Would you fly in a plane without a pilot?
Some time ago, I had a friendly discussion with an IFALPA member about this issue.
His opinion, even though he was not very glad about it, was that the future of aviation was in the pilotless plane. The mine, even though I am not so concerned about, was and still is the opposite one.
The first question: Is technically feasible to fly without a cockpit and, hence, without a pilot? Nothing to discuss about it. Far before the recent experience with a passenger plane and drones, we know that during II World War the famous V1 were launched over England. These flying bombs already were pilotless planes taking off from a ramp and, for obvious reasons, without requirements about how to land. Furthermore, some of them were built with a cockpit to solve a technical problem at the beginning. Since then, technology has evolved so much that we do not need to speak about present feasibility. We do not need even to speak about planes where the pilot is grounded. We can speak about planes without a pilot…onboard nor grounded. When VLJ started and they were certified for a single pilot, someone spoke about a TMH (Take Me Home) switch to be used in case of uncapability of the only pilot in the plane.
There are the plain facts about feasibility. If we speak about costs, we’ll find important advantages if compared with the present situation. If the installation of a cockpit can be avoided, design is simplified and costs decrease. If we need grounded cockpits…should we need as many of them as planes or the number of cockpits could be lower than the number of planes? Could be use a cockpit to control more than a plane model?
We do not need to speak about costs linked to salaries and travel costs of crewmembers and flight time limitations enforcing pilots to remain in place after a long flight. If we speak about cargo, more savings appear as the feasibility of operating planes without requirements of cabin pressure.
Furthermore, in more than 100 years since the beginning of powered aviation, we have learned very much. We know many things about plane behavior, about materials, about engines, about meteorology, about control systems, about communications….in other words, it seems that not many unforeseen situations could appear.
With all of these pieces… should a pilot be thinking about looking for another job? Pilots have a technical training and, hence, they are very often driven to a technical mentality in the sense that “if something can be done, it will be done”…even though it should be against their interest and they could fight against any development that could be so damaging for them but knowing or thinking that they are defeated in advance.
I hope all of this can reflect accurately the reasoning of someone who believes in this kind of development…someone who thinks that this is unstoppable and going against it should be equivalent to try to stop a train with the hands. However, that is not the real situation.
Some pilots say that every year they avoid three or four accidents and they are paid to do that. This value of Human Factor is something that many people have written about, since well-know ICAO members like Daniel Mauriño to authors like Sidney Dekker, James Reason or, if I’m allowed to be in this group, myself. Data like the 64% of accidents coming from Human Factores published by Boeing just before changing the classification criteria can drive to a serious mistake, even assuming the data as correct.
OK. Let’s suppose that this is the reality and, furthermore, let’s suppose that these are not errors happened as a wrong reaction after a technical problem. Let’s suppose that all of them are unforced piloting errors. Certainly, it is to much for a supposition but that is fine. Let’s accept it. Now, the reasoning mistake clearly identified by people from Behavioral Economics field like Dan Kahnemann: Does that mean that by eliminating pilots we could avoid 64% of accidents? It seems so but it should be a false assumption:
The complement of 64% should not be the remaining 36% but the number of Non-Accidents that happened due to human -and often, trivial- intervention. These Non-Accidents coming from human intervention will be a number much bigger than 36% but we do not have information to know the exact figure. That should be the point where the pilots should have to fight back. Why these situations, that everyone knows about their existence, are not counted? Why not to set up a system similar to ASRS where, instead of speaking about committed errors everyone could speak about sound actions? Cases of Non-Accidents in situations that, leaving the system to behave as planned, could have finished in an accident are a first-class argument against passenger planes without a pilot.
Does the present knowledge guarantee that unplanned situations are not going to happen? A recording about the manufacturing process of Airbus A-380 showed how the main gear resisted to go down. Someone could ask if we do still not know how to design a gear working at the first attempt…of course, all of this happened before the QF32 case that showed much more unforeseen situations. Interactions among different systems in the plane are so complex than unforeseen situations appear even in parts of the system that are supposedly fully controlled.
Bigger knowledge is not a guarantee of having everything foreseen. Some centuries ago, Pascal said that knowledge is like a sphere that, as it grows in size, has a bigger number of contact points with the unknown. That principle is as true today as it was in the moment it was established.
Revolutions that enforce change in aviation happen almost everyday. The attempt to guarantee the operativity in dense traffic, with hard meteorology and others produce important change enforcing to review from time to time everything and driving to the situation that Charles Perrow defined as “tightly-coupled organization” where a little problem can start a process finishing in a disaster. The only element in the system that can break the snowball effect once started even by a trivial fault is precisely a person.
If planes have to be flown by automatic systems, those trivial situations should be planned and resulting systems should be even more complex and, hence, prone to unforeseen situations coming from their own design. Can we avoid it? As a part of the answer, I would like you to meet Mr. Charles Simonyi, person defined by Wikipedia as software developer and spatial tourist. Simonyi was the person who managed the creation of Microsoft Office and, especially, the one who promoted the idea known as WYSIWYG (What You See is What You Get) that makes easier the task of the user because, as name shows, the printer will print things that we see on the screen.
