The writer was working as an Engineering Consultant at a German firm that designed large equipments and systems for commercial and military aircraft and helicopters. The writers’ responsibilities included the establishment and subsequent management of the Reliability, Maintainability and Systems Safety department, which operated as a part of the Product Support organization.

This was the writer’s second tour in Germany. He had previously worked as a contract manager on a major European fighter aircraft program. In the performance of his duties on his second tour the writer functioned as department manager and the writer was required to interface with other European companies that were involved on the same aircraft design and development program. In certain cases the writer would direct or advise individuals working within those companies.

In total, there were six companies, including the firm the writer was on contract to. The companies and their responsibilities are shown below.

Company “A”: This firm was the primary design authority and the primary integrator. They developed all primary design specifications, manufactured some major structural elements and assembled the aircraft. They also had the primary certification responsibility for the entire aircraft with the exception of the wings.

Company “B”: This firm designed the wing structure and had design authority over all of the various companies that supplied elements of the wing to include flaps, slats, flap and slat drive systems, fuel systems and interface with engine and landing gear suppliers. This firm also was responsible for the certification of the wings.

Company “C”: The responsibility of company “C” was that of wing integrator. There was minimal design responsibility and minimal certification sign-off. The primary function of company “C” was to take the wing structure which was built by company “B” and install the systems that were built by other firms to include companies “D” and “E” (see below). The completed wing was sent to company “A”, who installed it on the completed airframe.

Company “D”: Companies “D” and “E” shared component design and manufacturing responsibilities. In some cases, one company would design a component and the other company would manufacture that component and that part would then be used in the systems designed by either company. Company “D” had design responsibility for the slat drive system. This included the preparation of Reliability and Safety documents as well as after market product support. This is the firm where the writer was employed. The writer was also the lead engineer with overall responsibility for Reliability, Maintainability and Systems Safety documentation created by companies “D”, “E” and “F”.

Company “E” was responsible for the design of the flap drive system. The flap drive mechanism was designed and built by company “D” and the actuation system was designed and built by company “E”. Interconnecting shafting was designed and built by company “E” which also designed and built the tracks or rails that supported the flaps during their transition from the closed to open and back to the closed position.

Company “F”: Company “F” worked under the design control of company “D” which prepared the design specification for the computer which controlled the operation of the flap and slat drive systems. Company “F” built the flap and slat computer. The computer was designed and built with a great deal of system redundancy to include a self-diagnostic capability. The high degree of redundancy was necessary to minimize the possibility of placing the aircraft in jeopardy due to a system malfunction. Any computer-detected malfunction would cause the respective system to shut down. Additional responsibilities included all related Reliability, Maintainability and Systems Safety documentation.

To avoid any confusion by the reader in his or her attempt to digest the alphabet soup created when inter relating the misdeeds of companies A, B, C, D,E and, F, the writer will attempt to break them down into more easily absorbed components.

Both firms “D” and “E” constructed an “Iron Bird” of their respective systems. An “Iron Bird” is a functional mock-up that allows the system designers to simulate the operation of their systems. The systems comprise all of the dynamic elements of the system to include drive elements, gearboxes, shafting, position indicating units and dynamic braking elements. The “Iron Bird” actuating elements are connected directly to controllable load cells, which simulate the air, loads that the slats or flaps would react during flight. A separate computer and not the flap/slat computer control the load cells. Since the two “Iron Birds” were about 900 miles from each other it required that each “Bird” have its own flap/slat computer. Such was not the case.

Company “F” furnished company “D” with a fully functional “brass board” flap/slat computer. A “brass board” computer had all of the capabilities of a flight worthy computer but it was not built to a full production standard. What company “F” furnished company “E” was equivalent to one eighth of the “brass board” computer being used by company “D”. As previously stated, the flap/slat computer had a very high level of redundancy. The computer is broken into two major elements and each major element was broken down into four sub-elements. What company “E” received was one of the sub-elements.

The reason given by company “F” for refusing to provide a “brass board” to company “E” was that they suspected company “E” of luring away key employees of company “F” and stealing trade secrets. The writer’s company (“D” ;) tried to intercede but company “F” steadfastly refused to cooperate. The writer made companies “B” and “C” aware of the problem and they took no action. Although the contract specifically stated, that any situation that impacted the Reliability Maintainability and Systems Safety of the aircraft must be brought to the attention of company “A”, it never was.

The small portion of the flap/slat computer would allow commands to be sent to the flap drive unit on the “iron bird”, extending and retracting the flaps, but there was absolutely no diagnostic capability. The non-redundant element was “dumb” and if any malfunctions were to arise on the flap “iron bird” the problems would have to be solved using troubleshooting techniques initiated by technicians. One of the main purposes of the flap/slat computer was to diagnose problems and provide the technician with a real time indication as to which element of the system was at fault. The other purpose was to protect the aircraft from being damaged or being placed in aerodynamic jeopardy.

The prime purpose of the “iron bird” was to verify not only the flap system but the computer as well. This would be accomplished via insertion of known faults to determine if the computer was capable of detecting those faults.

Upon completion of all the testing, the documentation would be submitted to company “B” who would draft the request for certification for the flap system. Since only 5-10% of the overall test program was accomplished, the flap system was incapable of being certified. Company “A” was unaware of this situation and it can be logically assumed that the certification authorities were also unaware. The aircraft was eventually certified and has been in series production since that time

On the very first revenue flight, for a launch customer airline, one of these “certified” aircraft landed in Egypt and during taxi in, the pilot was unable to retract the flaps. Technicians checked the indicators on the flight deck and on the computer to no avail. The computer did not recognize the fault. As a result, the aircraft was flown back to Northern Europe in non-revenue status with the flaps fully extended. Upon reaching the home base, the technicians and engineers were unable to determine the cause of the lock-up. They eventually disconnected the drive system and hand cranked the flaps to the retracted position. Upon reconnecting the system, the flaps were cycled in and out several times and the aircraft was placed back in revenue service.

During the cycling of a sub-scale “iron bird/ where only a single slat actuator was being tested against a simulated air load, the test department at company “D” decided to disassemble the actuator to check it for wear. It was after the disassembly and cleaning of the parts that the writer was called in to checkout one of the parts. Examining the part under high power magnification, the writer observed what looked like a spider web pattern that had been etched into the flat surface of the part. Further inspection under a microscope showed tiny indentations or pits that were extremely small. The indentations were so close together that the pattern looked like fine lines etched in the surface. Inspection of the mating surface showed a mirror image of the same etched pattern.

The writer had seen this phenomenon before. Stray or ungrounded electrical currents that caused sparking between mating parts caused it. The writer discussed the problem with the stress engineer who stated that he too had seen the part but he insisted that it wasn’t spark erosion. He said it was stress corrosion. The writer knew that it was a no win situation to argue a point with a German engineer.
When the sub-scale “iron bird” was put back in service, the writer had a technician in the product support group perform a test. The test was to determine if there was electrical continuity between the actuator and the sub-scale “bird”. He reported that there was no continuity.

This indicated that the electrical currents, generated by internal friction of the actuator parts, could not flow to the ground potential of the “iron bird”. The writer was satisfied that his conclusion was in fact correct. Spark erosion could destroy the bearings and the highly polished surfaces of the actuator, running up the maintenance costs and possibly cause operational problems.

Armed with this knowledge, the writer spoke with a senior design engineer who was English not German. He authorized a check of the “iron bird” to see if the same problem could be detected. It could, and it was. The iron bird installation was in accordance with the same drawings that were used to install the system on the aircraft. If no continuity existed on one, it would not exist on the other, and this was a major violation of the certification requirements. The writer made a trip to England to talk to his counterpart at company “E”. He ran a continuity check of the flap drive installation on his “iron bird” and verified that his system was also ungrounded This further compounded the problem of not being able to properly certify the wing flap system due to inadequate testing. Now, not only were the flaps not properly tested, but also both the flap and slat systems were not properly grounded. If both of these situations had been made known to either company “A” or the certification authorities, the systems would have to be redesigned, the wing would have to be modified and a new stress analysis performed. Also, the flap system would have to be re-tested using a full-up computer. Yet company “A” and the certification authorities were unaware of the problem even though the writer made a noble attempt to make the proper notification via the so-called chain of command. In this case the chain was made up of non connected individual links. As previously indicated the contract specifically stated that company “A” is made aware of such problems.

The writer prepared a technical report outlining the problems with accompanying suggested fixes. The report was sent to the department director for his review and approval. He sent the report to his bosses, the program manager and the vice president of the company.

Outlined in the report were the ramifications of the problems describing the end effects on the aircraft. Those end effects were from the lowest to the highest end effect were:
1. The arcing (sparking) could effect the proper operation of the flap/slat computer, the inertial navigation computer, the fuel control computer and, other electronic systems.
2. Each time the flaps were retracted, the static charge on the flap surface would arc to the upper skin of the wing or to the rear spar. This charge could be as high as 400-1400 volts. The constant arcing could etch away material, weakening the skin or the spar and open the base metal to corrosion, which would further weaken the structure.
3. The built-up charge on the flaps could result in electrical shock to maintenance personnel.
4. The ungrounded static charge could cause internal arcing in power transmission elements seriously effecting gears and bearings. This would result in higher than normal maintenance, higher parts consumption and, higher operating costs for the operator.
5. The proper grounding is required to eliminate the above problems but the primary requirement for proper grounding or bonding is to protect the aircraft and passengers in the event of a lightning strike. If elements are not properly grounded a lighting strike could result in a localized explosion caused by the expansion of the surrounding air resulting from the induced arcing. The writer referenced a document prepared by company, “A” which specifically stated the design requirements to protect the aircraft from lightning strikes.
6.
The document described the two areas most likely to be hit by lightning. One was the nose radome, which had built in bonding straps, and the other was a partially extended slat. If lightning would attach itself to the partially extended ungrounded slat it could at least cause a total disconnection of the slat drive shaft system. At worst, the lightening arc across to the nearest slat jack and then arc across to the wing structure causing an explosion in the wing fuel tank resulting in the loss of the wing. The lightning strike document also defined the final test of the completed aircraft to verify that all systems and major flight control elements were properly grounded. This test would be performed by company, “A” which also wrote the document.

The response to the writers’ report was not what was expected. The vice president and the program manager stated that they would take no action and they would not comply with the contract, which required our company to notify company “A”. It was their contention that if our company identified a problem of any kind our company would be required to absorb all incurred costs of the redesign.

They further indicated that if company “C” were to identify the defect in the design they would give our company direction to change the design and we would be paid for our efforts

With that, the writer took a trip to Northern Germany to confer with his counterparts in company “C”. They read the writer’s report and their response was “déjà vu - all over again”. They stated that they couldn’t notify the writer’s company of a defect in our design without admitting that their design would have to be altered and, a new stress analysis performed. They too didn’t wish to absorb the cost incurred in the redesign, modification and stress analysis.

This problem was enriching the coffers of the European Airlines, as the writer was now off to England, to visit company “B”. The writer expected a great deal of support from company “B” especially since they were the wing designer and had the overall responsibility of gaining certification. After reading the report, they stated that they were sympathetic to the writer’s plight but they were not in any position to force companies “C”, “D” and,”E” to make the necessary changes. Later, with full knowledge of the design deficiencies and the fact that the flap system was inadequately tested, company “B” obtained certification on the wing.

