Hi Everyone,

1. What is meant by Fail-Operational Landing System using Fail Passive Rollout Control System?


2. Fail-Operational Landing System using Fail Operational Rollout Control System?


Look forward to your responses

M.865

Hi, Not certain about B777 - but the way I believe it works is:
Fail -Operational is when you have a second system able to take over if the first system fails:

Case 1). 2 autopilots available for autoland - but something wrong with the Roll Out system so the Pilot may have to complete the Roll Out if the primary system fails.

Case 2). 2 Autopilots working and either is capable of Auto Land and Auto Roll Out.

The terms are defined in CS-AWO 300 (www.easa.eu.int/ws_prod/g/doc/Agency_Mesures/Certification_Spec/decision_ED_2003_06_RM.pdf), paras (3) & (4).
Essentially, with a fail-passive automatic landing system the pilot assumes control of the aircraft after a failure. Following a failure in a fail-operational system the automatic landing system it will operate as a fail-passive system.

The sub systems and combinations (go around, roll out) are described in CS-AWO 321.

Operations Specification C060, which provides CAT III authority for US certificated carriers, makes reference to these terms. The original fail-operational systems were built for autolanding, but not rollout. So in the early days of CAT III, the dominant limitation was visibility during the rollout, so that one could actually stay near the centerline. In order to resolve that limitation, rollout guidance was developed. In some configurations it is conceivable to have fail-operational capability for the landing portion, but a lesser degree of redundancy for the rollout guidance portion of the system. Although I have no experience of this, I suspect this might be true for retrofitted systems that were not a part of the original design.

More modern designs incorporate fail-operational systems as a part of the original design. The same system manages the autolanding and the rollout; therefore, it is unlikely to have a degradation from fail-operational to fail-passive in the rollout portion of the system and not in the autolanding portion. It is possible to completely lose the rollout guidance and still retain fail-operational autolanding capability. My standard example is the rudder pedal nosewheel steering on the 767/757; the system can be deferred under the MEL while still retaining fail-operational autolanding capability. However, such a deferral leads to the loss of rollout guidance, since the autoflight system needs the rudder pedal steering to track the localizer after landing. This precludes the use of the lowest RVR otherwise possible.

OpSpec C060 contains a set of "boilerplate" paragraphs that are intended to cover all possibilities. The actual carrier-specific limitations are contained in Tables 1, 2 and 3 of the OpSpec as it is issued to the individual carrier. It is par for the course for the boilerplate paragraphs to create some confusion, because the typical training department doesn't take the time to really teach the Op Specs.

Hope that is of some use!