Tuesday, March 1, 2005
Reducing Mode Errors Through Design
Mode errors can cause everything from minor inconveniences to fatal accidents. Avionics manufacturers face special challenges in seeking to prevent such miscues.
Technology has allowed avionics manufacturers to build more features into smaller pieces of equipment. While this enables sophisticated systems for smaller aircraft, it raises the level of interface complexity and increases the potential for certain types of pilot error. "What's it doing now?" has become a common question in the flightdeck since the introduction of flight management systems (FMS). It usually expresses some degree of mode confusion.
Because panel space is limited, the number of functions often far exceeds the number of controls available to access those functions. Many controls have to perform multiple duties. Thus the mode of an avionics device or system is key. It often determines which function can be activated through a particular control.
A Mode Defined
Modes are collections of system actions associated with different system states. An avionics mode is analogous to the universal remote for controlling your television, DVD and radio. Have you ever pressed the power button to turn on the DVD player but turned off the TV instead? Unknown to you, the remote was in the TV mode rather than the DVD mode. Some users, including pilots, have gotten so tired of making these mode errors that they have thrown away the universal remote and now use separate remotes for the various products. They prefer the clutter of multiple remotes to the inconvenience of constant mode errors.
Mode awareness is more critical in aviation because similar pilot inputs--in different modes--can produce drastically different results. In the case of a mode error, the pilot assumes a unit is in one mode, when it is actually in another mode. In some aircraft systems it is relatively easy to slip from one mode into another without knowing it. And sometimes the transition between modes is automatic, not commanded by the pilot.
While mode errors in the flightdeck can cause minor inconveniences, they also can lead to fatal accidents. In 1991, for example, an Airbus A320 crew mistakenly selected a negative vertical speed rather than a flight path angle descent, resulting in a much steeper descent than they had intended (see Sept. 2004, page 42). In that case, the flight control unit was in vertical speed mode when the crew assumed it was in flight path angle mode. While this was a relatively simple input error, accidents also have resulted from crews' failing to understand complex mode transition and reversion logic. Several companies are working on new avionics designs to reduce the likelihood of such errors and improve crew understanding of aircraft modes.
Input and Display Modes
Mode errors can occur at several levels. At the device level, they can be limited to errors involving the selection or control of functions within a single unit. Selecting flight path angle vs. vertical speed--like turning off the TV with the universal remote--is a device-level input error because it happens within the autopilot. The likelihood of committing such errors increases as the number of functions built into a product expands and, in particular, as the number of functions accessed by a given control rises.
Small-panel avionics boxes that host multiple applications--such as traffic alert collision avoidance system (TCAS), terrain awareness warning system (TAWS), weather radar, communications and navigation--are particularly susceptible to such problems. In these cases manufacturers should analyze pilot goals and associated inputs in all possible modes to ensure that no potential mode errors can produce hazardous states.
Displays also can have modes, and a pilot can produce mode errors when he takes an action in the belief that the interface is in one mode when it is really in another mode. A common example of display modes is Track Up vs. North Up on the navigation display. Confusion between these modes may have contributed to the crash of a Thai Airways International A310 in Nepal. In this accident, the crew executed a go-around after failing to land. But instead of proceeding south to set up for another attempt, they flew north into the mountains. The cockpit voice recorder clearly indicated that the crew was confused about the aircraft's direction. While the intended procedure involved a 180-degree turn to the south, the crew continued the turn to 360 degrees and ended up pointing north.
The accident investigating committee noted that the crew would have been changing navigation display modes during the procedure and that the displays that were used did not have salient directional cues. The investigators called for improved depiction of cardinal points and a more obvious map display mode indicator to prevent such reading errors in the future.
System-level modes involve the coordination of avionics "behaviors" among a collection of devices or functions. In aviation, flight control modes are the most common example of system-level modes, and they pose some of the most difficult usability problems on the flightdeck.
Flight control modes can involve the coordinated actions of the FMS, flight director, autopilot and autothrottle. Each of these devices is complex on its own, so the combinations of these devices and the mode logic controlling them can become exceedingly complex.
For example, in 1983, a Korean Airlines Boeing 747 was shot down by Soviet fighters after it strayed into Soviet airspace following a failed mode transition. After following an autopilot heading from Alaska, the crew should have engaged the inertial navigation system (INS) to follow a track across the Pacific. While they may have failed to select the proper mode, it is also possible that they selected the track mode properly on the glareshield controller, but that the aircraft never achieved the proper conditions for the mode to trigger.
