Flight Envelope Protection (was: TV prog. on 777)

From:         palmer@icat.larc.nasa.gov (Michael T. Palmer)
Organization: NASA Langley Research Center, Hampton, VA  USA
Date:         01 Dec 92 13:54:51 PST
References:   1
Followups:    1
Next article
View raw article
  or MIME structure

Robert Dorsett <rdd@cactus.org> writes:

>As I understand it, the FBW system is the only way the pilots can signal
>the actuators.  Boeing is simply providing a "conventional" control law and 
>interface, with "protections" that can be over-ridden by the pilot, if
>necessary.  Redundancy/backup is at the hardware level, not in alternate
>select modes.

[etc]

>On the other hand, I do think it's a positive step that Boeing's not "re-
>writing" the book by offering *artificial* control laws, as Airbus is doing.
>Thus, to override the protections, the pilots just need to push or pull
>*harder,* or click an overrride button: they don't have to deal with or 
>anticipate the effects of *four* distinct control law modes, and the many 
>permutations within each mode, depending upon system status, as is the case
>with the A3[2-4]0.


This is correct, and highlights a very important distinction between the
approaches to flight envelope protection being taken by Boeing & Airbus.
The B-777 will have protections, but as you noted the crew can override
them by using excess force on the control column.  So, the airplane will
make it more difficult to do something it thinks shouldn't be done, but
will always leave the final decision to the crew.  In contrast, the
protection on the A320 *cannot* be overridden - you either get switched
into an alternate control mode, or your inputs are ignored.

This has some serious consequences.  For example, in the China Airlines
B-747 incident 300 nm northwest of San Francisco in 1985 (NTSB/AAR-86-03),
the crew was forced to overstress (and structurally damage) the horizontal
tail surfaces to recover from a roll and near-vertical dive following an
automatic disconnect of the autopilot when it could no longer compensate
for an asymmetric thrust condition.  At the time of disconnect, full
rudder was engaged to one side and the crew was unaware of this.  The
crew recovered control with about 10,000 ft of altitude left (from an
original high-altitude cruise).  It is very likely that if the aircraft
had prevented the crew from initiating control commands that would lead
to aircraft damage, the aircraft (and passengers) would have been lost.

Unfortunately, it appears that engine manufacturers may be heading down
the same path as Airbus with respect to their electronic engine controllers.
I can't remember which engine it was, but I remember reading that when
the controller detects a condition for which the proper action is to shut
the engine down, it will do it itself AND THE CREW CANNOT OVERRIDE THIS
ACTION.  Now, this may seem like a good idea on paper, but remember the
Eastern L-1011 out of Miami in 1983 (NTSB/AAR-84-04) with the triple
engine failure because the oil seals were missing?  Can you imagine the
tragic result if the engines had ALL detected this condition (in flight)
and shut themselves down?  It seems to me that letting the crew decide
to sacrifice an engine to save the airframe is probably a good idea.

If nothing else, I hope I have brought up some topics that deserve
discussion among readers of this newsgroup.  After all, aren't we the
ones in positions to influence our industry (all in our own way, of
course)?

-- 
Michael T. Palmer, M/S 152, NASA Langley Research Center, Hampton, VA 23681
Voice: 804-864-2044,   FAX: 804-864-7793,   Email: m.t.palmer@larc.nasa.gov
PGP 2.0 Public Key now available -- Consider it an envelope for your e-mail