Human Factors in Aviation Safety

Human Factors in Aviation Safety

The purpose of this project is to study fly-by-wire technology on commercial aircraft. Fly-by-wire is a system that utilizes computer-configured controls, where a computer system is interposed between the pilot and the control actuators or surfaces. This modifies the manual inputs of the pilot in accordance with control parameters. We will study this system in two parts: part one consists of a description of the technology and application of the system; part two will study the human factors involved with fly-by-wire systems. From our work on this paper we will become more familiar with the technology itself, its application in modern commercial aircraft, and the human factors considerations of a working fly-by-wire system.

Technology Application

On May 25th, 1972, Gary Krier took off from Edwards Air-Force Base, California in an F-8 that bore the tail number "NASA 802." Unique to this flight was that every command Krier gave to the aircraft went first from a joystick and through a digital computer before being relayed to the hydraulic systems that operated the control surfaces: flaps, elevators, rudder, thrust and so-on. This aircraft was the first experiment in digital fly-by-wire but it was already hip deep in the idea: without the computer, Krier would have had extreme difficulty controlling the aircraft because the designers had sacrificed stability for speed and maneuverability. So began a one-way migration away from direct human control of things and towards computer mediated control. It began with warplanes, and may yet end with people and their cars (Wenham).

Conventional aircraft control systems rely on mechanical and hydraulic links between the aircraft's controls and the flight surfaces on the wings and tail. The controls and flight surfaces are directly connected. Mechanical links are also used for the engine control

The words "Fly-by-Wire" (FBW) imply an electrically-signaled only control system. However, the term is generally used in the sense of computer-configured controls, where a computer system is interposed between the operator and the final control actuators or surfaces. This modifies the manual inputs of the pilot in accordance with control parameters. These are carefully developed and validated in order to produce maximum operational effect without compromising safety (Aircraft flight control systems).

Fly-by-wire is a means of aircraft control that uses electronic circuits to send inputs from the pilot to the motors that move the various flight controls on the aircraft. There are no direct hydraulic or mechanical linkages between the pilot and the flight controls (Fly-by-wire).

The principle used is that of error control in which the position of a control surface (the output signal) is continually sensed and 'fed back' to its flight control computer (FCC). When a command input (the input signal) is made by the pilot or autopilot, the difference between the current control surface position and the apparently desired control surface position indicated by the command is analyzed by the computer and an appropriate corrective signal is sent electrically to the control surface (Fly-by-wire).

Digital Fly-by-Wire Flight Control System fly-by-wire system is built to interpret the pilot's intention and translate it into action, where the translation process will consider environmental factors first. On old aircraft the act of pulling back on the control column would raise the elevator flaps in direct proportion to how far the pilot was pulling, but on a fly-by-wire system they usually raise in direct proportion, but the computer could make subtle changes to account for turbulence. The ratio between the control column that's in the pilot's hands and the flaps on the wing is not 1:1, it's not a direct influence (Wenham).

First Fly-by-Wire on A320

In February, 1987, the first fly-by-wire A320 -- which was also the first commercial aircraft with fly-by-wire -- rolled off the line at Toulouse. The A320's fly-by-wire technology was not only a way of improving flight controls and reducing weight. It enabled Airbus to take safety to a new level by introducing flight envelope protection. Pilots flying the A320 were free to operate it as normal, but the flight envelope protection prevented the aircraft from performing maneuvers outside its performance limits (Corporate information/history: Fly-by-wire).

Fly-by-wire also firmly established the concept of commonality which is so central to the appeal to customers of Airbus aircraft. No matter how one aircraft varies in size or weight from another, fly-by-wire commonality allows the pilot to fly them in the same way because the computer "drives" the aircraft's flight controls. This leads to considerable reductions in the time and costs involved in training pilots and crew to operate them (Corporate information/history: Fly-by-wire).

At Boeing the first aircraft to deliver with a full three-axis fly-by-wire system was the 777, which entered service in 1995.

