Yup.

In terms of mechanical failure, it's pretty easy to argue that operating something from a menu that can be displayed on any of 4-6 PFDs through redundant and self-testing computers is more reliable than something that can only be operated by one unmonitored switch. It's also harder to have a latent/hidden failure.

See both LOT 16 (767) and FedEx 1376 (757): hydraulic failure blocking normal gear extension. Easy. Unnoticed pulled breaker and broken wire respectively? Time for a belly landing.

If it's not monitored in such a way that an alarm is thrown if it fails, it may as well not exist. High levels of machine safety call for >99% of internal dangerous faults (by probability of occurrence, I believe) to be detected and redundant channels present. A single switch with no monitoring would not I think even reach PLb, certainly not PLc or d. Airbus at least uses redundant ganged switches and systems for the (widebody) alternate gear extension.

I am presently working my way through this series on design and analysis of machine safety systems; it's quite a different approach to what we see espoused here.

OK, so not a pilot - of any sort - let alone an airliner pilot. And; 'electrical' engineer nerd, who reads safety reports, as opposed to electronics engineer, or electronics design engineer ?

Just to take a couple of your points:


Oh, you mean Transformer Rectifiers, TRs ? Yes, we have those fitted already; two or three on each aircraft to run the DC services, with redundancy. And you know why aircraft use both AC and DC, don't you ?
But remember my point about "What if it goes wrong?". If you replaced the APU with batteries feeding existing inverter(s), how would that work if the existing inverter was what went wrong ?

Yes it is. And one that has been extensively tried and tested in the real World, and the real atmosphere; and which works extremely well. If it's not broken, don't fix it.




You are seriously suggesting that the Purser now has a panel and reads the TAFs, ATIS and NOTAMS to determine which airport to divert to ? And they also have a way of calculating the landing distance required after whatever failures have occurred to the aircraft. Mrs Uplinker is a purser, and she is very clever, but she is also busy with passengers, cabin crew and cabin duties, especially during an emergency diversion.

How is that going to work when an aircraft has engine and pressurisation failure in mid ocean, and has to emergency descend, and turn towards a suitable airfield, taking into account the weather, and what aircraft systems have been lost ? And the Comms is on unreliable HF radio ?

Wouldn't it be a lot easier to have a second person always present in the cockpit to help the single pilot ? You could train this second person to obtain, read and understand the weather reports and NOTAMs etc, do landing distance calculations, and also support the single pilot - handle the radio to ATC, and read checklists etc, and help monitor the aircraft systems and perform cockpit tasks for the single pilot ?

Oh wait; if you also trained this second person to fly and land the aircraft, then, if the single pilot felt unwell, or passed out, the second person - who would already be in the (locked) flight-deck, could take over and safely land the 'plane.

Yes, that might work quite well; You could call this second person "Pilot Monitoring" perhaps ? :ok:



There is nothing wrong with imagination and thinking laterally, but there is a world of difference between (say) fibre optic data systems in a fixed engineering or chemical plant, and an airliner flying where the outside air is at -56° C and the oxygen partial pressure is unsurvivable.

What might sound perfectly feasible, doable and sensible in theory, often does not work in practice in Real World conditions and challenges. Have a read of some aircraft test-pilot biographies and accounts to see that design is not a single-shot process. You have to design to the best of your knowledge, but then modify the design as problems are encountered and discovered.

You might be surprised to learn how unreliable data-bus systems are in motor cars - with the vibration and weather - and how often they lead to unserviceability of one or multiple computers or services.

Having airliners relying on such systems where they are also subject to vibrations but also extremes of temperature and conditions, and then only having one pilot to sort it all out if it goes wrong - particularly if your imaginary infallible air-ground data links have also failed - is not sensible. Especially when the only reason is to save money. Just put the ticket prices up a bit, they are absurdly cheap as it is.
.

