Announcement

Collapse
No announcement yet.

Volaris A321 loses both ELACS

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #61
    Originally posted by Gabriel View Post
    - The autoflight and autothrust don't need to give up immediately. At the very least, they can keep the current pitch and thrust (thurst in fact will be kept by the thrust lock feature) while they give the pilots a clear indication of what is happening (a Unerliable Airspeed, take manual control, disconnect AP/AT, keep pitch 5, move throttle off and back to CLB" would be very nice (better than the miryads of ECAM fail messages from which the pilots have to deduce that they have an unreliable airspeed condition) and easy, and the autoflight can wait until pilot action to disangage. A few seconds of that will not hurt, and in any event whatever the current pitch and thrust cannot be worse.
    If you dig back into the AF447 thread I once proposed that the A/P should have a UAS mode that uses current weight and altitude to set pitch and power (doing away with thrust lock). It would present a master warning and a flashing amber mode indication on the FMA. I don't see any reason against this and I think it would eliminate the need for more complex solutions like the AoA system you propose. The plane would remain in autoflight and Normal law and clear the UAS situation in a minute or two.

    I have to wonder why this isn't being done.

    Comment


    • #62
      Originally posted by Gabriel View Post
      I don't consider loss of autoflight a very serious condition. Planes can be released without autopilot. I flew in (at least) one of them. Now, if you tell me that in alternate law you need autoflight for the plane to be safe, then I consider THAT DESIGN PHILOSOPHY an unacceptable condition (unacceptable in the same terms stated above, ok?).
      It's the combination of degraded protections and manual flight that worries me. Two layers of cheese I dearly depend on have been stripped away. AF447 is all the testimony I need that experienced pilots flying for a major flag carrier airline can lose these two layers and create quite a mess. Again and again I have agreed with you that the Airbus philosophy is less safe in such a circumstance. At that point the plane is technically not certifiable. Therefore, any circumstance where a degradation of control law is compounded by a loss of autoflight must be removed if possible.

      Why? Because the plane is no longer flyable and a death machine? No. Because modern aviation safety, which is astoundingly effective, is based upon layers of redundancy. It must be flyable AND fault-tolerant (due to the frequency of accidents being attributed to 'unthinkable' pilot error, I don't think 'fault-passive' goes far enough).

      Comment


      • #63
        Originally posted by Evan View Post
        OK, that's confusing, I admit, and you misinterpreted it. What I meant by 'dispatching with one engine' was based on the hypothesis that this could have been a dispatch with one ELAC and was referring to the low probability of losing the other one. I don't like the idea of dispatching without redundancy for a key flight control system and without redundancy for autoflight based on the unlikelihood of a second failure. The engine analogy was referring to the low probabilty of a second failure.
        Okay, but you can't compare the criticity of losing the second engine vs losing the second ELAC, and that is part of the decision process of what is MELable or not. Risk = exposure * frequency * consequence.

        With one ELAC you might have no backup to keep autoflight operative, but then autoflight itself has a backup, it is called pilot.

        With one engine you have no backup for the production of thrust, and the loss of thrust is not backed up by anything else except excess airspeed (that last seconds) and altitude (that lasts minutes).

        From the effect point of view, losing both ELAC is similar to losing ONE engine: Degraded performance (in each function) and the risk that the pilots screw it up. Losing both engines is much worse, the plane cannot sustain flight. It's hard to find a comparison but if was forced to do it I would compare to loss all control laws and be left with the mechanical backup: If you can't get the equipment back online, something very bad IS going to happen unless you manage the situation perfectly AND all the planets align for you.

        --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
        --- Defend what you say with arguments, not by imposing your credentials ---

        Comment


        • #64
          Originally posted by Evan View Post
          If you dig back into the AF447 thread I once proposed that the A/P should have a UAS mode that uses current weight and altitude to set pitch and power (doing away with thrust lock). It would present a master warning and a flashing amber mode indication on the FMA. I don't see any reason against this.
          That's my point.

          I think it would eliminate the need for more complex solutions like the AoA system you propose.
          I didn't propose that. I proposed that the AP flies pitch and the AT flies thrust. They can look up the values in the tables faster, more accurately, and more reliably than the pilots. The AoA vanes would be used only for degraded AoA envelope protection in the style of the slow speed envelope protection of the (NOT abnormal) alternate law.

