Things that have never happened before happen all the time.
Scott D. Sagan (The Limits of Safety)
The successful ditching of US Airways Flight 1549 into the Hudson River (15th January 2009) shows an implementation of the ‘strategic resilience’ engineered into the aviation system – in this case, the multiple layers of ‘defence in depth’ set up by to manage a total engine failure in the context of bird ingestion. Each move through one line of defence to the next is like a tactical retreat, in which sights are lowered and sacrificing decisions are made, in order to save what can be saved. At each stage, the situation gets more improbable, more variable and less controllable; the probability and potential magnitude of damage are increasing; the response options are more restricted, harder to anticipate, more constrained by time, and less reversible. So the ‘tactical retreat’ is also a shift from adaptation to de-adaptation. Hence resilience implies a combination of anticipation and serendipity: a resilient system must be both prepared and prepared to be unprepared. But there may be a negative interference between anticipation and serendipity, leading to an ‘irony of resilience’: the ‘real time’ competences needed to cope with unanticipated or extreme events at the ‘sharp end’ are exactly those which are lost in the continuous attempt to anticipate all events and to pre-determine corresponding responses at the system level. So there is a tradeoff between efficiency (linked to the degree of adaptation of a system) and flexibility (linked to the adaptation bandwidth of a system).
Many readers will probably remember the breathtaking images of the US Airways Flight 1549 ditched into the Hudson River, in New York, on 15th January 2009, with the passengers standing on the wings of the floating airliner. The entire crew was awarded, among other honours, the Master’s Medal of the Guild of Air Pilots and Air Navigators (GAPAN). The GAPAN citation read: ‘This emergency ditching and evacuation, with the loss of no lives, is a heroic and unique aviation achievement.’ Statistically, the event was indeed rare. There have been only very few documented occurrences of controlled ditching by commercial public transport aircraft. And it appears that prior to our recent US Flight 1549, only one known ditching of a passenger jet had been managed without fatalities (in St Petersburg, Russia, in 1963, an Aeroflot Tu124 jet ran out of fuel during an emergency and landed on the Neva River. All 52 people aboard survived and the jet was towed to shore).
So was the Hudson River successful ditching a miracle, a heroic achievement, or more simply an expression of some response capabilities fundamentally engineered into the aviation system, namely its resilience, as described by Hollnagel et al. (2006). And if the latter assumption is true, can we fish some good lessons from the Hudson River concerning resilience?
The main hazard at the heart of the Flight 1549 accident scenario is what aviation people call ‘bird hazard’: in-flight collisions with birds, damaging the aircraft engines or the aircraft airframe. Bird strikes are exactly the opposite of unexpected events: they have been a well recognised aviation problem for decades. Actually, the first reported collision between an airplane and a bird is apparently as old as aviation: it happened to Orville Wright in 1905 (Bird Strike Committee-USA, 2009)! Things got considerably worse with the introduction of jet aircraft. Higher speeds increased the impact energy and jet engines demonstrated both a strong tendency to inhale birds and a chronic fragility to their impact. With the growth of aviation, bird strikes have become a very common event. From 1990–2004, over 56,000 bird strikes to civil aircraft were reported to the Federal Aviation Administration (FAA) in the US. This is considered to be a mere 20 per cent of the number that likely occurred. Worldwide, the bird strike damage cost to civil aviation is estimated to be over one billion dollars. And the issue is not only losses in dollars. In the 1990s the US Bird Strike Committee estimated that there is a 25 per cent chance in any decade that birds could cause a major airline crash.
In summary, at the aviation system level, bird strikes are a well known, frequent event and the associated threat for flight safety is well understood and recognised. So why would one refer to ‘resilience’ for such a well anticipated disturbance? The quick answer is that birds cannot be kept away from the daily environment of aircraft flights, while at the same time, as the Hudson ditching illustrated, birds can inflict very severe damage to aircraft. So what is well known, frequent and anticipated at a global system level can still be a big and challenging surprise at the front line operation level.
