Latest News
Search   Next >>
SSA in rotorcraft
Too many airplane systems rely on too few sensors

"Sensors do fail, but even when that happens, automated systems can be safer and more efficient than human pilots. As flight becomes more automated and increasingly reliant on sensors, it is imperative that flight systems cross-check data from different sensor types, to safeguard against otherwise potentially fatal sensor faults"  See full article here:

Carlos Varela
Associate Professor of Computer Science, Rensselaer Polytechnic Institute


In test of 737Max, pilots had 40 seconds to fix error

A 737 Max 8 at Boeing's plant in Renton, Wash. In simulations of a suspected problem in the crash of a Max 8 in Indonesia last fall, pilots had just moments to disengage a faulty system.CreditCreditRuth Fremson/The New York Times

During flight simulations recreating the problems with the doomed Lion Air plane, pilots discovered that they had less than 40 seconds to override an automated system on Boeing's new jets and avert disaster.

The pilots tested a crisis situation similar to what investigators suspect went wrong in the Lion Air crash in Indonesia last fall. In the tests, a single sensor failed, triggering software designed to help prevent a stall.

Once that happened, the pilots had just moments to disengage the system and avoid an unrecoverable nose dive of the Boeing 737 Max, according to two people involved in the testing in recent days. Although the investigations are continuing, the automated system,known as MCAS, is a focus of authorities trying to determine what went wrong in the Lion Air disaster in October and the Ethiopian Airlines crash of the same Boeing model this month.

The software, as originally designed and explained, left little room for error. Those involved in the testing hadn't fully understood just how powerful the system was until they flew the plane on a 737 Max simulator, according to the two people.

Compounding the flaws, pilots received limited training about the system before the first crash. During the final minutes, the captain of the Lion Air flight flipped through a technical manual trying to figure out what was happening.

In a tacit acknowledgment of the system's problems, Boeing is expected to propose a software update that would give pilots more control over the system and make it less likely to trigger erroneously, according to three people, who spoke on the condition ofanonymity to describe the private meetings.

There are common procedures in place to counteract MCAS, as currently designed. If the system starts pushing the plane's nose down, pilots can reverse the movement via a switch at their thumb, a typical reaction in that situation. In doing so, they can potentiallyextend the 40-second window, giving them more time to avoid a crash.

To fully neutralize the system, pilots would need to flip two more switches. That would shut off the electricity to a motor that allows the system to push the plane toward the ground. Then the pilots would need to crank a wheel to correct whatever problemshad emerged.

The pilots, in the simulations, followed such procedures to successfully shut off the system and land safely. But they did so with a far better understanding of how it worked and prior knowledge that it would be triggered - benefits that the pilots of the fatal737 Max crashes did not have.

If pilots don't act hastily enough, attempts to disable the system can be too late. In the Lion Air crash, pilots used the thumb switch more than two dozen times to try to override the system. The system kept engaging nonetheless, most likely because of badreadings from a sensor, until the plane crashed into the Java Sea, killing all 189 people on board.

John Cox, an aviation safety consultant and a former 737 pilot, said pilots are highly likely to use the thumb switch to extend the 40-second window to several minutes. But that may still not be enough time to diagnose and solve the problem, especially if thepilots, like the Lion Air crew, were not informed of the system.

"There is a limited window to solve this problem, and this crew didn't even know that this system existed," he said.

A Boeing spokesman said that existing procedures for flying the 737 Max include how to respond to similar conditions. The spokesman added that Boeing had reinforced those procedures in a bulletin to pilots after the Lion Air crash.

"Our proposed software update incorporates additional limits and safeguards to the system and reduces crew workload," the spokesman said in a statement.

The new software system was designed to be a safety feature, operating in the background to help avoid a stall. Taking data from a sensor, the system would engage if the nose of the jet was too high. It would then push down the nose of the plane to keep itfrom stalling.

The planes flew in similar erratic patterns, suggesting to experts that an automated system might have malfunctioned on both flights.

In the current design, the system engages for 10 seconds at a time, with five-second pauses in between. Under conditions similar to the Lion Air flight, three engagements over just 40 seconds, including pauses, would send the plane into an unrecoverable dive,the two people involved in the testing said.

That conclusion agreed with a separate analysis by the American Airlines pilots' union, which examined available data about the system, said Michael Michaelis, the union's top safety official.

One of the people involved in the training said MCAS was surprisingly powerful once tested in the simulator. Another person found the system controllable because it was expected. Before the Lion Air crash, Boeing and regulators agreed that pilots didn't needto be alerted to the new system, and training was minimal.

At least some of the simulator flights happened on Saturday in Renton, Wash., where the 737 Max is built. Pilots from five airlines - American, United, Southwest, Copa and Fly Dubai - took turns testing how the Max would have responded with the software runningas it was originally written, and with the updated version, known as 12.1.

