379 comments

[ 3.5 ms ] story [ 320 ms ] thread
Maybe they can use a service like Starlink to stream voice, location and blackbox data to a secure location on land, that way even if the flight is lost or destroyed we would know what happened, or even where the heck it is(looking at you MH370).
Why not just record more than 2 hours? Maybe two days worth of audio instead?
Indeed, the proposal is for 25 hours, and its not like recording 25 hours of audio is fundamentally more complex than 2 hours these days.
Because onboard recordings are prone to loss or destruction, intentional or otherwise.
The captain would likely also have disabled starlink and pulled the circuit breaker in the case of MH370, I wouldn’t be surprised if the VCR and FDR reveal nothing once we find them.
Maybe, but the recordings until that point would still be available, so we would atleast hear what happened to the copilot and what did they say etc.

How is that worse compared to now where we don't even know where the plane is? Just the underwater search cost $200M, with no results. Would've costed more if they didn't give up so easily.

MH370 is maybe not a good example, but AF447 is a good one.
Yeah, they can use Starlink to stream it across X, then store it (distributed, hashed, salted, and encrypted) in Tesla on-board storage. Only gold verified X users would get to access it without FAA permission.
I'm serious when Musk is in play people actually throw out their brains just get some virtual upvotes. Or just make incredibly stupid jokes.

SpaceX is US military contractor with very high security clearance. Starlink is literally used in war against nation state attackers.

It's not Musk, per se; it's that Musk is conflicting with The Narrative(TM), thus is a target. At least HN is better than Reddit, which is jam-packed with human NPCs, who react in similarly predictable ways without intelligence.

A recent Reddit post discussed something positive about Texas. The replies? Hundreds, maybe thousands, of comments by Redditors, all with no more content than some sneering variant of "Fix your electrical grid first", referring to the harsh winter storm of 2021 that knocked out power to much of the state. It was something to see.

If we can dismiss GPT as "just autocomplete", I can dismiss all those Redditors in the same way; as NPCs. At least GPT AI can produce useful and interesting output.

I actually think Starlink is a super cool project, even if I wish someone else was in charge of it. I'm grateful that Musk managed to make electric cars "cool", and that his personality will make them more acceptable to conservatives that might otherwise have a knee-jerk resistance, and I think that Tesla actually did a lot to push the technology and the economy of electric cars. I think it's wonderful that we're investing more into space, even if, again, I would prefer someone else to be in the drivers' seat.

I absolutely recognize Musk's contribution to things that I value and respect.

I also think it's a little absurd how often he's brought up in completely unrelated discussions. It's a little like how whenever someone mentions that at-home electricity storage is a bit of an open question, people bring up flywheels, even though Powerwalls are a much more reasonable approach, just because they think flywheels are rad. The amount of times people try to shoehorn a Musk-related technology, (or even say "Hey let's get Elon on this, I bet his infinite money and brains could solve e.g. food distribution with um drones and Starlink and Boring Company I don't know he'll figure it out) makes it a little hard to take his biggest proponents seriously.

(1) Starlink for airplanes is very expensive. Multiply that by many many thousands of planes and its $$$$$$$$.

(2) With that many planes you start to get into Starlink bandwidth issues. Cant it support that many? I honestly don't know

(3) Its a new complicated piece of equipment that may fail. What if the transmitter is broken? Blackbox systems are much simpler

(4) A lot of this data is already transmitted (speed, altitude, position, etc, just not voice), so no need to build a system for it.

There are many other system other then Starlink you could also use. And most airlines already have these installed anyway. And if a new plane costs minimum 25 million $, and most cost 50 million $ or more, a few 1000s to safely record data seems reasonable.

Bandwidth issue for a bunch of audio files? I think we can figure that out.

> (3)

I don't think a single person would suggest we replace the Blackbox. This would be in addition, not instead.

> (4)

I'm sue the plane produces lots of data that isn't transmitted. It would generally be smart to transmit far more data then we currently do and I'm not sure those methods are up to large increases.

But if they are, then yes that would be good.

For the cost - you are talking about the capex. Starlink would go under opex, and thats where the margins lie. You can probably make the numbers work, but no one wants to touch this.

For bandwidth - there are typically around 10k planes in the sky at any time, and that number typically grows. Thats 10k audio files streaming at a time, all day, every day. Add to that the nominal Starlink traffic that already causes bandwidth issues and you end up with probably non-trivial bandwidth issues until there is larger scaleup

Passengers can get a decent network connection on planes these days, no need to make a totally new system. But it's best effort; I'd still want a local copy that's a separate system from the uploaded audio.
Why starlink? Planes typically use Inmarsat which provides better coverage.

Various aircraft data are already uploaded in flight ("stream" would be an exaggeration though) as you can see from the MH370 example you cited. The data uploaded are increasing as companies like Rolls-Royce become more of a data company.

The black boxes are pretty robust (assuming you can find them!) and uploading the voice data is probably not worth the cost.

> Planes typically use Inmarsat which provides better coverage.

Ask the families of MH370 how well Inmarsat works.

If the pilot can disconnect Inmarsat, he can disconnect Starlink. He might even be able to disconnect Twitter and in-flight entertainment.
But we would have the communications and real time location till the disconnect happened. In case of MH370 and Alaska 737 those are lost. That would give us clues as to what happened.
We know where MH370 disappeared thanks to ADS-B, and after it was disconnected, it was still seen by primary radars.
Okay and where are the pilot comms till it was disconnected?
No need to be confrontational, I'm not opposed to FDR/CVR streaming. I just dislike solutions to problems that have already been solved, and we were just pointing out that starlink does not bring anything to the table vs. ADS-B, radars, and inmarsat.
Only if it's on a blockchain. *checks calendar* oh sorry, it's not 2021.
Currently it’s fairly common that a lot of flight data is logged during the flight, and transmitted to a server via 4G when on ground.

It doesn’t help when the aircraft gets destroyed, but it does create fairly big databases for analysis and preventive maintenance.

This is a proposal from the NTSB to the FAA to raise the CVR recording time from 2 hours to 25 hours, in line with ICAO. This is very likable scenario for everyone except pilots unions.

> The NTSB has conducted 10 investigations since 2018 where the CVR was overwritten, including four runway incursions, Homendy said.

I tuned into the NTSB press brief last night, and they emphasized understanding communication is important for the best accident analysis. Homendy stated that they now do not have any record of communication between the flight deck and cabin.

Why stop at 25? Record all of every flight and archive it.

Develop a standardized structure to make it searchable by different factors or combinations of factors (e.g., 777 model later than Z & decending & outside temp < X & throttle is > Y & etc.) When there's an accident, you could review similar circumstances.

From my ignorant perspective on air safety, it would seem to be a gold mine.

This industry is ridiculously slow compared to IT. Air traffic comms (both voice AM and text ACARS/VDL) are not only not encrypted, but also crucially not even authenticated. So you can send text messages and speak to any aircraft at any privilege level (just say you're ATC) with a simple SDR. Or you can spoof a faulty engine message on the downlink channel.
The antiquated AM mode and the lack of encryption or even digital encoding is a safety feature for air traffic voice communications. Very weak signals still have a chance of being intelligible and if two signals are transmitted at once on the same frequency, both can still be heard.
Yeah but it's terrible for security. Also digital modes work just fine at the same range - I have no problem hearing ADS-B messages from up to 200mi away from my ground level antenna, where the max range is only limited by the curvature of the planet.

And note that the real problem is with authentication (MACs, or digital signatures), not encryption. Public availability of those records is actually probably beneficial. It's a common misconception to think that you need to encrypt while in reality you perhaps need to encrypt, but first you absolutely must authenticate.

Is this an actual problem that is happening in practice, though? How many instances of "unauthenticated" airband communication have caused an accident? I don't know. Even if the answer is nonzero, I'd be willing to bet it's less than ten in decades.
There was a guy in Berlin who was issuing fake landing clearances recently: https://aviation.direct/en/berlin-falscher-fluglotse-narrte-...

It took 6 months to find him, and mind you that that guy was the opposite of clever (he was talking from his bathtub, from what I remember, and he started out not even knowing the ATC language).

Also, it really makes sense to think ahead just a bit, you know. Not everything has to be triggered with an accident, and in this case we're likely talking about terrorism, since no one would do this without realising just how bad the legal consequences are.

You don't really need more security, because if a pilot gets an ATC instruction that doesn't make sense, they're going to question it. Pilots aren't following instructions blindly, everything is mentally cross-checked against what we expect should be happening for situational awareness. (And ATC would also hear the interloper and immediately speak up.)

On top of that, almost everyone in the US also has some form of collision avoidance technology now, as well (either TCAS or ADS-B).

And there's plenty of times where the only time I could hear ATC was with the squelch full open, trying to pick a faint signal out through the static. Digital modes are terrible for this.

Eh, I get a lot of pushback in this thread. But I'll reply.

We're talking about something like a landing clearance. It doesn't have to be completely off the chart. And yes you can inject a message like that successfully, without the ATC ever knowing.

TCAS is equally broken - doesn't have authentication codes / signatures. It's actually more vulnerable since it has higher priority than ATC.

Digital modes can encode speech more efficiently than analog modes, thus reaching further on the same link budget. For example ADS-B is "audible" as far as the curvature of the planet allows - my own antenna can hear messages from up to 200mi away.

It really is a serious problem.

At least in the ham radio community, experience is that digital radio sounds better further, but at the extreme ends of signal reception the digital signal becomes completely unusable before an analog signal becomes unintelligible.

See: https://en.m.wikipedia.org/wiki/Cliff_effect

https://www.selby.com.au/blog/what-is-the-digital-cliff-2

Up in the air, I can also hear AM analog voice transmissions from 200 miles away, so that's not really a good measure of performance. Both modes already do that. Benefit of having an unobstructed line of sight from several miles of altitude. :)

I mean, to put it simply it would just work with a digital mode. But that's not the point, the main point is that there is no authentication mechanism. Such systems are indeed being abused, for example trains were recently halted in Poland. This happened because they have an un-authenticated channel of communication that allows anyone to do that:

https://cybernews.com/news/century-old-technology-hack-broug...

It's only a matter of time before this happens in aviation, but unlike in the trains case it doesn't have to be just an availability problem (all trains stopped safely), it can be a "remote code execution" problem.

This is an annoyance, not a safety issue. No aircrew is just going to blindly follow instructions routing them off to east Jesus after they already understand where they're going and how they're cleared to get there. What's more, on any given freq, you're talking to one controller.

And if another voice comes over the freq giving you instructions that don't make sense, the response is going to be a polite version of "WTF?"

Why do you think the ATC will hear it? You can use a high gain antenna. Also, you can play some really nasty tricks with things that override the ATC, such as TCAS. Or things that are independent of the ATC, like that faulty engine readings sent over ACARS that I mentioned earlier.

There really is no way to do it safe without authentication codes or digital signatures.

PS. And the readback can be just jammed.

You're absouletly right. Here's a pretty good article covering some of the attacks that could be done against radio navigation systems:

https://arstechnica.com/information-technology/2019/05/the-r...

On a foggy day when the visibility is right at minimums, I can imagine a huge risk of aircraft being sent off-course right before landing. Hopefully the pilots would still be able to recover the situation - the TOGA button is right there on the thrust levers on most aircraft - but nobody is infallible.

