Free SSA books

A useful list of free handbooks, guides, and textbooks covering all of the tools of system safety and probabilistic risk assessment is available here: https://functionalsafetyengineer.com/safety-and-pra-resources/

Failure Modes & Effects Analysis (FMEA)

Fault Tree Analysis (FTA)

Probabilistic Risk Assessment (PRA)

System Safety

Software Safety

Bayesian Analysis

Bayesian Networks

A 25.1309(c) issue: FAA flags potential safety problem in layout of controls on Boeing 767 and 757 planes

An article by Dominic Gates

The Federal Aviation Administration has issued a safety alert to all operators of Boeing 767 and 757 airplanes flagging a potential problem that led to the 2019 crash in Texas of an Amazon Air cargo plane and the deaths of the three pilots onboard.

Although the first officer flying the plane was faulted in the investigation into the crash, the alert points to a potential flaw in the way the pilot controls are laid out in the flight deck that initiated the chain of events. Crash investigators believe that the first officer inadvertently hit a switch that was too close to a handle he was holding, then reacted incorrectly to the plane’s sudden change in the flight mode. Just 32 seconds after the inadvertent activation of that switch, the plane slammed into the ground, killing the captain, the first officer and a third pilot who was hitching a ride in the jump seat.

On Feb. 23, 2019, Atlas Air Flight 3591 — a Boeing 767 cargo flight operated for and in the colors of Amazon Air — was en route from Miami to Houston when it crashed into a shallow marsh near Trinity Bay, Texas. On board were Captain Ricky Blakely, 60, of Indiana; First Officer Conrad Jules Aska, 44, of Antigua; and Mesa Airlines Captain Sean Archuleta, 36, of Houston, who was traveling home before beginning new-hire pilot training with United Airlines. The flight data recorder showed that as the plane descended from 6,000 feet toward a planned 3,000 foot level on the approach to Houston airspace, the pilot flipped a switch that shifted the plane to “Go-Around” mode. This is the mode used when a pilot close to the ground and slowing down on approach decides abruptly that it’s unsafe to land. The go-around signal immediately increases the engine thrust so that the plane can climb away from the runway.
The altitude and trajectory of Flight 3591 at that moment was “inconsistent with any scenario in which a pilot would intentionally select go-around mode,” the National Transportation Safety Board concluded after investigation.
And neither the captain nor the first officer announced a go-around, as they would have if it were an intentional activation.
What happened next doomed the plane. The sudden acceleration from the engine thrust would have pushed the first officer’s body back into his seat. If there are limited visual cues to the contrary, this can make a pilot think a plane is pitching up, a recognized phenomenon known as a “somatogravic illusion.” In fact the plane was already on a downward slope. Investigators believe that under the influence of that illusion, the first officer pushed the controls forward to point the nose further down. That “forced the airplane into a steep dive from which the crew did not recover,” the NTSB report states.

Crash investigators re-creating what happened in a simulator observed that, when the first officer flying in the right seat kept his left hand on the speedbrake lever during the descent, as is normal procedure, “his left hand and wrist could be under the thrust levers and close to the left go-around switch.” They concluded that this was the likely cause of the unintentional go-around activation. “The NTSB demonstrated in a full flight simulator, that light turbulence could reasonably cause a pilot flying that is holding the speedbrake lever to move his or her arm enough to hit the go-around switch inadvertently,” the FAA stated.

The FAA issued the safety alert to make sure pilots of both the 767 and the 757, which has a similarly configured flight deck, are aware of this potential hazard.
Boeing declined to comment.
The Flight 3591 crash investigators separately raised questions about the first officer’s competence.

Net Safety Benefit

EASA issues Certification Memorandum in support of 25.1309. The purpose of this CM is to provide an approach to the demonstration of compliance to certain CS 23 and CS 27 specifications that is in line with reference standard guidance as adapted to installation of system/equipment that provide operational safety benefit. This is achieved by introducing credits for systems or equipment that provide operational safety benefits in the determination of the Development Assurance Level (DAL).
The intent of the Net Safety Benefit policy is to facilitate the introduction of new, safety-enhancing technologies in the current fleets that have been shown to provide operational safety benefits to improve the overall safety performance of the operation.
See https://www.easa.europa.eu/sites/default/files/dfu/certification_memorandum_cm-sa-001_-_net_safety_benefit_-_issue_1.1.pdf

FAA files reveal a surprising threat to Airline Safety: The U.S. Military’s GPS Tests


Military tests that jam and spoof GPS signals are an accident waiting to happen (by Mark Harris)

Early one morning last May, a commercial airliner was approaching El Paso International Airport, in West Texas, when a warning popped up in the cockpit: “GPS Position Lost.” The pilot contacted the airline’s operations center and received a report that the U.S. Army’s White Sands Missile Range, in South Central New Mexico, was disrupting the GPS signal. “We knew then that it was not an aircraft GPS fault,” the pilot wrote later.