According to the radar data, the Korean Airlines plane never turned toward the track. It thus never satisfied the 7.5-mile (14-km) distance from the track required for the mode transition from the autopilot heading to the INS track to take place. Consequently, the crew, having performed the required mode selection, may have assumed the mode would trigger as usual. They probably failed to realize that it never did.
A NASA study, involving researchers from the space agency, Honeywell and the University of Colorado, found that 289 rules govern the transitions between vertical modes in the McDonnell Douglas MD-11, but that the pilot training material documented fewer than half of the rules. The researchers also found that although many mode annunciations appeared similar on the flight mode annunciator, they could produce very different trajectories and behaviors. (The flight mode annunciator is the region, typically above the primary flight display, where the current and armed modes are shown.)
Designer vs. Pilot
Because of the inherent complexity of modes, designers often make decisions about mode logic that may be contrary to pilot expectations. For example, the flight level change mode of the MD-80 will "capture" the selected altitude --i.e., level off the aircraft at that altitude--but the vertical speed mode will not. From an engineering perspective, the vertical speed mode is intended to command a constant rate of climb or descent and does not logically involve an altitude target. However, a consequence of this design was that pilots who adjusted the vertical speed to smooth out an altitude transition would inadvertently remove the selected altitude from the glareshield window because adjusting the vertical speed invoked the vertical speed mode instead.
This design approach caused a number of altitude exceedances, or "busts," when the aircraft first entered service. From the pilot's perspective, there was no logical reason why adjusting the climb or descent rate should erase the altitude target. This example clearly illustrates the differences between how a design engineer and a pilot may think about the aircraft's operating logic, and how a design that is logical from one perspective can create a "trap" from the other viewpoint.
Another area of concern is automatic transitioning between modes, since the crew doesn't intentionally command such transitions and, therefore, may not know they have taken place. In some aircraft, if the ILS signal is lost during approach, the plane may transition from approach mode to vertical speed mode at the same descent rate. This is to allow the aircraft to be in the correct position when the signal is reacquired. However, if the vertical speed mode causes the aircraft to maintain a constant climb or descent rate until the crew intervenes, reversion to that mode during the approach may cause the aircraft to continue at that rate until it hits the ground.
This happened in a China Northern Airlines MD-82 accident in Urumqi, China. The autopilot disconnected during the approach and then reconnected in the vertical speed mode at 800 feet (244 m) per minute until the plane crashed short of the runway.
Researchers from Ohio State University, also with NASA funding, have investigated a variety of potential mode logic traps in full-mission Boeing 737 and Airbus A320 simulations. Nadine Sarter and David Woods placed pilots in a series of scenarios known to contain counterintuitive mode behaviors to determine how well they anticipated the behaviors and responded to them. Scenarios included:
--Aborting takeoff below 64 knots with the autothrottle engaged. (In the B737 the autothrottle continues to provide takeoff thrust, and the pilot must manually disengage it.)
--Disengaging the approach mode after ILS capture. (The approach mode cannot be disengaged by reselecting the approach mode button or attempting to select another mode in the B737.)
--Initiating a go-around below 100 feet above ground level (AGL).
Regarding the third scenario, in the A320, the autothrottle will remain engaged above 100 feet but disengage below it. With the throttle lever in the Takeoff/Go Around position and the autothrottle disengaged, the lever selects full thrust. This is because the throttle handle acts as both a mode selector and a conventional throttle control. When the auto throttle is engaged, its position selects the autothrottle mode (Takeoff/Go Around or Climb), and when the autothrottle is not engaged, the handle commands thrust like conventional throttles.
The Ohio State researchers found that a significant number of pilots failed to correctly anticipate the aircraft actions in the three scenarios. Only one out of 18 pilots successfully flew the go-around maneuver in the A320 from below 100 feet AGL without overspeeding the flaps, and he did so only by completely disengaging all of the automation and flying the aircraft manually. Five of the pilots allowed the aircraft to reach maximum operating speed near the ground.
What to Do?
Several companies and universities are designing concepts to eliminate the chance of mode errors, make the mode behaviors more intuitive to pilots, or make the modes more obvious to prevent loss of mode awareness. Researchers at the University of California at San Diego have developed a display concept that more clearly depicts the relationship between thrust, elevator and commanded climb performance. The intent is to help the pilot understand how thrust and elevator are affecting airspeed and climb rate (whether speed is on pitch or thrust) and, therefore, what the aircraft's response to pilot input will be. Because behaviors will differ between modes, researchers thought that this display will make aircraft response to pilot input more predictable regardless of the current mode.