Bird Strike Protection Strategy
A lot of effort has been made during the last decades to reduce the frequency of bird collisions by controlling wildlife where possible, in airports and their vicinity. There are a number of techniques that can reduce the number of birds in the vicinity of airports: making the environment unattractive for birds, scaring the birds or reducing the bird population. None of them can really solve the problem. An airport is a part of the local ecosystem and eliminating any one problem species will only lead to some other species taking its place. Furthermore, while the majority of encounters with birds occur at low altitudes (below 1500 feet) in the vicinity of airports, they also happen at higher altitudes and even – but very rarely – at cruise level (the world height record for a strike is 37,000 feet!). Consequently, birds are – and must be considered as – a usual component of flight environments, hence bird strikes must be considered as ‘normal’ and frequent events.
Unfortunately, aircraft are not really immune to birds. Trying to make aircraft more resistant to bird strikes has been a permanent target of airframes, wind-shields and engines certification standards for decades. Large commercial aircraft are certified to be able to continue flying after impacting birds. Jet engines are designed to withstand bird strikes, at least to some extent. They must demonstrate their ability to cope during a series of certification tests during which two-kilogram chickens, a series of eight ‘medium’ size birds and sixteen ‘small’ birds, are shot out of a cannon at their blades while running at full power. So engine blades are extremely tough, and aircraft engines routinely ingest birds without any damage. But these tests have serious limitations. Some Canadian geese subspecies weigh over 7 kg. And most of these large birds travel in flocks. No engine could be made both acceptably efficient and immune to a flock of Canadian geese. There is a trade-off here between safety and fuel-efficient air travel. As Downer (2009) puts it, ‘A pant-wetting splash in the Hudson once a decade is probably an acceptable trade for cheap and fuel-efficient air travel.’ And even flocks of small birds (e.g., starlings) can cause engine failure and substantial damage, when they are present in large numbers.
In other words, a jet engine cannot be designed and certificated to resist even rather probable encounters, not to mention the worst case scenario of flocks of large birds. So the next line of defence is set up, at the crew-aircraft system level, as follows: if any one engine is unable to continue generating thrust, the airplane will get enough power from the remaining engine or engines to safely reach an accessible runway. Hence, a commercial aircraft equipped with N engines can only be certificated if it keeps acceptable flight performance – including climb capability – with (N − 1) engines.
But when the Flight 1549 twin engine Airbus A320 carved into a flock of Canadian geese about two minutes after takeoff, at about 3000ft, several of these huge birds were sucked into both engines. This clearly exceeded the above mentioned engine certification criteria, as well as the (N − 1) engine performance condition: both engines suffered a simultaneous and sudden loss of thrust. Is there then a next line of defence available? Can it be made reasonably certain that a dual engine failure on a twin engine aircraft will only result in a ‘pant-wetting splash in the Hudson’? The answer is not straightforward.
On the one hand, a total loss of thrust is anticipated in the aircraft certification principles. Emergency flight-management resources are provided. Several systems and procedures are made available to ensure that the crew can continue to maintain some aircraft control (even if, in the case of vertical speed, this control is obviously limited). The APU (Auxiliary Power Unit – a small turbofan engine fitted in the tail of the aircraft) can be used (and was actually used by the US Airways crew), as a spare electrical power supply. A RAT (Ram Air Turbine) can be deployed (and was deployed) to produce the ultimate hydraulic pressure needed by the flight controls. Emergency procedures are provided to properly manage the remaining resources. As a matter of fact, on board flight 1549, the normal electrical supply and all three hydraulic systems remained fully operational, and the flight control law remained in ‘normal law’ at all times until the ditching. (The ‘normal law’ is the flight mode available when the whole flight control system is functioning normally: the side-stick deflection then controls the load factor independently of speed and aircraft configuration, pitch trim is automated and flight envelope protection is provided throughout the envelope.)
