"— ^. ;v'?***^
%:.^
UNGLAS
1.0 ^
I.I
132
tri^
ilitt II
1.4
1^
1 2.2
120
!.8
1.^
MICROCOPY RESOLUTION TEST CHART
NATtONAL BUREAU OF STANDARDS
STANDARD REFERENCE MATERtAL ^Q^Oa
f ANSI and ISO TEST CHART No 2)
NASA Technical Memorandum 103885
/yy-o(^
F. / / ^
Human-Centered Aircraft
Automation: A Concept
and Guideilnes
Charies E. Billings
■K
..- \ "'
\ \'-
August 1991
Quick Release - This Technical Memorandum is
a preliminary, unedited report. It is being released
in this format to quickly provide the research
community with important information.
fVIASA
Natonai Aeronautics and
Space Administration
NASA Technical Memorandum 103885
Human-Centered Aircraft
Automation: A Concept
and Guidelines
Charles E. Billings. Ames Research Center, Moffett Field, California
August 1991
IW\SA
National Aeronautics and
Space Administration
Ames Research Center
Moffett Field, California 94035-1000
D.
^^^^^..j^t^^M
DEDICATION
ACKNOWLEDGEMENTS
aU o?S,e^ir^Wn'^d^SSVsr^^^^ Space does not pcnnit acknowledging
ir^o^^n>onitS^Ms^X^%c^Lhi?.^i:'' T^'^^ m formulating the conclptf
time to review the fust^^ffJZ^M^^^i^^^f^^^ specifically those who took (he
and review of the second draT^^^^^SJ^i^i*^^ who assisted in the prepamtion
Dr.KathyRAbboa
Dr- Kevin Corker
William W. Edmunds, Jr.
DelmarM.Fadden
Dr. Richard Gabriel
E. James Hartzell
Charles S. Hynes
Dr. James Jenkins
Dr. John K. Lauber
George Lyddane
Dr. Evercn Palmer
Ussa Price
Ronald Rogers
Dr. William Rogers
William Russell
Dr. Thomas B. Sheridan
Dr. Michael Shafio
Harty G. StoU
Dr. David Woods
NASA Langley Research Center
NASA Ames Research Cfenter
Air Line Pilots Associati<Mi
Boeing Commercial Aiiplanc Group
Douglas Aircraft Company
NASA Ames Research Center
NASA Ames Research Center
National Aeronautics and Space Administration
Nanonal TranspOTtation Safety Board
Federal Aviation Administration
-NASA Ames Research Center
Sterling Software, Inc.
Air Line Pilots Association
Bolt, Baianek and Newman
Air Transpon Associaticm of America
Massachusetts Institute of Technology
NASA Ames Research Ctnter
Boeing Commercial Aiiplane Group
Ohio State University
Tran^"AsSSi'y"/^.'L^J!L^;Siir^i'i*^^ "■'^ T«k Force of .he Air
RABE I ' INTENTlONAUy BUU«K
ni
PRECEDING PAGE BLAT^K NOT FILMED
TABLE OF CONTENTS
ACRONYMS
INTRODUCnON
I: CONCEPTS
Assumptions arid Dctinitions
The Piloting Dcunain
Mission
Functions
Tasks
Resources
Development of Pilot Aiding Devices
A Ccmcept of Huinan-Centcied Autcmiation
The Role of the Human in Highly Automated Systems
Principles of Human-Centered Automaticxi
n. AIRCRAFT AUTOMATION, PAST AND PRESENT
Intioducti(»i
Aircraft Functic»; s
Mission Functions
The Tasks of the Pilot
Control Automaticm
Flight path oKitrol
Power control
Landing gear
Aircraft subsystems
Discussion of Control Automation
Flight path ccmool
EiTor resistance and error tolerance
Power control
Aircraft subsystems
Hie control-management continuum
The Future of Control Automation
Information Automation
Flight path displays
Power displays
Configuration displays and alerting systems
Subsystem displays
Information displays
I>iscussion of Information Automatic
inight path displays
Power displays
Configuraticn displays and alerting systems
Aircraft subsystem displays
Monitoring of autonoaticm
The Future of Infomudon Automati(Hi
Electronic library systems
Hlectnxiic checklists
Air-ground digital CQmmui!ia!!icms
1
3
6
6
7
10
11
12
14
14
15
16
17
x8
21
22
22
23
23
24
24
25
26
30
33
34
37
38
39
41
42
42
44
44
45
48
48
48
48
49
i
?i»fct.
ittktS*'
wi**^^
Him
PKECEDli.C PAGE BLA;\SK NOT FiLMEO
'f^m^^mtaammmmm
Management Automadm
TTic context of managenient auKKnation
Flight management system functions
Right management system controls
Flight management system displays
Discussion of M^agement Automation
Flight management system operation
Flight management system displays
The Future of Management Autcxnation
III. THE esfVIRONMENT OF AIRC3iAFT AUTOMATION
Intrcxiuction
The/iiicraft
The Physical Environment
The Opeiaticmal Environment
The Human Operators
IV. ATTRIBUTES OF HUMAN-CENTERED AIRCRAFT AUTOMATION
Introduction
System Goals
Attributes of Aircraft Auttxnation
Accountability
Sub(ndinati(Hi
Predictability
Adqnability
Comprehensibility
Sin^Ucity
Flexibility
Dependability
Informadveness
Etrar resistance
Error toterance
Discussion of Kttributes
V. GUIDELINES FOR HUMAN-CENTERED AIRCRAFT AUTOMATION
Introduction
Principles of Human-Centered Automation— General Guidelines
Guidelines for Human-Centered Control Automaticm
Guidelines for Human-Centered Information Autwnation
Guidelines for Human-Centered Managenvnt Automation
Some Thoughts on Aircraft Aatomation
The use of artificial intdligence in future automation
The effects of automation on human operators
The flight criticality of aircraft automaticHi
VI. CONCLUSION
APPENDIX: Aircraft Mishaps Qted in Text
REFERENCES
50
50
50
52
53
54
54
55
56
58
59
60
60
63
66
68
70
70
71
72
73
74
74
75
76
77
78
79
80
81
81
85
88
91
94
94
94
95
96
97
106
VI
^m
MHtti
I NiMJnnpmpisKHp^vpppHii
'^fmm^mmmmmm
2
3
4
6
7
8
9,
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
4!.
42.
43.
44.
45.
46.
47.
48.
49.
50.
51.
52.
53.
FIGUREj
Elements of the piloting domain
Pilot control and management continuum
A brief chronology of aircraft automation
Increasing complexity of aircraft autonTation
A construct of aircraft automation
First principles of human-centered aircraft autoi-nation
Control and display loops
Pilot information requirements
Control automation
Precision enroute and approach navigation aids: VOR and U.^
Dual-cue and single-cue flight directors
Overhead panel of AC electiical system
CRT synoptic display for system depicted in figure 12.
ToucF sensitive screen switches on a CRT display
A contmuum of aircraft control and management
Infomiation auKHiiation
Primary flight instruments
Electronic primary flight display
Pathway m the sky display
Electromechanical navigation instruments
Electronic map display
Primary EICAS display
Electronic display of flap-slat pc; iticms
Flight control confifmaticm display
Hydraulic system synoptic page
Quick reference handbook checklist
Simplified PFD presentatitxi
Egine thrust parameters and trciMi
Electronic display of switch position and function
Araoimts of information presenicd by various electromechanical displays
CRT displays of system information
Hierarchy of subsystem displays
Interaction of flight noanagement computer with other aircraft avionics
Honeywell FMS cwitrol and display unit
Control and display unit screen
FMS mode screens
Present and future options for management of air traffic
Aircraft in the future system
Tlie physical hazards '
Management of air traffic is shared
The air traffic control syston
Training is essential for uniformly effective performance
Monitoring and control functions
Accountability of autcnnation
Subordination of automation
Predictability of automaticm
Adaptability of automation
Comprehensibility of automation
Flexibility of autcmaticni
E>ependability of autCKiiation
Infonaativcness of autcmiation
Error resistance of autcxnaticKi
Error tc^eiance of automation
5
6
7
8
9
10
15
16
18
19
20
25
25
26
27
33
34
35
35
36
37
:.7
38
39
40
41
44
44
46
46
47
47
51
52
53
53
56
58
60
61
62
64
66
70
71
72
73
74
75
76
77
78
79
vu
^
r>
GLOSSARY OF ACRONYMS AND ABBREVIATIONS
^^rff.v^^r appropriate, acronyms and abbreviations used herein conform to FAA-approved
acronyms as used in t/ic Airman's Information Manuai and other nrgulatory and advisow maten^
SS^Si^c^ST'^'^'""^ "^^' ^°^ ^°^^'^ ^^^'^ 'y specificnnanu^facturersrrn"p?c';&
AC
ACARS
AERA
ARINC
ASC
ASRS
ATA
ATC
CADC
CDU
CFTT
CRT
CVR
DME
Di^pler
E-MACS
BAD
ECAM
EEC
EGT
EICAS
ESPRIT
F-PLN
FAA
FADEC
FMC
FMS
GPS
GPWS
GS
HSI
ILS
LNTTC
Abbreviation for "aircraft".
ARINC (^0 Communications and Address Reporting System
^^^^Jl^^'T,^'^'^^''i^''''h ^' ^^^'^ advanced ATC system concept
AcronauttcaJ Radio. Incorporated, provides data forwaiding services for air carrien
Aircraft System CoiitroUer(McDonneU-DouglasMD-ll) ^ ^"^ air earner.
Airpo! t Surface Detection Equipment (radar)
I^tl-:^ ^^ !fsxi^^i^'""^ ' ™"'"'"'y- -"M'™^ ■'■'"<^« -port"?
Ceriral air data computer.
Cathode ray tube.
Cc ckpit voice rccoider.
?i^fiJ^"""^ equipment, an element Ln the common navigation system.
S^tion "'^^'^°" 'y^'^"^ "^"g "5^ of Doppler radar'to sen^ rate of change
Engine Monitoring and Control System (lef 61)
Engine and Alert Display (McDonneU-Douglas MD-1 1)
Electronic Centraliad Aircraft Monitoring System (Airbus Indu
.Electronic Engine Controller (Boeing 757/7671
strisAHlO, A,320).
I£xhaust gas temperature.
ntSSi'"'¥-''*^°° ^"^^"^ ^^"^^^ ^y*^™ <^°^"^g 757/767, 747-4(». 777)
wSS^on'So^;^!^"" ''"''^' "^"^"^ '"^ ^"^^^ ^"'^ Development in
Abbreviation for 'flight plan".
Federal Aviation Administration.
Full audiority digitfil engine controller.
Flight miaTiageineniL computer.
Flight management system.
Global positioning system, a satellite-based navigation system
Orcund proximity warning system.
Prli^ji^P*"' *? ''^^''''} P*^ generated by a surface transmitter for instrument
approaches; an element of the instrument landing system. msmiment
Horizontal situation indicator, either electromechanical or glass cockpit display.
Instmmem landing system, consisting of localizer and glide slope transmitters on the
f^Z ^"^/"^ "^ *^^** ^ *PP«>^h conducted using II.S k^idancr
Aobreviation for "intersecrion", a waypoint in a navigation plar/ ^''^''''-
D.
INS
WSI
K1.M
LAF
LCD
LOG
LORAN
MC?
MrmE
MLS
NASA
NTSB
PERF
PFD
QRH
RMI
RNAV
SAS
SID
STAR
TCAS
UHF
VHF
VOR
Inertia! navigation system, an airborne system of gyroscopes sjid accelcrometers tha^t
keeps track of aircraft movcn^nt in thiee spatial axe5*.
Instantaneous vertical speed indicator, an electromechanical irstniment using air data
quickened bjr acceleration data; also the display of such information on a primary flight
display in a glass cockpit aircraft.
Royal Dutch Airlines.
Load Alleviation Function (Airbus Industrie A320), automation that acts on wing
contrcl surfaces to smooth the effect of gusts in flight
Liquid crystal display.
Localizer, a surface transmitter that delineates a patli to an instrument runway; a
component of the ILS. Also, the path so delineated.
Long-range navigation system, ^ound-bascd low-fiequency radio aids providing
triangulaiion-based position derivation for aircraft and surface vehicles.
Mode control panel: the tactical control panel for the autoflig it system; almost always
located centrally at the top of the aircraft instrument panel
MITRE Corporation, an engineering firm that conducts systems analyses and provides
engineering technical support and guidance to the FAA, Department of Defense and
others.
Microwave landing system, a high-precision landing aid which provides the capability
for curved as well as straight-in approaches to a runway, and conveys certain other
advantages. The system if in advanced development and veriiicarion testing by FAA.
National Aeronautics and Space Administration.
National Transportation Safety Board.
Abbreviation for ''performance".
Primarv' flight display, usually electronic.
Quick reference handbook, a booklet containing aircraft operating procedures,
especially abnormal and emergency procedures.
Radio magnetic indicator, an electromechanical instrurocn! showing niagnetic heading
and bearing to VOR or low frequency nonditectional radio bc£cons.
Area navigation system, a generic acronym for any device wliich is capable of aircraft
guidance between piiot-defmed waypoints.
Scandinavian Airlines System.
Standard instmrnent departure procedure.
Standard arrival route, like SID, an FAA-approved arrival nouie and procedure.
Traffic alen and collision avoid*aiCc system.
Ultra-high frequency, a portion of the electromagnetic sp(?cti*um used for aeronautical
communications and rtavigation.
Very high frequency, a pt^rtion of the electromagnetic spctcn-um used for aeronautical
comimunications and niivig^ation.
Very high frequency Onanidirccnonal Range, a siorface radio navigation beacon
transmitter which forms ihe core of the common short-range navigation system for
aircraft.
INTRODUCTION
TTie purposes of this document are to examine aircraft automation and its effects on the
behavior ot tlight crejvs, and to propose guidelines for ;he design and use of automation in
d-anspon aircraft, xn order to stimulate increased dialogue between desigTiers of airciaJ-t. autonSbon
^"nTi'-^'^ aircraft operators and pilots. The goal is to explore the means bywSh aStlon
con be made a more effective tool or resource for pilots without compromisingfand hopefuDv with
an increase in. aviation system safety. Human error i^- the dominant cause of aircrat^accidents
Most of these accidents are avoidable. The most imp. ;tart p-jrpose automation r^ sei^c is to
make the aviation system more error resistant and more error toier£t.
Automation at some level has been applied to aircraft since before World vvar I (ref 1 ) It has
been ai^ invg^^uabie aid to pilots flying special missions from 1930 onward. On Juiv 24" 1933 the
.„H 5«*^entercd automation principles incoiiioradng automated devices that assist in fUeht oath
safely with a crew of two rather than three persons, jusi as the development of automated area
im^ation systems (Doppler, INS, LORAN) had replaced the navigator «ome ye^ S^d
oTK''S^fHen?'f-?'\'?""'"'''*"T"' had supplanted the radio operator still eiS^ ^e^^n
f.. f,^ "^^"^ ' Task Force on Aircraft Crew Complement stated, "We believe that from^
airci^t systems stanapoim the level of safety achieved by the B-757, B-767. and A-310 St £
rXdi^*"'' '^^V^'' ^'J'''^"'^ ^" prcsenc-generation aircraft as a result of the irxrfased
redundancy, rchabiuty and improved information that are to be provided the flignt crews Sroulh
more extensive use of digital avionics and cathode ray tube (CRT) displays" (ref. 3)
More recently, aircraft have been Lntroduc-ed v,iih fly-by-wire conu-ol systems incorooratine
envelope protection that p.revents pilots from flying outside a predetemS mgh??J?e?oti
advanced flight management systems that automate navigation arid fUght path rnaSge^m Td
automatea suasystems irianagea, .nt computers that rebeve the crew of esseSy aTrouti^e
subsystem managcmem tasks, indeed, the McDonnell-Douglas MD-1 1, now enlenng s^u:e
reconfigures aircraft subsystems automatically after certain hafeware failures reducSsf^EhT^w
mvolvememm subsystems management shU further (ref 4). The MD-11 alsoSimptf toifeMhe
intentions of the pilots m cetain flight regimes and adjusts aircraft and enS DiTiiiJters
mor^nc^ly to conform with .ec -mended'operating p.x.5edures for jlo" pb^fs of Sr^
a.SSSf J Z: XA"h'^' '^"' '""^ ''■ ■' """'" ^^'^^ "^^y incorporate electroni? libraries which idll
automate much of the mioimanon uianagement now performed raanuaUy (ref. 5).
Two-person, highly automated aircraft have been in service for ten years, during which time
accident rates in United States air transport have remained level except for s^cuSvSonTr
have declined The President's Task Force in 1981 commented that ''ihtTncJelSi use of
autornanon on the DC-9-80 has led to a change in the number, but not the natoe of the^ks tha-
^e pilot performs compared to the DC-9-50. The role of the pilot is unchange?^'(ref 3^ ^ere is'
certainly no evidence that trar.sport flying has become less safe since the introduction of Si v
automated aircrait. and there is some evidence that safetv has unproved ??^at then i the
protlem that motivates this document? And why, m the face of this safety record h^ ihe Ai^
Transport Associanon (ATA) of ,i^Tierica cited aircraft au-omation as the todenSnfm it^
Naaonai Plan to Enhance Aviatior -rv through Human Factors IinproveninS" (refT)^
Although accident rates have been stabJc or h^ve declined di'ring the past tM^-o decades,
evaluation of individual accident and incident repom reveals two contrarv- trends. First, there has
been a sharp decline in accidents caused by controlled flight into terrain (CFn) since the
intioduction of ground proximity warning systems (GPWS) into transport aircraft in 1975 There
's soiree evidence that CFTT accidents have been replaced by incidents mvohing "controlled flight
toward terrain (ref. 7). but it appears that the Congicssionally-mandated introducdon of automated
. 'rrain proxmuty sensors and alerting systems has been largely successful in preventing most
accidents of this type in Aircraft of the nations that require GPWS.
The success of GPWS has been one of several factors that has motivated the U.S Congress
to require the installanon, dunng the next two years, of wind shear alerting devices and collision
avoidance systems in transport aircraft (rcfs. 8 and 9). Like GPWS. these devices can detect
conditions that may not be obvious to human pilots. Also like G?WS, these devices are advisory
ju nature; they alen pilots to the presence of a problem, but do not perform avoidance maneuvers at
There is a contrary trend, however. Several aircraft accidents and a larger number of incidents
have been associated with, and in some cases appear to have been caused by. aircraft automation
or. more accurately, by the mteraction between the human operators and the automation in the
?f n ; P ?T* ^'^^^' ^?°"S ^^^ ^ Nonhwest MD-82 at Detroit (ref. 10) and a Delta B727 at
uaiJas ^ref. 1 1 ), automated configuration warning devices failed or were rendered inoperative In
T5?m?'5'' ^' ^«^°°^"^»<=o ^-10 on departure from Frankfun (ref. 12) and an Indian Airlines
A320 landmg at Bangalore (ref 13), automation has operated in accordance with its design, but in
a mode mcompatible with safe flight under paiticular circumstances. In stiU other cases, automated
devices have not wmied, or flight crews have not detected, that the devices were operating at their
limits, as m the China Airlines 747 accident offshore from San Francisco (ref 14) or were
operanng unreUably, as in the SAS DC- 10 landing accident at New York (ref. 15).
4ncr,l?*H^ from incident reports also suggest that automated information systems, originallv
installed 25 backup devices for pUots. have become d^ facto primary alerting devices after ^liod^
of aependablc service. These devices were originally prescribed as a "second line of defense" to
warn pilots when they had imssed a procedure or checklist item. Altitude alerting devices and
configuration waromg devices are prime examples (ref 16). In the Nonhwest and l>:lta accidents
mentioned abcve. the flight crews should have, but apparently did not, check the configuration of
their aircraft before takeoff as dieir procedures required. The automated w^ing systems failed to
warn them that they had not performed these checks. In these cases, the present of (and reliaia
sS^«i b"^^' autoir^uon may have affected the mind-sets and behaviors of the pUots being
Accidents and incidents associated wiLh or caused, in whole or in part, by automation
constitute a new class of potentially preventable mishaps in transport aviation As such thev
represent a new threat to safety, the paramount concern of the aviation industry. It is estimated that
passenger enpianements wiU increase 75% by the turn of the centuiy (ref 17). It is not cnoueh to
mauitam accident rates at a-ry non-zero level in die face of our current surge in air transport activity-
the number of highly pubhcized. enormously expensive accidents will rise unless rates can te
reduced fimher. It is for this reason that the ATA's National Plan stated that "During the 1970's
and early 1980 s.. the concept of automating as much as possible was considered appropriate
The expected benefits were a reduction in pilot woridoad and increased safety... Although many of
these benefits have been realized, serious questions have arisen and incidents/at jidents have
^ w!]^ ^ question the underlying assumption that the maximum available automation is
.ALWAYS appropnate or that we understand how to design automated systems so that they arc fullv
compatible with the capabilities and limitations of the humans in the system."
th. iZJ.^ f ^^ ""^^ discussed spa:ific issues, and went on to say, "The fundamental concern L*
the lack of a scientifically based philosophy of automation which describes the circumstances under
which tasks arc appropriately allocated to the raachitie and'or the pilot." The nspon then defined an
approach to this doiuain, which in large part has been the motivation for this document.
To sumnnarizc: if there is a perceived probleni, tliere is probably a real problem Whether it is
precisely the problev: that is perceived is often susceptible to analysis but may be of little
importance m the lony ran. The aviation communiry clearly perceives that automation conveys
important benefits, but it also perceives in automation a potential threat to air safety Most
automation-relateo mishaps may be preventable, ji st as most accidents involving human factors are
pTcwcnt&bie. We rous? therefore try by even- means at our command to prevent them.
^ If automation is requLred, there must be an internally-consistent philosophy to govern i's
JcsigTj ana apphcanon. Accident, incident (ref. 18), and field studv (rcf. 19) data indicate that tiie
concerns of the aviation community (ref. 6) are well-founded— that automation conveys important
benefits but that it can ^so pose new problems. We suggest a concept for a philosophy of human-
ccntcnsd automanon and wiU attempt herein to define its elements in terms of what is taiown about
numan behavior and air transpon operations.
Tliis paper docs not purpon to be a designer's handbook. We have not attempted to cover in
any detai] the mynao details of human factors engineering that detennine how a cockpit should be
designed once a designer has determined what that cockpit should contain. Rather, we attempt to
suggest quesuons diat should be answered before beginning the design of the automation suite for
an advanced-technology aircraft. The report is aimed pi^marilv at three groups: cockpit designers
purchaser of automated aL-craft and the pilots who must fly them in line operations. Thev are'
bought of, respectively, as th^ creators, purchasers and end users of advanced aircraft automation
10 be effective, automation must meet the legitimate needs and constraints of each of these groups.
It is hoped that this document will provoke discussion within our community about what
autoimnon should be hke in future aircraft: what roles automation should play in future aircraft
how much authority it should have, how it will interact with the human operator, and what if any'
roles should be reserved for the human. We draws exten.sively on the automation of today
wathout m any sense intending to be critical of the enonnously capable aircraft now being flown
safely m our aviation system. But the perfect design has never existed and probably never will- too
many tradeoffs must De maoe m the course of the design process, and automation "design involves
complex and imprecisely understood interactions between human cognition and sophisticated
imormation processing machines.
In tiie first section of tiiis paper we define some teniis, look briefly at the development of pilot
aiding devices then present our concept of human-centered automation and of the role of the
human in highly automated systems. In the second section we examine in more detail various
kinds of aircratt automanon that have been used to date in an effon to discern what has worked
wel , what has worked less well, and why. We also examine trends m automation that may be
applied m aircraft in the near-term future in order to identify issues that may arise from us
implementation. In the third section we look at the environment m which new automation will be
introduced and used, and th; people who will use it, to determine factors that may interact
favorably or unfavorably, with that automation. In the fourth section we review guidelines that
have been proposed m the past and suggest desirable attributes for present and futi^ automation
rhe final section is devoted to a more detailed discussion of suggested guidelines for the
application of human-ceniered aircraft automation. An appendix provide.^ brief descriptions of
aircraft imshaps cited in the text ^
The style of presentation is essentiaUy didactic, though we attempt to explain the basis for our
conclusions- Automation is an an as much as a science, just as architecti're is an art as well as an
engmeenng disciphnc. It cannot be approached from the standpoint of pure reason nor can we
^^^,1^1'^'' of oeheving that there is but one best way to design, construct or even operate
automated devices. Many elements ot this document arc therefore arguable, but we suggest thrt
S^cSJSSdof ^^'"^ ''^''" **"" "^^ ^ '"^"^ '^"^ "' ''^°'''' '"^ ""^ «°*^ ^f effective, safe
^,f;~^*^ ^^'^^.^""'^ '^^'^^ P^°?^" ^' 35 years of observing and working with pilots, operators air
n-afnc controllers and a:rcraft manufacturers to try to build a safer nadona! aviation .V^tern It ^
hoped ihat this repon will be perceived as useful by the community whose ^u^dan^e and
forbearance over a long period of time made its creation jissible. feu.aance and
Charles E. Billings
August, 1991
-1
1
■1
B
u.
I: CONCEPTS
Assumptions and Definitions
!,. «,P^ ^;T^ '^'''^•^'■' ^^'■■^°" "^^^^ ^^'■'^^ '^^'^^ •" "s 1^89 report. "7/./.? p/fln aTvurr^. that
human will continue to manage and direct the National AviationSysterr through the\Ta'r''20%
Tne pilot ana the controller will both be mtegrai pans of the air and ground syS A u'ormtio^
lcS^£:^l^' '''''''' '' ^^"^^ ^"^ -^™--^ ^^ capabilUie^oAh^Sn^rn^;^"-
nr-,j!",t"^5''"' ^' "''''^.^«!?i"' ^^fers to "fl r>5/e/« or method in which many of the processes of
aevices etc. He.e, our concern is witft aircraft automation specifically, though ve will di<;ri,cc
because the curcraft is the device managed or controlled in the aviation system reeard'e« nf hrvi^
that conttol IS exercised or where the locus of control may be. Even ?emS:cXolSl Jr^Z
tnust su^l be controlled or managed by a pilot; the automation through wS?f ^e Si t rf^S
r^^J^ -F^^"^ ^"""'^ y autonomously, and the automation, we would argue. muS S hui^
centei^ if the system is to operate effectively. Wc do not consider air trX cmtSl exc«t inili
as It influences the management and control of aircraft. ^
some capacity to learn and then to proceed independenriy to accomplish! task SniaHoni;
simply one of many resources available to the human operator, who r? a ns tie LpoSfS
management and airecnon of the automation and the overaU system. rcsponsibiiiry tor
The Piloting Domain
We conceptualize piloting as the use by a human operator of a vehide (an aircraft^ tn
accomplish a mission (to move passengers and cargo betw^n twoJJTif! ) Rouse ?ref
fo TMrh^t^^.""^ °'J''^If ^'.""^ "^ ^ suppon humans to acni^rheoplfaioJS^^^^^
'^ll^elamk^J^^^ l'^^^'' perspective, the purpose of a ^t is ZttX £
Sr.?^n"^1jrS^^Xl^^^^^^ °f ^^ ^^^-^ - - suppon theW
The mission requires more-or-less
simultaneous i^ccOiUplishment of five
categories of functions: inner-loop control of
aiiplane attitude and state, control of the fbght
path m three dimensions, management of
airplane position, management of its systems,
and maintenance of communications with the
entities responsible for its movements. Eacn
of these funcnons may be decomposed into a
number of tasks, which may somenmes
mvolve several sub tasks. Tasks (many o^
which may be carried out either by humans or
by machines) are performed utilizing a
combination of resources.
Figure i : Elements of the piloting domain
D.
The resources available to the pilot include his or her own perceptual, cognitive and
psychomotor skills, the knowledge and skills of other flight and cabin crewmembers, the
knowledge and information possessed by other persons with whom the pilot may be able to
commimicate, and a variety of infonr don sources and control devices, including the automated
devices, withm the aircraft. These resources are controlled arid managed by a pilot in command,
who is ultimately responsible for safe mission accomplislunent.
Control and management of an aiicraf t may be viewed as a series of levels, which are categorized
by the degree of direct or immediate mvolvement of the pilot (tig 2).
2:
o
<
C
<
AUTONiOfVlOU^:
0-PE«ATi0N
HIGH
INVOLVEMENT
LOW
Figure 2: Pilot control and management continui m
Development of Pilot Aiding Devices
Not ail of thft functions required for mission accomplishment in today's complex aircraft are
within the capabilities of the unaided human operator, who lacks the sensory capacity to detect
much of the information iiequired for flight and who is unable to rrake certain decisions or take
actions based on them within the time avaiiable for accomplishment of certain critical tasks. In the
early days of aviation, the pilot set forth unaided, with only human perceptual capabilities to
provide necessary information. It was soon discovered that th^ >e were insufficient, and aircraft
sensors and instruments were developed to augment the hmited human capabilities.
Even before the first powered flight in 1903, aircraft designers had recognized the instability
of their machines and had begun to work toward providing pilots with assistance in controlling the
vehicles. The V^rights worked toward development of a stability augmentation device in 1907 (fig.
3); they were preceded by Sir Hiram Maxim, who patented the first such device in 1891 (ref. 21).
Orville Wright was awarded the Collier Trophy in 191 3 for a demonstration of hands-off flight
using an automatic stabilizer. By the 1930s, autopilots were considered essential for long-distance
fiyiiig. The inaxxiuction of retractable landing gear was accompanied by a requirerrient for
configtration warning systems. The introduction of four-engine aircraft led to the development of
automatic propeller synchronizing devices. Some World War I! aircraft were difficult to control if
an engine failed on takeoff; automatic propeller feathering device^ were consex^uentiy introduced
for tliese aircraft. The development of improved electronics led to the capability for automatic
navigation. The introduction of digital computers enabled \i. lesign of on-board flight and
performance management systems ar^ later, of tailored fbght conuol systems.
a.
IT
1900
"^7o "io 1^ ^5^
19*50 -^ T^
>^I > M I , I, II , I .,. - M ,4 m„
1?
4 i
>
FBW WTTH ENVELOPE
paoTEcnowiA-asfoj
PERFCRMANCS l»GT.
svsrrEMS{MO-«o;
fUGHTMGT. SYSTEMS
jl^CTIVE COMTROLS, ADV.
AUTOPILOT (L1011-5O0)
TR»*LEX AUTOPILOT ♦ AUTOLAMC
FUU-CAPAaitrTY FLIGKT OIRECTOn
SPERRY -ZERO-READER" DIRECTOR
COUPLED MAVIGATIO«{DO«)
AUTOMLOr IN WORLD FUGHT (HUGHES?
AUrrOPtLOT « WORLD RJGKT (POST)
rM3: '■'''' TYfO-AXISNOt«3yROSAS(TAPUN) '-■'J;}-,^^:,^^^^^
COUPLED STABILIZER (SPERRY)
STAB. AUG. SYSTEM (WRK3HT)
aYROSCOPIC STABUZER (lOAXM}
Figure 3: A brief chronolog^ of aircraft automation
Since shortly after World War n, nearly all o-anspon aircraft have made extensive use of
automated devices to assist and augment the capabilities of the flight crew. The advent of turbojet
transports during the 1950s introduced new requirements for automation. These aircraft were
considerably faster than their predecessors, and were less aerodynan:iically suble. The requirement
for very precise control, particulaily during approach tc landing, led to the development of new
classes of pilot aids including flight directors, expanded and quickened displays, and stability
augmentation devices.
The demands on the pilot-vehicle system became progressively greater, both in the area of
precision navigation and in requirements for more reliable all-weather opcraticin. Precision
navigation over land was enabled by the introduction of very high frequency (VHF)
omnidirectional range systems (VOR) and, later, distance measuring equipment (DME). Long-
range navigation over water was immeasurably aided by the development of area navigation
systems — first Doppler, later inertial navigation devices that freed aircraft fro^i dependence on
ground radio aids. Precision approach aids, primarily instrument landing systems (ELS) and
improved approach and touchdown 2one lighting were introduced. Static-free VHF
communications equipment became standard for short-range radio communications.
The development of compact solid-state electronics made it possible to accomplish much more
computation within the aircraft. Contemporary aircraft may contain well over 100 computers and
microprocessors, which assist in the control of aircraft state and energies, flight path management
and aircraft systems management. They may also assist cabin crew in certain of their duties.
Flight and performance management computers perform most tacilcal navigation chores;
sophisticated digital autopilots, interfaced with the flight managcmeni systems, control aircraft
attitude and thrust from takeoff to landing roll-out. Electronic flight displays are managed by
computers, as are the detection and monitoring of aircraft state and system parameters. In the
newest vehicles, aiicraft systems management has also been increasingly automated (refs. 4, 22,
and 23).
u.
AIRCRAFT
AIRCRAFT
X
coffmoLS
CONTROLS
I "
PILOT
fl920«1
AUTOPILOT
I
RLOT
■■■■■■
:i»4o«i
INCREASINS COMPLEXITY, DECREASING DIRECT PILOT CONTROL
'° " "°'"™'" ' ' ffi!MiMi i iiBiit!aiitB<WWW M Wm ^ ^^
Figure 4: Increasing conTplexity cf aircraft automation
The introduction of these automated devices and system, has iniprovcd system performance
and has considerably simplified cenain aspects of the piloting task, but it has also increased
complexity in the cockpit (ref. 21). The versatility of contemporary autopilots has provided the
puot widi many more modes of operation by which the aircraft can be controlled pr^isely but it
also requires that the pilot remain apprised of much more information about the automated systems
(fig. 4). Contemporary flight managemept systems relieve the pilot of routine navigation chores
but also require pilots to perform new programming and management tasks and to monitor system
performance more closely. New displays have enabled the presentation of much more information
regarding aircraft systems, state, and environmental factors, but they have also considerably
increased the human operator's information processing load.
These trends toward more information, greater complexity, and more automatic aircraft
operation have the potential to isolate the pilot fh)m tiie vehicle and to decrease his or her
awareness of die state and situation of the aircraft or system being controlled (ref 24). This can
occur either because of information overload, leading to channeling of attention and failure to
perceive all relevant information, or because redundant perceptual cues have been reduced. It has
become necessary to ask whether the richness of the information supplied to the pilot and the
complexity of the automation (or at least its perceived complexity, &om die viewpoint of the pilot)
makes it less likely that the pilot will remain fully in command of the situation.
Humans cannot assimilate ver>' large amounts of raw information in a shon period of time
nor can they handle tasks of great complexity under tight tiice constraints. A major objective of
this document is to facilitate discussion of how much information or complexitv is too much
Another is to explore how increasingly complex information processing and control task5 can be
simplified so as to remain witiiin the capabilities of tire persons who must pcrfOTm them.
10
A tliird objective is to consider how much automation is necessary, and why. If systems are
sufficiently simple (ax^d this should always be a design goal), automation may not be needed. If
tasks can^'Ot >>e ^irnpbned, or are so tirae-critical that humans may be unable to perform them
effectively, autom2uo\ must be utilized. Even then, simpler automation will permit simpler
interfaces and bencr human understanding of the automated systems. In particular, tlie structiire or
architecture of automation tools must be simple enough to permit them to be effectivelv managed
by the human operator (fig. 5).
MANAGEMENT
RESOURCES
FMght
Crew
OheckJtsts
Flight
Management
SysiBfT
X
(^4S, ONS.
GPS, VHF
Stored
Data
i
NFORWAT'ON
RESOURCES
S A^C
■,y. Rwsouroes
::.;■::;:,:-:■.]
Flight Piarming
System
'■:■::-':■.
1
Environmental
SurvaJttarcQ
Systems
K
■r:-r::::;T:r:r,,y :■:■:;::■::
V.;-^":
AMT?ane
Systems
'■■■■n-
\
■ ■ :
:;4
OiagnostJcA
Maintenance
Systems
:::;S;-:i
EMMMt
:: ■ ..■ ■■ ■■■■ ■ ■"■■■"■■
Figure 5: A construct of aircraft automation
A Concept of Huinan>Centered Automation
"Human-ccRtered automation" is a systems concept. Its focus is a suite of automated systems
designed to assist a human operator/controUer/manager to accomplish his or her responsibilities
The quality and effectiveness of the pilot-automation system is a function of the degree to which
the combined system takes advantage of the strengths and compensates for the weaknesses of both
elements. To bound this concept, a fully autonomous, robotic system is not human-centCTCd, by
definition. The human has no critical role in such a system once it is designed. Conversely, a
fully nianual system contains no automation. None of today's complex human-machine systeins
is at either extreme, however; nearly all provide automatic devices to assist the human in
performing a defined set of tasks, and reserve certain functions solely for the human operator. Our
concern is with these partially automated systems in which humans play a central and in the case
of aviation, a commanding, role.
The Role of the Human in Highly Automated Systems
We have already inferred that current aircreft automation is able to perform nearly all of the
continuous control tasks and roost of the discrete tasks required to accomplish a mission Why
then, IS the human needed in such a system? Could automation to accomplish the rest of the tasks
no; be constnicted? Would it not be easier and even cheapei to design highly reliable automata that
could do the entire job without worrying about accommodating a human operator?
11
D.
Under optimal circumstances, the "mechanical tasks'' of getting an aircraft from one point to
another could be accomplished automatically. The aviation system, however, is not an optimal,
fully controlled system. Many variables uathin that system are highly dynamic and not fully
predictable (the severity and movement of weather systems arc prime examples). Aircraft
themselves, while very reliable, sometimes fail in unpredictcd and unpredictable ways, as was seen
m the catastrophic engine failure of a United Airlines DC- 10 at Sioux City in 1989 (rcf. 25), the
structural failure of a United 747 cargo door the same year (ref, 26), and the fuselage failure, of an
Aloha Airlines 737 over Hawaii in 1989 (lef. 27V
Automation can also fail in unpredictable ways. Minor system or procedural anomalies can
cause unexpected effects that must be resolved in real time, as in an air traffic control breakdown in
Atlanta terminal airspace in 1980 (ref 28). These effects are complex; some are poorly
understood. Even if the effects themselves could be pre^cted and modelled, th^. computational
engine that can cope with such state variability in real time has not been constmctcd.
Though humans aie far from perfect sensors, decision-makers and controllers, they possess
three invaluable attributes. They are excellent detectors of signals in the midst of noise, they can
reason effectively in the face of uncertainty, and they arc capable of abstraction and conccpmal
organization. Humans thus provide to the aviation system a degree of flexibility that cannot now,
and may ri^vcr, be attained by computational systems. They can cope withi failures not envisioned
by aircraft and aviation system designers. They arc intelligent: they possess tiie abiUty to learn
from experience and thus the ability to respond quickly and successfully to new situations.
Com-puters cannot do this except in narrowly defined, well understood domains and situations
(refs. 29 and 92).
The abilities of humans to recognize and bound the expected, to cope with the unexpected, to
innovate and to reason by analogy when previous experience docs not cover a new problem arc
what has made the aviation system robust, for there are still many circumstances, especially in the
weather domain, that aie neither directly controllable nor fully predictable. Each of these uniquely
human attributes is a compelling reason to retain the human in a central position in aircTaft and in
the aviation system.
