Category: Systems

Air Taxi

My daily routine once comprised of walking across a bridge over the Rhine to an office in Ottoplatz in Köln-Deutz[1]. That’s in Cologne, Germany on the eastern side of the river.

In the square outside the railway station is a small monument to a man called Otto. A small monument marking a massive transformation that took place in the way transport has been powered for well over than a century. This monument honours Nicolaus August Otto who created the world’s first viable four-stroke engine in 1876.

Today, the internal combustion engine hasn’t been banished. At least, not yet and Otto could never have known the contribution his invention would make to our current climate crisis. But now, rapid change is underway in all aspect of transport. It’s just as radical as the impact of Otto’s engine.

As the electrification of road transport gathers apace so does the electrification of flying. That transformation opens new opportunities. Ideas that have been much explored in SiFi movies now become practically achievable[2]. This is not the 23rd Century. This is the 21st Century. Fascinating as it is that in The Fifth Element the flying taxi that is a key part of the story, has a driver. So, will all flying cars of the future have drivers?

I think we know the answer to that already. No, they will not. Well, initially most of the electric vehicles that are under design and development propose that a pilot (driver) will be present. Some have been adventurous enough to suggest skipping that part of the transition into operational service. Certainly, the computing capability exists to make fully autonomous vehicles.

The bigger question is: will the travelling public accept to fly on a pilotless vehicle? Two concerns come up in recent studies[3][4]. Neither should be a surprise. One concerns passengers and the other concerns the communities that will see flying taxies every day of the week.

Public and passenger safety is the number one concern. I know that’s easy to say and seems so obvious, but studies have show that people tend to take safety for granted. As if this will happen de-facto because people assume the authorities will not let air taxies fly if they are unsafe.

The other major factor is noise. This historically has prevented commercial public transport helicopter businesses taking-off. Strong objections come from neighbourhoods effected by aircraft constantly flying overhead. Occasional noise maybe acceptable but everyday operations, unless below strict thresholds, can provoke strong objections.

So, would you step into an air taxi with no pilot? People I have asked this question often react quickly with a firm – No. Then, after a conversation the answer softens to a – Maybe.

[1] https://www.ksta.de/koeln/innenstadt/ottoplatz-in-koeln-deutz-eroeffnet–das-muss-nicht-gruen-sein–2253900?cb=1665388649599&

[2] https://www.imdb.com/title/tt0119116/

[3] https://www.easa.europa.eu/en/newsroom-and-events/press-releases/easa-publishes-results-first-eu-study-citizens-acceptance-urban

[4] https://verticalmag.com/news/nasa-public-awareness-acceptance-of-aam-is-a-big-challenge/

Corporate Failure

I watched the documentary on the Boeing 737 MAX 8 last night. It’s on Prime[1]. Called Flight/Risk. It starts with the launch of the new aircraft and ends as the aircraft returns to service and the consequences of the disaster that are still rippling through aviation. Seattle Times journalist, Dominic Gates appears frequently. His perspective is one that I was reading as the accidents and following events unfolded.

It’s a well-made production. I my view it focuses too much on whistle-blowers and too little on the appalling design errors made in certifying the aircraft. However, I can understand the choices made by the film makers. It’s primarily aimed at a public audience and not technical experts.  

This was a massive and fatal corporate failure. My recollections of working with Boeing in Seattle, in the mid-1990s are that such events could never have occurred in that era. It was a preeminent engineering company, with a proud heritage and safety was as important as the blood that flows through our veins. What happened in this last decade is beyond shocking.

Now, corrective action is being taken. Efforts are being made to re-establish an effective safety culture. All over the world technical experts have securitised the modified Boeing 737 MAX to the n-th degree. The company expects the Boeing 737 MAX 7 will be certified by the end of the year and the larger MAX 10 in the first half next year.

What is regretful is how long the design and manufacturing industries resisted the introduction of Safety Management Systems (SMS). I remember doing presentations to industry on that subject more than 2-decades ago.

So, what does a bad corporate and safety culture look like? We must recognise it, and not ignore the signs. What concerns me is, however much we have learned from the Boeing 737 MAX saga; it will soon be forgotten. Pasted over like wallpaper.

