New ARP4754B and ARP4761A

The up-issues have finally been released. See ARP4754B: Guidelines for Development of Civil Aircraft and Systems – SAE International and ARP4761A: Guidelines for Conducting the Safety Assessment Process on Civil Aircraft, Systems, and Equipment – SAE International.

New PRA Item: FAA Warning Issued, Further Serious Navigation Failures Reported

See FAA warning issued, further serious navigation failures reported – International Ops 2023 – OPSGROUP

The OPSGROUP has increased concerns over the situation:

  • Security risk: Navigation failures are occurring in close proximity to the Iranian border. One aircraft reported almost straying into Iranian airspace (Tehran FIR, OIIX) without a clearance. This area of the border is considered sensitive by Iran: there are two large missile bases just across the boundary: one at Kermanshah (a huge facility with dedicated anti-aircraft weapons), and another at Khorramabad. For context, Iran shot down a passenger aircraft in 2020 in Tehran (accidentally), and has been heard in September 2023 issuing warnings on 121.5 with threats to shoot down aircraft entering the FIR without a clearance.
  • The Navigation failures are severe. The second report above highlights how the crew had no option but to request radar vectors – all the way to their final destination. In many other reports, most aircraft have no reliable on board navigation, for periods of 20-30 minutes and in some cases an hour or more.
  • Compounding failures. Individually these incidents can mostly be resolved with the help of ATC. Consider however, an ATC comms failure, ATC radar failure, or an emergency situation: engine failure, decompression, or even a medical divert. The workload would quickly become extreme, and diverting at night (when most flights are transiting the area) without basic navigation capability is not a scenario we want to deal with.
  • Inadequate guidance for crews: Current FCOM/AOM procedures available to aircrew are insufficient to capably deal with this new GPS spoofing issue. Having been shown to be possible, there is potential for it to occur elsewhere in the world.

An intelligence brief from Dyami Intelligence Services, issued in response to Monday’s reports, adds information about this new form of GPS spoofing affecting aircraft: “The surge in GPS jamming and spoofing incidents within the Iraqi FIR, along with their widespread occurrences, strongly indicates the involvement of an airborne platform (UAV). In the past, Iran has successfully intercepted a drone by GPS spoofing. Spoofing provides an attack vector that enables control over the target UAV (aircraft) without compromising the flight control software or the command-and-control radio link. Furthermore, a GPS spoofing attack can be carried out by an attacker who is equipped with an RF transmitter that can be ground or airborne-based.”

EASA updates CM-SA-002 on “Flight Crew Human Factors Assumptions in Aircraft and System Safety Assessments”

This Certification Memorandum (CM) aims at stressing the importance of considering human factors (HF) in aircraft and system safety assessments for large aeroplanes, especially in frame of the classification of failure conditions identified using functional hazard assessments (FHAs) of the aircraft and system functions. It provides applicants with a structured HF process that may be used to confirm the assumptions made about the expected flight crew behaviours.

This CM focusses on flight crew HF aspects and more specifically on:

  • identifying and defining elements to complement AMC 25.1309, including cognitive aspects underlying the failure condition recognition, the elaboration of the diagnosis of the situation, and the flight crew response and post failure management,
  • establishing the criteria driving the level of scrutiny required to demonstrate the validity of the assumptions,
  • providing guidance for the selection of methods and means to be used to show compliance with the applicable certification specifications.

See Final Certification Memorandum ref. CM-SA-002 Issue 02 on “Flight Crew Human Factors Assumptions in Aircraft and System Safety Assessments” – Applicable to Large Aeroplanes | EASA (europa.eu)

GNSS Interference

Signals from the Global Navigation Satellite System (GNSS) are one of the main inputs used for aircraft positioning or time reference for Communication, Navigation and Surveillance functions on-board most of the Airbus aircraft.

Operators report an increasing number of events related to the loss of GNSS signals due to Radio Frequency Interference (RFI) during operations in some areas of the world.

This article explains the causes of RFI and the effects on the aircraft systems, and provides recommendations for flight and maintenance crews.

See GNSS Interference | Safety First (airbus.com)

NPRM impacting FAR 25.1309

The FAA proposes to amend certain airworthiness regulations to standardize the criteria for conducting safety assessments for systems, including flight controls and powerplants, installed on transport category airplanes. With this action, the FAA seeks to reduce risk associated with airplane accidents and incidents that have occurred in service, and reduce risk associated with new technology in flight control systems. The intended effect of this proposed action is to improve aviation safety by making system safety assessment (SSA) certification requirements more comprehensive and consistent.

See FAA Proposes Overhaul Of Airliner Certification – AVweb and Federal Register :: System Safety Assessments

FAA pushes Boeing to review safety documents on new 737 MAX model

See FAA Pushes Boeing to Review Safety Documents on New 737 MAX Model – WSJ

Federal air-safety regulators have asked Boeing Co. to launch a review of its safety paperwork for the 737 MAX 7, another setback for the plane maker’s push to win approval for the jet before a year-end legal deadline.

