Category: Aviation safety

Artificial intelligence and «Zero Day» events

THE USE OF ARTIFICIAL INTELLIGENCE IN AVIATION

With the arrival of a new generation of digital assistants such as ChatGPT or Bard, artificial intelligence has gained a popularity it did not have before; its use, now widespread, has dazzled some, and there is already talk of the next step, AGI (Artificial General Intelligence), as an evolution capable of learning autonomously about anything.

The turning point or, if you prefer, the exit from the so-called AI winter, which spanned the 1980s and much of the 1990s, comes neither with Deep Blue, the machine that defeated Kasparov in 1998, nor with the recent ChatGPT; it comes with Alpha Zero, the successor of the AlphaGo that defeated the world Go champion, and with strong differences from its predecessor:

The fundamental difference is that AlphaGo, in addition to the rules of the game, was given an enormous amount of information about positions and games played by humans; Alpha Zero, by contrast, was given the rules, a specific instruction to win the game, and a learning algorithm. With these resources, Alpha Zero began playing against itself and generating a number of possible positions inaccessible to human learning. The result? The apprentice Alpha Zero consistently defeated the expert AlphaGo; the process was repeated with different games and the outcome was always the same. It can be said that a new era for artificial intelligence was born at that moment.

Attempts have often been made to extrapolate this result to other domains, as happened with Watson, a system capable of beating humans in the general-knowledge quiz show Jeopardy!, which failed spectacularly when it was believed that its "general knowledge" could be applied to tasks such as medical diagnosis. Applications such as chess or Go are the ideal terrain for artificial intelligence: invariable rules, closed environments, and a virtually infinite number of combinations. There is little doubt about its usefulness in this kind of environment and its ability to far surpass human intelligence.

However, things change a great deal when one tries to apply artificial intelligence to open environments in which an error can have consequences of significant magnitude. This is aggravated when it is not possible to follow the logic of a system that is completely opaque to its user and that, occasionally, can act in ways that are not merely suboptimal but openly absurd.

As Marcus and Davis[1] say, "A neural network that learns a particular task might score, say, 95 percent correct on some test. But then what? It's often very difficult to figure out why the network is making mistakes on the other 5 percent, even when some of those mistakes are dramatic errors that no human would ever make, like the confusion…between a refrigerator and a parking sign. And if those mistakes matter and we can't understand why the system is making them, we have a problem".

Indeed, we have a problem. When the system gives an absurd answer, not only is it useless or dangerous, but nobody knows how it arrived at it, and it is probably unable to offer viable alternatives, owing to an aspect that usually receives little attention and yet is the key that should counsel great caution in its use in critical environments such as aviation:

Artificial intelligence has a strict separation between learning and execution.

Put another way: while it is learning, it is modifying its algorithms and accumulating anticipated situations; while it is working, it is not improving the algorithms but, at most, storing situations to be used in a future learning process that will give rise to a new, improved version.

In aviation, artificial intelligence meets significant opposition in various activities where an error can have serious consequences, as is the case for pilots or controllers. However, it is striking that there is widespread ignorance of the fact that artificial intelligence has ALREADY been there for some time.

For example, a Boeing 787 is said to carry about 10 million lines of code. Does anyone believe those lines of code were written by an army of programmers working in the style of Crimson Permanent Assurance? They were not.

Most of the code has been produced by learning algorithms that were given objectives, generated the corresponding lines of code and, once their operation was verified, were loaded onto the aircraft. The improvement from one version to the next comes from adding all the operational experience of aircraft in flight, generating new solutions, correcting faults… and producing a new version that is loaded onto those same aircraft.

Has something been lost along the way? Certainly: the characteristic noted above, whereby the system that learns does not execute and the system that executes does not learn. That is precisely one of the most typical features of artificial intelligence: a system designed to learn produces solutions that handle execution; execution feeds back into the learning system which, in turn, produces a new solution, and the cycle repeats indefinitely.

As an example, the by now ubiquitous ChatGPT relies on a database closed in 2021; anything after that date simply does not exist. It is to be expected that at some point it will be updated and the range of solutions broadened, but there will still be a separation between learning and execution. Google's AI model, Bard, has Internet access, but that neither guarantees that the separation between learning and execution does not exist nor that its criteria for selecting sources are not shaped by advertising or other interests.

Why does the separation between learning and execution matter? Very simply: the operational version of the system is no different from a complex system based on algorithms and automation. It is not "intelligent", in the sense that the learning capability is somewhere else and, if the situation we face is new and was not anticipated in the learning process (nothing unusual in highly dynamic environments), the system will be unable to provide an answer; it will make impossible demands for resources or enter a loop with no way of producing a response.

What is the reason for this arrangement? The system capable of learning is the "heavy" part of artificial intelligence in terms of processing capacity and access to information. It is inconceivable, for example, that such a system would be carried aboard an aircraft; however, the product of the learning is a system with a catalogue of solutions far larger than the one a human pilot acquires through training, and that product can indeed be carried on board. The downside is that this division means the system has no answer to an event not covered in the learning process, and it has no way of launching that process when faced with an unknown situation.

The human pilot, for their part, has no such separation between learning and execution; their "catalogue" of anticipated situations is much smaller but, faced with an unknown situation, they can resort to mental simulation and experimentation that lead to solving a problem, even a new one. The human pilot can resolve a situation whose solution they did not know when the flight began.

Many cases show that this learning/execution mechanism is not a mere hypothesis but has been used in events for which the pilot, at the moment of facing them, did not know the solution. Cases such as AA96, U232, US1549, QF32, AC143 and many others have shown that the conjunction of execution and learning in the human makes it possible to salvage situations considered unsalvageable because they were unknown when they arose. Today, this option is beyond the reach of artificial intelligence.

Manufacturers have frequently leaned towards an apparently viable solution: treating the pilot as an emergency resource for unforeseen situations which, as such, cannot be handled by the system.

Stuart Russell[2], co-author of the book that could be considered the Bible of artificial intelligence[3], pointed out that "handing control to the human when the vehicle is confused or out of its safe operating conditions simply doesn't work. When the car is driving itself, humans quickly become disengaged from the immediate driving circumstances and cannot regain context quickly enough to take over safely". Although Russell was talking about cars, the quote applies perfectly to aviation: a pilot sidelined by the system will lack the cues to understand what is happening and resolve it if they have previously been excluded from participating in the operation, or if that participation has been limited to executing elementary procedures.

A good part of the cues for resolving an anomalous event can be found in how it developed, that is, what happened and in what order. If the pilot is absent from that development, an absence even promoted by design trends such as the dark cockpit, one cannot expect that, once the unexpected event occurs, the pilot will be able to handle it with any guarantee of success. Moreover, if they are unable to propose and execute an adequate solution under conditions that are far from optimal, one can expect the familiar "human error" stamp to be applied. Recall in this regard that cases such as the B737MAX, AF447 or XL888T were immediately attributed to this factor, ignoring, until it became unavoidable to confront them, the design elements that lay beneath that error, real in some cases and alleged in others.

Besides this limited capacity to handle an event whose development one has not witnessed, a solution that favours the technological element over the human removes steps needed for learning. The resulting experience would be impoverished, and we would find, in an amplified form, a situation like today's, in which pilots are encouraged to maintain manual flying skills while the opportunities to exercise them are progressively reduced.

Technological evolution, including the use of artificial intelligence, can help, but it is advisable to be very aware of both its limitations and the needs of the human pilot if the aim really is for the pilot to remain in control in normal and abnormal situations. The old idea of using the pilot as the system's fuse, which prevents damage to the system at the cost of burning itself out, has never worked, either functionally or ethically. Nor does it now.


[1] Marcus, G. and Davis, E., 2019. Rebooting AI: Building artificial intelligence we can trust. Vintage.

[2] Russell, S., 2019. Human compatible: Artificial intelligence and the problem of control. Penguin.

[3] Russell, S. and Norvig, P., 2010. Artificial intelligence: a modern approach.


A basic lesson in aviation safety: non-events are events.

A short while ago I published an analysis on whether or not it is advisable to have a single pilot during the cruise phase. Incidentally, I used as an example the AF447 case, in which the captain was out of the cockpit when the problems began and, although he diagnosed them correctly, did not have enough time to resolve them.

Someone, in a friendly tone, criticised my choice of example since, in that case, it was not exactly a single-pilot crew but, quite the contrary, an augmented crew, and therefore the argument might not be valid.

The criticism has merit, especially if we consider that, had there been a single pilot and had it been precisely the one who clearly perceived the situation, the accident might perhaps not have happened.

Possibly, but there is no guarantee that this would have been the outcome: a crew of two expert pilots may find itself in a problem-solving situation; the ideas of one feed those of the other and, perhaps, from that process a solution might emerge that neither of them would have thought of individually. After all, the whole practice of CRM is founded on this process and on how to manage it as well as possible.

We can give reasons that make it inadvisable to leave a single pilot alone in the cockpit with the hypothetical support of an information system more advanced than today's; one of them, fundamental and clearly perceptible, is the appearance of a rapidly developing event that may require the contribution of at least two people, but… there are no data. Why are there no data?

This is where we have to address the fact that a non-event is an event: an accident is a dramatic, highly visible event. A situation that gives rise to a serious incident may gain visibility through reporting systems (if it is reported), but how many situations never get reported because the pilots simply perceive an anomaly and, in looking for its origin, find a problem capable of generating a serious one?

That is where the non-events are; being invisible, they do not enter the decision-making process and are simply ignored. Perhaps the effort should be made to give non-events visibility so that they are taken into account.

There are excellent reporting systems, such as the ASRS, but by their very nature they are not geared to regulatory decisions such as whether or not to allow an aircraft at cruise altitude to have only one pilot in the cockpit.

Projects such as EASA's eMCO are aimed at carrying out various analyses leading to a final conclusion on whether or not this practice is advisable but, however much academic wisdom is poured into these projects, they will still lack data, and yet these data would be very easy to obtain. All it would take is an effort by the professionals involved in the matter:

Aviation has distinguished itself by having a set of specific information and management tools for almost anything imaginable: FDM, OBM, LOFT, LOSA, reporting systems, individualised tracking of critical aircraft components, medical examinations, psychological support groups…

However, in all that mass of information there is still something missing that would be critical for accepting or rejecting a decision as important as having a single pilot in cruise:

A database of non-events, that is, the detection of weak signals or non-signals in which the trigger for a problem-solving process is precisely that there is no trigger and which, nonetheless, may have the potential to develop rapidly into a critical situation, avoided through collaboration between the two pilots in the cockpit.

This is not about "playing the spoiler" but about making sure that highly relevant data are taken into account when a final decision is made. For that, however, several things would be needed:

  1. The most obvious: collecting information on cases with that profile: weak signals or non-signals with the potential to develop into critical situations requiring the intervention of both pilots.
  2. Evaluating the reports received, establishing whether they meet the required conditions and whether they could be handled with technological support.
  3. Using the data in the corresponding discussion with regulators.

A final point is the need to require that there be no cheating from the technological side. "Cheating" here would mean using the reported events to add them one by one to the system that would supposedly support the single pilot.

We might ask whether that is really cheating or simply a perfectly legitimate form of technological learning; in that case the answer would be simple and clear: it is cheating. Why?

Simply because these are uncommon, unforeseen situations; as they are reported they can be introduced into a system as "foreseen", but there will still be many more that may arise and will not be among those foreseen.

The human pilot (any human) has as an intrinsic characteristic the ability to perceive a whole environment and, in doing so, a weak signal or an absence of signal will lead them into a problem-solving process. A system, however advanced, does not have that capacity and is limited to foreseen situations: feeding it the results of a reporting system intended to evaluate whether or not to have a single pilot in cruise helps to disguise, but not to eliminate, a simple fact:

Technology can perform tasks (some of them with more precision than humans and without fatigue) but still lacks common sense and the ability to respond to unforeseen situations. Humans, on the other hand, can resolve situations that were not in their personal «database».


These facts should be enough to make us extremely careful when deciding where technology will play an important role.

Is one pilot enough at cruise altitude?

Let me begin with an autobiographical note: before moving fully into the human factors field, back in the early 2000s, I worked in human resources and, among other things, was responsible for staffing analysis, planning and sizing.

A very common standard in staffing planning is 80%, that is, considering that if 80% of the working day is spent on the tasks proper to the job, the staff is correctly sized. It is a standard with many exceptions, one of them linked to irregularity in the flow of tasks. Could we conceive of a fire brigade sized so that 80% of its time is spent putting out fires? Or a police force sized so that 80% of its time is spent arresting criminals? Obviously such staffs would be under-resourced, since they would have no capacity to handle a peak in workload.

And pilots? It is curious that the suggestion of having only one pilot at cruise altitude appears precisely at a time when there is an attempt to treat the pilot as an emergency resource, leaving the flight, as far as possible, in the hands of technology.

Let us then follow the logic of treating the pilot's job as one whose justification during the cruise phase lies largely in attending to possible emergencies: their workload is very high on the ground or near the ground, whereas in cruise this workload normally drops a great deal, but… let us underline "normally". A search for critical events in cruise in the ASRS database returns 5,553 crisis situations, as the figure at the beginning shows.

Let us add that a serious event in aviation can develop in an extremely short time and its management may require the full attention of at least two people.

Various events have shown that two people are an absolute minimum which, in some cases, may be exceeded. Consider cases such as Swissair 111, where an on-board fire forced the crew to prepare a diversion to a nearby, unfamiliar airport, search for radio frequencies and approach routes, dump fuel to reduce the aircraft's weight and, on top of that, see whether there was any way of putting out the fire. There was not. Would things have been different with one more person? Impossible to know.

Other, luckier cases such as AC143, QF32 or U232 tell us that, in a phase of flight where the workload is usually low, situations can arise that need more than two qualified hands to handle them, that is, exactly the same situation as police officers, firefighters or any other profession that, by its nature, deals with emergencies.

The promoters of the single-pilot-in-cruise idea justify it by the shortage of pilots and reassure the public by talking about advanced technological support for that single pilot. Can the logic of shortage be used to reduce the number of pilots on board from one to none?

As for technological support, it has an interesting peculiarity reflected in an old joke: some define a banker as a gentleman who lends us an umbrella and, when it starts to rain, asks for it back. In the same way, technology usually makes tasks easier when they are already easy to begin with, and can become an added problem when the situation is difficult and it does not allow actions that would be necessary, or behaves anomalously.

The popularisation of artificial intelligence is just one more turn of the screw in a situation where these effects were already occurring. With or without artificial intelligence, though more so when it is present, systems can behave strangely as a result of their programming and, when such behaviour appears, instead of making the human pilot's tasks easier it adds a new one that is not exactly minor.

-When an alarm stops sounding because the aircraft is at such a low speed that the system interprets it as being on the ground, it is adding confusion.

-When it interprets a low pass as a landing and cuts the power, it is adding confusion.

-When, very close to the ground, the system reacts to a stall warning and forces the nose of the aircraft down, it is causing an accident.

-When it interprets an approach as an overflight of an airport and erases all the data of the programmed approach, it is adding workload.

-When the terrain features of an airport force the pilots to "fool" the system to make a landing on a short runway feasible, it can produce unforeseen reactions…

It must not be forgotten that information systems lack common sense, and leaving a single pilot in their hands, as an alternative to a discussion between experts about an unknown situation and the subsequent management of that situation, is not something that reassures or represents a guarantee of safety.

It may be argued that there is another pilot inside the aircraft and that, under this model, all that is being avoided is carrying augmented crews. So be it, but in that case let me recall an event, AF447: the captain was out of the cockpit and, when he returned, he found a situation so unmanageable that, even when he was able to diagnose correctly what was happening, it was already too late to recover the aircraft. An occurrence that should never have gone very far (the icing of a sensor) caused anomalous reactions in the system, and these completely confused the pilots who were in the cockpit; when someone with more experience entered it, his greater knowledge was not accompanied by the time that would have been needed to solve the problem.

The last issue is the most obvious: what happens in the event of incapacitation? Are they going to use practices like the railways' "dead man's pedal"? It did not work in the Waterfall case in Australia and might not work in an aircraft, where an event can quickly reach the level that makes it unmanageable. On the other hand, how is the idea of a single pilot at cruise altitude reconciled with the rule that the pilot should not be left alone in the cockpit, introduced after the Germanwings 9525 case? Must they be accompanied by a cabin crew member? Does it not make more sense for them to be accompanied by someone who, in an emergency, can help to assess and resolve it when, if it is serious, it will require the involvement of both?

Aviation: The other war

Published on LinkedIn (the original post was followed by a Spanish translation)

Nowadays, it is easy to recognize the two dominant powers among aviation manufacturers: Airbus and Boeing. However, these manufacturers have two powerful partners that are decisive in shaping the global aviation landscape: the European and North American regulators, EASA and FAA.

The relationship between the two regulators has always been one of collaboration, not without some conflicts owing to support for "their" reference manufacturer, which may have led them in subtle ways to take sides in the market. However, anyone entering the aviation world knows that they must go through the certifications and audits of one or both of the world's two largest regulators.

That situation could be changing, slowly and probably intentionally, through a third player that does not seem to be in a hurry. The first indication of that change was the appearance of the Chinese manufacturer COMAC, which, taking advantage of the size of the Chinese domestic market, decided to manufacture an aircraft with no intention of certifying it for flight in world markets but simply for use on domestic flights (the ARJ21). This aircraft would serve the manufacturer to gain experience and, subsequently, to be able to compete with the major manufacturers with its C919 model.

Airbus and Boeing, apparently at least, did not attach much importance to the first move, because of its restriction to the Chinese market, nor to the second, since technologically they found it to be a far inferior product to those manufactured by Airbus and Boeing. However, both manufacturers may be losing sight of something: perhaps it is not about competing with Airbus and Boeing but with FAA and EASA. In other words, CAAC (Civil Aviation Administration of China) might try to be the one setting global aviation standards in the near future.

In addition to COMAC's activity, in recent months there has been another move that, perhaps, has not been appreciated for its real significance, since it has been attributed to the political tensions between China and the USA: CAAC's refusal to certify the Boeing 737MAX as EASA and FAA had done.

Both EASA and FAA know that the 737MAX should never have been certified, at least under the type certificate for the Boeing 737 issued in 1967, and doing so revealed clear collusion between Boeing and the FAA. However, they faced a very difficult situation: if thousands of aircraft, including those already manufactured and those ordered by various airlines, were not allowed to fly, a crisis in the aviation market could be triggered with consequences difficult to calculate: Boeing's eventual bankruptcy could trigger the bankruptcy of many airlines holding aircraft they could not use and, in addition, the market would be undersupplied, since the other major manufacturer would not have the production capacity to fill the gap.

CAAC had fewer commitments, since it has a large domestic market and much greater control over it than is available to its FAA and EASA counterparts. Therefore, it simply denied authorization to fly the 737MAX and did not follow the big regulators in their compromise solution.

At this point, many countries that are not under the authority of EASA or FAA accept those regulators as their own references and simply adopt the regulations and standards issued by them. What would be the incentive to change their reference to CAAC? Let's go back to COMAC:

An aircraft certified to fly only in China under CAAC authority could automatically be cleared to fly also in countries that adopted CAAC as their reference authority. Africa, Central and South America, and large parts of Asia, where China has a strong influence, could look favorably on the ARJ21 for their domestic flights or for flights between countries that had also accepted CAAC as a reference.

The later model, the C919, has been built with the aim of being certified for worldwide use and, if this objective is achieved, its lower technological level could be more than compensated for by favorable pricing policies that would make it accessible both to those same markets that could be interested in the ARJ21 and to the low-cost segment of aviation in more developed countries.

The moves are slow but seem to have a clear direction, aimed at establishing the Chinese aviation authority as a world reference. The possibility of a contingency that could accelerate this process, such as a new serious event involving a 737MAX, cannot be excluded. If this were to happen, the performance and motives of the aviation authorities that are still the world reference would be called into question and, with that, the position of the third party in waiting would be strengthened.

The situation suggests that in the near future global aviation will be a matter not of two but of three and, in the long term, it remains to be seen who will prevail.


Los movimientos son lentos pero parecen tener una dirección clara, encaminada a establecer a la autoridad de aviación china como una referencia mundial. No puede excluirse la posibilidad de alguna contingencia que pueda acelerar ese proceso como, por ejemplo, un nuevo evento grave relacionado con un 737MAX. Si así ocurriera, quedarían en entredicho la actuación y los motivos de las aún autoridades de referencia mundial en aviación y, con ello, se favorecería la posición del tercero en espera.

La situación, vista en su conjunto, invita a pensar que en el próximo futuro la aviación mundial no será cosa de dos sino de tres y, en el largo plazo, está por definir cuál de los tres prevalecerá.

WHEN THE WORLD IS FASTER THAN ITS RULES

Anyone in touch with dynamic fields can observe this phenomenon: things move faster than the rules meant to control them. Hence, if the capacity to enforce them is very strong, old rules can stop progress. By the same token, if that capacity is weak, the rules are simply ignored and the world evolves along different paths.

The same fact can be observed in many different fields:

Three months ago, an article was titled "POR QUÉ ALBERT EINSTEIN NO PODRÍA SER PROFESOR EN ESPAÑA" (Why Albert Einstein could not be a professor in Spain) and, basically, the reason lay in a bureaucratic model tailored for the "average" teacher. This average teacher, right after graduating, starts a doctorate and enters a career path that will end with retirement from the University. External experience is not required and, very often, is not welcome.

His age, his publications and the length of his doctoral dissertation (17 pages) could have made it impossible for Einstein to teach in Spain. The "war for talent" means, in some environments, fighting talent wherever it can be found.

If we go to specific and fast-evolving fields, things can be worse:

Cybersecurity is a good example. There is a clear shortage of professionals in the field and it is worsening. The slowness in accepting an official curriculum means that, once a curriculum is accepted, it is already out of date. Then a diploma is not worth much and certification agencies are taking its place, requiring up-to-date knowledge both to obtain and to keep the certification.

Financial regulators? Companies are faster than regulators, and a single practice can appear as a savings plan, as an insurance product or as many other options. In derivatives markets, speed introduces parameters or practices, like high-frequency trading, that are hard to follow.

What about cryptocurrencies? They sidestep Government control and, still worse, they can break one of the easiest ways for States to raise funds. Governments would like to break them and, in a few weeks, the EU will have a new rule to "protect privacy" that could affect the blockchain process, key to the security of cryptocurrencies and... of many banking operations.

Aviation? The best-selling airplane in aviation history, the Boeing 737, was designed in 1964 and entered service in 1968. The latest versions of this plane lack some features that could be judged basic modifications, because the certification process is so long and expensive (and getting longer and more expensive) that Boeing prefers to stay attached to features designed more than 50 years ago.

In any of these fields, or many others that could be mentioned, the rules are not fulfilling their intended function, that is, to preserve functionality and, in the fields where it is required, safety as a part of functionality. Whether the rule can be ignored or is a heavy load to be dragged through development, it does not work.

We can laugh at the old "1865 Locomotive Act" with delicious rules such as this: The most draconian restrictions and speed limits were imposed by the 1865 act (the "Red Flag Act"), which required all road locomotives, which included automobiles, to travel at a maximum of 4 mph (6.4 km/h) in the country and 2 mph (3.2 km/h) in the city, as well as requiring a man carrying a red flag to walk in front of road vehicles hauling multiple wagons (Wikipedia).

However, things were evolving far more slowly in 1865 than now. Non-functional rules like that could be easily identified and removed before becoming a serious problem. That does not happen anymore. We try to get more efficient organizations and more efficient technology, but the architecture of the rules should be re-engineered too.

Perhaps the next revolution is not technological, even if it can be fueled by technology. It could be in the Law: the governing rules, not the specific rules but the process to create, modify, change or cancel rules, should be modified. Rules valid for a world already gone are as useful as a weather forecast for last week.

Useless diplomas, lost talent, uncontrolled or under-controlled new activities, or product designs where adapting to the rules is a major part of development cost and time all point to a single fact: the rules governing the world are unable to keep pace with the world itself.

Big Aviation is still a game of two players

And one of them, Airbus, is celebrating its birthday.

Years ago, three major players shared the market but, once McDonnell Douglas disappeared, big planes were made by one of two. Of course, we should not forget Antonov, whose An-225 is still the biggest plane in the world, some huge Tupolevs and the Lockheed TriStar, but the first ones never went beyond their home markets, while the Lockheed TriStar could be seen as a failed experiment by its manufacturer.

Airbus emphasizes its milestones in its timeline but, behind them, there is a flow marked by efficiency through the use of I.T.

Airbus was the first civilian aircraft manufacturer to have a big plane with a two-person cockpit (A310), and Airbus was the first civilian manufacturer to introduce fly-by-wire widely (the only previous exception was Concorde). Finally, Airbus introduced the commonality concept, allowing pilots to switch very quickly from one model to another while keeping the rating for both.

Boeing took a more conservative position: the B757 and B767 appeared with only two people in the cockpit after being redesigned to compete with the A310. Despite Boeing's greater experience in military aviation and, hence, in fly-by-wire technology, Boeing deferred for a long time the decision to include it in civilian planes and, finally, where Boeing lost the efficiency battle was when it showed up with a portfolio of mostly unrelated products while Airbus was immersed in its commonality model.

The only point where Boeing arrived first was in the use of twin-engine planes for transoceanic flights through the ETOPS policy. Paradoxically, the ones in the worst position were not Airbus but the two American companies building three-engine planes, McDonnell Douglas and Lockheed. That was the exception because, usually, Boeing was behind in the efficiency field.

Probably, and this is my personal bet, they will try to build a family starting with the B787. This plane should be for Boeing the equivalent of the A320, that is, the starter of a new generation sharing many features.

As proof of that more conservative position, Boeing kept some feedback cues that Airbus simply removed, for instance the feel of the flight controls or the feedback from the autopilot to the throttle levers. Nobody questioned whether this should be done, and it was offered as a commercial advantage instead of a safety feature since it was not compulsory... actually, the differences between both manufacturers, accepted by the regulators as features independent of safety, have been at the root of some events.

Small-size aviation is much more crowded and, right now, we have two newcomers from Russia and China (Sukhoi and Comac), including the possibility of an agreement between them to fight for the big-plane market.

Anyway, that is still in the future. Big Aviation is still a game of two contenders and every single step in that game has been driven by efficiency. Some of us would like understandability, in normal and abnormal conditions, to be among the priorities in future designs, whether they come from the present contenders or from any newcomer.

Published in my Linkedin profile

A comment about a good reading: Air Safety Investigators by Alan E. Diehl

Some books can be considered a privilege since they are an opportunity to look into an interesting mind. In this case it is the mind of someone who was professionally involved in many of the air accidents considered Human Factors (HF) milestones.

The author, Alan Diehl, has worked with the NTSB, the FAA and the U.S. Air Force. Everywhere, he tried to show that Human Factors had something important to say in investigations. Actually, I borrowed for my first sentence something that he repeats again and again: the idea of getting into the mind of the pilot to know why a decision was made.

Probably, we should establish a working hypothesis about the people involved in an accident: they were not dumb, not crazy and they were not trying to kill themselves. It would hold almost always.

Very often, as the author shows, major design and organizational flaws lie beneath the bad decision leading to an accident. He suffered some of these organizational flaws in his own career by being vetoed in places where he challenged the status quo.

One of the key cases, a turning point for his activity but, regretfully, not for aviation safety in military environments, happened after the Gulf War: two F-15s shot down two American helicopters over northern Iraq. Before that, he had tried to implement CRM principles in the U.S. Air Force. It was rejected by a high-ranking officer and, after the accident, they tried to avoid any mention of CRM issues.

Diehl suffered the consequences of disobeying the orders about it, as well as of whistle-blowing some bad safety-related practices in the Air Force. Even though those practices represented a big death toll, that did not bring a change.

As an interesting tip, almost at the end of the book, there is a short analysis of different reporting systems, how they were created and the relationships among them. Even though it does not pretend to be an important part of the book, it can be very clarifying for many people who get lost in the acronym soup.

However, the main and most important piece of the book is CRM-related: Diehl fought hard to get CRM established after a very well-known accident. It involved a United DC-8 in Portland, which crashed because it ran out of fuel while the captain was worried about the landing gear. That made him delay the landing beyond any reasonable expectation.

It is true that the Portland case was important, as were the Los Rodeos and Staines cases, as major events used as inputs for the definition of CRM practice. However, and this is a personal opinion, something could be lost regarding CRM: when Diehl had problems with the Air Force, he defended CRM from a functional point of view. His point, in short, was that we cannot accept the death toll that its absence was causing but... is the absence of CRM the real problem, or does it have much deeper roots?

CRM principles can be hard to apply in an environment where power distance is very high. Once there, you can decide whether a plane is a kind of bubble where this high power distance does not exist, or there is no such bubble and, as someone told me, "as a pilot I am in charge of the flight, but the real fact is that a plane is an extension of the barracks and the highest-ranking officer inside the plane is the real captain". Nothing to be surprised about if we look at the facts behind the air accident that decapitated the State in Poland. "Suggestions" by the Air Force chief are hard to ignore for a military pilot.

Diehl points out how, in many situations, pilots seem inclined to gamble with their lives instead of keeping to safety principles. Again, he is right, but it can be easily explained: suppose that the pilot of the flight that crashed with the Polish President and a large part of the country's leadership on board had rejected the "suggestion" and diverted to the alternate airport. Nothing would have happened except... the outcome of the other option is not visible, and everyone would find reasons to explain why the pilot should have landed where he tried to. His career would simply have been ruined because nobody would admit the real danger of the other option.

Once you decide, it is impossible to know the outcome of the alternative decision, and that makes pressure especially hard to resist. Then, even if restricted to the cockpit or to a full plane, CRM principles can be hard to apply in some organizations. Furthermore, as Diehl suggests in the book, you can extend CRM concepts well beyond the cockpit, trying to turn it into a change management program.

CRM, in civilian and military organizations, means a way of working, but we can find incompatibilities between CRM principles and the principles of the organizational culture. Management has to deal with these contradictions but, if the organizational culture is very strong, it will prevail and management will not deal with them. They will simply decide for the status quo, ignoring any other option.

Would CRM have saved the many lives lost because of its absence? Perhaps not. There is a paradox in approaches like CRM or, more recently, SMS: they work fine in places where they are less needed and they do not work in places where their implementation should be a matter of urgency. I am not trying to play with words but to state a single fact, and I would like to do so with an example:

Qantas, the Australian airline, has a highly regarded CRM program, and many people inside and outside that company would agree that CRM principles meant a real safety improvement for it. Nothing to object to, but let me show it in a different light:

Suppose for a moment that someone decides to remove all the CRM programs in the world because of... whatever. Once done, we can ask which companies would be most affected. Would Qantas be among them? Hard to answer, but probably not. Why?

CRM principles work precisely in the places where those principles were already working in the background. CRM then brings order and procedures to a previous situation that we could call "CRM without a CRM program", for instance a low power distance where the subordinate is willing to voice any safety concern. In that case, the improvement is clear. If we suddenly suppressed the program, the culture would keep those principles alive because they fitted with that culture from the very first moment, and before.

What happens when CRM principles go against the organizational culture? Let me put it briefly: make-up. They will accept CRM just as they accept SMS, since both are mandatory, but everyone inside the organization will know the truth. Will CRM save lives in these organizations, even if they are forced to implement it?

A recent event can answer that: the Asiana accident in San Francisco happened because the pilot flying did not dare to tell the captain supervising him that he was uncomfortable landing the plane manually (of course, as usual, many more factors were present, but this was one of them, and an extremely important one).

Diehl clearly advocates CRM and I believe he is right, with statistical information that speaks of a safety improvement. My point is that the improvement is not homogeneous and happens mainly in places that were already willing to accept CRM principles and were, in a non-structured way, already working with them.

CRM by itself does not have the power to change the organizational culture in places that reject its principles, and the approach should be different. A very good old book, The Critical Path to Corporate Renewal by Beer, Eisenstat and Spector, explains clearly why change programs do not work and shows a different way to get change in organizations that reject it.

Anyone trying to make a real change should flee from change programs even if we agree with the goals, because one-size-fits-all does not work. Some principles, like those behind CRM or SMS, are valid from a safety point of view but, even though everyone will pay lip service to the goals, many organizations will not accept the changes required to get there. That is still a hard challenge.

Published originally in my Linkedin profile

Air Safety and Hacker Frame of Mind

If we ask anyone what a hacker is, we could get answers ranging from cyberpiracy, cybercrime, cybersecurity... and any other cyber-thing. However, it is much more than that.

Hackers are classified by the "color of their hats". A white hat hacker is an individual devoted to security, a black hat hacker is a cybercriminal, and a grey hat hacker is something in between. That can be interesting as a curiosity but... what do they have in common? Furthermore, what do they have in common that can be relevant to air safety?

Simonyi, the creator of WYSIWYG, warned long ago about an abstraction scale that kept adding more and more steps. Speaking about Information Technology, that means that programmers do not program a machine; they instruct a program to make a program to be run by a machine. Higher programming levels mean a longer distance from the real thing and more steps between the human action and the machine action.

Of course, Simonyi warned of this as a potential problem while speaking about Information Technology but... Information Technology is now ubiquitous, and this problem can be found anywhere, including, of course, aviation.

We could say that any IT-intensive system has different layers, and the number of layers defines how advanced the system is. So far so good, if we assume that there is a perfect correspondence between layers, that is, that every layer is a symbolic representation of the one below and that representation is perfect. That would be all... but it is not.

Every information layer that we put over the real thing is not a perfect copy (that would be nonsense) but, instead, it tries to improve something in safety, efficiency or, very often, it claims to improve both. However, avoiding flaws in that process is almost impossible. That is where problems start and where hacker-type knowledge and frame of mind become highly desirable for a pilot.

The symbolic nature of IT-based systems makes their flaws hard to diagnose, since their behavior can be very different from that of mechanical or electrical systems. Hackers, good or bad, try to identify these flaws; that is, they are very conscious of this layered symbolic approach instead of assuming an enhanced but perfect representation of the reality below.

What does a hacker frame of mind mean as a way to improve safety? Let me show two examples:

  • From cinema: the movie "A Beautiful Mind", about John Nash and his mental health problems, shows at one point how and why he was able to control them: he was confusing reality and fiction until he found something that did not fit. It happened to be a little girl who, after many years, was still a little girl instead of an adult woman. That gave him the clue to know which part of his life was created by his own brain.
  • From air safety: a reflection taken from the book "QF32" by Richard de Crespigny: "Engine 4 was mounted to our extreme right. The fuselage separated Engine 4 from Engines 1 and 2. So how could shrapnel pass over or under the fuselage, then travel all that way and damage Engine 4? The answer is clear. It can't." Once there, a finding appears crystal-clear: information coming from the plane is not trustworthy because, in one of the IT layers, the correspondence between reality and representation has been lost.

Detecting these problems is not easy. It requires much more than operating knowledge and, at the same time, we know that nobody has full knowledge of the whole system, only partial knowledge. That partial knowledge should be enough to define key indicators, as happens in the examples above, to know when we are working with information that should not be trusted.
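As an added illustration of what such "key indicators" can look like when the cross-check is automated rather than left to the pilot, the following Python sketch is example code written for this edit; it is not code from the original post, from any aircraft system or from any manufacturer. It votes several redundant sources of one quantity and then tests the voted value against facts the symbolic layer cannot override: how fast a physical quantity can change, and how far it may diverge from an independent measurement of the same reality. The sensor names (ADC1..ADC3), tolerances and sample values are invented for the illustration.

```python
"""Cross-layer consistency checks for a symbolic data layer.

Added example, not from the original post or any real avionics. Idea: do not
trust a value only because several copies of it agree; vote the redundant
sources, then test the voted value against independent facts. Sensor names,
bounds and sample values below are invented.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass
class Verdict:
    trusted: bool
    value: Optional[float]                 # voted value, even when not trusted
    dissenting: List[str]                  # sources that disagree with the vote
    reasons: List[str] = field(default_factory=list)  # hard failures


def vote(readings: Dict[str, float], tolerance: float) -> Tuple[float, List[str]]:
    """Median vote over redundant sources.

    Returns the median and the sources further than `tolerance` from it. The
    median survives one wild value; with two wild values out of three it is
    still one of the readings, but only one source supports it, so the caller
    must check the agreement count separately.
    """
    m = median(readings.values())
    dissent = sorted(s for s, v in readings.items() if abs(v - m) > tolerance)
    return m, dissent


def check_airspeed(
    readings: Dict[str, float],
    prev_value: float,
    dt_s: float,
    ground_speed_kt: float,
    *,
    tolerance_kt: float = 10.0,     # invented: max spread among agreeing sources
    max_accel_kt_s: float = 5.0,    # invented: physical rate-of-change bound
    max_wind_kt: float = 150.0,     # invented: max |airspeed - ground speed|
) -> Verdict:
    """Decide whether the voted airspeed deserves trust.

    Three independent indicators:
    1. agreement: at least two sources must support the voted value;
    2. rate: a sensor can jump, an aircraft cannot, so the change since the
       previous sample is bounded;
    3. cross-check: airspeed (pitot-static) and ground speed (inertial/GPS)
       come from different layers and differ at most by the wind. The
       indicated/true airspeed distinction is ignored on purpose: this is a
       coarse plausibility bound, not a flight computer.
    """
    if not readings:
        return Verdict(False, None, [], ["no airspeed sources available"])

    value, dissent = vote(readings, tolerance_kt)
    reasons: List[str] = []

    if len(readings) - len(dissent) < 2:
        reasons.append(f"no two sources agree within {tolerance_kt} kt: {readings}")

    if dt_s > 0 and abs(value - prev_value) / dt_s > max_accel_kt_s:
        reasons.append(f"changed {abs(value - prev_value):.0f} kt in {dt_s} s, "
                       f"above the {max_accel_kt_s} kt/s physical bound")

    if abs(value - ground_speed_kt) > max_wind_kt:
        reasons.append(f"airspeed {value:.0f} kt vs ground speed {ground_speed_kt:.0f} kt "
                       f"implies {abs(value - ground_speed_kt):.0f} kt of wind, above {max_wind_kt} kt")

    return Verdict(trusted=not reasons, value=value, dissenting=dissent, reasons=reasons)


if __name__ == "__main__":
    # Constructed samples: a normal case, a case without majority, and a case
    # where all sources agree but the value is physically impossible (the
    # QF32-style situation: internally consistent, yet it cannot be true).
    samples = [
        ({"ADC1": 250.0, "ADC2": 252.0, "ADC3": 60.0}, 251.0, 1.0, 240.0),
        ({"ADC1": 250.0, "ADC2": 60.0, "ADC3": 300.0}, 251.0, 1.0, 240.0),
        ({"ADC1": 120.0, "ADC2": 121.0, "ADC3": 119.0}, 250.0, 1.0, 300.0),
    ]
    for readings, prev, dt, gs in samples:
        v = check_airspeed(readings, prev, dt, gs)
        print("TRUST" if v.trusted else "DISTRUST", v.value, v.dissenting, v.reasons)
```

The third sample is the interesting one: every source agrees, so a pure redundancy vote would accept the value, and only the rate and cross-layer bounds reveal that the representation has parted company with reality. The bounds themselves are the part that, as the post says, has to be chosen for the situation rather than fixed once.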

The hard part: the indicators should not be permanent but adapted to every situation, that is, the pilot should decide which indicator to use in situations not covered by procedures. That brings us to another issue: if a hacker frame of mind is positive for air safety, how do we create, nurture and train it? Let us look again at the process a hacker follows to become one:

First, hackers look actively for information. They do not go to formal courses expecting the information to be handed to them. Instead, they look for resources that let them increase their knowledge level. Applying this model to aviation would mean wide access to information sources beyond the information provided in formal courses.

Second, hacker training is more like military training than academic training, that is, they fight to intrude into or to defend a system, and they show their skills by opposing an active adversary. To replicate such a model, simulators should include situations that trainers can imagine. Their design should be much more flexible and, instead of simulators behaving as a plane is supposed to behave, they should have room to include potential situations arising from information misrepresentation or from automatic responses to defective sensors.

Asking for full knowledge of all the information layers and their potential pitfalls is utopian, since nobody has that kind of knowledge, including designers and engineers. Everybody has partial knowledge. Then, how can we do our best with this partial knowledge? By looking for a different frame of mind in the people involved, mainly pilots, and providing the information and training resources that allow that frame of mind to be created and developed. That could mean a fully new training model.

Published originally in my Linkedin profile

GermanWings revisited: A call for honesty

Perhaps it is worth analyzing what happened after the Germanwings crash. Some things happened immediately and others took some time to appear:

It was very surprising that, after a few hours, the NYT was able to question A320 safety and a pilot was able to say that the possible problem could be in the A320 systems. All of this happened a few hours after the crash, when nobody knew absolutely anything about what had happened or why.

Only a few days ago, I found another version: the problem was that Lubitz held an MPL license, a license type that has been heavily criticized from some sides.

I would like to make clear that I am among the people who criticized the Airbus approach to automation and the MPL license. I still hold that position on both issues, but these facts (personal positions, who pays your salary or the commitments of your organization) should never be an easy excuse to forfeit honest behavior.

Obviously, the Airbus approach to automation had no relationship with the crash. If someone wanted to speak about that a few hours after the event, it seems clear that the crash was used as an excuse to get an audience for their merchandise, related or not to the event.

Something similar happens with the MPL license. Some of us believe that, as an abstract idea, it could be good, but the implementation has some dark sides, like the development of real stick-and-rudder ability and the capacity to decide when nobody else is there to do it.

Lubitz held an MPL license but... he was also a very seasoned glider pilot. The MPL syllabus can be very centered on aircraft systems and Lubitz, unfortunately, showed that he knew how to use them. At the same time, the usual criticism of the MPL license would not apply, since stick-and-rudder skills are hard to dispute in someone who used to glide in the Alps.

Moreover... had Lubitz not been a real pilot (which he was) but a "system operator", it still would have no relation to the Germanwings crash.

We can speak about organizational failures, since a lot of unprocessed information had always been available and could have been used to avoid the crash, but using it to raise unrelated issues (Airbus automation policy, MPLs or many others) is basically dishonest and a lack of respect for both the people who died and the people who did their best in the subsequent investigation.

Concerns about some issues can be very legitimate. Using anything, including a crash with many casualties, as an excuse to raise them is not. That is why a call for honesty should be made regarding this case and, probably, many others.

Navigating Safety: Necessary Compromises and Trade-Offs: Theory and Practice by René Amalberti

Amalberti explains very clearly safety related concepts and, whatever the reader agrees with 100% of contents or not, it is worth to be read and discussed. He goes against some sacred cows in the safety field and his book should be analyzed very carefully. Especially, these three points should deserve a special analysis:

• People learn by doing instead of observing. Asking for a full Situational Awareness before doing anything could drive to serious accidents while the operator tries to get a full Situational Awareness.

• There are different safety models. Many markets and companies try to imitate ultra-safe models like the ones coming from Aviation and Nuclear Energy when, actually, these models should not work in other activities more expert-based than procedure-based.

• Trying to train someone for every single exceptional situation is not the safest option. People can try to explore limits instead of remaining in the safe environment.

People learn by doing instead of observing. True, and perhaps that is one of the motives that people are so bad at monitoring while some automation designs still insist precisely on that. However, Amalberti reaches a conclusión related with Situational Awareness that, in my opinion, could be wrong: For Amalberti, we should not ask for a full Situational Awareness before trying a solution because we could get paralyzed under critical situations with serious time constraints. Explained like that, it’s true and that should be the phenomenon known as paralysis because of analysis but something is missing:

Situational Awareness cannot be understood as a condition to be met in critical situations but as a flowing process. In high risk environments, design should guarantee that flow at a level that, once the emergency appears, getting a full picture of the situation is easy. If we put together this single principle with the first one by Amalberti, that is, that people learn by doing instead of observing, we could reach different conclusions:

1. Top level automation should be used only under exceptional situations, using as default levels others where human operators should learn and develop Situational Awareness by doing instead of observing.

2. Information Technology used in critical systems should be under-optimized, that is, instead of using the most efficient design in terms of technology use, the alternative option should be using the most efficient design in terms of keeping Situational Awareness. Some new planes keep Intel processors that are out of the market many years ago –for instance, B777 using Intel 486- and nothing happens. Why then should we try to extract all the juice from every programming line building systems impossible to be understood by users?

Different safety models with an out-of-context imitation of ultra-safe systems as Aviation or Nuclear Plants. This is another excellent point but, again, something could be missing: Evolution. I have to confess on this point that my Ph.D. thesis was precisely trying to do what Amalberti rejects, that is, applying the Air Safety model to Business Management field. Some years later, Ashgate published it under the name Improving Air Safety through Organizational Learning but “forgetting” the chapter where learning from Air Safety was applied to Business Management.

The first thing to be said is that, in general terms, Amalberti is right. We cannot bring –unless if we want it to work- all the procedural weight of a field like Air Safety to many other fields like, for instance, Surgery, where the individual can be much more important than the operating rules. However, the issue that could be lost here is Organizational Evolution. Some fields have evolved through ultra-safe models and they did so because of their own constraints without anyone trying to imitate an external model. Different activities, while looking for efficiency improvement, evolved towards tightly coupled organizations as Charles Perrow called them and that produced an unintended effect: Errors in efficient organizations are also efficient because they spread their effects by using the same organizational channels that normal operation. Otherwise, how could we explain cases like Baring Brothers where an unfaithful employee was enough to take the whole Bank down?

Summarizing, it’s true that we should not make an out-of-context imitation of ultra-safe models but, at the same time, we should analyze if the field whose safety we are analyzing should evolve to an ultra-safe model because it already became a tightly coupled organization.

Trying to train someone for every single exceptional situation is not the safest option: Again, we can agree in general terms. For instance, we know that, as a part of their job, pilots practice in simulators events that are not expect to appear in their whole professional life. Perhaps, asking them to practice recovery from upside down positions or from spins should be an invitation to get closer to these situations since they should feel themselves able to recover. The “hero pilot” time is over long ago but…

We have known in the past of wrong risk assessments where the supposedly low-probability event that should not require training, since it should not happen…happened. A well-known example is United 232, where three supposedly independent hydraulic systems failed at the same time, showing that they were not as independent as claimed. The pilot had previously practiced in a flight simulator the skills that turned a full crash into a crash landing, substantially reducing the number of casualties. A similar case is the Hudson River landing, where a dual engine failure was supposed to happen only above 20,000 feet…and the procedures developed for that scenario made the pilots lose precious time when the full loss of power happened far below that height.

However, rather than focusing on the various events that show a wrong risk assessment, and that could invite us to treat Amalberti’s idea with care (even though he clearly raises an important point there), there is a different kind of problem that has already been behind major accidents: faulty sensors feeding wrong information to computers, and the occupants of planes getting killed without the pilots having the faintest idea of what was going on. “Stamping” this kind of event as a “lack of training” would be a way of telling us something that is, at the same time, true and useless and, by the way, opposed to Amalberti’s principle.
Daniel Dennett used a comparison that can be relevant here, between military commands and intelligence agencies: commands are expected to react to unforeseen situations, and that means redundancy in resources and very substantial cross-training. On the other side, intelligence agencies work under the principle of “need-to-know”. Should we consider it a coincidence that this same “need-to-know” idea has been used by some aviation manufacturers in their rating courses? Should we really limit training to the foreseen events, or should we recognize that some events are very hard to foresee and that different approaches should be taken in design as well as in training?

Summarizing, this is an excellent book. Even if some of us cannot agree with every single point, the points deserve discussion, especially when it’s clear that those raised in the book come from a strong safety-related concept instead of politics or convenience inside regulators, operators or manufacturers.

I would not like to finish without a big thank you to my friend Jesús Villena, editor of this book in Spanish under the name “Construir la seguridad: Compromisos individuales y colectivos para afrontar los grandes riesgos”, because he introduced me to this book.
