forget

I'm as curious as Swedish Steve on why that configuration was chosen. There has to be a good reason --- I suppose. I'm also curious as to the history of Take-Off Configuration Warnings. The first one I saw was on a Gulfstream II, built around 1970? Yet Boeing claim a US Patent on the bones of any system, in 1978. I know something of Patents and the GII system predates the Boeing claims - no doubt. More to the point, if the Boeing Patent was valid, the GII being much simpler, it says there was no Take-Off Configuration Warning (as we now understand it) prior to 1978.

United States Patent 4,121,194
Downey , et al. October 17, 1978
Assignee: The Boeing Company (Seattle, WA)

Take-off warning system for aircraft.

Abstract. A logic controlled take-off warning system having a circuit for enabling the logic controlled take-off warning system at engine thrust levels exceeding a predetermined value which is less than minimum take-off thrust of the aircraft and greater than thrust required for normal ground operations, provided also that the aircraft is on the ground. When the logic controlled take-off warning system is enabled, a take-off warning horn is subsequently energized when any one of a plurality of undesired take-off configurations exists.

PJ2

Swedish Steve:
It seemed a natural, as that's the way the 767 does it, but I do indeed suspect wrong; - thank you for the correction.

HarryMann:
Further to your question regarding cockpit indications, the 767-300 does indeed present an "EICAS" message to indicate a fault with the air-ground sensing system. The message is "AIR/GND SYS" or "NOSE A/G SYS". The AOM states that if the message is present, "Affected equipment and systems will not operate normally and therefore takeoff is not allowed".

HarryMann

Thanks PJ2...

I'm still thinking that rather than a warning as such, on legacy (crude?) system aircraft, a simple readout display, saying what state the Air/Ground system 'thinks' its in would be easy to refer to... prior to approach and land, one wouldn't want it saying 'GROUND' and vice versa prior to take-off .. doesn't matter so much whether it's working or not, but it's current 'state' is important for the crew to know?

As someone said, would be nice to know why this default wasn't chosen? It might have been due to more complexity and yet another relay being required in the chain...

PJ2

HarryMann;
Likely because it's a very old system and at the time no one thought it necessary to guard against such a "fundamental" error. A host of side-issues accompany any such designs, such as certification, robustness, likelihood of failure and risk-analysis of the consequences of failure, (ie, would a "single-point" failure cause "loss of the vehicle", to use NASA's terminology in examining the shuttle systems).

Likely in an engineer's mind there are many scenarios against which the design must protect itself in the various ground and flight regimes either through self-diagnosis and correction (switch-over to alternate system), or through warnings to operators, (crew, maintenance) and this scenario didn't make it at the time for the reason stated. "What if" is an expensive and time-consuming question and must be triaged as any risk-intensive endeavour. I suspect you probably know all this so I say this for the sake of the dialog.

forget

The odd thing (to me) is that many systems receive Air/Ground logic from two independent relays fed from two independent buses. I assume that the signal is commoned at single target systems so one relay failure won’t have a dramatic affect.

These systems include Stall Warning; AC Cross Tie; Approach Idle; ATC.

But look at the Take Off Warning. One relay only, when relay R2-106 on the opposite bus has unused contacts which could easily have been used to give TOWC dual inputs. … and yet another relay being required in the chain... Not so, it seems.

I'm missing something here. If previous Air/Ground TOWC incidents could have been prevented by a very simple Mod then it would have been done. Wouldn't it?

HarryMann

I was thinking that another relay would be required to reverse the default logic, to turn it on when the trigger signal is off, or missing...

Maybe some of this will come out in the inquiry, but as PJ2 says, at the time, the TOWS was maybe not an afterthought, but not given much priority.

It may also be a case of, once you have a warning system to fall back on, that pre-take-off 'killer item' checklists become less imperative and more of a chore....
As in business, 'fail to plan' and you 'plan to fail'...

“Planning is bringing the future into the present so that you can do something about it now” - before its too late

snowfalcon2

Your question is very valid. But I'm not so sure I agree with "Better a warning signal too much than missing one". I believe many studies have shown that too many false alarms affect the attitude of the crew so that real alarms might not get the attention they deserve.

And at least in this particular TOWS circuit, your proposed relay logic would in case of relay failure [unless the TOWS includes some additional smart logic that I have missed] trigger an alarm that would sound during the whole flight as long as flaps are retracted. Does not sound like a viable solution. It would need some additional logic to enable the crew to inhibit that alarm, introducing additional potential points of failure in the TOWS system.

