Safety Critical HCI Systems in Modern Aviation
By Ben Tristem
Human Computer Interaction (HCI) concerns the interface between user and machine. HCI plays a key role in the effectiveness of a human-user system in terms of the way information is passed between man and machine. Whatever task is being carried out, this interface must be intuitive and representative of the real world. The aim is to allow the user to interact naturally, concentrating on the task at hand and not on the technicalities of operating the computer. Both the way in which the computer interprets the user's actions and the way in which it presents information back to the user are controlled by the design of the interface.
In real-time, safety-critical systems, the effectiveness of HCI becomes critical. What better example than the cockpit of a modern aircraft? Gone are the days of hundreds of discrete, mechanical instruments. The modern 'glass cockpit' comprises two or three computer screens! Here we have an example of human lives depending on how effectively a computer system can interpret control input from a pilot, and indeed on how it relays information back to the pilot.
Aircraft represent two-way interactive, safety-critical, real-time systems. There is a loop of information passing as follows:
A new concept in aircraft control is 'fly-by-wire'. Gone are the days of mechanical links from the pilot's controls to the control surfaces of the aircraft. By reading the pilot's actions into a computer and relaying this information through optic fibres, it is possible to save considerable weight, whilst increasing agility and efficiency. More importantly, the pilot no longer directly controls the aircraft! The computer controls the aircraft to produce the effect that it believes the pilot desires, according to the pilot's classical knowledge of flying an aircraft. The fact is that the majority of modern aircraft cannot fly at all without the help of a computer!
This is an example of HCI providing an interface to the real world that feels 'natural'. So much faith has been built in a computer's ability to fly aircraft that, in a lot of cases, it has the last say in an emergency situation! From the point of view of simply controlling the aircraft, I personally believe that a computer is more suited than a human to the fast and clinical decision making that may be required to save lives in a rapidly developing emergency situation. However, strong reliance is still placed upon the human being to give the computer the correct information about the environment it is in.
There are numerous examples of accidents caused by the failure of a pilot to enter information into a flight computer accurately, resulting in the computer making a poor last-second decision that cost human lives! The computer's ability to take into account external factors such as weather, human behaviour, birds etc. will be expanded upon in the next article. I will also be considering whether the pilot should have any direct control over the aircraft, with examples supporting both the elimination of the pilot and the reduction of automation.
A lot of the information that a pilot receives in a simple aircraft requires some mental manipulation before it is of use. This introduces the possibility of human error, increases pilot workload and takes precious time in an emergency. Modern aircraft do this translation for the pilot, saving both time and mental capacity. The problem is that as these translations become increasingly complex, there is the risk that the pilot is not getting the information he requires to make a solid judgement.
A modern pilot's job involves a considerable proportion of time spent monitoring the status of the aircraft. In an attempt to reduce pilot workload, a new concept has been developed in which the computer decides what information the pilot needs to see. This leaves the computer to monitor itself, showing the pilot only what it considers to be of concern! Great care must be taken in the design of such systems to ensure that the pilot knows exactly what information he is being given. He must be aware of the mechanics of the translation mechanism, and be able to see intuitively that the indications are correct. As soon as the translation becomes too complex for this, the pilot is no longer contributing to the safety of the aircraft and must implicitly trust the computer's judgement. At this stage, I believe that the pilot should be removed altogether, as he may be tempted to make a poor decision based on his unclear perception of the situation his aircraft is in.
Peter G. Neumann has carried out some research into the relative numbers of cases involving deaths and risks to lives due to computer failure in various environments. He finds that aviation (commercial and military) accounts for by far the most incidents, with 84 cases versus the next worst at just 30! This is good evidence to support my further specialised investigation in subsequent articles.
We must also bear in mind that 'computer failures' refers to incidents that are almost always attributable to human error, be it at the concept, design, testing or usage stage! I will be ignoring errors caused by highly improbable events affecting the operation of the computer, such as power supply glitches etc. After all, it is human error if the hardware design allows these errors to occur anyway! I will be going on to concentrate on what must be considered at the design stage to ensure efficient and correct interaction between pilot and aircraft.
Peter G. Neumann, 'Computer-Related Risks', Addison-Wesley, 1995
(1000 words)