The NASA Space Shuttle Challenger disaster was 100% preventable. Why this claim, when cold weather is commonly cited as the cause of the O ring malfunctions that allowed hot gases from the solid rocket booster to penetrate the big orange liquid fuel tanks?
NASA engineers and rocket maker Morton Thiokol engineers had seen O ring failures on several previous shuttle solid rockets recovered after launch. The solid rocket booster bodies parachute back to earth, landing in the ocean in less than an hourafter shuttle launch. The rocket bodies were designed to be recovered, refurbished and put back in use on a subsequent shuttle launch. It had been during several of these refurbishment procedures that engineers discovered that hot solid rocket gases had breached the O rings used to seal the joints between segments of the rocket body joined together to form the ful solid rocket several hundred feet tall.
Rocket engineers had actually redesigned the joint between these segments. However, the solid rocket boosters on the January 1986 Challenger were from the last remaining remnants of the older original design, that had suffered O ring burn through on previous Shuttle launches. It was for this reason that engineers revised launch criteria to be ambient temperatures above 48 F degrees, to allow sufficient flexibility of the solid rocket motor body segment joint seals to prevent burn through during the solid rocket burn of the initial launch phase.
Engineers decided that the below freezing temperatures at the launch site and throughout that portion of Florida’s East Coast, during the night prior to launch, had rendered the O ring material too brittle to perform its ability to seal in hlt solid rocket gases during launch burn.
Their decision was scientifically based on what they knew and what they had previously observed. Delaying the launch of Challenger was a logical choice, and one the NASA Launch Team at the Florida launch site was more than capable of rescheduling and completing under more favorable weather and temperatures.
The executives who chose to ignore and then override the engineers’ decisions, did so out of what appears to have been a political gamble to make the then Republican President Reagan look good for the Jan 1986 nationally televised State of the Union Address before Congress that same evening. Their decisions were not based on science, engineering or observation.
The cold weather was not to blame, since cold weather is merely a natural phenomena. Rather, it was the executives’ decision to override the engineers’ No Go decision because of the cold weather, that was to blame for the Chalkenger disaster. This disaster was therefore 100% preventable, and knowable beforehand. The United States, the astronauts and their families, NASA and all humankind lost big that historically infamous morning due to the gamble of a small handful of politically motivated executives. And for what? Who could really doubt that Reagan would have rationally chosen to not delay the launch knowing that the temperatures at launch time were out of engineering criteria? Wouldn’t Reagan have chosen the safer course of action? Reagan was never known as a gambler.
Judgment to delay for weather is most often seen as wisdom in leadership. Here are some notable examples. General Eisenhower delayed D-Day for bad weather. British General Cornwallis delayed his retreat across the York River, from then General George Washington due to bad weather. Napoleon and Hitler lost their military adventures into Russia due to ignoring the severe bad weather of winter.
The Challenger disaster was the very sad outcome resulting in to a gambler’s decision to ignore the engineers who knew the physical limits of their equipment caused by the effects of bad weather.
The Safety Purpose is to prevent dangerous events from reoccurring by eliminating the hazard(s) that caused the initial mishap. But does it appear that the FAA regulators have once again failed at the Safety Purpose?
Denver United B-777 with engine failure appears to have been powered by the Pratt and Whitney PW-4000 high bypass ration turbofan engine.
In Dec 2020 a Japan Airline B-777 powered by PW-4000 turbo fan engines suffered a similar engine failure. It too was also able to land safely.
See this file video of a United B-777 powered by the PW-4000 engine taking off: https://m.youtube.com/watch?v=yAsH9vRu0Ng
From Pratt and Whitney, information on the PW-4000 high bypass ratio turbo fan engine originally built in mid 1980s:
Kobe Bryant and family and companions died in a helicopter flown by a pilot who flew into a cloud, then flew into a mountain, instead of turning around and remaining clear of clouds. Was the pilot instrument rated by the FAA? Was the helo equipped for instrument flying and certified by the FAA? Was the flight operation company certified by the FAA to conduct instrument flight ops in instrument weather? If not, why was the pilot permitted by the FAA to operate commercial flights? Was there actually any FAA oversight of this company or any VIP or celebrity air transport company?