How the Airbus Fly-by-Wire Works

Since there are innumerable versions of fly-by-wire on commercial aircraft, I will look at how it works on Airbus aircraft. Most systems will have many similarities with the Airbus system, but there would be differences as well.

In the Airbus system there are three primary flight control computers. They are responsible for calculations concerned with aircraft control and with sending signals to the actuators associated with the control surfaces and engines.

There are also two secondary flight control computers. These serve as backup systems for the primary flight control computers, and control the switch automatically to the backup from the primary if the primary becomes unavailable. There is only one computer required for flight control, therefore quintuple redundancy is supported by this system. All operational computers operate in parallel so there is no switching delay.

Two data concentrator computers gather information from the flight control system and pass this to warning and display systems, flight data recorders, and maintenance systems (Sommerfield).

Safeguards for the systems include that the primary and secondary flight control computers use different processors. The primary and secondary flight control computers are designed and supplied by different companies. The processor chips for the different computers are supplied by different manufacturers. All of this reduces the probability of common errors in the hardware causing system failure (Sommerfield).

The design is such that the command unit and the monitor unit are separate channels within a single computer. Each channel has separate hardware and different software, and if the results of the channels disagree (as checked by the comparator) or are not produced at the same time then an error is assumed and control switches to another machine. The software for the different channels in each computer has been developed by different teams using different programming languages. The software for the primary and secondary flight control computers has been developed by different teams. For the secondary computers, different languages are again used for the different channels in each machine (Sommerfield).

The FCS may be reconfigured dynamically to cope with a loss of system resources. Dynamic reconfiguration involves switching to alternative control software while maintaining system availability. Three operational modes are supported:

Normal - control plus reduction of workload

Alternate - minimal computer-mediated control

Direct - no computer-mediation of pilot commands

At least two failures must occur before normal operation is lost.

There is also diversity of controls built into the system. The linkages between the flight control computers and the flight surfaces are arranged so that each surface is controlled by multiple independent actuators. Each actuator is controlled by different computers so loss of a single actuator or computer will not mean loss of control of that surface. and, the hydraulic system is 3-way replicated and these take different routes through the plane (Sommerfield).

Needless to say, fault tolerance is an integral part of the system. Fly-by-wire systems must be fault tolerant as there is no 'fail-safe' state when the aircraft is in operation. In the Airbus, this is achieved by replicating sensors, computers and actuators and providing 'graceful degradation' in the event of a system failure. In a degraded state, essential facilities remain available allowing the pilot to fly and land the plane (Sommerfield).

Problems with the Airbus Fly-by-Wire FCS

There have been few Airbus accidents that may be related to problems with the FCS. One accident (Warsaw runway overrun) has been clearly identified as a problem with the specification and not with the system itself. There is no evidence of any failures of the FCS hardware or software. However, the pilots may misinterpret how the system operates and hence make errors that it can't cope with. (Sommerfield)

Differences Between Airbus and Boeing Systems

The striking difference between the Boeing and Airbus designs for a fly-by-wire system show a contrast in thinking by the two biggest commercial aircraft manufacturers. At Boeing, in the 777, for instance, if there is an emergency situation that requires a steep turn or climb or both that is outside the normal parameters of the FCS, the pilot can override the system.

In an Airbus aircraft, if such a situation occurs, the pilot cannot override the system. The flight control protection parameters of the system will not permit the pilot to fly outside the normal flight profiles. The Airbus aircraft is protected from low-speed stall by flight envelope protection. As a result, in such conditions, the flight control systems commands the engines to increase thrust without pilot intervention and with an accuracy that no pilot could achieve.

Fly-by-wire).

Human Factors Considerations

The F/a-18D Hornet that slammed into a residential neighborhood in San Diego last December came from the first family of fighter jets with full fly-by-wire technology, where a flight control computer gathers data from on-board sensors to control flaps and other control surfaces that were mechanically driven on planes decades ago. But for all their high-tech appeal, do fly-by-wire systems distance pilots from the feel and behavior of their airplanes to the point that crashes become more likely (Milstein)?

