life time of relays
 

As been said before generally all small ctrl relays are all "on condition" as lifetime limit. However all the big power ctrl relays and line contactors are life timed with flight hours or/and elapsed time. These are the only relays that are so called serialized that meens with seraial number on and can be tracked down in maintenace computersystems for installation time and ammount of flight hours accumulated. All other relays are so called consumable sparepart with no serial number and no tracking of accumulated time and therfore changed only when they fail. This is a general rule for most aircraft types.

Regards

wings 1011

"On condition", means that items which are not normally energised in flight are tested at intervals, such as flotation switches on helicopters equipped with floats which initiate automatic inflation of the floats during ditching. Items such as relays and switches which are energised during flight are said to be "tested" on every flight and would not normally be replaced until they fail. They are normally sealed units as there is less chance of any corrosion affecting the contacts. Being sealed they cannot be inspected, replacing them all during a major aircraft check could be counter productive as there is no guarantee that a new unit is more reliable, if it's not broke don't try to fix it.

Not claiming to be either advertising or a whizz-kid, but I suspect this is down to ad selection by automated keyword matching. The ads will be sourced from a large pool (likely provided by a third party agency) and will be matched to the page based on the other page content - the idea being to display "relevant" ads.

These sort of keyword matching algorithms can't yet do much about context let alone assess "sensitivity" when choosing an ad, so sometimes you get ads that no resonable person would have matched to the content. This is already leading to complaints, see eg.

ASA: Publishers must vet AdSense ads ? The Register

I don't see this changing though - replacing with a manual process won't be feasible, and the automated matching will always be (more) flawed.

Some speculations about R2-5, inspired by the new information about previous RAT heater problems.

From a systems reliability point of view the fact that the four relay contacts control totally different functions implies that a fault indication affecting any of those functions may have side effects on the other functions. This implies that, for example, any fault tracing instruction of the RAT heater system should include a test that can discover if the R2-5 relay has either failed completely, which may have been the case here, or only in the RAT heater circuit.

More generally, I wonder if the electrical fault isolation procedures are generally designed only top-down (i.e. if a system does not work, which components to suspect) or also bottom-up (i.e. if a component fails, which systems are affected). For this particular case, it seems both methods should be used.

I agree. It seems since the RAT heater can only get power if R2-5 is in air mode disconnecting the RAT heater only removed the symptom, not the cause which affected a crucial TOWS system to fail in air mode also.

Talking lifetime of relays, cb's?

Everything on any plane built needs fixing from time to time. It is up to well trained pilots and mechanics to spot problems and get them fixed PROPERLY>

I have seen enough to say: it sure seems that the pilots and mechanics at this airline were not up to snuff on the systems involved. it also seems the airline wasn't up to snuff on a boeing/douglas recommendation. it also seems that the airline did not train pilots in takeoff/departure stall recognition and recovery.

now, is anyone out there really going to argue the above?

I don't want to seem calous over the loss of life, but well maintained airplanes with well trained pilots rarely crash!

sevenstrokeroll;
Not callous at all - it's a fact in any transportation industry but especially in aviation.

Apropos this, I see that Russia has "grounded some" B737's immediately, pending "training issues". I wondered right away if there was a loss of situational awareness in this (the Russian) accident as the facts began to point to such instead of a mechanical failure; in some circumstances, a go-around, (not sure they were actually doing one here), can be as high a risk manoeuvre as a landing from a non-stabilized approach - it was 3am or so, no visible horizon, some but not much in the way of ground lighting (buildings etc), low circadian rhythm time and a low-time-on-the-airplane crew. It has to make one wonder - I certainly concur with your statement.

How many crews have experienced reduced training footprints?...reduced simulator hours for recurrent training, (from the typical 4hrs to 3 or 3.5). How many are taught how to do a visual approach with all the automatics off? Who can disconnect the Airbus thrust levers and reconnect them again without the passengers ever knowing you've done so?! How many have permitted their skills to atrophy having swallowed management's harping to engage the autopilot from right after takeoff to touchdown, (Airbus AOM statement)? How many actually do hands-and-feet flying? On raw data?

