Under et studieophold ved University of Southern California, Institute of Aerospace Safety and Management har major Cai Holt, Flyvertaktisk Kommando udarbejdet denne studie, der behandler mulighederne for indførelse af et informationssystem i fly sikkerhedstjenesten baseret på 3. generations data-systemer.
»Slumber not in the tents of your fathers. The world is advancing. Advance with it!«
Mazzani
Foreword
Air Force Manual 25-1 which provides guidance for all commanders in the USAF Management process states in Chapter 1 that, »All Air Force Commanders must insure effective management of human material and financial resources.« It goes on to say that, »Air Force activities must use technical and scientific advancements wherever they are applicable.« In the 51st year after the death of Lt. Thomas E. Self ridge, it seems very appropriate to take a good hard look at the statements in Air Force Manual 25-1 and relate them to the field of Safety, or as many prefer to call it, Accident Prevention. In more than half a century the face of aviation history has been marred and scarred by accidents. Accidents that need not have happened, accidents that destroyed, caused loss of lives, slowed progress, and decreased the capability of society. Each of the vast number of accidents had a story to tell, a message left for others to understand and learn from. Many of the messages have been received and understood; but far too many are still in storage somewhere waiting to tell their story. It has been said, that there is pattern of accidents, a pattern of accidents that occurred because too many good men left too much to too few. If Air Force Managers are to make sound decisions in the field of Safety, it is mandatory to create an information system which will insure that the few can do much more for the many good men. Development of any information system in a large organization presents numerous problems, and it can only be undertaken at great monetary expense. However, we cannot continue to believe that accident occurrence is a means of preventing accidents. We must make far more direct application of the facts in the form of a precedent which already exists. This can be done with an up-to-date Safety Management Information System, and there can be little doubt that the initial investment will be repaid in the long run by increased effectiveness. A modem information system is made possible by third generation computers and by the breakthrough in computer software systems. The author is mainly familiar with one computer-software combination; however, this paper deals with the general problem and is not related to the product of a given producer of software systems.
I
»Objectives and standards are useless unless they can be integrated into an information system capable of reporting actual measurements relating to the behavior of the variable over which control is to function.«
Arthur W. Gutenberg
What is a Management Information System?
One of the problems in working with Safety or Accident Prevention, Safety Reporting, and Accident Reporting is the lack of agreement in definition of terms like Safety and Accident with consequent lack of consistency of procedures employed by Safety Managers. The following examples illustrate the variety of definitions of Safety and Accident.
Safety (1)
Safety has been defined as the probability of a device or system not developing a hazardous failure or combination of failures which can cause accidents, when the device or system is operated in the environment for which it was designed.
Safety (2)
Freedom from those conditions which can cause injury or death to personnel, damage to or loss of equipment or property.
System Safety (2)
The optium degree of Safety within the constraints of operational effectiveness, time and cost, attained through specification application of System Safety engineering throughout all phases of a system.
Accident (3)
An unexpected or unsought event that does damage to persons or property and is not caused by enemy action.
Accident (4)
An accident is an unexpected and undesirable event which arises directly from a work situation; that is from faulty equipment or the inadequate performance of a person. There may or may not be personal injury and damage to equipment or property. Accidents, however, always interrupt the normal work routine and are associated with increased time delays or errors. For the purpose of clarity the following working definitions will apply throughout this paper:
Safety: Freedom from unexpected and undesirable events which arise from man-machine-medium interaction.
Accident: An unexpected and undesirable event which arises from man-machinemedium interaction. There may or may not be personal injury and damage to equipment or property. The accidents, however, always interrupt the normal work routine and are associated with errors or time delays.
Management Information System: A system designed for the purpose of communicating information relating to decision issues in an organization.
Safety Management Information System: A system communicating information relating to decision issues which are concerned with elimination of unexpected and undesirable events arising from man-machine-medium interaction in an organization. No system can function in an organization unless there is agreement as to what is to be done and how. An information system is a managerial tool which essentially is used in the control function of management. It follows that the job to be performed by the System to a large degree will be determined by the group goals of the organization as defined by management. The manager, therefore, must decide what the information system is to do and how. Let us take a look at who the managers in the Air Force are; those who must make the decisions: »In the Air Force there is only one class of managers - the commanders who are links in the chain of command. The managers and their managerial people are always ’in operations’.« (5) It will be noted that the definition of the Safety Management Information System used here is very broad and almost all encompassing in terms of the decision issues it must support. Typically the system also must provide for flow of information to commanders at all levels from top to bottom, from bottom to top, and from side to side in the organization thus making it an integrated whole.
