Version 10 – July 2016

Viewers of  Air Crash Investigators program have asked me many questions including:

• Why didn’t we evacuate the A380 immediately after stopping on the runway in Singapore?
• What are my views about the Malaysian MH370 incident?

My answers centre around how I gather, judge, store and use data.

Empirical Skeptic

I am an Empirical Skeptic.

I am motivated by facts, not by presumptions, assumptions, bias nor group think.    I assess new information for its authenticity, provenance and trustworthiness before judging whether to accept or to reject it.

In this regard I adopt Richard Dawkins’ view:

“That which can be asserted without evidence, can be dismissed without evidence.”

Tom Haueter, a  former NTSB investigator says that we should keep an open mind when trying to draw conclusion in an absence of data.  One data point changes the direction, one data point changes everything.   What we think we know today can and probably will change with the arrival of the next rumour or fact, and in our new connected world we are being flooded with “facts“.

In today’s society where everyone with a mobile phone is a journalist, the Golden Hour has gone and there has never been a greater need for full and open disclosure of the facts and personal guarantees.   We should also remember Ronald Reagan’s words:

“Trust but Verify”.

The incidents of MH370, MH17 and QZ8501 reinforce the vital roles that leaders and media must take during a crisis.   The truth is unfortunately the first casualty after most air crashes.  Everyone must restrict their focus to the facts.  We need hard facts not assumptions, presumptions and false leads dressed up as facts because eventually only one data point is needed to unwind  the time wasted following a false assumption.

Look for the underlying facts and data the next time you hear about something that scares you.  Be suspicious of all information provided without references.

Hacker

I am also a hacker.

You need to know your systems to their cores if you hope to be resilient when the black swan event strikes.

Today’s mechatronic systems comprise many layered architectures from many suppliers.  Aviation manufacturers provide pilot manuals (airframe, engine, avionics) that are high level user manuals and light reference manuals rather than deep reference manuals.   Our personal knowledge is therefore being increasingly narrowed to our local abstracted layer. The pilots’ layer is everything in the cockpit and cabin.  We don’t know very much about, and are not invited to investigate the technologies behind the switches, engines and wings.

Failure is not just an option, failure is guaranteed

No one knows it all.  We have an intrinsic trust in the software and hardware engineers to give us tools that are bug free and reliable.  Therein lies the problem.

 

Our broad knowledge of hardware and software is declining.   Aircraft engineers for example are being progressively abstracted away from their machines.  When things go wrong in the air, pilots rely on a “spare” to continue to the destination.  On the ground, engineers  then interrogate the built in test equipment (BITE) codes to tell them which “line replaceable unit” (LRU)  to replace.   We lose the wisdom to look through failures and see the underlying causes if we just use BITE to tell us which LRU to swap.  Bad things happen when the BITE is faulty.  A simple problem such as contaminated oil or fuel might thus be treated by a many changes of peripheral systems such as pumps and sensors.  A simple indication of high vibration might be missed as a sign of an impending high pressure compressor blade failure, that subsequently caused engine four to explode and at least a ten million dollar recovery bill  (QF32 page 104).

Today’s mechatronic systems are so complex, structured and layered that debugging and proving every option is now impossible. Failure is not just an option, failure is guaranteed.

Resilience for these complex systems is not in preventing failures, because we can’t.  Resilience is knowing how to recover from the unknown with little or no knowledge about what, how or why it’s failed.  This is why it’s good to be a hacker.

I am a hacker.  Hackers have independent frame of mind with a dopamine powered thirst to dig and search for knowledge and  facts deeper than the user manuals and guides.  Hackers don’t expect to be given or ask for deeper data, they go find it themselves.

I pull apart machines and reverse engineer software to discover and understand multi-layered systems to their core.   My aim is to understand systems deeper than the user guides so that when things go wrong, that I might be able to weave my mind to see through the layers and architectures to identify the real problem, then fix or bypass it.

I don’t know what will fail next.  So I don’t know if or how I will fix it.   However I am confident we will survive if  we have time and team’s deep intelligence and creative hacking skills to work the full problem.

QF32 – To evacuate or not to evacuate?

Critics have commented: “de Crespigny should have evacuated the QF32 passengers quickly down the slides rather than delay and disembark them down the steps.   The fuel pooling under the aircraft should have caught fire”.

Armchair quarterbacks are the first to offer criticisms from a distance in the absence of facts.   They were not there.  They didn’t have the mental model, the situation awareness and often the skills of the victims who have to make the best decisions in absence of complete data in the “fog of war”.

Roy Ford, my wonderful father-in-law often tells me:  those who “assume” make an “ass” of yo”u” and “me”.

We had a different reality on the “front line”. The firemen and ground engineers were our eyes and ears to the aircraft for the two long hours that we sat on the ground before the last passenger disembarked the aircraft. The firemen gave us information about the fuel leaks and any presence of fire.   They kept us informed.  We kept the passengers and crew informed.

