Large Aircraft, Amendment 5 (US equivalent - FAR 25).
The specific requirement for a TOCWS is in CS 25.703 (Page 71), with practical guidance information in AMC 25.703 (Page 368).

Before considering the ‘numbers’, note the text (page 368) “…the takeoff warning system should serve as "backup for the checklist, particularly in unusual situations, e.g., where the checklist is interrupted or the takeoff delayed."” !!!!
This is a major assumption about the crew-system interface which many contributors to this thread may have overlooked.

The discussion of system failures considers these systems to have a low level of criticality (page 369) "… because, in themselves, are not considered to create an unsafe condition, reduce the capability of the aeroplane, or reduce the ability of the crew to cope with adverse operating conditions. Other systems which fall into this category include stall warning systems, overspeed warning systems, ground proximity warning systems, and windshear warning systems." … but see Sub para (3) below.
This and subsequent items should be read in conjunction with AMC 25.1309 which covers system reliability.
TOCWS … "have a probability of failure (of the ability to adequately give a warning) which is approximately 1.0 x 10^-3 or less per flight hour. … Maintenance or preflight checks are relied on to limit the exposure time to undetected failures which would prevent the system from operating adequately."

Sub para (3) provides an important override, TOCWS are "… not considered to result in an adequate level of safety when the consequence of the combination of failure of the system and a potentially unsafe takeoff configuration could result in a major/catastrophic failure condition. Therefore, these systems should be shown to meet the criteria of AMC 25.1309 pertaining to a major failure condition, including design criteria and inservice maintenance at specified intervals. This will ensure that the risk of the takeoff configuration warning system being unavailable when required to give a warning, if a particular unsafe configuration occurs, will be minimised.”
This presumably assumes the failure to achieve the required configuration (system or crew) and the failure of the crew to detect the incorrect config (gauge/visually) in conjunction with a failure of the warning system – the numbers get larger.
A major/catastrophic failure condition is above 10^-3 up to 10^-9. However, I am not sure how the above would be applied to a certification – perhaps if loss of control was possible due to both a flapless/slatless takeoff, but not any one item – an aircraft specific issue? See thread discussion about slats only take off etc.

At this stage be prepared to be ambushed by ‘Grandfather’ rights; MD 80 was a DC-9, or pre regulation? This might imply that later aircraft have better protection and different operational assumptions, i.e. an Airbus pilot has a system which meets all aspects of the regulation (and the next two pages of it), including an adequate ‘System Inop’ warning. Thus, MD pilots have to operate with a different standard of equipment and a different set of assumptions about their performance when contributing to the system’s overall reliability, i.e. the crew has to be less susceptible to error. This is an interesting area as there are no regulations about how to build or certificate a human, thus no help on how one human vs another can have a lower probability of error (we all have to be vigilant).
CS 25 attempts to contain this problem with relatively new (and lengthy) guidance in AMC 25.1302 (Page 485), i.e. human factors.

An interesting para at the end: “.... No MMEL relief (EASA) is provided for an inoperative takeoff configuration warning. Therefore, design of these systems should include proper system monitoring including immediate annunciation to the flight crew should a failure be identified or if power to the system is interrupted.”