Nof S.Y. Springer Handbook of Automation
Подождите немного. Документ загружается.
1215
Flight Deck Au
68. Flight Deck Automation
Steven J. Landry
A review of flight deck automation is provided
with an emphasis on examples and design prin-
ciples. First, a review of historical developments
in flight deck automation is provided. Current
examples of control automation, warning and
alerting systems, and information automation
are then provided. A discussion of human fac-
tors, integration, safety, and certification issues
are then discussed. The chapter provides guid-
ance to managers, engineers, and researchers
tasked with studying or building flight deck
systems. In particular, the chapter provides
an appreciation of the challenges of build-
ing such systems, and the challenges facing
those who will build the flight decks of the
future.
68.1 Background and Theory ........................1215
68.1.1 Historical Developments
and Principles ........................... 1216
68.1.2 Modern Automation ................... 1217
68.2 Application Examples............................1217
68.2.1 Control Automation .................... 1217
68.2.2 Warning and Alerting Systems ..... 1221
68.2.3 Information Automation ............. 1225
68.3 Guidelines for Automation Development 1226
68.3.1 Control Automation .................... 1227
68.3.2 Warning and Alerting Systems ..... 1227
68.3.3 Information Automation ............. 1228
68.3.4 Human Factors Issues ................. 1229
68.3.5 Software and System Safety......... 1233
68.3.6 System Integration ..................... 1233
68.3.7 Certification and Equipage .......... 1234
68.4 Flight Deck Automation
in the Next-Generation Air-Traffic System1234
68.4.1 Network-centric Operations......... 1235
68.4.2 Future Air Vehicle Types .............. 1235
68.4.3 Superdensity Operations ............. 1236
68.4.4 Integration................................ 1236
68.5 Conclusion ...........................................1236
68.6 Web Resources .....................................1236
References ..................................................1237
68.1 Background and Theory
Both the USA and European countries are currently re-
searching and developing automation, procedures, and
concepts in order to transform their respective air-traffic
systems [68.1,2]. This transformation will significantly
affect aircraft flight decks for many decades. As the
shape of this next-generation air-traffic system devel-
ops, sophisticated automation will be needed to take
advantage of the new infrastructure. This need poses
many challenges, including: how to take advantage of
a likely massive increase in the amount of available in-
formation, how to increase automation in a complex
human-integrated system without reducing safety, and
how to ensure that collisions between aircraft do not
occur in the face of significantly increased density.
This chapter is designed to provide guidance to en-
gineers and researchers who will develop technologies
for new flight decks. These engineers and researchers
will need to understand the challenges of developing
automation for a flight deck, including technological,
regulatory and certification, and human factors issues.
As willbe discussed,much has beenaccomplished from
the early days of automation. There have been signif-
icant technological advances (such as satellite digital
communications), but the utilization of these technolo-
gies in flight decks has been relatively slow. Regulatory
agencies are conservative in approving the introduc-
tion of unproven technologies, and there are many
integration issues associated with bringing new au-
Part G 68
1216 Part G Infrastructure and Service Automation
tomation into complex socio-technical systems such as
aviation.
First, a brief review of historical developments
in flight deck automation is provided. Next, several
specific types of automation are discussed: control
automation, warning and alerting systems, and infor-
mation automation. This is followed by a discussion of
guidelines forflight deck automation development. This
discussion centers on human factors issues, system in-
tegration issues, safety, and certification. Lastly, several
emerging concepts that appear to be the most critical for
the US and European efforts are discussed.
68.1.1 Historical Developments
and Principles
The very earliest flight decks had no automation per se,
and only rudimentary instruments to monitor the en-
gine, magnetic heading, and orientation (with respect
to the horizon). Later additions included barometric al-
timeters to indicate altitude, airspeed indicators (for the
prevention of stalls), and sideslip indicators. It was not
until flight at night and in conditions of poor visibil-
ity was needed in the 1930s that more sophisticated
navigation instrumentation became available.
Quite likely the first piece of significant air-
craft automation, however, was introduced in 1914 by
Lawrence Sperry. Sperry, utilizing the concept of the
gyrocompass invented by Hermann Anschütz-Kaempfe
(and subsequently patented by Sperry’s father in the
USA), developed a gyroscopic stabilizer for an aircraft,
and attached it to the control surfaces of a Curtiss B-2
biplane. In a demonstration in France, Curtiss and his
mechanic (Emil Cachin)climbed out on the wingsas the
now-pilotless plane passed in front of crowds of specta-
tors, thereby demonstrating the first autopilot [68.3].