Some years later, Simonyi started to worry about his own work because WYSIWIG was introducing more complexity and was producing problems hard to fix. The reasoning is easy: Early information systems were programmed directly in machine code or something similar called Assembler. When a problem appeared, it was not hard to find where to look: The order given to the computer was wrong. However, the power of programming languages was growing and the correspondance with machine code was decreasing, entering in a kind of abstraction scale that had more and more steps. WYSIWYG was, when it appeared, the last step of this stairs but the abstraction scale had “leaks” driving to differences between the code written by the programmer -even if he did not commit any mistake- and the action performed by the machine because the problem could be buried in any intermediate step. A programmer does not program machines anymore; he programs programmes whose products are other programmes.
The present ambition of Simonyi -with many skeptical people about it- is starting a new generation of information systems working on something that he calls “intentional software”, that is, to avoid the abstraction stairs and all of its steps because there are the problems that systems are unable to foresee because they are an intrinsic part of the design and a part of the tools used to perform the design itself. When Simonyi speaks about present problems in information systems is hard to deny its existence. If these are the pieces that supposedly are going to be used to build unbreakable automatisms…are they going to be as unbreakable as expected? In aviation, the pilot has to understand the functional model -not only the operating one- of the onboard systems to be able to diagnose and to be an alternative to a failing system.
If a sneaky company wanted to get rid of pilots, the sequence to do so should be very well defined and, probably, that sequence is already in the mind of some manufacturers or operators:
- Start working with pilotless planes in cargo flight where the risk is only related with goods.
- Once the results are presented as good enough to justify the use of pilotless planes in passenger transportation, some more things should be required:
- An explanation about how good the system was in cargo flights…even if some details were convenient to be omitted.
- The passenger chooses but there should be a big difference in price or in features like punctualicty and others.
- Complains about pilots and how they are an obstacle to progress.
- Any human error related accident should be widely publicized.
These pieces could be enough to gain the public opinion creating an idea of pilots as people that did not provide value, contributed to high prices and could be responsible for accidents that, without them, had not been produced. In this way, nice profits could come in the short term even though they could be the equivalent of using a vehicle with nitroglicerine as fuel. Perhaps it could be faster bus the risk of a big explosion could be always present.
Now, pilots, passenger and even regulators are in a situation where a message of “unavoidable progress” is shown and, at the end of the day, planes without a cockpit should be an improvement in safety, costs and, of course, anyone opposing this should not have a reason different from reluctance to progress or personal interest. Perhaps this is the moment where the real value of human factor has to be made clear through some specific actions:
1. Specific records about unforeseen situations where a good outcome came from human flexibility.
2. Good information to consumers and their organizations instead of crafted messages designed to keep them ignorant.
The mirage of a technological development aimed to reduce remaining uncertainties and allowing us to eliminate human factor is simply that: A mirage. The behavior of technological development regarding unforeseen situations is similar to the one of a hydraulic press where, if we increase the power, the pressed material occupies less space but, at the same time, it is harder and more difficult to introduce a hand to operate it. In other words, an increasing capacity from a 90% to a 95% is not always good news. Actually, it could be worse if, at the same time that we increase the percentage, we introduce a full inability to manage the remaining 5% of unforeseen situations.
In aviation, the technological mirage have been working for a long time. That’s why a very relevant author in Artificial Intelligence like Daniel Hillis offered himself as a passenger in a pilotless plane programmed by an artificial intelligence system able to generate programmes hard to understand for a human being but able to fly. Hillis said that he did not know how the system could work but, at the end of the day, he did not know how a human pilot worked. However, that is a half-truth. Certainly, we do not know how a human pilot works but we know something that could be enough:
There is a very high probability that the human pilot will want to enjoy a happy retirement and he will make any thing that can be required to get it. From the scope of the passenger in a flying plane, this simple purpose is a full guarantee that should not be removed and, of course, this is a guarantee that cannot be offered by any artificial system.
Technology development model, safety and security: Time to change?
Many people had been warning about a wrong technological development years ago; you can find an example in the frame of this blog under the name “Improving Air Safety through Organizational Learning”. However, the development model did not change at all and nobody paid attention. Statistical information, in a high level analysis, could justify this behavior but, in the last years, many things have happened that can be seen as a serious warning hard to ignore. The so-called ”black swans”, meaning facts impossible to forecast, start to become a full flock. Some cases:
- Economic crisis: We can speak about greed, opportunism and many other things. The fact is that the financial system was so complex that it was impossible to have a real surveillance and many people understand parts of it but ignore secondary effects in different parts of the same system. Perhaps, the best explanation about what happened is a humoresque one: http://youtu.be/mzJmTCYmo9g Opening any newspaper can show how hard is an agreement about the diagnostics and, hence, about the solutions. Depending on the expert one asks, forecasts are going to be different. Even, with emergent issues like BitCoin, there is not an agreement among experts about what the consequences are going to be.
- AF447: This air accident should mark a change: Experts with interest in the market went running to show that, at the end, everything was coming from a sensor and a human error. Is that right? If a faulty sensor and a tired pilot are enough to crash a plane…something is seriously wrong about air safety. Journalists ready to help manufacturers and regulators emphasized the time required by the pilot to go back to the cockpit. Have you ever seen the layout of a long-haul plane? Perhaps, you have observed a door in the middle of the plane where crewmembers come and go through. This door allows crewmembers to access the bunks that are downstairs. Now, watch in hand, try to find how long it takes to arrive from the bunk to the cockpit. Why bunks were removed from a position near to cockpit? The reality is that crewmembers got confused and a system that does not give enough information about what happens is, at least, questionnable because under unplanned events, it can produce confusion and inability to find the right action to perform.
