Aircraft, Airliner, Jetliner, AutoPilot, Auto-Pilot, Crew, Incapacitation, Crew incapacitation, Hypoxia, Thrust, Loss of thrust, Fuel, Exhaustion, Fuel Exhaustion, Stall, Vertical, Steep, Vertical dive, Steep dive
Discussion of AutoPilot Induced Steep Dives to the Surface in Response to Flight Crew Incapacitation.
Why do aircraft autopilots cause near vertical high speed dives to the surface in response to crew incapacitation when it would be so easy and cheap to correct this horrible design flaw?
In recent years several crew incapacitation events, quite possibly including the famous Malaysia Airlines Flight MH370 incident, have ended in near vertical dives to the surface, killing everyone on board and rendering accident investigations extremely difficult and limited. Aircraft autopilots seem to cause these dives. They either have no provisions to monitor thrust or fuel capacity, or they fail to utilize the information properly. So when a fuel exhaustion event occurs, in utter ignorance or overt dysfunction they attempt to maintain programmed altitude, an impossible task. This causes a full stall of the aircraft. The autopilot does detect the stall, but reacts by completely releasing control of the aircraft. In full stall condition and with no person nor equipment in control, the aircraft then immediately pitches over into a very steep or vertical dive, impacting the surface at very high speed. Survival is utterly impossible. Land wreckage is pulverized. And though impact in a populated area is generally unlikely, it's just a matter of time before that happens too. In my personal opinion this situation is manifestly indefensible.
As we all know, an unattended stall is instantly followed by a nearly vertical dive toward the surface. George should never stall his aircraft - never. If he can do so, he harbors a horrific fatal dysfunction. Let's not apologize nor shift blame for George. Let's fix him. Lives and treasure hang in the balance.
Comments (Thus far just my personal introductory rants. Others are welcome of course.)
First, airliners are superbly safe.
This is not a fright site. It is a somewhat passionate technology discussion, but it must be viewed in context. Airliners appear to be the safest means to travel. See this article for a credible discussion of airline safety. The aim of this site is to improve safety even further - not to impugn the superb safety of air travel already achieved.
Second, a combination of a credibility hedge mixed with a summary of the basic problem...
I'm an electrical engineer, my greater strength in this matter, but I've never been directly involved in autopilot design professionally. I'm also an instrument rated pilot, but limited to single engine aircraft, and have never flown an autopilot equipped bird, so I have no direct personal experience with autopilots. And I've been inactive as a pilot for many years. Nor have I studied autopilot products or their history. So while some details seem well referenced and clear to me, I can only speculate about others.
The key detail, which does seem clear, is that some autopilots can cause a stall which almost instantly transitions to a near vertical dive to the surface. Perhaps many can. Perhaps most can, as I suspect. Common autopilot design seems to assume that a conscious crew will always be available to prevent the autopilot from doing something tragically stupid. The problem is that the crew is not always conscious, in command of their wits, or in command of the flight deck (due to ancillary circumstances). And autopilot design seems to have completely overlooked these possibilities with horrible consequences. This is especially tragic because it's simply not necessary. Autopilots should not stall their aircraft. Because there's no guarantee that a human will be available or free to arrest the tragic consequences. Yet currently autopilots can and sometimes do stall their aircraft. This must be corrected before more tragedies unfold.
And ultimately the problem must be corrected in such way that the autopilot retains logical control of the aircraft. Particularly when fuel is exhausted and thus thrust is lost. At that moment the autopilot must terminate its altitude maintenance directive and execute a glide speed maintenance directive. At a minimum it should retain its original course, but more advanced solutions will provide guidance to a most suitable landing or ditching location. And the best solutions will execute full optimum landing or ditching protocols, including extension of flaps, landing gear, and flaring as suitable for the location.
My initial rants are almost certainly technically flawed in some measure. I'll try to refine my views as time allows. I think my overall premise is reasonably accurate, but my research in this matter is rather shallow at this time, and all my comments were composed in considerable haste and perhaps with too much passion. The question as to whether my inaccuracies are so substantial as to derail my fundamental premise remains to be seen. Personally I suspect not. But we'll see...
Do current autopilots 'automatically' cause a steep or vertical dive when thrust is lost?