The pilot missed an approach on one runway due to high winds, then came around to try again. “We were forced to Runway 04 with a predawn landing with no access to [an instrument landing] with vertical guidance,” the pilot wrote. “Runway 04…has a high CFIT threat due to the climbing terrain in the local area.”

CFIT stands for “controlled flight into terrain,” and it is exactly as serious as it sounds. The pilot considered diverting to Albuquerque, 370 kilometers away, but eventually bit the bullet and tackled Runway 04 using only visual aids. The plane made it safely to the ground, but the pilot later logged the experience on NASA’s Aviation Safety Reporting System, a forum where pilots can anonymously share near misses and safety tips.

This is far from the most worrying ASRS report involving GPS jamming. In August 2018, a passenger aircraft in Idaho, flying in smoky conditions, reportedly suffered GPS interference from military tests and was saved from crashing into a mountain only by the last-minute intervention of an air traffic controller. “Loss of life can happen because air traffic control and a flight crew believe their equipment are working as intended, but are in fact leading them into the side of the mountain,” wrote the controller. “Had [we] not noticed, that flight crew and the passengers would be dead. I have no doubt.”

There are some 90 ASRS reports detailing GPS interference in the United States over the past eight years, the majority of which were filed in 2019 and 2020. Now IEEE Spectrum has new evidence that GPS disruption to commercial aviation is much more common than even the ASRS database suggests. Previously undisclosed Federal Aviation Administration (FAA) data for a few months in 2017 and 2018 detail hundreds of aircraft losing GPS reception in the vicinity of military tests. On a single day in March 2018, 21 aircraft reported GPS problems to air traffic controllers near Los Angeles. These included a medevac helicopter, several private planes, and a dozen commercial passenger jets. Some managed to keep flying normally; others required help from air traffic controllers. Five aircraft reported making unexpected turns or navigating off course. In all likelihood, there are many hundreds, possibly thousands, of such incidents each year nationwide, each one a potential accident. The vast majority of this disruption can be traced back to the U.S. military, which now routinely jams GPS signals over wide areas on an almost daily basis somewhere in the country.

The military is jamming GPS signals to develop its own defenses against GPS jamming. Ironically, though, the Pentagon’s efforts to safeguard its own troops and systems are putting the lives of civilian pilots, passengers, and crew at risk. In 2013, the military essentially admitted as much in a report, saying that “planned EA [electronic attack] testing occasionally causes interference to GPS based flight operations, and impacts the efficiency and economy of some aviation operations.”

In the early days of aviation, pilots would navigate using road maps in daylight and follow bonfires or searchlights after dark. By World War II, radio beacons had become common. From the late 1940s, ground stations began broadcasting omnidirectional VHF signals that planes could lock on to, while shorter-range systems indicated safe glide slopes to help pilots land. At their peak, in 2000, there were more than a thousand very high frequency (VHF) navigation stations in the United States. However, in areas with widely spaced stations, pilots were forced to take zigzag routes from one station to the next, and reception of the VHF signals could be hampered by nearby buildings and hills.

Everything changed with the advent of global navigation satellite systems (GNSS), first devised by the U.S. military in the 1960s. The arrival in the mid-1990s of the civilian version of the technology, called the Global Positioning System, meant that aircraft could navigate by satellite and take direct routes from point to point; GPS location and altitude data was also accurate enough to help them land.

The FAA is about halfway through its NextGen effort, which is intended to make flying safer and more efficient through a wholesale switch from ground-based navigation aids like radio beacons to a primarily satellite-enabled navigation system. Along with that switch, the agency began decommissioning VHF navigation stations a decade ago. The United States is now well on its way to having a minimal backup network of fewer than 600 ground stations.

