I work on flight data recorders, mainly in rotorcraft but some small fixed wing aircraft. The current generation does use a satellite connection for real time tracking, as well as sending high level caution information, and a few data parameters. Really the cost of sending data over the satellite is the real issue. However this is coming down.
Outside of that, the ADS-B requirement is a huge help in knowing where aircraft are and where they are going.
Is there some good explanation, how a sinking Titanic was heard both in London and New York, but a modern(...ish) MH-370 can just disappear?
I'm sure that there are a bunch of factors in play, but tracking a plane seems like a relatively simple and high-priority thing to do, and relatively cheap compared to the total cost of a plane. GPS, satellite connectivity, battery backup and even in the case of a total explosion, at least you know the last location, speed and direction to try to find the wreckage.
The difference is that the MH370 pilot deliberately took actions to avoid tracking. At some point if you can’t trust the captain of your vessel, that person can disrupt or disable most any system put in place.
If the captain of the titanic intended on sinking the ship without a trace, he most certainly would have succeeded as well.
Physical access can generally circumvent any security precautions, but it seems like there are some fairly simple schemes that would work well to prevent a disturbed captain.
E.g.: disabling the tracking system could require accessing a section of the plane inaccessible while it's in flight. Combine that with a hardware interlock system that would prevent the plane from taking off when it's disabled, and that should be sufficient in the vast majority of cases to prevent 'lost' planes.
Is there ever a valid reason to disable the recorder/tracking systems in flight?
Captain needs to be able to pull a circuit breaker for virtually anything, in case of electrical fault, fire, misbehavior, needing to hard-reset some bit of avionics, etc.
Commercial passenger aircraft have redundant systems and you can disable almost anything as needed and still fly (up to a point of course) in case of emergency.
I can understand needing to have that option for most things, but a blackbox flight recorder ought to, by its basic design, be read-only and have little to no dependencies with the rest of the aircraft. E.g.: a failed APU should not disable the blackbox, since you want to be able to record that the APU failed.
First off, there are two recorders: the cockpit voice recorder and the flight data recorder.
The voice recorder needs power which is provided by the aircraft and is a rolling 2-hour recording. If there is an incident, the captain will pull the breaker to this system to prevent the recording from being overwritten after on the ground, or, in the worst case, aircraft destruction will cause the severance of power to the device for a similar effect.
The flight data recorder is very dependent on all the systems of the aircraft, it listens on all electrical buses, senses the position of controls, and records datapoints at a defined rate for a rolling two hours of flight time. It has a small battery system to capture what it can, but if you lose engine generation and your APU, you are either gliding to a crash landing in the best case or you are just hosed and it will be literally seconds before you’ve reached the ground.
Both of these things are not read only, they continually rewrite their memory because it’s usually the last bit of flight data that matters. There are pushes to make a system that can allow for 18-20 hours of flight data, but everything moves slowly in avionics.
This seems nuts to me. You want ALL the data transmitted off the vehicle to ground stations, once a second or something like that. Sure, keep on-vehicle for backup, but only for backup. You get a continuous data stream to the ground for every plane. I mean, how much data are we talking about here? A few 10s of kb/sec for voice, maybe the same for compressed sensor data? Here we are in 2023 and we can't get a 50 kb/s stream from each airplane to the ground? Really?
Part of the problem is that it has to go to satellites since the Pacific exists. The other thing is that they aren't made to survive adversarial attacks by pilots. If the pilot wants to bring a plane down, they will, and a better blackbox won't tell you anything other than that you shouldn't have let them in the cockpit.
1- If the airline industry really had a problem about paying for a low bandwidth satellite data link for a 100MM $ aircraft, they could optimize things, such as using ground data links 90% of the time while switching to satellite only in the middle of the ocean.
2- If a pilot is suicidal, black boxes don't help either. It's like saying we don't need better car safety systems, if someone really wants to die they will smash their car into a tree. That's not why BBs exist.
Even knowing that a pilot was the cause of a crash helps immensely in analysing their mental state prior to the event, you know, to prevent it from happening again.
