Announcement

Collapse
No announcement yet.

Sunwings Incident Writeup

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Sunwings Incident Writeup

    Well, shall we chat about the computer software IN the cockpit...

    https://avherald.com/h?article=4ac18a5b&opt=0

    "On 21 July 2017 at 1539 hrs, C-FWGH took off from Belfast International Airport with a thrust setting which was significantly below that required for the conditions of the day. Preliminary evidence indicated that, after the aircraft lifted off from the runway, one of the aircraft tyres struck a runway approach light, which was 35 cm high and 29 m beyond the end of the runway."

    ...

    The AAIB and operator carried out independent assessments of how the incorrect thrust setting might have been programmed into the FMC. Both assessments concluded that the only credible way to achieve a grossly low N1 setting was to enter an extremely low value into the outside air temperature (OAT) field on the n1 limit page. It was found that the takeoff N1 setting used on the flight (81.5%) would be calculated by the FMC if:

    a. The expected top-of-climb outside air temperature (OAT) was entered into the OAT field on the n1 limit page instead of the OAT at the airport (a figure of - 52°C as opposed to +16°C);

    and b. The correct assumed temperature9 of 48°C was entered into the FMC. No other combination of data entries was found which would achieve the same result.

    During the simulation carried out by the AAIB, the aircraft’s performance was assessed following an engine failure immediately prior to V1, with the pilot making a decision by V1 to either abandon or continue the takeoff. In the simulator, the aircraft was able to stop in the runway remaining following a decision to abandon the takeoff, but was unable to climb away safely following a decision to continue the takeoff.


    The AAIB analysed:

    The aircraft took off from Runway 07 with a thrust setting significantly below that required to achieve the correct takeoff performance, and struck a Runway 25 approach light shortly after lifting off.

    The N1 required to achieve the required takeoff performance was 93.3% but 81.5% was used instead. Independent assessments by the AAIB and operator showed that the only credible way for this to have happened was for an error to have been made whilst entering the OAT into the FMC. If the top-of-climb OAT was mistakenly inserted into the OAT field on the n1 limit page (a figure of -52°C as opposed to +16°C), and the correct assumed temperature of 48°C was entered, the FMC would have calculated a target takeoff N1 of 81.5%. The investigation will consider how such a data entry error could have been made, and whether actual aircraft performance matched that which would be expected given the N1 power setting used.

    The AAIB released two safety recommendations as result of the investigation so far:

    It is recommended that the Federal Aviation Administration, mandate the use of Flight Management Computer software revision U12.0, or later revision incorporating the outside air temperature crosscheck, for operators of Boeing 737 Next Generation aircraft.

    and

    It is recommended that The Boeing Company promulgates to all 737 operators the information contained within this Special Bulletin and reminds them of previous similar occurrences reported in the Boeing 737 Flight Crew Operations Manual Bulletin dated December 2014.




    About the crew reaction (nothing):

    The acceleration clues in this case were unlikely to have alerted the pilots that there was a problem until the visual clues of the approaching runway end became apparent. Once they realised that there was an issue, their reactions in not increasing thrust were the same as could be expected from many crews.





  • #2
    So let me get this straight:
    * Airplane has a computer in it.
    * Airplane has an outside air temperature sensor (sensors, probably).
    * Crew enters an OAT into the computer that is dramatically different from the actual temperature, which later almost causes a serious accident during takeoff.
    * When the incorrect OAT is entered into the computer, the computer which should be able to read the OAT from aircraft's sensor(s) and know the entry is incorrect, does not give any indication of a problem.

    My stupid-o-meter is reading nearly full-scale on this one...
    Be alert! America needs more lerts.

    Eric Law

    Comment


    • #3
      Originally posted by elaw View Post
      So let me get this straight:
      * Airplane has a computer in it.
      * Airplane has an outside air temperature sensor (sensors, probably).
      * Crew enters an OAT into the computer that is dramatically different from the actual temperature, which later almost causes a serious accident during takeoff.
      * When the incorrect OAT is entered into the computer, the computer which should be able to read the OAT from aircraft's sensor(s) and know the entry is incorrect, does not give any indication of a problem.

      My stupid-o-meter is reading nearly full-scale on this one...
      Pretty much Yup. What is even better, is they probably spend millions of dollars on designing the cockpit to be as ergonomic as possible and then design the worst crappy interface that lets you mix up two fields beside each other on a data entry screen...

