Flight Controls and Navigation

One of the primary reasons for monitoring is to infer the flying status and adjust the settings needed for flight appropriately. This category includes all such tasks that involve controlling and navigating the flight. Typically the flight control tasks are performed by the PF, while navigation tasks may be performed by the PF, PM or by both pilots.

In order to program an IA system to perform these tasks, one has to identify all the rules and pro- cedures that determine what values be changed and when. The crew does this by accounting for the dependencies and redundancies among readings, history of the displays, the trends in change, inputs 43

4 SAFETY RELEVANT REQUIREMENTS IN IA SYSTEMS

from the other pilot, known conditions, etc. Because the flying tasks fall on the PF, when the IA sys- tem assumes the role of a PF it shall be capable of setting all the system parameters and taking relevant actions as a human pilot such as deciding the automation mode, enabling and disabling the autopilot, deploy flaps, desired altitude setting, etc. Since most of these tasks involve electronic controls and settings, the IA system shall have seamless access and authority to modify them directly.

A concern with letting the IA system modify the values is the scope of “automation surprises” – situations in which the human pilot is unaware of changes performed by automation. To mitigate this issue, requirements ensure that automation communicates its actions unambiguously to the other pilot should be defined.

Consider the task of applying speed brakes, a type of flight control surface used on an aircraft to increase drag or increase the angle of approach, during landing. Typically, if the airplane is too high and/or too fast before landing, the PF may instruct the PM to use the speed brake to get rid of some of the excess energy the airplane carries. Under normal circumstances, the PM performs the actions and confirms to the PF that the action was taken.

When an IA system is considered to perform this task, the level of automation expected from an IA system has to be clearly determined. If the IA system is expected to be “proactive” in identifying the need for speed brake deployment, then it shall be able to apply the brakes after confirming intended actions to the PF and confirm after the action is taken. A requirement for such an IA system shall be:

While the role of IA system is PM, when the conditions to deploy speed brakes are true and the confirmation obtained from PF to deploy speed brakes is true, then speed brakes shall be deployed; otherwise the speed brakes shall be not be deployed.

On the other hand, if the IA is not proactive, i.e., it has to wait for the PF to give directions on deploying the speed brakes, then the requirement shall be:

While the role of IA system is PM, when the conditions to deploy speed brakes are true and message from PF is ‘deploy speed brakes’ , then speed brakes shall be deployed; otherwise the speed brakes shall be not be deployed.

To avoid the situation where the PF may give an incorrect direction, we want to build in safety into the IA system by ensuring that the speed brakes will not be deployed in inappropriate situations.

While the role of IA system is PM, if the conditions to deploy speed brakes are false and message from PF is ‘deploy speed brakes’ , then speed brakes shall be not be deployed.

When the IA system is the PF, then the IA system may be designed to apply the speed brakes as appropriate and just inform the other crew mate. Again, depending upon the type of advances of the IA system, the requirement may vary. In its simplest form, a typical requirement shall be:

While the role of IA system is PF, when the conditions to deploy speed brakes are true, then speed brakes shall be deployed and message to PM shall be ‘speed brakes have been deployed’ .

4.5 Requirements Categorization

In all the above requirements, a crucial aspect is being able to communicate with the pilot in an unambiguous and timely manner. While we concentrate on the aspects of control in this sub-section, we elaborately explain the communication aspects in the crew communication category.

For most tasks related to flight controls, like the above, the requirements can be inferred from SOPs, CRMs and training materials. However, the expected behavior in abnormal/anomalous situations is not well defined. For instance, consider the broadly specified responsibility of the pilot in command as defined by the general operating and flight rules, “In an in-flight emergency requiring immediate action, the pilot in command may deviate from any rule of this part to the extent required to meet that emergency” . To define the requirements of an IA system to perform the PF role in emergency situations, one has to prioritize and enlist all the actions that are appropriate for every emergency situation. The challenge is that for humans this relates to their knowledge of operating the aircraft, experience handling situations at various levels of emergency, general common sense and intuition; whereas for IA system all these have to be factored in. Defining safe actions for all emergency situations may be a demanding task. One approach is to gather knowledge or train the IA system from such past reports on deviations and use that data to determine the best course of action.