          The plane would remain in autoflight and Normal law and clear the UAS situation in a minute or two.
          Probably it cannot remain in normal law without speed/Mach information, but ok, it can remain in alternate law. The autoflight would be available in this special UAS mode. The pilots may choose to disconnect it though.

          I have to wonder why this isn't being done.
          That's my point. I have to wonder why the authorities didn't require something like that. And there it comes my moderate "unacceptable".

          --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
          --- Defend what you say with arguments, not by imposing your credentials ---

          Comment


          • #65
            Originally posted by Gabriel View Post
            Okay, but you can't compare the criticity of losing the second engine vs losing the second ELAC
            Again, of course I'm not doing that. Forget the engine analogy, which was yours in the first place. It's just adding confusion. Let's just keep this apples to apples.

            With one ELAC you might have no backup to keep autoflight operative, but then autoflight itself has a backup, it is called pilot.
            A pilot can be a back-up or a fuck-up, as we have seen. It's not enough without that tactile feedback.

            Comment


            • #66
              Originally posted by Evan View Post
              It's the combination of degraded protections and manual flight that worries me. Two layers of cheese I dearly depend on have been stripped away. AF447 is all the testimony I need that experienced pilots flying for a major flag carrier airline can lose these two layers and create quite a mess. Again and again I have agreed with you that the Airbus philosophy is less safe in such a circumstance. At that point the plane is technically not certifiable. Therefore, any circumstance where a degradation of control law is compounded by a loss of autoflight must be removed if possible.

              Why? Because the plane is no longer flyable and a death machine? No. Because modern aviation safety, which is astoundingly effective, is based upon layers of redundancy. It must be flyable AND fault-tolerant (due to the frequency of accidents being attributed to 'unthinkable' pilot error, I don't think 'fault-passive' goes far enough).
              The plane should be "safe enough" in manual flight. If it's not, remove these conditions. I don't like a condition that is safe only if autoflight is available. Not until we get rid of the pilots altogether.

              --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
              --- Defend what you say with arguments, not by imposing your credentials ---

              Comment


              • #67
                Originally posted by Evan View Post
                A pilot can be a back-up or a fuck-up, as we have seen. It's not enough without that tactile feedback.
                If (IF) that's the case, what we do?

                a) Ensure that there is no foreseeable situation that is unsafe for manual flight.

                b) Ensure that there are no foreseeable situation where the AP or AT becomes unavailable simultaneously with the loss of protections, AND then we inhibit the AP/AT disconnect switch for any situation where protections are lost.

                You know what my answer will be.

                --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                --- Defend what you say with arguments, not by imposing your credentials ---

                Comment


                • #68
                  Originally posted by Evan View Post
                  Forget the engine analogy
                  What analogy?

                  --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                  --- Defend what you say with arguments, not by imposing your credentials ---

                  Comment


                  • #69
                    Originally posted by Gabriel View Post
                    That's my point. I have to wonder why the authorities didn't require something like that. And there it comes my moderate "unacceptable".
                    I think, back in the 80's, it was considered more prudent to hand everything over to the crew and expect them to use CRM and procedure as well as basic airmanship. Avionics could only be trusted when they had good air data. Pilots could be trusted when they didn't.

                    Now we know that isn't universally true. Basically, the autopilot needs to know two things to keep the a/c in the envelope: altitude and weight. It also knows the power and pitch settings at the moment of UAS. It knows if the engines are throttled back for a penetration speed target. It knows the 'virtual' throttle lever angle. It knows ground speed. I see no reason to disconnect. It just has to alert the crew to the situation and they simply need to monitor and work any QRH procedures and ECAM. It can't depart level flight until the sppeds come back. If they don't (has this ever happened?), the crew would have to take it offline. Then it would be in Alternate Law. If speeds come back as usual, the mode reverts to the previous flight mode and FCU settings and manual control is available in Normal law.

                    What am I missing?

                    Comment


                    • #70
                      Originally posted by Gabriel View Post
                      AND then we inhibit the AP/AT disconnect switch for any situation where protections are lost.

                      You know what my answer will be.
                      No, you go too far with what I'm saying. There's a big difference between a crew electing to fly manually and a crew having to fly manually. The crew should be trained in these circumstances to always maintain autoflight when possible (already a requirement in RVSM). If they don't like what it's doing, they can always go off it.

