CUNY Brooklyn College, Department of Computer and Information Science
CIS 763X: Software Methodology
with Dr. D. Kopec, Fall 2000



Normal Accidents:  Living with High-Risk Technologies

by Charles Perrow

Aircraft and Airways (pp. 123-169)

Presented by Trinavenez Walcott


Abstract

 The present day contains different structural conditions in the aircraft and airways industry that encourage safety, and despite complexity and coupling, technological fixes can work in some areas.  We continue to have accidents because aircraft and the airways still remain somewhat complex and tightly coupled, and because those in charge continue to push the system to its limits.  The technology and the skilled pilots and air traffic controllers remain ahead of the pressures, and the outcome has been that safety has continually increased.  While crashes have decreased and mid-air collisions have almost disappeared, little has been done about cabin fires and cabin missiles after a crash, which have killed hundreds needlessly.

 It is important to separate accidents in airplanes and in the airways since flying (the aircraft and crew) is more hazardous than navigating the airways (the aircraft, crew, other aircraft, and ground control). Some near-accidents have happened because, to save fuel, pilots are required to start up their third or third and fourth engines at the last minute before turning onto the runway for takeoff.

As Safe as Driving

 In many respects air travel appears to be much safer than automobile or rail travel.  Jerome Lederer, often called the father of modern flight safety, suggests that if we used the statistic of fatalities per 100,000 hours of exposure, highway travel would be the safest mode of transportation.  Comparing types of flying, there is an obvious hint as to why it has become safer: the more commercial the activity, the safer it is.  Jetliners are the safest mode, followed by corporate jets, then commuter airlines, then general aviation and, at some distance, military flights.

 Considering the rate of fatal accidents per million miles of aircraft flight, commercial flights are sixty-five times as safe as general aviation flying.  Comparison of either with military flights must be done cautiously.  Military flights take place in weather no commercial flight would fly in, and in simulated combat conditions. The risk will be there no matter how much attention is paid to safety.

 There is an enormous incentive to make commercial aviation safe.  Airline travel drops after large accidents, and airframe companies suffer if one of their models appears to have more than its share of accidents.  There is a strong union at work to protest unsafe conditions: ALPA, the Airline Pilots Association.  The Federal Aviation Administration is charged with both safety and facilitating air travel and air transport, and spends significant amounts of tax dollars pursuing safety studies and regulations.  An independent board, the NTSB, conducts investigations and prods the FAA to set new safety requirements.

 There are structural conditions that foster safety.  A trivial one is that industry elites and regulatory elites and politicians all fly themselves, and thus have a personal stake in safety.  Experience accumulates fast; there are thousands of flights every day, with all the dangers of takeoff and landing and mid-air collisions; new aircraft are introduced every few years, permitting the introduction of safer designs.  The performance of operators is closely monitored, even recorded, and the environmental conditions that exist are a matter of record.

 The technological fixes have frequently only enabled those who run the commercial airlines, the general aviation community, and the military to run greater risks in search of increased performance.  As the technology improves, the increased safety potential is not fully realized, because the demand for speed, altitude, maneuverability, and all-weather operations increases.  The airways task is much simpler than flying itself: it is just to keep aircraft from bumping into each other in the airways and from bumping into the ground.

 Generally, system accidents stem from either the aircraft or the airways system alone, not from the interaction of the two.  Commercial flights are very safe, and they are safer than other forms of flight because they cover longer distances at higher speeds while carrying more people, thus reducing the number of departures and landings per person and the hours of exposure per mile traveled.  In terms of miles traveled and hours of exposure, travel on major scheduled flights is about as risky as automobile travel.  The safety of both automobile travel and airline travel (and military and general aviation) has increased dramatically in this century, but since the 1960s and 1970s the safety curve has flattened out.

Aircraft

 Within arm's reach of the crew there are an enormous number of devices to alter the aircraft's behavior.  They can check or flip or set or increase or decrease perhaps a thousand parts, scores of units, and a dozen or so subsystems in the aircraft system.  Much of the crew's intervention comes prior to takeoff (setting and checking) and after landing.  Despite the automation, the complexity of the system keeps the crew extremely busy at peak times.  Theoretically, the whole flight could be programmed into the computers and executed automatically, without any attention from the crew.

 The computers do handle the very delicate matters of maintaining the proper altitude under varying atmospheric conditions such as temperature and air density, of increasing or decreasing power the proper amount with the automatic throttle system, and of running the inertial navigation system (INS).  The latter, which only the newest airliners have, is based upon a system of gyroscopes and accelerometers, which are sensitive to all motion from a predefined starting point on earth.  The pilot can intervene, but does not have to.