On the other hand, all of these emergency flight management resources can only be aiming at one thing: keeping enough control on the aircraft to pilot an inescapable descent. This is of course critical: a loss of control in flight would inevitably lead to tragedy. But what will happen at the end of the ‘controlled’ descent is much more difficult to control and most often falls into Westrum’s ‘category 3’ situation (Westrum, 2006). It heavily depends on the circumstances, that is, when and where the dual failure occurred. The situation will be very different if the engines quit during daylight, in good visibility conditions, at an altitude and distance such that the aircraft can glide to an airport and end up on a runway, than if they fail at low altitude in the middle of nowhere, amid mountains, above the sea, or above a large city. So the final outcome will depend heavily on ‘providence,’ as well as on the pilots’ gliding skills and ability to make the right decisions.
Additionally, the odds for a thrust-loss scenario over water are far from negligible, hence ditching has also been anticipated. There is a ditching procedure included to guide the crew actions. There is a set of aircraft design features intended to limit damages to the hull and facilitate the aircraft’s ability to float in case of ditching, including a ‘ditch button’ closing all valves to make the cabin watertight. There are cabin procedures for ditching and evacuation (including the routine life jacket briefing that most of us pay little attention to while settling back into our seat).
But landing a large jet on water remains a highly unusual and hazardous operation. In the case of Flight 1549, the ditching occurred 3 minutes and 30 seconds after the thrust loss. The ditching airspeed was about 130 knots – just a few knots above the minimum speed with flaps and slats in configuration 2 and landing gear up. Pitch attitude was 10 degrees nose up and the wings were perfectly level, a critical condition to avoid a potentially devastating asymmetrical impact. The aircraft fly-by-wire design and its embedded stability and stall protection and quite a large dose of luck also contributed. It was daylight, there was a clear sky and good visibility, a river rather than the open sea nearby, a smooth water surface with only a light surface wind and the crew were familiar with the area. The aircraft ability to float was reduced by severe damages to the tail generated by the impact with water with a high nose up attitude, but it floated long enough for all the occupants to be safely evacuated. The evacuation of the aircraft was a nice piece of effective cooperation among and between the cabin and cockpit crew. No boats were hit during the landing, but many were readily available at the scene to assist with the rescue.
From Anticipated Emergency to Real Time Response
What has been described above may give a feeling that the management of such an event is totally based on anticipation. As a matter of fact, even when they are well anticipated at the overall system level, emergency situations like this always come as a ‘fundamental surprise’ (Lanir, 1986) when they jump on front line operators in a handful of seconds. They immediately trigger a major cognitive conflict between current mental representations and current experience, first leading to shock and denial.
• ‘It was the worst sickening pit of your stomach, falling through the floor feeling I’ve ever felt in my life. I knew immediately it was very bad’ Chesley Sullenberger, the US Airways Flight 1549 Captain, told CBS News. ‘My initial reaction was one of disbelief. I can’t believe this is happening. This doesn’t happen to me.’
• Patrick Harten, the New York TRACON La Guardia Departure Air Traffic Controller who last spoke to Flight 1549, gave a testimony of his reaction to a Congress Panel (Committee on Transportation Infrastructure, 2009): ‘I asked him to repeat himself, even though I heard him just fine. I simply could not wrap my mind around those words.’ And when the plane disappeared from his radar screen: ‘It was the lowest low I had ever felt; Truth was, I felt like I’d been hit by a bus’ he said.
