The tragic loss of all those on board China Eastern Airlines Flight MU 5735 continues in my thoughts and prayers. It’s good to hear announcements that progress is being made at the crash site.

It’s excellent news to see, from photographs published, that the aircraft accident recorder Crash Survivable Memory Units (CSMUs) are intact. Both the Digital Flight Data Recorder (DFDR) and Cockpit Voice Recorder (CVR) have been recovered.

The CVR records at least 2 hours of flight audio on a solid-state memory. Special procedures exit to recover the recordings from the recorder’s internal memory chips. This becomes difficult if the memory chips have suffered impact damage, like a crack for example. Investigators and the equipment manufacture are incredibly skilful extracting what data can be extracted.

The DFDR records at least 25 hours of flight data on a solid-state memory. There should be around 1000 parameters available for the analysis.

The technical specifications for these accident flight recorders were originally developed in the 1990s. At that time there was a transition from magnetic tape-based recordings to the use of solid-state memory. If the records are fully recoverable there should be a story of what happened in the critical moments before the aircraft started its fatal dive.

It’s possible to synchronise the recordings from the CVR and DFDR to reconstruct the actions of the crew. There are no video recordings. However, the audio and flight data can give a comprehensive picture of what happened during the accident.

Pilot commands and flight control system positions are recorded.

In parallel to the investigation of the material coming from the crash site, no doubt the authorities will be checking that no defect or deferred maintenance was reported in the technical log before departure of the aircraft.

By bringing all the evidence together a complete picture can be constructed. There are over 4,500 Boeing 737-800s now in service worldwide. This investigation will have a global impact.

Unsurprisingly, China Eastern Airlines has now grounded its fleet of Boeing 737-800s. This popular and well-used civil aircraft has a good safety reputation. Until more is known, the airline is taking a precautionary approach. 123 passengers and 9 crew members have been lost.

If the video evidence from a security camera is to be taken as reliable, then the dive of the Boeing 737 was uncontrolled and significant structural damage was evident. The on-line pictures show the aircraft at a relatively low altitude. So, it’s not possible to say at what point prior to these images that structural damage occurred. The speed of the dive could have either caused or contributed to the aircraft’s break-up. 

Whatever it was that suddenly led to a complete loss from 30,000ft remains mysterious. Looking at the aircraft transponder data, the indications are that the flight was normal up until a point where an unexpected event occurred that was immediate and devastating. Even if the flight crew did have some recognition of failure conditions on-board, it does seem that little time to intervene was available. One assumption in aviation is that crews are provided with training in respect of emergency and abnormal procedures and can act accordingly when failures occur.

A great deal hangs on the recovery and replay of the two accident flight recorders.

The accident flight recorders are separate and installed in the rear section of the aircraft. This is done to increase their chances of survival in most accident and serious incident scenarios. Each requires electrical power. Several means of providing power are available including the aircraft’s batteries. However, if the electrical power wiring to the recorders is severed then they will stop recording. This is true for wiring from their aircraft data sources too.

Let’s hope that there is a complete recoverable record.

The crash of China Eastern Airlines Flight MU 5735 is deeply saddening. My thoughts are for the families, friends, and loved ones of those who were on board that ill-fated flight.

Watching video that has been circulated in social media the signs are that the China Eastern Airlines Boeing 737-800 dived and hit the ground at very high speed. The aircraft appears to have plummeted more than 20,000 feet in about a minute.

The aircraft crash site is in a difficult to get to location[1]. Authorities in China are searching the hillside looking for evidence as to what happened and recovery of the aircraft accident flight recorders[2]. Given what is suspected to have been a high-speed impact, damage to the accident flight recorders can’t be ruled out. They are made to withstand high impacts but are not invulnerable.

It’s most likely that the flight recorders will be of the solid-state type. This is where memory devices are enclosed in a strong crash protected metal box. So, much of the flight recorder could have severe damage but the recordings inside should be preserved.

On this type of public transport civil aircraft, there are usually two accident flight recorders fitted. One Cockpit Voice Recorder (CVR) and one Flight Data Recorder (FDR). To ensure that they meet rigorous technical requirements accident flight recorders are approved by aviation authorities. The technical requirements for approval are called: Technical Standard Orders (TSO)[3][4].

In both the US and European systems, TSO 123 is applicable to CVRs, and TSO 124 is applicable to FDRs. These two TSOs call up the applicable industry standards of EUROCAE ED-112A, MOPS for Crash Protected Airborne Recorder Systems[5]. This comprehensive technical document defines the minimum specification to be met for all aircraft required to carry flight recorders which may record flight data or cockpit audio in a crash survivable recording medium to be used for aircraft accident investigation.

