Alaska Airlines Plane Had Bolts Missing

 

Last month, we blogged in this space about the Alaska Airlines flight that lost a door plug and decompressed at 16,000 feet on January 5.  The aircraft involved was a Boeing 737 Max 9, and the door plug was recovered in the back yard of a Portland, Oregon resident.  Fortunately, no one was killed, although several minor injuries resulted, and the plane landed safely.

 

On last Tuesday, the U. S. National Transportation Safety Board (NTSB) announced that its investigators determined that the four bolts which retain the door plug in place were missing before it blew out.  Documents obtained from Boeing and its supplier Spirit AeroSystems show a sequence of events that points to a serious manufacturing problem, if preliminary indications are borne out by subsequent investigations.  At this point, here is what we know, based on news reports and a preliminary report by the NTSB.

 

The 737 fuselages are manufactured at a Spirit facility in Wichita, Kansas, which used to be owned by Boeing.  In 2005, Boeing spun it off to an investment firm, but it still makes fuselages and ships them via extra-long railcars to one of the main Boeing assembly plants in Renton, Washington State.  The fuselage of the plane in question arrived in Washington in August of 2023.

 

At the Renton plant, it was found that five rivets near the port-side door plug were damaged and had to be replaced.  To access the rivets, it was necessary to remove the door plug.  Except for the fact that it has no handle and other fittings that would make it a usable door, the door plug fits in the fuselage like a regular door.  There are twelve "stop pads" which engage with fittings on the plug, but in order for it to move like a door, the plug must be free to move away from these pads.  A regular door has a separate locking mechanism to keep it attached to the plane, but in the door plug, it appears that instead of a locking mechanism, four bolts retain it in place.  Without these bolts, the only thing keeping the door plug in place is the mechanical integrity of the stop-pad pins and other machinery that is not designed to keep it there, but to let it move when needed.

 

After the defective rivets were replaced by Spirit personnel at the Boeing plant, a photo was taken of the completed work.  This is the photo that shows three out of the four door-plug bolts were definitely missing (a fourth location was concealed by insulation, but that one was probably missing too, based on evidence from the recovered door plug). 

 

These events took place in September of 2003.  The aircraft was delivered to Alaska Airlines on Halloween of 2023, the end of October.  Somehow the door plug managed to stay in place for a number of flights through November and December, but by January 5, the stop pads and associated parts had fatigued with repeated pressurizations enough to fail at 16,000 feet.  If the plane had been at a cruising altitude of 35,000 feet when the plug blew, the depressurization could have sucked many passengers out and possibly crashed the plane.  So this incident was an extremely close call.

 

As a teacher, I am continually impressed with the need for an ability that is unique to humans:  the ability to pay attention.  I impress this need upon my students, but every time I grade exams, I discover what happens when attention is not properly directed, or directed on the wrong things.  Boeing and Spirit obviously have extensive procedures in place to manufacture, assemble, and inspect aircraft.  And nearly all the time, these procedures work.  But every procedure is useless if the human minds carrying them out do not perform them according to the rules. 

 

Clearly, it was someone's duty to document with a photograph the rework of the five damaged rivets.  But it is so easy to see how someone, even an inspector whose main job was to certify the correctnesss of a repair, would have his or her attention focused on the rivets, and not on the door plug only a few feet to the rear of the rivets.  The NTSB inspectors, focused as they were on the door plug, saw immediately from that photo that someone had forgotten to install the retaining bolts before the insulation and interior finish materials were installed.  And probably the first time the bolts were put in, before the rework procedure, somebody checked to make sure they were there.  But this time, because things were slightly out of the ordinary during the rivet rework, that small but critical act of looking to see if the bolts were in place was omitted.  And once everything was buttoned up, nobody could tell from outside that the bolts were missing.

 

This raises a question that occurs to a person who has disassembled and reassembled many pieces of equipment over the years.  When a technician removed the bolts to take out the door plug and gain access to the rivets, where did those bolts go?  On a workbench?  In a pile of similar bolts?  It seems like if they were just sitting around after the job was done, that would get somebody thinking about where they belonged.  This is the kind of seemingly unimportant detail that suddenly becomes significant, and I'm sure that some NTSB personnel are asking similar questions of the people involved in the rework.  I would not want to be one of the technicians who get grilled.

 

Modern technological means of documenting manufacturing processes have made it easier to trace actions such as the ones the NTSB is investigating.  In the old pre-digital-camera and pre-email days, investigators would have had to rely only on recollections of mechanics, and it's very unlikely anyone would have taken pictures at every step of the process or produced documents with as much detail as electronic data can include these days. 

 

Still, it's not robots who assemble airplanes, it's people.  And people (and robots) can make mistakes, especially when they are doing something out of the ordinary such as rework, where it is impossible to write procedures for every contingency and people are trusted simply to do the common-sense good thing.  The only problem here is, that wasn't quite good enough.  Fortunately, the consequences were a lot more benign than they could have been, and the accident can serve as a warning, or encouragement if you like, that no matter how trivial an inspector's work may seem, it can save lives—or lose them.

 

Sources:  I referred to an Associated Press report on the NTSB findings which appeared Feb. 6 at https://apnews.com/article/boeing-emergency-landing-report-alaska-airlines-8543c90b68b4d932a700cf57ff8f1b8e.  The preliminary NTSB report itself is at https://www.ntsb.gov/investigations/Documents/DCA24MA063%20Preliminary%20report.pdf.  I also referred to the Wikipedia article on Spirit AeroSystems.

East Palestine, Ohio: An Abnormal Accident

 

When a wheel bearing overheated on a train carrying five tank cars of vinyl chloride through East Palestine, Ohio on Feb. 3, a sequence of events began that turned into a major accident with nationwide political implications. 

 

Overheated bearings (so-called "hot boxes") are not new to railroading.  With the thousands of wheel bearings in use every day, it's almost inevitable that some of them will fail by running hot and basically grinding themselves to pieces.  What is new in the last few decades are a number of safety devices that the railroads have installed to deal with overheated bearings. 

 

The Ohio train's bearing was sensed by three track-side hot-bearing detectors.  The National Transportation Safety Board (NTSB) has determined that one sensor noted the suspect bearing was warm (38 F above ambient, which was a cold 10 F) about twenty minutes before the derailing occurred.  Ten miles and 12 minutes or so later, it had heated up to 103 F above ambient.  The detector system's threshold was set so that these readings did not set off an audible alarm in the cab.  But the third sensor's reading of 253 F did.