I think he's actually referring to the growing trend of using more advanced power electronics — including within the generators themselves. Since engines don't always run at a constant speed, yet we still require stable 400Hz AC, you're either looking at a mechanical constant-speed drive or power electronics to stabilize the frequency. The latter is increasingly preferred.

The move toward DC networks is visible in many sectors. While AC has the major advantage of being easy to transform between voltage levels, we're in the 21st century now — power electronics have progressed significantly. And let’s not forget, AC comes with its own baggage, namely reactive power issues, which you’re surely aware of as an engineer: :)
Not only would he be surprised, but I would be too. I've owned my car — which relies entirely on CAN/LIN/FlexRay buses with a Bosch ECU — for five years now, driving it nearly every day. I’ve never had any issues related to the electronics. And I don't have a maintenance crew checking on my ECUs at regular intervals! Same story goes for friends with even older vehicles.

(Granted, I do know someone whose coolant pump failed after three years in his BMW X1… You can insert a joke here about Germans not being able to build cars — but let’s be honest, if we’re known for anything, it’s engineering well-built ones.)

All jokes aside: Current aircraft are already heavily reliant on data bus systems like ARINC 429, and newer generations are increasingly using AFDX. So I don't really see the point in arguing that data buses are too failure-prone to trust, when modern aircraft already rely on them extensively.

As for the idea of single-pilot or even fully autonomous cockpits — I remain skeptical, to be honest. But programs like Airbus’ DragonFly and ATTOL definitely point to where the industry could be heading. Even if the focus is on providing emergency backup automation rather than eliminating pilots outright, it’s a strong signal of the direction of travel.

I said instead of. The primary reason for DC & AC buses is that big power on aircraft comes from generators (AC), AC motors are better, and mechanical AC circuit breakers are better than mechanical DC, but reliable power comes from batteries (DC). You'll find that aircraft have a whole bunch of 28VAC buses not listed in the FCOM (because why rectify if you don't have to), and the 787 probably has a bunch of ~600VDC buses in that 'large motor power centre'.
Bingo. DC-DC converters are now much smaller, lighter, and more efficient than AC transformers at mains frequencies. They're probably on par at 400Hz, if not already better.
More relevant for aircraft is that DC networks are much happier with paralleling sources, especially if you don't want to carry around constant-speed drives (and yes, an Integrated Drive Generator includes a constant speed drive). That means no-break power transfers, mesh distribution, and rightsized generators because you don't have to account for power imbalances between the different buses.

Note though VSCF generators weren't that reliable. They can't do reduced-frequency motor starting, so take a beating on inrush.

With a wild-frequency AC system, those frequency converters are generally one-per-motor so that you can control each motor's speed individually and have low starting current. Lose an inverter, lose one hydraulic pump, or one cabin air compressor, or one fuel pump. I suspect, though, that on the 787 at least a smaller number of inverters are being switched between loads probably with some M-to-N redundancy, as you don't need the engine or APU starter motors during normal operation.

On a DC system, I'd expect strict one-to-one between motors/generators and inverters. Each engine starter-generator would have its own drive - no need for a fancy active front end when it's a DC bus. If you're familiar with the term 'four-quadrant' you can see why the inverter to let you start the engine is also capable of being the rectifier to deliver higher-voltage DC from the (permanent magnet?) AC generator.

I wouldn't be surprised to find a redundant pair of general-purpose 400Hz output inverters and a bunch of 28VDC isolated converters, but I suspect the former would be supplying a mix of off-the-shelf gear that didn't justify a redesign for DC input (so small, lower power) and IFE gear (sheddable in the event of a failure).

Ah, I guess that's why the A380 and A350 are just scaled up copies with no changes made, and the 787 is just a big 737/767. Sorry, my bad.

I'm not sure if we're talking single-pilot, single-pilot-but-incapacitated, or no-pilot?

The former can be done by Dispatch when they re-route the plane. Failing that, machine-readable TAFs & ATIS are basically here; machine-readable NOTAMs need to happen automation or not, because if there's one thing this forum agrees it's that they're not human-readable.