Now, the writers only hope, was that the lack of electrical bonding of the flaps and slats would be discovered by company “A” when they performed the lightning bonding check, after the aircraft was fully assembled. The writer does not know if the test was never performed or if the test was unable to detect the lack of bonding between the flaps and slats and the wing structure. In either case, every plane that was rolled off the production line was an accident waiting to happen.
The writer could not notify company “A” of the problem because to do so would result in his termination. What the writer did do, was to create a CYA (cover your ass) file. This was necessary, to protect the writer from involvement, in any future litigation that might arise if one of the aircraft crashed. Legal culpability wasn’t a real problem if the aircraft was registered in any country other than the United States. But, if that model aircraft were registered in the United States, the writer would turn over a copy of the CYA file to the FAA Large Aircraft Certification Branch in Seattle, to absolve himself of legal culpability.

The writer returned to his duties as department manager and shortly thereafter the department director, an American was discharged. A German who didn’t understand the organization function replaced him. One of the first actions taken by the new director was to restrict the access of the writer to the test labs. Shortly thereafter, the writer and his staff were placed under the control of the engineering manager.

Since the writer was persona non grata in the test labs, there really wasn’t too much to do other than to concentrate on the training of the German staff members. It was during this lull in the writers’ activities that something happened in the “iron bird” test lab. It was so serious that only a few people knew about it and those, few who knew, were told to keep quiet, and above all, this information was to be withheld from our associate contractors and especially from company “A”.

The writer only learned about the situation after he finished his contract and had been working in Italy for almost six months. The writer’s new position was as a consultant to the director of an Italian helicopter manufacturer. His duties were similar to those in his previous position in Germany. Set up the program and train and supervise the staff.

The writer made frequent trips back to Germany, to visit friends. It was on one such trip that the writer had an opportunity to chat with the previously mentioned English design engineer.

He told me that they had been pressure cycling two hydraulic control modules when one of them developed a hairline crack and began spraying hydraulic fluid all over the lab. The two modules were part of a power control unit, which comprises the two modules, two hydraulic motors and a gearbox. With the exception of the gear box
internal design, the power controls units for the flap and slat drive systems are the same.

The control modules, as the name implies, control the speed and direction of the flaps and the slats. By pressure cycling the modules, the engineers could duplicate the stresses and strains that the module would see during each flight cycle. The pressure would cycle from zero to 3000 pounds per square inch and back to zero. The leak developed at about the 1800th cycle, which was equivalent to 1800 flight hours. The module was disassembled and examined, to determine the cause of the internal crack. A new module was built up and used as a replacement for the defective module. When the replacement module had been cycled 1800 times, the second non-leaking module was connected into the test stand and the test continued until several thousand more cycles were run.

Upon the completion of the tests, the modules, the gearbox and the hydraulic motors were assembled to form a slat power control unit. This unit was then installed on the “iron bird”. As soon as the hydraulic pressure of 3000 pounds per square inch was applied to the module, one of the hydraulic motors began driving the gearbox and the slats started to extend. The engineers were amazed, because the computer and the command sensor unit were both in off or retracted position. The computer was aware that the slats were moving but it couldn’t tell them to stop, because, it had not commanded the slats to start.

The slats moved to the full out position and mechanically locked-up. The problem was traced to an internal hairline crack that allowed the fluid to bypass a control valve and flow directly to the motor. The engineers had no idea how many pressure cycles had been applied before the crack developed. They also determined that the cracks (external and internal) had propagated from the same general area inside the module. The root cause was a faulty manufacturing process.

Had the cracking occurred early on in the “iron bird” development program there would not be much of a problem, but when it did happen, there were about seventeen aircraft in revenue service. This was a major problem that impacted the flight safety of those aircraft as well as the aircraft in flight test and in the production cycle.

If it occurred on the slat system during cruise flight, nothing would happen, because the air loads on the slats were greater that the power developed by the slowly turning hydraulic motor. When the aircraft slowed down to low speed cruise the air loads would decrease and the slats would slowly extend. This too was not much of a problem because the pilot could still control the aircraft. Besides, the pilot would be extending the slats anyway, in preparation for landing.

If an external leak developed, it would result in the loss of a hydraulic system. This would not constitute a problem because the aircraft has three hydraulic systems, and the aircraft could be successfully operated on two hydraulic systems. In a pinch, it could be operated on only one system.

However, if the internal crack developed in the flap power control unit during high-speed flight, the flaps would slowly extend. In the case of the flaps, the air loads assist the flaps in extending. When they extend to a critical point the flaps could be torn away from the wings causing loss of control or the wings could be torn away from the aircraft. Either way the airplane would crash and everyone aboard would perish.

Because of the magnitude of the problem, company “A” and the certification authorities should have been notified and the seventeen operational aircraft should have been grounded until a certifiable fix was implemented. Such was not the case. What company “D” did, was to take seventeen ship-sets of power control units and they incorporated what they felt was an acceptable fix. They then contacted the operators, telling them that they had improved the design of the power control units and they would provide two “improved” units along with a technician to exchange the “improved” units for the installed units. The airlines thought that it was a good deal, so they accepted their offer.

It was never determined if the fix solved the cracking problem. It is the writer’s opinion that the fix will only delay the onset of the crack development.

This information was added to the writer’s CYA file and promptly forgotten. Several months later while perusing an American aviation journal, the writer came across an article stating that the aircraft under discussion was about to receive FAA certification. This caused the writer to take action. He promptly made a photocopy of the CYA file, added a cover letter and fired it off via international airmail to the FAA office in Seattle.

Two months later, the writer received a short letter from the FAA thanking him for his comments. Two months after the first letter a second letter arrived. This letter stated that the FAA had brought the matter to the attention of their French counterparts and the French stated that they were aware of the problems and that the systems were modified to certification standards.

With that news in hand, the writer contacted his English friend who was still working at company “D”. The writer inquired about the status of the system design in light of the French reply to the FAA. The writer was told that the design had not been changed. This prompted a second letter to the FAA, in which the writer absolved himself of any culpability in the event of a crash. The writer further stated in the letter that the FAA would have full responsibility, if they didn’t take action. The writer also requested that his name not be used if the FAA confronted any of the involved companies, as Europe was a fertile ground for a consulting engineer. Since there was a strong interrelationship between European aerospace firms, being blackballed by one firm was to be blackballed by all of them. To further protect himself the writer would inform future clients of his actions before negotiating a contract. The writer was to work on two more contracts in Europe. One in Italy and another in Holland.

While still employed by the Italian Helicopter Company, the writer took his final trip back to Germany. While walking down the main street, the writer observed a BMW pull up to the curb. The door opened and out stepped one of the writers former staff subordinates. He asked the writer if he had written a letter to the FAA. The writer replied that he actually wrote two letters. The writer asked the reason for the question. He was told that there was a major investigation headed by the FAA and that the vice president and the program manager were fired. He also stated that the FAA had shown my letter to everyone involved. So much for future work in the European aircraft industry.

While still working in Europe, the writer made frequent trips to England and Northern Europe. On several of those trips the writer found himself flying on one of those infamous aircraft. It was white knuckles all the way. The writer was constantly observing the wings waiting for something to happen. In Europe, passengers can request to go forward to the flight deck. On those trips, the writer would query the pilots as to how they would counter a flap runaway or non-commanded flap operation. They would always state that it would never happen, because the computer would stop it. Upon hearing their answer, the writer told them the story. When the writer finished, the pilots would stare blankly out the window. The writer then told them how to counter such a condition by shutting down two of the three hydraulic systems. This would stop the movement. The writer went on to say that they could then turn on one of the two systems. If the flaps started to move, that switch would be placed in the off position and the other switch turned on. If the flaps didn’t move, when the first switch was turned on, then the second switch would be left in the off position. The writer further stated that they had only a few seconds to take their initial action of turning both systems off. The writer further suggested that the pilots inform their training departments, so that this condition could be incorporated into the simulator-training syllabus.

Upon returning to the United States, the writer would on occasion contact any new operators of the company “A” aircraft, telling their training department of the problem and suggesting that they incorporate the flap runaway condition into their simulator program. Once, when the writer was on a well-deserved vacation, visiting his oldest son in Montana, he contacted another operator to explain the problem and the suggested counter action. They expressed some degree of surprise at his calling and thanked him. Several days later the writer received a call. The woman on the other end of the line identified herself as a member of the legal staff of the American subsidiary of company “A”. She stated that the operator who wondered why they had not been informed of such a serious problem had contacted her office.

The lawyer asked the writer why he was badmouthing their product, which had been certified by the European and American authorities. The writer explained that the problem was kept secret from her company and that he made those calls in the interest of safety and not to defame her company and its products. The writer told the lawyer that he would gladly stop making the calls, if the lawyer could arrange a telephone conference between himself and an engineer, who could explain exactly how company “A” solved all the problems. She agreed to set up such a teleconference but needless to say, the call never came. The writer did stop making his calls, but he didn’t lose interest.

FOLLOW ON INFORMATION: The nature of the program was that companies “D” and “E’ would alternate in the lead rolls in the design of the flap and slat drive systems. On the follow on aircraft, company “E” would direct the efforts of company “F” the builders of the flap slat computer. Company “F” openly stated that if company “E” were lead contractor, company “F” would break from the consortia and bid on the contract as an independent firm. I do not know if this came to pass as by that time I left the program. In any case, I firmly believe that company “F” was intransigent in their way of doing things and did not adequately perform a proper Failure Mode Effects Analysis on the Flap Slat computer so the problem goes on. As an added note an Air Canada A-320 had the flaps retract during takeoff and the computer did not stop this action and the pilots had to power their way out of the situation.

If you fly an Airbus and your Flaps or Slats have uncommanded movement you can do one of two things. Shut off both hydraulic systems powering the effected system. Turn one system on. If the system moves then shut that system off and turn the other system on. If the system does not move, leave the other system off. You can also take your chances by turning one system off and leaving the other system on. If the movement stops then leave the other system on. You have to be fast for the second option because if you guessed wrong the following air loads will pull the flaps out and then there is a third thing to do and that is to pray.







------------------
The Cat

Just in case you didn't see this on the A-320 thread below I am adding it in for your further information.

In a previous post someone made the comment about mismatched wires and indexed connector plugs and how could this lead to the problem discussed in this thread. Here is how it could happen. A major German supplier of power drive systems for the secondary flight control systems on Airbus Aircraft did not incorporate indexed electrical connectors on any of the components they supplied on the A-310. It was their contention that they would impact the delivery schedule of their systems to the wing integrator and besides, it would have a severe impact on the cost of their equipment.
With this in mind consider the following. The only means incorporated in the wiring system to combat misconnection of connectors onto an appliance was tiebacks on the wire looms. The first time the appliances required maintenance or were removed for cause thew tiebacks were cut. After the maintenance the tiebacks were either not replaced or, they were not in the same condition as before the maintenance. This would allow for cross connecting. If the wires were cross-connected on the PPUs the first time power was applied the flap or slat system would shut down and the computer could not diagnose the problem. If the wires on the command sensor unit were cross connected there would be no indication as to the problem but it would seriously impact the problem of trouble shooting if a defect were to occur.

If a connector were mis connected on the power control unit the system would not operate correctly and the effected system would most likely lock up and to top it off the computer may not be able to diagnose the problem.

I can’t say if this problem was rectified on later models but it still exists on the A-310.

If you want to hear more about this and other problems go to my posting entitled “How safe is your aircraft”?, on these threads.


------------------
The Cat



------------------
The Cat

ISN'T ANYONE INTERESTED IN THIS SUBJECT? AFTER ALL A LOT OF YOU FLY THE SUBJECT AIRCRAFT.

------------------
The Cat

too many words, not enough pictures.

did nobody tell you that a pilot's normal attention span is only.........sorry what was this about?

