If the avionics industry can't get HMI right, what makes us think we can?

Rich Merritt is a contributing editor to Control. He wrote an op-ed piece for his local newspaper, the Cedar Rapids Gazette, last week, and has given me permission to post it on Soundoff!! Rich's point hit me pretty hard. We've always pointed to the avionics industry and their intense insistence on human factors engineering as a model for the "control room of the future." Maybe we're further away from preventing disasters in process plants and refineries and oil platforms than we thought.

Here's Rich's editorial:

Flying is becoming more dangerous, and avionics—the computers that fly airplanes—are contributing to the problem.

As reported by the Gazette on Monday, February 16, Flight 3407 that went down last Thursday because of ice on the wings was on autopilot: "The Dash 8 Q400 plane operated by Colgan Air was equipped with a ‘stick shaker’ mechanism that rattles the yoke to warn the pilot if the plane is about to lose aerodynamic lift, a condition called a stall. When the stick shaker engaged, it would have automatically turned off the autopilot…"

I warned about this in my 2004 column in Control magazine, where I said, "…the automatic pilot may be correcting for a situation–such as wing icing–but not informing the pilots that it is having a difficult time. When it can no longer keep the plane flying safely, it suddenly disengages, and the plane corkscrews toward the ground. The pilots…are suddenly presented with a violently acting airplane in a dangerous flight condition and they have no idea why."

In that column, I was discussing a book, Taming HAL: Designing Interfaces Beyond 2001 (by Asaf Degani, St. Martin's Press, ISBN 0 312 29574), in which the author describes how ships run aground and airplanes crash. In all cases, he says, the mishaps are because of an operator interface that wasn’t up to the job.

I see that no one in the avionics industry took Degani’s warnings seriously.

Modern avionics are so good, they can fly an airplane from the moment it lifts off until it almost touches down. The pilots don’t have to do anything. So, in some cases, they don’t even look out the window. When a business jet collided with a 737 at 37,000 feet over Brazil on Sept. 29, 2006, none of the pilots reported seeing the other aircraft.

The Brazil mid-air collision was attributed to pilot error, mainly because the business jet pilots had turned off the auto-transponder that alerts other airplanes in the vicinity. If that had been on, the collision avoidance systems on both planes would have detected each other in plenty of time.

If this incident had happened ten years earlier, the airplanes probably would have passed within a half-mile of each other with no adverse effect. But modern avionics, with pinpoint accuracy from GPS technology, kept each plane exactly on course—one flying north and one flying south—so they hit each other nearly dead center.

In both accidents, the avionics was doing exactly what it was programmed to do. I have a little experience along these lines, having written avionics software for the F16, Shuttle and Skylab, so I know how rigorously these systems are tested. There is absolutely nothing wrong with the avionics, except for the pilot warning systems.

A tiny indicator light that flashes for three seconds is not as effective as an alarm horn and a loud voice that thunders, “The wings are icing and I can’t control the aircraft,” or “Turn the auto-transponder back on, you big dummy!”

Rockwell Collins produces the finest avionics equipment in the world right here in Cedar Rapids, so I hope they take it upon themselves to correct this situation.

Nevertheless, when I get aboard my flight to Florida next month, I think I’ll stick my head in the cockpit and ask, “Is the auto-transponder on? If we have icing, please don’t put it in autopilot.”

Nah, I better not. I’d probably get arrested. Talking to pilots is probably considered to be almost as dangerous as flying on autopilot.