Hangar Talk: Editorial
Swissair Flight 111
The Accident that redefined CRM
by John Sampson
The media seemed to be initially off on a tangent with the EVAS (plastic bag) system for maintaining internal pilot vision in the event of dense smoke in the cockpit. In light of events it may well have been a factor but only that. It's more likely to be eventually shown that there was a much greater deficiency at work in the Swissair accident; one that is shared by most of the world's airlines. The buzzword in airline flight-crew conduct and relationships for the past decade has been CRM (Cockpit [or Crew] Resource Management). Broadly speaking CRM means that, without contravening the command rank structure, any flight crew member is expected to challenge any other when he is dissatisfied with developments or excursions beyond limits - supposedly without fear of retaliation. It also means that there should be no "one-man-bands" (i.e. the workload is shared) and that during high work-load situations crews are limited to the job at hand i.e. they can't discuss last night's Seinfeld whilst lining up for take-off. Military crews have also adopted this CRM credo - but they have different imperatives to commercial airlines so they do it with a significantly different emphasis. Because of cultural differences, CRM was not always evident in many Asian-crewed cockpits and this failing showed up in a number of accident critiques of the 70's and 80's. Before we reveal the suspected SR111 deficiency it is necessary to run through a typical emergency evolution and build the case. A possible Swissair-style scenario follows.
Swissair-style scenario
Pilot concern, on a black night, is not for forward vision through the wind-screen - that is essentially irrelevant at night in a radar environment until such time as the pilot flying needs to look for VASIS (Visual Approach Slope Indicator System) or HIAL (High Intensity Approach Lights) on finals (at about 2 to 3 miles) for his line-up and above/below glide-path cues. Swissair 111 never got to that stage. Loss of control in their accident was predicated by any combination of pilot incapacitation, loss of flight instrumentation or loss of control stemming from a later, sudden and drastic development. The fact that the aircraft orbited for many minutes following their advisory PAN declaration meant that reducing aircraft weight for landing was the initial and paramount consideration, not an immediate overweight landing due to a worsening situation. If the situation had been deteriorating, a distress call or "Mayday" declaration would have been made early on. The pilots upgraded their distress phase later, about 10 to 15 minutes later, and that was initially thought to be the key to the real accident cause.
Let's consider a typical sequence of events for noxious fumes or "smoke in the cockpit".
Assessment
1. Probably the saddest thing about this accident is that possibly (even probably) the actual malfunction wasn't all that critical. If the system or avionics box had failed properly it would have blown its internal fuse or popped its circuit-breaker and so shut itself down - or simply failed to a dormant state. Many modern systems however will not do this because of the redundancy built into them. In a way it's self-defeating. We are not building systems with benign failure modes and sufficiently hooked into central indication warning systems (CIWS) that will tell us incontestably that a particular system has failed. We are all familiar with the confusing failure modes and resulting unfathomable messages of our desktop computer's operating systems. Aircraft computer systems are just as liable to tell you "porkies" - or worse, nothing at all.
2. It is a perilous undertaking to embark upon the "smoke" checklist because you are going to be necessarily failing your own systems in bulk. There is supposedly no other way, with current technology, to determine the root cause of an electrical fire. Most pilots would assume the cause is electrical and not airconditioning related but it takes a keen pair of nostrils to discriminate. Even if the cause is not identified and isolated the checklist should provide a solution i.e. most electrical fires will die away once the amps are removed. Unfortunately by the time the fumes and smoke begin to clear the checklist will normally (and necessarily) have been completed and the aircraft will be in a very crippled state. If the problem is seen to be resolved a mature crew will pause, sit on their hands and reassess their status for recovery. In most instances crews will be very loath to re-activate critical or essential systems, either because it's not SOP (standard operating procedure) (i.e. there's no power-up checklist) or because they are fearful of restarting the emergency. Unlike older aircraft it will not be possible to turn off all electrical busses or trip all AC generators. Modern airliners cannot function in an electrically inert state. However AC and DC distribution has been worked out such that everything except the emergency essential AC and DC buses can be "offed". Pilots should then be left with manual (hydraulics on) flight control, basic instrumentation, functioning manual throttles (i.e. no FADEC), at least one COM radio and a good generator (even if it's only the APU's or Ram Air Turbine's). The fuel system should be electrically redundant in most cases i.e. pumps going off should not induce flame-outs. However the MD11 is unusual in that, to reduce trim drag, it has an integral tail-plane fuel-tank. Transfer pumps and fuel dump pumps are powered from different buses through different circuit breakers.
