Aerosp. Sci. Technol. 5 (2001) 495–504 2001 Éditions scientifiques et médicales Elsevier SAS. All rights reserved S1270-9638(01)01126-9/FLA
Man-machine-interface in modern transport systems from an aviation safety perspective
Thomas W. Baberg
General Manager Flight Safety, Lufthansa, Germany
Received 9 March 2001; revised 18 October 2001
Abstract
The early long-range jets were operated by five cockpit crew members: Captain, Copilot, Flight Engineer, Navigator and Radio Operator. Nowadays even the big jets are flown by only two pilots. This development could only be achieved by introducing new technologies to the airline industry and automating aircraft systems. Thanks to the scientific progress made in the last decades, today's aircraft are most reliable, a fact which is clearly reflected by the accident statistics. Technical failures became more and more unlikely, and the reduction of manpower on the flight deck was more than compensated. However, starting in the late 80s a number of accidents occurred to highly automated aircraft, which alarmed accident investigators worldwide. In most of the cases automation was a factor or at least one link in the accident chain of events. The Federal Aviation Administration (FAA) launched a study on "The Interfaces Between Flight Crews and Modern Flight Deck Systems" and came up with numerous findings. In the following article I would like to discuss the topic 'Man-Machine Interface in Modern Transport Systems' from an aviation safety perspective.
Zusammenfassung (German abstract, translated)
The first long-range jets were flown by five cockpit crew members: Captain, Copilot, Flight Engineer, Navigator and Radio Operator. Nowadays even the wide-body jets are controlled by only two crew members. This development could only be achieved through the introduction of new technologies and the automation of aircraft systems. Through the scientific progress made in the last decades, today's aircraft have become highly reliable, a fact that is also clearly reflected in the accident statistics. Technical failure became ever more unlikely, and the reduction of cockpit crew members was thereby more than compensated. At the end of the 1980s a high number of highly automated aircraft crashed, which alarmed accident investigators worldwide. In most of these occurrences the automation was a factor or at least one link in the accident chain. The Federal Aviation Administration (FAA) commissioned the study "The Interfaces Between Flight Crews and Modern Flight Deck Systems" and reached numerous conclusions in it. In the following article I would like to consider the topic "Man-Machine Interface in Modern Transport Systems" from the perspective of flight safety.
1. Man is not designed to fly

Man is not made for flying and probably never will be. You might be surprised to hear this statement from an airline Captain with more than 15 000 flight hours. The dream to fly like an eagle and navigate like a bat is what it is: a dream. Icarus (figure 1) was the first aviator and at the same time the first victim of aviation. We are designed to live on the surface of the earth. There are other species which can hear better, run faster, see better, jump higher and farther, carry more weight in relation to their size, and some can fly. In addition to that, we are very fragile: being dropped from our own height of approximately 6 feet we might be badly injured if not dead. Blindfolded or in thick fog we lose orientation very quickly, even in our two-dimensional world. However, we have one organ which is superior (some may call it an undesirable development of evolution): the brain. Our brain enables us to invent, design and produce machines, which are used as tools to overcome our natural limitations. The moment the first machine was used, the problem of the man-machine interface was born.

E-mail address: [email protected] (T.W. Baberg).

Figure 1. Man is not designed to fly.
Figure 2. Basic (standby) instruments.
Figure 3. A320 standby instruments.
2. Basic (standby) instruments

The human being has no sense for speed. We perceive acceleration and deceleration, but we cannot tell whether we are flying at 280 km/h or at Mach 2, twice the speed of sound. Because speed is essential to produce lift, the Air Speed Indicator (ASI) was designed, which indicates the velocity of the aircraft in relation to the surrounding air mass. We also have no sense for height. Because this is another important parameter in aviation, the Altimeter (ALT) was invented. It basically works like a barometer. For navigation a Compass (COMP) is needed for directional control. It guides the aircraft along its lateral axis (figure 2). As mentioned before, especially under low visibility conditions our orientation is limited, even on the surface of the earth. But when it comes to flying in space under Instrument Meteorological Conditions (IMC), orientation is lost completely. The artificial horizon (HSI) provides information along the horizontal (pitch) and longitudinal (bank) axis. These four instruments, also known as basic instruments, are essential for flying an aircraft according to Instrument Flight Rules (IFR). Students training for an instrument rating learn to read, interpret, cross-check and rely on these indicators in order not to get fooled by their own senses. The phenomenon of vertigo is well known in the first stages of the training.
Even modern, highly computerised aircraft are equipped with these instruments in addition to their normal instrumentation; they are also called Standby Instruments (figure 3). The artificial horizon is connected to a separate electrical power source, in most cases to the hot battery bus. The altimeter and the airspeed indicator are supplied with air pressure by an independent pitot and static system. A higher degree of redundancy of vital information is thereby reached. In case of a total loss of all other systems, the Standby Instruments are the last resort to fly and save the airplane.

3. A long and stony road

From the first powered flight of the Wright Brothers in 1903 to a brand new B777 in the year 2000, aviation travelled a long and stony road (figure 4).
– In the early days flight controls were moved by levers, cables and cable drums. As aircraft grew bigger and control surfaces became more difficult to move, the Flettner rudder was invented. At the beginning of the jet age, hydraulically powered flight controls were introduced, still backed up by cables. To save weight, which is a permanent goal in aviation, the new generation of jets was fitted with hydraulically powered controls only. But this was not the end; to trade even more aircraft weight for payload, hydraulic pumps, cylinders and motors are now fitted directly to the flight controls and receive electrical signals directly from the cockpit. Therefore the new technology is called 'fly by wire'.
– The pioneers navigated solely by terrestrial means. During World War II the first steps in radio navigation were taken, and at the end of the war simple ground-based radar stations were available. Celestial navigation was adopted from sea navigation for long-range flights, and radio navigation was refined. The Inertial Reference System (IRS) was introduced on wide-body aircraft in the late 1960s and meant a remarkable step forward in accuracy and independence from ground-based stations. The system was further improved, is now called Inertial Navigation System (INS) and is still used today. A new milestone in this development is the Global Positioning System (GPS). With the GPS we are no longer talking about kilometres of accuracy, we are talking about metres. While INS and IRS are only certified for area navigation, the GPS may be used for approaches as well.
– The first power plants used on aircraft were piston engines, heavy and not very efficient. The turboprop was the successor but was limited to a certain speed, because the propeller tips reached the speed of sound and the propeller therefore lost its efficiency. In the late 1950s commercial jets such as the Coronado, B720 and DC-8 were equipped with the first generation of jet engines. A tremendous improvement has been made since then with the high-bypass engines of today. Fuel consumption, noise and air pollution were remarkably reduced. At the same time thrust was increased to an unexpected level using new materials and technologies.
– The first aviators used signs and lights for communication with ground stations. Radio telephony (RT) communication, first on HF and later on VHF, was implemented very quickly and is still in use today. VHF is limited to the quasi-optical range of about 250 to 300 nautical miles at an altitude of 33 000 feet. That is the reason we still have to use HF on long over-water flights, which is boring and does not contribute to flight safety. Satellite communication is available but seems to be too expensive for the aviation industry. So we concentrate on the non-verbal data link today.

Figure 4. A long and stony road.
Figure 5. Jet operational total losses 1958–1999.
4. Jet operational total losses 1958–1999

In this time frame 612 western-built jet aircraft in excess of 20 metric tons maximum take-off weight were lost in operational accidents (figure 5). 21 532 passengers and almost 2500 crew members were killed. If you include the non-operational total losses, such as training or test flights, war, terrorist (e.g. PAN AM at Lockerbie) or sabotage-related occurrences, the number increases to 777 aircraft. It has to be pointed out that jet aircraft below 20 tons, turboprops and eastern-built aircraft are not considered in this statistic. The overall loss rate between 1958 and 1999 is 15.0 aircraft per year. In the last 10 years we encountered 19.9 total losses per year. The average of the last 5 years is 20.0 jet aircraft destroyed. In 1999, 21 aircraft were lost.

4.1. World jet aircraft hours, sectors flown and fleet size

At the end of the year 1999, 13 849 western-built heavy jets were in service worldwide (figure 6). Traffic is growing at an average rate of approximately 6% per year. In 1999, 35.4 million hours and 19.7 million sectors (take-off and landing) were flown.

4.2. Total losses per million sectors (30 year period)

During the last 30 years, from 1970 to 1999, a significant improvement in the rate, i.e. aircraft lost per million sectors, has been achieved (figure 7). The average rate in this period was 1.60. In the first decade, 1970 to 1979, the rate was 2.02. In the following 10 years the rate dropped to 1.49, and in the 1990s the rate was lowered to 1.29. In 1999, 1.07 aircraft were lost per million sectors. This is definitely a positive trend. However, the rate seems to stabilise around 1 total loss per million sectors. Considering traffic growth, that means the number of total losses will almost double in the next decade, which probably will not be accepted by the public. A joint effort of manufacturers, regulatory authorities and operators is necessary to progressively lower the rate.

4.3. Total loss rates by aircraft type 1958–1999

According to their date of entry into service, jet transport aircraft are divided into four groups. First-generation jets such as the Comet, Caravelle, B707, DC-8 and so on are gathered in group one. The average loss rate of this group is 1.70 aircraft per million sectors (figure 8). 1.50 is the rate for the second-generation aircraft, including e.g. the early B737, DC-9 and F28. The rate is lowered to 0.89 in the third group, containing amongst others the DC-10 and A300. The modern generation of jets, also called glass cockpit aircraft, is the largest fleet and reached a rate of 0.63. This positive trend was achieved by progressive improvements in technology and design. The rate of the MD-11 (6.12) is statistically significant. In only 3 years 5 aircraft were lost, 3 of which were freighters. There are also various types of jets, e.g. Concorde, A330, A340, B777 and F70, which show a zero loss rate.¹

¹ Statistics are only until 1999.

Figure 6. World jet aircraft hours and sectors flown.
Figure 7. Total losses per million sectors (30 year period).

5. The cause of an accident

According to ICAO Annex 13, the authority of the country where the accident happened is responsible for the accident investigation. The findings of the investigation, the probable cause of the accident, the contributing factors and recommendations for improvement are published in an official report. In most cases manufacturers, authorities, operators and pilots' unions have different opinions about the probable cause (figure 9). The Safety Committee of IATA (SAC) [4] analyses all accidents at an early stage of the investigation. The Committee uses a different approach, asking what could have prevented the accident rather than what caused it. The results of this method are the various factors that create the accident chain of events. Normally 6–12 factors are identified which led to the accident. There are four main categories and several sub-categories of factors. The four main categories are environment (e.g. Air Traffic Control, weather), organisation (e.g. management, latent failures in the system), human and technical (figure 9). To clarify the method, the copper link/battery model is used. In this model the factors are copper rings linked to a battery. When the chain is complete a short circuit, in our case the accident, will happen. A missing link interrupts the chain. The model is also used for accident prevention: links which are identified and removed do prevent accidents.

Figure 8. Total loss rates by aircraft type 1958–1999.
Figure 9. Accident investigation according to ICAO Annex 13 – the copper link and battery model.

6. American Airlines flight 965

Let me give an example of an accident which shows some typical factors and is related to a man/machine interface problem. On 20 December 1995 American Airlines Flight 965 crashed near the city of Buga, approximately 20 nautical miles short of its destination (figure 10). The flight was on its way from Miami to Cali, Colombia. The accident happened in darkness at 21:41 EST. 151 passengers and 8 crew were aboard the B757. There were only 4 survivors. It turned out later that this was a typical CFIT (Controlled Flight Into Terrain) accident. CFIT means that a technically fully intact airplane in controlled flight collides inadvertently with the surface of the earth or with buildings. AA965 was inbound to Cali on a southerly heading. According to the prevailing wind the crew planned to pass over the airport and circle in a left turn to land on runway 01 in a northerly direction. Because the wind
was calm by now, the tower controller offered a straight-in approach to runway 19 for landing. At that time the aircraft was about 35 nautical miles north of the field. The crew accepted the clearance. Because the distance to touchdown was now much shorter than planned, the flight was too high and too fast. Power was reduced and speed brakes were extended, resulting in a high descent rate. The workload for the crew was remarkably high. Approach charts had to be changed, the Flight Management System (FMS) had to be reprogrammed and the approach had to be briefed. The controller now cleared AA965 to fly direct to ROZO, a radio beacon 2 nautical miles short of runway 19. As usual the Captain looked up the identification of ROZO, which was 'R', entered it in the FMS and executed the entry. However, 'R' was the wrong entry, because in the FMS database 'R' stands for a radio beacon near Bogota. Consequently the aircraft turned to the left, heading for Bogota. Due to the high workload the crew did not immediately recognise the turn. When they found out that something had gone wrong, the aircraft had already turned 90°. The Copilot turned the plane back to the right in order to regain the centreline; however, the aircraft was still descending into mountainous terrain. 11 seconds before impact the Ground Proximity Warning System (GPWS) went off, calling "Terrain, Terrain, Pull Up, Pull Up". The Copilot reacted immediately, applied full power and increased the pitch attitude to 30° nose up. The aircraft started to climb, but its performance was significantly reduced because the speed brakes were still extended. Flight 965 crashed only 200 feet below a mountain ridge.

The accident chain (figure 11):
– First of all, CFIT accidents do not happen during daylight and good visibility. At the time of the accident it was dark and hazy. One cannot remove this link but has to exercise extreme caution, especially at airports surrounded by high terrain.
– The second link is a clear violation of Standard Operating Procedures (SOP). Before executing a command in the FMS, its plausibility has to be checked. Had the Captain checked his entry before executing it, he would have noticed that the FMS was going to steer the airplane to the left, which makes no sense on a straight-in approach.
– According to American Airlines SOPs the pilot flying, in this case the Copilot, has to cross-check and confirm all entries in the FMS before execution, which was obviously not done due to the high workload.
– The fourth link is an organisational error by the manufacturer of the FMS database. Navigational aids are normally selected by entering their identification, as the Copilot did, and not by their name. ROZO was an exception to this rule.
– The situational awareness of the crew was not adequate. First of all they should have noticed that the aircraft was turning. Later, when they found out that they were several miles off track over mountainous terrain, the approach should have been abandoned instead of descending further.
– Cali airport is not equipped with radar. A radar controller might have picked up the deviation from the flight path and warned the crew.
– The aviation authorities also contributed one link to the accident chain. The distance between Bogota and Cali is roughly 150 nautical miles. It is not advisable to install two navigational aids with the same frequency and identification at such a close distance.
– In some planes the speed brake is retracted automatically when a certain amount of power is applied. The B757 has this function only in the Go-Around Mode.
– And finally, knowing this, the crew should have retracted the speed brake manually during the terrain avoidance manoeuvre.

Figure 10. American Airlines flight AA965, 20 December 1995.
Figure 11. The accident chain.

7. Areas of concern

7.1. Introduction of new technologies

Introducing new technologies always bears the risk of incidents and accidents. In the early 1960s, when the change from propeller-driven aircraft to jets was made, many accidents occurred. There had been cracks in the fuselage which led to a series of total losses. But handling the new type of aircraft was also difficult for the pilots. Jets fly almost twice as fast as propeller aircraft; things happen much faster. Because of its swept wing, a jet has completely different flight characteristics. Piston engines react immediately to throttle movement, and prop wash generates additional lift on the wing. Jet engines react much more slowly than piston engines. It can take up to 8 seconds until a selected power setting
is reached. That means, e.g., that during a descent with the engines at idle the jet will continue to descend for another 8 seconds after power is applied. The results were some landing accidents where the jet crashed short of the runway.

7.2. Hard/soft flight envelopes

It is no secret that there are two different philosophies concerning flight envelope protection. On this side of the North Atlantic the hard envelope is favoured. The design of the aircraft does not allow the pilot to exceed certain limits, e.g. bank or g-loads. On the other side of the North Atlantic the soft envelope is used. The pilot receives a warning when the flight envelope limit is reached, but he may exceed the limits if needed. A hard envelope may contribute to flight safety, but the problem is that the environmental influences and circumstances are so numerous and complex that it is impossible for the designer of the system to foresee all possible situations. The hard envelope, which was designed as a safety feature, may turn into a trap for the pilots.

7.3. Erroneous indications

An erroneous oil pressure indication is not a big problem, but when the basic instruments show false indications the pilot may become confused. Two major accidents prove this very drastically. Birgenair lost a B757 because a pitot tube was blocked. The crew got a wrong airspeed indication, and the pilots became so disorientated that they stalled the airplane and crashed into the sea. The other case was the Aero Peru accident, where maintenance blocked the static ports with adhesive tape during maintenance actions. Because the tape was not removed before flight, the pilots ended up with wrong speed and altitude indications, and the aircraft also crashed into the ocean.

7.4. False and nuisance warnings

Most engine fire warnings are nuisance warnings. Hot air from a ruptured duct blows on the engine fire loop and generates a warning. The fire detection system is working properly as designed, but there is no fire. More problematic is a false (system failure) or nuisance (inherent in the system design) terrain warning of the GPWS, which requires immediate action by the pilots. In a survey we found out that 95% of the warnings were false or nuisance warnings. The problem is that the pilots lose confidence in the GPWS. In case of a genuine terrain warning they may react reluctantly or not at all.

7.5. Basic flying skills

Basic flying skills must be trained permanently in order to stay proficient. Use of the auto flight system changes
the pilot from a participant into an observer. However, in emergency situations the auto flight system might not be working any more, and the pilot has to depend on his basic flying skills under more difficult circumstances.

7.6. Design change versus procedure implementation

When a design failure of a system is detected, it should be corrected as soon as possible. The implementation of a procedure to cover the failure can only be a temporary solution. Otherwise, according to Murphy's law, someone will come someday and step into the trap. It is frustrating to see that there are numerous examples where flaws in a design were detected and the design was only changed after one or even more fatal crashes had happened.

7.7. Programming of the Flight Management System (FMS)

85% of the total losses happen during only 7% of the flight time, that is during take-off, initial climb, intermediate descent and landing. This is a well-known fact in the industry. Therefore several safeguards were established, e.g. the 10 000 feet rule. According to this rule no private conversation between the cockpit crew is allowed below 10 000 feet above ground level. The cabin crew is also instructed not to disturb the cockpit crew in that period, except in an emergency situation. The FMS is a helpful tool to manage flying. However, in case of a runway change offered below 10 000 feet, the crew has to change data in the FMS, which is a demanding task. The chances of becoming distracted in this critical flight phase are immense. The American Airlines case is a good example of that.

7.8. High accuracy of navigation

The GPS enables us to navigate with very high accuracy. The horizontal separation between flights can be reduced and more aircraft can use the same limited airspace. However, if there should be a mistake in vertical separation for whatever reason, opposite-direction traffic will unavoidably collide. Two years ago a TU-154 of the Luftwaffe and a C-141B of the USAF collided in Namibian airspace. Both aircraft were equipped with GPS. Recently two B747s almost collided over Urumchi. They missed each other by only 200 metres laterally. Fortunately only one aircraft was equipped with GPS.

7.9. Multiple data formats

Not very user-friendly but error-inviting are the 13 different standards to express 50° North and 30° West (figure 12). A worldwide industrial standard should be implemented.
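To make the point of this subsection concrete, here is an added example (my own code, not part of the original article) of what a single normalisation step looks like: a small parser that accepts several of the conventions in which one and the same fix is written and reduces all of them to one canonical form. The thirteen formats of figure 12 are not reproduced on this page, so the formats handled here (signed decimal degrees, hemisphere letter or word before or after the value, degrees-minutes, degrees-minutes-seconds with or without symbols, and packed DDMM/DDDMM and DDMMSS/DDDMMSS strings) are my own assumed set; the `Fix` class, the `parse_fix`, `canonical` and `normalise` functions and the ISO 6709-style output string are likewise choices made for this example, not anything from the article. The point the article makes is the one the parser enforces: ambiguity at the input boundary is where the error enters, so anything that cannot be interpreted unambiguously is rejected rather than guessed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Fix:
    """A geographical fix in signed decimal degrees (south and west are negative)."""
    lat: float
    lon: float


# Tokeniser: hemisphere words or letters, and signed numbers. Everything else
# (degree, minute and second symbols, commas, blanks) is treated as a separator.
_TOKEN = re.compile(r"NORTH|SOUTH|EAST|WEST|[NSEW]|[-+]?\d+(?:\.\d+)?")


def _unpack(digits: str) -> tuple[float, float, float]:
    """Split a packed DDMM[.m] / DDDMM[.m] / DDMMSS[.s] / DDDMMSS[.s] string into
    (degrees, minutes, seconds). A fraction belongs to the last component present."""
    whole, _, frac = digits.partition(".")
    fraction = float("0." + frac) if frac else 0.0
    if len(whole) in (4, 5):            # DDMM or DDDMM, fractional minutes
        return float(whole[:-2]), float(whole[-2:]) + fraction, 0.0
    if len(whole) in (6, 7):            # DDMMSS or DDDMMSS, fractional seconds
        return float(whole[:-4]), float(whole[-4:-2]), float(whole[-2:]) + fraction
    raise ValueError(f"cannot interpret packed coordinate {digits!r}")


def _to_degrees(nums: list[str], hemi: str | None) -> float:
    """One coordinate: up to three numeric parts plus an optional hemisphere letter."""
    if not 1 <= len(nums) <= 3:
        raise ValueError(f"expected 1 to 3 numeric parts, got {nums}")
    negative = nums[0].startswith("-")
    if negative and hemi is not None:
        raise ValueError(f"sign and hemisphere letter both given: {nums} {hemi}")
    first = nums[0].lstrip("+-")
    if len(nums) == 1 and len(first.partition(".")[0]) >= 4:
        deg, minutes, seconds = _unpack(first)          # packed convention
    else:
        parts = [first] + nums[1:] + ["0"] * (3 - len(nums))
        deg, minutes, seconds = (float(p) for p in parts)
    if not (0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError(f"minutes or seconds out of range in {nums}")
    value = deg + minutes / 60.0 + seconds / 3600.0
    return -value if negative or hemi in ("S", "W") else value


def parse_fix(text: str) -> Fix:
    """Parse one fix in any supported convention; raise ValueError on anything ambiguous."""
    groups: list[tuple[list[str], str | None]] = []   # (numeric parts, hemisphere letter)
    nums: list[str] = []
    pending: str | None = None
    for tok in _TOKEN.findall(text.upper()):
        if tok[0] in "NSEW":
            letter = tok[0]                 # NORTH -> N, WEST -> W, etc.
            if nums and pending is None:    # suffix letter, e.g. 50.0N
                groups.append((nums, letter))
                nums = []
            elif nums:                      # prefix of the next coordinate, e.g. N50 W030
                groups.append((nums, pending))
                nums, pending = [], letter
            elif pending is None:           # prefix letter, e.g. N50
                pending = letter
            else:
                raise ValueError(f"two hemisphere letters in a row in {text!r}")
        else:
            nums.append(tok)
    if pending is not None and not nums:
        raise ValueError(f"hemisphere letter without a value in {text!r}")
    if nums:
        groups.append((nums, pending))
    if not groups:
        raise ValueError(f"no coordinate found in {text!r}")

    if all(h is None for _, h in groups):
        # No hemisphere letters at all: signed numbers, latitude first, same number of parts each.
        parts = groups[0][0]
        if len(groups) != 1 or len(parts) not in (2, 4, 6):
            raise ValueError(f"without hemisphere letters give latitude then longitude: {text!r}")
        half = len(parts) // 2
        lat, lon = _to_degrees(parts[:half], None), _to_degrees(parts[half:], None)
    else:
        lats = [g for g in groups if g[1] in ("N", "S")]
        lons = [g for g in groups if g[1] in ("E", "W")]
        if len(groups) != 2 or len(lats) != 1 or len(lons) != 1:
            raise ValueError(f"need exactly one latitude and one longitude in {text!r}")
        lat, lon = _to_degrees(*lats[0]), _to_degrees(*lons[0])
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError(f"coordinate out of range: {lat}, {lon}")
    return Fix(lat, lon)


def canonical(fix: Fix) -> str:
    """One house format (ISO 6709 style): fixed width, sign always shown, decimal degrees."""
    return f"{fix.lat:+09.5f}{fix.lon:+010.5f}/"


def normalise(text: str) -> str:
    return canonical(parse_fix(text))


# Constructed spellings of the article's 50 degrees North, 30 degrees West.
SAMPLE_FORMS = [
    "50.0 -30.0", "50.0,-30.0", "N50.0 W030.0", "50.0N 030.0W", "N50 00.0 W030 00.0",
    "50°00'00\"N 030°00'00\"W", "5000N03000W", "500000N0300000W", "N5000.0 W03000.0",
    "50 NORTH 30 WEST", "W030 N50",
]

if __name__ == "__main__":
    for form in SAMPLE_FORMS:
        print(f"{form:28} -> {normalise(form)}")
```

Every entry of `SAMPLE_FORMS` normalises to `+50.00000-030.00000/`; two latitudes, a missing longitude, minutes of 60 or more, or a hemisphere letter combined with a sign all raise `ValueError` instead of producing a plausible-looking but wrong fix, which is the behaviour one wants at the boundary between a human entry and a flight management system.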
Figure 12. Various formatting conventions for a given geographical fix.
Figure 13. Autoflight system mode awareness.

7.10. Autoflight System Mode Awareness

For a safe autoflight operation it is necessary that the flight crew is fully aware in which mode the system is working and understands the capabilities of the different modes. This was relatively easy in the beginning of automation, when only a few modes were available and the modes were indicated on a separate electronic/mechanical indicator, here e.g. that of the B737-200 (figure 13, right side). In the B747-400 there are 9 pitch modes, 10 roll modes, 5 autothrottle modes and 6 autoland modes, and combinations of these (figure 13, left side). Each mode or combination has different functions, limitations and protections. The actual modes are displayed on a multifunctional screen together with many other digital and analogue indications. Mode changes are indicated for 10 seconds by a blinking frame. Some modes must be manually selected, others change automatically. In a high workload situation this may lead to data overload and mode confusion, especially when the pilots are under stress and encounter the phenomenon of tunnel vision. According to a joke, the most often heard sentence in a modern cockpit is: "Ah, what's this bastard doing now?" True or not, in any case it is a clear expression of mode confusion. When encountering an engine failure during take-off on a B747-400, the autoflight system steps through 11 mode changes (figure 14). An additional problem is the amount of digital indications. Everybody owning a digital clock knows the problem. The time on an analogue clock can be seen at a glance; a digital display must be read (figure 15).

Figure 14. Mode changes during take-off and initial climb-out after encountering an engine failure at V1 (B744).
Figure 15. Left: digital display; right: analogue display.
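The Cali narrative in section 6 and the FMS remarks in 7.7 describe two defensive steps that were missing: resolving an identification against every database entry that carries it instead of taking the first hit, and checking the plausibility of a direct-to before executing it. The following Python block is an added example (mine, not code from the article, from any FMS vendor or from the FAA study) that models both steps. The navaid database, the positions in it and the aircraft position are constructed placeholders chosen so that one 'R' lies a few miles ahead on a southerly track and the other lies far to the east; they are not real coordinates. The `Navaid`, `first_match`, `resolve`, `check_direct_to` and `propose_direct_to` names and the 30-degree turn threshold are assumptions of the example.

```python
import math
from dataclasses import dataclass

NM_PER_RADIAN = 3440.065   # mean Earth radius expressed in nautical miles


@dataclass(frozen=True)
class Navaid:
    ident: str   # the short identification a pilot types into the FMS
    name: str    # the spelled-out name printed on the approach chart
    lat: float
    lon: float


# Constructed database (placeholder positions, not real navaid coordinates). Two entries
# share the identification "R", and the Bogota-area one is stored first: that is the trap
# described in the Cali narrative, because a first-hit lookup never sees the second entry.
NAVAIDS = [
    Navaid("R", "BOGOTA AREA BEACON (constructed)", 4.70, -74.10),
    Navaid("R", "ROZO (constructed position)", 3.63, -76.40),
    Navaid("CLO", "CALI VOR (constructed)", 3.55, -76.38),
]


def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles (haversine)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2.0 * NM_PER_RADIAN * math.asin(math.sqrt(a))


def bearing_deg(lat1, lon1, lat2, lon2):
    """Initial great-circle bearing from point 1 to point 2, degrees true in [0, 360)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    x = math.sin(dl) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return math.degrees(math.atan2(x, y)) % 360.0


def turn_required(track_deg, bearing):
    """Signed heading change from the current track to a bearing: negative means a left turn."""
    return (bearing - track_deg + 540.0) % 360.0 - 180.0


def first_match(ident):
    """The unsafe lookup: whatever the database happens to list first for this identification."""
    return next((n for n in NAVAIDS if n.ident == ident), None)


def resolve(ident, lat, lon):
    """Every navaid carrying this identification, nearest first, so the crew chooses by name."""
    hits = [n for n in NAVAIDS if n.ident == ident]
    return sorted(hits, key=lambda n: distance_nm(lat, lon, n.lat, n.lon))


@dataclass(frozen=True)
class DirectToCheck:
    navaid: Navaid
    distance_nm: float
    turn_deg: float
    plausible: bool


def check_direct_to(navaid, lat, lon, track_deg, max_turn_deg=30.0):
    """Plausibility check before execution: a direct-to that needs a large turn away from
    the present track is flagged for the crew rather than flown silently."""
    brg = bearing_deg(lat, lon, navaid.lat, navaid.lon)
    turn = turn_required(track_deg, brg)
    dist = distance_nm(lat, lon, navaid.lat, navaid.lon)
    return DirectToCheck(navaid, dist, turn, abs(turn) <= max_turn_deg)


def propose_direct_to(ident, lat, lon, track_deg):
    """Hardened entry flow: return every candidate with its check instead of executing the first hit."""
    candidates = resolve(ident, lat, lon)
    if not candidates:
        raise ValueError(f"unknown identification {ident!r}")
    return [check_direct_to(n, lat, lon, track_deg) for n in candidates]


if __name__ == "__main__":
    # Constructed situation: about 33 NM north of the field, tracking 180 on a straight-in.
    LAT, LON, TRACK = 4.18, -76.40, 180.0
    print("first hit for R  :", first_match("R").name)
    for c in propose_direct_to("R", LAT, LON, TRACK):
        flag = "plausible" if c.plausible else "CHECK: large turn off track"
        print(f"{c.navaid.name:36} {c.distance_nm:6.1f} NM  turn {c.turn_deg:+7.1f} deg  {flag}")
```

With the constructed positions, `first_match("R")` returns the Bogota-area entry, whereas `propose_direct_to` lists the nearby one first and marks the far one as requiring a turn of roughly 100 degrees to the left, which is exactly the cue the second link of the accident chain says a plausibility check would have given before execution. The same two checks, ordering by distance and flagging a large heading change, are what a pilot-flying cross-check (the third link) amounts to when written down.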
8. Principles to improve flight safety²

– Minimize human error. It is impossible to prevent all human error without removing the human flexibility and adaptability that contributes significantly to safety. Moreover, it is the negative consequences of error that we wish to eliminate, not necessarily the errors themselves. However, it is still desirable to minimize errors that are design or system induced.
– Increase error tolerance. The systems should be designed to aid the flight crew to detect errors when they occur. Also, the systems should be designed such that errors that do occur have bounds on the undesirable consequences that result.
– Avoid excess complexity as perceived by the users. The systems should be designed to support the flight crew, and should not be perceived as unnecessarily complex.
– Increase system observability, especially by improving system feedback.
– Evaluate new technology or operational changes introduced in the aviation system, especially the flight deck, for their effect on human performance.
– Invest in human expertise. This investment should include flight crews, designers, operators, regulators, and researchers. We want to reinforce and strengthen the human contribution to safety in a proactive, rather than reactive, way.
– The Team recognizes the economic pressures that inhibit making changes that may increase safety when there is not a strong tie to an accident. However, we believe that if action is not taken soon, the vulnerabilities identified have the potential to lead to more accidents and serious incidents.

² From [3].

9. Conclusions

Without any doubt automation has not only contributed to a higher degree of safety in aviation; it also reduces routine cockpit workload, enables us e.g. to perform low visibility CAT III approaches and, last but not least, to operate more economically. However, these advantages are not without problems. Despite its extreme reliability, automation can still fail and will fail. Because this will happen very seldom, it will come as an unexpected, sudden surprise to the crew. In addition, the interconnection of different automated systems leads to enormous complexity and a flood of information, which may leave the crew in uncertainty about their real problem. This was already addressed by John Lauber years ago, at that time a member of the National Transportation Safety Board (NTSB), when he stated: "Some of the new technology has resulted in the creation of new opportunities for entirely new categories of human error". The solution to this problem is to keep the crew in the loop by ergonomically designed systems, training and adequate standard operating procedures (SOP). The myth that modern aircraft permit the employment of less qualified and less trained pilots was already destroyed years ago by accidents and incidents. Experience shows that the contrary is the case: "A well trained flight crew provides the best opportunity to prevent accidents designers can not anticipate" (Dr. Curtis Graeber, Human Factors Specialist). From a flight safety perspective the following four requirements for future flight deck automation design should be fulfilled, in addition to the principles cited from the FAA study:
– human flexibility and capacity must not be restricted;
– human limitations must be respected;
– system reactions must be foreseeable and easy to understand; and
– the aircraft must be fully controllable when automation fails.
In other words, fly the "Human Centered Approach" because: "Man is not as good as a black box for certain specific things; however, he is more flexible and reliable. He is easily maintained and can be reproduced by relatively unskilled labor" (WG CDR H.P. Ruffel Smith, RAF).

References

[1] Allied Signal, Flight into Terrain, Don Bateman, Annual Edition, 1999.
[2] Data from Airclaims Ltd., London, 1999.
[3] FAA, The Interfaces Between Flight Crews and Modern Flight Deck Systems, 18 June 1996.
[4] IATA, Jet Safety Report, 1999.