Sperry’s autopilot used the principle that a spinning
gyroscope has a strong tendency to maintain its orienta-
tion regardless of the orientation of the containing body.
Therefore, deviations of the orientation of an aircraft
from the neutral positions (as given by the axis of the
spinning gyroscope) can be determined. This signal can
then be used to drive the control surfaces of the air-
craft according to specific control laws (which will be
discussed later in the chapter). Sperry was able to pack-
age this in a device that measured 18in×18in×12 in,
and weighed only 40lb (whereas his father’s gyro-
compass was so large it could only be used on large
warships) [68.4].
Sperry’s invention was the first of what will be
called control automation, whose purpose is to replace
human control of the aircraft with machine control.
If, in considering automation, only mechanical systems
that replace human functions are considered, then there
are roughly two other categories of automation in air-
craft – warning and alerting systems and information
automation, although many systems straddle these clas-
sifications.
Warning and alerting systems replace the pilot’s
function of manually monitoring for hazardous condi-
tions. For example, airspeed indicators were developed
mainly so that pilots could ensure that they maintained
sufficient airspeed to prevent a stall, which is a haz-
ardous condition where the wings no longer produce
enough lift to counteract the weight of the aircraft
(which therefore begins to fall).In most modernaircraft,
this monitoring function is replaced by a stall warning
device, which alerts the pilot to an impending stallwith-
out the pilot having to monitor airspeed and compare it
with a memorized stall speed.
The first warning and alerting systems automation
was likely an off flag for a particular instrument, warn-
ing of that instrument’s failure. Warning and alerting
systems proliferated rapidly starting in the 1960s and
1970s, with the Boeing 707 (rolled out in 1954) origi-
nally having only a few simple warning devices (such
as engine fire warning systems), the Boeing 747 (de-
ployed in 1969) having few (if any) more (although
many have been added to it over its life), and the Boe-
ing 777 (whose maiden flight was in 1994) being the
first built with numerous warning systems as standard
equipment.
Information automation provides pilots with access
to information that they would otherwise have to lo-
cate manually or calculate themselves. For example,
pilots will follow written checklists for various portions
of flight, and have procedures to ensure that checklist
items are completed. In some aircraft, checklists are
presented in electronic format, with the system ensuring
that checklist items are completed.
Probably the first information automation intro-
duced was the flight director. This automation provided
intercept guidance for pilots, who previously would
have had to determine appropriate intercept angles for
a desired course (and glideslope – the desired descent
angle to the runway).
World War II saw a dramatic increase in the use
and sophistication of aircraft, with that trend continu-
ing through the present day. In the early 1950s, a blue
ribbon panel was convened by the US government to
study research needs in aviation. This panel was chaired
by Dr. Paul Fitts, who was one of the pioneers of ap-
Part G 68.1
Flight Deck Automation 68.2 Application Examples 1217
plying engineering and psychology together to improve
aviation safety. The Fitts report provides a convenient
milepost for the state of automation and automation
research at the time [68.5].
68.1.2 Modern Automation
Modern flight decks include a great deal of automation
of all three types (control, warning, and information)
mentioned previously, although this is highly dependent
on the type of aircraft. At the top of the sophistica-
tion ladder (for civilian aircraft) is the modern airliner,
while there are still aircraft flying today that have the
same level of sophistication and instrumentation as the
earliest aircraft.
The most sophisticated commercial aircraft have
three-axis autopilots that are driven by a combination
of inputs from a gyroscopic inertial navigation system,
global positioning system, and flight management sys-
tem into which is loaded the desired flight route in three
(sometimes four) dimensions. These autopilots can nav-
igate to any point on the globe, and can be programmed
to arrive at a precise time. Moreover, these autopilots
have the capability to control the airplane without hu-
man intervention from the time it is driven onto the
departing runway by the pilot until it reaches a point
just off the arriving runway in any weather conditions.
These aircraft also have numerous alerting and
warning systems, including systems that detect colli-
sion dangers (with other aircraft and with the ground),
unsafe configurations (such as gear not extended for
landing), control surface overspeed warnings, engine
fire warnings, wind shear alerts, alerts for deviations
from assigned/desired altitude, and others. These sys-
tems, which usually utilize relatively simple sensors,
often contain complex algorithms. Aircraft manufac-
turer and company procedures dictatespecific responses
to these alerts.