Are Kobe Bryant and family companions dead because someone did not do their job?
Has that hazard been corrected? Or are there other VIP and celebrity air transport flight services operating in the US outside of FAA instrument regulations?
However, I noticed three glaring omissions, in my opinion:
Flightcrew Landing Training.
FAA Part 121 Landing Procedures
FAA Runway Engineering
Yes, the FAA has requirements for approach training, but landing training is not emphasized other than currency.
As context, US Navy carrier based flight crew practice “FCLP” or field carrier landing practice dozens of times under direct supervision of a Navy Landing Signal Officer or LSO, prior to going to the boat to actually land on an acft carrier. Emphasis? Three items: 1. Being precisely on glideslope, not a little high or a little low, but spot on center meatball; 2. Line up, being both on centerline and not having any drift off of centerline; 3. Being on speed at L/D max.
US Navy procedures were one thing, but it was the supervised practice, practice, practice that made all the difference.
I just do not see that kind of supervised practice required by the FAA, EASA or any other regulator for commercial airline operations.
Second point: FAA Landing Ref speed includes as much as a 30% turbulence safety fudge factor above L/D max. That is good in turbulent air landings.
But, you could reduce that speed by some of that 30% buffer in non-turbulent air and land 10-15 knots slower and still be well above L/D max. Advantage? Less stopping distance required by the square of the speed, which is important on slick and short RWs.
Third point: The Europeans, the Canadians, ICAO and much of the world still have not embraced. FAA Crowned and Grooved Runways standards (AC-120).
FSF has had FAA Runway Engineers give Crown and Groove briefings at various seminars. (I know because I arranged two when I served on FSF EAC, and once when I was the Navy ASO in Pensacola.)
But Crowning and Grooving engineering remains a hard sell.
Were the Air France 447 Airbus 300-200 flight crew members trained in stall recognition by:
A) Angle of Attack (AoA) based stall warning alarm system or
B) Loss in altitude, as displayed on the altimeter, due to loss of lift?
C) Both A and B
D) Neither A nor B?
1. A stall of relative wind flow over the Airbus 330 wing occurred at Stall AoA, setting off the flight crew cockpit stall alarm system. The stall warning signaled that the AoA had increased above the Relative Wind Flow Stall AoA, and by aerodynamics, the wing was no longer producing enough lift for flight, and so the altimeter was unwinding rapidly, telling the flight crew that the aircraft was descending. But did the flight crew see the loss of altitude as a symptom of trouble, or the exacting cause of the trouble and their cue to enact stall recovery procedures? If they understood the loss of altitude as their cue that they were in a stall, why did they not immediately begin stall recovery procedures, such as lowering their nose attitude? I do not think that the other multiple alarms and warnings confounded the flight crew. I think that they did not see the unwinding altimeter as the stall recognition cue. If they did, they would have lowered the nose at 37,000 feet and resumed level flight. What was the confusion therefore, that confounded the AF 447 flight crew?
2. Is not the altimeter a very good and reliable indicator of a stall? Along with the AoA Stall Warning system, didn’t the flight crew have this very reliable and verifiable stall indicator, all the indication that they needed to solve their problem? Without a doubt, a rapidly decreasing altimeter is a very good stall indication, especially when the crew has nose up control inputs. Acting on that information alone, the crew would have been able to carry out published stall recovery procedures of lowing the nose to lower the AoA.
3. I would argue that, as the Air France Airbus descended from above 37,000 feet to the surface of the sea, loosing its altitude due to loss in lift, the flight crew never recognized that the loss of altitude was their stall recognition cue. As a result, the crew never attempted standard operating procedure stall recovery by lowering the nose. Was the reason that the flight crew never realized that they were in a stall, due to the fact that they did not understand that the decreasing altitude as displayed on their altimeter, was the stall indication? Why was that the case for AF447? Is that still the case today at many commercial airlines around the globe?
4. From their stall recognition and stall recovery training at Air France Airbus training program, were the flight crew trained to recognize and recover from stall based only on the installed AoA-based stall warning system? Did AB and AF not require the altimeter as the next instrument to be checked for decreasing altitude, in the stall recognition and recovery procedure? How many other commercial pilots are their out flying the line, that do not understand stall recognition and stall recovery procedures?
