Blog: Aviation Cyber Security
EFB Tampering. Approach and Landing Performance Part 1
Approach and Landing Performance Part 1: Introduction and Landing Distance Calculations
TL;DR
- Approach and landing performance applications perform calculations to provide critical performance data to pilots (e.g. speed / flap settings on approach)
- Modifying any one of these could have severe consequences. For example, an aircraft going off the end of a runway or colliding with another aircraft on the runway due to incorrect landing distance calculations
- To assess risk we used licenced commercial pilots in our simulator having made various modifications to an approach and landing performance application installed on an EFB
Introduction
In a previous post we discussed the potential consequences of tampered take-off performance applications. We now discuss the integrity of Approach and Landing Performance applications, and potential consequences of them being tampered with.
As with the take-off performance application, PTP modified an approach and landing performance application on an EFB. In order to assess risks accurately we used licenced airline pilots in our commercial aircraft simulator – the pilots carried out tasks as if they were on a commercial flight including completing any applicable cross-checks. This ensured our assessment was accurate and enabled us to determine if there are any weaknesses as well as to consider what improvements could be made.
Approach and landing calculations
Calculation of approach and landing performance has always been a critical part of the planning phase prior to conducting an approach/landing. Various performance items need to be considered including;
- What speed and flap setting to use on approach / landing?
- How much runway is needed to stop the aircraft? Are Land And Hold Short (LAHSO) operations in use and if so will this be a concern for the stopping distance?
- What sort of braking will be required and is reverse thrust required?
- What are the weather conditions? Is the temperature a consideration (is it cold, i.e. will the altimeter overread)?
- What is the elevation of the runway and is there any runway slope?
The calculation of these items is critical. A miscalculation could have significant consequences and hence in many airlines both pilots are required to independently calculate approach / landing performance. As a gross error check a comparison of the pilot’s calculations is then made.
Whilst many pilots still use paper charts with a pen and paper to calculate their approach / landing performance, it is becoming increasingly common to calculate the performance using EFBs. Accuracy and efficiency (time saving) is improved by using EFB applications, all in all the use of EFBs ensures a more robust calculation of performance.
In airlines where pilots use paper charts to calculate their performance, whilst the EFB isn’t doing the calculation is may still be providing much of the required data. Airport charts displaying critical data may be consulted from the EFB with items like the Landing Distance Available being obtained from the EFB chart / manual application.
As with take-off performance, sadly there have been multiple accidents over the years with the cause being attributable to the incorrect calculation of approach and / or landing performance.
It is also important to consider secondary effects of any miscalculation, including human factors. Pilot perception of a threat can affect their behaviour and how they handle the aircraft (including deliberate mishandling). In 1997, an MD11 crashed on landing in Newark, USA. The NTSB report states: “The flight crew’s calculation error in determining the runway length required for landing influenced the Captain’s subsequent actions during final approach and landing by… touching down early”. The report also stated “… confusion about calculated landing distances may result in potentially hazardous miscalculations of available runway distances after touchdown”.
The FedEx pilots concern about being able to stop the aircraft within the landing distance available resulted their mishandling of the aircraft on landing. A bounce followed by significant yaw and roll (resulting in a crash) was the outcome.
Full report: https://reports.aviation-safety.net/1997/19970731-0_MD11_N611FE.pdf
The FedEx accident has similarities to the Iberia A340-600 which overran the runway in Quito, Ecuador in 2007. The pilots deliberately dipped below the approach profile in order to attempt to land at the very beginning of the runway due to their concern about their ability to stop the aircraft prior to the runway end. This resulted in a hard landing, damaging important parts of the aircraft making it impossible to stop on the runway. Whilst all those on board survived the Iberia accident, the aircraft was written off.
Iberia A340 overrun at Quito, Ecuador
(More photos of Iberia Quito overrun available at: https://www.jetphotos.com/photographer/5766/photos)
Targets
Landing Distance Calculations
Runways come in various shapes and sizes (whilst always rectangular, runways are often built on terrain that isn’t completely flat and therefore have varying degrees of slope).
Pilots assess the runway in use and decide upon an appropriate configuration for their landing. In order to assess where they must land by and what sort of braking will be needed, pilots determine the Landing Distance Available and then compare it with the calculated Landing Distance Required. Put simply, the Landing Distance Available must be greater than the Landing Distance Required.
Landing Distance Available (LDA):
The length of runway which is declared available and is suitable for the ground run of an aeroplane landing. This is a fixed distance, however landing after an extended “float” (a.k.a a “deep landing”) will result in less than the entire LDA being available for the landing roll.
