Air Safety Through Investigation - Journal of the International Society of Air Safety Investigators
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Air Safety Through Investigation APRIL-JUNE 2019
Journal of the International Society of Air Safety Investigators
The EC 225 Accident
Near Turøy in Norway
page 4
Addressing the Risks of
Erroneous Data Entry
page 8
ISASI Kapustin Scholar-
ship Essay—Off the Ac-
cident Site and into the
Hangar: Incident Inves-
tigation Using Structural
Health Monitoring
page 14
Service Provider
Investigations: New
Opportunities
page 17
Aircraft Systems
Complexity and
Software Investigation
page 23CONTENTS Air Safety Through Investigation
Journal of the International Society of Air Safety Investigators
FEATURES Volume 52, Number 2
Publisher Frank Del Gandio
4 The EC 225 Accident Near Turøy in Norway Editorial Advisor Richard B. Stone
By Kåre Halvorsen and Tor Nørstegård, AIBN—The authors discuss their investigation Editor J. Gary DiNunno
over difficult terrain of a second loss of a helicopter main rotor and the need for a change in Design Editor Jesica Ferry
certification and continued airworthiness of large rotorcraft. The authors won the award for
Associate Editor Susan Fager
Best Presentation during ISASI 2018.
ISASI Forum (ISSN 1088-8128) is published quar-
8 Addressing the Risks of Erroneous Data Entry terly by the International Society of Air Safety
By Florent Duru and David Nouvel, BEA—The authors examine the use of erroneous Investigators. Opinions expressed by authors do
parameters at takeoff that a number of safety investigation authorities have addressed. not necessarily represent official ISASI position
This paper is based on an investigation that went beyond human error to review systemic or policy.
factors—in particular, how regulators and industry endeavored to address these risks.
Editorial Offices: Park Center, 107 East Holly Ave-
nue, Suite 11, Sterling, VA 20164-5405. Telephone
14 ISASI Kapustin Scholarship Essay—Off the Accident Site and into 703-430-9668. Fax 703-430-4970. E-mail address,
the Hangar: Incident Investigation Using Structural Health isasi@erols.com; for editor, jgdassociates@
By Katrina Ertman, TU Delft University, 2018 ISASI Rudolf Kapustin Memorial Scholar- starpower.net. Internet website: www.isasi.org.
ship Recipient—The author asks: What comes next for air safety investigation? She propos- ISASI Forum is not responsible for unsolicited
manuscripts, photographs, or other materials.
es in the case of nonaccident structural faults that a promising technology emerging from
Unsolicited materials will be returned only if
the preaccident realm, continuous structural health monitoring, could assist in preventing submitted with a self-addressed, stamped enve-
future occurrences. lope. ISASI Forum reserves the right to reject,
delete, summarize, or edit for space con-
17 Service Provider Investigations: New Opportunities siderations any submitted article. To facilitate
By Richard Davies, Investigator, Qantas Group Safety; Paula Gray, Manager, Service Deliv- editorial production processes, American Eng-
ery, the Qantas Group; and Wayne Jones, Aviation Safety Consultant—The authors discuss lish spelling of words is used.
the necessity for air safety investigation teamwork between state agencies and service provid-
ers and examine ICAO Doc. 10004 Global Aviation Safety Plan 2017–2019, which establishes a Copyright © 2019—International Society of Air
strategy for prioritization and continuous improvement of global aviation safety. Safety Investigators, all rights reserved. Publica-
tion in any form is prohibited without permis-
sion. ISASI Forum registered U.S. Patent and
23 Aircraft Systems Complexity and Software Investigation T.M. Office. Opinions expressed by authors do
By Paulo Soares Oliveira Filho, Air Safety Investigations Manager, Embraer Air Safety not necessarily represent official ISASI position
Department—The author offers a discussion of the growth in aircraft systems complexity with or policy. Permission to reprint is available upon
intense usage of software. He suggests that in light of constant incoming technologies, revisiting application to the editorial offices.
some aircraft system concepts that are frequently adopted in the investigation process is
important. Publisher’s Editorial Profile: ISASI Forum is print-
ed in the United States and published for profes-
sional air safety investigators who are members
of the International Society of Air Safety Inves-
DEPARTMENTS
tigators. Editorial content emphasizes accident
investigation findings, investigative techniques
and experiences, regulatory issues, industry ac-
2 Contents cident prevention developments, and ISASI and
3 President’s View member involvement and information.
28 News Roundup Subscriptions: A subscription to members is pro-
30 ISASI Information vided as a portion of dues. Rate for nonmem-
32 Who’s Who: Bell—Above and Beyond Flight bers (domestic and Canada) is US$28; Rate for
nonmember international is US$30. Rate for all
libraries and schools is US$24. For subscription
information, call 703-430-9668. Additional or
replacement ISASI Forum issues: Domestic and
ABOUT THE COVER Canada US$4; international member US$4; do-
mestic and Canada nonmember US$6; interna-
The main rotor suddenly detached from an EC 225 LP Super Puma helicopter tional nonmember US$8.
in 2016 that was transporting oil rig workers to a platform in the North Sea.
Wreckage parts were spread over a large area both on land and in the sea near
Turøy, Norway. The main rotor landed on an island about 550 meters north of
the crash site. The impact forces destroyed the helicopter before most of the
wreckage continued into the sea. Fuel from the helicopter ignited and caused a INCORPORATED AUGUST 31, 1964
fire on shore.
2 • April-June 2019 ISASI ForumPRESIDENT’S VIEW
POSITIONS ON AIR SAFETY
INVESTIGATION ISSUES
A
ll of us who are or tion of accidents and incidents confidential until the investi- mendations—addresses the
have been professional and that our members are gation authority publishes the processing of safety recom-
accident investigators to adhere to the ISASI Code final report. mendations and the process of
and aviation safety of Ethics and Conduct. This Chapter 6: Investigators— petition for review.
personnel can benefit from section provides guidelines addresses the qualifications Chapter 12: Prevention/
reviewing ISASI’s official for conduct during an and experience for investi- Safety Programs/Accident
Positions on Air Safety Investi- investigation. gators and their initial and Prevention Program—ad-
gation Issues document that Chapter 3: Accident and recurrent training. dresses the need to examine
is posted on our website. The Incident Investigations—dis- Chapter 7: Documenta- safety programs as a routine
purpose of the document, cusses that the conduct of tion—provides minimum part of the investigation.
