Reacting to a pair of landmark NTSB recommendations addressing potential safety vulnerabilities in autopilots, the FAA this month is amending airworthiness standards for automatic flight control systems in transport-category airplanes. The revised standards cover newly certified business jets with an mtow of more than 12,500 pounds.
The FAA is rewriting air- worthiness standards for autopilot, autothrust and flight-guidance systems based on a 2004 internal proposal and input from researchers and airframe and avionics manufacturers. Beginning May 11 the amended standards require automatic flight control design changes that bring FAA guidelines closer to those championed by the NTSB and currently used by European airworthiness authorities.
The amendments add auto-pilot override, speed protection and cockpit annunciation features to future autopilot and auto- thrust designs. The changes are aimed at increasing pilots’ awareness of system failures that under current standards might provide only subtle clues that anything is amiss. As a result, cockpit aural warnings and alerts will be a standard feature of future autopilots, as will automation logic that prevents upsets should the pilots manually try to override the automation.
The changes, affecting all transport-category airplanes including airliners, were developed in response to a number of accidents and incidents blamed on an ever-increasing use of automation on the flight deck and improper pilot interaction with automated systems. Business jet manufacturers and avionics makers participated in an aviation rulemaking advisory committee that drafted the amendments, and OEMs have already incorporated some of the new features in their latest autopilot designs, according to the General Aviation Manufacturers Association.
The changes to the airworthiness standards were prompted in part by the September 1999 fatal in-flight upset of a Greek government-owned Falcon 900B. According to investigators, the high-profile incident followed a failure in the pitch-feel system and was triggered by the pilot pulling back on the yoke before disengaging the autopilot. Seven passengers aboard the airplane were killed, including Greece’s deputy foreign minister.
In the wake of an earlier accident in Japan involving an Airbus A300-600 operated by China Airlines, the FAA formed a human-factors team that included experts from NASA, Europe’s JAA and three major U.S. universities. The group looked closely at the 1994 accident, focusing on difficulties the flight crew had in their managing and interacting with the airplane’s automation.
Investigators ruled that the pilots’ fatal mistake was in trying to manually correct the autopilot’s commands. The combination of an out-of-trim condition, near-maximum engine thrust and retracted flaps led to a stall and subsequent crash that claimed the lives of 264 passengers and crewmembers.
Although this particular event involved a non-fly-by-wire A300-600, other accidents and incidents demonstrated that the problem was not confined to any one airplane type, manufacturer, operator or geographic region, the FAA said. Somewhat reminiscent of the Greek Falcon upset, on July 13, 1996, a McDonnell Douglas MD-11 operated by American Airlines experienced an in-flight upset near Westerly, R.I.
According to the NTSB, the airplane was cleared to descend to 24,000 feet and the first officer dialed in the altitude on the autopilot control panel. With about 1,000 feet left to go, the captain became concerned that the airplane might not level off at the assigned altitude and instructed the first officer to slow the rate of descent.
The copilot adjusted the pitch thumbwheel on the autopilot control panel, but the captain determined this action was ineffective. He took manual control of the airplane, began applying back pressure to the control column and disconnected the autopilot. The flight data recorder showed the airplane experienced an immediate 2.3-g pitch upset followed by several more oscillations, resulting in four injuries in the cabin.
This incident prompted the NTSB’s recommendation calling for certification standards that prevent upsets when manual inputs to the flight control are made while the autopilot is connected. Professional flight crews flying with advanced flight-control systems are taught that only one pilot (human or automatic) should be operating the airplane at any given time. Yet despite this widely accepted practice, in each of the cases studied by human-factors researchers and the NTSB, pilots tried to override the autopilot by physically grabbing hold of the controls.
More Knowledge of Autopilot Needed
The FAA’s research team identified several other disturbing trends related to cockpit automation, perhaps the most startling being the lack of understanding on the part of pilots of automation’s capabilities, limitations, modes and operating principles. The researchers noted that they frequently heard stories about automation “surprises,” described as involving situations where the automation behaved in ways the flight crew did not expect. Researchers noted that the pilots, from operational experience, commonly asked: “Why did it do that?” “What is it doing now?” and “What will it do next?”
Equally troubling was the fact that pilots often failed to recognize failures in automated systems, particularly when the failure caused only subtle changes to the flight path, such as a slow pitch change after an autopilot servo failure. An airplane might be gradually departing from its intended flight profile unbeknownst to the crew, yet by the time the pilots realize what is happening, it could have already gotten into a dangerous profile, such as a high angle of attack and low energy state.
This is precisely the scenario envisioned by the NTSB, but the related recommendation, calling for aural cockpit alerts when the airplane’s pitch or bank exceeds the autopilot’s maximum command limits, came in response to a crash that occurred under far different circumstances. On Jan. 9, 1997, an Embraer EMB-120 Brasilia went out of control near Monroe, Mich., while holding in IMC and freezing conditions. The NTSB blamed the crash in part on the FAA’s failure to establish adequate aircraft certification standards for flight into known icing.