“Why is Flight so Safe?
How Could it be Safer”
-An Overview
April 28, 2003
Kenneth A. Pickar
J. Stanley Johnson Professor
Visiting Professor of Mechanical Engineering
California Institute of Technology
pickar@caltech.edu
www.its.caltech.edu/~kpickar
Subjects for today’s Lecture
– Safety statistics
– Equipment Design and Manufacturing
Processes
•
•
•
•
•
•
•
Design for Reliability
Safety Equipment
Redundancy
Error management
Risk and risk reduction
Post mortum analysis for root cause(s)
Testing
– Regulation
• Certification
• Process
• Management of “near misses”
– Air traffic Control
Subjects for today’s Lecture
– Environmental Issues
• Weather
• Icing
– Maintainance
– Cultural Factors
•
•
•
•
Hierarchy
Openness
Conservatism
Ethical Considerations
– Future Improvements
• Security
• Congestion
• Human control vs Automation vs
Automation assist
Accident Rates
(Source Boeing Co.)
U.S. Aviation Accident Rates per 100,000 Flight Hours
Year
General
Aviation
Total/Fatal
Air Taxi
Total/Fatal
Airlines
Total/Fatal
Corporate/
Executive*
Total/Fatal
Business#
Total/Fatal
1992
8.36/1.80
3.86/1.22
0.146/0.032
0.210/0.080
2.17/0.86
1993
8.94/1.74
4.16/1.15
0.181/0.008
0.230/0.070
2.02/0.52
1994
8.96/1.81
4.58/1.40
0.168/0.030
0.180/0.070
1.81/0.51
1995
7.72/1.55
4.39/1.41
0.267/0.022
0.250/0.110
2.04/0.67
1996
7.09/1.34
4.44/1.43
0.276/0.036
0.140/0.060
1.71/0.34
1997
7.26/1.39
2.65/0.48
0.309/0.025
0.230/0.060
1.41/0.39
1998
7.47/1.41
2.08/0.45
0.297/0.006
0.091/0.000
1.14/0.30
1999
6.42/1.15
2.36/0.36
0.296/0.011
0.230/0.130
1.40/0.40
2000
6.32/1.18
2.25/0.62
0.311/0.016
0.125/0.060
1.28/0.37
2001
6.56/1.22
2.12/0.53
0.239/0.036
0.108/0.031
1.06/0.23
Comparison of Travel Modes
US Passenger Fatalities per million passenger miles
YEAR
Autos1
Buses2
Railroads3
Airlines4
U.S. PASSENGER FATALITIES PER 100 MILLION PASSENGER
U.S. PASSENGER FATALITIES PER 100 MILLION PASSENGER
1989
1.12
0.04
0.06
0.09
1990
0.99
0.04
0.02
0.003
1991
0.91
0.04
0.06
0.03
1992
0.83
0.04
0.02
0.01
1993
0.86
0.02
0.45
0.01
1994
0.91
0.03
0.04
0.06
1995
0.97
0.03
0.00
0.04
1996
0.96
0.02
0.09
0.08
1997
0.92
0.01
0.05
0.01
1998
0.86
0.05
0.03
0.00
1999
0.83
0.07
0.10
0.003
2000
0.80
0.01
0.03
0.02
0.88
0.03
0.08
0.02
10-Yr.
Avg.
http://www.air-transport.org/public/industry/display1.asp?nid=1036
Annual Airline Traffic
Year
Revenue
Passenger
Miles (X
1000)
•
•
1960
1970
1980
1990
2000
1,200 4,949
9,369
17,628
27,431
One revenue passenger transported one mile in revenue service.
Source:
http://www.bts.gov/publications/nts/html/table_air_carrier_profile.html
How did Air Transport become
so reliable?
•
•
•
•
Not an accident
Full systems view of issue
Engineering plus Culture
Obvious causes have already been found
(single point failures)
• Accidents now occur through an “unlikely” chain
of events
• Improvements continue to be driven by the
increase in passenger traffic (despite recent
downturn)
• Security now the hot button
• Equipment Design and Manufacturing
Processes
– Design for Reliability- In design process
assure that entire system is robust against
failure
•
•
•
•
•
Redundancy
Error management
Risk and risk reduction
Post-mortum analysis for root cause(s)
Testing
How do you make a very
complex system reliable?
