Autopilot Automation: Friend and Foe

Vulnerable. Thats essentially how Eric Geisleman and a group of aviation safety researchers described flight crews when it comes to operating the flight control systems in transport-category aircraft.

Vulnerable. Thats essentially how Eric Geisleman and a group of aviation safety researchers described flight crews when it comes to operating transport category flight control systems. Are general aviation pilots just as vulnerable? That's debatable.

One article (Flight Deck Automation: Invaluable Collaborator or Insidious Enabler?)that was published in the July 2013 Ergonomics in Designfocused on two high-profile 2009 crashes-Colgan Air in Buffalo and Air France off the coast of Brazil-concluded that current autopilot design and automation is flawed and "creates unnecessary emergencies by surprising pilots during critical, high-workload episodes."

The two-series article, co-written by Christopher M. Johnson and David R. Buck, responds to claims that airline pilots may be losing their ability to manually control aircraft because overreliance on automation is eroding basic manual flying skills.

Geisleman and his co-authors have combined expertise as airline pilots, flight instructors, crew resource management instructors and human factors researchers. According to their research, modern cockpit automation does not, among other things, effectively communicate to the pilots two of the most common modes of autopilot operation: heading command and navigational tracking.

In another article (Flightdeck Automation: A Call for Context-Aware Logic to Improve Safety) to appear in the October 2013 issue of Ergonomics and Design, the researchers suggest that flight displays can be redesigned using a more context-aware navigation interface. Moreover, the researchers state that placing blame solely on pilots for automation-related airline disasters fails to delve deep enough into the human-machine interface and note that better training is only a partial solution.

Using real-world examples, the researchers describe the scenario of an airliner in cruise flight, with the autopilot coupled in navigation mode and flying a preprogrammed route. ATC then instructs the crew to fly the current heading to avoid a traffic conflict, requiring the crew to switch the autopilot into heading command mode and continue flying straight ahead. Once cleared back on course (which is still straight ahead) the scenario has the pilot forgetting to reengage navigation tracking mode and missing the next waypoint in the FMS-programmed flight plan-sending the airliner off course and deviating from ATC instructions.

This scenario points out that although the autopilot tracking mode has changed (and is properly annunciated) the navigation display, which still shows the FMSs active flight plan, looks no different in autopilot heading mode than it does in navigation tracking mode and is a critical piece of data that complacent flight crews can miss.

The researchers suggest that a more context-aware navigation interface would differentiate between a route flown in heading and navigation mode, while alerting the pilot of a deviation. One example is an updated display that shows a virtual corridor of the aircrafts course (and where the aircraft wont be flying in the current autopilot state) when deviating from a programmed route.

The report goes on to describe other scenarios of airliners overflying destinations by hundreds of miles because crews failed to notice which mode the autopilot was in, compounded bydialing an incorrect ATC comm frequency that put the crew out of radio contact. The authors note that a more context-aware system could have utilized geographic location to alert the crew of the erroneous radio frequency and the missed descent point.

What lessens might general aviation pilots learn from these blunders? For starters, it's to maintain a healthy level of awareness as to what mode the autopilot is flying while avoiding automation-induced complacency. On the other hand, autopilot manufacturers we spoke with know this isn't as easy as it sounds, despite designing the new breed of autopilots with large amounts of failsafe features and pilot-friendly operating logic.

Autopilot Automation for the Rest of Us

While the research didn't focus on the automation that's found in smaller cockpits, the manufacturers we spoke with had some valuable insight to help pilots avoid ugly situations and pointed out that it's up to the pilot to closely monitor the system and act quickly and correctly when the system fails.

According to Garmin's Bill Stone, the most important thing a pilot can do is read the aircraft flight manual supplement to become thoroughly familiar with all aspects of autopilot operation and its interface with other systems in the aircraft. He also knows that pilots aren't doing enough reading.

"An awful lot of time and effort goes into producing the content of a flight manual supplement and pilots really need to read and understand what's in that supplement, particulalrly when it comes to autopilots. You know as well as I do that this isn't happening," Stone told AVweb.
Garmin's GFC700 is a full-featured, digital autopilot that's a major part of the company's G-series integrated flight deck. You'll find it in a wide variety of small and large airframes, including models from Cirrus, Cessna and Beechcraft, to name a few. Stone made it clear that the system is designed with sizable amounts of self-diagnostic and crew-advisory technology.
"The GFC700 has tremendous amounts of redundant safety monitoring in it, including two seperate paths for comparing ADAHRS inputs, two seperate paths for monitoring servo direction, speed and torque-all of which are measured and compared by two seperate processor boards. The likelyhood of a system runaway is extremely small," said Stone.
Should a pitch, trim, roll or yaw channel fail, the GFC700 will alert the pilot through interactive warning messages. From there, it's up to the pilot to acknowledge these warnings and react appropriately. It's important to understand that a failure may or may not automatically disconnect the autopilot. Garmin's Stone offered good advice for these situations.
"The pilot should be prepared for the autopilot-to-hand-flying handoff. This includes gripping the controls-tighly-because the aircraft could be in an out of trim condition, requiring sizable amounts of control force to counteract. If the autopilot hasn't disconnected, it's up to the pilot to do so. These kinds of procedures are clearly stated in the flight manual supplement and pilots need to be have these procedures memorized because they are as important as memorizing procedures for dealing with a critical engine failure," warned Stone.
This is good advice for any autopilot, especially for older analog pilots that don't have the sophisticated channel monitoring that the GFC700 has. This means that the pilot should know the proper procedure for disconnecting the autopilot. While this sounds trivial, it's an important part of quickly gaining control of the aircraft. Speaking of gaining control, certified autopilots are required to have drive servos that can be overridden. This means that a capable pilot should have enough strength to slip the servo clutch.

