G´day all.

I saw a DVD that had an explanation of the flight envelope protection that the B777 FBW system offers and got curious as to the reasons for Boeing to have that sort as compared to the Airbus philosophy. Is there any website or documentation available where one can follow the reasoning be it economical, philosophical, technical, standardization or some other reason or combination of reasons.

I know of a number of arguments for both "sides" and have seen info about Airbus decision to basically not allow a pilot to place the plane outside the flight envelope, but haven´t been able to find out why Boeing "only" gives the pilot aural, visual and tactile feedback apart from the A/T reaction (when armed) to slowing to a stall situation.

I´m not trying to stir up the seemingly never-ending debate of my-toy-is-better-than-yours, just looking for why Boeing went the way they did.

Tordan,

I believe the difference is simply philosophical. With the FBW technology there is no reason why Boeing could not have the same protections as Airbus. Boeing however have always respected in their designs the end user, in this case the pilot. In their view it is the pilot who should decide whether the aircraft requires to be operated outside the envelope rather than have that decision already made for them by a computer.

If you read the book "21st Century Jet" about the building of the B777 you will see this philosophy borne out again and again in many of the decisions that were made during the design process.

Bsevenfour,
that is my feeling as well. I think that Boeing and, perhaps more importantly, its customers wanted this just as you say. Thanks for the hint about the book, I´ll go look for it!

Bye

I always read/hear the same argument in favor of Boeing philosophy, that the pilot should have the last word. But I can't figure out why it would be better for a pilot to be able to stall the plane.
I think the alpha protection in Airbus is not really a computer limitaton, it's a physics limitation. If an airplane stalls a 18º AoA, you can't fly at 25º AoA weather you have Airbus alpha protection or not.
For instance, in the well known Air France 320 accident, with a Boeing the only difference is that you can stall the plane and crash before the trees, but you still can't climb over them because stall is a physical limitation that affects for equal to all planes.

Don't you think so?

Yep, I agree with you there. Not having complete knowledge about the Airbus FBW system but I do know that there is a rather large amount of redundancy involved such as the hardware being delivered from different companies and at least two different programming languages being used. This is of course to weed out any one hardware glitch or software bug.

It would be interesting to see if the Airbus protection leaves a "nullzone" between for instance stall IAS and allowed IAS, and more importantly, if such a nullzone is big enough for a pilot to be able to fly closer to stall speed than the Airbus protection would allow? Personally I think, as a non-pilot, that the Airbus protection is more of help than hindrance when it comes to for instance a CFIT situation that requires maximum use of flight controls, and that Boeings choice is purely a "mental" decision, i.e. the cumstomers desire/demands overruled any possible technological advantages of the Airbus method.

Hope I´m making some sense. ;)

Mad Engineer,

The problem with the Airbus philosophy is that it creates a disconnect between the pilot and the aircraft he is flying. There is a computer in between the two who acts as an oversser of all that goes on and basically tells the pilot what he can and cannot do. While this certainly may be great when things are going well what happens when the computer isn' t having such a good day. For example at the infamous A320 airshow incident where it flew into the trees. While I know this did not involve activation of the stall protection this could never have happened on a Boeing as the pilot always has the last say.

bsevenfour IMHO I think that you have misunderstood the differences between two very capable and in most respects equal systems; Airbus 320 / 30 / 40 and Boeing 777.

There is little new in restricting the pilot’s input to protect the aircraft structure – preventing overstressing. The earliest direct control aircraft had force limiting due to aerodynamic loads, since then with the advent of powered controls ‘Q’ pot and ‘g’ wt limiting have been used extensively. Similarly, computation is not new; I believe the aircraft as old as the Comet had a mechanically computed pitch gear change and several aircraft types had mechanical yaw dampers.

Thus on conventional aircraft, there is a point at which the crew cannot make any further effective control input; the system is in command. Differences between aircraft designs and individual pilot strength may in extreme circumstances lead to structural failure (certification oversight for rudder / fin limits), but the root cause of these failures usually resides with the crew who got themselves into such a bad position that unsafe practices were required for recovery. A bad position is my definition of being outside of the safe flight envelope.

