Monday, 10 December 2018

Automation - Fantastic reading, this - Curt Lewis

Automation, Pilots and Preventing Accidents
 
By Captain Shem Malmquist
 
In recent FSI articles I have put forward the idea that perhaps our problem is not weak pilots who are "automation dependent." Here I will expand on the topic and offer another possible mitigation to some of the accidents we are seeing.

I'll begin with a copy of an email exchange between myself and Clive Leyman, the chief aerodynamicist for Concorde and the Chief UK Engineer for the Airbus A330 and A340. Clive has been involved in the design of aircraft for several decades now.

This discussion also involved Captain Peter Duffey, a man who started flying for the RAF in 1942 and then flew for British Airways and BOAC. He went on to become one of the first pilots to fly the Concorde as part of the development group and training captain. Along the way Duffey flew a great many aircraft to a variety of destinations including the Berlin Airlift, North and South America, Asia, Africa and Australia. Aircraft included the Liberator, DC3, Lancastrian, Argonaut, Comet 1, DC-7, Comet 4, B-707, and many more. Upon retirement he continued flying corporate on the DH 125-700. Captain Duffey was also the BOAC BALPA chairman from 1964 through 1968. I am sharing these comments with permission. When one considers the experience of these gentlemen it is fair to say that their opinions should carry a lot of weight. Here is our exchange starting with my response to Peter on the capability of pilots to avert accidents today:
 
The real issue, Peter, is that the industry is no longer producing pilots with your kind of background. However, it is leaders like you who keep accident rates low despite the flaws in the design and certification process. I believe that current designs are dependent on pilots managing aspects missed during development. In an ideal world the designs would be perfect. For the foreseeable future we will have to train pilots to manage the unexpected. That used to happen organically, as your experience illustrates, but now systems are so reliable that new pilots haven't the chance to see anything significant.
 
Clive responded:
 
It's inevitable that pilots will be called upon to manage problems that were missed in development, because problems identified during development will normally be fixed before entry into service. We should also find that as experience grows such problems will become rarer and rarer. The problem then is, as Shem says, systems are now so reliable that new pilots don't have the chance to see anything significant, except to have exposure to known problems in the simulator. This is why genuinely new problems come as a shock.

I know from personal experience just how much bench testing is done to assess the effects of system failures both internal to the particular system and of crosstalk between systems. Even years of testing depend ultimately on what I call "requisite imagination," i.e. the engineer's ability to identify possible failure routes and combinations. Designers at least have the advantage of having a record of previous events and time to study them and take suitable precautions.

Pilots have entirely new circumstances thrust upon them and have to make decisions in real time. Inevitably there is a degree of experimentation in their response, even when successful, which cannot be mimicked by machines. So I agree with Shem - pilots will be with us for a long time.

One problem I do see is a generation of pilots that has grown up to be apprehensive of flight without the crutch of FBW enhancements. Yet underneath the glitz there is, or in my view should be, a perfectly flyable aeroplane. It might not be as easy to fly as the fully functional version, but it will still be flyable. When AI set out on their FBW path the stated intention was to give the pilots an airplane with the same impeccable handling qualities everywhere. Designers intended that the basic airframe should, indeed must, be flyable. I cannot answer for the A380 and A350, but I think [a mutual friend] will confirm that he had no real problems with the A320 and A330/340. A bit squishy at altitude certainly, but flyable in their natural state. I suspect Boeing has gone a little further down the road because the B787 had to be fitted with duplicated autonomous pitch dampers to give adequate handling in manual flight at altitude. Nothing wrong with that, the fact that the dampers constitute a completely separate system means that the consequence/probability rule is respected.

One suggestion would be a requirement that the aircraft should have adequate flying qualities. This would be no worse than 4 or maybe 4.5 on the Cooper/Harper scale. The crew training should include enough exposure to this state that pilots would not be afraid to switch all the automatics off when things go wrong and then approach trouble shooting logically. I suspect that aircraft in service already meet this standard; what is missing is the exposure to these characteristics in training.

Another issue relates to accuracy requirements stemming from things like RVSM.
 
Regarding AOA inputs into airspeed and altitude calculations, it should be mandatory to display AOA in the cockpit and to announce AOA system failures separately from airspeed failures.


Peter responded:

I agree with your views Clive. Pilots should have adequate indication of system malfunction and disagreements. This should always indicate control positions, including stab and elevator. Also there needs to be standby battery driven attitude fall back showing the other basics needed to safely complete a flight. There is nothing wrong in designing protection and augmentation systems, but their failure cases need examining and pilots should be trained to deal with these. The idea that the modern pilot need not concern themselves with these "remote" possibilities has already been shown to be overconfident.
 
All pilots, even beginners, with a qualification to fly a specific aircraft should know how to operate the machine using raw display of controls, and manual handling of controls. Such displays (Pitch, alpha, slip, altitude, control positions) will allow safe manual reversion. This should include a clear understanding of thrust control when failure or partial failure is also present. 
 
Adoption of this philosophy as a basic airworthiness requirement may set a new target for designers, certifiers, and test pilots. It is overdue. We now know what can happen in the absence of these things. Pilots need to fly without a crutch. Aircraft should be designed to allow this.
 
Let us consider why we added automation in the first place. Relieve workload? Perhaps. Allow for the removal of the flight engineer? Certainly. However, the real aim is to make it possible for the human operator to be able to concentrate on safety critical aspects and not be task-saturated with the more basic aspects of flying. Adding this ability is an enormous safety enhancement. So what has gone wrong?

It is not, as I have stated in previous articles, that pilots have become weak. Rather, it is that pilots are doing exactly what we wanted them to do. Like a person who has learned to walk, and now is able to think and evaluate the world around them instead of concentrating on the placement of each foot, pilots have become freed to think about the "big picture." This is a good thing! However, sometimes the automated systems are not doing what the pilot expects. It is analogous to your feet sometimes forgetting how to walk. You suddenly have to divert your attention back to them.

What we do not want to do is to tell a person who is good at walking, whose feet work and do their job without thought 99.9% of the time, that now they have to start concentrating exclusively on their feet. Unfortunately, calls for more hand-flying and attention are doing exactly that. We are then losing advantages that came with the automation, without regaining a third person on the flight deck to make up for the gap. We have designed the system to allow pilots to divert their attention away from basic flying and then blame them when they do exactly that!

A better approach would be to develop ways to rapidly bring pilots into the loop when needed. Currently the system does not perform well here, with warnings and alerts coming too late too much of the time, or not being salient enough for pilots to take the quick action they need to.


It is worthwhile reiterating what Clive wrote:

One suggestion would be a requirement that the aircraft should have adequate flying qualities. This would be no worse than 4 or maybe 4.5 on the Cooper/Harper scale. The crew training should include enough exposure to this state that pilots would not be afraid to switch all the automatics off when things go wrong and then approach trouble shooting logically. I suspect that aircraft in service already meet this standard; what is missing is the exposure to these characteristics in training.
 

Finally, in response to Clive's comment about "requisite imagination, i.e. the engineer's ability to identify possible failure routes and combinations", this is where MIT's System Theoretic Process Analysis (STPA) really shines. It provides a systematic way to channel the thoughts and capture these issues that no other current method offers.
 
Captain Shem Malmquist is a veteran 777 captain and accident investigator. He is coauthor of Angle of Attack: Air France 447 and The Future of Aviation Safety and teaches an online high altitude flying course with Beyond Risk Management and Flight Safety Information. He is a Visiting Professor at Florida Institute of Technology. He can be reached at shem.malmquist@gmail.com
 
Copyright 2018 Shem Malmquist
