15 June 2015
Safety in the Air: Technology, People and Practice
Professor John Turner
This lecture covers the issues behind air safety, primarily in the context of commercial air travel but also drawing on lessons from elsewhere. For those nervous about flying, air travel is one of the safest modes of travel in the world. But we can only understand air safety by appreciating the threats and the outcomes if safety fails, so discussion of aircraft accidents and other potentially disturbing aspects is important, if only to learn how past tragic events have contributed to making flying today safer. This subject’s complexity prevents examination here of all of the issues or of any in real depth so this lecture provides just glimpses as it covers what is needed to make a flight safe, the regulators, what we can do to help ourselves and today’s air travel safety record.
A SAFE FLIGHT REQUIRES …
Where the air passenger sees just an airport with its security and shops at the beginning and end of their journey, and in between the inside of an aircraft and its crew, for a proper perspective we must understand all of the many strands that need to be in place to produce a safe flight. A safe flight requires:
· a safe air vehicle to be flown in …
· a safe environment by …
· a safe crew operating to …
· safe procedures and supervised by …
· safe management
This five-pronged approach comes from a BAE Systems flying governance document that covers all that Company's aviation activities, worldwide. Although those activities include unmanned air vehicles, experimental manned prototypes and production aircraft, display flying, airliners, military training & target aircraft, test pilots, flight test engineers, airline pilots and the company’s employees when they get on an airliner to travel on business, these principles work in every case.
There is no mention of Regulation; under a multi-national company’s corporate responsibility, regulators can sometimes become almost irrelevant as the company tries to apply equal levels of care to all its employees, regardless of whose jurisdiction they come under. However, aviation regulators do play an important part in establishing the minimum levels of air safety within their own jurisdictions.
SAFE AIR VEHICLE
A safe air vehicle needs to be:
· Designed safely
· Manufactured safely
· Maintained safely
· Prepared for flight safely
A successful airliner will operate at relatively high speeds, carrying lots of passengers and their bags with the fuel needed to travel a long distance. Jet engines are most efficient at high altitude so it must operate at low outside temperatures and pressures while sustaining a warm, low altitude environment in the cabin so we do not need to wear thermal suits and oxygen masks when we fly off on holiday.
The airliner must be strong enough to withstand repeated exposure to turbulence throughout its life, to absorb strikes from lightning without degrading its electrical systems or giving the passengers an electric jolt, cope with ice accretion and hailstones, and other natural phenomena like birds. The designer will also want to build in some margin to allow for the occasional heavier than perfect landing by the pilots; for transport category aircraft approved by the Federal Aviation Administration (FAA) and the European Aviation Safety Agency (EASA) a minimum factor of 1.5 is required. The designer looks at the worst that can happen under any circumstance and then applies the safety factor to determine the structural strength required. Safety factors apply to all aspects of a design such as structure, systems and software.
There are fundamental requirements, such as ensuring that no single failure would lead to a dangerous situation. For example, “Each aircraft door must be designed so that, during pressurized flight, no single failure in the locking system would prevent the locks from restraining the latches necessary to secure the door.” It is also important that the design eliminates the potential for a single fault developing into an unsavoury chain of events that could hazard the aircraft.
Over the relatively short (112 years) life of manned heavier than air aviation, design specifications, detailing how the aircraft must be built, the required safety margins, and means of demonstrating compliance with those regulations have grown in size and complexity each time something was learnt about aircraft structure, systems and their behaviour in the real world when operated by real people. FAA Part 25 requirements for design extend to over 1,800 items in 86 detailed sections covering everything imaginable in detail such as § 25.820 that states, “All lavatory doors must be designed to preclude anyone from becoming trapped inside the lavatory. If a locking mechanism is installed, it must be capable of being unlocked from the outside without the aid of special tools.”
The aircraft manufacturer has a vested interest in the safety of their aircraft (not least because the Technical Director (and others) can end up in jail if the design is faulty) but once the design is complete it falls to the manufacturing teams to actually build the design. Manufacturing is usually a large, multi-skilled team, often working shifts, that is faced with transforming design instructions – on paper or a computer screen - into structure and interdependent systems.
Built as Designed?
Even with modern computer aided design, there are still occasions in initial build when, through differences in engineering tolerances, subcomponents do not to fit preciselyas the designers expected. This can be reconciled quickly if manufacturing and design teams work these issues together but it is sometimes tempting for a manufacturing team under pressure just to ‘make it fit’, even though that means the same issue will persists on follow-on items.
This is where a company’s internal culture is important. All humans are prone to make errors and design and manufacturing teams are no exception. The question is how the company reacts to these errors. At one time, companies assumed everyone was either perfect or incompetent. Acknowledging or pointing out an error was considered a sign of weakness and a reason for dismissal; today we would call that a ‘blame culture’. The behavioural reaction to a Blame Culture is silence and cover-up; it invites a downward spiral of risk and incidents and is a major inhibitor on learning and safety so that if an item does not fit, it gets a little ‘percussive adjustment’ with a hammer until it does. These actions would appear eventually, perhaps during acceptance flight test when expensive remedial action would be needed; sometimes they might only become apparent in service.
Just Culture Today’s aerospace industry has embraced ‘Just’ Culture. Just Culture, which must be instigated and supported by the senior management of a company; it means that people are treated fairly, with empathy and consideration when they have been involved in a safety incident or have raised a safety issue. Just Culture encourages the honest and open reporting of errors or omissions as and when they occur. This not only allows immediate corrective action, it also allows any systemic errors, such as errors in design drawings or sub-component manufacture to be fixed. It is important to understand that a ‘Just’ Culture is not a ‘No-blame’ Culture, which allows a blanket amnesty for all unsafe acts. In a Just Culture, reckless or deliberate wrongdoing will be punished severely. Culture has a massive influence on safety and we will re-visit it later.
Aircraft build brings together elements of structure, hardware and software and putting the right parts in the right place is absolutely critical. With physical parts it is relatively easy to check; colour, shape and serial number stamped on the side will identify the component and standard being fitted and if it is missing you can see the empty space. With software it is much more difficult and computers control almost every function within the aircraft, including engines, pressurisation, electrics, hydraulics, landing gear, navigation controls, nose-wheel steering and flying controls. The code inside these computers is inserted or updated by connecting up a storage device to the aircraft, squirting in the code and then removing the device. Only the person connecting the device knows it has been done but they may not be aware of the precise nature of the code they have just ‘squirted ‘ in; someone else may have loaded the memory device. This means that ‘Configuration Control’, the control of the hardware and software standards being installed on the aircraft is fundamental to aircraft safety. Because it lacks physical characteristics, delivery of software to the aircraft has to be strictly controlled, both in manufacture and throughout its working life.