• Redundancy
• Test each component and then test entire
system
Design for Reliability
•Functional hazard assessment--identifies and categorizes
conditions that might result in a system failing or other serious
consequences to the airplane
•Failure modes and effects analysis (FMEA)--systematically
identifies system-and component-level failure modes and then
looks at the effects on the design
•Fault-tree analysis--assesses the likelihood and effects of
combined failures within a given system
•System separation and survivability analysis--assesses
the ability of an airplane’s systems to survive damaging events
and identifies changes to enhance the likelihood that the plane
and passengers will survive an accident.
Failure Modes and Effects
Analysis
• FMEA - Failure Mode and Effects Analysis
a pro-active engineering quality method
that helps you to identify and counter weak
points in the early conception phase of
products and processes
FMEA
Failure Modes and Effects Analysis
Consider
• Part
• Function
• Failure Mode
• Cause
• Result
• Consequences
• Severity
• Probability
• Minimization Approach
FMEA Root Cause Analysis
Fault Tree analysis
Seal Regulator
Valve Fails
Valve Fails Open
when commanded
closed
Excessive
leakage
1
Next
Page
Excessive
port leakage
6
Excessive
case leakage
7
Regulates
High
Regulates
Low
Fails closed
when commanded
open
2
3
4
Fails to meet
response time
Excessive
hysteresis
5
Fails to meet
response time
8
Fails to meet
response time
9
Reliable Manufacturing
– In-process testing
redo until right
Build in Quality
– Qualify product
Qualify Process
– Meet specifications
Control Variations
– Focus on Yield
Focus on Defects
(Six Sigma)
Aerospace manufacturing- effect on safety
(compared with consumer products)
Plusses
• Very long product
cycles (Enables
learning)
• Parts traceability
• Certification process
•
•
•
•
Minuses
Extreme complexity
Very low volumes
(slow learning curve)
Very narrow supply
base (and shrinking)
Tradition of high cost
Reliability as a function of System Complexity
Why computers made of tubes cannot be made to work
# of components
in Series
Component
Reliability =
99.999%
Component
Reliability =
99.99%
100
250
500
99.9
99.75
99.50
99.01
97.53
95.12
1000
10,000
100,000
99.01
90.48
36.79
90.48
36.79
0.01
Testing
•
•
•
•
At component level beginning early
Modularized software
At Systems level
HAST (Highly Accelerated Stress Testing
to failure)
• Cp, Cpk design
• Physics-Based predictive failure
– E.g., Ultrasound probe for metal fatigue
Reliability Physics
Bathtub Curve
Failure Rate
Infant
#/million hours
Mortality
Useful life
Replace
Burn-in
Time
Wear out
Testing of the A6
• “A number of ground tests were done to simulate
long term effects on the aircraft. The most
important of these tests was the fatigue failure.
Although the test airframe developed (23
October 1975) a crack at about the 5,000 hour
point (80% of expected lifetime), an airframe
strengthening modification was incorporated into
the test assembly and testing was successfully
completed to the expected lifetime point of 6,000
hours”
– Ref
http://www.wpafb.af.mil/museum/research/attack/a6/a
6-16.htm
Airframe reliability
Messenger M.38 2A 6339 G-AIEK RG333 Airworthy Bristol p/s England
Built in December 1946;
For sale in 1998
DC-3
Although the basic design of the aircraft is now almost 70 years old, hundreds of
DC-3s and C-47s remain in military, commercial and private use worldwide
http://www.nzwarbirds.org.nz/dakota/history.html
B52 bombers will stay in service to their 90th birthday (2040s)
Aloha Airlines
April 1988
“Pre-existing fatigue cracks in the fuselage from numerous takeoffs and landings”
Maintenance
• Most profitable part of the business (“razor
blade business”)
• Some Issues
– Counterfeiting and substitution of nonqualified parts
– Short cuts/errors
Cockpit equipment designed to
enhance safety
• Black Boxes
• CFIT (Controlled Flight into Terrain) and
EGPWS (Enhanced Ground Proximity
Warning System)
• TCAS ( Collision Advoidance System)
http://www.egpws.com/general_information/videos/mov/mode1.mov
Black Boxes
Black boxes-
To learn from accidents
• Radio and acoustic beacons that aid in retrieval
• Flight Data Recorder
– Captures speed, heading, altitude, rate of climb or descent,
accelerations, and decelerations.
