UNCERTAINTIES OF THE QZ8501 INVESTIGATION

Hello World,

After a wait for almost a year after the QZ8501 accident, the final investigation report was released recently. The report indicates the cumulative effects of mechanical/system failures and pilot action as the cause of the accident. However, the report attributes pilot-action as the major cause of the accident. I looked up a few documents and the story seems to be something more than what’s being thrown at us in the form of official conclusion. In this post, I wish to look into the uncovered/ignored aspects of the investigation. Based on my understanding of the facts [as released] and further research, there were system inadequacies that forced the flight crew to attempt over-riding system-driven flight protocols and their efforts could not be completed on time, due to which the aircraft went down with the crew and passengers.

Findings of the Investigation:

Exhibit A:

Oddity 1:

Cracking of a solder-joint [of both channels] leading to a loss of electrical continuity indicates the electrical side of failure I had already warned of in my previous post on the accident. If there is no electrical supply to the system, the system will remain inactive unless it is powered by a back-up power line. 

The ambiguity that stands out to me is:

Was it ‘one’ solder joint that connected both channels [A&B]? 

Or

Was it ‘one’ solder joint for channel A and ‘one’ solder joint for channel B? [Both channels connected to the RTLU separately]

If it were two solder joints, one for each channel, then it should be two separate failures in which case the relationship between the two needs to be ascertained. 

If it was just one solder joint that connected channel A with channel B, then it is clear that the system did not have the needed electrical redundancy, indicating a serious design flaw considering the key flight-critical status of the equipment [the flight came to an end because this failed].

Irrespective of the real nature of the finding, the questions that remain are:

Why is ambiguity being installed in the very beginning of an accident report? 

Also failures such as these are usually a sequence of events. 

If the investigation could go the level of solder-joint failure, what led to the failure of the solder-joint? 

What type of load on the joint increase that it had to fail? 

Why is that side of the failure not being discussed in the report?

Oddity 2:

An ‘unresolved repetitive fault’ occurred 4 times during the flight and the responses registered indicated that the 4^th response was not in accordance to that of the message. 

The question that stands out is:

For the first three times, the repetitive fault did not subside or revert based on the ‘message-compliant’ responses from the flight crew. 

Why is this not being discussed in the report?

If the procedural response fails to provide the relief for a crisis situation, the failure needs to be attributed to the ‘Non-fail-Safe’ nature of the system [a design flaw]. If the flight crew did not get the result of ‘message-compliant’ responses, then it is natural for them to resort to out-of-procedure efforts to resolve the crisis as the flight of the aircraft was in deterioration when such off-procedure input was given by the flight crew.

Why hasn’t the report indicated the ‘state of vulnerability’ of the platform?

My Findings 

Exhibit B1:

I came across this patent where the inventor has granted the assignment to Airbus Operations SAS [Assignee on the patent]. Now Airbus is the manufacturer of QZ8501 that went down. This patent, deals with the process for limiting the steering angle of control surfaces. 

The movable parts of an aircraft [the airframe to be specific], visible from the outside, apart from the doors and landing gear are the control surfaces [These are found on the wings, tail-plane and tail-fin]. These are used to control the aircraft’s flight at all times. 

This patent covers the process to control steering angle for control surfaces, specifically the rudder [the one on the tail fin that stands upright on the tail-end of an airplane].

Here’s Exhibit B2:

This description shown above clearly indicates the significance of the technology covered in this patent. Engine failure is being used as an example of abnormal flight condition and the observation describes the way an aircraft will behave when an engine fails. 

As per this observation, the rudder, the control surface on the tail-fin of an airplane will be required to bring back the aircraft to the flight line when an engine fails and the aircraft gets destabilized.  Through this observation, the patent implies, that the rudder will need higher steering clearance so it can produce the force necessary to bring the aircraft back to its flight line [control the destabilization faced by the aircraft].

Here’s Exhibit B3:

As shown in the figure above, the patent moves on to describe the traditional system’s inability to restrict the pilot from sending several commands. This indicates the intent of this technology/process as something related to restricting pilot activity in operating control surfaces under certain ‘abnormal conditions.’

