Leeham News and Analysis
There's more to real news than a news release.
Leeham News and Analysis
- Bjorn’s Corner: New engine development. Part 4. Propulsive efficiency April 19, 2024
- Boeing unlikely to meet FAA’s 90-day deadline for new safety program April 18, 2024
- Focus on quality not slowing innovation, says GKN April 18, 2024
- Boeing defends 787, 777 against whistleblower charges April 17, 2024
- Dissecting Boeing CEO’s statement next new airplane will cost $50bn April 15, 2024
Bjorn’s Corner: Fly by steel or electrical wire, Part 7.
By Bjorn Fehrm
September 6, 2019, ©. Leeham News: In our series about classical flight controls (“fly by steel wire”) and Fly-By-Wire (FBW or “fly by electrical wire”) we discussed the flight control laws which are implemented with classical flight controls compared with the Embraer E-Jet and Airbus A320 FBW systems last week.
Now we describe alternative FBW approaches, analyzing Boeing’s 777/787 system and Airbus’ A220 system.
Figure 1. Boeing’s 777 and 787 FBW system architecture. Source: Boeing.
The FBW systems for Boeing’s 777 and 787
The Boeing FBW system philosophy was developed with the 777, which entered service 1994. Airbus had presented their FBW philosophy with the A320 seven years earlier.
Boeing chose to not follow Airbus in how the FBW system interprets the Pilot’s intentions. It wanted a system which should feel like a classical mechanical system but with additional comfort and safety functions realized in its feedback FBW architecture, Figure 1.
The philosophy is the pilot is always in control and he can overload or stall the aircraft if he needs to in order to save the aircraft from a hazard. The FBW warns him, however, when he’s approaching the limits of the aircraft. The trim stops when he approaches very low or high speeds, so he needs to continuously push or pull the Yoke for speeds outside the normal. In addition, his controls get successively heavier as he approaches the aircraft’s limits. Finally, a stick shaker activates when approaching a stall.
The system does not auto-trim, the Pilot has to trim the aircraft to balance the aircraft for a certain speed. This is called the aircraft is speed stable (if the speed drops the aircraft dips the nose and regains speed). In general, the philosophy is the aircraft shall behave like the classical aircraft the pilot trained on to get his basic flying skills.
The 787 system has the same behavior as the 777 and by it, the aircraft can share Pilot type rating. I’ve been told the 787 introduces hard stall protection in pitch when in landing configuration. If so, this makes sense as when close to the ground hard protection from stalling the aircraft makes sense.
The A220 FBW system
When the Bombardier CSeries team designed the FBW for what today is called Airbus A220, they took the best ideas from Airbus and Boeing and put them together in their system. The FBW feels like a Boeing system in normal flight, with the Pilot needing to trim the aircraft for a certain speed. This trains the Pilot for an emergency where the FBW would fall back to direct mode.
“The A220 behaves like the Cessna 152 the pilot trained on. This put’s his muscle memory in the right mode if he gets in trouble and has to rely on direct FBW mode” said Chuck Ellis, the CSeries chief test pilot when I test flew the CS300 in Wichita, KS.
Different to Boeing, the CSeries team combined the “classical” FBW feel with envelope protections like the Airbus FBW. Here the team chose a clever principle, however.
Boeing’s argument for a Pilot in control is he shall be able to overload the aircraft if it’s needed to avoid a hazard. An Airbus FBW will stop the Pilot from overstepping the envelope limits of the aircraft, be it load factor, stall speed or over-speed.
The A220 allows the Pilot to overload the aircraft when in trouble, but only when he pulls the stick past an extra force limit, called a “Soft stop”. Then he gets a load factor in pitch above Limit load (the maximum load allowed in normal flying) but there is a “Hard limit” stopping him to pass Ultimate load (the strength limit of the aircraft at 150% of Limit load). By it, the team argued they leave the Pilot in control but the FBW stops him from breaking up the aircraft. If a Pilot pulls the stick past the Soft stop the aircraft needs a structural inspection before cleared to fly again.
When test flying the CSeries the two regions of the stick felt very natural. The normal region is for normal flying and the “hard to pull” region is for serious trouble. As I haven’t flown the Boeing FBW I can’t say what I like best of the different systems. Between the Airbus classic FBW and the A220 system, I feel the latter is the better approach.