II
»To stumble twice against the same stone is a proverbial disgrace.«
Cicero
The Safety Problem
Historically, Aviation Safety and Accident Prevention has had, and still has, a very strong after-the-fact orientation. It has been based on post mishap investigative techniques and related reporting. Accident Prevention has come of age in the short span of years since the days of the W right Brothers, and the accident investigators have become proficient in afterthe-fact determination of what caused the accident. Accident investigation in fact is considered somewhat glamorous, and in some cases it has even been divorced from and named a program seperate from accident prevention. This reasoning is illogical and very fallacious. Accident investigation has, however, provided an enormous mount of information about accident causative factors. In the Air Force the information is centrally stored in the Directorate of Aerospace Safety (DAS) at Norton Air Force Base, California. In recent years efforts have been made, through the use of operations researchers and statisticians, to provide meaningful information from the data base. The information is usually in the form of statistical reports and are records of situations past. »Management is oriented toward the future. It is interested in scheduling operations; foreseeing what results may be achieved and what environments will yield the best results, and determining what changes would increase operational effectiveness.« (5) Management has to translate the presented information into actions which will eliminate the deficiencies in the man-machine-medium relationship. Managers in the Air Force today are not provided with a good tool to support their decisions in the area of Safety or Accident Prevention for - among others - the following reasons:
a. The data base is compiled from after-the-fact information.
b. The data base is such that the manager cannot readily access data. He is forced to use a «go-between«. The process is time consuming and he often gets his information too late for it to be useful.
c. The manager cannot interact with his data base.
d. There is no interface with other Air Force Management Systems
The problem on hand is to provide the Air Force manager with a new tool which will assist him in deciding Safety issues. Today, however, an up-to-date Safety Management Information System can be designed to be just that. The System can overcome the above mentioned shortcomings, but most important, it has the capability of combining before-the-fact information and after-the-fact information into a meaningful whole. There cannot be a separation between the two; both are a part of the basic support of the accident prevention program. To leave any one of the two out is to deprive the program of its effectiveness and meaning.
III
»No army can withstand the strength of an idea whose time has come.«
Victor Hugo
The Tool
In this century of »Information Revolution« it is quite clear, despite the fact that very powerful machines exist for dealing with large masses of data, that most people have not yet learned to use more than a small fraction of this potential resource. This is not so surprising if one considers some of the problems involved when dealing with earlier generation Electronic Data Processing (EDP) machines. Most people have not acquired the ability to communicate with the EDP machine, and those who have are in short supply and cannot meet the demands. Users who are able to program often do not want to spend the time and effort to solve relatively small non-repetitive problems on large machines. From the individual user’s point of view, the cost involved in getting the problem into the computer is often not worth the time saved in the subsequent machine computation. Scientists realized the problems involved and began to work seriously and methodically towards a solution of the problem. They saw the need for machines of a general purpose nature as opposed to earlier more specialized installations, and they recognized the need for simultaneous use of the expensive machines by many persons at the same time to reduce the monetary cost. As a result of the research the first general purpose, time shared computers were put to use in the early 1960’s. The Department of Defense (DoD), which is the largest user of computers in the United States, accelerated the development of Time Shared Systems (TSS) by having the Advanced Research Pro jets Agency of the DoD sponsor several programs which were aimed at overcoming the difficulties in the use of EDP. In the mid sixties the TSS network was a reality. Recent advances in hardware design have resulted in a tremendous increase in capacity and a decrease in cost of large random-access, data storage devices; high speed, low cost, data communications equipment, and remote input and output terminals. The development of third generation central processors with complex interrupt, memory protection and parallel inputoutput features coupled with breakthroughs in construction of data base systems and user oriented languages have completed the powerful new tool waiting to be put to use by managers of the Air Force Safety ProgramSome of the capabilities of a general purpose computer system are listed below:
• The user of the system may converse directly with the computer in an on-line English dialogue.
• The user can write and alter programs at his own terminal and has the use of a number of »built-in« programming aids and error checking systems.
• The system allows the non-programmer to perform complex data management functions on-line. It has the capability to organize, manipulate and perform various other operations on large collections of data in a data base.
• The user can construct his own tables, graphs and charts, and have them displayed pictorially on a cathode ray tube scope.
• The user has total acces not only to the complete computational power of the computer, but also to the many service programs within the system.
• Several terminals can »link up« and work jointly on a problem.
• It allows the user to define his own information system elements, and to specify the browsing, searching and qualifying capabilities desired. Qualifying is based upon both magnitude of response received and rank ordering of relevant material in the file.
• It provides selective printout of document information as well as printout of total information in storage.
• The system will instantly provide and compare reports as required.
• The user can through »key acces« protect his programs against unauthorized access by other users.
• The user can learn to communicate with the computer in a m atter of 8-12 hours.
»Give me a system that will tell me how many red haired pilots, flying in a T-6, have collided with a church steeple at night.«
Andrew Reid
Until recently this was only a Safety Officer’s dream, but with modern computers systems the dream may very well come true.