– Engine thrust and the position of control surfaces
– Flight crew and autopilot control actions
• Cockpit voice recorder:
– All cockpit noises, including radio communications, flight
crew announcements, and flight crew conversations.
Culture of pilots
•
•
•
•
•
•
Careful, methodical
Apprenticeship
Training
Simulation
Qualification
Regulation
Influence of Culture
The Influence Of Culture On Cockpit Communication
• Regions with high accident rates also share similar cultural
values, such as power distance
— the inability of subordinates to question the actions of
superiors and recommend alternative courses of action
— and uncertainty avoidance, which emphasizes rigid
adherence to rules and procedures that reduces the
directness and bluntness of communication. Direct and rapid
communication, though, is often essential if accidents are to
be avoided or critical situations surmounted.
James Schultz
Quest January 2002 • Volume 5 Issue 1
Influence of Culture
• Litigious American Culture
– Finger pointing in accident inquiry
• Engineering Culture
– Fix the problem
• Business Culture
– Damage limitation
•
A380: ‘More Electric’ Aircraft Imagine the weight and complexity of an all-hydraulic flight control system on a 500-to-600-passenger aircraft. Airbus has thought of that possibility and turned, in part, to electrically powered
actuators.By Charlotte AdamsFor years engineers have dreamed of an all-electric aircraft. They have envisioned a concept called "power-by-wire," in which electrical power moves aircraft flight surfaces. Gone would be the
complex, heavy, maintenance-intensive, and (in combat) vulnerable hydraulic systems with their flammable liquids operating at high temperature and pressure. Gone, too, would be the miles of tubing, the pumps and valves.
Weight could be shifted from plumbing to passengers, fuel or mission payloads. The transition to an all-electric aircraft is still many years in the future. But aircraft engineers have tested electrohydrostatic actuators (EHAs), which
combine electrical and hydraulic power: hence the evolutionary "more electric aircraft" idea. EHAs are electrically powered but use small hydraulic pumps and reservoirs that transform electrical power into hydraulic power. Airbus
has worked with EHA flight control technologies for more than a decade. A320 and A340 flight test beds have operated since 1993-94 and 2000, respectively. The U.S. military’s Joint Strike Fighter and C-141 Electric Starlifter
programs have tested EHA systems, as well. Airbus has baselined EHA flight controls for its coming super jumbo aircraft. A related concept baselined on the A380 is variable-frequency (VF) power generation, which will enable
the production of additional power more reliably, at lower maintenance cost, and for less weight, compared to current systems.Tackling a Big JobThe A380’s sheer size seems to dictate a new approach to flight control
technology. Its wingspan is about 262 feet (80 m)—nearly the size of a football field—and its length is slightly less, making the plane the largest conventionally configured aircraft ever built, Airbus says. The twin-deck fuselage is
equivalent in size to an A340 cabin atop a Boeing 747 cabin, according to Airbus. Although the A380’s vertical and horizontal stabilizers were made "small," relative to the overall aircraft size, to save weight, they are outsized
compared to earlier Airbuses. The A380’s vertical stabilizer has the area of an A320 wing and the new airplane’s horizontal stabilizer is equivalent to a pair of A310 wings.To move these huge surfaces hydraulically, only, was
considered but was discarded in favor of a hydraulic-plus-electric flight control architecture. When Airbus began to work on the A3XX concept, as the A380 was known four or five years ago, the company started with a baseline
similar to the A340, says Michel Comes, Airbus director of engineering systems for the A380. (The A340’s flight controls are powered by three hydraulic systems.) But because there are more and larger control surfaces than in
previous generations, the A3XX would have required much more hydraulic power—more tubes and fluid. This would have added weight and complexity, with hydraulic power generation and distribution elements. However,
hydraulic power, which has been used for decades and is well understood, is the primary power source for A380 flight control, says Dominique van den Bossche, Airbus department head for actuation and hydraulics.Among other
