Why don't more planes crash?

I don’t feel like looking up the actual stats, but growing up in the 1980s and 90s it seemed like there was a major plane crash in the US about once a year. Today we go many, many years between serious crashes. It really is amazing how much safety has improved in commercial aviation over the past couple of decades.

That reminds me of a crash from I think the early 1970s, a United DC-8 if I remember correctly. The circumstances were somewhat similar to Avianca flight 52 in that they ran out of fuel after being put in an extended holding pattern. But in their case the captain apparently was completely oblivious to the fact that they were running low on fuel, and neither the first officer nor flight engineer felt comfortable pointing it out to him (as I recall the captain had a reputation of being a real asshole).

CRM principles (notably, the use of checklists) have been adopted in surgical operations. Encouragement of juniors (i.e. residents, nurses) to challenge surgeons when something is perceived to be wrong apparently has a ways to go.

https://www.sciencedirect.com/science/article/pii/S0007091218312819

Southwest Airlines was going to use this line in their TV ads but some killjoy decided against it.

When I read about a 747 being unceremoniously set upon the tarmac at, I think, Orly, it occurred to me that the simplest solution would be to have permanent gear pins that the gear would seat vertically onto by weight of the plane itself so that retraction would only be possible in flight.

This is very often true for disasters in general. National Geographic used to air a show called “Seconds from Disaster,” where plane crashes, building collapses, etc. were re-created. Very few disasters are the result of one thing going wrong; it’s usually a combination of 3-5 things going wrong.

This is a known phenomenon, sometimes called the “Swiss Cheese” theory. Think of slices of Swiss cheese, all having holes in them (falling through any of which could be fatal), but the slices are all stacked up and it’s less common for the holes in the slices to line up. Only when the holes in all of the slices line up do you get a serious mishap.

This is actually a good example of how airplanes are designed for multiple fail safes.

In many gear systems, the gear goes down and locks in an overcenter condition so that it is simply impossible to raise the gear with a substantial amount of weight on it - it would have to literally lift the airplane up to be able to retract.

In other aircraft, the gear will have squat switches that should disengage the gear switch when weight is on the gear. And, in large aircraft the gear will be safed on the ground with locking pins by the ground crew. So for the gear to go up on the ground, three independent errors would have to be made.

Also consider the case of the ‘Gimli Glider’, the 767 that ran out of fuel over Manitoba. It took a long chain of errors for that to happen:

I recall reading of a (near?) crash where a large jet had all the engines fail one after another. What? How can all the independent engine systems fail near-simultaneously?

According to the news report - the engines had all their lubricant changed at the same time by the same person - who installed the new filters incorrectly. Now I wonder if there is a new rule: “Stagger all of the service dates for redundant systems.”

A four-engine passenger jet experiences engine trouble, and the pilot comes on the intercom, saying, “Passengers, we apologize, but we have experienced an engine burn-out. The plane can still fly on the remaining three engines, but we’ll be delayed in our arrival by two hours.”

A few minutes later, the airplane shakes, and passengers see smoke coming out of another engine. Again, the intercom crackles to life.

“This is your captain speaking. Apologies, but due to a second engine burn-out, we’ll be delayed by another two hours.”

The passengers are agitated. Suddenly, the third engine catches fire. Again, the pilot comes on the intercom and says, “I know you’re all scared, but this is a very advanced aircraft, and it can safely fly on only a single engine. But we will be delayed by yet another two hours.”

A man in business class raises his voice and shouts, “This is ridiculous! If one more engine goes, we’ll be stuck up here all day!”

The Wiki page for the Gimli Glider even mentions the Swiss Cheese model. Even there, the Swiss Cheese model saved the day. For all the holes that lined up to make that incident happen, there were several more holes that didn’t line up that saved them.

Airplanes can glide when their engine(s) fail.
The pilot had glider experience.
There was an old abandoned airport within gliding distance.
That old airport was used by kids with their go-karts, but somehow the pilot managed to miss all of them.

Another interesting wrinkle…when apartheid in South Africa was a thing, they weren’t welcome to use the air space of a lot of African countries, so they flew around.

According to this video a special South African 747 had a fire on board. I guess these 747s are called “combis” for “combination.” They don’t use the entire seating area…they have a movable (?) wall behind the last row of seats and can load additional cargo there as needed. So the fire was in the cargo area but inside the same level as the passengers, not in the belly of the plane.

