PICList Thread
'[OT] Failsafe Design - was : How many Pics to sav'
1999\07\23@065136 by Russell McMahon

AFAIR a classic example of what you described below happened with a
brand new Airbus prior to their mass availability.

The problem was essentially pilot error.
The problem was not with the aircraft stopping him doing what he
should have been able to do but with him thinking that he was going
to be able to do something that he knew he shouldn't do.
AFAIR it was at the Orly air show - I have seen a video of the event
and it is extremely fun but only because nobody was killed and a
major lesson was learnt - it could have been quite different.
The aircraft made a low slow pass and then at the end the pilot tried
to pull it up in a sharp climb. This violated design specs - or would
have if the aircraft had let him do it. Instead the aircraft
continued flying low and slow and on a slightly descending path. At
the end of this path there was a (pine?) forest. The craft sank
slowly into the tops of the trees and proceeded then to tear out
trees and tear its wings off.
I understand that what passengers there were present were VIPs taking
the show demo flight - I may be wrong on this.

We had the opposite happen here in New Zealand some years ago - in
this case it ended in a tragedy but thankfully a relatively limited
one. A DC8 - precursor to the DC10 - was being used for training. As I
remember it, just after takeoff the training pilot simulated an
engine out by suddenly shutting the throttles on one engine. This was
meant to give the trainee an interesting exercise in emergency
procedure at takeoff. Unfortunately, the throttle gates were not
correctly designed and the control slid through a "stop" into the
reverse thrust position - instead of NO thrust it had full thrust but
BACKWARDS and also much more drag I imagine. They crashed. I think
there were 3 people on board and 1 or more died - twas some while ago
now.

The main point here is that an electronic system would have not
allowed the reverse thrust in this situation - it may even not have
allowed the engine shutdown depending on programming. The DC8
throttle stop was subsequently redesigned to prevent further
occurrences.


Russell McMahon




From: Thomas Brandon <tom@PSY.UNSW.EDU.AU>
To: PICLIST@MITVMA.MIT.EDU <PICLIST@MITVMA.MIT.EDU>
Date: Friday, 23 July 1999 16:52
Subject: Re: How many Pics to save JFK jr.[OT]


> I feel a better question is how many PICs would it take to crash an
> airplane? The answer - just 1.
> Newer planes have exactly such systems. However there is controversy over
> whether such systems save life or simply put more in jeopardy. The problem
> is not computer error (with enough testing errors can be eliminated) it's
> pilot error.
> I believe it's 707s that have such a system. If the pilot attempts what
> the computer considers to be a dangerous move, it will override him. I am
> aware of at least 2 separate incidents where this has caused an accident.
> One situation was as follows:
>     After taking off the pilot was too low with too little power. The pilot
>     realised this and pulled up. Unfortunately he pulled up a bit too hard.
>     The computer decided that pulling up so hard with so little power was a
>     bad idea. So, it took over and didn't allow him to rise so sharply. The
>     pilot suddenly finds the controls are trying to fight him. So what does
>     he do, he panics and pulls up harder. So what does the plane do, it
>     resists harder.
>     Result: plane hits the ground, passengers die.
>
> Who was in the wrong? No one. The pilot really shouldn't have pulled up
> quite so hard so the computer was right. Yet, pulling up so hard would most
> probably not have caused an accident had he then levelled off.
>
> IMHO, the problem is not with the computers it's with the pilots. It's easy
> to reprogram a computer. It's much harder to reprogram a person.
>
> Tom.

1999\07\23@080640 by Myke Predko

Just to add my two cents to what Russell is saying:

Earlier this week, when I saw the map of where JFK jr's plane went down, I
noticed one thing I haven't seen in a newspaper and I haven't heard on a
news broadcast.  I'm interested in seeing if Aviation Week (which I'm sure
will have an issue or two dedicated to the accident) discusses it as well.

The thing I noticed was that the flight path taken was over water and seemed
to be beyond gliding distance back to land.  When I got my pilot's license,
it was drummed into me repeatedly that you are never to take a single engine
aircraft so far out on water that you can't glide back to land (in Canada,
this is also a legal requirement and breaking this rule will get you cited).
The only place I was told this was waived was taking off/landing at the
Toronto Island Airport (which despite having 3600' runways is a pretty scary
place to set down a Cessna).

I imagine it is the same in the United States.

The latest news (citing FAA air-traffic radar tapes) seems to indicate that
the plane did do something unusual and the crash wouldn't have been
survivable on the ground - but it is interesting to hear (from his
instructor) that he never took chances, when, looking at a map, he seemed to
take a chance as big as not doing a walk-around on the aircraft.

Have a great weekend,

myke


1999\07\23@100619 by Andy Kunz

>one. A DC8 -precursor to the DC10 was being used for training. As I
>remember it, just after takeoff the training pilot simulated an
>engine out by suddenly shutting the throttles on one engine. This was
>meant to give the trainee an interesting exercise in emergency
>procedure at takeoff. Unfortunately, the throttle gates were not

OK, somebody laugh at this one:

  Santa Claus, like all pilots, gets regular visits from the Federal
Aviation Administration, and the FAA examiner arrived last week for
the pre-Christmas flight check.

  In preparation, Santa had the elves wash the sled and bathe all the
reindeer.  Santa got his logbook out and made sure all his paperwork
was in order.  He knew they would examine all his equipment and truly
put Santa's flying skills to the test...

  The examiner walked slowly around the sled.  He checked the reindeer
harnesses, the landing gear, and Rudolf's nose.  He painstakingly
reviewed Santa's weight and balance calculations for the sled's enormous
payload.

  Finally, they were ready for the checkride.  Santa got in and
fastened his seatbelt and shoulder harness and checked the compass.
Then the examiner hopped in carrying, to Santa's surprise, a shotgun.

  "What's that for?!?" asked Santa incredulously.

  The examiner winked and said, "I'm not supposed to tell you this
ahead of time," as he leaned over to whisper in Santa's ear, "but
you're gonna lose an engine on takeoff."

Andy

==================================================================
Andy Kunz               Life is what we do to prepare for Eternity
------------------------------------------------------------------
andy@rc-hydros.com      http://www.rc-hydros.com     - Race Boats
andy@montanadesign.com  http://www.montanadesign.com - Electronics
==================================================================

1999\07\23@121424 by Gary Crowell

Russell McMahon wrote:

I suspect you are referring to Air France 296, 6/26/88.  There is a
picture and CVR transcript at http://www.airdisaster.com.  (There's a web page
for everything now.)

"Crashed while performing a low approach at Habsheim Airport in Southern
France.  On a demonstration flight for Airbus, complete with a load of
136 passengers and crew, the Captain elected to add power too late and
impacted trees at the end of the runway.  The subsequent explosion and
fire killed 3 people."

I could be wrong tho, I seem to recall another airbus incident like
this, but couldn't find it.

GC

1999\07\23@122046 by Andy Kunz

>France.  On a demonstration flight for Airbus, complete with a load of

Sounds like his demo flight was better for Boeing than for Airbus.

Andy


1999\07\23@130859 by Wagner Lipnharski

> > AFAIR a classic example of what you described below happened with a
> > brand new Airbus prior to their mass availability.

A Fokker-100 jet crashed seconds after the take off years ago, in the
middle of São Paulo (Brazil), an 18 million people city, a residential
place, school and everything else went in flames, burning fuel running
at the street... lots of cars and houses went to hell.  The problem?  A
simple air-brake system went open during the take off run.  (The
air-brake is the body of the engine that slides to the exhaust's back
and deviates the jet sideways (up and down) to create a braking air-flow
barrier). One engine was braking while another was pulling the airplane
forward. It created a terrible situation for the pilot, who accelerated
to the extreme (since the plane was not gaining altitude), and by the same
rate the air-brake was braking harder.  He deviated from a school full of
children and landed over a few houses and in the middle of a street. The
voice recording shows that maneuver. If memory serves, 80 passengers,
sadly no survivors. No electronics indicated the problem to the pilot
during the take-off run. A flight mechanic close to the runway saw it
and crying desperately yelled "the brake is open, the brake is open, by
God somebody stop that plane..."  Lots of discussions went on, everybody
said it could not happen, air-brakes don't open during the take off,
"there are several security systems", but, perhaps a simple positioning
switch connected to that brake panel, with a PIC blinking a LED at the
pilot's panel could have saved more than 80 lives.  If he knew what was
happening, even after the take off, he could just shut that engine off
and somehow make a safe landing at a close airport using just the "good"
engine.  The first big problem there was "lack of information".

Years ago, a Boeing 737 took off from a city close to the Amazon Forest,
destined to a city at the east, the pilot left the procedures to the
co-pilot. He did input the flight path wrongly, instead of 18.5 he
inputted 185 degrees. The control tower used not to say the decimal point,
which confused the newbie co-pilot.  The pilot was reading a newspaper.
The plane went over the Amazon, dense forest. In half an hour it was out of
any radar scanning. When the pilot saw the topology he did not understand
what was happening and tried to solve the problem. The plane went deeper
and deeper over the Rain Forest, wasted all the fuel and landed in the
middle of the dense vegetation with some survivors, including pilot and
co-pilot, lots killed by the seats jamming all together at the front.
A group went walking in the middle of the forest, reached a farm and
asked for help. Again, what the hell is a GPS made for? Man, if I were a
pilot, even if the plane has one, I would also have my personal $87 GPS
bought at K-Mart... Were the air traffic control people also wrong that
did not notice the airplane was going in a wrong direction? Perhaps a
PIC just checking a few tables could notice the wrong input angle for that
lat/longitude and not only blink a LED but also put the pilot's pants on
fire.

As you can see, the first example is a classic mechanical failure, the
second, a terrible coincidence of several human errors, both could be
avoided with better use of technology.

Wagner

1999\07\23@132939 by Andy Kunz

>As you can see, the first example is a classical mechanic failure, the
>second, a terrible coincidence of several human errors, both could be
>avoided with better use of technology.

One could have been avoided solely by use of 6000-year-old technology - the
human brain.

When lives are at stake - pay attention.

Come to think of it, just plain pay attention anyway.

Andy


1999\07\23@153921 by tmariner

> One could have been avoided solely by use of 6000-year-old
> technology - the
> human brain.
>
> When lives are at stake - pay attention.
>
> Come to think of it, just plain pay attention anyway.

I have come to the conclusion that the main purpose of human life is to
increase entropy by making errors. Years ago I was helping Citibank set up
their computers for loans and had a bank VP ask me why I wanted to use check
digits on the loan numbers since randomly the technique would only catch 1
in 10 errors. He had a funny look on his face when he was informed that
humans make predictable errors and that the check digits would catch 100% of
the errors they were most likely to make.

The point is that student pilots have predictable behaviour that has to be
trained out of them using the same technique that precedes most messy
divorces, "Are you going to believe me or your lying eyes?".

Tom

1999\07\23@203024 by Anne Ogborn

The thorny issues that come up in this issue of aircraft
reliability are amply examined in "the Pilot's Burden".

Basically, what its author (an airline pilot) says, is:

You have a part that has to operate or the plane crashes,
say the frobulator.

So you put a sensor on to make sure the frobulator is
working, and ring an alarm if it isn't.

But the sensor might fail, so you make the pilot
test the frobulator sensor before takeoff.

Carry this mentality too far and pretty soon
you've got the pilot so busy testing frobulator testers
he's too busy to put the gear down.

He analyses in detail the history of dealing with a common
pilot decision -

At takeoff, the pilot goes to max power and rolls down the
runway. At some point the gummifrunchy overheat lamp goes on.
Should he:

a) take off anyway?

b) Try to stop

This is a hellishly complicated problem. It depends on an appreciation
of the probability that the plane will actually be able to fly around and
land, and an appreciation of whether the plane can stop before the end of
the runway, and what's beyond the end of the runway.

But the pilot doesn't get realistic training in making this critical decision
in the fraction of a second s/he has to make it. Instead, flight training for
this consists of memorizing complicated theoretical formulas about the situation.
He gives all the formulas and factors, in thirty mind numbing pages, and at
the end I had less idea how to make such a decision than when I started.

Anyway, for anybody interested in design of life-dependent systems with man in
the loop, I strongly suggest this book.

--
Anniepoo
Need loco motors?
http://www.idiom.com/~anniepoo/depot/motors.html

1999\07\23@213149 by Eric Oliver

Come on Wagner, everyone knows that setting the pilot's pants on fire is
against FAA regs. <g>


Eric
( Wife and kids went to visit her mother for the weekend and I'm bored on a
Friday night. Actually, since I'm feeling talkative, I'm sitting here in a
great Mexican food restaurant drinking a cold cerveza and reading my email.
Ain't technology great <g>. )


1999\07\24@031504 by Russell McMahon
Almost certainly you are right - I wasn't aware that anyone had died.
A great shame but I guess better a few at an early stage to help them
get things right than many at a later stage.

From: Gary Crowell <gacrowell@MICRON.COM>
>I suspect you are referring to Air France 296, 6/26/88.  There is a
>picture and CVR transcript at http://www.airdisaster.com.  (There's a web
>page for everything now.)
>
>"Crashed while performing a low approach at Habsheim Airport in
>Southern France.  On a demonstration flight for Airbus, complete with a
>load of 136 passengers and crew, the Captain elected to add power too
>late and impacted trees at the end of the runway.  The subsequent
>explosion and fire killed 3 people."

1999\07\24@031518 by Russell McMahon

From: Andy Kunz <support@MONTANADESIGN.COM>

>>As you can see, the first example is a classical mechanic failure,
>>the second, a terrible coincidence of several human errors, both could
>>be avoided with better use of technology.
>
>One could have been avoided solely by use of 6000-year-old
>technology - the human brain.
>
>When lives are at stake - pay attention.
>
>Come to think of it, just plain pay attention anyway.
>

Sometimes it's hard to use your brain well enough - especially where
multiple errors occur.

Air NZ lost an aircraft in the undoubtedly world famous crash into Mt
Erebus in Antarctica.
Apart from factors such as the pilot flying below approved altitude,
unfamiliarity with the effects of Antarctic whiteout and the
controllers at McMurdo allegedly being totally stoned there were 2
main factors which killed them. I may have them backwards but it went
something like this.

Initially when plotting a course a person had made a minor
computational error and a digit in a bearing was wrong. This put the
aircraft slightly off course but safe and everyone had flown this
course on inertial navigation - it went down the middle of McMurdo
sound. A person was assigned the routine task of checking the data
and found the error. He corrected the error and updated the records.
In the process a transposition was made between 2 digits eg say 3.46
became 3.64 etc. This changed the course from down McMurdo to across
the top of Erebus. They all died (including a national hero who was
there for PR purposes).

IF the pilot had maintained correct height
OR IF
the company had properly trained the pilots in what to expect
OR IF
the original navigation error had not been made
OR IF
the subsequent "correction" had not been made
They would all probably not have died.

Russell McMahon

1999\07\24@053156 by Clyde Smith-Stubbs

On Sat, Jul 24, 1999 at 06:04:57PM +1200, Russell McMahon wrote:
> Almost certainly you are right - I wasn't aware that anyone had died.
> A great shame but I guess better a few at an early stage to help them
> get things right than many at a later stage.

There's nothing technically to get right that can be learned
from that particular crash - it was human error plain and simple.

The aircraft was too low and too slow, and a low altitude flypast
should never have been planned with 136 passengers on board in the
first place. The Airbus fly-by-wire system probably saved the aircraft
from a low-altitude stall which would have killed all on board.

Similarly, JFK jnr's crash was the result of bad decision making - there
was still enough technology on board to save the situation if it had
been used properly.

The big aviation killers year after year are all fundamentally bad
decisions - #1 is VFR flight into IMC, then you get things like
running out of fuel, low flying etc. Mechanical or technological failures
are way down the list. The worst air disaster of all time, the Canary
Islands collision between two Jumbos was a communication breakdown - human
communication, not equipment failure.

--
Clyde Smith-Stubbs               |            HI-TECH Software
Email: clyde@htsoft.com          |          Phone            Fax
WWW:   http://www.htsoft.com/    | USA: (408) 490 2885  (408) 490 2885
PGP:   finger clyde@htsoft.com   | AUS: +61 7 3355 8333 +61 7 3355 8334
---------------------------------------------------------------------------
HI-TECH C: compiling the real world.

1999\07\24@104141 by Andy Kunz

>So you put a sensor on to make sure the frobulator is
>working, and ring an alarm if it isn't.
>
>But the sensor might fail, so you make the pilot
>test the frobulator sensor before takeoff.

<snip>

>At takeoff, the pilot goes to max power and rolls down the
>runway. At some point the gummifrunchy overheat lamp goes on.
>Should he:
>
>a) take off anyway?
>
>b) Try to stop
>
>This is a hellishly complicated problem. It depends on an appreciation

I got to experience this firsthand.

I was on a flight through Pittsburgh (the old airport) on a Friday night.
EVERYBODY wants to get home.  My flight from Ft. Wayne came in on schedule.
My connecting flight was 2 hours late.

Turns out they had been delayed by "mechanical problems" at the originating
airport.  They left 2 hours late.  En-route, the plane developed more
"mechanical problems" - the smoke detector in the lavatory had failed,
detecting smoke when none was there.  They continued onward to Pittsburgh.

Upon arriving in Pittsburgh, it took an hour to replace the faulty smoke
detector.  We boarded the plane 3 hours late (I should have been HOME 2
hours ago).  Nerves were on edge everywhere.

We pulled out from the gate, and started heading toward the ramps, when
suddenly the plane veered around back toward a gate.  Seems the NEW smoke
detector failed, too!

They brought the A&P's back on, they checked out the problem, and we
disboarded.  Turned out that the smoke detectors were working perfectly.
There was a leak in the hydraulic system in the tail that was not detected
by the hydraulic monitors.

I was more than happy to get on a DIFFERENT airplane.  I could have driven
home from Pittsburgh in the amount of time I spent there.  But thanks to
"faulty" sensors I'm still alive.

Andy


1999\07\24@115038 by Wagner Lipnharski

Andy Kunz wrote:
> I was more than happy to get on a DIFFERENT airplane.  I could have driven
> home from Pittsburgh in the amount of time I spent there.  But thanks to
> "faulty" sensors I'm still alive.

Hey Andy, after all these thread posts, I finally came up with this
"EIATK" (Eleven Items Air Travel Kit), that should be mandatory to carry
aboard by all passengers:

1) pocket working "faulty" smoke detector
2) pocket cheap $87 GPS, navigation maps, tips, etc.
3) pocket remote sensor monitoring air brakes at take off
4) pocket size altimeter and speedometer
5) pocket device to recognize a wrong input to plotting flight path
6) pocket radar (to identify other approaching aircraft in collision
path)
7) pocket reference book named "How to recognize mistakes and teach
pilots to do the right thing"
8) pocket ref book named "How to recognize a dumb pilot"
9) pocket ref book to give to the pilot at the boarding time, named
"Piloting for Dummies"
10) pocket size parachute (options for de-luxe or not)
11) pocket ref book statistics showing that the chance to suffer an
accident traveling by car is only 2500 times bigger than by airplane.

Then, I started to think about to develop another kit named "THFICTK"
(Two Hundred Fifty Items Car Travel Kit), but this is another story. :)
But as I can't hold things by myself, here goes just few first mandatory
items (printed material):
1) Brief description about the difference between the Gas and Brake
pedals
2) The secret meanings for those 3 color lamps at the traffic light
3) The never told story about the meaning of the "STOP" sign.
3) The adventure of driving at 20mph at the interstate highway center
lane
4) Forget your home "Nintendo System", this is for real
5) It's not too late, even you can learn "how to do back driving"
6) Why you should check tire pressure at least once each 3 years
7) Other uses for mirrors, other than to apply lipstick or remove nose
air
8) Definitely you can drive and talk to the passenger without keep
looking at him all the time
9) If you have a steering wheel in front of you, it is great the chance
that YOU ARE THE DRIVER!

Wagner.

1999\07\24@124325 by Andy Kunz

>1) pocket working "faulty" smoke detector

Nose MK I MOD 0

>2) pocket cheap $87 GPS, navigation maps, tips, etc.
>4) pocket size altimeter and speedometer

My GPS gives both of those items.

>3) pocket remote sensor monitoring air brakes at take off

Eyeballs MK I MOD 0

>6) pocket radar (to identify other approaching aircrafts in collision
>path)

Eyeballs MK I MOD 0

>8) pocket ref book named "How to recognize a dumb pilot"

See Dilbert <G>

>3) The never told story about the meaning of the "STOP" sign.

I bet you mean that "Only ones with a white border are mandatory - other
stop signs are optional."

Andy

1999\07\24@223200 by Eric Oliver

Now see, this is the great thing about the PICLIST. I didn't know that <bg>.

>
> I bet you mean that "Only ones with a white border are mandatory - other
> stop signs are optional."
>
> Andy

1999\07\26@084310 by paulb

Tom Mariner wrote:

> ... ask me why I wanted to use check digits on the loan numbers since
> randomly the technique would only catch 1 in 10 errors.

 *Only* catch 1 in 10 errors?  He obviously didn't have a clue!
--
 Cheers,
       Paul B.

1999\07\26@092419 by Wagner Lipnharski

Nah, for sure he tried to say that a single check digit verification has
an efficiency of only 90%, 10% error tolerant, but he should have inverted
the words... otherwise you can be right, he can be a complete ignorant about
it.
Wagner.

"Paul B. Webster VK2BZC" wrote:
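Tom Mariner's point above (check digits catch the errors people predictably make, even though an arbitrary corruption slips through about 1 time in 10), together with the two-digit transposition in the Erebus navigation data, as an added example that is not from any poster: a weighted mod-11 check digit (the ISBN-10 construction) on a constructed sample loan number catches every single-symbol slip and every adjacent transposition, while an arbitrary string passes exactly 1 time in 11.

```python
"""Added example (not from any poster): check digits vs. predictable human errors.

Weighted mod-11 scheme, i.e. the ISBN-10 construction, over an ID body of up
to nine decimal digits.  Every weight (2..10) and every possible symbol
difference (-10..10, non-zero) is non-zero modulo the prime 11, so the scheme
detects 100% of single-symbol slips and 100% of adjacent transpositions
(like 3.46 -> 3.64), while an arbitrary string passes only 1 time in 11.
"""
from fractions import Fraction
from itertools import product

SYMBOLS = "0123456789X"   # 'X' stands for the value 10 (check position only)
MAX_BODY = 9              # keeps every weight in 2..10, all coprime to 11


def _value(ch: str) -> int:
    return SYMBOLS.index(ch)


def append_check(body: str) -> str:
    """Return body plus its check symbol; '4738102' -> '47381027'."""
    if not body.isdigit() or not 1 <= len(body) <= MAX_BODY:
        raise ValueError("body must be 1..9 decimal digits")
    weights = range(len(body) + 1, 1, -1)          # n+1 down to 2
    weighted = sum(w * int(d) for w, d in zip(weights, body))
    return body + SYMBOLS[(-weighted) % 11]        # check symbol gets weight 1


def is_valid(code: str) -> bool:
    """True iff the weighted sum over all symbols (weights n..1) is 0 mod 11."""
    if not 2 <= len(code) <= MAX_BODY + 1 or not code[:-1].isdigit():
        return False
    if code[-1] not in SYMBOLS:
        return False
    n = len(code)
    return sum(w * _value(c) for w, c in zip(range(n, 0, -1), code)) % 11 == 0


def single_symbol_slips(code: str):
    """Every string differing from `code` in exactly one position."""
    for i, ch in enumerate(code):
        alphabet = SYMBOLS if i == len(code) - 1 else SYMBOLS[:-1]
        for other in alphabet:
            if other != ch:
                yield code[:i] + other + code[i + 1:]


def adjacent_transpositions(code: str):
    """Every string obtained by swapping two neighbouring, differing symbols."""
    for i in range(len(code) - 1):
        if code[i] != code[i + 1]:
            yield code[:i] + code[i + 1] + code[i] + code[i + 2:]


def detection_rate(corrupted) -> Fraction:
    """Fraction of the supplied corrupted strings that fail validation."""
    corrupted = list(corrupted)
    caught = sum(1 for c in corrupted if not is_valid(c))
    return Fraction(caught, len(corrupted))


def arbitrary_string_pass_rate(body_len: int) -> Fraction:
    """Exhaustively: fraction of all body+check strings of this size that validate."""
    total = valid = 0
    for digits in product("0123456789", repeat=body_len):
        for check in SYMBOLS:
            total += 1
            valid += is_valid("".join(digits) + check)
    return Fraction(valid, total)


if __name__ == "__main__":
    loan = append_check("4738102")   # constructed sample loan number
    print(loan, is_valid(loan))
    print("single-symbol slips caught:", detection_rate(single_symbol_slips(loan)))
    print("adjacent swaps caught:     ", detection_rate(adjacent_transpositions(loan)))
    print("arbitrary strings passing: ", arbitrary_string_pass_rate(3))
```

The arithmetic, not luck, is what guarantees the two 100% figures: a single slip changes the weighted sum by w*(d'-d) and an adjacent swap by (b-a), and neither product can be a multiple of 11.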

1999\07\26@100316 by Adam Davis

Wagner Lipnharski wrote:
> 10) pocket size parachute (options for de-luxe or not)

I'm planning on releasing a shareware parachute-
You can try it for one jump, and if you like it then pay me x dollars.  If it
doesn't work well for you then no charge...  You can upgrade to the deluxe
version for only y dollars.  I'm thinking that will be a popular option, since
the regular version only allows 30 seconds of open time, then it collapses in on
itself.  Pretty difficult to time it just right.  The non registered version
will only open once, the second time it's used w/o being registered it just
flashes a red light and instructions for upgrading.  But they do each contain a
cell phone and card reader so they can be upgraded on the fly.  The cell phone,
however, is also shareware...

-Adam
