How technology prevented a major aviation accident

The Times of India paper dated 20.4.17 carries an article of a near miss incident involving two planes with hundreds of passengers that came less than nine kilometres and roughly 15 seconds from each other over Varanasi before the ACAS (Airborne Collision Avoidance System) sounded an alarm and told the pilots what to do. It appears that one of the planes decended more than what he was told to do and thus allegedly caused the near miss. The incident is under invetsigation.
However the role that technology played in avoiding a disaster is highlighted in the incident. The ACAS, automatically scans for other planes that are in a collision course and warns pilots to take timely evasive action. The ACAS systems in each plane talk to each other and order one plane to descend and another to ascend, thus preventing a collision.

 
Contribute to the surviving victims of Bhopal by buying my book "Practical Process Safety Management"

NTSB Safety Alert Urges Pilots to ‘See and Be Seen’ in the Air

NTSB Safety Alert Urges Pilots to ‘See and Be Seen’ in the Air

The safety alert has parallels in Process Safety. I feel that with overdependence on automation and technology, plant operators also are slowly forgetting how to run a plant!


Contribute to the surviving victims of Bhopal by buying my book "Practical Process Safety Management"

After string of jet crashes, a struggle to re-train pilots - Reuters

 After string of jet crashes, a struggle to re-train pilots
http://www.reuters.com/article/2015/01/09/us-indonesia-airplane-training-insight-idUSKBN0KI2B520150109

Shared from News on Flipboard, your personal magazine.
Get it for free to keep up with the news you care about.

 

Contribute to the surviving victims of Bhopal by buying my book "Practical Process Safety Management"

Lithium ion battery runaway reactions

 After the completion of investigation of the battery fires incidents in the 787 aircraft, the NTSB has concluded the following in its report available at http://www.ntsb.gov/doclib/reports/2014/AIR1401.pdf:
 
"The NTSB identified the following safety issues as a result of this incident investigation:
Cell internal short circuiting and the potential for thermal runaway of one or more battery cells, fire, explosion, and flammable electrolyte release.
This incident involved an uncontrollable increase in temperature and pressure (thermal  runaway) of a single APU battery cell as a result of an internal short circuit and the cascading thermal runaway of the other seven cells within the battery. This type of  failure was not expected based on the testing and analysis of the main and APU battery that Boeing performed as part of the 787 certification program.
However, GS Yuasa did not test the battery under the most severe conditions possible in service, and the test battery was different than the final battery design certified for installation on the airplane. Also, Boeing’s analysis of the main and APU battery did not consider the possibility that cascading thermal runaway of the battery could occur
as a result of a cell internal short circuit.

Cell manufacturing defects and oversight of cell manufacturing processes.
After the incident, the NTSB visited GS Yuasa’s production facility to observe the cell manufacturing process. During the visit, the NTSB identified several concerns, including foreign object debris (FOD) generation during cell welding operations
and a postassembly inspection process that could not reliably detect manufacturing defects, such as FOD and perturbations (wrinkles) in the cell windings, which could lead to internal short circuiting. In addition, the FAA’s oversight of Boeing,
Boeing’s oversight of Thales, and Thales’ oversight of GS Yuasa did not ensure that the cell manufacturing process was consistent with established industry practices

Thermal management of large format lithium ion batteries
Testing performed during the investigation showed that localized heat generated inside a 787 main and APU battery during maximum current discharging exposed a cell to high temperature conditions. Such conditions could lead to an internal short circuit and cell thermal runaway. As a result, thermal protections incorporated in large format lithium ion battery designs need to account for all sources of heating in the battery during the most extreme charge and discharge current conditions. Thermal protections include (1)recording and monitoring cell level temperatures and voltages to ensure that exceedances resulting from localized or other sources of heating can be detected and addressed before cell damage occurs and (2) establishing thermal safety limits for cells to ensure that self heating does not occur at a temperature that is less than the battery’s maximum operating temperature.