I would imagine that some military transport aircraft have backup, INS-based navigation systems that create a synthetic glidepath without external radio signals. Airbus have been trying to introduce such systems on commercial airliners for quite a while, although that is intended to allow landing on more remote runways rather than specifically to improve security against malicious interference.

All that is to say that the lack of fatal aviation accidents that we know were caused by malicious radio interference doesn't in any way make the attack less feasible.

Digital signatures, even with conventional X509 certificates straight out of the OpenSSL library, would go a long way to mitigate this risk. What about the risk of the signatures failing? The worst-case scenario is that the pilots get a warning on their ECAM display: "Comms not secure". That should at least alert them to the possibility of false readings even if it can't correct them.

I don't think you have a very good grasp of how aircraft operate under instrument flight rules. Lots of what you're describing is along the same lines as saying "if whole bunches of people decided to start crashing into things or firing sniper rifles from overpasses, it'd create major havoc on the roads, and therefore our roads are insecure." Well, duh. But until there's a credible threat of that occurring, it's not worth worrying about.
It takes just 1 person who knows a bit about radio and aviation and maybe $1000-$2000 worth of hardware to pull off such an attack. And we know that terror organisations go to much further lengths to make it to the press headlines.
If a terror organization wanted to do that, they'd probably end up using rifles or missiles.

https://xkcd.com/538/

Rifles do not reach airplanes, and SAM systems are quite tightly controlled. For example Hamas is unable to take out even any of the slow piston engine Israeli surveillance drones. They even have a name for them in Arabic, you can hear the sound of the drone in almost any footage from Gaza.
Rifles can reach airplanes on the ground just fine, MANPADs have a habit of popping up in inconvenient third-world conflicts, and this whole idea that we need to have secure ATC comms and need to rewire our navigation system is still an absurdity.

Every modern airliner has dual-redundant or better GPS-aided inertial navigation systems, and every professional pilot is trained on procedures for flying in the airspace system after losing all their (multiple) radios. This is literally not a risk worth spending the millions/billions it would cost to mitigate, any more than Joe Average Internet User needs to hire a professional cybersecurity firm to secure his home Wi-Fi router.

Exactly!

And while we're at it, why stop with CVRs? Software is a key component of all engineering domains today, and thus a critical safety factor.

All MacBooks (the most popular developer machine today) have built-in microphones. We should using them to record all dev conversations (after all, there's zero incremental hardware cost to doing so), as well as all keystrokes of anyone who writes software, 24/7, so that we can retrospectively analyze why they failed to avoid writing buggy code and the decisions that led to it.

Everyone who has had their PII leaked will rejoice, knowing that we can finally "get" those nasty open- and closed-source developers who created CVEs.

"B-b-but, that's different!"

But it is different. Your message could've had an entirely different tone that would have provided a thoughtful yet tangential analogy. Instead you've chosen a specious strawman approach for some reason.

There's a clear and obvious difference between a self-important person who writes software and a person who pilots hundreds of folks over top of thousands of other folks in a slow and only mildly explosive missile.

That mildly-explosive missile has software running on it too. So do a lot of actual missiles, for that matter.

If we record every action of the pilot of a plane, why wouldn’t we also record every action of the developers who wrote the autopilot software, or the fly-by-wire software?

Because the developers don't need to make snap decisions under stressful conditions with lives at stake. If you can't see the difference, sorry, that's on you.
Making snap decisions under stressful conditions has nothing to do with recording actions for later root cause analysis. If you can’t see the difference, sorry, that’s on you.
Recording every action of a pilot in the performance of their job, vice recording every action of a pilot in their daily goings on. These are two different things.

As a developer, every final action is also recorded in the performance of their job. That's what Git is for, and that history lasts for quite a lot longer than 2 hours.

You’re not seeing the parallels.

The original comment suggested recording every action from the cockpit and using it for analytical data. The final action isn’t the goal. The steps and discussion that got them to the final action is. Hence recording every step the pilot takes, and the equivalent would be also recording every discussion that the software developer made that influenced them to write the code the way they did.

Saying “the git commit is there, that should be good enough to know the result” is like saying “the pilot landed the plane, that should be good enough to know the result”. Why do we even need CVRs at all? The final action is right there, right?

So again, why record everything the pilot says but not everything the developer that wrote the autopilot says?

(comment deleted)
I think it would be helpful to qualify ‘everything the pilot/developer says’ with ‘in the past 25 hours’.

For a pilot that just flew a 12 hour flight with a malfunction that would be of obvious benefit.

For a developer that introduced a bug 8 months ago, maybe not so much. Even if you recorded every interaction the dev had over that time period nobody would be able to go through everything and get sensible information.

The comment that kicked off this chain of comments wasn’t suggesting the past 25 hours, it was suggesting recording all flights, always, and storing it forever to be analyzed at any date in the future.
I think we already record the git-equivalent of pilot data: telemetry from the plane (the inputs, the actions) are already logged.

If ‘directly responsible for lives’ is the rationale for voice recording pilots in the course of their jobs, and not developers, since developers are not directly responsible, but indirectly responsible, can we also expand the list of professions to include always recording police, firemen, and all medical professionals all the time.

I suspect making sure that surgeons know that anything they say during the course of their job, can and will be held against them in a court of law, will not serve to improve the quality of the work they do.

(comment deleted)
As if all email/Slack convos aren't already saved and archived...
Have multiple cameras on every airplane and record absolutely everything so that pilots and passengers both have skin in the game. We are relying on individual phone cams to record events which is stupid. We are in an age where this kind of information is already pushed on police officers and the public in general. The amount of safety information we can get will be extremely invaluable, especially with something like a catastrophic failure like this 737 MAX failure.
Voice recording is a big privacy concern for the crew. This is our workplace, so you would be recording every conversation, also any idle chat of which there is quite a lot in cruise flight. The current voice recording is only accepted by the crew with the agreement that it is not stored, and can only be pulled after a serious incident in which case there will be a no-blame investigation.

But what you're trying to solve, already exists without the voice recording part. It's called FOQA or Flight Operations Quality Assurance. Mandatory for airlines in Europe, not yet mandatory in the US but may be in the future.

It records hundreds of parameters from engine indications to touchdown speed, G-loading, control inputs etc. Automatically uploaded to the operator and tracked for the whole fleet. That data is de-identified and used for safety analysis and improvement.

(comment deleted)
Respectfully, it is your workplace in which you're responsible for the lives of thousands of people each week. I don't think it's unreasonable to keep proper tabs.
Respectfully: the pilots have been doing an absolutely excellent job with it for decades without us having to destroy their privacy.

An argument can easily be made that this extra stress will make flying less safe.

Edit: my next car will probably have mandatory spyware and unlike pilots there won't be a guaranteed no blame process if something happens. It is pretty easy to see how this will be abused by insurance companies and data harvesters.

I think I kind of understand the processes that lead to this. But I seriously wish tech people wouldn't be accepting it and even argue for it.

Respectfully, history is a terrible measure for carrying on as we have.

Tech people are arguing for accountability in a life/death scenario.

That there is no privacy in public spaces is a longstanding social/legal tradition. A cockpit is physically private for physical security reasons but the pilots in the cockpit are acting on behalf of public trust. Their social norms in that physical context are not their own to define.

If pilots want privacy they can quit and sit at home.

Free market at play, no airline can afford to say "well then quit and sit at home". There is a huge pilot shortage. No airline in their right mind is about to do things their workforce doesn't want.

Just to illustrate, 5 years ago a first officer on year 2 pay would make on average 40-50k per year. In 2023 that has increased to 143k per year for all three American Airlines owned regionals (plus a 165k retention bonus). Similar for Spirit, increased to 142k standard and 145k on the Airbus. And JetBlue to 160k for the A320 and 153k for the A220.

In this market, the first airline CEO to say "well then quit and sit at home" to their union will have half their workforce walk out within months.

Precisely why the FAA should implement this and not leave it up to the airlines.
So far I can't see anyone coming up with any cases were this would have made life safer or even solved a previously unsolved case.

The law of diminishing returns very much exist, and as one of my teachers in engineering once pointed out: if you really want to use surveillance to put a dent in the crime statistics you should put it in people's living rooms and in their bedrooms.

Do you feel the same way about surveillance of the inside of your car while it's on public roadways?
If I’m a taxi driver or school bus driver, yes!
You're just a able to crash into oncoming traffic as any cabbie. Why should you not be subject to the same intrusive surveillance? What are you hiding?
There's a key distinction between operating a vehicle for commercial purposes and a private operation, not just the ability to harm others. There's a reason why commercial pilots licences are in a completely different league in terms of training and responsibility to PPLs.
(comment deleted)
> Edit: my next car will probably have mandatory spyware and unlike pilots there won't be a guaranteed no blame process if something happens. It is pretty easy to see how this will be abused by insurance companies and data harvesters.

If anything, the proliferation of dash cams will (and have) lead to bad drivers being appropriately charged more for insurance than good drivers. Previously, if you were cut off and collided with someone, you were always assumed to be at fault if you were behind the other driver.

You can't imagine bad things that mass surveillance will lead to?
People have a reasonable expectation of privacy in their workplace. But expecting safety measures that could potentially prevent hundreds of deaths to be limited to preserve employee privacy is not reasonable.
Couldn’t you say about population mass surveillance too?
As I argue above pilots already have an excellent safety record.

Have you considered what the extra stress of considering ones every word during a long and stressful day can do to someones concentration?

I mean many, the thoughts about what they said earlier this morning is bad enough even if it wasn't recorded.

We already record a couple of hours or so. If you want to record more, it is up to you to come up with data for how many more air traffic accidents we can solve and also to explain how we can know that it won't make air traffic more dangerous.

> how we can know that it won't make air traffic more dangerous.

This is an argument against any change that involves unknowns. I see it often, and I absolutely hate it.

Air travel is an industry with high risk yet a good safety track record. It seems like exactly the sort of place you wouldn't want to experiment. You can argue that this incident is a blemish in that track record, but it's not obvious to me how "add every word uttered by flight crews to a permanent record" would meaningfully address this incident (at least, any more than doing the same for every other job in the supply chain, from factory workers all the way up to the executives at Boeing), and it is obvious to me how it could be harmful.
Well in this case communication broke down among the crew. A recording of that confusion could help in refining procedures.

Everything worked out in this case but that’s because every incident is a lesson.

It would also mean a lot of pilots who have have other options - and I guess those are the best ones - would consider taking those other options instead.

This means airlines will have a smaller pool of less desirable / qualified pilots to choose from.

How can pilots handle flying an airplane, including in crisis situations, if the 'stress' of recording is too much? It's hard to take the argument seriously. Customer service agents can handle it, so can you.

I get that people want their privacy, but if it saves lives, it's a workplace (like customer service and many other jobs that aren't life-threatening), that outweighs it. People get surveilled constantly in their private lives and live with the stress.

There is no evidence it will save lives, you're just exhibiting signs of poor social development by not understanding why this is an issue and being to stubborn to realize. Most people are not engineers, capable of sitting silently for several hours.
I don’t know how loud it is inside a 737 flight deck, but it seems like a reasonably foreseeable outcome of this proposal is that people would start trying to figure out ways to make idle chitchat without going through the headsets. Which would negatively affect safety: if an emergency were to happen during the chitchat, either headsets would need to be readjusted and enabled as the first step of managing it or the emergency might start being dealt with without going through the CVR.

