Had the crew contacted maintenance as required by the checklist, they would have been told to power down the airplane and restart it, clearing the errors that had been set during the aborted takeoff.
They should have rebooted the airplane? Rebooting servers at work is something I do quite frequently. Never thought that would extend to aircraft.
1 reply
“Rebooting servers at work is something I do quite frequently. Never thought that would extend to aircraft.”
It does, indeed, in the Challenger 300, which is highly automated with over 120 microprocessors involved. Essentially, virtually everything electronic in the 300 is connected to virtually everything else electronic in the 300, which creates the opportunity for problems to cascade from system to system.
In this case, the problem was driven by the fact that the rudder limiter relies on airspeed data from the air data computers (ADC) fed to it through the horizontal stab trim electronic control unit (HSTECU). Since the right ADC was only detecting about 4 knots of airspeed through the seams of the right primary pitot-static tube cover, and the left ADC was sensing over 90 knots, a miscompare state was created during the first takeoff attempt and the fault sent to other boxes in the airplane, including the HSTECU. Once a fault latches in the HSTECU, it can only be cleared by a complete electrical power-down including disconnecting the batteries for a minimum of five minutes and perhaps as much as thirty minutes. And that’s why a RUDDER LIMITER FAULT advisory in the Crew Alerting System (CAS) can indicate problems with the primary pitch trim and autopilot as well as the rudder limiter. Hence, an unextinguished RUDDER LIMITER FAULT is a “NO GO” item, and also why CL300 crews are required to check that GO/NO GO list for any unextinguished CAS message on the ground before attempting a takeoff even if they’ve already done the steps for that condition in the Quick Response Handbook but the message remains.
This message is entirely my own and does not reflect that of any other organization or agency.
1 reply
A control alt delete button has been needed ever since day one of 1st generation “highly” automated airplane arrivals on the scene somewhere in the late '90s and early 2000s. Unfortunately rebooting during my time in the industry always required going down to a completely dead airplane. Probably still does.
@rblevy appreciate the information.
It frankly leaves me uncomfortable. A crew having to shut down an airplane and let it sit for 5 to 30 minutes to achieve a reboot? That simply does not seem to enhance safety. Anything from weather windows, air traffic density, and more can change in 30 minutes, not to mention the get there pressure.
I would like to better understand the approach the aviation industry is taking towards complex software systems, and also software human factors considerations. As a former software developer, I spent my early career writing software, and was later responsible for large high reliability projects with extensive bug lists, associated CMS and MMS systems, and too many instances where despite us, fixing one bug caused another.
Now, I try to keep up with my iPhone. (This includes its surprising loss of its passcode last year - which despite all the claims of security, was met with a shrug by Apple!)
I fly mostly 1960s era airplanes. I work to help our community fly safe.
The large number of near misses from issues with avionics upgrades led us to set up a meeting with a wonderful and knowledgeable former avionics shop manager, now at a local FSDO. The FAA is finally making reporting of these kinds of avionics unsafe situations mandatory.
Russ, thanks for the efforts to keep us all informed. I don’t know about others, but would appreciate any news you come across on issues with software systems and especially human factors related to software systems. Too many accidents or near accidents in big airplanes seem to me to be related to non-pilot decision making on the software side.
1 reply
One passenger said that he had the impression that she’d just used the lav, which was next to her seat.
I understand what you’re saying, but the fact is that computer systems cannot be completely reset with certainty without complete power removal plus allowing time for residual charges to dissipate before power is reapplied. Just ask your friendly computer support tech about that when you are asked to not only “Power Off” rather than just “Restart”, but also to pull the plug from the wall for 10-30 seconds before plugging back in and pushing the “start” button. It would certainly be nice if we had one little “Complete Reset” button in the cockpit that would instantly take everything back to zero, but these are issues of electrophysics, and in the words of Starfleet Captain (Engineering) Montgomery Scott, “Ye cannae change th’laws o’physics, Captain.”
As for the issue of the passage of time resulting in changes in the weather or traffic situation, I think your comment relating that to “get-there-itis” is quite appropriate. Short-cutting procedures in order to save time is exactly how those two pilots killed their passenger. To my thinking, if one cannot subordinate one’s urge to get there quickly to one’s commitment to safety, one has no business in the cockpit. For more on Safety Culture, check the FAASTeam website for January’s Topic of the Month webinar on just that subject, which will be available at various times on various days all that month (including 7pm EST, January 14).
The report indicates that this pilot was in the habit of leaving the Smoking/Belts sign on all the time on all flights, and that the passengers were used to that. This practice apparently inoculated them to the importance of strapping in when the BELTS light was on, and the report indicated the passengers were in the habit of unstrapping whenever they felt it was OK without consulting the flight crew, and apparently the crew allowed this “normalization of deviance.” This is an insidious progression of acceptance of violation of normal procedures and safety standards so that eventually, all parties involved become inured to it.
At the end of the day, it’s up to the flight crew to enforce safety rules on their passengers even if those passengers are paying the pilots’ salaries. In air carrier operations, the crew can tell passengers that failure to obey crew instructions can result in the disobedient passenger ending up in handcuffs, but for corporate pilots, that’s a shaky tightrope to walk. I guess that’s an issue of teaching professional pilots tact and diplomacy so they can get their passengers to do things that protect those passengers from their own folly without losing their jobs.
The thing to remember about this accident is that there was never anything wrong with the aircraft. The crew screwed this up starting with an incomplete preflight and continued throughout the flight with mistake after mistake. They displayed a significant lack of knowledge of aircraft systems, disregarded company procedures and displayed poor crew communications and coordination. Flying with the A/P on while trying to solve a pitch trim problem was the icing on the cake.
A lesson for all. On any aircraft from a cub to a 787, nothing beats the final walkaround before jumping in the cockpit.