feature article

Managing Mental Myopia

Avoiding Single-issue Engineering

Altitude – 25,000 feet.  Three minutes – I check my oxygen saturation – 95%.  My O2 system is working with 800psi showing on the meter.  I place the monitor on the shelf above the audio panel where it will wait until my next check in 3 minutes.  Cylinder head temperatures – all in the green.  Manifold pressure is at a turbo-boosted 29.3 inches, and fuel flow is at 17.4 gallons per hour.  True airspeed shows 210 knots (241 MPH), and with the nice tailwind, we’re making 276 knots (317 MPH) over the Siskiyous on our return flight from San Jose, California to Portland, Oregon.  All is quiet on the radio, as we haven’t seen or heard any traffic for over 20 minutes since we were transferred to Seattle Center.

At FL250 (25,000 feet above sea level) the average time of useful consciousness (TUC) is a frighteningly short 3-5 minutes.  TUC is defined as the “amount of time an individual is able to perform flying duties efficiently in an environment of inadequate oxygen supply.”  In the Cirrus SR22 Turbo I’m flying, oxygen is supplied by a factory-installed PreciseFlight system and delivered via a full-face mask with built-in microphone.  For me, as a pilot, this represents a potential hazard that I work hard to mitigate.  I never venture to the flight levels (above 18,000 feet) without a co-pilot or a well-briefed passenger.  If I’m distracted, somehow kink my oxygen hose and become hypoxic, my co-pilot/passenger is instructed to activate the autopilot to execute a rapid descent to 12,000 feet – low enough for easily breathable air and high enough to remain clear of the terrain.  I also make a practice of checking my O2 saturation levels at least every three minutes.  This gives me a chance to always detect and react to an oxygen problem during the “perform duties efficiently” phase.  Finally, I know my own personal symptoms of hypoxia (every individual is different), and I am always watching for them.  While just about everything we do in life carries some degree of risk, understanding and managing those risks allows us to stay safe even in unusual circumstances.

Below us, the terrain is rugged.  In a single-engine airplane, we are generally taught to glide to a suitable landing site and land in the event of an engine failure.  At this altitude, my effective glide range is quite large.  In the event of a total engine failure, I could probably make any airfield within a 35 mile radius of my position.  Here, over the Siskiyous, that range is of no use at all.  The comparatively flat Willamette Valley with its abundance of roads and runways is probably a hundred miles ahead.  However, the Cirrus is equipped with a whole-airplane parachute.  If I lost my engine here, I’d almost certainly prepare the passengers, pull the power and fuel mixtures back to the stops, and pull the red handle above my head – firing a rocket-propelled parachute out the top of the fuselage.  A few seconds later, I’d be making a distress call to air-traffic control as the whole airplane floated gently downward under the chute.  Airplane engines are extremely reliable, however.  In a lifetime of flying I’ve known only one pilot to have a complete engine failure in flight.  (He and his passengers walked away uninjured.) Regardless, the parachute system provides wonderful peace-of-mind.

About two minutes later, as I’m about to check my O2 saturations again, something… happens.  The airplane (under autopilot control) remains perfectly straight and level. The pitch of the engine (with the RPMs regulated by a governor-controlled variable pitch three-blade composite prop) remains exactly the same – 2500 RPM.  Everything looks normal at a glance, but I am certain that something has just changed.  There is an almost indescribable “squish” feeling that immediately sets my senses on full alert.  My passenger has apparently noticed nothing.  She continues listening to the XM radio and looking out the window at the beautiful scenery.  I press “pilot isolate” on the audio panel, and turn off the active noise cancelling feature on my Bose headset.  I want to hear everything the airplane is telling me.  I grab the knob on the multi-function display (MFD) and bring up the engine page.  Cylinder head temperatures are all in the green, but exhaust gas temperatures are slowly rising – not to a dangerous level, but rising nonetheless.  There!  Manifold pressure is now at 22.7 inches.  That’s… wrong.  The absolute pressure controller on the turbo system is supposed to manage the waste-gate to keep the pressure at a near-sea-level 29.5 inches.  Somehow, we’ve just lost seven inches of manifold pressure.

The inter-cooled, turbo-normalized engine in the Cirrus is designed to be run lean-of-peak (with a fuel-air mixture that has surplus air rather than surplus fuel).  Since we’ve lost manifold pressure, we now have less air in the mixture.  That’s why our exhaust temperatures are rising – we are now running closer to the “peak” mixture ratio (which is bad for the engine).  I gently slide the mixture control back – leaning the fuel flow to the appropriate rate for our new manifold pressure.  The exhaust gas temperatures immediately start back down toward normal.  All cylinders are running correctly (the engine display shows both exhaust and cylinder head temperature for each cylinder), so I don’t suspect any ignition problems.  We are now running at approximately 70% power (maximum high-power cruise is about 85% power).  True airspeed has dropped to about 200 knots (far above stall speed) and is stable.  I decide I have time to think.

I reason that we must have some pressure leak in the upper deck of the induction system, or a failure of the pressure controller – venting too much turbo boost from the upper deck.  Clearly, we still have turbo boost, because we could never get 22 inches of manifold pressure at this altitude if we’d had a turbo failure.  If true, what this means is that we’ve now got an engine with something less than normal turbo power, but with more power than the non-turbo version of the same airplane.  I conclude we do not have an emergency at this point.  However, if my analysis is wrong and there is some more sinister trouble brewing, I want to put us in the safest possible situation in case of a total power loss.  I look over my head to be sure the safety pin is removed from the CAPS parachute system.  I look at the GPS and see that we are about 100 miles from our next waypoint – Eugene, Oregon.  At this (reduced) speed, we’ll still be there in about 20 minutes.  I decide that my altitude and airspeed are my friends, and I do not begin a descent or change the power settings.  Every minute that the current situation stays the same, we are safer.

Oops! We have passed three minutes and I have not checked my oxygen saturation levels.  I clip the monitor onto my fingertip.  My O2 saturation is now up to 97%.  My heart rate is ticking along at a brisk 102 bpm.  Apparently the turbo problem has gotten my attention.  My passenger must have noticed something in my behavior.  “Is everything OK?”  I click off the “pilot isolate” button and explain the situation.

The next twenty minutes pass without any change.  Air traffic control (ATC) gives us a normal descent and approach into Portland International Airport.  As we descend, the manifold pressure gradually rises to normal.  This validates my theory about the upper-deck leak.  Back in the hangar, we remove the cowling and find that a vent hose on the back of the induction manifold has come loose.  Apparently a maintenance tech forgot to tighten the clamp after the last maintenance.  At the high altitude, the pressure difference was enough to work the hose off – venting induction air and dropping our manifold pressure.  This was a completely innocuous, maintenance-induced failure and, apart from a couple minutes extra flying time and a temporary escalation of my heart rate, totally harmless.

One of the things that is wonderful about the type of airplane I fly is a large and active online community of pilots.  We share our experiences with each other – asking and offering advice on a wide range of flying (and particularly safety-related) topics.  There are thousands of pilots active in the forums and a wealth of information and experience available.  In the forum, I found the account of another pilot who had experienced exactly the same failure.  His conclusion, however, was that the failure represented an engineering problem – a design flaw with the aircraft that needed to be corrected.  He argued that the potential for a simple maintenance mistake – forgetting to tighten a hose clamp – could cause a significant loss of available power, and that something needed to be changed in the design to eliminate that risk.  As is often the case, there was significant debate on the nature and necessity of such design changes, with the other pilot arguing for a major modification that would have involved numerous changes including the re-routing of oil lines.  The pilot involved seemed convinced that even the engineers debating with him were just “being lazy” and not paying attention to an obvious defect. (In these forums, some of the engineers that actually designed the turbo system get involved in the discussions – bravo for them!) 

For engineers, this situation happens often.  We focus on a particular problem or begin trying to optimize a particular parameter and lose sight of the big picture.  Sometimes (as in this scenario) outside pressures – customers, marketing – can back us into a corner of the design problem.  Certainly there were engineering changes that could make this particular failure less likely, but most of them involved creating new points of failure that would carry much more serious consequences.  An oil leak, for example, would most likely have resulted in our trying out the parachute system over the mountains rather than making an uneventful, normal landing at our home airport.  If I were trying to make this airplane safer at high altitudes, I would focus on the oxygen system.  A single hose dangling from a connector on the ceiling keeps me always within “3-5 minutes” of losing my most valuable asset – my judgment.  I choose to mitigate that risk with a number of precautions.  Some pilots are less conservative than I am – they fly single pilot at high altitude.  Others are more conservative – they use constant monitoring of blood-oxygen saturation levels and carry a backup portable oxygen supply.  If I were setting the system-level engineering priorities to make this a safer airplane, that’s probably where my attention would go.  

This effect can happen anywhere.  When I was working on logic synthesis tools, we had an engineer spend weeks trying to get a particular corner case to optimize correctly.  When he finally finished his work and merged his code changes back into the mainline, the design that he’d been working on definitely got better.  However, overall, his change had caused a 15% net loss in quality of results across our entire test suite.  He’d focused on a particular problem to which he had an emotional attachment and lost sight of the big picture.  In some areas of design, these mistakes are benign – we can live without that extra 15% synthesis QoR for a couple of days.  In others, the consequences can be severe – risking the lives of pilots and passengers rocketing through thin air over the mountains at over 300 MPH.
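The kind of merge gate that would have caught the synthesis regression above, as an added example that is not from the article or from any real synthesis tool: each test case in the suite has a quality-of-results (QoR) score before and after a change, and the gate reports the targeted case's gain alongside the suite-wide net change, rejecting the merge when the net loss exceeds a tolerance. The case names, scores and the 1% tolerance are constructed for illustration.

```python
"""Suite-wide merge gate for an optimizer change (constructed example).

Not from the article or any real synthesis tool. A change that fixes one
targeted corner case is scored against the whole regression suite, so a
local win cannot hide a suite-wide loss in quality of results (QoR).
Case names and QoR numbers below are constructed; higher QoR is better.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CaseResult:
    name: str
    baseline: float   # QoR score before the change (higher is better)
    candidate: float  # QoR score with the change applied


def pct_change(before: float, after: float) -> float:
    """Percentage change from before to after; negative means a regression."""
    return (after - before) / before * 100.0


def evaluate_change(results: List[CaseResult], targeted: str,
                    max_net_loss_pct: float = 1.0) -> Dict[str, object]:
    """Score a change on the targeted case and on the suite as a whole.

    The net figure sums all baseline and candidate scores, so a large design
    weighs more than a small one. The change is accepted only when the
    suite-wide net loss stays within max_net_loss_pct.
    """
    target = next(r for r in results if r.name == targeted)
    total_before = sum(r.baseline for r in results)
    total_after = sum(r.candidate for r in results)
    net_pct = pct_change(total_before, total_after)
    # Every case that got worse, worst first, so the reviewer sees the spread.
    regressions = sorted(
        ((r.name, pct_change(r.baseline, r.candidate))
         for r in results if r.candidate < r.baseline),
        key=lambda item: item[1])
    return {
        "targeted_gain_pct": pct_change(target.baseline, target.candidate),
        "net_pct": net_pct,
        "regressions": regressions,
        "accept": net_pct >= -max_net_loss_pct,
    }


# Constructed suite: the corner case the engineer worked on improves sharply,
# but every other design in the suite gets a little worse.
SUITE = [
    CaseResult("corner_case_mux", baseline=50.0, candidate=80.0),
    CaseResult("alu_32", baseline=200.0, candidate=170.0),
    CaseResult("fifo_ctrl", baseline=150.0, candidate=130.0),
    CaseResult("uart_rx", baseline=100.0, candidate=90.0),
    CaseResult("cpu_core", baseline=500.0, candidate=430.0),
]


def report(results: List[CaseResult], targeted: str) -> str:
    """Human-readable gate verdict for a review comment or CI log."""
    verdict = evaluate_change(results, targeted)
    lines = [f"targeted case {targeted}: {verdict['targeted_gain_pct']:+.1f}%",
             f"suite-wide net QoR: {verdict['net_pct']:+.1f}%"]
    for name, pct in verdict["regressions"]:
        lines.append(f"  regression {name}: {pct:+.1f}%")
    lines.append("ACCEPT" if verdict["accept"]
                 else "REJECT: local win, suite-wide loss")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SUITE, "corner_case_mux"))
```

On the constructed suite the targeted case improves by 60% while the suite as a whole loses 10%, so the gate rejects the merge. Weighting the net figure by baseline size is a deliberate choice: an equal-weight average of per-case ratios would let one large win on a tiny design mask modest losses on the designs that matter most.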

In our profession, we have a responsibility to maintain our perspective, our objectivity, and our holistic view of the system.  Our customers deserve nothing less.
