Air traffic controller fatigue remains a significant issue, made worse by controllers squeezing five eight-hour shifts into four days. The result is controllers fighting sleep while they stare at radar consoles.
FAA air traffic controller at work
There are ample reports of controllers not responding to pilots’ radio queries because they had nodded off, of other controllers having to respond to the pilots, and the most scandalous case to get public notice: the controller who reportedly made a bed on the floor of the control room, complete with blanket and pillows.
“We’re trying to get a hold of Knoxville approach or Knoxville departure,” radioed one pilot as he vainly attempted to reach the snoozing controller.
In Washington, DC, two airplanes landed at Reagan Airport after the controller fell asleep and was unable to radio the requisite landing clearance. This kind of situation could have easily resulted in a plane crash.
The Federal Aviation Administration (FAA) asked the National Aeronautics and Space Administration (NASA) to study the issue, then it squelched the results. Repeated requests for the study resulted in its being belatedly made public 18 July. The FAA poor-mouthed the study, claiming, “Concerns remain that the academic approach used by NASA did not sufficiently integrate an understanding of the air traffic 24-7 operational environment with a scientific approach.” A plain reading of the paper reveals just the opposite (see ‘Controller Alertness and Fatigue Monitoring Study’, report DOT/FAA/HFD-13/001; see www.faa.gov/data_research/research/media/NASA_Controller_Fatigue_Assessment_Report.pdf). The results — cutting through the dry bureaucratic language — are troubling.
Media reaction to the survey got right to the point
The study found that nearly a fifth of controllers blamed fatigue for committing “significant errors” in their duties. Controllers averaged less than six hours of sleep, with less time sleeping before working at odd hours.
Scheduling practices allowed controllers to work five 8-hour shifts over 88 consecutive hours. In contrast, the average non-controller worker will undertake the same duty over 104 hours.
One popular work shift, dubbed the “rattler”, enabled controllers to squeeze five 8-hour shifts into four 24-hour periods. This schedule allows controllers to enjoy a three-day weekend. In the “rattler” schedule, a controller ends an 8-hour shift at 2 p.m., and then returns to duty at 10 p.m. the same day.
Here is a typical work schedule that includes the “rattler”:
Hours between shifts
Between 74-81 hours off during the preceding weekend, depending on previous week’s watch schedule
15 hours off from 11 p.m. Monday
7 a.m. – 3 p.m.
9 hours off from 10 p.m. Tuesday
6 a.m. – 2 p.m.
15 hours off from 3 p.m. Wednesday
10 p.m. – 6 a.m.
8 hours off from 2 p.m. Thursday
Off duty as of 6 a.m.
Note that this schedule guarantees maximum circadian disruption; that is, it requires alertness during the hours from midnight to dawn when the body is programmed — through millennia of evolution — to sleep. As the NASA study noted, “This circadian challenge is compounded by the fact that it is commonly difficult to sleep during the day before the midnight shift, when humans are biologically conditioned to be alert and awake.”
In addition, controllers often work overtime, either as extra hours tacked on to a regular watch or as extra days. As the NASA study observed, “This yields a 6-day schedule with potentially one day off before the next week’s schedule begins.”
The controllers’ response to a survey item was revealing about trust in leadership. Instead of “usually”, the overwhelming response was “sometimes” to the statement, “When I am fatigued at work, I feel comfortable asking for a break or rotation.”
There are obvious solutions to the supposed “dilemma” of controller scheduling and fatigue:
Instead of scheduling five 8-hour shifts over 88 hours, spread these shifts over 104 hours. Yes, the controller workforce of about 18,000 will have to be expanded. That is the price of establishing a more reasonable relationship between shift work and recuperative time.
Eliminate the “rattler”. Yes, such a move would cut into the three-day weekend, but the weekend is already short by six hours, when the controller is on watch until 6 a.m. Friday morning.
We are long past the point where schedules should be dictated by convenience instead of science. The FAA’s pooh-poohing and dismissing the NASA study for its “academic approach” is simply an admission that other factors than what is known about circadian rhythm drive the controllers’ work schedule. Life-critical decisions are entrusted to people too often fighting off sleep.
The deadly saga of rudders behaving badly may not be over. On 28 December 2014, Air Asia flight QZ8501, an A320 bound for Singapore from the Indonesian city of Surabaya, pitched into the Java Sea, killing all 162 aboard.
The recovered rudder and tailfin; it is not possible to determine from the photograph if the tailfin separation from the fuselage occurred before the crash, after impact with the water, or during recovery operations
Indonesian air investigators are expected to release their report shortly. It was supposed to have been released in August, but promises of a release date must be regarded skeptically. The political, engineering, and human factors issues could involve significant wrangling and discussions to resolve.
On a flight to Singapore, the aircraft encountered thunderstorms and their inevitable turbulence
The case has many aspects which surrounded the crash of American Airlines flight 587 in November 2001. Shortly after takeoff from New York’s LaGuardia Airport, the rudder effected a reversal — from a deflection on one side rapidly to the other — and the resultant aerodynamic forces ripped the tailfin from the A300-600. The plane plunged into the Belle Harbor residential area in New York City, killing all 260 aboard and five persons on the ground.
During the National Transportation Safety Board (NTSB) hearings into the crash, there was considerable debate over the cause of the rudder reversals that led to structural failure of the tailfin.
Some witnesses from the airplane’s manufacturer, argued that First Officer Sten Molin, the handling pilot, had a history of over-aggressive use of the rudder. To correct the flight path as a result of a wake turbulence encounter, they said he wapped the rudder to the full left/right defection limits, causing structural overload that ripped the tailfin off the aircraft and put it into an unrecoverable dive. They argued that American Airlines’ advanced maneuvering program for pilots, which Molin had completed, predisposed pilots to make excessive use of rudder inputs.
Other experts, including pilot training officials from American Airlines and assorted aerodynamicists, argued that extremely short and light forces on the rudder pedals would yield full deflection with only 1.2 inches of pedal travel, leading to aircraft pilot coupling (APC). APC is a phenomenon in which pilot control inputs can be out of phase with the airplane’s reaction, thereby negatively reinforcing the negative aircraft response.
The NTSB concluded that the rudder control system, in the memorable words of staffer Malcolm Brenner, was “an inherently unfriendly design”.
On 28 May 2004 the NTSB recommended that the rudder travel limiter on A300-600 and A310 designs be modified to prevent rudder reversals. The rudder travel limiter system progressively reduces rudder deflection with an increase in airspeed. The rudder is large and it can induce overwhelming loads on the tailfin if its movement is not restricted at greater airspeeds.
The NTSB was concerned that large rudder pedal forces in the cockpit could result in “rudder pedal position substantially exceeding the designed travel limit.”
Thus, NTSB recommendation number A-04-044 proposed a design modification to the rudder control system such that it would not be “adversely affected” by pedal forces.
What followed was the usual exchange of detailed letters between the Federal Aviation Administration (FAA) and the NTSB — five pages of fine print just to summarize the letters’ contents. The last letter from the FAA informed that Airbus has launched a thorough study of the A300-600 rudder system. On the basis of this declaration, the NTSB closed recommendation A-04-044 as “acceptable action”. Note that the original NTSB recommendation included design modifications and, by implication, their installation. Yet, three years after the accident, the NTSB was apparently satisfied with a promissory note to study the design.
Therefore, this sorry state of affairs culminated even though NTSB technical staffers had developed a means by which the rudder travel limiter design could be made safer.
The rudder travel limiter system progressively reduces the total rudder travel with an increase in aircraft speed. This feature provides sufficient yaw (left/right) control without imposing excessive loads on the tailfin.
Meanwhile, reports of uncommanded rudder movement continue to be filed with the FAA.
