Originally posted by Evan
The pilots cannot be considered the third line of defense for design and certification safety
When the crew boards a revenue flight, they need to be boarding an aircraft that has already been made (and proven) safe by multiple layers of defense.
Look, you are getting quite black and white again here. Let's start with the ideal: Planes that are designed and certified correctly as passing all the requirements and have no known issues that would make them not-certifiable.
Safety is not an absolute. There are limitations on how safe something can be made and these limitations have different sources, can be practical, technological, economic... Things can ALWAYS be made safer.
It is not like something that barely meets the certification standards is suddenly safe and something that almost meets it is totally unsafe. It's not like a design load of 2.5G is a hard limit, where a plane that has a design load of 2.4G will break at the first sign of turbulence and one that has 2.6G is indestructible. Certification standards are in this sense arbitrary and have been becoming more strict as technology gets more available, small, light and affordable.
We have known issues that are allowed by certification standards, unknown issues not known or foreseen at the time of certification, and MCAS, which is a totally different kind of animal.
But not only that: A plane that is well designed and certified may encounter safety issues that pilots may need to address.
Maintenance errors, flight planning and dispatch planning errors, ATC errors, errors of other pilots, unforeseen natural situations (ranging from forecasted weather to birds).
Some examples:
The A300 has a rudder control design where to make a full rudder deflection you need a relatively small force (on top of the force that is needed to break the friction and initiate any movement) and a very small displacement. This is still within certification standards but makes the plane more susceptible than most to overcontrol, PIO and hence rudder reversals.
The 737 rudder hardover was not known at the time of certification, and it was a failure mode that would have been very hard to identify before it actually happened.
Yet, when found, the fleet was not grounded until all rudders were retrofitted. Pilots were trained on how to deal with the situation. At that point you had a known design issue that was left to the pilots to address until the complete fleet was retrofitted, which took many years to complete.
The A330 (and similarly in mostly any plane), upon a speed disagree it disconnects the autopilot and lets the flight director give misleading commands. The pilot is expected to disconnect the AP/AT/FD, set climb thrust by moving the thrust levers out of the climb setting (and then back), and establish a pitch of 5 degrees. What of that cannot be done automatically? Couldn't the AP at least not disconnect and let the pilots disconnect it by themselves so as to buy some valuable seconds of gaining situational awareness? This is perfectly within the certification standards and yet the AF 447 pilot could not cope with that. And you placed a lot of weight on the crew's ability (or lack thereof) to cope with it, where it is something that clearly (and somehow easily) could have been at least partially addressed with a better design.
So let me ask you this: Why would you expect that the Ethiopian pilots would have reacted any differently and not crashed had the out-of-trim situation been caused by a garden-variety, non-MCAS related, trim runaway? I know, there were additional factors of distractions (like the stickshaker) but I don't feel at all confident that they (or the LionAir crew) would have not been affected by similar startling, confusion, panic, wrong prioritization of tasks... pretty much like the AF 447 crew did in a "perfectly" designed, certified and flyable plane. And the Ethiopian crew (unlike the LionAir one) had the benefit of the hindsight, from which they were not able to benefit.
Then comes the first line of operational defense: Familiarize pilots with the aircraft in its entirety and train them on how to deal with every system failure.