 

By that time, it was too late.  Trains up to a mile or more long can't be stopped on a dime.  Three crew members were on the train, all in the lead engine.  By the time the engineer stopped the train, they could see fire and smoke behind them.  The train dispatcher authorized the crew to set hand brakes on the lead cars and move the front engines a mile or so down the track to safety. 

 

A total of 38 railcars had left the tracks, and the ensuing fire damaged 11 more.  Firefighters determined during the following two days that some intact tanks of vinyl chloride were heating up.  This chemical, which is used to make the ubiquitous plastic PVC (polyvinyl chloride), can undergo a spontaneous polymerization reaction that can cause an explosion.  To avoid that dire consequence, firefighters released the vinyl chloride into ditches they had dug nearby and burned it. 

 

Subsequent news coverage has dealt with the environmental consequences of the release of vinyl chloride and other toxic chemicals into the air, water, and soil around East Palestine.  One news report says monitors have estimated about 43,000 animals have perished, but 38,000 or so of that number were non-endangered minnows.  Residents have complained of odd tastes in the drinking water and air, and extreme measures have been and will be taken to clean up the extraordinary mess that several tank cars of toxic chemicals can make.

 

In an interview, NTSB chair Jennifer Homendy said that the accident was "100% preventable."  On the face of it, that makes railroad operator Norfolk Southern look pretty bad.  But exactly how could this accident have been prevented?

 

Certain safety requirements such as advanced braking systems for "high-hazard" trains that the Biden White House said the Trump administration removed would not have made a difference in this case, according to Homendy.  So attempts to turn the accident into a political football seem to amount to more smoke than fire, so to speak.

 

Norfolk Southern may rethink their thresholds for hot-box detectors.  This particular bearing seems to have gone from barely sensibly warm to disintegrated in less than 30 minutes.  The spacing and sensitivity of such detectors is a matter of engineering judgment, and accidents have a remarkable way of leading designers to reconsider safety precautions and adjust them so that the previous accident, at any rate, will not happen again. 

 

Too low a threshold on the detectors would mean that the trains are stopping needlessly, as a bearing may run warm for some unknown time before it fails.  Only the railroads have the statistics on these kinds of problems, but now that we know what can go wrong if the detection system doesn't stop the train in time, there may be a lot of readjusting going on in the future.

 

Some statistics from the Federal Railroad Administration cited by National Review say that train accidents caused by axle and bearing-related failures have fallen 59 percent from 1990 to 2019, largely due to the use of hotbox detectors.  So far from doing nothing about the problem, the railroads have been steadily improving their performance in this regard.

 

Sociologist Charles Perrow devised the term "normal accident" to express the type of mishap that very complex systems such as nuclear reactors can produce when multiple interacting parts do something that is very hard to predict, let alone forestall.  The East Palestine derailment was not that complicated.  But the system that should have prevented it failed in this case, and because of the particular cargo being carried, the consequences were awful. 

 

Despite an apocalyptic-looking crash scene, no one was killed or even injured in the derailment or fire.  This accident was far less consequential in that sense than the one, also involving derailed tank cars, that devastated the town of Lac-Mégantic, Quebec, on July 6, 2013 and killed 47 people.  So as bad as the East Palestine situation is, it could have been much worse.

 

Norfolk Southern is going to be paying for the consequences of this accident for a long time.  Already, millions of gallons of contaminated firefighting water have been shipped to Deer Park, Texas, where a specialist firm will inject it deep underground.  While some would question the propriety of this type of disposal method, Deer Park is in the middle of the most concentrated cluster of oil refineries and petrochemical plants in the U. S., and a little vinyl-chloride-contaminated water way beneath their feet will trouble Deer Park residents not at all. 

 

Someone will have to pay for all the contaminated dirt to be dug up and shipped somewhere else, and so East Palestine is getting more national attention and commerce, although of an undesirable kind, than the mayor and city council ever dreamed of.  While I hope that life returns to whatever passes for normal in eastern Ohio, East Palestine will never be the same again.

 

Sources:  I referred to the following articles:  the NTSB preliminary report on the accident at https://www.ntsb.gov/investigations/Pages/RRD23MR005.aspx, a CNN piece on the report at

https://www.cnn.com/2023/02/24/us/ohio-train-derailment-east-palestine-friday/index.html, a USA Today report at https://www.usatoday.com/story/news/nation/2023/02/24/east-palestine-train-derailment-fish-animal-deaths/11337404002/, a National Review article at https://www.nationalreview.com/2023/02/whats-going-on-with-the-ohio-train-crash/, and the Wikipedia article on "Normal Accidents." 

How Old Is Too Old? The Dallas Air Show Crash

 

On Saturday, Nov. 12, an estimated four thousand or more spectators gathered at the Dallas Executive Airport about ten miles south of downtown to watch a Veterans Day air show put on by the Commemorative Air Force (CAF).  The CAF is a volunteer organization dedicated to keeping older military aircraft flying.  Their motto is "Educate, inspire, and honor."  Most of their inventory of 180 planes worldwide comes from World War II, and prominently featured during the show was a B-17 Flying Fortress, one of only a handful left from WW II service as heavy bombers.  Also featured were P-63 Kingcobra fighter planes. 

 

Around 1:20 PM, the B-17 had just flown low over the airport where the spectators were gathered.  As shown in a number of videos posted after the event, a P-63 approached it from the rear and appeared to collide with the rear section of the bomber.  Both planes fell out of the sky within seconds, and a fireball and black smoke rose from the site of the crash.

 

In a news conference later that afternoon, CAF CEO Hank Coates could provide few specifics out of deference to the National Transportation Safety Board (NTSB), which was scheduled to take over the investigation that evening.  He said the bomber was "fully crewed" which normally means a crew of five.  Adding the pilot of the P-63 means that as many as six people probably died in the crash, which occurred over an empty field.  Information from the Allied Pilots Association confirmed that two of its former members had died in the crash. 

 

In his news conference, CEO Coates emphasized that although all their pilots are volunteers, they spend many hours in training and certification efforts, and often have 20 or 30 years of experience as retired military or airline pilots.  Nevertheless, something went wrong Saturday, and it will take the NTSB some time to figure it out.

 

Once it does, what then?  Let's try to get some perspective on just how dangerous flying CAF planes is.

