> British Airways 5390: An incorrect repair causes the windshield of a plane to be blown out mid flight. A pilot is nearly sucked out.

This one is a good illustration of how better design can help prevent accidents or make them less severe.

The error the maintenance people made was that when they replaced the window and the 90 screws that hold it on 84 of the screws they used were were 0.66 mm smaller in diameter than they should have been.

The window on that model plane was fitted from the outside, so the job of the screws was to hold it there against the force of the pressure difference at altitude. The smaller screws were too weak to do that.

If instead the designers of the plane had used plug type windows which are fitted from the inside then the pressure difference at altitude works to hold the window in place. Even with no screws it would be fine at altitude. Instead the job of the screws would be to keep gravity from making the window fall in when the plane is not high enough for the pressure difference to keep it in place.

My vague memory of the Air Emergency episode on this (AKA Air Crash Investigation, Air Disasters, Mayday, and maybe others depending on what country and channel you are watching it on) is that after this accident many aircraft companies switched to mostly using plug windows on new designs.

Aviation is full of those design choices. Similar to how a multi-engine propeller plane will use oil pressure to keep the props in the flying angle, which means that when oil pressure is lost (catastrophic engine failure) it will feather giving the other engine the best chances of keeping the plane flying with the least amount of drag. While on a single-engine plane it's installed exactly opposite, in case of oil pressure loss the prop goes to fine pitch giving you the best hope of creating some trust in case the engine may still be working.

Most of these things were figured out over 100 years of carefully analysing accidents and near accidents to continuously improve safety.

> the pressure difference at altitude works to hold the window in place

Curious, is the pressure difference actually greater than the force of 800km/h wind pushing on the window? Or is it just for side windows?

Dynamic pressure of wind is 1/2 p v^2 where p is the air density and v is the velocity.

At sea level p = 1.225 kg/m^3. It goes down as altitude goes up. At sea level the dynamic pressure at 800 km/hr would be about 4.4 PSI.

At 20000 ft the air density is about half that of sea level, so around 2.2 PSI wind pressure. It would be around 1.4 PSI at 35k ft.

At cruising altitude planes are typically about 8 PSI above the outside pressure.

It would be maybe an interesting project for someone more ambitious then me to get a speed vs altitude profile of a typical airline flight and an altitude vs cabin pressure profile and figure at what part of a typical flight the screws on a plug window are resisting the most force.

The outward pressure is about 5-6x greater than the force of air resistance at cruising altitude

> plug windows

Surprisingly hard to search for this phrase

This article covers the topic though:

https://www.witpress.com/elibrary/wit-transactions-on-the-bu...

Here's another one:

Air Canada 143

- Pilot calculated incorrect fuel due to metric/imperial unit mixup, and ran out of fuel midair.

- Said pilot performed an impossible glider-sideslip maneuver to rapidly bleed airspeed just-in-time for an emergency landing at an abandoned airfield, having to completely rely on eyeballing the approach.

- No fatalties or serious injuries.

https://www.youtube.com/watch?v=jVvt7hP5a-0

It was a series of events and failures rather than simply “pilot calculated incorrect”. And it was a bit more nuanced than metric/imperial conversion.

Via wiki (but accident section is more detailed):

“ The accident was caused by a series of issues, starting with a failed fuel-quantity indicator sensor (FQIS). These had high failure rates in the 767, and the only available replacement was also nonfunctional. The problem was logged, but later, the maintenance crew misunderstood the problem and turned off the backup FQIS. This required the volume of fuel to be manually measured using a dripstick. The navigational computer required the fuel to be entered in kilograms; however, an incorrect conversion from volume to mass was applied, which led the pilots and ground crew to agree that it was carrying enough fuel for the remaining trip. ”

https://en.m.wikipedia.org/wiki/Gimli_Glider

It's not an impossible maneuver. Glider pilots do this all the time especially if they don't have spoilers

Yes. On a plane which is designed to be a good glider. I highly doubt a 767 is designed to be a glider. It's definitely not impossible (after all, it was done successfully!), but certainly a very difficult (and undocumented) one on such a plane.

I don’t think there’s much connection between a plane’s ability to do a sideslip and how well it glides. A sideslip is just what naturally happens if you apply opposite aileron and rudder inputs. I think the issue is just that it’s a rather acrobatic maneuver to perform in a large passenger jet.

