根據統計,過往大部分空難的原因都是人為錯誤。所謂的人為錯誤,不是只有飛行員操作失誤,可能是飛機設計有瑕疵,也可能是維修、裝載或航管的錯誤。一連串的錯誤如果不斷累積,最後就釀成大禍,這就是著名的瑞士乳酪理論(Swiss Cheese Theory)。 延伸閱讀:《知識》飛航管制系統的「抗誤」及「容錯」設計
該理論將事故的發生比作瑞士乳酪的孔洞:每片乳酪都有孔洞,代表著潛在的危險因素;當多片乳酪疊加在一起時,孔洞可能會連成一線,讓意外發生。瑞士乳酪理論認為,事故的發生不是單一原因造成的,而是多個因素共同作用的結果。因此只要有其中一個危險因素被排除,就能避免空難發生。
飛行員的訓練,對於飛航安全相當重要。全世界每個地區都有各自不同的飛行訓練方式及要求。總體而言,美國的航空公司在招募飛行員時,對實操經驗要求更高,飛行員的飛行小時數至少要達到1200小時。而在錄取後,駕駛員只能從小飛機的副駕駛做起,逐步積累經驗後才能進入大型飛機的駕駛艙,這是一個漫長的過程。相較之下,歐洲航空公司對飛行經驗的要求較為寬鬆,飛行員只需滿足300-400個小時的飛行時間後,就可以成為副駕駛。延伸閱讀:《知識》如何成為航空公司飛行員?FAQ整理
另外,駕駛艙資源管理(Cockpit Resource Management, CRM)也是一個重要的議題。空難新聞中,經常可以看到,調查人員質疑失事飛機的駕駛艙資源管理是否出問題。駕駛艙資源管理是一種飛行安全管理方法,主要核心是強調飛行員之間可以很順利地協作、溝通、決策和解決問題的能力,目的是減少人為錯誤而產生嚴重後果。延伸閱讀:《知識》什麼是駕駛艙資源管理(Cockpit Resource Management, CRM)?
例如,1972年的美國東方航空401號班機空難,一架機齡只有四個月的洛克希德L-1011三星式客機,卻在降落邁阿密機場時墜落在附近的沼澤中,機上176人有101不幸罹難。調查發現,空難發生原因居然是因為一顆燈泡!原來當天夜晚東方航空進場,放下起落架時,鼻輪的指示燈卻沒有亮。當時駕駛艙內有四個人(正副駕駛、飛航工程師,以及一位搭便機的維修工程師),大家卻把焦點放在研究燈泡到底有沒有故障。機長在過程中不慎碰觸到駕駛盤,導致自動駕駛解除,飛機就在無人操縱的情況下,以淺角度逐漸下降。此時外界漆黑一片,看不出離地愈來愈近,又沒有人持續關注高度表指數。航管人員雖然發現飛機高度降低,但認為組員應該曉得狀況。直到最後發現高度太低,已經來不及反應。 這起事件除了使得航空公司開始正視,駕駛艙內組員彼此的分工職掌,必須要有明確的界定,例如由誰主飛,由誰負責對外聯絡、注意周遭狀況等。此外,在美國聯邦航空署(FAA)的要求下,地面接近警告系統(GPW),從1974年起成為民航機的標準配備。 延伸閱讀:《知識》避免飛行時撞山,飛機的「近地警告系統」
2009年,法國航空477航班A330客機由巴西里約飛回法國途中,在大西洋上空神秘失蹤。法航與空中巴士花了近兩年的時間,才在海底找到殘骸,並將黑盒子打撈上岸。分析內容才發現,當時機長正在休息,飛機又飛進了暴風雨,低溫環境導致機身迅速結冰並阻塞了飛行速度監測器,導致飛機失速,也就是升力不足,飛機開始掉高度。 從黑盒子資訊發現,駕駛艙內前後出現高達74次的失速警告聲,飛行員為何卻都沒有注意?因為一般正常情況下,飛機失速後機首應該會下垂,但是機頭卻始終保持上揚,完全不是失速狀態應有的姿態,使得其他資深機師誤認為,電腦可能發出錯誤警報。不曉得真正原因是,緊張過度的副駕駛,始終死命向後拉著駕駛桿,導致飛機雖然失速,卻始終維持機首上揚姿態。 結果,這架飛機一路維持乍看像是爬升姿勢,其實不斷向下跌,因為時速已經低到不足100海里,從37000呎一直掉到海面。其他機員終於瞭解問題所在時,剩餘高度已經不足以挽救。面對緊急情況,右座副駕駛因經驗不足,錯誤地將操縱桿使勁往上拉,左右駕駛座飛行員不同方向的操作互相抵消,導致飛機在失速狀態沒有進行任何的姿態改變,最後導致悲劇發生 。
