The ESL Edge

08 Jun

When tragedy meets reality

The loss of Air France flight 447 is a tragedy principally in terms of human life, but also in the possible knock-on effect that it could have in the high-tech industry. Many years ago, I was a designer of flight control computers for Airbus and I remember at that time how uncomfortable I felt about fly-by-wire in civilian aircraft. We designed and built the systems, without simulators, without anything that would be considered a modern tool by today’s standards. Design was at the gate / board level. Verification was based on a few tests on a prototype and then relying on the test pilots to unearth the remaining problems. One of the early complaints that the test pilots had was that they had no feedback. They could not feel what the plane was doing, what forces were acting on it.

While there was a lot of redundancy in the system, and special steps were taken to try and remove any single point of failure, it always seemed to me that there was a glaring problem with that. Someone, somewhere was deciding what was normal and what was abnormal. While everything was normal, the plane would operate normally. When abnormal conditions appeared, the computers had to decide whether they believed the instruments, the other computers they were connected to, or the pilots. We were told when to “not believe the pilot”. Protocols were established whereby the pilot could say “just do it”, even if the computers knew it would lead to something bad happening. In the old, mechanical, analog systems few such discrete decision points existed, even if sometimes the ability to bring a plane back under control was limited by the strength of the pilot.

How could one person, or a group of people decide what was abnormal? It is like trying to find all of the corner cases in a complex verification problem, except that there is nothing to enclose the list of possibilities. Anything can happen, and you have to decide how to react – who to believe.
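The two paragraphs above describe a design in which redundant channels feed a voter that must decide which inputs to believe, with a separate path for the pilot's “just do it” override. The following Python voter is an added illustration, not code from this post or from any Airbus system; it exists to make those decision points visible. The plausibility range and the agreement tolerance are exactly the “what is normal” judgements the author is uneasy about, and every rejected channel is reported rather than silently dropped so that the decision is auditable. The sensor values and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Decision:
    value: Optional[float]        # selected value, or None when no channel can be trusted
    mode: str                     # "normal", "degraded", "abnormal" or "override"
    distrusted: Tuple[int, ...]   # indices of channels the voter refused to believe


def vote(readings: Sequence[Optional[float]],
         tolerance: float,
         plausible_range: Tuple[float, float],
         pilot_override: Optional[float] = None) -> Decision:
    """Pick one value from redundant channels (constructed example voter).

    readings        - one value per channel; None means the channel failed its own self-test
    tolerance       - how far a channel may sit from the consensus and still be believed
    plausible_range - values outside this band are treated as impossible and rejected
    pilot_override  - when set, the pilot's command wins regardless of what the channels say
    """
    # Override path: the "just do it" protocol. The voter records that it was bypassed.
    if pilot_override is not None:
        return Decision(pilot_override, "override", ())

    lo, hi = plausible_range

    # Decision point 1: the plausibility band is a human's definition of "normal".
    valid = [(i, r) for i, r in enumerate(readings)
             if r is not None and lo <= r <= hi]
    distrusted = [i for i in range(len(readings)) if i not in {j for j, _ in valid}]

    if not valid:
        return Decision(None, "abnormal", tuple(sorted(distrusted)))
    if len(valid) == 1:
        # A single surviving channel cannot be cross-checked; use it but say so.
        return Decision(valid[0][1], "degraded", tuple(sorted(distrusted)))

    # Decision point 2: mid-value selection and an agreement tolerance decide
    # which channels are outliers. This is the second human-chosen threshold.
    values = sorted(r for _, r in valid)
    mid = len(values) // 2
    median = values[mid] if len(values) % 2 else (values[mid - 1] + values[mid]) / 2
    agreeing = [(i, r) for i, r in valid if abs(r - median) <= tolerance]
    outliers = [i for i, _ in valid if i not in {j for j, _ in agreeing}]

    # A value is only trusted when at least two channels agree and they form a majority.
    if len(agreeing) >= 2 and len(agreeing) > len(outliers):
        value = sum(r for _, r in agreeing) / len(agreeing)
        fully_healthy = not outliers and len(valid) == len(readings)
        mode = "normal" if fully_healthy else "degraded"
        return Decision(value, mode, tuple(sorted(distrusted + outliers)))

    # No majority: refuse to invent a value rather than pick a side.
    return Decision(None, "abnormal", tuple(sorted(distrusted + outliers)))


if __name__ == "__main__":
    # Constructed airspeed-style readings in knots; thresholds are illustrative only.
    for sample in ([250.0, 251.0, 249.5],
                   [250.0, 251.0, 290.0],
                   [250.0, 290.0, 330.0],
                   [None, None, 300.0]):
        print(sample, vote(sample, tolerance=2.0, plausible_range=(0.0, 350.0)))
```

The useful property to notice is that the "abnormal" mode returns no value at all: when the channels cannot form a majority the voter reports the disagreement upward instead of guessing, which is the point in the design where the author's question of who to believe has to be answered by someone else, whether another computer or the pilot.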

Fly-by-wire is attractive to airlines because it directly equates to lower weight, and that in turn means lower fuel costs. Under normal conditions, it can also mean a smoother flight, as the computers are better at making automated fine adjustments. While I also love that this means lower fares, is it a good tradeoff? I also accept that flying is the safest form of transportation and I will never stop doing it, but when, as engineers, do we feel uncomfortable with the product that we build? When do we stand up and say that we are not comfortable with the amount or completeness of the verification we perform, especially when an error can result in the loss of life? How can engineers handle the cost tradeoffs under these conditions, or feel good when a tragedy like this happens, especially if you know that it may have been avoided if you or someone else had made a different decision?

In most professions, people are held accountable for the decisions that they make and can be sued for making wrong ones. I hope that this does not happen as it would lead to highly escalating costs and it would scare away many people from the industry. Would you continue to design and verify the things you do if you could be held liable?

One Response to “When tragedy meets reality”

  1. Ray Salemi Says:

    The question we need to ask ourselves is this:

    If there is ever a crash that is caused by a bug in an FPGA, will we be surprised to hear the news?

    I hope the answer is “Yes.”

© 2012 The ESL Edge