FAA files reveal a surprising threat to Airline Safety: The U.S. Military’s GPS Tests

FAA files reveal a surprising threat to Airline Safety: The U.S. Military’s GPS Tests

Military tests that jam and spoof GPS signals are an accident waiting to happen (by Mark Harris)

Early one morning last May, a commercial airliner was approaching El Paso International Airport, in West Texas, when a warning popped up in the cockpit: “GPS Position Lost.” The pilot contacted the airline’s operations center and received a report that the U.S. Army’s White Sands Missile Range, in South Central New Mexico, was disrupting the GPS signal. “We knew then that it was not an aircraft GPS fault,” the pilot wrote later.

The pilot missed an approach on one runway due to high winds, then came around to try again. “We were forced to Runway 04 with a predawn landing with no access to [an instrument landing] with vertical guidance,” the pilot wrote. “Runway 04…has a high CFIT threat due to the climbing terrain in the local area.”

CFIT stands for “controlled flight into terrain,” and it is exactly as serious as it sounds. The pilot considered diverting to Albuquerque, 370 kilometers away, but eventually bit the bullet and tackled Runway 04 using only visual aids. The plane made it safely to the ground, but the pilot later logged the experience on NASA’s Aviation Safety Reporting System, a forum where pilots can anonymously share near misses and safety tips.

This is far from the most worrying ASRS report involving GPS jamming. In August 2018, a passenger aircraft in Idaho, flying in smoky conditions, reportedly suffered GPS interference from military tests and was saved from crashing into a mountain only by the last-minute intervention of an air traffic controller. “Loss of life can happen because air traffic control and a flight crew believe their equipment are working as intended, but are in fact leading them into the side of the mountain,” wrote the controller. “Had [we] not noticed, that flight crew and the passengers would be dead. I have no doubt.”

There are some 90 ASRS reports detailing GPS interference in the United States over the past eight years, the majority of which were filed in 2019 and 2020. Now IEEE Spectrum has new evidence that GPS disruption to commercial aviation is much more common than even the ASRS database suggests. Previously undisclosed Federal Aviation Administration (FAA) data for a few months in 2017 and 2018 detail hundreds of aircraft losing GPS reception in the vicinity of military tests. On a single day in March 2018, 21 aircraft reported GPS problems to air traffic controllers near Los Angeles. These included a medevac helicopter, several private planes, and a dozen commercial passenger jets. Some managed to keep flying normally; others required help from air traffic controllers. Five aircraft reported making unexpected turns or navigating off course. In all likelihood, there are many hundreds, possibly thousands, of such incidents each year nationwide, each one a potential accident. The vast majority of this disruption can be traced back to the U.S. military, which now routinely jams GPS signals over wide areas on an almost daily basis somewhere in the country.

The military is jamming GPS signals to develop its own defenses against GPS jamming. Ironically, though, the Pentagon’s efforts to safeguard its own troops and systems are putting the lives of civilian pilots, passengers, and crew at risk. In 2013, the military essentially admitted as much in a report, saying that “planned EA [electronic attack] testing occasionally causes interference to GPS based flight operations, and impacts the efficiency and economy of some aviation operations.”

In the early days of aviation, pilots would navigate using road maps in daylight and follow bonfires or searchlights after dark. By World War II, radio beacons had become common. From the late 1940s, ground stations began broadcasting omnidirectional VHF signals that planes could lock on to, while shorter-range systems indicated safe glide slopes to help pilots land. At their peak, in 2000, there were more than a thousand very high frequency (VHF) navigation stations in the United States. However, in areas with widely spaced stations, pilots were forced to take zigzag routes from one station to the next, and reception of the VHF signals could be hampered by nearby buildings and hills.

Everything changed with the advent of global navigation satellite systems (GNSS), first devised by the U.S. military in the 1960s. The arrival in the mid-1990s of the civilian version of the technology, called the Global Positioning System, meant that aircraft could navigate by satellite and take direct routes from point to point; GPS location and altitude data was also accurate enough to help them land.

The FAA is about halfway through its NextGen effort, which is intended to make flying safer and more efficient through a wholesale switch from ground-based navigation aids like radio beacons to a primarily satellite-enabled navigation system. Along with that switch, the agency began decommissioning VHF navigation stations a decade ago. The United States is now well on its way to having a minimal backup network of fewer than 600 ground stations.

Meanwhile, the reliance on GPS is changing the practice of flying and the habits of pilots. As GPS receivers have become cheaper, smaller, and more capable, they have become more common and more widely integrated. Most airplanes must now carry Automatic Dependent Surveillance-Broadcast (ADS-B) transponders, which use GPS to calculate and broadcast their altitude, heading, and speed. Private pilots use digital charts on tablet computers, while GPS data underpins autopilot and flight-management computers. Pilots should theoretically still be able to navigate, fly, and land without any GPS assistance at all, using legacy radio systems and visual aids. Commercial airlines, in particular, have a range of backup technologies at their disposal. But because GPS is so widespread and reliable, pilots are in danger of forgetting these manual techniques.

When an Airbus passenger jet suddenly lost GPS near Salt Lake City in June 2019, its pilot suffered “a fair amount of confusion,” according to the pilot’s ASRS report. “To say that my raw data navigation skills were lacking is an understatement! I’ve never done it on the Airbus and can’t remember having done it in 25 years or more.”

“I don’t blame pilots for getting a little addicted to GPS,” says Todd E. ­Humphreys, director of the Radionavigation Laboratory at the University of Texas at Austin. “When something works well 99.99 percent of the time, humans don’t do well in being vigilant for that 0.01 percent of the time that it doesn’t.”

Losing GPS completely is not the worst that can happen. It is far more dangerous when accurate GPS data is quietly replaced by misleading information. The ASRS database contains many accounts of pilots belatedly realizing that GPS-enabled autopilots had taken them many kilometers in the wrong direction, into forbidden military areas, or dangerously close to other aircraft.

In December 2012, an air traffic controller noticed that a westbound passenger jet near Reno, Nev., had veered 16 kilometers (10 miles) off course. The controller confirmed that military GPS jamming was to blame and gave new directions, but later noted: “If the pilot would have noticed they were off course before I did and corrected the course, it would have caused [the] aircraft to turn right into [an] opposite direction, eastbound [jet].”

