Flight recorders are essential

Digital Flight Data Recorders (FDRs) and Cockpit Voice Recorders (CVRs) have become essential tools for accident investigation. With the Boeing 737-800, flight MU5735 having been in-service with China Eastern Airlines for less than 7 years there’s a good chance both recorders will help unravel the events leading to its fatal loss.

Accident flight recorders are dependent upon the aircraft digital and audio sources that are acquired when they are operating. Although the recorders are highly reliable in normal operation the sensors that feed them may not be so reliable[1]. For this reason, the authorities have chosen to highlight the importance of a maintenance program that includes the entire recording system[2]. It can be disruptive to an accident investigation if the information available from the recorders is insufficient, inaccurate, or of poor quality.

It’s rare for the recorders not to be found post-accident but it does happen in some remote locations. They can be recovered from enormous ocean depths and hostile terrain. In the sad story of Malaysia Airlines Flight MH370 in March 2014, neither the Boeing 777-200ER aircraft or flight recorders have been found.

In comparison with the successes of accident flight recording and replay the list of unrecovered and unusable recorders is short[3]. However, it does point to the need to constantly revisit the minimum approval standards, installation, and maintenance requirements for recorders.

Having dual independent combined recorders can increase the chances of success. This is making the recorder a more general-purpose equipment capable of taking video sources and data from the air traffic system as well as an aircraft.

Independent backup electrical power can help keep the recorders going beyond significant damage to an aircraft. This does help pick-up the last possible information from an accident timeline.

There’s a case for a longer duration audio recording and increasing the number of data parameter retained. This demand for more information is insatiable since there’s always a scenario that can be imagined where more data would help an investigation.

Video recording has long been talked about. It’s happening in a few situations but has not generally been adopted as a mandatory requirement for large aircraft operations. I think it is needed.

[1] https://publicapps.caa.co.uk/docs/33/CAP731.PDF

[2] EASA Safety Information Bulletin, SIB No.: 2009-28R1, Issued: 08 January 2015.

[3] https://en.wikipedia.org/wiki/List_of_unrecovered_and_unusable_flight_recorders

Past fatal accidents

What can cause an aircraft to plumet from high altitude in an uncontrollable way?

What can cause an aircraft to plumet from high altitude in an uncontrollable way? A selection of accidents come to my mind.

One tragic accident was Indonesia AirAsia Flight 8501, Airbus A320-216[1] in December 2014. Here a malfunction in the rudder control system was reacted to by the crew in an inappropriate way. This fatal accident was put down to pilot error. That is mishandling after an aircraft system failure leading to a stall and plunge into the sea.

The loss of control and crash of Alaska Airlines Flight 261 McDonnell Douglas MD-83[2] in January 2000 is different from the recent Boeing 737 fatal accident but it warrants inspection[3]. For a start the MD-80 series has a high tail and rear engines. However, Flight 261 had a highly experienced crew, but the failure of a critical control component meant the aircraft became unrecoverable. Also, the MD-80 series of aircraft is of a similar generation to the Boeing 737. For both aircraft types, the control of the horizontal stabilizer is necessary to maintain safe flight. The MD-60 accident involved a catastrophic loss of pitch control.

Looking at the sequence of the fatal accident of SilkAir Flight 185, Boeing 737-300[4], in December 1997 it has some similarities. The lead investigators were unable to determine the cause, but suspicion fell on the aircraft rudder controls. This accident remains controversial. The accident flight recorders either stopped because wires broke or because their power was wilfully disconnected. We will never know which was the case.

Again, an accident with an inconclusive report is that of the uncontrolled descent and crash of United Airlines Flight 585. Boeing 737-200[5], March 1991. Anomalies were identified in the accident airplane’s rudder control system, but the accident was not attributed to these problems.

As can be seen from this small sample of accidents the interaction between aircraft and crew, when a control system failure occurs is a matter of great interest.