Had they been above one of those countries that disapproved of apartheid, would air traffic still have refused to let them land? It didn’t come down to that, but I imagine they’d make exceptions for emergencies.

According to the video they tried opening the doors to the outside in mid flight, hoping to clear smoke from the cabin.

Wikipedia says

At some point during the flight, believed to be during the beginning of its landing approach, a fire developed in the cargo section on the main deck which was probably not extinguished before impact. The ‘smoke evacuation’ checklist calls for the aircraft to be depressurised, and for two of the cabin doors to be opened. No evidence exists that the checklist was followed or that the doors were opened.

The video says that even before the crash, some of the passengers had died from smoke inhalation.

I wonder if any of the episodes cover Payne Stewart’s death. For those unfamiliar with the name, he was a famous golfer.

Says Wikipedia

On October 25, 1999, a month after the American team rallied to win the Ryder Cup and four months after his U.S. Open victory, Stewart was killed in the crash of a Learjet flying from his home in Orlando, Florida, to Texas for the year-ending tournament, The Tour Championship, held at Champions Golf Club in Houston. National Transportation Safety Board (NTSB) investigators concluded that the aircraft failed to pressurize and that all on board died of hypoxia as the aircraft passed to the west of Gainesville, Florida. The aircraft continued flying on autopilot until it ran out of fuel and crashed into a field near Mina, South Dakota.[34][35]

Reading this thread this morning, I was thinking I’d never heard of Havilland, but then I did remember — an old Jimmy Stewart movie I saw on TV when I was a kid. It was called No Highway in the Sky. I remembered Stewart’s character (supposedly a British scientist – he didn’t even try) was trying to solve the crash issue and identified metal fatigue. I don’t recall other details, except that his daughter’s name was Elspeth, and that’s the first time I’d ever heard that name.

I had to google to refresh my memory but it was similar to what I had remembered. It was totally fictionalized though. The planes were called Rutland Reindeers, but it was essentially about discovering metal fatigue was causing the jets to crash. It was based on a Nevil Shute novel, and Wiki says the book had supernatural elements (including automatic writing!), but the movie dropped them.

The thing with the Comet was not strictly about metal fatigue but about design principles. The plane had ordinary windows, which had corners, and the natural flexing of the fuselage caused cracks to form at the corners. Lesson learned. Modern aircraft may have corners in the cockpit windows, which are not subject to nearly as much flex as windows along the sides, but there are no corners in the side windows.

They were chip detectors: magnetic probes installed at key locations in oil lines. They are periodically removed and inspected for the presence of metallic particles/flakes/hunks that would indicate failing internal parts. In that place the chip detectors always came with the packings (o-rings) pre-installed. In that particular instance, they did not. Complacency, norms, two of the “dirty dozen” conditions that can occur in A/C maintenance.

There is, and has been for some time. ‘ETOPS’. Basically now it’s “Extended Operations”, especially over water, née “extended twin operations”, or as some wags said: “engines turn or people swim”. There are many strictures regarding procedures and mechanical make-up for A/C, but the one to address your point is whereby dual engine mtc is not to be accomplished. This can be that the same person cannot perform the same task on critical systems of both engines, or that maintenance is not to be performed on critical systems of both engines. This is just a very rough guide in deference to brevity.

This reminds me of a funny nugget the instructors told me about my current jet. The first versions had chip detectors in the engine / oil systems, but they were over-sensitive and threw a lot of warnings that were false positives. It was decided in later models to not utilize them, which turned out to be fine because the system is very robust and they weren’t really necessary.

But the way they described it to me was, “The chip detectors kept detecting chips, so they got rid of them.”

And isn’t it required to periodically extract a small sample of the oil and send it off to a lab for analysis?

The de Havilland Comet was an interesting case. It was not an unknown weakness in the square window design to metal fatigue - the design was tested rigorously and pronounced safe. But it was the testing procedure that was flawed: https://www.globalsecurity.org/military/world/europe/comet-accidents.htm

"Although any aircraft will have varying levels of stress concentrations, the Comet’s unique squarish window corners resulted in especially high stress levels. De Havilland tested their prototype to 2P, twice the expected operating pressure. The pressure overload combined with the very high stress levels at the window corners, created stress levels at the concentrations great enough to change the material characteristics at these locations. Each time de Havilland increased the pressure load, the material characteristics progressively changed. Upon achieving the highest load of 2P, these locations had fundamentally different material characteristics than a production Comet. The process by which the material characteristics changed is called cold-working.