Would it be possible that, with a partial electrics-out configuration, in a main wing-tank dump situation, the tail-plane transfer pumps weren't powered? It is such a long moment arm that an adverse Centre of Gravity controllability situation could soon develop? This sort of fuel transfer induced controllability loss was not uncommon in another Boeing aircraft, the B52 Strato-fortress. Undercarriage and flaps would be readily extensible. The lethal variant however is the pilot's newly configured flight instrument configuration. It will be anathema to his normal instrument scan technique and the way he's been trained. At best he will be uncomfortable - at worst he will be ricochetting from one unusual attitude to another as he is continually distracted by inert flight instruments, the demands of checklist responses and the hectic workload. In this scenario it would be easy to overlook the ongoing fuel dump.
3. Modern airline pilots rely routinely and heavily upon Flight Director Systems, head-up displays, altitude alerting, autopilot-controlled "fly-to" points (and programmed course intercepts) as well as ground Radar monitoring of their track and altitude. During and after the smoke checklist the aircraft assumes a barely "flyable" configuration in instrument-flying or night conditions that the pilots are not really familiar or comfortable with. Their situation is more precarious because of this than because of the possibility of them being overcome by fumes or toxic smoke or robbed of "inside cockpit" visibility. The possibility of an unrecoverable flight attitude developing or of the aircraft being flown inadvertently into the water during descent becomes the real hazard. The Ground Proximity Warning system may or may not be of much use in such a circumstance. Pilot input response to a high speed, high rate-of-descent GPWS alert may well cause structural failure anyway. This might have been a probable cause for SR111 heavy - but their transponder and FDR cut out at almost 10,000 ft. If the aircraft altimeter's altitude transponder output to Radar gets "offed" by the checklist, ATC will not see any dangerous descent and radio a warning.
4. Unfortunately ATC can often stimulate and stoke the criticality factor by being too helpfully voluble. Real emergencies are nowadays rare but all too frequently they take on a life of their own and the resulting R/T pressure-cooker effect can defeat the most disciplined pilot's resolve not to be panicked into precipitate action. Having said that, it is also readily acknowledged that a smoke checklist cannot be slow-tempo'd. It too has an irresistibly urgent quality. The pilots cannot afford to dither over whether or not the next debilitating step is necessary when the smoke is building up or not clearing.
5. Incapacitation should not be a real problem with a full-face oxygen mask or properly sealing goggles - but it remains a possibility. I had a personal experience in my super-sailplane when a hurriedly installed fan caused an electrical fire. I'd stupidly alligator-clipped it to the 25 amp gel-cell, utilized heavy automobile gauge electrical wire and neglected to fuse the circuit. The classic clincher was that I'd run about 13 feet of wire from the fan behind my head to the on/off switch on the panel thence to the nose battery - and strung the wire over the seat supports. Inflight turbulence eventually meant seat movement grinding the pos/neg wires together, they shorted and the resulting smoke of 13 feet of PVC insulation was memorable - but only for a few seconds because I was nearly out to it and my eyes were streaming before my hand accidentally knocked open the canopy air scoop as it felt its way to the canopy jettison handle. It can happen that fast.
6. In many (if not most) instances the modern airline pilot will be experiencing his first really dire inflight emergency and will be intensely provoked into commencing (or continuing) the recovery phase - either because it is necessary or because he sees it as the logical conclusion to the furore he's created by declaring the emergency. Resuming his route or holding off due to poor divert airfield weather will rarely be an option because one of the first steps was to dump down to a landing fuel state. Hopefully the Swissair flight crew remembered to secure the dump before it all went over the side. At the dump-rate of an MD-11 it is possible (but not likely in the accident's time-scale) that the crew simply forgot to turn off the dump until they were alerted by low fuel level warnings. This could have been what precipitated their "upgrade" call to ATC for an immediate recovery (reportedly) 10 minutes after the first advisory. Because it is an embarrassing mistake it is unlikely that a professional flight crew would want to advertise the fact that they'd compounded their own situation by oversight. The panic to then get on the ground ASAP might then disrupt disciplined procedures and a CFIT (controlled flight into terrain) or "upset" accident would become more likely - given the 5000' overcast that existed. Or perhaps there's a more likely explanation that is related to CRM resources?