 Edwyn Edwards, a human factors engineer, states that all this automation has not reduced the workload of the pilot a great deal; instead, it has increased the operational effectiveness of the system.  Airplanes are able to fly faster, leaving less time for navigation, communications with ground control, and system management.  All of these automatic systems make the craft more "efficient" in terms of commercial or military criteria, but with each bit of automation, more difficult performance in worse weather or traffic conditions is demanded.

 Thus, argues Edwards, there is no net reduction in workload on the crew.  It appears that workload has become more "bunched," with long periods of inactivity and short bursts of intense activity.  Both of these are error-inducing modes of operation.  Each automatic device brings with it an inevitable residual potential for error.

 While each new device reduces some chances of error, it also introduces its own bundle of error possibilities.  Engineers speak of a "control loop" in which the "man in the loop" is the problematical element.  This is the human component in a series of sequentially interacting pieces of equipment that control or adjust a function.  But when the pilot is suddenly and unexpectedly brought into the control loop as a result of equipment failure, he is disoriented.

 A government study even recommended that one key device be disabled for all but a few long-distance flights.  The study concluded that the altitude alert system had resulted in decreased altitude awareness by the flight crew.  This resulted in more frequent "altitude busts": instead of leveling off at 10,000 feet, the craft keeps climbing or keeps descending.  A study of altitude busts noted that they rarely occur in bad weather, when the crew is most attentive.  There is no doubt these automated systems are highly effective, in terms of both efficiency and safety.

 What, then, is left to cause accidents?  One obvious possibility is human error.  On long legs of a flight the crew may be inactive; otherwise they are very busy with hundreds of small duties and a few large tasks.  There is plenty of room for at least small errors in this instance.

 There is one study of errors on the flight deck.  It suggests rampant errors without any catastrophic consequences; that is, the errors primarily concern small adjustments, and recommended but not required procedures and sequences.  The study was made for a European airline flying short hauls.  It found an incredible rate of more than one error every four minutes.  The vast majority of these errors are caught very quickly or are insignificant.

 When accidents are involved, the studies indicate that 50 to 70 percent of the cases stem from human error (the rate is over 90 percent for ground controllers).  Here is one example of the industry blaming the victim for its own failures.  According to the official report of a New Zealand inquiry board, New Zealand Airways Limited tried to hide its own ineptitude by deliberately falsifying or destroying evidence concerning the 1979 crash of a DC-10 sightseeing airplane into a mountain in Antarctica.  New Zealand Airways blamed one of the 257 victims, the captain.  The initial inquiry, which found pilot error as the cause, was contested by the pilot's widow and particularly by the pilots' union, and a subsequent, more thorough investigation was conducted.

A Few DC-10s

 DC-10s have been involved in some dramatic, catastrophic, and highly publicized accidents.  Jetliners are very safe.  But they are still subject to system accidents as well as component failure accidents.  Any actions by private companies that knowingly compromise safety increase the risk of both types of accidents, while prudent management, on the other hand, can reduce the frequency of such accidents.

 The crash of the American Airlines DC-10 at Chicago's O'Hare Airport on May 25, 1979, with 273 victims, after the engine tore off as a result of an engine pylon failure, was not, strictly speaking, a system accident.  There were multiple failures, but they had a common cause, even though they were in independent systems.

 The ultimate "cause" of the accident was determined to be poor maintenance practices by American Airlines, wherein the engine was removed for servicing in a one-step procedure that could possibly cause damage to the pylon holding it onto the wing.  Losing an engine, even one that comes completely off the wing, should not disable the DC-10 completely, for the plane is designed to fly with two of its three engines.  When the engine and pylon ripped off, they severed cables that controlled the leading edge slats, which are extended on takeoff to provide more lift to the wings.  The slats on one wing then retracted.

 The fine distinction between loss of control and probable cause can determine hundreds of thousands of dollars in retrofitting and vastly more in the assignment of blame in legal proceedings.  The Safety Board blamed the accident on a "maintenance-induced crack," but not on a design failure that allowed the slats to retract if the wing were punctured.  Because of this careful distinction by the NTSB, McDonnell Douglas, the manufacturer, was not required to change the design, nor could the company be charged with a design deficiency.

 In various studies performed by McDonnell Douglas, the chance of (1) loss of engine power, (2) with resulting slat damage, (3) during takeoff was estimated to be less than one in a billion.  Yet this highly improbable event had now occurred four times in DC-10s.  McDonnell Douglas finally came around, and was, as of spring of 1982, installing a device that costs only a few thousand dollars and can be installed in a few hours, which will prevent slat retraction in such emergencies.