- Cyberattacks: About two years ago, Iranian said to be able to get control over a U.S. drone forcing to land. The feasibility of that was rejected by U.S. officers but, only days ago, something happened inviting to think that it was a real possibility: http://www.businessweek.com/articles/2013-04-12/hacking-an-airplane-with-only-an-android-phone If a mobile phone is enough to get control over a manned plane…can we seriously affirm that it is not possible with more advanced technology over an unmanned one? Aviation is not the only activity where things like these can happen: http://arstechnica.com/information-technology/2013/04/the-spammer-who-logged-into-my-pc-and-installed-microsoft-office/ It’s said months ago that something bigger than 11S could come from powerful cyberattacks that could make useless vital installations. Even some technology managers are worried about the possibility of an undetected cyberattack that could convert a sophisticated weapon into something useless at the critical moment. Beyond cyberattacks, the feasibility of an EMP (http://en.wikipedia.org/wiki/Electromagnetic_pulse ) with similar but longer term effects is another real and present danger.
- Food fraud: Is it so hard identifying the kind of meat -if so- that hamburgers have inside? Perhaps it is hard for users but…also for regulators? Why every other day a new scandal appears with products containing something that it is not in the declared composition? Not only horse or moose meat but dogs…what else?
- Aviation safety: Beyond AF447…is the average passenger informed and concerned about what is the real safety level? Does the passenger know that, when crossing an Ocean in a twin plane, if one of the engines fails, the plane is certified to fly for hours with the remaining engine? Manufacturing processes are the ones that are certified or, as some people say, different? http://www.thedailybeast.com/newsweek/2012/03/19/is-boeing-s-737-an-airplane-prone-to-problems.html . What about the air quality onboard? http://www.achooallergy.com/air-quality-airplane-cabins.asp What about the practice in some airlines of having a flight student as a first officer paying to fly in a plane with passengers?…
In short, technology has kept the same track and it is more and more hard to understand and check. Regulators cannot be trusted -independently of their knowledge or professional attitude- if final user cannot check their work. If users cannot check how the regulators protect their interests, the expected results should be that the regulators should take care of their own interest, that not always could be the same that the ones of users.
The old Rassmussen rule, “the operator has to be able to run cognitively the program that the system is running”, is not followed time ago. However, as times goes by, we find that the problem goes beyond operators. Designers themselves understand specific parts without a clear understanding of the full product and, hence, unable to foresee consequences coming from interactions among different parts of the system. AF447 was a big warning light but it is not the only one and, perhaps, it is not even the worst one. It should be the right time for an assessment of technology development model. Otherwise, consequences will be worse and worse.
“Seconds to Disaster” by Glenn Meade and Ray Ronan
When I read my doctoral dissertation -you can find two versions in the blog frame depending of your kind of interest: Aviation or Organizational Studies- I remember especially one of the persons who had to evaluate it, Secundino Valladares. He said: “Now, I’m sure that I will never fly again”. I cannot blame him: To justify every finding, I put two or three paragraphs, extracted from official reports about major Aviation accidents. It was quite easy to reach that conclusion. After reading the book by Meade and Ronan, I have started to think of myself as a soft nun, regarding the kind of things they bring to the discussion.
For instance, the existence of compromises between regulators and main manufacturers is crystal-clear and there are many facts that can show how the European regulator does not look with the same eyes at both, Boeing and Airbus, and the same can be said about FAA but, of course, in the opposite side. Even though, the chapter that the authors devote to Boeing 737NG shows something far beyond a “friendly eye”. Nothing new; some of us are old enough to remember what happened with DC-10 and how 325 avoidable deaths (Turkish Airlines 981) were required to fix a problem that was previously known. The authors speak too about AF447 -you will find in this blog several posts dealing with AF447- and, for a moment, I had the feeling of not being alone with my conclussions about this case: The stamp “Lack of Training” is very comfortable to close a report avoiding entering in design issues. However, this stamps does not answer the main question: If that is true…why did you have people lacking training to fly a big plane over Atlantic Ocean? We can go beyond: Is that a training practice by Air France or is it shared worldwide? Still, we can go beyond: Is it possible, due to design complexity, provide pilots and engineers with the training level that they could require under an extreme situation? Once we get here, we could be around the root of the problem: Profit aimed design.
A few days ago, I published something about how average passengers boarding a twin plane for a long-haul trip does not know what are the rules: He does not know that, in the event of an engine-stop, the plane is certified to fly more than 5 hours from the nearest airport with only one engine working and full of passengers. This and many of the things that the authors of “Seconds to Disaster” say are unknown to the flying public. Perhaps, this is the first thing to change if we want to change something.
Drones: Is that the future of Aviation?
Many people seem to be very worried about drones, its use, possibilities and risks. Certainly a drone, since nobody is inside, can be little enough to pass without being seen. It can be used -actually it is- as a deadly weapon, targetting preys from places impossible for a manned plane. Some people start to speak about privacy since surveillance tools as little as a bird can be placed everywhere and, beyond privacy, it is hard to protect anyone from a weapon that can be self-destroyed and little enough to access even to the most protected places or people.