Modern airliners also contain a great deal of
information automation as well. Among the infor-
mation automation commonly found in today’s com-
mercial aircraft are weather and ground-proximity
radar, navigation displays, electronic messaging capa-
bility utilizing communications satellites, and engine
indicating and crew alerting systems (EICAS) dis-
plays. EICAS displays are a highly integrated set of
displays covering a great deal of different informa-
tion, including engine temperature, engine pressure,
oil temperature, electrical system status, pressurization
system status, hydraulic system status, and fuel system
status.
In the next section, examples of these applications
will be discussed. This will be followed by a discussion
of guidelines for automation development, specifically
human factors issues, system integration issues, safety
principles, and certification and equipage issues. Fol-
lowing that is a discussion of principles for automation
development.
68.2 Application Examples
Many examples of flight deck automation were men-
tioned in the previous section. In this section, specific
examples of control automation (autopilots, envelope
protection automation, and automation for uninhab-
ited aerial vehicles), warning and alerting systems
(system monitoring, hazard monitoring, and collision
avoidance), and information automation (automated
checklists, cockpit display of traffic information, and
data communications) are discussed in more detail.
68.2.1 Control Automation
Aircraft are controlled through manipulation of three
rotational axes, as shown in Fig.68.1, along with con-
trol of the thrust produced by the engines. Each of
the control surfaces used to manipulate the rotational
axes utilizes the same principle as wings – increasing
camber of a surface moving through a fluid (i.e., the at-
mosphere) results in pressure differences between the
upper and lower control surfaces. These pressure differ-
ences produce a force that tries to move the surface in
the direction of lower pressure.
Control surfaces are connected by mechanical, elec-
trical or hydraulic means to controls that can be
operated manually by the pilots. The control surface
for pitch is the elevator, typically located on the hori-
zontal stabilizer near the tail of the aircraft. Manually,
the elevator is controlled by pulling or pushing the con-
trol yoke (or joystick). The control surfaces for roll are
ailerons, located near the end of each wing. Ailerons are
controlled by turning the yoke (or moving the joystick
to the left or right). Yaw is controlled by the rudder,
which is located on the vertical stabilizer, again near
the tail. The rudder is operated by stepping on pedals
located near the pilots’ feet. Throttles control the thrust
of each engine.
Part G 68.2
1218 Part G Infrastructure and Service Automation
Roll
Yaw
Vertical axis
Lateral axis
Longitudinal
axis
Pitch
y
w
x
w
z
w
Fig. 68.1 Yaw, pitch, and roll axes (after [68.6])
These axes are somewhat independent, although not
entirely. For example, stepping on the rudder pedals in-
troduces yaw, which in turn produces a rolling moment.
Increasing power through the use of the throttles results
in a pitch change; if pitch is held constant an increase in
power results in an increase in speed.
The null setting of each of the control surfaces is set
through the use of trim, which is operated electrically
(or sometimes hydraulically). Trim, however, can also
be used to manipulate the control surfaces instead of
moving the ailerons, rudder or elevator directly. In some
cases trim is a smaller version of the related control sur-
face (for example, typically the ailerons have small tabs
which can be moved independently of the ailerons and
act as the trim control surface). In other cases, the null
position of the entire control surface is set by the trim
(for example, typically the elevator null position is set
by trim).
Disturbances
Controller Plant
P(s)
uyer
C(s)
F(s)
Sensor
Output
Reference
value
Fig. 68.2 Basic feedback control loop
Autopilots
Modern-day autopilots control all three rotational axes
of an aircraft (pitch, roll, and yaw), as well as the thrust.
They accomplish this through mechanical, hydraulic or
electrical linkages with the trim surfaces and with the
throttles. This type of control provides smoother, more
accurate positioning ofthe control surfacesthan through
cable linkages, although manual movement of the con-
trols can produce larger movements in a shorter period.
The input to autopilots can be thought of as a devi-
ation from a desired rotational angle or speed, although
this may have to be derived from a desired ground track,
altitude, speed, vertical speed (i.e., rate of descent or
climb), bearing from a navigation aid or other form of
information more directly applicable to navigation. The
specific methods by which error signals are translated
into control movements are proprietary secrets of au-
topilot and aircraft manufacturers, so only a generalized
description is given here.
In basic control theory, an input (such as error from
a reference) can be transformed into an output through
a transfer function, which is commonly specified as
a function of the frequency of the signal. Such a sys-
tem is shown in Fig.68.2, where the transfer function
H(s)isgivenby(68.1) if plant disturbances are ignored
Y(s) =
P(s)C(s)
1+F(s)P(s)C(s)
r = H(s)r .
