Time and again, EGPWS breaks the accident chain
Since the introduction of the enhanced ground proximity warning system (EGPWS) in 1996, more than 16,000 airplanes worldwide have been fitted with the Honeywell-manufactured safety device. In that time, the CFIT (controlled flight into terrain) accident rate among aircraft that carry EGPWS has dropped to zero. Specifically, the statistics show that after more than 60 million flights over a seven-year span, not a single airplane flying with EGPWS has fallen victim to CFIT. Quite the contrary, on dozens of occasions pilots have reported that the device probably prevented a crash from occurring or broke the chain of events that was leading toward a dangerous situation.
And yet the man most responsible for the development of EGPWS, Honeywell chief engineer Don Bateman, is the first to admit the system’s limitations. Few are more versed than Bateman on the subject of CFIT accident statistics or as passionate when arguing that such catastrophes can be prevented. He seems to know by rote the circumstances of every major CFIT-related air disaster in the last 20 years, describing each in ways that convey to the listener that he is deeply and emotionally invested in his chosen profession.
“It breaks my heart every time I hear about one of these crashes,” Bateman said. He added that he realizes no piece of hardware installed in the avionics bay can cut the chances of a crash happening to zero forever.
The Achilles’ heel of EGPWS, and every other FAA-approved terrain awareness and warning system (TAWS), is the device’s internal terrain and obstacle database, said Bateman. The database stores in its memory a digitized topographical map of the earth’s surface that is constantly compared with GPS-derived position to keep aircraft from running into the ground or hitting towers and buildings. Fly too close to terrain or an obstacle and EGPWS will provide a caution alert to the pilot. Get closer still and the unit will issue a warning and subsequently command a climb maneuver, at which point the pilot should immediately roll the wings level, add maximum power and raise the nose about 20 degrees above the horizon. In a few seconds, based on the computing logic of EGPWS, the warnings should cease–this is the pilot’s cue that the aircraft will safely clear the terrain or obstacle ahead.
A color display in the cockpit, which shows the location of terrain and obstacles in pixels of red, yellow and green, serves as a visual tool to enhance situational awareness. Simply put, pilots want to avoid areas of red or yellow on the display. The unsettling reality, however, is that just keeping away from blocks of color may not ensure the crew and its passengers will be safe in every single instance.
The reason? Bateman said that in spite of the engineers’ best efforts to enhance the fidelity of the terrain database, it continues to contain errors, some of which could be significant.
As he explained: “The easy part is the look-ahead algorithms, the way EGPWS calculates distance and closure to terrain. The hard part is the database. In all these years we’ve kept working the data over and over and it’s still not perfect–not even close. We keep digging into the database, and we learn something new every day.”
During early flight tests of EGPWS over the Cascade Mountains north of Honeywell’s Flight Safety Systems division in Redmond, Wash., where Bateman and his engineering group are based, the test pilots were surprised to discover that a particular mountain in the database was actually 1,000 feet higher in real life than EGPWS thought. The reason for the discrepancy was an error in the topographical map for the region. This led the engineers to conclude that similar errors probably existed elsewhere and, based on what they already knew about the maps they had in hand, the errors were probably worse in remote parts of the world and in countries that had chosen to withhold data.
In the early 1990s, in the days before the Honeywell merger when Bateman’s team was part of AlliedSignal, a dedicated group of engineers in Redmond was given the task of buying or otherwise obtaining topographical charts from every corner of the world. Much of the data was highly accurate, some of it less so. The dissolution of the Soviet Union, as one example, revealed a treasure trove of excellent data on Eastern Europe. AlliedSignal spent millions of dollars buying these maps, and then digitized them to build the database that made the introduction of EGPWS possible.
Since that time, more than two dozen updates have been made to the original EGPWS database to fix known errors (all available for free download to EGPWS owners at www.egpws.com). One of the revisions to the database involved shifting every hill and mountain in an entire country because of differences in worldwide standards for establishing precise terrain location.
What Are the Chances?