So why is the military interfering so regularly with such a safety-critical system? Although most GPS receivers today are found in consumer smartphones, GPS was designed by the U.S. military, for the U.S. military. The Pentagon depends heavily on GPS to locate and navigate its aircraft, ships, tanks, and troops.

The U.S. military routinely jams GPS signals over wide areas on an almost daily basis
For such a vital resource, GPS is exceedingly vulnerable to attack. By the time GPS signals reach the ground, they are so faint they can be easily drowned out by interference, whether accidental or malicious. Building a basic electronic warfare setup to disrupt these weak signals is trivially easy, says Humphreys: “Detune the oscillator in a microwave oven and you’ve got a superpowerful jammer that works over many kilometers.” Illegal GPS jamming devices are widely available on the black market, some of them marketed to professional drivers who may want to avoid being tracked while working.

Other GNSS systems, such as Russia’s GLONASS, China’s BeiDou, and Europe’s Galileo constellations, use slightly different frequencies but have similar vulnerabilities, depending on exactly who is conducting the test or attack. In China, mysterious attacks have successfully “spoofed” ships with GPS receivers toward fake locations, while vessels relying on BeiDou reportedly remain unaffected. Similarly, GPS signals are regularly jammed in the eastern Mediterranean, Norway, and Finland, while the Galileo system is untargeted in the same attacks.

The Pentagon uses its more remote military bases, many in the American West, to test how its forces operate under GPS denial, and presumably to develop its own electronic warfare systems and countermeasures. The United States has carried out experiments in spoofing GPS signals on at least one occasion, during which it was reported to have taken great care not to affect civilian aircraft.

Despite this, many ASRS reports record GPS units delivering incorrect positions rather than failing altogether, but this can also happen when the satellite signals are degraded. Whatever the nature of its tests, the military’s GPS jamming can end up disrupting service for civilian users, particularly high-altitude commercial aircraft, even at a considerable distance.

The military issues Notices to Airmen (NOTAM) to warn pilots of upcoming tests. Many of these notices cover hundreds of thousands of square kilometers. There have been notices that warn of GPS disruption over all of Texas or even the entire American Southwest. Such a notice doesn’t mean that GPS service will be disrupted throughout the area, only that it might be disrupted. And that uncertainty creates its own problems.

In 2017, the FAA commissioned the nonprofit Radio Technical Commission for Aeronautics to look into the effects of intentional GPS interference on civilian aircraft. Its report, issued the following year by the RTCA’s GPS Interference Task Group, found that the number of military GPS tests had almost tripled from 2012 to 2017. Unsurprisingly, ASRS safety reports referencing GPS jamming are also on the rise. There were 38 such ASRS narratives in 2019—nearly a tenfold increase over 2018.

New internal FAA materials obtained by Spectrum from a member of the task group and not previously made public indicate that the ASRS accounts represent only the tip of the iceberg. The FAA data consists of pilots’ reports of GPS interference to the Los Angeles Air Route Traffic Control Center, one of 22 air traffic control centers in the United States. Controllers there oversee air traffic across central and Southern California, southern Nevada, southwestern Utah, western Arizona, and portions of the Pacific Ocean—areas heavily affected by military GPS testing.

This data includes 173 instances of lost or intermittent GPS during a six-month period of 2017 and another 60 over two months in early 2018. These reports are less detailed than those in the ASRS database, but they show aircraft flying off course, accidentally entering military airspace, being unable to maneuver, and losing their ability to navigate when close to other aircraft. Many pilots required the assistance of air traffic control to continue their flights. The affected aircraft included a pet rescue shuttle, a hot-air balloon, multiple medical flights, and many private planes and passenger jets.

In at least a handful of episodes, the loss of GPS was deemed an emergency. Pilots of five aircraft, including a Southwest Airlines flight from Las Vegas to
Chicago, invoked the “stop buzzer,” a request routed through air traffic control for the military to immediately cease jamming. According to the Aircraft Owners and Pilots Association, pilots must use this phrase only when a safety-of-flight issue is encountered.

To be sure, many other instances in the FAA data were benign. In early March 2017, for example, Jim Yoder was flying a Cessna jet owned by entrepreneur and space tourist Dennis Tito between Las Vegas and Palm Springs, Calif., when both onboard GPS devices were jammed. “This is the only time I’ve ever had GPS go out, and it was interesting because I hadn’t thought about it really much,” Yoder told Spectrum. “I asked air traffic control what was going on and they were like, ‘I don’t really know.’ But we didn’t lose our ability to navigate, and I don’t think we ever got off course.”

Indeed, one of the RTCA task group’s conclusions was that the Notice to Airmen system was part of the problem: Most pilots who fly through affected areas experience no ill effects, causing some to simply ignore such warnings in the future.

“We call the NOTAMs ‘Chicken Little,’ ” says Rune Duke, who was cochair of the RTCA’s task group. “They say the sky is falling over large areas…and it’s not realistic. There are mountains and all kinds of things that would prevent GPS interference from making it 500 nautical miles [926 km] from where it is initiated.”

GPS interference can be affected by the terrain, aircraft altitude and attitude, direction of flight, angle to and distance from the center of the interference, equipment aboard the plane, and many other factors, concluded the task group, which included representatives of the FAA, airlines, pilots, aircraft manufacturers, and the U.S. military. One aircraft could lose all GPS reception, even as another one nearby is completely unaffected. One military test might pass unnoticed while another causes chaos in the skies.

This unreliability has consequences. In 2014, a passenger plane approaching El Paso had to abort its landing after losing GPS reception. “This is the first time in my flying career that I have experienced or even heard of GPS signal jamming,” wrote the pilot in an ASRS report. “Although it was in the NOTAMs, it still caught us by surprise as we really did not expect to lose all GPS signals at any point. It was a good thing the weather was good or this could have become a real issue.”

Sometimes air traffic controllers are as much in the dark as pilots. “They are the last line of defense,” Duke told Spectrum. “And in many cases, air traffic control was not even aware of the GPS interference taking place.”

The RTCA report made many recommendations. The Department of Defense could improve coordination with the FAA, and it could refrain from testing GPS during periods of high air traffic. The FAA could overhaul its data collection and analysis, match anecdotal reports with digital data, and improve documentation of adverse events. The NOTAM system could be made easier to interpret, with warnings that more accurately match the experiences of pilots and controllers.

