ROBOLandER Risks - some ATA Opinions


Let me attempt to reply to both Chris and Peter in one post:

[Chris]  The natural reaction of the operators of your systems is distrust.

True. But there are two sources of this distrust. One is a "normal" and healthy conservative attitude towards anything that one cannot be "in control" of. This is the one I think you are referring to. The other source of distrust is from ignorance. I do not find ignorance acceptable in any situation where someone must ask "whose life is on the line?" If one is ignorant and still chooses to use/employ some system/feature, then "Caveat Emptor" is all I can say to that! :-)

[Chris]  I also say that, as a professional pilot, I don't care about the pax behind me - it's my life that I always try to ensure will survive any scenario.

Similar to my philosophy when I am designing any feature that I know is/may be prone to hazards: "Would I accept this if I were in the seat?" There have been many times when I have flown a particular hazard in the sim and rejected the design approach simply because *I* did not feel comfortable. If *I* didn't feel good about it sitting in my cozy little sim, what would a pilot on the line think?

[Chris] This is the reason that new systems are always frowned upon by professional pilots. You will also find that, after they are proven to work and the failure modes are identified on the line, pilots are also some of the most technologically embracing professionals in the world.

There is a better way than simply accepting the "fact" that pilots will frown on anything new. And it is not just pilots, BTW. Most people are skeptical of something new if they have had no input (or at least visibility) into the design process. (Which, as I always point out, contains much of the "whys" for how a system operates). This is why I believe both pilots and controllers need to be "full-participants" in the global ATM design process. Line pilots and line controllers....not their management.

[Chris] Seeing both screens go blank as a simultaneous reboot of both FMCs as you depart into a terrain limited area with extensive thunderstorm activity is where we feel let down by the technology.

Perfect example of the safety/certification basis of a system! One of the primary reasons that this is permitted to happen (yes...PERMITTED by the design) has to do with the hazard level under which the system was certified. As a "rule of thumb", here are the hazard classifications under which several pieces of the flight control system may be certified:

Level C - Flight Management System (!)

Level B - Basic (fail passive) autopilot (no landing, limited APPR)

Level A - Full-up autoland

Again, these are "rules of thumb". All you technocrats out there avoid "correcting" me, for I know the details. I am trying to make this explanation somewhat easy. Now, these classifications for software-driven systems each have their own level of required testing. As you can guess, the level of testing required for a Level A system is MUCH MUCH more stringent than that of a Level C system. Hence, because the FMS is certified to a lower-level of criticality, it is acceptable (to the FAA, not necessarily to a line pilot) for the system to encounter an error where it may have to reset. You will find VERY few such errors in an autoland system (for obvious reasons). Typically, the only failures which would allow an FCC to "reset" would be ones where the potential hazard is total loss of control of a control surface. Thus, the certification basis is what permits FMCs to timeout.

[Peter] This does not mean that one cannot design reliable systems.

Thank you, this was my main point. And based on my experience I would amend your sentence to read "This does not mean that one cannot design *highly* reliable systems." You may not agree, but I've seen some awfully reliable (and fault-tolerant) systems that could meet their design requirements.

[Peter] The design process seems to be quite effective, but no operational data you can ever hope to collect can show that any system actually meets this 10**9 MTBF.

Now we are getting to the areas where having been through the design and certification process helps one understand the "real" goal and how you get there. MTBF is *not* the metric used to measure reliability of such critical systems as autoland. Rather, it is the combinatorial probability of catastrophic failure (not just any simple failure). I would bet that you already understand this Peter, but your quoting of MTBF would seem to indicate you do not. To illustrate the difference, an MTBF for any specific component means that it has suffered *a* failure (any failure). Whereas an autoland fault tree would ONLY consider that failure as how it may (or may not) apply to the top-event in the tree (i.e. catastrophic loss of the airplane during an autoland).

The other issue (which I know Peter is aware of) is "exposure time". This relates to the time during any flight cycle wherein the airplane is "exposed" to that hazard. Probabilities (and failure rates) in an autoland fault tree are tempered by this exposure time, because the only time during a flight where that hazard "matters" to the fault tree is during the approach/landing segment.

But now that we have cleared-up that a fault tree (and its safety analysis) is NOT based on mere MTBFs, I would hazard to guess (pun intended) that there IS indeed quite a bit of operational service data to support a <10^-9 probability of catastrophic failure during autoland. How many Fail-Op autolands have you ever heard of resulting in loss of control (much less loss of the airplane)?

[Peter] I happen to agree with Charlie's sentiment that automatic landing systems on plane-fulls of people without human control looks like a significant risk, given current standards and practices. Not that I have done the required analyses, though.

That's fine, that is your opinion, and thank you for clarifying that you don't have supporting data. Such opinions are the very reason we MUST do the safety analysis for any given design. My philosophy is "you tell me the hazards, then bring me the design details, and I will tell you if there is a hope of you minimizing specific (or average) risks." One can guess (or intuit) all they want as to whether some goal is achievable, but until you do the design, and evaluate, you don't really know, now do you? Down through history it has always been the job of pundits and analysts to tell someone "can't be done." But then some scientist or engineer has to ruin their day, by actually going out and DOING IT. :-)

[Peter] To repeat, no stats you can ever hope to collect can justify any assertion of 10**9 hours MTBF, unless you already knew that by analysing the design purely mathematically.

And again, don't confuse simple component reliability (MTBF) with the much bigger (and more complex) issue of hazard exposure and probability. Indeed, the whole MTBF issue is why AC 120-28C/D requires Fail Operative systems! We are aware that a component (like the FCC) may suffer a failure, and it may even be a failure that has a direct bearing on the potential for exposure to the catastrophic event.....so you put two whole (and independent) systems onboard to minimize the probability that BOTH systems will suffer the same failure at the same time. Furthermore, this is also why we use complex, dissimilar sensor monitoring...to prevent a single failure from making the system unavailable to complete its mission. If I can DETECT a failure, and disengage the one system that experienced the failure, I have significantly reduced the probability that said failure will cause the hazard event to occur.

Rainman
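A worked illustration, added here and not part of the thread, of the distinction drawn above between a component MTBF and the per-landing probability of the fault-tree top event: it converts an MTBF to a failure rate, scales it by the exposure time of the approach/landing segment, and evaluates a small AND/OR fault tree for a single-channel versus a fail-operative dual-channel autoland with monitor detection coverage. The tree structure, the 10,000 h MTBF, the 0.1 h exposure and the 99% coverage are constructed assumptions for the example, not certified figures; the optional common-cause event goes beyond the post to show how one non-independent event (such as the maintenance errors raised later in the thread) swamps the redundancy arithmetic.

```python
import math


def lambda_from_mtbf(mtbf_hours):
    """Constant failure rate (per hour) from a component MTBF, exponential model."""
    return 1.0 / mtbf_hours


def p_fail_in_window(rate_per_hour, exposure_hours):
    """Probability that a channel fails at least once during the exposure window."""
    return 1.0 - math.exp(-rate_per_hour * exposure_hours)


def evaluate(node, basic):
    """Evaluate a small fault tree.

    node is either a basic-event name (looked up in `basic`) or a gate
    ('AND' | 'OR', [children]).  Gate inputs are treated as independent, so a
    basic event shared by two AND terms under one OR is slightly overcounted
    (conservative).  OR uses the exact 1 - prod(1 - p), not the rare-event sum.
    """
    if isinstance(node, str):
        return basic[node]
    gate, children = node
    ps = [evaluate(child, basic) for child in children]
    if gate == "AND":
        return math.prod(ps)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate {gate!r}")


def autoland_top_event(mtbf_hours, exposure_hours, monitor_coverage,
                       fail_op=True, common_cause=0.0):
    """Probability of the top event 'loss of control during the autoland'.

    Simplified illustrative tree (an assumption of this example, not a
    certification model):
      F1, F2 : channel 1 / channel 2 suffers a failure during the exposure window
      U1, U2 : the dissimilar monitor fails to detect that failure
      CC     : a common-cause event that defeats both channels at once
               (e.g. a maintenance error replicated on both channels)
    A detected failure disengages only the failed channel.  Loss of control
    needs an undetected failure in one channel while the other channel is
    itself failed and so cannot take over, or the common-cause event.
    """
    p_fail = p_fail_in_window(lambda_from_mtbf(mtbf_hours), exposure_hours)
    p_undetected = 1.0 - monitor_coverage
    basic = {"F1": p_fail, "U1": p_undetected,
             "F2": p_fail, "U2": p_undetected,
             "CC": common_cause}
    if fail_op:
        tree = ("OR", [("AND", ["F1", "U1", "F2"]),
                       ("AND", ["F2", "U2", "F1"]),
                       "CC"])
    else:
        # Single channel (fail-passive): any undetected failure is the top event.
        tree = ("OR", [("AND", ["F1", "U1"]), "CC"])
    return evaluate(tree, basic)


if __name__ == "__main__":
    # Constructed inputs: 10,000 h MTBF per channel, 6-minute approach/landing
    # exposure, 99 % monitor coverage.  None of these are certified figures.
    MTBF, APPROACH, COVERAGE = 10_000.0, 0.1, 0.99
    print("raw per-hour failure rate   ", lambda_from_mtbf(MTBF))
    print("single channel, approach    ",
          autoland_top_event(MTBF, APPROACH, COVERAGE, fail_op=False))
    print("fail-op, approach only      ", autoland_top_event(MTBF, APPROACH, COVERAGE))
    print("fail-op, whole 2.5 h flight ", autoland_top_event(MTBF, 2.5, COVERAGE))
    print("fail-op + 1e-6 common cause ",
          autoland_top_event(MTBF, APPROACH, COVERAGE, common_cause=1e-6))
```

Run as a script it prints the five figures side by side; the common-cause line is the one to watch, since it shows the top-event probability collapsing to the common-cause value no matter how good the per-channel MTBF is.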

 

-----Original Message-----

From: ATA-bounce@@ATA.org [mailto:ATA-bounce@@ATA.org] On Behalf Of Raymond Hudderson

Sent: Tuesday, 2 October 2001 8:48 AM

To: ATA@@ATA.org

Subject: [ATA] Re: Passenger-Carrying UAVs

 

Todd wrote: (how's it going at MITRE these days?)

> The issue is not whether this capability can be developed - it's been done already - but rather whether the tens of millions of dollars per aircraft that such a system would cost....

Whoops! Gotta bring you (and your numbers) back to reality here, Todd. I think you are at least an order of magnitude too expensive in your guesstimate. I am quite sure that the modifications required to make an existing autoland aircraft capable of being "hijack-proofed" would be below even $10 million per copy. Especially if you were able to amortize the development Non-Recurring Engineering costs over a large number of airframes (like ALL of them).

Here is a good barometer for judging mod costs these days (and I need to be careful here so some folks don't get ticked-off at me for telling too much):

A certain operator was able to purchase an entirely new (glass) cockpit for their older, analog airplanes. Said mod included most of the big "bells and whistles" (CAT III, FMS, GPS, etc.). The unit cost of such a mod has less than 7 zeros on the left side of the decimal. (And this cost was obviously not amortized over the worldwide fleet).

That is all I will say.

Rainman

 

====== ATA Mailing-list : ATA@@ATA.org ====================

To change your address, be removed from the list, or web transfer

see http://www.ATA.org/unsub.html or mail mailing-list admin

Jim Messina <jmessina@@ATA.org>

see also http://www.ATA.org http://www.neosoft.com/~sky/ATA

 

David M. Jones wrote:

> Now you can shoot ME down. What am I missing?

[Ray Hudderson] I'm not here to shoot anyone down (in fact, my profession is quite the opposite!) :-) But I *am* here to impart some knowledge and understanding...so here we go:

> Earlier someone posted auto-land/CatIII dispatch rates of 92-98%. That's not nearly good enough.

I think you did not read carefully enough, or perhaps you misunderstood. Those numbers are AVAILABILITY, which means ability to achieve the precise mission they were dispatched for, namely "dispatch Fail Op, and complete a Fail Op autoland." I also mentioned that if you were to include those which were "Dispatch Fail-Op, complete a Fail-Passive arrival" that the numbers are solidly above 99%.

> For a system like this to work and be accepted, you'd would need 100% dispatch reliability.

First: again, you are confusing the narrow view of dispatch reliability, with system (or function) availability. Your MEL controls dispatch, and it is written in such a way to allow you to get high dispatch reliability (and yes, having certain equipment INOP *does* increase risk).

Second: You will *never* get to 100% of ANYTHING in this world. This is why autoland systems are certified to very small probabilities like 10^-9... because we know we can never get to 100%. Rather than focus on a number, what we need to focus on is what is the definition of "acceptable risk"....for every time you take off you are accepting some level of "acceptable risk".

> I again suspect that the maintenance burden would be astronomical.

Folks often said the same thing of autoland back in the 60s. Yes, the FAA does require higher levels of maintenance standards to allow an operator to fly below CAT II minimums...as it should be... and yes, this does increase the cost of maintenance....but "astronomically".....hardly. Plus, there are inspections and maintenance requirements that can be employed (preventive maintenance) that go a long way to keeping availability high, and costs manageable.

>It would need to be cheap to be used. Or passengers would need to be willing to bear the cost.

Care to define "cheap"? Cost-Benefit analysis is what anything boils down to. If the "cost" were to add a couple of bucks to every ticket, and the "benefit" would be to avoid loss of life not ONLY on the subject airplane, but by people in the buildings being crashed-into, I think most passengers might be willing to bear a couple bucks for that kind of security....more so than a couple more bucks because the cost of fuel went up!!

My point in these past few posts is not so much "it can be done and therefore it should be done." Rather, it has been to caution people from throwing around phrases, numbers, and measures of performance, esp. if they are not familiar with them from a design/certification standpoint. The above assumptions about "cheap" and "astronomical maintenance costs" are based on David's intuition. It is fine to have these beliefs, but I claim that it is NOT fine to use such beliefs in making decisions about what is "appropriate". Hard-fast numbers, compiled and analyzed by those whose job it is to do this....this is how technical decisions need to be made.

With all due respect,

Rainman

-----Original Message-----

From: Robert Dunham [mailto:rldunham1@@compuserve.com]

Sent: Tuesday, 2 October 2001 9:40 AM

To: INTERNET:ATA@@ATA.org

Subject: [ATA] Re: Passenger-Carrying UAVs

 

Blues,

Please let me interject. I know a LOT of pilots do not relish the thought of auto control. But as one Blue has stated: "The issue is not whether this capability can be developed - it's been done already - but rather whether the tens of millions of dollars per aircraft that such a system would cost might better be spent on airport security, positive ID of all passengers, providing air marshals on all flights, and securing cockpits. "

Yes, it's been done, and done, and done for the past twenty five years that I am familiar with as a function of the US Air Force and Navy's Weapons Test and Evaluation Programs. And the cost of converting old (even 1954) aircraft to full remote control auto-land platforms is in the hundreds of thousands (not even millions) of dollars. And, the systems are reliable, maintainable, and safe enough to be employed near major population areas. So that issue is not an issue.

What is the issue is the concept and the deterrent factor of a function of the on-board flight controls that can take away control of the airplane from anyone, anyone who might choose to do harm with that platform. What would you say today, had those four planes been "commandeered" by remote controllers ( or control transferred by the assigned pilots before their deaths)? There would have been many lives spared and the world would be a much different place.

Whether you like the idea or not, consider the deterrent factor in trying to hijack an airplane that has such a capability. What do you think your probability of success would really be? Do you think it would be even worth a try? Give it some thought before you trash even one possible solution.

Respectfully, Bob D.

-----Original Message-----

From: Raymond Hudderson [mailto:Rainman1@@tree-o-life.org]

Sent: Tuesday, 2 October 2001 9:49 AM

To: bareyno2l@@earthlink.net

Subject: Re: [ATA] [ATA]: Large Aircraft as Remote Piloted Vehicles

 

Hi Brian, Some thoughts on a Remote Piloting capability. Good design issues...shows you think with a design-mind, and not an emotional one (as many pilots are now thinking). This is the kind of thinking that would be required to address the issues in any design... and I know that you know that! I think you've done a great job of enumerating the "big hitters". Only one comment on one of your items:

> 7) By definition, this system would remove the capability of anyone controlling the aircraft from the flight deck, including authorized crew members.

Not a complete "given". No one has said control could NEVER be given BACK to the "real" flight crew. This is something that also needs to be part of the study: under what circumstances and conditions (and with what "interlocks") could control be returned to the human? (Again, I do not ASSUME that ground-controlled flight is the only answer, it may be onboard "secure" systems do the lion's share of the work)

>The questions should be "This is one solution, is it the best?"

This would imply you are only pursuing ONE solution. I claim that a "hijack-proof" flight deck is one solution. Certainly it is not the FIRST solution....we all agree that a stronger cockpit door is first on our list.

But it IS one solution in a spectrum of solutions...one which should be considered based solely on the ability to COMPLETELY take away all ability to use the airplane as a weapon. Question: Given that one option is to shoot the airplane down (and lose the souls onboard) don't you think the "hijack-proof" airplane would be a better idea, given that you MAY be able to save the people onboard???

> Intelligence and Security address Prevention,

And so can "revocation of  local control". In fact, it can out-perform Intelligence and Security when those two have already failed!

> when stouter doors, and a more robust flight deck access policy would have thwarted this last attack.

Can you say this with certainty? I can't....nor can I say that my "solution" would have certainly thwarted it. But what I CAN say about my idea is that if the stouter doors and robust flight deck access policies ARE thwarted, then there would still be an option left for thwarting! :-)

Thanks for the reasoned thinking....as I say, they show you as a true designer!

Rainman

-----Original Message-----

From: ATA-bounce@@ATA.org [mailto:ATA-bounce@@ATA.org] On Behalf Of Raymond Hudderson

Sent: Tuesday, 2 October 2001 9:59 AM

To: ATA@@ATA.org

Subject: [ATA] Re: Passenger-Carrying UAVs

 

Bob D. wrote:

> What would you say today, had those four planes been "commandeered" by remote controllers ( or control transferred by the assigned pilots before their deaths)? There would have been many lives spared and the world would be a much different place.

I think Bob understands the point I am trying to make here. But here is another good point to drive it home:

Let's say the stronger cockpit door is still broken-down.

Let's say access to the cockpit is still achieved.

Let's say the pilots (even if they are armed!) are still eliminated.

Now let's look at two possible worlds under this situation:

World #1 - No "hijack-proof" technology exists on the airplane (what some are calling "Robolander"). The ONLY remaining option here is to shoot down the airplane, and sacrifice the souls on board to prevent greater loss of life elsewhere.

World #2 - In this world the "Robolander" was developed, and it is one more option (one more weapon) to be used to thwart the murderous terrorists.

Which of these two worlds would you rather craft for our future?

Rainman

-----Original Message-----

From: ATA-bounce@@ATA.org [mailto:ATA-bounce@@ATA.org] On Behalf Of Gerry einperson

Sent: Tuesday, 2 October 2001 11:29 AM

To: ATA@@ATA.org

Subject: [ATA] Re: Passenger-Carrying UAVs

 

I believe that this form of pseudo logical approach to comparing the options leads to more problems for the Robolander than the locked cockpit door, Ray.

If we can postulate failure, and failure of backups, it is entirely logical to give the same treatment to the Robolander. So we probably could suggest...

Let's say the Robolander fails, taking control of the airplane from a perfectly normal and unsuspecting captain. Let's say the pilot cannot retrieve control.

Let's say the FAA landing god is unaware of the situation, or unable to take over (Robolander has failed, remember).

Now let's look at two possible worlds under this situation:

World #1 - There is no problem - Robolander hasn't been invented or installed, so with the improved security doors now available, the aircraft proceeds to complete its mission, the pilot and pax all arriving peacefully at their destination, never realizing that there was even a threat. In the very unlikely (extremely unlikely) event that a hijacking takes place on this flight, there is the very real probability that the locked cockpit door will fail in say, for argument's purposes 1 in 20 attempts to breach it. And suppose that the weapon that is available to the captain also can not be used in, again for argument's sake - say 1 in 50 attempts. Assuming these events are independent, the system will fail once in 1000 terrorist hijacking attempts. In ALL other circumstances neither the door nor the weapon pose any threat to the flight or the passengers. Please excuse me for not having up to date numbers on these probabilities, or even the probability of any hijacking, but I believe all are small - probably extremely remote.

World #2 - There is Robolander.  It is functional and installed on every aircraft. It connects to and controls all essential navigation and flight control systems. As you have said, nothing is 100% reliable. It will fail. The overwhelming number of flights will also probably ensure that it will fail unsafe, leading to a crash on at least one occasion. Because hijackings are very remote, it will undoubtedly happen when there is no other threat to the aircraft or passengers.

Now there's an irony. In a Robolander world, the only threat you really need to fear is Robolander. To kill people here, you don't even need the terrorist or the hijacking. I would not have any difficulty in choosing between these worlds.

I believe that we engineers should also look at the medical field for advice occasionally. In this instance, it would be the admonition to "do no harm".

Gerry

Rainman wrote...

Let's say the stronger cockpit door is still broken-down.

Let's say access to the cockpit is still achieved.

Let's say the pilots (even if they are armed!) are still eliminated.

Now let's look at two possible worlds under this situation:

World #1 - No "hijack-proof" technology exists on the airplane (what some are calling "Robolander"). The ONLY remaining option here is to shoot down the airplane, and sacrifice the souls on board to prevent greater loss of life elsewhere.

World #2 - In this world the "Robolander" was developed, and it is one more option (one more weapon) to be used to thwart the murderous terrorists.

Which of these two worlds would you rather craft for our future?

Rainman

-----Original Message-----

From: ATA-bounce@@ATA.org [mailto:ATA-bounce@@ATA.org] On Behalf Of Robert Dorsett

Sent: Tuesday, 2 October 2001 12:22 PM

To: ATA@@ATA.org

Subject: [ATA] Re: Passenger-Carrying UAVs

 

>Now let's look at two possible worlds under this situation:

>World #1 - No "hijack-proof" technology exists on the airplane (what some are calling "Robolander"). The ONLY remaining option here is to shoot down the airplane, and sacrifice the souls on board to prevent greater loss of life elsewhere.

>

>World #2 - In this world the "Robolander" was developed, and it is one more option (one more weapon) to be used to thwart the murderous terrorists.

>Which of these two worlds would you rather craft for our future?

World #3.  A couple of trained armed Federal guards to help prevent this *implausible* scenario. Clinton wanted to field 100,000 new police officers. How about 50,000 new air marshals? How *little* would it take to improve airline security a thousand fold? Hire some security checkpoint attendants with IQs above 80, X-ray baggage, and some air marshals. Heck, go for a probabilistic model and even field 10,000 new marshals.

Forget the armored doors and other stuff  (how many of you think there'll actually be unique keys/keypads per airplane?). This will do it for the vast majority of incidental (crazies wanting to go to Cuba/make a speech) or intentional attacks.

You want to calculate the cost of security? Here in Austin at our shiny new airport, we have three checkpoints leading to/from the gates. Max staff, maybe 20, including supervisors. I don't know what goes on underneath the terminal. Probably police since it's run by the airport. Let's figure ops 20 hrs/day, that's 20 agents * $7/hr * 1.15 * 20 (customary contract agency mark-up). Or $3220/day. Now, let's look at the average operating costs OUT of Austin. Figure 2.5 hour average flight duration. ~130 departures out, let's figure $500 in crew costs, that's $500 * 130 * 2.5 = 162,500/day. So of the aggregate airline budget, they spend less than 2 per cent on visible security.*

This is pathetic.

Let's face it, folks, the next airliner attack will likely be a bomb (yet again), or otherwise the nuts will go for some other nasty attack (bio/chem/nuclear). The next fanatics (or drunks, cited with apologies to Jim) that try to take over an airliner are likely going to have to face a passenger population on a hair trigger. It's been done. The element of surprise is gone. What's clear about the WTC attacks is that the enemy has given up on symbolic hijacking of airliners a la 60s/70s, and instead is after incurring strategic casualties. It's not the environment of the 70s, 80s, or 90s anymore. This means they'll use whatever means necessary to accomplish the toll they want to achieve. A whole new ballgame, one which even Israel has yet to go through.

So let's stop trying to barricade the barn door closed: the horse IS, indeed, gone, leaving 6000+ casualties in its wake.

So foregoing the *technical* considerations, and focusing on politics and my perceptions of risk, I think even discussing a self-landing UAV airliner is nuts.

My ever-so-humble $0.02 worth,

R.

* These numbers are HIGH, assuming 100% airplane utilization. Lest you think I pull these stats out of the nether regions, Austin reports ~600,000 passenger emplanements per month. AvLeak and the WAD present some operating cost data.

PS: I go with scenario #3.

 

Peter,

Not a bad train of logic. Certainly, anything is possible. As stated earlier, there is no SURE thing in life, and this round of discussion serves to prove that. However, I do believe that most any system can be designed and built relatively "fool proof" if the desire is significant enough.

I would certainly hope that we have the sincere desire in this case - at least now.

As for using the "remote autoland" systems, I can see a scenario in the near future whereby we have filled the skies to capacity with planes.

In order to maximize the use of that airspace, we must revert to the speed and efficiency of the computer to sequence, align, and to control the planes - especially in the terminal area. In this case, the transfer of control would be a two way system whereby pilots transfer control to the "downstairs" system at (perhaps) an arrival fix. The arrival computer controls all planes and lines them up for the approach (arguably the most complex task at this date). Once on final approach, it would be the pilot's prerogative to continue the automated approach or reassume control and revert to "on board" systems for approach and landing.

As a "peacetime" option, this would ensure that the remote controlled systems are function checked routinely, and they would also serve as useful tools in providing enhanced capacity at our busiest airports. For the "emergency" situation, the only difference would be the transfer switch you use. And, as any system that you HAVE to rely on, it'll work or not depending on whether it's your day.

Just my opinion. Yours may vary.

Regards, BOB D.

Subject: [ATA] Re: Safety, Risk, Design & Certification

 

The concept of automatic or remote control is a good one. Due to some of the reasons suggested here, I would prefer to see only automatic on-board control and not remote control. Any Cat IIIb autopilot coupled with a FMS could guide the airplane to the nearest airport equipped with an ILS, while notifying ATC that the aircraft has been hijacked. Cat III airports are not a requirement under these circumstances.

As an Avionics Systems engineer, the only real safety issue would be the inadvertent engagement of this system. Remember the inadvertent engagement does not mean the airplane will crash, it only means the airplane will land without the control of the pilot. It would still need to be demonstrated that inadvertent engagement of this function would be improbable (<10^-9).

Those concerned about the airplane not being under pilot control are forgetting one important element. The pilot would only engage this mode when he is giving up control of the airplane anyway. The question is would you rather have the airplane under the control of the avionic systems on-board the airplane that can and do routinely land the airplane safely or a terrorist? Either case, the pilot does not have control.


 

Will someone explain to me what the MTBF of the human pilot is? What chance do we give the human pilot of making a mistake during landing or flight? And what difference is there in the airplane systems when the human is in charge from when the black box is driving??

 

reid

____________________Reply Separator____________________

Subject: [ATA] Re: Safety, Risk, Design & Certification

Author: "Peter B. Ladkin" <ladkin2@@rvs.uni-bielefeld.de>

Date: 10/2/2001 9:02 AM

Ray,

What Chris is concerned about and what I am concerned about are similar. Namely, conventional sophisticated engineering calculations of likelihood of catastrophic failure (let's call these CSECLCF) do not, indeed cannot, arrive at figures which accurately represent operational likelihood of failure.

There are many reasons for this. I'll mention just one. As the Air Transat incident shows yet again, no amount of CSECLCF can take into account the likelihood of improper maintenance, because there are no techniques to estimate such a likelihood reliably. Indeed, as you know, CSECLCF does not take such phenomena into account. But maintenance is not perfect, and never will be.

There have actually been two such incidents of failure of supposedly highly-reliable systems this year. The other was the miswired PFCS on the Lufthansa A320.

Consider a system with a one-billion-hour CSECLCF. Consider that it has at least two potentially catastrophic failures within a time of the order of some two to three orders of magnitude less than that.

You can probably calculate the likelihood that the operational failure rate is accurately represented by the CSECLCF, and it isn't very high.

Now, Chris is concerned with actual operational failures and failure rates, and so am I.

> [Peter] [...] no operational data you can ever hope to collect can show that any system actually meets this 10**9 MTBF.

>

> [...] MTBF is *not* the metric used to measure reliability of such critical systems as autoland. Rather, it is the combinatorial probability of catastrophic failure (not just any simple failure). I would bet that you already understand this Peter,

I don't know what to make of an argument which suggests I am misunderstanding something, but then suggests that maybe I really do know what I am talking about.

In any case, complaining about my use of terminology in this case is just sophistry. We were talking about systems whose failure to perform *any* required function is potentially catastrophic. MTBF and CSECLCF are thus the same for such systems. So it is quite accurate for me to use MTBF when talking about such systems, if I want to. But this seems to me to be a red herring, which is why I am using CSECLCF in this message instead (and if you don't like that name, let's just call it "French Fries" for the sake of discussion).

It follows that a claim, such as yours lower down, which I will not quote here, that CSECLCF and MTBF are different for these systems, is mistaken.

> [...]I would hazard to guess [.....] that there IS indeed quite a bit of operational service data to support a <10^-9 probability of catastrophic failure during autoland.

I don't know quite what to make of this claim either. It seems flatly to contradict basic results in the field (Littlewood-Strigini, Butler-Finelli) of which I would have assumed you were aware.

> [Peter] I happen to agree with Charlie's sentiment that automatic landing systems on plane-fulls of people without human control looks like a significant risk, given current standards and practices. Not that I have done the required analyses, though.

> That's fine, that is your opinion, and thank you for clarifying that you don't have supporting data.

Well, that may be persuasive rhetoric, but it makes a poor argument. It is the same argument used to support the Challenger launch in the face of the Thiokol engineers' concerns that the low temperatures expected during launch would not allow the amount of beyond-design distortion of the O-rings they had seen on some previous launches.

Their concerns were overruled on the basis that they did not actually have "supporting data" concerning the performance of the O-ring material at those temperatures. As Feynman memorably demonstrated during the hearings, you only need general physical knowledge to make that judgement. But it helps to have a glass of ice water and a bit of O-ring to convince the remaining sceptics.

Similarly, although we know that maintenance snafus cannot be taken into account during a CSECLCF calculation, it helps to have an Air Transat incident to convince people that, despite all that clever engineering, single points of failure of thrust originating with the engines are still possible.

PBL

--

Peter B. Ladkin PhD FBCS CW(hon)

Professor of Computer Networks and Distributed Systems,

Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany

http://www.rvs.uni-bielefeld.de
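The two numerical points argued over above (whether operational data can ever demonstrate a 10^-9 per hour catastrophic-failure rate, which is the Littlewood-Strigini / Butler-Finelli result Peter cites, and the "combinatorial probability" of catastrophic failure that Ray prefers to MTBF) can be carried through in a few lines. The following is an added worked example, not code from any participant in this thread; it assumes the usual constant-rate (exponential) failure model behind MTBF = 1/rate arithmetic, and the fleet figures (5000 aircraft, 3000 hours per aircraft per year, 30 years of service) are constructed for illustration only.

```python
import math

# Constructed fleet figures, used only to put the 10^-9 target in perspective.
# They are assumptions for this example, not data from the thread.
FLEET_AIRCRAFT = 5000
HOURS_PER_AIRCRAFT_PER_YEAR = 3000
SERVICE_YEARS = 30


def _check_confidence(confidence: float) -> None:
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")


def p_zero_failures(rate_per_hour: float, hours: float) -> float:
    """Probability that a system whose TRUE catastrophic-failure rate is
    rate_per_hour shows no failure at all in `hours` of operation
    (Poisson model: P[0 events] = exp(-rate * hours))."""
    if rate_per_hour < 0 or hours < 0:
        raise ValueError("rate and hours must be non-negative")
    return math.exp(-rate_per_hour * hours)


def hours_needed(target_rate: float, confidence: float) -> float:
    """Failure-free operating hours required before a zero-failure record
    lets you claim, at the given confidence, that the true rate is no
    worse than target_rate.  Solves exp(-rate*T) = 1 - confidence for T."""
    _check_confidence(confidence)
    if target_rate <= 0:
        raise ValueError("target_rate must be positive")
    return -math.log(1.0 - confidence) / target_rate


def rate_upper_bound(failure_free_hours: float, confidence: float) -> float:
    """The largest failure rate still consistent (at the given confidence)
    with having seen zero failures in failure_free_hours.  This is the best
    a purely operational record can ever tell you."""
    _check_confidence(confidence)
    if failure_free_hours <= 0:
        raise ValueError("failure_free_hours must be positive")
    return -math.log(1.0 - confidence) / failure_free_hours


def fleet_hours(aircraft: int, hours_per_year: float, years: float) -> float:
    """Total operating hours accumulated by a whole fleet over its life."""
    return aircraft * hours_per_year * years


def catastrophic_probability_per_landing(p_channel_a: float,
                                         p_channel_b: float,
                                         p_common_cause: float) -> float:
    """Combinatorial (fault-tree) estimate for a dual-channel autoland:
    catastrophe requires BOTH independent channels to fail during one
    landing (AND gate), OR a single common-cause event that takes out both
    (OR gate).  The common-cause term is the 'single point of failure' that
    redundancy arithmetic alone does not remove."""
    for p in (p_channel_a, p_channel_b, p_common_cause):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    p_both = p_channel_a * p_channel_b
    # rare-event approximation of P(A and B) or P(common cause)
    return p_both + p_common_cause - p_both * p_common_cause


def summary(target_rate: float = 1e-9, confidence: float = 0.95) -> dict:
    """Put the pieces together for the 10^-9 per hour target."""
    available = fleet_hours(FLEET_AIRCRAFT, HOURS_PER_AIRCRAFT_PER_YEAR,
                            SERVICE_YEARS)
    return {
        "hours_needed": hours_needed(target_rate, confidence),
        "fleet_hours_available": available,
        "best_demonstrable_rate": rate_upper_bound(available, confidence),
        # a system ten times WORSE than target still has this chance of
        # showing a spotless record over the whole fleet life
        "p_clean_record_if_10x_worse": p_zero_failures(10 * target_rate,
                                                       available),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:30s} {value:.4g}")
    print("dual channel, no common cause :",
          f"{catastrophic_probability_per_landing(1e-5, 1e-5, 0.0):.3g}")
    print("dual channel, 1e-8 common cause:",
          f"{catastrophic_probability_per_landing(1e-5, 1e-5, 1e-8):.3g}")
```

With the assumed figures the whole fleet accumulates about 4.5e8 hours, while a 95% zero-failure demonstration of 10^-9 per hour needs roughly 3e9 hours; the best such a record can support is a bound near 6.7e-9 per hour, and a system ten times worse than target still has about a 1% chance of never failing during that entire service life. The fault-tree function shows the other side of the argument: two independent 10^-5 channels combine to 10^-10 per landing, but a single 10^-8 common-cause term (the kind of thing a maintenance error introduces) dominates the result and puts it back above 10^-9.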

NOTE:  A. The Air Transat incident could have been only a fuel leak incident if the mechanics hadn't made a mistake (at the direction of engineering management) and then the pilots hadn't made checklist mistakes and errors of judgement. Hardware is allowed to fail in a fail-operational system- but when humans pick up that failure ball and then run with it to an own goal, that's hardly a fault in engineering design.

B. It could similarly be argued that the Challenger accident was a conscious (although fatally flawed) decision to operate outside the vehicle's design envelope - and thereby trust to luck and the fact that it had been a reliable case (to date) of "so far so good".

Just a short comment about the magic autopilot system that will take over in the event of a hijacking. I recently spent a long time looking at a number of Loss of Control Accidents. Some of the accidents involved landing. One of the solutions to preventing accidents where pilots were controlling the aircraft during the landing was to make all landings automated. This does not work for a number of reasons. However, one of the reasons, that is applicable to this automated system which will take over and safely return the aircraft, is that such a system must work all the time. First, it has to be installed and retrofitted on all aircraft, which is impossible and highly cost prohibitive. Next, on those aircraft where it is installed, it has to work. It cannot be deferred. The aircraft cannot be flown if any of the thousands of components and functions, including those on the ground under FAA (or someone's) control, must work. If any component or function does not work then the aircraft (or possibly all aircraft involved) cannot fly.

Does anyone really think such a system will ever be built or installed in either commercial aircraft or in the Air Traffic Control system which I seem to recollect is having a bit of trouble keeping its systems updated so that it can provide aircraft separation?

Benny

The concept of automatic or remote control is a good one. Due to some of the reasons suggested here, I would prefer to see only automatic on-board control and not remote control. Any Cat IIIb autopilot coupled with a FMS could guide the airplane to the nearest airport equipped with an ILS, while notifying ATC that the aircraft has been hijacked. Cat III airports are not a requirement under these circumstances.

I've seen very bad autolands and have had to take over from the automatics when attempting an autoland on a non-CAT II or III approved ILS. Our company allows autolands ONLY at approved facilities and bans them (for good reason) at any other facility. An example of this is RWY 06 at TPE, which is CAT I only but really screws up the flare due to a maintenance hangar built next to the threshold. It complies very well with CAT I but is no good for autoland.

>As an Avionics Systems engineer, the only real safety issue would be the inadvertent engagement of this system. Remember that inadvertent engagement does not mean the airplane will crash, it only means the airplane will land without the control of the pilot. It would still need to be demonstrated that inadvertent engagement of this function would be improbable (<10^-9). So, the activation of the system must be reasonably difficult to achieve (not a big red button marked Emergency Only) but we must be able to activate it at a moment's notice - mutually exclusive design criteria.

>Those concerned about the airplane not being under pilot control are forgetting one important element. The pilot would only engage this mode when he is giving up control of the airplane anyway. The question is, would you rather have the airplane under the control of the avionic systems on board the airplane, which can and do routinely land the airplane safely, or a terrorist? In either case, the pilot does not have control.

Which primary control systems do not have a circuit breaker to disable the system on an aircraft? I'm sure that this would need one too. Which terrorist organisation is not going to be aware of the position of this CB?

Chris

[mailto:ATA-bounce@@ATA.org]        On Behalf Of Raymond Hudderson

Sent: Wednesday, 3 October 2001 9:06 AM

To: ATA@@ATA.org

Subject: [ATA] Re: Passenger-Carrying UAVs

Gerry wrote:

> I believe that this form of pseudo logical approach to comparing the options leads to more problems for the Robolander than the locked cockpit door

[Ray] It was not intended to be logical, or even pseudo-logical. It was intended to be based upon (and elicit) an emotional response. Here is part of the "double standard." A pilot (who may not even be an engineer) makes an emotional response about his perception of the risk of "Robolander".

No one calls him on it, people just assume he knows what he is talking about (poor assumption). Now along comes an engineer (who does have experience in the subject domain in which the pilot made his emotional comment). Not only must the engineer defend himself with science, but if the engineer makes an emotional statement of his own, he is chastised for not using "logic".

> Now lets look at two possible worlds under this situation:

The difference between your hazard situation and mine is that mine just occurred on Sep 11th, and yours has yet to occur. And I must again point out that anyone can make up any "gotchas" they want with respect to automation and potential problems; however, without a definition of a design, you cannot evaluate whether or not the hazard is even probable! Hazard probability is based on design just as much as it is based on circumstances and environment.

And finally:

>I believe that we engineers should also look at the medical field for advice occasionally. In this instance, it would be the admonition to "do no harm".

If you truly believe this admonition, then every single airplane in the world should be parked right now, for even the concept of trying to defy gravity can bring harm. Indeed, doctors can (and do) "do harm" when they incorrectly diagnose and/or prescribe. And do you wish me to believe that the plethora of medicines that are flooding the market for everything and anything that ails you are "doing no harm?"

No, comparisons between medicine and design activities are tenuous, at best. For medicine is about "servicing and curing" the human body. Doctors do not have the burden of designing bodily systems to meet hazard probabilities. And when the medical industry does need something designed, do they ask the doctors? Nope, the engineers get the call again.

Sorry, Gerry, I just can't accept your argument. It is just as emotional as my original emotionally-charged scenario. It's a nice story, but that is all it is.

Rainman