“What we got (f……) hit?” exclaimed the captain of the Embraer-135 Legacy business jet, unaware that the GOL B737 was on the same airway as the two jets crossed the Amazon in opposite directions.

“I don’t know dude, just let me ah, let me fly it,” replied the first officer, who sensed (correctly) that the captain was upset.

“You got it?” the captain asked.

“Yeah,” replied the first officer, who assumed the flight controls.

A few moments later, the first officer asked, “Ahhh! Dude, did you have the TCAS [traffic alert collision avoidance system] on?”

“Yes,” he replied, then added, “The TCAS is off.”

The last protection against a mid-air collision was lost that clear day over the Amazon on 29 September 2006. The two airplanes collided at 37,000 feet as they passed, both right in the middle of the airway. The B737, its wing sliced off by the Legacy’s winglet, spun abruptly out of control, breaking up at about 8,000 feet and spewing wreckage and 154 bodies into the jungle below. The Legacy, although damaged, was flyable and diverted to a military airfield, its flight to a refueling stop at Manaus before continuing on to the U.S. forgotten. The two pilots and five passengers were unharmed.

It was the deadliest aviation accident in Brazil’s history.

A number of subtle and not-so-subtle factors led up to the accident. Complacency, both on the part of the Legacy aircrew and Brazilian air traffic controllers played a role, to be sure, but the cues from their ground-based radar and their aircraft systems were also at fault for not alerting them to the danger, according to the final December 2008 report of Brazilian authorities, the Aeronautical Accident Investigation and Prevention Center (CENIPA).

CENIPA’s 266-page final report contains 65 recommendations to prevent a recurrence. Some recommendations are more significant than others; only the highlights of the factors leading up to the accident and salient recommendations will be discussed here.

Air Traffic Control (ATC)

The EMB-135 flight crossed two air traffic control sectors. The first controller broadcast a message that the flight was authorized for 37,000 feet all the way to Manaus. No mention was made, according to CENIPA, of a “clearance limit.” However, the flight had been planned with a descent to 36,000 feet close to the boundary of the two air traffic control sectors. That flight planning, by the way, had been rushed in the haste to depart São José dos Campos airport, and the two pilots of the EMB-135, delivering the new airplane to ExcelAire Services, had never flown together, and the captain had never operated in foreign airspace.

Neither pilot had flown the EMB-135, except in the simulator, which featured a different fuel system. The first officer had flown the EMB-145 in his previous job so was somewhat more comfortable with the Embraer conventions. As the investigation revealed, the captain’s familiarity with the EMB-135 consisted of “only five hours of flight in the simulator.” Elsewhere in the report, one notes that the fuel system in the simulator was different than the one on the actual aircraft. As the investigation report observed:

“They got to the moment of departure with doubts and expectations relative to the functioning of the system of fuel transfer from the extra tanks of the aircraft, a feature that was not present in the simulator used in their training.”

There was a communication gap at the time when the EMB-135 passed from one air traffic control sector to another, and the flight crew, thinking (correctly) they had already been cleared to 37,000 feet, did not request the descent to 36,000 feet, which was what was in their flight plan (which, by the way, they had not reviewed together, as a team, before take off – the first officer attended a celebratory lunch hosted by Embraer to commemorate delivery of the airplane).

The relieving controller passed to the new controller that the flight was already at 36,000 feet, when they were not.

The receiving controller noticed that the radar target for the EMB-135 was not showing a Mode C altitude from the airplane’s transponder, but the radar – a military design – was capable of computing the airplane’s rough altitude. This was not sufficiently accurate for airplanes traveling in RVSM [reduced vertical separation minimum] airspace, which applied over the Amazon. In RVSM rules, aircraft must be separated vertically by 1,000 feet, as opposed to the 2,000 foot separation applied to non-RVSM airspace. This separation requirement was why the flight plan called for descent to 36,000 feet.

Variations shown on the radar of the EMB-135’s altitude were not enough to capture the attention of the controller, who apparently did not notice the “Z” symbol between the flight level requested and the actual flight level. The unobtrusive “Z” denoted the radar’s unreliable 3-D altitude computation (which varied from 36,000 to 38,500 feet, e.g., not nearly good enough for RVSM airspace).