 

Statistics provided by the NTSB in an Associated Press story of the crash indicate that from 1982 to 2019, 23 people died in 21 accidents involving World-War-II-era planes.  Mr. Coates indicated that the CAF flies an average of 6500 hours a year.  If we assume that has been the case for the past 40 years, we can do a little math to come up with the average fatality rate per million hours flown. 

 

An airline-safety website tells me that for commercial airlines, the current fatality rate is about 0.34 per million hours flown.  General aviation (private planes) is about 50 times worse than that—say 17 per million hours.  If my assumptions are correct, the fatality rate up to 2019 for the CAF is at least 95 per million hours, or about one fatality per 10,000 hours flown—more than five times that of general aviation.

 

Now, no type of aviation is completely safe.  Any human activity, even getting out of bed, involves some risk.  The question here is whether the good that the CAF does—and there is much to be said for it—is worth the risk of getting pilots killed, and the small chance of a much larger number of fatalities.  If the crash had occurred a few hundred yards away from where it did, hundreds of spectators might have been killed.

 

Some will say that the risk, however small, is an essential part of the activity.  If it wasn't at least a little dangerous, it wouldn't be nearly as much fun.  I am not a pilot—the most risky thing I do typically is ride my bike two miles on city roads every day.  So far my worst accident happened when I was looking at the gears of an unfamiliar bike I was riding and ran into a trash barrel.  I rolled off the bike and did an unintentional backflip.  My back was sore for a day or so, but there were no other consequences.  I haven't ridden that bike since, however.

 

I'm sure the FAA has some kind of certification processes for both the hardware the CAF flies and the pilots who fly them.  We will have to wait for the NTSB's investigation to complete before knowing what caused this particular accident: pilot error, mechanical failure, or some combination thereof.  But judging by their fatality rate, it's clear that mostly retired pilots flying seventy-year-old planes is not as safe as flying a 747 to London.

 

I am sympathetic with CAF members who spend hundreds of volunteer hours doing difficult and sometimes dangerous things to keep their old planes in the air and educate the younger generation about what machines and people flying them did during twentieth-century wars.  I love the feel and look of old hardware, and if the CAF flew antique avionics as well as antique planes I'd be right in there with them (unfortunately ,they have to have modern equipment in that department for safety reasons). 

 

At the same time, there will come a day when the hazards of flying piles of fatigued aluminum gets to be simply too dangerous.  We are about out of pilots who flew the planes during WW II, so those who fly them now have had to learn from their elders, and you have a small cadre of skills that has to be handed on in order for the whole CAF to keep flying.  It would be sad to see all that come to an end so that the only place you could see a B-17 would be in a museum, not making a horrible racket as it actually takes off from the ground. 

 

But in the nature of things, that day will come.  Who decides when it comes?  Ideally, the CAF itself, but the other parties involved—the NTSB and the FAA to name two—will have some say in the matter.  I can picture the magnitude of this tragedy leading to public calls for such shows to cease, and that would be a shame.  But it might happen.  The prudent thing is to wait for the NTSB report, and then take stock of the whole situation.  But prudence these days seems to be in short supply.

 

Sources:  I referred to an AP story on the crash carried at https://apnews.com/article/sports-texas-dallas-transportation-air-shows-28e06a464b1f200cfe22b58cc8fdd7f6, a CBS news report at https://www.cbsnews.com/news/world-war-ii-planes-collision-crash-air-force-wings-over-dallas-event-dallas-executive-airport-texas/, a report at

https://www.fox4news.com/news/dallas-executive-airport-crash, and data on aviation safety at https://philip.greenspun.com/flying/safety#:~:text=If%20you're%20really%20really,times%20safer%20than%20general%20aviation.

The Thin Line of Trust: China Eastern Airlines Flight 5735

 

Back in March, we blogged about the crash of China Eastern Airlines Flight 5735, which crashed on March 21 during a flight from Kunming to Guangzhou, killing all 132 people on board.  At the time, it was too early to draw any conclusions, as the investigations had just begun and the flight data recorders had not yet been recovered.  Within days, however, the voice and data recorders were found, and the data recorders were sent to the U. S. National Transportation Safety Board (NTSB) for analysis.

 

In April, rumors began to circulate in China that the crash was caused deliberately by someone on the flight deck.  These rumors were substantiated when several U. S. news outlets, including the Wall Street Journal and ABC News, reported in May that U. S. officials had determined that someone in the cockpit had pushed the control stick forward to initiate the dive from 29,000 feet that led to the crash.  The Civil Aviation Administration of China (CAAC) has neither confirmed nor denied these reports, while grumbling that "unofficial speculation" can interfere with the ongoing investigation.  Nevertheless, until further official information is made available, it looks like deliberate action on the part of someone in the cockpit may well have caused the crash.

 

The Wikipedia article on the crash lists the three members of the flight crew:  Captain Yang Hongda, who had been a Boeing 737 pilot since 2018; First Officer Zhang Zhengping, an award-winning commercial pilot with more than a decade of experience, including the training of 100 other pilots; and Ni Gongtao, a trainee with less than 600 hours of flight experience whose official duties were simply to observe the more experienced pilots. 

 

The psychology of a flight crew is a somewhat neglected but vital aspect of the smooth functioning of the team, who must cooperate effectively under both routine and emergency conditions.  Any time there is more than one person involved in a situation, there will be questions of authority and precedence.  That is why the very titles of the flight crew indicate a precedence of authority, the captain being in charge of both first and second officers. 

 

An excessively rigorous adherence to the priorities of rank can be detrimental, as the 1997 crash of Korean Air Flight 801 illustrates.  Despite errors the captain of that flight made in his approach to the Guam airport, he was not challenged by the other two members of the flight crew until six seconds before the crash, by which time it was far too late to do anything.  Since that time, Korean Air and other flight organizations have emphasized that the authority of the captain is not absolute, and if the other members of the flight crew see that the captain has made a mistake, they should take positive action to correct it.

 

But in the case of Flight 5735, it would be hard to believe that deliberate action to crash the plane would be taken by more than one of the three flight-crew members.  If we assume that only one of the three men on the flight deck decided to crash the plane, that raises several hard questions.

 

First, one would think that two men determined to save themselves and the passengers could overpower one man bent on destroying the plane.  While I have no details of how a 737 cockpit is arranged, it's hard to imagine a way that one man could impose his will on the others and remain at the controls, if the other two were determined to stop him.

