Re: Flight envelope protections

From: (Robert Dorsett)
Date:         02 Dec 92 13:18:55 PST
(Michael T. Palmer) wrote:

> This has some serious consequences.  For example, in the China Airlines
> B-747 incident 300 nm northwest of San Francisco in 1985 (NTSB/AAR-86-03),
> the crew was forced to overstress (and structurally damage)

That might be overstating the case a bit. :-) The NTSB report suggests
they didn't have a clue how to recover from the spiral, once they entered
it, lacking military aerobatic training and being completely disoriented.  I
don't believe the report distinguishes the tailplane's damage as being
incidental or intentional.

> the horizontal
> tail surfaces to recover from a roll and near-vertical dive following an
> automatic disconnect of the autopilot when it could no longer compensate
> for an asymmetric thrust condition.  At the time of disconnect, full
> rudder was engaged to one side and the crew was unaware of this.  The
> crew recovered control with about 10,000 ft of altitude left (from an
> original high-altitude cruise).  It is very likely that if the aircraft
> had prevented the crew from initiating control commands that would lead
> to aircraft damage, the aircraft (and passengers) would have been lost.

Your point's well taken, and the risks are certainly worth considering.  But
allow me to play devil's advocate, for a minute, without diluting your argu-
ment, and suggest that the EFCS would have prevented an A3[2-4]0 from getting
into the unusual attitude to begin with.  The protections are both aerodynamic
and input-filtering (and configuration-evaluating, and...).  In the China
Air incident, the flip-over was caused by a "dumb" autopilot/autothrottle
design configuration oversight, following an engine abnormality.  If a similar
event had occurred on an A3[2-4]0, the EFCS would probably have limited both
the authority of the FMS to put the airplane into the steep bank, *and* would
have provided maximum corrective action, using opposing controls, to keep the
airplane in the prescribed operating envelope.

But let's suppose some other kind of fault flips the airplane over: rotor,
wake turbulence, transient EFCS bug (REALLY unlikely).  I would have less
confidence in the system than in a 747, but there are saving graces in the
system design.

During the flip-over itself, the system would have reverted to Alternate Law
when one of these conditions was met:
    Pitch > 50 degrees nose-up or < 30 degrees nose-down.
    Bank > 125 degrees.
    AOA > 30 degrees or < -10 degrees.
    Speed > 460 knots or < 60 knots.
    Mach > 0.91 or < 0.1.
There would not have been protections or auto-trim; there would have been
full-authority direct law in roll, without yaw-damper services.  It is not
clear whether "device-saving" protections would have been in place (likely,
no doubt, considering the extensive use of composites in the tail surfaces).
(don't forget: you have to remember all this when the shiny side's the wrong
way up :-))

I also wonder how well the four accelerometers the EFCS uses would have
held up to all this.  No matter: they're durable.

A320 simulators use pretty much the same EFCS code as the actual airplane.
Since programming errors often show up in 90-degree increments (tan 90!),
I suspect it would be interesting to turn off the motion system and take
the thing up for a spin, so to speak... :-)

More grist for the mill:

In an unnamed regulatory agency's commentary on a paper that Pete Mellor and I
are cooking up, there was a note that in the case of even a
"run-away" surface (actuator OR software malfunction), the remaining devices/
governing software would function to provide a "virtual" effect, providing
handling qualities that would mask the abnormality.  I was aware that a
"make-up" feature existed, but the precise wording raises the question of how
much loading, exactly, the run-away surface might introduce, or how violent
an oscillation the system could be trying to cover up.

I find this *quite* disquieting, especially since, in the FAA's Special
Conditions for the A320's certification in the United States, the point was
clearly made that the FAA does *not* believe the pilots have a right to be
warned of failures of this sort:

This is from the Federal Register 54:17, January 27, 1989, pages 3989 and

P. 3996: paragraph 2(a)2(i), the item under discussion: active controls, basic
criteria, with the system in failure conditions:

    "(i) Warnings must be provided to annunciate the existence of failure
    conditions which affect the structural capability of the airplane and
    for which the associated reduction in airworthiness can be minimized by
    suitable flight limitations.  Failure conditions which affect the
    structural capability of the airplane and for which there is no
    suitable compensating flight  limitation need not be annunciated to the
    flightcrew, but must be detected before the next flight."

P. 3989, the oh-so-enlightening, explanatory commentary:

    "The second commenter believes that the flightcrew must be aware of any
    failure conditions which affect the structural capability of the
    airplane, whether or not a compensating procedure exists.  The FAA does
    not concur with this comment.  It is not necessary for the flight crew
    to be aware of a failure in the active control system during the flight
    on  which the failure occurs if there is no available corrective
    action; however, the airplane should not be exposed to the failure
    condition for an extended period of time.  The flightcrew must
    therefore be alerted to the failure condition prior to the next flight."

This is from the FAA, the agency in charge of establishing airworthiness and
certification practices in the United States!  In reality, the A320 likely
*does* provide enough feedback: but the FAA, apparently unnecessarily, has
certainly opened the door for the practice to be introduced in subsequent

> Unfortunately, it appears that engine manufacturers may be heading down
> the same path as Airbus with respect to their electronic engine controllers.

Beyond "dumb" smartness, Pete Mellor has uncovered reason to believe
the engine controllers do not use dissimilar software.  On the A320, there
are two FADECS per engine: a common-cause-of-failure logic fault could con-
ceivably take out both controllers.  It's not clear whether this could happen
in tandem, based on environmental conditions, or serially, which could intro-
duce a short timing delay in which the input parameters could be "corrected."

> If nothing else, I hope I have brought up some topics that deserve
> discussion among readers of this newsgroup.  After all, aren't we the
> ones in positions to influence our industry (all in our own way, of
> course)?

Especially in software, of particular relevance to the net.  A lot (if not
most) of the people writing this code--4M on the A320, 10M+ on the
A330 and A340--are *not* aero engineers: just programmers, ostensibly with
CS backgrounds (a more frightening thought I can't imagine! :-)), performing
under strictly governed, structured, controlled environments: to specif-

Airbus even mentioned the "CS" types it brought in from "outside" to
buttress a comment on its quality-control practices, in an article, as if
to make the point that mere engineers weren't writing this stuff: the
"pros" are doing it. :-)  Yeah, we know what we're doing, SURE... :-)

Computers on the brain...

Alphabet soup:

AOA     Angle of Attack
CS      Computer Science
EFCS    Electronic Flight Control System
FADEC   Full-Authority Digital Engine Control
FMS     Flight Management System
M       Megabyte
NTSB    National Transportation Safety Board

Robert Dorsett!!rdd
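As an added illustration (not part of the post above, and not Airbus code or documentation), here is the Alternate Law reversion list applied as a monitor over a constructed flight-state trace; the thresholds are exactly the ones the post lists, while the sign conventions (pitch and AOA positive nose-up, bank taken as magnitude) are assumptions made here.

```python
# Added example, not from the original post: applies the Alternate Law
# reversion thresholds as the post lists them to a time series of samples.
# Sign conventions (pitch/AOA positive nose-up, bank by magnitude) are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    t: float      # seconds into the upset (constructed)
    pitch: float  # degrees, positive nose-up
    bank: float   # degrees, either sign
    aoa: float    # degrees
    speed: float  # knots
    mach: float

# (name, predicate): any single true predicate forces reversion.
REVERSION_RULES = (
    ("pitch > 50 nose-up",    lambda s: s.pitch > 50),
    ("pitch < -30 nose-down", lambda s: s.pitch < -30),
    ("bank > 125",            lambda s: abs(s.bank) > 125),
    ("AOA > 30",              lambda s: s.aoa > 30),
    ("AOA < -10",             lambda s: s.aoa < -10),
    ("speed > 460 kt",        lambda s: s.speed > 460),
    ("speed < 60 kt",         lambda s: s.speed < 60),
    ("Mach > 0.91",           lambda s: s.mach > 0.91),
    ("Mach < 0.1",            lambda s: s.mach < 0.1),
)

def tripped_conditions(s):
    """Names of every reversion condition the sample violates, in rule order."""
    return [name for name, pred in REVERSION_RULES if pred(s)]

def first_reversion(trace):
    """(sample, reasons) for the first sample that drops Normal Law protections,
    or None if the whole trace stays inside the envelope."""
    for s in trace:
        reasons = tripped_conditions(s)
        if reasons:
            return s, reasons
    return None

# Constructed trace loosely shaped like the roll-over the post discusses:
# bank steepens, the nose drops, speed builds. Values are illustrative only.
UPSET_TRACE = [
    Sample(0.0, 2.0, 5.0, 3.0, 280.0, 0.82),
    Sample(2.0, -5.0, 60.0, 4.0, 290.0, 0.84),
    Sample(4.0, -20.0, 110.0, 5.0, 310.0, 0.86),
    Sample(6.0, -35.0, 130.0, 6.0, 340.0, 0.88),
]
```

Running `first_reversion(UPSET_TRACE)` reports the third sample, with both the nose-down and bank limits exceeded at once, which is the kind of multi-condition reversion a crew would have to recognise while inverted.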