
Aviation: The other war

Published on LinkedIn. A Spanish translation follows at the end.

Nowadays, it is easy to identify the two dominant powers among aviation manufacturers: Airbus and Boeing. However, these manufacturers have two powerful partners that are decisive in shaping the global aviation landscape: the European and North American regulators, EASA and the FAA.

The relationship between the two regulators has always been one of collaboration, though not without some conflicts arising from support for «their» reference manufacturer, which may have led them, in more or less subtle ways, to take sides in the market. However, anyone entering the aviation world knows that they must pass the certifications and audits of one or both of the world's two largest regulators.

That situation could be changing, slowly and probably deliberately, through a third player that does not seem to be in a hurry. The first indication of that change was the appearance of the Chinese manufacturer COMAC, which, taking advantage of the size of the Chinese domestic market, decided to build an aircraft (the ARJ21) with no intention of certifying it for world markets but simply for use on domestic flights. This aircraft would let the manufacturer gain experience and, later, compete with the major manufacturers with its C919 model.

Airbus and Boeing, apparently at least, did not attach much importance to the first move, because it was restricted to the Chinese market, nor to the second, since they judged it a product technologically far inferior to their own. However, both manufacturers may be losing sight of something: perhaps the point is not to compete with Airbus and Boeing but with the FAA and EASA. In other words, CAAC (the Civil Aviation Administration of China) might try to become the one setting global aviation standards in the near future.

In addition to COMAC's activity, another move in recent months has perhaps not been appreciated for its real significance, since it has been attributed to the political tensions between China and the USA: CAAC's refusal to follow EASA and the FAA in clearing the Boeing 737MAX to fly again.

Both EASA and the FAA know that the 737MAX should never have been certified, at least not under the type certificate for the Boeing 737 issued in 1967, and that doing so revealed clear collusion between Boeing and the FAA. However, they faced a very difficult situation: if the thousands of aircraft already manufactured or on order by various airlines were not allowed to fly, a crisis with consequences difficult to calculate could be triggered in the aviation market. Boeing's eventual bankruptcy could drag down many airlines left with aircraft they could not use and, in addition, the market would be undersupplied, since the other major manufacturer would not have the production capacity to fill the gap.

CAAC had fewer commitments, since it has a large domestic market and far greater control over it than its FAA and EASA counterparts have over theirs. Therefore, it simply denied the 737MAX authorization to fly and did not follow the big regulators in their compromise solution.
At this point, many countries that are not under the authority of EASA or FAA accept those regulators as their own references and simply adopt the regulations and standards coming from them. What would be the incentive to change their reference to CAAC? Let’s go back to COMAC:

An aircraft certified to fly only in China under CAAC authority could be automatically cleared to fly also in countries that adopted CAAC as their reference authority. Africa, Central, and South America, and large parts of Asia, where China has a strong influence, could look favorably on the ARJ21 for their domestic flights or for flights between countries that had also accepted CAAC as a reference.

The later model, C919, has been manufactured with the purpose of being certified for worldwide use and, if this objective is achieved, its lower technological level could be more than compensated by favorable pricing policies that would make it accessible both to those same markets that could be interested in the ARJ21 and to the low-cost segment of aviation in countries with a higher level of development.

The moves are slow but seem to have a clear direction: establishing the Chinese aviation authority as a world reference. The possibility of a contingency accelerating this process, such as a new serious event involving a 737MAX, cannot be excluded. If that were to happen, the performance and motives of the authorities that are still the world reference in aviation would be called into question and, with that, the position of the third party in waiting would be strengthened.

The situation suggests that in the near future, global aviation will not be a matter of two but of three and, in the long term, it is still to be defined who will prevail.

AVIACIÓN: LA OTRA GUERRA

A fecha de hoy, es fácil reconocer quiénes son las dos potencias dominantes entre los fabricantes de aviación: Airbus y Boeing. Sin embargo, estas dos potencias tienen dos poderosos asociados que son decisivos para configurar el panorama de la aviación mundial: los reguladores europeo y norteamericano EASA y FAA.

La relación entre ambos reguladores ha sido siempre de colaboración no exenta de algunos conflictos debido al apoyo a “su” fabricante de referencia que les puede haber llevado en formas más o menos sutiles a tomar partido en el mercado. Sin embargo, en términos generales, cualquiera que entre en el mundo de la aviación sabe que tiene que pasar por las certificaciones y las auditorías de uno o de los dos mayores reguladores mundiales.

Esa situación podría estar cambiando de una forma lenta y probablemente intencionada por parte de un tercer actor que no parece tener prisa: El primer indicio de ese cambio fue la aparición del fabricante chino COMAC: COMAC, aprovechando el tamaño del mercado interno chino, decidió fabricar un avión sin intención de certificarlo para su vuelo en los mercados mundiales sino, simplemente, para utilizarlo en vuelos interiores (ARJ21). Este avión le serviría al fabricante para ganar experiencia y, posteriormente, poder lanzarse a competir con los grandes fabricantes con su modelo C919.

Airbus y Boeing, aparentemente al menos, no dieron mayor importancia al primer movimiento por su restricción al mercado chino ni al segundo ya que, tecnológicamente, encontraban que era un producto muy inferior a los fabricados por Airbus y Boeing. Sin embargo, ambos fabricantes podrían estar perdiendo algo de vista: Tal vez no se trata de competir con Airbus y Boeing sino con FAA y EASA. En otros términos, CAAC (Civil Aviation Administration of China) podría intentar ser quien fije los estándares mundiales de aviación en el próximo futuro.

Además de la actividad de COMAC, en los últimos meses se ha producido otro movimiento que, tal vez, no ha sido valorado en su trascendencia real y se ha atribuido a las tensiones políticas entre China y USA: la negativa de la CAAC a certificar el Boeing 737MAX siguiendo a EASA y FAA.

 EASA y FAA saben muy bien que el 737MAX nunca se debió certificar, al menos bajo el certificado de tipo correspondiente al Boeing 737 emitido en 1967. Sin embargo, se encontraron con una situación de hecho con muy difícil salida: Si no se permitía volar a los miles de aviones ya fabricados más los pedidos por distintas aerolíneas, se podía desencadenar una crisis en el mercado de la aviación de consecuencias difíciles de calcular: La eventual bancarrota de Boeing podía arrastrar la bancarrota de muchas aerolíneas con aviones que no podían utilizar y, además, habría que contar con un mercado desabastecido, ya que el otro gran fabricante no tendría capacidad de producción para cubrir el hueco. CAAC tenía menos compromisos, puesto que tiene un gran mercado interno y un control sobre él mucho mayor que el accesible a sus equivalentes FAA y EASA. Por ello, simplemente, denegó la autorización para volar al 737MAX y no siguió a los grandes reguladores en su solución de compromiso.

En este momento, muchos países que no están bajo la autoridad de EASA o FAA aceptan a dichos reguladores como sus propias referencias y, simplemente, adoptan la normativa y estándares procedentes de éstos. ¿Cuál sería el incentivo para cambiar su referencia a la CAAC? Volvamos a COMAC:

Un avión certificado para volar sólo en China bajo la autoridad de la CAAC podría quedar automáticamente autorizado para volar también en países que adoptasen a la CAAC como su autoridad de referencia. Gran parte de África, de América Central y del Sur o de grandes zonas de Asia, donde China tiene una fuerte influencia, podía ver con buenos ojos al ARJ21 para sus vuelos internos o para vuelos entre países que hubieran aceptado también a la CAAC como referencia.

El modelo posterior, C919, ha sido fabricado con el propósito de ser certificado para su uso en todo el mundo y, si este objetivo se consigue, su menor nivel tecnológico podría ser sobradamente compensado mediante políticas favorables de precios que lo hicieran accesible tanto a esos mismos mercados que podrían tener interés en el ARJ21 como al segmento low-cost de la aviación en países con mayor nivel de desarrollo.

Los movimientos son lentos pero parecen tener una dirección clara, encaminada a establecer a la autoridad de aviación china como una referencia mundial. No puede excluirse la posibilidad de alguna contingencia que pueda acelerar ese proceso como, por ejemplo, un nuevo evento grave relacionado con un 737MAX. Si así ocurriera, quedarían en entredicho la actuación y los motivos de las aún autoridades de referencia mundial en aviación y, con ello, se favorecería la posición del tercero en espera.

La situación, vista en su conjunto, invita a pensar que en el próximo futuro la aviación mundial no será cosa de dos sino de tres y, en el largo plazo, está por definir cuál de los tres prevalecerá.

WHEN THE WORLD IS FASTER THAN ITS RULES

Anyone in touch with a dynamic field knows this phenomenon: things move faster than the rules intended to control them. Hence, if enforcement is very strong, old rules can stop progress. By the same token, if enforcement is weak, rules are simply ignored and the world evolves along different paths.

The same fact can be observed in many different fields:

Three months ago, an article titled "POR QUÉ ALBERT EINSTEIN NO PODRÍA SER PROFESOR EN ESPAÑA" (Why Albert Einstein could not be a professor in Spain) argued that, basically, the reason lies in a bureaucratic model tailored to the "average" professor. This average professor starts a doctorate right after graduating and enters a career path that will end with retirement from the university. External experience is not required and, very often, is not welcome.

His age, his publication record and the length of his doctoral dissertation (17 pages) would have made it impossible for Einstein to teach in Spain. In some environments, the war for talent seems to mean fighting talent wherever it can be found.

If we turn to specialized, fast-evolving fields, things can be worse:

Cybersecurity is a good example. There is a clear shortage of professionals in the field and it is worsening. Official curricula are approved so slowly that, by the time one is accepted, it is already out of date. A diploma is therefore not worth much, and certification agencies are taking its place, enforcing up-to-date knowledge both to obtain and to keep the certification.

Financial regulators? Companies are faster than regulators, and a single practice can be dressed up as a savings plan, an insurance product or many other options. In derivatives markets, speed introduces parameters and practices, such as high-frequency trading, that are hard to follow.

What about cryptocurrencies? They sidestep government control and, worse still, they can break one of the easiest ways for states to raise funds. Governments would like to rein them in and, in a few weeks, the EU will have a new rule to "protect privacy" that could affect the blockchain process, which is key to the security of cryptocurrencies and... many banking operations.
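As a toy illustration of why such a rule collides with the blockchain idea (a minimal sketch in Python, with made-up records and no real cryptocurrency format), each block below stores the hash of the previous one, so erasing or rewriting old data, as a literal "right to be forgotten" would demand, breaks every later link and is immediately detectable:

```python
# Minimal, illustrative hash chain - not any real blockchain implementation.
import hashlib, json

def block_hash(block: dict) -> str:
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def append_block(chain: list, data: str) -> None:
    prev = block_hash(chain[-1]) if chain else "0" * 64
    chain.append({"prev_hash": prev, "data": data})

def chain_is_valid(chain: list) -> bool:
    return all(chain[i]["prev_hash"] == block_hash(chain[i - 1]) for i in range(1, len(chain)))

chain: list = []
for record in ["tx-001", "tx-002", "tx-003"]:   # made-up records
    append_block(chain, record)

print(chain_is_valid(chain))   # True
chain[1]["data"] = "erased"    # a retroactive "privacy" edit
print(chain_is_valid(chain))   # False: the tampering is visible to everyone
```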

Aviation? The best-selling airplane in aviation history, the Boeing 737, was designed in 1964 and entered service in 1968. The latest versions of this plane lack features that could be considered basic modifications, because the certification process is so long and expensive (and getting longer and more expensive) that Boeing prefers to stay attached to features designed more than 50 years ago.

In any of these fields, and many others that could be mentioned, the rules are not fulfilling their intended function, that is, to preserve functionality and, where required, safety as part of that functionality. Whether a rule is simply ignored or becomes a heavy load to be dragged through development, it does not work.

We can laugh at the old 1865 Locomotive Act, with delightful rules such as this: "The most draconian restrictions and speed limits were imposed by the 1865 act (the «Red Flag Act»), which required all road locomotives, which included automobiles, to travel at a maximum of 4 mph (6.4 km/h) in the country and 2 mph (3.2 km/h) in the city, as well as requiring a man carrying a red flag to walk in front of road vehicles hauling multiple wagons" (Wikipedia).

However, in 1865 things evolved far more slowly than now. Dysfunctional rules like that could be identified and removed before they became a serious problem. That no longer happens. We strive for more efficient organizations and more efficient technology, but the architecture of the rules should be re-engineered too.

Perhaps the next revolution is not technological, even if it may be fueled by technology. It could be in the law: the governing rules, not the specific rules but the process to create, modify, change or cancel rules, should themselves be changed. Rules valid for a world already gone are as useful as a weather forecast for the past week.

Useless diplomas, lost talent, uncontrolled or under-controlled new activities, and product designs where adaptation to the rules is a major part of the development cost and time all point to a single fact: the rules governing the world are unable to keep pace with the world itself.

Big Aviation is still a game of two players

And one of them, Airbus, is celebrating its birthday.

Years ago, three major players shared the market but, once McDonnell Douglas disappeared, big planes were made by one of the remaining two. Of course, we should not forget Antonov, whose An-225 is still the biggest plane in the world, some huge Tupolevs, or the Lockheed TriStar, but the former never left their home markets, while the TriStar could be seen as a failed experiment by its manufacturer.

Airbus emphasizes the milestones in its timeline but, behind them, there is a constant thread: efficiency through the use of IT.

Airbus was the first civil manufacturer to offer a big plane with a two-person cockpit (the A310), and the first to introduce fly-by-wire widely in civil aviation (the only previous exception being Concorde). Finally, Airbus introduced the commonality concept, allowing pilots to switch very quickly from one model to another while keeping the rating for both.

Boeing took a more conservative position: the B757 and B767 appeared with two-person cockpits only after being redesigned to compete with the A310. Despite Boeing's greater experience in military aviation and, hence, in fly-by-wire technology, it deferred for a long time the decision to include it in civil aircraft. Where Boeing finally lost the efficiency battle was in showing up with a portfolio of largely unrelated products while Airbus was immersed in its commonality model.

The only point where Boeing arrived first was the use of twin-engine planes for transoceanic flights under the ETOPS rules. Paradoxically, the ones left in the worst position were not Airbus but the two American companies building three-engine planes, McDonnell Douglas and Lockheed. That was the exception; usually, Boeing was behind in the efficiency race.

Probably, and this is my personal bet, Boeing will try to build a family starting with the B787. This plane should be for Boeing what the A320 was for Airbus, that is, the starting point of a new generation sharing many features.

As proof of that more conservative position, Boeing kept some forms of feedback that Airbus simply removed, such as the feel of the flight controls or the feedback from the autothrottle to the throttle levers. Nobody questioned whether this should be done, and it was offered as a commercial advantage rather than a safety feature, since it was not compulsory. Actually, the differences between the two manufacturers, accepted by the regulators as features independent of safety, have been at the root of some events.

Smaller-size aviation is much more crowded and, right now, we have two newcomers from Russia and China (Sukhoi and COMAC), including the possibility of an agreement between them to fight for the big-plane market.

Anyway, that is still in the future. Big Aviation is still a game of two contenders, and every single step in that game has been driven by efficiency. Some of us would like understandability, in normal and abnormal conditions, to be among the priorities in future designs, whether they come from the present contenders or from any newcomer.

Published in my LinkedIn profile

A comment on a good read: Air Safety Investigators by Alan E. Diehl

Some books can be considered a privilege, since they are an opportunity to look into an interesting mind. In this case, it is the mind of someone who was professionally involved in many of the air accidents considered Human Factors milestones.

The author, Alan Diehl, has worked with the NTSB, the FAA and the U.S. Air Force. Everywhere, he tried to show that Human Factors had something important to say in investigations. Actually, I borrowed for my first sentence something he repeats again and again: the idea of trying to get into the mind of the pilot to understand why a decision was made.

Probably, we should establish a working hypothesis about the people involved in an accident: they were not dumb, they were not crazy, and they were not trying to kill themselves. It would hold almost always.

Very often, as the author shows, major design and organizational flaws lie beneath the bad decision that leads to an accident. He suffered some of these organizational flaws in his own career, being vetoed in places where he challenged the status quo.

One of the key cases, a turning point for his activity but, regretfully, not for aviation safety in military environments, happened over northern Iraq: two F-15s shot down two American Black Hawk helicopters. Before that, he had tried to implement CRM principles in the U.S. Air Force. The attempt was rejected by a high-ranking officer and, after the accident, they tried to avoid any mention of CRM issues.

Diehl suffered the consequences of disobeying orders on the matter, as well as of blowing the whistle on some bad safety-related practices in the Air Force. Even though those practices carried a heavy death toll, that did not bring change.

As an interesting extra, almost at the end of the book there is a short analysis of the different reporting systems, how they were created and how they relate to each other. Although it does not pretend to be a central part of the book, it can be very clarifying for the many people who get lost in the soup of acronyms.

However, the main and most important part of the book is CRM-related: Diehl fought hard to get CRM established after a very well-known accident, a United DC-8 in Portland that crashed because it ran out of fuel while the captain was worried about the landing gear, which made him delay the landing beyond any reasonable expectation.

It is true that the Portland case was important, just as the Los Rodeos and Staines cases were very important as major events feeding the definition of CRM practice. However, and this is a personal opinion, something could be missing in the CRM discussion: when Diehl had problems with the Air Force, he defended CRM from a functional point of view. His point, in short, was that we cannot accept the death toll its absence was causing, but... is the absence of CRM the real problem, or does the problem have much deeper roots?

CRM principles can be hard to apply in an environment where power distance is very high. There, you can decide that the plane is a kind of bubble where that high power distance does not exist, or accept that there is no such bubble and that, as someone once told me, as a pilot I am in charge of the flight, but the fact is that the plane is an extension of the barracks and the highest-ranking officer on board is the real captain. Nothing surprising, if we look at the facts behind the air accident that beheaded the Polish state. "Suggestions" from the Air Force chief are hard for a military pilot to ignore.

Diehl points out how, in many situations, pilots seem inclined to gamble with their lives instead of sticking to safety principles. Again, he is right, but it can easily be explained: suppose that the pilot of the flight that crashed with the Polish leadership on board had rejected the "suggestion" and diverted to the alternate airport. Nothing would have happened, except that the outcome of the other option would never be visible, and everyone would find reasons to explain why the pilot could have landed where he was trying to land. His career would simply have been ruined, because nobody would admit the real danger of the other option.

Once you decide, it is impossible to know the outcome of the alternative decision, and that makes the pressure especially hard to resist. So, even when restricted to the cockpit or to a single plane, CRM principles can be hard to apply in some organizations. Furthermore, as Diehl suggests in the book, you can extend CRM concepts well beyond the cockpit and try to turn them into a change-management program.

CRM, in civilian and military organizations alike, means a way of working, but we can find incompatibilities between CRM principles and the principles of the organizational culture. Management has to deal with these contradictions but, if the organizational culture is very strong, it will prevail and management will not deal with them. It will simply opt for the status quo, ignoring any other option.

Would CRM have saved the many lives lost in its absence? Perhaps not. There is a paradox in approaches like CRM or, more recently, SMS: they work fine in the places where they are least needed, and they do not work in the places where their implementation should be a matter of urgency. I am not trying to play with words but to state a simple fact, and I would like to do so with an example:

Qantas, the Australian airline, has a highly regarded CRM program, and many people inside and outside that company would agree that CRM principles brought a real safety improvement. Nothing to object to, but let me show it in a different light:

Suppose for a moment that someone decided to remove all the CRM programs in the world because of... whatever. Once done, we could ask which companies would be the most affected. Would Qantas be among them? Hard to answer, but probably not. Why?

CRM principles work precisely in the places where those principles were already working in the background. There, CRM brings order and procedures to a previous situation that we could call "CRM without a CRM program": for instance, a low power distance where a subordinate is willing to voice any safety concern. In that case, the improvement is clear. If we suddenly removed the program, the culture would keep those principles alive, because they fitted that culture from the very first moment and even before.

What happens when CRM principles run against the organizational culture? Let me put it briefly: make-up. Such organizations will accept CRM just as they accept SMS, since both are mandatory, but everyone inside will know the truth. Will CRM save lives in these organizations, even if they are forced to implement it?

A recent event can answer that: the Asiana accident in San Francisco happened because a first officer did not dare to tell his captain that he was unable to land the plane manually (of course, as usual, many more factors were present, but this was one of them and it was extremely important).

Diehl clearly advocates for CRM, and I believe he is right, with statistical evidence of safety improvement on his side. My point is that the improvement is not homogeneous: it happens mainly in places that were already willing to accept CRM principles and, in an unstructured way, were already working with them.

CRM by itself does not have the power to change the organizational culture in places that reject its principles, and there the approach should be different. A very good old book, The Critical Path to Corporate Renewal by Beer, Eisenstat and Spector, explains clearly why change programs do not work and shows a different way to achieve change in organizations that reject it.

Anyone trying to make a real change should flee from change programs: even if we agree with the goals, one-size-fits-all does not work. Some principles, like those behind CRM or SMS, are valid from a safety point of view but, even though everyone will pay lip service to the goals, many organizations will not accept the changes required to get there. That is still a hard challenge to overcome.

Published originally in my LinkedIn profile

Air Safety and Hacker Frame of Mind

If we ask anyone what a hacker is, we get answers ranging from cyberpiracy and cybercrime to cybersecurity... and any other cyber-thing. However, it is much more than that.

Hackers are classified by the "color of their hats": a white-hat hacker is someone devoted to security, a black-hat hacker is a cybercriminal, and a grey-hat hacker is something in between. That may be interesting as a curiosity but... what do they have in common? Furthermore, what do they have in common that could be relevant to air safety?

Simonyi, the creator of WYSIWYG, warned long ago about an abstraction ladder that keeps adding more and more steps. In Information Technology, that means programmers do not program a machine: they instruct a program to make a program to be run by a machine. Higher programming levels mean a longer distance from the real thing and more steps between the human action and the machine action.
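A small, concrete illustration of that distance, using Python's standard dis module as a stand-in for any abstraction ladder (the function itself is invented for the example): the line the programmer writes is first translated into bytecode for a virtual machine, which is itself another program running on the real hardware.

```python
# What the programmer writes is not what the machine executes.
import dis

def fuel_remaining(total_kg: float, burned_kg: float) -> float:
    return total_kg - burned_kg

# dis shows the intermediate, symbolic layer: bytecode for Python's virtual
# machine, one more step between the human action and the machine action.
dis.dis(fuel_remaining)
```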

Of course, Simonyi warned of this as a potential problem while speaking about Information Technology, but IT is now ubiquitous and the problem can be found anywhere, including, of course, aviation.

We could say that any IT-intensive system has different layers, and the number of layers defines how advanced the system is. So far so good, as long as we assume a perfect correspondence between layers, that is, that every layer is a symbolic representation of the one below and that the representation is flawless. That would be all... but it isn't.

Every information layer that we put over the real thing is not a perfect copy, which would be pointless; instead, it tries to improve something in safety or efficiency or, very often, it claims to improve both. However, avoiding flaws in that process is almost impossible. That is where problems start, and where hacker-type knowledge and frame of mind become highly desirable for a pilot.

The symbolic nature of IT-based systems makes their flaws hard to diagnose, since their behavior can be very different from that of mechanical or electrical systems. Hackers, good or bad, try to identify these flaws; that is, they are very conscious of this layered, symbolic structure instead of assuming an enhanced but perfect representation of the reality below.

What does a hacker frame of mind mean as a way to improve safety? Let me show two examples:

  • From cinema: the movie "A Beautiful Mind", about John Nash and his mental health problems, shows at one point how and why he was able to control those problems: he had been confusing reality and fiction until he found something that did not fit. It happened to be a little girl who, after many years, was still a little girl instead of an adult woman. That gave him the clue to know which part of his life was created by his own brain.
  • From air safety: a reflection taken from the book "QF32" by Richard de Crespigny: "Engine 4 was mounted to our extreme right. The fuselage separated Engine 4 from Engines 1 and 2. So how could shrapnel pass over or under the fuselage, then travel all that way and damage Engine 4? The answer is clear. It can't." Once you arrive at that point, a finding appears crystal clear: the information coming from the plane cannot be trusted, because somewhere in the IT layers the correspondence between reality and representation has been lost.

Detecting these problems is not easy. It requires much more than operating knowledge and, at the same time, we know that nobody has full knowledge of the whole system, only partial knowledge. That partial knowledge should be enough to define key indicators, as in the examples above, that tell us when we are working with information that should not be trusted.
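As a minimal sketch of what such a key indicator could look like - invented data structures and thresholds, not any real avionics logic - the check below rejects a report that contradicts a physical impossibility, in the spirit of the QF32 reasoning quoted above:

```python
# Illustrative plausibility cross-check on symbolic data (hypothetical example).
from dataclasses import dataclass

@dataclass
class EngineReport:
    engine: int
    shrapnel_damage: bool

def report_is_plausible(report: EngineReport, reachable_engines: set) -> bool:
    """Distrust damage reports for engines the known event could not physically reach."""
    return (not report.shrapnel_damage) or (report.engine in reachable_engines)

# Assumed scenario: an uncontained failure on the left side can plausibly
# have hit engines 1 and 2 only.
reachable = {1, 2}
for r in [EngineReport(2, True), EngineReport(4, True)]:
    if not report_is_plausible(r, reachable):
        print(f"Engine {r.engine}: report conflicts with physics - distrust this data source")
```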

The hard part: the indicators cannot be permanent but must be adapted to each situation; that is, the pilot should decide which indicator to use in situations not covered by procedures. That brings us to another issue: if a hacker frame of mind is positive for air safety, how do we create, nurture and train it? Let's look again at the process a hacker follows to become a hacker:

First, hackers actively look for information. They do not go to formal courses expecting the information to be handed to them; instead, they look for resources that let them increase their knowledge. Applying this model to aviation would mean wide access to information sources beyond what is provided in formal courses.

Second, hacker training is more like military training than academic training: they fight to break into or to defend a system, and they show their skills by opposing an active adversary. To replicate such a model, simulators should include situations that trainers can imagine. The design should therefore be much more flexible: instead of simulators behaving exactly as a plane is supposed to behave, they should have room to include situations arising from information misrepresentation or from automatic responses to defective sensors.

Asking for full knowledge of all the information layers and their potential pitfalls is utopian, since nobody has that kind of knowledge, designers and engineers included. Everybody has partial knowledge. So how can we make the best of that partial knowledge? By looking for a different frame of mind in the people involved, mainly pilots, and by providing the information and training resources that allow that frame of mind to be created and developed. That could mean a fully new training model.

Published originally in my LinkedIn profile

GermanWings revisited: A call for honesty

Perhaps it is worth analyzing what happened after the GermanWings crash. Some things happened immediately and others took some time to appear:

It was very surprising that, after only a few hours, the NYT was already questioning the A320's safety and a pilot was claiming that the problem might lie in the A320's systems. All of this happened a few hours after the crash, when nobody knew anything about what had happened or why.

Only a few days ago, I found another version: the problem was that Lubitz held an MPL license, a license type that has been heavily criticized from some quarters.

I would like to make clear that I am among the people who have criticized the Airbus approach to automation and the MPL license. I still hold that position on both issues, but these things - personal positions, who pays your salary or the commitments of your organization - should never be an easy excuse to forfeit honest behavior.

Obviously, the Airbus approach to automation had no relationship with the crash. If someone wanted to talk about it a few hours after the event, it seems clear that the crash was used as an excuse to get an audience for their merchandise, related or not to the event.

Something similar happens with the MPL license. Some of us believe that, as an abstract idea, it could be good, but the implementation has some dark sides, such as the development of real stick-and-rudder skills and of the capacity to decide when nobody else is there to do it.

Lubitz held an MPL license but... he was also a seasoned glider pilot. The MPL syllabus can be heavily centered on aircraft systems and Lubitz, unfortunately, showed that he knew how to use them. At the same time, the usual criticism of the MPL license would not apply, since stick-and-rudder skills are hard to question in someone who used to glide in the Alps.

Moreover... had Lubitz not been a real pilot, which he was, but a «system operator», that still would have had no relation whatsoever to the GermanWings crash.

We can speak of organizational failures, since a lot of unprocessed information had long been available and could have been used to prevent the crash, but using the crash to raise unrelated issues - Airbus automation policy, MPL licenses or many others - is basically dishonest and shows a lack of respect both for the people who died and for the people who did their best in the subsequent investigation.

Concerns about some issues can be perfectly legitimate. Using anything, including a crash with many casualties, as an excuse to raise them is not. That is why a call for honesty is required regarding this case and, probably, many others.

Navigating Safety: Necessary Compromises and Trade-Offs: Theory and Practice by René Amalberti

Amalberti explains safety-related concepts very clearly and, whether or not the reader agrees with 100% of the contents, the book is worth reading and discussing. He goes against some sacred cows in the safety field and his book should be analyzed very carefully. In particular, these three points deserve special analysis:

• People learn by doing, not by observing. Demanding full situational awareness before doing anything could lead to serious accidents while the operator tries to obtain that full situational awareness.

• There are different safety models. Many markets and companies try to imitate ultra-safe models like those of aviation and nuclear energy when, in fact, these models would not work in other activities that are more expert-based than procedure-based.

• Trying to train someone for every single exceptional situation is not the safest option. People may start exploring the limits instead of remaining inside the safe envelope.

People learn by doing, not by observing. True, and perhaps that is one of the reasons people are so bad at monitoring, while some automation designs still insist on precisely that role. However, Amalberti reaches a conclusion about situational awareness that, in my opinion, could be wrong: for him, we should not demand full situational awareness before trying a solution, because under critical situations with serious time constraints we could become paralyzed. Explained like that, it is true - it is the phenomenon known as paralysis by analysis - but something is missing:

Situational awareness should not be understood as a condition to be met in critical situations but as a flowing process. In high-risk environments, design should guarantee that flow at such a level that, once an emergency appears, getting a full picture of the situation is easy. If we combine this principle with Amalberti's first point, that people learn by doing rather than by observing, we can reach different conclusions:

1. Top-level automation should be used only in exceptional situations, keeping as default those levels at which human operators can learn and develop situational awareness by doing rather than by observing.

2. Information technology used in critical systems should be under-optimized; that is, instead of the most efficient design in terms of technology use, the choice should be the most efficient design in terms of preserving situational awareness. Some new planes still carry Intel processors that went off the market many years ago - for instance, the B777 uses the Intel 486 - and nothing happens. Why, then, should we try to squeeze every drop out of every line of code, building systems impossible for their users to understand?

Different safety models and the out-of-context imitation of ultra-safe systems such as aviation or nuclear plants. This is another excellent point but, again, something could be missing: evolution. I have to confess that my Ph.D. thesis tried to do precisely what Amalberti rejects, that is, to apply the air safety model to the business management field. Some years later, Ashgate published it under the title Improving Air Safety through Organizational Learning, but "forgetting" the chapter where the lessons of air safety were applied to business management.

The first thing to be said is that, in general terms, Amalberti is right. We cannot bring all the procedural weight of a field like air safety into many other fields - not if we want it to work - such as surgery, where the individual can matter much more than the operating rules. However, the issue that could be lost here is organizational evolution. Some fields have evolved towards ultra-safe models because of their own constraints, without anyone trying to imitate an external model. Different activities, while looking for efficiency improvements, evolved towards what Charles Perrow called tightly coupled organizations, and that produced an unintended effect: errors in efficient organizations are also efficient, because they spread their effects through the same organizational channels as normal operations. Otherwise, how could we explain cases like Baring Brothers, where a single rogue employee was enough to bring the whole bank down?

In short, it is true that we should not imitate ultra-safe models out of context but, at the same time, we should ask whether the field whose safety we are analyzing needs to evolve towards an ultra-safe model because it has already become a tightly coupled organization.

Trying to train someone for every single exceptional situation is not the safest option: again, we can agree in general terms. For instance, we know that, as part of their job, pilots practice in simulators events that are not expected to appear in their whole professional life. Perhaps asking them to practice recovery from inverted positions or from spins would be an invitation to get closer to those situations, since they would feel able to recover. The time of the "hero pilot" ended long ago, but...

We have known of wrong risk assessments in the past, where the supposedly low-probability event that did not require training, because it was not supposed to happen... happened. A well-known example is United 232, where three supposedly independent hydraulic systems failed at the same time, showing that they were not as independent as claimed. One of the pilots on board had previously practiced in a flight simulator the skills that turned a certain crash into a crash landing, substantially reducing the number of casualties. A similar case is the Hudson River landing, where a dual engine failure was assumed to happen only above 20,000 feet... and the procedures developed for that scenario made the pilots lose precious time when the full loss of power happened far below that height.

Even so, rather than focusing on the various events that reveal a wrong risk assessment - which would already invite us to treat Amalberti's idea with care, even though he clearly raises an important point - there is a different kind of problem that has already been behind major accidents: faulty sensors feeding wrong information to computers, and plane occupants being killed without the pilots having the faintest idea of what was going on. Stamping this kind of event with a "lack of training" label tells us something that is at once true and useless and, by the way, runs against Amalberti's own principle.
Daniel Dennett used a comparison that is relevant here, between commando units and intelligence agencies: commando units are expected to react to unforeseen situations, which means redundant resources and a great deal of cross-training. Intelligence agencies, on the other hand, work under the "need-to-know" principle. Should we consider it an accident that this same "need-to-know" idea has been used by some aviation manufacturers in their type-rating courses? Should we really limit training to foreseen events, or should we recognize that some events are very hard to foresee and take different approaches in design as well as in training?

In short, this is an excellent book. Even if some of us cannot agree with every single point, the points deserve discussion, especially since it is clear that they come from a strong safety-oriented mindset rather than from politics or convenience inside regulators, operators or manufacturers.

I would not like to finish without a big thank you to my friend Jesús Villena, who edited this book in Spanish under the title "Construir la seguridad: compromisos individuales y colectivos para afrontar los grandes riesgos", because he introduced me to it.

#GermanWingsCrash Solution: Two people in the cockpit

A basic rule in accident investigation is not to try to find a solution to the accident that has just happened. The reason is that it usually involves an exceptional combination of circumstances that is unlikely to appear together again. Therefore, the usual preference is to prevent those individual circumstances; that is, the components are attacked rather than an improbable combination.

This does not prevent us, when an accident does repeat itself - as in the Spanair case, an exact repetition, 21 years later, of an identical accident in Detroit with the same type of aircraft - from legitimately asking what was done in that attack on the individual circumstances that allowed the same outcome to happen again.

After the GermanWings case, we find ourselves assaulted by the deadlines and fears imposed by the media: Can a pilot go mad? Of course, like anyone else. Should we start trying to prevent that possibility with rules such as requiring two people in the cockpit? Let's see:

  • Could a cabin crew member put a powerful poison in the food or drink of the passengers or the pilots? And if we also watch the crew... could someone in charge of preparing the catering do the same?
  • Could a maintenance technician cause a failure that is hard to detect but leads a plane to crash?
  • Could someone in charge of loading the baggage slip an explosive, incendiary or corrosive device in with the suitcases?

These and many other possibilities - some occur to me that I will not mention, so as not to give anyone ideas - can happen, and letting ourselves be guided by the impact of the latest case does not seem the wisest policy for making decisions. In fact, we should not forget that a case like GermanWings was made possible by the introduction of an armored door - another quick response to a panic situation fed by the media - separating the cockpit from the rest of the plane.

When we board a plane, and practically whenever we do anything else, there is an element of risk. We have two options: accept that simple fact and try to limit as far as possible what we might consider reasonable risks, or try to control absolutely everything - a sterile race that leads nowhere, except to the next problem being caused by the latest solution.

Perhaps those who favor the idea of total control should review the EgyptAir 990 case. It happened before 9/11 and there were no armored doors yet. In fact, the captain of the plane came back into the cockpit and tried to recover the aircraft. The suicidal pilot simply cut off the fuel flow to the engines... in other words, if someone intends to do it, he can always find an action for which the available time is not enough, or use the element of surprise to neutralize whoever is supposed to be watching him. On that flight there were two more pilots who, had they suspected what was going on, could have restrained the suicidal pilot... something they obviously could never have done with an armored door between them, even with the two-person rule in the cockpit.

What if situations of this kind were analyzed calmly, without being driven by the pressure, the panic and the deadlines set by the media? Does it help to let the pilot know, through the simple procedure of never leaving him alone in the cockpit, that he is a suspect? Does it solve anything, considering that other positions, such as those mentioned above, could also be used for mass murder?

A little common sense would sometimes be welcome. Trying to limit risks is right. Letting terror and paranoia decide for us is not.

#GermanWingsCrash: The use of an accident

One day after the accident, as might be expected, there is no clear knowledge of what happened. Some witnesses saw the plane flying close to the ground over high terrain, and controllers reported that the plane had been descending for several minutes without the crew reporting anything. That may be enough to discard the terrorism hypothesis, and not much more.

Even so, many people used this accident to sell ideas that happened to suit them. Thus, the NYT asked whether the A320 was safe, while others charged against low-cost companies, against automation and against pilot recruiting and training policies.

All of them can be legitimate concerns - though the NYT article, coming from the USA, home of Airbus's main competitor, Boeing, may look suspicious - but... now?

We know nothing yet. Perhaps, when we have the facts, we will conclude that an official inquiry is biased - as many of us suspect in cases like AF447 - but for now we can only wait for the facts. This should not be an opportunity to grab a loudspeaker for our own concerns when we do not have the faintest idea whether they are related to the accident. Respect for the victims demands that we do not use them in such a dirty way.

Flight-Deck Automation: Something is wrong

Something is wrong with automation. If we can find diagnoses made more than 20 years ago whose conclusions are still current... something is wrong.

Some examples:

Of course, we could extend the examples to books like Information Processing and Human-Machine Interaction: An Approach to Cognitive Engineering, published by Rasmussen in 1986; Safeware, written by Leveson in 1995; Normal Accidents, by Perrow in 1999; The Humane Interface, by Raskin in 2000; and many others.

None of these resources is new, but all of them remain relevant to anyone interested in what is happening NOW. Perhaps there is a problem in the basics that has still not been properly addressed.

Certainly, once a decision is made, going back is extremely expensive and manufacturers will try to defend their solutions. An example I have used more than once is the fact that modern planes carry processors so old that their manufacturer no longer makes them. Since the lifetime of a plane is longer than the lifetime of some key parts, operators have to stockpile those parts, because they can no longer order them from the manufacturers.

The obvious solution would be renewal, but that would be so expensive that they prefer brand-new planes with old-fashioned parts rather than going through new certification processes. Nothing to object to in this practice. It is only a sample of a more general one: staying attached to a design and defending it against any doubt about its adequacy, even when the doubt is reasonable.

However, this rationale applies to products already on the market. What about the new ones? Why do the same problems appear again and again instead of finally being solved?

Perhaps a Human Factors approach could be useful to identify the root problem and help fix it. Let's talk about psychology:

The first psychologist to win a Nobel Prize was Daniel Kahneman. He was one of the founders of behavioral economics, showing how we use heuristics that usually work but that can misguide us in some situations. To show that, he and many followers designed interesting experiments making clear that we all share some "software bugs" that can drive us to mistakes. In other words, heuristics are treated there as a quick-and-dirty approach, valid in many situations but useless, if not harmful, in others.

Many engineers and designers would be willing to buy this approach and, accordingly, to design their products in a way that enforces a formal, rational model.

The most qualified opposition to this model comes from Gigerenzer. He explains that heuristics are not a quick-and-dirty approach but the only possible one when we face constraints of time or processing capacity. Furthermore, for Gigerenzer, people extract intelligence from context, while the experiments of Kahneman and others are set in strange situations and designed to mislead the subject of the experiment.

An example used by Kahneman and Tversky is this one:

Linda is 31 years old, single, outspoken, and very bright. She majored in philosophy. As a student, she was deeply concerned with issues of discrimination and social justice, and also participated in anti-nuclear demonstrations.

 Which is more probable?

  •  Linda is a bank teller.
  • Linda is a bank teller and is active in the feminist movement.

The experiment is meant to show the conjunction fallacy, that is, how many people choose the second alternative even though the first one is not only broader but actually includes the second.
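A quick numeric check, with made-up illustrative values, of why the second option can never be the more probable one:

```python
# Conjunction rule: P(A and B) <= P(A), whatever the numbers are.
p_teller = 0.05                  # assumed P(Linda is a bank teller)
p_feminist_given_teller = 0.30   # assumed P(active feminist | bank teller)

p_teller_and_feminist = p_teller * p_feminist_given_teller
print(p_teller, p_teller_and_feminist)     # 0.05 vs 0.015
assert p_teller_and_feminist <= p_teller   # holds for any valid probabilities
```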

Gigerenzer's analysis is different: suppose that all the information about Linda were the first sentence, "Linda is 31 years old." Furthermore, suppose you gave no background information at all and simply asked the questions... we could expect the conjunction fallacy not to appear. It appears because the experimenter provides information and, since the subject is given that information, he assumes it is RELEVANT... otherwise, why would he be fed this information?

In real life, relevance is a cue. If someone tells us something, we understand that it has a meaning and that the information is not there to deceive us. That is why Gigerenzer criticizes the behavioral economics approach, an approach that many designers may share.

According to Gigerenzer, we judge how good a model is by comparing it with an ideal, rational model; but if, instead, we judged which model is best by looking at the results, we could find some surprises. That is what he did in Simple Heuristics That Make Us Smart: comparing complex decision models with others that, in theory, should perform worse and finding that, in many cases, the "bad" model got better results than the sophisticated one.

Let's go back to automation design. Perhaps we are asking the wrong questions at the outset. Instead of "What information would you like to have?", which gets a letter to Santa Claus as an answer, we should ask: what cues do you use to know that this specific event is happening?

The FAA, in its 1996 study, complained that a major failure such as an engine stoppage can be masked by a flood of warnings about different systems failing, making it hard to discern that all of them come from a common root, namely the stopped engine. What if we asked: "Tell me one fact - exceptionally I would admit two - that would tell you, clearly and fast, that one of the engines has stopped"?
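A minimal sketch of that cue-based idea - hypothetical thresholds and invented message names, not any certified alerting logic - collapsing the downstream warnings into the one or two direct cues a pilot would use to recognize a stopped engine:

```python
# Illustrative root-cause grouping of alerts (hypothetical values).
from dataclasses import dataclass

@dataclass
class EngineData:
    n2_percent: float     # core rotation speed
    fuel_flow_kgh: float

def engine_stopped(e: EngineData) -> bool:
    # One or two direct cues instead of a list of downstream consequences.
    return e.n2_percent < 5.0 and e.fuel_flow_kgh == 0.0

downstream_alerts = ["GEN 2 OFF", "HYD SYS B PRESS LOW", "BLEED 2 FAULT"]  # noise
engine_2 = EngineData(n2_percent=0.0, fuel_flow_kgh=0.0)

if engine_stopped(engine_2):
    print("ROOT CAUSE: ENGINE 2 SHUTDOWN")        # the single top-level message
    print("Related, suppressed:", downstream_alerts)
```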

We have a nice example in the QF32 case. The pilots started to distrust the system when they received information that was clearly false. It was a single fact, but enough to trigger distrust. What if, instead of jumping to that conclusion from a single fact, they had been "rational" and tried to assign probabilities to different scenarios? The plane probably would not have had enough fuel to allow that approach.

Rasmussen suggested one approach, a good one, in which the operator should be able to run cognitively the program the system is performing. The approach is good, but something is still missing: how long would it take the operator to replicate the functional model of the system?

In real-life situations, especially when dealing with uncertainty rather than calculated risk, people use very few indicators, ones that are easy and fast to obtain. Many of us remember the BMI 092 (Kegworth) case. The pilots used an indicator to decide which engine had the problem... unfortunately, they had come from an earlier generation of the B737 and did not know that the one they were flying bled air from both engines instead of only one. The cue they used to identify the failing engine, and which pointed them to the wrong one, would have been correct in the older plane.

Knowing the cues pilots actually use, planes could be designed with a human-centered approach instead of creating an environment that does not fit the way people perform real tasks in real environments.

When new flight-deck designs appeared, manufacturers and regulators were careful enough to keep the basic T, even if in electronic format, because that was how pilots were used to getting the basic information. Unfortunately, that care has disappeared elsewhere: the position of the power levers under autothrottle, the position of sidesticks or yokes, whether they should transmit force feedback, whether their position should be shared by both pilots... all of these received a treatment very far from a human-centered approach. Instead, screen mania seems to be everywhere.

A good design starts with a good question and, perhaps, the questions are not yet good enough; that is why analyses and complaints from 20 and 30 years ago are still current.