 

As long as we're imagining things, suppose the suicide pilot, let's call him, somehow smuggled a firearm along with him, and threatened to shoot anyone who interfered with him?  That would be awkward, but conceivable.  And it's not clear whether pilots go through the same security checks that passengers do, and if they do, how easy it would be to evade them in order to carry a gun on board.

 

Neither of those scenarios seem too credible.  An interesting fact from the record of the flight before the crash is that it briefly leveled off around 8,000 feet before continuing its plunge into the mountains.  This might indicate a temporary turn for the better in the cockpit battle for the controls. 

 

Another possibility is that the suicide pilot shot or otherwise disabled the other two crew members before implementing his flight to doom.  This almost makes more sense, but it still leaves open the question of how he was able to disable them:  a gun?  Some kind of spray?  A struggle would still have to take place.

 

A second question is, which of the three flight crew members may have done it?  The award-winning Zhang Zhengping would seem least likely, having invested his life in his career.  The CAAC investigated the backgrounds of all three of the crew and found nothing unusual such as outstanding debt or personal troubles that would obviously account for suicidal intent. 

 

A third possibility is that someone from the passenger area broke into the cockpit and forced the plane to the ground.  This involves the question of how mechanically difficult such a feat might be. 

 

A cursory Internet search reveals that there are no private bathrooms in airliner cockpits, meaning that the door to the passenger area has to be open to allow pilots to answer calls of nature.  Updated regulations after 9/11 mandate that at least two crew members must be in the cockpit at all times, so for example, only one pilot on Flight 5735 could leave the cockpit at a time.  A patient terrorist with a first-class seat having a view of the cockpit door could therefore wait until the door opened and make a threatening move, perhaps holding a flight attendant hostage at knifepoint (assuming he could smuggle a knife on board).  But he would still have to overpower three determined flight crew members to do the dastardly deed.

 

Well, I think we've had enough of these dismal speculations for one column.  Suffice it to say that deliberate human action looks like the most likely explanation for the fate of Flight 5735.  We may never know much more than that, unless there are clues in the cockpit voice recorders that remain to be unveiled.  Despite all the modern technology that is deployed to ensure air safety, as long as people fly the planes, we have to trust those people.  And once in a very great while, someone decides to betray that trust.

 

Sources:  I referred to the article "Flight data suggests China Eastern plane deliberately crashed:  Wall Street Journal report" posted on May 18, 2022 at https://www.cnn.com/2022/05/18/china/china-eastern-crash-wsj-report-inlt-hnk/index.html.  I also referred to the Wikipedia article on Flight 5735.   

Design Flaw Identified in FIU Bridge Collapse

Back on Mar. 15 of this year, a new pedestrian bridge across a busy highway running through the Florida International University campus suddenly collapsed, killing six people and injuring eight more.  The bridge was fabricated as a single long concrete truss consisting of upper and lower decks connected by a series of diagonal and vertical struts.  Trusses are familiar elements of steel-bridge construction, but there are special design issues involved in making a truss out of concrete.  And according to an update issued by the U. S. National Transportation Safety Board (NTSB) on Nov. 15, it looks like someone may have made a fatal error in part of the design.

When we blogged on this accident back in March, it was already known that some cracks had shown up at the north end where the northernmost vertical member and the adjacent diagonal strut went into the bottom deck.  At the time, the construction supervisors held a meeting about the cracks, but the NTSB has successfully prevented publication of the meeting minutes before their final report on the accident can be issued, which probably won't be till some time next year.  The Miami Herald reports that after the meeting, a construction worker was sent out to tighten tension rods inside the diagonal strut.  This worker appears to be the one who died when the bridge collapsed.

The modern civil engineer has abundant design resources at his or her disposal:  computer-aided modeling and stress calculations, three-dimensional visualization and planning tools, and other computational aids that take a lot of the former drudgework out of mechanical and civil engineering design.  Such aids have made possible many recent designs that would have been difficult or impossible to create using the old manual slide-rule and design-table approaches. 

But even with all the computer assistance in the world, the information about a given design has to be understood and checked by human beings.  That is why most public civil engineering projects must have their designs approved by a registered professional engineer (PE), whose stamp or signature appears on the drawings.  That stamp puts the reputation of the engineer on the line:  it is a guarantee that the design will do what it's intended to do. 

Long chains of reasoning and responsibility lie behind every decision to approve a set of drawings.  Those chains may pass from person to person, or from computer output to person.  Computer-aided calculations answer such questions as, "If this particular junction of a strut and a vertical member is under that kind of stress, will it be able to withstand the stress with a reasonable margin of safety?"  Given that the inputs to tried and tested software are correct, the software should give the correct answer, assuming that the person using the software knows how to use it and interpret the results correctly.  Furthermore, the chain of engineering integrity requires that when the PE responsible for the overall design, the person whose stamp of approval appears on the plans, asks underlings if this or that part of the design is good, the underlings must give an honest answer.  And the PE must trust that answer, or rather, the persons answering for the integrity of the plans.

In any human organization, there is always the possibility of error.  Sometimes errors can be traced to a particular person, and sometimes they can't.  The NTSB has made sure that all available sample materials from the wreckage of the FIU bridge were tested to see whether they met the minimum specified strength and other standards.  And so far the results are all positive, so it doesn't seem that the collapse can be based on defective materials. 

The death or injury of bystanders in a bridge collapse is a tragedy regardless of whether the accident could have been prevented or not.  But if a design flaw really is the reason for the collapse, it will be ironic that the design, which has been termed "unorthodox" in the Herald report, was before its installation a point of pride for FIU's civil engineering program, which specializes in accelerated bridge construction of the type that was used on this bridge. 

Back when universities were smaller and more personal institutions, engineering faculty members would sometimes contribute their professional expertise to campus projects, helping in the design of new buildings or consulting professionally with regard to campus technical issues.  The FIU civil engineering professors do not appear to have been personally involved in this particular design, however, other than to give their informal approval of the general approach and construction methods.  In fairness, many bridges have been successfully built using on-site accelerated bridge construction, which does not appear to be implicated in the collapse.  But in this case, it might have been a good idea to have qualified faculty members go over the plans, and they might have caught any errors that contributed to the collapse.

