Avatar
By Elan Head

An award-winning journalist, Elan is also a commercial helicopter pilot and an FAA Gold Seal flight instructor with helicopter and instrument ratings. Follow her on Twitter @elanhead

opinions

Safety is about more than aircraft design

There’s no question that if eVTOL aeromobility operations are to succeed at scale, they’ll need to be much, much safer than are helicopter operations today. As Sikorsky disruptive technologies lead Jonathan Hartman has pointed out, the level of safety we design into the system will determine the upper bounds of our market size.

Building an aircraft to today’s standards of one failure per million flight hours (10-6 reliability) will statistically result in one failure per year, if a fleet of 1,000 aircraft are annually logging 1,000 flight hours each. But if 50,000 aircraft are each flying 3,000 hours per year — which is the scale that many aeromobility proponents envision — the frequency of a catastrophic failure increases to one every two-and-a-half days. That will hardly be acceptable to the general public.

Wreckage of Seattle helicopter crash
Most helicopter accidents are the product of multiple factors, some but not all of which can be addressed through the design of the vehicle itself. The emerging aeromobility industry should aggressively analyze all of those factors, not selectively focus on the ones that bolster its business case. NTSB Photo

Hartman has proposed that large-scale aeromobility operations will require 10-9 reliability as a design standard. I don’t disagree, but I’m convinced that viable eVTOL air taxi operations will require a lot more than that. Even in today’s helicopters (which generally fall short of the 10-9 reliability standard) most accidents are due not solely to engineering failures, but to how the aircraft are operated. The familiar shorthand for this is “pilot error” — but focusing on fallible pilots alone appears to be leading the nascent eVTOL industry down a dangerous path.

In more than a decade of reporting on helicopter accidents, I’ve come to believe that it’s not the pilot but the operator of an aircraft — the entity responsible for staffing and maintaining it — that has the greater influence on safety. And, unlike the issues associated with cognitively limited pilots, the problems related to profit-focused operators can’t be automated out of an aircraft.

Today’s part 135 air taxi operators (referring to the applicable part of the U.S. Federal Aviation Regulations) are, for the most part, business owners, constantly under pressure to fly more and spend less. These financial pressures will likely be even more acute under an eVTOL business model that hinges entirely on low operating costs and high flight volumes, yet I haven’t heard anyone discussing the role that operators will play in system safety. Why not?

Part of the reason is because the National Transportation Safety Board (NTSB) hasn’t put a lot of focus on operators in the past, particularly in its investigations of helicopter accidents. The NTSB is charged with determining a “probable cause” for each accident, and it defines this probable cause in an exceptionally narrow, almost entirely descriptive way.

For example, one common cause of fatal helicopter accidents is loss of control after a pilot flies into clouds and becomes spatially disoriented. (I’ve experienced the onset of spatial disorientation in flight myself, and it’s terrifying.) Although it’s certainly possible to safely fly a helicopter in the clouds, doing so reliably requires some combination of technology — autopilots, navigation equipment — and regular instrument flight training for the pilot. Providing those is the operator’s responsibility, yet many helicopter operators skimp on technology and training as a cost-saving measure.

Operators often contribute to spatial disorientation accidents in other ways, too, such as by pressuring pilots to accept flights in marginal weather conditions. Yet the typical NTSB report for such an accident will list the probable cause as “The pilot’s failure to maintain aircraft control after becoming spatially disoriented.” In other words: “pilot error.”

Sometimes the NTSB actually goes out of its way to shift blame away from the operator and onto the pilot. In one spatial disorientation accident I dissected for a recent safety conference, the NTSB cited as a contributing factor “the pilot’s failure to follow company procedures.” What were those procedures? According to the NTSB, they were the company’s checklist for inadvertent flight into the clouds: “Fly the aircraft, climb to altitude, do not get in a hurry, and contact approach or center.”

Now, there’s nothing necessarily wrong with that advice, but it’s not particularly helpful, either. Far more salient to the accident was the fact that the operator didn’t provide the pilot with the regular instrument training he was promised. The NTSB did mention the pilot’s lack of instrument experience in its report — but cited it as a failing of the pilot, not his employer.

