Ryanair flight landed at Manchester airport with six minutes of fuel left
theguardian.com714 points by mazokum 3 days ago
714 points by mazokum 3 days ago
That is very exceptional. I've written fuel estimation software for airliners (cargo, fortunately), and the number of rules regarding go-arounds, alternates and holding time resulted in there usually being quite a bit of fuel in the tanks on landing, by design. I've never heard of '6 minutes left' in practice where it wasn't a massive issue and the investigation into how this could have happened will make for interesting reading. A couple of notes: the wind and the time spent on the three go-arounds + what was necessary to get to the alternate may not be the whole story here, that's actually factored in before you even take off.
I'd be very wary to get ahead of the investigation and make speculative statements on how this could have happened, the one thing that I know for sure is that it shouldn't have happened, no matter what.
The context you're missing is that Ryanair have routinely declared fuel emergencies in the past, and it seems an operational tactic - they want to carry less fuel to burn less fuel, and then have to regularly mayday to jump the stack on inbound, saving cash. That's not covered in the article, but you can sure as hell expect the CAA are going to take another look at them and their operations planning.
On this one, they did 3 attempted landings at Prestwick. [Edit: I now see that the third attempt was at EDI] What happened between the first and the second landing that made them think on their second go-around that a third attempt was more likely to succeed than the previous two? Was the wind dying down, or was the captain just feeling a bit braver or stupider? [Edit: I'm still curious as to what information they gathered that landing conditions were significantly different at EDI to make that diversion, given its relatively close and so likely to have similar weather].
Why was their final reserve Manchester when there were literally dozens of closer suitable airports, at least some of which are likely to have had better wind conditions by virtue of lower gusts, or more aligned to runway direction so not dealing with a strong crosswind?
There are many reasons I won't fly Ryanair, but not least because they have been shown over and over again to make reckless planning and operational decisions, and they are fortunate to have not had hull losses as a result. Time is ticking down, variance will catch them one day, and a sad & tragic catastrophe is only a matter of time. People will go to prison as a result, because this pattern of behaviour shows that this isn't "bad luck", it's calculated risk taking with passenger and crew lives to save money.
> There are many reasons I won't fly Ryanair
I swore off them a decade ago when I realised how adversarial their relationship with their passengers is.
Until an accident does happen, I have no doubt they'll trouser a lot of cash.
Not just adversarial to passengers but to their employees also.
I hadn't heard about this. They can't be having fun if that's the case, caught in between the treatment of their employer and the customers they pay it forward to (for money).
I fly with them all the time and never have any kind of issue at all. They offer a good deal, ok there’s a couple of obvious dark patterns in their app and way of doing business but they’re hardly unique in that respect. Feels like getting a fast bus between European cities nowadays.
Well that revolver didn't go off the last 5 times I pointed it at my head and pulled the trigger. Surely on the 6th pull we can guarantee the same outcome!
I once had a board member who was also on the board of Ryan Air, and he casually told me a story about when their CEO gave a presentation on adding a credit card -powered interlock on the cabin lavatories. He told them, “They’re my planes and if you have the nerve to shit in them you should have to pay for the cleanup”.
My colleague thought he was portraying the CEO as a cool guy and decisive manager, but I thought the guy sounds like a sociopath.
Naively as an outsider, this situation seems like everything worked as intended?
On a nominally 2h45m flight, they spent an extra 2 hours in the air, presumably doing doing fuel intensive altitude changing maneuvers, and were eventually able to land safely with their reserves almost exhausted.
I’m a little confused by what there is to investigate at all.
How much fuel should they have landed with?
In safety-critical systems, we distinguish between accidents (actual loss, e.g. lives, equipment, etc.) and hazardous states. The equation is
hazardous state + environmental conditions = accident
Since we can only control the system, and not its environment, we focus on preventing hazardous states, rather than accidents. If we can keep the system out of all hazardous states, we also avoid accidents. (Trying to prevent accidents while not paying attention to hazardous states amounts to relying on the environment always being on our side, and is bound to fail eventually.)
One such hazardous state we have defined in aviation is "less than N minutes of fuel remaining when landing". If an aircraft lands with less than N minutes of fuel on board, it would only have taken bad environmental conditions to make it crash, rather than land. Thus we design commercial aviation so that planes always have N minutes of fuel remaining when landing. If they don't, that's a big deal: they've entered a hazardous state, and we never want to see that. (I don't remember if N is 30 or 45 or 60 but somewhere in that region.)
