[SystemSafety] At least PBL is now talking to me again ...

Peter Bernard Ladkin ladkin at causalis.com
Sun Jul 12 09:20:49 CEST 2020



On 2020-07-12 00:21 , Olwen Morgan wrote:
> 
>..... My point, .... was that by a very modest piece of data fusion using
> information from different JAR-designated aircraft subsystems, the aircraft would be able to show
> the pilots *more salient warnings* 

Well, now you are well away from technical safety and into engineering psychology, namely the design
of annunciations.

That is very far away from your original claim that "stress testing" aviation systems would lead to
design improvement.

> ... But it's one thing for an avionic system to show the minimum information that you need. It's
> quite another presenting in a way that focuses your attention when and where you need it to be
> focused 

There are journals about all this. And research organisations, such as the Human Systems Integration
Division of NASA Ames Research Center.

One issue is that you can test pilots and line pilots in a simulator to try out emergency
procedures, and they will all recognise the problem and do the "right thing" without fail.

Then in line flying, somebody doesn't.

So, the thing about "stress testing" human-cyber-physical systems in commercial aviation is that you
can't: real incidents are qualitatively different from simulations. The human reasons for that are
also well-known.

The most obvious and well-documented example of it is not for me to discuss. But it happened with
the MAX crashes. For some months, US pilots (represented by the officers of their pilots'
associations) were saying "we wouldn't have done that; we would have recognised the problem and
recovered." That contention was resolved when people reproduced the incidents in simulators and they
found out they couldn't. That is dealt with in Dewi's talk.

But in much less detail than it actually manifested. The "professional pilots'" forum PPRuNe saw
extensive, if not interminable (I haven't checked recently) discussion of all this.

>> If you are talking five years later, I can assure you that they had completed their 
>> reconsideration years before that.
>>
> And, AFAI could see, they were revisiting the issue in 2006/7 owing to concerns over the saliency
> and timeliness of warnings. 

Could be. None of my contacts knew anything about that.

>>>> ... As I noted, Boeing knew all they needed to know
>>>> technically about the specific safety properties of MCAS in March 2016.
>>
> With all due respect, Peter, that is not my reading of the relevant sections of the DoT IG report.

I can't help with that. It is there in black and white and I quoted it.

>>> "specific safety properties". 
>> We are talking the properties defined in 14 CFR 25, alternatively EASA CS25.
> Again, with all due respect, Peter, after searching my Inbox, I can't find any prior reference to 14
> CFR 25 or EASA CS25 in this thread. 

It is hard for me to believe that you wouldn't realise that commercial aviation safety assessment is
governed by the commercial aircraft certification regulations.

> Had you *more helpfully* given a specific reference into some
> particularly relevant part of their several hundred pages 

I don't think this is the place to give a tutorial on the safety techniques and analyses required by
aviation certification regulations.

It is based on risk-matrix concepts using severity of "none", "minor", "major", "hazardous" and
"catastrophic" and probability concepts of "probable" (subdivided into "frequent" and "reasonably
probable"), "improbable" (subdivided into "remote" and "extremely remote") and "extremely improbable".

> I don't walk around with codes
> of airworthiness requirements in my head. It's not my cognitive style to remember vast corpora of
> information 

It is actually quite compact. I suggest you download a copy of CS 25 (which includes the
regulations, Part 1, and the Acceptable Means of Compliance, Part 2) and search for the risk-matrix
keywords given above.

> And, in any case, I'm inclined to think that well-designed test-rig based
> simulated stress testing would still have stood a good chance of spotting the MCAS problem 
> *before* more costly test flights began.

Either you recognise that the issue was already known to the manufacturer in March 2016, or you
don't. In either case, I don't see much point in discussing this any further.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
Styelfy Bleibgsnd
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de