The rhetorical questions could go on and on...

Do the latest Boeings and Airbuses have audible annunciation of air/ground-state change and can it be prominently displayed on the screens?
Wheel speed sensing seems to be the key to a simple (I am rolling along a hard surface, duh!) backup for the u/c poition switches and then resolved if in dispute by a ground proximity signal (dedicated device).

PJ2

Sadly, a modern pilot does not go to work thinking...SOMETHING CAN AND WILL GO WRONG TODAY.

Blow a tire, lose a gyro or display, and all at the worst possible time.

AND the simulator has become our own worst enemy. How? How come we don't practice engine failure during a windshear encounter?

A fire bell at decision height?

IF I were king...the autopilot would fail within seconds of takeoff in the sim.

And for the Airbus, damnit, I would fail everything when the gear handle is selected up and watch and see if you could 'get her round the patch'.

Let's say the poor copilot was making the takeoff...all of 100o hours total time and only with the company a few months. the captain probably thought the copilot screwed up when the plane stalled...instead of checking the flaps/slats.

Sad.

HarryMann;
The 320/340 Series aircraft do not annunciate "ground/air" condition directly. I am unaware of the 777's annunciations but I suspect neither does that aircraft.

On the Airbus 320/340 series, two LGCIU's (Landing Gear Control Interface Units) alternate operation each leg and do the air/ground sensing and "decision-making". They have inputs from many aircraft systems and sensors.

Thus, there would be indirect indications (ECAM and others) of an "air/ground" issue - for example, Avionics cooling, which is different in the air. The "ground shift" system on the Airbus takes inputs from all three oleos, the downlocks, the gear doors, flaps, as well as the cargo door positions, selector valves and locking mechanisms and cabin door sills (proximity). You can see that it is not a simple nosewheel oleo extension left-and-right switch.

As described above, the Airbus ECAM screen would annunciate several systems which were not in the proper configuration for ground. There would be ample indication that something was not in order.

Wheel speed is available for anti-skid systems but is not used for air-ground sensing. I suspect along with other sensors, wheel-truck tilt on the B777 is used for air/ground sensing.

sevenstrokeroll;
Yep.

And IATA has introduced, (and pilot associations support!) the MCPL so the emptying/retiring ranks can fill with even less experience! :ugh: The sheer idiocy and hubris of the approach to staffing would be ironic if it weren't so risky. If the trend and the problem isn't acknowledged and recognized for what it is and the stupid industry salesmanship (and equally stupid acceptance) of automation-as-pilot isn't countered with some old-fashioned aviation common sense, the fine safety record achieved through dedication, hard work, and even investment over the last fourty years is about to be torn down and replaced with accidents where knowledge, experience and training meet the bare minimum. "MCPL", Acch! :yuk:

When the going gets tough, what the h... does a pilot "know" at a 1000hrs let alone after 250hrs in the simulator for an "MCPL"? Absolutely nothing but push-and-pull and precious little of that. And where does the experience come from to command when these wonders get senior enough for the left seat, which can be months to a few years at many lo-cost start-ups and not the two decades it took me and many?

When I checked out on the 320 (from the 767) and did my promotion at the same time, we hand flew a lot, mainly because VNAV hadn't even been installed in the airplane yet. We did visuals, we learned how to actually disconnect the autothrust, (something I taught 'with a vengeance' when instructing later along with the vagaries of Idle-Open Descent), and something else was on the syllabus: Full flight control failure (ELACs, SEC's, FACs) where engine thrust, mechanical/hydraulic stab trim and mechanical/hydraulic rudder were all we had to get the thing on the ground. And we did - not pretty, but in one piece.

