July 25, 2019, ©. Leeham News: In our series about classical flight controls (“fly by steel wire”) and Fly-By-Wire (FBW or “fly by electrical wire”), this week we cover the difference in system infrastructure the two control methods call for.
We will use the Boeing 737 as the classical control example and the Airbus A320 as the FBW example.
Last week we talked about the very wide flight envelope in dynamic pressure, Q, an airliner experiences and how this affects the displacement and force needed for moving the control surfaces when flying the aircraft.
A classical system like the 737 flight controls uses hydraulic power to achieve this and clever aerodynamic aids to provide a manageable direct mechanical backup in pitch and roll should the hydraulics fail.
The FBW A320 relies on a functioning hydraulic system at all times. It has no mechanical flight control backup. It has a temporary “FBW reboot” backup using mechanical elevator trim for pitch control and mechanical rudder control to cater for roll via secondary yaw-roll coupling. The control mode is good enough for continued flight during the reboot but not for descent and landing. While this mode needs no electrics (not even battery, it moves the valves on the hydraulic jacks mechanically) it needs hydraulic pressure to the horizontal stabilizer trim jack and at least one of the rudder actuators.
Consequently, the A320 needs more redundancy in the hydraulic system. In addition to a dual circuit base system (Figure 1) with engine-driven pumps and an electrical pump pressurized third backup system (powered by batteries if needed), it has a fourth backup system.
The backup hydraulic system has a Ram Air Turbine (RAT) hydraulic pump adding a fourth level of redundancy with longer endurance than a battery-driven backup pump. The resulting hydraulic system is shown on the right-hand side of Figure 1.
Figure 1 also shows how the three different hydraulic systems divide the aircraft’s control surfaces between them, with several redundant actuators per surface (the rudder, for instance, has three actuators, each fed by its own circuit).
Unlike the A320, the 737 flight control system is architected so the aircraft can be flown and landed without functioning hydraulics. Hence its hydraulic system can function with a three circuit system with principally the same architecture but without the RAT pump.
Similar to the hydraulic system, the A320 electrical system has a higher redundancy level than the 737 to guarantee an uninterrupted supply of power to the FBW system. It has five levels of redundancy, whereas the 737 is fine with four levels. The 737 and A320 have dual main electrical buses which distribute AC and DC power from engine-driven generators, Figure 2 left graph. These can individually supply all systems in the aircraft.
In addition, both have an APU with a generator which can be run in the air and supply all electrical buses on the aircraft, second graph. If the two engine generators and the APU generator can’t supply power (third graph), the A320 has a generator driven by the RAT hydraulics which supplies consumers on the Essential bus with electrical power. Finally, should all generators fail, the systems connected to the essential bus, which include critical parts of the FBW, are fed by the dual batteries (last graph).
The 737 has in principle the same system without the RAT based emergency generator, giving it a four-level redundancy. This is enough as the Flight Control system can work without electrical power.
In the next Corner, we look at how the classical and FBW control systems achieve their control function redundancy.
The B747 uses the windmilling effect of the big engines to provide sufficient hydraulic pressure I believe. Older aircraft like the B727 & DC8 had servo tabs on the trailing edge of some flight control surfaces. The flight controls deflected these directly and they would then deflect the larger surface. Very complicated for high speed aircraft due to the need to compensate for Q at high speed. These refinements were known as “geared servo spring tabs”. The B36 used these without any power controls. They can be finicky to design due to their vulnerability to flutter. Some aircraft like the MRCA Tornado IDS use molten salt batteries. These rather than making the electrolyte conductive by solution in water use a pyrotechnical charge to melt the salt. Long shelf life, first used in V2 missile. The ADV variant of the Tornado used a RAT which was blocked by the undercarriage when it was extended. If you had the balls for a landing rather than ejection you might lose control.
The 737, at least up to the NG (I don’t know about the MAX), has tabs on the elevators and ailerons to provide aerodynamic assistance when hydraulics are lost. Operating without hydraulics is known as ‘manual reversion’ and there is no auto pilot available. It is also the reason for one of the very few maintenance manual required reasons for a post maintenance flight test. The tabs are operated by adjustable push rods which are adjusted to a standard setting on the ground. Only a flight test where hydraulics are switched off can reveal what additional adjustment is needed to achieve a smooth transition between hydraulics available and no hydraulics.
I learned more in one short article on the A320 (and aspects of the 737) than I had in 50 years or more following this field.
I know the 787 has a RAT (electric and hydraulic?) what about 777, 747?
note: the 787 RAT was what allowed them to land in San Antonio when the entire electrical system failed – I never got a full read but it seemed like the battery system was knocked off line as they had total system loss.
747 no RAT, 4 engines with 1 hydraulic pump each plus 4 air driven hydraulic pumps. Works out to 1 engine driven pump (EDP) and 1 air driven pump (ADP) per hydraulic system.
re 777 RAT- look a bit behind flap trailing edge on right hand side in the video- a standard part of flight test
The 767 has a RAT also … used during the Air Canada flight that ran out of gas.
Argh, that is right. Thanks
777 I thought but did not know. Cool.
What I get from Bjorn’s article is that redundancy is necessary but it doesn’t always matter what type of redundancy. Fly By Wire has been extraordinarily safe and reliable and the aircraft are statistically much safer. Where these aircraft have had problems is not in the FBW system but the sensors that feed it and allow it to fly in normal law. Pitot Static tubes have frozen in flight (A330ceo AF447) or been taped over prior to cleaning and the tape not removed or blocked (B757 Birgenair Flight 301). The 4 angle of attack vanes have been filled with water due to high pressure cleaning and 3 frozen in the same position at altitude then voting the good one out. (XL Airways Flight 888T) All have led to fatal crashes.
In this case the problem is not only the lack of robustness of the sensors but the use of multiple versions of the same type that can fail exactly the same way at the same time. Why have 4 vane type sensors on an A320 when two could be the pressure null type seeking ones that can self check against seizing.
The aircraft remains perfectly flyable in each case but pilots were not trained or able to act as the final ‘redundancy’.
My conclusion on AF447 was that when the autopilot detected faulty air speed data from the frozen pitot static sensors it should not have handed over control to the pilot but inferred the air speed data by using GPS and speed, altitude and attitude data from the inertial guidance system combined with thrust and flaps position. Pilots are notoriously unreliable flying at night.
RE using Inertial system as a standby or comparison
pages 37 to 42
may also be on 777 ?
The B787 Alternate Air Data System (Referred to As Synthetic Airspeed) is a sign that things are getting better. Pitot static tubes (Prandtl Tubes) and AOA vanes are outside the aircraft and extraordinarily vulnerable. If Airbus haven’t done so already and if the major FCS suppliers aren’t offering a version I hope they do soon. The 1960’s B737 philosophy was that there would be two of everything with the pilots or flight engineer deciding which system or instrument was working. Around the 1980s as the A320 came in the philosophy had moved to a triple redundancy system so that a 2oo3 (2 out of 3) rule could automatically determine the fault and present and act on only duplicated data. That doesn’t seem to be good enough. Rather than handing over to pilots systems should gracefully transition into a backup system.
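The voting behaviour raised in the comments above (a 2 out of 3 rule, and same-type sensors freezing together and voting the good one out), as an added example that is not part of the original article or comments. The function names, tolerances and angle-of-attack values are constructed, and `cross_check` assumes an independent estimate from a dissimilar source is available.

```python
from statistics import median

def vote(readings, tol=1.0):
    """Majority voter over redundant sensor readings (hypothetical helper).

    A reading is accepted when it lies within `tol` of the median; the voted
    value is the mean of the accepted readings. Returns (None, all indices)
    when no strict majority agrees, so the caller can fall back to a backup
    source instead of trusting a minority.
    """
    mid = median(readings)
    agree = [i for i, r in enumerate(readings) if abs(r - mid) <= tol]
    if 2 * len(agree) <= len(readings):
        return None, list(range(len(readings)))
    rejected = [i for i in range(len(readings)) if i not in agree]
    return sum(readings[i] for i in agree) / len(agree), rejected

def cross_check(voted, independent_estimate, tol=2.0):
    """True when the voted value agrees with a dissimilar source (assumed
    here to be an estimate that does not share the vanes' failure mode)."""
    return voted is not None and abs(voted - independent_estimate) <= tol

# Constructed angle-of-attack readings in degrees.
SINGLE_FAULT = [5.0, 5.5, 12.0]   # one sensor fails on its own
COMMON_MODE = [4.0, 4.0, 14.0]    # two frozen at 4.0, third tracks the true 14.0
SPLIT = [4.0, 9.0, 14.0]          # no two sensors agree

if __name__ == "__main__":
    # Independent failure: the faulty sensor (index 2) is voted out.
    print(vote(SINGLE_FAULT))
    # Common-mode failure: the only healthy sensor (index 2) is voted out.
    value, rejected = vote(COMMON_MODE)
    print(value, rejected)
    # Only a dissimilar source exposes the bad majority.
    print(cross_check(value, independent_estimate=14.0))
    # No majority: the voter declines to pick a value.
    print(vote(SPLIT))
```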
Both the 737 and the A320 have (or did have) a close to identical record safety wise.
While not the only one, the Mode issue is an area that affects FBW, it shifts so much that mistakes are made.
AF447 and the Asiana 214 SFO.
One thing I notice in regards to hydraulic design is that triplication was about protecting against individual hydraulic failure of a single system. Trauma to the airframe could sever all three or 4 systems. EG United Flight 242 (DC10 engine disintegration in tail ie Sioux City), Turkish Airlines 981 (DC10 cargo door blowout), Japan Airlines 123 (B747 rear pressure bulkhead blowout), DHL Baghdad shootdown attempt (A300 hit by missile in wing tips). All suffered complete hydraulic loss due to highly localised airframe trauma. Clearly this is one case steel wire to servo spring tabs would have been better. Had these aircraft used EHA (Electro Hydrostatic Actuators) they could have been saved since electricity doesn’t bleed out. A sequence of local circuit breaker trips and isolates any potential fault. A short circuit on the left wing will not destroy electrical distribution to the right and tail if the circuit breakers are correctly designed.
It all has to do with a combination of routing (the DC-10 was in a narrow alley in the tail) as well as the expected methods of failure.
DC-10 only had 3 systems because it was 3 engine (long over-water flights)
They did not do a correct assessment as a lost engine is not unheard of.
On the other hand A380 into HK failed in such a way as to have been deemed impossible.
Cut your wire and no servo.
EHA require both power and a control circuit. Ergo, one or the other sliced and it does not work and then it’s how widespread the damage is and did it take down other systems.
Or as the 787 found out, its fault isolation was all wrong.
No assessment ever is zero possible, some are deemed very low and like the A380, found to be wrong.
Thanks for your thoughts. We can’t say that the DC10 was uniquely vulnerable to total hydraulic system bleed out failures due to routing near its tail engine when we have examples of the A300 bleeding out from wing tip missile strike (it was a very tiny missile), B747 from rear pressure bulkhead due to the routing near the APU and DC10 due to failures in both tail and near cargo door. The fundamental problem was the design that allowed total bleed out of all systems.
There should have been a 4th, 5th and 6th electric and bleed air driven hydraulic mini subsystem in tail, port wing and starboard wing completely isolated from the other hydraulics to eliminate the chance of a total bleed out. Obviously EHA and EHBA actuators provide this in a different way.
Which reminds me. Swept wing aircraft should have an emergency ‘elevon’ mode for the ailerons to give pitch control when the elevator/stabiliser fails or is insufficient.
As far as control cabling goes: this will be digital, likely fibre optic due to immunity to interference, lightning and short circuit, and it would be easy to route via 4 redundant paths eg (before and after rear main spar and before and after forward main spar). You could even have backup by radio. The electrical power could even route this way to the EHA actuators. Engines seem to be the last thing to lose control because they have their own power so maybe it makes sense to have electrical backup batteries near the actuators themselves.
I don’t know what the examples for A380 and B787 systems failures are, do you have flight numbers or a link? I’m very interested in this area.