President's Message From the Editor's Desk Outside the Lines In the Spotlight: A Tribute to Trevor Kletz Making Safety-Related Decisions Gains from Losses: System Safety Commentary on Accidents and Other Events Special: 26th International System Safety Conference: Innovations and Legacy Tech Corner Chapter News Mark Your Calendar About this Journal Classifieds Advertising in eJSS Contact Us Puzzle

Vol. 44, No. 6 • Nov.-Dec. 2008
Gains from Losses: System Safety Commentary on Accidents and Other Events
There is More to 'Human Error' Than Just Pilot Error

by John Livingston

Shortly after the International System Safety Conference (ISSC) in Vancouver, there was an Associated Press article in our local newspaper entitled "Human Error Behind Predator Crashes" that caught my attention. The reporter discussed the findings of an Air Force researcher, which focused on lack of training and the role of peer pressure in DoD accidents.

The Air Force researcher had linked the growing number of Predator accidents in recent years with the need to supply pilots to meet the increasing use of the Unmanned Aerial Vehicle (UAV) aircraft in military operations. The researcher noted that in the initial phases of the Predator program, pilots typically had two or more tours in a piloted craft before coming to the UAV effort. Now, the average has dropped to one tour.

Predator mishaps were characterized as resulting from three types of human errors: inadequate skills and knowledge necessary to operate the aircraft, lack of teamwork and lack of situational awareness [Ref. 1]. It was also noted that the inexperience (and "peer pressure") were contributors to losses in failed landing attempts. The article identified a problem in the growing military use of UAVs that reminded me of a paper from our recent ISSC in Vancouver.

The paper was entitled "The Hidden Human Factors in Unmanned Aerial Vehicles," and it was authored by Dr. Chris W. Johnson and Dr. Christine Shea [Ref. 2]. The authors used a non-military Predator B accident to address factors beyond those addressed in the newspaper story. The incident cited was an April, 2006, crash of a Predator B near Nogales, Arizona. Because the craft was owned by the U.S. Customs and Border Protection agency (being operated under a contract with a private company) and was flying in United States air space, the accident was investigated by the National Transportation Safety Board (NTSB).

The flight was being flown from a ground control station located at Libby Army Airfield in Sierra Vista, Arizona. The station control consists of two nearly identical pilot payload operator (PPO) consoles, PPO-1 and PPO-2. Normally, a certified pilot controls the Predator B from PPO-1, and the camera payload operator (typically a U.S. Border Patrol agent) controls the camera, which is mounted on the UAV, from PPO-2. Although the aircraft control levers on PPO-1 and PPO-2 appear identical, they have different functional configurations depending on which console controls the UA flight (flaps, condition lever, throttle and speed lever).

As the event progressed, the pilot became aware that the UAV was losing altitude, and he began to troubleshoot the situation. He shut down the ground data terminal to trigger the UAV's lost-link procedure. This procedure (stored in the vehicle) called for the UAV to climb to 15,000 feet above mean sea level and fly a predetermined course until contact could be re-established. Because the craft had lost engine power, the UAV continued to descend below the loss-of-signal altitude level, and contact was never re-established with the Predator. The craft (OMAHA 10) collided with the terrain approximately 10 nautical miles northwest of the Nogales International Airport, in Nogales, Arizona [Ref. 3].

The ISSC paper used events and causal factors (ECF) diagrams to build an assessment. The authors started with the NTSB primary finding that the loss of the Predator was caused by the pilot's failure to use an appropriate checklist when switching control from one pilot payload operator position (PPO-1) to another (PPO-2). In making this change, he forgot to alter the position of the controls in the new position. This resulted in the fuel valve inadvertently being shut off, which, in turn, starved the engine, leading to the eventual loss of the aircraft.

The objective of the paper was to explore the contribution of regulatory and organizational factors to the event. The authors noted that the initiating event for the transfer from PPO-1 to PPO-2 was a "lock up" in the PPO-1 console, a hardware event that had occurred in the past and was procedurally controlled rather than fully corrected. While the use of an approved checklist or procedure might have helped the pilot to identify the need to reset the PPO-2 control levers, the condition of hardware and the associated maintenance practices contributed to the accident chain of events. The authors also observed that while engine data and fault annunciations were presented on the display areas for both PPO-1 and PPO-2, the information was integrated with a mass of other parameters which may have contributed to the pilot's uncertainty over the cause of the UAV's loss of altitude.

In their conclusions, the authors singled out the need for safety management structures to be used beyond the design phases, as well as the importance of adequate incident reporting and accurate maintenance logs during operational service. From an operational standpoint, they identified the need for structured risk assessment techniques to support detailed mission planning. Interestingly, they also argued for expanding the safety analysis effort to address degraded modes of operation and planning for contingency operations.

Another recent paper presented at a different conference [Ref. 4] used the Human Factors Analysis and Classification System (HFACS) approach to identify many of the same contributors as the ISSC paper did. Table 2 from that paper includes a list of "errors grouped by category," which identifies several operational and organizational issues that were part of the accident story. While the focus of the paper's recommendations is directed at crash investigations, the authors' point that there is a need to identify the complete set of root causes is also true for the system safety efforts throughout the complete program lifecycle.

This mishap certainly involves more than "pilot error." An inherent safety defect in the basic PPO design philosophy was an underlying cause. While a provision for using the second position (PPO-2) as a backup function for controlling the UAV has merit, the implementation should have been a simple "flip of a switch" rather than a multiple-step checklist to re-figure PPO-2 under contingency conditions. Procedural controls have long been recognized as the weakest form of hazard control. Systems that require operator responses, at least, need very dominant caution and warning systems to alert the operator to induced hazardous conditions. There are many aspects of this event that should be taken to heart by UAV designers and operators, as well as by the system safety community in general.

References:
1. Lindlaw, Scott. "Human Error Behind Predator Crashes," Associated Press news article, Huntsville (AL) Times, August 31, 2008.
2. Johnson, Chris and Christine Shea. "The Hidden Human Factors in Unmanned Aerial Vehicles," Proceeding of the 26th ISSC, August, 2008.
3. National Transportation Safety Board. "Aircraft Accident Report, Predator B OMAHA 10, Libby Army Airfield, Arizona, 24 April, 2006, in Technical Report NTSB-AAR-CHI06MA121," National Transportation Safety Board, Washington, 2007.
4. Carrigan, G.P., D. Long, M.L. Cummings and J. Duffner. "Human Factors Analysis of Predator B Crash," Proceedings of AUVSI 2008, Unmanned Systems North America, San Diego, CA, USA, June 10-12, 2008.

Copyright © 2008 by the System Safety Society. All rights reserved. The double-sigma logo is a trademark of the System Safety Society. Other corporate or trade names may be trademarks or registered trademarks of their respective holders.