One aircraft could lose all GPS reception, even as another one nearby is completely unaffected.
Remarkably, until the report came out, the FAA had been instructing pilots to report GPS anomalies only when they needed assistance from air traffic control. “The data has been somewhat of a challenge because we’ve somewhat discouraged reporting,” says Duke. “This has led the FAA to believe it’s not been such a problem.”

NOTAMs now encourage pilots to report all GPS interference, but many of the RTCA’s other recommendations are languishing within the Office of Accident Investigation and Prevention at the FAA.

New developments are making the problem worse. The NextGen project is accelerating the move of commercial aviation to satellite-enabled navigation. Emerging autonomous air systems, such as drones and air taxis, will put even more weight on GPS’s shaky shoulders.

When any new aircraft is adopted, it risks posing new challenges to the system. The Embraer EMB-505 Phenom 300, for instance, entered service in 2009 and has since become the world’s best-selling light jet. In 2016, the FAA warned that if the Phenom 300 encountered an unreliable or unavailable GPS signal, it could enter a Dutch roll (named for a Dutch skating technique), a dangerous combination of wagging and rocking that could cause pilots to lose control. The FAA instructed Phenom 300 owners to avoid all areas of GPS interference.

As GPS assumes an ever more prominent role, the military is naturally taking a stronger interest in it. “Year over year, the military’s need for GPS interference-event testing has increased,” says Duke. “There was an increase again in 2019, partly because of counter-UAS [drone] activity. And they’re now doing GPS interference where they previously had not, like Michigan, Wisconsin, and the Dakotas, because it adds to the realism of any type of military training.”

So there are ever more GPS-jamming tests, more aircraft navigating by satellite, and more pilots utterly reliant on GPS. It is a feedback loop, and it constantly raises the chances that one of these near misses and stop buzzers will end in catastrophe.

When asked to comment, the FAA said it has established a resilient navigation and surveillance infrastructure to enable aircraft to continue safe operations during a GPS outage, including radio beacons and radars. It also noted that it and other agencies are working to create a long-term GPS backup solution that will provide position, navigation, and ­timing—again, to minimize the effects of a loss of GPS.

However, in a report to Congress in April 2020, the agency coordinating this effort, the U.S. Department of Homeland Security, wrote: “DHS recommends that responsibility for mitigating temporary GPS outages be the responsibility of the individual user and not the responsibility of the Federal Government.” In short, the problem of GPS interference is not going away.

In September 2019, the pilot of a small business jet reported experienced jamming on a flight into New Mexico. He could hear that aircraft all around him were also affected, with some being forced to descend for safety. “Since the FAA is deprecating [ground-based radio aids], we are becoming dependent upon an unreliable navigation system,” wrote the pilot upon landing. “This extremely frequent [interference with] critical GPS navigation is a significant threat to aviation safety. This jamming has to end.”

The same pilot was jammed again on his way home.

This article appears in the February 2021 print issue as “Lost in Airspace.”

This article was updated on 21 January 2021.

New Safety Data Tool Available on FAA.gov Website

New Safety Data Tool Available on FAA.gov Website

The Federal Aviation Administration (FAA) is making it easier to research aviation safety guidance material from the Office of Aviation Safety (AVS)

The Dynamic Regulatory System (DRS) combines more than 65 document types from more than a dozen different repositories into a single searchable application. This comprehensive knowledge center centralizes the FAA’s aviation safety guidance material from the Flight Standards Information System (FSIMS) and the agency’s Regulatory Guidance System (RGL).

Each guidance document includes a link to the Code of Federal Regulations provision on which the document is based. DRS contains more than 2 million regulatory guidance documents, which can be browsed or searched. A search engine allows for basic or advanced searches and different ways to sort and view the results. The system includes pending and current versions of all documents along with their revision history. Information in the DRS is updated every 24 hours.

Safety engineering changes at Boeing

Safety engineering changes at Boeing

The chief project engineer for Boeing’s 737 Max jet told House investigators that he approved a critical design change to software on the plane even though he was unaware of key details about how it worked or of a previous warning from a test pilot that if the system malfunctioned, the results could be “catastrophic.”
That was what happened in October 2018, and again the following March, when the software forced down the noses of two of the new planes in a way their pilots could not overcome, causing crashes that killed 346 people.
The engineer’s acknowledgment is one of several revelations contained in a new report released Wednesday by investigators from the House Transportation Committee. The document details myriad gaps in oversight that allowed federal regulators to certify that the plane was safe to fly even though officials at both Boeing and the Federal Aviation Administration did not fully understand how it was designed.

After months of delays by the FAA, the investigators in May were allowed to view a draft “oversight report” written months after the initial Max crash in Indonesia. The February 2019 draft report considered Boeing’s actions in the years before the deadly incident, and its conclusions shocked investigators.The FAA’s examination “did not reveal any noncompliance” by Boeing, according to the document, meaning that the company was found to have followed federal safety regulations even though the result was a flawed plane.
“That’s the bureaucratic word. It was ‘compliant.’ But the ­problem is it was compliant and not safe. And people died,” said Transportation Committee Chairman Peter A. DeFazio (D-Ore.). “Obviously, the system is inadequate.”

The final committee report on the Max offers the clearest indication yet that Boeing — or the unit tasked with overseeing the certification process on the FAA’s behalf — could have caught flaws in the Max’s flight-control system during the airplane’s design stage. FAA’s lax oversight played part in Boeing 737 Max crashes, but agency is pushing to become more industry-friendly.
But it failed to act on concerns that were raised about the flawed Maneuvering Characteristics Augmentation System (MCAS), which was identified as a factor in both crashes. The Boeing employees were driven in part by what investigators concluded was pressure to get the new planes to customers quickly and without requiring their pilots to undergo extensive retraining — a goal symbolized by “countdown clocks” on the wall of a conference room, according to the report.

The House investigators concluded that the two crashes in less than five months “were the horrific culmination of a series of faulty technical assumptions by Boeing’s engineers, a lack of transparency on the part of Boeing’s management, and grossly insufficient oversight by the FAA.”
“The facts laid out in this report document a disturbing pattern of technical miscalculations and troubling management misjudgments made by Boeing,” investigators concluded. “It also illuminates numerous oversight lapses and accountability gaps by the FAA that played a significant role in the 737 MAX crashes.”

