4 saves in 2 years does sound very impressive. I guess these accidents were relatively common. That would certainly explain the development of this system, and how aggressive it's allowed to act.
Impressive tech, no question. However, I find it difficult to praise the technological advance of autonomous systems in any killing machine. I could care less about any cost savings for the tax payer in this context but I am glad that the pilot got to go home to his family that day.
That's pretty amazing, especially considering how fast everything is happening. It has to feel pretty good for the engineers, etc. who worked on this system and see it saving lives like this.
I wonder if the 5G limitation on the avoidance system is to allow pilot a chance to recover from GLOC, or if it is due to other concerns like the structural integrity of the aircraft or more unpredictable handling at more than 5Gs. Can more than 5 sustained Gs kill someone if they aren't conscious and able to counteract the blood pooling in their lower extremities?
5G is definitely more tolerable than 9G, especially in a GLOC situation, yet still allows for a pretty aggressive avoidance maneuver.
The 5G limit is going to be decided in concert with the minimum altitude and an upper speed limit.
GLOC would be most common at the merge, where they'll be at corner speed (the speed that allows them to get the tightest turning radius whilst bleeding the least amount of energy) and need to instantaneously load to 9Gs.
So from an engineering perspective, I'm sure they massaged the G limit, minimum recovery altitude and maximum likely speed into the most optimal set of parameters, with 5G offering a good trade-off between minimum recovery altitude and pilot comfort.
The planes themselves are G-rated to 9Gs, which is entirely a flight control system limit, because the bag of bones in the front seat tends not to do so well over 9Gs for sustained periods -- but the actual airframe will be able to sustain much higher before structural failures will start occurring.
The maximum g-load for an F-16 carrying external fuel tanks or air-to-ground ordinance is 5G and is enforced by the flight computer to prevent the extra weight on the wing hardpoints from causing structural damage to the air frame.
Within the cockpit, on the left side, there's a CAT switch that's used to switch between CAT-I (lighter loadouts, such as A-A) which permits more G-intensive maneuvering, and CAT-III (external tanks or A-G ordinance).
As far as sustained loads higher than 5G's, I could see the potential to kill someone, but I would also guess that the more immediate threat after G-LOC is probably the ground.
How would you do system-level testing on this system? Obviously there's going to be a simulator, but would you ever install it in a plane and dive at the ground?
Correct, there was probably a significant amount of simulator testing. Keep in mind that these kinds of simulators use real hardware and the avionics are being given inputs just like in the aircraft (i.e. the GPS antenna is simulated, but GPS inputs and uncertainty propagate through the system just like in the actual aircraft)
Most likely there is a test mode that raises the altitude floor/projected flight path at which it takes over. You could then perform the level-off at a safer altitude.
Yes. From what I heard when working at Saab (which makes sytems like this), it is a very... memorable... experience sitting in the second seat of a fighter aircraft when the pilot demonstrates this capability.
Altitude above sea level is absolute, whereas your altitude above ground depends on the terrain.
So maybe one way to test this on a real plane would be to trick the software into thinking the terrain is 5000 feet higher than it is. Then it can execute the maneuver against a safe fake "ground", still giving the test pilot time to intervene if it doesn't work properly.
Test pilots have done much more dangerous things. The pilot still has time to recover from a faux "uncontrolled" descent if the system appears to not work.
Plus, I'd bet a million dollars that the GCAS kick-in threshold is parameterized, and the test pilots had it set to kick in at a much higher altitude than the final product.
A couple different options come to mind. a) The recovery level here is enough that a test pilot would have time to still recover after the software should have recovered. b) The terrain height is pulled from a database based on the position so you could fake the software to adding more space to recover by adding a test area in the database where terrain is at 15000 feet.
Sort of. They had a system where a single lever would release bombs, then level and recover. Their system would not engage after the pilot passed out, rather engaging the system would make the pilot pass out. This allowed them to "safely" dive bomb at 90-degree angle, making them much more accurate than any other dive bomber from the period.
The downsides were that the automatic recovery was very-high-g, almost guaranteed to make the pilot pass out, and flying slowly with the pilot passed out in a very predictable pattern over enemy troops was not very good for you, especially after the enemies figured out the recovery pattern.
Interestingly, according to this source some german pilots disabled the Stukas automatic dive brakes (pull-up mechanism) since the flight profile from an automatic recovery would be very predictable for ground troops trying to hit you.
It may be coming to larger military aircraft next.[1] Recovery strategies for fighters can be drastic. The F-16 auto-GCAS commands a roll rate up to 720°/sec, followed by a 5G pull-up. Only fighters and some aerobatic aircraft are capable of such aggressive maneuvers.
On the other hand, fighters are expected to fly fast and aggressively close to terrain. The goals of the F-16 auto-GCAS are
1. Do No Harm (don't initiate a maneuver that causes a crash)
2. Do Not Interfere (the pilot may be in an aggressive combat maneuver)
3. Avoid Ground Collisions
The conflict between 2) and 3) is tough. The rule of the F-16 system is not to interfere until a crash is less than 1.5 seconds away. This was established by flight testing with fighter pilots flying aggressive profiles that might be used in combat.
