Why the NTSB's analysis of the Gol flight 1907 accident is wrong

Abbreviations:
ATC – Air Traffic Control
ATCO – Air Traffic Controller
BSB – Brasília
CENIPA – Centro de Investigação e Prevenção de Acidentes Aeronáuticos
FL – Flight level (x 100 feet)
NTSB – National Transportation Safety Board

“This investigation has identified many safety issues for ATC operations, but these issues need to be further highlighted. Even though the body of the report acknowledges safety deficiencies with ATC, these deficiencies are not sufficiently supported with analysis or reflected in the conclusions or cause of the accident” (NTSB).
The NTSB uses terms that are inappropriate in an accident analysis, such as “need to be further highlighted” and “are not sufficiently”, and does not follow ICAO Annex 13, which states: “The sole objective of the investigation of an accident or incident shall be the prevention of accidents and incidents. It is not the purpose of this activity to apportion blame or liability”. The NTSB does not disagree about any of the actions, omissions, events, conditions, or combination thereof that led to the accident, only about who should be blamed. That is not its mission; it is the mission of the justice system. Its comment is not specific and does not point out the “deficiencies that are not sufficiently supported”. This kind of comment is typical of a biased analysis.

Annex 13 states that the analysis should include only documented, factual information that is relevant to the determination of conclusions and causes. Conclusions should list only the findings and causes established in the investigation. It is not within the scope of the investigation to say which event is more important than another or which should be highlighted. The NTSB does not disagree with any cause of the accident; it disagrees about their relative importance. For instance, it does not dispute that the crew was not prepared for the flight, but argues that the lack of preparation did not contribute to the accident. It does not dispute that the transponder was turned off by the crew, but it emphasizes that ATC should always be able to cope with a transponder being turned off. A transponder being turned off is an unquestionable fact; whether ATC should survive this event is a matter of desirable features and recommendations. A material failure, for instance, is an unquestionable cause, but whether an aircraft should be designed to survive that failure requires further analysis and is certainly a learning process.

“The ATC computer automatic insertion of the “cleared altitude” field in the displayed datablock was one of the first chronological events that led to the collision. Sections 4.6 and 4.6.1 of the analysis discuss this feature; however, the only conclusion drawn is on page 219, which states that the controllers “have always operated the system in this manner.” The discussion in the report notes that the controllers did not react correctly to the information presented on the displays. However, a design in which two distinctly different pieces of information (that is, requested altitude and cleared altitude) appear identical on the display is clearly a latent error” (NTSB).
The NTSB makes a huge mistake in stating that the insertion of the cleared altitude in the datablock was one of the first chronological events that led to the collision. It was not: this is an expected, desirable and reliable feature of the Brazilian ATC system, although it was not well understood even by CENIPA, which investigated the accident. In both analyses, especially the NTSB's, there is an intentional misunderstanding of what the cleared level is and what the issuance of a clearance is. The NTSB plays a word game with the expression “cleared level”. It must be understood that ATC resolves traffic conflicts in advance: controllers “clear” the path (remove obstacles, traffic) and, when the aircraft is about to reach the cleared (of obstacles) leg, they issue a clearance stating the cleared level. This is the expected procedure and this is the sequence of steps: first they remove obstacles, then they issue a clearance. “Cleared level” does not mean the last level mentioned in the last clearance issued to an aircraft, although the two must go together. Computer systems record the cleared level that must be stated in a clearance for a given aircraft, not the clearance that was issued. Radio (verbal) clearances are not recorded in any computer database; they exist only as voice recordings. Most of the time the NTSB analysis refers to the cleared level as the level that was authorized to the crew in a clearance. These are two distinct classes of information with two different meanings, but unfortunately there are not two distinct words to distinguish them, and this leads to the NTSB's completely wrong analysis. It is assumed that, at the proper time, the ATCO issues a clearance to the cleared level. The cleared level is a piece of information that exists by itself and is communicated to the crew in a clearance; inside a clearance it can be understood as an “authorization”.

