bomarc

PBL...I quoted it because I thought he was wrong then and now. call it irony.

And fly by wire...well soon we will have fly by light and that might be even better.

and elac, you make a good point about bubbers...I know him to be a very experienced pilot. but just because he might not have flown an airbus, doesn't mean too much.

optional attempt at humor, do not feel obligated to read:

I haven't tried drinking tea with arsenic...but I don't need to try it to know that I wouldn't like it!
one lump or two?

Hand Solo

No. I belive Qantas went off the end of the runway in Bangkok at some considerable speed because they had, amongst other things, not quite handled the throttles correctly. That was in a B744, whose systems are mostly from the B747 classic, which predates the Airbus and the 757 by some time. One has to ask just how far back to we have to go to find these utopian "good old days"? I gather had Qantas handled the throttles correctly they would have stopped on the runway, as no doubt the TAM crew would have done had they handled the throttles correctly too.

GlueBall

Hand Solo: The 744 QF overrun at BKK has no relationship to this CGH A320 crash. The QF captain had taken over the controls from the F/O who had attempted to initiate a go-around by advancing the throttles. [deselects auto brake]. The captain had landed half-way down the wet runway and didn't select reverse thrust because at that time it was QF policy [and training mind set] not to use reverse. The captain was late in manual brake application and mindless for not having deployed thrust reversers under the circumstances. Nothing to do with A320 logic comparisons.

ELAC

skallas,

An interesting set of logic connections you've made and kudos to you for working this through. But (you knew there was a but coming I'm sure ), the autothrust system does not ALREADY KNOW that a particular TL has been forgotten in the CLB position. Your logic presupposes that the thrust lever that moved (or appears to have moved) is the one that is expressing the pilot's intention. Though the probability is high that this is true, it is not a certainty nor is it beyond reasonable possibility that a system or human failure may make the reverse the correct case.

In the case under consideration the thrust on the TL left in CLB remains as it is not because the *computer* (which? A/T has disconnected) has chosen to ignore it because the TL has been "forgotten there", but rather because the specific TL positions (one CLB one REV) match a failure case which results in a non-standard disconnect of the autothrust thus triggering the Thrust Lock function for the TL in CLB. No distinction is made between which lever is right and which is wrong for the situation.

The rule for such disconnects is that the thrust from a TL in the CLB or MCT detent (1 Eng inop) remains at its currently commanded value until the TL moves because the thrust provided in auto conditions for a lever in the detent is variable and no change was commanded at the moment autothrust disconnected. Thrust Lock will not occur when the lever is not in the required detent. If it is either forward or aft of the CLB (or MCT as the case is) detent indicating a specific thrust command on disconnection of the autothrust the thrust moves (as necessary) to match the lever position. In this process the system makes no qualitative judgement about which TL is forgotten, and which is correct or etc.

Following from the above there is no dischord in the system logic. The autothrust system is not making an assumption of the pilot's intention from the position of the thrust levers and hence the triggering of other systems when the required actioning logic hasn't been met would not be appropriate. Any system that would automatically trigger spoiler and autobrake functions (let alone the other engine to idle as was suggested) in response to a single TL in reverse signal on ground (2 engines operating) assumes both that signal is valid (and that there is an ECAM procedure for uncommanded Rev deployment tells you there is a sufficiently high statistical probability that it may not be) and that the pilot's decision will always be to stop. Neither supposition is always true.

ELAC

prospector

" A very simple mistake may have killed many. Truly sad."

"granted...so why couldn't an experienced checkairman in the left seat stop the plane"

Makes no difference if it was a simple or complex mistake, it should not have been made, even by an inexperienced crew, and these were far from inexperienced.

bomarc

what if:

what if the simulator used to train these pilots allowed a landing with one lever in climb and the other reversed with a safe landing as the result? somehow automatically reducing power on the climb engine?????

teropa

bubbers,

Incredibly good post. That illustrates the diffrence of philosophy, that example of yours.

In a Boeing you always have everything and anything available to you, given that the systems are working. In an AB, ok, 99% of the time this doesn't cause any problems... but in this overrun accident that we are talking about here, the confusion (as it seems now) cost the lives of 200 people. Something to think about.

