I describe two engineering issues below. In both cases, I start with what is shown in the video and wiki article because they tend to describe the safety expectation before the accident occurred. Those expectations changed during the
Brazilian investigation and NTSB reporting shown here. Although that NTSB report reveals additional information, it is often vague, ambiguous, and refers to electrical schematics that are not available online.
Issue 1:
This accident reflects an engineering mistake related to the potential failure analysis that is not clearly shown in the video or the wiki page.
I have run into it a few times in my career - and, of course, I always called it out.
The potential failure modes are described in a page of the training manual shown at 35:29 in the video. For a accidental thrust reverser deployment during takeoff, the odds are reported as 1 in 100,000,000,000 (one hundred billion) per event.
Later, at video 35:48, it shows accidental deployment at once per 1,000,000,000 (once per billion) flight hours.
And the video reports: "A failed sensor disables the lock on the right side thrust reverser". The sensor is elsewhere described as a Flight/Ground sensor. It is probably a weight-on-wheels sensor.
So, let's check out the arithmetic to see if there is anything awry with these assertions.
** Per
https://atag.org/facts-figures, there were "35.3 million scheduled commercial flights" in 2023. That's consistent with Google AI estimate of 100,000,000 ATP flight hours per year. That number sounds like the MTBF (Mean Time Between Failure) specification for a component - in this case the Flight/ground sensor. But apparently, the airspeed also factors into the reliabilty. A 200kt value is shown in documents caught in the video and is also mentioned in the NTSB reporting.
** Also apparently, there is one sensor per thrust reverser. This makes sense, we wouldn't want both engines to fail at the same time. Most commercial have 2, some larger planes have 4. So, these sensors accumulate roughly 250,000,000 hours per year.
** We should expect about one such failure every 4 years.
In rough terms, these numbers are workable. If I had to guess, the MTBF of 1,000,000,000 hours is probably optimistic and the NTSB report suggests that were revised by the manufacture after the accident. Still, such an event would be "rare" but inevitable.
The next step in the arithmetic is where this "Issue 1" comes to play. They go from a 1,000,000,000 hours MTBF to 1 failure per 100,000,000,000 take-offs. The take-off phase would be the most dangerous time to have this kind of failure. This failure combined at a higher altitude would provide ample time for the pilots to work out what was happening.
So, what is critical is a failure during takeoff - roughly 1% of the flight - if that much. Hence 1 take-off failure per 100,000,000,000 take-offs. That value, combined with the number of flights per year (above) suggests that we would be seeing this take-off scenario about once every four centuries - providing that this kind of technology remains popular for that long. Combined with issue 2 (below), it was certainly reasonable to find more productive uses of the pilots training time.
And if that determination sounds sensible to you - all I can say is "GOTCHA!".
Because that unlikely failure isn't what happened. The calculation of 1:100,000,000,000 was accurate - but it's the wrong number - it doesn't apply to this accident.
The flight was only minutes in length, but the Flight Data recorder had hours of information on it.
As
reported by the FAA (under "Accident Board Finding"): "The investigation noted that the flight data recorder showed the reverser failure was beginning on previous flights and was recorded, but the prior crews were unaware because it did not affect performance. On these prior flights it was concluded that the electrical failure prevented the flight deck alert from appearing."
So, the issue is this: If BT ("Bad Thing") only happens when A, B, C, and D occur at the same time, you may be tempted to calculate the probabilities as pBT = pA x pB x pC x pD. But each A, B, C, or D that can happen without being fixed, doesn't count. A common example of this is when you provide an emergency back-up system - with no way of continuously checking that back-up.
Issue 2:
Another factor in this accident is that the failure mode of the switch was not fully considered. In the simplest of cases, the switch would have failed, the clam shells deployed, and the safety system would force the throttle back to idle. The cable that forced the engine to idle was calculated to hold up to 632 pounds (per the video) - certainly more force than a pilot could exhert with his hand against the thrust lever. When tested, it actually was able to deliver 951 pounds of force before it snapped.
So, what would be the consequence of not training the pilots on this feature. In the rare case when this happens, the pilot might find himself alarmed that the engine was throttling back on its own and then remained stuck in that position - not great, but not critical.
What actually happened was that the switch failed intermittantly. It closed the shells three times. On the first two times, it caught the co-pilot by surprise. He couldn't stop it, but when the switch recovered, he quickly restored its position. On the third time, he was able to hold the lever in place - even against 951 pounds (or whatever it was) of force.
The engineers examining the failure mode did not consider a situation where an intermitent switch would provide practice rounds for the pilot.