I work on larger UAS systems where we don’t have any form of mandatory recording for the FAA. We do have wireless headsets that we use for comms between the pilot, the GCS operator, the flight director, and whatever engineering support staff are on the ground. The system would allow us to record pretty trivially but we’ve debated this and explicitly decided that we get more value from being able to keep the communication as candid as possible instead of having to worry about having every word we say over comms scrutinized if there’s an incident.

Given the problem here is Boeing, and has been for years, it makes sense to record indefinitely every conversation made while working for Boeing, especially on the golf course.
It is reasonable that passengers know that the desires for the crew to have "idle chat" are less important than safety. But t0mas88 made clear that what is reasonable is less important than what is "accepted by the crew". The crew apparently makes the decisions on safety matters.
The crew makes a lot of decisions on safety matters, that's basically the most important part of the job :-)

But joking aside, in most places there are checks and balances between privacy impact and benefit. We all accept that some government agencies know some of our data, because the net benefit to society is bigger than the loss of privacy. And you would normally try to do such things in the least invasive way possible while achieving the benefit.

Where you go wrong in your passenger rant, is in assuming there is a big safety benefit in more recording of pilots. There were a total of 2 fatalities on US airlines in the last 10 years [1], while billions of passengers were transported. The safety record of airline transport is stellar, without more recording. So yes, I believe it is very reasonable to consider what is and isn't acceptable to the crew being recorded.

[1] https://www.airlines.org/dataset/safety-record-of-u-s-air-ca...

Passenger rant?

If ICAO can require keeping 25 hours why should a crew get to choose 2?

I mostly agree with your take. Alas, I think it's ridiculous to fight a 25 hour recording requirement with the privacy argument.

The recording should anyway only be retrieved under specific conditions and in a controlled environment.

In this specific case the longer recording duration may have actually aided the investigation and thus further improve airline safety.

Agree. My comment was responding to someone saying "Why stop at 25? Record all of every flight and archive it."

There is also more nuance to the debate around the 25 hours change. Like you say it should only be used under specific conditions and in a controlled environment, but in the US unfortunately recordings have been leaked and have been used for disciplinary purposes instead of a blame-less investigation for safety.

Europe has had rules for 25 hour recording since 2021, as far as I know without any opposition. But European recordings have also not been misused before.

"Idle chat" is important for safety.

- They need to work well together, and the better rapport they have with each other the better they're likely to perform in an actual incident. Regular interaction on the job is a part of that.

- They work a job that is often remarkably boring for much of the time. Drowsiness setting in is a real concern - a degree of social interaction is good at both keeping people engaged, and at helping them gauge how alert the other crew members are.

I operate tug boats. It is also remarkably boring for much of the time. The crew knows that they have no privacy when in the wheelhouse operating hundreds of tons of steel. They do have privacy when not on watch. Regardless, decisions around safety are not made by what is "accepted by the crew".
> "Idle chat" is important for safety.

https://en.wikipedia.org/wiki/Sterile_flight_deck_rule

I agree that the crew should feel free to chat. And when there is an accident, they should expect that the recordings are kept.

This rule applies to the taxiing, takeoff, and descent into landing phases of flight only. It isn't enforced above 10k feet. Idle chatter is important for numerous reasons in any professional working environment and it isn't a reasonable conclusion to say that it should not be allowed in this one.

It's also unfathomably unreasonable to call for storage of all voice recordings of the flight deck in perpetuity. That's ridiculous and is privacy invading. If you want to improve the state of this industry, you are looking in the wrong place.

I did not argue for "storage of all voice recordings of the flight deck in perpetuity". I argued against what is "accepted by the crew" being considered.
Social media has a way higher impact on human well being than aviation safety; maybe we should record all idle chatter and boardroom meetings of people working at these companies to ascertain liability when we finally realize they're akin to tobacco companies.
> Respectfully, it is your workplace in which you're responsible for the lives of thousands of people each week. I don't think it's unreasonable to keep proper tabs.

Should all medical device software developers have the entirety of their working lives be archived in a similar manner?

Eh, as a software engineer, every piece of text I produce -- from chat to email to memes -- is sitting around, archived and backed up, for years if not longer, waiting to be combed through and potentially taken out of context. A great deal of that is social, idle chat, or complaining about my employer, or outright gossip.

First they came for, etc, but they came for me a long time ago.

But they're not archiving your chit-chat with your coworkers over the water cooler. For pilots, they are (in the cockpit). So I can halfway see the pilots' point.

[Edit: I mean, voice chit-chat. Just talking to each other. That gets recorded for pilots, and not for software engineers, no matter how long they keep our (text) chats for. Stuff gets said in person, by voice, that would never get typed out in a chat.]

I would be shocked if most companies are not maintaining long duration archives of employee emails, Slack, Teams, whatever medium.

Chat logs are tiny.

I’d be shocked if most companies are retaining these logs longer than the legally mandated minimum. This kind of information is radioactive from a legal perspective. Slack and Teams even advertise automated deletion as a feature.
Long-duration archives can be used against the company in a lawsuit - whoever's suing you would love to get decades of material to look through to help make their case.

As such, it's a large liability, and most companies retain those sorts of records for the minimum amount of time acceptable by law/regulation/customary expectations.

The equivalent of what you described is archiving your outputs. In flight, that would be a pilot's flight control inputs. That seems entirely uninvasive.

The equivalent of an always-on cockpit voice recorder would be... screen recording all of your digital devices during working hours? And, turn a mic on just to be safe?

It's not just my work output, though.

I'm a programmer on a team with other programmers, many of us remote.

We're not standing around a water-cooler talking. We're on team chats. We're reply-all'ing to email-chains. We're sharing memes. Half the time we talk across chat when we're sitting in the same room.

These aren't formal design docs or code output [the analogy to flight controls], this is our water-cooler talk, and it can all be subpoenaed in a variety of situations, to be read into court record and taken out of context for the rest of time.

That sounds like a fair point.

But are all zoom calls required to be archived, specifically in the medical device industry?

Certainly you have the option to make a phone call to a teammate, or walk over to someone if not remote, and say something without any record. Don't you?

Which, if a company has a policy of recording all work communications, sounds a bit like you're bypassing the monitoring systems in place.

Mind you, that is how people mostly work anyway. Even if I generally trust an employer to not be intrusively monitoring my communications, for anything sensitive I'm ideally going to talk in person or failing that, at least go with a personal cell call.

I mean, a pilot subject to constant audio recording could learn ASL, or scribble notes on a piece of paper, or whisper in someone's ear.

But we aren't talking about how to circumvent monitoring. We're talking about working when your idle socializing (while working) is monitored and logged.

Logged for 25 hours anyway. Stuck in a box in the airplane, that can only reasonably be opened by a technical crew.

I could deal with it if my laptop did that.

I think this thread started with a suggestion to permanently log and archive it though, the 25 hour part is less controversial
The proposal was that it would be automatically uploaded and searchable by corporate.
Yes, and talks between air traffic control and pilots are recorded.

Would you be okay with a recorder being beside your desk at all times? Catching every conversation, even personal ones?

Currently it's your choice to participate in sending memes over email. You also have the choice to walk over and have a private conversation.

Would this be any different from walking out of the cockpit to have a private conversation?
Pilot's shouldn't be encouraged to walk out of the cockpit mid flight, also after 9/11 all cockpit doors are locked during flight
> Eh, as a software engineer, every piece of text I produce -- from chat to email to memes -- is sitting around, archived and backed up, for years if not longer, waiting to be combed through and potentially taken out of context.

If this is true your legal team is committing malpractice.

You have no way of knowing this is the case unless you know where they work, the industry they operate in, the country they live in, the country their employer is domiciled in, and what agreements they've signed prior to and during employment.
(comment deleted)
True I made an assumption and skipped the qualifiers. That’s how I keep my comment word count below 450,000.
If you know the qualifiers will put your word count above 450k, maybe it’s not a very applicable comment?
Ok I’ll keep it down to 449,999.

Will you too?

How about instead of that nonsense we just have a reasonable conversation and assume best intentions?

It's hard to have a reasonable discussion when someone flippantly says an entire legal team is committing malpractice when talking about something they have no way of knowing anything about.
More akin to doctors and nurse rooms to be monitored which sounds fair.
Sounds like you will be a big fan of Neuralink Archive®!

But seriously, why did you skip over the software devs? Their errors could kill many more people than a bad doctor.

Because software dev work is certified and doctors/nurses are allowed to do whatever they want - starting with patient abuse and ending with drug and alcohol abuse.

Right now tons of public activity is monitored already but almost in all cases it's to catch customer abuse and never for business abuse. Monitoring everything 100% will become one of the greatest equalisers. Only people rejecting this are people in abusive power.

All the software deverrors that could kill people are already logged.
Why do you think it's needed to record all conversations to "keep proper tabs"? That's purely a gut feeling based on no data at all.

Aviation is by far the safest form of transportation. In the last 10 years of data (2012-2021) there were a total of 2 passenger fatalities on US airlines across several billion passengers for that time period [1].

If you want to start recording workplaces to improve safety, there are a lot of industries to look at before aviation.

[1]. https://www.airlines.org/dataset/safety-record-of-u-s-air-ca...

> If you want to start recording workplaces to improve safety, there are a lot of industries to look at before aviation.

This is irrelevant to the discussion about recording pilots.

We already looked at policing. Police unions have a similar stance about body-cams? They are more invasive because they follow officers to the bathroom, and I am sure they're are safety/effectivenes stats that argue those are unnecessary.

Most civilians don't seem to have much sympathy.

Police unions indeed have similar objections. That's why police officers can turn their cameras on and off themselves, so they are not recorded when talking to a colleague or going to the bathroom: https://www.engadget.com/police-reform-bill-body-cameras-215...
Coincidentally, this is also why those cameras get "accidentally" turned off quite a lot whenever a use of force is about to occur.
I've often thought we should record all surgeries so that the patient can view them later. Wouldn't you want to know what is done to your body while you're under anesthesia? Of course surgeons will fight this, but aren't we entitled to know what happens to our bodies?
Even just regular doctor appointments. People are paying hundreds of dollars for 5 minutes of a doctors’ time, and they have no way to have someone double check if a doctor did or did not check something they should have.

I have looked at my kids’ pediatrician visit summaries, and they will state “doctor did this and that”, when I know for a fact the doctor did not. So I have to send a mychart message to document that the doctor did not do those things.

Now, I understand that excessive liability is probably driving doctors to do unnecessary things and so 95% of the time, there is no ill intent, but rather shrewd judgment of not wasting time, however writing (or copy pasting) a false visit summary is not the answer.

I have never tried recording a doctor visit. Is that something a doctor would would resist?
Without a doubt they would object, based just on signage I've seen at the doctor's office. Also I think it would run the risk of appearing like you're a litigious nut.

Note: All of this is U.S. perspective, I have no idea about healthcare anywhere else.