When it comes to air disasters the facts are indisputable. Professional pilots take risks every time they strap into the cockpit of an airliner, business airplane or helicopter. Accident statistics collected and analyzed over the past 50 years bear out this unfortunate reality time and again. But how great are the risks, really, and how do they compare when stacked against hazards inherent in other professions or activities? In other words, is there a way to calculate or quantify the chances of a tragedy occurring on any given flight?
The surprising answer is yes, there is.
It’s all a question of probability. Engineers and mathematicians in a variety of fields are taking advantage of a newly evolving set of computing tools to assess the potential risk for a host of activities, from air travel to manned spaceflight to natural disasters such as hurricanes. The data is used by government agencies and businesses to help them determine if a particular activity is worth the danger posed and to devise ways of reducing or eliminating the risks.
Pilots rely on a host of safety systems to ward off catastrophe. Each has helped mitigate the danger of powered flight, making it far less hazardous over the years to venture away from the relative safety offered by keeping both feet planted firmly on the ground. And yet, of course, accidents still happen. The question the engineers must grapple with every day is how best to identify and subsequently reduce the risks of piloting complex turbine aircraft.
So just what are the chances that an airliner or business jet will be involved in a CFIT accident on any given flight? At first glance this may seem like an impossible question to answer with any useful degree of certainty. And yet powerful new conceptual and computing tools allow engineers to assess the risks to help them better understand and quantify the odds of such crashes occurring.
Using these mathematical probability tools, Bateman and his team of engineers calculated that the chances of an airplane being involved in a CFIT accident on any given trip aloft are about one in a million, with variations in the figures depending on where the aircraft happens to be flying. Those may sound like fairly good odds (especially considering NASA has estimated the risk of a catastrophic space shuttle failure at 1 in 145 missions), but taking into account the sheer number of commercial airline flights every year–more than 20 million last year in the U.S. alone–not to mention charter and corporate movements, it becomes clear pretty quickly that one in a million isn’t good enough.
Steve Johnson, Honeywell senior engineer for flight safety avionics, said the FAA recognized this fact back in the 1970s, when it required that certain commercial aircraft begin carrying GPWS, the precursor to today’s enhanced terrain warning systems. GPWS, which still flies in thousands of airplanes, uses radar altitude and a set of predefined protection algorithms to determine proximity and closure to the ground.
The probability of a CFIT accident occurring in a GPWS-equipped airplane, said Johnson, falls to about one every three million flights. After the FAA passed its original GPWS mandate, the CFIT accident rate began to trend downward. But sadly, CFIT accidents were still occurring, even in airplanes with GPWS.
Then came EGPWS, which for the first time combined GPS with a worldwide database of terrain and obstacles, in addition to the original alerting algorithms of classic GPWS. The result was that the chances of a CFIT accident fell dramatically to 0.03, or one in 30 million flights. Considering there have been 60 million flights of EGPWS-equipped airplanes in seven years with zero CFIT crashes, the system is performing better than advertised. Further illustrating the safety benefits of EGPWS, several crews have reported EGPWS may have prevented a crash, and some pilots have even refused radar vectors from ATC because they saw on their EGPWS displays that the heading they were given would take them perilously close to terrain.
Throwing Down the Gauntlet
Recently, a Honeywell competitor made a series of claims about its own TAWS product, comparing it with EGPWS. Officials for ACSS (Aviation Communications and Surveillance Systems), based in Phoenix and owned jointly by L-3 Communications and Thales, said that its system, the just-certified T2CAS, which combines TCAS with a class-A terrain-warning system, does a better job than EGPWS when it comes to warning pilots of potential terrain and obstacle hazards. “Simply safer” is the company’s marketing tagline.
To back up its claims that the T2CAS device represents a better terrain-alerting concept, ACSS said the system provides warnings four minutes before impact with terrain, while EGPWS gives about a minute’s warning. ACSS also said its device looks into turns, scanning for mountains or obstructions that may be to the sides of the aircraft, and provides alerts based on actual aircraft performance by configuring its protection envelope according to aircraft model. Further, ACSS claimed T2CAS is safer because, unlike EGPWS, its system provides an “Avoid Terrain!” warning when the unit determines it would be impossible to out-climb a mountain.
