Sorry for the very long post, but I think it might be interesting for some.

There are two advantages of Fly By Wire systems, the first is obvious and very important on Military aircraft: some aircraft are inherently unstable and with Fly By Wire systems thery are still flyable, which is a huge bonus. In Civil aviation, FBW systems are here to help the pilots. Make their jobs easier and safer. Fly By Wire system is good, because the aircraft understands what do you want to do, and can also let you know what is safe to do.

Either by some restrictions in normal law, or with any feedback the system provides. One of the risks for Fly By Wire system is simple: If we assume, "if it is ok by the FBW system, it should be safe", yet most current FBW implementations doesn't monitor the consequences of our actions.

The FBW system knows any mach speed that is greater than stall speed and lower than overspeed is safe. There can be some margin, etc. but most current FBW systems doesn't try to predict possible outcomes and determine "how safe this action is" based on that. Simply because when these systems were designed a complex software that would try to judge multiple parameters in context would require very strong hardware, and a lot of research.

Any precise enough simultion of possible consequences would be too complex to be feasible if we consider what kind of computer hardware was present, and what could be installed on an Aircraft.

In fact the Fly By Wire software doesn't even recognize, that if it switches to alternate law, or direct law while the pilot is trying to do something, the results can be unexpected. (If the system doesn't limit the pilot but only provides feedback, it isn't important) And you can't depend on fly by wire system to know what is safe / what is unsafe.

Lets go back to mach speed.

If you can correct if you get close to a stall and can descent safely, your speed can be safe, even if it is close to stall speed. If you expect the wind is constant and nothing will happen: who cares.

If wind isn't constant, so your airspeed can be far from constant (thanks to turbulence), and there is something under you (either terrain, or a CB, etc) your speed might be far less safe.

Some speed can be safe in most cases, but if you can expect turbulence (thanks to weather) it can be too close to both overspeed and stall speed, etc. and can be risky.

Yet, the Fly By Wire system won't even offer any feedback about possible hazards from maintaining that speed and altitude. If the pilot assumes, it is safe (after all FBW software considers it safe), that can lead to nasty incidents.

If there is a risk of icing (and loss of airspeed data) you might prefer if the difference between stall and overspeed is significant, but if it isn't you won't get any warning.

If you trust "What you do is safe, because the FBW aircraft lets you do it" sooner or later you will run into problems.

I heard some criticism about Airbus aircraft, saying many pilots are simply "operating the system" and not flying the aircraft in many cases, and depend too much on the system.

Since there can be any software problem, or any problem with the instruments, I prefer if the pilot has the final say, and you don't have to disable many other instruments to have access to alternate law / direct law. So I prefer feedback over restrictions. (If FBW system gets incorrent airspeed data, but doesn't detect the fault, and restricts the choices of pilots based on it, that can be risky)

But if we are using FBW and related system, I would prefer if it would know "how safe this speed / maneuver, etc is in current circustances" in addition to "this is within some predetermined limits". And it would provide feedback based on it.

And if it restricts the pilot, it would warn about switching to alternate law, so it doesn't surprise the pilots.

While I am not sure if any such warnings could have helped to avoid the AF447 accident, I think early warnings that are shown before things get rough can be useful for preventing future problems.

Monitoring more data from instruments in real time, and predicting possible problems can be easier with modern computer systems. And to my best knowledge the required research is minimal (thanks to UAVs capable of both autonomous flight and remote controlled operation).

What do you think, would such early warnings be useful in civil aviation?

No, you go to ALT law and you get the warning-you go to direct law and get one too.

Having flown the Airbus, I think many of the criticisms levelled at the FBW systems originate from those who have never used them. One of the favourite criticisms is that people operate the system, not the aircraft. I have several thousand hours of A320 time, yet have never activated a FBW protection or been constrained by one. I suspect the same holds true for the vast majority of Airbus drivers. It is a myth that people fly around assuming that because the FBW permits it then it must be safe. People fly the aircraft around within normal operating parameters, just as they would a non-FBW aircraft. Get the speed too close to the limits on an Airbus and you'll get the same response from the pilots as you would if they were flying any other type. If you are the sort of pilot who flies around deliberately trying to reach those limits then you don't belong in any aircraft.

Much is also made of the regression from Normal to Alternate law. Bearing in mind what I've written above, it really is no big deal. So what if you don't have the protections of Normal law? You don't need them. The aircraft handles the same (load factor demand in pitch axis from the sidestick, roll rate demand in the roll axis). Fly the aircraft the way you flew it before and you won't see any difference until such time as you lower the landing gear and switch to Direct law. Take it to the extremes without protections and you are in no different a situation to being in a conventional aircraft, except it's easier to recover in a Airbus.

The FBW system is not designed to make the aircraft safe to fly, hence it doesn't need to know your intentions. It's the pilots' job to keep the aircraft safe and the regression of the control laws allows them to safely control the aircraft during reasonable manouevres.

elch: Sorry if I worded not so precisely: The time of the warning is important. Let me reword it.

IF the switch to alternate / direct law happens when you already doing something and get the warning at same time, unexpected results can be happen before you react to the warning.

The question is about a warning that lets you react before the aircraft actually switch to alternate law.