However, that is not the way most universities operate these days.  Each professor has his or her own irons in the research and teaching fires that are lit under them, and to ask one of them to stop what they're doing and check some plans for a new building or bridge would be regarded as an unfair imposition on their time, and rightly so.  They might reply that there are professionals being paid to do that, and they would be correct.

But when professionals are paid to do a job, it's up to them to do it right.  According to the latest update from the NTSB, someone (or possibly something, if we include computers) failed in that responsibility.  And physical objects are not forgiving.  The warning signs were there:  cracks in the location that subsequently failed.  We hope that the NTSB will use the embargoed meeting report to figure out what went wrong, not only in the original design, but also in the management process that led to the fatal decision to try tensioning the strut without stopping traffic underneath the bridge.  But until the final report on the accident is issued, this accident stands as a reminder to everyone who deals with technology that could kill or injure someone—a reminder that the lives of innocent people depend on how well you do your job.

Sources:  The NTSB update of Nov. 15, 2018 can be found at https://www.ntsb.gov/investigations/AccidentReports/Reports/HWY18MH009-investigative-update2.pdf.  I also referred to the Miami Herald report on the update carried at https://www.miamiherald.com/news/local/community/miami-dade/article221706575.html.  My original blog on this accident at http://engineeringethicsblog.blogspot.com/2018/03/the-fiu-bridge-collapse-more-questions.html had an incorrect date for the accident, which has now been corrected.

Some Answers About the Panhandle Cornfield Meet of 2016

A “cornfield meet” in railroad parlance is a head-on collision between two locomotive engines.  Needless to say, such occurrences are avoided if at all possible.  But on the morning of June 28, 2016, two freight trains collided head-on in the Texas Panhandle, killing three people and causing an estimated $16 million in damage.  At the time I blogged about it, the only information available was news reports.  A few weeks later, the National Transportation Safety Board (NTSB) issued a preliminary report on the accident.  While the NTSB has not made public any additional data on the accident since then, the preliminary report makes clear that human error was likely at fault.

           

The BNSF line through the town of Panhandle is a single-track line, and two-way traffic is managed with a series of sidings.  The dispatchers, probably in the Fort Worth regional train control center, planned to switch the westbound train to a siding near the town, where it would remain while the eastbound train passed by on the main line.  If the eastbound train arrived in the area of the siding too soon, before the westbound train had time to move completely from the main line to the siding, two signals were set along the main line west of the eastern switch, where the westbound train was going to leave the main line for the siding.  The first signal the eastbound train encountered was solid yellow, which means for the engineer seeing the signal to slow the train to a maximum of 40 MPH and be prepared to stop at the next signal.  The second signal was set to red, which forbids the engineer from moving any part of the train past the red signal. 

So the plan was for the eastbound train to slow down at the yellow signal and stop at the red signal, while the westbound train arrived at the eastern switch and eventually cleared the main line by running onto the siding.

What happened instead was this.  Before the dispatchers had a chance to change the eastern switch from the main line to the siding, the eastbound train passed the yellow signal on the main line going at 62 MPH and the red signal at 65 MPH, heading through the switch on the main line straight for the westbound train.  When the engineer on the westbound train saw what was happening, he managed to jump from the cab.  But his conductor died in the resulting crash, as well as the engineer and conductor on the eastbound train.  The NTSB report somewhat ruefully notes that positive train control (PTC) was scheduled to be installed on this section of track later in 2016, although planned PTC installations have suffered repeated delays in the past.

PTC is a semi-automated system that promises to reduce the chances for human error in train operations.  A PTC system would have figured out that the two trains were heading toward a collision and would have at least slowed them down, if not preventing the accident entirely.  As it stands, the physical evidence points responsibility for the accident toward the crew of the eastbound train, as they failed to respond to the clearly visible yellow and red signals in time. 

We may never know what distracted them, but people make mistakes from time to time.  And some mistakes exact a fearful penalty. 

While even one death due to preventable causes is a tragedy, some context to this accident is provided by a slim volume I have on my shelves:  Confessions of a Railroad Signalman, by James O. Fagan, copyright 1908.  It was written at a time when railroad-related fatalities (passengers and railroad employees combined) were running at about 5,000 a year, a much higher rate per train-mile than today.  Fagan’s concern was that railroad employees of his day had to deal with on-the-job pressures that encouraged them to take risks and shortcuts that flouted the rules, and that the management system was ill-equipped to discipline misbehaving employees. 

While much has changed in railroading since 1908, any system that relies on a human being’s alertness can still fail if the person’s attention flags.  And that seems to be what happened outside Panhandle, Texas on that summer morning in 2016. 

If and when PTC is installed on most stretches of U. S. railways, the hope is that fatal and costly accidents will decline to even lower levels than what we see today.  The limiting factor after that will be mechanical malfunctions, perhaps, or dispatching errors at a high enough level to overrule the PTC system.  In any case, we can expect rail travel and shipping to be even safer than it is now, which compared to 1908 is pretty safe already.

Machines and systems are deceptively solid-looking.  It doesn’t seem possible that thousands of tons of steel rolling stock and rails can change very fast.  But the way it’s used can change, and PTC promises to do that.  Eventually, I suppose that the nation’s entire rail system will be run by computers and will resemble nothing so much as a giant version of a tabletop model train, running smoothly and without collisions or hazards.  Of course, automobile drivers will still manage to stop on grade crossings and people will walk on train trestles, so those types of accidents can’t be prevented even by PTC.  To eliminate those types of accidents, we’d have to tear up the whole system and rebuild it the way the English built their rail systems from the start:  fenced-off railroad property, virtually no grade crossings (tunnels and bridges instead), and other means to keep people and trains permanently separated. 

But I suspect we as a society are not that exercised to eliminate the last possible railroad fatality from the country.  So instead, we will enjoy whatever benefits PTC brings along and hope that we personally can stay out of the way of the trains. 

And modern-day cornfield meets will at last join their ancestors as a historic footnote, a quaint disaster that simply can’t happen anymore.  Like soldiers dying on the last day of a war, the crew members who died in the 2016 accident may be among the last to depart in that singularly violent way.  But for those of us who remain, and whose continued survival depends on our being alert, whether behind the throttle of a locomotive or the wheel of a car, this story is a good reminder to keep awake and pay attention.

