
Safety in Avionics: Bubble of Protection

By David Evans | November 1, 1999

There is a subtle yet profound difference in the flight control systems on Boeing and Airbus aircraft. Yes, they both have ailerons, flaps, slats, rudders and spoilers. And, yes, both manufacturers have gone to fly-by-wire technology, placing computers between the pilot’s control inputs and the ultimate movement of the control surfaces.

But there is one significant difference. On the Airbus airplanes, "hard" constraints have been programmed into the software. According to Airbus, these limits allow pilots to more consistently extract maximum available performance from the airplane, while minimizing the risk of over-controlling and possibly overstressing it.

More specifically, this "bubble of protection" prevents the pilot from exceeding predetermined limits for various parameters, including bank rate, airspeed and G-loading. For example, the pilot is not allowed to exceed the airplane’s 2.5-G design load, even though a 50% safety factor is built into the structure, suggesting that the airplane is strong enough to pull 3.8 Gs.

The basic idea is to prevent the pilot from overstressing or stalling the airplane—although there is a segment of the flight envelope where lift can be maintained under a wing loading of more than 2.5 Gs (see illustration).

Boeing’s fly-by-wire B777, on the other hand, features "soft" limits. As the pilot approaches pre-set thresholds, aural and visual warnings are triggered, and control forces increase. If, as the saying goes, a pilot finds himself staring at a windscreen full of rocks, he can pull more than 2.5 Gs to avoid collision with terrain. He can pull 5 Gs, if that’s what he believes it takes to avoid catastrophe.

Capt. Ron Rogers, an A320 pilot and director of aircraft development and evaluation programs for the Air Line Pilots Association, quipped in a recent report that compares Boeing’s soft limits and Airbus’ hard limits, "Although aircraft structural integrity may be compromised by a G-load in excess of 3.8 Gs, aircraft structural integrity is more severely compromised by terrain impact."

Pilots like Rogers are saying, let us pull Gs, if need be, to save airplanes and lives. Give us access to that portion of the flight envelope above 2.5 Gs. They point to cases where aircrews have pulled well over 2.5 Gs to save the situation.

Case in point: the high-speed upset of a China Airlines B747SP in 1985. Crossing the Pacific Ocean at 41,000 feet en route to Los Angeles, the crew shut down the No. 4 outboard right engine after it experienced a compressor stall. To correct for the asymmetric thrust of the remaining three engines (which can lead to a yaw-induced roll), the autopilot cranked in some 23 units of left aileron. When the autopilot reached its limits and disconnected, handing the problem to the flight crew, the airplane suddenly departed from controlled flight. The nose dropped, the airplane rolled right through 60° and in the next two minutes plummeted from 40,000 feet to 9,000 feet—about 6 miles—before the crew was able to regain control.

In their desperate efforts during this dive, the crew passed through 5 Gs. The stresses literally were pulling parts off the airplane. The entire left elevator and three quarters of the right elevator, and 32 to 36 feet (9.75 to 11 m) of the horizontal stabilizer, were ripped off the aircraft. The wings and landing gear were damaged. The tail-mounted auxiliary power unit reportedly was ripped off and rests today on the bottom of the Pacific.

But the crew was able to save the airplane, climb to 27,000 feet and make a diversionary landing at San Francisco. The case stands as a triumph of rugged Boeing design.

Had this airplane been an Airbus with its hard control limits, what would have happened? John Lauber, head of Airbus’ new safety office in Washington, D.C., recalled the case. The autopilot had been set to maintain altitude and heading; as the airspeed decayed, the autopilot control authority limits were reached. On the Airbus design, say, the four-engine A340, he explained, the altitude hold would disconnect as a result of the system’s low airspeed protections. The system, as it were, would trade off altitude for speed, preventing the situation from degrading to the point of an upset.

The whole idea of the Airbus design, he said, is to "prevent airplanes from getting into situations where pulling more than 2.5 Gs is necessary."

Are there circumstances the designers might not have foreseen? Probably, concedes Lauber, but look at the record, he suggests. Most fatal accidents involve controlled flight into terrain (CFIT) and loss of control (LOC). If these are the two big killers, he said, the question asked at Airbus was, essentially, "What can fly-by-wire do to help prevent these kinds of accidents?"

The answer to that question led to a design with hard limits. The typical rank-and-file airline pilot can theoretically spend an entire flying career rarely exceeding 1.25 Gs. For the case where the pilot is staring at potential impact with the ground, the Airbus system is programmed so that with a full aft input on the side stick controller, the airplane automatically will pitch up to optimum angle-of-attack, retract speed brakes, and apply take-off thrust. Pilots executing this maneuver lose less altitude than if they were manually controlling the airplane (in most cases of CFIT, the difference between survival and death is a mere 100 feet). They don’t have to think about exceeding structural limits or risking loss of control of the aircraft.

Pilots like Rogers remain unconvinced. The abnormal attitude law in the software, he points out, reveals the expectation that the airplane occasionally may find itself past the normal envelope. Even so, there may be cases (e.g., upsets from severe wake turbulence) where the pilot may need to override the system’s programmed limits. The pilot, after all, is ultimately responsible.

For this reason, the Douglas MD-90 allows the pilot to select emergency thrust by pushing the throttles through a brake bar. On the B777, the pilot can activate a single protected switch to attain direct control authority over the airplane.

On the Embraer EMB-145 regional jet, a single button on the control yoke disables the stall-warning stick pusher, the autopilot, and the elevator trim system. On the Canadair regional jet (CRJ), a toggle switch next to his knee allows the captain to disconnect the stick pusher.

This ability to override is key, according to Rogers. And, in this respect, Airbus apparently stands alone. There is no single switch that enables the pilot to circumvent the computer and gain direct control of the airplane.

Rogers argues that an override switch on the side stick controller, to allow another half-G with a single press (from 2.5 to 3 Gs, and with a second press from 3 to 3.5 Gs), would provide the kind of emergency override that a pilot may need someday. If the pilot is to be denied access to the full aerodynamic performance of the airplane, he also is denied access to the full range of options in an emergency.

Lauber demurs. The danger, he counters, is that adding another half-G could take a pilot "from an incipient stall right into a stall."

"If we have a button," he says, "then the pilot has to be trained on how to use the button, and there are no supporting data on which to base procedures or training."

The hard control limits in the Airbus design, he adds, provide a consistent "feel" for the aircraft, from the 120-passenger A319 to the 350-passenger A340. That consistency itself builds proficiency and confidence. After all, Lauber points out, the pilot isn’t in control when anti-skid brakes are applied, yet they provide superior stopping power. Rogers counters that pilots control the brakes with their feet and can shut off the anti-skid, should they feel the need.

Lauber also asserted that the Airbus hard limits allow a pilot to consistently and safely achieve better performance—within preset limits. Few pilots experience anything close to 2.5 Gs in training; why allow them to get into an unfamiliar regime?

As Lauber says, "You don’t need engineering test pilot skills to fly this airplane."

It is a seductive pitch. Superb engineering has been marshaled to minimize the potential for human error, to keep average pilots within the limits of their average training and skills. But I am reminded of a point made in a seminal 1975 book, Systemantics: How Systems Work and Especially How They Fail, in which author John Gall observed, "When a fail-safe system fails, it fails by failing to fail safe." And, against that remote but possible day, pilots like Ron Rogers still believe an override button is necessary. Those in Rogers’ camp hold the view that should the bubble burst, it’s up to the pilot.
