User Interfaces that Caused a Nuclear Disaster & a Flight Crash

dinesh yaduvanshi
7 min read · Jul 17, 2021

The Three Mile Island nuclear disaster in 1979 is of particular interest to interface designers as the control panel design was considered a major contributing factor to the partial nuclear meltdown.

In 1979 the Three Mile Island nuclear power plant was the site of a partial nuclear meltdown. It was the worst accident in the history of commercial nuclear power, with small amounts of radioactive material released into the surrounding environment. Investigations were carried out to determine the exact cause of the meltdown, and it was concluded that a pilot-operated relief valve (PORV) had stuck in the open position, allowing substantial amounts of reactor coolant to escape from the system.

(Image: not the actual control room; shown only to give an idea of the complexity.)

The User Interface Design Problem

The nuclear disaster is of particular interest to interface designers because the control panel design was considered a major contributing factor to the partial meltdown. The PORV was opened and closed by operators who controlled the valve through a control panel. Many felt the operators were to blame, as they misinterpreted the information relayed through the interface. However, there was a fault with the valve: the control panel indicated that it was closed when it was actually in the open position. The indication provided by the control panel was merely a readout of the electrical signal sent to the valve, not of the valve's position. The operators had been informed that the system worked this way and that the indication was not a measure of valve position. Nevertheless, the operators falsely believed the valve was closed because the light on the control panel had gone out. Unfortunately, that only meant the electrical signal had been interrupted; the valve itself was still open.

The Design Solution

The nuclear disaster highlights the importance of designing user interfaces so that signals represent the actual status of the functions they control. If the control panel had been designed so that the indication was directly tied to valve position, the operators could have detected that the valve was ‘open’ and ensured it was returned to the closed position, preventing the coolant from escaping, stopping the system from overheating and averting the ensuing partial meltdown. Design should therefore take into account the way users expect devices to work and reflect this in the user interface.
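As an added illustration (not part of the original article), here is a small Python model of the two panel designs: a lamp wired to the command signal, as at Three Mile Island, beside a lamp wired to a position sensor, with a discrepancy check between them. The valve, sensor and scenario are constructed for this example.

```python
# Constructed model of the Three Mile Island PORV indicator problem.
# Compares a lamp driven by the command signal (the TMI design) with a lamp
# driven by a position sensor on the valve, plus a discrepancy alarm.
from dataclasses import dataclass
from enum import Enum


class Position(Enum):
    OPEN = "open"
    CLOSED = "closed"


@dataclass
class ReliefValve:
    """Pilot-operated relief valve that may mechanically stick open."""
    position: Position = Position.CLOSED
    stuck_open: bool = False

    def command(self, energised: bool) -> None:
        """Apply the electrical command the operators send from the panel."""
        if energised:
            self.position = Position.OPEN
        elif not self.stuck_open:
            self.position = Position.CLOSED
        # When stuck open, de-energising has no mechanical effect.


def signal_indicator(energised: bool) -> Position:
    """TMI-style lamp: shows the command signal, not the valve position."""
    return Position.OPEN if energised else Position.CLOSED


def position_indicator(valve: ReliefValve) -> Position:
    """Lamp fed by a position sensor on the valve stem itself."""
    return valve.position


def discrepancy_alarm(energised: bool, valve: ReliefValve) -> bool:
    """True when commanded and sensed states disagree (valve stuck)."""
    return signal_indicator(energised) != position_indicator(valve)


def run_scenario(stuck_open: bool) -> dict:
    """Open the PORV to relieve pressure, then command it closed."""
    valve = ReliefValve(stuck_open=stuck_open)
    valve.command(energised=True)
    valve.command(energised=False)  # lamp goes out on the signal panel
    return {
        "signal_panel": signal_indicator(False).value,
        "position_panel": position_indicator(valve).value,
        "alarm": discrepancy_alarm(False, valve),
    }
```

With a stuck valve the signal panel still reports "closed" while the position panel reports "open", and only the discrepancy check makes the fault visible.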

Air France Flight 447

(Image: an aircraft cockpit.)

On 1 June 2009, an Airbus A330–203 operating Air France Flight 447 (abbreviated to AF447) crashed into the Atlantic Ocean, resulting in the deaths of all 216 passengers and 12 crew members. The wreckage was not located until two years after the accident, which restricted the initial investigation into the cause of the crash. The aircraft’s black boxes were eventually recovered from the ocean floor in May 2011. The final report stated that the aircraft crashed following temporary inconsistencies between the airspeed measurements, thought to be caused by ice crystals on the aircraft’s pitot tubes, which led the autopilot to disconnect and incorrect information to be passed to the crew, who chose the wrong course of action as a direct result.

Design Problem One

Human error was cited as one of the major contributing factors in the AF447 crash, as investigations following the accident showed that the pilots’ actions led to the plane stalling, which ultimately resulted in its rapid descent into the ocean. Just prior to entering the turbulent conditions that started the tragic sequence of events, the Captain had left the two less-experienced pilots in charge while he took a sleep break; some reports suggest that at that point they were operating on just one hour of sleep each.

Unfortunately, upon entering the turbulent conditions the pilots were given a series of inconsistent airspeed readings by the cockpit computers. The inaccurate airspeeds meant the pilots lacked the necessary information to adjust the flight speed according to the external conditions.

As stated by the crash investigators, airspeed inconsistencies can have two possible consequences: the pilots go too fast, which could result in the aircraft breaking up midair, or the pilots go too slow, which could result in the aircraft stalling. From the final investigation, the crash inspectors determined that the aircraft had broken on impact with the ocean surface, rather than in flight, which indicates the plane was going too slow and had stalled as a result.

Design Problem Two

Whilst the airspeed inconsistencies prevented the pilots from accurately judging the aircraft’s speed when it entered turbulent conditions, one of the pilots also raised the plane’s nose, which was the wrong approach and directly contributed to the plane stalling. The pilot took the decision to raise the nose after the plane’s autopilot cut out, due to the pitot tubes (which measure airspeed) icing over. This was the wrong decision, but the cockpit design also did not support distributed cognition, which is the knowledge one gains from the social and physical aspects of one's surroundings.

In the Airbus range, pilots control the A330's ascent and descent using separate side sticks, which are similar to the joysticks used with computer game consoles. However, when one pilot alters the position of their side stick, the information is not relayed back to the other pilot through their side stick. In order to see what their co-pilot had done, a pilot would have to look across to the other side of the cockpit while the side stick was being moved, because the control returns to its original position once the manoeuvre is completed, with the onboard system automatically maintaining the direction and angle (e.g. a 20 degree right turn). It was therefore difficult for one pilot to determine what the other was doing, as their own side stick stayed in neutral regardless of the position of the other pilot’s side stick.

Furthermore, the high-pressure, time-constrained conditions in which the AF447 pilots were operating would have affected the captain and co-pilot, who appear to have falsely attributed the aircraft’s continued ascent to the malfunctioning system, when in fact the inexperienced pilot had simply chosen the wrong course of action in response to the inconsistent airspeed readings and intermittent error messages.

Whilst many pilots still support this design, because the high level of automation lets them direct their attention to other aspects of the cockpit user interface, the side sticks do not provide the feedback necessary to instantly identify the actions of a co-pilot. Following analysis of the flight records from the recovered black boxes, which showed the plane was responsive right up until impact, the lack of informative feedback was acknowledged as a possible contributing factor to the incorrect sequence of actions taken by the pilots, as neither the captain nor the co-pilot realised that the side stick of the most junior pilot, Pierre Cedric Bonin, was holding the nose of the plane up for the whole period leading up to the crash.

A leaked recording of the conversations between the AF447 pilots suggests that the captain and Bonin’s co-pilot only realised his mistake when it was too late to recover from the stall and remain airborne. It seems reasonable to conclude that, had the control system highlighted Bonin’s incorrect response to the emergency, the captain and co-pilot would have had enough time to override his actions, prevent the plane from stalling and ultimately avert the disaster.

Design Problem Three

Another design feature of the Airbus A330 that might have compounded the situation was the onboard computer system, which does not relay information back to the manual controls when engine thrust is automatically maintained. Once again, the Airbus design has its fans, as pilots do not have to continually adjust the controls in order to maintain a particular speed. However, the ‘Autothrust throttle’ never reflects what is going on in the onboard system, so the pilots cannot use the control nearest to them to determine the power setting; instead, they must refer to the computer screens, which many feel demands more attention and concentration from the pilots.

While Airbus maintains this is a necessary design feature, many have their reservations, including Boeing, which uses an onboard system where the manual controls move even when the throttles are in automatic mode. Boeing told the Telegraph: “We have heard again and again from airline pilots that the absence of motion with the Airbus flight deck is rather unsettling to them”.

Therefore, the lack of physical feedback through the pilots’ controls may have been an unhelpful aspect of the A330 on Air France Flight 447, increasing the pilots’ sense of confusion and heightening their anxiety, which ultimately led to their failure to correct the aircraft’s speed and flight angle.