Principles of Hunian*Centered Automation
RRBMISB
nie pikM bbais m« uftiTMU^ m^MnafaOiy for !h» tBf«ty of any 1^
AX!OM-
Th« hurrvm opefator must b» in oofnmand.
COf^OLLARIFS:
To command effeciivftty, !he human operttor must be ffYVolv>sd
To b« invo^vd, the human operator mutt be irttomned.
The human operator fm»i be able to monitor the auiornaied sycaiems
Automated systems must therefore be predksable.
The aUoma^ed systems must also be tth to momior the human opsfstor
Bach elemeff* of the system must have knosvtedge of the others' inlent.
Figure 6: First principles of humanHz^ntered aircraft automanor
Figure 6 summarizes our view of
hunaan-center^ aircraft automation.
We assume that the human operator
will continue to bear the ultimaii
responsibility for the safety of flight
operations (ref. 6). Federal Aviation
Regulations confer on the pilot in
command essentially unlimited
authority to permit him or her to fiilfill
this ultimate responsibility. This is
axiomatic in civil aviation. We
bebeve that certain corollaries devolve
from this axiom. They are described
briefly here and discussed in more
detail in the Guidelines (section V).
12
To command effectively, the human operator must be involved.
To remain in command of a vehicle, operation, or situation, the commander mus v>
involved in the operation. He or she must have an active role, whether rlSrSS^^fs to^o, trd
Se^tef " "' ''' ""'"''''' ^'^ "''"^^ '' '"^'^^^"^ ^^^°"'-"=' ^^' -^i^h cc:nt;o! has Seen
To be involved, the human operator must be informed.
Without mformatjon about the conduct of the operation, involvement becomes randon-
S^ th? oIIS^?' """'• ^'^' ' '°"^""^"S "°^ °^ infomation concerning the sSe Id Z^^s
Jj^L ^''^''^l °' '^"'"^ '° '^^'"^^^" involvement with it. The information must be
:u^^nZ"'ntr^'''T''''^ responsibilities of the pilot; it must include all^fa neceTs^ to
suppon the pilot s involvement in tne operation. ^^»^<xjy lo
The human operator must be able to monitor the automated systems.
The ability to monitor the automated systems is necessary both to oermit the niiot tn
^^^^i?rf '":' "^"'^°"' ^^ ^^° ^^^"^ automate^yJtems J?S bfe 'FlSht
aiDcal digital computers, m particular, arc likely to fail in unpre<icted ways at unpredictfble
Automated systems must be predictable.
The human comniander must be able to evaluate the peiformance of automated sv^rem.
against an internal model fonned through ?cnowledge of the normal^hav or S^elvstem^^^^^^
SshTn c?n°/h?r '' '"^ "" <^ffective. Only if the systems normally behave n a pSSle
The automated systems must also be able to monitor the human operator.
.,n..nS"T^,^' Of course, are not infallible either, and their failures may likewise be
unpredictable, although a good deal has been learned about human faiLrem^es ?or tha^
TmS/V ""^^''"^ ?^^ ^"^ ^' ^^'^ '' ^^^'^hine perfon^crbe mSed M^nv
cTrS^rT"^^- ?^^''='=' are in use in aviation tcSy, but the ava^abX of highW
r^m co^'Puters with access to much of the needed information makes ^Wsibleo
bin done St;.'"' " ' "°" '^'^"'°^ '^^'^°"' ^° "^°""- P^^°^ P^iS^^c'^San has
Each element of the system must have knowledge of the others' intent.
th^ nSS»^*'""^""^- ^'^^ **'^^ ^ ''^^"^^'"^ ^ *^ "^^""O'- understands what the operator of
the momtored system is tiymg to accomplish. To obtain the benefits of effftrrivlTmSiS
the intennons of the human or automated systems rnSt b^Lownr^fs app^^^^^^^
i3
H: AUTOMATION: PAST, PRESENT AND FUTURE
Introduction
In this section we look at automation that has been used in the past. We discuss some of the
ways in which automation has been chaiactcrizcd, using the functious that a pilot must perform as
a base. We examine automated systems that have worked well and some that have not been as
successful, and attempt to draw from these examples issues thai need to be considered by
designers and operators. Finally, we attempt to project current automation technology into the
future in the hope of discerning new developments that may pose new or additional questions
regarding the roles, functions and forms of automation technology in the next generations of
aircraft. The emphasis is on fonning the questions that should be considered in specifying and
designing automated systems. Section III examines pertinent characteristics of the environments in
which automation will be applied, and the people vvho must operate automated systems.
Aircraft Functions
The range of functions that an airplane can perform is really quite limited. An airplane,
properly controlled, can move about on a prepared surface. It can dcpan from that surface and
once above the earth, in the atmosphere, it has freedom of motion in all spatial axes. Finally, it can
return under control to a precise area on the earth's surface, land, and again move about on a
prepared surface, coming to rest at a predetermined spot. All of the sophistication of current
aircraft is devoted to insuring that this limited range of functions can be performed with complete
reliability and safety.
All aircraft controls and systems are devoted to the performance of this narrow range of
functions. Faddcn's (rcf. 30) taxonomy is very useful. Control automation assists or supplants a
human pilot in guiding the airplane through the maneuvers necessary for their safe performance. If
aircraft flew only under visual meteorological conditions over familiar routes between familiar
airports, experienced pilots would need only very simple, straightforward automated devices to
assist them m performing their missions.
Control automation includes devices devoted to the operation of aire aft subsystems, which
are quite complex in modem aircraft These systems control fuel, hydraulic power, alternating and
direct cuneni electrical power, pneumatic engine and anti-icing systems and pressurization, landing
gear and brakes, and sometimes other functions.
Much of the automation found in contemporary aircraft is not devoted to controlling the
aircraft, but rather to informing the pilots about tiie airplane's state and location and the location of
real or imaginary sites on the surface of the earth. Fadden has called this ^'information
automation*^ It includes all of the displays and avionics devoted K) navigation and environmental
surveillance, and also digital communications with air traffic control and airline operations,
I tformation automation is expanding rapidly at this point in time; the next generation of transport
aircraft may incorporate electronic library systems containing much of the data now stored on
board in hard-copy form.
A third category can be added to this automation taxonomy, which one could call
'marMgement automation*' This term denotes automation which permits the pilot to manage the
conduct of a mission. Roughly speaking, management automation permits the pilot to exercise
strategic, rather than simply tactical, control over the performance of a mission. In this sense,
management refers to goal-directed rz^tr than function-directed behavior, Vt\t pilot establishes a
set of goals; management automation directs control automation in the performance of the required
functions and directs information automation to keep the pilot informed of the state of the airplane
and of progress toward satisfying the specified goals.
14
mm^tam^M
con^S^S^L'hf^T^^nS!^''' ^^V^«s^ by these categories of automation, may be
cons..aereci as an hierarchy of closed loops, as shown m figure 7. The arincioaJ differ-nce in tho«.
tasks as one proceeds from inner loop to outer loop control is one of bandwidth ^^^^
automation relieves the pilot of the high-bandwidth requirements of dLct abcraP cTtr-S
ollJiSSn^^S^X^SrcllSg^^^
Inputs from
Environment
ATC
inputs
Company
inputs
Y\
[
Pilot
!T
Aircraft
Systems [*-
Controis
Sub-system
control
computers
Aircraft
sub-systems
h
,^ Flight j^
Ck>ntrol$
1
Mocfe
coTitrol
panel
Flight contro, r> . , ^
computer *- ^°"*^''' surf?ces _^
FADEC Powerplanls
ze:
Autopilot
Controiiar
"1
L
1
Control
display
unit
MCP displays
T
I
Sensors
Flight
Management
system
«H CDU displays
Inner loop
Intermediate loop
Outer loop
Figure 7: Contro! and display loops
Mission Functions
safely i^d efficiendy. cJ^l"^!^i^go^in^c^,^^TJ°^"r^
B
15
Sfc Xw^ "*" "^^ ■^"^hou. us nigh,, all 0,c While Observing airlin. and ai,
lerrain weath-Taid Sr -?^J;f, !^ ' 1? "" ""«"« of environmf.ntal threats including
CO™ mrbl« ;; S tirSs "Sit m^SnTfii""" 5' '"T of their aiiplane, its systems and m
..u.tethc«.ahUsh^;;;=o?^.T^?^JS'p^Sin'S=Xl^^^^^^
AUTOPILOT
STATE
FMS
STATE
AIRCRAFT
STATE
ENERGY
STATE
ENERGY
RESERVES
STATE OF
AUTOMATION
AIRCRAFT
TRENDS
SYSTEM
ANOMALIES
SYSTEM
TRENDS
SYSTEM
INTENT
ATC
INTENT
ENVIRONMENTAL
THREATS
Figure 8: Pilot infcmnation reouirements
The Tasks of the Pilot
pos.don.ofwheLthcT^tsn^'nSLnJS.,^:;;;';:^:;!^^^^^^
lo successful mission accorapUshmenL Finallv thrv mu^rr/Lm„-7i L lu^^' ^Jo^ th^ais
their compar.y, and scmctinis other aix^'L old ^^ITZyt^Z"^'^ .""T"'
avxate, navigate, comr^unicate." TlKxagh these axe so fundi^SrST^LIt^f t^t ^^c^
16
fl
b.
Air Lines L 10 i 1 that craslwd w 'he Everglades did so because of a failure to maintain surveillance
of the airplane's flight path while on autopilot (itf 31 ). A DC-8 crashed at Portland after running
out of fuel because the flight crew was preoccupied with preparations for an emergency landing
(ref. 32). Many "controlled flight into terrain" accidents have occurred because of failure or
inability to maintain positional awarsness. Tnc worst accident in air canicr historv, tlie collision of
two 747s ai Tenerife. occurred because of a faUure to communicate unannbiguousiy (ref. 33).
These tliree tasks are simple enough when deconnposcd, bui they can create severe workJoao
burdens when pertbnned sinr^ultaneously under demanding conditions. Such conditions are often
not of the flight crew's making; figure 7 indicates that there are open- loop forcing inputs from air
traffic control, from airline companies, and from the environment. Automation can lighten this
burden on piUots, first by relieving them of the burden of inner-loop control, second by providing
integrated infonnation, and third by allowing them to manage at a higher ievei. The' figure also
suggests, however, that each of these kind.? of automation increa.ses the information processing
burden upon pilots, by requiring them to keep track of additional systems and data. Thus, while
aatomaiion has decreased the bandwidth of pilots' t&sks, it has increased mental (percepmal and
cogninve) demands upon them. It has also increased the "overhead": the knowiefige and
informatior necessary to operate the automation itself.
^ An automation paradox: Herein lies a paradox of aircraft automation. To the extent tliat it
uas taJccn over inner and intermediate loop tasks, it has changed the tasks of the oilot,
notwithstanding the conclusions of the President's Task Force on Ciew Complement. Whether it
has lightened them depends to a considerable extent on the demands of the task, and on the amount
of information and attention required to operate and monitor the automated svststns and displavs.
It has been observed (refs. 19 and '34) that automation may decrease workload when it is already
comparatively low, during cmise fUght and at liigh altitude, but that it mav increase workload when
It is ab;eady high, durmg climbing or descending flight in terminal areas. It should be noted
immediately thai ir is not clear whether this is an inherciu automation problem, or whether this is
because we have not provided simple enough interfaces through which pilots interact with
aut.>maaon. In short, have we automated die wrong things, or have'we simply done an inadequate
job :n some of our efforts to implement higher levels of automation in a simple enough manner?
The point of this discussion is that our information concerning the effects of automadon and
particularly its unwanted effects, does not usually differentiate between "good" automation, poorly
implemented, and "bad" autonaation, in terms of roles and functions. It is critica] that these he
differentiated m any discussion of automation, and we shall try to keep this difference in m^nd as
we proceed to a discussion of the automation that has been developed to date.
Control Automation
Here we wi?l describe automation -liai has been implemented in transpon aircraft to date lliis
list is not exhaustive, but it attempts to place new automation in the context of increasing
requirements and in the context of other enabUng technology. Figure 9 illustrates the conuol asoect
of the pilot's task. *^
17
^ii
\ Inputs from
\
I ATC
inputs
■^ Displays -»
Foi.
Displays
PItOT
[ Company y^
i inputs
Aircraft
Systems
Controls
Sub-svstdm
control
computers
\ Sensors U^
Aircraft
sub-systems
FADEC i
Right _ ^^^1^,"^^'|| , I Control sudmces
r^«*r«i*. ^ computer, h^» .
controls ,-*«^^ . Powerpi^ms
iTdmBn^MHtai
A!RCRAR
Figure 9: Control automation
Flight path control: As indicated in the introduction, control automation has bczn around
for a long ume. The first automated controUcrs simply maintained attitude in the roll axis* later
generations of such devices have been called *'wing levelers" and they continue to be available for
general aviation aircraft today. Originally introduced to ease pilot workload in Hying extremely
unstable airplanes, they still perform that function, though aircraft stability has improved
dramatically. Autopilots, as such devices came to be called, added other axes of control; the device
used in the world flight of Post's Winnie Mae was a three-axis device which maintained the aiitraft
m pitch, roll and yaw. the three inner-loop functions required (ref. 2).
In the early generations of autopilots, the gyroscope which sensed roll and yaw was also used
as a heading, or directional, gyro in the cockpit. Sensors in this device permititd a constant
heading to be specified by the pUot and held by the autopilot, though the gyroscope wa? subject to
precession and its direcoonal component had to be reset frequently by reference to the aircraft
magnetic compass. Some autopilots of this period later incorporated a relative barometric altitude
sensor which could be used to hold alrimde as well, once the proper altitude was attained and
inoicated to the sensor. In these developments, wc sec the beginnings of intermediate loop control
m which the pilot was able to specify heading and altitude to be maintained, rather than simply roll
and pitch attitude.
, • ^^ gcr beyond these tasks required many years and tiie dcvelcpmcnt of complex electronic
Devices. The advent of precision radio navigatiwi systems capable of providing both azimu^hal and
distance mfomiation occurred during the late 1940s and early 1950s. Very high frequency (VHF)
navigational radios ehminated problems due to radio frequency interference fixjm thumierstorms
but they were limited to iine-of-sight coverage. VHF omnidirectionai range fVOR) trans litters
Decan:.e the foundation of the "common system" of aerial radio navigation. Distance measuring
w^uipment (DME), consistmg of airborne intenogators and ground transpondcre, was co-located
with and augmented the infwmation provided by VOR transmitters (figure 10).
For precision approach guidance, VHF high precision directional "localizer" transmitters
CLOC) and ultra-high fnjjquency glide slope transmitters (GS) were located on airport runways-
together tney formed the basis for the instrument landing systems fILS) which are stiU the standard
approach aids m the current system. DI^ has more recently been co-located widi DLS as well as
with enroute navigation aids.
Tliese devices and specialized aircraft navigational radio receivers or transmitter-rereivers
(transceivers) provided aircraft with positional information of higher precision. Their signals
provided unambiguous azamuthal and distance information, which could be used either by pilots or
18
J).
h^'^aSr^H?' r''/.?!'^ intermediate loop control of aL-craft paths. D-S signals, which provided
he.ght guidance as weU, were used to penult both manual and automadc r*couD>ed"^ Drerision
S.'^/^" \T"'<' 71^'>' '"^^^^^* '^' ^^''Sr^^ ^"^ impk^i^entation of autop lots wifh a w de
raiige of capabihues including maintenance of pitch, roll and vaw, maintenance of - iack to or
gNROUTE NAVIGATION |
F^ RECiSION APPRO ACH NAVIGATION !
LOCALIZER
LEFT
cOCALlZER
RIGHT
(.^STRUMENT
LAt^OING
SYSTEM (ILS)
A80VE \
Figure iO: Pracision erjroule am? approach navigation aids VOR and ILS
.^ ?^'J, ^"'°P^.^0" ^* navigation couplers were disliked liecause of the rouahness with whinh
Swept-v^Jig jet wcraft anc susceptible to adverse yaw during banked turns Earl- • .n t^ncr.^
air^-raft (notably the Boeing KC-135 unker) requircd^ery precfse maruaT^ntSl^ Su^r^
19
tendency When the 707 derivative of the KOI 35 was introduced, yaw dampers were provided to
counter this problem. Though nomuialiy under control of the pilot (they can be nimcd off), yaw
dannpers in fact operate autonomously in all jet aircraft. The same can be said of pitch trim
compensators, used to counter the tendency of jet aircraft to pitch down at high Mach numbers.
These devices, first introduced in die DC-8. iikevidse operate essentially autoncrnously.
Figure 1 1 : Dual-cue (left) and 3ingle<ue Flighi Directoi's. Airaraft is icfl of localizer and just
below glide slope; directors are commanding a right turri md climb lo regain ccnk^rlmcs.
Swept-wing aircraft also required moi^ precise control to compensatt for decreased stability
and higher speeds, particularly at high altitudes and during approaches to landing. Flight bv
reference to precision navigational data was tnade easier by die development of flight director
displays which provided pilots with computed pitch and roll commands, displayed as shown in
figure 11. The directors were much easier to fly than unmtxlified VOR or localizer and glide slope
data, which were presented on the periphery of the same instmments used for the director displays.
Such displays rapidly became a mainstay of transpart aviation: they made it possible for pilots of
average ability ro conduct maneuvers with high precijsion, though concern was expressed about
"ioiying sight of raw data ' while rel>dng upon the directors for guidance. A Delta Airlines DC-9
impacted a sea wall shon of runway 4R at Boston during an approach in severelv linriited visibility
(nef 36); its crew is believed to have followed the flight director which was set m ^attitude" Hiode
rather than "approach'' mode, without adequate cross-checking of localizer and glide 5lcpe data.
Control of aircraft longitudinal and lateral trim is maintained by several roeans. including small
trim tabs on control surfaces. Automadc uim control devices which operate either on ihe«e
surfaces or on the aircraft control system have been components of autopilots for many years.
Most operate autonomously in cenain autoflight modes. Some newer aircraft with advanced
primary flight control systems incorporate a load factor demand law which continuously trims th.e
aircraft toward a 1 G condition. This relieves the pilot of the task of re. imming the airp.ane after
power changes, but it also removes ucrilc feedback regarding longitudinal trim. Other aircraft,
which incorporate fuel shifting to minimize aerodynamic drag by adjustiiig aircraft center of
gravity, also trim the airplane to minimize pilot attention to the load shifting. Most of these devices
require no pilot input or attention under normal conditions.
Spoilers, aerodynamic surfaces on the wing long used in glidcn to moderate flight path during
approach to landing, were installed on jet aircraft to increasf; control authority and reduce adverse
yaw, to assist in sbwing these acrodynamically clean aircraft, to permit sleeper descents arid to
dump aerodynamic lift during landings. Tnough early jets had m:iriually^ontrolled spoilers, later
gene-rations had spoilers that were activated either manually, in flight, or automatically by mam
wheel spm-up during landings. The Lockheed LlOl 1-500 incoiporatcd a soihisticated system
known as direct lift control for automatic precise fight path control during automatic approaches.
20
^m
Some of i^ic newest trarispons also incorporate autoraatic gust alleviation control using spoilers
rhe newest aircraft also provide automatic spoiler operation if power levers are nulled Mly back
dwing an aborted takeoff, and raay apply auiobraking when ground spoUers are deployed.
Some aircraft now in service (A320) Jncorcorate "fiv-bv-wire" instead of conventional
mecnamcal ornydrauUc control systems. In fly'-by-wirc .'ystet^s, the pilot's comXa lua^e
elewtronsc coniroi devices who^ outi.uts are dL-ected to hydraulic or electrical servomechanisrns-
me.e dexices actuate tne control surfaces. Ttic advent of fly- by- wire system.s has provided conn^oi
system engineers wuh great flexibility to ta;lor the control responses to match desiS
ta^e oStf'^i ^^T^ unstable airplane can be made to feci, to die pilot, like al. ex^erie v
I >naf,lw^ ;?ft 'ndeed, some ot these a:rcratt deliberately incoiporate a degree of reduced
longitudinal stabdits whicn is corrpersated for by a stability augmentation svstem Even
";fT"^^;^iS."''''^"^. "'^' "' ^""h ^'^"^^^ '' ^''""^ accomplished by one or morfcLputers
inteiposed between ti.e pilot and die machine. > ^ ^» -r. computers
fl;«h?^'^ T"^' ^'^!lj^'^^'^'« offers other opportUu.ues to the designer, who may now iin-nj rhe
^!^nZ^°r^ ^'^'"'^^ f^'"^^^' '^"'P^^ <^g^«<iation of flying qualities as safe operau^g" iinSs
are approacned. or simply render u impossible for tne pilnt to exceed certain bounSrie. tw
It is iiJcely that rnost or all fumre large transports will incorporate flv-by-wire 'or flv-bv-Jish'
using eiectro-optical conduits for control signals) as docs the A320.- Along with flv iJvS
.; emJ r^f'"" " ^^"^''^^^^l'^ '"'^^^^^ ^^ the flexibility of autopilot and Uxml^^Z
ni^^SL^^r'^':'' Tu"^^ **^^l' ^^' "^^y "^«i«s of operation, each of which rfust be
understood oy the puot if they are to be used appropj lately.
n.rSr.^'^Z ''"''""r^** ^^^'iP^^r^t'^ng engine aircraft had only limited inner-loop automation of
control systems. Autotimac mxture conorols which uuHzfid barometric altitude data toSst LT
ai>: raaos were installed in the DC-3 and later transporLs. Automated control 5^0^06^1:4 * as
Sfw- '^ "^"f^ '^^ ^^^^\ ^•°^. ^°"g ^'^^ conS^Uable-pitch DropeS f aTm;]d-:Linr
S^:T?in 2 "^ ^""""^ synchromzauon of propeller speeds to rtini^ze vibra::T.n and SiSy ng
^ ii^^. ^"^''f ' P'^^^ir autosynchronizers were developed to rratch the propeller speeds of
aL engines. ThrotUes. propeUer and mixmrc controls were not integrated, however m,rlS?Senr
introduction mto general aviation of a Mooney airplane poweSl by a new Csche e^fre
incorporaDng a single power controller. y * "cw rorscne en^me
Hv/^iT.""^ ^'^^'^ ''"'^ °' '"^?"' ™^^^ ^''^^^ ^«=^ purchased in considerable numbers by
f.^l3f h T- ^"'^ ?""' required civil registration to sundards quite different from Aose
imposed by the anned forces m the heat of war. Some of these aircraft had undesirable fN^^e
SS"^. ?n?f ft' '^"'f '^^^^"^^tf ces. In particular, some were extremeVSemringTSy
after an engine tailurc at low speed dunng or shortly following takeoff. To ease the asvtfj^e&^r
drag causec by a windmiUing propeller and assist pilots in maintainim? control during thrSS
momems after takeoft, automatic propeller feathering systems were ^Lodnced m some aSS
■n^c^ aevices sensea a lossjof thmsr in a malfuncdoning engine and rapic% mlvi i s proSSTt^
a fully feathered pc ion. Tne dcvHces provided critical assistance when they funcdSp?^t^ W
h'Lf.K^1 '""'^"^^ occuired after fully funcdonaJ engines were shut down L?onomofslv X^'
fn^hvf ^? f cidcnts. such as that of an Aerospatiale Nord commuter airplane at Lo. AnS?
It^fh ^'IT *'^'^.'^"' ^^"^ '^"^ remaining er>gine after an autofeatheringsVstem has ope^K
make the other, malfunction mg engit-e ineffective (ref. 37). Autofeathcring systems on^ea^<S
by pilots, an- mdrpendent of pilot control and they do not roofy the piloTiS t^ne ILdcn -^^
that extent, they remove a portion of the pUot's authority, a topi . on which^^vlS^Sf S iatc
21
The earliest autothrcttie systems in turbojet transports simply controlled fuel fiow to uirboiet
engiaes. They were rtladvely crude and wert .lot liked (or much used) by pilots because* of the
roughness of their power control (which disturbed passengers). Later devices, more sophisucafed
controllers and better powerplani models improved tiie operation of autothrottle systems. More
recentl> the development of full-authority digital engine controllers (TADEC) has improved siiU
farther the precision with which jet powerpiants can be controlled. Nearly all contemporary jet
aircraft incorporate autothrust systems which arc used to set engine power lo automaticaliy-
detenmined narameters even during the takeoff roil.
Landing gear: Landing gear retracdon and extension is still a manual procedure in ail
transport aircraft, but information automation in the form of configuration warning systems has
been used since it was first discovered by a hapless pilot that retractable gear aircraft could be
larded with the gear retracted. Most such systems have provided a warning if ilirordes v/tvt pulled
back. The use of idle power routinely during descents in jet aircraft required that the landing gear
warning system be modified to take account of barometric alritude or other factors that could
indicate that landing was not contemplated at the time. Aircraft without such modifications
provided large numbers of nuisance warnings to pilots. In an imaginative attempt lo circumvent
the problem of gear-up landings, the Piper Aircraft Company developed and installed an automatic
gear-lowering device on its Arrow series of general aviation aircraft. The device used a simple
pitot mounted in the propeller airstream t sense reduced power and air speed. It worked
autonomously and effectively, but it also required the pilot to exert continuous pressure on a
bypass switch to prevent gear extensior uuring intentional low-speed maneuvers at alrimde, a
difficult task when both hands were required for aircraft and power control
Vinually all jet aircraft have anti-skid or anti-lock braking systems, in which wheel rotational
speed is sensed and used to Tt*xiif>' brake application. New er generations of transport aircraft also
incorporate autoniatic braking upon wheel spin-up. The braking force is chosen by the pilots prior
to landing; brake application using the selected schedule is then automatic.
Aircraft subsystems: In early generations of jet aircraft, the many aircraft subsystems
were operated in the conventional way, with switches in the cockpit controlling most aspects of
system operation. Three-person flight crews included a flight engineer whose primary task was
the operation and surveillance of these systems: electrical, hydraulic, pneumatic and fuel systems.
In some aircraft designed for a crew of two persons, attempts were made to simplify system
operations somewhat to decrease flight crew workload. Seat belt and no smoking signs were
activated automatically; automatic load shedding was introduced to simplify electrical system
reconfiguration following a generator failure; air conditioning pack deactivation was automatic
following an engine failure on takeoff, etc. These and other measi^s represented a piecem-al
approach to the problem, however; subsystems were still considered in isolation by designers, and
until recentiy, system operation during failures was still complex.
The DC9-80 (now designated the MD-80) innoduced a somewhat simpler architecture and
more subsystem automation in 1980 (ref. 38). The Boeing 767/757 series of aircraft incorporated
simplified procedures and a structured *'need-to-know" concept in its information automation. An
engine indicating and crew alening system (EICAS) provided pictorial and alphanumeric
information on cathode-ray tubes (CRT) in the cockpit. Pilots were informed by alphanumeric
messages of failures that required crew action; the aircraft "Quick Reference Handbook" (QKH)
provided ti^e required actions in checklist form. The "do" lists were also considerably siniolified
(r3f. 39).
When the Airbus A3 10 was introduced it incorporated an electronic centralized aircraft
monitoring system (ECAM). This system provided synoptic diagrams of aircraft subsystems
which displayed system condition in pictorial form on cathode ray tube (CRT) screens (ref. 40).
Paper checklists were still used to handle faults, which were annunciated in alphanumeric form on
22
-i).
a separate screen. Thr .atcr A320 had a very similar system. In the ''47-400. the first 747 model
uesigr.ed for a crew of two persons, Boeing incorporaied system synoptics into its EICAS system
while retaining a)phanumenc aieaing messag-s and pap?r checkUsts that informed pilots of aii
acuons to be ta^en loUowing an ann.mciatecl condition, as in its 767,757 types (ref. 22).
in ] qS' ^f^il""' 4^^ mhST^^^ ^'-'^^ ^ somewhat different direction in its MD- 11 , introduced
» ,,i .!':[. f^' ^*.^^^:'^ »« ^ ^ery long-range derivatJ.ve of the veiy successful DC- 10, but
v,.th a radicaJiy i-edesigned tv/o- person cockpit. Douglas cockpit designers were very concek^ed
wOTx^oad .Quid be achaeyed by automating aircraft subsystem operations. To quote Douglas ' chief
:fin^; V «P^^'!«o']?';.<^"^,of our fundamer:tai strategics ha5 bin: if you icnow what you want the
hv?hiV°^.'^°" ' f' ^u' '^'^ '' ''^^- '^^)- ^^y "^'^ subsystem functions formerly performed
by the fligh: crew have been automated; handling of faults is also largely automatic. ^"""^^
ahovr^^h^^thV !!!fi''^^*^ "^^^ '"'P^'y' ^^> ^ superficially similar to the systems described
above but the subsystem management approach is markedly different. Most subsvstwn
wrSf^er^^'lh'^vZVT^Tr"^
With an alen, they may cancel the associated alerting message by selecting and viewing the
Snr^TJT^T-J^'' f "^"o^^ "^^ ["'^"^^ imt^ediately' however, sini the ao^opriate
SS itions. ^ ^^"^ checklists are still used as a reminder of requi^ flight
^nrr^^riPc'fic-^ '^I' T\'v ^^'Sn,wm incorporate electronic checklists with some level of
automate sensmg of checklist items (ref. 5). It will remind pilots of skipped actions and wil
permit the crew to skip back and forth between checklists if requml because of^iultipkfSer
Discussion of Control Automation
Flight path control: Control automatioo has a long and honorable history Most asoects
fl ;hTc'^\^n,'°°^'^°" "^ r ^ T^"^ «^d are not con^versial. Taken smg?^most autoS
?o^wf ^e Shr' ^^T^ "^ comparatively simple models that can be explained fairly osHv
.0 pilots. The behavior of these systems is predictable. Inf omiation concerning the actions of the
au^mauon is observed in airplane behavior, this mformation is usually, Sghnm in vi?ablv
S5 Sr* *° T!T P^°^ "'^^^X?^"^ It is also usually sufficient to p^^SpX/to So^
rh» S^Ji!r°' «^^^^"^^"0"- I^fWems m monitoring contK^l automation have^xciSJd when
uhe devices were behaving reasonably, but incorrectly (as in the SAS DC-10 accident atS YcrtT
Phinl i r ^^^JlP>J°\^ere not alert, for whatever reasons, to the state of tlie automation ^e
Cmna Airlines 747 mishap near San Francisco, ref. 14). Contit>l automation data to thi. tirne^S?
^^L'SSIiSi^tirpSeX"^ ^"" '^''-'' ^^ discussion of er/lo^
s.diS°f Sy^ '^^^i^i^^'^^t^^^^ys^^z
effecnvely. though the proliferation of control modes in the newest fly-by- w^TylSms^ses
many more potential problems than did earlier generations of control automation in whkh So
was more directly coupled to the control surfaces. In the past, as an insunce the la?ee
displacement control yokes used by the two pilots were directly Ld physically couS- they wire
also coupled to the automation and thus moved perceptibly when the LtW made cSm^Hnput^
In the Airbus A320, small-displacement sidestick controUere are installed; they are not cross-
coupied. arid mputs by one pilot are not visible or tactually perceptible bvihe othS A fSlv
complex mixing algonthm, a lockout device and visible indicator lights are 'pm^iSd to afsist^e
f± "^J°*°T^ "^^V^ "^ '^°^'''°^ ^^ "^ ^^^^ «"="^- I^ s^o^ld ^ mention^ thanhe C* con^l
law used in this airplane is not speed stable, so different feedback l^ops may be reauSd
Autopilot control inputs are not fed back to the sidesticks. The lack of tactile feedbik^S^e
23
sidesdcks is not ioiown to have presented problems thus far, but it has led to questions regarding
the usefulriess of such feedback in transport aircraft
The large number of control modes in highly automated aircraft has also been of concern. The
A320 autopilot *'open descent" mode, and its coupling to the flight dirstctor systetm of the airplane,
may have been a faaor in the Indian Airlines landing accident at Bangalore, in that there appears to
have been a late recognition on the pan of the flying pilot regarding the need tc switch both
directors to another mode pnor to the final approach (ref. 13). Incident reports have documented
similar occurrences with earlier recovery. This mode, like all others, is annunciated in ext on the
flight mode annunciation panel; the problem rather appears to be a lack of understanding of a
relatively complex, highly integrated set of automated systems and of their interactions. Air
carriers operating the A320 have injtirated procedures designed to prevent open descent below a
safe transition altitude on final approach, but it must be asked whether procedural approaches to
such problems arc as effective as designs that are easier to understand or that are not susceptible to
misunderstanding.
Error resistance and error tolerance: System modes such as this necessitate a
consideration of human error in the opcTation of such systems. It is known that human errors will
occur; such errors are contributory factors in roughly two-thirds of air carrier accidents. Indeed, a
desii e to minimize such errors has been a part of the rationale for the implementation of advanced
aircraft automation. At least two approaches can be taken to minimize the effects of human error.
A system may be designed to be highly error-resistant; that is, to make it v^ difficult for the
human to make an error in the operation of the system. Simplicity in system architecture and the
provision of cle^r, unambiguous information on display interfaces are important tools with which
to improve error-resistance. (Gee Nagcl, ref. 42. for discussion of these concepts.)
Attacking the problem of human error by design of error-resistant systems .5 not enough,
however; it is also necessary that system designs be error-tolerant, able either to trap en-ors or to
mitigate their effects. Such error-tolerance can be strengthened by designing monitoring
capabilities into the automation, as is done in configuration monitoring systems, or by introducing
system envelope limitations, as is done in the A320 flight control system and several power control
systems. The use of procedural controls as a substitute for desiginng inherentiy eri'or-iesistant and
error-tolerant systems may be effective, bur is less foolproof. In the case mentioned above,
procedures have been evoked to make the system error-resistant, since it is not inherentiy error-
tolerant. Both error resistance and error tolerance, discussed further in section IV, inust be
paramount aims of the cockpit design team.
Power control: The A320 also incorporates thrust levers that do not move when power is
applied or withdrawn by the autothrust system. Visual ECAM displays indicate both power
commanded and power delivered, but ancillary tactile or visible feedback is not provided by the
levers themselves. This difference from previous aircralt has evoked fairly widespread concern in
tlie operational conununity, though it should be said immediately that the concem does not appear
to tyt manifested by airlines operating this aircraft type.
Based on limited operating experience to date, it appears that pilots are usually able to obtain
all needed mformation concerning flight and power control either with, or without, tactile feedback
of control movements instimted by the automatic systems. This may be a case in which there is not
*'onc best way/' based on empirical or analytical knowledge, to automate a system, and in which,
therefore, any of several approaches may be effective, provided that piU ts are provided with
sufficient information to permit them to monitor the systems effectively. Unfortunately,
information concerning the rare cases in which a particular innovation is not effective in providing
adequate feedback may not come to light unless a iri?hap occurs. Rescar:h into the proper
complement of control and monitoring functions for automated cockpits is badly needed.
24
f.^AuJ^r^^\ ^M&Jj'srtfws: Automated flight control systems usually provide immediate
Sis ^^^^^ nT""^ functioning. Feedback conceding ainrraft subsystem
tnll^^. A f ""^T^^ ^^"^"^ three-person aircraft incorporated a mulripUcity of lights
tinlfff '.^^^^^^^ ^t' '""^T'^' ^^'''' ^1^ ^^^^ infomSon; cockpit amoiS^tionT^d
.;? efforts have attempted (with consiacable succ.^^ s) to minimize tiie amount of system
mformaaon which the crew must monitor. The provision of simpler interfaces, however has nm
been due cr.tirely to the design of smiplcr aircraft subsystems. On the contrarv, ystem compte^aw
^n some cases has increased greatly. Whet^ simpler interfaces reflect simp er^ suSyS^^
benefits are' obvious. Wlien a sm.ple interface hides a functionally complex system, the^ i^y we'
IK covert problems waiting to emerge during a difficult emergency. ^
Cockpit simplification has included drastic
reductions in the number of subsystem controls
and also standardization of those controls,
nearly all of which are now lighted pushbuttons
with legends. CMtical buttons may be guarded.
The switches are usually located in subsysimi
diagrams (figure 12). The use of pushbuttons
of identical shape and size in place of a variety
of toggle sv/itches has cleaned up the overhead
panel, but it has made more difficult the
location by feel of a given switch.
Manufacnjters state that their "dark cockpit"
concept, in which buttons are lighted onlv if
they require attention, indicates those that must
be used, and point out that buttons should be
actuated only after visual confirrnanon of which
button to press. As noted above, Douglas
Aircraft Co. has automated large segment^ of
the subsystems management task (a backup
manual mode is provided, and all switches
necessar>' for subsystem control are on the
Fig. 12: Ovemead panel. AC electrical system, 747^. overhead panel).
Practices with respect to the provision of ' ■
information regarding subsystems have varied,
from the Boeing 767/757 "need-to-know"
concept, to the provision of synoptics simply
for pilot information in the 747-400 (figure 13),
to synoptics that are the primary means of
subsystem feedback in the MD-li and A-
310/320 types. The A320 also presents a
limited number of normal checklists on its
ECAM screens; a broader implementation of
electronic checklists with automatic sensing of
skipped actions is under consideration for the
Boeing 777, now in design, and will likely be
seen in many future transpon aircraft. Such
automation will permit the flight crew to
alternate among several checklists when
necessary to resolve compound faults, though
automated prioritization schemes for such faults
are under consideration by human factors
researchers.
Fig. 13: Synoptic display for system shewn in fig. 12
cxri A^u:
ATUa iXTl
25
Jul
M^i^iatti^^^ik
Fig. 14: Touch-sensiuve screen switches on a CRT di^lay
Research is underway on CRT screens
on which subsystem synoptics containing
"soft switches", touch-sensitive areas
overlying switch depictions, would be
depicted. Subsystem control would be
affected directly through such screens,
which would respond to switch actuations.
The advantages and disadvantages of this
approach can he hypothesized but are not
yet clear. Dedicated panels in which
switches are always in the same place
permit memorization of switch locations
and set patterns of behavior, but
pushbutton switch legends conuin small,
sometimes cryptic aJphanunacric legends,
and presbyopic older pilots may have
difficulty reading legends on tiie overiiead
unless they arc fitted with special correcting
lenses. Synoptic subsystem diagrams will
itquiie familiarity with a number of differ-
ent switch locations, distinct ^or each system depicted. The legibility of touch screens on the
primary display panels should be considerably better, but operation of touch-sensitive switches
may be more difficult in turbulence; they will also be farther from the pilots. Research will be
needed to determine whether the potential advantages of "soft switches" outweigh their drawbacks.
The amount of aircraft status information that must be provided is a function of the hur.*an
operator roles in naission accomplishment If humans ar?5 expected to control aircraft subsystems,
they must be given that minimum of information necessary to perform those tasks. Il the
subsystems are controlled autonomously and the human's only role is to remain cognizant of their
status and the effects upon mission accomplishment, a quite different quantity and type of
information concerning system stams may be called for, though it is necessary in this case that the
operator undentand not only the system controlled but also the automation that is controlling it, so
that automation failures can be detected. In this case, it may not be necessary that non-flight critical
inforrcation be txiade available at all. For these reasons, it is necessary to consider the range of
control and management options to be provided the pilots of advanced, highly-automated aircraft
The controUmanagement continuum: It is implicit in the above discussion that pilots
may play any of a variety* of roles in the control and management of highly automated aircraft.