The problem is, too many are "comfortably numb" with success. Nothing fails like it, and nothing suceeds like failure.

off topic sorry
 

Use of QAR to sanction pilots might be at the root of this.Are you not a big supporter of QAR's if I remember correctly?Also,over-emphasis of SOP's and CRM.Re-assert the position and responsibility of the commander(I want to check the TOWS myself every flight..its not that I dont trust the First Officer just well..)and get away from this pseudo-CRM we're just one big happy team.It is a team but the skipper leads..over-assertive(read arrrogant) co-pilots who try and set the pace on the flt deck are a real pain-in-the-ass because one day the poor skipper will fly with a new guy and he'll forget to call for this and check that.Remember when I was a co-pilot,I would never prompt the skipper for the checklist until right at the last moment.Let the skipper set the tone,dictate the pace.Another thing CRM has a lot to answer for.Same with SOP..young guys lining up with 200 souls behind them and thinking of TCAS and transponders and terrain displays and NOT THE BIG STUFF.Like checking approach/rwy clear,config,actions in the event of eng failure...their displays stay stuck in MAP for the duration of the flight and theyll follow the FD wherever it takes them..training is screwy,empahsis on the wrong things,SOPs over airmanship,real flying without reliance on automation,systems knowledge(real knowledge not jjust ticking a,b or c)..thats all gone now..off-topic..not aimed at Spanair.

Surely, the altimeter and rad alt are a clear indicator of Ground to Air mode, and vica versa??

And whats all this twaddle about LGCIUs? Confusion reigns supreme. What has cargo door indication got to do with air/gnd sensing? I think you've confused the many functions of the LGCIU. At it's basic level, it gives you L/G indication, and controls it up/down. Additionally, it tells the FACs, FWC, SECs and all the other systems the state of the aircraft, so the flight envelope is modified accordingly. Everything from the CIDS, Radar, Door indication, nearly everything passes through those boxes. Only one LGCIU is in command for a sector, they swap over at each retraction selection, if that's what you mean by alternate operation. Actual air/gnd sensing is done by a combination of N,L,R oleo extensions and compressions only. It's a more sophisticated PSEU from the 767.

Truck tilt on the 777 is more to do with allowing it to be retracted into the u/c bay. Similar to the 340 where the leg has to be compressed.

Wheel speed is used for autobrake, antiskid, autospoilers and thrust reverse on some types. It depends on who makes it. Or it's a combination for backup and improved performance. An indication for Air/gnd transition would seem pretty pointless since you would have felt the bump. Going the other way, the brakes have to be applied to stop the wheels spinning, so oleo extension is the logical method by which this is achieved, wheel speed wouldn't be much use for air/gnd sensing would it?

Sorry, maybe you missed the inference for this particular thread.... a primary display of the mode the system 'thinks' it's in? I'm sure most crew know when they are in the air and on the ground.

Hence, a half way house between the systems you have now and those legacy systems that control but don't always seem to inform...

So many important systems are dependent on this change of state, that one could argue for the crew having to be blind (or deaf) to not know it doesn't correspond to reality...

Seems like this thread is drifting into another regime not very relevent to the Madrid accident.

With what we know now they took off flaps up, the TOWS was inop because a relay failed causing another problem that was missdiagnosed because of the same relay causing the RAT heater to heat on the ground and it ended up in a fatal crash. The crew, not knowing the flaps were up, rotated , got airborn, got stick shaker and stall warning and crashed. If they had realized on rotation what the problem was they could have tried to get some flaps down and used the extra few thousand feet of runway to get airborn but they didn't. After over 2000 posts is there any more information to add to this thread?

