Bjorn’s Corner: The challenges of airliner development. Part 4. How safe is safe?

By Bjorn Fehrm, Henry Tam, and Andrew Telesca

May 21, 2021, ©. Leeham News: After giving an overview of the types of certification rules last week, we now describe why the rules can vary so much between projects.

We cover some general concepts around acceptable levels of safety that influence how the regulations get applied to specific projects.

Figure 1. Air vehicles and their classification. Source: Aviation & Flying.

Why different rule sets?

When trying to understand the range of rules that can apply to an aircraft development program, it is important to first recognize that safety is a continuum, not just a binary concept. The governing bodies, including regulators and industry bodies, generally strive to keep aviation risk “As Low as Reasonably Practicable” (ALARP). 

There is inherent risk to flight that must be accepted to achieve the operational intent of a vehicle, but the regulations seek to minimize that risk without compromising the ability to achieve an operational capability desired by the public. 

The regulators also recognize that the public acceptance of risk varies — we care much more about an accident involving a large twin-aisle airplane than a small helicopter (well, unless there is a celebrity onboard).

To account for this, the regulations attempt to balance the level of risk against the level of practical avoidance & mitigation of that risk, which results in a different level of expected reliability and safety for different product categories. This is similar in many ways to ground transportation. No one expects riding a motorcycle to carry the same risk as riding a bus, and indeed that is the case: a 2013 study by Northwestern University noted a motorcycle fatality rate in the US of 212 deaths per billion passenger miles vs. 0.11 deaths in bus operations. Of course, commercial aviation is still king, with a rate 36% lower than buses.

A clear example of this use of regulation to manage safety risk can be seen in the recent EASA Special Condition for VTOL aircraft. In the figure below you can see the general system safety guidelines based on the size and operational regime of a VTOL aircraft on the left, and the decreasing risk tolerance that must be applied as you move rightward (higher consequence) and upward (larger). 

Figure 2. Relationship among VTOL classes and safety objectives. Source: EASA

Simply put, the one-in-a-billion (per flight hour) failure rate expectation that is applied to individual catastrophic failure conditions in a large transport airplane is neither practical nor necessary for a small single-passenger general aviation vehicle that cannot accept the weight and cost impacts of ultra-high reliability and redundant systems. This same logic is applied to targeted regulations in addition to general safety levels. Drawing again from EASA’s VTOL rules (VTOL.2250), smaller aircraft are only expected to perform an emergency landing after impact with a 1 kg bird, while larger UAM or commercial passenger operations require the vehicle to achieve continued safe flight and landing.

Knowing these expectations & categorizations when choosing how to size and configure your vehicle can be a key factor in whether you will be able to meet the certification rules and enter into service. On the flip side, figuring out what the public acceptance of risk looks like for new and innovative products — from electric to supersonic aviation to autonomous drones — is one of the great challenges facing today’s regulatory bodies. An autonomous passenger drone as safe as a 777 may be impossible with today’s technology, while one as safe as a motorcycle could be right around the corner.

In the next Corners, we describe some typical projects and show how the rules are applied — and adjusted — to their size and complexity.

37 Comments on “Bjorn’s Corner: The challenges of airliner development. Part 4. How safe is safe?”

  1. One interesting aspect is aircraft with old type certificates that are amended (like the 737 and A320): which new regulations must be incorporated and which are not required for certification. Looking at accidents, one can conclude that old piston engines (and some newer models initially) have much worse failure statistics compared to jets. How can the FAA/EASA improve on this (not everyone can send them for special rebuild at Power by Victor…)

    • The cause of the incidents (not accidents) is what should be looked at.

      In the case of the smaller commercial ops as well as non commercial ops (twin engine on down) the pilot is often the cause.

      Relatively few are aircraft failures.

      The big improvement would be in the pilots but the same problem is the cost to get a high capable pilot and maintain it with associated training.

      In short, there is no full motion simulator for a Caravan.

      Alaska has major small aircraft ops, commercial, so-called flightseeing (we just had a helicopter crash that killed a Czech billionaire) as well as private pilots.

      Two years ago I eyewitnessed a float plane cut across in front of another float plane that was clearly visible, and all planes were doing a South Approach pattern down the channel. The pilot did it deliberately so they could land before the next one. A crash was avoided by the one being fouled slowing down and weaving, but that demonstrates the kind of stupidity that occurs (and decisions to take a stupid route, weather conflict etc. – the goal being money vs safety)

      • The trend is to ever more automation driven by our ability to put a full set of gyroscopes and accelerometers into a single chip inertial navigation system.

        Elon Musk is famous for saying “One day it will be illegal to drive on a public road”. I think we will get to that for automobiles and aircraft using main airports. If cell phone road navigation apps told motorists 25 seconds ahead of time that the traffic lights were about to change red, and also what speed to drive to avoid having to come to a dead stop, vast sums of fuel and brake lining would be saved, the amount of traffic roads could carry would increase, and the time taken for a journey would reduce as flows of traffic would switch through intersections without ever stopping.

        The problem would be those not using it because they don’t understand, or those exploiting the system by overtaking cars coasting to slow speed. Then there is general incompetence, bravado, selfishness.

        Perhaps it’s better to just get rid of the human factor. Aircraft could transmit their position, velocity, heading continuously to a central air traffic system that would ‘deconflict’ them as well as broadcast to those aircraft within a few kilometres.

        I can’t believe that aircraft are still stalling or becoming unstable either.

        • @ William
          Thank you for raising ATC. That is an area of aviation in which more automation is badly needed. There are algorithms for directing air traffic far more efficiently than is currently done, and the sooner they’re implemented the better: use multiple back-ups, developed by different teams, and a voting mechanism in case of conflicts.

          Excellent point as regards fundamental issues like stall. Tail strikes are another such unnecessary phenomenon. All easily avoided using (properly written and implemented) software solutions.

          Perhaps the Chinese approach to certification will allow more modernization of aircraft systems: the ultra-rigid certification methodology currently used by FAA/EASA tends to have a stifling effect on innovation.

          • Only FAR 23 (which is light aircraft) allows innovation

          • Good laugh that Chinese certification is a way forward and Boeing self-certification is (rightly) a disaster.

            ATC has its issues, but it’s not a matter of a program and then turning it over to auto control.

            Even if you could, the ensuing crashes would terminate it.

            There is no single pat answer. It’s been deemed not in the public interest for transportation to be used as an experiment.

            So yes, there are restrictions.

            Or like Tesla, we wind up with cars that crash because you simply can’t program the variables.

            And what happens when the comms go down? It all comes down to systems built by people, with faults unknown or failures in maintenance.

            Equally, a stall proof airliner is not an economical one. Cost to travel is huge, economies fail as travel is part of what makes the economic system work.

            It’s a balance, and all that means is you have not fallen off the high wire; it does not mean you have not wound up leaning out one way or the other.

            Too bold and we get Li Ion battery issues. It seems worth it, but the approach to get there was faulty.

            And clearly you can innovate, but you have to do it sanely.

            Airbus pulled Li Ion off the A350 until that was sorted (the 787 was dependent on them design-wise; Airbus’s was a backup, not the more electrical design of the 787 that virtually had to have them). The A350 could substitute in Nicad without a huge impact, though with some weight effect.

            By turning it over to the RTC and getting real viable standards set, the innovation was there.

            Equally, all the cockpit automation has been approved. Generally it’s been good, but it also has its downsides and has been the cause of crashes.

      • Just compare the PT6 vs a regular Lycoming or Continental, and the PWC engine is approx. 100 times safer, at 0.15 per 100,000 flight hours. Still, pilot route and emergency planning and skills have a huge impact on the outcome of a single engine IFSD. But one would expect the FAA/EASA to have more severe testing requirements of new engine models so operators don’t need to cope with problems like in India on the PW1100G before PWA had got all SB’s in. Like 3-redline for 2000 cycles with idle hold times. Another safety issue is inlet distortion at FBO, which could be verified in ground testing with a flight inlet and fans blowing to simulate an M 0.8 climb, and then do the fan blade-out so the inlet will see the same aero forces as it flexes at high speed during the blade-out test.

  2. The reliability and failure rate evaluation for catastrophic events needs more intense focus these days. When Boeing was betting the company’s future on the 747, Bill Allen had to make some very difficult decisions. A lawyer, who led Boeing for decades, initially didn’t want the job as he didn’t feel he had the background to run a large technical industrial company. Joe Sutter, the Lead Engineer of the 747, had multiple problems as most new aircraft designs do, with the wing flutter, engine problems, etc. He had to ask Bill Allen for more time and more Engineers at a time when Bill Allen was looking at huge cost overruns and huge cash flow issues. He didn’t cut any corners when confronted with issues leading them between a rock and a hard place. There was no “can’t we just” thinking at the time. Small failures of components in an aircraft can lead to huge ramifications. Missing a small lock washer can cause a bolt to fall out, causing a fuel tank rupture, causing a plane to burn up.

    The recent Sriwijaya Air accident, still under investigation, has prompted the FAA to issue an AD involving a flap synchro wire failure, which the Auto throttle computer might miss. How often has a wire failure happened in the past? The critical paths involved in these newer complex control systems must fill an encyclopedia. Lots can’t seem to hand fly aircraft any more, even if they wanted to. In a lot of emergency drills, the sequence starts as 1) shut off the Auto Pilot, 2) shut off the Auto Throttle. (In the Sriwijaya Air accident, the left throttle under Auto-Throttle control was retarded, but the investigation is ongoing.)

    With all of the added complex systems being put into aircraft these days, we may need to bring back the flight engineer position. Especially in terms of how integrated the control systems are now. How important is one sensor reading, one wire failure, one missing lock washer? Do we have redundancy in enough critical areas?

    • Richard:

      While you have some very good points, looking at Eastern 401 and Delta 191, both with flight engineers, that did not stop either.

      Equally, AF 447 had two experienced pilots at the controls and the chief pilot and none of them got that a rate of 10,000 FPM down was a stall (along with the nose being way up)

      The US and the EU have both instituted training to address just what you bring up (hands on flying), unusual attitudes and recovery, non standard emergencies (ie not the rote same thing over and over and over again).

      FedEx in fact recognized the issue from their crashes (4 in recent history as I recall) and instituted it before it was mandated.

      Prior, there was a big emphasis on take off and landing. Unless you put in an emergency like a loss of engine, take off and landings are the one thing each aircraft does each flight. Doing so is demonstrated to all each flight, and at that point if you have to practice, you have a pilot who should get another career.

      Equally, if you look at alarm systems, many do not work. Often they swamp the crew with screams, buzzers, dings, squawks, voices when the pilot just needs the single issue (AF 447, stalled).

      In fact, the EASA mandated the stick shaker disable to allow pilots to deal with a MAX issue without the distraction. Once it shakes, you either correct the stall immediately, or it’s a false issue (MCAS 1.0) and it distracts seriously from dealing with the real issue.

      While I never had that occur in an aircraft, I did on equipment where you just wanted to stab the alarm annunciator with a screwdriver so you could focus on what you needed to do.

      The huge issue is that no one ever researched alerts that worked; they just kept putting alarms in on top of alarms. Ask anyone who has worked on a dirt spread. Dump trucks had nothing to start with, then bell clankers on the rear wheels, then an audible, and now lights and audible. 15 minutes of that and your brain ignores it.

      No Aircraft mfg has studied what works vs just putting in whatever the engineers think works (and engineers without data are a hazard)

      Cockpit automation has each mfg doing it their way.

      There was a reason that the Aviation Authorities put into regulation how aircraft instruments were to be laid out finally.

      But now the backup is a small display between the two pilots when each side should have its own and large enough to be used, not just a minimal thing it is now.

      Boeing has been cited by the NTSB for its junky auto throttle ops (one part but key to the Asiana crash at SFO)

      And too often it’s purely pilot disorientation that causes crashes, and there is no reason for that to occur in this day and age.

      In flying there is a well-known mantra: FLY THE AIRPLANE!!!!!!!!!!!!!

      But along with a sane and consistent system ops, pilots have to be trained as to what that means.

        • Mister Fallows’s assertions in that old Atlantic hit-piece seem questionable to me, though he did at least preface them with those of a qualified airline pilot.

          IIRC, Fallows is a journalist/ member of the Club, with some private-pilot rating.. clearly, clearly qualified™ to pass judgment..

          One needs to understand the role of rags like The Atlantic.. narrative-shaping is What They Do.

          • Well, they clearly weren’t as capable in those circumstances as their ‘hours’ might suggest. Is that ‘shaping’, to say that the plane crashed because of fairly basic pilot errors?

          • The pilots (and the passengers) were victims of the system.

            The requirement for the Ethiopia First Officer in the MAX crash was 250 hours.

            By the standards in place at the time, both the Flying Pilot and the 2nd officer were well qualified, having been through not only the hours flying but all the simulator time that entailed.

            To say 6500 and 3000 hours is not experienced is damned stupid. If that is not, what is?

            So no, boring holes in the sky and building hours does not equate to skill, but there is a correlation of experience that also applies.

            The AHJ in US and EU have recognized that sitting there managing a flight director is not the same.

            But for those who contend this is new? We have had auto pilots since before WWII. Pilots have always used them when it’s level and dull, and for a good reason.

            You will note that the PIC who came forward ALSO failed to understand what the instruments were telling him. I guess he was only qualified to clean biffies with 11,000 hours.

            Post-crash analysis of other loss of speed events has found two knee-jerk reactions are common. Both are horribly wrong, one more so than the other but still horridly wrong.

            One is to pull back on the controls – that is contrary to all loss of speed training .

            But clearly it’s a human factors issue that failed to be addressed at the time.

            The other is to push forward. While that is common to regain lost speed, clearly it also is a failure to fly the airplane, as you do not go from 500 knots to nothing unless you ran into a mountain and are dead.

            The fact that training did not catch these (some 13 identical almost all did the wrong action initially) is a system failure.

            Training to pre-WWII standards is also a fact: the training never evolved, and it was assessed that while the systems have changed to an incredible degree, the training has not.

            That has been assessed and the noted revisions are being done in the Western world.

            While it’s been blamed on lack of hand flying, the stuff you really need to understand and have a feel for has to be done in a Simulator or in a Single Engine aircraft with no passengers on board.

          • Transworld, I personally have an aversion to solutions that require ‘pilot training’ as I see it as a cover for inadequate engineering and certification. In this case AF447 probably wouldn’t have been lost with all souls had it had synthetic air data or sensor diversity, and Lion Air and Ethiopian MAX flights had they had a proper sensor triplication. You obviously have a keen interest in aviation safety and so probably recall the de Havilland Comet 1 losses due to metal fatigue from pressurisation cycles. Before those two hull losses from metal fatigue there were two hull losses from pilots who over rotated the aircraft during take-off. The over rotation led to the aircraft being stalled and incapable of lift off. To counter this, ‘minimum unstick speed regulations’ were developed to prevent a stall from over rotation. In the Comet the engineering solution was a reprofiled wing.

            Bryce: Thanks. I had thought the Synthetic Air Data was a done deal. Synthetic Air Data was clearly used in a range of vehicles (mainly missiles and drones). Given how cheap Inertial Sensors are, its time has come I feel. Pilots have bad days, and the young PF 1st officer on AF447 was complaining about bad Jet Lag on the CVR.

            SAM1 I strongly suspect you are right.

          • William:

            Thank you, I am deeply interested in the Aircraft safety which in many ways is not Automation and Pilots (not mechanical failures and often engine when I was a kid)

            I grew up on FAA stations in Alaska, aviation was the main part of our existence.

            While I wound up in a totally unrelated field, I did get a Commercial Pilot’s license early on. I believe today you have to get the instrument rating with it; back then it was separate and I had both. Instrument flying was the one area I was very good at (no idea why, it fitted me to a T as to how I think and react)

            None of this is to brag or pat myself on the back. I was a decent average flyer overall, nothing special, little ego. I did not think because I could fly I was a gift to humanity. I could make decent landings and the air maneuvers were decent but nothing special.

            As part of Private (you get that first or did in those days) as well as the Commercial, unusual attitudes was very focused at the school I went to (I don’t know if it was just them or not, long ago)

            Most people do not know how that is done, let alone understand what it’s like to be disoriented in an airplane. You have to experience it to understand it.

            You are put under a blind hood with your head down, the instructor puts the aircraft in various ups, downs and turns and gets your inner ear spinning. His last move is to put you into a close stall, dive, steep turn or a spiral.

            Then you are told to look up and your job is to determine what you need to get the aircraft straight and level.

            Normally the instructor did mild turns and did not put you into near critical conditions, he still had to save the aircraft if the student lost it (and most did at least initially).

            We both got bored with that as it was not a challenge for me. Something about, assess first then act was some kind of built in norm.

            So he asked if he could really try to shake things up and I was good with it. Despite his most fiendish efforts he never could shake me (he also never told me how extreme he went with my head down, he may have done barrel rolls).

            He also had us at extreme edge of stall, dive and turns though he was ready to recover if needed. He never did.

            I view aviation from that perspective. Anyone can do straight and level, virtually anyone can do a take off (it’s pretty easy). Many are really good at the Chandelles and the other required flight maneuvers, far better than I was.

            But when push comes to shove, it’s how you handle a crisis that is the heart and soul of what a pilot should be about and trained for, not the routine rote stuff.

            We saw in WWII that tens of thousands of people from every walk of life and skill or none could be trained as a pilot. Most were decent; some like Yeager, Johnson, Bong etc. were brilliant in various ways. Yeager was the epitome of an engineer and extremely good pilot (and some luck, which never hurts)

            Pilots tend to put themselves on pedestals, which I never liked nor agree with. It’s a skill that can be taught and not all have to be Yeager.

            The heart and soul of what they are now teaching in the US, EU and maybe Brazil, Singapore etc. is crisis, unusual attitude, emergencies, not the rote.

            Prior it was rote take off and landing (a total waste, every flight has a landing the pilot gets to demonstrate though you hope its at least a decent one)

            I also surveyed, and that is the most intense of picky details you can imagine, as a tiny error can be a huge bust. Feedback, verbal exchange, no ego, make sure the party chief has the right numbers and has repeated them back as you gave them. Check your numbers to be sure you were correct.

            The career that I worked at the most was building equipment (HVAC) (fans, refrigeration, pumps, generators, switchgear). All that was relay logic or a combination of relay logic and pneumatic controls.

            About the time I got into it we had just started the transition into processors to control building fans, air conditioning auto start, stop and ops, pumps running or not. While the relay system could be complex, the logic was simple. Once it got over 58-60 deg outside air temperature, turn on the air conditioners, drop the dampers to 20% (AC needed heat load), and then a logic board that determined what was the best ops of 100% outside air or the minimum of 20% (now it’s 30% for health/ventilation needs)

            What was simple logic in the relay world got very complex in programs for something as simple as a fan. The options for the various possible faults branched into pure nutty at times.

            When my first processor crashed, an entire building shut down, no heat in late November.

            I had to come up with ways to bypass the programs, get the key relays to run the pumps and boilers, get the fan to run for ventilation, set dampers by hand to maintain the supply temperatures.

            Just adding more and more processors and controls to it never stopped faults and failures. Even having backup meant you really needed 3 to ensure you had one (and more than once I was down to one when two of the three backups were inop)

            In the end, while I agree that you can add equipment and improve things, I don’t believe from experience you can solve the problems by just adding equipment. It all fails, and the complexity to program spirals out of control and to a degree already has.

            A pilot still has to be able to fly.

            If you look at most crashes now, those are where the pilot loses orientation (he looks outside thinking he can tell where he is at and he ignores the instruments that tell him where he really is at)

            And yes, we trained on multiple instrument failures and how to sort out the bad ones from the good. Part of the training was to take away two of your instruments and you had to fly on what you had.

            I have yet to hear that one of those pilots who were disoriented and did not fly the aircraft had actually lost an instrument. They simply reverted to feel and outside vs looking at the Flight Display that tells you exactly what your attitude really is.

            Unless you automate a pilot out of control entirely, your pilots need to be competent. Not brilliant, but competent.

            And complete automation is at this point not possible. And if it was, how much more complex is the backup?

            The question I had with AF447 was if Airbus was so convinced that automation (FBW is a means to an end there) was the answer, then why did they not program the computer to put the aircraft into 5 deg up attitude and 85% power?

            Instead it went into an alternative control law where it gave that control to pilots who were badly trained and totally unprepared.

            It’s easy enough to program that in, but they did not do it.

            Not so easy would be the same situation on takeoff.

            One of the issues is what they call MODES. Takeoff is a mode, landing is a mode, descent is a mode, climb to cruise is a mode, cruise is a mode.

            Computers have to be told what the mode is. hmmm.

            There is no difference between take off and go around modes other than the start point. It’s almost impossible to program in what a trained pilot handles seamlessly.

            Pilots in their brains shift into those various modes seamlessly.

            A human brain is the best processor around; it has to be trained, but once it is, it’s amazingly capable. If not trained, or not trained right and challenged in that training, no.

            But I have run into endless program failures as well that shut the system down for no known reason.

            Something like Synthetic Speed (to be put on the -10 and on the 787) is an assist to a system that does have its issues (pitot static)

            A pitot static system is amazingly sensitive and can be damaged by maintenance, bugs, dirt and ice-up, as seen.

            The AF447 failure was in part due to the system not dealing with the Thales problems, but it also showed fatal pilot shortcomings in training that had been slathered over by the same old same old.

            But speed loss is a known failure and it was trained to some degree (it’s one of those that should actually be Sim Time and test, and I believe all US and EU do that now).

            (note: There is a lot of training that is non sim; only the critical flight stuff should use limited Sim time wisely)

            Each layer of equipment adds more complexity. You still need Pitot if you have synthetic and you need to know Pitot failure if you have both.

            I have yet to see a rational explanation of why AOA was added to commercial aircraft. It is not used for anything (it’s a pretty gross measurement).

            Where its use is would be fighters. In air combat maneuvering (ACM), that is where its place is.

            Ergo, lots of fighter pilots became commercial airline pilots and they wanted the comfort of the AOA. I saw the complaints for a number of years.

            But if you look at what they do? It’s just another added stall indicator (which we had more than adequate before).

            It’s not used for cruise, descent or landing; the speeds, attitude indicator, rate of descent, altimeter etc. all are finer measurements, things AOA does not give (no pilot would fly to a 5 deg error in attitude; you use the Flight Display and down to probably one or half a degree)

            There are 3 pitots on an aircraft. The 737 has them; one feeds a completely independent backup system that displays out between the two pilots (too small in my view and wrong location, but it is there)

            And how far do you go? The vote 2 out of 3 is fine on paper, but when you lose 2? Which one do you believe? Yep, you have to revert to other instruments to determine what the aircraft is doing.

            So you lose the Synthetic and which one of your pitots is right? Where do you display them?

            And that in the end boils down to a pilot scanning the instruments and using the altimeter, turn and bank, the backup instrument, the Artificial Horizon (on the Flight Director), the Vertical Speed Indicator (another special instrument)

            Where do you put it all? There is only so much display space. And your glass cockpit, if it loses the display?

            While I could fly instruments with VSI and Turn and Bank (US fighter pilots only had that to start WWII), it was extremely hard as they were not nearly as good as the (AH) Artificial Horizon that presented your attitude in an easy format.

            But the AH can fail, so you need to be able to use the backups, actually more important as they are harder to use (the backup in an LCA has its own AH so that is easier, but it’s not in a good location either)

            The AH is on the FD and very accurate, as is the speed, VSI, altimeter etc. The Backup Display has all that in a smaller format, not so easy to read and not in front of you.

            There is a balance there. Yes you need the instruments, all of them except AOA.

            Synthetic speed is a good idea (needed modern computers) but your pilot still has to know how to deal with its loss and even loss of the other speeds.

            Properly trained pilots are the key along with good instrumentation and good automated logic.

            But when it all goes away, the pilot with the minimum of basic instruments can still fly the airplane.

            The controls and instruments if they fail cannot fly without the pilot.

        • I don’t think there is any science behind US laws that mandate a large sum of hours in smaller aircraft before moving on to regular passenger jets. Those laws seem to have been a distraction from the real cause of several serious crashes in the US, which is pilot fatigue, inadequate rest facilities etc.

          I will become on topic, but I’d like to mention the problems that happened in the AF 447 cockpit. Firstly: the decision not to route around bad weather; this indirectly caused the pitot static tubes to freeze. And secondly, that air crew just weren’t being trained to fly aircraft without air speed data. They understand the theory, but if subject to a real event at night flying at coffin corner it’s different. Too much to expect these men to react like they were seasoned Trident pilots who had done 50 night sorties in a Lancaster 20 years previously. There was also a breakdown in communication in the cockpit, with dual stick input nulling out the two pilots’ actions (despite alarms).

          In terms of certification, There is #1 big one: The Thales Prandle or pitot static air speed sensors. The aircraft had been certified with other brands and types. How were the new sensors certified and substituted? The anti freeze heating was clearly ineffective. How could that happen? Was the certification test inadequate?

          It seems other brands exceeded cortication tests by a large margin and so experienced no in service failures whereas the new one exceed them by narrow margin.

          The #2 in my opinion was the limitations of Airbuses otherwise triplicated architecture where the 3 pitot static sensors were of the same type often of the same brand and in the same medium so vulnerable to ‘common mode failures’ whereby all sensors fail at the same time in the same way. A diversity of sensors by addition of Honeywell and Goodyear was used to allow the A330 to keep flying in Thales equipped aircraft. The best solution is what Boeing has done to the MAX (borrowed from B787) which is to use synthetic air data. This is much better than an actual 3rd sensor. As AF447 stalled to the sea surface the alpha sensors were deactivated because without pitot static data no airflow was assumed over the sensors. There was valid speed, altitude data from the INS and GPS to allow those sensors to stay active and indeed to fly without any sensors.

          I think Airbus is going to be faced with updating its FBW system. Introducing Synthetic Air Data may be what they need to do. If they don’t do this and face the certification and training issues it raises they may end up painting themselves into a corner like Boeing did with the B737.
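The point made in the comment above about triplicated like-for-like sensors and common-mode failure is worth seeing in code. The following is an added example written for this page; it is not code from the commenter, from Airbus or from Boeing, and every reading, tolerance and wind figure in it is constructed for illustration. It shows a toy triple-modular-redundancy voter over three airspeed readings (names such as `pitot1` are hypothetical) that correctly discards one iced probe, but happily "agrees" when all three ice up the same way, and a diverse cross-check against a crude synthetic airspeed (assumed here to be ground speed plus headwind, a deliberate simplification of real synthetic air data) that is what actually catches the common-mode case.

```python
# Added example (not from the comment or from any Airbus/Boeing system): a toy
# triple-modular-redundancy (TMR) voter for three airspeed sensors, plus a
# diverse cross-check against a synthetic airspeed estimate. All readings,
# tolerances and wind values below are constructed for illustration only.
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Reading:
    source: str     # e.g. "pitot1"; the names are hypothetical
    value: float    # indicated airspeed in knots


def vote(readings: List[Reading], tolerance: float) -> Tuple[Optional[float], str]:
    """Mid-value-select vote over three like sensors.

    Returns (selected_value, status) where status is one of:
      "agree"       all three within `tolerance` of the median
      "one_outlier" exactly two agree; the odd one out is discarded
      "disagree"    no majority; the voter returns None
    A vote can only detect *independent* faults: if all three fail the same
    way (common mode), they still agree and the bad value is selected.
    """
    if len(readings) != 3:
        raise ValueError("TMR voter expects exactly three readings")
    values = [r.value for r in readings]
    m = median(values)
    agreeing = [v for v in values if abs(v - m) <= tolerance]
    if len(agreeing) == 3:
        return m, "agree"
    if len(agreeing) == 2:
        return median(agreeing), "one_outlier"
    return None, "disagree"


def synthetic_airspeed(ground_speed_kt: float, headwind_kt: float) -> float:
    """Crude airspeed estimate from a diverse source (inertial/GPS ground speed).

    Real synthetic air data fuses inertial, GPS, angle of attack, weight and
    thrust; this one-line model (airspeed = ground speed + headwind) is an
    assumption made to keep the example self-contained.
    """
    return ground_speed_kt + headwind_kt


def assess(readings, ground_speed_kt, headwind_kt, pitot_tol=10.0, cross_tol=20.0):
    """Combine the like-sensor vote with the diverse cross-check.

    `common_mode_suspect` is True when the voted value exists but sits more
    than `cross_tol` knots away from the independent estimate.
    """
    selected, status = vote(readings, pitot_tol)
    synth = synthetic_airspeed(ground_speed_kt, headwind_kt)
    common_mode_suspect = selected is not None and abs(selected - synth) > cross_tol
    return {
        "voted_airspeed": selected,
        "vote_status": status,
        "synthetic_airspeed": synth,
        "common_mode_suspect": common_mode_suspect,
    }


def run_scenarios():
    """Three constructed cruise scenarios (true airspeed ~275 kt, 25 kt headwind)."""
    gs, hw = 250.0, 25.0
    return {
        # all probes healthy: vote agrees, cross-check quiet
        "healthy": assess([Reading("pitot1", 275.0), Reading("pitot2", 274.0),
                           Reading("pitot3", 276.0)], gs, hw),
        # one probe iced: the vote discards it and the cross-check stays quiet
        "one_iced": assess([Reading("pitot1", 275.0), Reading("pitot2", 274.0),
                            Reading("pitot3", 120.0)], gs, hw),
        # all three iced the same way: the vote "agrees" on garbage; only the
        # diverse source reveals it
        "all_iced": assess([Reading("pitot1", 120.0), Reading("pitot2", 121.0),
                            Reading("pitot3", 119.0)], gs, hw),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:9s} -> {result}")
```

The design choice worth noting is that the voter and the cross-check answer different questions: the vote tolerates one independent fault, while the cross-check needs a source that does not share the failure mechanism (ice in a pitot tube) at all. Adding a fourth identical probe would not change the `all_iced` outcome; adding one diverse estimate does.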

          • William:

            The first thing to deal with is that there is a known and safe procedure for exactly the situation they faced. 85% thrust setting and 5 degrees up. That removes it from the so-called Coffin Corner.

            The FP failed to do that per his training.

            The FO failed to recognize he not only failed but what he had done.

            The PIC failed to assess and correct the whole issue when he got to the cockpit.

            I will totally disagree on the weather issue. While the simulation on TV had it as bad, it was not.

            And heated Pitots are heated for exactly the reason of freezing up. You cannot find routes A-B that do not have that possibility.

            If you cannot trust the engines to work or the pitots to heat you just don’t have a viable commercial system.

            Thales had an issue but there was standard training to deal with it.

            It was a System Failure that failed to recognize that people need to be trained in those emergencies and not waste take-off and landing sim time.

            It's possible that all airline pilots should also be sent up in a single-engine aircraft with an instructor and put through unusual attitudes several times a year.

            The pilots failed to execute per their training, but the training failed to show that the pilots would fail and it failed to correct that.

            And, if pilots can’t deal with unexpected situations, they should be removed.

          • “The best solution is what Boeing has done to the MAX (borrowed from B787) which is to use synthetic air data”.

            As far as I’m aware, this isn’t yet a “done deal” — Boeing is still only talking about it at present.

            On other points: returning to more manual flight would fly in the face of the trend in many/most other high-tech areas. Humans can suffer from fatigue, confusion and hubris, regardless of their level of experience: machines don’t suffer from these shortcomings. Remember that the KLM 747 captain who caused the Tenerife disaster in 1977 was one of the airline’s most experienced pilots: in this particular case, human arrogance/impatience appear to have been a weak link.
            And in the Asiana 777 crash in 2013, cultural intricacies of deference and hierarchy in the cockpit played a major role in the incident.

          • Bryce:

            And when your synthetic fails?

            While all the equipment has been developed and improved since the dawn of Aviation, a constant is, pilots need to be able to fly.

            So one-off slam-dunk answers to a problem simply reveal that you do not understand the systems. MCAS 1.0 was the trigger for the MAX crashes, but the inability of the Indonesian pilot to be able to transfer control to the FO while he worked the problem is also a factor.

            They have not developed a crashless drone yet. Look at Tesla and its one-dimensional playing field, not the 3 of aviation.

            I gather you never worked on machinery!

            You should be fully aware that things can and do fail. I made a living fixing that stuff. And if you don’t think there can’t be an intermittent in an electronics system you are fooling yourself. And it's every bit as bad as a fatigued pilot. There can and does.

            That is what we have pilots for, to deal with the situations that are beyond a rational level to program.

            The failure is in actually training pilots correctly. There has been major improvement in the US and EU in that regard.

            There was nothing unusual about a pitot failure and those pilots were trained in what to do.

            MCAS defensibly was out of training and I well understand the confusion that resulted.

            If both pilots in both crashes had full-on current US and EU training I think both could have been avoided. There were clues there to be worked with.

            That is not to blame the pilots, the failure was Boeing’s.

            In Indonesian case, a spare pilot did keep that flight from crashing.

            In the case of AF447, the PIC with 11,000 hours did not recognize what was going on.

            Synthetic speed is a good idea, pilots still have to know how to fly the aircraft.

            The system needs to research what works for that and then execute it in training.

          • Maybe it will be covered later in the series, but in addition to money, politics doth enter into decision making. The inferior de-icing Thales air data pitot tubes on the AF A330 were made in Europe. The Goodrich ones in Minnesota.

          • @ TW
            You’re the only one talking (or, actually, ranting) about pilotless flight.
            The rest of us are talking about adjusting/optimizing the degree of manual vs. automated flight: I haven’t seen any commenter advocating that we should have 100% of either.
            You evidently didn’t pick up on that subtlety (again).

          • Bryce:

            You are commenting in areas you clearly have no experience in. You don’t understand the comments because you don’t understand flying.

            I have it in both flying as well as programming control systems.

            The basis of it is a pilot that knows how to fly the aircraft when systems and program fail (they can and do)

            You think there is no penalty to adding a system but there is.

            One small change and the whole thing has increased in complexity. It also has to be displayed, backups have to shift and the final backup goes where? There is only so much panel space.

            The pilot then has to know and be trained in that added complexity.
            The MAX crashes are exactly the kind of failure that adding systems can entail.

            So no, I am not an advocate for full automation.

            I am also not an advocate to keep adding equipment on top of equipment.

            I am an advocate of good pilot training because that is the basis of ops as they exist today.

            Good pilots were flying aircraft long before there was automation.

            All the automation in the world does not make a good pilot.

            I will take a good pilot over all the automation in the world any day of the week.

            The reality is that its a blend of the two but the pilot comes first, the automation should assist the pilot, the pilot should not be dependent on automation.

    • > With all of the added complex systems being put into aircraft these days, we may need to bring back the flight engineer position. <

      I'll go with "should", rather than "may". With 100-450+ souls
      dependent on the flightcrew on every flight, three well-trained, intelligent persons in the cockpit seems a necessity to me.

      • We have had a history of crashes with flight engineers as well.

        At what point do you stuff 150 pilots into the airplane?

        Or, do you test and train your pilots so they don’t make those kinds of screw-ups?

        I will take 2 pilots who can fly over 3 who cannot (AF447 had 3 pilots in the cockpit in short time and they still went in).

        Only at the very end did the PIC finally get his head sorted and, oh, duh, 10,000 fpm down and nose up, we are stalled.

        That is so basic single-engine private aircraft training let alone commercial aircraft training (of which I have both).

        Or have the automation take care of it all, all you have to do is program the system to go to 85% thrust and 5 deg up attitude.

  3. Another interesting development relating to certification:
    “Airbus starts the structural assembly of its 1st A321XLR”

    “Airbus teams have reached a significant milestone in the making of the first A321XLR – production has started in Germany with the structural assembly of the Centre and Rear fuselages.
    The RCT, which is unique to the new long-range A321XLR, is a permanently installed high-capacity fuel tank that makes maximum volumetric use of the aircraft’s lower fuselage. Integrated in fuselage Sections 15 and 17 and located behind the main landing gear bay it holds up to 13,100 litres, which is more fuel than several Additional Centre Tanks (ACTs) combined could previously hold in the A321 aircraft Family.”

    Recently, BA voiced “concerns” about possible safety issues associated with use of a conformal RCT by Airbus. At the time, aviation analysts interpreted this as an early indicator of an attempt by BA to delay certification of the A321XLR so as to try to improve chances for its own NSA/NMA — a neat demonstration of how regulation is always interwoven with vested interests.

    It will be interesting to see what will happen if the A321XLR is certified by EASA but the FAA drags its feet. Will carriers in Asia/Africa/South America take it anyway, thus ignoring what the FAA has to say? After all, the Asia/Pacific region is currently ignoring what the FAA has to say regarding the MAX.

  4. If you measured airplane fatality rate per flight hour then they are worse than cars. 0.4 per 1m hours flown vs 0.17 per 1m hours driven.

    • It's fatalities per mile that really is the metric.

      A LCA travels 500 miles in an hour, a car travels 50 (average)

      And LCA carries 150 people per flight (very ugly average for comparison sake)

      A car carries maybe two people average.

      Conversely, a car wreck is not always fatal (speed, airbags, seat belts) and an air crash tends to be fatal (some exceptions but normally fatal).

      Its likely impossible to really calculate a comparison.

      Is a slow speed in town trip really comparable time wise to a long road trip via car.

  5. And another interesting development relating to certification:
    “Airbus to boost A220 jet’s range, newest operator says”

    “Airbus will go ahead with plans to increase the range of its smallest jet, the A220, its newest operator said, allowing airlines to open more niche routes internationally.
    The upgrade would require an extra fuel tank, which means Airbus would also have to increase the plane’s maximum take-off weight in order to preserve and then improve performance. Airbus has already announced some increases in that metric.
    “We need to get up to 4,000 (nautical) miles,” Neeleman said. The A220-300 currently flies about 3,400 nm (6,300 km).”

    • A 4000 nautical mile range is 7408km or 4603. Interesting to see what a ETOPS rated 4000NM A220 will do to the market. The entire US East Coast can get to Western Europe. Smaller city pairs will work. You can probably get from Richmond Virginia to Munich/Nuremberg and Prague as well as a multiple of smaller airports non stop. West Coast US to Siberia etc.

  6. Can’t comment inline, so-

    TW said: “..One small change and the whole thing has increased in complexity. It also has to be displayed , backups have to shift and the final backup goes where? There is only so much panel space..”

    Very true, though there are so many issues with these notions of full automation; how to handle the so-called ‘edge cases’, which
    in fact happen all the time..

    Another more philosophical one is what kind of goals- particularly social ones- are “we” working towards?

    If machines are doing all the work (they can’t, for now;
    and AI is just some eternally-redefined dream), what will
    we humans do? Will our overlords “allow” us to live if we’re
    not directly useful to them? Not an idle question, BTW.

    • While not as critical, hospitals deal with that alarm issue in that the equipment mfgs program every minor variation as an alarm.

      One Hospital finally formed a team to look at why all the monitors were yelling and screaming at them all the time.

      Upshot was they eliminated the ones that did nothing, made the parameters wider on the ones important but were catching short normal variations that had nothing to do with a crisis.

      They stopped 80% of them.

  7. Basic engineering common sense for BA employees, part 1:

    “In the wake of the electrical grounding problem that resulted in a five-week halt in deliveries of 737 MAXs and grounded more than 100 planes in service, Boeing technical leaders last week reminded engineers that design changes must be reviewed for their potential electrical impact.
    An internal memo notified design engineers of two potential safety pitfalls when they introduce a new automated machining process that can inadvertently interfere with electrical grounding of components on airplanes.”

    The memo points engineers to a Boeing Design Manual released March 18 specifically informing them that “requirements for electrical bonding and grounding will require a review by the appropriate program engineering functions.”
    That manual was published three weeks before Boeing told airlines and the Federal Aviation Administration about the MAX problem in early April.
    Boeing says the manual’s cautionary notification is unrelated to what happened on the MAX and the timing is coincidental.”

    • > Boeing technical leaders last week reminded engineers that design changes must be reviewed for their potential electrical impact. <

      When I first read the quoted bit I thought it was satire.

      Alas, it's not. [shakes head, sighs.]

  8. Tim Clark provides more embarrassing press for BA regarding the 777X:

    “Emirates president Sir Tim Clark has warned US plane manufacturer Boeing that the Dubai-based carrier will not accept any of the ordered 777X aeroplanes unless they are at 100 percent of what was agreed.
    Clark, who criticised Boeing for a history over “over-promising” on new aircraft, insisted they would not be accepting anything less than perfect from the new deliveries.
    “What I’ve said to Boeing is we will not accept an aeroplane unless it is performing 100 percent to contract, for the same reason they expect us to pay 100 percent to contract at delivery,” he said.
    “Unless it is doing what they said it would do, we will not take that aeroplane,” he added.
    According to the Boeing website, the 777X will deliver ten percent lower fuel use and emissions and ten percent lower operating costs than the competition. The 777-9 has seating for 426 passengers and a range of over 13,500km.”

    On FG, Clark was complaining that he hadn’t yet seen any engine performance data from BA, even though that data has been available to BA for a year now. He evidently smells a rat.