St Louis rooftop helipad crash
This helicopter crashed while attempting to land on a rooftop helipad in unfavorable winds. Uber claims that most eVTOL aircraft will be less susceptible to the hazardous aerodynamic states that affect helicopters, but it is not clear whether they might be more susceptible to other aerodynamic hazards. NTSB Photo

It should be obvious by now that claims like “80 percent of accidents are due to pilot error” reflect structural features of the NTSB’s reporting process, not deeper truths about why aircraft crash. Yet not only are eVTOL proponents not examining these statistics critically, they’re cherry picking NTSB data to make the case that they can design away all of the safety issues that afflict helicopters now.

The Uber Elevate white paper is a disturbing example of this. Uber starts its safety discussion by asserting, “To understand the path to improving safety for urban air transportation, we need to understand the root causes of historical crashes.” OK — no argument there.

However, the white paper then jumps straight into a discussion of part 135 air taxi fatalities in Alaska, pointing out that half of these were due to pilot error described as controlled flight into terrain, mid-air collisions, and loss of control. “Since half of the part 135 crashes are related essentially to poor weather data and pilots not being where they thought they were, operating only in urban areas with real-time weather and air traffic control brings existing part 135 operations to par with the safety of driving a car.”

Wait, what? By considering only the causes of air taxi fatalities in Alaska, Uber conveniently glosses over the many fatal helicopter accidents that have occurred in urban environments, which are much more relevant to its concept of operations. Accidents like this one off a Seattle rooftop helipad, which was related to the aircraft’s hydraulic system and potentially to the checklist and training provided to the pilot. Or the crash of this tour helicopter out of Las Vegas, which was attributed to inadequate maintenance, with fatigue and a lack of clearly delineated inspection steps identified as contributing factors. Even if eVTOL aircraft are designed with 10-9 reliability, they’ll still need to be operated and maintained correctly to achieve that.

And this is giving Uber the benefit of the doubt when it comes to some of the bolder safety claims in its white paper. On May 15, a helicopter used for flights by the urban air mobility pioneer Blade crashed in the Hudson River after the pilot reportedly experienced loss of tail rotor effectiveness, an aerodynamic phenomenon that can be related to the interaction between wind and the helicopter’s rotor vortices. Uber contends that the high disc loading of most eVTOL designs will make them less susceptible to a variety of dangerous aerodynamic conditions, and that autonomy will prevent the aircraft from entering potentially hazardous states in the first place — claims that are still highly theoretical. And no matter how clever its design, a small five-passenger eVTOL aircraft will always have wind and weather limitations that must be respected by the operator. If helicopters are routinely pushed to the edges of their operating envelopes, what will prevent eVTOLs from being treated the same way?

New York Daily News cover of helicopter crash
Previous urban air mobility ventures have been derailed by high-profile crashes. New York Daily News Photo

Distributed electric propulsion designs and autonomous technologies have the potential to make tomorrow’s eVTOL aircraft inherently safer than comparably sized helicopters today. But aircraft design alone won’t solve the problem of operators pushing the limits of weather, or compromising on training and maintenance — constant temptations in an enterprise with high fixed costs and tenuous margins. Given the Federal Aviation Administration’s spotty record in overseeing part 135 helicopter operators to date, it’s not clear how they’ll manage to watch over a vastly larger number of eVTOL aircraft and, potentially, many more small operators.

Some of the solutions that have enabled the enviable safety record of part 121 airline operators could work for this emerging industry, too, although they would likely come with much more regulation and consolidation than is currently being envisioned. In any case, that’s a conversation we need to be having now, rather than pretending that vehicle design can solve all of our problems. One or two high-profile fatal accidents in city centers could effectively spell an end to aeromobility — and when that happens, it won’t matter whether it was the vehicle, the pilot, or the operator to blame.

Join the Conversation

  1. Avatar
  2. Avatar
  3. Avatar

3 Comments

  1. In-service operational safety statistics in real life are influenced by many factors other than design reliability. Maintenance, weather, pilot error, operational procedures, and other factors can contribute both positively. Many people try to fix these other contributors by simply raising design target safety levels, or use the same argument you have used here to “raise the bar”, ie. saying more operations results in more exposure, requiring higher design targets. However, this analysis is flawed and is actually a barrier to introduction of new, innovative, safety enhancing technology.