Here’s Exhibit B4:

The patent then describes the outcome of such abnormal conditions when the pilot is allowed to send multiple commands to the rudder, will lead to dangerous failure modes. The patent specifically mentions that the tail-fin may break under these conditions. 

Now look at this picture below.

Exhibit C:

http://redwiretimescom.r.worldssl.net/wp-content/uploads/2015/01/redwire-singapore-air-asia-qz8501-black-box-1.jpg

The tail part was recovered separate from the rest of the airplane. Now there could be multiple theories for how the tail might have separated from the aircraft. However, the wreckage captured in the image directly reflects what the patent describes as a worst case scenario.

Now read this.

Exhibit D:

The Airworthiness Directive issued by FAA indicates the regulator’s acceptance of a finding that under certain conditions the allowable load limits on the vertical tail plane can be reached and possibly exceeded. The directive, as specified by the regulator, is valid for all Airbus model A318, A319, A320 and A321 series airplanes. The directive also mentions that the directive is valid from Dec, 29, 2015, indicating that the finding and directive have happened in the recent past. 

Such findings and directives going out so recently indicates that the A318, A319, A320, A321 series airplanes have so far been flying in a state of vulnerability and they have been lucky to escape such accidents simply because of the low probability of such failures. 

So the aircraft can fail under certain conditions. This is something that is always thrown out of the ‘Consideration Box’ used for any air accident investigation. The ideal case scenario of all-aircraft-are-safe is being thrust into our minds through carefully planned press releases and cover-up activities….All after hundreds of human beings went down into the ocean along with the aircraft.

Sadly the story doesn’t end here.

Exhibit E: 

EASA had issued a Proposal for an Airworthiness Directive dated 23rd July, 2014, indicating the need for a correction, failing which the aircraft will stand vulnerable to lose its tail fin during during flying conditions. The image above indicates that this directive was deemed applicable for a wide range of Airbus aircraft including Airbus A320-216, the one that went down.

The proposal also says Airbus has developed modifications within the Flight Augmentation Computer [FAC] to activate a conditional aural warning within the Flight Warning Computer [FWC] to prevent pilot-induced rudder doublets. 

So the European regulator was aware of such a ‘condition of vulnerability’ that Airbus aircraft were under and proposed an Airworthiness Directive [AD]. Irrespective of whether the AD was implemented or not, the fact that Airbus aircraft had vulnerabilities including that of losing the tail-fin during specific flight conditions. As I have always pointed out, the probability of occurrence of any event should have no bearing on the risk perception of the same. Potential impact, in this case is, loss of aircraft and therefore it should have higher priority. For some reason, frequency and probability of occurrence is being used as a key criteria for prioritising any risk-mitigation effort.

Further research back into the past reveals this:

Exhibit F: 

‘Safety First,’ The Airbus Safety Magazine dated January, 2005 featured an article on the need for enhanced pre-flight checks involving risk conditions, with one of them being the failure of the Rudder Travel Limiter Unit [RTLU]. The article, as you can see the image above, classifies it as an ‘event of undue rudder travel limitation.’

2005 is long back and even then, there had been vulnerabilities with respect to the RTLU in Airbus aircraft. This indicates that Airbus aircraft, like any other aircraft has always stood vulnerable to abnormal flight conditions, including those that concerned the RTLU, the system which failed during the QZ8501 accident.

Conclusion

Based on the oddities and interpretations I derive from the observation of the exhibits presented above, this is what I think happened with QZ8501.

The aircraft, like any other had remained vulnerable to specific abnormal flight conditions and the supplier’s effort to mitigate this risk [concerned with the RTLU] resulted in restricting the pilot’s capacity to take control of the aircraft. 

What was deemed as too-much-freedom for error resulted in a change that took too-much-of-necessary-capacity from the flight crew during those specific abnormal flight conditions. 

