by
John A. Wise Mark A. Wise
Embry-Riddle Aeronautical University University of Central Florida
Daytona Beach, FL Orlando, FL
Presented at and in the Proceedings of the
Workshop on Flight Crew Accident and Incident Human Factors.
McLean, VA, 21 - 23 June 1995
It is argued that it will be difficult to identify potential problem areas in new technology areas a priori because of the lack of theory and/or hypotheses to tell one were to look. Random searches, or searches based on theory relevant to old technology, will be of limited value. Some non-standard approaches to the problem area are discussed.
"All men by nature desire to know." Aristotle, Metaphysics, (p.1)
Rapid advances in technology and software have provided the capability to develop very complex systems that have highly interdependent components. While this has permitted significant increases in system efficiency and has allowed the development and operation of systems that were previously impossible (e.g., negative stability aircraft), it has also brought the inherent danger of system induced catastrophes. Perrow (1984), in his book Normal Accidents, has demonstrated that highly-complex systems with highly interdependent components have an inherent disposition toward massive failure.
Systems that have high intradependence often create new types of failures. Interrelated components that were previously independent can cause unpredicted failures in each other. For example, the tests of wide-bodied aircraft initially used the same criteria for cabin depressurization as older narrow bodied aircraft. As a result, when the DC-10 lost a cargo door in flight (an unskilled ground crew could not lock it properly because of the complexity of the procedure), the insufficient means of depressurizing the cabin caused the floor to buckle jamming the controls. The unpredicted intradependence between ground personnel skill, procedure complexity, cabin pressure, and flight controls resulted in a crash and the loss of many lives.
As complex systems become more intradependent, interdisciplinary issues become more critical. Nowhere is this more true than in the person-machine interface. It is likely that new operational interface problems will reside in locations where disciplines (and the system components relevant to their domain) meet and interact. It is in these intellectual intersections that most new compromises and cross-discipline trade-offs are made. And it will be in these intersections, that new interface induced failures will emerge that will probably not have been anticipated. It is also in these intersections that it will be the most difficult to determine where to look for potential faults a priori.
Given the above issues, it is difficult to argue against the goal of this meeting: to identify ways of predicting where problems will exist &endash; before they occur &endash; so as to mitigate their consequences. However, we will argue that the odds of such an undertaking being successful are low. The history of science is ripe with debates on this issue, but it is generally accepted today that any search is alway guided by some theory or hypothesis. Pirsig (1974) in his classic book Zen and the Art of Motorcycle Maintenance debated the origin and value of knowledge and quality. He noted that there has been a long debate within the philosophy of science of how science and scientific theories develop. Pirsig was describing the arguments of the French philosopher and mathematician Henri Poincaré when he wrote:
Which facts are you going to observe? he [Poincaré] asked. There is an infinity of them. There is no more chance that an unselective observation of facts will produce science than there is that a monkey at a typewriter will produce the Lord's prayer. (Pirsig, 1974, p. 237)
The equivalent in the current discussion would be that "there is no more chance that the unselective observation of aviation data will produce insight into future accidents than there isÉ" So one needs to ask the following basic questions/. How do we develop selective observations in areas where little theory or other insight exists? How do we know where to selectively look when we are using a new technology or when we are using a procedure that has never been applied?
The scientific model, as Poincaré has noted, is particularly weak at making predictions without an underlying theoretical base. As a matter of fact many philosophers of science have argued that it is impossible for science to work at all without theory to guide the search. The scientific method itself is rooted in the empiricist philosophy of the John Locke, George Berkeley, and David Hume. These philosophers maintain that all knowledge is gained through empirical, a posteriori experience or observation. These scholars have taught us that step one of the scientific method is the statement of the problem and step two involves developing hypothesis. Scientific research involves the testing of the hypotheses, without a statement problem or hypothesis, inquiry can not proceed within the scientific method.