Comments on proposed formula with only slight tongue in cheek
 

Planes should be modified with the following formula
Slats announce =(Slats UP) and ( any weight on wheels including Nose wheel ) and (Take off thrust in either engine)
slats announce == A programmed chip with the voice of P or CP's, SO or Boss yelling
"Slats down dumba$$ or you die"
if no SO (Significant Other) then program with lover saying in her/his sweetest voice
"Slats down, Honey, If you ever want to see me again"
Which voice chip programming would be based on the Psych Profile of individual Pilots,
whichever the Pilot or CP responds to the quickest in SIM,
using a small black box that would warn if the chip is not inserted prior to take off with a few wiring changes to implement the formula.

In response to suggestion to have a light showing On Ground or In Air which relay contacts would you use?
I would want the light using my formula for the voice chip

Unfortunately that is what that MD82 had through the R2-5 relay but the relay didn't work that day.

R2-5 is only on the nose wheel , the formula that works better is any weight on wheels that means weight on Left main landing gear OR weight on right main landing gear OR nose relay R2-5, any one of those conditions AND TO Thust in either engine with Slats UP
announces voice.

Not much new.

We already know the main issues surrounding this accident, and it will become even more clear and confirmed around next Tue/Wed when the preliminary report is planned to finally be made public.

Meanwhile, and for what it's worth, here are some previously unseen photos of the wreckage. The usual warning: it is not for everybody, so don't look at them if you don't feel it's appropiate.

interviu - portada

Also, the judge has asked Interpol to request FAA and AESA to clarify operation requirements for the MD-82. Has requested Boeing for flight procedures for the MD-82 and details on when and how and to whom it informed of updated procedural changes.

He has done the same with Spanair, down to the name of the person in charge of receiving manufacturer's alerts and incorporating them in the SOP. He has also requested the actual manuals Spanair personnel used as guide in the "repair" of the RAT probe heater.

Just to clarify some dates that were "wrong" before:
Aug 2nd: When thrust applied for TO, airconditiner pressure indicated 0.
Aug 5th: Brakes on 4th wheel low pressure - Tire replaced.
Aug 6th: lock in cabin door fixed as the key wouln't work
Aug 9th: Autoslat failure lamp when flaps 15 selected.
Aug 17th: Right reverser deactivated
Aug 18th: Autoslat fail light again.
Aug 19th: RAT probe measured 90º while taxing.
Aug 20th: RAT probe heater was noticed on while on the ground an hour before the accident.

Also, one of the survivors has a certain detail that could be of interest (understandibly not all that trustworthy, but for what it's worth).

Leandro O., in seat 3E, declared: "During the airplane repairs (which by the way, involved the captain having to abandon the cockpit to let the technicians work around his seat ... he talked to the flight attendants meanwhile), he didn't hear anyone demanding to leave the plane, although a few complained for the delay.

On the take off, he noticed the sudden roll to the right, HOW THE PILOTS WERE GIVING THE AIRPLANE MORE POWER, but the rolls kept happening". He adopted a modified safety position, with legs and hands pressing/holding the seat in front of him.

You can tell from the proceedings that the judge is pissed that the accident had 3 "simple" ways to be avoided:
-Flaps down OR
-TOWS tested OR
-TOWS working

Any SINGLE ONE of those three actions, and the accident would've likely not happened. Responsability for the first action can not be asked for, as the pilots, who were licensed and trained in the proper procedures to extend the flaps, had enough experience in their jobs, and were not overworked or under extreme pressure, perished.

So why did the later two failed, he wonders? TOWS, like anything electric, can obviously fail at any time w/o a whole lot of warning. But in this instance, maintenance technicians were "on the case" (or near enough). Why didn't they realise a potential problem?

Then there is the TOWS test. Although the crew could've performed one if they so wished, why weren't they required "by law" (procedures) to do it, if precedents (Northwest) had suggested it was the due course of action?

We'll see what kind of answers the judge gets and if they convince him that there was no intencional or negligent wrongdoing by any person holding a responsability on their jobs.

Rananim;

I would like to avoid thread-drift, but to respond to your comment, yes, I support FDA Programs as preventative safety initiatives when done properly. "Properly" in my books means the pilots' association has control of the data and contacts crews for further information.