The auto-trim of the Airbus FBW is very convenient and many FBW systems implement it (for example the Daussalt Falcon Biz jets). But it trains the muscle memory away from Direct mode flying of the aircraft. A trim for speed FBW is more work, but it retains the flying feel of a normal aircraft in the Pilot’s subconscious muscle memory.
In the next Corner, we take a look at the E-Jets second-generation FBW before we dig deeper into the safety aspects of flight control systems by discussing helper systems like the 737 MCAS system.
Little exercise:
“If a Pilot pulls the stick past the Soft stop the aircraft needs a structural inspection before cleared to fly again.”
Could we just assume this functionality present on the F-GFKC A320
and revisit the Habsheim crash?
Would it have turned things to the better or have made the crash worse?
It wouldn’t have made any difference. The AF296 crash would have happened to any other aircraft type, B737, C series, B777 given the pilots actions. The pilot, who was sentenced to jail for this crash a actually had his sentence increased on appeal. This was the A320s first flight with passengers: French journalists and their families. The idea of the flight was to be a spectacular slow flypast of a crowd lined up on a runway at 100ft with the A320 at high angle of attack to demonstrate its flight envelop protection. Bad planning was involved. When the aircraft came around it was found the crowd was instead lined up at a nearby grass strip. The pilot conducted a radical manoeuvre to line up on the grass strip so as to continue the display. To do that he disabled alpha floor and auto throttle. This now meant the aircraft FCS no longer acted to manage minimum flying speed. The copilot was issuing warnings to the senior company pilot (pilot flying) at this point. Unfortunately the grass strip was high ground surrounded by forest. A note here: Jet aircraft use spoilers to descend because apart from dumping lift the drag they create allows the engines to run at higher settings. Should a go around be required the spoilers can be retracted in an instant and the engines excess power available immediately. With alpha floor disabled the aircraft engines were near idle and might take nearly 9 seconds to spool up instead of 1.6 seconds had the alpha floor not been disabled. As the impending crash was becoming apparent the pilot tried to climb by pulling back on the side stick but the aircraft refused to because the aircraft was to slow to climb and alpha stall protection wouldn’t allow the nose any higher and the engines didn’t have time to spool up to increase air speed. Had the Airbuses systems not prevented it this pilot would likely have stalled the aircraft and worsened the crash. Although all aboard survived the crash 3 souls lost their lives to smoke inhalation: a disabled boy who could not escape and a little girl whose seat belt jammed and a woman who re-entered the wreckage to try to save the girl. The pilot essentially tried to blame airbus for stopping him from stalling the aircraft under the delusion that had he just been able to raise the nose that the aircraft would climb instead of stall.
I really can’t see the point of allowing a A220 pilot to partially over stress the aircraft. I can only imagine a collision avoidance manoeuvre.
I’m struggling to see how allowing a pilot to stall an airliner even in the most dire circumstances could ever be a a good thing.
My pondering s in all this is what proof does Boeing have that exceeding and Aircraft limits has saved and aircraft?
As a former Technician/Engineer (no letters with the E part), I always strove to hit management that without data we were simply guessing.
Equally good questions, how many pilots are Chuck Yeager that really know how to fly (the best of the best as it were) ?
I have come to be biased to Airbus take vs Boeing.
I tend to black and white so am not bought into the C series approach.
@Grubbie
@TransWorld
When you see falling meteorite you can then exceed the envelope or escape from a falling skyscraper (I saw it once in 2012, not year, a movie). Guess I also struggle to imagine how exceeding limits would save any commercial airliner in practice. Maybe it’s kind of placebo for pilots fears.
February 1959: Pan Am Flight 115, a Pan American World Airways Boeing 707, upset and went into a high-speed dive while cruising over the Atlantic at flight level 350. Control was not recovered until reaching 6,000 ft. After landing safely at Gander, extensive structural damage was found, but there were only a few minor injuries. The Captain was in the cabin when the autopilot disconnected without adequate warning to the First Officer, who was distracted with a “howgozit” report form. It wasn’t until the first officer felt the stall buffet that he realized they were descending rapidly and about to turn upside down. He was unable to level the wings. Fortunately, the Captain was able to return to the cockpit and strap into his seat while enduring significant G-forces. He took over the controls, leveled the wings and pulled out of the dive.[15]
China Airlines Flight 006 (callsign “Dynasty 006”) was a daily non-stop flight from Taipei to Los Angeles International Airport. On 19 February 1985, the Boeing 747SP operating the flight was involved in an aircraft upset accident, following the failure of the No. 4 engine, while cruising at 41,000 ft (12,500 m). The plane rolled over and plunged 30,000 ft (9,100 m), experiencing high speeds and g-forces (approaching 5g) before the captain was able to recover from the dive, and then to divert to San Francisco International Airport.