Meanwhile, the reliance on GPS is changing the practice of flying and the habits of pilots. As GPS receivers have become cheaper, smaller, and more capable, they have become more common and more widely integrated. Most airplanes must now carry Automatic Dependent Surveillance-Broadcast (ADS-B) transponders, which use GPS to calculate and broadcast their altitude, heading, and speed. Private pilots use digital charts on tablet computers, while GPS data underpins autopilot and flight-management computers. Pilots should theoretically still be able to navigate, fly, and land without any GPS assistance at all, using legacy radio systems and visual aids. Commercial airlines, in particular, have a range of backup technologies at their disposal. But because GPS is so widespread and reliable, pilots are in danger of forgetting these manual techniques.

When an Airbus passenger jet suddenly lost GPS near Salt Lake City in June 2019, its pilot suffered “a fair amount of confusion,” according to the pilot’s ASRS report. “To say that my raw data navigation skills were lacking is an understatement! I’ve never done it on the Airbus and can’t remember having done it in 25 years or more.”

“I don’t blame pilots for getting a little addicted to GPS,” says Todd E. Humphreys, director of the Radionavigation Laboratory at the University of Texas at Austin. “When something works well 99.99 percent of the time, humans don’t do well in being vigilant for that 0.01 percent of the time that it doesn’t.”

Losing GPS completely is not the worst that can happen. It is far more dangerous when accurate GPS data is quietly replaced by misleading information. The ASRS database contains many accounts of pilots belatedly realizing that GPS-enabled autopilots had taken them many kilometers in the wrong direction, into forbidden military areas, or dangerously close to other aircraft.

In December 2012, an air traffic controller noticed that a westbound passenger jet near Reno, Nev., had veered 16 kilometers (10 miles) off course. The controller confirmed that military GPS jamming was to blame and gave new directions, but later noted: “If the pilot would have noticed they were off course before I did and corrected the course, it would have caused [the] aircraft to turn right into [an] opposite direction, eastbound [jet].”

So why is the military interfering so regularly with such a safety-critical system? Although most GPS receivers today are found in consumer smartphones, GPS was designed by the U.S. military, for the U.S. military. The Pentagon depends heavily on GPS to locate and navigate its aircraft, ships, tanks, and troops.

For such a vital resource, GPS is exceedingly vulnerable to attack. By the time GPS signals reach the ground, they are so faint they can be easily drowned out by interference, whether accidental or malicious. Building a basic electronic warfare setup to disrupt these weak signals is trivially easy, says Humphreys: “Detune the oscillator in a microwave oven and you’ve got a superpowerful jammer that works over many kilometers.” Illegal GPS jamming devices are widely available on the black market, some of them marketed to professional drivers who may want to avoid being tracked while working.

Other GNSS systems, such as Russia’s GLONASS, China’s BeiDou, and Europe’s Galileo constellations, use slightly different frequencies but have similar vulnerabilities, depending on exactly who is conducting the test or attack. In China, mysterious attacks have successfully “spoofed” ships with GPS receivers toward fake locations, while vessels relying on BeiDou reportedly remain unaffected. Similarly, GPS signals are regularly jammed in the eastern Mediterranean, Norway, and Finland, while the Galileo system is untargeted in the same attacks.

The Pentagon uses its more remote military bases, many in the American West, to test how its forces operate under GPS denial, and presumably to develop its own electronic warfare systems and countermeasures. The United States has carried out experiments in spoofing GPS signals on at least one occasion, during which it was reported to have taken great care not to affect civilian aircraft.

Despite this, many ASRS reports record GPS units delivering incorrect positions rather than failing altogether, but this can also happen when the satellite signals are degraded. Whatever the nature of its tests, the military’s GPS jamming can end up disrupting service for civilian users, particularly high-altitude commercial aircraft, even at a considerable distance.

The military issues Notices to Airmen (NOTAM) to warn pilots of upcoming tests. Many of these notices cover hundreds of thousands of square kilometers. There have been notices that warn of GPS disruption over all of Texas or even the entire American Southwest. Such a notice doesn’t mean that GPS service will be disrupted throughout the area, only that it might be disrupted. And that uncertainty creates its own problems.

In 2017, the FAA commissioned the nonprofit Radio Technical Commission for Aeronautics to look into the effects of intentional GPS interference on civilian aircraft. Its report, issued the following year by the RTCA’s GPS Interference Task Group, found that the number of military GPS tests had almost tripled from 2012 to 2017. Unsurprisingly, ASRS safety reports referencing GPS jamming are also on the rise. There were 38 such ASRS narratives in 2019—nearly a tenfold increase over 2018.

