Wednesday, September 29, 2010

45 minutes into our flight this morning. Click on the pics to embiggen them.

55 minutes into our flight.

10 minutes later.

For a view like that, it's almost a pleasure getting up at 4am! Almost... :)

Tuesday, September 28, 2010

This is a new one. This model flew yesterday in the UK. It's called the Demon UAV.

Here's a video of it flying.

So what's the big deal?

Well, it has no moveable control surfaces. That's right, no flaps, ailerons, elevators or spoilers. Just a wing, an engine and some holes.

First of all, the exhaust nozzle is moveable, so it can be vectored around to aid in directional control. Also, bleed air from an APU (auxilliary power unit, meaning a small engine) is blown through hundreds of tiny holes in the trailing edge of the wing to also help with directional control.

The military likes this because moveable surfaces like slots and flaps have edges and gaps, which are apparently total heat-scores when you are trying to have a low radar profile. Less edges to bounce off = more stealth, and that's generally what you are going for when you build a small UAV, most of which are used to spy on people in some way.

The advantages to this in a civilian application would be less moving parts, a stronger wing, less maintenance requirements and a cleaner wing which results in less drag, meaning less fuel burn.

You could control the boundary layer across the wing with air jets, which would also help change lift/drag characteristics for takeoff and landing.

We'll see if anything comes of this, but it sure does look promising. The one thing they will have to work out is how to control the airplane if the APU fails - presumably there'd be a way to store enough compressed air on board for a dead-stick landing. Presumably :) Now that I think about it, I'd also want some way to ensure that the holes don't get plugged with de-ice fluid in the winter... Clearly we are a few years away from hopping into a jet with no moving control surfaces, but the proof-of-concept is right there on Youtube, so it's not inconceivable that one day we might, assuming the advantages outweigh the hassles. I wonder how they'll rig the controls?

Flightglobal link here

Other link here

Wednesday, September 15, 2010

I felt like I didn't give yesterday's post enough meat so to follow up the Biggin Hill accident, I want to clarify a couple of things and maybe ramble a little bit as well. Read yesterday's post first, then this one :)

First of all, in the Citation 500 series of jet we are taught that if an engine is still providing thrust, we are in no hurry to shut it down. For example, an engine fire after takeoff - the first item on our checklist is to ignore the fire indication until we climb to a safe altitude, then calmly deal with it, without rushing.

Why don't we freak out? We have no real reason to.

On our baby jet, the engines are in the back, attached to the fuselage. If worst comes to worst, they are gonna burn off and depart the airplane, which doesn't hurt the structural integrity of the airplane at all. In my previous ride, the Mitsubishi MU-2, the engines were built into the wings, so if you left an engine fire too long it could easily burn through the wing spar (which is bad), but on our jet that's not the case. Just like on lots of Airbuses and Boeings, if one of the engines falls off they will leave the airplane with reduced thrust, but they won't cause the airframe to break up. If you are going to lose an engine soon, you might as well milk it for any excess thrust you can get before you shut it down, especially if you have just departed and are close to the ground.

That's the part I really don't understand about the accident - the engine indications would have shown that the engines were still producing thrust, but I guess the vibration from the back of the airplane caused them to think that the engine indications were faulty, and that at least one of their fans was busy digesting itself. Maybe they were concerned that an uncontained engine failure might spray the cabin with fragments of fan blades - a pretty rare thing, but if it does happen, that usually means anyone sitting in the back of the plane is going to have a really bad day. The vibration must have been bad, but there's no way it would have caused the airplane to shake itself apart in the air or anything.

Why did they pick the right engine as the culprit? I don't know - they either saw something in the engine gauges that made them think it was the right engine, or they flipped a coin. Either way, we are also taught to pull the power lever back to idle to see what happens first BEFORE shutting the engine down, and that's a standard procedure for every twin-engined aircraft I have ever flown. So suppose they did that.

My take on it is that once they were convinced that it was the right engine that was sick (the left engine would have still been producing enough thrust to keep them climbing, so maybe that's how they decided it was the right engine), and when pulling the thrust lever back to idle didn't stop the vibration (again, the vibration was the air cycle machine, which had nothing to do with the engines, and it would have continued as long as either engine was operating), they decided to shut it down completely.

So far, I can see how that would happen.

The vibration continues after the right engine is shut down, the crew goes "unfortunately it appears we shut down the wrong engine" or words to that effect, and they decide to go to plan B.

Now here's the part I don't understand:

If I have the good engine shut down, I'm not even going to bother pulling the sick engine back to idle thrust as long as it's putting out a single pound of forward thrust. I wouldn't be touching the sick engine, I'd be flying as best I could on what thrust I had, and working my ass off to get the good engine relit.

In their case, the 'sick' left engine was actually working just fine, so I don't understand why they would even try to pull the thrust back at all. However, they did, and unfortunately the missing rivet head on the left thrust lever allowed them to pull the lever all the way back to fuel cut-off, killing both engines. What an unpleasant surprise that must have been.

