Navigating Aeronautical Safety–Part 1

Three weeks back, I called for the addition of AOA indexers/indicators to commercial airliners and associated training of flight crews to minimize stall risks in the future. Turns out Air France already beat me to the punch:

It seems that we are locked into a spiral in which poor human performance begets automation, which worsens human performance, which begets increasing automation. The pattern is common to our time but is acute in aviation. Air France 447 was a case in point. In the aftermath of the accident, the pitot tubes were replaced on several Airbus models; Air France commissioned an independent safety review that highlighted the arrogance of some of the company’s pilots and suggested reforms; a number of experts called for angle-of-attack indicators in airliners, while others urged a new emphasis on high-altitude-stall training, upset recoveries, unusual attitudes, flying in Alternate Law, and basic aeronautical common sense.

Naturally, AOA indexers are still the province of fighter aircraft only (simple solutions are never an option in aviation), but the heart of the problem is related to William Langewiesche’s truly galling statement about automation:

Automation is an integral part of the package. Autopilots have been around since nearly the start of aviation, and component systems have been automated since the 1960s, but in glass-cockpit designs, the automation is centralized and allows the systems to communicate with one another, to act as parts of an integrated whole, and even to decide which information should be presented to the pilots, and when. At the core are flight-management computers—with keypads mounted on central pedestals—which are largely pre-programmed on the ground according to optimizations decided upon by airline dispatchers, and which guide the airplane’s autopilots through the full complexity of each flight. By the mid-1980s, many such airplanes, both Airbuses and Boeings, had entered the global fleet, for the most part leaving their pilots to simply observe the functioning of the systems.

I suppose I could outsource a response to Langewiesche’s stupid pronouncement…

A comparison between flying and medicine is maybe the best one: modern technology helps a pilot fly a plane the way it helps a surgeon perform an operation. A jetliner can no more “fly itself” than an operating room can remove a tumor or perform an organ transplant “by itself.” Cockpit automation is not flying the plane. The pilots are flying the plane through the automation. We still need to tell it what to do, when to do it, and how to do it. There are, for example, no fewer than six different ways that I can set up an “automatic” climb or descent on the Boeing that I fly, depending on circumstances. There are periods of high workload, and periods of low workload, but you’d be surprised how busy a cockpit can become – to the point of task-saturation – with the autopilot on.

It’s true that pilots have come to rely on a somewhat different skill.. Seat-of-the-pants talents are a smaller part of the job than they were in decades past. Still, even the most routine flight is subject to countless contingencies and a tremendous amount of input from the crew. And for the record, more than 99 percent of landings, and a full 100 percent of takeoffs, are performed the “old fashioned” way – by hand, with either the captain or first officer (copilot) physically at the controls.

…but addressing this requires for more research:

In 1987, Airbus took the next step by introducing the first fly-by-wire airliner, the smallish A320, in which computers interpret the pilots’ stick inputs before moving the control surfaces on the wings and tail. Every Airbus since has been the same, and Boeing has followed suit in its own way.

These are generally known as “fourth generation” airplanes; they now constitute nearly half the global fleet. Since their introduction, the accident rate has plummeted to such a degree that some investigators at the National Transportation Safety Board have recently retired early for lack of activity in the field. There is simply no arguing with the success of the automation.

I’m about to.

The designers behind it are among the greatest unheralded heroes of our time.

No, they aren’t. Automation is a pointless sideshow, easily demonstrated with simple logic—how did the crash rate drop so low if over half of the global airliner fleet is first, second, and third generation models?

How to Kill Yourself

Automation proponents are the biggest shysters in history. In the past five years, American airline pilots have been subjected to a massive increase in the number of RNAV SIDs (Standard Instrument Departures) and STARs (Standard Terminal Arrival Routes). Denver International Airport (DEN) used to have 2 STARs per “Gate” with arrival routing from the Northwest, Northeast, Southeast, and Southwest. With the addition of 18 RNAV STARs, DEN currently has 26 STAR routes with no net increase in traffic volume. How is this possible? Because the non-RNAV STARs could be used for landing North (runways 34R, 35L+R), South (runways 16 L+R, 17R) or other configurations (DEN often lands on 26 or 7 if 8 or 25 is not needed for departures). The RNAV STARs, however, are configuration-dependent (and run over the same four NW, NE, SE, SW gates), thus requiring two STARs where one sufficed previously.