In the simulations running the updated software, MCAS engaged, though less aggressively and persistently, and the pilots were also able to control the planes.

Boeing's software update would require the system to rely on two sensors, rather than just one, and would not be triggered if the sensors disagreed by a certain amount, according to the three people. Given that the 737 Max has had both sensors already, manypilots and safety officials have questioned why the system was designed to rely on a single sensor, creating, in effect, one point of failure.

The update would also limit the system to engaging just once in most cases. And it would prevent the system from pushing the plane's nose down more than a pilot could counteract by pulling up on the controls, the three people said.

In conversations with pilots and airline officials over the weekend, Boeing executives didn't directly address why MCAS was designed with such flaws, one person with direct knowledge of the meetings said. Instead, the company stayed focused on the softwareupdated, the person said.

The software changes still require approval by the Federal Aviation Administration. Pilots' unions have said they are comfortable with the proposed changes but want to review them before making a decision. Pilots will be required to complete a training on theupdated system on their iPads.


Boeing fix will prevent repeated activation of anti-stall system

SEATTLE/LONDON, March 25 (Reuters) - A Boeing Co software fix for the grounded 737 MAX will prevent repeated operation of an anti-stall system at the centre of safety concerns and deactivate it altogether if two sensors disagree widely, two people familiar with pilot briefings said.

The anti-stall system - known as MCAS, or Maneuvering Characteristics Augmentation System - has been pinpointed by investigators probing October's fatal Lion Air crash and faces new scrutiny in the wake of another fatal accident in Ethiopia.

Those accidents, which killed nearly 350 people, triggered the worldwide grounding of Boeing's flagship 737 MAX aircraft and ignited a debate over the proper balance between man and machine in piloting the latest version of the 50-year-old 737.

The MAX has bigger engines, mounted further forward, which can force the plane's nose higher, threatening a stall. MCAS was designed to counter this but some experts say it overcompensated and the latest changes give some authority back to the pilot.

Airline briefings on the software upgrade, which is designed to address the situation faced by pilots of the doomed Lion Air jet last October, started on Saturday.

Pilots have been told that the MCAS system - which forces the nose downwards to avoid a stall, or loss of lift - will only operate one time for each event rather than impose repeated corrections like those believed to have pushed the Lion Air jet into a dive, the two people familiar with the briefings said.

Additionally, MCAS will be disabled whenever two sensors that measure the 'angle of attack' - a parameter that determines how close a plane is to an aerodynamic stall - differ too much.

"Otherwise it would be garbage in, garbage out," a third person familiar with the briefings said.

This is a change from the previous set-up which only linked MCAS to one sensor at a time, ignoring the other, and which may have resulted in a single point of failure on Lion Air 610.

The pilot will be able to deduce that MCAS is no longer working in the background because the system will show a warning message labelled "AOA disagree", indicating the two sensors are producing values that differ by an excessive margin.
Previously the "AOA disagree" warning would not have halted the MCAS software because the system was designed to focus on either the left or right sensor, alternating between flights. It was oblivious to whether readings from the sensors were aligned.
Boeing said on Monday its software patch would incorporate more than one angle of attack input, limit trim commands and limit authority but gave few details.
"We've been working diligently and in close cooperation with the FAA on the software update. We are taking a comprehensive and careful approach to design, develop and test the software that will ultimately lead to certification," a statement said.

The change sheds light on Boeing's previously reported decision to make the warning light a standard feature, since the change in flight control laws now makes it indispensable.

The third person said Boeing would need to give pilots in their training a full explanation of what the fix is and why it is being implemented. Both the software fix and the training have to be approved by the Federal Aviation Administration.

Other methods for holding the nose of the aircraft in the right position, known as manual or electric trim, are unchanged as is the ability to cut out the automated trim system altogether using a standard step-by-step checklist.

Boeing has previously said that existing crew procedures, which include using a pair of cut-out switches, would have addressed a condition known as a stabilizer trim runaway and by doing so, automatically deal with any problem with MCAS.

But it has faced criticism for designing a system that potentially out-runs the ability of pilots to recover by repeatedly forcing the nose down using hefty forces, as the pilots in the doomed Lion Air flight experienced. (

(Reporting by Eric M. Johnson in Seattle, Tim Hepher in London, Allison Lampert in Montreal; Editing by Lisa Shumaker