Sources:  The NTSB report on the June 28, 2016 Panhandle, Texas accident can be found in the agency’s listing of railroad incident reports at https://www.ntsb.gov/investigations/AccidentReports/Reports/DCA16FR008-PreliminaryReport.pdf.  For those with a certain type of morbid curiosity, there is a collection of silent movies of three or four intentionally-staged cornfield meets between steam locomotives that can be viewed on YouTube at https://www.youtube.com/watch?v=CMpdpgZxt78.  Confessions of a Railroad Signalman was published by Houghton-Mifflin. 

Too Fast and Too Slow: The Washington State Derailment and Positive Train Control

After more than a decade of planning and construction, a new section of track was opened for Amtrak passenger service south of Tacoma, Washington on Dec. 18, 2017.  The old route that Amtrak trains used to take went northwest from Tacoma along the coast of Puget Sound, around a peninsula named Point Defiance, and then down the coastline several miles until it crossed Interstate 5 south of the small town of DuPont and headed south inland.  The new shorter route uses a bypass track that goes southwest of Tacoma and hugs I-5 for the rest of the distance, crossing the interstate south of DuPont.  There is a long stretch of fairly straight track just north of I-5 past a golf course before the track makes a sharp left turn to the south to cross the bridge over the freeway.

The problem with the old route was that a number of sharp turns and single-track tunnels slowed the Amtrak passenger trains down, making the Point Defiance section something of a bottleneck.  The project map on the Washington State Department of Transportation website for the Point Defiance bypass bragged that the top speed allowed on the new route would be 79 miles per hour.

Rail fans and others interested in passenger rail transportation made plans to be on Amtrak 501 as it left the station in Tacoma on the new route.  The engineer, whose name has not yet been released, was training another railroad employee who rode with him in the cab. 

In most parts of the U. S., trains are not operated in a completely automatic mode, although in many regions a system called Positive Train Control (PTC) is in operation.  PTC is a kind of robotic supervisory system that, among other things, constantly monitors a train's speed and intervenes if the train goes too fast for a particular section of track.  About 60% of all Amtrak trains use PTC, but in order for PTC to work, the track has to have sensors installed along it, and the Point Defiance bypass was not one of those routes.  So the engineer was solely in charge.

Around 7:25 AM, the train was running on the long stretch of straight track before the turn to the bridge over I-5.  A properly trained engineer knows what speeds are safe for which parts of a route, and knows when to apply brakes in anticipation of a lower-speed area ahead, as passenger trains can take several miles to decelerate at a rate that doesn't unduly disturb the passengers.  A video exists of what was going on in the cab in the last few seconds before the train reached the I-5 bridge.  The train was still going at the maximum route speed of 78 MPH.  Six seconds before the bridge, the engineer commented about the excesssive speed of the train, but by then it was too late.  The engine and a dozen other cars left the tracks, killing three, injuring dozens, causing numerous highway-traffic crashes (none fatal), and closing Interstate 5 for many hours.  The maximum safe speed for negotiating the turn was posted as 30 MPH.

Although the National Transportation Safety Board (NTSB) will not issue its formal report on the investigation of this disaster for many months, the preliminary evidence is pretty clear that the accident was caused by human error.  Something—possibly distraction in conversing with the trainee, possibly plain forgetfulness—made the engineer neglect to slow the train before the I-5 curve.  As numerous reports emphasized after the wreck, if the train had been using PTC, it would have automatically slowed down for the curve if the engineer had done nothing, or even if he had tried to keep the speed high.  And we have no knowledge of how many wrecks of both freight and passenger trains have been prevented by PTC, because by definition such incidents that don't injure or kill anybody don't get reported.  But it is clear in this case that the absence of PTC was a contributory cause.

Congress mandated the installation of PTC after the worst train accident in the last thirty years, a 2008 wreck caused by operator error that killed 24 people.  The original deadline for all passenger trains to be using PTC was 2015.  But as the deadline approached and railroads were lagging behind in their rate of installations—in fairness to them, due to problems with government regulation of necessary radio frequencies as well as other causes—they told Congress that if the deadline wasn't extended, they would simply shut down.  How serious this threat was, we'll never know, because Congress caved and moved the deadline to the end of 2018.  And under the current business-friendly administration, we can expect if the railroads ask for another extension, they're likely to get it.

Statistically, rail passenger travel is very safe overall, with the number of fatalities most years hovering in the single digits.  Still, nobody wants to be one of the six or seven people who get killed in a train wreck or hit by lightning—dead is dead, no matter how you go. 

A utilitarian approach to the issue of PTC and passenger trains might conclude that, hey, given the low number of fatalities, let's just allow things to go the way they're going, and eventually we'll have PTC everywhere and we won't have to worry about it.  But the expense per life saved is so high with railroads that we'd be better off using political and monetary capital fighting automobile traffic accidents or promoting self-driving cars.

That's one approach.  But another approach says, "Look, here's this technological fix that will cost the railroads money and trouble, but will almost completely eliminate what is the last major remaining cause of railroad passenger fatalities:  human error.  Let's bite the bullet and make a special effort, even spend some extra money, to fix this thing once and for all."  Maybe that's the engineering approach, or even the perfectionist approach (many engineers have perfectionist tendencies).  Yes, the absolute numbers of fatalities are small.  But deaths in a train wreck share with deaths in plane crashes a peculiar horror, in that you are completely bereft of control of the situation.  And in the case of train fans who simply wanted to experience a new route for the first time and ended up paying for their hobby with their lives—well, some ironies are too much to contemplate.  I have a good friend who, if he was not otherwise engaged that day, might well have been on that train, because he simply likes to ride trains.

Better training (pardon the pun) of engineers and faster completion of the installation of PTC are needed.  And maybe if these things happen, this will be the last fatal accident involving train passengers for a long time.

Sources:  I referred to several news items on the accident, including CBS News at https://www.cbsnews.com/news/amtrak-derailment-dupont-washington-video-shows-crew-not-using-electronic-devices/, a government-run transportation statistics site at https://www.rita.dot.gov/bts/sites/rita.dot.gov.bts/files/publications/national_transportation_statistics/html/table_02_42.html, a Washington State Department of Transportation map of the bypass route at https://www.wsdot.wa.gov/Projects/Rail/PNWRC_PtDefiance/Map.htm, and a report giving the time of the crash at https://www.washingtonpost.com/news/dr-gridlock/wp/2017/12/18/amtrak-train-derails-in-washington-state-rail-cars-fall-onto-interstate-5/. 

