A Blunder Down Under
In a modern jetliner’s computer, the capability to move waypoints can lead to dangerous deviations from safe flight paths. Just such a subtle “pilot trap” occurred on a Virgin Australia B777 with 272 passengers aboard during an approach to land at Melbourne airport after a long 15-hour flight from Los Angeles.
The ATSB concluded:
“This occurrence highlights the factors that can influence the accuracy of data entry in critical systems and any associated checks. In addition, it reinforces the importance of monitoring descent profiles, irrespective of any expectation that the descent is being appropriately managed by the auto-flight system, and taking appropriate action when a deviation from the desired profile is detected.” (Emphasis added)
Due to the flight’s wearying length, the two-person cockpit crew was augmented by two other relief pilots.
For the descent and landing at Melbourne, the captain decided he would be the handling pilot, with the first officer monitoring. The captain, with over 6,000 hours of experience in the B777, determined that the airplane’s automated systems would fly the descent to the runway 34 threshold (runway 34 being the longer of Melbourne’s two runways). He programmed various waypoints into his control display unit (CDU). The cockpit is equipped with two CDU’s, one for each pilot.
With these waypoints, the airplane’s computer (the flight management system, or FMS) will calculate commands for control of the flight path. The autopilot was set to fly the airplane right down to the runway threshold, and the captain would then take over for the last few moments of flight before touchdown.
The captain selected the runway waypoint — RW34 — from the data base. RW34 had an altitude setting of 380 feet.
So far, so good.
The captain then entered a runway extension of 2.8 NM to better align the airplane with the runway center line for landing. When he did so, the FMS created a waypoint reflecting this extension and labeled it RX34 (to distinguish it from RW34 at the threshold).
Instead of setting the RW34 waypoint for an altitude of 380 feet above sea level, the captain inadvertently programmed that altitude for RX34. As a result, the autopilot would fly a steeper approach to intercept RX34 at 380 feet, instead of RW34 at 380 feet.
The first officer noticed that the expected glide path angle for the final legs of the approach were not displayed. Not to worry, the captain advised; for a manually-constructed approach, the expected glide path was not displayed.
The first officer missed the wrong altitude entry for RX34.
When the first officer took a break, one of the relief pilots assumed his seat and double checked all the captain’s entries for the approach. He also missed the incorrect altitude for RX34.
Then, during the descent to land, the captain was so preoccupied with activities inside the cockpit he had to be advised by the first officer that they were mighty low and that the precision approach path indicator (PAPI) lights at the runway were showing red — indicating that the airplane was well below the safe 3-degree glide path (the lights would have shown white for a descent above the 3-degree slope desired).
- Why did programmers who designed the system set up a situation where the new waypoint was only one letter different from the approved waypoints in the airport landing diagrams? Better to have a waypoint like AA34 to represent such an artificial and temporary point in the sky.
- Where were the checks and balances? The captain apparently entered all of the data in his CDU, with no announcement and confirmation by the first officer. For example:
Captain: Entering runway extension of 2.8NM.
Captain: Waypoint RX34 created.
Captain: RX34 altitude set at 380 feet.
- Why wasn’t the cockpit designed so that both pilots were required to enter the approach and landing information on their respective CDU’s, with differences in entries highlighted immediately?
- Why wasn’t the cockpit instrumentation designed so that a manually constructed approach was displayed, the same way as is the case — according to the captain — for a computer constructed approach? With movable waypoints, the likelihood of error is greater — all the more reason for displaying the approach.
- Finally, the captain was so preoccupied inside of the cockpit that the first officer had to call his attention to the red PAPI lights. Isn’t an instrument scan, plus being cognizant of the outside environment, the essence of good situational awareness? 6,400 hours of B777 flying experience, 12,000 flying hours in total, and the captain had to be advised that the PAPI lights at the runway threshold were showing red.
- Computers still require humans to enter correct data. As the saying goes, “Garbage in, garbage out”. In this case — too low an altitude entered IN, too steep a glide path OUT.
- The ATSB found that this event was not a “one off”. In January 2013, an Embraer RJ-170 on a scheduled passenger flight out of Darwin started diverging from its planned track. Apparently, the cockpit crew did not notice the deviation until advised by air traffic control. The crew had unintentionally missed a waypoint during data entry, so the autopilot simply flew to the next waypoint. As the ATSB observed, “The crew’s cross-checking processes were not effective in identifying the data input error.”
What the ATSB did not mention was obvious to this layman: ineffective cross-checking is rampant, and someday this will kill a planeload of people. Data entry should require simultaneous keystrokes by both pilots, with verbal announcement and confirmation, and the computer screens should highlight in glowing red any differences to the data just entered.
If all this data entry detracts from eyeballs looking outside of the cockpit, then all of the keystrokes should be completed before takeoff. If changes to the plans occur in flight, don’t dwell on revised data entry — just hand-fly the airplane. Data entry is not part of the definition of good airmanship, which is still regarded as the skill to competently fly the airplane to its landing destination without relying on still vulnerable cockpit computer systems.
To learn more about how Nolan Law Group can represent you, contact the firm today online or call 312.630.4000.