New Theory for MH370: Oxygen fire, west toward the Maldives.

A new theory on the fate of Malaysia Airlines flight 370 has been proposed by Stuart Yeh, an associate professor at the University of Minnesota. As you can see from his profile, he is no stranger to analyzing complex problems

Like all good theories, this one incorporates previously known, but incongruent observations left out of most previous theories.

The synopsis is that the airplane suffered an electrical malfunction and fire in its crew oxygen system. This ruptured the fuselage, resulting in a decompression. Because the crew oxygen system was affected, the crew's estimated time of useful consciousness was only about 20-30 seconds at 35,000 feet. 

A similar fire had occurred in an Egypt Air B-777 in July 2011—its serial number was only 3 numbers different than the B-777 flown by MH370. That fire occurred on the ground, was quickly attended to by the crew,  yet burned a significant hole in the right side fuselage, and completely damaged the cockpit.

The theory supposes that the crew, in an attempt to fight the fire by removing electrical power to the highest degree possible, shut down the aircraft's generators (two overhead switches) which resulted in the apparent failure of the transponder. 

In the Egypt Air case, the accident report states that "the fire was easily seen from the outside."  In the MH370 case, Mike McKay, a New Zealander working on the Songa Mercur oil drilling platform in the South China Sea observed an aircraft at high altitude burning in one piece about 50-70 km from his location, shortly after MH370's first officer radioed his last message.  His letter is here

There were very few radar hits on MH 370 after ATC radar  contact was lost with the loss of the transponder. The theorized flight path from the few contacts it had with military radar indicate the airplane was heading westbound until it intercepted an arc constructed by analysis of data from an INMARSAT satellite that had brief hourly contact with the aircraft. That turn of over 90° is perplexing and generally unexplained, but probably would have had to have some type of crew action to make it happen.

In Mr Yeh's theory, that unexplained turn didn't occur at all and the airplane continued on its westerly heading.  

The satellite contact data has never been used to locate an aircraft before, and an analysis of that communication record yielded patterns of doppler shifts and latencies that were used to plot a line of positions for those hourly transmissions. Some assumptions had to be made in those calculations. One of them assumed that the time it took to process the signal was the same throughout the flight. 

Mr Yeh, finds that those same signal processing delays can occur by flying closer to the satellite's position over the earth—which a westbound flight would have done. He states:

 The theory that MH370 crashed off the coast of western Australia rests entirely on a single premise: that the Inmarsat analysts correctly accounted for signal processing delays that would normally contribute to the total ping delay of any signal received from MH370. However, as I explained in my article, the procedure used by the Inmarsat analysts is unable to account for the increase in signal processing delay that would be expected if indeed MH370 traveled west toward the Maldives and toward a position 'under' the Inmarsat-3 F1 satellite. The Inmarsat analysts measured the signal processing delay prior to MH370's departure from Kuala Lumpur; this procedure is inherently unable to account for any increase in the signal processing delay after takeoff.

Also, at about the estimated time of fuel exhaustion, residents of Kudahuvadhoo in Dhaalu atoll in the Maldives reportedly saw a low-flying white aircraft with red stripes flying north to south-east around 6:15 am local time on the morning of March 8, flying so low that the aircraft doors were clearly visible. No regular flights fly over the atoll at that hour. Dhaalu atoll is 1900 miles due west of Malaysia, on the last known flight path of MH370. The markings on the unknown aircraft are consistent with the markings on MH370.

Finally, the acoustic signal detected by two sets of underwater listening devices off of the coast of western Australia matches the hypothesis that MH370 crashed near Dhaalu Atoll, but is inconsistent with the hypothesis that the aircraft crashed off the western coast of Australia. Researchers used the information from the two devices to "triangulate" the distance to the source of the signal and eliminated the possibility that the source was located off of the coast of western Australia.

