Military Aviation A forum for the professionals who fly military hardware. Also for the backroom boys and girls who support the flying and maintain the equipment, and without whom nothing would ever leave the ground. All armies, navies and air forces of the world equally welcome here.

Aircraft Safety

Old 29th Mar 2005, 15:40
  #21 (permalink)  
Thread Starter
 
Thanks John, it seems that some things never change. Is your paper widely available?

What I meant by "accept lower safety standards" was that the bar has been set (rightly or wrongly) and, having failed, excuses as to why accepting a lower standard of evidence is ok may be made. This as opposed to "life's getting harder"

As for pilot response, it strikes me that when things go wrong a la Mull of Kintyre, people become very interested in what went on beforehand - the Boscombe FADEC analysis etc. All this is quite right - IMHO the pilots can't be accused of negligence because there is insufficient evidence to support this claim. However, all this after the event stuff is because of a tragedy - what is the perception of things before the tragedy (and the support for those trying to argue for a robust safety case), without the benefit of hindsight?

What are we going to say when C-130J/Merlin/JSF/Typhoon/Apache crash because of a software error that can't be traced but the safety case is weak?

Flying is risky, we engineers don't aim to take the fun out of it though.

5206

Last edited by 5206; 29th Mar 2005 at 16:01.
5206 is offline  
Old 29th Mar 2005, 15:54
  #22 (permalink)  
John,

Safeware said ‘Tell it like it is and let whoever is responsible up the chain make the call.’ Mmmmm. Not entirely sure about that
This was from my perspective - I am not in the same organisation as the man making the decision, but he wants my advice, so all I can do is explain as best I can:

I can only sympathise with you in trying to put across your concerns to non software literate people. But try you must, because only YOU are in possession of the facts and understanding
That's what I have to do, but as a systems engineer.

I like your view on the role of the tp.

sw
Safeware is offline  
Old 29th Mar 2005, 16:20
  #23 (permalink)  

Do a Hover - it avoids G
Thanks chaps

If you have access to AGARD papers it was AGARD Conference Proceedings No 347. ISBN 92-835-0342-2

But if anybody wants the text just send me your email address

As to your point 5206 about arguing before the event I guess any case for the installation of adequate crash recorders - including retrospectively - is hardly a difficult one to justify on cost grounds. May not be a sexy cause but it sure is one good way to spend money. Look at what they are trying to establish from a heap of Herc bits in Iraq just because it had no recorder.

Future aircraft safety always has depended on learning from the past - whether that was yesterday or yonks ago. Without recorders one's learning may well be very limited. But you all know that.....

JF

Last edited by John Farley; 29th Mar 2005 at 16:31.
John Farley is offline  
Old 29th Mar 2005, 16:59
  #24 (permalink)  
JF- More words of wisdom from the wise, and well informed! As another poster mentioned, things don't change much.

However, how do the posters on this forum feel about the introduction of quite drastic man-power cuts on the front line? Single man see-offs, self checking / signing technicians etc.... Same Task....Less People + More Limited Supervision = Disaster (Surely?)....... Also, those self signing / supervising technicians will be working harder, that has to help.

Will this be a tough lesson in the obvious? I truly hope not.

MW
MovinWings is offline  
Old 29th Mar 2005, 17:22
  #25 (permalink)  
Thread Starter
MW,

I agree that cuts at the sharp end increase risk when there is no corresponding cut in task.

IIRC, there was (about 10 years ago) a sqn boss who was v frustrated that there wasn't enough manpower to see off either 4 or 6 jets. This was just after a MAVA which had drastically cut sqn manpower - working from HAS site. Boss went to Sqn WO, responsible for manpower, and demanded to know what was up. The WO ran through the manpower chart - leave, courses, GDT, detached etc etc - and identified that if everyone on site was thrown at the see-offs - no trade cover etc - they would be one man short. "What would that man have to do?" asked the Boss. Man a fire extinguisher was the reply. Job was done, jets seen off, Boss returns to office and declares Sqn non-op due to a lack of manpower. Went down like the proverbial.

5206
5206 is offline  
Old 29th Mar 2005, 17:44
  #26 (permalink)  
JF - many thanks for your sage words!

I am currently involved in a little discussionette with a certain aeroplane manufacturer regarding manual override for certain safety critical systems controls which they consider are not needed - software will be sufficient. Hoorah....

Really?

An ex-Harrier TP chum (Airbedane) has given me an insight into his view of the dangers of relying upon s/w after it nearly killed him - and the particular s/w I'm discussing has never been specified to be flight critical... Thus my old-fashioned and slightly jaundiced aircrew view that s/w will f**k up and I want my aircrew chums to survive that incident is reinforced by very high-priced TP opinion!

Just see the recent Virgin Atlantic experience with the A340-600 fuel system computerised madness to see what I mean. For ex-Hunter mates, it's like having the bingo lights monitored by the fuel gauges - so if the gauge says there's plenty and the bingo sensors say there isn't, then the bingo lights are overridden.....

Until it goes quiet, that is...... Then on comes the "Oh Bugger" caption.
BEagle is online now  
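The bingo-light arrangement BEagle describes above (an independent low-fuel sensor whose warning is suppressed whenever the computed gauge reading says there is plenty) is a design pattern worth seeing in code, because the flaw is in the logic rather than in any sensor. The block below is an added example, not code from the thread or from any aircraft system; the threshold, the sensor values and the `FuelState` type are all constructed for illustration.

```python
"""Low-fuel warning logic: gating an independent sensor on the gauge it is
supposed to cross-check throws away the independence that justified fitting it.

Added example; BINGO_KG, FuelState and the sample values are constructed."""

from dataclasses import dataclass
from typing import Optional

BINGO_KG = 400.0  # assumed reserve threshold, constructed for the example


@dataclass
class FuelState:
    gauge_kg: Optional[float]   # computed quantity; None = computer has no valid value
    bingo_sensor_low: bool      # independent low-level probe: True when below reserve


def weak_warning(s: FuelState) -> bool:
    """The gauge arbitrates: the probe is only believed when the gauge agrees.
    A wrong-but-confident gauge therefore silences the one warning that was
    meant to catch a wrong gauge."""
    if s.gauge_kg is not None and s.gauge_kg > BINGO_KG:
        return False
    return s.bingo_sensor_low


def robust_warning(s: FuelState) -> tuple[bool, Optional[str]]:
    """Either source saying 'low' raises the warning (fail-safe default: a
    missing gauge value also warns), and a disagreement between the two is
    itself annunciated so the crew know one of them is lying."""
    gauge_low = s.gauge_kg is None or s.gauge_kg <= BINGO_KG
    warn = gauge_low or s.bingo_sensor_low
    disagree = None
    if s.gauge_kg is not None and gauge_low != s.bingo_sensor_low:
        disagree = "FUEL DISAGREE"
    return warn, disagree


if __name__ == "__main__":
    # Constructed scenario: the computer believes 1500 kg remain, the probe says
    # the tank is below reserve.
    s = FuelState(gauge_kg=1500.0, bingo_sensor_low=True)
    print("weak  :", weak_warning(s))      # False: warning suppressed
    print("robust:", robust_warning(s))    # (True, 'FUEL DISAGREE')
```

The security-engineering reading is the same as the aviation one: a monitor must not be vetoed by the thing it monitors, and "no valid data" should default to the alarming state, not the quiet one.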
Old 29th Mar 2005, 19:41
  #27 (permalink)  
5206, you asked:
What are we going to say when C-130J/Merlin/JSF/Typhoon/Apache crash because of a software error that can't be traced but the safety case is weak?
The short answer I suppose is that it may be very difficult to conclusively prove a software fault was to blame.

Many years ago I discussed a project to look at 'instrumenting' real time critical software systems to aid post incident investigation. It would in theory I believe be possible to do, however, in practice there are significant issues to contend with, eg timing overheads, increased complexity etc.

As to the safety case being weak: A standard approach to improving integrity in critical systems is design and development diversity, for example the FCS architectures in modern airliners. Now have a look at the avionics and flight control architectures of some of the aircraft cited above, multiple lanes of identical hardware, catering for random hardware failure. Unfortunately often running identical software which will fail systematically. Have a look at Ariane 501 for a good example of what can happen. So in these situations, are the safety cases already weakened ?

Safety_Helmut
Safety_Helmut is offline  
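Safety_Helmut's point above, that multiple lanes of identical hardware running identical software only protect against random hardware failure and all fail together on a systematic software fault, can be shown with a small simulation. The block below is an added example and is not code from the thread; the narrowing conversion is a stand-in for the Ariane 501 failure he cites (a 64-bit floating-point value converted to a 16-bit signed integer without a range check), and the lane functions, voter and input values are constructed for illustration.

```python
"""Triple-redundant lanes: identical software fails systematically on the same
input, while one diversely implemented lane can keep the channel alive.

Added example, not from the thread. The unchecked int16 conversion stands in
for the Ariane 501 fault; numbers and lane structure are constructed."""

from __future__ import annotations

from statistics import median
from typing import Callable, Optional

INT16_MIN, INT16_MAX = -32768, 32767

Lane = Callable[[float], int]


def convert_unchecked(value: float) -> int:
    """Original lane software: no range protection. Outside the 16-bit range it
    raises, which in the real event became an unhandled exception."""
    i = int(value)
    if not INT16_MIN <= i <= INT16_MAX:
        raise OverflowError(f"{i} does not fit in 16 bits")
    return i


def convert_saturating(value: float) -> int:
    """Diverse implementation: clamps to the representable range instead of
    raising, so the lane stays up with a bounded (and flaggable) value."""
    return max(INT16_MIN, min(INT16_MAX, int(value)))


def run_lane(impl: Lane, value: float) -> Optional[int]:
    """One hardware lane running one copy of the software; None = lane dropped out."""
    try:
        return impl(value)
    except OverflowError:
        return None


def vote(outputs: list[Optional[int]]) -> tuple[Optional[int], str]:
    """Mid-value select over surviving lanes. The status reports how much
    redundancy is left rather than silently carrying on."""
    valid = [o for o in outputs if o is not None]
    if not valid:
        return None, "lost"
    status = "nominal" if len(valid) == len(outputs) else "degraded"
    return int(median(valid)), status


def identical_system(value: float) -> tuple[Optional[int], str]:
    """Three lanes, same software: covers random hardware failure only."""
    return vote([run_lane(convert_unchecked, value) for _ in range(3)])


def diverse_system(value: float) -> tuple[Optional[int], str]:
    """Two lanes of the original software plus one diversely implemented lane."""
    lanes = [convert_unchecked, convert_unchecked, convert_saturating]
    return vote([run_lane(impl, value) for impl in lanes])


if __name__ == "__main__":
    for v in (1234.5, 50000.0):   # second value is outside the int16 range
        print(v, "identical:", identical_system(v), "diverse:", diverse_system(v))
```

With an in-range input both systems agree and report nominal; with the out-of-range input every identical lane raises on the same instruction and the channel is lost, whereas the diverse lane survives and the voter reports a degraded, bounded output instead of nothing. Diversity does not make the fault go away, it changes a common-mode loss into something the system can see and report.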
Old 29th Mar 2005, 19:57
  #28 (permalink)  

Do a Hover - it avoids G
BEags

Stick at it mate. It can hardly be career limiting now!

JF
John Farley is offline  
Old 29th Mar 2005, 20:40
  #29 (permalink)  
Thread Starter
Found this today:

Autopilots 'turn crew into machine-minders and threaten safety'
By Barrie Clement, Transport Editor
29 March 2005


"Autopilot" is a word from aviation that has entered common usage, but the increasing use of computers on aircraft is potentially dangerous, according to pilots.

Senior aircrew believe that the growing reliance on electronics has reduced pilots to "machine minders'' with a decreasing ability to fly the planes manually.

Manufacturers are being warned that the principal cause of passenger deaths - "controlled flight into terrain", where the aircraft is deliberately aimed at the ground - is being caused by the domination of computers.

Malcolm Scott, a senior British Airways pilot, warned that in an emergency flight crew could be misled in to shutting down the wrong engine.

Writing in The Log, the journal of the British Airline Pilots' Association (Bapa), he says that Ecam, an electronic aid to decision making, can actually give the wrong advice.

He gives the example of a bird-strike encountered just after take-off by an Airbus A320. "One engine indicates an engine fire that is delivering full power, while the other engine has failed ... The Ecam prioritises the fire and instructs the crew to shut down the only engine delivering thrust. To follow the Ecam would result in the certain loss of the aircraft,'' Mr Scott writes.

He said that he had demonstrated the scenario on a simulator, but the senior training captain concerned was convinced that Ecam must be right and must be followed.

Mr Scott argued that in the late Nineties the industry was facing a crossroads - the pilots could either be progressively "designed out'' of the system or aircraft engineers could ensure that the captain's role was strengthened. Mr Scott believes the aviation industry has "more or less abandoned'' the era of the pilot.

He said his employer was increasingly discouraging manual flying on its Airbus fleet. "This has led to a de-skilled workforce with a consequent rise in manual flying errors,'' he writes. Mr Scott believes that the trend will lead to fully automated airliners. A transition phase would be a fully automatic aircraft with one human "systems monitor'' on board.

He called for better training so that instead of instructing pilots to follow computers blindly, they would be educated about their fallibility. "We need to develop procedures that take advantage of human strength while being tolerant of human weaknesses,'' he writes.

Mervyn Granshaw, chairman of the association and a working pilot, said that the industry had been warned about the concerns on the flight deck. "It might be time to get a grip on the situation, although it might be too late,'' he said. He believes that Airbus had gone further in reducing the input of pilots than Boeing.

"The great thing about computers is that they can process that amount of data and give you answers, but they are not perfect. There are scenarios that have not been thought about. It's not because we as pilots are special or precious, but that the human intellect has something to contribute."


It was here:
http://news.independent.co.uk/uk/tra...p?story=624483

So, we need more systems monitors then?
5206 is offline  
Old 30th Mar 2005, 01:06
  #30 (permalink)  
Cunning Artificer
In my earlier post I said
Sometimes the risk assessment turns out to be wrong, true, but people don't deliberately ignore other folks' safety either.
Much of the foregoing discussion seems to bear this out. Facing down people, who due to a lack of technical insight may try to manipulate the Risk Assessment, is part of the job; ALARP means what it says and we can't simply build in everything that anyone can possibly think of in the name of safety. Everything that adds cost must be justifiable on the basis of a proper Risk Assessment. That the assessment may sometimes turn out to be wrong doesn't necessarily defeat the argument.

Some of John Farley's discussion, especially regarding 'taking the customer down the pub', illustrates what one might need to do when testing indicates that the risk has been incorrectly calculated. It's part of the process, but I still suggest that aviation people do not deliberately ignore other folks' safety. Actually, being belligerent by nature, I find that fighting my corner is one of the most enjoyable aspects of my job; as some of you already noticed, many engineering people possess this characteristic.
Blacksheep is offline  
Old 30th Mar 2005, 12:47
  #31 (permalink)  
Blacksheep

The issue I discussed previously was purely a financial case, and the people I was fighting were engineers who had become project managers. Admittedly, there may have been financiers pulling the strings behind them. Whilst I agree that fighting your corner is a common trait, you are not always in the office where the final decision is made. Sometimes your objections have been paraphrased and weakened as your report moves through the system. Fortunately, I have not been in the position where "I told you so" has happened and hopefully never will.

Beagle keep fighting, I would suggest that you make them present their safety case proving they are correct. I have found this to be the path of least resistance.

Helmut

I find the common hardware case a bit scary, as systematic hardware failures are not unknown. Particularly if there is a divergence from the cleared envelope or environment. As I am sure you are aware, even with multiple redundant systems, single points of failure are found late in development. In my experience this has been either end of the system stick or control surface.
engineer(retard) is offline  
Old 30th Mar 2005, 20:42
  #32 (permalink)  
eng(retard)

True, there are issues with h/w redundancy, but diversity and No Single Point of Failure (NSPF) "should" also be considerations.

sw
Safeware is offline  
Old 31st Mar 2005, 01:52
  #33 (permalink)  
Cunning Artificer

engineer(retard) I'm sorry to have to admit that I'm one of those turncoat project managers myself. I do try never to let safety slip - it's something that was ingrained in me from the very first day of my apprenticeship and I see it as one of the most important considerations in aviation.
Blacksheep is offline  
Old 31st Mar 2005, 20:46
  #34 (permalink)  
Thread Starter
Safe Software

For those that don't cruise other forums, found this:

A340 Fuel computers

A good example of why the UK looks to more stringent development (and safety evidence) for High Integrity software.

And for our military aircraft with less engines, less crew??

5206
5206 is offline  