Insufficient guidance for manufacturers to use in determining and justifying key assumptions in safety assessments.
Boeing’s EPS safety assessment for the 787 main and APU battery included an underlying assumption that the effect of an internal short circuit within a cell would be limited to venting of only that cell without fire. However, the assessment did not explicitly discuss this key assumption or provide the engineering rationale and justifications to support the assumption. Also,as demonstrated by the circumstances of this incident, Boeing’s assumption was incorrect, and Boeing’s assessment did not consider the consequences if the assumption were incorrect or incorporate design mitigations to limit the safety effects that could result in such a case. Boeing indicated in certification documents that it used a version of FAA Advisory Circular (AC) 25.1309, “System Design and Analysis” (referred to as the Arsenal draft), as guidance during the 787certification program. However, the analysis that Boeing presented in its EPS safety assessment did not appear to be consistent with the guidance in the AC. In addition, Boeing and FAA reviews of the EPS safety assessment did not reveal that the assessment had not (1) considered the most severe effects of a cell internal short circuit and (2) included requirements to mitigate related risks.

Insufficient guidance for FAA certification engineers to use during the type certification process to ensure compliance with applicable requirements.
During the 787 certification process, the FAA did not recognize that cascading thermal runaway of the battery could occur as a result of a cell internal short circuit . As a result, FAA certification engineers did not require a thermal runaway test as part of the compliance demonstration (with applicable airworthiness regulations and lithium ion battery special conditions) for certification of the main and APU battery. Guidance to FAA certification staff at the time that Boeing submitted its application for the 787 type certificate, including FAA Order 8110.4, “Type Certification,”did not clearly indicate how individual special conditions should be traced to compliance deliverables (such as test procedures, test reports, and safety assessments) in a certification plan.

Stale flight data and poor quality audio recording of the 787 enhanced airborne flight recorder (EAFR).
The incident airplane was equipped with forward and aft EAFRs, which recorded cockpit audio data and flight parametric data. The EAFRs recorded stale flight data for some parameters (that is, data that appeared to be valid and continued to be recorded after a parameter source stopped providing valid data), which delayed the NTSB’s complete understanding of the recorded data. In addition, the audio recordings from both EAFRs during the airborne portion of the flight were poor quality. The signal levels of the three radio/hot microphone channels were very low, and the recording from the cockpit area microphone channel was completely obscured by the ambient cockpit noise. These issues did not impact the NTSB’s investigation because the conversations and sounds related to the circumstances of the incident occurred after the airplane arrived at the gate and the engines were shut down, at which point the quality of the audio recordings was excellent.

The NTSB determines that the probable cause of this incident was an internal short  circuit within a cell of the APU lithium ion battery, which led to thermal runaway that cascaded to adjacent cells, resulting in the release of smoke and fire.The incident resulted from Boeing’s failure to incorporate design requirements to mitigate the most severe effects of an internal short circuit within an APU battery cell and the FAA’s failure to identify this design deficiency during the type design certification processes."


Contribute to the surviving victims of Bhopal by buying my book "Practical Process Safety Management"

India's aviation safety mechanism likely to remain downgraded | Business Standard News

India's aviation safety mechanism likely to remain downgraded | Business Standard News


If this is the state with aviation safety, we in the chemical industry should be extra careful.

Contribute to the surviving victims of Bhopal by buying my book "Practical Process Safety Management"

Similar flight numbers spark scare - Times of India

 http://timesofindia.indiatimes.com/india/Similar-flight-numbers-spark-scare/articleshow/45053195.cms

See the human factors in the above article.

Contribute to the surviving victims of Bhopal by buying my book "Practical Process Safety Management"

Technology in Aviation

Process safety and aviation are commonly linked through automation and not to mention, the human!.  A plane is a very interesting pressure vessel which is subject to cyclical pressures and rarefied atmospheres.Read an article on how cabins in planes are pressurised and provided oxygen so that we don't pass out at high altitudes in this link.


 Contribute to the surviving victims of Bhopal by buying my book "Practical Process Safety Management"

Senior pilots were asleep until minutes before Air France crash disaster

Senior pilots were asleep until minutes before Air France crash disaster

 Contribute to the surviving victims of Bhopal by buying my book "Practical Process Safety Management"

Are your SOP's clear?

There are lessons to learn from an aborted take off recently at Hong Kong airport. The aircraft commenced takeoff not on the assigned runway but parallel taxiway. The air traffic controller noticed the airplane accelerating on the taxiway and ordered the aircraft to stop. There was no other traffic on the taxiway at the time of the serious incident.A news report mentions the following:
"Hong Kong's Civil Aviation Department (CAD) released their final report concluding the probable causes of the incident were:
- A combination of sudden surge in cockpit workload and the difficulties experienced by both the Captain and the First Officer in stowing the EFB computers at a critical point of taxiing shortly before take-off had distracted their attention from the external environment that resulted in a momentary degradation of situation awareness.
- The SOP did not provide a sufficiently robust process for the verification of the departure runway before commencement of the take-off roll.
- The safety defence of having the First Officer and the Relief Pilot to support and monitor the Captain’s taxiing was not sufficiently effective as the Captain was the only person in the cockpit trained for ground taxi'.

