Friday, March 1, 2002
Safety in Avionics: RoboLander Revisited
In the wake of the multiple coordinated hijackings of Sept. 11, 2001, numerous suggestions have emerged that would have the pilot of an airliner threatened by hijackers press a "big red button," which would instantly place the airplane under ground control. This remote control would frustrate the hijackers in their attempt to use a fuel-laden airplane as a weapon.
Even President Bush suggested such a system in his Sept. 27, 2001, remarks at Chicago’s O’Hare International Airport. The concept has acquired various monikers, such as a refuse-to-crash system, an automated ground proximity avoidance system, and the RoboLander system (see November 2001, page 53).
With no less than the president of the United States putting the idea on the table, the Federal Aviation Administration (FAA) convened a team of experts to assess the idea’s potential. Herman Rediess, director of the FAA’s Office of Aviation Research, led the effort. In generally deprecatory terms, the resulting report said, basically:
Equipping new-production, fly-by-wire (FBW) aircraft with such a system would cover only a small percentage of available aircraft (which knowing terrorists would shrewdly avoid),
Retrofitting to non-FBW airplanes would be horrifically expensive, and
Buying an airplane and turning it into a radio-controlled flying bomb would be within the means of determined terrorists with access to millions of dollars.
Significantly, the Rediess team report conceded that these various automatic or remote control concepts are "technically feasible." It can be done.
The major challenges, the study says, involve aircrew acceptance (since the concept involves the ultimate loss of pilot discretion and command authority), safety certification, and the scope and speed of the system’s implementation.
The Rediess report deals with each of these major considerations. John Sampson, who has articulated the RoboLander concept in his capacity as technical advisor to the International Aviation Safety Association (IASA), also presents comments. Here are the point/counterpoint views:
Report: "In order to implement the restrictions, the aircraft’s primary control system and probably engine throttles would have to be modified to preclude the pilots from overriding the restriction. Primary flight control and throttle systems are designed specifically to assure that the pilot never loses control of the aircraft…Boeing aircraft would be more difficult to limit pilot control with no ability to override…Airbus already has implemented an envelope-limiting system (on its FBW aircraft)…If the concept is to land the aircraft after taking over control, other subsystems such as the flaps, slats, landing gears, brakes, etc., would have to be controlled by the automatic system with no way for an onboard pilot to override…All of these are very costly retrofits, and for many of the older aircraft totally impractical–too many systems and subsystems would have to be replaced."
IASA: "[We] agree that ‘control constraint’ would be an expensive proposition. Incorporating increased automation in present autoland systems would be a complex task. However, not if we skip to the next generation of airliners and see automation as ‘designed in.’ An impartial analysis would reflect more on ‘how to’ rather than ‘how hard to.’ NASA spacecraft have had these same autonomous capabilities for decades now and RPV [remotely piloted vehicle] drones have proven themselves in a combat environment–as far back as Israeli use in the Bekaa Valley in 1982."
Report: "Even though these systems would be used for very rare occurrences and operate for a relatively short period of time, they must meet strict safety requirements and be certified…The system elements would have to have at least the same reliability as FBW systems…If the system depends on a digital terrain data base, the data base becomes a flight critical item, which must be certified and maintained up to date for all geographic areas in which the aircraft could operate."
IASA: "Systems that are meant never to be used except in extremes, such as fire detectors and extinguishers, can still be relied upon. EGPWS [enhanced ground proximity warning system] is a critical flight system used to avoid CFIT [controlled flight into terrain]. It already relies wholly upon a GPS [global positioning system] derived digital terrain data base."
Report: "For the concept to be an effective deterrent, all transports and similar aircraft capable of operating near high value assets would have to incorporate the systems…Even going from an Airbus envelope-limiting system, which pilots understand is for their safety, to a refuse-to-crash type system that limits the pilot’s ability to fly in certain airspace may not be that easy for pilots to accept."