So a key question is: what capacities are needed of front line operators to properly respond to such situations? Are they specific to the emergency, or are they simply the extended implementation of daily adjustment abilities? We can see a whole set of skills and response capacities behind the Hudson success story. In spite of the initial denial phase, a very fast overall ‘operational’ comprehension of the situation was achieved. The assessment of the options was globally right and this was instrumental for the success: any decision in such a situation is a single shot. There is no ‘please try again’ button. It took a subtle balance between experience (e.g., building on past glider experience) and opportunism (e.g., taking advantage of the fortuitous presence of the Hudson amid a highly populated area; choosing a ditching location near operating boats so as to maximise the chances of rescue), self confidence (‘I was sure I could do it’ said Captain Sullenberger in a post-event interview) and awareness of limitations (a right mixture of ‘yes we can’ and ‘unable’). It took a highly dynamic (re)planning capacity, allowing for good-decisions-in-series. According to the transcript of the communication recorded between the crew and the La Guardia Departure Controller, the first intention declared by Captain Sullenberger when the engines failed was to return to La Guardia. He was then offered runway 13 by the Controller but realised it would not be possible to return to La Guardia. He then briefly considered going to Teterboro Airport and rejected this option as well.
The successful ditching also required the following of (emergency) procedures, as well as interpretation, adaptation, improvisation (e.g., the First Officer started the APU, although this was not required by the procedure) and even some kind of ‘bricolage’: a relight attempt procedure started, not finished due to lack of time, the ditching procedure started, not finished by lack of time, and so on. It also took quick and efficient communication among the crew, as well as between the crew (cockpit and cabin), and between the crew and the Air Traffic Controller.
A key issue was controlling stress. In the previously mentioned interview, Captain Sullenberger said: ‘I was not this calm then, but I was very focused.’ In his testimony the Air Traffic Controller used the same words to describe his state of mind during the event: ‘During the emergency itself, I was hyper focused, I had no choice but to think and act quickly, and remain calm.’ And ‘I was flexible and responsive, I listened to what the pilots said, and made sure to give him the tools he needed. I stayed calm and in control.’ Actually, training and experience are the key issue in this perspective: when people are well trained and experienced, they become highly focused and do not fall apart. The US Airways crew was very experienced. Captain Sullenberger had more than 19.000 flight hours, his First Officer more than 15.000, the three Cabin crew had between 26 and 38 years of experience.
Incidentally, this event also illustrates a perspective on resilience that is not directly related to systemic resilience, but is nevertheless worth mentioning here: individual (psychological) resilience to such a traumatic event. The hardest part is the postevent period. As the Traffic Controller put it: ‘It may sound strange, but to me the hardest, most traumatic part of the entire event was when it was over … when it was over, it hit me hard.’ And also: ‘Even when I learned the truth, I could not escape the image of tragedy in my mind. Every time I saw the survivors on television, I imagined grieving widows. It’s taken over a month for me to see that I did a good job.’ He could only return to his job after 45 days of paid leave, admitting that ‘it may take time for me to regain my old confidence’. Ironically, the Controller seems to have been more severely affected than, for example the cockpit crew. As a matter of fact, this is perfectly predicted by models of psychological resilience, which emphasise the role of three main enablers: involvement into action, altruism and group solidarity.
From ‘Satisficing’ to ‘Sacrificing’ Decisions
There have been some discussions after the event about the fact that the US Airways crew did not activate the ‘ditch button’ to make the cabin watertight. Beyond the fact that it would not have made a big difference, due to the damages already suffered by the airframe, it is very important to understand that, in such crisis situations, there is no error-free course of action.
In his interview by US TV presenter Larry King, Captain Sullenberger stated: ‘I expected that this was not going to be like every other flight I’d flown, for my entire career and it probably would not end on a runway with the airplane undamaged.’ This statement shows the huge amount of uncertainty that suddenly prevails in such moments, both about the current state of affairs and its short-term evolution. Suddenly, the known and anticipated world was lost. The actual status of the situation was blurred. The future was suddenly heavily uncertain, and at the same time, critically depending on (irreversible) decisions, which had to be made very quickly, and could only be based on fast judgements and generic risk-assessment with very few factual and procedural references. The lack of information about the actual situation and its potential evolution is such that decisions are never completely ‘right’ when analysed with the benefit of hindsight. Everyday human behaviour has been described (Simon, 1982) as ‘bounded rationality’. In crises situation, the bounds get far worse. The lack of time and knowledge and resources becomes overwhelming. ‘Satisficing’ (rather than maximising) decisions become ‘sacrificing’ decisions. The scenario of US Airways Flight 1549 ditching provides several illustrations of this.