    We have “10e-2” engines that we get “10e-4” or better in service operational safety from, simply by using regular maintenance and inspection. I believe a 10e-7 design target, with fail functional, smart architectures will actually get to a better than 10e-9 operational safety target. This is based on using a 10e-6 design target in GA avionics for the past 10 years, and seeing the safety improvements that have come in the GA community from this “lower” design target.

    We mustn’t get mesmerized by the mathematical models, which are only loosely based on reality and arbitrarily raise the bar on EVTOL because it seems like the right thing to do on paper. The reality is the nature of electric propulsion and redundant multi rotor design will make them inherently safer than single rotor, single engine helicopters. Bell, Embraer, and others reflect this confidence in their new designs, as do many others.

    My hope is the aerospace industry will finally start looking at the total safety equation, and clearly differentiate design safety from operational safety. I also hope we can stop letting statistics and software development rigor be our focus and shift to well-engineered, fail functional, fault tolerant, self monitoring, dynamically consistent, resilient automation to make EVTOL safer without driving the cost to a point the market cannot bear because of the combined effects of “doing the right thing for the statistical analysis”.

  2. I couldn’t agree more with the content of the original article and Wes Ryan’s comments. But before I explain why, I must declare an interest, in that I run a UK company named Active VTOL Crash Prevention Ltd. (AVCP) which, as the name suggests, is developing a Zero Altitude – Zero Speed Emergency Safety System combining ballistic parachutes and retrorockets to provide a fully controlled soft landing at less than 2m/s in practically all emergency circumstances. Hence, I have a vested interest in the eVTOL/UAM market developing as successfully as possible and am pushing for the industry to ensure that its prospects are not damaged or delayed by unfortunate accidents at this early stage of its development, and especially when passenger services start operating.
    The objective of the AVCP system is that the aircraft occupants suffer no injuries at all (or in the un-likely event that minor injuries do occur they are not incapacitating and do not restrict the individuals’ ability to exit the aircraft un-aided.) Additionally, the aircraft should remain un-damaged, eliminating the risk of people being injured and trapped in a structurally disrupted aircraft that might well catch fire due to the high voltage electrical system and very large Li ion battery packs.

    The possibility of injured and trapped passengers being burnt to death in a crashed, damaged eVTOL UAM aircraft must surely drive everyone’s thinking if the situation is to be avoided.

    Unfortunately, the current situation is that most, if not all of the major UAM projects are intending to rely solely on system redundancy to achieve such probability levels that accidents either do not occur, and if they do then they are sufficiently ‘controlled’ that such as stroking seats, crash-worthy energy absorbing structure, and possibly airbags will be sufficient to mitigate injuries to a level that is ‘acceptable’, and reference to helicopter drop test G levels and injury criteria is now being discussed as being potentially acceptable.
    But I would suggest that if similar criteria to the helicopter crash specs such as a Ground Impact Velocity (GIV) of 30ft/s are adopted this is very likely to result in injuries to passengers, significant structural damage, and potential battery fires.
    It should be borne in mind that ‘passengers’ will not all be fit and healthy, some may be 80 year-old ladies with osteoporosis who will be very susceptible to vertical G loads, and others may already use wheelchairs, or are such people going to be excluded from using the UAM service?

    So how should the certification rules for the eVTOL UAM application be set?

    My suggestion is that the certification authorities should recognise three standards, which represent different levels of inherent safety. The analogy of ‘belt and braces’ is a good one.
    The basic scenario of just relying on system redundancy would be Level 1, where there is no separate, independent system (i.e. no belt or braces) to prevent a crash if the unlikely complete failure situation (multiple bird strikes, collision, lightning strike etc.?) occurs, which could result in a terminal descent rate of about 30 – 40m/s, which would clearly result in a disaster for the occupants whatever secondary safety features such as stroking seats, crushable structure and airbags are employed.

    This would be like not having safety belts in a car, which is OK until the accident happens. Is that the level of safety system to adopt for an UAM aircraft? Surely not.