In my view of FDA, management has no role in an FDA Program except to respond to what is being seen in the data in terms of trends, events and heightened risks. The pilot association representatives accept the due diligence and without identifying specific crews, can report that individual issues are being handled. That is accomplished through a carefully thought-out agreement between the association and the airline. If there is no such agreement, there is, in my view, no possibility of an effective FDA Program at that airline. Pilots must buy in and take part.

Professionals are professionals; a data program merely reinforces what is either already known so it can continue, or what is constantly strived for so it can change. It isn't magic or a panacea which can substitute for good airmanship and professionalism. Ethics do not reside in software.

Mis-handled, FDA Programs are exactly as you say and if that is the concept and the intent, I would do all I could to kill such a program as swiftly as I and the association could.

Apologies for the drift.

Just a little design fault?
 

Engineers in aviation and marine do in my opinion excellet jobs. They design the equipment to work properly in nearly every condition - fail safe or fail tolerant, depending on the case.

Let's have a look back to the scematic circuit from entry #1936. You see the left and right circuits, for notably important systems they are redundant (activated from left OR right circuit). An activated relais means the aircraft is on ground, The most probable way to fail for a relais is that it cannot be activated which means in this case that the aircraft is in the air. So far perfect...

... with one exeption: the TOWS is extremely important in ground mode - but is deactivated when the correspodend relais R5-2 fails.

Wouldn't it be better/safer to deactivate the TOWS - exactly like the aviation relevant systems - by activating a relais?! Better a warning signal too much than missing one.

Look at training records ...
 

Since this accident seems to be traced to poor airmanship both from the crew and from the technicians as well, I think that the judge in charge should pay a lot of attention to the details of the crew and technician training - in general.

Looking also at the details of the trainers as well ... At the details of the quality managers, the quality auditors, the "safety officer" ... all those who are responsible for overseeing the quality of the trainings, and improve the level of safety above bare legal (formal)minimums ...

I include the "authorities", who are responsible for effectively oversee the airline practices. Lot of people? Well, a lot of people lost their live, they desserve some real investigation.

If those who are "at the top" don't feel involved in this accident, they should be, by legal prosecution.

very good point. I thought of this a few days ago when the circuit was published. Why have a relay activate RAT heating and deactivate TOWS. They should be split so that the realy goes to the correct phase when it fails. i.e. when relaxed it should give RAT heating and TOWS active.

Stop suspecting because you suspect wrong.
The B777 uses a strain gauge in the undercarriage support beam to detect weight on wheels.

I find it rather unusual that Interpol has been asked to join the investigation:

Report: Interpol joins investigation into Spanair accident : Europe World

I'm as curious as Swedish Steve on why that configuration was chosen. There has to be a good reason --- I suppose. :confused: I'm also curious as to the history of Take-Off Configuration Warnings. The first one I saw was on a Gulfstream II, built around 1970? Yet Boeing claim a US Patent on the bones of any system, in 1978. I know something of Patents and the GII system predates the Boeing claims - no doubt. More to the point, if the Boeing Patent was valid, the GII being much simpler, it says there was no Take-Off Configuration Warning (as we now understand it) prior to 1978.

United States Patent 4,121,194
Downey , et al. October 17, 1978
Assignee: The Boeing Company (Seattle, WA)

Take-off warning system for aircraft.

Abstract. A logic controlled take-off warning system having a circuit for enabling the logic controlled take-off warning system at engine thrust levels exceeding a predetermined value which is less than minimum take-off thrust of the aircraft and greater than thrust required for normal ground operations, provided also that the aircraft is on the ground. When the logic controlled take-off warning system is enabled, a take-off warning horn is subsequently energized when any one of a plurality of undesired take-off configurations exists.

Swedish Steve:
It seemed a natural, as that's the way the 767 does it, but I do indeed suspect wrong; - thank you for the correction.