So when the aircraft went into what was deemed a ‘very-low-probability’ scenario, it deviated away from its dedicated flight-line and it had to be recovered. The flight crew had responded as per procedure three times to recover the aircraft but realised that the risk-mitigation change was not allowing them to do the same. The 4th time, the flight crew had no other choice but to try to disconnect the controls from the flight computer that was implementing the ‘pilot-restricting’ control criteria. Unfortunately, they couldn’t achieve the recovery in time and the aircraft went down with the crew and passengers.

While the nature of the abnormal flight conditions is still kept out of our minds through ‘official’ statements comprehensively covering obscurity and generality, we can recall what the patent describes as a possible abnormal flight condition: engine failure. This is why I wanted to know if the engine part of the wreckage was recovered and if yes, the details of the engine wreckage inspection. 

Summing up, many events must have occurred in a certain unfortunate sequence that led to system failure and the eventual loss of the aircraft QZ8501. We may never come face-to-face with the truth since the truth will stand in the way of a multi-billion dollar market that hangs on the ‘perception of reliability’ the aircraft brands thrust into the operators’ minds. However, we can be sure that solder joint failures leading to electrical discontinuity don’t occur out of the blue just like that. Also pilots are not fools to try to disconnect the flight computer unless the situation demands such an effort. 

When a report says, someone lost their life because of a knife entering their back and that the victim had by some means consciously maintained proximity to a sharp knife during the event, it is absolutely obvious that someone might have stabbed the victim. Just because the report doesn’t use the word stab doesn’t mean the victim absolutely walked into a knife protruding out of something uncertain [in this case the hands of the assailant]. Just my thought.

Regards,

UNTOUCHED POSSIBILITIES OF THE GERMANWINGS CRASH

Hello World,

Another commercial plane went down and again the blame is on the pilot. The Germanwings 9525, an Airbus A320-211, crashed into the Alps mountains after what is being defined as a constant descent, beginning few minutes after a routine contact with air traffic control. I sincerely believe, this accident has more to do with the aircraft than the pilot. Here are the reasons why I do not buy the ‘Crazy-Pilot’ theory.

This time, instead of waiting for the media to speculate, the Crisis-Management efforts have efficiently used the media elements to prevent the general public from thinking anywhere near the actual root-cause of the incident. 

Firstly, the very fact that the prosecutors’ claims are being published as key findings and then publishing the findings as support indicates that this effort is avoiding the acceptance and analysis of possibilities that will indicate the mistake of individuals other than the flight crew. 

How did a German media-house get hold of cockpit voice recording (or its transcript) at a time when no such information was officially released? If the report was alleged and the claim unsupported by facts of the leak, what actions are being taken against the German media-house that published such a report? [Nobody will talk about it because it probably was a paid media campaign]

As long as something is published in a large scale, it will be deemed factual and this element of mental heuristics is being used by the Crisis-Management team here.

One of the mentions that has been prominent in the news reports is that the aircraft (Germanwings 9525) was approved for ESG1 in 2012. ESG1 stands for Extended Service Goal-1 and the approval has come from EASA qualifying A320-200 for ESG1 exercise through a suitable revised/re-compiled version of the Airworthiness Limitations Section (ALS) Part 2 Rev. 01. 

According to this ‘extension-of-life’ program, as approved by EASA, as long as the aging A320-200 series aircraft undergo the required package of structural and systems modifications, before the aircraft reaches its Design Service Goal (operational life limit, typically 48000 Flight Cycles or 60000 Flight Hours), the aircraft can be approved for an extended operational life with the revised limits being 60000 Flight Cycles or 120000 Flight Hours.

Red Flag No.1:

FAA has rejected a request from Airbus and American Airlines (AAL) to amend an existing FAA Airworthiness Directive to include ESG1. FAA, in its Proposed Rule published on 05/28/2014, has issued a Supplemental Notice of Proposed Rulemaking where it has disagreed with the proposal of including ESG1, among other elements of the request. FAA’s evaluation has determined the existence of unsafe condition and its likelihood to exist and develop on other products (within the scope of the directive which includes A-320-200 series including A-320-211).