So they are a glider then, and have maybe a minute or so before they hit the planet. The part where they had really back luck was that the dual engine failure checklist seems to say that you can try to light up both engines as long as you wait ten seconds in between, when in reality it takes 35 seconds for an engine to go from 'dead' to producing useful thrust, and even worse, if you try to light up both engines at the same time using battery power, it will kill both engine start sequences.

They try to light up the right engine, but they aren't going fast enough (200 knots) for an airstart, so they need to use the starter, which runs on the battery if neither engine is operating and they are in the air. It takes more than ten seconds, so in a panic (the ground is rushing up to meet them), they hit the left engine start button to try to get that back and running. There's no way the small aircraft battery can handle a simultaneous double-engine start sequence, so it shuts down the flow of electrons to both starters, and all that's left is picking a soft spot to land. Unfortunately they were over a bunch of buildings, so that was that.

Anyway, I find accidents pretty fascinating, and I read about as many as I can, my logic being "If I can remember to not do all the things they did that resulted in their demise, maybe I will break the accident chain links".

What I came away from this accident with are a few things:

1. Don't assume that vibration in the back of the plane is an engine. There's other stuff back there too.
2. Confirm which engine is the bad one. Is it obvious? How? Am I absolutely sure?
3. Confirm it again before touching anything.
4. Take my time in an emergency. There are only 2 things in my airplane that require split-second action - cabin depressurization at altitude, and thrust reverser deployment in flight. For anything else, I will take a deep breath before touching anything.
5. If I ever suffer a dual engine flameout, I will only concentrate on starting one engine at a time.
6. Check the thrust levers from time to time (on the ground) to make sure I can't pull the levers to the fuel cut-off position accidentally.

Any of those steps would have helped mitigate this accident, and maybe the people involved would still be with us. Unfortunately they can't speak any more, but we can still learn from what they left behind.

I don't see aviation as dangerous but I do see it as unforgiving. I'm not that smart, but I do work hard to minimize the occasions I need to beg forgiveness, and I hope the same for you.

Tuesday, September 14, 2010

Links in a chain.

No, I don't mean handcuffs - We passed our audit, so...umm...hooray and stuff! I'll go over the specifics of the audit later - in response to some of the suggestions of the inspectors, I'm adding a whole pile of guidance material to our various manuals (Company Operations Manual, Standard Operating Procedures Manual, Safety Management System Manual, Emergency Response Manual, Flight Crew Training Manual, Maintenance Control Manual, etc) and once I'm done, I'm gonna post some of the content online so you can see what sort of paperwork is involved in keeping us airborne. That'll be a couple of weeks from now at the earliest, so until then let's talk about other stuff.

Specifically, let's talk about a Citation 500 accident that happened on March 30th, 2008 in Biggin Hill, England. A Citation 500 is the little brother to the 550 that I fly, and they share enough of the same systems that I could be qualified to fly a 500 with very little extra training.

Here's what happened:

The aircraft departed Biggin Hill for a private flight to Pau, France.

One minute after takeoff, the First Officer Radioed ATC with the following:

"We're making an immediate return to the airport, immediate return to the airport”

The aircraft was given permission to land on any runway, and the pilots indicated that they would return to runway 21, from which they had just taken off. A few second later, he told ATC that they had a bad engine vibration.

A minute after that, came the final transmission:

"And er.. we have a major problem a major power problem it looks as though we're er going in we're going in."

A few second later, the airplane struck the side of an unoccupied house in the village of Farnborough, Kent, [not the town associated with the international air show]. An intense fire quickly developed, consuming the house and the aircraft. Both flight crew and all three passengers were fatally injured. The house owners returned shortly after the accident, and as you can imagine, were treated for shock.

That sucks, right? Sounds like they had some kind of nasty engine problem that somehow brought down the light jet. The thing is, it can fly just fine on a single engine.

Unfortunately, eyewitness accounts were pretty useless at first:

Witnesses reported that the aircraft was maintaining a normal flying attitude with some reporting that the landing gear was up and others that it was down. Some described seeing it adopt a nose-high attitude and banking away from the houses just before it crashed. Some witnesses stated that there was no engine noise coming from the aircraft whilst others stated that they became aware of the aircraft as it flew low overhead due to the loud noise it was making, as if the engines were at high thrust. Two witnesses described hearing the aircraft make a pulsing, intermittent noise.

Now let's skip ahead and add a few more facts that will really bake your noodles while we are trying to figure this thing out:

1. The airframe was just fine - the wings and tail were firmly attached, and the flight controls were working correctly.
2. The airplane was correctly loaded, and was below maximum takeoff weight.
3. The airplane had lots of gas, and the gas was not contaminated in any way.
4. The engines were not damaged in any way before impact.
5. The weather was good, with light winds and scattered clouds.
6. Approximately 70 seconds before impact, neither engine was producing any power.