 One of the worst accidents in aviation history was the crash of a Turkish airline DC-10 near Paris on March 3, 1974, with 346 deaths.  For two days after the accident the authorities held to the theory that a bomb had exploded in the airplane; there were serious problems with bombs in those years.  John Godson, an English journalist, proposed a theory of the crash which was eventually accepted.  The cargo door blew open, resulting in rapid decompression of the cabin.  This caused the cabin floor to collapse.

 The collapse wrecked all the major control cables and hydraulic lines, which had been placed under the cabin floor.  A Dutch engineer had warned McDonnell Douglas of this in 1969, when the first prototype of the DC-10 was being built, and a McDonnell Douglas subcontractor warned again in the spring of 1970, predicting that one of the cargo doors would come off during flight within the twenty-year life of the airplane because of the latching and locking design.

Buffet Boundaries and Small Jets

 Pilots must contend not only with management errors and equipment malfunctions, but also with the constant and unpredictable forces of nature.  The complexity of the airplane-environment interaction appears even in high-altitude flights in clear weather conditions.  Small jets are more vulnerable to these problems than large carriers.  An airplane creates air turbulence around it as it flies.

 The basic problem is that the craft is unstable when flying at high altitudes, close to the speed of sound.  While various safety devices were required which push, pull and shake the stick, sound alarms, and disengage automatic systems, these devices themselves create problems because they mislead, fail, or require reactions of extraordinary strength and speed.

Disorientation

 Flying into bad weather, where one cannot tell up from down, and right from left, is so disorienting that some pilots ask to be routed around heavy clouds or thunderstorms.  If the pilot is inexperienced, he or she may tear the airplane apart.

 In a safety recommendation regarding pressure/vacuum pumps that operate directional gyroscopes and attitude indicators, the NTSB reviewed five accidents, four of them with Cessna 210N model planes.  In all five cases, the pilots lost their attitude and directional instruments, were in or had to enter clouds, became spatially disoriented, and had their planes break up as a result of losing control or making sharp maneuvers, or went into steep dives from which they could not recover.

Summary: The Aircraft System

 What prevents the aircraft system from being more risky than it is at present is probably the extensive operating experience gained in several decades of flying.  Each new model builds upon the lessons of the previous ones.

 In the aircraft system, more than in any other industry, there has been the time, incentive, resources, and talent to design in buffers and safety devices, and to provide comparatively exemplary training for unusually expert operators.  It is also apparent that for the commercial success of air transport, accidents must be reduced.  The hard core of system accidents, while small, will probably not get smaller.  This is because with each new advance in equipment or training, the pressures are to push the system to its limits.

The Airways System

 The life of a controller, and of the pilot he or she deals with, is a story of production pressures, juggling errant aircraft, pilot dilemmas, and perhaps unsafe airports.  Familiarity is what allows systems to function smoothly; things that we are familiar with we do well.  The pilot of an airplane must share his attention among a vast array of instrument panels, his radio, and that part of the sky that can be seen from those small windows.  Safety devices contribute to complacency and inattention.

 The complacency that comes with high-tech solutions to problems is noted in a NASA study of seventy-eight near mid-air collisions in terminal-controlled airspace.  The study found that half of the near-collisions involved an aircraft that ATC did not know about: no transponder, no flight plan, only a spot, if that, on the radar.  Many pilots under radar control believe that they will be advised of traffic that represents a potential conflict, and behave accordingly.

 They tend to relax their visual scan for other aircraft until warned of their presence; when warned of a conflicting aircraft, they tend to look for it to the exclusion of within-cockpit tasks and scanning for unreported traffic.  It is plain that at least some pilots receiving services believe that they will be told about all traffic that represents a threat, yet controllers can handle traffic only with regard to threats they can see.

 A near mid-air collision occurred at the Atlanta, Georgia airport in October 1980.  The events were very complicated, but essentially the controller did not take control of a plane handed off to him by another controller as it entered the terminal airspace he controlled, and as a result of changes in the landing pattern of the other planes (a routine event), collision avoidance alarms were sounded four different times.  One of the near-collisions involved four planes occupying the same 2-square-mile area.  In two of the events, a pilot had to make severe emergency avoidance maneuvers; one of the pilots exceeded the limits of his three engines.

