CONF iture

Then why is it good enough for the 320 ?

AlphaZuluRomeo

That would be far more simple, indeed:
- for the engineering team to implement
- for the pilots to "understand"

Now, Airbus made a different "philosophical" choice. "Why" is a good question.
A guess: Alternate law retains "parts of" automation. What would we say if there was an accident and we found out that the accident could have been prevented by a protection/automation that was made inop because of a reversion to direct law, while the input data needed for this protection were available & reliable.
Exemple : Let's imagine AF447, the aircraft stalls but then the crew engage a recovery : nose down, AoA is lessened, speed come back. At this point, the PF pulls on his stick to go back to level flight but he pulls too hard.
If reversion to direct law => overstressed the plane => structural failure => irrecoverrable => crash.
If reversion to alternate law => g protection still available => no overstress => plane recovers => continue flight => lands with all souls onboard alive.

See the point? That's about "graceful degradation" if I understand the concept correctly.

airtren

I read your "may" as your making a cautious assumption, which is always welcome at the outset. A closer perspective can clarify if the more distant perspective caution is justified.

With the risk of repeating the considerations mentioned by AlphaZuluRomeo, with my own closer perspective and words:

As far as I can remember from when I looked closely at Normal Law protections, in an up-down sequential flow, the elements of the set are parallel, and independent.

Please note, dependency of more than one algorithm on a certain parameter, which, if I recall correctly is the case, does not make the elements of the set of algorithms dependent on each other, or interspersed.

An additional factor is that the Alternate Law is a subset of Normal Law, in fact a minimal subset, which means that the number of parallel algorithms in the set is minimal.

These are both elements that speak about simplicity.

It's good to remind us the philosophical and general principles, if there is a suspicion that the "higher" perspective was lost.

But I don't think it was the case, the perspective was/is there.

In the same time let's not loose the close perspective - while we look at the Forest, let's keep looking at the Tree we're concerned about.

The function of the Autotrim is an automation factor to "the Trimmed Stabilizer".

When Autotrim didn't exist, pilots did the trimming Manually - if the "trimmed stabilizer" was present - if there was no "trimmed stabilizer" on a plane, the pilot did NO trimming at all

So, the intention of the "automation" was/is to do the "autotrim", on behalf of the pilot, in those conditions in which the pilot would have done the "manual trimming". This is very important and should be remembered by everyone, pilots, engineers, system architects, managers,etc.... !

What do we have in the AF447 case?

We have the STALL condition being announced loudly - and after so much analysis, very clear in its meaning to us - and throughout the duration of that announcement, we have an "automation" decision/action of employing the "autotrim" to max NU, which obviously if it did anything, it helped the STALL.

The analysis work of last 2 years, performed by appropriate organizations, and the very clear and loud resulting recommendations for the required actions from pilots at High Altitude Stall Approach, or Stall is to bring the ND, which implies the strong recommendation of NO Manual Trimming NU during such conditions!

When remembering the few lines above, that the "automation"s role is to only do what the pilot would do manually if automation was not present, the answer to anyone's dilemma seems simple....extend the "don't do manual trim NU", with "don't do manual/automated trim NU"...

IMO, the recommendations for what "automation" is supposed to do during the conditions of the new recommendations for pilots are just one step behind. The lag seems to be normal, although the current dichotomy
present in some systems will need be resolved regardless of recommendations or not.

Dani

It's a big misconception that there is alternate law in Airbus fbw software. Of course we call it alternate, but what it basically is is a degradation of normal law. There is only normal and direct law, and the intermediate position where one degree of freedom still is in normal and the other not anymore is called alternate.

The more protection you lose, the closer you get to direct law. You could now design three dozens of different laws, a gradual sinking into direct law. To make it more easily, they invented 3 positions, which makes absolutely sense to me.

I said it and I say it once more: You as a pilot don't have to know in which law you are. There is no ECAM message "YOU ARE IN XXX LAW". You can fly the aircraft in any law. Just where the amber x's are, that's where you lost your protections.