For another example, one of my children loves playing around cliffs and rocks. Initially he was very keen on promising me that he wouldn't fall down. I explained the difference between accidents and hazardous states to him in childrens' terms, and he realised slowly that he cannot control whether or not he has an accident, so it's a bad idea to promise me that he won't have an accident. What he can control is whether or not bad environmental conditions lead to an accident, and he does that by keeping out of hazardous states. In this case, the hazardous state would be standing less than a child-height within a ledge when there is nobody below ready to catch. He can promise me to avoid that, and that satisfies me a lot more than a promise to not fall.
If you haven't done so: please write a book. Aim it towards software professionals in non-regulated industries. I promise to buy 50 to give to all of my software developing colleagues.
As for 'N', for turboprops it is 45, for jets it is 30.
I want to write more about this, but it has been a really difficult subject to structure. I gave up halfway through this article, for example, and never published it – I didn't even get around to editing it, so it's mostly bad stream of consciousness stuff: https://entropicthoughts.com/root-cause-analysis-youre-doing...
I intend to come back to it some day, but I do not think that day is today.
Just started reading the linked text after reading your comment and I agree, this is high quality education, and enjoyable. It's an art, really. Thank you for sharing your work and please keep it up.
Just a thought I had while reading your introduction: this is applicable even to running a successful business model. I'm honestly having trouble even putting it into words, but you have my analytical mind going now at a very late hour... Thanks!
Ok. I am impressed with your ability to take such complex subjects and make them plain, you are delivering very high quality here. The subject is absolutely underserved in the industry as far as I'm aware of it, and I would love to have a book that I can hand out to people working on software in critical infrastructure and life sciences that gets them up to speed. The annoying thing is that software skills are values much higher than the ability to accurate model the risks because that is only seen as a function of small choices standing by themselves. A larger, overall approach is what is very often called for and it would help to have a tool in hand to both make that case and to give the counterparty the vocabulary and the required understanding of the subject in order to have a meaningful conversation.
Edit: please post your link from above as a separate submission.
Write it as a children's book. A literal ELI5.
(Knowing, of course, that it will still be read mainly by engineers. But that's the charm.)
Your writing is good, please keep at it. I think it would help a lot if you made it clearer when you're talking between root-cause-analysis for software, aviation, other things, or generically.
Also, your train-of-thought is pretty deep; bulleting runs out of steam and gets visually confusing, especially with the article table-of-contents on RHS, you're only using <50% of screen width. Suggest you need numbered/lettered lists and section headings and use the full screen width.
Thanks, I would buy your book. But I understand the effort necessary all too well.
If he aims it toward five year olds as he had explained it, bet it would be even more applicable to our profession.
Having spent some time with my five year old nieces and nephews, sometimes I wonder if five year olds could run companies better.
(note: obviously sarcastic but kids really do have some amazing insights that we forget when trying to chase KPIs or revenue)
See also: various points in the Evil Overlord list[0]. Selected examples:
#12: One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.
#60: My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords.
#74: When I create a multimedia presentation of my plan designed so that my five-year-old advisor can easily understand the details, I will not label the disk "Project Overlord" and leave it lying on top of my desk.
Google’s SRE STPA starts with a similar model. I haven’t read the external document, but my team went through this process internally and we considered the hazardous states and environmental triggers.
https://sre.google/stpa/teaching
Disclaimer: currently employed by Google, this message is not sponsored.
Seconded! This was an extremely well written and well thought out explanation of this idea. Would love to read more along these lines.
(Will now be checking out your blog.)
Seconded.
That being said: I have - for some years now - started to read air accident board reports (depending on your locale, they may be named slightly different). They make for a fascinating read, and they have made me approach debugging and postmortems in a more structured, more holistic way. They should be freely available on your transportation safety board websites (NTSB in America, BFU in Germany, ...)
> Trying to prevent accidents while not paying attention to hazardous states amounts to relying on the environment always being on our side, and is bound to fail eventually.
The reason they had less than 30 minutes of fuel was because the environment wasn't on their side. They started out with a normal amount of reserve and then things went quite badly and the reserve was sufficient but only just.
The question then is, how much of an outlier was this? Was this a perfect storm that only happens once in a century and the thing worse than this that would actually have exhausted the reserve only happens once in ten centuries? Or are planes doing this every Tuesday which would imply that something is very wrong?
This is why staying out of hazardous conditions is a dynamic control problem, rather than a simple equation or plan you can set up ahead of time.
There are multiple controllers interacting with the system (the FADEC computer in the engines, the flight management computer in the plane, pilots, ground crew, dispatchers, air traffic controllers, the people at EASA drafting regulations, etc.), trying to keep it outside of hazardous conditions. They do so by observing the state the system and the environment is in ("feedback"), running simulations of how it will evolve in the future ("mental models"), and making adjustments to the system ("control inputs") to keep it outside of hazardous conditions.