New internal FAA materials obtained by Spectrum from a member of the task group and not previously made public indicate that the ASRS accounts represent only the tip of the iceberg. The FAA data consists of pilots’ reports of GPS interference to the Los Angeles Air Route Traffic Control Center, one of 22 air traffic control centers in the United States. Controllers there oversee air traffic across central and Southern California, southern Nevada, southwestern Utah, western Arizona, and portions of the Pacific Ocean—areas heavily affected by military GPS testing.

This data includes 173 instances of lost or intermittent GPS during a six-month period of 2017 and another 60 over two months in early 2018. These reports are less detailed than those in the ASRS database, but they show aircraft flying off course, accidentally entering military airspace, being unable to maneuver, and losing their ability to navigate when close to other aircraft. Many pilots required the assistance of air traffic control to continue their flights. The affected aircraft included a pet rescue shuttle, a hot-air balloon, multiple medical flights, and many private planes and passenger jets.

In at least a handful of episodes, the loss of GPS was deemed an emergency. Pilots of five aircraft, including a Southwest Airlines flight from Las Vegas to Chicago, invoked the “stop buzzer,” a request routed through air traffic control for the military to immediately cease jamming. According to the Aircraft Owners and Pilots Association, pilots must use this phrase only when a safety-of-flight issue is encountered.

To be sure, many other instances in the FAA data were benign. In early March 2017, for example, Jim Yoder was flying a Cessna jet owned by entrepreneur and space tourist Dennis Tito between Las Vegas and Palm Springs, Calif., when both onboard GPS devices were jammed. “This is the only time I’ve ever had GPS go out, and it was interesting because I hadn’t thought about it really much,” Yoder told Spectrum. “I asked air traffic control what was going on and they were like, ‘I don’t really know.’ But we didn’t lose our ability to navigate, and I don’t think we ever got off course.”

Indeed, one of the RTCA task group’s conclusions was that the Notice to Airmen system was part of the problem: Most pilots who fly through affected areas experience no ill effects, causing some to simply ignore such warnings in the future.

“We call the NOTAMs ‘Chicken Little,’ ” says Rune Duke, who was cochair of the RTCA’s task group. “They say the sky is falling over large areas…and it’s not realistic. There are mountains and all kinds of things that would prevent GPS interference from making it 500 nautical miles [926 km] from where it is initiated.”

GPS interference can be affected by the terrain, aircraft altitude and attitude, direction of flight, angle to and distance from the center of the interference, equipment aboard the plane, and many other factors, concluded the task group, which included representatives of the FAA, airlines, pilots, aircraft manufacturers, and the U.S. military. One aircraft could lose all GPS reception, even as another one nearby is completely unaffected. One military test might pass unnoticed while another causes chaos in the skies.

This unreliability has consequences. In 2014, a passenger plane approaching El Paso had to abort its landing after losing GPS reception. “This is the first time in my flying career that I have experienced or even heard of GPS signal jamming,” wrote the pilot in an ASRS report. “Although it was in the NOTAMs, it still caught us by surprise as we really did not expect to lose all GPS signals at any point. It was a good thing the weather was good or this could have become a real issue.”

Sometimes air traffic controllers are as much in the dark as pilots. “They are the last line of defense,” Duke told Spectrum. “And in many cases, air traffic control was not even aware of the GPS interference taking place.”

The RTCA report made many recommendations. The Department of Defense could improve coordination with the FAA, and it could refrain from testing GPS during periods of high air traffic. The FAA could overhaul its data collection and analysis, match anecdotal reports with digital data, and improve documentation of adverse events. The NOTAM system could be made easier to interpret, with warnings that more accurately match the experiences of pilots and controllers.

Remarkably, until the report came out, the FAA had been instructing pilots to report GPS anomalies only when they needed assistance from air traffic control. “The data has been somewhat of a challenge because we’ve somewhat discouraged reporting,” says Duke. “This has led the FAA to believe it’s not been such a problem.”

NOTAMs now encourage pilots to report all GPS interference, but many of the RTCA’s other recommendations are languishing within the Office of Accident Investigation and Prevention at the FAA.

New developments are making the problem worse. The NextGen project is accelerating the move of commercial aviation to satellite-enabled navigation. Emerging autonomous air systems, such as drones and air taxis, will put even more weight on GPS’s shaky shoulders.