Now do the same careful research for situations where over stressing the airframe went not well and caused crashes.
I presume that an Airbus wouldn’t allow the mishandling that caused the upsets in the first place. In the Airtanker A330 incident(where the pilot got his camera caught in the controls) the computer intervened to save the aircraft from a terminal dive.
I believe that Captain Sullenberger did try to stall his A320 for the last few feet in order to get the landing speed as low as possible, but the computer wouldn’t let him.
@Bubba
I would say that in those two examples lack of FBW limitations didn’t help at all, I would say it made even worse because allowed to aircraft to enter into dangerous conditions.
@Grubbie
In Sully case I think better was that FBW didn’t allow to stall aircraft, even it would eventually to lower speed, but would cause easily that aircraft would hit uneven to the water and be badly damaged.
Seattle times 5th amendment article, cover up quacking like a duck.
This is what happens when an accident investigation becomes a criminal probe. It stifles investigations. This is shameful.
Normally I agree. But in this case I think everyone already knows MCAS was at fault in the two accidents — would be shocking if investigators learned otherwise. So the question is whether the decisions Boeing made to cause these accidents were merely grossly negligent, or were criminally negligent.
I’m with you on this. Whatever the problems with MCAS and training and documentation around it the two fatal crashed not caused by deliberate indifference to human life or for instance fraudulent certification (signing of on checklists or tests that hadn’t been performed). I’ve been involved in two many root cause analysis on industrial incidents to believe this. I’ve always been stunned by how miscommunication, ambiguity and mistaken assumption or interpretation have lined up the holes is the swiss cheese slices.
The problem is that witnesses become reluctant to reveal information that might implicated them even though it would be helpful in understanding the accident. Furthermore witnesses are reluctant to reveal information that might embarrass a colleague because they feel empathy for that colleague or fear the reprisal. It messes up quality control in the same way. As Demining said “blame the system not the people”
I’m not sure how this is handled in the US (Grand Jury, DoJ, FBI) but in a Commonwealth country it might be handled by either a coronial inquest, commission of inquiry or the sledge hammer royal commission. Neither is criminal in nature but criminal charges can come out of evidence discovered or for deliberately lying or misleading. The royal commission can compel witness’s to appear before the commission and the commissioner can wire tap, spy or intercept mail at its own discretion.
I remember the “Harold of Free Enterprise” capsizing in the English Channel. The Judge put that down that deadly capsizing to ‘organisational ambiguity’. A seaman had noticed that the ramp had not been closed properly but he had another job to do and knew that checking the ramp was the job of another sailor. Unfortunately that sailor had been called away on other duties.
I agree, my experience is that it’s far more likely to be aligned deficiencies in the process, than someone deliberately or knowingly wanted to place lives in danger. Confirmation bias also plays a role, data are interpreted in the way that most benefits the goals, and the goals can be as simple and seemingly unharmful as getting things done.
Transworld mentioned the Macondo / Deepwater Horizon incident in a previous article, that is an excellent case study in confirmation bias and the alignment of many factors to cause a disaster.
Medical doctors have review procedures to get to the critical truth among themselves. Boeing should similarly have a mechanism to come clean about what happened internally, and hopefully will do that with aviation authorities.
The Seattle Times have run a few articles on this that indicate what probably happened, based on background reporting, that seems plausible. The role of MCAS was expanded and altered to address a new problem during flight testing, but the safety analysis based on the original problem continued to be used, when it was no longer appropriate.
This should have been caught but wasn’t, not by Boeing or by the FAA or by test pilots or by engineers or by programmers. Each group working on their own piece, assumed the original safety analysis covered the new role or would be reviewed by others, but no one actually did this or followed up to see it was done.
If it had been done, the deficiencies would have been obvious. As it was, MCAS got lumped into the trim system and the runaway trim checklist, but the malfunctioning MCAS behavior would not have been obvious or recognizable to most pilots.