which was last updated in May the investigation should be standards for documenting Chapter 13: Miscellaneous—
2015, is to codify our approved accomplished in accordance investigations, disclosure of suggests that the investigative
positions on matters concern- with ICAO Annex 13 or other the master file for review or re- authority should designate an
ing ISASI’s role and policies internationally accepted search within legal restraints, official to work with the news
for air safety. investigative framework. and data retention. media. This individual should
The positions are evolu- This section also covers the Chapter 8: Witnesses—ad- provide approved and validat-
tionary in nature and are importance of quality control dresses the importance of ed information to the news
updated periodically. A and using ISASI, ISASI Forum, conducting witness interviews media without speculation
team is currently reviewing the annual ISASI and regional as soon as possible after an about causes or contributing
the positions document for seminars, and other similar occurrence, the conduct of factors. ISASI’s positions on
possible updates or inclusion arenas as a means of dissem- the interviewer, and the rights unlawful interference and
of new issues. These positions inating lessons learned and of witnesses. Witness state- family assistance are outlined.
are not mandatory for ISASI successful techniques during ments, except where confiden- This “President’s View”
members but reflect policies, an investigation to other tiality is granted, should be should only whet your
best practices, and concepts investigators. Investigators are made available on a need-to- appetite to review all 17 pages
that are beneficial to Society urged to determine all causes know basis but not outside of of the Society’s official
members. These published and contributing factors influ- the investigation. positions. I strongly recom-
positions are especially helpful encing human and organiza- Chapter 9: Recorders—ad- mend anyone who is an
when we’re approached by the tional performance as well as dresses the use of flight re- investigator or works in the
news media or other entities precursors discovered during aviation safety field to review
corders, cockpit voice record-
regarding our views on air previous investigations. these positions to enhance
ers, in-flight video recording,
safety issues. The document your overall understanding of
Chapter 4: Investigation and the use of such devices.
currently covers 13 topics. the process and to promote
Organizations—addresses the This section affirms that
safety through investigation.
Chapter 1: Introduction— authority of the organization protection from inappropriate
defines ISASI and why the and the investigator and the disclosure and misuse of re-
Society was formed in 1964. need for independence. This cordings through legal and or
It addresses the process for section provides a framework technical measures is a high
establishing policy standards for states to ensure that their priority. ISASI supports the
and ISASI’s acceptance of investigation organization full-time tracking of aircraft.
International Civil Aviation has the authority to properly Chapter 10: Accident Re-
Organization (ICAO) manuals conduct their tasks. port—addresses review and
and definitions that ensure Chapter 5: Investiga- consultation of a draft report,
investigations are conducted tor-in-Charge—outlines the the final accident report, the
worldwide in a well-docu- need to appoint an investiga- recommended format, and the
mented, uniform manner. tor-in-charge(IIC), the role an formation of safety recom-
Chapter 2: General—de- IIC plays creating the investi- mendations.
fines the purpose of air safety gation report, and the impor- Chapter 11: Actions on Frank Del Gandio
investigation as the preven- tance of keeping a draft report Reports and Safety Recom- ISASI President
April-June 2019 ISASI Forum • 3THE SECOND LOSS OF A HELICOPTER MAIN ROTOR—NEED FOR A CHANGE IN
CERTIFICATION AND CONTINUED AIRWORTHINESS OF LARGE ROTORCRAFT?
The EC 225 LP Accident near
Turøy in Norway By Kåre Halvorsen and
Tor Nørstegård, AIBN
O
n April 29, 2016, the main ro- 550 meters north of the crash site (see Fire Department performed a total of 354
tor suddenly detached from a Figure 1). The impact forces destroyed the dives. A remotely operated vehicle was
helicopter registered LN-OJF, an helicopter before most of the wreckage used in areas not covered by kelp forest,
Airbus Helicopters EC 225 LP continued into the sea. Fuel from the heli- and a purpose-built magnet sledge was
Super Puma, operated by CHC Helikopter copter ignited and caused an onshore fire. used to search for steel parts on the sea-
Service AS. The helicopter transported oil There were many witnesses to the acci- bed. Following the accident, Navy divers
workers for Statoil and was en route from dent. In addition, the combined voice and used the area for training purposes, and
the Gullfaks B platform in the North Sea flight data recorder was picked up from the last major part—the second-stage
to Bergen Airport Flesland. The flight was the seabed and successfully downloaded. planet carrier—was found and recovered
normal, and the crew received no warn- Furthermore, with information from the in late February 2017.
ings before the main rotor separated. All vibration health monitoring system,
13 persons on board perished instantly the accident sequence could be
when the helicopter hit a small island and reconstructed.
Building a robust investigation team
continued into the sea. Losing a main ro- Building a robust investigation team is
However, it was necessary to find as
tor is unacceptable. This was the second of vital importance. In accordance with
many pieces as possible to determine
rotor loss for this helicopter type. International Civil Aviation Organization
why the main rotor separated, and parts
This presentation will focus on the (ICAO) Annex 13, the French accident
from the main gearbox and its attach-
following topics: investigation organization (BEA) was
ments had special focus. On the second
• The accident site. notified as the state of design and the
day, the main wreckage was lifted from
state of manufacture. The BEA appointed
• Building a robust investigation team. the sea (see Figure 2), and the main rotor
an accredited representative to lead a
was recovered (see Figure 3). A number
• Challenges faced during the investi- team of investigators from the BEA and
gation. of key parts from the main gearbox were
advisors from Airbus Helicopters, Safran
also found at this time, including two
• The metallurgical investigation. Helicopter Engines, and later the French
segments of a fractured second-stage
bearing manufacturer. In accordance
• Certification and continued airwor- planet gear that later became of vital
with Regulation (EU) No. 996/2010, the
thiness. importance.
European Union Aviation Safety Agency
A large search operation was initiated
The accident site (EASA), the regulator responsible for the
that included members of the Norwegian
Wreckage parts were spread over a large certification and continued airworthiness
Civil Defence who searched onshore
area both on land and in the sea. The of the helicopter, was notified of the ac-
using metal detectors. Divers from the
main rotor landed on an island about cident and participated as advisor to the
Norwegian Armed Forces and the Bergen
Accident Investigation Board of Norway
(AIBN). The Norwegian Civil Aviation
Authority (CAA-N); the operator, CHC
Helikopter Service AS; and the Norwegian
Defence Laboratories were also advisors
and part of the team.