Landing distance calculations need to be fixed by the manufacturer. If there's one thing computers are good at, it's following flowcharts and tables to calculate distances. Doing them from more basic principles (ROPS) is probably more effective.

If there's an ETOPS-type failure mid-ocean, the purser doesn't need to do anything: the plane is going to descend & divert regardless as per flight planning, and tell anyone who'll listen. A, N, C.

My comments about the purser having diversion control are mostly about either an incapacitated pilot or no-pilot operations, whether the purser might need to initiate a divert for medical or other reasons.

We could even call the first pilot Otto!. And put lots of them in there 'cause they're small and light and you only have to train them once?


I'm not disagreeing. Boeing has clearly shown that a good FMEA and test program supported by in service experience is essential for safe EIS and operation.

But you realise almost every HV transmission line is topped by OPGW cable incorporating optical fibre, which continues functioning even in Canadian blizzard conditions? There's fibre in space. There's fibre in Antarctica. There's fibre ten kilometers under the sea. With good routing and installation, fibre is one of the most resilient and reliable connection methods there is. Fibre is far more reliable than copper communications plant despite many customers sharing the same line.

There's also already fibre on aircraft.

The number of aviation accident reports where the immediate cause was a bad termination in a plug that wasn't detected as an actual fault seems to give a pretty good argument for moving to redundant buses with actual end-to-end checksums. We might also see fibreoptic sensors being used for e.g fire loops, too.

Side-note; my reading is that on the A220, every mode except AFCU Direct requires flight control signals to be sent via a bus, and I'm not totally certain about the latter. Apparently they did get the message on splitting the avionics bay in two, though.

As I've said several times, I think improved automation is justified even if you keep two pilots in the cockpit.

The initial idea behind much of this thinking was what is necessary to make EgyptAir 804 survivable? Out-of-control oxygen fire made cockpit basically unusable and spread to the avionics bay below the cockpit. I'll let you read the arguments on exactly what happened and why fire suppression failed, but currently both the cockpit and the main avionics bay are major single points of failure: lose them and the plane will go down. Avoiding that requires a second avionics bay with enough computers to land the plane autonomously. There isn't really any other alternative unless you want to try and stick a second cockpit somewhere, or put a firewall down the middle.

Including AFDX over fibre on at least the 787.

More-or-less agreed. I think the airside tech is mostly available but it's ATC, airports, and NOTAMs that will be the limiting factors. It's also worth keeping in mind the varying timelines proposed - what's feasible for a 787neo or 2030s NSA isn't the same as what's feasible for a 2150s new build.

Just a comment on fiber (or fibre) optic use on aircraft.
Boeing spent a lot of time and money looking at fiber optic - and it is used currently for (IIRC) non-critical functions like passenger entertainment (note that I've been out of the game for over 8 years, so usage may have spread since then). It has a lot of advantages over copper - including being immune to EMI. But at least when it came to my area (engines), the big stumbling block was connectors. Engines and FADECs get removed/replaced on a regular basis - often under adverse conditions. No one had come up with a fiber optic connector that dealt well with being regularly disconnected and reconnected, especially in a dirty environment. Stuff inside the fuselage pressure vessel don't need to deal with that nearly as much, but it's a major issue for engines and engine components.

Makes sense. There are 'rugged' fibre connectors out there, but dust intrusion while (un)mating is still going to be a big issue.

Moving the optics/media converter to the connector body could be an option but it would be really nice to have a means of connecting them narrow enough to blow down microduct, without using a fibre splicer. I don't think that exists.

Interesting discussion on automation evolution. From the maintenance diagnostic perspective, we're already seeing significant advances in automated fault detection and system health monitoring that could inform this broader automation discussion.

