Right Way Up

Flight Detent,
Flt engs have been known to make mistakes, such as the 747 classic that diverted into CWL with a double engine flameout due fuel mismanagement.
The basis for systems monitoring in new electric jets is reasonable. What is not reasonable is the lax way that the programming seems to be carried out. The logic should be based on the perspective of a pilot or engineer , not a 20 year old computer geek.

Flight Detent

No, Gentlemen, I do not exaggerate at all!

I understand no system is perfect, but please!

Look at Jettison Valve above, and also ask why, thats the reason for my comment regarding engineering common sense.

I say again, somebody with an engineering background and common sense needs to be continuously monitoring these airplane systems, to make decisions and carry out actions in a proactive manner, not when the engine(s) start running down!

NO, I don't think I am overstating this at all, the FE can make the airplane control systems much more uncomplicated, and it follows that the airplane will be much cheaper and simpler to build.
And, of course, much more reliable!

FD

nicholasw

So, you have a software component developed to (say) DO-178B level C, but actually a system safety analysis reveals that the minimum acceptable level is A?

Doesn't someone have strong words to say about this? Like the safety authority, or QA, or anyone?

BEagle

That would require the program office to be adequately testiculated...

Which they are not.

The arrogant 'software failure to control the problem is a double failure and will not be considered' attitude of the Toulouse people is breathtaking....

ExSimGuy

Detent and BEagle certainly have some valid points. "Dad Speaking" - I worked building sims for DC-10 and others back 35+ years ago, when they were "latest since sliced bread" and we found some of the things we had to simulate quite scarey (certain hydraulic failure combInations caused a "hydraulic hardover" of the rudders, erroneous extinguisher indications for the holds, etc) which were present on aircraft flying, but had never been noticed until we "computer modelled" the systems!

I'm a 55 year-old "computer geek", and I'm scared at the thought that the busses and new "Boings" that I fly on so regularly have so much more "electronic control" that the drivers are "in theory" almost redundant - even though the old systems still had enough potential for "electronic errors"

How much more expensive is it to have "3-crew, 4-holer" than a 2 engine ("they are so reliable these days") 2- crew Aircraft, with the functions of the FE (apart from knowing the bars and the birds) and even the RO (Radio Operator? remember??!!) taken over by a bunch of puters that really don't have any great personal fear of colliding with the ground at M.9???

Okay - I'm "out of it" technologically these days, but a few more eyeballs in the office, and a few more switches to operate might not be such a bad thing to go with - and maybe some real "meters" connected to important stuff like fuel tanks?!

Don't get me wrong, I'm looking forward to the experience of flying the new GF 380 from BAH to LHR on my vacation flights, but I just hope it doesn't turn out to be a Titanic! ("Hey, NOTHING can go wrong - it's all monitored - and controlled - by computers". There's something to be said for the good old 1011)

birdofprey

With replacement of the 3rd man in the cockpit by the computer brains but you have to realise that behind the computers is a whole bunch of engineers, simulations, tests and capability that allows scenarios that the 3rd man could never even contemplate to be run. It seems that the manufacturers miss a few from time to time but lets face with the design practices its pretty tough to get into a dangerous failure condition.

Thats my rant in favour of the engineers, hurrah for tweed jackets and leather elbow patches!

ElNino

On the other hand, once the uncontemplatable does occur, the 3rd man would be somewhat better than the computer at dealing with it. And therein lies the flaw with over-computerisation.

Roadster280

To my mind, it matters not what the system is. Whether it be software, hydraulic or electrical, whatever. The analysis of what might go wrong, the risk of it going wrong, and the consequences of it going wrong are the factors to be managed.

If the software fails, and the valve doesn't open, so the manual override is selected, you are still in the $hit if the solenoid that operates the valve is itself $hagged. But the risk of all of these occurring simultaneously is multiplicative, so very small. If the consequence of this occurring is death of 800 people, then "small" has to be very very small indeed. But it can't ever be zero. Even staying on the ground carries a risk of death by meteor strike, but that is very very very small.

It doesnt seem right to single out software as against any other "system". The tyres on the AF Concorde failed rather spectacularly, nothing to do with any clever bits, it was plain old rubber.

Risk analysis. Something computers are rather good at...

PAXboy

Plain pax speaking, albeit with 25 years in telecommunications watching it go from 'plug-n-socket' to fibre optic.

Yes, but we will always face a circular debate since the risk analysis is ... Software! And it was written by someone who is not a pilot! Getting communication betwen the end user (pilots) the supplier and carrier is an art not a science.

I have no doubt that the costs of cutting out the third system were what drove the decision. Money and nothing else. Reading the AAIB report on the VAA problem reminded me of early electronic telephone systems. "They have duel control" said the supplier, "Each monitors itself and there is an automatic handover if it goes wrong."