Tero

armchairpilot94116

bubbers and his Boeing wouldve landed ok at Congonhas because he couldve seen the lever misplacement and corrected that (moving levers help here) and he still had full control of spoilers. The A320 should still have had full spoiler control available to the pilots in spite of one engine spooling up to CLB power, due to the TL being left there after A/T ended upon landing. Why would this be a bad thing? Why couldnt or shouldnt AB program THAT logic?

Dani

The problem is not that the Airbus philosophy is wrong, but that these pilots still think they are in a non-Airbus aircraft. As long as you handle your Airbus within the correct SOPs, you will most likely have never any problems like in Sao Paolo.
Pilots have to learn on the Airbus, that SOPs are everything, that they cannot invent new ones, especially not during a malfuntion. This captain thought he was doing a bright thing because he did the same in a non Airbus-aircraft and got away with it.
Always following the SOPs is a very good thing, and it will force pilots to be accurate also in non aircraft related procedures like ATC, IFR and daily operation. This will safe many lives.
Dani

hetfield

Sure SOP are very important on every commercial/military plane. But I think you must admit that non moving thrust levers/throttles and GS which can't deployed manually were, at least to say, contributing factors in this accident.

SoaringTheSkies

Again, I dread those who, at least for my limited understanding of the language, seem to say that human error must not happen.

I hope never to fly with a pilot who thinks he won't err.

Any complex system involving human in it's control loop is only as good as it tolerates human error and uses human strengths.

Human communication requires was to recover from ambiguity and a system that does hard require unambiguous communication without redundancy is bound to fail and in some cases take lives.

Often enough, the engineers designing such systems only have a vague understanding of the people who are going to be using it and of the situations their system will be used in. Aerospace is probably better than other industries at that, but still the more complete an engineer tries to design a system, the deeper and more disconnected will his omissions be, just because they represent human error or states of man-machine communications beyond what the engineer could envision.

Leaving a thrust lever in the CLB after touchdown and not detecting it is so completely wrong, that it has not been fully considered as an error situation. It has, however, happened. An additional warning callout has been added in newer software versions. I'm not sure if that's the right patch to the problem, but it might have helped here.
The underlying issue is still: the system designer seems to have thought that this situation might never arise so he provided no means of disambiguation. Either the pilot notices that he hasn't retarded one engine or not. There's no other tiebreaker for the system.

That is the underlying issue for me, not the superficial human error.

pj

skallas

Quote:

In this process the system makes no qualitative judgement about which TL is forgotten, and which is correct or etc.

Of course you are right. I expressed my logic in far too simplistic terms. The decision , the qualitative judgement was of course made by the designers of the system. And they did decide that in such a set of circumstances (ATHR disconnect while TL in CLB or MCT) it is much more probable that the pilot has not yet had the time to move the lever to a desired thrust setting - hence the Thrust Lock.

Quote:

Your logic presupposes that the thrust lever that moved (or appears to have moved) is the one that is expressing the pilot's intention.

Actually, no. My logic is focused on the fact that the designers have designed in a state which assumes that in some specific (Thrust Lock) cases the TL does not (yet) represent the demands of a pilot.

But that was not what I was suggesting. I was NOT suggesting that one TL lever in reverse on ground should always engage reversers, spoilers and autobrakes.

My suggestion was that as the Thrust Lock state of a thrust lever effectively means that the system considers the position of that lever to be "invalid" in a sense that it does not (yet) represent power demands, that ONLY in case of one TL being in a Thrust Lock (ignored) state should the system also ignore that lever in regards to preventing spoilers and autobrakes from deploying. I.e. only if one lever is in Thrust Locked state should the system act on the other lever alone.

The logic is that double faults are extremely unlikely. Thrust Lock state is already essentially a failure scenario. Either a failure of a machine - or in this instance of a man. It is highly unlikely that in the case of Thrust Lock engaging, the other thrust lever sensors also fail.

Extending Thrust Lock so that it would not just lock the thrust but also ignore that lever position as determinant in actioning logic would definitely not kill you in RTO or go around situations. Because it isn't possible for Thrust Lock to activate in those situations.

teropa

skallas' suggestion and logic makes perfect sense to me at least.
But so very often, if something makes sense at first... there's always the But. Is there one here, too?

Tero

madherb

STS - could you please translate?

Now that's a pretty broad statement - what do the AB trainers feel about it? Not to mention the odd AB software man.........

bsieker

bubbers,

And why would you imply that this would have been any problem with an Airbus? An inoperative thrust reverser does not inhibit ground spoilers or wheel brakes on an airbus. In fact, nothing inhibits manual wheel brakes. except physics (gear up, or loss of all hydraulics systems including the hydraulic accumulator).