Given how hard it is to even find half-decent doctors even taking new patients, or having appointments available this quarter let alone soon, the doctor likely doesn't need you nearly as much as you probably need a doctor. They're going to be fully booked even if they ask you to leave and decline to be filmed, so they don't have any reason to consent to it. This is one place where the "try to make the customer happy" conventional wisdom about transactional relationships seems to not apply one iota.

This is already a thing. My grandfather got a video of his cataract surgery. A friend of mine got a video of his arthroscopic knee repair.
Then every software company should have every software engineer recorded at all times, as everything we work on is composed together in ways that hold dramatic sway over others lives.

I'd like to point out that one thing the tech industry is bad about is figuring out which technology to definitely not build. In fact, we've collectively resisted any attempt at so doing.

And what are your thoughts on police body cams?
Not th0mas88, but my thoughts: police body cams are a whole different story.

For one police officers are often able to turn on and off recording themselves, so it becomes as much of a protection for them as for everyone else. That is: if they are good police officers.

Secondly, unlike pilots, the police force in many countries does not have a stellar track record.

Edit: I do have some concerns. Yes, police brutality absolutely exists. But there also seems to exist a subset of the population - also represented here - who think police can be like superman and whenever they aren't that's because they are evil and enjoy harming innocents.

Police body cams are not "always on", the officer turns the camera on when they're interacting with the public and turn it off when they're in their car talking to a colleague: https://www.engadget.com/police-reform-bill-body-cameras-215...

So I guess they had similar objections to being recorded 24x7 and that was accommodated in the rules around body cams.

(comment deleted)
I can't follow the logic of how a recording is not stressful in the two hours it is stored, but then suddenly becomes stressful when it has been stored for 2+ hours?
Then you lack imagination. Perpetual recording has a chilling effect on communication.
Imagine you knew every on-the-clock interaction you had with a colleague was being stored away someplace that an unspecified number of people had access to as "needed." I'm pretty sure most developers here would object pretty strongly to such an arrangement (and would probably get onto ways to circumvent it).
>Imagine you knew every on-the-clock interaction you had with a colleague was being stored away someplace

Storing something for two hours is still storing it. The point was why is it bad if it is listen to for X minutes in a month, but okay if it is listen to for X minutes today? I can see no reason at all why two hours is okay if five isn't. I could understand if the argument was that nothing should be stored at all.

The issue is the difference between 2 hours on board the airplane and forever with corporate access.

> The point was why is it bad if it is listen to for X minutes in a month, but okay if it is listen to for X minutes today?

That wasn't the point and the problem is who is listening, why, and what they may do with the information.

That wasn't the point.

What can you say that I can hear on a recording that would stress you out if I listen in 3 hours but not if I listen after 1 hour? Is 2 hours okay but 2,5 is perpetual suddenly? That's a strange hill to die on. Zero hours make sense. 2 and no more or less seems ... strange. Why 2 and not 3? 33? 0,3?

> That wasn't the point.

Actually yes, it is the point. As has already been exhaustively pointed out in this thread the issue is the difference between two hours on the airplane that auto-erase and perpetual recording available to the company for whatever purpose they can dream up.

> Is 2 hours okay but 2,5 is perpetual suddenly?

That's not what the word "perpetual" means. "Perpetual" means "forever" as in "we never delete these recordings".

Don't put words in my mouth. OP very clearly said:

>"This is a proposal from the NTSB to the FAA to raise the CVR recording time from 2 hours to 25 hours, in line with ICAO."

You are arguing two hours is fine, but 25 hours is "perpetual recording". That is a strawman.

Does anyone have privacy at work outside the restrooms?
Assuming you're talking about a physical workplace? Yes... most places.

When I go into the office to meet with customers or whatever, there aren't cameras and microphones everywhere. I can use a personal cell phone (which is all I have these days anyway). And, honestly, for something personal but not in any way getting into legal issues, I have no problem communicating over chat or a video call.

If the concern is privacy, then access should be the focus, not time.

So long as the recording is properly encrypted, and the access is properly managed, privacy will be preserved.

If those things aren't true, then there is a privacy violation, regardless of the 2 hour time constraint.

> This is our workplace, so you would be recording every conversation, also any idle chat of which there is quite a lot in cruise flight.

My workplace is my laptop, and I’m fairly certain that it records more than the airplane does. I certainly have no expectation of privacy while using it. Any meeting is recorded regardless of what is being said.

I’m sure my casual conversations would be if anyone felt I said anything valuable while muttering at my screen.

Not saying that’s great. Just saying that airline staff may currently have more privacy than most.

This already exists for aircraft parameters. Not audio.
[read me elsewhere]
In this case it would be the airline pilot and/or flight attendant unions.
I can't find it now, but there was a Reddit thread from a US flight instructor at the time of the China Eastern Airlines crash of 2022 who had previously trained pilots in China. He claimed the airline policy was to record cockpit audio of every single flight and have multiple people review that flight for anomalies. Any deviation from the standard procedure was logged and marked against the offending pilot. The pilots were extremely reluctant to act outside the guidelines of their training in a way that this person thought put safety at risk.

As you can imagine, this is not a situation that US pilots want to be subject to and they are probably right that safety would actually be made worse.

For flight data metrics, this makes sense, but this is significantly already happening with aircraft systems transmitting data back to central monitoring systems in realtime. Pilots can see an errant value (say a moderately high temperature somewhere) and call up an engine specialist and ask them if it's a concern and that specialist can look at a plethora of data on the plan in flight. The planes can also "phone home" and report things which should be looked over or fixed during the next downtime and maintenance organizations can proactively order parts or schedule personnel to fix issues before the plane even lands. This is all being done in the name of efficiency, but, it no doubt has positive safety benefits too. Airlines and manufacturers can already run a query like "how many hours between replacement of part X on average" and "how many hours between replacements of part X for planes which regularly fly to middle eastern countries (hot and dry)"

For audio recordings, in the absence of an incident, I see no reason to do it.

> Pilots have also opposed the move [to add 25 hr recording], with the union representing pilots for air-freight company Atlas Air telling the FAA the longer recordings would be an invasion of worker privacy.

> "(It) would significantly infringe upon the privacy rights of pilots and other flight crew members, as well as drastically increase the likelihood that CVR recordings will be misused or disseminated without authorization," the union said in a Dec. 28 response to the FAA's 25-hour proposal.

I'm not sure I agree that flight crews of passenger aircraft should have an expectation of privacy while flying planes. It seems like one of those kinds of jobs where the risks involved and need to gather forensic data in the event of an accident should outweigh the pilots' privacy concerns. Maybe add some regulation w.r.t. disseminating the recordings outside of releases by the NTSB as part of accident investigations.

    It seems like one of those kinds of jobs 
    where the risks involved and need to gather 
    forensic data in the event of an accident 
    should outweigh the pilots' privacy concerns
Reading between the lines, I think the concern is that pretty much any flight might contain minute violations of things like the "sterile flight deck rule"[1] and it would probably be easy to find a reason to fire any given pilot if airlines could just comb through endless amounts of recordings.

[1] https://en.wikipedia.org/wiki/Sterile_flight_deck_rule

If you're chitchatting in the cockpit and that causes things to get missed, that's very pertinent to the investigation. I don't care if that chitchat is about some sportsball banter, some personal info about relationships/work/etc, or anything. If you can't focus on the job while you're on the job, that's something that needs to be understood. So I'm very much in agreement that this privacy claim is nonsense when these "private" conversations directly affect the lives of 150+ passengers/crew. It's not like a couple of coders chatting away. Lives are not on the line.
Weird how the "privacy heavy" EU manages to have 25 hr recording requirements...
Yea, weird how CVR recordings don't leak over there.

You could probably overcome the pilot objections if there were real penalties for misappropriating the recordings, like they have in the "privacy heavy EU". As it stands today, the pilot objections aren't really unreasonable.

How much data can 25h of voice and instrument recordings be? Even with multiple channels and uncompressed it can barely be more than a couple gigabytes.
Idk how the devices work but if you have to replace them to get the extra capacity, it would still cost the airlines money, and the FAA has historically been very friendly with airlines.
It's not about cost or technology. The pilot's union is against longer recordings.
And cost, according to a FAA quote in the linked article.
Retrofit would cost money. But mandating years ago that new planes and anything going throw certain levels of maintenance would have update would not be that expensive.
You’re applying a technical standard to a people problem.

The issue here is likely legal liability, as evidenced by the pilot’s union opposition to longer recordings.

Given that Boeing currently has to ship planes to Europe with 25 hours of recording capacity, and that this plane is only a few months old, I'd guess it already has 25 hours of capacity and it's artificially limited to 2 because it was shipped to the US, due to the opposition from pilot's unions.
Not necessarily, could very well be that US planes are shipped without 25 hours of recording capacity.
Don't be so dense. Even if that is the case, it it probably is not, there exists a certified flight recorder module with 25h capacity. They should not have to go through any 'soup to nuts' certification process for a new module with this capacity. They could simply take the current module they use in europe, give it a quick once over ( assuming european standards are at least as strict as american standards.. which i'm sure they are ) and say 'yup, buy and install those in all new craft'.
Aircraft certification is, well, peculiar. And believe me, modifying a delivered aircraft is nowhere near as easy as "install that certified box", because said box has to be compatible with the aircraft you want to install it on.

And as I said, no idea how US-only aircraft differ, hardware and software wise, from their European airspace brethren. Do no, it is propably not as easy as going into maintenance mode and set a toghle from 2 to 25 hours on the voice recorder firmware.

any 737 in europe uses such a module as it is required.
[flagged]
Do you have references to share?
> The International Brotherhood of Teamsters (IBT) Local 2750, representing the pilots of Atlas Air, is submitting for the record the following comments regarding the Federal Aviation Administration (FAA)'s proposed rulemaking

> A twenty-five hour recording mandate significantly encroaches upon the privacy of flight crew members. Conversations and activities in the cockpit, whether or not related to flight operations, being recorded and potentially scrutinized, unnecessarily creates a sense of continuous surveillance and severely undermines the trust and morale among crew members

https://www.regulations.gov/comment/FAA-2023-2270-0006

This is hardly proof for the alledged conspiracy between maintenance crew and pilot unions to cover up flight crew fuck ups by limiting CVRD to two hours...
This is a very long running issue for labor unions. This is far from the first example of people "forgetting" that data will be erased.
Starting to over-write after two hours is, according to the article, standard for the US by law. No need to spill anti-Union conspiricies and propaganda.
So if the mechanics union takes two hours of time to retrieve the device then that's a solid.
No, why? In case of an incident, circuit breakers are pulled, and the data isn't over written. Also, I am not sure if the CVDR is recoring while the plane is switched off on the ground.

By the way, the union isn't retrieving anything, the maintenance people are.

Maintenance union then. It does not take a genius to see the incentives playing out. All it takes is a pilot saying "fuck these shitty planes I'm never flying one again"... err Earl can you go take one of your legendary shits and then go get the flight recorder? Wink You got it boss! Wink Really I didn't mean to make a dig at unions because you can get those same incentives without a union, however the pilots union is arguing against longer recorder times.
And if ypu wpuld care to read the details, you'd see why. Labour protection is a lot weaker in the US, and pilots are already worling under shitty conditions to begin with there as well. Handing over a 100% surveillance right to employers under these conditions actually does seem like a bad idea.
(comment deleted)
> This was not a accident - no one "forgot" to go turn it off.