The Federal Aviation Administration is unable to review the company’s submissions “due to missing and incomplete information” related to cockpit crews’ potential reactions to catastrophic hazards, according to an Oct. 12 agency letter viewed by The Wall Street Journal. Plane makers must meet such hurdles before regulators clear jets to carry passengers.

The FAA’s request for a review covers system safety assessments for the 737 MAX 7, which is the shortest in Boeing’s family of the single-aisle jets, and which is awaiting regulatory approval to carry passengers. It comes after the agency recently said the aircraft was at risk of not being certified by a December deadline set by Congress following two fatal crashes of the 737 MAX 8, an earlier version of the jet.

A focus of air-safety legislation passed by Congress in 2020, which included the deadline, is so-called human factors engineering, which deals with how pilots respond to cockpit emergencies. The fatal 737 MAX 8 accidents involved a flawed Boeing assumption about how pilots would respond to a flight-control system’s misfire. The law would require MAX jets certified after the end of the year to receive a potentially costly and time-consuming cockpit overhaul.

Boeing said safety remains the driving factor in its effort to meet all regulatory requirements in certifying the 737 MAX 7. The company said being thorough and transparent with the FAA will continue to be a priority.

The FAA said the letter speaks for itself. Acting FAA Administrator Billy Nolen said at a press conference earlier this month that the agency wouldn’t approve the 737 MAX 7 and another MAX model for passenger service until it was satisfied.

“When we’ve got all the information we need, and not until then, we’ll certificate the airplane,” Mr. Nolen said. “We are working through it very purposefully, and when we get there, we get there.”

Southwest Airlines Co. is a major buyer of the 737 MAX 7 and has been planning to add the fuel-efficient jet to its fleet and retire older planes.

Boeing Chief Executive David Calhoun said on Sept. 15 that he expected the 737 MAX 7 would be certified by the year-end deadline. FAA officials later signaled the 737 MAX 7 was at risk of not meeting the year-end deadline.

Boeing has also been working to get the longer model of the jet, the 737 MAX 10, certified by the end of the year. Mr. Calhoun has said Boeing may have to consider canceling that model without a congressional extension. United Airlines Holdings Inc. and Delta Air Lines Inc. are among that model’s buyers.

The Oct. 12 FAA letter regarding the MAX 7 was signed by Ian Won, acting manager of the agency’s Boeing oversight office. It cites examples that, he wrote, show Boeing inadequately addressing pilots’ roles in certain cockpit emergencies, such as avoiding ignition of the plane’s fuel tanks.

 

 

What makes an outstanding system safety professional?

See What Makes an Outstanding System Safety Professional? – Blog of System Safety (jsystemsafety.com)

Most employment ads for system safety professions will list education, areas of expertise and years of experience as requirements. They may also require certain capabilities, such as strong communication skills (written and spoken), and an ability to navigate standard desktop tools such as word processing software. Some may even have the insight to ask for specific analytical skills or the ability to systematically address specific systems or processes. Advertisements for senior or management positions may add organizational or administrative skills to the list. Descriptions of openings for top-level positions may call for promotional skills that seem more appropriate for a “company cheerleader” than for the manager of a serious technical or analytical effort.

What makes an outstanding system safety professional goes beyond a desire to do our best and the possession of the kinds of technical knowledge and skills cited in the employment ads. There is a range of personal qualities that contribute to a higher and broader level of performance. These qualities, which make up our “System Safety Character,” are an important part of everything we do and must come to the forefront in crisis situations and in the making of key risk decisions. These include:

  1. The ability to recognize potential risks and safety issues:
  • A perspective and an imagination that identifies hazards, supported by an inventiveness that aids in the formulation of solutions
  • The ability and enough healthy skepticism to recognize issues with proposed solutions to safety issues and false closure logic
  • A thorough understanding of our risk analysis tools and the ability to apply them to real-life situations (which may require real-time solutions)
  • A clarity and depth of vision of the safety aspects of the total operation, understanding the program as a whole and the interrelationships of the individual components

2. The ability to identify an issue must be coupled with a willingness to speak out. For example, the safety personnel present at critical meetings while Columbia circled the earth during the STS-107 mission were dedicated, and they knew the related safety assessments. Yet the Columbia Accident Investigation Board (CAIB) Report criticized their performance, noting,

“… safety personnel were present but passive and did not serve as a channel for the voicing of concerns of dissenting views.” “Safety representatives attended meetings of the Debris Assessment Team, Mission Evaluation Room, and Mission Management Team, but were merely party to the analysis process and conclusions instead of an independent source of questions and challenges.”

[CAIB Report, vol. I, p. 170]

The CAIB also drew discomforting parallels to the “silent” role of a previous generation of safety professionals noted in the Rogers Commission report on the Challenger accident in 1986. Part of the willingness to speak up is the acceptance that this may require taking an unpopular stand, even to the point of nonconcurrence with a majority opinion.