Most of us think of software as fairly easy to use and pretty reliable. Day to day we accept that our computers freeze - usually just before we have saved an important piece of work; none of us would want that to happen in aircraft software! Aircraft software is produced and classified according to the criticality of the function it provides. At the highest level, flight control software will be written by different teams and coded into different boxes to avoid any common mode failures. The code will also be double-checked by independent scrutinisers. Much lower down, the entertainment software will be compiled following normal domestic arrangements, and be no more reliable. Despite recent news reports, the critical and the trivial software areas are kept well separated from each other for safety and also to make upgrades simpler to perform.
During aircraft development, we conduct detailed tests on the ground and in flight to ensure the systems work as expected and that the aircraft meets the safety and performance standards demanded by airworthiness certifying authorities such as FAA or EASA, but that would be several weeks worth of lectures. Suffice to say here that oncethe development phase is complete and the aircraft is in production, every aircraft is put through Production Flight Acceptance Test, to ensure it operates as intended and achieves the full performance levels. This is a final ‘quality assurance’ check conducted before the aircraft is delivered to a customer.
In 1985, Japanese Airlines Flight 123 suffered an explosive failure of the rear pressure bulkhead that caused extensive damage to the rear of the aircraft, severing the hydraulic lines of all four systems and damaging a large portion of the aircraft’s horizontal stabilizer and vertical rudder. This was attributed to an improperly executed repair several years prior to the accident that led to undetected local fatigue cracking, which undermined the bulkhead's strength, eventually leading to a catastrophic failure of the entire bulkhead.
Inspection, repair, replacement
Maintenance means the on-going routine of inspection, repair and replacement of life-expired or worn parts, generally conducted under three regimen as follows:
· ‘A Check’ - every 250 flight hours or 200-300 flights, 20-50 man-hours, often overnight while the aircraft is parked at an airport.
· ‘B Check’ - approx. 6 monthly, 120-150 man-hours in an airport hangar.
· ‘C Check’ - every 20-24 months or by manufacturer-specified flight hours, inspecting alarge majority of the aircraft's components. Invariably occurs in a maintenance area. Takes 1-2 weeks and up to 6,000 man hours; the aircraft remains out of service until complete.
Licenced maintenance engineers + approved manuals
Maintenance crew performance is just as important as the flight crew and aircraft maintenance engineers are licenced in a similar way. They are only permitted to sign off work for which they are qualified and they work to maintenance manuals that detail each step of each process, showing not only what should be done but also what must be recorded in the aircraft documents.
Work on critical systems such as flight controls is subjected to 'two person checks' where one person will carry out the work and another will verify it has been done before the work is signed off. This is another area where working culture has a significant impact on safety and where regulators expect to see Just Culture at work.
Prepared for flight safely
Separate from maintenance is the daily servicing activity, a mixture of technical (replenishment of essential fuel, engine oils, hydraulics, catering and drinking water and emptying of toilets) and non-technical Ground Handling which International Air Transport Association (IATA) defines as ‘…the complex series of processes required to separate an aircraft from its load (passengers, baggage, cargo and mail) on arrival and to combine it with its load prior to departure’.
Ground handling occurs outside in all weathers with hazards like noise, jet engines that can suck in the unwary at one end and blow them over at the other, (or whirling propellers) and many vehicles manoeuvring around the aircraft with everyone under pressure to achieve an on-time departure. In 2007, ground handling aircraft damage incidents were recorded at a rate of one per 5000 flights, mainly while the aircraft was parked.
These have safety implications for the aircraft (and cost implications for the airlines) and prompted the Dutch National Aerospace Laboratory to develop, and EASA to endorse,a Human Factors (HF) training package on “Ramp Resource Management”. Despite its title, this course is for all who work on the ramp, not just the managers, to make them aware of not only ground handling processes and safety regulations but also issues such as team working, threat and error management and human performance and human limitations. HF training helps create and reinforce a positive safety culture and is a critical and cost-effective first step in identifying, recognizing, understanding and managing human performance issues that play such a major part in ground handling accidents. It is not yet mandated but it is a positive discriminant for airlines selecting a handling agent.
Weight and Balance
The flight crew will be concerned that the aircraft has been loaded correctly so that it is within its maximum weight and correctly balanced for flight. Weight has a critical impact on take off performance and the engine thrust and pitch trim settings that will be used, yet much of the loading occurs out of sight of the crew. If the aircraft is not balanced correctly, so that its centre of gravity is in the correct place, it will not fly at all well. This is another area where data control and accuracy is vital.
Finally, we have the passengers and items they introduce to the aircraft. Passengers will have checked in bags that will be locked in the hold and carried on (hopefully) smaller items. Most small electrical devices such as mobile phones, tablets, laptops, electric toothbrushes, razors, etc. etc. use batteries. Today’s lithium batteries can store greater energy in a smaller volume than earlier types; they can also fail and generate exceptional amounts of heat for their size. These are a new type of hazardous air cargo; many cargo airlines refuse to carry them in bulk and new rules have been introduced to cover them in passenger aircraft. There is still some variation around the world but in general small batteries (less than 2gm for lithium metal batteries and less than 100Wh for lithium ion batteries) are allowed in passenger hand and hold luggage. Spare batteries, electronic ‘e’cigarettes and “security-type” equipment containing lithium batteries are prohibited from the hold. There are also strict rules on safety matches and lighters. All the rules are based on the risk profile these items pose to the operation. Since they can vary depending on the regulator, it is wise take a close look at the airline website the next time you fly, to see exactly what needs to be packed where. This will save you any possible embarrassment and make the flight safer for everyone else.
Our safe operating environment starts with the aerodrome fire and rescue capability, which is usually invisible to passengers. It is sized and equipped be able to start fire-fighting operations anywhere on the airfield within 2 minutes and bring any aircraft fire under control within 1 minute. This is always the case if you are flying on a commercial scheduled flight.