Now you laugh at me and say "if they (AF447) would have been in normal law, the aircraft never fell into stall". This might be right. But as a wise pilot you just don't pull these maneuvers, even if you can (in normal law). "It is possible in normal law" is no excuse for behaving like an imbecile.

airtren

A common main path, versus different main paths is not really relevant. That's because a common path implies branching separate ways into separate sub-paths depending on Law, when decisions and outputs are specific and different for each Law, which ultimately is sort of equivalent. This type of sub-path, which be then the object of the considerations made in this discussion, is still technically a different path, even if a short one. In cases when outputs are similar, the branching/separation may be followed by a rejoining a common path.

Huh? Do I misread this, or is a typo?

The more protections you lose the closer you are to direct law.

Dani

Sorry, wrote it in a hurry, but you are right. Of course these are new branches, and software engineers think like that. I have nothing against it. I just want to help non software engineers to think correctly. Pilots get confused when showing too much complexity. They like it simple (anyone said KISS? ), because in the air and under stress you lose your ability to think in details.

When an outstander, which most of the contributers here are, hears about all this laws, he thinks: How could they have made it so complicated. It isn't complicated. Just think straight, think KISS, and Airbus is KISS.

airtren

For one understanding them well, they're simple - you're right

Interestingly, that applies also to algorithms and their implementation

This is a very good additional argument of why the SS (under PF control) should be placed so that it can be seen - under stress, the visual contact with the SS, is the easiest way to know what's going on with it.

CONF iture

Of course there are :

• F/CTL ALTN LAW
• F/CTL DIRECT LAW

Airbus is so KISS when manually flying that he trims for you ... but sometimes he does not. When he does not he supposed to advise you but it appears he may forget as well.

Don't rush your judgement as you rush your writing.

DozyWannabe

Doesn't a drop to Direct Law have an amber "USE MAN PITCH TRIM" annunciation?

Organfreak

Dozy:
Yup.

CONF iture

• But disappears in Abnormal Attitudes Law
• BEA pretends Altn Law was the active Law all the way

What I can report from my own experiment in the sim :

• I could not get a fwd autotrim
• But USE MAN PITCH TRIM FLAG was NOT displayed on the PFD

Dani

CONFiture:

it doesn't disappear, it never appears.

I do not doubt this. Imagine: No valid speed, therefor several fault messages from/through ADR.

Which is confirmed by FCOM. The aircraft behaves like they say it does.

This message appears in direct law, not in alternate law.

The only way you can tell that you are in alternate law is (apart from ECAM messages, thanks for the correction) are the amber crosses on PFD.

Dani

Lyman

What you seem to be missing, perhaps, philosophically, is the aircraft is mimicking the actual degradation of the suite of cues, displays, and controls that are the very genesis of the LAW degrade in the first place.

When, for any reason, cues and behaviour of airframe are lost to the holes in the cheese, how beneficial is it for the a/c to do the same? Fair enough, this is true for Direct DIRECT also. However, once in DIRECT, the skillset is less chsallenged, the a/c becomes a simple machine, not an automatic one. The interface is straightforward, and quickly acquired. At this point, airmanship is the key, not the interface that mimics it.

To change the response and controls automatically, requires an additional workload, and from my perspective, a most unwelcome one. Looking out the telescope frrom the small end, (what we are doing here), is easy, and without stress or penalty.

Looking through the telescope in reverse, (what the crew were doing), does not form a large enough background for global view. When the flying gets complex, why add additional changes that may cause consternation to a hyperfocused crew, looking for the ONE thing that needs the most attention? Simplification is the driving force, or should be.

The bottom line is the additional workload. Unwelcome, says I.

Right, Wrong, or Indifferent, the crew were unable to isolate the simplest move, get the Nose Down.

The confusion came from somewhere, I say a fair portion of it came from the platform. Fair?

CONF iture

Perpignan told a different story as the USE MAN PITCH TRIM FLAG was initially displayed but disappeared when the flight switched into Abnormal Attitudes Law.

Dani, what is that FCOM reference that could explain I was not able to get a forward autotrim ?

