How aviation has become one of the safest forms of transport

AVIATION SAFETY
Putting it into practice
By Dr Simon Bennett, Director, Civil Safety and Security Unit, University of Leicester

Thanks to the jet engine, better navigation aids and human-factors training, aviation safety has, since the 1960s, shown an improving trend. Having said that, aviation, by its nature, has the capacity to kill large numbers of people in an instant. This characteristic is demonstrated by the Boeing 737 MAX-8 crashes, in which 346 passengers and crew died. The MAX-8 crashes spotlighted systemic failings at Boeing and the Federal Aviation Administration, as well as design flaws in the aircraft's Manoeuvring Characteristics Augmentation System (MCAS). Aviation's partnership with academia has proved fruitful, with the work of several academics, including Professors Charles Perrow, Erik Hollnagel, James Reason, Sidney Dekker and Robert Helmreich, contributing to improved safety. Some of the theories that have helped aviation become one of the safest forms of transportation are described below.

Interactive complexity and coupling

A system such as an aircraft can be described in terms of its interactive complexity and coupling. The greater the number of components in an aircraft, and the more those components interact with one another, the greater its interactive complexity (Figure 1). Technological systems that afford limited opportunities for intervention are referred to as tightly coupled. Technological systems that afford many opportunities for intervention are referred to as loosely coupled. Other things being equal, the less interactively complex a system, the safer it is. And the more loosely coupled a system, the safer it is, because there are many opportunities for intervention and corrective action. Non-linear systems are safer than linear systems.
Professor Erik Hollnagel posits a positive relationship between safety and the ease with which a system can be corrected (tuned) by a human operator. Hollnagel's socio-technical view of safety frames operators as assets rather than liabilities. In 1983, during NATO's annual Able Archer military exercise, a Soviet satellite mistook reflected sunlight for missile launches. A Soviet defence computer informed the Early Warning Centre's Duty Officer, Stanislav Petrov, that the United States had launched five missiles against the USSR. Fortunately, the Soviet system was loosely coupled enough to afford Petrov the opportunity to evaluate the satellite data. Although protocol required Petrov to recommend a retaliatory strike, he resiled. Convinced that the United States would have launched all its missiles in a first strike, Petrov reasoned that the satellite data was a false positive. Because the Soviet early warning system invited Petrov to use his judgement, he was able to de-escalate the crisis. In the language of systems engineering, human operators act as buffers, loosening tightly coupled systems and adding safety. The Union of Concerned Scientists observed of the episode: "[T]he strongest, and one of the few, safety links in the chain was the judgement of the officer in command of the early warning centre [Petrov]." The safest systems are those that provide operators with feedback and opportunities for corrective action. The looser the coupling, the safer the system. Avionics designers should take note.

Common-cause or common-mode failure

A common-cause or common-mode failure occurs when a single event causes the failure of multiple components or systems. The phenomenon of common-mode failure means that redundancy may not deliver expected safety benefits. The greater the complexity and density of an aircraft (the more tightly packed its components), the more vulnerable it is to common-mode failure.
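To put numbers on the claim that redundancy may not deliver its expected benefit, here is an added illustration (my own, not the article's) using the beta-factor model from reliability engineering: a fraction beta of each redundant unit's failure probability is treated as a common cause that takes out every unit at once, and only the remainder fails independently. The per-unit failure probability p, the beta values and the target risk below are constructed figures, not data from any investigation; the same calculation applies to the article's later point about giving the MCAS one angle-of-attack sensor rather than two (n = 1 versus n = 2).

```python
"""Beta-factor model of common-cause failure across n redundant units.

Added illustration: the model is the standard beta-factor model from
reliability engineering; every probability used below is a constructed
number, not a figure from the DC-10 investigation or from Boeing.
"""

from typing import Optional


def independent_failure_prob(p: float, n: int) -> float:
    """Probability that all n redundant units fail if every failure is independent."""
    if not 0.0 <= p <= 1.0 or n < 1:
        raise ValueError("p must lie in [0, 1] and n must be at least 1")
    return p ** n


def common_cause_failure_prob(p: float, n: int, beta: float) -> float:
    """Probability that all n units fail under the beta-factor model.

    A fraction beta of each unit's failure probability p is attributed to a
    common cause (one event, such as an uncontained engine failure, that
    removes every unit at once); the remaining (1 - beta) * p is an
    independent failure of that unit alone.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    if not 0.0 <= p <= 1.0 or n < 1:
        raise ValueError("p must lie in [0, 1] and n must be at least 1")
    p_common = beta * p
    p_indep = (1.0 - beta) * p
    # The system survives only if no common-cause event occurs AND the n
    # units do not all fail independently.
    return 1.0 - (1.0 - p_common) * (1.0 - p_indep ** n)


def redundancy_floor(p: float, beta: float) -> float:
    """Lowest system failure probability that adding more units can approach.

    As n grows the independent term p_indep ** n vanishes, but the
    common-cause term beta * p stays, so redundancy cannot push risk below it.
    """
    return beta * p


def units_needed(p: float, beta: float, target: float, max_units: int = 20) -> Optional[int]:
    """Smallest number of redundant units whose modelled failure probability
    meets the target, or None when the common-cause floor makes the target
    unreachable however many units are added."""
    if target <= redundancy_floor(p, beta):
        return None
    for n in range(1, max_units + 1):
        if common_cause_failure_prob(p, n, beta) <= target:
            return n
    return None


if __name__ == "__main__":
    # Constructed figures: three hydraulic lines, each with a 1-in-1,000
    # chance of loss on a flight, and 10% of that risk shared between them.
    p, n, beta = 1e-3, 3, 0.10
    naive = independent_failure_prob(p, n)
    modelled = common_cause_failure_prob(p, n, beta)
    print(f"independent model : all {n} lines lost with probability {naive:.2e}")
    print(f"beta-factor model : all {n} lines lost with probability {modelled:.2e}")
    print(f"penalty factor    : {modelled / naive:,.0f}x")
    print(f"floor for beta={beta}: {redundancy_floor(p, beta):.2e}")
    print("units to reach 2e-6 with beta=0.10:", units_needed(p, beta, 2e-6))
    print("units to reach 2e-6 with beta=0.00:", units_needed(p, 0.0, 2e-6))
```

With these constructed inputs, three independent lines would be lost together with probability about 1e-9, but a 10% shared-cause fraction lifts that to about 1e-4, five orders of magnitude worse, and no number of extra lines can get below the 1e-4 floor. The practical lesson matches the article's: the engineering question is not how many redundant units there are but how much of their failure risk they share.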
In 1989, the number two engine of a DC-10 suffered a catastrophic failure that severed all three of the aircraft's hydraulic lines. Even though the lines were physically separated (the number one and number two lines were on the port side, while the number three line was on the starboard side), the engine failed so catastrophically that all were cut. A single failure simultaneously killed three safety-critical systems. The American Institute of Chemical Engineers defines a common-cause failure as "a failure which is the result of one or more events, causing coincident failures in multiple systems leading to system failure. The source of the common cause failure may be either internal or external." Redundancy, a commonly used engineered defence, may, under conditions of common-cause or common-mode failure, not deliver anticipated safety benefits.

Figure 1: A Rolls-Royce Trent 1000 installed on a Boeing 787. The aircraft was under maintenance at Birmingham International (BHX). Engines are interactively complex.

Opacity and intractability

Absent adequate and timely feedback, complex, high-speed systems are difficult to understand and control. Inadequate real-time feedback renders systems opaque and intractable. In their best-selling 1962 novel Fail-Safe, political scientists Eugene Burdick and Harvey Wheeler speculated about the consequences for peace of opacity and intractability in tightly coupled, high-speed defence computers. Fail-Safe tells the story of how a minor malfunction in a computer sees nuclear bombers dispatched to eviscerate Moscow. The defence computer's tight coupling, speed of operation and limited feedback stymied operators' attempts to understand and rectify the malfunction. Moscow was bombed. And 47 years after Burdick and Wheeler published Fail-Safe, an Air France A330, en route from Rio to Paris, plunged into the Atlantic.
Immediate causes included:

- Icing of the pitot probes
- The pilots' failure to appreciate that the aircraft was stalling
- The pilots' poorly executed stall recovery.

Proximate causes included Air France's failure to train its pilots to reliably identify and recover from aerodynamic stalls, and an avionics suite that did not provide pilots with a constant readout of angle-of-attack data. In its July 2012 final report, the Bureau d'Enquêtes et d'Analyses (BEA) noted: "The aeroplane's angle of attack is not directly displayed to the pilots ... It is essential in order to ensure flight safety to reduce the angle of attack when a stall is imminent. Only a direct readout of the angle of attack could enable crews to rapidly identify the aerodynamic situation of the aeroplane and take the actions that may be required. Consequently, the BEA recommends that EASA and the FAA evaluate the relevance of requiring the presence of an angle of attack indicator directly accessible to pilots on board aeroplanes." The opacity of the A330's avionics contributed to the disaster. Airframers and operators frame automation as a panacea, a means of reducing the ambient level of human error while reducing costs. While well-designed automatic systems help reduce error, poorly designed systems provoke error, as demonstrated by the Air France A330 disaster. When automation deprives pilots of vital information, latent errors (accidents waiting to happen) are created. This trap is well understood by academics. In 1983, psychologist Lisanne Bainbridge discussed the problems created by opacity and intractability in her seminal paper Ironies of Automation. Bainbridge wrote: "If the human operator is not involved in on-line control, s/he will not have detailed knowledge of the current state of the system. One can ask what limitations this places on the possibility for effective manual takeover, whether for stabilisation... or for fault diagnosis." Bainbridge could have been writing about the 2009 Air France A330 disaster.
Pamela Munro, a Boeing human-factors specialist, argues it is vital that pilots be kept in the loop: "Engineers don't always realise that automation can lull people into complacency... People are expected to be able to jump in when something goes wrong, but if they haven't been getting feedback, they lose the ability to analyse the situation." During the US House of Representatives Subcommittee on Aviation investigation into the Boeing 737 MAX-8 accidents, Captain Chesley Sullenberger commented: "[W]e must provide detailed system information to pilots that is more complete ... We should all want pilots to experience challenging situations for the first time in a simulator, not in flight with passengers and crew on board. We owe it to everyone who flies to do much better than to design aircraft with inherent flaws that we intend pilots to compensate for and overcome."

Socio-technical systems theory

After World War II, the British government, determined to increase coal production, introduced mechanised coal-cutting into Britain's deep mines. Small, multiskilled, self-directed, pick-and-shovel coal-cutting teams were replaced by large, specialised shifts operating mechanised coal-cutters and conveyor belts. The first shift cut the coal. The second loaded it. The third advanced the cutters and belts. The changes proved disastrous. Productivity and morale declined. Absenteeism and employee turnover rose. Miners became fractious, turning on management and one another. After studying the problems created by the mechanisation of Britain's deep mines, academics Eric Trist and Kenneth Bamforth (an ex-miner) recommended that employers pay more attention to the link between productivity and the way in which work was organised.
Specifically, they suggested employers pay more attention to the fact that small, multiskilled, autonomous teams, which encouraged members to contribute what they could and whose members looked out for one another, in work and outside of work, were happier, more productive and safer than large, management-directed, specialised shifts. Through their studies, Trist and Bamforth established that safety and efficiency are linked to teamwork, psychological safety and feelings of self-worth. Despite the valuable work of industrial psychologists such as Trist and Bamforth, commercial aviation paid little attention to teamwork until a series of high-profile disasters in the 1970s highlighted the consequences for safety of ignoring the psycho-social aspects of flying. The socio-technical approach to the organisation of work stressed the importance of:

- Allocating responsibilities clearly and unambiguously during an emergency
- Creating a flight-deck culture that is empathetic and collegial
- Creating an overall work environment that is supportive, respectful and reasonable.

Safety/risk imagination

The 9/11 terrorist attacks signalled a failure of the international community's risk imagination. The attacks should have been imagined. They were not. Aviation's lax security should have been rectified. It was not. As happened with Japan's December 1941 sneak attack on Pearl Harbor, the 2001 terrorist attacks were facilitated by naivety. The theory of safety/risk imagination, a cornerstone of degree-level risk-management courses, has been defined by academics Nick Pidgeon and Michael O'Leary as: "[A] critical and self-reflective process that seeks to challenge the default assumptions about the world and its hazards [with a view to using] this interrogation to interpret the significance of external warning signs and events." The Lion Air and Ethiopian Airlines 737 MAX-8 crashes killed nearly 350 people.
Had Boeing used its safety/risk imagination when designing the MCAS, it might have specified that it be given data from two angle-of-attack sensors, rather than one. That is, had Boeing used its safety/risk imagination, it might have applied to the design of the MCAS the proven safety principle of engineered redundancy (also known as defence in depth). In his June 2019 testimony to the House of Representatives Subcommittee on Aviation, Captain Chesley Sullenberger commented: "These crashes [Lion Air and Ethiopian Airlines] are demonstrable evidence that our current system of aircraft design has failed us ... We owe it to everyone who flies to do much better than to design aircraft with inherent flaws that we intend pilots to compensate for and overcome."

Conclusions

Social theories of risk, such as those described above, have much to offer aviation. For safety's sake, airframers, operators, regulators and employees must apply them consistently and with rigour. Theories pertaining to complexity, coupling, common-cause failure, socio-technical design, teamwork and safety/risk imagination can help make a safe industry even safer.

Dr Simon Bennett (sab22@le.ac.uk) welcomes feedback on this article.

[Figure: Aircraft fuselage]