這起事件也引發了人們對飛機操控桿設計的批評,因為它沒有考慮到飛行員反向操作的訊號抵消問題。空中巴士的操縱桿被分別設置在正副駕駛座的左右兩側,飛行員在駕駛時不易察覺對方操作,當正副駕駛的拉桿方向相反時,就會出現操作抵消的結果。而波音的操控桿被設置在飛行員身體的正前方,機長可以看到副駕駛的操作,當出現相反操作時,機長可以要求副駕駛放開操縱桿。哪一種設計更合理? 空中巴士和波音各自都給出了充分理由,這是非常複雜的問題。只是在緊急情況下,側方操縱桿的設計為正副駕駛之間的操控協調增加了挑戰,對飛行員在緊急情況下的操控能力要求更高。延伸閱讀:《影片》機器人在模擬飛行中駕駛波音737成功降落
1985年,日本JL123航班撞山事件,全機524人只有4位生還,創下單架飛機失事最慘重的死傷數字。飛機失事的原因,是由於這架波音747於1978年一次落地時仰角過高,導致機尾觸地摩擦損壞。波音公司維修時打鉚釘的方式錯誤,導致承受力不足。接下來七年不斷起落,機艙內外的壓力差的應力造成金屬疲勞,最後終於爆裂,由加壓機艙衝出的氣流灌入垂直尾翼內部,導致尾翼也爆破飛脫,更一併扯斷所有液壓管路,使得飛機失控墜毀。
1979年,美航AA191航班的DC-10客機,從芝加哥歐海爾機場起飛,就在拉起機頭升空時,左翼發動機突然脫落飛走。飛機墜毀在機場外,全機271人都死亡,外加地上兩位民眾。調查結果發現,由於航空公司自作聰明,發明出以堆高機來拆卸引擎的方式,但是在將引擎掛架以螺栓固定在機翼上時,堆高機無法把引擎對準每一個螺栓孔的位置,因此多少需要一些蠻力才能上緊螺栓,如此一來導致結構受損,終於導致在起飛時斷裂。
1996年超值航空VJ592,則是在貨艙中攜帶了一批空的氧氣罐(Oxy Cannisters)。然而飛機上的緊急氧氣,其實並非靠一般的鋼瓶來提供,而是利用化學藥劑合成,過程中除了釋放氧氣,也會產生高熱,因此四周會有隔熱裝置。從飛機上取下之後,也要套上安全帽栓,以免藥劑混合發生反應。 當天VJ592的貨艙裡,載了一批另一架飛機上拆下的過期氧氣製造器,但卻沒有套上帽栓,裝載人員也沒注意到危險性。結果在飛機滑行與起飛的顛簸中,部分氧氣產生器就被啟動,高熱引燃了紙箱等包裝材料。由於貨艙是全密閉空間,即使失火也會立刻因氧氣耗盡而熄滅,但這次卻不斷源源製造氧氣,導致機艙內火勢一發不可收拾。駕駛員即使試圖緊急返場降落,但半路上就失控墜毀。
2018年印尼獅子航空JT610航班與2019年衣索比亞航空ET302航班發生空難,合計346人喪命。兩起空難共同點是飛機皆為波音737 MAX 8,一款波音的新型飛機。最後調查失事原因是操控特性增益系統 (Maneuvering Characteristics Augmentation System, MCAS)的設計瑕疵,導致飛機正常飛行時,電腦誤以為攻角過大,讓飛機向地面俯衝墜毀。延伸閱讀:《知識》關於波音737 MAX事件「操控特性增益系統 (MCAS)」與波音企業文化的轉變 The Boeing 737 MAX Accident and the Transformation of Boeing's Corporate Culture
相對於其它交通工具,民航機其實也算是相對安全。在經歷多次失事的慘痛教訓後,目前的飛機設計已經比過去更安全,航空公司對飛行與維修人員的訓練也愈來愈紮實。希望空難發生的機會越來越低。
Why do Airplane Crashes Happen?