5. Once a stall is recognized by observing the decreasing altitude on the altimeter, wouldn’t the next procedure in stall recovery be the same procedure of decreasing the nose attitude, just as in the case for stall recovery for AoA based stall warning? In the altimeter case, doesn’t the altimeter substitute for the AoA-based stall system for the stall recognition? Since the AF 447 flight crew never attempted stall recovery procedures, is it correct to conclude, that they never recognized that they were in a stall at all?
6. Should Air France, all airlines flying Airbus, and Airbus Training, and perhaps all commercial airlines, shift stall recognition and stall recovery procedures from focusing solely on AoA-based stall warning for recognition and reaction, and rewrite procedures and redirect training to include scanning the altimeter for loss of altitude, as part of the procedures for stall recognition and stall recovery? Is this a new idea that should be considered by all airlines and training facilities?
Perhaps you could pass this procedural good idea on to your airline’s training department and your pilot association’s training committee? By understanding aerodynamics, you can enjoy safe flying. Remember that $afety Pay$.
Aerodynamics for Naval Aviators was written by Harry Hurt in 1959 and published by the US Navy in 1960. It is still in print and is still in use as an authoritative handbook for pilots to learn the aerodynamics behind the safe operation of aircraft through all areas of the flight envelope. Whether going very fast, or very slow, whether going very high in the sky or flying low to land, the aerodynamic principles explained in this book have helped many aviators fly safely in all manner and variety of aircraft.
On stall recovery in Chapter One, Basic Aerodynamics, Hurt states, “Recovery from stall involves a very simple concept. Since stall is precipitated by an excessive angle of attack, the angle of attack must be decreased. This is a fundamental principle which is common to any airplane.” (See Aerodynamics for Naval Aviators, Ch 1, Effect of High Lift Devices, pg 29).
In my flying experience, there are two ways to reduce the angle of attack (AoA) and a third step in the stall recovery procedure. The first way to reduce AoA is to lower the nose of the aircraft with the elevator towards or even below the horizon. The second way is to add all the power you have and accelerate the aircraft. The third step is to roll wings level. While this does not directly influence the AoA, this step does re-direct the lift force vertical and opposite the weight of the aircraft.
In Chapter Four, Stability and Control, Hurt writes, “The initial tendency to continue in the displacement direction is evidence of static instability and increasing amplitude is proof of dynamic instability.” He writes further, “In most cases, the contribution of the fuselage and the nacelles is destabilizing.” Under the topic of Longitudinal Dynamic Stability, Hurt writes, “dynamic instability will exist when the amplitude of motion increases.”
(See Ch 4,, ibid, Dynamic Stability, pg 245, 256, 279).
According to public media reports of various B737 MAX mishap investigations, the Maneuvering Characteristics Augmentation System or MCAS moves the elevator trim relatively rapidly and to a large displacement angle, in much the same manner that a pilot, hand flying a stall recovery would move the elevator. (See: https://news.yahoo.com/ethiopian-airlines-crash-mcas-system-boeing-737-max-194126559.html). Interestingly enough however, the MCAS does not engage the auto throttle system to add full power. Not sure why?
So while the concept that the MCAS is improving the longitudinal stability of the B737 MAX, most likely due to engine nacelle longitudinal destabilization factors, this is the engineering argument offered for the MCAS system not being a pilot procedural controlled stability control, such as an elevator, in actuality the MCAS acts very similar to the control inputs of a pilot recovering from a high AoA induced stall, by moving the elevator due to input of a high AoA.
In that regard, it might be a very good idea to:
-first rely on several AoA probe inputs to validate the high AoA data input is in fact a high AoA
-second to display that reading in the cockpit for all to see
– and third let everyone in on what appears to be both a longitudinal stability augmentation system and stall recovery system, so that the owners and operators can maintain it well and operate it safely.
Is the discussion about the optional equipment of B737MAX angle of attack AoA data comparator systems diverting the discussion from two of the most central safety issues, safety hazard reporting and rapid response, and the full extent of flight crew training?