It’s pretty easy to see the ‘failure’ chain. As for the root cause: was it the decision not to install a modern B787 based FCS on the 737 MAX or not design a new aircraft back in 2011? Was it the decision (or impossible directive) to maintain type rating with the 737NG which forced the elimination of all new alerts and alarms as this would require retraining? That in itself meant that MCAS could have no alarms to inform the crew that it had inhibited itself due to sensor disagree which compelled them to use only one sensor so that fault would manifest as pseudo stabiliser run away. This was OK when the trim rate was 0.6 degrees per second for 5 seconds not 2.5 for 9 seconds, Was the problem the architecture, philosophy and software of the system which prevented the sensors from talking to each other in all scenarios. Was the root cause the reduction in manual trim wheel size on the NG series back in the 1990s to make way for new displays and keypad consoles.
Sorry, I desagree – there is a line between no-blame-air-investigation culture and a simple responsability for own actions – and clearly people in Boeing crossed this line far away.
Someone had to propose, order, revise and approve MCAS – or not did his job properly at least or undertook a decision to close one eye and gave a green light.
In the US it needs to be kept out of the criminal sphere to prevent people from “taking the fifth”.
In Canada it is handled differently, witnesses can be compelled to provide evidence that incriminates them but that testimony can’t then be used in an action against them. This applies to witnesses in a number of kinds of proceedings, criminal and civil.
http://www.aclrc.com/section-13
“witnesses other than an accused can be (and often are) compelled to appear in Court and give evidence. Section 13 of the Charter protects these witnesses who are compelled to give evidence. It ensures that these witnesses cannot have that any compelled incriminating evidence used against them in later proceedings. In other words, it is a bargain struck between the Crown and a witness being forced to give evidence – the Crown can compel the witness to answer incriminating questions, but in exchange, they cannot use that evidence to incriminate the witness in subsequent proceedings”
So defacto immunity.
In the US it’s negotiated separately, but often is done. Even when the one testifying thinks they did nothing wrong/illegal their lawyer asks for immunity for protection. Could be they didn’t realize it was criminal, or just to prevent prevent the headaches/costs of prosecution.
Interesting series. At some point you wonder about all the complexity put in place (feedback forces, keeping muscle memory, etc) just for the pilots, when the ultimate goal is the plane.
Wouldn t it be simpler/safer now to have planes without pilots ? At least no suicides… Perhaps a future corner?
Are driver-less cars safer than cars with drivers?
https://www.itgstextbook.com/case-study-2019-driverless-cars.php
I think it depends on who’s driving… That is a 16 year old driver, or a sober experienced driver on a clear day. A driver-less car programmed by the 737-MAX MCAS programmer (ok, I’m making a lot of assumptions here, in trying to make a point, by ‘programmer’ I’m meaning the entire Boeing system that conceived, designed, tested and implemented MCAS) or a driver-less car programmed by a more experienced programmer?
the MAX case is not really about experienced or not.
It is about ignoring/forgetting intentional or not
basic design principles that are decidedly “state of the art”.
This is conceited arrogance. We can do no wrong”
There is nothing unfortunate or unexpected about it.
From what Ive heard that data is in and self driving cars are 16 times safer than manually driven. The real reason it will happen is the potential increase in traffic flow. I imagine a doubling in traffic flow and a halving in fuel consumption. There will be no energy or time wasted braking and idling at traffic lights. Vehicles will simply coast to a slower speed to let cross traffic flow. The vehicles will form closely separated ‘trains’ that will take up less road space. Pilotless aircraft will begin with delivery drones, move up to air taxis with a ‘pilot’ to take care of the problem of a child running out onto the landing pad and then be eliminated. At some point the technology will make it to large jets.
The best thing about designing fully automatic systems that don’t need a pilot (but will probably be given one) is that it will stop the laziness and ‘good enough’ approach we see in aviation where failures of instruments and controls are meant to be handled by reversion to a pilot. If there is no pilot they’ll have to get the automation right. Humans are good problem solvers but they are slow. Take the case of AF447 whereby speed sensors froze and the crew were startled and stalled the aircraft. There was more than enough information for the autopilot to continue flying. There was 3 dimensional position and velocity data from the GPS and Inertial Navigation System. That can infer dynamic pressure. The INS would also provide acceleration and therefore calculation of cross/head wind. Engine thrust and control surface settings were all known. Furthermore reliance on a human pilot as backup means not enough redundancy is built in. There should be more pitot static tubes and a diversity of alpha sensors of both vane and pressure nulling type. Architecture should be triple/quadruplicated as is used in spacecraft. It’s just no good enough yet. The 1 failure in ten million is also not good enough given both the A320 and B737 have accumulated 12 times that standard.