=Paper= {{Paper |id=None |storemode=property |title=Human-centred design in aviation |pdfUrl=https://ceur-ws.org/Vol-696/paper6.pdf |volume=Vol-696 }} ==Human-centred design in aviation== https://ceur-ws.org/Vol-696/paper6.pdf
                     CEUR Proceedings 4th Workshop HCP Human Centered Processes, February 10-11, 2011




                                      Human-centred design in aviation

                                    Antonio Chialastri (anto.chialastri@tiscali.it)
                                                       Aviationlab, Rome


Abstract

This paper focuses on the next challenges that, in the near future, ergonomics has to cope with in the aviation domain. After a short excursus showing the dynamics of accidents over the years and pointing out their causes, the paper illustrates the difference between two conceptions of automation: a generic human (user) friendly concept versus a specific pilot-friendly concept. This is useful to evaluate the impact on operational life of the introduction of new technologies onboard the next generation of airplanes. Some case studies are shown to give an example of the hidden threats, invisible at the design stage, disseminated through the entire innovation process.

Introduction

Since the beginning of flight, Human Factor specialists have striven to improve the environment in which pilots work. Initially, this environment was upgraded following accident investigations. Air safety was then conceived in a reactive mode; ameliorations and improvements were implemented in the entire system only after a severe mishap and were aimed at avoiding similar accidents.

Safety is conceived today in another way, called the “proactive approach”. This approach aims at avoiding future accidents, preventing mishaps with timely interventions in the areas where possible threats lie, even if no accident occurs. The detection of weak signals helps to understand the nature of the menaces and to conceive a set of countermeasures in order to achieve a safer system.

Preliminarily, it is essential to point out which safety paradigm includes our point of view. In fact, during the last seventy years, the safety paradigm has changed several times, and so have the actions taken to achieve risk-free systems, even if a zero accident system has never been experienced. Some conceptions will be briefly discussed: the linear conception, the systemic one and the complex ones (normal accident theory, HRO, resilience engineering).

After having set the frame of our discussion, we will describe the dynamics of accidents in the aviation domain, to show how the causes of accidents shifted over the years, and eventually we describe the macro-area which, according to this paper, represents the next challenge for air safety: ergonomics.

Some case studies will be shown to describe accidents that really happened, in order to demonstrate the connection between theory and practice in aviation.

Safety paradigms

“If you have a hammer in your hand, every problem will look like a nail”. This is assumed to be a Japanese saying and it fits well to describe the situation faced by the investigators: in fact, the spectacles that the investigators don, when they analyze an accident, let them see some items, identified as causes, while neglecting others. During the ‘30’s, according to a “way of thinking” influenced by the Neo-positivistic approach orbiting around the “Vienna Circle”, several disciplines adopted a similar approach to investigate their domain. To synthesize the basic assumptions of that period, every theory should ground its thesis on empirical observation and on measurements, using a language that aims to be universal. During the same period, the industrial domain adopted scientific management, fostered by Frederick Taylor, based on measurement and optimization of the workers’ performance. Psychology, as well, saw the dominance of behaviorism, in which the psyche’s inner dynamics (called the black box) were disregarded to focus on observable and measurable acts displayed by the behavior. Safety discipline, too, was influenced, and the main tool to explain an accident was the “error’s chain”, developed by Heinrich, to explain how a single event, originated far away, propagates to affect every other component of the system as in a “domino effect”.