We waited to be told if there was fire.   We were never told that there was fire.

We had assimilated much knowledge over our long careers that would perhaps become relevant:

We knew that the aircraft was certified to evacuate 873 passengers and crew through half the 16 exits in just 90 seconds.   In reality Airbus did not just satisfy this requirement, they excelled by evacuating everyone 12 seconds faster than certification required!   In our case we had all  16 exits available.  We carried only 440 passengers and 29 crew.  So theoretically, it could have taken between 21 to 25 seconds to evacuate 469 through all the doors.

Gasoline and jet fuel have very different qualities. Jet fuel is actually very hard to ignite and keep alight!

• Jet fuel has a “flash point” (fuel temperature at which vapour can be ignited) that is at least 80 degrees Celsius higher than the flash point of gasoline.

• Jet fuel “blows out” like a candle flame in a wind of just 40 kmph.     Frank Whittle, the inventor of the gas turbine engine, discovered this as he was unable to stabilise flames inside his first engine until he enlisted Shell’s help.   Keeping the engine alight is still one of the greatest challenges in today’s latest generation jet engines.     Inside an A380’s $20m Rolls-Royce  Trent 900 engine in the cruise, the outside air must be slowed from 925 km/hr (500 knots) to swirl around each of the 20 fuel nozzles in the combustion chamber at no more than about 35 km/hr!  The F111’s classic dump and burn at Sydney’s Olympic Closing Ceremony, was only possible because the engines’ after-burners were engaged to  constantly ignite the jettisoned fuel.
• A moving flame front over jet fuel spreads at only 10% of the speed that a flame front spreads over gasoline.   The “flame spread” speed of military, normal jet fuel and gasoline is about 6/30/230 metres per minute respectively.   The “Die Hard” fantasy film’s scene that showed a “fuse” of flame moving along a track of jet fuel training behind the hijacker’s aircraft is just that – fantasy!
  

  Inside one of QF32’s 11 fuel tanks.  Anti-static leads earth all fuel pipes to prevent static discharges.  Enlarge this image to view a fraction  of the massive shrapnel damage to the aircraft.   (Photo ATSB Report)

• Jet fuel has a much higher electrical resistance than gasoline.   In our case this means that passengers walking through the pools of fuel can generate sufficient friction to create static discharges within that fuel.   The principle is the same as as the electrical discharge that you feel when you walk over carpet then press an elevator button.   Even the friction of jet fuel flowing through fuel pipes is sufficient to create discharges inside those pipes – hence the reason for the many grounding leads inside fuel tanks as per the photos opposite.  (Click here to see static discharges in volcanic plumes)

Eight fire trucks surrounded our aircraft.   The fire trucks were loaded with foam and water to protect the aircraft fuselage, the passengers and their escape path.

Evacuations are dangerous.

My studies show on average about 15% of the passengers are injured when evacuating normal jet aircraft.

The A380’s doors are higher than doors on normal aircraft.   The Main and Upper Deck door sills are 5.3 and 8.0 metres above the ground respectively.  (Four percent of the passengers were injured in the latest Avro RJ100 passenger evacuation at London.   RJ100 door sills are about one quarter as high as A380 door sills.)

Many passengers injure their lower limbs during evacuations.   If a person stops or fails to clear the bottom of the slide, then following passengers crash feet first into those at the bottom, breaking their hips/legs and adding to the malaise.

Evacuations are more dangerous than suggested during certification trials.    When Airbus certified the A380, they had to evacuate all 853 passengers and 20 crew down half the exits within 90 seconds.   Congestion is a real problem at the bottom of the slides, particularly at the rear of the aircraft where the over-wing and rear exists converge to a small ground space.  Ten evacuation slides converge behind the A380’s wing.  Airbus was prepared for the congestion.   Airbus positioned eight staff at the bottom of each slide, four on each side with the sole responsibility to care for and prevent passengers congesting at the bottom of the slides.   You can see these assertive helpers in this video below:

The A380’s evacuation certification test was considered a success.   With 96 Airbus support ground staff  helping at the bottom of just half the slides the passengers suffered only one broken leg and a few light injuries.

These were real risks for us on board QF32 as we had many wheelchair and elderly passengers on board, with a toxic scene and no trained slide help outside.

To evacuate or not to evacuate – that is the question

It can take courage to commit to a right action when an easier, more accepted but also more harmful solution is present.

The previous points are relevant because we faced new threats when we stopped our A380 on the runway.  We needed different knowledge, training and experience to identify, rate and process these new risks and to make the best decisions.

The decision whether to evacuate not not to evacuate requires synthesising your lifetime of knowledge and experience, weighing it against with dynamic threats.  When disaster strikes the aim is to keep your team calm, together and making the best decisions for your circumstances.  Though your decisions might change from one day to the next, your priority and ultimate responsibility remains the same – to protect your crew and passengers.