Today's computer systems give a totally different capability to design an idiot-proof air/ground sensing system. But the MD-80 was certified in 1980 when microprocessors were in their infancy.

Pinkman

...and of course we're all assuming that there were no electrical modifications in the aircraft history. Given its previous owners, who knows?

Not saying that its the case, but some of the unauthorised 'mods' I've read about over the years on pprune make me . Could be yet another gap in the gruyere.

sevenstrokeroll

Am I alone in thinking the following:

After ANY sort of MX, a pilot always suspects that something could go wrong that wasn't previously suspect?

That you should always check the circuit breaker panel?

HarryMann

Emmental maybe?

Gargleblaster

To me this sounds as a classic "man-machine", or usability problem:

A system (in this case an aircraft) should indicate to the user (the pilots) which state it thinks it is in, e.g. sitting on the ground or in the air.

Since there's a number of important systems and warnings relying on this, any fault indication should be a no-go.

Hence needed: 1) An indication to the pilots which state the AC thinks it is in 2) a checklist item verifying this.

Likewise, anything the system does automatically for the user, it should inform about. The DC9 or MD8XX that crashed after departure from Arlanda 15-20 years ago, the captain didn't know that an auto-thrust system was acting on his behalf, which wrecked the engines leading to the crash (power lost due to ice ingestion, system increased thust even more, more ice ingested, even more thrust applied, resulting in titaninum fire).

I may very well be seeing this from an uninformed and overly theroretical angle. I stand to be corrected.

justme69

Well, it seems at this point that the airplane was in the correct air/ground mode. The front (and back) wheel switches were (likely) in the correct logic state.

It was just one out of dozens of relays that failed to act correctly upon this air/ground signal, affecting ultimately only two components out of more than a hundred that depend on ground/air activation: the RAT probe heater and the TOWS (the other two systems wired to this relay being redundantly serviced from other, working relays).

If you put a couple of indicators in the cockpit wired to the ground sensors ... the airplane would've correctly indicated it was on the ground.

The change from ground to air mode was even signaled to the DFR correctly, as all the relays depending on it worked except for one (it seems).

I think the MD-82 "works", as we have seen the reasonable safety record considering how old it is, but it is indeed a bit "underdesigned" when it came to the alarm for a "potential killer item". It has a single "common" point of failure that gives very little/no warning. Maintenance manuals must CLEARLY include that probe heater on the ground inmediately must suspect inop TOWS.

Boeing solved the problem the best and cheapest way possible though: don't ever TO w/o checking TOWS first soon before.

Making modifications to the plane also introduces new, unknown risks, so it's not as simple as throwing in a couple of diagnosis or status lights which, BTW, can also fail on their own or be overlooked. I'm not saying they shouldn't study some simple one that could increase the reliability of the system.

The judge has requested the police to find the entire history of the airplane since the day it was manufactured, including any and all modifications done by previous owners.

snowfalcon2

While I don't disagree that the air/ground sensing system may not be perfect, let's not forget that the first-level "killer item" is to set the flaps, as described in the before-take-off checklist. TOWS is the second-level safety feature for that one. Then we may argue if an air/ground sensor failure alarm that would be a safety feature for inoperative TOWS is on the same or the next level. Anyway there is a limit for how many levels of fault detection, redundancy and fault tolerance are practical before the solution becomes more failure-prone than the item it's designed to protect.

Some pages back I think it was suggested that the TOWS logic should preferably be completely inverted, i.e. instead of alarming when something is wrong it would report "good to go" if and only if all sensor inputs positively indicate so. Something to think about.

FrequentSLF

Some posts mention that the MD80 TOWS shall be checked before every flight. IMHO a level 2 safety shall catch a level 1 failure, but if the level 2 has to be checked is not doing the job for what was designed.

HarryMann

That is something else I was trying to get at... level 2 should be automatically checked not manually and engineered to fail-safe... and hence report problem if there is one or system is not working, or fails self-test.

PJ2

snowfalcon2, HarryMann;
Again, for information only, the "good to go" design philosophy was incorporated into the Airbus A320/A340 series aircraft. Testing the "TOWS", called the "T.O. CONFIG" is part of the Before Takeoff Check. This system checks the killer items plus a few others:

Slats/Flaps not in takeoff range - Red Warning
Pitch Trim not in takeoff range - Red Warning
Rudder Trim not in takeoff range, (A319, A321) - Red Warning
Speed Brake not retracted - Red Warning
Sidestick Fault - Red Warning
Brakes Hot - Amber warning
Doors - Amber warning
Park Brake ON - Red Warning
Flex Temp not set - Amber Warning

All warnings are accompanied by an auditory warning.