That's really the key there, you have 100+ tons of metal and fuel with 100-300 people on board going close to the speed of sound. It NEEDS to be safe, but unfortunately, accidents happen. In such an event you HAVE TO know what happened, know if it was an accident or a voluntary action, the fault of equipment, software, procedure, pilot, ATC, anything really. Every procedure/safety system/training/design specification/etc. is literally written in blood from past mistakes.
If I know I shouldn't have left that pilot in the cockpit, great! I'll make sure no other pilot gets in that same mental condition.
The advantage of a local storage is a ruggedized recorder will not need to maintain any sort of wireless com link, as it’s stored on the physical unit. If you introduce any number of factors such as in-air separation of the aircraft, trauma to any sort of connection, or just random stuff that will occur during a crash, the antenna (which will need to be mounted outside the aircraft) is very likely to break or become disconnected.
Something physically attached (especially to the electrical system) can always theoretically interfere with the rest of the plane. If there is a fire, is the pilot just supposed to shrug as the plane goes up because he cannot interfere with the black box?
Optical isolators exist exactly for this purpose. They're common, cheap, only work in one direction and result in no electrical connections between both sides.
Yeah I'm sort of speculating and agree for the most part but obviously the data recorder is communicating with every other system on the aircraft for which it records data. If the data recorder had some kind of fault that was creating interference with these systems, maybe there's a scenario where you have to be able to shut it down.
If I'm thousands of feet above the ground and the system keeping me in the air has some kind of fault, when I say "Hal, shut down that faulty system" I don't want the answer to be "I'm sorry Dave, I cannot do that."
You could always have some breakers that could only be pulled by the chief flight attendant, or at least signal to someone in the cabin they were being pulled.
> You could always have some breakers that could only be pulled by the chief flight attendant
This would be a very bad idea.
Deadly aircraft incidents, while exceedingly rare given the number of flight hours that happen every day, often happen within seconds. If there is something that is causing an issue that requires communication to someone (who is likely doing something else) outside of the cockpit, you may not get to it in time. Safety of the passengers and crew is the number one priority, and the captain should not have anything forbidden from his or her usage.
Captain should be able to disable the transmission, but if that happens, satellites should be trained on the piece of the sky where plane was last seen, ground control should be alerted and tracking from the satellites performed. Clouds could be a problem, but planes are probably visible on SAR?
> Physical access can generally circumvent any security precautions, but it seems like there are some fairly simple schemes that would work well to prevent a disturbed captain
I can't be the only one thinking that in the situation where we postulate losing trust in the captain, whether tracking is switched on or not is a relatively minor issue, compared with - say - the captain deliberately flying the aircraft into a mountainside.
You're definitely not wrong. Most civil aviation authorities I'm aware of have some profound issues with their policies around pilots and mental health issues. Fixing that is more likely to prevent the issue in the first place. That's closer to the root cause and something that shouldn't be ignored.
But parallel to that (and unfortunately-but-most-likely in lieu of): we simply shouldn't be losing large aircraft and having no idea what happened.
The biggest issue with all policies is the same with red flag laws - and even attempted mention of potentially having an issue grounds you and you lose your job; this makes the issue that much worse.
Yes. This is dangerous because pilots are afraid to disclose depression, anxiety and other mental health conditions for fear of losing their livelihood. For example, the FAA automatically considers an ADHD diagnosis disqualifying for airline pilots: https://pilot-protection-services.aopa.org/news/2018/februar....
This results in a “don’t ask don’t tell” situation which can be even worse.
Sub-total loss is presumably much more common and it’s useful there, but the adjustments to prevent it being disabled/make it more durable would be helpful there, too.
From the article: All of the preparation is, inarguably, effective: Never has a recovered black box been so badly damaged that it yields no usable data.
That seems to me like they might be at a sufficient level of durability already.
The recorders already do work really well for the purpose they're designed for.
The "bad actor in cockpit" plus "unexplained disappearance" scenario, for which they're not designed, simply doesn't happen often enough to be worthwhile worrying about.
Short version: flight recorders aren't broken, they don't need "fixing"
Long version: imagine you were to propose a major redesign to your employer's systems to attempt to diagnose unaccountable failures which based on historical data happen 0.00000018% of the time[0], what would be the response?
Which has occurred - perhaps if we actually want to try to control for “insane pilots” there has to be some way for someone on or off the plane to force it into autopilot with cat 5 autoland at the nearest airstrip.