Why ask that question? First, the specific hazard of a malfunctioning AoA probe and/or data value input to the flight control system computers, ordering an erroneous massive nose down stab trim control input, was reportedly known to exist on the B737MAX acft before both the Lion Air mishap or the Ethiopian Air mishap. Who knew and who reported it? According to reports from pilot groups, 3-5 US based passenger carrier flight crews experienced a similar malfunction and reportedly entered same in the acft maintenance log book, and may have written an airline safety event report as well. Thus at least one or more US certificated airlines may have known of this hazard, meaning that their FAA (principal operating or operations inspector (POI) and their principal maintenance inspector (PMI) either knew or should have known of this hazard, and thus through their Boeing reps, the manufacturer knew or should have known of the hazard. This is to some degree speculation based on reports and the reported procedures for reporting and sharing flight safety hazards between flight crew members, the airlines, the regulators and the manufacturers.
This could mean that FAA and Boeing, if knowing of the hazard, should have immediately and rapidly issued a safety of flight notice to all B737MAX certificated operators, informing of: A. the flight hazard B. the maintenance fix C. the aircraft operators procedures, either standard, supplemental, non-normal or emergency, as appropriate to respond to this hazard if encountered in operations.
Did FAA or Boeing do this? It is not clear yet how far along this path the FAA and Boeing proceeded. News reports of the Boeing fix underway in January 2019 show that some action was underway prior to the Ethiopian mishap.
Second, and more specifically, a Lion Air flight crew reportedly experienced this hazardous malfunction, on the mishap acft, during the flight previous to the mishap flight. How did Lion Air respond to the reported hazard? Was the hazard reported? Why did Lion Air maint management and flight ops management assign that acft to fly again, knowing it had experienced the hazardous malfunction on the previous flight? Had that hazard had been resolved? Was the event entered in the aircraft maint discrepancy log book? What possible justification was used to clear the maint discrepancy? Was the airline’s Boeing maint rep asked what to do in this case? Why or why not?
If an additional crew member (ACM), [ACM because he was on the flight deck vs in a passenger seat in the cabin, where he would have been a dead heading crew member DH], a qualified and certificated airman was on the flight deck, assisted the operating crew members by either moving the horizontal stab motor cutoff switches or recommending the same to the operating crew, was that event recorded by Lion Air Flight Safety Manager, investigated and this information promulgated immediately by Lion Air Safety to all Lion Air flight crew members and to their CAA regulators and the manufacturer Boeing? Why or why not?
Why did one flight crew member, the ACM, know how to turn off power to the trim motors with the horizontal trim cutoff switches, and know to turn off the power at that time as a response to the malfunction, but other crew members, and the operating crew members did not? Boeing B737 Runaway Horizontal Stabilizer Trim Emergency Procedures are published in the Boeing Aircraft Operating Manual or AOM, and Quick Reference Handbook or QRH, and are very similar to the procedures on most or all Boeing passenger acft, such as the B757 and B767. Why did some certified and trained Lion Air crew members know that and others seemed to not know that? Why did the Ethiopian Air flight crew apparently not know that? How is that possible?
Would have having an AoA comparator and disagreement warning system have made a difference if the system did not automatically disengage the horizontal stab automatic trim system known now reportedly as the MCAS Maneuvering Control Augmentation System? If the flight crew was not trained on MCAS, how would a comparator system have helped them? Even without a comparator, merely knowing to flip the horizontal stab trim cutoff switches at the first instance of uncommanded horizontal stab trim movement, should have resolved the runaway stab trim issue enough to allow the flight crew to land the aircraft, in our opinion.
So, in our opinion, these mishaps reveal two massively glaring safety of flight issues: First, why are known and reported equipment hazards and procedural short falls not resolved quickly, rapidly and universally by the airline, their CAA, EASA or FAA regulators and the equipment manufacturers such as Boeing or Airbus? Why does the hazard reporting system seem to work most of the time but not all of the time? Is there a regulator difference in hazard reporting system and resolution? If so, why? Second, why are some flight crew members trained, qualified and certified to operate with only a bare minimum FAA type rating training at some airlines in the global commercial scheduled airline community, and then little or nothing else further, while flight crew members at the three major US based airlines are given four to five times more training subject-wise, twice as deep training hands-on sim-wise, trained to competence and then regularly receive repetitive in the cockpit line oriented safety audits, line checks with immediate feedback, Advanced Qualification Program or AQP reviews, plus take home systems and procedural tests, exposures to safety forums, monthly or weekly ASAP Event Review Team reports and FOQA training reports? Why is there such an enormous difference in flight crew procedural training? Do you think that flight crew training and flight safety are closely related and perhaps that is an unaddressed global or international commercial scheduled airline safety issue?