Started reading the long piece, but got lost somewhere between supplier E and F.
Gave up.
Pilots are simple souls: If it don't involve
beer, sex or flying stories, it ain't no good.... :)

------------------
Men, this is no drill...

Worth perserving with, if only to get an insight into the absurd politics and human ignorance - never mind to be made aware of some alarming problems that might be encountered on the Scarebus!

Why is everybody complaining about the way the airbus is built? Boeing also assembles the planes in the Seattle area form components gathered all over the globe. Everybody that has ever had to deal with maintenance knows that almost every plane is different. serial# ... has this ,but from serial#.... this system is installed, modified after serial#.... Sounds familiar? Fun to do maintenance with all this fine print

Lu Zuckerman

You can not change the system, unless at great personal risk.

Where did you get this stuff ??


------------------
Smooth Trimmer

To: Streamline:

As indicated in the posting I worked on the program as manager of RMS on the wing secondary flight control system. Everything in the post is true. I have been in the industry since 1955 and I started in RMS in 1968. I have found problems on every program that I worked on and 90% of the things that were wrong were never corrected because of many reasons including cost and pride of the designer. I swear that I will never do this work again for the above reasons but I can't do anything else unless it is teaching which I do on occasion. I am now working on the newest Jet to come onto the market and when I finish that job I'll be working on the A380. I'm 70 years old and I'm still slogging my way through life.

------------------
The Cat

To:Lu Zuckerman

Maybe you should propose to work for a technical commission within the CAA structure or pilot organisation.I am sure they can use someone with your integrity.

------------------
Smooth Trimmer

Sure know now why many companies' travel departments avoid travel on AirBus aircraft if at all possible.
To be fair, the Boeing Company has not been all that straightforward with regard to the rudder hardover incidents, which date all the way back to the 707.
And Douglas....well the DC10 after inital problems has turned out ok, only now to be retired by many airlines (except as freighters). The MD-11 seems to turn turtle on landing from time to time,.....so that leaves....the Lockheed L1011 as the best?
To those that have flown this wonderful aircraft, nothing is better.

LU Z.

I have read your posting and I understand fully that you were wondering why there were no comments/reactions.
An eye opener it is, your article and the way it is written makes it understandable for all in this industry. Companies A through
F.are easely identified.
Now, with your experience and insight, would you agree with me that at the U.S side of the ocean there are also companies A to Z in the same industry and having the same ethics.
(Now Tower D. is gonna read your article in full )
I also took the effort to look up several of your previous postings and I am with Straemline here, you are an "asset" worth to have in house.
And as for company "D", we where not impressed from were I came from.

I will read your future postings anytime.
Best regards
AV

Yes, the whole saga made me think about the 737 hardover issue (although there it is only Boeing primarily involved on that one)

The advice to pilots regarding shutting down the hydraulics reminded me of the DC-10 which lost control to the elevators in-flight. The pilot had previously considered this possibility and (independantly) practiced landing on differential flaps (or was it slats? long time ago) on the sim, and as result got the 'plane down safely.

The modern transport aircraft is a wonder of self-diagnosing and redundant systems so it's not surprising that accident rates are low; but there's always been the "if this happens, and if then that happens" possibilities. Irresponsible of manufacturers (whether East or West of the Atlantic) to sweep safety under the carpet, or "cost evaluate" pax lives.

------------------
What goes around . . .
. . often lands better!

Do you really think that anyone in their right mind is going to read all of that??????

:) :) :) :) :) :) :) :)

It is an amazing account. Sadly it is all too common in todays litigious world. I have never had a problem with the flaps on the A320 but I do know of a nasty incident when negative g activated the wing tip brake with the flaps at full. The ECAM said place the flap lever to 3 (it assumed asymmetry) and the crew then had the wrong flight control bias for the existing flap position. That was a computer software problem, but it was swept under the carpet in a similar manner.

FL390

Part of the problem is that people are not prepared to listen to or read such accounts. I did read it through, it took all of 5 minutes. Furthermore there is nothing in the least amusing about it. It is potentially a nightmare situation for you guys out there who have to fly the aircraft. I do not fly it anymore, although I had a very high regard for it when I did.

Very interesting reading to say the least. I would suggest that people print this out and take time to read it. You'll have no problems identifying the companies involved. And this shouldn't just interest Airbus fliers, but all pilots, because you can be damn sure that ths kind of thing happens at all Airplane Manufacturers, whether they sub-contract or not.

Thank's LU, it's having people like you posting on PPRuNe that make it worthwhile logging on. Scary to think that selecting a flap setting (or activating your rudder) could trigger off a disaster, all because the maufacturers want to save money or even save face.

I'm not a pilot, just another sort of techie, but I read it all the way through. Twice.

Deja vu all over again.

The saga of the booster joints on the Challenger shuttle is eerily similar, with tenders, competing companies, CYA files, warning events, "lost" reports etc.

There are plenty of similar stories in my field. Try building a hospital.
Is this sort of "company/project culture" an unchangeable, inevitable part of human nature?
Will we EVER learn? I dunno.

Courageous post. Pity that there aren't more people like Lu around.

Many of the younger guys have been mesmerized by the AirBus FBW system, and how it can "protect" the pilot from a problem. The older guys certainly know better, Murphy's law is there to catch the unwary. In addition, it has created a group of young guys who have VERY poor airmanship, and a lack of understanding of the required aeronautical skills. The type is best be avoided, crew or pax.

My intuition tells me that in order to increase their share of the market Airbus was forced to explore new areas, hence new and greather risk.

In stead of using the FBW to improve on performance they concentrated on the flight control laws, affecting the pilots more than payload.

Once they found the money to finance it there was no way back.

We will see how big a gamble the A 380 will turn out to be.

------------------
Smooth Trimmer

[This message has been edited by Streamline (edited 06 June 2001).]

Lu Zuckerman..some good points there although I have to suggest that the actual number of incidents/accidents involving Airbus aircraft semms very low (perhaps by luck).

There are a significant number of problems with all of the Boeing range which are very serious.

737: Rudder hardovers, has killed people and only now taken seriously (how could it be ignored)

747: CTR tank fuel pumps. Killed all on TWA and destroyed Thai 737 recently.

767: Elevator problems of significance. Inferred that Egypt Air crash was suicide but this far from certain. Additionally on One Engine at MLW, the autopilot on this aircraft will not intercept a localiser without rolling inverted. Amazed it was certifiable.

MD11: Final report on SR111 not yet released but understand that when it is both airline and manufacturer will be criticised harshly. Particularly in relation to wiring circuits/insulation in area around O/H panel.

My point is that no single airframe manufacturer should be isolated in this regard. So far in terms of actual loss of life, Boeing appear to have more to answer for than Airbus - however Airbus should not become complacent.

I suppose it is all a matter of 'acceptable risk' (hate that term). The Kapton wiring fiasco is a great example. The US military won't jeopardise their aircrew with this stuff but airfliner manufacturers don't seem to care.

411A - I'm sorry but you seem like a very bitter old man. No doubts the same criticisms you level against young pilots were said of yourself years ago. Who cares if you can fly a great partial panel NDB approach on one engine in a DC6 or whatever - it isn't overly relevant any more.

The chance of being on partial panel (ie: a turn & slip indicator and a magnetic compass) is so remote it is deemed - rightly or wrongly, an 'acceptable risk'.

An ability to understand malfunctions of Flight Control Computers is deemed more relevant and these new guys sure are hot on that stuff. Even then (as a recent A300 incident in your company demonstrates) most of the new guys still have very good stick-and-rudder skills - which in that case saved the day.

The newer breed of pilots I do admit are not as skilled in certain areas as we are but it is largely in areas that are irrelevant. I am as happy to fly with most of these guys as I was with most of my peers ages ago.

Your comments re the L1011 are also a little deluded. Have flown most of these things and prefer my A340's and 777's any day. The Trimotor was overly complex (DLC!), underpowered, smelly and didn't have enough wheels! Nice to fly though.

I normally only read. But this one requires a response to FL390. You must not be aware of the multitude of problems that have occured with Airbus Industries. This is only one of many. My company will not allow any employee to board an Airbus under any circumstances. Get the message son.

Which company is that..............Boeing???
Seriously though - suggest that as per my previous post you may well have more to worry about on a Boeing than you realise.

They all have their faults.

<font face="Verdana, Arial, Helvetica" size="2">Who cares if you can fly a great partial panel NDB approach on one engine in a DC6 or whatever </font>

Well developed & sound flying skills not relevent? It would be putting it mildly to to say I don't agree.

It's not whether or not those skills are used to fly partial panel, asymmetric NDB circling approaches in a DC6. The point is I think 411A is making is whether or not those skills are there just in case they're needed.

Think of how many times incidents occur that require the exercise of just those skills eg the DC10 with that had an uncontained disk failure, or the Gimli Glider (to pick the first two to come to mind).

Nasty events & occurrences [i]will[/] happen but now the potential range of nasties has widened to include computerised & automated system malfunctions.

Indeed...and the partial panel SE NDB approach in the DC6 is something that simply isn't relevant any more. Good stick-and rudder however still is needed (and would have helped save China Airlies pax).

411A however strikes me as one of those miserable old sods who begrudges everybody else that has done better than himself (esp CX pilots) and has let this influence all his thoughts.

New pilots are no worse than the old guys - only with a different operational focus. I'm happy to fly with them anytime.

To: All,

It was not my intent to single out a specific aircraft. In a previous post in this thread I indicated that I have been involved in Reliability, Systems Safety and Maintainability since 1968 and from that time to today I have worked on all types or equipment and systems. In that post I indicated that on 90% of those assignments my recommendations for change and those of my colleagues were ignored because of the attitudes of design engineering. Their reasons for refusal were manifold and included, they didn’t want their designs criticized, they had a not invented here complex, they said it would add to program costs or, the suggested change would impact the schedule. Theses are a few as there were many more to include that they wouldn’t change the design on the basis of a few calculations from a “numbers cruncher”. This sadly in many cases was true. The RMS Engineers in many cases have no mechanical or electronic background other than that from the courses in University. They do not have a clue as to the actual operation of the equipment and they eventually look at the equipment and systems as mathematical entities and they end up manipulating number to make the systems meet the spec requirements relative to RMS.

The only Boeing system I ever worked on was the V-22 and I was fired from that program because I kept bringing up the possibility of decreasing the reliability of the hydraulic system because of a design peculiararity of the Bell designed Prop Rotors. On the Apache program I identified 27 different design defects that would effect RMS. My report to the US Army was time sensitive but it was held up beyond the due date by the assistant chief engineer because he did not agree with my usage of the terms shall and will. When I provided the proper usage references he released my report but it was too late and the 27 identified items were cast in concrete and contributed to the unreliability and poor maintainability of the AH-64. The Army is still paying for that engineers intransigence. I could go on and on.

Investigate any program from Civil Aircraft to automobiles and everything in-between and you will find the same problems.


------------------
The Cat

Tom Tipper---
You missed the boat once again. In over 30 years of airline flying, I have done very well, nearly all tax-free overseas. However, that avenue is closing for expat guys now, as airlines realise that very high pay (CX as an example) can no longer be supported due to competition from other lower cost carriers. The only places that you find the big bucks (Korean as an example) are where there is a large area of concern, and they have their own unique set of problems.

One of my last assignments was to qualify junior F/O's in older wide-body aircraft after they had been in the AirBus glass cockpit environment for an extended period.
The airline was so concerned about the lack of basic airmanship and situational awareness that the sim and line training program was extended to twice the normal in order to cater for the reduced flying skills.

The young guys sure may be hot stuff when it comes to computers, but when the screen goes blank, or the problem has not been seen before, the basic handling skills needed are just not there. OR, if they are, and the aircraft does not respond to the desired input from pilots (recent A320 in Spain), then the situation becomes grave indeed.