considerations, the A3XX’s larger dimensions would have required the use of long, large-diameter hydraulic lines to minimize pressure loss, making them heavy and more difficult to install, says van den Bossche in a recent
paper. And the aircraft’s larger engines would have made the routing of hydraulic lines in the fuselage more difficult. Triply BeneficialThe use of electrically powered actuators, however, allows designers to efficiently segregate
power distribution channels and save weight, the Airbus paper adds. Increased hydraulic pressure in the remaining hydraulic circuits—from 3,000 psi to 5,000 psi—also saves weight. It reduces the size of components,
generation equipment, tubing, and the amount of fluid required, and makes installation easier. Overall, the benefits are clear: improved reliability and maintainability; reduced weight and increased cost savings; and increased
safety margin because of the use of dissimilar power sources. "Because of the dissimilar [flight control] architecture, if we lose hydraulic power, the aircraft does not lose any flight handling capabilities," Comes explains. "There is
no impact on the performance of the aircraft."Electrohydrostatic actuation will generate large weight savings. "The combinati on of the higher hydraulic pressure and the ‘more electric’ flight control architecture led to a weight
reduction of approximately [3,307.5 pounds] 1,500 kg for the aircraft," Comes explains. For variable-frequency power generation, "weight was not the driver," he adds. That decision "was more oriented to reliability and
maintenance cost.""It’s clear that we are oriented more and more toward the ‘more electric aircraft,’" Comes says. "We have worked more than 10 years on electrohydrostatic actuators to see whether we could have a more
dissimilar architecture for flight control." Airbus has defined a "two-plus-two" architecture, he explains. "The flight control actuation system is powered from four independent power sources—two hydraulic and two electrical
circuits. These power sources are distributed on the actuator set." Airbus is working on electrohydrostatic technology with TRW, Liebherr and Smiths Industries (formerly Dowty). An electrohydrostatic actuation award or awards
had not been announced at press time.Airbus also has baselined variable-frequency (VF) electrical power generation. VF power generation allows designers to discard the complex, heavy and difficult-to-maintain equipment
necessary to convert variable-speed mechanical power produced by the engines to constant-frequency electrical power traditionally used by aircraft systems. Recently, Airbus chose a joint venture of Thales and TRW
Aeronautical Systems (formerly Lucas Aerospace) to provide the VF electrical power system for the A380.Not surprisingly, because of its use of "more electric" flight controls and the cabin and galley power demands of this huge
aircraft, the A380 requires more electrical power than a comparably sized, hydraulically powered plane. Airbus plans to use four variable-frequency electrical power generators, each outputting 150 kilovolt amperes (kVAs). The
company anticipates a near-term requirement of 380 kVAs in cruise, Comes says. Moving to variable-frequency power generation increases reliability, Comes says. "We don’t need the constant-speed drive, one of the main
fragile parts of generators." He expects power generation reliability to increase by about 50 percent. TRW pioneered variable-frequency technology on Bombardier’s Global Express business aircraft, which uses the company’s
40-kVA variable-frequency generators. TRW also has designed 90-kVA and 120-kVA generators and is developing a 150-kVA unit for the A380.Variable-frequency power generation is new to large aircraft, says Klaus Fuchs,
vice president of technology and engineering for TRW Aeronautical Systems. Power frequency, or cycle time, is constant for 80 to 90 percent of a flight but can vary from 400 to 800 Hz during takeoff and landing. EHAs have
been designed to be compatible with VF, he says. TRW’s VF developers also wanted to ensure power quality. They adopted Mil-Std-704E power quality standards for VF technology in order to reduce any impact on user
equipment. They also developed advanced electromagnetic technology, high-speed electronic voltage regulation and system protection to maintain high-level power quality over the wide output range. VF technology increases
overall power system reliability, reducing operating costs, Fuchs says. TRW estimates airlines will save up to $16 in operati ng cost per flight hour from the change in generator technology. The new variable-frequency generators