The sea west of the Maldives is extremely deep, like the Austrailian search areas, often 12,000 feet or more. The area is remote. Black box locator beacons (pingers) are long expired, any floating debris will be far from a crash site with the prevailing current flowing west toward Africa.

So, what's to be done? 

Mr Yeh states:

The analysis that I offer suggests that search efforts should be redirected to the area southeast of Dhaalu Atoll in the Maldives. I suggest that the towed underwater sonar device be used to sweep this area in an effort to locate debris that presumably sank to the ocean floor. While some debris may have remained afloat and may eventually wash ashore on the east coast of Africa, the aircraft is a metal structure and, therefore, most of it would have sunk to the bottom of the ocean in the vicinity of the crash location, just as much of the debris from Air France 447 and the debris from TWA 800 was eventually located on the ocean floor.

How can we know that this is the correct location? I cannot offer a guarantee that this is the correct location. However, there is an array of seemingly odd information that appears to only make sense if my hypotheses are correct. I believe that I have assembled the known facts into a coherent explanation of those facts. It is an educated guess, but I believe that it is a better guess than has previously been offered.

As the report is refined and updated, the current version of Read Stuart Yeh's report is always posted here:
http://works.bepress.com/cgi/viewcontent.cgi?article=1018&context=stuart_yeh

All the documents cited in the article can also be found and downloaded from this Box.com site:
https://app.box.com/s/jbfrbkpwcuq7uf8apjxp 

Five years ago AF447 crashed, lessons learned, progress still needed.

It was five years ago, the night of May 31^st, 2009 when Air France flight 447 crashed in the Atlantic Ocean on its way from Rio de Janerio, Brazil to Paris, France.

The crew flew into a line of thunderstorms in the intertropical convergence zone north of Brazil with little effort to deviate around it. That storm has been estimated to top over 50,000 feet.
In an occurrence not anticipated by the design engineers, the aircraft's three pitot tubes—the speed measuring sensors—clogged, causing the loss of accurate airspeed indications. While the odds of simultaneous failure of three independent systems is measured in the billions, there was no actual system failure. Instead, all three systems were subjected to the same adverse environmental conditions.  Even though the design exceeded the regulatory requirements by a wide margin, the actual conditions exceeded those anticipated by the regulations. Those conditions exceeded the pitot tubes' capacity to deal with the obstruction for about 40 seconds. Those seconds were enough time to put the airplane in serious trouble.

The loss of airspeed indications caused the autopilot, flight director, and autothrust to disconnect—as they require airspeed information to operate. The airplane's handling characteristics also changed as the high-tech airplane's fly-by-wire flight controls degraded from its Normal to Alternate law. Lost also were the airplane's automatic protections built into Normal law, including stall protection. The pilot operating the controls struggled to maintain aircraft control, and in the process climbed nearly 3000 feet losing over 100 knots of critical airspeed. The airplane's stall warning went off for over 50 seconds, but the pilots were poorly trained on how to handle such an event at such a high altitude. They responded by applying full power, as their low-altitude stall training had taught them, but little additional power was available and it did no good. The airplane became deeply stalled. The airplane shook from the poor airflow around its wings, the nose pitched up and down as the airplane rolled side to side as the airplane descended at vertical speeds approaching 20,000 feet per minute. The rapid descent took it into the ocean in less than 3½ minutes.

Even with the nose pitched up 16° the airplane's trajectory was a 45° angle downward. It hit the water going down as fast as it was going forward—123 mph. While 123 mph doesn't sound fast for a jet airplane, imagine an aluminum car hitting a solid concrete wall at that speed you get an idea of the force of the impact. All 228 people on board we instantly killed in the violent impact that completely destroyed the airplane, spreading a cloud of debris over a ¹⁄₃ mile long path on the ocean floor 12,000 feet below.

During the event maintenance messages from the airplane relayed the resulting cascade of error messages to Air France, leaving little doubt when and where the airplane had impacted the water, with strong clues as to why. Floating debris and fifty of the victims were recovered from the surface starting five days after the crash.