A first example was the decision to ditch in the Hudson River itself. Captain Sullenberger said in the above mentioned interview: ‘I quickly determined that we were at too low an altitude, at too slow a speed, and therefore we didn’t have enough energy to return to La Guardia, because it’s too far away and we headed away from it. After briefly considering the only other nearby airport which was Teterboro in New Jersey, I realized it’s too far away.’ Post-event simulations showed that considering its speed, distance and altitude, the aircraft had actually enough energy to glide back to the La Guardia runways. But this is what we know after hours of data processing and simulations. There was nothing available to the crew to determine accurately and reliably whether or not they could make a runway. Their only reference was their experience, their airmanship, their feeling of the situation. ‘… And the penalty for choosing wrongly, and attempting to make a runway I could not make might be catastrophic for all of us on the airplane plus people on the ground.’ So there was an implacable trade-off here: either the Hudson, certainly bad but possibly not catastrophic, or surrounding airports, possibly happy ending, with minimum damage to the airplane, but almost certainly catastrophic in case of failure of the attempt. What we have here is a nice piece of risk management, through a ‘sacrificing decision’: minimising the odds of a disaster by deliberately sacrificing the most ambitious, potentially happy ending – but intolerant – branch of the options tree, to set up a kind of bottom line class of damage, associated with a ditching.
A second example was the engine relight attempt made by the crew. Both engines suffered a simultaneous and sudden loss of thrust. The A320 ‘Dual Engine Failure’ emergency procedure calls for relight attempts. At about 500ft and 200kts, the crew attempted a quick relight on engine 1, without success. But while there was no further response from engine 2, engine 1 continued to deliver some thrust (about flight idle thrust) for about 2 minutes and 20 seconds. It was still slightly moderating the rate of descent and producing hydraulic and electrical supply. A damaged engine can in some cases restart in a better thermodynamic regime (a bit like a jammed computer after a reset). But relighting also implies to stop the engine first, with the risk that it will not relight, with possibly a regression of the flight control mode to ‘direct law’. Unlike the ‘normal’ or ‘alternate’ laws, the ‘direct law’ is an emergency flight mode, available as a back up when the flight control system is heavily damaged. In this mode, artificial stability and flight envelope protection are lost and the control of the aircraft would have been much more difficult, particularly during the flare. So there was again a risk trade-off here: risking partially losing the available controllability of the aircraft, in order to potentially regain enough thrust to reach a runway, as every airline pilot knows that landing a large jet outside a runway is a potentially catastrophic event. Interestingly, what we have in this case is the opposite of the previous ‘sacrificing decision’. Once the bottom line damage was insured by selecting the ditching option, attempts were made to re-activate the ‘make-a-runway’ option (without its terrible penalty in case of failure), by attempting to relight at least one engine.
From Safety Strategies to Resilience Engineering at the System Level
While it does not officially uses the word ‘resilience’ (yet), the aviation community has its own way of recognising a hierarchy of disturbance, from normal to totally abnormal situations. Three main ‘operational safety domains’ are commonly referred to:
1. A ‘normal operation’ envelope inside which, more or less, the course of events follows pre-defined tracks, people follow procedures or expected behaviour, parameters stay within design limitations, and variations are compensated and absorbed by intrinsic flexibility within the system. In this normal flight envelope, real birds are not worse than the certification test chicken, engines can sustain their impact, and flights make it to destination on time (or nearly). The crew-aircraft system is ‘adapted’ to the situations encountered, which means that the pace and magnitude of variations and disturbances stay within its routine adjustment or tolerance capabilities.