I believe that you are a skilled pilot on the machines that you fly (I have no reason to believe otherwise), and I also believe you would be as good a pilot on an Airbus, even if you don't. I would embark on an airbus flown by you, provided you had the proper type-rating.

I really can't see what would be the problem here with an airbus.

Why would a throttle being left "up a bit" be more obvious in a Boeing than in an Airbus? And why would it only be corrected immediately in a Boeing, and not in an Airbus?

Further: Leaving the throttle up "a bit" is no problem in the A320, if below 10ft RA, the A320 logic interprets lever angles below 15 degrees as "near idle", even though 15 is more than halfway to CLIMB (which, iirc, is at 25 degrees), which in my book is a lot more than "up a bit".

Why do you imply that mode confusion is Airbus-specific? Almost all of these modes are autopilot modes, which must be very similar between Boeing and Airbus aircraft in modern glass-cockpit airliners.

Are you saying there are no reports of mode confusion in Boeing aircraft, or that you simply choose to notice only the ones about Airbus aircraft, because they support your choice of preferred aircraft?


As has been observed, this is the other $50,000 question, but there is nothing to imply that it has anything to do with the aircraft type. On Boeing and Airbus aircraft alike, if there is no automatic braking, you brake manually. End of story.

The suggestion that a fly-by-wire Airbus aircraft was inherently less safe than a Boeing conventionally controlled (or even a Boeing fly-by-wire) aircraft would have to be substantiated by accident statistics. Which it isn't.

The suggestion that Boeing is more pilot-friendly than Airbus is, of course, a matter of personal preference, but would have to be substantiated by significant airtime in both types, and not by flying one and listening to anecdotes about the other.

I havn't flown either, and I will not make any jugdment whatsoever about which type is better to fly, but to see which one (if any) is safer, one only need to look at the statistics. If either had a significant advantage here, the other would be out of business quickly. And rightly so.

Bernd

SoaringTheSkies

madherb
hmm... sorry, I thought I was trying to be clear.

I'm thinking mainly in state machine terms here. State machines have a series of defined states and a series of required stimuli to transition from one state to another. Every state transition has it's set of requirements. In order for such state machines to work, the actual inputs in the system has to match the state change requirements otherwise, the state change won't happen.

Let's take the state change for Ground Spoilers (see PBL's paper at http://www.rvs.uni-bielefeld.de/publ...-PBL-paper.pdf).

There's three discrete states for the ground spoilers logic.

- (1) retracted and not armed
- (2) retracted and armed
- (3) deployed

State change from (1) to (2) is based on a very simple input: move the speed brake lever into the "armed" position
(2) to (3) is a bit more complex:

MLG touchdown (which is, both squat switches depressed)
OR
(TO and speed >72kts)
AND
((both thrust levers idle) OR (one thrust lever idle AND one thrust lever reverse) OR (both thrust levers reverse))

Now, the larger clause on thrust levers is the one that incorporates the "at or near idle" requirement we've spoken about many times before.
As long as this requirement is not fulfilled, the state machine won't update to the new state, or more to the incident at hand, the ground spoilers won't extend.
The autobrake system is triggered by the same state logic, so it will only kick in if the requirements for the ground spoilers have been met.

Now, this logic, per design, does just do nothing if one thrust lever is left above idle. Interestingly enough, the term

AND ((both thrust levers idle) OR (one thrust lever idle AND one thrust lever reverse) OR (both thrust levers reverse))


could be rewritten as

AND NOT (one or more thrust levers above idle)

So the logic explicitly defines this condition as an inhibitor to ground spoiler extension, which makes sense, because if you put the TLs above idle in the landing roll, a full stop landing is probably not your intention.
Now, in the case at hand, this was a false assuption. The pilots ment to stay on the ground, despite the fact that one TL was not in ilde.
That's an error condition that this logic does not take into account. There's no secondary signal that would challeng the "TL forward means you don't want deceleration" clause. Applying manual braking overrides this same logic for the wheel brakes, but not for the spoilers.