Air Traffic Control
Air Traffic Control (ATC) trigger the fire & rescue teams when necessary but normally just coordinate movement of the aircraft from and its stand, to the runway, into the air, onwards to its landing destination and gate for disembarkation.
Most commercial flights are planned along air routes that segregate airliners from un-known aircraft and provide safe separation from each other. These routes were established to run from radio beacon to radio beacon which aircraft used to find their way, following a pointer needle on their compass display. With satellite-based navigation systems, aircraft now track precisely down airway centrelines, passing directly over each beacon and exactly over the top of each other. This increased accuracy has therefore reduced separation between aircraft by taking out the variability in tracks that the old systems had provided. (As a result, airliners are now permitted to set their navigation system to follow a track to the right of the airway centreline by up to a mile, restoring separation distances.) How close together do airliners fly? The rules reflect the capabilities and limitations of radar and aircraft altimeters.
Altimeters measure atmospheric pressure and can be set to indicate height, altitude or flight level. For many years, a minimum vertical separation of 1,000’ up to 29,000’ increasing to 2,000’ from 29,000’ to 41,000’ (because pressure variation with height is reduced at the upper levels) the atmospheric pressure is lower) was used. With increased altimeter accuracy, the higher-level separation was reduced to 1,000’ in March 1997 when ICAO and member states introduced Reduced Vertical Separation Minimum (RVSM) but aircraft must have inter alia two independent altimeters and pass an altimeter accuracy monitoring flight every two years.
In contrast, the minimum lateral separation is measured in miles, limited by the relatively poorer discrimination of air traffic control radars, where the reflected radar blip was too spread out to allow a controller to safely permit aircraft inside of 5 miles from each other. Transponders have made aircraft more visible to the ATC controllers and now transmit large blocks of data about the flight and verify the ‘blip’ return. Five miles lateral separation remains the general rule, though this reduces to 2 miles or less when radar and the latest aircraft transmitted identification systems permit. Significantly, ATC can now separate aircraft flying into Heathrow by time rather than distance which helps to sustain arrival rates (at one aircraft every two minutes) regardless of wind conditions. So, sometimes airliners can be as close as 300 metres vertically, but rarely less than 2 nm horizontally and usually more than 5 nm.
Traffic Collision Avoidance System
Transponders also provide additional protection. Aircraft equipped with Traffic Collision Avoidance System (TCAS, pronounced T-Cas) also detect other aircraft’ transponder pulses and use these to flag up to the crew potential conflicts or to issue resolution guidance if necessary. TCAS provides audio-visual alerts and indicates any rate of climb/descent required to ensure separation if necessary. Following a tragic mid-air collision in 2002 the aviation community internationally all adopted the same rules for responding to TCAS alerts, requiringpilots to obey and follow TCAS resolution guidance regardless of any ATC contrary instructions until the TCAS indicated an ‘all clear’.
Transponders & future developments
Advanced transponders such as mode S and Automatic Dependent Surveillance-Broadcast (ADS-B) use satellite navigation information and transmit automatically theirprecise position, velocity (both vertical and horizontal), altitude and other details to controllers and nearby aircraft; they can also receive data from the ground such as weather and air traffic service information. This is at the heart of a USA project called ‘Next Generation Air Transport System (NextGen) that by 2025 should transform the US air traffic system from ground (radar) based to a satellite-based system with increased system capacity and reduced delays with aircraft flying direct from departure to destination airfield; the expectation is that lateral separation minima will also be reduced. Direct routing will not only reduce journey times it will further reduce the environmental impact of air travel. EUROCONTROL, an intergovernmental Organisation with 41 Member States has similar plans for air traffic management across Europe.
Satellite-based surveillance depends on cooperation by aircraft carrying and operating the necessary equipment so there will be challenges in ensuring that every aircraft carries the necessary equipment and that it is serviceable; its basic modes might have to be activated automatically whenever the engines are running. There will be those in civil aircraft – and smugglers are the obvious people – who have an interest in remaining undetected, as may some military aircraft such as the Russian bombers that frequently test our air defence forces. All this means that the demise of radar is probably a long way off
Weather has a major influence on aviation, especially in parts of the world where it presents much more extreme phenomena than it does in the UK. The aviator’s defence consists of accurate pre-flight forecasts, in-flight updates and flight deck technology that detects heavy rainfall associated with thunderstorms, plus radios and Aircraft Communications Addressing and Reporting System (ACARS) that allows messages, including weather information, to be transmitted between aircraft and ground stations.
The atmosphere behaves like a fluid. It is subject to variable heating that makes parcels of air move up and down relative to each other causing turbulence; whole air masses will also rise and fall depending on relative temperatures. Falling air generates high pressure at the surface while rising air creates low pressure; the air then tries to flow from the high pressure to the low pressure. However, our earth’s rotation creates the Coriolis effect so that in the northern hemisphere the air circulates anti-clockwise around areas of low pressure and clockwise around areas of high pressure. At the global level, Coriolis effect deflects the winds blowing from subtropical highs to arctic lows to the right, giving the UK its prevailing southwesterly wind. Global wind patterns influence long international flight times which is why (for example) flight time from Toronto in Canada to London Heathrow is generally only a little under 7 hours but takes closer to 8 hours in the opposite direction.
Prior to flight, pilots receive a briefing on en-route wind and weather with particular emphasis on predicted areas of thunderstorms (cumulonimbus clouds) and jet streams, both of which are associated with turbulence, as well as forecast weather at their destination and alternate airfields in terms of visibility, amount, height and types of cloud and anticipated weather. We always plan an alternate airfield in case the destination becomes unsuitable for any reason. Once in the air, the flight crew continue to update forecast information and monitor actual conditions at their destination and any alternate airfields; this gives them a ‘feel ‘ for the likely accuracy of any forecast and suitability of the weather at destination for landing.
While you might not be impressed with the area weather reports provided by TV and radio, aviation weather briefings are usually quite accurate and becoming increasingly so as satellite information becomes increasingly detailed.
Regulators provide detailed guidance on the effects of thunderstorms and their associated turbulence for pilots, such as in the UK Civil Aviation Authority (CAA) Aeronautical Information Circular P 056/2010. However, avoidance is always the best policy and an aircraft’s weather radar provides a good indicator of thunderstorms, leaving the pilots with the task of deciding which on a best route, which can be difficult as the situation is very dynamic. The usual drill is:
· Weather Radar – to monitor the situation.
