The Risks of Automated Flight

The Risks of Automated Flight

Posted February 16, 2011

DAVID LEVIN: You're listening to a NOVA podcast. I'm David Levin.

Most passenger jets today fly under computer control, at least to some extent. A pilot is still in command but spends most of his or her time overseeing those systems. Usually, computers make flying safer. But like any machine, they sometimes break down. Computer failures may have caused the fatal crash of Air France Flight 447 back in 2009. That's unclear, since the wreckage is still on the bottom of the ocean—but some aviation experts think the crash should prompt us to rethink the way we train pilots.

Bill Voss is president of the Flight Safety Foundation, a nonprofit group dedicated to making flying safer.

BILL VOSS: Over the decades, we've done an awful lot about automating the aircraft and giving pilots tools to control where the airplane goes. You know, they're highly automated, but we have not done nearly as good a job in teaching people how to manage the new automated systems. Our training is very, very outdated.

DAVID LEVIN: So how should we be training pilots differently?

BILL VOSS: The reality is we still really train people for things like engine failure on takeoff. But that's very much Cary Grant, cigar-hanging-out-of-the-mouth, black-and-white movie stuff. You know, engine failures aren't the big deal anymore, and frankly, if you have an engine failure in a highly automated aircraft, it's a non-event. You just leave your feet flat on the floor and try not to touch anything you shouldn't. And the aircraft flies itself out of it brilliantly. Well, now the problems are when you misinterpret, misunderstand, or misprogram what's going on with the automation, now you have new ways you're going to get in trouble.

DAVID LEVIN: Details of the Air France crash are still kind of sketchy, but it looks like automation and sensor errors may have played a role. So has automation been a factor in other accidents?

BILL VOSS: Yes. One of the most fascinating stories is the accident in Amsterdam of the Turkish Airlines crash recently. The Turkish Airlines crash—it didn't have an airspeed sensor problem, it had a radio altimeter out.

DAVID LEVIN: That's a sensor that tells you how far off the ground you are.

BILL VOSS: So, yeah. So there's a sensor that has an input to the automation system that wasn't working right, and they knew it, but they didn't understand the implications that would have on the automation. And they got themselves into a loss-of-control situation and had a fatal accident on approach to Amsterdam.

You know, another way to get an automation system failure is to have the pilot give it the wrong data. That happened in Melbourne, Australia. They misentered the takeoff weight by something like 100 tons or something huge. And they ended up realizing something was wrong because the aircraft wasn't accelerating properly, right at the end of the runway, staggered off the ground while scraping the tail on the runway, actually scraped through the skin of the aircraft. It then ran through the grass, through the antennas, and disappeared over a cliff, and flew below surface elevation for 90 seconds between the trees until it eventually climbed up and was able to dump fuel.

DAVID LEVIN: Wow. That's incredible.

BILL VOSS: Yeah. So this issue of making sure you understand what the automation's doing is really a very big deal. But it wasn't being pursued with as much vigor as it is now post Air France 447.

Now, that doesn't mean the system has gotten less safe because of automation. On the contrary, you can't ignore the fact that the accident rate over the last decade has had a spectacular improvement, to the point that it's remarkably good. And some of that you have to credit to these highly automated platforms that catch mistakes and don't let pilots make mistakes. So you can't throw the baby out with the bathwater.

DAVID LEVIN: Yeah, it seems almost like you have to rethink flying a plane to be just as much hands on control as computer engineering in a way.

BILL VOSS: Yeah, and the funny thing is, the engineers aren't real fond of the idea that their stuff is gonna break, because they're all going to tell you, "Of course this won't break." But the fact is, you put it out there in the rain and the cold and you cycle it a few thousand times, and all of a sudden, "poof," it breaks.

DAVID LEVIN: Now, in the case of the Air France accident, they didn't lose just one instrument. Crash investigators think all three of the plane's pitot tubes, its airspeed sensors, were blocked by ice, and its automation would have needed input from those to control the plane. So was it just a freak accident that all three were blocked, or could that happen again?

BILL VOSS: Well, we don't even know if they were blocked, you know? But yeah. So we're speculating, but if they were all blocked, that's a pretty extraordinary occurrence. I mean, you wouldn't have thought three would actually have a problem like that. And it's not like it's happened a lot before, either.

DAVID LEVIN: But right before the crash, The European Aviation Safety Agency actually recommended that type of pitot be replaced.

BILL VOSS: Yeah, that was dealing with the way that it's heated, and different drain holes, and the ability to melt and disperse icing.

DAVID LEVIN: And did they think that type of pitot could have had something to do with the Air France accident?

BILL VOSS: It was at least a legitimate vulnerability. Nobody knows what happened, but they found out that could happen in their testing, and so they decided to do something about it. Tough to say whether it did or it could, but it could be the problem is enough for people to take action.

DAVID LEVIN: So the Air France crash was sort of an extreme case. They were flying through major thunderstorms. But in most normal cases, if your automation suddenly goes haywire at 40,000 feet, can you just drop everything and say, "Hey, give me total manual control?"

BILL VOSS: Yeah, absolutely you can fly it out by hand, and that's precisely the issue that we have to get around. Maybe the response is push a button, maybe the response is take over the control of the aircraft, but we really need to start having those type of drills instead of, you know, there's an engine fire, and your girlfriend's watching from the terminal. You know, the Cary Grant scenarios. I think that we haven't been as honest with ourselves as we could have been about the potential failure modes that exist in this highly automated environment.

DAVID LEVIN: Bill, thanks for speaking with me.

BILL VOSS: Alright. No problem.

Audio

Produced by

David Levin

Image

(aircraft cockpit)

© Ratstuben at iStockphoto.com