… which then extends the critical flight controls security surface area to entities on the ground that have no vested interest in my safety? No thank you, I’ll take my chances with the flight crew which in 99.99999% of cases are also interested in arriving home safely.
There are at least 7 commercial passenger flight suicides in history (plus the four on 9/11, though that's arguably a closed vector now, and some others on non-revenue flights). There are around 100K pilots working today in commercial aviation [not all Part 121 (airline)], so perhaps 500K, and surely less than 700K, total over the course of time. If we posit a successful suicidal action rate of 7 in 700K, that's only "five nines" over the course of their shortened career or 99.999%, but could become seven or even eight nines on a per-flight basis.
I'm 100% with you on the desire to not have ground-link control (and, for me, to keep two crew in Part 121 operations); I just figured I'd estimate the math.
I had a feeling someone would try and do this calculation. :) I would calculate it instead based on the number of flights rather than the number of airmen. It doesn’t make any sense if the units for the numerator are “number of successful suicide flights” and the denominator is “number of airmen”.
I would not count the four flights in 2001, personally. Those are not suicide by flight personnel.
If you look at an average of say 25m flights per year since the year 2000, then you would have about 550mm flights. Even if you include the 4 tragic flights of 9/11 in the numerator, my 7 nines are very conservative.
> force it into autopilot with cat 5 autoland at the nearest airstrip.
I think CAT III C ILS have the lowest (theoretical) minimums at 0/0, although I don’t think that designation is actually used; so let’s just say CAT III in general has the lowest minimums.
One could say that about all sorts of capabilities in an aircraft that, in normal operation, seems insane. Is there ever a valid reason to fly a cargo plane inverted? See https://en.m.wikipedia.org/wiki/Federal_Express_Flight_705 for the answer.
Airliners are simply not designed to fly inverted. In Tex Johnson's famous barrel roll of a 707, he kept positive g on the airframe at all times.
One problem with flying inverted is the bottom of the airplane tends to accumulate junk - nuts, bolts, dropped tools, lunch boxes, dead mice, etc. Turning the airplane over means all that junk falls into the machinery, potentially jamming it.
Right- in the FedEx case it was a last ditch effort to literally knock the suicidal flight crew member off his balance and regain control of the aircraft. If you have a 'nanny' computer telling you that you're unable to do that, those crewmembers may have ended up dead instead.
Point being, in an unforeseen emergency, allowing crews to override the normal safety mechanisms may in fact save lives.
I guess the question is what's the likelihood of such a situation, vs the likelihood of the situation where a 'nanny' computer prevents the crew doing something dangerous?
The MAX crews had the option to turn off the stab trim. Of the 3 MAX incidents, only one of them turned it off, which is why you only hear about the other 2.
Do we care about preventing a disturbed captain from preventing recording? They can already crash the plane and kill everyone on board. I don't really care about their record keeping in that instance.
It's necessary to rule out mechanical and other system failures, i.e., to provide evidence that it was a disturbed pilot and not some other cause. Aviation incident investigations are quite thorough--orders of magnitude more rigorous than in the software industry in general.
My favorite is still the one about the fire caused by the windshield electrical heater. There is precedent on other Boeing 777s for this to have played out. It was a known problem.
If it really was a suicide drop into the ocean...why wait 8 hours...just...do it...
Wow. That escalated quickly. It has nothing to do with the fact he was Muslim and everything to do with the fact that there were no attempts to contact other planes or atc for help. I do not appreciate your false assertion and encourage you to retract your statement.
I am not an expert in the 777 electrical systems but the two minute delta between the last radio transmission - where there were no audial warnings and the pilots were calm - and the transponder ceasing to transmit seems unreasonable for a catastrophic event to take out these systems.
> The difference is that the MH370 pilot deliberately took actions to avoid tracking.
I'll bother to defend myself here -- we don't know what happened. It could have been hijacked, it could have been a CIA operation, it could have been many different things. That you conclude it was the captain doing a suicide run does smell of something strange, considering the plane was in the air for 8 hours before disappearing from satellite contact.
That's all I will say on this. Downvote me as much as you want.
The backhanded racism would have gone: Muslim + pilot = crash in building, not disappear in ocean. So clearly you're just trying to have a hot take here.