Whenever the system enters a hazardous condition, there was something that made these controllers insufficient. Either someone had inadequate feedback, or inadequate mental models, or the control inputs were inoperational or insufficient. Or sometimes an entire controller that ought to have been there was missing!
In this case it seems like the hazard could have been avoided any number of ways: ground the plane, add more fuel, divert sooner, be more conservative about weather on alternates, etc. Which control input is appropriate and how to ensure it is enacted in the future is up to the real investigators with access to all data necessary.
-----
You are correct that we will not ever be able to set up a system where all controllers are able to always keep it out of hazardous states perfectly. If that was a thing we would never have any accident ever – we would only have intentional losses that are calculated to be worth their revenue in additional efficiency.
But by adopting the right framework for thinking about this ("how do active controllers dynamically keep the system out of hazards?") we can do a pretty good job of preventing most such problems. The good news is that predicting hazardous states is much easier than predicting accidents, so we can actually do a lot of this design up-front without first having an accident happen and then learning from it.
> This is why staying out of hazardous conditions is a dynamic control problem
I don't think this philosophy can work.
If you can't control whether the environment will push you from a hazardous state into a failure state, you also can't control whether the environment will push you from a nonhazardous state into a hazardous state.
If staying out of hazardous conditions is a dynamic control problem requiring on-the-fly adjustment from local actors, exactly the same thing is true of staying out of failure states.
The point of defining hazardous states is that they are a buffer between you and failure. Sometimes you actually need the buffer. If you didn't, the hazardous state wouldn't be hazardous.
But the only possible outcome of treating entering a hazardous state as equivalent to entering a failure state is that you start panicking whenever an airplane touches down with less than a hundred thousand gallons of fuel.
My understanding is that the SOP for low fuel is that you need to declare a fuel emergency (i.e., "Mayday Mayday Mayday Fuel") one you reach the point where you will land with only reserve fuel left. The point OP was making is that the entire system of fuel planning is designed so that you should never reach the Mayday stage as a result of something you can expect to happen eventually (such as really bad weather). If you land with reserve fuel, it is normally investigated like any other emergency.
Flight plans require you to look at the weather reports of your destination before you take off and pick at least one or two alternates that will let you divert if the weather is marginal. The fuel you load includes several redundancies to deal with different unexpected conditions[1] as well as the need to divert if you cannot land.
There have been a few historical cases of planes running out of fuel (and quite a few cases of planes landing with only reserve fuel), and usually the root cause was a pilot not making the decision to go to an alternate airport soon enough or not declaring an emergency immediately -- even with very dynamic weather conditions you should have enough fuel for a go-around, holding, and going to an alternate.
[1]: https://www.casa.gov.au/guidelines-aircraft-fuel-requirement...
Landing at an alternate location is significantly more expensive, so I assume Ryanair put pressure on its pilots to avoid that…?
We'll find out in the investigation, but "get-there-itis" is a very common condition amongst pilots and can lead to them delaying making decisions (such as going to alternates) so it's possible that this happened without explicit (or implicit) pressure from management.
That being said, the fact that (AFAICS) they first tried to divert to a closer airport where the weather was similar rather than an alternate with clear weather was probably one of the causes of this event.
Well said, will think about asking this attitude towards my child, seems very helpful
That's very enlightening. I'm casually interested in traffic safety and road/junction designs from the perspective of a UK cyclist and there's a lot to be learnt from the safety culture/practices of the aviation industry. I typically think in terms of "safety margins" whilst cycling (e.g. if a driver pulls out of a side road in front of me, how quickly can I avoid them via swerving or brake to avoid a collision). I can imagine that hazardous states can be applied to a lot of the traffic behaviour at junctions.
As others have said, final fuel reserves are typically at least half an hour, and you shouldn't really be cutting into them. What if their first approach into MAN had led to another go around?
With a major storm heading north-easterly across the UK, the planning should have reasonably foreseen that an airport 56 miles east may also be unavailable, and should've further diverted prior to that point.
They likely used the majority of their final fuel reserve on the secondary diversion from EDI to MAN, presumably having planned to land at their alternate (EDI) around the time they reached the final fuel reserve.
Any CAA report into this, if there is one produced, is going to be interesting, because there's multiple people having made multiple decisions that led to this.
Suspect they were IFR. All your points stand. First time flying things with a jet engine, I was shocked how much more fuel gets burned at low altitude. It almost always works out better to max climb to altitude and descend than to fly low and level. On a small jet, things can get spicy fast when ATC route you around at 5000' for 15 minutes or so. Three aborted landings would gobble gas like crazy.
