Tuesday, September 14, 2010

Links in a chain.

No, I don't mean handcuffs - We passed our audit, so...umm...hooray and stuff! I'll go over the specifics of the audit later - in response to some of the suggestions of the inspectors, I'm adding a whole pile of guidance material to our various manuals (Company Operations Manual, Standard Operating Procedures Manual, Safety Management System Manual, Emergency Response Manual, Flight Crew Training Manual, Maintenance Control Manual, etc) and once I'm done, I'm gonna post some of the content online so you can see what sort of paperwork is involved in keeping us airborne. That'll be a couple of weeks from now at the earliest, so until then let's talk about other stuff.

Specifically, let's talk about a Citation 500 accident that happened on March 30th, 2008 in Biggin Hill, England. A Citation 500 is the little brother to the 550 that I fly, and they share enough of the same systems that I could be qualified to fly a 500 with very little extra training.

Here's what happened:

The aircraft departed Biggin Hill for a private flight to Pau, France.

One minute after takeoff, the First Officer radioed ATC with the following:

"We're making an immediate return to the airport, immediate return to the airport"

The aircraft was given permission to land on any runway, and the pilots indicated that they would return to runway 21, from which they had just taken off. A few seconds later, he told ATC that they had a bad engine vibration.

A minute after that, came the final transmission:

"And er.. we have a major problem a major power problem it looks as though we're er going in we're going in."

A few seconds later, the airplane struck the side of an unoccupied house in the village of Farnborough, Kent, [not the town associated with the international air show]. An intense fire quickly developed, consuming the house and the aircraft. Both flight crew and all three passengers were fatally injured. The house owners returned shortly after the accident, and as you can imagine, were treated for shock.

That sucks, right? Sounds like they had some kind of nasty engine problem that somehow brought down the light jet. The thing is, it can fly just fine on a single engine.

Unfortunately, eyewitness accounts were pretty useless at first:

Witnesses reported that the aircraft was maintaining a normal flying attitude with some reporting that the landing gear was up and others that it was down. Some described seeing it adopt a nose-high attitude and banking away from the houses just before it crashed. Some witnesses stated that there was no engine noise coming from the aircraft whilst others stated that they became aware of the aircraft as it flew low overhead due to the loud noise it was making, as if the engines were at high thrust. Two witnesses described hearing the aircraft make a pulsing, intermittent noise.

Now let's skip ahead and add a few more facts that will really bake your noodles while we are trying to figure this thing out:

1. The airframe was just fine - the wings and tail were firmly attached, and the flight controls were working correctly.
2. The airplane was correctly loaded, and was below maximum takeoff weight.
3. The airplane had lots of gas, and the gas was not contaminated in any way.
4. The engines were not damaged in any way before impact.
5. The weather was good, with light winds and scattered clouds.
6. Approximately 70 seconds before impact, neither engine was producing any power.

Wait, what?

Now here's a little history on the pilots, which may or may not prove to be relevant:

The Captain had over 8,000 hours total flying time, but had just completed his type rating on the airplane, and had a total of only 18 hours on the C500 series. On his initial checkride, he failed the "Engine Failure after takeoff" portion of his flight test, but passed it on the second try.

The First Officer had 4,500 hours total flying time, and was more familiar with the particular aircraft, with a total time of over 70 hours on that particular airplane. That's still not a whole lot of time on type.

The crash investigators certainly had a difficult job ahead of them: There were no data recorders on board, nor was one required to be. So they started going through the wreckage, sifting through the charred bits and trying to figure out what was working before the crash and what (if anything) wasn't. That's not an easy job, looking at blackened metal chunks and trying to find meaning from the debris, but their hard work eventually paid off and they found 2 things:

The air cycle machine had chucked a fit, and there was a missing rivet head on the left throttle.

The air cycle machine is sort of like an air conditioner - it takes air and heats it or cools it and circulates it through the cabin. The actual unit is housed in the tail.

Airplanes go through thorough maintenance inspections all the time. However, there was no maintenance schedule that detailed when that particular rivet head should be inspected. That particular rivet head was a physical barrier that prevented the left throttle from moving rearward past the "idle" position to the "fuel cut-off" position unless the throttle lever itself was pulled upward.