> If it really was a suicide drop into the ocean...why wait 8 hours...just...do it...
Even though someone might conclude that death is the preferable outcome for their situation, it doesn't mean that they won't experience an insane amount of anxiety and spend a long time reconsidering or even trying to talk themselves out of it just before pulling the trigger so to speak. They're humans until the end, with human reactions, you know?
There are several examples of “ghost planes” where the flight crew is unconscious due to the cabin depressurizing. The flight then continues on autopilot until the fuel is exhausted. By the way, one of the initial side effects of hypoxia is euphoria. You can find examples on YouTube and there is a great video by 74gear demonstrating this - see https://youtu.be/nz5d4Q_ykFc.
Depressurizing the cabin to incapacitate the other crew is definitely a possibility and I think the leading theory for what happened. Like you say there is no proof either way - so we may never know with 100% certainty.
The current theory is that the pilot of MH-370 was able to disable most of the tracking equipment, while the plane moved away from any major population centers.
The radio operator of the Titanic was trying very hard to let everybody know where they were.
The black box has nothing to do with the transponders and tracking equipment.
The black box can’t be disabled AFAIK.
The argument in favor of disabling tracking is that the equipment itself could potentially malfunction in a way that disabling it would be safer (if it were interfering with voice communications or transmitting an emergency code inappropriately).
I fly small planes and it is not unheard of for ATC to ask pilots to cycle the power on a transponder that isn’t responding as expected. I assume that airline grade equipment is more reliable, but the same principle applies.
There are two components, one is the Cockpit Voice Recorder which can be disabled because it's powered from the main system and records on a 2 hr loop that may need to be preserved if there's some incident that isn't a crash. The other is the Flight Data Recorder which isn't on a circuit breaker and records on a similar loop but is more of a crash system so they just run until there's no power on the plane for some reason.
AFAIK, the FDR and CVR can both be disabled by crew to some degree. I think they can be disconnected from the aircraft's power system (by fuse/breaker), but they also have some amount of battery backup.
Part of Federal Express Flight 705's whole debacle was that the hijacker tried to pull the breaker on the CVR.
And the investigation into SilkAir 185 was hampered because the recorders had their power pulled as a part of load shedding while trying to resolve issues onboard the aircraft.
The black box doesn’t transmit its location. If they find it, it would/will tell you some of what happened, but if you sink it in the Mariana Trench and they can’t find it, you’ve “won”.
> how a sinking Titanic was heard both in London and New York, but a modern(...ish) MH-370 can just disappear?
What do you mean by "heard both in London and New York"? The Titanic was actively sending out distress signals via telegraph as it sank, but those signals weren't strong enough to reach land. They were picked up by other nearby vessels and relayed.
Plus, lower frequencies generally have an easier time traveling long distances, especially over saltwater (and at night, hence the first part of your response).
And to answer the question about why we can't use lower frequencies on planes, part of the answer lies in antenna length, which is related to wavelength. Lower frequency = longer wavelength, which in turn means larger antenna (yes, I know this is a very broad generalization, and also not the complete/only reason). Look up the antenna required for 1 MHz.
As long as you trust the pilot with absolute authority over which equipment is running, this isn't going to happen. If something can catch fire (as in, any electronics?), it needs to have some kind of local breaker that the flight crew can switch off. The only trusted equipment there is one doing passive recording of some elements (the flight recorder).
The airframes do usually have various ELTs and beacons that can activate in a crash, but some (most?) can be disabled in some way (in case they’re accidentally on) - and others are only short range/directional.
Titanic was in the middle between London and NYC, relatively easily within reach of either by using longer waves. Titanic actively sent distress signals.
MH-370 flew into the uninhabited area of the southern Indian Ocean, far away from any places where a shorter-wave signal would be easy to receive, due to the curvature of the Earth. MH-370 apparently did not send any distress signals; if it did, these would likely be received and relayed.
Aircraft have ELT that broadcast location. They are similar to the marine EPIRB or hiking PLB.
MH370 had 4 ELT, 2 on life raft, 1 in cabin, and 1 mounted to aircraft. The latter would have activated on crash but it was designed for ground crash not ocean. It would have sunk with plane. The life raft ones are water activated but probably sank. ELT are more meant for finding survivors and not the crash site.