It is, of course, futile to try to say which of the two systems is “safer.” After all, there has never been a CFIT accident involving an airplane equipped with EGPWS–so in some sense EGPWS has proven itself infinitely safe–while on the other hand T2CAS has yet to be installed in even a single customer airplane (first installations are due to start soon) and begin real-world operations beyond the flight-test regimen. The ACSS product may one day match the safety record of EGPWS, but until T2CAS gets some more time under its belt such comparisons are of little value. What is clear, however, is that having either system on board would be better than having no protection at all.
Honeywell said that the claims made by ACSS misrepresent the true capabilities of EGPWS while also ignoring the shortcomings of all terrain databases, namely that they invariably contain inaccuracies that are difficult to remedy because they’re hard to find.
“The nightmare of all engineers is having a flaw in the database,” said Johnson. Honeywell, he said, has uncovered scores of anomalies in its database, some small, some large, and has fixed them in each instance. ACSS, meanwhile, has said publicly that its database is free of errors and, therefore, no revisions or updates will be necessary.
Johnson suggested this philosophy may signal a certain level of naiveté on his rival’s part.
“They know what they know,” he said, meaning that ACSS does not know what it does not know, specifically that its database contains errors that have yet to be uncovered.
The discovery of anomalies in the EGPWS database is the principal reason Honeywell chose not to give pilots an avoid-terrain warning, as the ACSS system does, Johnson said. “Because there are flaws in the database, we don’t want to be telling the pilot he should go left or right” since that might turn the aircraft into a mountain that the database mistakenly thinks is directly ahead. It comes back to the probability issue, he said. “The best chances for an escape,” said Johnson, “are to roll wings level, push the power levers forward and start climbing.”
ACSS counters by saying that rolling to a heading that points the nose of the aircraft directly toward a mountain may not always be the appropriate course of action. Johnson said he agrees in principle with this argument and that Honeywell may one day modify EGPWS to give alternate warnings similar to those provided by T2CAS. But he does not believe this will happen anytime soon.
“It all comes back to a question of database integrity,” he said. “If we can ensure the integrity of the data then we can start changing the algorithms. But we’re not even close to being able to do that yet.”
As for the ACSS assertion that its device is safer because it looks into turns, Johnson and Bateman said EGPWS always looks into turns. The difference is that EGPWS looks into the turn proportional to the amount of bank that is applied, while the ACSS system is claimed to look 90 degrees into turns. This means that if an EGPWS-equipped airplane enters a 20-degree bank to the left, the system will open its sideways aperture by 20 degrees. During a demonstration flight this was shown in all cases to be adequate for EGPWS to issue a terrain alert.
But in a lab simulation that ACSS has been showing to the aviation press, two airplanes are made to fly identical approaches to Aspen, Colo., after which they begin a missed approach, in this case a flight procedure developed for Air Wisconsin that contains a tight, nonstandard climbing turn to the left. In the simulation one airplane flies with T2CAS and the other with EGPWS. It is assumed that for some reason both airplanes begin a shallower turn rather than the tight turn shown on the approach plate. While the T2CAS-equipped aircraft gets a terrain alert early in the exercise, the EGPWS airplane continues far into its turn, getting an alert at a point where rolling wings level and climbing would not be sufficient to clear terrain.
A Honeywell spokesman conceded that while it is possible the exercise presented by ACSS could be one of those rare instances where EGPWS does not provide an alert–for whatever reason–he added that the potential anomaly, if it indeed exists, could be remedied with the customer by running simulations or actual flights into airports where terrain poses a danger. But because this is a nonstandard missed-approach procedure performed in the lab by a competitor, the simulation itself could very well be flawed, the spokesman said.
Bateman, who is largely credited with inventing the concepts that led to the introduction of EGPWS, was more emphatic in his assessment: “I would love to put our system in one airplane and theirs in another and let’s go have a shootout,” he said. “Then we’ll see whose is better. I don’t mean to sound arrogant, but I’m just very skeptical about a system that has yet to prove itself in the real world.”