In the opinion of SafetyForecast, two issues may be being ignored here, two issues which are literally the foundation elements for mishap -free commercial scheduled airline flight operations: [Yes we believe that mishap free commercial scheduled flight operations can be achieved by constantly reporting and resolving flight safety hazards and by training flight crew members on all procedures, equipment , limitations available and repeating and refreshing that training regularly.]
First, where is the flight hazard reporting and resolution safety program in non-US based airlines? Does it exist and how robust is it? Does it seek to both report safety of flight hazards and rapidly resolve these hazards? “All safety is local.” Citation: Paul Miller, SafetyForecast.com Better Safe Inc.
Where is the hazard reporting and resolution interface joint safety program between the manufacturer, regulator, certificated commercial scheduled airline and the certified flight crwe member?
Remembering that “All Safety Is Joint”, (Citation Paul Miller, SafetyForecast.com Better Safe Inc.) meaning that safety is really a joint effort between the certificated airmen, the certificated airline, the CAA regulator and the equipment manufacturer.
Second, where is the highly developed, broad based and in depth flight crew procedural based training program, above and way beyond type training, globally, in many non-US based airlines? Why are some operating flight crew certified in type and then given little if any additional training? “If you seek one level of safety in commercial airline operations, should you seek one level of training?” (Citation: Paul Miller and David Williams, SafetyForecast, Better Safe Inc and Safety Net Inc.)
There is a much bigger flight safety story here, in our opinion and it involves both safety hazard and resolution programs and flight crew training programs.
Paul Miller, int’l B757/767 captain, retired, 43 years of line and instructional flying David Williams, US FAA designated airline check airman and airline captain, retired
In my opinion, the issue is not that the flight crew received “aircraft differences training” (systems, limits and operating procedures differences between the B737-800 and B737-900, and the B737 MAX) on an iPad. Don’t shoot the messenger. The use of an iPad as a syllabus media is not invalid and may be likened to reading a book on a computer tablet.
From the point of safety management, the real first issue is that the Maneuver Control Augmentation System (MCAS) may not have been included in the aircraft differences training syllabus. The differences training syllabus may have been created by Boeing as an FAA certification requirement. The MCAS had been engineered, tested, installed and delivered on the new B737 MAX by Boeing, as a flight control system on the B737 MAX, a system different from the flight controls on B737 -800 and -900.
The second issue is that the FAA signed off on both the B737 MAX aircraft as certified safe for flight and signed off on Boeing’s B737 MAX “aircraft differneces training syllabus” as sufficient for flight crew training for passenger airline flight crew members certified to operate the B737-800 and B737-900 passenger aircraft.
The third issue is that neither Boeing nor the FAA informed passenger carrier airlines about this different, new and additional B737 MAX flight control system.
The fourth issue is that, after airline pilots reportedly submitted flight hazard incidents of apparent uncommanded pitch trim movements to their airlines, and the airlines reported these flight hazard incidents to Boeing and the FAA, that neither the manufacturer Boeing nor the regulator the FAA apparently took any actions to resolve the flight hazard or inform other airlines of the occurrence of the reported flight hazards.. This allowed a known flight hazard to exist unresolved amongst airline operators of the B737 MAX, which then apparently and eventually resulted in two fatal passenger airline disaster mishaps, when the hazard reoccurred.
As with many airline disasters, both the hazard and the failure to rapidly respond to the known and reported hazard has resulted in what could be considered two totally preventable fatal mishap disasters.
Effective commercial flight safety programs of Safety Forecasts and Plans should not only have both the ability to detect and report flight hazards, but also have the ability to rapidly respond with an immediate hazard procedural response, an interim hazard policy remediation and a long term hazard resolution.