Hot-Air Ballooning Needs Down-to-Earth Regulation

On the morning of Saturday, July 30, 2016, a group of sixteen people gathered in a Wal-Mart parking lot in Central Texas before sunrise for what they hoped would be a thrilling and memorable experience.  Several of them were married couples or newlyweds.  Ross and Sandra Chalk were 60 and 55 but recently married, while John and Stacee Gore were both in their 20s and celebrating their third wedding anniversary that week.  Others showed up as a result of a birthday present given by a loving friend or relative.  All fifteen passengers were trusting balloon pilot Alfred Nichols to take them up in his hot-air balloon, give them a wonderful experience, and return them safely to earth.  But two out of three wasn't going to be good enough.

As often happens on summer mornings in this part of Texas, low clouds drifted through the sky.  But after a short delay, Nichols decided to fly anyway, and around 7 AM, shortly after sunrise, the balloon took off with fifteen passengers and the pilot.

Photos taken during the flight show patchy clouds and fog beneath the balloon.  Evidently Nichols decided to land near Maxwell, Texas, about forty miles southeast of Austin.  Utility-company records show that at 7:42 AM, something happened to trip a protective relay on a high-voltage transmission line crossing a cornfield.  First responders soon discovered that the balloon became entangled in the transmission line, caught fire, and crashed, killing all sixteen people aboard, including Nichols.  This was the worst balloon crash ever in the U. S., in terms of fatalities, and subsequent investigations have revealed some unsavory facts about Nichols and about the industry in general.

At a hearing held Friday, Dec. 9 in Washington, D. C., the National Transportation Safety Board (NTSB) presented documentation and evidence about the crash, which is still under investigation.  Toxicology reports show that Nichols had seven different prescription drugs at detectible levels in his body.  Prior to the crash, he had been convicted in Missouri of four charges of driving while intoxicated, and at the time of the crash was not allowed to drive a car in Texas.  Nevertheless, he held a valid commercial balloon pilot certificate.  Weather reports from the day of the crash show that the cloud ceiling had lowered to only 700 feet at the time of launch, and other balloon pilots present at the hearing agreed that they would not have flown under such conditions.  Nichols appears to have been a disaster waiting to happen.

We may be seeing a pattern that is all too familiar:  a new activity or business arises with no or minimal regulation, a tragedy results in headline-grabbing deaths, and only after the tragedy laws are amended to more properly regulate the activity or business.  Although hot-air balloons were the first form of human flight to be invented back in the 1700s, balloon rides were so infrequent, and the number of people involved so small, that a light-handed regulatory environment seemed to have sufficed for decades.  But this tragedy may mark the point at which regulations will catch up with the larger volume of customers taking rides in larger balloons that present a greater danger to more people than ever. 

The Federal Aviation Administration (FAA), recognizing these dangers, has established regulations for commercial hot-air balloon pilots, and makes them undergo rigorous tests, both on paper and practical ones in a working balloon.  But beyond that, pilots are largely left on their own to follow the elaborate advice in the 252-page Balloon Flying Handbook issued by the FAA.  Most commercial balloon operations are small, like the one-man show that Nichols ran, and lack the natural supervision that working for even a small charter-plane company would entail.  The solo nature of balloon flying, plus the fact that the same person piloting the balloon is probably the one who stands to profit the most if a full-capacity flight goes forward in hazardous conditions, means that there are built-in conflicts of interest in this type of flying that are not faced by pilots who work for major airlines, for example.  For this reason alone, one would hope that regulatory oversight would be at least as rigorous as it is for commercial charter-flight pilots of fixed-wing aircraft, not less.  As it is, however, there are not even any reliable statistics on how many flight hours are logged by commercial balloon pilots in the U. S., as some public-health experts researching the problem found in 2013. 

Part of the problem is that the regulatory question is caught in a turf war between the NTSB, which investigates transportation accidents of all kinds, and the FAA, which issues flight safety regulations and requirements for both flight equipment and pilots.  The NTSB has been pushing for tighter balloon-pilot regulations for years, but the FAA has so far refused to act, trusting to private balloon-pilot organizations to do self-enforcement.  In Nichols' case, at least, this kind of enforcement failed.

It's all very well to publish books of regulations and advice, but if enforcement is left solely up to the person who also stands to profit personally if the rules are flouted, the FAA is guilty of putting too much trust in fallible human nature.  Something along the lines of periodic background checks and even surprise drug tests should be implemented for commercial hot-air balloonists who take the lives of others into their hands.  Commercial balloons can carry as many as 32 passengers, and newspaper reports have pointed out that many charter and common-carrier fixed-wing aircraft don't carry that many passengers.  The bottom-line purpose of flight regulation is to protect the lives of passengers, and the FAA's creaky system for doing that for hot-air balloon riders crashed along with the sixteen people who lost their lives on that summer day.

Balloons tend to be associated in the public mind with fun, frivolity, and pleasant times.  The balloon Nichols was piloting had a big smiley face with sunglasses painted on it.  If people are going to continue to ride balloons for pleasure, we should make sure that they aren't putting their lives into the hands of someone who can't drive them to the takeoff point because of drunk-driving convictions.  I hope the FAA and the NTSB can work out their differences to revise hot-air ballooning regulations and policies so that the tragic crash last summer is the last one of that magnitude for a long, long time.

Sources:  I referred to reports of the NTSB hearing held Dec. 9, 2016 on the San Antonio Express-News website at http://www.mysanantonio.com/news/local/texas/article/NTSB-holds-hearing-on-balloon-crash-that-killed-10777463.php and KXAN-TV at http://kxan.com/2016/12/09/witnesses-recall-lockhart-hot-air-balloon-crash-that-killed-16/and http://kxan.com/2016/10/07/hot-air-balloon-regulations-unchanged-despite-deadly-crash/.  The paper "Hot-Air Balloon Tours:  Crash Epidemiology in the United States, 2000-2011" by S.-B. Ballard, L. P. Beaty, and S. P. Baker, was published in Aviation Space and Environmental Medicine in 2013 in vol. 84, pp. 1172-1177, and is available online at 

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4888601/

  The FAA's "Balloon Flying Handbook" is available as a download at https://www.faa.gov/regulations_policies/handbooks_manuals/aircraft/media/FAA-H-8083-11.pdf.