(68.1)
A simple controller can be constructed using a simple
integrator and delay. For such a controller, the transfer
function would be given by (68.2), where the time delay
is given by τ, the gain is given by k, and the integrator
is represented by the s in the denominator
H(s) =
ke
−τs
s
.
(68.2)
In such a controller, the behavior of the system would
be to dampen out the error signal, as shown in Fig.68.3.
In such a controller, the error signal from (t – delay)
seconds ago is used, resulting in some delay in the
response of the controller. That delay leads to the over-
shoot shown where the error crosses zero just after0.5s.
The error is fully damped after 3.25s.
Modern autopilots useverysophisticated algorithms
in place of the simple transfer function shown in (68.2).
Generally, automatic control in aircraft is considered
a multilevel system, consisting of a guidance loop,
a control loop, and a stability augmentation loop. The
guidance loop controls the navigation of the aircraft
by initiating commanded state changes in particular se-
quences to achieve a navigation goal. The control loop
Part G 68.2
Flight Deck Automation 68.2 Application Examples 1219
04123
Time (s)
25
20
15
10
5
0
–5
Error
Fig. 68.3 Step response of simple integrator with delay
(gain =3, delay =0.2s)
ensures that the commanded states are adhered to by
initiating control movements to dampen out errors be-
tween the actual and commanded states. Most aircraft
also have a stability augmentation loop that dampens
out undesirable aircraft modes. One such mode is Dutch
roll, which is a tendency for aircraft to slightly yaw and
roll out of phase continuously in flight.
Autopilot types are categorized in terms of the con-
ditions under which they can be used for approach and
landing. Specifically, the categories shown in Table 68.1
can be used to classify autopilots.
Pilots control the autopilot mode of operation
through a mode control panel (MCP), such as the one
shown in Fig.68.4. Using this panel, pilots select which
axes the autopilot should control, and the form of con-
trol that the autopilot should use. This form of control
is set as the mode of the autopilot. Modes that con-
trol the pitch axis usually include attitude hold, altitude
hold, verticalspeed,anddescent angle.Modes that con-
trol the horizontal axis include control-wheel steering,
heading hold,andcourse hold. Autopilots also gener-
ally have airspeed hold, mach hold, and specialized ap-
proach modes such as glideslope capture and autoland.
Fig. 68.4 Mode control panel (after [68.7])
The typical autopilot has several dozen independent
modes, each having complex dependencies with other
modes. Some modes are incompatible, and the system
must be designedto preventthese from being simultane-
ously selected. There are also combined modes, where
the autopilot will transition into a second mode at some
point as programmed into the automation.
The autopilot can be controlled manually by the pi-
lot through themode control panel,or can be set through
the flight management computer (FMC). The desired
horizontal trajectory (a sequence of latitudes and lon-
gitudes) of the aircraft can be stored in the FMC,which
then automatically controlsthe appropriatemodes of the
autopilot. The vertical profile as well as times to cross
positions or altitudes can also be entered.
These complexities make operating the autopilot
and understanding its operation difficult. In fact, several
fatal aircraft accidents have been attributed to autopi-
lot mode confusion, which will be discussed later in the
chapter.
Autopilots, as automation that literally controls the
aircraft, is safety critical, and therefore faces rigorous
scrutiny before being certified by the national aviation
Table 68.1 Aircraft autopilot categories and weather re-
quirements
Category Approach and landing
weather minimums required
I 60m/200ft ceiling
800m/0.5statute mile visibility
550m/1800ft runway visual range
II 30m/100ft ceiling
(usually with autoland)
350m/1200ft runway visual range
IIIa 200m/700ft runway visual range
(usually with autoland)
IIIb 50m/150 ft runway visual range
(IIIa with auto-rollout)
IIIc 0ft runway visual range
(IIIb with auto-taxi)
Part G 68.2
1220 Part G Infrastructure and Service Automation
authorities. For this reason, developers of autopilot soft-
ware tend to reuse or add onto existing certified code,
or have it generated automatically by systems that can
mathematically verify the code.
Envelope Protection
Airbus aircraft have a significantly different automa-
tion design philosophy than Boeing aircraft (or many
other aircraft manufacturers). While Boeing believes
that automation should never be allowed to irreversibly
override the pilot, Airbus believes that automation
should protect the aircrew from entering unsafe flight
regimes [68.8,9].