· Routing – adjusted to what appears a safe option.
· Speed – reduced to VA, the maximum speed at which full control defections are permitted, giving the most control authority for autopilot or manual flying.
· Cabin – seat belt signs on and if things look particularly inclement, cabin crew warned to secure trolleys and strap into their seats too.
Options to avoid the worst thunderstorms are bounded by the need to arrive at destination with sufficient fuel so as a rule; an early smaller heading change is preferred. Once close to a storm, individual cells can build quickly so the pilots will seek to avoid the most active areas, as well as any areas from which new cells of activity may be developing.
The pilot’s interpretation of the weather radar picture and understanding of how best to gain th information on which to base decision making is illustrated in Figures 1 & 2.
|Figure 1 - Weather Radar – Routing options||
Route A: The most direct route to destination BUT the biggest risk to both the aircraft and its occupants.
Route B: Tempting to attempt to squeeze through the gap but lower Cb cells may develop and close the gap. Tilting the radar down will explore this risk.
Route C: Appear a reasonable balance of risk versus operational need but the cell to the right has a marked change over a short distance, suggesting wind shear.
Route D: Apart from total avoidance, the lowest risk route but with operational implications on fuel reserves, timings, etc.
|Figure 2 – Weather Radar – Routing options
When faced with a wall of severe Cumulonimbus cells, it would be prudent to turn back. However, when over a large ocean or already some way into an extensive storm system, turning around may not be an option.
Then any areas where the edges of the various severity levels change rapidly e.g. Route E should be avoided.
Route Fis preferred route with the aircraft flying at speeds around the Design Manoeuvring Speed.
Thunderstorms can also occur at the airfield. The deluge of rain that accompanies a storm can precipitate sudden, strong downdrafts called microbursts; when this air hits the ground it flows out in all directions. An aircraft approaching the micro-burst experiences an increase in airspeed that becomes a sudden reduction as it passes through to the other side; all the time the aircraft’s momentum will have kept it travelling at a fairly constant groundspeed.
There is a danger that pilots (or the autothrottle) may respond to the sudden increase in airspeed by a major reduction in engine power, which then leaves the aircraft flying too slow and with little engine thrust as it exits the downdraft. Even without a thunderstorm, there can be marked variation in wind strength with height, called wind shear, creating a similar effect. Wind shear has caused several accidents in the past, as have the more severe examples generated by microbursts. Today pilots are taught to avoid making an approach to land through or beneath an active thunderstorm and aircraft and airports are fitted with equipment that can detect wind shear and alert the pilots before making an approach or about to take off.
There are non-weather hazards too. Volcanic eruptions spew vast quantifies of material into the atmosphere for the air currents to disperse over enormous areas. These present as much a challenge to the engine manufacturers and regulators in deciding what affect the volcanic dust particulates will have when ingested by an aircraft’s engines. (The manufacturers go to great lengths to test their engines before they enter service but it has not been possible to predict and then test for every type of particle that volcanoes might produce.) Despite pleas from airline passengers and operators, the safest course, when engineering cannot predict an outcome, is to avoid the situation altogether; otherwise, we undo the ‘safe environment’ requirement.
Since Iceland’s Eyjafjallajökull erupted in April 2010 and severely disrupted European and transatlantic air travel, more has been done to understand volcanic ash composition and its potential affect on aircraft engines. On 1st of this month, the UK meteorological office announced that anetwork of nine static and one mobile particle-sensing Light Detection and Ranging Systems (LiDARs) had been installed across UK to improve detection and aid forecasting of volcanic ash in the event of future eruptions.
LiDAR works by probing the atmosphere with a pulsed laser source then collecting backscattered light from suspended aerosols in a receiver (telescope) to profile the vertical distribution and characteristics of particles in the atmosphere. Each unit will be collocated with a sun photometer to support ongoing research into more accurate and timely estimates of particle concentration levels.
Met office forecasts are used by the National Air Traffic Service (NATS) to make decisions on flight safety across UK airspace, based on the thresholds set by the Civil Aviation Authority (CAA) and the International Civil Aviation Organisation (ICAO). This will all contribute to reducing disruption from future events.
Seagulls flying over a nesting colony show how adept they are at keeping out of each other’s way. Unfortunately, birds are not always so successful in avoiding faster moving aircraft. Aerodromes go to great lengths to keep bird populations away from airports. Measures include growing the grass long, so that feeding birds cannot seek approaching predators and move off to somewhere safer, bird scaring with loud noise or recorded distress calls and sometimes using real or mechanical raptors, again to dissuade birds from the area. Each aerodrome also safeguards its surrounding from any developments such as rubbish tips that might attract birds in large numbers.
Birds usually dive when they spot an approaching plane so that impacts are relatively rare. However, when they occur they can be quite dramatic; this was the result of a single goose that failed to get out of the way of a Hawk flying at low level at 420 kt in 1983. The damage continued inside as the goose penetrated into the foot well of the front seat, taking out most of the aircraft avionics and electrics on the way; this was my first occasion to call “Mayday” but escaped media attention. In contrast, Capt. ‘Sully’ Sullenberger quite rightly made the news when he achieved a safe ditching on the Hudson after a flock of Canada geese disabled both the engines of his twin-engine Airbus A320 in January 2009. His ability to quickly weigh up the situation, appreciate the lack of options and then, in a completely unscripted and unpractised manoeuvre, glide his aircraft onto the water probably had much to do with his earlier experience in the Air Force and in accident investigation. His professionalism and judgement saved all 155 people on board, most of whom were completely uninjured.
There is a threat from irresponsible people trying to illuminate aircraft with high-powered laser pointers. Aviation is not the only form of transport prone to this type of attack, which can dazzle and temporarily blind a pilot. Nor is it confined to the UK, but this year there have been two instances of pilots suffering permanent eye damage from a high power laser in UK. An intergovernmental UK Laser Working Group is collating evidence and investigating what measures, such as import controls and changes in the law could provide an effective deterrent.