Please find the concerned paragraphs of the FAA’s Proposed Rule in the pics below:

https://www.federalregister.gov/articles/2014/05/28/2014-12251/airworthiness-directives-airbus-airplanes#h-13

https://www.federalregister.gov/articles/2014/05/28/2014-12251/airworthiness-directives-airbus-airplanes#h-13

 Feel free to look into the official FAA announcement here:

https://www.federalregister.gov/articles/2014/05/28/2014-12251/airworthiness-directives-airbus-airplanes#h-18

Germanwings 9525 aircraft had an ‘operational-life-extension’ approved in 2012, which includes a procedure that has been approved by EASA but not the FAA. The aircraft had been received by Lufthansa in February, 1991 which indicates its age to be around 24 years at the time of the crash. The aircraft had got the ESG1 approved in 2012, and remained with Lufthansa until January, 2014, when it was handed over to Germanwings, indicating it has gone through the necessary structural and system changes prior to its reaching the Design Service Goal. 

Interpretation:

The aircraft that crashed got an approval of life-extension based on practices accepted by one regulator but rejected by another on the grounds of existing unsafe conditions. An aircraft at the end of its life, getting a questionable life-extension approval, can be safely assumed to be vulnerable to risks of varying types covering diverse levels of failure-modes.

Questions:

If the ESG1 procedure and related maintenance tasks can indeed enhance the safety of the aircraft, why did FAA’s evaluation find existence of unsafe conditions pertaining to ESG1?

Why hasn’t it been highlighted that the aircraft got approved over a procedure that did not get a global acceptance from the civil aviation regulators?

Why hasn’t anyone raised the question on the age of the aircraft and its vulnerability to failure? (The aircraft was almost near the end of its operational life, otherwise, it couldn’t have got the ESG1 approval in 2012)

To be fair, we need to look into the elements of ESG1 and analyze its implications so as to make sure, the Airbus life-extension program can actually impose any risk whatsoever on the aircraft involved.

Red Flag No.2:

The ESG1 program was approved by EASA through the approval of ALS-Part-2-Rev.01 in 2011 and as per Lufthansa Technik’s understanding, ESG1 has imposed changes on the inspection methods followed by operators which included elimination/relaxation of inspections such that only 40% of the tasks remain unchanged.

Let’s look into some excerpts (published data) from Connection, the Lufthansa Technik Group Magazine, specifically the issue dated 4^th July, 2012:

Excerpt-1

“By the end of 2011 all the engineering data had been assessed, the results had been accepted by the Structure Task Group (STG) – comprising Airbus, leading operators, MRO companies and the certification authorities – and finally compiled into a new Airworthiness Limitations Section (ALS) Part 2 Rev. 01 approved by EASA. In a first stage this major effort has been accomplished for the A320-200 (with the exception of some unique operational environments). The other models will follow in a second stage scheduled for mid-2014.”

Interpretation:

The ESG1 program is a very recently approved program, approximately 3 years old at the time of the Germanwings crash. 

Excerpt-2

“The new ALS introduces changes in the mandatory structural inspection program based on a 2.00 FH/FC average mission. As these requirements also apply below DSG, any A320 family aircraft in service is affected.”

Interpretation:

 The new ALS (that includes ESG1) has introduced changes in the structural inspection program and these changes were expected to affect any A320 family aircraft in service. However, we cannot conclude if the impact could be negative or positive from this statement alone.

Excerpt-3

“Taking into account that approximately 200 such tasks exist, some of which require wing tank access or the removal of cabin interiors, the challenge operators face over the next months becomes clear.”

Interpretation:

This was published in July, 2012 and this mentions the challenges that the ESG1 program will impose on the operators. Although we cannot conclude on the diversity and intensity of challenges imposed, it does indicate the possibility for the operators to reschedule, revise, or even skip procedures in an attempt to comply with the ESG1 program which might subject the aircraft to further risk of failure during operation.

Excerpt-4

“At the same time, the extensive test data computed by enhanced analysis methods have made it possible to depart from the conservative approaches adopted in the design phase three decades ago, allowing the elimination or relaxation of a significant number of inspections. At the end of the day only 40 percent of the tasks remain unchanged.”