Nothing at all wrong with computers and highly automated flightdecks, so long as the required skills are THERE in the event of a problem. To advocate otherwise showes your basic lack of maturity

yeah whatever.

411A I really must take exception to some of the drivell you are coming out with.

&lt;some companies will not permit employees to travel on A320&gt;

In the light of some of the over-patriotic protectionist scams that come out of the good old USA this is no surprise. American aircraft are built like American cars - Overweight, overpowered and very uneconomical. Check out the trend of Boeing market share in the world.

&lt;...qualify junior F/O's in older wide-body aircraft after they had been in the AirBus glass cockpit environment for an extended period....airline was so concerned about the lack of basic airmanship and situational awareness that the sim and line training program was extended to twice the normal in order to cater for the reduced flying skills.&gt;

- Having come from a well designed aircraft that has an interface that povides excellent situational awareness - I am not surprised. Airmanship comes from the experience gained as the sum total of your exposure to abnormal situations both practical and technical. If you are saying glass guys do not get exposure to practical 'situations' then you are clearly wrong. If you are saying that they do not get as much exposure to technical abnormals then this is probably true as the industry is becoming a safer place with more modern aircraft.


&lt;the aircraft does not respond to the desired input from pilots (recent A320 in Spain), then the situation becomes grave indeed&gt;

As has already been thrashed out they should recognised the signs of windshear earlier and executed the correct procedure - NOT continued into an uncontrollable situation.

In this business judgement is more important than flying skills (although a certain min standard is required).

FBW aircraft are here to stay. I was brought up on heavy metal with big levers & lots of big rods & cables. I have several thousand hours on both Boeing & Airbus types. I am currently a Captain on a Boeing but I would take the A3xx anyday for excellence of design, comfort & safety.

Put some reason behind your arguement or pipe down.

The only post with any incite so far comes from 411a.To defend the Eurobus simply because you have the misfortune to fly it is stupidity itself.I have flown most Boeing models and all have faults(not many though and the 777/744 are as perfect as you can get today).It would be refreshing to hear from an impartial Airbus driver who has the guts to 'come clean' on its obvious software design faults.
In the latest incident,I do think windshear is being used as a scapegoat.Comparisons to the microburst that occurred at DFW in August 1985 are a desperate effort to avoid culpability.By all accounts,the windshear encountered on this occasion was recoverable if the poor Spanish pilot had been allowed to execute that recovery.
THe design flaws of commercial aircraft only surface when the chips are down(ie.non-normal operaions).I am fully prepared to admit that the Airbus is a nice safe package under normal conditions,but it seems to me that when the unexpected happens ,extrication from those set of conditions is a real battle for the pilot.
It is how the Airbus has responded to these abnormal events that will serve as its final testament when judgement day comes in the year 2020 or so,and the aircraft is put out to pasture.
Leave FBW and software control laws to high performance military aircraft that need it.In commercial aviation,let the pilots fly the damned thing.

PAX speaking !

(but with a lot of sim and software background)

What happens in a fbw aircraft when the computer is presented with conditions/situations that nobody anticipated? We all know that most aviation tragedies are the result of a "chain" (eg the 1011 in the everglades way back - a couple of dozen "chain events")

Can a pilot with excellent "stick and rudder skills" do anything about it? Will the computer(s) allow him to exercise those skills?

I love travelling in the "ScareBus" - it's my preference "across the pond" against my alternative 767 (from a pax comfort aspect) I was impressed by the "glass cosckpit" when a kind GF skipper allowed me to visit while en-route to UK, but I was a tad nervous when there was a "tray table" where the "pole" should have been.

When sh|t comes to bust, can a good pilot, with great "stick&rudder", tell the computer(s) to "reggub off" and have full command of the aircraft.

(I'll admit that, with a trained monkey at the controls it's probably better for the computer to be saying "reggub off", but I don't want to fly in an aircraft with a trained monkey flying - I'd rather have a skilled aviator)

How much over-ride does a good pilot have??

------------------
What goes around . . .
. . often lands better!

Caulfield---
I'm afraid you are preaching to the choir, and the choir only knows one tune...."don't confuse me with facts, my mind is made up"
And the choir is mostly made up of junior guys, hardly a fountain of useful information.

411A, Perhaps the extended training was because the instruction wasn't very good. Never seen a general problem converting either way!

BusyB--
And you would be a trainer/TRE/IRE or company designee now or in the past?

411A, Yes. You still haven't answered my question though, have you?

Lu;

after reading your long ones (here and the other thread) i come away with-

the reason you didn't notify company A was basically the same reason the other companies did not want to tell company A-MONEY.

how can you "transfer" responsibility to the FAA?

and then you requested your name be withheld for same reason-MONEY.

i am in no way condemning, but as we evaluate the information in these threads about this and the cost of lifes, we have to remember that these companies are often run by PEOPLE just like us, and it is amazing what we all will do for the money.

though the specific details over the years have changed a bit, some of the big points in history haven't:
we aren't called serfs anymore, but the big money people still only care about their money and don't care about the "common" people who work and fly in their machines.

i really loved the line, "when the writer finished, the pilots would stare blankly out the window."

what else could they do?

they were evaluating what you told them and pondering if you had escaped from a mental hospital, (you came on board) or where the nearest suitable airport was.

can you imagine the pilots trying to tell their training departments to incorporate that info about a malfunction that is "not supposed" to happen?

they will be stared at! and blankly at that!

then your encouraging information about the wires/pins/connectors.

and you actually asked, "Isn't anyone interested in this subject?"

we're all staring out the windows!!

again, not condeming at all, but more like;

"uh, thanks for the information" stare out the window and wish it was legal to drink in cruise.

and as metro driver said, how much about the Boeings don't we know?

i am on the Boeing now-the classic 300/400's but they are aging as fast as i am.

i have a job offer to go the the Airbus 320 in NYC but NOW have a real problem with that.

at least i am familiar with the B737. but as they age, their weak spots will rise to the surface soon enough.

and who knows all about the new generations with all the pressure that Boeing has been under lately?

the only reason i still fly them at times is the same-MONEY. how many pilots will fly for free? we all want more money.

and that's just the aircraft itself.

let's not talk about the possible problems each time you let passengers and baggage on board. and don't read the labels on the soft drinks and think about what is really in the crew meals!!!

we'll all be JUMPING out of the windows!!!

so for the Boeing: keep some fuel in the center tanks, stay away from the barber pole, add ten knots to all the flap speeds and don't go to the high altitudes where the yellow lines in the speed tape get close together.

new proceedure for recurrent training should be two days in the sim and then at least one day reading all the threads about our specific aircraft!!

something's gonna get us:

airbus or angina
boeing or botulism
computers or colon cancer .........

again, thanks a lot for the information, but pardon me while i look out the window. a little of the "carpe diem" thing. enjoying the view before the thing goes inverted.

and on a diversion line of thought
i have always been amazed at how they legislate that pilots must have 8 to 12 hours between bottle and throttle, depending on what part of the world you fly in, and the people who rule the world, have wine in their hands when they make these and other world steering decisions.

and does any one really wonder why we chase the cabin crew every chance we get?? with aircraft the way they are, every chance might be our last.

cheers

BusyB---
The described training was done mainly by the aircraft manufacturers reps, or guys with long experience on type. No problem from that end.

ExSim you hit the nail on the head. I for one want total direct control of my aircraft if ever the s**t hits the fan. Im not talking about simple things like engine failure but major bloodey catastrophes where everything is falling apart.
The A320 "chainsaw" incident spoke volumes about the Scarebus philosophy in eliminating the pilot out of the direct-control loop. Ive got almost 13,000 hours (8,000 total on medium jets) and you cant pull the wool over my eyes and say he could not have flown out of that manouver in that configuration if there were no damn computers on board. What amazed me was that the so-called experts said the A320 computer-input accomplished a survivable crash better than any pilot-input. Hello! What caused the bloodey thing to prang in the FIRST PLACE!

To: stator vane

Yes it is true that I didn’t contact company “A” because of money as to do so, I would have committed occupational suicide and would never work in Europe again. However after leaving that contract I worked on three different jobs in Europe and on all three I told my potential employers what I had done. I tried every thing to get my employer (Company D) to understand the ramifications of not complying with the contract and that if anything happened they would be financially liable. The reason I turned the problem over to the FAA was to eliminate my financial culpability should one of the aircraft get pranged and killed a lot of people. In the USA damages are unlimited in the event of a crash and the lawyers can go after anyone that had anything to do with the design of the aircraft including the RMS engineers. A case in point is the crash of a commercial CH-47 in the North Sea several years ago. The lawyers not only sued Boeing they went after the senior transmission designer and two of his men because the change they made to the gear boxes proved to be faulty resulting in the crash.

By turning the problem over to the FAA I went on record as having made them aware of the problem. Asking them to not mention my name was to protect my earning capability while working in Europe. Again that ties into money so, I guess I was guilty a second time. The FAA not only revealed the source of the information (me) they also made the report available to the RMS group at Boeing in Seattle. Even after company A was made aware of the problems the design was never changed. Now there are several questionable ADs on the slat and flap drive system. The original was written by company A and was translated from French to English by the FAA and the Canadian MOT. In reading the two English versions of the AD you would believe that they addressed two different aircraft. There is no telling what the French version said. I brought this problem to the attention of the FAA, the CAA and the DGCA and they were totally unresponsive. It just goes to show you, they don't care either.


------------------
The Cat

Just when I thought the forum was turning into a coffee klatsch.
Thanks for the post, Lu Z.
Next time, in order to grab the attention of bored and apathetic pilots, try to start out with your summary: how to solve the problem when we encounter it by immediately flipping those switches.

I´d like to know what else I should be on the lookout for.


411A, your point is unpopular, but I agree. And I´m not an old sod (yet).

Lu;

thank you for the response.

and i hope not to over extend the welcome, but since i may be going into the A320 but haven't been in it yet, though studying the systems via an aftermarket publication, could you tell me in clear terms, which hydraulics to turn off if that should happen. you said there were three systems and to turn two off.
is it intuitive to know which two of the three to choose?

and perhaps i have been at an 8000 foot cabin altitude too long, but this morning while waking up, i was reminded of the Welsh miners and the disasters they endured. i visited a mine in Wales and was impressed with the dangers that they faced every day at work.

i felt a strong connection with them.

we do just the opposite from going under the ground, yet there are many similarities. we fly these aircraft and are often unaware of the hidden possible dangers that surround us. hidden by the designers and builders of these tools which we use to carry passengers around with.

the more things change, the more they stay the same.

To: stator vane and Bigmouth

The following defines the hydraulic systems and their relationship to the flaps and slats. This applies to the A-310 but I believe the same is true for all Airbus aircraft (Please check to make sure).

The A-310 has three hydraulic systems. Green, Yellow and Blue.

The Flaps are powered by the Yellow and Green systems.

The Slats are powered by the Blue and Green systems.

The Green system is the primary system so it will take a bit of guts to turn that system off as well as one of the secondary systems but then again you have no choice. It is only for a few seconds and after all, what can transpire in a few seconds?????

Here is another point to ponder. I told my employer to incorporate shutoff valves on the power control units to accommodate this potential failure. They indicated that it was an aircraft problem and company A should incorporate the valves. Company A was never told of the possible problem of a runaway so they didn’t incorporate the isolation valves. Now, when it happens, the pilots must place the passengers and themselves in jeopardy when they shut off two of the hydraulic systems not knowing if they can turn one of them on again.