The UK Air Accidents Investigation
Branch (AAIB), along with the metallur-
gical laboratory at QinetiQ, Farnborough,
UK, had relevant experience from the
investigation of a similar fatal helicopter
accident of an Airbus Helicopters AS 332
L2, registered G-REDL, off the coast of
Scotland in 2009. For that reason, they
were asked to assist during the investiga-
tion. The AAIB appointed an accredited
representative and advisors from Qine-
tiQ as part of the team. Advisors with
Figure 1. The accident site. expertise in tribology and certification of
4 • April-June 2019 ISASI Forum(Adapted with permission
from the authors’ technical
paper titled AIBN the EC
225 LP Accident near
Turoy in Norway present-
ed during ISASI 2018, Oct.
30–Nov. 1, 2018, in Dubai,
the United Arab Emirates.
The theme for ISASI 2018
was “The future of Aircraft
Accident Investigation.”
The full presentation
can be found on the
ISASI website at www.
isasi.org in the Library
tab under Technical
Presentations.—Editor)
Figure 2. Main wreckage being lifted from the sea.
helicopters later joined the team. istrative body. However, the AIBN waited between two
The German accident investigation to six months before receiving some of the documents
organization was later notified as the from EASA. The ABIN also understands that design
state of manufacture of the fractured gear information is sensitive and proprietary, but studying
bearing. requested documentation at Airbus Helicopter’s premis-
The transparent cooperation among es is not an effective way of reviewing such information.
these team members turned out to be a Additionally, legal issues drew resources away from the
success. Documents were shared via investigation. The AIBN notes that Regulation (EU) No.
controlled access to a secure file cloud. 996/2010 states, “free access to any relevant information
Kåre Halvorsen
or records,” whereas ICAO Annex 13 states, “unham-
pered access to wreckage and all relevant material.”
Challenges faced during the
Safety recommendations SL No. 2018/10T and SL No.
investigation 2018/11T are issued based on this experience.
Shortly after the accident, the EC 225 LP
helicopter was grounded by the CAA-N
and the CAA-UK. In early June 2016, the The metallurgical investigation
AIBN submitted a safety recommendation Two recovered segments of the fractured second-stage
asking EASA to take immediate action planet gear, which makes up approximately half of a
to ensure the safety of the main gear box. gear, got special attention (see Figure 4, page 6).
EASA issued a flight prohibition for both Detailed metallurgical examinations carried out at
helicopter types, AS 332 L2 and EC 225 QinetiQ confirmed that the gear had fractured due to
LP. The flight ban was lifted by EASA five fatigue. The different examinations revealed the se- Tor Nørstegård
months later, based on an agreed-upon
corrective actions package for return
to service between EASA and Airbus
Helicopters. In this situation, EASA had
at least two different roles: being respon-
sible for continuing airworthiness and
an advisor to the AIBN. This pressure
was high for all parties involved and
influenced to some degree the sharing of
information. From the AIBN’s perspective,
it sometimes seemed that lifting the flight
prohibition was the first priority.
The AIBN came to understand that
patience is necessary when asking for
certification and design information. The
AIBN appreciates EASA’s obligation to
follow its procedures as a public admin- Figure 3. The main rotor gear.
April-June 2019 ISASI Forum • 5Certification and continued
airworthiness
The helicopter main gearbox is both a
mechanical drive train and a structural
element without any redundancy. Any
structural failure during flight will be
catastrophic. The helicopter main gear-
box must be regarded as one of the most
safety critical components in the aviation
industry.
The EC 225 LP is the latest member of
the Super Puma family that started with
the SA 330 in 1970. The EC 225 LP is de-
rived from the earlier AS 332 L2. The 2004
certification of the EC 225 LP is based
on JAR 29 Change 1. The second-stage
planet gears were certified under FAR
29.571, Fatigue Evaluation of Flight
Structure Paragraph C replacement time
evaluation: “It must be shown that the
Figure 4. The rotor gear assembly showing the second-stage planet gear.
probability of catastrophic fatigue failure
quence of the breakup of the gearbox (see and scratching one or more rollers. is extremely remote within a replacement
Figure 5). This likely caused a band of local work time furnished under section A29.4 of
The fractured gear clashed teeth with hardening and associated micro-pitting Appendix A.”
other gears and caused an abrupt seizure at the outer race. The AIBN concluded Crack initiation and propagation with
and rupture of the gearbox, which lost its that the fatigue fracture was neither a limited spalling was not expected or fore-
structural integrity. consequence of a mechanical failure or seen during design and type certification
The fatigue fracture initiated from a misalignment of another component in 2004. It was assumed that if rolling con-
surface micro-pit in the upper outer race nor due to material unconformity. More tact fatigue occurred, spalling would re-
of the bearing (inside the second-stage research is needed to understand the sult and be detected prior to gear failure.
planet gear), propagating subsurface fatigue behavior of the material. It The AIBN believes that more could have
while producing a limited quantity of has not been possible to determine been learned from the AS 332 L2 accident
particles from spalling before turning a conclusive crack propagation rate, in 2009. The AS 332 L2 and EC 225 LP
toward the gear teeth and fracturing the but it must have developed within a have near-identical gearboxes. Using all
rim of the gear. Four spalls were observed maximum of 260 flight hours since the information and hypothesis might have
centered along the line with maximum gearbox was inspected and repaired challenged the design basis. Even though
contact pressure (see Figure 6). at Airbus Helicopters. The repair was small changes were made to the main
It is probable that the failure was initi- done following a road transport gearbox following the 2009 accident, the
ated by debris caught within the bearing incident. certification aspects were not adequately
reviewed.
Less than 10 percent of all second-stage
planet gears in the AS 332 L2 and EC 225
LP helicopters ever reached their intend-
ed operational time before being rejected
during overhaul inspections or nonsched-
uled main gearbox removals due to signs
of degradation. Airbus Helicopters did
not perform systematic examination and
analyses of unserviceable and rejected
second-stage planet gears in order to
understand the full nature of any damage
and its effect on continued airworthiness.
Two catastrophic events (G-REDL and
LN-OJF) and the service experience with
many planet gears removed from service
after relatively short service exposure
may suggest that the operational loading
environment on both AS 332 L2 and EC
225 LP is close to the limit of endurance
Figure 5. An estimate of the fracture sequence. for the design.
6 • April-June 2019 ISASI ForumFigure 6. Investigators found spalling inside the second-stage planet gear.
