A small question for the ATSB
According to the preliminary ATSB report the crew of QF32 took approximately 50 minutes to process all the Electronic Centralised Aircraft Monitor (ECAM) messages. This was despite this normal crew of three being augmented by a check captain in training and a senior check captain.
There are two obvious questions, first would the normal three man crew have been able to handle the ECAM check-list work as readily? Second should the check-list processing have taken 50 minutes which is a very, very, long time in a mid air emergency? (1)
The problem with check-lists is that they are are written by people sitting in comfortable offices and, if their paper cousins are anything to go by, even the electronic version are unlikely to have been designed with the effects on air crew performance of the stress of dealing with a challenging emergency in mind (2).
One area in which such check-lists traditionally come up short is that they tend intentionally to focus on responses to a single well defined failure, primarily because the failure analyses de-jour of the aviation industry (FMEA) only deals with single failures scenarios. Dealing with an interlocking set of multiple failure is thus simply something for which check-lists are not designed and in the case of both QF 32, and QF 72 this led to a cascading series of ECAM messages for each fault condition.
…ECAM messages that would say ‘aircraft CoG out of limits’ and was asking us to move fuel from horizontal stabiliser forward to bring it within limits and the next message would say the ‘THS transfer not available’. So one message contradicting another…
Captain David Evans (Check Captain QF 32)
In fact problems with the design of traditional paper borne check-lists have been widely recognised across several industries for a number of years, for example NASA Ames has a current project under way to address these problems (2) while the US NRC has released a guideline on HMI design that also addresses the use of check-lists NUREG 0700 (3).
Given the high workload placed on the QF32 in addressing the ECAM messages perhaps the ATSB should recognise that were it not for the additional crew the automated ECAM system would have failed the crew in this event. Maybe it’s time to design automated check-list systems to address both crew cognitive limitations under stress and multiple failure scenarios…
This post is part of the Airbus aircraft family and system safety thread.
1. For example in the ValuJet 592 Eeverglades crash the situation went from an electrical fault alert to an full blown fire alert in approximately 25 seconds. As another example Swissair 111 took 20 minutes to go from an initial odour to impact into the ocean.
2. Problems with the design of traditional paper borne checklists have been widely recognized for a number of years and in fact NASA Ames’ Emergency, Abnormal, and Off-nominal Situations (EAS) Study project is looking at these sort of issues.
3. See section 4 of NUREG 0700 which covers in some detail the principal of advanced alarm system design including nuisance, redundant and significance processing techniques as well as alarm presentation to operators. NRC work on this problem was triggered by the identified problems with the human machine interface during the Three Mile Island accident.
1. NRC, Human-System Interface Design Review Guidelines, U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Washington, DC 20555-0001, Revision 2, May 2002.