This article was originally published in 2010. It is part of the ELMG redux series of articles that will be republished over the summer. These articles cover subjects in and around digital control of power electronics.
Redux – Safety Critical Digital Control – Planes in Fog
Just before Christmas 2006 I spent sometime (24 hours) in Copenhagen Airport as I waited for my plane after doing a week of meetings in Southern Sweden. I very nearly had a forced stopover in London at Heathrow as London fog shut that airport. This stranded almost eighty thousand people who could not go on their holidays.
My connecting flight into Heathrow was cancelled due to that very fog in London. As a result I did not ever get to London and so I missed my connection out of London. Luckily for me I was re-routed the next day directly through Hong Kong missing the crowds of delayed passengers at Heathrow. Thanks to all those that helped me.
Copenhagen Airport
As I waited at Copenhagen I thought about a number of things
- The large numbers of people at Heathrow and how their holidays would go? My sympathy to all the people who were delayed in Europe at or around Christmas time.
- Why, if an airliner can land itself at LAX in perfectly good weather, can an airliner not land itself in London in the fog? The pilot on my last flight to LA informed the passengers that the plane we were on would land itself at LAX. I cannot verify whether the plane did or did not land itself but we did get down safely.
- What would my pre-school age daughter say if I did not get home for Christmas?
So if the plane can land on a sunny day in LAX why can it not land in the fog at London?
The guidance system on an airliner is an safety critical digital control system. It takes inputs from various guidance sensors (like GPS and inertial guidance) and produces outputs for the control surfaces like the elevators and ailerons. As such it will be a mixture of hardware and firmware software. The program code is most probably written in a safety critical digital control useful language (not C) such as ADA. The method to write the software is (hopefully) well defined and the code is well inspected and walked through. The guidance system is then certified along with the aircraft by the FAA and other suitable safety authorities.
A Sunny Day in LA.
So let me say that again – on a good sunny day in LA my pilot can let the machine land itself but in London my plane cannot land because of the fog. I thought about why this was and even asked a friend. He said that it was “All because of the labour unions” which I hadn’t even considered. I decided that it may well be something else. Labour unions may have something to do with it but I don’t have time to write about that.
Critical Failure Modes Analysis
Consider the failure mode of the plane landing in Heathrow in the fog. If something goes wrong with the part of the guidance/landing system that takes care of height, then the airliner hits hard into the runway and makes a mess. Consider the same failure mode in the good weather at LAX. The plane is at the wrong height and would dive into the runway. Instead the over riding backup system looks out the window and takes control of the plane.
Safety Critical Digital Control on a plane needs a Pilot
So here is the skinny – it is OK for the plane to land itself so long as the backup override system is working. This backup is the pilot and so long as she isn’t struck down by food poisoning and she can see the runway she will not let the plane crash.
I am glad my flight to London was cancelled.
There have been incidents where the pilot has attempted to stop the plane crashing but the embedded systems in the plane have refused to help out. That, though, is something for another time.
Since this article was written safety of airliners and their safety critical digital control systems has come into sharp focus. Apologies and condolences to all and everyone who have been touched by the failings of digital control systems in the airline industry.