There are ejectable beacons but they are probably not required. It would make sense to add one for water crashes.
The pilot had a similar route to the one flown by MH370 on his home flight simulator according to the ATSB report. From Reuters:
"Six weeks before the aircraft’s disappearance, Captain Zaharie Ahmad Shah used his home simulator to fly a route that was initially similar to part of the route flown by MH370 up the Strait of Malacca, with a left-hand turn and track into the southern Indian Ocean, the ATSB said in its report."
It's highly likely that MH370 was the result of pilot suicide.
Indeed. Pilot suicide is just one theory and is not proven fact. Almost everyone thinks there was a decompression event on the aircraft. Another possibility is hypoxia causing pilot impairment as a result of decompression. Hypoxia severely inhibits brain function and turns you into an incompetent. It's similar to being extremely drunk or high on drugs. This happened on the Greek Helios flight that decompressed. The pilots can be heard on the recording becoming gradually unable to competently fly the plane and making ridiculous decisions due to brain impairment.
Well yes. Just to point out that list may be somewhat shorter than it looks as including 9/11 is somewhat of a technicality and it includes incidents that investigators think may be suicide but it remains unproven.
That list does actually mention MH370 as a possible suicide, which would be the correct way to describe it. It also states that several other theories have been offered. That's the point. The internet armchair crash investigators seem to think it was definitely suicide. Some TV commentators think it may have been suicide. However there are other valid possibilities and we just don't know.
If you want to hear about alternatives there's a good book by Christine Negroni called The Crash Detectives that goes through it in some detail including the hypoxia possibility as well as the suicide line of thinking and the pros and cons of each theory.
MH370 changed course immediately after it left airspace where it was closely monitored, followed by several more minor corrections and then there's evidence that someone was controlling the final descent after one of the engines ran out of fuel.
All of that, combined with the fact the pilot had depression and tested the same flight path in a simulator, is pretty compelling evidence that someone was in control for the entire flight and yet didn't activate a distress beacon.
That makes it pretty hard to believe any kind of technical failure was involved.
A lot of the people who refuse to say it might be suicide are just following standard and deep-rooted ethical journalism rules to avoid discussing suicide, based on an assumption it will encourage more pilots to do the same thing which could land the person who called it suicide liable for those future deaths.
Even if the TV journalist thinks it's suicide and is willing to say that, their employer's legal team will often order them not to.
I imagine most airlines have operated at unsustainably low margins for the past however many years, at least here in Europe. Ticket prices have gone way up now, and I suppose it’s getting better for them.
ADS-B has the same problem -- it's hard to collect it over the oceans.
Satellites do pick up the signal, but the detection area is pretty wide, so sometimes it's just too many signals coming in all at once, overwhelming the satellite. ADS-B is also pretty chatty, so the data sizes are significant (compared to, say, AIS, which is a similar system for marine vessels).
It's gradually becoming better, satellites having more focused antennas able to gather signals only from unpopulated areas, and more computing power to filter noise out.
Yeah, my first thought in reading the article: maybe SpaceX and all the other constellations will make it cheaper to constantly stream data, and just use the expensive satellites for low speed backup. It looks like big planes will all end up with fat internet pipes for the passengers, let's hope that soon extends to avionics info.
Why is the cost of sending data such an obstacle? It seems like that reporting should be done according to regulation .. do governments not subsidize the cost? Or perhaps it’s even just hard to get international alignment on this topic?
Currently the upcoming Starlink for Aviation terminal is for much larger aircraft than we are operating on at the moment. Plus the cost is $150k for hardware, and up to $25k monthly.
My gut tells me that the number of fatal incidents that would be prevented by complete "takeoff to landing" automation vastly exceeds the number of incidents prevented by a human correcting a computer or recovering from a failed instrument or system.
I'm willing to bet that for every "miracle on the Hudson" there are ten or more "the pilots should have just let go of the controls and let the computer handle things, or trusted their artificial horizon after getting disoriented".
The number of FAA accident investigations that mention spatial disorientation is too great to be otherwise.
Autopilots disconnect all the time. They can have a pretty low threshold for the conditions they’ll tolerate. Autoland can handle moderate surface winds, but pilots can handle much more. Turbulence and autopilot function is more variable. Some autopilots disconnect prematurely, others need intervention. Pilots train for these idiosyncrasies.