Larger aircraft are seldom flown that aggressively. Nor do they have the power and maneuverability to get out of trouble in 1.5 seconds. Today's GPWS and EGPWS systems provide up to 60 seconds
of time from the warning to airplane impact. The FAA says "The GPWS mandate reduced CFIT (controlled flight into terrain) accidents from about 9 per year in the seven years immediately preceding the mandate to about 4 per year after. This rate has remained fairly constant". So there's room for improvement through automated recovery that isn't last-second.
Not true, 95% of commercial aircraft have a TAWS system [0] that can show relative terrain on their navigation displays and provides FLTA alerts (forward looking terrain avoidance) by using an onboard terrain database. This is an FAA requirement for any aircraft with 6 or more passengers.
The terrain following radar feature that has been in fighter jets since the late 60s uses radar -- as the name implies, and serves a similar purpose. It allows the pilot to set an altitude and a "comfort" level regarding how aggressive the autopilot can be with regards to avoiding danger (basically, how quickly the plane can pull Gs to avoid terrain, and how many Gs it can pull).
That works well when you're straight and level, attentive, and the radar can point at the ground. This system can't rely on radar exclusively though because the aircraft may not have its radar pointing at the ground (as in the video, the aircraft is inverted in a pretty steep dive).
So, they have to factor in precision INS/GPS and known topology to assess terrain altitude in order to perform collision avoidance.
The F-16 system doesn't rely on radar, although it can use it, because fighters often fly with radar off. It tells the enemy you're coming. It's based on INS/GPS and a terrain database obtained from radar scans of the Earth made from the Space Shuttle in the 1990s.
Dumb question, maybe, but how long before that data becomes inaccurate? Or rather, are there any areas where the change in elevation for the purpose of this system could be big enough in a 30ish year timescale that it would cause problems?
I assume no geological process alters the land drastically enough, quickly enough, that you'd notice, but what about water-level changes (dammed rivers?), melting glaciers, etc? Is "hard" ground consistent enough that no human processes are going to cause the data to diverge from the database drastically without the chance to update the database with new topographical surveys?
Right, the Auto-GCAS feature doesn't rely on radar -- but the normal TFR system does, so the OP was half-correct in that there is a system that can use the radar to do ground collision avoidance... just not this particular system.
Can you differentiate between an aggressive maneuver that results in loss of consciousness and a similar maneuver followed by a controlled one that looks like flight into terrain but is not ?(e.g. because pilot does aggressive acrobatics). Or two aggressive maneuvers followed by almost level flight but where one of them is with loss of control.
I'm interested what would be the cues that can be taken from controllers and plane attitude that can make the software say something in the line of "this guy seems lost, I'd better pay more attention". Of course nose down is one, but what about more subtle ones?
in principle the software could be forecasting an envelope of possible future trajectories of the aircraft given the current state. if we detect that we are about to commit to a state where our only remaining future options all involve colliding with terrain, we make an intervention.
> The [Aircraft Response Model] is a sophisticated simulation of the F-16, running at a real-time rate. "It's a fairly complicated algorithm that tracks fuel-burn, takes information from the stores management system [about weapons weight and drag], and even accounts for system processing delays," said Mark A. Skoog, USAF's AFTI F-16 test director. "Using the aircraft's current state, the ARM computes a full six-degree-of-freedom simulation during a roll to wings-level. At wings-level, [ARM switches] to a 2D-type recovery--a second-order modeling of the jet's pitch response. It calculates how much [kinetic] energy it can trade for altitude until the jet reaches a desired zoom-climb speed, then holds that speed." (http://www.f-16.net/f-16_versions_article8.html)
So the system continually computes the best trajectory for avoiding the ground, and takes over if that trajectory ever goes below the currently selected "minimum descent altitude". Pilots can adjust the MDA depending on how low they plan to fly.
"What would be really useful would be a way for controllers on the ground (not ATCs) or in chase planes to assume control of airliners performing erratically, not responding to calls from ATC, air defense fighters, or their corporate offices. THAT could have averted the Germanwings crash and the 9/11 collisions without the need for highly classified hardware in every airliner."
this comment really resonated with me. we have the tech for this right now, we had it 10 years ago too... remote piloting drones is now a completely day-to-day occurance. you could argue we had it down "well enough" in the 80s even
someone somewhere should be pushing for this. i'd never thought of it before, but now i've seen this comment i'm wondering why we don't have this sort of thing. especially in light of 9/11...
That (remote control of civilian aircraft) would be such a rich target for hackers. I would much rather see the civilian aerospace industry implement carefully audited, carefully deployed autonomy (starting with partial autonomy), rather than remote control.
