Decision Making Theory and the Risk Matrix

There are fundamental epistemic problems with the safety risk assessment of new and high consequence systems. For new systems we generally do not have statistical data on accidents and high consequence events are (usually) quite rare so we end up arguing our case using low base rate data. In the final analysis we usually fall back on some form of subjective (and qualitative) risk assessment.

The risk matrix was developed to guide this type of risk assessments, it’s actually based on decision theory, De’Moivres definition of risk and the principles of the iso-risk contour. The matrix is widely described in safety and risk literature and has become one of the less questioned staples of risk and safety management.

Despite this there are plenty of poorly constructed, ill thought matrices out there in both the literature and standards, this article attempts to establish some basic principles of construction.

Read Full Post »

Description Errors and Irreversible Commands

Working with aerospace systems you very quickly come upon the terms ‘irreversible function’ or ‘irreversible command’ but what are they and why should we be concerned?

Read Full Post »

When All You Have is a Hammer…

Why We Automate Failure A recent post on the interface issues surrounding the use of side-stick controllers in current generation passenger aircraft led me to think more generally about the the current pre-eminence of software driven visual displays and why we persist in their use even though there may be a mismatch between what they [...]

Read Full Post »

Pilots in the Loop? Airbus and the FBW Side Stick

Airbuses side stick improves crew comfort and control, but is there a hidden cost? The Airbus FBW side stick flight control has vastly improved the comfort of aircrew flying the Airbus fleet, much as the original Airbus designers predicted (Corps, 188). But the implementation also expresses the Airbus approach to flight control laws and that [...]

Read Full Post »

Out of the Loop

The BEA’s third interim report on AF 447 highlights the vulnerability of aircrew when their usually highly reliable automation fails in the challenging operational environment of high altitude flight.

Read Full Post »

The Phantom Menace, or the Crossing that Never Was…

How the marking of a traffic speed hump provides a classic example of a false affordance and an unintentional hazard.

Read Full Post »

What the BEA didn’t say about Air France AF 447

The BEA third interim report on the AF 447 accident raises questions So I’ve read the BEA report from one end to the other and overall it’s a solid and creditable effort. The report will probably disappoint those who are looking for a smoking gun, once again we see a system accident in which the [...]

Read Full Post »

Side Sticks and Shared Situational Awareness

One of the less often considered aspects of situational awareness in the cockpit is the element of knowing what the ‘guy in the other seat is doing’. This is a particularly important part of cockpit error management because without a shared understanding of what someone is doing it’s supremely difficult to detect errors. The replacement of the central control stick with side stick ‘glass’ controllers eliminates a little acknowledged means of coordinating a common understanding of control inputs between aircrew with the potential for a hazardous loss of crew error management.

Read Full Post »

On the Brittleness of Software

Reading through the BEA’s precis of the data contained on AF447′s Flight Data Recorder you find that during the final minutes of AF447 the aircrafts stall warning ceased, even though the aircraft was still stalled. This loss of stall warning removed a significant cue to the aircrew that they had flown the aircraft into a deep stall, undoubtedly adding to their confusion. SU4CF4KDVSWQ

Read Full Post »

Through a Mirror Darkly…

Good and bad in the design of an Oliver Hazard Perry class frigates ECS propulsion control console HMI.

Read Full Post »

QF 32 and Checklists

According to the preliminary ATSB report the crew of QF32 took approximately 50 minutes to process all the Electronic Centralised Aircraft Monitor (ECAM) messages. So, two questions for the ATSB. First would the normal three man crew have been able to handle the ECAM checklist work as readily? Second should the checklist processing have taken 50 minutes which is a very, very, long time in a mid air emergency?

Read Full Post »

Pitch Ladders and Unusal Attitude Recovery

Because they have typically pitch unity ratios (1:1) scales, aircraft primary flight displays provide a pitch display that is limited by the vertical field of view. This display can move very rapidly and be difficult to use in unusual attitude recoveries becoming another adverse performance shaping factor for aircrew in such a scenario. Trials by the USAF have conclusively demonstrated that an articulated style of pitch ladder can reduce disorientation of aircrew in such situations.

Read Full Post »

Planes and Trains

I attended the annual Rail Safety conference for 2011 earlier in the year and one of the speakers was Group capt Alan Clements, the Director Defence Aviation Safety and Air Force Safety. His presentation was interesting in both where the ADO is going with their aviation safety management system as well as providing some historical perspective, and statistics.

Read Full Post »

Unpleasant surprises and the future of automation

I think it was John Norman who pointed out that accidents in complex automated systems often arise because of unintended interactions between operator and automation where both are trying to control the same system.

Now Johns comment is an insightful one, but the follow on question is, logically, how are automation and operator trying to control the system?

Read Full Post »

Is this Human Error?

James Reason would classify this as a violation rather than error, that is a deliberate departure from an approved procedure. But this is where we get into the cultural and organisational aspects of such behaviour.

Read Full Post »

Flying in the Rear View Mirror

Plan continuation bias is a recognised and subtle cognitive bias that tends to force the continuation of an existing plan or course of action even in the face of changing conditions. In aerospace safety it is recognised as a significant causal factor in accidents with a NASA study finding that in 9 out of the 19 accidents studied aircrew exhibited this behavioural bias. The economic theory of the ‘sunk cost heuristic’ may provide a simple explanation.

Read Full Post »

Let Slip the Wolves of Error

In a series of aircraft incidents air crew have consistently demonstrated difficulty in first identifying and then dealing with unreliable air data and warnings. To me figuring out why this difficulty occurs is essential to addressing a significant air safety problem.

Read Full Post »

A Thing Called Hindsight and AF447

Knowing the outcome of an accident flight does not ‘explain’ the accident Hindsight bias and it’s mutually reinforcing cognitive cousin the just world hypothesis are traditional parts of public comment on a major air accident investigation when pilot error is revealed as a causal factor. The public comment in various forum after the release of the [...]

Read Full Post »

When All Else Fails

In a previous post I discussed that in HOT systems the operator will inherently be asked to intervene in situations that are unplanned for by the designer. As such situations are inherently not ‘handled’ by the system this has strong implications for the design of the human machine interface.

Read Full Post »

AF447… What We Now Know

The BEA has released a precis of the data contained on AF447′s Flight Data Recorder and we can know look into the cockpit of AF447 in those last terrifying minutes.

Read Full Post »