This metaphor held until it was replaced by a more functional theory, based on different paradigms. In fact, from the ‘60’s on, the linear explanation was subject to harsh criticism. In philosophy of science, philosophers such as Hans Kuhn proposed a different way to explain the scientific revolution as a paradigm shift, based on collective enterprise either in proposing or in accepting new theories. Moreover, the studies of Von Bertalanffy gave a new impulse to the systemic approach, which influenced a lot of disciplines, especially in the biological domains. The stress on collective thinking fostered a series of new approaches, spanning from the industrial domain, where a new way of management (team work, total quality) emerged. Even safety science evolved, shifting from an attitude where the single operator bore the blame for the accident (usually the front end operator, the nearest to the final event leading to the mishap), to a more general approach looking at the different stages of the organizations where hidden traps lie, waiting for a trigger to produce the conditions leading to an accident. This is the theory fostered by James Reason, the Swiss Cheese Model, where safety is seen as a result of different stages acting serially to assure freedom from risks. Every organizational level is seen as a barrier fit to
intercept any dynamics potentially hazardous for the entire system. Since every barrier has a human component inside, it is prone to errors. This structural condition represents a hole (or set of holes) in the barrier, as in a Swiss cheese. From the initial development of the accident dynamics, the error path passes through all these barriers, eventually causing the accident. This is a more general approach, compared to the preceding one (the “name and blame approach”, focused on people to charge them legally and morally), attributing liabilities at a much higher level, from the political level, to regulators, to the top management, to middle management and then front end operators.

Nevertheless, this paradigm is still systemic but not yet complex.

Complexity is a new paradigm, which emerged from the late ‘80’s on, following a bare necessity felt by the biological sciences (genetics, biology, medicine), where a reductionist approach was insufficient to put the domain under thorough scrutiny. One of the main philosophers who has convincingly proposed a new approach based on complexity is Edgar Morin. In his conception, complexity is difficult even to define but, as a general way of thinking, it has some common characteristics. It refuses the reductionist and engineering approaches, based on an over-simplification of reality. The level of observation at which we decide to stay influences our point of view, determines our tools to investigate reality, and has its own laws, not necessarily applicable at different levels.

Some scientific disciplines, such as genetics, are almost “forced” to adopt such an approach, but also in the field of management new theories are emerging to improve the performance and comprehension of organizations.

Safety science followed, with different theories in competition to explain the dynamics in complex organizations. To comply with the requested length of the paper, we cite just three approaches: the normal accident theory (proposed by Charles Perrow), the High Reliable Organizations (studied mainly by James Woods) and the Resilience Engineering approach (Erik Hollnagel is one of the most appreciated authors in this field).

Perrow holds that “zero accident” is not achievable, because of the inner nature of complex systems. Too many elements in interaction give way to unpredictable (and sometimes unmanageable) situations. Since some domains, such as nuclear plants, are not completely under control, they should be closed, because the damage arising from an accident is many times higher than the benefits we could gain from their use.

Conversely to what is thought to be a pessimistic approach (or just realistic?), the High Reliable Organizations are some empirical examples of how man-made organizations could be substantially risk-free. They are based on professionalism and on continuous feedback from the operational levels that is capitalized on by top and middle management. Experience is highly valued, as is communication between peers to exchange points of view and to share knowledge. Awareness of an accident is so high that everyone is sincerely committed to safety. Woods studied some organizations, revealing that the “safe mentality” is pivotal in assuring a low (if any) rate of accidents. Contrary to the common saying “No news is good news”, these organizations rely on the assumption that “No news is bad news”, and when no weak signals of pathogen elements present in the whole system are detected, the management strives (and pushes the operational levels) to scrutinize in a deeper way.

Last but not least, we mention the resilience engineering approach. It conceives a safe system as one that can cope with unexpected events. It has to adapt itself in a flexible and still robust way to respond reliably to the challenge given by a complex system. Man, in this conception, is not the flaw in the system, but is the main resource to assure flexibility, acting as an intelligent part of the system.

The safety conception assumed in this paper is grounded on the resilience engineering point of view. In fact, aviation is a complex system in which men, equipment and environment interact. Each of these elements is complex in itself.

How should we approach the safety system in aviation, then?

A brief history of accidents

(Graphic’s explanation: decades on the x-axis, accidents per million take-offs on the y-axis. Source: Flight Safety Foundation)

Most of the corrections to existing systems or procedures in aviation were introduced following severe mishaps. So the path of the entire industry has been a kind of “trial and response” dynamics: innovation, mishaps, correction. According to the statistics, human error has played a pivotal role in the accidents, with a higher rate compared with other factors such as environment (meteorological conditions, air traffic that induces mid-air collision, and so on), mechanics (i.e.: structural limit exceeded, poor cockpit design) and security (hijacking, bomb onboard, etc.).