We faced two significant threats; the possibility of fire and the toxic environment outside if we evacuated down the slides.  Timing was critical.

• If fire had been confirmed, then we were prepared to evacuate the passengers down the slides under the protection from the eight fire trucks and emergency services.   It’s not a pretty thought of the elderly and wheel chair passengers jumping onto, then sliding down a 45 degree sloped slide from an 8 metre (3 story) high floor.
• We tried to mitigate the toxic environment outside the aircraft.   We called for aircraft steps to avoid the injuries that would result from an evacuation using the slides.   We also  requested buses to ensure that we would keep the passengers away from the pooling fuel, the running engines and the fire trucks.  We tried to shut down number one engine that was still running.  Fire services was spreading foam over the spilled fuel and water over the hot brakes.

The threats reduced rapidly as the fire services covered the fuel and cooled the brakes.   The passengers and crew were still safer on board our aircraft than outside the aircraft.

The rest is history.  There were no injuries.

Success during black swan events is ultimately measured in survival.

Armchair Quarterbacks

Building  a plan in the absence of facts can result in incorrect decisions and actions and potentially dangerous outcomes.

Just before my book went to print, the ATSB informed me that after we had stopped, that the four brakes (brakes numbered 1, 2, 5 & 6) on the left wing slightly inboard from Engine 2 (and under the fuel leaks) were COLD.    All four brakes were between 30-40 degrees (ambient) Celsius!

We did not know on the day of the event that these brakes were cold.  We didn’t know that the brake’s sensors and wires had been damaged by the explosions.  We did not know that these four brakes would also be 100% useless for stopping us on the runway that day – but that discussion is for another day.

I was not able to include this information about the COLD brakes in my book “QF32”.   It would have been a Criminal Offence to release this privileged information before the ATSB published its Final Report on QF32.   The left wing brake temperatures are now shown in the ATSB report at page 240 – although the reader would have to look carefully to notice it, and few have.

We reacted dynamically to mitigate the threats that challenged us on the ground that day; what we saw, what we knew, but never what was presumed.     We did not presume that a fire was present or that it would erupt.    We wanted proof.   We knew the environment was toxic outside the aircraft, so we mitigated the threats.

How many passengers and crew would have been injured if  we had evacuated on the presumption that there would be a fire?

Other Views

1. …  a wing had been perforated, there was fuel all around the aircraft.  [They] made the decision, unique to my mind, to not evacuate the passengers.   [They] waited until the fire crews had secured the site.   To me, that flight was the finest example of mastery of the aircraft”. (Captain André Turcat)
2. Given that there was no indication of an immediate threat to the safety of those on board, and that the option of an immediate evacuation remained throughout, the crew’s decision to evacuate via the stairs likely provided the safest option. With the uncontrolled No. 1 engine, fuel leakage hazard and the large number of passengers, the airport emergency services action to control the passengers in proximity to the aircraft reduced risk to the passengers themselves, the crew and emergency services.A safety study of emergency evacuations carried out by the US National Transportation Safety Board (NTSB/SS-00/01, 27 June 2000) found that 8% of the people involved in the evacuations studied sustained injuries during evacuation (2% serious and 6% minor). A number of the injuries were related to the emergency type (for example, smoke inhalation from a fire) while others were directly related to the evacuation, such as fractures.  (ATSB report of the QF32 incident, page 30)
3. If there is a bigger safety message to be drawn from these incidents than the technical analysis done by the ATSB, it is that a perforce costly and continuing and renewing investment in pilots trained to deal with the unexpected upset situations that stalk all airliners comes with incalculable safety benefits for airlines .  Your people are your best and most vital asset.  (Ben Sandilands)

Reflection

It’s now three years after QF32 and only a few weeks after the shocking Malaysian tragedy.

I share the world’s grief.

I am continually asked: “what do you think?”

My answer has never changed:

• Our news feeds are flooded by rumours innuendos and noise.
• Pilots live or die based upon how they respond to facts.
• I’m an Empirical Skeptic.  I react only to facts and I don’t have enough facts!
• I remain incredulous of the spin, conspiracy theories and speculation.
• I don’t know!

I’ll then repeat these guiding words from Robert Heinlein:

What are the facts? Again and again and again — what are the facts?

Shun wishful thinking, ignore divine revelation, forget what “the stars foretell,” avoid opinion, care not what the neighbors think, never mind the unguessable “verdict of history”

What are the facts, and to how many decimal places?

You pilot always into an unknown future; facts are your single clue. Get the facts! 

See also

The Golden Hour

The Media Circus around MH370

Technical – QF32’S Hydraulics, Apollo 13 and the “Fog of War”

Technical Lessons from QF32

IFALPA says “Stop speculating about MH370“

 See also

 IFALPA says “Stop speculating about MH370“