These roles range from direct manual control of flight path and all aircr^t systems to largely
autonomous operations in which the pilot's role is mininial. The development of highly capable
automation makes it necessary to consider these roles in more depth. A control-management
continuum is presented in figure 15 to facilitate this discussion (ref 43).
None of today's aircraft can be operated entirely at cither extreme of this spectrum of control
and management Indeed, an aircraft operated even by direct manual control may incorporate many
kinds of control automation, such as yaw dampers, a pitch trim compensator, automated
configuration warning devices, etc. Conversely, even remotely piloted vehicles are not fully
autonomous; the locus of control of these aircraft has simply been moved to another airborne or a
ground control station. Nonetheless, today's airplanes, and those of tomorrow as well,
mcorporate elements at or near the extremes, and the full range of opticms must be considered
The ability to control an airplane without the assistance of automation Tnust be demonstrated
by any pilot before a type lating for that airplane can be issued, if the aircr it itself is certified for
such operation. This includes tihe ability to handle the machine without even the automation aids.
26
D.
such as yaw dampers, ?hat normaily operate full-time in an autonomous mode. That flying task,
however, can be extremely demanding in a machine in which stability is relaxed and stability
augi:ientauon is provided by ndundant. fait-operadonsvJ systems.
AUTOMATION PJNCTiO?^
f^iot not u&ijaJiy intarrwd
Sysiflm fney c may not oe c*p«W« of
Es»«fitMiiy autonomous operatjon
Ai.(tofT»tK: roconfjgiirttwn
System jnfDfTTw puiot «nd
monitors mdpon«««
HUMAN RJNCTJONS
Pvk>{ 9«n©faily ha« no fO*« m op«mlion
Monitofing i« i(mit€N3 to ?«iit dewctjor
GoaJs Rre w*if-<j«fined. pilot normaliy
heis no reason to intervene
Full automattc contro' of
aircraft and flight
iryyad. d«i;nc>itk: and
pnamptinfl functions provitiac
Ajj^Jot & •utottvottia control
of flight path
AulDfT»t»c cormuinicabons and
ntvh>llo«Mng
Enhainoed conttoi trvi Qutdarce;
Smart a<V»sory sv^wrrts;
Pctantiai flight path and other
pradictor dispteys
Fiight director FMS, riavfnodujes;
Data link with manua) masaaees;
Momtofing of fJtght paih control
and CKcreft systems
Normal warnings and aierts provided,
Routma AC>kRS commirtcations
performed autcmatictitHy
Pitot jnforrrted of syster? intent.
Must consent to cntjcal dectawns.
May ntervene tw reverting v) kwwr
Pitot must consent tc state chang«<s.
checkiis! execUion, anomaly f*«o(utor.,
Manuai execution of cnt)cai actuns
Ptot co'^wnends hdg, alt speed;
Wanuai t'' ooupted nevigation;
Commands system operatkons.
checKJiats, communications
Pilot in controi through CWS or
enveJope-protected syslem;
May utilize advisory systems;
System marwgement manual
Drect authority over alt systems;
Manual control, aided k»y F/D and
enhanced navigation dispiay«
FMS IS availade; trend tnfo on requeat
t>rect authority over ail systems;
Manual conirai utlatng raw data;
Uhaided <£»dci»on- making:
Mar>uai comrnunicatkons
Figure 15: A continuum of aircraft control and management
Most fiying today is assisted to a greater or lesser extent, if only by hydraulic amplification of
control mputs. Hight directors, stability augmentation sy5tems, enhanced displays, and in newer
aircraft various degrees of envelope protection, assist the pilot in his or her manual control tasks
To some extent, pilots can specify the degree of assistance desiied, but much of the assistance
operates full-tui:e and some of it is not intended to be bypassed. The pilot remains in the control
loop, but it is an intermediate rather than the inner loop.
Whether pilots of Umited experience should be lequined by regulation to have and demonstrate
this level of manual control ability in today's airplanes, which incorporate highly redundant
automated control assistance, is beyond the scope of this document Airbus has rendeied this is<iue
moot lo some extent by providing shared control as the A320's basic control mode. Pilot control
mputs are considerably modified and shaped by the flight control computei^; envelope limitations
prevent him or her ft om exceeding pre-detemiined parameters. In this airplane, pilots are provided
ath considerable assistance even during control failure modes; manual flight capability is limited
13 Pidder control and stabilizer trim and is designed only to maintain controlled flight while the
? utomated systems are restored to operation. Under normal circumstances, the aircraft automation
is responsible for much of the inner loop control, though controi la vs arc tailored to respond in
ways that seem natural to the pilot. In the MD-IL a combination of longitudinal stabiiitv
augmentation and control wheel steering is in operadon at all times; roil control wheel steering is
available as an option. ^
When an autopilot is used to perform flight path (and/or power) control usks, the p4ot
)ccomes a manager rather than a controller (this is also true to some extent of the shared control
27
option). The pilot may elect to have the juitc^ilot perform only th^ most basic functions: pitch, roll
and yaw control (this basic autofUght level is not available in all systems); be or she may direct the
automation to maintain or alter heading, altiuidc or speed, or may direct the autopilot to capture and
follow navigation paths, either horizontai or vertical. This is motigement by delegation, though at
differing levels cf management, from fairly immediate to fairly remote. In all cases, however, the
aircraft is carrying out a stt of tactical directions supplied by tlic pilot. It will not deviate from
these directions unless it is incapable of executing them.
As always, there arc exceptions to the generalizations. The A320 will not initiate a
programmed descent from cruise altitude without an enabling action by the pilot (This is the first
instance of which we are aware in which management by consent has been embodied in aircraft
automation.) Other modem flight management systems require that the pilots provide certain
inputs befoie they will accept certain conditional instructions.
Management by consent implies a situation in which automation, ones provided with goals to
be achieved, operates autonomously, but requires consent from its manager before instituting
successive phases of flight, or certain critical procedures. An example is given above. The
consent principle has important potential advantages, in that it keeps pilots involved and aware of
system intent, and provides them the opportunity to intervene if they believe the intended action is
inappropriate at that point in time, (Taking the princin e to itr logical conclusion, it can be argued
Lhat even yaw damping in older airplanes is by consent since the pilots can disable the function.
This may not be the case in future aircraft, however, in which more of the automation will be
transparent to the flight crew.)
This management mode may become more important as "smart" decision-aiding or decision-
making systems come into use (see page 94). A protracted period of close monitoring of these
systems will be necessary; requiring consent is one way to monitor and moderate the potential
influence of these systems. While management by consent is an attractive option worthy of further
exploration, it must be informed consent More fundamental human factors research is needed to
identify how to implement it without tte consent becoming perfunctory.
Management by exception refers to a managen^nt-control situation in which the automation
possesses die capability to perform all actions required for mission completion and performs them
unless the pilot takes exception. Today's very capable fli^t management systems will conduct an
entire mission in accordance with pre-programmed instructions unless a change in goals is
provided to the flight management system and enabled by the pilots. This occurs relatively
frequently when air traffic control lequii^s a change in the previously-cleared flight path, most
often during descent into a terminal area.
As previously stated, the desire^ to h>htt^n the pilot's workload and decrease the required
bandwidth of pilot involvement led to n., *i of the control automation now installed m transport
aircraft. The more capable control and management automation now in service has cenainly
achieved this objective, with benefits to satety, reliability and productivity. It also has the capacity,
however, to decrease markedly the pilot's involvement with the flying task and even with the
mission. Today's aircraft can be operated for long periods of time with very iittie pilot activity.
Flight path control, navigation, and more rccentiy subsystems management are almost entirely
automatic. The capable, alert pilot will remain conversant with flight progress despite the low level
of required activity, but even capable, motivated pilots get tired, lose their concentration and
becon^ diverted, or worry about personal problems unrelated to the flight. A critical task of the
designer is to find ways to maintain pilot involvement during operation at higher levels of
managcn>ent
This is less simple than it sounds, for pilots will both resent and find ways to bypass tasks
that are imposed merely for the purpose of ascertaining that they are. still present in the cockpit.
Tasks to maintain involvement must be flight-relevant or even flight-critical, and equally important.
28
?Ji^l^. Pe.rccivcd by pilots to be relevant Designing pilot involvement into highly automated
S^n^oT """ ^ **'y ''"' '^''".'^ accomplished to minimize boiedom and complacency,
paaicularly in very .ong range airoaft which spend many hours in ovenvater cruise. The progress
of avionics, satellite naviganon and communications, and data link mav verv well have an optSsite
result unless this umquely human L tor receives more consideration than it has to dau:
^ioK?"°^-^'^ ^^"^^ ^ °^^^" '^^"*'" *^ ^°"^^ ^^ ^«y ai-c to manage, because interacting with
tto?r^^r^"!^ul/^''T'' ^^^^"^Pi^-^hed primarily by entry of llphanumericlSomatTon^
Rcprogramming today s fagm management computers can be cumbersome, and such night pa'h
S^^^bv a r^nf rv 'iZ%'''t ^^.^^'^P^i^.^ed by reverting to a lower level of automatir aK
t^ian by altcnng Lhe FMS instructions. Tnis m itself may be a problem because some of the
rXTh'rf' '^ '''' ^"-' '^"^^""^'^ configuration liy be x^moveS^^v such ^venfon On
M^H^a tK •'^;"''"°^'^°'t^"^ "" ^'^'"Py ^"«""°" ^^t ™ght better be directed elsewhere
Malang this mtcraction easier and less error-prone is a majj task facing the human f^cfo«
community, and a number of research efforts are underway to litigate this^btem.)
,.'!^^"^'^'^oP^''afion denotes opcrar on in accordance with instnictions vwvided bv svstem
;^^?^.T;°°, *'''"''°" or management is required of the pilots. Until rece J?y?^tively Tew
SnSJ^^J '^'•*'"' ""^^'^ autonomously. With the introduction of the A320 and MD-U
however, major systems operate m this way. ivii^ 1 1 ,
all ti^^f^rwr^; n!i^^/ conffol system incorporates envelope limitation; this system operates at
^n^K r^^ parameters (b^ angle, pitch or angle of attack) cannot be exceeded by die pilot
except by turning off portions of the flight control computer systems or flying iS^ Scmoff
I^rfcSeTc^ w ?r"? *" ^^^-^^^ flyover priof to rhelvluhouse-lLfheimlSto (ref
44). Predetciminec thmst parameters also cannot be exceeded. 'Hie MD-1 1 incoroorates an^lV nf
F^S di^Jrrin^n'H : If""^^' systems also operate autonomously, to a considerable degree
Si^L ?i r.^. ^ ^" u'l^ w"? «<^onfig'^auon are also autonomous if the aircraft sySem
controllers (ASQ are enabled (the normal condition). Any system may be operaS manuS^
though the piotecnons provided by the ASC systems are not av Jlable during^^^^n ^^ '
Systems £tesigned for autonomous operation pose serious philosophacal questions with resnect
l^ft f h^'^'^h'" '"^^^ f P"**' involvement. These questions arose^first in theTs'^of fiS^J
i- -^r™^f^^"^** ^'Shttr s fly by wire control system incoiporatcs "hard" limits which 'W^rv^
r--- w "^Z""** "*"»^ imui!,. inc riigni ecitonai points out that "There is however
anomer appnoach avaikble. to develop a 'softer' fly-by-wire system which al ows S ScrSTto To
to higher limits than before but with a progressive degradation of flying qualities as Sf highS
rSS ^ -^^T^i^-.:' '' ?i' ^^'^ phUosophy which has been adopted bvlhe Sov ets S
fighters hkc the MiG-29 and Sukhoi Su-27. It is not, as Mikoyan's chief tesVuHoradr^t?
neccssanly a philosophy which an air force wiU prefer." He sayrhowe4? "AlSS
Se ^iSfr. f^'^K^ greater efforts.,.it guarantees a significant increaLnT overall qS of
iJwcV *^ ^ • ^- "^. ^°^^ approach has been taken in the MD-1 1, which Dcrmits
pilots to ovemde automate protection mechanisms by application of additional control fSce^
rs^v ^i;^ "''^ ^^ "^ "°* f^ ^ *^' ^^ fo ^ fighter whose maneuverability is limited
they do on occasion have to take violent evasive action (see also page 86), and the- rS^ on
extremely rare occasions need control or power authority up to (or even beyond) sSufn^aSS
engme hmits to cope with very serious failures. The issue is whether the pnorwhoTSaSv
responsible for safe mission compktion, should be permitted to operate to or cv;n TvorS S>S
^ts when he or she ctetermines that a dre emergeiSy requires sSch operation ?^eis°aeSTo^
be smiply resolved, and the rarity of such emergencies mSes it difficult to obtain ^p Sc^ ^^
29
for one or the other philosophy. Nonetheless, the issue is a fundamental one. Pilots must
approach such limitations on their authority with cxtienic wariness; designers must recognize that
hard iiniits place them, rather than pilots, in the position of ultimate command, given the capability
and flexibility of automated systems. Pilots must also be concerned about the effects such systems
may have on their perception of their responsibilities, which remain despite whatever protective
systems may be installed Such systems can fail.
Another fundamental question is how wide a range of conirol and management options should
be provided. This may well vary across functions; indeed, pilots will often operate at a rai.ge of
levels, for example coniroliing thrust manually while managing the autopilot and using the flight
director to monitor navigation. Pilot cognitive styles vary; their skill levels also vary somewhat as
a function of the amount of recent flying ihey have done, how tired they are, etc. These factors
lead us to argue that a reasonable range of options must be provided, but widening Lhe range is
expensive in terms of equipment costs as well as of training time and time required to maintain
familiarity with a broad spectrum of automation capabilities.
One way to keep pilots involved in the operation of the aircraft is to limit their ability to
withdraw from it by invoking very high levels of management. Another, perhaps preferable way
is to structure those higher levels of management so that they still require planning, decision-
making and procedural tasks. The use of a management by consent approach, rather than
management by exception, could be structured to insure that pilots must enable each successive
flight phase or aircraft change of status, as an instance. It has been suggested by one air carrier
that long-haul pilots should be given the tools witli which to become involved in flight planning for
maximum economy on an ongoing basis; this is another approach to maintaining higher levels of
involvement.
Control Automation in the Future
Control automation is ahneady highly advanced and highly competent. What may we
reasonably expect to see in the way of furtlier advances? What additional factors should be
considered in this donaain?
There is increasing concern regarding the problem of runway incursions, as airports become
more and more congested. Several studies (rcfs. 47 and 48) have highlight^ this problem; two
recent accidents, at Detroit and Los Angeles, have underscored its seriousness (ref . 84). Improved
radar surveillance of airpon surfaces is technically feasible and new devices aie scheduled for
installation; light systems at mnway-taxiway intersections have been tried in the United States and
are in use elsewhere, but neither of these approaches will be fully effective in nnitigating the
problem of human (either pilot or controller) error (ref 49).
More error-It sistant and error-tolerant approaches to this problem arc needed, especially given
problems of low visibility and contaminated taxiway surfaces which can obscure markings
temporarily. Suggested approaches include some degree of automation in control and conduct of
movements on the airpon surface. Automation has not been extended to control of aircraft on the
airpon, though techniques for lane-holding have been attempted in automobiles on roadways with
embedded wiring. Highly precise satellite navigational aids, particularly when accuracy is
enhanced by fixed-installation comparison techniques such as differentiarCPS (ref 50), may
provide the means for true all-weather control of airplane positions on the ground. If airpon
features can be described precisely, automatic control of aircraft during taxi is possible, though it
will requinr< very large databases in the flight management systems that will access the information
and very ace. 'ate map displays in the coc^it
It needs to be pointed out that if automated control of aircraft on the airpon surface becomes a
reality, pilots will be unable to verify the correct operation of the automation under conditions of
severely limited visibility. Before such technology is implemented, it will be neccssaiy to consider
30
gU7
i).
m^nj^."!. ^"'^"i °«^^«>J^g capability can be provided. One possibility may be the use of
mimmcter- wave radar and the provision of synthetic visual dispiav devices in the cockpit (Vuoh
llT'^l'^^u^'^f^^y^ovidtindcpendcra inonitoring capability during low-visibiMt™^^
;;^i^rinf ^pt^r Jw^^^^^^ "''^^''' ^^ ^'^ ''^^'^y^- -^^^^ p-^^ ^^«p--- ^-^^
ar^d thL'^r°,n!w'^^'' '^"^^ ^^r."^"" capabilit>' to follow an ILS localizer centerline accmatelv
and this capability is made use of dunng automatic landings, automatic takeoffs using center in'
guidance are not perfonned, probably because of concern about asymmetric power fadii^raLdth;
uertaml> the pilot is more quickly able to counter variations in direction if he or she is invo'ved in
'^^'^^^'^^!,:S:-^^ '^ ^-""^ ^^ P^- ^- .ntrcxl.ces%^%tr^:S 1^
ofm^om^p^i-t!^^^^^^
imngaang some noise problems for communities in the vicinity of airrins (reT 5?'" R^ng ve^
SSLL'fra^'au^ldc^ "'^^^^ '"^ flighf crewrorkload, howevere'venTf
ine approaches are automatic. Alternate means arc being explored to enable equivalent aonroaches
usmg exisung equipment capabihties, but these too will involve higher ccXrw^S^ A'
tran^S^rri^ ?P^' "^ "^^ """"^ *Hghly integrated autotnation suites in virtuallv all future
nanspon aircraft A higher level of integration may permit simpler automation architectures that «^
open question. Even before the advent of the present generation of aircraft incident* ZJr^
<. stall at high altitude m the case of an Acromexico DC-10 departing FranSSt fref 2 the
S'"SSr^ '"'" "^^^ '"^"^ '^'^ ^°^^^ P^^"^' ^-^^ ^'^^-^ Sown on
^^nHJl!*]*®"!? '^ ^^^. out again that problems such as this may be due to the automation of a
T^U'^-'^^'m a^''^^' fhould not have been automated, but they niy equally weU te S to fdhire
fL^^n i"r'?'^ function sufficiently obvious, that is to poor impSntatiorof^ ap^oSaS
th^^T ? ^"^^T""*"!:- ^"^ ^"^^ principles state that the^ilot must be invo'v^- ^ev £S e
that the pilot must be informed, and this includes piominentlv being informed ar^7^w^eL^?i5
(rnSrJ^S^ '^ ;^po«.«,///«^., of the airplaiie and autoWnon ch^SSsricf^t S^timeT A^
IS pomted out several times here, too much infonnation may be as bad as too Uttle the critical rv^irt
IS that the pilot must be able to maintain state and situation awarenesi ^
As subsystem automation becomes more capable and more common we shall have m
consider carefully whatsubsystem management actions should not be autoi^ J ^S^l MB n
n^Iflt, '^^"^J^.^"-' automating fully any tasks that are irreversible Salmis of to eff-a
on the airplane s ability to complete its mission. In future aircraft, we mrst consider ^weM
^Sierrat^feTn^^S tT^^ ^-^'^ 'P^^ ^*^^ ^^^" ^^ ^^ automationTh^; iX
proscnfiecl, or at least made to require confirmation or consent. There have been two casrs in
which pilots shut off fuel to both engines of a twin-engine transpon shorty after tSeSf Sng
Aat diey were operating its elcctromc engine controllers (ref. 52): Ir, these cas-sdSd^sSS
did not recogmze the potential for Lhe specification of procedures that coSd te hS^Sus orT a'r
earners did not understand the (designer's) intent foV the EEC enabk/^sa^Sctiori ort)S;
^Sfp^Sn?.^ r^Z ^^^';S^^^ - -^^' -- -'^--^ automa^^rr,t%S^S;:
31
Our first priacipics suggest that the autotnation must be able to monitor the pilots. Momtonng
automation could certainly be designed to question certain classes of pilot actions that can
potentially compromise mission completion, though for the automation to proscribe such actions
would again limit the authority of the pUot. It is hoped that more serious thought will be given to
the piloi-aiitomation and automation-pilot moratoring functions, both of w'-.ch arc enabled by the
highly competent digital computers row in place in advanced aircraft
32
J).
Information AiUomation
M ,n^!J!^? e'taniine what Fadden has termed information automation. Though primitive i'vels
of im >rmanon automation have been present for some time, information autotrS?i"n tegan i
V^o^^Ti;:%;^'^^'^'l "^'^f "^^^^^ ^^^^'P»'' ^" ^hich CRT Greens ^pac^
sonu or dj of tr.e olcer electromechanical instruments. Even prior to this develo^nifnT
mfonnation management had become a major problem in aviation. Sgs iZKiZdC^^lr
Ser^rllerr. r^-i? of V-^rfV ^'^^•- ^"'i' '^" *^'>' ^^^^ study found information
u ^srer p.oDiems jn , 37c of 1 2,000 consecutive incident reports (ref. 54).
,^c .P*/^^*"^ °' ^'^' ^^««"s in cockpits made it possible for designers botii to ijroWde mor?-
was Ovoomiug avauhble, the temptanon was ver\' great to provide nilots with mnrh mnr^
;fS^i ^ ^^^^ ^^ ^*^°"^' expenmcntal studies have found that pilots want as t^ irh
information as may possibly be relevant, even at the cost of increased wSoSd (ref 55)
.i^^3J°"^^?u°"°u"'^^'^.^;^"*"'=^5 ^" pijilosophy exist among the major suppliers of transnon
aircraf . most ha%'e been fairly conservative abom new cockpit displa^ It shS Id te re^^nbS
Ujat automation which enables moi^ information to be prese?te4 Series Stt^s^i/^^^^
of the amount of mfo^mation required to monitor the auSLteSfunctionra/srown iifgj^etr
Inputs troiT^
Environrrwm
^'ig\3jt 16- Information automation
33
D.
Despite this conservatism, new alerting, systems have been introduced, several mandated bv
Congressional decree, each requires the presentation of new infonnatinn to pilots. Ground
proximity warriing systems, mandated in 1974, provide visual and aural warnings. Tr«*ffic alert
and collision avoidance systetris (TCA.S), now bemg installed in all transport ircralt, provide
visual displays and visuai and voice warnings of traffic threats. Windshcar advisory systems
mc?x.dated lor mstailation during 1991- 1993, will also introduce visual and aural warnings,
Tliough map dispiays have greatly simpUficd tiie pre.scntation of navigationaJ information, Lhe
integration of weather radar data md TCAS traffic displays with navigational data has complicated
tno f displays comzdcrabiy, especially on smaller CRTs. The coming of digital data link for ATC
messages wil, add stul further visual displays Lhat must be attended to. We will now examine the
kinds ot mforraation m the cockpit, the ways in which it is displayed, and the effects of autometion
on the information provided to flight crews to enable mission accomplishment.
Flight path displays: Pilots arc physiologicaUy unable ro maintain a stable airplane attitude
by reference only to their own sensoo' inputs because of limitations in their ability to sense motion
and acceleration m ad spanai axes (ref. 56). The first anempts by DcKslitde and others to develop
systems xor instrument flight (ref. 57) were prom-pted by the recognition of this fact. Gyroscopic
turn indicators and ball shp indicators provided data concerning turn rate and sideslip; airspeed and
alaiudc indicators providcc coarse information concerning climbs and descents Two-axis
gyroscopes provided sensing for the more intuidve artificial horizon, which accurately displaved
oank and pitch angle on a single device; another single-axis gyroscope provided heading
mfomiauon when set in accordance with a magnetic compass. Vertical speed instruments were
added to show rate of change of barometric altitude (figure 17) i^umcms were
Figure 17: Pnman- Oighi mstruments; airspeed indicator, artificial horiaon, Lhiw-pointer aliimeicr
tum and bank indicator, direcoonal gyro, vertical speed indicaior. The airplane is ir a left turn
without sideslip, at 147 tnots, descending from 1340 f'xi at 630 fecj per minute
34
Mtti
^* J
ffli (NDICATOH ?*IJ^^'^HS^ fe
AiRSPEED I
i VERTICAL
' SPEED
^DiRECTsON ^m^m^^m^
Figure 18: Electronic primary flight display.
The information provided bv
these six instruments has been the
foundation of instrument flying e/er
since. Analogous information,
though derived in many cases froin
different sensors (air data computers
and inertia! reference platforms), is
still the basis of the primary flight
display in the newest and most
sophisticated aircraft (figure 18). The
several sources of data, in different
formats, require considerable mental
integration to permit the formation of
a coherent perception of the airplane's
attitude, state, and rate of change. In
advanced electronic displays, a
variet ' of aids is made available to
assist the pilot in maintaining this
perception, but (he basic information
displayed is not fundamentally
different.
more integrated, displays could increase training requi^ments and perhaps comp^^se s^et^
Figurt 19: Pathway m the sky display.
35
in older aircraft, several displays are also used to provide navigational (moir properly,
position ) infcnnation to pilots. In essence, pilots are inforrned of their bearing and distance from a
radio navigation aid. or during menial flight, from a geographic waypoint defined in the flight
management computer. During approaches, they are infonned of their lateral and vertical
deviations frcin localizer and glide slope centerlines. This information, like attitude information,
must DC considerably transfc-med to permit die derivation of present position. Figure 20 is a
sketch of this information. It : hows a horizontal situation display containing a heading indicator
(whose data now comes from a remotely-mounted, stabilized magnetic compass), a digital display
of pME distance, and a radio magnetic indicator (RMI), showing the bearing to two VOR stations
or low-free ue icy rad^o beacons. The RMI also contains a heading indicator, whose inputs are
normaiiy from a second independent magnetic compass urjL
Figure 20; Flectrome4:haiiicai navigation instruments: radio magnetic indicator (RMI) lo lefu horizontal situation
display (HSI) to right. The 180* radial of the VOR being tracked is 12* to the right; the VOR is 10.2 miles away
Aircra^ is flying paraDei to that radial. The HSI ako shows glide slope deviations when tuned to an ELS frequency.
The introduction of CRT screens in the cockpit made possible drasticallv simplified navigation
displays. Although cor ventional HSI displays like that shown above atr still provided, nearly all
pilots of glass cockpit a:rplanes use map displays for most enroute flying. The map displays udiize
data stored in the flight nrmnagement system to provide a pictorial planform display of present
position and future navigation waypoints. In some aircraft, terrain obstructions and airports can
also be selected. In nost glass cockpit aircraft, weather can also be depicted on the display-
displays of other traffic ire, or will be, provided by TCAS equipment.
When all of thes€ o )tions are exercised at once, screens can be cluttered if significant weather
or a great deal of nearby traffic is present, but the displays still require less mental cffon on the part
of the pilot. Many n?ivi j ation displays can also be used in a "north-t^p mode" to display the r.ute
pro^pramrned in the ¥MS computers. The scale of the navigation display can be varied; some
i CaS units also permit .iJtitudc filtering. Figure 21 shows such a navigation display, li includes
flight plan, present and p edicted flight path, waypoint and radio navigation aid locations, location
of weather, altitude r:Elau^e to planned altitude, incrtial ground speed :knd wind din^ction and speed.
36
1
i
0AM
03iC.4
^f^
^
^
m> 1
,
-o^
WXR
/ /
^S
i/
von L
m/
-
FigTire 2i : Electronic map display showing wcaiher. Right plar
rou; and nav aids.
Map displays have immeasurably
cased the cognitive tasks of pilots by
giving them an instantaneous, easily-
mterpreted picnire of their location
with respect lo their plan, Wiener
(1989) reported that rhey arc the mosi
desired single feature of advanced
automation. As with flight directors,
:t is not difficuh to lose sight of the
raw navigation data. Map displays do
not make it particularly easy to
evaluate the raw data from which
position is derived, and it has been
necessar>' to introduce special display
elements to aid in this task. American
and British incident repons (ref. 60)
describe circumstances in which the
apparent position was incorrect, and
the clarity and apparent precision of
tne displays can be seductive.
/^
T*T ♦jic 0-Toi ♦aa J
).M 1JO f^v iji
SlSa !I22 UM SSI
rr
I ^
BHG 3 FIRE
BHG 3 SHUTDOWN
YAW DAMPER UPR
CON IGWmON
^^^ ^^^ SEATBELTB
iss um QSi EMS r
250 243-124
I
G£AA
I^ C^D CSD Gsa
JI
V.
12
OUCTfhIEM 12
CAAM.T
7500 (UT£ -250
Tor*iFUCl 362.6
LOOM-T
20C A^ 5.6
TBi^ +10C
Figure 22: Primary EICAS display, Boeing 747-400.
iKn^^^'f"' '^"P^'^ys- The Boeing
/57/767 introduced electronic engine
status displays. These displays
provided enhanced electronic
depictions of information that had
been available on electromechanical
instruments, together with adaptive
EGT limits, data on commanded vs.
actual thrust for autothrust operation
e c. Ihe later Airbus A320 provided
a simi ar set of electronic displays and
alphas, umeric information The
Boeing 747.400 electronic power
displays -ere the first to utilize a
simpUfied tape to roat on a rimary
and secondary displav ('figure" 22). A
compacted format showing analog
tape and alphanumeric data is also
available. These displays were based
on research showing that pilots were
better able to evaluate engine prob-
lems with displays tailored to the
number of engines. The MD-II
primary and secondary power
displays are again CRT represen-
mtions of the earUer clectromechanicai
displays.
.ha. ™^'^?Sgt#™".^'Xtirg"'^S.^'SS^^°^^ =; ^--^ .^-'Ti' -vigation displays,
37
concept for a considerably* simplified set of power displays using bar graphs which show relative
data vs. appropriate values for engine parameters (ref. 61). (See page 44 for discussion.) The
engine monitoring and control systcno (E-MACS) concept will be evaluated in flight simulations as
a part of the NASA Aviation Safety/Automation concept demonstrations .
ConfiguratiGn displays and alerting systems: In older aircrafi, a variety of lights and
gages were used to show the configuration of landing gear, flaps and slats, control surfaces,
aircraft doors and other faght-criticaJ systems. Nearly all current-generation aircraft have displays
thai provide such information in graphic fomi, though Au^bus Industrie has gone farther than odier
manufacturers in showing the configuration of com.poncnts of these systems as well as the svstems
as a whole.
Figure 23. Electronic display of flap-slat positions in A320.
Figure 23 shows an elegant litde
icon used in the A320 to indicate flap
and slat position. The diagram
appears on the engine display screen
together with engine data, status and
alerting messages. The number refers
to flap selector position.
Alerting messages and aural
signals are still used m newer aircraft
for critical items prior to takeoff and
approaching landing, as in earlier
generations. These takeoff and land-
ing configuration warning systems have prevented many accidents, but their occasional failure, and
their ability to generate spurious or nuisance wamui^^s, raise a problem of a more general nature.
Devices that are extremely reliable will come, over time, to be rclied upon by pilots. In the rare
cases when they fail, or are disabled, pilots may not be sufficiently alert to detect the condition for
which the device was originally provided. This occurred in two recent attempted takeoffs with
flaps and leading-edge devices retracted The aircraft crashed with heavy loss of life (refs. 10,1 1).
The other side of this coin is that devices that produce too many 'false alarms" will be
mistrusted by flight crews. In the extreme case, they will simply be ignored after pilots have
become accustomexl to them. This was the case when the earliest rr-xiel of the ground proximity
warning system (GPWS) was introduced. At least two accidents have occurred because pilots
ignored, disabled or were slow to respond to warnings that were appropriate. Later GPWS
models incorporated more complex algorithms and the number of nuisance warnings dropped
dramatically. We are now seeing similar problems with large-scale implementation of TCAS-U.
Altitude alerting systems, introduced to alert pilots when approachmg a selected aitinjde and to
warn them if they thereafter depart from that altitude, provided both aural and visual alerts many
times in the course of routine flights. They were reliable and came to be depended upon; altitude
excursions resulted when the devices malfunctioned or were ignored because of distractions.
Pilots objected, however, to the number of aural alerts approaching altitude, and FAA amended its
requirements to permit the use of only a visual signal approaching altitude. After this change was
made, pilots accustomed to hearing the aural alert before reaching their selected alti^ade were also
involved m altitude cxcursicHis because it was no longer present (ref. 62).
Color is used in all cockpits to indicate problems (red or amber, depending on severity),
though display symbology and color-coding for CRT displays has not yet been standardized The
Society of Autonootive Engineers S-7 Committee is working on such a recommended standard. In
most cases, redundant shape or size coding is used in addition to color, to minimize detection
problems for color-deficient pilots and to maximize legibility in bright suaiight (though CRTs used
in cockpits undergo stringent testing to insure readability in veiy bright light).
38
GBY
SPD BRK.
i
Y"
1
!
BG k
LAP DEGRADED
ei^c 11
i
SEC 1
i].
R
AIL
GB
!
ELEV
BG
]
PITCH TRiM GY
13^ •up
CI — RUD-O 1
RUD
GBY
^ — jL--**
ELEV
YB
TAT
SAT
h19
.18
23 H 56
G.W 60300 KG
J
Figure 24: Flight cofitrol configuration display, A320.
The complexity of configuration
displays can be high because of the
number of items that are pertinent
(figure 24). Tlicugh color can help to
direct a pilot's attention to parameters
that arc abnormal a good deal of
information must still be scanned.
Cockpit designers have done an
excellent job of eliminating large
numbers of discrete "lights, bells and
whistles," v.ithin limits imposed by
cerdfication regulations, but they have
substituted large amounts of discrete
data integrated into a smaliei number
of displays.
This topic is discussed in more
detail in following sections, but it
should be said here that current
operational constraints often inquire
pilots to review, by whatever uieans,
a great deal of important status
information prior to takeoff and
during approach, periods that are
already busy. Ways of summarizing
. - , , . this inforaiation that can alen pilots if
a potential problem is: pn^sent are highly desirable, but onlv if they are trustworthy, for pilots uill
come to depend on such aids. **Automation must be predictable," but i: mus? also ^^m
unmistakably when it is unable to perform a flight-critical function.
Subsystem displays: Though tliere is still a philosophical controversy about ti'e necessity
or even the desirability of providing synoptic subsystem infomiation in the cocicpii, pilots and
operators clearly find u desirable to have such displays and they are provided in most ^>iass cockpit
airo-aft. Synoptics of simple systems may increase the risk of misinterpreution, though they are
probably advantageous for the depiction of more complex svstems. Some of the controversy
probably relates to certification issues; manufacturers and operators alike wish to mcorporate as
few essential systems as possible to avoid grounding airplanes when they fail, and the overhead
panels on i.iese aircraft permit full m-inual operation of all subsystems.
Like configuration displays, subsystem synoptic displays can be very complex, though most
manufacturers have made them as simple as possible- Multiple faults, however, will still require
careful pilot attention to tiie screens to understarid fully the namrc of the problems. Herein lies
anotner facet of tiie contmversy. Modem airplanes are designed to require specific actions Casually
as few as possible) m response to any fault or combination of them. The requiied actions are
spelled out in checklists which are designed to be followed precisely. These aircraft are also
designed to require no more than checklist adheience for safe flight completion There is
continuing conceni among designers that providing too detailed information on subsystem
configurauon may lead some pilots to adopt more innovative approaches to complex pix^blems and
thereby negate the care the manutacturer has taken to simplify fault rectification Such behavior
has cau;>ed senous mcsdcnts in the past and will probably continue to do so in the future despite the
best efforts of designers to achieve simplicity and clarity in their designs and procedures.
On tiie other hand, pilots argue, with justification based on experience, tha^ faults not
contemplated^by the nrniufmmtr may we'^ occur in line operations. They pcmt. as one instance
to a LlOll that was landed safely at Los Angeles after its crew was faced with a completely
39
unandcipated control surface fault for which no book solution existed (rcf. 63). They do nor wish
tc be dcpnved of any infonnation that could assist them in coping with such problems.
,u ■?c'?.°fi"^ 757,^67 cockpit, as indicated above, does not provide subsystem synoptics,
though EiCAS messages provide a great deal of information on aircraft system status. Since not
ai! intonnation can be presented, the questions that must be answered is at what point the
appropnate comproimse can be found. Better models both of system behavior and of cognitive
Tespon.ses to malfunction information are needed to answer this quesdon. Such research is
underway within the NASA Aviation Safety/Autoir-tion program (ref 64)
HYDRAUUCS(t/2)
ijasQ
0,000
— — ~<|HjH'
{[m! ^
1/ADC
5^
UfT
I HYP SYS 1 FAIL |
CONSEQUENCES
FLIGHT COWTROL EFFECT flEOUCET
>USEMAX15FUkPS
CPWS CVRD IF nAP& LESS THAN 3S
!F FLAPS *35 SPO*LEIBS AT MOSC
GR Oh GND & THROTTLES lOLE
- AurroptLOT 2 mop
PRESS HYD AGAIN TO COrfTINUE -
J
Figure 25 Hydraulic system synoptic page» MD-1 1.
synoptic diagram) after low systetK A hydraulic quantity
hydraulic fluid reservoir is also shown.
As noted above, Dougl^ Aiicraft
has taken a different approach ^o
subsystem management in that it has
autonijated most normal and abnormal
actions in the MD-11 s;;bsy stems.
The synoptics in the MD-11 are
simplified diagrams of each
subsystem. When an abnonnal
condition is detected, the appropriate
system controller takes action; an
alerting message is displayed on the
engine and alert display. The
appropriate subsystem pushbutton on
the systems control panel is also
lighted. When actuated, this
pushbutton brings up the synoptic,
which will show the system diagram
with altered icons indicating the fault,
what action has been taken, and a list
of the consequences for the conduct
of the remainder of the flight. Figure
25 shows an example of a level 2 alcn
(system A hydraulic fluid loss) which
has been resolved automatically bv
inactivation of the two system A
hydraulic pumps (systemat Icftof the
was detected. The depleted system A
Here, the synoptic display is ver>' clear (and compelling); there is no question about what has
taded and what has been cone about it, although a failed sensor could produce the same display as
a tailed system and the pilot must still differentiate between these two conditions. This leads to a
question about whether such systems should be permitted to be reconfigured autonomously
without pilot consent The designer of such a system bears the heavy burden of insuring that the
action taken by the automation is always appropri .i . and that it will not under any circumstances
worsen the situation. Ascertaimng this may be comparatively simple for manv faults- for others it
may not be. The design philosophy appears to lave been ciTective in lightening pilot workload;
more expenence will be necessary to determine whether it has unwanted eft'ects as well aside from
the minimal burden of momtoiing the automation. Alerting messages appear if 'any of the
automatic aircraft system controllers fail; thf computers reconfigure the subsystem for manual
operation if botn of the dual cliannels become inoperative.
It must be kept m mind that seasors, processing equipment or display generators can fail and
that when incorrect information is presented, or correct information is not presented, there is the
40
Q
a2oS^*L^I/'°^^."!i?li"^'^^ ""^"S-^^ '^^ P^^°"- "^^^ ^dds complexity but must be
dccominodaicd. The mfarmanon must be unportant enough to wanant the added complexity-.
AVNOS COWiPT ©VHT
NOTE: This al^rt will be Bccompam^d by the TRIM AIR
AVNCS OVHT tight on the ovBrhead panel, which will rs-
main ilkjfvinai&d until reset by maintenance.