Two years and four undersea searches later, sonar scanning vehicles found the debris field on a flat area on the bottom surrounded by mountainous terrain. Had the debris settled in the mountains, it may never have been found.

Studying aircraft accidents, the factors that lead to them and learning from those findings is one reason that air travel is the safest mode of transportation today. That doesn't just happen by itself. A lot of people work very hard every day to make that a reality.

There were many lessons to be learned from the crash of Air France 447. Many have to do with pilots being trained and able to hand fly the airplane at any time without reliance on automatic systems and with partial instrument failure. Those same automatic systems aid in the safe and efficient operation of the airplane nearly 100% of the time in daily operation, but constant reliance on them can weaken a pilot's skills. Those skills can be essential when failures occur.

Changes have been made in the years since the accident's findings. The FAA has encouraged airline pilots to maintain proficiency in hand flying. Aircraft manufacturers have adjusted their stall recovery techniques. Airlines have improved training in high altitude recoveries and manual flying, and emphasized techniques for proper control of the airplane when faced with instrument failure.

But more can be done, and progress needs to continue. More robust autoflight systems can be designed that are tolerant of data loss, perhaps switching to an attitude-hold mode until the pilot can take over when workload permits instead of simply disengaging when things start to go wrong. Better training in upset recovery techniques using actual aircraft, and reinforced with simulator training . These programs are available, but not part of any major airline's standard curriculum.

Air France 447 was the first airliner lost at sea for decades. Out of its investigation came recommendations including the triggering  of transmissions indicating the airplane's location as soon as an emergency condition is detected on board and to extend the transmission life of underwater locator beacons from 30 to 90 days. Those systems are only now being developed. Both of those recommendations certainly ring true in the case of Malaysia flight 370 whose location, after months of searching is still a mystery.

Thoughts and Perspective on MH 370

I remain unconvinced of the terrorism angle, or some intentional behavior on the part of the crew to hijack their own plane.

I've had the honor of having two articles posted on the CNN Opinion page, 6 days apart. In the first,  http://www.cnn.com/2014/03/10/opinion/palmer-malaysia-aircraft-air-france/, published two days after the crash, the assumed location and search area was the Gulf of Thailand.

I calculated the search area (shore to shore distance x glide range) to be about the size of Pennsylvania, an analogy that was since widely used. It's a large area, with an average depth of about 150 feet. A difficult search, but I had confidence that the airplane would surely be found.

I made the assertion that the lack of an immediate distress call didn't necessarily mean foul play. I cited the aviator's priorities in that article: aviate, navigate, and communicate , in that order, and that has since been repeated by numerous other pilots interviewed, including famed aviation author and TWA pilot Barry Shiff. Shiff stated "If you have a serious problem aboard a jetliner like a fire, one thing you're going to want to do is get on the ground as soon as possible and turn back towards Malaysia, towards a large airport. It's the first thing I would do. The most imperative thing is to take care of that fire. The last thing you're going to do is communicate unless you have the time to do it because no one on the ground can help you."   To look back at a real-life example, the AF447 pilots knew they were having trouble for 4 1/2 minutes, but they were too busy trying to control the airplane to make a distress call.

It also appears that the trouble may have started with some incident that took out the communications capability, making a distress call, even if attempted, unsuccessful.

Media reports today (3/18) report that the transponder stopped working before the now famous "all right, good night" final words. The inference, and it's often reported as much stronger than an inference, is that the pilots shut it off before saying good night to the Malaysian controller.

By the way, the words "all right, good night" are absolutely routine. Every pilot that news reporters have asked about these final words have said the same thing. Yet for some reason, the reporters seem to believe that it was something more sinister.

If a transponder fails, usually the only indication is the controller asking the pilots to reset it. There is no indication in the cockpit of when the transponder is working or not, just an ON switch. The transponder could well have failed as a result of some mechanical malfunction going on in the equipment bay below them, and they never knew about it.