As if to give me an illustration, I was standing in a high street shop, browsing sale items in the normal way. It’s always nice to pick up a bargain. Even though it was a busy Saturday afternoon, there wasn’t many people in the shop. Behind me, were two store employees chatting away. They didn’t pay much attention to me until they had finished. They were close enough for me to hear most of what they were saying. One of them was the store manager.

Basically, they were having a whinge about the company that owned the shop. One key aspect was the waste of time, as they saw it, of being sent on company training courses where expensive consultants rabbited on to them about matters that were totally irrelevant to their day-to-day business. They blamed the corporate management. They haven’t got a clue, and it’s getting worse was the gist of the chat. They both expressed love of their jobs. It was a cry of desperation and frustration as they feared the company was on the road to go bust.

I guess that’s it. When little, or no communication exists between shop floor, literally in this case, and corporate management then that’s a big indicator of grave troubles ahead.

[1] https://www.amazon.co.uk/Flight-Risk-Karim-Amer/dp/B0B5K615MZ

Moon Mission

Wishing Artemis well in the plan to go back to the Moon

The universe is big, I mean really big, but our nearest neighbour is close by. Seeing our unique satellite orbit the Earth is as common an experience watching the weather. No need for a telescope.

The circumference of Earth (distance around Earth at the equator) is roughly 40,000 kilometres (25,000 miles). The distance to the Moon is 10 times the circumference of the Earth, or roughly 400,000 kilometres (250,000 miles[1]). That sounds like a lot but compared with the dimensions of our solar system it’s nothing much.

The first humans walked on the Moon on 20th July 1969. I was 9-years old. I watched the event in our living room on a small black and white TV. Around the globe, hundreds of millions of people watched as Armstrong stepped out on the surface of the Moon for the first time[2]. For good or ill, humanity changed on that day.

A plan for returning humans to the Moon is underway[3]. NASA’s new lunar mission is ready for launch. Called “Artemis” a mission is on the launch pad. In ancient Greek mythology, Artemis was heavily identified with Selene, the Moon.

This project will work with industry and international partners, like the European Space Agency (ESA)[4] to send astronauts to the surface of the Moon. The European Service Module (ESM) will provide for future astronauts’ basic needs, such as water, oxygen, nitrogen, temperature control, power, and propulsion.

It’s a big day. Exploration is a part of human DNA. These are the next steps. I wish the project every success.

POST: Well, we get to use that well used phrase – Space is hard. “Space is hard.” But why? — Elizabeth A. Frank (elizabethafrank.com)

[1] 225,623 miles away when it’s at its closest. The Moon’s orbit is not a perfect circle. When the Moon is furthest, it’s 252,088 miles away.

[2] https://en.wikipedia.org/wiki/Moon_landing

[3] https://www.nasa.gov/specials/artemis/

[4] https://www.esa.int/ESA_Multimedia/ESA_Web_TV

Safety Performance Indicators

What’s happening? Two words, and what seems like the easiest question in the world. Open your phone, look at the screen and a myriad of different sources of information are screaming for your immediate attention. They are all saying – look at me, look now, this is vital and don’t miss out. Naturally, most of us will tune out a big percentage of this attention-grabbing noise. If we didn’t life would be intolerable. The art of living sanely is identifying what matters from the clutter.

So, what happens in aviation when a Chief Executive or Director turns to a Safety Manager and askes – what’s happening? It’s a test of whether that manager’s finger is on the pulse, and they know what’s happening in the real world as it happens.

This is a place I’ve been. It’s a good place to be if you have done your homework. It’s the way trust is built between the key players who carry the safety responsibility within an organisation.

One of the tools in the aviation safety manager’s toolbox is that of Safety Performance Indicators (SPIs). In fact, it’s part of an international standard[1] as part of a package for conducting safety assurance. Technically, we are talking about data-based parameters used for monitoring and assessing safety performance.

The ideas are simple. It’s to create a dashboard that displays up-to-date results of safety analysis so that they can be viewed and discussed. Like your car’s dashboard, it’s not a random set of numbers, bar-charts, and dials. It should be a carefully designed selection of those parameters that are most useful in answering the question that started this short blog.

