Comments about technological history, system fractures, and human resilience from James R. Chiles, the author of Inviting Disaster: Lessons from the Edge of Technology (HarperBusiness 2001; paperback 2002) and The God Machine: From Boomerangs to Black Hawks, the Story of the Helicopter (Random House, 2007, paperback 2008)

Wednesday, February 29, 2012

Death on Elevator No. 9

This post follows up on my January 6 post about the elevator malfunction that killed Y&R advertising exec Suzanne Hart at 285 Madison Ave. in New York on December 14. I had predicted that "jumper wires" (wires that bypass a hardwired circuit by connecting two terminals on a control panel) would be on investigators' short list, and they were. 

Elevators are (usually) very safe but complicated devices, so this post is geekier than usual; if you're not into mechanical stuff, feel free to surf elsewhere.

NYC's Department of Investigation (DOI) released a ten-page report on Monday with some pretty firm conclusions, based on inspections and simulations by the Dept. of Buildings and a private forensics firm. 

Both the report and transmittal letter are available at the NYTimes City Room. The DOI says evidence supports a conclusion that a mechanic left a jumper wire in place on the controller panel of Elevator No. 9 during maintenance work earlier that morning. 

The purpose of that service call, ironically, was to bring the elevators into code compliance by adjusting the hoist-motor governors so the elevators in this bank would move about 16% slower. 

Supporting evidence included a pair of linked wires that investigators found under the grating of the elevator machine room, near No. 9's panel. It was about sixteen inches long and had the telltale signs of being used as a jumper. 

The machine room was on the fourteenth floor; Elevator No. 9 was one of a low-rise bank of elevators that served floors one through twelve. The shafts for the low-rise bank stopped at the twelfth floor.

As I said in my post last month, a jumper wire -- a short cut between two terminals -- is a standard widget in the toolboxes of people who service machines controlled by circuit boards. It's legitimate to cut out safety interlocks and alarms ... but only while the unit is out of service.

Transel mechanics started arriving at 5:09 AM that day, with several jobs to do: replacing EPROM circuit cards in the fourteenth-floor machine room, and recalibrating speed governors mounted at the top of the shafts. The work required mechanics to step from the twelfth-floor lobby onto the roof of each car to recalibrate the speed governor. With one exception -- Elevator No. 9 -- they used a local control on the car to move the car a few feet so they could reach the governor.

Why would mechanics want to climb onto the cars' steel roofs, which can be slippery with oil and offer a tripping hazard? The reason is that the governor for each elevator was located on a headframe at the top of the elevator shaft; the easiest way for mechanics to reach the governor for a given elevator was to stand on the elevator car's roof, using the car like a work platform.

From Buildipedia, here's a photo showing elevator shafts in a tower under construction.
Note the blue headframe at the top of the shafts, and the red doors marking the lobby at each level. While it's not identical to the setup at Y&R, you get the idea: when you have to work on gear at the top of a 150-foot-deep void, a convenient and quick way to reach it is to stand atop a car positioned at the top of the shaft.

To get to a car's roof following standard procedure, the mechanics had to open two sets of doors, and to open the doors they had to bypass a safety device that normally prevents the doors from opening whenever the car is out of position.

The outer set of doors, visible from the lobby, are attached to the building, so they don't travel with the elevator. The second set of doors is the inner one -- the set you see from inside the elevator car when it's moving. This set of doors (obviously!) travels with the elevator. Special techniques are needed to open the inner door when the car is a few feet out of position, because the door interlocks try to prevent doors opening in this situation. Otherwise we citizens would be tumbling down shafts every other day. 

(Why didn't they bring a ladder and climb up through an emergency hatch in the car roof, which every action-movie screenwriter knows about? That possibility isn't spelled out in the report, but my guess is that the emergency-egress openings could only be opened from the exterior. That's standard, to prevent misbehavior.)

Now to Elevator No. 9, which posed a frustrating problem the others hadn't. The mechanics on the twelfth floor couldn't get Elevator No. 9's inner door to open, and that meant they couldn't climb on the roof and use the local control to maneuver it manually into the desired position. According to the DOI report, they had expected to reach in the space between the door by hand, or failing that, had expected to use a "tomahawk tool." (A tomahawk tool, when slipped into the space between the inner and outer doors, can release a clutch that keeps the inner door from opening in such circumstances.)

For whatever reason, the mechanics couldn't get either arms or tomahawk tool through the narrow space available, so they radioed another Transel worker in the fourteenth-floor machine room to bypass the safety interlock from there, and to shift the car remotely.