Are your SOP's clear and are your operators trained to handle spurts in workload that occur during an emergency?

Read the news article in this link.

"Automation Addiction" in flying and its relation to process safety

Joan Lowy of AP has written an article mentioning the following:
'Pilots' "automation addiction" has eroded their flying skills to the point that they sometimes don't know how to recover from stalls and other mid-flight problems, say pilots and safety officials. The weakened skills have contributed to hundreds of deaths in airline crashes in the last five years.
Some 51 loss of control" accidents occurred in which planes stalled in flight or got into unusual positions from which pilots were unable to recover, making it the most common type of airline accident, according to the International Air Transport Association.
"We're seeing a new breed of accident with these state-of-the art planes," said Rory Kay, an airline captain and co-chair of a Federal Aviation Administration advisory committee on pilot training. "We're forgetting how to fly."
Read the article in this link.

This has direct relations to the Chemical Process Industry. With so much automation in our idndustry, I am sure that operators are really forgetting their troubleshooting skills in the event of an emergency. Dr Trevor Kletz has always propounded that things must be kept simple and the way process control manufacturers are developing and implementing "solutions" for process safety, it leaves me dumbstruck. In another post, I had written that today I see operators who are becoming "procedural robots" during emergencies and plant upsets. This is a dangerous situation. Simulators do help in keeping operators skills up to date but management often thinks that it is a waste of money. Cluster simulation training ( for processes that have the same licensor) could be started, with companies pooling in for a common simulator training facility.

Cutting cost at what cost?

Recently, a low cost airline has been grounded in Australia allegedly for safety violations. In the chemical industry, too, cutting cost and maintaining competitiveness is the order of the day. But how can you cut cost without compromising process safety? Many organizations have institutionalized risk based approaches towards cost cutting initiatives. But I find that competency of the personnel using such approaches is key to its success. Top management oversight of such risk based approaches can be effective only of someone at the top understands process safety and the implications of a cost cutting change or modification . I often observe some cost cutting changes slipping through such risk based approaches as they were wrongly evaluated by the person doing the evaluation. Ensure you have robust risk management systems and more so, that a person at the top management level is providing management oversight of the whole process. This person must be competent in process safety and risk based approaches. You cannot compromise on this. Act before it is too late. At least the aviation industry has someone external to it to oversee its safety. But in the Chemical Industry, organisations must watch out for this.

Aviation safety and Chemical Process Safety- Different approaches!

I was reading a press release by the Press Information Bureau about the improvements made by the civil aviation minsitry one year after the fatal Mangalore air crash. The report mentions the following:
"A Civil Aviation Safety Advisory Council (CASAC) was formed on May 28, 2010 with the mandate to strengthen aviation safety environment through synergisation of available expertise in areas of airlines, airworthiness, operations, air navigation, aerodromes, aircraft engineering, human performance. Special invitees to the Council include FAA, ICAO Experts, IATA, Airbus, Boeing, Bombardier etc. This is an ongoing initiative under the Chairmanship of Secretary (Civil Aviation). The Council gets its technical inputs from working groups covering Operations (Fixed wing and helicopter sub-Groups), Aerodromes, Air Navigation Services, Airworthiness General Aviation and Helicopters. Based on the reassurance drive several issues in the three areas of aerodromes, operations and airworthiness came up. Immediate actions to address the deficiencies have been taken up during the past one year. Several safety related circulars have been issued and implementation ensured. These include presence of Cabin crew in cockpit in case of one pilot leaving the cockpit, Cabin Crew to interact with pilots on intercom during period of lean cockpit activity, in the event of incapacitation of PIC, copilot to take over control and in the event of PIC not responding to calls of copilot regarding ‘go around’, assertiveness by copilot to be encouraged. Regulatory provision for penal action for reporting for duty with alcohol consumption has been made. Pilots are being subjected to Breath Analyser test prior to flights. License are being suspended for three months in case of first BA positive and on second BA positive instance, the licence is cancelled.
In a move to step up the quality of training Captains, the period of Instructorship/ Examiner-ship has been restricted to 5 years with proficiency check every 2 years. Increased oversight for selection of trainers, quality of training imparted by trainers, integrity of simulator training have been introduced. Breath Analyser Test has been mandated for approval of Training Captains and Pilots with BA ‘positive’ report have been debarred from becoming Training Captains. Existing Training Captains if found BA ‘positive’ are debarred from training Captain list for three years.The process for approval of foreign pilots has been made stringent wherein background checks are being done to ensure that these pilots have accident free record. The experience requirements for the foreign pilots have been enhanced and the pilots are subjected to Proficiency Checks before approval is granted by DGCA. These pilots are being subjected to same medical standards as the Indian pilots."  Read the press release in this link
While appreciating the efforts taken by the Government in improving air safety, I could not help comparing the status of process safety management in India after the Bhopal disaster, when compared to developed nations. The PSM rule which is mandatory in USA since 1992 is still not mandatory in India......

