Changes and Technologies Required for a Safe Autonomous System
Reviewing the published pilot homicide events, the underlying findings of the subsequent investigations indicate that the commercial flight crews have a full understanding of their respective aircraft, including the vulnerabilities and limitations of all the technical systems. All the life support system controls are located inside the reinforced flight deck. While the manufacturers may have intended pilots to have the final decision as to disabling such systems, historical events indicate that some systems should not be switched off by a flight deck occupant without first declaring an emergency, as the continued support of human life aboard the aircraft is dependent on the Environmental Control System functioning correctly. Likewise, the full electrical systems (including the communication systems and transponder) are all controlled and isolated from within the flight deck.
ECS Life Support
For such critical systems that affect life support and the normal powered operation of the aircraft, the justification for switching off such systems in-flight is highly questionable. In extreme cases, such as a double thermal event on the aircraft air-conditioning packs (forming part of the ECS), in addition to making an immediate unscheduled landing, it would be prudent for the manufacturers to change the procedure for disabling such systems in-flight. The current protocol is for the manufacturer to cover the switch with a spring-loaded wire cage - but that can be operated by a single person inside the flight deck. If, however, two separate and unique alphanumeric codes were required to be entered by both pilots into the flight computer in order to isolate these systems (when the aircraft was weight off wheels in a flight condition), this would mitigate the risk of deliberate subversion. Ironically, as the ECS is fully computer-controlled, another viable solution could be modification of the ECS computer software to fully remove the pilots from the in-flight 'isolation' controls, and only allow the manufacturers via the satellite uplink to securely make any necessary system isolations. The same protocol should be applied to the electrical systems - requiring both pilots to input a unique personal code into the aircraft, or having the manufacturer take control of the systems via a secure satellite uplink.
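The two-code rule described above can be sketched as a dual-control check. This is an added example, not part of the original text or any avionics vendor's code; the crew IDs, codes, function names and the choice to skip the check on the ground are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def enrol(code: str) -> tuple[bytes, bytes]:
    """Keep only a salted PBKDF2 hash of a pilot's personal code."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 200_000)

# Constructed enrolment records; the crew IDs and codes are made up.
CREW = {"CAPT-01": enrol("K7Q2M9XA"), "FO-02": enrol("T4ZB81LC")}

def code_ok(crew_id: str, code: str) -> bool:
    record = CREW.get(crew_id)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def authorise_isolation(weight_on_wheels: bool,
                        entries: list[tuple[str, str]]) -> bool:
    """Decide whether an ECS or electrical isolation request may proceed.

    Assumption: on the ground the existing guarded switch is enough.
    In flight (weight off wheels), two different enrolled pilots must
    each have entered their own valid code.
    """
    if weight_on_wheels:
        return True
    # A set of verified IDs means one pilot entering a code twice counts once.
    verified = {crew_id for crew_id, code in entries if code_ok(crew_id, code)}
    return len(verified) >= 2

if __name__ == "__main__":
    both = [("CAPT-01", "K7Q2M9XA"), ("FO-02", "T4ZB81LC")]
    print(authorise_isolation(False, both))        # both pilots agree
    print(authorise_isolation(False, both[:1]))    # one pilot alone
```

The check only proves that two valid codes were presented; it cannot prove that two different people typed them, so the codes have to stay personal for the control to hold.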
Currently, the circuit breakers (C/Bs) for all the aircraft's electrical power connections are located either on the overhead panel (above the centre pedestal), the general flight deck compartment side panels or inside the electronic and electrical bay (usually underneath the flight deck). All these circuit breakers can be isolated by pilots in-flight, but the location being within easy reach is based on the pilots' historic troubleshooting abilities to work around problems. While this 'can do' strategy might have been highly advantageous in the post-Second World War (WWII) years, the current complex aircraft often require advanced computing to identify and rectify technical problems. Many of these technical diagnoses and rectification tasks are performed by highly trained qualified avionic licensed engineers. Having all the C/Bs within easy reach of pilots, giving the flight deck occupants the ability to switch off all electrical power in-flight based on the pilot's wishes, cannot continue to be justified in light of various homicide events. One possible solution would be to relocate the current C/Bs to an unpressurised part of the aircraft, removing the possibility of in-flight resetting or opening. If a C/B does open due to operational difficulties, then a decision should be made by the airline's maintenance team (with input from the pilots) whether to land at a nearby airport to perform an unscheduled maintenance task, or to press on to the final destination.
The transponder operation likewise requires some modification. The current process is to allow flight crews to decide (selecting the operation using a rotary switch) when to switch the system on and off. The events surrounding MH370 have indicated that having such a capability is a significant security weakness for the industry. A simple modification would be to change the operation logic in the computer-based controls. Once the transponder is set with the four-digit code (on the ground) and the aircraft takes off, it should not be possible whatsoever to switch off the system. Deactivation of the transponder should be automatically performed when the aircraft has landed (weight on wheels), the ground speed (from GPS data) is shown to be zero and the park brake is set to on. Only then should the transponder Mode S cease transmissions.
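The proposed transponder logic, written out as a small state machine and run over a constructed flight timeline. This is an added example, not part of the original text or any manufacturer's software; the class and field names, the `STOPPED_KT` tolerance and the `has_flown` latch are assumptions.

```python
from dataclasses import dataclass

STOPPED_KT = 0.5  # assumed tolerance: GPS ground speed rarely reads exactly 0

@dataclass
class Sample:
    weight_on_wheels: bool
    ground_speed_kt: float        # GPS-derived
    park_brake_set: bool
    crew_requests_off: bool = False

class TransponderInterlock:
    def __init__(self, squawk: str):
        # Squawk codes are four octal digits (0-7).
        if len(squawk) != 4 or any(c not in "01234567" for c in squawk):
            raise ValueError("squawk must be four octal digits")
        self.squawk = squawk
        self.transmitting = True   # code set on the ground: Mode S is live
        self.has_flown = False     # assumed latch so the gate before departure
                                   # is not mistaken for the end of the flight
        self.rejected_off_requests = 0

    def step(self, s: Sample) -> bool:
        if not s.weight_on_wheels:
            self.has_flown = True
        if s.crew_requests_off and self.transmitting:
            self.rejected_off_requests += 1   # recorded, never acted on
        parked = (s.weight_on_wheels and s.ground_speed_kt <= STOPPED_KT
                  and s.park_brake_set)
        if self.has_flown and parked:
            self.transmitting = False
        return self.transmitting

def run(squawk: str, timeline: list[Sample]) -> tuple[list[bool], int]:
    xpdr = TransponderInterlock(squawk)
    states = [xpdr.step(s) for s in timeline]
    return states, xpdr.rejected_off_requests

# Constructed timeline: gate, taxi, cruise (crew selects OFF), rollout,
# stopped without park brake, parked.
TIMELINE = [
    Sample(True, 0.0, True), Sample(True, 15.0, False),
    Sample(False, 450.0, False, crew_requests_off=True),
    Sample(True, 120.0, False), Sample(True, 0.0, False),
    Sample(True, 0.0, True),
]
```

Counting the rejected OFF selections gives the ground side an event to alert on, rather than silently ignoring the switch.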
One Time Use Codes
Aviation and aircraft security are complacent as an industry. Small general aviation aircraft require the occupant to use a metal key to be able to start the aircraft's piston engine, as the aircraft has a new retail value up to $750,000 USD - depending on the size, avionics, etc. Perversely, a new B787 is around $250,000,000 USD and a B777 $320,000,000 USD, yet large heavy commercial aircraft have no keys and no security codes to start the engines. The theft of Horizon Air's aircraft by a ground staff member demonstrates this fact very aptly. Airports rely on deterrents in the form of fences, razor wire, cameras and patrols. Yet, these defences are regularly tested and breached by stowaways, members of the public who have no hostile intent, etc. Ironically, the security levels applied to the travelling public are excellent, i.e. the security screening inside the passenger terminal. A computing-based solution is necessary, to provide a one-time code that contains 'all the information necessary' for the aircraft to be operated correctly. For example, if an aircraft undergoing maintenance requires a ground run, the maintenance base should be able to issue a code to an engineer that would allow for the engine to be switched on and operated. If the system detects that the ground speed of the aircraft (from GPS data) is greater than the maximum taxi speed, the aircraft computer should automatically cut the fuel to the engines. For commercial flights, the expected route including waypoints, intended airways, etc., should be inputted into the flight planning software as normal. The one-time use code is then generated by the flight planning software in conjunction with the OEM server and ATC flight planning submission, issued to the pilots and used to start the engines after pushback from the terminal. If during the flight the pilots significantly deviate from the filed flight plan, this is automatically brought to the attention of both ATC and the airline.
One-time use codes such as this are in standard use by freight forwarding companies, allowing customers to track their shipments. Assuming the aircraft's Flight Management Computer (FMC) has Wi-Fi access or Satcom data when parked at the gate, the single-use code could also be used to download the flight's full route into the FMC. This integrated approach would prevent pilots from flying the incorrect sector, which has happened in recent years on more than one occasion.
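A sketch of how such a one-time code could be bound to one aircraft, one purpose and one filed route, and how a ground-run code enforces the taxi-speed limit. This is an added example, not part of the original text or any OEM system; the shared key, the code format, `MAX_TAXI_KT`, the tail number and the waypoint names are all assumptions.

```python
import hashlib
import hmac
import json
import secrets

MAX_TAXI_KT = 30.0  # assumed limit; the text gives no figure

def _tag(key: bytes, tail: str, mode: str, plan: list, nonce: str) -> str:
    body = json.dumps({"tail": tail, "mode": mode, "plan": plan,
                       "nonce": nonce}, sort_keys=True).encode()
    # Truncated to 64 bits so the code stays short enough to key in (assumed).
    return hmac.new(key, body, hashlib.sha256).hexdigest()[:16]

def issue_code(key: bytes, tail: str, mode: str, plan: list) -> str:
    """Issuer side (flight planning software or maintenance base)."""
    nonce = secrets.token_hex(8)
    return f"{nonce}-{_tag(key, tail, mode, plan, nonce)}"

class Aircraft:
    def __init__(self, key: bytes, tail: str):
        self.key, self.tail = key, tail
        self.used = set()       # nonces already consumed
        self.mode = None
        self.fuel_on = False

    def start_engines(self, code: str, mode: str, plan: list) -> bool:
        """Accept a code only once, and only for this tail, mode and plan."""
        nonce, _, tag = code.partition("-")
        expected = _tag(self.key, self.tail, mode, plan, nonce)
        fresh = nonce not in self.used
        if not (fresh and hmac.compare_digest(tag.encode(), expected.encode())):
            return False
        self.used.add(nonce)
        self.mode, self.fuel_on = mode, True
        return True

    def on_ground_speed(self, kt: float) -> bool:
        """Ground-run codes never permit more than taxi speed."""
        if self.mode == "ground_run" and kt > MAX_TAXI_KT:
            self.fuel_on = False
        return self.fuel_on

# Constructed demo values: key, tail number and waypoints are made up.
KEY = secrets.token_bytes(32)
PLAN = ["ORIGIN", "WPT1", "WPT2", "DEST"]
```

Because the route is part of the authenticated message, a code issued for one filed plan will not start the engines with a different plan loaded, which is the same binding that would let the FMC trust a route downloaded with that code.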
Satellite Communication Uplinked Continuous Data
Many commercial aircraft are fitted with satellite communication technologies. Some airlines use the data communication capability to communicate between the aircraft and the airline (via the OEM's data server), such as the Airbus Skywise service. Newer aircraft also have the possibility to use the satellite data transmission for up-linking the ADS-B aircraft performance data (including the transponder information) to ATC, etc. However, the use of such services has financial implications associated with it: the subscription and transmission/receipt of data from/to the aircraft, and the subscription to the OEM's maintenance software. It is feasible for the operational data of the aircraft to be compressed into very small packets (of data) that can be uplinked via the satellite communications, so the information is more compact and efficient. If all the data that is stored in the DFDRs and DCVRs was compressed and continuously uploaded via satellites to a cloud-based service, in time the regulators might allow for the final removal of 'black boxes', because the final moments of the aircraft will be available.
With mature micro-sized charge-coupled devices (CCD) forming optical capture devices (e.g. mobile phone front and rear cameras), it is now possible to embed numerous streamed CCD images to a cloud service. The flight deck and entrance from the cabin to the flight deck would be the prime locations, in addition to the external positioning that many aircraft already have (e.g. B777-300 with nose gear camera, wingtip views from top of vertical stabiliser). The inclusion of the external coverage of the aircraft would give a safer ground manoeuvring capability, reducing the possibility of unexpected aircraft/equipment/vehicles striking the aircraft. Likewise, for in-flight operations, the opportunity to view a turbine engine unexpectedly discharging fluids from one of the drain masts, or a partially extended main landing gear leg would allow for more precise performance-based decisions to be made. Such CCD devices are so small, inexpensive and light, the justification not to fit them on the grounds of saving weight or cost is not a valid argument.
The Justification and Driver to Introduce Ground Monitored Technologies
The world's aviation businesses are based upon the carriers (i.e. the airlines) being able to transport revenue, passengers and freight, with the principal objective for the airline business to be profitable. In the purest and most simplistic terms, if an airline fails to make sufficient profits, then bankruptcy is guaranteed. From a passenger's perspective, they identify the route they wish to fly from, the destination, the time/date of proposed travel and the class of travel (economy to first class). Choices for travel are based on the total travel time, the route and most importantly, the total price of the flight ticket(s). Most travellers are sensitive to price in the selection of the flight. In Europe and North America, all the airlines are very carefully regulated and monitored by the national aviation authorities: minimum maintenance standards are maintained, and the overall level of safety is incredibly high in terms of extremely low accident/incident rate. Statistics indicate that the passengers travelling from home to the airport are significantly more likely to be involved in an accident in the surface transportation phases versus the flying phase. The travelling public are savvy to the aviation accident rate, and their expectation is that the flight they will travel on will be routine and free from problems or risk, all underpinned by the extremely low fatal accident rate. This expectation is based on past personal experience.