Investigators said Boeing had “multiple missed opportunities” that could have shifted “the trajectory of the Max’s design and development toward a safer course.” The FAA had a series of its own missed opportunities, the report concluded. FAA proposes $1.25 million fine for Boeing, alleging managers pressured employees to rush inspections.
The two crashes are “clear evidence that the current regulatory system is fundamentally flawed and needs to be repaired,” investigators concluded.

FAA officials have testified that the agency has learned lessons from the crashes, and have defended the federal oversight system, saying it has helped produce a stellar safety record overall.

“These tragic accidents should not have happened,” FAA Administrator Stephen M. Dickson said in congressional testimony in June. “We continue to work tirelessly to see that the lessons learned from these accidents will result in a higher margin of safety for the aviation industry globally.” But the extent of the agency’s efforts to address its failures remains uncertain, and lawmakers in both the House and Senate are considering ways to strengthen the FAA’s oversight of Boeing and other aviation companies.
DeFazio said he is seeking bipartisan agreement in the House on legislative fixes to the oversight process, and talks are ongoing. The Senate Commerce Committee was scheduled to consider a bipartisan proposal at a meeting Wednesday, but it was pulled from the agenda as committee leaders continued to weigh amendments. Rep. Sam Graves (Mo.), the ranking Republican on the House Transportation Committee, and Rep. Garret Graves (La.), the ranking Republican on the aviation subcommittee, said they will continue to focus on “nonpartisan reports and investigations and the improvements they had identified.”

“Expert recommendations have already led to changes and reforms, with more to come,” the two members said in a statement. “These recommendations – not a partisan investigative report – should serve as the basis for Congressional action.”

Boeing, in a statement, said it cooperated “fully and extensively” with the committee’s inquiry.“We have been hard at work strengthening our safety culture and rebuilding trust with our customers, regulators, and the flying public,” spokesman Bradley N. Akubuiro said. “The passengers and crew on board Lion Air Flight 610 and Ethiopian Airlines Flight 302, as well as their loved ones, continue to be in our thoughts and prayers.”

Akubuiro noted that Boeing has incorporated many of the recommendations contained in previous reports from review committees, experts and governmental authorities, as well as from its own internal reviews, into the 737 Max and the overall aircraft design process. He said Boeing has set up a new safety organization within the company to “enhance and standardize safety practices” and has made internal changes designed to “give engineers a stronger voice and a more direct line to share concerns with top management.”

Long before the Max disasters, Boeing had a history of failing to fix safety problems

In addition, its board of directors now includes a permanent Aerospace Safety Committee, and it has expanded the role of the Safety Promotion Center. “The revised design of the MAX has received intensive internal and regulatory review, including more than 375,000 engineering and test hours and 1,300 test flights,” Akubuiro said. “Once the FAA and other regulators have determined the MAX can safely return to service, it will be one of the most thoroughly-scrutinized aircraft in history, and we have full confidence in its safety.”

The FAA said in a statement that it was “committed to continually advancing aviation safety and looks forward to working with the Committee to implement improvements identified in its report.
“We are already undertaking important initiatives based on what we have learned from our own internal reviews as well as independent reviews of the Lion Air and Ethiopian Airlines accidents. These initiatives are focused on advancing overall aviation safety by improving our organization, processes, and culture,” the agency said. The FAA said it has published a notice of a proposed rulemaking for an airworthiness directive “that will mandate a number of design changes to the Boeing 737 MAX before it returns to passenger service. The FAA continues to follow a thorough process, not a prescribed timeline, for returning the aircraft to service.”

The Max remains grounded by aviation authorities worldwide, but it is expected to be cleared to fly again in coming months, following an overhaul of the MCAS software. The process of ungrounding the planes moved ahead Monday when international regulators began meeting at London’s Gatwick Airport to review training requirements for Max pilots.

Michael Stumo, whose daughter Samya died in the second crash, said the report showed that recertification of the Max needed to be stopped. “The FAA and Boeing hid information before and are doing it again,” Stumo said in a statement, saying the victims’ families still did not have technical data on the fixes to the planes that they are seeking under the Freedom of Information Act.

Internal Boeing documents show employees discussing efforts to manipulate regulators scrutinizing the 737 Max. The report draws from interviews with key Boeing executives, top FAA safety officials and others with knowledge of the crashes. Investigators wrote that even months after two fatal crashes, officials at Boeing and the FAA still refused to acknowledge problems with the approval process. “Despite the sweeping and substantive problems that have been identified by this Committee’s investigation as well as various other investigations, both Boeing and the FAA have suggested that the certification of the 737 MAX was compliant with FAA regulations,” investigators found.
The House report highlights the roles of senior Boeing and FAA officials in the development of the jet and responding to the crashes, outlining interviews with Michael Teal, the Max project engineer; Keith Leverkuhn, Boeing’s former general manager for the Max; and Ali Bahrami, the head of the FAA’s safety branch.
The report describes the Boeing officials as “extraordinarily reluctant to acknowledge any missteps or mistakes” and Bahrami as “unphased by many of the revelations that have deeply disturbed many aviation experts and engineers about the MAX.”

Source: https://www.washingtonpost.com/local/trafficandcommuting/boeing-737-max-crashes-were-horrific-culmination-of-errors-investigators-say/2020/09/16/72e5d226-f761-11ea-89e3-4b9efa36dc64_story.html

EASA updates fuel tank and system lightning protection requirements in CS25 Amm 26

EASA updates fuel tank and system lightning protection requirements in CS25 Amm 26

See https://www.easa.europa.eu/document-library/agency-decisions/ed-decision-2020024r

SAE investigating System Safety standard for UAS

SAE investigating System Safety standard for UAS

Automation plays a role in aviation safety for manned and unmanned aircraft systems (UAS). UAS rely heavily on automation through sensory feedback and direct manipulation of controls. Thanks to advancements in sensors, computation and control algorithms, the pace of UAS automation is accelerating, but human interaction still exists on both ends of the spectrum.