Starting from the ‘40’s, investigators wondered why airplanes crash. Taking for granted that the pilots were the fallible factor in the entire system, someone started to analyze “why” pilots made so many errors. At the beginning, till the mid ‘50’s, the main cause of accident was identified as “Loss of control”. This category includes situations in which pilots lost control of the airplane, such as: reaching (and exceeding) the structural limits, and conditions in which the airplane stalls, overbanks or experiences an unusual attitude that puts the flight progress in jeopardy. The root cause of loss of control spanned from fatigue, to distraction, to excessive workload, to sleepiness, and so on. Briefly, the problem was identified in the main area of “human performances and limitations”.

The solution thought to fix this kind of problem was engineering: to provide more systems, more aids and more technology.

The technological approach focused on two sides: innovation of ground-based aids and implementation of new instruments onboard.

On the first side, two main innovations were provided:
     • the air traffic controllers were equipped with radars to monitor the airplanes approaching the airports; and
     • the installation of ground-based equipment such as ILS (Instrumental Landing System) gave strong help to pilots in order to land as precisely as possible.

On the other side, namely the introduction of new technologies onboard the airplanes, the introduction of auto-pilot, auto-throttle and flight director helped to:
     • lower the workload, when too much attention was needed to carry on the task; or
     • relieve the pilot from monitoring boring activities, reducing duties related to monotonous operations.

The effects of these innovations were successful, since the rate of accidents sharply dropped. Nevertheless, during the ‘70’s the accident rate started to rise again, but with a different dynamics. In fact, the main cause of accident shifted from “Loss of Control” to CFIT (Controlled Flight Into Terrain). In this kind of dynamics, a perfectly efficient airplane hits an obstacle in the vicinity of the airport while fully under the control of the crew. Furthermore, we have to consider that most of the accidents happen during the approach phase. The investigations revealed poor decision making, a loss of situational awareness, or a conflict (open or concealed) in progress between the pilots. In short, there was a problem in the human interaction onboard.

This time the solution didn’t pass through technology, but through applying a new approach, based on psychological assumptions on what is thought to be good team work. We should mention that, in that period, other new technologies were introduced in the aviation system, but it is generally assumed that the psychological approach was pivotal in improving the system’s safety. Courses of CRM (Crew Resource Management) were implemented in most of the main airlines to enhance the interaction between the pilots (and, later, also between the entire crew, cabin attendants included).

The accident curve dropped again, but during the ‘90’s it rose again, even if by a smaller magnitude compared with the past decades. The problem is that the overall dimension of air transport has inflated in the last decades, and even a small amount of accidents (lower than in any other transportation domain such as roads, railway, sea, etc.) could be unbearable for some reasons. Firstly, the human, legal and economic cost of an accident is huge and could destroy an airline’s stability, leading it out of the economic contest. Secondly, an air accident has a worldwide resonance and could distort the real perception of air safety in public opinion.

Whatever the consequences of air mishaps, it is essential to understand why they keep on happening. During the ‘90’s, the main cause of accident shifted once again, as a pendulum, swinging back to “Loss of control”, but in a different shape compared to the one experienced during the ‘50’s. In fact, today the pilots have so many technological aids that it is hard to conceive how they can lose control of the airplane. Actually, the implementation of so many systems is the consequence of the engineering approach to safety, in which the pilots are seen as the weak link in the industrial chain. So, automatisms are intended to substitute many functions usually played by pilots.

There is a widespread opinion among authors studying human factors in aviation that in this case we may talk about “over-redundancy”: too many instruments induce a low workload that could provoke complacency, and inadequate training makes the pilots unable to override the automatisms in case of their failure or misbehavior.

Case studies

Here are briefly presented two case studies illustrating the relationship between pilots and technology: one related to the misuse of instruments by pilots induced by a poorly designed system, and the other to the unpredictability of a system’s behavior in the real operational context.