This results in automatic envelope protection in Air-
bus aircraft. Short of deactivating the system, envelope
protection makes it virtually impossible to exceed the
design limitations (G-forces, maximum speeds) or enter
unsafe flight regimes (stalls, excessive angle of attack –
the angle of the aircraft to the relative wind). Since Air-
bus aircraft use fly-by-wire (the control yoke activates
the flight surfaces through an electrical signal rather
than mechanical or hydraulic linkages), the envelope
protection automation can intercept these signals and,
for example, reject control inputs that would result in
excessive accelerative forces on the airframe.
However, the transitions in and out of flight modes
that activate or deactivate certain envelope protections
are opaque. This results in additional potential for mode
confusion, and has been cited as a causal factor in sev-
eral accidents [68.10,11]. There is also the possibility
that the aircraft is put into situations unforeseen by the
designers.
Both of these situations occurred on an Airbus A-
300 flight into Nagoya, Japan in 1994 [68.12]. The
aircraft was on approach (being flown manually) when
it was inadvertently switched into a go-around mode.
When the autopilot was activated, it attempted to
abandon the approach by climbing and accelerating.
However, the pilots, not knowing the aircraft was in
this mode, attempted to continue the approach by push-
ing forward on the control yoke, commanding a pitch
down. The autopilot, utilizing the pitch trim, counter-
acted these commands by running the pitch trim to the
full-up limit. As the plane pitched up from the autopilot
pitch command, the pilots disconnected the autopilot,
but engaged the autothrottles. In response to reaching
the maximum angle of attack, flight envelope protec-
tion engaged, initiating full thrust, causing the plane to
pitch up an additional amount and stall. The pilots were
unable to recover from the stall in time and the aircraft
crashed, killing 264.
This is not to say that the Airbus philosophy is infe-
rior; records are not kept of how many accidents were
prevented by having flight envelope protection. Rather,
the Airbus philosophy has introduced a new type of er-
ror, perhaps trading this off against the possibility of
other types of human error.
Although Boeing aircraft do not have strict flight
envelope protection, there is a soft envelope protec-
tion on its fly-by-wire aircraft. In this form, the system
warns the pilot of an approaching limit by increasing
the amount of force required to move the control.
Uninhabited Aerial Vehicles
Uninhabited aerial vehicles (UAVs) represent a new
class of aircraft, and UAV use is expected to increase
significantly in the future. UAVs can range from a so-
phisticated remote control vehicle (with virtually no
onboard automation)to afully autonomousvehicle with
onboard intelligence for navigation and other functions.
Unless one includes guided weapons, UAVs are
not fully autonomous. Humans must, at least, provide
the system with goals and rules for conduct. In most
systems, humans are also involved in monitoring and
some aspect of the control loop. Control of the ve-
hicle may be only at the outermost loop (navigation
commands), at one of the inner loops (guidance or
control) or some combination. For example, the US
military’s Predator drone requires manual flight for
takeoff and landing, but can follow a programmed set
of waypoints autonomously. The Global Hawk UAV,
however, can takeoff, fly a programmed route, and land
autonomously.
UAVs are in extensive use within the military,
although their use appears to have been slowed some-
what by development problems and high accident
rates [68.13]. Some of these problems relate to the
young age of the technology, but some also involves
human error. The operation of a UAV is not unlike
the operation of a motionless flight simulator, where
vestibular and somatosensory cues are absent. The ab-
sence of these cues makes fine control difficult, such
as required when landing a UAV on an aircraft car-
rier. Since replacing these sensory cues seems nearly
impossible, the emphasis has been on providing more
autonomy to the vehicle.
One of the main challenges for incorporation of
UAVs into the airspace system is that systems may not
be able to deal adequately with a malfunction and still
ensure separation from other aircraft. For example, in
the case of a communications failure, the UAV must
be able to successfully divert to a recovery field on its
Part G 68.2
Flight Deck Automation 68.2 Application Examples 1221
own while maintaining separation from other aircraft.
Currently, validated technology does not exist for such
a function. As a result, in the US national airspace sys-
tem, the Federal Aviation Administration (FAA)has
required a lengthy approval process to fly a UAV in con-
trolled airspace, and the UAV must remain under visual
control of an operator.
68.2.2 Warning and Alerting Systems
In addition to control automation, there has been a pro-
liferation of warning and alerting systems onboard
modern commercial aircraft. Early aircraft had limited,
individual alerting systems. As the number of these
increased, corresponding to the increase in complex-
ity of the aircraft, the location of many of the visual
alerts were consolidated into an annunciator panel, and
a master caution warning was added in a highly visible
location to indicate that one (or more) of the alerts had
activated.