also are designed to be cheaper than current systems. TRW also envisions the emergence, in 10 to 15 years, of distributed electronic engine controls. The company, for example, wants to introduce a "smart" electronic fuel
metering unit. "The idea is to reduce weight and increase reliability," Fuchs says. TRW sees the day when engine control will be distributed rather than centralized. "In the future," Fuchs predicts, "each individual unit will have
electronics built into it." That will pave the way for the next step—to give engine units "smart diagnostics." Distributed electronic controls will reduce the weight of engine control systems and allow superior engine monitoring and
diagnostics.Such an engine control architecture will increase reliability, save weight and reduce costs, Fuchs predicts. "With a decentralized system, you don’t need the thousands of feet of wire [now attached to a central control
box]. "You only need to link the local control computers [into a network] via a data bus." A large civil aircraft engine with electronic controls could shed about 100 pounds (45 kg) through the simplification of wire harnesses, TRW
claims. TRW already has demonstrated a three-node engine control system incorporating a "smart" fuel valve. The system features a two-channel electronic controller embedded in the fuel valve that takes fuel flow demand data
from the data bus and correspondingly adjusts valve position. Smart engine control units, the company estimates, can isolate faults with "100 percent certainty" and save 20 to 30 percent of engine maintenance costs. The
concept of decentralized control also can be extended to the flight control actuators, Fuchs says. With more electronics in the actuators, "you could predict how long an actuator will last." Today airlines have to perform actuator
maintenance checks "irrespective of whether the actuator could still fly for another 1,000 hours," he adds. Electric Engines?Further down the road, TRW hopes to replace fuel pumps, still driven by a mechanical gearbox, with an
electrically driven pump, although this enhancement would still be classed in the "more electric" range. With additional changes to electrically powered components, however, the "all-electric" engine comes into view. This system
could focus on producing thrust and predominantly electrical power. TRW has been working closely with Rolls Royce on "more el ectric" engines. Vulcan: A Revolutionary ForebearThe Royal Air Force’s famous delta-wing
Vulcan bomber, a key nuclear deterrent at the height of the Cold War, employed electrohydraulic-powered flight controls in the 1950s. The Avro factory in Woodford, Manchester, built 134 of the type from 1954 to 1962. Although
nearly half a century has passed since then —and many generations of flight control equipment—the Vulcan is a revolutionary forebear of today’s electrohydrostatic actuator (EHA) technology. The Vulcan was one of the last
British-designed and -manufactured large military aircraft, about the size of a Boeing 737.The Vulcan’s electrohydraulic powered flying control units (PFCUs) were designed in the early ’50s by Boulton-Paul, which became part of
Dowty Aerospace, now Smiths Aerospace, says Robert Pleming, director of the Vulcan Operating Co. Ltd., an organization dedicated to returning XH558, the RAF’s last Vulcan, to flight under civilian auspices. The Vulcan’s flight
control system was primarily electrically powered. In addition to an airborne auxiliary power plant, each of the aircraft’s four engines had its own alternator. Each alternator could provide enough power for the PFCUs. This
"massive redundancy" meant that "even if you lost multiple engines, you could still have all flight surfaces working," Pleming says. "There are 10 PFCUs on the Vulcan, four on each wing for the eight elevons [elevators plus
ailerons] , and two units (main and auxiliary) for the rudder," Pleming explains. "Each PFCU consists of an electric motor driving main and servo hydraulic pumps and a hydraulic jack to move the control surface." Movement of
the cockpit controls operates the assembly, supplying hydraulic fluid to the appropriate side of the jack and moving the control surface.The PCFU includes a stoke limiter "to prevent excessively harsh movements of the control
surface," Pleming says, "and a lock valve to prevent the control surface from flapping in flight in the case of a hydraulic pressure failure." A bleed valve "allows pressure in the jack to equalize slowly, allowing the control surface to
