Now is the time for deep thought about
the Air France 447 crash
There are still so many questions that it is hard to say which
lessons we are going to learn from Air France 447. However, we
should consider the thoroughness of investigation that this
accident requires.
In more than a century of aviation history, we have only two
pieces of air accident research acclaimed worldwide as outstanding:
Air Ontario 1363 and Mount Erebus. These events have a common
point: their investigators went beyond visible causes and, even
when their professional status could have been comfortable with
limited conclusions, they both decided to seek the truth.
The research of Los Rodeos was very good but the difference
between the outstanding quality of the work to determine what
exactly happened and the trivial conclusions drawn from this work
make this investigation far from masterly. The same can be said of
the research into the mid-air explosions of the Comets. It was a
very good job but strictly limited to technical variables.
There are some other accidents where it is easy to think that
the investigation should have gone deeper. For instance, would the
accident of Swissair-111 have happened if the flight had been
performed by a DC-10 instead of the newer MD-11? An analysis of the
workload for two or three people in the situation they confronted
could suggest that the DC-10 – the older model – could have been
better equipped to deal with the problem. If that seems
reasonable… could we not reach conclusions about secondary effects
of technological evolution? What about AeroPeru 603? In an older
plane, would the pilots have been trapped by tunnel vision centered
on as trivial a variable as “rudder-ratio”? What about AA-965 and
the automation of navigation?
The analysis of Air France 447, if the present hypothesis is
confirmed, could be made in two different ways:
- A minor bug in the design, under external and exceptional
environment, triggers the sequence of facts leading to the
accident. Improve the design and compensate those affected.
- A minor bug in the design triggers some automatic reactions
from the plane starting a snowball effect, so that the pilots are
either unable to make the right decision or prevented from carrying
it out. There is a systemic problem and the conclusions could be
far-reaching.
Systemic problems make investigators nervous because they mean
questioning rules and practices already accepted by the market and
regulators. That is why many of them could take the easy way out:
the investigation is limited to the most immediate evidence.
Furthermore, systemic problems do not have a clear and
easy-to-identify guilty party. Everyone, from the manufacturers to
the operators and regulators, tries to conduct their business in the
right way but this “right way” is included in a hard-to-handle
global dynamic. If any of the stakeholders decides to act by
himself, he is probably going to lose most or all of his market
share.
Even if the theory of a bad design proves accurate, it would be
unfair to point to Airbus or any other manufacturer as careless.
Manufacturers are in a permanent war against inefficiency because
efficiency means cost-reduction and operators convert
cost-reduction into lower prices. Since the competition is fierce,
operators evaluate very carefully the efficiency they can get from
every plane and this is a critical variable when making decisions
about fleet composition. Since passengers are convinced that
aviation is safe per se, the one who rejects the efficiency war
loses it and, hence, the market.
All of this is not new. Charles Perrow, in his book Normal Accidents, advised against
something that he called ‘tightly-coupled organizations’ due to the
risk linked to a search for efficiency. Jens Rasmussen established
a rule as the base-line for safety maintenance: The operator has to
be able to run, cognitively, the programme that the machine is
running. More recently, James Reason in The Human Contribution
pointed to different situations where only people could save a
situation. To make this possible requires the condition established
by Rasmussen: a deep knowledge of the system or plane. The actual
situation is exactly the opposite and is known as the ‘automation
paradox’: as the complexity of a plane increases, the training
required to fly it decreases. Furthermore, this could be one of the
main incentives for automation.
Against this ‘alarmist’ position, actions of manufacturers and
operators, accepted by regulators and passengers, have shown an
opposite view:
- Perhaps, not having a radio-operator in a plane is profitable
but accidents like Avianca 052 or the requirement from ICAO about
English say that something has been lost with the
radio-operators.
- Perhaps, not having a flight-engineer is profitable but
accidents like Swissair 111 show situations where they were missed
and, in some others such as Los Rodeos, a more assertive position
from the flight engineer could have avoided the accident.
- Probably, the cross-crew rating is economically justified but
there are many situations of negative-transfer where pilots have
produced behaviours adequate for planes different from the one they
were flying at that moment.
- Probably, long-range flights with twin planes are justified but
it is hard to get enough statistical information about the
ability, and reliability, of ONE engine working solo to get the
plane flying with asymmetric thrust.
- Probably, the reduction of training time in pilots is justified
but the increasing technological complexity and labels such as
‘need-to-know’ and ‘nice-to-know’ can lead us to situations of
‘If-only-I-had-known’.