HarryMann:
Further to your question regarding cockpit indications, the 767-300 does indeed present an "EICAS" message to indicate a fault with the air-ground sensing system. The message is "AIR/GND SYS" or "NOSE A/G SYS". The AOM states that if the message is present, "Affected equipment and systems will not operate normally and therefore takeoff is not allowed".

Thanks PJ2...

I'm still thinking that rather than a warning as such, on legacy (crude?) system aircraft, a simple readout display, saying what state the Air/Ground system 'thinks' its in would be easy to refer to... prior to approach and land, one wouldn't want it saying 'GROUND' and vice versa prior to take-off .. doesn't matter so much whether it's working or not, but it's current 'state' is important for the crew to know?

As someone said, would be nice to know why this default wasn't chosen? It might have been due to more complexity and yet another relay being required in the chain...

HarryMann;
Likely because it's a very old system and at the time no one thought it necessary to guard against such a "fundamental" error. A host of side-issues accompany any such designs, such as certification, robustness, likelihood of failure and risk-analysis of the consequences of failure, (ie, would a "single-point" failure cause "loss of the vehicle", to use NASA's terminology in examining the shuttle systems).

Likely in an engineer's mind there are many scenarios against which the design must protect itself in the various ground and flight regimes either through self-diagnosis and correction (switch-over to alternate system), or through warnings to operators, (crew, maintenance) and this scenario didn't make it at the time for the reason stated. "What if" is an expensive and time-consuming question and must be triaged as any risk-intensive endeavour. I suspect you probably know all this so I say this for the sake of the dialog.

The odd thing (to me) is that many systems receive Air/Ground logic from two independent relays fed from two independent buses. I assume that the signal is commoned at single target systems so one relay failure won’t have a dramatic affect.

These systems include Stall Warning; AC Cross Tie; Approach Idle; ATC.

But look at the Take Off Warning. One relay only, when relay R2-106 on the opposite bus has unused contacts which could easily have been used to give TOWC dual inputs. … and yet another relay being required in the chain... Not so, it seems.

I'm missing something here. If previous Air/Ground TOWC incidents could have been prevented by a very simple Mod then it would have been done. Wouldn't it?

I was thinking that another relay would be required to reverse the default logic, to turn it on when the trigger signal is off, or missing...

Maybe some of this will come out in the inquiry, but as PJ2 says, at the time, the TOWS was maybe not an afterthought, but not given much priority.

It may also be a case of, once you have a warning system to fall back on, that pre-take-off 'killer item' checklists become less imperative and more of a chore....
As in business, 'fail to plan' and you 'plan to fail'...

“Planning is bringing the future into the present so that you can do something about it now” - before its too late

Your question is very valid. But I'm not so sure I agree with "Better a warning signal too much than missing one". I believe many studies have shown that too many false alarms affect the attitude of the crew so that real alarms might not get the attention they deserve.

And at least in this particular TOWS circuit, your proposed relay logic would in case of relay failure [unless the TOWS includes some additional smart logic that I have missed] trigger an alarm that would sound during the whole flight as long as flaps are retracted. Does not sound like a viable solution. It would need some additional logic to enable the crew to inhibit that alarm, introducing additional potential points of failure in the TOWS system.

Today's computer systems give a totally different capability to design an idiot-proof air/ground sensing system. But the MD-80 was certified in 1980 when microprocessors were in their infancy.

...and of course we're all assuming that there were no electrical modifications in the aircraft history. Given its previous owners, who knows?

Not saying that its the case, but some of the unauthorised 'mods' I've read about over the years on pprune make me :eek:. Could be yet another gap in the gruyere.

Am I alone in thinking the following:

After ANY sort of MX, a pilot always suspects that something could go wrong that wasn't previously suspect?

That you should always check the circuit breaker panel?

Emmental maybe?