Interpretation:

Test data from the recent past was used as the basis for deciding to eliminate/relax inspections such that only 40% of the tasks remain unchanged. This means that the inspection methods for aging aircraft were revised based on recent test data and the revision largely covered elimination and relaxation of inspections. This indicates that the new program basically forced the Risks of Failures Going Undetected or Improperly Identified on the operators who complied with the new program.

Questions:

How come they had the direct knowledge of the risks involved and still allowed the ESG1 approval for the Germanwings 9525 aircraft?

Even if the aircraft had not gone through the changes in full/part, it was rendered vulnerable when the operator had the aircraft approved for ESG1. Why is this not raising any question on the details of the past 3 years’ maintenance tasks executed on the Germanwings 9525 aircraft?

However may be the advancement in technology, why would anyone agree to the elimination or relaxation of 60% of inspections, that too for an aircraft that is over 20 years old?

However suspicious the ESG1 program elements may sound, one cannot just blame the decision to eliminate/relax inspections as dangerous without looking into the testing methods, based on which the decision was taken. 

Red Flag No. 3:

In the 2009 book titled ‘ICAF 2009, Bridging the Gap between Theory and Operational Practice: Proceedings of the 25^th Symposium of the International Committee on Aeronautical Fatigue, 27-29 May, 2009, Rotterdam, The Netherlands,’ on page 226, under ‘BACKGROUND OF A320 ESG PROGRAM,’ we find this:

“To achieve approval for the Extended Service Goal package, Airbus is carrying out full-scale fatigue tests on new production standard aircraft sections, enhanced with special structural features. The original A320 configuration will be taken into consideration, as well as the specificities of other family types. All of the results will be compiled to show the fatigue behavior of the complete aircraft family."

Interpretation:

They used new production standard sections for the fatigue tests and used that result to derive the data which was subsequently used as the basis for achieving regulatory approval. The whole basis for the request for approval for ESG program was built on the educated guesswork or mathematically-supported May-Be-Approximation of a test data that was believed to represent those of the old aircraft.

If this has to be right, then we can test a car from 2015 and use the data to reflect on cars from 1992 and say that based on our tests on a 2015 car, its 1992 equivalent will have about the same effects as the new one, except we can reduce the margins slightly to accommodate the 20+ years and abuse the 1992 car went through. Also we can decide how to modify the 1992 car so it can run smoothly for the next 5 years, based on what we find from the 2015 car. If this doesn’t ring a bell, nothing will.

The methodology is not entirely wrong but definitely incomplete in terms of addressing the real issue which happens to be deciding on maintenance methods and upgrades to extend the life of 23-24 year old aircraft.

Questions:

When the objective is to extend the life of aging aircraft (that are over 20 years old), why hasn’t the testing used aircraft sections from used A320 aircraft?

What was done to include (in the testing) the element of operational wear and tear and the impact of harsh environments the aging aircraft would have gone through?

Red Flag No.4:

The recent claims seem to point at the possibility of a pilot allegedly locking out another from the cockpit and the locked-out pilot trying hard to get it. Apparently, there is a way to get inside a locked cockpit. Watch the video below:

Interpretation:

Prosecutors’ claims of information that can support the possibility of one pilot getting locked out of the cockpit may not be true. In fact, it still remains to be proven beyond doubt that the co-pilot was in and the pilot was out of the cockpit when the plane crashed.

Questions:

So far the investigation seems to be pointing at the co-pilot locking-out the captain. What element of the voice recording confirms that the co-pilot was the one inside and the captain was stranded outside?

Why did the captain not use the emergency cockpit-access procedure to enter the cockpit?

Why isn’t the possibility of the ‘incapacitation of pilot’ and/or electrical-system failure being considered which may have left the pilots unconscious and/or the communication systems dead?

Deliberate Human Responsibility???!!!!

Just because so far there is no evidence released that points to a technical system failure, the possibility of deliberate human responsibility is being thrusted into the minds of the general public (or may be the regulators too) so they can just assure themselves that it was indeed the co-pilot who crashed the aircraft.

How about accepting the inability to conduct fair investigation as a consequence of lack of evidence?

