Bjorn’s Corner: Fly by Steel or Electrical wire, Part 5

By Bjorn Fehrm

August 23, 2019, ©. Leeham News: In our series about classical flight controls (“fly by steel wire”) and Fly-By-Wire (FBW or “fly by electrical wire”) we now look at practical implementations after discussing the authority of the flight control system last week.

As before we compare the classical 737 system to the A320 FBW system.

Figure 1. The two mechanical control pitch systems of the 737 are visible in the upper left. Each side has a complete system shown at the lower part of the figure (except for the trim which has dual wire sets but one actuator motor/drum). Source: Boeing.

The build-up of a classical versus Fly-By-Wire control system

For our analysis of the differences between a classical control system and a FBW variant, we focus on the pitch control channel. It’s the most critical channel when it comes to aircraft control and each implementation must offer redundancy for this important function. In this Corner we focus less on how the normal tasks of pitch control are done (we discuss this in subsequent Corners) and more on how the designers have handled what can go wrong.

Mechanical control

For a mechanical system controlling hydraulic valves, which in turn pressurize the actuators moving the surfaces, the highest risks of malfunction are mechanics that can jam (wires/links going bust from wear is not likely with the maintenance of modern jets) and hydraulic leaks.

The 737 mechanical pitch system is, therefore, divided into two complete systems; a left and a right system, Figure 1. These are linked below the feet of the pilots by a torque tube with a break-out clutch.

Should, for instance, the Captain’s (left) system jam, the Co-pilot can pull hard on his yoke until the clutch disengages his right system from the Captain’s side. He can now fly and land the 737 with his control of the right elevator (with some precautions re. configurations and speeds), the other jammed system staying in its jammed position.

Should the hydraulics leak in one of the three circuits, the other two will still function and give control of the aircraft. In the end, if all hydraulics fail, the Pilot can land the aircraft via only the mechanical links to the elevator and horizontal stabilator trim system (again with precautions and limitations).

FBW control

As described last week, the feedback-type FBW of the A320 has full authority for the pitch channel. Hence we must have a fault-proof redundancy concept, both for the control system and the infrastructure serving it. Figure 2 shows the redundant concept of the A320 FBW pitch channel.

Figure 2. The FBW pitch control system of the A320 Source: Airbus.

The pitch channel has two Elevator Aileron Computers (ELACs) with their inputs and sensors which are backed up by two Spoilers Elevator Computers (SECs) with their set of inputs and sensors.

In total, the pitch channel has four channels with separate computers, which form the redundancy concept. We can also see the actuators for the elevators, which are driven by the three hydraulic systems, Blue (B), Green (G) and Yellow (Y).

The trim system takes commands from the ELACs to execute Autotrim for the aircraft. You don’t trim a FBW Airbus, it’s done by the FBW. The trim system is also redundant, with three electrical motors controlling the valves of the Trimmable Horizontal Stabilator’s (THS) dual actuators, each fed by a different hydraulic system.

In normal operation, ELAC2 is in control driving the elevators over the Green and Yellow jacks and the stab trim over Motor 1.

If ELAC2 or the channel’s hydraulics have a problem, ELAC1 takes control via its Blue jacks and the trim via Motor 2.

If both ELACs are faulty, SEC1 or 2 takes control of the elevators and trim via Motors 2 or 3. The exact way it’s done is a logical maze, so we don’t dig into it; suffice to say it works and gives additional redundancy.

Should the FBW computers need a reboot, the Pilot can control pitch via the Mechanical pitch trim link to the control valves of the stabilator jacks during the recovery of the FBW system.

In summary, the multiple redundancies guarantee there is no loss of pitch authority in the lifetime of the aircraft.
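The reconfiguration order described above can be written down as a small fault model and swept for the smallest fault combinations that leave only the mechanical trim link. This is an added example, not Airbus logic or code from the article: the article gives no hydraulic assignment for the SECs and no order between SEC1 and SEC2, so SEC hydraulics are not modelled and SEC1 is assumed to come first.

```python
from itertools import combinations

# Reconfiguration order as described in the article. SEC hydraulics (empty
# sets) and the SEC1-before-SEC2 order are assumptions, not from the article.
CHAIN = [
    # (computer, hydraulic systems its jacks use, stab trim motor(s))
    ("ELAC2", {"G", "Y"}, ("Motor 1",)),
    ("ELAC1", {"B"}, ("Motor 2",)),
    ("SEC1", set(), ("Motor 2", "Motor 3")),
    ("SEC2", set(), ("Motor 2", "Motor 3")),
]
BACKUP = ("mechanical pitch trim", ())
FAULTS = ["ELAC2", "ELAC1", "SEC1", "SEC2", "G", "Y", "B"]


def in_control(failed):
    """Return (controller, trim motors) for a set of failed units."""
    failed = set(failed)
    for computer, hydraulics, motors in CHAIN:
        # Assumption: a fault in any of the channel's hydraulics hands over.
        if computer not in failed and not (hydraulics & failed):
            return computer, motors
    return BACKUP


def min_faults_to_backup():
    """Smallest fault combinations that leave only the mechanical trim link."""
    for k in range(len(FAULTS) + 1):
        cuts = [set(c) for c in combinations(FAULTS, k)
                if in_control(c)[0] == BACKUP[0]]
        if cuts:
            return k, cuts
    return None, []


if __name__ == "__main__":
    print(in_control(()))            # normal operation
    print(in_control({"G"}))         # hydraulic fault on the ELAC2 channel
    print(min_faults_to_backup())    # size and members of the minimal cut sets
```

In this model no combination of fewer than four faults reaches the mechanical backup, which is the property the four-computer layout is there to provide.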

In the next Corner, we look at the flight laws for these controls and how to fix issues like uneven pitch moment curves at different parts of the flight envelope (which MCAS does).

23 Comments on “Bjorn’s Corner: Fly by Steel or Electrical wire, Part 5”

  1. An interesting corner as usual Bjorn.

    In another post, Transworld commented “I am betting a fire in the electrical compartment on a FBW would take that aircraft down”.

    I’d be interested to understand how a fire in the avionics bay is mitigated, or how the components, and systems in a FBW aircraft are located/routed to provide protection from fire.

    • I am seeing a mechanical trim system via the Elevator there so ??????

      It is so Machiavellian in its redundancy approach.

      Some higher order math seems involved.

      Bases look to be solidly covered

      Staying tuned.

    • Transworld doesn’t get the concept of ‘redundancy’ at the flight safety level. At a minimum there are triplicates of essential computer processors and controls including the connections to actuators. All in one avionics bay is 1960s thinking.

      • Duke:

        You do not speak for me. You are flat wrong (and I am being polite). Coming from an RR fanboy that is pretty rich. Siting and spouting stuff is not the same thing as having worked in the real world.

        I have seen too many cases where the so called safety was a paper safety and was not tested in the real world. While I do not fault RR nor the AHJs on engine blowups, the one that blew out the wing on Qantas A380 is a case in point. They made an assumption and it was based on good data. It just turned out to be wrong you could not have 3 major areas of impact on a wing in that specific case.

        There is only ONE main electronics bay on an aircraft.

        So, you can have all the paper isolation you want in there, but a real world situation could well turn out to prove that wrong.

        We have just seen a case where the AHJ (including the EASA) let 737s simulator change dramatically how the hand trim wheel works.

        I know of two fires where the suppression systems did not work as advertised.

        One was a Fuel Tank fire in the S.E. US that took all the foam in a 500 mile radius to squelch as the system did not work the way they “theorized”

        I also know of a hangar where it did not work and what saved it was the maint crew throwing in bypasses and extending the tank water for 8 hrs vs the 45 minutes it had.

        Unlike you I have worked in the real world where that stuff gets proven or proven totally wrong at times.

        So yes I question it. Unlike someone who thinks engines blowing up on the wing on a regular basis is a non issue.

        • I hope it will meet your thoughts:

          “12.3.1.5 Computer Architecture
          Each computer can be considered as being two different and independent computers placed side by side (see Figure 12.5). These two (sub)computers have different functions and are placed adjacent to each other to make aircraft maintenance easier.

          Both command and monitoring channels of the computer are simultaneously active or simultaneously passive, ready to take control. Each channel includes one or more processors, their associated memories, input/output circuits, a power supply unit, and specific software. When the results of these two channels diverge significantly, the links between the computer and the exterior world are cut by the channel or channels which detected the failure.”

          “Flight control computers must be robust. In particular, they must be especially protected against overvoltages and undervoltages, electromagnetic aggressions, and indirect effects of lightning. They are cooled by a ventilation system but must operate correctly even if ventilation is lost.”

          “12.3.1.6 Installation
          The electrical installation, in particular the many electrical connections, also comprises a common-point risk. This is avoided by extensive segregation. In normal operation, two electrical generation systems exist without a single common point. The links between computers are limited, the links used for monitoring are not routed with those used for control.

          The destruction of a part of the aircraft is also taken into account; the computers are placed at three different locations, certain links to the actuators run under the floor, others overhead, and others in the cargo compartment.”

          https://www.google.com/url?sa=t&source=web&rct=j&url=http://www.davi.ws/avionics/TheAvionicsHandbook_Cap_12.pdf&ved=2ahUKEwjjv6XzspzkAhWgTBUIHf4zBKAQFjAYegQIARAB&usg=AOvVaw2gEOENlT_2eruR6iEc13Kp

        • I don’t speak for you, but when others read your claims and think there is any truth to them, it’s a worry.
          “I am betting a fire in the electrical compartment on a FBW would take that aircraft down where as a 737 could land ..” was the claim.
          Why don’t you just say that it was a slip up rather than divert to other issues unrelated to FBW flight controls, like engines (which is full of unsubstantiated claims as well) and screw jacks?

          The Boeing 777 paper says
          3.1.1 Separation of FBW Components
          The separation is required for redundant flight control elements including LRUs, associated wiring and hydraulic lines to the greatest extent possible.
          General system/airplane design decisions for separation include the following:
          – multiple equipment bays for redundant LRUs,
          – physical separation of redundant LRUs,
          – flight deck equipment and wiring separation and protection from foreign object collision, and
          – separation of electrical and hydraulic line routing through airplane structure.

          An interesting point with the 777 having PFC and 3 separate computer processors from 3 different manufacturers with separate code and compilers (2 were written in ADA, the other in C). The original approach was to use 3 separate teams for coding, but that didn’t work out.

          “The development of the PFC software during the 7J7 program confirmed that the three separate teams, in order to code their logic from the requirements, were having to ask Boeing so many questions for clarification of the requirements that the independence of the three teams was irreparable compromised. This is the reason why Boeing elected to revert to the usual and customary method of creating and certifying flight critical source code.”
          https://globusmax.wordpress.com/2015/03/21/the-brains-of-a-boeing-777-simple-and-complex/
          Gee, I have to wonder about your private flying, when there is clear lack of understanding or wanting to be aware of your own limitations.

          • As noted, separation does not say or mean in the same bay, nor are the results tested, it’s all based on calibration.

            You might want to ask Boeing about what happened in their rear electrical DISTRIBUTION panel on the 787.

            Massive short and it did not begin to isolate the way it was engineered to do.

            So, assumptions are like pundits, lots of talk but have not been in the real world, been there, done that, got boxes of T shirts.

          • Separation does say that-
            “multiple equipment bays for redundant LRUs”
            What’s your understanding of ‘multiple equipment bays’?

            The 777 has something like 11 redundant ‘PFC units’ in its various equipment bays.
            There has been an incident with an Easyjet 737 which was ‘flown manually’ ( without hydraulics?) as part of its post maintenance flight check.
            An error in elevon rigging during maintenance meant it dived from 15000ft and exceeded Vmo by a 100kts !!
            https://aviation-safety.net/wikibase/58488

          • @TransWorld

            FBW is a safe and redundant methodology in case of fire because the system is dispersed all over the aircraft. No matter if it’s A, B or C aircraft. And jet fighters proved this in action.

            E.g.
            “12.3.1.6 Installation

            The destruction of a part of the aircraft is also taken into account; the computers are placed at three different locations, certain links to the actuators run under the floor, others overhead, and others in the cargo compartment.”

      • Yes, that was an issue with the Mitsubishi MRJ certification from memory.
        The avionics bay has issues

    • There are rules in the certification requirements that an event like the flooding of an avionics bay (from the aircraft’s water system), fire or flying debris from e.g. an uncontained engine failure should not stop vital systems from working (ref why the MRJ90 was delayed in certification recently). It means, in addition to redundancy there must be physical redundancy in the placement of vital boxes and routing of redundant wiring. The system architecture must also have several backup layers for a system like FBW. The SECs in the A320 are different hardware and software to the ELACs, they are also placed apart.

      • Thank you Bjorn.

        I presume that even though the 737 has been around since the 60s, it conforms to current standards regarding physical redundancy as you describe above.

        I read with interest a quote in “https://www.moonofalabama.org/2019/07/737-max-ruder-control-does-not-meet-safety-guidelines-it-was-still-certified.html” … the quote begins:

        F.A.A. managers conceded that the Max “does not meet” agency guidelines “for protecting flight controls,” …
        had to consider whether any requested changes would interfere with Boeing’s timeline. …
        “impractical at this late point in the program,” for the company to resolve the issue. …
        the decision was based on the safety record of the plane.

        If what is contained in the article is accurate, it’s troubling.

        Statistics are fine as long as the risk doesn’t change.

          • Whether this is an issue or not it does fully fall in line with my question on electronics bays.

            Is it ignored or ???

            We have seen cases where they assume a cable will never break (regardless of reasons) but we also have seen all too many cases where someone screwed up in things did break (AK Airline MD-80 off California)

            No redundancy to the jack screw because it can’t fail.

            Well it did because of human error.

      • Sounds like a monumental schoolboy error by Mitsubishi, but Airbus and Boeing fall for this sort of thing as well. AB, TP400 and A380 wiring, Boeing MCAS and ridiculous 788 development period. You can be fairly certain that in each case someone tried to speak up and stop it, only to be told to shut up and get on with it. This problem should be studied, it would save a fortune.

  2. Although not written in current regulations, certification authorities, specially EASA, are also demanding a Design Error Proof FBW architecture if you are giving full authority to the computers. Therefore, along with redundancy, you need dissimilarity where you don’t have a full analyzable and testable hardware.
    In every FBW program, they will issue an Issue Paper demanding this.
    Very robust design requirements verification process for the implement FBW functions is also demanded.

  3. Emirates Airbus A380 falls off Jack’s whilst changing landing gear damaging the rad dome door number 1 and landing gear.

  4. Thank you Bjorn for your columns. We do not get this kind of analysis and insight anywhere else.