In August 2013, one of many Service Difficulty Reports (SDRs) submitted on Airbus rudder problems indicated for an A319: “During climb … crew reported three uncommanded rudder inputs. Each input increased in severity. Acft on autopilot… [replaced] nr 1 yaw damper servo actuator … Test flight satisfactory. Cause: actuator Airbus P/N [part number] SC47005 faulty.”
Indeed, since the crash of American Airlines flight 587, a total — as of this writing — of 37 SDRs have been filed regarding uncommanded rudder movements (yaws, kicks, surprise movements, etc.) on A300, A319 and A320 aircraft.
Pilot reports submitted anonymously to the Aviation Safety Reporting System (ASRS) — eight since the crash in 2001 — paint a more gripping picture of rudder systems behaving unnervingly all on their own.
Here are extracts of selected accounts:
In 2002 aboard an A300-600: “While moving rudder during flt ctls chk [flight controls check] … I noticed that the acft fuselage shuddered violently with an unusual vibration that seemed to start in the rear of the acft and progress forward … [maintenance investigated and cleared the aircraft] …The aircraft was again presented to me for flt on Wed night … I encountered the exact same problem while checking the rudder and taxied the acft back to the chocks. I then informed the company duty officer that I felt unsafe flying what I believed to be a defective acft. I have filed 2 flt safety rpts with company and have notified both the plt’s association union safety office and the FAA safety hotline. It is my opinion the acft has a serious defect with the rudder and I consider it totally unsafe and unfit for flt.”
In 2002 aboard an A300-600: “I was the captain of [the] flight … during climb out of 10,000 ft, co-pilot and I noticed a yawing motion of the acft, very small in magnitude, as if someone was pushing on the rudder pedals (L and R, and R and L) back and forth. We tried to identify the prob by looking at the ECAM [Electronic Centralized Aircraft Monitoring display] page and noticed slight rudder movements without either of us pushing on the rudder pedals…”
In 2007 aboard an A320, with the captain declaring an emergency and diverting the flight to the nearest airfield: “I noticed what I thought of as ‘slipperiness’. It seemed like the airplane was slipping a little, as if driving on an icy road … I disengaged the autopilot in smooth air and immediately noticed a jerky yaw. I think it had been there before, but it was more noticeable when hand-flying due to knowing which inputs were mine versus the computer’s. There was no rhythm or smoothness to it. It seemed random, would sometimes jerk left, then left again before jerking right. I told my FO [first officer] ‘that’s not me’ … we paid very close attention to the flight control page once was discovered the anomaly and, to us, it looked like the rudder was being commanded to do what it was doing … I was later asked by maintenance if it could have been a loose actuator or bearing, but having had that problem before, I don’t believe it was. There was no vibration that I could feel at any time during the flight, and the movements of the rudder were larger and more deliberate.”
In 2008 aboard an A319: “On downwind to RWY 10 L [runway 10 left] … there occurred about 3 or 4 rapid and pronounced lateral displacements of the aircraft … it felt like uncommanded rudder inputs … these occurred while the autoplt [autopilot] was engaged … upon arrival at the gate … I related our experiences to both the … maintenance crew and the oncoming aircraft flt crew. I stressed my concerns that this may indicate a very serious condition. I offered to stay and speak with the maint ctl [maintenance control] representatives (this was a layover leg), but was told that would not be necessary. I do not know what corrective actions were then taken.”
In 2014 aboard an A319: “Descending through FL [flight level] 240 [24,000 ft.] at 320 kts [knots]. On autopilot, we experienced rudder movement (back and forth wagging) with no input from the flight crew. It was significant enough to hear a thumping noise on the flight deck and enough movement to cause a flight attendant in the rear of the aircraft to fall against the wall/bulkhead… I have no idea what caused this uncommanded rudder movement. We received no ECAM malfunction indications in flight and post flight maintenance reports indicated all normal.”
There is compelling evidence — albeit anecdotal — that some Airbus jetliners have a rudder problem. Most unnerving to the pilots, the problem manifests as surprise movement of the rudder, without any pushing of the rudder pedals by the pilots’ feet.
Which brings us to the crash of the Air Asia A320. From various accounts — not yet substantiated by the overdue investigation — the following sequence of events appears to have occurred:
Approaching a line of thunderstorms at 32,000 feet, the crew made a radio call to air traffic control requesting permission to deviate left, then a second request to increase altitude to 38,000 feet. Other aircraft were in the vicinity, so Jakarta Area Control Center radioed approval to climb to 34,000 feet.
No response was received from the pilots.
A radar plot shows the aircraft climbing rapidly, making a complete circle to the left before disappearing. The cockpit voice recorder, recovered from the undersea wreckage, captured the sound of multiple warnings before impact with the water.
A rudder limiter fault was occurring, and Captain Iriyanto got out of his seat to pull the circuit breakers. First Officer Rémi Plesel, a French national, was the handling pilot.
As the captain moved to the circuit breaker panel, the aircraft started to roll, achieving 40 degrees due to the rudder dispacement. Plesel attempted to rapidly ailerson roll the aircraft back in the original direction, causing upset and loss of control, i.e., a crossed controls situation.
Captain Iriyanto had flown the aircraft previously and had experienced a rudder limiter problem. Maintenance personnel had reset the circuit breakers behind his seat. When the same ECAM message came on during the accident flight, Captain Iriyanto got out of his seat to similarly trip and reset the circuit breakers located behind him.
His actions are thought to have triggered a rudder control reaction, causing FO Plesel to subsequently over-control with side stick and rudder pedal inputs. It is not clear whether Captain Iriyanto succeeded in pulling or resetting the breakers. Pulling and resetting circuit breakers affecting flight control surfaces while under loading from pilot inputs is very questionable. It is quite different from resetting a nulled-out system on the ground. It could be likened to experimentally pulling and resetting fuel control circuit breakers in flight. You would not a high degree of optimism and sub-system knowledge not to expect an engine flame-out in consequence. There are actions that can be taken on the ground (or in a simulator) with impunity, but that should never to attempted while airborne.
What is evident is that a series of abrupt oscillations occurred, leading to excessive pitch up and roll attitudes. The captain could not get back to his seat in time to recover the aircraft — if that was even possible. It must be said that leaving one’s seat to pull and reset circuit breakers to address a flight control issue is seriously non-standard within aviation.
Plesel’s over-controlling with sudden alternating control inputs — if verified by the flight recorder — recalls the NTSB analysis of FO Molin’s inputs preceding the crash of the American Airlines A300-600 at New York in 2001.
In the Air Asia accident, the cockpit crew’s actions may come under scrutiny, if not criticism, but the aberrant rudder limiter system, the previously ineffective maintenance actions, and the basic design of the rudder control system merit a thoroughgoing analysis — and correction. Undesirable feedback, stiction, gyrations, surface flutter and other characteristics are right at the top of “undesirables” for pilots.
One could also argue that the fatal crash in the Java Sea tarnishes greatly the NTSB’s reputation for rigorous investigations and diligent follow-through. The investigation did not fully account for all the reports of Airbus rudder malfunctions (at least 13 before the crash) and did not insist on corrective actions throughout the Airbus fleet. Instead of saving lives, the NTSB may well have left the poor design door open for more lives to be lost.
When endeavoring to understand the functioning of a large bureaucracy, such as the Federal Aviation Administration (FAA), it is instructive to look beyond the noble words of senior officials to the factors that affect the pay of those working in the countless cubicles.
Let’s look first at the words of Peggy Gilligan, the associate administrator for safety, which puts her in charge of oversight and compliance with federal regulations for the airline industry (manufacturers and airlines).
Peggy Gilligan, FAA associate administrator for safety
In announcing a town hall meeting for her subordinates, Gilligan mentioned the matter of customer relationships:
“Let me underscore the bedrock of what it is we do: The mission of safety and service will not change ….