"(...) the use of the automatic “cleared altitude” field change has the potential to mislead controllers, is a poor human factors design, and is a clear finding of risk. In fact, this event was one of the first that is directly tied to the accident scenario. This feature has the undesirable effect of making the ATC automation “lead” the actual clearance issued to the flight crew. A basic tenet of ATC is to have a double check of clearances. The automatic change takes away a method for the ATCO to reinforce the proper clearance in his mind. If the controller makes the entry, the action of keying in the numbers helps to confirm that he has issued the correct altitude and that the pilot has read back the clearance correctly. Therefore, the automatic change of the datablock field from “cleared altitude” to “requested altitude” without any indication to, or action by, the ATCOs led to the misunderstanding by the sector 7 controller about what altitude clearance was issued to N600XL" (NTSB).

The least that can be said about this analysis is that it shows complete ignorance. It is nonsense to build a system that tells someone to do something and then has him input (“key in”) what he was told to do; he must do exactly what he was told to do. The system signals to an agent to do something (issue a clearance) and then the ATCO monitors whether it was done (radar surveillance). In this accident, the radar console would signal to the ATCO to direct the aircraft to descend to the cleared level by displaying “370=360”, which means: actual level 370 (left side), cleared level 360 (right side). FL360 on the right side of the datablock is absolutely not the requested level, as the NTSB says it is; it is the cleared level that must be issued to the crew in the clearance. No system, and the Brazilian one is no exception, deals with the requested level, although the cleared level usually is the requested level. The Brazilian ATC system, like all systems around the world, never displays requested levels in the radar console datablock, contrary to what the NTSB states. These systems display the cleared level, which obviously has to be planned in advance and must be issued to the crew in the form of a clearance. The NTSB uses the name “cleared level” only once this piece of information has been transmitted to the crew. This is a big mistake, because the cleared level is a distinct class of information that exists and has a meaning even if it has not yet been transmitted to the crew. The ATCO must contact the aircraft to issue a clearance to the cleared level (“...descend to FL360”) and then monitor whether the aircraft is following the clearance and occupying the cleared level, at which point the radar console will display “360=360” (actual level 360, cleared level 360) if the aircraft obeys the clearance. ATC confirms that the aircraft has received a clearance containing the cleared level by monitoring its altitude; the two must be the same whenever the aircraft is stabilized.
It must be understood that although a level is considered authorized until another level is issued, this does not necessarily mean that the authorized level is cleared of obstacles for the entire route. It is authorized but not cleared. In this accident FL370 was authorized but was not cleared or, more specifically, it was not free of obstacles.

ATC amends clearances tactically, issuing new authorizations to the cleared level as the flight proceeds. On the Brasília to Manaus airway, due to airspace rules, Brazilian ATC would never clear FL370, because this level is occupied by aircraft coming from Manaus to Brasília. It is never cleared of traffic for aircraft going to Manaus. There was a planned descent to FL360 that would be issued by ATC at the most appropriate time. The trigger for issuing the amended clearance would be, as foreseen in the ATC system design, the automatic change of the “cleared altitude” field in the datablock from “370=370” to “370=360”, meaning actual altitude of the aircraft 370, cleared altitude 360. The right side of the datablock does not show the requested altitude; it shows the cleared level that should be issued to the crew. It does not matter whether the crew has already received this clearance or not; the ATCO must contact the aircraft as soon as possible and ask it to descend to the cleared level. If the aircraft had already received this clearance, the ATCO must check why it did not descend; if it had not, the ATCO must direct the aircraft to descend. Every time the ATCO sees this kind of datablock (actual level different from cleared level), it is the trigger for the ATCO to contact the aircraft. This piece of information does not mean that the aircraft has received this clearance, but it is the altitude that was planned to be cleared and the level at which the aircraft should fly. This behavior is entirely expected, desirable and safe.