Current challenges in maintenance automation include:

• Complex failure mode interactions that require contextual understanding
• Environmental factors affecting sensor reliability (GPS spoofing mentioned earlier)
• Integration between multiple aircraft systems during cascade failures

What's interesting is that, maintenance operations are actually a good testing ground for aviation automation concepts - lower immediate safety risk than flight operations, but similar complexity in decision-making processes.

The diagnostic intelligence we're developing shows that even experienced maintenance professionals benefit significantly from automated pattern recognition and decision support. This suggests a hybrid approach might be optimal - enhanced human decision-making rather than full replacement.

The key insight from maintenance automation: the most successful implementations augment human expertise rather than replacing it entirely

SLF & retired Software Engineer.
I sometimes wonder how many slow-burn problems there are that might benefit from automatic detection and action.

The only one I can positively identify is the treatment of slow ice buildup. Here the autopilot handles the growing problem, until it doesn't. When the pilot is handed -- without warning -- a mis-trimmed plane.
Surely it would be better to warn the pilot of the developing situation and allow them to take over earlier (and also consider action appropriate to the developing icing conditions, such as re-routing).
I appreciate that there is a need to avoid too many simultaneous/conflicting warnings.

I agree on this; there are a reasonable number of accidents where the autopilot has slowly run out of authority, and then suddenly disconnects and hands over to the crew a plane that is in the process of rolling over. An alarm that the autopilot has reached 75% authority and may disconnect soon seems obvious.

It's part of the broad trend of assuming that pilots are capable of actively monitoring and reacting instantly to everything on the plane; see also the discussions in the Vilnius crash about the 737 not having any warnings that the flaps haven't deployed to the selected position.

I remember when …
 

I remember back in the days when aircraft autopilots had indicators of servo motor torque - how close to their limit, and trim indicators and trim alerting for potential out of trim conditions or their slow (limited) operation by design.

In the intervening years technology has improved, system reliability is well in excess of that required by regulation, although design will tend to close the gap, yet with inevitable failure the effects appear proportionately more severe.
The nature of a rare system failure tends towards the limit of acceptability, crews unfamiliar with the more extreme situations, and surprised by the infrequency of the event.

The better the machine the greater demands made on human performance, but perhaps this is not the issue.
Look to the instances of failure, the age and design of the aircraft, and differences in design philosophies and level of safety in comparison to new types - ask your 'grandfather' what is was like in past days; we should improve the older designs
Considering the big picture, the overall level of safety over those years has significantly improved. Chasing fixes for the last accident (old aircraft) with more automation is futile, you never experience 'exactly' the same event twice.

Look at the achievements of technology - and the human contributions, education, operational environment which have contributed to safety - that which is being done every day and seek more of it (what is 'it').

Safety overview, note different generations of aircraft.
https://accidentstats.airbus.com/wp-...2025-links.pdf

My main point was suggesting the identification of trends might be useful. Here it could warn about longish-term deteriorating performance -- and hence the possibility of icing conditions --- before it has a significant effect on handling. Leaving more time to safely confirm and exit the icing conditions.

I'm not exactly sure what you're trying to say here? Yes, the torque alarms/gauges are an old idea that I assume mostly died with the FE position. I am not sure if newer FBW aircraft are quite so susceptible to the same failures that mean you need them. Most of the advancement in the past few decades has been in widebodies and we just don't see so many cycles, so accidents to learn from are fewer.

Safety has absolutely improved, no doubt about it. A good chunk of that is designing to prevent previous classes of accidents, even if not the same accidents. EGPWS and TCAS have been fairly successful at that, for example.

There's also dreaming up (i.e. FMEA) new possible failures and ways to prevent them, especially if your changes provide new failure modes (MCAS...).

Yeah, my example of the pre-disconnect alarm was only an example of an exceptionally simple warning device that isn't being used.

I think I've alluded previously that I think this could/should be done by closing the loop on the FMGS/FMS fuel/performance calculations. The idea that they can't handle calculating fuel burn on a gear-down diversion is simply ridiculous in the 21st century.