Bateman went on to refute other claims made by ACSS. The question of what a pilot should do when he receives a terrain alert or warning has become a subject of some debate. The EGPWS pilot’s guide states that climbing is the only recommended response to a terrain warning, unless a warning is given while operating in VMC or “if the pilot determines, based on all available information, that turning in addition to climbing is the safest course of action.” While Bateman said he would dissuade pilots from maneuvering so close to terrain, Honeywell chief test pilot Markus Johnson (who arguably has as much experience flying with EGPWS as anyone in the world) said the terrain display can safely be used by the pilot to make judgment-based decisions, particularly in the moments just after receiving a terrain alert when there is still plenty of time to react.
ACSS, conversely, places black Xs over terrain that T2CAS calculates cannot be out-climbed. ACSS also claimed that with EGPWS the aural terrain warnings will continue even after terrain is cleared and that terrain warnings are provided with only one minute of standard look-ahead time. During a recent flight in a Honeywell King Air through the Cascades, test pilot Johnson attempted to show that the claims are misleading. As soon as the aircraft’s velocity vector goes above the terrain (plus a certain built-in cushion) the terrain alert stops. In most cases during the demonstration EGPWS gave about a minute of warning time, but in instances where more time was required EGPWS provided extra margins.
“We could give three or four minutes of warning time as a baseline standard,” said Bateman, “but in the real world pilots would end up getting so many nuisance warnings that they might stop listening.”
The look-ahead envelope, he added, is always calculated along the current velocity vector, with a second prediction line calculated along the climb gradient, typically six degrees. While ACSS designed a system that calculates its protection envelope based on a host of performance-based inputs, including aircraft weight, OAT and engine health, the EGPWS team in Redmond reasoned that a worst-case minimum climb angle (assuming all engines are operating) provides adequate protection in almost every conceivable circumstance, said Bateman.
Climb performance, he continued, plays a part in only a small percentage of CFIT accidents. The classic CFIT accident, rather, involves a descent during the last few hundred feet of an approach when an airplane strikes the ground short of the runway.
Adding fuel to the debate over whose system is better or safer is the fact that Honeywell last summer sued ACSS, along with three other competitors, for EGPWS patent infringement. Honeywell and ACSS have entered arbitration to seek a possible settlement. A battle for market share has grown fiercer recently with T2CAS gaining its TSO authorization from the FAA. (Most turbine airplanes will be required by the FAA to carry an approved TAWS beginning in March 2005.)
In addition to the classic GPWS modes and the terrain database, Honeywell has modified the EGPWS software periodically to add new features that are designed to help differentiate its products from other boxes on the market. Yasuo Ishihara, principal engineer for Honeywell in Redmond, explained that additional functionality has been built into EGPWS to give pilots extra margins for safety. For instance, the system now includes what Honeywell calls peaks mode, a free add-on that allows pilots to view terrain on the display in cruise flight. Terrain in peaks mode is shown independent of aircraft altitude with the highest and lowest terrain noted in figures in the lower right portion of the display. Ishihara said peaks mode increases situational awareness and can be useful during emergency descents in mountainous regions.
Another improvement to EGPWS is the addition of geometric altitude, an internally computed figure that is designed to compensate for altimeter errors. Using GPS-derived altitude in conjunction with uncorrected standard altitude, radio altitude and RAIM GPS failure indications, EGPWS can make an educated guess about the true height of the aircraft, independent of the barometric altimetry system. EGPWS computes the final geometric altitude by combining all the available altitude information and using a blending algorithm to come up with what it determines is a reasonable figure. With geometric altitude, said Ishihara, EGPWS can operate reliably in the event of extreme local pressure or temperature variations, crew mis-sets of the altimeter or errors that may arise in QFE operating environments.
A third added feature of EGPWS is described as runway logic, wherein the unit automatically picks what it believes is the most probable intended runway (using aircraft track, bearing and altitude to all runway ends) by creating a 3-D model that adjusts protection scales as needed. Runway logic is the first step toward development of another new EGPWS feature, an optional runway awareness and advisory system (RAAS) designed to reduce runway incursions (see 'EGPWS software add-on improves airport safety').