If the NTSB says this is a latent error, it is because the NTSB argues that the datablock should display “370=370”, since 370 is the actual level and was the last level issued in a clearance to the aircraft. A datablock displaying “370=370”, as suggested by the NTSB, prompts no action from the ATCO. Why would this be the desirable feature, free of a “latent error”? Complete nonsense. This NTSB suggestion is a huge error, which puts at risk all aircraft that plan level changes. If an altitude should not be maintained on the following leg as a condition of flight safety, as in this accident, a complete clearance specifying the several levels could be issued at departure, or at least a limit should be fixed. Unfortunately, no ATC does that. All ATCs around the world issue clearances tactically, as soon as level changes are necessary. They keep amending clearances during the entire flight, directing aircraft to the cleared (of obstacles) levels. Older ATC systems do not even support several cleared levels. They have only planned levels (by leg) and the actual (current) cleared level (a single, momentary piece of information). Every time the ATCO issues a new clearance, he inputs it and updates the system's “cleared level” field; moreover, this field is not displayed in the datablock but only on the flight strip. This kind of system has several other “latent errors”: the ATCO can issue a clearance and input it wrongly in the system, or not input it at all. Some older ATCs even work with paper strips.

While the transponder was on, the ATC system behaved as expected and, it must be said, is a very safe design. During the passage over Brasília there was no traffic and the ATCO was dealing with another aircraft. The datablock displayed 370=360 for only a few minutes and then the transponder was turned off. Without the transponder signal, the left side of the datablock (actual level) became unstable for about 30 minutes, until it was no longer associated with a target on the radar screen. The transponder being turned off was undoubtedly the first chronological event that led to the collision. The ATCO did not have enough time for the datablock trigger to catch his attention so that he could amend the clearance to the new cleared level (FL360). The ATCO lost control of the actual level of the aircraft at the most critical point of the route.

"In the accident scenario, because the altitude change to FL360 was planned to occur over BSB, well within sector 5 airspace, it is likely, that the sector 7 ATCO believed that the sector 5 controller (or a previous controller) had already issued the clearance to FL360" (NTSB).
Another huge NTSB mistake. It was the same ATCO in charge of sector 5 who contacted the aircraft before it reached Brasília and said “maintain FL370”, and then, just a few minutes later, assumed that the aircraft was flying at FL360 when he transferred the traffic to the sector 7 ATCO. Even the sector 5 ATCO believed the aircraft was flying at FL360. And why did this happen? Very simple: he was trapped by the transponder being switched to standby mode. The ATCO lost control of the aircraft's actual level, which would have been given by the transponder signal. It is absolutely conceivable in this scenario that this ATCO did not even realize what level the aircraft had been flying at before, or that there was a planned level change, even though it was he who said “maintain FL370”. What system design would allow an ATCO not to lose control of aircraft altitude without a transponder signal? There are many alternatives, and this accident is part of a learning process. A system that records the last authorized level could be a good feature, but who can ensure that the aircraft is flying at the last authorized level? Who can ensure that the aircraft has not received a complete route clearance specifying several level changes? The accident report states that “The SIC reported that, upon arriving at the aircraft, he inserted the flight plan with the initial altitude necessary to initialize the program, but he did not program the subsequent climbs and descents, something which he planned to do later on”. If the SIC had programmed the subsequent climbs and descents, the autopilot would have descended the aircraft by itself, the same way it turned the aircraft left when passing over Brasília. Should each planned cleared level field in the computer system database have a status flag indicating whether that level has been authorized to the aircraft or not? There are many alternatives that could solve this issue, but the worst is surely the one the NTSB gives in its analysis.

