Governments and Industry Ignored the Warning Signs
To: The Honorable Robert A. Sturgell, Acting FAA Administrator
Copy: European Aviation Safety Agency
Subject: NTSB Safety Recommendation
Date: July 22, 2008
On January 25, 2008, a United Airlines A320 lost three of six cockpit electronic flight displays after takeoff from Newark as the plane headed for downtown New York. The landing gear would not retract, all radios died, the overhead systems panel went blank. The emergency attitude indicator failed. The copilot testified, "If Newark had fog, and my attitude indicator had not recovered, we could have crashed."
Airbus reports 49 similar incidents -- 17 when five or six displays blanked. 7 planes lost all flight displays. The UK Air Accidents Branch examined 14 display-blanking incidents. The NTSB believes these multiple losses create challenging situations. The United pilots reported multiple scrolling failure messages with corrective actions the computer removed so quickly, they were unable to interpret them. Blanking of flight displays coupled with systems failures is a significant safety risk because of increased pilot workload. Airlines have not informed their pilots, nor provided training. Crew attempts to troubleshoot these unusual problems may even lead to loss of aircraft control.
And as the London Times wrote on July 1 of this year:
The European Aviation Safety Agency is likely to be asked why it had never taken action to remedy the trouble well known within the Airbus 330 and 340 series. 'EASA has a legal and moral obligation to get to the bottom of this problem. If there is a defective system and the aircraft is unsafe then it should be grounded,' said James Healy-Pratt of Stewarts Law in London. Suspicion over the air data systems on the Airbus 330 and 340 series has increased after disclosure the aircraft experienced 36 episodes similar to the one that brought Flight 447 down.
We mourn the loss of these souls. Our hearts go out to their families. We share their sorrow and we hope the tragic loss of their loved ones sparks long-overdue change.
There were snakes on this Airbus -- snakes that left no trace evidence.
Can pitot tube moisture turn computers rogue, leave pilots helpless to override, and crash a plane? The Air Force gets it. The pilots of this $1.4 billion B-2 couldn't override their rogue computer:
Stars and Stripes Report Faults Computer in Guam B-2 Crash.
The crash was caused by bad data sent to flight computers from three tiny wing sensors. General Floyd Carpenter: 'The B-2 was on takeoff when the computer falsely told pilots it was moving along the runway at 140 knots, fast enough to fly. The computer then sensed the aircraft was going into a nosedive just as pilots tried to lift the craft off the ground. The (rogue) computer then ordered the B-2's nose to pitch up to 30 degrees. The pilots desperately tried to override the computer, but it took the aircraft into a fatal stall. The aircraft performed as designed; all systems were functioning normally.'
Replacing Airbus pitot heaters is a good shot in the dark, but they have little to do with this tragedy. Maybe the heaters did it. Maybe a software bug did it. Maybe a rogue computer. Maybe a virus. Maybe the Tooth Fairy did it. Maybe the captain and copilot decided to commit mass murder, so flew into a thunderstorm. Maybe it was Colonel Mustard in the kitchen with the knife.
But if it waddles like a computer, quacks like a computer and crashes like a computer . . .
We may never know what happened without those missing black boxes, but we need to pay attention to the computer-generated elephant sitting on our chests.
The captain that horrid night was the Little Dutch Boy, trying to jam his fingers into the leaking dike of crashing computers amid their scary screams. Only he couldn't plug holes as fast as the computers drilled more and more. He couldn't keep up with the runaway holes, then ran out of fingers. And the sea rushed in and consumed them -- murder by computer. His computers should have been fail-safe.
They were fail-deadly -- more interested in saving themselves than human beings.
Bottom line? Designers have built machines humans can't control.
Replacing the pitot heaters plugs just one of the dike holes that killed 228. At some point, you have to build a new dike.
Dr. Jordan Grafman, Chief of Neuroscience at the National Institute of Neurological Disorders, explains: "One of the big problems about multitasking is it's impossible to gain a depth of knowledge of any task you're doing; you only get surface-level knowledge."
Replacing those pitot heaters amounts to giving a cancer patient aspirin. The heaters are mere symptoms of the underlying fever. Air France 447 was a massive, beyond-human-control, China Syndrome, chain-reaction computer system failure that rivals the Hindenburg tragedy that marked the end of hydrogen-filled airships.
The question is: what about this computer system's design allowed it to pinball out-of-control and why wasn't there a way for the pilots to stop it?
Dr. Lisanne Bainbridge, Engineering Psychologist at University College London, helps us understand in her "Ironies of Automation":
The classic aim of automation is to replace human manual control, planning and problem solving by automatic devices and computers. The automation designers' view is that the pilot is unreliable and inefficient, so should be eliminated. The irony is that designer errors can be a major source of operational errors. Designers computerize the easy parts of the pilot's job and make the hardest jobs even harder, leaving pilots the toughest tasks that designers can't think how to computerize.
Designers put computers in planes because computers remember more and make quicker decisions than humans. There is, therefore, no way pilots can check in real time if the computer is following its rules correctly. Pilots have no way to check whether what the smarter machine is doing is acceptable. So if the computer is there because human judgement and intuitive reasoning are not adequate to keep up, which decisions is the human to accept? The pilot has been given an impossible task.
John T. Halliday is the author of the forthcoming Murder By Computer as well as Flying Through Midnight. He flew the Boeing 767 and Boeing 757 for ten years as an international captain for a major U.S. airline and has worked in aviation psychology for thirty years to prevent more airline crashes.