However, there are other fields where the discussion is not so alive:
1- A drone can be hacked: When authorities say that the next big threat after 11S can come from Internet, it is not a joke. If someone can enter systems where electricity, water supply, traffic or many others are controlled, the results could be catastrophic. If a system so protected as a military plane is supposed to be…do safe systems exist? Probably not. Certainly a manned plane could be hacked too but, at least, in many of them the human operator could keep the control. If the operators does not have a direct access since it comes through a communication line, that is harder.
2- Problems with traffic control: This is a problem that is happening once and again. Near misses are happening in many places putting at risk civilian airplanes loaded with passengers. In some cases, it has been found that the pilots did not have the required license, something harder to control since the pilot can be anywhere and there is not a checkpoint like it can be at any airport.
That is happening right now but…what about the future? Nowadays, nobody speaks openly about drones carrying passengers but they could be used for cargo transportation. If so, that should mean a much bigger number of drones and, hence, the pointed risks could grow at an unacceptable level.
And drones for passenger transportation? At the present moment, no one seems to think seriously about it. I think there are many good reasons to avoid it but, nowadays, the discussion should be sterile. If we think about things that are feasible already, we have enough to be worried. We do not need to think about future for that.
The war between efficiency and safety
I’m going to use some examples from air safety but I have something to add: The problem is much more general than Aviation. Actually, Aviation has an advantage that many people, involved in Management, does not use: Safety is critical in Aviation. Therefore, if problems arise in Aviation, it could be expected that these problems are going to appear in the short term in Banks, manufacturing plants and many other places. That was precisely the sense of my thesis and I was very surprised to see that many people from Aviation field was interested in it -it was adapted as a book under the name “Improving Air Safety through Organizational Learning”- but the main findings, bringing conclusions from Air Safety to Management were simply ignored. They are still as valid as they were 11 years ago.
Nobody could discuss that a CATIII landing -landing virtually without visibility- is an improvement for safety. However, before CATIII capabilities, pilots simply rejected landing if visibility was under minimum. Then…is the improvement aimed to better safety or to bigger efficiency? Furthermore, the human pilot is a kind of voyeur that cannot perform by himself this kind of landing. He has to trust an automatic system and his possibilities to check it are limited. Is that an Aviation issue? I’m afraid not.
Look at meteorologists: The number of stations providing data is big enough to make impossible to get conclussions in the old way. If a meteorologist tries to process all the information coming from these stations, his conclusions could arrive weeks or months after the situation to be foreseen. It could be a little bit useless forecasting a hurricane weeks after it blew a whole city. Same situation. People cannot challenge the computer that provides the weather forecast since the processing should be very slow and the software manufacturers probably won’t fully disclose the model that the computer uses. That explains why weather forecast is not anymore served by meteorologists in TV. A good anchorman speaking convincingly can be enough.
What about Banks? Could you imagine going to your Bank to complain about interest if you think that calculations are not properly made? What about derivatives? Software instructed to buy or sell when a specific limit is reached. Since many of the programmes could have similar limits, a little increase can trigger an enormous increase and, by the same token, a little decrease, can drive to a crisis. Who controls this? Nobody. Companies have bought speed but it comes at the price of preventing them from any kind of control.
Nassim Taleb in The Black Swan speaks about the impossibility to forecast the most important facts to come. I agree: When someone says that the world always had crises and the Nihil novum sub solem can be used to describe the present situation, I think that something is lost: In the past, we could expect that wars, movements and revolutions could be absorbed by the stabilizing mechanism that the world always had. Not anymore: Movements are sudden and violent enough to make stabilization processes useless. We gain efficiency, especially under the shape of speed, but we lose control over what’s coming next.
Aviation, as many other critical systems, is interesting because it can be used as a light to know what is coming in many other fields. The dynamics is simple: Gaining speed at the cost of control. Keeping this way, we’ll arrive someplace…but it is impossible to know where. Einstein said that he did not know which weapons should be used in the Third World War but he was sure that the Fourth one should be fought with sticks and stones. Probably, he was right.
“El vuelo” o el gusto de los directores por las utopías en aviación
Lo confieso: Ha habido un momento en que he empezado a ver películas en las que un avión tiene un papel más o menos protagonista para ver cuántas barbaridades imposibles se veían. El record, por ahora, lo lleva una película de la que ni recuerdo el título pero con un logro fuera de lo común: Una niña, sola en la cabina de un avión en vuelo, después de que alguien le diga que no puede desconectar el piloto automático -tampoco se sabe por qué- consigue lo imposible por el expeditivo procedimiento de golpear con un bate de baseball sobre el indicador luminoso. Chapeau.
Aviador tiene también una bonita escena, por cierto parecida a una que puede verse en El vuelo en la que un avión va cortando los tejados de las casas como si fueran de mantequilla y -atención- ello lo hace no sólo sin romper el ala sino sin alterar lo más mínimo su rumbo mientras va cortando tejados. En 2012, protagonizada por un Nicholas Cage con una cara de susto permanente, un avión a punto de estrellarse va arando el suelo con la punta de una de las alas sin que, de nuevo, el ala se rompa ni el impacto haga girar al avión clavando el morro en el suelo.