Opinion: The Time Is Ripe For Live Flight Data Streaming

The fallout from two fatal Boeing 737-8 accidents in five months, still in its early stages, is likely to be substantial. Changes to the 737 MAX are in the works, though the seeds for the much-needed flight-control upgrades were sown following last October’s Lion Air Flight 610 (JT610) accident. Certification processes could change as well. Will regulators delegate less to industry? And to what degree will a regulator accept a fellow agency’s technical analysis rather than verify for itself that a foreign-made article meets its local standards?
Simply put, many are demanding more certainty.
The way the MAX was grounded was a marked departure from past airline accidents, when the U.S. FAA and sister agencies around the world worked in coordination and did not rush to judgment. But within 24 hr. of the Ethiopian Airlines Flight 302 (ET302) crash, regulators and operators, wary of two 737-8 accidents in such a short period of time, began banning MAX flight operations. The little data available from ET302 was not enough to link it to JT610, but the pressure to act first and validate later was significant. The fleet was grounded more than two full days before the ET302 flight data recorder (FDR) information was downloaded.
Public support of the grounding was overwhelming, and many in the industry, from union members to some operators, lauded the proactive move. The FAA—the last regulator to issue a MAX operations ban as it held out for more information, preferably from the ET302 flight data recorder—was seen as a dinosaur. Reports suggest that the White House, not technical experts, made the final call.
That is disturbing.
The desire to play it safe is understandable, but the air transport industry’s steadily improving fatal accident rate is not the result of hedging bets. It is driven by a deliberate, data-driven approach to risk analysis. The process takes time, however, which is something that a public increasingly expecting instant answers may no longer be willing to accept. When the next air transport aircraft goes down, will the public accept a wait-and-see approach?

Credit: Boeing/Leo Dejillas
It turns out that it may not have to—and data-driven safety experts might not have to compromise much, either.
A path to a middle ground is being blazed based on work that stems from the disappearance of Malaysia Airlines Flight 370 in 2014 and Air France Flight 447 in 2009. The most widely discussed resulting changes from those two accidents are new International Civil Aviation Organization standards for tracking aircraft, included in Amendment 40 to ICAO Annex 6. But Amendment 40 includes another element that could ultimately prove to be more useful: timely access to flight data.
Airlines could meet the ICAO standard, which goes into effect in 2021, by streaming FDR data while in flight. And providers of the necessary hardware, software and communications services are teaming up to offer timely flight data to operators. On Boeing’s most recent EcoDemonstrator trials, for example, data streamed from the Fed-Ex 777F used in the tests offered a live snapshot of the aircraft’s activity, plus a 20-min. buffer of data both before and after the so-called triggering event, such as an abrupt altitude change.
The data stream also was used to create a live, graphical depiction of what the aircraft was doing, complete with key flight deck instruments, visible to participants on the ground. The tests, which utilized the Inmarsat and Iridium global satellite networks, included a dedicated microphone that captured and off-loaded cockpit sounds, too.
Widely implementing triggered flight data would require resolution of some issues such as: What triggers the system? Which parameters are streamed? Where does the data go? How would access to it be managed? And, critically, how can the information be kept secure? But none of these are insurmountable.
If the FAA and other regulators had had access to ET302 data, the grounding scenario would have been different. If it could have been confirmed that the causes of the ET302 and JT610 accidents were similar, as now seems to be the case, MAX aircraft would have been parked quickly and with justifiable data to support the move. This would have satisfied both the public’s concern and the safety community’s insistence on reasonable, measured actions.
Making a call on whether to ground an aircraft based on a brief look at FDR data may not be ideal. But it is far more reasonable than making the call without it

Safety Analysis for a flight control system on the MAX was flawed
EASA issues CRD 2014-02: Specific risk and standardised criteria for conducting aeroplane-level saf

This Comment-Response Document (CRD) contains the comments received on Notice of Proposed Amendment (NPA) 2014-02 (published on 27 January 2014) and the responses provided to them by the European Aviation Safety Agency (EASA). It also contains the draft resulting CS-25 text. Compared to the NPA 2014-02 proposal, several changes have been made to the proposed CS/AMC 25.1309 (system safety assessment) and CS/AMC 25.671 (flight control systems) to clarify various elements based on the comments received while keeping the main elements of the NPA proposal. Some provisions have also been added to address controllability during ditching with no engine power. Concerning the changes to the domain of structure, the proposed amendments to CS 25.629(b), AMC 25.629 and Appendix K are withdrawn; however, the proposed amendments to CS 25.629(d) are maintained. Finally, the proposed amendments concerning reversing systems in CS/AMC 25.933 are maintained. Stakeholders are invited to review the draft resulting text (Appendix B) and provide their reactions, if any. EASA will then prepare the next amendment of CS-25, taking into account the reactions received, if any.


RTCA Is No Longer an FAA Advisory Committee

Work Largely Continues as Group Becomes a Standards Development Organization

RTCA, which for decades has developed standards and worked through technical challenges at the behest of the Federal Aviation Administration, is no longer a Federal Advisory Committee (FAC) for the agency.

The FAA declined to renew its contract with RTCA and will instead take over some of what RTCA was doing - though, for now, the changes will be limited.

