Aviation safety analysis
Author(s): Ausrotas, Raymond A.; Hansman, Robert John.
Transportation Systems Center.
Massachusetts Institute of Technology. Flight Transportation Laboratory
Introduction: Just as the aviation system is complex and interrelated, so is aviation safety. Aviation safety involves design of aircraft and airports, training of ground personnel and flight crew members, maintenance of aircraft, airfields, en route and terminal area navigation and communication facilities, definition and implementation of Federal Aviation Regulations (FARs), air traffic control procedures and much more. Ultimately, every part of aviation has a safety aspect. No other transportation mode has its safety record so rigorously scrutinized. In part this is due to the general societal (and media) fascination with infrequent large disasters, in part because U.S. legislators have a personal interest in air safety, as they rely upon aircraft for their seasonal commutes to Washington, and in part because people in the industry are aware that their paychecks ultimately depend on their customers' perception that travel by air is as safe as possible. (Various airlines still conduct aircraft familiarity classes for travelers who have a fear of flying, although as the younger generation of Americans gains experience with airlines, this particular phobia should become less prevalent.) Aside from the industry's self-enforcement attempts, the Federal government tries to assure safety of the traveling public through regulation. The National Transportation Safety Board (NTSB) investigates all major air carrier accidents and subsequently makes safety recommendations to the Federal Aviation Administration (FAA) - which the FAA may or may not choose to accept. One of the long-lasting standoffs in aviation safety is between the NTSB (backed by Congressional committees), whose sole concern is safety, and the FAA, which must also take the economics of safety regulations into account - unless it wishes to run into a buzzsaw of industry reaction every time it changes (or issues) a FAR.
On the international side, the International Civil Aviation Organization (ICAO) issues technical rules affecting aviation safety, although such decisions as its upcoming ruling on twinjet aircraft over-water flights may be tinged with economic considerations as well. But for safety regulations, whether external or internal to the aerospace industry, to make any sense, they must be grounded, to some degree, in reality, i.e. they must be backed up by some technical, statistical, or economic factors which people can address on their own merits. The more quantitative the supporting data are for rule justifications or changes, the greater the likelihood is that the regulations will be successfully promulgated and accepted by industry. Thus aviation safety analysis came into existence. Most broadly stated, the purpose of safety analysis is to improve safety. The spectrum of analysis ranges from the investigative to the predictive. At one end of the spectrum is the after-the-fact investigation of accidents and a search for causes; at the other end is the attempt to seek out likely causes (or, more typically, combinations of causes) of system failure before the system is put into operation. However, the great quandary of aviation system analysis is the lack of sufficient data to make probabilistic statements - even while the goal of this analysis is the elimination of the very accidents that provide the data. Practitioners of classical statistics, who have grown up considering probability as the likely outcome of an event based on a large number of repeated trials, face a mental hurdle when asked to accept the concept that an event which has never taken place can nevertheless be assigned a 0.95 probability of success.
This is essentially the dichotomy between the investigative and the predictive ends of safety analysis - one is based on few accidents (but real accidents nonetheless), the other is based on more subjective probabilities of system (and subsystem) failures. But safety analysts cannot throw up their hands and say that there is insufficient data after only one accident occurs and simply wait for the next one to happen. They must combine forces with their predictive brethren and attempt to head off the next accident. Only when this becomes the rule will aviation safety analysis rest on a sound base. Until this millennium, however, much remains to be done to improve safety analysis at each end of the analysis continuum, and also where the two occasionally intersect by chance. The investigative techniques depend on data: of incidents, accidents, near misses, and the like. The FAA, NASA, NTSB, ICAO, aircraft manufacturers, airlines, etc., all maintain various types of data bases, most of which are incompatible (in the sense that they keep track of slightly different variables). A further complication is that some bases are computerized (different data base management systems are usually involved) and some are manual. The safety analyst, attempting to establish broad trends, is immediately faced with this incompatibility problem. Still, if the focus of the investigation is narrow enough (for example, a failure of a mechanical part on a specific aircraft), it may be possible to extract enough information from the various data bases to find a definitive cause. This is especially true when the cause of the incident is, in fact, mechanical - it is here that repeated failures should be noticed, isolated, and corrective action taken.
Flight International (1984) provides a typical example that an alert safety analyst (or system) should have anticipated and caught: "Mis-rigging of the baggage door operating mechanism and the failure of the door warning arrangements to give adequate warning of door safety led to the fatal crash of a Dan-Air BAe 748-2A in June 1981, according to the official report. The baggage door at the rear end of the cabin blew out and became fixed on the tailplane, thus making the aircraft uncontrollable. Subsequently, the wings were overstressed and suffered structural failure. The condition of the door operating mechanism, says the report, made it impossible to lock the door fully using the outside handle. But it was probably by the outside handle that the door had last been closed. Crew checks failed to discover the fault because of "a combination of shortcomings in the design, construction, and maintenance of the door warning systems and the appearance of the visual indications". The report notes that there have been 35 instances of the 748 baggage door malfunction reported in the past". Very rarely do accidents have such obvious design-induced crew error precursors. Most accidents result from interactive causes, rather than one specific factor, and one of the causes is, invariably, a human being - the pilot, the air traffic controller, or the maintenance worker. These acts of human beings do not fit readily into data banks, there to be identified by a specific parts number, and the safety analyst must now switch to the other end of the spectrum and try to isolate the sequence of events that leads to "pilot error". These accidents involving human performance usually turn out to be one-of-a-kind events - and it should be the aim of the safety analyst to ensure that they remain so. Data unavailability and incompleteness, however, are always present and it is up to the skill (and luck) of the analyst to uncover the sequence of events leading to the accident.
If a procedural error is found, it can be immediately corrected; more difficult are those amorphous incidents where it is not at all clear why there was human error. (If it were possible to obtain quantitative estimates of human performance, such as human error rates per task, it would be a simple matter to incorporate them into operational reliability equations to determine system reliability.) Just as the role of analysis of incident and defect reporting systems should be to find mechanical failures before they become accidents, the human incident reporting systems should be designed to cause humans to "confess" their incidents so that the analyst can isolate potentially dangerous trends and practices before they too become accidents. (The Aviation Safety Reporting System (ASRS) managed by NASA is a step in the right direction.) The purpose of this report is to discuss various aspects of aviation safety analysis, ranging from general aviation to the public transportation system, and then to make some recommendations for improving the methodology of safety analysis.
April 1984
Includes bibliographical references
Cambridge, Mass.: Massachusetts Institute of Technology, Dept. of Aeronautics & Astronautics, Flight Transportation Laboratory
FTL report (Massachusetts Institute of Technology. Flight Transportation Laboratory) ; R84-1
Aeronautics, Safety measures