Flight envelope protection is a human machine interface extension of an aircraft's control system that prevents the pilot of an aircraft from making control commands that would force the aircraft to exceed its structural and aerodynamic operating limits.[1][2][3] It is used in some form in all modern commercial fly-by-wire aircraft.[4] The professed advantage of flight envelope protection systems is that they restrict a pilot's excessive control inputs, whether in surprise reaction to emergencies or otherwise, from translating into excessive flight control surface movements. Notionally, this allows pilots to react quickly to an emergency while blunting the effect of an excessive control input resulting from "startle," by electronically limiting excessive control surface movements that could over-stress the airframe and endanger the safety of the aircraft.[5][6]
In practice, these limitations have sometimes resulted in unintended human factors errors and accidents of their own.
Function
Aircraft have a flight envelope that describes its safe performance limits in regard to such things as minimum and maximum operating speeds, and its operating structural strength.[1][2][3] Flight envelope protection calculates that flight envelope (and adds a margin of safety) and uses this information to stop pilots from making control inputs that would put the aircraft outside that flight envelope.[5] The interference of the flight envelope protection system with the pilot's commands can happen in two different ways (which can also be combined):
Ignoring part or all of an control input that would bring an aircraft's state of flight closer to or even outside of its operational borders. This method is applied in most sidestick-controlledfly-by-wire aircraft with rate command.
Inform the pilot that the respective command is bringing the aircraft closer to the calculated operational borders; this communication can happen by simple alarms or tactile feedback. This method is often applied in aircraft with conventional controls.
For example, if the pilot uses the rearward side-stick to pitch the aircraft nose up, the control computers creating the flight envelope protection can prevent the pilot pitching the aircraft beyond the stallingangle of attack:
In the first case, if the pilot tries to apply even more rearward control, the flight envelope protection would cause the aircraft to ignore this command.[4][5] Flight envelope protection can in this way increase aircraft safety by allowing the pilot to apply maximum control forces in an emergency while not at the same time inadvertently putting the aircraft outside the margins of its operational safety. Examples of where this might stop air accidents are when it allows a pilot to make a quick evasive maneuver in response to a ground proximity warning system warning, or in quick response to an approaching aircraft and a potential mid air collision.[4] In this case without a flight envelope protection system, "you would probably hold back from maneuvering as hard as you could for fear of tumbling out of control, or worse. You would have to sneak up on it [2.5 G, the design limit], and when you got there you wouldn't be able to tell, because very few commercial pilots have ever flown 2.5 G. But in the A320, you wouldn't have to hesitate: you could just slam the controller all the way to the side and instantly get out of there as fast as the plane will take you."[5] Thus the makers of the Airbus argue: "envelope protection doesn't constrain the pilot. It liberates the pilot from uncertainty – and thus enhances safety."[5]
In the second case, e.g. when using a force-feedback-system to communicate with the pilot, if the pilot tries to apply even more rearward control, the flight envelope protection would present increasing counterforces on the controls so that the pilot has to apply increasing force in order to continue the control input that is perceived as dangerous by the flight envelope protection.
While most designers of modern fly-by-wire aircraft stick to either one of these two solutions ('sidestick-control & no feedback' or 'conventional control & feedback', see also below), there are also approaches in science to combine both of them: As a study demonstrated, force-feedback applied to the side-stick of an aircraft controlled via roll rate and g-load (as e.g. an modern Airbus aircraft) can be used to increase adherence to a save flight envelope and thus reduce the risk of pilots entering dangerous states of flights outside the operational borders while maintaining the pilots' final authority and increasing their situation awareness.[7]
Airbus and Boeing
The Airbus A320 was the first commercial aircraft to incorporate full flight-envelope protection into its flight-control software. This was instigated by former Airbus senior vice president for engineering Bernard Ziegler. In the Airbus, the flight envelope protection cannot be overridden completely, although the crew can fly beyond flight envelope limits by selecting an alternate "control law".[4][8][9][10] Boeing took a different approach with the 777 by allowing the crew to override flight envelope limits by using excessive force on the flight controls.[4][11]
One objection raised against flight envelope protection is the incident that happened to China Airlines Flight 006, a Boeing 747SP-09, northwest of San Francisco in 1985.[5] In this flight incident, the crew was forced to overstress (and structurally damage) the horizontal tail surfaces in order to recover from a roll and near-vertical dive. (This had been caused by an automatic disconnect of the autopilot and incorrect handling of a yaw brought about by an engine flame-out). The pilot recovered control with about 10,000ft of altitude remaining (from its original high-altitude cruise). To do this, the pilot had to pull the aircraft with an estimated 5.5 G, or more than twice its design limits.[5] Had the aircraft incorporated a flight envelope protection system, this excessive manoeuvre could not have been performed, greatly reducing chances of recovery.
Against this objection, Airbus has responded that an A320 in the situation of Flight 006 "never would have fallen out of the air in the first place: the envelope protection would have automatically kept it in level flight in spite of the drag of a stalled engine".[5]
FedEx Flight 705, in April 1995, a McDonnell Douglas DC-10-30, was a case of a FedEx Flight Engineer who, facing a dismissal, attempted to hijack the plane and crash it into FedEx Headquarters in order for his family to collect his life insurance policy. After being attacked and severely injured, the flight crew was able to fight back and land the plane safely. In order to keep the attacker off balance and out of the cockpit the crew had to perform extreme maneuvers, including a barrel roll and a dive so fast the airplane couldn't measure its airspeed.