Yes an airliner is not designed for it and could easily get into a deadly spin when doing it. Especially engines out because you have two huge surfaces blocking airflow. A glider can do it pretty naturally because of its extremely low stall speed.

But I wouldn't call it impossible that's all.

Since a sideslip increses air resistance by essentially flying sideways, if I didn't know that it has been done, I'd say it might even break apart a (long, thin) plane that wasn't designed for it. And it still might, but at much higher speeds than close to landing.

It's not unheard of for airliners to use a sideslip when landing in a crosswind, so I don't think structural strength is likely to be an issue at landing speeds.

https://code7700.com/pdfs/bca/bca_cross_with_care_2015-06.pd...

Also with additional control difficulty due to reduced hydraulic pressure.

> On the Boeing 767, the control surfaces are so large that the pilots cannot move them with muscle power alone. Instead, hydraulic systems are used to multiply the forces applied by the pilots. Since the engines supply power for the hydraulic systems, in the case of a complete power outage, the aircraft was designed with a ram air turbine that swings out from a compartment located beneath the bottom of the 767,[10] and drives a hydraulic pump to supply power to hydraulic systems.

> As the aircraft slowed on approach to landing, the reduced power generated by the ram air turbine rendered the aircraft increasingly difficult to control.[16]

> The forward slip disrupted airflow past the ram air turbine, which decreased the hydraulic power available; the pilots were surprised to find the aircraft slow to respond when straightening after the forward slip.

I would say it is much much harder. The wing configuration of an aircraft dictates the minimum glide speed. The more angled (for a better word) the wing, the higher the speed it needs to be at to be able to glide and not stall.

You probably mean 'swept'? That's normally the term used.

Yes. Lapsus.

Mentour Pilot is a fantastic channel.

Anyone who does on-call should look into aviation disasters. Crew resource management, the aviate-navigate-communicate loop, it's all very applicable. ('WalterBright is an excellent source of commentary on applying lessons from the airline industry to software.)

But I did burn out on Mentour Pilot after a while, I just had my fill of tragedy.

A long time ago I had a colleague turn me on to Sidney Dekker’s “Drift Into Failure”, which in many ways covers system design taking into account the “human” element. You could think of it as the “realists” approach to system safety.

At the time we operated some industry specific, but national scale, critical systems and were discussing the balance of the crucial business importance of agility and rapid release cycles (in our industry) against system fragility and reliability.

Turns out (and I take no credit for the underlying architecture of this specific system, though I’ve been a strong advocate for this model of operating) if you design systems around humans who can rapidly identify and diagnose what has failed, and what the up stream and down stream impacts are, and you make these failures predictable in their scope and nature, and the recovery method simple, with a solid technical operations group you can limit the mean-time-to-resolution of incidents to <60s without having to invest significant development effort into software that provides automated system recovery.

The issue with both methods (human or technical recovery) is that both are dependent on maintaining an organizational culture that fosters a deep understanding of how the system fails, and what the various predictable upstream and downstream impacts are. The more you permit the culture to decay the more you increase the likelihood that an outage will go from benign and “normal” to absolutely catastrophic and potentially company ending.

In my experience companies who operate under this model eventually sacrifice the flexibility of rapid deployment for an environment where no failure is acceptable, largely because of an lack of appreciation for how much of the system’s design is dependent on an expectation of the fostering of the “appropriate” human element.

(Which leads to further discussion about absolutely critical systems like aviation or nuclear where you absolutely cannot accept catastrophic failure because it results in loss of life)

Extremely long story short, I completely agree. Aviation (more accurately aerospace) disasters, nuclear disasters, medical failures (typically emergency care or surgical), power generation, and the military (especially aircraft carrier flight decks) are all phenomenal areas to look for examples of how systems can be designed to account for where people may fail in the critical path.

Something I love about Mentour pilot is that he’s started doing videos on incidents where there was a near miss but no tragedy. Just as much to learn but without the ghoulish rubbernecking aspect.

Eh. His older videos are indeed phenomenal, but newer ones are "you won't believe what happened, right after this sponsor break"

In the particular case of his channel's subject matter, I actually kind of like the dramatic cliffhanger effect that (un)intentionally heightens the narrative's tension, since his video is telling a story. Compare to doing that for informational videos where there's no need for manufactured drama.