It costs about £100,000 to complete an integrated training course and gain an airline pilot’s licence. This involves some 200 hours of flying, nearly 800 hours of ground instruction in aircraft systems, international weather, aviation theory and law and successfully passing 14 multiple-choice exams set by the CAA on behalf of EASA. This of course assumes that the student had the aptitude to become a pilot as well as the financial support necessary. (Some flying schools will accept anyone with the necessary funds but the Air Pilots offer an independent assessment based on the aptitude tests used by the Royal Air Force at Cranwell for those contemplating a career as a pilot.)
Gaining a licence is just the first step. Next you must complete ‘Type Training’ to learn about the aircraft you will fly with the airline. This is more ground instruction, usually computer based training (CBT) and then simulator lessons and a flying test. This kicks off a cycle of training and testing that will continue until retirement with an annual Licence Proficiency Check (LPC) examination of manual flying skills in the simulator accompanied by Operators Proficiency Checks (OPC) to monitor compliance with airline standard operating procedures (SOPs) and ‘Line Checks’ flown with company training pilots.
Automation has become something of a conundrum. Over recent decades, as aircraft systems became increasingly reliable, the proportion of accidents attributed to human (and often pilot) error increased. This led a drive for increasing automation and complex Advanced Flight Control Systems (AFCS) that were not only capable of protecting the aircraft from stalling but could also control the aircraft from just after take off to landing have become increasingly common.
An aircraft stall is very different from a car engine stall. Aircraft fly because the wing shape makes the air flow faster over the top surface than the bottom, producing lower pressure above the wing than below and ‘sucking’ the aircraft upwards. The upward force is called ‘lift’ and increases gradually as the angle of the wing to the airflow, known as angle of attack (AOA), is increased. However, as AOA is increased further, there comes a critical angle where the airflow above the wing cannot flow smoothly but breaks down into turbulent eddies; the low pressure area is lost, disrupting lift, and the eddies create additional drag and reduce roll control so the aircraft adopts the characteristics of a stone, until smooth airflow can be re-established by reducing the AOA.
Increased use of automation then reduced the rate of human error incidents, so airlines mandated their crews not to ‘hand fly’ unless it was essential; some now insist that the pilot retains the auto-throttle engaged even when hand flying. Eventually, it seemed, we would be able to dispense with the pilot altogether!
Two accidents suggested there was a problem. In each case, the aircraft entered a stall from which the pilots were unable to recover. On both occasions the accidents occurred at night and the the autopilot disengaged unexpectedly. In one, the aircraft was already stalled when the autopilot disconnected; in the other, the pilot inadvertently stalled the aircraft after the autopilot disconnected. Other factors were involved but both accidents indicated that the crews had not been prepared for a sudden, unexpected reversion to manual flying. A number of Upset Prevention and Recovery Training (UPRT) initiatives have occurred as a response.
Medicals and other training
Each year, increasing to every six months as they get older, the pilot must pass a medical assessment with a qualified Aviation Medical Examiner (AME) doctor. The medical looks inter alia at the heart, lungs and kidney functions, circulation, hearing, eyesight, internal organs, and reflexes and includes a review of the candidate’s physical health since the last medical as well as an assessment of mental attitudes. It is, in effect, a ‘spot check’ and within Europe there is not yet a consensus on whether it is intended as a health screen or an assessment of likelihood of incapacitation for the period of the medical certificate.
Pilots and cabin crew also receive training on fire fighting techniques (including practice at finding and extracting survivors from within a smoke-filled aircraft cabin), first aid and the use and location of all the aircraft emergency equipment. Cabin and flight deck crews also have regular Crew Resource Management (CRM) training, looking at Human Factors and how they can be deployed effectively to improve flight safety and effectiveness.
Armoured flight deck doors, capable of withstanding small arms fire and a grenade, were introduced rapidly in all the larger airliners following the 2001 9/11 attacks on USA. This not only made the use of an airliner as a weapon much less likely as intended, it also curtailed incidents of hijack and, more importantly, the number of people kiiled in hijack events. The number of hijacks of passenger airliners/innocent deaths had risen from 4/0 in 1950’s, 12/11 (disappeared in N Korea) in 1960’s, 42/195 in 1970’s, 26/156 in 1980’s, 16/258 in 1990’s, reducing to 15/2 in 2000’s and 6/0 in 2010’s
At first the door was generally disliked by crews because it posed a new barrier to effective cooperation and understanding between the flight deck and cabin crews; almost all communication was now restricted to the interphone rather than face-to-face. It was also a major distraction until security cameras showing the vestibule were introduced so the door could be opened (to receive drinks and snacks) without one pilot leaving their seat. However, over time the increased security became accepted and appreciated, albeit flight crews – and cabin crews - had to accept that the door would always remain locked if there was any sign of altercation in the cabin, regardless of what was happening to the cabin crew.
With the locked door in place, all communication (other than an occasional passage of refreshments) had to be through the Interphone, rather than face to face. For instance, a means of establishing that it was safe – in the security sense - to open the door (to receive the refreshments) had to be established. In the increasingly unlikely event of a technical fault, the flight crew will action emergency checklists and may need to divert to an alternate airfield rather than continue to destination. In the process, the flight crew need to ensure the cabin crew are fully briefed on the Nature of the emergency, their Intentions, the Time to any possible landing and any Special instructions such as whether it will be necessary for the passengers to evacuate using escape slides after landing or if the aircraft will taxi to a stand as normal. The Nature, Intentions, Time, Specials (NITS) format is pretty universal in airline operations; the formulaic briefing ensures the flight crew do not forget to mention anything important and the cabin crew anticipate and receive structured essential information. It also removes any temptation to digress to the irrelevant.
Good procedures remove uncertainty and in normal operation provide a sequence of familiar and practiced trigger events. For instance, after passengers have boarded and the doors closed, the Captain can confidently give a ‘welcome’ to the passengers on the PA, knowing the cabin crew will not start their emergency briefing until he is starting the engines. As another example, the cabin crew will hear the reduction in engine setting when starting final descent to the destination airport and the flight crew will confirm this with a ‘bing-bong’ on the PA system. Another ‘bing-bong’ will warn the cabin crew when there is only 10 minutes to landing. At about 1,000 ft above the airfield, the landing gear will be lowered and the cabin crew asked to strap in for landing, following which the senior cabin crewmember will check all locations via interphone before indicating to the Captain that the cabin is secure for the landing.