The EC 225 LP satisfied the require- SL No. 2018/03T improve safety outcomes.
ments in place at the time of certification. The AIBN recommends that EASA
However, the AIBN has found weaknesses amends the acceptable means of com- SL No. 2018/07T
in the current EASA certification specifi- pliance to the certification specifications The AIBN recommends that EASA
cations for large rotorcraft (CS-29), for large rotorcraft in order to highlight makes sure that helicopter manufac-
and the AIBN has issued nine safety the importance of different modes of turers review their continuing airwor-
recommendations addressing these component structural degradation and thiness program to ensure that critical
shortcomings. how these can affect crack initiation and
components found to be beyond ser-
The following safety recommendations propagation and fatigue life.
viceable limits are examined so that the
were issued in order to enhance certi-
fication specifications and continued full nature of any damage and its effect
airworthiness of large rotorcraft: SL No. 2018/04T on continued airworthiness is under-
The AIBN recommends that EASA revises stood, either resulting in changes to the
the certification specifications for large maintenance program; design,
SL No. 2018/01T rotorcraft to introduce requirements as necessary; or driving a mitigation
The AIBN recommends that EASA re- for main gearbox chip detection system plan to prevent or minimize such dam-
searches crack development in high-load- performance. age in the future.
ed, case-hardened bearings in aircraft
applications. An aim of the research
should be the prediction of the reduction SL No. 2018/05T SL No. 2018/08T
in service life and fatigue strength as a The AIBN recommends that EASA devel- The AIBN recommends that EASA
consequence of small surface damage ops main gearbox certification specifica- reviews and improves the existing
such as micro-pits, wear marks, and tions for large rotorcraft to introduce a provisions and procedures applicable
roughness. design requirement that no failure of in- to critical parts on helicopters in order
ternal main gearbox components should to ensure that design assumptions are
lead to a catastrophic failure. correct throughout service life.
SL No. 2018/02T
The AIBN recommends that EASA as-
sesses the need to amend the regulatory SL No. 2018/06T SL No. 2018/09T
requirements with regard to procedures The AIBN recommends that EASA devel- The AIBN recommends that EASA
or instructions for continued airworthi- ops regulations for engine and helicopter researches methods for improving the
ness for critical parts on helicopters to operational reliability systems that could detection of component degradation in
maintain the design integrity after being be applied to helicopters that perform helicopter epicyclic planet gear
subjected to any unusual event. offshore and similar operations to bearings.
April-June 2019 ISASI Forum • 7ADDRESSING THE RISKS OF
ERRONEOUS DATA ENTRIES
By Florent Duru and David Nouvel, BEA
T
he safety issue related to the use of destination without any further incident. some cases of engine failure) and therefore
erroneous parameters at takeoff cannot be considered a robust barrier.
has been addressed these past years
Erroneous data entry during flight
by a number of safety investigation
preparation Specific improvements to be undertak-
authorities (SIAs). This paper is based on
an investigation that went beyond human After deciding on an extra fuel load, both en (operator/manufacturer)
error to address systemic factors—in par- the captain (PM) and the copilot (PF) tried Uniformity of weight data handled
ticular, how regulators and industry have to anticipate the new takeoff weights and The analysis pointed to the variety of
endeavored to address these risks. made some calculations. Both entered the weight data formats and denominations
The investigation also analyzed the same erroneous weight in their respective handled by the Air France crew during
handling of previous safety recommenda- electronic flight bag (EFB) performance the flight preparation. Homogenization of
tions on the same issue. Such an approach, tool, off by 100 tonnes from the correct the data among the media would make it
which takes into account state safety weight. As a result, they departed with possible to both facilitate simple equality
programs (SSPs) and safety management highly incorrect takeoff speeds, config- checks and reduce the cognitive load. The
systems (SMSs), also aims to provide more uration, and thrust settings. A detailed goal is to give meaning to the numbers
convincing safety recommendations, as description of the scenario will be availa- handled in order to allow a better acquisi-
laid out in the BEA’s strategic plan for ble in the final report. tion of the usual values and a more system-
2018–2022. atic use of orders of magnitude.
The BEA will address a safety recom-
Effective barriers and associated mendation to Air France.
The F-GUOC serious incident limitations
A serious incident occurred during takeoff Tail strike protection provides a timely Checking robustness of procedures
from Paris’ Charles de Gaulle Airport on elevator input to help avoid tail strikes on Air France, aware of the error-prone nature
May 22, 2015, and involved the B-777-F takeoff. If the tail strike protection had not of the procedures associated with the cal-
registered F-GUOC and operated by Air been activated during this takeoff, Boeing culation and entry of takeoff parameters,
France. The captain (PM), the copilot (PF), estimated that there would have been had initiated an internal working group
and two relief copilots were on board for runway contact about one second after the concerning the use of the EFB perfor-
this commercial air transport (CAT) opera- activation of the protection. This was an mance tool. One of the main objectives
tion (cargo) to Mexico. effective barrier against one of the possi- of this group was to prevent the use of
The B-777 took off at low speed (see ble outcomes associated with the use of erroneous parameters at takeoff. The work
Figure 1), and the tail strike protection of erroneous parameters at takeoff. However, of this group was not carried through to
the airplane was activated. The aircraft did it does not provide protection against completion. Following the serious inci-
not gain altitude. The crew then applied other associated major outcomes such as dent, modifications were made, clarifying
full thrust (TOGA). The airplane flew collision with an obstacle or a high-speed certain sequences and adding an overall
over the opposite threshold at a height of runway excursion. consistency check among the weights of
approximately 170 feet and continued to Moreover, it took the crew eight seconds the three media (EFB, final load sheet, and
climb. During the climb, the crewmembers to opt for TOGA thrust and to apply it. This FMS). While these modifications introduce
discussed the causes of the incident and period seems consistent with the element beneficial features, they add further checks
realized they had made a mistake of 100 of surprise, the unknown problem. The to already demanding procedures—the
tonnes in the weight used to calculate application of full thrust is not the sole robustness of which must be assessed not
the takeoff performance parameters. The and obvious solution. Indeed, it can be only during implementation but also over
crewmembers continued their flight to the counterproductive (the risk of tail strike, time.
The BEA will address a safety recom-
mendation that asks Air France to check,
in operational conditions, the robustness
of the procedures for calculating and en-
tering takeoff parameters in order to take
into account the constraints inherent in
the flight preparation phase.