That information display design requires great care and forethought. Especially if there’s a likelihood that serious actions will be predicated on the information displayed. Seems common sense. Trouble is that there are plenty of examples of how not to do this running around. Here’s a few of the dangers to look out for:

Telling people what the want to hear. A dashboard that glows green all the time it’s useless. If the indicators become a way of showing off what a great job the safety department is doing the whole effort loses its meaning. If the dashboard is linked to the boss’s bonus, the danger is that pressure will be applied to make the indicators green.

Excessive volatility. It’s hard to take indicators seriously if they are changing at such a rate that no series of actions are likely to have an impact. Confidence can be destroyed by constantly changing the tune. New information should be presented if it arises rapidly, but a Christmas tree of flashing lights often causes the viewer to disbelieve.

Hardy perennials. There are indicators, like say; the number of reported occurrences, which are broad brush and frequently used. They are useful, if interpreted correctly. Unfortunately, there’s a risk of overreliance upon such general abstractions. They can mask more interesting phenomena. Each operational organisation has a uniqueness that should be reflected in the data gathered, analysed, and displayed.

For each SPI there should be an alert level. It can be a switch from a traffic light indication of green to amber. Then for the more critical parameters there should be a level that is deemed to be unacceptable. Now, that might be a red indicator that triggers a specific set of significant actions. The unscheduled removal or shutdown of a system or equipment may be tolerable up to a certain point. Beyond that threshold there’s serious safety concerns to be urgently addressed.

The situation to avoid is ending up with many indicators that make seeing the “wood from the trees” more difficult than it would otherwise be. Afterall, this important safety tool is intended to focus minds on the riskiest parts of an operation.

[1] ICAO Annex 19 – Safety Management. Appendix 2. Framework for a Safety Management System (SMS). 3. Safety assurance. 3.1 Safety performance monitoring and measurement.

Is Airworthiness Dead? 2/

Where I left the discussion there was a question mark. What does conformity mean when constant change is part of the way an aircraft system works?

It’s reasonable to say – that’s nothing new. Every time, I boot up this computer it will go through a series of states that can be different from any that it has been through before. Cumulative operating system updates are regularly installed. I depend on the configuration management practices of the Original Equipment Manufacturer (OEM). That’s the way it is with aviation too. The more safety critical the aircraft system the more rigorous the configuration management processes.

Here comes the – yes, but. Classical complex systems are open to verification and validation. They can be decomposed and reconstructed and shown to be in conformance with a specification.

Now, we are going beyond that situation where levels of complexity prohibit deconstruction. Often, we are stuck with viewing a system as a “black box[1]. This is because the internal workings of a system are opaque or “black.” This abstraction is not new. The treatment of engineered systems as black boxes dates from the 1960s. However, this has not been the approach used for safety critical systems. Conformity to an approved design remains at the core of our current safety processes. 

It’s as well to take an example to illustrate where a change in thinking is needed. In many ways the automotive industry is already wrestling with these issues. Hands free motoring means that a car takes over from a driver and act as a driver does. A vehicle may be semi or fully autonomous. Vehicles use image processing technologies that take vast amounts of data from multiple sensors and mix it up in a “black box” to arrive at the control outputs needed to safely drive.

Neural networking or heuristic algorithms may be the tools used to make sense of a vast amount of constantly changing real world data. The machine learns as it goes. As technology advances, particularly in machine learning ability, it becomes harder and harder to say that a vehicle system will always conform to an understandable set of rules. Although my example is automotive the same challenges are faced by aviation.

There’s a tendance to see such issues as over the horizon. They are not. Whereas the research, design and development communities are up to speed there are large parts of the aviation community that are not ready for a step beyond inspection and conformity checking in the time honoured way.

Yes, Airworthiness is alive and kicking. As a subject, it now must head into unfamiliar territory. Assumptions held and reinforced over decades must be revisited. Checking conformity to an approved design may no longer be sufficient to assure safety.

There are more questions than answers but a lot of smart people seeking answers.

POST 1: Explainability is going to be one of the answers – I’m sure. Explained: How to tell if artificial intelligence is working the way we want it to | MIT News | Massachusetts Institute of Technology

POST 2: Legislation, known as the Artificial Intelligence Act ‘Risks posed by AI are real’: EU moves to beat the algorithms that ruin lives | Artificial intelligence (AI) | The Guardian

POST 3: The world of the smart phone and the cockpit are here How HUE Shaped the Groundbreaking Honeywell Anthem Cockpit

[1] In science, computing, and engineering, a black box is a device, system, or object which produces useful information without revealing information about its internal workings.

