Newsgroups: comp.risks
X-issue: 7.67
Date: Tue, 25 Oct 88 00:55:22 EDT
From: attcan!utzoo!henry@uunet.UU.NET
Subject: Airbus A320 in service

The 3 Sept issue of Flight International has a feature article about early
operational experience with the A320.  Apparently everyone has been rather
surprised that many of its teething problems have little to do with the
electronics.  Spare parts, in particular, have been somewhat of a problem.

One thing the airlines are quite happy with is the Centralized Fault
Display System, which keeps a running log of all in-flight problems for
scrutiny by the maintenance crews.  Both British Airways and Air France
plan to link the CFDS to a communications system, so that faults can be
reported from the air and spare parts can be waiting when the aircraft
lands.  At present, the written engineering log is still the official
and legal record of in-flight problems, but after some more experience
with CFDS this may be reconsidered.  There are still occasional bugs in
the CFDS software, but things are getting fixed.  The airlines say that
CFDS has been a major factor in keeping a new airliner running unusually
well.

The fly-by-wire flight controls have behaved perfectly.

The engine-control computers likewise have a flawless record, although
at one point Air France replaced a number of them due to what seems to
have been a misunderstanding about the location of some problems.

Power spikes caused by the cutover from ground to onboard power have
been a headache, as they tend to trigger bad-power-supply detectors in
the computers.  These problems invariably happen on the ground, not in
flight.  Work is underway on fixing them.  Many of the computers
affected are in very minor control roles; a particular trouble spot has
been the microcomputer-controlled vacuum toilets chosen by Air France.

The biggest problem for both airlines is a set of design and manufacturing
flaws in the air-conditioning units, combined with shortage of spares.
Computers are not involved in this one.

Both airlines have a low opinion of the software in the Cabin
Intercommunication Data System, which controls cabin lights, signs, speakers, and
entertainment.  Both agree that the idea of the system is good and want
to see it operational, but the suppliers simply did not have production-
quality software ready in time.  "A kid could have written the software
for the CIDS", says BA, but in fact the current [3 Sept] software simply
does not work and BA has been bypassing it almost entirely.  The main
problem is frequent intermittent malfunctions.

Spare flight computers are still being carried on each flight, but this
is routine for major no-go items on new airliners.  Airbus says that
there is now enough experience to justify dispatching an A320 with one
of its seven flight-control computers dead; the original rule required
all to be functioning.  Airbus is still working on "tidying up" the
flight-control software's responses to situations where the aircraft
has gone outside the normal flight envelope involuntarily, e.g. from
collision damage or sudden severe turbulence.  Assorted "nice to have"
features are also being implemented now that the schedule pressure has
relaxed.

The only change in Air France operating procedures since the airshow
crash has been a firm policy that airshow appearances will not carry
passengers henceforth.  The wreckage is being studied for lessons to
be learned; the Flight article observes that a crash into a mature
forest killed only three out of 136 people.  Of note are signs that
the floor-level emergency lighting system may not have turned on
properly, and the failure of the hand-held megaphone's mounting bracket
at rather less than its rated 9G.

The 24 Sept issue reports that the pilot of the airshow crash has been
fired, with the copilot's status yet to be decided.  A recent report by
the French civil aviation authorities contains the first independent
confirmation that the accident was caused by pilot error.  (The pilots'
union, of course, contests this.)  The report recommends an eight-year
suspension of the pilot's licence, and a two-month licence suspension
for the copilot.

"Officials familiar with the flight recorder evidence say that despite
the pilots' assertion that the aircraft was slow in responding to the
controls, the flight control computers probably prevented a worse
disaster by keeping the aeroplane unstalled when the pilots realized
too late that they were about to crash."

                                     Henry Spencer at U of Toronto Zoology
                                 uunet!attcan!utzoo!henry henry@zoo.toronto.edu


Newsgroups: comp.risks
X-issue: 7.71
Date: Sun, 6 Nov 88 02:08:09 EST
From: attcan!utzoo!henry@uunet.UU.NET
Subject: Re: A320 update

>Henry Spencer's recent article on the A320's first six months in
>service states that the fly-by-wire system has "behaved perfectly."
>It should be noted, however, that the article he was referring
>to clearly pointed out that there were failures of the primary 
>flight guidance computer, which were rectified by backup systems.

Hardware failures, dealt with by backup systems, happen even in non-
computerized aircraft.  With substantial frequency, in fact.  This did
not seem worth mentioning.  As nearly as I can tell from that article,
and the later ones, there have been no major *software* problems in the
flight-control software... which is what everyone was worried about.
Hardware failures are to be expected.

>I find Ziegler's rationale for the failures of the A320 somewhat 
>disturbing.  With only a handful of airplanes in service, for any
>significant percentage of in-flight or on-ground failures to occur,
>and then say it should be compared to the massive fleets of existing
>aircraft, is to obfuscate the issue.

How so?  Note that he is citing *percentages of flights* delayed, not
absolute counts; fleet size is irrelevant except insofar as statistics over
a small fleet are less precise than over a large fleet.  His comments
about media attention are more dubious in this regard, since occasional
failures in a small fleet are indeed more significant than the same
failures-per-day rate would be in a large fleet, but even there I think
he's got a point:  if ten 747s fail per day, nobody cares, but if an
A320 fails once every two weeks, it's a scandal.

>His confidence in the A320's backup electrical systems is also rather
>odd, considering the airplane's susceptibility to transient controls,
>and his company's failure to provide even a mediocre cabin lighting
>control system.

Notice that the transient problems are (as far as I've heard) all in
non-critical support systems, and the cabin-lighting-control problem is with
a subcontractor, presumably not the same people who did the main electrical
system.  Agreed that Airbus is responsible in the end, but the implication
that these problems spill over into more critical systems seems unjustified.

Henry Spencer at U of Toronto Zoology               uunet!attcan!utzoo!henry


Newsgroups: comp.risks
X-issue: 9.75
Date: Thu, 15 Mar 90 14:52:31 EST
From: henry@zoo.toronto.edu
Subject: Re: Airbus Crash: Reports from the Indian Press

>   A technical committee armed with comprehensive terms of reference
>   began a probe into the whole Airbus affair last week.  ...

Interestingly enough, it looks like somebody in authority at least suspected
that the results would be embarrassing to the airline (i.e. mismaintenance or
pilot error rather than technical problems).  Normally, in such an accident
investigation, the airworthiness authorities of the aircraft's country of
origin -- i.e., the people who first certified the thing as flyable --
are involved, and the manufacturer is at least kept informed.  Aviation
Week reports that India refused European airworthiness authorities' request
to participate, and also refused information requests from them and from
Airbus Industrie.

                                    Henry Spencer at U of Toronto Zoology
                                uunet!attcan!utzoo!henry henry@zoo.toronto.edu


Newsgroups: comp.risks
X-issue: 9.79
Date: Mon, 2 Apr 90 00:06:35 EDT
From: henry@zoo.toronto.edu
Subject: Indian A320 crash

One of the bigger problems in assessing the A320 is that almost everyone
has vested interests to protect.  Most European aircraft manufacturers
are involved in building it, so they (and their governments) want it to
be a commercial success.  Their US competitors (and their government)
would prefer it to be a commercial failure.  Pilots' unions often oppose
it because it is a 2-man-crew aircraft replacing 3-man-crew planes.  And
so on.  The relevance of this to the Indian crash is that India, lacking
its own facilities for reading modern crash recorders, sent the A320's
recorder to Canada for analysis.  They chose Canada specifically because
it has no vested interest in the A320!

Incidentally, the latest word in Flight International (21 March issue)
is that informal reports -- admittedly thirdhand -- claim the approach
was being flown at an excessively low speed, 106 knots as against a
recommended speed of about 130 at that point, just before the crash.

                                Henry Spencer at U of Toronto Zoology
                                uunet!attcan!utzoo!henry henry@zoo.toronto.edu


Newsgroups: comp.risks
X-issue: 9.82
Date: Thu, 19 Apr 90 00:23:29 EDT
From: henry@zoo.toronto.edu
Subject: A320 news

The latest A320, um, news, from Flight International 14 March...

As most readers know, the official conclusion of the inquiry into the first
A320 crash (the airshow at Habsheim in 1988) was pilot error: they were flying
too low and too slowly with engines at very low power, and increased power too
late to avert the crash.  This was corroborated, in detail, by the flight data
recorder and cockpit voice recorder.

The pilots have recently been charging that the FDR and CVR recordings were
tampered with by the investigators.  The last straw, apparently, came when the
pilots' lawyer asked India's prime minister to keep the French investigators
away from data on the Bangalore crash on grounds that they might tamper with it
too...

The French Minister of Transport, his Director of Civil Aviation, and the head
of the accident-investigation office are suing the pilots for libel.

            Henry Spencer at U of Toronto Zoology       uunet!attcan!utzoo!henry


Newsgroups: comp.risks
X-issue: 10.04
Date: Sun, 3 Jun 90 23:58:50 EDT
From: henry@zoo.toronto.edu
Subject: Glass cockpits (A320, etc.)

The April 30 issue of Aviation Week has a couple of interesting small
items about computerized airliners and "glass cockpits".

The first is a news item:  Airbus Industrie is considering alterations
to the A320's flight software to help guard against "overconfidence
syndrome", which they consider a significant factor in the Habsheim
and Bangalore crashes.  One possible change is upgrading the automatic
throttle management of the "alpha floor" protection mode to guard
against descents with inadequate thrust.  "Alpha floor" already runs
the throttles up automatically in emergencies like encounters with
serious windshear or maneuvers to avoid collisions.  Says Bernard
Ziegler (Airbus VP Engineering):  "The alpha floor was never designed
to save a crew that had been improperly managing a normal approach,
but we now are thinking of modifying it to serve as one more safeguard.
Such a modification will not make it a 100% safeguard, but it could
offer an additional safety margin."

The second is a background piece on the poor state of research in glass-cockpit
human factors (for example, NASA Ames, a major center of work on such things,
has no simulator representative of modern cockpits).  Hart A. Langer (United
Airlines VP flight operations) says that flight-management-system CRTs act as
"cockpit vacuum cleaners -- they suck eyeballs and fingertips right into them.
I have given check rides on these aircraft and seen four eyeballs and ten
fingertips caught in two [displays] at the same time.  This is bad enough at
cruise altitude, but it can be lethal in the low-altitude terminal area..."

               Henry Spencer at U of Toronto Zoology uunet!attcan!utzoo!henry


Newsgroups: comp.risks
X-issue: 10.49
Date: Wed, 10 Oct 90 12:39:31 EDT
From: henry@zoo.toronto.edu
Subject: Re: Equinox on A320 (UK Channel 4, Sun., 30th Sep)

>- The DFDR recording stops 4 seconds *prior* to impact with the trees. (Davis
>  added that, in his entire career, he had *never* come across a similar
>  instantaneous stoppage of a recorder.)

Is it possible that Davis is not familiar with *digital* flight recorders?
I've seen some commentary on such an issue in the aviation press recently:
the underlying problem is that some (all?) digital flight recorders buffer
incoming data in semiconductor memory, which loses its contents on power
failure.  The airworthiness authorities are starting to be seriously
displeased with the potential for loss of crucial data, and there are
mutterings about requiring non-volatile memory.

I don't know for sure that this accounts for the above claim, but it
certainly sounds like the right sort of symptoms.

(Would a simple explanation like this go unconsidered?  Quite possibly,
especially in the context of a media story whose basic slant is "dirty
work at the crossroads".  As I've commented before, there is a problem
with the A320 business in that almost all participants have axes to
grind and it is very difficult to get a balanced view.  The media are
not exempt from this, since sensation sells and boring truth doesn't.)

     Henry Spencer at U of Toronto Zoology  henry@zoo.toronto.edu  utzoo!henry


Date: Fri, 16 Aug 91 13:01:03 CDT
From: rdd@cactus.org (Robert Dorsett)
Subject: A320 revisited

[This is a re-worked sci.aeronautics reply to a comp.sys.mac.programmer post.
It's somewhat relevant in its RISKS-of-RISKS aspects...]

And Mr. Finnegan wrote:

  >The Airbus suffers from what many software safety experts consider a major
  >design problem - it uses redundant flight computers and a polling computer
  >to pick the 'majority' answer to each input (I forget the technical term
  >for this theory -- it's been way too long since I've been immersed in stuff
  >like this in school/industry).  This system is used because some CS people
  >think polling can replace stringent software testing - if 5 s/w teams all
  >write code to the same spec and test just a little, the polling computer (if
  >it is calibrated properly - another issue) statistically should be able to
  >deduce the proper answer and weed out any incorrect input.  Needless to say
  >many experts aren't convinced.

The A320 flight control system is comprised of five computers: two elevator and
aileron computers (ELAC) and three spoiler and elevator computers (SEC).  The
computers use diverse software and hardware implementations: the ELACS are
based on the 68000 and Pascal, the SEC's on the 80186 and C.  At any one time,
there is *one* and only one "hot" computer, and one standby computer.

Each computer is actually a combination of two "channels," one microprocessor
driving each channel.  One such channel is a "command" channel; the other is a
"monitor" channel.  Each is responsible for guaranteeing the output of the
other.  The command channel was written in a high-level language; the monitor
channel was written in assembler.

The ELACS are the higher-level computers, providing all the functionality
associated with the complete FBW pilot interface (there are four distinct direct-
control flight modes the A320 can be in).  ELAC1 is the primary computer.
Graceful degradation is accomplished, going from ELAC1 to ELAC2 to SEC1 and so
forth.  The SEC computers provide a "direct" control law, in which sidestick
deflection more or less correlates to control surface movement.  SEC3 only
controls roll.  The pilots can also command switching from one computer to
another.

Various means (checksums, range tests, time-outs, etc) are used to determine 
computer robustness.  If the checks fail, the computer takes itself off-line.

SEC and ELAC development teams were isolated, and prevented from communicating
with one another.  This was intended to prevent teams from "contaminating" each
others' code with common approaches.  Any problems theoretically will only
arise from the *specification,* although it's entirely probable that each team
opted for similar approaches to solving problems.

The software and hardware verification regime was performed in accordance with
EUROCAE/ED-12A.  This is virtually identical to RTCA/DO-178A.  The overall
system design is fault-tolerant.

Considering the need for hardware and software diversity, I really can't see a
credible way of implementing this thing, other than a loosely-coupled,
asynchronous network--which precludes anything much more sophisticated than
polling by client services.  In general, the A320 Electronic Flight Control
System (EFCS) is a bit too complex to be condemned by a broad statement that it
uses "polling."  The A320 does not use a "judging" computer such as you
describe; clients are partially responsible for minor things such as parity or
range checking on the single inputs from the currently active flight control
computer.

What you seemed to be indicating is more akin to how the *Space Shuttle* works,
i.e., having a "majority rules" system of verifying hardware integrity.

  = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = 

I suppose I should put a big caveat on all my gripes about the A320 over the 
past three years: yes, I do think the airplane is unsafe.  But no, I do not 
believe that slipshod work went into its design and construction.  There is 
much to suggest that the design of the A320 EFCS represented a quality control 
system unprecedented in the industry, and which utilized the best techniques 
of the time.  One might quibble with some isolated aspect of it, but the 
overall approach was sound.

My major problem with the *reliability* aspect of the system is Airbus's claim 
of being able to satisfy the "one catastrophic failure every million hours" 
clause for flight control systems in the Federal Aviation Regulations.  Airbus 
can't prove it.  Moreover, the FAA requirement for the 1e-9 figure explicitly 
does *not* apply to flight control *software*, even though it applies to 
flight control *systems*.  Draw your own conclusions.  

There is also sufficient cause to doubt even our best software engineering 
techniques.  This is an issue that many people like to ignore, assuming that,
of course we can produce "perfect" software; if it doesn't work, then somebody
must have screwed up.  NOT true.

IMHO, this sort of thing doesn't belong in a civilian airliner--yet.  Airbus 
proudly points to its revolutionary airplane, but *revolutionary* anythings 
are rarely well-understood.  Related effects of their decision to use FBW--
namely, in the form of the pilot interface--will cause other problems.

But Airbus set a precedent, and created a marketing force in the process.  
Now, other companies have to raise the stakes, too, or risk losing market 
share.  Airbus is extending the A320 EFCS model to include the A330 and A340; 
Boeing's developing a "tower" (geographically localized hardware) system for 
the 777. 

Lastly, there *is* a lot wrong with the A320.  But I'm also noticing a lot of
scapegoat-bashing going on.  The A320's problems are fairly well defined, and
need to be corrected.  Let's NOT assign our favorite software-engineering
pet peeve, arbitrarily, to such a large and accessible target.  I'm not 
addressing this to you in particular, Greg; it's become pretty frequent over 
the past few months.   

Robert Dorsett rdd@cactus.org ...cs.utexas.edu!cactus.org!rdd
[References available on request.]
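
The command/monitor pairing and the ELAC1 to ELAC2 to SEC1 degradation described in the message above, as an added Python sketch that is not part of the original post and not Airbus code. The control laws, gains, limits and tolerance are constructed values, SEC2 is assumed for the post's "and so forth", and each SEC reuses one function for both channels for brevity.

```python
"""Toy model of the scheme described in the post: self-checking command/monitor
pairs in a fixed priority chain, with no voting computer.
Gains, limits and tolerances are constructed values, not Airbus data."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SURFACE_LIMIT_DEG = 30.0    # constructed bound for the range test
AGREE_TOLERANCE_DEG = 0.5   # constructed command/monitor tolerance
Law = Callable[[float], float]  # sidestick deflection (-1..1) -> surface order (deg)

def full_law_a(stick: float) -> float:
    """Constructed 'full' law: gain 25, protected to +/-20 degrees."""
    return max(-20.0, min(20.0, 25.0 * stick))

def full_law_b(stick: float) -> float:
    """Same constructed spec, written independently (the monitor channel)."""
    order = 25.0 * stick
    if order > 20.0:
        return 20.0
    if order < -20.0:
        return -20.0
    return order

def full_law_unprotected(stick: float) -> float:
    """Implementation bug: the +/-20 degree protection was left out."""
    return 25.0 * stick

def full_law_wrong_spec(stick: float) -> float:
    """Specification error: gain 35 instead of 25, implemented faithfully."""
    return max(-20.0, min(20.0, 35.0 * stick))

def direct_law(stick: float) -> float:
    """Constructed 'direct' law: surface order proportional to stick."""
    return 30.0 * stick

def dead_channel(stick: float) -> float:
    """A channel that produces nothing in time."""
    raise TimeoutError("no output from channel")

@dataclass
class Computer:
    name: str
    law: str
    command: Law
    monitor: Law
    online: bool = True
    fault: Optional[str] = None

    def step(self, stick: float) -> Optional[float]:
        """Return a surface order, or None once the computer is off-line."""
        if not self.online:
            return None
        try:
            cmd, mon = self.command(stick), self.monitor(stick)
        except TimeoutError as exc:
            return self._trip(f"time-out: {exc}")
        if abs(cmd) > SURFACE_LIMIT_DEG:
            return self._trip(f"range test: {cmd:.1f} deg")
        if abs(cmd - mon) > AGREE_TOLERANCE_DEG:
            return self._trip(f"channels disagree: {cmd:.1f} vs {mon:.1f} deg")
        return cmd

    def _trip(self, reason: str) -> None:
        # Latched: the computer takes itself off-line and does not return.
        self.online, self.fault = False, reason
        return None

def surface_order(chain: List[Computer], stick: float
                  ) -> Tuple[Optional[str], Optional[str], Optional[float]]:
    """Use the first computer in priority order that passes its own checks."""
    for computer in chain:
        order = computer.step(stick)
        if order is not None:
            return computer.name, computer.law, order
    return None, None, None

def build_chain(elac1_command: Law = full_law_a,
                elac2_monitor: Law = full_law_b) -> List[Computer]:
    # Pitch-axis chain; SEC2 stands in for the post's "and so forth" (assumption).
    return [
        Computer("ELAC1", "full", elac1_command, full_law_b),
        Computer("ELAC2", "full", full_law_a, elac2_monitor),
        Computer("SEC1", "direct", direct_law, direct_law),
        Computer("SEC2", "direct", direct_law, direct_law),
    ]

if __name__ == "__main__":
    # The missing protection is latent at half stick and trips ELAC1 at full stick.
    chain = build_chain(elac1_command=full_law_unprotected)
    for stick in (0.5, 1.0, 0.5):
        print(stick, surface_order(chain, stick), chain[0].fault)
    # A specification error shared by both channels passes every check.
    wrong = [Computer("ELAC1", "full", full_law_wrong_spec, full_law_wrong_spec)]
    print(surface_order(wrong, 0.5), wrong[0].online)
```

The last case is the post's point about the specification: both channels agree on 17.5 degrees where the constructed spec calls for 12.5, so neither the cross-check nor the range test fires.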


Date: Mon, 3 Feb 92 21:45:25 CST
From: rdd@cactus.org (Robert Dorsett)
Subject: Contribution on A320 FMSs

It's apparent that some people don't have a clear idea of how the A320's
automation is set up.  This has been a problem with net discussions for the
past couple of years, but it's not getting any better.  There have been
numerous comments attributing what are clearly flight management problems to
the electronic flight control system (FBW): given the notoriety of the A320
(and its FBW) in the academic community, it has been assumed that other
problems are unique to it.  Many are not.

Following is an attempt to explain what flight management on the A320 is, how
it differs from FBW, and how it compares to other airplanes (such as the 757).
Issues pertaining to the Strasbourg crash appear about 2/3 through. A glossary
for the (necessary) alphabet soup follows at the end.  Manufacturers each tend
to use their own proprietary jargon; in light of that, I've tried to keep the
discussion as generic as possible.

First, the physical concept of "autopilot" is obsolete on the A320.  Instead,
Airbus uses a "Flight Management and Guidance System" (FMGS).  A more generic
term for this is a flight management *system* (FMS).  Note the emphasis on
*system*.

An FMS is a way to accomplish four major goals:

        o  Control the flight path of an airplane, in four dimensions,
           from takeoff to landing.

        o  Make sure that this is done as profitably as possible.

        o  Provide high-level services to flight displays and other
           systems.

        o  Eliminate many of the "book-keeping" roles in the operations
           environment, traditionally performed by a flight engineer.

An FMS has many components, the most important of which are:

1.  A Flight Management Computer (FMC).  This does all the thinking.  It
derives data from many sources, such as air data computers.  On the A320, many
input services are partially integrated into the FMS proper.  An A320 has two
FMCs.

2.  Inertial Reference System (IRS) units.  These are what Inertial Navigation
Systems (INSs) have evolved into; when combined with an FMC, they lead to more
features, and are more reliable.  They provide position information to the FMC.
The FMC has the capability of automatically tuning in VORs and DMEs and
verifying the aircraft location, thus correcting for en route precession error
in the IRS.  There are three IRSs on the A320.

3.  A Control Data Unit (CDU).  This lets the pilot enter a variety of abstract
data, such as the flight number, what the intended route of flight is,
preferred cruising altitudes, navaids and fixes to use, etc.  The FMC is able
to relate all this to an internal database of airports and navaids, and provide
a number of convenient features.  Using this--as well as features which amount
to being a glorified performance calculator-- the pilot can sketch out a
relatively profitable trip.  There are normally two CDUs on the A320, one for
each pilot.

As the first of many asides, at least one recent poster has implied that the
FMS interface is similar to that of an INS, which it isn't.  The pilot
generally does not deal with lat/long numbers, so the potential for a KAL 007
sort of mismanagement is minimal: he deals with gate numbers and four-digit
ICAO mnemonics for the airport at hand (but mistakes are still quite common).
Some airlines have card readers that feed everything in automatically: the
pilot need only verify the flight plan.  This process, too, is different from
the INS.  The user does not normally view the navigation product of the FMS
through lat/long readouts on the CDU.  Instead, a navigation display shows a
plan view of aircraft position, in a variety of scales and formats.  The use of
the CDU is required when any changes to various types of abstract data are
made.

4.  A Flight Control Unit (FCU).  This is what confuses a lot of people.  The
FCU is where the autopilot interface used to be in older airplanes, such as the
747-200.  It looks a lot like it as well.  It is used for selecting short-term
features of the FMS, especially heading hold, altitude capture, rate of
descent, and autothrottle.  The FCU's similarity to an old-fashioned autopilot
interface is intentional, but, again, it's just an interface to the FMS.  This
concept is extended to other input devices in the cockpit.  The frequency
selectors on the radio panels, for instance, serve as user-friendly input
mechanisms for the FMS.


Autopilots (until the advent of FMSs) traditionally have been structured
around the pilot commanding short-term actions, which the autopilot then
faithfully executed.  This frees the pilot to adopt a more supervisory role: he
can deal with ATC, systems, track weather better, etc.  It is also generally
less fatiguing than hand-flying.  Airbus classifies traditional autopilot
management as "selected" control.

FMSs also provide such short-term capability (via the FCU).  But the FMS can
be set to meet all the waypoints and clearance altitudes *automatically*,
without any significant interaction needed from the pilots on the CDU or FCU.
Airbus classifies this as "managed" control.

In effect, with a properly set-up FMS, the pilot can plan a flight from takeoff
to landing.  After lining up the airplane on the runway, he can just turn loose
the FMS, which then flies the airplane, requiring minimal crew interaction.
The system can then take the airplane through a category III landing (700 feet
runway visual range).  Of course, air traffic control is rarely so obliging, so
en route modifications must be made to the stored flight plan.

This is all done with the presumption that the FMS will figure out and use the
absolutely cheapest way to fly the airplane.  Even a 1% waste of fuel can cost
an airline tens of millions of dollars a year.  The main problem with
"profitability" is that ATC is not geared to handle FMS-equipped airplanes, and
its actions soak up a lot of the "saved" money.  It is not clear whether this
situation will change in our lifetimes.

FMSs are here to stay: but the design of interfaces is a major point of
contention among many pilots.  Mention "automation," and they don't think EICAS
or FBW: they think FMS.  While many features have been added at the hardware
level in the last ten years, the CDU interface has changed hardly at all.  A
significant criticism--and the most persistent--is that, since any changes to
an airplane's clearance (the route of flight ATC has approved for it) require
changes to the internal flight plan, and since this requires use of the CDU,
thus leading to a heads-down posture, safety can be affected: the pilots are
not able to practice "see and avoid."  In addition, it requires a SIGNIFICANT
refocusing of one's attention and attitude, from flying the airplane, to
dealing with an unfriendly user interface.  It therefore helps put pilots even
further out of the loop.  This increases workload, but workload can increase
even more in terminal environments, where frequent changes to clearances are
common (a terminal environment is the airspace where aircraft are being routed
to or from a nearby airport).  Many airlines have restricted CDU use under
18,000'; still more under 10,000'.  In such cases, the airplane is flown with
the FCU, or, occasionally, even by hand (!).

Balanced against the CDU interface problem is the high degree of "situational
awareness" the overall system provides, when one isn't fiddling with the CDU.
The FMS provides a number of output services, including navigation
information: the FMCs are the heart of navigation services.  One can therefore
look at one's navigation display, and see a graphic spatial representation of
heading, track (calculated path across the ground), nearby alternate airports,
where one will be when one completes a climb or descent, what VORs the airplane
is using, where the fixes are, etc.  This sort of thing is pretty popular with
pilots.  But the quality of the derived data products is dependent on the
quality of data in the system: thus, there's a tendency to try to keep as much
of the display "valid" as possible, which lends to excessive CDU interaction.

On the issue of "authority," it is important to note that the pilot must
explicitly request FMS services.  The FMS is "on" all the time; but it only
*controls* the airplane when the pilot wants it.  Whether executing a stored
flight plan, or selecting short-term features, the PILOT holds the ultimate
authority over the operation of the system.  If, after the FMS is engaged, it
performs unsatisfactorily, the pilot can just "click it off" (disengage it).
There are at least three ways to accomplish this (a switch on the sidestick,
buttons on the FCU, or, as a very rare last resort, a circuit breaker).  After
disengagement, the pilot simply flies "manual" (although "manual" in the A320
is still filtered by numerous computers, and still an artificial construct).
The capacity to disconnect assumes the pilot is "in the loop," and is aware
that a problem (whatever its cause) exists, to the point of applying corrective
action in time.  Cockpit interruptions, heads-down postures (CDU interaction or
systems diagnostics), fatigue, or checklists can affect this capability.
Another factor is the WILLINGNESS to disconnect: a significant problem is that
pilots tend to wait too long before clicking off a system; they can become
over-dependent on automation.

It is unlikely that faults in FMS design could logically migrate to the FBW
computers, or vice versa, barring *possibly* a significant electrical system
failure.  There are elaborate safeguards to protect against completely
off-the-wall instructions, but a more insidious, higher-level (but erroneous)
command within parameters would simply be quietly executed by the receiving
system.  It is impossible, as one person recently suggested on sci.aeronautics,
for the *FBW* to "freeze" the airplane into some arbitrary navigation maneuver,
such as a holding pattern (that tale, repeated at least twice in the last
couple of years, is taking on the form of an Urban Legend).

The important point to note about all of this is that the FMS has NOTHING
WHATSOEVER TO DO WITH FLY-BY-WIRE.  It is at least a couple of levels "higher,"
from the systems integration perspective, than the FBW service.  FMSs are used
in virtually all modern airliners, such as the 757, 767, 737, MD-11, MD-80,
A310, A300-600, and, yes, the A320.  Pick an airliner manufactured since 1982,
and it'll probably have a cockpit designed around an FMS control concept,
regardless of whether it has glass displays, FBW, or both.

Of particular interest, recently, has been the A320 FMS's "vertical navigation"
functionality.  In what follows, "autopilot" should be regarded as a synonym
for "FCU," with the understanding that it's just a high-level interface to the
FMS, using a subset of FMS features, and can be "clicked off."

A few people have been saying things like "altitude can't be set on the
autopilot."  That is incorrect.  The A320's altitude selector is located on the
right side of the FCU.  Not only can the user set the altitude to fly, but can
also set the rate of climb that the airplane should fly at in order to achieve
it.  The latter can be achieved three ways:

1.  By pressing an "Expedite" button, located under the altitude-selector
window.  This will make the airplane reach the desired altitude as FAST as
possible, using either maximum climb attitude and climb thrust, or flight-idle
and maximum airspeed.

(With the following two modes, one can either select a capture altitude, or let
the airplane fly "free."  The distinguishing feature between the modes is a
simple push-button.)

2. By simply dialing a value into the vertical-speed selector.  For example, if
one wishes to fly 3000 feet per minute up, the user just dials in 3000 fpm.

3.  By flying a flight path angle (FPA).  This is an angle the airplane's
flight path will make with the ground.  The intended use of this feature is
rather obscure (other advanced aircraft do not support it), but apparently one
application is for use in conjunction with nonprecision approaches to airports.
A non-precision approach is one that does not include vertical guidance: the
airplane is vectored in a manner such that it reaches a "final approach fix"
pointed in the right direction relative to some sort of navigation aid, then
flies down to a minimum descent altitude.  It then flies toward the airport
until it sees it, and can land visually, or is compelled to try again (or
divert to an alternate).  An ILS, in comparison, provides vertical guidance
from the final approach fix down to the ground, even in very marginal
visibility.  A normal ILS (or visual) approach angle is 3.0 degrees; a
non-precision approach is too complex to categorize briefly.  The point has to
be made, though, that FPA is one of the strangest features in the A320: the
airspace system isn't really set up to let the pilots use it effectively.

On the A320, in a rather dubious interface, the FPA mode and vertical-speed
mode share the same selector.  The way vertical speed is set is to dial in a
TWO-digit number.  So 30 = 3000 feet per minute up; -30 = 3000 fpm down.  There
is no additional feedback--like a couple of extra zeroes-- to indicate one's
dialing in "3000."  The SAME selector, and the SAME indicator, are used to set
"flight path angle." So 30 would then equal a flight-path command of 3.0
degrees down.  The difference between the two modes, as said before, is the
push of a button, and an easy-to-overlook decimal point.  The A320 uses a
liquid-crystal display, with fixed numeric elements, to display all of the FCU
indicators.

So, say one wishes to fly a 3.0 degree flight path.  This is the normal slant
range between a "final approach fix" and an airport.  This would give one a
descent from 700 to 900 feet per minute, and the computer would automatically
adjust the aircraft's attitude to maintain a glide path, if the pilot lowers
flaps, commands a change in airspeed, etc.  But there's a clear potential for
disaster if this mode is *confused* with "vertical speed" mode.  How
significant is this?  If one is 3000' above the ground, and sets a 3.0 degree
flight path, one would contact the ground in four minutes.  If one
accidentally engages vertical speed mode, instead, one will contact in sixty
seconds.  All this is a tad bit simplified, to relate it to normal
"straight-in" approach angles: the let-down portion of a non-precision approach
would require an even steeper angle (4.0 degrees), with similar consequences
should modes be confused.

I am interpreting union comments on the Strasbourg crash as suggesting this
type of mode confusion may have contributed to the crash.  In this case, the
FPA mode may have been used in response to an enroute descent air traffic
control clearance.  When the airplane crashed, it was descending at some 2300'
per second, according to one source.  The angle of descent between the two
transition points the airplane was cleared to fly was 2.28 degrees (from 9000'
to 5000', over 19 statute (?) miles).

Similar theories about the FPA mode abounded after the Bangalore crash, but
proved unfounded (instead, a more complex pattern of FMS mismanagement
emerged).  The British pilots' union, though, early on cited the poor interface
as one that needed to be improved, in a report dated July 1988, a few months
after the airplane was introduced into service:

    "4.2.  Glareshield Flight Control Unit.  Despite the LCD labelling
    on the FCU, and the FMA annunciation on the PFD, it is still
    possible for pilots to commence an approach in the wrong vertical
    mode, i.e., vertical speed rather than flight path angle.  Under
    pressure, the tendency is merely to look at the figures one is
    selecting, and the figures themselves look almost identical in both
    modes.  The selection of FPA merely adds a decimal point.  I have
    seen a non-precision approach commenced with the selection of
    3000 fpm instead of 3.0 and the result was quite exciting.  The FCU
    figures in FPA mode should be made to look quite different - e.g.
    the figure after the decimal point in small font."

An important point is that automatic control of the airplane can lead to a
mismanaged energy state, just as manual control can.  The FBW protections in
the A320 are designed to provide high-speed, loaded, and slow-speed
protections.  It does nothing to stop the pilot from managing the airplane in
such a manner that it gets dangerously close to an obstruction (the ground)
without enough energy--or even too much energy--to pull out of danger.  This is
what Airbus claimed happened with the crashes at Habsheim and Bangalore, with
the pilots flying manually and dealing with the FCU, respectively.  Airbus's
Bernard Ziegler's "black holes": energy states the airplane could not recover
from.

Airbus is faced with the contradictory problems of "protecting" against gross
incompetence (safety issues which IT defined as problems, and which its
marketing people ran away with), without being able to "protect" from the types
of mismanagement their own extreme, and unrealistic, protections appear to
engender.  Far from changing its interface, it long ago froze it, for use in
its newest aircraft, the A330 and A340, thus assuring commonality in
training--and theoretically ensuring a market share among airlines who have
bought heavily into the A320.  But I digress. :-)

If nothing else, I hope I've made the point that FBW is NOT equivalent to
flight management.  FBW computers are relatively simple and straight-forward in
design and purpose: FMSs are fairly complex software/hardware packages.  The
correct functioning of them is important (especially when used in certain
ways), but not as ESSENTIAL as the FBW system.

In addition, note that the A320's automation includes many more services than
just FMS-derived and FBW: there are various mechanisms to display and control
systems information, warning and caution computers, etc.  It's also important
to note that the A320's cockpit design concept (with the exception of
sidesticks and throttle management) is fairly close to that of other airplanes
in production or development at this time (747-400, 777, MD-11, etc). FMS is
not unique to the A320, although its actual integrated environment (as with all
the airframe vendors) is proprietary and unique.

Irritating Jargon:

ATC           Air Traffic Control.
autothrottle  A mechanism for controlling aircraft speed from the autopilot.
CDU           Control Data Unit.
DME           Distance Measuring Equipment/station.
EICAS         Engine Indication and Crew Alerting System.
FBW           Fly by Wire.  
FCU           Flight Control Unit.
fix           A geographic point, designated by the FAA as a reference point.
              Used in navigation and routing by ATC.
FMC           Flight Management Computer.  
FMGS          Flight Management and Guidance System.  
FMS           Flight Management System.  
IFR           Instrument Flight Rules.  
ICAO          International Civil Aviation Organization.  
ILS           Instrument Landing System.  
INS           Inertial Navigation System.
IRS           Inertial Reference System.  
KAL           Korean Airlines.  
PFD           Primary Flight Display 
VOR           VHF Omni Range.

Robert Dorsett   rdd@cactus.org   UUCP: ...cs.utexas.edu!cactus.org!rdd
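
Added example (not part of the original post, and not Airbus code): a simplified Python model of the shared V/S / FPA selector described above, showing how one dialled count renders in each mode and what each mode commands from 3000 feet. The 140-knot groundspeed, the 4.0-degree plausibility limit (the steepest approach angle the post mentions) and all function names are assumptions made for illustration.

```python
import math
from enum import Enum

FT_PER_NM = 6076.12  # feet per nautical mile


class Mode(Enum):
    VS = "vertical speed"
    FPA = "flight path angle"


def render(count: int, mode: Mode) -> str:
    """Text shown in the shared window for a dialled two-digit count.

    Per the post: in V/S mode the count is hundreds of feet per minute
    with no trailing zeroes; in FPA mode it is tenths of a degree, so
    the only visible difference is a decimal point.
    """
    sign = "-" if count < 0 else ""
    mag = abs(count)
    if mode is Mode.VS:
        return f"{sign}{mag:02d}"
    return f"{sign}{mag // 10}.{mag % 10}"


def horizontal_fpm(groundspeed_kt: float) -> float:
    """Groundspeed converted from knots to feet per minute."""
    return groundspeed_kt * FT_PER_NM / 60.0


def commanded_fpm(count: int, mode: Mode, groundspeed_kt: float) -> float:
    """Vertical speed (ft/min, negative = down) the count commands."""
    if mode is Mode.VS:
        return count * 100.0
    angle = math.radians(count / 10.0)
    return horizontal_fpm(groundspeed_kt) * math.tan(angle)


def seconds_to_ground(height_ft: float, count: int, mode: Mode,
                      groundspeed_kt: float) -> float:
    """Time until ground contact if the command is held unchanged."""
    fpm = commanded_fpm(count, mode, groundspeed_kt)
    if fpm >= 0:
        return math.inf  # level or climbing: no contact
    return height_ft / -fpm * 60.0


def descent_angle_deg(count: int, mode: Mode, groundspeed_kt: float) -> float:
    """Descent angle (degrees, positive = down) implied by the command."""
    fpm = commanded_fpm(count, mode, groundspeed_kt)
    return math.degrees(math.atan2(-fpm, horizontal_fpm(groundspeed_kt)))


def implausible_for_approach(count: int, mode: Mode, groundspeed_kt: float,
                             limit_deg: float = 4.0) -> bool:
    """Hypothetical cross-check: is the commanded descent steeper than
    limit_deg?  A check of this kind looks at the effect of the command
    rather than at the digits, which look alike in both modes."""
    return descent_angle_deg(count, mode, groundspeed_kt) > limit_deg


if __name__ == "__main__":
    GS = 140.0   # assumed approach groundspeed, knots
    COUNT = -30  # the value the pilot dials
    for mode in Mode:
        print(f"{mode.value:18s} window={render(COUNT, mode):>5s} "
              f"command={commanded_fpm(COUNT, mode, GS):8.0f} ft/min "
              f"angle={descent_angle_deg(COUNT, mode, GS):5.1f} deg "
              f"ground in {seconds_to_ground(3000, COUNT, mode, GS):5.0f} s "
              f"flagged={implausible_for_approach(COUNT, mode, GS)}")
```

At the assumed groundspeed the FPA command works out to roughly 740 feet per minute and about four minutes to the ground, while the same count in V/S mode gives sixty seconds, matching the figures in the post.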


Newsgroups: sci.aeronautics.airliners
From: rdd@cactus.org (Robert Dorsett)
Subject: Seeking pointers on switch design.
Date: Tue, 24 Nov 92 05:15:42 CST

I'm looking for pointers to articles on the human-factors ramifications of
switch design.  I've noticed an interesting difference between Airbus and
Boeing switch philosophy.

Boeing seems to build the "on" state into the switch.  It might be a white
bar, indicating a closed circuit or open valve on a placarded systems
a subdued "on" function description, with an "engage" bar, etc.  But the
philosophy seems to be: "default" state == off (dark indicator), pilot action
to turn it on (white indicator), operational state = on (white indicator)
until pilot turns it off again or an abnormal state occurs (colored indicator,
annunciator).  This doesn't violate the "dark cockpit" philosophy, since only
one color (white) is used for selects, and abnormal states are clearly
detectable.

Airbus (in the A320, and presumably the A340 and A330), on the other hand,
seems to use smart-logic to default to an "on" state which is completely
dark.  The switches, when pressed, then show an *abnormal* state, like turning
a fuel pump off.  Nearly all of the switches also have a "failure" state-flag,
showing an amber or red fault message.  There are also systems with "mixed"
switch formats.  For instance, since a fuel pump state is normally on, a
switch, when pressed, turns it off and indicates an off state.  But crossfeed
valve switches, when pressed, show an "ON," followed by "OPEN," state, which
seems more "positive."  So the Airbus philosophy seems to be: initialize
switch states at boot time (on, no indicator), pilot action to turn it off
(illuminated, abnormal state), operational state = dark until pilot triggers
a disconnect.

Seems to me that Boeing's the correct approach: a thou-shalt-not, drilled
into me at an early point, was never to use double-negatives to prompt user
actions ("Do you not want to save the file? Y/N") .  An action should ideally
be expressed in *positive* terms.  And the interface should be consistent
across all systems and within systems.

On the other hand, Airbus' design can be rationalized in that if the computers
do *all* routine management, as they do, then bringing the pilots in the loop
at initial start-up is an invitation for error: in this model, pilot involve-
ment is an *abnormal* event, and signs of that involvement should be
highlighted.  This raises interesting implications of the pilots being out of
the loop TOO long, perhaps never dealing with a system or mentally "reviewing"
that system for several flights, as would be the case with more "hands-on"
initialization and management.  This could be the reason behind Airbus's
pre-flight "walk-through," in which each switch illuminates in sequence,
requiring the pilot to depress it to extinguish the light.

Comments?  References?




---
Robert Dorsett
rdd@cactus.org
...cs.utexas.edu!cactus.org!rdd



Newsgroups: sci.aeronautics.airliners
From: drinkard@bcstec.ca.boeing.com (Terrell D. Drinkard)
Subject: Re: Seeking pointers on switch design.
Date: 01 Dec 92 02:10:47 PST

In article <airliners.1992.28@ohare.Chicago.COM> rdd@cactus.org (Robert
Dorsett) writes:

>I'm looking for pointers to articles on the human-factors ramifications of
>switch design.  I've noticed an interesting difference between Airbus and
>Boeing switch philosophy.
>
[Much interesting material deleted]
>
>On the other hand, Airbus' design can be rationalized in that if the computers
>do *all* routine management, as they do, then bringing the pilots in the loop
>at initial start-up is an invitation for error: in this model, pilot involve-
>ment is an *abnormal* event, and signs of that involvement should be
>highlighted.  This raises interesting implications of the pilots being out of
>the loop TOO long, perhaps never dealing with a system or mentally "reviewing"
>that system for several flights, as would be the case with more "hands-on"
>initialization and management.  This could be the reason behind Airbus's
>pre-flight "walk-through," in which each switch illuminates in sequence,
>requiring the pilot to depress it to extinguish the light.
>
>Comments?  References?

I'd just like to address one small part of your message, the part dealing
with pilots being out of the loop too long.  I've read not too long ago that
there is research being performed on a tweak of the flight management
systems paradigm.  Instead of the FMCS just flying the programmed course,
the new thought is to have it tell the pilot the next step and have the
pilot initiate the maneuver.  This keeps the flight crew mentally engaged,
one hopes.  Apparently there is a history of incidents where the pilot was
too far behind the airplane.

I just love this industry!  :-)



--
Terry
drinkard@bcstec.boeing.com
"Anyone who thinks they can hold the company responsible for what I say has
more lawyers than sense."


Newsgroups: sci.aeronautics.airliners
From: palmer@icat.larc.nasa.gov (Michael T. Palmer)
Subject: Flight Envelope Protection (was: TV prog. on 777)
Date: 01 Dec 92 13:54:51 PST

Robert Dorsett <rdd@cactus.org> writes:

>As I understand it, the FBW system is the only way the pilots can signal
>the actuators.  Boeing is simply providing a "conventional" control law and
>interface, with "protections" that can be over-ridden by the pilot, if
>necessary.  Redundancy/backup is at the hardware level, not in alternate
>select modes.

[etc]

>On the other hand, I do think it's a positive step that Boeing's not "re-
>writing" the book by offering *artificial* control laws, as Airbus is doing.
>Thus, to override the protections, the pilots just need to push or pull
>*harder,* or click an override button: they don't have to deal with or
>anticipate the effects of *four* distinct control law modes, and the many
>permutations within each mode, depending upon system status, as is the case
>with the A3[2-4]0.


This is correct, and highlights a very important distinction between the
approaches to flight envelope protection being taken by Boeing & Airbus.
The B-777 will have protections, but as you noted the crew can override
them by using excess force on the control column.  So, the airplane will
make it more difficult to do something it thinks shouldn't be done, but
will always leave the final decision to the crew.  In contrast, the
protection on the A320 *cannot* be overridden - you either get switched
into an alternate control mode, or your inputs are ignored.

This has some serious consequences.  For example, in the China Airlines
B-747 incident 300 nm northwest of San Francisco in 1985 (NTSB/AAR-86-03),
the crew was forced to overstress (and structurally damage) the horizontal
tail surfaces to recover from a roll and near-vertical dive following an
automatic disconnect of the autopilot when it could no longer compensate
for an asymmetric thrust condition.  At the time of disconnect, full
rudder was engaged to one side and the crew was unaware of this.  The
crew recovered control with about 10,000 ft of altitude left (from an
original high-altitude cruise).  It is very likely that if the aircraft
had prevented the crew from initiating control commands that would lead
to aircraft damage, the aircraft (and passengers) would have been lost.

Unfortunately, it appears that engine manufacturers may be heading down
the same path as Airbus with respect to their electronic engine controllers.
I can't remember which engine it was, but I remember reading that when
the controller detects a condition for which the proper action is to shut
the engine down, it will do it itself AND THE CREW CANNOT OVERRIDE THIS
ACTION.  Now, this may seem like a good idea on paper, but remember the
Eastern L-1011 out of Miami in 1983 (NTSB/AAR-84-04) with the triple
engine failure because the oil seals were missing?  Can you imagine the
tragic result if the engines had ALL detected this condition (in flight)
and shut themselves down?  It seems to me that letting the crew decide
to sacrifice an engine to save the airframe is probably a good idea.

If nothing else, I hope I have brought up some topics that deserve
discussion among readers of this newsgroup.  After all, aren't we the
ones in positions to influence our industry (all in our own way, of
course)?

--
Michael T. Palmer, M/S 152, NASA Langley Research Center, Hampton, VA 23681
Voice: 804-864-2044,   FAX: 804-864-7793,   Email: m.t.palmer@larc.nasa.gov
PGP 2.0 Public Key now available -- Consider it an envelope for your e-mail



Newsgroups: sci.aeronautics.airliners
From: rdd@cactus.org (Robert Dorsett)
Subject: Re: Flight envelope protections
Date: 02 Dec 92 13:18:55 PST

palmer@icat.larc.nasa.gov (Michael T. Palmer) wrote:

> This has some serious consequences.  For example, in the China Airlines
> B-747 incident 300 nm northwest of San Francisco in 1985 (NTSB/AAR-86-03),
> the crew was forced to overstress (and structurally damage)
               ^^^^^^

That might be overstating the case a bit. :-) The NTSB report suggests
they didn't have a clue how to recover from the spiral, once they entered
it, lacking military aerobatic training and being completely disoriented.  I
don't believe the report distinguishes the tailplane's damage as being
incidental or intentional.


> the horizontal
> tail surfaces to recover from a roll and near-vertical dive following an
> automatic disconnect of the autopilot when it could no longer compensate
> for an asymmetric thrust condition.  At the time of disconnect, full
> rudder was engaged to one side and the crew was unaware of this.  The
> crew recovered control with about 10,000 ft of altitude left (from an
> original high-altitude cruise).  It is very likely that if the aircraft
> had prevented the crew from initiating control commands that would lead
> to aircraft damage, the aircraft (and passengers) would have been lost.

Your point's well taken, and the risks are certainly worth considering.  But
allow me to play devil's advocate, for a minute, without diluting your argu-
ment, and suggest that the EFCS would have prevented an A3[2-4]0 from getting
into the unusual attitude to begin with.  The protections are both aerodynamic
and input-filtering (and configuration-evaluating, and...).  In the China
Air incident, the flip-over was caused by a "dumb" autopilot/autothrottle
design configuration oversight, following an engine abnormality.  If a similar
event had occurred on an A3[2-4]0, the EFCS would probably have limited both
the authority of the FMS to put the airplane into the steep bank, *and* would
have provided maximum corrective action, using opposing controls, to keep the
airplane in the prescribed operating envelope.

But let's suppose some other kind of fault flips the airplane over: rotor,
wake turbulence, transient EFCS bug (REALLY unlikely).  I would have less
confidence in the system than in a 747, but there are saving graces in the
system design.

During the flip-over itself, the system would have reverted to Alternate Law
when one of these conditions was met:
    Pitch > 50 degrees nose-up or < 30 degrees nose-down.
    Bank > 125 degrees.
    AOA > 30 degrees or < -10 degrees.
    Speed > 460 knots or < 60 knots.
    Mach > 0.91 or < 0.1.
There would not have been protections or auto-trim; there would have been
full-authority direct law in roll, without yaw-damper services.  It is not
clear whether "device-saving" protections would have been in place (likely,
no doubt, considering the extensive use of composites in the tail surfaces).
(don't forget: you have to remember all this when the shiny side's the wrong
way up :-))

I also wonder how well the four accelerometers the EFCS uses would have
held up to all this.  No matter: they're durable.

A320 simulators use pretty much the same EFCS code as the actual airplane.
Since programming errors often show up in 90-degree increments (tan 90!),
I suspect it would be interesting to turn off the motion system and take
the thing up for a spin, so to speak... :-)


More grist for the mill:

In an unnamed regulatory agency's commentary on a paper that Pete Mellor and I
are cooking up, there was a note that in the case of even a
"run-away" surface (actuator OR software malfunction), the remaining devices/
governing software would function to provide a "virtual" effect, providing
handling qualities that would mask the abnormality.  I was aware that a
"make-up" feature existed, but the precise wording raises the question of how
much loading, exactly, the run-away surface might introduce, or how violent
an oscillation the system could be trying to cover up.

I find this *quite* disquieting, especially since, in the FAA's Special
Conditions for the A320's certification in the United States, the point was
clearly made that the FAA does *not* believe the pilots have a right to be
warned of failures of this sort:

This is from the Federal Register 54:17, January 27, 1989, pages 3989 and
3996:

P. 3996: paragraph 2(a)2(i), the item under discussion: active controls, basic
criteria, with the system in failure conditions:

    "(i) Warnings must be provided to annunciate the existence of failure
    conditions which affect the structural capability of the airplane and
    for which the associated reduction in airworthiness can be minimized by
    suitable flight limitations.  Failure conditions which affect the
    structural capability of the airplane and for which there is no
    suitable compensating flight  limitation need not be annunciated to the
    flightcrew, but must be detected before the next flight."

P. 3989, the oh-so-enlightening, explanatory commentary:

    "The second commenter believes that the flightcrew must be aware of any
    failure conditions which affect the structural capability of the
    airplane, whether or not a compensating procedure exists.  The FAA does
    not concur with this comment.  It is not necessary for the flight crew
    to be aware of a failure in the active control system during the flight
    on  which the failure occurs if there is no available corrective
    action; however, the airplane should not be exposed to the failure
    condition for an extended period of time.  The flightcrew must
    therefore be alerted to the failure condition prior to the next flight."

This is from the FAA, the agency in charge of establishing airworthiness and
certification practices in the United States!  In reality, the A320 likely
*does* provide enough feedback: but the FAA, apparently unnecessarily, has
certainly opened the door for the practice to be introduced in subsequent
types.


> Unfortunately, it appears that engine manufacturers may be heading down
> the same path as Airbus with respect to their electronic engine controllers.

Beyond "dumb" smartness, Pete Mellor has uncovered reason to believe
the engine controllers do not use dissimilar software.  On the A320, there
are two FADECS per engine: a common-cause-of-failure logic fault could con-
ceivably take out both controllers.  It's not clear whether this could happen
in tandem, based on environmental conditions, or serially, which could intro-
duce a short timing delay in which the input parameters could be "corrected."


> If nothing else, I hope I have brought up some topics that deserve
> discussion among readers of this newsgroup.  After all, aren't we the
> ones in positions to influence our industry (all in our own way, of
> course)?

Especially in software, of particular relevance to the net.  A lot (if not
most) of the people writing this code--4M on the A320, 10M+ on the
A330 and A340--are *not* aero engineers: just programmers, ostensibly with
CS backgrounds (a more frightening thought I can't imagine! :-)), performing
under strictly governed, structured, controlled environments: to specif-
ication.

Airbus even mentioned the "CS" types it brought in from "outside" to
buttress a comment on its quality-control practices, in an article, as if
to make the point that mere engineers weren't writing this stuff: the
"pros" are doing it. :-)  Yeah, we know what we're doing, SURE... :-)

Computers on the brain...


Alphabet soup:

AOA     Angle of Attack
CS      Computer Science
EFCS    Electronic Flight Control System
FADEC   Full-Authority Digital Engine Control
FMS     Flight Management System
M       Megabyte
NTSB    National Transportation Safety Board




---
Robert Dorsett
rdd@cactus.org
...cs.utexas.edu!cactus.org!rdd



Newsgroups: sci.aeronautics.airliners
From: palmer@icat.larc.nasa.gov (Michael T. Palmer)
Subject: Re: Flight envelope protections
Date: 04 Dec 92 22:30:33 PST

rdd@cactus.org (Robert Dorsett) writes:

>palmer@icat.larc.nasa.gov (Michael T. Palmer) wrote:

>> This has some serious consequences.  For example, in the China Airlines
>> B-747 incident 300 nm northwest of San Francisco in 1985 (NTSB/AAR-86-03),
>> the crew was forced to overstress (and structurally damage)
>               ^^^^^^

>That might be overstating the case a bit. :-) The NTSB report suggests
>they didn't have a clue how to recover from the spiral, once they entered
>it, lacking military aerobatic training and being completely disoriented.  I
>don't believe the report distinguishes the tailplane's damage as being
>incidental or intentional.

Agreed.  I didn't mean to imply necessarily that they KNEW they needed to
overstress the airframe, and it is *possible* that this occurred during
control inputs that did not actually contribute to the recovery.  It's been
awhile since I read that report, and I didn't have it handy to refer to.


>> crew recovered control with about 10,000 ft of altitude left (from an
>> original high-altitude cruise).  It is very likely that if the aircraft
>> had prevented the crew from initiating control commands that would lead
>> to aircraft damage, the aircraft (and passengers) would have been lost.

>Your point's well taken, and the risks are certainly worth considering.  But
>allow me to play devil's advocate, for a minute, without diluting your argu-
>ment, and suggest that the EFCS would have prevented an A3[2-4]0 from getting
>into the unusual attitude to begin with.  The protections are both aerodynamic
>and input-filtering (and configuration-evaluating, and...).  In the China
>Air incident, the flip-over was caused by a "dumb" autopilot/autothrottle
>design configuration oversight, following an engine abnormality.  If a similar
>event had occurred on an A3[2-4]0, the EFCS would probably have limited both
>the authority of the FMS to put the airplane into the steep bank, *and* would
>have provided maximum corrective action, using opposing controls, to keep the
>airplane in the prescribed operating envelope.

Well... given the recent post here about the A310 in Moscow going 88 degrees
nose-up, I'm not sure that I agree that the Airbus EFCS would necessarily
prevent the aircraft from attaining "unusual" attitudes.  In fact, it was the
"smarts" of the A310 autopilot that actually contributed to that incident.
As that poster also mentioned, though, I would like VERY MUCH to see more
documentation and a fuller description of exactly what happened.


>This is from the Federal Register 54:17, January 27, 1989, pages 3989 and
>3996:

>P. 3989, the oh-so-enlightening, explanatory commentary:

>    "The second commenter believes that the flightcrew must be aware of any
>    failure conditions which affect the structural capability of the
>    airplane, whether or not a compensating procedure exists.  The FAA does
>    not concur with this comment.  It is not necessary for the flight crew
>    to be aware of a failure in the active control system during the flight
>    on  which the failure occurs if there is no available corrective
>    action; however, the airplane should not be exposed to the failure
>    condition for an extended period of time.  The flightcrew must
>    therefore be alerted to the failure condition prior to the next flight."

Oh, I get it!  Just because a condition exists that may affect OTHER choices
I make about how to respond to OTHER occurrences during that flight, that
doesn't mean that I have the right to know what is going on with my aircraft.
Hmm, seems reasonable... NOT!


>This is from the FAA, the agency in charge of establishing airworthiness and
>certification practices in the United States!  In reality, the A320 likely
>*does* provide enough feedback: but the FAA, apparently unnecessarily, has
>certainly opened the door for the practice to be introduced in subsequent
>types.

I agree completely.  I work in the Human/Automation Integration Branch in
the Flight Management Division at NASA Langley.  We have worked for some
time examining the complicated interrelationships between events that lead
to accidents, and have even constructed software prototypes that try to
determine these relationships and make them more explicit.

What really scares us is the prevalent attitude of many in the industry
that they can anticipate ALL the "important" ways that things will interact,
and provide procedures for dealing with them.  And whenever you point to
an example of how they failed and how that led to an accident, they respond
"Oh, but we've already fixed that."  Sure.  But what about the NEXT one
that you haven't "fixed" yet!?!

By the way, the charter of our organization (as if you couldn't tell from
what I've said so far) is NOT to solve problems in the cockpit by increasing
the amount of automation.  Rather, we seek to propose better ways of using
the capabilities of both the automation and the flight crew, which may even
mean rethinking many of the traditional tasks that automation is used for
now.  And we do NOT see the "pilot as manager" scenario as being necessarily
ideal.  Humans tend to make lousy system monitors.  Ask the Nuclear people.
Human-machine systems work best when the humans are actively *involved*.


>> If nothing else, I hope I have brought up some topics that deserve
>> discussion among readers of this newsgroup.  After all, aren't we the
>> ones in positions to influence our industry (all in our own way, of
>> course)?

>Especially in software, of particular relevance to the net.  A lot (if not
>most) of the people writing this code--4M on the A320, 10M+ on the
>A330 and A340--are *not* aero engineers: just programmers, ostensibly with
>CS backgrounds (a more frightening thought I can't imagine! :-)), performing
>under strictly governed, structured, controlled environments: to specif-
>ication.

>Airbus even mentioned the "CS" types it brought in from "outside" to
>buttress a comment on its quality-control practices, in an article, as if
>to make the point that mere engineers weren't writing this stuff: the
>"pros" are doing it. :-)  Yeah, we know what we're doing, SURE... :-)

Ummm... this point came up in a Newsweek article (now THERE'S an accurate
and unbiased source of information!) about digital flight control systems.
They were shocked that programmers, not pilots, were writing the software.
I feel at least somewhat qualified to address this issue, since my undergrad
is Aerospace Engineering, my master's is Computer Science, and I'm working
on the Ph.D. in Human-Machine Systems.

Pilots and engineers tend to be experts in specifying how things should
happen.  My experience with their programming ability is that they tend to
not be aware of most of the advances in Computer Science that have occurred
over the past 25 years.  The result is poorly designed and implemented code
that takes Herculean efforts to get working properly and maintain.  On the
other hand, programmers do not necessarily make good system designers... they
tend to think in terms of how things will be implemented (and the limitations
of that implementation) rather than in terms of what the system MUST be able
to do.  I have met only a few people who can combine both talents, to become
very good system designers AND software designers.

These people have the ability to hear what the pilots and engineers say, and
translate that into a total system design, including software design, that
meets the requirements and can be implemented.  At THIS point, the actual
programmers become involved.  If changes need to be made due to, say, hardware
limitations, then these can be incorporated by either a requirements OR an
implementation change.

So, I don't think you should be afraid that CS people are writing the code.
In fact, you should be glad that they are.  You just need to make sure that
they are filling in the pieces of a software design that was put together
by a competent person like I described above.


>Robert Dorsett
>rdd@cactus.org
>...cs.utexas.edu!cactus.org!rdd

I hope I get to meet you at a conference sometime soon!  It's great to see
that other people are grappling with the same issues.

--
Michael T. Palmer, M/S 152, NASA Langley Research Center, Hampton, VA 23681
Voice: 804-864-2044,   FAX: 804-864-7793,   Email: m.t.palmer@larc.nasa.gov
PGP 2.0 Public Key now available -- Consider it an envelope for your e-mail



Newsgroups: sci.aeronautics.airliners,rec.travel.air
From: rdd@cactus.org (Robert Dorsett)
Subject: Re: Airbus safety (was Re: TWAs Status)
Date: 10 Dec 92 16:07:03 PST

In article <1992Dec01.173212.27936@news.mentorg.com> philip@mentorg.com
(Philip Peake) writes:

>It wasn't unintentional - it was a deliberately (contrived) example.
>The arguments I have heard so far seem to say that just because it's always
>been done that way, it always should be - aircraft design has changed a LOT
>since the stick control was introduced - maybe this is no longer the
>correct control mechanism ?

Transport aircraft design hasn't changed much at all in the last 30 years.
We fine-tune various features, change the aspect ratio, develop better drag
profiles, better powerplants, occasionally build a better, lighter system.
Certainly improved manufacturing techniques.  But the *engineering* discipline
is so WELL defined that if you give three manufacturers the task of developing
three different airplanes for the same mission profile, you'll now come up
with almost identical airplanes.   It is a discipline so evolved that we can
come up with physical implementations which can match design performance
objectives to within a percentage point.

This is not the result of "wild-catting," or breaking the rules: it's the
result of decades of working over the same problem, developing a very
intimate understanding of this particular type of development problem.  We
should expect that the same considerations must be applied to how the
pilots control the airplane.  The "old" model may not be the best available,
but it's well-understood, and is likely preferable to any "replacement"
we are likely to produce with current technology.


>If you are against the idea of insulating the pilot, maybe we should
>remove servo brakes and power steering from cars too ?

The pilot IS in the loop.  You can complain about that, and try to eliminate
that, if you want to.  However, since he IS in the loop, the unique feedback
requirements needed to let him do his job require a more interactive
environment than either contemporary glass cockpits *or*, in this case, the A320
sidestick, provide.

Christopher Davis already addressed your point in his reply: *hydraulics*
is the equivalent of power steering, not FBW control.  However, note that
we've been providing completely artificial feel to go along with this, for
the past thirty years.  Yet all of a sudden, on the pretext that the "FBW"
in their airplane mandates it, Airbus, which is in the business of selling
technology, cavalierly introduces a control device which:

	1.  Has no interconnect between the pilots.
	2.  Has no active feedback.
	3.  Utilizes artificial control laws in the normal and alternate
            flight modes.

I suggest that the issue has NOTHING to do with technological "advantages"
human requirements: it is completely marketing-driven.


>|> In essence, my point is that standards don't exist because of happenstance.
>|> They exist because it makes life easier for everyone.  This is particularly
>|> important when human lives are at stake.
>
>Standards are also perpetuated by vested interests,

Yeah, that powerful yoke-manufacturer lobby.  The bastards.  Just because
they won't retool to build sidesticks, they gotta ruin it for the rest of
us. :-)

Seriously, this is a tremendously conservative industry.  What isn't broken,
doesn't get fixed.  However, when a better mouse-trap is invented, it is
almost always adopted, universally.  The fact that no other manufacturer
is rushing to repeat Airbus' example suggests the arbitrariness of the
use of the sidesticks: if there were even minor operational or material
advantages in using them (and modified control laws) as interfaces to the
EFCS, you could bet your last dollar every other manufacturer would be doing
so, not least as the result of airline demand.   We don't see that.


> even when better ideas
>are around.

This isn't one of them.  We aren't operating in a vacuum: NASA, as one example,
has been running a lot of research (over, and over) over the last 20 years,
addressing precisely these issues: the Airbus implementation is arguably on
the weaker of a variety of choices available.


>If all new pilots were taught nothing but the side stick,
>how long would the old arrangement last - and if the old arrangement

Why should pilots be taught nothing but a unique, *proprietary* side-stick
design that no pilot had any experience with before four years ago, and which
is only one of a variety of other possible designs?

You imply that the sidestick's just a yoke wrapped up in a little handle.  It
isn't: the issue's a lot more complex, and, within that simple interface,
there are *many* ways to proceed.  The certification authorities, you will
note, have not codified mandatory control qualities of this interface (and
WON'T): thus, in a worst-case, we could have Airbus running its stick (+
control laws), Boeing running its own, MDC running its own, etc.


>is so wonderful, why do military fighter aircraft, where tight control
>by the pilot is ESSENTIAL use side stick controls ?

Not all do: several continue to use center-sticks.  In either case, the
issue is in large degree driven by the need to effectively control
the aircraft at high g's--but even then, it's a significantly different
design than that used in the A320.

I would also note that in fighter aircraft, there isn't the issue of
two-pilot "peers" having to quickly and instinctively figure out who is
flying the airplane.  On the A320, there is no interconnect between the
sidesticks: the captain can command a full-left in an emergency evasive
maneuver, the F/O full-right, and the net result will be an algebraically
added "zero."


>The problem is the PILOTS, not the design

Here we flip to cockpit integration, not sidesticks.

The problem is a design philosophy which is unwilling to accommodate the human
element.  I also see a great deal of "stick it to the pilots" going on: a
number of proponents of pilot-isolation don't even bother to cite alleged
economic or safety benefits, anymore: the pilot-isolation increasingly appears
to be an engineering-driven goal in itself.

The Airbus approach has gone too far.  Thankfully, however, it seems to be
on its way out: new designs, such as the 777, are more sophisticated,
yet have more conventional and interactive interfaces.  And the research
community is coming squarely on the side of more interactive, appropriate
feedback.  New designs will be more human-factors-driven, not engineering-
driven.  And, with luck, we'll see a return to the *evolutionary* application
of high technology, rather than the *revolutionary* application of the same.

And who knows, in 20 years, when we have enough underlying experience and
research under our belts, we can try a *standardized* alternate interface.


BTW, and for the record, I *like* the idea of sidesticks: for no other reason
than to be able to see the entire instrument panel, unencumbered.  I simply
don't like this particular implementation, and have concerns about the
human requirements any sidestick design could introduce.





>Philip


---
Robert Dorsett
rdd@cactus.org
...cs.utexas.edu!cactus.org!rdd




Newsgroups: sci.aeronautics.airliners
From: rdd@cactus.org (Robert Dorsett)
Subject: Re: Flight controls
Date: 10 Dec 92 16:07:06 PST

In <airliners.1992.77@ohare.Chicago.COM> philip@rainbow.mentorg.com (Philip
Peake) wrote:

> In article <airliners.1992.67@ohare.Chicago.COM>, rdd@cactus.org (Robert
> Dorsett

> if you want to knock the A320, there are much better grounds for doing
> so than ergonomics - without the more serious design problems, there
> would probably have been many fewer "accidents", and hence less reason
> to blame the ergonomics.

I am hard pressed to think of many other things.  Structurally, the A320 is
extremely conservative, highly conventional.  In systems layout and design,
highly conventional.  There are a few frills, such as the cabin lighting
system, toilets, or window heat, which have been "automated," but only in
relatively self-contained manners (toilet going out doesn't have the slightest
ramification on ELAC 1 being able to do its job, for instance: they aren't
on the same networks :-)).

The EFCS, in turn, has been the focus of so much attention that at least one
pundit suggested that other aspects may have been allowed to lapse, as
evidenced by the initial problems with the toilets or the cabin intercom/
lighting system, the latter of which, in the words of a BA maintenance
engineer, had software so simple "a child could have done it better."  These
aren't safety-critical items (well, maybe the lighting is: it didn't work at
Habsheim).

Two of the three accidents were misuses of the FMGS MCU; the other--the
first--was so bizarre, such an outrageous case of poor airmanship, that I've
yet to fully assess the implications. This therefore seems to call for better
ergonomics or training, with the latter recognized as precisely what it is: a
kludge, covering up poor design.

It's important to note that while, on a quantifiable basis, the A320's EFCS
is most subject to criticism, it's equally clear that, thus far, the EFCS has
performed almost flawlessly.  And even if it doesn't meet the 1-in-a-billion
failure rate, it's likely that if it produces even one EFCS-induced
catastrophic failure every 10 years, the human and material costs can be
easily absorbed by the industry--and when it does fail, we probably wouldn't
be able to determine what happens, since the DFDR certainly doesn't record
the myriad execution paths.

The real issue, of course, is whether this is as safe as a conventional
system.  And if it isn't, there are tremendous ethical and moral issues
at play.



> Besides "cosmetic" issues like tactile feedback, and some layout issues,

This isn't cosmetic.  The choice of using sidesticks, the four major flight
control modes, the many possible permutations within those modes, are part of
a highly integrated *system* design.  If one looks at it for itself, it's a
very "sexy" design, a startlingly coherent design philosophy. How well it
adapts to the real world is another issue, entirely, of course.

I would even suggest that if one disqualifies one aspect of this model:
sidestick, throttle control, switch design--the totality could suffer
irreparable damage.  None of this is "cosmetic."  It's the heart of how the
airplane is controlled.


> the 767
> is pretty close to an A320 - as you have said (I think - sorry if I misquote
> you)
> the 767 is just more conventional in cockpit design - it's a pity its automatic
> landing system can be as good as the best pilot on a good day, and as rough as
> the worst on a bad day ... usually more towards the latter ...

I would not have rated the airplanes as equivalents.  The 767 is "equivalent"
to an A310, but even then, there are significant differences in cockpit
design.  If I've given the impression of "equivalency," it was by mistake:
perhaps in avionics maintenance practices, or the A320 or 747-400 as
"consumers" of the benefits of the 767/A310 learning curve; little else.  The
airplane I'd compare with the A320 is the 747-400, at least in cockpit design,
systems design, and AIDS/BITE integration; certainly not the mission
requirements.


> ) writes:
> |> We can automate easily quantifiable issues: simple tasks.  Judgement and
> |> airmanship has thus far evaded us, on all levels.  Until we get a grip on
> |> it, talk of fully autonomous aircraft or ground control is nothing more
> |> than science fiction.
>
> [...] history, even modern history is littered with comments from
> people writing off things as "science fiction", "can't be done", "will never
> replace
> the current ...." etc who have had to eat their words shortly after.

In the software engineering community, words like "Oh, that's easy," or "I can
do that on time, on schedule, and under budget" are *always* eaten, later on.
Software is an art, not an engineering discipline.

I wonder what the aero manufacturers are doing that the rest of us poor sods
aren't, that let them miraculously produce highly complex packages right on
schedule, in a certification environment in which even a day's delay can cost
millions of dollars.  10M of code in an A330/340, indeed.  I have a hard enough
time keeping my little 1M Microsoft Word in line.

Usually, when I write "stupid" things, I regret it an hour later.  It's
been over 72 hours, now, and I stand by my words.  At this point in time,
it is not feasible to create fully autonomous transport aircraft, as implied
in the original article.  By the time it is, I expect my bones to be dust.


Incidentally, a few people seem to have interpreted my comments about software
engineering as coming from an AE perspective: they weren't.  I'm not sanguine
about CS types writing this stuff: I simply don't think development
technology's at a point where we can write reliable software with the level
of confidence I feel is necessary.  This is a whole other discussion, though.

I actually have little experience with the capabilities of AE-types to write
code.  Although I suppose if they had done it, the EFCS would have been
written in FORTRAN, not C/Pascal/assembly. :-)

I will concede that the CS approach is likely the lesser of two evils.




---
Robert Dorsett
rdd@cactus.org
...cs.utexas.edu!cactus.org!rdd



Newsgroups: sci.aeronautics.airliners
From: Robert Dorsett <rdd@cactus.org>
Subject: Re: Safety and design rankings (was Re: Flight controls)
Date: 11 Dec 92 17:42:28 PST

In article <airliners.1992.138@ohare.Chicago.COM> kls@ohare.Chicago.COM
(Karl Swartz) writes:

>> These aren't safety-critical items (well, maybe the lighting is: it didn't
>> work at Habsheim).
>
> I believe both intercom and lighting are considered safety-critical
> items.

Sorry: that was poorly phrased.  It is a must-have, and, yes, it did
fail.  However, I understand the problem was mechanical in nature (CCF?); the
software problems were eventually fixed.

I don't know about the intercom, but the PA system is, as well.


>Lighting in general may not be deemed critical, though certainly the
>directional lighting in the floor is.

Floor directional lighting is relatively new.  It complements, but does not
replace, the regular emergency floods: both are now considered critical.

For the semantics fans: we should probably be careful in our use of the term
"safety-critical" with respect to these systems: it is not, for instance, in
the same league as the EFCS, and the software likely doesn't require the
same confidence.  Anyone know for sure?  I would suspect emergency lighting
is listed as an "essential function," not critical.


> Is the MD-11 comparable to the 747-400 in this regard?  I would assume
> so since they are of comparable vintage.

I would suggest not: the former is more of a derivative, the latter more of
a new type, with its new wing (which was designed to support the all-upper-
deck concept, plus maybe one more derivative after that), electrical system,
extensive use of composites, new APU, etc.  Each has a high degree of direct
commonality with its predecessor, but from a technology basis, I don't think
they're in the same league.

One commenter to the paper Pete and I are brewing up took exception to my
comparison, though: he feels the 767 was more of an equivalent to the A320.
I disagree, from both design and avionics perspectives.

Perhaps some of the Boeing people posting here can comment on the
commonality of the various versions of the 747.


> Where do the new generation 737s (-300/-400/-500) fit into this?

FMS, new engines, composites, just about everything else is derivative.  The
"glass" in the cockpits is hackwork, IMHO, nowhere NEAR as integrated as
the "all-new" glass airplanes such as the 747-400.  I don't believe systems
control has changed much at all.


> And, for completeness, where do the glass-cockpit version of the MD-80
> family fit into the picture?

My PERSONAL mental "ranking" of the sophistication of these airplanes is
about:


                   High-high automation/integration
One philosophy
   |
  777                                                     Another philosophy
   |
747-400<--------------------------------------------------->A320/A330/A340
                                |
                     High automation/integration
                                |
                              MD-11
                                |
             757/767<--------------------->A310, A300-600
                                |
              FMS only, varying or no glass, no standards
                                |
                747-300,737-300,-400,-500, MD-8X, F.100
                                |
                    INS/PMS, conventional otherwise
                                |
                           747-200/SP
                                |
              INS only, very smart autopilot, fair integration
                                |
                              L1011
                                |
                              A300
                                |
        INS only, simple, coupled autopilots, fair integration
                                |
                        747-100/200, DC-10
                                |
          First/second-generation design, little integration
                                |
             two-man            |                    three-man
      DC-9,737-100,737-200<-----|
                                |
                              KC-135
                                |
                                 --------------->727, DC-9, 707, DC-8

Two-man airplanes have always used more automation than three-man crews;
hence, I give them a slight edge among the "first-generation" airplanes.

Others may have differing impressions; there's no hard and fast rule to
apply.

Of all these airplanes, the original 747 family has the best internal
cockpit consistency, by far.  Otherwise, the new Airbusses have the best
design consistency.  But I count some 19 fundamental cockpit designs in
operation, countless permutations existing in most of them, depending on
customer preferences in avionics and cockpit layout.

The FMS's used on these airplanes are generally done by Honeywell, except
that Boeing's using Smiths Industries for the 737, for some reason.

Note that INS's on older-generation airplanes were often not purchased by
customers who intended to use them for domestic service: EAL's A300-B4's, for
instance, didn't even have them for service to South America.  All of the
first-generation airplanes currently have INS retrofits available; there are
also on-again, off-again plans to offer a relatively sophisticated glass
cockpit for the 727, with new engines.

But it's important to note that INS interfaces were pretty much localized,
with maybe a coupled mode for the autopilot.  The devices were nowhere near
as integrated in the cockpit design as 1980's/1990's crop, even if they were
explicitly sold with airplanes (such as the early 747).  They were "packages,"
not the "essence."

LASTLY, note that the manufacturers are MUCH more assertive about preventing
customers customizing their cockpits.  This really got out of hand: for
instance, I have a picture of a KLM 747-200 with some seven HSI's and CDI's
and four full-sized ADI's, blanketing every spare square inch of the pilots'
panels--that's what THEIR chief pilot apparently felt comfortable with. :-)
Options are much more limited on modern airplanes; all customer variations
are much "closer" to the manufacturer standard cockpit (the one that gets
in all the publicity photos) than they used to be.  Then again, nearly all
the major airlines don't have anything resembling the engineering and design
departments  that they used to have, so they've forfeited the right to
comment, to a large degree.  Performance is now ensured by legal contract,
rather than design, with the dollar being the bottom line.


Caveat: I generally don't know that much about Douglas products
(except for the DC-10 :-)); Boeing and Airbus have always caught my
interests.



---
Robert Dorsett
rdd@cactus.org
...cs.utexas.edu!cactus.org!rdd



Newsgroups: sci.aeronautics.airliners
From: palmer@icat.larc.nasa.gov (Michael T. Palmer)
Subject: Re: Airbus safety (was Re: TWAs Status)
Date: 11 Dec 92 17:42:30 PST

rdd@cactus.org (Robert Dorsett) writes:

>Seriously, this is a tremendously conservative industry.  What isn't broken,
>doesn't get fixed.  However, when a better mouse-trap is invented, it is
>almost always adopted, universally.  The fact that no other manufacturer
>is rushing to repeat Airbus' example suggests the arbitrariness of the
>use of the sidesticks: if there were even minor operational or material
>advantages in using them (and modified control laws) as interfaces to the
>EFCS, you could bet your last dollar every other manufacturer would be doing
>so, not least as the result of airline demand.   We don't see that.

>This isn't one of them.  We aren't operating in a vacuum: NASA, as one
>example, has been running a lot of research (over, and over) over the
>last 20 years, addressing precisely these issues: the Airbus
>implementation is arguably on the weaker of a variety of choices
>available.

My contacts at Boeing agree - Boeing Flight Deck Research has been looking
at sidestick controllers for a long time.  They have decided that until they
develop an airplane that is flown *differently* they will continue to use
the column/yoke arrangement.  Now, what I mean by differently really refers
to switching from ATTITUDE control laws to VELOCITY VECTOR control laws.
Mr Dorsett is correct; NASA Langley has decades of experience with sidestick
controllers in our B-737 aircraft (it has TWO cockpits - standard in front,
and an aft research cab from which you can fly the entire flight profile
including landing).

The sidestick control has been shown to be best when commanding velocity
vector changes instead of attitude changes.  This is an interesting way of
using automation to ease the burden on the pilot while allowing him to
also remain in the loop, since the automation configures the control
surfaces to maintain the commanded direction of flight, but the pilot
still "flies" the airplane (when not in full-autopilot).  The velocity
vector control-stick steering mode is by far the mode of choice of the
pilots we bring in for experiments.

Based on the work here and their own efforts, Boeing has decided that until
they build a velocity vector airplane (hint: High-Speed Civil Transport)
they will not provide a totally different way to fly an airplane designed
with attitude control laws in mind.

Please note that I am neither a Boeing employee nor spokesman, and I neither
(officially) recommend nor approve of actions taken by them.  All the info
provided here (about Boeing's position) was provided to me personally by
Boeing employees, though, so I have no reason to doubt it.  It would be nice
if some of you lurking Boeing people jumped in to correct any mistakes I
have made.  :-)

--
Michael T. Palmer, M/S 152, NASA Langley Research Center, Hampton, VA 23681
Voice: 804-864-2044,   FAX: 804-864-7793,   Email: m.t.palmer@larc.nasa.gov
PGP 2.0 Public Key now available -- Consider it an envelope for your e-mail



Newsgroups: sci.aeronautics.airliners
From: palmer@icat.larc.nasa.gov (Michael T. Palmer)
Subject: Re: Airbus safety (was Re: TWAs Status)
Date: 11 Dec 92 17:42:32 PST

rdd@cactus.org (Robert Dorsett) writes:

>I would also note that in fighter aircraft, there isn't the issue of
>two-pilot "peers" having to quickly and instinctively figure out who is
>flying the airplane.  On the A320, there is no interconnect between the
>sidesticks: the captain can command a full-left in an emergency evasive
>maneuver, the F/O full-right, and the net result will be an algebraically
>added "zero."

I believe this is incorrect, though I don't have the documentation here
right now.  My understanding is that whenever one of the sticks reaches
a critical percentage of deflection (say, 75%), it becomes automatically
the selected input device.  At this point, the other control stick is
ignored.  So it's a race.  Whoever slams their stick to the stops first
wins, and the only way for the other crewmember to override is to physically
attack the winner.  Neat, huh?

I'm not sure how sub-critical deflections are handled - they may indeed
be algebraically summed.  If any Airbus people can provide the straight
scoop, I'd appreciate it.

In the sidestick implementations used at NASA, the sticks are interconnected
("logically", really, since they are hydraulically back-driven) so that,
like in current cockpits, whoever is strongest (i.e., most scared-to-death)
wins.

--
Michael T. Palmer, M/S 152, NASA Langley Research Center, Hampton, VA 23681
Voice: 804-864-2044,   FAX: 804-864-7793,   Email: m.t.palmer@larc.nasa.gov
PGP 2.0 Public Key now available -- Consider it an envelope for your e-mail



Newsgroups: sci.aeronautics.airliners
From: Robert Dorsett <rdd@rascal.ics.utexas.edu>
Subject: Re: Airbus safety
Date: 13 Dec 92 12:14:14 PST

In article <airliners.1992.148@ohare.Chicago.COM> philip@rainbow.mentorg.com
(Philip Peake) writes:

> |> >If all new pilots were taught nothing but the side stick,
> |> >how long would the old arrangement last - and if the old arrangement
> |>
> |> Why should pilots be taught nothing but a unique, *proprietary* side-stick
> |> design that no pilot had any experience with before four years ago, and
> |> which is only one of a variety of other possible designs?
>
> You are avoiding the question - read it again, the operative word is "if".
> I really don't think that a side-stick qualifies as "*proprietary*" does it ?

Not if one views it merely as a "substitute" interface.  The A320 sidestick
is not a "parallel" substitute: it's a replacement design concept.
Besides the ergonomics, which raise their own issues, and which, as you note,
would be duplicated by just about any manufacturer attempting to develop its
own, it's what it DOES that determines its uniqueness.

For instance, some pilots seem to like a specific feature: pull straight
back on the stick to activate the TOGA mode.  A few pilots *prefer* this to
the regular stick-throttle combination one would instinctively use in such
modes, despite the fact that if you did this on a "real" airplane, you'd
soon stall it.

So, should Boeing adopt this paradigm, if it goes to a sidestick design?  This
is one of MANY unique characteristics that solely characterize *Airbus'*
sidestick.  There are no official standards; no "sidestick specification" is
in the public record.  The software is jealously guarded.  If Boeing decides
to duplicate the stick concept, should it do so by examining operating manuals
and hope it catches most of the idiosyncrasies?  Or should it run away with
the *idea*, and improve on it, offering its own version?

In many ways, what I fear is what happens with "consumer software."  Take a
word processor, for instance: a simple idea, with *many* variations.  Different
companies have different ways of looking at the same problem: indeed, none of
them may be a "best" solution.  I don't think this comparison is off base:
Airbus has REPEATEDLY and PUBLICLY stated that its technology is its selling
point: to distinguish itself from Boeing, it MUST continue to do its own
thing.

The problem is that software is so much more easily changed than hardware,
that we could very well start an avionics equivalent of "creeping featurism."
Changing the way a stick behaves can be done in just one firmware update: no
need to develop new tooling, production techniques, train assemblers and
maintenance engineers, offer the retrofit during the next C check, etc.
Just the internal development process, which one can assume is faster and
cheaper than for hardware.  But, by virtue of this ease, it's also more
*unstable* than hardware-based solutions.

Evidence to support this position?  The A320 has about 4M of code.  The A330/
A340, 10M.  It's happening as we speak...

Do any Honeywell people reading know how big the 777 EFCS is going to be?


> Changing the subject slightly, the world's safest aircraft (Concorde) uses
> technology which was new, and for a time unacceptable to various licensing
> authorities - it didn't have a MECHANICAL link between the stick and the
> control
> surfaces - only hydraulic. There was *much* concern over this, and lots of
> reaction from the pilots and safety mob - they almost won, and the Concorde
> almost had to be produced with a mechanical linkage, which no FULL CREW would
> be able to budge one mm if they all tried together - in fact, the linkages
> would probably have failed, before it would have been possible to move a
> control surface, when moving at full speed.

I think you're overstating the situation considerably.  Like they'd build
an unflyable mock-up?   :-)

In the late 1950's and 1960's, there was considerable controversy over
hydraulics, much of it justified: there was a low confidence level among
pilots with conventional hydraulic systems.  O-ring seals tended to break
down, and the systems were rather "leaky"; many a flight had at least a
partial failure.  Pilots fully realized the benefits of hydraulics, and,
starting after the 707, accepted the desirability of flying by hydraulics.
However, what a lot of pilots wanted was a hybrid system, fly-by-cable,
COMBINED with hydraulic boost.  So, for instance, the 727 was developed with
full-time hydraulic flight controls, but also a cable-driven "back-up" mode,
which used control tabs to aerodynamically move the surfaces.  When
hydraulics were completely lost, controls became heavy, but the airplane had a
"get it on the ground" capability.  The 727 was the last such airliner to
have this capability.


Much of the controversy surrounding the BIG airliners, such as the 747, but
even the 737, was that the manufacturers wanted to take away these tabs.
This debate was an important part of an industry-wide *process*, which helped
induce the manufacturers to develop more reliable systems: a 747 with the
hydraulics reliability of, say, a 707, would not have been acceptable.  This
technological advance, combined with the *necessity* of using it in the
specified mission profiles, helped silence objections.

So Concorde certainly wasn't the first to go all-hydraulic, and the debate
didn't start there.

I can't comment on Concorde-ish control forces, but on even the 747, the
"raw" forces in cruise, while high, don't require superhuman effort: the
figures I've seen ranged from 50 lbs to 150 lbs.  This would be unacceptable
for normal operations, but is hardly the equivalent of trying to lift a
ton of cement with one's little finger.


> As I said, it has proved to be the world's safest aircraft.

Sure, 14 airplanes, piloted by superbly qualified and trained aircrews,
with immaculate and detailed maintenance.  Flying what, TWO flights a day (no,
not two per plane, two FLIGHTs, in the fleet) on 2 or so very well-defined
routes, to major international airports?

Concorde's an interesting experiment, but let's face it: its contribution is
merely that it can be done, not that it can be done economically, or, even,
safely, in the same types of conditions other airplanes are flown in.  It is,
however, an engineering achievement that France and England can be proud of,
and I hope British Airways and Air France continue turning their Concorde
profits, if, for nothing else, the living history the airplane represents.


> I don't seem to have noticed any raving about the TGV, the latest versions of
> which achieve speeds comparable to that of aircraft, and use a side-stick ...

You will no doubt be DELIGHTED to note that I know nothing about trains.
Nor do I particularly care to learn. :-)  My interest here is airliners, not
mass transportation.  I'd suggest we compare standards within the genre.




--
Robert Dorsett
Internet: rdd@rascal.ics.utexas.edu
UUCP: ...cs.utexas.edu!rascal.ics.utexas.edu!rdd



Newsgroups: sci.aeronautics.airliners
From: Robert Dorsett <rdd@rascal.ics.utexas.edu>
Subject: A320 sidestick description + references (Re: Airbus safety)
Date: 13 Dec 92 12:14:17 PST

In <airliners.1992.147@ohare.Chicago.COM> palmer@icat.larc.nasa.gov
(Michael T. Palmer) writes:

> rdd@cactus.org (Robert Dorsett) writes:
> >On the A320, there is no interconnect between the
> >sidesticks: the captain can command a full-left in an emergency evasive
> >maneuver, the F/O full-right, and the net result will be an algebraically
> >added "zero."

> I believe this is incorrect, though I don't have the documentation here
> right now.  My understanding is that whenever one of the sticks reaches
> a critical percentage of deflection (say, 75%), it becomes automatically
> the selected input device.  At this point, the other control stick is
> ignored.  So it's a race.  Whoever slams their stick to the stops first
> wins, and the only way for the other crewmember to override is to physically
> attack the winner.  Neat, huh?

I've looked into this closely.  Unless there have been significant, recent
changes, it doesn't work this way (other designs do, though).  Here's an
excerpt from the impending A320 paper that Pete Mellor and I are writing
("The A320 Electronic Flight Control System," title subject to change), which
might help clear things up.

I've inserted a couple of comments in brackets; these clarify passages,
based on respondent comments.


---------------------------

4.1.  Sidesticks; [AIRB88, 1.09.20, 3-5; ZIE86, COR88]

The main flight control interface for the EFCS is one of two
"sidestick" controllers.  Conventional airplanes have two "control
columns," mounted between each pilot's legs.  The A320 does away with
these, and instead has sidesticks mounted on the side-walls of the
cockpit (incidentally resulting in outstanding pilot visibility of
flight instrumentation).

Conventional control devices reflect control forces to some degree.
This "feel" is usually either supplied aerodynamically by the airplane,
or, as in most airliners, via an artificial feed-back system.  The
sidesticks on the A320 do not have artificial feel.  On the A320,
springs are used to discourage abrupt control movements.  Flight
control specialists seem to regard this as a valid "artificial"
feedback mechanism, but the point must be emphasized that the pilot is
only reacting to the qualities of the spring: no tactile feedback
relates to what the airplane may be doing (unlike a conventional
control system); thus, secondary cues, such as the design of the flight
displays, take on more importance.

[...]

Following are some of the force-characteristics of the sidesticks on
the A320 [adapted from COR86]:

Limits:
                                       Roll
                 Pitch            In          Out
Max. load        10 daN           3 daN       2 daN
Threshold        0.5 daN          0.4 daN     0.4 daN
Deflection       +-16 deg.        20 deg.     20 deg.
Orientation      20 deg fwd.      12 deg in   12 deg in.

Proper pilot arm position is important for proper use of the sidestick.
[actually, not that important: an early concern that proved unjustified]
Thus, Airbus has included a fully-adjustable seat-arm, which features
an LCD readout for arm angle.  A pilot entering an aircraft need only
remember his optimal settings, and set them up.  The arm-rest rest
position may be changed within an interval of [+20,-15] degrees.
Supporting arm position may be adapted in the interval of [+15, -12]
degrees.

The sidesticks are not mechanically interconnected: inputs to one can't
be felt on the other.  Their inputs are algebraically added, with a
maximum limit corresponding to the maximum deflection of one sidestick.
No weight is given to the captain.  Thus, if the captain pulls full
left, and his first officer pulls full right, the net effect is zero.
The last pilot to click on an override thumb-button (also used to
disconnect the autopilot) obtains control: a small indicator light in
front of the other pilot signals this fact.  The potential exists for
the pilots to "fight" over control of the sidesticks.  Rather than the
"strongest" pilot winning, the one with the fastest thumb will win.  If
the override button is held down for more than 30 seconds, it will
"deactivate" the other sidestick.  If the deactivated sidestick's
override button is pushed, it will re-activate.

This scheme has been the subject of much criticism from pilots: it is
widely felt that one pilot should feel what the other pilot is up to,
through the stick.  Inter-pilot communication in an emergency may also
be enhanced through better tactile feedback [PIK88, HEL86, SUM87].

Note that there is no trim control on the sidestick, since this is
normally handled by the Normal and Alternate control laws (see below).
In Direct law, pitch [trim!] must be set through controls on the center
control pedestal.

The only other button, besides the override switch, is a push-to-talk
trigger, for the radios.

The sidesticks are not merely a different interface, otherwise causing
the same functional effects as a conventional airplane.  The pilot's
role in flight management is fundamentally changed, depending upon the
mode the flight control computers are in.  For example, in Normal Law,
which is what the airplane is normally flown in (see below, 5.1), in
a turn, a pilot must normally pull back on the stick, to compensate for
lost lift.  On the A320, this is not necessary: the pilot just moves
the stick in the direction he wishes to turn, and the airplane will
turn, automatically supplying the necessary elevator to maintain
altitude [HOP87].  The sidestick is more of a "flight path command"
interface, rather than a conventional "flight control surface
deflection" interface.  If, that is, the appropriate computer support
is there: if not, the same sidesticks are used with one of the other
"redundant" control laws, which are much more conventional in design.
This raises an interesting issue of whether a pilot, who, with a
properly-functioning system, will fly in "Normal" law almost all the
time, will be "current" enough to satisfactorily fly the airplane in a
significantly degraded mode, more akin to conventional control laws.
This issue is addressed in training, not the interface.

AIRB88    Airbus Industrie/Aeroformation, Flight Crew Operating
Manual, 1988.

COR88    S. G. Corps, "Airbus A320 side stick and fly-by-wire--an
update," Society of Automotive Engineers Paper 861801. [Very GOOD
paper]

HEL86    Peter H.  Heldt, "Airline requirements on a fly-by-wire
aircraft--a pilot's view," Society of Automotive Engineers paper 861804.
[so-so]

HOP87     Harry Hopkins, "Simulating the A320," Flight International,
12 September 1987. [good article, weak on this issue]

PIK88    J.  R.  Pike, "A320 in service--initial report," British Air
Line Pilots Association, July 31, 1988. [extensive comments]

SUM87    L.G.  Summers, et al., "Fly-by-wire sidestick controller
evaluation," a paper presented at the SAE Aerospace Technology
Conference and Exposition, Oct.  5-8, 1987. [ this is a decent overview
of the MANY options available ]

ZIE86    Bernard Ziegler, "Front seat on the future," Aerospace
America, April 1986. [nicely-illustrated pap]


----------------------

How accurate is all this?  Besides the cited sources, I've run into
several other comments on the "algebraic" nature of the sidesticks.
I haven't tried a neutral deflection in a simulator, but a recent email
comment indicated that pilots, while trying to avoid an aircraft on the
ground, commanded opposite inputs, thus leaving the flight path
unchanged.  If true, this would also tend to support the "algebraic,"
additive nature of inputs.

In addition, of the A320 pilots who have reviewed the paper thus far,
none have contested this point.  One pilot did raise the issue that
later transition work isn't as difficult as might be gathered from the
last paragraph.  So far, this is a minority viewpoint.





--
Robert Dorsett
Internet: rdd@rascal.ics.utexas.edu
UUCP: ...cs.utexas.edu!rascal.ics.utexas.edu!rdd



Newsgroups: sci.aeronautics.airliners
From: palmer@icat.larc.nasa.gov (Michael T. Palmer)
Subject: Re: A320 sidestick description + references (Re: Airbus safety)
Date: 14 Dec 92 14:11:43 PST

Robert Dorsett <rdd@rascal.ics.utexas.edu> writes:

>In <airliners.1992.147@ohare.Chicago.COM> palmer@icat.larc.nasa.gov
>(Michael T. Palmer) writes:

>> rdd@cactus.org (Robert Dorsett) writes:
>> >On the A320, there is no interconnect between the
>> >sidesticks: the captain can command a full-left in an emergency evasive
>> >maneuver, the F/O full-right, and the net result will be an algebraically
>> >added "zero."

>> I believe this is incorrect, though I don't have the documentation here
>> right now.  My understanding is that whenever one of the sticks reaches
>> a critical percentage of deflection (say, 75%), it becomes automatically
>> the selected input device.  At this point, the other control stick is
>> ignored.  So it's a race.  Whoever slams their stick to the stops first
>> wins, and the only way for the other crewmember to override is to physically
>> attack the winner.  Neat, huh?

>I've looked into this closely.  Unless there have been significant, recent
>changes, it doesn't work this way (other designs do, though).  Here's an
>excerpt from the impending A320 paper that Pete Mellor and I are writing
>("The A320 Electronic Flight Control System," title subject to change), which
>might help clear things up.


Okee dokee.  You're right; I must have been remembering the specs for a
different system.  I can now recall the stories about the thumb switch for
overriding the other stick (my officemate and some of our test pilots
participated in a week of A320 training down in Florida last year).  Their
reaction to it sparked quite a lengthy debate about the various sidestick
implementations.

Personally, the lack of feedback about what the other crewmember is doing
is just astounding.  Does nobody remember their flight training?!?  How
do you think your instructors (or YOU, if you teach) were able to know what
you were doing even before the aircraft responded to your inputs?  Tactile
feedback can be a powerful and rich source of information.

And when, pray tell, would an algebraic sum of the control inputs be the
desired method of responding to the flight crew's actions?  Did the
designers think that the pilots would agree that the captain would only
move his stick left/right and the first officer only fore/aft?  "I'll be
the base of the triangle, you be the height, and we'll let the EFCS do the
hypotenuse!"  (For those with a math/statics background:  "I'll be the
i, you be the j, and we'll let the EFCS do the resultant vector!").

My point is that if the crewmembers are trying to do something different,
the system should make that MORE not LESS visible.  Otherwise, when the
aircraft does not respond as they expect it to, each crewmember will simply
increase the magnitude of his control input without really understanding
what the h--- is going on.  I guess this is what Reason would identify as
a "latent system error."  The pilots will eventually make an error; yep,
the designers made sure of that.

--
Michael T. Palmer, M/S 152, NASA Langley Research Center, Hampton, VA 23681
Voice: 804-864-2044,   FAX: 804-864-7793,   Email: m.t.palmer@larc.nasa.gov
PGP 2.0 Public Key now available -- Consider it an envelope for your e-mail



Newsgroups: sci.aeronautics.airliners
From: rdd@cactus.org (Robert Dorsett)
Subject: Errata (Re: A320 sidestick description + references)
Date: 15 Dec 92 00:13:24 PST

I thought I had caught most of these, but someone pointed them out:

1.  A "daN" is a deca Newton, or 2.248 lbs.  Airbus's main redeeming feature
is that it's gone SI.

2.  The "thumb-override" design means the guy with the *slowest* thumb will
win, in the final estimation, not the fastest.  Then again, if we really
did have a thumb-war, the next guy would be fast to hit it again; I believe
that's what I was thinking when I originally wrote the sentence.  Apologies
for any confusion this caused.

3.  The comments on the necessity of applying back-stick in a turn were
ambiguous.  I was using as an example a situation of an airplane, straight
and level.  Suppose you're in a conventional airplane.  You want to turn.
You'd turn the wheel.  This causes the airplane to bank.  However, this
decreases the net lift vector, which means the airplane will also descend.
To counteract this effect, you'd apply slight back-stick, to command up-
elevator, thus a greater angle of attack, thus more lift, to maintain level
flight in the turn.  It's all very coordinated, very natural.

On the A320, one would simply use the stick to command a yaw.  The system
automagically applies the appropriate elevator correction to maintain the
anticipated flight-path.  If the pilot were to command any pitch-up, the
airplane would CLIMB in the turn.

This takes place in "Normal" law, the default flight mode.  This is not
"normal" as in "conventional": that's the "Direct" law, which is also the
landing mode, so as to allow the pilot to handle a cross-wind landing and
flare properly.



If there are any more ways I can make this more confusing, please let me know.
:-)




---
Robert Dorsett
rdd@cactus.org
...cs.utexas.edu!cactus.org!rdd
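
The arbitration described in the paper excerpt and in erratum 2 above, as an added example that is not part of the original posts and is not Airbus code. The normalised deflection scale, the names CAPT/FO, and what happens when a button is released before 30 seconds are assumptions; the summing, the last-click rule, the 30-second latch and the re-activation come from the excerpt.

```python
from typing import Dict, Optional

FULL = 1.0            # assumed scale: full deflection of one sidestick
LATCH_AFTER_S = 30.0  # hold time quoted in the excerpt


def clamp(x: float, limit: float = FULL) -> float:
    """Limit the command to the maximum deflection of a single stick."""
    return max(-limit, min(limit, x))


class SidestickArbiter:
    """Toy model of two unlinked sidesticks with override buttons."""

    STICKS = ("CAPT", "FO")

    def __init__(self) -> None:
        self.active: Dict[str, bool] = {"CAPT": True, "FO": True}
        self.held_since: Dict[str, Optional[float]] = {"CAPT": None, "FO": None}
        self.priority: Optional[str] = None  # stick whose button was clicked last

    def step(self, t: float, inputs: Dict[str, float],
             buttons: Dict[str, bool]) -> float:
        """Advance to time t (seconds) and return the commanded deflection."""
        for name in self.STICKS:
            other = "FO" if name == "CAPT" else "CAPT"
            pressed = buttons[name]
            if pressed and self.held_since[name] is None:
                # Button just clicked: the last click obtains control, and a
                # deactivated stick re-activates on its own button.
                self.held_since[name] = t
                self.active[name] = True
                self.priority = name
            elif not pressed and self.held_since[name] is not None:
                # Button released.  Assumption: control passes to the other
                # pilot if he is still holding, otherwise back to summing.
                self.held_since[name] = None
                if self.priority == name:
                    still_held = self.held_since[other] is not None
                    self.priority = other if still_held else None
            if (pressed and self.priority == name
                    and t - self.held_since[name] > LATCH_AFTER_S):
                # Held for more than 30 s: the other stick is deactivated and
                # stays so after release, until its own button is pushed.
                self.active[other] = False

        if self.priority is not None:
            return clamp(inputs[self.priority])
        # No override: algebraic sum of the active sticks, no weight given to
        # the captain, limited to one stick's full deflection.
        return clamp(sum(inputs[n] for n in self.STICKS if self.active[n]))


def run_scenario():
    """Constructed scenario: captain full left, first officer full right."""
    arb = SidestickArbiter()
    opposed = {"CAPT": -FULL, "FO": FULL}
    idle = {"CAPT": False, "FO": False}
    capt = {"CAPT": True, "FO": False}
    both = {"CAPT": True, "FO": True}
    fo = {"CAPT": False, "FO": True}
    timeline = [(0, idle), (2, capt), (3, both), (4, capt),
                (33, capt), (34, idle), (35, fo), (36, idle)]
    return [(t, arb.step(t, opposed, b)) for t, b in timeline]


if __name__ == "__main__":
    for t, cmd in run_scenario():
        print(f"t={t:>2}s  command={cmd:+.1f}")
```

With opposed full inputs and no button pressed the command is zero, so neither pilot's stick shows that the other is cancelling him; that is the condition the posts above object to.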


Newsgroups: sci.aeronautics.airliners
From: drinkard@bcstec.ca.boeing.com (Terrell D. Drinkard)
Subject: Re: Northwest cancels Airbus
Date: 16 Dec 92 04:19:49 PST

In article <airliners.1992.110@ohare.Chicago.COM> hoyme@src.honeywell.com
(Ken Hoyme) writes:

        [much deleted material about the NWA/Airbus cancelations]

>....    (But then, NWA is already
>deeply in debt to Airbus, since they decided to buy A320s based on a
>dynamite financing package that Boeing could not match.)

We here at Boeing also like to think that the Northwest, and the United,
purchase of the A320 were both driven by financial considerations only.
Not true.  The plain facts are that the A320 flies higher, faster, and
farther than the competing Boeing 737-400 while carrying a heavier load and
burning less gas to boot.  That isn't fuel per seat, that is trip fuel.
Northwest's decision, as noted by their VP of Finance a couple of months
ago, was based on superior performance and a higher acquisition cost than
that of the 737.  United came to pretty much the same conclusion.

None of the above is intended to make little of the financial implications
of each of those deals, just put it in a technical frame of reference.

--
Terry
drinkard@bcstec.boeing.com
"Anyone who thinks they can hold the company responsible for what I say has
more lawyers than sense."


Newsgroups: sci.aeronautics.airliners
From: hoyme@src.honeywell.com (Ken Hoyme)
Subject: Re: Airbus safety
Date: 16 Dec 92 14:00:45 PST

In article <airliners.1992.153@ohare.Chicago.COM> Robert Dorsett
<rdd@rascal.ics.utexas.edu> writes:

> The problem is that software is so much more easily changed than hardware,
> that we could very well start an avionics equivalent of "creeping featurism."
> Changing the way a stick behaves can be done in just one firmware update: no
> need to develop new tooling, production techniques, train assemblers and
> maintenance engineers, offer the retrofit during the next C check, etc.
> Just the internal development process, which one can assume is faster and
> cheaper than for hardware.  But, by virtue of this ease, it's also more
> *unstable* than hardware-based solutions.

> Evidence to support this position?  The A320 has about 4M of code.  The A330/
> A340, 10M.  It's happening as we speak...

> Do any Honeywell people reading know how big the 777 EFCS is going to be?

Well, this is an apples-to-oranges comparison.  I can only speak (and
only in vague terms, of course) about the portion of the 777 that
Honeywell is producing.  Honeywell's Airplane Information Management
System (AIMS) contains the FMS function similar to previous generation
airplanes, but does not encompass the autopilot (Rockwell Collins) nor
the FBW Flight Controls (GEC).  The FMS alone requires about 2Mbytes of
executable code.  It also requires a Nav Data Base and RAM for
operation.  I do not know the complexity of the other components of the
"EFCS".  Of course, Displays could be considered another part of the
system.  That function lives in AIMS on the 777.


Newsgroups: sci.aeronautics.airliners
From: Robert Dorsett <rdd@rascal.ics.utexas.edu>
Subject: Re: shielding of digital avionics and subnets
Date: 01 Feb 93 22:30:55 PST

In <airliners.1993.123@ohare.Chicago.COM> kannan91@iastate.edu wrote:

>Finally since Mr. Drinkard is from Boeing I would also like to
>know how does this philosophy about shielding change with respect
>to the 777 as it will be a fly-by-wire airliner where EMI could
>affect control actuation as well.

I can't speak for Mr. Drinkard or Boeing, but back when the A320 was
being developed, Airbus was claiming a 600N weight savings over a conventional
control system.  This was around 1984: by 1988, that figure was
distributed as 200 *pounds*, and in late articles, the savings aren't
mentioned at all.  It is safe to conclude that Airbus neglected to include
the importance of shielding in its weight forecasts.

There have also been articles which indicate that spurious interference,
or even latent static buildup, causes a great number of "unsubstantiated"
component failures and erratic behavior.  I.e.: device fails: crew reports
it.  Removed from aircraft, bench-tested.  Nothing wrong.  Ergo: damned pilots
overstating the problem again, gotta take 'em out of the loop. :-)  This
affects relatively "old-technology" airplanes, such as the 747-200, as well
as more modern airplanes.

The A320 has been extensively tested, according to a standard "DO" something-
or-another.  The Brits even made Airbus fly the A320 near one of those
gigawatt-range military arrays near the English channel, as part of its
certification conditions (this was shortly after a series of reports
of Apaches suddenly wanting to flip over after doing the same).  From
published reports, though, I suspect that the probability of "minor glitches"
is *much* higher than single-instance catastrophic failure.  Of course,
it's hard to estimate when a "lot" of minor problems suddenly become a big
one.

What is UTTERLY APPALLING about the current situation is the trend of
manufacturers to hide circuit breakers from the pilots.  In the A330 and
A340, circuit breakers are below deck.  Yet in the A320, A310, 757, and virtually
every other modern airplane, pilot-developed CB work-arounds to faults in
the *system* design are common.  It should be interesting to see what the
A330 and A340 dispatch reliability turns out to be.

When the 747-400 was being developed, Boeing initially considered hiding
the circuit breakers in a similar manner, but abandoned the idea.  Does
anyone know if they've returned to this philosophy in the 777?   I'm quite
disturbed by the prospect of maintenance-reported "non-existent" glitches
getting imbedded in manufacturer human-performance engineering design
considerations.





--
Robert Dorsett
Internet: rdd@rascal.ics.utexas.edu
UUCP: ...cs.utexas.edu!rascal.ics.utexas.edu!rdd



Newsgroups: sci.aeronautics.airliners
From: rdd@rascal.ics.utexas.edu (Robert Dorsett)
Subject: Pilot attitudes on A320 (RE: A320 cockpit visit)
Date: 17 Jun 93 23:51:35 PDT

>  It is very strange, I've spoken with people who do not fly A320, they do not
>like it, I've spoken with people who fly it, they are fond of it! I cannot
>understand that.

I've a theory on this.  Four components:

1.  Anyone remember MacEvangelism?  The sales and marketing effort for the
Macintosh, taken on a slightly "religious" bent.  Airbus shares a similar
culture, in almost every aspect of production and operations.  It *isn't*
limited to the marketing people.  Engineers, pilots, training, all reflect
this.  Airbus is proud of its technology, and explicitly makes a big deal of
it, for the purpose of differentiating its products.  This is actually
a fairly sharp tact, since *most* airlines aren't "Airbus airlines," and that
single entry into the fleet has to make a significant, favorable impression.
What better way than characterizing the traditional, safe, conservative
competition as technical Luddites?

2.  I suspect the first couple of crashes may be partially attributable to
this er, over-enthusiasm.  Aeroformation's training program is called VACBI,
Video-Audio-Computer-*Based* Instruction.  It can be likened to brainwashing:
very intensive, one-on-one interaction with the computer: answer the right
questions the right way enough times, and you become a Believer.  It goes
beyond "traditional" teaching techniques.  Well, a clear problem with the
early software was that it emphasized the gee-whiz features of the systems,
at the detriment of basic airmanship and operational philosophies needed to
maintain safe flight.  After the second plane augered in, Airbus issued
plaintive warnings to pilots to fly the airplane the "old fashioned way,"
and not to maneuver anywhere near the protections, since by default that
means one is in a low-energy category to begin with, and may not have
sufficient maneuvering capability, to avoid pesky obstacles, like golf
courses.  Yet even now, as Andy's Mexicana visit article clearly shows,
pilots are still flying well into the envelope.  There's no excuse for this.

3.  Pilots aren't the smartest creatures in the world.  Every two or three
months in AIRLINE PILOT, the ALPA rag, one sees "letters to the editor" from
A320 pilots.  These invariably boil down to "gee, it flies great, so why's
everyone criticising the airplane?"  Sort of like the attitudes of DC-10
pilots: "gee, it flies great, so why's everyone criticising the airplane?"
:-)  Hey, it makes their landings look good!  Flies like a fighter!  All
that rubbish.  The ramifications of an airplane design possibly being
responsible for an unnecessary crash every few years doesn't seem to rate
very highly among these people.

Another significant component of this is that a LOT of pilots, bless them,
confuse FBW with glass.  Thus, a pilot might upgrade to an A320 from a DC-9,
see all the glass, and think it's WONDERFUL, and attribute the existence of
glass to the FBW system.  This hasn't a great deal to do with the A320's
contribution to technology, though, and "glass" predated the A320 by seven
years or so.

4.  The "Can Do" mentality.  Pilots tend to be gadget hounds: they WANT to
fly the shiniest, newest airplane on the block, and, once in it, WILL make
it work.  After you fly a few trips and it doesn't kill you, you become a
bit more trusting.  This relates to training: *total* immersion: forget
everything you've learned, and focus on the new airplane, "make it work."
Military pilots, for instance, are legendary in disparaging equipment they're
*not* flying.  When they transition, though, they HAVE to make it
work, or suffer the consequences.  It's common to see them become "instant
converts."  Many pilots are frank about this.  I suspect the same psychology
is at work, here.

Is this sort of "admiration" and "devotion" "real"?  Yeah, probably.  And I
have an ethical dilemma when discussing this sort of thing with pilots: is
it wise to undermine their confidence in a system which they HAVE to make
work?

*My* experience has been similar to the others: A320 pilots luuuuuuuuv their
airplanes.  Yet when I've probed a little bit, I've usually uncovered some
pretty spectacular problems, which they're "working around" to do their job,
or otherwise compensating for.  I also usually find a dichotomy of intense
fondness for the glass, but a real preference for older airplanes, like the
727.  "If only they were more glassy..."


Whatever the reason, the FACT remains that there have been three A320
crashes, in as many years.  No other aircraft of similar technological
vintage--757/767, A310, A300-600, 747-400--can claim the same.  It is
very puzzling that, considering the "glassy" similarities among these airplanes,
there haven't been more problems, fleet-wise.  Perhaps one
difference is that on the other airplanes, pilots are more in the loop,
on their toes--whereas with the A320/330/340, one is in that blasted
*cocoon*, and taught to BELIEVE!

Then again, there is evidence that from a cockpit-workload perspective,
older, conventional cockpits, with simpler flight controls, may be safer
and have lower workload in emergency situations.  See Wiener et al.,
"The Impact of Cockpit Automation on Crew Coordination and Communication,"
released November 1991 as NASA CR 177587.

As an old pilot once told me: "NO airplane is safe."  All things considered,
I'd rather have a pilot with a healthy grain of skepticism for
the gee-whiz features, and make this a general requirement for the breed.
Perhaps if more pilots were skeptical, manufacturers would be less likely
to be "innovative" for poorly based functional or practical reasons.  It's
telling that Airbus has extended the old maxim "trust your instruments" to
"believe in your airplane."  Blind faith has no place in an effective
safety culture.




--
Robert Dorsett
Internet: rdd@rascal.ics.utexas.edu
UUCP: ...cs.utexas.edu!rascal.ics.utexas.edu!rdd



Newsgroups: sci.aeronautics.airliners
From: Robert Dorsett <rdd@cactus.org>
Subject: Re: A320 cockpit visit)
Date: 24 Jun 93 00:37:52 PDT

In article <airliners.1993.466@ohare.Chicago.COM> Mike@oscar.demon.co.uk
(Mike Collins) writes:

>In article <airliners.1993.456@ohare.Chicago.COM>
>rdd@rascal.ics.utexas.edu writes:
>
>>Whatever the reason, the FACT remains that there have been three A320
>>crashes, in as many years.  No other aircraft of similar technological
>>vintage--757/767, A310, A300-600, 747-400--can claim the same.  It is
>>very puzzling that, considering the "glassy" similarities among these airplanes,
>>there haven't been more problems, fleet-wise.  Perhaps one
>>difference is that on the other airplanes, pilots are more in the loop,
>>on their toes--whereas with the A320/330/340, one is in that blasted
>>*cocoon*, and taught to BELIEVE!
>
>But hang on here. I can remember as a kid in the mid sixties reading about
>a series of crashes involving the B727. UK newspapers were running headlines
>like "Jinx Jet Crashes Again". Well they would wouldn't they? They were trying
>to sell the Trident. But the fact remains that the cause of these crashes (as
>far as I remember) was pilots were upgrading from piston craft to jets and
>had no idea of the true handling "quirks" of the 727.

Two points:

1.  The A320 should be compared to aircraft with similar avionics and
operating philosophies: those are the airplanes listed.  There have been
no 757 crashes (released 1982), one 767 (1983) crash, two (?) A310 (1982)
crashes, one (?) A300-600 (1982) crash, and no 747-400 (1988) crashes.
Yet in the first three years of operation, the A320 had three.  Something's
wrong, there.  Yeah, it *could* be bad luck--that happens.  But the circumstances
gel quite well with critics' theories and concerns raised by pre-existing
research.

2.  The 727 situation was a different era, and should be viewed accordingly.
The pilots were upgrading to *jets*, and had no experience with jets.  In
particular, jet aircraft can sustain very high rates of descent, quietly,
which is believed to have played poorly on the "flying instincts" of the
previous-generation prop pilots.

I would suggest that the 707, 727, and DC-8 provided the "learning curve"
for the jet age: they had higher accident rates because they were first.  If
one looks at the post-60's accident record, the 727 fares as well as other,
more modern aircraft.  It WAS a learning curve drawn in blood, though, one
which we should honor, with incremental, need-driven airframe and avionics
evolution.


Now, Airbus, of course, would have us believe that *its* interface is the
"future" of jet transport, and, if we accept that, then its accident rate
is as easily "justified."  The problem here, though, is that they haven't
changed that much about how airplanes fly--only how they're flown--and NOBODY
else is jumping on the same bandwagon.  The FBW is proprietary, and their
control laws are unique.  They are vaguely similar to what Boeing was considering
on the 7J7, but guess what--Boeing's opting for a "conventional"
control law and interfaces on the 777.

The industry's exploding in many different directions, many different
standards, and we're going to pay for it in more blood.  I think we're
reaching the point of negative returns on systemic safety "improvements."


> The common problem was
>allowing speed to decay on the approach.

This was discussed in depth on airliners a few months ago; see the airliners
archives on rascal.ics.utexas.edu for more information.  There aren't many
parallels that I can see: only a fool would purposely fly a 727 on the back
side of the power curve, yet it seems to be par for the course for many pilots
on the A320. :-|


>Perhaps half the problem lies with who airlines choose to be their pilots.
>If they put a "boy racer" in charge of a multi million dollar arcade game
>like the A320 what do they expect.

It's really a question of philosophies.  There are two major philosophies for
the future (three, if you count keeping things like they are).

The first is to continue with the automation of technology, and isolate the
pilot.  One day, perhaps, he will become superfluous: yet, by regulation, now,
he must be in the loop.  There is strong evidence that insulated pilots tend
to become careless pilots, "out of the loop."  So do we accept the
"management" philosophy, and choose people who are basically clerks, who
can be trained to push the right buttons and take orders, and hope that the
innate reliability of the systems doesn't *require* a stick & rudder man?

The other approach is to "keep" the pilot in the loop, yet somehow "protect"
the airplane from his mistakes.  This is the "cocoon" approach.  Let him
maneuver with some discretion, give him things to do, but forbid things from
getting too far out of hand.  This may be undesirable, too, in that the pilot
may grow to rely on the "protections" being there to save his bacon.

There is a theme unifying these approaches, and that's to drive down the
novelty of the personnel requirements which "make the pilot."  This appeals
to third world and European countries, which either don't have a military or
civilian pilot pool to draw from, or forbid their military pilots from flying
with air carriers.  More pragmatically, it eventually opens the way to
piloting as being a mere technical skill, something that anyone with a two-
year college degree or high school diploma can handle just fine (as British
Airways is currently doing with its ab initio program).  If you lessen the
personnel requirements, you eliminate the novelty, you vastly broaden the
pilot pool, and you end up getting to pay pilots a small fraction of what
they're currently making.  I don't know about you, but I'd rather not have a
$20,000/year kid flying my $140,000,000 747, responsible for the lives of 600
people, worrying about how he's going to pay for his kid's braces.  Is such
a person going to shout down company management if he feels the airplane
is unsafe?  Ha! (cf. Continental and Eastern under Lorenzo)  Yet we have
technocrats from all directions who are happily trying to make this the case:
ATC automation/authority proponents, the airlines, the manufacturers.  Just
what we want: a committee responsible for airplane safety--with their butts
safely on the ground, naturally. :-)

But for now, is continued evolution along the automated/cocoonish tract
as safe as previous approaches?  Probably not!  Is one unnecessary crash
every five years unacceptable to the bean counters?  Probably not!


IMHO, the A320 combines the worst of the two mainstream "modern" control
philosophies.  It has a very high degree of automation (the pilots only touch
most system switches, for instance, during pre-flight, to verify that
everything is functional), together with the promises and pitfalls of
protections.  All the while providing a NEW method of flight control, in the
form of three major control laws, and countless permutations within those
control laws.  Plus the known human factors problems of FMS-based flight
guidance systems (i.e., cumbersome and too "heads-down").  I could accept one
of these problems--but not all three, not in the same airplane.


Perhaps some of the Honeywell or Boeing people on the net would like to
comment on the 777 cockpit philosophy?  I understand it makes some attempts
to keep the pilots in the loop, but I haven't read anything on it, recently.


>I think the voice commands from the FMS should, every 5 minutes, repeat what
>every pilot learnt at his instructor's knee. "There are old pilots and there are
>bold pilots but there are no old bold pilots"

Yeah, but how do you reconcile the old/bold parable with pilots who are
selected and trained to view it as a 9-5 job, and are neither bold nor
timid? :-)  In other words, "boldness" isn't the problem, it's the environment
and training and their very strong influences on human behavior.  If
you are aware of the problem, you can work around it; if not, you can fall
victim to the environment and make a mistake that kills you and your
passengers.





---
Robert Dorsett
Senior Luddite
rdd@cactus.org
...cs.utexas.edu!cactus.org!rdd



Newsgroups: sci.aeronautics.airliners
From: Robert Dorsett <rdd@cactus.org>
Subject: Re: A320 and a bit on the bloody DC-10 (was: cockpit visit)
Date: 29 Jun 93 09:22:52 PDT

In article <airliners.1993.480@ohare.Chicago.COM>
spagiola@frinext.stanford.edu (Stefano Pagiola) once wrote:

>Robert Dorsett <rdd@cactus.org> writes
>> 1.  The A320 should be compared to aircraft with similar avionics
>> and operating philosophies: [747-400, 757, 767, A300-600, A310]
>
>I'm not sure what `similar' means in this context but it seems to me
>that the A320 isn't really comparable to any of these designs.  Yes,
>they all have `glass' cockpits and digital avionics (as do the MD-88,
>MD-11, and Fokker 100), but none of the other designs is FBW, and
>none attempts to give the kind of `protection from errors' that the
>A320 attempts

I'll try to word this carefully, since there are a number of nuances at
play.  The A320 is rather aggressively compared to the first-generation-glass
airplanes (757, A310) by *Airbus*, not me.  They're proud of the high-tech,
but use this to try to silence critics that view the airplane as a radical
departure.

In particular, the operational philosophy is a derivative of the A310.  The
major environmental changes are the use of fully integrated flight displays
(doing away with electromechanical instrumentation), and a full-time
electronic flight control system (FBW).  Further adaptations to the flight
management & guidance system (FMGS) operational philosophy have been made to
take advantage of various features offered by the EFCS.  What results is a
relatively simplified "management" environment (or, at least, fewer controls).

Now, *I* think that the various changes are pretty radical departures, when
considered in totality, and I doubt you can find too many experts that view
the A320 as a 1981-vintage product, but like I said, Airbus (these days, at
least) prefers to point out the overt similarities with other, pre-existing
systems.  Electronically and physically, there are certainly similarities.


> (what Bob Dorsett called the `cocoon' approach).

I believe the credit should go to E. Wiener and R. Curry, who, as far
as I know, first outlined this concept in detail in a 1980 document.


> The
>A320 will be comparable to the 777, when it comes out.  I fully
>expect the 777 to compare favorably, if only because Boeing could
>draw on 5 years of A320 experience.

I am not sure that's the case.  *Electronically*, the 777 is a significantly
different, more advanced airplane, and really does push new frontiers.  The
cockpit environment itself will have more in common with the 747-400 than
the A320, however.

When it comes to nuts and bolts, when I talk about airplanes of the same
vintage, I'm mainly referring to the technological goals and capabilities,
not *necessarily* the specifics of design.  Somewhat like comparing a Russian
and American warship ca. 1965: there will be no doubt they're of the same
vintage, but there will also be definite differences in design approaches.


>Rephrase that a little and it won't seem so bad: Airbus believed (and
>probably still does) that its interface approach was the future.

I can't really see that.  It's a highly proprietary, closed system.  They
do not license it, it isn't in the public domain.  The source code for all
the software is a jealously guarded secret, one which not even the authorities
are privy to.  The various schema are the byproduct of marketing product
definition, and changed throughout the airplanes' development.  Even keeping
an open mind, I can't really find anything in the literature which suggests
they expect or would desire that others follow their example: only that what
they're doing is *better* than what others have *done*.  It's a defensive
posture (rightfully so).

I WOULD agree that Airbus CERTAINLY believes that its interface approach is
*its* future. :-)


>debate that can be undertaken a priori.  You have to try it to see.
>I think Airbus deserves praise for attempting the transition to a new
>way of flying.

Given the academic research, which really doesn't support the design
decisions, I can't help but think that this is "technology for technology's
sake," which is often counter-productive to safety.  Once again, my battle-
cry: evolution, not revolution!


>> If you are aware of the
>> problem, you can work around it; if not, you can fall victim to
>> the environment and make a mistake that kills you and your
>> passengers.
>
>As I said, I think most A320 pilots are, at this point, aware of the
>potential pitfalls and treat them with respect.  That's why I don't
>lose any sleep over flying on A320s.  But I hope it doesn't take a
>periodic crash to keep people watchful.

Take the following with a grain of salt: I mention it both for the moral
and a slightly different take of the mechanics of the crash (as opposed
to how it's generally treated in the media--but it's generally supported
by the accident report, p. 35, subsection 1.17.3).  Also consider that
the man really dislikes the DC-10.

I had an interesting conversation with a maintenance type a few weeks ago.
We were discussing the DC-10.  He was kind of down on pilots, and mentioned
a DC-10 pilot who was real proud of his airplane.  They got to talking about
the O'Hare crash, when the pilot got offended and insisted that the slat-
retraction problem had been "fixed."  "How?" he was asked.  "Well, changes to
the hydraulics system were made such that you couldn't lose your slats if
you lost hydraulic pressure."  Fine, my friend said, but that wasn't the cause
of the crash.  Yes, they lost one (maybe two) hydraulic systems, but the
problem was that the slats were moved and held in place by *cables*, which
are driven by "hydraulic motors" in the middle of the main fuselage.  In
fact, a common actuator is used for both the left and right slats.  When
the engine tore off, it took out the #1 system, but more importantly, it
took out the cables, so there weren't opposing forces, and the slats simply
retracted.

The "real" fix to the problem was that the DC-10 takeoff profile was *really*
shallowed-out, so that appropriate airspeed margins were kept in case of a
similar catastrophic engine failure.  But *this* pilot had a mystical faith
in a non-existent "hardware solution."  Kind of like the expectation a lot
of us had that the MD-11 MUST have been changed significantly, SOMEHOW...
but really wasn't. :-)

So the moral of the story, I guess, is that knowledge of the problem isn't
always indication that the problem (or the nature of its work-around) is
really understood.  I'll concede that this is kind of apples and oranges, and
thus far, pilots have been surprisingly good at working around the problems
posed by glass (maybe it does have a benefit--at least in most glassy
airplanes, it keeps 'em on their toes? :-))





---
Robert Dorsett
rdd@cactus.org
...cs.utexas.edu!cactus.org!rdd



Newsgroups: sci.aeronautics.airliners
From: Robert Dorsett <rdd@rascal.ics.utexas.edu>
Subject: Re: Lufthansa crash in Warsaw - Preliminary findings
Date: 19 Oct 93 12:49:37 PDT

In article <airliners.1993.643@ohare.Chicago.COM> rna@leland.Stanford.EDU
(Robert Ashcroft) writes:

>In article <29ivkd$7kb@news.cs.tu-berlin.de>, landmark@cs.tu-berlin.de
>(Torsten Kerschat) writes: (A320 crash in Poland)
>
>|> Ok. I thought you know, what problems can arise, when aquaplaning
>|> occurs. The thrust reversal only works, when the wheels are turning !!
>|> This is provided for security reasons ! The thrust reversal should
>|> only be available on the ground.
>|> The commission said, aquaplaning can cause that.
>
>That's incredible, if it is true.  Is this a feature of all thrust-reversing
>systems, or something that was built into the A320 fly-by-wire system?
>And if this is unique to the fly-by-wire system, does it take the blame for
>the crash?

The A320 thrust reversers require both air/ground switches (mounted on
the main gear struts) to indicate a "ground" signal, before they may be
unlocked.  The spinning of the wheels is not relevant.  In this respect,
the A320 is like every other airliner in use.



--
Robert Dorsett
Internet: rdd@rascal.ics.utexas.edu
UUCP: ...cs.utexas.edu!rascal.ics.utexas.edu!rdd



Newsgroups: sci.aeronautics.airliners
From: rdd@rascal.ics.utexas.edu (Robert Dorsett)
Subject: A320 braking methods
Date: 22 Oct 93 01:05:22 PDT

From: Robert Dorsett <rdd@rascal.ics.utexas.edu>
Reply-To: rdd@rascal.ics.utexas.edu
To: airliners@chicago.com,ata-watchers
Subject: A320 braking methods

The following is an overview intended to clarify some of my thoughts, and
outline in one place the major issues at hand.

There are two braking mechanisms in common use.  In order of importance:
	Wheel brakes + Anti-skid + ground spoilers
	Thrust reversers

Wheel brakes are how the airplane is stopped.  Many people think the
thrust reversers play a large role: it's marginal, not affecting roll-out
distance by more than 10-20%.  Most airplanes have automatic braking
systems, which apply pressure after touch-down.

Anti-skid significantly improves on braking distance in most runway
conditions, wet or dry.

Ground spoilers are used to dump lift: by destroying airflow over the
wings, they force the entire weight of the airplane on the wheels, thus
ensuring maximum friction with the available surface.  Most airplanes
have automatic spoilers: after touchdown, all panels will deploy.

Thrust reversers are designed for failure: it is MUCH LESS desirable to
have them deploy in flight, than have them fail on the ground.  I am
not aware of ANY airplane which has automatic thrust reversers.

Landing distances are based on landing in 60% of the available runway
length (plus touch-down zone distance, ~1300').  This figure provides
the minimum field length of a landing.  To this figure is applied
correction factors for runway condition, winds, and whether anti-skid
is available, all indexed by weight and airport elevation.

Thrust reversers may NOT be used in anticipating landing distances.



Specific to the A320:

1.  Wheel brakes are modulated by a dual channel "Brake and Steering Control
Unit." The A320's brakes and nosewheel steering may be considered "steer by
wire."  The primary actuation mechanism is through pedals located near
the pilots' feet.

The BSCU is a digital computer which modulates hydraulic valves to apply
braking pressure to the carbon disc brakes.  One of two hydraulic systems,
green and yellow, may be used.  The BSCU uses inputs from the two ADIRS's
(Air Data/Inertial Reference System), and four wheel tachometers, to arrive
at an integrated speed.  If the ADIRS's are not valid, then the speed is
limited to the maximum of the four main landing gear wheel speeds.

If this value passes muster, then the gain is amplified, and the valves are
modulated.  The system automagically senses failure of the primary braking
hydraulic system (green) and then switches to yellow.

2.  The A320 has an automatic braking system.  This system can command
a high, medium, and low rate of braking.  If the "low" mode is selected,
braking commences gradually about 8 seconds after ground spoiler deployment,
and the deceleration limit is set at 1.7 m/s^2.  If the "medium" mode is
selected, then the braking commences immediately after ground spoiler
deployment, and the deceleration limit is set at 3.0 m/s^2.  The "hi"
mode provides maximum braking, and is normally armed only for take-off.
I would speculate that this system would be OFF in a situation like Warsaw.

3.  The A320 has an anti-skid system.  This system maintains the brakes
at the limit threshold of an impending skid.  If the system detects that
a wheel speed has dropped beneath 87% of what the system calculates the
actual airplane speed is, the brake is released.  The maximum rate of
deceleration is 1.7 m/s^2.  The anti-skid system must be manually selected
"on."  The anti-skid system is a "modulation" applied to a braking command,
either manual or automatic.  A working anti-skid system can cut brake
distances by up to 40%.

4.  The A320 has ground spoilers.  These consist of the flight spoilers,
plus four inboard ground spoiler panels.  The purpose is to destroy lift
above the wing.

An automatic ground spoiler system may be armed.  When the speed brake
lever is pulled into the armed position and the thrust reversers are at
idle, or when reverse thrust is selected on either engine, the surfaces
will extend to 45 degrees, IF the airplane is on the ground and airspeeds
are greater than 66 knots.  It seems this limitation also applies to
manual selection of the spoilers.

If the airplane is in the air, spoilers are retracted at high AOA, or
in full landing configuration.  This could be relevant if the plane was
floating, or didn't sense it was on the ground.

5.  Lastly, the A320 has thrust reversers.  As stated before, thrust reversers
are more of a guarantee than a primary braking mechanism: provided the
airplane landed properly, on speed, thrust reverser failure would not be
a factor.   The thrust reversers are only available with both engine control
units operating, both air/ground sensors showing the airplane in the
GROUND configuration, and the thrust lever in the "reverse" detent.
If all three criteria apply, the reverser doors are unlocked, and hydraulic
pressure is used to move the doors.  While the doors are in transit, the
FADEC will command the engine to IDLE.


Speculation:

With all this in mind, I'm tending to think "failure to select
automatic spoilers" at this point.  Nervous pilot, foul weather, high
workload, easy mistake.  If it's assumed that they're set, and they're
not, valuable time is lost: the spoiler lever is on the left hand side of
the center pedestal (captain being qualified, and well aft, out of the
normal scan (unlike Boeing or A300/A310 spoiler/flap levers, which are in
the same area as the thrust levers).

Also, it seems to be yet another damned Airbus push/pull interface, and the
lever probably doesn't move when full spoilers are commanded.  So if the
spoilers don't get deployed quickly, the airplane floats, the A/G sensor
may not click, the thrust reversers remain locked closed, the brakes don't
work at maximum effectiveness (if they're enabled at all in the air with
the gear lever in the down position), and the anti-skid is irrelevant.  It
takes time to recover from something like this.



--
Robert Dorsett
Internet: rdd@rascal.ics.utexas.edu
UUCP: ...cs.utexas.edu!rascal.ics.utexas.edu!rdd



Newsgroups: sci.aeronautics.airliners
From: rdd@cactus.org (Robert Dorsett)
Subject: Re: 777 ETOPS certification
Date: 10 Nov 93 00:02:34 PST

In article <airliners.1993.714@ohare.Chicago.COM> drinkard@bcstec.ca.boeing.com (Terrell D. Drinkard) writes:
>In article <airliners.1993.710@ohare.chicago.com>,
>Jay Vassos-Libove <libove@tom.alf.dec.com> wrote:
>
>>Boeing's first fly-by-wire plane? Really?  I had thought that
>>the 757 and 767, and the newest 747-400 models, were also
>>fly-by-wire.  Or are they just more "glass cockpit" than
>>prior planes, but not actually fly-by-wire?
>
>747, 757 and 767 are conventionally controlled.  Mostly.  The 757 does have
>fly-by-wire spoilers.  You are probably thinking of the glass cockpits and
>the extensive automation of systems.

This is an interesting point, and brings up the usual flow of conversation
with A320 pilots:

"How do you like the FBW?"
"I love it!"
"Why?"
"Well, the ADI's incredible, and I LOVE the map display."

:-)

A LOT of pilots are entering the A320 from conventional aircraft, like the
737 or 727, and have never seen glass or FMS's before.  They think that
the glass is part of FBW.  I always take this into account when processing
"love it" comments; they'd probably be just as happy on a 757.

This confusion is aided by the fact that "FBW" isn't really a closely
defined term.  A lot of pilots seem to think that it refers to "electronic
management," which includes the flight control system and flight management
system.



---
Robert Dorsett
rdd@cactus.org
...cs.utexas.edu!cactus.org!rdd



Date: 1 Dec 93 21:31:32 GMT (Wed)
From: Dr Peter B Ladkin <pbl@compsci.stirling.ac.uk>
Subject: More news on the Lufthansa A320 accident in Warsaw

The story so far is that the spoilers, brakes and reverse thrust were disabled
for up to 9 seconds after landing in a storm on a waterlogged runway, and the
airplane ran off the end of the runway and into a conveniently placed earth
bank, with resulting injuries and loss of life. (First report of actuation
delay in Flight International, 13-19/10/93.)  Subsequent enquiry led various
people including myself to speculate that there was some sort of logic or
system error, which was subsequently narrowed down to a problem with the
arming logic for the spoilers-brakes-reverse-thrust combination (let's call
this the braking logic for short).

On 10 Nov, Frankfurter Allgemein reported that Lufthansa had concluded there
was a problem with the logic, and was requiring their pilots to land in a
different configuration and a different manner in such weather and runway
conditions, to `fool' the logic. This decision was supported by the
Luftfahrtbundesamt, the German equivalent of the FAA (US) or CAA (GB). Der
Spiegel, in issue 47 (22/11/93) reported on the `deadly logic' of the A320
braking systems. Der Spiegel this week (issue 48, 29/11/93) reported that
Lufthansa was talking with Airbus on a change in the braking logic to reduce
the weight-on-wheels load criterion from 12 metric tons to 2 metric tons, and
claimed that this was the first time that Airbus had to `convert their
machines' because of an accident (`ihre Maschinen nach einem Unglueck
umruesten muessen').

I talked this afternoon to David Learmount, the Operations and Safety Editor
of Flight International, concerning progress on the A320 crash in Warsaw and
the consequences. He holds an ATP (Airline Transport Pilot) or equivalent
rating.  I asked David what was afoot, since Flight International has been
relatively quiet since 13/10.  He said that Lufthansa, the Luftfahrtbundesamt,
and Airbus are all still in conference.  Firstly, the airplane is not
certificated for what Lufthansa want to do.  So, they are all trying to figure
out what *can* be done.  The certification authority (JAA, see below) may be
involved in these discussions.  Everyone, including David, is aware that
although the solution may be implemented in software, this doesn't necessarily
mean the software itself was at fault (i.e. the software may correctly
implement the braking logic, but this latter may be inappropriate).

Some other information. David said that normally one carries 5-15kts for
gusts. Carrying 20kts, as in Warsaw, is unusual. Secondly (confirming
speculation that some pilot actions may have been contributory), the pilot
tried to grease it on, rather than dumping it on. (`Dumping it on' means
landing relatively hard, which is acceptable to all but the passengers, is
likely to have compressed the squat switches, and also more likely to get the
wheels gripping and spinning.)  Thirdly, the landing was well inside the
certification envelope, which is somewhere in the region of 200kts.
Additionally, there is no information to suggest that the pilot had any
indication that the weather report was old.  David also confirmed the 12
metric ton figure for the squat switch trigger.

The Joint Airworthiness Authority certifies (or certificates, as they say)
airplanes for EU countries. Theoretically, all members of the EU are members
of the JAA, but in practice only the French (DGAC), British (CAA), Germans
(LBA) and Dutch (???) are active rule-makers. 

Many thanks to David and Flight International for this information.

Peter Ladkin
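
The ground-sensing conditions listed in the "A320 braking methods" post, combined with the weight-on-wheels figures reported in the post above, as an added sketch that is not part of either post and is not Airbus logic or code. Assumptions: each air/ground sensor is modelled as a load threshold on its own main gear strut, and the touchdown trace and all field names are constructed for illustration.

```python
# Added illustration: simplified model of the ground-sensing gates described
# in the posts. Field names and the sample trace are constructed assumptions.
from dataclasses import dataclass

SPOILER_MIN_AIRSPEED_KT = 66    # spoilers extend only above 66 knots
ANTISKID_RELEASE_RATIO = 0.87   # brake released below 87% of computed speed
WOW_REPORTED_T = 12.0           # weight-on-wheels criterion reported, metric tons
WOW_DISCUSSED_T = 2.0           # reduced criterion reported as under discussion


@dataclass(frozen=True)
class Sample:
    t_s: float                  # seconds after first runway contact
    left_load_t: float          # load on left main gear strut, metric tons
    right_load_t: float         # load on right main gear strut, metric tons
    airspeed_kt: float
    spoilers_armed: bool = True
    thrust_at_idle: bool = False
    reverse_selected: bool = True
    ecus_operating: bool = True


def both_sensors_ground(s, threshold_t):
    """Assumption: each sensor trips at threshold_t on its own strut."""
    return s.left_load_t >= threshold_t and s.right_load_t >= threshold_t


def spoilers_extend(s, threshold_t):
    """Armed with thrust at idle, or reverse selected; on ground; above 66 kt."""
    commanded = (s.spoilers_armed and s.thrust_at_idle) or s.reverse_selected
    return (commanded and both_sensors_ground(s, threshold_t)
            and s.airspeed_kt > SPOILER_MIN_AIRSPEED_KT)


def reversers_unlock(s, threshold_t):
    """All three criteria from the post must hold before the doors unlock."""
    return (s.ecus_operating and both_sensors_ground(s, threshold_t)
            and s.reverse_selected)


def antiskid_releases(wheel_speed_kt, aircraft_speed_kt):
    """Brake is released when a wheel drops below 87% of computed speed."""
    return wheel_speed_kt < ANTISKID_RELEASE_RATIO * aircraft_speed_kt


def blocking_gates(s, threshold_t):
    """Name the conditions currently withholding the thrust reversers."""
    gates = []
    if not s.ecus_operating:
        gates.append("engine control units")
    if s.left_load_t < threshold_t:
        gates.append("left air/ground sensor")
    if s.right_load_t < threshold_t:
        gates.append("right air/ground sensor")
    if not s.reverse_selected:
        gates.append("reverse detent")
    return gates


def first_available(trace, threshold_t):
    """Time of the first sample permitting both spoilers and reversers."""
    for s in trace:
        if spoilers_extend(s, threshold_t) and reversers_unlock(s, threshold_t):
            return s.t_s
    return None


# Constructed trace: a soft touchdown where one strut loads up slowly.
TRACE = [
    Sample(0.0, 5.0, 0.0, 140.0),
    Sample(2.0, 8.0, 1.5, 136.0),
    Sample(4.0, 10.0, 2.5, 131.0),
    Sample(6.0, 12.5, 6.0, 125.0),
    Sample(8.0, 13.0, 12.5, 118.0),
]

if __name__ == "__main__":
    for threshold in (WOW_REPORTED_T, WOW_DISCUSSED_T):
        print(f"criterion {threshold:>4} t: spoilers and reversers permitted at "
              f"t={first_available(TRACE, threshold)} s")
        for s in TRACE:
            held = blocking_gates(s, threshold)
            print(f"  t={s.t_s:>3} s  reversers held by: {held or 'nothing'}")
```

Because every deceleration device is gated on the same ground signal, a single lightly loaded strut withholds all of them at once; the trace shows how the threshold alone shifts when that common gate opens.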


Date: 4 Dec 93 01:26:43 GMT (Sat)
From: Dr Peter B Ladkin <pbl@compsci.stirling.ac.uk>
Subject: Lufthansa Warsaw crash - A Clarification [Voges, RISKS-15.31]

>   [This echoes what Peter Ladkin contributed to RISKS-15.30, and is
>   included for those of you who did not go through Peter's account.  PGN]

I'm afraid I disagree that this echoes my account. Although Udo may have
correctly reported what the TV said, I find the account misleading. I'd like
to clarify some differences.

First, `causes': the final report from the Polish authorities will be *the*
legally valid document enumerating the factors. The major players are all
discussing their favored candidates, but there is not unanimity. At least one
candidate factor mentioned in my article has not been reported yet by the
media [RISKS is sometimes first!]. It was not on Udo's list, which is a strict
subset of the candidates so far. There may be more that we're not aware of
yet.  Factor 3 reported by Udo is a misleading statement of the braking logic.

Udo reports that Airbus `agreed to modify its control system'.  I wonder. The
so-called `modification' has been available as an option to operators for some
time, and has been installed on delivered A320s.  Airbus has already noted
that this option is available to operators. This can't count as modification.

Peter Ladkin


Newsgroups: sci.aeronautics.airliners
From: rdd@netcom.com (Robert Dorsett)
Subject: Re: causes of go 'rounds?
Date: 14 May 94 00:08:41

In article <airliners.1994.1220@ohare.Chicago.COM> tetrode@aol.com
(Tetrode) writes:

>Interestingly, the pilot, in an effort to placate us nervous passengers,
>mentioned that the reason for the abrupt nature of the maneuver was due to the
>manner in which the Airbus is programmed to respond to such a situation. He
>implied that the maneuver was more or less a push-button affair. Any comments
>on this from informed sources?

From the Northwest Airbus comment, it's reasonable to assume it's an A320.
If the pilot had pulled back on his stick, he would have increased pitch up
to CLMax (maximum lift), while simultaneously engaging alpha floor protections
on the engines, which would spool them up to go-around thrust.  The
combination of the two, especially in a light airplane, could result in a
very high deck angle.

Most go-around situations don't require this extreme a maneuver, though; I'd
be interested in hearing whether Northwest (or Airbus) actually encourages
pilots to fly that aggressively for routine go-arounds, or whether they try
to reserve them for windshear or evasion situations.

Certainly, after the Bangalore crash, Airbus went at pains to emphasize that
the airplane should be flown just like any other: by the numbers, well
within the envelope.  Perhaps some crews have yet to get the message.  Or
perhaps this is how AI recommends the airplane be flown.  Any A320 pilots
out there?




--
Robert Dorsett
rdd@netcom.com


Newsgroups: sci.aeronautics.airliners
From: rdd@netcom.com (Robert Dorsett)
Subject: Re: RISKS DIGEST 16.20
Date: 07 Jul 94 00:13:06

"Robert Morrell Jr." <bmorrell@isnet.is.wfu.edu> writes:
>Subject: Airbus
>
>I recently had the opportunity to discuss at length the various RISKS Digest
>pieces on air safety and computer controls with a relative who is an
>experienced military and civilian industry pilot.
>
>He agreed with the thrust of the threads here, but added a specific and
>general comment about the A-320.
>
>Specifically he noted that the greatest problem with the aircraft is that it
>is unique in lacking a unified "off switch" for the autopilots. All other
>aircraft have one control that can be flipped or pressed that will turn off
>the computer pilot(s) and return control to the aircraft.  Apparently doing
>this in the A-320 is no small matter.

Is your friend actually an A320 pilot?  If so, I find his comments puzzling.

Like other modern aircraft, the A320 can operate in either "managed" flight
or "selected" flight.  In "selected" flight, the pilots can command various
flight parameters (airspeed, heading, altitude) simply by dialing in
parameters into a (usually glareshield) interface.  In managed flight,
they interact with a flight computer which makes turns, etc. in automatic
consultation with a pre-programmed flight plan.

"Selected" flight is performed via the equivalent of an autopilot control
interface on the A320.  On this airplane, the management computer and guidance
computers are integrated, and called a "Flight Management and Guidance
System" (FMGS).  Under either managed or selected flight, these command
the computers that comprise the electronic flight control system (EFCS) to
perform the desired tasks.

BUT ONLY if the pilot specifically presses one or both of the autopilot
switches on the glareshield.  If the switches are not engaged, the airplane
will NOT be controlled by the FMGS (in either selected or managed mode), and
the airplane's EFCS will be controlled directly by the sidesticks, in one
of the myriad flight control laws.

Disengagement?  It's as simple as depressing a red button on either of the
pilots' sidesticks.  Then they're in control.  Or manually "clicking off" the
autopilot engage switches (there are only two, they're illuminated, and they're
side-by-side) on the glareshield.


>Generally, though he and other pilots like the A-320, it is known for having a
>"mind of its own" literally. Most pilots, according to my relative, have
>stories of the plane suddenly "up and deciding to begin an approach, go around
>or enter a traffic pattern" It seems amusing usually, but then my relative had
>never had it happen low to the ground....

As far as I can tell, these are just stories.  In reality, the flight control
system, for all the theoretical bickering, is probably quite safe.  The
flight management system is pretty conventional, and well-understood.  It
may have some idiosyncrasies, but they're not unique to this type of airplane
(if they exist on the A320, they will occur on the 757, 767, virtually
any modern airplane which has an FMS).

Not a single one of the "FMS take-over" stories has been proven.  Many of
the stories originate among pilots and lay people who have not used FMS-
driven cockpits, and confuse the FMS featureset with the fly-by-wire
controversy.   Many have assumed the stature of urban legends.

What IS clear, however, is that the A320 user interface suffers in other
respects, such as not clearly providing mode differentiation, feedback, etc.
This is a whole other can of worms, however, and doesn't really pertain to
a lack of ability to "click it off."



--
Robert Dorsett
rdd@netcom.com



Newsgroups: sci.aeronautics.airliners
From: David Lednicer <dave@amiwest.com>
Subject: A320 comments
Date: 18 Sep 95 12:06:58 

	A friend of mine recently converted over to the A320.  At my
request, he has prepared the following comments regarding the aircraft.
These comments are posted with his permission.

Date: 20 Aug 95 21:21:04 EDT
David:

I am on my way back home after having about 36 hours off from training.
I have finished ground school, the written exam, the 3 hour oral exam,
and fixed-base simulator training.  I have my first full-flight simulator
session at 1pm this afternoon.  In all, I will have spent about 80 hours
in "the box" before I go on the line.  I'll finish up ground training on
30 August and go on I.O.E. (initial operating experience) sometime during
the first 10 days of Sept.  I will then go on vacation to the Reno Air
Races until the 21st and then out on "the line" as an A320 F/O.  So far
the training has been very good, and the aircraft is OK but not
outstanding.

The A320 is used by us to fly mainly the 2 1/2 to 3 1/2 hour legs,
typically half-transcontinental, such as our central hub to SEA or SAN.
Many of the layovers are in SEA, SFO and SAN on the west coast and BWI,
BOS, etc. on the east coast.

My general impressions of the aircraft:

Many of the systems/features are excellent, but a few are well below
average.  (Note: since I haven't flown the actual aircraft yet, comments
about handling are really relative to the simulator.  Comments about
systems are from an operational point of view, not a maintenance/
engineering point of view since we didn't cover the actual design of the
systems in class.)

Specifically,

1.  Fly-by-wire.  The flight control laws and the failure degradation
modes are excellent.  The flight control laws are: Normal Law, Alternate
Law, Direct Law, Mechanical Backup, and Unusual Attitude Law.  It requires
multiple failures of similar but independent systems to degrade.  It takes
a degradation of two levels to reach the same flight characteristics that
a 727/737/DC-9 starts out with.  We have had only one degradation to
Alternate Law in the time we've been flying them.  The minimal mechanical
backup available (rudder and pitch trim) is intended to allow the pilot
time to get a computer back up on line and should be adequate.

2. Sidestick controller:  This is GREAT!!!! It is natural from either
seat. It takes only about 10 seconds to feel comfortable with it.  I think
Boeing missed the boat by putting a yoke in the 777.  It is different from
the F-16 in that it has much more movement (about an inch and a half in
any direction).  I think that there should be more "feel" but it's pretty
good as it is.

3. Main systems:  All of the main aircraft systems, hydraulics, electrical,
pneumatic, brakes, etc. are well configured from an operational point of
view.  Systems recover/reconfigure from failures well and are easy to
understand and manage.  I don't know about the robustness of the systems,
but we are getting good dispatch reliability so they must be OK.  Rumors
have it that the mechanics think that we'll have reliability problems in
the future due to the "minimum gauge" philosophy that is found in all
new-generation aircraft.

4. APU:  The APU itself is fine but there is one very poor flight deck
mechanization.  It is not possible to tell directly from the overhead
panel whether or not the APU is on-line and powering the aircraft.  I
believe that a mis-design of switch moding is to blame.  Someone just
wasn't thinking operationally here.

5. Flight Management Guidance System (FMGS).  If there is a weak point, this
is it!  The system was designed by Honeywell of Minneapolis and they were
not allowed to look at, or use any Boeing ideas.  We can't completely
blame the frogs for this.  I would have to say that I find the system to
be inconsistent from mode to mode and it is apparent that it was designed
by EE's sitting at a desk and not by operationally oriented people.  Each
mode has a certain "logic" to it and you can make a good argument for each
individual case, but as a complete system, it is seriously lacking.  There
are some basic ATC functions that can't be done at all!  It looks like
the chief of avionics integration/flightdeckers didn't do their job very
well.  As always, pilots can adapt, and I'm sure that I'll overlook the
numerous faults shortly, but there shouldn't be any faults in the interface
and there are.

6. Autothrottles:  I don't like the autothrottles that don't move.  I much
prefer the feedback that moving levers provide.  I am sure that I'll get
used to it in the future, but I think that this is a basic
pilot-integration shortcoming of the A-320.  Boeing is definitely right
in my opinion.

7. ACARS/FMGS integration:  There isn't any!  The ACARS doesn't talk to
the FMGS and vice versa (even though they use the same interface panel).
It is often necessary to enter the same data more than once.  In a perfect
world ACARS data would be available to the FMGS and the pilot would have
the option of auto-inserting it or putting it in manually.

8. Inertial Reference System (not INS!!!)  The system is poorly designed
from my point of view.  The three ring laser gyros can not be updated.
The FMGS calculates where it believes the aircraft is by using a weighted
position from the three RLG's and  DME/DME or VOR/DME to determine a
position, but the IRS itself is never updated.  I believe that it should
have been mechanized such that the IRS tracks drift rate and uses that
info to provide update biases.

9.  The aircraft can't dump fuel and the max landing weight is
significantly lower than the max togw.

10.  The aircraft has 40 some computers but doesn't even have a basic
calculator function on any display.  How thoughtful....

11.  Pitch trim indications are labeled such that they indicate the
position of the l.e. of the stab.  Thus a small nose up pitch trim setting
would be labeled "-1.0".  This has the possibility of causing problems.
The trim works correctly of course.  It's just labeled wrong from my
viewpoint.

12.  More FMGS stuff:  It's easy to do hard stuff... but hard to do easy
stuff!  Fully automatic CAT III approaches and landing are a snap, but
just going around the pattern doing touch and go's is a major pain in the
ass.  The PNF is always heads-down typing on the damn panel.

13.  Gust Load Alleviation:  They put in a gust load function.  I've heard
about the idea for 20 years but apparently no one ever actually put one
on an aircraft before the A-320.  It doesn't work......

In summary:

Like any other airplane in the world, the A-320 has both good points and
bad points.  If they had thought more about how the operator uses the
airplane to make the flight go easier and less about optimizing the
computer to make it efficient from a code point of view, the aircraft
would have been better.  However, it is quite adequate as it is and as
always the pilots are left to adapt to the deficiencies.  Then an accident
happens...

Did I hear someone say "Design-induced pilot error...?"

-------------------------------------------------------------------
David Lednicer             | "Applied Computational Fluid Dynamics"
Analytical Methods, Inc.   |   email:   dave@amiwest.com
2133 152nd Ave NE          |   tel:     (206) 643-9090
Redmond, WA  98052  USA    |   fax:     (206) 746-1299