Is this how autopilots currently function?: Maintain programmed attitude and course through all entered waypoints. Ignore all fuel exhaustion or loss of thrust events. 'Automatically' stall the aircraft in response to a loss of thrust event. Disconnect when the full stall occurs. The aircraft then pitches over to a steep or vertical dive to the surface.
In other words, is this typical of a summarized pseudo command set which is executed after a crew becomes incapacitated?:
Maintain programmed attitude and course through all entered waypoints.
Ignore (or don't monitor) fuel supply.
Ignore (or don't monitor) thrust.
Negative altitude deviation detected:
Pitch up until programmed altitude recovered.
Further negative altitude deviation detected:
Increase pitch up until programmed altitude recovered.
Full stall detected:
Completely disconnect autopilot. Do not reconnect.
Fuel exhaustion loss of thrust result: Full stall, then an immediate pitch to a steep or vertical dive. Terminal dive, midair breakup, or (if very lucky) intact stall / dive oscillation until surface impact. Almost certain loss of all life. Massive damage or pulverization of all material, severely complicating accident investigation. (Evidently in the case of the Payne Stewart tragedy loss of thrust resulted in a near vertical dive at almost mach 1, and thus extremely extensive destruction on impact.)
Here's a highly summarized rational pseudo command set:
Maintain programmed attitude and course through all entered waypoints.
Monitor fuel supply.
Loss of thrust detected:
Terminate altitude maintenance routine.
Execute best glide distance maintenance routine.
Loss of thrust verified (fuel exhaustion amplifies confidence of loss of thrust):
Execute search for best emergency landing or ditching location (ELDL) within safety margined glide distance (detail 1 below).
Load course for best ELDL (includes location to begin landing maneuvers data).
Terminate all previous guidance routines.
Execute guidance to ELDL routine.
Reduce glide speed to minimum necessary to maintain full stability and reach ELDL with safety margin.
Load specific ELDL approach and landing or ditching routine.
Monitor landing maneuvers location waypoint flag.
Landing maneuvers location flag detected:
Execute ELDL approach and landing or ditching routine (includes flap, landing gear, and flaring routines specific to each ELDL).
Result: Possible survivors - possibly full survival. Possibly minimal or no injuries. Maximally intact material for accident investigation.
What is the actual current state of affairs? Did autopilots ever operate as I described in the first example? The Payne Stewart tragedy seems to suggest so. The MH370 tragedy might suggest so as well, though from my vantage point the matter's less clear. If so, do autopilots still operate in such a profoundly flawed manner?
One would assume not - presumably the Payne Stewart tragedy alone prompted correction of autopilots so that they respond to loss of thrust by at least reliably executing a transition to maintenance of the minimum safe glide speed if no guidance function is available, or best glide distance if full functionality as I described above is available.
This is not a significant technical hurdle - the minimal addition of loss of thrust detection followed by transition to an optimum glide routine is almost trivial. The full routine I described above requires more design effort but is not difficult, nor would implementation add any mass nor anything more than very minor cost to any autopilot equipped aircraft. But I can find no discussions of the matter. Hopefully my searches simply failed. But If I understand this situation correctly and no discussion or corrective action has been taken autopilots will continue to react to crew incapacitation and fuel exhaustion events by ultimately placing the aircraft into a steep or vertical dive to the ground or water. And crew incapacitation and fuel exhaustion events will recur - they're inevitable in the course of time. And such an impact might occur in a populated area.
Can this possibly be the current state of affairs? Surely the aviation community isn't maintaining such a massive blind spot. Anyone with information please advise.
Detail 1: A very substantial number of such locations should reside in the autopilot's data storage system - it should contain a very robust global map of graded ELDLs. This is not a technology challenge - modern data storage is very robust.
H. Bruce Campbell 3 November 2016 and subsequent modest edits.
More detail and supporting arguments.
I'm not proposing a high technology nor high expense solution. And this problem is not so rare nor so insignificant that inaction can be justified - not by a considerable margin, particularly if a factor in the MH370 tragedy as might very well be the case. (In that section of the article: "If no control inputs were made following flameout and the disengagement of autopilot, the aircraft would likely have entered a spiral dive." In this scenario when thrust was lost the autopilot attempted to maintain altitude anyway until it fully stalled the aircraft, then it disconnected, allowing the aircraft to pitch over into a very steep or near vertical dive, a tragically dysfunctional and manifestly destructive response to a loss of thrust event. Forgive me please for being blunt and dramatic, but this is a massively destructive and wholly indefensible glaring design flaw.)
