Checks, crosschecks, checklists, and failure: the view from the ground of Gimli Glider

Last we talked about the Gimli Glider, we looked at what happened in the air and ultimately how disaster was averted when the 767 ran out of fuel midflight.

Let's take a look at what happened to the plane before Captain Pearson encounters it in Montreal.  This will tell us about some of the cues and clues that they may have had in order to know or miss what was really going on with the plane.

Since we can't go all the way back to the big bang or when the plane was made as that wouldn't be useful for our view, we'll start with the beginning of the previous leg.

Its now July 22, 1983, the day before we last visited, and the plane is undergoing "routine checks" as it sits in Edmonton.  During these checks a technician notices that one of the Fuel-quantity Indicator Sensors (FQIS) is bad, so he notes it in the logbook and disables the bad channel.

The pilots for this flight from Edmonton to Toronto then to Montreal are Captain John Weir with copilot Captain Donal Johnson.  So the next day, they are told about the issue with the FQIS.

As is procedure, when the gauges or sensors aren't working 100%, they get a dripstick reading of the fuel.

Weir does the conversion, from centimeters, then to liters, then to killograms (which is correct).  He finds it agrees with the FQIS that is working.

Here we see a difference already, yes they did the conversion right, but they had something to help them "know" that they did it right, the working FQIS.  Its possible that if it disagreed, they'd know something was up and could investigate.

They then fly to Toronto then on to Montreal without any issues.

Montreal

Now in Montreal, Captain Pearson and First Officer Quintal take over for the flight to Ottawa.  As is normal for them, Captain Weir, Johnson, and Pearson have a brief hand-off conversation.

As Weir remembers it, they talked in general about there being a problem with the fuel system and suggests that enough fuel be loaded so that they can go to Edmonton without having to refuel when they land at Ottawa.

As Pearson remembers it, the hand-off tells him the gagues are not working and that a drip had been to do determine how much fuel was on board and that they'd been operating that way from on both the previous legs, Toronto to Edmonton and from Edmonton to Montreal where they now were.

We can see its not that Pearson just decided that everything was fine, we can see he was already anticipating different issues and coming up with mitigations and backups, taking Weir's advice to take on enough fuel to go through the whole trip without refueling.

While this is happening, an avionics tech, Jean Ouellet, heads into the cockpit.  He reads the logbook and while waiting for the fuel truck, does the FQIS self test.

In the midst of this the fuel truck shows up which distracts him.  Now the both channels, including the bad one, are left on.

Next, Pearson shows up to the cockpit and sees the gauges blank.  But he expects this because of what he took away from the parking land hand-off with Weir.

He then reads the logbook and sees Ouellet's entry:

"I001 - @ SERVICE CHK - FOUND FUEL QTY IND. BLANK - CH 2 @ FAULT - FUEL QTY 2 C/B PULLED & TAGGED - FUEL DRIP REQ'D PRIOR TO DEP. SEE MEL 28-41-2"

This is unsurprising to him, as he just had a conversation about the the processor or gauges being bad.  He flips back to the previous day and sees Yaremko's entry, under the "work carried forward section":

FUEL QTY 2 C/B PULLED & TAGGED - FUEL DRIP REQD PRIOR TO DEP. SEE MEL 28-41-2”69 @ SERVICE CHK - FOUND

To Pearson, this further confirms what he's seeing and his understanding that the plane flew from Edmonton without working gauges.

MEL says

At this point, if you read the incident report there is a lot (and I mean a lot!) written about well, the MEL says this and the MEL says that.

The MEL is the Minimum Equipment List.  This is the list of everything that needs to be present and working in order for the flight to be legal.  The FAA develops the Master Minimum Equipment List (or MMEL -- more on that later), which Air Canada develops their MEL from, and then its approved by Transport Canada.  The logbook entries are referring to this list, which is part of their Flight Operations Manual.

The investigation says of the MEL items, that "It is clear that at least two of the three fuel tank gauges must be working before a passenger aircraft can legally be dispatched. If there is more than one fuel tank gauge inoperative, then the aircraft is required to be grounded."

It seems that Captain Pearson understood this too, to some degree.  From his perspective, he says he said to "the maintenance fellow": "We are not legal to operate in this configuration”, pointing to the indicators, “with all of the fuel quantity indicators unserviceable," pointing to the gauges.

Here's what the final report makes of that:

"He appears to have consulted the MEL in a very cursory way... he took out the MEL, read the two items that seemed to apply to the situation and put the manual back."
Questions arise as to why Captain Pearson, a professional pilot of exceptional ability, did not pay more attention to the requirements of the MEL, and why he did not check the legality of the dispatch with his superiors or with someone in Maintenance Central.
The same questions apply equally to the conduct of First Officer Quintal, and of Messrs. Bourbeau and Ouellet. These individuals seem to have paid little attention to the requirements of the MEL and to have done virtually nothing to ensure a legal dispatch.