The computer needs reliable data. When the data is faulty, the logic fails. This happened with AF 447. One annoying aspect of that event for me is the obtuse ways the system communicated what alternate law was in effect. Two of three pilots became confused by the computers’ confusion. The computer itself had given up. The plane stalled all the way into the ocean, one of the more simple conditions to recognize and recover from. The captain quickly recognized the condition and solution, but he had arrived in the cockpit too late to compel corrective action.
Should also have a video camera in the cockpit. Many crashes would have been resolved much sooner if they'd known what the crew was doing instead of doing a lot of guesswork.
No, FDR has 99% of useful data (signals from sensors and input controls). It's much more important than voice. Video would probably just show what toggles they touch, and FDR already has that. Voice is used just for figuring out pilots' thought process and commands received.
I've watched all the Aviation Disasters episodes, each one analyzes a crash. A cockpit video would have cleared up a couple of them, and would have resolved many more much quicker. For example, a video would show who was in which seat, who touched the controls, where the pilots were looking, what the pilots could see, etc.
It has that, but not showing who did it. Also if pilot needs to pull out a book or other manual, material, etc, FDR can't record that. Distractions of information given from attendants to the pilots is not given. Simple example: captain goes to restroom and second pilot passes out... good luck figuring out why plane suddenly nose dived to the ground.
Voice is incredibly useful for the reasons you outlined. I cannot believe that in an era of 1TB microSD that serious incidents like the Air Canada near miss can happen and the flight crew can escape accountability by allowing the CVR to overwrite itself.
For the same reason why GA aircraft still fill up on leaded fuel, the FAA doesn't really give a shit and there's no incentive from private companies to make them care.
We are on leaded fuel precisely because FAA makes it too hard to certify new GA engines. Private companies have every incentive to use better, cheaper and more reliable tech, and consumers want them too. Without FAA, we’d long be flying on automotive diesel engines.
It does exist, it has been approved by the FAA, and you can go buy the STC right now if you want[0]. The incentive is that 100LL has been banned by at least one county[1] with states[2] trying to follow (although the AOPA successfully neutered that one[3]).
They don't need to develop an alternative to 100LL. Oil companies make it in such small quantities it's a total pain in the arse to cope with.
If you adapt a car engine (like a VW Beetle or Subaru engine, both flat-fours and common lightweight GA power plants) then it just runs on ordinary 95 octane unleaded, the exact same stuff you put in your car.
Batteries are excluded for good reason. The device and battery can be a fire hazard. It needs to be capable of surviving high temperatures and pressures. The risk of any kind of electrical fault inside the recorder also needs to be exactly 0.
That's not all though. The boxes cannot actually get any data. The data needs to be sent to the black boxes from other sensors throughout the aircraft. So if the power to the blackbox is cut, it's likely that there is no power to the aircraft in general. That means there is no point in continuing to record. If we do include batteries, those batteries need to be able to power all relevant systems on the aircraft itself.
Also, technically flight recorders already have batteries. But those batteries are usually reserved for the locator beacons. Not recording. They are also located outside the black box itself (although they are attached together and installed as one device).
It doesn't need to keep recording after a crash, and really, just a few seconds after the event that precipitated the crash is all that's necessary (I've watched every episode of Aviation Disasters).
Why? Once a plane completely loses power, especially modern planes, there's no saving it because there's no longer physical linkages between the controls and the control surfaces. FDRs also have a limited amount of storage, about 25 hours, so once it's crashed you want as much data from before the crash as possible not a few hours of zero because the sensors don't have power to send data back.
I’d like to understand how we keep losing planes. Satellite internet+GPS could enable semi-realtime location tracking for all planes. Instead we get cases like MH370, where we are completely clueless where a plane went.
A big issue with MH370 is that they turned off the equipment transmitting their location, so the only way to track it was by traditional radar. GPS and satellite internet isn't going to help with that.
Immediately after the equipment stopped operating, MH-370 made a series of course changes.
It did a ~160 degree turn (at a very high angle of bank) and flew along the Malaysia/Thailand border (probably assuming that military RADAR operators in both countries would assume the flight belonged to the other country). Once past Malaysia, it then turned north to avoid Indonesia and flew along the Strait of Malacca. [1]
It doesn't show up on RADAR again, but we know it later turned almost directly south after passing the northern tip of Indonesia.