For my base proposal, refinement of ordinary autopilots to include thrust monitoring and a simple transition to a controlled glide when loss of thrust is detected is, in my personal electrical and software engineering experience, literally an almost trivial engineering task. A reasonably experienced engineer could complete the basic design and coding modifications in one day, then revise a stock autopilot to render it ready for testing within another day. (Someone with direct autopilot design experience could probably complete both tasks within one day.) Thorough testing through certification would take longer of course, but only because the certification process for all design revisions is fundamentally labor intensive and cumbersome. But very little extra system cost would result - only a very modest increase to amortize the design, testing, and certification labor, with the certification labor by far the largest component in my estimation. (Depending upon preexisting access to thrust or fuel data, or the possibility of sufficiently inferring loss of thrust in software, no extra manufacturing cost would be involved since no significant hardware design changes are involved.) The full system I propose is certainly more complex and would require much more design, testing, and certification time. But only readily available off the shelf technology is required. And similar technology in the form of auto-landing systems already exists and presumably has proven capable in practice. Even the full system I propose is a relatively moderate design and development task.
Let's keep this in perspective. The costs involved in my base proposal would be absolutely trivial compared to the costs involved in the MH370 incident. Had the 777 simply cruised at minimum glide speed to impact with the surface lives might have been saved and the search, with all of its massive expenses, wholly unnecessary. My full system proposal might have saved even more - if the MH370 crew was incapacitated rather than on a conscious mission of destruction, a full system would have landed the aircraft at the highest level ILS within the 777's very substantial range, possibly saving all lives, and very likely preventing the loss of the hull, and certainly eliminating all the search costs. I haven't tried to rough in the accounting, but I suspect the MH370 losses alone eclipse the cost of development and implementation of my proposed full system. And another big bonus: In either case the accident investigation would have been swift, solidly conclusive, and, especially with my full system proposal, dirt cheap.
I do not propose a science fiction level solution, but rather an off the shelf technology level solution - ordinary current technology is more than sufficiently capable of accomplishing either of my proposals. And I do not propose a system which overrides crew authority - the system routine refinements I propose may be adjusted or terminated by the crew at any time as an ordinary control panel tasks. These refinements are not directed to terrorist nor suicide events - they address crew incapacitation related tragedies.
And I reiterate that this appears to be a massive blind spot. Given the evident number of crew incapacitation related incidents in recent years and the sheer magnitude of the worst of them, this is a critical design oversight which must be corrected. And such tragedies will recur - recent experience suggests so clearly. And while autopilot caused steep or vertical dives to the surface in response to crew incapacitation and subsequent fuel exhaustion have only involved unpopulated surface areas thus far, that won't remain true forever.
Do we really need yet another tragedy to prompt action to address this issue? I encourage experienced avionics engineers and accident investigators to join this discussion. I suspect we could develop a consensus rather rapidly, especially for my base proposal.
H. Bruce Campbell 4 November 2016 and subsequent modest edits.
Could a simple software modification reasonably eliminate the autopilot's stall inducement, and thus the horrific fatal dive problem, almost immediately and at almost no cost?
I can't be certain of course, but perhaps so. The idea is to add code which would enable the autopilot to detect rapidly decreasing cruise speed as occurs when an autopilot maintains altitude under zero thrust conditions, deduce that fuel exhaustion or complete engine failure had thus occurred (and that the crew might be incapacitated), then automatically replace its altitude maintenance directive with a minimum safe glide speed directive. This would prevent the fatal horrific stall, subsequent autopilot disconnect, and near vertical dive to the surface sequence. Instead the aircraft would maintain course in a minimum speed glide to the surface. If an incapacitated but live crew then recovered their wits, they would then release autopilot control and manually fly the aircraft to the nearest suitable airport. If no human was able to restore manual control, the aircraft would glide at minimum safe speed, on its normal course, to a surface impact. While a simple controlled glide to impact isn't an ideal way to end a disabled crew flight, it's obviously immensely better than a horrific and unsurvivable high speed near vertical dive to impact. A minimum speed glide to impact provides a chance for crew recovery and resumption of safe control, a chance for passenger and crew survival even if resumption of safe control isn't achieved, and greatly reduces structural damage to the hull, thus making accident investigation far easier, more fruitful, and cheaper.