trail to a no-load position in case of failure."Although in Vulcan’s heyday, there was no such thing as a reliability database, the RAF flew the aircraft from 1957 to 1984, including action in the Falklands campaign. Given the
elegant and powerful aircraft’s enduring popularity, the RAF continued to fly it in air shows until 1993, when the last of the type, a B2 configuration that had entered service in 1960, was retired. A major reason the restoration
project has gained wide support from the original manufacturer (now considered to be BAE Systems) is Vulcan’s "exemplary in-service safety record, the result of its highly redundant design," Pleming says. The UK Civil Aviation
Authority also strongly supports the project, he adds. The Vulcan Operating Co. hopes to return XH558 to flight in 2002. Visit www.tvoc.co.uk. A380 Flight Controls—Up CloseThe Airbus A380 has two elevators on each side of
the horizontal stabilizer. Each elevator has one hydraulic and one electrohydrostatic actuator (EHA). There are two rudder surfaces, each of which uses two electrical backup hydraulic actuators (EBHAs). These add backup
electrical power through a local electric motor and an associated hydraulic pump. EBHAs are hydraulically powered in the normal mode and electrically powered in backup mode. The tail’s trimmable horizontal stabilizer (THS)
will be driven by a ball screw actuator powered by two hydraulic motors and a standby electric motor, explains Dominique van den Bossche, Airbus department head for actuation and hydraulics.Each elevator surface has dualredundant power sources, as the four independent sources are distributed across the control surfaces. Each rudder surface has quad-redundant power sources.The new aircraft features three ailerons per wing, each moved by
two actuators. Inboard and median ailerons use one hydraulic and one EHA actuator, while the outboard ailerons use two hydraulic actuators. Spoilers (eight per wing) are hydraulically powered. Two or three of the spoiler
actuators on each wing, however, will have backup electrical power, combining servocontrol and EHA functions in a single unit, the EBHA.Wing flaps and slats are driven by mechanical rotary actuators connected to powered
control units (PCUs) by means of a torque shaft transmission system, van den Bossche says. The flap PCU includes two hydraulic motors; the slat PCU includes one hydraulic and one electric motor.Back to October 2001
Avionics News and HighlightsInformation about Avionics
Send your comments to the Avionics staff
Ask the Experts| Home | Subscribe | Newsstand | Search | Special Reports | Aircraft Values |
| Safety | Ask the Experts | Calendar | Industry Links | Forum | Career Center |
| From the Wires | Media Kit | Catalog | About the Site | Helpdesk | Copyright © 2003 PBI Media, LLC. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of PBI Media,
LLC is prohibited.
http://www.aviationtod
ay.com/reports/avionic
Conservatism
“Avoidance of new technologies, or the
capabilities they make possible, unless they
provide distinct safety, operational, or efficiency
advantages and do not compromise existing
safety.
Advancements that fail this simple test simply
do not fly aboard Boeing jetliners. Why?
Because the ill-considered application of new
technologies can lead to unintended
consequences that compromise the safety
already achieved.”
http://www.boeing.com/commercial/safety/pf/pf_
manufacturers_role.html#four
FAA and Regulation
• Strategic Goal: By 2007,
– Reduce U.S. aviation fatal accident rates by 80
percent from 1996 levels.
– Fatal Aircraft Accident Rate: By 2007, reduce the U.S.
aviation fatal accident rate per aircraft departure. . . by
80 percent from the year average for 1994-1996.
• FY 2001 Performance Goals:
– Commercial Air Carrier Fatal Aircraft Rate. Reduce
the fatal commercial aviation fatal accident rate
per100,000 departures to 0.043 by FY 2001.
•
What is Safer Skies About?
• Disciplined, Focused Approach
– Data driven
– Analysis of past accidents/incidents
– Identification of precursors
– Specific interventions to address precursors
– Use knowledge gained to identify future
aviation system improvements
– Safety plan a living document
FAA and regulation
• Aviation Safety Reporting System (ASRS)
– incident reporting system
– Voluntary, confidential and anonymous
• Accident/Incident Data System (AIDS)
– NARRATIVE: ON CLIMB OUT FROM UTICA, NUMBER ONE
CHANNEL OF THE AUTOPILOT FAILED. NUMBER TWO WAS
ENGAGED AND PROGRAMMED FOR 160 KNOT CLIMB. DURING
THIS CLIMB, THE AUTOPILOT CLIMBED AT A STEEPER ANGLE
AND A SLOWER AIRSPEED THAN WHAT WAS PROGRAMMED.