Siempre es admisible que haya ciertas licencias en el cine como, por ejemplo, el ADN de dinosaurio en un mosquito mantenido en ámbar de Parque Jurásico pero un poco más de documentación tampoco vendría mal.
En El vuelo, con una buena actuación de Denzell Washington en una película que se puede hacer larga y aburrida, hay algo más que licencias: La película se inspira lejanamente en el accidente del vuelo Air Alaska 261 pero con algunas diferencias importantes. En el vuelo tomado como inspiración, el estabilizador horizontal -la parte horizontal de la cola- quedó suelto debido al fallo de la pieza que explican al final de la película en lugar de quedar bloqueado. Si la pieza hubiera quedado bloqueada, como en la película, es probable que hubieran mantenido bastante control utilizando los controles convencionales para contrarrestar la superficie bloqueada pero supongamos que no. Supongamos que la cola del avión ha quedado bloqueada en la posición incorrecta y que no hay forma de contrarrestar el hecho…el avión no habría entrado en picado sino que habría seguido cambiando de dirección -es lo mismo que si en un coche a la salida de una curva no se endereza el volante- hasta que, en caso de que la estructura hubiera aguantado, hubieran conseguido su bonito vuelo invertido sin necesidad de hacer nada…eso sí, el vuelo invertido lo habrían conseguido tras un bonito looping exterior con lo que el avión estaría volando en sentido contrario del que llevaba al inicio.
Olvidemos ese pequeño detalle y concedámoslo también como licencia cinematográfica…supongamos que el avión ha picado y cuando está apuntando al suelo el piloto inicia el giro que les dejaría volando cabeza abajo. ¿Alguna idea de la pérdida de altura que en un avión no acrobático y de ese tamaño representa la maniobra? No especulemos; basta con ver este video en que el piloto de pruebas de Boeing Tex Johnston hizo eso mismo con un Boeing 707. Aunque el piloto defendió después que la maniobra no tenía riesgo, puede verse la pérdida de altura que representa como para pensar que es posible lo visto en la película y, cuando están cerca de tierra, pueden volver a colocar el avión en su posición normal sin estamparse contra el suelo.
Se les incendian los motores aunque no se sabe muy bien por qué. Ya puestos ¿qué tal unas cuantas anacondas o tigres de Bengala que fueran en la bodega y se escapan para dar animación al asunto? De nuevo, aceptémoslo como licencia cinematográfica. Extinguen el incendio del motor y luego piden potencia máxima…por supuesto, la extinción del incendio deja el motor totalmente incapacitado para dar mucha ni poca potencia pero, además, van en invertido -no se sabe de dónde están tomando el combustible las bombas aunque tengan el detalle de poner el aviso de que falla la alimentación- y han estado arrojando todo el combustible antes del “aterrizaje”. Para concluir, la torre golpeada con el ala, aunque hubiera sido de papel, habría bastado para romper el ala o, como mínimo, para desviar la trayectoria del avión en la dirección del impacto y no al revés como ocurre en la película.
Si a alguien se le vuelve a ocurrir hacer una película sobre accidentes de aviones, le sugiero que tome como modelo este otro caso más creíble sin necesidad de recurrir a tantas licencias cinematográficas e igualmente útil para reflejar el drama del héroe alcohólico. El director no ha podido sobreponerse a la tentación de colocar en su película un avión de pasajeros en vuelo invertido y sale lo que sale…lo de siempre.
What happens with Boeing 787?
Some journalists have started to compare 787 with Comet. That is not the right comparison:
De Havilland Comet was the first jet, by far, more little than the present ones, and it developed a nasty habit: Exploiting in mid-air. Comets were flying higher and faster than propeller planes but the engineering was the same and there was the problem: The difference of pressures between the cabin and the outside were fatiguing the materials until the final crack. Of course, this final crack happened at a moment when the difference of pressure was at its peak, that is, flying at cruise level.
Perhaps a nearer plane to compare should be the DC-10 by McDonnell Douglas. The final scene of the plane, an also of the manufacturer, should be the accident of Turkish Airlines 981. The investigation should discover many things about the manufacturer like ignoring serious design flaws or “oiling” the regulator to pass as a recommendation something serious enough to guarantee a design change. Nothing of this kind has been seen in Boeing but an idea remains: A bad design, and DC10 was a bad design, can kill a big manufacturer.
Boeing 787 was and still is the weapon that Boeing was trying to use to reach Airbus level in commonality and cost contention. When Airbus launched, years ago, its A320 model, it was not a single plane but a platform that, repeated in different sizes and ranges, could start a full family. Boeing never had that family and the situation was even worse once Boeing had to buy the remains of McDonnell Douglas with a fully different fleet. Boeing 787 was intended to be the “A320 from Boeing”, that is, the starting point for its future models.
The plane has some very attractive things from the passenger point of view like a higher cabin pressure getting a more natural environment especially for long flights or a big increase in windows size having more natural light in the cabin…it also had a new model of batteries that seems to be guilty for almost all of the problems that the plane had during its first months of commercial life.