On aircraft that have multifunction displays(MFDs)
instead of individual gages (also called glass cockpits),
the master caution and annunciator panels are often in
a less central location. Since the most important alerts
can be displayed directly on the MFDs, a master cau-
tion and annunciator panel are typically used for less
important or infrequent alerts.
Systems Monitoring
Aircraft are complex vehicles, with numerous systems
that require monitoring. Engines, the auxiliary power
unit (APU), air conditioning, pressurization, electrical
systems, hydraulic systems, pneumatic systems, fuel
systems, and mechanical systems (such as landing gear)
all need to be monitored, and can have failures that
are independent from the other systems. On older-
generation aircraft, many of these systems (e.g., fuel,
electrical, pressurization, and hydraulic) were moni-
tored and controlled by a dedicated flight engineer;
a typical flight engineer panel is shown in Fig.68.5.
On these aircraft, each system was segmented on
the panel, and often was laid out in a pattern mimick-
ing the physical layout of the components. For example,
the fuel controls (the lower left portion of Fig.68.5)
mirrored the physical location and geometry of the dif-
ferent fuel tanks, cross-flow valves, and boost pumps.
This was accomplished to help the flight engineer con-
trol the system with fewer errors and to speed diagnosis
of problems.
When new aircraft were being built in the 1970s, it
was desired toautomate mostof thecontrol of these sys-
tems and to eliminate the flight engineer position. The
reasons put forward for this change were to eliminate
human errorand toreduce crew cost.This change meant
that the pilots would be required to handle any mal-
functions in these systems, and that systems monitoring
equipment would have to bealtered foruse bythe pilots,
who would not be able to dedicate time to continuous
monitoring or extensive diagnosing of failures.
The new systems monitoring automation is com-
monly placed on an overhead panel, outside of the
normal view of the pilots. Alerts on the front panel
(within normal view of the pilots) provide an indication
that the pilots should check the overhead panel.
Hazard Monitoring
Pilots must be aware of several different hazards, apart
from systems malfunctions. Pilots must monitor for
dangerous weather (such as wind shear and thun-
derstorms), high terrain, and other aircraft. Systems
devoted to avoiding collisions will be discussed sepa-
rately in the next section.
In 1968, a Lockheed Super Electra penetrated
a thunderstorm [68.14]. In the resulting turbulence, the
aircrew lost control of the aircraft, and overstressed the
aircraft (beyond its design limits) in an attempt to re-
cover. The aircraft broke up in flight, killing all 82
persons on board. In 1977, a Southern Airways DC-9
flew into an intense thunderstorm, losing both engines
due to heavy rain and hail [68.15]. The engines could
not be restarted, and the aircrew attempted to make an
unpowered landing on a rural highway. Sixty-two of the
87 people onboard were killed in the ensuing crash.
Modern commercial aircraft all are required to have
onboard weather radar to avoid these situations. The
system uses common weather radar technology to dis-
play areas of precipitation to flight crews.
For aircraft on which weather radar is functioning
and available, such incidents do not appear in acci-
dent report databases. However, private aircraft are not
required to have weather radar on board, and such inci-
dents are still unfortunately common.Weather radar can
accurately paint areas of heavy precipitation, enabling
pilots to avoid them (and the associated turbulence and
lightning). While encounters with such severe weather
still occur, theyare usually the result of getting tooclose
rather than flying directly into the most severe part of
the weather.
A more common risk associated with thunderstorms
(for commercial aircraft) is windshear. A windshear is
a sudden change in the speed or direction of the wind;
downdrafts are similar but involve a shaft of cold air
Part G 68.2
1222 Part G Infrastructure and Service Automation
1. Public address panel
2. Oxygen regulator panel
3. Clock
4. Total air temperature indicator
5. Interphone panel
6. Aerial refueling light panel
7. Altimeter
8. Station lighting panel
9. Electrical panel
10. Engine instrument panel
11. Fuel panel
12. Flight station pressurization panel
13. Hydraulic panel
14. Environmental panel
15. Smoke detector panel
16. Thrust reverser pressure indicator panel
17. APU fire panel
18. APU panel
19. Gasper outlet
18
17
16
15
14
13
12
11
8
9
10
119 2 3 4 5 6 7
Fig. 68.5 Flight engineer’s panels from a C-141B
sinking rapidly toward the ground. Both types of wind-
shear are extremely dangerous in that they can quickly
change the lift profile of the aircraft, and have been the
cause of numerous fatal accidents.