      Comment


      • #4
        Originally posted by elaw View Post
        My stupid-o-meter is reading nearly full-scale on this one...
        Some time ago, Evan pointed out that lots of scientific engineering goes into this stuff.

        And the insider enthusiasm for TOPMS is rather lukewarm.

        Also, several years ago it was suggested that pilots be more willing to advance the throttles when things look bad- or has the computer taken away the ability to easily go to FULL power instead of the profit-driven, reduced power settings?
        Les règles de l'aviation de base découragent de longues périodes de dur tirer vers le haut.

        Comment


        • #5
          Originally posted by 3WE View Post
          Some time ago, Evan pointed out that lots of scientific engineering goes into this stuff.

          And the insider enthusiasm for TOPMS is rather lukewarm.

          Also, several years ago it was suggested that pilots be more willing to advance the throttles when things look bad- or has the computer taken away the ability to easily go to FULL power instead of the profit-driven, reduced power settings?
          Well, to begin with, there are plenty of good reasons to use derated or reduced take-off settings that are not simply about profit. They dramatically increase engine reliability over a given maintenance interval (fewer engine failures/fewer compressor disks and fan blades sailing through the economy class cabin) and can even allow for greater TOW at certain conditions. Derates/Reduction do not affect the safe performance of the aircraft; incorrect data entry does. In this regard, I agree with elaw that the avionics should cross check the entry and flag significant discrepancies. I agree with his stupid-o-moter on this one.

          Has the computer taken away the ability to easily go to FULL power? Yes and no, depending on which method is used. When selecting a derated take-off, you have programmed a new thrust limit and calculated a new Vmca. You can no longer get the full thrust capability of the engines by advancing the thrust levers during the T/O roll, but, on the upside, you are prevented from thus losing control in the event of engine failure by suddenly raising your Vmca above your airborne airspeed.

          WIth reduced (assumed temperature) take-offs like this one, your Vmca is the full thrust calculation so you can always get the full thrust capability of the engines by advancing the levers.

          But the real problem here is quite glaring. How do you enter an OAT of -52C and then an assumed temp of +48C--and have that cross-checked!--without it seeming a bit off?

          There was a failure here all right, not of reduced-thrust takeoff per se, but of reduced concentration and reduced safety culture. If those problems are present, there is no safe takeoff thrust setting.

          Comment


          • #6
            Evan, I just want to mention that you are spot-on on the difference between a derated thrust take-off and a reduced thrust take-off. The whole intent of the derated take-off thrust is to lower V1 below what would be the full-thrust Vmcg, which requires reducing Vmcg (since it is a lower bound for V1 for obvious reasons) and hence reducing the possible asymmetric thrust in case of engine failure.

            That said, it is very rare to see these derated thrust take-offs. It will (almost?) always give you an un-balanced field length, with the take-off distance being longer than the accelerate-stop distance, so it happens (almost) only when you have a clearway that is quite longer than the stopway, and (almost?) only in 3 or 4 engines planes since in that case the loss of acceleration and hence the take-off distance doesn't deteriorate so much after losing an engine.

            Finally, I don't know modern planes, but in old planes it was a procedural matter not to increase the thrust beyond the derated one, and the plane and its FADECs would happily apply full thrust if so commanded. And thinking that it (almost) always happen in 3 or 4 engines planes, it almost make sense. In a DC-10 if I lose #2 I can increase #1 and #3 with no concerns for asymmetric thrust, or if #1 or #3 fails I can increase #2, in an A340 if engine #1 (for example) fails I can increase #2 and #3. Not that it would be done, but I would not eliminate this option for the pilot.

            Finally, the discrepancy was NOT between the entered OAT of -52C and the assumed temp of +48C but between the entered OAT of -52C and the actual OAT of +16C. Still a big contrast and even without taking the indicated OAT into account, probably if you told the pilot "It's a cold day today, -52C" they would have raised an eyebrow. They never realized that they entered -52C in the OAT window.