Carnage Matey: Of course noone would fly close to the limits in civil aviation, and even if we speak about military aircrew you need serious reasons to do that.

It would be bad if any protections would be significant in everyday operation, but when you are pretty close to an accident (due to unreliable airspeed data, etc) then you can be close to the limits.

The only other case where you are close to the limits is the "coffin corner aviation" and mostly above oceans...

Even if you are close to the limits, the switch to Alternate law is really not as big an issue as you may have been led to believe. The controls handle in exactly the same way as in Normal law. Assuming you have been placed close to those limits by an unexpected surprise, the fact that you are close to the limits is more than enough to prime any competent crew to take corrective action. People don't simply wait for the aircraft to sort itself out, they take action themselves. The FBW protections are only there in case they don't take action. In Alternate law the aircraft will permit you to take almost any action you wish to correct the situation, and the transition between Normal and Alternate will be essentially seamless. There is no need to have a 'big brother' system to tell you that there would be a risk in Normal law dropping out because there is no risk in Normal law dropping out.

With reference to the Air France accident I don't really see how control law issues would be a factor. If the aircraft is in severe turbulence then overspeed/underspeed protections are an irrelevance as the aircraft will be in and out of both continuously. Any implication that the aircraft is harder to control in Alternate law is turbulence is questionable as it handles the same as in Normal law. If it's an unreliable airspeed situation then you fly it like any other aircraft by setting pitch and power and watching it like a hawk. The unreliable airspeed drill is really no more difficult in an A320 than it is in a B744.

If the aircraft is in severe turbulence then overspeed/underspeed protections are an irrelevance as the aircraft will be in and out of both continuously.

This is a key point, since if the turbulence is predictable and the continuous underspeed / overspeed problems are predictable, it can be time for an advisory / warning, I think.

At different altitude the difference in speed between underspeed and overspeed is different, at lower altitude, with gusts, turbulence instead of constant underspeed / overspeed (and all the risks associated with it) you can stay in safe speed range.

If I know well, the risks of turbulence / gusts can depend on weight and altitude (since the difference between underspeed and overspeed is bigger). And if there are risks (coffin corner aviation + weather + icing) some "early warning" could be helpful.

With reference to the Air France accident I don't really see how control law issues would be a factor.

If I remember well there was an accident where the pilot flying tried to use rudder extensively in a turbulence. One of the early acars messages are related to "RUDDER AND PEDAL TRAVEL LIMITING ACTUATION". I am not sure if operation of rudder travel limiter is different in normal / alternate law, and if unrelaible speed data and switching to alternate law could lead to unsafe operation of rudder. If I read well (elsewhere) rudder travel limiter would work differently in such scenarios.

This, alone, isn't important.

But if we see icing, turbulence, and when some instruments are lose the pilot flying is surprised by "unusual behavior" of the rudder, and as he tries to recover he loses some altitude, and descends into a CB they tried to avoid... Now that is flying in a CB with many instruments failed.

Gergely,
I think you hit the nail on the head. Although I am not a pilot, as I have mentioned in several other threads on this forum, I am in the IT industry and have worked on user interface designs for many years. I think overall the Airbus is a fine and safe line of airplanes, and their record proves that. Yet when I read through the descriptions of some of the incidents that have occurred, there seems to be a pattern of at least the possibility of a pilot not really understanding what was happening at the time of an incident. Let's use an analogy to discuss.

Suppose you own a high end passenger sedan. It has computer controlled handling characteristics which define their "modes" as primary and alternate law. In primary law, the amount of pressure you have to place on the accelerator is somewhat standard with other cars, as is the amount of pressure you need to place on the brakes to achieve a full stop. The steering characteristics are what would be described as "tight", meaning you do not have to move the steering wheel very far in order to achieve a relatively tight turn. In alternate law, all of these change. The amount of pedal pressure required for accelerating and braking double, as does the amount of steering wheel motion in order to achieve the same rate of turn as you would have had in normal law. The trigger to make the change from primary law to alternate law is a sensor which determines moisture on the road and the temperture of that moisture The change from primary to alternate is made so that you do not spin the wheels during acceleration, skid during decceleration, and you do not move too quickly into a turn and hence spin out. The indication to the driver that a change has been made from primary to alternate law (or back) is a combination of a chime and a light indicator on the dashboard.

Now, you are in your car driving with your wife beside you and two (or more) children in the back. The radio is on, and the kids are playing games. Suddenly a fight erupts in the back seat. It quickly escelates to a fever pitch. Your wife turns around and tries to stop it, but this only increases the noise in the car. At the same time, you drive into a summer thunderstorm, which quickly becomes a raging downpour mixed with hail. As the car progresses through the storm, the combination of rain (wet) mixed with hail (cold) meets the limits of acceptance for primary law, and the car switches to alternate law. You, on the other hand, are trying to calm the wife and kids down, while at the same time turning on the wipers and trying peer through the windscreen at the road. You turn back around one more time to try to settle the war as your wife screams; "You're missing the exit!". You immediately turn around, see the exit flying by, step on the brakes and turn the wheel. But, low and behold, you never heard the chime or saw the indicator light with all of the confusion. Suddenly the brakes aren't stopping the way you thought they were, and you can't get the car to turn into the exit. You're reaction isn't "the car must have changed modes", it is: "WTF is going on here??!!".