Ar Systom
TRIM AIR .
Vcnirr MANUAL
VERiPi^OFF
< r _ AVNCS CQMPT QVHT- ALERT REMAINS DISPLAYED
[no] "^ — —'
N^^ ?='ACKS1 A3..... ^ ,-...,..,. OFF
1>
'AVNCS COMPTOVHr ALERT
^REMA^NS DISPLAYED
PACKS 1 & 3 mast remain off for remainder
of fiigh t.
(end)
PACK1 .__..^ ON
(''AVJ
''AVNCS COMPT OVHT ALERT
DISPLAYED AGAIN
1^
>
PACK^ OFF
W;ien -AVNCS COMPT OVHr alert is no
'jngsr displayed,
PACKa ON
AVNCS COMPTOVHr ALERT
SP LAYED AGAIN
>
PACKS OFF
Packs 1 & 3 must rerriain off tor
reminder of flight,
end!
J,
(end)
I
1
I Pack 1 must remain off for remainer of
flight.
T (^
Pack 3 must remain off for remainder of flight.
fENDl
Figure 26: Quick Reference Handbook checklist, MD-1 L
It has been suggested here that
though many subsysrem displays,
and some systems, have been
considerably simplified, other
subsystems have become more
complex. Older aircraft contained
several hundred discrete cockpit
alerting and warning signals (ref 65).
In carrcnt-technology aircraft, a small
area on the primary EICAS or ECAM
screen is considered adequate for the
presentation of all warning and
alerting messages (though scrolling
through such messages may be
necessary with compound faults).
The messages themselves are highly
abbreviated; quick-reference hand-
book checklists contain procedures
for each abbreviated alerting message.
While the number of discrete
alerting devices has decreased
markedly, the number of discrete
alerting messages that may be
displayed and may require action is
still large, though the number of level
3 (emergency) warnings has been
kept as small as possible and non-
essential warnings and alens are
inhibited during takeoff and final
approach. Nonetheless fault
management may still be complex,
and newer aircraft are operated by a
crew of two instead of the former
three persons, so there nnay be more
for each crew member to do. It is
largely for diis reason that Douglas
has automated many MD- 1 1
subsystems management tasks. A
sample QRH page i^ shown in figure
26- It contains the checidist to be
followed in the event of ar avionics
compartment overheat alert. A
manual troubleshooting procedure is
diagnmmed logically.
to tne ^lane s track. This infonnanon was previously avaiiabis on the FMS alDhanmn?,Sr
screen but the arrow provides the information in a tnore ii4.ediately untetanSe& n Se
sanie diagram, a curved predictor display shows where the airplane wUl be at some S S Ae
41
future if it continues in its present turn. In figure 18, a snoall arrow pointing dowmvaid from
preseu airspeed is a arnd vector, it points to the airspeed of the airplane 10 seconds hence if its
present rate of deceleration continues. These are just a few of a large number of enhanced
information displays maae possible by autonaated systems in glass cockpit aircraH
A good example of enhanced intormation displays is the use of the navigation display for
flight plan verification. The entry of geographic waypoints into the FMS prior to departure is
known to be an error-prone task: elaborate procedures involving the entire flight crew have been
instituted to decrease the likelihood of errors in perfoniiing this task. Nonetheless, input errors do
occur, arc not obvious, and can be cxtrcmely serious. The destruction of a Korean Air Lines 747
over Soviet airspace is thought to have been due in pan to an INS programming error that occurred
many hours earlier, before takeoff from Anchorage (ref. 66), In a more recent case, a Delta 747
and a Continental DC- 10 nearly collided over the Atlantic due to an input error by the Delta crew
before takeoff (ret. 67).
Newer automation permits the use of the navigation display for graphic visualization of flight
plans. An expanded range (up to 640 NM in the 747-400 and MD-11), north-up presentation of
the flight plan enables the flight crew to detect obvious or gross errors in the waypoints tiiey have
inserted into the FMS. At present, no terrain or other geographic orienting features arc contained
in FMS databases, but it is expected that future electronic library systems (see below) will contain
such features; they can be used to provide even more assistance to the crew in detecting errors in
flight plan construction. As always, there will be the added cost of learning to manage the new
system and of stiU more information availability.
Even older aircraft incorporate a variety of more-or-less automated information displays; the
altitude alen system discussed on p?ge 38 is an example. A manually-set digital altitude reminder
is compared with actual barometric altitude; alerting signals indicate when the airplane appmaches,
attains or later departs from the selected altitude.
Aircraft equipped with flight management systems but electromechanical instruments utilize a
small monochiDmatic CRT display in the FMS CDU for the presentation of alphanumeric
information derived from the FMS> These screens will undoubtedly also be used for digital data
received by data link units in such aircraft- TCAS incorporates a plsuifonn display of traffic in the
vicinity of one's own aircraft In some installations a dedicated CRT is used; in others, TCAS
information may be shown on a color ractr screen, while in others, a new color display combines
a presentation of the instantaneous vertical speed iruiicator (IVSI) with a snisdl pianform display of
traffic. This instrument replaces the conventional fVSL In nearly all glass cockpit aircraft, it is
expected that the information will be shown on navigation and flight displays.
Discussion of Information Automation
The purpose of information automation in the cockpit is to enhance the flow of information to
the flight crew. This information is necessary to permit the crew members to maintain full
awareness of their situation. "Situation awareness" is a term in wide use, but it has been difficult
to define at all precisely. It is thought that much of the difficulty in arriving at an acceptable
definition may he semantic rather than substantive; like other terms of art. it may be more difficult
to detlne than to understand- Sarter and Woods have reviewed the literature and have suggested
ways of delimiting the term more effectively (ref. 24).
In situation awareness, we include the crew's perception of the state and status of their
airplane, its position in space, and the state of the physical and operational environment in which it
is operating and will operate in the immediate future. Information automation, like all other aircraft
automation, moist assist the crew in maintairung situation awareness.
42
co4;|*/„'^*^^S «--;^^^^^^^ Uiccn Place .„ „e..
appeared in transport aircraft. In fact the vkrm^, S^ f'^J'^y^S^^ ^^'splays have not vet
represent a step forwatxi, in that Lkc?nfZS^o^^!^i;sutZ^^'^^ ^^°^" "' ^'^^« '« <^^'
oeen combined on one screen, car.fuliv desiened S nmi.i 1 ''" ^'^^ °' '''' instruments has
much contioversy w.th respec' to Lhe>St^ '"^ °^^" '=^'^^"«"ts. There i
should have higher numbers above or teLT how ,^?,l? i'' ''•'^"' ■*'^^^'^' *^ aurspeed tape
phases of flight, etc., but almost nori amiZo^r,^^tf'''^T'' '^^"^^ ^« ^^«^" in varioS
format should be letained. ^ operators and manufacturers about whether the bam'
P^"^.^!^ -XVrctcir^oS^c?Sf .T"^^ -ore ^nfonnafon on a s.ngle
mdicauons, m particular, have been in"ei^ pl^^^K^'l^f'"^ """'^P'^ ^^P^^^^- The airsneed
manual pointers on the circutnfeienc^S Srsni:^]^ in? .^"^^''^ ^^"^^^ ^° ^^^ "^'-^g^- f .mall
current aircraft, these are presented autn,i;ftJI?f^ indicator; as reminders of critical speeds- in
FMS database. WhetherTavTnf to Sin iV" ^^^^^ ^P^' ^^ ^^y ^ sS Tn the
improved pilot awareness of thim S whether fnvS^'' t^"^?' "'"""^'^ *" °lder aircraft
automancaiiy.isnot Wn. ^^ ^r^^tnl'^llZt:^^^^^ ^^em
ex^L^ililS^^ aiso be available, as are not-to-
limits for ma^.mium perforicc are shown oJth.^l^^*"t'=°"^^^^^on ^ank and pitch
decision height limits, indications tisat key ^it^defarfSi^a ''^^'^^^o^- P^e-selected altitude or
also provides rate of change information irrlc , ■ ^^^ *^ ^^ extreme right of the PFD
chmb or descent to avoid coXti^ Sc is Lo .h''n'°^""''Vt.ii°^ information requMng a
wammgs. Windshear advisory infonnatioi ? l^ u °" "^"^ '^^^ ^^ ^^ reinforced by vok:e
accompanied by voice warning? '"'°™^^°" '^ '^ ^Iso be shown on Lhe PFD and will Lo te
woui?TuSe« X^tlff^r. ^°^X1 SSf n^^ ^^ «^^ P"-^ ^'^P-rience to date
quantity of information onto the sSce of «c???"i-^*'f" 1°'^ ^^ *= compresTion of a i^ee
personal communication) that at S som- nS' "^^'^ '^ • '^'^^ ^ indications VJSn
airspeed and altitude precisely whSi the^Se^vCSfo^rH'"^ T"", ^^^^"^^^ ^" maintaining
round-dial format. This may be due toTuhS^l^J ™^^°." J' <i"Play«l in a tape ratlier thar
n^prove the displays do not ap^ to have reS ^e'nShl' "^^ "^r^.^'^^^ys, though eSs to
b^own to have caused significant difficulti^str^iTr,^ ^"^ ^^^^^^ ^ Phenomenon is not
been conducted to determine this Sere have ^.n-^^^^ ^"^'' "° '^'^''^ research na
airspeed (presented in tape fonnat) hafScaJS m h ^' ^" "e^^technology aircraft in wS
^ W%' '"^ "k" "°^ P^^^^^^ ^° dete-me Serl^s'^^^^^ "T^^ approaches to
re^.ce on other protective features of the automation Jhl^ff ^"^ ^''P'^^ "^^^^' ^^^ ^o over-
mode bemg used. "'*' automation which were not, in fact, operative in the
E)espite the apparent effectiveness nfPRTTw^ «• .. -
continue to expIoi?*kiemative foS'invSSIf^ ^ *^\^' ^'^^^y- ^""^ factors re<^an;hers
state and fumre path. Tne linSSl^l^SX^/h."?^ P^^'^^^^d display of attimi! pS^JS
c^ be an effective substitute fo^ *e c?n^ nntal S^S^^p^^^^^^^^ '"^^^ ^^^^ d^s^'vs
there are conditions under which such disnlav. wr,nM ^e conditions studied, but whether
known, and it is also not known wSthi such^nnitl''' ^T'"^^ ^^^cknt infomoation is not
^J'^:r^"'''''''^^'y°'''''^^^^-^^on^^^^^ r.""^^ convey significan
(page 33). manufacnire. and operators have electSd^s?^ ^^ '^T^Zf^^^^
43
simplification of the information displayed would not be appropriate during cruising flight on
autopiiot.
1 MACH
1 HOLD
A/PCMD
F/DNAV
ALT ink Hi \
MOLD MAV OUIE \
■ Icou^mj :
Figure 27: Simplified PFD presentation.
Such an approach is shown in
figure 27, which depicts a com-
pressed presentarion of the data
required under such circumstances.
Research would be required to deter-
mine whether such truncated displays
m fact permitted performance
equivalent to present displays under
all conditions, and whether detection
of anomalies was as easy as with
present formats. The use of different
displays in different management
modes might reinforce pilot aware-
ness of the operating mode.
MAX
NML-
THRUST
The primary flight display is not interactive; pilots cannot nxxiify it, as they can the navigation
displays, to suit their circun5stances or cognitive styles- Whether this should be penmitted, or is
needed, also deserves discussion. If some degree of PFD reconfiguration or de-cluttering is to be
implemented, should it be at pilot discretion or should it be done automatically as a function of
flight phase or automation in use? Should a range of PFD options be available? If so, why?
Power displays: The pilot requires conrinuous information about the power being
developed by each powcrplanL and information about any anomalies in the propulsion system. Is
more than this needed on primary power displays? Abbott and colleagues (ref 61) have suggested
that detection of power anomalies might be considerably enhanced by simplified disp)avs. They
point to the Air Florida 737 accident on takeoff from Washington National Airport, in which,
despite contlicring information on the various enghie parameters due to icing of temperature
probes, *e takeoff was continued v/ith engines developing much less than takeoff Lhiust (ref 68).
As noted above, raw data on
several engine parameters is displayed
even in highly automated aircraft.
The Air Florida case points out the
importance of maintaining a scan of
all of them, and the display shown in
figure 22 attempts to case this task.
But what the pilot needs to know is
simply the instantaneous thrust being
developed by each engine, and
perhaps any trends in thrust. This
could be done by modem automation
driving a very simple display, as
shown diagramnaatically in figure 28.
Configuration displays and alerting systems: Much progress has been made in
simplifying alerting and warning systems. In view of ti:*eir very high reliability, it is necessary to
consider how pilots can be kept alen to the possibility of the failure of such systems. This has
traditionally been done by relying upon pilot knowledge as the primary tool for configuring the
aircraft, reinforced by the use of checklists to verify completion of the required actions. The
autOiDated warning systenas are a backup check that the most essential items have been attended to.
This approach has been extremely, though not invariably, successful, as the Dctn^it and Dallas
Figare 28; A simplified display of engine thrua t^rameters and
trends. Engine 4 is still accelentting but is conimanded to reach
normal takeoff thrust.
44
takeoff accidents make clear (refs in An^i ^%\ n.- ~ u j
resistant? Each added kverof^utomarSn i„J;^ more be done to make the system error-
more devices that Sff Jr.^ automation introduces still further complexity and expense, and
alter oiiSJ5'atralS.Td"vS I? ^^'^ '^^ ^^^^'^ -^^-^^ion and
functioning of aiftransporf^ mstoSdrSJhtl^f.S^^^^ "^ ''''""'*^ ^° ^-^ successful
redundancy than thev do now so^zt S. L ^"^"^^^ ^^'^g systems -ncoiporate more
safety. Would such i approach YuSfe/i^^^^^ '']''T '''"'^^^ ""• ^Womise
recognition that we have aSv tlSriS 7 ; ^ ""' '.''^"^^ ''°'^' °^ '^'^^^ u simplv be a
now build automation^tl^rXSL^m^StSS^^^^^ ^- - --
but one of a number of kinS of S ^sS to as^^lh^ ^ ^^ ^°"^'.d««^ automatxo'n to be
now aa essennaliool in certain rS^cS^T^fs£,wnrv1S A^:>n^^^ f'^''"- T'' ^"«>n^tion is
primary flight control be the only case? C> SonlH nthi I ? ^^ flight control system. Should
fault-tolerant architectures and h^dtare^^tf we InJ^^^^^^^^^ ^^^« incorporate
despite highly capable autornation to S^ist tf^^,^ i n ^^^^^ ""'*''?" ^" ^^^^^ humans foiled
acknowledge that such fail^ ^ en<Sust?x^ns"ve I^^^^^^ ^ff =^"^^y' ^^ "^"^^
human operator error, we must o^c^^t c„.k ff i ?■ "^^ ^P^^ider all that is known about
Are there^ays to ixiake thrhuS^^Jc^Tyt m^^^^ ? ''f'' f^^^' ^^ ^<1 ^0).
detection of configuration problems? erro. -resistant and error-tolerant in the
s.4it^m^LntnTn.I^:^^^^^ "^Tirra^^"^'""' ''^ ^ -'^-^^- -^ --aft
tri^nagement, as discussed on pfge 3^^^^^^ ^^^' ^^'^f^ control and
about subsystem operation and subsystem cU^I^s^ "^ ^""'''°"' ^^^' ^""^^"^ ^^n be asked
mves?gSit^rtiSX^^^^ -itches is under
feasible is no longer in doubl TouTVen?^?v?^or^ embedded control devices are technicaliv
Miether they are fuitcd fOT^crirct:S is^^^^^^ ?"^°*^ ^ commonplace ,
wiu- issues related to safer.- MdaSa^SSiStS^n q ^"^2' ^^ ^' ^»«-''^o^ » confounded
clear, have to be it^dundL^f S^re S^ome thSv' '^'^^T ^^^^"^^^ °«dia) would
the othc- hand, the coming iii!erimrion^?^fe?4^?.r\r ^°^ On
suggests u r desirabiUty of locaSTSie .v"^^ i^ ^T checklists on system CRT screens
checklist. (assummgthat^,^Sti(i?conttu?Jn^^^^ '^°'^ '° ^°^^ ^^ ^y"°Pti«^5 and the
probably will for critical ^mLS^^^ ^ T"^ operation to some degree and n
reach). Qew input e^S; S ^ £^eriS1ffll ^ ^^ ^ P^^^^ ^- -Vv
on the display. What would S the ne^Tllrr^ ^S^^^osts I^S^^^ S^^^^Sl^^-^
paneJon^r IS^cJ^^r^S^h^oSr^^^^^^^^ -^^>-- control
synoptic screens. The lack of tactile feSbark Snf^L ? 2^ '^*'' "'^^ ^'^ well-designed
compensated for by an auc^wf cLck ^e^sud? sw^X T'"^^' °V ^^P^'> ^^"^'^ perha^be
switch should have a visible effect on Sii^rT r^^ ^^"^^"^ ^"^^ "^^ oP^^^tion of the
likely to be. a feature of electioniTcKsS^hl?^ nnl $^"f ^iP^^^^^^J.^^sing and verification is
either or omission or corm^^nZ^^^^^Z^^,^^^^^^ '^^T^ '^«^^ against errors
that more automated checklists may dec^Se S rwai^ness^^^^^^^ '^''"' ^""'^ '"^gests
system status, and this may be an impom^ni cLt r^^^^
evaluate the benefits and cos4ofinct^Sti::SiiSn.'^^^^ ^^ -'^'--ay to
Regardless of the approaches that may be taken in th^ fnf,.r« ,^ » r
45
the likelihood of pilot actions that can threaten flight safety is warranted as a means of improving
failing dunng flight
nusmanagemen:
engines
SWITCH D!3PLAV
Outpjt I
SwRch respond,
nova^s r»spon6o
(npu
owich re«pon««
and valve r»sDonae
\
Figure 29: Electronic display of switch position and function
The advent of synoptic displays
in cockpits h.is given rise to another
question about the display of synoptic
information. On such a screen,
should a switcn display indicate the
sensed position of the switch itself, or
of the device affected? In older
aircraft, disagreement between
physical switch position and the
control actuated was usually
indicated. This can be done on CRT
displays by sensing and displaying
both function (fiow, pressure or
voltage) downstream from the switch
or valve while mdicating switch
position on the switch icon, as is
suggested in figure 29. This
approach would increase display
redundancy as well
How much information does the pilot need under various circumstances? A variety of
displays is used even in older aircraft, depending on how much informadon regarding a given
function is, or may be, required (figure 30). The formats available aie limited, though either dial
or tape representations of data can be used. Each level of display ha5 bcnctlts and costs in temis of
iegibiiity, required space and weight, and mental workload necessary to assimilate the information.
TJe questions must always be asked: "How much information is enough? How much is too
much? Though pilots always wanv more mformation, they aie not always able to assimilate ii To
provide too much information simply guarantees that pilots under high workload will ignore some
of 2t, and which data they will ignore under particular ciicumstances is not predictable
SYSTEM
QUALITATIVE
DATA & TREND
atAwrrrATiVE
DATA ONLY
Ql)A^mTATIVE
DATA & TREND
MORE EXACT
DATA ft TREND
Figure 30: Araounts of infomiaran presented by various electromechanicai displays.
46
[S YS 2 ON]
fsusp
I
SYSTEM
FUNCTION
SYSTEM
CONTSNUir/
NODES AND
CONTINUITY
NODES AND
SYSTEM DATA
The glass cock'jit has
made it possible to tailor
displays mo/e effectively, ar.d
to provide alphanumeric,
graphic or iconic represen-
tations of data. A continuum
of displays is again possible,
from the simplest indication of
overall subsystem function or
failure, through very simple
diagrams of system contin-
uity, to displays of systems
nod^s and continuity, to more
complex displays that tsrovide
quantitative data regarding
these functions, as shown in
figure 31.
by a^os't r SS SSTt^e^ ^Sot'ed'atrS^ ^^';?;> ?-P^«ity is again accompat.ied
penalties of additional instnirSnt^'a^^'aSLcS^^^^^^ ^' ^^^^^^ -^' P-ce
malfSLToZ? 'S^e'jSsU'lJ^rh;.^^^^^^^^^ P-PJf^y^than .hen they are
data would be prtsentul when a subrnt^^i wa^ woS^^^ ' ^"^"^""^ of
cither automatically or on request when Tsv«em n^?l,n^ ^' T^ '^^ ^^"^<^ '^ pT«sented
switches were being used,Sy woirbecSTvaTi^rS?^" >r« detected. If touch- sensitive
approach to a fuel system is illumtSS fi?^ 3? t?^^^^ ^'^^''' ''^'f ^ ^^ ^^^- Such an
diagram on the left, and a more comS»r^ dS, w.tll^t I °? ^ ^^'^^^ simplL-ied synoptic
the nght. Would such an appxoSXvtd7S,r4?n ^n "f ^"' T"""^ '^'''''^ operation on
pilots when it was not required'> mformaaon as needed without needlessly distracting
Figure 31 : CRT displays of system information.
£L!EL12
FOB 116,300
FUEL ?,2
FOB 116,300
[ 3 ]
Kgurc 32: Hic^y of subsys^rr. Ui^iays; simpLAed fuei sr-tem .ynoptic « .ft
expanded synoptic wxth u»i..V ^^e! swiu;hes aVr^t ^^ ■^'*
47
■il
v-ri^!?™^''"^ °f^'^^°"^'^'>^' ^n an automated aircraft, pilots must be able to monitor the
S nS?S'e^;n^^l?^^.^ "?^ ^ the iunctions cont:x)ll^ by the automation. Mos. cl4m
•^?^rf ^hU fhf^^^ ^'^" ""' "5-^'*^ pushbuttons to irdicate computer failures. Is this enoueh
L'^^ the flight crew remains aware of automation status ^nd pn^.per funcfionmg^' OrTc
another synopdc devoted specificaJIy to the automaiicn required? ut.un.ng.uii.
th.i wi-^rl^ri^^v' r''!?^'''''' ^T' "^u* "^^'^ "'"y ^' ^^^"'^ necesiar>' to indicate degrad^tior
thai vviJ not be obvious because backup channels or processors are in use? Manv o'-Se diir'
FIX?',? ^°f P"*^^%^" current use do not indicate to piiors that one of the ^'^^^^^
faiieo, though the informaDon is logged in maintenance databases and, in some urciff thi'
^i^^!!''''-?.'' T '^''■'^\' ^^ T-i^ ^^ ^" ^-^ ^^"'-^-^ I^ ^^^ inf ormanon needed^ n £ ' r . ^
necessary to alert Uiu pdot when manual operaaon becomes necessary, as in the MD-Ii ASC
architecture It can also be argued, however, that pilots should be able to ascertain th^tlhe I^sen^e
capability oi the autom^uon is less because a backup processor is in use.
The Future of Information Automation
Electronic library systems, designed to reduce the amount of paDer now reauired ir
^,Sf '^^'''' "^ ""^' ^?7 development by at least t^^o airc?afrLJXS^s Sd iverS
^S' ^^vWS^.^^t^^ *° ^ ^'"^"^ ^" ^^"^"^^ ^"^ ^"^"^^ generations oT^s^n
aircrait mv.y wiU probably be able to access dau stored in flight management system romnutV-s
but they may not be permitted to interact with those computers J avoid clSon ^bS
each^r^^7f't!;eJT.?trii5^M ^ '^*' '^^'''' ^l^^o^e^ d^d^cated CRT or flat-panel display for
eacr. piiOc if they are to be able to present graphic information in fine detail (annroach nlate.
etc ) display resolution will be a serious issul! Tlie organisation of LfotS^S^^n Set
qLSSv wCftl^ni^H'^^ considerable research to tnsuie that infonnation^:n be iSc?^^
quickly when it is ne Jed. and such systems may add to the cockpit mformation glut.
b?ndbS''wfn^fk?i!f'''^^' 'V*"^"? °' '^'''^'"'^ P^P^^ ^^'^'^^^"^ a"d quick reference
handbooks, wih also be introduced in the next generation of aircraft. Depending on dieir
capabUmes, these systems may reUeve some, or a considerable r.an. of the rou^Le wIrSoS o^^
pilots. A continuum of elecoonic checklist automation can be mx)posS: workload of
FROM: • 1. Paper checklists prcsendy in use
• 2. CRT depiction of data on checklist, with scrolling on command
• 3 CRT depiction of checUist data \^'ith internal nionitoring of status of items
and aufo-scroiling
• 4 . CRT depiction of checklist with automatic execution on command of flight
• 5 . EICAS statement of checklist required or a problem, with execution of
appropnate checklist after consent by flight crew
• 6 EICAS statement of problem foUowed by automatic execution of checklist
without need for action by flight crew
TO:
• 7 . Automatic checklist execution when required; subseauent status announced
to ilignt crew
• 8 . Fully automatic checklist execution when required; flight crew not notified
48
iM^
D.
This approach is similar to that proposed by Sheridan in n discussion of task allocation and
supervisory coiiRol (ref. 73). The approaches currently in usj in the A320 and MD-11 differ
somewhat from those dcscnbed m this Ust. though the MD-11 utilizes option 7 for subsystem
reconf(gu.ration^ Elec^tronic checidjsts are presently under investigation by Paimcr and Decani at
.V AS A- Ames Reseaich Center {ref. 71). Whether pilot situation, or more properly^ state
awareness is enhaDC<?d by iiaving to perfonii checklists is not known, though it is known that
preseni practices, v,ith rega«I to checklist completion are by no means optimal (ref. 74).
Air-ground digitai communications: The technology for digital communications
between ground and aircrait is already m wide use (ACARS). Mode S transponder links will be as
widely u.sed wuhin the next few years. Satellite communications will extend high-qualitv digital
commumcation to aircraft flying beyond line-of-sight range from land. The bandwidth of
communication.s cnannels wii] increase enormously, leading to the capability to transfer much more
information to the cockpit
The most important issue raised by this new capability is what information needs to be
trans.eTTed, in what form, under what circumstances, and over what channels {voice or digital) for
what reasons. Desi^ers as a community need to be involved in considerations of these auestions
now m order to be able to troplement cockpit information management in consistent and rational
ways and to oe able to integrate mforamtion automation into cockpit automation as a whole. There
will be considerable pressure to utihze the additional capacity for information that may not be
reiateu to the critical tasks of the pUot. and this pressure must be resisted or channeled to more
appropriate persons or systems. There is quite enough information in current cockpits, and not
enough integration despite advances in recent years.
49
4
Management Automation
system, the functions it perfor4 i"s i^Ka^es Jth The fl"^^ *' '^?^"' ^'^'^' management
this technologv We w^V ^uee-s- wh-rp ni„hfl, *^ ^'^^^ '^^'' ^'^ ^^ questions raised by
what new problems mav t^stnthkdn^i^^n^ autor^.tion may go in tne future, and
opera'itsrw'r^r-^l.^r^rS^^^^^^^ comparatively recently, atriine
despatch were extn^melTSTm^nswf luTtL^^ H.ght and c^w scheduling and
taken over niany of the chores of flmhrnr^^^i changed riadically; digital computen have
flightpians are now dcv^S onl?^t L S?^^^^^^^^ ^f^ '''"'^'- C^'^P"^'^^ g^n-^^ted
are high; diversion panen« ^ Tu'^Sd hv° oJ^^T ' f''''^ ^l^""'' c^pccia^'ly when fuel costs
at air carrier stationrS .SS St I^^^^^ T "." ""^^^ '^°''^ °^ ^"^^^^ ^^P^^^^"^
take mto account such variSri^ntemn?.^ "^ extremely sophisticated; they
«.htt^ageLnt5"Sfth?,"£.^^^^^^^^^^^^^
decides what is best fo4is ot he? flff^t nS .P "' ^^'""^ '° '^^ P^°^' ^"^ ^^- Captain alone
and Address ReponSg SvTte ^ (a!? VR^f h^^ ^^^ Comniunications
between pilots and co4^v Income c^^e^b^^ °^ '^^ ^°"^^"^ ^""^^g^ ^^^^^
airplane parameters used t6 detennin^^S^'o^c • ""^^^"^^ recently have sensed only a few
g^e arriv'Il Uhough e"ven tiislS^caj'bi?^^^^^^^ f ^
landing at and immediately (and illeeallV) takhio nff fr«f If ^^^ ^"^ *" g"*^ *^="' after
companies. Everylne irv^lS^l^^^^^^^^^^ ^^' ^ down-linked to
direct interaction S^ATCcCpute^aS^^^^ '^^ ^*"^' '° ^^'^^^'^ ^"^'^^'^"-^ ^e
potentialfort^dicalchangesX^c^ci^trofi^^^^
devefoptet ^t^TtS'SaTirnr "ern^?^^^^^^^ Ifl '^ ^^" ^^^^^^ - ^ ^^g^ ^^- o^
operations, for it is by no meiisceSnwhTr..^^^^^^^ larger context ot aviation system
for the basic allocation of" l^^^^d^ctnVh^^^^^^^^^^ "P^''"'" ^"^ P°"^"d
Tl.e implications for the human, who op.r^i\r!^Sc\'ysS^'^Tn^^f. "^ ""^^^^^^ °^^^^^°"^-
com^tco";Zro7^L:\Tn&^^^^^ ?rZ°T "^^J^ management systems are
systerns as well as v^t^ Sot pSuS 33 s ,n^r f "^ "'"^ ' ^=" ^^^ "'^'^^ ^^'^^^
operational program (co^iS iS this cas^^/v.Ti/rff"'';"' computer (FMC). includes an
base,andap^ianLS"tSIVorSraSrn whiT^^^^^ ^ --^-- ^-
50
F^gu.. 33: Interacdon oi P.,k. management computer w.th other a^craf. av.on.cs (Tioncy^eli FMS for MD-l 1).
The RvlS software executes these functions:
Navigation
Performance
Electronic instrument system
Control-djspla\ uni»
Input/output
Built-in test
Operating system
Aatomatjc radio tuning, deiennination of position
velocity and wind.
ri3jector>' deienainaaon, definition of guidance and
control targets, flight p^;h predictions.
£n-or determination lateral steering and contrc!
command generation.
Computation of map and situation daia for display.
Processing of JceystiDkes and flight plan construction.
Pn)cesaing of received and transmiucd data.
System moniiohng. self testing and record keeping.
Executive control of tiie operational program
memory majiagcmsnt, and stored routines.
The data base, £loSdl specific S c"^"om^^^ ««-"•
and airway rout, structure data. The stoied data Scffi th. iS or of WF nr^^"""?" ^T
airports, runwavs, geographical ref^re-«» r^^w or,J ZZ 1^*"°.'^ o^ ^^nF navigation aids,
staJ^dardinstruriemdep^fsmSd^?;" oul^f ^"^'^ as
additional waypoims c^n be enVeS^i'^'r^;;.^^ ^^^^^ ^' ^^^P-V ^o>^tes. Up to 40
51
^m
The FMC perforamnce data base reduces the need for the pilot to mfer to performance manuals
during flight; it provides speed targets and aldtudc guidance with which the flight control computer
develops pitch and thrust commands. The perfo^-mance data base is also used by the FMC to
provide detailed predictions dong Lhe entire aircraft trajecto^^^ The data stored in the data base
includes accurate airplane drag and engine model data, maximum altitudes, and maximum and
mmimmn speeds.
Functions performed by the FMS include navigation using memal data from inertial reference
units aboaisi the airplane and a combination of radio aids whet^ available. It provides lateral
guidance based on a stored or manually entered flight plan, and vertical guidance dma navigation
during cbmb and descent based on gross weight, coiit index, predicted winds at cruise ainrudes,
and specific ATC consnuints.
Flight management system
controls: Interaction with all flight
management systems is through a
control and display unit (CDU) which
combines a monochromatic or color
CRT or LCD sciecn wth a keyboard
An example of a CDU is shown in
figure 34.
s
e
e
B
B
fr
^
iBBai
ftm
ssamm
J /7\r7Y^irLnr7!i^Tir7iii'.
DQDlQBElHBa
Figure 34: Honeywell FMS control and di^lay imii, MD i L
The unit contains a CRT display
screen, six line select keys on each
siile of the CRT, a brightness adjust
knob, 15 mode select keys, two
annunciators on each side of the
keyboards, an alphabetic keyboard,
and a numeric keyr)o;ird- The mo(k
select keys provide quick access to
FMS function pages and data; the
alphanumeric keypads pcmnit entry of
data into the computer.
The newest FMSs provide a
number of routines to minincuze pilot
workload. Among them are the
"ENG OUT' function, which pro-
vides automatic or manual access to
the flight plan (F-PLN) or
prformance (PERP) pages to assist
in evaluating and handling an engine
failure condition. The function
enables FMS engine-out operation
modes.
Entr> of data is accomplished by
using the keypads. The entered data
arc shown on a scratchpad hne (see
below); when a line select key is
pushed, the data are trdnsfened to the
indicated line if they are Ln a format
acceptable to the computci.
52
Di
pages.
S^^'crrSr' n-, '^ft'4,^lSV.&l^^^^^^^^^^^^ of." i-SC n™^r of
=ach containing up fo U ™sSf iphai'Sr^c inSr^fSo^' i^ g^ 31
6
C3
—
I CO ROU
F-PININST
A L T *^ R o U T E
N4138,8
F LT NO
AAL1234
CHZ LEVELS
290.330/37D/410/I
TEMP/WiND
-4S1f TL120
A L * G N f' O S
r ROM /TO
KORD / LSZH
A L T N
EDDfJ
LONG
W06754.3
iRS STATUS >
V.
CPr/MAX FIT
2S0/32a
(SCRATCHPAD LINE)
100
Figure 35: Control and disrpf^y unit scre^, MD-1 1.
The CDU screen shown here is
tht one that would appcai whcTi the
"INIT* mode select key is actuated.
The title line, at top, shows that thi^ is
the first of three flight plan screens;
the ethers may be accessed with the
PAGE key, T*he scratch pad line is at
me bottom of the display. VenicaJ
arrows indicate that tlje arrow kevs
may be used to increment values
The snaall font displays are predicted
default or FMC-calculatcd values, and
labels.
Tnt 50 CDU pages are arranged
in a *'trce" architecture. Portions of
the architecture are accessed by 12 of
the mode select keys. A ponion of
this logical, but complex, architecture
IS shown below in figure 36.
/
{ HEIGHT
J PLAN
\
DESTSNATION
(NEF-TIA..
REF SYSTEM
^ STATUS
H twrrft^
\
1 IAl!?AT)ON
\
^
W€(GMT(Krr-
iAtlZATKX
^ ECONOMY
CIJMS
FORECASrr
,1
/
CtiMB 1
\"
«=«/
\
ALTTO '
THRUST
LWfTS
' MANUAL '
T4RUST
LIMITS
ra—
P*^£SaECT
CRUISE
u^a,^
N
V
\
PWESEi-ECT
D£:5CE^n'
DESCENT 1
FO«FCAST \
i
Figure 36: FMS mode screens, MD- 1 1.
These diagrams show the tree
structure for two modes of this FMS.
There are 12 such structures. While
each IS logical within itself, studies
have shown that the actual number of
necessary paging sequences is much
larger. In a study of another FMS of
the same generation, it was found that
the number of sequences was several
times the number planned for by the
manufacturer (rcf. 76) These
structures, as well as the displays,
vary greatly among aircraft types and
avionics manufacturers.
This large number of potential
trees involves a considerable atten-
aonal ctemand upon the pilot, even if
he or she is fully proficient in the use
o. the FMS. Since flight plan
changes arc most commonly rcquiit^d
dunng depanure and arrival re-
programming the FMS can divcn a
significant amount of anendon that
may be needed for outside scan and
for cross-cockpit monitoiing.
53
Discussion of Managerr .->nt Automation
Flight management system operation: Both piJots may interact with the MD-11 FMS
simuitaiieousiy. however the system will accept flight pian modifications only one at a time.
1 nere are two FMCs. each of which may accept data from cither CDU; one FMC is designated as
master, and beta must confirm data entry- before new data will be accepted. The two computers
communicate with eacn other through a private data bus.
Ln all FMSs the complexity of the mode and display architecture poses substantial operational
issues. Much has been done to simplify rcutme data entry, but recovery from errors in
programming can be difficult. Entry of certain types of data r r ,ins cumbersome and ttme-
consummg and diverts attention from other Hying tasks, as discus^-1 > -low. If aii incorrect entiv
us attempted, it is rejected, but without explanation of the error thai i.;d to the rejection as one
instance. *^ *
Ali mteracnon with tiie FMS is through one of two or iliree identical CDUs mounted on the
center console. Even ^mth color io assist, operation of the FMS lequires close visual attention to
the screen, Mid precision in entenng data on the keypads. Alphanumcnc data entry is known to be
subject to human errors: numbers may be recalled incorrectly from short-term memory
(iransposmon !s most coniraon). they may be input incorrectly, or they may be misread when the
! r.!f-^ '^ in the scratchpad before enuy into the computer. Some data must be entered in
aii%" deS?wT^:;^e"L^r^^^^^^^ '"""^ ''^ °" ""^ '^^'^^ ^" p--p^^ - -^
Avionics and aircraft manufacturers have made niany effons to n^e interaction with the FMS
more error-resistant. Standard or frequently-used routes are stored in the navigation data base and
may be recalled by number. SO^s and STARs are also in the data base; if a change is re^ut^^v
l^ln;..'' L r^"f^f n '^w^ P'lpc*^"^."^^^ be. entered. Changing the arrival ninway autoJiatically
changes the route of flight. Appropn-^te navigation radio frequencies axe auto-tuned as required
Perhaps most important, newer FMSs interact directly witJi navigation displays: pilotr. are shown
nl«n k rlfcnn^,hf ??K ^y^^' ^^^ ^^ ^""^^'^ ^^^ '^'^^ ^^ *"^^ ^^^^^ ^^' ^n alternative flight
efS:t ^ ^^^^ (though not necessaniy what was requested by ATC) befon> putting it into
In some new aircraft, entry of tactical flight plan modifications (speed, altitude, teadine
vertical speed) can be done through the mode control panel rather than the CDU. These entri-s
may eimer supersede FMS data temporarily, or may be entered into the FMS directiv from the
panel. Expenence with these improvements has been limited; it is thought Lhat they n^av resolv-
iSS^criSJs ' '*'' ^^^'""^ *^^ ^''^' ^°"^^ ^'^""^^ ^""^^ ^^^P ^^''^ °^ """^ potential mode
Vertical navigation profiles generated by the FMS take account of standard ATC altitude
constraints as weh as airpl^e perfoiroance constraints, though the air traffic control system is not
at this time., able to take full advantage of the capabilities of management autonition which
calculates profii^ based on actual rather than best average aircraft weight. Optimal descent profiles
will thereforcdiffsrencugbtocauseseqtjencing problems for ATC. *^ h c»
r-T^Tf" 'il*'^'^ aircraft manual tuning of navigation radios is possible only by interacting with the
CDU- Many pilots, have complained that alphanumeric entry of frequency data is more time-
consuming and requires more prolonged attention inside the cockpit than setting the rotary selector
knobs in older aircraft. b j> *»-iwua7i
Though flight management systems Duly permit pilots to manage, rather than control their
au-craft., the dynamic nature and increasing congestion of today's operational environment has
54
strained Uie capabilities of the human-machine interface (sec below). Despite this, the systems are
extremely effective and have enabled many improvements in operational efficiency and economy.