So for the requested translation:

this logic can leave the pilot in a deep hole with only one way out: to correct his very error. Now, probably the pilot error wasn't done knowingly, so it will take time to detect the error and then fix it.
Had the engineer taken into account that a TL might be accidently mispositioned in the landing roll, he could have designed in an emergency tie breaker for this logic, like there is for the wheel brakes with manual braking. A simple clause like

AND (speed > xx kts AND manual braking applied) could have saved the day.

btw, the ground spoiler logic has been amended after the Warsaw accident. The logic shown here is the original logic, as far as I'm aware, there's now a fourth ground spoiler state, let's call it

- (2.5) partially extended and armed for full extension

which has reduced requirements for the sqat switches. Basically, in the original clause

MLG touchdown

meant that both squat switches had to be depressed.
To enter (2.5) it's sufficient to only have one sqat switch activated. Reaching (3) from (2.5) requires the second one to be activated as well.
I'm not sure if autobrake will be triggered by (2.5) or just (3), though.

You could see this amendment as a form of saying "we didn't think this could ever happen". At any rate, it provides a tie breaker for the situation that had contributed to the Warsaw accident.

A similar tiebreaker for the TL not fully retarded error condition would make a lot of sense, I think.
But still, we don't know which of the system inputs can take ambiguous states that have not been considered in the design. There's always a chance of a dark logical hole lurking somewhere.

pj

ELAC

bomarc

I don't know. I'll be looking to the investigators to find out and I hope they do a good job of exploring all avenues in the quest for why as opposed to settling on whatever theory suits the prejudices or politics of the situation.

Whenever an aircraft crashes SOMETHING AIN'T RIGHT. This case is no different. So far there is no evidence (that we know of) to prove that the "something" is a failure of the aircraft's design logic or system operation.

And yet, despite that lack of evidence we seem to have a certain portion contributing to this thread who are running around waving voodoo dolls and talking as if there's an Airbus designed bogeyman hiding behind the cockpit door just waiting to snatch innocent pilots in their sleep. Meanwhile another portion, who are mostly not actual operators of the systems, but who believe that the scary stories told must be true, have become aircraft design experts bent to the task to the of finding the right clove of garlic or sachet of pixie dust to hang around our necks so we can ward off the evil spirits. Strangely though, neither of these parties when asked will tell you they've actually seen the beast in the flesh. They simply know it all to be true because the stories told around the campfire were too convincing for it not to be so.

Frankly I find that frustrating. That individuals such as yourself who hold significant professional qualifications in the industry can be persuaded to move so quickly from rational analysis to heresay and suspicion as your basis for conclusions is depressing. This is not a governing philosophy that will improve the safety of our industry, and yet pretty much every time an Airbus is involved in an accident we hear the same howling at the moon and baying of the hounds eminating from across the foggy moors. I suggest that it's time to restrain our imaginations just a bit and let Sherlock Holmes get to his work. So far most of the conclusions posted here have the hallmarks of Dr. Watson: all observation and no analysis.

But, unless you yourself put the arsenic in the tea, how do you know that the arsenic is there? You may be anti-arsenic, but it's the cup of tea that you've turned down. And if it wasn't you who had their hands on the arsenic how do you know there's none in the cup of coffee that you chose instead?

ELAC

SoaringTheSkies

Elac,

I'm not sure if or how much of your rant is directed at me, but:

I'm convinced you don't think that the development departments of any airplane manufacturer is fully staffed with high time pro pilots but with regular software engineers, hardware people and the like.

I for one am not a pro pilot, which is a choice I made (or rather didn't make) long time ago (and I don't work in he aircraft industry either, just for the record).

I've spent a considerable amount of my professional life working with logic systems and state machines, both in hardware and software.
I might not be qualified to judge airmanship, but that is exactly the reason why I'm looking at the systems level and think about omissions or flaws there.
I have designed state machines that failed in vivo because they experienced input that I had not foreseen. In my case, the failure was usually some computer-computer communications breaking down, not people dying. I usually did not blame those failures on the environment not behaving as I had thought it would when I designed my logic.

I'm also not contra Airbus, but for some reason, they're the ones that seem to get entangled into such events. I'm sure there's mutliple reasons for that. They've been the first to manufacture a fully FBW airliner, they've had spectacular accidents partly attributed to the computerized flight system by the media etc.
Boeing's decision to use the same warning horn for two different conditions as detailed in the Helios case is just as questionable.

