Single-pilot operations
Who retains final authority over the human single pilot – AI, a ground pilot, or the PIC on board?
By J Peter Berendsen
ATP/CFI. B747-8i, B737, MD11
Contributing Writer
You’re alone. You’re in a BBJ enroute MIA (Intl, Miami FL) to DOH (Doha, Qatar). There is no second pilot, but you are allowed to rest in your seat. An artificial intelligence (AI)-powered system monitors you, while a ground pilot (GP) based at ATC in Malta controls your aircraft. You wake up from the pressure in your ears.
The aircraft is clearly descending. Immediately, an alert tells you to sit up and request control back from the GP via the remote control interface. The answer – “Unable to assign control to aircraft. Diversion initiated to TIP (Tripoli, Libya).”
Your VIP passengers want to fly to Qatar, not Libya. That could create complications for them. When you type “Why?” the response is clear – “Incapacitation detected.” You are taken out of the loop, and watch helplessly as your aircraft lands in a hostile foreign land.
To most professional pilots this may seem far-fetched. But the movement to reduced crew operations (RCOs) is gaining strength, pushed by national private ATC companies and by some airlines. The manufacturers are busy enough with other issues, but have to stay ahead of any new development.
Business aircraft certified for single-pilot operations under Part 23 are flown safely every day. However, as we get to larger aircraft, 2 pilots are required by certification. There is a push from industry, manufacturers, and private ATC companies to allow RCOs in aircraft that currently require 2 pilots in their seats at all times. However, this would require monitoring of the single pilot by a ground station.
Safety and certification
The enthusiasm for RCO or single-pilot operations still has to meet the reality of civil transport certification. In the US, transport aircraft are certified under Part 25, while in Europe they are certified under CS25. FAA and EASA work closely to keep their regulatory framework aligned.
Pilots have to be properly licensed and type rated, and must meet recent experience requirements to be allowed to operate a civil transport aircraft. The aircraft itself is certified to a type certificate which is kept valid by ongoing scheduled maintenance. The flight deck has to meet certification criteria such as field of vision, ergonomic aspects, and instrumentation.
It is reasonable to assume that remote pilots and ground stations that intend to take over control of a civil aircraft must be certified as well. The assumption that standards established for remotely-piloted aircraft systems (RPASs) and general aviation (GA) single-pilot aircraft may be transferred to transport category airplanes in commercial air transport is not feasible, because of the high standards of Part 25 certification.
To circumvent the GP qualification question, properly licensed and experienced air pilots are envisioned for the GP role. Regular rotations between the ground and air role would keep experience current. However, their assignments to the ground station will not count as experience gained in the air. Depending on the scheduling arrangements, this may cause all pilots to be less experienced in actual flight.
NASA research showed in 2016 that the ground station itself, if intended to be used to remotely fly the aircraft manually, will have to fulfill many of the requirements of the real aircraft. As type rated pilots are envisioned as GPs, the ground-based cockpit will most likely look like the real deal – minus oxygen masks. A rigorous maintenance program will have to be followed for the ground stations as well.
An airline with several aircraft types will therefore probably also need several aircraft type ground stations, much like there are training simulators for each type of aircraft today. Simpler stations could only be used if the landing of the aircraft is automatic, which would require a fully autonomous aircraft system capability, even in unfavorable weather and terrain conditions.
One of the main hurdles is how to establish a safe status for an aircraft that is under distress (eg, by incapacitation). Trains and cars can brake and stop and achieve a safe status. Aircraft have to be in continuous forward motion to create lift and thus possess potentially destructive kinetic energy while in motion. Safe status is only achieved after parking on the ramp.
The ability to achieve a safe mode or safe return in a single-pilot-operated aircraft raises challenges for certification. Airbus has incorporated an auto emergency descent feature in its A350-1000, which will fly the aircraft to an altitude where there’s enough breathing oxygen.