The ‘disconnect’ is in people’s minds by not viewing the modern control systems in the wider context of safe flight. The Boeing / Airbus differences are in philosophy (cultural background) and some commercial bigotry. Boeing argues for a design philosophy that the crew always know better and must remain in control – do something at all cost (my gross simplification). Whereas Airbus accommodates crew error, yet does not remove the overall command and control from them (again my simplification). The analogy is to live in a wooden house, buy a fire extinguisher, and then train fire prevention and fire-fighting (Boeing); I would prefer to live in a fireproof house and teach the children not to play with matches (Airbus).

Your reference to Habsheim accident perpetuates the misunderstandings of the root causes; this is not to continue discussion on the accident in this thread, but as a clarification on your statement. If any aircraft makes a fly past at a power setting so that airspeed will decrease and if the crew do not add power the aircraft may stall or it will have to descend at constant (minimum) speed. If the crew fails to add power at low altitude, the aircraft is likely to crash whatever the control system design may be. If you play with matches even in a fireproof house you can get burnt.

.. or, put another way, the designers and certifiers can only help pilots help themselves so far .... the ingenious pilot can always find a way to confound the intentions of the designer and come to grief. Hence the emphasis on not doing too many stupid things in one's daily flying routine and respect for SOPs.

If my memory serves me right; the pilots of the 'bus that crashed into trees flew below the pre-briefed fly-past altitude, thus sending the aircraft, unintentionally, into landing mode. Nothing wrong with the aircraft. An Airbus can make a go-around from low altitude just as well as a Boeing airplane, and good airmanship dictates that you should know your airplane.
I do, however, think that Airbus might have taken too great a leap into automated envelope protection, because all pilots have been trained on, and perhaps flown a substantial number of hours on "conventional" aircraft. For the new generation of pilots, especially low-timers, the Airbus philosophy will work just fine, because they will not suffer as much from negative transfer of learning.
What is needed for the more experienced, "old-school", pilots, is a good training programme and the companies selecting pilots with the ability to absorb new consepts (not just upgrading on the basis of seniority alone).
This could be a good reason why Boeing sorta' eases the new technology into the cockpit step-by-step.
And might I mention the words of a retired B747 captain, who once commented on the way companies treat their enemies' technology and research: They usually go through five phases:

Ignore - ridicule - attack - copy - steal.

Me thinks Boeing is somewhere around the copy/steal phase ;-)

Cross.

There is no such thing as a 'land' mode.

What happened in this case, is that the pilots wanted to demonstrate the Airbus feature where the aircraft sets TO/GA thrust irrespective of thrust lever position on approaching the stall.
They forgot, however, that this feature is disabled below 100' (to allow for speed loss in the flare).
Now they had the thrust levers in the idle position, waiting for the aircraft to set TO/GA thrust. Exactly as supposed to, it didn't. And they crashed. Nothing to do with the infamous "plane thinking it was going to land" or the "aircraft stuck in landing mode."
If they had pushed the thrust levers forward instead of waiting for the aircraft to add thrust, nothing would've happened. In other words, they should've thought about how the system works before doing completely non-standard things at low level.

It's curious that the FBW debate always seems to come down to the alpha protection law on Airbuses - I, as with my fellow mad-man above, can see no useful activity in the post-stall regime.

Almost never mentioned is the prescence of a full authority FBW type system on all modern large transports and many small ones - the FADEC. This has absolute authority over the thrust you can get from the engine - you'll never be able to firewall a FADEC engine.

One of our types has instructions to push the throttles fully forward during windshear escape; on the older aircraft, that means busting the TOGA rating and getting a significant thrust increase, on the newer aircraft you just get TOGA (APR technically). That would seem to be a case where the automatic limits are a potential degradation in safety, yet AFAIK every FADEC engine does the same, whichever aircraft its fitted to.

A 20% boost in thrust when you really need it would seem to be of more interest than the theoretical possibility of a harried line pilot somehow managing to fly within 0.1 degree of the stall in an emergency.

Mad’fs, FADEC so true. However, there is at least one design that gives full chat when in Windshear. The LF 507 engine on the Avro RJ removes all computed thrust ratings if a Windshear is detected and the engine is limited the fan speed or temperature limit as applicable. Both the thrust rating and Windshear detection functions are within the flight guidance computer thus they talk to each other.

FBW, but then there is Nose Wheel Steering by wire, do we get upset by that?