------------------
The Cat

[This message has been edited by Lu Zuckerman (edited 08 June 2001).]

[This message has been edited by Lu Zuckerman (edited 08 June 2001).]

[This message has been edited by Lu Zuckerman (edited 08 June 2001).]

Pilots and engineers need each other but have very dissimilar jobs.

In the 320 the flaps are indeed operated by the Green and Yellow Hydraulic system, wich are also the main systems.

They way I read fcom 1.27.50 p1 the problem has been remedied by the adition of wingtip brakes. wich activate in case of flap or slat assymetry, overspeed, symetrical runnaway, and UNCOMMANDED MOVEMENT.

Should you switch of the 2 main hyd systems instead of relying on the WTBs you wil be at FL390 or so in ALTERNATE law on ONE SPOILER with only ONE ELEVATOR active wich wil move at half speed, further more you have just disabled the left WTB. Have another cup of tea hold the bikkies.

It is a PILOT'S reponsibility to make sure that he has the LATEST fact before making up his mind to execute any procedure.

Good day

[This message has been edited by Haas_320 (edited 09 June 2001).]

To: Haas-320

The thing that precipitated this thread was that the A-310 Iron bird experienced a slat uncommanded runaway and the computer which was in the non-commanded (at rest) condition did not recognize the movement nor, could it stop it by commanding the wing tip brakes to operate. The second situation mentioned in my posting was that an Air Canada A-320 experienced an uncommanded flap retraction on takeoff. The computer did not activate the wingtip brakes and only superior airmanship and full engine power saved the day.

Also, a Lufthansa A-310 on its’ first revenue flight to Cairo could not retract the flaps after landing. They had to fly it back to Frankfurt in non-revenue status. When the got to Frankfurt they couldn’t diagnose the problem so they disconnected the system and hand cranked it to the retracted position. They hooked it up and tested it and it worked perfectly but they still did not understand why it happened and the computer was of no use at all.

What it boils down to is that the flaps on the A-310 were not adequately tested and should not have been certified and the Flap/Slat computer was not adequately analyzed for failures and their effects.

If you read my first post in this thread I raised the unasked question, did what happened on the A-310 also happen on the follow-on Airbus aircraft. It remains to be seen as the flying hours accumulate.


------------------
The Cat

To, LU Zuckerman,


Errr......Sir,Err... What do you do in your spare time!!!!...errr..Sir , What are your hobbies!!

Thanks lu zuckerman,

I have read the complete thread including the mishaps on 320, I didn't realize the original post was about the 310. I thought the WTB's were added later as a new feature.
On the 320 I read that the assymetry pickups are independant of the sfcc's I don't know if the sfcc still command the WTB's

ioooett ioooes veryyyyyyy haaaaard toooooo taaooolk with foot iiiiin mouuuuuth.

Please accept my apologies for an inaccurate post. http://www.pprune.org/ubb/NonCGI/redface.gif




[This message has been edited by Haas_320 (edited 09 June 2001).]

Slasher - with all respect the Airbus wasn,t at fault in the chainsaw incident. The PIC in that case flew below 100ft at very slow speed. He assumed that the Alpha Floor protection would kick in to protect him from a stall or too low IAS.

However he was below 100ft and this protection doesn't work then (ie: it thinks the plane wants to land). When he realised the problem he eventually applied TOGA but it was too late.

So what was at fault was the PIC was TOO reliant on the a/c saving his butt. It is this aspect which is where the likes of 411A are out of the loop. New pilots need to understand the limits of the new technology which is there to save us - they should never take it for granted. In general most of these new guys have a greater understanding of the systems and their limitationsthan old buggers like me ever will.

I will always fly "stick and rudder" and I will always be very safe. But if old age or senility catch up with me I am always VERY happy to have the back-stop which Mr. Airbus has provided me with.

The flight envelope protection which Airbus designed into their equipment ensures that my decisions in relation to the safety of the aircraft are always the best ones - provided I don't try to rely on them in ignorance of basic airmanship (as in the case of the 'chainsaw').

This is where the basic skills I learnt many many moons ago F/O doing partial panel NDBs are no longer too relevant. Nice to have done but largely a thing of the past - much the same as wing warping for Wilbur Wright!

You should look no further for endorsement of flight envelope protection than from Boeing itself and the 777. Short of sidesticks this is tacit admission that FBW technology is THE way to go and an inevitable fact of aviation in the future.
This is Boeings' way of saying "Gee Sorry Airbus - You were right all along"

To: Haas-320

No apologies necessary. Regarding the Wing Tip Brakes and the PPUs I can only speak for the A-310 and I can only assume that the follow-on aircraft share the same architecture.

On the A-310 there are three PPUs on each of the two systems (flap/slat). One is mounted on the Power Control unit and the other two are attached to the Wing Tip Brakes. Each PPU consists of a gear drive and two rotary potentiometers. One potentiometer is electrically connected to the instrumentation system for cockpit display. The Flap/Slat Computer (FSC) monitors the other. If the FSC detects any deviation between the three it will actuate the Wing Tip Brakes. It monitors the Pot on the PCU against the other two pots. If there is a deviation between the PCU pot and the other two the FSC interprets it as a disconnect. If there is a difference between the outboard pots the FSC interprets it as a dissymetry and in both cases, locks up the brakes.

In a previous post I addressed the fact that none of the electrical connections on the Flap/Slat electrical control and protection system are indexed to prevent mis-connection of power or monitoring circuits. On the PPUs the two pots rotate at different speeds. If one of the pots is mis-connected the FSC will get a false signal that there is a problem and lock up the brakes. The computer will indicate on its’ dolls eyes (visual problem indicators on the computer) that there is a disconnect or asymmetry as it only takes 2-3 rotations of the respective drive shafts to cause the pots to give this false indication. In the next scene the mechanics are going crazy trying to diagnose the problem


------------------
The Cat

Having read all of the above threads, i thought i would put in a line engineers perspective of the A320. I've been a line engineer for over 17 years, and initially spent my early days working on Boeing a/c.
When the company that i was working for at the time announced that were they ordering A320's for delivery in 93,i like most engineers in the company thought o no. However after having spent the last eight years working & looking after various operators A320's, all i can say it's an engineers dream to look after. Most systems are very logical and straight forward, yes it does have some unusual little quirks but once you get those mastered it really is very simple. Also the construction and simplicity of the a/c Boeing really need to wake up and take notice. Day to day maintenance of the a/c is very easy. I for one have not met an engineer that does'nt like the A320/321. The only bad A320's are those fitted with V2500 engines, as the CFM56 equiped a/c are far more reliable and trustworthy. Having worked and flown hundreds of times on A320/321 a/c it has a big thumbs up from me, and extemely confident to fly on it, particularly as i've seen it thrown around with great confidence during crew training.

Lu

I wouldn't argue with a word of what you say in your original post, or with its relevance, which people can work out for themselves.

But in 1955 when you started in this industry, manufacturing organisations were smaller, simpler and more centralised. For better or worse the system is globalised now, and we'd better just get good at being global and running disparate, complex manufacturing systems which produce safe aeroplanes.

The accident rate reductions say that is what is happening (safer aeroplanes, I mean - plus all credit to the crews who help them to be safer).

'cos one thing's for sure: we ain't going back to the way things were, even if we wanted to.

And that is true whether you're a US-headquartered manufacturer or a Europe-headquartered one.

To: shortfinals


You stated,” But in 1955 when you started in this industry, manufacturing organizations were smaller, simpler and more centralized. For better or worse the system is globalizes now, and we'd better just get good at being global and running disparate, complex manufacturing systems which produce safe airplanes”.

This is totally true in 1955 things were centralized but in the aircraft program alluded to in my post things were a lot different. If it wasn’t a globalize program it was Pan European with a few major contractors in the United States. In this case, egos and nationalism got in the way of cooperation.

The contract specifically stated that any thing that effected Reliability, Maintainability and Safety had to be immediately reported to the prime contractor. It wasn’t. The prime contractor implied that there would be maximum cooperation between the subcontractors on a given system. In the case of the wings there was minimal if no cooperation. The prime contractor stated that in order to get Canadian certification it was required that the FMEAs would address every single piece part in a given system. In the case of the flap /slat computer it wasn’t.


------------------
The Cat

Thanks Lu for making us all a little less complacent.

And while we´re on the subject, let´s just put the "chainsaw"-incident straight:
The ´manoeuver they flew would have hardly worked in a "conventional" aircraft - the stick shaker would have come on because of the LOW speed - then he put in the power, but forgot about physics of high-bypass-ratio-engines!
The airplane never stalled, as a conventional plane would have - instead the trees "got in the way" of the acceleration of the aircraft and it´s engines, which just need a certain time if they´re running at low N1... (as we all should know).
No design glitch here, but the complacency of the pilot showing the Airbus philosophy of the time.

These things are great to fly/operate if everything works, but if the MAJOR f@ck-up occurs the workload rises exponentially.

Basic flying skills, that have nothing to to with "big arms" to handle a bloody yoke in manual reversion, are very much necessary any complex aircraft!




[This message has been edited by wonderbusdriver (edited 11 June 2001).]

Airbus Industrie weren't the only one's to have had problems. Although I am a Boeing fan
you may find this article from the Seattle Times of interest:
_____________________________________________

PUBLICATION DATE 06/05/95
NEWSPAPER THE SEATTLE TIMES
COPYRIGHT 1995
EDITION FINAL
SECTION NEWS
PAGE

COMPUTER WITH.WINGS --BOEING's ULTRA COMPLEX 777 FLIES INTO DEBATE OVER TECHNOLOGY HAZARDS

BY BYRON ACOHIDO

(Copyright, 1995, The Seattle Times Co.)
Nothing defines The Boeing Co. so much as its uncanny ability to shepherd risks, Throughout its history Boeing has gambled big - and triumphed - by introducing new jetliners that pushed existing technology to its limits, then delivering in the face of high-pressure deadlines.
Boeing has done it again with the new 777. After more than five years and $5 billion in development, the 777 is to carry its first paying passengers this week, precisely on schedule.
For all the thousands of aircraft it has built since 1916, Boeing has never made anything like the 777.
The 777 is Boeing's first full-fledged "fly-by-wire" aircraft, in industry 'argon. The "wire" is electrical circuitry. A 777 pilot will not so much fly the airplane as tend a sprawling, vastly complex network of computers flying the airplane.
The 777's computerized controls are so advanced that they fall into an area of rising debate among technology professionals and academics: How do you assure safety when ultracomplex computer systems are used in potentially hazardous applications?
The control system proved so difficult to assemble and test that Boeing was forced to abandon a conservative development strategy as it hurried to meet its delivery deadline. After numerous delays and scores of changes, the final version of the 777's key flight-control software was delivered in April this year - 11 months after Boeing had originally promised it, only four weeks before the first airplane was delivered to United Airlines.
The combination of an ultracomplex technology and development that constantly ran behind schedule has left some software experts, pilots, aviation-safety consultants and even 777-program insiders wondering if Boeing left itself enough time to adequately test the arcane software code that drives the 777's computers.
"It's a question of extensiveness," says Prof.. Bev Littlewood, director for the Centre for Software Reliability at City University in London, and the author of several research papers on software safety. "Even a small change in software can have catastrophic effects."
Boeing officials declined to be interviewed for this story.
However, Anthony Broderick, Federal Aviation Administration associate administrator, said the 777 came through its development period as no other jetliner ever has.
"The testing has shown the 777 to be the finest, most reliable, safest airplane ever delivered," Broderick said.
Jim Treacy, the FAA's national expert on integrating airplane computer systems, and Mike DeWalt, the agency's top software expert, acknowledge that the agency allowed major changes to the 777's development plan so the airplane would stay on schedule. But they say the changes were reasonable and that they largely followed procedural rules hashed out years ago.
Treacy and DeWalt believe that any significant problems with the 777 were revealed and fixed in what they characterize as a routine development, testing and certification process.
Even so, Treacy termed "unfortunate" the degree to which jet-transport builders are allowed to plant "a stake in the ground" representing the projected FAA certification date for a new model, usually a few weeks before delivery.
"It's become: Everything else can move but the certification date," he said. "There's very much a huge pressure on the part of the applicant that says you gotta meet that date. "