AND SHORTLY AFTER THIS, THE NUMBER TWO CHANNEL
FAILED. WE ALSO EXPERIENCED ERRATIC FLIGHT DIRECTOR
INFORMATION. THE FLIGHT CONTINUED FOR APPROXIMATELY
15 MINUTES WITHOUT THE USE OF ANY AUTOPILOT. WHEN A
TURN TO THE RIGHT WAS ATTEMPTED, THE CONTROLS WERE
JAMMED. BUT A TURN TO THE LEFT WAS POSSIBLE. IT WAS AT
THIS TIME THE CREW ELECTED TO SEPARATE THE ROLL
CONTROLS. IT WAS DISCOVERED THAT THE AILERON WERE
JAMMED. THE AIRCRAFT WAS FULLY CONTROLLABLE WITH THE
USE OF THE ROLL SPOILERS. IT WAS DECIDED TO FLY TO OUR
MAINTENANCE BASE IN VFR CONDITIONS. LANDING WAS MADE
AT MANASSAS WITHOUT INCIDENCE. MAINTENANCE
PERSONNEL DETERMINED THAT THE ROLL SERVO ACTUATOR,
HONEYWELL PART NUMBER 7002260-923 HAD FAILED. THE
COMPONENT WAS REPLACED AND THE AIRCRAFT RETURNED
TO SERVICE. OPERATOR SUBMITTED MDR ON THIS EVENT
Safety Programs at FAA
• International Aviation Safety Assessment (IASA)
Enhanced Airplane Security Program
Aviation Safety Action Program
Air Transportation Oversight System (ATOS)
Advanced Qualification Program
Aviation Safety and Health Program
Whistleblower Protection Program
National Simulator Program
Safe Flight 21/Capstone
Certification, Standardization, Evaluation Team
(CSET) Includes new entrant certification procedures)
A local resource
Aviation Safety Program Management
Aircraft Accident Investigation
Helicopter Accident Investigation
Gas Turbine Engine Accident Investigation
Human Factors in Aviation Safety
Safety Management For Aviation Maintenance
Accident/Incident Response Preparedness
Legal Aspects of Aviation Safety
The Role of the Technical Witness In Litigation
Photography for Aircraft Accident Investigation
System Safety
Software Safety
Incident Investigation and Analysis
EPGWS
• http://www.egpws.com/general_informatio
n/videos/videos.htm
• http://www.airlinesafety.com/
• THE TOP 10 AIRPORTS
WHERE RUNWAY
INCURSIONS OCCUR MOST
FREQUENTLY (1997 TO 2000
DATA)
• 1. Los Angeles (33)
2. St. Louis (30)
3. Orange County (27)
4. North Las Vegas (26)
5. Long Beach (25)
6. Dallas/Fort Worth (23)
7. San Francisco (21)
8. San Diego/Montgomery
Field (20)
9. Fort Lauderdale Executive
(20)
10. Phoenix (18)
http://airlinesafety.com/editorials/RunwayIncursions.htm
Performance Goals
Air Carrier Accident Rates/Targets
per 100,000 departures
Rate per 100,000 Departures
0.12
0.1
Baseline FY 1994 - FY 1996 = 0.051
0.08
0.06
0.04
0.02
0
1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007
Year
Human Factors
Primary contributor to more than 70 percent
of all commercial airplane accidents.
Far more likely cause of an airplane crash than
mechanical failure or adverse weather conditions
Error management tools
Failure to follow procedures or improper use of
equipment, includes
procedural event analysis tool (PEAT)
maintenance error detection aid(MEDA)
Methodology
to investigate errors, understand root causes and prevent accidents,
rather than place blame on people for errors.
PEAT
• Event Occurs
• Investigation reveals procedure deviationassumes error is an “accident”
• Interview Crew Members
–
–
–
–
–
–
Contributing Factors
Ideas for Process Improvement
Follow-up to obtain additional contributing factors
Add to PEAT database
Make process Improvements
Provide feedback to all organizations affected
• Similar process for maintainance
Environmental
• Wind Shear- 7th most common cause of
fatal accidents in last 10 years
– Ground based doppler radar
– Pilot training on simulators
– On board predictive and reactive systems
Ethical considerations in
Engineering Design
How much is a human life ‘worth”?
“Society has a duty and responsibility to provide the best available
medical care and treatment to try and save a human life. To do any
less is to declare a death sentence in the name of cost effective
treatment, corporate greed, budget balancing, or some other dollar
associated reason. And that is morally and ethically corrupt, bankrupt,
and wrong.”
http://www.sambarpress.com/chuck/whatsa.htm
•
•
National Highway Traffic Safety Administration
calculation of the value of a human life
Ford Motor Company argues why certain safety measures are not "worth" the
savings in human lives.
Calculation of estimated societal cost every time someone is killed in a car
accident.
COMPONENT
1971 COSTS
Future Productivity Losses
Direct
Indirect
Medical Costs
Hospital
other
Property Damage
Insurance Administration
Legal and Court
Employer Losses
Victim's Pain and Suffering
Funeral
Assets (Lost Consumption)
Miscellaneous Accident Cost
$132,000
41,300
700
425
1,500
4,700
3,000
1,000
10,000
900
5,000
200
TOTAL PER FATALITY: $200,725
http://www.motherjones.com/mother_jones/SO77/worth.html
Ethical considerations in
Engineering Design
And expensive. . .