One of the tests described in this long-standing international standard requires manufactures to shoot a crash protected module into a target at high speed. This test is often done by loading up a large pneumatic cannon, charging it and firing a module at a specially made target. To pass the test the module must survive sufficiently well to replay a recorded record.

So, there is a good chance that the on-board crash-protected recorders of MU 5735 might have survived. Let’s hope so.

---

[1] https://www.nytimes.com/2022/03/22/world/asia/china-eastern-crash-explained.html

[2] https://www.theglobeandmail.com/world/article-investigators-search-for-survivors-and-answers-after-china-eastern/

[3] https://www.faa.gov/aircraft/air_cert/design_approvals/tso/

[4] https://www.easa.europa.eu/domains/aircraft-products/etso

[5] https://eurocaeshop.azurewebsites.net/eurocae-documents-and-reports/ed-112a/#non-member

Part 5

It’s my 62^nd birthday in a couple of days. I live on a residential road where there’s a large education college. Around here, it’s impossible, during term time, to go anywhere without being faced with gaggles of 18-year-olds. They are finding their way, on the first steps shape the world of the future.

Although there’s 44 years between us, I don’t feel that much different from the engineering apprentice that I was at Yeovil College[1] in 1978. It’s true that I know a lot more but the curiosity, fascination with how things work and sense of wonder that I had then remains.

In my career, I’ve been fortunate in having experiences in, and working with a wide range of organisations across the globe. Therefore, I’ll not be reticent in expressing a view on what works and what doesn’t.

Those 44 years have been a transformative time. It really has been a dramatic shift from a primary analogue to the predominantly digital. What engineering organisations do, and how they organise has changed far further than was predicted by pragmatic futurists in 1978.

I’m going to relate this to the story of the Boeing 737. It is the most populous civil aircraft in everyday use around the world. It has, if you aggregate all the hours of in-service flying experience, an excellent safety record. More pilots know how to fly it and more mechanics know how to fix it than any other civil aircraft type.

These facts make the MAX saga even more galling. How on earth did such an experienced engineering organisation like Boeing make such a fatal mess? The question has been asked by a lot of people in the past 5-years. There plenty of analysis, investigation, and speculation for the public to chew over. From highly technical reports to sensationalist documentaries.

Is there a phenomenon at the core of the succession of mistakes that were made? I think there is. It has to do with the reason why chains of events don’t break easily when there’s a high level of commitment to a course of action.

This occurs in aircraft accidents when a pilot knows that they should turn back but chooses not to do so, with fatal effects. It’s often called: Press-on-it is[2]. Organisations can have “goal fixation” as much as individuals can. That fixation can come about due to commercial pressure or pride or a naturally competitive spirit. A corporate urge to carry on regardless overtook Boeing, and the FAA and others.

From its inception to an aircraft that I might board tomorrow, the basic 737 is as ancient as I am. At its core it’s a 1960s aircraft that has undergone several big transformations. Bit like the dramatic shift from a primary analogue to the predominantly digital world.

Aircraft manufacturers, of all types are faced with this question. When is enough, enough? When do we stop modifying, upgrading, or converting a basic aircraft type?

I did design work for the BAe Advanced Turboprop (ATP)[3], The aircraft was a redesign of the Hawker Siddeley HS 748[4]. A long lived and successful aircraft type. Unfortunately, it was a redesign too far. Too many compromises, facing hot competition in the twin turboprop market. The ATP achieved limited sales and production was terminated. A decision was made to stop. I think that if BAe had started with a clean sheet of paper in the 1980s there’d still be a successful aircraft flying.

Back to the MAX saga. In my opinion it was a change too far. However, once committed to that change there was no turning back. Noone was able to decide to stop or rethink. A strong corporate urge to carry on regardless blinded people to the reality of the situation that was unfolding.

The MAX is a derivative of a derivative. The 737 went from “classic” to Next Generation to MAX over 4-decades. The story is not over but the last 5-years will never be forgotten by the aircraft industry.

---

[1] https://www.yeovil.ac.uk/

[2] https://skybrary.aero/articles/press-itis-oghfa-bn

[3] https://www.aerospace-technology.com/projects/bae_atp/

[4] https://www.baesystems.com/en/heritage/avro-748—avro-748mf

Part 4

What goes around comes around[1], so it is said. I think that idiom is often about bad things but can be about good things too. In other words, something done years ago can pop-up and have an impact on the here and now.

