. We analyse the description of the operation of the Airbus A320 braking systems contained in the Flight Crew Operating Manual. We use the predicate-action diagrams of Lamport to express and to complete the description, and give reasons why such a more rigorous expression is preferable. 1. Introduction On September 14th, 1993, an Airbus A320 landed at Warsaw Airport in Poland in a thunderstorm. It overran the end of the runway, surmounted an earth bank, and came to rest on the other side. Two people died and others were injured in this accident [FI.93a, FI.93b, FI.93c, FI.93d, FI.93e]. This paper analyses the specification of the A320 braking system contained in the Flight Crew Operating Manual [FCOM]. Airplanes are procedurally-oriented machines. Manufacturers devise ways in which they shall be flown as part of the certification process, and descriptions of these methods, as well as descriptions of the system design, are required documentation on every aircraft that flies [FAR, Part ...

Standards demand that assurance cases support safety critical developments. It is widely acknowledged, however, that the current practice of post-hoc assurance—that the product is built and only then argued for safety—leads to many engineering process deficiencies, extra expense, and poorer products. This paper shows how the Problem Oriented Software Engineering framework supports the concurrent design of a safe product and its safety case, by which these deficiencies can be addressed. The basis of the paper is a real development, undertaken by the second author of this paper, of safety-related subsystems of systems flying in real aircraft. The case study retains all essential detail and complexity.