Protections against entering erroneous
speeds on the B-777
Figure 1 Following the serious incident, the Dutch
8 • April-June 2019 ISASI Forumsafety board (DSB) contacted the BEA by individual techniques. (Adapted with permis-
because it had to investigate two very Previous safety investigations and safety studies main- sion from the authors’
similar serious incidents involving B-777s ly led to the identification of three areas of concern: technical paper titled
in which an error of 100 tonnes was made. • operational procedures, Investigating How
Regulators and Industry
The F-GUOC serious incident is the third • knowledge of orders of magnitude, and Endeavor to Address
low-speed takeoff on a B-777 in which the Risks of Erroneous
• existing software user interface.
flight crews did not detect or understand Data Entries presented
the “V Speeds Unavailable” FMS message In the scope of these safety investigations and safety during ISASI 2018, Oct.
that is triggered when the FMS can no studies, SIAs addressed several safety recommenda- 30–Nov. 1, 2018, in Dubai,
longer compute reference speeds. The tions to certification authorities worldwide; 13 have the United Arab Emirates.
message was not sufficiently salient and been listed in the F-GUOC safety investigation report The theme for ISASI 2018
explicit and can be deleted directly by the (nonexhaustive list). The listed safety recommendations was “The future of Aircraft
crew. Boeing’s operational documentation focused on the following systems: Accident Investigation.”
• Onboard weight and balance systems: two safety The full presentation
on the calculation of reference speeds and
recommendations since 2005. can be found on the
on the conditions in which the V Speeds ISASI website at www.
Unavailable message is activated is incom- • Gross error detection/warning systems: six safety isasi.org in the Library
plete. It does not allow operators to assess recommendations since 2006. tab under Technical
the risks and develop robust procedures. • Takeoff performance monitoring systems: three Presentations.—Editor)
The request from operators for Boeing to safety recommendations since 2006.
improve the flight crew operating manual
documentation about this message was • EFBs: two safety recommendations since 2011.
not followed up. In addition, the aircraft
systems do not warn crews of the loss of F-GUOC and historical areas of concerns: converging
protection preventing the entry of speeds findings
below V1min, VRmin, and V2min normal- Regarding the F-GUOC serious incident, the BEA con-
ly calculated by the FMS. In the F-GUOC cluded that the following elements may have contribut-
event, because the system authorized the ed to the 100 t error not being detected and its propaga-
crew to enter the speed data, the crew tion:
thought that takeoff was possible. • the crew’s handling of takeoff weight data in numer-
The BEA will address two safety rec- ous formats, on various media, and with various
ommendations to Boeing to update denominations.
documentation and to review its alerting • the “nonmobilization” of orders of magnitude partly
systems. related to the increasing use of performance optimi- Florent Duru
zation tools.
Use of erroneous parameters at takeoff: • the number of basic checks required, incompletely
taking into account the operational context and
background overview how the crew works. These procedures are notably
Previous safety investigations and safety
based on an independent double calculation, a
studies simple verbalization undermining this independ-
From 1999 to 2015, more than 30 acci- ence. These procedures did not include a means of
dents and serious incidents related to the detecting gross errors or a simultaneous check of
use of erroneous parameters for takeoff the three media using weight data ( final load sheet,
led to safety investigations worldwide. EFB performance tool, and FMS).
In addition to these case-by-case safety
investigations, the BEA (2008), the Austral- These three elements are in line with the main areas
ian Transportation Safety Board (2009),
and NASA (2012) published safety studies
of concern highlighted by previous safety investigations
and studies. One of the F-GUOC investigation team
David Nouvel
focusing on this issue. members, a human factors specialist who participated in
One of the immediate findings of the the BEA study in 2008, confirmed this convergence. This
safety studies was that these incidents and is why the BEA decided to steer the focus of the inves-
accidents have involved different aircraft tigation toward why the general situation seems not to
manufacturers and different aircraft mod- have improved.
els operated by various operators around
the world. They are equipped with differ- Risk management by Air France
ent systems to process takeoff parameters. The risk of an entry error has been the subject of several
It was also observed that flight prepara- initiatives by Air France, either continuously or follow-
tion is prone to errors at multiple points ing a significant incident in 2004 on one of the airline’s
and that these errors are frequent but A340s. These initiatives took the form of ad hoc analy-
generally detected by the application of ses, notably on the basis of incident reports collected
standard operating procedures (SOPs) or via aviation safety reports, the inclusion of the topic in
April-June 2019 ISASI Forum • 9the training program, the modification of This information may serve as a cross- A takeoff monitoring (TOM) system was
certain operational media, requests for check (secondary system) or as the source developed by Airbus in 2015 and certified
modifications addressed to manufacturers, (primary system) for the weight and on the A380 in February 2018. A retrofit on
or internal publications. balance values used in the performance other programs is planned.
When EFB performance tools were in- data process. To the BEA’s knowledge, Boeing did not
troduced from 2009 on the airline’s B-777-F Airbus and Boeing successfully devel- develop a TOM.
(cargo), Air France launched an internal oped OBWBS. Airbus certified it on the
working group and participated in the A330/340 in 1993, and a system is cur- Investigating SMS
study conducted by the BEA. Nevertheless, rently in use on the B-747-8. However, it Early analysis and decision
the working group did not continue its dis- is available on a very limited number of On starting the investigation into this new
cussions because Air France was beginning aircraft models and leads to operational serious incident, the BEA assessed the
to use manufacturers’ documentation. Air constraints and additional maintenance situation as follows:
France considered that these documen- costs. Airbus has no plans to develop any • Use of erroneous parameters at takeoff
tation changes were making this internal new OBWBS. still occurs frequently.
work less relevant.