It’s true that it has been a problem with a window in the flight-deck but this is not the first time that this happens with a new model. Furthermore, an Airbus A380 had an explosion in one of the engines and it was very near to disaster (it is not an engine stop in one plane with 4 engines but an explosion that severed a lot of hydraulic, electric and data lines and provoked massive fuel leaks). The presentation of the A320 was also “funny”. Even though, the model and the whole family who came afterwards have been successful.
Boeing can recover from the 787 issue but time is against them, not to say competitors as Airbus and new ones as the Chinese Comac and, of course, Russian manufacturers that start to try to compete in the high-technology aviation.
“Some reflections on the loss of the Titanic” de Joseph Conrad (1921): Versión en español “El Titanic”.
Joseph Conrad alcanzó el grado de universalmente conocido con El corazón de las tinieblas pero, además, fue un experto marino y buena parte de su obra novelística está centrada en el mar. El naufragio del Titanic no podía dejarlo indiferente y el libro -traducido al español como El Titanic y editado por Gadir- es una crítica tanto a una evolución tecnológica ciega como al proceso de investigación posterior. Éstos son los puntos que un siglo después de que se hundiera el Titanic siguen estando de actualidad tanto en otras formas de transporte como el aéreo como en el propio transporte marítimo con casos como el del Costa Concordia, casi tres veces más pesado que el Titanic.
En la prensa de la época se hizo tanto énfasis en que el Titanic era insumergible como se ha hecho más recientemente en que algunos aviones no podían entrar en pérdida. En uno y otro caso, tal alegación se apoyaba, como los hechos han demostrado, en un optimismo técnico injustificado.
En el Titanic los supuestos compartimentos estancos garantizaban que, en caso de que uno de ellos se inundase, los demás mantendrían a flote el barco. Naturalmente, si en lugar de una colisión lo que se produce es un desgarro longitudinal que pueda afectar a varios de los compartimentos, la flotabilidad deja de estar garantizada. Si, además, los compartimentos no son estancos hasta la cubierta sino sólo hasta una altura que pueda ser rebasada por la inundación de uno de ellos o por la inclinación del barco…resulta que los compartimentos no son estancos y el barco se puede hundir como efectivamente ocurrió.
En cuanto a la supuesta solidez de los grandes barcos, Conrad plantea algo tan simple como que es posible hacer una caja de galletas de una enorme solidez pero el grosor de las paredes no puede ir creciendo de forma proporcional al tamaño y, en consecuencia, un barco de grandes dimensiones resultaría, a pesar de su aspecto imponente, mucho menos sólido que uno mucho más pequeño y construido con la voluntad de hacerlo resistente. En palabras de Conrad, una perfecta muestra de la moderna confianza ciega en los materiales y artilugios.
La forma en que la responsabilidad queda diluída tanto en los hechos como en la investigación posterior queda representada en una frase referida a las sociedades de responsabilidad limitada: No tenían almas que salvar ni cuerpos a los que patear y que, de ese modo, salían indemnes de este mundo y del otro de todas las sanciones efectivas impuestas por una conducta consciente. La descripción está escrita en 1921 pero bien podría haberlo sido ayer.
También tiene su apartado relativo a la costumbre de culpar al que está más cerca bajo etiquetas como “error humano”, “complacencia”, “falta de formación” y tantas otras variantes para conseguir que pague el pato el que estaba más cerca en el momento del accidente: Se alegaba que el barco era insumergible, siempre que se gobierne de acuerdo a la nueva náutica.
Al traductor de la versión española se le ha escapado algún nudos por hora como muestra evidente de que aún no ha calado el concepto de que el nudo es una unidad de velocidad y no de longitud y, nuevamente, Conrad plantea un principio que también es de aplicación hoy: Hay un punto en que el progreso, para ser un verdadero avance, ha de variar ligeramente de rumbo: La historia de la evolución humana puede medirse en términos de degradación del conocimiento individual. Autores que se encuentran entre sí en las antípodas ideológicamente como Thomas Sowell en Knowledge and Decisions y Richard Sennett en The Corrosion of Character han denunciado este simple hecho de forma separada. A medida que va creciendo la complejidad del mundo en que nos encontramos, ese deterioro del conocimiento individual a través de la especialización extrema conduce a que cada uno pueda ver su árbol -cuando no su pequeña ramita o su hoja- pero nadie se capaz de ver el bosque, tal vez y siguiendo el paralelismo, menos que nadie quienes tienen intereses en el negocio de la madera como, por ejemplo, políticos y asimilados.
La descripción que Conrad hace del Titanic se parece mucho a la que mucho más recientemente se ha hecho del Costa Concordia y, en general, de los grandes cruceros: dirigido por una especie de sindicato de hostelería compuesto por el jefe de máquinas, el sobrecargo y el capitán. Un siglo después del naufragio del Titanic se siguen discutiendo los mismos temas y en idénticos términos. ¿Para qué ha servido el siglo transcurrido y las víctimas del Titanic?
En cuanto al diseño o a la evaluación de riesgos…unos simples cálculos cuando están desasistidos de imaginación y llegan a hacerse señores del sentido común resultan los más engañosos ejercicios del intelecto.
Desde que Conrad escribió su libro, han transcurrido 91 años. La tecnología ha avanzado mucho en esos años pero, paradójicamente, los hechos denunciados y la mentalidad que llevan detrás siguen de plena actualidad.