    The second Level 2 scenario could include the use of such as a ballistic parachute system which would reduce the GIV to about 7 – 10m/s, but crucially does not work below a minimum height leaving a ‘Safety Gap’, which with current designs is about 250ft, although new systems can probably reduce this to about 100ft. Nevertheless, a fall from 100ft could probably result in a GIV of 15 – 20m/s, better than the 30 – 40m/s Level 1 scenario, but is still surely not really satisfactory for the UAM application.

    The Level 3 option could include such as rapid-opening ballistic parachutes and retrorockets which would provide a controlled landing at less than 2m/s in almost all circumstances, a speed at which only the simplest and lightest secondary systems such as crushable structure and small airbags would be necessary to virtually guarantee that the occupants are not injured. Equally, the aircraft should not be damaged sufficiently for there to be much risk of an electrical system or battery fire. Furthermore, the relatively slow descent rate allows more time for anyone on the ground to escape from the landing site.

    There may be other physical systems than those I have specified above for Levels 2 and 3, although the basic problem of an out-of-control mass (the aircraft and its load) at a height above the ground is pure physics, and I am not aware of any other practical physics options which would provide the same results in terms of the critical GIV number.

    Hence my proposition is that the authorities define the Level 2 certification performance based on the target GIV of say, 10m/s to be achieved by the systems employed, but also noting the issue that this does not cover the inevitable ‘Safety Gap’ height where the parachute(s) cannot open quickly enough and a 15 – 20m/s GIV might result in those circumstances. It is also to be noted that it is in the VTOL phase of flight that these aircraft will be most vulnerable to a problem.
    If the Level 1 option is agreed as permissible by the certification authorities, then it is up to the aircraft designers to chose which level of safety they are targeting:-
    a) no additional safety system beyond system redundancy (Level 1),
    b) the Level 2 ‘belt’ solution using ballistic parachutes, or
    c) the Level 3 ‘belt and braces’ option which would provide the best possible safety for the aircraft occupants (and the whole eVTOL/UAM industry itself.)

    There is a perception that the Level 3 solution will be heavier than the other options, but that is not correct. Rocket motors are the most efficient (i.e. lightest) way of delivering the thrust/impulse required to slow the aircraft just before landing, and because they are doing most of the work in slowing the aircraft the parachutes used can be smaller and lighter than those required for the Level 2 option. The smaller parachutes also open faster, reducing the minimum height at which they are effective, which also minimises the size and weight of the rocket motors required.

    The overall result is that the complete ‘belt and braces’ safety system is very little heavier than the Level 2 option, and it obviates the need to use expensive and space-consuming stroking seats and add more structure for crush energy absorption.

    It is my opinion that the whole industry should now have a very serious debate about what target level of safety (based on potential GIV?) should be adopted, and there is an excellent opportunity to do this through coordination of the various ASTM, GAMA, VFS, EUROCAE, EASA, FAA, and CAA Safety Committee activities to achieve an International consensus.

  3. While it is patently clear that factors other than rotorcraft design usually play a part in their accidents, it would be foolish, if not negligent, to not focus on various elements of design as, at the very least, offering opportunity to limit or reduce their potential contribution. All one need do is look at the increasing mechanical complexity aimed at ‘improving the numbers’ of the costs of capital, maintenance, power production and accidents. Tall orders almost invariably call for greater investment of capital, design and productivity. Those struggling to find suitable investors or, in many cases ‘any,’ may indeed have the highest hurdle to pass.
    It’s most interesting to note how little input appears to come from the ultimate recipients of such a flurry of ‘development,’ reportedly well over 200 current projects. The operators, as end users of it all, who will either adopt new designs, contributing to their success or failure, fade from their ranks, or achieve new heights, will surely be as responsible for any success as the producers of the aircraft.
    Although rhe aforementioned mechanical complexity is likely most often driven by increasing operational demands, it has a propensity to feed on itself, exacerbating its ‘downsides.’ Efforts to date to overcome the public’s perception of helicopters as noisy and prone to accidents have not focused successfully have, quite obviously, been predominantly circumvented.
    Let’s just hope and pray that a striking panacea for the helicopter’s ills to date shoulders it’s way through the horde and shines.

Leave a comment

Your email address will not be published.