Any efforts on aerospace system design and safety assessments have likely been impacted by SAE’s S-18 Aircraft and Systems Development and Safety Assessment Committee, and its ARP4754: Guidelines for Development of Civil Aircraft and Systems and ARP4761: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment, two standards that are generally accepted by global aviation authorities as a means of compliance to rules for aerospace system design and safety assurance for more than two decades. ARP4754 provides recommendations for the safe development and design of aircraft and systems, taking into account aircraft functions and operating environments. ARP4761 presents guidelines for performing safety assessments of civil aircraft, systems, and equipment, particularly when addressing compliance with certification requirements.

These documents, along with a host of others currently published and in-development, are widely accepted for manned aircraft. The proliferation of UAS has prompted the S-18 committee to identify shortcomings related to specific technical aspects needed for UAS development. To lead these efforts, S-18 established the S-18UAS Autonomy Working Group. The committee’s first document, AIR7121: Applicability of Existing Development Assurance and System Safety Practices to Unmanned Aircraft Systems, is intended to identify specific gaps in both ARP4754 and ARP4761 processes that affect UAS development, the domains where the gaps should be filled, and provide a common understanding of necessary guidance needed to support development assurance and system safety for both developers and regulators.

The UAS industry is swift and dynamic, so the efforts of the S-18UAS working group is important to both industry and regulators for enabling safe UAS integration into the national and international airspace. These are global efforts, working jointly with EUROCAE WG-63 Complex Aircraft Systems on SAE/EUROCAE documents: ARP4754A/ED-79A and ARP4761/ED-135, along with the SG-1 Applicability of Existing Development Assurance and System Safety Practices to UAS and VTOL.


Planned 5G telecomms could interfere with Radar Altimeters.

Join RTCA and leaders of Special Committee 239 (SC-239) for a discussion on the planned 5G telecommunications system implementation that could interfere with Radar Altimeters. This will include a discussion on the potential risks to commercial transport airlines; business, regional, and general aviation airplanes; and both transport and general aviation helicopters. The presentation includes an overview SC-239’s new white paper: Assessment of C-Band Mobile Telecommunications Interference Impact on Low Range Radar Altimeter Operations that was written to address the potential consequences of interference events. The panel will address your questions and concerns in an interactive Q&A session. Panelists include committee co-chairs Jean-Luc Robin of Airbus and Seth Frick of Honeywell and secretary Dr. Sai Kalyanaraman of Collins Aerospace

Source: “https://register.gotowebinar.com/register/5721352046688435472?source=Curt+Lewis+Blog” rel=”noopener” target

The nuts and bolts of safety

An article by Don Porter: https://www.flightglobal.com/flight-international/analysing-the-nuts-and-bolts-of-safety/141209.article

The Federal Aviation Administration (FAA) states that flying on US-based airlines is safe. But the agency equates “safety” with the occurrence of actual accidents – not “incidents” where mechanical issues could result in an accident. An aircraft with undetected maintenance problems is, in reality, unsafe.

It is a truism that a small event can lead to a massive incident. A single match can spark a forest fire that devastates a huge area. In aviation, a tiny nut, bolt or pin – or the absence thereof – can trigger an accident that kills hundreds of people.

Tragedies can result when small mistakes trigger a chain of events

That can be seen in the crashes that led to the grounding of the Boeing 737 Max. While the post-accident focus was rightly on the jet’s automated systems, many factors figured in the demise of the Indonesian and Ethiopian aircraft. But one fact is clear in each case: the deadly chain of events that killed, respectively, 189 and 157 people, began with the failure of a small angle of attack (AoA) sensor.

Max aircraft flew in excess of 10 million passengers between their first days in service in May 2017 and their grounding in March 2019. But they flew with hidden flaws. It took the failures of those AoA sensors – through poor overhaul or damage – to trigger an automatic, computer-driven chain of events that brought the jets down. Although millions of passengers had flown in Maxes without a single accident, the possibility for a crash existed during any one of those flights.

But this is not a new phenomenon. The National Transportation Safety Board’s archives are full of incidents which very nearly became fatal accidents. For example, on 6 November 2019, as a Republic Airways Embraer 175 climbed to 2,200ft, the plane’s nose rose abruptly. The captain clicked the autopilot/pitch trim disengage switch. There was no response. The co-pilot’s trim switch being functional, the crew was able to land after 15 harrowing minutes aloft. The cause: chafed wiring connecting the horizontal stabilizer trim actuator to the captain’s switch. Compounding the error, the switch had been installed upside down.

On 17 August 2015, the pilots of Allegiant Air flight 436, a Boeing MD-83, aborted take-off from Las Vegas due to a missing cotter pin in the elevator linkage. No-one was killed or injured, so the event was classified as a serious incident and not an accident. The jet had completed 216 uneventful flights after a mechanic forgot to install the pin. A bolt usually retained by the pin fell out, jamming the elevator. If the crew had continued the take-off, there’s little doubt the aircraft would have crashed, probably killing many of the 162 people aboard.

Here’s what the FAA safety inspector who investigated the incident wrote to his superiors: “I recommend that a sanction be added for each of the 216 flights that were flown… in an unairworthy condition.” But his bosses disagreed, and no punitive action was taken against the air carrier or its maintenance contractor.

One does not have to look too far back to see what might have been.

On 1 September 1961, TWA flight 529, a Lockheed L-049 Constellation, crashed four minutes after departing Chicago, killing all 78 people aboard. The cause: someone forgot to install a cotter pin on a nut. It caused the elevator controls to jam, making the aircraft uncontrollable.

Three weeks later, also in Chicago, a Northwest Airlines Lockheed L-188 Electra crash killed 37. The cause: a missing 2in (5cm) piece of safety wire in the aileron linkage that someone forgot to install.

To reiterate: 115 people died because a cotter pin and 2in of safety wire were missing.

Of course, all machines are susceptible to mechanical failure, and that applies to aviation whether the aircraft was built in 1950 or rolled off an assembly line this afternoon. No-one disputes that things can go wrong; that is why aviation’s rules and regulations are so prescriptive.

But until the industry establishes greater emphasis on a workplace culture committed to safety above all else, and applies that consistently across the globe, the existing safety margin that should protect flightcrews and billions of air travellers will continue to be eroded.