When any new aircraft is adopted, it risks posing new challenges to the system. The Embraer EMB-505 Phenom 300, for instance, entered service in 2009 and has since become the world’s best-selling light jet. In 2016, the FAA warned that if the Phenom 300 encountered an unreliable or unavailable GPS signal, it could enter a Dutch roll (named for a Dutch skating technique), a dangerous combination of wagging and rocking that could cause pilots to lose control. The FAA instructed Phenom 300 owners to avoid all areas of GPS interference.

As GPS assumes an ever more prominent role, the military is naturally taking a stronger interest in it. “Year over year, the military’s need for GPS interference-event testing has increased,” says Duke. “There was an increase again in 2019, partly because of counter-UAS [drone] activity. And they’re now doing GPS interference where they previously had not, like Michigan, Wisconsin, and the Dakotas, because it adds to the realism of any type of military training.”

So there are ever more GPS-jamming tests, more aircraft navigating by satellite, and more pilots utterly reliant on GPS. It is a feedback loop, and it constantly raises the chances that one of these near misses and stop buzzers will end in catastrophe.

When asked to comment, the FAA said it has established a resilient navigation and surveillance infrastructure to enable aircraft to continue safe operations during a GPS outage, including radio beacons and radars. It also noted that it and other agencies are working to create a long-term GPS backup solution that will provide position, navigation, and timing—again, to minimize the effects of a loss of GPS.

However, in a report to Congress in April 2020, the agency coordinating this effort, the U.S. Department of Homeland Security, wrote: “DHS recommends that responsibility for mitigating temporary GPS outages be the responsibility of the individual user and not the responsibility of the Federal Government.” In short, the problem of GPS interference is not going away.

In September 2019, the pilot of a small business jet reported experiencing jamming on a flight into New Mexico. He could hear that aircraft all around him were also affected, with some being forced to descend for safety. “Since the FAA is deprecating [ground-based radio aids], we are becoming dependent upon an unreliable navigation system,” wrote the pilot upon landing. “This extremely frequent [interference with] critical GPS navigation is a significant threat to aviation safety. This jamming has to end.”

The same pilot was jammed again on his way home.

This article appears in the February 2021 print issue as “Lost in Airspace.”

This article was updated on 21 January 2021.

New Safety Data Tool Available on FAA.gov Website


The Federal Aviation Administration (FAA) is making it easier to research aviation safety guidance material from the Office of Aviation Safety (AVS).

The Dynamic Regulatory System (DRS) combines more than 65 document types from more than a dozen different repositories into a single searchable application. This comprehensive knowledge center centralizes the FAA’s aviation safety guidance material from the Flight Standards Information System (FSIMS) and the agency’s Regulatory Guidance System (RGL).

Each guidance document includes a link to the Code of Federal Regulations provision on which the document is based. DRS contains more than 2 million regulatory guidance documents, which can be browsed or searched. A search engine allows for basic or advanced searches and different ways to sort and view the results. The system includes pending and current versions of all documents along with their revision history. Information in the DRS is updated every 24 hours.

Safety engineering changes at Boeing


The chief project engineer for Boeing’s 737 Max jet told House investigators that he approved a critical design change to software on the plane even though he was unaware of key details about how it worked or of a previous warning from a test pilot that if the system malfunctioned, the results could be “catastrophic.”
That was what happened in October 2018, and again the following March, when the software forced down the noses of two of the new planes in a way their pilots could not overcome, causing crashes that killed 346 people.
The engineer’s acknowledgment is one of several revelations contained in a new report released Wednesday by investigators from the House Transportation Committee. The document details myriad gaps in oversight that allowed federal regulators to certify that the plane was safe to fly even though officials at both Boeing and the Federal Aviation Administration did not fully understand how it was designed.

After months of delays by the FAA, the investigators in May were allowed to view a draft “oversight report” written months after the initial Max crash in Indonesia. The February 2019 draft report considered Boeing’s actions in the years before the deadly incident, and its conclusions shocked investigators. The FAA’s examination “did not reveal any noncompliance” by Boeing, according to the document, meaning that the company was found to have followed federal safety regulations even though the result was a flawed plane.
“That’s the bureaucratic word. It was ‘compliant.’ But the problem is it was compliant and not safe. And people died,” said Transportation Committee Chairman Peter A. DeFazio (D-Ore.). “Obviously, the system is inadequate.”

