PPRuNe Forums (https://www.pprune.org/)
-   Rumours & News (https://www.pprune.org/rumours-news-13/)
-   -   Spanair accident at Madrid (https://www.pprune.org/rumours-news/339876-spanair-accident-madrid.html)

MUC089 27th Sep 2008 09:01

Just a little design fault?
 
Engineers in aviation and marine do in my opinion excellent jobs. They design the equipment to work properly in nearly every condition - fail safe or fail tolerant, depending on the case.

Let's have a look back at the schematic circuit from entry #1936. You see the left and right circuits; for notably important systems they are redundant (activated from left OR right circuit). An activated relay means the aircraft is on the ground. The most probable way for a relay to fail is that it cannot be activated, which means in this case that the aircraft is in the air. So far perfect...

... with one exception: the TOWS is extremely important in ground mode - but is deactivated when the corresponding relay R5-2 fails.

Wouldn't it be better/safer to deactivate the TOWS - exactly like the aviation relevant systems - by activating a relay?! Better a warning signal too much than missing one.

Bis47 27th Sep 2008 09:04

Look at training records ...
 
Since this accident seems to be traced to poor airmanship both from the crew and from the technicians as well, I think that the judge in charge should pay a lot of attention to the details of the crew and technician training - in general.

Looking also at the details of the trainers as well ... At the details of the quality managers, the quality auditors, the "safety officer" ... all those who are responsible for overseeing the quality of the trainings, and improving the level of safety above bare legal (formal) minimums ...

I include the "authorities", who are responsible for effectively overseeing the airline practices. Lot of people? Well, a lot of people lost their lives; they deserve some real investigation.

If those who are "at the top" don't feel involved in this accident, they should be, by legal prosecution.

Swedish Steve 27th Sep 2008 10:45


Wouldn't it be better/safer to deactivate the TOWS - exactly like the aviation relevant systems - by activating a relais?! Better a warning signal too much than missing one.
Very good point. I thought of this a few days ago when the circuit was published. Why have a relay activate RAT heating and deactivate TOWS? They should be split so that the relay goes to the correct phase when it fails, i.e., when relaxed it should give RAT heating and TOWS active.


I suspect along with other sensors, wheel-truck tilt on the B777 is used for air/ground sensing.
Stop suspecting because you suspect wrong.
The B777 uses a strain gauge in the undercarriage support beam to detect weight on wheels.

Finn47 27th Sep 2008 15:55

I find it rather unusual that Interpol has been asked to join the investigation:

Report: Interpol joins investigation into Spanair accident : Europe World

forget 27th Sep 2008 15:59

I'm as curious as Swedish Steve on why that configuration was chosen. There has to be a good reason --- I suppose. :confused: I'm also curious as to the history of Take-Off Configuration Warnings. The first one I saw was on a Gulfstream II, built around 1970? Yet Boeing claim a US Patent on the bones of any system, in 1978. I know something of Patents and the GII system predates the Boeing claims - no doubt. More to the point, if the Boeing Patent was valid, the GII being much simpler, it says there was no Take-Off Configuration Warning (as we now understand it) prior to 1978.

United States Patent 4,121,194
Downey, et al. October 17, 1978
Assignee: The Boeing Company (Seattle, WA)

Take-off warning system for aircraft.

Abstract. A logic controlled take-off warning system having a circuit for enabling the logic controlled take-off warning system at engine thrust levels exceeding a predetermined value which is less than minimum take-off thrust of the aircraft and greater than thrust required for normal ground operations, provided also that the aircraft is on the ground. When the logic controlled take-off warning system is enabled, a take-off warning horn is subsequently energized when any one of a plurality of undesired take-off configurations exists.

PJ2 27th Sep 2008 16:13

Swedish Steve:


Stop suspecting because you suspect wrong.
The B777 uses a strain gauge in the undercarriage support beam to detect weight on wheels.

It seemed a natural, as that's the way the 767 does it, but I do indeed suspect wrong; thank you for the correction.

HarryMann:
Further to your question regarding cockpit indications, the 767-300 does indeed present an "EICAS" message to indicate a fault with the air-ground sensing system. The message is "AIR/GND SYS" or "NOSE A/G SYS". The AOM states that if the message is present, "Affected equipment and systems will not operate normally and therefore takeoff is not allowed".

HarryMann 27th Sep 2008 16:23

Thanks PJ2...

I'm still thinking that rather than a warning as such, on legacy (crude?) system aircraft, a simple readout display saying what state the Air/Ground system 'thinks' it's in would be easy to refer to... prior to approach and land, one wouldn't want it saying 'GROUND', and vice versa prior to take-off... it doesn't matter so much whether it's working or not, but its current 'state' is important for the crew to know?


They should be split so that the relay goes to the correct phase when it fails, i.e., when relaxed it should give RAT heating and TOWS active.
As someone said, would be nice to know why this default wasn't chosen? It might have been due to more complexity and yet another relay being required in the chain...

PJ2 27th Sep 2008 16:56

HarryMann;

would be nice to know why this default wasn't chosen?
Likely because it's a very old system and at the time no one thought it necessary to guard against such a "fundamental" error. A host of side-issues accompany any such designs, such as certification, robustness, likelihood of failure and risk-analysis of the consequences of failure (i.e., would a "single-point" failure cause "loss of the vehicle", to use NASA's terminology in examining the shuttle systems).

Likely in an engineer's mind there are many scenarios against which the design must protect itself in the various ground and flight regimes either through self-diagnosis and correction (switch-over to alternate system), or through warnings to operators, (crew, maintenance) and this scenario didn't make it at the time for the reason stated. "What if" is an expensive and time-consuming question and must be triaged as any risk-intensive endeavour. I suspect you probably know all this so I say this for the sake of the dialog.

forget 27th Sep 2008 19:07


As someone said, would be nice to know why this default wasn't chosen? It might have been due to more complexity and yet another relay being required in the chain...
The odd thing (to me) is that many systems receive Air/Ground logic from two independent relays fed from two independent buses. I assume that the signal is commoned at single target systems so one relay failure won't have a dramatic effect.

These systems include Stall Warning; AC Cross Tie; Approach Idle; ATC.

But look at the Take Off Warning. One relay only, when relay R2-106 on the opposite bus has unused contacts which could easily have been used to give TOWC dual inputs. … and yet another relay being required in the chain... Not so, it seems.

I'm missing something here. If previous Air/Ground TOWC incidents could have been prevented by a very simple Mod then it would have been done. Wouldn't it?

HarryMann 27th Sep 2008 20:32


and yet another relay being required in the chain... Not so, it seems.
I was thinking that another relay would be required to reverse the default logic, to turn it on when the trigger signal is off, or missing...

Maybe some of this will come out in the inquiry, but as PJ2 says, at the time, the TOWS was maybe not an afterthought, but not given much priority.

It may also be a case of, once you have a warning system to fall back on, that pre-take-off 'killer item' checklists become less imperative and more of a chore....
As in business, 'fail to plan' and you 'plan to fail'...

"Planning is bringing the future into the present so that you can do something about it now" - before it's too late

snowfalcon2 27th Sep 2008 21:54


Wouldn't it be better/safer to deactivate the TOWS - exactly like the aviation relevant systems - by activating a relay?! Better a warning signal too much than missing one.
Your question is very valid. But I'm not so sure I agree with "Better a warning signal too much than missing one". I believe many studies have shown that too many false alarms affect the attitude of the crew so that real alarms might not get the attention they deserve.

And at least in this particular TOWS circuit, your proposed relay logic would in case of relay failure [unless the TOWS includes some additional smart logic that I have missed] trigger an alarm that would sound during the whole flight as long as flaps are retracted. Does not sound like a viable solution. It would need some additional logic to enable the crew to inhibit that alarm, introducing additional potential points of failure in the TOWS system.

Today's computer systems give a totally different capability to design an idiot-proof air/ground sensing system. But the MD-80 was certified in 1980 when microprocessors were in their infancy.

Pinkman 27th Sep 2008 21:57

...and of course we're all assuming that there were no electrical modifications in the aircraft history. Given its previous owners, who knows?

Not saying that it's the case, but some of the unauthorised 'mods' I've read about over the years on pprune make me :eek:. Could be yet another gap in the gruyere.

sevenstrokeroll 27th Sep 2008 22:37

Am I alone in thinking the following:

After ANY sort of MX, a pilot always suspects that something could go wrong that wasn't previously suspect?

That you should always check the circuit breaker panel?

HarryMann 27th Sep 2008 22:39


when Gruyère gained Appellation d'Origine Contrôlée (AOC) status as a Swiss cheese, some controversy existed whether French cheeses of a similar nature could also be labeled Gruyère. (French Gruyère-style cheeses include Comté and Beaufort.) French Gruyère-style cheeses must have holes according to French agricultural law, whereas Swiss Gruyère is a solid cheese with no holes.
Emmental maybe?

Gargleblaster 27th Sep 2008 22:55

To me this sounds like a classic "man-machine", or usability, problem:

A system (in this case an aircraft) should indicate to the user (the pilots) which state it thinks it is in, e.g. sitting on the ground or in the air.

Since there's a number of important systems and warnings relying on this, any fault indication should be a no-go.

Hence needed: 1) An indication to the pilots which state the AC thinks it is in 2) a checklist item verifying this.

Likewise, anything the system does automatically for the user, it should inform about. On the DC9 or MD8XX that crashed after departure from Arlanda 15-20 years ago, the captain didn't know that an auto-thrust system was acting on his behalf, which wrecked the engines leading to the crash (power lost due to ice ingestion, system increased thrust even more, more ice ingested, even more thrust applied, resulting in titanium fire).

I may very well be seeing this from an uninformed and overly theoretical angle. I stand to be corrected.

justme69 28th Sep 2008 06:10

Well, it seems at this point that the airplane was in the correct air/ground mode. The front (and back) wheel switches were (likely) in the correct logic state.

It was just one out of dozens of relays that failed to act correctly upon this air/ground signal, affecting ultimately only two components out of more than a hundred that depend on ground/air activation: the RAT probe heater and the TOWS (the other two systems wired to this relay being redundantly serviced from other, working relays).

If you put a couple of indicators in the cockpit wired to the ground sensors ... the airplane would've correctly indicated it was on the ground.

The change from ground to air mode was even signaled to the DFR correctly, as all the relays depending on it worked except for one (it seems).

I think the MD-82 "works", as we have seen the reasonable safety record considering how old it is, but it is indeed a bit "underdesigned" when it came to the alarm for a "potential killer item". It has a single "common" point of failure that gives very little/no warning. Maintenance manuals must CLEARLY include that a probe heater on on the ground must immediately make one suspect an inop TOWS.

Boeing solved the problem the best and cheapest way possible though: don't ever TO w/o checking TOWS first soon before.

Making modifications to the plane also introduces new, unknown risks, so it's not as simple as throwing in a couple of diagnosis or status lights which, BTW, can also fail on their own or be overlooked. I'm not saying they shouldn't study some simple one that could increase the reliability of the system.


...and of course we're all assuming that there were no electrical modifications in the aircraft history. Given its previous owners, who knows?

The judge has requested the police to find the entire history of the airplane since the day it was manufactured, including any and all modifications done by previous owners.

snowfalcon2 28th Sep 2008 08:46


"underdesigned" when it came to the alarm for a "potential killer item".
While I don't disagree that the air/ground sensing system may not be perfect, let's not forget that the first-level "killer item" is to set the flaps, as described in the before-take-off checklist. TOWS is the second-level safety feature for that one. Then we may argue if an air/ground sensor failure alarm that would be a safety feature for inoperative TOWS is on the same or the next level. Anyway there is a limit for how many levels of fault detection, redundancy and fault tolerance are practical before the solution becomes more failure-prone than the item it's designed to protect.

Some pages back I think it was suggested that the TOWS logic should preferably be completely inverted, i.e. instead of alarming when something is wrong it would report "good to go" if and only if all sensor inputs positively indicate so. Something to think about.

FrequentSLF 28th Sep 2008 10:04


While I don't disagree that the air/ground sensing system may not be perfect, let's not forget that the first-level "killer item" is to set the flaps, as described in the before-take-off checklist. TOWS is the second-level safety feature for that one. Then we may argue if an air/ground sensor failure alarm that would be a safety feature for inoperative TOWS is on the same or the next level. Anyway there is a limit for how many levels of fault detection, redundancy and fault tolerance are practical before the solution becomes more failure-prone than the item it's designed to protect.
Some posts mention that the MD80 TOWS shall be checked before every flight. IMHO a level 2 safety shall catch a level 1 failure, but if the level 2 has to be checked, it is not doing the job it was designed for.

HarryMann 28th Sep 2008 13:16


Some posts mention that the MD80 TOWS shall be checked before every flight. IMHO a level 2 safety shall catch a level 1 failure, but if the level 2 has to be checked, it is not doing the job it was designed for.
That is something else I was trying to get at... level 2 should be automatically checked not manually and engineered to fail-safe... and hence report problem if there is one or system is not working, or fails self-test.

PJ2 28th Sep 2008 17:56

snowfalcon2, HarryMann;

instead of alarming when something is wrong it would report "good to go" if and only if all sensor inputs positively indicate so.
Again, for information only, the "good to go" design philosophy was incorporated into the Airbus A320/A340 series aircraft. Testing the "TOWS", called the "T.O. CONFIG" is part of the Before Takeoff Check. This system checks the killer items plus a few others:

Slats/Flaps not in takeoff range - Red Warning
Pitch Trim not in takeoff range - Red Warning
Rudder Trim not in takeoff range, (A319, A321) - Red Warning
Speed Brake not retracted - Red Warning
Sidestick Fault - Red Warning
Brakes Hot - Amber warning
Doors - Amber warning
Park Brake ON - Red Warning
Flex Temp not set - Amber Warning

All warnings are accompanied by an auditory warning.
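As an added illustration, not part of any post in this thread, here is a small Python model of the relay-wiring options argued above by MUC089, Swedish Steve, forget and snowfalcon2, together with the positive "good to go" logic snowfalcon2 and PJ2 describe. The relay names R5-2 and R2-106 are taken from the posts; the contact arrangements, the "fails to energize" assumption and the check items are assumed for illustration only.

```python
"""Fault-mode model of the TOWS air/ground wiring options argued in this thread.
Constructed for illustration, not the MD-82 schematic: relay names R5-2 and
R2-106 come from the posts; contact arrangement and behaviour are assumed."""
from itertools import combinations, product

def relay_reads_ground(on_ground, energized_on_ground, failed):
    # Thread's assumption: the likely fault is a coil that cannot energize,
    # so a failed relay always looks relaxed, whatever the true phase.
    should_energize = on_ground if energized_on_ground else not on_ground
    energized = should_energize and not failed
    return energized == energized_on_ground

def tows_as_built(on_ground, failed):
    # R5-2 energized on the ground, TOWS on its energized contact: a relay
    # that fails to pull in disarms TOWS with nothing to tell the crew.
    return relay_reads_ground(on_ground, True, "R5-2" in failed)

def tows_armed_when_relaxed(on_ground, failed):
    # Swedish Steve's split: relay energized in the AIR, TOWS on the relaxed
    # contact. A failed relay keeps TOWS armed, in flight too (snowfalcon2).
    return relay_reads_ground(on_ground, False, "R5-2" in failed)

def tows_dual_feed(on_ground, failed):
    # forget's idea: second ground signal from R2-106 on the other bus,
    # commoned so either relay reading 'ground' arms TOWS.
    return any(relay_reads_ground(on_ground, True, r in failed)
               for r in ("R5-2", "R2-106"))

def assess(design, relays):
    """Classify the crew's outcome for every flight phase x set of failed relays."""
    failure_sets = [frozenset(c) for n in range(len(relays) + 1)
                    for c in combinations(relays, n)]
    report = {}
    for on_ground, failed in product((True, False), failure_sets):
        armed = design(on_ground, failed)
        if on_ground:
            verdict = "protected" if armed else "silent loss of protection"
        else:
            verdict = "nuisance alarm in flight" if armed else "quiet"
        report[(on_ground, failed)] = verdict
    return report

def takeoff_config_check(relay_says_ground, items_ok):
    """'Good to go' logic (snowfalcon2, PJ2): GO only when every input positively
    confirms; an input that cannot confirm is an annunciated NO-GO, not silence."""
    missing = [name for name, ok in items_ok.items() if not ok]
    if not relay_says_ground:
        missing.append("air/ground sensing")
    return "GO" if not missing else "NO-GO: " + ", ".join(missing)
```

Running `assess` over the three designs shows the trade-off the thread circles around: the as-built wiring fails silent on the ground, the relaxed-contact wiring fails loud in the air, and the dual feed tolerates one failure but not two.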




Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.