IIRC, it is a pilot's responsibility to pull the breaker on the CVR supply after landing in an incident scenario, not the mechanics'.

Do you have evidence or possibly do you work in aviation, maybe as a mechanic?
Yeah, this is an inane, self-inflicted, and completely trivially solvable problem.

The voice recorder overwrites itself on a two-hour loop. Two hours of voice data takes about a gigabyte of space at most. There is no technical barrier to right sizing this, and there is nothing special about the aerospace use case that prevents it.

Why would anyone think a two-hour buffer for something so critical would be appropriate? And why would it continue to overwrite itself after it’s grounded? Why is there no backup? Has it never been thought relevant to gather, say, an entire flights worth of data instead?

This highlights a complete failure on multiple levels and an inability to critically think about the problem space. How much time was spent implementing a system that under most circumstances where it would be needed would render itself entirely useless?

>most circumstances where it would be needed

I think if the plane is still operational for 2 hours then the data is a lot less important than the alternative scenarios.

In this particular case it doesn’t seem very useful at all. The pilots had no idea why the door plug ejected. They landed the plane as per normal. They are still alive to tell us what they did know, which is probably nothing relevant.
> Why would anyone think a two-hour buffer for something so critical would be appropriate?

Probably people in the 70s who thought having a recording at all is star trek stuff.

That would be the same 1970s when the American president was forced to resign because of the extensive voice recordings he made.

This wasn’t sci-fi stuff even back then.

Tape recorders are a century old, and tape loops were how answering machines, toys, instruments like the Melotron, and many other devices worked until the digital era.

There a lot of things today that are less human-usable than they were a half-century ago, but also much more flexible and less expensive. We're still in a weird transitional phase post-transistor.

From the article:

>Debate about whether to adopt the longer recording standard weighs considerations about cost and privacy implications against safety.

>The U.S. FAA has previously rejected the NTSB's call for mandating the retrofitting aircraft with new cockpit voice recorders, saying the costs would be significant at $741 million versus $196 million under incremental upgrades it proposed.

>Pilots have also opposed the move, with the union representing pilots for air-freight company Atlas Air telling the FAA the longer recordings would be an invasion of worker privacy.

Whether or not a "technical barrier" exists is a non-sequitur. Just because you can get a $10 audio recorder on aliexpress that records 200 hours, doesn't mean it takes $10 to implement this change per plane.

> Whether or not a "technical barrier" exists is a non-sequitur. Just because you can get a $10 audio recorder on aliexpress that records 200 hours, doesn't mean it takes $10 to implement this change per plane.

I bet many investigators would be very happy with the aliexpress implementation ...

In this case the aliexpress implementation would have worked, but not in cases where the aircraft is literally pulverized on impact, like in the 737 MAX crashes of 2018 and 2019 (https://en.wikipedia.org/wiki/Ethiopian_Airlines_Flight_302 - "The aircraft impacted the ground at nearly 700 miles per hour (610 kn; 1,100 km/h) [...] Both the cockpit voice recorder and the flight data recorder were recovered from the crash site on 11 March.")
You've constructed a false dichotomy. You can have the current 2-hour system and a cheap 24-hour system at the same time.

Then you can gradually harden the new addon. This could be a way to make it all even more expensive.

I hope you don't design avionic systems, or any other safety critical piece of hard or software...
Hardware is hard. There are so many more things that can go wrong.

If your cheap 24-hour system decides to self-immolate, it might be the cause of the incident rather than just help determine what the cause was.

You can make up 1000 different potential failure modes to try and make yourself feel smart.
And you can ignore those failure modes and kill hundreds of people at a time.
Did you conduct the extensive study into all the possible failure modes if we allow pilots to wear smart watches? Or cork-soled shoes?

It is appropriate to use caution and care. You are right about that. It is obstructionist to demand every possible mode of failure be used as an excuse to block progress. It is possible to use flaky hardware that will increase risk. But it isn't that hard or expensive to use reasonable care to avoid it while dramatically improving the tech. To pretend that any new tech would automatically lead to hundreds of deaths and should therefore never be considered is ridiculous on its face.

Airlines have dress codes for pilots.

“Reasonable care” is expensive for airline grade hardware. You don’t just add features because they sound good. You don’t throw tech at the wall and see what sticks. You engineer reasonable solutions to real problems.

It’s nothing like building a webpage.

I am fairly certain NTSB flight incident investigators understand fully well the safety implication of integrating an AliExpress recorder in the avionics suite of an aircraft. And wouod hence oppose such an idea quite strongly.
Counterpoint: what price would it have to cost to make it not worth doing? I contend the actual cost will almost invariably be less than that.
If privacy is the concern then it seems it would need to be bound to a certain protocol where in the event of an anomaly the transcript continues on for some extremely long time effectively unbounded by typical flight scenarios. The current situation acts as a backdoor to deletion.
(comment deleted)
It makes sense that retrofitting is expensive - that's labor and plane downtime for 5-7k commercial jets.

This airplane was brand new. It should be using something more modern.

Cost of retrofitting? This particular Alaska MAX 9 is a plane that was just built and delivered late 2023. The 737 MAX family only went into service in 2017.

Im starting to wonder if the yet to be certified 777X will store for more than 2 hours as it takes 16 hour flights.

25 hours if sold (operated?) to EASA regulated carriers.
It doesn't need to be a cheap aliexpress recorder. Couldn't they just drop in whichever 25hr recorder is used in Europe? Already tested and probably installed in the same type of plane
> the longer recordings would be an invasion of worker privacy

Workers responsible for multi-million dollar machines and sometimes hundreds of human lives. I doubt anyone but the pilots care one bit about their on-the-job privacy.

I do. Because pilots being worried about what they say in the cockpit can have a negative impact on their reaction times, behaviour and crew management. All.of ehich can negatively impact flight safety. I want my pilots to feel comfortable while flying.
The privacy concerns can be mitigated by some rule changes.

Mandate the 25hr recording duration.

Mandate that full playback can only be done for accident investigation purposes By NTSB, unless requested by the crew(s). Some limited duration carve-out to allow maintenance crews to listen to last 15 mins to verify operation.

Agree. And I assume that in this case unions would oppose the 25 hour recordings.
Too latebto edit: I mean Union wpupd NOT oppose 25 hour recordings, if privacy and labor concerns would be properly adressed.
Indeed. This is how it works in Europe, with a 25 hour recording requirement for aircraft manufactured after 2021.
The problem with your viewpoint is that all major air carriers are unionised. So the opinion of the unions on privacy is a lot more important than what "anyone but the pilots" thinks about it.
Is unionization really a problem though? I’m ok with the status quo where flight crews have a say in aviation safety but random Internet commenters don’t.
No not at all. I meant unions are a good thing here, giving flight crews a say in things affecting their workplace instead of random internet commenters deciding they would like to record everything.
> privacy

That’s silly. And we all know it. Nothing in a cockpit is “private” in this regard when it comes to transport of hundreds of people.

> cost

There it is. That’s all it ever is. If the cost of doing it right is higher than the fines of gambling with doing it wrong, the wrong way will always be chosen.

This is bog standard corporate life under capitalism.

This is incorrect. It's not cost, if cost were the concern we would not have recorders at all. Cearly the cost of a longer recording is inconsequential once you have agreed to install a recorder at all.

It is about privacy, it's easy to verify the history of pilot's unions concerns and objections.

> at all

Incorrect. This is a struggle of ratio between regulation and lobby..

If pilots have a privacy problem with it, then put the onus on pilots to not forget to turn off the recording. If they forget, they should be held accountable, ie lose their piloting license. Otherwise, they can't have it both ways, saying "we need our privacy" and also "it's not our fault we forgot to save the recording!"
Easy to armchair quarterback. But it's quite reasonable for the overall workforce to have some objections against 24x7 recording of everything they say. I'm surprised the Hacker News crowd, often quite pro-privacy and anti tracking, does not understand that.

And then suggesting to revoke the licenses of a crew that at one of the most stressful moments in their career, right after a major incident, forgets to pull a circuit breaker is ridiculous. Luckily that is not how things in the aviation industry are done.

On other hand I don't find 25 hours being recorded unreasonable with some of the very long flights we now have like 17-19 hours. Something early in flight could be critical clue in incident analysis.
Indeed, the FAA has just proposed to start doing that for new aircraft. Same as Europe where this has been put in place for aircraft manufactured from 2021 onwards.

The problem in the US is that there has also been more disciplinary use of the recordings (by the company, not the NTSB). In Europe things are a bit more strictly regulated and there wasn't any resistance to the 25 hour change.

unions. necessary, but often given too much leeway to overstep
And costs, so airlines and the pilot unions are fully alogned, in the US, on that question so far.
What about management? Congress? It's an issue of power, not of unions.
> Why would anyone think a two-hour buffer for something so critical would be appropriate?

This sort of negligence is intentional. My guess would be it started as a requirement for analog recording and was carried over without change and purposefully left at two hours when equipment went digital. The fact that EU has a 25 hour length requirement and the FAA refuses to update their rules to extend to some reasonable length tells us everything we need to know about this situation.

> The fact that EU has a 25 hour length requirement and the FAA refuses to update their rules to extend to some reasonable length tells us everything we need to know about this situation.

i'll bet lunch the actual recorder hardware in the airplanes is the same with the only difference being a knob set to EU rules or FAA rules.

Same reason why the car industry encountered chip shortages, despite there being plenty of chips. They don't want to have to go through the time and expense of re-certifying everything due to all of the red tape. As a result, you end up with the system "that always worked fine".
Learning more and more about all these air accients, there is so much that has improved about plane safety and how good it is and so on. But then there are some fucking baffling omission.

Its unbelievable how often the voice recording gets overwritten. This has been a problem for literally decades. How this is not solved is mind blowing.

This would be trivial to store, and trivial to upload. People have wifi in the plane but somehow we can't upload a few voice recordings and other flight data. (and before somebody jumps on me, yes its not 'trivial' but its a hell of a lot easier then about 1000 other things a modern plane does). And private as an argument doesn't' really work either.

The amount of valuable data lost is mind blowing. Not just in cases where things fail, but also in cases where everything goes right.

And then, somehow they don't have cameras that allow pilots to see the engines and other vital parts of the plane. Somehow passenger can fucking watch movie. But if a captain wants to know if the engine fell of the plane they have to send somebody from the cabin crew to run around and look out of the window.

(comment deleted)
> Why would anyone think a two-hour buffer for something so critical would be appropriate?

For the most severe incidents, recording stops at the end of the incident. The current two hours is an increase of the previous 30 minutes. The old 30 minute limit made a little more sense at the time considering the mechanical nature of the recorders at that time.

Airline pilot privacy.

CVRs were always highly contentious when introduced, due to exactly the situations you see today in the media. The pilot unions were concerned that these recordings would be released to the public, both out of context and releasing private personal data not relevant to the public - especially if anything at all salacious could be found.

There were strict protections about CVR data never being released, but of course those restrictions more or less no longer exist today in reality - leaks abound.

I think those that dismiss this concern entirely are the folks who cannot think critically. It highlights a legitimate concern for workplace privacy, of which the Overton window has shifted drastically into less privacy expectations over my lifetime. The public will nearly unanimously call for 25 hours here, but this was not the case even 40 years ago.

