Net Safety Benefit

EASA issues Certification Memorandum in support of 25.1309. The purpose of this CM is to provide an approach to the demonstration of compliance to certain CS 23 and CS 27 specifications that is in line with reference standard guidance as adapted to installation of systems/equipment that provide operational safety benefit. This is achieved by introducing credits for systems or equipment that provide operational safety benefits in the determination of the Development Assurance Level (DAL).
The intent of the Net Safety Benefit policy is to facilitate the introduction of new, safety-enhancing technologies in the current fleets that have been shown to provide operational safety benefits to improve the overall safety performance of the operation.
See https://www.easa.europa.eu/sites/default/files/dfu/certification_memorandum_cm-sa-001_-_net_safety_benefit_-_issue_1.1.pdf

FAA files reveal a surprising threat to Airline Safety: The U.S. Military’s GPS Tests

Military tests that jam and spoof GPS signals are an accident waiting to happen (by Mark Harris)

Early one morning last May, a commercial airliner was approaching El Paso International Airport, in West Texas, when a warning popped up in the cockpit: “GPS Position Lost.” The pilot contacted the airline’s operations center and received a report that the U.S. Army’s White Sands Missile Range, in South Central New Mexico, was disrupting the GPS signal. “We knew then that it was not an aircraft GPS fault,” the pilot wrote later.

The pilot missed an approach on one runway due to high winds, then came around to try again. “We were forced to Runway 04 with a predawn landing with no access to [an instrument landing] with vertical guidance,” the pilot wrote. “Runway 04…has a high CFIT threat due to the climbing terrain in the local area.”

CFIT stands for “controlled flight into terrain,” and it is exactly as serious as it sounds. The pilot considered diverting to Albuquerque, 370 kilometers away, but eventually bit the bullet and tackled Runway 04 using only visual aids. The plane made it safely to the ground, but the pilot later logged the experience on NASA’s Aviation Safety Reporting System, a forum where pilots can anonymously share near misses and safety tips.

This is far from the most worrying ASRS report involving GPS jamming. In August 2018, a passenger aircraft in Idaho, flying in smoky conditions, reportedly suffered GPS interference from military tests and was saved from crashing into a mountain only by the last-minute intervention of an air traffic controller. “Loss of life can happen because air traffic control and a flight crew believe their equipment are working as intended, but are in fact leading them into the side of the mountain,” wrote the controller. “Had [we] not noticed, that flight crew and the passengers would be dead. I have no doubt.”

There are some 90 ASRS reports detailing GPS interference in the United States over the past eight years, the majority of which were filed in 2019 and 2020. Now IEEE Spectrum has new evidence that GPS disruption to commercial aviation is much more common than even the ASRS database suggests. Previously undisclosed Federal Aviation Administration (FAA) data for a few months in 2017 and 2018 detail hundreds of aircraft losing GPS reception in the vicinity of military tests. On a single day in March 2018, 21 aircraft reported GPS problems to air traffic controllers near Los Angeles. These included a medevac helicopter, several private planes, and a dozen commercial passenger jets. Some managed to keep flying normally; others required help from air traffic controllers. Five aircraft reported making unexpected turns or navigating off course. In all likelihood, there are many hundreds, possibly thousands, of such incidents each year nationwide, each one a potential accident. The vast majority of this disruption can be traced back to the U.S. military, which now routinely jams GPS signals over wide areas on an almost daily basis somewhere in the country.

The military is jamming GPS signals to develop its own defenses against GPS jamming. Ironically, though, the Pentagon’s efforts to safeguard its own troops and systems are putting the lives of civilian pilots, passengers, and crew at risk. In 2013, the military essentially admitted as much in a report, saying that “planned EA [electronic attack] testing occasionally causes interference to GPS based flight operations, and impacts the efficiency and economy of some aviation operations.”

In the early days of aviation, pilots would navigate using road maps in daylight and follow bonfires or searchlights after dark. By World War II, radio beacons had become common. From the late 1940s, ground stations began broadcasting omnidirectional VHF signals that planes could lock on to, while shorter-range systems indicated safe glide slopes to help pilots land. At their peak, in 2000, there were more than a thousand very high frequency (VHF) navigation stations in the United States. However, in areas with widely spaced stations, pilots were forced to take zigzag routes from one station to the next, and reception of the VHF signals could be hampered by nearby buildings and hills.

Everything changed with the advent of global navigation satellite systems (GNSS), first devised by the U.S. military in the 1960s. The arrival in the mid-1990s of the civilian version of the technology, called the Global Positioning System, meant that aircraft could navigate by satellite and take direct routes from point to point; GPS location and altitude data was also accurate enough to help them land.

The FAA is about halfway through its NextGen effort, which is intended to make flying safer and more efficient through a wholesale switch from ground-based navigation aids like radio beacons to a primarily satellite-enabled navigation system. Along with that switch, the agency began decommissioning VHF navigation stations a decade ago. The United States is now well on its way to having a minimal backup network of fewer than 600 ground stations.

Meanwhile, the reliance on GPS is changing the practice of flying and the habits of pilots. As GPS receivers have become cheaper, smaller, and more capable, they have become more common and more widely integrated. Most airplanes must now carry Automatic Dependent Surveillance-Broadcast (ADS-B) transponders, which use GPS to calculate and broadcast their altitude, heading, and speed. Private pilots use digital charts on tablet computers, while GPS data underpins autopilot and flight-management computers. Pilots should theoretically still be able to navigate, fly, and land without any GPS assistance at all, using legacy radio systems and visual aids. Commercial airlines, in particular, have a range of backup technologies at their disposal. But because GPS is so widespread and reliable, pilots are in danger of forgetting these manual techniques.

When an Airbus passenger jet suddenly lost GPS near Salt Lake City in June 2019, its pilot suffered “a fair amount of confusion,” according to the pilot’s ASRS report. “To say that my raw data navigation skills were lacking is an understatement! I’ve never done it on the Airbus and can’t remember having done it in 25 years or more.”

“I don’t blame pilots for getting a little addicted to GPS,” says Todd E. Humphreys, director of the Radionavigation Laboratory at the University of Texas at Austin. “When something works well 99.99 percent of the time, humans don’t do well in being vigilant for that 0.01 percent of the time that it doesn’t.”

Losing GPS completely is not the worst that can happen. It is far more dangerous when accurate GPS data is quietly replaced by misleading information. The ASRS database contains many accounts of pilots belatedly realizing that GPS-enabled autopilots had taken them many kilometers in the wrong direction, into forbidden military areas, or dangerously close to other aircraft.

In December 2012, an air traffic controller noticed that a westbound passenger jet near Reno, Nev., had veered 16 kilometers (10 miles) off course. The controller confirmed that military GPS jamming was to blame and gave new directions, but later noted: “If the pilot would have noticed they were off course before I did and corrected the course, it would have caused [the] aircraft to turn right into [an] opposite direction, eastbound [jet].”

So why is the military interfering so regularly with such a safety-critical system? Although most GPS receivers today are found in consumer smartphones, GPS was designed by the U.S. military, for the U.S. military. The Pentagon depends heavily on GPS to locate and navigate its aircraft, ships, tanks, and troops.

For such a vital resource, GPS is exceedingly vulnerable to attack. By the time GPS signals reach the ground, they are so faint they can be easily drowned out by interference, whether accidental or malicious. Building a basic electronic warfare setup to disrupt these weak signals is trivially easy, says Humphreys: “Detune the oscillator in a microwave oven and you’ve got a superpowerful jammer that works over many kilometers.” Illegal GPS jamming devices are widely available on the black market, some of them marketed to professional drivers who may want to avoid being tracked while working.

Other GNSS systems, such as Russia’s GLONASS, China’s BeiDou, and Europe’s Galileo constellations, use slightly different frequencies but have similar vulnerabilities, depending on exactly who is conducting the test or attack. In China, mysterious attacks have successfully “spoofed” ships with GPS receivers toward fake locations, while vessels relying on BeiDou reportedly remain unaffected. Similarly, GPS signals are regularly jammed in the eastern Mediterranean, Norway, and Finland, while the Galileo system is untargeted in the same attacks.

The Pentagon uses its more remote military bases, many in the American West, to test how its forces operate under GPS denial, and presumably to develop its own electronic warfare systems and countermeasures. The United States has carried out experiments in spoofing GPS signals on at least one occasion, during which it was reported to have taken great care not to affect civilian aircraft.

Despite this, many ASRS reports record GPS units delivering incorrect positions rather than failing altogether, but this can also happen when the satellite signals are degraded. Whatever the nature of its tests, the military’s GPS jamming can end up disrupting service for civilian users, particularly high-altitude commercial aircraft, even at a considerable distance.

The military issues Notices to Airmen (NOTAM) to warn pilots of upcoming tests. Many of these notices cover hundreds of thousands of square kilometers. There have been notices that warn of GPS disruption over all of Texas or even the entire American Southwest. Such a notice doesn’t mean that GPS service will be disrupted throughout the area, only that it might be disrupted. And that uncertainty creates its own problems.

In 2017, the FAA commissioned the nonprofit Radio Technical Commission for Aeronautics to look into the effects of intentional GPS interference on civilian aircraft. Its report, issued the following year by the RTCA’s GPS Interference Task Group, found that the number of military GPS tests had almost tripled from 2012 to 2017. Unsurprisingly, ASRS safety reports referencing GPS jamming are also on the rise. There were 38 such ASRS narratives in 2019—nearly a tenfold increase over 2018.

New internal FAA materials obtained by Spectrum from a member of the task group and not previously made public indicate that the ASRS accounts represent only the tip of the iceberg. The FAA data consists of pilots’ reports of GPS interference to the Los Angeles Air Route Traffic Control Center, one of 22 air traffic control centers in the United States. Controllers there oversee air traffic across central and Southern California, southern Nevada, southwestern Utah, western Arizona, and portions of the Pacific Ocean—areas heavily affected by military GPS testing.

This data includes 173 instances of lost or intermittent GPS during a six-month period of 2017 and another 60 over two months in early 2018. These reports are less detailed than those in the ASRS database, but they show aircraft flying off course, accidentally entering military airspace, being unable to maneuver, and losing their ability to navigate when close to other aircraft. Many pilots required the assistance of air traffic control to continue their flights. The affected aircraft included a pet rescue shuttle, a hot-air balloon, multiple medical flights, and many private planes and passenger jets.

In at least a handful of episodes, the loss of GPS was deemed an emergency. Pilots of five aircraft, including a Southwest Airlines flight from Las Vegas to Chicago, invoked the “stop buzzer,” a request routed through air traffic control for the military to immediately cease jamming. According to the Aircraft Owners and Pilots Association, pilots must use this phrase only when a safety-of-flight issue is encountered.

To be sure, many other instances in the FAA data were benign. In early March 2017, for example, Jim Yoder was flying a Cessna jet owned by entrepreneur and space tourist Dennis Tito between Las Vegas and Palm Springs, Calif., when both onboard GPS devices were jammed. “This is the only time I’ve ever had GPS go out, and it was interesting because I hadn’t thought about it really much,” Yoder told Spectrum. “I asked air traffic control what was going on and they were like, ‘I don’t really know.’ But we didn’t lose our ability to navigate, and I don’t think we ever got off course.”

Indeed, one of the RTCA task group’s conclusions was that the Notice to Airmen system was part of the problem: Most pilots who fly through affected areas experience no ill effects, causing some to simply ignore such warnings in the future.

“We call the NOTAMs ‘Chicken Little,’ ” says Rune Duke, who was cochair of the RTCA’s task group. “They say the sky is falling over large areas…and it’s not realistic. There are mountains and all kinds of things that would prevent GPS interference from making it 500 nautical miles [926 km] from where it is initiated.”

GPS interference can be affected by the terrain, aircraft altitude and attitude, direction of flight, angle to and distance from the center of the interference, equipment aboard the plane, and many other factors, concluded the task group, which included representatives of the FAA, airlines, pilots, aircraft manufacturers, and the U.S. military. One aircraft could lose all GPS reception, even as another one nearby is completely unaffected. One military test might pass unnoticed while another causes chaos in the skies.

This unreliability has consequences. In 2014, a passenger plane approaching El Paso had to abort its landing after losing GPS reception. “This is the first time in my flying career that I have experienced or even heard of GPS signal jamming,” wrote the pilot in an ASRS report. “Although it was in the NOTAMs, it still caught us by surprise as we really did not expect to lose all GPS signals at any point. It was a good thing the weather was good or this could have become a real issue.”

Sometimes air traffic controllers are as much in the dark as pilots. “They are the last line of defense,” Duke told Spectrum. “And in many cases, air traffic control was not even aware of the GPS interference taking place.”

The RTCA report made many recommendations. The Department of Defense could improve coordination with the FAA, and it could refrain from testing GPS during periods of high air traffic. The FAA could overhaul its data collection and analysis, match anecdotal reports with digital data, and improve documentation of adverse events. The NOTAM system could be made easier to interpret, with warnings that more accurately match the experiences of pilots and controllers.

Remarkably, until the report came out, the FAA had been instructing pilots to report GPS anomalies only when they needed assistance from air traffic control. “The data has been somewhat of a challenge because we’ve somewhat discouraged reporting,” says Duke. “This has led the FAA to believe it’s not been such a problem.”

NOTAMs now encourage pilots to report all GPS interference, but many of the RTCA’s other recommendations are languishing within the Office of Accident Investigation and Prevention at the FAA.

New developments are making the problem worse. The NextGen project is accelerating the move of commercial aviation to satellite-enabled navigation. Emerging autonomous air systems, such as drones and air taxis, will put even more weight on GPS’s shaky shoulders.

When any new aircraft is adopted, it risks posing new challenges to the system. The Embraer EMB-505 Phenom 300, for instance, entered service in 2009 and has since become the world’s best-selling light jet. In 2016, the FAA warned that if the Phenom 300 encountered an unreliable or unavailable GPS signal, it could enter a Dutch roll (named for a Dutch skating technique), a dangerous combination of wagging and rocking that could cause pilots to lose control. The FAA instructed Phenom 300 owners to avoid all areas of GPS interference.

As GPS assumes an ever more prominent role, the military is naturally taking a stronger interest in it. “Year over year, the military’s need for GPS interference-event testing has increased,” says Duke. “There was an increase again in 2019, partly because of counter-UAS [drone] activity. And they’re now doing GPS interference where they previously had not, like Michigan, Wisconsin, and the Dakotas, because it adds to the realism of any type of military training.”

So there are ever more GPS-jamming tests, more aircraft navigating by satellite, and more pilots utterly reliant on GPS. It is a feedback loop, and it constantly raises the chances that one of these near misses and stop buzzers will end in catastrophe.

When asked to comment, the FAA said it has established a resilient navigation and surveillance infrastructure to enable aircraft to continue safe operations during a GPS outage, including radio beacons and radars. It also noted that it and other agencies are working to create a long-term GPS backup solution that will provide position, navigation, and timing—again, to minimize the effects of a loss of GPS.

However, in a report to Congress in April 2020, the agency coordinating this effort, the U.S. Department of Homeland Security, wrote: “DHS recommends that responsibility for mitigating temporary GPS outages be the responsibility of the individual user and not the responsibility of the Federal Government.” In short, the problem of GPS interference is not going away.

In September 2019, the pilot of a small business jet reported experiencing jamming on a flight into New Mexico. He could hear that aircraft all around him were also affected, with some being forced to descend for safety. “Since the FAA is deprecating [ground-based radio aids], we are becoming dependent upon an unreliable navigation system,” wrote the pilot upon landing. “This extremely frequent [interference with] critical GPS navigation is a significant threat to aviation safety. This jamming has to end.”

The same pilot was jammed again on his way home.

This article appears in the February 2021 print issue as “Lost in Airspace.”

This article was updated on 21 January 2021.

New Safety Data Tool Available on FAA.gov Website

The Federal Aviation Administration (FAA) is making it easier to research aviation safety guidance material from the Office of Aviation Safety (AVS).

The Dynamic Regulatory System (DRS) combines more than 65 document types from more than a dozen different repositories into a single searchable application. This comprehensive knowledge center centralizes the FAA’s aviation safety guidance material from the Flight Standards Information System (FSIMS) and the agency’s Regulatory Guidance System (RGL).

Each guidance document includes a link to the Code of Federal Regulations provision on which the document is based. DRS contains more than 2 million regulatory guidance documents, which can be browsed or searched. A search engine allows for basic or advanced searches and different ways to sort and view the results. The system includes pending and current versions of all documents along with their revision history. Information in the DRS is updated every 24 hours.

Safety engineering changes at Boeing

The chief project engineer for Boeing’s 737 Max jet told House investigators that he approved a critical design change to software on the plane even though he was unaware of key details about how it worked or of a previous warning from a test pilot that if the system malfunctioned, the results could be “catastrophic.”
That was what happened in October 2018, and again the following March, when the software forced down the noses of two of the new planes in a way their pilots could not overcome, causing crashes that killed 346 people.
The engineer’s acknowledgment is one of several revelations contained in a new report released Wednesday by investigators from the House Transportation Committee. The document details myriad gaps in oversight that allowed federal regulators to certify that the plane was safe to fly even though officials at both Boeing and the Federal Aviation Administration did not fully understand how it was designed.

After months of delays by the FAA, the investigators in May were allowed to view a draft “oversight report” written months after the initial Max crash in Indonesia. The February 2019 draft report considered Boeing’s actions in the years before the deadly incident, and its conclusions shocked investigators. The FAA’s examination “did not reveal any noncompliance” by Boeing, according to the document, meaning that the company was found to have followed federal safety regulations even though the result was a flawed plane.
“That’s the bureaucratic word. It was ‘compliant.’ But the problem is it was compliant and not safe. And people died,” said Transportation Committee Chairman Peter A. DeFazio (D-Ore.). “Obviously, the system is inadequate.”

The final committee report on the Max offers the clearest indication yet that Boeing — or the unit tasked with overseeing the certification process on the FAA’s behalf — could have caught flaws in the Max’s flight-control system during the airplane’s design stage.
But it failed to act on concerns that were raised about the flawed Maneuvering Characteristics Augmentation System (MCAS), which was identified as a factor in both crashes. The Boeing employees were driven in part by what investigators concluded was pressure to get the new planes to customers quickly and without requiring their pilots to undergo extensive retraining — a goal symbolized by “countdown clocks” on the wall of a conference room, according to the report.

The House investigators concluded that the two crashes in less than five months “were the horrific culmination of a series of faulty technical assumptions by Boeing’s engineers, a lack of transparency on the part of Boeing’s management, and grossly insufficient oversight by the FAA.”
“The facts laid out in this report document a disturbing pattern of technical miscalculations and troubling management misjudgments made by Boeing,” investigators concluded. “It also illuminates numerous oversight lapses and accountability gaps by the FAA that played a significant role in the 737 MAX crashes.”

Investigators said Boeing had “multiple missed opportunities” that could have shifted “the trajectory of the Max’s design and development toward a safer course.” The FAA had a series of its own missed opportunities, the report concluded.
The two crashes are “clear evidence that the current regulatory system is fundamentally flawed and needs to be repaired,” investigators concluded.

FAA officials have testified that the agency has learned lessons from the crashes, and have defended the federal oversight system, saying it has helped produce a stellar safety record overall.

“These tragic accidents should not have happened,” FAA Administrator Stephen M. Dickson said in congressional testimony in June. “We continue to work tirelessly to see that the lessons learned from these accidents will result in a higher margin of safety for the aviation industry globally.” But the extent of the agency’s efforts to address its failures remains uncertain, and lawmakers in both the House and Senate are considering ways to strengthen the FAA’s oversight of Boeing and other aviation companies.
DeFazio said he is seeking bipartisan agreement in the House on legislative fixes to the oversight process, and talks are ongoing. The Senate Commerce Committee was scheduled to consider a bipartisan proposal at a meeting Wednesday, but it was pulled from the agenda as committee leaders continued to weigh amendments. Rep. Sam Graves (Mo.), the ranking Republican on the House Transportation Committee, and Rep. Garret Graves (La.), the ranking Republican on the aviation subcommittee, said they will continue to focus on “nonpartisan reports and investigations and the improvements they had identified.”

“Expert recommendations have already led to changes and reforms, with more to come,” the two members said in a statement. “These recommendations – not a partisan investigative report – should serve as the basis for Congressional action.”

Boeing, in a statement, said it cooperated “fully and extensively” with the committee’s inquiry. “We have been hard at work strengthening our safety culture and rebuilding trust with our customers, regulators, and the flying public,” spokesman Bradley N. Akubuiro said. “The passengers and crew on board Lion Air Flight 610 and Ethiopian Airlines Flight 302, as well as their loved ones, continue to be in our thoughts and prayers.”

Akubuiro noted that Boeing has incorporated many of the recommendations contained in previous reports from review committees, experts and governmental authorities, as well as from its own internal reviews, into the 737 Max and the overall aircraft design process. He said Boeing has set up a new safety organization within the company to “enhance and standardize safety practices” and has made internal changes designed to “give engineers a stronger voice and a more direct line to share concerns with top management.”

In addition, its board of directors now includes a permanent Aerospace Safety Committee, and it has expanded the role of the Safety Promotion Center. “The revised design of the MAX has received intensive internal and regulatory review, including more than 375,000 engineering and test hours and 1,300 test flights,” Akubuiro said. “Once the FAA and other regulators have determined the MAX can safely return to service, it will be one of the most thoroughly-scrutinized aircraft in history, and we have full confidence in its safety.”

The FAA said in a statement that it was “committed to continually advancing aviation safety and looks forward to working with the Committee to implement improvements identified in its report.
“We are already undertaking important initiatives based on what we have learned from our own internal reviews as well as independent reviews of the Lion Air and Ethiopian Airlines accidents. These initiatives are focused on advancing overall aviation safety by improving our organization, processes, and culture,” the agency said. The FAA said it has published a notice of a proposed rulemaking for an airworthiness directive “that will mandate a number of design changes to the Boeing 737 MAX before it returns to passenger service. The FAA continues to follow a thorough process, not a prescribed timeline, for returning the aircraft to service.”

The Max remains grounded by aviation authorities worldwide, but it is expected to be cleared to fly again in coming months, following an overhaul of the MCAS software. The process of ungrounding the planes moved ahead Monday when international regulators began meeting at London’s Gatwick Airport to review training requirements for Max pilots.

Michael Stumo, whose daughter Samya died in the second crash, said the report showed that recertification of the Max needed to be stopped. “The FAA and Boeing hid information before and are doing it again,” Stumo said in a statement, saying the victims’ families still did not have technical data on the fixes to the planes that they are seeking under the Freedom of Information Act.

The report draws from interviews with key Boeing executives, top FAA safety officials and others with knowledge of the crashes. Investigators wrote that even months after two fatal crashes, officials at Boeing and the FAA still refused to acknowledge problems with the approval process. “Despite the sweeping and substantive problems that have been identified by this Committee’s investigation as well as various other investigations, both Boeing and the FAA have suggested that the certification of the 737 MAX was compliant with FAA regulations,” investigators found.
The House report highlights the roles of senior Boeing and FAA officials in the development of the jet and responding to the crashes, outlining interviews with Michael Teal, the Max project engineer; Keith Leverkuhn, Boeing’s former general manager for the Max; and Ali Bahrami, the head of the FAA’s safety branch.
The report describes the Boeing officials as “extraordinarily reluctant to acknowledge any missteps or mistakes” and Bahrami as “unphased by many of the revelations that have deeply disturbed many aviation experts and engineers about the MAX.”

Source: https://www.washingtonpost.com/local/trafficandcommuting/boeing-737-max-crashes-were-horrific-culmination-of-errors-investigators-say/2020/09/16/72e5d226-f761-11ea-89e3-4b9efa36dc64_story.html

EASA updates fuel tank and system lightning protection requirements in CS25 Amm 26

See https://www.easa.europa.eu/document-library/agency-decisions/ed-decision-2020024r

SAE investigating System Safety standard for UAS

Automation plays a role in aviation safety for manned and unmanned aircraft systems (UAS). UAS rely heavily on automation through sensory feedback and direct manipulation of controls. Thanks to advancements in sensors, computation and control algorithms, the pace of UAS automation is accelerating, but human interaction still exists on both ends of the spectrum.

Any efforts on aerospace system design and safety assessments have likely been impacted by SAE’s S-18 Aircraft and Systems Development and Safety Assessment Committee, and its ARP4754: Guidelines for Development of Civil Aircraft and Systems and ARP4761: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. These two standards have been generally accepted by global aviation authorities for more than two decades as a means of compliance to rules for aerospace system design and safety assurance. ARP4754 provides recommendations for the safe development and design of aircraft and systems, taking into account aircraft functions and operating environments. ARP4761 presents guidelines for performing safety assessments of civil aircraft, systems, and equipment, particularly when addressing compliance with certification requirements.

These documents, along with a host of others currently published and in development, are widely accepted for manned aircraft. The proliferation of UAS has prompted the S-18 committee to identify shortcomings related to specific technical aspects needed for UAS development. To lead these efforts, S-18 established the S-18UAS Autonomy Working Group. The committee’s first document, AIR7121: Applicability of Existing Development Assurance and System Safety Practices to Unmanned Aircraft Systems, is intended to identify specific gaps in both ARP4754 and ARP4761 processes that affect UAS development and the domains where the gaps should be filled, and to provide a common understanding of the guidance needed to support development assurance and system safety for both developers and regulators.

The UAS industry is swift and dynamic, so the efforts of the S-18UAS working group are important to both industry and regulators for enabling safe UAS integration into the national and international airspace. These are global efforts, carried out jointly with EUROCAE WG-63 Complex Aircraft Systems on the SAE/EUROCAE documents ARP4754A/ED-79A and ARP4761/ED-135, along with the SG-1 Applicability of Existing Development Assurance and System Safety Practices to UAS and VTOL.

Source:

Planned 5G telecomms could interfere with Radar Altimeters.

Join RTCA and leaders of Special Committee 239 (SC-239) for a discussion on the planned 5G telecommunications system implementation that could interfere with Radar Altimeters. This will include a discussion on the potential risks to commercial transport airlines; business, regional, and general aviation airplanes; and both transport and general aviation helicopters. The presentation includes an overview of SC-239’s new white paper, Assessment of C-Band Mobile Telecommunications Interference Impact on Low Range Radar Altimeter Operations, which was written to address the potential consequences of interference events. The panel will address your questions and concerns in an interactive Q&A session. Panelists include committee co-chairs Jean-Luc Robin of Airbus and Seth Frick of Honeywell, and secretary Dr. Sai Kalyanaraman of Collins Aerospace.

Source: https://register.gotowebinar.com/register/5721352046688435472?source=Curt+Lewis+Blog

The nuts and bolts of safety

An article by Don Porter: https://www.flightglobal.com/flight-international/analysing-the-nuts-and-bolts-of-safety/141209.article

The Federal Aviation Administration (FAA) states that flying on US-based airlines is safe. But the agency equates “safety” with the occurrence of actual accidents – not “incidents” where mechanical issues could result in an accident. An aircraft with undetected maintenance problems is, in reality, unsafe.

It is a truism that a small event can lead to a massive incident. A single match can spark a forest fire that devastates a huge area. In aviation, a tiny nut, bolt or pin – or the absence thereof – can trigger an accident that kills hundreds of people.

Tragedies can result when small mistakes trigger a chain of events

That can be seen in the crashes that led to the grounding of the Boeing 737 Max. While the post-accident focus was rightly on the jet’s automated systems, many factors figured in the demise of the Indonesian and Ethiopian aircraft. But one fact is clear in each case: the deadly chain of events that killed, respectively, 189 and 157 people, began with the failure of a small angle of attack (AoA) sensor.

Max aircraft flew in excess of 10 million passengers between their first days in service in May 2017 and their grounding in March 2019. But they flew with hidden flaws. It took the failures of those AoA sensors – through poor overhaul or damage – to trigger an automatic, computer-driven chain of events that brought the jets down. Although millions of passengers had flown in Maxes without a single accident, the possibility for a crash existed during any one of those flights.

But this is not a new phenomenon. The National Transportation Safety Board’s archives are full of incidents which very nearly became fatal accidents. For example, on 6 November 2019, as a Republic Airways Embraer 175 climbed to 2,200ft, the plane’s nose rose abruptly. The captain clicked the autopilot/pitch trim disengage switch. There was no response. The co-pilot’s trim switch being functional, the crew was able to land after 15 harrowing minutes aloft. The cause: chafed wiring connecting the horizontal stabilizer trim actuator to the captain’s switch. Compounding the error, the switch had been installed upside down.

ABORTED TAKE-OFF
On 17 August 2015, the pilots of Allegiant Air flight 436, a Boeing MD-83, aborted take-off from Las Vegas due to a missing cotter pin in the elevator linkage. No-one was killed or injured, so the event was classified as a serious incident and not an accident. The jet had completed 216 uneventful flights after a mechanic forgot to install the pin. A bolt usually retained by the pin fell out, jamming the elevator. If the crew had continued the take-off, there’s little doubt the aircraft would have crashed, probably killing many of the 162 people aboard.

Here’s what the FAA safety inspector who investigated the incident wrote to his superiors: “I recommend that a sanction be added for each of the 216 flights that were flown… in an unairworthy condition.” But his bosses disagreed, and no punitive action was taken against the air carrier or its maintenance contractor.

One does not have to look too far back to see what might have been.

On 1 September 1961, TWA flight 529, a Lockheed L-049 Constellation, crashed four minutes after departing Chicago, killing all 78 people aboard. The cause: someone forgot to install a cotter pin on a nut. It caused the elevator controls to jam, making the aircraft uncontrollable.

Three weeks later, also in Chicago, a Northwest Airlines Lockheed L-188 Electra crash killed 37. The cause: a missing 2in (5cm) piece of safety wire in the aileron linkage that someone forgot to install.

To reiterate: 115 people died because a cotter pin and 2in of safety wire were missing.

Of course, all machines are susceptible to mechanical failure, and that applies to aviation whether the aircraft was built in 1950 or rolled off an assembly line this afternoon. No-one disputes that things can go wrong; that is why aviation’s rules and regulations are so prescriptive.

But until the industry establishes greater emphasis on a workplace culture committed to safety above all else, and applies that consistently across the globe, the existing safety margin that should protect flightcrews and billions of air travellers will continue to be eroded.

Don Porter is a former FAA-licensed mechanic, technical representative, and product support manager for a major aircraft manufacturer. He has investigated hundreds of mishaps, some ending in tragedies. His latest book, Flight Failure: Investigating the Nuts and Bolts of Air Disasters and Aviation Safety, is out now.

‘Grossly insufficient’: House report excoriates Boeing, FAA over mistakes that led to 737 Max crashes

From https://www.yahoo.com/news/grossly-insufficient-house-report-excoriates-090029704.html?guccounter=1

A cascade of false assumptions, mismanagement, rushed deadlines, miscommunication and outright deception led to the failure to catch the design flaws that led to two deadly crashes of Boeing’s now-grounded 737 Max jetliner, finds a congressional report released Wednesday. “Boeing failed in its design and development of the Max, and the Federal Aviation Agency failed in its oversight of Boeing and its certification of the aircraft,” concludes the House Transportation and Infrastructure Committee’s 238-page report on the jetliner.

The report pinpoints multiple times when engineers questioned the safety of features that went into the jet, only to have their concerns dismissed as lacking importance or as jeopardizing the development timeline or budget. Employees charged with keeping the FAA informed about those debates didn’t pass on that information to the agency.

Despite ample opportunities to have realized the plane’s deadly shortcomings, the 737 Max passed muster with both Boeing and the FAA, which labeled it “compliant” in certifying it as safe to go into service with many airlines in the U.S. and abroad. “The problem is it was ‘compliant’ and not safe – and people died,” Rep. Peter DeFazio, D-Ore., the committee’s chairman, said in a brief statement to reporters.

A 737 Max operated by Lion Air plunged into the Java Sea 13 minutes after takeoff in Indonesia in October 2018, taking 189 lives. Five months later, an Ethiopian Airlines jet with 157 passengers and crew augered into the earth six minutes into its flight from Addis Ababa. As similar circumstances in both crashes came to light, the 737 Max has remained grounded worldwide. The FAA and other global aviation safety agencies are reviewing Boeing’s improvements to decide whether to allow it to fly again.

Those improvements focus primarily on software changes in a new system added to the jet and blamed for the crashes. In both the fatal Lion Air and Ethiopian Airlines flights, pilots wrestled with the new computer system, the Maneuvering Characteristics Augmentation System, or MCAS, that wasn’t on previous versions of the 737.

FAA’s fix-it list for 737Max

Source:  https://www.engineering.com/AdvancedManufacturing/ArticleID/20579/More-Details-on-the-FAAs-Fix-It-List-for-the-737-MAX.aspx

The Federal Aviation Administration (FAA) has given Boeing preliminary approval for its proposed fixes for the troubled 737 MAX – along with an airworthiness directive that the plane maker must comply with if it wants its planes back in the air.

Updated Flight Control Software
The agency will require that Boeing install a software patch to the Maneuvering Characteristics Augmentation System (MCAS) that implements new safeguards. The patch significantly alters the reliability of data the MCAS receives, the parameters under which the system will activate, and how the MCAS performs once it’s been triggered.

The MCAS is an anti-stall measure intended to activate only when the plane is at low speed, under manual pilot control, climbing with the flaps up, and the system detects that the aircraft is angling too high and at risk of stalling.

However, on Ethiopian Airlines Flight 302 and Lion Air Flight 610, the MCAS software kicked in at the wrong time: when the aircraft were taking off under manual control. In these cases, the MCAS forced the planes downward because it assumed the aircraft were stalling – when in fact they were operating safely. All passengers and crew were lost on those tragic flights, and the global MAX fleet has been grounded since – for almost two years.

Under the FAA’s proposed changes, the MCAS would now be governed by new flight control software, and the software would use new rules that send commands to the aircraft’s flight control surfaces, such as flaps, based on input from sensors or pilot actions.

In the case of the two crashes, the MCAS received faulty information from an angle-of-attack (AOA) sensor that told the system the plane was stalling when it was not. The MCAS then overrode the system and overpowered the crew, pushing the planes’ noses down into fatal dives.

The new flight control software would contain the following four new measures to prevent such tragic occurrences from being repeated:

1) More Than One Angle-of-Attack Sensor
The FAA requires that the MCAS rely on at least two AOA sensors. Many commercial jets rely on multiple AOA sensors; but typically, a 737 MAX relies on only one. These sensors are vulnerable to damage and malfunction – from sources such as lightning, bird strikes, freezing and faulty installation.

In the case of the two downed planes, black box data indicated that each aircraft’s lone AOA sensor sent erroneously high input to the flight control system. This led the software to conclude that the planes were stalling, and triggered the MCAS – which repeatedly commanded the horizontal stabilizer to push the planes’ noses down.

Going forward, the flight control software would pull data from both sensors, significantly reducing the risk of a damaged sensor sending the wrong signal to the MCAS.

2) MCAS Disabled on Severe AOA Disagreement
To further strengthen the system against faulty AOA sensor readings, the updated flight control software would also compare the inputs from the two sensors to identify when a sensor is malfunctioning.

If the difference between the readings of the two sensors is above a certain threshold, the speed trim system – which includes the MCAS – would become disabled for the remainder of the flight. That threshold would be based on “the magnitude of the disagreement and the rate of change of the AOA sensor position values,” according to the FAA.

In addition, Boeing would be required to add an “AOA disagree” indicator in the cockpit to inform the flight crew of a potential sensor malfunction or failure. This should be a welcome addition for pilots: among other criticisms, Boeing has also been called out for not making an AOA disagree indicator light standard in the cockpit – a vital piece of information for a crew that was relying on a sole AOA sensor.

That indicator would have been even more important considering that Boeing had removed reference to the MCAS in its 737 MAX training materials, so many pilots – most notably the ones flying the downed aircraft – were not even aware that the MCAS existed.

3) One MCAS Activation per AOA Incident
The MCAS on board the Ethiopian Airlines and Lion Air planes were reacting to faulty sensor readings – and triggered repeatedly, which was too much for the pilots to handle. It appears that the pilots were briefly able to wrestle back some control of the aircraft – only to be overpowered by the MCAS activating again.

The new software would limit the MCAS to trigger only once during a high AOA incident – eliminating the repeated activations that contributed to the two crashes. This would allow the MCAS to properly carry out its original function as an emergency anti-stall measure.

It also means that, should the MCAS be overridden by either a faulty sensor reading, or activate during a genuine stall situation, the pilots will be unable to rely on the system for any further stall scenarios for the rest of the flight – they’ll have to handle it by themselves. But given the extensive training of most pilots, this seems like an acceptable consequence.

4) Less Aggressive MCAS When Triggered
Finally, should the MCAS kick in during a flight, its power would be significantly limited so that it can’t overpower the pilots.

The new software would keep a comparatively short leash on the MCAS, permitting it to activate and send signals to the flaps – while allowing the flight crew to retain pitch control, using the control column to maintain level flight, climb and descend. No longer would the anti-stall system be able to grab control of the aircraft away from the pilots: it would instead defer to their commands.
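The four measures above can be combined in one input monitor. The sketch below is an added illustration, not Boeing's or the FAA's code: every numeric limit, the trim units, the averaging of the two readings, and the rule that a new event can start once AOA falls back below a re-arm value are assumptions, since the article gives no figures.

```python
from dataclasses import dataclass

# All numeric limits below are assumed for illustration; the article gives none.
DISAGREE_DEG = 5.5      # max tolerated |left - right| AOA difference
MAX_RATE_DEG_S = 5.0    # max plausible AOA change rate per sensor
HIGH_AOA_DEG = 14.0     # activation threshold
REARM_AOA_DEG = 10.0    # AOA must fall below this before a new event can start
TRIM_PER_DEG = 0.5      # requested nose-down trim per degree above REARM_AOA_DEG
MAX_TRIM = 2.5          # authority cap on a single activation


@dataclass
class TrimMonitor:
    disabled: bool = False   # latched until end of flight
    fired: bool = False      # already activated in the current high-AOA event
    prev: tuple = None       # previous (left, right) sample

    def step(self, left, right, dt=1.0):
        """Return the nose-down trim command for one pair of AOA samples."""
        if self.disabled:
            return 0.0
        too_fast = self.prev is not None and any(
            abs(now - before) / dt > MAX_RATE_DEG_S
            for now, before in zip((left, right), self.prev))
        self.prev = (left, right)
        # Measures 1 and 2: compare both sensors; on disagreement latch off.
        if abs(left - right) > DISAGREE_DEG or too_fast:
            self.disabled = True      # would also drive the AOA DISAGREE alert
            return 0.0
        aoa = (left + right) / 2
        if aoa < REARM_AOA_DEG:
            self.fired = False        # event over, re-arm
            return 0.0
        # Measure 3: at most one activation per high-AOA event.
        if aoa >= HIGH_AOA_DEG and not self.fired:
            self.fired = True
            # Measure 4: clamp the command so the crew keeps pitch authority.
            return min(TRIM_PER_DEG * (aoa - REARM_AOA_DEG), MAX_TRIM)
        return 0.0


def run(trace):
    """Feed constructed (left, right) samples; return commands and latch state."""
    mon = TrimMonitor()
    return [mon.step(l, r) for l, r in trace], mon.disabled


# Constructed traces, one sample per second.
FAILED_VANE = [(4.0, 4.2), (4.1, 4.3), (60.0, 4.3), (60.0, 4.4), (4.2, 4.4)]
REAL_EVENTS = [(9.0, 9.4), (12.0, 12.2), (15.0, 15.4), (16.0, 16.2),
               (12.0, 12.0), (9.0, 9.0), (12.0, 12.0), (14.0, 14.0)]

if __name__ == "__main__":
    print(run(FAILED_VANE))
    print(run(REAL_EVENTS))
```

In the failed-vane trace the latch stays set even after the two readings agree again, which is the "disabled for the remainder of the flight" behaviour; a single untrusted input never reaches the actuator.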

… But Wait, There’s More

While the software is the main focus of the fixes, the FAA will require additional corrective measures. A revised flight manual – this one actually mentioning the MCAS – would be required for all 737 MAX operators to use. Each plane’s AOA sensors would need to be tested, and each aircraft would have to undergo an operational test flight before it can be brought back into service. And finally, the wiring for the jet’s horizontal stabilizers will need to be reconfigured to comply with FAA standards.

Lots on the Line

The crashes brought both Boeing and the FAA under intense global scrutiny and scathing criticism for their repeated oversights in designing, manufacturing and certifying the 737 MAX.

So a lot is riding on these proposed fixes: the airworthiness of one of the world’s most popular aircraft, Boeing’s reputation and bottom line, the legitimacy and authority of the FAA – and the confidence of travelers around the world. If the plane maker and the regulator don’t get this right, the consequences could be severe for both – and could cause more chaos in an aerospace market already reeling from the MAX’s grounding and the COVID-19 pandemic.

Boeing will have to make significant changes to its best-selling plane.

The FAA is accepting public comment on the proposed fixes for the MCAS until September 21, 2020. If recertification goes as anticipated, we could be seeing 737 MAXs take to the air again by Halloween … but global confidence in the MAX could take much, much longer to recover.