Why are many parts of an airliner required to be triplicated, but not the "parts" most likely to malfunction (i.e., the pilots)?

Question

Many components of airliners are installed with three redundant systems to reduce the risk of equipment failure causing accidents. However, there are only two of the "components" most likely to "malfunction" and cause an accident: the pilots. Why are there not three pilots to match the triplicated redundancy of other critical systems?

Answer 1

Triple redundancy is often used when you need to know correct value even in case of single failure. Think (airspeed) sensor for example. (But the same can apply to output of flight computer or any other value in system.) The sensor has no (completely reliable) self-diagnostic, it is simply outputting one number. With only two sensors, one of which is malfunctioning, you get two different numbers and can't know which is the correct one. Average or any other "merge" will be for sure incorrect. With three sensors, you can sort the values by magnitude and take the middle one. It will be close to "correct" even if one sensor gone wild.

It is not intended for situations where 2 of three systems fail (because if failure rate is so high, that failing two systems simultaneously has still non-negligible chance, then failing all three won't be too far away). If you can isolate and identify failed system, double redundancy is sufficient. Or if it is enough to know "something is wrong", because there is particular action to be taken in response which is always safe.

Tricky part with failing systems is to know which has failed (and that it has failed). And here is triple redundancy and voting an useful approach.

Piloting of airplane is not decided by "voting", so adding a third pilot would not help in this sense. For human interaction and time-critical situations, having third independent opinion, even if maybe useful in theory, tends to not turn out so well in practice. I would expect (personal opinion only) that having three "redundant" pilots would make it less safe.

Answer 2

Having three or more pilots on board does indeed offer a wider margin of safety than two. This is called "augmented crew". Augmented crews are mandatory on long-range flights to meet crew rest requirements, and also happen as a side effect on check-rides. They are also universally used, even if not mandated, on acceptance flights, early in the life of the new model, and on many non-standard flights.

This study details the performance of augmented crews extensively.

Additional pilots in an augmented crew don't have controls and act in an advisory or supervisory capacity. More than two sets of controls aren't necessary, and they would enlarge the flight deck, increase its cost, complicate control mixing, and possibly have a negative psychological effect when a regular 2-pilot crew is used.

The tradeoffs against mandating a larger crew are:

• Cost: Pilot hiring, training, currency, and of course pay
• Dispatch reliability: It's easier to get 2 pilots available than 3
• Extra weight: Permanent station and rest areas for larger augmented crews

Pilot error can be both of a positive nature (taking the wrong action) and a negative one (failing to take the right action). Augmented crews improve the latter and help catch the former. Three sets of controls might have prevented one or two conflicting input accidents that have happened, but could also slightly increase the rate of positive errors.

Overall, commercial aviation is a field of tradeoffs. More crew members can be useful, but they cost more as well. It's done when necessary. So far, the accepted compromise is to provide two sets of controls, but include jump seats to augment the crew occasionally.

P.S.

Personally, I feel that there is room for improvement in cockpit tech. AR helmets, as used in the military, can help in zero visibility and replace smoke hoods. ML can be used to augment autopilots with human input derived models, for higher autonomy. But overall the level of safety is good already, so it's not a priority in commercial design.

Answer 3

The short answer is humans have more means to tell whether another person is making mistakes, compared to systems with limited, and predetermined, functions and test capabilities.

On the other hand it's not exact the common aerospace rule is triple redundancy. Actuators are as important as the pilots, they are needed to execute pilot orders, still most actuators are not triple-redundant.

The triple-redundancy is first used for sensors and computers, when you can't decide if a sensor/computer is delivering wrong data unless you can compare with (not one but) two other.

Before answering your question, let's keep in mind a reality: Risks cannot be completely mitigated.

Basic principle: Statistical significance

Any engineering activity is imperfect, and failures are expected to occur. The rate of failures can be further limited by adding protections. But protection design, implementation and maintenance have a cost.

A balance has to be found between cost, failure likeliness/consequences. This is globally known as risk management, and this is based on statistics.

The manufacturer, the operator, the crews and the passengers have no choice but to accept the unmitigated risks. Of course nothing prevent a manufacturer to design more safe aircraft, but usually this means a higher price and less sales.

However in order to protect crews, passengers and public, this industry is regulated to limit the residual risks to an acceptable likelihood. If we judge by the current frequency and consequences of incidents and accidents, this industry if by far safer than most other activities.

Current techniques used for risk mitigation include both the triple redundancy and the two-pilot crew.

Triple redundancy: Need arbitration

If you have only two systems and they disagree, can you tell which one is wrong?