So it is absolutely clear in this accident that the “system” performed as it was designed to. But when the transponder was turned off, the ATCO lost control of the actual altitude of the aircraft and made a wrong assumption about its actual level. The ATCO could have assumed that, since he had not issued an authorization to FL360, the aircraft must be flying at FL370. That would also have been a guess and could have been wrong. A crew could have received, for instance, a complete route clearance at departure; the aircraft could have had an equipment crash; and there are many other possibilities. Such assumptions could also lead to accidents. So the first chronological event that led to the collision was, without doubt, the transponder going to standby. This was the first unexpected event, and it made the ATCO lose control of the actual aircraft altitude. Then came a second unexpected event: the ATCO made an assumption about the actual aircraft altitude. He assumed that the aircraft was flying at the cleared level, but the cleared level had not been issued to the crew, because the transponder was turned off just when there was a planned level change. He may not even have observed that there was a planned altitude change. The ATCO was trapped by the loss of the transponder signal at the most critical point of the flight. He should not have assumed any level; he should have made sure what level the aircraft was flying at and made no assumption of any kind. This is the rule, this is the expected procedure, and this was his mistake. This is the analysis that should have been made. He should have contacted the aircraft and reestablished the transponder signal. Then he would have seen “370=360” on his radar console and would have directed the aircraft to the cleared level (360). This is what would be expected; this is what the rules prescribe.

And why did the ATCO make this wrong assumption? First, because the lack of a transponder signal is a very frequent event all over the world and scarcely ever puts an aircraft in jeopardy. Second, he was trapped by a completely unusual flight plan, with several unnecessary planned levels, made by an American company – Universal Weather – not familiar with Brazilian airspace. Third and most important, there was the unexpected scenario of an aircraft flying northwest at an even level. What is the reason to burn fuel to stabilize at FL370 on a one-way airway (the Legacy could fly at FL360), then descend to FL360 40 minutes later, and then climb to FL380 40 minutes after that? There is no reasonable explanation for planning these ups and downs. ATC never expects a plan like this one. A plan that changes between even and odd levels is completely unusual. The Aeronautical Accident Investigation Commission understood that this profile had been produced by the software of the Universal Weather flight plan program, which considered the winds aloft available in the several WIND ALOFT charts for FL300, FL340 and FL390. Anyone may notice that these charts do not distinguish between FL360, FL370 and FL380, so there is no reason to choose to climb to FL370, then descend to FL360, and then climb again to FL380. Moreover, these charts are valid for only 12 hours, and the crew told the NTSB that they had contacted Universal for the preparation of a flight plan a few days before the departure from SBSJ, according to a determination contained in the operator's Manual of Operations. There is no explanation for this bizarre plan. The only reason that could explain it is that UW2 has a heading of 7° and UZ6 one of 335°. So the plan produced by the Universal software may have chosen the levels most suitable to the headings, but did not take into account that UW2 is a one-way airway. This bizarre plan created an unusual scenario.
I consulted the FlightAware.com site and chose 30 random flights of more than 1 hour's duration. I did not find a single flight that changed between even and odd levels. This is quite a large sample, allowing us to say that the N600XL flight plan is completely unusual.

This scenario led the ATCO to make a wrong assumption about the level, and he underestimated the risk. The ATCO did not realize that the clearance to the cleared level had not been issued as planned, as soon as the aircraft passed over Brasília. Ironically, he was the same ATCO who should have issued this clearance; he did not observe the “370=360” signal that was displayed on his radar console for just a few minutes. If the transponder had not been turned off, he would have had time to observe this signal and ask the aircraft to descend, and the flight would have proceeded as planned. He was trapped by the loss of the transponder signal.