RTCA is now an independent Standards Development Organization (SDO) though it continues to work with the FAA using nearly the same RTCA committee structure it has for years. The group will also continue working with EUROCAE, its European counterpart, to develop joint standards.

"Mindful of the FAA's desire to continue without interruption, the production of high-quality standards and guidance materials, RTCA is committed to a seamless transition," saidRTCA President Margaret Jenny in a prepared statement.

Indeed, most everything will continue as it has before and aviation officials will still be represented at the meetings.

"The FAA will still request standards from us," Jenny told Inside GNSS. "They've still indicated that they will be invoking them as a means of compliance. So the thing that changes is that where we would have had a government person on every committee called a designated federal official - that's required for a federal advisory committee - they would just become more of a liaison to the committees. Their intention is to stay involved so that part really doesn't change."

One distinct change is that the Drone Advisory Committee and the NextGen Advisory Committee will be managed by the FAA, at least until a contractor can be found to handle day-to-day operations - a contractor that could potentially be RTCA.

"The NACand DAC have new charters as stand-alone FACs," the FAA said in a statement sent to Inside GNSS."They are identical and intact as they are today.They will still be administered by RTCA or another vendor.They will be working on the same issues.All the benefits of these two advisory councils are still in place and valued."

Given the effort to maintain stability it is not entirely clear what prompted FAA to drop its advisory committee arrangement with RTCA, which has been in place since 1976. Two sources who requested anonymity to be able to discuss the matter believed that it was fueled by a desire within the administration to cut the total number of advisory committees.

"What we were told is that the Department of Transportation was doing a thorough review of all their federal advisory committees to determine whether they needed to stay in place," Jenny said. "When they looked at RTCA, we are a little bit unique in that we are a utilized Federal Advisory Committee and all we were told was they determined that they would prefer to have it run by the FAA as opposed to an outside entity."

A utilized advisory committee is where an organization outside of government runs the FAC.

The shift is entirely not without potential consequences. It may cause something of a delay in the work of both the Drone and NextGen groups. The FAA cannot issue new tasking statements for the two groups until 15 days after Federal Register notice of the new groups being chartered (launched). The notices for each group appeared May 31.

Though the shift may be causing some confusion the next meetings for the two panels are supposed to proceed on the same day though there might be changes in location. The FAA will advise committee members.

There is at least one other potential consequence as well. RTCA, as a more independent body, will now be able to work on standards at the behest of industry. In fact industry-requested standards could be an opportunity for RTCA to grow, Jenny said.

"So we could do those kinds of things without FAA requests," she said. "We would just make sure that, number one, they (they requestors) had multiple companies and number two, anything we do as a standards organization will be compliant with all U.S. antitrust laws."

If industry did seek a standard there likely would still be FAA involvement, she said.

"We would typically talk to the FAA about whether they would invoke it," Jenny explained, "and then we would make a decision with our industry members on whether we felt we should go ahead and start a voluntary standard that they would use for compliance or use, basically, to make sure that they're building according to the standards."

Wake Turbulence

The European Aviation Safety Agency has published safety information bulletin SIB 2017-10 to remind pilots and air traffic controllers about the risks associated with wake turbulence encounters at high altitude and applicable precautionary measures. “With the increase in overall volume of air traffic and enhanced navigation precision, wake turbulence encounters in the en route phase of flight have progressively become more frequent in the last few years,” the bulletin said.

The document comes just six months after a Bombardier Challenger 604 at FL340 was severely damaged and its occupants injured when it encountered wake turbulence 12 nm from an Airbus 380 that had passed overhead in the opposite direction at FL350. As the bulletin noted, the so-called “heavy” and “super heavy” aircraft—such as the Airbus 340 and 380 and Boeing 747—are more prone to generate stronger vortices, although there is also potential from other large aircraft types.

Considering the high operating airspeeds in cruise and the standard 1,000-foot vertical separation in RVSM airspace, EASA said that wake can be encountered up to 25 nm behind the generating airplane, but “the most significant encounters are reported within a distance of 15 nm.” The bulletin concludes with illustrations that show various scenarios of wake turbulence encounters and recommended avoidance techniques.


EASA says airlines' tech ban may compromise safety

Europe's aviation regulator voiced concern on Wednesday over the risk of battery fires in the cargo holds of passenger planes after U.S. and British authorities banned certain electronics from passenger cabins despite U.S. assurances that its agency had been thoroughly briefed on the proper handling of electronics.

The European Aviation Safety Agency, which is responsible for safe flying in 32 countries, said personal electronic devices (PED) carried a fire risk due to their lithium batteries and should preferably be carried inside passenger cabins so that any problems could be identified and dealt with.

In regard to the European agency's concerns, the U.S. Transportation Safety Administration said it had "coordinated closely with the FAA" (Federal Aviation Administration) on the logistics of the ban and that the agency had provided information to airlines regarding appropriate handling of electronics and lithium batteries.