Suggestions
1. Having identified what I think are the problems, do I have any suggestions for modern airline flight crews or aircraft designers? Well, yes. Designers must be compelled to "design in" benign failure modes and plumb them into a CIWS so that the crews are not kept guessing. Uncertainty is a killer. Mere loss of a probably redundant system or non-critical avionic should not affect the time that the next meal is served or unduly affect navigation. But the fact that it has died should be obvious. Likewise computer monitoring of the aircraft electrical distribution system should alert pilots to any high amp load or fluctuating cycles that could be related to actual or imminent failure. It should not take a bus Circuit Breaker (or alternator or inverter) trip to trigger an alert. Push-pull circuit breakers are simple devices that trip (or pop) because of thermal overload caused by too high an amperage. If they pop and are reset they should pop again if the triggering electrical situation was other than intermittent. If they don't function as they should (particularly when reset - as is permitted) you've got the beginnings of Dante's Inferno airborne. Modern aircraft are chock-a-block with them, all of different ratings and critically so. Most, but not all, are conveniently situated on flight-deck panels, accessible to the crew, but not obvious when popped. All too often they're used by maintenance (and aircrews) as an on/off switch. It's not what they're designed for and in fact it is detrimental to too frequently cycle them (particularly ganged cb's). In fact, come to think of it, the basic design of the common garden-variety circuit breaker hasn't changed in donkey's years. Perhaps that's worth looking at. How reliable is that ancient technology once it's married to the electronics of a modern electric airliner?
Most aircraft manufacturers are now conscientiously utilizing in their aircraft sophisticated wiring that will not support arc-tracking insulation fires. Simply stated it means that a short circuit will not be propagated along a wire by the burning insulation. Most home handymen and car mechanics will be familiar with a shorted-out overheating wire very rapidly melting its insulation along its full length. Glass-fibre style inert non-flammable outer sheathing tends to retard that. Many aircraft still in service, probably as many as 50%, do not sport that optional extra. The MD11 didn't. Boeing has revealed that the MD-11 uses a form of wiring insulation called Kapton. This type of wiring insulation was banned from US Navy aircraft for safety reasons. Designers must also ensure that the CVR and FDR outputs will still be forthcoming no matter what eventual electrical configuration the aircraft ends up in. Avionics plumbing must ensure that ATC can continue to provide a watching-brief backup through observation of the aircraft's transponder track and altitude. ATC-to-crew alerting of high descent rates and cleared altitude penetration is axiomatic - but the transponder must be always powered for them to do this.
2. The built-in failing of the smoke checklist is that eventually you get down to a bare-bones electrical configuration, you're struggling to retain control on partial panel and still the smoke situation's not improving. The likelihood of an unrecoverable unusual attitude developing is very high. My basic contention is that a third man (the old Flt Eng) would be a boon in off-loading the pilots in such a circumstance. I always found it to be so. I'm afraid that the SR111 crew were just overloaded into a loss of control accident in IMC that was predicated by the eliminatory type of smoke checklist that is common to all multi-engined aircraft. The fix required is an immediately selectable (one switch), yet minimally basic, electrical configuration from which you can then start to ADD buses and systems until the problem recurs. The way in which it's been traditionally done (monitoring OFF systems and buses piece by piece) never ever was going to stop the build-up of smoke and fumes in the long interim. I know from experience that it was always hard to tell when you'd had success after the smoke and fumes have built up. There seemed to be always the lingering taste and smell that was impossible to dispel via the "Smoke and Fumes Elimination Checklist". My innovative suggestion straight off kills most possibilities of the situation compounding over time yet allows you to judiciously reintroduce necessary systems, as required, over a calmer, less frenetic period. It should be a reasonably simple modification to most modern airliners.
3. Possibly relevant to the Swissair crash (or any similar event) is the logical caveat that designers must allow specific amounts of fuel to be programmed for jettison. The dump valves must auto-close at a remaining specified fuel level in whatever electrical situation the aircraft may get down to. In the absence of a flight engineer systems supervisor this is absolutely vital. In some aircraft it is presently too easy to initiate a fuel-dump early in the checklist and either forget to cease it at the appropriate time - or miss the fact that when you do actuate "dump off" at the correct fuel remaining that it does not actually cease because the ongoing checklist has removed power to the jettison circuit's bus and its solenoid actuated valve (and possibly also the fuel gauges). All you've then got left to warn of low fuel is the low-level warning lights.
4. How's about designing the flight deck so that, once it's depressurized, a manually operated ram air vent plus a high capacity batt-powered exhaust fan can discharge the nasty air directly overboard (and not simply rely, once you're depressurized, upon the reduced airflow through an open outflow valve way back aft). I wouldn't mind betting that in the MD11, once the aircon is knocked out as part of the checklist (i.e. once depressurized), the flight-deck exhaust fan (if there is one) dies as well??? That would mean the nasty air is trapped in limbo. Crews may be concerned that to do this might stoke the "fire". I don't think that's a valid concern. Electrical fires are all about overheated wires and components and charring insulation. I don't think flames will leap up or smoke intensify because of increased circulation. If they do and it's visible - so much the better (you see the source and you selectively and discretely kill its power).