2. An ‘abnormal operation’ envelope inside which the course of events significantly departs from normal tracks, although mainly in anticipated ways: parameters exceed design limitations, important components (e.g., engines) fail, and the like. These disturbances need to be actively handled. They are managed by specific procedural responses, intentionally built-in redundancies, intrinsic resistance, or flexibility within the system. In this ‘abnormal flight envelope,’ real birds are worse than in the certification test, one engine may suffer from their impact, and the flight may return back to the departure airport or have to divert. The pace and magnitude of variations and disturbances are such that the crew-aircraft system needs to quickly ‘re-adapt’ itself to the situation, through a predefined and active reconfiguration process.
3. Finally, an ‘emergency operation’ (open) region inside which the course of events departs from normal tracks in extreme proportions and possibly totally unanticipated ways: parameters ‘go crazy,’ critical components are lost, and exceptional disturbances threaten the possibility of keeping control on the flight. These emergency situations urgently need to be managed, by specific or generic procedural responses, creativity, built-in ultimate backups, or intrinsic toughness. In this ‘emergency flight envelope,’ real birds are far worse than in the certification test, and can shut off all engines. The flight may well end up prematurely far from its expected destination. The crew-aircraft system is both unable to ‘re-adapt’ itself to the situation, and able to keep some form of control on it, and mitigate its consequences, provided it can quickly and fully stretch its relevant capabilities.
While the notion is not commonly used in aviation safety language, one could recognise behind this hierarchy of responses a compact version of a classical ‘defence-in-depth’ strategy. For example, concerning bird hazard, the first line of defence is minimising the frequency of bird strikes. The second is the ability of the aircraft and its engines to hit some birds without damage. The third is the ability of the crew-aircraft system to continue flying and to reach a (possibly alternate) airport after impacting birds and losing one engine. The fourth is the ability of the crew-aircraft system to keep enough flight controllability after losing all engines to be able to glide towards a runway or any suitable crash-landing area. The last line of defence is the ability of the crew-aircraft system to land on unprepared terrain or ditch with minimum damage and to safely evacuate passengers.
While not a new concept, such a defence-in-depth structure can be regarded as a ‘strategic resilience’ engineered into the system at the highest, holistic level. Each move through one line of defence to the next one means a kind of tactical retreat, in which sights are lowered, sacrificing decisions are made, in order to save what can be saved from the wreckage. At each stage:
• the situation gets more improbable, more variable, less controllable;
• the probability of damage is increasing, as well as the potential magnitude of damage;
• response options are restricted, harder to anticipate, less reversible, deadlines are more demanding.
So this series of tactical retreats is also a march from well known territories to unknown areas, a shift from adaptation to de-adaptation. Associated operating procedures shift from accurate and detailed action protocols to generic frameworks. Front line operators need to refer to different models of the world, from which they need to derive both an overall sense-making (Weick, 1993) and ‘satisficing,’ then sacrificing solutions. Built-in extra robustness must also be provided in order to allow the system to cope with anticipated or unanticipated stress (e.g., sustaining a landing on water for the fuselage).
An important challenge is then to better ‘engineer’ these capacities into the system. At the whole system level, this could be obtained by doing more of what is already done: for example, increasing the efforts of controlling wildlife on airports and their vicinity, developing ground-based and airborne bird detection and avoidance systems, continuing to harden engines blades, and so on. But the main change would be qualitative: addressing the emergency situation management needs as such, at a systemic level (aircraft design, operational procedures, crew training, Air Traffic Control procedures, etc.). For example, it would not even take a second for the Flight Management System to answer a question like ‘can we make Teterboro?’ (and many others) much more accurately than crew intuition, if a specific module (an all-engine-out emergency management assistant) was incorporated.
When Systemic Resilience Efforts Undermine Resilience at the Sharp End
But the best strategy is worth nothing if it cannot be implemented at the ‘sharp end’ of the system, by front line operators equipped with the corresponding skills. So, is the current airline pilot training system efficiently providing the competences needed for a resilient system? The worldwide celebration of the heroic behaviour of Flight 1549 crew speaks by itself: Captain Sullenberger’s skills have been attributed to his personal talent, his past experience as a glider pilot, rather than to his specific airline pilot training.