SIMPLE CONTROL

Remove the bells and whistles and a modern jetliner is a straightforward apparatus: Two or more engines push the device through the air, causing a physical phenomenon called lift to affect the wings.
Movable surfaces on the wings (flaps, slats and spoilers) increase or decrease lift to get the jet off the ground, or to slow it for landing.
Ailerons on the outer portion of each wing move in opposing directions to cause the aircraft to roll.
Elevators, on the horizontal tail section, flip up or down, tilting the nose up or down.
The rudder, in the vertical part of the tail, swings left or right, turning the nose.
In traditional aircraft, the various control surfaces are linked to the cockpit with a system of mechanical pulleys and cables. A pilot controls them by turning a wheel, pushing or pulling the yoke the wheel is attached to, or by pressing foot pedals. .
Boeing sold thousands of such conventionally engineered commercial jetliners worldwide, and came to dominate the market, chased by U. S. rivals McDonnell Douglas and Lockheed Corp. By 1970, the big-three jet makers had mastered mechanical engineering as it applied to jetliners.
Jetliner technology began changing in the mid- 1970s with the emergence of an upstart European consortium called Airbus Industrie.
Before launching Airbus, French, British and German aerospace companies had collaborated on the angular, hooked-nosed Concorde Super Sonic Transport. The SST featured the first use of computer signals to control a critical system - engine air- intake valves - on a commercial aircraft. The SST showed that computers could be as reliable as cables in day-to-day airline operations.
Electronics was advancing at the same time. By the late 1970's tiny integrated circuits, the processing chips at the heart of every computer, became widely available, Airplane designers began exploring the possibility of replacing traditional steel control cables with wires carrying computer generated commands.
In 1978, Boeing decided to use digital technology to operate some of the control surfaces on two new aircraft, the 767 and 757. Electric signals triggered hydraulic devices in the wings to adjust the panels. It was a bold move, made cautiously. The computers controlled only secondary, nonessential controls - slats, flaps and spoilers. Boeing retained mechanical linkages for the primary controls.
The 757 went a bit further than the 767: It was the first commercial jet to use digital controls to run and monitor the engines, too.
About the same time, Airbus was developing its second model, the A310 twinjet, which used essentially the same degree of computer control as the two Boeing jets.
The early digital systems proved to be just as reliable as mechanical systems. And they had advantages: Electrical circuits saved weight compared with mechanical systems and for airlines that meant profits - less fuel, more payload or both. Electrical circuits also were easier to maintain and update.
Airbus delivered the 'first A310 to Lufthansa Airlines, in April 1983. Then five months later, it leapfrogged ahead in jetliner technology by announcing it would build aviations first all-digital commercial aircraft, the A320 twinjet.
It was a calculated decision. Airbus was a distant third in market share behind Boeing and McDonnell Douglas, and needed to do something dramatic.
The fly-by-wire A320 would be so much lighter, faster, more efficient and more reliable that it couldn't help but sell like hot cakes, Airbus reasoned. It would blaze a digital trail the way the Boeing's 707 trailblazed jet-powered commercial flight in 1960.

AN AMBIGIUOUS REALM

A cable linkage between a pilot and a flight-control surface is a simple, direct thing, operating according to visible, mechanical forces. You can see how it works. If it doesn't work, it is not difficult to track down the problem and fix it. The complexity of mechanical systems is limited by nature; you can bend metal only so many ways in a confined space.
Computers and software are something else. A processing chip embedded with a maze of microscopic switches performs discrete mathematical operations according to detailed, coded instructions. An input of data is received one calculation feeds data to another calculation, which feeds its results to another, which branches to several more.
Tiny bursts of electricity cascade at light speed through a plexus of computer codes and switches. In the end, something happens. A specific electronic signal is generated. A pattern of dots appears on a video screen. A hinged panel moves on an airplane wing.
The complexity of software is virtually unlimited. If something goes wrong, figuring out why, not to mention fixing the problem, is not simple at all.
In her new book, "Safeware, System Safety and Computers," Prof Nancy Leveson, University of Washington professor of computer science and engineering argues that computer systems are fast becoming "intellectually unmanageable."
As complexity rises, "the number of states starts to increase so quickly, you, start to begin to test a smaller and smaller fraction of the total possible," said Leveson. "As systems get more complex, it gets harder and harder to predict the interactions and the different kinds of things that can happen."

SAFETY CRITICAL'

On the 777 more than 4, million lines of coded instructions drive 150 computers that must work in harmony to monitor and adjust for the airplane's constantly changing position in the air. A minor miscalculation in one program could corrupt other programs. The results could range from a squawk, a harmless error message that comes and goes on the cockpit displays, to, loss of control. A panel might fail to move, or move at the wrong time, or in the wrong direction, or at the wrong rate, or to the wrong position.
Aircraft engineers have had two answers to the myriad ways in which things might go wrong. First, they isolated "safety critical" computer programs so that an error in one had limited effects. Second, they provided numerous redundant backup systems.
That's how Airbus designed the A320. If the A320's computer system were a building, it would be a sprawling warehouse with pairs of posts every few feet holding up the roof. It would have many, many more pairs of posts than necessary to keep the structure sound. If a single post got knocked out, its twin could bear the load. If a pair of posts, or even several pairs were lost, the structure would remain sound.
Each computer on board the A320 contained a processing chip with memory, its own low-voltage power supply and input/output circuitry. Each was designed to shut down harmlessly in cases of a serious software or hardware failure.
Because each computer "'black box" was physically separated from every other black box, and because the impact of any particular box failing was limited, the A320's architecture was deemed to be "fail-safe."
The problem with this approach is that it makes for vast duplication, with many machines and thick bundles of wire running up and down the airplane. That translates into weight, the enemy of airline profits. .

THE MARKET HEATS UP.

Though its new A320 was a hit with airlines, the Airbus partners wanted a bigger family of airplanes to compete with Booing, which offered the 150-seat 737, the 194- seat 757, the 218-seat 767 and the 420-seat 747.
Airbus had no answer for the hot-selling 747jumbo jet. It decided to stake out new territory.
Guessing that overcrowding at airports in major cities would eventually lead to more point-to-point flying between smaller cities, Airbus designed a 295-seat jet available in a two-engine version (the A330) for regional flying, or equipped with four engines (the A340) for long routes.
The new planes would feature the same fly-by-wire system as the A320, with cockpits so similar that a pilot could qualify to fly all three with minimum cross- training.
Meanwhile, Boeing was intently exploring fly-by-wire systems itself. A Boeing engineer named John Shaw in 1987 was championing a bold advance, a new computer architecture, with Aeronautical Radio Inc. (ARINC), the industry association that establishes standards for avionics.
Shaw called for abandoning the physical separation of computers, and consolidating core processing, memory, input/output, the power supply and error-tracking functions in a central cabinet.
A fly-by-wire jet would still need hundreds of separate software programs in this architecture, but the processing and memory functions would take place in a central "brain."

If current jetliner architecture resembled an overly buttressed warehouse, Shaw's architecture was a tent with a very sturdy central pole.
Shaw theorized such a system would bring about enormous weight savings and phenomenal gains in efficiency and reliability.
Shaw's design required ultrafast, ultrapowerful integrated circuits -chips that weren't expected to be available until the early 1990s. Also needed was a new "databus," the electronic pathway on which computers trade data.
The aircraft-databus standard at that time was called ARINC 429. Every computer on an airplane was hard-wired to every other computer - like having separate, one-way phone lines wired directly between your home and every other home you wanted to communicate with.
Shaw proposed moving to a new databus standard that Boeing had been developing called ARINC 629.
Compared to ARINC 429's one-lane country road, ARINC 629 was a multilane superhighway. Instead of computer-to-computer wiring, ARINC 629 would have a 'twisted pair of wires running the length of the aircraft. Every computer, the big central processing computer and certain specialized processors scattered around the airplane, would be connected to the databus. Computers could transmit data at any time. Data could zip around the system between computers and to the central processing unit as needed.
Shaw persuaded ARINC to make ARINC 629 and a "shared-resources architecture" the next industry standard. Final specifications were to be ready in late 1991.
Boeing wasn't waiting.

LAUNCHING THE 777

Airbus's A330/A340 collected 180 orders in the three years after it was launched. In October 1990, Boeing announced that it would develop the 350-seat 777 twinjet, with a firm order for 34 jets from United Airlines. It would be Boeing's first all fly-by-wire model.
It would use the ARINC 629 databus, still undeveloped, and it would use a shared- resources central computer called AIMS, for Airplane Information Management System. AIMS would be the brains for most of the 777 computer systems.
Everything about the 777, from cabin entertainment systems, to cockpit navigational systems, to its huge new fuel-sipping engines would surpass Airbus' newest models.
Boeing promised customers that the 777 would be so reliable that the company would persuade the FAA to certify the twinjet for long ocean routes from the day it entered commercial service.
FAA rules normally require twinjets to fly shorter routes for years to prove they are reliable enough to fly long distances away from a possible emergency landing site. (Losing power from one engine on a twinjet is considered an emergency.)
Boeing argued that years of successful 767 flights across the Atlantic and Pacific demonstrated that the FAA twinjet rules were obsolete. The company promised the 777 would be so carefully designed and manufactured and so thoroughly tested that there should be no question about its immediate high reliability.
Not since the launch of the 747 jumbo-jet program in the late 1960s had Boeing gone this far out on a limb.
The 747 had involved the parallel development of a novel fuselage, a new wing and new engines. However, the mechanical flight-control systems were derived from previous Boeing models.
In industry, the parallel development of two or more novel systems is considered risky because you're dealing with tiers of unknowns. There is no network of savvy parts suppliers and the accompanying experience base. There is no operating history for any of the systems, nor any knowledge about how one system will respond to another in real use.
The 747 had proved a case in point. Engine development lagged the rest of the airplane's development, and Boeing ended up paying millions of dollars in customer penalties when engines on the first jumbo jets failed to perform as promised.
Like the 747, the 777 involved the mating of an all-new airplane with new engines. But the 777 would go further with fly-by-wire, the new AR.INC 629 databus and shared-resources central computer.
Boeing committed to an ambitious development schedule: It would fly the 777 in mid-1994, After a year of test flights, the plane would enter service in June 1995. (For comparison, the SST flew as a test plane in 1969, but didn't carry its first paying passenger until 1976.)
Boeing predicted it would deliver a virtual glitch-free digital airplane.