5. There should be lessons learnt and resultant change when the death toll is so appallingly high. Public confidence is at a low ebb. Searching philosophical questions about CRM need to be asked. What are the lessons? Where did CRM break down? Could it happen again? What's the weak link? Can you really lay it at the door of maintenance when it might have been a design issue or started as a simple system failure? Technology is allowed to fail - but it should fail-safe or be readily isolatable. When you're stuck with only a two-man crew in the smoke and fumes situation, it is far safer to have one dedicated airframe pilot and one checklisting trouble-shooter (and I think it will be proven from the CVR that this factor was their undoing). Secondly, my gut feeling is that if they'd had a systems-supervising flight-engineer the pilots would have been able to get on with the real task - "flying the jet". That's not just being "hands on" and concentrating on the instrument flying control aspects. It includes radio navigation, listening out, looking out, R/T, liaison with cabin crew and instrument/avionics system monitoring plus the necessary ongoing ahead lookout on their weather radar. A cross-cockpit double-checking backup that is always vital may well have broken down (i.e. in their final descent, altitude cross-checks for instance). A flight-eng would look after electrics, hydraulics, pneumatics, circuit-breakers, non-FADEC'd throttles, fuel system (including the jettison), engine related systems and caution panels (and also backup the pilots if he had any spare time). In the final analysis I think you will find that the Canadian Transportation Safety Board will come out with a very honest report that reveals that the SR111 crew was simply overloaded to buggery by developments and was always, as a duo, one man short in extremis - and therefore a potential accident looking for a situational trigger.
This is really the case with most of the cockpits flying around on RPT (Regular Public Transport). But, nowadays, particularly in long-haul Digital "Glass" cockpits with automated systems operation, the surveillance and warning kit is normally reliable. The critical third man is only the lynch-pin when the situation starts coming unglued and the automated systems are on the fritz. Unfortunately the flight engineer third man has been "designed out" since about 1975 and it will take more than an MD11 going down to reverse that. You just don't need him in a modern electrified jet until you really need him - and I think it will be proven without a doubt that SR111 would probably have coped well if they'd been so endowed with that ultimate component for CRM - the third man's capacity, systems knowledge, tempering influence and divorcement from the "hands on" flying task.
6. The "disappearance off the radar screen" I think you will find simply means that ATC lost their transponder return. Civil ATC worldwide tends to rely heavily upon challenge and reply secondary radar (IFF in military terms). Few controllers would be capable of following the primary "paint" blip of a manoeuvering target on primary radar nowadays. By the time a controller adjusted his gain, PRF, antenna tilt, sector scan and anti-clutter devices, SR111 was in the drink. The SR111 transponder became unpowered either because of a structural breakup or because of a checklist step that canned its power. Their remaining COM radio would probably be powered by the bare-bones essential AC and DC buses (the ones that are meant never to be monitored off). However crew silence would not be strange if an unusual attitude recovery was underway. Believe me, an insidious slow roll and pitch to an unrecoverable attitude can happen to the best of crews who are ensconced in a vital drill. Been there, done that. In a heavy jet, pulling out of an unrecoverable attitude and trying not to overstress in speed or "g" would be a 150% attention-getting task for both. Bearing in mind that large jets tend to frequently shed bits on finals, no-one should be surprised to find that they started their break-up mere seconds into the attempted high-speed recovery. An adverse C of G because of tail-to-main-tank fuel transfer failure during dump is an outside possibility.
7. Over-tasking begets overloading - first the pilots then inevitably the airframe. T'ain't as if it ain't happened before. It's a pity that de-regulated competition means airlines feel that economically they must persist with two-pilot crews - because the third seat is a great training ground for young airline pilots. Qantas has been doing it for many years with their second-officer program and I would not have it any other way. The Qantas safety record speaks for itself. Military crews worldwide are normally augmented because it is a recognized cheap training context for up-and-coming aircraft commanders. Many military pilots moving into commercial cockpits would nowadays have a sense of loss without quite being able to put their finger on what's dropped out of the safety equation.
Immediate Considerations
What can "smoked" aircrews do in their presently paired configuration to improve their chances?
LANDINGS.COM Copyright © 1994-2012
Explicit permission required for any duplication or usage