So after all of that, my point is, mode should not change without pilots concurrence, especially when it will effect how the controls react to input and what they will do with that input. If the pilot is assuming that limits are being controlled by the computer (especially where it pertains to rudder breakout or throttle settings), he may very quickly find himself further confused and with even less time to react. More importantly, he may further exacerbate the situation, if not cause damage to the aircraft.

In all of the design projects I have been on, we always focus on making sure the user interface remains constant so as to minimize confusion. If you cannot do that, then you should at least make the switch to those changes a conscious decision so that the person fully understands the implications, which may take a few seconds to recall and process. Otherwise you wind up with the "what is it doing now?" syndrome. And that is what worries me about how FBW is implemented.

This is a key point, since if the turbulence is predictable and the continuous underspeed / overspeed problems are predictable, it can be time for an advisory / warning, I think.

I have to admit I'm a bit lost here. What exactly are you proposing to advise/warn of? And how would the turbulence be predictable?

If I know well, the risks of turbulence / gusts can depend on weight and altitude (since the difference between underspeed and overspeed is bigger). And if there are risks (coffin corner aviation + weather + icing) some "early warning" could be helpful.

I don't really see what this has to do with fly by wire? What you are describing is basic airmanship 101. If you can see weather on your radar, you suspect turbulence or potential icing you try to avoid it, and if you can't you select turbulence speed and if necessary descend to a lower altitude to improve your stall and overspeed margins. Again, this is standard procedure on any aircraft, not just FBW aircraft, and a warning is no more necessary on a FBW than on a conventionally controlled aircraft.

If I remember well there was an accident where the pilot flying tried to use rudder extensively in a turbulence. One of the early acars messages are related to "RUDDER AND PEDAL TRAVEL LIMITING ACTUATION". I am not sure if operation of rudder travel limiter is different in normal / alternate law, and if unrelaible speed data and switching to alternate law could lead to unsafe operation of rudder.

If its the accident I'm thinking of it occurred to an A300, which is not FBW and has an entirely different rudder feel system. That is beside the point as in that accident they shouldn't have been using rudder nor is it likely they'd have been using rudder in the Air France accident. Use of the rudder is not an appropriate or necessary technique in turbulence, and unless the aircraft lost an engine then rudder inputs would not have been necessary at all. The failure or the rudder limiter is more than likely due to the failure of it's airspeed input. The purpose of the limiters are to stop you damaging the rudder through excessive travel at high speed - no airspeed input means you have no idea how much to limit the travel, although I suspect the failure mode of the A330 is to reduce the rudder travel available and impose a reduced crosswind limit for landing. It's unlikely the AF crew needed to use the rudder (unless they'd had an engine failure), and I'd say entirely implausible that they'd have cycled opposing inputs to the rudder, which was what caused the failure in the A300 accident.

But if we see icing, turbulence, and when some instruments are lose the pilot flying is surprised by "unusual behavior" of the rudder, and as he tries to recover he loses some altitude, and descends into a CB they tried to avoid... Now that is flying in a CB with many instruments failed.

It's not impossible, but rather unlikely. If you are suggesting some uncommanded rudder hardover like in the B737 it's a possibility, but as far as I know there has been no recorded incident of a rudder hardover of that nature in an Airbus.

May I ask how much experience you have of flying large aircraft, as some of your suggestions seem to be aimed at warning pilots of fairly basic things that should be very obvious to them.

Suppose you own a high end passenger sedan. It has computer controlled handling characteristics which define their "modes" as primary and alternate law. In primary law, the amount of pressure you have to place on the accelerator is somewhat standard with other cars, as is the amount of pressure you need to place on the brakes to achieve a full stop. The steering characteristics are what would be described as "tight", meaning you do not have to move the steering wheel very far in order to achieve a relatively tight turn. In alternate law, all of these change.

Patrickal - your analogy is incorrect, but a common misconception about the Airbus. In alternate law those characteristics do not change. The car would handle the same, except the cruise control wouldn't work any more, the top end electronic speed limiter would be disabled and the device which stops you stalling the car at the traffic lights would quit. In short, it would still be easy to drive.

Whilst your story is indeed colourful, it's not a realistic scenario in the flight deck. There may be a lot going on, but as the aircraft autopilot drops out you'll get a loud, unmistakable aural warning which won't go away until you acknowledge it. As the other systems fail, you'll get a loud warning and an indicator light right in front of you that won't go away until you acknowledge it. As the aircraft drops into alternate law you'll get another warning. If your even half competent it'll be no surprise to you when the aircraft goes into alternate law as you'll have trained the scenario in the simulator a number of times and be expecting it.

So after all of that, my point is, mode should not change without pilots concurrence, especially when it will effect how the controls react to input and what they will do with that input. If the pilot is assuming that limits are being controlled by the computer (especially where it pertains to rudder breakout or throttle settings), he may very quickly find himself further confused and with even less time to react. More importantly, he may further exacerbate the situation, if not cause damage to the aircraft.

