Dear Lu
Thanks for that. The last line of my previous post was not very helpful, so I am not surprised you have not exactly answered it!
What I should have said was that 50 years ago when the RAE boffins were looking to achieve experimental autolands their first concern was that the automatics would properly control the aircraft and achieve a standard of approach and landing that was at least as good as the best human pilot on a good day. Once they had achieved this the next issue that had to be addressed was reliability.
At that stage of history the stats showed that human pilots were causing a fatal landing accident about every six million landings. The CAA therefore said that to certificate an autoland system you must show that it will only cause a fatal accident every seven million landings.
When the boffins looked at this requirement and did the failure analysis sums that you are so familiar with, they realised they could NEVER demonstrate such a reliability unless the system was only critical for a few seconds per approach. This led to the notion that the human pilot had to be able to take over and carry out a safe overshoot (or go-around) for all except the last few seconds before touchdown. The pilots said if we are to do this at the last moment then the way the autos fail must be a simple OFF and not a hard over failure. To ensure such a benign failure the systems were made multi channel and initially voted out a bad channel when it arose. If the remaining channels could not agree subsequently then the system was disconnected (the OFF case) and the human took over.
Now we had a plan and we progressed from Varsity workhorses to the Comet 3 and the Trident.
The Trident (as I am sure you know) was certificated for autolands in fine weather only and with specially trained BEA crews. After many years of such ops with no problems the first poor weather landings were allowed, then later when even more data had been accumulated, fog landings were allowed providing there was enough RVR for the pilot to control the direction during the rollout.
So what does all that mean? It means that the failure rates of these very complex systems turned out to be less than predicted or if you prefer the estimates were on the safe side – and a good thing too.
You and I are both in our 70’s. We have both worked in the industry all our lives – you with the emphasis on the theoretical and me with the emphasis on the practical. All I would suggest to you now is that experience has shown that in practice automatic systems have been better in service than might have been expected. I know of not a single autoland crash - unlike the ILS/GCA approach crashes that happened with monotonous regularity 50 years ago.
The prediction of simple structural fatigue has a huge scatter when correlated with practice. We are used to that. I suspect it may be time to review some of the assumptions made when predicting complex auto systems failures now we have so much experience of them in service.
Regards
John
PS I can well remember the afternoon in the mid 60’s when as a safety pilot on a BLEU Comet 3 doing high crosswind autolands being amazed at how well the automatics handled the aeroplane. Every touchdown was on the centreline in exactly the correct place and that after kicking off a drift angle that was gobsmacking. I said to the crew “I can’t do that, so if the system dumps we will have to find a runway closer to the wind.” At the time I was young, switched on, very used to flying 6-8 different types each month (some of which were quite pointy) so I think my handling skills were as good as the next bloke’s at that time. But I knew I could not compete with those autos.
J
Last edited by John Farley; 30th April 2004 at 13:24.