PBL

Actually not. There is a network (not a chain) of states and events (not of events alone) "leading up to" an accident. Rephrasing, the chain of causal factors leads back from the accident (when one considers causal factors of causal factors and so on iteratively), and the structure so derived forms a directed graph.

Indeed so. Removal of any of the necessary causal factors of an accident avoids the accident. That follows directly from the definition of necessary causal factor.

That is an argument for the prioritisation of crew's competent handling of the situation over those factors which remain constant throughout the playing out of the accident event - states of the runway, states of the navaids, state of the weather, *but not* design of the automation. The "but not" comes from the observation that it is the *behavior of* automated devices during the playing-out that is most immediately causally involved: the design is the cause (causal factors of) the behavior, and the behavior in turn (some of) the causal factors of the accident. That is true for pilots also, BTW. The behavior of the pilots in the Cali case was causal; the training, experience and expectations were (essentially) causal of their behavior (modulo questions of psychological causality and free will). That is why terpster's putting the finger on the US piloting environment (as he did in his quote from his 1996-7 work) is essentially as accurate a partition of the particular set of causal factors he is interested in as the behavior during the playing-out.

It does not by itself allow one to prioritise the behavior of the automation over the behavior of the crew as a set of causal factors.

Of course a professional pilot focuses on what heshe, as a professional pilot, can do to avoid.... Just as an avionics system safety specialist will focus on what heshe, as a professional system safety specialist, can do to avoid .... and an ATCO will focus on what heshe, as a professional, can do to avoid...

But an accident analysis takes all factors into account. An objective prioritisation of some takes application of an explicit criterion (such as that above) and in my experience such criteria are always open to question by others. But making the criteria explicit allows the discussion to proceed as to whether the criteria are appropriate (serve such-and-such purposes, or not).

People here might be surprised at how often this crew-behavior versus kit-behavior argument gets played out, often behind closed doors and for very high stakes indeed. To my mind, the arguments are evolving from "the crew screwed up; end of story" to "the crew played their role in an environment set by the behavior of the avionics, ATC, weather, and so on. How did each of these classes of factors contribute to the outcome? How did, for example, the avionics provide a benign or a hostile environment in which the crew could execute (what they understood to be) their tasks?"

It wouldn't surprise me if in fifty years we didn't think along the mirror image. That is, the designers of the kit can in peace, quiet and with all the time in the world think how their kit can best operate with help from the pilots, and when the pilots attempt to achieve what they think is task A but which has different outcome B, or to monitor what they think is task A but which turns out to be task B, the design is faulted because the pilots are operating under heavy resource constraints with the usual human weaknesses, and the designers should have accounted for it. (That won't happen until the execution of complex functions is as well understood and standardised as the T-display of essential flight data, but this understanding and standardisation is very likely to come about within fifty years, I think.)

PBL