Don Porter is a former FAA-licensed mechanic, technical representative, and product support manager for a major aircraft manufacturer. He has investigated hundreds of mishaps, some ending in tragedies. His latest book, Flight Failure: Investigating the Nuts and Bolts of Air Disasters and Aviation Safety, is out now.

‘Grossly insufficient’: House report excoriates Boeing, FAA over mistakes that led to 737 Max crashes

From https://www.yahoo.com/news/grossly-insufficient-house-report-excoriates-090029704.html?guccounter=1

A cascade of false assumptions, mismanagement, rushed deadlines, miscommunication and outright deception led to the failure to catch the design flaws that led to two deadly crashes of Boeing’s now-grounded 737 Max jetliner, finds a congressional report released Wednesday. “Boeing failed in its design and development of the Max, and the Federal Aviation Agency failed in its oversight of Boeing and its certification of the aircraft,” concludes the House Transportation and Infrastructure Committee’s 238-page report on the jetliner.

The report pinpoints multiple times engineers questioned the safety of features that went into the jet, only to have their concerns dismissed as lacking importance or jeopardizing the development timeline or budget, the report finds. Employees charged with keeping the FAA informed about those debates didn’t pass on that information to the agency.

Despite ample opportunities to have realized the plane’s deadly shortcomings, the 737 Max passed muster with both Boeing and the FAA, which labeled it “compliant” in certifying it as safe to go into service with many airlines in the U.S. and abroad. “The problem is it was ‘compliant’ and not safe – and people died,” Rep. Peter DeFazio, D-Ore., the committee’s chairman, said in a brief statement to reporters.

A 737 Max operated by Lion Air plunged into the Java Sea 13 minutes after takeoff in Indonesia in October 2018, taking 189 lives. Five months later, an Ethiopian Airlines jet with 157 passengers and crew augered into the earth six minutes into its flight from Addis Ababa. As similar circumstances in both crashes came to light, the 737 Max has remained grounded worldwide. The FAA and other global aviation safety agencies are reviewing Boeing’s improvements to decide whether to allow it to fly again.

Those improvements focus primarily on software changes in a new system added to the jet and blamed for the crashes. In both the fatal Lion Air and Ethiopian Airlines flights, pilots wrestled with the new computer system, the Maneuvering Characteristics Augmentation System, or MCAS, that wasn’t on previous versions of the 737.

FAA’s fix-it list for 737Max

Source:  https://www.engineering.com/AdvancedManufacturing/ArticleID/20579/More-Details-on-the-FAAs-Fix-It-List-for-the-737-MAX.aspx

The Federal Aviation Administration (FAA) has given Boeing preliminary approval for its proposed fixes for the troubled 737 MAX-along with an airworthiness directive that the plane maker must comply with if it wants its planes back in the air.

Updated Flight Control Software
The agency will require that Boeing install a software patch to the Maneuvering Characteristics Augmentation System (MCAS) that implements new safeguards. The patch significantly alters the reliability of data the MCAS receives, the parameters under which the system will activate, and how the MCAS performs once it’s been triggered.

The MCAS is an anti-stall measure intended to activate only when the plane is at low speed, under manual pilot control, climbing with the flaps up, and the system detects that the aircraft is angling too high and at risk of stalling.

However, on Ethiopian Airlines Flight 302 and Lion Air Flight 610, the MCAS software kicked in at the wrong time: when the aircraft were taking off under manual control. In these cases, the MCAS forced the planes downward because it assumed the aircraft were stalling-when in fact they were operating safely. All passengers and crew were lost on those tragic flights, and the global MAX fleet has been grounded since-for almost two years.

Under the FAA’s proposed changes, the MCAS would now be governed by new flight control software, and the software would use new rules that send commands to the aircraft’s flight control surfaces, such as flaps, based on input from sensors or pilot actions.

In the case of the two crashes, the MCAS received faulty information from an angle-of-attack (AOA) sensor that told the system the plane was stalling when it was not. The MCAS then overrode the system and overpowered the crew, pushing the planes’ noses down into fatal dives.

The new flight control software would contain the following four new measures to prevent such tragic occurrences from being repeated:

1) More Than One Angle-of-Attack Sensor
The FAA requires that the MCAS rely on at least two AOA sensors. Many commercial jets rely on multiple AOA sensors; but typically, a 737 MAX relies on only one. These sensors are vulnerable to damage and malfunction-from sources such as lightning, bird strikes, freezing and faulty installation.

In the case of the two downed planes, black box data indicated that the aircrafts’ lone AOA sensor sent erroneously high input to the flight control system. This led the software to conclude that the planes were stalling, and triggered the MCAS-which repeatedly commanded the horizontal stabilizer to push the planes’ noses down.

Going forward, the flight control software would pull data from both sensors, significantly reducing the risk of a damaged sensor sending the wrong signal to the MCAS.

2) MCAS Disabled on Severe AOA Disagreement
To further strengthen the system against faulty AOA sensor readings, the updated flight control software would also compare the inputs from the two sensors to identify when a sensor is malfunctioning.

If the difference between the readings of the two sensors is above a certain threshold, the speed trim system-which includes the MCAS-would become disabled for the remainder of the flight. That threshold would be based on “the magnitude of the disagreement and the rate of change of the AOA sensor position values,” according to the FAA.

In addition, Boeing would be required to add an “AOA disagree” indicator in the cockpit to inform the flight crew of a potential sensor malfunction or failure. This should be a welcome addition for pilots: among other criticisms, Boeing has also been called out for not making an AOA disagree indicator light standard in the cockpit-a vital piece of information for a crew that was relying on a sole AOA sensor.

That indicator would have been even more important considering that Boeing had removed reference to the MCAS in its 737 MAX training materials, so many pilots-most notably the ones flying the downed aircraft-were not even aware that the MCAS existed.

3) One MCAS Activation per AOA Incident
The MCAS on board the Ethiopian Airlines and Lion Air planes were reacting to faulty sensor readings-and triggered repeatedly, which was too much for the pilots to handle. It appears that the pilots were briefly able to wrestle back some control of the aircraft-only to be overpowered by the MCAS activating again.

The new software would limit the MCAS to trigger only once during a high AOA incident-eliminating the repeated activations that contributed to the two crashes. This would allow the MCAS to properly carry out its original function as an emergency anti-stall measure.