“From now on, ‘customer’ is always a reference to the flying public [emphasis in original]. The Administrator stresses that he doesn’t want any ambiguity about this point and frankly, I agree. So we’re going to use consistency and standardization initiative to continue our efforts to communicate FAA rules and policies in a standard and more consistent manner. This isn’t a question of semantics. Since the word ‘customer’ was causing some confusion about who we serve, we need to make this clarification.”
Three points bear mention:
1) Note that the mission of “service” is not to be changed. Service to whom? Another bit of jargon comes to mind: the “stakeholders”, or those who have an acute and vested interest in the FAA’s oversight, or weaknesses in same. In other words, “service” to manufacturers and airlines. Of course, Ms. Gilligan did not clarify “service” as the unwashed millions of taxpayers who provide her six-figure salary.
2) Observe that Ms. Gilligan agrees with her boss. That’s nice, although loyalty to the Administrator and his policies is a given. If Ms. Gilligan did not agree that “customer” refers to the public crammed into ever more restrictive seating, she could of course resign.
3) Note the use of a prolix title — consistency and standardization initiative — as a heading for nebulously expressing the FAA’s regulatory oversight of the industry (e.g., stakeholders). Indeed, if consistency and standardization of FAA efforts is a problem, with one office taking a hard line on compliance, for example, while another takes a more forgiving attitude, the problem is far more than semantic: it reflects a deeper source of organizational dysfunction that requires in-depth probing, not the superficial use of an awkward new title.
The logo belies deep organizational dysfunction and should have a prominent crack through the face
Rife organizational dysfunction is evident from numerous independent reports of FAA failings. These critical reports include those from the General Accountability Office (GAO) and the Department of Transportation Inspector General (DOT/IG). Rather than summarizing their numerous depressing reports of FAA management failings, let me cite from a May 2015 article by Scott Bloch, who headed the U.S. Office of Special Counsel, which dealt with numerous cases of aggrieved and abused FAA whistleblowers:
“Over and over, when the FAA is caught asleep at the wheel, those in charge rattle their sabers, fire low-level individuals and allow the management [who] refuses to play by the rules to stay in power. Soon it all slouches back into a comfy system because the FAA does not like oversight, does not tolerate whistleblowers, and will say whatever it takes for the cameras to stop rolling and the members of Congress to stop having hearings. I know because I shined the light on FAA malfeasance and cover-up for five years when I headed the independent oversight agency, the United States Office of Special Counsel (OSC).”
No doubt FAA employees read Gilligan’s missive with bored tolerance. Far closer attention was doubtless paid to the Outcomes and Expectations document, which directly affects each FAA employee’s performance rating. That rating, in turn, affects salary increases and bonus payments. Below is the part of the Outcomes and Expectations document which deals with “stakeholder” relations:
“- Customer Focus
“This Critical Outcome addresses the degree to which an employee uses customer service in routine and non-routine program, project, and other decisions. Primary measures are the degree of respect that internal and external customers display toward the employee, the use of information on customer needs to assist in priority-setting, the exercise of courtesy and consideration in interaction with customers, and the willingness to seek mutually satisfactory approaches to solutions to problems, and working relationships.”
A few comments are imperative:
1) The banned word “customer” surfaces in an internal document outlining performance expectations of FAA officials as they deal with manufacturers and airlines.
2) Note that the measure of “respect” a stakeholder accords the FAA is a criterion for evaluating said employee (as if that employee had any control).
3) The use of “customer needs” to develop an action plan for the FAA that will be “mutually satisfactory”. In other words, don’t impose deadlines which interrupt business as usual, and don’t demand solutions which require aircraft to be grounded for repairs, or certification of new aircraft designs to be delayed.
Nowhere does the Outcomes and Expectations document place primary emphasis on the FAA employee safeguarding safety. Rather, the document is shot through with admonitions to listen to the “customer” and to “balance” the agency’s desires with that of the aviation industry. Collegiality, not effectiveness, is paramount.
Which type of FAA official is likely to receive bonuses and promotions?
The FAA official who is going to treat “customers” in the industry with deference, accommodation, and the minimal approach to safety. Imposing penalties for non-compliance is a subject never broached. Model leadership behavior is expressed as “constructively works with others to achieve organizational goals.”
The FAA official who accords stakeholders a fair hearing and then gets on with ordering compliance with regulations in as rapid a pace as possible, with grounding of non-compliant airplanes or airmen a distinct possibility, with fines to follow. Model leadership behavior is “to improve safety in accordance with regulations without delay.”
Also, one might well ask, which of these two personality types is likely to rise to the level of associate administrator of the FAA? Mr. Go-along-to-get-along or Mr. Get-your-act-together?
The flying public would prefer the latter, but their views don’t count.
In a modern jetliner’s computer, the capability to move waypoints can lead to dangerous deviations from safe flight paths. Just such a subtle “pilot trap” occurred on a Virgin Australia B777 with 272 passengers aboard during an approach to land at Melbourne airport after a long 15-hour flight from Los Angeles.
A 15-hour flight across the Pacific may have left the crew — even with rest breaks — too fatigued to catch the computer error
The first officer, looking out of the cockpit, thought the airplane was too low and advised the captain, who was the pilot flying. The captain promptly agreed and leveled off the airplane at 500 feet. When the airplane intercepted the 3-degree glide slope — from below, we might add — the landing descent was continued. Passengers were none the wiser, but the August 15, 2013 incident triggered an Australian Transport Safety Bureau (ATSB) investigation. The ATSB issued its report July 15, 2015. What it reveals is that the airplane’s flight management system (FMS) is, despite its advanced state, capable of exceedingly dumb maneuvers if its programmed parameters are not double-checked six ways from Sunday by an alert and skeptical cockpit crew. Had worse judgement been employed the situation could easily have ended in a plane crash.
The ATSB concluded:
“This occurrence highlights the factors that can influence the accuracy of data entry in critical systems and any associated checks. In addition, it reinforces the importance of monitoring descent profiles, irrespective of any expectation that the descent is being appropriately managed by the auto-flight system, and taking appropriate action when a deviation from the desired profile is detected.” (Emphasis added)
Due to the flight’s wearying length, the two-person cockpit crew was augmented by two other relief pilots.
For the descent and landing at Melbourne, the captain decided he would be the handling pilot, with the first officer monitoring. The captain, with over 6,000 hours of experience in the B777, determined that the airplane’s automated systems would fly the descent to the runway 34 threshold (runway 34 being the longer of Melbourne’s two runways). He programmed various waypoints into his control display unit (CDU). The cockpit is equipped with two CDU’s, one for each pilot.
With these waypoints, the airplane’s computer (the flight management system, or FMS) will calculate commands for control of the flight path. The autopilot was set to fly the airplane right down to the runway threshold, and the captain would then take over for the last few moments of flight before touchdown.
The captain selected the runway waypoint — RW34 — from the data base. RW34 had an altitude setting of 380 feet.
So far, so good.
The captain then entered a runway extension of 2.8 NM to better align the airplane with the runway center line for landing. When he did so, the FMS created a waypoint reflecting this extension and labeled it RX34 (to distinguish it from RW34 at the threshold).
Instead of setting the RW34 waypoint for an altitude of 380 feet above sea level, the captain inadvertently programmed that altitude for RX34. As a result, the autopilot would fly a steeper approach to intercept RX34 at 380 feet, instead of RW34 at 380 feet.
The first officer noticed that the expected glide path angle for the final legs of the approach were not displayed. Not to worry, the captain advised; for a manually-constructed approach, the expected glide path was not displayed.
The first officer missed the wrong altitude entry for RX34.
When the first officer took a break, one of the relief pilots assumed his seat and double checked all the captain’s entries for the approach. He also missed the incorrect altitude for RX34.
