Homicidal autopilots

In recent years, a couple of boats, while motoring alongside BC Ferries, suddenly did a 90 degree turn into the path of the ferries ,killing all onboard in one instance, and killing the skippers family, wife and kids, in the other .
People ask " Why would anyone turn into the path of a BC Ferry." They probably didn't . Their autopilot did it for them.
When the button on an autopilot jams, it turns the helm hard over. It only takes a moment inattention to miss it. I've had this happen many times. Who amoung us has never had that brief moment's inattention?
I have urged the media, Transportation Safety Board, Coast Guard , and the Mounties to warn the public of the danger of relying on an autopilot in crowded waters, especialy alongside big ships. They have done nothing ,and my suggestions have met with indifference or sarcasm. Does their loyalty to protecting big businesses from the liability, overide their concern for public safety?
Boats should never use an autopilot in congested waters in heavy marine traffic areas, and this should be taught in all boater education courses. Is it? has anyone had this pointed out to them? Have you ever seen this mentioned on a safe boating pamphlet? Is it a question on any of the tests ?Not a chance. It was probably the cause of the accidents that gave us the mandatory pleasure boat operators certificate , yet the government agencies have done nothing to warn the public of the danger. That is what they are being paid for.
Brent

 

I agree that more regulations, laws and codes of conduct would be necessary. But this appears to me as the case where more brain usage is desireable, above all.
I would never rely on a bunch of stupid microchips and electromechanical devices to drive me through a zone infested by moving monsters made of 10^x tonnes of steel.

Actually, I would suspect more on some kind of electromagnetic interference which may result in false input signals for an autopilot. There is a plenty of powerful radio communication devices, radars etc. in heavily congested traffic routes. Would be curious to know if any research in marine industry has ever been made in this sense.

 

I share this opinion and like to add that these very dense routes are mainly found close to bigger harbour entrances where landbased interference add to the problem.
just my two € 0,02

Regards
Richard

 

There is only one PIC
It is his call whether to stay on autopilot or not.
Somebody was clearly asleep whilst the boat swung across the bow of the approaching vessel and too damned close.
Several fatal aircraft icing accidents of late have had autopilots to blame, whilst icing conditions prevailed on both wings & engines
That is why we have live, competent pilots.
BR>Jack

 

As a computer science student, I fully trust a computer to do exactly as it is programmed to do.

I however don't trust the programmer to have done it correctly. (Remember, computers are only as smart as their programmers and users, so next time you go to scream about how stupid your computer is, remember that the programmer likely went to school far longer than you did.)


Have you tried writing to newspapers in your area, or tried to get marinas to post up warnings not to rely on auto pilot when too close to other ships? If you bring people's attention around to the fact that authorities have an option to prevent these accidents, but are doing nothing about it, then usually politics will rear its head and change things fairly quickly.

 

I said the PIC was an idiot
BR>Jack

 

True, given the same inputs, a computer program will produce the same outputs. However, in the case of electromagnetic interference, the inputs may not be what one expects them to be, and the processing may not execute the instructions correctly.

Design for EMI is a very important part of a control system, as is testing for EMI by exposing it to the design radiation levels across the frequency spectrum. I don't know how susceptible the autopilot in the incident was, but the radar on a ferry could easily be enough to upset it.

An actuator can go hard-over faster than a person can react, and even the simplest tiller pilots can produce forces that may be difficult to overcome in an emergency. For example, even the humble Raymarine ST1000+ tiller pilot can produce a force of 125 lb. and go hard-over in 4 seconds. And since it uses a lead-screw electromechanical drive, it will be locked in position and have to be lifted off the tiller before the rudder can be restored. When the boat suddenly turns into the path of a ferry, one's first reaction would probably be to grab the tiller, and only after finding out that didn't work, grab for the autopilot. By that time, some seconds have elapsed, even if the pilot was right at the controls (3 seconds is the reaction time used for FAA certification of aircraft to unexpected events like this). I've no idea what make or model of autopilot was actually used, but since the ST1000+ is the lowest end of the autopilot scale, this gives an indication of the potential hazard.

Another source of anomalous behavior, believe it or not, is cosmic rays. A cosmic ray can zap a gate in an electronic chip and change its state. The event is usually short-lived and not noticed. But if it happens to be, say, a high-order bit in a memory location, then suddenly the autopilot's brain is working on completely different information.