That should give you all the clues you need in order to solve this, or at least to have a pretty good idea of what likely happened. Give up? No problem, it took the investigators a couple of years to figure it out.

Now before we get to the big reveal, I've said it before and I'll say it again: accidents are usually the result of a whole bunch of links in a chain, and this case was no different.

Also, here's the emergency engine restart checklist for the C500. There's an item on it that is misleading at best:

And now the links:

1. Fresh crew, inexperienced on type.
2. Captain just got out of the simulator, and might be a little 'twitchy' after going through a whole bunch of engine-failure drills, especially as he failed that particular item on his first flight test. Nothing vibrates on a jet when it's working correctly. If a jet engine vibrates even a little bit, it's going to consume itself soon.
3. The air cycle machine is housed in the tail, right between the 2 engines.
3a. It is extremely rare for an air cycle machine to die in flight.
4. The air cycle machine ignores the statistics and decides to die anyway, and thrashes around in a relatively violent fashion.
5. The pilots feel vibration in the rear of the airplane and assume it's an engine.
6. The engine indications for both engines are normal (because they are actually operating normally) but the vibration compels the pilots to shut one of the engines down.
6a. Suppose they flip a coin or imagine some indication and decide it's the right engine that's causing the problem and shut it down.
7. The right engine shuts down, but the vibration continues because the air cycle machine is still dying a noisy death, and it's still getting power from the operating engine.
8. The flight crew decides it's the left engine, so they are faced with shutting down the left engine while trying to relight the right engine.
9. The flight crew pulls the left engine throttle back to the idle position (likely to confirm that it's the left engine that's causing the issue) and the missing rivet head (that hadn't been inspected/noticed, likely ever) lets them accidentally pull the throttle all the way back to the fuel cut-off position.
9a. Now both engines are dead. The vibration goes away, because the air cycle machine isn't being powered any more, but they have bigger problems now, namely:
10. They are at a low altitude (the airplane never climbed higher than 1,200' above ground level), with no power to either engine. Gravity sucks.

Now here's the part I really feel bad for the crew for having to deal with:

See step 4 in the "Emergency Restart - 2 engines" checklist? It says to increase the speed to 200 knots if the altitude allows. Their speed never went above 140 knots, and the altitude did NOT allow for this, which meant that restarting the engines would be more difficult and would likely require the use of the engine starters.

It takes about 35 seconds to relight a C500 engine. See step 7 in the "Emergency Restart - 2 engines" checklist? It says if the engines don't restart in 10 seconds, press either restart button momentarily.

The thing is, if one engine is spooling up but hasn't fully started and you hit the start button on the other engine, it kills the start sequence for both engines. That's likely a result of a battery limitation - an engine start pulls a whole lot of amps, and aircraft batteries are built to be as light as possible while still doing the job, so they don't have a whole lot of extra power to spare.

Unfortunately, that's exactly what happened - after the series of most unfortunate events that preceded both engines being shut down, they attempted to start the second engine before the first one was fully lit up again, and the start sequence on both of them terminated, leaving them with no power, no altitude and no options. At least the final part was over quickly.

As a result of the crash, 3 safety recommendations have been made. Time will tell if they are put into place.

1. Cessna should introduce a scheduled inspection of the throttle quadrant assembly system into the maintenance schedule on the Citation 500 series.
2. The Cessna emergency checklist should be amended to emphasize the importance of starting only 1 engine at a time.
3. Flight recorders should be installed on light aircraft so investigators have more data to work with after an accident.

Links in a chain.

Wiki on the crash

Full Air Accident Investigations Branch report:


fche said...

In a light twin prop job, it is drilled into a student pilot that before an engine shutdown, there is to be a verify step, intended to preclude shutting down the wrong engine. In jets, do you totally shut down things right away, or do you pull the throttle back for a couple of seconds to see if it makes a difference?

Anonymous said...

In the British Midlands crash of a 737, they had an actual engine vibration, but shut down the good engine.

Checklists and procedures are great but you need to think a little bit too. Nothing needs to be done *right now* and if you're close to the ground and the airplane is still flying, getting to a safe altitude is the first priority.

Bringing the throttle back to see if the vibration reduces is probably the first thing to try.

Anonymous said...

There, but for the grace of God...

Aviatrix said...

Awesome posts, both of them on this topic. Real life is rarely as cut and dried as the flight test.