The left turn observed on radar, after this time could have been initiated, as the New York Times reported, by programming the change into the flight managment computer. This would be a quick and easy way to head to an emergency diversion alternate airport, several have been suggested including the 13000 foot runway at Palau Langkawi, with an approach over water and no obstacles.(google maps link). It could also have been inserted with a single push of the Heading Select button, flown by hand, or possibly even a result of the autopilot failing. There is no publicly revealed proof that the method used was to intentionally enter a new TO waypoint into the airplanes' flight management system. Even if it did, it doesn't reveal the reason - ill intent, or emergency diversion.

In the second article, http://www.cnn.com/2014/03/16/opinion/palmer-malaysia-flight-370/, I made the point that the recently revealed strange altitude path, ranging from the original cruise altitude to a reported 45,000 feet down to 23,000 feet, followed by another climb, was not necessarily the work of a "skilled aviator" but could very well be the result of the airplane flying by itself, crew incapacitated, with the autopilot off. Afterall, what "skilled aviator" can't hold altitude within 20,000 feet?

In light of the westerly turn, the possible locations have grown from the size of Pennsylvania to all of North America (my estimation at 8.2 million sq nautical miles), the search area, being somewhat smaller than that at 2.9 million sq miles.

In contrast to the average depth of the Gulf of Thailand at 150 feet (maximum 260), the average  depth of the Indian Ocean is over 12,000 feet, with maximum depth values of more than twice that value.  The breadth and depth of the possible locations is a concept few have managed to grasp. This is evidenced by statements wondering how a 777 can "just disappear."

AF447 Vertical Stabilizer

One should realize that a B-777 is not going to be floating on top of the waves for someone to find. Looking back at previous water landings, and there haven't been many, yields a possible range of what will be left:

In the case of AF447, which impacted the water at a vertical speed of 109 knots, the airplane was completely and utterly destroyed. Some floating debris remained, the largest being the airplane's vertical stabilizer.The debris was scattered subject to 5 days of drifting before it was located.

AF447 Surface Debris

.
In the case of AF447, investigators had a pretty good idea where to look. The initial search area was about 5,000 square nautical miles. It took 5 days to find the first bit of floating debris, and two years to find the remains spread across the ocean floor below.

The current 2.97 million square mile search area for MH370 is 594 times larger than that for AF447!
For an interesting presentation on the search see this presentation.

The USAirways flight 1549, "miracle on the Hudson" aircraft remained partially afloat for some time, but would not likely have remained so for days.
Had an airplane remained intact on touchdown, which would have required a pilot directed ditching, there may not be anything left  of the aircraft on the surface, except rafts of any possible survivors.


This brings us to the pingers, those acoustic beacons to help locate the airplane's flight recorders. They activate when submerged.

According to the AF447 investigation report, the underwater locator beacons (aka pingers) have a "maximum range" of about 2000 meters (6500 feet). This means that considering the 12000+ depth in most of the Indian Ocean, searchers will need to have underwater listening devices (subs, or sensors) more than 6000 feet down and in a tight search grid.

The water pressure at 12,000 is over 5400 psi. The AF447 recorders survived that depth, designed to withstand up to 20,000 feet, but the locator beacons were not operational when recovered, probably damaged in the crash.

By the way, the wiki article on maximum sub depth states "Modern nuclear attack submarines like the American Seawolf class are estimated to have a test depth of 490 m (1,600 ft)." Their listening capability is probably pretty darn good, but still implies the necessity for a very tight search grid on an extremely wide area.

2000m is about 1 nautical mile. With the reported 2.5 million square miles search area, a back-of-the-napkin calculation equates to about a million miles of deep water listening. The tow rate is very slow, a couple of knots, let's say six knots. That's 167,000 search hours (19 years) for a single vessel. Oh, and the pingers only ping for 30 days. In the three weeks remaining for the pingers, if it's in the search area, that would require over 300 deep-listener equipped search vessels going 24/7. There aren't anywhere near that many.

