Newsgroups: sci.aeronautics.airliners
Path: news
From: rdd@cactus.org (Robert Dorsett)
Subject: Re: Flight envelope protections
X-Submission-Date: Wed, 2 Dec 92 05:37:33 CST
References:
Message-ID:
Approved: kls@ohare.Chicago.COM
Sender: kls@ohare.Chicago.COM
X-Submission-Message-Id: <9212021137.AA12970@cactus.org>
Date: 02 Dec 92 13:18:55 PST

palmer@icat.larc.nasa.gov (Michael T. Palmer) wrote:

> This has some serious consequences. For example, in the China Airlines
> B-747 incident 300 nm northwest of San Francisco in 1985 (NTSB/AAR-86-03),
> the crew was forced to overstress (and structurally damage)
               ^^^^^^

That might be overstating the case a bit. :-) The NTSB report suggests they didn't have a clue how to recover from the spiral, once they entered it, lacking military aerobatic training and being completely disoriented. I don't believe the report distinguishes the tailplane's damage as being incidental or intentional.

> the horizontal
> tail surfaces to recover from a roll and near-vertical dive following an
> automatic disconnect of the autopilot when it could no longer compensate
> for an asymmetric thrust condition. At the time of disconnect, full
> rudder was engaged to one side and the crew was unaware of this. The
> crew recovered control with about 10,000 ft of altitude left (from an
> original high-altitude cruise). It is very likely that if the aircraft
> had prevented the crew from initiating control commands that would lead
> to aircraft damage, the aircraft (and passengers) would have been lost.

Your point's well taken, and the risks are certainly worth considering. But allow me to play devil's advocate, for a minute, without diluting your argument, and suggest that the EFCS would have prevented an A3[2-4]0 from getting into the unusual attitude to begin with. The protections are both aerodynamic and input-filtering (and configuration-evaluating, and...).
In the China Air incident, the flip-over was caused by a "dumb" autopilot/autothrottle design configuration oversight, following an engine abnormality. If a similar event had occurred on an A3[2-4]0, the EFCS would probably have limited both the authority of the FMS to put the airplane into the steep bank, *and* would have provided maximum corrective action, using opposing controls, to keep the airplane in the prescribed operating envelope.

But let's suppose some other kind of fault flips the airplane over: rotor, wake turbulence, transient EFCS bug (REALLY unlikely). I would have less confidence in the system than in a 747, but there are saving graces in the system design. During the flip-over itself, the system would have reverted to Alternate Law when one of these conditions was met:

    Pitch > 50 degrees nose-up or < 30 degrees nose-down.
    Bank > 125 degrees.
    AOA > 30 degrees or < -10 degrees.
    Speed > 460 knots or < 60 knots.
    Mach > 0.91 or < 0.1.

There would not have been protections or auto-trim; there would have been full-authority direct law in roll, without yaw-damper services. It is not clear whether "device-saving" protections would have been in place (likely, no doubt, considering the extensive use of composites in the tail surfaces). (Don't forget: you have to remember all this when the shiny side's the wrong way up :-))

I also wonder how well the four accelerometers the EFCS uses would have held up to all this. No matter: they're durable.

A320 simulators use pretty much the same EFCS code as the actual airplane. Since programming errors often show up in 90-degree increments (tan 90!), I suspect it would be interesting to turn off the motion system and take the thing up for a spin, so to speak...
:-)

More grist for the mill: In an unnamed regulatory agency's commentary on a paper that Pete Mellor and I are cooking up, there was a note that in the case of even a "run-away" surface (actuator OR software malfunction), the remaining devices/governing software would function to provide a "virtual" effect, providing handling qualities that would mask the abnormality. I was aware that a "make-up" feature existed, but the precise wording raises the question of how much loading, exactly, the run-away surface might introduce, or how violent an oscillation the system could be trying to cover up.

I find this *quite* disquieting, especially since, in the FAA's Special Conditions for the A320's certification in the United States, the point was clearly made that the FAA does *not* believe the pilots have a right to be warned of failures of this sort. This is from the Federal Register 54:17, January 27, 1989, pages 3989 and 3996:

P. 3996: paragraph 2(a)2(i), the item under discussion: active controls, basic criteria, with the system in failure conditions:

    "(i) Warnings must be provided to annunciate the existence of failure
    conditions which affect the structural capability of the airplane and
    for which the associated reduction in airworthiness can be minimized by
    suitable flight limitations. Failure conditions which affect the
    structural capability of the airplane and for which there is no suitable
    compensating flight limitation need not be annunciated to the
    flightcrew, but must be detected before the next flight."

P. 3989, the oh-so-enlightening, explanatory commentary:

    "The second commenter believes that the flightcrew must be aware of any
    failure conditions which affect the structural capability of the
    airplane, whether or not a compensating procedure exists. The FAA does
    not concur with this comment.
    It is not necessary for the flight crew to be aware of a failure in the
    active control system during the flight on which the failure occurs if
    there is no available corrective action; however, the airplane should
    not be exposed to the failure condition for an extended period of time.
    The flightcrew must therefore be alerted to the failure condition prior
    to the next flight."

This is from the FAA, the agency in charge of establishing airworthiness and certification practices in the United States! In reality, the A320 likely *does* provide enough feedback: but the FAA, apparently unnecessarily, has certainly opened the door for the practice to be introduced in subsequent types.

> Unfortunately, it appears that engine manufacturers may be heading down
> the same path as Airbus with respect to their electronic engine controllers.

Beyond "dumb" smartness, Pete Mellor has uncovered reason to believe the engine controllers do not use dissimilar software. On the A320, there are two FADECs per engine: a common-cause-of-failure logic fault could conceivably take out both controllers. It's not clear whether this could happen in tandem, based on environmental conditions, or serially, which could introduce a short timing delay in which the input parameters could be "corrected."

> If nothing else, I hope I have brought up some topics that deserve
> discussion among readers of this newsgroup. After all, aren't we the
> ones in positions to influence our industry (all in our own way, of
> course)?

Especially in software, of particular relevance to the net. A lot (if not most) of the people writing this code--4M on the A320, 10M+ on the A330 and A340--are *not* aero engineers: just programmers, ostensibly with CS backgrounds (a more frightening thought I can't imagine! :-)), performing under strictly governed, structured, controlled environments: to specification.
Airbus even mentioned the "CS" types it brought in from "outside" to buttress a comment on its quality-control practices, in an article, as if to make the point that mere engineers weren't writing this stuff: the "pros" are doing it. :-)

Yeah, we know what we're doing, SURE... :-)

Computers on the brain...

Alphabet soup:

    AOA     Angle of Attack
    CS      Computer Science
    EFCS    Electronic Flight Control System
    FADEC   Full-Authority Digital Engine Control
    FMS     Flight Management System
    M       Megabyte
    NTSB    National Transportation Safety Board

---
Robert Dorsett
rdd@cactus.org
...cs.utexas.edu!cactus.org!rdd
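The Alternate Law reversion thresholds the post lists make a compact illustration of an envelope monitor: an independent check that watches the aircraft state and reports when the flight has left the region in which the normal protections are trusted. The following is an added example written for this page, not Airbus or EFCS code: the numeric limits are exactly the ones quoted in the post, while the state record, the function names, the strict greater-than/less-than reading of each limit and the sample upset trajectory are constructed assumptions for illustration.

```python
"""Envelope monitor modelled on the Alternate Law reversion thresholds quoted in the post.

Added example, not Airbus or EFCS code. The thresholds are the post's; the data
layout, function names and sample trajectory below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlightState:
    """One sampled aircraft state (units chosen for this example)."""
    pitch_deg: float   # positive = nose-up, negative = nose-down
    bank_deg: float    # signed bank angle; magnitude is what the limit checks
    aoa_deg: float     # angle of attack
    speed_kt: float    # airspeed, knots
    mach: float


# Reversion limits as listed in the post. Each is read as a strict inequality,
# so a value exactly on the limit does not trip it (an assumption of this example).
REVERSION_LIMITS = (
    ("pitch > 50 deg nose-up",   lambda s: s.pitch_deg > 50),
    ("pitch > 30 deg nose-down", lambda s: s.pitch_deg < -30),
    ("bank > 125 deg",           lambda s: abs(s.bank_deg) > 125),
    ("AOA > 30 deg",             lambda s: s.aoa_deg > 30),
    ("AOA < -10 deg",            lambda s: s.aoa_deg < -10),
    ("speed > 460 kt",           lambda s: s.speed_kt > 460),
    ("speed < 60 kt",            lambda s: s.speed_kt < 60),
    ("Mach > 0.91",              lambda s: s.mach > 0.91),
    ("Mach < 0.1",               lambda s: s.mach < 0.1),
)


def tripped_limits(state):
    """Names of every reversion limit the given state exceeds, in table order."""
    return [name for name, exceeded in REVERSION_LIMITS if exceeded(state)]


def control_law(state):
    """'ALTERNATE' when any limit is exceeded, otherwise 'NORMAL'."""
    return "ALTERNATE" if tripped_limits(state) else "NORMAL"


def analyze_upset(samples):
    """Run the monitor over a sampled trajectory.

    Returns the index of the first sample that reverted to Alternate Law
    (None if the envelope was never left) and the sorted set of all limits
    exceeded at any point, which is the record a post-flight check would want.
    """
    first_reversion = None
    exceeded = set()
    for index, state in enumerate(samples):
        hits = tripped_limits(state)
        if hits and first_reversion is None:
            first_reversion = index
        exceeded.update(hits)
    return {"first_reversion": first_reversion, "limits": sorted(exceeded)}


# Constructed trajectory: cruise, a roll-off, a steep banked dive, then recovery.
# The numbers are invented for this example and are not from the NTSB report.
UPSET_SAMPLES = [
    FlightState(pitch_deg=2,   bank_deg=0,   aoa_deg=3,   speed_kt=280, mach=0.84),
    FlightState(pitch_deg=-5,  bank_deg=60,  aoa_deg=4,   speed_kt=290, mach=0.85),
    FlightState(pitch_deg=-40, bank_deg=130, aoa_deg=2,   speed_kt=330, mach=0.90),
    FlightState(pitch_deg=-80, bank_deg=95,  aoa_deg=-12, speed_kt=470, mach=0.97),
    FlightState(pitch_deg=10,  bank_deg=20,  aoa_deg=8,   speed_kt=300, mach=0.60),
]


if __name__ == "__main__":
    for i, s in enumerate(UPSET_SAMPLES):
        print(i, control_law(s), tripped_limits(s))
    print(analyze_upset(UPSET_SAMPLES))
```

The point of separating `tripped_limits` from `control_law` is the one the post's FAA quotation raises: the law the aircraft is flying under is only a one-word summary, while the list of which limits were exceeded, and when, is the information that has to survive for the next-flight check the Special Conditions require.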