Similar flight deck procedures allow the pilots to coordinate relatively complex actions during departure, climb, cruise and descent and approach and landing with the minimum of conversation other than challenges read from the checklist by the pilot monitoring and responses from the pilot flying. During the busy take off, departure, arrival and landing segments, airlines adopt a ‘sterile’ flight deck procedure during which the pilots are not interrupted by the cabin crew and the pilots restrict themselves to discussion and action of operational tasks only.
These internal procedures provide a defence against human error by establishing a flow of events and best practice for set situations. They also establish ‘this is how we do things around here’ so that, for instance, if a checklist is significantly interrupted part way through – or some checklist items are temporarily ‘undone’ – everyone knows the only safe course is for the checklist to be started again.
Standard Instrument Departures, Standard Arrivals, Final Approach Departure and arrival flight profiles are determined by the airfields and, after much scrutiny, approved by regulators. This ensures that aircraft can depart and arrive in safety, taking account of airliner performance under normal and failure conditions.
The first requirement of management is to ensure all the above is in place and that the operation is safe with all risks brought to as low a level as is practicable (ALARP). A management team that has a good understanding of the unusual risk factors in aviation and the things that will aggravate or mitigate those risks should be well placed. Many airlines are well managed, and these are the airlines that pilots want to work for and which keep hold of their pilots to retirement age of 65.
Safety Management Systems
One way to ensure all levels of management retain visibility of the risks inherent within their business is through a Safety Management System (SMS). This is structured to cover:
· Safety policy and objectives, starting with a statement by the airline’s accountable manager/chief executive officer to indicate top management buy-in.
· A description of whom in the organisation is accountable and responsible for safety.
· A statement of the risks carried by the operation and their mitigations.
· A description of how continuing safety is assured through incident reporting and investigation.
When constructed thoroughly and used properly, this document describes how the organisation keeps itself safe and, through regular review, captures any developments that threaten continued safety. However, it is important that management does not believe that they are safe because they have an SMS. Having an SMS does not keep you safe but using one properly really helps to do so.
Maximums & Minimums
Aviation regulators apply limits – either maximum or minimums - to many aspects of an airline’s operation as they feel necessary to ensure safety. For example, there is a limit on the number of hours a pilot is permitted to fly each year and minimums placed on rest periods required between flights. Quite understandably, when a regulator sets a limit, the operator wants to work right up to it; to do otherwise might place them at a commercial disadvantage to other airlines who might (e.g.) need less crew to complete the same flight schedule.
This also applies to flight and cabin crew training, which inevitably becomes the regulatory minimum. Aircraft manufacturers also seek regulator agreement on reduced training hours for their new aircraft types; this might be logical if all the new equipment made life easier for the pilot rather than adding complexity and additional features to be learnt and understood. These pressures of reduced mandated training appear to be significant factors in the automation issues mentioned earlier. Some airlines have already introduced additional training while others will await their regulator’s mandate, insisting that if it is not mandated it is not necessary.
Some airlines have started to adopt novel employment practices on the basis of fiscal efficiency, e.g. charging their new pilots for the privilege of flying – while carrying fare paying passengers – knowing the new pilot needs to build up flying hours and experience to be employable more widely within the industry and with the ‘better’ employers. This is called “Pay 2 Fly”! Some airlines that are busy with holiday traffic in the summer have adopted 7-8 month contracts to avoid retaining pilots over the lightly loaded in the winter months. Commercial pressure and a steady supply of low hours pilots emerging from the training schools has skewed the employment market place. It appears there are always jobs for freshly qualified pilots at the low end of the pay scale who will cover the cost of Type Training themselves, yet few for the more experienced (and more expensive) first officers who were laid of for the winter and unable to find re-employment. These types of arrangements creates uncertainty within the airline industry and has led to pilots switching airline more frequently and sometimes flying for more than one airline at the same time. This disrupts the sequence of annual training topics and reduces pilot familiarity with an airline’s procedures. Denmark is leading an investigation into the implications of these types of pilot contract and should report its findings to EASA.
In the past, airlines would register aircraft and base their operation in a single county and be overseen by a single regulator. With aviation’s increasingly international nature, we now see airlines registering aircraft in one country and basing in another with major portions of the operation in a third. This might make perfect commercial sense but fragmentation of regulatory regimes in this way would obstruct any single regulator’s understanding of the operation, with the potential for aspects to fall in the gaps between regulators and be missed.
This is not to suggest that such behaviour is wrong, but that it is contrary to what most regulators, who are charged with ensuring the safety of the over-flown population as well as the travelling passenger, have become accustomed to overseeing. EASA has now established a ’New Business Models Working Group’, with representatives from 11 nations (including UK) and the European Commission, to investigate the business and safety issues of such arrangements.
Inclusive Safety Culture
Transition from Blame Culture to Just Culture improves operational safety markedly, though its effectiveness is only as good as the treatment last received by someone raising a safety concern. To move this forward, further work on aviation company culture suggests that the real requirement is to establish an Integrated Safety Culture, which brings together the elements described in Table 1.
|Table 1 – Elements of an Integrated Safety Culture.|
|Open culture||• Staff feel comfortable discussing safety incidents and raising safety issues with both colleagues and senior managers.|
|Just culture||• Staff are treated fairly, with empathy and consideration when they have been involved in a safety incident or have raised a safety issue|
|Reporting culture||• Staff have confidence in the incident reporting system and use it to notify managers of incidents that are occurring, including near misses
• Barriers to incident reporting have been identified and removed:
· staff are not blamed and punished when they report incidents
· the confidentiality of the reporter is respected
· they receive constructive feedback after submitting a report
· -the reporting process itself is easy
|Learning culture||• The organisation:
- is committed to learn safety lessons
- communicates them to colleagues
- remembers them over time
|Informed culture||• The organisation has learnt from past experience and has the ability to identify and mitigate future incidents because it:
- learns from events that have already happened (for example, incident and fatigue reports and investigations).
These elements working together ensure that safety issues are addressed appropriately and effectively rather than being hidden. Furthermore, the table above probably represents the kind of culture in which we would all like to work. Company culture is a top-down process; it has to be agreed and adopted at the highest levels first, then introduced through all layers of an organisation. As with SMS, this is another area where it is not enough to have a policy; it is essential for everyone to behave in the way the policy requires to achieve a progressive reduction in human factor errors that otherwise lead to unsafe practice, unsafe aviation and unnecessary company expense.