There many mysteries surrounding this flight due to the utter lack of reliable data. The location of the aircraft and its recorders is absolutely essential to unraveling them. The sad fact, however, is that the task is so difficult that it is very possible the remains of the airplane will never be found and it will join the ranks of Amelia Earhart (1937), Northwest Airlines 2501 (1950), Pan American Airways Flight 7 (1957), and others.

Automation Dependency Review

A now classic video out of American Airlines, often referred to as "Children of the Magenta Line", this video provides a great refresher on attitudes on Automation Dependency.

Discussed are the levels of automation and what level is appropriate for what situation. That the autopilot is INCAPABLE of doing many things, like recovering from an upset condition, traffic avoidance and more. But most importantly, what we must do to avoid becoming automation junkies and incapable of handling an in-flight emergency requiring manual control - such as the famous Air France 447 tragedy.

The presenter, like myself advocated turning it all off to maintain pilot proficiency. To use my analogy, when you're called on stage to do your surprise solo performance, you want to have been practicing.

The video concludes: "To maintain pilot proficiency: AP and ATHR OFF".
I'll add one more very important step: FLIGHT DIRECTOR OFF.

For the flight director does 75% of the thinking.  Hand flying while following the flight director is well named. For, it's only your hands that are doing the flying, while your brain is may not be fully engaged. Indeed, the FD is doing the thinking! I have seen  that when the FD is turned off, pilots suddenly realize that they don't know what pitch attitude to fly for the desired performance. Their scan has to expand from the 1/2 square inch where the FD bars come together. They have to select and maintain a bank angle  using the roll reference, not just following the bars. Yes, hand flying with the FD off is a different skill that needs to be practiced.

So, set aside the next 25 minutes and prepare for some time well spent.

Fly By Wire: Simple or Complex?

A reader wrote to me, who has been very interested in FBW (Fly by Wire) planes for a number of years. He described himself as an an old burned out computer programmer, though he's written for Scientific American on self healing flight systems, so he was far from a novice in the field.

He said that:
 "over the years I've honed a very strong belief in user interfaces that match an Einstein saying - 'everything should be as simple as it can be, but no simpler'. Simple computer systems are the easiest to work with, get to market quicker and are easier to maintain than more complex systems.

Using that approach, I see flight systems as unnecessarily complex. Plus I believe that when a crisis arises, a simple system has a better chance of helping the pilot save the day. ( Although I note that you have several examples of Boeing planes which crashed without the "benefit" of a computer. )

I just like simple systems....

Here's my answer:
Perhaps we should differentiate between the internal simplicity of the system and the apparent simplicity of it to the user.
After all, the Airbus FBW system comes down to just a stick, and a set of rudder pedals,  the same controls used for airplanes dating back 100 years.
The interface is simple and familiar. The transition from control wheel to sidestick is fairly natural.
Pilots are also used to certain behavior from the machine. Even there, what those behaviors are may differ depending on the pilot's past experience. Not every pilot has the same training and experience.
Some of the natural characteristics of an airplane's natural behavior may be viewed as negative (at least by engineers).
There are characteristics that present a danger at the edges of the normal envelope (stall, overspeed, structural limits, and attitudes that present an increased danger of loss of control). There is also a historical accident record and various human factors studies from which to draw design goals and decisions.
It is interesting to note the similarities and differences between the approaches that Boeing and Airbus designers each took to answer the same realities of aerodynamics and human interfaces.

For example, both eventually  chose a g-load demand (C*) pitch command law , and rate of roll demand law for roll ("eventually" because the 777 was direct in roll, but 787 is roll-rate demand). However, Boeing chose to mimic the historical and natural aerodynamic pitch stability in speed (C*U pitch law) (for a positively static stable airplane) while Airbus apparently viewed the constant use of pitch trim for the pilot as additional workload that could be eliminated.