The pilots, thinking they had been cleared for the entire flight to 37,000 feet, motored on. The new controller thought they were maintaining 36,000 feet, because that was in the data strip displayed for the aircraft.

The CENIPA report said:

“The attitudes of passivity and complacency displayed by the controller may have been generated by the false expectation that [the EMB-135] was maintaining FL 360. Such an expectation is corroborated by the attitude of the controller, when he altered the strip of [the EMB-135], changing FL 380 to FL 360 from TERES onwards. The impossibility to contact the aircraft, and even the fact that the flight plan filed by [the EMB-135] indicated a level change to FL 380 at TERES … were not sufficient stimuli for the controller to request support from the regional supervisor to deal with the problems, and to ask the assistant to advise the Amazonic Center of the aircraft condition.”

The U.S. National Transportation Safety Board (NTSB), in its comments to the CENIPA investigators, noted:

“The ATC computer automatic insertion of the ‘cleared altitude’ field in the displayed data block was one of the first chronological events that led to the collision … a design in which two distinctly different pieces of information (that is, requested altitude and cleared altitude) appear identical on the display is clearly a latent error … We recommend modifying the software to make it clear to controllers whether this field of the data block is displaying a requested altitude or a cleared altitude.”

The CENIPA report recommended an alert when the real flight level and the cleared flight level are not in “conformity.” This is not exactly what the NTSB recommended, and it remains to be seen whether the CENIPA recommendation, if adopted, is sufficient to resolve the confusion between cleared and actual altitude.

In any event, the ATC computer software automatically displayed a flight level that was forecast with a clearance (to 36,000 feet) that had not been issued by ATC or executed by the EMB-135 pilots. ATC software that quietly changes cleared flight level is an obvious invitation to disaster highlighted by this collision.

Cruising blithely at 37,000 feet, the EMB-135 headed directly into the path of the GOL B737.

Aboard the EMB-135 Legacy

The pilots had taken delivery of the new EMB-135 and had taken off early in the afternoon so that they would fly over the vast Amazon basin during daylight. A refueling stop, overnight, at Manaus, was planned before continuing on to Miami, Florida.

While in the air, the pilots got concerned about a NOTAM (Notice to Airmen) indicating that the runway at Manaus was restricted in usable length.

The first officer broke out his laptop computer to review the EMB-135’s weight and balance for the landing at Manaus. The investigators theorized that in holding the laptop, the first officer might have inadvertently hit the button on the RMU (Radio Management Unit) which turned the TCAS to the STANDBY mode (essentially, off). The EMB-135 featured two RMUs, one on each side of the instrument panel. The RMU also could be configured to portray fuel state; Embraer company pilots traditionally used one RMU for this purpose. However, the two pilots on this particular flight had both RMUs configured to display fuel state, as they were not totally familiar with the airplane and had concerns about fuel consumption during the flight.

Did a corner of the laptop touch the RMU button that controls TCAS? This is doubtful, although possible. The Brazilian investigators tested the hypothesis.

The investigators concluded:

“It can be seen that the control column [yoke] is an obstacle for the contact of the laptop with the aircraft panel, hindering any type of inadvertent activation of the various systems.”

What about the captain? Is it possible that he deactivated the TCAS by placing his shoe on the footrest at the bottom of the instrument panel?

The investigators discounted this possibility:

“[He] needed to twist his foot in such a way that the tip of the shoe touched the RMU button, in an angle not natural to the human being and in an intentional attempt to reach such buttons … In order for the transponder to stop transmitting, it is important to remember that the specific button … must be pushed two times consecutively in 20 seconds, which results in an extremely remote probability of this [happening] inadvertently …”

So what happened? The investigators concluded:

“[It] is possible that, while handling the pages of the RMU, the captain unintentionally set the transponder to STANDBY, by pressing the RMU button twice in less than 20 seconds, without being aware of the action.

“The fact that the CVR [cockpit voice recorder] demonstrates that the pilots appear to have noticed and then modified the status of the equipment after the collision, strengthens the hypothesis that the problem was an unintentional change of the operation mode.”