QF32: Mal título para un buen libro y contrapunto al AF447
Raramente se le ocurrirá a alguien comprar un libro llamado “QF32″ si no sabe de antemano qué se va a encontrar dentro. QF32 es el nombre del vuelo de Qantas realizado por un Airbus 380 y que estuvo mucho más cerca de acabar en desastre de lo que sugieren las imágenes que se pueden encontrar por Internet. El autor del libro es el piloto al mando del vuelo, Richard de Crespigny, y da una serie de datos que pueden resultar de gran interés para los interesados tanto en la evolución tecnológica en general como en la seguridad aérea en particular.
Para entender por qué el avión estuvo tan cerca del desastre bastará con una idea sencilla: No se trata de un avión de cuatro motores al que le falla uno, eventualidad para la que cualquier avión de cuatro motores -incluso de dos- está preparado en cualquier fase del vuelo. Se trata de que uno de los cuatro motores -uno de los dos más cercanos al fuselaje del avión- decide comportarse como una bomba y explota repartiendo sus propias partes como metralla y provocando multitud de fugas de combustible, de fluido hidráulico y cortando cientos de cables que dejan a gran parte de los sistemas de información y de control del avión total o parcialmente inutilizados. La situación fue tan grave y las expectativas eran tan malas que, con el avión todavía en el aire, las acciones de Qantas estaban cayendo a plomo porque se daba por descontado el desastre.
El libro lleva una primera parte de apuntes biográficos de su autor y, entre éstos, hay dos elementos que resultan de interés para el caso: El primero es que no se trataba de un piloto formado en aviones de la última generación sino que había empezado su trayectoria en la aviación militar habiendo volado incluso helicópteros y el segundo es que se trataba de un personaje con gran curiosidad por la tecnología, curiosidad que le llevó desde aprender por sí mismo a desmontar una vieja moto hasta tratar de entrar en los entresijos de la tecnología de la información más allá del puro conocimiento operativo.
A partir del momento de la explosión del motor, el autor entra en una serie de detalles sobre qué estaba ocurriendo que pueden ser difíciles de entender si no se está mínimamente familiarizado con la aviación pero hay varios puntos que se pueden sintetizar:
- Los pilotos empiezan a recibir un número interminable de listas de fallos y sus listas de comprobación asociadas. Viendo que esto no les lleva a ninguna parte, acaban concluyendo que es mejor tratar de determinar qué es lo que está funcionando correctamente y, con ello, ver sus posibilidades reales.
- Hay un momento en que les aparecen datos que les invitan a desconfiar: El motor que explotó estaba pegado al fuselaje y no parecía tener mucho sentido que la explosión hubiera afectado al motor que estaba en la punta del ala contraria. En este momento comienzan a pensar que la información que están recibiendo podría no ser fiable.
- Parte de los sistemas de control del avión no sólo había quedado inutilizada sino que había dejado parte de los alerones en una posición de deflexión que le robaba sustentación al avión. La única forma real de saber cuál era el margen de velocidad que tenían para la aproximación y el aterrizaje era comprobarlo físicamente porque la información sobre las velocidades adecuadas no era fiable.
El avión aterrizó felizmente aunque con una situación complicada al final de su carrera de aterrizaje: El motor contiguo al que explotó había quedado fuera de control y los pilotos no fueron capaces de apagarlo; las múltiples fugas de combustible habían creado un charco debajo del avión sin que los bomberos pudieran aproximarse debido al motor en funcionamiento y el frenado en condiciones limitadas había hecho que los dispositivos de freno estuvieran a una temperatura que llegó a rebasar los 1.000 grados centígrados…en presencia del enorme charco de combustible que no dejaba de crecer y con pasajeros y tripulación dentro del avión.
Posiblemente el comportamiento de la tripulación del vuelo QF32 pueda servir para dar dos pistas importantes sobre cómo volar los aviones tecnológicamente más avanzados:
- Un avión no es un videojuego y los mejores sistemas de información no excusan de que los pilotos tengan claro cómo y por qué vuela un avión y de ser capaces de anticipar sus reacciones prescindiendo de la superestructura de sistemas de información.
- Es necesario perder los complejos frente a la tecnología de la información y si, especialmente en una situación degradada, se sospecha que la información o el control de que se está disponiendo no son adecuados, se debe estar dispuesto a contrastar esa hipótesis.
Por último, el libro da suficiente información sobre el piloto al mando para concluir que se trataba de una feliz combinación entre experiencia en distintos tipos de aeronave y conocimiento tecnológico. Sin embargo, aunque se destaca la figura del segundo piloto y su elevado grado de conciencia situacional, no se dispone de más información sobre él que la publicada en el informe preliminar donde se muestra que su experiencia en el tipo de avión era de algo más del doble del número de horas que tenía el piloto al mando. Puesto que también fue una figura central en el caso, habría sido interesante disponer de más información sobre su trayectoria profesional.
