View Full Version : Homicidal autopilots


Brent Swain
02-11-2009, 10:07 PM
In recent years, a couple of boats, while motoring alongside BC Ferries, suddenly did a 90-degree turn into the path of the ferries, killing all on board in one instance, and killing the skipper's family, wife and kids, in the other.
People ask, "Why would anyone turn into the path of a BC Ferry?" They probably didn't. Their autopilot did it for them.
When the button on an autopilot jams, it turns the helm hard over. It only takes a moment's inattention to miss it. I've had this happen many times. Who among us has never had that brief moment's inattention?
I have urged the media, Transportation Safety Board, Coast Guard, and the Mounties to warn the public of the danger of relying on an autopilot in crowded waters, especially alongside big ships. They have done nothing, and my suggestions have met with indifference or sarcasm. Does their loyalty to protecting big businesses from the liability override their concern for public safety?
Boats should never use an autopilot in congested waters in heavy marine traffic areas, and this should be taught in all boater education courses. Is it? Has anyone had this pointed out to them? Have you ever seen this mentioned on a safe boating pamphlet? Is it a question on any of the tests? Not a chance. It was probably the cause of the accidents that gave us the mandatory pleasure boat operator's certificate, yet the government agencies have done nothing to warn the public of the danger. That is what they are being paid for.
Brent

daiquiri
02-12-2009, 04:44 AM
I agree that more regulations, laws and codes of conduct would be necessary. But this appears to me as the case where more brain usage is desirable, above all.
I would never rely on a bunch of stupid microchips and electromechanical devices to drive me through a zone infested by moving monsters made of 10^x tonnes of steel. ;)

When the button on an autopilot jams, it turns the helm hard over.
Actually, I would suspect more some kind of electromagnetic interference which may result in false input signals for an autopilot. There are plenty of powerful radio communication devices, radars, etc. in heavily congested traffic routes. Would be curious to know if any research in the marine industry has ever been made in this sense.

apex1
02-12-2009, 12:18 PM
Actually, I would suspect more some kind of electromagnetic interference which may result in false input signals for an autopilot. There are plenty of powerful radio communication devices, radars, etc. in heavily congested traffic routes.

I share this opinion and would like to add that these very dense routes are mainly found close to bigger harbour entrances, where land-based interference adds to the problem.
just my two € 0,02

Regards
Richard

Jack Daniels Eq
03-15-2009, 08:31 AM
There is only one PIC.
It is his call whether to stay on autopilot or not.
Somebody was clearly asleep whilst the boat swung across the bow of the approaching vessel and too damned close.
Several fatal aircraft icing accidents of late have had autopilots to blame, whilst icing conditions prevailed on both wings & engines.
That is why we have live, competent pilots.
Jack

Luckless
03-15-2009, 11:08 AM
As a computer science student, I fully trust a computer to do exactly as it is programmed to do.

I however don't trust the programmer to have done it correctly. (Remember, computers are only as smart as their programmers and users, so next time you go to scream about how stupid your computer is, remember that the programmer likely went to school far longer than you did.)


Have you tried writing to newspapers in your area, or tried to get marinas to post up warnings not to rely on auto pilot when too close to other ships? If you bring people's attention around to the fact that authorities have an option to prevent these accidents, but are doing nothing about it, then usually politics will rear its head and change things fairly quickly.

Jack Daniels Eq
03-15-2009, 01:24 PM
I said the PIC was an idiot.
Jack

tspeer
03-15-2009, 05:26 PM
As a computer science student, I fully trust a computer to do exactly as it is programmed to do....

True, given the same inputs, a computer program will produce the same outputs. However, in the case of electromagnetic interference, the inputs may not be what one expects them to be, and the processing may not execute the instructions correctly.

Design for EMI is a very important part of a control system, as is testing for EMI by exposing it to the design radiation levels across the frequency spectrum. I don't know how susceptible the autopilot in the incident was, but the radar on a ferry could easily be enough to upset it.

An actuator can go hard-over faster than a person can react, and even the simplest tiller pilots can produce forces that may be difficult to overcome in an emergency. For example, even the humble Raymarine ST1000+ tiller pilot can produce a force of 125 lb. and go hard-over in 4 seconds. And since it uses a lead-screw electromechanical drive, it will be locked in position and have to be lifted off the tiller before the rudder can be restored. When the boat suddenly turns into the path of a ferry, one's first reaction would probably be to grab the tiller, and only after finding out that didn't work, grab for the autopilot. By that time, some seconds have elapsed, even if the pilot was right at the controls (3 seconds is the reaction time used for FAA certification of aircraft to unexpected events like this). I've no idea what make or model of autopilot was actually used, but since the ST1000+ is the lowest end of the autopilot scale, this gives an indication of the potential hazard.

Another source of anomalous behavior, believe it or not, is cosmic rays. A cosmic ray can zap a gate in an electronic chip and change its state. The event is usually short-lived and not noticed. But if it happens to be, say, a high-order bit in a memory location, then suddenly the autopilot's brain is working on completely different information.

One way to help avoid such problems is to have a redundant system. This more than doubles or triples the cost and difficulty of developing it. For example in an aircraft fly-by-wire control system (typically triplex or quadruplex redundancy), redundancy management typically occupies 60% - 70% of the software, while the control laws are often only 20% - 30% of the software. But if the interference is random noise, then the channels will be affected differently and an errant channel can be detected and taken out of the mix before it does much harm. It's unlikely a recreational autopilot will have provisions like this, even with the falling cost of electronics - it's just too expensive.

So it's not just the incompetence of programmers that determines autopilot safety. (Actually failure to program correctly to the requirements is actually quite unusual, especially after even a modest amount of testing. But not specifying the right requirements in the first place - now there's the rub.) A single redundant autopilot simply cannot be trusted to do the right thing all the time.
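
Added example, not part of the thread and not any manufacturer's code: the redundancy management tspeer describes above, written in C. Three channels are voted by median, a channel that miscompares for several frames in a row is taken out of the mix, and with two channels left a persistent disagreement disengages the pilot. The threshold, the persistence count and all names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

#define N_CH       3
#define MISCOMPARE 5.0 /* deg of rudder command; assumed threshold */
#define PERSIST    3   /* consecutive bad frames before latch-out; assumed */

typedef struct {
    bool   failed[N_CH];   /* channel latched out of the mix */
    int    strikes[N_CH];  /* consecutive miscompares per channel */
    int    duplex_strikes; /* consecutive disagreements, two channels left */
    double last;           /* last command the healthy channels agreed on */
    bool   disengaged;     /* fail-passive: drive released, alarm raised */
} voter_t;
static double absd(double x) { return x < 0 ? -x : x; }
static double median3(double a, double b, double c) {
    if (a > b) { double t = a; a = b; b = t; }
    if (b > c) b = c;     /* b = min(b, c) */
    return a > b ? a : b; /* max(a, min(b, c)) */
}

/* One control frame: returns the rudder command passed to the actuator. */
double vote(voter_t *v, const double in[N_CH]) {
    int ok[N_CH], n = 0;
    for (int i = 0; i < N_CH; i++)
        if (!v->failed[i]) ok[n++] = i;
    if (v->disengaged || n < 2) { /* nothing left to cross-check against */
        v->disengaged = true;
        return 0.0;               /* placeholder; the drive is released */
    }
    if (n == 3) {                 /* triplex: median masks one bad channel */
        double ref = median3(in[0], in[1], in[2]);
        for (int i = 0; i < N_CH; i++) {
            v->strikes[i] = absd(in[i] - ref) > MISCOMPARE ? v->strikes[i] + 1 : 0;
            if (v->strikes[i] >= PERSIST) v->failed[i] = true;
        }
        return v->last = ref;
    }
    double a = in[ok[0]], b = in[ok[1]]; /* duplex: detect, cannot isolate */
    if (absd(a - b) <= MISCOMPARE) {
        v->duplex_strikes = 0;
        return v->last = (a + b) / 2.0;
    }
    if (++v->duplex_strikes >= PERSIST) { v->disengaged = true; return 0.0; }
    return v->last;               /* hold last agreed command meanwhile */
}

double run_frames(voter_t *v, const double frames[][N_CH], int n) {
    double out = 0.0;
    for (int i = 0; i < n; i++) out = vote(v, frames[i]);
    return out;
}

int main(void) {
    voter_t v = {0}; /* constructed data: channel 1 hard over from frame 1 */
    const double f[5][N_CH] = {{2, 2.1, 1.9}, {2, 35, 2}, {2, 35, 2}, {2, 35, 2}, {2, 35, 2}};
    double out = run_frames(&v, f, 5);
    printf("cmd=%.1f ch1_failed=%d\n", out, v.failed[1]);
}
```

The hard-over channel never reaches the rudder, because the median ignores it from the first bad frame; the persistence count only decides when it is latched out for good.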

marshmat
03-15-2009, 10:19 PM
Don't get me started on cosmic rays, Tom.... I have friends who work on neutrino and dark-matter detectors, and you know how sensitive those are to such interference ;) And I've seen plenty of single-redundant control systems on solar cars get cooked by EMI from the motors- everything works fine on the bench, but toss it all in at once with a few hundred high-frequency volts and everything's toast.

I really do not like it when people trust their electronics before their eyes. My runabout has a radar cross-section not much bigger than that of a B-2 stealth bomber. I've been nearly run down several times in narrow channels by big, fancy boats whose pilots were too busy watching the radar and GPS to bother looking out the windshield. This in Force 1 weather and broad daylight.

<end rant>.....

Brent Swain
03-17-2009, 04:45 PM
Some people trust their computers and calculators more than their eyes , experience, and logic when it comes to design issues.
Brent

Landlubber
03-17-2009, 11:58 PM
Autopilots need to be "swung" before use too, most people ignore this simple part of the process....resulting in the stories above......oh, and keep the tools away from the sensor, it is magnetic don't forget.

Luckless
03-18-2009, 10:56 AM
oh, and keep the tools away from the sensor, it is magnetic don't forget.

I think that is one of the biggest issues with many automated systems these days. I don't have much experience working with auto pilots for boats, but I do work with a lot of other systems. Lack of proper redundancy is a major point I see a lot of people overlooking.

As for 'cosmic rays', they should have no effect on a properly designed system. The issue is, how often are these systems properly designed? After all, all critical memory should be stored in self error checking and correcting memory structures. (Extra data is used, and it is run through a math problem before use; if the equation works out, data is good to go; if something doesn't work out right, the data is looked at, automatically corrected, and off you go again. If it fails to correct properly, then systems should fail gracefully.) Should they be allowed to continue being used if they are so poorly designed as to not have effective third and fourth tier backup redundancy on critical aspects?
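
Added example, not part of the thread and not any autopilot's firmware: the self-checking memory Luckless describes, as an extended Hamming (8,4) code in C. One flipped bit per stored cell is corrected and rewritten, two flipped bits are detected and reported so the caller can fail safe. The function names, the nibble-per-byte layout and the stored heading value are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE } ecc_status;

/* XOR of the positions (1..7) of all set bits; 0 for a valid codeword. */
static unsigned syndrome(uint8_t cw) {
    unsigned s = 0;
    for (unsigned pos = 1; pos < 8; pos++)
        if ((cw >> pos) & 1) s ^= pos;
    return s;
}
static unsigned parity8(uint8_t x) { x ^= x >> 4; x ^= x >> 2; x ^= x >> 1; return x & 1; }
/* 4 data bits at positions 3,5,6,7; checks at 1,2,4; overall parity at 0. */
uint8_t ecc_encode(uint8_t nibble) {
    static const int dpos[4] = {3, 5, 6, 7};
    uint8_t cw = 0;
    for (int i = 0; i < 4; i++)
        if ((nibble >> i) & 1) cw |= (uint8_t)(1u << dpos[i]);
    unsigned s = syndrome(cw);
    cw |= (uint8_t)(((s & 1) << 1) | (((s >> 1) & 1) << 2) | (((s >> 2) & 1) << 4));
    return cw | (uint8_t)parity8(cw);
}

ecc_status ecc_decode(uint8_t cw, uint8_t *nibble) {
    unsigned s = syndrome(cw), odd = parity8(cw);
    if (s && !odd) return ECC_UNCORRECTABLE;   /* two bits flipped */
    if (odd) cw ^= (uint8_t)(1u << s);         /* one bit flipped: s names it */
    *nibble = (uint8_t)(((cw >> 3) & 1) | (((cw >> 5) & 1) << 1) |
                        (((cw >> 6) & 1) << 2) | (((cw >> 7) & 1) << 3));
    return odd ? ECC_CORRECTED : ECC_OK;
}

void store_u16(uint8_t mem[4], uint16_t v) {
    for (int i = 0; i < 4; i++) mem[i] = ecc_encode((v >> (4 * i)) & 0xF);
}

/* false means the stored value cannot be trusted: caller must fail safe. */
bool load_u16(uint8_t mem[4], uint16_t *v) {
    uint16_t out = 0;
    for (int i = 0; i < 4; i++) {
        uint8_t n;
        ecc_status st = ecc_decode(mem[i], &n);
        if (st == ECC_UNCORRECTABLE) return false;
        if (st == ECC_CORRECTED) mem[i] = ecc_encode(n); /* scrub the cell */
        out |= (uint16_t)(n << (4 * i));
    }
    *v = out; return true;
}

int main(void) {
    uint8_t mem[4]; uint16_t hdg = 0;
    store_u16(mem, 900);             /* constructed value: 090.0 deg in tenths */
    mem[3] ^= 0x80;                  /* simulated upset, high-order data bit */
    bool ok1 = load_u16(mem, &hdg);  /* corrected: hdg is 900 again */
    mem[0] ^= 0x28;                  /* two bits in one cell */
    bool ok2 = load_u16(mem, &hdg);  /* detected, not corrected */
    printf("ok1=%d hdg=%u ok2=%d\n", ok1, hdg, ok2);
}
```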

Landlubber
03-18-2009, 09:47 PM
On the subject of redundancy etc., the electronic engine controls made for Morse in Japan do not have fail-safe operation; they fail in the mode they are in at the time, ooooops.

ancient kayaker
03-19-2009, 10:14 AM
Interesting thread. An autopilot is a form of robot, operating in an environment where humans can be at risk. The design requirements for industrial robots where humans can enter the "reach envelope" are strenuous, especially if the humans are likely to be untrained or members of the public.

Autopilots came about at a time when society was much less obsessive about safety than it is now. If they were being introduced for the first time you can bet that all kinds of failure modes and effects analysis would be performed at the requirements, design and testing stages to ensure the chances of a dangerous failure were minimized or eliminated.

The same has often been said about cars; the safety research has been mostly about the occupant but if they were just appearing on the market all kinds of questions about their impact (nasty pun) on pedestrians would be asked.

Landlubber
03-20-2009, 11:07 PM
Yeah ancient, we are just too darn smart for ourselves now, it is stifling much new development work, particularly in inventions. I have found many are simply not bothering any more.

marshmat
04-16-2009, 01:40 PM
It may be interesting to compare against the autopilot of an aircraft. A simple 2-axis system for a single engine Cessna, fail-passive with no autoland or other fancy stuff, is going to run you at least six thousand bucks. Up that by an order of magnitude for something you might find on a small twin-turboprop, and perhaps another order of magnitude above that for something that can guide a commercial jet to a runway.

This is equipment that's been radiation-hardened, tested to destruction hundreds of times over, its code debugged and optimized by dozens of the best software engineers around. Every component in the system is regularly inspected by trained technicians. Do the pilots trust it? Only for about half a second- they're trained to keep a close eye on everything that's going on during a landing approach, and if the autopilot makes a mistake, to switch to manual control. I've been on planes where the autopilot made a slight jolt, and the pilot immediately took over before most of the passengers realized it. That's why we still have people up front in our planes!

Now, the boat version:
You buy a non-redundant, fail-{we-don't-know-how-until-it-does}, single-servo unit for a few hundred, maybe a thousand or two, dollars. You install its actuator down below and its control head out in the open, exposed to rain, spray, etc. It receives few inspections and no maintenance unless it fails. But we trust this device to do its job, even to the point where some folks will leave the helm for a few minutes in a channel, because the autopilot can handle it?

Jack Daniels Eq
04-16-2009, 03:42 PM
Exactly - it's the same folks who never bother to check oil & tires - their wrecks are in the CHP yards for the world to see - or who purchase a firearm and some wonk disarms & shoots them. They never went to charm school either.
All this goes to the Einstein infinity versus man's stupidity thingy ... where he states categorically that he now has some serious doubts on the infinity bit. Amen!!

ancient kayaker
04-16-2009, 09:08 PM
Surely the auto-pilot instructions have all that lawyer-inserted text that includes "do not leave unsupervised", "not for steering an automobile", "do not immerse in water", "not suitable for children under seven" etc?

I recall seeing a program on a modern jet which crashed: turned out the auto-pilot was designed to stop controlling the ailerons if the pilot moved the stick but to keep operating the other control surfaces. Nobody told the pilots, so before the crash the cockpit recorder hears the pilots desperately trying to figure out why they were flying almost upside down.

I just bought a new toaster. About 3 lines on how to use it, not very clear, and reams of crap on all the ways you can kill yourself if you really want to do that with a toaster.

My wife's flowers came with care instructions which include the warning "not for consumption". Geeze, if I'd known that I wouldn't have bought them; suppose she got hungry?

Frosty
04-16-2009, 09:12 PM
You can't compare a 200 dollar auto pilot with that of an aircraft, and yes they do suddenly do this 90 degree thing. If you haven't experienced it you need more sea time.

However - I don't think they do it any more, it's been some years since I heard of one doing it, but I had one that did it twice for no reason, compass swung, no aliens around, no one switched the radio on -- which was always blamed.

I did not buy that brand again. Brand withdrawn for obvious reasons.

marshmat
04-16-2009, 10:48 PM
I just bought a new toaster. About 3 lines on how to use it, not very clear, and reams of crap on all the ways you can kill yourself if you really want to do that with a toaster.
From http://xkcd.com/293/ :

Frosty
04-17-2009, 03:29 AM
I keep finding lizards in the crumb tray of my toaster. I suppose they go for some crumbs.

You know the little gecko things. Only in Thai they are a Jingjok.

Brent Swain
04-17-2009, 03:28 PM
Look up the word "Dictionary" in the dictionary. A little hand comes out and slaps you in the face.
Brent

rasorinc
04-17-2009, 08:40 PM
A hand held control for an auto pilot on a boat lets you walk out on the aft deck with eyes wide open and be ready to run to the helm in super fast order.

Fanie
04-17-2009, 09:15 PM
Electronics can be very reliable if they are designed to accommodate the possible hazards. If it works in a wet environment it has to be waterproofed, if there is EMI it must be shielded, it should consider certain behaviour patterns and give an audible alarm when certain criteria are exceeded.

The problem is most manufacturers want to spend $5 on the product but want to sell for $1500. So they go skimpy on protective measures since it's not obviously noticeable, and most have the idea they hope the customer gets it wet and it packs up or a bit of static gets on an input and blows it, then has to come buy another one.

Frosty
04-17-2009, 09:42 PM
If you are on auto pilot in confined areas you shouldn't leave the helm.

It says on the box -- an aid to navigation and a continuous look out should be maintained.

When mine did it sometimes I would leave it to see if it would eventually return to the preset heading - it did not. It recovered some but about half.

rasorinc
04-17-2009, 09:55 PM
When trained as a pilot (aircraft) your eyes sweep the gauges every 20 seconds, 30 seconds at most. The auto pilot lets you stretch -- that's all.

MikeJohns
04-17-2009, 10:11 PM
You can't compare a 200 dollar auto pilot with that of an aircraft, and yes they do suddenly do this 90 degree thing. If you haven't experienced it you need more sea time.

However - I don't think they do it any more, it's been some years since I heard of one doing it, but I had one that did it twice for no reason, compass swung, no aliens around, no one switched the radio on -- which was always blamed.

I did not buy that brand again. Brand withdrawn for obvious reasons.

Interference has been a significant problem with many pilots, particularly from VHF transmission, when they would commonly go hard over. The tiller pilots were really bad for this when the input was the electronic compass, and this endangered boats when running in heavy weather, not just shipping channels.

Modern autopilots work off the NMEA data stream, more commonly the GPS position, and derive their heading from that. They seem much more reliable and better shielded and noise filtered.

peter radclyffe
04-17-2009, 11:21 PM
From http://xkcd.com/293/ :
This sums up American lawyers, where common sense is like a kryptonite cash cow.

daiquiri
04-18-2009, 04:45 AM
When trained as a pilot (aircraft) your eyes sweep the gauges every 20 seconds, 30 seconds at most.

And what happens when a stewardess enters the cockpit?
Hmmmm, this makes me think about the real origin of the word "cockpit"...

Ok, ok, I'll leave now...

ancient kayaker
04-18-2009, 10:18 AM
OK, I think he's gone. So what does happen when a stewardess enters the cockpit?

Fanie
04-18-2009, 12:55 PM
He switches the autopilot on.

ancient kayaker
04-21-2009, 10:23 AM
According to a TV program I watched a week or two back, the pilot wakes up, lifting his foot off the footrest and accidentally switching off the transponder as he does so, accepts his coffee and eyes the stewardess thoughtfully. Shortly after there is a mid-air collision. Turned out one of the planes was at the wrong altitude, courtesy of a poorly designed ground control system. If the transponder had stayed on the systems of the 2 planes would have detected the situation and an alert would have sounded.

Most automatic systems are very reliable and will do exactly what they are told with great precision. If they are told to do the wrong thing, they will do it with a perfection that no human can match.

As a former engineer I have always had reservations about control systems with a combination of human and automatic control. Theoretically it should have the best parts of its 2 components, but the worst features can come together at the wrong time. Preferably, the automatic system should back up the human, not the other way around. With an auto pilot the designer may be thinking that the human pilot will take over in a situation that the machine was not intended to handle, but with high-speed aircraft the human may not be able to spot the problem in time. With shipping he/she may not even be on watch.

Sooner or later the human will be taken out of the equation altogether, it is going to happen; perhaps it is time. The technology is capable of it, properly designed of course. Let the pilot have a comfortable seat and give him automatically generated tests from time to time to keep him awake, for a few years until all the bugs are out and the crash rate falls below the current system then lay them off.

TeddyDiver
04-29-2009, 03:15 PM
http://www.youtube.com/watch?v=reRRgEET6Kw&NR=1 :cool:

apex1
04-30-2009, 08:17 PM
If it has no balls, no pu..y, say, if you cannot fu.. it, it will fu.. you, sooner or later! If it has B.. and P.. it may fu..k you as well but you might notice in advance and take care. That's what I told my pupils ages ago.
In our early days we were very impressed by sophisticated systems, and loved to own such systems as a backup for our "poor handmade" seamanship. Today people rely totally on such stuff and are in a situation where they are the "backup" for the crap! Or (often) not.
My two cent (€ as usual)