The final committee report on the Max offers the clearest indication yet that Boeing — or the unit tasked with overseeing the certification process on the FAA’s behalf — could have caught flaws in the Max’s flight-control system during the airplane’s design stage.
But it failed to act on concerns that were raised about the flawed Maneuvering Characteristics Augmentation System (MCAS), which was identified as a factor in both crashes. The Boeing employees were driven in part by what investigators concluded was pressure to get the new planes to customers quickly and without requiring their pilots to undergo extensive retraining — a goal symbolized by “countdown clocks” on the wall of a conference room, according to the report.

The House investigators concluded that the two crashes in less than five months “were the horrific culmination of a series of faulty technical assumptions by Boeing’s engineers, a lack of transparency on the part of Boeing’s management, and grossly insufficient oversight by the FAA.”
“The facts laid out in this report document a disturbing pattern of technical miscalculations and troubling management misjudgments made by Boeing,” investigators concluded. “It also illuminates numerous oversight lapses and accountability gaps by the FAA that played a significant role in the 737 MAX crashes.”

Investigators said Boeing had “multiple missed opportunities” that could have shifted “the trajectory of the Max’s design and development toward a safer course.” The FAA had a series of its own missed opportunities, the report concluded.
The two crashes are “clear evidence that the current regulatory system is fundamentally flawed and needs to be repaired,” investigators concluded.

FAA officials have testified that the agency has learned lessons from the crashes, and have defended the federal oversight system, saying it has helped produce a stellar safety record overall.

“These tragic accidents should not have happened,” FAA Administrator Stephen M. Dickson said in congressional testimony in June. “We continue to work tirelessly to see that the lessons learned from these accidents will result in a higher margin of safety for the aviation industry globally.” But the extent of the agency’s efforts to address its failures remains uncertain, and lawmakers in both the House and Senate are considering ways to strengthen the FAA’s oversight of Boeing and other aviation companies.
DeFazio said he is seeking bipartisan agreement in the House on legislative fixes to the oversight process, and talks are ongoing. The Senate Commerce Committee was scheduled to consider a bipartisan proposal at a meeting Wednesday, but it was pulled from the agenda as committee leaders continued to weigh amendments. Rep. Sam Graves (Mo.), the ranking Republican on the House Transportation Committee, and Rep. Garret Graves (La.), the ranking Republican on the aviation subcommittee, said they will continue to focus on “nonpartisan reports and investigations and the improvements they had identified.”

“Expert recommendations have already led to changes and reforms, with more to come,” the two members said in a statement. “These recommendations – not a partisan investigative report – should serve as the basis for Congressional action.”

Boeing, in a statement, said it cooperated “fully and extensively” with the committee’s inquiry. “We have been hard at work strengthening our safety culture and rebuilding trust with our customers, regulators, and the flying public,” spokesman Bradley N. Akubuiro said. “The passengers and crew on board Lion Air Flight 610 and Ethiopian Airlines Flight 302, as well as their loved ones, continue to be in our thoughts and prayers.”

Akubuiro noted that Boeing has incorporated many of the recommendations contained in previous reports from review committees, experts and governmental authorities, as well as from its own internal reviews, into the 737 Max and the overall aircraft design process. He said Boeing has set up a new safety organization within the company to “enhance and standardize safety practices” and has made internal changes designed to “give engineers a stronger voice and a more direct line to share concerns with top management.”


In addition, its board of directors now includes a permanent Aerospace Safety Committee, and it has expanded the role of the Safety Promotion Center. “The revised design of the MAX has received intensive internal and regulatory review, including more than 375,000 engineering and test hours and 1,300 test flights,” Akubuiro said. “Once the FAA and other regulators have determined the MAX can safely return to service, it will be one of the most thoroughly-scrutinized aircraft in history, and we have full confidence in its safety.”

The FAA said in a statement that it was “committed to continually advancing aviation safety and looks forward to working with the Committee to implement improvements identified in its report.
“We are already undertaking important initiatives based on what we have learned from our own internal reviews as well as independent reviews of the Lion Air and Ethiopian Airlines accidents. These initiatives are focused on advancing overall aviation safety by improving our organization, processes, and culture,” the agency said. The FAA said it has published a notice of a proposed rulemaking for an airworthiness directive “that will mandate a number of design changes to the Boeing 737 MAX before it returns to passenger service. The FAA continues to follow a thorough process, not a prescribed timeline, for returning the aircraft to service.”

