It gradually dawned on me
I had plenty of reason to suspect that corruption existed in government. Everybody knows that it does. What I did not understand is how it comes into being. It was not like what I would have expected.
I had been in FAA for about 6 years. I was the Southwest Region's first trained Mode-S installation engineer. I had been to school, which was taught by the engineers who designed and built it. They wanted us to know everything and it was an intense course. The Mode-S is a beacon interrogation type of RADAR. Beacon RADAR is not technically a RADAR. Beacon RADAR communicates with the airplane transponder, and there is no guarantee that the transponder will be working, so the actual RADAR provides a backup to make sure that there is something on the screen viewed by the controllers. A RADAR emits high energy RF (radio frequency) pulses at frequent intervals into a rotating antenna. A small bit of the energy of that pulse is reflected off many kinds of surfaces, intentionally airplanes. The reflection is received by the same antenna that transmitted it, microseconds later, and the range is determined by that number of microseconds. FAA calls these type primary RADAR. They call the transponder interrogation type secondary (or beacon) RADAR. At RADAR facilities in the US, both primary and secondary RADAR are installed. The secondary RADAR is what provides controllers with information from the transponder on an aircraft, aircraft identity and altitude. The range and azimuth are provided by both primary and secondary RADAR.
My job was to go to new RADAR sites and install new Mode-S or primary RADAR, or to go to established RADAR sites and replace the existing secondary RADAR with new Mode-S systems. This replacement kind of work has been compared to changing a tire on a car without stopping the car. Service must not be interrupted unless absolutely necessary, but the new system was going to use the same building and the same antenna as the existing RADAR. The plan that I was given to follow required powering down the existing secondary RADAR and then fire the Mode-S for brief periods in order to test the Mode-S for operation. The Mode-S could not be used for control of air traffic because it was not certifiable until it was commissioned. The Mode-S performance was recorded and good optimization required a lot of recording time, which would cause a lot of downtime and power cycling of the existing secondary RADAR system.
My goal was to optimize the performance of the Mode-S by making recordings of targets of opportunity (regular airplanes) and then analyze these recordings made using different tilts of antenna and variation of parameters in the Mode-S transmitter. The general idea is to minimize false data and maximize low altitude coverage and sensitivity. This optimized data was sent to RADAR Automation systems for further processing.
Powering down the existing secondary RADAR system with non-ancient systems was not a problem, but at the Mesa Rica ARSR-1/2 Long Range RADAR facility near Tucumcari, NM, their secondary RADAR was an ATCBI-3, which was built before transistors were in use. Tube type equipment was a lot better than nothing, but it was miserable to maintain and we were getting spare vacuum tubes from surplus supplies in Mexico. Anyway, those ATCBI-3 systems were running constantly, for years. They rarely broke, but if you turned it off, it would probably not operate when powered back up.
The procedure I was given was to repeatedly turn it off and on. The grouchy old technician who took care of that thing spoke of committing bodily harm against me if I kept breaking his ATCBI-3. He certainly wanted to, despite being an otherwise friendly fellow. Fear can be a great stimulus to innovation.
This topic gets a little complicated. There is a function in secondary RADAR called deFRUITing. FRUIT stands for False Returns Unsynchronized in Time. FRUIT is a reply from an aircraft transponder that is received by a beacon RADAR that was not interrogated by that particular beacon RADAR. In other words, it is possible, in areas where RADAR coverage overlaps between 2 or more adjacent RADAR sites, that a reply can cause a target to appear on a controller's screen that is not actually where indicated. False targets are a nightmare.
The deFRUITing function works by expecting the replies to be within a narrow period of time after the interrogation transmission is sent from the particular beacon RADAR. It removes any replies that could not have been generated for that beacon RADAR. As long as the pattern for transmitted pulses was such that it was at a different rate than the adjacent beacon system, the deFRUITers for the beacon systems was very effective at removing all FRUIT. There is also something called stagger/destagger, but for purposes of keeping it simple, I will not digress.