Because people don't check things they think are addressed or OK.  In fact, he did check, he checked the lines in the MEL he thought applied.  He says that he told the maintaince person about it too.

This is especially interesting because at one point in the report they almost acknowledge this:

What Captain Pearson saw when he boarded the aircraft and looked at the gauges was exactly what he expected to see, namely, blank fuel gauges.

He even says so:

Well, absolutely everything made me believe that it was legal: reading the log book, maintenance clearance. Right from the time I arrived at the parking lot till we pushed back, every single thing that happened in relation to this problem only reinforced my belief that it was legal.
Of course, if I didn’t believe that, I would never have considered operating the aircraft...

So if the MEL was so clear about that, and Pearson even seemed to realize this, then why did they fly?

Overrides and rules vs reality

As Pearson said in his testimony, if he didn't believe it was legal to fly to fly, he wouldn't have.  He flew because he thought it was legal to do so.  We've talked about how almost everything he encountered beforehand helped reinforce this.

There's one more element we haven't looked at though, and that's the routines and rules of taking off.  It turns out even this ended up supporting his belief that it was legal to fly.

Here, the report devolves into two different points of view, which I don't really find useful, "objectively" and "subjectively."

The "objective" view says:

there was an illegal dispatch, which Captain Pearson had the authority to avoid.

As Pearson said "every single thing that happened in relation to this problem only reinforced my belief that it was legal." So there isn't an issue with his "authority."  This is just a roundabout way of saying "if only he'd not done the thing he did," while placing blame for it.

If you doubt he's being blamed, the report goes on to say:

An examination of the various factors which prompted Captain Pearson to leave Montreal with inoperative fuel gauges leads to an understanding of his decision, but it does not, and cannot, justify his decision.

Why can't it?  But that's also part of the problem in an investigation like this, this final one, being conducted by a court.  They need justification, they are specifically in a place designed for blame and fault.

They even say they've come to an understanding of his decision, but that's not enough.

So why did he fly?  Because his understanding was that Maintenance Central had the ability to override the MEL.  It was his understanding that they had a more detailed list, a Master Minimum Equipment List, which they would then consult and make a decision on.

This wasn't just an assumption on his part:

Well, I knew because of the way things operate that we are at times - if something is contrary to our MEL, there are times when we are cleared by Maintenance Central to operate, despite the fact in our MEL we are not, and in fact the Master - the question of the Master MEL is now -I don’t know when it first - when the words first came into use in our manual, but they are there today with reference to the Master MEL.

He told the Transport Canada investigators similarly:

I know in my career that there have been times when, ‘Captain, we’ve got clearance from Lockheed, or Boeing,’ or whatever, you know. Every day this is taking place, that pilots are being told that it’s legal to operate, whether they always get an explanation or not, you know...We did not get an explanation and I probably would have asked for an explanation had I not assumed that we were not breaking new ground. The aircraft was being operated as it came in.

Captain Weir expressed a similar understanding, that maintenance would have a more detailed version of the MEL and said that he expected that all pilots would believe the same.

Failsafes and failure

At this point, you may be asking yourself, what happened with the sensor?  The tech had the recent training and was told that it should have failed over in exactly such a situation as this, so what happened?

It turns out that the power supply for channel 2 had failed.  Making it more confusing, it failed in a way that allowed itermittent function, but when it malfunctioned it prevented the intended failovers from working.

Without 5 volt logic, the system couldn't write the fault state of channel 2 to the non-volatile memory the system was expecting it to be in.  Additionally, without power the switchover logic would default to channel 2, the same one that was bad in this case.

As we've discussed previously, a few times, reliability techniques that were originally developed for hardware such as redundancies can add complexity and possibily contribute to failure.

Takeaways

  • What cues and clues are available influence people's analysis and decision making.  Everything he saw or experienced told Pearson the plane was OK to fly.
  • What is written in policy doesn't matter if people are trained to operate in a different way.  If a rule can be overridden in practice, then it is no longer a hard and fast rule.
  • People check and double check things they think are relevant, not things that aren't.
  • You can't realistically just give someone a giant, complex list and expect them to check everything every time.
  • Things that are intended to help, like redundancy or fallbacks can add complexity to incidents and diagnosis.

References

← RR Episode 7 - Checklists
The complexity of success and failure: the story of the Gimli Glider →

Subscribe to Resilience Roundup

Subscribe to the newsletter.