[1] https://bea.aero/uploads/tx_elydbrapports/Final_Report_PK-AXC-reduite.pdf

[2] https://www.ntsb.gov/investigations/AccidentReports/Reports/AAR0201.pdf

[3] https://www.nytimes.com/2000/02/14/us/safety-board-says-wear-was-found-on-jet-in-1997.html

[4] http://knkt.dephub.go.id/knkt/ntsc_aviation/Revised-MI185%20Final%20Report%20(2001).pdf

[5] https://www.ntsb.gov/investigations/AccidentReports/Reports/AAR0101.pdf

Flight recorders found

The tragic loss of all those on board China Eastern Airlines Flight MU 5735 continues in my thoughts and prayers. It’s good to hear announcements that progress is being made at the crash site.

It’s excellent news to see, from photographs published, that the aircraft accident recorder Crash Survivable Memory Units (CSMUs) are intact. Both the Digital Flight Data Recorder (DFDR) and Cockpit Voice Recorder (CVR) have been recovered.

The CVR records at least 2 hours of flight audio on a solid-state memory. Special procedures exit to recover the recordings from the recorder’s internal memory chips. This becomes difficult if the memory chips have suffered impact damage, like a crack for example. Investigators and the equipment manufacture are incredibly skilful extracting what data can be extracted.

The DFDR records at least 25 hours of flight data on a solid-state memory. There should be around 1000 parameters available for the analysis.

The technical specifications for these accident flight recorders were originally developed in the 1990s. At that time there was a transition from magnetic tape-based recordings to the use of solid-state memory. If the records are fully recoverable there should be a story of what happened in the critical moments before the aircraft started its fatal dive.

It’s possible to synchronise the recordings from the CVR and DFDR to reconstruct the actions of the crew. There are no video recordings. However, the audio and flight data can give a comprehensive picture of what happened during the accident.

Pilot commands and flight control system positions are recorded.

In parallel to the investigation of the material coming from the crash site, no doubt the authorities will be checking that no defect or deferred maintenance was reported in the technical log before departure of the aircraft.

By bringing all the evidence together a complete picture can be constructed. There are over 4,500 Boeing 737-800s now in service worldwide. This investigation will have a global impact.

What causes a dive?

It’s now been confirmed that the crash of the China Eastern Boeing 737-800 had no survivors. It’s with great sadness that the news was released. This is a devastating event that will echo down the years.

The Chinese authorities continue to press-on with a sense of urgency. So far, in the tests that have been done, no signs of explosives have been found at the accident site[1]. The rain-soaked hillside terrain continues to make the investigation difficult to conduct. They continue to look for the Flight Data Recorder (FDR) in the mud.

What is known is that the abrupt nosedive into a mountainous area occurred just before the crew would have started a descent to the airport in Guangzhou. If the FDR is recovered and replayed, it should give an indication as to the state of the aircraft as the dramatic upset initiated.

One thing with the Boeing 737 is that it is such a populous aircraft. It has a long history. As such, even given its excellent safety record there’s a large amount of information on previous serious incidents and accidents.

Since, amongst a large population of aircraft, one-off accidents are extremely rare it’s likely that some clues concerning these events are there in the current records. However, knowing where to look is not so easy. Some major events are written-up in detail while others remain only as scant records. A lot depends on the thoroughness of the investigating authorities.

In my previous article, for the purposes of elimination, I listed several common causes of catastrophic civil aircraft accidents. What is it that can cause an aircraft to abruptly nosedive without the opportunity to recover?

For the moment, I’ll put aside the notion that the aircraft crew had that opportunity to recover. There’s such a thing as the startle factor that can reduce a crew’s ability to take emergency actions, but we will not know anything of that factor until the accident recorders are replayed and the recordings well understood.

The two significant factors that are plausible are unrecoverable aircraft control failure and structural failure. It could be that both factors are linked in one way or another. They are certainly both hazardous but somewhat dependent upon degrees and the sequence of events.

A Boeing 737-800 has powered flying controls, as does all similar aircraft types, but it’s not a fly-by-wire aircraft. Therefore, it does not have the flight envelope protection that is available on a fly-by-wire aircraft type.

What can go wrong with those powered flying controls? Putting aside inappropriate crew action, there are both electronic systems and hydromechanical systems that can fail in a catastrophic way. In the event of electronic systems failing, they can be immediately disconnected but that’s not so simple with hydromechanical systems.

