When the article described the checklist a pilot has to go through before taking off, it resembled, though quite crudely and without life or death implications, the lengthy checklist the developers at our company had to follow back when we deployed everything manually. We had synchronization steps to pull modifications, a couple of compilation steps, we had to check if configuration files were added in order to accommodate extra services, there were cache mechanisms that had to be cleared, after that we needed to check for database migrations, then restart the systems, run the little tests we had and manually check that nothing broke. We often saw code conflicts, 40 to 50 of varying difficulty every release. It was insane and never quite worked; we always got weary of release days and never wanted to go through them, as we didn't trust the system (with good reason).
Automation and good practices brought back confidence, so I was wondering two things.
First and most obvious, how come pilots trust a system that has these layers of manual security checks with their lives? And second, can't it all be automated? I understand aircraft must have independent modules and every level of integration implies extra risk, but at least in safety-critical tests, automation would go a long way in ensuring crew safety, wouldn't it? Is it too hard? Are systems not flexible enough to implement automatic security checklists, or is it just a culture in the field to check it all manually?
I highly recommend “The Checklist Manifesto” by Atul Gawande. One of the points that Gawande discusses is that checklists cannot be too detailed. He discovered this in working with the WHO when their first surgical room checklist attempt was a complete failure because it had too many steps (chapter 5, the first try). In chapter 6, he then revisits flight checklists and writes:
“Some time after that first miserable try, I did what I should have done to begin with. I went to the library and pulled out a few articles on how flight checklists are made. As great as construction-world checklists seemed to be, they were employed in projects that routinely take months to complete. In surgery, minutes matter. The problem of time seemed a serious limitation. But aviation had this challenge, too, and somehow pilots’ checklists met it.”
...
“It is common to misconceive how checklists function in complex lines of work. They are not comprehensive how-to guides, whether for building a skyscraper or getting a plane out of trouble. They are quick and simple tools aimed to buttress the skills of expert professionals. And by remaining swift and usable and resolutely modest, they are saving thousands of lives.”
> First and most obvious, how come pilots trust a system that has these layers of manual security checks with their lives? And second, can't it all be automated?
It's one thing to have a script check the return code of a test suite. Oftentimes aircraft checklists include things like physically verifying that something is present and moving in the correct manner when commanded to do so. Obviously you can add sensors, but then how do you check that the sensor is working?
At the end of the day, most of the manual checklist items are still for a human to look at or listen to a thing and make a judgement call.
> First and most obvious, how come pilots trust a system that has these layers of manual security checks with their lives? And second, can't it all be automated?
The trust comes from understanding the system and the associated risks that contribute to conditions where the system is out of its normal operating range. Pilots learn that doing simple checks on the parts of the system that are likeliest to contribute to abnormal operations is life saving in the long run. E.g. it may seem simple that control locks weren't taken off, but it happens, and it's why we check the controls prior to take off. It's why we put the engines to full throttle to make sure oil pressure is as expected.
Anytime there is an accident many pilots will read the reports and add an additional check or reemphasize a current check that they need to continue to use.
As far as automation goes, it could fix it. But it increases system complexity, so there will be this valley where for a while the automated system isn't much better than normal checks, and in fact might be worse due to over-reliance. Also, logic in software or hardware can lie to you in ways that the mechanical realities of moving control surfaces, checking oil level, and checking tire pressure can't (at least with a cheap solution). This is why the FAA, for critical components, requires multiple systems doing the same thing and consensus algorithms.
Recently I bought a lemon of a motorcycle. The ECU started giving me error codes twenty-five minutes into my first ride. The engine started cutting out. I couldn't start it. On the other hand, in a Cessna I could lose all electrical power (assuming the magnetos are still operating) and still operate the plane just fine, although without radio comms. The Cessna is from 1972, while the motorcycle is from 2017. Granted, I could've checked wires or inspected more carefully, but nonetheless, the 2017 motorcycle is a more complex system.
The motorcycle engine is LESS reliable than a well maintained Cessna. But I suspect the motorcycle was not well maintained, perhaps not well designed, and you should not have been driving it.
Short of a teardown I don't see how the buyer of a second hand motorcycle would have a chance at spotting such a fault without driving the bike. And even a teardown might not show the fault, in fact could make it worse.
That's equally true for an aeroplane engine - the difference is that no pilot would skip performing maintenance at the required intervals and there are maintenance logs etc. in place to enforce this. What makes the Cessna engine more reliable than the motorbike engine in practice isn't a simpler design but a better maintenance and operation culture.
Sure. But the accepted norms for buying second hand aircraft versus second hand motorcycles are quite different as well, which is why it makes no sense to say that the buyer should not have driven the motorcycle. The accepted norm for cars and motorcycles is that you pay the seller and you drive them home, not that you inspect the detailed maintenance log or do an on-site teardown. Likely the seller was aware that this bike had problems and simply did not tell the buyer, something that is close to fraud, and on top of that this placed the buyer in a potentially dangerous situation, especially on a new bike.
When I buy cars I do a pretty thorough inspection and an extended test drive. Even so I once ended up with a car on which the clutch pedal would not return once every few hundred strokes or so, something that by chance did not happen even once in a pretty long test drive.
There is a middle ground, and I think people should demand more in that respect. Yes, cutting engine power is more hazardous in an aircraft than in a motorcycle. So the aircraft should produce a clear warning when takeoff power is applied but control surface locks are sensed as present. Or when takeoff power is applied and the rudder/ailerons/elevators haven't been fully deflected since startup (indicating controls haven't been checked). Or when the altimeter reading has a gross disagreement with the GPS altitude, etc. We should expect more from our automation without letting it get in a position where it can compromise safety.
I know this is a bit of a tangent, but the motorcycle didn't happen to be a Royal Enfield did it? They seem to have lots of wiring harness abrasion issues.
Moto Guzzi V7. Might end up being simple ECU reset or fix. I’m just glad I was tooling around in a neighborhood getting comfortable, and letting the failure percolate. Otherwise would’ve been much worse had I gone straight to the highway.
I flew small airplanes for fun, nothing close to a fighter jet but I'll try to answer.
> can't it be all automated
No. Some of it certainly could, notably gear-related ones like engine checks as in your car. And yes, current systems are not very flexible; the strong bias towards "tried and trusted" does slow down the arrival of fancy electronics.
But checklists also include confirming you have weather information, making sure your surroundings are clear of danger, that your flight plan is defined...
This is more about checking the human component and can't be automated.
> how come pilots trust a system that has these layers of manual security checks with their lives
This is the best we have come up with so far.
Manual checks also give you a sense of control.
> First and most obvious, how come pilots trust a system that has these layers of manual security checks with their lives? And second, can't it all be automated?
Conveniently the word "deviance" has multiple meanings, two of which apply here.
The article uses deviance in the sense of "deviation from the behavioral norm" (where that norm is an external process). I completely agree with your assessment that these processes can become cumbersome and a barrier to doing work (at most big companies the process becomes the point and dominates actually getting work done). Automation can go a long way to improving that, both in reducing cynicism and letting people spend their time on the stuff that actually moves the company forward.
However, the manual checks in aviation also serve to find unexpected deviation in the shape or performance of the device. The reason the first officer walks around the aircraft is not for exercise but because she may see something "out of the ordinary" for which no test exists -- something that should be straight looks subtly out of kilter, indicating that, say, a bolt on the wheel has come loose and under load the wheel tilts slightly. This kind of check is harder to find in software, which uses many fewer human intuitions, which is why we have code stylebooks and code reviews.
A pool of hydraulic fluid near the landing gear wheels is one example of such an out-of-the-ordinary thing for which no test exists. Presumably the hydraulics would still work for take-off, but a wheel assembly might end up not being stowed properly or it might refuse to descend on landing.
The example in the article is an interesting one because to an outsider it clearly looks bonkers and yet, to an experienced insider it might look workable.
Yes, but two things. Airplane technology advances happen slowly but surely. Small changes can have big consequences when flying. So rightfully any changes are thought about for a long time until they're deployed in practice. And so far airplane safety is miles and miles above any other mode of transportation, so it would appear that this cautious behavior is working.
But even if we had fully automated "turn key" planes, checklists do something for the pilots. They force pilots to understand their instrument panels, where the controls are and how the plane largely operates. Things like the start-up procedure can vary really radically between planes, even with the same types of engine. In an emergency, say an electrical failure, this can be really crucial if certain systems need to be restarted/turned off -- it's best that the pilot doesn't spend time during an emergency working out where everything is. Even if they've flown the same plane for years, they're only human and you forget what you don't use.
An airplane is a mechanical thing and in the end you have to check that things really work physically. I am sure they have self-check mechanisms that check that the software works right and the sensors produce the right signals but you still have to check that the rudder really moves.
Many aircraft do have configuration warning systems, but they are not exhaustive. And, as a sibling commenter mentioned, many of them are physical inspection items. (Fuselage free of ice and snow, fuel appropriate for the mission, appropriate fuel loaded, pitot cover removed, etc)
I've always found this odd though - surely for pitot tubes a sensor could be installed which flags whether the cover is on? Sure, you open yourself up to a sensor failure scrubbing a mission but leaving the covers on is somewhat more disastrous.
OK, "pitot tube inlet free of mud daubers" (which incidentally gets looked at when you manually remove the cover).
Part of the walkaround/pre-flight process is me getting my head into the aviation game (and out of the "stressful workday" or "other life BS"). It's a few minutes of partial meditation as I walk around the aircraft, pushing, prodding, and inspecting.
(In my aircraft's case, the empty weight is around 2700 lbs and examples can be purchased for under $100K. There's a substantial premium on weight and [to a lesser extent] space for redundant or automated systems to give me a checklist that says "ensure green 'OK' light is lit".)
"Add a sensor" is a non-trivial exercise in the aviation world. If you're doing things correctly you need triple redundancy so you can determine when one sensor is returning bad data. Adding sensors for every little thing would add enormous complexity to what are already extremely complex machines.
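As an added illustration of the two threads above (the takeoff configuration warnings proposed earlier: control locks sensed at takeoff power, controls not fully deflected since startup, gross baro/GPS altitude disagreement; and the point that three redundant sensors are needed to tell which one is returning bad data), here is a small simulation. It is example code written for this page, not anything from an aircraft or from the commenters; every threshold, sensor name and sample value is a constructed assumption.

```python
from dataclasses import dataclass, field
from statistics import median

# Constructed example: 2-of-3 sensor voting feeding a takeoff configuration
# warning. Thresholds and sample values are hypothetical, not real limits.
TAKEOFF_POWER_PCT = 90.0       # throttle above this counts as takeoff power
FULL_DEFLECTION_FRAC = 0.9     # fraction of travel counted as "fully deflected"
ALT_DISAGREE_FT = 300.0        # baro vs GPS difference treated as gross


def vote(readings, tolerance):
    """Return (trusted_value, suspect_indices) for three redundant readings.
    The median is trusted; any channel farther than tolerance from it is flagged
    so a single lying sensor is detected rather than silently believed."""
    value = median(readings)
    suspects = [i for i, r in enumerate(readings) if abs(r - value) > tolerance]
    return value, suspects


@dataclass
class ControlCheckTracker:
    """Remembers the largest deflection seen on each axis since startup."""
    peak: dict = field(default_factory=lambda: {"aileron": 0.0, "elevator": 0.0, "rudder": 0.0})

    def observe(self, positions):            # positions in [-1, 1] per axis
        for axis, pos in positions.items():
            self.peak[axis] = max(self.peak[axis], abs(pos))

    def unchecked_axes(self):                 # axes never pushed to full travel
        return sorted(a for a, p in self.peak.items() if p < FULL_DEFLECTION_FRAC)


def takeoff_warnings(throttle_pct, lock_sensors, tracker, baro_alts, gps_alt):
    """Evaluate the configuration rules once takeoff power is applied.
    lock_sensors: three booleans (True = lock sensed present); baro_alts: three
    barometric altitudes in ft; gps_alt: single GPS altitude in ft."""
    warnings = []
    if throttle_pct < TAKEOFF_POWER_PCT:
        return warnings                       # rules only arm at takeoff power
    lock_present, bad = vote([1.0 if s else 0.0 for s in lock_sensors], 0.5)
    if lock_present:
        warnings.append("CONFIG: control lock sensed")
    if bad:
        warnings.append(f"SENSOR: lock channel(s) {bad} disagree")
    axes = tracker.unchecked_axes()
    if axes:
        warnings.append("CONFIG: controls not fully checked: " + ", ".join(axes))
    baro, bad = vote(baro_alts, 50.0)
    if bad:
        warnings.append(f"SENSOR: baro channel(s) {bad} disagree")
    if abs(baro - gps_alt) > ALT_DISAGREE_FT:
        warnings.append(f"CONFIG: baro {baro:.0f} ft vs GPS {gps_alt:.0f} ft")
    return warnings
```

Note that a disagreeing channel is reported separately from a configuration warning, which is the point of the redundancy: a sensor failure scrubs the takeoff with a clear reason rather than either masking a real lock or silently trusting a bad reading.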
Most aircraft aren't that sophisticated. When they are, like Boeing 787 and Airbus 320 series, much of the checklists are automated, but there still remain portions the pilot must perform themselves. Quite a lot of the checklist items have to do with establishing situational, contextual and sequential awareness.
Also, general aviation is a much bigger portion of aviation than scheduled passenger airline service: number of airplanes, pilots, airports, and jobs. Any automation is going to be narrowly applied outside of general aviation, it's just not yet a general purpose solution.