The first case involved an Airbus A-321 operated by Air Inter which crashed in Strasbourg after the captain misunderstood the descent profile because of the similarity between the flight path angle function and the vertical speed function. In fact, both were displayed via a two-digit figure in the same feedback window. For instance, 3.3 could represent either a vertical speed of 3300 feet per minute or 3.3 degrees of vertical path. The captain selected 3.3, being sure to descend with a vertical path selected, while he was descending at 3300 feet per minute, a much steeper path than the desired one. The approach was conducted among high terrain around the airport, and such an error gave the crew no way out to recover in time. After that disaster, the display onboard was changed and now there is no way to misunderstand similar functions during the approach phase. Furthermore, after the accident the French authority requested, as mandatory, the installation of the GPWS (Ground Proximity Warning System), which warns the crew in case of excessive approach rate to the ground. It is designed to avoid unintentional collision with obstacles when not in landing configuration. Today this apparatus has been improved, becoming EGPWS, which is linked to the satellite indication. This allows the system to realize if the low altitude is consistent with the airport location and with obstacles scattered in its vicinity. All the relevant information is displayed to the pilots, who can immediately be aware of the presence of mountainous terrain close to the aircraft position.

The second case involved an A-300 approaching Miami. Due to bad weather around the airport the crew
expected to enter an area of turbulence. The crew was instructed to hold over a radio-facility. During the descent, with the engine at idle thrust, the auto-throttle (managing the engine thrust via an automatic movement of the throttle governing the necessary thrust) disengaged with no evident signal displayed to the crew. In the proximity of the holding pattern, the airplane leveled off, reducing its speed well below the minimum required to sustain the flight. During the initial turn in the holding pattern, the airplane stalled, down-spiraling and losing about three thousand feet. This is a very serious condition for a wide-body aircraft. While spiraling downward, the crew lost all the attitude indications for a few seconds, which seemed (according to the captain, interviewed after the incident) an eternity. In fact, the only useful instruments in such a situation are the attitude and the speed indicator. The attitude indicator was, by design, conceived to go blank in case of oscillations exceeding some amplitude and frequency. This assumption, made at the design phase, comes from the idea that such oscillations are very unlikely in airline flight. Reality, alas, is much more unpredictable than the engineer’s fantasy.

Human factor and technology

There are different conceptions of Ergonomics, as emerges from the evolution of the discipline over the years. Initially, ergonomics was conceived as corrective ergonomics: experts tried to understand how to make a system better after the misuse of something badly designed.

Here is an example: the design of an airplane with variable wings. In the engineer’s mind, it was quite simple to conceive an airplane with variable wings, setting them from straight wings to swept wings. Actually, the straight wings are used at low speed, whilst the swept wings are useful at high speed. To a person observing an airplane, it is intuitive to imagine how the command lever changes the wing configuration: putting the lever forward, you get straight wings; if you put the lever backward, you get swept wings. It looked quite simple, but some accidents happened, caused by pilots’ misuse of the command lever. In fact, from a pilot’s point of view, every action linked to the idea of speed leads him to move forward: increasing the thrust? Throttle forward. Increasing the speed in case of sudden loss? Pitch down, putting the yoke forward. So when the new system was implemented, a lot of pilots misused it, following their mental pattern related to speed.

Nowadays, human factor experts are involved at an early stage in the design process, to keep the system user friendly. Actually, what is required is the expertise of someone who can translate an engineering necessity into an operationally suitable system. Let’s think about the number displays onboard.

According to the Gestalt principles, the human mind is more concerned with general configuration than with analytical vision. This is more than true inside a cockpit, because of the number of displays, the short time available to detect every single variation, and the process of interpretation of multiple data. In a pilot’s mind, symmetry is more important than a precise indication. Here is an example:

Given the same figures, it is obviously easier to spot a difference on the left side display, called “field vision”, versus the “analytical vision” on the right side.

