[Music]
MC: So, have you ever called IT, only to be told: have you tried turning it off and on again? Today we will be talking about pilots. Usually pilots are called "pilot in command", and we expect a pilot to be just that: in command. But today's pilots are turning more and more into computer operators and have less and less actual hands-on flying ability. So now imagine you are the pilot flying a gigantic computer at 30,000 feet with 200 souls behind you, only to be told by IT: have you tried turning it off and on again? So I would like to welcome Bernd Sieker, who is a systems engineer and an aviation accident analyst. He specialized in reverse engineering, and he is developing formal methods for the development of safety-critical systems. He will enlighten us about problems in aviation automation, because apparently every pilot has uttered the words "What's it doing now?"
[Applause]
BS: Yes, thank you, thank you very much. But first I'd like to learn a bit about the audience. So how many of you here in the hall today are pilots? Oh, quite a few. Commercial pilots? Far fewer. ATP, anyone? Yeah, there's one, I heard one but I can't see. Okay, so some of you will know about some of the stuff; I hope there's a bit of new stuff for everyone. Let's get right into it. What the announcer said was a bit of nice folklore; it's not completely true, but there's a little bit of truth to it. What I'm going to talk about is automation in the aircraft, and the idea is often, as he said, that it's just a computer and the pilot doesn't have to do anything. There's one saying that in modern airplanes there will only be one pilot and a dog: the pilot is there to feed the dog, and the dog is there to bite the pilot if he touches anything. So that's not quite yet how it is. I'll talk a very little bit about the analysis method that we use to analyze accidents, not only in aviation but mostly, and then I'll tell you a short tale of two throttles, or two thrust levers as they are sometimes called, and also talk about human pilots, how they cope with failures, or don't, as the case may be. And I haven't seen a lot of other talks here about self-driving cars, although they are now becoming a very big thing, so I'll touch on that briefly and have a tentative conclusion. I can't see very far into the future, so I'm not sure if I'm right about that. So what is automation in airplanes?
The most obvious thing is automated flight controls, on every airliner and on many small airplanes these days. There used to be a requirement for a simple autopilot even on small private single-engine airplanes if you wanted to fly under instrument flight rules. That has been relaxed somewhat now, but many small planes still have them. So there are three levels of flight controls there. The first one is manual flight, where the pilot moves the flight controls and the airplane does what it's told. Then there's the simple autopilot, where the pilot just sets airspeed, altitude, climb rate, stuff like that. And there are managed modes now, where there's a more sophisticated computer which has knowledge about the whole flight, with waypoints and altitudes. And there are other automated systems, not only the flight controls: spoilers on the ground have to extend to help slow down the aircraft; the high-lift devices are automated; radios, maybe auto-tuning; there's the computer that controls the engines, full authority digital engine control. There are things like cabin pressurization, and many other small subsystems are automated, as they are in cars these days.
So what is automation not? It's not yet, except for very few specialized drones, a self-flying aircraft. The pilot in command still is in command at all times; you can turn off the automation, you can fly the aircraft at any time if you want to, or have to, and barring any serious errors, which are extremely rare in commercial aircraft, the airplane does what it's told. The autopilot really doesn't have any decision capabilities except at the very lowest level, deciding on a bank angle to make the right turn and things like that. It is also not a panacea for any errors that the pilot can make; you can still fly a highly computerized modern aircraft into the side of a mountain if you want to. Some military aircraft actually have systems that will prevent you from flying into a mountain if they're active or if you have passed out, but airliners don't at this time. And of course the pilot in command still bears the ultimate responsibility for the safe conduct of the flight. So, as I said
briefly, manual flying is just stick and rudder: you move the stick and you move your rudder pedals, and the airplane moves the control surfaces, mechanically on small airplanes, hydraulically assisted or even computer-assisted on some airliners. On most modern airliners it's called fly-by-wire, you may have heard about that. Then there are the simple autopilot modes, where you directly select the heading and the airplane flies in that heading, and managed modes, as I said before, where you have a sophisticated flight management system which then in turn sets headings and climb rates and things like that on the autopilot proper. They are not super reliable; they can be thrown off by many things, and mostly they turn off when there's any small error in any of the small subsystems, any of the various input values that you get: airspeed, altitude, engine power, anything. If any of those have invalid readings it'll turn off, and the pilots have to assume command in that case. They cannot handle basically anything unexpected. Most air sensors are there threefold, so if only one of them disagrees, the other two are usually taken as valid; but if all three disagree, then the system just says "I don't know what's true anymore, what the speed is", and all the automatics drop out, and most of the computer-assisted manual flying also is turned off in that case.
So this is, very briefly, the method that we have developed at the University of Bielefeld with Professor Ladkin for analyzing accidents, called Why-Because Analysis. It uses a formal notion of causality called the counterfactual test, and then you can make a very nice graph for accidents; they're usually bigger than that, but it's a more or less objective criterion for causality, and when different people with some experience in the domain make why-because graphs of an accident, they usually are very similar to each other.