Then, during the descent to land, the captain was so preoccupied with activities inside the cockpit he had to be advised by the first officer that they were mighty low and that the precision approach path indicator (PAPI) lights at the runway were showing red — indicating that the airplane was well below the safe 3-degree glide path (the lights would have shown white for a descent above the 3-degree slope desired).
During the last phase of its approach, the airplane was way too low because the computer was flying it to a waypoint with an incorrect altitude
A few salient points cry out for comment:
Why did programmers who designed the system set up a situation where the new waypoint was only one letter different from the approved waypoints in the airport landing diagrams? Better to have a waypoint like AA34 to represent such an artificial and temporary point in the sky.
Where were the checks and balances? The captain apparently entered all of the data in his CDU, with no announcement and confirmation by the first officer. For example:
Captain: Entering runway extension of 2.8NM.
Captain: Waypoint RX34 created.
Captain: RX34 altitude set at 380 feet.
Why wasn’t the cockpit designed so that both pilots were required to enter the approach and landing information on their respective CDU’s, with differences in entries highlighted immediately?
Two CDU’s, but entry of data simultaneously into both, with cross-checking, is not required
Why wasn’t the cockpit instrumentation designed so that a manually constructed approach was displayed, the same way as is the case — according to the captain — for a computer constructed approach? With movable waypoints, the likelihood of error is greater — all the more reason for displaying the approach.
Finally, the captain was so preoccupied inside of the cockpit that the first officer had to call his attention to the red PAPI lights. Isn’t an instrument scan, plus being cognizant of the outside environment, the essence of good situational awareness? 6,400 hours of B777 flying experience, 12,000 flying hours in total, and the captain had to be advised that the PAPI lights at the runway threshold were showing red.
Computers still require humans to enter correct data. As the saying goes, “Garbage in, garbage out”. In this case — too low an altitude entered IN, too steep a glide path OUT.
The ATSB found that this event was not a “one off”. In January 2013, an Embraer RJ-170 on a scheduled passenger flight out of Darwin started diverging from its planned track. Apparently, the cockpit crew did not notice the deviation until advised by air traffic control. The crew had unintentionally missed a waypoint during data entry, so the autopilot simply flew to the next waypoint. As the ATSB observed, “The crew’s cross-checking processes were not effective in identifying the data input error.”
What the ATSB did not mention was obvious to this layman: ineffective cross-checking is rampant, and someday this will kill a planeload of people. Data entry should require simultaneous keystrokes by both pilots, with verbal announcement and confirmation, and the computer screens should highlight in glowing red any differences to the data just entered.
If all this data entry detracts from eyeballs looking outside of the cockpit, then all of the keystrokes should be completed before takeoff. If changes to the plans occur in flight, don’t dwell on revised data entry — just hand-fly the airplane. Data entry is not part of the definition of good airmanship, which is still regarded as the skill to competently fly the airplane to its landing destination without relying on still vulnerable cockpit computer systems.
With a flight management computer, navigational displays, and a head-up display (HUD), one would think that it would be virtually impossible for competent pilots to land their airliner at the wrong airport.
Yet it happens.
Little chinks in the defenses against such embarrassment exist. Evidence comes from the night time mistaken landing of Southwest Airlines Flight 4013, a B737 with 124 passengers, at M. Graham Clark Downtown Airport, which was a scant six miles distant from the intended destination at Branson Airport, MO.
Seen in daylight, the two airports are close to one another
More than a year and a half after this 12 January 2014 mix-up, the National Transportation Safety Board (NTSB) has still not published its investigation report. However, the Board has released a slew of pertinent documents. One 37-page paper contains summaries of investigators’ interviews with the flight crew, Southwest check airmen, and an aircrew program manager from the Federal Aviation Administration (FAA).
Pertinent extracts will set up the discussion to follow.
▪ First, the post-incident interview with Captain Ronald Horne.
For the planned approach and landing at Branson Airport (3-digit code BBG), he was the pilot monitoring (PM) while the first officer had the pilot flying (PF) duties. Horne said he checked the central display unit in the cockpit to double check the flight legs prior to departure from Chicago’s Midway field. At that time, he recalled that the approach to Branson was not entered in the display.
As they neared their destination, they were cleared to land by Branson’s tower controller.
The first officer, Kenneth Langford, did a pre-landing brief, a visual approach to Branson’s Runway 14. Horne then placed 5- and 10-mile rings around Runway 14 on the displays.
The tower controller at Branson asked if they had the airport in sight. Yes, Horne radioed; both pilots saw a beacon out ahead of them, which they assumed to be Branson Airport. Flight 4013 was cleared for a visual approach.
Captain Horne recalled that the runway ahead of them was “lit up like an operational airfield”. It was a clear, dark night and the runway appeared very bright (like the fabled Sirens who lured sailors to crash their ships on the rocks).
Horne said he was concentrating on the head-up display to make sure the touchdown zone and the runway length at Branson were dialed in, and that the airplane maintained the requisite 3-degree glide slope.
Horne said he was focused on airspeed. After they touched down, the end of the runway seemed very close (Branson’s Runway 14 was 7,100 feet long; the Downtown Airport’s Runway 12 was 3,700 feet long). Maximum braking was applied, at which point Captain Horne figured “something was terribly wrong”.
After the airplane came to a safe stop, the passengers debarked for busses called to take them to Branson Airport.
The curious at Downtown Airport gape at the Southwest airliner that mistakenly landed there
Horne said the head-up display may have contributed to being more focused on having a stabilized glide path to the runway, to the exclusion of other information in the cockpit — which would have indicated they were about to land at the wrong airport. The fact that he had never flown before to Branson Airport, while the first officer had done so, gave Horne “comfort” that all was well.
▪ Investigators’ interview with First Officer Kenneth Langford, the pilot flying.
He recalled entering Branson in the flight management computer. He said he briefed the visual approach to Branson’s Runway 14. Downtown Airport was mis-identified as Branson because it was the first set of lights they saw and it had a similar runway alignment (Downtown Airport’s Runway 12, i.e., 120 degrees alignment and very close to Branson’s Runway 14, with an azimuth of 140 degrees).
There were no centerline lights, just runway lights. Branson did not have centerline lights either, and no other airports were seen in the area.
It occurred to him that no PAPI lights were showing. These lights, located alongside the runway, indicate to the pilot where he is high, low, or on the glide slope to touchdown. PAPI is an acronym for Precision Approach Path Indicator.
Langford noticed the absence of PAPI lights, but at this point the aircraft was just 500 feet above the ground. He did not notice the number 12 painted on the runway.
When cleared to Branson by air traffic control, he had set the Branson approach on the flight management computer but when cleared for the visual approach he turned away for a 5-mile final approach; once he turned away, they were basically flying visually and not using any backup instrumentation.
▪ Interview with Daniel Menius, a Southwest dispatcher, occupying the cockpit jump seat to log required observation time.
Before the flight departed from Midway, the captain said he had never been to Branson and the first officer said he had been there only once (the first officer did not specify if he had been the pilot flying or if it had been a night flight). Dispatcher Menius said the first officer claimed he was going to be the “expert” as neither Captain Horne nor dispatcher Menius had ever been to Branson before.
Menius thought Branson air traffic control asked if the pilots had the airport in sight. The pilots said they saw the beacon, but not the runway lights. This transmission stuck out to Menius.
He thought he saw an airport in the distance, but the airplane quickly made a left turn and the runway was right in front of them. At the time he thought, “Oh, I was off, that must be Northwest Arkansas Regional over there.” He dismissed the notion that the one in the distance was where they were heading.
It piqued his interest that there was no ramp lighting whatsoever. If Flight 4013 was expected to arrive, the ramp area would have been lit up.
He did not verbalize these thoughts, as they were below 10,000 feet and the sterile cockpit rule applied.
