warsaw airbus accident
TRANSCRIPT
Warsaw aircraft accident, 1993 Slide 1
Warsaw airbus accident 1993
Ian Sommerville
Warsaw aircraft accident, 1993 Slide 2
What happened• A Lufthansa Airbus on a flight from
Frankfurt landed at Warsaw Airport in bad weather (rain and strong winds)
• On landing, the aircraft’s software controlled braking system did not deploy when activated by the flight crew and it was about 9 seconds before the braking system activated
Warsaw aircraft accident, 1993 Slide 3
• There was insufficient runway remaining to stop the plane and the aircraft ran into a glass embankment
• Two people were killed and 54 injured
Warsaw aircraft accident, 1993 Slide 4
Causes of the accident• As with most accidents, there were multiple
factors that contributed to this accident. The three main contributory causes were:
– The aircraft pilots were given outdated information on the wind speed and direction by the landing controllers
– The aircrew failed to notice that the on-board information about the wind direction was inconsistent with that provided by the controllers and that their approach speed was higher than recommended
Warsaw aircraft accident, 1993 Slide 5
• The aircraft braking control software specification had failed to take into account the landing conditions encountered
Warsaw aircraft accident, 1993 Slide 6
Focus on software
• The braking control system on the Airbus behaved exactly as specified
• There were no bugs or errors in the software
• This is an example of a situation of where a reliable software system was unsafe
Warsaw aircraft accident, 1993 Slide 7
Aircraft braking• Aircraft braking depends on
deployment of spoilers which are flaps on the wings that are deployed to slow down the plane
• It also makes use of ‘reverse thrust’ which means that the engines are run ‘backwards’ so that their effect is to counter the speed of the aircraft
Warsaw aircraft accident, 1993 Slide 8
• It is critical to the safety of the flight that neither the spoilers nor the reverse thrust is deployed while the plane is in the air
• Therefore, the braking system software includes checks to ensure that the plane has landed before the braking system is deployed
Warsaw aircraft accident, 1993 Slide 9
Weight on wheels
• The landing gear includes sensors that can detect if the wheel struts are compressed i.e. that there is weight on the wheels.
• The software specification was that landing could be recognised if there was weight on both wheels
Warsaw aircraft accident, 1993 Slide 10
Wheel rotation
• Each wheel included sensors that checked whether the wheel was rotating or not.
• The software specification was that the aircraft had landed if the speed of wheel rotation was greater than 72 knots
Warsaw aircraft accident, 1993 Slide 11
• The braking system could be deployed if either of these conditions were true
• This was checked by the braking system control software
Warsaw aircraft accident, 1993 Slide 12
• The software specification did not anticipate a situation where neither of these conditions would hold during landing
IF weight-on-both-wheels OR (left-wheel-turning OR right-wheel-turning) THEN
braking-system-deployment := permitted
Warsaw aircraft accident, 1993 Slide 13
• In this case, because of the weather conditions, the plane landed at an angle so that one wheel touched the runway first
• The runway was wet and that wheel ‘acquaplaned’ so skidded along the runway without turning
Warsaw aircraft accident, 1993 Slide 14
What went wrong?• The pilots were told that there was a
crosswind across the runway
• Standard procedure for a crosswind landing to bank the aircraft so that initial touchdown is on one wheel and the crosswind then acts on the wing to push the other wheel onto the runway
Warsaw aircraft accident, 1993 Slide 15
• However, in this case, the wind had changed direction so that it was a tailwind rather than a crosswind
• This meant that the landing speed was higher than normal and there was no need for a single wheel touchdown
This was not noticed by the pilots and the higher speed was a contributory factor to the accident
Warsaw aircraft accident, 1993 Slide 16
Warsaw aircraft accident, 1993 Slide 17
Warsaw aircraft accident, 1993 Slide 18
• The Warsaw Airbus landed on one wheel but there was no crosswind to push down the other wheel so, for 9 seconds, the plane was landing on a single wheel
• Because there was only weight on a single wheel, the on-ground condition of weight on both wheels in the braking system did not hold
Warsaw aircraft accident, 1993 Slide 19
Acquaplaning
Warsaw aircraft accident, 1993 Slide 20
• The single wheel on the ground was acquaplaning rather than turning so the condition that one or both wheels should be rotating at more than 72 knots did not hold
• After about 9 seconds, the 2nd wheel made contact with the runway and the braking system deployed
• But it was too late to stop the aircraft and the accident occurred
Warsaw aircraft accident, 1993 Slide 21
Warsaw aircraft accident, 1993 Slide 22
Conclusions• In practice, it is impossible to make any
system completely safe
• It is impossible for system designers to anticipate every possible condition and they have to make assumptions such as the pilots being given correct wind information
• No blame in this case was associated with the software but it was modified to take this particular situation into account should it happen again