Illustrative of what can go wrong is this serious incident to a Boeing 737-700 in January 2009[2]. This was a post-maintenance check flight and so the crew were prepared. This aircraft’s descent rate was notable, reaching a maximum of 20,000 ft/min. It all ended well but just imagine the scenario occurring on a routine flight without expectation that anything was wrong.

[1] http://www.xinhuanet.com/english/20220326/6a8f099fbd7947caa1233da797bf9f1d/c.html

[2] https://assets.publishing.service.gov.uk/media/5422f73640f0b613420005db/Boeing_737-73V__G-EZJK_09-10.pdf

What are the likely scenarios?

When dealing with aircraft system safety, I often found it difficult to encourage design engineers to look at aircraft level effects. It was more common to address each set of systems as if they were the only ones that counted.

Safe continued flight and landing depends on a whole host of interactions. Picking up a technical specification, for say an autopilot, reading it and understanding it is one thing. It’s harder to appreciate how it interacts with every other part of an aircraft in flight.

Considering a large commercial aircraft there are only a few general conditions that can create a total catastrophe. I’m using a specific meaning of that well used word. In this case, catastrophe is a complete aircraft level failure situation that is non-recoverable. A chain of events that leads inevitably to fatalities and a total hull loss.

There are only a few general conditions because there are design commonalities between modern civil aircraft. For example, they all need surfaces that generate lift and surfaces that enable aircraft control. They all have propulsion systems that generate thrust. If they are for civil passenger transport, they all have environmental control systems that maintain a habitable environment within a pressurised area.

In flying, they all are subject to the effects of weather. That is any hostile situation that can exist in the atmosphere, from ground up.

With what is so far known about the crash of China Eastern flight MU5735, when thinking about potential aircraft level events, it’s not possible to rule out many scenarios.

However, it’s extremely difficult to conceive of a weather event on the day of occurrence that could have led to such a disastrous outcome. No great storm activity was reported. So, this is unlikely to have been an accident like Air France flight AF447 in 2009[1]. A high-altitude stall can be recovered if no other significant negative factors come into play.

Additionally, it’s extremely difficult to imagine this accident as a depressurising event. So, this is unlikely to have been an accident like Helios Airways flight 522 in 2005[2]. Unless there was a massive explosive decompression that caused structural and control damage. Japan Air Lines Flight 123 in 1985 had such a tragic fate[3].

Engines can fail in a spectacular way but that does not normally destroy a whole aircraft. A total loss of propulsion turns a large aircraft into a large glider. The trajectory of this aircraft suggests something happened that was far more devastating than the loss of one, or both engines.

Issues related to communication and navigation can put to one side given that the accident from start to finish was so rapid. No crew communication is reported to have taken place.

Following the deductions made above the remaining possibilities that warrant consideration are to do with either or both, structural failure, and unrecoverable aircraft control failure. The accident investigators working on-site will be looking at the deformations found in the recovered wreckage. They will be looking at collecting and putting together what remains of the aircraft control system. They will be saving every electronic circuit board they can find.

By far the remotest possibility is a wilful act of destruction. It’s better to first rule out more likely aircraft scenarios before posing questions that bringing into question those on-board.

Global commercial aviation has a tremendous safety record. China’s aviation safety record is a strong one. As has been said by commentators: planes don’t just drop out of the sky like that one. The urgency of the accident investigation is all too evident. The sooner there’s a plausible theory the sooner corrective action can be put in place.

[1] https://bea.aero/docspa/2009/f-cp090601.en/pdf/f-cp090601.en.pdf

[2] https://aaiasb.gr/imagies/stories/documents/11_2006_EN.pdf

[3] https://www.mlit.go.jp/jtsb/eng-air_report/JA8119.pdf

MU5735

Unsurprisingly, China Eastern Airlines has now grounded its fleet of Boeing 737-800s. This popular and well-used civil aircraft has a good safety reputation. Until more is known, the airline is taking a precautionary approach. 123 passengers and 9 crew members have been lost.