Civilian aerospace does not have the security focus that the military has. Even if you solve the security problem from airplane black-box controller all the way to the remote control cockpit, and even if you find civilian pilots willing to fly planes when a remote pilot can override them at any time... there are there costs of satellite communications, costs of designing and installing black-box remote controls on dozens, even hundreds of types of commercial aircraft, and costs of staffing remote control cockpits with pilots who can fly every type of commercial plane, 24/7.
What happens if it's insecure and allows a bad actor to take control of planes?
You could crash a plane into the ground and nobody on board could do a thing about it.
You could crash every plane into the ground at once.
Maybe that's preventable by more automated safety systems that override if you're going to crash, but there are other equally bad options and I doubt we could block them all. Flying planes out over the ocean until fuel runs out, for instance.
Yeah, this wouldn't work. You've now just increased hi-jackers attack surface from "being on the plane" to "anywhere in the entire world" ... very, very dangerous.
Speaking as someone with a good view on aerospace code, I think the issue is that the difficulty of combining the kind of code required for remote control of an aircraft with the kind of regulation, failsafes and standards of commercial airliner code is what is holding us back.
Writing UAS software is hard. Only operating UAS in warzones helps with the overheads for this. Effectively "drone-ifying" a commercial airliner is a complete nightmare which would probably require government assistance to implement in the form of cutting of red tape or funding the handling of existing red tape.
That could work for situations where the pilots are unconscious (like Helios Flight 522), but wouldn't work for the malicious pilot cases you cited, since a malicious pilot could simply disable the remote control system by turning off the corresponding circuit breakers.
In a little less than another 2 sec., as the now frantic instructor makes a third call for the student pilot to pull up, the Auto-GCAS executes a recovery maneuver at 8,760 ft. and 652 kt.
The student pilot at this point comes around and pulls back on the stick, momentarily increasing Gs beyond the Auto-GCAS standard recovery level of 5 to 9.1.
Since he came around "at this point" and seeing he still had few seconds left to zero, we don't know with 100% certainty that AGCAS was truly pilot's only option.
Auto-GCAS started pulling out at 8,760 feet ASL and bottomed out at a hair under 3,000ft AGL (Judging by the Radar altimeter).
It looks like the pilot start pulling back on the stick at about 6,690ft ASL (Based on the G-Meter going above 5Gs). If the pilot had woken up at that point and immediately pulled back then the AGL clearance drops to about 1,100ft AGL.
Then we have to consider the fact that the plane was already pulling up when the pilot yanked back on the stick. Had the Auto-GCAS not already been pulling the plane up then the pilot would have been lower when he started the recovery.
The "At this point" in the article is not well worded because "At this point" actually looks to be a second or so after Auto-GCAS activated which, when plummeting towards the ground at 650 knots in a 55 degree dive. is basically another 500'ish feet lost
All in all this implies HEAVILY that even if the pilot recovered without Auto-GCAS the margin between survival and lawn-darting would have been a LOT less than 1000ft which is far too close for comfort.
Addendum to my previous comment: As someone else pointed out the GCAS had already rolled him right-side up as well.
Without that he would have taken an extra second or two to reorient himself and take appropriate action.
That delay, plus what I wrote above would make it a certainty in my mind that he would have had an unscheduled plane to ground rendezvous without the Auto-GCAS.
To me it's impressive how fast he still responds after losing consciousness. If you've ever fainted, there's this period where you don't know where you are or even WHO you are, let alone being able to fly a plane.
No, this system only countermands order to fly into ground, not other high G manoeuvres. The 9 G would probably end up snapping wings or in an uncontrolled roll.
F-16s are G-limited to 9G. You can happily pull 9G day in, day out. The actual G loading the plane is certified for would be much, much higher than this (probably at least double).
Look at the rate of descent. He had the plane on its back for a while, losing altitude at around 1000 FPS. May have been above Mach 1. Auto-GCAS took over and snap rolled the plane around to wings-level, then pulled up. This is the most aggressive autopilot on a manned aircraft ever.
Yet it won't take over until it really, really has to. Pilots can fly close to terrain.
It's interesting that the GCAS took over based on data other than the radar altimeter. There's no radar altimeter data when the plane is on its back, because the downward-pointing radar is looking in the wrong direction. Note that the GCAS arrows are moving in before the radar altimeter data reappears.
I would assume that it keeps the last known offset between the radar altimeter and the pressure altimeter. It may have also pulled up based on the pressure altimeter, as obviously the plane won't be flying below sea level regardless. But the latter is less clear. It appears to pull up before the "sea level" altitude gets too low, but the minimal reading may look less severe because the pilot increased the pullout to 9G.
It might also mix in data from GPS and topo maps. It's also possible they have some internal dead reckoning system to perform holdover while the craft is doing aggressive maneuvers. There are a lot of ways to skin that cat.
Ignoring the loss of life, according to Wikipedia, the cost of an F-16 is just under $20M. If we consider that two full years, it's earning $40M/year!