            --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
            --- Defend what you say with arguments, not by imposing your credentials ---

            Comment


            • #7
              Originally posted by Gabriel View Post
              Finally, I don't know modern planes, but in old planes it was a procedural matter not to increase the thrust beyond the derated one, and the plane and its FADECs would happily apply full thrust if so commanded. And thinking that it (almost) always happen in 3 or 4 engines planes, it almost make sense. In a DC-10 if I lose #2 I can increase #1 and #3 with no concerns for asymmetric thrust, or if #1 or #3 fails I can increase #2, in an A340 if engine #1 (for example) fails I can increase #2 and #3. Not that it would be done, but I would not eliminate this option for the pilot.
              Talking about twins here. On engine failure, maybe it's up to pilot discretion, but I certainly hope not. I wouldn't want them to get airborne below Vmca with a single engine. AFAIK, on modern FADEC, it's not going to let you go above derated thrust limit. That might vary by manufacturer/model.

              Finally, the discrepancy was NOT between the entered OAT of -52C and the assumed temp of +48C but between the entered OAT of -52C and the actual OAT of +16C. Still a big contrast and even without taking the indicated OAT into account, probably if you told the pilot "It's a cold day today, -52C" they would have raised an eyebrow. They never realized that they entered -52C in the OAT window.
              Is there an entry field for expected top-of-climb OAT? If so, did they just mix up the two entries? I'm still confused about this. It's seems absurd to me that they would enter an OAT of -52C without questioning it. In any case, there was no safe takeoff thrust level for these pilots.

              And seriously, with 2-3 static ports capable of cross-checking the OAT, why isn't there a safeguard?

              Comment


              • #8
                Originally posted by Evan View Post
                On engine failure, maybe it's up to pilot discretion, but I certainly hope not. I wouldn't want them to get airborne below Vmca with a single engine.
                Again, derated take-off are a thing (almost?) only of 3 and 4 engines planes. If you are taking off single engine you have serious problems beyond Vmc.

                Is there an entry field for expected top-of-climb OAT?
                Yes.

                If so, did they just mix up the two entries?
                Yes.


                I'm still confused about this. It's seems absurd to me that they would enter an OAT of -52C without questioning it.
                It seems that they entered -52 in the airport OAT thinking that they were entering the expected TOC OAT. Rather than confusing the temperature they confused the field. They entered the intended temperature in the unintended field, perhaps even overwriting a previous correct entry for the airport OAT.

                And seriously, with 2-3 static ports capable of cross-checking the OAT, why isn't there a safeguard?
                I don't know. For the same reason that being an acceleration sensor there is no crosscheck between the calculated acceleration and the actual acceleration?

                --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                --- Defend what you say with arguments, not by imposing your credentials ---

                Comment


                • #9
                  Originally posted by Gabriel View Post
                  Again, derated take-off are a thing (almost?) only of 3 and 4 engines planes. If you are taking off single engine you have serious problems beyond Vmc.
                  Read up on it. Everything I've read tells me the thrust is hard-limited to the derate value once the takeoff roll begins.

                  I don't know. For the same reason that being an acceleration sensor there is no crosscheck between the calculated acceleration and the actual acceleration?
                  I'm not going as far as placing full trust in the OAT sensors. I realize there may be discrepencies between the immediate local temp of the sensors and the atmospheric conditions on the ground. But, beyond a tolerable range, there should be some kind of flashing or colored entry response. Also, modern jets should be able to use downloaded METAR data to do this. That might be the better route anyway.

                  Comment


                  • #10
                    Originally posted by Evan View Post
                    But the real problem here is quite glaring. How do you enter an OAT of -52C and then an assumed temp of +48C--and have that cross-checked!--without it seeming a bit off?

                    There was a failure here all right, not of reduced-thrust takeoff per se, but of reduced concentration and reduced safety culture. If those problems are present, there is no safe takeoff thrust setting.
                    I have been designing, writing, and using software since the dawn of personal computers. It is very easy to repeat a numbers/field mistake twice in a row, because your brain is still thinking the exact same way and goes through exactly the same process twice. Especially if it is rote kind of activity involving a bunch of numbers. Mixing up fields is one of the oldest mistakes in the book. I don't know what the cross check actually involves, but unless it is the other pilot independently entering a set of numbers or the same pilot independently entering the numbers in a different way, this is likely to happen again.

                    Comment


                    • #11
                      I'm in the software business too and one thing I've seen a thousand times is poorly-designed entry forms. For example:

                      Height

                      ------------
                      Weight

                      ------------
                      Age

                      Without looking for too long tell me: is the value to be entered on the first line the height or weight? And on the second line, weight or age?

                      Granted pilots should be familiar with the systems they're using, but when screens are poorly designed, it awfully easy for mistakes to be made.
                      Be alert! America needs more lerts.

