Re: FMS capability (and Enhanced GPWS)

From:         ehahn@wren.mitre.org (Ed Hahn)
Organization: The MITRE Corporation, McLean, Va.
Date:         30 Mar 96 16:01:10 
References:   1 2 3 4
View raw article
  or MIME structure

rickydik@ix.netcom.com (Ralph Ricks ) says:

   In <airliners.1996.282@ohare.Chicago.COM> ehahn@fairlite.mitre.org (Ed
   Hahn) writes:

   >In any case, the FMS does not have terrain data available to it, and
   >the current avionics industry development is leaning more toward
   >giving the GPWS a terrain data base, and to leave the FMS alone...

   Won't the Enhanced GPWS have the same constraints of proving the
   integrity of the database that the FMS would have?
   What about the integrity of the GPS sensor, or whatever is used to
   determine the plane's location within the database?

   GPWS has saved countless lives, but it has repeatedly proven itself as
   incapable of providing sufficient warning in many CFIT accidents.
   Therefore it is inadequate as a fallback system if the database based
   system should fail to warn.

   You can't just say, "If one system doesn't work, then MAYBE the other
   will."

====
I agree with your final statement there.  However, the problems of
integrating a terrain data base go way beyond the data base integrity
issue.

Because the FMS is essentially coupled with the autopilot and flight
control systems, any changes to existing FMS software and hardware
would require significant recertification efforts to ensure that there
wouldn't be any undetected hardware/software failures which would
inhibit any part of the FMS capability.  (i.e. you wouldn't want a
failure of the CFIT function to take out the autopilot.)

While "new design" aircraft would be able to have the data base
integrated with the FMS, the real challenge is retrofitting the vast
number of aircraft already out there.

After all, it will be a LONG time before B737-300s, B757s, and B767s
(and similar MD and Airbus products) are retired from service.  The
addition of an integrated terrain data base on these aircraft would
require a basic change to the architecture of FMS, as the FMS was NOT
designed to have the CFIT function of these aircraft.  Nor, to my
knowlege, are aircraft designers leaning toward putting the CFIT
avoidance function entirely on the FMS as a RETROFIT option.  (I would
be interested to find if anyone WAS considering this.)

Despite the statements about the "inadequacies" of the GPWS, most of
the holes in the protection envelope exist because the GPWS does not
have knowledge of the terrain.  The addition of the terrain data base
would, in fact, not only "plug" these holes, but would provide a fully
integrated CFIT avoidance architecture (as opposed to having separate
CFIT avoidance functions split across several boxes).  Pilots will
tell you that having multiple alerting systems go off simultaneously
is probably the easiest way to confuse the issue, and thus prevent
immediate action.

I disagree strongly with the claim that GPWS would be "inadequate as
a fallback system if the database based system should fail to warn".
One can come up with any number of scenarios which would cripple the
CFIT avoidance function NO MATTER WHERE that function is implemented.
After all, if the database is the source of the missed warning, then
it won't matter where the data base resides.  Similarly, if the
problem is a faulty GPS sensor, it will affect the FMS just as easily
as the GPWS.  (In fact, if designed properly, the GPWS ought to have a
similar position-source fallback scheme as the FMS.)

The bottom line is that there are many ways to provide a similar level
of safety.  For new aircraft, where aircraft designers have the
freedom to set up new avionics architectures, there are definitely
many options open to choose from.

However, for existing aircraft and avionics architectures, while
designers have the same options, the realities of the certification
process will inevitably make certain channels of upgrading capability
much more attractive to the industry than other methods.  Provided
that they deliver the same level of safety, there shouldn't be any
reason why one method should be favored over any other.

Finally, despite all of the above comments, I am certainly not
attempting to stop debate on this issue.  I feel that your comments in
general are very interesting discussion points, and value their
contribution to the forum.  I hope you find my comments likewise.  :-)

ed

--------   Ed Hahn | ehahn@mitre.org | (703) 883-5988   --------
The above comment reflects the opinions of the author, and does not
constitute endorsement or implied warranty by the MITRE Corporation.
Really, I wouldn't kid you about a thing like this.