So there's a lot of automation on modern airplanes, and it's quite hard to get it right. One of the reasons is that, unlike for many situations in cars and rail vehicles, there is no default safe state; you can't just turn everything off and stop by the roadside. So the engineers always have to plan for many eventualities, what can happen in the air, and decide what, given a certain set of circumstances, is the safest state for the airplane to be in. That is not always unambiguous, and it's a very hard decision to make, and sometimes they get it wrong. And sometimes you just get into that situation where, for the set of measured values that the system gets, in most circumstances one set of decisions is the correct one, and you get into that situation where the computers get the same inputs and that decision is the wrong one, and that may still lead to an accident. Those are very few and very rare, but these things can happen.
A few of the decisions that the engineers have to take when designing the automation in airplanes: what to do if things fail, if certain individual things fail, if a combination of things fail; little motors, sensors fail, some actuators fail, a hydraulic system fails, anything like that; what you do in that case with the remaining systems, and what to tell the pilots. Well, naively you might assume the pilot wants to know about everything that is broken, every little valve, every little system that is broken on the airplane. But if a lot goes wrong at the same time, then the decision has to be taken which of these things that have gone wrong are the most important for the flight crew to know, and that's not trivial at all. It can very easily lead to sensory saturation of the pilots, so they don't know what is what anymore, because from all sides alarms are blaring and there are lots and lots of displays that they have to watch. So certain error messages are suppressed in certain stages of the flight, so as not to overwhelm the pilot.

And some things that may be essential to have on the ground, some functions, for example the wing spoilers, those are the big flaps on the top of the wings that come up after touchdown, are important to have on landing to dump the lift so the airplane doesn't jump up again. Because at touchdown it is still at a speed at which it could fly, at least for airliners; for small airplanes it's a bit different, but airliners are safely above the very lowest speed they can go when they touch down, so they need to have some means to make sure they don't jump up again. They still do sometimes, but not very often. But the spoilers destroy most of the lift, so deploying them in the air close to the ground is extremely dangerous. So the computer has to be absolutely certain, so to speak, to know that the aircraft is on the ground when it gives the command to deploy the ground spoilers. If it does that a few seconds too early, when the airplane is still a hundred meters up above the ground, that will likely be a fatal accident.
So in most, at least in most jet airliners, not in all propeller-driven ones but in almost all jet airliners, there's automatic thrust management, so the computer does not only control where the nose of the airplane points but also how much power the engines produce. And there are two different, one might call them philosophies, between the two major airframers. Boeing and most others use back-driven throttles, so the computer sets the thrust and moves the thrust levers to match the commanded thrust position. Airbus has a different system, where the thrust levers remain in one position throughout the entire flight, basically: after takeoff, when thrust is reduced for the main climb, and cruise, and descent and everything, they remain in one position and the computer tells the engines directly which thrust to produce. And there's an argument about which one of the systems is better, but I'll show you three accidents in which the thrust system, the throttle system, played a role. So the first one has a little video.
You will see, I think there are two different camera perspectives, you will see two airplanes landing of the same class; they are small airliners, 150 to 200 people, something like that, now landing, and the first one is a normal landing. So it's already pretty slow, takes its time. And the next one is the accident flight. It's on the same day, it's only minutes apart, so on the same airport, and you can see that one is slowed down and the other one is still going very fast. So there's the first one, and that's the second one, and as you can imagine that didn't end well. It was one of the worst aviation accidents, maybe still the worst today, in Brazil, where 200 people died.
And as you can see, this is a transcript of the flight data recorder, the digital flight data recorder, and the first two lines are the interesting ones; that says TLA, that is thrust lever angle. Normally what happens on landing, just before touchdown, the pilot pulls both thrust levers to idle, the engine thrust goes down to idle, and then it touches down, engages reverse thrust, spoilers, brakes, everything to slow down. What happened in this case is that the pilot only moved one of the thrust levers to idle and left the other there, put the one thrust lever in reverse but not the other, and that led to the computer getting conflicting information about whether the pilots actually wanted to land or not. So it didn't deploy the automatic wheel brakes, it didn't deploy the spoilers, and reverse thrust only on one engine. So that went pretty badly. And some people said, well, with tactile feedback from the thrust levers, if the pilots had been used to that, they would have noticed earlier. We can't really be sure, because the pilots also died in the accident, but there were some people who made a case that moving thrust levers would have been a lot better in this case. So is that always better?