When disconnecting most autopilots, the preferred method isto use the yoke or panel-mounted disconnect button. Thisdisconnect circuitry immediately removes the input drive-voltage from the servos. Disconnecting the autopilot by chopping power at the main autopilot master switch could leave residual voltage on the servo clutch-preventing it from disengaging and keeping the controls locked. Of course, if all else fails, pull the autopilot circuit breaker. Again, consult the flight manual supplement for specific instructions on the system you are flying with.

Whose Aircraft?

The researchers note that, by regulation, autopilot disconnect functions do not adhere to the CRM (crew resource management) protocol for a postive exchange of aircraft control between humans.

One of the aspects of autopilot automation that Geiselman and his co-authors say needs to be changed is the process of acknowleding that the autopilot has been disengaged. They believe that pilots need more advanced warning before the autopilot disconnects and use the Air France Flight 447 Airbus accident as an example.

Approximately two hours after takeoff, the airspeed data was disrupted due to a sensor malfunction, which caused the autopilot and the autothrust systems to disconnect. No warning was provided to the aircrew prior to the disconnection. After the autopilot disconnected, the airplane performed an uncommanded right roll, before the crews' situational awareness progressively began to unravel and the aircraft became uncontrollable.

Ultimately, theaccident was attributed to the crew misdiagnosing the aircraft state and inappropriate reaction to the loss of airspeed information. The actions of the pilot flying who executed excessive roll and nose-up inputs were attributed to being surprised by the sudden autopilot disconnection. Also, according to researchers, multiple aural/visual alerts and warnings created a confusing environment.

"The sudden disengagement of the autopilot is analogous to a pilot suddenly throwing up his or her hands and blurting to the co-pilot, 'Your plane!'', said Geiselman. His point is that before control of an aircraft shifts from the autopilot to the pilot, the system should require the receiving pilot to acknowledge that he or she has assumed control of the aircraft.

The researchers also cite the Colgan Air Flight 3407 crash, where a contributing factor was the lack of forewarning when the autopilot automatically disconnected during the landing approach. Again, their point is that a positive exchange of control-with clear and concise communication about why aircraft control is being transferred-is what's required between two pilots that are flying and it should be required before the autopilot disconnects, too.

Built-in Envelope Protection

That's the design philosphy behind Avidyne's DFC90 retrofit autopilot (it's designed to fit into an existing S-TEC 55X installation and interface with Aspen's Evolution PFD and the Avidyne R9 integrated flight deck system).

According to Avidyne's Jake Jacobson, the company designed the DFC90 flight computer to be a natural extension of the pilot. This includes an architecture that's molded not around the behavior of professional flight crews but instead, around the pilot who may not always be in complete control of the aircraft. Avidyne's intent was to build in as much envelope protection as possible, while designing a feature set that creates no confusion as to what the autopilot is doing or what mode it's in.

"The pilot who's barely hanging onto a rope a mile behind the airplane and the better pilot who is on his or her game. We build in as much envelope protection as we can for both kinds of pilots. The DFC90 is a tightly-coupled and tightly-integrated system, with modes that are logically more helpful for a wide variety of pilots," according to Jacobson.

The DFC90 and higher-end DFC100 have internal monitors and internal comparitors that act as aircraft-level diagnostic self-test units. This includes monitoring of trim tabs, control rigging, drive servos and the electrical inputs to the critical components that a pilot may not have any idea are out of specification.

On a recent flight, Avidyne's Jacobson demonstrated the impressive capabilities of the DFC90, including intercepting a final approach course within a quarter-mile of the final approach fix- at a 150 degree angle, at high speed and with a tail wind. The idea behind the demonstration is that the system can handle situations that a pilot who's behind the aircraft might find themself in. There's also a straight-and-level mode, for unusual attitude recovery and stall protection.

As for the graphical interface issues the researchers say needs to be changed, Avidyne has already done so, attempting to create an autopilot mode annunciation logic that's intuitive,specifically designing the system so that different autopilot modes present differently on the PFD. This includes Vector Mode-a dashed magenta line on the PFD that's overlaid over the flight plan-responding to changes made with the autopilot heading bug. At the same time, you can manually create your own vector or course intercept that visually differentiates between what's loaded in the flight plan and what the autopilot is actually flying. The current mode of tracking is always displayed at the top of the PFD.

Increased Vigilance

If there's a lesson to be learned from the examples of automation-gone-wild in airliner cockpits, it's that vigilance is needed when flying behind the automation in smaller cockpits, too. This includes understanding and learning newly-installed retrofit interfaces, reading the flight manual supplement and following along with the autopilot when it's flying. Most important is being preloaded to quickly react to failures.

Even basic autopilot systems like the Cobham/S-TEC System 30 require a self-test before every flight to ensure the servos move the controls in the proper direction, the disconnect circuitry works correctly and that the pilot can override the system.

Bottom line: You want to avoid the automation-induced complacency, surprises and confusion that occassionally gets the best of professionally-trained airline crews.