El caso QF32 se presenta casi como un “anti-AF447″ en el sentido de que parece haber una clara insistencia en atribuir el accidente del segundo a la falta de formación de la tripulación mientras que el primero se muestra como un ejemplo de comportamiento adecuado. Habría dos puntos que añadir en este sentido:
- Cualquier persona familiarizada con el trabajo de recursos humanos sabe que uno de los primeros pasos para determinar las competencias necesarias en un puesto de trabajo consiste en buscar modelos excelentes a imitar. Parecería lógico profundizar en las características de los tripulantes del vuelo QF32 con este objetivo; sin embargo, la información disponible sobre el piloto al mando nos muestra que es un tipo de formación y experiencia cara y escasa. En un momento en que se está optando por rebajar las características de la formación creando licencias como la MPL un caso como el QF32 debería representar una invitación a revisar las políticas de formación y licencias así como desarrollos tecnológicos con una complejidad y opacidad crecientes.
- El caso AF447 puede ser atribuido a falta de formación de la tripulación pero, para hacerlo, es necesario dar un salto en el vacío difícilmente admisible: Todos los sensores imaginables pueden fallar. Si un sensor defectuoso tiene capacidad para generar una situación de confusión capaz de poner en evidencia la falta de formación de los tripulantes…algo mucho más grave que el propio sensor ha fallado en el camino. Se puede y se debe discutir si la formación de los pilotos era o no la adecuada -el caso QF32 puede ayudar en ese análisis- estableciendo las responsabilidades y realizando los cambios oportunos. Sin embargo, un sensor defectuoso NO puede provocar la situación de confusión por alarmas múltiples y contradictorias que se produjo en el AF447 y si lo hace -y lo hizo- necesariamente hay que revisar también el diseño capaz de conducir a ese efecto. Quedarse en un sensor defectuoso y en la falta de formación de la tripulación es sólo una mitad, o menos, de la verdad de lo ocurrido en el Atlántico en el vuelo AF447.
Imposibles metafísicos: La huelga de celo
Hace años, un amigo piloto de Iberia y del SEPLA -figura especialmente odiada estos días- me hablaba de las huelgas de celo que pilotos y controladores habían protagonizado en muchas ocasiones. Su punto de vista, que no deja de ser razonable, era el siguiente:
Cuando un pasajero se queja porque trabajamos a reglamento, mi tentación es preguntarle: “Dígame, señor pasajero ¿qué parte del reglamento quiere que incumpla?”
Diversos colectivos han utilizado la figura de la “huelga de celo” como una forma de batallar por las reivindicaciones laborales pero, antes de escandalizarse porque haya quien cometa tamaña felonía ¿no habría que escandalizarse porque esto sea factible?
Nos hemos acostumbrado a que las normas digan una cosa y los hechos digan otra distinta y, además, a que si seguimos escrupulosamente las normas las cosas dejen de funcionar. ¿Para qué sirven las normas entonces?
Un alma cándida pensará que las normas están hechas por un bienintencionado regulador que piensa en el bien de los regulados pero la experiencia muestra que, muy a menudo, el regulador saca sus normas pensando en sí mismo. ¿Absurdo? Dos ejemplos:
Hace pocos años, llegó a estar encima de la mesa la propuesta de los aviones tuvieran que llevar el combustible “suficiente” para la realización del vuelo, atendiendo a la eventualidad de que el vuelo tuviera que ser desviado, etc. Desde el punto de vista del regulador, ésta era una propuesta muy atractiva ya que, por definición, si un avión se caía por falta de combustible, el hecho mismo implicaba que se había incumplido la norma y se podían señalar fácilmente responsabilidades. Para el piloto, en cambio, la perspectiva no es tan interesante: Si no se establecen unos baremos claros, puede estar sujeto a presión para limitar al máximo la cantidad de combustible. ¿Qué es mejor?
Otro ejemplo: Se han producido ya varios casos en que un piloto ha confundido el tipo de avión que iba a volar. No es broma; un A340-300 y un A340-600 pueden ser volados por las mismas tripulaciones y tener una diferencia de peso de 100 toneladas. Puesto que el peso del avión puede variar mucho en función de la carga de combustible -que puede llegar a representar un 50% del peso del avión en los vuelos de largo alcance- la introducción de un peso incorrecto puede ser aceptada porque el 340-600 con muy poco combustible puede pesar lo mismo que el 340-300 cargado a tope. Pongamos ahora una tripulación que va alternando entre los dos modelos de avión y una situación de urgencia…y el error está servido. A pesar de que ya ha habido varios casos que han podido acabar muy mal, los reguladores prefieren establecer que hay que comprobar cuál es el avión que realmente se lleva y mirar para otro lado. Cuando una situación como ésta, que induce a confusión por la similitud de las cabinas, ponga encima de la mesa dos o tres centenares de muertos ¿quién tendrá la culpa?…premio: La tripulación que no ha hecho la comprobación que le prescribe la norma.
Ahí es donde tenemos que buscar el origen de las huelgas de celo. Un procedimiento, por definición, debería ser el reflejo escrito de la mejor práctica disponible. En lugar de eso, es frecuente que se olvide la funcionalidad y se prefiera estar seguro de poder señalar a un culpable en caso de que algo ocurre. Una vez que las normas dejan de ser ayudas sino que pasan a ser máquinas de asignación de culpa ¿podemos extrañarnos de que puedan ser utilizadas como forma de paralizar una organización? ¿hay que acusar a quien las utiliza de forma torticera o a quien las impone pensando sobre todo en salvar su propia responsabilidad?
José Sánchez-Alarcos
