Tuesday, November 27, 2007

Spook Story

This here is a post which you probably shouldn't read if you hate to fly. A pilot raising safety-related questions about airplanes just doesn't make for good bedtime reading if you're squeamish about these things.

I had to catch a flight up to Montreal the other day, so that I could spend the next day in a hotel before flying the airplane back to Kentucky. Then go home. (Now that's my idea of a back-breaking work week.) Anyway, the flight out of O'Hare up to Montreal was on a new Embraer 170, a new airplane design which I'd seen taxiing around but hadn't ridden on yet. It looks like a mini Airbus A-319, a generic modern twinjet. Inside, it has a three-row 2/1 first class section, and about 18 rows of 2/2 economy class for roughly 80 passengers. Nice airplane. I stopped by the cockpit on my way in to chat with the flight crew about their new toy.

I used to fly an Embraer E-120 "Brasilia" at my first airline job, and while not a very big airplane, it was my first plane with an airline cockpit, one which is operated like any other large airplane. (I remember the stories about the ordeal of going down to Brazil to pick up new airplanes from the factory as they were produced. A substantial amount of cash--a couple hundred grand per airplane--was needed for payoffs in order to get the airplane out of the country. I wonder if these stories were true and if the practice continues.) The Brasilia was not, to me, a very impressive airplane. It was fast, but we had lots of maintenance issues with it, and the propeller systems needed to be treated with respect, as prop mishaps at other companies had brought down, or nearly so, several airplanes (the propeller system of a turboprop is a hardy system, but mechanical mishaps with the system can be problematic; the lack of this system on a jet is one of the things that makes jets statistically safer). The new E-170 is a jet, so that problem needn't come into play.

But on our way out to the runway the pilots reported that they had an electronic glitch caused, they thought, by a strong blast of jet exhaust to one side of our airplane from a taxiing 767. This caused (I'm speculating now) the sensors on one side of the airplane--pitot tubes, static ports, angle of attack indicators, etc.--to register a "weather" phenomenon that the other side did not agree with. Ergo, error message. That's simple enough, but what's odd to me is that it's a non-clearable error. Their solution was to completely de-power the airplane and let it sit dark for seven minutes and then reboot things. Like rebooting your computer (exactly like that, actually), this was the generic system reset that would fix things, so they speculated. And they were right. They gave us the option of going back to the gate and going inside while they did it, or just agreeing to sit in darkness out by the runway. We all chose the latter, and after a few minutes' pause we were up and running and on our way to Montreal. End of story, I suppose.

Now, I've flown a couple electronics-intensive airplanes in my career, and I recall doing exactly this thing (come to think of it, at exactly the same spot on the O'Hare field in one case). But here's my issue: in the airplanes I flew, these electronic glitches might have caused my navigation display to show erroneously, or maybe one of my systems warning panels (air conditioning, hydraulics, etc.) to annunciate incorrectly. But this new Embraer is, like virtually all Airbuses and all Boeings from the 777 onward, a fly-by-wire airplane. This means that the pilots, by manipulating the flight controls, are actually operating computer input devices--joysticks, essentially--that tell the computer what they want to do, and the computer arbitrates whether that's a good idea or not. The computer is doing the flying, and the pilots are inputting to the computer. The safety built into this system is that the airplane is prohibited by programming from doing things like going too fast or too slow or rolling upside-down.

But the real motivation in using fly-by-wire technology in a civilian airplane is economic. I don't want to give a lesson on aerodynamics here, but the stability of a traditional airplane is a function of its weight distribution, and that built-in stability costs fuel in the form of additional drag. The main rationale for civilian fly-by-wire use is that the basic airframe can be designed to be neutrally stable, that is, without any inherent (and fuel-sucking) stability; and the stability and docile flying manners are then supplied by software. This setup saves gas, pure and simple. (Military aircraft also can be designed to be inherently UNstable for maneuverability benefits, and then made flyable by electronics; basically, the survival parameters stipulated by having an organic-matter pilot on board are programmed into a computer, keeping that pilot safe in an airplane whose capabilities vastly exceed his or her own.)

So my question is this: if it's actually a computer system which is in ultimate control of the airplane, what prevents an electronic glitch in THAT system in flight, a non-clearable error in the flight control system? De-powering an airplane is not an option in flight, and especially when electricity is the only connection between pilot and flight controls. The electronics-intensive airplanes I flew were actually regular, mechanical airplanes with some sophisticated electronic systems, so this issue did not apply. Likewise, my DC-8 is flown with cables and judicious use of hydraulics, and it has considerable backups in case of a malfunction in any of those mechanical systems. We rely on electronics for very little in the old steam-powered DC-8, so this issue just doesn't come up for us. But fly-by-wire airplanes are the wave of the future.

I can't say I'm worried about it, because I'm confident the issue is addressed in some way--otherwise (like claims that the aspartame in my beloved Diet Coke causes cancer) I think we'd see ample evidence of a problem at this point. But I'm curious, because I've not been shown how they get around this potential problem. I remember something about the space shuttle using five identical computers and giving each one a vote, and then going with consensus opinion. Is that the way? Do redundant computers reboot themselves, one at a time? The question may well be more interesting than the answer, but I'd love to know. (I have a couple friends who fly the Airbus A-320--the world's first commercial jetliner with a fly-by-wire control system--and maybe they'll come to my rescue here.)
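The vote-among-redundant-computers scheme recalled above can be sketched in a few lines. What follows is an added illustration, not code from this post nor from any aircraft or spacecraft flight-control system: a mid-value-select voter with an agreement check, a channel set that retires a source after it has been outvoted several cycles in a row, and a latched fault that only a reset (standing in for the ground power-down the pilots performed) will clear. The channel count, tolerance and strike threshold are assumed values chosen for the illustration. It also shows why a disagreement between only two sources, like the two sides of the airplane in the taxi incident, cannot be voted away: with two voters there is no majority, so the only safe answer is to refuse to answer and flag the fault.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Sequence


@dataclass
class VoteResult:
    value: Optional[float]   # consensus output, or None when no trustworthy quorum exists
    agreeing: List[int]      # indices (into the input list) of channels within tolerance of the median
    outvoted: List[int]      # indices of channels that disagree with the consensus


def majority_vote(readings: Sequence[float], tolerance: float) -> VoteResult:
    """Mid-value select with an agreement check.

    The median is robust to a single wild reading; channels farther than
    `tolerance` from it are outvoted.  A quorum of at least two agreeing
    channels (and more than half of those voting) is required, so one
    channel is never trusted on its own and two channels that disagree
    cannot settle the argument between themselves.
    """
    if not readings:
        return VoteResult(None, [], [])
    mid = median(readings)
    agreeing = [i for i, r in enumerate(readings) if abs(r - mid) <= tolerance]
    outvoted = [i for i in range(len(readings)) if i not in agreeing]
    quorum = max(2, len(readings) // 2 + 1)
    if len(agreeing) < quorum:
        return VoteResult(None, agreeing, outvoted)
    value = sum(readings[i] for i in agreeing) / len(agreeing)
    return VoteResult(value, agreeing, outvoted)


class RedundantChannelSet:
    """Votes each cycle, retires persistently disagreeing channels, and latches a
    fault when no trustworthy consensus remains.  The latch models the
    'non-clearable' error in the post: only reset() clears it, standing in for
    the full power-down.  (Illustrative design, not any real system's logic.)"""

    def __init__(self, n_channels: int, tolerance: float, strikes: int = 3):
        self.n = n_channels
        self.tolerance = tolerance
        self.strikes = strikes            # consecutive outvotes before a channel is retired
        self.miss_count = [0] * n_channels
        self.failed: set = set()          # retired channel indices
        self.fault_latched = False

    def update(self, readings: Sequence[float]) -> Optional[float]:
        if len(readings) != self.n:
            raise ValueError("one reading per channel expected")
        if self.fault_latched:
            return None                   # refuse to emit an output nobody cross-checked
        live = [i for i in range(self.n) if i not in self.failed]
        result = majority_vote([readings[i] for i in live], self.tolerance)
        if result.value is None:
            self.fault_latched = True     # no quorum: latch rather than guess
            return None
        outvoted = {live[j] for j in result.outvoted}
        for i in live:
            if i in outvoted:
                self.miss_count[i] += 1
                if self.miss_count[i] >= self.strikes:
                    self.failed.add(i)    # persistently wrong: stop listening to it
            else:
                self.miss_count[i] = 0
        return result.value

    def reset(self) -> None:
        """The ground 'reboot': forget retired channels and the latched fault."""
        self.miss_count = [0] * self.n
        self.failed.clear()
        self.fault_latched = False


if __name__ == "__main__":
    # Constructed sample cycles: three airspeed-like channels, one drifting away.
    channels = RedundantChannelSet(3, tolerance=3.0, strikes=2)
    for cycle in ([250.0, 251.0, 249.5], [250.0, 251.0, 310.0],
                  [250.0, 251.0, 320.0], [250.0, 320.0, 0.0]):
        print(cycle, "->", channels.update(cycle), "latched:", channels.fault_latched)
```

The quorum rule of "at least two, and more than half" is the whole point of carrying three or more channels: a single glitching source is outvoted and eventually ignored, while a two-way split produces a latched fault instead of a coin toss.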

Lastly, I can't help thinking that Burt Rutan and Boeing and Beechcraft and many others have developed airframes with canard wings which provide all lifting surfaces--that is, airplanes that achieve the same or better efficiency as fly-by-wire without resorting to this isolating electronic layer. Beech's airplane, a turboprop pusher, was called the "Starship," and it went into production but never amounted to much. Boeing's idea was called the Sonic Cruiser, and it looked beautiful, like a huge jet version of the Starship. But the public just couldn't be brought along when the airplane looked so different. And so the solution we're stuck with to keep bodies in the seats is one which seems much less satisfactory to me (though I honestly don't know whether the Sonic Cruiser was meant to be fly-by-wire or not). I know I've never met any pilot who thinks the basic idea that a computer does the flying and the pilot informs the computer is a good one. Maybe we're all overconfident control freaks, but giving the final say in things to a computer goes against all our training. And when there are predictable problems with giving computer control to any other system, you have to wonder...

OK. You can open your eyes now. Scary stuff all gone.

9 comments:

Jeff said...

I am still waiting for an Airbus driver to weigh in here, but I can state that I am certain that the computer systems in a fly-by-wire aircraft are redundant. There is no way that any of these airplanes would be designed with a single flight control system that had no backups.

I am also certain that the computer systems can be restarted independently with no effect on the operation of the aircraft.

What scares me about this whole scenario is that it is possible to completely shut down the entire system from the cockpit. Even if it is a difficult operation, this seems like something that should not be possible in a fly-by-wire aircraft. There is just too great a chance for disaster due to a shutdown. To do a total system shutdown it seems as though some sort of externally accessible key-switch or something should be required. I am not sure that it makes sense to be able to do a total shutdown at all on such an aircraft.

wstachour said...

Well the shutdown we did was exactly what you'd do at the gate at the end of the flight: engines off, power off, systems off--totally dead. I remember having to do this with the Brasilia a couple times, and we could do it while leaving the engines & auxiliary power unit running, but shutting off the generators and the battery power. So power units remained operating, but electrical power was gone.

To me this is no different than having the ability to shut down an engine (or all of them) from the cockpit in flight.

We must live with the precept: there are some things you ought not do!

Dzesika said...

... but even with built-in redundancy and eighteen backup processors and fuel-saving-enhancement-featuredegook and all of that, isn't it a little bit disconcerting to know that at some basic level, you just really aren't actually flying the plane?

wstachour said...

I think that's a core resistance among many pilots to the very concept of fly-by-wire (at least in civilian applications). It's conceivable that I as a pilot might find myself in a situation where I would wish to override the computer's strictures and could not do so. (An early version of the Airbus A-320 is on film--found on YouTube, I'm sure--crashing into the trees at an airshow; during a low pass with flaps and gear down the computers said "OK, we're landing" and the pilots couldn't get out of that mode. A crash resulted.)

On the other hand, by far the greatest bulk of air crashes (still a much lower number than driving, remember) are attributable to human error, and a computer "overseer" might catch some of these.

The question becomes: who is ultimately in control? And if it's a computer, how fail-safe is that system? Compared to human propensities for error?

It's interesting stuff (at least to me).

Jeff said...

The A320 airshow crash was quite the spectacle. I think that Airbus was showing their latest and greatest to a crowd of potential customers. Their chief pilot was flying and could do nothing as the plane flew itself into the trees. I think they had to do a little reprogramming before airlines were willing to start buying.

If done right I think I would trust the flight computer more than even an experienced pilot. The problem is that I am not convinced that the flight computers are perfect yet, so it is debatable whether they will always do better than a pilot.

Also, not all fly-by-wire systems put the computer in total control of the plane. It is my understanding that while the newer Airbus and others work that way the newer Boeing aircraft are fly-by-wire, but with the computer in a subservient role to the pilot.

wstachour said...

I think you're right about that latter. I think in a 777 the pilot gets the final say.

Your ultimate trust in the computer and my skepticism exactly reflect our career choices! But in principle I agree with you. In a perfect world and with perfect programming, I think the computer should be able to be far more comprehensive than a human operator (and the accident statistics rather bear that out).

But all the training we do is for those very rare circumstances where something goes wrong. With good enough reliability, you could remove the pilots altogether (which is a trend that will eventually happen, I think). The reason we still have two on board, and the design of that human / computer interface, results from the need to react to the unexpected. And so far (the point of the post) the unexpected still too often involves the very computers which are being used to save us.

Eventually, computers will do all of this; they already advise us in emergencies in ways no human can duplicate. So maybe we're just in that fascinating no-man's land between epochs.

Jeff said...

I think we are not all that far away from the day when we'd be better off with no pilots on board (nothing personal about any specific pilots here).

However, I don't think we'll see it happen for a very long time, if ever. The folks riding on the plane want a person up there (at least one) to use his brains and skills to handle the unexpected things that can happen. Just how skilled that pilot will be when he has spent his whole career instructing the autopilot on the current destination rather than actually flying remains to be seen, but there will still be a demand for the live bodies up front.

We've got a nifty computer-driven light rail system in our metro area that has live "drivers" on board when I am fairly sure there is absolutely no need for them (and the trains still crash with misguided cars and pedestrians every once in a while). If we can't even get comfortable with an automated train that just shuttles back and forth between the ends of a single track I think we are pretty far from accepting an aircraft with no pilots (well, maybe the boxes in the brown planes wouldn't care).

wstachour said...

"Just how skilled that pilot will be when he has spent his whole career instructing the autopilot on the current destination rather than actually flying remains to be seen..."

This may actually be in play to a small degree already. My Airbus-flying friends (every Airbus but the A-300 which we fly--the A-300 is not fly-by-wire) say that a normal crosswind landing is not really possible in these computer-flown aircraft. A normal crosswind landing requires a deliberate mis-coordination between ailerons and rudder, and the computer on a newer Airbus won't allow this, so you just have to Hail Mary your way down that last couple feet.

After a while, I wonder what happens to your crosswind landing skills (probably the most difficult thing physically that pilots are called upon to do--that and hand-flying an ILS).

Also interesting, Airbus was conscientious in designing the pilot's workload so as to keep the pilot in the loop. Otherwise they might, as you suggest, have gotten along quite well with the pilot just sitting there in standby mode!

Jeff said...

It sounds like there is still room for improvement in the A320 computer systems. You'd think that it ought to be able to recognize a cross-wind landing, and not only allow for the appropriate mis-coordination, it should perform the proper mis-coordination itself. The system should be designed to operate as close to ideally as possible.