Is Airworthiness dead?

Now, there’s a provocative proposition. Is Airworthiness dead? How you answer may depend somewhat on what you take to be the definition of airworthiness.

I think the place to start is the internationally agreed definition in the ICAO Annexes[1] and associated manuals[2]. Here “Airworthy” is defined as: The status of an aircraft, engine, propeller or part when it conforms to its approved design and is in a condition for safe operation.

Right away we start with a two-part definition. There’s a need for conformity and safety. Some might say that they are one and the same. That is, that conformity with an approved design equals safety. That statement always makes me uneasy given that, however hard we work, we know approved designs are not perfect, and can’t be perfect.

The connection between airworthiness and safety seems obvious. An aircraft deemed unsafe is unlikely to be considered airworthy. However, the caveat there is that centred around the degree of safety. Say, an aircraft maybe considered airworthy enough to make a ferry flight but not to carry passengers on that flight. Safety, that freedom from danger is a particular level of freedom.

At one end is that which is thought to be absolutely safe, and at the other end is a boundary beyond which an aircraft is unsafe. When evaluating what is designated as “unsafe” a whole set of detailed criteria are called into action[3].

Dictionaries often give a simpler definition of airworthiness as “fit to fly.” This is a common definition that is comforting and explainable. Anyone might ask: is a vehicle fit to make a journey through air or across sea[4] or land[5]? That is “fit” in the sense of providing an acceptable means of travel. Acceptable in terms of risk to the vehicle, and any person or cargo travelling or 3rd parties on route. In fact, “worthiness” itself is a question of suitability.

My provocative proposition isn’t aimed at the fundamental need for safety. The part of Airworthiness meaning in a condition for safe operation is universal and indisputable. The part that needs exploring is the part that equates of safety and conformity.

A great deal of my engineering career has been accepting the importance of configuration management[6]. Always ensuring that the intended configuration of systems, equipment or components is exactly what is need for a given activity or situation. Significant resources can be expended ensuing that the given configuration meets a defined specification.

The assumption has always been that once a marker has been set down and proven, then repeating a process will produce a good (safe) outcome. Reproducibility becomes fundamental. When dealing with physical products this works well. It’s the foundation of approved designs.

But what happens when the function and characteristics of a product change as it is used? For example, an expert system learns from experience. On day one, a given set of inputs may produce predicable outputs. On day one hundred, when subject to the same stimulus those outputs may have changed significantly. No longer do we experience steadfast repeatable.

So, what does conformity mean in such situations? There’s the crux of the matter.

[1] ICAO Annex 8, Airworthiness of Aircraft. ISBN 978-92-9231-518-4

[2] ICAO Doc 9760, Airworthiness Manual. ISBN 978-92-9265-135-0

[3] https://www.ecfr.gov/current/title-14/chapter-I/subchapter-C/part-39

[4] Seaworthiness: the fact that a ship is in a good enough condition to travel safely on the sea.

[5] Roadworthy: (of a vehicle) in good enough condition to be driven without danger.

[6] https://www.apm.org.uk/resources/what-is-project-management/what-is-configuration-management/

Safety Research

I’ve always found Patrick Hudson’s[1] graphic, that maps safety improvements to factors, like technology, systems, and culture an engaging summary. Unfortunately, it’s wrong or at least that’s my experience. I mean not wholly wrong but the reality of achieving safety performance improvement doesn’t look like this graph. Figure 1[2].

Yes, aviation safety improvement has been as story of continuous improvement, at least if the numbers are aggregated. Yes, a great number of the earlier improvements (1950s-70s) were made by what might be called hard technology improvements. Technical requirements mandated systems and equipment that had to meet higher performance specifications.

For the last two decades, the growth in support for safety management, and the use of risk assessment has made a considerable contribution to aviation safety. Now, safety culture is seen as part of a safety management system. It’s undeniably important[3].