Old Carthusian

I rather think that it would not be a fair attribution to suspect the platform. The factor that might best describe what you're driving at would be 'Know your machine' which is a training and cultural issue. We have no evidence of a chain of command, CRM or use of standard procedures. Given that all of these seem lacking any platform is going to produce a similar result in similar circumstances.

DozyWannabe

And yet on the A320 sim I did. Have you tried talking to the sim engineers about that one?

Thus far there have been no emergency fixes released for the A330 in terms of hardware or software, but there has been a new stall recovery procedure which instructs use of the sidestick to push the nose down. This suggests to me that Airbus and the BEA got positive autotrim response when they tried it on their A330 sim.

Lyman

Not only that, but the MEMO, when released by BEA, provided no NEW MECHANICAL issues that hadn't been addressed....We don't go there....

OC... It isn't that black and white. There are four degradations that can obtain post UAS. ALT1, ALT2, DIRECT, and ABNORMAL. PITCH and POWER are nothing if not offspring of MANUAL, why present one or more of these different concepts when ostensibly, P/P is always the Drill? P/P is successful, or it is not, and if not, protection memory accomplishes what? Protections obtain when the pilot has lost control anyway? Why bother with stops along the way to DIRECT (PITCH AND POWER)? Did the a/c linger in NORMAL whilst P/P could be applied? If not, why not? And if inertials were such the hot ticket, why not blacken both PFDS in favor of an ISIS with reads in RED?

Complexity for the sake of......?

Another thought. Why leave NORMAL LAW at all? It is possible for NORMAL to retain, even with a/p loss. Just not with unreliable speeds.

Old Carthusian

It would still come down to training wouldn't it? Me, I'm no Airbus pilot but those who post on this board seem to have no problems with the system as configured. One can legitimately argue that it can be improved but then so can everything. It's logical and it works so I would be very leery of attributing any causal factors to it. The issue is really the inability to analyse the UAS correctly and the unexplained stick movements by the PF (we all have our suspicions but we can't be certain). I would agree that P/P is the drill but if you don't get your initial analysis right then it becomes rather moot.

infrequentflyer789

You're right, but it's also a general statement of the need to be cautious about what is or is not "simple" in software without detailed knowledge. A fair few years in software development has taught me that it's very easy for someone to believe they know enough about the internals of a system to assess the impact of a change request, when in fact they don't. Dependencies can be very subtle. Often the CR will eventually (sometimes only after the test start failing or the user bug reports start landing) hit the desk of the person that does understand the impact and result in an expletive laden exclamation about how that change could obviously never be done without a major redesign...

Unless you've actually worked with and modified (not just read) the actual code, I would always advise that caution. Sometimes I might even follow that advice myself [I have, I admit, been on both sides of this issue...].


Be interested if you know whether or not there would be a change required for getting AOA into the FCPC around the ADIRU in the event of ADIRU going "failed".

Stall warning.

And therein lies the dillema - warning vs actual conditions. Maybe I didn't expalin well.

If the 'bus flight control is in a mode where it is confident that stall condition is anywhere near, it will take action to prevent it (over and above trim limits). Normal law.

If it has lost confidence (e.g. airdata fail) about its condition but has indication that it might be stalling, it will warn the real pilots, but not take overriding action. The pilots can then use actual intelligence (of which the machine has none) to assess the warning and the condition of the a/c and take action. Worth looking at Perpignan report for another example of the difference (dual aoa failure, outlier aoa not trusted for protection but used for warning).

In this case, 447, the warning was actually right, and the pilots assessment fatally wrong.

Change it so the FCC will act and "protect" in the warning scenario based on known-bad data, then you might save 447. At the same time, you risk the warning being wrong (due to bad data), the pilot assessment and actions being correct, and the a/c "protecting" them into the ground...

I think the risks either way are going to be very very difficult to quantify which is why this is a tough call.

CONF iture

Your A320 sim didn't trim up under STALL WRN, and yet my A330 sim did ... as also AF447.

And we have Jacques Rosay, Airbus VP Chief Test Pilot, who states :