FUD. His videos are just as consistently good as they always have been. The sponsor sections can be easily skipped (hint: SponsorBlock).

still, its annoying and he does not need it either with the number of views he gets on Youtube.

I am not that person and can't talk about his finances, nor can you.

If it's content I otherwise can enjoy for free, I don't mind sitting through a short sponsor spot every now and then, or just skipping through it if I'm in a hurry, which is still better than TV ads in that regard.

If I saw something like that on a time sensitive video (e.g. proper CPR example) or something very short then I'd rightfully be upset, but this is not the case.

Also green dot aviation has some great videos. Excellent animations. A calmer style. Both are great.

If you're focused on whether or not the pilot cares (or is even alive), you've lost the plot. The point is to keep passengers alive regardless of the pilot.

There's no real point to considering what happens if the pilot wants to murder people on board. Of course they will succeed....

The thing is, people always want something to be done. And politicians want to do something. No matter what kind of action it is, someone knifed a kid on the street, we must ban knives of a certain length. A pilot downs a plane while the other leaves the cockpit - we must mandate two pilots always present. Someone hides explosives in his shoe - we must X-ray all shoes of all passengers forever. Etc.

The human brain can't take the idea that yeah an exceedingly rare thing happened and we're not going to do anything, because rare things do happen sometimes. And the medicine can be worse than the disease. We just accept that yeah, despite best efforts, some pilots will be hostile for whatever mental reasons. Not saying that is what happened in this case, but just saying that IF that happened.

We need more tradeoff thinking, instead of do something! thinking.

I'm seeing exactly this with the Texas floods. People are criticizing them for not installing an expensive warning system. "Do something!"

But they decided that based on the frequency of floods it was not the best place to spend money.

That was a bad decision. They had major problems during the winter of 2021 too. It's all well to talk about tradeoffs but clearly Texas has under prepared for major weather events and it's getting people killed (not to single them out - they're certainly not the only ones). It's not a coincidence that there were 2 catastrophes in 4 years.

Acknowledging tradeoffs doesn't mean there aren't real problems or that something doesn't need to be done, it's only meaningful when comparing different proposed solutions. What is your alternative to the early warning system with better tradeoffs?

> What is your alternative to the early warning system with better tradeoffs?

I know little about this, I'm simply responding to the people who constantly demand that people do something, anything, and insist that all possible actions be taken without consideration to their cost.

The real world is full of tradeoffs, and it's easy in hindsight to say "That was a bad decision", it's not that easy ahead of time.

The 2021 incident is why we know it was a bad decision. They had 4 years of warning. Extreme weather is going to continue becoming more common. Texas is going to continue to face extreme weather. If they don't prepare, people are going to die. It's not really acceptable to say that it's not economical to do something about that, or unnecessary based on outdated flooding models. When there's an urgent problem - yeah, you do have to do something about it. Tradeoffs are useful to decide what we do, not whether.

I think you do your argument a disservice by using that particular example. If you're going to imply some lives were simply uneconomical to save, and when challenged say that you aren't familiar enough with the matter to discuss what else could've been done, it just comes off callous. I'm not left with the impression you don't think the alarm system was necessary because you understand the tradeoffs.

The problem isn't that Texans are valuing their lives too much and insisting on too many safeguards. The problem is that the safeguards are insufficient.

I was deferring to the judgement of the local people.

I was not making my own decision on the tradeoffs.

Also, your implication that the tradeoff is lives is unfair, I don't think that's the tradeoff, rather I think they were expecting that other types of alerts would be sufficient.

You're deploying a recent disaster, that killed scores of people, as evidence that people want something done when it isn't appropriate - and you aren't even willing to take a stance on whether what was done was appropriate? That's pretty weak tea. It really undermines your argument. If you aren't willing to take a stand on that, use a different example. Otherwise you aren't saying anything.

You're calling on people to have more nuanced discussions that include tradeoffs, but you retreat immediately from the implication that we're discussing people's lives. That's trying to have your cake and eat it too. Tradeoffs are about balancing different budgets, and it's not just a monetary budget, one of those is a budget of people's lives.

You're not quite understanding me, and I can see it's because I was not very careful in how I wrote, and that's on me.

But I'm going to let this drop because I would basically have to start over to explain myself, and I don't think there's any useful purpose in doing so.