IASA: "Insurance actuaries and governments would look favorably upon the concept. So would the passenger clientele. In certain scenarios, ground-based control could be relinquished back to the aircraft captain."
Report: "Just considering the worldwide fleet of Boeing and Airbus aircraft, there are about 2,304 with FBW systems…There are 8,663 non-FBW Boeing and Airbus commercial transports. To cover all aircraft that could be commandeered by terrorists, it would be necessary to modify all the other transports, regional and commuter aircraft, cargo, chartered and leased aircraft, and even the larger business aircraft. For the near future, no airline will have the financial resources to even modify the FBW aircraft."
IASA: "Terrorism is likely to be around forever and airplanes as weapons of mass destruction are now only second to clandestine NBC [nuclear, chemical, biological] warfare in the terrorists’ armory. They demonstrated their efficacy on Sept. 11, 2001. Mandated large-scale change has always been necessarily progressive in the world airline industry. Turbine engine noise categories were introduced and phased in over decades…Accommodating airline anti-terrorist technology and tactics also may have to occur over a phased and layered process–but eventually [will be] a decreed prerequisite–if access to highly desirable hubs is required. San Diego-based Cubic Corp. already has applied for a patent and has committed publicly to developing a concept akin to RoboLander [see www.cubic.com/corp/news/Pressreleases/2001/cubic safety device.htm]…If you reflect on what technical directions might come out of the Afghanistan War…UAVs [unmanned aerial vehicles] for surveillance, real-time battlefield intelligence, and autonomous attack will be right up there as an emerging ideology. As we know, it takes the civilian realm no time at all to find commercial applications for military-funded technological enhancements and innovation."
Report: "If all the world’s fleet of commercial transports were protected, what about chartered, purchased or leased transport aircraft? With the financial backing al Qaeda seems to have, they could purchase an unmodified, used transport or business jet as a personal aircraft with their own pilots…It is possible to modify the autopilots and add a remote control data link and turn an ordinary transport, business jet or high-end GA [general aviation] aircraft into a remote controlled UAV."
IASA: "Doing this and getting access to all the necessary hardware while remaining undetected during its development? [That would be] highly unlikely in the now enhanced intelligence surveillance era of high anxiety and paranoia."
Report: "None of these concepts, including the refuse-to-crash type, is a potential near-term intervention. Airlines are in no financial condition to make required modifications, even for the easier modified Airbus transports. Modifications of non-FBW aircraft are likely to be several decades off…Modifying 18 to 20 percent of the fleet does nothing to increase security, because terrorists would just select unmodified non-FBW aircraft as their target for hijacking."
IASA: "Agreed, it is a longer-term measure. But hijacking and unlawful interference have been…so resiliently pervasive only because too little was done to preclude success. Mandating plastic cutlery, heavy-set doors and optional stun-guns is like staving off a mouse plague by buying a cat, a trap and a screen door."
Let us introduce into the debate a third party: Raymond Hudson, an expert in avionics systems design with decades of industry experience. To Hudson, the FAA’s concession that, technically, an anti-hijacking system can be designed "justifies at least a proof-of-concept (POC) demonstration program."
"No matter what the eventual result, you would gain a lot of knowledge simply by doing the design and development of a ‘common denominator’ airplane type," he argues.
"If I can build it, I can then learn how to optimize it," Hudson adds. "The things we learn will more than pay for the initial effort. If you invest less than $100 million total in a research and development program, it would pay for itself in the cost of a single widebody airplane that doesn’t get destroyed," he asserts.
A deeper question exists: how far to proceed with automation? If aircraft are designed and equipped with systems that allow control to be ceded to a ground station in an emergency, the next logical step may appear to pilots to be a Godzilla emerging from the mists. Pilots are just along for the ride, monitoring avionics, and ground controllers are in charge.
(Note: An extended version of this exchange of views may be viewed at www.iasa-intl.com/RoboLander.htm).