Pilot Error Led to Fiery Crash, But System Logic Didn’t Help

As the building into which they were about to crash filled the windscreen, the two pilots of the TAM A320 probably did not realize that one of their throttles was in CLIMB while the other was in REVERSE.

The TAM Linhas Aéreas A320 was landing 17 July 2007 at Brazil’s Congonhas airport after a flight from Port Alegre at about 7 p.m., and the runway was slick from rain. The aircraft veered to the left near the departure end, crossed a boulevard and hit a gas station and then plowed into a TAM air cargo service building.

Burning wreckage of TAM A320 and cargo building.

Burning wreckage of TAM A320 and cargo building.

All 187 persons aboard were killed, plus 12 people in the building. The airplane’s No. 2 engine reverser was de-activated, in accordance with the Minimum Equipment List (MEL), due to a leak in the inner actuator. However, even without the thrust reverser, the airplane should have been able to stop. But with the No. 2 engine throttle set to CLIMB power, the overrun was inevitable.

Brazil’s Aeronautical Accident Investigation and Prevention Center (CENIPA) just recently released its final report. It goes well beyond the cockpit to cut a wide swath of causes for the tragedy:

— The airline was in a period of rapid growth from 2003-2007: a 30% increase in the number of aircraft, 110% more flight hours, 115% growth in the number of pilots.

— The first officer had less than 200 hours in the A320. Crew Resource Management between the captain and the first officer was poor to nonexistent. During previous flights, five different procedures for landing with a deactivated reverser were used.

— There was internal pressure on the pilots not to divert to alternate airports because of “the consequences to the company’s image before the passengers.”

— The airline had only 21 people dealing with safety issues, as compared to 900 in maintenance. Safety was regarded by the flight crews as “a not very active sector.”

— There was no systemic evaluation of training, most of which was outsourced.

— Simulator training was done by the Operations department, disconnected from the remainder of instruction conducted by the Training department.

— The airport did not have an adequate (per international regulation) runway safety area beyond the tarmac.

— The regulator’s “inappropriate or absence” of oversight of TAM’s operation led to uncorrected problems.

— Manufacturer Airbus was deficient in its design of the A320 fly-by-wire aircraft. Specifically, according to the CENIPA report:

“It was verified that, for the A320 airplane proceeding to land, it is possible to place one of the thrust levers at the ‘REV’ [reverse] position and the other at ‘CL’ [climb], and no alerting device will advise the pilots in an efficient way. This situation may put the aircraft in a critical condition and, depending on the time it takes the crew to identify this configuration, and on the runway parameters, a catastrophic situation may occur.”

In the case of this accident, Airbus’ design of the throttle system bears examination. According to the regulations for certification, “Under all anticipated operating conditions, the airplane shall not possess any feature or characteristic that renders it unsafe.”

And the A320 is described by pilots as a steady, predictable flying machine.

But there are quirks. One is the possibility of inadvertently setting the thrust levers at cross purposes. This situation was evidently not “anticipated” (per the regulation) during the design and certification phase. Yet this has happened repeatedly, with Airbus, Boeing and McDonnell Douglas designed airliners. There have been at least 11 events since 1983. As the CENIPA report noted:

“Two are worth being highlighted, on account of the similarities to the [TAM A320] accident … the ones of Bacolod (Philippines – 1998) and Taipei (Taiwan – 2004). In both cases, the pilots were operating an A320 with the reverser of one of the engines deactivated and, during the landing, they kept the thrust lever of that engine in the ‘CL’ position, reducing only the thrust lever of the other engine to the ‘IDLE’ position and later to the ‘REV’ position. At that time, neither aircraft possessed in its FWC (Flight Warning Computer) a routine to alert the crew about any inadvertent positioning of the thrust levers.”

Following the 2004 event, Airbus developed what is referred to as the H2F3 standard, alerting the pilots to a thrust lever above IDLE during the landing. According to the French accident investigation bureau (BEA) comment in the CENIPA report:

“This situation, which had not been foreseen during certification [by the French, we should add] thus became foreseeable. In this case, two corrective actions were taken by Airbus:

— The development of the FWC (H2F3) standard to ensure triggering of a specific warning with an ECAM [Electronic Caution Alert Module] ‘ENG X THR LEVER ABV IDLE’ message.

— An operational change requiring that crews position the two thrust levers in the REV detent. This procedure prevents any inappropriate action on the thrust levers.”

TAM had not implemented these changes. Why not? Because Airbus issued them via service bulletin, which does not require adoption. If the French (and then Brazilian) regulator had issued an airworthiness directive (AD) requiring implementation of the H2F3 and crew standard, the accident might have been avoided.

As the CENIPA report indicated, the TAM A320 was not upgraded:

“Thus, the H2F3 standard represented only an improvement offered by the manufacturer through a service bulletin to all A320 operators. It was up to each one of them to decide either for its implementation (handling the respective costs) or not.”

Given the turbulent conditions at TAM, an optional service bulletin went ignored. Here’s the price of too-rapid growth and two few safety people and poor oversight.

CENIPA issued the following recommendation:

“(173/A/07) … require that the aircraft designs already certified and the aircraft designs in process of certification have their power control systems and their warning systems optimized, so as to allow the identification of the conditions in which the thrust levers are incorrectly positioned during critical phases of flight.”

Whether this recommendation will be implemented beyond the optional H2F3 standard is questionable. The BEA clearly does not see more action as necessary: “The incorrect positioning of the thrust levers cannot be considered a [system] failure since it results from an action by the crew.”

If the outcome is nil regulatory and certification reform, the question arises: at what point does inaction become negligence and an accident become culpable homicide? The TAM A320 accident may not result in any mandatory hardware or software changes (beyond the reactive H2F3 Band-Aid) despite 199 deaths. Given the extensively-documented history of this identical scenario, is this outcome acceptable?