According to statistics, most airplane crashes are caused by human error. This can include pilot error, but it can also include problems with the design, maintenance, or loading of the aircraft, or with air traffic control. When a series of these errors occur, it can lead to a disaster. This is known as the Swiss Cheese Theory.The Swiss Cheese Theory compares the occurrence of an accident to the holes in a piece of Swiss cheese. Each hole represents a potential hazard. When multiple pieces of cheese are stacked on top of each other, the holes can line up, creating a path for an accident to happen.
The Swiss Cheese Theory suggests that accidents are not caused by a single factor, but rather by the combination of multiple factors. Therefore, if even one of these hazards is eliminated, it can help to prevent an airplane crash.
Pilot training is essential for aviation safety. Different regions around the world have different approaches to pilot training and requirements. In the United States, airlines generally require pilots to have at least 1200 hours of flight experience. After being hired, pilots start as co-pilots on small aircraft and gradually gain experience before moving on to larger aircraft. European airlines have more relaxed requirements for flight experience. Pilots can become co-pilots after meeting the minimum flight time requirement of 300-400 hours.
Cockpit Resource Management (CRM) is an important concept in aviation safety. It is a set of training procedures that help pilots work together effectively to avoid accidents. CRM emphasizes the importance of communication, cooperation, and decision-making in the cockpit. CRM is important because it helps to reduce the risk of human error. When pilots are able to communicate effectively, share information, and make decisions together, they are less likely to make mistakes.
In 1972, Eastern Air Lines Flight 401 crashed into the Everglades near Miami, Florida. The plane was a Lockheed L-1011 TriStar, only four months old. 101 people were killed. The investigation found that the crash was caused by a light bulb. When the plane was landing, the light bulb that indicated that the nose landing gear was down didn't light up. There were four people in the cockpit: the captain, the first officer, the flight engineer, and a maintenance engineer who was riding along. They all focused on trying to figure out why the light bulb wasn't working. In the process, the captain accidentally touched the autopilot controls, disengaging them. The plane began to descend gradually, without anyone controlling it. It was a dark night, and the crew couldn't see that they were getting closer and closer to the ground. No one was paying attention to the altimeter. Air traffic controllers saw that the plane was losing altitude, but they assumed that the crew knew what they were doing. By the time they realized that the plane was too low, it was too late. This accident led to several changes in the aviation industry. First, airlines began to emphasize the importance of clear communication and teamwork in the cockpit. Second, the Federal Aviation Administration (FAA) required all commercial aircraft to be equipped with ground proximity warning systems (GPWS).
In 2009, Air France Flight 447, an Airbus A330, disappeared over the Atlantic Ocean while en route from Rio de Janeiro, Brazil to Paris, France. It took nearly two years for Air France and Airbus to find the wreckage on the seabed and recover the black boxes. Analysis of the black boxes revealed that the captain was resting at the time, and the plane had entered a storm. The cold temperatures caused the airframe to ice over quickly, which blocked the airspeed sensors and caused the plane to stall. This means that the plane did not have enough lift to stay in the air. The black boxes also revealed that the cockpit received 74 stall warnings. Why didn't the pilots notice? Under normal circumstances, when a plane stalls, the nose should drop. However, the nose of Air France Flight 447 remained pointed up, which is not what happens in a stall. This led other experienced pilots to believe that the computer was issuing false warnings. What they didn't know was that the co-pilot, who was overwhelmed by the situation, was pulling back on the stick too hard. This kept the nose of the plane up, even though it was stalled. As a result, the plane appeared to be climbing, but it was actually falling. The airspeed had dropped below 100 knots, and the plane fell from 37,000 feet to the ocean. By the time the other pilots realized what was happening, there was not enough altitude left to save the plane. In an emergency, the inexperienced co-pilot pulled up on the stick too hard, while the pilot in the left seat tried to push down. The conflicting inputs from the two pilots prevented the plane from recovering from the stall, and the tragedy resulted.