He recalled that the runway edge lights were lit, but that was all. There were no center line lights on the runway.
When they were crossing the runway threshold, he recalled seeing the number 12 on the runway and thought, “Is this happening? This is a dream; this is not right.”
He thought, “Oh my God, this is not the right airport.” He knew for a fact that [runway] 14 was the one they were supposed to be landing on. He thought it was a dream.
It never occurred to him that the runway could be too short and that a potentially catastrophic rollout was occurring.
The crew did not discuss afterward what went wrong. They seemed a little in shock.
▪ Interview with Jerry Griewahn, FAA aircrew program manager for the B737.
He said that visual approaches at Southwest were required to be backed up by a navigational aid they had available in the cockpit. This event was all related to human factors; they crew had developed tunnel vision and “it was all downhill from there.” Both pilots saw the Downtown Airport lights and “that caught their attention and distracted them and they never went back in” the cockpit (to check their instrument displays).
▪ Interview with Denny Keller, Southwest Airlines check airman.
He did not know why runway and approach lighting were not required to be briefed for visual approaches. Some pilots would include that information and some would not.
When asked how pilots were trained to land at the correct airport, he said they were trained to use all available resources, to back up visual approaches and, when they were close in, to ensure that the runway numbers and the heading for the runway were correct.
He said the presence of a VASI [visual approach slope indicator] or a PAPI could be part of a visual approach briefing, but it was not a requirement.
▪ Interview with Craig Henrichson, Southwest Airlines check airman:
Visual approaches were required to be backed up by an instrument approach. Runway and approach lighting, he said, were not required to be part of a visual approach briefing. When asked why not, he responded, “Ask the guy who wrote it.” The lighting was also not required to be briefed on a visual approach at night.
He said that there have been no changes to procedures since the incident. A flyer was distributed to Southwest pilots re-emphasizing that visual approaches were to be backed up by instrument approaches.
Well, the two check airmen may be surprised when the NTSB’s final report is issued; there is a high probability that it will recommend some procedural changes. For example, having an instrument landing programmed into the computer as a backup to the visual landing approach is only useful if the pilots look at their navigation display on the instrument panel. It is evident that neither Captain Horne nor First Officer Langford looked at the display on the panel in front of them. The absence of a requirement to brief before landing the runway lighting at an airport for a night visual approach is almost sure to produce a corrective recommendation from the NTSB. For a visual approach at night, lighting is an essential aid.
Crew resource management seems poor. The captain was depending on the first officer; Captain Horne was fiddling with the head up display, which did not provide an identification of the airport where they were supposed to be landing. Even though the dispatcher in the jump seat was not formally part of the flight crew, he was a Southwest employee. On something related to possibly landing at the wrong airport — definitely within the bounds of permitted “sterile” conversation — he should have spoken up.
The captain’s leadership seems deficient. He failed to correctly identify the airport and to confirm that it conformed to the destination programmed into the cockpit navigation display. He did not notice the different (albeit close) runway heading, the shortness of the runway, and other cues that they were about to commit a big mistake. Above all, he never should have deferred completely to the first officer, who had not landed at Branson before at night. In short, the captain evidenced no leadership.
After the incident, the first officer retired from Southwest. The captain resumed flying after receiving additional training. The nature of that training is unknown, but the essential failure is one of leadership, not technical expertise.
The mighty manufacturers of airliners, like Airbus and Boeing, should be embarrassed. A 17-year-old high school student has developed a way to keep germs from spreading in the cabin of an airliner. Countless highly-compensated aerospace engineers have not advanced cabin health as much as one teenager.
An airline cabin is the most densely-packed public area in 21st century society. More than concert halls, sports arenas, restaurants, hospitals, supermarkets, or any other place where people congregate, an airplane cabin confines each passenger to a telephone-booth-size area in which such items like arm rests and seat-back trays are not cleaned with disinfectant between flights. The cabin is a veritable Petri dish full of micro-organisms, some of which cause colds, flu, or worse. Being seated next to someone with a cold spewing small droplets of mucous with each hacking cough means exposure from which there is no escape.
The “puffer” vents do not provide sterile air
Maybe there is some relief in sight. Raymond Wang, a Canadian high school student, received the top award at the 2015 Intel International Science and Engineering Fair last month in Philadelphia. He beat out 1,700 students from 78 countries with his device for improving cabin air circulation in airplanes. For his invention, he won the $75,000 Gordon E. Moore Award.
“With the traditional cabin, what’s happening is you’ve got two large, turbulent swirls happening. You’re spreading disease across the rows,” he explained.
Simply stated, there’s stagnant air inside the crowded aluminum tube, and when someone sneezes, there’s a “mess everywhere” — meaning that germs spread, he said.
Raymond Wang, covered in glory
Wang created computerized simulations of the air circulation inside a B737 cabin. He used those simulations to design devices that would fit inside an airplane’s existing air ducts; the small fins create a virtual “wall” around each passenger; the microscopic contamination from coughs and sneezes are pushed out of the cabin before they can spread in a turbulent burst.
Wang claims his device can be installed in the air vent with just two screws.
His prototype cost $10, and he estimates it would cost $1,000 to equip an entire airplane’s air circulation system. He may not appreciate the cost involved in qualifying something for use in an airliner, but at triple his $1,000 estimate, the benefits to passengers seem worthy.
Below is his explanation of the award-winning project:
“I tackled the issue of airborne pathogen spread in aircraft cabins, generating the industry’s first high fidelity simulations of airflow inside airplane cabins. Using my insights, I engineered economically feasible solutions that altered cabin airflow patterns, creating personalized breathing zones for each individual passenger to effectively curb pathogen inhalation by up to 55 times and improve fresh air inhalation by more than 190%.” [When this writer was a junior in high school, expressions like “high fidelity simulations” would not have come to mind.]
“Billions of people travel in airplanes annually, where isolated air in densely packed aircraft cabins can propagate disease via both direct airborne and large droplet routes … One group of researchers discovered that a passenger with H1N1 [influenza] could spread the disease to up to 17 other passengers per flight. Another group published a case study in which one SARS afflicted passenger had infected 22 others in a matter of three hours on a single flight.
A typical air-circulation system, which takes “bleed” air from the engines
“Millions of dollars have been invested into studying the exteriors of aircraft, aiming to improve factors like aerodynamics and fuel efficiency. Sadly, when we examine current research in the field of aircraft cabin airflow, we find that our understanding is largely incomplete. Because of the limited resolution of empirical measurement methods, CFD [computational fluid dynamics] analyses have come to be the preferred tools in industry. However, much of the existing work with aircraft cabin airflow, both commercially and in academia, is affected by critical errors: we find papers that have over-approximated the geometries of humans and cabin surfaces, models that have misplaced key cabin air inlets, and research that has failed to consider complex interactions between multiple physics. All of these factors add up to obscure the industry’s understanding of actual cabin airflow scenarios….”
“Every day after school, I’d spend at least three hours chugging away at my project. As I built up my confidence, I transitioned into modeling my own flow scenarios, beginning simulations with just an empty cabin, and gradually progressing in complexity…
“Through these simulations, what becomes evident is that the key issue with disease transmission occurs when a passenger sneezes inside the cabin. In a traditional cabin, airflow patterns can continually throw around the pathogen contaminants without providing them an opportunity to be absorbed by the HEPA filters in the air outlets near the bottom of the cabin.
“As this simulation demonstrates, pathogens from passenger effluents can continuously swirl around the cabin, passing by the neighbors’ breathing zones several times before ever reaching the outlets for filtration. And, while passengers are able to actively take measures, such as washing their hands, to avoid infection from contaminants on tray tables and other cabin surfaces, the effects of the global airflow situation in the cabin is significantly more difficult to counteract.”