If you have an actual model (even if simplified) of how the aircraft is flying vs how it should be flying, you can:

• detect icing or other performance degradation
• detect incorrect take-off weights or thrust settings on takeoff acceleration, rather than overrun the runway
• predict range based on current fuel burn e.g. if fuel burn is 1.5% above target during climbout accounting for climb rate, speed, configuration, expect it to be 1.5% high in cruise.
• better detect instrument failures, even if an entire class of instruments has failed (e.g. the AoA vanes on XL 888T), and potentially even synthesize replacement values allowing you to stay in normal law (AF447)
• determine all-engine-out gliding range and an accurate path to a desired/feasible landing zone that delivers you there without having far too much energy left over or needing glider experience
• in the more distant future, perhaps an on-the-fly calculation of v-speeds / go/no-go and stopping distances (extension of ROPS) allowing more flexibility in rejects -
  • there have been suggestions that Ural 178 was on a runway long enough that they could have safely rejected even after hitting birds during rotation, and landed straight ahead, rather than in a field
  • measuring the V1 point by speed rather than position exposes you to a bunch of risks if take-off data or performance is wrong, but is easy to measure. Doing it by position was harder to measure but is now feasible, and is much more accurate.

While it remains almost entirely unclear what happened in India, I thought this post might have some relevance to what we were discussing:

Monitoring position/speed/acceleration during the early takeoff roll (say, up to 60-80kt or with double the calculated stopping distance remaining) allows checking that both engines are actually delivering the requested thrust (there are issues with EPR sensors failing), that the aircraft total weight is correct, and perhaps that the start of the takeoff roll happened in the correct location (calculate full length but take off from intersection...)

Better to throw a config/no-accel alarm a third of the way down the runway than see the end approaching and realise you haven't reached V1.

Interesting.. I hadn't thought about this thread in reference to Air India...

On one hand, the advanced, fully automated system that looks to the outside world for input that we have imagined probably would not allow engines to be shut down in an initial climb under any circumstances.

On the other hand, if somebody wants to bring the aircraft down, there are still many other ways to do it.

It is already standard equipment on airbus aircraft where TOS2 and TOM is available.

https://safetyfirst.airbus.com/takeo...ing-functions/

That's a reasonably small pool of aircraft, but hopefully it will expand.
Agreed that dual shutdown on climbout definitely wouldn't be allowed. Even if you've eaten birds in both engines, that's not a good reason to shut them down. Same goes for switching off all generators, all flight control computers, all hydraulics (unless flight control can be assured electrically e.g. A350/A380) etc. Use M-of-N logic so that while you can disable any individual equipment, you can't disable enough that flight is unsafe. Effectively an airborne MEL.

Nosing over would probably be option 1, but treating EGPWS like alpha-floor and forcing a pull-up + add thrust should handle that. Forcing a dive/low-energy state then shutting down one engine might work.

Unwarranted flap retraction and/or speedbrake extension can simply just be stopped.

Dumping fuel or flying circles over the open ocean could be an issue; it would need to be able to recognise an impending fuel emergency and initiate a forced diversion.

Alternate gear extension mid-ocean, so you don't have fuel to continue to destination?

Depressurise the cabin but continue flying at FL410; force descent and diversion.

Handling situations where you need to do an off-runway landing or ditching would potentially be hard, especially where it's not caused by a systems failure like dual engine failure or fuel starvation. Perhaps you could use canned smoke to convince it there's a raging cabin fire. Kind-of the Habsheim A320 hole.

I expect the most reliable method would be what happened to the Delta CRJ in Toronto: Screw up the landing at the last moment in a near-catastrophic manner, in such a way that it doesn't have time to fix it.

Of course, this is assuming it's not premeditated enough to sabotage something during the walkaround.

TOM has been a Dassault Falcon bizjet feature for a number of years. I’ve always been surprised it hasn’t been more widely used.