If the video evidence from a security camera is to be taken as reliable, then the dive of the Boeing 737 was uncontrolled and significant structural damage was evident. The on-line pictures show the aircraft at a relatively low altitude. So, it’s not possible to say at what point prior to these images that structural damage occurred. The speed of the dive could have either caused or contributed to the aircraft’s break-up.

Whatever it was that suddenly led to a complete loss from 30,000ft remains mysterious. Looking at the aircraft transponder data, the indications are that the flight was normal up until a point where an unexpected event occurred that was immediate and devastating. Even if the flight crew did have some recognition of failure conditions on-board, it does seem that little time to intervene was available. One assumption in aviation is that crews are provided with training in respect of emergency and abnormal procedures and can act accordingly when failures occur.

A great deal hangs on the recovery and replay of the two accident flight recorders.

The accident flight recorders are separate and installed in the rear section of the aircraft. This is done to increase their chances of survival in most accident and serious incident scenarios. Each requires electrical power. Several means of providing power are available including the aircraft’s batteries. However, if the electrical power wiring to the recorders is severed then they will stop recording. This is true for wiring from their aircraft data sources too.

Let’s hope that there is a complete recoverable record.

Crash-protected flight recorders

The crash of China Eastern Airlines Flight MU 5735 is deeply saddening. My thoughts are for the families, friends, and loved ones of those who were on board that ill-fated flight.

Watching video that has been circulated in social media the signs are that the China Eastern Airlines Boeing 737-800 dived and hit the ground at very high speed. The aircraft appears to have plummeted more than 20,000 feet in about a minute.

The aircraft crash site is in a difficult to get to location[1]. Authorities in China are searching the hillside looking for evidence as to what happened and recovery of the aircraft accident flight recorders[2]. Given what is suspected to have been a high-speed impact, damage to the accident flight recorders can’t be ruled out. They are made to withstand high impacts but are not invulnerable.

It’s most likely that the flight recorders will be of the solid-state type. This is where memory devices are enclosed in a strong crash protected metal box. So, much of the flight recorder could have severe damage but the recordings inside should be preserved.

On this type of public transport civil aircraft, there are usually two accident flight recorders fitted. One Cockpit Voice Recorder (CVR) and one Flight Data Recorder (FDR). To ensure that they meet rigorous technical requirements accident flight recorders are approved by aviation authorities. The technical requirements for approval are called: Technical Standard Orders (TSO)[3][4].

In both the US and European systems, TSO 123 is applicable to CVRs, and TSO 124 is applicable to FDRs. These two TSOs call up the applicable industry standards of EUROCAE ED-112A, MOPS for Crash Protected Airborne Recorder Systems[5]. This comprehensive technical document defines the minimum specification to be met for all aircraft required to carry flight recorders which may record flight data or cockpit audio in a crash survivable recording medium to be used for aircraft accident investigation.

One of the tests described in this long-standing international standard requires manufactures to shoot a crash protected module into a target at high speed. This test is often done by loading up a large pneumatic cannon, charging it and firing a module at a specially made target. To pass the test the module must survive sufficiently well to replay a recorded record.

So, there is a good chance that the on-board crash-protected recorders of MU 5735 might have survived. Let’s hope so.

[1] https://www.nytimes.com/2022/03/22/world/asia/china-eastern-crash-explained.html

[2] https://www.theglobeandmail.com/world/article-investigators-search-for-survivors-and-answers-after-china-eastern/

[3] https://www.faa.gov/aircraft/air_cert/design_approvals/tso/

[4] https://www.easa.europa.eu/domains/aircraft-products/etso

[5] https://eurocaeshop.azurewebsites.net/eurocae-documents-and-reports/ed-112a/#non-member

Responding to tragedy

News has come in of a tragic aviation aircraft accident in China. A relatively young Boeing 737 aircraft has been lost with all soles on-board. The Boeing 737-800 (B-1791) was built in 2015. As is often the case, social media is full of speculation. Even at the earliest moments after this catastrophic event, comment was being made of the limited information available.

There is a divide. Some people, out of respect for those who have perished make a point of saying that they will not speculate around the information that’s public. Other responses fit into a couple of camps. Let’s just say that there’s informed comment and ill-informed comment.