•Tort lawyers use these engineering
numbers to set damages.
•The fact that prices are put on human
life is taken as proof of corporate
callousness
•Serve as the basis of punitive
damages
•Paradox: the higher the number, the
higher the damages.
Consider the design of an air
transport system. . .
• Can an airplane be built that enables
passengers to survive a crash?
But. . .
• What if you could make a “safer vehicle”
but it would increase the cost of the
vehicle by 10X and thus greatly increase
the cost of a passenger ticket?
• What if you could decrease the hijack
probability to the level of El Al at the cost
of significantly fewer flights and more
check-in time
A Methodology
• List all candidate safety improvement ideas
• Calculate the increase in safety gained in terms
of lives saved over the lifetime of the airplane
• Rank order the improvements
• Execute the improvements
• When the savings become less than an agreedupon value (The “value of a human life”), stop
• Repeat periodically
• (example bombproof cargo containers)
Future safety enhancements
Boeing
Airplane-based GPS guided landings to replace present ground-base.
New display technologies for flight decksintuitive graphic of descent profile and surrounding terrain.
(EGPWS +?)
A "taxi display" for ground traffic around an aircraft
Intelligent Pilot’s assistant to assist with complex procedures and
heavy workload situations.
Technologies to alleviate wake vortex and mitigate turbulence.
"Synthetic vision" for better situational awareness with day-like visual
Diagnostic systems to monitor all other systems for developing problems
(jet net)
http://www.boeing.com/commercial/safety/pf/pf_manufacturers_role.html#four
Safety Enhancements -Honeywell
Strengthening cockpit doors
Explosion-resistant cargo containers and holds incorporating Spectra® fiber
Maintaining cockpit audio links – with back up satellite links or VHF
Air Traffic Control transponder system to alert controllers of an emergency
situation when activated by the flight crew. Override systems that prevent
unauthorized shutdown of critical aircraft systems, such as transponders, radios and
flight recorders
GPS-based system (in development) to continuously broadcast position
Cabin Awareness and Warning System - video monitoring of cabin, capture
on flight data recovery
Improving flight data recovery – Delivery now is under way for dual,
combination flight data-cockpit voice recorders, for all new commercial aircraft
starting in January 2003 with retrofits required by January 2005. They double the
likelihood that useable investigative data could be recovered in a worst-case scenario
Safety Enhancements -Honeywell
Airport Security
Monitoring key sites – Monitor potential security
breaches at airports
Tracking personnel –constantly track all tagged
personnel and assets using a wireless system
Integrating safety systems –
Recent “Future Considerations”
Security (Gore Commission 1996)
• New bomb detection equipment,
• Background checks of ramp personnel
• Certification of security personnel
• Passenger profiling
– Prohibitions on compiling profiles of potential terrorists
– No generalizations permitted such as frequent travel to
known terrorist countries
– Limit profile records to information on known hijackers,
terrorists
• Bomb detection equipment remains problematic
Recent “Future Considerations”
Security (Gore Commission 1996), continued
Fault-checking airport/airline security systems using adversary
testing
Study of the chemical weapons threat (the subway attacks in Japan
should serve as writing on the wall)
Review viability of anti-missile defense systems.
Mitigate the likelihood that terrorists could obtain or use surface-toair missiles. (Recommendation: The State Department should study the expansion
of conventional arms agreements to include man-portable surface-to-air missiles, and
the U.S. Representative to the International Civil Aviation Organization (ICAO) should
propose a new convention addressing these weapons).
Passenger/checked luggage match, initially based on profiling, to be
implemented no later than December 31, 1997.
Provide anti-terrorism airport security training at non-U.S. airports
which serve airlines flying to the U.S.
Caltech-type improvements
• Much better weather data, detection, and
evasion
• Redesign air traffic control system (freeflight?)
• Really-smart “Pilots Assistant” (situational
awareness)- spin-off of military programs
• Predictive failure of aerospace parts
• Others. . .
• Lecture will be posted on
www.its.caltech.edu/~kpickar