3. Every outstanding practitioner exhibits certain leadership qualities:

  • The skill to “win over” others to their position, including the ability to present a position and defend it
  • A sense of teamwork that encourages inputs from all parties involved
  • The ability to focus on the issue and the search for the best solution
  • A sense of fairness, honesty and respect for opposing positions

4. A sense of responsibility that acknowledges the expectations of the customer (developer and/or user of the product):

  • Relentless pursuit of resolution of issues
  • Meticulous system analysis (including hazard identification and resolution)
  • Commitment to the role of safety advocate

5. The most overlooked quality in our system safety character is the ability to critically review our own performance. Successful self-assessment requires the application of all of our knowledge and skills. It requires an assessment of both the quality of the system safety effort (products and services) and how the effort is utilized. The CAIB Report observed that,

“Structure and process places Shuttle safety programs in the unenviable position of having to choose between rubber-stamping engineering analyses, technical efforts, and Shuttle program decisions, or trying to carry the day during a committee meeting in which the other side almost always has more information and analytic capability.”

[CAIB Report, vol. I, p. 187]

Clearly, this is not the kind of situation that leads to the best products or the most effective contribution to a program.

In short, we would submit that it takes more than dedication, knowledge, experience, special skills and even knowledge of the latest safety fight song. We would add system safety character, which includes a little common sense and a lot of true grit.


The authors, John Livingston and Chad Thrasher, are officers in the Tennessee Valley Chapter of the System Safety Society.

Trial for AF 447 crash 13 years ago

See Air France and Airbus on trial 13 years after Atlantic jet disaster | Reuters

More than 13 years after an Air France jet plunged into the Atlantic, killing all 228 people on board, the French carrier and Airbus go on trial in a Paris court next week.

After a two-year search for the A330’s black boxes, French investigators found pilots had mishandled the temporary loss of data from iced-up sensors and pushed the 205-tonne jet into an aerodynamic stall or freefall, without responding to alerts.

But the BEA accident agency also disclosed that Air France had expressed concerns about increased icing incidents before the crash and had started receiving improved speed probes. Experts say the relative roles of pilot or sensor error, as well as erratic displays or fatigue, will be key to the historic trial.

Monday’s opening hearing will mark the first time French companies have been directly placed on trial for “involuntary manslaughter” following an air crash, rather than individuals.

While corporate reputations and a long-awaited catharsis for families are at stake, the nine-week trial is not expected to lead to significant financial penalties. However, experts say larger sums have been paid in compensation or civil settlements.

The maximum fine for either company, if convicted of involuntary manslaughter, is just 225,000 euros ($220,612) or five times the maximum monetary penalty for an individual, who unlike a company can also face jail, according to French legal experts.

 

EASA Certification Memo: HF in the FHA

EASA issues CM ref CM-SA-002 Issue 01 on “Human Factors Considerations in Aircraft and System Functional Hazard Assessments”

This Certification Memorandum (CM) aims at stressing the importance of considering the Human Factors in Aircraft and System Functional Hazard Assessments for Large Aeroplanes. It provides applicants with a structured Human Factors methodology to validate the assumptions made about the expected flight crew behaviours, in the aircraft and system Functional Hazard Assessments (FHA).
This Certification Memorandum focusses on flight crew aspects and more specifically on:

  • identifying and defining the elements missing in the existing guidance material, incl. cognitive aspects
    underlying the failure condition recognition and the elaboration of the diagnosis of the situation,
  • establishing the criteria driving the level of scrutiny required to demonstrate the validity of these
    assumptions,
  • providing guidance in terms of acceptable methods and means to be developed for compliance with the
    regulations.

This CM thus impacts on your Means of Compliance to CS 25.1309(b) and CS 25.1309(c).

PRA: New 5G Frequencies Could Jam Critical Flight Instruments

A new hazard for our Particular Risk Analyses: Interference to RA operations can affect:
1. Autoland functions: This is particularly critical in low visibility auto approach like Cat II or III conditions. Pilots cannot conduct CAT II and III approaches if RA is malfunctioning.
2. EICAS/ECAM: Nuisance warning after take-off or during approach which will distract crew from their tasks at hand. This will lead to deterioration of operational safety levels.
3. False or missing GPWS alert: Anywhere in proximity to ground, this could inhibit some functionalities of the TAWS (Terrain Alerting Warning System) reactive modes, which would remove a safety net against CFIT (Controlled Flight Into Terrain). Additional distractions for crews from tasks at hand: “too low gear” and “too low flaps”, “don’t sink”, “terrain and pull up warning” and other alerts. A big concern is GPWS not triggering an alert when it should have done so because of interference, which can result in a CFIT event!
4. Unreliable instrument Indications: This could contribute to an increased number of hard landings because of errors in automatic altitude indications and voice announcements.
5. Abnormal behaviours in Automatic Flight Systems:
a. Autoland system
b. Flight Control Laws (e.g. failure to transition to Flare law resulting in a higher than expected pitch on the flare; Retard function, etc.)
c. Auto-throttle automatic stall protection.
d. Auto Speedbrake deployment

For information, see:
ICAO Problem Statement.
US 5G roll out ignores concerns for Air Transport safety