The mode does not change from Normal to Alternate without pilot concurrence for fun, it changes because the aircraft is physically unable to continue operating in normal. It means it has lost the inputs or systems required to maintain normal law. You cannot offer the chance for the pilot to continue in normal law because the ship can't do it! What the aircraft does provide is ample warnings to the pilots of what it's done and what systems are degraded. For emphasis, even after this, the aircraft flies just fine with the same handling characteristics as before. And once again, you don't use the rudder in flight unless you've lost an engine, and even then you always use it with caution, not reckless abandon like in the A300 accident.

While you say: Avoiding these conditions is basic airmanship, which is entirely true and I know it well, that it is basic airmaship, the quest is: If you can't guess what altitude is safe for speed margins (based on weather data, etc) accurately enough or if you don't do it for any reason, why shouldn't the computer actually do some calculations to show you safe altitude, safe speed range, etc. and provide as much information as possible, and if you fly outside of the "suggested safe limit" offer a nice amber advisory to show you are faster / slower than suggested.

Why? Simply because when you watch weather radar, try to guess how can you avoid them you can be busy, and any help offered by the computer system can be valuable.

What is trivial for you, isn't trivial for the system itself :)

It already does. The FMC gives you an optimum cruise altitude and guidance altitudes for heavy turbulence are generally 4000 feet or more below that optimim. What you are proposing is starting to sound more like a technical impossibility: a device that takes radar returns, calculates the intensity of the turbulence in a rapidly changing weather environment then fires off a series of predictions of what your margins will be. Notwithstanding the technical difficulties, you don't need a computer to tell you what speed to fly at in turbulence because the manufacturers have already told you what speed is best. You don't need an amber advisory because you can see what speed you're doing on yout instruments and compare it to the manufacturers published turbulence speed. If you need a flashy advisory to remind you of your turbulence speed you shouldn't be in the flight deck.

Even if such a device existed, there are up and down draughts throughout cells with different turbulence associated with each. Each encounter will be different and poses the potential to see you chasing one speed target only to find it's a completely different one 5 seconds later. You'd be more likely to get into a pilot induced oscillation from following that, which will do you more harm than good.

It already does. The FMC gives you an optimum cruise altitude and guidance altitudes for heavy turbulence are generally 4000 feet or more below that optimim.

If such information is already present, then I am happy :) But we will get back to it.


What you are proposing is starting to sound more like a technical impossibility: a device that takes radar returns, calculates the intensity of the turbulence in a rapidly changing weather environment then fires off a series of predictions of what your margins will be.


It is a bit different. Why? Because you don't need to say: how to fly in an environment where you shouldn't fly. All you need is to evaluate risks, considering your speed, altitude, weather, and any failed instruments (and conditions for icing)

When you determine how safe "your future" is, you use a simple scale.Say: 0 is totally safe, 1 is certain disaster.

If without pilot intervention the situation becomes risky enough in some time frame, you get an advisory. To buy you some time. If you see the computer predicts a probable / possible threat to your safety before it happens, and before you could detect it without this system in essence buys you time, where you can react.


Notwithstanding the technical difficulties, you don't need a computer to tell you what speed to fly at in turbulence because the manufacturers have already told you what speed is best.


I know about turbulence penetration speed.


You don't need an amber advisory because you can see what speed you're doing on yout instruments and compare it to the manufacturers published turbulence speed. If you need a flashy advisory to remind you of your turbulence speed you shouldn't be in the flight deck.


What you say is about the present, the nature of early warnings is they predict a probable future. You speak about how hard it is to analyze the data, and it is indeed a huge task even more for a human being in the flight deck.

But computers are efficient at analyzing huge amount of data, quickly and efficiently. They won't give you a strategy about "how to avoid the worst of the storm", but will be able to tell you "how bad it will be if we are going this way".

The computer can tell you, where can you end up, with about what possible airspeeds with sane and safe maneuvers, and if it would get you into trouble, in some timeframe it could warn you.

The goal isn't to "tell the pilot how to fly", the computer shouldn't know that, this is why we have a pilot there. But it is to give more time for a pilot to react to a predictable threat.

Imagine why TCAS and GPWS prevents accidents. They don't report the collision, but detect a possible threat that is predictable with some certainity, and give you time to safely avoid accidents. TCAS doesn't determine "how close you would be to a collision" without it, it isn't super precise.


Even if such a device existed, there are up and down draughts throughout cells with different turbulence associated with each. Each encounter will be different and poses the potential to see you chasing one speed target only to find it's a completely different one 5 seconds later. You'd be more likely to get into a pilot induced oscillation from following that, which will do you more harm than good.


It wouldn't give you speed target, it would give you a warning that tells you: if you don't act soon, in some time you will end up flying into a thunderstorm and some turbulence, and you won't be at safe speed / altitude for that with safe maneuvers.

And the pilot makes a decision based on it.

The computer shouldn't tell you what you do, since you should make decision. But should give you feedback about how safe / unsafe some course of action can be.

A speed target inside the turbulence isn't an early warning, it doesn't offer you a chance to have the best possible speed and altitude.

OK, I see some of your points but in order to debate this I really need to know where you are coming from. What is your level of flying experience and which aircraft types please? I can't pitch a response at the appropriate technical level unless I can gauge whether you are a pro pilot suggesting this technique or an enthusiastic amateur, and yes, it does make a difference.

Although I am not a pilot, as I have mentioned in several other threads on this forum, I am in the IT industry

What is the point?