According to the DOI report, the Transel employee in the machine room used a jumper wire to bypass the safety interlock, which was okay, but failed to remove it before the two mechanics on the twelfth floor, the ones working on Elevator No. 9, returned it to service. (And Transel did so without notifying the Department of Buildings, which had the authority to inspect the work before the car went back into service.)

Here's the reason such a jumper wire is so dangerous when a car goes back into service: the jumper wire in the machine room closed the safety circuit, so the car would respond automatically to summons by button-push, heedless of whether No. 9's doors were open or closed. Normally the car wouldn't have budged an inch until both sets of doors are secure, which closes the safety circuit.

While the mechanic denied leaving a jumper wire on Elevator No. 9's controller panel in the machine room, and investigators did not find one in place when they inspected the panel, the report said a jumper in place at the time of the fatality is the best explanation of why No. 9 acted with fatal results the first time anyone tried to ride it from the ground floor, minutes after the mechanics left the twelfth floor for a break.

Responding to a button push from the ground floor, Elevator No. 9 left the twelfth floor and arrived at the ground floor. The doors opened. Two people entered the car and pressed call buttons; nothing happened for a few seconds. Then as Suzanne Hart tried to enter, the car lurched upward, catching her in the opening, and didn't stop for twenty feet.

To wind up: Jumper wires left in place too long, cutting out alarms and safeties, have been a problem in many trades. The good news is that simple steps can greatly reduce the likelihood of leaving a jumper in place accidentally. Here's one: start the job with a count of jumper wires in the toolbox. Don't return the machine to service until all jumpers are accounted for. 

That's like the precaution that well-run operating rooms take: the staff tallies sponges and small instruments before and after a procedure. That avoids rolling patients off to the recovery room with foreign objects inside.

Saturday, February 25, 2012

Collisions and Copters

Thinking of a tragic incident in Arizona, earlier this week – the collision of two USMC helicopters at Marine Corps Air Station Yuma. One was an AH-1W Super Cobra and the other a "Yankee" model UH-1 Huey. Both were twin-engined. There were no survivors. This AP photo shows the ground-impact zone:
It may be surprising that people inside a helicopter ever survive a midair collision at altitude, considering the machine's dependence on a large and complex main rotor for lift. 

Even an impact limited to the tail can send the helicopter out of control; if the impact shears off the tail boom, the helicopter instantly goes into a dive (because the center of gravity shifts forward) and also into a spin (because of the uncompensated torque from the main rotor.)

Readers may recall reading news about a Feb. 19 collision near Antioch, California, involving a Beechcraft Bonanza single-engine fixed-wing airplane and a Robinson R22 two-seat helicopter. The Beechcraft made an emergency landing 20 miles away; the Robinson crash-landed. No one died in that incident and injuries were minor. Here's the Robbie, which was flown by a remarkably level-headed pilot: (photo, AP/Contra Costa Times)
Rarely do things turn out so well after mid-air collisions, which constitute on average between one and two percent of all aircraft crashes. 

When two USMC helicopters, a CH-46 and a Cobra, collided during maneuvers at Camp Lejeune, NC, in 1996, it killed 14 Marines and left a pilot and co-pilot injured. One issue: whether the night vision goggles in use were suitable.

Survivability depends a good deal on what the crash does to the main rotor systems. The pilot of the Robinson R22 collision was spared a free-fall from altitude because the landing skids took the principal impact of the Beechcraft, rather than the main or tail rotor. 

In the case of two AS-350 AStar news-copters that collided over Phoenix in 2007 while covering a car chase, the main rotors overlapped as one helicopter came up behind the other. The cameramen and pilot-reporters all died. Here's a computer animation of that crash, from two angles. One lesson: pilots shouldn't be TV reporters too. Both pilots were watching a new development in the pursuit, off to their right-hand side. The camera operators were concentrating on the monitors.

There are very few cases in which two helicopters collided in flight and people survived in both aircraft. That's because at least one of the helicopters is likely to sustain catastrophic failure of the main rotor. 

Following are top-of-the-head observations about safety and crashworthiness in helicopters:

Head on a swivel: Pilots' expression for a constant visual sweep, inside and outside the cockpit. Most midair collisions were avoidable. They happened in the daytime, in VFR conditions, when the see-and-avoid principle was in effect.

Power management: Pilots must know how much power reserve is available; otherwise the helicopter may begin settling, or turn out of control.

Nothing loose that's going to fall out: It's not unusual when operating a light helicopter to remove the doors before flight. What a view! That's how I trained in Minnesota when researching The God Machine. But my instructor made sure that nothing was loose to fly out the door, where Murphy's Law would send it into the tail rotor. 