It also means that, should the MCAS be overridden by either a faulty sensor reading, or activate during a genuine stall situation, the pilots will be unable to rely on the system for any further stall scenarios for the rest of the flight-they’ll have to handle it by themselves. But given the extensive training of most pilots, this seems like an acceptable consequence.

4) Less Aggressive MCAS When Triggered
Finally, should the MCAS kick in during a flight, its power would be significantly limited so that it can’t overpower the pilots.

The new software would keep a comparatively short leash on the MCAS, permitting it to activate and send signals to the flaps-while allowing the flight crew to retain pitch control, using the control column to maintain level flight, climb and descend. No longer would the anti-stall system be able to grab control of the aircraft away from the pilots: it would instead defer to their commands.

… But Wait, There’s More

While the software is the main focus of the fixes, the FAA will require additional corrective measures. A revised flight manual-this one actually mentioning the MCAS-would be required for all 737 MAX operators to use. Each plane’s AOA sensors would need to be tested, and each aircraft would have to undergo an operational test flight before it can be brought back into service. And finally, the wiring for the jet’s horizontal stabilizers will need to be reconfigured to comply with FAA standards.

Lots on the Line

The crashes brought both Boeing and the FAA under intense global scrutiny and scathing criticism for their repeated oversights in designing, manufacturing and certifying the 737 MAX.

So a lot is riding on these proposed fixes: the airworthiness of one of the world’s most popular aircraft, Boeing’s reputation and bottom line, the legitimacy and authority of the FAA–and the confidence of travelers around the world. If the plane maker and the regulator don’t get this right, the consequences could be severe for both-and could cause more chaos in an aerospace market already reeling from the MAX’s grounding and the COVID-19 pandemic.

Boeing will have to make significant changes to its best-selling plane.

The FAA is accepting public comment on the proposed fixes for the MCAS until September 21, 2020. If recertification goes as anticipated, we could be seeing 737 MAXs take to the air again by Halloween … but global confidence in the MAX could take much, much longer to recover.

Flying over the poles

An interesting article from https://thepointsguy.com/news/radiation-flights-over-north-pole/

Racing around the world at 43,000 feet, you may think that the biggest threat is hitting the ground below you. However, have you ever thought of what’s hitting the aircraft from above?
Cosmic radiation is all around us, but its effects are seen more at altitude, and particularly at the Poles, than on the ground. However, some of the most time and fuel-efficient flight routes take aircraft well into the Arctic Circle and close to the North Pole.
So how does this radiation affect us and how do pilots fly these remote routes?

Radiation exposure
Every time you get out of bed (and when you’re in it for that matter) your body is exposed to radiation. It’s all around us and is, for the most part, unavoidable. Some of this radiation is useful and other types are not so useful.
The effects of non-ionizing radiation, such as ultraviolet light, radio waves and microwaves, very much depend on the intensity of the radiation received. It can damage the skin and eyes (hence why we wear sunglasses and sunscreen) and if it penetrates the body, can cause damage to organs by heating them.
For the most part, this is the type of radiation we put up with day to day, utilizing the benefits to rapidly heat food in our microwaves and give our skin a much sought-after sun-kissed glow.
Ionizing radiation, such as cosmic rays, X-rays and that from radioactive material is the kind which tends to get peoples’ attention. The greatest worry about ionizing radiation is the increased risk of malignant diseases and genetic malfunctions.
Once again, the risks of ionizing radiation very much depend on the amount of exposure.

Cosmic radiation and the earth’s magnetic field
Cosmic radiation originates from two sources. Most of it originates from outer space, but some of it comes from the sun, which produces a constant stream of particles that billow out into space at almost one million mph. This is known as the solar wind and consists primarily of protons and electrons.

Meanwhile, back on earth, currents of electricity which flow deep in the molten core create a magnetic field. These currents are hundreds of miles wide and flow at thousands of miles an hour as the earth rotates. The magnetic field extends out thousands of miles into space where it acts as a shield against incoming radiation.

As the charged incoming particles hit the magnetic field, they are deflected away and are prevented from coming into contact with the atmosphere. However, there is a weakness in the magnetic field.

Due to the shape of the geomagnetic field, the intensity of the charged cosmic radiation is higher at the poles than it is in equatorial regions
Due to the shape of the geomagnetic field, the intensity of the charged cosmic radiation is higher at the poles than it is in equatorial regions.
The magnetic field is thickest at the equator and virtually nonexistent at the poles. Added to this, parts of the magnetic field deflect the incoming particles to the areas around the poles.
As a result of this gap in the shield, a greater amount of radiation gets into the earth’s atmosphere at the poles than at the equator. The earth’s atmosphere does a good job of stopping most of the radiation from reaching the ground and it’s this interaction which causes the Aurora Borealis.
However, the amount of radiation in the upper atmosphere remains higher than on the ground.

Great circle routing
This is all very interesting but what relevance does it have to commercial aviation? Why would aircraft need to be flying by the North Pole anyway?
The answer lies in the curvature of the earth (sorry, flat earthers) and the shortest distance between two points on the surface. This is known as a Great Circle.
Everyone knows that the U.S. is west of the U.K. In fact, most of it is southwest. However, if you’ve ever flown from London to the west coast of the U.S. and watched the moving map, you will have noticed that the flight initially routes north toward Scotland.
This isn’t because the pilots are lost, its because it is actually the most direct route.
When planning the route of a flight, airlines will naturally try and take the shortest route possible, the Great Circle track. However, sometimes its beneficial to deviate off this route to take advantage of (or to avoid) strong winds. Even though the distance may be longer, the flight time (and subsequently the cost) will be reduced.
So with flights routing over the North Pole, what risk is there to the passengers and crew from cosmic radiation?

Radiation study
A December 2019 study looked to see whether the length of the flight or the routing of the flight had the greatest effect on the amount of radiation an aircraft was exposed to.
It sampled 15 of the longest commercial flights in operation, including four of which flew over the Arctic. These included flights to Los Angeles from Doha, Abu Dhabi and Dubai.
The image above shows the routes taken to Los Angeles by flights from the three Middle Eastern hubs and also the route from London for comparison.
Contrary to what the scientists were expecting, the study found that it wasn’t the duration of the flight but the route which has the greatest effect on cosmic radiation exposure. Aircraft that flew closer to the North Pole experienced greater radiation than those flying more southerly routes, even if they were airborne for longer.