My argument is that aviation’s complex mix of technology, systems, and culture is not of one superseding the other. This is particularly relevant in respect of safety research. Looking at Figure 1, it could be concluded that there’s not much to be gained by spending on technological solutions to problems because most of the issues rest with the human actors in the system. Again, not diminishing the contribution human error makes to accidents and incidents, the physical context within which errors occur is changing dramatically.

Let’s imagine the role of a sponsor of safety related research who has funds to distribute. For one, there are few such entities because most of the available funds go into making something happen in the first place. New products, aircraft, components, propulsion, or control systems always get the lion’s share of funds. Safety related research is way down the order.

The big aviation safety risks haven’t changed much in recent years, namely: controlled flight into terrain (CFIT), loss of control in-flight (LOC-I), mid-air collision (MAC), runway excursion (RE) and runway incursion (RI)[4]. What’s worth noting is that the potential for reducing each one of them is changing as the setting within which aviation operates is changing. Rapid technological innovation is shaping flight and ground operations. The balance between reliance on human activities and automation is changing. Integrated systems are getting more integrated.

As the contribution of human activities reduces so an appeal to culture has less impact. Future errors may be more machine errors rather than human errors.

It’s best to get back to designing in hard safety from day one. Safety related research should focus more on questions like; what does hard safety look like for high levels of automation, including use of artificial intelligence? What does hard safety look like for autonomous flight? What does hard safety look like for dense airspace at low level?

Just a thought.

[1] https://nl.linkedin.com/in/patrick-hudson-7221aa6

[2] Achieving a Safety Culture in Aviation (1999).

[3] https://www.flightsafetyaustralia.com/2017/08/safety-in-mind-hudsons-culture-ladder/

[4] https://www.icao.int/Meetings/a41/Documents/10004_en.pdf

Ockham

It’s a small Surrey village just off the A3. The Black Swan[1] in Ockham is a nice place to eat on a summer day. Although Surrey is a populous county there are many picturesque spots in its countryside. It’s best to describe the village as semi-rural as it’s an easy commute to Guildford.

It’s often a dictum used by politician, managers, and decision makers. Keep it Simple Stupid (KISS) appeals because it’s simple to remember as much as it implores simplicity.

Some sayings are plain folk-law and get repeated because they strike cord with everyday lived experience. Dig a bit and there’s little logic or foundation. KISS offers both a sense that it’s common sense and that there must be some underlying reasoning behind it. Surely, it must be more efficient to try to keep arrangements as simple as possible. That might be processes, procedures, training or even designs.

Although KISS is highly appealing it isn’t, by closer inspection, how we live our lives. Layers and layers of complexity underly everything we do. The issue is that most of the time we do not see the complexity that serves us. A case in point is my iPhone. Yes, its human interface has been designed with KISS in mind, but its functions are provided by levels of complex circuitry and software that go way beyond my understanding. So, we have an illusion of simplicity because complexity is hidden from our eyes. Quite frankly, I have no need to know how my iPhone works. It would only be curiously that would lead me to find out.

Now, I’m going to sound crazy. Because within the complexity, I have ignored there’s a simplicity. Deep in the complex circuitry and software of my iPhone is a design that has converged on the minimum needed to perform its functions. If that were not so then this handheld device would likely be the size of a house.

Ockham’s Razor[2] is a principle of simplicity. It asks us to believe that the simplest theory is more likely to be the true one. It’s like saying nature is lazy. It will not make its inner workings more complex than is needs to be. Even when those inner working can appear complex.

I remember one of my teachers saying that mathematicians are inherently lazy. What he meant was that they are always seeking the simplest way of explaining something. If there are two ways of getting from A to B why take the long one?

The popular expression of Ockham’s Razor is: “Entities should not be multiplied beyond necessity.”

Ockham did not invent the principle of simplicity, but his name is ever associated with it. He pushed the boundaries of thinking. Not bad for a 14th-century English philosopher. 

[1] https://www.blackswanockham.com/

[2] https://iep.utm.edu/ockham/

Safety in numbers. Part 4

In the last 3 parts, we have covered just 2 basic types about failures that can be encountered in any flight. Now, that’s those that effect single systems, and their subsystems and those that impact a whole aircraft as a common effect.

The single failure cases were considered assuming that failures were independent. That is something fails but the effects are contained within one system.