Flight audits have limited effectiveness • Outcomes are still potentially cata-
Automated entries or checks related to strophic.
in this area due to the focus on compli- aircraft takeoff performance
ance. The checks carried out by type rating • Safety barriers still consist mainly of
Airbus developed a takeoff securing func-
examiners are not intended to assess the SOPs and of the appropriate detection
tion that detects inconsistencies in the and reaction by crewmembers.
robustness of the reference frames but parameters entered in the FMS. It includes,
essentially the crews’ performance within • In this context, the BEA had in mind
in particular, checks and dedicated warn-
these reference frames. its own input in this safety issue, as
ings for the zero fuel weight range, takeoff
Before the F-GUOC serious incident, Air well as the inputs from its counter-
speed consistency with takeoff weight,
France had begun exploring two ways of parts worldwide:
trim setting, aircraft position, and takeoff
detecting such events through its flight • Previous findings have shown that op-
distance.
data monitoring (FDM). While an incident erational safety barriers are important;
Boeing implemented different checks
such as the one concerning F-GUOC was however, numerous events and studies
and associated alerts in the FMS. Some
actually detectable, the system was still have shown that there are occasions
examples for the B-777 include where they are not effective.
not considered effective enough to detect
• V speed checks (minimum V speed
the various data entry errors that can be • For 15 years, SIAs have issued safety
made. In this initiative, Air France reported protection, relative V speed check),
recommendations regarding the intro-
not having received the expected assis- • configuration checks, duction of technology to prevent and/
tance from manufacturers. • an optional feature to uplink FMS data or detect erroneous parameters.
to the EFB in order to reduce manual Based on this initial analysis and on the
Systems developed by the aviation
entries. A comparison feature can apparent status quo, the BEA considered
industry
warn the crew if the difference be- the appropriate scope for this new investi-
The aviation industry is searching for
tween the FMS weight and EFB weight gation. Carrying out an in-depth analysis
systems to reduce the number of take-
is too great. of operational deficiencies, assuming that
off-related incidents and accidents. These
Solutions are not limited to aircraft sufficient data is available in the absence
systems are either intended to reduce
manufacturers. For example, LINTOP of CVR data, could contribute once again
manual entries, detect input and output
(Lufthansa systems) is an on-the-ground to the experience feedback. However, what
errors by built-in crosschecks in takeoff
remote-performance calculation system would the benefits be with regard to the
performance–related aircraft systems, or
that can compare the weight entered in global state of knowledge and to this status
ultimately by monitoring the actual takeoff
the ACARS page by the crew with the quo? Therefore, what would the actual
performance.
weight used during flight preparation. If benefit be in terms of risk management?
The BEA noticed that solutions devel-
the deviation is too high and if the weight Naturally, the decision was to focus on
oped by industry were very heterogeneous.
entered is lower, the crew is warned (in “risk-based approaches,” in particular at
Currently, it depends on the manufac-
percentage of difference). the level of aviation authorities. In the
turers’ philosophy. Some solutions are
scope of this paper, the term designates
optional or provided by third parties, • Risk management as part of continued
which means that the choice remains with Takeoff performance monitoring system
airworthiness, especially from the cer-
the operator. A takeoff performance monitoring system tification authorities’ points of view,
This range of approaches will be wider (TOPMS) monitors the acceleration of the as they were the addressees of various
in the future, and this also raises the issue aircraft during takeoff by comparing the safety recommendations;
of retrofit. performance data entered. The system
• Safety management as defined by
makes it possible to detect an erroneous ICAO in Annex 19. In the context of
Onboard weight and balance system takeoff weight, a degraded aircraft perfor- this investigation, it refers to SMSs to
An autonomous onboard weight and bal- mance, or an abnormal contamination on be implemented by operators and
ance system (OBWBS) provides pilots with the runway. It provides pilots with associ- to SSPs to be implemented by
actual weight and balance information. ated warnings. authorities.
10 • April-June 2019 ISASI ForumThrough new protocol questions recent- • their actions. European Organization for Civil Aviation
ly included in its audit program related In doing so, the BEA pays particular Equipment (EUROCAE). Past initiatives
to Annex 19, ICAO invites SIAs to analyze attention to avoid the following two biases: by manufacturers were reviewed by this
SMSs and SSPs in the scope of the • To limit its analysis to the observation group. In 2013, the working group stated
investigations. that risk management failed. Even if that it was in favor of standardizing such a
the assertion is exact, it could be con- system. It was only at the end of 2015, after
Investigation principles sidered the expression of a retrospec- the serious incident involving F-GUOC,
Like other organizations and authorities, tive bias. that the group was reactivated with the
SIAs have limited resources. It is their • To express a disagreement with a new mandate to define minimum oper-
responsibility to define the scope of their managerial decision based on a value ational performance standards. In the
investigations, taking into account this judgment only (e.g., regarding the meantime, EASA left the chairmanship of
constraint and the lessons that can be acceptability and hierarchy of risks, the group to the industry, thus accepting
drawn for the improvement of aviation choice of mitigation measures, etc.). that it would be less able to control actions
safety. SIAs should understand and accept and timelines.
In this context, SSPs and SMSs are one that decisions are the responsibility Gross error detection/warning
possible line of investigation. The BEA of safety managers (within competent systems—In 2009, in response to safety
authorities, operators, etc.). Inputs recommendations from the U.S. Nation-
does not systematically explore this line
from SIAs are limited to risk analysis. al Transportation Safety Board, the U.S.
but assesses on a case-by-case basis the
relevance of investigating safety man- Federal Aviation Administration (FAA)
agement processes. Detailed criteria for Management of this safety issue by released acceptable means of compliance
this do not exist. Nevertheless, there are aviation until the F-GUOC incident applicable to new airworthiness approv-
situations that raise questions. This is the As mentioned, in the scope of previous als of FMS, including warning systems
safety investigations and safety studies, intended to detect grossly erroneous
case, for instance,
• when the type of event is recurrent, SIAs addressed several safety recom- parameters. However, the FAA decided
potentially catastrophic, and when mendations to certification authorities not to extend them to existing FMSs,
the remaining safety barriers, if they worldwide. Among the listed safety recom- considering that operators’ policies (e.g.,
exist, have a robustness that raises mendations, two concerned OBWBS, six including normal cross-check procedures)
questions. concerned gross error detection/warning were sufficient barriers. For its part, EASA
systems, three concerned TOPMS, and two did not conduct a review of these systems
• when the type of event is potentially
catastrophic and, during the investiga- concerned EFB. as the agency had suggested it would do in
tion, the organizations involved do not EFB—EASA’s work on EFBs resulted in 2011, following the BEA’s recommendation
seem to demonstrate their ability to the publication of Acceptable Means of issued in 2008. However, gradually various
manage the risk effectively. Compliance (AMC) 20-25 in 2014, provid- aircraft and equipment manufacturers,
ing guidance material (risk assessment, based on different approaches, have de-
The BEA’s overall investigation method-
main principles regarding the interface veloped systems to deal with gross errors.