Wait, what?

Now here's a little history on the pilots, which may or may not prove to be relevant:

The Captain had over 8,000 hours total flying time, but had just completed his type rating on the airplane, and had a total of only 18 hours on the C500 series. On his initial checkride, he failed the "Engine Failure after takeoff" portion of his flight test, but passed it on the second try.

The First Officer had 4,500 hours total flying time, and was more familiar with the particular aircraft, with a total time of over 70 hours on that particular airplane. That's still not a whole lot of time on type.

The crash investigators certainly had a difficult job ahead of them: There were no data recorders on board, nor was one required to be. So they started going through the wreckage, sifting through the charred bits and trying to figure out what was working before the crash and what (if anything) wasn't. That's not an easy job, looking at blackened metal chunks and trying to find meaning from the debris, but their hard work eventually paid off and they found 2 things:

The air cycle machine had chucked a fit, and there was a missing rivet head on the left throttle.

The air cycle machine is sort of like an air conditioner - it takes air and heats it or cools it and circulates it through the cabin. the actual unit is housed in the tail.

Airplanes go through thorough maintenance inspections all the time. However, there was no maintenance schedule that detailed when that particular rivet head should be inspected. That particular rivet head was a physical barrier that prevented the left throttle from moving rearward past the "idle" position to the "fuel cut-off" position unless the throttle lever itself was pulled upward.

That should give you all the clues you need in order to solve this, or at least to have a pretty good idea of what likely happened. Give up? No problem, it took the investigators a couple of years to figure it out.

Now before we get to the big reveal, I've said it before and I'll say it again: accidents are usually the result of a whole bunch of links in a chain, and this case was no different.

Also, here's the emergency engine restart checklist for the C500. There's an item on it that is misleading at best:

And now the links:

1. Fresh crew, inexperienced on type.
2. Captain just got out of the simulator, and might be a little 'twitchy' after going through a whole bunch of engine-failure drills, especially as he failed that particular item on his first flight test. Nothing vibrates on a jet when it's working correctly. If a jet engine vibrates even a little bit, it's going to consume itself soon.
3. The air cycle machine is housed in the tail, right between the 2 engines.
3a. It is extremely rare for an air cycle machine to die in flight.
4. The air cycle machine ignores the statistics and decides to die anyway, and thrashes around in a relatively violent fashion.
5. The pilots feel vibration in the rear of the airplane and assume it's an engine.
6. The engine indications for both engines are normal (because they are actually operating normally) but the vibration compels the pilots to shut one of the engines down.
6a. Suppose they flip a coin or imagine some indication and decide it's the right engine that's causing the problem and shut it down.
7. The right engine shuts down, but the vibration continues because the air cycle machine is still dying a noisy death, and it's still getting power from the operating engine.
8. The flight crew decides it's the left engine, so they are faced with shutting down the left engine while trying to relight the right engine.
9. The flight crew pulls the left engine throttle back to the idle position (likely to confirm that it's the left engine that's causing the issue) and the missing rivet head (that hadn't been inspected/noticed, likely ever) lets them accidentally pull the throttle all the way back to the fuel cut-off position.
9a. Now both engines are dead. The vibration goes away, because the air cycle machine isn't being powered any more, but they have bigger problems now, namely:
10. They are at a low altitude (the airplane never climbed higher than 1,200' above ground level), with no power to either engine. Gravity sucks.

Now here's the part I really feel bad for the crew for having to deal with:

See step 4 in the "Emergency Restart - 2 engines" checklist? It says to increase the speed to 200 knots if the altitude allows. Their speed never went above 140 knots, and the altitude did NOT allow for this, which meant that restarting the engines would be more difficult and would likely require the use of the engine starters.

It takes about 35 seconds to relight a C500 engine. See step 7 in the "Emergency Restart - 2 engines" checklist? It says if the engines don't restart in 10 seconds, press either restart button momentarily.

The thing is, if one engine is spooling up but hasn't fully started and you hit the start button on the other engine, it kills the start sequence for both engines. That's likely a result of a battery limitation - an engine start pulls a whole lot of amps, and aircraft batteries are built to be as light as possible while still doing the job, so they don't have a whole lot of extra power to spare.

Unfortunately, that's exactly what happened - after the series of most unfortunate events that preceded both engines being shut down, they attempted to start the second engine before the first one was fully lit up again, and the start sequence on both of them terminated, leaving them with no power, no altitude and no options. At least the final part was over quickly.

As a result of the crash, 3 safety recommendations have been made. Time will tell if they are put into place.

1. Cessna should introduce a scheduled inspection of the throttle quadrant assembly system into the maintenance schedule on the Citation 500 series.
2. The Cessna emergency checklist should be amended to emphasize the importance of starting only 1 engine at a time.
3. Flight recorders should be installed on light aircraft so investigators have more data to work with after an accident.

Links in a chain.

Wiki on the crash

Full Air Accident Investigations Branch report: