Airbus automation: is enough enough?

Airbus is considering automating another pilot function when it introduces the A350.

Highly automated aircraft include all the airline types rolling off all production lines today.

But Airbus, a child of the digital age, is often tagged as being even more automated than Boeing. This perceived difference generates a lot of heat - but very little light – among pilot devotees of one or the other genre.

Aside from the genre issue, there is the pilot ego issue: automation is a tacit decision that the system can do “it” better than the pilot can. So of course it’s going to generate heat.

But rather than slagging off one system or the other, maybe line pilots ought to be getting involved in the fundamental debate: is automation ever good? And if it ever is, what is it good for?

The latest Airbus wheeze (sorry if your English is not old fashioned English English) is to set up an automatic, laterally offset emergency descent in the event of a depressurisation to which the pilots do not react.

Remember Helios? Airbus quotes a generic scenario like Helios as justification for this potential system (not yet set in stone, so you have time to tell them what you think). If such a system had existed in that 737, a lot of people who died might be alive today. But, on the other hand, what might go wrong with the system itself?

What do you think?

Meanwhile, let’s look at an accident that might have been prevented by automation, and another that looks as if it might have been triggered by it:

Cali: that highly complex American Airlines 757 accident in 1995 might have been avoided in its last seconds if the airbrakes had retracted automatically when the pilots firewalled the throttles. But they didn’t retract and the aircraft hit a mountain ridge just below its peak.

Amsterdam Schiphol: according to the investigator’s early reports into the Turkish Airlines Boeing 737-800 crash, the trigger for the accident was an autothrottle system that “thought” the aeroplane had landed and retarded the throttles during the final approach. The crew didn’t notice the airspeed loss until too late. The reason the autothrottle thought the aircraft had landed was that the radio altimeter was faulty, and was reading just below airfield elevation.

On the other hand, the throttles didn’t retard when the TAM A320 actually landed at Sao Paulo’s Congonhas airport in July 2007, and although there was an audio “retard, retard” alert, the crew didn’t close both throttles. The aircraft overran and everybody on board was killed.

To automate, or not to automate? And if you do it selectively, when do you choose to do it?

 

 

,

12 Responses to Airbus automation: is enough enough?

  1. Tim 16 August, 2009 at 11:06 pm #

    I think Airbus is on the right track, having flown the A320 for over 2 years now I think automation together with the right pilot training is a winning concept.

    May of the accidents mentioned above can be related to pilot training and knowledge… the TAM accident for example was a pure misstake of pilots lacking the knowledge and also not performing procedures which were called upon them to do… this is not a cause of automation…

    The same thing goes for American Airlines, well that can actually be a matter of SOP, in my company we do not take our hand of the speedbrake if we are using it, in order not to forget that we are using it. This could be the effect of the crash however…

    The turkish airlines 737 is also a factor for the pilots, there were 3 pilots in the cockpit and none of them notised that the speed was dropping for almost 10 secconds and also that the thrustlevers had retared (they move on the 737 for that reason). The flying pilot should have had his hands on the thrust levers, then he would have notised what was going on, or at least scanned his airspeed….

  2. Layman 17 August, 2009 at 12:35 pm #

    David, thank you for sticking to English English- our cousins do not understand the frustration the English-speaking world faces on the internet.

    On the matter of pilot ego’s – surely we should be past the days of macho flying aces showing their mettle. Flying is a business and safety has to come first. If automation frees pilots from mundane tasks and allow them to apply their minds to the serious business of flying safely- then automation should be welcomed. I personally welcome an automated system of last resort, one that warns and then, if the warning is not heeded, acts.

    At the same time however, it would be great if the aircraft manufacturers could agree on common automated systems that operated uniformly across multiple aircraft types.

  3. David Nicholas 17 August, 2009 at 2:13 pm #

    This is not new – Gulfstream (in the G4 and 5), and a couple of other bizjet manufacturers have an automatic descent mode in the autopilot system that makes this available today. I believe that it may be optional from several other business jet manufacturers and does not seem to have caused debate until now. Unlike most other automated systems this one acts as a safety net in that it only comes into play after a set period of time if the pilots have not cancelled the impending automated descent. It also flies the aircraft accurately (avoiding the risk of loss of control!) into a max rate descent with an offset from the direction of flight to protect traffic below, and levels off at a safe altitude where breathing can be conducted normally without oxygen or need for pressurisation. Consider the possible events necessitating an emergency descent – loss of pressurisation being the main one, but also possibly windscreen damage or loss, crew incapacitation and even unauthorised “interference” with the crew. I think that this is one of those things that many pilots might like to have in their “back pocket”, for that once-a-lifetime event……

  4. Ron Ferguson 17 August, 2009 at 7:47 pm #

    I am an aircraft cyber security consultant. I’ve been doing this for several years and there aren’t many of us.

    Several years back when I worked as a security consultant at Airbus on the A380 programme, I wrote a report on the complexity of the onboard computer/automated system. In any system, the complexity of the system can be determined by the number of possible interactions among the various components. As the number of components increases arithmetically, the complexity increases exponentially, and there is a formula to measure this. Needless to say, if the complexity goes beyond a certain point, then the system is beyond human control.

    If the number of interacting components on an aircraft is 100 (a very low number on modern aircraft), then the complexity of the system is a phenomenal 63,382,530,011,411,500,000,000,000,000,000. That is, the number of possible interactions and thus the number of possible scenarios is astronomically larger than any human being can handle, including an experienced and well-trained pilot.

    So, is there such a thing as “too much automation”? If a pilot’s job increasingly is to take over if the aircraft’s automated system fails in some way, how can any human being possibly recover from a failure if the possible ways of failure are so large? How would the pilot know what to do? Unless, of course, there is a way, and the aircraft allows it, for the pilot to take control at the most basic flight level, in which case the pilot had better know how to do this, and how to do this instinctively, for there will not be any time to look for “approved procedures” in any flight manual. And it doesn’t matter if it’s an Airbus or Boeing aircraft.

    Unfortunately, I am not an optimist in this area.

  5. David Nicholas 18 August, 2009 at 12:34 pm #

    Having slept on this, and read the interesting perspective of Ron Ferguson, I have a further comment expanding upon Ron’s final comment – perhaps the optimum level of automation is the one which allows a pilot to fly intuitively (not by the seat of the pants, but in the manner that all pilots have flown – and continue to do in more basic aircraft). A pilot flies the seat in which he sits, and a level of automation that allows him to fly in a similar way any type of aircraft, small or large, will allow basic airmanship and handling skills to be refined and developed as experience is gained. Most early examples of automation, basic autopilots, powered flying controls, constant speed propellers supplemented the pilot’s skills and enabled him to manage a larger, faster, heavier aeroplane without needing the muscles of Charles Atlas or the reactions and stamina of a squash player. The advance of electronics allowed further development of equipment and what we now call avionics to enable aircraft to land automatically (arguably the first step on the slippery slope to where we are today). Computers have exponentially increased the applications available to pilots and the technical ability of aircraft. All this has distanced the aircraft and its potential scope of operation from the basic aeroplane in which the pilot would have learned his craft.
    If automation can close that distance, by bringing the handling experience of an airliner back into an envelope to which the pilot can instinctively relate, then perhaps that is the optimum level of automation to seek.

  6. Lawrence 18 August, 2009 at 4:35 pm #

    In my opinion the most serious problem isn’t automation itself but the lack of knowledge regarding the same systems. Pilot training should start to focus more on how these systems react in case of an emergency to avoid any surprises.
    Regarding the Turkish Airlines accident
    Everyone knows that there is a tendency not to monitor these systems very well because they are considered as very reliable. If I am not wrong it wasn’t the first time that the autothrottle failed during landing. It happened in the past. According to a report these automated systems should always be monitored even though some find it sort of a contradiction to monitor a computer that is doing a task that was usually done manually by the pilot.

  7. Anonymous 18 August, 2009 at 9:45 pm #

    An interesting concept, and the examples of automation contributing to accidents is also relevant. I suggest that we are close to requiring autonomous systems, rather than automatic ones (cf: http://www.caa.co.uk/docs/33/cap722.pdf).

    The distinction being one of reasoning about the action before performing it, and continually re-evaluating the action as it is performed, rather than simply performing it. I.e. if the offset descent is automatically initiated and the TCAS then goes off, with an advisory, what happens then?

    The goal is a worthy one, but due to the inherent complexity of such situations (which is why we employ highly skilled and trained human pilots) conventional automation approaches are going to become very complex themselves, i.e. a technology step is needed.

    This requires a software analogy of “situation awareness”, and alternative plans available to be executed by a software reasoning engine that is trying to achieve a goal, i.e. descend to bring the cabin altitude to around 10,000ft.

    There will be a number of plans to achieve this goal, and the system has to determine which one to apply in that circumstances. And then if an event occurs that alters the circumstances (e.g. the TCAS event) it must abandon the current plan and adopt one that achieves both goals, the descend goal and the collision avoid goal.

    These problems are now being looked at closely by the autonomous systems community, particularly for autonomous UAVs. The convergence between autonomous systems flying UAVs and assisting in manned aircraft is much closer than at first it might appear.

  8. David Connolly 21 August, 2009 at 11:45 am #

    Boeing automation puts the pilot at it’s centre and is designed for the worst pilot. Airbus automation tends to put the pilot on the periphery with no intuition or tactile feedback to keep human pilots interactive and engaged. I’d keep an open mind on Airbus auto emergency descent innovation, hopefully it will not result in too much wheezing, sweating or screaming.A mind is best used like a parachute, when opened.
    The THY B-738 stall/crash in EHAM on Feb 25 was a case of simply a crew, with a safety pilot, ironically, not seeing the wood for the trees. All the tactile feedback was there with retarding throttles. A system can be as foolproof as human imagination will allow, but a better fool will always come along. The Radalt indication of -8ft is the normal default for Q-ueens F-ield E-levation for runway gnd zero. When landed upon the mains, it is +8ft, when the nose derotates it is -8ft. the result is zero, but -8ft is displayed on the PFD.
    The AA B-757 Cali crash of Dec 20 1995 was a rich data mine indeed. Firstly, it brought the FMS/CDU Cali rule, which states only execute WPT changes on the legs page with the “Verified and Execute” concurance of the PF. Secondly, the use of speedbrakes in the air must ONLY be used with a hand around it’s handle, as Tim said. The mushroom spoiler knob on the A-320/330/340/380 is easier to overlook than a Boeing type. On the B-744 and indeed B-748 it is much longer than the B-75/67, so that the F/O as PF can reach across the 4 thrust levers. With the speedbrake lever moved aft to it’s flight detent, the inboard 2 spoilers travel full-way and the outboard 2 spoilers travel half-way. As the inboard 54ft wing root chord generates more lift than the outboard 10ft wing tip chord via it’s proportional taper ratio, the nose will pitch up significantly in level flight. This increases the cascading rollback on the PFD’s speed tape. If all spoilers deployed to the same angle, the nose would pitch up very sharply. In a descent the pitot tubes will be full, so to speak and balanced by the drag of the aircraft, so the speed will be fairly constant with a slight reduction in negative pitch. The rate of descent will be from clean cruise descent @Mach.83/340 3000FPM-Cln and 4500FPM-S/B. Transposing this config to AA’s Cali crash, auto-retracting the speedbrakes with TOGA THR REF or Firewall would result in a counter-intuitive pitch down before the thrust-pitch coupling takes effect. So making Cali a bigger disaster than it was, there would probably be no survivors unlike the 4 out of 160 that there was, had the speedbrakes retracted with the thrust lever advance.

  9. David Connolly 21 August, 2009 at 11:49 am #

    Boeing automation puts the pilot at it’s centre and is designed for the worst pilot. Airbus automation tends to put the pilot on the periphery with no intuition or tactile feedback to keep human pilots interactive and engaged. I’d keep an open mind on Airbus auto emergency descent innovation, hopefully it will not result in too much wheezing, sweating or screaming. A mind is best used like a parachute, when opened.
    The THY B-738 stall/crash in EHAM on Feb 25 was a case of simply a crew, with a safety pilot, ironically, not seeing the wood for the trees. All the tactile feedback was there with retarding throttles. A system can be as foolproof as human imagination will allow, but a better fool will always come along. The Radalt indication of -8ft is the normal default for Q-ueens F-ield E-levation for runway gnd zero. When landed upon the mains, it is +8ft, when the nose derotates it is -8ft. the result is zero, but -8ft is displayed on the PFD.
    The AA B-757 Cali crash of Dec 20 1995 was a rich data mine indeed. Firstly, it brought the FMS/CDU Cali rule, which states only execute WPT changes on the legs page with the “Verified and Execute” concurance of the PF. Secondly, the use of speedbrakes in the air must ONLY be used with a hand around it’s handle, as Tim said. The mushroom spoiler knob on the A-320/330/340/380 is easier to overlook than a Boeing type. On the B-744 and indeed B-748 it is much longer than the B-75/67, so that the F/O as PF can reach across the 4 thrust levers. With the speedbrake lever moved aft to it’s flight detent, the inboard 2 spoilers travel full-way and the outboard 2 spoilers travel half-way. As the inboard 54ft wing root chord generates more lift than the outboard 10ft wing tip chord via it’s proportional taper ratio, the nose will pitch up significantly in level flight. This increases the cascading rollback on the PFD’s speed tape. If all spoilers deployed to the same angle, the nose would pitch up very sharply. In a descent the pitot tubes will be full, so to speak and balanced by the drag of the aircraft, so the speed will be fairly constant with a slight reduction in negative pitch. The rate of descent will be from clean cruise descent @Mach.83/340 3000FPM-Cln and 4500FPM-S/B. Transposing this config to AA’s Cali crash, auto-retracting the speedbrakes with TOGA THR REF or Firewall would result in a counter-intuitive pitch down before the thrust-pitch coupling takes effect. So making Cali a bigger disaster than it was, there would probably be no survivors unlike the 4 out of 160 that there was, had the speedbrakes retracted with the thrust lever advance. The speedbrakes auto retract on the ground with advancement of thrust levers which also disarms the autobrakes for manual braking.