The Max remains grounded by aviation authorities worldwide, but it is expected to be cleared to fly again in coming months, following an overhaul of the MCAS software. The process of ungrounding the planes moved ahead Monday when international regulators began meeting at London’s Gatwick Airport to review training requirements for Max pilots.

Michael Stumo, whose daughter Samya died in the second crash, said the report showed that recertification of the Max needed to be stopped. “The FAA and Boeing hid information before and are doing it again,” Stumo said in a statement, saying the victims’ families still did not have technical data on the fixes to the planes that they are seeking under the Freedom of Information Act.

Internal Boeing documents show employees discussing efforts to manipulate regulators scrutinizing the 737 Max. The report draws from interviews with key Boeing executives, top FAA safety officials and others with knowledge of the crashes. Investigators wrote that even months after two fatal crashes, officials at Boeing and the FAA still refused to acknowledge problems with the approval process. “Despite the sweeping and substantive problems that have been identified by this Committee’s investigation as well as various other investigations, both Boeing and the FAA have suggested that the certification of the 737 MAX was compliant with FAA regulations,” investigators found.
The House report highlights the roles of senior Boeing and FAA officials in the development of the jet and responding to the crashes, outlining interviews with Michael Teal, the Max project engineer; Keith Leverkuhn, Boeing’s former general manager for the Max; and Ali Bahrami, the head of the FAA’s safety branch.
The report describes the Boeing officials as “extraordinarily reluctant to acknowledge any missteps or mistakes” and Bahrami as “unphased by many of the revelations that have deeply disturbed many aviation experts and engineers about the MAX.”

Source: https://www.washingtonpost.com/local/trafficandcommuting/boeing-737-max-crashes-were-horrific-culmination-of-errors-investigators-say/2020/09/16/72e5d226-f761-11ea-89e3-4b9efa36dc64_story.html

EASA updates fuel tank and system lightning protection requirements in CS25 Amm 26

See https://www.easa.europa.eu/document-library/agency-decisions/ed-decision-2020024r

SAE investigating System Safety standard for UAS

Automation plays a role in aviation safety for manned and unmanned aircraft systems (UAS). UAS rely heavily on automation through sensory feedback and direct manipulation of controls. Thanks to advancements in sensors, computation and control algorithms, the pace of UAS automation is accelerating, but human interaction still exists on both ends of the spectrum.

Any efforts on aerospace system design and safety assessments have likely been impacted by SAE’s S-18 Aircraft and Systems Development and Safety Assessment Committee, and its ARP4754: Guidelines for Development of Civil Aircraft and Systems and ARP4761: Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment, two standards that have been generally accepted by global aviation authorities for more than two decades as a means of compliance with rules for aerospace system design and safety assurance. ARP4754 provides recommendations for the safe development and design of aircraft and systems, taking into account aircraft functions and operating environments. ARP4761 presents guidelines for performing safety assessments of civil aircraft, systems, and equipment, particularly when addressing compliance with certification requirements.

These documents, along with a host of others currently published and in-development, are widely accepted for manned aircraft. The proliferation of UAS has prompted the S-18 committee to identify shortcomings related to specific technical aspects needed for UAS development. To lead these efforts, S-18 established the S-18UAS Autonomy Working Group. The committee’s first document, AIR7121: Applicability of Existing Development Assurance and System Safety Practices to Unmanned Aircraft Systems, is intended to identify specific gaps in both ARP4754 and ARP4761 processes that affect UAS development, the domains where the gaps should be filled, and provide a common understanding of necessary guidance needed to support development assurance and system safety for both developers and regulators.

The UAS industry is swift and dynamic, so the efforts of the S-18UAS working group are important to both industry and regulators for enabling safe UAS integration into the national and international airspace. These are global efforts, working jointly with EUROCAE WG-63 Complex Aircraft Systems on SAE/EUROCAE documents: ARP4754A/ED-79A and ARP4761/ED-135, along with the SG-1 Applicability of Existing Development Assurance and System Safety Practices to UAS and VTOL.

Source:

Planned 5G telecomms could interfere with Radar Altimeters.

Join RTCA and leaders of Special Committee 239 (SC-239) for a discussion on the planned 5G telecommunications system implementation that could interfere with Radar Altimeters. This will include a discussion on the potential risks to commercial transport airlines; business, regional, and general aviation airplanes; and both transport and general aviation helicopters. The presentation includes an overview of SC-239’s new white paper, Assessment of C-Band Mobile Telecommunications Interference Impact on Low Range Radar Altimeter Operations, which was written to address the potential consequences of interference events. The panel will address your questions and concerns in an interactive Q&A session. Panelists include committee co-chairs Jean-Luc Robin of Airbus and Seth Frick of Honeywell and secretary Dr. Sai Kalyanaraman of Collins Aerospace.