Where there is a human, there will be an error!

A report in the Hindustan Times about the investigation of a fire in Air India flight on September 4,2009 points out the following:
"A probe by the aviation regulator has found several safety lapses by Air India staff while evacuating 213 passengers from a Mumbai-Riyadh flight after a fire broke out in the aircraft on September 4, 2009. The Directorate General of Civil Aviation (DGCA) concluded that the AI's aircraft maintenance engineer failed to notice a fuel leak from the left side of aircraft before clearing it for take-off. "The engineer had left the bay without giving the final take-off clearance because it was raining," the report said.
Second, the airline ground staff were unable to report the fire to the pilots because the cockpit crew had switched off the radio communication equipment, violating the airline's operation manual. Worse, both the pilots left the aircraft before the evacuation process was complete and not a single cabin crew member was deployed at the end of the inflated emergency slides to assist passengers.
The report also blamed the airline engineers for failing to check the aircraft's fuel channel during routine inspection. "Constant wear and tear caused massive fuel leakage and fire," said the report.
An airport follow-me vehicle informed the air traffic controller on duty about the fuel leak but he wasted significant time in alerting the pilots, the report stated. "As per rules, the controller should have called the aircraft crew by its registration number but it kept calling the flight number," read the report.
The cockpit crew switched off the aircraft engine but was late to start the evacuation process. The cabin crew also overlooked hand signals about the fire from the ground staff."

It always takes a series of human errors to trigger an incident. In the chemical industry also, a similar situation exists. Pressure on production, lack of rest, overloading of equipment, communication gaps and top management disconnects are often common cause reasons for incidents.

Read the news report in this link.

Incident Investigations in India - Aviation and Chemical

A news article mentions that an independent committee will henceforth investigate aviation incidents in India. The article mentions

"Currently, DGCA officials conduct probe into most of the accidents. "The same authority cannot be the prosecutor, investigator and the judge," said Zaidi, referring to the need to keep the DGCA away from probe into accidents.
In the last two months, the DGCA has been trying to make the investigation process transparent. For the first time in India, investigation reports of two serious incidents were made public. The first one was the November 2009 Kingfisher Airlines ATR aircraft runway overrun accident at Mumbai airport.

The second involved the Air India Express Dubai-Pune flight, which plunged several feet after the commander left the cockpit and the first officer could not handle the flight controls.
However within days of making the reports public, the DGCA had to pull them off its website after several technical questions about the quality of the probe were raised by air safety experts. For instance, the DGCA investigation report called the Kingfisher Airlines case a "serious incident". Going by International Civil Aviation Organisation's definition though it was clearly an "accident
Currently, DGCA officials conduct probe into most of the accidents. "The same authority cannot be the prosecutor, investigator and the judge," said Zaidi, referring to the need to keep the DGCA away from probe into accidents".
It is high time that accidents in the chemical industry in India are also investigated by an independent agency.

Read the article in this link.

Diving to disaster - lessons from the Air India incident

O   On 26.5.10, Air India express flight (Boeing 737-800 NG aircraft) from Dubai to Pune, when on normal flight, suddenly plunged from 37000 feet to 30200 feet. The commander of the flight had over 6000 hours of flying with 870 hours on similar type of aircraft while the copilot had total of 1310 hours with 968 hours on similar type of aircraft. The commander was 39 years old and the copilot was 26 years old. The commander went out of the cockpit to the washroom after the plane was on autopilot. He was only out for a few seconds when the plane started diving down. The copilot was not responding to open the cockpit door. Finally the commander opened the door with an emergency access code and entered. The flight was then stabilised and landed safely later. The reasons for the incident was that the copilot, while adjusting his seat, inadvertently pushed the control column, resulting in the plane diving down. He then reportedly panicked and could not open the cockpit door for the commander to enter. The investigation report has great parallels to process safety. On reading the report the following facts emerge:

1. The commander when asked why he left the cockpit to the washroom without asking the cabin steward to be in the cockpit (as is standard practice in the aviation industry – not to leave any pilot alone in the cockpit) reported that it was not in the SOP.
2. The co pilot has reportedly told investigators that he panicked when the dive occurred and the overspeed alarm was blaring.
3. The simulator training given to qualify the pilots does not include the scenario of autopilot engaged and control column pushed inadvertently.
4. The position of chief of training for Air India has been lying vacant since June 2008.

