Safety in the air.
We began to assess the effects of automation on aviation safety in the previous "Inside RISKS" (January 1994).
The design of displays is an ongoing issue. Faced with small CRTs, a transient technology limitation, manufacturers tend to use "tape" formats for airspeed and altitude, despite their well-known cognitive problems. Similarly, many systems indications are now presented in "digital" rather than the old analog formats. This can remove trend cues, and it may also encourage an unfounded faith in the accuracy of the readout.
Related to the interface problem is the use of artificial control laws. Unconventional devices, such as uncoupled sidesticks, dictate innovations in control to overcome their limitations. Consequently, some flight-control qualities are not what experienced pilots expect. Moreover, "protections" can limit pilot authority in unusual situations. Since these control laws are highly proprietary, neither standardized nor a simple consequence of the natural flying qualities of the airplane, there is potential for significant training problems as pilots transition between airplane types.
The improvement of communications means that ground personnel are more intimately connected with the flight. The role of an airliner captain has been similar to that of a boat captain: his life is on the line, and he alone is in a position to make critical safety judgements--by law. With more real-time interaction with company management or ATC, there are more opportunities to second-guess the captain, resulting in distributed responsibility, and diminished captain's authority. Given the increasingly competitive, "bottom-line" atmosphere under which airlines must operate, this will help drive personnel requirements down, and will hurt the safety equation.
The effect of software complexity on safety is an open issue. Early inertial navigation systems (INS) had about 4K of memory; modern flight management systems (FMS) are pushing 10MB. This represents a tremendous increase in complexity, combined with a decrease in pilot authority. Validating software to the high levels of reliability required poses all but intractable problems. Software has allowed manufacturers to experiment with novel control concepts, for which the experience of conventional aircraft control gathered over the previous 90 years provides no clear guidance. This has led to unique engineering issues. For example, software encourages modal thinking, so that more and more features are "context-sensitive."
A Fokker F.100 provided a demonstration of such modality problems in November 1991: while landing at Chicago O'Hare, the crew was unable to apply the brakes. Both air/ground switches on its landing gear were stuck in the "air" position. Since the computers controlling the braking system believed the plane was still in the air, the crew was unable to use reverse thrust and, more controversially, also unable to use nosewheel steering or main-gear braking, services that would have been available on most other airliners in a similar situation.
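The F.100 incident is an instance of a general pattern: several safety-critical services gated on one computed mode, so a single stuck input removes all of them at once. The following is an added, constructed model (not code from the column, and not any manufacturer's braking logic) that puts the single-mode design beside a hardened variant in which each service is gated by the hazard of granting it in the wrong mode. The extra cues (wheel speed, radio altitude), the thresholds, and all names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    AIR = "air"
    GROUND = "ground"


@dataclass(frozen=True)
class Sensors:
    """Constructed sensor snapshot (assumed inputs, not a real avionics bus).
    wow_left/wow_right: the two gear air/ground (weight-on-wheels) switches.
    wheel_speed_kt, radio_alt_ft: assumed independent cues used by the hardened logic."""
    wow_left: Mode
    wow_right: Mode
    wheel_speed_kt: float
    radio_alt_ft: float


def mode_from_switches(s: Sensors) -> Mode:
    """Mode derived only from the switches: on the ground only if both say GROUND."""
    both_ground = s.wow_left is Mode.GROUND and s.wow_right is Mode.GROUND
    return Mode.GROUND if both_ground else Mode.AIR


def services_single_source(s: Sensors) -> dict:
    """Single-mode design: every ground service keys off one computed mode.
    A stuck switch therefore removes reverse thrust, steering and brakes together."""
    on_ground = mode_from_switches(s) is Mode.GROUND
    return {"reverse_thrust": on_ground,
            "nosewheel_steering": on_ground,
            "wheel_brakes": on_ground}


def services_cross_checked(s: Sensors) -> dict:
    """Hardened design (assumed, for illustration): gate each service by the
    hazard of granting it wrongly, not by a single shared mode.
    - Reverse thrust in flight is hazardous: require every cue to agree on GROUND.
    - Brakes and steering are what a rolling crew needs: grant them if ANY
      independent cue indicates GROUND, so one stuck sensor cannot remove them."""
    switches_ground = mode_from_switches(s) is Mode.GROUND
    rolling = s.wheel_speed_kt > 30.0      # assumed threshold
    near_ground = s.radio_alt_ft < 5.0     # assumed threshold
    any_ground = switches_ground or rolling or near_ground
    all_ground = switches_ground and rolling and near_ground
    return {"reverse_thrust": all_ground,
            "nosewheel_steering": any_ground,
            "wheel_brakes": any_ground}


def services_lost_to_mode_logic(s: Sensors) -> set:
    """Services the single-mode design denies that the cross-checked design grants."""
    single = services_single_source(s)
    checked = services_cross_checked(s)
    return {name for name, ok in checked.items() if ok and not single[name]}


# Constructed scenarios: the stuck-switch rollout described in the column,
# a normal rollout, and an aircraft genuinely airborne.
STUCK_SWITCHES_ON_RUNWAY = Sensors(Mode.AIR, Mode.AIR, wheel_speed_kt=120.0, radio_alt_ft=0.0)
NORMAL_ROLLOUT = Sensors(Mode.GROUND, Mode.GROUND, wheel_speed_kt=120.0, radio_alt_ft=0.0)
AIRBORNE = Sensors(Mode.AIR, Mode.AIR, wheel_speed_kt=0.0, radio_alt_ft=3000.0)

if __name__ == "__main__":
    for label, snap in [("stuck switches", STUCK_SWITCHES_ON_RUNWAY),
                        ("normal rollout", NORMAL_ROLLOUT),
                        ("airborne", AIRBORNE)]:
        print(label, "single:", services_single_source(snap),
              "cross-checked:", services_cross_checked(snap),
              "lost:", services_lost_to_mode_logic(snap))
```

The design choice worth noticing is that the hardened variant asks two different questions of the same sensors: "is it safe to grant this in flight?" for reverse thrust, and "is it safe to deny this on the ground?" for brakes and steering. The single-mode design collapses both questions into one computed state, which is exactly where a stuck switch becomes a common-mode failure.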
For further illustration, the flight control laws in use on the A320 have four distinct permutations, depending on the status of the five flight control computers. Three of these laws exist to accommodate individual component failures. In a conventional flight control system, by contrast, there is but one control law for all phases of flight.
The regulatory authorities are providing few direct standards for high-tech innovation. As opposed to conventional aircraft, where problems are generally well understood and the "rules" codified, much of the modern regulatory environment is guided by "collaborative" industry standards, which the regulators have generally approved as being sound: typically a manufacturer can select one of several which it will follow. On many issues, the position of the authorities is that they wish to encourage experimentation and innovation.
The state of the industry is more suggestive of the disarray of the 1920s than what one would expect in the 1990s. There are many instances of these emerging problems: Boeing and Airbus use different display color-coding schemes, not to mention completely different lexicons to describe systems with similar purposes. Even among systems that act similarly, there can be significant discrepancies, when one gets to the details. This can place tremendous demands on the training capacity of both airlines and the manufacturers--all of which affect the safety equation.
Title Annotation: Inside RISKS
Author: Dorsett, Robert D.
Publication: Communications of the ACM
Date: Feb 1, 1994