Flight management system displays: The greatest improvement in FMS display
capabaity has be^n its integration witl> aircraft navigation displays, freeing the svsiems from some
of tiie constraints impiosed by small alphanumeric CRTs. The addition of color to the CDU display
(early displays .vcre mvanably monochromatic) may help, though the resolution of the color
displays is less and the usefulness of color in this application has not received much systematic
study. The design of pages, however, still represents a compromise between the amount of
alphanumenc data per page and the number of pages necessa.-y to enable a particular function.
As shown above, the displays are complex and the number of pages is large. The attention
required for re -programming has led to undesirable ad hoc procedures in the cockpf an
appreciable number of pilots prefer not to interact with the systems below 10,000 feet during
descent, m order not to compromise aircraft management and scan for other traffic (ref 19 77)
rhis approach permits human resources to be devoted to more important tasks, but at the cost of
losmg some of the benefits of the FMS during flight in the terminal area (such as its knowledge of
altitude restiicuons). This is clearly a problem of human-system interface design, rather than a
problem m the design of the systems themselves. A number of research and development efforts
are underway to improve these interfaces and specifically to make them less totally dependent on
cumbersome alphanumenc data entry, but considerable attention to the CDU displavs is also
wammted. There remain mtportant questions about the integration of these systems into the overall
cockpit and automation design, and it is these integration issues that most need to be resolved.
The Future of Management Automation
Flight management systems have been brought to a highly-advanced technological state in a
very shon penod of ume. New systems will be able to take advantage of new navigation aids, in
panicular satellite navigation, without appreciable further development. Future systems may
provide further assistance to pilots by providing autotuning of communications, as well as
navigation, radios when new communications frequencies are uplinked to aircraft by data link this
means of communication will also beconjs the channel through which clearances and subsequent
amendments are transmitted to aircraft, and may become the primary means by which pilots assent
to or request modification of such clearances.
It is this technology and tiie uses that will be made of it that raises the most serious questions
concenung tiie future of management automation. Data linked clearances wiU require only consent
from puois to be entered automatically into the FMC, and acted upon thereafter. Will pi'ots fully
consider the potential impact of a clearance change before accepting it? WDl they be as aware of iis
impact given the ease with which new clearances can be transferred to the FMS'> Will situation
awareness be maintained? When the airplane is being manually controlled, will the flyin- pilot
whose visual attention is largely centered on the flying task, be fully aware of the changed when
they arc presented visually, rather tiian by voice as is the case today?
Pilot refusal to accept a new or amended clearance, on die otiier hand, will t«quire negotiation
between the pilot and conioller. How wUl such negotiations be conducted? Will thev be between
aircraft and ATC computers, or will voice communications be used in such cases? If between
computers, how will the pilots (and controllers) remain direcdy involved? How will intent be
communicated between the pilots and controllers? If the negotiation process is slow or onerous
some pilots will be tempted to simply accept a clearance rather tiian argue about it, especially wheri
thcjT workload is high. Ways must be found to avoid such problems.
Will tiie coirect reception of uplinked data be verified with the ATC computer before the data
are acted upon by the FMC? How will errors in automatic clearances be detected'' This is a
dilticult problem under high workload conditions today: errors in clearance readba-^ks arr, not
55
a
infrequently missed by controllers if indeed there is time between transnciissions to read them back
(ref. 78), Will the architecture of the new communications systeiris be designed to improve c.iui
resistance?
Error resistance could be materially improved by comparison of pilotHsntered FMS data with
clearance amendments, and by companson of critical data in the FMC with ATC computer data to
verify that an airplane is indeed proceeding in accordance with ATC^s intentions for it. This could
drastically cecrease the iarge number of altitude excursions that occur in the present system (ref.
79), and most important, could pxevent many such excursions before they occur rather than
detecting them only after they occur. Advanced ATC automation will look much farther into the
future to detect potential conflicts and resolve them prospectively (ref. 80); if the FMC is to
communicate with ATC computers, new metiiods of detecting and especially of avoiding potential
future errors also become possible and should be considered.
It is clear that the integration of the air and ground eletnents of the aviation system will proceed
at ail accelerating rate. At this point in time, when the architecture of the more integrated system is
being developed, all system participants should be considering how to improve system safety by
increasing error resistance and error tolerance, both by more effective digital communication and
by including data that can be used for error detection and mitigation. If this is not done prior to
ATC data link system design, it will be rruch more difficuh later.
Arc
COMPUTER
PRESENT
MANAGEMENT
OPTIONS
FUTURE
MANAGEMENT
OPTIONS?
FLT. CTL, I
COMPUTER
AIRCPAFT
Figure 37: Present and future options for management of air oraffic.
Questions regarding future managemeni automation do not relate to flight management as it is
now accomplishi^ but rather to the respective roles of the humans and computers (figure 37). At
this time, the pilot closes die flight control and manageroent loops. The coming availability of data
link between aircraft and air traffic computers creates the potential for other management options
56
that remove che pilot and concroller from the loop however Win ♦?,*«. y^„
options? It is accepted that human<: wiilreih fnlf ^.r!. .^ , V^ ^ P™^^"^ ^° "^^^ ^^o^e
bowever.rernainu,Lcomn^d;f'th:lTa"^^^^^^ f°^ ^^^^^"^ '^^'y- Will they.
level operating guidelines fS^ a^ ^1?fic^,^|"r^' when A^^^ ^^'' ^'^'' ^"'^^^^ ^''^^
states that, '-onHou.rs wfien AERA 2 becomes operational m 1999 '
4
1
Tt
■Responsibility for safe operation of
"Respons
controller
aircraft remains with the pilot in command
?n'Sf ^^'^^>' '°'' ^^P^^"^'^' between controlled aircraft remains with the
automated) system to detect ^o&:^^^^};^;^^-^^^:!lZ Z
I^TidTl^aKrb?^^^^^^^ -eais that separadon
estimation.. Therefore alem mfctwi ^f to uncenamty in trajectory
In it.s Executive Summary, the rrrpon states,
"The controUer will use amomation to the maximum extent possible."
'^^^nS^^^^AtZ^'^^^^^ ^'TST^I ^ ^/. toexet^ise more than
air traffic. Will advances in aSgTound ttomltirnTac' tS.^nnf ^ ""'P^"'-?^' ^"^ ^^ ^^^^' ^^
appropriately, given the concept of hurn^ cemt?-d Fuf^^^ ^'^°^ i" I '^"^^^ position? More
document, how can we design MdoSSSrfhf^f automauon set forth at the beginning of this
happen? ^" ^'^ °P^^^^ human-centered automation so that this does not
57
sm
^^M«lb
ni: THE ENVIRONMENT OF AIRCRAFT AUTOMATION
Introduction
It is not sufficient to consider aircraft automation independent of the environment in which it
exists and is used. All tools are products of the societies and technologies and individuals which
developed them; aircraft automation likewise is a product of the environmeni and context wnhin
whicn u was developed, and it is a tool for the people who operate and manage the aviation
system. Aviaaon is somewhat different from manufacturing, however, m that the production units
may oe both operated or controlled, and managed, by the same persons. To that extent, both
manuax and cogr.iove skills are required to be resident in the same operator, and the sharp division
between doing and -thinking" Lhat characterizes Taylor's scientific management notions (ref 8 1)
is not present. '
The European ESPRIT program emphasizes the '-human-centered workplace", and much
research that preceded it or has been done under its auspices has been motivated by socioloeical
and cultural concerns (ref. 82). This is relevant in this context, because in r.viation more than in
most endeavors, the concept of social "class" is blurred. The worken, to a considerable extent
are a^ o the managers m flight operations and in air traffic control as well, and failure to recognize
this d.ality has brought more than a few operations to grief. Despite the best efforts of those who
seek a clear denoarcaoon between labor and management, pilots and controllers alike persist in
acung in both capacities and do not, on the whole, behave consistently as one or the other:
In this section, we consider the context of aircraft automation: the vehicles, the physical
enyironment ano the operational environment in which they fly, and the people who operate them
AU have changed considaably in recent years and wUl change further in the near future. To remain
an extective resource, aircraft automation, now an essential tool for aviation system safety and
producnvity, must take account of these changes. '
Figure 38; Aircraft in the future system.
58
The Aircraft
semce\'3Tr'p^'p?H!S" J''*' "* ' "'* ^"f^™"''^ ^"spon wl"=i> coiila vastly improve
?« p^"m!v r^<Sr£" S^vi^T'S^i! '^^"'"^'^'^iy l^'«<= P»s«nser leads ,n less thL S ihe
C<,„cSr* haJ Sen S^i"lfn.ic V^e-r"!^^ '•'==^'- >"" '"= Aero.pa,:a)c
electiomechamcai instmSnS" comiittniSn^^^^^^^^ ^"^"'P^"" '^^^^P"^ contained
navigation systems ofSS caS!f cSlt f "^ autothr^t systems, and radio and inertial
Pilots could nwi-.agcLhe?^S?fvS^^ *^^ ^^"^ <="^^y ^^ n^eans of voice.
They must still instruct the autSma" L how u' c^^^^^^ T^^^^ ^' "' destination,
will be abie to be cormnunicated dSv ?o rh^ S5q i^ ,?. ^'^H' ''^°"^/' ^"f""^ "'^^^ instructions
shon duration at eSr endShf w.f^ ^ 'P '°"? ™5' may well conduc. flights of very
lennh "'Sh™, h,rf ■ ? 7 '™8W 'ughts; these shon flights may be one hour or le« ,r
air<^,,,iiffer,nii;ies^„'^'sS"JS^,StK^'"atffS^^ '"" '^^ °'
desiens High levf-k nf aiitr^moi^:^^ /. ^*^r^: *"*^^Ai. uuier suu iess in tuture denvat: vc and new
to ar'^tS^jj^^^rsrs^ii^r'^^' ™'^' " '°"'-'"'' "^"""- -■ "~ f-"
avet^^jS^psTth'S^ oro?%ch^; Tit'l' f '^"'^ =nvi„,n,«„t, aircraft flew, on
optinlzalton of sch^tSStf This to Sea^,' nmf™„H 1™' """" "°" '"'"°''=^ "'^^ f'«>"=^ by
aircraft equipn,ent; the fconol'TpSy vteptfraf I'S? n^
maintenance is sirnolv too mat rn n^rm;t.rr«,,«^iT^ an airplane on the ground awaiting
Redundancy of sy^£L^as^nS^a«S^ JIv?n^i ' T'!""^' ^T ^^ ''"^ ^^^"^ malfunctions^
awaitine^ repair hLS in^Sl^aS^ ^T^^fff^' ^"^ "^^ ^^ inoperative components
airlines: but like^many^erlSrw^rh?^^ of contention between pilots and
fact of life. It does T^uli p.lots'tSt';^p^\'ol'aSS£llU^^^^^ s^'^o!^^'"'- ' '' '
which they have become used to having nowever and tTrSratit.t.LTr ^ ^ ^^ equipment
.0 a variety of o^a„8 ^d ,nanage„'"K=Vs^ST4"iiI'fa^ta^"effig^^^^^^
59
m
Indeed, the proliferation of aircraft models within a single type and carrying a single type
cerdficate has also posed potential problems. During a flight sequence pilots in some carriers may
fly both early (197C vintage) and just-delivered modem variants of the same aircraft, c^jrving
vastly different amounts of automation, instrumenution and other cockpit aids. The enomiously
successful Boeing 737 series, of which more than 2000 have been delivered between 1967 and the
present, spans the entire developnrx:nt of advanced automation. The MD-90 cames ihe same type
certificate a^: the original DC-9-lG\ first delivered in 1963, and pilots in some airhnes may^fiv
severai of us seven models. Pilots are given differences training to' acquaint them with the feanWs
of tlie various models, but cockpit operations may differ substantially across models, some of
which may contain modem flight management svstems while others have onlv a simple autopilot
and fuiiy manual subsystems.
The Physical Environment
rnough aircraft have changed dramatically, they are still operated by "Mark F' humans in a
"Mark I" physical environment. What has changed is the amount of pressure on airiincs to
maintain schedule regularity in the face of uncontrollable variations in weather (figure 39), The
increase in aircraft flying hours on tighter schedules and the growing use of the "hub-and-spokc"
concept of airline operations have imposed increasingly severe penalties for delays and diversions.
A single non-arrival at a hub early in the morning can affect as many as ten departures later in the
day, Atrime gates are in short supply, particularly at hubs; this again increases penalties for a late
(or even an early) arrival.
Figure 39: The physical hazards: thunderstonns, high terrain, snow.
Though pilots still remain the sole arbiters of their operations when safety is threatened by
weather or unfavorable runway conditions, the tighter economic climate, reinforced by the demise
of many inefficient carriers, has affected everyone in the air carrier industry. Airlines and pilots
alike find themselves forced to operate profitably in a real world whose physical constraints have
not changed. They have doiie so in pan by gathering and disseminating more and better
intormation aboi:t the state of the physical environment, in part by the use of automated scheduling
and planning aids, and in pan by utihzing the flexibility of the human operator, who lemains the
primary defense against operations beyond safe limits tiird may be difficult to discern at the time.
This defense has not always been effective, as was shown in a Delta Airlines LlOll accident
following a microburst encounter at Dallas-Fon Wonh (ref 83). That they have usually been able
to do so in the face of unrelenting pressure says a great deal about the effectiveness of airline
training and supervision; it also says a great deal about the effectiveness of regulatory and
certification authorities in setting reasonable but safe minimum standards for air transport
60
li^
Q.
The Operational Environment
operatfots^st^rofth'e ^^.1^^ afcSen'eac.' "■^''" managen,ent system and the flight
must operate. The aul^ffTmlZc^nsy^t^ "^'^'^ '"^ ^''^'' ^^^'^ ^^'^^^ P^l ^ts
earner aircraft. AL^ earner fl^S?re^?on1 .v^^^^^^^ and controls all movements of air
traffic mar.gen.nt. P-ade a cJ^S^g^r^^^^ ^y air
Figun.40:i^e™e„.ofa.t:afficissh^a™o„gFlowCor.ta>l.ATC,A.i,neSche^^^^^^
a considerable degrel. Aow^nSent ?S ^f"^' nmnagement has b-^n automated to
tecome seriously STerloadedn^TeSesc^^^^^^^ ^^^tem does nm
flow of air traffic during contingencnnerat^om 1^^
emergences in ptog^ss. lUidef the^S^niTwlfct^^^^^^^^^^ -
landing slot at a congested auport) bSlme SaSbL^n^ eff^ ^^ '' ^ ^^^^'^^ ^'^'^^ ^^^iting a
ground at their points of de^ii Sei^Sse^? fh^TTr"" "^^^/^.^oW aircraft on §)e
stnke m 1981 forced the Federal Aviatio^AShtSfrinn i.^ '^"'""1 ^"""^ the controller.'
capacity of the national airspace svste,^ Sw ctT,^ wS L nH^^^^ ^'''°"^^" """^^ °" the
system was able to operate within^he caSiaTs^f thfJ^t ^? ^°"g^ ^"^^-^^ the
steady increases in air carrier traffic dui^ng the T980s coudI^ ^fhthP^'^^^rY*^ '""''^•^^- ^he
stnjce, again strained the capabilities of thf ai^soace sv^SS flo ^ ^^"^"'^ '^o^'^'^' ^^^"^ the
and increasingly autoiruted. provid^ the s^feS/S '°"''°^' considerably improved
61
obtaining a takeoff slot. Not so the ATC system, which controls literally every movement of cvei^
a^r earner airplane horn gate to gate. Air traffic coij'jollers and pilots together are the operators oV
Uie system; they share responsibility for safe mission completion.
Air traffic controllers operate a largely manual au- traffic control svstem under an extremely
comprehensive set of r.:ies and procedures designed to cover virtually every eventuality that mav
arise m die conduct ot flight operations. Though controilers have been freed to some extent from
purely proceaural control of au traffic by the adven.' of radir and altitude-encoding transponders
^-nich provide them witii three-dimensional indications of aircraft locanons, consnaints imoosed
by the mcreasmg volume of air traffic sdli force them to work largely by inflexible rules a source
ot continuing annoyance both to them and to pilots who are unable, by virtue of those' niles to
operate as etficicndy as diey would uke to and as theL- airborne automation would permit them' to
.he discrepancy between airborne equipment capabilities and die abilitv of ATC to permit the use
ot those capadiimes has increased and become more obvious since the introduction of h'lthly-
automated aircraft widi vertical navigation options.
irigure 41. The air uaffic control system.
The inherently manual nature of air traffic control forces it to operate in a highly ordcriv
manner (figure 41). The present system is highly intolerant either of disorder or of human en-of
as was tragically demonstrated m two recent collisions between two aircraft on runways at L<cs
Angeles and I>etroit (ref • 84), Incident reports demonstrate tiiat in-fiight emergencies also, while
generally well-handled, may in mm precipitate odier problems involving other aircraft (ref 85)
Indeed the ability of the system to handle anomalies is largely due to the flexibilitv of its human
controllers, who demonstrate great professionalism ar»d skiU in theii conduct under diflicult
circumstances.
The FAA has embarked on a major re-equipment program to provide ATC widi better tools
with which to conduct its opcraaons. Massive automation of the ATC system dunng Lhr next tvi'o
decades will penmt the limited capacity of U.S. airspace, and particularly its heavllv-congested
terminal areas, to be utilized to the fuUest extent possible, though widiout new runwav capacity die
^pacc system will continue to be onder severe strain into the foreseeable future As indicated in
the previoiis section, ATC automation will force drastic changes in the role of the air traffic
controller, it inay also cause major changes in the processes by which air Eraffic connx)ilers and
pilots have worked together to accompUsh the mission.
-Not ail of these changes will be bad, by any means; the automated en route system should be
able to accommodate pilot and company route preferences much more often than is now the case.
62
AERA by itself will not, however, be able to improve terminal area operations apptrciably, and
research h now underway both within FAA and NASA to assist terminal area traffic rranagemcnt
by providing controllers with automated decision aids to improve arrival traffic flows ^.-^f 64,86).
If, however, an automated ATC sys:em inhibits the abilit>' of controilen and pilots to work
cooperativeiy to resoive problems, it will severely limit the fle'xibiliry of the system, and the loss of
that flexibihty couid undo much of the benefit expected Srom a more automated systeiiL
Unfortunately, the gains in capacity from improved airspace usage will be limited at best
-without new runways or radical differences in operating methods. The social and political
p;oblems posed by new airport constniction have thus far seemed insunnountable, despite the
g owing dependence of the public on air transpon for both the conduct of its business and its
le 3ure (ref. 17). This problem is beyond the scope of this document, but the fact that it has thus
far been insoluble is forcing aircraft to operate to tighter and tighter tolerances. Separation
standards long considered invdolate have been relaxed in the Los Angeles and six other tcmiinal
areas; FAA and NASA will shordy begin to examine ways of pemutting aircraft to conduct much
more closely-spaced parallel or converging approaches to landing under instrument meteorological
conditions (ref 87). The latter change may be enabled, in part, by new collision avoidance
displays, along with better ground radar, but it may also require more automated operations under
these conditions, and both changes will ceriainly require higher levels of vigilance and will
probably place higha' cognitive demands on pUots and controllers alike.
It should be noted that the mles and regulanons governing air transpon have not been
conclusively proven to be '*safc enough" to produce ;m extremely safe system, though most of the
accidents that occur are due to contravention of those rales and regulations or to errors in carrying
them out. But we do not know how much of a margin of safety is embodied in those rules, for air
carriers and ATC have usually operated to a standard somewhat higher than the mles require. We
are now being forced by increasing traffic congestion to operate to the limits of the rales for air
traftlc management, and in some carefully-considered cases to relax them. This is an exercise
fraught with peril and it must be approached with the greatest care, tempcre^^ by common sense and
careful research and operational testiag. Improvenxnts in automation technology can help humans
io accomplish new and more difficult tasks, but autotnadon should no( be used tc increase system
throughput beyond the limits of human capabiht}' to operate manually in the event o^ autornation
failures if humans are to remain fully responsible for system safety. There is increasui^^: evidence
that this could be allowed to happen diuing the coming decade, at least in air traffic ccntio.
The Human Operators
In considering the context of aircraft automation, the most important facet is the human being
who operates, controls or manages that automation in the pursuit of human and social objectives.
Though in a previous section we made reference to improved aircraft still operated by the *'Mark r
human, this is tme only in a general sense. Individual human capabilities have not changed very
much in the shon history of aviation, but human operators, considered collectively, have changed a
great deal, in the course of learning to design and underrtanding how to operate the advanced
technolog)* that characterizes aviation.
de
An unprecedented expansion of air carrier tlight operations during the 1980s, coupled with a
.._ciine in the num.ber of available military pilots and changes in Federal regulations concerning
iiiring, has precluded the carriers from continuing to rely ahnost totally on fully-trained military
pilots for their new entrants. Person.s v/ithout military experience, often with more limited aviation
sackgroiuids, have been hired m large numbers ir recent yeai^. A large proportion has come from
the ranks of commuter airlines, some of which have regularly experienced turnover of well over
50^0 per year because of this. Morp women, minorities, and older pcx"sons have been permitted to
enter the air carrier work force. The overall compiexion of the air carrier pilot population is
changing more rapidly than at any prr^vious oine m history.
63
^-
Though this has had many effects, good and bad, it has meant that airlines can no longer
^u'"^^ a common pool of shared experie»>ce in their new pilots, ll-.ev must thfcrcfore develop a
shared adherence to their desired standards through new-hiie training, initial operating experience,
ana continued training m line operations. Airlines have alwavs rehed upon their captains to
conduct much of their training, and the system has worked well, but airline expansion ha<! also
meant that pilots progress much more rapidly to captain sutus: tor thi.s reason, captains also may
have less expenence than their counterparts of a decade ago. These factors, rapid prorre.ssior,
through different seats and different airplanes, and other ivlated factors pose another threat of a
Qitferent sort to operational safet>'. The NTSB has commented unfavotablv en the pairine of cr^w
members, both with very limited experience in the aircrati being fiown. in several atxidents
notably ,i Conunental Airhnes DC-9 takeoff accident at Denver (ref. 88) and the US Air B-717
taiceoti acciaent at LaGuardia Airpoii in ?Jew York (ref 89j.
Experts solve problems quite differently from novices (ref. 90). As we trail a more
heterogeneous population of air carrier pilots, we must also train problem-solving skills, a topir we
have tended to take for granted in the past. In particular, it will be necessary to crain at leasfsome
o. the new entrants in probiem-soadng under time pressure, a t^sk for which cockpi' rroccdures
trainers and more capable simulators are well-suited. "
Each of these factors makes rule-based operations a virtual necessity; rhe imiKJsition of
standard rules^and standard operating practices can do much to maintain unifonr^ operating
standards in a diverse group of people. Benigcr pomts out. however, that while "piDgrams control
by detenmning decisions , Godel's incompleteness theorem says that in any formal system there
exists an undecidable formula and that the consistency of such a system is also undecidable (ref
• ALnS'n f^ifif' '^'""k'^' the "de-skilling" effect of automatizing behavior and derides the
American fallacy of the one best way" (ref. 92).
K^.K^^"™^" ^ "°' automata, and it was noted above that pilots, in particular, persist in behaving
both liKe operators and managers. Too much reliance on rules produces both a decrease in
mcenave and over-rebance or. set behavioral formulas in an environment in which the unexpected
can be confidenUy predicted to occur. The point of this is that while standard operating procedures
are necessarv' and desirable, they cannot in all circumstances be considered aVubstiiute for what
our Bntish coUeagues call "aumanship": the ability to act wisely in tiie conduct of flight opcratior^
under dLfficult circumstances. ^ i^ onui..
TRAINING
^
Figure 42: Training t? sssentiaJ for uiiif«Tnly effecUve performance.
Training is expensive and time-consurning. Trainees must be pa-d while in training time
spent in training is lost from production, and a trauiing staff must be riointaincd. Air carriers have
6-4
AMM
JJ.
;^ j;,"^'i''''r7f ^J* '^^^^ ^? "^"^^ ^""^^^ ^« ^'hi^e improving the quality of their training
programs; the FAA has recently issued a major revision of its ^licies reg^ding tinning (^rQsf
Nonetheless, a less expenenccd. more diverse pilot population ^now the object of^Sie SnS'
aL students must be brought to airli-e standards (figure 42). The iritriluctioT^S^adirii'
automaaon does ,u>i reouce training requiT^ments; on thf conaaA'. pilots Sno^°ea?i to ooeSe
very cotP^pIex auton^tion as well as the other airplane systexZ^fr^unmg :;inager^^ a^^^^^^
phots have expressed concern about whether training time fonxierly devoted to T'?,Drr;vinp
^^:^^^ss'?r^^!r '''''^' ^^^^^^^ -^ibout^^i^^sSs
CHmer'nHnTfo?i'r"^ff? '^'^' '"^^""'^^ automation may be able topemiit the selection as air
fr nft^r. li ? ' S^ahflea persons tnai. have been required heretofore Indeed in o her
ndustnes employing advanced automation (notably the nuclear power industry ■ operators^iSour
advanced educauon and experience have been the rule. In aviarion however 'tlSeS?b^ennr
tendency thus tar to take this approach, and the need for pilots and aL-trTiccot^ Poller ^h4.
nSSl'^'tn^, manual siciils to their jobs has not lessened. Ex^rin^emS^^^^^^^^^
S>xDrelt^;-LTcWM f "^^^ P'-^°-' '" '^'•'^S ^^^^^"^ ''^"g ^» 'h^*^ Ssks a high degree b^Ih
ot expresMvit)' ,socia. skills) and mstrumcntaiiiy. or task orientadon (ref Q5) One threat D<^<;pdhv
tt,t!llt:%7TV: ^^^ " "^y ^f' }^^S' too simple and rSy remove f^rS'fi^>?ng the
prolS'ion nowoffer^ro'^^^^^^^ ""' '^"f 2' ^" '^go-g^adficatior. and job satisfaction '^haf he
K ng else ^ '' "^'^ ^^ ^^'^"^ ^^"^^ •""" ^^^'^^ ^ ^-yi^g fo^ « living than doing
65
^m
^mtUtO^
IV: ATTRIBUTES OF HUMAN-CENTERED AIRCRAFT AUTOMATION
Introduction
In a landmark paper ii^ 1980, Wiener and Curry- discus: ed **Fiight*Deck Automation: Promises
and .^ob'eir^s'' (ref. 35). They p*oiatcdout that even at that titrje, the quesdon was "not whether a
funciion cart be automated, but whether it should be, due to ihe various human factor questions that
are n ised/' They questioned the assunnpaon that automation con eliminate human error. They
rvainird out failures m the intcrdction of humans with autouiation and in auiorn^^tion itself.
MUO-
MONfTOR
FUMCnOMS
COMPOTEn
MONfTORiNG
PILO"^
CONTROLLING
• BOREDOM
-COMPLACENCY
• tROSiON OF
COMP^SNCe
MANUAL- 5
, MANUAL AUTO
' HiGH WORKLOAD CONTROL FUIIC7IONS
lliey discussed control and mon-
itoring automation and emphasized
the independence of these two forms
of automation (figure 43j; *'it is
possible to have various levels of
automation in one dimension inde-
pendent of the other."
The authors then discussed
system goals anc design philosophies
for control ana -nonitonng auto-
mation. They viggested some
generalizations aboLi advanugcs and
disadvantages of automating human-
machine systems, and went on to
propose some automation guidelines
for the design ar'^ use of automated
systems in aircra. .
Figure 43: Monitoring and control functions
(re<Jrawn from Wiener and Curry. 1980).
It h worth i^calling Wiener and Cuiry's guideliL ^, because they foresaw many of the
advantages and d:sadv?jitages of automation as it is used tou y. Tlie following are abstracted from
iheir guideline statements.
CoTttrol iasks
1 System operation should be easily interpretable by the operator to facihtate the
^ietection of improper operation and to facilitate the diagnosis of malfunctions.
2- IXisign the automatic system to perform the task the way the user wants it done. ..this
may require user control of certain parameters, such as system gains (see guideline
''). Many users of automated systems find that the systems do not perform the
function in the inanner desired by the operator. For example, autopilots, especially
older designs,.havc too much "wing waggle" for passenger comfort when tracking
j^TOund- based navigation stations. ..Thus, many airline pilots do not use this feature...
3. Design the automation to prevent peak levels of task demand from becoming
excessive.,, keeping task demand at reasonable levels will insure available rime for
rnonitoring.
4. ...T^e operator must be trained and motivated to use automation as an additional
re^ >urce (i.e., as a helper).
66
5 . Operator, should be traiiied, motivated and evaluated u> monitor effectively.
6. If automation reduces task demands to low levels, provide meaningful duties to
niamtam operator involvement and resistance to disuaction it is ex«melv iSU^
that ain- additional d.mcs be meaningful !not "make-worn". """""^^^ important
7 . Allow for different operator -st>'les" (choice of automation) when feasible.
'■ styTeTof ol^TaS..^^"^^" P^^^"^'-^^ -^' '^ -----^ ^- 'i^ff-en: options, or
9. Provide a means for checking the setup and uiformauon input to automatic systems
Many automatic system failures have been and wiJI contmu? to be due^ s^tuo eC
ratner ±.n hardware failures. The automatic system itself carvSeck s'^me nfT.'
S"ipro%"'^=^="^'^^-^^-^"^-^"^^
'''■ onrtoTns'TSer^^^HS'^^^^^^ "°^^^"^ ^'" ^"^°^'^^«^ ^"^P^^"^' ^ot
omy lo insure proper operation and setup, but to impan a knowledge of correrr
o^rano. (to anomaly det^cfon) and Jlf„„cdo„ pLedu>S (forTgts^Tnd
MSQilsnngjasJc^
' ' ■ e'Scce'sslvel^t^aS;:). "^^^" ^^^^^^^^'^ ''"^'^ ^"-^-^ ^^^ t-havioral effect of
S^for^m^Sf Jf'^ T"" r°^^- ""' "'°"= ^^ °"«^ condition that can trigger the
a]am for a mode, must clearly indicate which condition is responsible for the Sai^
i:
I ?. When response ti.73c is not critical, most operators will attemor to check the validi-v nf
tl^T- ?°^^ information m the pro^ fonnat soXTSi vS^l chik Si? S!
^ntlfto1a'^lSr?.t^;s^ P^^^!f^ ^' «P^^^°^ with SSiS an^
controls .o diagnose die uutomaac system and warning system operation.
' ^' ^t^^'!!f SS'^1'«» >?1 possibly training hariware...» insm thai flightnrws
automation tntil the .LiifemS^ cSS JndetS^ wfrtL" h f"" ^ "^f,'? '^"'Mt
designins, atiaiyzing. and installing atttSfr ^ysKms"^, S^lS^^', .^T""' '='^' 5^,*°^
additional decade of experience and hindsight gu-oeiines with the benem of an
z^:
67
»;
Mi
Syslem Goa!s
Before consideriag guidelines for aircraft automation, it is wsc to remind ourselves of wha£
the aviatior system is alJ about, to consider how and why automation is necessary and bcnr ficial,
ajnd iD review those aspects of autoniaDLon thai may need improvement
Wiener ^.nd Cuirv (ftf. 35) ouUincd several sysiem gocd? from the viewpoint of the user
L To p-ovide a flight (from pushback io docking) with infinitesimal accident
probs^bility.
2. To provide passengers with the smoothest possible flight (by weather avoidance,
seiecnon of th^e least nubulent altitudes, gxadual turns and pitch changes, and eradual
aJtimde changes).
3, To conduct the flight as economically as possible, rninimizdng flight time, ground
delays, fuel consumpticn, arid wear on the equipment.
4 To minimize the effect of any flight on the ability of other aircraft to achieve the same
goals (e.g., by cooperation with ATC in rapidly departing altitudes when cleared,
freeing them up for other aira^aft).
5 . To provide a pleasant, safe and healthful working environment for the crew.
W c suggest a very similar list as the minimum which must be attained; we feci also that the list
must be sufficient from the viewpoints of all involved: the manufacturer, the airline, the pilots, the
air traffic management system, and the passenger. Not all (nor indeed any) of these participants
Will be saasfied with every flight, but aJi must agree in general with the goals of the system. We
believe these are the goals of the air transportation system:
1 Safety: To conduct all flights, from pushback to docking, without harm to persons
or property.
2. Reliability: To provide reliable transportarion without interference from weather or
other vcuiables,
3. Economy: To conduct all flights as economically as possible.
4. Comfort: To conduct all flights in a manner that maximizes passenger and crew
health and comfon .
These goals may obviously conflict; tradeoffs among them in operations as well as in design are
often required.
Safety has always been proclaimed by the aviation industry as its primary objective even at
the expense of the other goals. The Federal Aviation Act of 1958 (ref, 96) lequircd the'pAA to
control air carrier operations to maintain "the highest level of public safety," but even this term is
elusive. Taken literally, it can be read to require that any step that noay improve safety, no matter
how expensive or burdensome, must be implemented. Taking a slightlv less extreme approach,
the pmase could be interpreted to mean that any step that can be proven to increase safety udli be
raJcen. This is fairly close to the approach that has guided the industry in the past, despite
occasional unfortunate exceptions. Reliabilit), ccot^omy and comfort have Wn secondary goals
though they are critical to the survival of this critical element of the national economy.
68
Has aircraft automation contributed to the fuifdlment of these system goals? An examination
?i,!f r?v'"^^^''S'^^^ ^^' ^"H°^n and colleagues (rcf. 97) suggests that more highly automated
am:«ft have h^ substantiaJly less acadents thaxi earlier aircraft. Ten years after their iniixxiuction,
me Boeing 757^67 types have been involved in only one fatal mishap fTTiailand. 1991 under
mvesogauon), a truly remarkable recozd in view of the propensity of new types to accumulate most
of their accident expenence during their earliest years of operation. There have been fatal accidents
.though a very small number) involving oiher current- generation aurraft. but Lautmann's finding
oide^nee? ^^'^'' " ""^^ ^"^*^'' *'*^" ^^^ *^ ^"^'^' ^^^''' "^*^'' ^"^^^ ""^ ^'^^^ replaced th?
Nonetheless, the same study showed that some air carriers, nations and regions of th^ world
operate considerably raov^ safely than do others. As these other carriers, nation, and regions
become more prosperous and acquire more advanced-technology aircraft, will their safctv r^cotds
I'Jcewise improve dramatically? The infrastructure of aviation ui many ^as of the v^ofln^V
sorely lacking and it takes more than excellent aircraft to make an excellent safety record Will
li^^^ifr. ^^^^^^°^y t a^'le to compensate for deficient r^avigation aids and iirports-^ Can
automation Itself make the system more error-resistant?
n™f^^ reference systems and map displays certainly make an aircraft less dependent on
as?^1«L1^tST;^ navigation aids and improve position awareness, the lack of which is still
Sr^.?5njr appreciable number of oir earner accidents. Will such improvements, together
with satellite navigation systems, compensate for the greater complexity of advanced automation?
f];.>,?* Kf^PV ^^^ ^".in^'Proved; autoland-capable automarion has increased the number of
n^^&iis able to land at destinations obscured by very low visibility, and windshcar detection device
.^Semrv;?^ Sn 1^'"°" hS^"^ ^^^ "^^ "^^ ^^ ^PP^«"^ ^° P^^^^*- CoUision-avoTdlnce
Zrt^ } ^ ^?'^'^' ^^l^oonal protecuon against an ir)creasingly frequent hazard Will
improvements m aircraft automation be able to counteract, to some extern, the delay^rced bv
na'v^^S lZiZTf'\ ^' f^""''^ ''''"''■. Time-based CTour-dimens^na'l " or 4 D)
navigation, a probable featiue of the next generation of flight raanagemeni systems will at leas
permit us -o make most effective 'ise of the fixed volume of iirspace.
Economy ha.s been improved by flight management systems that can take costs into account
Srv'tS^'i^SS^^^A^^' "^"^^^ ^'^^ '*"!=^^ ^J^' ^ '^'^ computation, have Sen SS
sho^d^ m^rnv^ ^ at)^'"'"' "^ P«niit aircraft to operate on most cost-efficient profiles. This
should be improved by ATC automanon dunng the coming decade, as well as bv time-based
naviganon software in new flight ma«agement systems. '
Comfort has been improved by gust aUeviation algorithms in some of the newest aircraft as
well as by die ability of newer aircraft to fly at higher altitudes; comfcn in the cocS has^?o ^en
improved by better ergonomic design. Greater flexibility enabled by ATC amoSon^S^^ Sennit
pilots to utilize a wider range of options to achieve more comfortable flight pa^s "^^ P^""''
In what respects are we stiU deficient with respect to these system goals? It is not the purpose
^ff*\'? 'Sr'^"' '° ^^""^ ^•^^^ ^^ ^^^y '^^ accompUshed. but to examine what canl^ SS
affect further improvement, and in die introduction we suggested that further irnorove^nt k
clearly possible. Most of our accidents can be traced to the hurnS o^rS of t?f Xm Id
some can be traced to the interactions of humans with automated systems. We believe that m^rr
can be done to make aircraft automation more human-centered, but perhaps even more importiit'
Z^^^^Z'^^'ffT'^ ^jnnation can be designed and used to make the svstem rfwhoS^S
resistant to and tolerant of human errors in the design, the implementation and the oDcSiiS^
h?.'^^''T;- ^"^ H« ^^^i'-^l^ccordingly emphasi^l this aspect of automatiorone tKe ?hiii
has received less attention m the past than it deserves. » ^ i<iai wc -uiut
69
Attributes of Aircraft Automation
We will discuss here several a^mbutcs that human-centered aircraft automation should
possess. Our discussion of these attributes may seem anthronocentric. but humans are used to
thinking m these terms. If automation is to be ar. effective and valued member of the coclcpit
management team, u, like the other members of the team, should possess these characteristics
■bach attribute is named, defined, described and discussed briefly- Our first guideline mi^ht be
simply that human-centercd aircraft automation should possess these attributes iii proper measure.
The reader of this section must keep in mind that these requirements are not mutually
exclusive An automation sune that possesses some, or even maiiy, of these attributes may sdU be
a failure if they are considered m isolation during design, for severrJ are interrelated. As in any
engineenng enierpnse, it is necessary that the right compromise among them be sought The onlv
u ay to be sure that an effective compromise has been reached is the evaluation of the total svstem
m actual or simulated operation by a variety of pilots of differing degrees of skill. Such tesdre is
expensive and time'Consunoing; it must often be conducted late in development, under extreme
pressure to certificate and deliver a new aircraft on time. Nevertheless, it is the only wav to prove
the safety and effectiveness of an automation concept.