Lessons to be learnt:

1. Make sure your SOP’s are current
2. The age of the copilot was 26 years old. He panicked when the situation occurred as he was not trained to handle the situation.Make sure your control room operators are properly trained in all scenarios. Use simulator training to educate them
3. Make sure critical positions like process safety, training and HR (other than operations) are filled up with competent personnel.

Read the full report in this link. Kudos to the DGCA for putting the report up on their website!! The transparency of the government may, I hope, slowly result in the formation of an investigating agency like the CSB for investigating chemical incidents in India!

Lessons in Process Safety Management from aviation incidents

Two air accidents that I have been tracking closely is the Air India express Mangalore air plane crash and the Qantas Airbus superjumbo incident in Singapore. Details of the CVR recordings from India express crash now reveal that the pilot had slept for 90 minutes during the flight and was suffering from “sleep inertia” when he was attempting to land. How many of you consider your poor shift crew in this light? When I was working in shifts, I have experienced this sleep inertia even though I had slept well during the day.
A news article about the Qantas Superjumbo Rolls Royce engine incident it was a “worst case scenario” when one of its four engines exploded. The article reports that the crew were inundated with 50 error messages. However for the pilots, luck was on their side, there was no fire, and they managed to land the plane safely.
''It could have been much, much worse,'' says Richard Woodward, a Qantas A380 captain and a vice-president of the Australian and International Pilots Association. ''It could probably be termed a one-in-100 million event with bits and pieces going everywhere.''
Smith, a two-time chairman of Australia's aviation watchdog, says it was lucky QF32 did not become a repeat of the Concorde crash in 2000.
Smith says that the public has come to expect the impossible - aircraft being fail-safe. ''It is almost like people believe that flying in the air is perfectly safe. Even the most disciplined person can make an error - it is the same with design.''
''One of the things in aviation safety is 'hindsight bias'. It is so easy after an accident to say they should have known,'' says Thomas Anthony, the director of aviation safety at the University of Southern California.
''It is part of the problem of new engines and new aeroplanes. Change is a frequent precondition to error,'' Anthony says. ''When you are changing things you really do need to have a very robust change management process to identify potential problems.''
The above accidents had direct parallels to process safety. Learn lessons from them!
Read the articles in these links
Air India Express Crash
Qantas Superjumbo incident
PS: I have a deep interest in aviation safety as my Dad was a pilot and I have spent many days in the cockpit with him when I was young!

Pilot Error and Process Safety Management - The human connection

Today's paper indicates that Pilot's error caused the helicopter carrying Chief Minister Y.S.R to crash.The investigation report indicates "The cockpit voice recorder showed that there was poor crew resource management among them at any given stage of flying". They noticed a snag in transmission pressure on the instrument displays but failed to co-relate it with other indications associated with the snag. Both of them were busy trying to find out the cause of the snag, with the result that they were not aware that they were veering off course. Crew Resource Management (CRM) is a big issue in the cockpit of a plane or a helicopter. In simple terms, it is how jobs are shared during an emergency.
CRM is very relevant in chemical plant control rooms also. I have witnessed incidents due to wrong actions taken by control room personnel as there was no clear direction who would do what. Having said that, it becomes very difficult to compartmentalize actions during an emergency in a chemical plant. The practical solution to this is to have a senior control room operator monitoring the actions of the DCS operators and guiding them. The senior control room operator's job is like a conductor in an orchestra. Control Room Resource Management is one area where plant simulators can be used to train the personnel.
Another point which is in my mind is the provision of a voice recorder similar to that of a cockpit voice recorder and a CCTV camera in the control room monitoring the actions of the personnel during an emergency. Now I know this is going to get a lot of brickbats thrown at me but the purpose is not to spy on them. It is to make improvements in Control Room Resource Management after emergencies.