The European agency, however, warned in a bulletin: "When the carriage of PEDs in the cabin is not allowed, it leads to a significant increase of the number of PEDs in the cargo compartment. Certain precautions should therefore be observed to mitigate the risk of accidental fire in the cargo hold."

Computers in checked baggage must be completely switched off and "well protected from accidental activation," it added.

The Cologne, Germany-based agency issued its guidance two weeks after the United States and Britain banned gadgets larger than a smartphone from passenger cabins on flights from certain countries because of security concerns.

The European safety recommendation is not mandatory, but is likely to rekindle a debate about the new rules, which some airline chiefs have criticized as inconsistent or ineffective.

A group representing 38,000 European pilots said last week it was "seriously concerned" about the ban, on the grounds that it could create new safety risks.

"With current airplane cargo hold fire suppression systems, it might prove to be impossible to extinguish a lithium battery fire in the cargo hold, especially when the batteries are stored together. Therefore, any event of this nature during flight would more than likely be catastrophic," the European Cockpit Association said.

It is not the first time regulators have called for personal devices to be carried in the cabin, but possibly the first time such measures have clashed so directly with security considerations.

In 2015, international regulators urged airlines to transport lithium-powered hoverboards in the cabin following reports of the popular devices catching fire. Several airlines went even further and banned them altogether, but travel experts say such a draconian ban on computers would carry little support from the industry or its lucrative business travelers.


Security experts say the decision to place electronics into checked bags on U.S.-bound flights from eight Middle East or North African countries suggests Washington has intelligence that enough material can now be packed into a laptop, usually disguised as its battery, to cause catastrophic damage.

Placing such objects in checked baggage would expose them to greater screening for explosives and reduce the chances that a hidden bomb could be deliberately placed next to the cabin wall.

France has been studying whether and how to apply similar restrictions on cabin baggage, security sources say.

Last year, a suspected suicide bomber tried to blow up a Somali jetliner as it was taking off from Mogadishu by placing a computer bomb near the window. He was sucked out of the jet without causing it to crash, but the incident focused attention on the threat of bombs hidden inside ordinary-looking gadgets.

Reuters last month reported that the rules banning many items from passenger cabins on U.S.- and Britain-bound flights would, however, force a rethink on fire safety concerns now that they were being consigned to the hold.

EASA's warning highlights the struggle to juggle rules on safety with increasingly stringent security protections and the wider risk that rules to solve one problem can lead to another.

FACT BOX European guidelines on carrying computers on airplanes
The FAA says such "unintended effects" are one of the common themes it has identified in its database on lessons learned from past crashes.

"The recent laptop ban on certain routes to the USA has brought into sharp relief exactly this challenge," said UK-based aviation consultant John Strickland.

"Simply taking items powered by lithium batteries and stashing them in the hold is not an option unless done with sufficient attention to safety," he added.

Safety regulators have focused for years on the growing headache caused by temperamental lithium-ion batteries.

In 2015, the FAA told airlines not to let passengers pack extra lithium-ion batteries inside their checked baggage.

Airlines had already been alerted to the risk of carrying large shipments of lithium batteries as cargo after a UPS Boeing 747 cargo jet crashed in 2010, killing both crew.

But current FAA advice suggests it has fewer concerns than its European counterpart about the threat of fires from batteries already installed in individual passenger's devices.

Integrating SMSs: Dutch safety probe urges more collaboration

An investigation by Dutch aviation safety officials found that all aviation stakeholders need to work closer together to maintain high safety levels at the international airport.

While it found no evidence to suggest that safety at Schiphol is inadequate, the investigation did reveal a number of safety risks that need to be tackled and Michiel van Dorst, chief executive of Air Traffic Control the Netherlands (LVNL), said the recommendations are in line with a number of initiatives already started by the air navigation service provider.

He cited the training of air traffic controllers and the development of systems that, for example, give the air traffic controller in the tower an additional warning when an aircraft makes a go-around.

In the current situation, aviation stakeholders each have their own certified safety management system. The Dutch Safety Board advised better cooperation between the parties from these sectors, with the Schiphol Safety Platform having an important role in this regard. LVNL said it embraced this recommendation and, together with KLM and Schiphol Group, has already begun investigating the advantages of a coordinating, integrated safety system.

"This would put Schiphol in the lead worldwide," said Van Dorst. "You need to keep looking at your own organisation, but also at how you can be more effective together. Aviation is the safest form of travel. This is a status we must keep earning. That is why this report contributes so much, in our opinion."

The Dutch Safety Board also noted that further growth of Schiphol will require more than marginal adjustments to the existing policy."This calls for a fundamental debate on the future of aviation in the Netherlands and on the options and limitations regarding Schiphol's further growth," it said.