Crossunder and Phoenix_x, I could argue that the A320 in question has a type of "land mode". I apologize for not being familiar enough with all of the Airbus flight modes, so I don't know the term for the below 100ft flight mode. However clearly a "mode change" occurred at 100ft, where automatic TOGA thrust was no longer available.

With all of the FBW automatics incorporated into both Boeing and Airbus aircraft, I think it's the complexity of the system "mode changes" that needs to be well understood. To me, a "mode change" happens when the behavior of the FBW automatics change, when passing through a certain trigger event. When a "mode change" occurs, the system behavior changes, and the new "mode" must be properly identified and its behavior must be well understood. The challenge for the new FBW "system manager" type of pilot, is to be completely familiar with the system behavior in all possible system "modes", and all events that trigger a change to new a "mode".

My problem with the "Bus" philosophy is that there are so many of these system "mode changes" and a fairly large number of "trigger" events that cause the "mode changes". It's a lot to keep up with, especially when an unnoticed "mode change" can get you into trouble (as was the case with the above mentioned A320 accident, and the recent A340 incident at Johannesburg).

Please understand that I'm not "Bus" bashing here, instead I'm interested in possible design problems that can result from the various control system design philosophies.

A 20% boost in thrust when you really need it would seem to be of more interest than the theoretical possibility of a harried line pilot somehow managing to fly within 0.1 degree of the stall in an emergency.

This opens the argument further to other types, specifically fighters such as the F-16 which have a +9G limit. Very good, stops the pilot over stressing the aeroplane, but:

What happens if it 'only' needs +9.1G to stop it hitting the ground?

Almost never mentioned is the prescence of a full authority FBW type system on all modern large transports and many small ones - the FADEC. This has absolute authority over the thrust you can get from the engine - you'll never be able to firewall a FADEC engine.

I have a similar device on my 1964 Twin Comanche. When I push the blue levers forward, the RPMs are limited to 2700 RPM. If only the damned designers would let me take the RPMs to 2900 RPM, I could get a bit more power out of the engines for a short while in an emergency situation, even though it would break them in the long term.

Of course it's kind of useful to be able to push the blue levers to the stops and not worry about keeping the RPMs below the redline manually.

Still, I'm concerned that this disconnect between me and the aircraft I'm flying breaches my fundamental rights of freedom as a pilot. What do you think? ;)

What happens if it 'only' needs +9.1G to stop it hitting the ground?

In that particular case, we'd probably be talking very quick (they cannot withstand 9g for long periods of time) and aggressive manoeuvring close to the ground, whereby the pilot would most likely NOT be calmly looking at the g-meter through his black & white tunnel vision, carefylly and calmly adjusting sidestick pressure to achieve 9.1g! The poor sod would probably be pulling until the metal bent, eyes wide open and break the aircraft into little pieces. And - in this case, bitchin' Betty would be flashing an "X" in his HUD and yelling, telling him to get his butt outta there ASAP; nevermind trying to pull up. Eject!

Extreme situations often provoke extreme reactions, and the only one able to think clearly will most likely be the software. Or Martin Baker.

alf5071h

I feel I must respond to your post. The summaries you have of the design philosphies of both Airbus and Boeing are indeed as you indicate gross simplifications.

Boeing argues for a design philosophy that the crew always know better and must remain in control – do something at all cost (my gross simplification).

This is untrue. If this were their design philosophy that the crew always know better why would they have put any protections at all on their 777fbw system.



Whereas Airbus accommodates crew error, yet does not remove the overall command and control from them (again my simplification).

Again I believe untrue. As far as accommodating crew error you later through your own admission acknowledge this not to be the case

If you play with matches even in a fireproof house you can get burnt.

As far as the later part of your statement I believe it does remove command and control from the crew under certain circumstances and I believe the Habsheim incident is a perfect example. You write



If any aircraft makes a fly past at a power setting so that airspeed will decrease and if the crew do not add power the aircraft may stall or it will have to descend at constant (minimum) speed. If the crew fails to add power at low altitude, the aircraft is likely to crash whatever the control system design may be.

Given the scenario I agree with the bit in bold 100%. But it seems that for the Airbus control system design under certain cicumstances the all seeing computer working behind the scenes believes this not to be the case (hence the disconnect I mentioned between pilot and aircraft) This is borne out by the posting of Phoenix_X, who on his profile I noticed has flown the Airbus. He writes



If they had pushed the thrust levers forward instead of waiting for the aircraft to add thrust, nothing would've happened.