One way to help avoid such problems is to have a redundant system. This more than doubles or triples the cost and difficulty of developing it. For example in an aircraft fly-by-wire control system (typically triplex or quadruplex redundancy), redundancy management typically occupies 60% - 70% of the software, while the control laws are often on 20% - 30% of the software. But if the interference is random noise, then the channels will be affected differently and an errant channel can be detected and taken out of the mix before it does much harm. It's unlikely a recreational autopilot will have provisions like this, even with the falling cost of electronics - it's just too expensive.

So it's not just the incompetence of programmers that determines autopilot safety. (Actually failure to program correctly to the requirements is actually quite unusual, especially after even a modest amount of testing. But not specifying the right requirements in the first place - now there's the rub.) A single redundant autopilot simply cannot be trusted to do the right thing all the time.

 

Don't get me started on cosmic rays, Tom.... I have friends who work on neutrino and dark-matter detectors, and you know how sensitive those are to such interference And I've seen plenty of single-redundant control systems on solar cars get cooked by EMI from the motors- everything works fine on the bench, but toss it all in at once with a few hundred high-frequency volts and everything's toast.

I really do not like it when people trust their electronics before their eyes. My runabout has a radar cross-section not much bigger than that of a B-2 stealth bomber. I've been nearly run down several times in narrow channels by big, fancy boats whose pilots were too busy watching the radar and GPS to bother looking out the windshield. This in Force 1 weather and broad daylight.

<end rant>.....

 

Some people trust their computers and calculators more than their eyes , experience, and logic when it comes to design issues.
Brent

 

Autopilots need to be "swung" before use too, most people ignore this simple part of the process....resulting in the stories above......oh, and keep the tools away from the sensor, it is magnetic don't forget.

 

I think that is one of the biggest issues with many automated systems these days. I don't have much experience working with auto pilots for boats, but I do work with a lot of other sytems. Lack of proper redundancy is a major point I see a lot of people over looking.

As for 'cosmic rays', they should have no effect on a properly designed system. The issue is, how often are these systems properly designed? After all, all critical memory should be stored in self error checking and correcting memory structures. (Extra data is used, and it is run through a map problem before use, if the equation works out, data is good to go, if something doesn't work out right, the data is looked at, automatically corrected, and off you go again. If it fails to correct properly, then systems should fail gracefully.) Should they be allowed to continue being used if they are so poorly designed as to not have effective third and forth tier backup redundancy on critical aspects?

 

on the subject of redundancy etc, the electronic engine controls made for Morse in Japan, do not have fail safe operation, the fail in the mode they are in at the time, ooooops.

 

Interesting thread. An autopilot is a form of robot, operating in an environment where humans can be at risk. The design requirements for industrial robots where humans can enter the "reach envelope" are strenuous, especially if the humans are likely to be untrained or members of the public.

Autopilots came about at a time when society was much less obsessive about safety than it is now. If they were being introduced for the first time you can bet tha all kinds of failure modes and effects analysis would be performed at the requirements, design and testing stages to ensure the chances of a dangerous failure were minimized or eliminated.

The same has often been said about cars; the safety research has been mostlyl about the occupant but if they were just appearing on the market all kinds of questions about their impact (nasty pun) on pedestrians would be asked.

 

yeah anchient, we are just too darn smart for ourselves now, it is stifling much new development work, particularly in inventions, I have found many are simply not bothering any more

 

It may be interesting to compare against the autopilot of an aircraft. A simple 2-axis system for a single engine Cessna, fail-passive with no autoland or other fancy stuff, is going to run you at least six thousand bucks. Up that by an order of magnitude for something you might find on a small twin-turboprop, and perhaps another order of magnitude above that for something that can guide a commercial jet to a runway.

This is equipment that's been radiation-hardened, tested to destruction hundreds of times over, its code debugged and optimized by dozens of the best software engineers around. Every component in the system is regularly inspected by trained technicians. Do the pilots trust it? Only for about half a second- they're trained to keep a close eye on everything that's going on during a landing approach, and if the autopilot makes a mistake, to switch to manual control. I've been on planes where the autopilot made a slight jolt, and the pilot immediately took over before most of the passengers realized it. That's why we still have people up front in our planes!

Now, the boat version:
You buy a non-redundant, fail-{we-don't-know-how-until-it-does}, single-servo unit for a few hundred, maybe a thousand or two, dollars. You install its actuator down below and its control head out in the open, exposed to rain, spray, etc. It receives few inspections and no maintenance unless it fails. But we trust this device to do its job, even to the point where some folks will leave the helm for a few minutes in a channel, because the autopilot can handle it?