The crash of Air France Flight 447 also raised questions about the design of the Airbus sidestick. The sidestick is a small joystick that is located on either side of the cockpit. This design allows for more space in the cockpit and makes it easier for pilots to reach the controls. However, it also means that pilots cannot easily see what the other pilot is doing. In the case of Air France Flight 447, the co-pilot was pulling back on the sidestick while the captain was pushing down. This conflicting input prevented the plane from recovering from the stall. This incident has led to criticism of the Airbus sidestick design. Some people argue that the side-by-side location of the sidesticks makes it difficult for pilots to coordinate their actions in an emergency. They also argue that the sidestick is too sensitive and can be easily over-controlled. Airbus has defended the sidestick design, arguing that it is safe and efficient. The company says that the sidestick allows for more precise control of the aircraft and that it is less likely to cause fatigue than a traditional yoke. Boeing, on the other hand, uses a traditional yoke in its cockpits. The yoke is a large, circular control wheel that is located in the center of the cockpit. This design allows pilots to see what the other pilot is doing and to coordinate their actions more easily. So, which design is better? There is no easy answer to this question. Both the Airbus sidestick and the Boeing yoke have their own advantages and disadvantages. Ultimately, the best design for a particular aircraft will depend on a number of factors, including the size and type of the aircraft, the airline's operating procedures, and the preferences of the pilots.
In 1985, Japan Air Lines Flight 123 crashed into a mountain, killing 520 people and injuring 4. It was the deadliest single-plane accident in history. The crash was caused by a series of events that began in 1978, when the Boeing 747 involved in the accident made a hard landing. The impact caused damage to the rear pressure bulkhead, which was repaired by Boeing using faulty rivets. Over the next seven years, the stress of repeated pressurization and depressurization cycles caused the metal in the bulkhead to fatigue. Finally, the bulkhead ruptured, causing a sudden decompression of the cabin. The escaping air rushed into the vertical stabilizer, causing it to break off. This also severed all of the aircraft's hydraulic lines, rendering it uncontrollable. The plane crashed into a mountain, killing all but four of the people on board. The crash of Japan Air Lines Flight 123 led to a number of changes in the aviation industry. Boeing redesigned the rear pressure bulkhead on the 747, and airlines began to implement more rigorous maintenance procedures. The accident also highlighted the importance of proper training for flight crews in dealing with emergencies.
In 1979, American Airlines Flight 191, a McDonnell Douglas DC-10, crashed shortly after takeoff from Chicago's O'Hare International Airport. All 271 people on board were killed, as were two people on the ground. The investigation found that the crash was caused by a design flaw in the way the engine was attached to the wing. American Airlines had developed a new method of using a forklift to remove and install engines, but this method did not allow for precise alignment of the engine with the bolt holes in the wing. As a result, the bolts had to be tightened with excessive force, which eventually caused the structure to fail. The crash of American Airlines Flight 191 led to a number of changes in the aviation industry. McDonnell Douglas redesigned the engine attachment system on the DC-10, and the Federal Aviation Administration (FAA) issued new regulations governing the maintenance of aircraft engines.
In 1996, ValuJet Flight 592 crashed into the Everglades, killing all 110 people on board. The crash was caused by a fire in the cargo hold, which was started by a shipment of oxygen generators that were not properly secured. The oxygen generators were being transported from one aircraft to another. They were not equipped with safety caps, and they were not properly secured in the cargo hold. As the plane taxied and took off, the vibration caused some of the oxygen generators to start operating. The heat generated by the oxygen generators ignited the cardboard boxes and other packing materials in the cargo hold. The cargo hold is a sealed space, and a fire would normally extinguish itself due to lack of oxygen. However, the oxygen generators continued to produce oxygen, which fueled the fire. The fire quickly spread out of control and the pilots were unable to save the plane. The crash of ValuJet Flight 592 led to a number of changes in the aviation industry. The FAA issued new regulations governing the transportation of hazardous materials, and airlines began to implement more stringent safety procedures.
In 2018 and 2019, two Boeing 737 MAX 8 aircraft crashed, killing a total of 346 people. The crashes were caused by a design flaw in the Maneuvering Characteristics Augmentation System (MCAS). The MCAS was designed to prevent the plane from stalling. However, it had a design flaw that could cause it to activate even when the plane was not in danger of stalling. This caused the plane to pitch down, or nose down, without the pilots' input. In both crashes, the pilots were unable to recover from the MCAS activation. The planes crashed into the ground, killing everyone on board. Read More: The Boeing 737 MAX Accident and the Transformation of Boeing's Corporate Culture
Commercial aviation is a relatively safe mode of transportation. Despite the occasional accident, the overall safety record of the aviation industry is very good. Of course, no system is perfect, and there will always be the risk of accidents. However, the aviation industry is constantly working to improve safety, and the overall trend is towards a safer and more reliable air travel system.
