Reducing "Crew-caused" Approach and Landing Accidents

Pilot-in-charge Monitored Approach

The human system.
 
If we accept the idea of the crew being a "total aircraft management system", we can look at how it works using typical PF/PM duties. Historically the duties of the co-pilot have been called those of the "Pilot Not Flying" (PNF), but a deliberate attempt is now being made to change the negative emphasis of this designation ("NOT Flying") to the more positive and assertive "Pilot Monitoring" (PM).
 
One standard CRM textbook describes it this way: "The PM has many tasks to accomplish in support of the PF but the primary job of the pilot monitoring is to monitor the progress of the flight and PF's performance to detect any threat or error that can lead to negative consequences.  If a threat or an error is detected, that crewmember's job then becomes an assertive challenge that will identify the threat so the error does not occur, or identify the error so there are no negative consequences".
 
Or, as succinctly put by Boeing's Chief Pilot for Regulatory Affairs: "The task of the Pilot Monitoring is to prevent the Pilot Flying from killing the crew and passengers and from damaging the airplane".
 
This arrangement can be analysed from two different perspectives. One is a “mechanistic” approach, looking at it from a system design perspective, in terms of crew members as components with interconnections and reliability criteria. There is also what could be called a “humanistic” approach, with a social interactions perspective, dealing with relationships and perceptions, society and culture. However, either approach points to the same conclusion: the basic crew co-ordination SOP must be changed to meet today's safety challenges.
 
A fail-safe system design?
Envisage an aircraft system like that in the next diagram.
It has a primary and a secondary control unit, manufactured to have the same basic design characteristics. However, the "primary" unit is processing more input parameters than the "secondary" (5 compared to 3). It is also more powerful (100 W output compared to 50 W), and has a higher reliability (a failure probability of 10^-4 vs. 10^-3).
 
In the total system's normal operating mode, the secondary unit includes the output of the master unit as one of its inputs. Its normal function is to process all the inputs in the same way as the master unit, and compare its own output with the master unit's. If both are the same, the secondary adds its output to that of the primary controller.

The overall control system also has an alternate mode.

In this alternate mode, the secondary controller must detect and rectify faulty outputs from the primary, and if the fault continues, disconnect the primary system and take over with its own, correct, output.

But when we examine this, we can see there are a number of flaws.

  • The secondary unit lacks some of the inputs of the master.
  • One of its inputs is that of the master unit itself.
  • It is less reliable than the master unit, so it is more likely to be the one in error if it computes a different output from the primary.
  • It has less output power to operate the “torque switch” and take over, if it correctly detects a failure in the primary.

Few engineers, and not many pilots, would see this as a "fail-safe" system with 10^-7 reliability. A "Failure Mode and Effects Analysis" would reject this system design as inherently unsafe. Engineers would soon find a simple solution: they'd switch the initial function between the two units, and put the comparator in the master unit. Then an inherently unreliable system would become much safer.
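As an added illustration of the failure-mode analysis sketched above (not part of the original article), the model below assigns the page's failure figures to the two units and compares the two comparator placements. The coupling, take-over and "who wins a disagreement" assumptions are constructed for the model and are not stated by the article.

```python
"""Simple failure-mode model of the two-controller system.

Constructed assumptions (not from the article):
- each unit independently computes a wrong output with probability
  P_PRIMARY or P_SECONDARY per operation (the page's 10^-4 and 10^-3);
- because one of the secondary's inputs is the primary's own output, a
  wrong primary output is copied by the secondary with probability
  COUPLING, in which case both outputs agree and nothing is detected;
- the unit holding the comparator wins any disagreement; the secondary's
  weaker output lets it actually take over only with probability TAKEOVER.
"""

P_PRIMARY = 1e-4     # wrong-output probability of the more reliable unit
P_SECONDARY = 1e-3   # wrong-output probability of the less reliable unit
COUPLING = 0.5       # assumed chance a primary error propagates via the shared input
TAKEOVER = 0.9       # assumed chance the weaker unit manages to disconnect the primary


def wrong_output_comparator_in_secondary(p1=P_PRIMARY, p2=P_SECONDARY,
                                         coupling=COUPLING, takeover=TAKEOVER):
    """Probability of a wrong final output with the comparator in the secondary."""
    # Primary wrong and the secondary copies the error: outputs agree, fault missed.
    copied_error = p1 * coupling
    # Primary wrong, secondary computes independently: wrong if the secondary is
    # also wrong, or if it is right but cannot overpower the torque switch.
    independent = p1 * (1 - coupling) * (p2 + (1 - p2) * (1 - takeover))
    # Primary right, secondary wrong: the secondary "corrects" a good output with
    # its own bad one, and being the comparator it wins the disagreement.
    false_correction = (1 - p1) * p2
    return copied_error + independent + false_correction


def wrong_output_comparator_in_primary(p1=P_PRIMARY):
    """Probability of a wrong final output with the comparator in the master.

    The master's output is used whenever the two disagree, so the system is
    wrong exactly when the master is wrong; a wrong secondary is just dropped.
    """
    return p1


def improvement_factor():
    """How many times less likely a wrong output is after moving the comparator."""
    return wrong_output_comparator_in_secondary() / wrong_output_comparator_in_primary()
```

Under these assumptions the secondary-comparator design is dominated by the secondary's own 10^-3 error rate, and moving the comparator to the master improves the outcome by roughly a factor of ten, whatever the coupling and take-over values.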