Wang may be onto something with his concept of a “wall” of air around each passenger but, as he acknowledges, his revised airflow reduces pathogen contamination by only 55%, which leaves literally millions of pathogens to infect others as a portion of cabin air is recirculated. A steady flow of conditioned outside air would exact a fuel-burn penalty, so a portion of cabin air is sent repeatedly through the air-conditioning system.
However, intense ultraviolet light, located in the center of the air ductwork, would kill virtually all pathogens before they could be pumped into the cabin.
This pathogen-killing capability would require electric power equivalent to that of a kitchen microwave oven. Control could be automatic; when the air-circulation system is energized, the UV light in the plenum would come on, providing a reliable flow of sanitized air to the passengers.
Both technologies — Wang’s cabin airflow scheme and the irradiating UV light — would assure passengers of fresh air. Passengers might be uncomfortable in their cramped seating, but the air they breathe would not be a foul, pathogen-ridden miasma.
The FAA’s selective attitude to structural durability illustrates the agency’s activism after, not before, failures have hazarded passengers and crew in flight.
Recall the Southwest Airline captain’s radio message to ground controllers after his B737 experienced almost a 5-foot fracture of a fuselage lap joint in the top of the plane, “Request an emergency descent. We’ve lost the cabin and we’re starting down.”
By “lost the cabin” he meant the pressurization that kept the airplane safe for passengers to breathe without emergency oxygen.
Passenger Shawna Redden, seated in row 8, heard an ear-splitting BANG. Oxygen masks deployed from the overhead consoles, and the airplane pitched into a dive. As the cold blast of air at 36,000 feet rushed into the cabin, she took the hand of the man next to her. “If I’m going down,” she later recalled, “at least I want to feel connected to somebody.”
Southwest Flight 812 was able to safely land at Yuma, AZ, on that April Fool’s Day in 2011. Investigators from the National Transportation Safety Board (NTSB) arrived the next morning, cut out the failed lap joint and sent it back to their Washington DC laboratory for analysis.
The failed lap joint in the NTSB laboratory
Cracks in the same area were found on five other B737s. The B737 that made the emergency landing had last been subject to a maintenance “heavy check” in March 2010, when cracking should have been — but wasn’t — detected and repaired.
The FAA was sufficiently energized to issue an emergency airworthiness directive (AD) on 5 April 2011, just four days after the lap joint on Southwest Flight 812 with 118 passengers aboard split open with a startling crack. For the FAA, this was light speed for issuing a Band-Aid.
Emergency AD 2011-08-51 was effective on receipt and required detailed instrumented inspections — not a visual look-see — of all B737-300, -400 and -500 series models, with different schedules:
* For airplanes that had accumulated less than 35,000 flights, conduct inspections and any necessary repairs within 20 days. Since the FAA usually allows months or even years to conduct inspections, again this was requiring a light-speed response.
* For B737s that had flown more than 35,000 flights, inspect the lap joints within 5 days and, if necessary, effect repairs before further flight. The accident airplane had accumulated 39,781 flights when the lap joint tore apart and allowed hurricane speed winds into the cabin.
* For all effected airplanes, repeat the inspections every 500 flights thereafter.
The FAA has no idea about the state of all B737s covered by the AD, as it did not require reporting of findings. Whether the cracking was limited to the six airplanes mentioned by the NTSB, or 60 of the airplanes, the FAA to this day remains sublimely ignorant. It’s as if the FAA issued the emergency AD and considered the problem solved. The agency reflected a shocking lack of curiosity; just why was the cracking missed during a heavy maintenance check just months previously, when everything on and in the airplane is supposed to undergo detailed scrutiny?
The AD is just one of dozens issued over the years on Boeing lap joints. As various models age in service, the frequency of structural ADs increases.
A 2006 paper, titled “Can We Hope to Make Today’s Concern About Aging Aircraft a Thing of the Past?”, provides a positive answer.
The paper recounts the history of the DC-8, a four-engine jetliner designed in 1955. The airplane had a long history in passenger service.
The original DC-8, shown here in Pan American Airways livery
The paper contains an astounding revelation:
“The [fuselage] splice was so effective that throughout the entire service history of the DC-8 not even one AD ever was issued against this splice. Many of the DC-8s are in use as freighter [aircraft] even today. Their passenger service was discontinued because their systems became obsolete long before the airframes showed any sign of age.”
Well, there may have been some age-related corrosion problems, but no AD was issued because of the flawed (or over optimistic) design of the rivet installations on skin joints.
One of numerous concepts developed at Douglas Aircraft for improved durability of fuselage joints. ‘Minimized eccentricity’ was essential. Note that the skins do not overlap.
To what practices are owed the trouble-free joints? First, the skins were butted together smoothly, not overlapped. The result of the Douglas practice was the absence of eccentricity in the load path between the two skins. The presence of rivet holes worn to a loose-fitting oval, as found on many Boeing lap joints, was a sure sign of uneven load paths between the two, lapped skins.
The Douglas butt-splice design also featured rivets that were driven from the inside of the joint, not from the outside in. The flush, countersunk head of the rivet was formed during the process of riveting. This “cold working” of the rivet installation process filled the countersunk recess in the skin so well that corrosion was practically eliminated. Excess material protruding on the outside of the countersunk hole was shaved off for a nice, smooth appearance.
The design imposes far less risk of failure. As the paper describes:
“Unlike a butt joint, one skin is concealed under the other in the lap joint. It is, therefore, necessary to design the lap joint in such a way that the first fatigue cracks must appear at the visible location, i.e., the outer skin must crack in the first row of rivets. At the same time, care should be taken to ensure that the first row of rivet cracking does not lead to the problem of MSD.” [Multi-site damage, which prompted the latest AD on B737s]
Douglas Aircraft was eventually merged into Boeing, but the highly successful Douglas joint design was apparently lost in the shuffle — or the extra cost of the final step to shave off excess rivet material was deemed too costly. Remember, no aircraft manufacturer has ever warranted its aircraft with the equivalent of Hyundai Motors’ 100,000 mile guarantee for its autos.
Reworking thousands of Boeing jetliners to feature the superior design on the DC-8 would doubtless prove more costly than the “worth” of remaining service life. But here’s betting the less-durable overlap of the Boeing design was blessed by the FAA, despite the agency’s role in certifying the DC-8 for service with its superior butt joints.
Certainly there is nothing in FAA regulations today that requires skin joints of the trouble-free type installed on the DC-8. Obvious success stories are not replicated throughout the fleet, irrespective of manufacturer, because the FAA only watches for failures, not successes.
Here is a tale of cognitive dissonance, where the Federal Aviation Administration (FAA) thinks everything about approving the airplane for revenue service is hunky-dory, at the same time it issues directives to fix problems affecting safety of flight.
The case suggests the FAA is so compartmented that senior officials do not see the big picture. But, one would think, if a website writer can see the disconnect, maybe the FAA’s myopia is deliberate. To see the situation with 20/20 clarity would necessitate big changes and probably painful adjustments at the FAA. There would be a net gain in safety, at a cost of a few bureaucrats hides.
The B787 Dreamliner, approved by the FAA for airline service in 2011, with problems since
The sad case begins with an airworthiness directive (AD) issued by the FAA on May 1, 2015. An AD is typically issued to fix what the FAA calls an “unsafe condition”. In this case, the unsafe condition is a whopper.
AD #2015-09-07 addresses the new Boeing 787 twin-jet, which the Boeing company has dubbed the Dreamliner. It’s supposedly a dream to fly; it’s a dream to maintain; it’s a comfy, reverie-inducing experience for the passengers. To achieve this Zen-like trilogy of attributes, the jet is the most electrified ever, with traditional systems (like pressurization) now relying on electric compressors, and the cockpit featuring an array of flat-panel displays driven by multiple computers.
