The Rule Is Not “Fly Farther”
For decades, a twin-engine airliner could fly no more than sixty minutes from a usable runway. The fear was simple: lose one engine over open water, and you needed to be able to reach a place to land on the one that remained. ETOPS — Extended-range Twin-engine Operational Performance Standards — is usually described as the rule that lifted that limit, letting modern twins fly transoceanic routes once reserved for three- and four-engine aircraft. That description is true, and it misses the point entirely.
ETOPS did not grant aircraft permission to fly farther from a runway. It defined, with regulatory precision, the maximum time a twin may ever be from a runway it can actually reach with one engine out. The governing quantity is diversion time: the longest single-engine flight time to an adequate alternate, in still air, at the speed the aircraft can hold on the remaining engine. An ETOPS-180 rating does not say “this jet is good for three hours over water.” It says “this jet may never be more than three single-engine hours from a runway that can take it.” The range is whatever those reachable runways permit. It is derived, not asserted.
The distinction is not pedantry. It is the whole discipline. If you ask “how far can this aircraft fly?” you will build a system that optimizes endurance and discovers its fallback was insufficient at the worst possible moment. If you ask “where can it always turn?” you build a system whose reach is bounded by guaranteed safety, and the range falls out as a consequence. The AI field, planning autonomous agents, is asking the first question. It measures capability — how long a horizon, how many steps, how much the agent can accomplish unsupervised — and treats the fallback as an afterthought. That is the wrong axis. The right axis is the aviation one: at every point on the route, is a reachable, adequate safe harbour inside the envelope?
Range is defined relative to a reachable safe harbour, never asserted absolutely. You may fly only as far as you can still turn back.
Adequate, and Actually Reachable
Two words carry the doctrine, and both are exacting. An alternate must be adequate, and it must be reachable. Neither is satisfied by a dot on a chart.
Adequate means the runway can actually receive the aircraft in the degraded state it will arrive in. It needs the runway length for a heavier-than-planned, possibly single-engine landing; the approach aids to get the aircraft down in the weather it will meet; and the rescue and firefighting cover to handle the aircraft once it stops. A field that is fine for a routine arrival but cannot take a crippled jet in bad weather is not an adequate alternate. It is a place that looks like one. Reachable means the alternate sits inside the single-engine-out time envelope, not the all-engines-running envelope. The relevant distance is not how far the aircraft can fly today; it is how far it can fly after the failure that put it in trouble, flying slower, on less.
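The two tests above can be written down as code. What follows is an added example, not something from the original article or from any regulator's material: it filters a set of alternates for adequacy against the degraded arrival state, checks reachability against the one-engine-out envelope rather than the normal one, and then walks a route to find the first point with no reachable adequate alternate. That index is the range; nothing asserts it. Every aerodrome, coordinate, runway figure and aircraft number is constructed for illustration and is not real operating data.

```python
"""Added example, not from the original article: derive an ETOPS-style
reachable range from a set of alternates instead of asserting it.

Every aerodrome, coordinate, runway figure and aircraft number below is
constructed for illustration and is not real operating data.
"""
from dataclasses import dataclass, replace
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass(frozen=True)
class Alternate:
    name: str
    lat: float
    lon: float
    runway_length_ft: int
    approach_minimum_ft: int  # lowest ceiling the field's approach aids support
    rescue_category: int      # rescue and firefighting category the field provides


@dataclass(frozen=True)
class DegradedState:
    """What the aircraft needs on arrival after the failure, not on a normal day."""
    oei_speed_kt: float        # one-engine-inoperative cruise speed, still air
    diversion_limit_min: int   # ETOPS rating in minutes, e.g. 180
    landing_distance_ft: int   # single-engine, heavier-than-planned landing requirement
    weather_ceiling_ft: int    # ceiling the aircraft will have to descend through
    rescue_category: int       # minimum rescue and firefighting category required


def great_circle_nm(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Haversine great-circle distance in nautical miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def is_adequate(alt: Alternate, state: DegradedState) -> bool:
    """Adequate: the field can receive the aircraft in the state it will arrive in."""
    return (alt.runway_length_ft >= state.landing_distance_ft
            and alt.approach_minimum_ft <= state.weather_ceiling_ft
            and alt.rescue_category >= state.rescue_category)


def diversion_radius_nm(state: DegradedState) -> float:
    """Reachable: distance flown in the rated time at single-engine speed."""
    return state.oei_speed_kt * state.diversion_limit_min / 60.0


def reachable_alternates(lat: float, lon: float,
                         alternates: List[Alternate], state: DegradedState) -> List[str]:
    """Alternates that are both adequate and inside the one-engine-out envelope."""
    radius = diversion_radius_nm(state)
    return [a.name for a in alternates
            if is_adequate(a, state)
            and great_circle_nm(lat, lon, a.lat, a.lon) <= radius]


def first_uncovered_waypoint(route: List[Tuple[float, float]],
                             alternates: List[Alternate],
                             state: DegradedState) -> Optional[int]:
    """Walk the route and return the index of the first waypoint with no
    reachable adequate alternate, or None if the whole route is covered.
    The usable range is whatever this returns; it is derived, not asserted."""
    for idx, (lat, lon) in enumerate(route):
        if not reachable_alternates(lat, lon, alternates, state):
            return idx
    return None


# Constructed scenario: a crossing along the equator, one degree of longitude
# being roughly 60 nm, with three fields on the chart.
STATE = DegradedState(oei_speed_kt=400.0, diversion_limit_min=180,
                      landing_distance_ft=7500, weather_ceiling_ft=300,
                      rescue_category=6)
ALTERNATES = [
    Alternate("ALPHA", 0.0, 0.0, runway_length_ft=9000, approach_minimum_ft=200, rescue_category=7),
    # BRAVO is a dot on the chart that looks like a runway but cannot take a crippled jet.
    Alternate("BRAVO", 0.0, 20.0, runway_length_ft=6000, approach_minimum_ft=200, rescue_category=7),
    Alternate("CHARLIE", 0.0, 45.0, runway_length_ft=10000, approach_minimum_ft=250, rescue_category=8),
]
# The same chart with BRAVO brought up to standard.
ALTERNATES_FIXED = [replace(a, runway_length_ft=9000) if a.name == "BRAVO" else a
                    for a in ALTERNATES]
ROUTE = [(0.0, lon) for lon in (0.0, 8.0, 16.0, 24.0, 32.0, 40.0, 45.0)]

if __name__ == "__main__":
    print("diversion radius:", round(diversion_radius_nm(STATE)), "nm")
    print("first uncovered waypoint, BRAVO inadequate:",
          first_uncovered_waypoint(ROUTE, ALTERNATES, STATE))
    print("first uncovered waypoint, BRAVO fixed:",
          first_uncovered_waypoint(ROUTE, ALTERNATES_FIXED, STATE))
```

With BRAVO too short for the single-engine landing, the route stops being covered at the fourth waypoint even though a field sits a few hundred miles away; lengthen the runway and the whole crossing is covered. The only thing that changed is adequacy, which is the point: the reachable set, not the aircraft, set the range.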
The same two words govern any AI fallback worth the name. A fallback that exists in principle but cannot catch the specific failure mode you will be in is not a fallback — it is a place that looks like one. A rollback that cannot run because the state is already committed. A human handoff with no human on call. A safe-default that itself depends on the subsystem that just failed. A circuit-breaker that trips one step after the irreversible call. Each of these is an under-specified alternate: present on the architecture diagram, absent from the worst-case arrival state. The discipline is to specify the fallback set against the state you will actually arrive in when things go wrong — not against the happy path, where every fallback is trivially reachable because you never needed it.
A fallback that cannot catch the failure you will actually be in is not a fallback. It is a dot on the chart that looks like a runway.
The Point of Safe Return
On 7 October 2013, a Royal New Zealand Air Force No. 40 Squadron Boeing 757, flight callsign NZ7571, departed Christchurch for Pegasus Field on the Ross Ice Shelf in Antarctica with 130 people aboard. The 757 did not carry the fuel to fly to Antarctica and return to Christchurch without refuelling at Pegasus. So the crew did what the doctrine requires: they pre-computed a point of safe return, the last position from which they could still turn back to a usable runway with reserves intact. Past that point, the designed diversion — return to Christchurch — would be foreclosed by the fuel envelope. The only reachable runway would be the one ahead.
As the flight approached that point, forecasters assured the crew the weather at Pegasus would improve, and on that forecast the crew was cleared to continue past the point of safe return. Roughly twenty minutes later, the observations told a different story: a fog bank had enveloped the runway in near-whiteout conditions. The fallback was already gone. The crew flew three approaches and, on the third, acquired the approach lights and runway markings at about 110 feet and landed below published minima. There was no damage and no injuries. The Transport Accident Investigation Commission found the crew’s decisions appropriate — but identified gaps in the original risk assessment, notably the absence of 757-suitable alternate approach procedures and thin consideration of which Antarctic aerodromes could actually take the aircraft.
This is a successful recovery, not a tragedy, and it must not be confused with the 1979 Mount Erebus disaster — an Air New Zealand DC-10 that struck the mountain in whiteout after a navigation error, killing all 257 aboard. The two events share Antarctica and fog; they share nothing else. What makes NZ7571 instructive is precisely that it ended well. The failure was not the landing. The failure was structural and upstream: the aircraft was committed past an irreversible point on a forecast — a prediction of improving weather — rather than on an observation, with the designed fallback already foreclosed and the alternate set too thin to absorb the conditions that actually arrived.
The moment you commit past the point of safe return on a forecast, your fallback is no longer something you have. It is something you are hoping for.
The AI Mapping
Autonomous agents fail in exactly the shape of NZ7571, typically without anyone having computed a point of safe return at all. An agent executing a multi-step task routinely commits past a rollback horizon — the last step before an irreversible side effect. A message is sent. Money moves. A resource is deleted. A downstream system is called and cannot be uncalled. Before that step, the operation is reversible; after it, it is not. The agent crosses that line the way the 757 crossed its point of safe return — except that the aircraft’s crew knew where the line was, and most agent architectures do not draw one.
And agents cross it on the same kind of evidence that failed NZ7571: a forecast rather than an observation. The agent acts on its predicted model of the world — the plan it formed, the state it expects the tools to be in, the outcome it anticipates — not on the world as currently observed. When the prediction diverges from reality, the irreversible step has already executed, and the fallback set is found to be under-specified: a rollback that cannot run because the state is committed; a human escalation with no human watching; a safe-default that routes through the very component that failed. The system is past its point of safe return, and no one computed one.
The corrective is structural, and it is the aviation corrective translated directly. Pre-compute the point of safe return for every extended operation, and refuse to pass it without a reachable adequate fallback inside the worst-case envelope. Specify the fallback set against the degraded state the agent will actually arrive in, not the happy path. And treat the gap between forecast and observation — the predicted world diverging from the observed one — as a first-class trigger to divert early, not as noise to press through. The aircraft that turns back before the point of safe return loses a little range. The one that presses on past it on a forecast bets its margin on hope. Agents make the same bet, at machine speed, routinely.
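The three corrective rules translate into a small gate that an agent runner can apply before the first irreversible step. This is an added example, not code from the original article or from any agent framework: it locates the point of safe return in a plan (the first irreversible step), evaluates each fallback against the state the agent would be in after that step has committed rather than against the happy path, and treats any disagreement between the plan's forecast and a fresh observation as a reason to divert. The refund workflow, the step names, the fallback set and the state fields are all constructed for illustration.

```python
"""Added example, not from the original article: compute a point of safe
return for a multi-step agent plan and refuse to cross it unless a fallback is
reachable from the degraded state the agent would actually arrive in.

The plan, the tool names and the fallback set are constructed for illustration
and are not any real agent framework's API.
"""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Step:
    name: str
    irreversible: bool = False
    # What the plan assumed the world would look like when this step runs: the forecast.
    expects: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class State:
    """The world as currently observed, including what is already committed."""
    observed: Dict[str, object] = field(default_factory=dict)
    committed: List[str] = field(default_factory=list)
    human_on_call: bool = False
    audit_service_up: bool = True


@dataclass(frozen=True)
class Fallback:
    name: str
    # Evaluated against the arrival state, not the happy path.
    reachable: Callable[[State], bool]


@dataclass(frozen=True)
class Decision:
    action: str            # "continue", "cross", "hold" or "divert"
    reason: str
    fallbacks: List[str]


def point_of_safe_return(plan: List[Step]) -> Optional[int]:
    """Index of the first irreversible step. Everything before it can be undone;
    None means the whole plan is reversible."""
    for i, step in enumerate(plan):
        if step.irreversible:
            return i
    return None


def degraded_state(step: Step, state: State) -> State:
    """Worst-case arrival state: the irreversible step has committed and then
    something went wrong, so its side effect is now on the books."""
    return replace(state, committed=state.committed + [step.name])


def reachable_fallbacks(fallbacks: List[Fallback], state: State) -> List[str]:
    return [f.name for f in fallbacks if f.reachable(state)]


def forecast_divergence(step: Step, state: State) -> List[str]:
    """Keys where the plan's forecast disagrees with the fresh observation."""
    return [k for k, v in step.expects.items() if state.observed.get(k) != v]


def decide_crossing(plan: List[Step], fallbacks: List[Fallback], state: State) -> Decision:
    """Gate the first irreversible step the way a crew gates the point of safe
    return: on observation, not forecast, and only with a reachable fallback."""
    psr = point_of_safe_return(plan)
    if psr is None:
        return Decision("continue", "plan is fully reversible", reachable_fallbacks(fallbacks, state))
    step = plan[psr]
    diverged = forecast_divergence(step, state)
    if diverged:
        # The predicted world and the observed one disagree: divert before committing.
        return Decision("divert", f"forecast diverges from observation on {diverged}", [])
    options = reachable_fallbacks(fallbacks, degraded_state(step, state))
    if not options:
        return Decision("hold", f"no reachable fallback past step {psr} ({step.name})", [])
    return Decision("cross", f"crossing at step {psr} ({step.name})", options)


# Constructed scenario: a refund workflow whose third step moves money.
PLAN = [
    Step("draft_refund"),
    Step("verify_balance", expects={"balance_ok": True}),
    Step("issue_refund", irreversible=True, expects={"balance_ok": True, "ticket_open": True}),
    Step("notify_customer", irreversible=True),
]
FALLBACKS = [
    # Rollback only works while nothing has been committed: present on the happy path,
    # absent from the arrival state.
    Fallback("rollback", lambda s: not s.committed),
    # A handoff is only a fallback if someone is actually watching.
    Fallback("human_handoff", lambda s: s.human_on_call),
    # The safe default halts and writes to the audit service; if that service is
    # the thing that failed, the default is unreachable too.
    Fallback("safe_default", lambda s: s.audit_service_up),
]
OBSERVED_OK = State(observed={"balance_ok": True, "ticket_open": True})
NOBODY_HOME = State(observed={"balance_ok": True, "ticket_open": True}, audit_service_up=False)
TICKET_CLOSED = State(observed={"balance_ok": True, "ticket_open": False}, human_on_call=True)

if __name__ == "__main__":
    for label, state in (("ok", OBSERVED_OK), ("nobody home", NOBODY_HOME),
                         ("ticket closed", TICKET_CLOSED)):
        d = decide_crossing(PLAN, FALLBACKS, state)
        print(f"{label}: {d.action} ({d.reason}) fallbacks={d.fallbacks}")
```

Note what the happy-path check would have said: with nothing committed, `rollback` is reachable, so a diagram-level review passes. Evaluated against the arrival state, rollback is gone and the only thing left is the safe default; take away the audit service it depends on and the gate holds rather than crossing. A closed ticket, observed rather than assumed, diverts the run even when a human is on call, because the decision to commit is never made on the forecast.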
The Cost-Savings Inversion
Here is the part that should change how you think about fallback discipline. Diversion-adequacy doctrine does not merely restrict operation. It is what enables wider operation. ETOPS is the reason twins — which burn substantially less fuel than three- and four-engine aircraft — fly the direct over-water routes at all, instead of the fuel-wasting doglegs that kept early twins hugging coastlines to stay within a short diversion envelope. The discipline of always-a-runway is precisely what unlocked the range. It did not cap it.
The civilian exemplar makes the point concrete — and it is a different operator from the cautionary one. On 1 December 2015, Air New Zealand flew the aviation industry’s first-ever scheduled ETOPS-330 service, Auckland to Buenos Aires, a Boeing 777-200ER on a roughly twelve-hour sector across the Southern Ocean. That route was viable because the diversion-adequacy framework let the twin fly direct, rather than detouring to stay within a tighter diversion envelope. The airline did not earn the longer reach by ignoring the safe-harbour rule. It earned it by satisfying the rule so thoroughly that the regulator was willing to approve operation up to three hundred and thirty single-engine minutes from an adequate alternate. Rigorous fallback discipline was the precondition for the wider operation, not a tax on it.
The AI corollary is the one worth carrying out of this brief. Fallback rigor is not the price you pay for autonomy. It is the thing that lets you grant autonomy at all. You let an agent operate over a longer horizon, with less supervision, across more irreversible actions, because you can prove a reachable adequate safe harbour is always inside the envelope — not despite that proof, but on the strength of it. The teams that treat rollback, handoff, and safe-default as afterthoughts will keep their agents on short leashes, hugging the coastline. The teams that engineer the fallback set as carefully as ETOPS engineers a diversion airport are the ones who will fly the direct routes.
The in-depth companion develops the full argument: the precise ETOPS rule and its tier history, the complete anatomy of NZ7571 and its forecast-versus-observation failure mode, the mapping to agent rollback horizons and abstention thresholds, the banking analogue of reachable reserves, and the engineering posture that pre-computes a point of safe return for every autonomous operation. Read it at Always a Runway: Diversion-Airport Doctrine for Autonomous Systems.
Fallback doctrine is not the tax on range. It is the runway that lets you fly the direct route. You go farther because a safe harbour is provably always reachable — not despite the discipline, but because of it.