Do I need to be worried?
A study by NASA found that polar flights during the solar storm of 2003 we exposed to 12% of the annual radiation limit recommended by the International Committee on Radiological Protection. Whilst this isn’t a problem for individual flights, it could start to pose problems for those who fly these routes frequently. Such as pilots and flight attendants.
Airline crew are categorized as “radiation workers” by the U.S. federal government, a classification that includes X-ray technicians and nuclear power plant workers. According to NASA, the average airline pilot receives more radiation a year than does a fuel-cycle worker in a nuclear power plant.
A survey of flight attendants in Europe and North America also found higher rates of skin, breast and prostate cancer, as well as acute myeloid leukemia than the average person.
For the average passenger, there is little to worry about. Even for the frequent flyer, the doses of radiation experienced on normal flights are not considered to be excessive. However, if you find yourself regularly flying between the Middle East and North America, you may want to give this some thought.

Flying across the Poles
So how do we fly polar routes and do we do anything different to avoid the cosmic radiation? Simply put, not really. As the radiation depends more on the route than the altitude, there is little we as pilots can do to reduce the exposure when flying these routes.
However, any flight across the Poles requires a bit more thought before departure. By definition, the routes are particularly isolated and careful consideration has to be given to diversion airfields. Cold air masses may affect fuel temperatures, potentially taking them below the minimum allowed temperature.

Polar routes
For aircraft to be able to take advantage of routes across the North Pole, very much like across the North Atlantic, a Polar Track structure has been created. However, unlike the North Atlantic tracks which move in location depending on the winds, the polar tracks are fixed. To ensure that there is no conflict between the two sets of tracks, the polar tracks are well north of the airspace used by the North Atlantic tracks.
The use of the polar tracks is similar to those crossing the Atlantic. Before reaching the start of the track, pilots must receive an ATC clearance. This includes the flight level, speed and track which the crew must adhere to.
However, as the polar tracks are less busy than the North Atlantic ones, pilots can normally plan on flying the track at the altitude and speed of their choice, normally those optimum for the flight.

Low fuel temperatures
While you’re seated enjoying a glass of wine in a pleasant 70 degree Fahrenheit cabin, outside your window it’s bitterly cold, normally around minus 67 degrees Fahrenheit in temperate regions. In Arctic areas, it can get even colder, minus 97 degrees Fahrenheit over Siberia is my personal record. When temperatures get this low, a conventional fuel would freeze.
The Jet A-1 powering the engines has a freezing point of minus 52 degrees Fahrenheit, so why doesn’t the fuel freeze when it’s minus 67 degrees Fahrenheit outside?
Take an average spring day out of London where it’s 59 degrees Fahrenheit. For this example, let’s say the fuel is also 59 degrees Fahrenheit. As the aircraft climbs, the outside air temperature decreases. Nominally by 35 degrees Fahrenheit every 1,000 feet. This means that by the time it reaches 35,000 feet, the outside temperature will be minus 67 degrees Fahrenheit. This is called the static air temperature, or SAT. This is the temperature you’d feel if you were stood on a passing cloud.
If the aircraft was just sitting on that cloud with you, the surfaces would chill to minus 67 degrees Fahrenheit, as would fuel in the wings. However, the aircraft isn’t stationary. It’s flying through this cold air mass at hundreds of miles per hour.
The speed of air over the wings creates friction, which actually heats the surfaces. By knowing the airspeed, you can work out what this heating effect will be. Adding this value to your SAT gives you your total air temperature or TAT. It is this TAT value that is chilling the wings and thus affecting the fuel temperature.
If I was to tell you that a typical TAT value at 38,000 feet is just minus 6 degrees Fahrenheit, you’ll now be able to understand why the fuel doesn’t freeze.
he wing material also has an effect on this chilling. The composite structure of the 787 Dreamliner wing means that it cools far slower than a conventional aluminum wing resulting in much warmer fuel temperatures.
What happens if the fuel temperature gets close to minus 52 degrees Fahrenheit?
It is possible that, if flying for prolonged periods in extremely cold air masses, the fuel temperature could drop toward the freezing point. However, pilots are alert to this possibility and will take proactive steps to ensure that this doesn’t happen. Each aircraft type has a threshold at which the crew are alerted to low fuel temperature.
On the 787, that threshold is around minus 35 degrees Fahrenheit. If this happens, the crew have two options. Either fly faster to increase the heating effect of the air or descend into warmer air. Since aircraft tend to fly as fast as they are designed, normally the only viable option is to descend.

Communications can also be problematic. Most areas of the world are well served by SATCOM. Pilots simply pick up the Sat phone, dial a number and can be connected to any telephone in the world in an instant. Unfortunately, when flying above 82 degrees north, SATCOM is unavailable.
In order to maintain communication with the ground, pilots must ensure that they establish high frequency (HF) communications with the relevant ATC unit. Fortunately, they do not need to listen to the painful static for the whole flight.

SATCOM doesn’t work above 82 degrees north.  A system called SELCAL enables the crew to turn the volume off when they are not communicating with ATC. A SELCAL notification activates in the flight deck, very much like a phone ringing, to let the crew know that ATC needs to speak with them.

True versus magnetic
As the aircraft gets closer to the Pole, the magnetic compass becomes less reliable as the position of the aircraft relative to the Pole is changing so quickly. It gets to the point where pilots consider it totally useless. Instead of using magnetic headings and tracks, we use true headings and tracks.
Unlike the magnetic North Pole, the true North Pole doesn’t move. It is in effect the “top” of the earth. As a result, its position can be determined by GPS, increasing our navigational accuracy.

Bottom line
Whilst cosmic radiation should not be of concern to most passengers, it’s an occupational hazard of the job for the crew. There is greater exposure to radiation when flying routes over the Poles than those closer to the equator. This is down to the lack of protection from the earth’s magnetic field at the poles.
That said, the threat of radiation over the poles does not alter how pilots fly their aircraft. The cold temperatures and lack of communications do provide more of a challenge than on other routes but flight safety is never compromised. No matter what route your flight takes, your pilots will ensure that you arrive safely at your destination – leaving you blissfully unaware of the challenges such flying poses.