This route comes across as so calculated with the explicit intent of going missing, that it's really hard to justify any scenario that doesn't start with the equipment being turned off intentionally and maliciously.
For me the final proof was that a very very similar route was programmed into the pilot's simulation software at home days before the fatal flight. With that knowledge in hand I consider the cause of the accident pretty clear.
That's not primarily why MH370 was lost. Nobody had any idea where to begin looking. A GPS fix at the point of crash would have changed the search hugely.
How many self-serving bureaucrats, corporate executives, politicians, and union leaders, from how many different countries, would likely get in the way of actual improvements?
How tiny a percent of airline flight outcomes would be substantially improved by any sounds-good change to the Black Boxes?
Sticking with the status quo sounds pretty optimal to me.
(After several cool-sounding stories of crashes, the article comes to a similar conclusion.)
There's no impediment to any aircraft manufacturer or any airline to develop their own superior system, and augment what's required. Surely, the case could be made that it's helpful mitigating even just future revenue catastrophes?
Pilot unions actively lobby against cameras in the cockpit. Some airlines would be in violation of their contracts if they bought more cockpit monitoring systems.
It isn’t an entirely unfair gripe. The AF 447 debacle was down to “pilot error” officially. The cause of the crash was that one pilot was commanding the aircraft incorrectly and the other pilots weren’t aware because the dual controls in an Airbus don’t mirror each other like in all other aircraft. The real question for me is how do you design critical control systems so poorly that one person can be flying the plane in a configuration they aren’t aware of (the stick on an Airbus will react differently to the same input based on conditions), and the other two people in the cockpit aren’t able to even see this. This is a design issue.
They would have had to have seen it over by the pilot’s knee, known that that stick was active, and known that the aircraft had switched automatically to ALT2 in the middle of trying to figure out the equipment problem that caused the initial instrument problem.
Normally a full back stick command wouldn’t have stalled the aircraft, but because the airplane entered ALT2 mode automatically the stick allowed the pilot to do something that normally wouldn’t happen. If the pilot had done exactly what he did 5 minutes earlier, the exact same command would have not led to a crash.
In other words, the main control device for the aircraft can do something different depending on circumstance.
This would be like a car steering wheel becoming twice as sensitive when the speedometer malfunctions.
The idea is that, yes, the pilots were trained on this, so it’s their fault no matter how complex the system is.
The vast majority of incidents are brought to conclusion on why it happened. Even the one the article uses as an example. I was watching a bunch of post-mortems of various accidents and just about the only thing that came up when it comes to problems with black boxes is:
* That some of them recorded voice cabin sound for too short (which was fixed in later ones but there are still some old planes flying)
* That the cockpit voice recorder recorded in a loop and someone forgot to pull the fuse after the accident and it got overwritten.
And overall even those would add very little to investigation.
It has simply become good enough and is still incrementally improved.
Even if you're dodging ~all the regulations which specify the current Black Boxes by adding a separate, independent system (and you'll still face a lot of regulations)...there still are three obvious impediments - (1) development costs, (2) unit costs, and (3) legal liability. Vs. the incredibly-long-odds theory that something might happen, eventually, where your new & better system would be a substantial benefit.
(BTW, my experience is that "the case could be made for X" is a polite way of saying "a valid technical argument could be made in favor of X...but in the bigger picture X is clearly the wrong theory / engineering choice / business decision".)
And, given the rarity of aircraft crashes, the benefit to some small subset of the industry adopting an incrementally better system is probably pretty much nil.
> When they DON'T move at glacial pace you get the 737 MAX.
I’d argue the existence of the 737 MAX was a response to the FAA moving at a glacial pace, if you want to look at root causes.
The 737 MAX exists because Boeing was getting their butts handed to them in the market by the Airbus A320 Neo due to its superior fuel efficiency.
Boeing engineers wanted to create a new clean sheet single aisle aircraft to replace the 50 year old 737 (+737 NG) design. However, Boeing management decided that it would take too long to design + get it past the FAA, so they pivoted to another 737 upgrade. Another factor in this decision was that upgrading the 737 would allow the airlines to transfer their pilots over with minimal training.