What is the point?

I suspect there isn't any.
Some folks in the IT industry seem to think that their particular expertise is applicable to FBW aircraft types.

These folks are truly....out to lunch, in more ways than one.:ugh::ugh:

What is the point? I suspect there isn't any.
Some folks in the IT industry seem to think that their particular expertise is applicable to FBW aircraft types.
I'm a software engineer too (radiology systems), so I apologize if we IT people seem to be out of our depths here.

The point is that, in my job:
- I want to make sure that patients are not harmed in any way by any software fault;
- I want to make sure the system interface is designed so that patients are not harmed in any way by any inappropriate use of the system.

Thus, unfortunately, FBW airplane accidents are indeed interesting to me, the same as any other accident or incident involving computers and softwares, because there may be lessons to be drawn regarding software safety and usability.

Carnage matey!,

I have to agree with everything you have posted so far on this thread.
The design philosophy of the current Airbus FBW system has proven itself over the years. I have flown A320/330/340 and found the transition of flight modes absolutely transparent.
I do not understand why people with no aviation background post on pprune and try to explain day to day flying operations to pilots.
As you said above there is no handling difference between normal and alternate law, you get the same response for the same sidestick input.
Also I do not see the need for a system to state the obvious. We all know how to operate the weather radar and FMGS to our advantage.

Now for all the armchair experts. There is a reason why the Airbus reverts to alternate law with unreliable speed. It actually happens to make the pilots job easier, since you can't trust the airspeed indications, you have to fly pitch attitude and thrust setting.
The last thing you need in this situation is for the overspeed protection to activate and the aircraft to pitch up on its own, that is why the switch occurs from normal law to alternate, because in this situation it is the most appropriate control law. I will not comment on the rudder travel limiter, as it already has been explained by carnage matey.

ALK A343,

There is a reason why the Airbus reverts to alternate law with unreliable speed. It actually happens to make the pilots job easier, since you can't trust the airspeed indications, you have to fly pitch attitude and thrust setting.
The last thing you need in this situation is for the overspeed protection to activate and the aircraft to pitch up on its own, that is why the switch occurs from normal law to alternate, because in this situation it is the most appropriate control law.Point taken, and from what I understand it indeed looks like the best option by far.
Actually, I am much more surprised by what I've read regarding the Quantas incident: is this pitch down a situation where the switch from normal law to alternate law did not happen soon enough? My apologies if I misunderstood this report, which I went through rather too quickly:
http://www.atsb.gov.au/publications/investigation_reports/2008/AAIR/pdf/AO2008070_interim.pdf

Experinence is closer to ameteur side. Flying is a hobby for me, and I am often more interested in UAVs than in other aircraft :)

I come from IT industry, but I think, that possible algorithms for detecting future threats aren't that closely related to aviation, and I fear that if I would start to discuss them in depth, I wouldn't get many replies.

ALK A343: I don't want to sound rude, but while you say, it is trivial to know how to fly your aircraft, I could say, how it is trivial to follow some "industry best practices for user interface design, and why their benefits are trivial", and it is true for any system, from aircraft to nuclear reactor.

I don't want to point to the post about tech log Philosophy, but I would want to ask you kindly to understand when I speak about early warnings I am speaking about ways to predict the possible / probable future.

Thank you very much about reinforcing the point that the rudder shouldn't be used on flight level, which is a well known fact even for us "armchair experts", "self loading freight", etc. types, but I would like to remind you, using the rudder is an instinct for many pilots, and use of rudder in turbulence happens even if it isn't recommended.

And I would like to show the point: Current protections in FBW rules are mostly transparent, because noone in his sane mind would fly close to those limits. Yet they are present.

They are present and you seem to agree to their presence.

And even the people who say: pilots should have their final say, would implement similar protections with feedback. (Ie: if you want to do something unsafe, it should be harder, you get a warning, etc.) And feedback can be gradual feedback (If you get closer to the limits, it will be harder to move the stick that way, etc. which warns you before you reach the limits).

Why there are protections against dangers present only if you "ignore basic airmanship 101"? Because they proven themselves efficient. We agree on this.

But if we would stay with proven systems, that are considered good in an era, you would be flying a DC-3.

The nature of the technological advancement is to improve proven systems.

Currently the system only protects you if you do something that is dangerous right now, and it is out of specification of your aircraft...

If a system would tell you when you are getting "dangerously close to the limits" but wouldn't restrict you in anyway, that would be an extra layer of protection.

It would be just as transparent as the current ones, since you don't get dangerously close to limits, since you do know basic airmanship 101, so they are almost as unneeded as current protections, and they could get just as proven.

If the system would also tell you: With the analysis of various data, if we do this, you would get close to the limits in 5 secounds. You wouldn't trigger that added protection.

If the system would tell you, if we continue this way you would end up too close to a dangerous TS pretty soon, and would mark "potentially unsafe areas" on your wx radar if you select a mode, etc. you would avoid the TS just as well as you do now, and would never trigger a warning.

If switch to alternate mode would come with some very slight delay, and prevent you from reacting to speed data (or anything triggered you) by going after your instincts and using "too much force" without limits, and would give you a secound to think (and keep some protections based on last good speed data for this secound)? Not sure, but people who fly these aircraft probably know if they might need that extra freedom in that secound (if they aren't close to any limit when it happens).