I don't care who builds a system, but I do care for systems that are resilient enough so that the inevitable human error does not lead to disastrous failure.

pj

PBL

I am somewhat puzzled (not to say tired of seeing the same rather unilluminating arguments) about this A vs. B polarity. It is asymmetrical: B-lovers complaining that the A-system is inappropriate, not the other way round. So I went to the ASN database to look to see if it had any justification in history.

The comparable types are B737-300/400/500, which was introduced in 1984, 4 years earlier than the A320 family.

The B733/4/5 ("CFM Classic" as Flight International calls them; I shall say "B733series" hereafter) counts 1,988 delivered as of October 2006 (Flight International, 24-30 October 2006). The A320 family counts 2,880 delivered by the same date (op. cit.). So the A320 family has some 45% more aircraft flying than the B733series.

The A320 family has 40 incidents in the DB with 19 hull losses. The B733/4/5 has 40 incidents in the DB with 28 hull losses.

The A320 family has suffered the following incident types:
* 0 LOC
* 0 flameout
* 7 rwy excursion on landing
* 2 hard landing
* 4 CFIT on approach
* 2 RTO + excursion
* 3 mechanical or system failure
* 2 systems-mishandling
* 1 airshow mishandling
* 3 rwy incursion
* 8 hijack or passenger disturbance
* 3 hangar fire
* 2 ground-personnel mishandling
* 1 act of war
* 1 hailstorm damage
* 1 midair collision


The B733/4/5 has:
* 7 LOC (including US 427, and Adam Air)
* 3 flameouts
* 13 rwy excursion on landing
* 3 hard landing
* 2 CFIT
* 1 RTO + excursion
* 2 mechanical/system failure (not US 427)
* 1 system mishandling (crew incapacitated)
* 5 hijack
* 1 probable suicide (otherwise a LOC)

Differences that I would pick out as worth a very close look are:
LOC. A320 0; B733series 7
Flameout. A320 0; B733series 3
Rwy excursion on landing. A320 7; B733series 13
Hard landing. A320 7; B733series 3
CFIT on approach. A320 4; B733series 2

The only figure here that one might guess would be potentially statistically significant is the figure of rwy excursions on landing, where the B733series suffers them at three times the rate of the A320 family (about 7 per 1,000 aircraft delivered for the B733 series, 7 per 2,900 aircraft delivered for the A320 family).

But considering how many landings are made successfully,
as I mentioned earlier in the thread, something of the order of 50 million for the A320 family, and I would therefore guess two-thirds of this for the B733series, then figures of 7, or 13, excursions say, statistically, nothing.

It also means that this polarisation (as I said, asymmetrically from Boeing-lovers) is exaggerated and the history just can't support it. But one might be forgiven for considering it amusing that apparently some Boeing drivers wouldn't step in an Airbus even though their planes have run off the runway rather more often.

PBL

ELAC

I'm sorry but the only reference you made to your experience was in post #565, some 800 odd posts back when you said:

That took a while to find and is a fair ways back, so it's not surprising that the basis for your conclusions is going to be questioned, as it seems it should be. Now,

Exactly as the case would be if you were operating an A320. In fact I attended a presentation in 1999 by Grupo Taca specifically regarding A320 operations to TGU. Their conclusion was:

As to,

In subsequent discussions with some of the TACA pilots at the time I was told that there was an airfield in their system with a runway of less than 5000' in length that the A320 was regularly operated to. I'm a bit hazy on the details but I don't think these guys are any less concerned about their aircraft's capabilities than you are, and in this case they have the benefit of knowing how the A320 actually works.

Of course there are such reports, as there are for all reasonably automated aircraft including the B757. Airbus hasn't cornered the market on this. Perhaps you are using a mental filter that only sees one set of reports and not the other. A friend of mine had the opportuniity to go back to flying the B737 and then B757 after a number of years on the A320 and A330. Though he likes the B757 he often comes back grumbling and griping about what he considers the less effective Boeing designs ... and that's after about 4 or 5 years in the left seat of the B757. So whose friend is more right? Frankly either pilot's observations are insufficient for you to make a declarative conclusion regarding something of which you have little first hand knowledge but hold a strong personal bias about.

This is a debate that has a great deal of merit and should continue to be explored, but it has nothing to do with A vs. B or B757 vs. A320. As a pilot who has flown both I have seen no practical difference between the A320 and B757 in terms of recognition and response to braking effectiveness. More generally global accident rates have declined significantly over the generation since highly automated aircraft became a part of the world fleet. You don't think that's entirely coincidental do you?

ELAC