Sunday, March 29, 2015

Germanwings 9525, Technology, Incrementalism, Trust

Germanwings 9525, Technology, and the Question of Trust - The New Yorker

This article jumps a bridge too far relative to safeguards on aircraft. The plane doesn't need to COMPLETELY fly itself; it just needs more "self preservation" ... which fly-by-wire craft like the Airbus already have -- as do most cars now. Rev limiters, lock-outs to prevent shifts into reverse, not starting in gear, etc. My Gold Wing won't stay running in gear with the kickstand down, thus preventing me from driving off and being up-ended by turning with it down.

Current planes limit the ability to pull up too fast on takeoff, fly over-speed, damage the engines, etc. -- all these elements have good and bad points. A fairly recent slide off a runway was caused when a plane had not settled enough on the gear to allow the thrust reversers to be used. There was a way to override that, but the crew could not find that switch fast enough.

There are ZERO systems that are "foolproof" or "suicide proof", or that will not have unintended side-effects, as the hardened cockpit door added as a result of 9-11 did in this case. The systems analyst's game is a game of odds -- prevent the big failure, weed out anything "common". First do no harm.

Current nav information DEFINITELY allows the plane's systems to know where it is relative to the ground and where airports are. There is really not much of an excuse for an autopilot to accept a command to fly the plane into terrain. Such a command ought to require two pilots to type in an override code at a minimum, if it is even allowed -- I fail to see a scenario where flying a jet into terrain is "the best alternative available". It damned well better be in a landing configuration -- below 150 mph, flaps deployed, etc., etc. -- before the automation lets it get to, say, 1000 AGL (Above Ground Level).

Our technology is not ready to allow commercial planes to fly routes on their own, but it is clearly at the level where a plane ought not to allow a pilot to destroy it without putting up a very good battle! Certainly there need to be overrides and ways to "shut off most of the automation" -- because ALL systems can fail -- but those overrides can be two-man decision points.

Some of the more thoughtful may be saying, "Yes, but what if the other pilot is incapacitated?" ... etc., etc. Again, this is about ODDS -- what are the ODDS that you not only need to disable all the automation, but ALSO the other pilot is incapacitated? Even that is possible to get around -- perhaps a flight attendant has a third code to cover that eventuality. I'm not doing a full design here -- it just ought not be as easy as it apparently was for one pilot to instruct a $70M plane to fly into terrain.

The choice is NOT "remove the pilots" or "just go on with the same risks". There are LOTS of incremental steps that can, and I'd argue ought to, have been taken already, given EXISTING navigational and programmed automation capabilities, to make flying a modern aircraft into off-airport terrain an act that is nigh on impossible to execute.