You can't know. You need a third one to bring out a majority. From Wikipedia:

In this case you will assume the majority is right. This assumption is most of the time right, though this is not guaranteed, and accidents have happened due to simultaneous errors occurring in triple-redundant systems.

Pilots: Crew resource management

Most large aircraft can be handled by a single pilot, though in a degraded way. Having two pilots is already a mitigation for pilot incapacitation. The statistics for both pilots incapacitation is insignificant despite being common in movies.

For pilots, there is no need to have a third pilot to know if the other is starting to make mistakes, or is failing to react. One pilot, assuming he/she is not incapacitated, can evaluate the condition of the other and take control over if required.

In case of doubt a discussion can occur to clarify the situation and decide what to do. This possibility is at the base of crew resource management, and doesn't require a crew of three.

This is not a perfect process, but triple-redundancy isn't either. It's not clear whether involving a third pilot in the process would be real improvement, e.g. an unnoticed slow depressurization may affect the third pilot as well.

Actuators: Rarely tripled

Beyond decision making, there is the special case of actuators, to execute the decision. E.g. after a flight controller has determined what to do with the ailerons, the corresponding action must be triggered. Of course the corresponding actuators can fail.

Some of the important actuators are actually dual, e.g. both electric and hydraulic (hybrid actuators). But they are rarely tripled:

Source.

The preference in case of total failure of an actuator (or in the transmission chain) is to use other actuators on other surfaces to get a more or less equivalent result. This is the principle used by Airbus with the control law reconfiguration:

See this answer for Airbus laws.

E.g. if the ailerons actuators have failed, or the ELACs controllers, using SECs controllers and spoilers is a bypass.

Answer 4

Props to Therac for mentioning it, but a large number of these answers sidestep or ignore a very important point: everything must be a calculated tradeoff. Especially in commercial airline operations, every decision is made in terms of cost and benefit.

It may be nice to think that anyone may practice, "safety at any cost." However, this is not reasonable.

The safest option is not to fly.

To prevent airliner crashes, prevent airliner flights. This doesn't work out for a commercial airline. The whole point of the business is to fly people around. There are already trains and buses, which serve other purposes and have other advantages and disadvantages, for various reasons. An intentional choice is made, to be unsafe, and fly people around in pressurized metal tubes.

(I am not ignoring that commercial aviation is much safer than many other modes of transportation. Taking a human being off the ground, especially at Mach 0.8, is just inherently a risk, regardless how much you make it safer.)

Why stop at 3?

If you make the argument that 2 pilots is not enough, why do you think that 3 will solve all of the problems? Why not 4, or 7, or 118?

The existing number, 2, isn't arbitrary. Decades of experience has shown that for an average commuter hop, 2 pilots minimizes the dollars per safely arriving customer. Other longer flights are staffed differently.

Adding another pilot (or flight engineer, navigator, etc.) costs a lot of money. I suspect most passengers would answer no to:

If I charged you 650 instead of 300 for your 1-hour flight, and instead of a one-in-a-million chance of dying in a plane crash, you had a one-in-a-trillion chance, would you pay extra?

(The numbers are arbitrary but they're reasonable and demonstrative. Also most people are really bad at probability.)

Adding a third airspeed sensor also costs money. The amount of money it costs is way less though, and it provides a giant benefit when units 1 and 2 fail or give faulty readings. Redundant hydraulic systems are much more expensive, but commercial airliners tend to have them anyway because the benefit is sufficient to match the extra cost.

Note that this decision is also made very differently in military aviation because there are more and greater risks.

The more common solution to this problem is to make the airplane easier for a single person to fly (in the case of catastrophic failure of one of the pilots), and still be able to land in the case of a fairly significant problems. This solution is more common because there are many more means to solve it rather than requiring more pilots in the cockpit.

Answer 5

Some systems are "redundant" only two deep, or not redundant at all.

One or two engines. Two wings. One rudder. One nose gear.

Why aren't there "3" pilots? Because many decades of commercial airline ops have shown it to not be necessary.

Answer 6

It is a common mathematical problem in aerospace industry (especially in space industry), how to protect your system against component failure. And the solution to the problem is well known. And there are many solutions. If you need to protect your system from a component failure triplicate the number of components is not enough (although there is an exception). Say you want to protect your aircraft from a failure of a computer measuring the flight speed. You need at least four computers to be able to establish the real flight speed in case of a failure of a single computer.

A more general answer is you need 3n+1 computers to mitigate the failure of n computers.

And you can't just pick the mean, median, or mode of the results of all four computers. There is an algorithm to establish the correct answer. As I said, there are many well known, ready made, easy to find algorithms.