Helmet and flight suit: One for impact, the other for fire. Many people have died after a main rotor blade crashed into the passenger cabin during a hard landing. A helmet can make a difference. When I rode in the front seat of a Cobra at Whiteman Air Force Base in Missouri for a magazine article, the commander made it clear we weren't going anywhere until I had put on a borrowed helmet, gloves, and a flame-resistant flight suit. 

He also showed me the location of the compact hammer I'd need to get out if it crashed, explaining that the Nomex wouldn't hold back flames for long. Here's what the front seat looks like:
Energy-absorbing seats and landing gear: Such machinery aims to absorb most of the energy from the crash, before it can injure people on board. Here's a paper on crash seats for crop-spraying pilots.

Saturday, February 4, 2012

Delta Mariner, Abridged: Structure's navigational lights under scrutiny

Here's an update on the Delta Mariner allision, in Q & A format.

          Is the ship still anchored at the site?
Yes, but not for long. From the Paducah Sun, here's a shot taken pointing southeast, taken earlier this week:
The salvage barge in the photo is ready to start removal of the bridge wreckage today, now that the USCG has approved the salvage plan.

          Where did it happen?
Delta Mariner hit a two-lane highway bridge crossing the Kentucky Lake Reservoir, a dammed portion of the Tennessee River. The old name of the bridge is Eggner's Ferry; on maps, it's the US 68/KY 80 bridge. The location of the mishap is the second span from the east, called Span E, three spans east from the main navigation channel, which from the images I am guessing is called "Span B." A slide show of images is here, at the West Kentucky Star. The main channel is the one that Delta Mariner should have used since it offers the highest clearance. As is painfully obvious now, Span E over the recreational channel was a Siren's call. My notes on this AP Photo for which span is which:
          The area has been mostly closed to the public. Can I get a look at it?
For a few hours today (Saturday), there will be a one-time opportunity, for people to hop in their cars and go to the Fenton camping area and see the damage at a distance. The entire area will be cordoned off again after that. Check your local news or this Land Between the Lakes website before setting out, in case salvage work has changed the schedule.

          What was Delta Mariner carrying?
  • Atlas first stage for the second geosynchronous satellite in the Advanced Extremely High Frequency (AEHF) military-communications system for USAF's Space Command
  • Centaur second stage, also for AEHF-2
  • Interstage adapter, for the Radiation Belt Storm Probes (RBSP) mission for NASA
We are told none of the cargo sustained damage.

          Is Delta Mariner a ship, or a barge, or what?
It's an ocean-going, self-propelled Roll-on, Roll-off ship, abbreviated RORO. The biggest stages are carried in a hangar-like structure in the center of the ship. After leaving the river network it takes rockets east to Cape Canaveral, Florida; or else south to transit the Panama Canal, then back north to Vandenberg AFB near Lompoc, CA.

          Has anything like this happened before?
WSMV referenced a November 2011 mishap in which a much smaller vessel hit a bridge support after taking the wrong channel. No significant damage resulted.

          Did Delta Mariner have a Voyage Data Recorder?
I speculated in the previous post that it probably did, given the vessel's work for NASA and the high-value cargo. The NTSB has sent data-recovery specialist Michael Bauer to the ship so Delta Mariner must have some kind of forensic logger on board, maybe a simplified voyage data recorder, or S-VDR. If so, it should have saved a recording of the bridge audio.

          Why did Delta Mariner hit the bridge?
No information from the USCG investigation is yet public. Even though the ship had one and perhaps two river pilots on board at the time, it was almost a thousand feet from the main channel -- which seems like a lot. In the direction that Delta Mariner was going (north), the correct channel to take is the one under the second span from the left side; instead it took the channel under the second span from the right side. It almost suggests uncertainty on the bridge about whether the ship was bearing north or south.

That's hard to believe, though, and more plausible reasons include impaired visibility, since it was dark and raining, and perhaps foggy. Problems with navigational aids might have contributed: Some of the bridge navigation lights were reported to be out of commission beforehand. Lighting repair work on the bridge was scheduled for the next day.

          What are bridge navigation lights?
The Coast Guard specifies a lighting plan for bridges on navigable waterways, marking the channels to use. Here's the generic upstream lighting plan for fixed-span bridges with main and alternate channels; Eggner's Ferry Bridge is in that class.
I haven't seen lighting details for this particular bridge, but if the diagram reflects the requirements, the center of the main channel is supposed to be marked with three vertical lights on the bridge, typically white. If the bridge lights on the side visible to Delta Mariner were burned out, that could have been a contributing cause.