Flight safety

Safety-II: the brand new concept of the “complex” Swiss Cheese Model 2/2

Here is the 2nd part of Captain Pierre Wannaz blog article about the Swiss Cheese Model. Pilot training and pilot debriefing are some linchpins of flight safety. Let’s discuss openly this subject before the World Aviation Training Summit (WATS) 2019 with this new blog series published every Tuesday!
By Capt. Pierre Wannaz - Apr 09, 2019

Part 2/2: A closer look at a tragic accident: lessons learned

#PilotTraining #LineTraining #FlightSafety #SafetyII #SwissCheese #CRM #investigation #FlightDebriefing #incident #accident #prevention #APilotsView

Through the Swiss cheese plates… Facts & suppositions

After last week’s article, let’s take a concrete and hard example.

A few years ago, an A330 has been lost over the Atlantic while crossing the ITF (Inter-Tropical Front, an area with huge thunderstorm clouds), having his pitot tube obstructed by ice for a short period of time.


Applying the Safety-II approach concept, what could have been influenced (with a more resilient system)?

Let’s see what happened chronologically and applied with Safety-II, all the “could” below would be outcomes, green in the graph above that would have been stopped by the next safety plate:

1. Approaching the ITF, the copilot on the right seat expressed some concern to the captain about the weather ahead. It was almost at the same time when the captain was allowed to go for his rest.

  • Could the captain have stayed longer in the cockpit during the crossing of this severe weather area?
  • Could the control have been given to the other copilot who had much more experience?
  • Could the captain have made a detailed briefing about his strategy on how to cross the ITF?

The crew action (orange in the graph above) let the aircraft pass through the 1st safety plate!

2. Approaching the ITF, a massive thunderstorm area was located on the foreseen route and the crew started a deviation of their intended flight path.

  • Could they have deviated to the right instead of to the left?
  • Could they have deviated at a larger distance of the cloud system than what they did?
  • As other traffics were on the same route and took much more drastic deviations, would they have followed these successful flight paths too?

… The crew action let the aircraft pass through the 2nd safety plate!

3. Then, the aircraft arrived in an area with ice crystals or very high humidity and the pitot tube got stuck with ice for a short moment. In this complex situation, with a lot of warnings and degradation of flight laws, the crew actions led to the loss of the A330.

If the first two subjects are resilience points based on what can be learned from the experience and crew resource management, the third point is much more complex to solve.

How could the flight safety department raise the resilience of a crew confronted with a sudden demanding and complex situation?

A pitot tube is a mechanical device that in many circumstances can be stuck. Ice or heavy precipitations, volcanic ash, bird strike, insects in the tube, ice accretion or any form of aerodynamic disturbance in front of the pitot position will lead to erroneous Air Data values!

It is basically not an aircraft problem, all planes worldwide are still using an almost 300-year old system invented in 1732 by Mr. Henri Pitot and this very old technology is used to feed information in a modern digital computer.

On the A330 fleet, previous to the above-mentioned accident, dozens of similar cases of stuck pitot tubes had been reported.

Pilots' nominal reactions to an event Safety-I to Safety-II

As the involved crew successfully solved the problem, they did react in the “green part” of the graph above showing pilots’ nominal responses to an event. The industry didn’t catch the real challenge and difficulty of such a situation.

The way to solve an “unreliable airspeed” situation seems to be extremely simple out of the books:

  • Switch OFF autopilot / FD
  • Switch OFF Autothrust
  • Fly a PITCH and a given POWER

The reality in this situation is much more complex to fly as it seems. A modern aircraft is a network of computers, many of them use air data as a source of information. If the information of the air data is corrupted, many systems will display a failure message or worse, just react erratically.

In the numerous cases reported prior to the crash, a few pilots confronted to unreliable airspeed massively overperformed, they immediately realized the situation, applied the correct procedure. As in all cases reported, the indicated airspeed is usually available within 2-3 minutes maximum. In the case of the lost aircraft, the first speed indicator that recovered correctly was just after about 30 seconds.

On the other side, many pilots wrote reports mentioning the initial confusion, the startle effect they had during the first seconds.

What could have been learned from these pilots to enhance safety?

It is a fact. Today’s safety approach (Safety-I) didn’t realize the potential danger of the loss of data from the air data systems despite the numerous reports. They were not located in the “red square” of the graph above, the actual focus of Safety-I, and so went ignored or at least not realized in their full magnitude.

Reporting on written form (today’s approach) via the “Safety Management System” didn’t catch the severity of such an event, why?

  1. Firstly, because describing a dynamic situation in a written form is not easy. To make the complex and rapid sequence of events understandable is very difficult, if not almost impossible.
  2. Secondly, these reports are only based on pilots’ memory that was most probably quite saturated during such an event. The quality of these reports is limited to what the pilots realized from the sequence of events.
  3. Thirdly, the reports are in the multicultural environment of the airline, sometimes written in a different language than the mother tongue, thus missing all the “finesse” and sensitivity as the way to express is being always limited in a foreign language. The reports are mainly only based on facts (easy to express) and not on the pilot’s perception of an event. The threat, based on subjective perception, is not realized to its full potential.
Safety-II is here the way to understand and a solution exists, thanks to flight data animation

implementing the Safety-II approach

I am convinced that a visual representation of such an event is the best way to fully realize and explain what happened, what is the cascade of problems and failures and what are their consequences.


Most airlines already have some form of visualization system used by the flight safety department like CEFA FAS. Apparently, these systems with the current Safety-I approach have not always been used in their full potential to present better and more didactic animation.

With CEFA AMS, a flight data animation service made available on pilots’ tablets right after landing, each pilot is in a position to replay an event on his own! The quality of reports will be massively increased by being able to replay and understand the whole situation.

Imagine the potential improvement, in a non-punitive environment, that such an animation can bring. Possibilities are numerous:

  • sharing the animation with the flight safety department, in order to have those colleagues aware of the complexity of events that are located in the “green range” (see graph above) and today ignored with Safety-I – thus allowing the subjective perception and the real potential danger of a situation to be fully realized!
  • having the possibility to share the experience by showing an animation. Why not imagine a forum displaying such experiences in an anonymous way within the airline or even via the manufacturer to the entire pilot community…
  • having our electronic computer flight bags with dynamic links in the FCOM (Flight Crew Operating Manual) or in the QRH (Quick Reference Handbook) that could show us an actual example to realize the real-time dynamic and complexity of some technical problems that seem today unfortunately and erroneously so easy to solve out of the books.

By combining today’s technology with an efficient reporting system using animation and by implementing the Safety-II approach concept, the potential to improve flight safety can be easily and massively enhanced, at low costs with the correct tools!


Now, what do you think? Share your personal thoughts in the comments below! Don’t forget to read the 1st part of this article. 

Also, you can come & discuss with Pierre personally on CEFA Aviation stand, booth #210 during the World Aviation Training Summit (WATS) in Orlando, USA, from 30th April to 2nd May 2019.

Next to be read:The resilience of pilots: a definition – how to enhance it?

Find all Pierre’s other articles gathered here.

You can also contact him via LinkedIn or via this link. Talk to you soon!