
The article is complex and well written, but I am a bit perplexed by the victorious tone and never-ending praise of safety. It resembles a sales pitch a bit too much, even though no one is selling anything. Maybe it's unintentional, and being around salesmen just does that to people.

If you are like me, you've probably said “hmm…” to yourself multiple times when certain things were mentioned, because those were things that actually didn't work (that they were left intact really boosts the credibility of the author). From calculation software that had never ever been tested with out-of-ordinary data to the computer keeping the broken engine running. From pure luck with fuel tanks being almost full and unable to explode to absence of any physical kill switch to stop the engine. An hour being generously available to go through ALL the checklists to clear the notifications. An hour of passengers and crew staying on top of the puddle of fuel hoping that nothing would ignite it. Finally, pure randomness in debris flying the way it did. It's not a story of “layers of safety” overlapping, it's a story of “layers of randomness” overlapping.

What would be really interesting is a distribution of outcomes for all possible trajectories of debris, i. e., how (un)lucky they actually were. I guess corporations don't release models like those to the public.

Also, that special chamber for the oil filter requiring precise drilling of a perfectly fine pipe seems “ewww” to me. It is not serviceable anyway without reinstalling everything from scratch, as far as I understand, so why not make it a single piece?



The author is positive because of all the safety layers that existed and stayed intact, despite how flawed humans and companies are. The culture of looking at previous accidents like the UA232, where they lost an engine and ALL controls with it, meant the A380 control system was engineered to take even more damage and it worked.

I do agree, though, that it did not spend enough effort focusing on the areas to improve:

- A computer controlled engine that runs for 60 seconds while on fire, and lets a dangerous part spin too fast. It seems like something that should have been covered ahead of time.

- An engine manufacturing process that is so complex it’s almost impossible to validate.

- A fault management system that only shows you 1 or 2 at a time when you have 40.


> - A fault management system that only shows you 1 or 2 at a time when you have 40.

As long as the system prioritizes the warnings/cautions with the most pressing ones shown first, this is a very good thing. In a high-stress situation, you don't want the pilots to have to deal with figuring out which of the 40 warnings need to be taken care of first.


…none of which happened. Checklists are not made for “prioritization”. Checklists are not made for “high-stress situations”. They simply had to do that because that was the intended way to diagnose a complex black box. If you don't have an hour to hang in the air, bad luck. There is an obvious unusable model of operation, and you praise it for being good… because someone said it's good?


We're not talking about checklists. We're talking about the ECAM warnings/cautions/advisories display. It's a well-known fact that overwhelming human operators with large amounts of information all at once is a bad thing -- even just in aviation, there are numerous examples. That's why there's a 'clean cockpit' rule that the FAA enforces; distracting pilots with either useless, or extraneous and not immediately actionable information, on average, causes worse outcomes. Checklists largely come into play once you start acting on the ECAM warnings.

Also, as the article says, the pilots did their job following the aviate, navigate, communicate mantra. They first made sure they had the appropriate time to follow the checklists, and only then did they proceed to follow them.

There's over 100 years of aviation experience backing many of these procedures and approaches to dealing with problems. Many are hard-won with literal blood and lives.


The situation can be described simply as «no one had expected such a grand connectivity failure to happen, so The Computer and The Manuals were not as helpful as they could be in finding out what worked and what didn't». That's it. Why are you coming to me like you are a manager with 50 volumes of printed bureaucratic runarounds under his belt?


> The situation can be described simply as «no one had expected such a grand connectivity failure to happen, so The Computer and The Manuals were not as helpful as they could be in finding out what worked and what didn't». That's it.

Did we read the same article ogurchik? This situation was not simple, and the computer and manuals were as helpful as they could be given the unknown situation.

All I was trying to point out is that your assumption about the ECAM system may be ignoring some reasons for why it works that way. No need to be a salty pickle about it.


I suspect the ECAM only showing a couple of failures at a time is a design feature, not a flaw, to prevent overwhelming the crew as they work through them.


> the computer keeping the broken engine running

That’s on purpose, you don’t want an automation to decide such a drastic move as shutting down an engine. That’s the pilot’s decision.

> absence of any physical kill switch to stop the engine

There is, you shut down the fuel flow with a valve. But that “kill switch” was damaged.

> An hour being generously available to go through ALL the checklists to clear the notifications

Again, pilot decision to do it if time is available. Isn’t it safer that way?

> pure randomness in debris flying the way it did

Well that’s the nature of the failure. It’s like complaining that which HDD fails in a datacenter is random.

> outcomes for all possible trajectories of debris,

Yes it’s not public data, but all possible trajectories are analyzed at the design stage, and structural and systems components are kept segregated accordingly.


I'm not an idiot (citation needed). I can see that a storm unplugging some imaginary tiny heartbeat cable, which in turn shuts down all the engines instantly, is not how planes should operate. What I don't understand is the approach to defend status quo, and pretend that “randomness is now conquered”.

It seems to me that fixing one complex problem creates 10 other complex problems. They can be rare, but it's ignorant to shift focus from them.


I've read dozens of Admiral Cloudberg articles, and when you do so you notice a pattern: in old aviation crashes, a single error or a single part failure usually took down a plane with tens of dead bodies. Also the story of how and why the sterile flight deck started in response to some crashes where the pilots were distracted talking. In modern aviation accidents, it seems very unlikely. Even with an engine exploding, the pieces ripping half the cables, a wing, the fuel reservoir, hydraulics, and the airplane is still almost perfectly flyable and landable. Do the same to any car, where nothing is redundant, and let's see how well it performs.

The beauty of it is that everyone in aviation seems eager to learn and build on errors. This event prompted new actions that make future flying even safer, despite having no victims.


That's the problem. Even if there were victims, one could've written the exact same article about “flying even safer”.


The victorious tone comes in my opinion (though I'm projecting a bit) from this graph[0].

There has been very systematic and deliberate effort to better aviation safety DESPITE commercial pressures.

The Swiss cheese means that there are many more layers of randomness that have to line up. Many of those layers came from previous accidents. Those layers are not random at all. Also none of those layers are hole-free.

If that disk had disintegrated differently a potentially different set of layers would have applied. Would it have meant fatalities? Possibly. Would it have instantly blown up the plane? We don't know.

But it is pretty obvious that had many of those layers not existed then the chances of a much more disastrous outcome would have been much higher.

[0] https://upload.wikimedia.org/wikipedia/commons/e/ef/Fataliti...


And on other aviation systems we do examine multiple failure modes. For example, a round going through the fuselage of an Apache, tumbling and smashing and causing spalling, thousands of simulated trials. Then coupled physics models that look at dozens of unintended interactions, avgas squirting out onto electronics, hot manifolds, etc.

There is a whole field of Fault Tree Analysis that looks at how adjacent faults can propagate into unrelated components, then Event Tree Analysis to determine what will happen next. Models that assess robustness against failures even when we have no idea how the failure will occur.

Reliability of cyber physical systems is a constantly evolving field, lots of recent work on concepts like probabilistic model checking, ML for anomaly detection, resistance to cyber attacks, and so on.
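The fault-tree reasoning mentioned in the comment above, as an added example that is not from the article or any commenter: a tiny fault-tree evaluator with AND/OR gates, run on a constructed tree in which an engine's two shutdown paths can each fail on their own or be cut by one shared debris strike (the probabilities and event names are constructed, illustrative assumptions). It compares textbook gate arithmetic, which treats the two paths as independent layers, with an exact enumeration that counts the shared common cause once; the gap between the two numbers is the "layers lining up" point the thread keeps circling.

```python
import itertools
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Basic:          # leaf event with its (constructed, illustrative) probability
    name: str
    p: float

@dataclass(frozen=True)
class Gate:           # "AND" (all inputs must occur) or "OR" (any input suffices)
    kind: str
    inputs: tuple

def naive_probability(node):
    # Textbook gate arithmetic; silently assumes every input is independent.
    if isinstance(node, Basic):
        return node.p
    ps = [naive_probability(c) for c in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)

def _basics(node):
    # Distinct basic events under a node; a shared event is collected once.
    return {node} if isinstance(node, Basic) else set().union(*map(_basics, node.inputs))

def _holds(node, state):
    if isinstance(node, Basic):
        return state[node]
    vals = [_holds(c, state) for c in node.inputs]
    return all(vals) if node.kind == "AND" else any(vals)

def exact_probability(node):
    # Sum the weight of every state of the basic events in which the top event holds.
    basics = sorted(_basics(node), key=lambda b: b.name)
    total = 0.0
    for bits in itertools.product((False, True), repeat=len(basics)):
        state = dict(zip(basics, bits))
        if _holds(node, state):
            total += math.prod(b.p if on else 1.0 - b.p for b, on in zip(basics, bits))
    return total

# Constructed tree: the engine cannot be shut down only if BOTH shutdown paths are lost,
# and each path is lost by its own fault OR by one debris strike that severs both.
DEBRIS = Basic("debris_severs_wiring", 1e-4)
FUEL_VALVE_PATH_LOST = Gate("OR", (Basic("fuel_valve_fault", 1e-3), DEBRIS))
FIRE_BOTTLE_PATH_LOST = Gate("OR", (Basic("fire_bottle_fault", 1e-3), DEBRIS))
CANNOT_SHUT_DOWN = Gate("AND", (FUEL_VALVE_PATH_LOST, FIRE_BOTTLE_PATH_LOST))
```

With these constructed numbers the independent-layers figure is about 1.2e-6 while the exact figure is about 1.0e-4, since the shared debris event alone defeats both paths; the enumeration is exponential in the number of distinct basic events, which is fine for a tree this size.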


There is more than one way to interpret this history of “triumph of technology and human mind”, yada yada.

This flight can be seen as an expensive (thrilling, entertaining, newsworthy, etc.) experiment on live subjects whose outcome was not controlled by existing tools and procedures.

The same for everything before to which it is compared so lightheartedly.

Please don't forget that your image shows a giant graveyard.


Looking at your other comments it seems that you are just arguing out of habit or stubbornness so there is not much point in trying to point out aspects that might bring nuance to it.

Have a nice day.


That this plane was maneuverable despite a massive engine explosion that took out 65% of its roll control surfaces is absolutely a victory of the engineers of that aircraft. I was shocked when I read that.

Sheer dumb luck was certainly involved. Those discs could have cleaved the plane in half to say nothing of the humans in its way but somehow missed most of the plane entirely. We definitely need to count every single one of those blessings. It's hard not to be positive when such an episode ended with zero fatalities, zero injuries even.


To me it’s impressive because presumably shards of debris cutting through so many distinct parts of the plane at the same time like this is a rare thing compared to more localized failures which the plane would be designed for. Yet all the different failsafes still worked enough to get the plane safely to the ground.


It is very common and encouraged to add a "What went well" in post-mortems. This is not a pat yourself on the back moment. It is to reflect on what failed and what didn't.


I guess it's a glass half full type situation. There's a lot of universes where that plane did not make it back and a lot of decisions aligned to ensure that it did.


They do have multiple kill switches to stop the engines, up to dumping a bunch of flame retardant into it which makes it impossible to restart. The problem was that all these systems for the #1 engine were rendered inoperable by the damage caused by the failure of the #2 engine.

Certainly there was a fair bit of luck involved as well.
