I recently had occasion to go through materials regarding the crash of Cougar flight 91, a nearly new $20 million Sikorsky S-92 that went into the water off the coast of Newfoundland.
The helicopter featured five big bitmap displays, all driven by on-board computers. From the (Canadian) TSB report:
Following the sudden loss of oil in the main gearbox (takes power from the two engines and sends it up to the main rotor and back to the tail rotor), the screens were displaying a MGB Oil Pressure red warning message and a main gearbox oil pressure of 0 psi. The pilots were supposed to get out the paper checklists, see that MGB red light plus < 5 psi implies “land immediately” (i.e., ditch in the sea), and then act on the result of this IF statement. It turned out not to be easy to find the correct checklist (2.5 minutes) and it was ultimately 6.5 minutes after the catastrophic oil loss that the pilots realized that Sikorsky’s recommendation was to “land immediately” (i.e., ditch in the sea despite the risk of rolling over and potentially drowning).
There were a bunch of changes recommended after the accident, but nobody seems to have questions that it was the task-saturated pilots’ job to get out paper checklists and run flowcharts.
It was a computer that was displaying the red message and a computer that was displaying the oil pressure number.
Shouldn’t the computer have an additional two lines of code to run the algorithm itself and display a “MGB FAILING: LAND IMMEDIATELY” message?
[Why wasn’t it obvious to ditch rather than try to make it back to land? In aviation it is more common to have an indication problem than a real problem. If a gauge is showing “unhealthy” but there aren’t unusual sounds or other secondary indications, it usually does not make sense to take immediate drastic action. Putting a helicopter down in the open ocean, even a helicopter with pop-out floats, entails the risk of a rollover and then occupants having trouble escaping.]
Intro to the emergency checklist section of the S-92A RFM:
After a bunch of distracting preliminary pages, the RFM does say that the reading of oil pressure below 5 psi is a secondary indication to the red warning:
Keep in mind that it is one thing to find this page in a massive book and then follow its logic while sitting at a desk drinking a latte and quite another to do it in a stricken helicopter with 16 passengers in the back and an 8-foot swell in the cold Atlantic Ocean below.
Related:
- Sikorsky released the S-92B in March 2019 and it was able to run for 500 miles without oil in its redesigned main gearbox
- “Air Crash Investigation-Atlantic Ditching” (full length video of the TV show for which I was interviewed, available on Facebook; the series is called Mayday is some markets)
Kind of mind boggling that it hasn’t been done already. Having the paper copy in the cockpit is just fine if there’s time and attention to read it in an emergency, but why not make one of the displays toggle between its current state and the checklist in the event of a serious warning message? Or if it’s too expensive to significantly alter/recertify the avionics, why not put it on a tablet (in addition to the printed copy) in the cockpit and let the avionics wake up the tablet when there’s an alarm? Build a small, easily accessible storage area for the dedicated “checklist/flowchart tablet” that keeps it charged, and whenever there’s a warning just unlatch it, slide it out and it goes straight to the appropriate checklist point/flowchart? Then make checking the checklist tablet a part of the preflight checklist.
Even cheap minivans now display basic recommended courses of action if a major component is failing or about to fail.
@Alex.
As we’ve seen from the recent Boing incedent, the companies seem to be having difficulty maintaining versions/revisions of the active software. Having automated checklists would just add another layer of complexity for software maintenance.
Maybe they don’t want the liability of the checklist software fails?
I like your tablet idea as it would be discrete and separate from the actualy flight software system.
Similar to the prehistoric design philosophy of the A380 — during the Quantas flight 32 engine out, it took the crew half an hour just to silence all the sirens in the cockpit, while it could have had the computer to suggest Priorities #1, #2, #3, and best recommended procedures accordingly, while the pilots could still possibly override the recommendations based on best judgment.
The manufacturers could definitely do better. The ship I fly will rearrange, re-order, and suppress warnings, e.g. engine failure implies low oil pressure and you don’t have to see that. Shouldn’t be too hard to give you the emergency procedure. A lot of us fly multiple models of aircraft so getting that help would be very helpful… and certainly in helicopters where you don’t have all that extra time to pull out manuals it could make a difference.