I think the benefit outweighs the concerns in this particular case, but you are now seeing the same fight regarding cockpit video recorders. I can't say the pilots are wrong given the history of CVR data breaches.

If I were a pilot I'd grudgingly support the existence of the CVRs, but I can't say I'd really like the idea. I've seen how sound bites get taken completely out of context and sound worse than they were intended at the time. I've also seen how CVR data is absolutely critical in resolving some accidents. It's all a tradeoff, but certainly not an immediately obvious one unless you value privacy at zero.

Edit: The idea behind the 2 hours thing, was that 2 hours would be plenty of time to record anything relevant to an actual accident. Either the plane is in pieces and recording has stopped, or the recordings get pulled on successful landing after declaring emergency. The entire intent was to limit what was available to only the accident sequences - not general chit chat 5 hours prior to any event while they were waiting for taxi clearance. Technical limitations at the time also didn't hurt this argument.

Also I think it's good to point out that relying on the pilots to pull the breaker after an incident is not ideal and one of those things that the union has absolutely kept in as a feature, not a bug. This has obviously been abused.

> I think those that dismiss this concern entirely are the folks who cannot think critically.

So if you don't agree, you can't think critically. Got it.

Or maybe, we did think about it critically and simply don't agree.

There are various way this can be solved. We have modern encryption that could make this far, far safer then it is today. We have methods from data leaking. We have process to only allow data to be decrypted if required.

This would actually force us to really think critically about who has what access when. In planing this the airlines, unions, FAA should sit together with some technical experts and think of this critically.

This seems less complex to me then a modern high bypass turbo engine.

> There are various way this can be solved. We have modern encryption that could make this far, far safer then it is today. We have methods from data leaking. We have process to only allow data to be decrypted if required.

There are not. You cannot solve a social problem with a technical solution. If the data exists, it can and likely will be used.

> This highlights a complete failure on multiple levels and an inability to critically think about the problem space. How much time was spent implementing a system that under most circumstances where it would be needed would render itself entirely useless?

I was responding in particular to this. It does not highlight an inability to think critically unless you value privacy at zero and only look at these recordings as a technical problem. Under most circumstances when it's needed this system has functioned exactly as designed. You read about the failures because they are the exception. Believing that CVRs as-designed fail under "most circumstances" would be a lack of critical thought to me. I was limiting my scope to this statement.

I would actually agree with you in general if for not that comment. It simply means we disagree. But it surely does not mean no one has thought critically about this subject when it was introduced or since.

> There are not. You cannot solve a social problem with a technical solution. If the data exists, it can and likely will be used.

Except in reality we use often use technical solution to solve social problems. Or rather technical capabiltiy gives us the means to approach a social problem in a different way.

> unless you value privacy at zero

The assumption that privacy is 100% impossible if something is recorded and stored is simply categorically false.

> only look at these recordings as a technical problem

I didn't do that. I suggested that the FAA, the Unions, the Airlines and the manufactures sit together and come up with a solution of what the exact data access policies are.

> Under most circumstances when it's needed this system has functioned exactly as designed.

And yet when going threw the history of air incidents, there are lots of cases where this isn't the case. Most isn't good enough.

> You read about the failures because they are the exception.

Sure and a server crashing is the exception, and yet somehow most of use still run 2 server if we want things to work continuously.

The argument 'mostly its fine, its just occasionally that a couple 100 people die and we don't know why' just doesn't work for me. Yes in most cases its not that dramatic, but it would still be very useful.

> . Believing that CVRs as-designed fail under "most circumstances" would be a lack of critical thought to me. I was limiting my scope to this statement.

Fair.

What privacy? They’re recording conversations made in company livery while getting paid on the job, with notice of that fact in advance. If the recorders were recording them after they exited the plane that’d be a cognizable privacy violation, but that’s not what we’re talking about here.
Are we willing to have our cubicle conversations recorded while we’re on the job to increase the data available in the event of a software defect?
It depends. Are people’s lives at stake?
Are you willing to have a camera pointed at you - not other drivers, you - as you drive to and from work every day? People's lives are at stake, driving is objectively more dangerous than flying, and it can be tied to work by the simple reason that you wouldn't be behind the wheel if you weren't heading to or from work.

This smacks of "Privacy for me but not for thee", to say nothing of the effect it would have on the perpetual low-level pilot shortage due to things like working conditions.

It depends. Am I at work and being paid as a professional driver?

> the perpetual low-level pilot shortage due to things like working conditions.

There are a lot of pilots “waiting in the wings” at smaller carriers, currently being paid peanuts, to get nice cushy jobs at major carriers with union protections who won’t mind having their voice recorded and stored for 24 hours while on the job behind the yokes.

Don't forget frequently leaked out of context, for all the laymen and public to gawk at, and cast judgement upon those involved. "This is normal" say industry experts, "and your second quote is missing some very important context. None of which most HR departments will hear about, leaving me objectively worse off searching for a new job."

Tech-bros will read this and say nobody died due to their software, but that's neither true nor the point. Giving every supposedly private interaction at work a chance to leak only sounds reasonable when it's not you

While I value my privacy at the office, these kinds of comparisons need a bit more work to become apples-to-apples. Consider:

1: Are we clicking buttons that could kill hundreds of customers without any chance of it being stopped by external oversight and review? To underscore the danger, is the cubicle secured by an anti-terrorist door which was installed after thousands died when terrorists attacked a similar cubicle before?

2. Are the recordings specially sequestered and regularly overwritten by default, as opposed to being kept indefinitely in a big database for anybody in my reporting chain to look at on a whim?

_____

For example, if I was "coding" inside the control room of a nuclear power plant and developing scripts to help automate the next hour of control-rod movements, I think I would be wayyyy more accepting of a 24-hour disaster recording loop in a box for the US Department of Energy.

Any Zoom or Slack communication is recorded and available...so is this not the state we're in today?

This is not just the state of things in most companies, but it is a legal requirement in companies subject to the Sarbanes-Oxley Act.

fwiw I don't particularly like either state of affairs, but pragmatically some business interns somewhere at JP Morgan has all of their communication recorded and preserved for regulatory oversight, the fact that pilots don't is a testament to their union, and not because it wouldn't be considered normal in today's working world.

This is exactly the Overton window I mentioned.

Your opinion/take on this is relatively new. While technically (legally) correct, there was a whole lot of social pushback on this statement or idea even in my lifetime.

This take on workplace privacy has not been the social standard for very long, and is certainly not a universally shared opinion.

Edit: To avoid comment spam here on an irrelevant side-subject. I didn't say it was a regression or a bad thing. I simply am pointing out it has massively shifted in a relatively short period of time. There was serious public debate about introducing these at all just a generation ago. Now it's seen as completely normal to have your entire workday recorded with zero expectation of privacy. It's a rather drastic shift in society.

The pilots have a union. A lot of people here seem to like the idea of unions. The union negotiates with the airlines (and FAA) over working conditions, rules, and terms. The pilots have privacy concerns about the voice recordings, the union negotiated that, and the compromise was the two-hour recording.
>I think those that dismiss this concern entirely are the folks who cannot think critically

I will absolutely, unreservedly dismiss the concern of a pilot for privacy in the cockpit because I can think critically. The notion that someone deserves privacy in the cockpit of commercial aircraft is outrageously silly and utterly indefensible. Pilot your own personal aircraft if you want that privacy.

And there is absolutely an "Overton window", but it is wrong to think that whatever way it moves is a regression or worsening (which is the classic "everything is always getting worse" melodrama). Sometimes the way things are is not rational or optimized, but just are.

The 2 hour thing was nothing but a technical limit (a literal loop of magnetic tape), and every other justification is retconning.

> The 2 hour thing was nothing but a technical limit (a literal loop of magnetic tape), and every other justification is retconning.

The 2 hour thing was 30 minutes when it was magnetic tape. It moved to digital a while ago and that's when the unions negotiated it to 2 hours after some incidents. The 2 hour limit was not based on anything technical that I'm aware of.

The privacy stuff is absolutely not reconning. Heck, it was pretty much the most talked about topic over the water cooler when I was doing some IT contract work for ALPA in my teens.

My memory is certainly fuzzy but not quite that fuzzy.

> recordings get pulled on successful landing after declaring emergency

Declaring an emergency (standing alone) should not be a reason to pull the CVR, IMO. There should be an aviation-safety related reason at a minimum. (Declaring an emergency to facilitate expedited handling for a passenger medical emergency should not trigger a need to preserve the CVR recordings, as one concrete example.)

Additionally, this might make pilots more reluctant to declare an emergency, which would have a negative impact on safety.
Indeed! It's mind-blowing the number of conversations I've had online and in-person where pilots say something like "I didn't want to declare an emergency, because I didn't want to do a lot of paperwork." Invariably, someone (sometimes me) asks "for those of us who have declared an emergency, how much paperwork was involved?"

In ~95% of declared emergencies, there is zero paperwork or followup required. In over half of them, the pilot elected to (voluntarily but advisedly) fill out a NASA ASRS form (which is about a 15 minute task and something they probably would have done under the same circumstances without the emergency declaration). ( https://asrs.arc.nasa.gov/docs/ASRS_ProgramBriefing.pdf )

The paperwork is often NOT government mandated; there may be corporate mandates, too around it.

(I've technically declared pan-pan once, there was no paperwork.)

This might well be somewhere that you can improve with training. It reminds me of the situation for CAPS (the Cirrus Airframe Parachute System, a ballistic parachute for Cirrus small planes). Once you train pilots to specifically plan to use CAPS when things go wrong, rather than relying on them realising in time after something has gone wrong but before fatal injury is inevitable that the CAPS can save them, you get significant improvements in save rates.

It may be that training pilots specifically to declare emergency as soon as there's a problem rather than waiting until they're sure they can't solve the problem and need outside assistance will improve overall safety outcomes.

There's a tragic case I watched a safety video about where the private pilot, very low on fuel, asks if he can land at a (closed) airbase whose traffic controller he's talking to. The base's controller says he cannot land unless he's an emergency. That was his last chance to survive, all he needs to do is say he's an emergency - "I'm on fumes, I need to land right now" she'd turn the base's lights on, he puts it down on a strip that's not meant for civilians and maybe he spends the evening explaining to some MPs how he fucked up - but he's not dead. Instead he accepts this as a "No" and flies on for a few more miles until he runs out of fuel and crashes.

Indeed the improvements in Cirrus training and communications has had a fleet-wide positive effect. I do think calling all of the no-life-lost deployments "saves" is disingenuous at best and more likely intentional shading of the truth. We don't call every airbag deployment without loss of life a "save" but we can draw database-wide conclusions about how many net lives were saved. In CAPS case, I don't believe the most accurate estimate of lives saved (vs a counterfactual where the airplanes did not have CAPS) is 258 across 126 events, as many of those occupants would have also survived the event without CAPS.

PS1: I saw what I think is that same ASF video ( https://youtu.be/fLlWf-Fk_YM?t=10m ). Really frustrating, especially how obvious it was an emergency to everyone except the two people on the radio (where the bulk of blame belongs to the pilot of N4975S.

