When developing the A330/A340 flight control primary computer software in the early 1990s, the aircraft manufacturer’s system safety assessment and other development processes did not fully consider the potential effects of frequent spikes in the data from an air data inertial reference unit.
One of the aircraft’s three air data inertial reference units (ADIRU 1) exhibited a data-spike failure mode, during which it transmitted a significant amount of incorrect data on air data parameters to other aircraft systems, without flagging that this data was invalid. The invalid data included frequent spikes in angle of attack data. Including the 7 October 2008 occurrence, there have been three occurrences of the same failure mode on LTN-101 ADIRUs, all on A330 aircraft.
For the data-spike failure mode, the built-in test equipment of the LTN-101 air data inertial reference unit was not effective, for air data parameters, in detecting the problem, communicating appropriate fault information, and flagging affected data as invalid.
In recent years there have been developments in guidance materials for system development processes and research into new approaches for system safety assessments. However, there has been limited research that has systematically evaluated how design engineers and safety analysts conduct their evaluations of systems, and how the design of their tasks, tools, training and guidance material can be improved so that the likelihood of design errors is minimised.
The implementation of Patrick Terminal’s safety management system resulted in an environment where Patrick Terminal management and stevedores were disconnected in relation to the management of some of the day-to-day workplace safety risks. As a result, there was little ownership of the safe work instructions by the stevedores, and some of the more experienced stevedores were probably no longer aware of the risks posed to them when they undertook unsafe ‘workarounds’ in the workplace and these were not identified by Patrick management.
Patrick Terminals’ risk assessment process for lashing and unlashing operations had not anticipated a fatal accident resulting from being struck by items falling from a portainer or cargo, or from being struck by a moving container. As a result, while the appropriate risk control for this occurrence had been covered during employee training, this was not reinforced in safe work instructions, an important risk control measure.
The culture which existed in the Patrick terminal did not encourage the reporting of non-compliances or unsafe acts. Consequently, two critical parts of an effective safety system, which had a direct impact upon its ability to effectively manage safety in the terminal, the ‘reporting’ culture and the ‘just’ culture, were either not present or were misunderstood in Patrick’s safety system.
Although passengers are routinely advised after takeoff to wear their seat belts when seated, this advice typically does not reinforce how the seat belts should be worn.
Single event effects (SEE) have the potential to adversely affect avionics systems that have not been specifically designed to be resilient to this hazard. There were no specific certification requirements for SEE, and until recently there was no formal guidance material available for addressing SEE during the design process.
The recognised safe practice of not working under or near a container being loaded is not well reflected in national and international guidance published to assist container terminal operators in developing their own safety policies and guidelines.
The existing take-off certification standards, which were based on the attainment of the take-off reference speeds, and flight crew training that was based on monitoring of and responding to those speeds, did not provide crews with a means to detect degraded take-off acceleration.
The operator’s training and processes in place to enable flight crew to manage distractions during the pre-departure phase did not minimise the effect of distraction during safety critical tasks.
Operation of the M-18A in accordance with Civil Aviation Safety Authority exemptions EX56/07 and EX09/07 at weights in excess of the basic Aircraft Flight Manual maximum take-off weight (MTOW), up to the MTOW listed on the Type Certificate Data Sheet, may not provide the same level of safety intended by the manufacturer when including that weight on the Type Certificate.
A number of operators of the PZL M-18 Dromader aircraft had not applied the appropriate service life factors to the aircraft’s time in service for operations conducted with take-off weights greater than 4,700 kg, as required by the aircraft’s service documentation. Hence the operators could not be assured that their aircraft were within their safe service life.
The lack of a designated position in the pre-flight documentation to record the green dot speed precipitated a number of informal methods of recording that value, lessening the effectiveness of the green dot check within the loadsheet confirmation procedure.
The failure of the digital flight data recorder (DFDR) rack during the tail strike prevented the DFDR from recording subsequent flight parameters.
The lack of a requirement for a charter-specific risk assessment in this case meant that the risks associated with the charter were not adequately addressed.
The procedural and guidance framework for commercial balloon operations generally did not provide a high level of assurance in regard to the safe conduct of low flying.
A number of non-cold rolled bolts were installed on PT6A-67 series engines during manufacture and overhaul.
The Society of Automotive Engineers specification AS7477 was ambiguous in relation to the requirement to cold roll the head-to-shank fillet radius of MS9490-34 bolts.