High Time for Satellite Tracking of All International Flights

This coming March 8 will mark one year since Malaysia Airlines Flight 370 disappeared from radar en route from Kuala Lumpur to Beijing somewhere over the Indian Ocean.  The wreckage has never been found, although communications experts used some almost accidental satellite-transponder data to estimate the last known location of the plane.  At the time, I recall thinking that if I was an airline and owned a number of high-value mobile assets known as airliners, I would want some way of knowing where each one was every minute or so, anywhere in the world.   After all, the technology for tracking the much cheaper assets called semi-trailer trucks has been around for years.  The little white domes on truck cabs report minute-by-minute locations to a data center where operators can pay a monthly fee to any one of a number of firms to keep tabs on shipments, and truck drivers too, for that matter.  But there is no international requirement for airlines to do the same.

Last week, the U. S. National Transportation Safety Board (NTSB) waded in with a recommendation for all passenger airliners to be equipped with improved location technology.  The board admitted it was motivated partly by Flight 370's disappearance, and called both for improvements in in-flight tracking and in "black-box" technology. 

The in-flight tracking part seems to be pretty straightforward technologically.  It would operate more or less the same way as the truck-tracking system.  Every minute or so, a GPS receiver on the plane would send its location to a satellite in view, and the satellite would relay that information to a data center, where it would be logged and made available in the event of an incident of interest.  The only slightly tricky part would be identifying which satellite to use.  But there are already geostationary satellites in orbit such as Inmarsat which provide virtually world-wide coverage, and the missing bits of Earth near the poles could be made up for by linking to numerous low-earth-orbit satellites in polar orbits. 

The technology is not nearly so much a hurdle as the cost and the peculiar structure of international aviation regulations.  The NTSB's recommendations went to the U. S. Federal Aviation Administration, and if the FAA adopts them they will be obligatory for all U. S. airlines—but nobody else.  Because the U. S. operates only a fraction of international flights over large bodies of water where the technology would be most useful, the idea will not succeed without international cooperation, and that means the International Civil Aviation Organization, or ICAO.

The ICAO is a United Nations body in charge of international standards for, well, civil aviation, as you might expect.  As such, its rulings have no force of law in individual countries unless the countries' own aviation regulations require that its carriers follow ICAO rules as well, which most do.  It was a 2008 ICAO ruling, for example, that required all air traffic controllers and flight crew members involved in international flights to be proficient in English.  I'm rather surprised that it took until 2008, but after all, everything takes a while at the UN.

The question is whether and when the ICAO might follow the NTSB's lead if the NTSB prevails with the FAA to make international-flight GPS tracking mandatory.  Enough alphabet soup for you?  The whole process—from tragic accident to technical recommendations to changes in laws and regulations—is typical of how safety technology develops in coordination with regulations requiring its use.  And the regulatory part is particularly tricky when it involves spending money.  The requirement that pilots speak English can be met by changing hiring practices, but GPS tracking will involve both up-front and ongoing expenses for new hardware—which itself needs to be standardized somehow—and rental fees to the commercial firms that operate the satellite transponders used to convey the location data.  Fortunately, we are not talking about large bandwidths here—the equivalent of a single cellphone text message every minute or so would be sufficient.  But coordinating all this will take some doing, and coordination of any kind at the level of the ICAO is a challenging and slow-moving process at best.  If they took till only seven years ago to agree on a common language for radio communications from international flights, the ICAO isn't going to churn out new GPS-location rules overnight, you can be sure. 

The other part of the NTSB recommendations concerns the nature of the onboard flight data recorders.  Now that video cameras and recording equipment are so inexpensive, the NTSB says we should have cockpit video as well as audio recorders, and that controls for the entire system should be inaccessible from the cockpit.  (There is some suspicion that the radar-transponder system of Flight 370, which works only within range of ground-based tracking radars, was intentionally disabled by the pilot.)  Also, the NTSB floated the idea (so to speak) that the flight recorders should be housed in buoyant housings and ejected upon impact so that they can remain on the surface, where their radio signals could be more easily received than the limited-range and limited-time sonar emissions that the units currently send out underwater. 

All these are good ideas, and if the FAA adopts them they will make an already safe U. S. air-travel system even safer, or at least increase the likelihood of finding any flights that go down in deep water.  And the information from such accidents is always valuable in preventing the next one, whether it was caused by mechanical failure, human error, or evil intent.

Nevertheless, I am not going to be holding my breath until the ICAO follows suit.  You would think that the international carriers themselves would have adopted something similar to the truck-tracking systems years ago, but there may be a mentality in place that makes such a system seem unnecessary because of the vanishingly small number of incidents in which it would turn out to be useful.  But once GPS tracking for international flights is in place, I bet folks find other uses for it, for things like fuel-economy efforts and even weather tracking.  But first, the ICAO has to get in gear, so stay tuned.

Sources:  The article "NTSB:  Planes Should Have Technologies So They Can Be Found" by Joan Lowy of the Associate Press was carried by numerous outlets, including ABC News on Jan. 22 at http://abcnews.go.com/Politics/wireStory/ntsb-planes-technologies-found-28409934.  I also referred to Wikipedia articles on Malaysia Airlines Flight 370, Inmarsat, and the ICAO.

Addendum Feb. 1:  Edwin Doetzal wrote me on Jan. 31 as follows:

"Your analysis of MH370 contained a couple issues:
Airliners do often have SATCOM tracking 'like trucks'.  On MH370, this system was turned off along with the radio transponder.
ADS-B is the new satellite based air traffic control system that will replace the radio based air traffic control system and is already being implemented through efforts by NAVCanada and ICAO.
What is currently in discussion are new systems such as AFIRS that would stream amounts of data automatically or by trigger in an emergency as well as explosive jettisoned FDR/CVR units.  Knowing where an aircraft was is of course not enough without the detailed DAQ information that might explain why the emergency happened and what action was taken by the flight crew.  A truck's limited DAQ can be retrieved from the ditch.  Please be assured that an airliner is a much more sophisticated system than a truck.
It was somewhat troubling to see such an article on an 'engineering ethics' blog.  With respect, it would seem that you are speaking outside your professional scope.  A retraction would appear appropriate.
Regards,

Edwin Doetzel

Lay Person"

It was careless of me to imply that airliners had no such tracking systems, and I apologize
for leaving that impression.  In the space I had, I meant to concentrate not so much on the technology as on the international coordination that would be needed to implement it uniformly so that flights such as MH370 would not slip through the cracks.  My thanks to Mr. Doetzel for the correction.