As already mentioned, regulators play an important role in setting and monitoring safety standards.
Aviation’s international coordinating body is called the International Civil Aviation Organization (ICAO). ICAO is a UN specialized agency, that originated in 1944 when 52 states signed of the Convention on International Civil Aviation (Chicago Convention). The Convention now has 191 Member States and ICAO works with these and global aviation organizations to develop international Standards and Recommended Practices (SARPs) which States reference when developing their legally enforceable national civil aviation regulations. ICAO can only make recommendations to the States, it has no executive power over them so agreement of ICAO recommendations can take a long time - 14 years is not unknown, even for a no-cost change to be adopted – and then countries may adopt only those ICAO recommendations with which they agree.
There are currently over 10,000 SARPs reflected in the 19 Annexes to the Chicago Convention which ICAO oversees, and (as ICAO puts it) through which – together with ICAO’s complementary policy, auditing and capacity-building efforts – today’s global air transport network is able to operate close to 100,000 daily flights, safely, efficiently and securely in every region of the world.
FAA & EASA
The USA has long had its FAA providing oversight and guidance on aircraft build and aircraft operations. Its requirements are now largely mirrored by the much younger EASA that has authority over Europe’s airlines, having taken that over from the individual States. The take-over was not without trauma; logic might suggest that the safe way to integrate European aviation was to apply the most stringent rules of any of the nations, but this ignored different states having developed different requirements to meet their particular situation. There are other significant regulators around the world including those in Canada and Australia but in general all are converging towards very similar requirements.
As already discussed, regulators establish the minimum standards that airlines must meet – which in many cases will be the best an airline gets. The availability of different regulators around the world could be a considered a factor that might slow down the introduction of significantly more stringent changes where these might leave one regulator’s operators at a commercial disadvantage. That does not prevent changes being made but it does make those changes more difficult. Nonetheless, a significant event such as 9/11 can quickly lead to an update in requirements that rapidly becomes a worldwide standard. Similarly, ICAO responded quickly to the disappearance of Malaysia Airlines MH370 by proposing new requirements for aircraft tracking and location beacons.
Flying is as safe as….?
This question is really, "How likely am I to have an accident?" Before talking about statistics, we will look at some past accidents that (I hope) will help to put this into context. This for two reasons:
· First, any organisation will have an agenda and choose statistics that best support that agenda. That leaves the same thing being reported by different numbers, with different definitions and presentations. Most of my data will be raw from ICAO which includes cargo-only flights but is the category most of us are in when we buy an air ticket.
· Second, statistical analysis usually ends with a numerical or percentage level of risk, while in real life, those figures can be meaningless – there is no such thing as 23% dead. I will stick to whole numbers!
An airline history
A western airline (that I like to fly with) had 8 accidents reported in the 44½ years since 1st January 1970, one of which did not seem to be an accident in the usual sense. Fatal accidents in the 1970s involved a mix of human factor and technical failures but the 1983 fatal accident aircraft landed safety. 1997 and 2015 concerned accidents in the landing phase; the latter remains under investigation. In 2008 people were injured when the aircraft flew through the wake of another airliner that was some 10 nm away; a timely reminder to keep your seatbelt fastened when in your seat.
In 1983, a toilet fire caused electrical problems and spread causing dense smoke. After landing, the aircraft was evacuated immediately but 23 people perished. This event caused the introduction of smoke detectors and a ban on smoking in the lavatories; it also prompted the installation of emergency lighting on the floor to indicate which way to go while crawling beneath a layer of smoke. The investigation also revealed that cabin crew did not receive sufficient training or practice in the use of fire fighting equipment that was on board the aircraft, prompting a change in training requirements.
The 1983 accident started with unserviceable fuel gauges, which left the flight crew reliant on the daily servicing team who loaded the correct quantity of fuel required, but in pounds and not kilograms; the tanks contained less than half the fuel expected. First one engine stopped, then, as they were flying towards the nearest suitable airfield, the other. Without electrics and hydraulics normally provided by the Boeing 767’s engines, the pilots had just a few basic instruments and hydraulics from a windmill-type pump that extended automatically into the slipstream; there was nothing in the emergency checklist about flying without any engines. The Captain was an experienced glider pilot and the First Officer (FO) started calculating their glide performance, from a mechanical altimeter and range to the airfield from ATC. It quickly became apparent that they would be on the ground before they reached the airfield.
The First Officer suggested they try for a disused air force base where he had served in the past, not realising that part of the runway had been turned into a race track and there was a race in progress. The Captain had to use a gliding manoeuvre (deliberate sideslip), to control glide angle and achieve a touch down heavily but successfully on the remaining half of the runway, only 17 minutes after running out of fuel. There was no fire and no serious injuries amongst passengers or crew.
In January 2008, the First Officer on a Boeing 767 became unwell, appearing disorientated and confused. He was removed from the flight deck and the Captain assisted by a passenger who had flight experience, though not a professional licence, during the diversion to a nearly airfield. The unusual nature of the event meant it was reported to the regulator and appears in the list of airline accidents though many might not see it as such. However, this is a good time to discuss another First Officer event that ended very differently.
The French authorities’ accident report into Germanwings 4U9525 on 24 March noted six other instances that appeared to be pilot suicide/murder. One I discount because only the pilot was on board. Pilots are not super human but just a segment of Humanity with the same variety of traits, life-pressures and behaviours as everyone else. You will see that the accidents span the introduction of locked flight deck doors and some occurred with two pilots on the flight deck. The FAA required two people on the flight deck at all times in parallel with the locked door, more to ensure there was someone able to open the door from the inside, rather than to prevent pilot suicide; following the Germanwings accident, the ‘two person rule’ is becoming common practice. T
4U9525 has also prompted a re-evaluation of the medical oversight of professional pilots and of the visibility afforded personal medical data in some parts of Europe. In UK, Aviation Medical Examiners (AME) are considered part of occupational medicine. Their first duty is to their patient and in any case it would be extremely difficult for an AME to detect if a pilot were determined to hide a problem at a routine medical examination. However, UK doctors are legally required to report to the correct authority if they feel that a patient’s condition could pose a potential danger to public safety; that would be a judgment call and difficult to quantify or indeed identify exactly when that might be necessary.
