
Airlines Need Fail-Safe Programs

Robert Ditchey, a graduate of the U.S. Naval Academy, is a former Navy pilot. He is one of the founders of America West Airlines.

My computer and most of its installed programs have features that are designed to prevent unintended mistakes. Unless I “save” this document, for example, my word-processing software will give me a warning before I can “close” the document. There are other everyday examples that can be cited of designs that help us to stay within safe or smart boundaries. It is time to apply these concepts to airliners.

It now seems possible that the EgyptAir Flight 990 disaster was caused by one of its pilots committing suicide by deliberately diving the aircraft into the ocean, obviously a flight regime that is completely outside of anything intended by the Boeing design engineers. That a pilot, acting alone, could possibly push the nose over and shut off both engines is something that the FAA needs to examine carefully and without delay.

Technology is readily available that can place bounds on the pilot’s ability to move the flight controls in such a way that the airplane’s design flight envelope is exceeded. Put in simple terms, the pilot can be prevented from pointing the nose of the aircraft sharply downward or upward beyond a catastrophic amount. Or, for example, the pilot could be prevented from performing an “aileron roll,” or from rolling the aircraft beyond something like 60 degrees of roll. Such technology, if installed in today’s airliners, would prevent the aircraft from being intentionally crashed in a manner suspected in the EgyptAir disaster as well as several other recent incidents.

Such equipment does not have to be either expensive or complex, and the FAA could mandate that it be installed in current and future transport aircraft.

As a Navy pilot, I was qualified as a “nuclear delivery” pilot; I trained and flew an aircraft that was capable of dropping a nuclear weapon. The equipment on board that aircraft positively prevented me from releasing the nuclear weapon without another crew member of equal qualifications permitting me to release it by moving a switch in tandem with me. Submarines and missile silos are comparably equipped to require the “two-man rule” before a nuclear weapon can be launched.

This concept could be extended to render “safe” the flight controls of an airliner. We already measure and record (using the flight data recorder) the relevant flight parameters. To satisfy even the most intransigent pilot, an override (such as the nuclear weapon example) could be provided. Both pilots, acting in tandem, could deliberately exceed these built-in limits, should such extreme measures be needed in a case such as an “unusual attitude” when the aircraft may be in peril. The system could be rendered “fail-safe.”

With more expense, this limiting flight control system could be employed to take advantage of present day unpiloted vehicle design. There are many “unmanned” aircraft designs that are operating successfully, some controlled from the ground and some in an on-board, programmed manner. Unmanned aircraft have been flown across the Atlantic Ocean. Indeed, we have the technology to control spacecraft orbiting and on the surface of Mars. In the airline example, we could build in a system that, once the flight controls reach a limited condition, both the air traffic control system and the airline’s operations control center would be automatically alerted. Going further, the airline control center might even take over remote control until a safe condition is reestablished.

Boeing and Airbus take different approaches to flight control design. In this case, the Airbus philosophy is closer to the concept espoused here. “Fly-by-wire” electronic control systems, in which there is no mechanical link between the pilot’s control and the elevator or other aircraft control surfaces, have been in use for many years. And some military aircraft are inherently unstable and cannot be controlled in certain parts of the flight envelope without the assistance of an on-board flight control computer. The point is, none of this is unusual to today’s aeronautical engineer.

Very few airline pilots are happy with the two-pilot design of today’s air transports. Much of the discussion has focused on economics, job protection and related issues. There is, however, a safety issue when there are only two people remaining in the cockpit. This issue is exacerbated when one of the pilots must go aft to visit the lavatory, as some reports indicate happened in the EgyptAir flight. It is a pilot’s nightmare to find oneself flying with and relying upon an unsafe--not to mention suicidal--colleague. The two-pilot cockpit is here to stay. Leaving the design of the flight control system with an antiquated concept is plainly wrong from an engineering viewpoint.

One shudders to think of a single-piloted airliner, and the idea of an unstaffed, remotely piloted airliner is almost unthinkable, even with heavily redundant computer systems. On the other hand, there may have been two pilots fighting one another on board EgyptAir Flight 990. If the “good” pilot had been assisted by a flight control limiting system, this disaster might not have happened.