The same applies to the speed indicator, such as a speed tape, set on the left of the modern attitude indicator (PFD: Primary Flight Indicator). It has a great advantage compared to the older version of the speed indicator (analogue indicator): it can also represent the speeds related to the entire operational envelope, such as flaps and slats operating limitations, over speed, approach to stall warning et cetera. The problem, as a philosophy of flight, is that things appear to go better when the workload is low (inducing perhaps complacency) while they go worse when there is a main failure. In fact, all those useful indications are removed from the speed tape, leaving the pilot to strive with a higher mental workload.

Conclusion

In this short introduction to the problems arising from the implementation of new technology in a modern cockpit, this paper tried to point out the difference between the user friendly concept, as imagined by the airplane designer, and the pilot friendly concept, which follows a mental pattern given by the experience and knowledge of the sharp end operators. To obtain a higher level of safety, everyone should strive to make it resilient. The history of airplane accidents shows quite clearly that new solutions bring new problems. In this phase we may say that an excessive use of technology could make the entire system less resilient. In fact, the pilots are used to having knowledge of the airplane they fly, based on a kind of “over-learning”. This ample knowledge gives the pilot some flexibility, allowing the user to utilize the machine in a non-standard way, whenever necessary. At the time in which the new generation of airplanes (Fly-by-wire, dark panel, Flight Management System) was conceived, the pilot was set at the edge of the innovation process. That induced some kinds of accidents due to poor interaction and basically to a misunderstanding of the system’s inner logic. Paradoxically, too many instruments, thought to be a substitute for humans, could bring two main problems from a pilot’s point of view. Firstly, they induce a low workload when things are running normally, and this low workload could induce complacency about the system’s reliability. Over-reliance is at the core of some accidents, when pilots could not regain full control of the aircraft after the automatisms failed. On the other side, when pilots are in an emergency they need more help. Conversely, many of the aids normally available to pilots are removed during an emergency situation. We may, in short, say that the paradox of automation onboard could be stated as: “When good, better; when bad, worse”.

In my experience, I see that to enhance safety via an engineering approach, it is necessary to take into consideration the pilot’s point of view, to implement new systems at the same time useful and usable. But, before introducing new technologies, we should first set the frame to make clear which is our safety paradigm and which is the intended outcome. The expertise given by the final user is, in this context, highly valuable, since it represents the necessary connection between aims and tools.

References

Cooper, G.E., White, M.D., & Lauber, J.K. (Eds.) (1980), “Resource management on the flightdeck”, Proceedings of a NASA/Industry Workshop (NASA CP-2120).
Dekker, S., Rignér, J. (2000), “Sharing the Burden of Flight Deck Automation Training”, The International Journal of Aviation Psychology, 10(4), 317–326, Lawrence Erlbaum Associates, Inc.
Dekker, S. (2001), “Reconstructing human contributions to accidents”, Technical Report - 01, Lund University School of Aviation.
Dismukes, Berman, Loukopoulos (2008), The limits of expertise, Ashgate, Aldershot, Hampshire.
Goeters, K.M. (2004), Aviation Psychology: Practice and Research, Ashgate Publishing Ltd., Aldershot, Hampshire.
Hollnagel, E., Woods, D., Leveson, N. (Eds.) (2006), Resilience Engineering – Concepts and Precepts, Ashgate, Aldershot, Hampshire.
Hollnagel, E. (2008), “Critical Information Infrastructures: should models represent structures or functions?”, in Computer Safety, Reliability and Security, Springer, Heidelberg.
Hollnagel, E. (2009), The ETTO Principle – Efficiency-Thoroughness Trade-Off, Ashgate, Surrey, England.
ICAO (1998), Human Factors Training Manual, Doc 9683-AN/950.
IATA (1994), Aircraft Automation Report, Safety Advisory Sub-Committee and Maintenance Advisory Sub-committee.
Norman, D. (2005), La caffettiera del masochista, Giunti Editore, Firenze.
Ralli, M. (1993), Fattore umano e operazioni di volo, Libreria dell’Orologio, Roma.
Reason, J. (1990), Human error, Cambridge University Press, Cambridge.
Tichauer, E.R. (1978), The Biomechanical Basis of Ergonomics: Anatomy Applied to the Design of Work Stations, John Wiley & Sons, New York.