Cold-working is not, in itself, a safety issue. The testing to 2P proved the Comet could withstand excessive pressure loads. The significant mis-step was the decision to perform the fatigue test on the same prototype fuselage that had undergone the pressure test and had been cold-worked. The prototype fuselage withstood 16,000 cycles before failure, due in large part to the fundamentally different material characteristics of the cold-worked material at the window corners. This characteristic change actually improved the fatigue properties at these locations, which would mask the true fatigue vulnerability of the production Comet."

Mayday is one of my favorite shows!

Watch the one about Air Transat Flight 236, another complete engine flameout due to lack of fuel. Only this was over the mid-Atlantic! Pilot stupidity led to the flameout, but incredible pilot skill brought the plane in with no fatalities.

As for crew management, watch the one about Tenerife. The senior pilot in command wasn’t just senior, he was literally the poster boy for KLM. When KLM learned of the crash, they wanted to send their best pilot to lead the investigation. Trouble was, he was already first to the scene of the accident.

Two major air crashes stick in my mind as exceptionally disturbing for some reason, and they are almost opposites – one, the result of a seemingly very minor problem, the other a very major one.

The first is the now-famous mid-ocean crash of Air France 447 in 2009, en route from Rio de Janeiro to Paris. There is something about the fact that it literally fell out of the sky in pitch blackness over the middle of the South Atlantic that is just downright eerie. And the proximate cause was simply icing of the pitot tubes, such that it wasn’t getting accurate airspeed indication. This caused the autopilot to disconnect, and despite being senior and experienced, the flight crew got confused and ultimately disoriented and did all the wrong things. The scenario that was recreated in the investigation was truly nightmarish: after the A/P disconnect, there was an increasing series of audible and visual warnings, building up one after another in what must have been a cacophony of noise and confusion. In the end, they inadvertently stalled the plane, and investigators concluded that the Airbus A330 hit the ocean on its belly coming almost straight down, and disintegrated.

The other one that gives me the shivers is American Airlines 191, a DC-10 that crashed in 1979 on takeoff from O’Hare. American, along with United and Continental, had developed a shortcut to the manufacturer’s procedures for engine overhaul that saved hundreds of man-hours. The manufacturer called for the engine and pylon to be removed separately for inspection and maintenance. The airlines figured it would be simpler to remove them as a single unit. In principle, this could and did work, but it was riskier and more prone to problems. In this case, the assembly was damaged during the maintenance process, in part because of the bad timing of a shift change midway through.

From then on, every takeoff was a risk to everyone on board, but the engine held on, with the pylon getting weaker and weaker with every cycle. Until, on one fateful day in May, 1979, operating flight AAL 191, the engine separated on takeoff, pulled away by its own thrust, flipped over the wing, and vanished. In the process, it severed the hydraulic lines and damaged the leading edge of the wing. Due to perhaps a bad design decision, the DC-10 required positive hydraulic pressure to maintain the leading-edge slats in the extended position. With the loss of hydraulic pressure, the slats retracted. In combination with damage to the leading edge, the wing lost lift and stalled. There is a picture on Wikipedia that shows the plane is flying on its side, missing one engine, close to the ground and completely out of control. There was absolutely nothing the pilots could do at that altitude that would have saved the plane.

The pilots had no role in that disaster; the loading was done by a third party hired by the airline. The flight crew wouldn’t have had any way of knowing what they had done, and once one went off, everyone was doomed.

The one that always amazes me is Air New Zealand Flight 901, which flew directly into the side of Mount Erebus in Antarctica, instantly killing 257 people. The plane’s flight path had been incorrectly programmed, which led to it being on a path to the mountain, but what remains a mystery is why the pilots didn’t see a mountain in front of them. They were not in clouds, and visibility was fine; in fact, they were commenting on visual landmarks right up to hitting the mountain, and there was no indication they ever saw it until the ground warning went off just seconds before they crashed.

A major advocate for this has been Atul Gawande, a surgeon, writer, health care activist, and among many other things the Assistant Administrator for Global Health at USAID since last year. His book Checklist Manifesto lays out the principles for adapting airline CRM practices to health care. He is also the author of several other superb books on the practice of medicine which I highly recommend: Complications, Better, and Being Mortal. We need more physicians like Dr. Gawande in the public eye and fewer like that hack on CNN, Sanjay Gupta.