The analysis and prediction of future errors or events is based primarily on the ability to infer from those which have previously occurred, and a belief that there is justification for believing that these events will or could happen again (Hume, 1748). However, to predict those events which have no historical correlate, requires something much more &endash; foresight. If, as the old adage states "hindsight is 20/20," then foresight would be at least functionally blind. History suggests that no matter how diligently and methodically a system is tested a priori, there still exists a possibility for failure. Take for example "The Unsinkable Ship," the Titanic &endash; it sank. Thus, the question becomes, "How do we form reasonable hypotheses about future?"
Even if it were possible to identify the hypotheses, the scientific method would still be extremely difficult to apply. To address the current inquiry within the scientific paradigm, the following problem statement might be established: "What events will lead to undesirable situations within the aviation system?" However, further attempts to break this problem down into more manageable tasks, proves laborious, if not futile. The complexity of the interface between human and machine provides a number options which, when analyzed mathematically approach infinity, especially when coupled with time and highly unpredictable environmental factors (both physical and psychological).
Hume (1748), Mason and Mitroff (1973), and others have also argued that science is basically a consentual method of inquiry. That is, the "truth" of a scientific theory is based on the amount of consensus for the theory exists among the scientists of that field (i.e., does it win a referendum vote?). If the topic area is new (e.g., new technologies or new procedures) there will not be much consensus, there will be much disagreement and debate. Mason and Mitroff observed that if the consentual position is at all suspect (i.e., there is not a large majority supporting a given theory) then something other than traditional science may be needed.
Unfortunately modeling and simulation, while they are extremely powerful tools in structured problem spaces, have problems when it comes to new technologies and/or procedures. Modeling and simulation use a formal (often mathematical) representation of the problem space by starting from a set of basic "truths" and then systematically build a network of more formal propositional truths.
Modeling and simulation normally have high value because they can be tested by the exacting tests of logic and mathematics, such as internal consistency, completeness, comprehension. Mason & Mitroff (1973) have argued that simulation and modeling are extremely powerful when working on well structured problems for which an analytic solution exists. Their weakness however, overlay the area of the proposed inquiry: the future of relatively unknown technologies. For example, if one had used a formal model to investigate the impact of the automobile on pollution when it was originally introduced, the result no doubt would have been that the automobile would drastically reduce pollution. (The principal pollutant at the time was horse manure which was ubiquitous and a serious health hazzard in most large cities. ) The model's basic truths would have probably not included anything issues associated with air pollution, and thus it would not have been predicted.
Several non-traditional methods of inquiry have been suggested in the literature. For example, some (e.g., Mitroff & Betz, 1972) have argued that dialectical inquiry may be the best method of investigation into future events. Dialectical inquiry (which involves an dynamic argument over common data by persons holding two polar worldviews) has the advantage that the participants will always attack the assumptions on which the opposition's predictions are made. The attacks on assumptions are critical when addressing the future. Assumptions about the future can often be treated dogma (e.g., they will never change), because it is often difficult to imagine alternative models of the world based on not yet evolved systems behaviors. For an example of this phenomenon, one only need remember a few years ago, when the real estate purveyors were telling everyone that real estate prices could only increase. A dialectical inquiry would have attacked that assumption, and at least made the public aware that a fall was possible and should be considered.
Dialectical inquiry does not guarantee any better conclusions, but it does maximize the chance that the results obtained are held with caution. As a matter of fact, dialectic inquiry would demand that an antithesis to the conclusion be immediately formed and begin to attack its weaknesses.
An other approach is to "go with what you know." Use data and knowledge that is generalizable to all systems. Following the path of experience, examine possibilities that can be reasonably inferred from the past, even if they fall upon the outer edge of the path. Additionally, it often helps to examine systems, however new or complex in a top-down manner (Wise & Wise, 1994). That is go from the systems level to the directly applied. Both of these approaches allow one to build on relevant experiences from other domains (e.g., computer science, space exploration) and form reasonable hypotheses and identify successful methods of inquiry.
Hume (1748) has argued that:
All inferences from experience suppose as their foundation, that the future will resemble the past, and that similar powers will be conjoined with similar sensible qualities. If there be any suspicion, that the course of nature may change, and that the past may be no rule for the future, all experience becomes useless, and can give rise to no inference or conclusion (p. 24).