In aviation, human factors is dedicated to better understanding how humans can most safely and efficiently be integrated with the technology. That understanding is then translated into design, training, policies, or procedures to help humans perform better (Human Factors).

The term "human factors" has grown increasingly popular as the commercial aviation industry has realized that human error, rather than mechanical failure, underlies most aviation accidents and incidents.

Because technology continues to evolve faster than the ability to predict how humans will interact with it, the industry can no longer depend as much on experience and intuition to guide decisions related to human performance. Instead, a sound scientific basis is necessary for assessing human performance implications in design, training, and procedures just as developing a new wing requires sound aerodynamic engineering (Human factors).

Because improving human performance can help the industry reduce the commercial aviation accident rate, much of the focus is on designing human-airplane interfaces and developing procedures for both flight crews and maintenance technicians (Human factors).

Even if a faulty flight computer is not directly to blame for this crash, fly-by-wire systems put distance between pilots and the airplanes they fly, so that first signs of problems might be obscured by the computer's automatic corrections. Decades ago, when pilots controlled airplanes mechanically with levers, cranks and pushrods, they felt resistance from wind and could intuitively sense if something wasn't right. Like power steering in cars, fly-by-wire makes flying easier and often smoother because computers are doing more of the work. But it also separates pilots from that touch-and-feel connection with the mechanics of the airplane (Milstein).

John Cox, an aviation consultant and former commercial pilot, said that fly-by-wire technology can sometimes mask damage to an airplane by keeping it flyable even when human pilots couldn't. That could be good, if it allows a plane to get away from populated areas before crashing, but bad if pilots do not know there's a problem. "Fortunately the systems are very good about annunciating problems -- if something goes wrong, they tell you," says Cox (Milstein).

For real-time technology, human-factors development is the task of collecting usability data from man-in-the-loop testing for components that will have a human interface (Why Use...).

An example of usability testing is the development of fly-by-wire flight controls.

Systems developers and testers have always assumed that human compensation is measurable, or, at least, that a cognizant and trained tester is able to identify and detect compensation. More than one study conducted at the Wright-Patterson large amplitude multi-mode aerospace research simulator (LAMARS) facility indicates that this is not necessarily true. Test pilots were able to compensate sufficiently to fly and meet defined performance standards on intentionally crippled aircraft flight control designs. These flight control systems (FCS) were designed to trigger pilot-induced oscillations, but, in most cases, test pilots could compensate sufficiently to prevent pilot-induced oscillations and to control the simulated aircraft (Alford).

Anecdotally, this points to a colossal deficiency in the test of highly augmented aircraft systems, such as fly-by-wire flight control systems, that has been borne out by multiple aircraft accidents in actual aircraft designs: natural pilot compensation is sufficient to allow faulty designs to reach production and operational service while hiding critical handling qualities cliffs that can lead to loss of an aircraft. This observation, if applied across the gamut of human factors experimentation, has vast ramifications for test and evaluation and development of all human interface systems (Alford).

From a human factors viewpoint, it is imperative that these systems take on roles, and provide functions, that are the most supportive to the pilot, given the stress, time pressure and workload they may experience following a FCS fault. For example, highly sophisticated fault recovery systems may be able to fly the aircraft following dramatic FCS failures without even notifying the pilot; however, such systems are not only expensive, but may not be able to compensate for all failures, may fail themselves, or may allow a pilot, believing he or she is flying a sound aircraft, to put the aircraft into a dangerous condition (Pritchett).

The biggest human factors questions are the role suitable for the technology, and its specific functioning to achieve that role. Specifically, for these systems to be effective, they must meet the fundamental requirements that (1) they alert pilots to problems early enough that the pilot can reasonably resolve the fault and regain control of the aircraft and that (2) if the aircraft's handling qualities are severely degraded, the health monitoring system (HMS) provide the appropriate stability augmentation to help the pilot stabilize and control the aircraft (Pritchett).