JimB

Here is Ray Hudson's last input. He's at the email below if you'd like to ask him any specific questions.

Tom Cassidy (wegerb@gat.com) is president and CEO (General Atomics Aeronautical Systems Inc). Their web-site is at http://www.gat.com/asi/aero.html

His corporation makes most, if not all of the US drones/RPV's presently in service and under construction. He has no reservations at all about the technical feasibility or development risk of such a system (as RoboLander).

I am continually updating that RoboLander site at http://www.iasa.com.au/folders/RoboLander_files/RoboLander.htm (and its links) as I get queries or input.

regards
JS
-----Original Message-----
From: Raymond Hudson [mailto:Rainman@tree-o-life.org]
Sent: Saturday, 22 September 2001 12:44 PM
To: safety@iasa-intl.com; fairburn_reid@si.com
Cc: rldunham@compuserve.com; TELLFAA@FAA.gov; Jim Wes
Subject: Re: [bluecoat] Re: Remote Piloted Vehicles and Exclusionary WPTs

I would have to disagree with the answers to Q1 and Q2 provided below:

Q1.....No action on equipping airplanes with remote guidance. This has been considered but in light of the extensive C/B panel, anyone could disable the airplane systems required to effect the remote pilot connection. This kind of rules out remote control. Other actions are more reasonable at the current time. However, new airplanes could build a feature like this into the design and it is feasible with current technology.

<<Quite simply any CB's for a RoboLander system should be located in the on-the-ground (only) access panel (but duplicated in the E&E bay) and the system power should be via an auxiliary load-centre, accessible inflight via the E&E hatch (which would be code-locked / combination held only by the captain. He then would be in the same situation as regards his personalised ROBO squawk. Only he would know it and only he could disclose it.). The concept therefore remains fail-safe. In the future, once wiring bundles are isolated, remoted or inaccessible and circuit-breakers are physically inside the code-locked E&E bay, (being replaced in the cockpit by status lights) then would-be hijackers will be unable to down the aircraft. However the RoboLander system is presently designed only to stop normal hijackings and suicide terrorists who might otherwise repeat their 11 Sep routine. Unless systems were physically protected from their predations, hijackers operating with impunity could always "down" an aircraft. This may not be the case in future designs (hopefully).>>

Ray Hudson Answer:

Q1) The other (green) answer to this question has the right idea. All airplanes with CAT III have a minimum of dual autopilots (and virtually all large airplanes have 2 even if not CAT III). One of these A/Ps could have all power sources reassigned to C/Bs on such an inaccessible panel when in-air. Much like specific instruments are required to be on an "essential" power bus that can power it with all gens failed (powered by batt and static inverters). Another solution which would leave all autoflight (or robo-flight) :-) breakers still available to crew (but not to hijackers) would simply be to build a C/B lock-box for those critical breakers. Many, many solutions to this problem, and many not as expensive as you might think.

Q2.....Could not be controlled with today's airplanes since the pilot can fly it anywhere he wants manually and that is the way it almost has to be. One of the big considerations on systems like remote control is the importance of not taking the pilots prerogatives away when not desired, and not limiting his authority unnecessarily.

Ray Hudson Answer:

Q2) The answer provided to this one does consider the dual-tandem operation of virtually all Electro-Hydraulic Valve (EHV) control surface actuators used by autopilots (and a similar parallel redundancy for "cable grabber" autopilots that use electric motors). Autopilot EHV's always receive their hydraulic power from a DIFFERENT hydraulic source than the pilot's control wheel, mechanically-operated hydraulic valve. This is per-design so that a cable failure to the surface will still allow the A/P to fly the airplane under this failure condition (a parallel control path).

This feature could be exploited in such a way to rob control from hijackers in the cockpit. The system that reconfigured the aircraft to make the cockpit "go dark" could close shutoff valves to the mechanical input valves to the control surfaces, thereby only leaving the autopilot EHVs with hydraulic power. It becomes even easier when the airplane is full fly-by-wire (a la Airbus family and 777) since you can simply ignore the pilot's wheel (or Airbus side-stick) electronic inputs to the flight control system.