THE NATURE OF BUGS

From one perspective, all software is perfect.
Software is an intricate web of logic through which only the right data may pass. In that sense, software always does its job.
But code writers, being human, can make clerical errors, which spawn bugs - unexpected results or failures. In the 1960s, a Mariner spacecraft heading for Venus was lost because its computer code contained a semicolon instead of a comma.
Today, most coding errors are caught and corrected by sophisticated testing tools. Most often, bugs persist because programmers overlook unusual conditions that the software code might run across. The more complex the code, the greater the opportunity for programming oversights.
AS Boeing stepped up development of the 777, the digital world was advancing.
Progressively smaller, more powerful processing chips made vast calculations possible in a blink of an eye. This had touched off a software explosion.
Computers could handle more complicated code, so a more complicated code was being written, sometimes before code writers fully grasped what they were asking the software to do. Rare conditions - situations programmers failed to anticipate - became the leading cause of bugs turning up in the late stages of development programs, said UW Prof. Leveson.
"Nature imposed a discipline on hardware systems," she said. "But it just wasn't there for software. We were dealing with man's ability to discipline himself, and we've never been any good at that."
Engineers at Saab Military Aircraft learned this lesson the hard way. On Aug. 8, 1993, test pilot Lars Radestrom was demonstrating the second production model of the new fly-by-wire Gripen fighter at the Stockholm Water Festival. Entering a turn, Radestrom noted the computer banked the jet 10 degrees more than he asked for. When Radestrom tried to compensate, the jet began pitching up and down. The more the pilot tried to smooth out flight, the wilder the pitching became.
After 6.2 seconds, Radestrom bailed out and the jet crashed harmlessly on a nearby island. Despite a $3.2 billion development effort, including four years of flight testing and debugging, Saab programmers had failed to anticipate that a pilot might try large, rapid movements of the control -stick. When that happened, the software did what it was programmed to do - but not what Radestrom expected: It amplified the command.
The job of writing software for the 777 is nothing if not, complex. An FAA test pilot describes the 777 as the most complicated machine ever built: "No question, it's more complex than the Space Shuttle by a factor of two."
Keeping a 500,000-pound airplane safely aloft involves dozens of simultaneous, overlapping tasks executed by a swarm of electrical bursts flowing through a maze of microcircuits in the proper sequence, all at blinding speed.
A bug could occur if just one of the thousands of calculations occurring each millisecond unfolded out of sequence due to a rare condition - a power surge, for example or an unusual gust of wind, or an unorthodox pilot maneuver.
Interrupting software's brittle sequencing matrix is akin to snapping a single strand of a frozen spider web: the results could range from inconsequential, to catastrophic.
Trying to test a very complex digital system in advance, to catch and eliminate bugs, not to mention trying to gauge how safe the system will be, has proved daunting, if not impossible.
"Each component can be fairly small and well understood, but when you put them all together, things happen that are very difficult for us to predict, and, therefore, to even understand what we need to test for," Leveson said.
Software bugs have triggered large-scale outtages of telephone service and been blamed for throwing a Patriot missile off course during the Gulf War, allowing an Iraqi Scud missile to strike a, U.S. barracks and kill 28-soldiers. Denver's new airport opened nine months late because bugs in its computer-operated baggage system compounded to the point where the system had to be completely replaced.
IRON BIRDS, BLACK LABELS
How Boeing viewed these emerging software issues in planning the 777 was not a matter of public record or discussion. But, the company promised that the 777 would be the most reliable, most thoroughly wrung-out airplane ever built.
Boeing and the FAA Negotiated a number of demand conditions required for the new jet to meet the certification timetable.
Boeing agreed to build a huge Systems Integration Laboratory (SIL): the airplane's entire computer system assembled inside a building and connected to a full-sized, working set of 777 wing and tall flight controls, called the Iron Bird. Boeing set a goal of having the Iron Bird make 3,000 lab "flights" before the start of actual flight tests in June 1994.
Boeing agreed that the actual flight tests would be conducted with a "black-label" fly-by-wire system, an industry term signifying that hardware and software in the system was finished and ready for production., and that no more changes would be made.
A system still in development and testing is called "red label." "Black-label freeze" is time at which all systems must be complete so that, conclusive tests can be run to see how everything works together.
The original development and certification plan for the 777, assumed Boeing would open the lab in February 1993, fully assemble the 777 fly-by-wire system in the SIL within a few months, and largely debug the hardware and software with the SIL and Iron Bird through 1993 and the first half of 1994. Then flight tests would get under way with a black-label system.
By October 1994, Boeing anticipated, it would be ready to dedicate one test jet to fly 1,000 demonstration flights proving the 777 was reliable enough to carry passengers across oceans.

RED LABELED

The Systems Integration Laboratory opened on schedule. Boeing asked suppliers to have hardware and software 80 percent ready within three months and 100 percent complete by June 1993, in time for the start of the 3,000 lab flights on the Iron Bird.
Within a few weeks, it became clear there was no way the complete fly-by-wire system could be assembled and fully integrated in less than a year, much less within a few months.
In a March 1993, barely a month into the development schedule, John Miller, Boeing's 777 division airworthiness chief engineer, wrote a letter to the FAA saying red-label computers would have to be used for flight tests still more than a year away.
This was an important change in the original plan. It meant time-consuming software-verification tests would be pushed into the closing stages of the project, with delivery deadlines looming.

The FAA ruled Boeing's rationale for allowing flight-testing to proceed with red-label systems was sound.
According to FAA officials and program workers who have spoken on condition they not be identified, Boeing officials took the position that the 777's design was so robust, with so many redundant layers of backup systems, that changing the development plan wouldn't matter.

A question then, and now, is whether changes in the development plan were a good idea, given the 777's novelty and complexity.
"This is the kind of thing where you want to have the least amount of risk by conforming to the program as it was designed," said Hal Sprogis, a retired airline captain and safety consultant who researches safety issues for pilot groups.
Sprogis, who still flies as an engineer on older 747s, opposed (as many pilots did) the idea of instantly approving a new twinjet for oceanic crossings. "When they manipulate it as they go, it gives you an uncertain feeling. You begin to mistrust what's happening."

AIMS AND ACEs

No other jetliner has anything akin to the 777's AIMS computer, which serves as a central brain for most of the jet's 150 other computers.
Under John Shaw's original proposal, an ideal "shared resources" architecture would have all systems using the central computer brain.

But Boeing engineers, weren't prepared to go quite that far with the 777.
They purposely separated a safety-critical system, called the Primary Flight Computer (PFC) from AIMS. This, they argued, made the system more robust, while giving it a measure of.conservatism.
Built by G-EC-Avionics of London, the PFC works in concert with the AIMS-driven Flight Management Systems (FMS) computer and the autopilot computer to fly the airplane most of the time.
Typically a pilot taxis to the runway, takes off, and then immediately turns the airplane over to the FMS and autopilot.
If AIMS is the 777's brain, the Flight Management System is its intellect. The FMS constantly receives and analyzes information from sensors around the airplane, then tells the autopilot how to adjust the flight-control surfaces to, keep on the proper course.
The PFC calculates the precise corresponding movements the wing and tall panels must make to fly at top efficiency. The PFC's calculations are then transmitted to a bank of computers, called the Actuator Control Electronics (ACEs), which issue the commands that move the flight-control surfaces.
If a serious bug occurs in the FMS, autopilot or PFCS, the pilot can switch them off and grab the wheel. Moving the cockpit controls would send signals directly to the ACE computers commanding the flight surfaces. Thus, the plane is flown "by wire," rather than with cable-linked control surfaces.
The 777's design calls for three PFCs always running - and in effect voting - on commands. Should a discrepancy arise, the majority rules. If one PFC goes down, there are two others to back it up. If all three PFC's crash, the pilot can switch them off.
Without electricity none of this works,' so redundancy permeates the power supply, as well. There are backup power-supplies, backup generators, backup batteries. If all those somehow failed, a backup of last resort, a small device called a Ram Air Turbine, essentially a small windmill, would be deployed from the right, rear of the fuselage and generate enough electricity to keep minimum cockpit controls alive
In the unlikely event of a complete electrical system shutdown, cables from the cockpit to selected spoilers and the horizontal tail section allow the pilot to glide straight and level until the electrical system is restarted.

A BALKY BUS

Before the 777's varied computer systems could talk to each other, ARINC 629 had to be up and running.
But the new databus proved to be a major early stumbling block.
To ship or retrieve information via the databus, computers needed to be equipped with two high-powered pre-programmed processing chips and a special coupler. No one had ever mass-produced these devices before.
Early versions of one chip overheated and stopped transmitting data. The other chip worked most of the time - if it came from one supplier - but only sporadically if supplied by an alternate contractor. The coupler was several months late.
"The bus is the basic skeleton of how the airplane systems communicate. It's the one thing that needed to be rock solid from the beginning," said a source close to the 777's development. "It took about a year to work out the wrinkles, which is about what you'd expect. '" Boeing, however, had projected the databus would come together smoothly in a matter of months in early 1993.
AIMS, too, stumbled early.
AIMS would consolidate most of the 777's digital processing power in two suitcase-sized central computers. In doing so, AIMS departed from the established fail-safe architecture of physically separating different computer functions.
Honeywell had to prove that a bug in one processing function would not corrupt other functions, and, conversely, that bugs in one program could be fixed.without affecting other programs.
To do this, Honeywell turned to special software programming called "partitioning," which amounts to a strict, frenetic scheduling of time on the central processing modules. No one had ever attempted to partition so many computer programs on an airplane before.
Partitioning required the use of. 18 pre-programmed circuits (called application-specific integrated circuits, or ASIC chips) to ensure that only one program at a time could access the central computer's powerful processing modules.
"Right now you get it for 50 milliseconds or 200 milliseconds, and as soon as you're done, he gets it," is how Don Morrow, Honeywell's 777 program manager, described the system at work.
Honeywell's challenge was to create circuits sophisticated enough to distinguish and properly sequence a high volume of data from numerous sources all at once with great accuracy. "We had to prove it was deterministic and it happened that way every time.
The ASIC chips were crucial, and ended up being more than a year late from a chip supplier.
Morrow said Honeywell "really underestimated what it would take to develop" the 18 ASIC chips. "As a result we went downstream a little farther than we wanted."

LANGUAGE WOES

June 1993, once projected as the month when all software and hardware would be integrated in the SIL and ready to start. flying the Iron Bird, came and went.
ARINC 629 and AIMS were falling further behind schedule by the day. This compounded delays with the suppliers of the dozens of computers that would feed into AIMS via the new databus.
Troubles cropped up with the Primary Flight Computers. Boeing initially assigned three separate teams at GEC-Avionics to write codes that would control the wing and tail panels. This was standard practice. A software bug in one of the PFCs would be unlikely to turn up in the other two, which would outvote the third.
According to a source close to GEC-Avionics, the software teams kept asking for clarifications of Boeing's specifications for the PFC code, slowing development, until Boeing finally chose to have one team write a single program for all three PFCS.
(A British magazine, Computer Weekly, reported last week that some leading European software-safety experts have called for a detailed review of the single program Boeing ended up with before the 777 begins flying passengers.)
91
Once the PFC code was written, Boeing could not keep all three PFCs running at the same time without making the ARINC 629 databus crash. While only one PFC is needed to fly the plane, not having the other two available wiped out the safety margin. Programmers trying to smooth out the PFC's code problems had plenty of avenues to explore
First of all, they were using a language called Ada to write the PFC code. Ada has long been used in military application's on mainframe computers and was chosen by Boeing as the standard language for all of the 777's software. The 777 represented the first widespread use of Ada, a relatively cumbersome language, on computers driven by microprocessors.
In using Ada, programmers had to write 10 lines of code to do something that a newer more elegant language, like C # might do in three or four lines. More lines of code meant more opportunity for errors.
There were other hangups.
Ada and C # are high-level programming languages that use recognizable phrases, such as "jump to test l." Code writers use a translating tool called a "compiler" to translate high-level commands into machine code, the schematic of ones and zeros that guide electricity through the maze of integrated circuits.
Contractors writing compiler code had to translate Ada commands into machine code for two completely different processing chips (one made by Intel, the other by Motorola) OK'd by Boeing for use on the 777.
Ada programmers complained that early versions of the compiler code were slower than they expected.'
"You would say 'x equals y' and expect (the compiler) to translate that into maybe three machine steps," a 777 systems supplier said. "It turns out, with all the considerable options of available data, it actually translates into 20 steps."
By the fall of 1993 things were backing up steadily.
"The policy became don't change anything, proceed on schedule, explain away everything we can, then do a product enhancement after delivery," the supplier said. "As bugs showed up, we were told to expand the acceptable criteria to allow for the problem, rather than to fix the problem."
Treacy, the FAA's avionics expert acknowledged that compromises were accepted, but said that's not unusual for any big software-development project. The 777's safety margin, as far as the FAA was concerned, remained intact, he said.
"When you've decided that there are two ways to fix a particular problem, an elegant way and a Band-Aid way, and one's quicker than the other, you take the one that's quickest," Treacy said, "especially if it is not a real overriding safety thing."

