Tech Log The very best in practical technical discussion on the web

AF447

Old 29th Jun 2009, 18:35
  #2501 (permalink)  

Sun worshipper
 
Join Date: Dec 2001
Location: Paris
Posts: 494
Likes: 0
Received 0 Likes on 0 Posts
PJ2,
lomapaseo;
Quote:
Somewhere the FCOM etc. needs to be standardized in this respect so at least we know after the fact what side of the judgement curve (man or machine) needs to be looked at.
Failing the original opportunity to fulfill this philosophical need, ostensibly because the power and promise of "automation" was intoxicating to so many, what is now to be a re-examination has been a long time coming.
If there is one aspect of modern aviation this accident has shown, it is the hidden level of integration and automation now present in our airplanes.
As a pilot, I can understand the implications of one failure or a set of faults, their resulting performance degradation, the various reversions...
But when it comes to really knowing where the monitoring is, where the decisions to accept or eliminate a given component come from...good luck !
Here, for instance - and I understand how frustrating it is - The ADR DISAGREE condition is the last stage of elimination of one or more possibly faulty ADRs, meaning that in any case, we will end up with a dual ADR failure condition - or more. The fact is that when the A/P was lost, the AFCS had already determined that it couldn't work with the amount of suspect data coming from at least 2 ADRs...the voting about which is wrong and should be taken out first, then the determination on whether the comparisons between the data from the remaining ADRs was worth performing happens somewhere else, here, inside the PRIMs.
All this is very confusing.
Better stay with my very simple FCOM and accept how they wrote it.
Do I make sense ?
Lemurian is offline  
Old 29th Jun 2009, 18:47
  #2502 (permalink)  
 
Join Date: Mar 2002
Location: Florida
Posts: 4,569
Likes: 0
Received 1 Like on 1 Post
Lemurian

Quote:
As a pilot, I can understand the implications of one failure or a set of faults, their resulting performance degradation, the various reversions...
But when it comes to really knowing where the monitoring is, where the decisions to accept or eliminate a given component come from...good luck !

Better stay with my very simple FCOM and accept how they wrote it.
Do I make sense ?

The issue that I was responding to, initially from Safetypee, was the subjective avoidance of weather vs standardized guidance in an FCOM

My read of what you wrote was the hard and soft aspects of dealing with a systems failure in an FCOM.

Either way we are postulating on what went wrong without knowing what, how or why in this accident.
lomapaseo is offline  
Old 29th Jun 2009, 19:07
  #2503 (permalink)  
 
Join Date: Mar 2005
Location: 41N12E
Posts: 80
Likes: 0
Received 0 Likes on 0 Posts
beanbag

..got it now:-))
sleepypilot is offline  
Old 29th Jun 2009, 19:18
  #2504 (permalink)  
PJ2
 
Join Date: Mar 2003
Location: BC
Age: 76
Posts: 2,484
Received 0 Likes on 0 Posts
lemurian;
Quote:
Do I make sense ?

Yes.

Quote:
The fact is that when the A/P was lost, the AFCS had already determined that it couldn't work with the amount of suspect data coming from at least 2 ADRs...the voting about which is wrong and should be taken out first, then the determination on whether the comparisons between the data from the remaining ADRs was worth performing happens somewhere else, here, inside the PRIMs.
All this is very confusing.

Interestingly, this has led us to the same issues which arose in the Amsterdam B737 stall accident, that issue being, the difficulty in determining which of two datasets is the accurate one. Peter Ladkin expressed these issues far better than I of course but it is not a simple matter of just selecting the "working" computer...

The design works brilliantly and I think those who fly the Airbus would agree it is a joy to fly, but when a serious degradation of system capability occurs, the task of understanding what the fundamental, primary problem is and what, as an airman, one is to do first in terms of securing control of the aircraft, can quickly become an overwhelming challenge when also faced with external threats such as weather or traffic.
PJ2 is offline  
Old 29th Jun 2009, 19:43
  #2505 (permalink)  
 
Join Date: Dec 2002
Location: UK
Posts: 2,451
Likes: 0
Received 9 Likes on 5 Posts
Re avoiding storms (lomapaseo #2535), “unfortunately this is often subjectively interpreted”. I agree, perhaps this is one of the significant differences in this accident – not flight in a Cb, but the margin by which the Cbs were avoided.

Re “Above the storm has been interpreted as good-enough yet is that not a greater risk to pitot, engines etc.?” The report linked in #2526 suggests that the icing conditions can occur above the storm. This together with weather radar weakness in detecting the vertical extent of the core and emerging cells beyond it would exclude Cb over-flight as an option.

EGMA re #2536, the central point in the ‘engine’ report (linked in #2526) is that perceptions or mechanism of conventional icing is not the same as ice particle icing; the latter can have a very sudden onset, see the plots of TAT rise.
The contribution (or otherwise) of drain holes is shown in the presentation Instrument External Probes.
I do not know what the specific changes are between the different pitot designs; shape may be a critical factor or just a simple increase in anti icing heat flow, which was a fix for one of the engine types.

There is no evidence of any upset. It has been shown that the aircraft can be flown without airspeed information, and in other respects – lack of protections, structures, manoeuvre capability, etc, it is comparable with conventional aircraft.

Question: Aside from the debate on integrated automation and degraded operation, would the EFIS still indicate or be able to indicate the reversionary modes (alerts and cautions) with the supposed complete ADIRS shutdown?
If not, then the debate is not so much about gradual degradation of systems and basic control capability, it would be of the crew’s awareness of the change of state and triggering the need for knowledge of the required precautions.
safetypee is offline  
Old 29th Jun 2009, 19:51
  #2506 (permalink)  
 
Join Date: Jun 2009
Location: Earth
Posts: 79
Likes: 0
Received 0 Likes on 0 Posts
Reading the ALTN LAW / DIR LAW schematic, I still have a bucketful of questions, all germane to our thread subject. Some of them are :

are all switching to ALTN LAW combined with an AP disconnect ?

is there any condition where the aircraft would switch to ALTN LAW and continue AP operation ?

Thanks

Last edited by Svarin; 29th Jun 2009 at 19:52. Reason: grammar
Svarin is offline  
Old 29th Jun 2009, 20:54
  #2507 (permalink)  
 
Join Date: Jul 2002
Location: california
Posts: 35
Likes: 0
Received 0 Likes on 0 Posts
PJ2:

A 737 stalled ? Oh no !
Surely not due to computers running things ?

You mean the airbus golden rules apply to a boeing aircraft ? Naaaa!

facetious me !

Re: Autopilot lost stuff

To me the 330 autopilot disconnects with a double ADR Fault, but not with an ADR disagree (alone), that is unless you have other things going wrong which trigger AP Lost.

(the boxed items on top of the schematic point to AP lost ..on the left and the unboxed part points to ALT law...bottom)

But also, ADR disagree means one's been tossed and the two remaining disagree right ? so AP lost....
Shoot me if this is wrong.

Last edited by captainflame; 29th Jun 2009 at 21:00. Reason: Added info.
captainflame is offline  
Old 29th Jun 2009, 21:03
  #2508 (permalink)  
 
Join Date: Jun 2001
Location: East of the Sun & West of the Moon
Posts: 286
Likes: 0
Received 0 Likes on 0 Posts
Quote Svarin:

Reading the ALTN LAW / DIR LAW schematic, I still have a bucketful of questions, all germane to our thread subject. Some of them are :

are all switching to ALTN LAW combined with an AP disconnect ?

is there any condition where the aircraft would switch to ALTN LAW and continue AP operation ?
Svarin,

No, reversion to Alternate Law is not always combined with an autopilot disconnect. Many situations will trigger both, but some do not. A significant example would be the Emergency Electrical Configuration where, with the aircraft in Alternate Law, AP2 remains available until the Land Recovery pushbutton is selected. This is done during approach to recover some of the aircraft functions that are necessary for landing that are not required during cruise flight. In order to maintain within the minimal capacity available from the emergency generator or batteries other functions that are non-essential to the approach and landing are depowered and amongst those is AP2.

ELAC
ELAC is offline  
Old 29th Jun 2009, 21:05
  #2509 (permalink)  
PJ2
 
Join Date: Mar 2003
Location: BC
Age: 76
Posts: 2,484
Received 0 Likes on 0 Posts
Re 737's stalling, yeah, go figure. Something about mind thy airspeed lest the earth rise up and smite thee?...

The way you have interpreted the chart is the way I do as well.

PJ2
PJ2 is offline  
Old 29th Jun 2009, 21:43
  #2510 (permalink)  
 
Join Date: Apr 2004
Location: germany
Posts: 1
Likes: 0
Received 0 Likes on 0 Posts
Question black box search

What is the latest on the presumably sunk AF 330 data recorder/"black box" search? (If this theme has already been more than exhausted [as the thing's locator batteries must be by now] then please forgive my suddenly barging in here asking that question again plus my laziness in not bothering to wade through all the posts to find out). Anyway, a day or so after the aircraft was missing and presumed crashed into the Atlantic, I was watching a televised press conference on the news where a high ranking AF official was up to bat. At one point he said there was a strong possibility that the flight data recorder may never be found or retrieved. I found that an odd thing to say so early on - particularly since data recorders for years have been specifically designed and improved by clever boffins to be found - and in virtually any environment imaginable (including, I assume, an ocean floor).
orbitsled is offline  
Old 29th Jun 2009, 21:59
  #2511 (permalink)  
Per Ardua ad Astraeus
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Situation confused by conflicting statements. I guess someone knows.
BOAC is offline  
Old 29th Jun 2009, 22:50
  #2512 (permalink)  
 
Join Date: Nov 2006
Location: SoCalif
Posts: 896
Likes: 0
Received 0 Likes on 0 Posts
Anticipated Failures

The safety analysis done in the design phase obviously accounted for a single pitot failure, for all conceivable reasons. Could the safety analysis not have considered the possibility of all three freezing over nearly at once, at night, in cruise?

Couldn't Otto have been made smart enough to recognize a drop in all three measured airspeeds with little or no change of angle of attack? He should be able to fly pitch and power as good as a pilot could.

GB
Graybeard is offline  
Old 29th Jun 2009, 22:57
  #2513 (permalink)  
 
Join Date: Apr 2009
Location: Petaluma
Posts: 330
Likes: 0
Received 0 Likes on 0 Posts
Or couldn't he have ignored the drop of two and relied on the one not changing rate?? Instead there is 'Disagree' when one might have been 'reliable'?? That one could remain serviceable but be dropped as a disagreeable partner means there aren't actually three independent samplers?? IOW, could a 'pair' be 1,1a, where a is two seconds ago, meaning consistency? After all, stability can be sampled as well as rate of change, or fault.
Will Fraser is offline  
Old 29th Jun 2009, 23:10
  #2514 (permalink)  
 
Join Date: Jun 2009
Location: ATL
Age: 67
Posts: 131
Likes: 0
Received 0 Likes on 0 Posts
Great point Graybeard. I'm still trying to figure out why a system with five computers, quadruply redundant, only had 3 pitots and statics, double redundancy. Plenty of lesser planes have four pitots.
ClippedCub is offline  
Old 29th Jun 2009, 23:22
  #2515 (permalink)  
 
Join Date: Jan 2008
Location: Los Angeles
Posts: 27
Likes: 0
Received 0 Likes on 0 Posts
More complexity coming

When three pitot heads are rendered inop due to external influences, in this case supposed icing of some description, the design represents a single point of failure. Three heads are the minimum required to allow triplex redundancy and voting logic but if they are all overwhelmed by the same event the number no longer matters. Five, ten, a hundred - they will all succumb in the same way at the same time.

Now that the potential for multiple pitot heads to be offlined by a single meteorological phenomenon has been clearly established by the recent spate of incidents, the current system, shown to have no redundancy to this catastrophic failure mode, becomes a single point of failure in the safety analysis and as such will have to be addressed.

An alternate system will need to be developed which delivers accurate airspeed without using M. Pitot's somewhat ancient approach.

Rgds.
24V
24victor is offline  
Old 29th Jun 2009, 23:51
  #2516 (permalink)  
 
Join Date: Jan 2008
Location: Herts, UK
Posts: 748
Likes: 0
Received 0 Likes on 0 Posts
Quote:
Couldn't Otto have been made smart enough to recognize a drop in all three measured airspeeds with little or no change of angle of attack? He should be able to fly pitch and power as good as a pilot could.

Posted as much about 1000 posts ago... quite simple implementation, though just as dangerous if pitch cannot be trusted 100%

24Victor

Assuming that was the onset of the sequence, yes.

Several matrices of multiple probes, burst heated & force drained when off-line and checked for consistency before being voted back in.. that sort of thing?
Then we have hot-wire and hot-film anemometers, which I am sure have been considered (as used in wind tunnels and now in many AirFlowMeters for car engine injection systems)
Then we have the engines, and their pressure ratios to cross-check against

But it's all getting a bit complicated again. Nothing is better than simple & foolproof
HarryMann is offline  
Old 30th Jun 2009, 00:01
  #2517 (permalink)  
 
Join Date: Jun 2009
Location: Iowa
Posts: 9
Likes: 0
Received 0 Likes on 0 Posts
Quote:
When three pitot heads are rendered inop due to external influences, in this case supposed icing of some description, the design represents a single point of failure.

So let's put four pitot heads on there. From there I can amend what you wrote:

Quote:
When four pitot heads are rendered inop due to external influences, in this case supposed icing of some description, the design represents a single point of failure.

We can play this game all day long. Four pitot tubes isn't enough, let's put five, five pitot tubes ... ... ... Fifty pitot tubes isn't enough... blah blah blah. You can keep adding more and more of anything to prevent any failure but it's not practical.

Quote:
Great point Graybeard. I'm still trying to figure out why a system with five computers, quadruply redundant, only had 3 pitots and statics, double redundancy. Plenty of lesser planes have four pitots.

Five computers are there for redundancy of the computers, not the airspeed system. You need to keep in mind that the supreme fear of everyone with FBW systems (prior to the supreme fear of pitot tubes and computers acting strangely) is computers FAILING in flight. Analogous to cables snapping in flight in a mechanical system.

Quote:
Or couldn't he have ignored the drop of two and relied on the one not changing rate?? Instead there is 'Disagree' when one might have been 'reliable'?? That one could remain serviceable but be dropped as a disagreeable partner means there aren't actually three independent samplers?? IOW, could a 'pair' be 1,1a, where a is two seconds ago, meaning consistency? After all, stability can be sampled as well as rate of change, or fault.

I find this statement amusing coming from you. You're asking a computer to determine which airspeed sensor is reliable? This is a situation where (as a designer of control systems) I would be running away as fast as I could. Unless I have a good model of what is happening I wouldn't want to be designing logic to figure out which one is right. The idea of the triple redundant system is that you can use a very simple model to determine which is right. The system will fail in an obvious way and independently of others in the voting pool. If you have to resort to examining each sensor for cues of failure you are probably going to have far too many false positives. I'd punt this to pilots who, even poorly trained, are probably more reliable than my system.

Quote:
Couldn't Otto have been made smart enough to recognize a drop in all three measured airspeeds with little or no change of angle of attack? He should be able to fly pitch and power as good as a pilot could.

I'd think this would be a good idea too. Since it's not done, I'd assume there is a reason. I have noticed a tendency to keep sensors separate rather than try to crosscheck values with other sensors in a tangential way. I also don't know why autopilots don't fly pitch. This is a very common system for UAVs, this is used in every autopilot where I work. These are both very good questions.
jeremiahrex is offline  
Old 30th Jun 2009, 00:08
  #2518 (permalink)  
 
Join Date: Jan 2008
Location: Los Angeles
Posts: 27
Likes: 0
Received 0 Likes on 0 Posts
@jeremiahrex

I'd appreciate two things; first you read what I post before replying, and second that you then consider your reply.

As stated, the number of heads doesn't matter if they are all overwhelmed by one single external occurrence. This is defined as a single point of failure in a critical system, itself a big no-no. There needs to be an alternate "back up" system which can deliver accurate airspeed without depending on the existing pitot heads.

Rgds.
24V
24victor is offline  
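
Added example, not part of any post in this thread and not a model of any aircraft's actual logic: a generic triplex voter run over constructed airspeed values. It shows the cases argued above (one bad source outvoted, two or three sources failing from a common cause) and the airspeed/angle-of-attack cross-check Graybeard suggested. The thresholds and function names are assumptions chosen for illustration.

```python
from statistics import median

AGREE_KT = 20.0  # assumed: max deviation from the median that counts as agreement
DROP_KT = 30.0   # assumed: sample-to-sample airspeed drop treated as suspicious
AOA_DEG = 1.0    # assumed: angle-of-attack change still treated as "no change"


def vote(speeds, tol=AGREE_KT):
    """Triplex mid-value voter over three airspeed readings (knots).

    Returns (status, value, rejected). Sources within tol of the median
    are kept; the others are listed in rejected by index.
    """
    mid = median(speeds)
    rejected = [i for i, s in enumerate(speeds) if abs(s - mid) > tol]
    kept = [s for i, s in enumerate(speeds) if i not in rejected]
    if not rejected:
        return "OK", mid, rejected
    if len(kept) == 2:
        return "ONE_REJECTED", sum(kept) / 2, rejected
    return "DISAGREE", None, rejected


def common_mode_suspect(prev_kt, cur_kt, aoa_prev, aoa_cur):
    """Cross-check against an independent quantity: the voted airspeed
    drops sharply while angle of attack barely moves."""
    if prev_kt is None or cur_kt is None:
        return False
    return (prev_kt - cur_kt) > DROP_KT and abs(aoa_cur - aoa_prev) < AOA_DEG


# Constructed samples (knots). True airspeed is about 273 kt in every case;
# readings near 80 or 150 kt stand for blocked probes.
SCENARIOS = {
    "healthy": [272.0, 274.0, 273.0],
    "one source fails": [272.0, 80.0, 274.0],
    "two fail together": [80.0, 82.0, 274.0],
    "all three fail together": [80.0, 82.0, 81.0],
    "two fail apart": [80.0, 150.0, 274.0],
}


def run():
    """Vote every scenario and return {name: (status, value, rejected)}."""
    return {name: vote(readings) for name, readings in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (status, value, rejected) in run().items():
        print(f"{name:24s} {status:13s} value={value} rejected={rejected}")
    # The voter alone accepts 81 kt as "OK"; the cross-check flags it.
    print("common-mode suspect:", common_mode_suspect(273.0, 81.0, 2.5, 2.6))
```

In the "two fail together" case the voter rejects the one correct source, and in the "all three fail together" case it reports full agreement on a wrong value. Only the check against a quantity outside the voting pool notices.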
Old 30th Jun 2009, 00:08
  #2519 (permalink)  
 
Join Date: Jan 2008
Location: London, England
Age: 56
Posts: 300
Likes: 0
Received 0 Likes on 0 Posts
My engineering head says that most of the time the current pitot probes work well enough, and it is an extremely rare occurrence that all three are lost with such tragic consequences.

There is in my mind, one obvious emergency alternative, that is already fitted to these planes, the ram air turbine.

I would imagine that a simple emergency system that was able to deduce the air speed from the RAT output could provide a viable emergency backup airspeed indication, albeit probably less accurate and not so efficient. Mind you if you have nothing else, an inefficient and not quite so accurate method of measuring your airspeed would no doubt still be very welcome.
MacBoero is offline  
Old 30th Jun 2009, 00:19
  #2520 (permalink)  
 
Join Date: Jun 2009
Location: ATL
Age: 67
Posts: 131
Likes: 0
Received 0 Likes on 0 Posts
Quote:
Five computers are there for redundancy of the computers, not the airspeed system.

On a system level, redundancy is determined by the lowest redundant component. Granted, pitots are dumb with no moving parts, other than heat, however this weak link will be investigated, if it's determined to be a single point failure. Sure, we can say backup is pitch/power, but why let it get even that far.

Carrier pilots are taught to fly AOA for approach.
ClippedCub is offline  