If Hume is correct and human knowledge about the probability of future aviation accidents is based on experience or data (e.g., Aviation Safety Reporting System) will be limited to current systems and procedures. However, if there is a situation, such as the development of highly complex and intradependent systems, which have no correlate to data that we have on the past, then no conclusion can possibly reached which would lead one to discover or predict future events.
The underlying problem, with the sort of inquiry desired by the aviation community (i.e., predicting future problems), is that it is a process of searching for an answer where no question has been (or can be) defined. Additionally, the complexity and intradependence of current and future systems, coupled with the unpredictable nature of a human operator, creates an near infinite number of contingencies, making a search of all possibilities impossible. The desired inquiry is analogous to a pathologist trying to predict diseases that will occur twenty years from now. Who would have predicted the genesis and spread of HIV 30 years ago? All of the leads and clues were there, but they were impossible to perceive, to piece together. In much the same way that the clues which would lead to the prediction of future pilot and system errors do exist, however they will be virtually impossible to see without the gift of hindsight.
It should be noted that the arguments being posed here are NOT arguing that the proposed effort not be undertaken &endash; in fact, the authors would argue in its favor (see Wise & Wise, 1993; 1994). The aim of this paper has been to point out the weaknesses of traditional inquiring methods in dealing with future events. Especially, when it is anticipated that these events may have no necessary connection to past or previously examined events.
In order not to fall into an inquiry trap, in which the search for an answer is limited or defeated by using an inappropriate inquiry method, the approach that will be taken during this probe is equally as important (or more so) than the probe itself.
The cautious words of Confucius may best summarize the proposed inquiry.
"To know that you know what you know; and that you do not know what you do not know &endash; that is true knowledge." Confucius
A major question at the workshop was "What data should be included in an accident prevent database?" Given the above arguments about not being able to predict future questions a priori, it follows that one cannot predict a priori the data will be needed to answer those questions. There will always be a need for some set of fundamental data (e.g., basic flight parameters), but new technologies and new operational paradigms (e.g., free flight) will generate their own problems that will have specific data needs that will not be obvious until the problems surface. Thus, the most important data goal for the system must be flexibility! Flexibility to quickly adapt its data acquisition tools to collect new types of data in an effective and efficient manner. Flexibility to acquire relative large amounts of data on a new topic in a short period of time. Flexibility to develop new tools to collect data that has no current acquisition device. If the system is not flexible in its data acquisition capabilities, it will only help solve problems for which we already have solutions.
Aristotle, Metaphysics, (p.1)
Hume, D. (1748/1977). An Enquiry Concerning Human Understanding. Indianapolis: Hackett Publishing Co.
Mitroff, I.I. & Betz, F. (1972). Dialectical decision theory: A meta-theory of decision making. Management Science, 19, B-634 -B-648.
Perrow, C. (1984). Normal Accidents: Living with High-Risk Technologies. New York: Basic Books.
Pirsig, R.M. (1974). Zen and the Art of Motorcycle Maintenance. New York: Bantam New Age Books. (May 1982 Edition)
Wise, J. A. & A. Debons (Eds.). (1987). Information Systems: Failure Analysis. Berlin: Springer-Verlag.
Wise, J. A., V. D. Hopkin, & M. L. Smith (Eds.). (1991). Automation and Systems Issues in Air Traffic Control. Berlin: Springer-Verlag.
Wise, J.A., & Wise, M.A. (1993). Basic considerations in verification and validation. In: J.A. Wise, V.D. Hopkin, & P. Stager (eds.) Verification and Validation of Complex Systems: Human Factors Issues. Berlin: Springer-Verlag.
Wise, M.A., & Wise, J.A. (1994). On the systems approach to certify advanced aviation technologies. In: J.A. Wise, D.J. Garland, & V.D. Hopkin (eds.) Human Factors Certification of Advanced Aviation Technologies. Daytona Beach, FL: Embry-Riddle Aeronautical University Press.