To me this sounds as a classic "man-machine", or usability problem:

A system (in this case an aircraft) should indicate to the user (the pilots) which state it thinks it is in, e.g. sitting on the ground or in the air.

Since there's a number of important systems and warnings relying on this, any fault indication should be a no-go.

Hence needed: 1) An indication to the pilots which state the AC thinks it is in 2) a checklist item verifying this.

Likewise, anything the system does automatically for the user, it should inform about. The DC9 or MD8XX that crashed after departure from Arlanda 15-20 years ago, the captain didn't know that an auto-thrust system was acting on his behalf, which wrecked the engines leading to the crash (power lost due to ice ingestion, system increased thust even more, more ice ingested, even more thrust applied, resulting in titaninum fire).

I may very well be seeing this from an uninformed and overly theroretical angle. I stand to be corrected.

Well, it seems at this point that the airplane was in the correct air/ground mode. The front (and back) wheel switches were (likely) in the correct logic state.

It was just one out of dozens of relays that failed to act correctly upon this air/ground signal, affecting ultimately only two components out of more than a hundred that depend on ground/air activation: the RAT probe heater and the TOWS (the other two systems wired to this relay being redundantly serviced from other, working relays).

If you put a couple of indicators in the cockpit wired to the ground sensors ... the airplane would've correctly indicated it was on the ground.

The change from ground to air mode was even signaled to the DFR correctly, as all the relays depending on it worked except for one (it seems).

I think the MD-82 "works", as we have seen the reasonable safety record considering how old it is, but it is indeed a bit "underdesigned" when it came to the alarm for a "potential killer item". It has a single "common" point of failure that gives very little/no warning. Maintenance manuals must CLEARLY include that probe heater on the ground inmediately must suspect inop TOWS.

Boeing solved the problem the best and cheapest way possible though: don't ever TO w/o checking TOWS first soon before.

Making modifications to the plane also introduces new, unknown risks, so it's not as simple as throwing in a couple of diagnosis or status lights which, BTW, can also fail on their own or be overlooked. I'm not saying they shouldn't study some simple one that could increase the reliability of the system.

The judge has requested the police to find the entire history of the airplane since the day it was manufactured, including any and all modifications done by previous owners.

While I don't disagree that the air/ground sensing system may not be perfect, let's not forget that the first-level "killer item" is to set the flaps, as described in the before-take-off checklist. TOWS is the second-level safety feature for that one. Then we may argue if an air/ground sensor failure alarm that would be a safety feature for inoperative TOWS is on the same or the next level. Anyway there is a limit for how many levels of fault detection, redundancy and fault tolerance are practical before the solution becomes more failure-prone than the item it's designed to protect.

Some pages back I think it was suggested that the TOWS logic should preferably be completely inverted, i.e. instead of alarming when something is wrong it would report "good to go" if and only if all sensor inputs positively indicate so. Something to think about.

Some posts mention that the MD80 TOWS shall be checked before every flight. IMHO a level 2 safety shall catch a level 1 failure, but if the level 2 has to be checked is not doing the job for what was designed.

That is something else I was trying to get at... level 2 should be automatically checked not manually and engineered to fail-safe... and hence report problem if there is one or system is not working, or fails self-test.

snowfalcon2, HarryMann;
Again, for information only, the "good to go" design philosophy was incorporated into the Airbus A320/A340 series aircraft. Testing the "TOWS", called the "T.O. CONFIG" is part of the Before Takeoff Check. This system checks the killer items plus a few others:

Slats/Flaps not in takeoff range - Red Warning
Pitch Trim not in takeoff range - Red Warning
Rudder Trim not in takeoff range, (A319, A321) - Red Warning
Speed Brake not retracted - Red Warning
Sidestick Fault - Red Warning
Brakes Hot - Amber warning
Doors - Amber warning
Park Brake ON - Red Warning
Flex Temp not set - Amber Warning

All warnings are accompanied by an auditory warning.