Cirrus, being certified under the more lenient Part 23, went one step further and just introduced a safe return feature. Any passenger can press this guarded switch on the cabin ceiling, then the aircraft will calculate where the next suitable runway is, and will land there automatically. If unintentionally pressed, a push on the autopilot button returns control to the pilot-in-command (PIC). This is how it should be, but not everyone sees it that way.
Commercial air transport RCOs envision constant monitoring of the single pilot and the ability to take over irreversibly, because both incapacitation and ill intent are envisioned as problems to prepare for. This means that the final authority over the operation of the aircraft resides not solely on board, but also on the ground.
Single-pilot operations will most likely come with a ground control facility to take over the aircraft completely, leaving the onboard pilot with no control. This thought was inspired by the terrorist attacks of Sep 11 and the incapacitation of the first officer of Germanwings Flight 9525 in 2015, who was able to lock out the captain and subsequently crash the aircraft. However, airline pilot homicide-suicide is an extremely rare event. Only 6 cases have been reported since 1970 in airline operations, including commuter flights. The risk can be assumed to be extremely improbable.
Why does FAA require 2 pilots for larger aircraft?
The failure probability or probability of incapacitation of one single airline pilot is 10⁻⁶ per flight sector. With the addition of a second pilot, this risk is reduced to 10⁻⁹ for both of them failing together.
To say that the probability of flightcrew incapacitation is 1 in 100 million is valid because both pilots are completely capable of replacing each other, have the same situational awareness and access to the same information, and have the same ability to manipulate the aircraft and lead the crew and passengers.
This system worked well until it was disturbed by new regulations in the wake of the Sep 11 terrorist attacks. In the case of Germanwings Flight 9525, the regulation to keep the cockpit door locked gave the incapacitated copilot the possibility to lock out his backup system – in this case, it was the captain who could not get back in. This is an example of well-intended regulation interfering with other aspects of air transport safety.
The single-pilot/GP system would have to meet a higher standard because they are not completely interchangeable. The GP, for example, could be replaced by a new GP. The link failure, however, would leave the single pilot without a backup and the GP without any possibility to control the aircraft. At a minimum, the link to the GP and the ground piloting station have to meet a failure rate of < 10⁻⁶. The reliability of the single-pilot/GP complex system under common cause failures has to be robust.
As professional aviators, we know that the number of flights that have been saved by 2 professional pilots working together far exceeds the extremely rare cases of pilots who have had bad intentions.
Remote takeover
The ability to take over an aircraft remotely opens up a whole new category of security threats resulting from cyber attacks on the network, and/or from physical attacks or sabotage at the ground station. Ground stations and datalink networks are able to control a large number of aircraft. This makes them high-value targets for terrorism. In essence, the currently decentralized command and control system with an individual cockpit in each aircraft will be replaced by a more rewarding target – the central ground control stations and data dissemination networks.
Risk management
A reliable risk assessment of single-pilot operations will require the methods of evidence-based risk assessment to evaluate the level of safety achievable with these operations. Although incapacitation is a fairly remote risk that may require massive amounts of technology to overcome, other systems, such as the network control link connection, may be far more likely to fail.
One of the most complex failure scenarios is the failure of parts or all of the electrical system. Since all modern warning and flight management systems are based on electrical power, the precise cause and location of a failure is difficult to detect, so countermeasures may be ineffective. In an electrical fire or short, the consequences may be devastating.
One of the certification requirements of electrical systems in aircraft is that they can be isolated by the crew in case of electrical malfunction or fire. This includes the Internet broadband antenna system.
Certification of AI systems
The monitoring AI system will require close scrutiny in certification, as its decisions form the basis for taking control away from the onboard pilot. The system may also have to be installed in dual configuration. By definition, an AI system is programmed and trained, and over time it will be able to make its own determinations. The certification of such a program is different from a numerical engineering program which can be tested for correct results. It will be nearly impossible to test all possible results that an AI program may have. In the case of an AI system monitoring human behavior, this is even more true.
