Accident Report Finds Problems with Airbus Software
Labels: aircraft, defence technology, Safety Critical Systems, Western Australia
... The ATSB has scheduled the media conference this evening to coincide with the release of an Operators Information Telex/Flight Operations Telex, which is being sent by Airbus to operators of all Airbus aircraft. The aim of that telex is to:
- update operators on the factors identified to date that led to the accident involving QF72,
- provide operational recommendations to mitigate risk in the event of a reoccurrence of the situation which occurred on QF72.
... The aircraft was flying at FL 370 or 37,000 feet with Autopilot and Auto-thrust system engaged, when an Inertial Reference System fault occurred within the Number-1 Air Data Inertial Reference Unit (ADIRU 1), which resulted in the Autopilot automatically disconnecting. ...
The faulty Air Data Inertial Reference Unit continued to feed erroneous and spike values for various aircraft parameters to the aircraft's Flight Control Primary Computers which led to several consequences including:
- false stall and overspeed warnings
- loss of attitude information on the Captain's Primary Flight Display
- several Electronic Centralised Aircraft Monitoring system warnings.
About 2 minutes after the initial fault, ADIRU 1 generated very high, random and incorrect values for the aircraft's angle of attack.
These very high, random and incorrect values of the angle of attack led to:
- the flight control computers commanding a nose-down aircraft movement, which resulted in the aircraft pitching down to a maximum of about 8.5 degrees,
- the triggering of a Flight Control Primary Computer pitch fault.
The crew's timely response led to the recovery of the aircraft trajectory within seconds. During the recovery the maximum altitude loss was 650 ft.
The Digital Flight Data Recorder data show that ADIRU 1 continued to generate random spikes and a second nose-down aircraft movement was encountered later on, but with less significant values in terms of aircraft's trajectory.
At this stage of the investigation, the analysis of available data indicates that the ADIRU 1 abnormal behaviour is likely as the origin of the event. ...
From: "Qantas Airbus A330 accident Media Conference", Media Release, Australian Transport Safety Bureau, 2008/43, 14 October 2008
Labels: aircraft, Safety Critical Systems, Transport
The Australian Transport Safety Bureau (ATSB) released a final report on the grounding of the ship Pasha Bulker at Newcastle on 8 June 2007. This is a clearly written technical report into what happened and what to do to stop it happening again. Fortunately there was no loss of life. Perhaps similar independent reports should be prepared where there is any major incident which risks public safety, or large financial loss.
Bodies such as the coroner's court only have jurisdiction where there is an actual death. Also, physical injury may only play a small part in many incidents which could have a large and detrimental impact on the public. At present it is necessary to rely on an uncoordinated array of overlapping investigative agencies and ad-hoc inquiries. Major incidents may require a special public inquiry, but a government may be reluctant to launch an inquiry which may find them at fault. Something like a more general version of the ATSB, which can carry out an independent investigation, would be useful.
PS: Perhaps some time could be saved by calling the public inquiry into the Sydney North West Metro Project now. This project is quite clearly a disaster in the making. ;-)
Occurrence Details
Marine Safety Investigation Report - Final
Independent investigation into the grounding of the Panamanian registered bulk carrier Pasha Bulker on Nobbys Beach, Newcastle, New South Wales on 8 June 2007
Occurrence Number: 243
Location: Nobbys Beach, Newcastle
Occurrence Date: 08 June 2007
State: NSW
Occurrence Time: 0951 (UTC +10)
Highest Injury Level: None
Occurrence Category: Incident
Investigation Type: Occurrence Investigation
Occurrence Class:
Investigation Status: Completed
Occurrence Type: Grounding
Release Date: 23 May 2008
Vessel Details
Vessel: Pasha Bulker
Flag: Panam
IMO: 9317729
Type of Operation: Bulk carrier
Damage to Vessel: Substantial
Departure Point: Newcastle anchorage
Departure Time: 0748 local time
Destination: To sea
On 23 May 2007, the Panamanian registered bulk carrier Pasha Bulker anchored 2.4 miles off the coast near Newcastle, New South Wales. The ship had sufficient water ballast on board for the good weather at the time, and was not expected to load its coal cargo for about three weeks.
At midday on 7 June, Pasha Bulker's master veered more anchor cable after a gale warning was issued. The weather deteriorated and shortly after midnight, the wind had reached gale force.
At 0500 on 8 June, the wind had increased to strong gale force and the weather was severe. At 0625, Pasha Bulker started to drag its anchor. The master decided to put to sea and at 0748, the anchor was aweigh. The ship was now 1.2 miles from the shore and, with the southeast wind fine on the starboard bow, it made good a north-easterly course. At 0906, the master altered the ship’s course to starboard to put the wind on the port bow in an attempt to make good a southerly course on a south-southeasterly heading. However, its heading became south-westerly and, with the wind on the port beam, the ship started to rapidly approach the coast.
At 0931, with Nobbys Beach 0.8 of a mile away, the master attempted a starboard turn. The manoeuvre did not succeed and at 0946, with grounding imminent, he requested assistance from authorities ashore. At 0951, Pasha Bulker grounded on Nobbys Beach and the ship's momentum carried it further onto the beach. The crew were evacuated by helicopter during the afternoon.
On 2 July, Pasha Bulker was successfully refloated. The ship was temporarily repaired in Newcastle and on 26 July, taken in tow to Vietnam to undergo permanent repairs.
The report identifies a number of safety issues and issues recommendations or safety advisory notices to address them.
Marine Safety Recommendations
[MR20080009] [MR20080010] [MR20080011] [MR20080012] [MR20080013] [MR20080014] [MR20080015] [MR20080016] [MR20080017] [MR20080018] [MR20080019]
Safety Advisory Notices
[MS20080015] [MS20080016] [MS20080017] [MS20080018]
Labels: disaster management, Safety Critical Systems, Transport
Labels: Defence IT, Safety Critical Systems, Software Engineering, spacecraft
NICTA LC SEMINAR
Improved Air Traffic Control with Cooperative Surveillance Techniques
Stephan Schulz (Comsoft GmbH)
DATE: 2008-08-06
TIME: 16:00:00 - 17:00:00
LOCATION: NICTA - 7 London Circuit
ABSTRACT:
Aircraft in controlled airspace are flying under the direction of air traffic controllers, who are responsible for safe, orderly, and expeditious traffic flow. In particular, maintaining proper aircraft separation is not left to individual pilots, but subject to air traffic control. To support controllers in their task, surveillance systems are used to provide an air situation picture. The quality of the air situation picture determines both the workload of the controller and the safe separation limits of aircraft, and hence significantly influences the safe capacity of the air space. Most of today's surveillance systems are based on rotating antenna radars. However, radars are expensive to build and operate. They have a relatively low update rate and limited scalability.
New surveillance techniques rely on cooperative aircraft to overcome this disadvantage. Multilateration systems use a scalable array of small, low-cost sensors to determine aircraft position and parameters from the time difference of arrival of aircraft transponder signals. They achieve high accuracy, can provide updates several times per second, and provide secondary information about the aircraft based on the content of the received messages.
An even more radical departure from classical radar is Automated Dependent Surveillance - Broadcast. With ADS-B, the aircraft determines its own position using a global navigation satellite system. It broadcasts this position and auxiliary information, typically several times per second. The signal can be received by a low-cost ADS-B ground station with a simple omni-directional antenna. Thus, a small, passive sensor can provide a high-quality air situation picture.
BIO:
Stephan Schulz studied computer science and physics at the University of Kaiserslautern and graduated (Dipl. Inform.) in 1995. In the same year he joined the Automated Reasoning Group at the Technical University Munich. In 2000 he obtained a Ph.D. in computer science for his work on learning search control strategies for first-order deduction. He has contributed to the development of several high-performance deduction systems. Dr. Schulz is best known for developing E, one of the most friendly theorem provers for first-order equational logic. He taught at TU Munich, the University of Miami, and the University of the West Indies.
In 2005 he joined Comsoft GmbH, a German provider of solutions in the field of air traffic control, where he now is responsible for research and development of future surveillance technologies.
Labels: aircraft, NICTA, Safety Critical Systems, Transport
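The time-difference-of-arrival position fix described in the seminar abstract above, as an added example (not code from the seminar, Comsoft or the original post): a Gauss-Newton solver recovers a position from the arrival-time differences at four ground sensors, and shows how a clock error at one sensor becomes a position error. The flat 2D geometry, the sensor layout and the aircraft position are constructed assumptions.

```python
import math

C = 299_792_458.0  # propagation speed of the transponder signal, m/s

# Constructed sample layout: four ground sensors on a 40 km square (metres).
SENSORS = [(0.0, 0.0), (40_000.0, 0.0), (40_000.0, 40_000.0), (0.0, 40_000.0)]

def tdoa(sensors, pos):
    """Arrival-time differences (s) at sensors 1..n relative to sensor 0."""
    d = [math.dist(s, pos) for s in sensors]
    return [(di - d[0]) / C for di in d[1:]]

def _solve_2x2(a, b):
    """Solve a 2x2 linear system by Cramer's rule."""
    det = a[0][0] * a[1][1] - a[0][1] * a[1][0]
    if abs(det) < 1e-12:
        raise ValueError("degenerate sensor geometry")
    return ((b[0] * a[1][1] - a[0][1] * b[1]) / det,
            (a[0][0] * b[1] - b[0] * a[1][0]) / det)

def locate(sensors, measured, guess=None, iters=50, tol=1e-4):
    """Gauss-Newton fit of a 2D position to measured TDOAs (seconds)."""
    if guess is None:  # start from the centroid of the sensor array
        guess = (sum(s[0] for s in sensors) / len(sensors),
                 sum(s[1] for s in sensors) / len(sensors))
    x, y = guess
    for _ in range(iters):
        d = [math.dist(s, (x, y)) for s in sensors]
        # Unit vectors pointing from each sensor to the current estimate.
        u = [((x - sx) / di, (y - sy) / di) for (sx, sy), di in zip(sensors, d)]
        # Residuals in metres: measured minus predicted range difference.
        r = [C * m - (di - d[0]) for m, di in zip(measured, d[1:])]
        # Jacobian of each range difference with respect to (x, y).
        jac = [(ui[0] - u[0][0], ui[1] - u[0][1]) for ui in u[1:]]
        jtj = [[sum(j[a] * j[b] for j in jac) for b in range(2)] for a in range(2)]
        jtr = [sum(j[a] * ri for j, ri in zip(jac, r)) for a in range(2)]
        dx, dy = _solve_2x2(jtj, jtr)
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < tol:  # step below 0.1 mm: converged
            break
    return x, y

def position_error(truth, timing_error_s=0.0):
    """Distance (m) between truth and the fix when sensor 1's clock is off."""
    measured = tdoa(SENSORS, truth)
    measured[0] += timing_error_s
    return math.dist(locate(SENSORS, measured), truth)

if __name__ == "__main__":
    aircraft = (12_000.0, 27_000.0)  # constructed true position
    print(f"noise-free error: {position_error(aircraft):.4f} m")
    print(f"10 ns clock error: {position_error(aircraft, 10e-9):.2f} m")
```

Ten nanoseconds of timing error corresponds to about 3 m of range difference, which is why multilateration accuracy depends on tight clock synchronisation between the sensors.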
Labels: Ombudsman, Safety Critical Systems, Telecommunications
13th Australian Conference on Safety Related Programmable Systems
University House
Australian National University
CANBERRA, 21-22 August 2008
Regulating for Safety – is it enough?
The Australian Safety Critical Systems Association (aSCSa) announces its 13th National Conference on Safety Related Systems. The 2008 conference will be held in Canberra, ACT at University House, The Australian National University and its theme will be the role of regulation in the development and deployment of safety-related software intensive systems. Apart from specific hazardous industries where some level of regulation exists, the only direct governance for the development and deployment of safety-related software intensive systems is occupational health and safety legislation which is often applied after the fact. Tort (Common) Law could also be considered as an after-the-fact control.
Continuing the very successful format of recent annual conferences, international and local keynote speakers will address this topical issue. The keynote speakers include:
John McDermid Professor of Software Engineering Science at the University of York, UK
Frank McCormick President (Certification Services, Inc., USA) and FAA Consultant DER
Paul Cheeseman Deputy Technical Director, Asset Management, Lloyd’s Register Rail, UK
A “Call for Papers” has been issued. A programme for the conference is expected to be available July 2008 following the notification of acceptances. The two-day conference will commence at 9.00am Thursday 21 August 2008.
To complement the conference a course and a tutorial are offered. Prof John McDermid will present a short course on evidenced-based approaches for safety, commencing 2.00pm Wednesday, 20 August 2008.
Want more information about the conference?
For questions about the Conference Program, please contact:
...
Dr Tony Cant (Program Chair)
Trusted Computer Systems Group
Information Network Division
Defence Science and Technology Organisation
PO Box 1500 Edinburgh SA 5111 Australia
Email: tony.cant(a)dsto.defence.gov.au
Labels: ACS, Canberra, Safety Critical Systems
From: Whole-of-Government review of e-security, Attorney-General and the Minister for Broadband, Communications and the Digital Economy, Australian Government, 3 July 2008
Joint media release
The Hon Robert McClelland MP
Attorney-General
Senator the Hon Stephen Conroy
Minister for Broadband, Communications and the Digital Economy
Deputy Leader of the Government in the Senate
Whole-of-Government review of e-security
The Attorney-General Robert McClelland and the Minister for Broadband, Communications and the Digital Economy Senator Stephen Conroy today announced a whole-of-government review of e-security.
Australia’s ever-increasing reliance on information and communications technology and the threat of a hostile online environment has prompted the review, which will assist the development of a national framework for securing Australia’s electronic networks.
“New and networked systems increasingly underpin our business and social interactions, but they also provide fertile ground for exploitation by cyber criminals”, Mr McClelland said.
“The e-security review is an opportunity to look at what help the Government can provide to develop a more secure and trusted electronic operating environment for both the public and private sectors. The review will also consider whether Commonwealth programs can be better focused to deal with the ever increasing range of online threats.”
Senator Conroy said that the review of e-security was a vital step towards fostering confidence in using the internet for personal and business activities.
“A secure online environment trusted by the community coupled with the Government’s rollout of the National Broadband Network is critical to our nation’s continued social and economic prosperity,” Senator Conroy said.
A multi-agency team, led by the Attorney-General’s Department, will conduct the review, which will be completed by the end of this year.
The terms of reference for the review are attached. Details of how the public and industry can contribute to this review are available at: www.ag.gov.au/esecurityreview
Date: 3 July 2008
Media Contact:
Adam Sims, Mr McClelland’s office 0419 480 224
Tim Marshall, Senator Conroy’s office 0408 258 457
E-SECURITY REVIEW 2008
TERMS OF REFERENCE
The Attorney-General's Department is to lead a review of the Australian Government’s e‑security policy, programs and capabilities, assisted by other agencies represented on the E‑Security Policy and Coordination Committee. The review will take account of both the threat from electronic intrusions into Australian networks and the threat from complementary attacks on their physical, administrative or personnel security arrangements.
The purpose of the review is to develop a new Australian Government E-Security Framework in order to create a secure and trusted electronic operating environment for both the public and private sectors.
The review will:
- develop a new Australian Government policy framework for e-security, covering the span of e-security issues across government, business and the community
- examine current programs, arrangements and agency capabilities and capacities that contribute to e-security, including:
  - those being implemented by agencies under the E-Security National Agenda
  - incident response and crisis management arrangements for e-security, including the recommendations from Australia’s participation in Exercise Cyber Storm II, and
  - other relevant information and communications technologies (ICT) initiatives being undertaken by the Commonwealth and by state and territory governments to establish their suitability and effectiveness to achieve the policy objectives of the new Framework.
- address emerging e-security issues including:
  - those resulting from technological change, including roll-out of the National Broadband Network, and
  - an increasingly hostile online security environment, which does not respect traditional jurisdictional boundaries
- consider opportunities provided by international cooperation, including engagement with similar economies and like-minded governments
- bring forward recommendations, prioritised in accordance with an assessment of risk, for consideration by Government to:
  - tailor programs and agency capabilities and capacity to achieve the policy objectives of the new Framework
  - address current and emerging threats, and
  - determine how to measure the success of each approach
- principally focus on measures to be effective in the period to mid-2011, but also take into account longer term considerations, and
- consult with relevant stakeholders and experts in government, business, academia and the community.
The review is to be completed for Government consideration by October 2008.
An executive committee comprising senior representatives of the Attorney-General’s Department, the Defence Signals Directorate, ASIO, the Department of the Prime Minister and Cabinet, the Department of Broadband, Communications and the Digital Economy, the Australian Federal Police and the Australian Government Information Management Office will provide oversight of the Review.
Labels: Australian Government, ICT Policy, Safety Critical Systems, Security
The seaman lookout on board Pride of Bilbao at the time of the incident was 60 years of age. He had worked on board the vessel for 10 months and had sailed previously on board similar vessels for many years. He was, therefore, an experienced lookout.
He had a valid ENG 1 certificate of health, which includes a requirement for regular eyesight tests.
His eyes had been tested privately in 2005, after which he was prescribed glasses to adjust his slight short-sighted vision. As a consequence, he purchased a pair of reactolite, or photochromic lensed glasses, that he could wear both during the day and at night because they darkened only in reaction to daylight or ultra violet (UV) light.
Following the accident, the MAIB had the lookout’s eyes examined once again and his prescription was found to be still correct. His eyes were also tested for other defects or anomalies that might have affected his vision or night time adaptation, but none were found.
2.5.3 The seaman lookout’s glasses
... The lookout’s photochromic glasses were sent to University College London’s Institute of Ophthalmology to assess whether they might have had an adverse effect upon his night vision.
The glasses were examined and a report was prepared (Annex 1), which concluded that the optical transmission of the lenses was no more than 80% efficient and, taking into account all of the other known factors, was probably less at the time of the accident. This compares to 94.7% and 99.4% optical transmittance of ordinary uncoated and coated lenses, respectively. This was a startling result as the consequences of such a reduction in night vision had not been fully appreciated by opticians and ophthalmologists before the investigation of this accident.
The report also stated that it would be correct to assume that a uniform reduction in brightness due to the optical density of the lenses would decrease the likelihood that a subject would detect the lights of shipping vessels.
It appears, therefore, that the lookout’s glasses would have been a contributory factor when considering why Ouzo’s lights were not seen earlier. However, there are no rules or guidelines concerning the wearing of such glasses on the bridge of a vessel at night.
This incident has raised a serious concern that glasses fitted with photochromic lenses are inappropriate for use by lookouts on the bridge of merchant vessels. It also raises the question of applicability of use by operators in other modes of transport.
The MAIB also requested the Institute of Ophthalmology to test lenses from the major tinted photochromic lens manufacturers to determine whether the concerns raised in the initial report regarding the lookout’s glasses were widespread, and not just applicable to that particular pair or manufacturer (see Annex 2). The report concluded that all of the photochromic lenses tested showed significant reductions in the amount of transmitted light.
However the lenses of the glasses supplied for test by the MAIB were significantly inferior to the other currently commercially available lenses indicating that either manufacturers have improved the performance of their photochromic materials, or that the performance of photochromic glasses is reduced with time. As at least one manufacturer only guarantees the performance of lenses for 2 years, the latter reason may be the most likely.
This is obviously an additional concern regarding photochromic lens glasses, however it is outside the scope of this investigation. ...
From: Report on the investigation of the loss of the sailing yacht Ouzo and her three crew South of the Isle of Wight during the night of 20/21 August 2006, Report No 7/2007, Marine Accident Investigation Branch, United Kingdom, April 2007
Labels: Safety Critical Systems, Transport
Labels: Defence IT, f-35, Safety Critical Systems, UAV
Railways use very stringent safety standards, so it would be interesting to see how they made the case that WiFi would be reliable enough for controlling trains. It may be that the article is wrong and a WiFi-like system is being used, perhaps using different dedicated frequencies. As an example of that, European railways use a modified form of the GSM phone standard, adapted for railway requirements, called GSM-Railway (GSM-R). This uses separate frequencies from the GSM phone networks and has special features for safety and reliable working. Alternatively the railway might use several different commercial networks (as has been proposed in Australia).
Increasingly, moving block train control systems are being used, operating as communication-based train control (CBTC) systems. Modern CBTC systems require up to 1Mbps (megabit per second) of uninterrupted communication between the trackside automation equipment and fast-moving trains.
Because most rail operators in Asia demand a high local content, it seems appropriate to use international radio standards and commercial off-the-shelf radio components, which can provide the necessary bandwidth. This is generally achieved by using standards and technologies for wireless local area networks (WLAN), and typical CBTC systems are based on the well-known 802.11b standard. ...
From: Wireless technology takes off in Asia, International Railway Journal, July 2007
It is not clear how different the technology Alcatel uses is from ordinary office and home WiFi.
Alcatel is pioneering the implementation of an open standards RF communications technology (802.11 Frequency Hopping Spread Spectrum (FHSS)) for trains moving in excess of 120km/h. Whether it’s used for Communication-Based Train Control (CBTC) or Closed Circuit Television (CCTV), 802.11 remains the preferred choice since it’s the only standard that supports mobility and defends against obsolescence. Alcatel adopted 802.11 FHSS technology in 1999 and has performed several trials and demonstrations since then.
From: Open Standards for CBTC and CCTV, Radio-Based Communication, Ed Kuun, date: ????
Labels: railways, Safety Critical Systems, WiFi
Labels: Defence IT, Safety Critical Systems, UAV