§ 91.167 Fuel requirements for flight in IFR conditions.
(a) No person may operate a civil aircraft in IFR conditions unless it carries enough fuel (considering weather reports and forecasts and weather conditions) to—
(1) Complete the flight to the first airport of intended landing;
(2) Except as provided in paragraph (b) of this section, fly from that airport to the alternate airport; and
(3) Fly after that for 45 minutes at normal cruising speed
They were most definitely IFR. Not because of the weather but because IFR is required above certain altitude 18,000 ft in the U.S. and typically lower in Europe (depends on a country). Jets including small private jets are almost always on IFR. Airliners with passengers - always.
Why does it burn fuel so fast?
My guess is higher air density means more wind resistance, which acts as negative forward acceleration.
Not just that. Jet engines are efficient at higher speeds because the exhaust of the jet engine is fast.
If the plane is going fast as well, that exhaust is more or less stationary relative to the ground. The engine works to exchange the position of the plane with the position of the air in front of it.
If the plane is going slow, it's accelerating the air backwards. That's where the work is going, making the engine less efficient.
Think about it this way: if the jet airplane is tied to the ground, its engines are running at 0% efficiency, working hard to blow the air backwards. You wouldn't want to stand behind a jet engine when the plane is about to take off, when that's effectively the case.
The same applies to propeller-driven planes, of course. But those can vary the prop speed as well as propeller pitch, having more control on how fast the air is being pushed backwards. This allows the engine to be efficient at a wider ranger of speeds, particularly, at the slower range.
But the propeller has a limit of how fast it can push the air back. When the prop blades start reaching the speed of sound, weird shit starts happening [1]. So propeller-driven aircraft have a limit on speeds at which they can go efficiently.
Jet engines (turbofans when it comes to airliners) trade off low efficiency at low speed / low altitude (where the airplane is spending a small percentage of flight time) for higher efficiency at high speed / high altitude.
Variable pitch turbine fans[2] aim to address this tradeoff, but the tech has yet to catch on.
[1] https://en.wikipedia.org/wiki/Republic_XF-84H_Thunderscreech
That sounds like Oberth effect in rocketry, where the faster you go the more efficient your rocket be: https://en.wikipedia.org/wiki/Oberth_effect
You are right that accelerating the air backwards more reduces efficiency but I think it should be mentioned that the jet engine has to accelerate the air backwards to do any work pushing the plane forward. Picking it up and setting it back down affects the air with a net force of zero and therefore the force pushing the plane forward is also zero.
So perhaps the differential air speed between the intake and exhaust is a big factor in the efficiency equation? The bigger the difference the more work is needed..
Variable pitch turbine fans sound very interesting! Perhaps in the future as tech improves and fuel efficiency incentives continue to increase.
I think about it like this:
Jet needs to suck air from front. If air is stopped, sucking is hard. If air is already being thrown at you, you don't even need to suck, just let it come in.
Just reaching altitude again to make it to the first and later second alternate are mostly likely the biggest factors in the extra fuel consumption. That's very expensive.
The 30 min reserve is on top of the fuel needed to reach the alternate and do a landing there, so only the flight to the second alternate, plus the 2nd and 3rd landings at the initial destination would have cut into the reserve.
With 100mph winds I could easily see the 30 min reserve being eaten up by the flight from Edinburgh to Manchester. It's 178 miles! It takes a good 15-20 minutes to cross that distance when flying normally, add ascent & descent time and the landing pattern and you're easily at 24 minutes.
Edit: in other comments here, it seems like Edinburgh to Manchester is a 45 minute flight. So yeah, they could easily have been outside of reserves when they did the go-around at Edinburgh and still had only 6 minutes left at Manchester.
Yeah, although it depends what the alternate was in the flight plan. It may have been Manchester. Although I think its more likely it was Edinburgh, which in the circumstances was too optimistic. Too much concern about the minimal costs of fuel tankering to add a bit more gas? Or saving time by not refuelling?
Ive never flown on Ryanair and dont intend to.
As far as I’ve heard, Ryanair will cut into literally everything (including comfort and decency) for the sake of efficiency – other than safety. Even if they wanted to, they're subject to the same commercial aviation regulations as everybody else.
Do you have anything other than this single incident to back up your insinuation that they’re less safe than a full service airline?
I don't know how true this is but I have heard Ryanair will use the absolute legal minimum amount of fuel whenever possible whereas other airlines might fly with a bit more.
In theory though that shouldn't matter because as you say, the legal minimum should really be enough.