However, to keep the same "type" as a 737, Boeing had to keep the plane's dynamics exactly the same as the previous model.
Simultaneously, Boeing went on a full on lobbying blitz to get the FAA to allow them to “self certify” aspects of the design. Boeing had a legitimate argument here, the ESEA had streamlined the type variant process years ago allowing Airbus to quickly iterate on their existing designs.
So Congress/FAA finally relents and allows Boeing to bring stuff in house. However, in retrospect, this was done without the collaboration and checks that the ESEA and Airbus have implemented, ensuring that the process generates the correct results.
If the FAA had been quicker to read the tea leaves and implement a collaborative model, I’d like to think that flaws in the 737 MAX would’ve been caught.
A big part of why Airbus can get away with it is because of their control model. It's total fly by wire, so a given input will result in the exact same roll/pitch rate, vs on a Boeing where the inputs map to control deflections. So Airbus gets "flies the same" for free.
Don’t give Boeing any leeway to excuse this, it wasn’t them innovating and the FAA moving fast:
> “Boeing has agreed to pay $2.5bn (£1.8bn) to settle US criminal charges that it hid information from safety officials about the design of its 737 Max planes. The US Justice Department said the firm chose "profit over candour"”
My hypothesis about the 737 MAX is that the FAA advanced its safety standards so much that it made sense to keep building older designs at a lower cost, which are for some reason grandfathered.
Carmakers can’t mass produce older designs meeting older standards without airbags using “the design was approved in the past” excuse, but that’s totally cool in aviation.
This is the sort of comment I come to HN for and hate that I come to HN for: rational, pragmatic, realistic, savvy, read the article, and
Fuck the world doesn’t have to be like this.
This Byzantine maze puzzle of inherited wealth and hopeless inequality and every part of it does feel inevitable and it feels naive to the point of stupid that anything could be reformed.
But I try to remember that it’s all pretty made up north of the actual physics. We put up with this because we’re collectively agreeing to.
Rather than spending more time on-line, stewing in negative emotions over the cardinality of { Imperfection in world | solving Imperfection appears ~impossible or unrealistic } ...perhaps it would feel better if you did some regular volunteering in meatspace? There's probably a soup kitchen / food bank / public park / animal shelter / school / whatever near you, where your help would have immediate and obvious benefits.
We are now doing that. Planes with ADS-B send out their position, altitude, direction and speed every eight seconds. That's how flightradar24 tracks most airplanes. ADS-B was introduced sometime in the mid-2000s, and became mandatory in many countries in 2020. It originally depended on ground receivers or other aircraft picking up the transmission though, which is an issue if a plane goes missing in the middle of an ocean. This seems to be mostly solved now by satellites equipped with receivers.
Just FYI that not all countries require equipment for space based ADSB (like the USA). Many of our commercial airliners have it but mostly in the name of travel abroad.
- ADS-B can be broadcast on two frequencies (978 MHz and 1090 MHz). FAA requires aircraft operating above 18000 feet to use 1090, while either may be used by craft flying lower. (It seems like the equipment is less expensive). This means 1090 is used more heavily by large commercial craft and so 1090 is the only band the satellites currently listen to.
- Smaller private craft sometimes use belly-mounted antennas and so their hull can block signal propagation upwards
Historically, aircraft have those antennas mounted on their belly and with low power they blast them at the ground for powerful receivers to catch. For "ADS-B Diversity", which is the space based version, on a generic Cessna 172 that meets current ADS-B requirements, I would need to rip out my current ADS-B system and replace it with a $9,000 (plus labor) ADS-B system that has dual broadcasting antennas. I think the top mount antenna is also more powerful but I honestly do not know.
Space based ADSB only improves coverage for mountain ranges and oceans. Its mission in a mountainous situation is to fill the gap when radar coverage is lost but you have low altitude (in relation to ground, not sea level) traffic, such as arriving and departing traffic.
Assuming this map is accurate, you can appreciate how aircraft below 15,000 ft would be constantly falling in and out of ADS-B coverage if they themselves were changing altitude.
But the ocean is another matter entirely, water is great at absorbing radio waves, and when a plane crashes and breaks up over deep waters the currents can carry far and disperse wide.