There’s a whole range of other failures where dependencies exist between different systems as they fail. We did mention the relationship between a fuel system and a propulsion system. Their coexistence is obvious. What we need to do is to go beyond the obvious and look for relationships that can be characterised and studied.

At the top of my list is a condition where a cascade of failures ripple through aviation systems. This is when a trigger event starts a set of interconnected responses. Videos of falling dominoes pepper social media and there’s something satisfying about watching them fall one by one.

Aircraft systems cascade failures can start with a relatively minor event. When one failure has the potential to precipitate another it’s important to understand the nature of the dependency that can be hardwired into systems, procedures, or training.

It’s as well to note that a cascade, or avalanche breakdown may not be straightforward as it is with a line of carefully arranged dominos. The classical linear way of representing causal chains is useful. The limitation is that dominant, or hidden interdependencies can exist with multiple potential paths and different sequences of activation.

The next category of failure is a variation on the common-mode theme. This has more to do with the physical positions of systems and equipment on an aircraft. For example, a localised fire, flood, or explosion can defeat built-in redundancies or hardened components.

Earlier we mentioned particular risks. Now, we need to add to the list; bird strike, rotor burst, tyre burst and battery fires. The physical segregation of sub-systems can help address this problem.

Yes, probabilistic methods can be used to calculate likelihood of these failure conditions occurring.

The next category of failure is more a feature of failure rather than a type of failure. Everything we have talked about, so far, may be evident at the moment of occurrence. There can then be opportunities to take mitigating actions to overcome the impact of failure.

What about those aircraft systems failures that are dormant? That is that they remain passive and undetected until a moment when systems activation is needed or there’s demand for a back-up. One example could be just that, an emergency back-up battery that has discharged. It’s then unavailable when it’s needed the most. Design strategies like, pre-flight checks, built-in-test and continuous monitoring can overcome some of these conditions.

Safety in numbers, Part 3

The wind blows, the sun shines, a storm brews, and rain falls. Weather is the ultimate everyday talking point. Stand at a bus stop, start a conversation and it’ll likely be about the weather. Snow, sleet, ice or hail the atmosphere can be hostile to our best laid plans. It’s important to us because it affects us all. It has a common effect.

We started a discussion of common-mode failures in earlier paragraphs. We’ll follow it up here. Aircraft systems employ an array of strategies to address combinations and permutations of failure conditions. That said, we should not forget that these can be swamped by common-mode effects.

Environmental effects are at the top of the list of effects to consider. It’s a basic part of flying that the atmosphere changes with altitude. So, aircraft systems and equipment that work well on the ground may have vulnerabilities when exposed to large variations in temperatures, atmospheric pressure, and humidity.

Then there’s a series of effects that are inherent with rotating machinery and moving components. Vibration, shock impacts and heat all need to be addressed in design and testing.

It is possible to apply statistical methods to calculate levels of typical exposure to environmental effects, but it is more often the case that conservative limits are set as design targets.

Then there are particular risks. These are threats that, maybe don’t happen everyday but have the potential to be destructive and overcome design safety strategies. Electromagnetic interference and atmospheric disturbances, like lightning and electrostatic discharge can be dramatic. The defences against these phenomena can be to protect systems and limit impacts. Additionally, the separation or segregation of parts of systems can take advantage of any built-in redundancies.

Some common-mode effects can occur due to operational failures. The classic case is that of running out of fuel or electrical power. This is where there’s a role for dedicated back-up systems. It could be a hydraulic accumulator, a back-up battery, or a drop-out ram air turbine, for example.

Some common-mode effects are reversable and tolerable in that they don’t destroy systems and equipment but do produce forms of performance degradation. We get into the habit of talking about failure as if they are absolute, almost digital, but it’s an analogue world. There’s a range of cases where adjustments to operations can mitigate effects on aircraft performance. In fact, an aircraft’s operational envelope can be adjusted to ensure that it remains in a zone where safe flight and landing are possible, however much systems are degraded.

Probabilities can play a role in such considerations. Getting reliable data on which to base sound conclusions is often the biggest challenge. Focusing on maintaining a controllable aircraft with a minimum of propulsion, in the face of multiple hazards takes a lot of clear thought.