ology aims to identify and analyze safety
design or SOPs, testing program, etc.) to As with the serious incidents involving the
principles that are intended to
operators for their use prior to their imple- F-GUOC and two similar incidents iden-
• prevent an unsafe situation from
mentation or any changes. At the time of tified by the DSB, several accidents and
appearing,
the F-GUOC serious incident, Air France serious incidents among those identified
• ensure recovery from this unsafe by EASA resulted from entering clearly
situation, or had not had the opportunity to refer to
AMC 20-25 for its B-777 fleet, since no erroneous parameters into the FMS, which
• mitigate the consequences of the pos- change was scheduled or being conducted such systems could have detected and
sible subsequent accident. regarding the use of EFBs. brought more clearly to the attention of
In this respect, the investigation of SMS Even if relevant with regard to the the crews.
is consistent with the BEA’s methodology. failures highlighted by the F-GUOC serious TOPMS—From 2006 onward, Trans-
The BEA has not developed a formal incident, AMC 20-25 puts the ball in the port Canada (TC), in response to a safety
method to explore risk-based approaches. operator’s court. Previous safety investi- recommendation issued by the Trans-
In any case, an investigation has to adapt gations and studies have already demon- portation Safety Board of Canada, has
to the specific processes implemented by strated that because of organizational indicated that there was not any suitable
the stakeholders. Bearing in mind the usu- and operational contingencies, operators system to monitor takeoff performance. It
al steps of a safety management process, cannot completely manage the risk alone. has also stated that the industry was the
the only principle followed by the BEA is to Incomplete and ineffective initiatives by best placed to take the lead in developing
explore the consistency between Air France before the serious incident are a TOPMS. The research project established
• the data available to the safety manag- one example. This meant that the BEA had by the TC in 2007 came to a standstill
er/analyst, to pay particular attention to what had in 2009 due to the lack of appropriate
been undertaken (designed, developed, funding. In 2012, in response to a safety
• their implicit reasoning (processing of
data), certified, standardized, or implemented) recommendation issued by the BEA, EASA
with respect to aircraft systems. initiated a dedicated working group under
• their explicit arguments, OBWBS—A working group was initiated the auspices of EUROCAE. The group
• their decisions, and in 2010 by EASA under the auspices of the concluded in 2015 that standardization
April-June 2019 ISASI Forum • 11was not possible. Despite that conclusion, tification and operational standards) on and insufficient.
it should be noted that in parallel Airbus this risk-based approach. However, the largest number ( five) of
started to develop its own TOM system, The use of erroneous parameters at new actions listed by EASA concerned
which meets certain TOPMS criteria. takeoff was one of the first safety issues barriers to be managed by operators. Re-
processed through the SRM process; anal- garding aircraft systems, the list includes
Summary of management of this safety ysis started two months before the serious the continuation of work on OBWBS
issue until the F-GUOC serious incident incident. EASA continued its work in par- and the acknowledgement that work on
The overall approach of the civil aviation allel with the investigation performed by TOPMS had come to a standstill. EASA
authorities regarding the previously men- the BEA. Some of the documents were pro- also suggests that manufacturers should
tioned systems has been to let the industry vided to the BEA during the investigation. improve their FMSs to make them more
decide on both the development and certi- EASA issued specific cautions regarding sensitive to erroneous parameters inputs
fication of advanced systems and to decide their reading, noting that and calculated data, compared to current
whether to standardize. The authorities • the documents provided to the BEA gross error checks.
did not closely monitor the progress made are draft versions; they were not
by the industry regarding design features shared with advisory bodies and Preliminary impact assessment
to better protect against risks associated could not be considered as officially Preliminary impact assessments (PIAs) are
with erroneous takeoff parameters. This validated. new activities that evaluate the impact of
did not allow these authorities to • the SRM process is ongoing; findings actions envisaged by EASA in terms of cost
• influence the timing of the standard- should not be considered definitive. efficiency and implementation time crite-
ization activity, as evidenced by the • the whole process is still in develop- ria. The PIA carried out by EASA in 2016
recent postponements of the con- ment. As an example, data sources for regarding the use of erroneous parameters
clusions regarding the possibility to risk monitoring and assessment are at takeoff was the first one that it had ever
standardize OBWBS. not consolidated. Therefore, quanti- conducted. It was in line with the safety
• encourage the introduction of the tative results have to be considered analysis conducted in 2015. The updated
most effective features, in particular carefully. version provided to the BEA in 2018 was
the retrofit of aircraft systems (e.g., still in draft form.
Nevertheless, the conclusions and
to make the improved warning of the The objective claimed by the agency
findings of this work were directly used to
B-787 available to the B-777). at the beginning of the document was to
define EASA’s action plan on this topic.
• detect that the state of the art had The SRM process designed by EASA reduce the severity level of the risk from
become favorable to the development includes five steps: risk identification, “secure” to “monitor” (“monitor through-
of new and relevant systems (e.g., suffi- risk assessment, determination of safety out the routine database analysis” accord-
ciently mastered technology enabling ing to ARMS methodology).
actions, implementation of safety actions,
Airbus to communicate on the TOM Three actions were listed.
and risk monitoring.
system in 2015). • Action 1: publication of a safety infor-
In March 2015, EASA initiated a review
Work conducted by major aviation and assessment of the safety issue relating mation bulletin (SIB) on the ”use of
authorities, particularly through their han- to the use of erroneous parameters at take- erroneous parameters at takeoff.”
dling of safety recommendations, did not off. It considered 31 investigation reports • Action 2: OBWBS EUROCAE Work-
lead to the F-GUOC being equipped with and several safety studies issued since ing Group 88—on board weight and
sufficiently reliable systems to prevent the 1999. Among the 31 events during CAT balance system.
use of erroneous parameters at takeoff. operations that were listed in this review, • Action 3: EASA Rulemaking Task
The industry had progressively developed there were three fatal accidents (outside (RMT) .0601—improve the use of EFB
more effective systems than those on the EASA member states). with the updated provisions of AMC
F-GUOC, but authorities either seemed Based on these occurrences, EASA 20-25.
to ignore these developments or did not stated that the risk level associated with • To assess the safety benefit of the SIB
consider how their use could be extended this safety issue was “secure” (level 6 out of (Action 1), a survey was conducted by
and what their own role could be in this 10), which corresponded to the following EASA between October and December
respect. definition according to the Aviation Risk 2015. Eighty-six operators answered
Management Solutions (ARMS) Working this survey, reporting 128 occurrences
Since 2015: safety management by EASA Group methodology: “The risk level and during the 2010–2014 period. These
related to erroneous data entry its trend needs to be monitored contin- operators were divided into three
Authorities in charge of rulemaking, uously…in order to prevent escalation to categories:
certification, and continued airworthi- an unacceptable level. Reinforcement of • Category 1: operators without FDM.
ness, as well as safety oversight in other existing measures should be discussed
• Category 2: operators with FDM but
domains, have started implementing ICAO at the next convenient opportunity…and without criteria related to this issue.