Some Microsoft PowerPoint presentations from the 1990s are difficult to read. One that I kept did convert into a readable format. The subject was Safety Management Systems (SMS). In the mid-90s, as a UK CAA Surveyor, I was presenting at a national workshop on design and production issues talking about the need for SMS. Describing what that term meant and how it should be used by approved organisations in the UK.

Airworthiness is about past, present and future. It’s about aircraft, procedures, and people. It’s about design, production, maintenance, repair, and overhaul. It’s a long-lived discipline that has developed over decades and delivered a remarkably good level of aviation safety performance.

What we were looking at 30 years ago was not only the experience of civil aviation but the results of investigation of tragic accidents in other industries. In 1986, the Space Shuttle Challenger was lost. 35 years ago, saw the Zeebrugge car ferry[2] disaster that killed 193 people. In 1988, explosions destroyed the Piper Alpha oil platform in the North Sea. Each accident pointed to the need for stronger safety management. Often the question was asked: how could such fundamental errors have been made? One response was: “Of all God’s creations, corporations seem to have the shortest memories of all”[3].

Lots of good people agreed that civil aviation needed to practice safety management but primarily on a voluntary basis. Not only that but there were numerous interpretations as to the meaning of SMS as applicable to the different disciplines in aviation. So, Air Traffic Services and Aircraft Operations went ahead with their own versions of SMS. Unfortunately, design and production organisations lagged. In the background, some specialists were attempting to distil a generic template for SMS.

It was the year 2005 that shook the tree. Measuring safety performance everyone had become accustomed a story of constantly improving global aviation safety. That year saw a series of major accidents which shook confidence and led to a High-level Safety Conference[4] at ICAO’s Headquarters in Montreal. This HLSC brought together Directors General of Civil Aviation and aviation organisations from most of ICAO’s Member States. Resulting from the HLSC was the Recommendation 2/5 and it was dramatic. It called for a new ICAO Annex on SMS. And so, ICAO Annex 19 was born.

It’s 2022. You might reasonably ask – why is it that we are only now implementing SMS for design and production organisations? Good question.

---

[1] The results of things that one has done will someday have an effect on the person who started the events.

[2] 6 March 1987, the roll-on, roll-off passenger, and freight ferry capsized 4 minutes after having left harbour.

[3] Safety Management, Strategy and Practice, Roger Pybus, Butterworth-Heinemann 1996.

[4] https://www.icao.int/Meetings/AMC/HLSC/HLSC%202010%20Report/HLSC.2010.DOC.9335.EN.pdf

Part 2

Make “challenging” better. It’s generally better to have more than one set of eyes on an issue.

The classical challenge is to perform an audit. To take a sample of the work being performed and check that its everything that it’s said to be. This can be done at any stage: design, development, test, production, and in-service. Unfortunately, audits can get bogged down in process, procedures, customs, and practice that get so heavy as to distract from the essences of the task.

There’s a focus on the tangible aspects of work too. How many reports? How many corrective actions? Show me the measurements. Nevertheless, well focused auditing is a powerful tool.

It would be wise not to discount the intangible benefits of an audit. Such activities provide a chance to view the more intangible aspects of work. Here’s a few anecdotes.

Often when being taken for an official guided tour around a design or production facility there time to look beyond what the hosts want you to see. I often found a moment to look at notice boards around a factory, or office and they gave a hint as to the culture in that organisation. Cartoons and jokes of good humour led me to put a “normal” tick in the box. But if they strayed into harsh lampooning of the management or the way of working then there was something to note.

Siting in a manager’s office being briefed as to the timetable for an audit it’s as well to take in the whole scene. All those certificates displayed on the wall. Were they pertinent? Were they there to show off? Or were they showing genuine pride in the achievements of the organisation?

Timetables for an audit are necessary but can be a menace if every second is filled. But an auditor should never be intimidated by a timetable. On occasion, I’ve walked past a pile of records only to turn back and say – and what about this one? Then being told we must hurry on. To which my reaction was to dig in and follow the trail.

It’s true that the environment has changed. Digitisation has made the random selection of a sample more difficult. Digital records lend themselves to more pre-prepared situations.

Mealtimes can be a revelation on organisational culture too. This doesn’t happen anymore, I’m sure. The factory canteen that serves alcohol is truly a thing of the past. However, an auditor being taken out for lunch is still commonplace. It’s possible to get moralistic about such invitations only to miss out on getting a sense of those intangibles that might help understanding.

Additionally, I will warn that there’s the small danger of vexatious challenge. It’s a rarity but obsessions can follow even the most capable of people around. There’s a risk too that focusing on one pet subject can mean gapping great holes are missed. Each subject needs to be taken proportional to its potential impact.