Interesting documentary on SBS about the Germanwings tragedy, if you want a deeper insight see my post on the dirty little secret of civilian aviation. By the way, the two person rule only works if both those people are alive.
Archives For Germanwings
The problem with people
The HAL effect, named after the eponymous anti-hero of Stanley Kubrick and Arthur C. Clarke’s film 2001, is the tendency for designers to implicitly embed their cultural biases into automation. While such biases are undoubtedly a very uncertain guide it might also be worthwhile to look at the 2001 Odyssey mission from HAL’s perspective for a moment. Here we have the classic long duration space mission with a minimalist two man complement for the cruise phase. The crew and the ship are on their own. In fact they’re about as isolated as it’s possible to be as human beings, and help is a very, very long way away. Now from HAL’s perspectives humans are messy, fallible creatures prone to making basic errors in even the most routine of tasks. Not to mention that they annoyingly use emotion to inform even the most basic of decisions. Then there’s the added complication that they’re social creatures apt in even the most well matched of groups to act in ways that a dispassionate external observer could only consider as confusing and often dysfunctional. Finally they break, sometimes in ways that can actively endanger others and the mission itself.
So from a mission assurance perspective would it really be appropriate to rely on a two man crew in the vastness of space? The answer is clearly no, even the most well adjusted of cosmonauts can exhibit psychological problems when isolated in the vastness of space. While a two man crew may be attractive from a cost perspective it’s still vulnerable to a single point of human failure. Or to put it more brutally murder and suicide are much more likely to be successful in small crews. Such scenarios however dark they may be need to be guarded against if we intended to use a small crew. But how to do it? If we add more crew to the cruise phase complement then we also add all the logistics tail that goes along with it, and our mission may become unviable. Even if cost were not a consideration small groups isolated for long periods are prone to yet other forms of psychological dysfunctions (1). Humans it seems exhibit a set of common mode failures that are difficult to deal with, so what to do?
Well, one way to guard against common mode failures is to implement diverse redundancy in the form of a cognitive agent whose intelligence is based on vastly different principles to human affect driven processing. Of course to be effective we’re talking a high end AI, with a sufficient grasp of the theory of mind and the subtleties of human psychology and group dynamics to be able to make usefully accurate predictions of what the crew will do next (2). With that insight goes the requirement for autonomy in vetoing illogical and patently hazardous crew actions, e.g “I’m sorry Dave but I’m afraid I can’t let you override the safety interlocks on the reactor fuel feed…“. From that perspective we might have some sympathy for HAL’s reaction to his other crew mates plotting his cybernetic demise.
Which may all seem a little far fetched after all an AI of that sophistication is another twenty to thirty years away, and long duration deep space missions are probably that far away as well. On the other hand there’s currently a quiet conversation going on in the aviation industry about the next step for automation in the cockpit, e.g. one pilot in the cockpit of large airliners. After all, so the argument goes, pilot’s are expensive beasts and with the degree of automated support available to day, surely we don’t need two men in the cockpit? Well, if we’re thinking purely about economics then sure one could make that argument, but on the other hand as the awful reality of the Germanwings tragedy sinks in we also need to understand that people are simply not perfect, and that sometimes (very rarely (3)) they can fail catastrophically. Given that we know that reducing crew levels down to two increases the risk of successful suicide by airliner one could ask what happens to the risk if we go to single pilot operations? I think we all know what the answer to that would be.
Where is a competent AI (HAL 9000) when you need one? 🙂
1. From polar exploration we know that small exploratory teams of three persons are socially unstable and should be avoided. Which then drives the team size to four.
2. As an aside, the inability of HAL to understand the basics of human motivation always struck me as a false note in Kubrick’s 2001 movie. An AI as smart as Hal apparently was, and yet lacking even an undergraduate understanding of human psychology, maybe not.
3. Remember that we are in the tail of the aviation safety program where we are trying to mitigate hazards whose likelihoods are very, very rare. However given that they aren’t mitigated they dominate the residual statistic.
Amidst all the soul searching, and pontificating about how to deal with the problem of pilot’s ‘suiciding by airliner’, you are unlikely to find any real consideration of how we have arrived at this pass. There is as it turns out a simple one word answer, and that word is efficiency. back when airliner’s first started to fly they needed a big aircrew, for example on the Comet airliner you’d find a pilot, copilot, navigator and flight engineer. Now while that’s a lot of manpower to pay for it did possess one hidden advantage, and that was with a crew size greater than three it’s very, very difficult (OK effectively impossible) for any one member of the flight crew to attempt to commit suicide. If you think I exaggerate then go see if there has ever been a successful suicide by airliner where there were three or more aircrew in the cockpit. Nope, none. But, the aviation industry is one driven by cost. Each new generation of aircraft needs to be cheaper to operate which means that the airlines and airline manufacturers are locked in a ruthless evolutionary arms race to do more with less. One of the easiest ways to reduce operating costs is to reduce the number of aircrew needed to fly the big jets. Fewer aircrew, greater automation is an equation that delivers more efficient operations. And before you the traveller get too judgemental about all this just remember that the demand for cost reduction is in turn driven by our expectation as consumers that airlines can provide cheap mass airfare for the common man.
So we’ve seen the number of aircrew slowly reduce over the years, first the navigator went and then the flight engineer until we finally arrived at our current standard two man flight crew. There’s just one small problem with this, if one of those pilots wants to dispose of the other there’s not a whole lot that can be done to prevent it. In our relentless pursuit of efficiency we have inadvertently eliminated a safety margin that we didn’t even realise was there. So what can we really do about it? Well the simple ‘we know it works’ answer is to go back to three crew in the cockpit, which effectively eliminates the hazard, of course that’s also a solution that’s unlikely to be taken up. In the absence of going back to three man crews well, we get what we’re currently getting, aspirational statements about better management of stress and depression in aircrew, or the use of cabin crew to enforce no go alone rules. But when that cockpit door is closed it’s still one on one, and all such measures do in the final analysis is reduce the likelihood of the hazard, by some hard to quantify amount, they don’t eliminate it. As long as we fly two man crews behind armoured doors unfortunately the possibility and therefore the hazard remains.
Happy flying 🙂
The Germanwings A320 crash
At this stage there’s not more that can be said about the particulars of this tragedy that has claimed a 150 lives in a mountainous corner of France. Disturbingly again we have an A320 aircraft descending rapidly and apparently out of control, without the crew having any time to issue a distress call. Yet more disturbing is the though that the crash might be due to the crew failing to carry out the workaround for two blocked AoA probes promulgated in this Emergency Airworthiness Directive (EAD) that was issued in December of last year. And, as the final and rather unpleasant icing on this particular cake, there is the followup question as to whether the problem covered by the directive might also have been a causal factor in the AirAsia flight 8501 crash. That, if it be the case, would be very, very nasty indeed.
Unfortunately at this stage the answer to all of the above questions is that no one knows the answer, especially as the Indonesian investigators have declined to issue any further information on the causes of the Air Asia crash. However what we can be sure of is that given the highly dependable nature of aircraft systems the answer when it comes will comprise an apparently unlikely combinations of events, actions and circumstance, because that is the nature of accidents that occur in high dependability systems. One thing that’s also for sure, there’ll be little sleep in Toulouse until the FDRs are recovered, and maybe not much after that….
if having read the EAD your’e left wondering why it directed that two ADR’s be turned off it’s simply that by doing so you push the aircraft out of what’s called Normal law, where Alpha protection is trying to drive the nose down, into Alternate law, where the (erroneous) Alpha protection is removed. Of course in order to do so you need to be able to recognise, diagnose and apply the correct action, which also generally requires training.