Wednesday, October 24, 2007

Another example...

...of desktop computer mentality causing short-circuits in design. A Predator B crashed in April of last year while flying for Customs & Border Protection in Arizona. The accident report is very interesting:
The condition lever, which is installed in both the PPO-1 and PPO-2 consoles, serves a different function depending on whether the station is being used by the payload operator or by the pilot. In the payload operator configuration, the lever is used to control the iris of the camera. Moving the lever forward increases the iris opening, moving the lever to the middle position locks the camera's iris setting, and moving the lever aft decreases the opening. In the pilot configuration, the lever is used to control the engine fuel valve and the propeller feather servo. When in the pilot configuration, the lever has a linear analog range from 0 to 100 percent, which is divided into thirds: "normal," "shutdown," and "feather/shutdown."
Without reading the report you can probably guess what happened: control was switched from one console to the other (due to some software issue with the first, I gather) without the checklist being followed, so the position the payload operator had left the lever in was read as an engine command and the engine was told to shut down. Here's another good example:
Warning Signals: There is an audible warning when an engine failure occurs. However, the same tone is used for every warning. ... The avionics technician stated that he heard the warning, but thought it was activating because they lost the Iridium satellite.
And, apparently, there is no really useful visual signal of any sort. Naturally, the accident report found the accident to be the pilot's fault, but I have to place a lot of the blame on the design of the system. I never buy "poor training" or "poor procedure" as the explanation for such egregious design faults. It's not like 80 years of accident investigations have taught us nothing about aircraft control design and layout. A control whose meaning changes with mode and one tone for every warning: this was totally predictable.

Here's another one, about software design instead of human factors, but it proves the point as well. The aircraft is controlled mostly through a C-band radio. If you lose signal (which happens if you are out of line-of-sight) an Iridium satellite comm channel can be used. When the engine power was lost, the aircraft dropped out of range of the primary radio.
However, when the fuel was cut off to the engine and the UA began shedding electrical equipment to conserve battery power, the Iridium system was one of the items that was shed. The UA is also equipped with an auto-ignition system, but this system will not work unless the Iridium system is operable.
Who decided that the only backup control channel should be turned off? This is like (on a manned aircraft) turning off the backup hydraulics. Worse, the auto-ignition system that might have restarted the engine also needs Iridium, so shedding that one box removed both the backup link and the means of recovery. All of this, I think, is exactly in line with many of my rants about somehow forgetting good design principles just because it's a computer, and everything is new.
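To make the first problem concrete, here is an added example of mine, not code from this post and not the aircraft's control software, of the kind of hand-over interlock that would have caught the console switch. It assumes a pilot-side band order with "normal" at the forward end (the report excerpt above does not say which third is which) and a rule of my own: after a role switch the lever is ignored until it has been moved into the band that matches what the engine is actually doing.

```python
from dataclasses import dataclass, field
from enum import Enum

THIRD = 100.0 / 3


class Role(Enum):
    PAYLOAD = "payload"
    PILOT = "pilot"


def band(position: float, labels: tuple) -> str:
    """Map 0..100 lever travel onto three labels, listed aft to forward."""
    if not 0.0 <= position <= 100.0:
        raise ValueError(f"lever position {position} outside 0..100")
    if position >= 2 * THIRD:
        return labels[2]
    if position >= THIRD:
        return labels[1]
    return labels[0]


# Aft-to-forward meaning of the three bands in each role. The payload order is
# from the report (aft closes the iris, forward opens it); the engine order is
# my assumption, with "normal" at the forward end.
BANDS = {
    Role.PAYLOAD: ("iris", ("close", "lock", "open")),
    Role.PILOT: ("engine", ("feather", "shutdown", "normal")),
}


@dataclass
class Console:
    role: Role = Role.PAYLOAD
    lever: float = 50.0    # middle third: iris locked while the payload operator has it
    armed: bool = True     # whether lever movement currently drives anything
    state: dict = field(default_factory=lambda: {"iris": "lock", "engine": "normal"})
    events: list = field(default_factory=list)

    def _apply(self) -> None:
        target, labels = BANDS[self.role]
        self.state[target] = band(self.lever, labels)
        self.events.append(f"{target} {self.state[target]}")

    def move_lever(self, position: float) -> None:
        self.lever = position
        target, labels = BANDS[self.role]
        if self.armed:
            self._apply()
        elif band(position, labels) == self.state[target]:
            # The lever now agrees with what the target is actually doing:
            # hand control over without issuing any command.
            self.armed = True
            self.events.append(f"lever armed for {target}")

    def switch_role_naive(self, role: Role) -> None:
        """The failure mode: the lever's position is reinterpreted at once."""
        self.role = role
        self._apply()

    def switch_role_safe(self, role: Role) -> None:
        """Hand-over interlock: disarm until the lever matches the new target."""
        self.role = role
        self.armed = False
        self.events.append(f"switched to {role.value}, lever disarmed")


def reenact(safe: bool) -> Console:
    """Constructed scenario: the payload operator leaves the lever mid-travel,
    then the pilot takes over the same console and makes a small adjustment."""
    c = Console()
    (c.switch_role_safe if safe else c.switch_role_naive)(Role.PILOT)
    c.move_lever(45.0)  # still in the middle third
    return c
```

With the naive switch the lever's mid-travel position becomes "shutdown" the instant the pilot takes the console; with the interlock the engine keeps running until the pilot has deliberately moved the lever to "normal", and only then does the lever start issuing engine commands.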
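And for the second problem, an added example, again mine and not the aircraft's actual power management, of load shedding that respects dependencies: a load inherits the priority of anything that needs it, and when a load is shed, anything that can no longer work without it is shed as well instead of being kept as dead weight. The inventory, wattages and priorities are constructed; only the auto-ignition-needs-Iridium relationship comes from the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Load:
    name: str
    watts: float
    priority: int                   # lower number = shed later
    needs: frozenset = frozenset()  # loads this one cannot function without


# Constructed inventory; only the auto_ignition -> iridium dependency is from
# the accident report. The priorities are my assumption of what a designer who
# sees Iridium as "just a backup link" might assign.
LOADS = [
    Load("flight_controls", 40, 0),
    Load("auto_ignition", 5, 1, frozenset({"iridium"})),
    Load("c_band_radio", 30, 2),
    Load("transponder", 15, 2),
    Load("iridium", 25, 3),
    Load("payload_camera", 60, 4),
]


def effective_priority(loads):
    """A load inherits the best (lowest) priority of anything that needs it,
    propagated through chains such as a -> b -> c."""
    eff = {l.name: l.priority for l in loads}
    changed = True
    while changed:
        changed = False
        for l in loads:
            for dep in l.needs:
                if eff[l.name] < eff[dep]:
                    eff[dep] = eff[l.name]
                    changed = True
    return eff


def shed_naive(loads, budget_watts):
    """Shed worst-priority loads first, ignoring dependencies."""
    kept = sorted(loads, key=lambda l: l.priority)
    while kept and sum(l.watts for l in kept) > budget_watts:
        kept.pop()
    return {l.name for l in kept}


def _needs_transitively(by_name, name, target):
    stack, seen = list(by_name[name].needs), set()
    while stack:
        n = stack.pop()
        if n == target:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(by_name[n].needs)
    return False


def shed_with_deps(loads, budget_watts):
    """Shed by effective priority; whenever a load goes, drop everything that
    has become dead weight because it needed that load."""
    by_name = {l.name: l for l in loads}
    eff = effective_priority(loads)
    order = sorted(loads, key=lambda l: (eff[l.name], l.priority, l.name))
    kept = [l.name for l in order]
    while kept and sum(by_name[n].watts for n in kept) > budget_watts:
        victim = kept.pop()
        kept = [n for n in kept if not _needs_transitively(by_name, n, victim)]
    return set(kept)


def dead_weight(loads, kept):
    """Kept loads whose dependencies were shed: they draw power but cannot work."""
    by_name = {l.name: l for l in loads}
    return {n for n in kept if not by_name[n].needs <= kept}
```

At a 100 W budget the naive shedder drops Iridium and keeps auto-ignition, which is exactly the report's situation: a box that is powered but can do nothing. The dependency-aware version pulls Iridium up to auto-ignition's priority and sheds the transponder instead; if the budget gets so tight that Iridium must go, auto-ignition goes with it rather than being carried as dead weight.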