The Airbus design is more simple to operate (i.e., no trim switch or constant trimming necessary) while the internal functions to carry it out are arguably more complex. Therefore, which is the simpler system? Einstein is perhaps the right person to be able to address the paradox.

A similar design philosophy juxtaposition occurs with the thrust levers: moving vs. non-moving. One is arguably simpler on its face, yet has different internal functionality not necessarily carried forward from a pilot's past history. The other mimics more historical behavior, yet requires the use of additional switches to make selections (e.g. climb thrust). The historical (moving) thrust levers are also an extension of the past systems that were simply conventional thrust levers driven by a very simplistic analog computer and motor -it was all it could do. The non-moving design is easily looked at as a fresh (clean sheet of paper) design given the current state of system capabilities.

There are similar differences in the flight management / autoflight systems. Each must address the functionalities required of the real world ATC environment, and many functions are similar. But, like two word processing programs, the path to the goal is often provided by two different approaches to organizing the interface (in this case the FMS interface).  Personal bias and paradigms of how the system is organized cannot help but play a part in each person's evaluation of which system is "better."

The answer may depend on your point of view.

Which of these depictions is simpler?

It is interesting to have operated several generations of navigation systems (the earlier ones cannot by any measure be called flight management systems) and see the evolution of one to the next as system capacity and functionality increased.

Still, often times the demands of the real world are not met by the design of the system and user feedback is an important element in the continual design evolution. For example, the original FMS design used by Airbus did not allow for a change in the descent speed basis once the descent had begun (this is what the idle descent VNAV path is based on); but often times ATC will change that speed in the descent. Pilots then either have to trick the system into letting them change the planned speed, or know that the resulting path information is now incorrect. Operator feedback to the manufacturer asked for the ability to change that speed at any time.

>>I think one reason for our differences is that you're looking at these things like a pilot and I'm looking at them as an old burned out computer programmer !<<
Yes, that is indeed an issue and a problem! For the system is for the PILOT to use! Yet, in many cases is build using the perceptions of the engineer ( who does not use the airplane daily in the ATC environment). It must also be within the constraints of the engineer's abilities , which includes the computational abilities of the machine. There are also (apparently ) artificial limitations in the design that allow the pilot to do only certain things to keep the design interface from being overly complex. But, limiting the types of entries possible for creating a waypoint (for example), while seemingly reducing the number of formats a pilot must know also requires additional time and complexity when the desired point cannot be created with the toolbox provided and  an alternative solution or manual operation has to be employed.

I once worked with a software engineer who was making flight simulators. He was designing the instructor interface, but had never even sat in on a real instruction session to see exactly how the instructor actually worked. Therefore his perceptions of what would be "cool" and functional was often not quite right.
I ended up having a lot of influence on the design and prototyped some functionality myself which was then incorporated into the interface.

The successful design required knowing not only what was needed, but what was possible.  The designer has his preconceptions of what the user needs. and the user might not even know enough to be able to ask for a certain functionality, not realizing what was even possible.

>Simple computer systems are the easiest to work with, get to market quicker and are easier to maintain than more complex systems.<<
Simpler systems, however,  may take more effort to operate in a demanding environment.  Are cars better without anti-skid braking systems? Certainly those without are simpler. But even there, where there is only just a simple brake pedal control, the way to use that control is different in the modern (better/safer version) than it was historically , due to the previous design's limitations. Drivers must be educated on it. Eventually new drivers will assume it was always like that - perhaps the future of fly-by-wire.

A great analogy perhaps can be seen in the evolution of the phone. I recall that in the 60's the phone company had to run ads showing people how to use a push-button phone. They had to sell the idea and how to use it (and it wasn't a slam dunk sale either). Now if you show a 6 year old a rotary phone, they don't even know what it is, or have any idea how to use it (nor do they know why we say "dial" a phone number.)
But there had to be a paradigm shift in the whole phone system for that to work. The switching had to go from counting clicks to decoding tones. Which was simpler?