I work for Professor Lee, who independently came up with the idea of Soft Walls on the night of 9/11/01 and gave a lecture about the idea to the UC Berkeley EECS 20 Signals and Systems undergraduate class.
One Master's student, Adam Cataldo, might have received some funding from NASA or someone to do research in this area. Adam finished up in December 2003. Currently, the Soft Walls research is not directly funded, though the Center for Hybrid and Embedded Software Systems funds work on the Ptolemy Project, which has been used as a software laboratory to simulate the Soft Walls.
I just don't see the Snake Oil here.
What I do find really interesting is that most software engineers have a real gut level reaction to this proposal. I'm a very sceptical person by nature and have raised many points concerning Soft Walls with Professor Lee and seen many other people raise similar points. I think the Soft Walls FAQ (PDF) has done a reasonable job answering these questions.
The Soft Walls proposal is a long term proposal that is not something to be done lightly. Like many research ideas, it may seem far fetched at first, but the process of analyzing the proposal yields many interesting avenues of thought and future research in software verification and reliability.
A better solution would be to simply require transponders to be enabled which would allow the ground to see what is happening.
Interesting idea, and one that could be implemented much more quickly than Soft Walls.
So, when the plane entered restricted airspace, I guess jet fighters would be scrambled and if they caught up to the plane it might be blown up? Should every high value target (nuke plant, oil refinery, small city) have an air base or anti-aircraft missile batteries nearby?
During 9/11, my understanding is that the transponders were disabled so it was harder to find the planes, so the transponders would need to always be on (not a big problem).
Having uninterruptible transponders brings up some of the same issues that remote control from the ground has. The Soft Walls FAQ (PDF) says:
13. Wouldn't control from the ground be preferable?
It is technically possible to control aircraft from the ground. Northrop Grumman's Global Hawk aircraft is an unoccupied air vehicle (UAV) that is controlled from the ground. It flies without a pilot, and played a significant role in the recent Afghan and Iraq wars. Northrop Grumman has argued that the control system of Global Hawk could be adapted to permit controllers on the ground to take over an airplane and fly it safely to landing.
While technically feasible, this approach is probably more complex than Soft Walls, and it opens new vulnerabilities. For one, it creates the possibility of a hijacking from the ground, which suggests that sites equipped to take over aircraft would require serious protection, and personnel with access would have to be severely vetted. Moreover, it creates a truly scary prospect of a wholesale hijacking of an entire fleet.
A second problem is that communication delays and lack of visibility into conditi
Where do you get the idea that anytime a pilot needs to make use of a little bit of restricted air space to insure the safety of the passengers that he is endangering people on the ground?
I think the solution here is sizing the restricted areas appropriately. I'm sure that one can construct a no-fly zone that is too close to an airport, but you get the idea.
BTW - Your argument is similar to the Traditional Boeing vs. Airbus debate where one can argue that the pilot could save the passengers by pushing the plane outside the 'safe' operating envelope. I agree with this completely. If the plane is going to crash anyway, then flying it outside the envelope and hoping for the best seems reasonable.
However, the potential cost of deliberately crashing a plane into a much larger target and costing many more lives makes requiring new large planes to be flown within their envelope more reasonable.
I believe that there were similar arguments about safety seat belts in automobiles, where many people felt that they would be trapped by the seat belt and burn to death etc. I'm sure that more than a few people have died this way, but the idea is that this number is outweighed by the number of lives saved by seat belts.
One could bring a device on board that can create the signals needed. And maybe they could at the very least just cause the plane to crash anywhere assassinating someone on board or cause the plane to crash into a bigger city under its flight path.
I'm not an expert on spoofing GPS, but my response to Re:sounds neat but includes Professor Lee's response.
There was an interesting thread in Can You Say GPS jammer? where someone says it is hard to do, and then someone else suggests that it is possible. I'd like to see GPS spoofing done, since there are more and more situations where one could say spoof GPS and use OnStar to create an alibi.
The problem is not so much the system, but complete faith in that system.
Ultimately, I think that creating a software system to do this would be difficult, but just because it is difficult does not mean we should try?
I think we need to consider the alternatives as well. A Soft Walls solution is not necessarily the best solution, but we need to understand this type of solution so that we do not implement the wrong solution. For example, remote control from the ground has many similar problems and one even larger problem where a ground control operator could be coerced into crashing a plane or the ground control site could be taken over etc.
[Disclaimer: I work for Professor Edward A. Lee, who came up with the Soft Walls Project in response to 9/11. I'm a very sceptical person, and many of the questions here have been raised by myself and others.]
6. How does Soft Walls relate to flight envelope protection?
As explained above, fly-by-wire aircraft have efficiency advantages over more conventional mechanical and hydraulic control systems. But because control is mediated by computer, such systems can also be made more intelligent. Airbus systems impose flight envelope protection schemes, where the computers ensure that the pilot does not force the aircraft beyond its safe performance parameters. For example, the computers can prevent the pilot from stalling the aircraft.
Flight envelope protection works very synergistically with Soft Walls. In particular, Soft Walls works by introducing a bias into the commands issued by the pilot when the aircraft approaches too close to a no-fly zone. To ensure that the aircraft does not enter the no-fly zone, the bias needs to increase as the craft gets closer until the bias overwhelms the commands that the pilot can issue. For instance, when the aircraft has penetrated the boundary sufficiently to be very close to the no-fly zone, the pilot may be commanding a hard turn to the right, but the bias will nonetheless force the aircraft to turn to the left, away from the no-fly zone.
In aircraft with flight envelope protection, as for example most Airbus planes, the limits on pilot induced maneuvers are known (because they are imposed by the on-board computers). Thus, the extent of the bias that must be applied is known.
Not all fly-by-wire aircraft have flight envelope protection. The Boeing 777, in particular, does not. The computers will permit the pilot to make maneuvers that exceed the safety specifications of the aircraft. Boeing argues that this is safer than flight envelope protection because these safety specifications are conservative anyway, so allowing the pilot to exceed them gives the pilot the authority to consider and compare the risks in responding to an emergency.
Both approaches have their merits, but Boeing's approach requires that a Soft Walls system be more aggressive. In particular, for example, since there is no fixed limit on bank angle, there is no single amount of bias on bank angle that is guaranteed to exceed the pilot command. This complicates the design of the Soft Walls system, which must ensure that the bias it introduces does not take the aircraft outside the safety specifications.
To some degree, a Soft Walls system must realize some flight envelope protection. For example, if an aircraft is flying above a no-fly zone, then the Soft Walls system must prevent the pilot from stalling the aircraft. If it does not, then it cannot ensure that the aircraft will not enter the no-fly zone (because the stall could lead to loss of control).
Yep, some of the researchers are in the Airbus camp, where the software limits pilot maneuvers.
A case can be made that the pilot could save the plane by executing a loop or roll that was outside the specs of the plane that would be prohibited by the software.
However, the point of Soft Walls is to prevent disasters that harm more than a plane load of people (large plane crashes into nuclear powerplant etc.)
I looked a little into some of the Airbus fly by wire crashes and if I remember correctly, it seemed like some of the errors were UI problems, especially when a display or control had multiple purposes (modes). I'm not sure if I remember the above correctly, b
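As an added illustration (not code from the Soft Walls project or the FAQ), the following toy 2-D simulation shows the bias mechanism the FAQ describes: a turn-rate bias that grows as the aircraft nears a circular no-fly zone until it exceeds the pilot's maximum turn authority, with the combined command clamped to an assumed envelope limit. The zone geometry, airspeed, turn-rate limit, band width and the hostile pilot model are all constructed assumptions.

```python
import math

MAX_TURN = math.radians(3.0)   # rad/s: assumed flight-envelope limit on turn rate
SPEED = 250.0                  # m/s: assumed constant airspeed
DT = 1.0                       # s: simulation step


def wrap(angle):
    """Wrap an angle into [-pi, pi)."""
    return (angle + math.pi) % (2 * math.pi) - math.pi


def clamp(value):
    """Flight-envelope protection: keep a turn-rate command within the safe limit."""
    return max(-MAX_TURN, min(MAX_TURN, value))


class NoFlyZone:
    """Circular no-fly zone of radius `radius` wrapped in a protective band of
    width `band` (both assumed) inside which the Soft Walls bias is active."""

    def __init__(self, cx, cy, radius, band):
        self.cx, self.cy, self.radius, self.band = cx, cy, radius, band

    def distance(self, x, y):
        # Signed distance to the zone edge: positive outside, negative inside.
        return math.hypot(x - self.cx, y - self.cy) - self.radius

    def bias(self, x, y, heading):
        """Turn-rate bias (rad/s) steering away from the zone. Zero outside the
        band; ramps to twice MAX_TURN by the middle of the band, so from there on
        it overwhelms any command the pilot is able to issue."""
        d = self.distance(x, y)
        if d >= self.band:
            return 0.0
        strength = min(1.0, 2.0 * (1.0 - max(d, 0.0) / self.band))
        away = math.atan2(y - self.cy, x - self.cx)   # bearing pointing away from the zone
        direction = 1.0 if wrap(away - heading) >= 0 else -1.0   # shorter turn toward `away`
        return direction * 2.0 * MAX_TURN * strength


def hostile_pilot(x, y, heading, zone):
    """Pilot model that keeps commanding a turn toward the zone center."""
    toward = math.atan2(zone.cy - y, zone.cx - x)
    return clamp(0.5 * wrap(toward - heading))


def simulate(zone, x, y, heading, pilot, steps, soft_walls=True):
    """Fly `steps` seconds from (x, y) and return the closest approach to the
    zone edge in metres (negative means the zone was entered)."""
    closest = zone.distance(x, y)
    for _ in range(steps):
        command = pilot(x, y, heading, zone)
        if soft_walls:
            command += zone.bias(x, y, heading)
        heading = wrap(heading + clamp(command) * DT)   # envelope limit applies to the sum
        x += SPEED * math.cos(heading) * DT
        y += SPEED * math.sin(heading) * DT
        closest = min(closest, zone.distance(x, y))
    return closest


if __name__ == "__main__":
    zone = NoFlyZone(0.0, 0.0, radius=5_000.0, band=10_000.0)
    # Start 30 km west of the zone center, heading due east, pilot trying to enter.
    for enabled in (False, True):
        closest = simulate(zone, -30_000.0, 0.0, 0.0, hostile_pilot, 600, enabled)
        print("Soft Walls", "on " if enabled else "off", "closest approach (m):", round(closest))
```

With the bias disabled the hostile pilot flies straight through the zone; with it enabled the closest approach stays outside the zone edge, and the bias is exactly zero outside the band, so normal flight away from the zone is unaffected.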
[Disclaimer: I work for Professor Edward A. Lee, who came up with the Soft Walls Project in response to 9/11. In general, I'm a very skeptical person and I and others have asked similar questions. In this context, I'm speaking for myself, not for Professor Lee.]
The initial rollout of Soft Walls would be in large new fly by wire planes. Older, large non-fly by wire planes present various problems.
Small general aviation planes would probably not be required to ever have Soft Walls retrofitted, though perhaps someday new general aviation fly by wire planes would?
7. Can Soft Walls be deployed on non-fly-by-wire aircraft?
In fly-by-wire aircraft, Soft Walls is "just" a software change. However, only a fraction of the fleet today is fly-by-wire. From the New York Times, April 2002 [9]:
"In November, the F.A.A. counted about 2,300 fly-by-wire planes among Boeing and Airbus models, the two most popular among big jets; another 8,700 planes in those fleets had conventional mechanical systems.
Herman A. Rediess, director of the Office of Aviation Research at the F.A.A., said in a paper representing his own views: ''For the near future, no airline will have the financial resources to even modify the F.B.W. aircraft. It's not clear that they would even have sufficient funds to retrofit the non-F.B.W. aircraft.''
Adding fly-by-wire ability to older planes would be wildly expensive. George K. Muellner, an Air Force veteran and president of Boeing's research and development arm, called the Phantom Works, recalled that the Air Force had taken some of its oldest F-4's and converted them into pilotless drones, for use as target practice. The conversion, he said, cost more than the plane did new."
Converting older aircraft to fly-by-wire is clearly out of the question. However, there is an alternative, which is to modify the autopilot systems in older aircraft to implement fly-by-wire. The effectiveness of this strategy is still an open question (see the next question).
BTW, the next question is "8. Can Soft Walls be realized as part of the autopilot system?"
[Disclosure: I work for Professor Edward A. Lee, who came up with the Soft Walls in response to 9/11. I'm a very skeptical person by nature, and have asked similar questions, or been around when others have asked these good questions.]
The Soft Walls system relies on localization information. The aircraft computers have to reliably know where the aircraft is. Avionics systems today already include localization systems, which are required for navigation (and for more advanced safety systems, like ground proximity warning systems).
The principal source of localization information today is the global positioning system (GPS), which uses signals emitted by a suite of 24 satellites. A GPS receiver performs a simple triangulation calculation to determine the location of the receiver. However, most aircraft have at least two backup systems. First, an inertial navigation system (INS) measures acceleration to determine when the aircraft is turning, ascending, or descending, and continually calculates the new location based on its knowledge of the previous location. Second, a variety of radio beacons are also used to triangulate the aircraft location. Radio beacons are particularly common around airports, and automatic landing systems rely on them.
Most radio signals can be jammed. This means that a malicious party transmits a radio signal that swamps the one of interest, making it impossible to receive reliably. GPS signals are vulnerable to jamming. During the second Iraq war, Russian-made GPS jamming devices were sold to the Iraqis to use against smart munitions, many of which rely on GPS.
Some radio signals can also be spoofed. This means that a malicious party transmits a radio signal that masquerades as the radio signal of interest, hoping that it will be picked up instead of the legitimate signal. Spoofing can be prevented by encryption techniques if the encryption key can be kept private. That is, it can be made extremely difficult (in today's technology, essentially impossible) to construct a legitimate signal without having knowledge of a key that can be very closely guarded.
GPS signals currently contain encrypted channels that make spoofing by synthesizing a signal extremely difficult. Radio beacons can be both spoofed and jammed, and hence probably cannot be relied upon in a hostile environment. INS systems cannot be either spoofed or jammed, since they do not use communications of any kind.
If a radio signal cannot be spoofed, then jamming can be reliably detected. Hence, if the GPS system is being jammed, then the Soft Walls system will know that it is being jammed, and instead of being confused by random data, would switch to backup systems, primarily INS.
Without knowledge of the encryption key, GPS cannot be spoofed by constructing an artificial GPS signal. However, it may be technically feasible to pick up a GPS signal at one location and rebroadcast it to another location in such a fashion as to confuse a GPS receiver at the second location into thinking it is actually at the first. However, this technique would be difficult to use in a hijacking scenario. To go undetected, it would require that a second aircraft start at the same place and at the same time as the aircraft to be hijacked, and then slowly diverge so that over time it is at a different location. That second aircraft would have to rebroadcast what it receives from the GPS satellites at high enough power that the first aircraft picks up its signals rather than the ones coming directly from the satellites. Even if this highly unlikely scenario could be pulled off, the transponders of the two aircraft would report the same locations to air traffic control, which will certainly raise suspicion. Air traffic control would determine that the aircraft had collided, but were still flying.
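The localization logic the FAQ argues for (an authenticated GPS signal makes jamming detectable, so the system falls back on INS dead reckoning rather than trusting random data), written out as an added example; this is not code from the Soft Walls project. The GpsFix.authenticated flag, the divergence threshold and the flight data are constructed assumptions, and the INS cross-check goes one step beyond the FAQ by also distrusting a fix that verifies but disagrees with dead reckoning, which is how the relayed-signal case above would show up on board.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class GpsFix:
    """One receiver fix. `authenticated` is True only when the fix was derived
    from the encrypted channel and verified (assumed receiver interface)."""
    x: float
    y: float
    authenticated: bool


@dataclass
class LocalizationMonitor:
    """Fuses authenticated GPS with INS dead reckoning. GPS is trusted only when
    it verifies and agrees with the INS estimate; otherwise INS carries the
    solution and a transition alert is recorded."""
    x: float
    y: float
    vx: float
    vy: float
    max_divergence: float                      # metres, assumed tolerance
    source: str = "GPS"
    alerts: List[Tuple[int, str]] = field(default_factory=list)

    def update(self, t: int, gps: Optional[GpsFix], accel: Tuple[float, float],
               dt: float) -> Tuple[float, float]:
        # INS dead reckoning runs on every tick, regardless of GPS health.
        self.vx += accel[0] * dt
        self.vy += accel[1] * dt
        ins_x = self.x + self.vx * dt
        ins_y = self.y + self.vy * dt

        if gps is None or not gps.authenticated:
            # Jammed or unverifiable: detectable precisely because a genuine fix verifies.
            self._fall_back(t, "gps-unverified", ins_x, ins_y)
        elif math.hypot(gps.x - ins_x, gps.y - ins_y) > self.max_divergence:
            # Verifies but disagrees with INS (e.g. a signal relayed from elsewhere).
            self._fall_back(t, "gps-ins-divergence", ins_x, ins_y)
        else:
            self.source = "GPS"
            self.x, self.y = gps.x, gps.y          # GPS corrects accumulated INS drift
        return self.x, self.y

    def _fall_back(self, t, reason, ins_x, ins_y):
        if self.source != "INS":
            self.alerts.append((t, reason))      # alert once per loss of GPS trust
        self.source = "INS"
        self.x, self.y = ins_x, ins_y


def run_scenario() -> LocalizationMonitor:
    """Constructed flight: 250 m/s due east, 1 Hz. Ticks 5-9 are jammed (no fix);
    tick 14 carries a verifying fix that is reported 8 km off the INS track."""
    mon = LocalizationMonitor(x=0.0, y=0.0, vx=250.0, vy=0.0, max_divergence=500.0)
    for t in range(20):
        true_x = 250.0 * (t + 1)
        if 5 <= t <= 9:
            fix = None
        elif t == 14:
            fix = GpsFix(true_x, 8_000.0, authenticated=True)
        else:
            fix = GpsFix(true_x + 3.0, -2.0, authenticated=True)   # small receiver noise
        mon.update(t, fix, (0.0, 0.0), 1.0)
    return mon


if __name__ == "__main__":
    result = run_scenario()
    print("final position:", (result.x, result.y), "source:", result.source)
    print("alerts:", result.alerts)
```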
Complete Disclaimer: I work for Professor Edward A. Lee, who came up with the Soft Walls idea on 9/11/01. It turns out that other people have had similar ideas at other times.
I don't speak for Professor Lee, but I'll sprinkle some comments around. In general, I'm a very skeptical person, and I and others have asked many of the same questions that I see in this article.
The Soft Walls FAQ discusses the slightly different case of a forced landing on 5th Avenue, which would never be ok.
15. Can pilots tolerate a reduction of navigable airspace?
Among the more extreme ideas circulating is restricting aircraft to narrowly defined air lanes, making, in effect, tunnels in the sky. This greatly reduces flexibility in the system, making it much more difficult to adapt to unusual weather or traffic conditions, for example.
If Soft Walls is deployed, the regulatory bodies that define the no-fly zones will have to exercise restraint to not unnecessarily reduce the navigable airspace. Ideally, Soft Walls does not reduce legally navigable airspace at all, since regulatory bodies already restrict the airspace around inhabited areas. As such, Soft Walls only reduces navigable airspace by removing the space where flying is unacceptable anyway.
But there is a significant difference between regulatory no-fly zones (what we have now) and regions into which an aircraft will not fly (what Soft Walls will impose). Some pilots argue that there are emergencies on an aircraft that would justify flying through regions of airspace where flight is forbidden. However, the pilot who does this is choosing to override the regulatory bodies, putting people on the ground at risk in an effort to protect the people in the craft. Should the pilot have a right to make that decision? Soft Walls means that the decision is made by the regulatory bodies. There is no aircraft emergency grave enough to justify an attempt to land on Fifth Avenue, and no pilot should have the right to choose to take that risk. Soft Walls can enforce that policy.
Of course, it is not new that there are regions into which aircraft will not fly. No aircraft, for example, can fly through a mountain, no matter how grave the on-board emergency that makes the pilot want to be on the other side of the mountain. Soft Walls creates no-fly zones where enforcement is gentler than that defined by mountains, but the constraint is equally strong. The aircraft simply cannot fly there.
That clip looks to be from the Airbus 320 Paris Crash of June 26, 1988. The side of the plane looks like it says "Air France", and the mpeg file is titled af320.
See Re:Traditional Boeing vs. Airbus debate for more links.
Airbus Paris Crash
Rebuttal about Airbus Paris Crash
The proposed solution is a long term solution for large aircraft capable of causing damage to high value targets such as nuclear power plants etc.
It is feasible to eventually equip all large aircraft with a suitable set of navigation systems.
I smell a scam on the Department of Homeland Insecurity money pile.
BTW - The proposal predates 9/11, see Peter Huber, Cleared To Land, Forbes Magazine, March 18, 1991, pg 130
Sounds interesting!
Do you have any links or papers for your project?
Is it possible to loop or roll a 747 jet?
22Mb MPEG of a 707 barrel roll - seems to be corrupt?
Good point.
Small planes crash into buildings without a huge effect. In 1945, a B-25 crashed into the Empire State Building and did not destroy it.
In January, 2002, a small plane crashed into a building in Florida and did not destroy the building.
Basically, one uses Inertial Navigation.
A good resource is the Soft Walls FAQ (PDF).