IV
»If a man will begin with certainties, he will end in doubts; but if he will be content to begin with doubts, he will end in certainties.«
Francis Bacon
The Approach
With a very powerful tool now available it is possible to begin to construct the computer network which will serve not only as a Safety Management Information System for Air Force Managers but also as a very effective means of communication. It is a managerial task to decide whom the system must serve directly (on-line through terminals), whom it must serve indirectly (off-line) and how the basic inputs from the line units should be constructed in order to structure the future data base in the most meaningful way. It must be borne in mind that both pre-mishap and post-mishap information is needed.
If the computer is located at DAS at Norton AFB, the Directorate will be in control of the basic data base and in a good position to use the machine arithmetically to produce quantitative analyses of the input data. The Directorate can structure the data base and report formats for recurring reports to higher Headquarters. This is a matter of convenience as a report format in no way limits the information available to the user if and when required. It would be the responsibility of the DAS to provide the interfaces of the Safety System with other systems. In both pre-mishap and post-mishap prevention, as a minimum, there must be interfaces with the different Air Materiel Areas, the prime contractors and their computer systems. The Air Materiel Areas must provide sound technical inputs about the hardware systems in use by the Air Force (Aircraft, Missilies and Ordnance) not only in qualitative terms, but also quantitatively based on their computerized inputs from lower echelons about maintenance and supply. These inputs should be based on actual Mean Times Between Failures, and they should form the basis for reliability prognoses of the individual systems. The manufacturers (prime contractors) should provide initial reliability studies of the systems. They should, however, have full access to the information available in the data base about their product to allow for follow up of failure reports and for the purpose of feeding back information to the design departments for corrective and preventive actions to be taken during production. This would enhance modification instructions and production of kits to bring »in service aircraft« up to standard. To deny the manufacturers this information would be in direct conflict with the Principles of System Safety. Furthermore, legally speaking, »privileged information« protects only the manufacturer. It is of interest that the Royal Swedish Air Force, which is the third largest in the Western World, has had the manufacturer »on-line« for years, with remarkable improvements in reliability as a direct result. It is visualized that the TSS Safety Network should link Headquarters United States Air Force and all Major Air Commands with the computer directly, but it does appear possible to have initial input-output devices down to Air Division level; ultimately, all Wings should be given the opportunity to communicate directly with the computer. The lower the organizational level of involvement, the better the communication will be, and direct input-output work with the machine will reinforce the importance of quality control of the input data. This is very important, for even though it has been said many times it is still true that »garbage in results in garbage out.« W ith the enormous storage capacity of the modern computer, space is now available for input data, that up to now, have not been treated by machine. Systematized data from pre-mishap surveys would lend themselves quite readily for storage in the data bank along with hazard reports. However, less traditional inputs in the pre-mishap area should be looked for, and they should be given the same interest, as has been devoted to accident reports.
Inasmuch as present computers are already being used to process flying time, it appears reasonable to try to turn this into an asset for the Safety Program. In essence, when flying time is being computed, each aircraft commander is providing an input to the system for every flight he makes.
A minor modification of Air Force form 781 would allow the aircraft commander to transmit safety information to the computer on a routine basis, thus providing immediate high quality data about exposures to risk during his mission.
For example, by adding a few »squares« to the form, the aircraft commander could make the following kinds of inputs:
1. Problems encountered during operation
a. Man
(1) Air crew
(2) Ground crew
(3) Others
b. Machine
(1) Defects
(2) Critical for flight
(3) Others
c. Medium
(1) Supporting installations
(2) Weather
(3) Others
2. Categories
a. Safety of flight not directly affected
b. Safety of flight directly affected
c. Airmiss
d. Accident
3. Phase of operation
a. Ground operation
(1) Preflight
(2) Post flight
b. Take off
c. Departure
d. Cruise
e. Approach
f. Landing
g. Others
The approach outlined in this chapter is by no means a panacea. There can be no such thing in the field of Aviation Safety, but it does cover a larger portion of the mishap continuum than present systems do. It is based on sound principles of management, and there can be little doubt that if applied it will assist in prevention of accidents, conservation of combat potential, and an increase in mission readiness. Man must make the decisions, the machines can only carry out the details of man’s request. But the combination of man and machine properly used, can lead to achievements as spectacular as flying safely to the moon.
Cai Holt.
Bibliography
1. Dr. Igor Bazovsky, »Presentation on a Reliability Approach to Aircraft Safety,« given at USC on 20 May 1969.
2. Military Specification 38130A, 6 June 1966, System Safety Engineering of Systems and Associated Subsystems and Equipment: General Requirements for.
3. Air Force Regulation 127-4, Department of the Air Force, Washington, 28 June 1966.
4. Chapanuis, Dr. Alphonse. Research Techniques in Human Engineering. Baltimore, Maryland: The John Hopkins Press, 1965.
5. Air Force Manual No. 25.1, Department of the Air Force, Washington, 15 October 1964.
6. Koontz, Harold, and O’Donnel, Cyril. Principles of Management, Fourth Edition. New York: McGraw-Hill Book Company, Inc., 1968.