In a statement, Dutch flag carrier KLM called the DSB report 'beneficial'. "Safety is our top priority. For this reason, KLM has implemented a progressive, state-of-the-art safety management system. All operational choices made at KLM are assessed within this system, thereby ensuring that safety is our priority under all circumstances."

"KLM shares the opinion of the DSB that safety at and around Schiphol of a high standard. KLM feels that the recommendations issued by the DSB provide a firm foundation for further improvement of the safety management system. KLM will closely scrutinise the study and looks forward to working with Air Traffic Control the Netherlands and Amsterdam Airport Schiphol to further improve safety standards."

The Dutch State has final responsibility for the integral safety of air traffic at and around the airport.

EASA aims to fine-tune safety-risk analysis


Forty years after the worst accident in civil aviation history, European authorities are transitioning to a new method of assessing safety risk.

Safety performance has typically been monitored through the blunt tool of counting accidents and serious incidents.

But the European Aviation Safety Agency states that this method is "not a good risk measure".

In a preliminary safety review covering 2016 the authority says the accident rate of European-operated commercial air transport has been broadly downwards since 2012, to around three per million flights.

The overall number of accidents last year, 18, was the lowest figure for a decade but, in contrast, the number of serious incidents, more than 100, was the highest in the same period.

"This increase was mainly attributable to occurrences relating to technical failures of aircraft systems, medical, runway excursion and loss of separation," says EASA.

EASA says a new common risk-classification scheme due for implementation this year will "provide a better picture" of safety risks.

The scheme emerged from a European Union directive requiring development, by May 2017, of a mechanism by which necessary rapid action could be identified through analysis of individual safety occurrences.

"Such a scheme should help the relevant entities in their assessment of occurrences and in determining where best to focus their efforts," the directive states.

IATA states that the commercial airline industry's accident rate declined to 1.61 per million flights last year, from the previous level of 1.79.

It released its accident statistics days before the 40th anniversary of the Boeing 747 runway collision in Tenerife in March 1977, which resulted in over 580 fatalities and remains the highest-casualty accident in civil aviation history.

The major jet accident rate increased slightly to 0.39, one of the parameters in which the association acknowledges the industry took a "step back".

But the relative rarity of accidents means that the statistics are easily skewed by individual occurrences, highlighting the need for a more finely-tuned method of analysis.

The European scheme is intended to collate occurrence reports in a format which will facilitate information exchange.

EASA says: "The scheme will help to shift the focus to the probable potential harm of identified hazards to the European aviation system instead of directly measuring the severity of a realised outcome."

Aviation industry in standoff over making 'black boxes' deployable and able to share data faster

Two possible technology updates are deployable recorders, with transmitters for easier location from crash sites, and streaming data devices

A Malay couple watch Malaysia Airlines aircraft at Kuala Lumpur International airport on Jan. 23. Malaysia Airlines Flight 370 went missing in March 2014 while traveling from Kuala Lumpur to Beijing with 239 passengers aboard.


Three years after Malaysia Airlines Flight 370's unresolved disappearance sparked efforts to implement new flight-data recorder technology, the global aviation community is deadlocked over the best way to ensure investigators will have timely access to vital clues in future crashes.

Technical, marketing and jurisdictional disputes-pitting Boeing Co. and U.S. regulators against Airbus Group SE and European authorities-have blocked consensus over prospective changes to today's "black boxes" that help unravel accidents.

The most prominent disagreement involves "deployable" recorders, devices designed to capture real-time flight data and cockpit conversations, just as damage-resistant black-box recorders do.

But while conventional black boxes are intended to be recovered from wreckage, the alternative devices, already used in a broad range of military jets and helicopters world-wide, are designed to be jettisoned automatically prior to impact and to float.

Airbus AIR, -0.14% and other proponents say that supplementing current systems with deployable technology would lead to easier searches, with features including built-in emergency transmitters that can pinpoint locations on the surface of water.

In the opposing camp, Boeing's BA, -0.12% position is that the deployable technology is unnecessary partly because there are so few crashes of big jets, and the recorders are expensive to maintain and potentially hazardous if ejected by mistake. The disagreement has played out in various forums, both in public and private. Federal Aviation Administration officials say it is hard to justify the costs of deployable recorders versus the safety benefits.


EASA rulemaking task (RMT.0049) on CS25.1309

Design improvements may limit the probability of technical failures. With 45 % of fatal accidents involving some sort of technical failures during the past 10 years, this is both a major accident outcome and a precursor of other types of accident.  This statement is coming from EASA's Annual Safety Review 2016. It does not necessarily mean that the technical failure was the direct cause of the accidents, but that a system component failure was identified in the sequence of events of 1 of the 5 fatal accidents in CAT Aeroplanes during the past 10 years (out of a total of 11). This could be an engine failure, an avionics system failure or some other recoverable technical failure. The cause of the accident is usually the result of a combination of circumstances and events that can only be understood after reading the investigation report.