Yes. For some of this, we need to analyze weather data first, to be able to improve algorithms that can utilize the processing power available now.

But I think that is a better waste of unusued CPU / GPU time, than looking for extra terrestial life that has radio equipment that is somewhat compatibile with our systems, and has enough power to broadcast any signal to us.

On every modern transport category aircraft flying today, there is a yaw damping system fitted to take care of unwanted yaw axis excursions. There is no need to touch the rudder in the cruise, climb or pre-landing descent phases, turbulence or not. Unusual attitude recovery or engine out are both different stories, but we have covered that already.

I would like to remind you, using the rudder is an instinct for many pilots, and use of rudder in turbulence happens even if it isn't recommended.

From what sources might we be able to substantiate such a statement?

The study was mentioned in other threads here (related to AF447), will do the search for you if you want :)

vapilot2004,

If I'm not mistaken, I think GV is referring to this post (http://www.pprune.org/rumours-news/376433-af447-67.html#post4993330) by desitter in the AF447 thread (had drawn my attention too):

Application of rudder, instinctual -

what has been said of rudder input in normal flight is very interesting and telling. One should consider the animations the NTSB often publish as part of their public dockets. It would seem that a sudden upset almost always leads to rapid, one would say instinctual, rudder input from the PF. Sometimes this may be justified but from what has been said by pilots here, not often. Perhaps this goes back to training days in small aircraft where more rudder authority is required to escape an upset or establish stable flight in turbulence - the ideas imprinted there could somehow just become part of the airman's natural skills.
I haven't checked it (and none replied), but it sure is intriguing:confused:

Gergely,

If a system would tell you when you are getting "dangerously close to the limits" but wouldn't restrict you in anyway, that would be an extra layer of protection.Just a word of caution there: as you probably know, such a system would only act as a protection if its specificity and detectivity were high enough. On the contrary, if the rates of false alarms and/or false negatives were to high, it might actually hinder the pilot rather than help him.

So the real problem may be feasibility: you speak of "basic airmanship 101", but some detection tasks which are quite obvious for humans are very tricky for computers. So "basic airmanship 101" may actually require "expert computership 999"...

JuggleDan: Yes, this is why such systems aren't common yet :) What is beasic airmanship for any of us isn't that basic things for a computer, but it is getting feasible...

But this is why advancement we seen in last decades opens up new possibilities. I think in middle of 1990s the costs and size (and power and cooling requirements) of an "1 GFLOPS computer" would be make it pretty hard to imagine how that much computing power would be used on an aircraft. Now you can buy a TESLA S1070 system with... Which is 4096 GFLOPS. It is compact, no special power / cooling requirements, safe.

Should I speak about software? I doubt if use of SNN (http://en.wikipedia.org/wiki/Spiking_neural_network)s would be possible / practical about 10 years ago. Just as an example, because we are speaking about "perception" and what our computers can detect about the weather.

We need to analyze a lot of data to make the system reliable, and extensive testing? It would be more useful than SETI@Home, but when concept of smart cockpit, etc. was designed, such options weren't a possibility :)

How feedback is possible if we keep a sidestick is also very different now.

with unreliable airspeed data fed into the FBW computer, does the FBW now allows the aircraft to maneuver more than allowed?

Thus allowing the aircraft to be over stressed or over loaded.

with unreliable airspeed data fed into the FBW computer, does the FBW now allows the aircraft to maneuver more than allowed?

Thus allowing the aircraft to be over stressed or over loaded.

That's why the flight control laws become degraded with gradual loss of reliable input data. Once the data coming into the FBW systems passes a certain level of unreliability, the FBW system gradually hands full authority - and responsibility - back to the crew.

So at the lowest level, in Direct Law, the flight controls can be manipulated so as to exceed the aircraft's design envelope. But the key thing is that it is then under the flight crew's control - and they will be presumed to be exercising appropriate caution with their control inputs.

The only way to defeat this arrangement is to have all the airspeed etc. data be consistently wrong coming into the FBW system. If it doesn't know there's anything wrong, then it could inadvertently cause a problem. But the same would apply to a non-FBW a/c in the same circumstances - if every piece of data is misleading, but consistent, you'll inevitably be misled.

It seems like you want to put limits on the limits. The limits were determined by experienced people. Somehow, I think that providing some kind of warning in advance of reaching the limit might prevent the pilot from using all of his ability to control the aircraft.

What is the point?

I suspect there isn't any.
Some folks in the IT industry seem to think that their particular expertise is applicable to FBW aircraft types.

These folks are truly....out to lunch, in more ways than one.

My point is that, I don't think we in the IT industry are out to lunch as much as we are not invited to lunch. Although I do not have a commercial pilots license, I do have very good understanding of interaction of people with computer based logic systems. And I do not think many would disagree that it seems that more and more incidents appear to have, at least as part of their cause, a mis-understanding by one or more of the crew on how their interaction (or lack of) with the systems in the aircraft will effect the aircraft and it's controls. There have been many threads on this and other boards here on PPRune discussing the issues of automation in the cockpit. Just in the past several years, the A320 crash in San Paoloi, the Turkish Airline 737 crash in Amsterdam, the recent crash in Buffalo, all have to have at some level either a misunderstanding of how the system is supposed to work or a failure to notice when some indiication is being given. In either case, in my mind, this shows an interface issue.