FrequentSLF

PJ2

Being a SLF I stand to be corrected.
But what you mentioned sounds more like a check list of the killer items, not a comprehensive "go configuration". IMHO the two thinks are different. What will happen to such list if the a/c "thinks" to be in air mode? Maybe the Airbuses are more sophisticated than MD80...

PJ2

FrequentSLF;
It's definitely as close to a "good to go" system as one can get withtout walking back to physically check the slats, (and let's not get into that unproductive discussion again!), and is not a "checklist" except in the most generic way. The crew are not involved in the automatic check except for pushing the "TO Config" button. It takes about 2 seconds for the system to indicate that the aircraft is configured correctly for a safe takeoff or there is a problem. Either way, there is a clear and unmistakable annunciation to the crew.

Without any intention of starting the usual comparison discussions, I think all here who fly would agree that the Airbus 320/340 design concepts and execution are more sophisticated than the MD80 series simply because twenty-plus years separate their initial design stages. That said, controversy will always surround which is better. So far, with Airbus 320/340 series anyway (as that's what I flew for the past sixteen years before retiring) I am unaware of a single "air/ground" sensing problem. It is possible to takeoff with an incorrect flap setting but that is a performance error associated with the calculation of takeoff data. A number of serious tailscrapes and even fatal accidents have resulted from this error but that is not associated with the TOWS. As has been pointed out a number of times by different contributors, the slats are the critical flight control surface, being "worth" between 20 and 50 knots when considering stall speeds, depending of course on other factors, (WAT limits, etc).

A stuck and/or overpressurized nosegear oleo can put older designs into the "air" mode - it's happened before although we don't know for sure such a cause occurred here - I think the Spanair accident has deeper roots both in, broadly speaking, management of training, and narrowly speaking, in reasons the aircraft was likely in the "air" mode which may not be wholly associated with the nosegear switch(es).

Although one can never pronounce with 100% assuredness especially with the Airbus, for reasons already given, the same circumstances are not likely to occur in the B767/B777 or the Airbus series under discussion. The systems are, in other words, more robust than previous designs, again, likely for reasons given (in response to HarryMann).

The Airbus has other traps for young and/or inexperienced players but not likely this one.

PJ2

BOAC

- agreed, but again isn't EVERY system only as good as its weakest link? What about a software bug or stray minivolt that says flaps are 'OK' when they are not? No different in reality to the MD80 TOWS, although 'better and cleverer'. What it comes down to is, while we have 'umans up front, we need to make sure THEY get it right. Then even with a duff TOWS or AB thingy, it still flies - from the correct runway.

Somewhere else on PPRune there was a suggestion of having 'killer items' checked as an SOP on entering the runway. I fully support that and have been doing it for many years (silently) as it is 'frowned upon' in the SOP driven airlines with whom I have worked - "not necessary if you do the checklist properly, young man" (QED?). I saw in a thread that some airlines (?PanAm?) taught it. Certainly I was used to fast jet military where we had these checks taught. I still think that a simple check by US is the best way forward - cheap, reliable and effective and hopefully not thwarted by some relay or other or software issue. It is an admission of human falability I (and everyone) should readily accept and not fight.

PJ2

BOAC;
Of course one may paint devils on the wall at every turn with "what if...?" scenarios, essentially making the entire business impossible through possibilies. I will leave software and microchip robustness and probability of error in terms of "stray minivolts" to members like Bernd and others who have indicated a specialized knowledge of such systems. I think it is sufficient to say that software and stray electrons in and of themselves have not shown any, let alone moderate risk, and will do and perform exactly as designed, as they did for example with the B2 bomber accident at Guam, the 320 Idle-Open descent accident at Madras, the incorrectly connected spoilers of a Lufthansa 320, etc. I think it isn't unreasonable to rate the chances of such a system (the two SFCC's) either not extending the slats when commanded, while indicating on the ECAM that they were, and/or a TO Config system going astray and missing the slats/flaps not being in the takeoff position, as being about the same as, say, an N1 manufacturing error in an ingot of titanium years later causing a disc disintegration and loss of four hydraulic systems followed by a partially-successful crash landing, as being about equal...

I could not agree more strongly - training, training, training and checking that the standard hasn't slipped. In my view we ought not to even need a TOWS, but there it is. Aside from the human factors involved, we might broach the question as to why these systems have indeed actually grown more involved and "active". Why is that?, one wonders...