We cannot ignore that, despite this, safety indicators have been
improving for a long time but this is only a part of the reality
and could drive us to get the wrong message.
The accident rate is lower but it is not possible to ignore that
the typology of accidents seems to be different and that requires a
specific analysis.
The label ‘situational awareness’ in the past was usually
applied to navigation and ‘situation’ was usually a synonym for
‘spatial situation’. Nowadays, the same label points to a wider
reality that sometimes means confusion not related to navigation
but with working-modes. There is improvement because things that
designers and pilots already knew are done in better and more
efficient ways. At the same time, strange situations can be harder
to manage and that is why new accidents arise.
It would be nonsense to accuse the manufacturers because they
play a game where they do not control all the pieces. It is enough
to observe the two biggest manufacturers to see that they have
imitated each other to get the most efficient solution:
- The A-310 solution, without a flight engineer, was followed by
Boeing 757 and 767, even when the wide cabins able to have a flight
engineer were not in the final design.
- When Boeing introduced twin planes for long-range flights, the
sincerity of the complaints by Airbus was tested when they started
to sell the 330s and now the 350s.
- When Airbus introduced FBW (fly-by-wire) technology in the
320s, Boeing showed a more conservative position, but only for a
short time, as the 777 and the brand-new 787 easily prove.
The path is clear: efficiency wins and, with it, automation,
complexity and training requirements reaching extremes such as
Multicrew Pilot Licenses.
Some years ago, when automated planes started to appear in the
market, an old pilot said something that became notorious: 'I’m
ready to fly a plane as automated as you want… as long as it has a red
button that converts it instantly into a DC-9.'
It seems common sense to have this possibility, which is, in
colloquial terms, something quite similar to the Rasmussen rule,
and which requires two conditions to be met:
- The pilot has to be able to fly a traditional plane like the
DC-9.
- The plane, once all the software is out, needs to have a design
making it possible to be flown by hand without big stability
problems or lack of basic information.
Are these two conditions met in the most modern planes and with
the present training practices?
It would be good if the investigation of a big accident like the
AF-447 could go beyond the change of a component. It would be good
if someone decided to use this opportunity to make an overhaul of
the air transportation system, including the role of the passenger
who lives in a kind of Matrix believing that aviation is a
non-risk activity instead of a controlled-risk activity.
If the passenger were conscious of this fact, perhaps he would
start to be interested in who controls the risks, and
how.
The present path of growing automation and complexity and
decreasing training is not good but there is not an individual
actor prepared to stop it because that would mean losing position in
the market.
Errors in efficient organizations and efficient machines are
also efficient because they use the same channels to produce their
effects; those of the normal operation. Now, the accident of AF-447
appears and, if the expected cause is confirmed, while it won’t be
the first time that this dynamic produces a bad outcome, it could
be the worst to date.
All the stakeholders have a big decision in their hands: to
change a little piece of a plane and wait for any other little
piece that, under an unforeseen environment, shows a defective
design and starts a snowball effect, or to challenge the whole
system.
Efficiency dynamics could be evil because nobody has the
resources to stop the war. Many of the readers can remember the
cold war where it was impossible to stop the armaments race because
the one doing it could lose. The one deciding to fix the situation
by himself loses. The defective piece could be today from Airbus
and tomorrow from Boeing but the problem is far beyond Airbus or
Boeing. There is a race that somebody – everybody – has to
stop.
The Rasmussen rule keeps its validity. Applied to aviation, it
means that the pilot has to know every single moment what the plane
is doing, how it is doing it and why, and, if required, he has to be
able, without limitations, to take full control of the plane. To do
that, ‘user knowledge’ is not enough.
We have to know how to differentiate false from authentic
decreases in complexity. Many pilots fall in love with the screens
because of the quantity of information they can obtain from them.
Boeing pointed out that the model 747-400 had decreased controls
and indicators by two thirds when compared with earlier models.
That is the false complexity reduction and it is very easy to show
with an example: is it easier to handle a radio with a single
button and a lot of modes or one that, for the same functions, has
20 single-mode buttons? Probably, the second one is going to be
easier.
The advances have been important and they have been made
following a path with big secondary effects. To go back is
impossible and, perhaps, not even convenient. However, the course
can be changed and this change needs to be made by everyone, including
the passenger.
José Sánchez-Alarcos Ballesteros