One of these accidents occurred in 1975. An East-
ern Airlines Boeing 727 crashed on landing at Kennedy
Airport in New York, killing 112 of the 124 persons
onboard [68.16]. The aircraft encountered windshear
on final approach, and impacted the ground 2400ft
short of the runway. This incident spurred the US Fed-
eral Aviation Administration (FAA) to have a low-level
windshear alerting system (LLWAS) developed, and
prompted airlines to install onboard windshear alerting
systems.
The original LLWAS worked by detecting vector
differencesin wind through pole-mountedanemometers
placed at midfield of the airport and at five locations
around the airport. The system alerted if a 15kt vec-
tor difference in the winds was detected, but was prone
to false alarms [68.17]. Current LLWAS systems utilize
Part G 68.2
Flight Deck Automation 68.2 Application Examples 1223
12–32 sensors, placed at points based on the geometry
of the airport and typical convective weather activity,
and use more sophisticated algorithms for detecting
windshear and microburst activity.
Simple flight deck windshear alerting systems work
by monitoring actual and predicted winds entered into
the flight management computer. This capability is
often augmented by monitoring the groundspeed of
the aircraft. Systems have also been developed to use
forward-looking infrared radar, Doppler radar or other
systems to predict windshear.
Another hazard that aircraft need to avoid is terrain.
As a result of a spate of accidents labeled controlled
flight into terrain (CFIT),instrument manufacturers cre-
ated a ground-proximity warning system (GPWS). The
intent of this system is to detect when an aircraft is ap-
proaching the terrain in an unsafe manner (i. e., when
not intending to land).
GPWS, and the later enhanced GPWS (EPGWS),
utilizes as its primary inputs a radar altimeter (which
measures height above ground level – AGL), the baro-
metric altimeter, landing gear position, vertical speed,
and airspeed. The EGPWS also utilizes a terrain
database and the current aircraft position.
The hazardous condition that the GPWS was at-
tempting to detect was unsafe closure to terrain. Several
states of the aircraft were used to determine whether
this condition existed, including the altitude of the air-
craft, the descent rate of the aircraft, and the status of the
landing gear and flaps (to detect when the aircraft was
intending toland). Values ofthese states were combined
to produce envelopes of safe operation with respect
to terrain; operation outside of these envelopes would
constitute a hazardous situation. An example envelope
(from a GPWS installed on a US Air Force C-141B) is
showninFig.68.6.
The output of the GPWS is either nothing (if
a hazardous condition is not detected) or an alert (if
a hazardous condition is detected). In the earlier mod-
els of the GPWS, an alert consisted of a red light on
the GPWS panel and a whooping tone followed by
a computerized voice that annunciates pull up several
times. This very distinctive alarm was intended to pro-
vide pilots with clear guidance regarding the presence
of a hazard and the desired response.
Unfortunately, a number of incidents in which pi-
lots silenced the alarm without complying with the
mandated response have occurred, resulting in aircraft
crashing into terrain. These incidents were particularly
troublesome since the aircraft was perfectly capable,
0 1000 2000 3000 4000 5000 6000 7000
Radar altitude (ft)
Barometric altitude sink rate (fpm)
4000
3000
2000
1000
0
Fig. 68.6 Ground-proximity warning system envelope (mode 1)
and all the pilots needed to do to avoid crashing was
to comply with the alert’s desired response.
One supposed reason for this was that the system
produced spurious or false alerts [68.18, 19]. These
alerts caused trust in theautomation tobe eroded, result-
ing in pilots’ failing to comply with the alert response.
For example, if the system failed to detect that the land-
inggearwasdown,theGPWS would sound when the
aircraft approached the ground for landing, even if the
descent was controlled. In these situations, the pilots
would realize that thelanding gear was down andignore
the alert.
However, even if the landing gear was down, the
GPWS may sound if the aircraft is descending in an un-
safe manner (such as would be the case if the aircraft
were out of position such that terrain posed a threat to
the aircraft). In such a case, merely checking the state
of the landing gear would be insufficient. If the pilots
assumed that the GPWS was malfunctioning due to it
misreading the state of the landing gear, an accident
may result.
To assist the pilot with sorting out why the alert was
occurring, additional voice alerts were provided as part
of the EGPWS, which would help indicate which con-
dition was detected by the system. In addition to pull
up, the system would also state glideslope (if the air-
craft were deviating from the desired descent glideslope
for landing), terrain (if terrain closure were detected),
and combinations of these alerts would become increas-
ingly salient if the condition persisted. The low number
of such incidents over the last decade suggests that this
system has considerably reduced instances of failure to
adhere to the ground-proximity warning system.