FIRST FLIGHT

By the end of 1993, it became clear that if test flights were to begin on schedule six months later, in June 1994, it would have to be with something less than a fully functional fly-by-wire system.
As he was about to retire at the end of 1993, Boeing senior executive Dean Thornton told a SeattIe Post-Intelligencer reporter: "This airplane is one big computer. I'm not, saying we're going to fall off a cliff, but if I'm going to stay awake nights, it will be over the software, not the hardware."
By the spring of 1994, GEC Avionics still could not get all three PFCs to boot up simultaneously for an extended period. On May 3 1 a new load of the PFC software arrived from London and was installed in the SIL and on the No. 1 777. On June 7, with the aviation community eagerly waiting word from Boeing about the 777's first flight, another new PFC software load arrived to replace the one Boeing had tried out in the lab and on the airplane a week earlier.
On June 12, a cloudy, blustery day, the 777 lifted off from Everett's Paine Field before a crowd of company officials, dignitaries and reporters. Cheers.went up. Upon returning from a nearly four-hour flight, chief 777 test pilot John Cashman declared: "Best first flight ever!"
Among the people who got a more frank description from Boeing was the late Berk Greene, then the FAA's chief 777 test pilot. Greene, who communicated daily with the aviation community on computer bulletin boards, died last October.
In a message to a colleague, Green described the FAA's view of the 777 program to that point:
"The FAA has watched from a distance all the testing being done in this lab as the vendors began to deliver software, and Boeing got various elements on line. It hasn't been a very pretty spring, as vendors were late, some parts had lots of problems getting on line.
"The later they got, the worse things looked, with Boeing even taking measures like off-loading some integration testing in the labs (because they were behind) and doing these test sequences in the airplanes still on the factory floor. Lots of horror stories there as well, things like mismatches apparent between hydraulic actuator/surface models on the airplane and what was created in the lab, resulting in weird vibratory modes that weren't evident in the lab.
"Planned first flight date began to slip because of all this, and in the end, slipped about two weeks. Finally, enough things came together so that risk was.limited enough to take a chance on the flight. The amazing part: NOTHING NEW SHOWED UP on the flight.
"And that's why John Cashman (the Boeing test pilot) was bubbling 'it was beautiful.'There were pages and pages of known bugs and nonfunctionality, with workarounds going into this flight, but nothing new was found."

NEW BLACK-LABEL DATE

Within a month after the 777's first flight, new bugs materialized.
GEC had programmed the Primary Flight Computers to confirm Proper operation of the flight surfaces by monitoring "feedback" signals; if the fed-back signal from say, the rudder was significantly different than the commanded signal, the PFC was programmed to shut down the rudder.
On several early 777 flights, the airplane's rudder fed signals back to the PFC indicating it had moved about 2 degrees beyond what the PFC had commanded. The PFC immediately shut down all rudder control.
This occurred because the code writers had not anticipated how much the 777's tail flexed when the rudder moved, a source working on the 777 program said. The problem was fixed by expanding the PFC's range for acceptable feedback signals, the source said.
It was not much surprise to Boeing suppliers when the company advised them in late summer that black-label freeze - the date after which no more hardware or software changes could be made, once projected as June 1994 - was being moved to October 1994. Officially, that was still the date for beginning the 1,000 special demonstration flights to earn the ocean-crossing rating.
In September 1994 Cashman uncovered another rare condition: The big airplane could rail into a steep dive at low speeds.
FAA rules dictate that a jet must be designed so that it does not roll drastically as it slows and nears a stall, the speed at which it loses lift. Minimizing roll during a stall improves a pilot's chances of pulling out of the stall with a simple maneuver.
But Cashman discovered the 777 had a tendency to snap into an acute roll and dive several,thousand feet once it began to stall. This happened unexpectedly in a test flight over Southern California. No one was hurt but word spread that several engineers along for the ride lost their lunch.
Revisions to the PFC code controlling the ailerons, flaps and rudder wore pursued. While briefing reporters about flight-test glitches, Cashman, noted: "I think, still, the challenge is in the electronics area."

'A LONG STRUGGLE'

On Oct. 6, Boeing held a press briefing at its Everett plant for the rollout of 777 No. 4, the first to be outfitted with a finished cabin interior, and the airplane, earmarked to make the 1,000 proving flights.
Reporters asked when those flights would begin. The answer was vague. "We're going to start when we're ready ... when we get concurrence among FAA and among ourselves," said Jim Metcalfe, Boeing senior engineering test pilot. "There are a few changes we're making on the airplane."
It took another 12 weeks, until Dec. 28, 1994, and the flights began with red-label AIMS and PFC computers. Boeing and its suppliers won't discuss the delay.
John Aplin, GEC-Avionics marketing director, asked about development of the PFC computers, said: "I would characterize it as a long struggle, a lot of hard work, but never any real shocks."
Boeing officials persuaded the FAA that the flights with key systems still. red-labeled would nonetheless be a valid demonstration of a "mature" airplane.
Bob Ireland, United Airlinds'777 factory representative, noted that engineers like to push the black-label-freeze deadline as far as they can, because any small change after that can generate mountains of paperwork. The differences between the red-label software used on the proving flights and the black-label systems put into commercial use this week are believed to be insignificant, he said.
"The simple notation of red or black label itself is not relevant," Ireland said.

'LITTLE GLITCHES'

To make 1,000 flights, simulating a year's worth of actual airline usage, 777 No. 4 would have to average 8 1/2 flights a day, seven days a week. (Airlines, aren't likely to fly the 777 more than two, or three flights a day because, of the jet's size and range.)
Some observers questioned whether the proving flights proved much of, anything. By necessity, many tests involved turning around and flying while the engines were still warm. During an actual gate turnaround, the 777's engines will cool down
entirely, but Boeing persuaded the FAA the difference wouldn't matter.

On Feb. 18, with 460 flights completed, 777 No. 4's right engine seized during an oil change. The plane remained grounded for the next 12 days. When 777 No. 4 finally resumed flying March 3 it had about eight weeks to complete 540 flights, an average of 9.6 flights per day.

The PFCs finally received black-label certification in late March; AIMS certification followed about a month later, just as the 1,000 flights were wrapping up.
In the midst of completing paperwork to black label the PFC, Boeing and GEC scrambled to eliminate a stubborn problem unique to digital controls, called Pilot Induced Oscillations (PI0s), the same phenomenon linked to the crash of the Gripen fighter in Sweden.
Flight tests had shown that under certain conditions the 777's nose and tall would bend up and down 3 times-per second, like a jiggling hot dog, though the center of the plane remained steady.
Aviation Week & Space Technology magazine reported that this had occurred on several test flights. In one case, pilots attempted to smooth out the oscillations by moving the control yoke rapidly back and forth. But the digital signals couldn't keep up and the oscillations worsened.
On another flight the oscillations shook Cashman so much that his seat began to slide back and forth, causing him to push and pull on the yoke, the magazine reported. In order to steady himself enough to regain control, Cashman had to brace his foot on the dash. Then in April a guest airline pilot was attempting a touch-and-go landing when the oscillations began. The pilot pulled back sharply on the yoke and fought through the oscillations.
Peter Mellor, a software lecturer and consultant at City University in London, who recently briefed Boeing on the A320's digital system, said the emergence of PIOs so late in the development program, "indicates that the design is still immature. I get a feeling of foreboding that more of these little glitches are waiting to come out. "

CORPORATE WAYS

At least part of the blame for software bugs, say those who have studied them, lies in the corporate setting, where software writing discipline faces the pressures of time, money and career advancement.
"There is always a tension," said Bill Curtis, co-founder of Austin, Texas-based TeraQuest, a consulting group which helps corporations sharpen software development.
"If you're late to the marketplaces with a product that doesn't have enough functionality or isn't reliable enough, it could kill the company. And who wants to be responsible for killing the company?'
Carnegie Mellon University's Software Engineering Institute has begun a program tracking software-engineering practices at more than 260 leading organizations. It uses a Capability Maturity Model to assess software-engineering discipline.
On a scale of one to five, 75 percent of the participants remain stuck at Level 1, the chaos level, according to, the institute. Such companies have scant design processes and no real way of knowing whether they are on the. right or wrong track in designing complex software. Only two elite groups rank themselves at Level 5, representing an optimum process; 24 percent are at Levels 2 or 3, the early stages of embracing disciplined practices.
Companies participating in the institute's voluntary program, including Boeing, are allowed to grade themselves. said Curtis, a visiting scientist at the institute.
Bob Jorgenson, spokesman for Boeing Computer Services, the organization that supplies the basic hardware.and software used to develop the 777, said Boeing considers itself to be at Level 2 or 3, with respect to avionic systems.

"We certainly aren't real mature in our maturity model, but we're committed to it and are into it as much as anybody in the country," he said.
The Carnegie Mellon model is based on the belief that safe software results from standardized disciplined practices, such as submitting new designs to extensive peer review and conducting statistical analysis throughout development.
Leveson, of the University of Washington, warns that a false sense of security may arise from focusing "purely on schedule and process, not on quality. I think basing all your decisions on that is Just dangerous."
The answer, she argues in her book, "Safeware," is to lessen the degree to which computers and software govern potentially hazardous systems.
"There is no magic solution to any of this," she said. "We're going to have to accept that we may not be able to have all the complexity to do all the things we want."
Mike Hynes, an Oklahoma City-based aviation consultant and member of the International Society of Air Safety Investigators, believes economic factors may be pushing the use of computers in the cockpit on a dangerously accelerating curve.
"First of all, computers are not foolproof enough yet. Secondly, programmers can and do make errors. Most of these errors cannot be tested out. They are only found later on when disaster happens," Hynes said.
Said Leveson: "All of these modern aircraft are pushing the technological envelope. The question is how far can they go. And that hasn't been answered yet."

ON DEADLINE

Developing a jetliner has always been an exercise in managing imperfection. Parts don't mesh like they do on the drawing board. Systems fail. The art lies in anticipating the most serious failures, then proving to regulators they've been adequately accounted for.
In a rousing April 19 ceremony at Boeing Field, the FAA certified the 777 as safe. In doing so, the agency endorsed Boeing's approach to developing the airplane's fly- by-wire system.
Yet given the understaffed FAA's lose oversight - principally auditing a development plan that seemed constantly under alteration - the certificate mainly means a satisfactory level of paperwork had been achieved.
"I'm in a very embarrassing situation," said Mike DeWalt, the FAA's national software expert. "To say the software is safe, I cannot tell you that. I can tell you the software (development) has followed our procedures."
Although Boeing officials declined to be interviewed for this story, they have professed in numerous industry forums that the 777's highly redundant system design, coupled with great care and diligence during the development and testing process, has produced a safe airplane.