  10. Oliie361 24 August, 2009 at 11:59 am #

    Ron Ferguson’s intervention above explains it all.
    In more than one case, one spurious electronic signal could trigger an automatic and undesirable, if not catastrophic, intervention keeping the pilot out of the loop because of its rapid execution.
    First let us ask ourselves “cui prodest” all these automatic interventions obsession.
    Is it to increase the safety of operations or make flying accessible to anybody thus expanding the aircraft market towards unprepared clientele?
    We all feel more secure in our cars with ABS, but in a rainy day, in heavy traffic wouldn’t that encourage a distracted deriver to ignore the necessary precautions to avoid unpleasant or “slippery” situations?
    Also let us not forget that Emergency and Conditional situations are two different things. Loss of cabin pressure and explosive decompression, AMOF, are also two different things.
    Enough is really enough, give pilots a break with waht concerns eccessive automation.
    For what concerns training pilots adequately, we have this obvious handicap. Solving an undesirable flight situation on ground, no risks involved except a repetition of automatic pilot intervention is quite different fro solving that same situation up in the air where one mistake could result deadly.

  11. WhiteKnight 25 August, 2009 at 3:38 pm #

    Automation will only be as foolproof as its weakest link.

    A Malaysian Airlines aircraft performing uncommanded pitch attitude changes, because logic that isolated a failed accelerometer, in the ADIRU, years earlier, reverted back to the same accelerometer when the currently selected component also failed during climb to cruise altitude. Multiple redundancy and poor logic integration only masked this eventuality.

    Would an American Airlines DC-10, had safely recovered, if the stick-shaker had been provided with an electrical feed from the generators of the other engines, thus allowing intervention, preventing the stalling of the left wing?

    My biggest concerns to automation are not factoring in, for instance,dry solder joints in circuit boards, when probabilistic catastrophic failure analyses are conducted. Likewise moisture or ice accretion in pitot tubes providing false positives to ADIRU’s.

    Of greatest concern are technicians swapping LRU’s between aircraft due to the economics of tight turn-around times. Ticking timebombs because we are lulled into a false sense of security that electronic automation is multiple redundant and therefore infallible.

    Automatic emergency descent must also be clearly and unambiguously annunciated, else we may end up with the Aeroflot, autopilot disengagement senario.

  12. No easy answers 31 August, 2009 at 8:06 pm #

    Designing the automation to hand back basic control to the pilots – or what to do when the dog slinks off into the back?

    Flying a basic aircraft is really about making decisions most of the time than handling skills – and a PPL can go out and practice stalls, steep turns, spiral dives any time he wants and as I realised, it is a very good idea to make yourself do so at least every year. But an airline pilot is so constrained by procedures and rules – they are not allowed to think and make decisions or exercise judgement, they are always supposed to follow an SOP no matter what the situation and how can any human being be a robot like that? So when the time comes to use judgement they don’t know how because they’ve become so used to the dog biting them if they touch the controls. It’s finding the right balance between “options” and “procedures” psychology.

    The recent article showing how Sabena base training has fallen from 9 hours on type to 40 minutes was frightening. Following the whole global trend over the last 20 years for money considerations to take priority over everything.

    It concerns me when I read some years ago about a DC9 crew being given a new routing by ATC, just tuned to the VOR, ident, turned the OBS and off they go, just like in a light aircraft, while all the FMS equipped aircraft have to frantically reprogram. Unnecessary and hence dangerous complexity. Where is the ergonomics in the automation system design? That should be number one priority.