Specific analysis work is ongoing to identify the systemic safety issues that may be present in the domains of airworthiness, maintenance and production. Non-accident data will be used for the analysis

RMT.0049:   Specific risk and standardised criteria for conducting aeroplane-level safety assessments of critical systems
To define a standardised criterion for conducting aeroplane-level safety assessment of specific risks that encompasses all critical aeroplane systems on large aeroplanes (i.e. in particular update AMC to CS 25.1309), based on the results of the Aviation Rulemaking Advisory Committee (ARAC) Airplane-level Safety Analysis Working Group (ASAWG).
In addition, to amend AMC 25.1309 taking into account the latest updates of industry documents, such as ED79A/ARP4754A.
To update CS 25.671 on safety assessment of flight control systems, based on the results of the ARAC Flight Controls Harmonisation Working Group (FCHWG).
For both objectives, harmonisation with the FAA, the Transport Canada Civil Aviation (TCCA) and Agência Nacional de Aviação Civil (ANAC) will be ensured as much as possible.

A decision is expected during Q4 of 2018. See NPA for more details:


NPA 2016-15: Instructions for continued airworthiness: certification maintenance requirements


This NPA proposes amendments to CS 25.1309, CS-25 Appendix H, and AMC 25-19 in order to improve the guidance material in relation to CMRs.

EASA to update CS25.1309

To define a standardised criterion for conducting aeroplane-level safety assessment of specific risks that encompasses all critical aeroplane systems on large aeroplanes (i.e. in particular update AMC to CS 25.1309), based on the results of the Aviation Rulemaking Advisory Committee (ARAC) Airplane-level Safety Analysis Working Group (ASAWG).
In addition, to amend AMC 25.1309 taking into account the latest updates of industry documents, such as ED79A/ARP4754A.
To update CS 25.671 on safety assessment of flight control systems, based on the results of the ARAC Flight Controls Harmonisation Working Group (FCHWG).
For both objectives, harmonisation with the FAA, the Transport Canada Civil Aviation (TCCA) and Agência Nacional de Aviação Civil (ANAC) will be ensured as much as possible.
Affected stakeholders:  DAHs
Start: 2010
Next deliverable: CRD/2017

BREXIT: The impacts on the aviation regulatory regime
Pitot Tube problems receiving ongoing scrutiny

Pitot probe vulnerability is again receiving scrutiny from regulators following detailed reports on two inflight emergencies traced back to the systems.

The first, involving a United Airlines Boeing 757 descending into Dublin in October 2013, was chronicled in a recent issue of this magazine (AW&ST May 23, p. 32). The report by Irish investigators cited two probable causes: A temporary blockage of the right main pitot tube due to icing, leading to an inaccurate low-airspeed indication on the first officer's display and the crew's non-standard response to the low-airspeed reading. The Irish Air Accident Investigation Unit's report included eight recommendations, including for the FAA to "study whether a safety deficiency exists in pitot probe icing protection" for aircraft certified before January 2015, when enhanced certification standards went into effect. Those changes were triggered in part by the investigation into the June 2009 Air France Flight 447 accident, which determined that inconsistent airspeed readings between the captain's and first officer's displays started the chain of events that led to an aerodynamic stall.

A month after the United incident, industrious mud-dauber wasps took less than 3 hr. to build a nest in the pilot's-side pitot probe of an Etihad Airways Airbus A330 on the ground at Brisbane Airport in Australia, triggering a series of troubling events, an Australian investigation found. The undetected blockage of mud resulted in an aborted takeoff that was followed by an inconclusive troubleshooting effort by maintenance technicians and a second takeoff for Singapore. That departure was quickly followed by a Mayday call by the pilots, who promptly returned to Brisbane. Several organizations affected by the incident instituted changes based on the investigation, an Australian Transport Safety Bureau's (ATSB) report explained. The airport instituted multiple operational changes, Airbus modified its maintenance troubleshooting manual, and Etihad began requiring ground crews to install pitot probe covers at Brisbane "irrespective of ground time."

Investigators determined that the nest blocked the captain's pitot tube, resulting in a red "speed flag" display on the avionics as the aircraft accelerated through 50 kt. on the first takeoff attempt. Per standard operating procedures (SOP), the captain rejected the takeoff. The A330 has three open-face pitot tubes-a captain's probe, first officer's probe and standby probe-on the underside of the fuselage near the nose, devices that measure ram air pressure that is converted to airspeed readings by the avionics.

Maintenance technicians relied on two procedures in the A330 troubleshooting manual (TSM), neither of which identified the pitot probe as a possible root cause for the airspeed indication problem. The ATSB noted that Airbus had sent out a service letter to operators prior to the incident, linking airspeed discrepancies to potential pitot probe problems. The airframer in October 2014 updated the TSM to include the additional information.