PS2: One of my instructors was in CAPS Event #59. I talked to her afterwards; she was a fan. :)

I think the airbag comparison is a bit off, airbag deployment is automatic, so it may be that all the humans involved were like "This is fine" but you tripped the impact limits and so now there's an airbag deployment, CAPS isn't like that, a human has made the conscious decision to deploy.
Yes, but the outcome is still a statistical improvement over a non-zero baseline. Some of the stricken Cirrus would have been landed with zero fatalities (likely including my flight instructor's case).

Calling them all "saves" is overstating the incremental benefit.

I think the problem is that the CVR is supposed to stop after landing but there are many successful landings where this is skipped, either because of overwork like here or because the pilots discounted the situation.
Every airplane type is a bit different, but typically, if the aircraft is powered then the CVR is recording. Even if it’s at the gate with nobody onboard— the CVR does not know nor care.

The only way to stop the CVR from recording is to depower the airplane (which is one of the steps you take prior to an emergency evacuation) or to pull the circuit breaker if the airplane needs to stay powered.

A pilot would never pull the circuit breaker without confirmation from management or safety to do so. It’s just not done routinely. Depending on the airline, it may not even be the pilot’s responsibility to do so. Every airline has a binder (likely, several binders) full of procedures to follow after a NTSB-reportable accident. No one person is expected to do the job of many.

Seems like a decent compromise would be to record a 2 hour loop but as soon as the words "declaring emergency" or similar are detected it stops looping and just records everything till the storage is full. Say 25 hours worth. The point being that at the end of 25 hours it's no longer recording as there is no chance of anything relevant still being said at that time.

Could even have some indicator in the cockpit that it's in emergency mode for the pilots to turn it back to loop mode in case of a false positive.

Pilots aren’t stupid. You have created a disincentive to declare an emergency and added to the crew workload in an emergency. Human systems are complicated.
This pilot with a popular youtube channel about aviation and air disasters has an video on the topic, if you want a pilot's perspective on something that as a techie seems obviously outdated in 2023: https://www.youtube.com/watch?v=qMWZCuTQpds

At least the voice recorder is 2 hours instead of half an hour now. But watching those incident videos I've seen a couple that ended up being investigated but the pilots didn't pull the circuit breaker and the investigation was based on the flight recorder, specially in those cases where things end up fine.

Would the CVR have helped in this specific situation? I'd assume this was a flaw of the plane and the lack of recording is probably not that big of an issue.
No, but it would tell a lot about the response of the pilots, and whether they took any actions that might have endangered the plane more, even though the outcome was good.
> Would the CVR have helped in this specific situation?

In the next one, yes. Note the goal is not to do blaming and shaming, but to reduce anything similar happening, and to increase effectiveness of response. For example did multiple alarms go off, so it took longer for the crew to establish what the problem was? How quickly and effectively did the crew respond to the problem, and did the procedures they followed work effectively? How saturated were the crew with things to do? How well did training scenarios correspond to the actual event? How well did CRM work? [1]

As a result of looking at those, changes like the following could be made (and have been done as a result of previous investigations):

* Updating how alarms are prioritised and presented

* Updating flight management systems

* Updating the procedures to troubleshoot and respond to this kind of event

* Reducing workloads

* Updating training scenarios

* Using the incident as a good example of something being handled

[1] https://en.wikipedia.org/wiki/Crew_resource_management

Probably not, but with a 25 hour recording window one could make sure that the previous crews did not notice any irregularities (that they might not have reported) or anything else that might have lead up to this incident. That's pretty mind boggling that a modern age voice recorder doesn't even support storing the timespan of an intercontinental flight.
In this case the decompression blew away the reinforced cockpit door and the rushing air took away their checklist (and almost a headset) so they had to use the reference handbook (and/or do stuff from memory) so it would be interesting to hear how exactly it went. Also their communications were a bit confusing (no mayday?!) perhaps it was discussed in the cockpit.
I'm reminded of the Gell-Mann Amnesia effect when I read the comments that express outrage at how technically easy it is to have longer recordings from the microphone that your employer has installed at your desk that automatically records everything you say at work.
well, they do record my slack messages for 2-3 months, and I am ok with that, even though that's my main method of communicating with my colleagues, and includes a number of personal conversations with them. Now, if my work required me to be able to verbally communicate with my colleagues, and the consequence of miscommunicating was the loss of 100s of lives and millions in property, then I would expect them to record every single thing I said, spoken or written, judiciously.
This two-hour thing also means that if we ever find MH370 we will still never know what actually happened at the beginning of the flight when it diverted.

It really should have enough to save at least the longest flight possible.

Depends on how quickly the captain was able to disable the CVR.
That assumes the prevailing theory of malicious pilot was correct. Indeed if he did manage to turn it off early it might have contained something.

However if that theory is indeed true, it's clear that he wanted to disappear without a trace. In that case it would have made sense to keep it running especially because it only keeps the last 2 hours.

But yeah if it had been longer he would have turned it off in that scenario. It would be best if the CVR had a backup battery (and internal protection is that shorting out). In fact I remember reading in several admiral Cloudberg articles that the CVR and CDR data was incomplete due to bus power loss during accidents.

This interests me as a former neurosurgical anesthesiologist (38 years; retired in 2015). If you told me the anesthesia machine will have a microphone that will record voice in addition to the various physiological parameters recorded by the myriad monitors on the machine, I wouldn't have any problem with it.
You're not at your anesthesia machine during your breaks. Pilots are in the cockpit ±the whole time.
At least one pilot is in the cockpit the whole time. On long haul flights they take turns sleeping in a dedicated small room off the cockpit.

Breaks during cases don't happen when you're in private practice in anesthesiology.

oh ffs, the fact that it's only 2 hours remains stupid: these same aircraft are sold in the eu that apparently requires more than that, it's clearly not some hard engineering problem, presumably someone doesn't want to pay $50 more per aircraft.

But add to that the requirement that pilots have to remember to pull the CVR fuse to stop it overwriting, and then the malicious case where pilots have seemingly intentionally pulled the CVR fuse prior to illegal actions in order to disguise those actions, this is clearly a beyond brain dead system.

The local recording should be more than two hours, but these days there's no justification for it not also being continuously uploaded.

It's technologically trivial, today, to perform an automated secondary backup (local or otherwise - but ideally remote) of days - months, years - of this telemetry and voice recorder data.

(as well as to keep it private & encrypted, and only accessible with a warrant from a judge)

If the FAA does not mandate, at least, this from now on, it will just add to the pile of evidence that they are in Boeing's pocket.

PS: Secondary backup. No existing system has to change. Just an outer layer of backup tapping into the existing data recording loop.

PPS: Give me USD 15M + 10K per aircraft + 10 cents per transported/flown passenger ever protected by this System, and I'll design and implement it for you - with quadruplex redundancy.

(disclaimer: Founder tier pricing. General pricing may vary - up)

This comment is peak HN arrogance, or pretty close to it...
Oh, but you haven't seen nothing yet - what about, on top of that, even some extra credibility:

Former NASA Engineer, baby B-)

Impressive. Just tell me, when did NASA develop and build civilian aerospace components?
Not the point - these are just peak HN arrogance credentials ;)
Absolutely the point, because none of what you propose is easy, let alone trivial... As you would know if you came close to civil aerospace development, certification or change management.

You also ignore that it is more a policy than a technical problem, Europe has 25 hours and not 2 like the US. No idea how easy it is to retrofit the 25 hours into US certified aircraft with 2 hour recording, which might pose another problem.

Bit hey, use your NASA credentials, apply to YC or any other VC, and launch your "trivial" tech solution.

Thanks for the venture offer, but I'm busy frying bigger fish right now.
I read it more like an annoyed take on the aviation industry's change management process.
Based on my experiences with modern technology I don’t want aviation learning anything from tech.
Actually I found it makes a great point.

> peak HN arrogance

Take peak HN arrogance, balance it against peak bureaucratic promises plus peak actual cost, and let me know what you come out with.

Is it arrogant to wish to survive a common civilian airplane flight?
No, but pretty ignorant to propose something that makes it easier to investigate crashes and incidents while having zero impact on incident prevention.
Assuming zero impact is the arrogance. These systems are complex and human. You can’t make changes without side effects. Nothing is free and actions can have unintended consequences.
All the same, not changing anything changes nothing.

And any change involving tech/gear are preferable to changes involving procedure (either more of it, or changes to it).

Extending the recording length on voice recorders to a higher number seems pretty straightforward (and already done elsewhere).

Extending to 25 hours is a lot different than extending it forever. Using “cheap” and “easy” recording devices is frankly reckless. Look around this comment section at the ignoramuses willing to throw SD cards at commercial airliners. Everyone’s an expert.

Yes, voice recorders should last long enough to capture everything that happens on a flight. But at the same time pilots should have protections to make them feel safe from retaliation.

Aviation safety is an incredible achievement that we as technologists should learn from. It’s not fertile ground for self-proclaimed “engineers” to piss their pet theories upon.

You're the one thinking of SD cards - no one else (that I'm aware) mentioned anything of the sort.

The aviation industry, and its monopolies, have to stop being treated as sacred cows and be subjected to thorough - consequent - scrutiny and accountability at all stages of the aircraft lifecycle. It certainly hasn't been the case with the 737 MAX - the system, as is, clearly failed the almost 400 people that already died. And if the MBA-types continue to have their way, the deaths won't stop there.

Finally, I'm not going to engage in insults, they only qualify yourself.

To be fair, investigating incidents and crashes is how you get incident prevention. Most safeguards today are a result of the lessons learned from NTSB investigations.
I had assumed it was satire so you’re absolutely right if it was not!
Well I think that one flew right over your head. Something Boeing couldn't achieve, so clearly the poster must have worked for Nasa.
Err - it is an EASA requirement that Boeing already conforms to, I believe.
I think he was punning about the flying over the head being something Boeing couldn’t achieve
Startup culture is basically entirely about disruption and challenging status quo. It's not really any more arrogant than general startup mentality, which admittedly is very often arrogant (facebook for dogs, seeking $1B in investors!)
Someone just invented DropBlackBox.
I'll make sure you get some royalties for that name suggestion ;)
Just get an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem.

/s

rcs. you meant rcs. and uucp.
But it needs to be more enterprise-y, X.400 with maybe X.25 should do nicely.
Just dont use Azure....
>> only accessible with a warrant from a judge

What's your technical solution to this aspect? The solution must be "technologically trivial" which I take to mean implementable today or in the near future with no change to how current regulations or laws work or to how current workstreams outside of the secondary backup system work (i.e., no change is required like having the judiciary start using crypto). We are also using the strict definition of "only." It should be technologically impossible for any person or entity to access the data without a warrant.

I mean my System will have a layer of encryption protection. And if the FAA, Unions, etc., so wish, it can be made to completely preserve privacy and only unlocked when the applicable judiciary (or whoever) sees fit.
So you don't have a technical solution. Got it.
But I absolutely do:

Elective during (and after) the System's procurement, you can also option it with a "Board-of-Trustees-as-a-Service" to decide when to open the Seal of Privacy and disclose the System's Recordings - if ever.