It gets worse. When the TCAS is in the standby mode, the message displayed on the primary flight display (PFD) to this effect was in white letters – not sufficient to capture the pilots’ attention. A flashing message in red, with a chime, would be preferable. As contributing editor John Sampson observes:

“Device control is changing wholesale from single function knobs to multi-function buttons. We don’t know exactly how the transponder got flipped to standby, but that a single inadvertent button push can silently put the transponder into standby is not a design philosophy that allows for human error. Perhaps an audible click and a flashing display would have alerted the crew that a button had been pushed in a non-standard fashion. The other question is whether transponder mode selection should have remained controlled by a knob. In my view, an old-fashioned multi-detented and labeled 360 degree rotary switch that points at its label is still the last word in crystal clarity, and it avoids selectability errors.

“Displaying TCAS Off in white is reasonable on the ground but needs to be more attention-getting in the air. The message likely would have been caught if either crew had an eye on the PFD when it first displayed, but the report shows that they were busy working the numbers for the landing and subsequent takeoff from the reduced length runway at Manaus.

“Same deal for the display of TCAS standby in the RMU – in the air a case could be made for it to be flashing.

“Losing TCAS in the air would seem to merit a chime and a line in the EICAS [Engine Indication and Crew Alert System] message list. It’s worth as much attention as losing a hydraulic system.”

However, the CENIPA recommendation lacks specificity, saying only that civil aviation authorities should:

“Review their regulations concerning the man-machine interface in the aircraft flight control station or flight deck, in terms of the positioning of the instruments, warnings and alerts, so as to prevent that inadvertent interactions between the crewmember and such devices affect the safety of the operation.”

This CENIPA recommendation has a footnote, acknowledging that the NTSB has submitted a recommendation to the Federal Aviation Administration (FAA). Indeed, in May 2007 the NTSB recommended that the FAA:

“Require, for all aircraft required to have a traffic alert and collision avoidance system installed and for existing and future systems designs, that the airborne loss of collision avoidance system functionality, for any reason, provide an enhanced aural and visual warning requiring pilot acknowledgment. (A-07-35)”

The NTSB clearly recognizes the need. The FAA disagreed, telling the NTSB it had no evidence of problems with TCAS’s being inadvertently turned off or to standby and that the Embraer RMU placement low on the instrument panel is unique to the EMB-135/-145 installation. The FAA said:

“If our review uncovers an installation where the transponder/TCAS controls have the potential for inadvertent operation, we will consider the need for enhanced alerting. At this time, based on the interim finding of this accident [in Brazil], the FAA does not see the need for enhanced alerting.”

In the face of this brush-off, the NTSB strangely characterized this answer as “Open – Acceptable Response.”

Note the weasel words in the FAA letter:

“If our review…”

“potential for inadvertent operation…”

“we will consider…”

In other words, actions for aural and visual signals that require pilot response in existing or future TCAS installations are highly problematic – and thus not at all likely. Oh, and the FAA did not indicate when its review would be complete (6 months, 5 years?).

What is apparent from the CENIPA report is that subtle and impassive indications at ATC and in the EMB-135 were not picked up by the controllers or the crew. The “Z” symbol on the ATC radar indicating a derived rough altitude was not instantly interpreted as an indication of TCAS Off. And the pilots were not aware of their TCAS non-functioning until after the collision.

The hard fact remains that the accuracy of today’s avionics is such that two aircraft at the same altitude headed in opposite directions will collide. The simple expedient of Lateral Offset Tracking (i.e., each aircraft sidestepping 0.1 NM in the cruise) would resolve this inevitability. The Brazilian report recommends this practice “in regions which present communication/radar deficiencies.”

There were other factors in the accident (English language non-proficiency among controllers, distraction in the EMD-135 cockpit, etc.), but the lack of system alarms both in the ground and in the air shows that designers expected too much of operators and pilots in a less-then-perfect working environment – which is to say, in the messy reality of human affairs.

(The full CENIPA accident investigation may be downloaded from http://ntsb.gov/

Aviation/Brazil-CENIPA/Midair_Collision_Final_Report_1907_(English_

Version)%5B1%5D_Redacted.pdf;  NTSB recommendations may be viewed at www.ntsb.gov/recs/Letters/2007/a07_35_37.pdf)