I've not yet considered whether such a software modification could introduce new safety risks, though my initial sense is that's unlikely. Nor do I know whether most autopilots have operating software (aka firmware) which is easy to update and has sufficient capacity for the relatively modest additional code required, though I suspect so, at least in the case of large modern airliners.
Since this approach might eliminate the most egregious fatal sequence very quickly and cheaply, I think it should be carefully but swiftly considered and, if deemed viable, swiftly implemented.
Because if you're a passenger in a flight in which the crew became incapacitated, which would you prefer after all - a horrific near vertical dive to your certain death, or a minimum speed controlled glide during which the crew (or a passenger) might recover and regain control, or at least a far, far less destructive impact with the surface which you might survive, possibly even sans injury? And a rather simple operating software update might be all that's necessary to provide that good chance for survival. In my personal opinion this option should be immediately vigorously investigated, then if reasonably viable swiftly implemented as a first corrective measure. Lives are at stake.
H. Bruce Campbell 4 November 2016 and subsequent modest edits.
Sweating the details.
Autopilots vary in capability, complexity, and cost. Presumably some have access to a wide array of flight data but others have access to only a bare minimum of data. Autopilots with robust data access and a modern digital operating system can be easily modified to operate wisely in incapacitated crew circumstances. That doesn't mean they do so already - the MH370 Boeing 777's autopilot evidently was not capable of operating wisely in such circumstances, and may have sent the aircraft into a steep dive to the surface. But such autopilots, assuming they have access to thrust data, are likely very easy to revise so that they'll operate safely.
However, some autopilots have no access to key data, the most critical of which is thrust. That complicates matters. But it doesn't necessarily mean they can't be modified in a practical manner so as to eliminate the possibility that they'll stall their bird. If for example they have a software based operating system their code can be modified or new code added to infer loss of thrust from other flight data. In the most data deprived examples, where even airspeed isn't available, it might be possible to sufficiently infer loss of thrust from a time and magnitude envelop of pitch up commands. That is, if the autopilot must increase pitch up constantly, or nearly so (allowing for turbulence), within a certain time envelope in order to maintain altitude, then loss of thrust is almost certain. The autopilot must then terminate its altitude maintenance directive and execute a glide speed maintenance directive, and of course sound and flash alarms.
There is a possibility that an algorithm which must infer loss of thrust from indirect information might misjudge. For example a very broad downdraft might cause such an error. That's an unfortunate limitation. However, a transition to a glide, alerted with alarms, is obviously a far more benign error than a transition to a near vertical dive, alarms notwithstanding.
The bottom line is that autopilots must not stall their aircraft - if they can't maintain altitude, they must transition to an optimum glide. Clever engineering can be leveraged to achieve this even in autopilots which have very limited data access if they're processor based. I suspect most are, including very basic models, but I'm just speculating about that.
But in any case an autopilot must not stall it's bird. In my personal opinion, if it can't be modified to insure that and the aircraft serves commercial duty (carries passengers or cargo for profit), it should be replaced.
There does come a point when liberties must be respected of course. If the aircraft is not involved in commercial service then in my personal view the suitably informed aircraft owners and operators should be free to weigh their own safety versus cost tradeoffs. The vast majority of the risk is to them alone after all (discounting risk to people on the ground), and thus the decision should be theirs.
But when I purchase a ticket to cross the Pacific Ocean, I want it to secure me in a bird equipped with an autopilot which will not stall the aircraft under any circumstances (the sole exception being an intentional full flare stall at the moment of a planned landing touchdown). I don't want the autopilot in my bird to send me into a vertical dive to my death...
H. Bruce Campbell 5 November 2016 and subsequent modest edits.
A Boeing 727-200 Home The next dream: Airplane Home v2.0 ConcertOnAWing.com
Yuko Pomily: Uniquely superb original music by a truly remarkable young composer and performer. Purchase her magic.
NoSpam Notice: UCE (spam) or any unsolicited subscription based email distributed on an "opt out" basis is absolutely prohibited. Do not ever send any such email to any DeadlyAutoPilot.com nor AutoPilot.tech address.
UCECage@DeadlyAutoPilot.com. UCECage@AutoPilot.tech. Report mail misconduct to UCE@FTC.gov.