 Planes passed each other within a few hundred feet.  The workload was not high for the controller (and the weather was clear and bright), but within twelve minutes, fifteen aircraft were in the space he was controlling.  Five of these were involved in collision avoidance alarms, some twice.  In the ATC room, in addition to four collision avoidance alarms, low altitude alerts sounded three times.  The sound is the same, and controllers tend to ignore them since they are preoccupied with their duties.  No accident occurred, but this example gives some circumstantial evidence for the interactive complexity of the ATC system.

Getting Cooperation

 The vast sky is surprisingly populated with small, unconventional, and sometimes uncooperative objects, making the controller’s life difficult.  A glimpse into the life of a controller: one of the big problems they complain of concerns what controllers around the New York City sectors call FLIBS, general aviation aircraft.

 They land at the wrong airports, and are surprised not to find their cars in the parking lots.  They land, or take off, on the wrong runways (so do commercial aircraft, but less frequently).  They leave their transmission button on the radio depressed after talking to the tower, which means they cannot be called, nor can anyone else use that frequency.

Air Traffic Control

 The air traffic control service has two primary functions: safety, and expediting the production of commercial passenger service.  The two are in some conflict, even though each needs the other.  The increase in safety brings more aircraft into the airways system, and increases the density, thus the danger.  An increase in numbers, and thus density, interferes with the economics of commercial travel and freight, because it lengthens and delays flights.  With the many-fold increase in fuel costs, it is important that the jet transports fly the most direct route possible, at the most economical altitudes, and with the least delay of departure or delay of landing when they reach the airport.

 ATC enables the commercial transport system to meet these goals.  Each morning a central office of ATC surveys the weather across the United States (and foreign countries) and advises the airlines on possible delays in departure and landing because of the combination of weather and density of traffic.

 It does not tell the airlines when to take off, but they are able to adjust their schedules and the number of flights on a route to minimize departure and landing delays.  The problem of “holding” over an airport, circling until there is room to land, has been greatly reduced.  Instead, the “holding” is done prior to takeoff, which is cheaper, less inconvenient for passengers, and certainly safer.

 ATC has laid out more skyways, set up more beacons, and divided the sky into more efficient packages, through which the airplanes can fly and be handed off from one control facility to another as they move along and finally land.  This has enabled the density of aircraft to increase substantially, their traveling speed to increase, and the separation of airplanes to be reduced from 20 miles to 5.

 The goal of preventing mid-air collisions conflicts with the production demands placed upon the airways system.  Fewer aircraft, at greater separations, flying in a larger number of jet ways, spread out more evenly over daylight hours, and flying at slower speeds would greatly increase the production costs.  The problem, then, for ATC has been to keep collision risks low while increasing the occasions for collisions.

The Reduction of Complexity and Coupling

 Unexpected interactions can occur when aircraft that are not under the control of ATC, or not even seen by it, enter the airspace.  This is a proximity problem, similar to a short in a cable disabling a nearby cable that holds the safety device meant to correct any fault that might occur in the first cable.  As the ATC system expanded, with the potential for more unexpected interactions in airspace, it met this problem by restricting access to various spaces of air.

 There are also important alternative methods of meeting the goal of preventing collisions and directing the aircraft to where it should be.  Re-routing because of crowding is common.  If crowding does occur, the system can be “expanded”: more space used, speed reduced, aircraft held on the ground or routed to other sectors.

 The airlines, for financial reasons, are pressing for a reduction of flight crews from three to two on the grounds that computers and other devices reduce the engineering load.  The FAA is pressing for more automation in its system, thereby reducing the number of controllers extensively.

FAA, The Carriers, and Safety

 Safety involves two factors: accident prevention, and damage mitigation after an accident.  The industry and the FAA have been preoccupied with the former, because each improvement there has meant greater density, higher speeds, and more customers.  The latter, damage mitigation, has little or no effect upon these economic variables.  It appears that the air transport industry welcomes and supports efforts to allow more efficient, economical, and reliable flights, and these efforts improve safety.

Conclusions

 The aircraft and airline industries are uniquely favored to support safety efforts.  Profits are tied to safety; the victims are neither hidden, random, nor delayed, and can include influential members of the industry and Congress.  The airways system is high on interactive complexity and on tight coupling, but these will respond to a considerable extent, although not completely, to management and technological innovations, which have been forthcoming.  Production pressures may be quite excessive in commuter airlines.  With some slight inconveniences and expense the system could be made even safer.

References

Perrow, C. (1999). Normal Accidents: Living with High-Risk Technologies (2nd ed.), Aircraft and Airways (pp. 123-169). Princeton, NJ: Princeton University Press.