Security considerations
Data and networks are subject to cyber attacks. While it may be assumed that the highest standards in cyber security will apply to the datalink between ground station and aircraft, a cyber attack cannot be excluded. As the consequences may include loss of direct control of the aircraft, this is a major obstacle to single-pilot operations. The probability of a cyber attack may be higher than the demonstrated probability of incapacitation or even homicide-suicide.
As data is transmitted in networks, the number of access points for cyber attackers multiplies. There are almost no relevant access points for cyber attackers to a conventional aircraft in flight as flight-relevant and entertainment systems are strictly and physically separated. False data sent up to the aircraft could be rejected by the pilots easily. If there is a remote steering possibility, flight-relevant electronics cannot be separated from the network any more. Via the network, multiple points enable access for hackers and terrorists.
Ground sabotage
All envisioned single-pilot operating concepts include ground pilots in ground stations who can work together with the flying pilot and take over control if required. Due to signal latency, there will probably be more than one ground station for each flight. A minimum of 3 are planned in the tripartite concept – departure, cruise, and arrival.
While it is safe to presume that the highest standards in building security will be applied when designing and constructing these ground stations, it will always be easier to access a ground station than an airborne aircraft cockpit.
Incapacitation and mental state of the ground pilot have to be monitored in the same way as the airborne single pilot. In case of incapacitation, the cabin crew will have to open the cockpit to help the flying pilot. This possibility already exists, but it’s less relevant since there is always a second person in the cockpit who can deny entry to any unauthorized person.
With only one pilot, the cockpit would be accessed easily after incapacitation. In order to ensure a secure flight, the cockpit would have to be taken over by ground control. In connection with a cyber attack, this could be devastating.
Passive cockpit
The complete disabling of the aircraft cockpit and control from a ground station is a theoretical concept that seems to be a viable solution for hijacking and terrorism. As aircraft move away from mechanical linkage between cockpit controls and flight control surfaces to fully fly-by-wire (FBW) systems, this becomes a technical possibility. If the controls in the cockpit are just electronic input mechanisms, it means that it’s fairly easy to disable them remotely and send the replacement inputs from afar. This opens new possibilities for cyber terrorism.
Ethics require the final authority to be the PIC on board
The monitoring and understanding of the human voice and facial expressions has reached a level where it may be possible to monitor the human’s emotional state and performance in a cockpit continuously. Human perception AI detects nuanced emotions, complex cognitive states, behaviors, activities, interactions, and objects people use.
The central question is the hand-off challenge. Should the system’s design prevent the human from regaining control if AI algorithms come to the conclusion that the pilot’s emotional state and performance are unsafe?
While this question seems far-fetched at first, there are attempts to make similar systems mandatory in the automotive area. It is very relevant as we approach the single-pilot cruise concept. It can be shown that for technical, legal, and ethical reasons, a commander is required on board any aircraft carrying humans. For similar reasons, his deputy or second-in-command (SIC) has to be on board as well. This requirement does not preclude remote monitoring, but it does preclude remote command.
The progression toward reduced-crew, single-pilot, and remote-pilot operations is seen as an inevitable result of technical progress. But we should note that there is a big difference between getting rid of the radio operator, the flight navigator, or the flight engineer, and eliminating the second pilot. The SIC has the same qualification and training as the PIC and the same situational awareness. Both are “in the boat” with their passengers, and share their fate. There is no higher motivation for a good and safe outcome than that.
As professional pilots, we know the value of our work. In the near future, we may have to explain what we do even better to regulators, politicians, and the public. What works for us? The fact that somebody needs to take the blame if something goes wrong. That would be the captain. The final authority must rest on board with the aircraft commander. And a fully qualified human SIC is required on board.
Jörg Peter Berendsen flies Boeing 747s as a captain for Lufthansa. He holds ATP and CFII licenses, and writes regularly for Pro Pilot on aviation-related subjects.