                      Eric Law

                      Comment


                      • #12
                        Originally posted by Schwartz View Post
                        I have been designing, writing, and using software since the dawn of personal computers. It is very easy to repeat a numbers/field mistake twice in a row, because your brain is still thinking the exact same way and goes through exactly the same process twice. Especially if it is rote kind of activity involving a bunch of numbers. Mixing up fields is one of the oldest mistakes in the book. I don't know what the cross check actually involves, but unless it is the other pilot independently entering a set of numbers or the same pilot independently entering the numbers in a different way, this is likely to happen again.
                        Yes, it is easy to make such mistakes. They probably happen quite a bit. That is why there are crosscheck procedures that can't be skipped over. If you filled out a form and I checked your work and we both were well aware of the consequences of not paying close attention and very concerned about our lives and the lives of hundreds of others, I'm betting this wouldn't happen. If the software also checked against available data for egregious discrepancies I'm almost certain this wouldn't happen.

                        Comment


                        • #13
                          Originally posted by Evan View Post
                          That is why there are crosscheck procedures that can't be skipped over. If you filled out a form and I checked your work and we both were well aware of the consequences of not paying close attention and very concerned about our lives and the lives of hundreds of others, I'm betting this wouldn't happen.
                          You are delusional. This is how human factors work for you? If you really don't want to make mistakes then you won't?
                          This is how the crosscheck works: Each pilot makes their own computation and data entry and then the RESULTS are compared by reading them simultaneously (or better yet, the computer will make the left vs right crosscheck itself). The chances that both pilots commit exactly the same error independently is very remote. Now, if I am checking your work, it is not "independently" anymore. Didn't it ever happen to you that you were correcting the Math work of a kid and you failed to find a mistake because you just followed his work mistake and all? Now if you have your own answer 49 and you see the kid's answer and it is 11, it's much easier to catch. And even better if a computer compares the kid's 11 with my 49.

                          --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                          --- Defend what you say with arguments, not by imposing your credentials ---

                          Comment


                          • #14
                            Originally posted by Gabriel View Post
                            You are delusional. This is how human factors work for you? If you really don't want to make mistakes then you won't?
                            I have some experience writing code. There are short editing tasks where a simple character error will break the entire script and require a lot of work to hunt down. You concentrate during this short period. You don't make mistakes. Now imagine there are 150 souls depending on that short bit of careful concentration. That is what makes you pilot material.

                            That said, mistakes will happen. So we also have a computerized cross-check procedure. Two pilots not giving this short period of dreadful importance their careful concentration = shut it down, turn out the lights, go work in a bakery.

                            But explain to me how two quailfied (i.e. competent) pilots make this same mistake independently?

                            Either there is something wrong with the UI or something wrong with the HR.

                            Comment


                            • #15
                              Originally posted by Evan View Post
                              But explain to me how two quailfied (i.e. competent) pilots make this same mistake independently?

                              Either there is something wrong with the UI or something wrong with the HR.
                              I don't think that two qualified (i.e. competent) pilots would make this same mistake independently. I don't understand why you are asking your question. Heck, I don't even think that two stupid incompetent pilots would make the SAME mistake independently. And the investigation did not determine so far how the mistake was done: "The investigation will consider how such a data entry error could have been made".

                              But this is not you said. Let me quote you again:

                              If you filled out a form and I checked your work and we both were well aware of the consequences of not paying close attention and very concerned about our lives and the lives of hundreds of others, I'm betting this wouldn't happen.
                              This is not 2 persons making the same mistake independently. It is one person making one mistake and the other person failing to find the mistake already done by the other person. Which is a much more probable outcome than both of them making the same mistake independently. And happens all the time.

                              I have some experience writing code. There are short editing tasks where a simple character error will break the entire script and require a lot of work to hunt down. You concentrate during this short period. You don't make mistakes. Now imagine there are 150 souls depending on that short bit of careful concentration. That is what makes you pilot material.

                              That said, mistakes will happen. So we also have a computerized cross-check procedure. Two pilots not giving this short period of dreadful importance their careful concentration = shut it down, turn out the lights, go work in a bakery.
                              Even if they got it right 99.99% of the time? And I am asking literally, exactly 99.99%. Because even then we will still have 300 incidents like this per year.

                              --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                              --- Defend what you say with arguments, not by imposing your credentials ---

                              Comment

                              Working...
                              X