It’s reasonable to feel that ill-informed comment can step over into the realms of the disrespectful and inconsiderate. That rarely daunts a lot of users of social media.

A first response should be one of compassion. When a great number of passenger and crew fatalities occur the question of – why has this happened? Will come up soon enough. In the first instance a tragedy deserves a moment of reflection. It’s our natural human empathy. The pain and suffering of the families and friends of those who are not coming home, should be at the front of our minds.

After a moment has passed the call for action is rightly the next most urgent response. However, action based on scant information is a most difficult step. Often, such actions are precautionary. Imagining, the worst-case scenario, like the potential for reoccurrence of the accident, and then act accordingly. The cry is rightly – something must be done.

At this stage, as an aviation professional I have no problem with informed speculation. In this fast-moving digital world, that we live in, the flow of information is like a torrent. It cannot be easily stopped. At least not in our free and open societies. Therefore, it’s better that informed comment be given a space, otherwise the ill-informed variety will dominate.

Comments appear not only on the fatal accident but the response that has followed. That can be tough to hear when the first responders, emergency services, investigators and regulators get armchair critics commentating immediately on their performance.

Again, I’m not going to say this should stop. Transparency is vital if the public are to have confidence in the civil aviation. So, tolerating rough commentary that turns out to be wrong is part of the realpolitik. Although, it would be good if such commentors admitted when they had got it wrong.

Post tragic event, as information flows start to become more reliable so informed comment becomes more of an honest reflection of what happened. It’s as well to be remind that fatal aviation accidents with the loss of all on-board are rare. It’s always crucial to analyse what happened and act rapidly to prevent any possibility of reoccurrence. Whatever the commentary and speculation, that must not effect the work of the bodies who have the responsibility to take corrective action.

A wing and a prayer

Gaps

Fascination with the new. Who can resist? Advanced Air Mobility (AAM) provides just that. Often visualised in Science Fiction, plans for flying cars, taxies and autonomous machines buzzing around our heads are as popular as ever. A long-held dream of taking the imagination and making it real is the business of a lot of new entrants in aviation. The proliferation of projects is astonishing. Even with all the hype aside, there’s a strong chance that some organisations will suceeed in changing our skies forever.

This is great. It’s a way of decarbonising but continuing to fly. It opens new ways of undertaking vital tasks, like getting drugs and vaccinees to remote regions of the world. Emergency services can benifit in getting people from A to B faster and less expensivly. It may help get internal combustion engines off our congested roads in major cities. Air quailty may then improve for densly populated areas.

Nothing is for free. The shear complexity of the problems that need to be solved are taxing some smart people all over the globe. Not only that but the accommodation of aviation’s hundred-year legacy must be factored in too. That’s one reason why research and technical programmes are swallowing up the funds with a voracious appetite. Academics, consultants, and engineers are tapping into the pool of funds that Governments are making available.

Aviation has a pitfall that in that it is very unforgiving when errors and failures occur. It’s why the refrain that fits into every safety advocate’s lexicon is – safety is our number one priority. I will not argue as to how sincere those words are spoken. In the vast majority of cases, people mean what they say.

The awareness that in-service aircraft accidents can sink businesses is not lost on most protagonists. Health and Safety practitioners often say: “If you think safety is too expensive, try an accident”.

This note is more about the gaps that are evidence. Reading several publications on advanced air mobility safety and operations, I’m struck by the vagueness and wooliness of the material available. Or at least that’s how the material often starts. Then there’s a rush into infinitesimal detail to crack problems that seem more tangible. There are two problem spaces. There’s the part where uncertainty prevails. Then there’s the part where the nicely bounded nutty, gritty technical problems exist.

There are often far more questions than answers. Documents that proport to have answers are littered with questions. I’m reminded of the HHGTTG[1]. Talking about the invention of the wheel and a group considering what to do with it: “Well, if you’re so smart – what colour should it be?”

