Some Thoughts on Evidence-Based Training and a Strategy of Margins, Constraints and Risk Avoidance
Steven Green, FRAeS
Principal at Flight Operations Research
Underhill, Vermont
Author, Pilot Competency and Capability – Responsibilities, Strategy, and Command
During the final few years of my career, my employer developed a threat-and-error management (TEM) model that used three concentric circles: green in the center, then yellow, then red. The green zone was associated with the ability of the crew to manage threats and errors effectively at the highest level, which was the target, while the outer red ring was associated with a significantly diminished ability to manage threats. The idea was to evaluate where the cognitive capacity of any individual, or of the crew collectively, sat on this envisioned target; as that cognitive capacity drifted outward, through the yellow and into the red, actions needed to be taken to return it to the green zone.
This was quite a useful tool in some respects, and potentially misleading in others. The very last thing I did before entering a runway for departure was ask the First Officer, “Are you in the green?” Everyone knew what that meant, and it was a way of opening the door for evaluation and discussion of any concerns. It was also a great reminder that, in the end, we needed to be “in the green”.
On the other hand, as I tried explaining to nearly every instructor who taught TEM in recurrent training, many accidents have occurred without the crew having the slightest perception that their cognitive state had departed the green zone until it was too late. While we might attribute this to poor situational awareness or the challenges of cognitive dissonance, those aspects are only part of the problem. The elephant in the room is how we, as humans, think, and how our modes of thought influence the ability to differentiate between specific risk and probabilistic risk.
TEM, CBTA/EBT, and If/Then
Threat-and-error management is the cornerstone of competency-based training and assessment (CBTA), and the related evidence-based training (EBT). My contention is that a common interpretation of TEM is reactive, using an “if, then” structure applied to “threat, countermeasure”, or “threat, management”, leading to an “if yellow, then act to restore green” correlation to the color model.
The use of language containing a conditional phrase, such as an “if” clause, creates a narrative and narrows the discussion to specific risk: an unsafe condition based on the assumption that all credible events that could be known are assigned a probability of one and considered as individual “ifs”. This generates a family of “ifs” associated with corresponding “thens”, but such a family can only capture a tiny sliver of possibility.
We need to consider cases in which, at any point in time, there is no apparent “if”: no conditional language, no identified specific risk, and no narrative. This is probabilistic risk, the probability of unsafe conditions resulting from the average estimated probabilities of all unknown events.
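The distinction can be made concrete in a small sketch. The Python fragment below is purely illustrative; the threats, countermeasures, and probability figures are hypothetical and are not drawn from any of the documents discussed here.

```python
# Purely illustrative; all threats, countermeasures, and numbers are hypothetical.

# Specific risk: an enumerated family of "ifs", each treated as certain
# (probability one) and paired with a corresponding "then".
countermeasures = {
    "windshear on final": "execute the windshear escape maneuver",
    "engine failure after V1": "fly the engine-out profile",
    "cabin fire": "run the smoke/fire checklist and divert",
}

def manage(threat: str) -> str:
    # The if/then structure only works for threats we have already named.
    return countermeasures.get(threat, "no scripted response")

# Probabilistic risk: no identified "if", only an aggregate estimate of
# unsafe conditions arising from events that have never been named.
p_unknown_per_flight = 1e-5          # hypothetical aggregate probability
flights = 10_000
p_at_least_one = 1 - (1 - p_unknown_per_flight) ** flights
print(f"P(at least one unnamed event in {flights:,} flights) = {p_at_least_one:.1%}")
```

However small the per-flight figure, the family of “ifs” never touches it; the residual probability belongs to events outside the table.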
The dichotomy in how we think is immediately apparent in a phrase used in the discussion of TEM contained in ICAO Document 9868, Procedures for Air Navigation Services – Training (as well as other documents):
Regardless of whether threats are expected, unexpected, or latent, one measure of the effectiveness of a flight crew’s ability to manage threats is whether threats can be anticipated so as to enable the flight crew to respond to them through deployment of appropriate countermeasures.[1]
Anticipated threats, responded to through deployment of countermeasures, function in the form of “if” (fill in the threat), “then” (deploy the countermeasure). This is a narrative, capturing a credible event that now has a probability of one… specific risk. Practically on the same page of both documents, unexpected threats are defined as those that occur unexpectedly and without warning, and latent threats are defined as threats not directly obvious to, or observable by, flight crews. Under those definitions, the notion that a flight crew could exhibit an ability to anticipate threats, regardless of whether they are expected, unexpected, or latent, is a conflation of specific risk with probabilistic risk, and is perilously close to oxymoronic.
Why we make such statements requires some unpacking. We can begin by considering two very important ideas.
It is impossible to foresee all plausible accident scenarios, especially in today’s aviation system where its complexity and high reliability mean that the next accident may be something completely unexpected.
– ICAO Document 9995, Manual of Evidence-Based Training[2]
The threat-error linkage is not necessarily straightforward and it is not possible to establish a linear relationship, or one-to-one mapping between threats, errors and undesired states.
– IATA Evidence-Based Training Implementation Guide[3]
These are remarkable and pivotal statements, versions of which appear in many other documents making the case for competency-based or evidence-based training. Both of these statements affirm a paradigm of uncertainty in proactive accident prevention initiatives and programs. They are rather decisive, almost amusingly so, refutations of the axiom that appeared as late as 1958 in FAA publications, which stated that
The capable and competent pilot will never allow an airplane to crack up…[4]
Such a paradigm shift may seem intuitive, in light of the great progress in human factors, complexity theory, and ideas like Perrow’s normal accidents and Taleb’s black swans. In fact, the paradigm shift is much more challenging than we might think, as it requires a shift between two modes of human thought. This turns out to be a persistent problem.
Two Modes of Thought
Jerome Bruner described what he believed to be the two principal modes of human thought: the narrative and the paradigmatic. The paradigmatic mode, he said, “attempts to fulfill the ideal of a formal, mathematical system of description and explanation”[5]. It is the language of logical argument. The narrative mode, on the other hand, “deals in human or human-like intention and action and the vicissitudes and consequences that mark their course”[6].
A good narrative features a sudden reversal of circumstances, often referred to in literature as a peripeteia. Bruner argued that, “These narratives typically depict a canonical state of things and a deviation from that state. Stories are means for making these deviations comprehensible, if not acceptable.”[7]
Bruner went on to explain that narrative comprises two distinct landscapes:
One is the landscape of action, where constituents are the arguments of action: agent, intention or goal, situation… The other landscape is the landscape of consciousness: what those involved in the action know, think, or feel, or do not know, think or feel.[8]
Both the ICAO and IATA statements are derived from the paradigmatic mode of thought, making logical arguments based on an understanding of theory and data. They describe a paradigm of uncertainty.
The 1958 FAA statement creates a universal narrative about accidents, using the words capable and competent to tell a story in which the correct landscape of consciousness will constrain the landscape of action such that the airplane never cracks up. The use of the word “never” anchors a paradigm of certainty.
The narrative mode of thought largely constrains us to understanding safety in terms of specific risk, an unsafe condition based on the assumption that all credible events that could be known are assigned a probability of one and considered individually. Each credible event is a peripeteia, a deviation from the canonical state. Engine failures, cabin fires, and, in the 1958 FAA statement, incompetent pilots, are all deviations from a canonical state.
Green Zone of Risk Management
The green zone of risk management ability is a type of canonical state; the drift through the yellow zone into the red is a deviation from that canonical state.
On the other hand, the paradigmatic mode allows us to contemplate probabilistic risk, the probability of unsafe conditions resulting from the average estimated probabilities of all unknown events, as well as the fat tails of those probability distributions that result in black swans. There is no single peripeteia in probabilistic risk; the paradigmatic mode of thought does not tell a story.
Nevertheless, the completely unexpected has always been present, even back in the good old days of low reliability and systemic simplicity. In fact, all accidents throughout history have been grade-A, card-carrying black swans to the people who experienced them, regardless of the shape of the probability distribution. The reality of any accident is that you will never, ever, not even in a million years of data analysis, see the one coming that gets you. The reason the next accident may be completely unexpected is the same reason it always has been… we cannot think of a thought until we think of it.
And right there is the problem. As soon as we think of it, the thought becomes a conditional statement, forming the basis for a story, and we are pulled inexorably back into the narrative mode of thought. Things become explainable, and the uncertain takes on a guise of certainty, becoming a known-unknown, coloring in an infinitesimally tiny portion of the area occupied by unknown-unknowns.
Accident reports are written in the narrative mode. In the aftermath, the accident can be described as a story; indeed, it must be described as a story for it to make any sense. Because logical, mathematical, and testable analysis is used extensively to recreate a landscape of action, accident reports can appear to function within the paradigmatic mode of thought. Nevertheless, the report is almost always pulled firmly back to the narrative mode because of the primacy of “human or human-like intention and action and the vicissitudes and consequences that mark their course”. The landscape of consciousness, what the pilots know, think or feel, is inevitably obscure, leading to a ubiquitous backfilling of narrative to create comprehensibility.
The same can be true for all reactive safety data, such as incident reports and mandatory or voluntary safety reports. Each event describes a complete narrative, containing all of the basic parts of Bruner’s narrative structure… canonical state, deviation from the canonical state, action taken to return to the canonical state, resolution and moral. Simple categorizations, such as loss of control, controlled flight into terrain, and failed to obtain/maintain airspeed, distinguish different peripeteia, identifying different families of narrative.
Expectations of Pilots
The narrative mode of thought does not work well with probabilistic risk, primarily because there is no peripeteia. Nothing has happened… yet. Discussion of probabilistic risk is confined to the paradigmatic mode of thought. Within logical analysis, we can create statistical distributions and ideas such as six sigma and fat tails.
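As a numerical aside, the pull of fat tails can be shown in a few lines. The sketch below is an assumption-laden illustration (the Student-t distribution with three degrees of freedom is an arbitrary stand-in for a fat-tailed model), comparing the probability of a six-sigma exceedance under thin and fat tails:

```python
# Illustrative comparison of thin vs. fat tails; the Student-t with df=3
# is an arbitrary stand-in for a fat-tailed distribution.
from scipy.stats import norm, t

threshold = 6.0                      # "six sigma"
p_thin = norm.sf(threshold)          # upper-tail probability, normal model
p_fat = t.sf(threshold, df=3)        # same threshold, fat-tailed model

print(f"Normal tail beyond 6 sigma:      {p_thin:.1e}")   # on the order of 1e-9
print(f"Student-t (df=3) beyond 6 sigma: {p_fat:.1e}")    # on the order of 4e-3
print(f"Fat-tail exceedance is roughly {p_fat / p_thin:,.0f} times more likely")
```

The point is not the particular numbers but the shape of the argument: six-sigma reassurance is only as good as the assumed distribution.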
Remaining within the paradigmatic mode can be challenging, however, particularly when we start discussing what to do about uncertainty. For example, if I am not going to see the accident coming, what actions are possible to prevent it? The challenge is that actions are part of Bruner’s narrative structure, represented within the landscape of action; in a story, actions are aimed at returning to a canonical state from some deviation, using agency, intention, and goals within a situation identified through a landscape of consciousness. But if nothing has actually happened, what actions would I take, and why would I take them?
It is much easier to discuss potential actions by assuming that something has happened, creating the basis for a narrative. This is the limitation of the color-coded concept of risk management ability; it only works after the deviation from the green zone has been cognitively perceived. Similarly, the introductory text of ICAO Document 9995, the EBT Manual, goes on to state that
Mastering a finite number of competencies should allow a pilot to manage situations in flight that are unforeseen by the aviation industry and for which the pilot has not been specifically trained.[9]
Here, the paradigm has shifted from the paradigmatic argument of unexpected accidents to a narrative argument of deviations from a canonical state (situations in flight) that must be resolved through action (managed) to return to the canonical state. Any situation in flight is something that has already become apparent. It is no longer under a bell curve; it now has a probability of one. It may have been unforeseen by the aviation industry, and the pilot may not have been specifically trained for it, but it is clear that the pilot is expected to identify and manage the situation. The resolution of the deviation requires a specific landscape of consciousness as well as appropriate arguments of action. In effect, this passage is almost identical to the 1958 FAA axiom, essentially arguing that a competent pilot should be able to manage any situation such that the airplane is not allowed to crack up.
The distinction is subtle but critical. In the same vein, the IATA discussion of threat-and-error management shifts from explaining that a linear linkage between threats, errors and undesired aircraft states is not possible, to language written in a way that communicates exactly such a linkage:
… archival data demonstrates that mismanaged threats are normally linked to flight crew errors, which in turn are oftentimes linked to undesired aircraft states.[10]
The same kind of transition in the mode of thought has occurred here. Mismanaged threats, flight crew errors, and undesired aircraft states are also forms of peripeteia. They are all identified deviations from a canonical state, and they each form the basis for narrative. In both cases, the paradigmatic thoughts expressed regarding uncertainty have defaulted back into narrative thoughts expressing open-ended, but ultimately concrete, certainty.
Safety-I – Quantifiable Risk
There is really no way to think about identified situations, threats, errors, or undesired aircraft states other than in the narrative mode, and it exerts a powerful pull on the interpretation of uncertainty. This is the Safety-I problem, which Erik Hollnagel has described as presuming “that things go wrong because of identifiable failures or malfunctions of specific components: technology, procedures, the human workers and the organizations in which they are embedded.”[11] Safety-I data is largely derived from the retrospective decomposition of unsafe conditions to create a quantifiable risk analysis. The data literally are stories, and to the extent we can identify them proactively, they are incredibly valuable for decision making. This is precisely the point made in the IATA threat-and-error management text when it states that
Threat management provides a highly proactive strategy to maintain safety margins in flight operations by mitigating safety-compromising situations[12]
Nevertheless, this statement assumes the management of identified safety-compromising situations, just as the ICAO assertion assumes the management of identified situations in flight. Both are constructed in the narrative mode of thought, and both refer to deviations from a canonical state and the action necessary to restore that state. If we are not aware of a deviation, have not spotted the threat, or have not recognized the situation in flight, then there is no apparent narrative, and there is nothing to manage. Neither the ICAO phrase regarding the mastering of competencies nor the IATA language regarding threat management resolves the problem of the completely unexpected accident.
This raises a difficult question. Is it possible to proactively prevent an accident without ever identifying a threat? To put it more acutely, is it possible to proactively prevent an accident without ever knowing of its possibility? Indeed, is it possible to tell a story in which nothing happens?
All zebras look very hard at the grass around the watering hole, and remain acutely aware of unwanted odors, as they attempt to identify stalking lions. The possibility of unseen lions somewhere in the grass is probabilistic risk; the identification of a lion, or simply the assumption of a lion’s presence, creates a specific risk. Zebras can take action in response to specific risk: they can run, and they can even kick the lion in the teeth. But they won’t spot every lion. It turns out that zebras have stripes for a reason; stripes are a countermeasure aimed at probabilistic risk. They may confuse lions, including those yet unseen, and they may also confuse the zebra’s other highly probabilistic threat, several million horseflies.

In the engineering world, probabilistic risk is well understood, and it is managed without the identification of any single threat or deviation, through the use of safety factors, margins, and redundancy. The inherent assumption when building in a structural safety factor is that the anticipated loads will be exceeded at some point, for reasons as yet unknown. Marks’ Standard Handbook for Mechanical Engineers explains this approach:
The factor should be selected only after all uncertainties have been thoroughly considered. Among these are the uncertainty with respect to magnitude and the kind of operating load, the reliability of the material from which the component is made, the assumptions involved in the theories used, the environment in which the equipment might operate, the extent to which localized and fabrication stresses might develop, the uncertainty concerning causes of possible failure, and the endangering of human life in case of failure.[13]
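A short worked example may help. The numbers below are hypothetical, and the margin-of-safety expression is the conventional engineering form (capability over requirement, minus one); the point is that the factor buys protection without naming any single threat:

```python
# Hypothetical numbers; the factor protects against loads exceeded
# "for reasons as yet unknown", with no specific failure scenario named.
ultimate_capability = 90_000   # load the structure can actually carry (lbf)
design_limit_load = 30_000     # maximum load anticipated in service (lbf)

factor_of_safety = ultimate_capability / design_limit_load   # 3.0
margin_of_safety = factor_of_safety - 1.0                    # conventional form

print(f"Factor of safety: {factor_of_safety:.1f}")
print(f"Margin of safety: {margin_of_safety:.1f}")
```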
A Safety-I approach would look for a structural failure due to intentional overload, material compromise, or engineering miscalculation, all of which could be retrospectively corrected, eliminating the threat in future cases. Safety-I considers the narrative and identifies the necessary arguments of action and the associated landscape of consciousness required to correct the deviation. As further individual deviations are identified, Safety-I expands the arguments of action and the landscape of consciousness. This is precisely the paradigm described in the first paragraph of the ICAO EBT Manual background page, which states that
existing airline pilot training requirements in national regulations are largely based on the evidence of hull losses from early generation jets.[14]
Safety-II – Resilience for the Unexpected
In fact, safety factors and margins are really a part of what Hollnagel defines as Safety-II, a shift from “ensuring that ‘as few things as possible go wrong’ to ensuring that ‘as many things as possible go right’.”[15] He further explains that
Safety-II… relates to the system’s ability to succeed under varying conditions. A Safety-II approach assumes that everyday performance variability provides the adaptations that are needed to respond to varying conditions, and hence is the reason why things go right. [16]
The entire premise of the competencies defined within the EBT footprint is to create a skillset for the adaptations that are needed to respond to varying conditions; in other words, resilience. The goal is to reduce the systemic brittleness that was inherent in traditional approaches to flight training. Brittleness is marked by thin or non-existent margins of safety.
Yet as critical as the idea of margins is to the management of probabilistic risk, the only references to safety margins in the ICAO EBT Manual refer to “unacceptable reductions in safety margins”, and the identification of situations that result in such reductions. What the term safety margin means is left to the imagination, almost as if it were universally understood. However, a reduction in a safety margin is exactly the deviation from a canonical state that we need in order to move the discussion of probabilistic risk out of the paradigmatic mode of thought and into the narrative mode, creating a narrative that manages probabilistic risk.
The IATA statement on the proactive use of threat-and-error management also refers to maintaining safety margins without offering any discussion of what margins are. But the IATA discussion goes on to explain the broader concept of countermeasures, stating that:
Examples of countermeasures would include checklists, briefings, call-outs and SOPs, as well as personal strategies and tactics. Flight crews dedicate significant amounts of time and energies to the application of countermeasures to ensure margins of safety during flight operations. Empirical observations during training and checking suggest that, as much as 70% of flight crew activities may be countermeasures-related activities.[17]
This language is very important. The reference to flight crews dedicating significant amounts of time to ensuring that margins of safety are protected, as well as a later explanation of planning countermeasures as essential for managing anticipated and unexpected threats, opens the door to consideration of threats that are not identified and never will be. This is a very different landscape of action from the reactive landscape associated with managing a situation in flight; in fact, it paves the way to constructing a narrative that manages not just situations in flight, but the flight itself, so as to reduce exposure to situations… in other words, a narrative that manages probabilistic risk. This raises another question: what should the landscape of consciousness look like within such a narrative?
Ecology of Action
Edgar Morin has argued for an idea he calls the “ecology of action”:
As soon as a person begins any action whatsoever, the action starts to escape from his intentions. It enters into a sphere of interactions and is finally grasped by the environment in a way that may be contrary to the initial intention. Ecology of action means taking into account the complexity it posits, meaning random incidents, chance, initiative, decision, the unexpected, the unforeseen, and awareness of deviations and transformations.[18]
This idea establishes a baseline level of uncertainty and instability, and gives substance to the varying conditions described in Safety-II. The corresponding adaptability derived from everyday performance variability… the difference between work-as-imagined and work-as-done… is captured within the context of strategy.
Morin explains that strategy elaborates a scenario of action, which we can consider to be a landscape of action as described by Bruner, based on an appraisal of the certainties and uncertainties, the probabilities and improbabilities of the situation. It allows for the inherent complexities, and can be modified in the course of action in response to chance, information, change of context, hazards and threats. Most importantly, a strategy always provides for, in the words of Morin, “the eventual torpedoing of an action that may have taken a harmful course”.[19]
The introduction of the ecology of action, uncertainties, and inherent complexities speaks directly to the ICAO statement that the next accident may be something completely unexpected. In concert with the IATA statement that it is not possible to establish a linear relationship between threats, errors and undesired states, this suggests that strategy be considered the predominant countermeasure. It is this continuous appraisal of the certainties and uncertainties, and of the probabilities and improbabilities, leading to the creation of a scenario of action, that brings into focus the day-to-day difference between work-as-imagined and work-as-done.
The Strategy of Margins
This is really the argument for Safety-II, the consideration of how things go right. Safety-II expects things to go wrong, for actions to take a harmful course, and the protection of the applicable margins, as well as the expansion of those margins when appropriate, creates the space for such actions to be torpedoed. In contrast to the statement that threat management is an effective strategy for the protection of margins, this view argues that the protection of margins is an effective strategy for threat management. The former is limited to identified threats; the latter has no such limitation. The protection of margins, regardless of whether any threats have been identified, is therefore the first goal of strategy, and a predominant competency for the professional pilot.
There are five categories of margins within the scope of flight operations:
- Aerodynamic, including such things as
  - Angle of attack
  - Airspeed
  - Bank angles
  - G-loading
  - Thrust or power
- Altitude, including such things as
  - Grid MORAs
  - Minimum IFR altitudes
  - Decision heights and minimum descent altitudes
  - Driftdown requirements
- Performance, including such things as
  - Takeoff obstacle clearance
  - Landing distance
  - Fuel reserves, including all classes of navigation
  - ISA variation at the planned cruise altitude
- Airworthiness, including such things as
  - Proper aircraft and system configurations
  - MEL provisions
  - QRH provisions
  - MNPS requirements
  - EROPS requirements
- Residual attention, including such things as
  - Workload management
  - Managing aircraft speed and vertical profile to ensure all crewmembers retain the necessary attention to accomplish required tasking and remain situationally aware
These margin sets are all inter-related. While aerodynamic and altitude margins are absolutely critical to safety… the rest don’t matter if you are no longer flying… margins of performance and airworthiness are closely related; the prop has to be feathered in order to obtain the required climb performance. And a margin of residual attention must always be protected in order to ensure the cognitive capacity to protect all the other margins.
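To tie the five categories back to the green/yellow/red model described at the outset, a hypothetical sketch follows. Every threshold, unit, and piece of status logic here is invented for illustration; no operator publishes margins in this form, so treat it as a thinking aid rather than a procedure:

```python
# Hypothetical margin monitor; categories follow the five listed above,
# but every threshold and unit is invented for illustration only.
from enum import Enum

class Zone(Enum):
    GREEN = "adequate margin"
    YELLOW = "margin eroding, act to restore"
    RED = "margin critically thin"

SEVERITY = {Zone.GREEN: 0, Zone.YELLOW: 1, Zone.RED: 2}

def zone(value: float, yellow_at: float, red_at: float) -> Zone:
    """Classify a margin value against two illustrative thresholds."""
    if value <= red_at:
        return Zone.RED
    if value <= yellow_at:
        return Zone.YELLOW
    return Zone.GREEN

margins = {
    "aerodynamic":        zone(15.0, yellow_at=10.0, red_at=5.0),       # kt above Vref
    "altitude":           zone(2000.0, yellow_at=1000.0, red_at=500.0), # ft above minimum
    "performance":        zone(45.0, yellow_at=40.0, red_at=30.0),      # min of reserve fuel
    "airworthiness":      zone(2.0, yellow_at=1.0, red_at=0.0),         # redundant sources left
    "residual_attention": zone(0.3, yellow_at=0.2, red_at=0.1),         # spare capacity, 0..1
}

# Because the margin sets are inter-related, the worst zone anywhere
# dominates the overall answer to "are we in the green?"
overall = max(margins.values(), key=SEVERITY.get)
print(f"In the green? {overall is Zone.GREEN} ({overall.value})")
```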
The Strategy of Constraints
The second objective of strategy lies with the protection of constraints. A constraint is a type of structure, physical or procedural, that is placed at one level of a complex system specifically to prevent systemic interactions that may lead to emergent phenomena at a higher level. The idea of constraints has gained prominence with relatively recent concepts such as Systems-Theoretic Process Analysis (STPA) and Systems-Theoretic Accident Model and Processes (STAMP); however, constraints have always been present to one extent or another.
Aircraft are designed with numerous physical constraints, such as gear warning horns, throttle interlocks, alpha floors and really the entire set of envelope protections. In parallel with these, constraints are built into air traffic control procedures, operational control, flight operations policies, and certainly government regulations. Many constraints are specifically designed to protect margins. Standard operating procedures also represent a set of constraints; indeed, standard operating procedures are largely designed around constraints intended to protect all five categories of margins.
Constraints need to be respected and protected. For example, as a general policy, we don’t reset a circuit breaker to see if it will pop again; to do so creates a threat to the margins of airworthiness. A strategy is designed to ensure that such a level of discipline is applied to all constraints, until the constraint fails to protect an applicable margin, at which point the protection of the margin takes precedence.
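The precedence rule just described can be rendered as a hypothetical fragment; the function name and inputs are invented for illustration:

```python
# Hypothetical rendering of the precedence rule: discipline toward the
# constraint is the default; the margin wins only when the constraint
# has failed to protect it.
def resolve(constraint_protects_margin: bool) -> str:
    if constraint_protects_margin:
        return "respect the constraint"
    return "protect the margin; deviate from the constraint if required"

# The popped circuit breaker: the constraint (do not reset) still
# protects the airworthiness margin, so the constraint holds.
print(resolve(constraint_protects_margin=True))
```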
The Strategy of Avoidance
The third goal of strategy is the avoidance of recognized mistakes, mistakes we already know we do not want to make. This aspect draws on all of the Safety-I data that we have at hand, the lessons learned, the specific risks that we have studied, and the considerable library of narratives already recorded.
We know, for example, that we do not want to arrive at the alternate airport without enough fuel to go around and shoot a second approach, a mistake that threatens margins of residual attention and aircraft performance. We know that we do not want to land beyond the touchdown zone, a mistake that also threatens margins of performance. We know that we do not want to disconnect a generator or shut down an engine in flight without confirming that we have selected the correct generator or engine, mistakes that are concurrently well protected through procedural constraints aimed at protecting margins of airworthiness.
The structure of strategy thus outlines three distinct deviations from the canonical state for which we can construct actions to resolve and return to normalcy: the degradation of an applicable margin, the degradation or failure of a constraint, and exposure to a recognized mistake. The ecology of action means that these deviations are ubiquitous, creating an ever-changing situation within the landscape of action. The agency, goals and intentions within that landscape are aimed at correcting those deviations, fleshing out a narrative that manages probabilistic risk. The moral of a story that manages probabilistic risk is what Karl Weick refers to as a “dynamic non-event”[20].
Prudence and Responsibility
The relationship between a landscape of consciousness and a landscape of action that creates a strategy is constructed through prudence. There are three components to prudence: taking counsel, judging what is learned, and executing command. Taking, judging, and executing are not passive verbs; they represent distinct acts of self-agency using free will. Free will is the active selection of options; it is implicit in the concept of responsibility.
The three components of prudence are supported by eight elements, the first and foremost being foresight, followed by caution, circumspection (a willingness to change the plan), and subordinately, memory, reason, understanding, a willingness to learn, and finally the ability to make quick decisions when information is scarce.
These ideas are salted throughout the behavioral indicators contained within the eight competencies defined by EBT, such as
- Applies relevant procedural knowledge
- Listens actively and demonstrates understanding when receiving information
- Asks relevant and effective questions
- Employ(s) proper problem-solving strategies
- Improvises when faced with unforeseeable circumstances to achieve the safest outcome
- Anticipates accurately what could happen, plans and stays ahead of the situation
- Develops effective contingency plans based upon potential threats[21]
It is essential to recognize that the competencies identified in EBT play a very important role in constructing the relationship between a landscape of consciousness and a landscape of action necessary to create strategic narrative. Conversely, many of the elements supporting prudence can be recognized as behavioral indicators.
But the basic components of prudence… taking counsel, judging what is learned, and executing command… remain distinct acts of self-agency necessary to fulfill a duty of care. These acts go beyond behavioral indicators, and beyond competencies, to the proactive agency required to execute responsibility.
The term responsibility is notably absent from almost all material related to evidence-based training, which is particularly curious with respect to the “attitudes” term in the phrase “knowledge, skills and attitudes”. All civil aviation regulatory structures place the final responsibility for the safety of the flight with the pilot-in-command. Responsibility in this context refers to an implicit duty of care. Yet the word responsibility, in both the ICAO and IATA documents, is largely associated with state responsibility; the only time it appears with respect to the pilot is in the behavioral indicator described as “Admits mistakes and takes responsibility”.
The absence of any association between the regulatory, final, and ultimate responsibility for the safety of the flight and the behavioral indicators identified within the EBT footprint, coupled with the narrow focus on recognized situations in flight, raises questions about how the pilot’s role is perceived within the aviation system.
The recent evolution of that perception is widely described as having shifted from stick-and-rudder skills toward that of a systems manager. Better representations of this evolution emphasize a dynamic balance between stick-and-rudder skills and flight deck management. Indeed, recent FAA advisory material has refocused emphasis on manual flying skills, concurrently with the management of sophisticated automation, and this is clearly delineated in the EBT competencies.
Human in the Loop
Nevertheless, with the advent of greater automation, as well as the increasing complexity of the aviation system itself, and in particular, a systems approach to safety, the question of the role of humans with respect to both hardware and the system infrastructure has become problematic. ICAO Document 9859, Safety Management Manual, states that
A total system safety approach considers the entire aviation industry as a system. All service providers, and their systems for the management of safety, are considered as sub-systems.[22]
Within this definition, the flight crew is appropriately identified as a sub-system, as are all other human-comprised entities within the overall system. However, the Flight Safety Foundation’s discussion on the systems approach, contained within their document entitled Learning from All Operations, Concept Note 2, Systems Approach, accurately points out that
The presence of a human in a system presents unique opportunities and challenges including an intrinsic capability to learn and adapt, as well as sensitivity to a wide array of pressures and trade-offs of performance over different time horizons. This results in system behavior that is less predictable.[23]
Diminished predictability is problematic for systems management, leading to a very natural desire to make human behavior more predictable. This raises the question of who is responsible for human performance: the human in the cockpit, or the humans who designed the system within which that cockpit and its occupants are a sub-system?
This reaches back to Reason’s concept of the sharp end and blunt end of a system. Where does the final responsibility reside within a system design? The codified final responsibility assigned to the pilot, and the associated duty of care, remain where they always have been, while the contemporary understanding of a systems approach can appear to diffuse that responsibility. The challenge is to avoid conflating the concept of a human sub-system with the concept of a system component.
Major David Blair and Captain Nick Helms have argued that, in the world of military special operations, the human is always more important than the hardware. What they call the capability approach holds that technology (and we may expand that word to include the structural and organizational aspects of the aviation infrastructure) exists to enable people to fulfill the mission. In their argument, the goal is to amplify human will, better enabling humans to make something of the world. They state that
By exercising dominion through technology, people gain greater command over their environment.[24]
They further explain that the alternative is to consider humans as important insofar as they operate the hardware, viewing people as subsystems within larger socio-technical constructs. This view, they argue, encloses humans within closed control loops that regulate systemic variables within set parameters. This they call the cybernetic approach.
Stick-and-rudder skills, flight deck management, and literally everything in between are critical to the execution of the final responsibility for the safety of the flight. All eight competencies addressed in the EBT footprint can be viewed as capabilities that exist to gain greater command over the environment, enabling people to fulfill the mission. However, when the perception of risk defaults from probabilistic risk to specific risk, as it does when that risk is limited to managing known situations in flight, and the predominance of responsibility is omitted, the landscape of action within the resulting narrative can be perceived as one of a closed control loop, moving the pilot toward a cybernetic position and leading to more predictable system performance. This raises a further question: are we training a component within the system to become resilient, leading to an envelope of predictability that can be tailored from the blunt end, or are we teaching resilience as a tool to gain greater command over the environment, leading to people successfully executing responsibility at the sharp end?
This is not an easy question to answer, particularly when the actions and choices made by humans within one subsystem can so profoundly affect the broader duty of care residing farther back at the blunt end of the system, away from the cockpit. Beginning at the level of the state, and continuing down to the level of the individual operator, the management of a socio-technical system naturally leans toward a hierarchical structure. Locating the final responsibility and authority with less-predictable humans, in a sub-system well out on the sharp end of that hierarchy, can be counterintuitive to many people’s perception of system design, particularly when it is framed as system management.
Normative or Ecological Training?
To bring this into better focus, it is worth considering Rene Amalberti’s differentiation between what he calls the normative approach to training, and a different model, which he refers to as the ecological approach to training.
In his words, the normative approach is described by three characteristics:
- Aviation operations can be entirely specified through standardized procedures, programs, schedules, rules, nominal tasks, certification, selection, norms
- Safety improvement will result from more specification and more discipline from the operators;
- The human operator is one more “black-box” coupled through inputs (perceptive data) which are transformed into outputs (actions) according to specified targets (goals) using adequate transfer functions (procedures, skills,..)[25]
On the other hand, he describes the ecological approach to training with these ideas:
- Aviation operations cannot be entirely specified through standardized procedures, programs, and the like. One reason is it includes Humans.
- Safety improvement will result from a better respect of the “ecology” of the system and a better acknowledgment of its self-protection mechanisms
- Human operators are auto-organized structures, coupled through recursive processes of self-regulation, and ultimately governed by their internal intentions[26]
Strategy: Margins, Constraints, and Avoiding Mistakes
The blunt end of the aviation system is largely unaware, in real time, of the variations in conditions encountered at the sharp end of the system. The point of training is to expand and strengthen the auto-organized structures of the human operators, instilling the resilience necessary to gain greater command over the environment at the sharp end. A greater command over the environment is a margin in itself, constructed through the educated use of technical and non-technical tools and skills, both internal and external to the cockpit, all of which rests upon the protection of margins and constraints, and the conscious avoidance of recognized mistakes… strategy.
Strategy constructed, on any given day, to protect the margins, to expand them when necessary, to use the constraints built into the aircraft itself and into the standard operating procedures both to support the protection of margins and to trap errors, and to avoid recognized mistakes, probably explains why the vast majority of flights land uneventfully. This occurs routinely despite the inherent complexities and the ecology of action that generate a body of threats that are almost certainly never seen. The easiest example of such a strategy is the stable approach, protecting aerodynamic, altitude, performance, and residual-attention margins all together, regardless of whether any particular threat has been identified. Strategy creates arguments of action which guide the recursive processes of self-regulation, aiming the inherently human auto-organization squarely at executing responsibility and successfully completing the mission.
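The stable approach can itself be written as a set of margin gates. The fragment below is a hypothetical sketch; the criteria are representative of common industry guidance on stabilized approaches, but the exact values vary by operator and are assumptions here:

```python
# Hypothetical stabilized-approach gate; the numbers are representative of
# common industry guidance, not any specific operator's criteria.
def stable_at_gate(ias_kt: float, vref_kt: float, configured: bool,
                   sink_fpm: float, on_path: bool) -> tuple[bool, dict]:
    checks = {
        "speed": vref_kt <= ias_kt <= vref_kt + 20,  # aerodynamic margin
        "configured": configured,                    # airworthiness margin
        "sink rate": sink_fpm <= 1000,               # altitude margin
        "on path": on_path,                          # lateral/vertical profile
    }
    return all(checks.values()), checks

ok, detail = stable_at_gate(ias_kt=138, vref_kt=130, configured=True,
                            sink_fpm=750, on_path=True)
print("Stable, continue" if ok else f"Not stable, go around: {detail}")
```

Note that the gates protect the margins directly; no particular threat needs to have been identified for the check to do its work.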
With a comprehensive understanding of strategy in place, the crew is also well positioned to manage situations in flight… specific risks. Routine specific risks such as deviation around thunderstorms and diversions to alternate airports are largely managed through the application of strategy. Morin also points out, quite importantly, that while short-term programs (such as standard operating procedures) work well in a stable environment, they can become stuck in unstable environments. He argues that strategy must always prevail over program; in the cockpit, this means that the protection of all applicable margins must prevail over the SOP if that SOP has become stuck, and threatens a critical margin.
This speaks directly to Amalberti’s notion that “aviation operations cannot be entirely specified through standardized procedures, programs, and the like.” For example, in cases such as Qantas 32 and Southwest 1380, the modification of strategy in response to chance, information, change of context, hazards and threats ensured that standard operating procedures, such as managing ECAM warnings or a standard engine-out landing configuration of flaps 15, did not become stuck, so to speak, thereby protecting critical margins of safety.
The transition from Amalberti’s normative approach to training to the ecological approach may better capture the aim of the paradigm shift described in the EBT introduction, moving from a “black-box”, closed-control-loop repetition of known events to a paradigm founded on completely unexpected events, anchoring the focus on probabilistic risk. In fact, it is likely that optimizing the ecology of the system is precisely what flight crews are doing, and always have been doing, during the significant amounts of time and energies they dedicate to the application of countermeasures to ensure margins of safety are protected during flight operations.
With all of this in mind, we may be able to better define the objective stated in the ICAO EBT manual, changing the wording to read:
Mastering a finite number of competencies should allow a pilot to construct, modify and execute the necessary strategies to ensure that the safe outcome of the flight is never manifestly in doubt, while always protecting the margins in anticipation of uncertainty.
We can also better describe the effectiveness of a flight crew’s ability to manage threats in this way:
Regardless of whether threats are expected, unexpected, or latent, one measure of the effectiveness of a flight crew’s ability to manage threats is the construction of strategy to protect the margins of safety, respect constraints, and avoid recognized mistakes, and the modification of that strategy in response to random incidents, chance, initiative, decision, the unexpected, the unforeseen, and awareness of deviations and transformations.
These revised statements capture both specific and probabilistic risk.
There should be little doubt that a comprehensive understanding of threat-and-error management, together with the competencies described within the EBT footprint, represents a substantial toolset for managing the complexity inherent in contemporary aircraft design and the associated socio-technical system. The challenge is to continually question the narrative within which those competencies are described, and ask ourselves: what story are we telling? Because a frame of reference that attempts to capture the spirit of Safety-II while using the language of Safety-I will not achieve Safety-II goals.
[1] International Civil Aviation Organization, Procedures for Air Navigation Services – Training, Document 9868, Third Edition, 2020
[2] International Civil Aviation Organization, Manual of Evidence-based Training, Document 9995, First Edition, 2013
[3] International Air Transport Association, Evidence-Based Training Implementation Guide, First Edition, July 2013
[4] U.S. Civil Aeronautics Authority, Civil Aeronautics Bulletin No. 5, Flight Instructor’s Manual, June 1, 1939
[5] Jerome Bruner, Actual Minds, Possible Worlds, Harvard University Press, 1986, Chapter 2, “Two Modes of Thought”
[6] Ibid.
[7] Ibid.
[8] Ibid.
[9] International Civil Aviation Organization, Document 9995
[10] International Air Transport Association, Evidence-Based Training Implementation Guide
[11] Erik Hollnagel, Robert L. Wears, Jeffrey Braithwaite, “From Safety-I to Safety-II: A White Paper”, published by the authors, 2015
[12] Ibid.
[13] Theodore Baumeister, Editor, Marks’ Standard Handbook for Mechanical Engineers, Seventh Edition, McGraw-Hill, Inc., 1967
[14] International Civil Aviation Organization, Document 9995
[15] Hollnagel, “From Safety-I to Safety-II: A White Paper”
[16] Ibid.
[17] International Air Transport Association, Evidence-Based Training Implementation Guide
[18] Edgar Morin, Seven Complex Lessons in Education for the Future, United Nations Educational, Scientific and Cultural Organization (UNESCO), November 1999
[19] Ibid.
[20] Karl Weick and Kathleen Sutcliffe, Managing the Unexpected – Sustained Performance in a Complex World, Third Edition, Wiley, 2015
[21] International Civil Aviation Organization, Document 9995
[22] International Civil Aviation Organization, Safety Management Manual, Document 9859, Fourth Edition, 2018
[23] Flight Safety Foundation, Learning from All Operations, Concept Note 2 – Systems Approach, March 2022
[24] Major David J. Blair, USAF, Captain Nick Helms, USAF, “The Swarm, the Cloud, and the Importance of Getting There First”, Air and Space Power Journal, July-August 2013
[25] Rene Amalberti, Training Situation Assessment and Decision Making – A Rule Making Approach, PowerPoint presentation, https://www.slideserve.com/elkan/amalberti, March 14, 2022
[26] Ibid.