Annex 19 requirements regarding safety taking further reduction measures should
management, in particular those related be considered.” • Category 3: operators with FDM and
Moreover, the fact that serious incidents adapted criteria to this issue.
to SSPs. EASA has recently designed and
implemented a new process called safety and accidents continue to occur almost Based on the comparison between
risk management (SRM). EASA has also every year means, according to EASA, that operators in Categories 2 and 3, EASA
restructured to organize its activities (cer- the current risk barriers are inadequate concluded that an operator could reduce
12 • April-June 2019 ISASI Forumthe number of incidents of this nature by EASA recalled that among the risk mitiga- of possible levers. As a last recourse, the
at least 70 percent with an adequate FDM tion measures that can be implemented promotion of aircraft systems related
system. Data collected through this first are systems such as OBWBS or systems to to identified safety issues has to be
survey was considered not sufficiently detect gross errors in the values entered. It systematized.
reliable by EASA to complete the com- has to be noted that the development and
parison. The BEA agrees with EASA on the availability of these systems is not the Summary of postserious incident safety
the difficulty of estimating safety benefits responsibility of the operators to which management by EASA
based on such a dataset. However, the BEA the SIB is addressed. Nevertheless, this The BEA fully understands that aviation
believes that this incomplete reasoning is a first step to promote technology, and authorities and the industry set priori-
may have led to an overestimation of the it would benefit from more details about ties, even and especially when it comes
overall safety benefit of the SIB. Indeed, the products available for each aircraft type. to dealing with safety issues. In this, the
data collected through the survey indi- above observations must be considered
cates that many operators estimate they European Risk Classification Scheme with reference to the priority level of this
already have an adequate FDM system and More recently, this safety issue (use of particular safety (No. 23 in the CAT airlines
that their contribution to the total number erroneous parameters at takeoff) was portfolio).
of commercial flights is 80 percent. As a assessed by EASA through the European However, overestimating the capac-
result, based on this data the overall bene- Risk Classification Scheme (ERCS). Ac- ity of operators and crews to preclude
fit for the SIB would be 14 percent. Even if cording to this work, the “entry of aircraft gross parameter errors by relying only on
not accurate, this is an order of magnitude performance data” is not a priority as it is procedural barriers could compromise
that questions the impact of measures to ranked as the 23rd safety issue. It is not up the assessment of the priority level of this
be implemented by operators, and EASA to the BEA to challenge the prioritization risk, the intended safety benefit for the
should take this into account. In compar- of risks. However, the BEA in its safety SIB, and therefore the consistency of the
ison, EASA estimated the safety benefit of study released in 2008, other SIAs, and action plan. For these reasons, it could be
the OBWBS at 50 percent. EASA have already pointed out the fragility reasonable not to wait for the SIB perfor-
On a scale of 0 (low) to 10 (very high), of operational barriers against errors that mance monitoring and for the unknown
the cost of publishing the SIB was assessed occur frequently and that could have cat- future conclusions of the EUROCAE
at 3, and the implementation time was astrophic outcomes. The F-GUOC serious working group regarding OBWBS prior
assessed to be two years. EASA could incident is an additional confirmation. The to drawing up a wider action plan. In this
not assess the cost and the time for the ERCS score is based on these three criteria. respect, it would be necessary to assess the
implementation of OBWBS because these In the future, in order to convince avia- potential benefits of the different technol-
parameters depend on the results of the tion stakeholders, EASA could describe ogies among those available or to come.
EUROCAE working group, which was still its methodology to both assess individual Then an informed decision could be made
preparing the specifications at the date of occurrences and to aggregate each occur- in coordination with each type certificate
publishing the investigation report. The rence assessment to arrive at a global score holder regarding the most appropriate
timing of the associated RMT.0116 has for a safety issue. technology(ies) for the types of aircraft. In
been revised (postponed) several times in this respect, the BEA will address several
recent years. Certification of the Airbus-designed TOM safety recommendations to EASA to be
The third action (EFB) was not assessed system for the A380 coordinated appropriately with the FAA
in the first versions of the PIA. As noted, the TOM system was certified and other certification authorities.
EASA has temporarily concluded that by EASA for the A380 in February 2018.
the SIB to alert operators and flight crew Regarding this improvement, EASA ex-
Conclusion
of operational mitigation measures would plained that
By focusing on and investigating the
be the most cost-effective measure. In the • since the risk level does not reflect an
safety management performed by aviation
event that it does not lead to the expected “unsafe condition” as defined in AMC
21.A.3B(b) related to Regulation (EU) authorities, the intention of the BEA was
outcome ( following a monitoring assess- not to lead to a situation in which there
ment), the regulatory action on the devel- No. 748/2012, such a system could not
be made mandatory (i.e., by an airwor- was less commitment from crews and
opment of specifications for the OBWBS operators. The immediate conclusions of
thiness directive).
could be the second-preferred option, once the investigation refer to human errors and
the EUROCAE working group has con- • calling for a standardization direct-
to the poor effectiveness of the operator’s
firmed the feasibility of such specifications. ly based on this existing product is
impossible since it would create a SOPs. New systems (standardized or not)
Based on this action plan, EASA estimat- should be considered as complementary
ed that the remaining risk would be at the competitive advantage to one manu-
facturer detrimental to the market. safety barriers only, meaning that efforts
“monitor” level. have to be made locally to improve safety.
EASA published the SIB “use of erro- • organizing the promotion of this new-
However, the F-GUOC serious incident
neous parameters at takeoff ” on Feb. ly certified system had not yet been
again highlights that flight preparation is
16, 2016. The objective of the SIB was to considered.
prone to errors at multiple points and that
increase the awareness of operators and This tricky situation highlights the need the operators should not be considered as
competent authorities with respect to the for aviation authorities to closely monitor able to manage the risk completely alone.
safety issue of using erroneous parameters the early progress made by industry so
at takeoff and to manage this safety issue. that they preserve the maximum number (Continued on page 30)
April-June 2019 ISASI Forum • 13You can also read