In due course ... each processor wanted to abdicate control to the other and the system fell through the middle OR neither could abdicate control. The result was the same - the telephones became rather quiet. Just like the engines, except that telephone systems are easier to restart because they are already standing on the 'apron' of the equipment room and you can check lots of things before you give it a kick in the slats.

Gimme triple.

411A

<<Bring back the Flight Engineer>>

Ain't that the truth.

Sadly, this is not going to happen until there are a few smokin' holes in the ground.

On second thought, just holes, as the smokin' part will be absent due to the shortage of fuel...

Flight engineer...don't leave home without one.

Dan Winterland

Couldn't happen in a Boeing? Well, maybe not this specific case. But about the same time this incident happened, there was a very similar incident in a 744 in which the scheduling of the fuel tanks didn't happen as advertised and the crew had a bit of a fright.

And I know of two instances when flight engineers have flamed out engines by starvation.

It seems that where either computers or humans are involved in fuel management, there will be incidents!

Ignition Override

Birdofprey: You did not mention an engineer's slide rule.

At least the A-330 (all are ETOPS?) has a more reliable fuel system?

One problem these days, at least in Boeing or (M)Douglas aircraft, is the fact that we can not reset, or pull and reset a fuel pump circuit breaker. How about Airbus boost pump breakers? Many of us suspect that this 'pump circuit breaker problem' is so remote and previously unheard of, that it could be part of a cover-up, or partial cover-up, regarding TWA 800 at Long Island.

We once had a center pump breaker pop , which created the wrong fuel feed sequence: (only one good pump left) full center tank fuel and wing tanks down over 1,000 lbs. each. Without any flight engineer and no computers , the book said to turn main tank pumps off until center quantity was at 500 lbs.

The flying pilot (FO) was mostly solo for a while. And NO COMPUTERS to help us fly or manage things, using ancient Jepp Hi charts to navigate! Still more relaxed than with an FAA Inspector was on the jumpseat and an amber "fire detector loop" light came on.

JamesT73J

I see alot of reference to pilots being left 'out of the loop' when it comes to design and implementation of automated flight control and systems.

I can't believe that, because it's contrary to every software development model out there. An FCS for an aircraft is hardly a Windows application; it is arguably business and life-critical, therefore will be subject to very thorough prototyping and iteration, with the involvement of engineers and flight test crew. Of course there will be errors and bugs; that is what the process is designed to identify and rectify.

As to the reinstatement of a flight engineer, you can't put the toothpaste back in the tube. Where would a human being fit in now in the on-board engineering role? Would a flight engineer have been beneficial in the VS incident, or did the crew manage the situation as well as possible?

Automation and software are here to stay, though it is of course terribly important they are totally safe and have appropriate redundancy measures, and that the human being is in the control loop if necessary.

Airbus340FO

Preppy,
sorry the A380 fuel system will be a lot different. There will be by far more possibilities to shift fuel from cell to cell and there will be more manual transfers possible as well.

and by the way, I do not need the flight engineer to check my fuel page...

If a system has a malfunction you would usually monitor the associated system, wouldnīt you ?

Beagle:
sorry, but they ( flight engineers ) are just eating away the spare food on board and you got to watch out that something is left for you. Let them retire now at home..please !

I am happy with digital systems and wouldnīt like to have 1bit informations send via electrical lines. For me it can be 1byte infos as well. I do not want all analog data transfer.

How about full HF back on the NAT-system instead of CPDLC ?

Remember the old systems and the infos you got out of them ? Nowadays I got 100x more infos on hand about my systems which I can work with then on older aircraft.

In former times aircraft used to be much more often AOG then nowadays. Of course sometimes a hickup from a computer or sensor makes a problem, but with other data you usually can identify the errounos data and trends can be monitored as well.

On the old aircraft it was "BANG", broken ( 1bit Info )

Nowadays for example even the old flight engineers in my company, flying as a captain on the airbus, are happy with the enormous amount of infos they can retract from their aircraft and the technical status at all times during a flight. ( flight entertainment system is a different matter, so
)

They donīt want to change !

but you still got to watch for the meal or it is gone...

BEagle

Airbus A340FO, yes I agree. FEs are not needed on the A320+ series of aircraft.

However, even though the software of Airbus' own making is exceptionally reliable, the same does not necessarily apply to software used in supplementary equipment whose supplier was perhaps not required to produce software of such quality that no 'manual override' would ever be needed.

Currently you may trip and reset a very, very limited number of CBs in some aircraft - for example to recover certain avionic items. But current philosophy is that if a CB trips itself in flight, you must not reset it. Similarly, the 'try a computer reset' philosophy is only acceptable for computer systems whose checklist permits it. If the checklist or Abnormal Procedures states that, following a warning, the system should be shut off, that does not mean that it's safe to 'try a reset'....

TheShadow

http://www.eaawatch.net/

Worth looking into because it shows an Airbus pattern of design behaviour.
.