"The clearance could have been issued well in advance of the airplane passing BSB by specifying where an altitude change takes place, such as “maintain FL370 until BSB, descend to FL360,” as indicated in ICAO 4444 11.4.2.5.2.2b. In fact, this clearance would have been not only acceptable but also desirable” (NTSB).
If there is no conflicting traffic, there is no need to take this action in advance. ATC requests altitude changes to separate aircraft. If there is no traffic near the aircraft, there is no need to issue the change in advance. If it were true that clearances should be issued in advance, a complete clearance, rather than one in abbreviated format, should be issued at departure, which is infrequently done anywhere in the world. Clearances are issued “tactically” as conflicts emerge. In any case, issuing it in advance is not mandatory and is not expected. Worse, this comment contradicts the NTSB's previous comment (“The ATC computer automatic insertion of the ‘cleared altitude’ field in the displayed datablock was one of the first chronological events that led to the collision”). How can an ATC computer system know whether a clearance was issued in advance or not? How far in advance could it be issued? If the clearance had been issued in advance, as the NTSB suggests is desirable, would the ATC computer's automatic insertion of the “cleared altitude” then be correct, and not a “latent error” as they said? How many altitude changes should ATC issue in advance? Should the ATCO have said “maintain FL370 until BSB, descend to FL360 until Teres, climb to FL380 until Manaus”? When the ATCO issues a clearance in advance, how should it be recorded in the computer system? Every time the ATCO says something to the aircraft, should he input it in the computer system to record what he said? Absolute nonsense. In conclusion, the NTSB argues that something is a “latent error”, but defends an alternative that would introduce another, worse kind of error. This issue makes explicit how incongruous the NTSB analysis is. We would return to the discussion of whether clearances are issued tactically or a complete clearance for the whole route should be issued. The fact is that, for the safety of air traffic, it does not matter at all whether the clearance is issued in advance or not.
What matters is that ATC clears the path and then monitors the actual altitude of the aircraft, directing it to the cleared path; this is what counts for flight safety. If ATC loses monitoring of the actual level, no guessing should be done, and contact with the aircraft must be reestablished. It does not matter what level the aircraft is flying at; other kinds of accident could happen without a transponder signal. It is as simple as that. Nowadays, to monitor an aircraft's real altitude, and even to associate the aircraft on the radar screen, ATC depends on the transponder signal. Of course we can admit that a better ATC system could survive a transponder signal failure, and in the near future such systems will, but at present this is not the reality in most of the globe, particularly in inhabited regions of the world such as the Amazon. The NTSB analysis has just one objective: to minimize the transponder failure by making ATC answerable for this accident.

“As noted in the ATC analysis discussion, there was no reason for any pilot to believe that the assigned altitude was anything except FL370 and would remain so without further instructions, an emergency situation, or application of prescribed lost communication procedures” (NTSB).
UZ6, as shown on the aeronautical chart, is a two-way Brasília–Manaus airway. Flights going to Manaus fly at even levels (FL360, FL380, ...) and flights coming from Manaus fly at odd levels (FL350, FL370, ...). This is clearly indicated on the aeronautical chart and is a fundamental of airspace organization all over the world. This rule completely avoids mid-air conflicts between aircraft flying on the same airway in opposite directions. The Legacy flight plan foresaw a level change from FL370 to FL360 on entering UZ6 precisely to comply with the airspace rules. Are these not reasons enough for any pilot who had prepared himself for the flight to believe that the assigned altitude was not FL370, and was none other than the FL360 set in the flight plan? The NTSB analysis, again, is nonsense.

“Beginning on page 92 and recurring throughout the report are numerous passages and citations of events that are associated with the flight crew of N600XL not being aware of the elements of the flight plan, an unusually short time elapsing between the obtainment of the printed flight plan and the departure, or the crew having an unusually short period of time to prepare for the flight. These items appear to be partly in support of paragraph (e) on page 264 of the report, which indicates, “Planning – a contributor.” We do not agree that the analysis is sufficient to support any deficiency in the conduct of the flight, which can be related to planning. The crew flew the route precisely as cleared and complied with all ATC instructions. The crew’s awareness of their current altitude and its relation to the hemispheric convention applicable to the course of flight north of Brasilia is entirely independent of the requested level in the flight plan. Therefore, we do not fully concur with contributor (e) and the citations in the report leading to it” (NTSB).
The NTSB treats “Planning” as an issue that could lead to “deficiencies in conducting a flight”. We could conclude from the NTSB statement that if the “crew fly the route precisely as cleared and complied with all ATC instructions”, it is not necessary to perform preflight preparation. Nonsense. This is not the issue; planning contributes to the crew's situational awareness.

