CO Suggestion Box - Flight Test Safety

Lessons Learned from the Inadvertent in-flight Termination of a Tomahawk Cruise Missile
CDR Eric “Homey” Holmberg
Chief Test Pilot, VX-31 - 8 May 2008
NAVAIR Public release YY 08-229
Distribution: Statement A – “Approved for Public Release”;
Distribution is unlimited.
Lessons Re-Learned (or Not Learned) from the Inadvertent in-flight Termination of a Tomahawk Cruise Missile
Some Test Hazards are Obvious
Test Background Facts
• Tomahawk Facts:
– Contractor: Raytheon Company (Tucson, AZ)
– Unit Cost: $729,000 (FY 04-08 Multi-year)
– Propulsion: Solid-fuel thrust-vectoring booster – Ship or Submarine Launched; Turbofan cruise engine (550 lbs thrust)
– Weight: 2,900 pounds (3,500 pounds with booster)
– Range: 700 - 1350 nautical miles
– Speed: High-Subsonic
– Payloads: 1000 lb class, Conventional Unitary, Conventional Submunitions, Nuclear
– Dates Deployed: IOC - 1986; Block III - 1994; Block IV – 2004
• Reasons for Test:
– Development and Operational Test of New Variants and enhanced capabilities
– Verification of Fleet Inventories
– Fleet training
Many test assets – Lots of Test Money.
Scheduling:
- Ships Schedule
- Training
- Briefs x2
- Three Range Periods
- Four Aircraft blocked off for one week
Flow Overview
- 2 FA-18s on missile
- Tanker shadows package high, at ~15K MSL
- 1 FA-18 hangs on tanker, works FAA comms & traffic calls
Test Package:
- Two Ranges
- FAA/LA Center/Low Level
- Two weapons
- Sea Range Clearance Aircraft and Boats
- Launch Submarine
- 3 FA-18s for Chase
- KC-135 Tanker
- P-3 for telemetry relay
- Two Recovery Helicopters (capable of lift)
- Range Control Groups both at Pt. Mugu and China Lake
Remote Command and Control (RCC) System
• The RCC is operated by an Airborne Missile Flight Safety Officer (AMFSO) in the aft seat of each F/A-18.
– Take Navigational Control of the Tomahawk
  • Air Traffic and Weather Avoidance
  • Correct Navigational Errors
– Terminate the Tomahawk in the event of an emergency
• Each F-18 carries two Tomahawk Control Pods.
• Pod controller mounted on either left or right aft side console.
The Pressure is on.
• First Launch attempt: Day 1 (23 JUL)
– TFR Delayed shot
– NOTAM cancelled by FAA over weekend – was a mistake.
– Unable to Open IR-200 – MISSION CANCELLED
• DAY 2 (24 JUL, 319Q)
– Failed Launch Attempts
• DAY 3 (25 JUL, 319QR)
– Day of the Inadvertent Termination
Chase Aircraft Launch Timing
[Figure: chase aircraft launch timing diagram. Labels: MISSILE BOOST HDG; COSO-51, 500 FT; COSO-52, 500 FT; 350-400 KIAS; 3-5 SEC IN TRAIL; 3/4 TO 1 NM SEP AT LAUNCH; INBOUND @ BOOST HDG +45 DEG; time marks 0+00, 0+30, 1+00, 1+30.]
Launch Video
Transition to China Lake Land Ranges
[Figures: range diagrams. Labels: Tanker, 53, 51, P-3, N.]
Brief Lost Sight
Coso 51 passes control to Coso 52 and proceeds to tanker
Coso 51 Rejoins and asks for control back
RCC Control Transfer
• Control Transfer accomplished by on-coming AMFSO turning his power on, while off-going AMFSO turns his power off.
• Off-going AMFSO
– Confirmed Control Room ready and On-coming AMFSO was ready
– “RCC swap in 3,2,1 … Off”
Termination Video
Weapon is Terminated
• Program Office Reaction?
So what went wrong?
• Off-going AMFSO inadvertently actuated Terminate switch instead of Power switch.
• Simple – he moved the wrong switch! But how? Why?
• Failure investigation board established.
• Many Lessons that apply not just to cruise missile test but to testing of any system with flight termination or crew vehicle interfaces where critical functions are a single switch throw away.
Main Causal Factor
• Human Factor: AMFSO mis-prioritized procedural responsibilities by not visually verifying proper switch activation and substituted terminate switch for the planned power switch.
• “No fast hands in the cockpit!”
• AMFSO looked at switch, placed hand on it, removed hand, then started count down.
• Other lesser tasks were distracters:
– Maintaining sight of weapon following lost-sight.
– Simultaneously keying mic, counting down “control transfer in 3,2,1….off”.
Other Causal Factors
• Supervisory factor: Inadequate function and design of the control panel elevated the risk for inadvertent termination switch activation.
– Power and Terminate Switches identical
– Limited Real Estate = very close switches
– Panel location in aircraft not ideal
– Terminate switch lacked two-step “are you sure?” functionality.
Other Causal Factors
• Supervisory factor: Test Team, Chief Test Pilot and Chief Test Engineer failed to accurately assess the hazard of inadvertent termination activation and ensure mitigating steps were developed.
– Hazard and risk analysis didn’t think of this one and therefore did not develop a THA to mitigate it.
– Human factors analysis of control box had been previously completed with no issues
– Of course THAs now exist.
• Supervisory factor: Incomplete training was provided on the function and design of the control panel.
Other Causal Factors
• Supervisory Factor: The Test Wing “Firebreaks” Instruction was not broad enough to apply a two-step switchology to flight termination systems (FTS).
– Firebreaks are procedures/rules created to address accidental weapons firings/releases.
  • 1992: USS Saratoga Sea Sparrows versus Turkish destroyer.
– Accomplished this by requiring two “firebreaks” or a two-step safety process when there is no intent for release.
– Until very recently – did not apply to FTS systems which have similar risks to people and property.
Lessons Learned
1. No fast hands in the cockpit.
   • Task Prioritization is critical
   • Look, think, act slowly before you throw the big switch
2. Deficiencies in Crew-Vehicle Interface, even for flight test systems, can and will bite you eventually.
   • Take the time to human-engineer controls
3. There’s almost always a hazard out there that you probably didn’t think about – or mitigate.
   • Installation of an FTS system carries numerous new hazards. You need to ensure those hazards outweigh the benefits.
4. Aircrew “get-it-done attitude”. Cultivating test aircrew to question 'why' things are designed this way and 'what if-ing' the consequences of those designs can raise awareness to potential risks.
5. Sufficient training is critical in reducing flight-test risk.
6. Critical functions with potentially catastrophic results must have an “are you sure” step – or a two step process.