VOCA

An aviation researcher, writer, aviation participant, pilot & agricultural researcher. Author of over 35 scientific publications worldwide.

Computers and Aircraft

I list the following articles by David Evans for reading:

Computer-Related Incidents with Commercial Aircraft

Air Safety Week published an article False Navigation Data Leads to Near-Crash (archived version) on 15 December, 2003.

British Mediterranean Airways, A320, false navigation data on non-precision approach. Addis Ababa, 31 March 2003

Synopsis: The A320 aircraft was making an approach into Addis Ababa airport during stormy weather, with a thunderstorm off to the left. The aircraft performed one missed approach due to fluctuating navigation data from the VOR navigation beacon. After querying whether the VOR was operational and receiving an affirmative reply, the crew performed another approach. This approach was also abandoned close-in due to signal problems. As the crew started the go-around, the Enhanced Ground Proximity Warning System (EGPWS) announced “Too Low Terrain”. The aircraft was determined to have missed high terrain only by some 56 ft.

The incident aircraft was not equipped with GPS, but only with standard ground-based navaid receivers. The EGPWS, which has a “moving map”-like display, likewise obtained its signal from the receivers for the ground-based navaids. The VOR at Addis Ababa was waterlogged, both because of the weather and because it was inappropriately sealed against water intrusion. Although ICAO rules require that VORs are installed with a self-check, which declares the signal to be invalid to receivers when it is out of tolerance, this VOR was determined to be sending “valid” signals that were up to 30 degrees off. The aircraft, tracking the VOR, was up to 3 nautical miles off course. The navigation receivers, like the EGPWS “moving map”, showed the aircraft to be on course.

I had predicted that EGPWS might not turn out to be the perfect terrain-avoiding device in my Inside Risks column Risk of Technological Remedy, published in the Communications of the ACM 40(11):160, November 1997. I speculated in Air Safety Week that the pilots might have found the false-reading EGPWS display to be “confirming” of the false inbound course. I was assured in correspondence with the Safety Manager of British Mediterranean Airways, Robin Berry, that this was not the case, and indeed the data on the flight confirm Robin’s assertion: go-around because of faulty data had commenced at the time that the low terrain warning occurred. Robin was actually on the accident flight.

The U.K. Civil Aviation Authority (CAA) issued Bulletin 16/2003 on receipt of the airline’s notification about the incident. The most substantial account of the incident is to be found in Robin’s slides, which I hope to publish here with his permission.

David Evans, editor of Air Safety Week, wrote a commentary on 1 February 2004 about the incident, entitled Safety: Perils of a Lone Positioning Source (see below).

By David Evans

A tiny but significant window into the sequence of a near-catastrophe at Addis Ababa, Ethiopia, came from a passenger’s naïve question during a later British Mediterranean Airways flight to Beirut. By coincidence, the passenger was sitting next to Capt. Robin Berry, the airline’s safety manager. Although the flight to Beirut was on unrelated business, Berry was by this time deeply involved in the incident flight to Addis Ababa. The passenger asked, “What does ‘Too Low Terrain’ mean?”

The innocent query confirmed to Berry that the airplane’s enhanced ground proximity warning system (EGPWS) had sounded an alert during an incident involving an A320 with 68 passengers and seven crew aboard. The British Mediterranean flight was from London via Alexandria, Egypt, to its final destination at Addis Ababa. On that dark and rainy night of March 31, 2003, the aircraft was descending toward a ridge line and, unbeknownst to the pilots, significantly off the approach path. As the crew abandoned the approach and pulled up, the airplane cleared the trees on that ridge line by a scant 55 feet (17 meters).

The case underscores the hazard of drawing all positional information from a common source. The near-accident emphasizes the need for the terrain warning system to have its own, independent means of determining the airplane’s position in the sky. Just as separate load paths are key to structural safety, independent sources of positional information may be key to navigational safety. Although the EGPWS on the incident aircraft is not intended for use in navigation, its alerting function nonetheless depends on accurate information of the airplane’s position in the air relative to the ground. In this case, belated warning was provided to the pilots only because the EGPWS “thought” the airplane was going in short.

The UK’s Air Accidents Investigation Branch (AAIB) is still investigating the case with assistance from manufacturer Airbus and Ethiopian aviation authorities. However, carrier officials who traveled to Addis Ababa shortly after the event believe they have a sufficiently refined picture to reconstruct what occurred.

“It was an accident that only just didn’t happen,” says Berry. It was near the end of a long day for the two pilots, as the aircraft approached Addis Ababa about 2 a.m. local time. The aircraft was fitted with a standard flight management system (FMS) utilizing a combination of ground-based radio navigation aids updated by its inertial reference system (IRS) during flight segments between the widely spaced ground navaids. The aircraft also was fitted with EGPWS. Neither the EGPWS nor FMS was capable of determining the airplane’s position via GPS, however.

The local weather report indicated broken clouds and rain. The rain, as it turned out, would play a surprising role in the events that unfolded.

Landing was planned for Addis Ababa’s Runway 25L utilizing the airport’s VOR signal. The crew lost the signal about 1,200 feet above aerodrome level and discontinued the approach. What the pilots didn’t realize was that they’d missed a ridge north of the airport by some 600 feet.

As they held over the airport and checked out their systems, the tower controller advised that the VOR was functioning properly. In truth, it wasn’t.

The crew attempted a second approach. The FMS display showed them on course. The terrain displayed by their EGPWS showed them in the same location, easily clearing a ridge line north of the airport. As one commentator familiar with the situation said of the instrument displays, “Everything’s lovely, come on down!”

Yet they were off course, a good 3 miles north of the final approach and headed to the ridge line they’d unwittingly flown over during the aborted first approach. This time, they were coming much closer. The only indication of anything amiss was the nondirectional beacon (NDB) pointers telling the crew they were off course. But a thunderstorm south of the airport gave the crew a “credible” reason to believe the NDB equipment was anomalous and to discount the information on the map display.

These hints aside, there was no indication of anything amiss until the pilots received the 1,000-foot callout from the radio altimeter a good 7 miles from their intended touchdown point—much too early in the descent. The callout was followed shortly by the radio altimeter’s 400-foot alert—again, much too early. The two alerts, one following the other in unusually short order, prompted the pilots to start questioning the navigation displays in front of them. They elected to abort the descent and divert to their planned alternate airfield at Djibouti.

At about this same time, the EGPWS sounded the alert, “Too Low Terrain”—but not because it was accurately comparing the airplane’s position to the ground below. It wasn’t. It sounded because the designers of EGPWS fortuitously had built a terrain-clearance “floor” into the system extending a few miles out on both sides of the runway. With the airplane descending toward this artificial floor, the EGPWS alerted to prevent what it perceived as an imminent landing short of the runway. There’s a lesson here on behalf of built-in safety buffers–they can help in unintended ways.

The EGPWS sounded as the airplane was just 110 feet above the ground, roaring over the ridge line, barely clearing. In terms of controlled flight into terrain (CFIT) accidents, this near-CFIT was about as close as one can get without impacting. Since it was at night, in rain, no one aboard knew the closeness of their brush with disaster. The crew returned to Addis Ababa from Djibouti the next day and made an uneventful landing under visual flight rules.

Because of the missed approaches during the rainy night before, the pilots filed an incident report with their company. They also reported the apparent VOR failure to air traffic control (ATC) at Addis Ababa upon their return the next day, when they noticed the error in the VOR signal because of the visual reference. ATC disregarded the failure because they had no alert from the VOR. The monitor had failed for the same reason as the VOR—water ingress. The VOR and the monitor electronics were housed in the same unit.

“Bear in mind that this was a random failure that only existed for a few hours after heavy rain,” says Berry. “Most of the other operators go in [to Addis Ababa] during the day when it had all dried out and there was no problem.”

The carrier also has a flight operations quality assurance (FOQA) program. “We always look at go-arounds,” says Berry. The data was pulled from the quick access recorder (QAR), and at that point it was evident that something had gone very wrong, and that mere feet and fractions of a second separated this near-CFIT from an approach that could have ended with smashed aluminum and shivered bodies littering the ridgeline.

In addition to notifying the authorities (Civil Aviation Authority, AAIB), British Mediterranean “started a full company investigation, sending the QAR readout to Airbus and the EGPWS flash memory to Honeywell [manufacturer of the EGPWS],” says Berry.

There is nothing like good data, and from multiple sources, to reconstruct situations like this. For example, the pilots said they’d turned left, as required, onto the 193-degree radial, as called for during a missed approach on the chart. The data from the FMS indicated that the crew initially turned right, then left. On the second approach, the pilots could not agree exactly on what warning they had heard from the EGPWS. The passenger’s query on the later flight to Beirut was Berry’s confirmation of the EGPWS’ aural warning (the 30-minute cockpit voice recording having been taped over).

On both approaches, the airplane was well north of the specified path on the airport approach plate. How did the airplane get nearly 3 miles off track with “correct” cockpit indications?

Ethiopian authorities examined the VOR transmitter. They found evidence of rainwater seepage into the interior parts of the VOR antenna. Virtually every time it rained, the leakage was causing random deviations off the correct VOR bearing. On the night of the incident, the signal may have been as much as 30 degrees off.

A short time before the incident, the antenna had been removed for the purpose of taking accurate measurements to install new equipment. According to the Ethiopian authorities’ interim report, “The same sealant material used to seal off the opening that let in rain water also failed again and led to a similar incident.”

The VOR was the only ground navaid within 400 miles that the flight management guidance computer (FMGC) on the aircraft could use to update its IRS position. The FMGC will produce an interpolated position based on the IRS and radio position (see above). Because the FMGC position shift was equal to the erroneous shift in the VOR signal, all cockpit indications looked sensible, Berry explains. Both the VOR “raw data” and the FMGC showed the airplane “on track” during the inbound leg of the approach.

Why didn’t the EGPWS alert earlier, before it was at the artificial terrain floor? Since it receives its position from the FMGC, the EGPWS display also showed the aircraft on the seemingly correct inbound track to the runway. No terrain hazard was presented and no alert sounded until the last moment, when the artificial terrain floor was activated. “The EGPWS was actually reinforcing the wrong picture,” says Berry.

It took this flight to a distant destination, across 400 miles without a ground navaid update, for the latent hazard to be revealed.

According to Berry, the incident raises a serious question: “Is EGPWS without the independent location provided by GPS a valid option, especially for remote area operations?”

Regulators certified the EGPWS without requiring GPS, he adds, thereby embedding the potential for a common position error in both the FMS and the EGPWS. Berry believes an independent positioning source should be fitted to the terrain warning system. The electronic card and other components could be installed overnight, providing an effective fix.

The Addis Ababa incident also showed the virtue of FOQA in a new way. “We now freeze and collect a lot more data,” says Berry.

Human factors issues are involved also. “On both approaches, the ‘raw’ data matched the FMS data, providing the pilots with a powerful mental picture of being in the right place on the right track,” says Berry. Or, more simply, the faulty information from the VOR was causing the FMS position shift, and that shift matched the VOR error. Berry confesses that “the type and degree of error in the ground aid information was outside the crew’s experience and, indeed, outside the experience of nearly everyone I have spoken to since this incident.”

Basic lessons emerging from this case include:

For the crewmen: if things don’t seem right, they probably aren’t. The premature altitude callout was the tip-off. Trust your instruments, up to the point of contrary indications.
For the machine: it’s preferable to drive positional warning systems like EGPWS from independent, stand-alone source data like GPS. The single positional source to two “independent” systems came within a hairsbreadth of fooling both pilots.
For the regulators: this case seems to constitute a watershed event as far as failure modes and effects analysis (FMEA), and the role of this safety-assurance process in the design and certification of avionics systems.
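
The common-source problem described above (VOR raw data, FMGC position, EGPWS display and the co-housed VOR monitor) can be checked mechanically. The following is an added example, not from the article or from any avionics vendor: the dependency map is reconstructed from the article's description, the node names are illustrative labels, and the GPS variant assumes the retrofitted EGPWS takes its position from GPS alone.

```python
# Each indication maps to what it is derived from (reconstructed from the article).
INCIDENT_FIT = {
    "vor_raw_data": ["vor_ground_unit"],
    "fmgc_position": ["irs", "vor_ground_unit"],   # IRS updated by radio position
    "fms_map_display": ["fmgc_position"],
    "egpws_terrain_display": ["fmgc_position"],    # EGPWS position comes from the FMGC
    "vor_monitor": ["vor_ground_unit"],            # same housing, same water ingress
    "atc_vor_status": ["vor_monitor"],
    "ndb_pointers": ["ndb_ground_station"],
    "radio_altimeter": ["radio_altimeter_sensor"],
}
# Assumption: after the retrofit the EGPWS position depends on GPS only.
GPS_FIT = {**INCIDENT_FIT, "egpws_terrain_display": ["gps"]}

# What the crew (and ATC) could actually consult.
INDICATIONS = ["vor_raw_data", "fms_map_display", "egpws_terrain_display",
               "atc_vor_status", "ndb_pointers", "radio_altimeter"]

def root_sources(node, deps, _seen=None):
    """Return the underived sources that a node ultimately relies on."""
    seen = set() if _seen is None else _seen
    if node in seen:
        return set()
    seen.add(node)
    parents = deps.get(node)
    if not parents:
        return {node}
    roots = set()
    for parent in parents:
        roots |= root_sources(parent, deps, seen)
    return roots

def independent_of(indication, deps, candidates):
    """Indications sharing no root source with `indication` (true cross-checks)."""
    mine = root_sources(indication, deps)
    return sorted(c for c in candidates
                  if c != indication and not (root_sources(c, deps) & mine))

def shared_sources(deps, candidates):
    """Root sources whose failure would corrupt two or more indications at once."""
    users = {}
    for c in candidates:
        for root in root_sources(c, deps):
            users.setdefault(root, []).append(c)
    return {r: sorted(u) for r, u in users.items() if len(u) > 1}

if __name__ == "__main__":
    for name, fit in (("incident fit", INCIDENT_FIT), ("GPS fit", GPS_FIT)):
        print(name, "cross-checks for VOR:", independent_of("vor_raw_data", fit, INDICATIONS))
        print(name, "shared sources:", shared_sources(fit, INDICATIONS))
```

In the incident configuration only the NDB pointers and the radio altimeter come out as independent of the VOR, which matches the article: those were the only indications that disagreed with the rest.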

Meanwhile, changes have occurred both at Addis Ababa and within British Mediterranean. The ground situation at the airport has improved dramatically with a new VOR having been installed.

As for the airline, Berry said the GPS engine was fitted to the incident aircraft’s EGPWS about three months ago. The story is far from complete, and the AAIB investigation continues.

“There is still a lot that we do not understand about the mechanics of this incident. The failure process is still taxing much more informed minds than mine,” Berry says. “We think we know the underlying cause, but not why it had such a disastrous effect on the navigation and other protective systems on the aircraft.”