Here's another throttle-related accident. This time it was a Boeing 737 at Amsterdam Schiphol Airport. There was a small technical malfunction which caused the computers to think the airplane was actually eight feet underground; that was the reading that it gave, due to the way it works, and so it said "Oh, I'm below 30 feet, I have to reduce the thrust to idle", and that's what it did, although it was still a couple hundred feet high. The pilots didn't notice early enough and let the speed decay, and the wing stalled and the airplane crashed, and nine people died. It was only a moderately hard crash, so most people survived actually, though it was still a problem. And the way the autothrottle system works in this case: if the thrust levers had been static, this wouldn't have happened, because the pilots had pushed the thrust levers above a certain detent and it wouldn't have reduced thrust automatically again. So it's very hard to say which system in total is better. You can count the accidents, maybe, in which it played a role, but there are so few, they're really less than a handful in each case, so they're not statistically significant, so you can't really say by statistics alone which system is better than the other. They both have their own problems, and this is one of the decisions, as engineers, that you really can't make a decisive argument for, so one manufacturer chooses one and the other chooses the other.

And there's another one, Asiana flight 214 at San Francisco; many of you may remember that. Only three people were killed in this one, because it really burned out only after the crash, after everyone had evacuated. The autothrottles didn't work as expected in this case; the pilots thought "Oh, the autothrottles will hold the speed, we don't have to worry about that." As far as I remember there were five pilots in the cockpit, and when finally someone noticed and pushed the throttles forward it was already too late. The engines take that time to spool up; the legal requirement is that they may take up to eight seconds to spool up from idle to the necessary power to go around, and there wasn't enough time for that, because after the engines have spooled up the airplane also still has to accelerate to get back to flying speed again. So in this case again the wings stalled, the airplane crashed just short of the runway, and three people died. And the third case was even one where nothing was wrong with the airplane, except, you could argue, it was a design flaw, but it was working as designed. People who were going to fly the aircraft learned how the system worked, learned everything about it, hopefully; and so more training may perhaps be the answer. That is one thing, system knowledge. Two: crew resource management has been a big thing in previous decades, that the pilot in command is not a dictator on the airplane; he has to listen to the others, to the other pilot, even though he has ultimate authority in decisions.
So do pilots always screw up if the automation fails? No, luckily not. If other systems fail, in this case not the automation really, there are two cases which I would briefly mention. Chesley Sullenberger, everybody knows about him, the movie has just been out; the ditching in the Hudson, superb pilot, great decision making to find the biggest flat surface in the area to put it down. And Peter Burkhill [???]. So who knew about Peter Burkhill? A few. He was the one who saved about as many people as Sullenberger when, on approach to London Heathrow, both engines lost thrust, most of the thrust anyway, and he managed to put it down within the airport but short of the runway. It was a crash landing, the airplane was destroyed, but nobody died, so it was a pretty good outcome.
So airplanes are one thing, another thing are cars. And anyone here has a self-driving car? Or at least a lane assist or something? Not many, so not many people trust these newfangled systems, I guess. One of the big differences is that pilots who are going to fly highly automated aircraft have to take a long training course, beyond their pilot's license, to learn the specifics of operating this specific aircraft, and maintenance is very highly controlled and regulated, so that's another thing. And the thing for cars in general: if something's wrong with the engine you can just pull over to the right and stop, in most cases; and cars cannot just take off and take evasive action in the third dimension; and there are lots and lots of obstacles on the ground, there are trees, cars, people, houses, everything, whereas the air is mostly empty. Not entirely: midair collisions do happen, but they are very, very few. The automatic systems in the self-driving cars, or the autonomous cars, that we have today require constant monitoring, and if the systems work too well, then drivers may actually forget about it and think they are perfect and let their attention wander. Pilots sometimes are prone to do that as well, but the thing is that in cruise flight, if the automatics drop out, the pilots have on the order of minutes to react, really at least several seconds, whereas on a road car, if the automatics drop out and you're in a curve, you have fractions of a second to save the car with the current state of the technology.
Some of you probably have heard about the trolley problem, or trolleyology as it's sometimes called. It basically boils down to this: a fully autonomous car, a highly automated car, may eventually have to make the decision between killing the occupants and killing people on the road. And I think that is fundamentally an unsolvable ethical problem that we cannot just leave to the engineers or the car manufacturers to decide. That maybe the occupants are always more important than people on the road? What if there's only one person in the car and there's a crowd on the road, and you have to decide between steering the car into the tree and killing the sole occupant, or killing several people that are in front of the car? These are situations that may actually happen. So I really can't see what the right answer is to that, if there is one, and maybe there isn't one. Some engineers have actually suggested that making a random decision in that case is the answer. I'm not too sure about that either, but whatever decision the software takes at that moment, then people will die, and they will take the blame either way, and we don't know yet how that's going to turn out in front of the courts.