(prices for this option are in Swiss Francs)

Asymmetric cryptography isn't a rocket science. Airline keeps encrypted recording and public key, certain government institution keeps private key, you need both to decrypt.
This violates rule 1 by requiring a government institution to keep a private key: no change to how current regulations or laws work or to how current workstreams outside of the secondary backup system work (i.e., no change is required like having the judiciary start using crypto)

This violates rule 2 by not assuring that a warrant is necessary because somebody at the government institution has the private key (assuming that institution is not the judge): It should be technologically impossible for any person or entity to access the data without a warrant

No it doesn’t - it will just cost you the BoTaaS service I’m providing, payable in Swiss Francs.
> It should be technologically impossible for any person or entity to access the data without a warrant

I don’t understand why you’d impose restrictions on this system that do not exist elsewhere? What makes cockpit voice recordings sensitive enough to warrant more secure storage than people’s bank accounts?

Or they could just implement the 25-hour recorder like they have in Europe. This was a policy choice, not a technical limitation.
It’s not that simple. Europe has a different regulatory environment. Do pilots in the US have the same protection from retaliation for example? Has the 25 hour recording period improved safety? Have there been undesirable side effects?
> If the FAA does not mandate, at least, this from now on, it will just add to the pile of evidence that they are in Boeing's pocket.

I don't see how it's in the interests of Boeing to keep the mandate at 2 hours. If it gets extended, it's likely that in future incidents they will have more evidence of pilot error than they do now since that is the primary cause of accidents (even for Boeing), plus I am sure they can print some nice invoices for the costs of the upgrades to existing fleets.

Well, could be, but another possibility:

- most pilot errors resulting in an incident occur close to the incident and thus the # of times it's their fault will drop off with longer recording time

- the longer recording time may allow for some complaints about the Boeing aircraft or some clunking noises to be identified which could indicate an issue with the aircraft

The key concept here is: “clunking noises”.

(aka “aircraft defects”)

PS: I mean it.

Not all clunking noises are defects and not all defects make clunking noises.
Free hint: “metaphor”.
(comment deleted)
(comment deleted)
why do you think the lack voice recordings protect Boeing instead of the people being recorded?
There are human lives on the line - thorough records are clearly warranted.

(not same as open-access: judge must authorize playback)

> There are human lives on the line - thorogh records are clearly warranted.

I'm not suggesting otherwise.

> it will just add to the pile of evidence that they are in Boeing's pocket.

I don't understand the connection between the lack of voice recordings and how that is proof of the FAA protecting Boeing rather than the lack of voice recordings as proof of the FAA protecting the pilots.

FAA has the final word - over manufacturers, unions, etc.
Aviation has a healthy blameless culture which has created willingness on the part of air crews to self-report deviations. If you make a mistake and own up to it you suffer no consequences. Keeping recordings forever may disincentivize crews from communicating freely if their comments could come back to haunt them years later. This may still be a good idea but it’s not as simple as changing the retention period on recordings.
Only warrant-issued-by-judge-mandated disclosure.

Full privacy preservation.

Aviation is safe because the participants all trust each other. Blanket recording for undefined future use undermines that trust. This has a chilling effect on communication. Crews will be reluctant to communicate with each other. The risk of a warrant being issued at all creates an adversarial relationship between crews and investigators. This is a horrible idea and suggesting it betrays a cliche misunderstanding of the domain that is the stereotype of modern technologists.
Yes, the blameless culture is a critical safety feature and it could be ruined very easily if the failed leadership in the industry starts looking for scapegoats.

It's sad too because analyzing every cockpit conversation with AI to highlight things that may cause common confusion could be invaluable. Instead, the short-sighted leadership in today's business world will use it for (job) performance analysis and to penalize workers for failing to act like robots :-(

Possibly. But as a technologist I don’t trust AI to actually deliver such a result in our generation. The system will inevitably be created by modern technologists without intimate domain knowledge. It will be motivated by short-term deadline chasing and MVP culture. The cockpit of an airliner is no place for bleeding edge technological innovation. I don’t need an Airbus with Siri. Pilots already spend hours in training every year. Is reviewing the output of this AI system really a better use of their time? What problem is it even solving?
What would it take to make you trust AI?
Decades of development and successful deployment first in non-safety-critical settings then further demonstration in progressively higher stakes environments. In addition demonstration that the technology has any benefit to this domain at all.

My concerns have more to do with the technology industry than AI itself. AI is a buzzword and the technology as it exists is of dubious benefit here. We have an unhealthy tendency to deploy technology too early and for the wrong reasons. These are undesirable impulses in aviation.

Thank you for your honesty. Are there any other industries that you hold at a similar standard?
I can't speak for GP, but "safety critical" is the term relevant to this thread I think. Any situation where people die if you screw up, where that includes screwing up at a higher level, such as introducing ill-thought-out process changes.
Thank you. That's a good grounding that helps orient toward what I feel is being conveyed.

I sense there's a lot of overlap with SCADA-enabled infrastructure: transportation, nuclear, industrial control, &c. And we should be hesitant to deploy AI in those environments. Am I getting that right?

Analysing cockpit voice recordings for confusing terms (using AI or not) does not strike me as something that would affect the operation of the aircraft in any shape or form?
You’re assuming the AI works and does what you expect. Neither of those are reasonable assumptions.

Everything has an opportunity cost. To be beneficial AI has to be better than the status quo to be. In aviation that’s a much higher bar than “not nothing”. It has to be better than the time saturation flight crews already experience.

I’m not assuming the AI works at all. Maybe we are talking about different things?

If the flight is over, and some analysis spits out a bunch of garbage, how does that hurt anyone? Nobody is going to tell pilots that they should stop using the word ‘and’ even if the AI spits that out as a possible point of improvement.

If the AI doesn’t work it is a waste of everyone’s time to even look at the output. As I already said nothing is free. There’s always an opportunity cost. Collecting data for unknown benefit has a cost in dollars, time, and potentially human life. “The AI doesn’t have to work” is exactly the thoughtlessness that aviation avoids and technology breeds.
> If the FAA does not mandate, at least, this from now on, it will just add to the pile of evidence that they are in Boeing's pocket.

It's the pilots' union that is opposing this. I doubt Boeing cares either way. If anything they'd want the extra data.

(comment deleted)
I think you would find pushback from far more than just Boeing. Airbus, APA, ALPA, etc. Nobody in the industry would find it reasonable to broadcast something that isn’t meant to come out.

I think the reasons for the missing data need to be established before we go calling for sweeping change.

EDIT: It appears the recorder had continued operation and thus overwrote the data. This is a failure in procedure. Procedures are in place for securing evidence in incidents such as this and for some reason the ball was dropped.

It seems that the main disadvantage of the current system is a 2-hour loop of storage, which can be overwritten in long flights and hence missing. The change needs to be either longer storage which would be a approvals nightmare, or something like OP proposed which isn't too ridiculous. I have certain compliance paperwork that needs to be retained for 5+ years, why not cockpit audio also?
Plenty of other commenters have established why it’s ridiculous. Cost, bandwidth, privacy, questionable value.

The ICAO 25 hour standard seems reasonable to me as someone in the industry.

The argument about privacy is a bit of a red-herring IMHO. The audio should be recorded for each flight plan (whether one segment or multiple) in its entirety. The system can automatically delete all recordings finished N or more hours ago on next power up (say 6 hours).

In a crash scenario obviously power will be lost at some point and not return so the data is safe.

In a malfunction scenario standard procedure would be to pull the box before powerup so even if maintenance doesn't get to the plane quickly or the pilot's incident report arrives after a few hours the recording related to it is still present and maintenance can go back and grab it. Or for scenarios where a malfunction beings on the early part of a multi-segment flight plan the data would still be available.

But for pilot privacy the recordings are not held forever. During normal operations the plane will be powered down, eg while parked in-between flights, and when powered up older recordings get truncated.

All telemetry should be streamed to a cloud service in real time. Absolutely no reason not to do that. No one should ever need to "search" for a plane or wonder what happened to it.

> In a crash scenario obviously power will be lost at some point and not return so the data is safe.

Catastrophic crash scenarios are not the only scenarios where data preservation is desirable.

> Catastrophic crash scenarios are not the only scenarios where data preservation is desirable.

That's exactly why I said "In a malfunction scenario" in my comment.

Modern aviation uses essentially a blameless post-mortem incident reporting process where pilots are encouraged to report when something unexpected happens - even though the airplane wasn't damaged and no one was injured. This has helped tremendously both in discovering issues that could be the cause of a crash in the future as well as improving training for other pilots.

But very rarely is any data recovered in these situations. If things worked as I noted maintenance would have enough time to grab the data after the report without storing the recordings forever.

The privacy concern is legitimate because these aren’t servers, they’re people. If you change the data retention policies their communication patterns will change as well.
Is this a bad thing, or will it simply lead to better communication about the tasks at hand? Genuinely curious on thoughts here.
Good question. That’s exactly the point. This isn’t obvious and the question needs to be answered before changing airline regulations.
> no data was available on the cockpit voice recorder because it was not retrieved within two hours - when recording restarts, erasing previous data

In a post iPod era and with a budget greater than the cost of an iPod, this is a non-issue. I wonder what the real issue is.

It's not a non-issue when every single staple, bolt, device, and piece of cloth needs certification and approval from a government agency.
The "real issue" is that CVR and FDRs are very complicated and specially built devices. They record detailed data and must protect it against ANY danger. Massive fires, being stuck at the bottom of the ocean, a plane slamming into the ground at a 90-degree angle, etc.

They must allow data to be recovered in as many cases as possible, prioritizing that over raw data storage amount or convenience.

It's not really about storage amount or convenience if the data is lost. That's no different than not surviving a fire.

The "it took longer than 2h to retrieve the voice recorder" seems one of the dangers then. And at least just as likely as many others, e.g. it's easy to imagine this happening together with "being stuck in a remote place".

It is not about how long it took. It's because the pilots forgot to pull the circuit breaker.

In most crashes, both recorders lose power so it's not a problem. In cases like this and the plane is fine, the pilots need to pull the breakers.

Recorders have been found months after accidents and still retain all data.

> no data was available on the cockpit voice recorder because it was not retrieved within two hours - when recording restarts, erasing previous data.

> The U.S. requires cockpit voice recorders to log two hours of data

So.. what happens when a crash happens at 2:01 into a flight, you have just one minute of audio? how is that in line with the requirement to keep 2 hours of audio?

> The maintenance team went out to get it, but it was right at about the two-hour mark

> The plane's flight data recorder and cockpit voice recorder were sent to NTSB labs on Sunday to be read but no voice data was available

So as soon as that 2-hour mark is hit, the CVR secure-erases everything it recorded and starts anew? (data-recovery was not possible???) ... I feel like something is missing here...

It doesn't clear every two hours, it's a rolling two hour recording. Since the plane was still operational, it continued recording and it was just over 2 hours before maintenance crews disabled the recorder.
OK, what you're saying is that the 2 hours of audio leading up to the crash were overwritten by the recording having continued for another 2 hours after the incident? So, it's just poor wording in the article?
It's technically possible to make the recorder encrypt the recording in real time using asymmetric cryptography and a symmetric ratchet. Using a private key only the NTSB or some other agency would have, and create a legal framework where they need a court order to decrypt the ephemeral key and release it to investigators.

This will eliminate the possibility of your employer or some technician spying on you through this vector as it would require the government to also have a significant interest in a single case.

Two hours is ridiculous
They should just bump it to a day, like in Europe. Easy to justify if you can see it working well elsewhere.