The A330 was cleared for departure after a few minor avionics configuration changes, but the captain's airspeed indicator again failed during the takeoff run, this time at a speed where SOPs called for continuing the takeoff. The ATSB questioned the captain's recollection that the airspeed failed after "V1" (151 kt.), the speed at which crews are advised to continue the takeoff, noting that the flight data recorder information showed that the failure flag should have appeared after reaching 50 kt.

Once airborne, the sensor issues caused the A330's fly-by-wire flight control logic to revert to alternate law and various slat and flap warnings occurred. The pilots declared an emergency and landed at Brisbane at an aircraft weight of approximately 200 metric tons, 18 heavier than the A330s 182-metric-ton maximum landing weight.

UAV: New system helps aircraft automatically avoid mid-air collisions

A research effort associated with DARPA's Aircrew Labor In-Cockpit Automation System (ALIAS) program recently conducted the first successful flight tests of a shoebox-sized, plug-and-play system designed to enable manned and unmanned aircraft to automatically detect and avoid potential mid-air collisions. An unmanned air vehicle (UAV) repeatedly used the technology demonstration system to detect and track in real time a Cessna 172G aircraft approaching from various vertical and horizontal distances.

See image here

See video here.

An unmanned air vehicle (UAV) repeatedly used the technology demonstration system to detect and track in real time a Cessna 172G aircraft approaching from various vertical and horizontal distances.

The integrated sense-and-avoid (SAA) system includes a single optical camera that provides imagery for detection and tracking. The system also incorporates passive ranging features that assess the likelihood of an incoming aircraft intersecting the flight path of its host aircraft, and collision-avoidance capabilities to determine the best way to steer the host aircraft out of harm's way.

The work is part of a DARPA effort to create a low-cost, easily installed system to detect oncoming or crossing aircraft and determine the best avoidance strategy compliant with standard rules that set minimum vertical and lateral distances between aircraft during flight.

"This successful flight test is a step toward adding external perception to ALIAS' toolkit for advancing in-flight automation," Dan Patt, "What pilot wouldn't want to set a box on their dashboard that would provide an additional pair of eyes to alert of potential collisions? This SAA system has the potential to enable a wide range of manned and unmanned systems to safely integrate into an increasingly populated and complex airspace."

DARPA has been developing this capability over the past two years and put the technology demonstration system through extensive preliminary testing before the recent flight tests, which evaluated only detection and tracking. Based on the success of those flights, DARPA is planning another phase of the effort, which includes joint funding from the U.S. Air Force Research Laboratory (AFRL).

This follow-on research would shrink the system size; further test the ranging and collision-avoidance features; mature additional capabilities of the system such as detecting aircraft below the horizon and in poor light conditions; and improve calculations for optimal aircraft trajectories to avert impending collision.

The system could ultimately serve as a line of defense in future layered air-traffic management systems that could include Automatic Dependent Surveillance-Broadcast (ADS-B) transponders and ground-based radar systems that are part of the federal NextGen effort. There is particular potential applicability for unmanned air systems or aircraft with reduced crew sizes.

The ALIAS program envisions a tailorable, drop-in, removable kit that would enable high levels of automation in existing aircraft and facilitate reduced need for onboard crew.

The program intends to leverage the considerable advances that have been made in aircraft automation systems over the past 50 years, as well as the advances that have been made in remotely piloted aircraft technologies, to help shift and refocus pilot workloads, augment mission performance and improve aircraft safety.

Boeing, FAA warn 787 pilots of bad airspeed data

Boeing 787 pilots are being warned not to make sudden control inputs in response to a "sudden, unrealistic" drop in airspeed shown on cockpit displays.

The US Federal Aviation Administration (FAA) will adopt an airworthiness directive on 1 April requiring 787-8 and 787-9 operators to update the flight manual with the warning message.

The FAA accelerated the release of the airworthiness directive, bypassing the normal rulemaking process to make operators adopt the change as quickly as possible.

Boeing made an identical recommendation to 787 operators on 4 March, which the FAA directive will make mandatory.

The fleet has made three reports of displayed airspeed plunging significantly below actual airspeed, the FAA says. In each case, the 787 was flying in conditions involving significant water ingestion and possibly icing of two of the three pitot tubes feeding speed and altitude information to the air data system.

The FAA and Boeing are continuing to investigate the cause of the erroneous displayed speed changes.

In one case, the pilot reacted to the inaccurate data by commanding a "significant" nose-down dive, over-riding the auto-pilot in the process.

Boeing and the FAA are concerned that a pilot might command a dive that exceeds the structural limits of the 787, as a response to erroneous information from the air data system.

While the cause of the erroneous data is being investigated, 787 operators must update the manual to instruct pilots to not apply "large, abrupt control column inputs" in response to an "unrealistic" drop in displayed airspeed.

See also

Search   Next >>