My idea was to look at the two beacon RADARs that were in the same room as if they were adjacent systems. I wondered if the deFRUITing function could handle the effects of constant dual interrogation. What would the plane's transponder do when hit with dual interrogations continually? Could the deFRUITers separate the two sets of replies without any problems? I decided to write a computer simulation of the transponder and deFRUITer to see how they would respond, on my own time. I had a lot of experience writing computer simulations for control systems, so this was not difficult. I just needed to know the allowable specifications for transponders, which was online.
Actually implementing this dual interrogation would mean that the Mode-S beacon system and the existing ATCBI-3 beacon system would be firing through their respective antennas in exactly the same direction, all the time. Would the transponders get overloaded? Overloading of transponders is a serious problem. It does lead to an interrogated transponder not replying, which can split the reply, making it appear as two aircraft in immediate proximity. But, running both systems would allow the ATCBI-3 to remain in service and for me to make recordings using the Mode-S beacon. The ATCBI-3 would not suffer a power cycle and the technician deeply appreciated this. One of the main reasons for developing Mode-S was to eliminate the need to repeatedly interrogate a transponder. One interrogation was enough because of something called off-boresight sensing. That was some fine engineering work.
My simulation showed that the dual interrogation would have a negligible effect on transponder performance. The replies would be slightly reduced in run-length (the number of replies stimulated by continually repeating interrogations during a scan), and only rarely. The effect would be completely insignificant. Compared to the benefits offered, it was an obviously good risk to reward ratio (no interruption of service) benefit, and a huge risk to cost ratio benefit. The equipment would not be broken by power cycling. They had a limited number of spare vacuum tubes and every time power was cycled, multiple tubes might die. Many of those spare tubes were of inferior quality and might not work at all. Restoring service was not easy because after tube replacement, alignment and recertification was required, and this was particularly difficult because the new tubes changed their behavior slightly as they broke in. The technician was not exaggerating. I would have made his job extremely difficult and he and his supervisor would be penalized for any extended outages caused by my cycling power. My ass might be covered, but my arm might be broken.
I proposed this plan of simultaneous firing to my supervisor who objected strongly and refused, without a moment's consideration. The advantage of not interrupting RADAR service and using the Mode-S during the day when there was actually traffic to record did not matter to him. The advantage of preventing long unnecessary outages due to power cycling the ATCBI-3 and the advantage of realistically optimizing the system using all altitude daytime traffic instead of only sparse high altitude night time traffic, which was the only option available if I followed instructions, did not matter to him. It was no skin off his nose, and his ass was covered. I was directed to follow the instructions.
I faced an ethical dilemma. I was sure my idea would work. I contacted some RADAR Automation engineers and told them of my idea. They believed it would work, and had no trouble seeing the advantages. I proposed trying it at night, during a scheduled service outage, and recording replies from targets of opportunity, with both beacon RADARs firing. The engineers concurred that this entailed no risk whatsoever, so go ahead. I did it. The recordings showed that there was no degradation to performance of either system compared to operating one at a time or both together. I reported this and was told, under no conditions are you to actually do this during the day. I went ahead and did it anyway. It was the only way I could hope to optimize the system. Be advised that this was for a remotely located system with very little overlapping from adjacent RADAR systems. In areas like the northeast corridor, conditions are much more RADAR dense. However, my simulation showed that even with many different beacon RADAR interrogations, the effect on replies was negligible.
I finished the job very quickly because of this advantage. The ATCBI-3 was not power cycled and my arm did not get broken.
The upshot of this story is that to do my job, I had to do something unapproved, for which I might get severely punished. The analysis of recordings with simultaneous operation proved that deFRUITing was enough to prevent target anomalies, in agreement with the computer simulation I had written. It was completely safe. I think the simulation showed that the only difference was a very small reduction in run-length, which needs to be a minimum of 4 and was typically 22. The simulation was confirmed in this detail. If memory serves, there was no increase in split rate.
