In recent years there have been developments in guidance materials for system development processes and research into new approaches for system safety assessments. However, there has been limited research that has systematically evaluated how design engineers and safety analysts conduct their evaluations of systems, and how the design of their tasks, tools, training and guidance material can be improved so that the likelihood of design errors is minimised.
The LTN-101 air data inertial reference unit (ADIRU) model had a demonstrated susceptibility to single event effects (SEE). The consideration of SEE during the design process was consistent with industry practice at the time the unit was developed, and the overall fault rates of the ADIRU were within the relevant design objectives.
Although passengers are routinely reminded to keep their seat belts fastened during flight whenever they are seated, a significant number of passengers have not followed this advice. At the time of the first in-flight upset, more than 60 of the 303 passengers were seated without their seat belts fastened.
One of the aircraft’s three air data inertial reference units (ADIRU 1) exhibited a data-spike failure mode, during which it transmitted a significant amount of incorrect data on air data parameters to other aircraft systems, without flagging that this data was invalid. The invalid data included frequent spikes in angle of attack data. Including the 7 October 2008 occurrence, there have been three occurrences of the same failure mode on LTN-101 ADIRUs, all on A330 aircraft.
The existing take-off certification standards, which were based on the attainment of the take-off reference speeds, and flight crew training that was based on monitoring of and responding to those speeds, did not provide crews a means to detect degraded take-off acceleration.
The lack of a designated position in the pre-flight documentation to record the green dot speed precipitated a number of informal methods of recording that value, lessening the effectiveness of the green dot check within the loadsheet confirmation procedure.
Operation of the M-18A in accordance with Civil Aviation Safety Authority exemptions EX56/07 and EX09/07 at weights in excess of the basic Aircraft Flight Manual maximum take-off weight (MTOW), up to the MTOW listed on the Type Certificate Data Sheet, may not provide the same level of safety intended by the manufacturer when including that weight on the Type Certificate.
The operator’s training and processes in place to enable flight crew to manage distractions during the pre-departure phase did not minimise the effect of distraction during safety-critical tasks.
The failure of the digital flight data recorder (DFDR) rack during the tail strike prevented the DFDR from recording subsequent flight parameters.
A number of operators of the PZL M-18 Dromader aircraft had not applied the appropriate service life factors to the aircraft’s time in service for operations conducted with take-off weights greater than 4,700 kg, as required by the aircraft’s service documentation. Hence the operators could not be assured that their aircraft were within their safe service life.
The lack of a requirement for a charter-specific risk assessment in this case meant that the risks associated with the charter were not adequately addressed.
The procedural and guidance framework for commercial balloon operations in general did not provide a high level of assurance in regard to the safe conduct of low flying.
The Society of Automotive Engineers specification AS7477 was ambiguous in relation to the requirement to cold roll the head-to-shank fillet radius of MS9490-34 bolts.
A number of non-cold rolled bolts were installed on PT6A-67 series engines during manufacture and overhaul.
The scheduled maintenance requirements for ex-military UH-1 series helicopters may not adequately address the increased risk of fatigue failures associated with repetitive heavy lifting operations that were not considered in the original design fatigue calculations.
There was no correlation between the results of the operator’s Flight Operational Quality Assurance and Air Safety Incident Report investigations.
There were no soft and hard triggers in the operator’s Flight Operational Quality Assurance system to monitor the selection of the aircraft’s landing gear during an approach.
The conflicting requirements and definitions in the operator’s publications in relation to the pilot not flying role had the potential to diminish the importance of monitoring as an essential element in an aircraft’s safe operation.
Windshields manufactured with terminal block fittings containing polysulfide sealant (PR1829) have been shown to be predisposed to premature overheating failure that could lead to the development of a localised fire.
The aircraft maintenance manuals did not include the operating specifications of the replacement cabin altitude warning pressure switch, hampering the required verification of switch serviceability.