mjoelnir
Posts: 9306
Joined: Sun Feb 03, 2013 11:06 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Thu Apr 02, 2015 1:36 pm

Quoting AirPacific747 (Reply 87):
Quoting mjoelnir (Reply 82):

No you should try reading my post before commenting on it. Don't act like you didn't know what I meant.

I know exactly where you are coming from.

That was your sentence:

Quoting AirPacific747 (Reply 71):
Well, the odds of having a malfunctioning lock, combined with an incapacitated crew member or crew member with bad intentions at the same time are very small.

To repeat: "combined with an incapacitated crew member"

So I would recommend that you read what you are writing yourself. I talked about malfunctioning doors and what would happen when that happens in an inappropriate moment.
 
JoeCanuck
Posts: 4704
Joined: Mon Dec 19, 2005 3:30 am

RE: Airline Travel In The Aftermath Of Flight 9525

Thu Apr 02, 2015 6:58 pm

Air travel can never be made 100% safe...ever. It can't. There are too many things/people/procedures/etc that can go wrong at any time and we can't prevent them all, all of the time.

What we end up with is a balance between possible and practical.

Aircraft could be made bombproof, but they would be so heavy as to have no practical value.

Passengers could all be strip searched, and for good measure, x-rayed, given diapers, and strapped into their seats for the duration of the flight...but I don't think many would fly under those circumstances, so that's not practical.

Some problems are unknowable, (or unthinkable), until they happen. 9525, 9/11, the Comet, the 737 rudder servo, The Connie/DC7 accident over the Grand Canyon, hijacking....and the list goes on.

One thing all deliberate crashes have in common is people. Even the most anti social and mentally disturbed person can be very, very clever, as well as dangerous. Look at prisons...they are designed specifically to prevent people inside from getting out...yet people still get out...and that is a system with only one purpose.

The airline industry is infinitely more complex, so how can it ever be possible to protect everything from everyone, all the time?

It isn't....because the problem, (people), isn't unique to the airline industry. These same problems exist everywhere on the planet, in every society, and will manifest in unimaginable ways.

The number of people who are a potential danger to aircraft, (or anything), is almost impossibly small. Yet, the entire industry, which safely and comfortably transports millions of people every day, is held hostage by a few, deranged people.

As with fixing the more understandable mechanically caused accidents, a lot of attempts to help people with mental health problems will be well intended, but ultimately fail, possibly tragically...but you have to start somewhere.

The cockpit doors solved one obvious problem but created an unconsidered problem. Now we have to try and fix the fix.

All of this depends on, is caused by and will be improved by people. Hopefully, 9525 will go some way into at least bringing mental health issues to light, so that enough people can eventually be helped to make a repeat of this event somewhat less likely.
What the...?
 
litz
Posts: 2359
Joined: Wed Dec 24, 2003 6:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Thu Apr 02, 2015 9:04 pm

Quoting tomlee (Reply 88):
Trains have automatic train protection now. Most upgraded systems would stop the train well before you hit the end of the line. They also have curve speed protections to prevent de-railing by suicide or micro-sleep. Can't really apply ATP directly to planes as they don't run on rails and can't just come to a dead stop while travelling.

In some areas ... I'm not knowledgeable about European regulations, but here in the US, the PTC (Positive Train Control) mandate has been pushed back many times, and the latest deadline is almost certain to pass without full implementation (whether or not it's pushed back again) ... the technology and implementation just aren't going to make the deadline.

And here in the US, the implementation can still be overridden by the engineer ... and only applies to trains and routes where passenger service occurs (and even then, only if it crosses with freight service).

The cost to make every railroad, on every line, in every state, install PTC is prohibitive. It was cheaper to land a man on the moon.

(setting aside the actual costs, many people don't realize, the vast majority of the rail in the US has no central signaling at all ... movements are under dispatcher permission, under the total control of the train crews -- essentially the railroad equivalent of VFR; and centralized signaling is an absolute prerequisite before you can even attempt a PTC rollout)
 
FlyingAY
Posts: 416
Joined: Thu Jun 21, 2007 2:26 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Thu Apr 02, 2015 9:33 pm

Quoting Pihero (Reply 91):
Flight 9525 is an altogether new - as :" it's never happened before"- event in its deliberation and apparent cool-bloodedness.

Except that the flight TM470 was crashed in an almost identical way by the captain when the co-pilot took a toilet break.

Quote:
The altitude was manually changed three times from 38,000 feet to 592 feet - below ground level - and the aircraft’s speed was also changed manually, according to the preliminary report.
http://www.telegraph.co.uk/news/worl...n-intentionally-crashed-plane.html

It has happened before and it will happen in the future. It would be naive to think otherwise. Flying is still safer than most other methods of transport.
 
hivue
Posts: 2050
Joined: Tue Feb 26, 2013 2:26 am

RE: Airline Travel In The Aftermath Of Flight 9525

Thu Apr 02, 2015 10:11 pm

Quoting Pihero (Reply 93):
- What would you see implemented ?

Maybe two persons on the flight deck at all times -- but that's pretty much the standard here in the US. A history of significant depression or certain other mental health issues should rule out being a commercial pilot as thoroughly as being red-green color blind does. No new tech solutions please.

Quoting Pihero (Reply 93):
- Has your vision of airline safety changed ?

No. From a statistical point of view airline safety hasn't changed and I tend to take the statistical view.

Quoting Pihero (Reply 93):
- Do you feel more at risk, now, or it hasn't changed your image of the airline industry ?

No. Some time ago I got too old to believe that pilots have an average psychological fitness different from and better than the rest of us.

I could walk out the door of my building today and someone jumping off the roof could land on me. I don't feel like my work involves any abnormal risk.
"You're sitting. In a chair. In the SKY!!" ~ Louis C.K.
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Thu Apr 02, 2015 10:15 pm

Quoting litz (Reply 102):
In some areas ... I'm not knowledgeable about European regulations, but here in the US, the PTC (Positive Train Control) mandate has been pushed back many times, and the latest deadline is almost certain to pass without full implementation (whether or not it's pushed back again) ... the technology and implementation just aren't going to make the deadline.

And here in the US, the implementation can still be overridden by the engineer ... and only applies to trains and routes where passenger service occurs (and even then, only if it crosses with freight service).

The cost to make every railroad, on every line, in every state, install PTC is prohibitive. It was cheaper to land a man on the moon.

The US/Canadian rail system being ages behind the rest of the world (Asia/Europe) is one big reason ATP/PTC isn't being used widely. Some metro train networks have automatic protections though, but yes, the country wide network is very poorly protected.

Implementing PTC on existing lines makes no sense as those old lines are not going to be able to carry high speed trains which would really need PTC and the cost is astronomical so you might as well only install it on newer lines if they are even ever built.
 
AirPacific747
Posts: 9701
Joined: Mon May 19, 2008 9:52 am

RE: Airline Travel In The Aftermath Of Flight 9525

Thu Apr 02, 2015 11:17 pm

Quoting mjoelnir (Reply 100):

Exactly. You quoted me correctly, but you still didn't provide a valid example of that situation that I described and that you quoted yourself.
 
TheRedBaron
Posts: 3276
Joined: Tue Mar 29, 2005 6:17 am

RE: Airline Travel In The Aftermath Of Flight 9525

Thu Apr 02, 2015 11:43 pm

Quoting mandala499 (Reply 77):
security measure that is designed to protect the people on the ground and not those onboard the aircraft.
Quoting mandala499 (Reply 96):
I feel that I am cursed with knowing too much whenever I step on board an aircraft..

Mandala, sometimes you write exactly what I am thinking!!!

Quoting JoeCanuck (Reply 101):
Air travel can never be made 100% safe...ever. It can't. There are too many things/people/procedures/etc that can go wrong at any time and we can't prevent them all, all of the time.

Amen to this!

If they removed the locks from the doors but told nobody, the public at large would never know. If the crew had the code but it was unknown to the public, same thing.

In the end if you get on a transport or something that requires a professional to operate and he goes bazoonkas, you are done.

I would rather trust 2 pilots than more than a hundred potential wackos on the main cabin.

In fact Pihero (BTW great post and theme) once put on the MH370 thread: how about a cockpit fire? What if indeed there was a fire, a lot of smoke, they flew the T7 and eventually left the cockpit only to be locked out?

Boggles the mind....

TRB
The best seat in a Plane is the Jumpseat.
 
TheRedBaron
Posts: 3276
Joined: Tue Mar 29, 2005 6:17 am

RE: Airline Travel In The Aftermath Of Flight 9525

Fri Apr 03, 2015 2:29 am

Speaking of wackos:

Quote:
LONDON - An easyJet plane made an emergency landing in Rome after a passenger became disruptive and assaulted a cabin member during a flight from Geneva, the airline said on Wednesday.

Newspaper reports said a man punched a stewardess after becoming angry over having to wait for a sandwich.

"EasyJet can confirm that flight EZS1483 from Geneva to Pristina on 31 March diverted to Rome as a result of a passenger onboard behaving in a disruptive manner," the airline said.

"The aircraft was met by the police on arrival in Rome and the passenger was arrested," it added. "The safety and wellbeing of passengers and crew is always easyJet's priority."

The 180 passengers were taken on to Pristina, the capital of Kosovo, on a separate flight later in the afternoon.

crazy people...

TRB
The best seat in a Plane is the Jumpseat.
 
hivue
Posts: 2050
Joined: Tue Feb 26, 2013 2:26 am

RE: Airline Travel In The Aftermath Of Flight 9525

Fri Apr 03, 2015 3:28 am

Quoting hivue (Reply 104):
I could walk out the door of my building today and someone jumping off the roof could land on me. I don't feel like my work involves any abnormal risk.

Well, nobody fell on me when I walked out of the building, but just after I made that last post the building was pretty well shaken by a 3.3M earthquake just up the road a ways. Life has its risks...
"You're sitting. In a chair. In the SKY!!" ~ Louis C.K.
 
AYVN
Posts: 61
Joined: Sun Jun 12, 2011 4:47 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Fri Apr 03, 2015 8:03 pm

Quoting Pihero (Reply 93):
- What would you see implemented ?

Well I see that 2 crew members in cockpit will become industry standard.

But what I personally would like to see is 2 pair of new buttons in the cockpit.
One set on both sides to lock the door, needing to be pressed at same time to lock the door. And I would like to see a panic button on both sides too. If button is pressed either side it would prevent cockpit door to lock for some period of time and give an alarm to cabin crew at the same time.

Quoting Pihero (Reply 93):
- Has your vision of airline safety changed ?

- Do you feel more at risk, now, or it hasn't changed your image of the airline industry ?

This event has had much greater impact on my vision of airline safety than any other event, including 9/11. And the reason is that previous safety risks were something I could in my mind prepare and avoid. I could avoid airline companies with known safety issues. I could avoid Airlines that would in my mind be greater risk to be targeted by terrorists. I could avoid routes where I would feel that first time travellers and their potentially dangerous cargo would cause increased risk.
Until now I have had in my opinion a system where I can reduce risk, but this is a new kind of safety issue and at least I can't find any solution how to reduce risk of being flown by suicidal nutjob.
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Fri Apr 03, 2015 9:46 pm

Quoting TheRedBaron (Reply 107):
If they removed the locks from the doors but told nobody, the public at large would never know. If the crew had the code but it was unknown to the public,same thing.

Security through obscurity is a very bad security method (people would figure out very quickly and the secret wouldn't be secret for even a moment). Fixed pin codes fix nothing because not only the crew know but others can figure out the fixed codes which never change and are probably shared amongst many planes for far too long (Which is why the lockout exists in the first place). Give the crew key cards essentially you can constantly change the codes per flight and require many crew to agree to use it.

Giving up because one bad actor exists doesn't really seem to make any sense given that stronger flight control laws would make the plane harder to crash quickly and even if you did eventually crash there may be enough time to fight back.

If you're on a modern high speed train and the driver who is a professional goes nuts and tries to derail the train by over speeding a curve or ignoring a stop signal the train would stop automatically. Obviously the protection can fail but it does stop many disasters from occurring intentional or not. For planes it is more complex to provide extensive protections to the flight envelope but you could at minimum make it hard to hit the ground at full speed with forward looking terrain avoidance systems. Right now if a person goes nuts or has a terrorist plan to carry out not only are you done you get to sit and watch for minutes to hours as they carry out their plan. Unlocking the door without any secure method would just mean terrorists would try to hijack the plane and cause another 9/11 type situation and is a very knee jerk reaction.

Quoting AYVN (Reply 110):
Well I see that 2 crew members in cockpit will become industry standard.

But what I personally would like to see is 2 pair of new buttons in the cockpit.
One set on both sides to lock the door, needing to be pressed at same time to lock the door. And I would like to see a panic button on both sides too. If button is pressed either side it would prevent cockpit door to lock for some period of time and give an alarm to cabin crew at the same time.

3 persons is the only person rule that would actually work properly.

That is a lot of buttons (4 in the cockpit one for each pilot (panic, lock)) What happens if they press the wrong button by accident as they all operate on time-outs with one locking out the lock. If you have a panic button in the cabin that prevents the cockpit door from locking then you're making it super easy to break in even if you give them a warning.

All that needs to be done is instead of having timeouts, pin codes, lockouts, and buttons everywhere you just have a properly designed key pool to open the door. All you have to change is the pin pad that is it no rewiring, no cable runs, no modifications to the cabin/cockpit. It is by far simpler even if it sounds complex as it really is just a key that opens a door.

Right now we have at least two static pin codes, arbitrary timers, overrides, lockouts, and so on and so forth (adding more buttons, more lockout modes, panic modes, and so on just heaps garbage on top of garbage).

All of that could be done with just a few key cards where all that complex logic is just in who inserts the key which is easy to remember and train people for.

Insert zero/one key to request access and many to override a lock signal, insert lock keys and the door locks. Simple all the technical details not required for use.
 
hivue
Posts: 2050
Joined: Tue Feb 26, 2013 2:26 am

RE: Airline Travel In The Aftermath Of Flight 9525

Fri Apr 03, 2015 10:08 pm

Quoting hivue (Reply 104):
Quoting Pihero (Reply 93):
- Do you feel more at risk, now, or it hasn't changed your image of the airline industry ?

No. Some time ago I got too old to believe that pilots have an average psychological fitness different from and better than the rest of us.

In light of evidence that the FO planned this for a period of time beforehand I will modify my answer to "yes, to a certain extent."

It's looking like this event may have been in the same category with theater/school mass shootings, just more lethal and "efficient."
"You're sitting. In a chair. In the SKY!!" ~ Louis C.K.
 
JoeCanuck
Posts: 4704
Joined: Mon Dec 19, 2005 3:30 am

RE: Airline Travel In The Aftermath Of Flight 9525

Fri Apr 03, 2015 10:48 pm

There always was, and always will be a possibility that a pilot will try to deliberately crash a plane. People like to bandy about the phrase, 'fail safe', thinking that the definition is that it can't fail.

What it actually means, (in my interpretation), is that the possibility that a specific failure mode can happen has become so low as to be considered improbable, or impossible for all intents and purposes...which isn't the same as, 'can't happen'.

One side effect is that the closing of one avenue of probability may have opened up another. The door is one such feature. Virtually nobody considered the possibility of a bunch of box cutter wielding psychos pulling off 9/11, nobody considered that the celebrated fix, would allow virtually the same thing to happen, just in a different way.

In both incidents, the aircraft was taken over to tragic results.

So one thing to consider while trying to fix problems is; in attempting to create solutions, are we also creating different and potentially worse problems?
What the...?
 
hivue
Posts: 2050
Joined: Tue Feb 26, 2013 2:26 am

RE: Airline Travel In The Aftermath Of Flight 9525

Fri Apr 03, 2015 11:49 pm

Quoting JoeCanuck (Reply 113):
People like to bandy about the phrase, 'fail safe', thinking that the definition is that it can't fail.

What it actually means, (in my interpretation), is that the possibility that a specific failure mode can happen has become so low as to be considered improbable

What "fail safe" means is exactly what it says: when the system fails it fails to its "safe" condition. I had a car once where, if the spring in the spring-loaded switch that turns on the flashing hazard lights was to break, the switch would be in its "on" condition with the lights flashing. The manufacturer considered "flashing" to be safer than "not flashing."

[Edited 2015-04-03 16:53:08]
"You're sitting. In a chair. In the SKY!!" ~ Louis C.K.
 
JoeCanuck
Posts: 4704
Joined: Mon Dec 19, 2005 3:30 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sat Apr 04, 2015 12:39 am

Quoting hivue (Reply 114):

Still, that never eliminated the possibility of a different failure route; wiring, fuses, bulbs, battery. What it did was eliminate one failure path, making the system slightly less likely to fail as a whole, but still have it possible to fail.
What the...?
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sat Apr 04, 2015 10:28 pm

Quoting JoeCanuck (Reply 113):
There always was, and always will be a possibility that a pilot will try to deliberately crash a plane.

This statement is true but you could very well design a plane so that even when a pilot tries to deliberately crash the plane FBW system delays/prevents that from happening so that others can subdue them. If damage control was automatic and ground collision avoidance was full authority in all phases (Right now it does work in all phases of flight even landing/takeoff it just can't correct any actions it just provides warnings) of flight then it would be very difficult to crash the plane intentionally.

Quoting JoeCanuck (Reply 113):
What it actually means, (in my interpretation), is that the possibility that a specific failure mode can happen has become so low as to be considered improbable, or impossible for all intents and purposes...which isn't the same as, 'can't happen'.

This is the wrong definition/interpretation of fail safe. If something is fail safe then that specific thing if it fails (it doesn't imply anything about improbable or not) will enter a safe condition. It doesn't mean the system won't stop functioning or some other failure could still occur. It literally just means a failure in this part/system will not result in an unsafe condition. That is it. The failure could be very common just when it happens the system won't be unsafe.

The definition,
( causing a piece of machinery or other mechanism to revert to a safe condition in the event of a breakdown or malfunction )

Important bit,
( Significantly, a system's being "fail-safe" means not that failure is impossible/improbable, but rather that the system's design prevents or mitigates unsafe consequences of the system's failure. )
 
Mir
Posts: 19491
Joined: Mon Jan 05, 2004 3:55 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 1:26 am

Quoting tomlee (Reply 116):
This statement is true but you could very well design a plane so that even when a pilot tries to deliberately crash the plane FBW system delays/prevents that from happening so that others can subdue them. If damage control was automatic and ground collision avoidance was full authority in all phases (Right now it does work in all phases of flight even landing/takeoff it just can't correct any actions it just provides warnings) of flight then it would be very difficult to crash the plane intentionally.

I wouldn't feel comfortable flying on an airplane that had a protection system that couldn't be disabled by the crew. If a ground collision avoidance system malfunctioned and thought it was about to fly into a mountain while at cruise altitude, and initiated an escape maneuver, a stall could result which the pilots would be powerless to do anything about, and that could result in an accident that would kill people needlessly. Thus, every protection system needs to be able to be disabled by the crew to either prevent nuisance alarms or to prevent inadvertent activation of the system when the situation doesn't call for it. And if the protections can be disabled, then they're not going to stop a determined crewmember from doing what they want to do. The only way we're going to stop that is to get humans out of the picture entirely and have completely automated aircraft (not even ground controllers, as they too could crash the plane if they wanted to). And we're a very, very long way away from that happening.

-Mir
7 billion, one nation, imagination...it's a beautiful day
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 4:45 am

Quoting Mir (Reply 117):
I wouldn't feel comfortable flying on an airplane that had a protection system that couldn't be disabled by the crew. If a ground collision avoidance system malfunctioned and thought it was about to fly into a mountain while at cruise altitude, and initiated an escape maneuver, a stall could result which the pilots would be powerless to do anything about, and that could result in an accident that would kill people needlessly.

Why? It already has protections the crew can never disable. Flight data recorders are becoming one (isolated battery backup, could catch fire but just put it in a stainless steel box, Boeing I'm looking at you), FADECs are isolated so you can't really alter their parameters and if the control wiring to the cockpit was cut off the FADEC would still operate on its own, it can even restart the engine autonomously.

Total FADEC failure means total engine failure, there is no manual reversion, no human backup. Engine restart is governed by the FADEC and it can be self powered. (Engines are very important to your flight and you're trusting a FADEC doesn't screw up and its self protection functions are error free because if they screw up the engine will quit or behave very badly, and since it probably is the same controller in theory a common bug could knock out all your engines and you can't do anything about it if they just shut down automatically, you can't force a FADEC to enter engine start if it doesn't want to due to a large malfunction)

Let's be clear here: engineers and programmers working with safety critical systems understand the gravity of having a common set of software running absolutely critical systems with dire consequences if they fail. There are many legal, ethical, professional implications for being highly negligent in your work. For professional engineers a signature carries big legal implications when signing off on documents, calculations, designs, production drawings, ...

http://www.computerweekly.com/blogs/...eds-software-report-that-went.html

Also FADECs can fail and probably do have bugs (fatally too, above link), but you trust the programmers/engineers every day even today.

Quoting Mir (Reply 117):

Thus, every protection system needs to be able to be disabled by the crew to either prevent nuisance alarms or to prevent inadvertent activation of the system when the situation doesn't call for it. And if the protections can be disabled, then they're not going to stop a determined crewmember from doing what they want to do. The only way we're going to stop that is to get humans out of the picture entirely and have completely automated aircraft (not even ground controllers, as they too could crash the plane if they wanted to). And we're a very, very long way away from that happening

Automatic protection systems already exist which take priority over the human controller. To disable them it takes time and effort so even if there was a way to disable it the amount of time required would allow for other humans to intervene to prevent someone from bypassing the protection.

It is a false problem to say you either have no humans or give humans total control. Having human controllers with full authority assists to provide protections for critical safety aspects makes sense and would gracefully degrade if malfunctions occur to remain safe handing control fully to the human only when there is a need to (say an invalid command to avoid the ground when there is no ground at all and there is no fail active path for safe control)

Do we allow humans to turn off the ability to brake (cut brake lines button)? No. Do we allow elevator riders to disable an elevator's over speed protection with just a key, switch? No. Do we allow crane operators to drop the counterweights with the push of a button? No. (Sure there may be very very odd situations where you would have wanted to do that but it makes no sense for certain protections and systems to be easily overridden)

Automatic ground collision avoidance should only be disabled automatically or through many minutes of guided technical work and ground intervention (say generating a false depression from ground augmentation to effectively turn off the automatic protection while the airspace is cleared for you to land alone, to maliciously abuse this you would need both the ground and the flight side to be in cooperation which is like a many persons are all evil just to crash the plane into a runway scenario which seems a bit far fetched) as the resultant failure scenario is that the plane won't let the plane land and always wants to go around, planes already have requirements on how much extra fuel they need to carry which give people time to fix the problem slowly.

In the sky having the ground collision avoidance fail and try and avoid non-existent terrain would require multiple non-detected failures of GNSS, the INS, the radar/pressure alt, and so on and so forth to the point where it becomes a bit far fetched to say it cannot be detected that there is a fault or disagreement between sensors when you have a mountain of redundant data to look at. Not only that it would still have to obey automatic FBW protections so it wouldn't stall the plane and if it does screw up the worst that would happen is at cruising the plane eventually gets to a maximum safe altitude where they have time to slowly bypass the failure.

Even cars have "FADECs" or ECUs that you have no manual reversion if they fail, the ABS brakes can't be turned off on most models, you can't turn off the driver seat airbags without getting NHTSA authorization and having a repair shop retrofit it in. Most cars don't even let you touch the fuse box unless you stop the car and pop the hood.

Cars with emergency automatic braking will automatically activate brakes if a collision is certain and it can serve to significantly decrease collision energy and increase survival of occupants. If you wanted planes could operate with the same system allowing for the plane to "crash" but only if it is at a very shallow angle and low speed (To make sure planes can land even if the system is going nuts). So any nosedive into the ground situation is prohibited/prevented (How many planes need to land with a nosedive again?).

http://youtu.be/ridS396W2BY?t=46s
http://youtu.be/LBT3tB_AQQA

I'd rather have trucks/cars/planes have these automatic protections default on than not and to bury the disablement behind many countless menus and warnings to go off so that in the rare case you want to run someone over or crash into the ground you can turn it off with great effort and a lot of time. Better still if it requires the ground to turn off the system's ground dependent system that are solely under their control so it would take many separate people to degrade the protection which would only occur when it needs to.

Sure it could screw up and it could break or someone could eventually bypass it but it would work far better than anything else and improve safety in general. Once the technology matures in cars/trucks it won't have an off switch or any choice and it will become law instead of a neat feature (ABS for a time had a switch now it requires you to pull a relay and fuse which you really shouldn't do while the car is running let alone moving). (backup cameras are becoming by law standard in models starting with 2018 for example) (Planes have had EGPWS for ages now just no one has developed it further with people disabling the system causing crashes)

If you look into airbag systems they are very complex and the controller is fully automatic and even has a crash log (the control box is usually under your seat so it senses the accelerations directly). Turning it off isn't something remotely possible to do while you're driving, let alone even if you wanted to you need a very strong reason to have authorization to modify your car to support disabling this fully automatic system, https://www.tc.gc.ca/eng/motorvehiclesafety/tp-tp13178-page4_e-184.htm , let's just say since it requires paperwork+mail it isn't remotely considered fast.

So no you don't need to have an off switch for every safety system.

[Edited 2015-04-04 21:49:12]
 
Mir
Posts: 19491
Joined: Mon Jan 05, 2004 3:55 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 5:09 am

Quoting tomlee (Reply 118):
Why it already has protections the crew can never disable. Flight data recorders are becoming one

That's not a protection, that's a recorder.


Quoting tomlee (Reply 118):
FADECs

They're also not a protection, they're a control system.

Quoting tomlee (Reply 118):
Automatic ground collision avoidance should only be disabled automatically or through many minutes of guided technical work and ground intervention

In the scenario I described, you don't have minutes. You need to be able to lift a guard, push a button to disable the protection, and then take control of the aircraft again.

Quoting tomlee (Reply 118):
In the sky having the ground collision avoidance fail and try and avoid non-existent terrain would require multiple non-detected failures of GNSS, the INS, the radar/pressure alt, and so on and so forth

Or a simple software bug. They happen.

Quoting tomlee (Reply 118):
It is a false problem to say you either have no humans or give humans total control.

That is, of course, not what I said. What I said was that as long as you have humans in the system, humans will be able to crash an aircraft if they want to. That's just unavoidable.

Quoting tomlee (Reply 118):
If you look into airbag systems

Again, a safety system to reduce the likelihood of injury in a crash, not a means to protect from having a crash.

-Mir
7 billion, one nation, imagination...it's a beautiful day
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 5:17 am

Quoting Mir (Reply 119):
That's not a protection, that's a recorder.

It certainly is a protection for the entire industry and flying community, hence the battery backup regardless of pilot input. No recorder, no crash data, no improvements, decrease in overall safety/confidence/...

Quoting Mir (Reply 119):
They're also not a protection, they're a control system.

You're saying the FADEC doesn't have protections built in? (Because it does)

One of its main functions over a human engineer controlling the engines manually is,
Automatic engine protection against out-of-tolerance operations

Quoting Mir (Reply 119):
In the scenario I described, you don't have minutes. You need to be able to lift a guard, push a button to disable the protection, and then take control of the aircraft again.

Why I already said in landing the plane can go around and at cruising nothing happens. You don't want people to disable it quickly because that makes zero sense.

Quoting Mir (Reply 119):
Or a simple software bug. They happen.

Yes they can and if it is in something like a FADEC you'll die (The referenced story was a failure in software engineering and the FADEC had a litany of simple bugs). You still fly in planes trusting that code which runs the engines and all its parameter protections.

Quoting Mir (Reply 119):
That is, of course, not what I said. What I said was that as long as you have humans in the system, humans will be able to crash an aircraft if they want to. That's just unavoidable.

A ground collision avoidance would prevent that from occurring so it isn't unavoidable because the plane can avoid the ground. They may be able to crash it with enough time and effort but they would not be able to crash immediately which gives the rest of the crew even more time to fight back because most people want to live.

Quoting Mir (Reply 119):

Again, a safety system to reduce the likelihood of injury in a crash, not a means to protect from having a crash.

A ground collision avoidance system is a safety system to greatly reduce the likelihood of death and injury in a crash. It can be designed to allow for a crash to occur but control it in a manner which you can't crash it in an unrecoverable nosedive as people love to say pilots can just do. (Shallow angle, low speed) Same as an airbag (decrease impact is the objective) It basically operates the same as an air bag just instead of cushioning you with an explosive actuator it uses a map. (An airbag is far more physically dangerous to you than avoiding the ground which will still result in the plane flying vs. an airbag which can impale you with metal fragments a la Takata Airbag Recall)

This would allow pilots to land a plane even if the system is going nuts even without disabling it. But it would stop pilots from crashing in a manner which there is 0% chance of survival.

[Edited 2015-04-04 22:31:29]
 
JoeCanuck
Posts: 4704
Joined: Mon Dec 19, 2005 3:30 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 7:03 am

I seriously think that FBW flight envelope protection doesn't go far enough. The one thing I remember being touted in its early days, was that it would prevent an aircraft from stalling. We know now, (some already knew), that while there is some stall protection, it isn't absolute and can be overridden by pilots.

That just seems odd to me. We have gone so far to completely trust the machine, that we no longer have direct mechanical backups to the flight controls and engines. We have input sensors, which send signals to flight computers, which weigh variables, decide what they are allowed to do in relation to the inputs and their flight parameters, then send signals to servos which control the hydraulics that control the flight surfaces.

There is no cable from the cockpit to the flight control surfaces. For the most part, in normal mode, and within what has been decided as normal flight envelope, (G load, bank angle, rate of turn, rate of climb, etc), the plane flies as if it did have that cable from the controls to the flight surfaces.

If the control inputs would take the aircraft out of its normal flight envelope, then the aircraft would adjust the control surfaces so the aircraft would stay within the envelope.

At some point, normal mode can be overridden, and the system goes into direct mode, where there is a 1:1 ratio between inputs and flight surface movement...and flight envelope protection is disabled, and the aircraft can be accidentally or purposefully flown into the ground.

This just doesn't make sense to me. FBW systems can help give the passengers a nice, smooth ride...but won't unstall an aircraft or otherwise keep it from crashing...provided its sensors are still working. To me, that would be ultimate flight protection.

Perhaps after it pulls out of the dive, it can't land the aircraft, but at least it could go into a hold or some such thing and give people some time to trouble shoot.

Actually, the plane could be programmed to land. If conditions were such that the aircraft was put in dire peril, it could be programmed to climb and hold, or climb and fly to somewhere and even land if it came to that. It could automatically squawk 7700 or a specific auto everything squawk which would indicate to ATC that the plane was self auto control and it could land at a cat3 airport.

Even if it just flew around for a while, below 15000, it would give everyone a bit more time.

I have no idea about the details that would go into automated commands that could be trusted to that degree, but these planes already have the ability to takeoff, fly and land without human input beyond programming in route information.
It might be worth thinking about to use capabilities they already have, to prevent some accidents.

Off the top of my head; AF447, Asiana HL7742, and 9525 possibly could have been prevented if the aircraft was allowed to fly itself in an emergency.
What the...?
 
mandala499
Posts: 6592
Joined: Wed Aug 29, 2001 8:47 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 7:39 am

Quoting tomlee (Reply 118):
FADECs are isolated so you can't really alter their parameters and if the control wiring to the cockpit was cut off the FADEC would still operate on its own it can even restart the engine autonomously.

If the wires to the cockpit are cut off, as in, isolated (instead of getting commands from a box outside the cockpit), how does the engine know whether it should be on or off? How does the engine know what thrust setting it needs? It cannot. FADEC allows autonomous restart if it knows the engine is off, the aircraft is inflight, and if the cockpit wants it on/off, and the cockpit wants some thrust from it. There's a human in the link somewhere in the process. You cannot switch the FADEC on/off, but you can command the engine to be switched on or off through the FADEC.

So what airplane qualifies under totally autonomous FADEC that can restart autonomously if it has been isolated from the cockpit? I'd avoid flying it.

Quoting tomlee (Reply 118):
Total FADEC failure means total engine failure there is no manual revision, no human backup.

So what does that mean? You cannot control the engine if there's a FADEC failure?
I had a FADEC failure on a flight once, guess what we did? manual reversion... manual control of the engines. They just lose the protection... And yeah, you can switch FADEC to Alternate and the engine is no longer protected. They have this so that you can continue flying even when the FADEC goes faulty... by ignoring the FADEC's authority... the QRH says nicely that protection is no longer available.

Quoting tomlee (Reply 118):
(Engines are very important to your flight and you're trusting a FADEC doesn't screw up and its self protection functions are error free because if they screw up the engine will quit or behave very badly, and since it probably is the same controller in theory a common bug could knock out all your engines and you can't do anything about it if they just shut down automatically you can't force a FADEC enter engine start if it doesn't want to due to a large malfunction)

I guess you haven't flown a single engine FADEC then
You do not want the engines to quit because of the FADEC. If the FADEC screws up, it will admit it, if it cannot control the engine and gives up, it will admit it too. The same principle applies to multi-engine FADEC. The most it will do is to override the engine into idle... it is up to the pilot to shut it down. That's the principle on the 777, 320, and Bell Helicopters.

Quoting tomlee (Reply 118):
Automatic protection systems already exist which take priority over the human controller. To disable them it takes time and effort so even if there was a way to disable it the amount of time required would allow for other humans to intervene to prevent someone from bypassing the protection.

OK, on FADEC... switch it to ALTN on the 777, the protection disappears. That simple... button push. On the 320 with IAE engines, press N1 Mode on the overhead and FADEC protection disappears.
Override the protection on the 777? just press PFC DISC and the aircraft goes to Direct law with no protections. No huge effort required. On the 320, switch off the FACs, just 2 buttons, and envelope protection disappears or degrades to just G load protection. On the 330/340, switch 2 ADRs off (just 2 buttons) and you'll get the same result.

All the above are easy steps that don't take much time if you want to.

Quoting tomlee (Reply 118):
Automatic ground collision avoidance should only be disabled automatically or through many minutes of guided technical work and ground intervention (say generating a false depression from ground augmentation to effectively turn off the automatic protection while the airspace is cleared for you to land alone, to maliciously abuse this you would need both the ground and the flight side to be in cooperation which is like a many persons are all evil just to crash the plane into a runway scenario which seems a bit far fetched) as the resultant failure scenario is that the plane won't let the plane land and always wants to go around, planes already have requirements on how much extra fuel they need to carry which give people time to fix the problem slowly.

So, an inadvertent activation due to a fault, makes it difficult to disable it? You're forcing pilots into disorientation there. And then if the autopilot goes funny, you can't switch it off? Come on, you're asking for automated lawn darts there!

And what happens when you have these "automatic takeovers", would you still allow radio communications? The evil pilot can still say he's being hijacked by terrorists and asks to be shot down... and he'd still achieve his suicidal goal anyways. What happens when you have a transponder failure? Or just switch the damn transponder off... that'll create a mess on the ground if you're on this "protection".

Quoting tomlee (Reply 118):
In the sky having the ground collision avoidance fail and try and avoid non-existent terrain would require multiple non-detected failures of GNSS, the INS, the radar/pressure alt, and so on and so forth to the point where it becomes a bit far fetched to say it cannot be detected that there is a fault or disagreement between sensors when you have a mountain of redundant data to look at. Not only that it would still have to obey automatic FBW protections so it wouldn't stall the plane and if it does screw up the worst that would happen is at cruising the plane eventually gets to a maximum safe altitude where they have time to slowly bypass the failure.

So, automated takeover gets the airplane straight into icing conditions, and the pitot tubes get blocked, and the FBW gives up as it doesn't have anything to go with (which in Airbus, Autopilot goes off anyways), then what? Oh yeah, you've lost the protections too then.

Now, how would the plane "eventually get to a maximum safe altitude where they have time to slowly bypass the failure"? No need to wait. Switch off the damn autopilot and fly the damn plane!

Quoting tomlee (Reply 118):
the ABS brakes can't be turned off on most models

You can switch off anti-skid on airplanes  
Quoting tomlee (Reply 118):
If you wanted planes could operate with the same system allowing for the plane to "crash" but only if it is at a very shallow angle and low speed (To make sure planes can land even if the system is going nuts). So any nosedive into the ground situation is prohibited/prevented (How many planes need to land with a nosedive again?).

This violates the principle of "saving the airplane at all costs" for the sane pilots. This is turning airplanes into potential mass coffins.

Quoting tomlee (Reply 118):
(Planes have had EGPWS for ages now just no one has developed it further with people disabling the system causing crashes)

The ability to disable it is there for a reason, and a very real reason.

Quoting tomlee (Reply 120):
Why I already said in landing the plane can go around and at cruising nothing happens. You don't want people to disable it quickly because that makes zero sense.

Did you read about the frozen AOA on an A321 that resulted in a directive on procedure to disable the protections by switching 2 ADRs off immediately if your Airbus decides to nosedive for no reason all of a sudden? Feel free to tell UKCAA that such a directive makes zero sense because "you don't want people to disable it quickly".

Quoting Mir (Reply 119):
Again, a safety system to reduce the likelihood of injury in a crash, not a means to protect from having a crash.

I think there is a deficiency or misunderstanding in Tomlee's understanding the principles of safety under a safety management system, which is humanizing the human. I am disturbed that he's advocating the opposite.  
There will have to be a lot of changes before such thinking can prevail or be mandated in aviation.

Quoting tomlee (Reply 120):
Yes they can and if it is in something like a FADEC you'll die

No. FADEC isn't all that powerful that it can turn your plane into a flying coffin. On the 320 with IAE, just press N1 Mode... otherwise, just idle the damn engine and figure what's going on. On the 777, go to ALTN FADEC so it goes to dumb mode "throttle position = fuel flow" like the old days. On the Bell 407, manual reversion (override the FADEC), if all else fails, switch the engine off and autorotate down.

Quoting tomlee (Reply 120):
A ground collision avoidance system is a safety system to greatly reduce the likelihood of death and injury in a crash. It can be designed to allow for a crash to occur but control it in a manner which you can't crash it in an unrecoverable nosedive as people love to say pilots can just do.

Birds don't have transponders or TCAS... get a flock of them flying into an airplane under "automatic takeover", would love to see what happens.
Anyway, all those measures you've mentioned, sure they're nice... But how about the Autopilot Disconnect button, and the Fuel Cut Off Switch?
As long as they exist, you will still have pilots who can, when suicidal, put the airplane into a non-survivable crash. And no, if you think the A/P disconnect button, the FBW protection "button", or Fuel Cut Off Switch, are to be eliminated to support this system, it'll never be certified.
When losing situational awareness, pray Cumulus Granitus isn't nearby !
 
mandala499
Posts: 6592
Joined: Wed Aug 29, 2001 8:47 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 7:51 am

Quoting JoeCanuck (Reply 121):
Off the top of my head; AF447, Asiana HL7742, and 9525 possibly could have been prevented if the aircraft was allowed to fly itself in an emergency.

AF447 lost the ability for the FBW to protect the aircraft and inadequate sensor input for the autopilot to be able to function to save the day. This "system" won't help.
9525, he can still shut down the engines and APU so the aircraft gets essential electricals only from the RAT, hence no autopilot, can still glide the plane into a mountain at some speed. Oh, protections? Fine, I'll kill the 2 FACs or 2 ADRs... done. This "system" is defeated.
For Asiana... well, the system ain't gonna help. I fail to see how it will help, perhaps someone can explain to me for this scenario...
When losing situational awareness, pray Cumulus Granitus isn't nearby !
 
JoeCanuck
Posts: 4704
Joined: Mon Dec 19, 2005 3:30 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 9:17 am

Quoting mandala499 (Reply 123):

That's my answer then. The plane cannot be made to protect itself against a rogue pilot.
What the...?
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 2:47 pm

Quoting mandala499 (Reply 122):
If the wires to the cockpit are cut off, as in, isolated (instead of getting commands from a box outside the cockpit), how does the engine know whether it should be on or off? How does the engine know what thrust setting it needs? It cannot. FADEC allows autonomous restart if it knows the engine is off, the aircraft is inflight, and if the cockpit wants it on/off, and the cockpit wants some thrust from it. There's a human in the link somewhere in the process. You cannot switch the FADEC on/off, but you can command the engine to be switched on or off through the FADEC.

So what airplane qualifies under totally autonomous FADEC that can restart autonomously if it has been isolated from the cockpit? I'd avoid flying it.

The FADEC software decides what to do if it is cut off whatever cabling to the cockpit and it will try to maintain some safe middle ground state. The FADEC is inside the engine itself it is integral to the engine both physically/electronically and control wise. The engine knows being on is normally a good thing as you need the bleed air, hydraulic pressure, and electricity if anything just to keep the plane going even if you can't command the engine's throttle.

The FADEC is totally autonomous and self contained within the engine itself you can cut off the fuel if you don't want to have the engine running but it will automatically try to restart if the conditions are right (engine windmilling will provide the FADEC enough power without any external electrical input or battery) and yes without a link to the cockpit there is no way to provide a throttle command it would decide that on its own. Not very useful for speed control but at least you get all the secondary resources from the engine running you would like to have.

Quoting mandala499 (Reply 122):
So what does that mean? You cannot control the engine if there's a FADEC failure?
I had a FADEC failure on a flight once, guess what we did? manual reversion... manual control of the engines. They just lose the protection... And yeah, you can switch FADEC to Alternate and the engine is no longer protected. They have this so that you can continue flying even when the FADEC goes faulty... by ignoring the FADEC's authority... the QRH says nicely that protection is no longer available.

It is not a FADEC unless it has Full Authority Digital Engine Control. The Full Authority means no manual override no manual revision, you trust the software and that is it.

What you're talking about is the older EEC technology which is not being widely used right now. Alternate mode still relies on the FADEC to be operational and total FADEC failure means engine out, period, alternate mode won't work if there is a total FADEC failure as it has total full authority control of the engine.

Quoting mandala499 (Reply 122):
OK, on FADEC... switch it to ALTN on the 777, the protection disappears. That simple... button push. On the 320 with IAE engines, press N1 Mode on the overhead and FADEC protection disappears.
Override the protection on the 777? just press PFC DISC and the aircraft goes to Direct law with no protections. No huge effort required. On the 320, switch off the FACs, just 2 buttons, and envelope protection disappears or degrades to just G load protection. On the 330/340, switch 2 ADRs off (just 2 buttons) and you'll get the same result.

All the above are easy steps that don't take much time if you want to.

Still using the FADEC you can't bypass it you're just telling it to ignore one protection. You cannot turn off the FADEC without just not having engines. FADEC isn't flight laws it is the engine control unit it has no manual control like old engine designs.

Quoting mandala499 (Reply 122):
You can switch off anti-skid on airplanes

You still can't turn off the FADEC if you want engines.

Quoting mandala499 (Reply 122):
This violates the principle of "saving the airplane at all costs" for the sane pilots. This is turning airplanes into potential mass coffins.

Why you can still do your I want to crash you just can't unrecoverable nosedive into the ground crash. This would be the opposite of saving the airplane.

Quoting mandala499 (Reply 122):
The ability to disable it is there for a reason, and a very real reason.

You can't disable the FADEC for a very real reason.

Quoting mandala499 (Reply 122):
Did you read about the frozen AOA on an A321 that resulted in a directive on procedure to disable the protections by switching 2 ADRs off immediately if your Airbus decides to nosedive for no reason all of a sudden? Feel free to tell UKCAA that such a directive makes zero sense because "you don't want people to disable it quickly".

You have the off switch right now don't you it doesn't mean there won't be a point where it gets taken away when the technology matures. Heck in the future the buttons might not even do what you ask them to as they will be indirect button by wire technology where the buttons all compute your intent.

Quoting mandala499 (Reply 122):
I think there is a deficiency or misunderstanding in Tomlee's understanding the principles of safety under a safety management system, which is humanizing the human. I am disturbed that he's advocating the opposite.  
There will have to be a lot of changes before such thinking can prevail or be mandated in aviation.

This is an attack on the character of a person so you can stop now.

Humanizing the human has nothing to do with automatic protections it serves the humans as a tool just as planes are a massive collection of technology.

Quoting mandala499 (Reply 122):
No. FADEC isn't all that powerful that it can turn your plane into a flying coffin. On the 320 with IAE, just press N1 Mode... otherwise, just idle the damn engine and figure what's going on. On the 777, go to ALTN FADEC so it goes to dumb mode "throttle position = fuel flow" like the old days. On the Bell 407, manual reversion (override the FADEC), if all else fails, switch the engine off and autorotate down.

You're ignoring the bit where if there is a bug in the FADEC you lose the engine. The alternate mode still relies on the FADEC to operate so you're still trusting the software even in a degraded state.

Quoting mandala499 (Reply 122):
Birds don't have transponders or TCAS... get a flock of them flying into an airplane under "automatic takeover", would love to see what happens.
Anyway, all those measures you've mentioned, sure they're nice... But how about the Autopilot Disconnect button, and the Fuel Cut Off Switch?
As long as they exist, you will still have pilots who can, when suicidal, put the airplane into a non-survivable crash. And no, if you think the A/P disconnect button, the FBW protection "button", or Fuel Cut Off Switch, are to be eliminated to support this system, it'll never be certified.

Button by wire tech will stop that from happening.
 
mandala499
Posts: 6592
Joined: Wed Aug 29, 2001 8:47 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 4:07 pm

Quoting tomlee (Reply 125):
The engine knows being on is normally a good thing as you need the bleed air, hydraulic pressure, and electricity if anything just to keep the plane going even if you can't command the engine's throttle.

You got the APU and/or RAT or the other engine's pumps and generators to do that. If I got an engine with abnormal vibrations even when at idle, I want it off thanks... unless uncontained engine failure is your preferred cup of tea.

Quoting tomlee (Reply 125):
The FADEC is totally autonomous and self contained within the engine itself you can cut off the fuel if you don't want to have the engine running but it will automatically try to restart if the conditions are right (engine windmilling will provide the FADEC enough power without any external electrical input or battery) and yes without a link to the cockpit there is no way to provide a throttle command it would decide that on its own.

FADEC's job is simple... keep the engine from going over the limits. Its job is not to decide whether it's better to be on or off. Automatic restart if the conditions are right? OK, I'll tell you one case. A320, after take off, compressor stall surge, as per procedure, idle the damn engine, still banging away. OK Shut it down. Now, you want FADEC to then decide, "No, I want it on" and have the engine restarted and the banging to continue?

Quoting tomlee (Reply 125):
It is not a FADEC unless it has Full Authority Digital Engine Control. The Full Authority means no manual override no manual revision, you trust the software and that is it.

FADEC under Normal Mode, yes. If it screws up, go to alternate (in Boeing terms), or N1 mode (in A320 IAE terms), and the engine will follow the thrust position with no protections.

So if the FADEC cannot protect the engine from overboosts, overtemp, etc, you want to rely on its "protections" instead of letting it run without the protections? I was talking about failures in the protections, not failure of the digital engine control without protection backup.

Quoting tomlee (Reply 125):
You have the off switch right now don't you it doesn't mean there won't be a point where it gets taken away when the technology matures.

So, if you have faulty ADRs, what do you do then? Leave it on and give erroneous information to the pilot, autopilot and FBW? Airbus has now put in multiple levels of ADR self checks and cross checks to prevent a situation where you have 2 ADRs giving A, and 1 ADR giving B, and the FBW doesn't know if A is correct or B is correct, and therefore, rejects them all, go to Alternate Law (No Protections), and ask the pilots to decide which one(s) are correct.... this is after putting in theoretical versus actual AOA checks with the rest of the air data per ADR and crosscheck with the other ADRs, etc... The OFF button, is there for a reason.

Quoting tomlee (Reply 125):
This is an attack on the character of a person so you can stop now.

I am sorry if it offended you. However, what you've said contravenes basic safety management systems principles. It also takes away the credo of "aviate, navigate, communicate", where "fly the aircraft" comes first. So whenever you see the airplane doing something it is not supposed to do, you take over... mature tech or not... the same principles apply.

Quoting tomlee (Reply 125):
You can't disable the FADEC for a very real reason.

The protections, not the input to command function.

Quoting tomlee (Reply 125):
Why you can still do your I want to crash you just can't unrecoverable nosedive into the ground crash. This would be the opposite of saving the airplane.

How many suicide attempts have there been? Compare that with the number of accidents caused by systems mishaps/bugs/failures, etc.
If you want to remove trust from the pilot that he will not kill himself, then remove the pilot altogether. If you want pilots in the aircraft, you must give the pilot control. The number of times presence of pilots prevail over advanced systems screwing up overwhelms the number of cases where crashes are caused by suicidal pilots flying on duty... they just don't make the news.
When losing situational awareness, pray Cumulus Granitus isn't nearby !
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 5:18 pm

Quoting mandala499 (Reply 126):
You got the APU and/or RAT or the other engine's pumps and generators to do that. If I got an engine with abnormal vibrations even when at idle, I want it off thanks... unless uncontained engine failure is your preferred cup of tea.

I believe the situation was if the engine control was isolated and could still function the FADEC can be self powered even if the APU, RAT, can't provide power for a restart. You kinda want the engine to be able to restart in those conditions. Without the FADEC operational you can't restart.

Quoting mandala499 (Reply 126):
FADEC's job is simple... keep the engine from going over the limits. Its job is not to decide whether it's better to be on or off. Automatic restart if the conditions are right? OK, I'll tell you one case. A320, after take off, compressor stall surge, as per procedure, idle the damn engine, still banging away. OK Shut it down. Now, you want FADEC to then decide, "No, I want it on" and have the engine restarted and the banging to continue?

Simple as in it replaces a flight engineer. It isn't exactly a simple system. No way it is remotely as simple as a key pool door lock. If the FADEC wants to shutdown you can't stop it and if it was cutoff from pilot commands it can restart provided the right conditions which include fuel flow. In that manner it can assume automatically you want to restart.

Quoting mandala499 (Reply 126):
FADEC under Normal Mode, yes. If it screws up, go to alternate (in Boeing terms), or N1 mode (in A320 IAE terms), and the engine will follow the thrust position with no protections.

So if the FADEC cannot protect the engine from overboosts, overtemp, etc, you want to rely on its "protections" instead of letting it run without the protections? I was talking about failures in the protections, not failure of the digital engine control without protection backup.

Alternate mode still runs through the FADEC so a bug could in theory blow up the engine or kill the engine uncommanded with no ability to force a restart.

Hence the you trust the software even today. Technically a ux bug could already make many controls just not respond as most buttons are button by wire and the plane runs on a packetized data bus to reduce cabling. You can't not rely on software and electronics that day is long gone.

Quoting mandala499 (Reply 126):
So, if you have faulty ADRs, what do you do then? Leave it on and give erroneous information to the pilot, autopilot and FBW? Airbus has now put in multiple levels of ADR self checks and cross checks to prevent a situation where you have 2 ADRs giving A, and 1 ADR giving B, and the FBW doesn't know if A is correct or B is correct, and therefore, rejects them all, go to Alternate Law (No Protections), and ask the pilots to decide which one(s) are correct.... this is after putting in theoretical versus actual AOA checks with the rest of the air data per ADR and crosscheck with the other ADRs, etc... The OFF button, is there for a reason.

Write a better ADR; if you can mathematically prove it works and work out the bugs for a few decades you can safely remove the off switch. If you have no computers, no electronic systems, the plane will crash. Thus you trust it already.

Quoting mandala499 (Reply 126):

I am sorry if it offended you. However, what you've said contravenes basic safety management systems principles. It also takes away the credo of "aviate, navigate, communicate", where "fly the aircraft" comes first. So whenever you see the airplane doing something it is not supposed to do, you take over... mature tech or not... the same principles apply.

So me failing to humanize humans as in having empathy is somehow related to basic safety management. You can stop now; having an automatic protection maintains the credo of don't crash, as in flying is better than crashing.

Quoting mandala499 (Reply 126):
How many suicide attempts have there been? Compare that with the number of accidents caused by systems mishaps/bugs/failures, etc.
If you want to remove trust from the pilot that he will not kill himself, then remove the pilot altogether. If you want pilots in the aircraft, you must give the pilot control. The number of times presence of pilots prevail over advanced systems screwing up overwhelms the number of cases where crashes are caused by suicidal pilots flying on duty... they just don't make the news.

At least two identical suicide attempts in recent years. With hundreds dead. Most of which probably knew they were going to die for minutes which is utterly horrible to think about. You're turning death into a statistic which is ironic in a sense.
 
hivue
Posts: 2050
Joined: Tue Feb 26, 2013 2:26 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 10:53 pm

Quoting tomlee (Reply 125):
Heck in the future the buttons might not even do what you ask them to as they will be indirect button by wire technology where the buttons all compute your intent.

Here's where I think you betray your technology trumps humanity point of view. BBW would operate on the same philosophical principles as FBW. FBW does not "compute" the pilot's intent. That's not possible (I could digress into Gödel's, Turing's etc. findings regarding incompleteness and incomputability but will avoid that temptation; you can google it). Instead it takes the pilot's control inputs and translates them into commands to the control surfaces which correspond to certain well-defined and well tested rules. I don't want to ride in any machine that tries to read the operator's mind.

[Edited 2015-04-05 15:55:31]

[Edited 2015-04-05 15:56:47]
"You're sitting. In a chair. In the SKY!!" ~ Louis C.K.
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Sun Apr 05, 2015 11:19 pm

Quoting hivue (Reply 128):

The buttons are already button by wire; if there is a software bug most of the buttons/knobs would stop working. This has nothing to do with technology trumping humanity as technology is just a tool for humans. In trains there is no automatic train speed protection override button and it makes sense why there is no reason to have an off switch for this function.

FBW does compute intent as there is no direct link between the controls and the flight surfaces even in direct control law the intent is interpreted by software and translated to physical commands and there is no way to manually convert it without the computer performing the conversion even if it is operating in a direct conversion mode. Total FBW failure means the plane crashes.

If it didn't read your mind (your inputs) then the controls would be random and uncontrollable. Certain systems like the FADEC have no manual revision, no direct control.

You trust electronics and software every day; it is an integral part of human society and many parts are safety life critical.

I think technology is an integral part of humanity and anyone who thinks one trumps the other has it all wrong. You can't have technology without humanity (it doesn't invent itself) and you can't have humanity without technology (get rid of all technology and what would society look like?).

[Edited 2015-04-05 16:40:54]
 
mandala499
Posts: 6592
Joined: Wed Aug 29, 2001 8:47 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Mon Apr 06, 2015 6:14 am

Quoting tomlee (Reply 127):
If the FADEC wants to shut down you can't stop it and if it was cut off from pilot commands it can restart provided the right conditions, which includes fuel flow. In that manner it can assume automatically you want to restart.

In the case I used above, the FADEC did not want to shut the engine down. It had to be manually shut down by the crew. They saved the engine that way. Had they let FADEC take care of it, in the words of the manufacturer, "you would have lost the engine due to excess damage"
You want to override such control from the pilots?

Quoting tomlee (Reply 127):
Alternate mode still runs through the FADEC so a bug could in theory blow up the engine or kill the engine uncommanded with no ability to force a restart.

Alternate Mode still runs through the FADEC but the protections have been disabled. That's how FADEC is designed. If it detects a fault, it'll say, "I can't protect you". If you want full time protection that cannot be removed, the engine manufacturers disagree with you.

Quoting tomlee (Reply 127):
Write a better ADR; if you can mathematically prove it works and work out the bugs for a few decades you can safely remove the off switch. If you have no computers, no electronic systems, the plane will crash. Thus you trust it already.

The case of that A321 nosediving due to the AoA vanes freezing, isn't due to a software bug. It did what it was supposed to do based on the information inputs. You can't write a better ADR to solve it. Garbage In, Garbage Out... Until you solve the potential Garbage In entirely, sorry, the OFF switch stays.

The case of AF447 where the inputs from the sensors got f-ed up, the FBW knew that the ADRs were telling it rubbish, hence discounted them. The crew should have determined which ADR was telling them rubbish and which wasn't, and the ones telling them rubbish, switch them off. Otherwise, you'd be in a heap of trouble of confusion. Again, Garbage In, Garbage Out... Until you solve the potential Garbage In entirely, sorry, the OFF switch stays.

One airline here had an FBW plane's autopilot decided to suddenly bank steeply and they had to disengage the autopilot to bring it back to where they were supposed to go. There were no software bugs found in the FBW or the autopilot, it was a sensor input issue. Again, until you solve the potential Garbage In entirely, sorry, the OFF switch stays.

Quoting tomlee (Reply 127):
So me failing to humanize humans as in having empathy is somehow related to basic safety management. You can stop now; having an automatic protection maintains the credo of don't crash, as in flying is better than crashing.

Safety has been improved, and FBW that can be overridden (Boeing) or hard protections that can be switched off when there are problems with it (Airbus), has contributed to 2014 being the safest year ever with 1 fatal accident per 2.38 million flights. Safety Management System emphasizes that humans are in control.

Quoting tomlee (Reply 127):
At least two identical suicide attempts in recent years. With hundreds dead. Most of which probably knew they were going to die for minutes which is utterly horrible to think about. You're turning death into a statistic which is ironic in a sense.

The 2 latest successful suicides result in 1 per 38 million flights. The current fatal accident rate is 1 per 2.38 million flights. Sorry, the effort and investment currently better goes into improving the 1 per 2.38 million number.
We can eliminate the 1 per 38 million, but if that means the fatal accident rates due to "your innovations" result in an overall fatal accident rate more frequent than 1 per 2.38 million flights, then we have not made flying more safe, but less safe.
If you are going to eliminate 1 per 38 million flights suicide rate, but result in an overall safety of 1 fatal accident per less than 2.38 million, would you do it?

You see, safety looks at the overall effect, not just 1 aspect of accidents we see. Every measure and improvements proposed MUST be looked at to ensure it does not open up to new risk that can reduce safety overall.

In your proposed case of non-overrideable protections, the challenge is not making the non-override protection, but ensuring that you've eliminated any possibility of garbage coming into the control system or affecting it. Until you do, the "OFF" switch stays. The thing is, in aviation we know that nature can throw the unexpected, it can throw stuff beyond certification limits of input sensors, etc, that is why the "OFF" switch will stay for a long time to come.

Quoting hivue (Reply 128):
I don't want to ride in any machine that tries to read the operator's mind.

Quoting tomlee (Reply 129):
FBW does compute intent as there is no direct link between the controls and the flight surfaces even in direct control law the intent is interpreted by software and translated to physical commands and there is no way to manually convert it without the computer performing the conversion even if it is operating in a direct conversion mode. Total FBW failure means the plane crashes.

In Direct Law, it's FBW at the dumbest function. It simply means input x% = output x% displacement on the control surface. No protection. That is why it's called DIRECT. If it means additional translating processes into a different value than the input, then without the protection it is alternate.
FBW with no protection is literally, bug free in its entirety. However, protections, may be bug free, but it's not as simple as "if it's bug free then let's take out the "off" switch".

Your suggestions are fine but as soon as you want to tell us to "remove the OFF switch", sorry. We disagree.
When losing situational awareness, pray Cumulus Granitus isn't nearby !
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Mon Apr 06, 2015 7:27 am

Quoting mandala499 (Reply 130):
In the case I used above, the FADEC did not want to shut the engine down. It had to be manually shut down by the crew. They saved the engine that way. Had they let FADEC take care of it, in the words of the manufacturer, "you would have lost the engine due to excess damage"
You want to override such control from the pilots?

Hence why you have the fuel flow control. You still rely on the FADEC to run the engines because when it fails the engine fails. You can't turn off the FBW system as you will lose all control. Your plane flies on software/electronics, total failure of these systems would be catastrophic. Hence the trusting the software already.

Quoting mandala499 (Reply 130):
Alternate Mode still runs through the FADEC but the protections have been disabled. That's how FADEC is designed. If it detects a fault, it'll say, "I can't protect you". If you want full time protection that cannot be removed, the engine manufacturers disagree with you.

Alternate mode only removes the thrust specification limit; if there is a catastrophic problem which the FADEC detects internal to the engine or itself, it would shut down the engine, alternate mode or not.

"This puts both engines in alternate mode and removes the N1-speed offset. When in alternate mode, thrust can exceed the certified engine rating at forward thrust-lever positions."

It does not disable all FADEC control and protection functions as that would mean total engine failure. It is not in any way a manual revision mode it just allows you to exceed the thrust specification. A FADEC monitors a mountain of engine parameters and still is processing commands into various controls and if it detects a problem with itself or the engine it controls then it can shut the engine down on its own.

Quoting mandala499 (Reply 130):
The case of that A321 nosediving due to the AoA vanes freezing, isn't due to a software bug. It did what it was supposed to do based on the information inputs. You can't write a better ADR to solve it. Garbage In, Garbage Out... Until you solve the potential Garbage In entirely, sorry, the OFF switch stays.

The case of AF447 where the inputs from the sensors got f-ed up, the FBW knew that the ADRs were telling it rubbish, hence discounted them. The crew should have determined which ADR was telling them rubbish and which wasn't, and the ones telling them rubbish, switch them off. Otherwise, you'd be in a heap of trouble of confusion. Again, Garbage In, Garbage Out... Until you solve the potential Garbage In entirely, sorry, the OFF switch stays.

One airline here had an FBW plane's autopilot decided to suddenly bank steeply and they had to disengage the autopilot to bring it back to where they were supposed to go. There were no software bugs found in the FBW or the autopilot, it was a sensor input issue. Again, until you solve the potential Garbage In entirely, sorry, the OFF switch stays.

Using sensor fusion with other sensors that the plane already has (INS system) could tell the system there is something fishy with the two AoA vanes because it doesn't make logical sense with other data coming from all the other systems.

This would be a pure software solution. Garbage in can be filtered out if you're good at programming.

The point is to detect a garbage in situation and the programming failed to detect that; if they didn't have that software problem, no off switch needed. If a redundant system can't detect sensor faults because the voting logic is dumb (which is exactly what you're describing) they need a better voting system. Dynamic plant modelling would detect the fault because it continuously evaluates the state of the plane and would check against reality that feedback loop is valid. These systems can tolerate engine failures, parts of your wing being missing, the tail fin being clipped, and all manner of unstable conditions.

This would make piloting a damaged plane much more survivable because the system compensates constantly, and it would handle multiple sensor failures at the same time.

Quoting mandala499 (Reply 130):
Safety has been improved, and FBW that can be overridden (Boeing) or hard protections that can be switched off when there are problems with it (Airbus), has contributed to 2014 being the safest year ever with 1 fatal accident per 2.38 million flights. Safety Management System emphasizes that humans are in control.
http://en.wikipedia.org/wiki/Safety_management_systems

I'm not seeing the "human must be in control all the time even if malicious or asleep".

http://i2.cdn.turner.com/cnn/dam/ass...aviationdeathsbyyear-story-top.jpg

I think you got your statistics wrong unless we are counting planes as people.

Safety management systems is about preventing human error it seems.

http://www.sciencedirect.com/science/article/pii/S0001457513002972

Quoting mandala499 (Reply 130):
The 2 latest successful suicides result in 1 per 38 million flights. The current fatal accident rate is 1 per 2.38 million flights. Sorry, the effort and investment currently better goes into improving the 1 per 2.38 million number.
We can eliminate the 1 per 38 million, but if that means the fatal accident rates due to "your innovations" result in an overall fatal accident rate more frequent than 1 per 2.38 million flights, then we have not made flying more safe, but less safe.
If you are going to eliminate 1 per 38 million flights suicide rate, but result in an overall safety of 1 fatal accident per less than 2.38 million, would you do it?

You see, safety looks at the overall effect, not just 1 aspect of accidents we see. Every measure and improvements proposed MUST be looked at to ensure it does not open up to new risk that can reduce safety overall.

In your proposed case of non-overrideable protections, the challenge is not making the non-override protection, but ensuring that you've eliminated any possibility of garbage coming into the control system or affecting it. Until you do, the "OFF" switch stays. The thing is, in aviation we know that nature can throw the unexpected, it can throw stuff beyond certification limits of input sensors, etc, that is why the "OFF" switch will stay for a long time to come.

There is nothing about a full authority system that doesn't mean it can't fail in a safe manner. Ensuring it doesn't miss sensor failures and cause an unsafe condition is obviously a requirement. Doing sensor fusion on all available data would make it very hard to miss a conflict in information. If there is a conflict the system will degrade as it should and protections will be lost.

Quoting mandala499 (Reply 130):
In Direct Law, it's FBW at the dumbest function. It simply means input x% = output x% displacement on the control surface. No protection. That is why it's called DIRECT. If it means additional translating processes into a different value than the input, then without the protection it is alternate.
FBW with no protection is literally, bug free in its entirety. However, protections, may be bug free, but it's not as simple as "if it's bug free then let's take out the "off" switch".

Your suggestions are fine but as soon as you want to tell us to "remove the OFF switch", sorry. We disagree.

Direct law still has code, software, electronics which means it can still have bugs. Mechanical law which is what is "bug free in its entirety" by virtue of having no programming to have bugs.

Except this is going away since the industry is confident enough in FBW systems; both the A380 and 787 lack mechanical backups (no off switch, total trust in the FBW system, and no actual manual control).

How about a compromise: there will be an off switch for the ground collision avoidance system until it is proven to work with years of statistics building confidence in the system. It should also demonstrably save lives and prevent crashes in the course of this process. In time the system would become more integral to the control system until it lacks the off switch. Train protection systems followed a similar path: most old systems had overrides or just warnings, but as it proved itself the overrides got more specific/restricted and eventually, for certain modes like preventing certain crashes, gone altogether.

[Edited 2015-04-06 00:36:35]
 
mandala499
Posts: 6592
Joined: Wed Aug 29, 2001 8:47 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Mon Apr 06, 2015 7:53 am

Quoting tomlee (Reply 131):
I think you got your statistics wrong unless we are counting planes as people.

I didn't... There are so many ways you can look at it... as this shows...
http://bit.ly/1ICf6QH

Go to page 4 to see :
The year 2014, perhaps surprisingly given the way the two Malaysia Boeing 777 losses and the crash of the AirAsia Airbus A320 may have coloured our perception, was, in fact, still a good one for safety, with a global fatal accident rate of one per 2.38 million flights. On this limited basis, 2014 was, narrowly, the safest year ever; the exact opposite to the claims by some media agencies that it would be “the worst year ever” for air safety. The previous “best year” was 2012 with a fatal accident rate of one per 2.37 million flights.
And the table is at Page 5.

Please have a look at the table at page 6 showing the reducing number of occurrences of fatal accidents.

Also if you want to talk about fatalities, please see a more complete picture than the one you used, go to page 9 and see the downward trend.

On Page 10, please also have a look at "passengers carried per fatality", the statistics is also improving.
Page 12, flights per fatal accident for western built jets, also improving.

Note that all this excludes acts of war and acts of violence. However, 1 suicide pilot per 38 million flights is not too far from the truth, and 2014 with 1 accident per 2.38 million, is fact. We are carrying more passengers per fatality, safety is still improving. I will not accept security measures which will jeopardize safety improvements.

Quoting tomlee (Reply 131):
Using sensor fusion with other sensors that the plane already has (INS system) could tell the system there is something fishy with the two AoA vanes because it doesn't make logical sense with other data coming from all the other systems.

Airplanes fly through the air, it relies on the air to keep it up, therefore, it will continue to rely on air data, including AOA vanes, or smart probes for it (which only has been accepted by Embraer).

Now, if the system realizes that the AOAs are telling rubbish, how will you provide stall protection? IRS? (INS is long gone)... IRS based AOA as indicator is OK, but as protection? I wouldn't... it has been suggested to Airbus and Boeing and each refused. Argument was... the airplane flies through the AIR. If you have updrafts and downdrafts, the IRS wouldn't know. AOA vane wouldn't care and won't mistake it. However, better filtering algorithms have been developed to prevent AOA filter madness, but guess what, the OFF button is still there.

If garbage is in, how are you going to provide protection? If sensors are overwhelmed, how do you provide protection? etc, etc.

Quoting tomlee (Reply 131):
If a redundant system can't detect sensor faults because the voting logic is dumb (which is exactly what you're describing) they need a better voting system.

The voting logic is fine. The thing is, while self-detection of faults works, sometimes, it doesn't given the dynamics of flying, so it still relies on voting between the 3 ADRs too.
If you're saying it's dumb, why don't you tell Airbus what to do then.

Quoting tomlee (Reply 131):
I'm not seeing the "human must be in control all the time even if malicious or asleep".

Have you received aviation safety management systems or discussed these ideas in commercial aviation?
When losing situational awareness, pray Cumulus Granitus isn't nearby !
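
The disagreement in the posts above over triple-redundant air-data voting and cross-checking against an independent source, as an added illustration that is not any poster's or manufacturer's logic: a simplified median voter in Python with constructed readings and assumed thresholds. It shows a single bad channel being rejected, two channels failing alike and outvoting the healthy one, and a cross-check that catches that case but also trips when the independent estimate is the one that is off.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import median

# Assumed thresholds for this illustration, not taken from any aircraft.
MISCOMPARE_DEG = 2.0   # a channel further than this from the median is rejected
CROSSCHECK_DEG = 5.0   # wide, because the independent estimate has its own error


@dataclass(frozen=True)
class VoteResult:
    mode: str                  # "NORMAL" (protection kept) or "DEGRADED" (handed to crew)
    value: float | None        # voted angle of attack in degrees, None when degraded
    rejected: tuple[str, ...]  # channels thrown out by the voter
    reason: str


def vote(channels: dict[str, float]) -> VoteResult:
    """Plain three-channel voter: keep the channels that sit near the median."""
    med = median(channels.values())
    accepted = {k: v for k, v in channels.items() if abs(v - med) <= MISCOMPARE_DEG}
    rejected = tuple(sorted(set(channels) - set(accepted)))
    if len(accepted) < 2:
        return VoteResult("DEGRADED", None, rejected, "no two channels agree")
    value = round(sum(accepted.values()) / len(accepted), 2)
    return VoteResult("NORMAL", value, rejected, "majority agrees")


def vote_with_crosscheck(channels: dict[str, float], independent_estimate: float) -> VoteResult:
    """Voter plus a sanity check against an estimate from a different sensor family."""
    result = vote(channels)
    if result.mode != "NORMAL":
        return result
    if abs(result.value - independent_estimate) > CROSSCHECK_DEG:
        return VoteResult("DEGRADED", None, result.rejected,
                          "voted value conflicts with independent estimate")
    return result


# Constructed readings in degrees: (three air-data channels, independent estimate).
SCENARIOS = {
    "healthy":           ({"ADR1": 4.1, "ADR2": 4.3, "ADR3": 4.0}, 4.5),
    "one channel bad":   ({"ADR1": 4.1, "ADR2": 4.3, "ADR3": 15.0}, 4.5),
    # Two vanes stuck at the same value while the real angle has risen to ~12.
    "two fail alike":    ({"ADR1": 4.2, "ADR2": 4.2, "ADR3": 12.0}, 11.0),
    # Vanes are right (vertical gust); the independent estimate does not see the air mass.
    "gust, vanes right": ({"ADR1": 9.0, "ADR2": 9.2, "ADR3": 9.1}, 3.0),
}

if __name__ == "__main__":
    for name, (channels, estimate) in SCENARIOS.items():
        plain = vote(channels)
        checked = vote_with_crosscheck(channels, estimate)
        print(f"{name:18} plain={plain.mode}/{plain.value} rejected={plain.rejected} "
              f"| cross-checked={checked.mode} ({checked.reason})")
```

In the "two fail alike" case the plain voter reports NORMAL with the stuck value and rejects the one correct channel; in the "gust" case the cross-check drops protection although all three channels are correct.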
 
airtechy
Posts: 743
Joined: Sun Dec 24, 2006 7:35 am

RE: Airline Travel In The Aftermath Of Flight 9525

Mon Apr 06, 2015 7:55 am

Is it possible to take the discussion of "fadecs" to the technical forum? They have no place in "this" thread.
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Mon Apr 06, 2015 8:34 am

Quoting mandala499 (Reply 132):
Note that all this excludes acts of war and acts of violence.

Doesn't that mean it ignores suicide, terrorist, malicious actors. That is a pretty biased report to pat the industry on the back while the number of people dying absolutely went up in 2014.

Quoting mandala499 (Reply 132):
If garbage is in, how are you going to provide protection? If sensors are overwhelmed, how do you provide protection? etc, etc.

I think you're ignoring what I'm saying. I said and quote, (it detects a conflict and says human fly plane, this protection is lost)

Quoting tomlee (Reply 131):
If there is a conflict the system will degrade as it should and protections will be lost.

Detecting a conflict is of utmost importance; it is a critical failure to not gracefully degrade automatically.

Quoting mandala499 (Reply 132):
The voting logic is fine. The thing is, while self-detection of faults works, sometimes, it doesn't given the dynamics of flying, so it still relies on voting between the 3 ADRs too.
If you're saying it's dumb, why don't you tell Airbus what to do then.

Ask NASA to talk to Airbus, they invented it. (they probably already did, it's a published series of scientific industry papers)

Quoting mandala499 (Reply 132):
Have you received aviation safety management systems or discussed these ideas in commercial aviation?

Yes I have received an aviation safety management system. It was a bunch of PDFs that talked about "systemic approach to managing safety, including the necessary organizational structures, accountabilities, policies and procedures. (Order VS 8000.367)"

http://www.faa.gov/about/initiatives...a/evolution_of_safety_thinking.png

It seems like SMS classifies itself as an "organizational" system for safety. With technical safety at the top and human factors in the middle. The general takeaway is SMS is about company culture for safety.

Here is an example (FAA, https://www.faa.gov/about/initiatives/sms/explained/basis/ ) that shows where SMS is useful,

Quote:

A well-designed aircraft with a history of reliable service is being prepared for a charter flight. Employees tow the aircraft from the hangar to the terminal. One employee sees wetness on the right tire as he unhooks the tow bar. However, he does not give it attention, as he is very busy and has three other aircraft to move in the next 15 minutes.
At the same time, a safety inspector is walking through the hangar when she encounters a hydraulic oil spill on the hangar floor. She notifies a janitor to clean up the slip hazard as she leaves. While cleaning the spill, the janitor wonders aloud where the spill came from. Afterwards, both the inspector and the janitor continue with their respective jobs.

Notice how human control, technical improvements, ... are not part of the example. It is about cultural improvements at a corporate/organizational level to improve safety. Takeaway: the janitor should have reported the leak and the employee should have reported the odd right tire, serious safety culture/communication issue. Can you reference the part where it says humans must have control over all technical systems no matter what?

[Edited 2015-04-06 01:36:52]
 
mandala499
Posts: 6592
Joined: Wed Aug 29, 2001 8:47 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Mon Apr 06, 2015 4:39 pm

Quoting tomlee (Reply 134):
Doesn't that mean it ignores suicide, terrorist, malicious actors. That is a pretty biased report to pat the industry on the back while the number of people dying absolutely went up in 2014.

What these "technical improvements" you ask for to not enable protections to be switched off to prevent suicides, represent an occurrence rate of 1 in every 38 million flights (and that's only because we've had 2 relatively recently). However, your insistence on protections to be switched off because it enables suicides, puts at risk the much higher rate of non-suicide/war/terrorism accidents rate of 1 in every 2.38 million to become more frequent. It just doesn't add up rightly for me. If you cannot override these protections (for the reason of preventing suicides), you will be jeopardizing the flying public in general.

As good as programming can be, an aircraft flying will depend on air data, and these sensors at times will be at the mercy of what nature can come up that we have not previously anticipated with and then screw up... and we've seen that it can screw up airplanes "in the name of protection". In the past, the programming was deemed good enough, but still the off button is there to enable it to be killed if it goes funny.

Quoting tomlee (Reply 131):
Direct law still has code, software, electronics which means it can still have bugs. Mechanical law which is what is "bug free in its entirety" by virtue of having no programming to have bugs.

Except this is going away since the industry is confident enough in FBW systems; both the A380 and 787 lack mechanical backups (no off switch, total trust in the FBW system, and no actual manual control).

But the 787 still has the PFC disconnect switch. Therefore, the pilots can still kill the protections, because Boeing determines such ability is still required.

Quoting tomlee (Reply 131):
How about a compromise: there will be an off switch for the ground collision avoidance system until it is proven to work with years of statistics building confidence in the system.

Flaps up gear up is easy.
Flaps up gear down... there are times when it's needed. You can still have total loss suicides that way.
Flaps full gear down... normal... should be exempted from the "protection", but then, you can still have deliberate total loss suicides this way.
Then there are times when it is faulty and something screws up that it doesn't disable itself... you want people to unnecessarily risk injury when it's like this?
(This is where the 1 in 2.38 million, gets jeopardized, because you want to solve the 1 in 38 million without considering the effects on the 1 in 2.38 million).
When losing situational awareness, pray Cumulus Granitus isn't nearby !
 
litz
Posts: 2359
Joined: Wed Dec 24, 2003 6:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Mon Apr 06, 2015 6:11 pm

Quoting mandala499 (Reply 122):
If the wires to the cockpit are cut off, as in, isolated (instead of getting commands from a box outside the cockpit), how does the engine know whether it should be on or off? How does the engine know what thrust setting it needs? It cannot. FADEC allows autonomous restart if it knows the engine is off, the aircraft is inflight, and if the cockpit wants it on/off, and the cockpit wants some thrust from it. There's a human in the link somewhere in the process. You cannot switch the FADEC on/off, but you can command the engine to be switched on or off through the FADEC.

FADEC's job, aside from controlling the engine, is to maintain a "failsafe" attitude ... among other things, this could include auto-relight, etc, as discussed above.

In fact, on QF32, with the damage in the wing, they found when they landed, they commanded the engine to shut down, and the FADEC never received it ... it kept things going at idle. The crew had throttle control, but could not initiate a shutdown. Weird, eh? But it was the failsafe thing to do, from the engine controller's point of view.

(note : the fire bottles didn't work either; ground crews had to snuff the engine with foam, and even that took a while as the engine really wanted to keep running ...)
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Mon Apr 06, 2015 7:33 pm

Quoting mandala499 (Reply 135):

What these "technical improvements" you ask for to not enable protections to be switched off to prevent suicides, represent an occurrence rate of 1 in every 38 million flights (and that's only because we've had 2 relatively recently). However, your insistence on protections to be switched off because it enables suicides, puts at risk the much higher rate of non-suicide/war/terrorism accidents rate of 1 in every 2.38 million to become more frequent. It just doesn't add up rightly for me. If you cannot override these protections (for the reason of preventing suicides), you will be jeopardizing the flying public in general.

As good as programming can be, an aircraft flying will depend on air data, and these sensors at times will be at the mercy of what nature can come up that we have not previously anticipated with and then screw up... and we've seen that it can screw up airplanes "in the name of protection". In the past, the programming was deemed good enough, but still the off button is there to enable it to be killed if it goes funny.

You can design the system to detect failures and conflicts in the sensor data and ensure that it will not be able to get confused by bad sensor inputs without it noticing. If you combine enough diverse sensors the chances they will all somehow fail in a manner which you can't tell the difference is slim to none.

The protection not having an off switch eventually would also stop inattention or procedural errors in disabling a critical protection. The reason trains don't have an off switch for the anti-derailment speed regulator is that if you are disabling the system then the only result is going to be a crash.

Your statistic is false given it doesn't include the fact that there are 2 identical events and without changes more copycats will come. The ground collision avoidance system would not just stop suicide attempts but cultural/human errors (which is very much a statistically relevant causative factor) which have occurred where groups/people disable critical safety systems or fail to react in time in situations where the system is working properly and crash as a result.

There already exists warning only systems for complex traffic terrain avoidance determination.
http://www.thalesgroup.com/en/worldw...c-collision-avoidance-system-t2cas

Combining multiple GNSS sources + INS + FCS data the chances of being tricked into crashing the plane into the ground are slim to none. The system would only keep the plane flying which is a much safer state than say crashing into a mountain.

Quoting mandala499 (Reply 135):
But the 787 still has the PFC disconnect switch. Therefore, the pilots can still kill the protections, because Boeing determines such ability is still required.

You can't turn off the FBW you just turn off the automatic flight envelope protections so that pilots can execute moves that exceed the specifications of the plane. In theory a ground collision avoidance system would still operate normally even in direct law as it only senses impending collision with the ground and would still operate even with the PFC disconnected just you don't have aerodynamic protections any more.

Eventually the PFC switch may disappear too just as the mechanical law has. Once the electronics get cheaper/smaller/certified you probably could have 10 flight control computers and then the statistical likelihood that you would have a voting failure would be basically 0, the computers could also allow for normal + automatic envelope extension which allows pilots to exceed the specifications but not cause the plane to immediately crash.

http://www.dailymail.co.uk/news/arti...ain-charge-aircraft-plummeted.html

In airbus planes you really should not pull the power to the computer systems. It has a reset button those typically work fine and don't remove the protection. A ground terrain avoidance system could also run as its own system given that the objective of not crashing is a very important / fundamental aspect of an air-plane if there is a problem with the plane systems it would degrade to warning only and then nothing.

Boeing, Airbus both removed mechanical law in the 787 and A380 and normal law with extra leeway may be the future instead of direct law.

Quoting mandala499 (Reply 135):
Flaps up gear up is easy.
Flaps up gear down... there are times when it's needed. You can still have total loss suicides that way.
Flaps full gear down... normal... should be exempted from the "protection", but then, you can still have deliberate total loss suicides this way.
Then there are times when it is faulty and something screws up that it doesn't disable itself... you want people unnecessarily risk injury when it's like this?
(This is where the 1 in 2.38 million, gets jeopardized, because you want to solve the 1 in 38 million without considering the effects on the 1 in 2.38 million).

So if the system can be proved in practice with the chances of it failing without automatically disabling itself are statistically improbable you would then be fine with it not having an off switch. (Multi-GNSS + Sensor fusion would be able to achieve that, you could also have a terrain avoidance system reset button so the pilots can tell the system they don't like what it is doing, if they press the reset button but 100% of the data are cross validating then the system continues as normal and if there is elevated uncertainty pressing the reset button causes the computer to think twice about what it is evaluating and it would drop to warnings only)

So then you agree it would improve safety with an off button and excluded from certain configurations of flight. That is a much better start than not having the system at all. With time it will include those modes and eventually be always active once proven with statistics in operation to back it up. (Once the statistics in actual operation are built up then there is no argument left in hypothetical statistics)(GPWS originally didn't work for turns or landing by the way)
 
Pihero
Topic Author
Posts: 4318
Joined: Mon Jan 31, 2005 5:11 am

RE: Airline Travel In The Aftermath Of Flight 9525

Tue Apr 07, 2015 8:32 pm

First, a quote :
"The “auto avoid” system, devised around 2003 by Airbus’s top safety engineers and U.S. supplier Honeywell International Inc., was intended for the Airbus A380 superjumbo jet then in development, company officials said at the time."
..."The faded interest from Airbus and many of its customers in the feature reflects divergent and shifting views of flight automation in the aviation industry.

...there is a growing sense among aviation experts that undue reliance on cockpit aids can result in unintended consequences. And some argue such technology is far from foolproof.

...“Even if such a system would be fully autonomous, there are other ways to deliberately crash an aircraft” such as shutting down both engines, said Alfred Roelen, a researcher at the National Aerospace Laboratory of the Netherlands.

...“As long as humans are in the loop somewhere in the system, it is quite impossible to provide protection against deliberate acts.”

All from an article on the WSJ Airbus Scrapped ‘Auto Avoid’ Technology Aimed at Preventing Planes From Being Used as Weapons

These are very valid points, to me.

Quoting tomlee (Reply 137):
If you combine enough diverse sensors the chances they will all somehow fail in a manner which you can't tell the difference is slim to none.

How many sensors and how many computers would you be satisfied with ?

Quoting tomlee (Reply 137):
Combining multiple GNSS sources + INS + FCS data the chances of being tricked into crashing the plane into the ground are slim to none.

Please explain that architecture and why you'd think it will be safe. I'm quite sure that flying straight and level into the Matterhorn - an almost vertical southern face - the GPWS and your auto avoid will react too late.

Quoting tomlee (Reply 137):
The system would only keep the plane flying which is a much safer state than say crashing into a mountain.

?

Quoting tomlee (Reply 137):
Once the electronics get cheaper/smaller/certified you probably could have 10 flight control computers and then the statistical likelihood that you would have a voting failure would be basically 0,

1/- If they are sharing the same probes / sensors, your argument is in error
2/- If they have each its own sensors / data, the voting program would be very interesting... and so the price
3/- If they are identical, with the same software, one could see a serious contamination or a unique case of failure spread all over your architecture.

Quoting tomlee (Reply 137):
Boeing, Airbus both removed mechanical law in the 787 and A380 and normal law with extra leeway may be the future instead of direct law.

There is no mechanical law on the A380. The back-up system is also FBW.

Quoting tomlee (Reply 137):
, you could also have a terrain avoidance system reset button so the pilots can tell the system they don't like what it is doing, if they press the reset button but 100% of the data are cross validating then the system continues as normal and if there is elevated uncertainty pressing the reset button causes the computer to think twice about what it is evaluating and it would drop to warnings only)

A reset button on an aircraft doing 12 km/min ? You must be joking !
If I don't like what the automaton is doing, I switch it off. A very simple method of survival.

Quoting mandala499 (Reply 135):
This is where the 1 in 2.38 million, gets jeopardized, because you want to solve the 1 in 38 million without considering the effects on the 1 in 2.38 million

I agree.
Contrail designer
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Tue Apr 07, 2015 9:03 pm

Quoting Pihero (Reply 138):

First, a quote :
"The “auto avoid” system, devised around 2003 by Airbus’s top safety engineers and U.S. supplier Honeywell International Inc., was intended for the Airbus A380 superjumbo jet then in development, company officials said at the time."
..."The faded interest from Airbus and many of its customers in the feature reflects divergent and shifting views of flight automation in the aviation industry.

...there is a growing sense among aviation experts that undue reliance on cockpit aids can result in unintended consequences. And some argue such technology is far from foolproof.

...“Even if such a system would be fully autonomous, there are other ways to deliberately crash an aircraft” such as shutting down both engines, said Alfred Roelen, a researcher at the National Aerospace Laboratory of the Netherlands.

...“As long as humans are in the loop somewhere in the system, it is quite impossible to provide protection against deliberate acts.”
All from an article on the WSJ Airbus Scrapped ‘Auto Avoid’ Technology Aimed at Preventing Planes From Being Used as Weapons

Those are old points. Funny how Boeing/NASA is working anti-tamper automation than Airbus given they are the ones that started the whole trend.

http://aviationweek.com/commercial-a...ntial-versus-reality#comment-83531

Boeing, NASA working on making the system tamper resistant.

Quoting Pihero (Reply 138):
How many sensors and how many computers would you be satisfied with ?

N number of sensors and controllers, whatever it takes to meet the regulatory, statistical, safety requirements in actual use. Computers are not exactly expensive and neither are sensors (some of which can be internal to the controllers). Computer systems on planes are very old and there is a lot of new old hardware that they can use now that decades have gone by. If there are mobile apps for GPWS you don't exactly need much, sure it takes a lot more than a pile of iPads but this isn't impossible.

Quoting Pihero (Reply 138):
Please explain that architecture and why you'd think it will be safe. I'm quite sure that flying straight and level into the Matterhorn - an almost vertical southern face - the GPWS and your auto avoid will react too late.

A 90deg wall would qualify under the don't hit things at 90deg at speed. Sensing a large vertical face would be extremely easy with any number of sensors (maps, radar, lidar, vision, ...). It isn't like the Matterhorn is moving anywhere quickly.

Level flight avoiding terrain is the point. Pilots have run into mountains too so it isn't like people are perfect at it either the system would assist pilots in these moments of inattention or ignoring the GPWS display.

Quoting Pihero (Reply 138):
1/- If they are sharing the same probes / sensors, your argument is in error
2/- If they have each its own sensors / data, the voting program would be very interesting... and so the price
3/- If they are identical, with the same software, one could see a serious contamination or a unique case of failure spread all over your architecture.

1/The point is obviously to have many diverse sensors hence the multi-GNSS fusion
2/How would the voting be interesting if you have more systems it is just a vote of majority with more room for failures till the probability is extremely low.
3/Best design practice is to have diverse hardware/software stacks I'm not even sure if FBW control systems do this with their code. Same with the raw data processing of the flight controls do they actually have diverse programming being used with multiple mfg sourced ADCs/MCUs even this isn't too much of a problem to achieve parts are cheap even specially qualified ones especially when you look at the price of the system in its entirety.

Quoting Pihero (Reply 138):
There is no mechanical law on the A380. The back-up system is also FBW.
Quoting tomlee (Reply 137):
Boeing, Airbus both removed mechanical law in the 787 and A380 and normal law with extra leeway may be the future instead of direct law.

Yes that is exactly what I said. Not sure what your point there is since that is part of the logic of old systems being replaced with the new systems over time as confidence builds. Mechanical law was pointless because it was too degraded and FBW electronic/computer based control proved its reliability.

Quoting Pihero (Reply 138):
A reset button on an aircraft doing 12 km/min ? You must be joking !
If I don't like what the automaton is doing, I switch it off. A very simple method of survival.

Not sure if that is advisable in all cases,

"A malfunction of the Flight Augmentation Computer (FAC) was persistent enough to cause the captain to take the "very unusual" initiative to pull the circuit breaker for the FAC, cutting power to it a few minutes before the end of the flight. The captain left his seat to access the breaker panel behind the copilot, who was in control of the aircraft at the time.[107] The FAC is the part of the fly-by-wire system in A320 aircraft responsible for rudder control. It had been the subject of maintenance problems on previous flights of this aircraft.[108] The sudden nose-up climbing condition occurred at this time, possibly because of failure of the copilot to respond to the sudden change in control characteristics due to FAC shutdown, which eliminated protection against control inputs that exceed aerodynamic limits."
http://en.wikipedia.org/wiki/Indones..._AirAsia_Flight_8501#Investigation

They should have pressed the reset button which is the procedure. The captain sure didn't like that automation and switched it off hard and they all died. The controller was still functioning properly and assisting the plane so that it would stay airborne and the moment he disconnected it the FO couldn't react in time and the plane crashed.

Not so simple after all.

Also this system would not just stop 1-2 suicides it would also help stop inattention/double incapacitation/UA93 crashes into terrain in a very obviously dangerous manner (nosedive at speed right into the ground or a wall made of ground typically called a mountain).

[Edited 2015-04-07 14:09:47]
 
Armodeen
Posts: 1233
Joined: Wed Aug 28, 2013 10:17 am

RE: Airline Travel In The Aftermath Of Flight 9525

Tue Apr 07, 2015 9:12 pm

Quoting BravoOne (Reply 57):
If you don't see the difference between 700 hours and 7000 hours I don't think anyone can change your mind with the facts.

Please post the facts, I would be very happy to read any well researched article in any academic publication. In fact you would be doing me a great favour as my thesis will be featuring lessons from the cockpit which are applicable to other fields.

Thanks
 
Pihero
Topic Author
Posts: 4318
Joined: Mon Jan 31, 2005 5:11 am

RE: Airline Travel In The Aftermath Of Flight 9525

Tue Apr 07, 2015 9:36 pm

Quoting tomlee (Reply 139):
They should have pressed the reset button which is the procedure.

1/- There is no reset button

2/- Electrical resets are governed by some very strict procedures, none of which - on the flight systems - is about pulling the circuit breaker.

Quoting tomlee (Reply 139):
/Best design practice is to have diverse hardware/software stacks I'm not even sure if FBW control systems do this with their code.

Ask Airbus

Quoting tomlee (Reply 139):
that is part of the logic of old systems being replaced with the new systems over time as confidence builds.

No, it's a matter of architecture and weight. Nothing more.
Haven't you noticed that FBW systems are getting a lot more complicated than they were initially ?.. and not by just a multiplication of the computers, boxes... ?

To me, trying to solve a human problem with a technical solution is a bad idea.

On another thread, your system would be
- A super clutter of computers
- with a multitude of sensors / data processors... etc...
All unswitchable...
But...
- with a remote control from the ground ( ATC in your opinion )
So, as a matter of fact you've just added several more layers of weaknesses in the airline industry : cascade or common cause failures / mental health of ground operators ( of course they are not suicidal pilots ! ) / hacking risks...

BTW, I'm not into looking for solutions only. I'm also interested in the public opinion and views on their safety.
This is a global problem that should be tackled in a global, human way.

The solution, IMO, will have to go to the various aspects of airline operations : training, screening, CRM and discipline, how to promote a new aspect of airmanship in the computer age...
The solution will have to go through a major change on revealing to the authorities any mental state that could present a risk to the air transport in general.
That was the idea I had when opening this thread.
It certainly wasn't about - once again - getting rid of the pilot for the sake of a few Isaac Asimov's fans.
Contrail designer
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Tue Apr 07, 2015 10:03 pm

Quoting Pihero (Reply 141):
1/- There is no reset button

2/- Electrical resets are governed by some very strict procedures, none of which - on the flight systems - is about pulling the circuit breaker.

The flight panel on/off is the reset (it is a soft button not the physical circuit breaker). Pulling the power hard with the C/B isn't the procedure. He didn't use that soft button because he had to be in full control and what more is full control than just pulling the plug on the computer even when it was still working.

https://www.youtube.com/watch?v=MT0NJiRFA1s&ab_channel=MrFargoo

Quoting Pihero (Reply 141):
Ask Airbus

It is best practice, diversity is good.

Quoting Pihero (Reply 141):
No, it's a matter of architecture and weight. Nothing more.
Haven't you noticed that FBW systems are getting a lot more complicated than they were initially ?.. and not by just a multiplication of the computers, boxes... ?

You do know systems don't need more boxes to have more redundancy/safety you can fit more channels in the same box. Computer controllers by weight are probably not a large concern not to mention they are getting smaller/lighter/cheaper. Compared to things like a battery pack(s) they weigh nothing basically.

Quoting Pihero (Reply 141):
To me, trying to solve a human problem with a technical solution is a bad idea.

On another thread, your system would be
- A super clutter of computers
- with a multitude of sensors / data processors... etc...
All unswitchable...
But...
- with a remote control from the ground ( ATC in your opinion )
So, as a matter of fact you've just added several more layers of weaknesses in the airline industry : cascade or common cause failures / mental health of ground operators ( of course they are not suicidal pilots ! ) / hacking risks..

Human/Technology are not separable. No humans no technology, no technology no planes, and that is probably the least of your worries if all technology just vanished.

What makes us special compared to other animals is the fact we make extremely complex technological systems to solve our problems. Obviously not every problem has a purely technical solution but ground terrain avoidance and door locks are both areas that technology can help.

Super clusters (multi-core) processors are extremely common. Even single chips have built in redundancy with multi-core lock step processing with built in voting logic and error correction/detection are commercially available for safety critical systems. With more and more electronics being used in everyday life the expectation that it just works and doesn't create safety hazards is a clear objective. The electronics industry knows this and has integrated solutions with life safety certifications. You take those and make it even more redundant/diverse and the chances of failure are going to be far lower than before.

Where have I ever mentioned remote control being a good idea? I believe I've repeatedly stated the system must be isolated and the only controls are in the cockpit where they belong.

All auto-GCAS does is provide a safety net for pilots and passengers. If the system detects an internal fault the protection is lost. Proper design would be required to prevent malicious tampering with the systems power supply and connectivity with the FBW system.

Quoting Pihero (Reply 141):
BTW, I'm not into looking for solutions only. I'm also interested in the public opinion and views on their safety.
This is a global problem that should be tackled in a global, human way.

The solution, IMO, will have to go to the various aspects of airline operations : training, screening, CRM and discipline, how to promote a new aspect of airmanship in the computer age...
The solution will have to go through a major change on revealing to the authorities any mental state that could present a risk to the air transport in general.
That was the idea I had when opening this thread.
It certainly wasn't about - once again - getting rid of the pilot for the sake of a few Isaac Asimov's fans.

The global human way also includes technological improvement coupled with improvements in SMS and Human factors. Planes are a very technically involved system to say technology has no part in the safety of the system is odd. You make all the technical improvements that are feasible and demonstrated to work and then you work on the human factors and organizational perception of safety culture. All three work in tandem to make flying safer.

Nowhere in my suggestion for auto-gcas have I stated we not have pilots in the cockpit (they have the final say after the technology fails, having tamper resistance doesn't mean the pilot is useless or a decoration), we still have drivers in high speed trains even with their working automatic protection systems with no overrides for critical safety aspects. Given how you ignored these aspects of my discussion it is pretty clear that you fear pilots becoming obsolete or replaced by technology but that isn't the point of technology it is meant to serve not to replace humans. There is no way a computer can ever achieve artificial intelligence because they just don't work like a human brain they are too reliable and pay for that in the inability to think like a human can (Our technology is designed to complement our weaknesses to making us the dominant species on the planet, technology being good/neutral/bad it is pretty much integral to humanity).

To say any one part is the only solution is very unusual.

[Edited 2015-04-07 15:41:39]
 
sierrakilo44
Posts: 199
Joined: Tue Dec 13, 2011 1:38 am

RE: Airline Travel In The Aftermath Of Flight 9525

Tue Apr 07, 2015 11:29 pm

Quoting tomlee (Reply 139):
They should have pressed the reset button which is the procedure. The captain sure didn't like that automation and switched it off hard and they all died. The controller was still functioning properly and assisting the plane so that it would stay airborne and the moment he disconnected it the FO couldn't react in time and the plane crashed.

No they wouldn't have crashed had the FO held a basic power and attitude for cruise flight. The fact he was an automation dependent P2F junkie means he couldn't. Believe it or not pilots have turned off Airbus FAC's for technical reasons before and 99.999% of the time no planes have fallen out of the sky.
How bout we drop the assumption being made out here that all airline pilots are equal.
There are some airlines who hire pilots from dubious backgrounds, with sub standard training and culture of corruption that allows incompetent personnel to remain employed. Note I'm not just blaming Asian airlines here (ref Colgan 3407, AF447)
Wouldn't it be better for governments to provide better oversight to ensure these dodgy operators are forced to raise their compliance standards?
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Wed Apr 08, 2015 12:46 am

Quoting sierrakilo44 (Reply 143):

The whole FO didn't react in time is the did not hold "basic power and attitude for cruise flight". So we are saying the same thing.

Automation dependent, incompetent pilot or not. The captain should not have gotten up and hard disconnected the FAC by pulling the C/B the soft-disconnect button is the appropriate method to reset the controller. (I guess it just shows even more training/testing/cultural lapses)

Certainly they should have been able to disable the FAC without crashing but that clearly didn't happen as they almost immediately crashed. The automation can cover up complacency and poor training standards as AF447 showed as well. The error was mostly human as the controller was functioning or in Air France 447 it correctly disconnected itself when it determined it was not capable of offering automatic protections with certainty.

Company culture and training are supposed to ensure pilots know how to fly the plane without the automated assists as in those cases the plane truly is in their hands alone. This doesn't mean that there should not be automatic assists as fewer crashes have occurred with these systems than before the technology existed.

Obviously not all pilots are equal that isn't what my assumption is, I'm suggesting planes have auto-GCAS which is a safety net against incompetence, inaction, complacency, maliciousness, incapacitation of pilots while normal well trained pilots would not ever need the safety net as they would never allow their planes to enter that condition of extreme danger in the first place. Should the auto-gcas fail you then rely on the pilots to not hit the ground. In a properly designed system that NASA/Boeing are working on you would not be able to easily disable the protection given how fundamentally important not crashing into the ground is for air plane safety.
 
mandala499
Posts: 6592
Joined: Wed Aug 29, 2001 8:47 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Wed Apr 08, 2015 3:17 am

Quoting tomlee (Reply 137):
you could also have a terrain avoidance system reset button so the pilots can tell the system they don't like what it is doing, if they press the reset button but 100% of the data are cross validating then the system continues as normal and if there is elevated uncertainty pressing the reset button causes the computer to think twice about what it is evaluating and it would drop to warnings only

EXCELLENT IDEA!!!
I ABSOLUTELY AGREE TO THE RESET BUTTON!

Oh hang on... "Drop to warnings only"? That means, the pilot can just press these buttons in a suicide attempt...
So after all that, you're putting yourself back to square one.

I was being hopeful just now... OK... Neeeeeext...

Quoting Pihero (Reply 138):
...there is a growing sense among aviation experts that undue reliance on cockpit aids can result in unintended consequences. And some argue such technology is far from foolproof.

So after all those improvements, to prevent the unintended consequences from ever materializing, let's just put a reset button, which still enables a suicide. So it'll be a higher price tag, for the same thing...

Quoting Pihero (Reply 138):
Please explain that architecture and why you'd think it will be safe. I'm quite sure that flying straight and level into the Matterhorn - an almost vertical southern face - the GPWS and your auto avoid will react too late.
Quoting Pihero (Reply 138):
1/- If they are sharing the same probes / sensors, your argument is in error

Garbage in... Garbage out.
Of course, he thinks that it can be "filtered out"... Would love to see how he'd filter out iced over pitot tubes and give protections kicking in to avoid a wall of granite in front. I'd love to see how the recovery maneuver can be done without relying on air data... Mind you, he'd probably just say "it can be programmed" without going to details.

Quoting Pihero (Reply 138):
2/- If they have each its own sensors / data, the voting program would be very interesting... and so the price

It's all about the money, money...
It's about the maximum safety for a price tag...
Absolute safety is so expensive, it's not worth flying.

Quoting Pihero (Reply 138):
3/- If they are identical, with the same software, one could see a serious contamination or a unique case of failure spread all over your architecture.

More like "single failure leading to multiple identical failures", so, wonder how protections can still kick in with that...  
Quoting tomlee (Reply 139):
Funny how Boeing/NASA is working anti-tamper automation than Airbus given they are the ones that started the whole trend.

1.5 yrs ago I met some leading Boeing engineers. Sorry, the PFC disconnect and other buttons that will keep pilots in control will stay. "Don't believe the propaganda" were their very words.

Quoting tomlee (Reply 139):
N number of sensors and controllers, whatever it takes to meet the regulatory, statistical, safety requirements in actual use.

You don't know the number then? Oh dear.
How many are there on the Boeing FBW and how many on the Airbus FBW?

Quoting tomlee (Reply 139):
Computer systems on planes are very old and there is a lot of new old hardware that they can use now that decades have gone by.

Oh God... not this silly argument again...

Quoting tomlee (Reply 139):
Pilots have run into mountains too so it isn't like people are perfect at it either the system would assist pilots in these moments of inattention or ignoring the GPWS display.

How would it assist the pilots in moments of attention when the GPWS is giving warnings based on a data base that's erroneous? If the database thinks it's straight ahead but the pilot sees it's off to the right... and the "automatic protection" following the database wants to go to the right to avoid it, are you going to allow the pilot do the avoidance or let the GPWS do it? Choose! "Bad programming" excuse isn't an answer. These are real issues with automation and automatic protection. If you don't believe such problems can happen, you need to sit down in a cockpit of an airplane where the GPS and IRS has gone walkabouts... real life issues. Not just "sitting on a table" rhetoric. The difference between you and those who design these things for real, is that they listen, you seem to refuse and come up with excuses like "bad programming".

Quoting tomlee (Reply 139):
2/How would the voting be interesting if you have more systems it is just a vote of majority with more room for failures till the probability is extremely low.

So how many common systems? how many unique systems? Each of those has how many identical and/or unique subsystems? Will it have dedicated sensors per system? will it have common source sensor per system? A combination of the two? or?

Quoting tomlee (Reply 139):
Not so simple after all.

NOW THIS TAKES THE CAKE... Sorry... Because...

Quoting tomlee (Reply 139):
"A malfunction of the Flight Augmentation Computer (FAC) was persistent enough to cause the captain to take the "very unusual" initiative to pull the circuit breaker for the FAC, cutting power to it a few minutes before the end of the flight. The captain left his seat to access the breaker panel behind the copilot, who was in control of the aircraft at the time.

The Wikipedia segment you quoted was based on an erroneous report made by Reuters based on Bloomberg receiving a leak and publishing it. Reuters has since corrected that piece of news after meeting with the accident investigators who explicitly said to them that they have no evidence that the FAC circuit breakers were pulled.

To use it in this topic, shows you have absolutely no idea what you're talking about either.
I do suggest that you read the piece by Reuters a few days after their piece you quoted above through Wiki: http://www.reuters.com/article/2015/...sia-airplane-idUSL4N0VC30D20150202
Don't fall for the same media confusion...

Quoting tomlee (Reply 139):
They should have pressed the reset button which is the procedure. The captain sure didn't like that automation and switched it off hard and they all died. The controller was still functioning properly and assisting the plane so that it would stay airborne and the moment he disconnected it the FO couldn't react in time and the plane crashed.

Again... Incorrect. The aircraft's autopilot had switched off and the FBW entered Alternate Law No Protection, sometime before the stall.

Quoting tomlee (Reply 142):
He didn't use that soft button because he had to be in full control and what more is full control than just pulling the plug on the computer even when it was still working.

There is no evidence that he did it to the FAC, this is according to the investigators. I am in consultation with parties to the investigation so saying this puts the investigation at risk, but your misunderstanding and maybe ignorance, I think warrants the risk. This is still ongoing so this may not be what the final report will say. What they suspected was that the FAC was giving fault indications despite the resets, so (if I remember correctly it was switched off as per procedure), and based on maintenance recommendations and after consultation with Airbus on a previous occurrence, when such a thing happens inflight, pull a circuit breaker (can't tell you which, but I can tell you it is NOT the FAC circuit breaker) this then reset the rudder trim which was going haywire, and the aircraft was then able to recover albeit they had lost too much altitude.

Quoting tomlee (Reply 144):
The captain should not have gotten up and hard disconnected the FAC by pulling the C/B the soft-disconnect button is the appropriate method to reset the controller.

No evidence of such. Stop the nonsense.

Quoting tomlee (Reply 144):
(I guess it just shows even more training/testing/cultural lapses)

I wish you could hear the CVR, review the FDR, and review the systems manuals, and QRH, etc, and still say "cultural lapses" for this particular case.... I wish... putting that phrase here is a disgrace to the aviation community.

Quoting tomlee (Reply 144):
Certainly they should have been able to disable the FAC without crashing but that clearly didn't happen as they almost immediately crashed.

Clearly there is no evidence of such.

Quoting tomlee (Reply 144):
The automation can cover up complacency and poor training standards as AF447 showed as well.

And you're there putting more ways to cover up complacency and poor training standards by proposing GCAS...
All in the name of preventing suicides... It won't prevent suicides.
When losing situational awareness, pray Cumulus Granitus isn't nearby !
 
tomlee
Posts: 610
Joined: Sat Aug 21, 2010 9:01 am

RE: Airline Travel In The Aftermath Of Flight 9525

Wed Apr 08, 2015 4:29 am

Quoting mandala499 (Reply 145):
EXCELLENT IDEA!!!
I ABSOLUTELY AGREE TO THE RESET BUTTON!

Oh hang on... "Drop to warnings only"? That means, the pilot can just press these buttons in a suicide attempt...
So after all that, you're putting yourself back to square one.

I was being hopeful just now... OK... Neeeeeext...

Pressing the reset button and having the system reset with no observed anomalies would not drop to warnings only. It just serves as a way for the pilots to say to the computer that something might be wrong. It gives the pilot a vote; basically, it helps break the two ADR disagree voting failure problem, as the human can cast a tiebreaker which would cause the vote to fail to reach the required quorum and the system to drop to warning only. But if the majority rules there is nothing wrong then it keeps on going (all systems normal). It also isn't back to square one, because even if it did drop to warning only, the system still operates in cases that are not suicide but due to pilot inattention, incompetency, incapacitation.

Quoting mandala499 (Reply 145):
So after all those improvements, to prevent the unintended consequences from ever materializing, let's just put a reset button, which still enables a suicide. So it'll be a higher price tag, for the same thing...

You really don't seem to want to read what I'm writing but instead take everything and reword it as needed. Even if you could turn it off it would still improve safety in general.

Quoting mandala499 (Reply 145):
Garbage in... Garbage out.
Of course, he thinks that it can be "filtered out"... Would love to see how he'd filter out iced over pitot tubes and give protections kicking in to avoid a wall of granite in front. I'd love to see how the recovery maneuver can be done without relying on air data... Mind you, he'd probably just say "it can be programmed" without going to details.

Sensor information that behaves abnormally can be filtered out. With external sensors and position updates from multiple GNSS sources you can easily tell your pressure altitude sensors are giving conflicting and invalid results. If you have two AoA sensors that fail in the exact same position but one still reacts to flight changes, you can compare other sensor data to determine that the system may be in question and automatically drop out.

1) Iced over pitot tubes will not agree with radar/GNSS/INS altitude measurements
2) AoA sensor stuck in the same position would not react to a descent command and could be ruled as defective when no change is observed even when large inputs are given and the system would disconnect automatically when it realizes the sensors or actuators may be defective and it can't tell what is the difference.

Radar and GNSS can already tell you if there is a wall of ground in front of you; that is what EGPWS does.

Quoting mandala499 (Reply 145):
It's all about the money, money...
It's about the maximum safety for a price tag...
Absolute safety is so expensive, it's not worth flying.

Computers are all cheap/lightweight; compared to having an extra set of engines (4 vs 2) it is nothing, and this isn't absolute safety, just logically sound safety on existing technology which both NASA/Military/Boeing are implementing with anti-tamper in mind.

Quoting mandala499 (Reply 145):
More like "single failure leading to multiple identical failures", so, wonder how protections can still kick in with that...

I'm guessing you never read my response to that line. Voting is simple, and diverse hardware and software is best practice for safety critical design. Also, pilots are often identified as a single point of failure; spreading out failure between a diverse set of human and computer systems allows the overall design to tolerate failures in any area.

Quoting mandala499 (Reply 145):
1.5 yrs ago I met some leading Boeing engineers. Sorry, the PFC disconnect and other buttons that will keep pilots in control will stay. "Don't believe the propaganda" was their very words.

So this is a conspiracy now?

Quoting mandala499 (Reply 145):
How would it assist the pilots in moments of attention when the GPWS is giving warnings based on a data base that's erroneous? If the database thinks it's straight ahead but the pilot sees it's off to the right... and the "automatic protection" following the database wants to go to the right to avoid it, are you going to allow the pilot to do the avoidance or let the GPWS do it? Choose! "Bad programming" excuse isn't an answer. These are real issues with automation and automatic protection. If you don't believe such problems can happen, you need to sit down in a cockpit of an airplane where the GPS and IRS have gone walkabouts... real life issues. Not just "sitting on a table" rhetoric. The difference between you and those who design these things for real, is that they listen, you seem to refuse and come up with excuses like "bad programming".

So you're saying if I provide pilots with completely wrong maps they would not crash in low visibility conditions and no EGPWS so that they have no idea they are heading toward a mountain?

The database provides information which is compared against the sensors; having a wrong map doesn't mean the system will fail. All aspect radar distance measurements would still provide warning of obstructions around the plane, and a sheer vertical mountain face would be very easy to detect even without a map since it is a perfect wall, unless it has a special stealth coating or something.

Why would the plane trust the map when the sensors say there is a mountain even though the map doesn't list it? At that point the system would determine that the map is likely faulty and rely on the sensors, with the GNSS providing verification that the onboard systems are still producing good data in a relative sense.

So no excuses it would still work.

Quoting mandala499 (Reply 145):
So how many common systems? How many unique systems? Each of those has how many identical and/or unique subsystems? Will it have dedicated sensors per system? Will it have common source sensor per system? A combination of the two? Or?

Boeing, NASA can decide that. Having sensors on-board each controller (miniature IMUs which are 9-axis sensor platforms on a chip can also provide each controller its own isolated sensing ability independent of any outside sensor information) Depends on the mfg obviously.

The clear answer is that it won't take an impossible to achieve number and with cheaper more integrated electronics and sensors you can have more completely independent channels for far less than it took before. Integrated circuits are meant to integrate things on a chip level. Even older mechanical sensors could be replaced with a diversity of fully solid state digital sensors placed in many locations to provide even more redundancy without the failure modes of older sensors.

Quoting mandala499 (Reply 145):
The Wikipedia segment you quoted was based on an erroneous report made by Reuters based on Bloomberg receiving a leak and publishing it. Reuters has since corrected that piece of news after meeting with the accident investigators who explicitly said to them that they have no evidence that the FAC circuit breakers were pulled.

To use it in this topic, shows you have absolutely no idea what you're talking about either.
I do suggest that you read the piece by Reuters a few days after their piece you quoted above through Wiki: http://www.reuters.com/article/2015/...sia-airplane-idUSL4N0VC30D20150202
Don't fall for the same media confusion...

No evidence yet is the exact wording so that wouldn't really qualify as a false report given it was a leak from the investigators themselves. The actual statement is no comment.

Quoting mandala499 (Reply 145):
There is no evidence that he did it to the FAC, this is according to the investigators. I am in consultation with parties to the investigation so saying this puts the investigation at risk, but your misunderstanding and maybe ignorance, I think warrants the risk. This is still ongoing so this may not be what the final report will say. What they suspected was that the FAC was giving fault indications despite the resets, so (if I remember correctly it was switched off as per procedure), and based on maintenance recommendations and after consultation with Airbus on a previous occurrence, when such a thing happens inflight, pull a circuit breaker (can't tell you which, but I can tell you it is NOT the FAC circuit breaker) this then reset the rudder trim which was going haywire, and the aircraft was then able to recover albeit they had lost too much altitude.

So you're saying you're committing a crime to prove that you have not yet seen evidence? Since this is a publicly accessible forum you either prove your link, which is probably a bad idea if you're saying you're jeopardizing an investigation, or it is all hearsay and probably on a level lower than a news leak that is in question.

If you're directly involved in the investigation you're in a conflict of interest to discuss internal matters and should not be leaking anything given the official response is no evidence yet and no comment.

If you put a forum discussion over an official aircraft investigation there are some serious problems going on here with your perception of safety management systems. Really I don't understand; you could just say wait and see and I would say ok we will wait and see.

I'm just going to leave it at, we will see what the official report says if the C/B was pulled incorrectly. Please do not leak any internal information on an ongoing investigation that makes zero logic/ethical sense. You have no proof of your official link or source and as such it is just a rumour and you should let it stay in that state.

Quoting mandala499 (Reply 145):
And you're there putting more ways to cover up complacency and poor training standards by proposing GCAS...
All in the name of preventing suicides... It won't prevent suicides.

Who said it was just for suicides? It is an advanced form of GPWS with the authority to act and a reset and off switch (initially). It would stop accidents due to non-malicious pilot error which is still a major cause of accidents. Sure, in some cases they may screw up and press the off switch and the plane crashes as a result, but since you need countless deaths to prove that a system is needed we would have an off switch to prove its worth with years of statistics and real world performance to back it up. It should not be immediately a full authority system, as automatic train protections never started that way and their simple systems started being used 110+ years ago with the first automatic train stop control system.

When the death count is in the thousands will you then change your tone about auto-gcas? If so I guess it will be a wait and see. I'm all for slow steady progress; it is a good idea for safety critical systems. (Trains took a hundred years from the first precursor, maybe for planes it will take another 50-80 years.) I'm in no rush, even if I'm dead by then by old age. I only really care about overall system safety, even if it takes decades to get buy in. For now I'll probably just make an app that has auto-gcas simulation so I can watch from my seat how it performs on commodity hardware in a purely entertainment grade level of programming. (Probably have it record data to microSD card(s); just in case, if there is in plane wifi you could probably stream it to fr24 too.)

[Edited 2015-04-07 21:43:56]
 
mandala499
Posts: 6592
Joined: Wed Aug 29, 2001 8:47 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Wed Apr 08, 2015 8:08 am

Quoting tomlee (Reply 146):
It just serves as a way for the pilots to say to the computer that something might be wrong. It gives the pilot a vote; basically, it helps break the two ADR disagree voting failure problem, as the human can cast a tiebreaker which would cause the vote to fail to reach the required quorum and the system to drop to warning only. But if the majority rules there is nothing wrong then it keeps on going (all systems normal). It also isn't back to square one, because even if it did drop to warning only, the system still operates in cases that are not suicide but due to pilot inattention, incompetency, incapacitation.

This is already done. The system on the Airbus goes beyond just a vote.
The current system on the Airbus is...
1. Is each ADR OK through the self checks?
2. Is each ADR OK by comparing with the others?
3. Is each ADR OK by checking with the FCPC calculations on where they should be?

Even with the 3 checks above, you can still have a "NAV ADR DISAGREE", where 1 ADR is an outlier via comparison with the other 2, and the self checks either all show OK or all show not OK, and the FCPC then asks the pilot to check them all to then pick which one is the right one. The system disallows an automatic majority rules. Under 2 ADR fault/fail or a NAV ADR DISAGREE, the FBW system goes to Alternate Law with no protection already (except G-load protection).

The crew then has to go through the ADR check procedure, which involves checking the pitch and power versus a set of tables, then the crew decides which one(s) (or none) are correct. If none are reliable then switch off all ADRs and fly with the BUSS, or fly with 1 ADR just to keep the stall warning but ignore the air data otherwise. You want that ADR OFF switch to be removed? The A350 and A380 still have those switches... for a reason.

If you want an anti suicide tool using GCAS, and you do not want it to be override-able then you must address the issue of systems degradation. How will you want the GCAS to operate with let's say just 1 or even no ADR? If you can make it operate with no ADR, hats off to you... and we'd be wondering why it hasn't been done yet. But if you cannot, then we ARE back to square one, as the ADR1/2/3 OFF button will still be required, probably for the rest of my lifetime.
I picked the ADR issue just as example. Same with IRS...
So, the protections, can be killed if you want it (although the question is, why would you want to unless you have to?)

Quoting tomlee (Reply 146):
Even if you could turn it off it would still improve safety in general.

If you could turn it off, doesn't that contradict your insistence that it (protections) shouldn't be able to be switched off?
So if you have an anti-suicide protection that can be switched off, we're all OK about it. It was you who went on about it shouldn't be able to be switched off.

Quoting tomlee (Reply 146):
1) Iced over pitot tubes will not agree with radar/GNSS/INS altitude measurements
2) AoA sensor stuck in the same position would not react to a descent command and could be ruled as defective when no change is observed even when large inputs are given and the system would disconnect automatically when it realizes the sensors or actuators may be defective and it can't tell what is the difference.

1. Even when they're not iced up, the static sensors will not agree with GNSS or altitude measurements due to pressure variations. Pressure and GPS altitude can vary up to several hundred feet at cruise altitudes due to the use of QNE, and also at low altitudes with very low temperatures. Pitot tubes are to measure speed, not altitude. Even when not iced up, the speed will not agree with IRS speed or GNSS speed, because the IRS and GNSS speed measures groundspeed, they cannot be used to calculate airspeed. The airspeed measured by the pitot is also an indicated/calibrated airspeed, which at altitude, gives vastly different numbers from true airspeed (true airspeed +/- wind = groundspeed). The problem is, airplanes do not fly with true airspeed.
2. The Airbus ADR Self Checks already do this. It compares the measured AoA vs a theoretical AoA calculated by the IRS using the FMGC weights. If it diverges too much, the ADR will reject itself and vote itself out of the FCPC/FCS.
One must be careful when using GPS/GNSS as a replacement for data source. The only thing used from the IRS to use in an air data display is the vertical speed indicator. You cannot use it for altitude or speed. In the BUSS, GPS altitude is used, but not for precise control, just to show you where you are at roughly and a rough AoA (pilot still flies using pitch and power). On the Airbus FBW, each ADR has its own AOA vane.

Boeing's system is I think a little bit more complex than Airbus', but the ADIRUs still have an OFF switch on the 777, and on the 787 you don't have it. The ADRS goes through a similar validation and voting system. When it cannot determine which is correct (and the Air Data source is selected to AUTO), it'll simply revert to the back up speed (AoA) and altitude (GPS), much like the Airbus BUSS. The difference here is that the ADRS is a single unit that takes in info from 2 AOAs, 1 TAT probe and 3 sets of pitot static systems (unlike Airbus that uses individual ADRs and the voting is done at the FCS). The thing with Boeing FBWs, the protections can be overridden by flight control inputs by the pilot. That's why they can get away with no OFF switches. So with a Boeing, you can still fly a perfectly good aircraft into a mountain upside down despite the envelope protection.

Quoting tomlee (Reply 146):
So this is a conspiracy now?

The PFC disconnect switch will remain to be there on Boeing FBWs for a while.
The designers at Boeing Commercial Airplanes do NOT want an airplane that doesn't enable the pilot to be able to override the computer. I did ask them, raising MS990, "even in the case of suicide?" The answer is, "even in those cases," because they do not want to take control of the rest of the pilot pool who are sane and cause more deaths through risk of systems failures despite their best efforts.
No, it's not a conspiracy. It's a common thinking between Airbus and Boeing on commercial aviation safety. Airbus provides an off switch... Boeing allows you to override it with brute force.

Quoting tomlee (Reply 146):
No evidence yet is the exact wording so that wouldn't really qualify as a false report given it was a leak from the investigators themselves.

No evidence yet, disqualifies claims of "switching the FACs off through the circuit breakers" as you quoted, as it claims to have had evidence. The claim, has no basis other than "I heard it through someone."

Quoting tomlee (Reply 146):
So you're saying you're committing a crime to prove that you have not yet seen evidence?

I am within the bounds of my non-disclosure agreement thank you.

Quoting tomlee (Reply 146):
If you're directly involved in the investigation you're in a conflict of interest to discuss internal matters and should not be leaking anything given the official response is no evidence yet and no comment.

Did I say I was directly involved? I did not.

Quoting tomlee (Reply 146):
I'm just going to leave it at, we will see what the official report says if the C/B was pulled incorrectly.

Agree, let's leave it at, there is no proof to confirm the allegation that the FAC C/Bs were pulled, until the report says otherwise. So, to make it fair and consistent, you should refrain from further claims that the crew of QZ8501 pulled the FAC C/Bs until the report is out and accept that your previous assertion of such is baseless as your source of the information has been disavowed by the investigators.

Quoting tomlee (Reply 146):
I'm all for slow steady progress it is a good idea for safety critical systems.

Our goal is common. I'd love to see an automated GCAS myself. However, where we differ is in the notion of "protections shouldn't be able to be switched off". There are cases when things have to be switched off... and suicidals can and probably will exploit it.
When losing situational awareness, pray Cumulus Granitus isn't nearby !
 
BubbleFrog
Posts: 159
Joined: Thu Mar 13, 2014 7:57 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Wed Apr 08, 2015 5:56 pm

Quoting Pihero (Reply 93):
Please let's get back to the subject.
I'm especially interested in the flying public thoughts after 9525.

- What would you see implemented ?

- Has your vision of airline safety changed ?

- Do you feel more at risk, now, or it hasn't changed your image of the airline industry ?

Sorry, this is going to be a long one...

I'd like to try and answer this as a member of the flying public.
In fact, as somebody who has absolutely no connection to commercial flying other than being a passenger (and not exactly a frequent flyer, albeit a regular one). And as somebody who, until fairly recently, was terrified of flying all her life (up to, but not limited to, in-flight panic attacks when it got a bit bumpy).


What would I like to see implemented?

I don't really know. I do think the two-on-the-flight-deck rule makes total sense and is fairly easy to implement - and I do accept that it can be a pain in the backside at times for the F/A's who have their own other duties to perform.
I also see that it seems to introduce an element of, shall we say, institutional distrust, which is not necessarily desirable. But it is outweighed by the benefits, imo.

Which leads to my next point. It has been said repeatedly that post-9/11, the element of the crew being a crew (as opposed to the anonymous blokes on the flight deck and the cart-pushers in the back) is a problem for the people involved. I concur.
And without knowing too much about this, I follow the arguments made that the unbreakable barrier that the cockpit door has become is a bit of a hindrance to good team work. Not sure if I agree to get rid of it, but I see the point with respect to the human factor. And I don't have a solution for this. I don't like it either way, I think.


Has my vision of airline safety changed?

Not really that much, to be honest, but it's fairly early days. I do think, however, that the solution is probably found on the ground rather than in the air. Training, screening, reporting procedures, de-stigmatising mental health issues while making (more) sure they get picked up and dealt with rather than swept under the rug due to prevailing attitudes.

To be honest, I'm not sure I had a detailed vision before your question came, so I am not sure it can change.


Do I feel more at risk, now, or it hasn't changed my image of the airline industry?

That is a really difficult question. Because the answer is yes and no. In my head, no. Pilot suicide/ murder or another cause doesn't really matter. The numbers as such don't change. It's safe. Full stop. Yet as somebody who has battled a fear of flying for as long as I can think, the facts don't help when it comes to my tummy. Again the cause doesn't make much of a difference normally, but after every single disaster, the "comfort factor" is lowered for a short while.

In this case, knowing the cause, your most important point about that fundamental trust being broken comes into play prominently. I know that slightly over 99.9% of pilots are not raving lunatics (and I perceive Lubitz as that, even knowing about mental illness personally -- I'm the outraged passenger here) and, as my mum used to say, want to go home after the flight just like us passengers. But while I can trust a plane, it's harder to trust a person I don't know at all.
So yes, the thought is there.

And I think that perception of shaken trust is rather strong. Most passengers know little about flying. Not the stats, not the technology, little to nothing about requirements for the crew to qualify as crew.

I enjoy flying now, and I can use my knowledge to subdue those ugly thoughts. A lot of people can't. A friend even asked me how I could possibly still claim that flying was safe. I can't, because those people don't even understand the argument. Numbers and a fascination with planes are meaningless to them.
So while I am in the lucky position to see my unease for what it is (the tummy grumbling), the unease is still there. Irrational and stupid as it is.

So no, I definitely don't feel more at risk, and my views of the industry as such haven't changed, once I have fought the internal argument between head and tummy. But I understand why it might be so for others.
Absolute Relativist
 
Kaiarahi
Posts: 1807
Joined: Tue Jul 07, 2009 6:55 pm

RE: Airline Travel In The Aftermath Of Flight 9525

Wed Apr 08, 2015 8:02 pm

This, echoing Pihero's sentiments, was posted on GermanWings FB page 2 days after the accident.

"Gestern morgen um 8:40 h stieg ich mit gemischten Gefühlen in einen Germanwings Flug von Hamburg nach Köln. Doch dann begrüßte der Kapitän nicht nur jeden Passagier persönlich, sondern hielt vor dem Start noch eine Ansprache. Nicht aus dem Cockpit, sondern sichtbar aus der Kabine. Darüber wie ihn und die Crew das Unglück getroffen hat. Darüber das auch die Crew ein flaues Gefühl hat, aber alle freiwillig da sind. Und darüber, dass auch er Familie hat, dass die Crew Familie hat und das er alles dafür tut abends wieder bei Ihnen zu sein. Es war völlig still. Und dann hat der ganze Flieger applaudiert. Ich möchte diesem Kapitän danken. Dafür dass er verstanden hat was alle dachten. Und dafür dass er es schaffte dass zumindest ich danach ein gutes Gefühl bei dem Flug hatte."

Rough translation:

"Yesterday morning at 8:40am, I got onto a Germanwings flight from Hamburg to Cologne with mixed feelings. But then the captain not only welcomed each passenger separately, he also made a short speech before take-off. Not from the cockpit, he was standing in the cabin. He spoke about how the accident touched him and the whole crew. About how uneasy the crew feels, but that everybody from the crew is voluntarily here. And about his family, and that the crew have a family, and that he is going to do everything to be with his family again tonight. It was completely silent. And then everybody applauded. I want to thank this pilot. He understood what everybody was thinking. And he managed to give me, at least, a good feeling for this flight."
Empty vessels make the most noise.