I repeat from earlier EMAILs of mine: Such a system is WELL within our technology, even on older airplanes, and the operational issues are not insurmountable. I try not to be an arrogant person, but I am very much an expert in flight control system design. I may not know much about anything else in this world (and will readily admit it) but airplanes and autopilot design is certainly not one of them.

>One of the big considerations on systems like remote control is the importance
>of not taking the pilots prerogatives away when not desired, and not limiting his
>authority unnecessarily.

And to this I would add an observation I have made before. I design systems full-well knowing what their failure modes are. And we design them to fail in specific ways because we know the PILOT is the strongest link for safety when it comes to equipment malfunction or external weather phenomenon that may endanger a flight. However, in the situation of a hijacking, that strongest link immediately becomes one of the weakest links, for a hijacker only need to usurp the pilot's authority (by either killing them, or appealing to their surrender by killing others onboard). Taking away control from ANY person onboard (only in such situations as hijacking) spells "game over" for both the hijackers or any flight crew coerced by the hijackers. It removes the option.

Of course, the safety and reliability of the system during normal (non-hijack and failure conditions) would need to be assured thru proper design, just like the Autoland systems are designed and certified. Design criteria for such "hijacker denial" systems could be written by industry in the form of an FAA Advisory Circular (and I think the industry should begin work on such an AC).

Furthermore, ground-based control is only one option which needs to be considered and evaluated. The other is simple on-board autoflight and the "restricted WPT" feature in the FMS. Couple the secured AP to a secured FMC, and the airplane will fly itself to the ground, with minimal need for interaction by ground or ATC. But a secure data-link to provide ATC some "inputs" to how the airplane is flown to safety certainly would be greater safety redundancy for the end-item system.

This should be done, it should be studied, and a Proof Of Concept installation on a non-fly-by-wire airplane would certainly....well.... prove the concept! :-)

Kind regards,
Ray Hudson

----- Original Message -----
Sent: Friday, 21 September, 2001 14:14
Subject: [bluecoat] Re: Remote Piloted Vehicles and Exclusionary WPTs

Other Solutions (and answers in green/<<chevrons>> to the comments below).

http://www.iasa-tl.com/folders/RoboLander_files/RoboLander.htm - Basic concept
http://www.iasa.com.au/folders/RoboLander_files/Behind_Closed_Doors.htm - Justifications
http://www.iasa.com.au/folders/RoboLander_files/robofaq.html - Some Comments and faq
http://www.iasa.com.au/folders/RoboLander_files/RoboLander1.html#7yrs - GPS based precision landing system
http://www.iasa.com.au/folders/RoboLander_files/alternatives_to_cat_iii_ils_auto.htm - DGPS accuracy [as might be applied to such a system]

____________________Reply Separator____________________
Subject: [bluecoat] Remote Piloted Vehicles and Exclusionary WPTs
Author: Daire97@aol.com
Date: 9/17/2001 10:07 PM

Dear Blues in light of recent events I must direct this question to my engineering friends at Smith Industries, BMAC Northrop/Grumman and GE.

Q1 What has been accomplished in the field of RPV pertaining to adaptation to (retrofit) existing commercial flight guidance and control architecture.

Q2 Would you consider an exclusionary WPT table within a WPT database that would prevent navigation to or through prohibited airspace be it engaged in autopilot or manual?

http://www.pprune.org/cgibin/ultimatebb.cgi?ubb=get_topic&f=1&t=015692

Topic: FAA Looking for Bright Ideas
Author: RATBOY (Member # 21333)
posted 21 September 2001 18:25

U.S. FAA is looking for bright ideas in dealing with the security of the aviation system. They have set up an EMAIL address TELLFAA@FAA.gov and a fax telephone number 202-267-5091. This is for all areas that FAA can do anything about (operations, procedures, technology) not other things that may be bothering one.