Landing Distance Required (LDR):
The required distance for an aeroplane to land and come to a complete stop. This is a variable distance and is affected by many factors. Aircraft weight / speed / flap / brake setting, weather conditions including wind / temperature, runway condition (dry / wet /icy) and slope, and several other factors affect the LDR
EFB’s with landing performance applications enable pilots to compute the LDR. As with take-off performance applications, landing performance applications compute calculations locally as they often won’t be able to receive signal / data in the air. They also need to be performed within a relatively short time (an hour or so) of landing when weather conditions and runways in use at the destination are known.
Having calculated the LDR, the applications often compare the LDR with the LDA and warn the pilots if there is a risk of the aircraft not stopping prior to the runway end. On EFB’s where this function is not available, the pilots will compare the LDR with the LDA displayed on their approach chart to assess whether a deep landing would be an issue with regards to stopping on the runway, as well as appropriate autobrake settings. The lower the autobrake setting, the longer the landing roll will be.
When determining the autobrake setting, consideration is given to minimising brake wear. As with cars, aircraft brakes become worn over time and are replaced when they no longer perform adequately. Consequently, provided runway occupancy is not an issue, pilots will aim to minimise brake wear by using autobrake settings that result in longer (but still safe) landing rolls.
In May 2015, a Virgin Australia 737-800 stopped 5m from the runway end having landed within the required touchdown zone, using full reverse thrust, speedbrakes, and the autobrake function worked correctly. Ultimately the crew overrode the autobrakes and applied maximum manual braking whilst retaining full reverse thrust for longer than used in normal operations – thus preventing a runway excursion (by 5m).
The ATSB found that the crew calculated the landing distance required (LDR) using data for a dry runway, when in fact the runway was wet. As a result, the landing roll was significantly longer than it was expected to be. It was also noted that a 5 knot tailwind existed on final approach – something which had not been accounted for in the performance calculation. Had both items been accounted for, the subsequent calculations showed the aircraft’s expected landing distance increased by around 12%.
It should be noted that most state and airline policies require a safety margin to be applied to landing distances. Commonly a 15% safety margin is applied, i.e. the calculated LDR is increased by 15% and then a comparison with the LDA is made. If the LDR (including safety margin) is greater than the LDA, either a higher deceleration rate is required (generally by increasing the brake setting / using a greater flap setting) or a different runway should be used. The ATSB stated that the 15% margin HAD been applied in the above incident, but the stopping performance was still worse than expected.
As with the take-off performance case, PTP were able to modify landing performance calculations. With the same conditions for landing, we were able to produce different outputs for the LDR – with no way of discerning that an incorrect LDR was being calculated:
Using the information above, the following graphic shows the stopping distances on a runway that is 2500m long:
Runway excursion risk
In simple terms not enough runway to stop the aircraft prior to the runway end. This can essentially be broken down into two sections:
- Misrepresentation of the Landing Distance Available (i.e. changing the runway length)
- Miscalculation of the actual Landing Distance Required (how much runway is needed to stop the aircraft). This could either be through directly modifying the application to produce an incorrect output (such as always presenting the same result – irrespective of the data entry), or modifying the stored data to reduce the calculation output (e.g. modifying the temperature effect on landing distance, or perhaps more significantly, supressing the effect of a tailwind on landing distance)
Modification of the LDR to suggest the aircraft will stop in a shorter distance than reality has obvious potential threat, as does modification of the LDA to suggest the runway is longer than it actually is. Pilots “should” reference charts to confirm the runway length is correct in the application, but this step is easily missed. However, there is no way of confirming the stopping distance calculated is correct – pilot experience would hopefully highlight gross errors e.g. 50% increases in landing distance, but smaller deviations would be unlikely to be noticed.
Runway and airfield weather conditions
Effectiveness of braking is significantly affected by runway contamination (water / snow / ice). Stopping distances can increase (in some instances by more than double) depending on runway condition, hence accurate calculation of the LDR is especially critical in poor weather scenarios.
When calculating LDR on contaminated runways, EFB performance applications generally apply factors to the dry runway LDR – these factors are stored in the database on the EFB. Modification of any of the applicable factors would produce a different LDR calculation.
Modifying the tailwind factor could have a very significant effect. In most instances it is acceptable to land with a tailwind, provided it is accurately accounted for. As a rule-of-thumb, the landing distance increases by 21% for the first 10 knots of tailwind. Suppression or reduction of the effect of a tailwind would likely result in a significantly increased (but unaccounted for) landing roll.