We are indebted to Fadden (lef. 98), who has pointed out that many of these attributes arc to
some extent bipolar, though not truly opposites. That is, increasing the attention to certain
attributes may require ie-emphasizing others. We will discuss these attributes, shown here in the
manner suggested by Fadden. Human -centered automation must be*
Accountable
Predictable
Comprehensible
Dependable
Error-resistam
<-
<-
<-
<-
<-
— >
— >
~>
~>
— >
Subordinate
Adaptable
Flexible
Informative
Error-tolerant
Accountable means "subject to giving.. .5^ justifying analysis or explanation/' In older
aircraft, automation executed acdons only at the specific and immediate instruction of a human
crew roember. Advanced automation, however, is capable of more independent action (modifyine
a cjunb or descent based on pre-dctenmined strategic objectives such as fuel conservation, cnterini
or eav^ng a holamg pattern, resolving a conflict, etc.). Automated decision-aiding or decision
making systems, already m development for transport aircraft, will suggest or carry out courses of
action whose rationale may not be obvious to flight crews.
i Automation must be accountable. I
It must infonn the pilot of ite actions
and be able to explain them on request
Figure 44; Accountability of automation.
70
lion
rfi ,n J?ii^"'^ '" command must be able to request and receive a justification for such decisions
(figure 44), This is a pamcular problem in aviation; there may not be time for the humanTomtor
^f?™S' ,^hj?;f .J^5/*t)le automaaon must anucipate the pilot's re<iuest and pravidf advance
'iSf.. K n^^^ '^°^,' by providing traffic advisories prior to i^^uinng action to avoid S
mminen nazard) or its rules of operation in a particular, annunciated circumstance must be Tn
tnorough ly understood by pilots that its acnons m that case are alxeady undSS^d aSeSt^ ft
Se expil^anorV '^''^^'''^^ ^^ '^<^^ explanation:, must be appropriate to the pilot's need for
In th'Se cSe^^ ^ B^Ss^carf.^^^.?"?"""' '^' action autonomously when certain failures occur.
s^S^ ff trmfn^^hc ¥k "»^-^""^^'°" regarmng the faults by examining the system
nrStJ.ii^ PfT"^- ^*^®y ""^"^^ '■""■^'■5* *« actions taken, if necessary, bv revertine to
manual operation of the reconfigured subsystem, though such action is not encomaed As mn^
autonomous systems are introduced, however, it may^bc increasingly ScSh for Stsio kS
track of what the airplane (or its automation) is doing, and incrlasinglv d y^uirS^h^^
bipolar attribute of accountaoiluy is subordination, to be discussed beiow great care must be takeS
to insure that this cannot ever become msubordination. The 2001 "h2" sS^m?^ Smost v^!S
S^pSiXgr^l^W'or '' "" "^^^^"'^'^ philosophically as long as human^oj^^rrrerj;
of hump's «;f "^'^ "P^^'^'* "" °^ occupring a lower class, rank or position " Our definition
t^r? :^''^T1^ automation requires that the automation, while aTimportant t^I rSn
suborxunate to the human pilot or air traffic controller, who mus remainTn ^oSid (fi°^ 4?)
Automation mu^X be subordirv^te,
Exoep! in pr^KJefined situations, it should rmmr assume command
In those situations, ft must b9 abte to be countermanded easily.
Figure 45: Subordination of automation
There arc situations in which it is
accepted that automation should
perform tasks autonomously, as
indicated above, xMore such sit-
uations will be proposed for imple-
mentation in the future; in particular,
it is expected that ground proximity,
traffic avoidance and windshear
advisory systems will be provided
with the means to act independently.
Other similar situations are likely to
be proposed in future, involving the
interaction of aircraft and ATC.
Should these be permitted?
^Ve have sw;n cases in which automation acted in ways not expected nor desired bv Dilots In
one case, aircraft occasionally turned toward the outbound rather t£n the inboSd^a^k of an n ^
oc^^er In another, a paiticular automation mode pemiitted descent at?ieX^sr^Iw
to safe nunimuiii operanng altitudes. As automation becomes moie self suSrS^
complex, It will be mcreasingly diff. alt for pilots to remain aware of ^fSns S tSn
aiuonornously and thus increasingly difficult for them to be aware of exactly whaS^^^
doing and why^ Such a situation will tend to compromise the commrj aX^^rrnd
responsibility of the human operators, but more imponant, it rnay iean^^m to a no^^,^^
extreme distrust of thei. automation, which could corSpron^i^ St^^^^^^^
^^^^"".^?'^^ ^TZ!"^' ^P^^^ '^^' P"^^^ ^^ highly automatc§^Sre4ft fx^^^^^^^^
What s u domg now? Why is it domg thaf^" (ref, 99). These questions should notte ne^s^s^^
71
MM
AHUifa
Automated systems must be predictable.
INPUT lj MNPUT2J f INPUT 3)
Predictable is defined as "able to be foretold on tlie basis of observation or experience " It
)s an important chaiactenstic; recent occurrences in which automation did not appear to behave
predictably, i.e.» as expected by pilots, have led to major repercussions due in large oan to
aviators ^ inherent distrust of things over which they ao not have control. Sorr-e of these
occurrences are cited above. Here again, the level of abstraction at which automation is explained
or at which n provides explanations, is critical to the esublishmem and maintenance of trust in it'
Ilie third quesuon too often asked by pilots of auton-^ted aircraft is *^liat's it going to dc next?"
As automation becomes more
adaptive and intelligent, i: will acquire
a wider repertoire of behaviors under
a wider variety of circumstances.
This will make its behavior more
difficult for pilots to understand and
predict, even tiiough it may be
operating in accordance with its
design specifications. It will also be
more difficult for pilots to detect
when it is not operating properly.
If such a system is not
predictable, or if it does not provide
pilots with sufficient indication > of its
intentions, its apparently capricious
behavior will rapidly erode the trust
that the human wishes to place in it.
Some automated devices in aircraft
have simply gone unused because of
this mistrust. Altitude capture
rnodules in some high-perfbnnance
aircraft have appeared unpredictable
because their [ ;gh rate of approach to
a selected altitude has not provided
rlie pilots sufficient confidence that
they would stop the airplane's climb
at the selected point, even though tliey
were functioning properly — until
disabled by the pilots in attempts to
slow the rate of climb, which negated
the capture function (refs, 62, 100),
Advanced automation must be designed bodi to be, and to appear to be, predictable to its
human operators (and these are not always the same thing, which is why explanations may be
necessary) (figure 46). As noted earlier, when digital computers fail, they may do so in quite
unpredictable ways; the difference between these failures and their normal behavior must be
immediately apparent to the pilot
Adaptability (discussed below) and pre-dictability are, m a sense, opposites, in that highlv
adaptive behavior is liable to be difficult to predict The behavior of the human organism which is
charactenzed by a very high degree of adaptability may be difficult to predict (ref, 70) a fact that
we constantly try to overcome by training, standard operating procedures, line and proficiency
checks and a vanety of other safeguards. This suggests the necessity for constraints on the
adaptabibt>' of automation in a context in which the human must be able to monitor tl*e automation
and detect either shortcomings or failures in order to compensate for its inadequate behavi*3r
Figure 46: Predictability of automation.
72
c. "^^Pf^J^^^^ used here, means "capable of being modified according to changing circum-
stances. This charactcnstic is a^xady incorporated in aircraft automation: control laws iLy differ
m cuxferent speed regimes; certain alerts and warnings are inhibited during takeoff, descent or
approach; some displays are reconfigured or de-clunercd in specific circumstances- some
mtormacon may be unavailable either in flight or on the ground.
Automation should be adaptable. I
it should be confautBbie within a wide
range of pilot prete'-erices and needs.
Figure 47: Adaptability of automation.
airci5!?fL?^'47TVrc ^I'T'^ ^''^' * '^""^^ °^ °P^°"' ^°' '^°"»™^ ^'i management of their
mrcratt ^figure 47) Tms range of opuons is necessary to enable pUots to manage ^eir workload
nt' «'?''""' of diffenng levels of proficiency, and compensate for fatigue, S^tio^sTX;
rZTrH T^'' "'''''''''"• ^"^ ^^' ^-^ automation tfuly acts as an Lutional merSber o°^e
receivS bJ^ SRS^^JQTfT'mn h'"'"^!^^^ '' ^^ ? ?* '''^' attributes). An incident irpon
^nmarh inc^H^ t^r ^r , ^ ^01) dcscnbcd a wide-body aircraft which was turned onto final
!E!^«i ^ ^^l final approach fix with autopilot in control wheel steering mode and
autodirottles engaged. Dunng the flair, at 10-20 feet altimde. the airplane seamed to "h^ir the
Jf..i,? ^^^'fl^^l "^^ ^"^ "31*' <^4 degrees nose-up) and on touchdown the tail cone aid ^'
fuselage contacted the runway. The autopilot had not been disengaged prior to touchdown and
none of the crew members had noticed that the airplane was stiU teing ^ided by mS inpms
SSe!,?£ ""TT^ "'^i "?'='; ^ ^ ^^' column-to-controls mSlT Some^a^SSeAXve
o'^oJTs'avaiSKSS:^'"' ^"^""^ '^ '^ newly-dehveied aiiciaft to lessen the iSgt^f
.ir^ft -"""*'*' Of a range of options is enough? At this point in time, control automation in some
aucraft requires only mana^eoiem by exception. In an earlier section, we have asked whethe^^Tt
would be wiser, m order ic* maintam pilot involvement at a high level, to requiitt management bv
consent with respect to com-rol tasks. We have also asked whether the caSbiiitTfor unSted
manual control should be a ^.^uired option (and have pointed out that this option is foiSlSIn
some flight phases by at least one flight control system) lureciosea in
Adaptability increases apparent complexity and is shown above contrasted with predirtabilitv
to emphasize that extremely adaptable automation may be relatively unpredicmblTin c.mh
S'^iTrS^LS'M^T ^' ?"''^Pl«.of human-centered automation states SaauJoSon
must be predictable, if tnc human is to remain in comn:and
73
mmam
Comprekensibh is "intelligible." Many critical automation functions are now extremely
ccmpiex, with several layers of rrsdundancy to iFisure that they axe fault-tolerant, is it really
necessarv' that the human operator understand how these functions are accomplished or will
simpler models suffice to permit humans to lemain ir command of the functions (figure 4S)?
Automation must be comprehensible
Automated system
Figure 48: Comprshen&ihility of auiamation
It has been noted Lhat n-aining for advanced automated aircmft is time-consuming and
expensive, and that much of the extra training time is spy^nt learning about the automation. If
simpler models that still permit reversion in the case of failures could be devised, they might rtsult
in training benefits. It should be remarked, however, that while automation can be used to make
complex functions appear simpler to the pilot, the consequences of failuie modes can appear highlv
unpredictable to that pilot unless the modes are very thoroughly considered in the design phase.
Simplicity has not been named as a necessary attribute for human-centered automation, but
it could well have been. It is vital diat systems either be simple enough to be understood by human
operators, or that a simplified construct be available to and usable by them. If a system is simple
enough, it may not need to be automated. If it caimot be nnade to appear reasonably simple, the
likelihood increases that it will be misunderstood and operated incorrectly.
Technological progress is often equated with increased complexity. A careful examination of
any reasonably capable vidco-casette recorder wU support this assertion and indicate how far we
have yet to go to make high technology intuitive and simple to operate. It is worth noting that new
technolog) has had to be developed to simplify the operation of VCRs and that many computer
manufacrarf;rs have provided several ''help" levels at vhich their machines can be operated. We
have not provided this range of options in aircraft automation, perhaps we should consider douig
so, at least in training.
74
m.
-^^ ■ ■ —^ ^— ■
Flexible -& tactablc; characterized by a ready abUity to adapt to new, different, orchangire
requirements. The term is used here to characterize automation that is able to be adapted to a
vanety of environmental, operational and human variables (figtiie 49)
; Automation should iae flexible
An appropriate range of control
and managemer?tc^>tions
should be availaU)l«.
Figure 49: Fiexibiiity of automation.
It was suggftsted immediately
above tiiat computer and software
raanufacturers have gone to
considerable efforts to n-!ake their
products smsple to operate by people
of widely diffe'ing sidll levels. The
term u:°d by the trade is "user-
friendly." Though overworked, this
term denotes a devace or application
that a wide variety of users can
operate comfortably and effectively
with comparatively little instruction or
practice, surely a worthy aim for any
human-machine system but one to
which, thus far, too iitde anenhon has
been paid by avionics designers. It
would be desirable to allow pilots to
tailor the degree of assistance they
wish under given circumstances.
Advanced avionics systems now receive nnuch of their knowledge base from periodic updates
by means of disks or cassettes. We believe they could as easily receive informatibn reganJUnTthe
pilots for a given flight by die same means, and that this information could assist in iSloring the
systems ano displays both to the preferences of specific pilots and to any limitations under which
.miif^v,^ T^^lS-^u^ ^"^^ (increased minimums, etc.). The cassettes could be updated
Un^Tii^ ^^''*' ^/^\ '^ ^'^J""^ * '""^"2 ^S^' ^«S' types of approaches conduct^, etc.
If nnprov^ monitonng of pilot performance becomes a pan of aircrafVautomation. a subset of
momioiwl data sabred on the cassenes after flight might also be of use to flight training depaxtments
in tadonng penodic trauimg to individual pilot needs. ucpdinncnis
This son of fiexibiliq^ might be of real assistance both to individual pilots and to companies
by easing tne pilot s cockpit setup tasks and also by improving safety thrcjsh more effective
training. It has been observed m military studies that pilots of advanced strike aircraft rarely make
use of nioie than a sub«5t of the available attack modes; by limiting die options that dvcy use pilots
n^f «?i'''?r,^ ^' P«lfi"*^"* '".^ei^ "se. Airtransport pilots may not need to be proficient in the
use of the fuU range of automation opnons, as long as they arc able to get the job done effccnvclv
under both nomaai and anomalous circumstances. The major reason for having a wide range of
automation options is to provide flexibility for a wide range of pilots wid, experience that varies
trom very litUe to a great deal and cognitive styles that vary as widely.
Flexibility was shown above as bipolar with comprehensibilit)-. Give:. Lhz tendency to an
mverse relanonship between these variables, comprehensibility must .lot be sacrificed for
flexibility, because the abdity ot pilots to understand dieir automation is central to their abilitv to
mamtain command. But Jcy can be given more help in understanding it and in manipulating ii by
tne means used m otiier fields. Providing that help in recognition of differing needs and sty W
atnong pilots can help to improve die error resistance of the total system b> pe^tring individual
pilots, widim the constramts imposed by flight operations, to conduct dieir tSks in ways that^
most comfortable tor them. "^ ' ai tus.
75
-•,,.%
Dependable, as used here, means **capable of being.. .rrUf4 upon or trusted*' (figure: 50) In
a cooperative human-machine system, the issue of trust becomes paramount- Pilots will not use,
or win regard wth continual suspicion, slp.v aircraft device or function tbat does not behave
reliably, or that appears to behave capnciously. This distrust can become so ingrained as lo nullify
the intended puTX)se of the designer. I: may be wiser to omit d function entirely, even a strongly-
desired function, ramer than to provide or enable it before it can be certified as rehable. This issue
came up dunng mitia.^ implementation of GPWS. It has recently surfaced again as a renih of a
small number ot apparently paradoxical resolution advisories provided by TCAS-IL leading some
members of the comm=jnity to suggest that the resolution advisorv' mode of die system be drsabied
undl its aJgorithrns are made fully dependable under all circumstances.
Automation must be depenoab^e.
It shouta do, depondab!/, what it is ordered to do
It shocid never do whai it is ordered net To do.
ft must never make the situation worse.
Figure 50: Dependability of automation.
Another example of undependable automadon was cited above, that of th^ localizer capture
mechanism which occasionally directed the aircraft to turn away from, rather than toward, the
landing runway during the captiae process. From the pilot's viewpoint, xt makes little difference
whether such behavior is caused by the hardware, a software error, or ^in improperly-defined
function; the net effect is a deterioration of trust.
Dependability is of panicalar importance with respect to alerting and warning systems. We
have observed before d\e problem of '"false alarms*' witii early ground proximity warning sysrems
and the tragic results due to mistrust of iegitimaie warnings by those systems. Unfortunatelv, any
increase in the sensitivity of such a warning system will be accompanied by an increase in false
warnings, a decrease in sensitivity will be accompanied by an increase in failures to warn when a
warning is needed. Increasing the complexity of the algorithms to miraxnize faJse warnings while
increasing sensitivity is accompanied by a decrease in reliability or dependabihty of the system,
This dilemma exists today with regard lo TCAS algorithms, already very complex, in the face of
large numbers of *'naisance" alerts in certain congested terminal areas,
Dependabihty is shown as bipolar with irforraativeness* discussed immediately below. If a
system were perfectly dependable in operauc n, there might be no need to inform the pilot of its
operation. Perfection is impossible to achicv-, however, ard thf. informadcn provided must be as
nearly foolproof as possible, bearing in mini that each increase in information quantity makes it
more likely that the infonnation may be crissed, or even inconect. Simplicity of systems brr^cds
df^pend ability; when faced with a diiemn a such as this, any system simplification that can be
achieved will probably pay dividends.
76
UH
hvr^f'^^^^T''^')'^''^^"^ is Simply the condition of ^imparting knowledge/^ Our fct p-incinles of
hurm.;-centered auromation state that the pilot rr.ust always have basic Sfor.mdoM W § l /^
Autonnation rnust keep the pilot inlormed^
What is the airplane doing^ -^
What is the automation doing?
Have i any problems? -^
Whiere am
Where dc i <
When do I do rt^
Figure 51; Informativeness of automation
i m^ys jmvc pri.uicraica, ana tnat Jiis is not aii unmixed b essme Tht^ nilm^: r\f m^ a'-i-ia
can r'^ri^S '"f"™*""" 'se^agh'' Ho»- mui.h iFifomauon is too much'' Pilots wajii aU thev
suppt^sston dunng a,dcal fltsh, ph»^,): a stj; a,«,an, m^^ilJ,°co,iv?vXonaltS°''
77
Error resistance: Ideally, aircraft automation should prevent the occurrence of all errors, its
own and those of ihe human operators. This is uoreaiisnc, but it is possible to desigri systems to
oe as crror-resistajit as possible, bothi with respect to their own errors aiid those of the operator.
Resistance is '*an opposing or retarding force," a disi^^finition that lecogmzes the relative nature of the
phenomenon. Resisiixnce to error m automation itself involves internal testing to determine tihat the
system is operating within its design and software guidelines. Resisunce to human enor is inortt
subtle, it may involve comparison of human actions with a template of pemrntted actions, a
software proscnption against cenain forbidden actions under speci^^^ed conditions, or simpl> clear.
uncompiicated displays and sirriple, inuiitive proceiiures tomininiize \i\t liJkeliho-xl of errors.
1^ AutoiTiation must be error-resistant.
It must keep pilots from committing
errors wherever that is possible.
Figure 52: Error resistance of automacon.
Auromation of unavoidably complex procedures (such as fuel sequencing and transfer among
a large number of widely-separated tanks to maintain an optimal center of gravity) is necessary and
entirely appropriate provided the human is "kept in the loop'' so he or she understands what is
going on. The system must be able to be operated by the human if the autoniation fails, and it must
provide unambiguous indication that it is functioning properly. Guidance in performing complex
tasks (and fuel balancing may be such a usk) is helpful, whether it is in a quick reference
handbook or in the form of an electronic checklist. Prompting has not been used as effectively as it
couid be in aircraft hi;m^r*-system interfaces.
Questioning of critical procedures (those that irreversibly alter aircraft capabiiities). cr
requiring that ciitical orders be affirmed by pilots before they are executed, can^be additioral
safeguards agunst errors. These queries can also be automated, either by thenvselvcs or is part d^
a procedure?^ monitoring module which compares human acdons wiLh a model of predicted acaons
under various circumstances. Such models have been d.£veloped m research .settings (ref 102).
78
frecu^cvM^r ""^iTlm^T' '"^ '""""f ' apparently random, unpredictable errors with some
uequenc> (rets, 70 and 103); it :s c.xtrtmely unlike y ih?t dcsieiicrs w5!l ever be ahl- ♦-. ^^v^e^
b> ^•hi.h Pilots can detect the laci that a ha.-nan, or an automanor. error has orcirred Su'^h
u^arrung. must oe provided .n eno.gh time lo perrmi pilots to isolate : le en-or aiS a nean-. r^H
he provided by wriKh to correct iht error once it is found Where rhi< irnrrn n.th'r'X
consequences of a., action must be queried befonr the action itself ^ flowed Jo ?^^e^' ^^'
Error^ioUrance: Since error-resistance is r-iauve rather thar absolute there needs to he -i
pSi' rt-'nl^esS' a" 'tTn ^-^..^--^^-^-ng ^v.tcr.s to resis't e-^ors^'niucfa
poisioie, K 1 , nevessa->' d-., highly desirable lo make systems tolsrar.t of error Toieraicf rr,e3i<;
he act of aliov^ing sorrr :nin.- in this case, it covers the entue vanoclv of m'a.. ' tha'Set ed
to .nsure t.nat wnen an er or i. conuiv.tted, it is not allowed to jecDardi7.e sale^
jAutomation must be error-tolerant.
^^■'^•■.<*y.<-,;-^.K-C'j.,i.iiiji!^ ■w't^y;!%.C:
■'^^''V>^-ii!^Jk^msii<iiii^^
Si^lp^i ^^^ ^*^^'s wnl occjr. even in a hsghiy error^resistant svstem Wmm&\
:P|^^ AiitofTiation must detect and nitigati the e&cS'5^^ ppillt
Figure 53: Error colwance of automatiori.
As was suggested above, checks of actions against rx;asonablene<;s mt-rb ma„ k* .«„
for an au-crafUn the eastern hemisphere, a west^lon JiSe waJi^nt b^w?^^^^^^
clJi^fhi'/''''"^'^ ''°' appropnate. An attempted manual de^essunzSrof an ^mf ^ca^^^^
rSd'be-coSS^^S--— ^^
transporc, an action that has occuned at least tw.cf. is almost cei^Lw-^^T^^^^^^ Sl^mTSI'^
Given uhar u is impossible either to preven* or to tran all nr^^cihi^ h.,^^,.
79
?a!fnc! -I'l^n • ^^'^f 5*' '''*"^*^ ^^ ^ imminent threat to safety. The latter should be guarded
against regaitUess of their reported frequency. (See also Rouse, reference 20. )
Discussion of Attributes
^uJ^Z ^^^ K^^^ ^*^ '^T^ ^°^«^"^« ^ "<5^ opposites, 05 mig.^t be inferred from the bipolar scale
sr.own at Lhc beginrang of th s secaon; on tl.e contrary', they are complementary in evefy respect
rhn „f ^. ^^^ '' K,"l-''^^i^ ^'"^ necessary; many aspects of automation today incoiporaie both'
In? Ih^i^nf; ^'^^ili"'^'l"'-^'°^'f^"^ '' ^'''^^'- "^'^ °^^^ ^^^*^"^^^ ^-^ '"o^ neWly bipolar,"
and a balance must be struck amt ng them. ^
The attributes we have suggested are not mutually exclusive; Uiere is overlap among them Our
nrst principles suggest a rough prioritization where compromises are necessary. Ve have stated
nfLiJ!T^\^l '° ^ '" -'ommand, they must be informed. Accountability' is an importiint facet
of mforming the human operator, as weU as an important means by which the operator can monito
rtm^n H?Sd°^h?nrT^^°t Co'^P^hensibibty is another critical trail if the i^Trr^^fZ
<i^^ vl^ ft ° '^^ """'' ^ *^'! ^ ""^"^d without ambiguity what the automation is
doing. Each of these traits is an aspect of informativcness.
TTii^i'ISfn^^I^^^f T^ "^ interpreted to imply a system that provides information beyond the
rS h is^S^^E"" h' °^^^' *' cquipmei:t, though we do not intend this implication.
Sf^rSkoon afSf SJe??nH ^"°^ «P=«^oJ: ^ ^"fo?ned e^ectively of at least that minimum of
mtormanon at all times, and mfoimed in such a way that there is a very high probability that the
information will be assmiilated. In those cases where it may not be endiSy cIea?X a system is iS
obCi's ' ""^""^ "^ «Planation should be readily avail/ble if it is not^aliS^j Sown ?r fa^lj
Th JjJif ?>.^' "^^ ^^ ^^^!^^ dependability is degraded by the addition of more information
Though thi.. can be countered m pan by adding redundancy and error-checldnp the predS^^ v
anc comprehensibihty t>f the system may be degraded thereby. On the otb^r hS, weK how o
K?e"^s ^fl ;/l^^SS^:f ^^^^ control systems; ai^ hig&y reliable, fault-toTera^tttoSon
s> siems any less important ^ (See also page 95.)
thi.^\T"l^,^^II!i1f'^'^ ^'"^ adaptability and flexibility are frills ratlier than necessities. To argue
this IS t aigue diat humans can be made to behave uniformly, and to a considerable extent thii is
indeed true, as demonstrated by the enormous success of the air transport ind^rtn, ThrjoVts of
producing inflexible systems, however, are considerable increases in tr^ning co.sts'to prcxiu- Lha
un^ormity m the humans who operatr them, and a possible decr^^ase in humli oirato?S"^ve i
nsky enterprise in an mdustiy that requires a high degree of human cognitive fle3bility^ ' "
The question of subordination has not loomed large until vei^ trendy and it should rot h.
contcnnous today, given that humans bear the ultimate responsibility for the safew of flUt
operations. Despite this assertion, which is agreed to by regulators iid the public alike th
thought mat the degree of independence of automation mav te a major battle ^S during Ihe
coming decade, as the ground clement of the air transportation system is automatexJ We^gue
simply that automation that bypasses the human operators will of necessity dimini^; TheTr
involvement ,n and theu abihty to command the aviation system, which in turn ^^^ dimfnk-n ^
ability to recover froin faUurcs or compensate for inadequacies in Lhe. automated subsystems" That
such madequacies wiU not exist or that such fail'.LT>:s wiii not occur must be proven cStTvclybv
automanon designers before t.ie aviation community can consider an alternative view.
So a balance must be struck, where compromises are necessary, they must err on the side of
keepmg the human operator in the loop so that he or she wiU be there when needed. This will be far
easK^r if he or she is there all Uie time.- if the pilot is helped to remain activelyimS^ved in ninn^ S
wjMl as abnomial operations. ExacUy the same statement can be made about tiie air traffic cSict
of course, ar,d about the desirability, if not the necessity, of maintaining and using^ cc cEeTs
ot communicati.on between them so that each can remain co '.ri^ant of the other's inLtions.
80
\J*
V. GUIDELINES FOR HUMAN-CFNTERED AIRCRAFT AUTOMATION
Introduction
,;., ".f "S ^"""^ ^^\^f -5^ ^^^'"^ ^^"•' requirements that can be applied to all human-centered
aircraft automation? We bciieve there are. though their "firmness' must be tempered by th.
impc.ccv state oi our Knowiecge of human behavior, by the compron-iiscs that zit. inevitable in th^
design process and by the constraints inherent in the aircraft cenification process. In this f-nal
secion, we wih set forth cenam guidehnes that we- believe flow from our review of nast a-d
present automauon and our best guesses as to the future of this technology. " "
It is necessary to remind the reader again that no attempt has been made lo cover the
engineenng aspects of human factors m tihis document. In accordance with the call of the A'r
iranspon Association, we nave attempted lo construct a philosophy of human -centered
automation. One definition of philosophy is "rhe pursuit of wisdom/' 'and while we ma J^
aSmmid to *' 'oySce° ''^^-^'^^^ we hope oui results will further the dialogue we have
Principles of Human-Centered Automation ^Genera! Guidelines
Kri.fTv^'fn'c^'^r''?' "^^ *^" ^^'*'''*' ^^*' '^'^ principles of human-centered automation set fonh
.h.^^ ^"°'' ^ ^°"^"^^^ 2 reasonable foundation upon which to build^ We therefore repeat
them here as general guidelines, with some further discussion of each of them, rpage numbere in
parentheses refer to .±scu£s:ons in uhis docun.cm. WC number ,cic. lo the VvirSr ;:rS C^^^^
guidehnes on pages 60 and 67.) ^.^ — ^.
• The kuman operator must be in command,
fuxnl^MJ^Tr '''''' ^^^^^ 7 '"^ automated en mute air iraiTic control system of the
f^^' \?^ Coiporauon stat^ unequivocally that even when die automated system is in
tu.. operation ResponsioiJity for safe operation of an aircraft remains with the pilot in
^o^S"'" f Responsibility for separation between controlled aircraft remains with the
We^wtv. .K^r^^ '' ^^^' '"^ '^^u^'^^ °' dominate by position; authority to command."
^^] fl A ^^^' ^ '"^ "^'^^ ^^^ responsibility for safe operation or separj^don of
djcratt, pilots and controders must retain the authority to command those operadons Further
uiere f Dpears to be no appreciable argument concerning this point The issues" relate to
wheth r pilots and controllers will have the authonty nec»,L-v .0 execute die t^sjinsSes
AT/-^^ Js a^'undamental rc:;ci -jf our concept of human-centered auiumation diat aircraft (and
\ A "-"■ -^^^;:e" ^*^s^s fo assist pilots (and controders) in carrying out their responsibilities as
stated above. Oar reasoning is simple. Apan from Jie statutorv responsibility of the human
S?,T'ttr^ systern automation is not infallible; lilce any o her machine, it is subject to
mmt Funh -r. digital devices fail unpredictably, and produce unpredictable manifestations
liiZl'- ' ^h""^'^" ' «n""^"'^^^ ^"'^"^^ ^^^^^~""g such failures, correcting d^ei
manilestauons, and contmuing the operation safely unul die automated systems can rt^urre
tneir normal functions. v-..uw.v
Since automation cannot be made failure-proof, automation must not be designed in such
Vn^' "^^ !' ^^"^ '"*'-^^" "^^ ^'^^'?'^ °f ^^ ^"^^^ operator's responsibilities, f^nVwSich it
follows that automation must not be used to configure the airplane or load the svsterr, bevond
human capacity to control and manage a if the automation f£ls. For a contrary concern sS
^^J'iS-TTf?''''' the MITRE report on page 57, which present a considerabiv ^f%4m
view of air traffic control automation. (See pp. 7, 12. 5"?.) ' "''"''^'"
81
To command effectiv^ely, the human operator must be involved.
To exercise effective command of a vehicle or operation, the commander must be
involved in the operat3on. Involved is '*io be d^'^v aV'; the commander must have ar active
role, whether ibm role is to control the aircratt (or traffic) directly, or to manage the human
and/or machine resoun^cs to which control has be«n delegated. The pilot^s involveiriens,
however, musr be consistent with his or her command rtsponsibilmcs; the priorities of the
piloting tasics remain mfiexible, and the pilot cannot be allowed to become pieocc pied by a
welter of detail. Automation car. assist by providing appropnarc information.
Modem aircraft automaiion is extremely capable; it has made it possible for the aircraft
commander to delegate nearly all tactical control of an opcraaon to me machine. We believe
that at least some of the aircraft tnishaps citcid herein can be traced at least in pist to the human
operators being too nemote from the details of machine operation; the China Air 747 mishap
near San Francisco is one example. We suggest tha^ human- centered aircraft automation must
be designed, and operated, in such a way thai it does not permit the human operator to become
too remote from operational details, by requiring of that operator meaningful and relevant
tr;ks throughout the conduct of a fight, (See pp. 28,30, WC 6.)
To be involved, the human operator must be informed.
Without information conccniing the conduct of an operation, involvement becomes
unpredictable and decisions, if they are made, approach randomness. We have suggested
what we believe to be the minimum amount of information necessary to apprise the
commander of the progress of a flight operation. The level of detail provided to the piici may
var>\ but certain information elements cannot be absent if the pilot is to irsmain involved, and
more important, is to remain able to resume direct control of the aircraft and operation in the
event of automation failures.
On the other hand, too much information concerning the conduct of the operation can be
at least as dangerous as too little. Both the content of the information made available and the
ways in which it is presented must reinforce tiie essential priorities of the piloting task; in
particular, situation awareness must be supported and reinforced at all times, (See pp. 14, 16,
TV Vu^ 1 ^' /
In automated aircraft, one essential information clement is ; ^formation concerning the
automation. Just as the pilot must be alert for performance decrem*. nts or incapacity in other
human crew members, he or she m.ust be alert for such decrements ii automated systems thai
are assisting in the conduct of the operation. This leads to the requirement that:
The human operator must be able to monitor the automated systems.
The essence of command of automated systems is the selection and use of appropriate
means to accomplish an objective. The pilot must be able, from information about the
systems, to determine Lhat system performance is, and in all iikeliliood will continue to be,
appropriate to the flight situation.
To monkor, or "keep track of/' automated systems, the hunran must have access to data
concerning the functionality both of the hardware in those systems and of the software that
instructs them. Because of the difficulty of verifying software while it is functioning, most
fiight-ciitical automation involves eittier duplicate (or triplicate), or dissimilar software
performing the saiiae task in different processors, usually with a comparison module that
indicates any differences in the results of the calculations performed by the two units. Some
triplex systems conduct continuous **voting*' to insure continued function; anomalous rtsults
in one processor lead to its exclusion from the operating sysiera
82
in most aircraft systems to date, the huinan operator is informed oniv if there is a
discrepancy l«tween or among the units responsible for a particular function or a fa ikri of
those units sufficient to disrupt or disable the perfonnance of the function Kse ca eTthe
Geia> It -s neces.Ar>' that the human operator be provided witi; information concemins the
operations to d^te if these are not evident from the behavior of the aimlane o^ vftirr
controlled. Ic s thus necessary that the pilot b. aware both of th/funcnon%Tdy4ncaon o^'
the automated system, ana of the results of its laoors. on an ongoing basri^^h. dHo^^s Z
Automated systems must be predictable
airoiIeS!rh.'1'f?i??r'f " '"^ "'*' ^"^ "°' "^ "'^^' "^^ P'^°*^ "°"st be able to predict how the
SSr^ . L. '^'^'^ K"^^' automation, not only at the time of selection but^ueho^t the
r, ,.c,^.£!^°^' '""v' monitor automation against the likelihood of failures as we assert thev
n-1 ,1^^^^*^""^^ ^^* ^^ "°"^ behavior of automated sysf^ms be predictable and rhat fh^
The cutomaud systems m-M clso be able to monitor the human operator.
maKing all cntical elements of the aviation system redundant, ilioueh new technololx. k vriii
detect. Desigmng warning systems to detect failures of warning synen/s ca^ te^ fnSt«
chain, but It is necessary that we recognize the human tendency "o i^K S?n iS^aMe^.tf rr
and consider how much additional redundancy is required in essinSj'alertng system' '
We also believe that information now resider.t in ilieht mana«T«.mpnt an^ «»i,«, • r
computers can be used to monitor pUots more comprehens vS^K^^^^
83
they were committed. This would seem to be a productive area for error-detection modules,
and thert: are several others which arc mentioned herein. Research should be conducted using
accident and incident data to determine other areas iv which errors are common or have
panicalariy hazardous imphcanons, and ways should be devised to detect such errors and aien
piiois to their presence.
The most difficult task, of course, is to monitor pilot cognitive performance and deciiuon
milking. When a pilot consciously decides to do nothing, his decision cannot be differenriated
from a failure to do Gomethiag. Further, advanced automation has made the need for
decisions and actions infrequent during cruising fiighc. The advent of extremely long haul
aircraft has emphasized the problem of moniioring human aienness and functionally. This \t^
the motivation for our emphasis on keeping pilots involved in a meaningful way in the
operation.
Thei^ is no way to make the system totally foolproof, and each additional piece of
hardware or software has a potential decremcntal effect on system reliability, but as we
pointed out in our discussions of error resistance and error tolerance, a layered defense against
errors is essential if we are to make the system as foolproof as possible (See pp. 32, 78-79,
WC90
Each element of the system must have knowledge of the others* intent.
Cross- monitoring (of machine by human, of human by machine and ultimately of human
by human) can only te effective if tlic agent monitoring understands what the monitored agent
is trying to accomplish, and in sonrte cases, why The intentions of both the automated
systems and the human operators must be known and communicated; this applies equally to
the monitoring ot automated systems by pilots, of aircraft by human controllers on the
ground, aiid of air traffic control by human pilots in flight. Since humans arc so much more
versatile than any nriachine, uldraate responsibility for monitoring of human behavior rests
upon the other humans in the system.
Under normal circumstances, pilots communicate their intent to ATC by filing a flight
plan, and to their FMS by inserting it into the computer or calling it up from the navigation
data base. ATC, in turn, communicates its intent to the pilots by granting a clearance to
proceed; data link in the near future will make this information available to the FMS as well.
The MITRE document referred to above mentions specifically that "Information on aircraft
flight intent can be sent from aircraft to the ATC system so that conflict prediction and
resolution capabilities of AERA use the best data available'* (ref 80). The document is silent
with respect to communication of intent in the other direction, however, and such
communication must be a two-way channel.
It is when circumstances become abnormal, due cither to environmental problems or to
in-flight emergencies, that communication of intent among the various human and machine
agents becomes less certain. ASRS and other data provide evidence of the frequency with
which the handling of an in- flight emergency may lead to other anomalier in the system, most
commonly involving aircraft other than those involved in the emergency. In one study, the
handling of in-flight emergencies led in approximated one-third of cases to another problem
(ref 85).
It cannot be stated with certainty from the ASRS data that communication of intent would
have avened these secondary problems, but it seems likely that it would have prevented some
of them. Further, the communication of intent makes it possible for all involved parties to
work cooperatively to solve the problem. Many traffic control problems occur simply because
pilots do not understand what the controller is trying to accomplish, and the converse is also
true. Finally^ automation (or ATC) cannot monitoi pilot pcrforaiance effectively unless it
84
havel^'iirSl^ir.lr^ «,^- - -^ add a few other .uideii.es of a general nan., wh.h
• Functions should be automated only if there is a good reason for doing so.
a'^areness' Wouid^oV doing io tnn^^^^^^^^^^^ '"'P'"^'"" P^^°^ capabilities or
abilicv to remain in comnand^ We t w! i ' So? ^^"^"'^«"'eni, situation awareness, or
to the consideration ot^^H^. et.?nt o/ali^^^ L?^^^^^^^^^^^^
unde^cSfSrconddSnTuT^^^^^^ ^'T^ ^" ^^^^^^^^ ^^ ^ "f-™«l
below-average abibtv Yet these ^ni?5^vr^° ''^'u^'^^ '"'^ distracted pilots of
needed. W? u?ge Sat s!mpl?citrcEt^iL fn^^^^^^ ^^""^ ^'^ ^^^^^« Wbe most
autom;aondesi|.l forthcTw?] m^^^ a.^O"g the cornerstones of
strictly speaking^ i; n° t Sie nmvircf of h. ?. ^"^ "'°'' ^^'^^'^^^ ^°°' '^^"gh training,
design of cockptt sy?temTa?noSwlnecf S'J^'^ "^"" be considereiduring the
60, 63-65. 74, 78-79 WC? 10 150 ^'^" '" ^'''''^'''- ^^" P^' ^ ^' ^•''' ^^' ^9.