Contact SafetyForecast Director of Safety Policy Captain Paul Miller today for further consult and assistance. Our goal is to save your operation from fatal mishaps, costly material losses and the diversion of time, talent and resources away from the main goals of safe and profitable flight operations. PaulMiller@safetyforecast.com
In low visibility, at night, as the sun dawns and as the sunsets, flight crew members mistaking ramps, taxiways, parking lots and other places for the approach to the landing runway, can pose an unexpected challenge to commercial flights. One cloudy and shadowy late afternoon, I sat as PM with a great international captain as PF, who momentarily become mis-directed by several flashing yellow lights on ground support vehicles. Just at this moment of time, while the PF was transitioning his/her gaze from inside to outside, these three lights were lined up perfectly in a slight right arc. This arc just happened to be very similar to the white right arcing lead in-lights to an old and famous Pac-rim coastal airport and a distraction occurred at the end of a 10 1/2 hour flight and a 12 hour duty day.
As the pilot-monitoring, I’d fortunately procedurally had the chance to be looking outside long enough to have already picked up the actual runway. The runway was another 45 degrees to the right, in our right banked 90 degree turn to final. I saw the captains eys lock onto the point of the three flashing yellow lights and noted his/her confusion that there was no runway to be seen.
Without a word, I tapped him/her on the shoulder and pointed to the right. The captain quickly corrected and moments later, we completed an uneventful 10 1/2 hour flight, in the shadows of a summer sunset, with a smooth touchdown.
On another flight, while looking directly into the rising sun, the morning mist became almost impenetrable. So when the pilot flying lined up on the bold black asphalt taxiway, out of a right 180 approach circling turn and not the concrete runway, which, by lack of contrast with the surrounding runway environment, had literally become camouflaged by the mist, I was not surprised. “Go around,” seemed wise, as we were both fatigued. A salvage at that point would have been possible, I suppose, but unwise, so “Go around,” is what I said. The second approach and the landing by this great first officer PF was perfect. The explanation to tower was that we’d lost visual on the runway in the sun.
On another occasion, while breaking out of a stormy night overcast at the end of a seven hour international flight, the first few white lights we saw, just happened to be lined up in a row and had red flashing lights atop. This image looked like something near or around an airport, but in a moment I realized it wasn’t the runway environment at all. The lights those of a nearby athletic stadium parking lot.
Just a moments distraction can be very difficult to recover from when things are happening fast. Fortunately for us, in another moment we had the real runway environment in sight and we landed safely.
So how can a pilot avoid landing on the wrong runway during 43 years of flying? I would champion communications. Yes, simply good and ongoing and free-from-restrictions communications between the PF and the PM. 1. Brief what to expect during the approach brief: various lights, configurations, markings and signage around the runway environment. 2. Always, always, always tune up the ILS, just to have good glide slope and the localizer support. This is free and invaluable. Never bypass this step. 3. Double check and brief magnetic headings. Many runway configurations at large aerodromes can be confusing especially if you are doing a circling approach. 4. Keep talking during the approach with the flight crew, give everyone a chance to say what they are thinking. You’ll be surprised what golden nuggets can save your bacon. 5. Use the electronic magic, but only as a tool, not as a crutch. Plan also wha to do in the event that you loose all electrics. Know what to do. It’ll save you once or twice in 40 years of flying. 6. Most of all remember to communicate with your crew, with ATC and your inner gut feelings. When everything is lined up right, you will know. If you are at all confused, say something, ask the PM or ask tower if you are lined up correct. It costs nothing to ask. 7. Trust your instruments, not because they are electronic, but because you’ve set them up right, you’ve cross checked them, you’ve gotten a good audio morse-code ID check, and the maps, both paper and electronic, all line up with what you are seeing outside. 8. Lastly, if you see something out of place, say something! You might be the only member of the crew, who at that point in time, has the correct picture, ensuring your flight does not line up to land on a taxiway.
Visit Skybrary for training resources on a wide range of operational issues, human factors and other subjects. By incorporating these training tools into your commercial operation, you may be able to drive your operation towards zero mishaps.✈️