Asking the right questions is a must but there’s a lack of clarity too. Before going into painstaking detail on a set of scenarios a sound report should states its underlying assumptions first. It’s not a good idea to bypass the fundamentals. For AAM to go beyond a novelty, real world difficulties need to be faced head on. Context matters. Sharing the airspace with existing users must be considered[2]. Safety assessment must take account of interactions with General Aviation, ballons, recreational activities, aerial work, emergency services and military operations[3].

It wouldn’t be a bad idea to consider how accident investigation will be conducted, even at this early stage. No doubt lots of data will flow from AAM but will it be what’s needed when things go wrong?

[1] https://www.bbc.co.uk/programmes/b03v379k

[2] UK CAA CAP2272, October 2021

[3] https://www.mitre.org/sites/default/files/publications/pr-19-00667-9-urban-air-mobility-airspace-integration.pdf

How can we prevent organisational accidents?

Part 5

It’s my 62^nd birthday in a couple of days. I live on a residential road where there’s a large education college. Around here, it’s impossible, during term time, to go anywhere without being faced with gaggles of 18-year-olds. They are finding their way, on the first steps shape the world of the future.

Although there’s 44 years between us, I don’t feel that much different from the engineering apprentice that I was at Yeovil College[1] in 1978. It’s true that I know a lot more but the curiosity, fascination with how things work and sense of wonder that I had then remains.

In my career, I’ve been fortunate in having experiences in, and working with a wide range of organisations across the globe. Therefore, I’ll not be reticent in expressing a view on what works and what doesn’t.

Those 44 years have been a transformative time. It really has been a dramatic shift from a primary analogue to the predominantly digital. What engineering organisations do, and how they organise has changed far further than was predicted by pragmatic futurists in 1978.

I’m going to relate this to the story of the Boeing 737. It is the most populous civil aircraft in everyday use around the world. It has, if you aggregate all the hours of in-service flying experience, an excellent safety record. More pilots know how to fly it and more mechanics know how to fix it than any other civil aircraft type.

These facts make the MAX saga even more galling. How on earth did such an experienced engineering organisation like Boeing make such a fatal mess? The question has been asked by a lot of people in the past 5-years. There plenty of analysis, investigation, and speculation for the public to chew over. From highly technical reports to sensationalist documentaries.

Is there a phenomenon at the core of the succession of mistakes that were made? I think there is. It has to do with the reason why chains of events don’t break easily when there’s a high level of commitment to a course of action.

This occurs in aircraft accidents when a pilot knows that they should turn back but chooses not to do so, with fatal effects. It’s often called: Press-on-it is[2]. Organisations can have “goal fixation” as much as individuals can. That fixation can come about due to commercial pressure or pride or a naturally competitive spirit. A corporate urge to carry on regardless overtook Boeing, and the FAA and others.

From its inception to an aircraft that I might board tomorrow, the basic 737 is as ancient as I am. At its core it’s a 1960s aircraft that has undergone several big transformations. Bit like the dramatic shift from a primary analogue to the predominantly digital world.

Aircraft manufacturers, of all types are faced with this question. When is enough, enough? When do we stop modifying, upgrading, or converting a basic aircraft type?

I did design work for the BAe Advanced Turboprop (ATP)[3], The aircraft was a redesign of the Hawker Siddeley HS 748[4]. A long lived and successful aircraft type. Unfortunately, it was a redesign too far. Too many compromises, facing hot competition in the twin turboprop market. The ATP achieved limited sales and production was terminated. A decision was made to stop. I think that if BAe had started with a clean sheet of paper in the 1980s there’d still be a successful aircraft flying.

Back to the MAX saga. In my opinion it was a change too far. However, once committed to that change there was no turning back. Noone was able to decide to stop or rethink. A strong corporate urge to carry on regardless blinded people to the reality of the situation that was unfolding.

The MAX is a derivative of a derivative. The 737 went from “classic” to Next Generation to MAX over 4-decades. The story is not over but the last 5-years will never be forgotten by the aircraft industry.

[1] https://www.yeovil.ac.uk/

[2] https://skybrary.aero/articles/press-itis-oghfa-bn

[3] https://www.aerospace-technology.com/projects/bae_atp/

[4] https://www.baesystems.com/en/heritage/avro-748—avro-748mf