Had the crew not been able to exceed the plane's flight envelope, the crew might not have been successful [citation needed].
American Airlines Flight 587, an Airbus A300, crashed in November 2001, when the vertical stabilizer broke off due to excessive rudder inputs made by the pilot.
A flight-envelope protection system could have prevented this crash, though it can still be argued that an override button should be provided for contingencies when the pilots are aware of the need to exceed normal limits.
US Airways Flight 1549, an Airbus A320, experienced a dual engine failure after a bird strike and subsequently landed safely in the Hudson River in January 2009. The NTSB accident report[12] mentions the effect of flight envelope protection: "The airplane’s airspeed in the last 150 feet of the descent was low enough to activate the alpha-protection mode of the airplane’s fly-by-wire envelope protection features... Because of these features, the airplane could not reach the maximum angle of attack (AoA) attainable in pitch normal law for the airplane weight and configuration; however, the airplane did provide maximum performance for the weight and configuration at that time...
The flight envelope protections allowed the captain to pull full aft on the sidestick without the risk of stalling the airplane."
Air France Flight 447, an Airbus A330, entered an aerodynamic stall from which it did not recover and crashed into the Atlantic Ocean in June 2009 killing all aboard. Temporary inconsistency between measured speeds, likely a result of the obstruction of the pitot tubes by ice crystals, caused autopilot disconnection and reconfiguration to alternate law; a second consequence of the reconfiguration into alternate law was that stall protection no longer operated.
The crew made inappropriate control inputs that caused the aircraft to stall and did not recognize that the aircraft had stalled.
In October 2018 and again in March 2019, the MCAS flight protection system's erroneous activation pushed two Boeing 737 MAX airliners into unrecoverable dives, killing 346 people and resulting in the worldwide grounding of the airliner.
1 2 Pratt, R. (2000). Flight control systems: practical issues in design and implementation. Institution of Electrical Engineers. ISBN978-0-85296-766-9
1 2 Abzug MJ, Larrabee EE. (2002). Airplane stability and control: a history of the technologies that made aviation possible. Cambridge University Press, ISBN978-0-521-80992-4
1 2 Risukhin V. (2001). Controlling Pilot Error: Automation. McGraw-Hill Professional. ISBN978-0-07-137320-3
1 2 3 4 5 North, David. (2000) "Finding Common Ground in Envelope Protection Systems". Aviation Week & Space Technology, Aug 28, pp. 66–68.
↑ Traverse P. Lacaze I. Souyris J. (2004). Airbus Fly-By-Wire: A Total Approach To Dependability. IFIP International Federation for Information Processing: Building the Information Society. 156: 191–212. doi:10.1007/978-1-4020-8157-6_18
Fly-by-wire (FBW) is a system that replaces the conventional manual flight controls of an aircraft with an electronic interface. The movements of flight controls are converted to electronic signals transmitted by wires, and flight control computers determine how to move the actuators at each control surface to provide the ordered response. It can use mechanical flight control backup systems or use fully fly-by-wire controls.
American Airlines Flight 587 was a regularly scheduled international passenger flight from John F. Kennedy International Airport to Las Américas International Airport in Santo Domingo, the capital of the Dominican Republic. On November 12, 2001, the Airbus A300B4-605R flying the route, crashed into the neighborhood of Belle Harbor, on the Rockaway Peninsula of Queens, New York City, shortly after takeoff. All 260 people aboard the plane were killed, along with five people on the ground. It is the second-deadliest aviation accident in U.S. history behind the crash of American Airlines Flight 191 in 1979, and the second-deadliest aviation incident involving an Airbus A300.
A cockpit or flight deck is the area, usually near the front of an aircraft or spacecraft, from which a pilot controls the aircraft.
A stick shaker is a mechanical device designed to rapidly and noisily vibrate the control yoke of an aircraft, warning the flight crew that an imminent aerodynamic stall has been detected. It is typically present on the majority of large civil jet aircraft, as well as most large military planes.
A flight engineer (FE), also sometimes called an air engineer, is the member of an aircraft's flight crew who monitors and operates its complex aircraft systems. In the early era of aviation, the position was sometimes referred to as the "air mechanic". Flight engineers can still be found on some larger fixed-wing airplanes and helicopters. A similar crew position exists on some spacecraft. In most modern aircraft, their complex systems are both monitored and adjusted by electronic microprocessors and computers, resulting in the elimination of the flight engineer's position.
A glass cockpit is an aircraft cockpit that features electronic (digital) flight instrument displays, typically large LCD screens, rather than the traditional style of analog dials and gauges. While a traditional cockpit relies on numerous mechanical gauges to display information, a glass cockpit uses several multi-function displays driven by flight management systems, that can be adjusted to display flight information as needed. This simplifies aircraft operation and navigation and allows pilots to focus only on the most pertinent information. They are also popular with airline companies as they usually eliminate the need for a flight engineer, saving costs. In recent years the technology has also become widely available in small aircraft.