Guidelines for Kuman-Cenlercd Control Automation
automation. We fo2 consider con^aSSSo^ '^'^'' ^"^"^^^""^ '°^ human-ceme^
• .^.r ^/2rr.e^nr^^^^^ ::%ni!ir;;ir' '-'-''- '- -' --^ *^
(Wr'^r^^.e^'S^Zo'^d'^m^^^^^^^^ r^^^ ^-ve the way pUots do
utilize automation that belW^ if a f^T^ L Z ' ^^T ^'^\ ^ ^^^ '^^^'^ »« accept and
they will be mo,^ Sy to ^^gnf^ ^^^f^ ^d perhaps more impSnant,
continues to perform. IS ^^^^nJ^^J^^Z T ^ Pf ^^^^^--^ ^^ the automation
automadon,pSalOT^ncipi;m^WsT«vrv^^^^^ ""^^ fault-tolerant control
usually does not chSge ^Whe^erTc^o^ Sl''""'^ ^"'"^^ ^^^^^^ behavior
the pilot informed alio n™o b^ coSJh ^ ^^""f^ ^^^nounced in order to keep
redundancy remains in SieSoSt^^ysSl^"'^^' '^ '^'P'"''^ '" ''^^ "^"^^ ^""'^tioni
failuJSiyTt'chlnr^So^^^^^^ P°^-^-^ hazard, m that its
Such failufes must \i ^^^lSnM^oLt^^n. "^t ^"?^'"? ^' ^ ^ ^^^'^ ^^""'iition.
active control of the macLre AuSSf sho M^^^^^^^^ '^'^ "^^ P'^^"" inmiediateiy i^sume
in charge"; niiots mustSv avk^'Vv/-. .f /h u ^'^'^' ^ '''"^^^" ^" ^^'^J' '"" one is
is for this reason Aa a3ot dTconne^K 1 .?,^,«^^^^^ delegated control to the autopilot. It
alerting signals. (See pp. 4. 19 24 "Tr^ usually announced by both visual and aural
85
■J-
Control automation should be delimited in its authority,
permitted to become insubordinate.
It should not be
Control automation should not be able to endanger an aircraft or to nnake a difficult
situation worse. It should not be able to cause an overspeed, a stall, or contact with the
ground without explicit instructions from the pilot, and possibly not then.^ if the pilot
approaches safe operating lirmts, the automauorj should warn the pilot, giving him or hcrtinie
to recognize the problem and take corrective action.
Some current electronic engine controllers withdraw engine power to flight idle
autonomously if an overspeed is detected, without regard to whether other engines are
operating. This feature cannot be locked out at present We would argue that this is
potentially insuix)rdinate automation.
The pilot should not be permitted to select a potentially unsafe automatic operating mode;
autcmauon should either foreclose the use of such modes or should aien the pilot that they
may be hazardous, and why, (Sec pp. 30, 71, 80, WC 4.)
Do not foreclose pilot authority to override normal aircraft operating limits
when required for safe mission completion without truly compelling reasons for
doing so.
Limitaticns on pilot authority may leave the pilot unable to fulfil his or her responsibility
for safety of tlight. A recent ASRS incident repon, one of nnany, underscores the need to
preserve pilot capability to do what is necessary; an abrupt 50' banked turn was required for
coliisior avoidance in an advanced technology wide-body airplane (ref. 104). There have
been several cases in which pilots have violated legal G limits; in nea.dy all of these, the
aircraft have been recovered, though with damage. These riiaaeavers v/ould not have been
possible had hard envelope limits been incorporated. We suggest that the "soft limits''
approach represents a way to avoid limiting pilot authority while enhancing flight safety. (See
pp. 21,29-30, 39-40, WC 7.)
Design control automation to be of most help during times of highest workload,
and somewhat less help during times of lowest workload.
Field studies of aircraft automation have suggested that it may appreciably lighten
v^orWoad at times when it is already low, while imposing additional workload during times
\*'htn it is already high, during climbs and particularly descents. While much of the additional
buixien relates to problems in interacting with the flight managCTrient system (see below), the
end product of that interaction is the control and guidance of the airplane as it moves toward its
riesnnaaon.
Avionics manufacturers have made appreciable strides in easing this workload by
providing lists of arrival and runway options at particular destinations, but air traffic control at
busy terminal? may utilize procedures that differ from those listed. In particular, "sidestep"
nraiieuvcrs to alternate parallel or converging runways are a problem in this regard, especially
if clearances are altered late in a descent. Easing such problems may require a beuer
understanding by ATC of what is, and is not, reasonable to ask of a highly automated
airplane. Given the congestion at our busiest tenmnais, however, ATC is likely to continue to
seek more, rather than less, flexibility and any short-sierm improvements will have to be in the
cockpit (see also management automation guidcUnes).
During cruise flight at aitirude, the maintenance of pilot involvement is important (see
above). Workload may be very low and should quite possibly be increased during long flight
segments. {St<: pp. 17, 28, 47, WC 3, 6.)
86
■ Keep the flight crew involved in the operation by requiring of them meaningful
and relevant tasks, regardless of the level of management being utilized by
them. "^
High ievels of strategic management h?ve the potential to decrease pilot involvement
beyond desLrable linuis. Control automation should not permit this degree of detachment, lest
the pacts \yt unable to reenter tlie loop in the event of its faiiwe. Keeping pilots involved may
require less automauon rather Lhan more, but involvement is critical to their ability lo remain in
command of an operatic r .
Much critical flight data is now accessed from lookup tables in aircraft performance data
bases resident within the FMS. (Cntical speeds for approach and landing are examples ) {f it
IS necessary to be more certain that pilots arc aware of these data, the designer may wish to
consider requinng that the data be either entered manually, or verified bv the pilots before
use. Thelatteropdontakeslesstime, butmay belesseffertive.
We have sugeested that requiring management by consent rather than management by
excepnon may be one way to maintain involvement, though it has also been pointed out that
**^ A T^^^ * ^* ^° ^^^^ consent from becoming perfunctory, and this must also be
avoided One way io assist may be to give more attendon to workload management, as i-^
suggested in the preceding guideline. (See pp. 28-29, 65, 94, WC 6.)
Control automation should be designed for maximum error resistance and error
to I erance.
Both automated control systems and their associated disolays should be made as enor
resistant as is feasible by designing clear, simple displays and unambiguous responses to
commands Thereafter, safety- hazard analyses should be performed to elucidate remainine
points at which etrors can be comn^tted. The designs should then be modified to incorporate
me highest possible degree of error tolerance as well, by prosaibing potentiallv hazardous
mstrucuons or by providing unambiguous warning of potential consequences that can en'-ue
trom an instiucaon. Accident and incident data should be reviewed on an ongoing basis 'o
idennfy xiKeiy human and machine deficiencies and these deficiencies should receive snec ial
attention in this process. *
Human errors, some enabled by equipment design, bring more aircraft to grief that any
other .actor. Error resistant systems can protect against many of these e-ors bu- it is
necessary to give pilots authority to act contrary to normal operating practices when necessary
ana tnis requires that designs also incorporate error tolerance. (See pp. 24, 56, 78-79, WC 1 ,
Control automation should provide the human operator with an appropriate
range of control and management options.
The control and management of an airplane must be safelv accomplished by pilots whose
abilities vai-y under circumstances that vary widely. To provide effective assistance to
whomever is flying, under whatever condidons, a degree of flexibility is required ^n aircraf-
automation. The aircraft control-management continuum has been discussed- probl-ms at the
extremes of this continuum have been indicated (high workload at the''ow end "of the
spectrum, possible decreased involvement at the high end of the spectrum) Tlie range of
control and management options appropriate to a given airplane must be wide enouSh to
encompass the full range of pilots who may operate it, under the full range of operating
conditions tor which It is certificated. (Secpp. 26-29, 73, WC 7, 8.) «> >- 6
87
Guidelines for Human-Centered Information Automation
It will have been noied that some of the guidelines above relaie to information provided to the
pilots as well as to the control of the aL'planc and its subsystems. It is not always possible to draw
a clear distinction between control and inforaiation automation, for all automation involves the
requirement to keep pUots informed. The following are suggested euidelines specificaliy for
infonnanon automation. " ^
• The primary objective of information automation is to maintain and enhance
situation awareness. All displays should contribute to this objective.
We have indicated (p. 77) what we believe are the minimum elements of information
required by pilots at all times. Many other information elements art also required in some
.oirn however (p. 16). The question is not whether these are needed, but in what form thev
win best reinforce the pilot's awareness of his or her situation and state. The remaining
guidelines m this section address this issue in general terms. (See pp. 23-24, 35, 42, 43, 63.)
• Assume that pilots will rely on reliable automation, because they will.
Once pilots have flown an automated airplane long enough to become comfortable with it
they will come to know which cc-trol and information elements can be trusted. Thereafter
most (though not all) pUots will become increasingly reliant upon the continued reUability of
mose elements and therefore less liable to be suspicious of them if they become unreliable
hor mat reason, the designer must not make flight-criticai information available unless it is
reliable (and must also provide the pilot with information concerning the status of the
automaaon as well as of the element cOTtrolled by that automation).
If information is derived or processed, the designer must insure that the data from whi-h
it is denved is also either visible or accessible for verification. If it is not critical information
tor a particular flight phase, make it available only on request, but insure that it remains
scccssioic
Future automated decision support systems may pose a serious problem in this regard if
pilots come over time to rely on the quality of the machine decisions. A poor decision may be
(See pp. 4. 37, 38-39.
much more difficult to detect than an aberrant subsystem operation
48, 76, 95, WC 15.)
• Automated systems must be comprehensible to pilots.
As automation becomes more complex and integrated, with more potential interactions
among modes, pilots must be assirted to understand the implications of those interactions
especially to interactions which can be potentially hazardous at a critical point in flight'
Systems need to be as error resistant as possible in this respect, for the iikehhood that pilots
Alii remember aU such potential interactions is not high if they are not encountered frequently
Ihe memory burden imposed by complex automation is considerable; infrequently-usoi
knowledge may not be immediately available when ii is needed. (See do 21 2'^ "'4 ^^ fS
74-75, WC 1, 12, 14, 15.) ^^' ' ' ' "' " '
• Alerting and warning systems should be as simple at. ' foolproof as possible.
Warning systems for discrete failures do not present a particular problem; whether
rcconriguratiort should be autonomous remains an open question awaiting experience with tiie
IVID-1 1 systems. The problem of quantitative warning sy.>tem sensitivity and specificity has
been discussed False or nuisance warnings must be kept to reasonable levels to avoid the
unwanted behavioral effects of excessive alarms .
88
/ j^\S^ " providing pilots with more informaaon than they need to know, we believe
(as did Wiener and Cuny) that it may be appropriate to provide pilots \^ith trend information
betorc a parameter reaches a level rcquaing action, to improve their awareness of a potential ly
senous siiuatioa. This serves the added purpose of increasing their trust of the automated
monitonng systems, We have suggested some ways in which trend information might be
provided on simplified system displays.
TCAS provides traffic alerts with respect to traffic that mav in the near futuic po<e m
imminent hasard, which gives pilots time to attempt visual acquisition of the traffic An
avoidance maneuver is advised if the traffic thereafter is assessed as a serious liTreat ^uch
systems in-^ease puoi involvement, but this can pose a problem under conditions of high
workioaa. li is possible that "low" and "high" sensitivities could be used during shon and
longer flights, or that non-cntical alens could be inhibited during flight at low altitudes a-- is
already done in newer aircraft.
When warnings are provided and response time is not cndcal, many pilots will attempt to
evaluate die validity of the warning. Means should be provided for them to do so quickjv and
accurately. ^
Warnings and alerts must be unambiguous. When common signals are used to denote
more than one condition (as are the master caution and m^ter warning signals), there must be
38^39" 44 45^48 76 WC^^^*'^ condition which is responsible for the alert. (See pp. 23, 25,
Less information is generally better than more information, if it is the right
information for a particular circumstance.
There is no conflict between our guideline of keeping die pilot informed and the
recognition that too much information may prevent the pilot from assimilating the most
important information. It is a matter of understanding what the pilot needs to know at a
particular time 01 m a particular situation. Cockpit designers have generally done a
commendable job of providing the most important information; thev have not always done as
wen in keeping that information at the forefront of the pilot's awareness or in reducine the
amount of non-essential information. ^
^ Uss information is generally beaer than more information, bat only insofar as no critical
eiement of situation awareness is neglected. Selective de^luttcring of pnmaiy flight displays
analogous to what has been done with navigation displays, should be coiisidered; as indicated
m the text, more mtegrated PFDs are under study. See also the description of the "dark
^^^'\ concept on page 25. (See pp. 10. 17. 26, 33, 36-37, 39, 41, 4344. 46, 48, 49, 77,
Integration of information does not mean simply adding more elements to a
single display.
Integration in psychology means "the organi-afion of various traits into one harmonious
personality. An integratec display combines disparate information elements into a single
picture that renders unnecessary many cognitive steps the pilot would otiierwise have to
perform to octam a concept. It riius relieves the pilot of mental workload. Primary night
displays arc not integrated; ratiier, they combine information previously shown on mmv
mstruments on a singie screen. The elements, however, are still distTete and die mental
workload of adducmg aircraft state is still required.
Clutter in displays is urdesu-ablc for the piiot may fail to notice the most impoiiant
mfomiation or may focus on les.s imponant data. It is for this reason tiiat we have suggested
89
that fairly radical de-cluttering of the PFD would still provide the pilot flying at ciuise on
autopilot with the information nequired to monitor the autopilot and return to the control loop
rapidly if required.
Subsystem displays can also be made more sample and intuitive. Again, the controlling
variable should be what the pilot needs to know under parricur^r circumstances. As long as nil
mfonnation necessarv' to take over manual control of these system? is available when required,
it is not necessary^ that other dau^ be visible in circumstances where they are not central to fhe
pilot's tasks, though we believe thai power information, perhaps in simplified form, is needed
ai all times because it is an element of flieht path contrcL (See pp. 34-35, 37-38, 39. 42, 44.
47, 54-55, 77, WC 12.)
Automation poses additional monitoring requirements; insure thai pilots are
able to monitor both the status of the automation and the status of the functions
ionirolled by that automation.
On page 46, it was asked whether displays should show the position of a switch, or the
position of the device controlled by that switch. Should automation status be announced, as
well as the stams of the function being controlled? One can argue that it should be, by some
means, vvhiic the *'dark cockpit" concept (no annunciations as long as evcr^/thing is normal)
has distinct advantages in preventing information overload, no information can mean either
that everything is normal or that the annunciator has failed. No inforaiation is quite different
from negative information. In the case of subsystems* where nothing happens for long
periods of time, pilots need some type of reassurance that the automation is still monitonng the
systems.
Automation can fail cc/ertly as well as overtly, and in either case, the pilot must become,
or be ready to become, a controller rather than a manager. To do so, he or she must know by
some means ti^at the automation has failed, and the condition of the controlled elements or
functions. (See pp. 33-34, 40, 48, 82, WC 5, 9, 10.)
Emphasize inf or nation in accordance with it% importance.
The most important informanon should be most obvious and most centrally-located.
Information relevant to aircraft control deviations, power loss or impending collisions with
obstacles is ?(Iways more important than infomiation concerning other facets of the operation
Symbolic information should be redundantly coded (shape, size, color, use of two or m.ore
sensor^' modaiities) to insure Lhat it is defected, Audtory (sounds) or tactile information
displays can be used to reinforce, or in some cases to substitute for. visual information; Lhis
can be particularly useful during periods of high \'isual workload (p. 38).
It should be noted that a strenuous and largely successful attempt has been made to
decrease the large number of discTcte auditory- warnings that were present in older cockpits.
The use of discrete voice warnings is increasing, nowever; GPWS, TCAS and windshear
alerts all incorporate voice signals, and an increasing number of aircraft also incorporate
synthetic voice altitude caliouts on final approach. This may be less of a potential problem as
digital data Unk replaces some of the voice communications now required, but there remains
the potential f'>r interference among voice messages, as well as the potential for overuse of
voice signals leading to diminished aU'rntiveness to voice emergency rriessages.
The question of tactile information transfer has been brought to the fore by the A320
control systems (p. 23,24). The tv/o pilot sidestick controllers are not interconnected, and
therefore do not provide information concerning control inputs from, the other side of the
cockpit. Because the airpiarie utilizes a load factor demand control lav/, pilots cannot detect
changes in aim from control column ptf >sure:^. Also, the thrust levers do not move when the
90
autothrust system changes engine powei. The discussion points out that this may be
appropnate automation and that companies flying this airplane do not manifest concern
regarding these features, but it is also necessary ro recogni?:? that certain elements of the
feedback previously provide4i to pilots are not present in tliis airplane. Continued scrutiny of
• A320 operations is needed to determine whether the absence of this feedback mode nas'any
undesirable consequences, or whetiier the redundancy of the infoniiation it provides in other
aircrait is not tniiy necessar>^ (See pp. 26, 35, 45, 77, WC 12.)
• Design automation to insure that critical functions are monitored as hcU as
executed.
Tne safety benefits of independent monitoring art mdisoutabie. ATC radai- permits
controllers to monitor flight path control; TCAS permits pilots to monitor controller actions.
liiere are functions tliai ait not independently monitored at this time; airplane acceleration with
respect to runway remaining during takeoff is one, ILS guidance during instalment
approacnes is another. A thud is aircraft position on the airport surface, at most facilities
Momtonng of input to aircraft systems espetu,: y Lhe FMS, remains a problem despite the
monitoring capability provided by map displays. In the first two cases mentioned new
technology will be required. In the latter case, FMS software could be provided to monitor
as well as assist m, pUot interactions with the system. Where critical errors could compromise
safety, independent monitoring of inputs (perhaps by downlinking of FMS data for
comparison with ATC cieai-ance data) should be enabled.
It is not clear at this point in time that airplarie-to-ATC digital data link will be used to
confirm diat clearance data has been received and entered into die FMC correctly. Such a link
could also be used to confLrro that manually-entered flight p : data conforms to ATC
intentions If such a n-,onitoring link is not provided for, an important element of redandancv
will have been lost . See pp. 48, 56, 78, 79, WC 9),
• Consider the use of electronic checklists to improve error resistance and
tolerance.
Depending on how they aie implemented, electronic checklists have the potential to
improve error resistance, by perforrrjng checklists on command, and error tolerance bv
remmduig pilots of checklists that need to be performed and bv providing reminders of items
no* completed. Checklist usage is known to be somewhat variable (ref. 74) and failure-? to
pe..oira checklists have been associated wiia serious mishaps (refs, lO.ilK "Sen'^ed"
checklists (those that verify that most or all items have been completed) wll be more enor
tolerant than those that rely entirely on pilot confirmation of actions taken, and this mav
suggest a desirable minimum architecture for such modules. On the other hand, data from
recent checklist studies suggests that automated checklists may reduce pilot vigilance for
aircraft system faults (ref. 7 1). (See pp. 48-49, WC 9.)
Giiideiines for H'lman-Centcred Management -Automation
Management automation has been a remarkably successful tool m the cockpit; die developm-nt
of air trafhc automation will further improve as utility and effectiveness. It has made the aviation
system much more eiror resistant, though it has also enabled new errors in the cockpit, as does any
new equipment that must be operated by humans. We offer the following guidelines for future
flight management systems.
91
N9I-32I36.UNCLAS
1.0
«^ iM pfJ2 2
I.I
1
1 1.8
.25
i.4 1 !.6
{^
Management automction should make airplanes as easy to manage as they are to
The major pToblem with flight managemcrt systems is that they are often cumbersome to
operate. Under some circumstances, it is easier to operate without them than to use them,
with the predictable msult that they are apt to be bypassed under these circumstances. This is
a pity, for the enxir resistance that they bring to flight path management i^ also bypassed. One
panial solution to this problem is to improve the interfaces between system and pilot so Uiat
they can be manipulated more easily
This will not be a trivial task, for it may requL-* estabhshing a diffei^nt level of interface
between the pilot and the system, one vhich involves a high-level interaction rather than the
present point- by-point description of desired ends. On the other hand, data link may enable a
higher-level interaction and may even require it for effective interaction with ATC, most of
which may be through the FN!S.
Within the constraints of present-generation systems, cffons to improve system
operability in high workload segments of flight would be most helpful to pilots* and would
improve system safety. The problem of manually tuning navigation radio aids rapidly has
been mentioned; providing alternate interfaces throiigh which such tasks coufd be
accomplished more readily is worthy of consideration. (See pp. 27-28, 29, 54, 55.)
Flight management system interfaces must be as error tohiant as possible.
In view of tiie known problems in data entry. FMS software should accomplish as much
error trapping as is possible. Some ways of doing this have been suggested above. When
dau link is available, the data entry process may be sim.plified, but that does not necessarilv
imply that data entry errors will be eUi. inated. (See pp. 52, 53.)
As noted earlier, CDUs wili refuse to accept incorrecdy-foramtted entries, but they do not
provide feedback as to why an entry was rejected. If the computer knows, why doesn't it teil
the pilot? Some data entr>' errors are obvious, but others may be less obvious and pilots may
be tired or distracted by other problems.
Future flight management system and aviation system automation must insure
that the pilot cannot be removed from the command role.
We have indicated our concern that increasing automation of the ATC system and
increasing integration of the ground and airborne elements of that system have the potential to
bypass the humans who operate and manage the system. One way to guard against this is to
design fumre flight mianagement systems so that the pilot is shown the consequ -ces of any
clearance before accepting it; another is to insure that the pilot must actively consent to any
requested modification of flight plan before it is executed. A third, more difficult way is to
make it possible for pilots to negotiate easily with ATC on specific elements of a clearance,
such as altitude changes, rather than having to accept or reject an entire clearan:;e or
modification. All three, and possibly other wa, " as well, may be required to keep uilots
firmly in command of then operations. (See pp. 5:i, 54,)
These steps will require more than simply software changes. They will require careful
negotiations between the operating community and air traffic management system designers.
In view of the rapidity with which the enabling technology is being pursued, the long-term
goals and objectives of system designers and planners need to be known with precision. We
do not beheve that they have been set forth with sufficient clarity thus far, and we believe also
that the consequences of fundamental changes in the locus of command of the system aie so
major as to require consensus before proceeding farther with system design.
92
5 . -'^ G
Ir:.ure .H. fli.nt opera.ons remain .UHin tHe capacities of tHe Human operator.
eacn.I]S"n"^ra:Smauo;!%Sron^ such prcc.s.on rhat they have been
are less than 200 feet and v,sSs^a;e kfs th^ ir^^.'f ^' (approaches when ce.hngs
pneraily accepted that pUot perc;pt^rcap"b'ms mav no ^ ^f/^^P'^- 1' has been
landing from approaches under Liese vei^bad wea hTr Lnni* ^''^^}^'''^' «^ Pennit a safe
hov ver. pilots have not been asked tn%.nc« conditions. With these exceptions
unaided. "^^"^ ^'^^'^ ^« ^"g^fe ^ »" operations that they cannot complete
system ^^S^J^P^^^^^^^^ intensive effons to increase
As noted earlier, this includes studies^f clS^ c^a?^^^^ T ^™^"^ ^"P^^^
r-f.^rrneCi:SrrL:S^^^^^
automation will ^ cied ■^Pon^pe^r^TSSS ^^^
sufficfiet ^mSn't^f MuSi'awie^^^^ -^ --'-"g capabilit>^
and with ways of escaping fim? the mS^euve^?JHv ^ ^'^Z'^^'^^ °^ "^^ maneuve,?,
conungency either wiSi/the aimlan^^fthe '^f^- ""m ^^P^^^^^^'V »" t^e event of a
Jsplays may weU be necessary if pS 2^ toVmifn n . '"0"«onng automation and
We must confess our conceinXut rSit^te???r " f ^^^^dunng such maneuvers.
assun^^t the automation has pmvSS a?SSi t^ n^lh? "T^'^f "^"^^ ^^^ controllers
pp. 56-57, 63, 95.) cjniiici-tiee flight path for controUed traffic (See
93
Q.
Some Thoughts on Aircraft Automation
What follows is some comments tliat need to be made but that do not seem to fit elsewhere in
this document. They are not conclusions; rather, they are issues that need to be considered by
designers and operators, and perhaps by the human factors research community as well
The use of artificial intelligence in future automation: We have made reference :n
several places in this document to the development of decision suppon or decision making syste rss
as a future thrust m aircraft automarion. Despite tht promise of artificial intelligence (Al)
technology in limited applications to date. AI remains a promise — an exciting one, but one whose
bounds we do not yet understand. It is our belief that truly "smart" systems will find their way
into the cockpit only slowly, and that those applications will be accept^ by aircraft manufacturers
only after protracted evaluation in less safety-critical environments. This is as it should be; the
paramount interest in safety of all members of the aviation community requires a considerable
degree of conscr\'atism with respect to new and largely untested technologies.
This, of course, suggests that cognitive systems may be a long time coming, and that the
introduction of sman systems should initially be for the control or management of non-critical
functions. AI systems for the management of information in electronic libraries have been
suggested; this might be such an application. It has been implied here that decision making
systems should probably not be adaptable, because that would decrease their predictability and the
human operator needs automated systems that are predictable. Pilots admittedly adapt to
inexperienced copilots who learn as thi> accumulate operating experience, but the pilot in
command is liiccly to be less confident of an ir animate system whose inner workings are less clear.
In an effon to take advantage of decision suppon technolog>' without foreclosing the decision
authority of the human operators, researchers have turned to decision-aiding systems that assist
both pilots and air traffic controllers in decision-making (refs. 64, 86, 105). These systems
provide options to the human operator, based on understood rules, but they leave decisions about
the use of those options in the hands of the operator. (See also p. 88.)
The effects of automation on human operators: We have referred to the considerable
and growing litcramie on human-centered workplaces, Cooley. among others, has discussed the
problem of *'dcskilling" in highly automated :\ ; ' i ments. Aviation is certainly such an
environment, though it differs in apprcciaole r- . j. j^ from the usual production environment.
Nonetheless, automation does cause behavioral anc dttitudinal effects over time in those who work
with it. Depending or how ii is built and operated, these effects can range from a sense of
growing mastery over another complex machine system across the spectrum to complacency and
boredom in the face of tasks made routine and mechanical.
Scientists and physicians in the Soviet Union who have worked extensively with cosmonauts
during long missions report that under the severe confinement and other stresses inherent in such
missions, their charges become increasingly intolerant of boring, repetitive, routine tasks, to the
extent of severely diminished performance (ref 106). On the other hand, they remain capable of
being stimulated and challenged by novel, intellectually demanding tasks even after many nwnths
of exposure in this most difficult and constrained environment It is their belief t^iat great care must
be taken to insuie that tasks remain challenging and stimulating.
There is much that is boring and repetitive in die cockpit environment as well, especially in
long haul overwater f ying. Few tasks are more soporific than watching a highly automated
vehicle drone on for many hours, directed by three inertial navigation systems all of which agree
within a fraction of a mile. This boredom can be compounded by fatigue during operations that
often traverse the hour's of darkness and normal sleep. Maintaining involvement in such a task, let
alone a sense of challenge and intellectual demand, will be a real challenge to cockpit designers, but
it must be met. Pilots are people who like challenges and have chosen aviation because it is a
94
'^^
'<'.
filw ^"^K°^''"P*^°u"- ^ *'« ^ »o ^^P them from becoming ineffective, we must cksign iheu-
asks in such a way that they can maintain their int.;rest in them, and thus their perfonnlnce of
them. This, we beheve, is tne foremost challenge facing those who design and shape the aircraft
automation of the furore. ^ ». «ii
.iiotP^if '^*''*'"^"'f^'^ ''^^'''/'r''^^ ""tomation. We have suggested in this document that
pilots will come to i-ely on reliable automation. There is much evtence that they do so though
L.ere have not been to date, mdications that the potentially deskilHng effects of control automation
amnoi be countered by inatjased emphasis on nujiual flying for a short time before reverting to a
e.s automated aircratt tj-pe. Will this continu. •. be the case in the futuie, as more pilot^eceive
i^nJw^ if J"*" =''Pf "^ in higWy automated aircraft^' As automation becomes increasingly
TX^r^ir^^^ ^'"^ considerable experience in fully functional automated aircraft remain^as
able to manage those aircraft when the automation is degraded? Finally, will pilots most or all of
whose expenence is in aircraft with highly tailored flight control systems^[,e abk to convemo Z%
aircr.aft which do not provide them with the protection such systerns a.ffoiti?
oneratorf '^^t^^'Jlll^T' ^' *^ T^^"' '^'^°"' ^^^'" ^° ^^ ^^^^^'' "^ automation on human
amomS ,^>t^i ^ 1° ^°*^' quesnon, perhaps more difficult to a.nswer. In highly
fhf^S!^ ^^ ?°'*' ™"*'^ automation should be considered essential for safe operation under
the wide variety of circumstances that may be encountered in hne operations^ At present
amonfa??,Tn'S^,'^'^"''?!r\^'?^'^^ '"'^^^ ''^^'^^' ^'^""^ subs'Ltial elements of the
L^nnif ? "0^^"y P-«vidcd. We have indicated the reasons for this in several places We
Slv iriff^ctrvet^/. r^^^^ "P ^^ ^^S^>' ^"^^^"^"^^ ^^ft' -^" '^P'^^
readily and effectively to the demands of a more manual style of operation as have their
S^S'Sr ^ '"^ autom.ation after considerable operating experience mfargdy
The demands of the aviation system have motivated much of the automation we now take ^or
granted, and those demands will increase, not abate, m the future. Is it prudent Siereffre to
s';Sytss".'^?sr"°^-"^^^^"^-^^
subs>^SS?»^^^
under circumstances unlikely to be encountered in line f.ying. Despite the SS cai wkh wS
regu^toiy authonnes and manufacturers have approached the certification pSSss wTer oSv
a subset of conditions, failures, and pilots can be evaluated irrhis^nle aSa^e v
representative of the population of pilots Ld conditions that may S cnS, JnSt^^^e S D«^
lon1S;?S? ''°'''"''' c,rcui..tances to which the airplane may be exposed during^s
rh. ^^ answers to these questions are not known and may never be known conclusively given
in^ '^'"'^^ "" "^"^ '^"T ^"^ **= '^^""'^^ '^"y °f ^SP0« aircraft accittents ^In^ tWs
fn ^?f"^' ""^ ""T^^ "^ '™P'y with how little automation is enough for pilots accustoined to (^d
in the iuum= perhaps accustomed only to) a great deal more. We do believe the ques^rnSdTto
be considered as we approach the time when highly automated aircraft supplant earlitm^ S
tiie airline fleet We have asked repeatedly in this document how much auSmation is enS L^S
how much may be too much. We wiU dose by asking how little automation is enou^'' Se^
ri;;;^^ ^cf H^ ^"^^^ ?r ^^^ ^^^^^ demography and experience of the pilot Jopdation an^
the uiCTcasing demands of the aviaGon system? ^
95
kL^^
■HP
in^
VI: CONCLUSION
Humans must remain in command of flight and air traffic operations.
Automation can assist by providing a range of management options.
Human operators must remain invoived.
Automation can assist by providing better and more timeiy information.
Human operators must be better Informed.
Automation can assist by providing explanations of its ciC*ions and intentions.
Human operators must do a better job of anticipating problems.
Automation can assist by monitoring trends and providing decision support.
Human operators must understand the automation provided to them.
Designers can assist by providing simpler, more intuitive automation.
Human operators must manage all of their resources effectively.
Properly designed and used, automation can be their most useful resource.
This is human-centered automation.
It has been suggested in this document that automation evolution to date has been largely
technology-driven. This is clearly true, but it is a' so unfair in one sense; designers of new aircraft
in recent years have made a determined attempt to help humans do what they may not do well in the
press of day-to-day operations. In doing so, they have eliminated some causes of human error,
while enabling others directly associated with Lhe new technology.
If there has been a shortcoming of automation as implemented to this time, it is perhaps that it
has not been sufficiently thought out in terms of the average pilot's needs during worse-than-
average conditions on the line m an air traffic system that is not yet able to take advantage of what
airplanes are now able to do. That is not a criticism of the designers of the automation; rather, it
implies that a more holistic view of the aviation system is necessary. Pilots fly airplanes in a
complex and increasingly crowded airspace environment, working with controllers who must deal
with whatever comes their way. We have automated the simple functions; it is now up to us to
leam to assist the humans who manage and control the aviation system, wit n the intent of further
enhancing their perfamance under the most difficult circumstances we can envision. This will be
as great a challenge as any that has confronted us.
96
D.
IfHiM
APPENDIX: AIRCRAFT MISHAPS CITED IN THE REPORT
Northwest Airlines DC9.82, Detroit Metro Airport. Romulus, Ml, 8116187 (ref. 10}
PhoeI?x "'Si'^S.Sli^^' "^'^"^ ^"^!' ^"^^^y ^^^r takeoff from mnwav 3C> enn,ure to
^ r :. ll^ airplane began its rotaDon about 1200-1500 tect from the enrt nf rh^s^snn ^
Miy°S^" cXf'v^ci'^^Tr™; *=7»i""S «"«' «-P» "Hi ieading edge sU<s were
OriM >4,>/,»„ B727.232, DaUas-Port Worth Airpon, TX, 8131 ISS („f. ,1)
Citv^Th^^fftfJl' ' ""• '^'■f Jl^ly after takeoff from mnwav 18L eiroule to Sal. Lake
.ndaf.e.beingai,^f^SrJi"?r5^L^™'S&%^f„T^Ts',;^^
The investigation showed that the flaps and slats were fullvretracteH FxHrf^„.*.
there was an intennittent fault in the talcwiff warn^n^^ ./ ^u Evidence suggested thai
dunng the last n^-nance^^r^-^irSLTie:^^^^^
disciJJi'Sd^^^rLf.L'^ff ^ -^ ^-^ ^ffi'^-'^ -^^iequate cockpit
was not Vropcr^ZZ^^Q^^Z^^^:^;'^'^ ^ ^^ *<= ^^^ that the airplane
procedural ^mc^^TZdA^^^Jll^ contributing factr.s certain manage., -nt and
deficicnciesTnlS ^c^^sS^^ "? ^^A to cor^.t known
conversations and the lengthy S,^^5S^cocl^,^f^fi^^^ note of extensive non^luiy related
crews vigilance in ^r.s^l^^^C:ZX^r^''^^'i^-^^'' ^^^^ ^- ^S^^
Aeromexico DC-IO-SO over Luxembourg, 11/11/79 (ref. 12)
elevators and the lower fuselage .S';t^tSL^'ic«s dcL^teSstag" ^"" °' ""* ""'^^^
I
5!!"%Tof^ "JT^^ercd to indicaa- Lheir magnetic heading to the nearest lO'- ^-^n- r . -,
from 26-35-) Parallel runways aUo have letS designators' lifeft cS'i«?, r!" g^ht.^^"^''
97
The flight data recorder showed th«t the airplane slowed to 226 kt during an autopilot climb,
quite possibly in vertical speed mode rather than indicated airspeed mode. Buffet speed was
calculated to be 241 kt. After initial buffet, the #3 engine was shut down and the airplane siowrd
to below stall speed.
The NTSB found the probable cause to be failure of the flight crew to follow standard climb
procedures and «• adequately monitor the airplane's flight instruments. This resulted in the aircraft
entering into prolongt ■ *^tall buffet which placed it outside the design envelope,
Indian Airlines Airbus AJ20, Bangalore, India, 2114190 (ref. 13)
(OfficiaJ report not available) This airplane crashed short of the runway during an approach to
land in good weather, killing 94 of 146 persons aboard including the pilots. The best available
data indicate that the airplane had descended ai idle power in the *1die open descent" mode until
shortly before the accident, when an auempt was made to recover by adding power but too late to
permit engine spool-up prior to impact. The airplane was being flown by a Captain undergoing a
route check by a check airman.
The crew allowed the speed to decrease to 25 kt below the nominal approach speed late in the
descent The recovery from this condition was started at an altitude of only 140 ft, while flying at
minimum speed and maximum angle of attack. The check captain noted that the flight director
should be off, and the trainee responded that it was off. The check captain corrected him by
stating, **But you did not put off mine." If either flight director is engaged, the selected autothrust
mode will remain operative, in this case, the idle open descent mode. The alpha floor mode was
automatically activated by the declining speed and increasing angle of attack; it caused the
autothrust system to advance the power, but this occurred too late for recovery to be affected
before the airplane impacted the ground.
China Airlines B747'SP, 300 miles northwest of San Francisco, 2/19/SS (ref. 14)
The airplane, flying at 41,000 ft f .iroute to Los Angeles from Taipei, suffered an inflight upset
after an uneventful flight. The airplane was on autopilot when the #4 engine lost power. During
attempts to relight the engine, the airplane rolled to the right, nosed over and began an
uncontrollable descenL Tlie Captain was unable to restore the airplane to stable flight until it had
descended to 9500 ft.
The autO' ilot was operating in the performance management system (PMS) mode for pitch
guidance and altitude hold. Roil commands were provided by the INS, which uses only the
ailerons and spoilers for lateral control; rudder and rudder trim axe not used. In light nirbulence,
that airspeed began to fluctuate; the PMS followed the fluctuations and retarded the throttles when
airspeed increased. As the airplane slowed, the PMS moved the throttles forward; engines 1, 2
and 3 accelerated but #4 did not. The flight engineer moved the #4 throttle forward but without
effect. The INS caused the autopilot to hold the left wing down since it could not correct with
rudder. The airplane decelerated due to the lack of power. After attempting to correct the simation
with autopilot, the Captain disengaged the autopilot at which xinx the airplane rolled to tr^ right,
yawed, then entered a steep descent in cloud, during which it exceeded maximum operating s^a ed.
It was extensively damaged during the descent and recover}^; the landing gear deployed, 10-1 1 ft of
the left horizontal stabili.xr was torn off and the no. 1 hydraulic system hnes were severed. The
right stabilizer and 3/4 of the right outboaixi elevator were missing when the airplane landed; the
Agings were also bent upward.
The NTSB determined that the probable cause was the Captain's preoccupation with an
inflight malfunction and his failure to monitor properly the airplane's flight instruments which
resulted in his losing control of the airplane. Contributing to die accident was the Captain's
98
^Hf^^'T"" ^\^M t"*°P"^^ ^'^ * lo«« of ^'« on #4 engine. The Boaid noted that the autODilot
effectively masked the approaching onset of loss of control of the aiipl^T^ ^
SranAnavian Airlines DCIO-SO, /. f. iC^^n^rfy AirporL NY, 2128184 (ref. 15)
s-opped or, thj runway. Ii was sKered lo t».e ngh. and came lo re", ta water MO?, frZrfc
;s,r Sdte 4t/:r^ef '"^■^"'^ "^"^ '"^^' "^^ '--«- "--H^; r^'rj
(ref. 25)
Vnited Airlines DC-IO-IO, Sioux City, lA, 7/19/89
studies, the Board found *.mS^ SS^geTL'S^ane .Lu.r H^hl^
United Airlines 3-747-122, Honolulu, HI, 2/24/89 (ref. 26)
The airplane rcramed to Honolulu and landed safelv after a carpn H«or «rv.«-^ n u
99
N 'I
^^
Aloha Airlines B'737-200 near Maui, Hawaii, 4128188 (ref. 27)
Ti *:. 'irplane experienced an explosive decompression due to a structural failure of the forward
fuselage at 24,000 ft whUe enroute from Hilo to Honolulu. Approximately 18 ft of cabb skin and
structure aft of the cabin entrance door and above the passenger floorline separated from the
airplane during flight. One flight attendant was swept overboard: eight persons received serious
injuries. TTie airplane landed safely.