I think everyone agrees that flying is no longer stick and rudder only. I won't argue if this is a good thing or a bad thing ( although I would rather have a stronger focus on pure flying skills and the training that promotes them.) The crew is tasked with interacting with a complex logic system, both in FBW aircraft, as well as non-FBW which have complex auto-pilot systems. When this interaction breaks down, the results are often tragic. The human factors involved in these breakdowns are not specific to aviation. We have seen them in nuclear power plants, transportation systems, communication systems,etc. It can be any system that controls a large and complex functions. And that is my point. We need more focus on how the human mind reacts to a system that is using some level of logic to make a decision. Too often, in all interactions between humans and computers, the interaction hits a "what is it doing now" moment. And in that moment, the human must determine if the logic in the system has broken down, or they don't understand the logic, or maybe a third or fourth or fifth possibility. The trouble is, in aviation, they usually don't have all that much time.

I am sorry if you think that pilots are the only ones who have any serious input into this discussion. Most of us in the IT industry succeed when we listen to everyone, and try to totally understand what the user requirements are and how the logic systems we are building will support those requirements.
Most of my questions on this board are trying to understand the human interaction level, and how the human mind interperts and anticipates logic systems. It's more than just flying. It's understanding the system and the mind that uses it. And I am sorry, but I don' think you need a commercial pilots license to do so.

Truth of the argument is independent of the person making it. E.g. "All other parameters being equal, the lift is proportional to velocity squared" is true even if made by IT consultant. "People who fly Airbus are not pilots anymore but mere system operators and it's all FBW fault" is false even when Airbus TRI/TRE says so. Therefore IT people, planespotters et al can and do make valuable contributions to PPRuNe, just not every time they post.

However, notions that there are enough data to predict the exact behaviour of aeroplane in turbulence and that failures leading to FBW degradation can be predicted and we just need more computing power to calculate when they will occur are false. You can play all day with your ANNs and SNNs or whatever but you can not have the meaningful output without the meaningful input. There's no radar or laser or whatever that will tell you how the air ahead of your aeroplane exactly churns and whether you'll get updraft/downdraft/positive windshear/negative windshear. Most of the time you get all of them in quite a short timeframe. Weatherpersons can estimate general area and general strength of the turbulence but even them don't get it right every time.

For example: one of the reasons of A330 switching to Alternate 2 law is loss of rudder pedals transducer. What inputs would you use to feed your computer that gives you "Caution - rudder pedals transducer failure in 5 seconds, prepare for alternate law" alert as its output?

411A Wrote:
What is the point? I suspect there isn't any.
Some folks in the IT industry seem to think that their particular expertise is applicable to FBW aircraft types.

These folks are truly....out to lunch, in more ways than one.:ugh::ugh:

Most (ie: 99.999%) of people who say they have "IT experience" have only ever played with Windows computers or maybe done a bit of system admin. I suspect the person here has no idea about how safety critical systems work, are designed, are built etc.

The analogy with the car is misleading in a number of cases, firstly anyone can get into a car and drive it without understand how the various systems on board interact and work under various conditions. Studies in Finland have shown that driving with modern "safety" features such as ABS, ESP etc actually cause more problems for persons who are not trained in their use. How many people here have actually been to an ESP driving course? Answer: NONE.

Compared with aircraft where all pilots who fly the Airbus, Boeing etc are explicitly trained to use and understand those systems. As many posters here have pointed out, operating such aircraft under the given situations (ie: failure, degradation of functionality etc) is NOT a problem.

So, unless the original poster has worked with avionics systems at the level where he has a very deep understanding of the theory and practise safety critical systems then any comment is hearsay.

fc101
E145 driver
* some comments and notes above attributable to a friend who works with such systems (railway and avionics)

I wonder why people aren't as up-in-arms about computer controlling the engines? Surely a FADEC can be just as much of a problem as fly-by-wire? In the same way the alternate law can appear, the FADEC can fail and go into alternate mode. IIRC it would lead to situations potentially much worse than alternate law with flight controls.

How many protections do you want on the end protection, the one that really counts? Be interested to see how you you could actually do that without seriously degrading the dark cockpit concept. Be careful of the "what's it doing now?" syndrome becoming the "what protection are we protecting now?" KISS:ouch:

I suspect the person here has no idea about how safety critical systems work, are designed, are built etc.

OK, so I will put my "qualifications" in here, make one final point, and then I will shut up. For the past 10 years, I have worked on both the design and implementation of command and control systems which are used to tie multiple public safety agencies together in critical response situations (ie; terrorist attacks, natural disasters, etc). I have consulted with many of these agencies on their own systems, and have been directly involved in helping them establish and maintain systems focused on detecting, preventing and responding to major emergencies. Most of my focus in on the human interface side, and understanding both the human and cultural traits that will affect how a person will interact with the systems we design. It is somewhat beyond "playing with Windows".