So automation is hard to get right, and in some cases, self-driving cars, it may be impossible to get it absolutely right. Which state is the safest for the systems to be in, and at what time? Who knows. It's very, very hard to get it right even in limited systems such as airplanes, and what to display to the operators and when. In many cases it would help the pilots a lot, when the automation drops out, to know intimate details of how the system works internally. Airbus has some logic diagrams in their pilots' handbook, but they are labeled "for info", which means they are not required for any exams, it's just interesting to know. But in the case of the logic for extension of the ground spoilers, it's quite helpful to know which conditions exactly have to be satisfied for the ground spoilers to deploy.
But some of these problems, I think, cannot be left to engineers and scientists alone, and we need psychologists and maybe sociologists, other people who know about the psyche of people, who know about how people think, how people react, how people process information, to make good engineering design decisions to build safer systems. And, as I said, some of the fundamental ethical problems may turn out to remain unsolvable. Thank you. I think we have a little bit of time for questions.
[Applause]
MC: Yes, we actually do, we have some time for questions, and we're gonna start with the internet, if there are any questions. No, there are not. Then it's microphone number three.
Q: Yes, you mentioned the ethical problem of the decision making, the trolley problem. So whenever this comes up regarding automated driving systems, whether it be flight control or car driving, I always get a little bit mad when philosophers come up with that. There is one decisive decision you can make, and that is: the whole thing should act predictably. Especially in road traffic, the utmost importance is that all participants behave predictably. Swerving out of lane is the most dangerous thing you can do.
H: And what's your question?
Q: And if you have to make this decision, people say you have to make a decision, then I say no, there is a definitive safe state, that is: drive with enough distance to the guy in front of you, don't tailgate, don't speed up, because if you're a regular driver...
MC: No, no, please ask your question.
Q: Okay, the question is: why are people always saying it's ethically not decidable?
BS: It isn't, because if just keeping enough distance would solve all problems, that would be fine, but cars are not the only participants in traffic. There are people, right, and they can just jump in front of a car. That is not predictable. Yeah, you can require people to behave predictably, but good luck with that.
Q: I would like to counter that.
[Applause]
MC: Okay, I'm sorry, there's not much room for discussion right now, but microphone number two, please ask a concise question.
Q: Okay, let me try. So you said about automation in airplanes that whenever there is a small malfunction the autopilot will disconnect and expect the pilots to fix the situation, right? So it is my...
BS: Yeah, it's not the smallest problem, but some, yeah.
Q: Okay, so, but it is my understanding that the pilots are still expected to follow procedures and not make any random gut decisions in most cases. My question is: do you have statistics on in how many cases the standard procedures were actually not applicable, and in how many of these cases did the pilots actually manage to save the flight?
BS: No, I'm not aware of any statistics, and one of the problems with that is that in general the data recorder is only read when there was an accident, and it is strictly off-limits in all other circumstances. Some airplanes have a quick access data recorder which they can routinely read, but only anonymized, so, and I don't think the airlines publish statistics about that.
MC: Okay, last question, microphone number four please.
Q: Yeah, I just want to bring this back to sort of the IT security part. What I find very good about the way accidents are handled in aviation is that the report is completely public, so if you want to read, you know, the Challenger [???], you can actually read all the technical details and all the stuff that happened, and all that information is there. And the question is: why is this not happening in the IT sector, where clearly millions of people are being affected, and somehow you haven't reached this stage where the data and the analysis of the data is public so we can all learn from it and get better, as it has been, you know, the way...
BS: I think the short answer is, excuse me...
Q: No, it's good.
BS: I think the short answer is because there is no legal requirement, and if there weren't one for accident reports to be distributed, then many airlines wouldn't do it.
Q: but why? It's very clear [???]
BS: It's because it's embarrassing if you have an accident; it's basically the thing, I think.
MC: Okay, very last question, microphone number one please.
Q: Hey, so one of the reasons we have automation in aircraft in the first place is to reduce pilot workload, where too high pilot workload is a major cause of accidents. It seems like one of the issues we're talking about here is that in a situation where something's gone wrong, the presence of that automation, and needing to understand it, means you've got a higher pilot workload in that situation, the question "what is it doing now". What's the industry's sort of approach to that effect, and what do you think about that?
BS: I think the traditional approach is to just pile on more automation, so then if that fails the pilot has an even higher workload. But the current thing is that manufacturers and the airlines go back, very, very slowly, to letting the pilot hand-fly more often. For a long time the mantra was: use automation whenever possible, the highest level of automation that is appropriate for the situation, so only the takeoff and touchdown were flown by hand. And now it is very often: use the appropriate level of automation, and that means if there's not very high workload and not a lot of traffic, then hand-fly the approach, for example, so as to keep in good practice and to maintain proficiency for all situations, hopefully.
MC: Thank you, and please give a warm hand of applause for Bernd Sieker.
[Applause]
[Music]
subtitles created by c3subtitles.de
in the year 2018. Join, and help us!