I eventually learned that surviving under the domination of a bureaucracy meant doing the right thing and not getting caught. When I requested that I be allowed to carry a sidearm, I was told that I absolutely must not carry a sidearm when working alone for months at a time at a remote RADAR site, because it was disallowed. I did not understand that when this was translated from manager-speak, it meant, "YOU IDIOT, you mean you are not armed?"
The cars we used usually had government license plates. In certain areas, and increasingly so, cars with those plates receive gunfire. The facilities themselves receive gunfire. I have witnessed this. I almost always drove my personal vehicle.
When working on the Mexican border, at an ARSR-4 Long Range RADAR, as we neared the commissioning date, we had a visit from a team of military guys (84th RADES squadron and others, consummate professionals) who were there to install their own communications gear and to optimize their side of the RADAR for their purposes. FAA is not interested in a lot of things that RADAR can detect, because it clutters the screen. The military wants everything. While they were there, they told me of a message they got from an intelligence source warning them that the chatter indicated that the drug cartels were aware of our activities and they were not happy. A bounty had been placed on our heads. Then they left, and I was alone for months. I was unusually motivated.
Being in a position where doing the job right means risking losing it creates plenty of opportunity for blackmail and corrodes morale. I can tell you from my experience that the blackmail happens.
This advantage of simultaneous firing was ignored, although I circulated the idea widely. So, many RADAR sites throughout the country went ahead and incurred lengthy beacon outages, lots of unnecessary overtime and a reduction of the quality of aircraft surveillance because my method was ignored. It was ignored because the process of review to approve it would mean proposing it to a lot of people who would not understand it, who would get an opinion from somebody else who was likely equally ignorant, had the usual perverse bureaucratic incentives, and it would take years, before final disapproval. This dysfunctionality is always in the name of safety.
Dysfunctionality leads to corruption. People who understand are the ones who need to have the authority to make the decision, not somebody who happens to occupy an office and hold a prestigious title and is unwilling to delegate the decision (often for reasons of corruption or just the fear of backing up somebody who might make a mistake). This kind of thing corrodes morale and puts people like me into risky situations. It causes people to say to themselves, if the people in charge do not care about doing it the right way, then why should I?
Do you recall the DC10 that crashed in Chicago on May 25, 1979? A DC10 lost an engine *just* after taking of from O'Hare airport ... it rolled and crashed just after taking to the air ... now, there is a tremendous back story to this event, least of which I was across the lake (Lk Michigan) south of St. Joseph MI working for Heathkit (remember them?) at the time and could follow the story on Chicago TV stations ...
ReplyDeleteFor those that do not know - the tip of the Sears tower/building (which has a pair of structures atop it containing several FM and TV station antennas) can be seen *visually* with bare human Mk I eyeballs on a clear day from the high bank of the eastern Lk Michigan shoreline near the Heathkit plant building complex ... this 'visual path' BTW helps TV signal propagation, of course, TV using (at the time) VHF and UHF which are nominally LOS (Line-Of-Sight) propagation 'modes' making picking up a TV station from Chicago a 'piece of cake' using a portable TV with 'rabbit ears'.
BACK to the point of this story - turns out the engine came off the plane owing to - *no spoiler here* - I'll link to the NTSB report for the details: https://www.ntsb.gov/investigations/AccidentReports/Reports/AAR7917.pdf
There is no particular point to this post, just maybe that there are correct ways to do things, and there are incorrect ways to do things; the maintenance staff on that particular aircraft chose the latter of those two choices ... I don't know if the FAA/NTSB determined that the mechanics consulted any engineering personnel, or did any 'stress studies' on their own before adopting their modified engine replacement technique to determine any critical 'action' or damage their new procedure might lead to ... as it was the holes in the 'Swiss cheese' lined up to create that event owing to a complication involving a forklift (one of the holes) which did not 'hold' position (due to hydraulics, in an application it was not really designed to function) ...