Views of a Journalist:
John Rosenthal has provided a neutral analysis of the crash investigation in his report:


http://www.geopoliticalmonitor.com/the-trouble-with-germanwings-flight-9525/

Conclusion

In my view, the aircraft was an aging platform, well near or over its design operational life and it might have been subjected to a very questionable ‘Life-Extension-Program’ which in part or full might have rendered the aircraft vulnerable to multiple unidentified failure modes, one of which struck the aircraft during its final flight that ended in the crash. The Life-Extension-Program was approved by EASA but FAA refused to allow its inclusion. If one regulator finds enough evidence to agree why does another find enough evidence to disagree? What does that tell about the very viability of the Life-Extension-Program and its impact on the aircraft it is approved for, irrespective of its full/partial implementation?

The possibility of co-pilot deliberately crashing the plane is a story being cooked up to cover up this incident so as to protect multiple commercial interests. In the end, as it turns out, pilots can no longer divulge their health issues or personal fronts to their managements as those details will be cleverly used against them, when they are not even alive to defend their stand.

At this point I am even curious to learn if those individuals who get angry at speculators online (and drag the discussion to the most insignificant bolt on the plane) might be part of a specially constituted online-clean-up team reporting to the crisis-management team that is trying to keep operator, manufacturer, maintainer and the regulator from any possible blame, every time a plane goes down (debris recovery is irrelevant here).

How in the world do these stakeholders remain untouched while pilots alone get blamed for ‘tendencies’ and ‘depressions’ based on what everyone proudly calls ‘initial reports’?????

The lack of exceptions in this trend is what keeps me wondering what really happens to these untouched possibilities of plane crashes.

On a very different note [a shameless plug], if you are interested in unique tamil short films, feel free to visit https://www.summamovies.com/. I couldn't tolerate the mass masala entertainers anymore and decided I will do my best to produce content with substance. I have a long a way to go as a producer and a start-up founder, but I am glad our journey has begun. I look forward to your support. Each film on our site costs INR 15. Thanks!!!


Some references:



http://www.lufthansa-technik.com/documents/100446/160376/Technik+Connection+4-2012.pdf

http://www.airfleets.net/ficheapp/plane-a320-147.htm

http://www.lufthansa-technik.com/documents/100446/160376/Technik+Connection+4-2012.pdf

http://www.theguardian.com/world/2015/apr/02/germanwings-crash-second-black-box-found

http://www.reuters.com/article/2015/04/03/us-france-crash-idUSKBN0MU0MA20150403

http://www.wsj.com/articles/germanwings-plane-was-accelerated-on-descent-say-french-investigators-1428055460

http://blogs.webmd.com/breaking-news/2015/03/germanwings-crash-is-depression-really-to-blame.html?ecd=soc_tw_033115_blog_germanwings

http://airflightdisaster.com/index.php/the-ironic-tragedy-of-germanwings-flight-9525/

http://en.wikipedia.org/wiki/Germanwings_Flight_9525

http://transport-central.com/Germanwings+Flight+9525

http://www.flightglobal.com/news/articles/airbus-begins-tests-to-extend-service-life-of-a320-family-220962/

http://www.ainonline.com/aviation-news/air-transport/2009-06-09/airbus-expects-minor-mods-keep-a320-flying-years

https://www.friedlnews.com/article/analysis-crash-of-germanwings-flight-9525-investigation-and-latest-responses

https://books.google.co.in/books?id=-B4HBw1-RgcC&pg=PA226&lpg=PA226&dq=airbus+esg1+approved&source=bl&ots=P3cD1QinOJ&sig=nL52j7idy8pB2ldT_CU18WMKIDU&hl=en&sa=X&ei=agMlVYaUKoOzuQTj0YHYCw&ved=0CB0Q6AEwAA#v=onepage&q=airbus%20esg1%20approved&f=false

http://www.planespotters.net/Production_List/Airbus/A320/147,D-AIPX-Germanwings.php

http://www.flightglobal.com/news/articles/analysis-germanwings-crash-accident-investigation-410749/

http://www.liveleak.com/view?i=d42_1427636702

Regards,