The ‘ACCOMPLI’ project is a three year (2006–2009) research project funded by the French DGAC, aimed at developing pilots training approval criteria based on pilot cognitive competence development. A literature review of competence models was compared to what industry professionals (airline managers, pilot instructors, and airline pilots) describe as their perception of copilot competence needs. Ab initio training was observed from entry to line adaptation, with the aim of spotting competence building processes. Within that project, young First Officers from several European airlines were asked to fill a web-based questionnaire to identify which aspects of their job they felt confident with. All their answers mentioned flying the plane in normal situations (while they recognised at least a six-month adaptation as necessary for confidence), and handling anticipated and trained ‘abnormal’ situations. When asked what they did not feel confident with, all answers mentioned relationships in the cockpit (handling the diversity of – real – Captain personalities and practices towards company procedures) and most of them mentioned managing:
• the diversity of operational situations, with real surprises;
• ‘the edges of Standar Operating Procedures (SPO),’ induced stress when over the limits of SOPs;
• borderline situations (e.g., non stabilised approaches in a dense traffic);
• interpretation and adjustments of procedures to current situations;
• interruptions, multi-tasking and interactions;
• the diversity of accents and foreign phraseology in ATC.
Obviously, what First Officers discover in their first months of airline operations is that the real world is much more varied, unstable, uncertain, surprising and complex than the one with which they are confronted during training. When asked for improvement suggestions, they wish they had been given more generic tools to help face the unexpected and managing surprises. They suggest more training in the simulator for operations that are not ‘clear-cut’ but rather at the edge of normal operations. They want better feedback on actual operations, incidents and accidents worldwide, with realistic ‘emotional examples.’ They suggest cultivating ‘common sense’ and ‘airmanship’ by being confronted with the unexpected during training by experienced instructors (‘teachers make the difference, and not the programme’). They suggest flight simulator sessions where pilots would not been briefed before, and would not know in advance what they are about to be trained for.
These suggestions by young First Officers were easier to understand within the ACCOMPLI project from the perspective of expected cognitive competences. The following list of such competences was established through a review of literature, and questionnaires and interviews of pilots, flight instructors, training organisation managers, and airlines managers.
• To be able to construct and maintain an adequate (distributed) mental representation of the situation.
• To be able to assess risk and threats as relevant for the flight.
• To be able to assess self proficiency envelope, to know and recognise its boundaries, and to adapt one’s tactics and strategy accordingly.
• To be able to switch from a situation under control, to a crisis situation (recognition, coping).
• To be able to construct and maintain a relevant level of confidence (towards self, others, technology).
• To be able to learn, implement and maintain the routines and skills associated with the basic flight functions (fly, navigate, communicate).
• To be able to contribute to / to make a decision in a complex (uncertain) environment.
• To be able to manage interactions with aircraft automated systems.
• To know, to understand and to be able to speak the aviation ‘jargon’.
• To be able to manage interactions with, and cooperate with, crew members and other staff.
• To be able to make an intelligent usage of procedures.
• To be able to use available technical and human resources, and to re-configure them.
• To be able to manage time and time pressure.
• To be able to properly transfer acquired knowledge and know-how from a specific context to a different one.
• To be able to properly use and manage information and communication technology equipment (ICT).
These dimensions of pilot (cognitive) competence are neither mutually independent, nor do they present a specific order or hierarchical relationship. They can therefore not really be developed or implemented in isolation from each other. However, it can be easily guessed when looking at this list that a significant part of them – namely the first five, which are particularly important for unexpected or abnormal situations – will not be found in the explicit training objectives of most pilot training syllabi. They are a side product of the training rather that its central target. Even when ‘abnormal’ operations are addressed as such, the training considerably lacks realism. The syllabi are currently so time-constrained that each exercise, including emergencies, is pre-briefed, practised only once without the surprise factor, and debriefed, with little or no opportunity to reinforce lessons. The role of solo flight training for multi-crew pilots is more and more contested, although it was perceived by the interviewed First Officers as essential for building confidence and decision-making skills, as well as self-knowledge and personal limitations awareness, because it confronts trainees to the unexpected, and to the emotional context of vital decisions.