Now let me describe what would have happened on a 777. If they were doing a low fly-by below 100ft letting the speed come back to the stall. They firstly would have got warnings of the low airspeed situation. If they continued to let the speed bleed off the autothrust would 'wake-up' and try to regain the airspeed. Now lets take the worst case scenario where the autothrust system was switched off at any stage if they had pushed the thrust levers forward manually they would have got increased thrust. All completely intuitive.

I've never flown either type, so I'm wondering:

bsevenfour:

The B777s autothrust system clearly allows the aircraft to be landed (ie. low altitude + airspeed/AoA close to stall situation), so is there a sort of "landing mode" on the B777 as well? (OK, maybe it's not actually called landing mode, but you now what I mean...)


Phoenix_X:

Prior to the crash of Air France 296 - did the aircraft itself automatically switch off the alpha floor protection because of the low altitude? I take it they were flying "manually"... Is this so with the latest software on today's A320s?
Which types of warnings do you get when approaching stalling AoA/speed? Is there an Airbus version of stick shaker as well?

Crossunder & bsevenfour:

The B777 A/T reduces thrust to idle at c.25R in normal operation.

The stall protection modes are not active below 100R on approach or below 400' AAL on takeoff, interestingly. This effectively means there is an un-annunciated 'Landing Mode', very similar to the Airbus one...

As for the argument about 'hard' and 'soft' envelope protection, I tend to side (very slightly) with the Airbus philosophy (even though I fly a Boeing!). The most oft-quoted example is the 'need-to-pull-a-bit-harder-to-get-over-the-mountain-bugger-it-won't-let-me' scenario. As CFIT is still one of the largest killers, it would seem to be the most relevant, also.

Take aircraft A & B. A has full (hard) envelope protection, B makes it difficult, but possible, to go outside the protection.

In aircraft A, once you get the dreaded "Whoop Whoop", full back-stick commands TOGA thrust and a computed trajectory to maximise the obstacle clearance potential. No thought required.

In B, you press the buttons and pull back. How hard? Well, if your AoA is too low you will hit the mountain. Too high and your gradient will suffer and you hit the mountain as well. You do have some flight director guidance but I can't find an explanation as to what it is. Chances are you won't get it right if it is a marginal escape as you most likely are flying at night/in IMC so can't see the obstacle (otherwise why are you trying to hit it?)

The point I am trying to make is that I would rather have a bunch of computers recalculating my optimum 'escape vector' hundreds of times a second and keeping the wing just on the performance 'sweet spot', than to try and figure all that out myself. I would rather have spare capacity to work out where the **** we were and what to do about it!

Human Factor,

fighters with G limiting have an over-ride switch to provide a certain % over G when needed

bsevenfour we differ only in our simplifications; the problem is far more complex than we have discussed.

Crossunder and Fullwings have adequately replied to the A320 and 777 points. The issue is not within the system’s switching, but the failure of the crew in any aircraft to ‘switch on’ to changing conditions or circumstance.

CFIT, how hard to pull? The crew rarely see the ground until it is too late; the best design philosophy is to fit EGPWS and train not to activate any alert.

Fighters pulling ‘g’? See the recent photo of a F16 at the bottom of the loop (pulling xx ‘g’) as the pilot switches to a 'Martin Baker' design after a misjudgement.

quote:
--------------------------------------------------------------------------------
If they had pushed the thrust levers forward instead of waiting for the aircraft to add thrust, nothing would've happened.
--------------------------------------------------------------------------------

Now let me describe what would have happened on a 777. If they were doing a low fly-by below 100ft letting the speed come back to the stall. They firstly would have got warnings of the low airspeed situation. If they continued to let the speed bleed off the autothrust would 'wake-up' and try to regain the airspeed. Now lets take the worst case scenario where the autothrust system was switched off at any stage if they had pushed the thrust levers forward manually they would have got increased thrust. All completely intuitive.

I believe that statement about Airbus is being misinterpreted - what it means, if I may be excused from putting words into another's quote, is...

If they had pushed the thrust levers forward instead of waiting for the aircraft to add thrust, nothing bad would've happened. (because they would have got the increased thrust)