Naturally not all aircraft are capable of RNAV arrivals (or RNAV-capable aircraft lose that capability for a variety of mundane, mostly mechanical, reasons), and the original eight STARs remain in effect. The same goes for SIDs, as RNAV SIDs have been added to “augment” the original four (antagonize might be a better word). Thus, the only people smiling must be Jeppesen distributors as pilots curse the fact that doing DEN revisions has become three times more onerous, with 3x risk of paper cuts (and a wish to slash one’s wrists).

The safety factor of these RNAVs is clear—they are highly dangerous. These procedures have added a “climb via” and “descend via” verbology that no longer requires ATC controllers to state an assigned altitude. At Houston Intercontinental (IAH), RNAVs to 26L, 26R, and 27 have three different altitudes dependent on runway assignment (and naturally Houston Approach is not shy about changing runway assignments).

More dangerous still is the mounting confusion on RNAV SIDs—if a controller says “climb to FL230” does that mean “climb via” or “climb unrestricted”? Some fixes indicate the aircraft should cross at or below on climb-out. Controllers in the past would not assign a higher altitude until crossing traffic was clear…in the future are midair collisions going to be a much greater risk due to automating climbs and descents for “optimization?”

How to NOT Kill Yourself

No…so long as TCAS is still working. Traffic Collision Avoidance System uses the altitude-encoding mode on transponders (Mode C and Mode S) to measure lateral and vertical distances between aircraft aloft. Should an “intruder” close too rapidly with a TCAS-equipped aircraft, a TA (Traffic Alert) will sound, followed by an RA (Resolution Advisory) should an altitude change become necessary. Following an RA is mandatory above every ATC clearance, a lesson that was painfully emphasized in the skies above southern Germany in 2002:

Sadly, the Überlingen mid-air collision was not even the most recent midair collision above Germany, but what should be clear is that automation does not save lives. Modern autopilots track the center of airways and maintain altitude so precisely the “Big Sky Theory” has been utterly disproved. The solution is a double-edged sword.

At first glance, TCAS is a triumph of automation. However, the proof is in the procedures. Pilots are rigorously trained to hand-fly RAs, along with an RA-like maneuver when performing ILS PRM (Instrument Landing System Precision Runway Monitor) approaches. Training syllabuses claim the reason for this is pilots can react faster, but the truth is a mixture of the lessons of Überlingen and JAL 907/JAL 958 on 31 January 2001:

The controller noticed confliction alert between them, but instead of ordering JAL958 to descend, he ordered the JAL907 to descend.

Immediately after this instruction, the crew of JAL907 was given an aural TCAS Resolution Advisory to climb in order to avoid a collision, but the captain of JAL907 followed the instructions of the air traffic controller by descending. Both airplanes remained on a collision course, because JAL958 had started to descend as well, following the advisory of his TCAS. Both airplanes were visually recognized by each other. Just before crossing each other’s flight path, the pilot of JAL907 abruptly forced the aircraft to dive based on a visual judgment. A collision was averted when 100 crew and passengers on JAL907 sustained injuries due to the emergency maneuver, while no one was injured on JAL958.

 photo JAL2001incident.png

TCAS is in reality navigation, not automation. The best possible outcome is both sets of pilots see the others’ aircraft and both crews respond faithfully to the RA, but so long as a midair collision is averted lesser outcomes are tolerated (100 injuries on JAL 907 was a much smaller price to pay compared with the 664 fatalities that would have been suffered otherwise).


One thought on “Navigating Aeronautical Safety–Part 1

  1. Pingback: Navigating Aeronautical Safety—Part 2 | In The Corner, Mumbling and Drooling

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s