                      I do concur however that any scenario whereby the loss of protections is compounded by the unavailability of autoflight must be eliminated if possible. UAS is a tough one but the above ideas on a UAS AP mode I think are a possible solution. Multiple hydraulic failures, slat track issues... I'm not sure how these things could be circumnavigated, but I bet they could. And concerning this thread, eliminate any common failure conditions for the flight control computers.

                      Comment


                      • #71
                        One other thought... Add to this UAS A/P mode a means for gauging approximate airspeed using two of the spoiler panels... Basically install modified actuators on these panels that can determine the exact pressure needed to maintain them raised by 1" (and thus air resistance). Combine this with the static air data and precalculated expectations to determine if the a/c is safely within the speed envelope or is trending to the high or low side. I don't know if such a system could determine accurate airspeed because the ice crystal presence is still a factor of that pressure, but in an age where my iPhone motion sensor can tell me how well I'm sleeping, I think sensor technology can be very good at determining air pressure by 'feel' and calculation.

                        Comment


                        • #72
                          Originally posted by Evan View Post
                          No, you go too far with what I'm saying. There's a big difference between a crew electing to fly manually and a crew having to fly manually.
                          Point made.

                          --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                          --- Defend what you say with arguments, not by imposing your credentials ---

                          Comment


                          • #73
                            Originally posted by Evan View Post
                            I think, back in the 80's, it was considered more prudent to hand everything over to the crew and expect them to use CRM and procedure as well as basic airmanship. Avionics could only be trusted when they had good air data. Pilots could be trusted when they didn't.

                            Now we know that isn't universally true. Basically, the autopilot needs to know two things to keep the a/c in the envelope: altitude and weight. It also knows the power and pitch settings at the moment of UAS. It knows if the engines are throttled back for a penetration speed target. It knows the 'virtual' throttle lever angle. It knows ground speed. I see no reason to disconnect. It just has to alert the crew to the situation and they simply need to monitor and work any QRH procedures and ECAM. It can't depart level flight until the sppeds come back. If they don't (has this ever happened?), the crew would have to take it offline. Then it would be in Alternate Law. If speeds come back as usual, the mode reverts to the previous flight mode and FCU settings and manual control is available in Normal law.

                            What am I missing?
                            Nothing, almost (I think).

                            Longitudinal motion wise (that is control of speed, pitch, AoA, altitude, vertical speed), alternate law (abnormal or not) is identical to normal law except for the envelope protections. I don't think that these envelope protections can remain in place if you lose airspeed information. So the autoflight would not need to disengage but the control law would still need to revert to alternate, until reliable speed data is recovered.

                            --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                            --- Defend what you say with arguments, not by imposing your credentials ---

                            Comment


                            • #74
                              Originally posted by Evan View Post
                              One other thought... Add to this UAS A/P mode a means for gauging approximate airspeed using two of the spoiler panels... Basically install modified actuators on these panels that can determine the exact pressure needed to maintain them raised by 1" (and thus air resistance). Combine this with the static air data and precalculated expectations to determine if the a/c is safely within the speed envelope or is trending to the high or low side. I don't know if such a system could determine accurate airspeed because the ice crystal presence is still a factor of that pressure, but in an age where my iPhone motion sensor can tell me how well I'm sleeping, I think sensor technology can be very good at determining air pressure by 'feel' and calculation.
                              That is creative and clever to say the least!!!!

                              I don't know if it would work in practice, but it would be worth to analyze.

                              Some time back I had a similar thought. In my version the AP would apply a given roll command and measure the plane response (for example the time it takes to achieve 10 degrees of bank). But I found your proposal better.

                              --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                              --- Defend what you say with arguments, not by imposing your credentials ---

                              Comment


                              • #75
                                Originally posted by Gabriel View Post
                                Nothing, almost (I think).

                                Longitudinal motion wise (that is control of speed, pitch, AoA, altitude, vertical speed), alternate law (abnormal or not) is identical to normal law except for the envelope protections. I don't think that these envelope protections can remain in place if you lose airspeed information. So the autoflight would not need to disengage but the control law would still need to revert to alternate, until reliable speed data is recovered.
                                Well, as I said, yes, if the crew needed to take over it would then be in Alternate law, but the difference in control law is irrelevant to autoflight. If the autoflight can get along in an UAS mode until the speeds return there is no reason to degrade from Normal law. In other words, the mode reversion should only occur if the autoflight is disconnected before the speeds return to agreement.

                                Comment

                                Working...
                                X