Endsley in “Human Factors in Aviation Operations” says that in a study of accidents among major airlines, 88% of those involving human error could be attributed to problems with situation awareness as opposed to problems with decision making or flight skills. A 1989 NTSB review of 361 General Aviation accidents concluded that 97% of the probable causes were attributable to pilot error.

FAA says “Routine tasks delayed until the last minute can contribute to the pilot becoming overloaded and stressed, resulting in erosion of performance. By planning ahead, a pilot can effectively reduce workload during critical phases of flight” (FAA-IFH, p.1-15). FAA also argues that the first accident cause factor that involves the pilot-in-command is inadequate preflight preparation and/or planning.

The FAA says “Flight crews should crosscheck the cleared flight plan against charts or other applicable resources, as well as the navigation system textual display and the aircraft map display. This process includes confirmation of the waypoints sequence, reasonableness of track angles and distances, any altitude or speed constraints, and identification of fly−by or fly−over waypoints” (FAA-AIM). Even though the FAA argues that flight crews should crosscheck the cleared flight plan against charts, the NTSB says that “the crew flew the route precisely as cleared”, dismissing the FAA. The NTSB says: do what you are told to do. The FAA says: crosscheck what you are told to do; crosscheck your clearance against the chart. The obvious reason for the FAA's advice is that if crews crosscheck clearances, misunderstandings are resolved. Brazilian ATC did not intend to clear FL370 from Brasília to Manaus; they omitted the Brasília limit for FL370. If the crew had crosschecked the clearance against the aeronautical chart and the filed flight plan, they would undoubtedly have known that they had been cleared as filed and that a Brasília limit was missing from the clearance issued.

FAA Advisory Circular AC 61-84B argues that one of the key elements of preflight planning is charts. It says literally: “A basic element of preflight preparation requires the use of current navigational charts on which pilots can mentally review their intended route of flight. They may or may not wish to draw a line on the chart representing the true course. Precise flight planning of log items, such as pre-computed courses, time and distance, navigational aids, and frequencies to be used will make en route errors in these items less likely. Preflight preparation is the foundation of safe flying. Accident statistics recent years indicate that adequate preflight preparation is lacking in many cases. To enhance the safety of flying, pilots are encouraged to (...) form good preflight planning habits and review them continually”.

So there is no doubt that preflight planning, which builds a mental model of the entire flight in advance, is a condition of safe flying. The crew's lack of preflight planning contributed to the accident insofar as they did not prepare to descend to FL360 when passing Brasília. If they had been prepared for the flight, they would have known that they could not fly at FL370 from Brasília to Manaus. When they were near Brasília, they would have been preparing to descend from FL370 to FL360 as foreseen in the filed flight plan, waiting for an ATC clearance. They would have been attentive to the instruments and to ATC communications. Instead, the crew was still working together on the calculations for Manaus, not realizing that the status of the transponder had changed. The transponder changed to “STANDBY”; the ATC radar lost the Legacy's transponder signal and reverted to “Primary Mode”. The “TCAS OFF” warning was shown on the displays of the two PFDs, and the “STANDBY” condition was shown on both RMUs. At that moment, neither crew member perceived the alerts showing the standby condition of the TCAS system. With the Legacy on autopilot, and with the pilots focused on the calculations at the computer, neither of them noticed the warnings on their RMUs and PFDs, because the only activity in the cockpit, minutes before and minutes after the transponder status changed, was the PIC and the SIC working together at the laptop, calculating landing and takeoff parameters for Manaus.

So flight planning was indeed a key contributing factor in the accident.