Unserviceable aircraft equipment
Aircraft regularly fly with unserviceable parts. Considering the number of items / parts fitted to a commercial aircraft, it is almost impossible to keep every item serviceable all the time. As a result, aircraft manufacturers create manuals which specify which parts can be unserviceable and for what duration is the unserviceability of that part acceptable (i.e. when does an engineer need to fix the part by). These manuals are called Minimum Equipment Lists (MEL) or Dispatch Deviation Guides (DDG).
The MEL / DDG will specify what factor needs to be applied to landing distances in the case of unserviceable parts. Landing performance applications allow pilots to select the aircraft deficiency and then the factor is applied automatically to the landing distance. For example, one wheel brake being inoperative could require the computed landing distance to be increased by 10%. If a factor was modified then the pilots often have no way of knowing whether it had been applied correctly as many applications do not display the factor being applied in the performance application itself. Instead, they tend to display “Factor Applied”, or something similar.
We were able to supress the effect of inoperative items on a landing performance application. The application still showed that a performance correction had been applied, when it hadn’t. In the take-off case the required thrust setting increased by 20% when applying the MEL factor. Suppression of this factor meant that the calculated thrust setting was 20% lower than it should be, yet the application displayed “Factor Applied”. For landing calculations, suppressing the factor meant the landing distance calculation was up to 50% shorter than it should have been.
Suppressed MEL factor LDR calculation
Incidents / accidents
TACA International Airlines at TGU in 2008, overran the runway having landed with a 12 knot tailwind on a wet runway. Crew applied full manual braking 4 seconds after touchdown, unable to stop the aircraft prior to runway end the aircraft overran the runway at 54 knots resulting in several fatalities.
Report: Final report not being disclosed publicly, preliminary report: https://reports.aviation-safety.net/2008/20080530-0_A320_EI-TAF_PRELIM.pdf
Video:
Virgin Australia 737 at CHC in 2015, stopped 5m from runway end. Crew calculated LDR based on a dry runway when in fact the runway was wet. Also, a tailwind existed which had not been accounted for.
Report: https://www.atsb.gov.au/media/5774950/ao-2015-046-final.pdf
Iberia A340 at UIO in 2007, overran the runway after the pilot dipped below the profile to land on the runway due to concern about stopping distance.
Report: https://www.skybrary.aero/bookshelf/books/1689.pdf
FedEx MD11 at EWR in 1997, aircraft bounced and crashed after the pilot mishandled the aircraft on landing due to concerns about runway distance required. The crew miscalculated the landing distance available on the Airport Performance Laptop Computer.
Report: https://www.ntsb.gov/investigations/AccidentReports/Reports/AAR0002.pdf
Video:
SkyLease 747 at YHZ in 2018, aircraft landed with an 8 knot tailwind but was unable to stop, ultimately stopping 210m past the runway end.
Report: Investigation ongoing
Westjet 737 at YHZ in 2020, aircraft landed and overran the runway. Whilst the investigation is ongoing, the weather at the time included a tailwind on the landing runway and the runway condition was 100% wet snow.
Report: Investigation ongoing
Ground collision / runway incursion risk
Land And Hold Short Operations (LAHSO) is a procedure mainly used in the USA. It is an air traffic control procedure for aircraft landing and holding short of an intersecting runway or point on a runway, enabling an increase in efficiency through increased runway availability / capacity.
There are several variations of LAHSO. In the image below one aircraft is landing, the other aircraft is taking-off. The landing aircraft will be instructed to “land and hold short” of the intersecting runway (currently being used for take-off). The aircraft taking off is provided will full use of its runway.
Pilots carry out a calculation of their landing distance and assess whether they can land and stop prior to any intersections on LAHSO runways. If the LDR is close to or over the distance available prior to the intersection, increased deceleration (more braking / flap) would be needed – the alternative is to either refuse LAHSO or request a different runway. If the LDR was miscalculated pilots may believe they can land and stop prior to any intersecting runways, leading them into a false sense of security. The point at which this would become apparent would be when the aircraft fails to stop in time – i.e. too late. The result would be a potential runway incursion with the amplified threat of two aircraft colliding.
Incidents / accidents
United Airlines 737 at Chicago O’Hare in 1997, aircraft landed but was unable to stop prior to the intersecting runway due to strong winds. A Boeing 747 taking off from the intersecting runway was instructed to stop by ATC, with the pilots braking so hard 6 tyres blew.
Report: None publicly available
