This blog posting represents the views of the author, David Fosberry. Those opinions may change over time. They do not constitute an expert legal or financial opinion.

Two More Boeing Incidents.

Posted on 14th March 2024

This video is a news report from "9 News" in Australia. It describes two recent air safety incidents.

The first incident was a bad case of turbulence on an LATAM flight from Sydney to Auckland, in which many people were injured as they were thrown first against the ceiling and then onto the floor. Turbulence is not unusual, especially in that part of the world, and shows why airlines strongly recommend that passengers keep their seat belts fastened while seated (although that wouldn't have helped the poor guy who was injured in the toilet). I feel sympathy for the passengers (those injured and those simply scared), but turbulence cannot be blamed on Boeing. What is much more worrying is the statement by the pilot that all his instruments went dark for a few seconds when the turbulence hit. The times that instruments are most important are when something unusual and dangerous happens, and such a failure could increase the consequences of any incident.

Modern aircraft like the 787 use virtual instruments, where data such as airspeed, altitude etc. are displayed on electronic monitors in the cockpit, rather than on dedicated physical instruments. This has a number of advantages, including better use of the display real estate in the cockpit (instruments can be hidden at times when they are not needed), but also introduces several single points of failure which can cause all instruments to be lost, as in this case. The fact that such a failure occurred simply due to some turbulence is extremely concerning. Turbulence is most common during landing and take-off, and this incident suggests that pilots could lose all their instruments during those critical and high risk phases of the flight.

The other incident involved a United Airlines flight from Sydney to San Francisco, this time on a Boeing 777. The flight turned back due to what appeared to be a leak of hydraulic fluid from the undercarriage which caused smoke to come from one of the wheels. United blamed this on a "maintenance issue". This doesn't appear, at first glance, to be so critical, but on closer inspection is also extremely dangerous. Hydraulics are used to activate brakes, to raise and lower the undercarriage, and most importantly to operate the control surfaces (on the wings and tail) that pilots use to control the aircraft. A leak of hydraulic fluid is therefore potentially disastrous.

So, to summarise, there have been air safety incidents with 737 Max, 777 and 787 aircraft. Personally, I am not eager to fly on any Boeing plane right now.

Poor Sleepy Pilots!

Posted on 13th March 2024

As if there had not been enough air safety incidents lately, now the BBC reports on a case from Indonesia in which both the pilot and copilot fell asleep for 28 minutes during the flight.

The pilot told his copilot that he needed to rest, and took a nap; this is not meant to happen on short-haul flights. The copilot then also fell asleep. Air-traffic control were unable to raise anyone on the flight-deck during the naps.

"Our lives in their hands!"

Losing A Wheel Is Worse Than Losing a Tyre!

Posted on 9th March 2024

The BBC reports that a United Airlines flight (a Boeing 777 flying from San Francisco to Tokyo) lost a tyre (tire) seconds after takeoff.

That is not correct. One can clearly see from the video of where it landed that it is a wheel (with the tyre still attached), not just a tyre. This is an important distinction. Losing a tyre is not uncommon; tyres are lost because they break up into smaller pieces, so the damage when the tyre debris hits the ground is less severe. A wheel plus tyre is one piece and is heavier, and the damage when it hits the ground is significant (as the video shows). Losing a wheel is much less common, is usually a symptom of poor maintenance or faulty parts, and is a major safety concern.

Recent Air Travel Incidents.

Posted on 19th January 2024

After two recent air travel incidents, many people will be worrying just how safe it is to travel by aircraft.

The first occurred on the 5th of January, when a door blew out on an Alaska Airlines flight from Portland, Oregon to Ontario, California, as reported by the BBC. The blow-out occurred at 16,000 ft (4,876m), causing oxygen masks to be deployed and the jet to make an emergency descent, after which it returned to Portland.

Aircraft cabins are pressurised to the equivalent of 10,000 ft, so the sudden depressurisation would certainly have been noticed by the passengers. Most people, however, can tolerate air pressure at 20,000 ft (I have done so, while working, including moving heavy equipment). One commentator wrote that many passengers would probably have died if the blow-out had occurred at 30,000 ft (normal operating altitude for jets), although I suspect that passing out would be a much more likely outcome.

The Boeing 737 Max has had many problems, with hundreds of deaths in two high profile crashes and the whole fleet being grounded for over a year while changes were designed and tested, and the 737 Max was re-certified. Boeing must be grateful that this latest problem doesn't appear to be their fault.

More recently a passenger noticed, while looking out of the window just prior to take-off from Manchester (England) airport, that 4 bolts were missing from a wing panel, as reported by the Mirror. The Airbus A330 wing-panel has a total of 119 fasteners, so the missing bolts were unlikely to have caused a crash. Such panels are often removed for inspections as part of routine maintenance, so this is not a case of the bolts having been forgotten at the factory.

Many readers will have read that air travel is the safest form of travel. This, however, is calculated either per mile travelled, or per hour travelled, and, for me at least, air journeys are much longer (in both time and distance travelled). What I would like to see is statistics calculated per trip, so that we can all make a properly informed decision.

This is a common problem with official statistics, which often tell us what someone else wants us to hear rather than what we need or want to hear. Such statistics should more properly be designated propaganda. As they say, "never trust statistics that you didn't falsify yourself."

Pilots Worry That They Will Be Replaced By AI.

Posted on 8th June 2023

This article on Le Monde (in English) reports that airline pilots are concerned that they will be replaced on the flight deck by AI systems which can fly the plane.

Their worries are unfounded. Passengers will simply not accept being flown by AI systems.

What is likely to happen is that flight deck crews will be reduced in size (large long-distance flights typically operate with a crew of 3: a pilot, a copilot and a flight engineer).

There is a basic safety engineering problem preventing the complete safe replacement of flight crew with computers. Computers have no common sense, and so cannot deal with situations for which they are not programmed (in the case of AI, programming means training). That means that every possible scenario has to be foreseen, and the systems must be trained (and tested) for each scenario. Human pilots are able to fill these gaps in training with common sense, by extrapolating from situations for which they were trained, and by applying high-level principles; AI systems cannot do this. Although AI capabilities are improving in these areas, it will never be possible to have the 100% confidence in their abilities that would be needed for safety critical systems.

There is a method used in safety engineering, called failure modes analysis, which requires the designers of safety critical and mission critical systems to envisage what usage scenarios (which would include flight scenarios, in the case of flight systems) could occur, and what system failures could occur, in order to create a design that can cope with such failures and usage scenarios (known as Use Cases). Failure modes analysis relies on the application of common sense and applied paranoia by engineers. This is, however, a far cry from designing a system that can automate something such as flying an aircraft. There have been many well documented failures of failure modes analysis (e.g. the flight control system responsible for the Boeing 737 Max crashes). In fact safety and reliability engineering is notorious for its failures, through lack of common sense, inadequate paranoia, and flawed technical analysis and faulty knowledge about how mechanical and electronic components can fail.

In the short term it is likely that AI will be used to reduce the size of flight crews by providing advice on what actions the pilot should take during emergencies, negating the need for memorizing flight manuals (cockpits currently have these manuals on paper, but it often takes too long to look things up), and speeding pilot responses. This is now considered tried and trusted technology (I worked on such a system in the 1980s!).

The article on Le Monde does mention some AI based flight control systems that can fly the plane, including landing and take-off, but, for the reasons that I have listed above, these are not safe in a comprehensive sense, and will not be licensed for use without pilots; a pilot will always be needed to override any AI-based flight control system when it makes a mistake.

So yes, the jobs of some flight crew may be lost to AI, but AI is not going to completely replace humans in the cockpit, and most of the replacement will be achieved by natural wastage, not redundancies.

Boeing Contests 737 Max Lawsuit.

Posted on 27th January 2023

Boeing is in court in the USA over the 737 Max crashes, as reported by the BBC.

The suit brought by relatives of people killed in the crashes alleges fraud by the aircraft manufacturer, and of course Boeing denies this.

I have written extensively on the subject of the 737 Max crashes and the safety of the aircraft (see here), and have made my opinion (based on my experience in the avionics industry and work on other safety-critical systems) clear: Boeing misled the FAA (Federal Aviation Authority) about the aircraft's safety in a way that amounts to fraud.

Boeing previously avoided a trial on this issue by agreeing to pay $2.5bn, but that appears to have been a fine rather than compensation. It is time for the company to pay up! Maybe they will then learn the lessons, for example what the definition of a safety-critical system is.

Boeing Again Denies That The 737 Max Is Unsafe.

Posted on 11th May 2021

I don't think this headline on the BBC is quite right. It should read "Boeing tries, and fails, to refute new safety concerns".

In one example of safety issues a 737 Max was on a flight from Boeing Field airport in Seattle, to deliver the aircraft to Brussels. After problems emerged, it returned to its point of departure. The article says "The aircraft landed safely shortly afterwards". Again, I think that is incorrect; just because it landed successfully does not mean it landed safely.

From a safety perspective the 737 Max is so broken as to not be worth repairing. The design was, from the outset, deeply flawed. No amount of "band-aid" will make it safe.

Boeing should bite the bullet and scrap the plane, and compensate the unfortunate airlines who bought them.

Boeing Again In Trouble For Unsafe Aircraft!

Posted on 11th May 2021

As reported here by the BBC, Boeing is again under the spotlight for safety issues with their Boeing 737 Max planes.

This time it is an electrical problem, with potential effects on many systems. What is even more of concern is that there is a suggestion that this issue may have been involved in the failed sensors used by the AOA (Angle of Attack) system which caused the crashes of 737 Max planes.

As a result of the discovery of this latest problem, more than 100 Boeing 737 Max aircraft were grounded in April, and deliveries of new aircraft were stopped.

Boeing deemed that the change to manufacturing methods that led to the electrical faults was a "very minor change, so it was not notified to regulators". Again, this is not only a failure by Boeing, but also by the FAA.

Neither Boeing nor the FAA can be trusted to ensure the safety of air travellers.

Boeing pays $2.5 Billion fine, and now another 737 crashes!

Posted on 12th January 2021

Just in case you were in any doubt that Boeing deliberately put profit ahead of air safety with the development and certification of their 737 Max, the company has just "agreed" to pay a $2.5bn fine for their conspiracy to do just that; in effect they have now admitted guilt.

To cap it all, this week came news of the crash of another Boeing 737 (this time not a 737 Max, but an older design), as reported here and here by the BBC.

Given the already massive impact of Covid-19 on the airline industry, and the fallout of the 737 Max crashes, Boeing will struggle to survive (although the US government is not likely to let them go bust).

When I next take a flight, I will certainly try very hard to ensure that I will not have to travel on a Boeing aircraft.

Boeing's "culture of concealment" to blame for 737 crashes

Posted on 27th September 2020

As reported in this BBC article, the report on the crashes of the Boeing 737 Max is finally out, and it firmly blames both Boeing and the FAA (the US Federal Aviation Administration).

As was clear from Boeing's press releases on the subject, the aircraft manufacturer has a "culture of concealment". Given this is now established fact, why would any of us believe anything the company says in future? They have been more concerned with how things appear to the flying public than about the safety of their end customers.

The FAA also rightly comes in for heavy criticism, having failed in its duty of oversight and certification. The FAA only really has one responsibility, to ensure that aircraft are safe, and they failed to do so. In effect they colluded with Boeing's concealment of facts.

Now Boeing's reputation with airlines and the public is justly "in the toilet", as is the FAA's. There was a time when certification by the FAA was effectively simply rubber stamped by other certification authorities; those days are over, which will increase aircraft costs and delay the in-service dates of new planes.

Europe Sets Its Own Rules For The 737 Max To Fly Again

Posted on 6th September 2019

As reported here, by the BBC, the European Aviation Safety Agency (Easa) has decided not to accept re-certification by the US FAA of the Boeing 737 Max.

Instead, Easa will run their own tests on the aircraft before approving its return to commercial flights. In addition they will insist:

  • On an "additional and broader independent design review" by Easa,
  • That the two fatal crashes were "deemed sufficiently understood"
  • And that flight crews have been adequately trained in any changes to the plane.

That is good news. Clearly, with all the revelations about the 737 Max, Boeing cannot be trusted to ensure safety, and neither can the FAA.

Boeing 737 Max Roundup

Posted on 17th July 2019

The drama and scandal about the safety of the Boeing 737 Max continues. Here is a summary of some of the recent news stories on the subject. None of it makes me want to fly on a 737 Max.

In this BBC report Boeing's Dennis Muilenburg admitted "We clearly fell short and the implementation of this [cockpit warning light for the] angle-of-attack disagree alert was a mistake, right, we did not implement it properly". Based on other reports, that seems to be avoiding the truth. They made it an optional extra, for which airlines had to pay, and many airlines did not buy this option because they did not realise that it was essential to safely fly the aircraft.

This story on The Guardian covers another safety issue, this time on the 787 Dreamliner. The switch used to extinguish engine fires has failed in a “small number” of instances. The switch also cuts the supply of fuel and hydraulic fluid to the engine, to prevent flames from spreading. Boeing has warned airlines that long-term heating can cause the fire extinguisher switch to stick in the locked position so it can’t be used to release the two fire extinguishers in each engine. Again, this is totally against the rules. Fire extinguishers are unarguably safety critical systems, and there is no system redundancy (such as a second switch or another way to operate the fire extinguishers) as required. Again, not only are Boeing to blame, but also the FAA.

This article on the BBC, about how the company is giving $100M to the families of the 737 Max crash victims, seems, at first, to show Boeing in a better light, until you read this piece, also on the BBC, describing how Boeing has been bullying the families of crash victims into signing an agreement that forfeits their rights to sue for compensation, thus preventing them from getting more money later, as more embarrassing facts about Boeing come to light.

Finally, for now, at least, is this BBC report about how Boeing seems to be trying to rebrand the 737 Max as the 737-8200. The worrying thing is that this may well work, with many air travelers. It looks to be that spending money and effort on safety is much less important than PR, for Boeing.

My general conclusion from all this is that Boeing planes are not safe, and not just the 737 Max (or 737-8200); that Boeing do not care about people affected by their lack of safety; that the FAA has the same disregard for safety as the manufacturers they are meant to regulate; and that most airlines are no better than Boeing and the FAA - they continue to order 737 Max aircraft, and are playing along with Boeing's attempts to side-step the consequences of their poor design and testing.

The 737 Max is a flawed design: an attempt to bolt new technology onto a very outdated aircraft, which has badly compromised the safety and flyability of the plane. It should probably never be allowed to fly again; I certainly don't want to be a passenger on one.

Boeing 737 Max - Boeing Finally Comes Clean

Posted on 5th June 2019

In my previous post about the Boeing 737 Max I wrote about the rules that apply to safety critical systems.

As made clear in this article on CNN, Boeing neatly sidestepped these rules, by simply deciding that the Angle Of Attack (AOA) system was not safety critical.

The AOA system being treated as not safety critical meant that there was no requirement for redundant systems or sensors. The AOA system relies on only one sensor, even though two are fitted to the 737 Max. Even two sensors would not have been enough, because, in the case where one fails, it is not possible to decide which is correct and which has failed; three sensors are needed to build a proper redundant system.

Without a third sensor, the only option is to do what Boeing is now planning to do: disable the AOA system when readings from the two sensors disagree. I have to ask, why only now, after two crashes and many deaths? The FAA has received at least 216 reports of AOA sensors failing or having to be repaired, replaced or adjusted since 2004, so the failure mode behind the two crashes should have been noticed by Boeing and the FAA.

That is, however, not really the key issue here. More important is how on earth did Boeing get away with declaring a system which can crash a plane when it fails as not safety critical? Not only are Boeing to blame for this, but so are the FAA, for failed oversight.

Due to all the press attention on Boeing and the FAA in the wake of the crashes and subsequent investigations, more safety issues have come to light with the 737 Max, including faulty parts related to the leading edge slats. If these do not deploy when they should, the plane is at risk of stalling during take-off and landing.

Some people, including some airlines which own 737 Max aircraft, are hoping and even planning on the basis that the planes will be cleared to fly again in June or July this year. That seems to be extremely premature, given that the investigations are not yet concluded, and probably won't be until the end of 2019 or later.

I think that this debacle will mean that, in future, other aircraft regulators will be less eager to accept certification by the FAA as a basis for certification in other jurisdictions. I see that as a healthy development, although it will increase costs and delays in certifying aircraft, pushing up the costs of air travel.

Boeing 737 Max - How Is Aircraft Safety Ensured?

Posted on 14th April 2019

There has been a steady drip-feed of news about the safety of Boeing's 737 Max aircraft since the Ethiopian Airlines crash. This report, on the BBC, looks at the possible effect of the two crashes, on Boeing.

Some readers may not know so much about how aircraft designers ensure that their planes are safe. Having worked in the avionics industry, I thought that I would explain some of the basic techniques.

Part of the news piece states that "The new anti-stall mechanism on the Max relied on data from one single sensor at the front of the aircraft". This would be against policy and design guidelines. For safety critical systems, including flight control systems, redundant systems, including redundant sensors, are required: normally 3 systems or components (like sensors), so that in the event of an error or failure in one, the output of two correct systems will be selected by a voting system. Reports from other news sources suggest that the Max has multiple angle of attack sensors; the issue seems to be deciding what to do when the sensors disagree, which just seems to be bad design.
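The voting scheme described above, together with the two-sensor fallback from the 5th June 2019 post (disable the system when the two sensors disagree), sketched in Python as an added example. It is not Boeing's or any avionics supplier's code; the function and class names, the 2-degree agreement tolerance and the sample angle-of-attack readings are assumptions constructed for illustration.

```python
"""Voting over 1, 2 or 3 redundant sensor readings (illustrative sketch)."""
import math
from dataclasses import dataclass
from itertools import combinations
from statistics import median
from typing import Optional, Sequence, Tuple

TOLERANCE_DEG = 2.0  # assumed: readings within 2 degrees count as agreeing


@dataclass(frozen=True)
class Vote:
    value: Optional[float]   # reading passed on to the consumer; None = nothing usable
    faulty: Tuple[int, ...]  # sensors positively identified as failed
    status: str              # "ok", "degraded", "unverified" or "disabled"


def vote(readings: Sequence[Optional[float]], tol: float = TOLERANCE_DEG) -> Vote:
    """Select a value from redundant readings; None or NaN means 'no data'."""
    if not 1 <= len(readings) <= 3:
        raise ValueError("this sketch handles 1 to 3 sensors")
    valid = {i: r for i, r in enumerate(readings)
             if r is not None and math.isfinite(r)}
    dead = tuple(i for i in range(len(readings)) if i not in valid)

    if not valid:
        return Vote(None, dead, "disabled")
    if len(valid) == 1:
        # A lone reading cannot be cross-checked: a bad value passes straight through.
        (only,) = valid.values()
        return Vote(only, dead, "unverified")

    # Collect every sensor that agrees with at least one other sensor.
    agreeing = set()
    for i, j in combinations(valid, 2):
        if abs(valid[i] - valid[j]) <= tol:
            agreeing.update((i, j))
    if not agreeing:
        # Two sensors disagree (or three all disagree): a fault is detected,
        # but nothing says which reading is wrong, so the consumer is disabled.
        return Vote(None, dead, "disabled")

    # With three sensors, the one outside the agreeing pair is outvoted.
    outvoted = tuple(sorted(set(valid) - agreeing))
    faulty = tuple(sorted(dead + outvoted))
    value = median(valid[i] for i in agreeing)
    return Vote(value, faulty, "degraded" if faulty else "ok")


def demo() -> dict:
    """Constructed angle-of-attack readings in degrees, not real flight data."""
    cases = {
        "three sensors, all healthy": (4.5, 5.5, 5.0),
        "three sensors, #0 reads high": (22.0, 5.5, 5.0),
        "two sensors, #0 reads high": (22.0, 5.0),
        "one sensor, reads high": (22.0,),
    }
    return {name: vote(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32s} -> {result}")
```

Only the three-sensor case both identifies the failed sensor and keeps a usable value; two sensors can detect the disagreement but must drop the function, and one sensor delivers the bad reading unchecked.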

Given that design, coding and construction errors will always exist in complex systems, how do aircraft companies avoid crashes? The answer is by doing failure modes analysis. Failure modes analysis is a laborious process in which engineers imagine all the possible things that could go wrong (including multiple different failures) and then analyse how the systems will react and cope with those failures. This technique requires people (cannot be automated, even by AI) with good imagination, even paranoia, as well as an understanding of all the systems involved. It is expensive and complex, and sometimes things get overlooked, which often eventually leads to people dying or being injured.

If a proper failure modes analysis had been done for the Max's anti-stall system, the impact of one or more failed sensors would have been identified, and the necessary redesign would have been performed, thus eliminating the issue. While no failure modes analysis is simple, what would be needed for the anti-stall system is far simpler than many on an aircraft like the 737 Max. The obvious conclusion is that either the analysis was not done, or more likely it was done badly.

There are, of course, many other ways that safety is assured in aircraft and other safety critical systems:

  • Peer review of requirements specifications.
  • The creating of executable requirements specifications.
  • Prototyping of the systems, involving creating a program, independently of the final design that will be put into the aircraft, that fulfills some of the requirements of the actual system, albeit not as fast nor as completely as the final system.
  • Peer review of designs.
  • Peer review of code, electrical design and of mechanical design.
  • Various different kinds of testing of system components, and whole systems.

Many companies have also dabbled in formal methods: the use of mathematically based languages and methods to achieve "right first time" design. I have worked with such methods and languages; they are not yet good enough.

There are two different perspectives used in the above: validation (did I build the right thing?) and verification (did I build it right?). The inherent flaw with most of the methods listed above is that they depend on people, so things may be missed or misinterpreted; sometimes things are, therefore, missed or misinterpreted. This is the reason for the interest in formal methods, to take people out of the equation, to some extent.

For safety critical systems like aircraft, nearly all the quality assurance methods listed above are mandatory (mandated by certification authorities like the FAA), although not formal methods, executable specifications nor prototyping.

The bottom line is that, despite the huge effort, and therefore cost, applied to making systems safe, there is always a chance that a dangerous error finds its way into a product. The cost of trying to assure safety in systems is normally the majority of the cost of creating those systems, and even this is not always enough.

The other basic problem is that projects are always delayed, and over budget. When this happens, testing and other verification and validation activities get trimmed: less time, and fewer resources. The results of this are inevitable: failures and accidents.

Cheap And Nasty Obstacle Avoidance System!

Posted on 16th April 2017

I am very concerned about the news now percolating out about the crash of Rescue 116, which collided with Blackrock Island on 14 March. The latest report from the BBC (here) contains the very worrying information that Blackrock (an island which is well known because it has a lighthouse on it, and is therefore marked on all marine and air maps of the area) was not in the database of the obstacle-avoidance system installed on the helicopter.

Many people are probably now thinking "How terrible!" and yes, it is really dreadful that such a well known and well mapped obstacle was not in the system's database, and I am sure that someone is rushing to roll out updates to the databases of all such systems, but that is not what worries me. What concerns me is that an obstacle-avoidance system apparently relies only on a database of known obstacles; there doesn't seem to be any integration of radar data into the system.

Just look at the photo in the BBC report: the island is about the size of an aircraft carrier, and should be easily visible on radar from a long way off. Any useful obstacle-avoidance system should help to avoid not only fixed obstacles, but also mobile obstacles like ships and other aircraft. So, something is wrong: either the Irish coast-guard bought a cheap and nasty system which doesn't use radar data, or the radar was not working (either switched off, or not fit for purpose).

I began my professional career in avionics, so I do have some idea what I am talking about.

Either way, someone needs to be held accountable. In the meantime, I will not be volunteering to fly on any Irish coast-guard helicopters.

Rebels assumed civilian aircraft were avoiding the area

Posted on 20th July 2014

Since I posted the comment about the Malaysian Airlines' jet shot down in Eastern Ukraine, I have found a new story from the Associated Press.

There is one very pertinent statement in their story: "the rebels ... had assumed civilian aircraft were avoiding the area and that anything in the air was hostile." Apparently information about this assumption was posted online before the shooting down of MH17, on social media, and therefore accessible to both airlines and air-traffic-control.

All this really begs the question: why did the people responsible for aircraft routing continue to assume that flights over the conflict zone were safe, in contradiction to the evidence available (and common sense)?

The main thrust of the AP story is that the rebels used only half of a missile system: only the SA-11 launcher, and not the central radar command to which it is meant to be connected. They apparently don't have the central radar command units, which help to identify the aircraft detected by the launcher's targeting radar (using, for example, IFF). This is a bit like driving a car that has no brakes.

Airlines divert flights away from eastern Ukraine

Posted on 18th July 2014

This BBC story reports the crash of a Malaysia Airlines jet (flight MH17) carrying 295 people in Eastern Ukraine, probably shot down by the pro-Russian separatist rebels. In it, and also in this story, also on the BBC, it is reported that the air route over the conflict zone in East Ukraine is now closed.

I do feel a little sorry for Malaysia Airlines, still suffering from the aftermath of the loss of flight MH370, which disappeared en route from Malaysia to China in March and still has not been found.

What really worries me is that airlines continued to fly over a conflict zone (there has been fighting there for quite a while) even after the shooting down of a Ukrainian military transport on 14th July 2014, as reported in this BBC piece.

People seem to have assumed that a commercial flight at 10,000m (about 30,000ft) would be out of range of any missiles that the rebels had, but the military transport was flying at 6,500m (21,325ft): if they have missiles that can reach 6,500m, they can also probably reach 10,000m. So why did the airlines and air-traffic control continue flying through this danger-zone when it was clear that the flights were at risk? Apparently saving a little money on fuel costs is more important than passenger safety.

I am sure that Malaysia Airlines will try to claim the cost of their lost aircraft on flight MH17, and the passenger compensation costs, from their insurance company. I do hope that the insurance company gives them a really hard time over that claim, because, in my opinion, it is at least in part Malaysia Airlines' fault.