These rules vary between countries; Germany, for historical reasons and contrary to EASA demands, does not permit external transmission of medical notes, even to support (or deny) the issue of another country’s flying licence; Germanwings parent company Lufthansa had no sight of the first officer’s medical records of severe depression and suicidal thoughts. We might expect changes in those areas.
UK AMEs point out that there is a considerable difference between a reactive depressive pilot, some of whom are known to be flying quite safely using medication, and someone with an imbedded desire to die. We should be reassured that these matters are under review despite the tiny number of instances (in comparison to the total number of flights that occur every day).
Pilot ‘catches’ Some of the media suggested that pilot-less airliners would be a good solution but we have already heard of two instances where pilots were able to save their passengers despite devastating technical issues. With the addition of two more incidents we eclipse the number of lives lost with a greater number saved by pilots.
A final thought before the hard figures. In some accidents the aircraft floats or lands heavily but relatively intact. When I’m a passenger I always read the safety card to note how the doors are opened; I don’t want to get to a door and not know where to feel for the release. I also pay particular attention to how the life jacket is secured because these vary tremendously from aircraft to aircraft. Finally, I glance at the brace position but more importantly recall advice from an RAF Flight Safety Magazine of many years ago reporting into the British Midland accident at Kegworth in 1989:
· Seatbelt fully tight and low on your lap.
· Legs not under your seat or the one in front, geometrically locked with heels firmly on the floor.
· Head below the height of the seat in front and protected by our hands, one on top of the other with the hand you’d use to release the belt buckle underneath. – Iffingers are interleaved, both hands will be broken by heavy items from the overhead lockers.
The aim is to be ready and fit enough to exit the aircraft as quickly as possible.
The number of flights annually is on the rise again and in the first 45 minutes of this lecture, more than 2700 airliners will have taken off around the world. In 2014 there were only 21 fatal air transport accidents, which despite the 990 deaths recorded make it the safest year for air travel. These figures include the shoot-down of MH17 in Ukraine, the disappearance of MH370 and an ambulance flight that crashed in Libya. Breaking those figures down gives us 4 scheduled passenger flights, 4 regional and commuter passenger flights and one ambulance flight; the remaining 12 were cargo-only flights.
A review of annual deaths for global air travel verses those for pedestrian deaths in just Great Britain shows that today we are as likely to be killed crossing the road as the global population is to die in an air transport accident. In the USA, annual pedestrian deaths (in a country that tends to drive everywhere) run at about 4,700, which dwarfs even the 990 air transport deaths in 2014.
Air travel today is exceptionally safe. Many airlines have an enviable record. Air safety will need to respond to new technologies, as it has to the introduction of lithium batteries, and to continuing commercial pressures on airlines. The drive for reduced (and less personalised) training, founded on a belief that each airliner is easier to fly than its predecessor, is at last under challenge as regulators begin to see the need for more training to stop the automation conundrum. Hopefully this will be matched by a public awareness that piloting is a highly skilled profession operating in a complex and sometimes challenging environment and is not about just pressing a few buttons.
Finally, recent trends show that your chance of being involved in an airline accident is exceptionally small; you really should be more worried about driving your car or crossing the road than about taking a trip by air.
© Professor John Turner, 2015
 BAE SYSTEMS Corporate Flying Standard Policy 2010
FAA Part 25 CFR 25.303, EASA Part 25 CS 25.303
 FAA Part 25 CFR 25.783 (d) (3) (iii)
 ‘Aircraft Accident Investigation Report Japan Air Lines Co Ltd Boeing 747 SR-100. JA8119 Gunma Prefecture. Japan August 12, 1985’, Aircraft Accident Investigation Commission, Ministry of Transport, June 19 1987 <Tentative translation from the original in Japanese>
 ‘Safety of ground handling’, A D Balk, NLR-CR-2007-961, Nationaal Lucht- en Ruimtevaartlaboratorium http://easa.europa.eu/essi/ecast/wp-content/uploads/2011/08/NLR-CR-2007-961.pdf
 EASA’s European Commercial Aviation Safety Team (ECAST) Ground Safety Working Group and the Netherlands’ National Aerospace Laboratory (NLR) report NLR Air Transport Safety Institute NLR-TR-2012-483 December 2012
 The number of fire vehicles, their foam making capacities and the number of fight fighters are established on the basis of the weight, size and passenger capacity of the aircraft using the airfield.
 Total of 3 minutes to control the fire compares favourably with FAA/EASA Part 25 certification requirement that the cabin to be unaffected by any wheel fire for at least 5 minutes after aborted take off at maximum all up weight.
 May not be the case for a business jet flying to smaller airfields in some parts of the world.
 On the night of 1 July 2002 a Bashkirian Airlines 2937 (Tupolev Tu-154M with 60 passengers and 9 crew) and a DHL 611 (Boeing 757-23APF cargo aircraft with 2 pilots) collided over the towns of Überlingen and Owingen in southern Germany. All 71 were killed.
 Unserviceable/unavailable fire and rescue facilities of the standard required for the aircraft, runway
 Continental Connection Flight 3407 flying into Buffalo-Niagara International Airport, New York and Air France 477 flying towards Paris
 On 1 November 2003, ICAO Annex 6 Chapter 13.2.2 amended to “all passenger-carrying aeroplanes of a maximum certificated take-off mass in excess of 45,500 kg or with a passenger seating capacity greater than 60 shall be equipped with an approved flight crew compartment door that is designed to resist penetration by small arms fire and grenade shrapnel, and to resist forcible intrusions by unauthorised persons. This door shall be capable of being locked and unlocked from either pilot’s station”
 Lamb, B. & Clutton, N. (2010) “Crew Resource Management within interprofessional teamwork development: Improving the safety and quality of the patient pathway in health and social care.” Journal of Practice Teaching and Learning, Vol 10(2), 4-27.
 On average, 1.16 flights take off each second of the day!
 If you are a private pilot or going for a flight with a private pilot your risk of an accident is many times higher than for a commercial flight. Gyrocopter pilot accident rates were once as high as one death every 1,300 flying Tooilhours but have improved considerably over recent years.