Tne NTSB found the probable cause to be failure to detect the presence of significant
disbondir.g and fatig.- damage of the fuselage of an old airplane. This accident prompted a very
major study of the "aging aircraft" problem by operators, aircraft manufacturers, the FA A and
NASA. Major changes in inspection and n-£imtnmc>x procedures have resulted.
Aircraft Separation Incidents at Athmta Hartsfield Airport, 10/7180 (ref. 28)
This episode involved several conflicts amojig aircraft operating under the direction of air
traffic control in the Atianta terminal area, ip a? least two cases, evasive action was required to
avoid collisions. The conflicts were caused by '....iltiple failures of coordination and execution by
several controllers during a very busy period.
The NTSB found that the near collisions were the result of inept traffic handling by control
personnel. This mepmess was due in part to inadequacies in training, procedural deficiencies and
soti^ difficulties imposed by the physical layout of the control room. The Board also found that
the design of die low altitudc/confUa alert system contributed to the controller's not iwognizing the
conflicts. The repon stated that, "The flashing visual conflict alert is not conspicuous when the
data tag is also flashing in the handoff status. The low altitude warning and conflict alerts utilize
the same audio signal which is audible to all control room personnel rather than being restricted to
only those immediately concerned with the aircraft. This results in a 'cry wolf syndrome in which
controllers are psychologically conditi«ied to disregard the alarms."
Eastern Air Lines L-lOIl, Miami, FL, 12129172 (ref. 31)
The airplane crashed in the Everglades at night after an undetected autopilot disconnect The
airplane was flying at 2000 ft after a missed approach at Miami because cf a suspected landing gear
malfa'ction. Three flight crcwmcmbcrs and a jumpseat occupant became immenicd in diagnosing
the nialfiinction. The accident caused 99 fatalities among the 176 persons on board.
The NTSB believed that die airplane was being flown on manual throttle with the autopilot in
ontrol wheel stecnng mode, and that the altitude hold function was disengaged by light force on
le wheel. The crew, did not hear die altitude alert departing 2000 ft and did not monitor the flight
istrumcnts untiJ the final seconds before impact. It found the probable cause to be the crew's
failure to monitor the flight instruments for thw final 4 minutes of the flight and to detect an
unexpected descent soon enough to prevent impact with the ground. The Captain failed to assure
that a pilot was monitoring the progress of the aircraft at all times. The Board discussed
overrehance on automatic equipment in its report and pointed out the need for procedures to offset
the effect of distractions such as the malfunction during this flight (ref 31, p. 21).
United Airlines DC-8'61, Portland, OR, 12128178 (ref 32)
This airplane, flight 173, crashed into a wooded area during an approach to Portland
International AirporL The airplane liad delayed southeast of the airpcrt for about an hour while the
^^ ght crew coped with a landing gear malfunction and prepared its passengers for a possible
"ftency landing. After failure of all four engines due to fuel exhaustion, the airplane crashed
ai 5 miles southeast of the airport, vwth a loss of 10 persons and injuries to 23.
100
0.
.nd t?'iIJJnd%'?oMy toT'o^^^^^^^^^^ ^« -«"«- the fuel state
i^a. American B.747 and KLM 5-747, Santa Cruz de Tenerife, 3127177 (ref. 33)
Visibility varied between 1000 and 5000 ft in fosK^^^^ ^^ ^^ °" ^he parking ran^p.
made a 180* turn at the end in nmLr^„ V " , ?• ^^ ^*^ °"t using the single runway and
minutes later with inr^Sons ffi^f^ s^S?S /'• ^^ ^"^ ^°"°-«^ ^b°"» ^
end. A few minutes later after coSmnn?,.^!!^ a specified taxiway enroute to the depanure
clearance, the KLM aliSt^^^tS^rS^a^Jl "^^°"' ^P^^^^''^ '^^^^^
tower was requesting Pan Am to ^x^^^JTi^J^T ^^' ^^ ^ "°'^ ^^ takeoff." as the
we'll report when wl're cle^''°u7t^w?^fi^U",^^ ^" '^.^l- ^^ Am responded, "OK,
574 fatalities among the 644 p^ri^ns on S^'thf^1>Sft. "''^'"'^ ^^' ^"^ ^^ "^^ "^'^
witho'Jt^trce^Siri^X"^^^^^ ^^^^ ^P-" took off
learning Pan American was still onTerunwT and in «Swo T T^^^' ^'' ^"°^^°"
regarding Pan Am's position affirmed LVprnAr^KoJi ^^l^ ^ *"" ^'^^^ engineer's query
Captain was an extreSily exp^r^eTS m AfS^^^J^^ ?^^*! '^"^^y- ^t was noted thit the
some time the first officeVh^ES 7^' mX «^^^^^ Sif^'M^'J^"'' ^°"'^ ^^^^^ ^"
duty time limits; to have delayed would havf n-nnfitn fs ^^ °™'*' ^*^ ^^^ "ear its
Tenerife ovemight. ^ ^ required the crew and passengers to remain m
Delta Air Lines DC9-31, Boston, MA, 7131173 (ref. 36)
land^r^^irJSghXtBSS'^t^^^ ^-ng an approach for
impact was 165 ft right of the rSwav 4R rfm^nL -?^^^^? P^"^"" °" ^"^^ '^^ Point of
threshold. 7.e weathi ^^^^l:^'^T^^2T4 M^^^letuf^^."^ ^"^^^
ciata;?don W Li'tSng'' "^^l^S^^^. ' crewmember had stated, "You better go to x.w
approach due to vfsSiS^y tlow rrSSS "^^T?;^ ^ "TTJ ^^^^' '"^^' ™^^
Northeast Airlines to a Delta Air Je^c^Sim^ort^-At?] f^\"f. ^^ ,'^" "°."""^^ ^^^^ ^
director had been replaced uith a Si)eriVS?rhr^ Ko^ ^' ^^ '^^'''^' ^ime the Collins flight
deficiencies since tlSt time. "Rie &d£S comm.nH ^" ""'^i^.f ^^*^"P^ ^^^ mechanical
for the two presentations), as werelhel^ sw^STln^^.r'^ f ^^"J ^'^ ^'^^ ^^' P^g« ^0
were fomier Northeast Airlines pTlots ?f^e crew had S^nn^^^^^^ flight director. The^crew
which required only a slight extra motion of tL^^.t operating m the go-around mode,
h-^-^jved steeLg a^i irgrvXg'g^rdSi&^
altitude caUouts were not made during the approach. guidance. Requu-ed
The NTSB found the probable cause to he th*- fiiinr* «f ,u
passage through decision height during an un«I?^,^L ^"^ tojnomtor a.titudc and its
meteorological conditions Th» unstaSId .nnr^!?K ^ approach in rapidly changing
above the flide slope, fast, in pa^. d.e tot^stiS^ ^^'^^^ ^' ^^^ «"ter m4er
tne^night crew-s preoccupa/on w.. .ueSbtlnl^L^rp^Lt^d';^^^^^^
101
The Board commented that, *'An accumulation of discrepancies, none critical (in themselves),
can rapidly deteriorate, without positive flight management, into a high-risk situation.., the first
officer, who was flying, was preoccupied with t^ic inforaiation presented by his flight director
system, to the detriment of hJs attention to altituc^, heading and airspeed control.."
Swift Aire Aerospatiale Nord 262, Marina Del Rey\ CA, 3110/79 (ref. 37)
This commuier aircraft was taking off at dusk from Los Angeles enroute to Santa Maria, CA,
when a crewmcmber transmitted "Emergency, going down" on tower frequency. Witnesses stated
that the right propeller was slowing as the airplane passed the far end of the runway: popping
sounds were heard as it passed the shoreline. The airplane turned north parallel to the shoreline,
descended, ditched smootlily in shallow water, and sank immediately. The cockpit partially
separated from the fuselage at impact. The accident was fatal to the two crewmembers and one
passenger.
The flaps were set at 35% the right propeller was fully feathered and the left propeller was in
flight fine position. It was found that the right propeller pitot pressure line had failed; the line was
deteriorated and would have been susceptible to spontaneous rupture or a leak. The left engine fuel
valve was closed (it is throttle-actuated). Once the fuel valve has been closed, the engine's
propeller must be feathered and a nonnal engine start initiated to reopen the valve. The aircraft
operating manual did not state this and the pilots did not know it-
The NTSB found that the right engine had autofeathered when the pitot prtisuie line had
failed; the pilots shut down the left engine shortly thereafter, probably due to improper
identification of the engine that had failed. Their attempts to restart the good engine were
unsuccessful because of their unawareness of the proper starting sequence after a fuel valve has
been closed. Engine failure, procedures w^re revise^d following this accident
Air France Airbus A320, Mulhouse-Habscheim, France, 6/26/88 (ref. 44)
This airplane crashed into tall trees following a very slow, very low altitude flyover at a
general aviation airfield duiing an air show. Three of 136 persons aboard the aircraft were killed;
36 were injured. The Captain, an exptnenced A320 check pilot, was demv^nstrating the slow-
speed maneuverability of the then-new aii plane.
The French Comnnssion of Inquiry found that the flyover was conducted at an altitude lower
than the minimum of 170 ft specified by regulations arid corsiderably lower than the intended 100
ft altitude level pass briefed to the crew by the captain prior to flight. It stated that, 'The training
given to the pilots emphasized all the protections from which the A320 benefits with respect to its
lift which could have given them the feeling, which indeed is justified, of increased
safety ...However, emphasis was perhaps not sufficiently placed on the fact that, if the (angle of
attack) limit cannot be exceeded, it nevertheless exists and sdll affects the performance.*' The
Commission noied that automatic go-aroand protection had been inhibited and that this decision
was compatibb with the Captain's objective of maintaining 100 ft. In effect, below 100 ft, this
protection wa,^ not active.
The Commission attributed the cause of the accident to the very low flyover height, very slow
and reducing speed, engine power at flight idle, and a late application of go-around power. It
commented on insufficient flight preparation, inadequate task sharing m the cockpit, and possible
overconfidencc because of the envelope protection features of the A320.
102
^ii
J).
Delta Air Lines B.767, Los Angeles, CA, 6i30IS7 (ref ^2)
,.J^^^xs^^ XuTJs^^sr '""^ *"■■'= ^^^-^ -""^- -^ ^
t//iited Airtnes B.767. San Francisco. CA, 3/3I/SS (ref. 52)
it laScd wiil«>Si inciteir tS^ <^T^SS^.r? ' ^'""= "'"™'=<' '° ^^ Francisco, where
anempBd lo sJ^lch tarn mTi^T^^Sf^.?"' '"^ ,(»*" was lost when the (light crew
arc glided. It is believed riiaiiS^^^i, ' '5* " "*?"« "•" '=''""' Th« EEC switches
Delta Air Lines L-lOll, Los Angeles, CA, 4112177 (ref. 63)
shoru'J'iS'S^L^^^ti' Sii^o ^e m^ci^ 't ^^-^ J-f^ - the ftzll up position
airplay by any n<i^ wT^SnnitH^S ^^ ^""^^ themselves unabh to conVoI the
difficulty, fo resw^lL^T^ of S «ni .^f.^'' ^i^'^' were able, after considerable
three en^nes. UsS| SS^en^S^iJLer to m^^ '°"''? ^^ "'^"8 differential power on the
maintain direction^fo^^^lvX^fr^^^ f "^ wing engines differentially to
during an emergency approaclTK) iSf ASiCf °^" *^ each successive configuration chiige
and wWt daxLge'toTS^ ^l^^^t'^^'^^lS""'"^'^ " '"^''"^ ^^ ^^^^ ^^^'^^
(ref. 66)
ATorem Air Una B.747 over SakhaUn Island, USSR, 913183
after?^e^i;» ffSKi'^-^^f h""^ missiles fired ftx-n, a Soviet fghter
had twice Wotoed So^lS^dS to^f"Srff.hfS,T ^7"'' ^ "" »^'^=
were not recovered fmn die s£ Afta^lrinri^™]? J^ht jiaa and cockpit voice recorders
Organi^don, i, was bebt^ii^^:S^?flTgrpf^°°:^>^Vr"~r,f'?'"' '"™''""
inconect sets of waypoints loaded into fte INS sys'S ^ri* XI^LrAn^X" """
fre'/l7f" "'" '■■'<""^'""""-'-> Airlines B.747 «„ A.lanlic Ocean. 7im7
other aircraft but not, apparently, b/S^ Sir^rwas^lie;;?,"\?''^L"^' °^''""=^ *■>
mconecdyfasertedwaypo'iitinttlitaaiS^e^iJ^S^^or^J'i"^':"' '~=" ^^"^"^^ '.y an
Air Florida B.737. Washington National Airport, DC. 1/WS2 (ref. 68)
.ro.'Ss^?sS"i:!i?^'?„^L"?u'si'Lri^
ain-lane had been de-iced 1 hr"before dep^^TuV.^utlaLtS^^'riSTtl » STlapS
103
since that operanon before u reached takeoff position. The engines devcio^d substantially less
than takeoff power danng the takeoff and thereafter due to incorrect setting of takeoff power by the
piiOts. It was beUeved that the differential pressure probes in die engine were iced over providing
in incorrect (too high) EGT :ndication in the cockpit. This should have been detected by
••\?mir.anon of the other engine mstmments, but was not perceived by the captair flying.
The NTSB found that the probable cause of the accident was the flieht crew's failure to use
engine and-ice dunng ground operation and takeoff, their decision to take off with snow/ice on the
airfoils, and the captain's failure to reject the takeoff at an early stage when his attention was called
to anoinalous engine instrument readings. Contributing factors included the prolonged ground
delay after deicmg, the known jiherent pitching characteristics of the B-737 when the vong leading
edges are contaminated, and the limited experience of the flight crew in jci transport winter
operations c
Delta Air Lines L-lOll-SSS-J, Dallas-Fort Worth Airport, TX, 8/2/85 (ref. 83)
"Diis aiiplanc crashed during an approach to landing on runway 17L. 'W'hile passing through a
rain shaft beneath a thunderstorm, the flight encountered a microburst which the pilot was unable
to traverse successfully. The airplane struck the ground 6300 ft north of the runwav. The accident
was fatal to 1 34 persons; 29 sur\'ived. " «'«"»"cui
The NTSB found the probable cause to be the flight crew's decision to initiate and continue
the approach into a cumulo-nimbus cloud which they had observed to contain visible Ughmine a
lack of specific guid^a, procedures and training for avoidance and escape from low-altioide wnd
shear, arid lack of definitive, real-time wind shear hazard inforrnation.
Northwest Airlines 8-727 and DC-<f, Detroit Metro Airport, MI, 12/3/90 (ref. 84)
These two aircraft collided while tlie 727 was taking off and the DC-9 was lost on the airport
in severely restricted visibUity. Both aircraft were on tiie ground The accident site was not visible
from the tower due to tog; ASDE was not available. The investigation is not complete at this time.
US Air B.737 and Skywest Fairchild Metro, Los Angeles, CA, 2/1191 (ref. 84)
This accident occunned after the US Air airplane was cleared to land on runwav 24L at Lo
Angctes while the Commuter Metro was positioned on the runway at an intersection awaiting
takeoff clearance. There were 34 fatalities and 67 survivors in tiw two aircraft. The Metro mav not
have been easily visible from the control tower, airpon surface detection radar equipment (ASDE)
was available but was being used for surveiUance of the south side of the airpon. The controUer
was very busy just pnor to the time of the accident.
The NTSB investigation of this accident is underway at this time, but it is reponcd that the
controller cleared the Metro mij position at an intersection on runwav 24L, 2400 ft from the
threshold, two minutes before the accident. One minute later, the 737 was given a clearance to
land on runway 24L. It is believed that the stroboscopic anti-collision lights on the Metro were not
operatmg at the tiinc of the crash, as it had not yet received lis takeoff clearance.
Continental Airlines DC9'14, Denver, CO, 11/15/87 (ref. 88)
TTiis airplane crashed immediately after takeoff on ruTiw>;v 35L enroutc from Denver to Boise
ID. The weather was sky obscured, ceiling 300 ft, visibiHty 3/8 mile in moderate snow and fog'
winds irom 030 at 10 kt, gusting to 18 kt, runway 351. visual range 2200 ft. The airplane hS
t)ccn dc-iced 2/ mm before takeoff. It rotated rapidly and crashed immediately after leaving the
ground. There ^fcre 28 fatalities; 54 persons survived.
104
r>
Dunng the investigation, it was found that the flight had not requested taxi clearance and the
tower was unaware of its taxi to the de-icing pad. The Captain's experience in the airplane was
hmitsd (133 hr DC9, 33 as a DC9 Captam); the first officer, who made the takeoff, had onlv ^6
nours of jet and DC9 expeneni i, and hid been off duty for 24 days before this flight.
The NTSB found tlie probable cause to be the Captain's failure to have the aircraft de-iced a
second time after a delay thai led to upper wing surface conta:- lination and loss of control during a
rapid takeoff rotation by the first officer. Contributing causes were tiie absence of regulatory^or
management controls goveming operations b\ newlv qualified flight crewmembers. The Board
quesuoned the Captain's decision not to have the airplane de-iced a second time and ro permit the
inexpenenced first officer to make the takeoff under difficult weather conditions. It commented
that "Painng of pilots with limited experience in their respective positions can, when combir -d
with other factors, such as adverse weather, be unsafe and is not acceptable," and made
recommendations to avoid such pairings.
US Air B-737-400, LaG. ardia Airport, Flushing, NY, 9/20/89 (ref. 89)
This airplane crashed into a pier past the departure end of runway 3 1 during takeoff enroute to
Charlotte, NC. Two passengers suffered fatal injuries. As the first officer began the takeoff roll
he felt the airplane drift to the left. The Captain used nosewheel steering to correct the drift. As he
ta^oft run progressed, the crtw heard a "bang" and a continual rumbling noise. The Captain then
took over control and rejected the takeoff but was unable to stop the airplane before running off the
end of the runway into Boweiy Bay.
The NTSB found the probable cause of the accident to be the Captain's failure to exercise
c-ommand authonty m a timel;,' manner to reject the takeoff or to take ;uff cient control to continue
the takeoft, which was in;tiat<^ with a mistrimmed rudder. Also causal was the Captain's raiiure
to detect the mi-^trimrned niddttr before the takeoff roll was aaempted.
The Board noted that the :akeoff configuration warning system does not include an alarm for a
imstn/nmed nidder, and stated that this is proper because the aircraft is not unflvable. There were
abundant charices to detect L'le out-of-trim condition through visuaJ, tactile and proprioceptive
n^ans. There was also a miscommunication; the Captain said "got the steering," advising the first
officer to correct the airplane's track with right rudder. The first officer heard "I got the steering "
said okay" and gradually relaxed his pressure on the right rudder pedal. It was thought that
neither pilot was m full coniro thereafter, this problem continued after the takeoff was rejected.
The Board noted that "both pilots were inexperienced in their respective positions the first
officer was conducting h < fm-t unsupervised line takeoff in a 737 and also his fu-st takeoff after a
39-day non-flying penod. The Captain had 5525 hr total flying time, 2625 hr in the 737, but onlv
o^/JLf^ c ^^f'^" '" ^^^ 737-400. The first officer had 3287 hr total time, 8.2 hr in the 737-
..00/400. Several crew coordination problems and multiple errors by both pilots were commented
upon by Lhe Board.
105
REFERENCES
1 - Pallett, E.HJ.: Automatic Right Control, Ed. 2. London: Granada Publishing. Ltd., 1983
2. Mohler, S.R., and B.H. Johnson- Wiley Post. His Winnie Mae, and the World's First
Pressure Suit. Washington. Smithsonian Institution Press. Washington, 1971.
3. Arion.: Rep)ort of the President's Task Force on Crew Complement. V/asMington, Julv 2,
1981.
4. Anon.: MD-ll Advanced Flight Deck and Aircraft Systems. Long Beach, CA: Douglas
Aircraft Co. Division of McDonnell Douglas Corporation, Febniarjs 1989,
5. Anon.: 777 Flight Deck. Seattle, WA: Boeing Commercial Airplane Group, December,
1990.
6. Anon,: National Plan to Enhance Aviation Safety through Human Factors Improvements,
Washington, Air Transport Association cf America, April, 1989.
7 . Porter, R.F., and J.P. Loomis: An investigation of reports of controlled flight toward terrain
Mountain View, CA: Battelle ASRS Office, NASA CR-166230, April, 1981.
8. Traffic Alen and Collision Avoidance Systems, Amendment 14CFR121-201, January 10,
1989,
9. Wind Shear Advisory Systems. Amendment 14CFR121-216, April 9, 1990.
10. Anon.: Northwest Airlines DC-9-82, Detroit Metro Wayne County Airport, Romulus,
Michigan, 8/16/87. Washington: National Transportation Safety Board repon no. AAR-
88/05, 1988.
1 i . Anon,: Delta Airlines 6727*232, Dallas Fon Worth Airport, Texas, 8/31/88. Washington,
National Transportation Safety Boand report no. A.AR-89A)4, 1989.
12. Anon.: Aeromexico DC-10-30 over Luxembourg, 11/11/79. Washington, National
Transportation Safety Board repon no. AAR-80-lO, 1980.
13- I.^norovitz, J.M.: Indian A320 crash probe data she v o'ew improperly configured aircraft.
Aviat. Week & Space TechnoL 132: 6/'25/>0, p. 84-85, 1990.
14. Anon.: China Airlines B-747-SP, 300 NM northwest of San Francisco, CA, 2/19/85.
Washington, National Transportation Safety Board report no. AAR-86/03, 1986.
15. Anon.: Scandinavian Airlines DC-10-30, J. F. Kennedy Airport, New York, 2/28/84.
Washington, National Transportation Safety Board repon no. AAR-84-i5, 1984.
16. Anon.: Factoi-s associated with altitude overshoots, excursions and undershoots. In: NASA
Aviation Safety Reporting System Third Quanerlv Repon. Washington, NASA TM X-
3546, May, 1977.
17. Aviation Systems Concepts for the 21st Century CFAA/T^'AS/^yMIT Symposiuni),
Cambridge, MA, Sept, 28-29, 1988.
106
l:^
18. Orladv. RW: Advanced technology aircraft safety issues. Mountain View, California:
Batteue ASRS Office unpublished repon, October, 1989.
19. Wiener. E.L.: Human factors of advanced technolog: (''glass cockpit") transpon aii-craft
Coral Gabies, FL; University of Miami, NASA CR 177528, June, 1989.
20. Rouse. W.B.: Design for Success. New York, John Wiley & Sons, 1991.
'^' ^.'J^^^P' ^■^■- "^o^^d ^ ^"f^an-centcred automation philosophy. Columbus Ohio Proc
Hfth International Symposium on Aviation Psychology, 1989 (also Intl. J. Aviadon Psvch
1991, m press).
^^" tg^g- '^'^'^''^^ ^ight ^<'^- Seattle, WA: Boeing Commercial Airplane Group, March,
23. Anon.: A320 Ri^ght Deck and Systems Briefing for Pilots. Blagnac, France: Airbus
industnc, September, 1989.
24. S^r, N.B., and DX) Woods: Simation awareness: a critical but ill-defined phenomenon.
Intl. J. Aviat. Psych. 1(1), 45-57, 1991.
25. Anon.: United Airlines DC-10-10, Sioux Gateway Airpon, Sioux City, lA, 7/19/89
Washington, National Transportation Safety Board report no. AAR-90/06, 1990.
26. Anon.: United Airlines B-747-122, Honolulu, Hawaii, 2/24/89. Washington, National
Transponanon Safety Board repon no AAR-90/10, 1990.
27. Anon.: Aloha Airhnes B-737-200, near Maui, Hawaii, 4/28/88. Washington, National
Transportation Safety Board report no. AAR-89/03, 1989.
28. Anon.: Aiicr^t Separation Incidents at Hansfield Atianta Intl. Airpon. AUaiita. GA 10/7/80
Washington, National Transportation Safety Board report no. SIR-81-6, 1981.
29. Wiener, E.L and D C. Nagel: Human Factors in Aviadon, Section Two: Pilot Performance
San Diego, Academic Press, Inc., 1988.
30. Fadden, D.M.jAircraf: Automation Challenges. In: Abstracts of AIAA/NASA/FAA/HFS
Symposium, ChaUenges m Aviation Human Factors: The National Plan. Washireton
American Institute of Aeronautics and Astronautics, 1990.
31. Anon.: Easteni Air Lines L-1011. Miama, FL, 12/29/72. Washington, National
TransportationSafetyBoardreportno. AAR-73-14, 1973.
32. Anon.: United Airlines DC-8-61, Portland, OR, 12/28/78. Washington, National
TransportationSafetyBoardreportno. AAR-79-7, 1979.
^^" xPT'/^ American World Airways B747/KLM B-747, Santa Cruz de Tenerife 3/27/77
Madnd. Spain: Spanish Commission of Accident Investigation unnumbered report Also
see: Anon.: Aircraft Accidem Report: PAA/KLM, Tenerife, Canary- Islands 3/27/77
Was. jngton: Air Lme Pilots Association Engineering and Air Safety, undated.
^"^ P^iS-l5?9^'6 ^8?'* ^"^''"'^^°"" ^" "^^^ °^ ^ philosophy Washington: SAE Technical
107
-^jB^*
^5. Wiener, E.L., and R,E. Curry: Flight-deck automation: promises and problems. Moffeu
Field, CA: NASA TM 81206, June, 1980.
36. Anon.: Delta Air Lines Douglas DC-9~31, Boston, MA, 7/31^?. Washington, National
Transportation Safety Board lepon no. AAR-74 j, 1974,
3'?. .Alton.: Swift Aire Lines AerospatiaJe Nord 262, Manna D-1 Rey, CA, 3/10/79. Washington,
National Trail sportat ion Safer/ Board repon no. AAR-79-i3. 1979
38. Anon.: DC-9-80, A step forward in cockpit autonnation. Lnteravia 33(12): 1 197-8, 1978
39 Ropelewski, R-R.: Boeing's new 767 ease^ crew workload Aviat. Week & Space Technol.
117: 8/23/82, pi 40-50, 1982.
40. Uchtdorf, D., and P. Heldt: Survey on cockpit systems B737-300/A310-200. In: Flighicrew
Info, Frankfurt, Lufthansa Flight Operations Division, April 1989.
41. Hopkms,H.: Masterfully digital (MD-)ll. Right International 138; IC 24-30/90.
42. Nagel, D.C.: Human error in aviatior operations. In: Wiener, E.L., and D.C. Nagel:
Human Factors in Aviation. San Diego: Academic Press, Inc., 1988.
43. Graeber, R,C., and C E. Billings: Human-centered automation: development of a
philosophy. In: Morello, S.A.: Aviation Safety/Automation Program Conference.
Washington, NASA Conference Publication 3090, 1990.
44. Anon,: Investigation Commission Fmal Repon concerning the accident which occurred on
June 26th 1988 at Mulhouse-Habscheim (68) to the Airbus A320, registered F-GFKC.
Paris: Ministry of Planning, Housing, Transport and Maritime Affairs, 11/29/1989.
Extracted in AviaL Week & Soac? TechnoL 132: 6/4/90, p. 107; 6/18/90, p, 99: 6/25/90, p. 98;
133: 7/9/90, pL 60: 7/23/9(.s p. 90; 7/30/90, p. 90, 1990.
45. Anon.: Hard limiiN soft options. Flight Intl. 138:10/31-11/6/90.
46. Farley, I: Supreme SovHiet. Hight ind, 138:10/10-16/90.
47. Billings, C.E . and D.B. 0*Hara: Human factors associated with runway incursions. In:
NASA ASRS Eighth Quarteriy Report Washington, NASA TM 78540, October, 1978.
48 Tarrel, RJ.: Non-airborne confiicts: the causes and effects of runway transgressions.
Mountain View, CA: Battelle ASRS Office, NASA CR-177372, Sept., 3985.
49. Anon.: News item in Aviation Daily, 304: 2/22/91, p. 353, 1991.
50. McNally, B.D.; A precision code differential GPS system for terminal area positioning and
guidance Albuquerque, NM: Institute of Navigation 4tli International Technical Meeting,
Sept. 11-13, 1991.
51. Scon, B., T, Goka and D. Gates: Design, development and operational evaluation of an
MLS/RNAV control display unit Los Angeles: Tenth EEEE/AIAA Digital Avionics Systems
Conference, Oct. 14-17, 1991. See also: Anon,: Introduction to MLS. Washington, Federal
Aviation Administration, 1987,
108
"■ W8Vp"ffos1''trL''o°S??/'^* """,":"=: ■^"^■- W«k & Space Tcchnol. 127-
W=ck Xipi^ciL!^. n°-4wl6 ;TT9t^"'"' '*' ^'" '"^"'Ver loss. Av,^,!
'"' -iS'SIn-^^- ™:C"^ *^'^"S/J-?^^^^^^ of ,„c,d=n, .pon.„g for
.2/13^. ^Ms.«. L ■■T.raL;i^'^s,^!?-;\i=;«^^^
" llliinfs' C I" and f s" rh'^n""^ Kmemions of the i„fa™a,ion Wnsfer problem In
57. Bilstcm. R.E.: TOgh, i„ America, 1900-1983. Baldmo:e: Johns Hopkms Unfv. Press, 1984.
'*■ S^^dv; «n!,e/4&1'lt* folKf 'Ha^"1^ "L %=°"'^ .er-ge„=ra,ed
Center, NASA TR 1736 l^*^' ^ '"""""S- Hampion, VA: NASA Langley Research
moni.cri.,a„dco„«„,sys«„di.pi;y°^SS^'g!rkll'r^2?«:^^^^^
''■ SS/rpSgS^^;:^„*^i»^.'^«-°" "'""^- ^°""-'" ^'-- ^A: Ba„el.e ASRS
"■ sSc.is^!:^^?i^t"src:;s^'^,".^S'"^^ -- -<'™^-"
"■ J-etop-n^n'.'a^^ev^aluaSfl';^^^^^^^^^ ^"^ '-™- 'ac,or= issues in ,he
RP 1055, January, 19E0 ^ ' "^ "'"'"8 ^V^ems. Washington, NASA
**■ ?S^'."S™ '"^^""Al^f J; STir «^"°" '"- A™- Week & Space Technol
Technol, 119: 9/lM3.pp 18-23, ms"" "'"^'™" ™"'=' '" Av,a,. •ftTcek & Space
"■ ^ac^r?ch";,,;12t7^4.^'^'M'3'2Mf87^ """ "'"""'^"^ ™*^--- ^viat. Week &
109
D.
68. Anon.: Air Florida B-737-222, Collision with 14th Street Bridge, near Washington National
Airport, DC, 1/13/82. Washington, National Transportation Safety Board report no. AAR-
82-8, 1982.
69. Norman, D.A,: Commcntar>': Human error and the design of computer systems-
ComniumcaLions of the ACM 33: pp. 4-7, 1990.
70- Wiener, E.L.: Fallible humans and vulnerable systems: lessons learned from aviation. In,
Wvse, J.A„ and A. Debons, eds.: Information System*^: Failure Analysis. NATO ASI
Senes, Vol. F-32, Berlin: Springer- Verlag, 1987.
7 1 . Pahner, E., and A. Degani: Electronic checklists: an evaluation of two levels of automation.
P^oc. Sixth Symposium on Aviation Psychology, Columbus, OH, April 1991 (in press).
72. Rouse, W.B., N,D. Geddes and R.E. Curry: An architecture for intelligent interfaces: outline
for an approach supporting operators of comph.x systems. Human Computer Interaction
3(2): pp. 87-122, 1987.
73. Sheridan, T.B.: Task allocation and supervisory control. In: Helander, M., ed,: Handbook
of Human-Computer Interaction. North-Holland: Elsevier Science Publishers, BV. 1988.
74. Degani, A-, and E.L. Wiener: Human factors of flight-deck checklists: the nomial checklist.
Coral Gables, H.: University of Miami. NASA CR 177549, May. 1990.
75. Anon.: MD-11 Flight Management System Pilot's Guide, Phoenix, AZ: Honeywell
Commercial Bight Systems Group, PUB No. 28-3643-01-00, September, 1990.
76. Corker, K.M., and T. Reinhardt: Procedural representation techniques applied to flight
management computer systems: a software representation svstem. Cambridge, MA: BBN
Systems and Technologies, Inc., contract no. W288'386, BBN report ret. 5653, June,
1990.
77. Curry, R.E.: The introduction of new cockpit technology: a human factors study. Moffett
Field, CA: NASA TM 86659, May, 1985.
78. Monan, W.P.: Readback related problems in ATC communications- the hearback problem
Mountain View, CA: Battelle ASRS Office, NASA CR 177398, March, 1986.
79- Anon.: Altitude devi?,tions data. Mountain View, CA: Battelle ASRS Office, Search Request
SR-1933 (unpublislied), November, 1990.
80. Ceilo, J.C: Controller perspective of AERA 2. McLean, VA: MITRE Corp. Repon MP-
88W00015, Rev, 1, February, 1990.
8 1 . Taylor, F.W.: On the art of cutting metals. New York, ASME, 1906.
82. Rauner, F,, L. Rasmussen, J.M. Corbett: The social shaping of technology and work:
human centred CIM systems. AI and Society 2: pp 47-61, 1988.
83. Anon.: Delta Air Lines Lockheed L-101 -385-1, Dallas-Fort Worth Airpon, TX, 8/2/85.
Washington, National Transportation Safety Board report no. AAR-86/05, 1986.
110
^^.^
91. Beniger.J.R.:ToeConiiolR.voljtio„. Cambridge. MA: Harvard University Press. 1986
93. Advanced Qualification Progrm. Amendment 14CFSU1.2I9. Oct 2. 1990.
94. Van Acker, J.P.: Personal communication 1990
96. Federal Aviation Act of 1958. Public Law 85-726. August 23 1958
98. Fadden, D.M.. Personal communication, 1990.
99. Wiener, EX.: Unpublished data, cited in personal communication, 1991.
'""■ Sp".^l%p'u"SJ^Tra?u^:'?g?^- "°""'^" ^*-- ^^^ «=-»= ASRS Office Study
111
l>.
101. NASA Aviation Safety Reporting System incident repon number 00362. 1976.
102. Palmer, E., CM. Mitchell and T. Govindaraj: Human-centered automation in the cockpit-
some design tenets and related research projects, Washington: ACM SIGCHI Workshop on
Computer-Human Interaction in Aerospace Systems, 1990.
103 Norman D.A.: Psychology of Everyday Things. Npw York: Basic Books, Inc., 1988.
104. NASA Aviation Safety Reporting System incident repon no. 59282, October, 1986.
105. Abbott, KJ.: Robust Fauii •, lagnosis of Physical Systems in Operation. New Brunswick.
NJ: Unpublished Ph.D. Duvsertation, Rutgers University, May, 1990.
106. Kwias, N.^ Psychosocial support for cosmonauts. Aviat. Space Environ. Med. 62(4): pp.
112
D.
REPORT DOCUMENTATION PAGE
Form Appro ¥9d
OMBNo 0704-01B8
I »ef ftt<iuc(
Kno m \m unto* of Mtf«aQ«*!«m mrti ftL^w^t t>M\AMii«jfc il.^^w- t^^^^ wm^i aT^. ^^ ^^
1. AOENCY USE ONLY rt«««* M^m*;
. « TITLE AND SUBTITLE
no w w qnie« o( Imtntqti^m »)a Bt^t, j>«p«nw(ti a»Aicaen PmKa (e7)>*^0HI). WMMnyen DC «)9C3
REPORT BATE
August 1991
». REPORT TYPE AMD DATES COVERED
Technical Memorandum
Human -Centered Aircraft Automation: A Concept and Guidelines
«. AUTHOa(S)
Charles E. Billings
9. FUNOINO NUMBERS
505-64-13
7. PERFORMJNa ORGANIZATION NAME(S) AND AODRESS(ES)
Ames Research Center
Moffen Field, CA 94035-1000
SPONSORINO/HONITO»IMQ AGENCY NAME(S) AND AO0RES8(ES)
National Aeronautics and Space Administration
I Washington. DC 20546-0001
a. PERFORMING ORGANIZATION
REPORT NUMBER
A-91192
10. SPONSORING/MONITORING
AGENCY REPORT NUMBER
NASA TM- 103885
IV SUPPLEMENTARY NOTES
Point of Contact: Charles E. BiUings, Ames Research Center. MS 200- 1 6, MofFctt Reld CA 9403^- 1000
(415) 604-5500 or FTS 464-5500
12«. OlSTRIBUTtOM/AVAiLABiLrrY STATEMENT
Unclassified-Unlimited
Subject Category - 06
12b DISTRIBUTION CODE
13. ABSTRACT (UmKlmum 20C wordm) ——^
Thisr=p«Bml«gepm.rttponseto.n«ndaeoftf«A,rTr««portA«oci^^^
wtachdescnbes d. cmnmwmoes und« wtach «sks «e .ppropr«i«ly .lloc««l to the m«:hine mAI^ the pOof This document wietmHs
m^be n«de . ««ximrily effective tool or «so»cc for pUots without compromiring human .mhority ^.3 w:th «, mcT«se a, sysu«n
J^J^^ ""*' "^"^ '^.'^'^ pikH «d brief discussion of .he hbtory of «x«ft wtomatioa . co«=epc of -fmnnr.-
«dm«»gemem«,tom«Km.lT,eel«r««sofe«h«cansid«edfofc^^
Tl« envmmnem «nd context of «rcr«ft ««om«ion « then oonskfaed Th* e)em«K include th- «icr.ft themselves the phJS
.^ttoMl envBojment .^tf^ hum., op««r«. Sysi«a goals «d gu^lines for fUghl^k m^am»LKm set fonh m a linin^k
hpolar iMture of several puis of desaabte atmbutes unA the tradeoffs that .re inescptble in the design process
^-S^ *T*^'w '"'™»^'««» •i««'' «ilom«io„ « then presented. cio.s-rrf«Te«ced to the p,«^dmg d»scu«iom A to of
t4 SUBJECT TERMS ■'
Aircraft automation. Human-centered automation. Advanced aircraft,
Human factors
17 SECURITY CLASSIFICATION
OF REPORT
UncIassiHed
NSN 754<K}V280-S500
1». SECURITY CLASSIFICATION
OF THIS PAGE
Unclassified
19. SECURITY CLASSIFICA+ION
OF ABSTRACT
IS HUMBEftOF PAOES
122
16.
PRICE CODE
A06
IC. LIMITATION OF ABSTRACT
Standard Form 296 (FWv. 2-89)
*^nm«Hum4 toy A»<si ••«. z»»-i •
Live Music Archive
Librivox Free Audio
Metropolitan Museum
Cleveland Museum of Art
Internet Arcade
Console Living Room
Books to Borrow
Open Library
TV News
Understanding 9/11