Source: https://register.gotowebinar.com/register/5721352046688435472?source=Curt+Lewis+Blog

The nuts and bolts of safety

An article by Don Porter: https://www.flightglobal.com/flight-international/analysing-the-nuts-and-bolts-of-safety/141209.article

The Federal Aviation Administration (FAA) states that flying on US-based airlines is safe. But the agency equates “safety” with the occurrence of actual accidents – not “incidents” where mechanical issues could result in an accident. An aircraft with undetected maintenance problems is, in reality, unsafe.

It is a truism that a small event can lead to a massive incident. A single match can spark a forest fire that devastates a huge area. In aviation, a tiny nut, bolt or pin – or the absence thereof – can trigger an accident that kills hundreds of people.

Tragedies can result when small mistakes trigger a chain of events

That can be seen in the crashes that led to the grounding of the Boeing 737 Max. While the post-accident focus was rightly on the jet’s automated systems, many factors figured in the demise of the Indonesian and Ethiopian aircraft. But one fact is clear in each case: the deadly chain of events that killed, respectively, 189 and 157 people, began with the failure of a small angle of attack (AoA) sensor.

Max aircraft flew in excess of 10 million passengers between their first days in service in May 2017 and their grounding in March 2019. But they flew with hidden flaws. It took the failures of those AoA sensors – through poor overhaul or damage – to trigger an automatic, computer-driven chain of events that brought the jets down. Although millions of passengers had flown in Maxes without a single accident, the possibility for a crash existed during any one of those flights.

But this is not a new phenomenon. The National Transportation Safety Board’s archives are full of incidents which very nearly became fatal accidents. For example, on 6 November 2019, as a Republic Airways Embraer 175 climbed to 2,200ft, the plane’s nose rose abruptly. The captain clicked the autopilot/pitch trim disengage switch. There was no response. The co-pilot’s trim switch being functional, the crew was able to land after 15 harrowing minutes aloft. The cause: chafed wiring connecting the horizontal stabilizer trim actuator to the captain’s switch. Compounding the error, the switch had been installed upside down.

ABORTED TAKE-OFF
On 17 August 2015, the pilots of Allegiant Air flight 436, a Boeing MD-83, aborted take-off from Las Vegas due to a missing cotter pin in the elevator linkage. No-one was killed or injured, so the event was classified as a serious incident and not an accident. The jet had completed 216 uneventful flights after a mechanic forgot to install the pin. A bolt usually retained by the pin fell out, jamming the elevator. If the crew had continued the take-off, there’s little doubt the aircraft would have crashed, probably killing many of the 162 people aboard.

Here’s what the FAA safety inspector who investigated the incident wrote to his superiors: “I recommend that a sanction be added for each of the 216 flights that were flown… in an unairworthy condition.” But his bosses disagreed, and no punitive action was taken against the air carrier or its maintenance contractor.

One does not have to look too far back to see what might have been.

On 1 September 1961, TWA flight 529, a Lockheed L-049 Constellation, crashed four minutes after departing Chicago, killing all 78 people aboard. The cause: someone forgot to install a cotter pin on a nut. It caused the elevator controls to jam, making the aircraft uncontrollable.

Three weeks later, also in Chicago, a Northwest Airlines Lockheed L-188 Electra crash killed 37. The cause: a missing 2in (5cm) piece of safety wire in the aileron linkage that someone forgot to install.

To reiterate: 115 people died because a cotter pin and 2in of safety wire were missing.

Of course, all machines are susceptible to mechanical failure, and that applies to aviation whether the aircraft was built in 1950 or rolled off an assembly line this afternoon. No-one disputes that things can go wrong; that is why aviation’s rules and regulations are so prescriptive.

But until the industry establishes greater emphasis on a workplace culture committed to safety above all else, and applies that consistently across the globe, the existing safety margin that should protect flightcrews and billions of air travellers will continue to be eroded.

Don Porter is a former FAA-licensed mechanic, technical representative, and product support manager for a major aircraft manufacturer. He has investigated hundreds of mishaps, some ending in tragedies. His latest book, Flight Failure: Investigating the Nuts and Bolts of Air Disasters and Aviation Safety, is out now.