The hype has resulted in 264 of the new airplanes now being in airline service, with hundreds more of the jets on order.
Now consider the cold words of the recently issued AD on the B787:
“We have been advised by Boeing [that] …the software counter to the generator control units (GCUs) will overflow after 248 days of continuous power, causing that GCU to go into failsafe mode. If the four main GCUs (associated with the engine mounted generators) were powered up at the same time, after 248 days of continuous power, all four GCUs will go into failsafe mode at the same time, resulting in a loss of all AC electrical power regardless of flight phase.” [Emphasis added]
“Loss of all AC electrical power can result in loss of control of the airplane.”
The total loss of electrical power from the generators can be offset, for six seconds, by battery power to the flight deck. This appallingly short time is to provide time for the ram air turbine to deploy; its small propeller provides emergency power to enable the pilots to fly the B787 to a diversionary airport.
Continuous operation for 248 days equates to eight months’ flying service. The “solution” is to power down the airplane before that threshold. The software counters are set to zero, and apparently the B787 is “good to go” for another 248 days. The FAA regards this action as temporary, pending a software correction, to be developed and inserted at an unknown future date.
Since the airplane was approved for airline service — “certificated” is the technical term — in August 2011, the agency has had to issue at least six airworthiness directives addressing safety deficiencies on the B787. They include replacing a seat belt attachment fitting that failed in testing because the original was “understrength”. Also, an oxygen hose had to be replaced with one of different design; the B787 was outfitted with the same hose design as was involved in a serious B767 fire in June 2008. That B767 cargo plane was destroyed on the ground by an oxygen-fed fire beneath the flight deck in the electronics equipment bay.
Deficiencies in past designs are often passed on to new designs. There is no apparent FAA guardian of “lessons learned” to ensure that new aircraft designs do not repeat dangerous shortcomings in earlier designs.
Last, but certainly not least, the FAA issued an emergency AD affecting the B787 in January 2013. The emergency AD required modification of the two lithium-ion battery installations below the main deck. As the AD explained:
“This emergency AD was prompted by recent incidents involving lithium ion battery failures that resulted in release of flammable electrolytes, heat damage, and smoke on two Model 787-8 airplanes. The causes of these failures is currently under investigation. These conditions, if not corrected, could result in damage to critical systems and structures, and the potential for fire in the electrical equipment.”
From the NTSB investigation of fire in the belly hold of a B787, a comparison of the burnt-out lithium battery to an undamaged one
The six seconds battery power mentioned above as a back-up, when all electrical power through the GCUs is kaput, was threatened, too. And with widespread fire damage in the electronics and equipment bay, emergency electrical power from the ram air turbine might not get to the critical systems that need it to enable a safe emergency landing.
All things electrical are interconnected.
At the time the emergency AD was issued, the FAA announced a “comprehensive review” of the B787s critical systems. That high-level review was completed on March 19, 2014. Here is the first sentence of the report’s conclusion:
“The CSRT [Critical Systems Review Team] determined the B787 meets its intended level of safety based on (1) the fundamental soundness of the airplane’s overall design and (2) the effective processes that have been defined and implemented to correct issues that arose during and after certification.”
Despite the total loss of electrical power, the threats to back-up power, battery fires, and the vulnerability of the B787 to fire damage — of the same type that destroyed a B767 — the review team asserted that Boeing had “fully implemented corrective actions”.
Well, that may be so, but remember, this is a new airplane, supposedly put through its paces — both real and hypothetical — during the FAA certification process. However, the various AD’s issued since the airplane entered service are the equivalent of automobile recalls. During certification, the B787 was definitely not subjected to a wire-brush scrub of all its design features. For example, the generator control units were mentioned in the high-level B787 systems review report, but nary a word about their latent capability to completely shut down the airplane’s electrical system.
There is a straightforward explanation for the Critical Systems Review Team’s lack of criticism: it was not an independent effort to assess shortcomings in the certification process. The 13 members of the Review Team were all either FAA or Boeing officials — those with a career-preserving stake in finding no fault with the current superficial certification process.
A similar anodyne would not be produced by a team of independent experts. Say, former members of the National Transportation Safety Board, university professors expert in electrical systems, and safety experts in system reliability, among other candidate areas of expertise.
As is sometimes said, “a thick paper report will shield your hide from any flame”. In this case, the B787 Critical Systems Review Team report shields the FAA and Boeing from any accountability in a decidedly porous certification system. A raft of AD’s have been issued to cover safety issues that should have been addressed during certification, not months after trusting aircrews and passengers are aboard.
When considering the Federal Aviation Administration’s (FAA) latest attempt to assure structural integrity of airliners, it may be useful to recall ignored developments of the recent past. The contrast will underscore the FAA’s inadequate efforts.
The recent action concerns an FAA-issued airworthiness directive (AD) requiring inspections of a bulkhead frame on the B737-600 and -700 twinjets. AD #2015-08-09 was published in the Federal Register on 30 April 2015, with an effective date of 4 June 2015. The details of the AD are tedious for a general audience, but a couple quotes suffice to capture the essence of the problem:
“This AD was prompted by reports of cracking in the body station (STA) 727 bulkhead lower frame. This AD requires a detailed and open hole high frequency eddy current (HFEC) inspection of the left- and right-side lower frame webs and inner chords for cracking, and corrective actions and preventive modifications …
“We are issuing this AD to detect and correct cracking in a bulkhead lower frame web and inner chord, which could result in a severed frame and induced skin cracks, which could lead to rapid decompression of the fuselage…
“If a crack is found on one side, then that side must be repaired and the preventive modification concurrently installed on the other side, even if that other side is not cracked.”
Note first that the cracking was not predicted but was found on an in-service airliner. Body station 727 is approximately where the wing trailing edge meets the fuselage.
Note second that the frame could be cracked clear through, thus negating any strength or support it is supposed to provide.
Note third that the result can be lost skin integrity and blowout of pressurization; if this occurs at cruise altitude, an immediate emergency descent to lower altitude is necessary to get the airplane to dense air before the passengers’ emergency oxygen is exhausted.
Note fourth that the cracking may not revealed by visual inspection but requires HFEC to detect.
Note fifth that even if microscopic cracking is detected and repaired on one side, the opposite side requires strengthening modifications. This is due to the fact that repairing the cracked side induces new strains on the structure, with necessary compensating strengthening to the opposite side. Failure to do so could lead to excessive stress and resultant fatigue cracking on the unaffected side.
Note sixth that the AD effects 489 airplanes, approximately one tenth of the nation’s total commercial airliner fleet.
Note seven, and the intent of this discussion, is that this AD is one of many issued over the years addressing structural cracking on jetliners. Every one of these ADs was issued after cracking was discovered during maintenance or in flight. Every single AD was issued after the structural problem had progressed from a latent threat to an overt and un-ignorable hazard to flight safety.
This is a sad state of affairs, given what has been possible for years.
This latest inspection requirement illustrates the technological lag between military and commercial practice. Many aircraft in military service — including transports — are equipped with “fatigue meters” (recording accelerometers); through these devices the aging of each aircraft is “managed” according to a fatigue index (FI) derived from an ongoing, measured analysis if the airplane’s structure.
When a military aircraft reaches a certain FI, it undergoes planned rework in particular areas for continued airworthiness. This planned rework is performed before failure occurs, not after, as is the case here with the latest AD on B737 structure.
Moreover, it is possible to built a fuselage to safely fly, and resist fatigue loads, for 200 years — far longer than an airliner’s current 30 or 40-year design life. According to a 1997 paper by engineers L. John Hart-Smith and Richard Miller, the difference is in the details. Focusing on riveted fuselage lap splices, they believe they can be built to safely serve through four million flights — the rough equivalent of 200 years of airline service. Hart-Smith and Miller pointed out that most of the attention in airliner structural durability focuses on prolonging the last 10 percent of the life of the aircraft. It is in the last 10 percent of structural life that most fatigue cracks have grown to the point where they are detectable. The paper authored by Hart-Smith and Miller focused on extending the first 90 percent of the aircraft’s structural life.