The point I was trying to get to had to do with what I think is an overdependence on technology, and not enough focus on good training and skill levels. I do not think technolgy can fix these issues. We don't need more protections, we need more good pilots, trained well and paid what they are worth. I think that designing a good system that has simplicity at its heart to support them in such a way that they can understand it is the key to safety in any of these systems. I think too many levels of artificial logic make it more difficult for the human logic at the top of the chain (or in the front seats of the plane) to sort through it all. Simplify the systems and train the pilots. And that from an old gray haired IT guy.

I'll shut up now.

fc101,

Compared with aircraft where all pilots who fly the Airbus, Boeing etc are explicitly trained to use and understand those systems. As many posters here have pointed out, operating such aircraft under the given situations (ie: failure, degradation of functionality etc) is NOT a problem.


Having done scientific programming and software engineering for about 15 years, I respectfully disagree with you: for a variety of reasons, interacting with computers and computer softwares can sometimes be very taxing, even for highly trained and qualified professionals.

You find interacting with FBW systems easy, and that's a GOOD thing. However, I think you do so not only because of your training and qualifications, but also because these systems have actually been designed by IT people who have done extensive research of cockpit ergonomics and human-computer interactions!

As a matter of fact, I just googled for "Aérospatiale usability", and easily found a 300-page "Human factors for civil flight deck design" book. I guess there must be plenty other books and articles of the same around.

So, expertise in IT and in human-computer interaction is definitely relevant to FBW. However, the point where I disagree with patrickal is that I doubt Airbus waited for any of us to tell them something that is just plain common knowledge in our field... Something tells me they did their homework, and did it long ago!

Diaz: Easy to explain the difference, as you see one of the key questions is: If there is a difference between what you know and what you do we can see potential problems.

"Instinct" is the keyword here.

Why it is dangerous? Such instincts can kick in when something bad happens. These instincts are supposed to protect your life, but if you are flying an aircraft they can be dangerous. These protections aren't important in everyday operation when you don't even come close to the limits. But when your instincts try to save you but place you in danger, they can be important. Sadly it is about the same time when you can lose protections...

Jetdoc: I think you posted about a valid problem, the question is: I would say the feedback should be gradual for exactly this reason. If they would see any specific limit when controlling the aircraft it would be a valid risk, if they would see gradual feedback from the aircraft (they would feel it is harder to push the stick in one way) then these added protections could work as extra information.

Clandestino: As you see, the first post speaks about common oppinions about the FBW concept. I doesn't say I agree with them, but it is there to show, that there are many different approaches used to design FBW software and it is one of the few things people do remember about differences between Airbus and Boeing, it is something where they do have oppinions. And this is why I say while consensus isn't reached about what can and what should an FBW system do, there is still some place to discuss possibilities. Which is the point of the thread.

How early a warning can be, and how long you can maintain protections, feedback, etc largely depends on the cause of the problems. Of course the question is: Some would argue that if the level of protection (and warning) could be different in different scenarios wouldn't that confuse pilots who expect a warning? I hope that in most cases you use your knowledge, skills, etc to fly. The protections are needed when some pilots might use instincts and in such cases they can't observe same limits so easily.

Mind if I also point out one thing more: When the pilots are flying the aircraft, they often don't have time for checking charts, doing calculations, and knowing what will be save. When these data can be important for safety any way to see / feel / etc these data can potentially improve safety.

Why warnings and why no constantly displayed data? Because if I recall correctly, too many irrevelant data displayed at once could force the pilot to split his attention and can be dangerous, this is why the amount of displayed extra data should be limited to warnings and alternatives to lost instrument readings. And these options are only present if you can make sure they are reliable enough.

fc101: In first part of your comment, you speak about "how safety critical systems work", then, you say the requirement is experience in how avionics are determined.

And sadly, most people who "played with windows", wouldn't consider the possible risks, and how it can be implemented or other such topics, and probably wouldn't point to anything new.

Let me remind you most Windows systems doesn't know "how long a measured data is valid" based on physical possibilities, windows isn't designed to decide: If I can't measure airspeed, how can it be calculated.

Facts often don't support the common opinion.

My point is that proposal you made in the first post is completely unrealistic. Turbulence is unpredictable. Failures that degrade FBW are unpredictable (and extremely rare, too). No amount of computing power can change that.

Gergely

If a system would tell you when you are getting "dangerously close to the limits" but wouldn't restrict you in anyway, that would be an extra layer of protection.Let me give you an example of one of these extra layers that already exist. You have experience of the "amateur side" - how do you know when you are getting close to the IAS limit for your aircraft? You look at the ASI and compare the needle position with the limit mark on the scale. You then use pilot judgement to assess how soon you will reach the limit, and whether you need to take action.

In a modern cockpit such as the Airbus FBW, the ASI has a "speed trend" indication in the form of a yellow arrow extending up or down from the present speed. If the speed is steady the arrow does not show. If the speed is changing the length of the arrow shows you how quickly the change is happening, and predicts what the a/c speed will be in 10 seconds. So in this FBW cockpit the pilot has a visual 10 seconds warning before reaching the limit, and before the next protection becomes necessary. This is plenty of time to take action.

Regarding weather radar, in most cases the pilot will have 20 minutes warning of storms - why do you need more?

Regarding changes of flight control laws - the a/c cannot predict that this will be necessary, because the change is not necessary until a failure occurs. So no advance warning is possible.