Part G 68.2
1224 Part G Infrastructure and Service Automation
Collision Avoidance
Avoiding collisions with other aircraft is a shared
responsibility between flight crew and air-traffic con-
trollers. When operating visually (under visual flight
rules – VFR), controllers are not required to provide
any assistance and pilots must see-and-avoid other air-
craft. When operating primarily on instruments (under
instrument flight rules – IFR), controllers continuously
monitor the separation of aircraft using processed radar
returns, manually monitoring and projecting the posi-
tions of aircraft, interveningwhen potential conflicts are
identified.
In addition to see-and-avoid, aircraft collision
avoidance systems (ACAS) have been developed. These
systems utilize information transmitted from aircraft
equipped with an appropriate transponder system to
determine relative bearing and closure rate. Should
the closure rate and relative trajectories exceed some
thresholds, an alert sounds, warning the pilot of a po-
tential collision.
A particular implementation of ACAS is the traffic
collision avoidance system (TCAS), whose current im-
plementation isversion II. Version I ofTCAS (TCAS I),
is mandated for aircraft with more than 10 but fewer
than 31 seats; TCAS II is used for aircraft with more
than 30 seats. TCAS II, which requires that a particular
type of transponder (mode S) is in use on the aircraft,
coordinates resolution maneuvers if both aircraft are
equipped.
TCAS systems detect the transponder signals of
nearby aircraft (out to 14nmi), determining their hor-
izontal range, bearing, and vertical separation from
a series of interrogations of the transponders of nearby
aircraft. Closure information is calculated from a series
of interrogation responses, which is then translated into
the time to closest point of approach (CPA).
TCAS has two types of alerts: traffic advisories
(TAs) and resolution advisories (RAs). TAs are used
to assist the pilot in identifying aircraft that are prox-
Table 68.2 Alert threshold for TCAS II version 7 (after [68.20])
Actual altitude Sensitivity τ (s) DMOD (nmi) Thresholdaltitude (ft)
(ft)
level TA RA TA RA TA RA
Below 1000 2 20 – 0.3 – 850 –
100–2350 3 25 15 0.33 0.2 850 300
2350–5000 4 30 20 0.48 0.35 850 300
5000–10 000 5 40 25 0.75 0.55 850 350
10000–20 000 6 45 30 1 0.8 850 400
20000–42 000 7 48 35 1.3 1.1 850 600
above 42000 7 48 35 1.3 1.1 1200 700
imate and may pose a collision danger. No response is
required to a TA. RAs warn the pilot of a near-imminent
collision danger; specific instructions are included with
the alert to avoid the collision. This instruction is a ver-
tical maneuver that has been calculated to avoid the
collision. In TCAS II, if both aircraft are equipped,
these maneuvers are coordinated.
TCAS must contend with both multipath problems
and a condition called garble. Multipath refers to one
message being received multiple times – once directly
from the aircraft, other times after the message is re-
flected off the ground or other obstacles. TCAS must
know which of these is the original signal. Garble refers
to the overlap of signals. Since the messages are 21μs
long, several messages can overlap; TCAS must still be
able to decipher messages under these conditions.
TCAS must also balance the probability of miss-
ing a detection (MD) against likelihood of a false alarm
(FA). As mentioned previously, FA has a deleterious ef-
fect on automation trust; however, one also would like
all hazardous situations to be detected. In TCAS,the
sensitivity level (SL) of the system can be modified to
change the tradeoff point between MD and FA.
A sensitivitylevel of1, in whichthe aircraft does not
issue any alerts, can be selected by the pilot, or occurs
whenever thesystem goesinto standby mode (for exam-
ple, when the mode S transponder fails). The pilot can
also select a SL of 2, where the system only transmits
TAs. Sensitivity levels 4–7 are selected by the system
automatically, depending on the altitude of the aircraft.
As the altitude of the aircraft increases, the sensitivity
level goes up. With higher sensitivity levels, the system
alerts sooner.
TCAS uses both a time to CPA (τ) and the abso-
lute horizontaland vertical separations between aircraft.
The primarydeterminant of the alerts isτ, but when clo-
sure rates are very low, aircraft can come very close to
one another without violating τ (imagine aircraft on al-
most parallel courses, slowly converging). If τ (both the
Part G 68.2