In other words, there seems to be a weakness of the current training system in building proper uncertainty management competences, and this weakness is far more than a side effect of the simplification of the world needed for any training environment. It is a direct result of a general training strategy that is just caricaturing a bit the very normative, procedural aviation safety strategy. Training efforts are completely oriented towards this very objective: learning how to recognise a set of anticipated situations, and how to respond properly to them with the relevant pre-established procedure. This leads to what Mintzberg (1994) calls the ‘fallacy of predetermination’: there is so much emphasis on anticipation and planning that there is no consideration any more for events that fall outside the anticipated envelope, and the illusion develops that the world will unfold as anticipated.
The bad news is that uncertainty management competences are not generated and maintained better by the handling of daily variations, which rather resorts to homeostatic adaptation routines. They develop from a recurrent confrontation with challenging, surprising, unexpected, threatening situations. As these are hopefully not encountered in daily operations (and the safer the system, the less they will be), substitutes must be found. An efficient feedback from incidental and accidental experience, as well as a proper use of simulation, can obviously provide such exposure. Within the European Commission Research Project ‘ESSAI,’ a specific one-day training has been developed for improving ‘situation awareness’ and crisis management capacities in the cockpit. Positive effects of the training could be demonstrated, particularly on situation awareness, and threat management. Mental simulation and counter-factual thinking have also been shown to be efficient. In a study on behavioural markers of ‘procedural excellence’ amongst a group of UK paediatric cardiac surgeons, Carthey et al. (2003) found that the best scores in terms of fatality rates or near misses were those of surgeons regularly practising ‘what if’ mental simulations of complications.
In Conclusion: Two Lessons and a Wish
The first lesson to be taken from the Hudson River ditching is that a resilient system must be both prepared, and prepared to be unprepared. Because things will happen that only are controllable if they have been anticipated to some extent and, at the same time, that will never be anticipated in detail. It means that we need a) generic anticipation schemes, providing (common) sense-making frameworks of what happens, at a level of abstraction which is high enough to wrap around all the countless and unpredictable variations of real stories, and b) fast and efficient implementation sketches and skills, capable of forcing the available generic schemes to fit the parameters of the day, under critical time constraints. In other words, resilience implies a combination of anticipation and serendipity. An efficient way to engineer this combination into a system is to set up a hierarchical defence-in-depth strategy, where a breach in a line of defence triggers a tactical retreat behind the next one, with operating procedures shifting from detailed protocols for normal situations, to a generic action framework for emergency situations.
A second lesson is that there may well be something wrong in the relationship between ‘downward’ and ‘upward’ resilience (Woods, 2006a), something like an ‘irony of resilience,’ similar to the ‘irony of automation’ described by Bainbridge (1987): the competences suddenly needed at the sharp end to cope with unanticipated or extreme events are exactly those which are lost in the continuous attempt made at the blunt end to anticipate all events and pre-determine corresponding responses, or eradicate the extreme. Proceduralisation and automation both try to reduce the uncertainty in the system by reducing variety, diversity, deviation, instability. But the side effect is that this also reduces autonomy, creativity, and reactivity. Increasing order, conformity, stability, predictability, discipline, anticipation, makes the systems better (more efficient, more reliable), possibly cheaper and generally safer within the confines of their standard environment. They also make them increasingly brittle (less resilient) outside the boundaries of the normal envelope. We have to recognize that there is a universal trade-off between efficiency (adaptation degree) and flexibility (adaptation bandwidth). Desert lizards are so well adapted that they can survive for years without water, but would disappear if the climate changed by a few degrees.
So, until Resilience Engineering has found a way to overcome the irony, we can only hope that flocks of Canadian geese chose clear skies and very senior pilots when they fly across airport departure paths.