L. John Hart Smith
This extract outlines the essence of their idea:
“New test data [show the] benefits to fuselage lap splices from proper rivet installation under controlled high squeeze force. Higher squeeze force alone is shown to raise fatigue life of a conventional 3-row countersunk-rivet lap splice from more than 100,000 [flight] cycles to failure with today’s installation standards to almost 500,000 cycles to failure, at the same stress level … with exactly the same rivets and joint geometry.
“Improving the design, by using … rivets installed from the inside out at both the top and bottom rows in the joint … further [increases] the fatigue lives to 1,000,000 cycles with the same number of rivets of the same diameter and the same stress in the same skin. This would correspond with a service life of 200 years before any crack grew to a detectable size.
“Combining both improvements with an increase in overlap, to reduce bending stresses, while keeping the same three rows of rivets … [results] in a life of almost 4,000,000 cycles at the same stress level.”
An illustration of a very long-lived lap joint, at right
To be sure, increasing slightly the amount of overlapped skin in the spliced joint would add weight, the designer’s bugaboo. But, as the authors explained:
“Let us suppose … that the splices add 5 percent to the weight of the aircraft’s structures. This means that the weight of a splice could justifiably be doubled if doing so permitted the skin stresses to be raised by as little as 5 percent. The longer splice tested here would indeed double the splice weight, but the total weight saving on the skin would be far greater than 5 percent — and still without reducing the fatigue life below 200 years!”
Here lies the problem: the FAA is chasing fatigue cracks, after they are found, one AD at a time, when the military uses a pro-active fatigue index to prevent cracking, and aircraft structural engineers have already developed a method of vastly increasing the durability of riveted components.
The FAA approach is totally reactive — ordering fixes after failures are discovered. The agency has not ordered the installation of accelerometers to record an airplane’s fatigue index, with repairs and modifications made before cracks are discovered. The FAA has not ordered manufacturers to implement structural practices that assure crack-free integrity beyond the usual life in service of an airliner.
The FAA has mastered the art of looking over its shoulder rather than taking a forward-looking approach that would effectively end fatigue cracking in airliner structures. It’s the aviation equivalent of accepting food-borne pathogens when procedures have been developed to circumvent the threat to public health but are not implemented.
Safety statistics seem to be geared to the audience. For the flying public, aviation officials affirm that travel by airliner is the safest form of transportation. The growing time between fatal accidents — in the U.S. at least — is often cited as proof that airliner travel is as safe as watching television in one’s home.
For the aviation industry, however, a different set of statistics is used to emphasize the need to improve air safety. The data are compiled by the Federal Aviation Administration (FAA). They are not advertized to the public, so finding the number of accidents is not easy. The record of accidents was published recently by the FAA as part of its regulatory evaluation of safety management systems, which the FAA has decreed for all scheduled airlines in the U.S., which is 90 operators, from the largest (more than 47 airplanes) to the smallest (less than 10 airplanes on the roster). In this document, intended to show why operators need to improve their safety, is an impressive and frightening list of accidents. The public has no idea.
In announcing last January the requirement for airlines to adopt safety management systems, FAA administrator Michael Huerta referred to 100 accidents in recent years as justification for the procedures mandated to pro-actively reduce them.
In his public press conference, Huerta understated the amount of mayhem and breakage. The full details in the regulatory evaluation present an absolutely stark picture. Not 100 accidents, but 123 accidents involving Part 121 air carriers for the period October 2000 through June 2010. Part 121 represents the scheduled airline industry.
In his public press conference, FAA boss Michael Huerta understated the number of accidents
It takes four full pages just to list the briefest details of each accident: date, deaths/injuries to aircraft occupants, damage to aircraft, and so forth.
The FAA’s explanation of the dollar costs of human injury and aircraft damage is revealing:
The human toll:
“From the 123 accidents, there were 424 fatalities, 27 serious injuries, and 110 minor injuries. The associated economic values (in base year 2010 dollars) are $8.9 million for an avoided fatality, $930,300 for an avoided serious injury, and $26,580 for an avoided minor injury.”
As stated, these dollar figures are for one airplane occupant. If we tote up the dollar figures for all fatalities and injuries, the cost of this bloody mayhem to the industry was in excess of $3.8 billion. Looked at another way, the carnage over the 117 months from October 2000 to June 2010 exacted a cost of more than $32 million a month. To further narrow the time window, the human toll of accidents costs the industry a million dollars a day. It is fair to state that virtually no passengers are aware of the average daily costs of deaths and injuries, although $1 million per day suggests that an average passenger could well become part of this expensive calculus.
The aircraft toll:
“In a majority of accidents used for this analysis, airplane damage occurred. To quantify benefits for averting future hull damage, monetary values are estimated based on the degree of damage to the hull. In 10 of the 123 historical accidents, airplane damage was categorized as ‘destroyed’. Destroyed airplanes are valued at wholesale price. In 85 of the accidents, airplane damage was classified as ‘substantial’. Airplanes that sustain substantial damage are valued at 13 percent of wholesale. The FAA does not have a set value for accidents in which ‘minor’ aircraft damage was incurred … the value of averting ‘minor’ hull damage is estimated to be 5 percent of an airplane’s wholesale value.”
The FAA does not give figures for wholesale prices of destroyed aircraft. However, airlines generally order airplanes in multiple numbers from manufacturers, and they leverage these group orders to obtain significant price discounts of 20% or more. A B737 twinjet can be had for less than $100 million a copy, and larger airliners can be bought at a group discount for slightly more than $100 million apiece. It is reasonable, therefore, to use an average discounted price of an airliner as $100 million. This figure will be used as the “wholesale price” for our starting point.
Given that 10 airplanes were destroyed during this period, we are looking at a cost of $1 billion. For the 85 airliners with substantial damage, the cost would be $13 million per airplane; figure a total cost of $1.1 billion. For the baker’s dozen airplanes with minor damage, assume $65 million in total damages.
Using this methodology, the total price of wrecked, beat up, and damaged aircraft exceeds $2.1 billion for the period of October 2000 to June 2010. Divide by the 117-month interval between these two dates, and damage costs exceed $18.5 million per month. Per day, the price works out to more than $60,000. Again, what passenger knows that the nation’s fleet of 4,000 airliners sustains damages of this amount, on average, each and every day?
In addition, the FAA is counting only accidents — those events that rise to a defined level of bloodletting and broken aluminum (hospitalization for more than 24 hours and at least $1 million in damages to the aircraft).
Below this threshold, there are many more incidents. How many? There are no widely-accepted figures, but industry experts generally ascribe 10 incidents to every accident. Using this metric, there were more than 1,350 accidents and incidents during the 3,300 days covered from October 2000 to June 2010. Everything from a major airline crash to a seated passenger sustaining a cut on the head from baggage spilling out of an overhead bin. Accidents and incidents, combined, occurred at the average rate of once every 2.5 days.
Hidden in-flight fire incident involving insulation blankets
Measuring the months between deadly crashes may be useful for public relations, but beneath this “tip of the iceberg”, as it were, lurks an astonishing amount of wanton damage, bent and dinged aluminum, contusions, trips, falls, dropped items, fuel spills, smoke in the cabin, near-collisions and dangerous confusion.
Whenever an industry official proclaims that airline travel is the safest form of transportation, be wary. The most casual examination, as done here, suggests that the risks of air travel are much higher than publicly proclaimed by the FAA and those within the industry the agency supposedly regulates.
Why don’t airlines compete for business on the basis of safety? The answer is obvious: the safety record is horrible.