PPRuNe Forums

Spanair accident at Madrid (https://www.pprune.org/rumours-news/339876-spanair-accident-madrid.html)

safetypee 30th Sep 2008 13:05

Bis47, you have a very jaundiced view of manufacturers.
In addition to the test pilots, most manufacturers have many training Captains, highly experienced in airline operations. Furthermore, many operators (flight and ground crews) will participate in the final certification flight trials involving workload, reliability, and ‘operability’.
To design and build a successful aircraft the manufacturer must have a sound grasp of the market, which is normally centered on safe as well as economic operations.

The manufacturer’s initial checklists are approved by the certification agency; operators may change these with the regulatory authority’s approval (no technical objection), but normally the operator is referred to the manufacturer as the content and order of checks may have been chosen to meet certification requirements, e.g. frequency of first flight checks vs forecast system reliability.

If, as is possible in this accident, the reliability of a system is questioned, then the frequency or order of a check can be changed. However, the manufacturer and certification authority have to ensure that no new problems are introduced by the change, e.g. if crews should check the config warning system (test the horn) before each flight in addition to the pre take-off config check (no horn), what are the safeguards against crews becoming so familiar with hearing a horn they mistake it as the normal condition where there is actually a failure?
Many might argue that this ‘could not’ happen – it wouldn’t happen to me … (the old view of human error). However, the same might be said for the probability of taking-off without flaps, either due to both crew members suffering error and/or a system failure; checklists are designed to prevent this, to achieve safety in proportion to the risk of introducing other problems.

If a major contribution to this accident is human error, then the investigation needs to look deeper for the reasons why the human(s) suffered error. What is the frequency of system failures, how often are system faults misdiagnosed / inappropriately repaired, mal-use of MEL, and how often do crews forget to set flaps – to be caught by someone / something - ‘last minute checks’? This is best achieved in a no blame environment.

All of us should review our normal operations – not what the SOPs say, but what we actually do, our norms / habits. Amongst these might be some examples of the defenses which achieve the required level of safety in operations, even though we face the same problems identified in this accident, i.e. what do we do every day to ensure safety.
How do we identify mis-selection of flaps, how often do we detect other mistakes, and how is this achieved – we have to identify the successful ‘norms’ and the reason for them, and then if necessary, change the checks.

Bis47 1st Oct 2008 07:28

Theory versus practice
 

Originally Posted by safetypee
In addition to the test pilots, most manufacturers have many training Captains, highly experienced in airline operations. Furthermore, many operators (flight and ground crews) will participate in the final certification flight trials involving workload, reliability, and ‘operability’

Hmmm!

Did Boeing seek advice from all those experienced people to react to a design flaw (TOWS) by a simple (and ineffective) recommendation?

Did Airbus really care about airline pilots' defiance against their "engineers" philosophy? How many accidents (stupid accidents) or serious incidents in Toulouse?

Sure, manufacturers know their aircraft. Sure they compile most accident/incident reports, worldwide.

Chief pilots are interested too, and they have their own analysis. They can have better solutions to avoid new occurrences in view of the specific context of their own operations ...

paull 1st Oct 2008 07:40

Got any stats - How often do people forget.
 
Surely someone on this thread knows how frequently a TOWS saves the day.
I thought that flight data was routinely downloaded and analyzed so
"How often do people forget?"

rafacub 1st Oct 2008 09:16

TOWS
 
Good point. I also think that it could be interesting to know how often the TOWS prevents pilots from taking off insecurely.

captplaystation 1st Oct 2008 10:00

More often than you want to imagine, believe me.

Hopefully this accident will make more people (silently at least, if their SOP's don't approve it) check killer items before T/O. That could be one positive legacy of this tragedy, even if other measures are not fully adopted by all the Aviation authorities.

Frangible 1st Oct 2008 12:51

"Did Boeing seek advice from all those experienced people to react to a design flaw (TOWS) by a simple (and ineffective) recommendation?"

You are undermining your own argument. The recommendation might not have been strong enough, but Boeing made it, not the chief pilot. He -- maybe not alone -- is the guy who said "this measure is not necessary".

sevenstrokeroll 1st Oct 2008 13:32

DESIGN FLAW?

Just out of curiosity, if the plane had a complete and total electrical failure, would you blame the design of the takeoff warning system for not warning the pilots?

I think this thread should be locked, and a NEW one created. TITLE: Official Report Results Madrid Crash.

Every gadget has its limitations. Every gadget has its own set of instructions to the user to make it work right.

IF the plane crashed because flaps/slats were not set properly, then BLAME SPANAIR for not training its pilots and mechanics about the plane and its systems. AND BLAME EVERY DUMB ASS CHIEF PILOT FOR NOT DEMANDING A "KILLER ITEM" CHECK ON THE RUNWAY.

FrequentSLF 1st Oct 2008 13:53


Originally Posted by sevenstrokeroll
Every gadget has its limitations. Every gadget has its own set of instructions to the user to make it work right.

A gadget that has to be tested every time before use IMHO has a design flaw.

Mad (Flt) Scientist 1st Oct 2008 14:27


Originally Posted by FrequentSLF (Post 4432651)
A gadget that has to be tested every time before use IMHO has a design flaw.

Not at all. In fact, it may well indicate that the gadget is perfectly well designed.

Checks of aircraft equipment functions that are required (whether conducted per flight, by crews, or per 1,000s of hours by maintenance) are a consequence of a need to assure a given system reliability/availability. Given the competing system design demands for function when required and no nuisance failures, a regular check may be the only suitable approach.

Consider, for example, a stall pusher system. It is necessary that it perform its intended function when necessary (i.e. 'push' at stall) but also necessary that it not push inadvertently. Failure to do the former, or doing the latter, are both critical cases. In order to ensure that the probability of an inadvertent push is sufficiently improbable, it's common to design a pusher system as dependent upon two independent inputs, and to require that both be commanding a 'push' before the push is initiated. But now, although the inadvertent push is addressed, we run the risk of a single channel failure disabling the 'push when required' case. The solution is to check, on a regular basis, that such a dormant failure is not present. The frequency of such checks is dependent upon the required failure mode probability to be achieved.

The alternative to having checks to address dormancy is to have systems with high levels of fault monitoring/detection, but that's an inherent increase in complexity, which isn't necessarily advantageous, and also again raises the system false warning rate.

FrequentSLF 1st Oct 2008 15:10

Mad (Flt) Scientist

I do agree 100% with your post, however I am disputing the "design flaw".
If I understood correctly from previous posts the "MD8X TOWS check before flight" was recommended after the aircraft entered service, therefore the system was not performing as designed, thus it is in my opinion a design flaw.

philipat 1st Oct 2008 15:23

Killer Items Final Check SOP?
 
Sevenstrokeroll:


AND BLAME EVERY DUMB ASS CHIEF PILOT FOR NOT DEMANDING A "KILLER ITEM" CHECK ON THE RUNWAY.

Reading back through this long thread, I believe that I was the first to raise this as a possible action. My suggestion, as a non-pilot, was based on logic having read the inputs from experienced pilots who did this anyway based simply on good airmanship considerations. My post was negatively responded to by experienced pilots and I, of course, accepted that. It now seems that these objections may have been as a result of "Institutionalised" responses that reflect the official view that this should not be necessary if line SOP's are followed. My original query was along the lines that if this is the case, then why do so many highly experienced pilots do this anyway? And why did PanAm and BOAC train this?

I know that technology improves and this may not apply to the latest Buses, but it still seems that there might be a need on older pre-ECAS types for a new SOP for a final check of the killer items whilst lining up OR alternatively a revision to the sequence of checks so that TO configuration is set FIRST before taxi (except when de-icing before TO) and then checked again LAST whilst lining up?

Again, as a non-pilot, I will stand corrected as necessary.

safetypee 1st Oct 2008 17:18

Checklists / SOPs are not foolproof, and aircraft are not operated by fools.
Similarly humans in design are not immune to error, but they are part of a process which has more time, skill, and facilities than the average operator for checking their proposals. But even this does not ensure an error free design, just something which is acceptable to the regulator, who, with the manufacturer, is open to operator feedback / incident reporting to trigger design improvements. A ‘design flaw’ as such might only represent the limits of knowledge at the time of design, in service knowledge provides opportunity for review and change if necessary – crew checks are an easy change, but not necessarily ‘foolproof’.

One of the cornerstones of modern safety thinking is that error, in all forms, cannot be totally eliminated; thus the object is to minimize the occurrence (design / checklist input), detect and correct the error (operator / checklist input), or minimize the consequences (design / operator input). This is the basis of an in-depth defense, which further reduces the occurrence of the combination of factors that contribute to an accident.

Even the better designed TOWS have weaknesses; e.g. what duration of operator input (button press) is required for a system to achieve a successful test - 20 ms or 2 sec - do the crew know this, do they test the system for the required time?
[Accident report somewhere (BAe146?) indicated a 20 sec TOWS reactivation time after reset, this was the 20 sec during takeoff before V1 – why did the crew reset the system, no checks, no SOPs, no knowledge, no thinking?]

One attribute of this forum is that the reality of everyday operation surfaces.
TOWS saves “More often than you want to imagine …”, and no doubt the engineers will recount similar human failings / saves during maintenance or with system reliability.
If these events are ‘relatively’ frequent, then what in our high safety industry stops them coming together? Identifying this aspect will improve safety, and might well indicate changes to checks / SOPs, which is part of an essential process of gaining experience – industry experience which goes into design/certification, corporate experience for every operator, and individual experience, which has to be shared – not left residing with each chief pilot (many of whom in my experience are not well equipped to judge modern system designs).

paull 1st Oct 2008 21:07

The numbers?
 
Sorry, I am a statistician so perhaps I am biased but I am horrified that no-one has provided statistics as to how often the KILLER ITEMS would happen without warning systems. If they really are KILLER ITEMS I would expect you all to know the percentages, just as any poker player would.

As an earlier poster mentioned there is a very real risk that the human brain has adjusted to the fact that some system is watching their back, much along the lines that wearing seat belts makes us drive faster and revert to acceptable levels of risk. (See also cycling and headgear)

So, Berndt and colleagues, what is the list of top 10 killers and what would they be without automated warning systems? I guess this is available based on the flight data that is routinely uploaded for flights that do not end in tragedy.

In something as mundane as bottling beer, it takes an average of 17 near misses to have a real accident, but if no-one counts the near misses then they are unlikely to avoid the real thing.

In all of these threads we are missing context of what is expected and what is a surprise. Why not calculate how many emergency descents we expect to have in the first 6mths of the year and ban anyone creating a thread about it until we exceed the threshold.

ATC could play back every flight-track history and calculate the chances of a positive level bust at any place or time. Compounding this with the chances of an aggravating negative level bust would tell us how often we can expect a midair collision. That way we would know what was "normal" and we could discuss only the events that surprised us.

So, what are the figures for your business, PLEASE tell me that you are more on the ball than your average bottling plant!

I think that a proper analysis of the times that all but one hole lined up in the swiss cheese is more worthwhile than examining the inevitable jackpots when it all came together. After all, better that we all learn to identify N-1 holes than we all say "it could not happen to me" on getting it all lined up.

Yours, SLF

ZQA297/30 1st Oct 2008 22:11

With tongue only halfway in cheek, I would suggest going back to the pre-jet era, when back-up warning systems were thin on the ground, and see what the statistics were like. Of course some of the newer complexities were not waiting to trap the unwary (slats, autothrottle, and autobrake come to mind, there are probably lots more) but there were old ones to substitute, prop controls, mixtures, ADI injection, supercharger, carb heat, cowl flaps, 10-tank fuel systems, etc, etc.
Of course in the old days without FDR and CVR, evidence from the smoking heap could only indicate "probable cause". Don't know how statisticians would deal with that.

lomapaseo 1st Oct 2008 23:22

I am heartened that some of the last posts mention the desire for statistical studies to observe the failure rate of crews vs the failure/success rate of warning or backup systems. I mention this same need in the early pages of this thread when flaps were first postulated as a problem area.

OK it's good that we recognize the need for data. However, don't expect that this data will be placed in the public domain like this board. This data is the stuff that the safety experts at both the operators/Pilot unions and the designer routinely use in providing safety related updates to procedures or designs. Both the regulator and the investigator community should attend to this review to ensure that it is used in developing recommendations relative to this accident investigation.

I await with interest the results.

LEVC 1st Oct 2008 23:31

Just wait for the investigation to be finished
 
I do not agree with the conclusions some of you are reaching based on gossip and newspapers, and I think we should be very careful of what is said in the forum, we must wait for the ongoing investigation to be finished, only then we will know the real facts, and not a lot of crap written by some tosser in a hurry to sell more newspapers.

A former MD pilot explained to me today that the MD does take-off with no flaps (flaps 0 deg. but with slats deployed) and is normal operation, just some food for thought for those of you talking about the pilots forgetting to set the flaps correctly.

I am not saying the pilots are not at fault, I just DON'T HAVE ENOUGH INFORMATION to reach a conclusion as most of you.

FOR JUSTME69

Spanair has an outstanding safety culture and their crews are well trained, they stick to SOP's as I have never seen in any other company, just an example, they do 4 refreshers a year instead of the 2 that most of the operators do for their crews, that is in my opinion about why most Spanish pilots won't think of pilot's error as the first cause of this particular accident.

LEVC

mabmac 1st Oct 2008 23:56

Please excuse me, this is the first time I have made a posting.

I have been watching this thread with interest and have noted that whatever technical problems with the warning systems might have occurred the feeling of the contributors seems to be that the primary cause must have been human error. This was especially apparent in recent postings which indicated that the Spanish authorities were doing their best to avoid using this phrase. I also note the comment that the "MD does take-off with no flaps (flaps 0 deg. but with slats deployed) and is normal operation". I therefore thought that the following article in El Pais, 27 September would be of interest, especially the problems on 9 and 18 August with the slats. This indicates that it may just be that the pilots DID select the flaps appropriately but that the slats failed to deploy. Not being an airline pilot, I don't know whether it would be impossible to take off in this configuration. I have given my own amateur translation of the article and repeated the article itself in case those who know better find any mistakes.

Failure of the slats at 11 degree angle.

The Guardia Civil (national police force) took a statement on 1 September from a Spanair employee who gave a detailed account of the incidents involving the crashed aircraft. These are some of them occurring between 1 and 20 August, the day of the accident:

2 August. Air pressure. "When power was applied for takeoff, the pressure of the right air conditioning system read zero. The inspection was carried out in Valencia by Iberia".

5 August. Worn out brake. "The number 4 brake of the main undercarriage was found to be worn out and was changed".

6 August. Cabin door fault. "The cockpit security door could not be opened manually with the key. The mechanism was taken to pieces and the system was freed (or changed), manual operation of the door achieved. OK".

9 August. 'Auto slat' failed when 11 degrees of 'flap' was selected. Pilot Reporter: "Auto slat fail when 11 degrees of flaps selected". Actioned by TMA (aeroplane maintenance technician). Stall system reset (turned off and on). Test carried out. OK flap and slat function carried out several times, the fault did not appear.

17 August. Right Reverse thruster de-activated. "Right reverse thruster, accumulator warning light on. Right reverse thruster de-activated with the agreement of MEL. Reverse valve locked in the DUMP position".

18 August. Auto slat system failed. "Auto slat system failed when slats extended. Checked by TMA, stall warning computer, systems reset and test carried out, OK, the various functions of the flaps and slats were found to be satisfactory, impossible to repeat the breakdown. Action carried out in Madrid by Spanair (...) The auto slat fail light did not illuminate".

19 August. Overheating. "During the taxy, the RAT temperature reached 90 degrees three times...System reset OK. Please report if it fails again".

20 August. RAT showed 99 degrees on ground before takeoff. "Before takeoff, the RAT temperature reached 99 degrees (...) the heater of the RAT sensor activated on the ground. Removed and isolated. The system needs to be checked".

Fallo en los 'slats' a 11 grados de inclinación

La Guardia Civil tomó declaración el 1 de septiembre a un trabajador de Spanair que relató con detalle las incidencias del avión siniestrado. Éstas son algunas de ellas entre el 1 y el 20 de agosto, día del accidente:

2 de agosto. Presión del aire. "Cuando aplica potencia para despegar, la presión del sistema de aire acondicionado derecho marca cero. La inspección se realizó en Valencia por Iberia".

5 de agosto. Freno desgastado. "Se encuentra el freno número 4 desgastado en el tren principal y se cambia".

6 de agosto. Falla puerta de cabina. "La puerta de seguridad de la cabina de pilotos no se puede abrir manualmente con la llave. Se desmonta el mecanismo y se suelta el sistema, operación manual de la puerta realizada. Ok".

9 de agosto. Fallo 'auto slat' cuando se selectan 11 grados de 'flaps'. Reporter [informe] del piloto: "[Sistema de] Auto slat [alerón delantero] fail [fallo] cuando se selectan 11 grados [de inclinación] de flaps [alerón trasero], acción de TMA [técnico de mantenimiento aeronaves]. Reseteado [apagado y encendido] el sistema de stall [sistema de aviso de pérdida], el test realizado. OK funciones de flaps y slat realizadas varias veces, el fallo no aparece.

17 de agosto. Reversa derecha desactivada. "Reversa derecha, luz de precaución del acumulador encendida. Reversa derecha desactivada de acuerdo al MEL[lista mínima de equipos, en sus siglas en inglés]. Válvula de la reversa derecha blocada en la posición de DUMP [vaciado]".
18 de agosto. Sistema de 'auto slat' falla. "Sistema de auto slat fail (fallo) cuando se extienden los slats. Acción de TMA chequeado, stall warning computer, sistemas reseteados y realizado el test, OK, varias funciones de los flaps y los slats se encuentran bien, imposible repetir la avería. Acción realizada en Madrid por Spanair (...) No se ha encendido la luz del auto slat fail (falla)".

19 de agosto. Recalentamiento. "Durante el taxeo (cuando el avión va en rodadura), por tres veces la temperatura del RAT [medidor de temperatura del aire en vuelo] se va a 90 grados... Sistema reseteado OK. Por favor informar si falla de nuevo".

20 de agosto. RAT a 99 grados en tierra antes del despegue. "Antes del despegue, la temperatura del RAT alcanza 99 grados (...) el calentador de la sonda del RAT activada en tierra. Sacado y precintado. El sistema debe ser chequeado".

alf5071h 2nd Oct 2008 00:45

The numbers ... and assumptions !
 
paull, et al. Re #2099.
The numbers, with all of their complexities are in CS 25 Large Aircraft, Amendment 5 (US equivalent - FAR 25).
The specific requirement for a TOCWS is in CS 25.703 (Page 71), with practical guidance information in AMC 25.703 (Page 368).

Before considering the ‘numbers’, note the text (page 368) “…the takeoff warning system should serve as "backup for the checklist, particularly in unusual situations, e.g., where the checklist is interrupted or the takeoff delayed." !!!!
This is a major assumption about the crew-system interface which many contributors to this thread may have overlooked.

The discussion of system failures considers these systems to have a low level of criticality (page 369) "… because, in themselves, are not considered to create an unsafe condition, reduce the capability of the aeroplane, or reduce the ability of the crew to cope with adverse operating conditions. Other systems which fall into this category include stall warning systems, overspeed warning systems, ground proximity warning systems, and windshear warning systems.” … but see Sub para (3) below.
This and subsequent items should be read in conjunction with AMC 25.1309 which covers system reliability.
TOCWS … "have a probability of failure (of the ability to adequately give a warning) which is approximately 1.0 x 10^-3 or less per flight hour. … Maintenance or preflight checks are relied on to limit the exposure time to undetected failures which would prevent the system from operating adequately.”

Sub para (3) provides an important override, TOCWS are "… not considered to result in an adequate level of safety when the consequence of the combination of failure of the system and a potentially unsafe takeoff configuration could result in a major/catastrophic failure condition. Therefore, these systems should be shown to meet the criteria of AMC 25.1309 pertaining to a major failure condition, including design criteria and inservice maintenance at specified intervals. This will ensure that the risk of the takeoff configuration warning system being unavailable when required to give a warning, if a particular unsafe configuration occurs, will be minimised.”
This presumably assumes the failure to achieve the required configuration (system or crew) and the failure of the crew to detect the incorrect config (gauge/visually) in conjunction with a failure of the warning system – the numbers get larger.
A major/catastrophic failure condition is above 10^-3 up to 10^-9. However, I am not sure how the above would be applied to a certification – perhaps if loss of control was possible due to both a flapless/slatless takeoff, but not any one item – an aircraft specific issue? See thread discussion about slats only take off etc.

At this stage be prepared to be ambushed by ‘Grandfather’ rights; MD 80 was a DC-9, or pre regulation? This might imply that later aircraft have better protection and different operational assumptions, i.e. an Airbus pilot has a system which meets all aspects of the regulation (and the next two pages of it), including an adequate ‘System Inop’ warning. Thus, MD pilots have to operate with a different standard of equipment and a different set of assumptions about their performance when contributing to the system’s overall reliability, i.e. the crew has to be less susceptible to error. This is an interesting area as there are no regulations about how to build or certificate a human, thus no help on how one human vs another can have a lower probability of error (we all have to be vigilant).
CS 25 attempts to contain this problem with relatively new (and lengthy) guidance in AMC 25.1302 (Page 485), i.e. human factors.

An interesting para at the end: “.... No MMEL relief (EASA) is provided for an inoperative takeoff configuration warning. Therefore, design of these systems should include proper system monitoring including immediate annunciation to the flight crew should a failure be identified or if power to the system is interrupted.”
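
Added example (not part of any poster's message): a sketch of the arithmetic behind two points made in this thread, Mad (Flt) Scientist's argument that a two-channel "both must agree" design needs regular checks for dormant failures, and the AMC 25.703 text quoted above that checks "limit the exposure time to undetected failures". The channel failure rate and target are constructed values, and the model assumes a constant failure rate, independent channels and a check that finds every failure.

```python
import math


def mean_unavailability(rate_per_hour, check_interval_hours):
    """Average probability, over one check interval, that a dormant failure
    is present. Assumes a constant failure rate and a check that finds and
    fixes every failure (assumptions of this sketch)."""
    x = rate_per_hour * check_interval_hours
    if x <= 0:
        return 0.0
    # Mean of 1 - exp(-rate * t) for t in [0, T]; expm1 keeps precision for small x.
    return 1.0 + math.expm1(-x) / x


def pusher_unavailable(channel_rate, check_interval_hours):
    """Both channels must command a push, so a dormant failure in either
    one disables 'push when required': the two channel rates add."""
    return mean_unavailability(2.0 * channel_rate, check_interval_hours)


def max_check_interval(channel_rate, target):
    """Longest check interval (hours) that keeps pusher_unavailable()
    at or below the target probability, found by bisection."""
    if channel_rate <= 0 or not 0.0 < target < 1.0:
        raise ValueError("need channel_rate > 0 and 0 < target < 1")
    lo, hi = 0.0, 1.0
    # Grow the bracket until the upper end misses the target.
    while pusher_unavailable(channel_rate, hi) <= target:
        lo, hi = hi, hi * 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if pusher_unavailable(channel_rate, mid) <= target:
            lo = mid
        else:
            hi = mid
    return lo


def interval_table(channel_rate, intervals_hours):
    """(interval, unavailability) pairs for a list of check intervals."""
    return [(t, pusher_unavailable(channel_rate, t)) for t in intervals_hours]


if __name__ == "__main__":
    CHANNEL_RATE = 1e-4  # constructed: dormant failures per hour, per channel
    TARGET = 1e-3        # constructed: acceptable chance the push is unavailable

    # Per-flight check, a 50 hour check and a 1,000 hour maintenance check.
    for hours, p in interval_table(CHANNEL_RATE, [1.5, 50.0, 1000.0]):
        print(f"check every {hours:7.1f} h -> unavailable {p:.2e}")

    limit = max_check_interval(CHANNEL_RATE, TARGET)
    print(f"longest interval meeting {TARGET:.0e}: {limit:.2f} h")
```

With these constructed numbers a check every 1,000 hours leaves the push unavailable about 9% of the time, while the target is only met with a check roughly every 10 hours, which is why the required probability drives the check frequency.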

lomapaseo 2nd Oct 2008 04:20


Re #2099.and #2105
The numbers, with all of their complexities are in CS 25 Large Aircraft, Amendment 5 (US equivalent - FAR 25).
The specific requirement for a TOCWS is in CS 25.703 (Page 71), with practical guidance information in AMC 25.703 (Page 368).

Agree, these are certified design numbers and justify the adequacy of the design. However my experience would examine the regulation of the operation, including maintenance to validate these design assumptions regarding adequacy of the protective systems. There are several possibilities to be explored including failure rates of the subsystems far beyond design assumption and/or latent failures of a critical protective layer.

ZQA297/30 2nd Oct 2008 10:05

Post 2099
If you are into accident statistics, CAP 776 has lots.

CAP 776: Global Fatal Accident Review 1997-2006 | Publications | CAA