A team of researchers at Honeywell, led by this author, developed a pilot interface concept for flight planning and flight control. The idea is to eliminate modes by giving the pilot the ability to string actions and flight path targets together into command strings that emulate the syntax of air traffic control clearances. Called the Cockpit Control Language (CCL), the concept allows glareshield, graphical user interface, and FMS control display unit (CDU) inputs to be combined into commands that tell the airplane what flight path targets to use (airspeeds, altitudes, waypoints, procedures, etc.) and whether to fly to, from, above, below or between the targets. Usability testing showed that pilots were able to learn to use the system with only about 15 minutes of training and enter complex commands--such as holding patterns around unpublished waypoints, airway intercepts and other difficult procedures--in less than an hour. This contrasts with the hundreds of hours required to learn to use a conventional flight management system.
On the CDU layout developed for the CCL, the traditional function keys have been replaced with "action" keys, such as AT, CROSS, HOLD, etc. The screen and line-select keys are now used to choose from the next likely available options. These are determined by a natural language parser, which analyzes the current command string and decides what words probably would be additions to the string.
For example, if the clearance is to "Cross Farmington above FL230," the pilot would press the CROSS action key and type in the waypoint identifier, FMN. The parser determines that the waypoint can be crossed ABOVE an altitude, AFTER reaching a position, or when AT a position, and provides the appropriate options on the line-select keys. This makes entering command strings both intuitive and efficient.
As part of the testing of this concept, researchers also compared the learning time and ease of the CCL's use with a modern graphical flight planning environment to determine whether the improvements were due to the graphical user interface or to the underlying logic of the control language. Using both systems, 10 pilots planned a route and entered a series of route modifications in response to clearances. All of the pilots using the CCL completed the scenarios in about half the time required, using the graphical flight planning tool. One pilot was unable to complete the graphical flight planning scenarios due to difficulty and lack of time. All of the pilots reported frustration with the graphical flight planning manipulations and difficulty remembering the associated procedures.
Furthermore, even though a graphical-use interface was available with the CCL, the pilots ended up using the CDU almost exclusively because the redefined logic made it easy to use, and the keyboard input was faster than the graphical manipulation.
These results demonstrated that designing a "modeless" interface, whose interaction logic takes advantage of existing pilot knowledge of air traffic control procedures, can improve usability more than simply making the conventional FMS graphical. This concept is still under development at Honeywell labs in Minneapolis.
Simplifying the Panel
Boeing is developing its own answer to the mode awareness problem. The company's autopilot interface redefines the traditional flight control modes, based on pilot goals and resulting airplane flight path, rather than on arbitrary avionics definitions. Pilots, for example, can more directly select "normal," "early," "passenger comfort," "drift down," or "emergency" descents, instead of managing the conventional modes of vertical navigation (VNAV) path, VNAV speed, vertical speed, flight path angle, and so forth.
The Boeing glareshield control panel provides regions for lateral, vertical and airspeed control. Each region has buttons to select the desired task, a knob to enter the target value, and a display showing the currently active target, the next flight plan target, and a preview field for entering new data. Every control on the panel has a simple, dedicated function and is not overloaded with multiple or conditional functions. This minimizes the likelihood of autopilot-related device mode errors. Labeling, prompting and feedback lead the pilot through tasks and help catch errors.
Each axis (lateral, vertical and airspeed) can either be "linked" to the flight plan (using FMS flight plan heading, altitude or airspeed targets) or "unlinked," using pilot-entered tactical targets. Although the design still uses modes, the modes are much more intuitive to pilots because they closely match pilot objectives. The pilot no longer has to think about how the modes provided by the aircraft should be managed to accomplish the current goals. These efforts could reduce the time required for pilot training and improve safety by decreasing mode errors.
The Most Common Mode Errors?
Mode errors have bedeviled pilots since the advent of complex avionics systems such as flight management computers. We list some of the most common types of mode errors below.
Selecting the wrong descent mode,
Misreading a display because of mode confusion,
Failing to understand flight control logic in a given mode,
Failing to recognize automatic (uncommanded) mode transitions,
Failing to recognize the lifting of flight control protections in a given mode, and
Assuming automation will perform a task when it is not enabled in the current mode.