A conventional fixed-wing aircraft flight control system consists of flight control surfaces, the respective cockpit controls, connecting linkages, and the necessary operating mechanisms to control an aircraft's direction in flight. Aircraft engine controls are also considered as flight controls as they change speed.
A yoke, alternatively known as a control wheel or a control column, is a device used for piloting some fixed-wing aircraft.
Pilot error generally refers to an accident in which an action or decision made by the pilot was the cause or a contributing factor that led to the accident, but also includes the pilot's failure to make a correct decision or take proper action. Errors are intentional actions that fail to achieve their intended outcomes. Chicago Convention defines accident as "An occurrence associated with the operation of an aircraft [...] in which [...] a person is fatally or seriously injured [...] except when the injuries are [...] inflicted by other persons." Hence the definition of the "pilot error" does not include deliberate crash.
Air France Flight 296Q was a chartered flight of a new Airbus A320-111 operated by Air France for Air Charter International. On 26 June 1988, the plane crashed while making a low pass over Mulhouse–Habsheim Airfield as part of the Habsheim Air Show. Most of the crash sequence, which occurred in front of several thousand spectators, was caught on video. The cause of the crash has been the source of major controversy.
Aircraft upset is a dangerous condition in aircraft operations in which the flight attitude or airspeed of an aircraft is outside the normal bounds of operation for which it is designed. This may result in the loss of control (LOC) of the aircraft, and sometimes the total loss of the aircraft itself. Loss of control may be due to excessive altitude for the airplane's weight, turbulent weather, pilot disorientation, or a system failure.
A stick pusher is a device installed in some fixed-wing aircraft to prevent the aircraft from entering an aerodynamic stall. Some large fixed-wing aircraft display poor post-stall handling characteristics or are vulnerable to deep stall. To prevent such an aircraft approaching the stall the aircraft designer may install a hydraulic or electro-mechanical device that pushes forward on the elevator control system whenever the aircraft's angle of attack reaches the pre-determined value, and then ceases to push when the angle of attack falls sufficiently. A system for this purpose is known as a stick pusher.
Indian Airlines Flight 605 was a scheduled domestic passenger flight from Bombay to Bangalore. On 14 February 1990, an Airbus A320-231 registered as VT-EPN, crashed onto a golf course while attempting to land at Bangalore, killing 92 of 146 people on board.
Bernard Ziegler was a French pilot and engineer, who served in Airbus as senior vice president for engineering, well known for his evangelical zeal for the application of the fly-by-wire system in the Airbuses. He was the son of Airbus founder Henri Ziegler.
A side-stick or sidestick controller is an aircraft control stick that is located on the side console of the pilot, usually on the righthand side, or outboard on a two-seat flightdeck. Typically this is found in aircraft that are equipped with fly-by-wire control systems.
Brake to Vacate (BTV) is additional software planned by Airbus for incorporation on its line of airliners, intended to reduce runway overruns. A more tangible benefit is the increased ability to exit the runway at a specified turnoff point. The European Aviation Safety Agency certified the system, initially for use on the Airbus A380, in 2009. The second Airbus product to incorporate BTV will be the Airbus A320 family, which is much more widely used around the world than the A380. However, an A320 BTV system would be more modest, since its flight computer does not incorporate the extensive electronic architecture of the A380.
A flight control mode or flight control law is a computer software algorithm that transforms the movement of the yoke or joystick, made by an aircraft pilot, into movements of the aircraft control surfaces. The control surface movements depend on which of several modes the flight computer is in. In aircraft in which the flight control system is fly-by-wire, the movements the pilot makes to the yoke or joystick in the cockpit, to control the flight, are converted to electronic signals, which are transmitted to the flight control computers that determine how to move each control surface to provide the aircraft movement the pilot ordered.
A rudder travel limiter, or rudder limiter, is a controlling device in an aircraft used to mechanically limit the maximum rudder deflection.
The Maneuvering Characteristics Augmentation System (MCAS) is a flight stabilizing feature developed by Boeing that became notorious for its role in two fatal accidents of the 737 MAX, which killed all 346 passengers and crew on both flights.
Iberia Flight 1456 was a scheduled flight from Barcelona-El Prat Airport, Spain, to Bilbao Airport, Spain. On Wednesday, February 7, 2001, the Airbus A320, which took off from Barcelona-El Prat Airport, Spain, encountered a microburst induced wind shear on final approach to Bilbao Airport, Spain. The wind shear caused the plane's landing gear to collapse. All 143 passengers onboard survived; with 25 people suffering light injuries, and 1 person receiving serious injuries. The aircraft was irreparably damaged as a result of the ordeal and was decommissioned soon after, making it the ninth loss of an Airbus A320 at that time. This accident prompted Airbus to develop a fail safe modification for its flight control software by preventing the airplane's built-in protection against stall from being activated by a high rate of change for the angle of attack.
This page is based on this Wikipedia article Text is available under the CC BY-SA 4.0 license; additional terms may apply. Images, videos and audio are available under their respective licenses.
