
POLITECNICO DI TORINO
DIMEAS – Dipartimento di Ingegneria Meccanica ed Aerospaziale (Department of Mechanical and Aerospace Engineering)

Thesis submitted for the Master of Science in Aerospace Engineering

Enhanced Stall Warning design and integration in the Airbus A320 family Auto Flight System

Master thesis

Supervisors:
Manuela BATTIPEDE, Politecnico di Torino
Germain SABOT, AKKA Technologies

Candidate:
Federico MASTROPASQUA

Academic Year 2019/2020


Vertigo is not the fear of falling, but the desire to fly.

Lorenzo Cherubini


Abstract

The Auto Flight System (AFS) is the Airbus avionics system in charge of managing and guiding the aircraft during automatic flight. The AFS has not replaced the human operators; it assists them in controlling the aircraft, allowing the crew to focus on broader aspects of the operation, such as monitoring the trajectory and the weather and managing the other systems. Automatic flight supports the pilots in keeping the aircraft within the flight envelope, enhancing safety, optimising performance (fuel consumption), reducing the pilot workload and decreasing costs. This master thesis illustrates how a very topical function is designed and implemented in the Auto Flight System, so as to deliver to the airlines aircraft that meet higher standards of safety and reliability.

As an external member of the Airbus Design Office, the activities of this master thesis focused on the development of the Enhanced Stall Warning (ESW) function. Airbus started improving its legacy stall warning system with feasibility studies after the catastrophic accident of flight AF447 on 1 June 2009, which involved an A330-203 and caused the loss of the aircraft and of all 228 occupants.

By translating the high-level aircraft requirements into low-level system requirements, the implementation of the Enhanced Stall Warning produced a system that is more robust, reliable and available than the legacy version flying on the in-service Airbus aircraft. The improvements come from the recent UAMM (Unreliable Airspeed Mitigation Mean) update and from the fact that the new stall warning considers both ADC and IRS angles of attack and speeds to trigger the aural stall warning and the associated message. The warning is raised only when the stall condition is reliably established, which avoids spurious alarms and misreadings. Cross-check monitoring consolidates the function's data from several sources, avoiding false autopilot disconnections. The project belongs to a wider effort aiming to extend the autopilot authority even in case of multiple failures.

Further evolutions of the function are also considered in this thesis, up to the introduction in the cockpit of a new pilot interface allowing the crew to monitor the aircraft attitude in every situation and to display the aircraft margin from the aerodynamic stall.

Stalling is today one of the most topical issues in civil aviation after the two Boeing 737 MAX 8 crashes of the last year (Lion Air Flight 610 and Ethiopian Airlines Flight 302), which killed more than 340 people. This subject motivated the choice of the theme to investigate and of the system to improve. The final chapter of this thesis is entirely dedicated to the Boeing case study, analysed through Reason's model (the Swiss cheese model of accident causation), which explains how the whole Boeing 737 MAX 8/9 fleet came to be grounded from March 2019 after the two catastrophic accidents of October 2018 and March 2019. Some considerations are made, and some advice and preventive measures to improve flight safety are given, drawn from what was learned during this experience.


Preamble

The stall is one of the most dangerous situations a pilot can experience in flight. Its seriousness is due not only to the aircraft being difficult to control, and to the risk of losing it if the stall is not recovered within a short time, but also to the fact that, even for a qualified pilot, the stall circumstances are not easy to recognise, so the recovery actions are not taken in time. The handbook procedure for recovering an aircraft from a stall requires manoeuvres that are not instinctive and that are very difficult to perform in an emergency. The stall must be recognised as soon as it occurs, and the anti-stall procedure must be followed immediately to bring the aircraft back to a stable attitude.

Nowadays this topic is at the centre of the commercial aviation world, after the Boeing 737 MAX 8/9 were grounded following the two catastrophic accidents of October 2018 (Lion Air Flight 610) and March 2019 (Ethiopian Airlines Flight 302). This subject motivated the choice of the theme to investigate and of the system to improve.

Airbus, like its direct competitor Boeing, was already developing an enhanced stall warning system that does not suffer from the Boeing issues but covers the same field of application. Boeing's solution is always active and works to correct an airframe issue and to improve the aircraft's dynamic stability (see the Boeing case study chapter). Airbus aircraft, on the other hand, are already dynamically stable and protected in normal law, which prevents them from reaching stall conditions; consequently, the Stall Warning function matters only in alternate law, when some of the protections are lost and the aircraft can reach the limits of the flight envelope.

At the same time, Airbus is working on a project to enhance the availability of the autopilot (EAPA, Enhanced Auto Pilot Availability) even in degraded situations, in order to minimise the potential for accidents due to human error in cases where, at present, the autopilot would disengage and the pilots would have to take manual control of the aircraft. According to the Federal Aviation Administration (FAA), human error causes more than 88% of general aviation accidents, in commercial airline crashes as well as in general aviation accidents, and the most common human error is loss of control in flight [1]. Since today's computers are far more capable and reliable than the machines of the 1980s, the idea of enhancing the role of the autopilot emerged, providing a network of redundancies and backup computations as described in the rest of this thesis.

The implementation of the Airbus Enhanced Stall Warning function answers a BEA/FAA request that followed the accident of flight AF447 from Rio de Janeiro to Paris, in which the aircraft, passengers and crew were all lost. As a result of the accident analysis and investigation, Airbus, involved because the flight was performed by an A330-203, put into practice measures to enhance the autopilot availability even in alternate law. The SBS (Safety Beyond Standard) project fits within this framework: it aims to provide computing and functional backups in case the primary computers devoted to a function fail. The main key points of this programme are the following.

Enhanced Auto Pilot Availability (EAPA) aims to allow autopilot engagement even in case of multiple failures. With this improvement, the aircraft can fly with the autopilot engaged even when both FACs are lost. As an example, within the Enhanced Stall Warning framework, the characteristic backup speeds are computed by the FMGC when both FACs are lost, and the flap/slat information, which in nominal conditions is provided by the FAC through the SFCC, is acquired from the FWC through the IPPU (not on the current Single Aisle family aircraft). Moreover, the backup stall warning computation is carried out by the FWC, so that the stall warning function remains available even when both FACs are lost. Other features are going to be implemented in the backup mode to allow AP engagement in the FAC-loss event (fault-tolerance approach).

The Unreliable Airspeed Mitigation Mean (UAMM) is a function that provides numeric backup speeds. It is associated with specific monitorings that flag erroneous speeds and provide enhanced warnings in unreliable airspeed situations. The function also provides an estimation of the angles of attack.

The Enhanced Stall Warning (ESW) function, described later in more detail, is made possible by the UAMM monitoring.

The Enhanced Stall Warning function has been implemented in the Auto Flight System of the Single Aisle family (A318 / A319 / A320 / A321 / A319NEO / A320NEO / A321NEO), in the FMGC and FAC computers. The FAC is the primary computer for this purpose, and the FWC takes over the backup stall warning computation when the FAC is out of order. The FMGC, which in normal operation is only responsible for disengaging the autopilot when the FAC sends the request to activate the stall alarm, takes over the computation of the characteristic backup speeds when both FACs are lost. In this way the pilots can still see the limits of the flight envelope and understand when they are approaching stall conditions. The Enhanced Stall Warning uses the UAMM monitoring to qualify the reliable angles of attack, and it considers both ADC and IRS sources to compute the angle of attack that is compared with the stall warning threshold before the alarm is sent. Besides, a speed-based stall warning ensures that the function keeps working even if all the AOA sources are lost or unreliable (at system level, too, the system is triply redundant).

Flight AF447 from Rio de Janeiro to Paris, operated by an Airbus A330-203, is the accident that triggered the Safety Beyond Standard project and consequently the ESW development. The aircraft took off on 31 May 2009 and was lost in the early hours of 1 June 2009 (UTC). Three and a half hours after take-off, the aircraft was flying over the ocean; HF communication had been established, but the attempt to establish an ADS-C connection failed. The aircraft entered a slightly turbulent zone and could not climb to FL 370 because of the weather conditions. A few minutes later, while crossing a zone of turbulence, all three Pitot probes iced up even though the anti-ice system was on. The aircraft lost its speed information, the autopilot and auto-thrust disengaged, and the crew took manual control. Without speed data, the pilots did not correctly assess the attitude and altitude of the aircraft, and they made inappropriate inputs while trying to recover control and escape the stall. About four minutes after the autopilot disconnection, the A330 crashed into the Atlantic Ocean with 216 passengers and 12 crew members on board.
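The reconfiguration logic that the abstract and the preamble describe (consolidating the ADC and IRS angles of attack with a cross-check before any warning is raised, degrading to a speed-based warning when every AOA source is lost or unreliable, and moving the computation from the FAC to the FWC when both FACs are lost) can be illustrated with a small model. The following is an added example written for this page; it is not code from the thesis, from Airbus or from the Simulink model mentioned in the figure list. The source names, the agreement tolerance, the stall-warning threshold and the speed margin are assumptions chosen for the illustration, and the scenarios at the bottom are constructed, not flight data.

```python
"""Illustrative model of ESW angle-of-attack consolidation and fallback.

Added example for this page, not Airbus or thesis code. Every numeric limit
below is an assumed value picked for the illustration, not from the thesis.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional

AOA_AGREE_TOL_DEG = 2.0   # assumed: max deviation from the median to count as agreeing
ALPHA_SW_DEG = 12.0       # assumed: constant stall-warning AOA threshold
SPEED_SW_MARGIN = 1.05    # assumed: speed-based fallback warns below 1.05 * VS1g
MIN_AGREEING = 2          # assumed: at least two agreeing sources to trust an alpha


@dataclass(frozen=True)
class AoaSource:
    """One angle-of-attack input (ADR vane or IRS estimate) as seen by the computer."""
    name: str
    value: Optional[float]   # None models a lost or non-computed label
    valid: bool = True       # validity flag delivered with the label


def consolidate_aoa(sources):
    """Cross-check monitoring: pick a reference alpha from the sources that agree.

    Returns (alpha, names_used); (None, []) when no reliable alpha exists.
    A single outlier (e.g. a frozen vane) is rejected against the median of the
    usable sources; if fewer than MIN_AGREEING sources agree, the result is
    declared unreliable rather than guessed, which is what avoids spurious warnings.
    """
    usable = [s for s in sources if s.valid and s.value is not None]
    if len(usable) < MIN_AGREEING:
        return None, []
    ref = median(s.value for s in usable)
    agreeing = [s for s in usable if abs(s.value - ref) <= AOA_AGREE_TOL_DEG]
    if len(agreeing) < MIN_AGREEING:
        return None, []
    return median(s.value for s in agreeing), [s.name for s in agreeing]


def stall_warning(sources, cas_kt, vs1g_kt, fac1_ok, fac2_ok):
    """Decide which computer hosts the function and whether the warning fires.

    Primary path: alpha-based warning hosted by the FAC. If both FACs are lost
    the backup computation moves to the FWC. If no reliable alpha is available
    the function degrades to a speed-based warning instead of going silent.
    """
    computer = "FAC" if (fac1_ok or fac2_ok) else "FWC"
    alpha, used = consolidate_aoa(sources)
    if alpha is not None:
        return {"computer": computer, "mode": "alpha",
                "sources": used, "warning": alpha >= ALPHA_SW_DEG}
    speed_ok = cas_kt is not None and vs1g_kt is not None
    return {"computer": computer, "mode": "speed", "sources": [],
            "warning": speed_ok and cas_kt < SPEED_SW_MARGIN * vs1g_kt}


# Constructed scenarios (not flight data).
NOMINAL = [AoaSource("ADR1", 8.0), AoaSource("ADR2", 8.3),
           AoaSource("ADR3", 7.9), AoaSource("IRS", 8.1)]
FROZEN_VANE = [AoaSource("ADR1", 14.0), AoaSource("ADR2", 8.0),
               AoaSource("ADR3", 8.2), AoaSource("IRS", 7.9)]
APPROACHING_STALL = [AoaSource("ADR1", 13.0), AoaSource("ADR2", 13.2),
                     AoaSource("ADR3", 12.9), AoaSource("IRS", 13.1)]
ALL_AOA_LOST = [AoaSource("ADR1", None, False), AoaSource("ADR2", None, False),
                AoaSource("ADR3", None, False), AoaSource("IRS", None, False)]
TWO_DISAGREE = [AoaSource("ADR1", 8.0), AoaSource("ADR2", 14.0),
                AoaSource("ADR3", None, False), AoaSource("IRS", None, False)]

if __name__ == "__main__":
    for label, srcs in [("nominal", NOMINAL), ("frozen vane", FROZEN_VANE),
                        ("approaching stall", APPROACHING_STALL),
                        ("all AOA lost, both FACs lost", ALL_AOA_LOST),
                        ("two sources disagree", TWO_DISAGREE)]:
        facs = (False, False) if "FACs lost" in label else (True, True)
        print(label, "->", stall_warning(srcs, 150.0, 140.0, *facs))
```

Running the file prints one decision per scenario. The two cases worth noting are the frozen vane, where the single outlier is rejected and no warning fires, and the pair of disagreeing sources, where the model cannot tell which one is wrong and therefore drops to the speed-based warning rather than trusting either value.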


Acknowledgement

Before going deeper into my master thesis, I would like to spend a page thanking all the people who have followed me during my academic path, and beyond, and who have allowed me to reach this objective today.

I would like to thank my thesis advisor Prof. Manuela Battipede, who approved my project and allowed me to build this bridge between the academic background and the future working environment through the AKKA International Graduate Program, which permitted me to be here in the Airbus Auto Flight System team developing avionics systems. Thanks go to the Politecnico di Torino, which gave me all the knowledge and the methodologies to build a strong future in the aerospace world.

I would also like to thank all my colleagues in France who supported my project and my work, first of all Hector and Germain, who always answered my questions and my doubts about the design and the work at AKKA during these six months. Thank you for your patience and availability. Thanks to my whole team for the support.

A special thanks goes to my parents, Mamma Raffaella and Papà Giuseppe, who more than anyone know how important their presence and support have been throughout this long journey, which began more than five years ago through France and Switzerland. Thanks to their sacrifices, my parents have always respected my choices and allowed me to decide freely every path to take for my future, always giving me their most sincere advice to succeed in this long journey.

No less heartfelt thanks go to my course mates, who have always stood by me and pushed me to give my best during the demanding study sessions. The spirit of complicity that grew during our studies has allowed us to reach the same result today, all together, through continuous mutual support and everyone's willingness to help in the hardest moments: thanks to Alberto, Filippo, Francesco and Enrico.

Thanks also to Toulouse, the city that adopted me during the last two years of my life and welcomed me into an extremely close-knit group, a group that allowed me to grow personally and professionally in this period and never made me feel the distance from home, people ready to help and to listen in every circumstance and on every level. From colleagues they became friends, and from friends travel companions: thanks to Federico, Vincenzo, Caterina, Chiara, Rebecca, Nicolò, Filippo, Elisa and all the others.

I thank all those who, although far away, during this last year and a half have always been at my side, supporting and motivating me through their advice and suggestions, never letting me lack their support and backing from a distance. It would be impossible to name them all, but a big thank you to everyone who has always been there for bringing me this far.


Table of Contents

Abstract
Preamble
Acknowledgement
Table of Contents
Table of illustrations
1 Introduction
1.1 Fly-by-wire conception
1.2 About AKKA Technologies Group
1.2.1 International Graduate Program
2 Airbus design developing process
2.1 System design office activities
2.2 Airbus' process
2.2.1 Experimental Standards
2.2.2 Certified Standards
2.3 Reliability Design
3 Auto Flight System
3.1 Auto Flight System architecture
3.2 Auto Flight System modes
3.3 Introduction to auto-flight control laws
3.3.1 Roll Control – ELAC
3.3.2 Pitch Control
3.3.3 Yaw Control
3.4 Manual way of aircraft controlling
3.5 Flight Management Guidance System
3.6 Flight Augmentation Computer
3.6.1 Yaw Damping
3.6.2 Rudder Travel Limiting Computation
3.6.3 Rudder Trim
3.6.4 Characteristic Speed Calculation
3.7 Interconnection and peripheral interfaces
4 Stall Warning function
4.1 Stall
4.2 Stall pilot reaction – handling qualities
4.3 Stall state-of-the-art
4.3.1 Threshold determination
4.3.2 To increase autopilot availability – EAPA Enhanced Auto Pilot Availability
4.4 Air France AF 447 flight Rio de Janeiro – Paris
4.5 Frozen probes
4.6 Enhanced Stall Warning
4.6.1 Applicability
4.6.2 Constraints and opportunities
4.6.3 ESW operation modes
4.6.4 Enhanced Stall Warning capacity
4.6.5 Angle of attack monitoring and selection
4.6.6 Thresholds computation
4.6.7 Enhanced Stall Warning Activation Request
4.6.8 Failure cases
4.6.9 ESW new interfaces
5 Boeing 737 MAX-8 case study
5.1 Marketing point of view
5.2 Technical issues
5.3 Certification process
6 Conclusions and improvements
6.1 Enhanced Stall Warning improvements and future developments
6.2 Boeing B737 Max-8 conclusions
7 Appendix I – Safety Assessment
7.1 Risk management toolset
8 Appendix II – Characteristic speeds
9 Appendix III – Autopilot engagement
10 Appendix IV – Matlab code
11 Code List
12 References


Table of illustrations

Figure 1: Auto Flight System complexity over the pilot tasks and time constant .................................................... 2

Figure 2: Fly-by-wire command system ............................................................................................................................. 3

Figure 3: AKKA worldwide presence ..................................................................................................................................5

Figure 4: AKKA's numbers in the last 15 years. ................................................................................................................ 6

Figure 5: Design Process Loop ............................................................................................................................................ 10

Figure 6: V-V model diagram illustrates the system development .............................................................................. 11

Figure 7 : System development before first flight. .......................................................................................................... 12

Figure 8: System development during flight tests. ......................................................................................................... 13

Figure 9: Experimental Process .......................................................................................................................................... 15

Figure 10: Reliability Design Diagram ............................................................................................................................... 18

Figure 11: Architecture of primary and secondary flight control computers ........................................................... 20

Figure 12: AFS Architecture ................................................................................................................................................. 21

Figure 13: Auto Flight System function architecture .................................................................................................... 24

Figure 14: Auto Flight System Operation Modes.. ........................................................................................................ 26

Figure 15: Auto Flight System operational schema ....................................................................................................... 27

Figure 16: Autopilot control loops..................................................................................................................................... 28

Figure 17: Thrust Control Laws breakdown ................................................................................................................... 30

Figure 18: Lateral Control Laws breakdown ................................................................................................................... 31

Figure 19: Elevators Computer ........................................................................................................................................... 32

Figure 20: Vertical Control Laws breakdown .................................................................................................................33

Figure 21: Yaw control ......................................................................................................................................................... 34

Figure 22: FMGC architecture in Dual Mode ................................................................................................................ 36

Figure 23: FMGC architecture in Independent Mode .................................................................................................. 36

Figure 24: FMGC architecture in Single Mode ............................................................................................................... 37

Figure 25: FAC component layout .................................................................................................................................... 39

Figure 26: Maximum Rudder Deflection. ........................................................................................................................ 42

Figure 27: General architecture of speed computation in FAC .................................................................................. 44

Page 11: POLITECNICO DI TORINO · the backup mode in such a way to allow the AP engagement even in the FAC loss event (fault tolerance approach). The Unreliable Airspeed Mitigation Mean (UAMM):

Table of illustrations Federico Mastropasqua

X

Figure 28: Speed computation using FM weight and CG calculation in FAC, p. 44

Figure 29: Cockpit computer communication, p. 46

Figure 30: Aerodynamic polar diagram and corresponding speed values, p. 49

Figure 31: Different aircraft behaviour in climb regarding the flight control law, p. 50

Figure 32: Aircraft climb in normal law, p. 50

Figure 33: Mach effect on aerodynamic polar, p. 52

Figure 34: Audio SW sources contribution in Legacy logic, p. 56

Figure 35: Flight Envelope, p. 57

Figure 36: Telemetry of the flight AF 447, p. 60

Figure 37: Architecture of the interface between ADR and on-board computer, p. 61

Figure 38: Position of the Pitot probes on the Airbus A330, p. 62

Figure 39: Flight parameters elaboration path by the ADIRS computers, p. 63

Figure 40: Drop effect in static pressure and vertical speed measurement, p. 64

Figure 41: ESW from the aircraft point of view, p. 66

Figure 42: ESW operating mode and system reconfiguration upon FAC and AOA failures, p. 69

Figure 43: AOA ADR and AOA IRS link reception at FAC, p. 71

Figure 44: UAMM alpha monitoring and alpha reference selection, p. 72

Figure 45: ESW alpha monitoring and ELAC watchdogs, p. 73

Figure 46: Alpha stall warning computation in Normal Law, p. 74

Figure 47: Alpha stall warning computation in Alternate Law, p. 75

Figure 48: Maximum Mach number tendency as function of the altitude, p. 76

Figure 49: Alpha Stall Warning threshold as Mach function, p. 76

Figure 50: Simulink simulation of the Enhanced Stall Warning function, p. 78

Figure 51: ESW functional architecture in FMGC, p. 82

Figure 52: Comparison between the Boeing 737-800 NG and the new Boeing 737 Max 8, p. 86

Figure 53: Forces and torques experienced by an aircraft during a flight, p. 87

Figure 54: The anti-stall system, p. 89

Figure 55: Boeing safety design process, p. 92

Figure 56: Deep stall condition for a T-tail airplane, p. 98

Figure 57: Logical schema of AoA_x checked as RELiable, p. 99


Figure 58: Cost impact on the product life cycle, p. 103

Figure 59: System cost on life cycle, p. 104

Figure 60: Design to safety, p. 106

Figure 61: Thrust over speed for a reaction engine, p. 108

Figure 62: AP engagement logic, p. 110

Figure 63: ESW Capacity: in this simulation the ESW is based on AOA, p. 114

Figure 64: Stall warning triggering, p. 114

Figure 65: ESW Capacity: in this simulation the ESW is based on speed, p. 115

Figure 66: Stall warning triggering, p. 115


1 Introduction

My master thesis treats a topical subject in commercial aviation, and the desire to improve a solution to the stall problem pushed me to discover an Airbus project for the enhancement of this function.

The Enhanced Stall Warning is a function introduced in an experimental standard of the Airbus process, and it is installed in the FMGC and the FAC for the next software releases. The topicality of the subject comes from the fact that the Boeing 737 Max 8 aircraft have been grounded since March 2019, after two catastrophic accidents occurred within six months (October 2018 and March 2019). This event had vast repercussions on Boeing's 2019 budget, beyond the marketing impact. The Airbus function development began following the A330-203 accident in June 2009, when the aircraft was lost after a stall situation that led it to sink into the Atlantic Ocean, following the icing of the three AOA probes, just four minutes after the autopilot disengagement. Afterwards, Airbus carried out feasibility studies to develop more robust and reliable functions, able to provide backup data and additional information from different sources. In this context, UAMM (Unreliable Airspeed Mitigation Mean) is the most impacting function developed to provide backup speed and AOA estimates for use in failure circumstances (explained later), and the Enhanced Stall Warning is one of these updates.

The development of the function is part of a more extensive project, which aims to enlarge the autopilot authority even in alternate law or following some kinds of failures. This project is called EAPA (Enhanced Auto Pilot Availability). Similarly to the tendency in the automotive world, in the aeronautical domain too the autopilot and the protection systems have to be kept engaged even in degraded situations, to minimize the human interventions, which in emergency cases are often not taken with lucidity. The development foresees giving the Auto Flight System and the other automatic on-board systems the data needed to perform nominal and backup computations from different sources, in such a way that the system can reconfigure following failure cases. In this frame, the autopilot will stay engaged longer, facing various issues that are now handled by the pilots.

From an aircraft point of view, the avionic system most impacted by the function implementation is the Auto Flight System. The Auto Flight System is the structure that aims to organize and guide the aircraft during flight (Figure 1); it serves to assist pilots in flying the aircraft. As a matter of fact, at the state of the art, the autopilot stays engaged only if the aircraft is protected in normal law. Beyond the standard flight envelope, the aircraft still has the warning alarms and messages, but it can exceed some protections. The AFS needs to enhance safety, maintaining the aircraft in the safe operational domain even in case of external disturbances and turbulence. One of the aims of the Auto Flight System is optimizing performance at aircraft level, because the system can control the thrust level and the surface deflections automatically to follow or maintain the flight path, dialoguing with the corresponding control computers (ELAC, SEC and FADEC). When the Auto Flight System controls the aircraft, it delivers the optimized values of thrust and surface deflections to minimize flight time and fuel consumption, consequently decreasing maintenance and operating costs, while always limiting the structural loads, which are the most impacting cost in aircraft maintenance. All the orders are distributed so as to obtain the maximum safety and comfort level and the minimum impact on maintenance and fuel consumption. Evidently, all the tasks performed by the Auto Flight System have the objective of reducing the workload on the crew, who can focus on supervising activities while always keeping the capability to override the automatic flight system.

Figure 1: Auto Flight System complexity over the pilot tasks and time constant


1.1 Fly-by-wire conception

Historically, aircraft had traditional flight control systems, made of a web of pulleys and cables or of metal rods and joints. When aircraft became larger, the forces needed to move the surfaces also increased, and it became necessary to provide hydraulic commands, making the control easier at high speeds, when the aerodynamic forces become more significant. In this case, the force needed to move a control surface is provided by hydraulic means. Newer fly-by-wire control systems pull out all that hardware and replace it with software, sensors, actuators and wires (Figure 2). Instead of a direct line of control from the yoke to the control surface, the aircraft is left with a yoke, sensors, a computer processing the inputs, wires, and an actuator at the aileron, rudder or elevator.

Fly-by-wire enables several kinds of assistance to the pilot, and it makes possible the implementation of protections and the control of the flight envelope. It is easy to program envelope protection, to monitor failures and to program system reconfigurations. To avoid the stall situation with fly-by-wire commands, the elevator travel can be digitally limited independently of the yoke: the yoke can move as far as the pilot wants, while the elevator physically comes up only as far as the limit allows. Through software updates, the aircraft response can be improved, and the tuning of a function can also be done after the entry-into-service date: modern aircraft, like our phones, computers and tablets, need to be updated to enhance safety during flight.

Fly-by-wire also allows for some significant weight savings, which translate into more efficient aircraft. The weight saving is obtained because the mechanical links have been replaced with computers and electrical wires. Indirect savings can come from smaller or more efficient control surfaces: because the equipment is flying the aircraft and does not allow anything outside the flight envelope, designers have more freedom to reduce the extensive controls needed for human response.

Figure 2: Fly-by-wire command system
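The digital limiting of the elevator order described above, with the three AOA probes voted before the protection is applied, as an added example in C (not code from the thesis or from Airbus); the thresholds, the two-out-of-three agreement rule and the names `vote_aoa` and `limit_pitch` are all hypothetical.

```c
/* Added example, not part of the thesis: a simplified fly-by-wire pitch-up
 * limiter fed by a two-out-of-three vote of the AOA probes.
 * All thresholds are hypothetical and chosen only for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define ALPHA_PROT_DEG  12.0  /* hypothetical AOA where the protection starts */
#define ALPHA_MAX_DEG   15.0  /* hypothetical AOA that must never be exceeded */
#define AOA_AGREE_DEG    2.0  /* hypothetical maximum gap for two probes to agree */

typedef enum { LAW_NORMAL, LAW_DEGRADED } law_t;

typedef struct {
    double alpha_deg;  /* voted angle of attack, meaningful only when reliable */
    bool   reliable;   /* true when at least two probes agree */
} aoa_vote_t;

typedef struct {
    double elevator_cmd;       /* -1.0 (full nose down) .. +1.0 (full nose up) */
    law_t  law;                /* which law produced the order */
    bool   protection_active;  /* true when the limiter clipped the order */
} pitch_out_t;

static void sort3(double *a, double *b, double *c) {
    double t;
    if (*a > *b) { t = *a; *a = *b; *b = t; }
    if (*b > *c) { t = *b; *b = *c; *c = t; }
    if (*a > *b) { t = *a; *a = *b; *b = t; }
}

/* Two-out-of-three vote: the median is used when it agrees with at least one
 * neighbour. Agreement does not prove correctness (three iced probes can agree
 * on a wrong value), which is why backup sources such as UAMM are needed. */
aoa_vote_t vote_aoa(double p1, double p2, double p3) {
    aoa_vote_t v;
    double a = p1, b = p2, c = p3;
    sort3(&a, &b, &c);
    v.alpha_deg = b;
    v.reliable = (b - a <= AOA_AGREE_DEG) || (c - b <= AOA_AGREE_DEG);
    return v;
}

/* Nose-up authority as a function of AOA: full below ALPHA_PROT, fading
 * linearly to zero at ALPHA_MAX, zero beyond it. Nose-down is never limited. */
static double nose_up_authority(double alpha_deg) {
    if (alpha_deg <= ALPHA_PROT_DEG) return 1.0;
    if (alpha_deg >= ALPHA_MAX_DEG)  return 0.0;
    return (ALPHA_MAX_DEG - alpha_deg) / (ALPHA_MAX_DEG - ALPHA_PROT_DEG);
}

/* Turns the stick order and the three AOA probe readings into an elevator order.
 * With unreliable AOA the protection is dropped (degraded law): the stick order
 * passes through and only the warning path would remain, as the text describes
 * for flight outside normal law. */
pitch_out_t limit_pitch(double stick_cmd, double p1, double p2, double p3) {
    pitch_out_t out;
    aoa_vote_t v = vote_aoa(p1, p2, p3);

    if (stick_cmd >  1.0) stick_cmd =  1.0;   /* saturate the stick input */
    if (stick_cmd < -1.0) stick_cmd = -1.0;

    if (!v.reliable) {
        out.law = LAW_DEGRADED;
        out.elevator_cmd = stick_cmd;
        out.protection_active = false;
        return out;
    }
    out.law = LAW_NORMAL;
    if (stick_cmd <= 0.0) {                   /* nose-down orders always pass */
        out.elevator_cmd = stick_cmd;
        out.protection_active = false;
        return out;
    }
    double limit = nose_up_authority(v.alpha_deg);
    out.protection_active = stick_cmd > limit;
    out.elevator_cmd = out.protection_active ? limit : stick_cmd;
    return out;
}

int main(void) {
    /* Constructed readings: full nose-up stick with the probes at 13.5 degrees. */
    pitch_out_t o = limit_pitch(1.0, 13.5, 13.5, 13.5);
    printf("elevator=%.2f law=%s protection=%d\n", o.elevator_cmd,
           o.law == LAW_NORMAL ? "normal" : "degraded", o.protection_active);
    return 0;
}
```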


Since Airbus developed its aircraft, the idea of an aircraft family covering all market sectors had been in the minds of Roger Béteille and Felix Kracht1 from the beginning of the program. One of the more notable innovations of the A300-600 and A310 had been the replacement of the web of cables and pulleys traditionally used with electrical commands on the secondary flight controls. Béteille wanted to innovate further with the next Airbus aircraft. The introduction of modern digital "fly-by-wire" routed the surface deflections through a computer, which precisely calculates the surface deflections needed to make the aircraft respond as the pilot wishes. Physical and mechanical links, in which the deflections of the flying control surfaces on the wing and tail are driven directly by the pilots' controls, belonged to the conception of the past. The sidestick became the new pilot's control column.

Béteille recalled: "As far as I was concerned there were two elements, one being the market needs, which was for an A320 earlier than an A340; and secondly for the technical reason that, having to make a significant step forward in technology, like fly-by-wire, it was considerably easier and less risky to enter the field with a smaller aircraft than with a big, long-range aircraft. Correcting a mistake is much cheaper, and the accumulation of experience is faster with a smaller, short-range aircraft, which makes many more flights and is used in larger numbers than the long-range. There were some divergent ideas within Airbus, but the final decision to go for the A320 was a smooth one" [2].

The A320's fly-by-wire technology was not only a way of improving flight controls and reducing weight. It enabled Airbus to take safety to a new level by introducing flight envelope protection. Pilots flying the A320 were free to operate it as usual, but the flight envelope protection prevented the aircraft from performing manoeuvres outside its performance limits.

Fly-by-wire also firmly established the concept of commonality, which is so central to the appeal of Airbus aircraft to customers. No matter how one aircraft varies in size or weight from another, fly-by-wire commonality allows the pilot to fly them in the same way, because the computer "drives" the aircraft's flight controls. The fly-by-wire system leads to considerable reductions in the time and costs involved in training pilots and crews to operate them. Pilots experiencing the A380 fly-by-wire say the feedback is the same as on the A320, except for the inertia.

1 They were two of the four Airbus founders in 1969. At its foundation the company was called Airbus Industrie, and in 2002 it became Airbus S.A.S., the company as known today. It is the product of mergers in the European aerospace industry, tracing back to the consolidation in the Airbus Industrie GIE consortium. The other two Airbus initiators were Henri Ziegler and Franz Josef Strauß.


1.2 About AKKA Technologies Group

AKKA Technologies is a French consulting company, a global leader in engineering consulting and Research and Development services. It operates throughout Europe, with a strong presence in France, Germany, Benelux, Italy, Spain and the United Kingdom, as well as in the USA and Canada, Russia, China, India and Japan (Figure 3).

Figure 3: AKKA worldwide presence

AKKA's aim is to accelerate innovation and business performance by anticipating market challenges and responding to them. This is AKKA's trademark and the reason why it has a dedicated division for the research of new technologies and new challenges to propose to clients, with the aim of improving their business plans and technological solutions. AKKA is at the forefront of the digital and connected world, accelerating innovation and time to market for the world's largest industrial groups. Digital transformation is radically altering the design and the very nature of all their products and giving rise to constant changes in user behaviours and technologies. Faced with this challenge, AKKA supports its clients throughout the life cycle of their products, providing them with expertise that covers the entire technological product environment and supporting them in bringing their products to market in different engineering fields, with top clients in all sectors:

Digital: Air France, Bosch, Audi

Automotive: Daimler, BMW, Porsche, Renault, FCA

Aerospace: Airbus, Safran, Thales, Dassault Aviation, Mitsubishi Aircraft Company

Railways: Alstom, Hitachi, Bombardier Transportation

Life science: Global Pharmaceutical Companies, Biotechnological Companies

Energy: General Electric, Total, EDF, Engie

Telecommunications: Nokia, Bouygues Telecom, Orange

Space: ESA, CNES, Thales Alenia Space, Telespazio (joint venture between Thales Alenia Space and Leonardo)

Defence: Thales, Naval Group, Direction Generale de l'armement

AKKA Technologies received in 2019 the title of Top Employer in France, Germany and Belgium, and it recorded a headcount growth of about 35.5% in 2018 with respect to 2017. Among its engineers, at least 76% hold a master's degree, and 33% of the total employees are millennials. These figures highlight AKKA's ambition to grow and to hire highly qualified young engineers in all engineering fields.

"The first half of 2018 reflects the impetus of CLEAR 2022. The strategic plan we launched at the start of the year is boosting our growth momentum and further improving our margins. This, in addition to the launch of The AKKADEMY and our diversification in aerospace with the acquisition of PDS Tech in the United States, has put the Group on track for a new phase of growth, and illustrates our ambition to double in size within five years and capture growth generated by the digital revolution."

Mauro RICCI, AKKA CEO [1]

AKKA provides three different services to its clients, according to their needs:

Work package: the client asks AKKA to develop a solution for one of its needs, and the AKKA consultants work on it in the AKKA office, delivering the results directly to the client.

Expert on demand: the client needs some experts to build a team or to complete its team, and asks AKKA for a qualified expert to fulfil its need.

Research and development: this is the only activity completely external to a client. It is a specific division of AKKA which works on developing technologies from scratch inside AKKA structures. The newly developed products or technologies are finally presented to a potential client to show the innovative capabilities of the company. AKKA research also permits working in a different direction from the traditional one, in order to create and have ready new solutions for the needs of the near future.

Figure 4: AKKA's numbers in the last 15 years. On the left, the AKKA revenues, which are predicted to reach 2.5 Bn€ by 2022. On the right, the number of employees, which with the International Graduate Program AKKAdemy should reach 25000 employees in 2022.

As shown in Figure 4, the number of employees should increase to 25000 in 2022; this result could also be reached thanks to the International Graduate Program that AKKA launched in 2018, The AKKAdemy.


1.2.1 International Graduate Program

The AKKAdemy, as the AKKA international graduate program is called, provides young talents with the opportunity to build a career and acquire a lifelong set of consulting skills. AKKA is the only consulting company which offers a Graduate Program. This allows new engineers to enter the working environment facing the clients' needs and challenges; it is a direct bridge between the academic world and the working environment. In an international and professional environment, the young talents are mentored applying the latest in-class and on-the-job training methods, created to supplement the academic theoretical background with practical experience.

The Graduate Program consists of three steps:

First month in Geneva (Switzerland): during this month the talent can experience workshops giving an exclusive overview of AKKA's sectors of activity, clients and projects. During the month in Geneva, the talents have to develop, in a team, an "innovation project" facing new international challenges, with coaching from business managers on customer relations and project presentations, and training on project management and the Agile and SCRUM frameworks.

Hands-On Project: 12 months in France, Belgium or Germany: working on a real assignment in an environment of high-in-demand technologies, the talents apply their expertise and their consulting skills in a challenging role with AKKA Technologies. They are trained in job-relevant skills and receive continuous mentoring.

Certification: at the end of the year, the AKKAdemy Graduates return to Geneva to share the experience they have gained, and a graduation ceremony attests the successful completion of the International Graduate Engineering Program.

Through this International Graduate Program, I got the opportunity to work and to enter in contact with the aeronautical domain in an internal Airbus project, in the Bureau d'Etudes (Design Office in English). During my activities I collaborated with the Airbus Auto Flight System team to develop and carry out the implementation of the Enhanced Stall Warning function in the Auto Flight System, facing technical responsibilities and program constraints.


2 Airbus design developing process

2.1 System Design Office activities

2.2 Airbus' process

2.2.1 Experimental Standards

2.2.2 Certified Standards

2.3 Reliability Design

2.1 System design office activities

The System Design Office (DO) is the engineering team responsible for the development of new functions or new systems for the Auto Flight System of the Airbus Single Aisle aircraft (A320 family). The department directly receives the new specifications, after an accident analysis and/or a feasibility study, with the main guidelines to be implemented in the system, and delivers the arranged logical schemas to be coded in the embedded computers (FMGC, FAC, FWC, etc.) in order to achieve the needed function. Sometimes it is up to the Design Office to carry out the feasibility study for implementing new features or functions in the Auto Flight architecture. The DO's main activities can be interpreted as a translation from very high-level to low-level requirements, to process the external aircraft inputs (such as the pressure from the Pitot probe or the angles of attack) and compute the data the aircraft needs to perform a flight (e.g. from the weight computation to the flight envelope, or from the Auto Pilot disengagement conditions to the alarm computations).

In this regard, the Squid software, developed specifically by AKKA for Airbus, is used to design the system logics. It is a graphical programming environment for modelling dynamic and logical systems, similar to Simulink by MathWorks. Its primary interface is a graphical block diagramming tool like Simulink. In contrast to the latter, Squid is not an auto-run tool and does not allow launching simulations, which are performed by a separate team directly in the aircraft simulators. The Design Office activities are defined as pre-code because the logical schemas are then sent to the Code Team to actually implement them in the flight control computers in a specific programming language (Ada). During the entire phase of the function conception, some iterative loops are necessary to consider and re-evaluate some architectural choices with the system team, to take into account all the requirements and constraints expected by the different aircraft divisions.

In the conception process, the DO is also in charge of describing in detail the simulation procedures that are carried out by the Laboratory team to check the validity and to test the reliability of the newly implemented function, thus making sure the system fulfils the safety standards and the requested requirements. Following the execution of the simulator sessions, the DO obtains as feedback the simulation test results, to enhance or fix any issues that may have occurred during the assessments at the simulator. This design phase is the function tuning, when the system architecture is already fixed but some gains and constants have to be optimized to enhance the aircraft airworthiness. This is another clear example of the iterative design process.

In case some issues are revealed in the simulation sessions, the Design Office reopens the system conception to ensure the robustness of the developed function. After the Laboratory feedback, if the tests are performed well, it is the Design Office that gives the clearance for flight, through the message "Good for Flight".

At this point the test aircraft is prepared to perform its first flight: the modification takes to the air for the first time. First, the newly implemented system or function is coded into the embedded computers, and then the test aircraft can perform a flight to verify the development. Noticeably, for economic reasons, since it is necessary to arrange an entire flight with pilots and airport slots, the flight is performed to test several functions together, in what is called a standard. During the flight tests or in the simulator sessions, it is possible to force only one function at a time; in this way, if there were a bug, it would be isolated and would not impact other logics and other function tests. Furthermore, at this step of the conception, the system might need revisions by the Design Office in case the pilots' feedback is not positive or they prefer a different aircraft response to some manoeuvres. In this case their needs are discussed with the system and design managers to consider some possible improvements.

From an operational point of view, as can be seen in Figure 5, the Design Office sends the "pre-coded" function to the Code team, to be implemented in the embedded computers in order to run the simulations, or directly to perform the first flight with the new standard coded after receiving the Good for Flight clearance. This process could lead to many errors in the "translation" of the logical schemas into computing code, first because there is no way to run the simulations directly while the system is being designed, and then because, in changing the programming language, some information and details can be lost. All the adjustments before the coding implementation are done through human feedback. This is the reason why in the new Airbus A350 program the logical schemas and the coding fragment are merged, to reduce the iterations and consequently minimize errors and, finally, reduce the financial impact on the design part.


Figure 5: Design Process Loop. The Design Office is responsible for the development of new functions, both hardware and software, and for fixing already existing functions in case of bugs or improvements. In the iterative design loop the DO is in charge of discussing the system feasibility with the System team, and it takes into account the feedback from the Code team and from the Simulation team in order to fix, optimize and tune some function behaviours.

The V-model [2] in Figure 6 represents the function development: starting from the left branch, the functional decomposition of requirements is shown, from aircraft level to computer level, passing through the system layer (by way of example, for our purpose the aircraft level is the A320 family, the system layer is the ATA-22 chapter, Auto Flight System, down to the FMGC and FAC computers). The logical schemas realized in the Design Office are the "pre-code" block, and they are sent to the Code team to be implemented in the simulator computer to validate the design choices. The simulations mark the end of the first V diagram. The second V considers the software and hardware development to implement the function; at the base of the V the implementation/development is shown, and this phase of the conception can take 6 to 8 months. On the right side of the diagram, the test and integration phases are shown, up to the flight tests that mark the end of the conception process. The entire development is a very iterative process, and it can take 2 to 3 years to develop the entire function (from conception to certification by EASA).


Figure 6: The V-V model diagram [3] illustrates the system development. On the left it shows the project definition and the steps to be performed in the function definition in order to implement it in the on-board computers. The two Vs stand for the simulation development and the flight test progress. In fact, the first part of the development needs to prepare the simulation tools to simulate the flight, and then, when the simulation is well accomplished, the function enters the flight test path to verify the software and hardware integrity.

2.2 Airbus’ process

The Airbus design process is described in detail in this paragraph, in order to illustrate the activities carried out during the working period as an Airbus consultant. The documents for the validation of the modification and the technical implementations are treated in detail.

The Airbus procedures allow delegating and differentiating tasks and activities while keeping the focus on program deadlines and milestones. Thanks to this process, Airbus manages to have many consulting companies deal with the technical tasks and responsibilities, while at Airbus headquarters the employees work on the research and development of new functions, in addition to the organization and management of the entire program. Airbus synchronizes the activities and the different teams, which work sequentially in order to deliver updated software to airlines on time with respect to the latest certified standards.

The system design office takes into account all the modifications concerning the Auto Flight System, both for the already flying aircraft and for the development of new experimental functions to be integrated in future aircraft software. Every change aims to enhance and improve the already existing embedded functions, or to fix and tune some gains, constants and variables, ensuring respect of the highest level of safety required by the certification authority. On the other hand, some experimental standards are also designed and tested from scratch to broaden the aircraft functionalities towards a more autonomous flight, where the autopilot presence is getting wider and wider.


Once the modifications are designed, they have to be simulated and tested in the experimental branch. Once the standard has performed a certain number of flights without any issue, it enters the certified branch, where it obtains the authorization from the certifying entity (EASA); then it can finally be sold to the airlines and become profitable for the aircraft manufacturer².

The simulation sessions of every aircraft component (structural, aerodynamic or avionic parts) start from a linear system model at the beginning of the program. This simplification is made to run the simulation faster, only to check and verify that the global behaviour meets the basic recommendations/requirements. Little by little the model complexity grows until it simulates the entire prototype, Figure 7. The most important constraints to be fulfilled in the Auto Flight System architecture are:

• Actuator constraints: in terms of response time and maximum load. They dictate the trade-off between strength/effort and performance (flight control commands).

• Architectural constraints: what the function needs to perform its tasks and what the computer can compute (system design).

• Pilot and test engineer constraints: they determine the aircraft behaviour in terms of performance and flying comfort/safety (flight control laws).

During the simulation sessions many design parameters or law structures have to be fixed in order to respect every constraint; this is the tuning part of the function design: the structure design is frozen, but the tuning of the parameters still has to be performed to optimize the aircraft behaviour to what the pilots and the specifications ask.

Figure 7: System development before first flight. The process ends when the complete aircraft model and the linear simulations reach convergence. [4]

² For information, the described process is not a general process but the Airbus procedure to conceive and implement a new function in the Auto Flight System. Another system, concerning a different ATA chapter, may have different standard procedures.


The avionic system remains developable also during the flight tests, Figure 8, where the pilots’ feedback and the flight experience can check the effective aircraft behaviour. As an example, during the A320NEO flight tests to enhance the flight envelope, after the simulation sessions, the pilots’ feedback judged the aircraft reaction too heavy: having a wider flight envelope, the aircraft could experience more extreme manoeuvres, which are considered uncomfortable for the cabin passengers. After all the possible function tuning, the aircraft could still reach up to 70° of roll angle; this was considered too uncomfortable for the passengers, and so the whole designed function was dropped before entering the certified branch.

Figure 8: System development during flight tests. The iterative process considers the pilots’ feedback to tune the flight laws and the function gains to optimize the aircraft behaviour.

In order to create a modification in the Auto Flight System, the embedded computer logics (for this purpose, FAC and FMGC) need to be updated and adjusted. Each coded logical schema in the AFS computers is presented in a formal document, the Joint Technical Event (JTE), where the modification or correction of the current design is described in terms of:

• Logical schemas: this is the most important and most technical part of the modification; here the function evolutions can be seen with respect to the current design. The logics are modified using specific software and are presented as drawing boards (SAO sheets), then translated into ADA code³ to be implemented in the aircraft embedded computers, in order to be tested in the simulator environment and later in the flight tests. The SAO sheets contain the technical explanation of every function the computer can perform, at a very low-level syntax. They explain the operational logic of how every function works, which variables it treats and how it handles the inputs to elaborate every computer output.

³ Thales implemented the auto-code generator in ADA; the tool takes an XML file and produces source code for an embedded avionics system. The development process for the auto-code generator has been performed according to the European Aviation Safety Agency (EASA) Tool Qualification Considerations standard, and the tool has been qualified for the avionics project at tool qualification level TQL-2. ADA is an internationally standardized (ISO) programming language designed for long-lived, high-reliability, embedded real-time systems, embodying sound software engineering features for both sequential and concurrent applications while also providing facilities for low-level programming. The most recent version of the language, ADA 2012, includes features for contract-based programming (such as subprogram pre- and post-conditions) that embed low-level requirements in the source code, where they can be verified either dynamically with run-time checks or at compile time with appropriate tool support. [24]

• New or modified interfaces: if a new function requires an additional interface, or a modification to an existing one, a new interface is added, removed or simply modified. This hardware modification has impacts on the SERs (Specification Evolution Requests). By interface is meant every connection between embedded computers for data exchange, and also every exchange within the same computer from the Command to the Monitor part.

• Formal description using an Airbus tool, where the entire function evolution is traced from the kick-off that marks the beginning of the function development. The document follows the function, describing all its evolution and development from the event that marks its beginning to the flight tests done to validate the design.

2.2.1 Experimental Standards

The experimental standards include every immature function under development. Following an issue observed during a flight and recorded in the Digital Flight Data Recorder (DFDR), or after an accident investigation, some preventive actions are taken by the aircraft manufacturer in order to improve the safety standard. Some functions are developed by Airbus not as the result of an accident or of an issue that came out in a flight, but simply as improvements of the flight envelope, in the global view of making the autopilot influence wider and wider.

The experimental branch starts with the Joint Technical Event, as described before; when some modifications belonging to the same domain of application are designed, they pass to the simulator to be verified, and this set corresponds to the standard. The full standard to be tested at the same time is part of the JCRI (Joint Change Request Internal), Figure 9.

The JCRI includes the associated JTEs (including the logic schemas and the modified interfaces) and the ADIS, the software test bits that allow activating single bits to simulate only one function at a time during the test sessions, and to create different software configurations by forcing some design decisions. In this way, even if different functions are part of the same standard, the ADIS permit verifying the functioning of every function separately. The ADIS are available also during the flight tests or at the test bench, where the test engineer is responsible for activating the single function in certain phases of the validation flight.

In order to validate the coded experimental standard, the JCRI document is sent to the Code Team for function implementation in the simulator computers (FMGC and FAC); at the same time the PGE (Programme d’Essais, Test Program in English) is received by the Labo Team. The PGE is the document that authorizes the tests of the new specifications. For each JTE, the Design Office prescribes the test procedure and the scope of the test to be followed in order to validate the function design.


Figure 9: Experimental process to develop system design: in the orange boxes, the multidisciplinary meetings to converge on the design decisions.

2.2.2 Certified Standards

Once the standards pass the planned flights in the experimental branch, they enter the certified path in order to obtain the certification from EASA at the end of the validation process. When the standard is finally certified, it can be sold to the airlines to improve safety specifications. The process is very similar to the experimental one, except for the documents sent to approve the design and the modifications. During the process the flying standard obtains different labels (blue, red and finally black), indicating the maturity level of the standard:

• The blue label is the coded standard in the simulator. It is the first version of the certified software.

• The red label is the first software version to fly. After all the tunings during the simulation sessions, the software receives the authorization “Good for Flight”.

• The black label is the final version of the standard: the software has passed all the flight tests and has obtained the certification from EASA. It is ready to be installed on the airlines’ aircraft.

In the certified path, the document that attests the modification is the Joint Change Request (JCR); it consolidates all the associated JTEs, SAO sheets and SERs.


As in the experimental path, a Programme d’Essais is delivered to test every JTE modification; in the certified standard the LTR tests the certified Thales specifications. In this document there is no need to test every single function as in the PGE: the system is tested in its entirety, for how it works at the aircraft level.

At the end of the process, the Description of Evolutions, describing all the modifications introduced for the certified standard by Thales, and the V&V Summary, summarizing all the verification & validation activities performed for the certified standard by Thales, are delivered to EASA to close the standard development.

2.3 Reliability Design

Reliability Design, Figure 10, is a part of the system development process which has to be considered in the design part of the system/function/product in a general sense. Reliability Design means establishing the system reliability requirements to be respected in the design process. In the Airbus process, it is the Function Team that draws up the high-level requirements; these are then translated into low-level requirements and system requirements, which must be respected in the design phase. Once the requirements are set, the system is designed and a first reliability evaluation is made; this is the first iterative part of the design process, because if some requirements are not met by the design, some design modifications must be taken into account.

Design is fundamentally a “top-down” process. It is necessary to start from the value of the characteristic at system level and then to break down this value into sub-values allocated to system components or parts, in a process called “system requirements allocation”.

All methods to allocate requirements to the lower levels of the system decomposition are based on experience. Starting from an existing system for which reliability data are available, the requirements are:

• Allocated to sub-level items according to the percentage each item has in the existing system.

• Allocated to sub-level items using the same value each item has in the existing system, adding a corrective coefficient (to take into account the differences between the two systems).

Concerning the design part, different approaches to the problem can be suggested:

• Fault avoidance: according to it, the product has to ensure that no failure occurs during its in-service life. Replacing “avoidance” with “minimisation” is more correct: “minimise the probability of failures”. This “philosophy” is expensive for the program and is often rejected. The minimisation of the probability of failure can be reached by:

o Providing generous design margins in specific areas within which a failure can be accepted.

o Selecting proven, high-quality parts.

o Inspecting the system under production (checking system components, or functions in the case of software development).

o Making acceptance tests on 100% of the components and systems.

o Keeping records to document compliance.


• Fault tolerance: this is another approach to the reliability design methodology. According to it, the design has to make the system capable of functioning even in case of failure. This concept is easily applicable in all the systems in which creating redundancy is not expensive. If something (some components, some sensors, some computers) does not work, a backup function comes into operation. In this context, the system has to be provided with an intelligent capacity to monitor itself, to find the failure and to reconfigure itself. This solution impacts the cost of the system and, in some cases, also its weight, in terms of wires, sensors and computers in backup operation. This approach does not foresee that the whole system is redundant, but only the cardinal sub-systems. This is the solution Airbus adopts in the software development. As a matter of fact, in the Enhanced Stall Warning chapter, reference is made to the redundancy check and alternate solutions that provide the system with an adequate level of reliability even when facing several malfunctions.

Functional redundancy is the design approach in which, even considering a performance degradation of the system, there is no increase of weight. This design is accomplished by installing on board components able to perform their own tasks and also other activities in particular circumstances. This is the approach that Airbus follows with the Flight Control Computers, which are capable of performing several functions. In the nominal case, the primary computer takes charge of its function, but in case of failure the backup computer, which in nominal operation processes other calculations, is responsible for the backup procedures in degraded cases. Therefore, even in a degraded way, the function is at least assured, although in a reduced status. This permits having the autopilot still engaged even in a degraded situation.


Figure 10: Reliability Design Diagram


3 Auto Flight System

3.1 Auto Flight System architecture

3.2 Auto Flight System modes

3.3 Introduction to auto-flight control laws

3.3.1 Roll Control –ELAC

3.3.2 Pitch Control

3.3.2.1 Trimmable Horizontal Stabilizer

3.3.3 Yaw Control

3.4 Manual way of aircraft controlling

3.5 Flight Management Guidance System

3.6 Flight Augmentation Computer

3.6.1 Yaw damping

3.6.2 Rudder Travel Limiting computation

3.6.3 Rudder Trim

3.6.4 Characteristic Speed computation

3.7 Interconnection and peripherals interfaces

The A320, introduced in 1987, was the first aircraft flying with the primary flight controls powered by electric commands, with the mechanical links only as backup⁴.

⁴ For completeness, the A380 was the first aircraft that could fly safely even in case of complete loss of the hydraulic means, thanks to the electro-hydraulic servo actuators backed up by mechanical means.


The Airbus A320 flight controls are divided into primary and secondary flight controls. Both the primary and the secondary flight controls are controlled by a total of 7 computers, Figure 11:

• Two ELAC (Elevator Aileron Computer)

• Three SEC (Spoiler and Elevator Computer)

• Two FAC (Flight Augmentation Computer)

Figure 11: Architecture of primary and secondary flight control computers

The Primary Flight Controls fitted on the aircraft are controlled by sidestick or by Flight Control Unit inputs, which are processed by the Elevator Aileron Computer (ELAC), the Spoiler Elevator Computer (SEC) and the Flight Augmentation Computer (FAC), depending on which manoeuvre has been requested. When the primary flight controls of the Airbus A320 are operated, electrical signals from the sidestick or from the Flight Management and Guidance System (FMGS) are sent to the Flight Control Computers and then passed to the flight control hydraulic actuators, which calibrate the force needed to perform the correct surface movement.

3.1 Auto Flight System architecture

The Auto Flight System (AFS) installed on the Single Aisle Airbus aircraft⁵ is made up of two types of computers, the calculation units that elaborate the pilots’ inputs in order to ensure the correct functioning of the flight:

• The Flight Management and Guidance Computer (FMGC)

• The Flight Augmentation Computer (FAC)

and two types of control units, the interfaces through which the flight crew sets up the navigation data to perform the flight and to follow the flight plan:

• The Flight Control Unit (FCU)

• The Multipurpose Control and Display Units (MCDU)

⁵ Different hardware configurations can be found on different aircraft, but the functions are the same. In this thesis all the descriptions are based on the A320 family Auto Flight System.

The Flight Control Unit is the interface the pilots use to enter the target variables for the lateral and vertical navigation, to guide the aircraft along the flight path. Through the MCDU, the pilots insert the flight plan (during the pre-flight operations at the airport), and later the FMGC is in charge of delivering the information to the primary flight controls to perform the flight and to follow the computed trajectory.

As can be seen from Figure 12, the Flight Control Unit sends data to and receives data from both FMGCs, which in turn communicate with their own MCDUs and FACs (this is the nominal configuration; in case of failure the Auto Flight System is capable of reconfiguring itself to take data and information from the computers that are still available). Every computer is doubled for safety reasons, and the functions are often installed in different computers in order to provide a backup level in case of failure (this point will be analysed in more detail in the Enhanced Stall Warning chapter, fault tolerance approach). The FACs send the commands to the ELAC/SEC, which provide the outputs to control the surfaces through the actuators, and to the FADEC to control engine thrust.

Figure 12: AFS Architecture

The computers send orders to the surfaces through the units that take input from the (auto)pilots. The AFS sends the surface deflection commands for the autopilot function to:

• ELAC1/ELAC2 for pitch and roll commands

• FAC1/FAC2 for yaw damper commands

Moreover, the AFS also sends thrust commands for the auto-thrust function to:

• ECU1/EEC1 to set the thrust command on engine 1

• ECU2/EEC2 to set the thrust command on engine 2


From a system point of view, the Auto Flight System is composed of three functions, Figure 13:

• Flight Management: it allows defining the flight path and eases the navigation through predictions and position calculation. During the cockpit preparation phase, the pilot inserts a pre-planned route, from the origin airport to the destination, via the MCDU. This route includes the departure, routes, waypoints, arrival, approach, missed approach and alternate route, as selected from the NAV database. The system generates optimum vertical and lateral flight profiles and predicted progress along the entire flight path, through:

o Position computation (aircraft position consolidation, nav-aid selection, VOR, DME, ILS, etc., using the navigational data).

o Navigation Data Base management (airways, airports, beacons, procedures…) for the routing of the aircraft.

o Flight Planning (lateral & vertical flight plan) and flight guidance cues, using the flight director indicators on the PFD.

o Guidance computation: easing the navigation through predictions and position calculation.

o Determination of the flight phases and monitoring of the aircraft progress on the routes programmed into the flight plan.

o Optimization & Prediction functions (Speed, Time – ETA, Fuel, Altitude…) considering aircraft performance data to manage the vertical aspects of the route.

o Reception of air data (from Pitot, static pressure sensor and pitch angle probe) and inertial data for backup computations.

o Management of flight control laws and reconfiguration after failures.

o Auto-thrust system coordination considering the FADEC, controlling fuel flow and engine thrust (the FMGS is interfaced with the ECU/EEC).

• Flight Guidance: it allows the aircraft to reach the destination by acting on the thrust and on the control surfaces. It controls:

o Autopilot (AP): it elaborates the surface control automatically. The commands are sent to the Flight Control System, which oversees control-surface actuation (elevators, ailerons and rudder) and nose wheel (steering). The autopilot can be engaged five seconds after take-off by acting on the two pushbuttons of the Flight Control Unit. Only one autopilot can be engaged at a time, except during approach, ILS landing and go-around. This ensures the best redundancy level, required to safely achieve auto-lands, auto-rollouts or low-altitude go-arounds. Generally, AP1 is used when the captain is PF and AP2 when the First Officer is PF, so AP1 has the priority and AP2 is in standby (the ELAC and the FAC use the AP1 commands first and switch to the AP2 commands in case of AP1 disengagement). This ensures that each AP is alternately operated. The AP can be disengaged:

▪ By voluntary pilot action:

   - Action on the AP pushbutton on the FCU

   - Action on the sidestick (takeover pushbutton, or pushing harder than a certain threshold)

   - Action on the rudder pedals (pressed beyond a certain threshold)

▪ By reaching a protection:

   - VMO, MMO

   - Bank angle in modulus over 45°

   - Pitch angle over 30°

▪ In case of failures that provoke the loss of one control surface (see Appendix III).

Autopilot is just one feature of the Flight Management and Guidance System (FMGS), and each of the two Flight Management and Guidance Computers manages its own autopilot. The ELAC and the SEC are merely actuator controllers for the control surfaces; they are also reconfigurable in case of failure of one of the SECs, ELACs⁶ or FACs [5].

o Flight Director (FD): it gives guidance information to the pilot; these orders are shown on the PFD through the CDS. The FMGC1 normally drives the FD symbols (crossed bars, yaw bar or flight path director symbols) on the CAPT PFD, and the FMGC2 normally drives the FD symbols on the F/O PFD; this nominal assignment changes in case of failure of one FMGC.

o Auto-thrust (A/THR): it provides thrust adjustments in order to acquire and maintain a given speed, for automatic engine control through the EEC/ECU. The A/THR function in the Auto Flight System (AFS) does not manage a throttle displacement but a thrust value. The lever position determines the maximum thrust which can be commanded by the auto-thrust system. Auto-thrust is armed by acting on the FCU pushbutton, or automatically by moving the thrust levers to TOGA/FLX during take-off and go-around; both A/THR are always engaged at the same time, but only one (A/THR1 or A/THR2) is active, depending on the AP and FD engagement statuses. The A/THR can be disengaged:

▪ By voluntary pilot action:

   - Action on the FCU pushbutton

   - Taking the levers to IDLE

▪ In case of failures

⁶ ELAC and SEC are ACE (Actuator Control Electronics) themselves, with further flight envelope protection logic.


Figure 13: Auto Flight System function architecture. The dashed boxes show how the different functions are calculated in the AFS computers

• Flight Envelope: it defines the aircraft flight envelope and provides information about speeds on the Primary Flight Display (PFD) in nominal situation.

o Calculation of the characteristic speeds (low-speed or high-speed protections) that are shown on the PFD, detailed in Appendix II – Characteristic speeds:

▪ High speed protection (VMAX)

▪ Stall warning speed (VSW)

▪ Lowest selectable speed (VLS)

▪ Maximum operational speed (V MAX OP), giving margin against buffeting

▪ Airspeed tendency (V_CAS TREND)

o Definition of the aircraft configuration: in flight or on ground, slat and flap positions, engines

▪ Manoeuvring speed (VMAN), function of the slat and flap positions

▪ Minimum flap retraction speed (V3)

▪ Minimum slat retraction speed (V4)

▪ Predictive VFE at the next flap/slat position (V FEN)

o Detection of configurations outside the normal operating flight envelope, such as alpha-floor, tail-strike indication (only on Long Range Airbus aircraft), longitudinal (pitch +30°/-15°) or lateral (bank angle 67°) protection.

▪ Bank angle protection

▪ Pitch attitude protection

▪ High angle of attack protection (computed by the ELAC)

o Detection of abnormal flight conditions:

▪ Wind-shear⁷: the wind-shear aural warning and the corresponding message on the PFD are calculated by the FAC considering the vertical speed, the airspeed and the ground speed, hence the total slope, the longitudinal wind gradient and the vertical wind. The angle of attack in wind-shear is computed as an aircraft energy level. Consequently, the computed angle of attack is compared to the alpha wind-shear threshold, and the alarm sounds if the aircraft is in the approach phase (1300 ft to 50 ft) or in the take-off phase (lift-off to 1300 ft).

▪ Low energy detection: an aural warning that sounds when the energy level is under a threshold computed by the FAC considering the slat and flap configuration, the horizontal deceleration rate and the flight path. In addition, the altitude has to be between 1000 ft and 2000 ft, the alpha floor must not be activated and the aircraft must be in normal law. If the aircraft continues losing speed after the low energy warning, the system automatically keeps the aircraft in a safe flight domain: when the incidence angle is lower than alpha-floor and the Radio Altimeter is higher than 100 ft, the message A.FLOOR appears on the PFD and the thrust is automatically set to TOGA. The low energy warning disappears when the thrust level is high enough, if the alpha floor protection is triggered or if the pitch go-around mode is triggered.

o Acquisition of the autopilot law orders - AP/FD mode reversions

▪ VMAX and VLS are used in the FMGC for the speed limitation of the AP/FD and A/THR functions

o Compensation of engine failure (lateral thrust dissymmetry detection)

o Load factor protection (Nz law)

o Runway Overrun Prevention System (ROPS) (not yet in the state of the art): this is an experimental function which aims to enhance safety for all braking modes (manual and automatic) at landing, protecting the aircraft from running off the landing strip, based on neural networks. This system is called ROPS and it contains the ROW and the ROP functions. The first one is a system that assesses in real time, in flight, the landing distance (in both dry and wet conditions), in other terms the distance to the touch-down, and it raises a go-around alarm in case the landing distance available is too short. The second one assesses the stopping distance in real time on ground, and an alarm appears on the PFD recommending maximum braking or maximum reverse [6].

o Unreliable Airspeed Mitigation Mean function (UAMM) (not yet in the state of the art): a new function which consists in providing a numeric backup speed. It is also associated with specific monitorings that allow flagging erroneous speeds and providing enhanced warnings in case of an unreliable airspeed situation. In the frame of the UAMM function, the FAC must compute a backup speed, a backup Mach and backup characteristic speeds. The computation of those data requires parameters which are not acquired by the current flying FAC software (for example IRS data). For the backup computation, the N1-AOA monitoring and the theta-gamma estimation are introduced to enhance the calculation of the angles of attack; using these estimations it will be possible to use one AOA when it remains alone, because the estimation can give reliability to the AOA data.

⁷ Wind-shear is a sudden change in wind direction and/or speed over a relatively short distance in the atmosphere. This can influence aircraft performance during the take-off and landing phases. In wind-shear conditions, the principle is to reduce the detection threshold according to the detected wind-shear, in order to get the possibility of performing a go-around sooner.

3.2 Auto Flight System modes

The modes are the ways of working of the Auto Flight System: the manner of processing feedback signals and elaborating control surface/thrust orders. Each mode has some targets to reach. The flight modes take as input pilot or autopilot commands and process these inputs for the purpose of guiding the aircraft along the ordered flight path. There are two types of guidance that can be chosen by the crew on the Flight Control Unit, Figure 14. The selected or managed mode is chosen by the crew through the FCU in the middle of the cockpit:

When the autopilot is in SELECTED state, the target values for altitude, heading/track, vertical speed/flight path angle and speed/Mach are inserted manually, and then the AFS guides the aircraft to the manually selected target. Selected mode is engaged by pulling the corresponding knob on the FCU located on the pilot’s glare shield.

When the autopilot is in MANAGED state, these target values come from the Flight Management System, which acquires data from the pre-planned routes inserted during the pre-flight operation by the pilots through the Multipurpose Control and Display Unit. The autopilot is “slaved” to the FMS and it is tasked to follow the Flight Plan. The AP is engaged by pushing the corresponding knob on the Flight Control Unit⁸.

Figure 14: Auto Flight System Operation Modes.

⁸ The sidestick controllers and the throttle control levers do not move when the autopilot and the A/THR are engaged, in order to simplify the fly-by-wire mechanism and to reduce cockpit maintenance.


Regardless of the Auto Flight System mode (selected or managed), the aircraft is protected within the flight envelope, and the autopilot, flight director and auto-thrust are available whether the commands are entered manually by the pilots through the Flight Control Unit or the orders are processed directly from the FMGC inputs.

Figure 15: Auto Flight System operational schema: the AFS green box is doubled because the FMGC and FAC computers are redundant for safety reasons. The AFS outputs are sent to the navigation displays and to the PFD, to the FADEC for engine thrust control and to FCC

3.3 Introduction to auto-flight control laws

Each mode of the Auto Flight System has an associated control law, defined by an “operational logic”. These control logics are often closed loops with feedback, returning to the pilot the manoeuvre effect at guidance and control level. In the Auto Flight System, Figure 16, four feedback loops work together in order to control the aircraft along the planned flight path:

Surface position actuator loop;

Control loop;

Guidance loop;

Navigation loop.


Figure 16: Autopilot control loops: the fastest loop is for the control of the surface position. The blue loop is in charge of controlling the aircraft attitude; it considers the Euler angles of the aircraft. The bigger loop oversees the guidance and is the mid-term management loop, controlling the load factor, the speed or the Mach number (depending on the flight law selected). Finally, the slowest loop controls the navigation of the aircraft and takes care of introducing the aircraft into the air traffic. The AFS does not include the communication system, which is part of another ATA chapter.

The inner loop is dedicated to controlling the surface deflection. The pilots or the autopilot give orders to the ELAC/SEC/FAC through the sidestick, and then the surface loop drives the surfaces to maintain the correct deflection. The inner loop is a high-speed control cycle with an extremely short response time. The control variables are:

Rudder deflection 𝛿𝑟;

Aileron deflection 𝛿𝑎;

Elevator deflection 𝛿𝑒.

The surface deflections create accelerations and attitude changes, which are used as the main feedback in the attitude control loop. The control loop is in charge of managing the aircraft attitude. The variables used as feedback are:

Pitch angle 𝜃

Roll angle 𝜑

Sideslip angle 𝛽

This loop runs over a short period and controls the aircraft attitude and acceleration.

The outer loop is devoted to trajectory control. It therefore provides the guidance function in a larger loop, and it sends to the inner cycle (AP) or to the display (FD) the load factor increments, bank angle, etc., selecting the appropriate pitch attitude and bank angle to maintain or change the flight path. The guidance loop takes its inputs from the FCU, but in direct law it could take the inputs directly from the sidestick.

The outer loop controls:

Altitude

Heading


Speed (acting on the thrust)

To follow the flight plan, the outer loop controls the centre of gravity position and limits the FCU or FMS targets in amplitude and rate, to limit the effects of failures. The speed vector and the aircraft position are used as the main feedback to compute the orders.

There is then a further external loop that handles the navigation (navigation loop or big loop); the Flight Management System manages this function, and it handles:

The current aircraft position;

The aircraft route, keeping information about the aircraft position in time and space;

The selection of the best altitude, heading and path to get there.

Finally, the navigation loop aims to insert the aircraft harmoniously into the crowded airspace, considering:

Communicating with Air Traffic Control (ATC)

Adding the fourth dimension to the navigation (time)

Avoiding other aircraft.

The navigation loop is the slowest in the Auto Flight System; its refresh time is about 5 to 10 seconds; by contrast, the surface deflection loop works at a 400 Hz frequency.

As an example, the flight control law handling the thrust is reported in Figure 17: in the auto-thrust law, the parameter under control is the engine revolutions per minute (N1) and, acting on this variable through the EEC/ECU, the target speed is reached in order to follow the selected flight path (both in vertical and lateral navigation).

Aircraft with different engine types have different thrust laws. Nevertheless, even if the Auto Flight Engine is common to the whole SA family, the thrust law differs according to the engine type. The Auto Flight software is developed and specialised for each aircraft variant (A318 / A319 / A320 / A321 / A319NEO / A320NEO / A321NEO), both with regard to the engines and with regard to the CG positions and the various configurations⁹.

⁹ For this purpose, the Design Office could collaborate with the handling qualities (HQ) team or with the performance team to deliver optimised software dealing with the topic in question.


Figure 17: Thrust Control Laws breakdown

The communication module is not part of Auto Flight System.

3.3.1 Roll Control – ELAC

Roll control on the Airbus A320 (and the SA family in general) is accomplished by using sidestick movements or autopilot commands. When the ailerons are commanded, a 𝛿𝑎 aileron order is sent as an electrical signal to the active ELAC computer. The Airbus A320 has two operational ELAC computers available, one operating in active mode while the other acts in damping mode and serves as a back-up in case of failure. The ELAC then sends a 𝛿𝑃 spoiler signal to both SEC computers, which control the flight spoilers, and to the FAC computer, which sends turn coordination orders for the rudder trim.

Unlike the SEC, which consists of three independent computers, the FAC has only two working computers, in the same arrangement as the two ELACs. The computer then processes these signals into an output that activates the hydraulic actuators connected to the control surfaces. At the output of the inner loop, a gain K permits switching from the cruise inner loop to an approach inner loop. The deflection orders are limited in amplitude and in rate of variation.

The control surfaces deflect according to the sidestick input. For safety reasons, the signal processing by the flight control computer uses pre-set limitations and instructions (laws). This means that the prescribed limitations cannot be exceeded. When the autopilot controls the aircraft, the ELAC and the FAC receive an electric signal generated by the FMGS. Usually ELAC1 is in control; in case ELAC1 fails, ELAC2 automatically takes over control. Similarly, the FAC and the SEC computers are backed up.

Each aileron has two electrically controlled hydraulic actuators connected to it. One of these actuators is in control while the other is in damping mode. The actuators are connected to the Green and Blue hydraulic systems. In Figure 18, the lateral control law is shown; as can be seen, the outer target variables differ according to the flight phase. Afterwards, the inner loop is common, independently of which outer variable is targeted, and it is in charge of stabilising and trimming the aircraft by sending an electric signal to the hydraulic actuators.

Figure 18: Lateral Control Laws breakdown

3.3.2 Pitch Control

On the Airbus A320 family aircraft, pitch control is achieved in two ways. Primarily the elevators are used to pitch the aircraft. Besides the elevators there is the Trimmable Horizontal Stabilizer (THS), to which the elevators are attached, which is used to trim the aircraft. The elevators are operated either by sidestick movement or, in case of autopilot engagement, by the FMGS. In manual control, when the sidestick is used to operate the elevators, electrical signals are generated by the sidestick and sent to both ELAC computers. The signals received by the ELAC computers are then converted into outputs which drive the hydraulic actuators connected to the elevators. Normally ELAC1 is in control with ELAC2 serving as back-up. In case of dual ELAC failure, SEC1 or SEC2 automatically takes over control. The loss of the elevators is categorised as CAT (catastrophic): the aircraft goes out of control and the loss of the aircraft is the natural consequence, Figure 19.


Figure 19: Elevators Computer

When the autopilot is in command, the FMGS maintains pitch control: the 𝛿𝑄 command generated in the pitch basic loop is sent as electrical signals to both ELACs, which produce an output activating the elevator actuators. The 𝛿𝑄 command is limited in amplitude and in rate of variation.

In the pitch basic loop, there are two modes:

Cruise, where the 𝛿𝜃 elevator command is generated from the outer loop command, thus 𝛿𝜃; in feedback the system receives a pitch angle (𝜃) and a pitch attitude rate (𝜃̇). In certain modes (ALT, V/S, FPA) an engine torque compensation is added to the term 𝛿𝜃 to minimise the path deviation due to large thrust variations.

Approach/landing, where the 𝛿𝑒 elevator command is generated from the outer loop command of 𝑁𝑧; the aircraft receives the vertical acceleration, the pitch angle, the pitch attitude rate and the roll angle in feedback.

Each elevator is powered by two hydraulic actuators, one in active mode while the other serves as back-up. Both actuators become active in case of large pitch demands.

In order to perform vertical control, Figure 20, the target variables are the altitude, the vertical speed or the flight path angle (input entered in the FCU), which are controlled by the outer loop, acting on the inner loop through small increments in the load factor. Therefore, the sidestick and the input entered directly in the FCU do not act directly on the surface deflection but command an increment in the normal load factor. Subsequently, the incremental load factor is a function of the aircraft configuration (slats/flaps, speed brakes), and the surface deflection is computed through the kinematic and dynamic equations implemented in the FMGC. The orders are mediated by the auto-thrust, which applies thrust corrections in order to achieve a more comfortable flight profile.


Figure 20: Vertical Control Laws breakdown

3.3.2.1 Trimmable Horizontal Stabilizer – THS

The THS is positioned by a screw actuator driven by two hydraulic motors. In turn, the hydraulic motors are driven by one of three electric motors. Only one electric motor can be operative at a time, while the other two are in a standby role. The electric motors are controlled by either the ELAC or the SEC computers. Operating the THS by using the mechanical trim wheel has priority over the electrical trim.

3.3.3 Yaw Control

The aileron deflection command controls the turn coordination, which is carried out by the Yaw Damper function in cruise by the FAC. Each FAC receives two deflection commands from each FMGC for rudder control. The rudder control is also used in the guidance command through 𝛿𝑟 for the Yaw Damper function for yaw-axis stabilisation in automatic landing, Figure 21. The rudder limitation is a function of speed.

The rudder is being controlled in three different ways, namely:

Manually by rudder pedal movement: there are two pairs of rudder pedals installed, which are mechanically connected to each other. They are linked to the artificial feel unit by a cable loop, which in turn is connected to the hydraulic rudder actuators via a differential unit. Movement of the pedals generates a signal which is sent to the active ELAC. The ELAC then calculates yaw damping, turn coordination and rudder trim orders and sends these to the FAC computers. Both FAC computers control the yaw damper servos, rudder trim and rudder limit motors.

Rudder trim is achieved by two electric motors, each controlled by its associated FAC. Rudder trim is done manually by operating the rudder trim control located on the overhead panel.

Autopilot rudder movement: in case of autopilot engagement, both FAC computers receive commands from the FMGS for rudder trimming and yaw control.


Figure 21: Yaw control [7]

3.4 Manual way of controlling the aircraft

In case the pilot takes direct control of the aircraft with sidestick and pedals, the FMGC, if it is able to, gives the crew instructions using the flight director cues and the yaw cue; it is the pilot who follows the cues with the manual controls (using rudder pedals and sidestick). The pilot’s commands are considered by the flight control computers (FAC, SEC and ELAC), which determine the way in which the control surfaces will be moved, possibly limiting the deflection ordered by the pilot to keep the aircraft within its flight envelope. FAC, SEC and ELAC orders are sent to the respective actuator controllers. There is a final control function on the actuator, to allow actuator redundancy for the control surfaces, e.g. for the elevators: each servo-jack has three control modes:

Active so the jack position is electrically controlled

Damping so the jack follows surface movement

Centring so the jack is hydraulically retained in the neutral position [7]

ELAC, SEC and FAC can be reconfigured according to the law degradation status: the output of these FCCs can be sent to different actuators, so the electrical circuit between an FCC output and an actuator input includes some switching circuitry.

3.5 Flight Management Guidance System

The role of the Flight Management Guidance System (FMGS) is to perform various functions to help the flight crew in the management of the flight (reducing the workload, improving the crew efficiency and eliminating many routine operations generally performed by the pilots) and to control directly the ailerons and the elevators when the autopilot is engaged.

The computation and processing devices receive information sources (ATA-34) such as:

Navigation information, which contains details of airfields, airways, routes, waypoints and procedures (SIDs, STARs, approaches).

Aircraft performance information.

Air Data and Inertial Reference System (ADIRS) and the Global Positioning System (GPS) for

position and dynamic information.

The clock to synchronize tasks and operations among computers and control units.

Radio navigator information.

The computation and processing devices receive inputs (ATA-22) from:

Flight Control Unit (FCU)

Multipurpose Control and Display Units (MCDUs)

Multi Functions Display (MFD)

The computation and processing devices provide outputs (ATA-27, ATA-31) to:

Flight Control System for pitch, roll and yaw control

Auto-thrust System for thrust control

EFIS and MCDU System for the display information

Navigation Radio for the automatic tuning of radio aids

The FMGS is a dual-dual type system for the autopilot and auto-thrust functions. In cruise mode only one autopilot can be engaged. Both APs can be engaged (through the AP1 and AP2 pushbutton switches located on the FCU) only when ILS approach mode is selected.

The redundant FMGCs are divided into two channels: COMMAND (issues commands to the flight controllers) and MONITOR (monitors the result of the commands, e.g. by analysing air data and inertial data to detect anomalies). If one FMGC fails, the other FMGC performs all operations.

The FMGS has three modes of operations:

Dual mode (the normal mode), Figure 22: the Flight Management System normally works in dual mode on the master/slave concept. Both FMGCs perform the same functions simultaneously and use all crew inputs on MCDU1 or MCDU2. The slave system synchronises on the master system for the initialisation of the flight performance modes, the guidance modes and the radio navigation. The results are compared and, in case of discrepancy, the MCDU displays messages (position, weight, target speed). If one AP is engaged, the related FMGC is master:

o It uses the onside FD for guidance

o It controls the A/THR

o It controls the FMA 1 and 2

If two APs are engaged, FMGC1 is master; otherwise the master depends on which pushbutton is pressed. If dual mode cannot be maintained (incompatible database, etc.), both FMGCs revert to independent mode.


Figure 22: FMGC architecture in Dual Mode

Independent mode (each FMGC is controlled by its associated MCDU and affects only the onside EFIS and RMP¹⁰), Figure 23: the system selects this degraded mode automatically if it detects a major mismatch (database incompatibility, operations program incompatibility). No information is transferred from one FMGC to the other, and therefore neither synchronisation nor comparison can be performed. Both FMGCs work independently and are linked only to the peripherals on their own side of the flight deck.

Figure 23: FMGC architecture in Independent Mode

Single mode (using one FMGC only), Figure 24: in case of FMGC failure this degraded mode is automatically selected by the system; the opposite FMGC takes control of MCDU 1 and 2 independently and feeds both NDs with the same data. All the flight management functions are available through MCDU1 and 2.

¹⁰ RMP = Radio Management Panel

Figure 24: FMGC architecture in Single Mode
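The three FMGS operating modes and the master selection rules of section 3.5, modelled as an added example (this is not code from the thesis or from Airbus). The tolerances, the identifier strings and the MCDU message texts are constructed for illustration; the rule for choosing the master when no AP is engaged (last pushbutton pressed) is an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class FmgsMode(Enum):
    DUAL = "dual"                # normal mode: master/slave, results compared
    INDEPENDENT = "independent"  # major mismatch: no synchronisation, no comparison
    SINGLE = "single"            # one FMGC failed: the other serves both MCDUs/NDs


@dataclass
class Fmgc:
    ident: int                 # 1 or 2
    healthy: bool              # False = FMGC failure detected
    database_id: str           # navigation database identifier (constructed)
    program_id: str            # operations program identifier (constructed)
    position_nm: float         # computed aircraft position, one axis for brevity
    weight_t: float            # computed gross weight, tonnes
    target_speed_kt: float     # computed target speed, knots


@dataclass
class FmgsState:
    mode: FmgsMode
    master: Optional[int]                  # FMGC driving FD, A/THR and FMA 1 and 2
    mcdu_messages: list = field(default_factory=list)


# Comparison thresholds are constructed for illustration, not Airbus values.
TOLERANCES = {"position_nm": 1.0, "weight_t": 0.5, "target_speed_kt": 3.0}


def select_master(ap1: bool, ap2: bool, last_ap_pushed: int) -> int:
    """Two APs engaged: FMGC1 is master. One AP engaged: its FMGC is master.
    No AP engaged: the FMGC of the last AP pushbutton pressed (assumption for
    the 'depends on which pushbutton is pressed' case of the text)."""
    if ap1 and ap2:
        return 1
    if ap1:
        return 1
    if ap2:
        return 2
    return last_ap_pushed


def compare_results(master: Fmgc, slave: Fmgc) -> list:
    """Dual-mode cross-check: a discrepancy on any compared parameter
    produces an MCDU message (message texts are constructed)."""
    messages = []
    for name, tol in TOLERANCES.items():
        if abs(getattr(master, name) - getattr(slave, name)) > tol:
            messages.append(f"FM1/FM2 {name.upper()} DISCREPANCY")
    return messages


def fmgs_state(f1: Fmgc, f2: Fmgc, ap1: bool, ap2: bool,
               last_ap_pushed: int = 1) -> FmgsState:
    """Derive the FMGS operating mode and the master FMGC from both units."""
    if not f1.healthy and not f2.healthy:
        raise RuntimeError("dual FMGC failure: not one of the three modes")
    if not (f1.healthy and f2.healthy):
        # Single mode: the surviving FMGC takes both MCDUs and feeds both NDs.
        survivor = f1 if f1.healthy else f2
        return FmgsState(FmgsMode.SINGLE, survivor.ident)
    if f1.database_id != f2.database_id or f1.program_id != f2.program_id:
        # Major mismatch: independent mode, nothing is exchanged or compared.
        return FmgsState(FmgsMode.INDEPENDENT, None)
    master_id = select_master(ap1, ap2, last_ap_pushed)
    master, slave = (f1, f2) if master_id == 1 else (f2, f1)
    return FmgsState(FmgsMode.DUAL, master_id, compare_results(master, slave))


if __name__ == "__main__":
    # Constructed sample: both FMGCs healthy and compatible, AP2 engaged,
    # FMGC2 drifted on position -> dual mode, FMGC2 master, one MCDU message.
    a = Fmgc(1, True, "DB-A", "P1", 100.0, 60.0, 250.0)
    b = Fmgc(2, True, "DB-A", "P1", 105.0, 60.0, 250.0)
    print(fmgs_state(a, b, ap1=False, ap2=True))
```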

3.6 Flight Augmentation Computer

The FAC (Flight Augmentation Computer) is a modular computer designed for digital (discrete) and analogue variables. This paragraph is entirely dedicated to explaining how the FAC works and which tasks it performs, because this is the main computer on which my thesis is based, since the Enhanced Stall Warning function is mainly implemented in the FAC. The FAC computer is divided into three parts:

Two virtual channels, the COMMAND channel and the MONITOR’s one

One independent channel which performs the FIDS¹¹ functions

The COMMAND channel receives ARINC sensor data in the form of analogue or discrete signals in order to compute the control laws. Subsequently, it generates the flight commands used to drive the corresponding servo-actuators. The interfaces between the computer and the actuators, and the position feedback, are of the analogue type. Similarly, the MONITOR channel receives the sensor data required to compute the control laws. The monitor channel’s role is to consolidate the computation of the command channel and to monitor the servo loops, so as to be able to change over to the opposite FAC in case of failure.

The FAC performs six main functions:

Input management and monitoring. This function is doubled, and it is responsible for the acquisition and monitoring of the input parameters, which have various forms; some of them are consolidated before being used by the control laws. The inputs can be analogue alternating-current signals from the various rudder position control sensors, ARINC signals from various systems (ADIRS, LGCIU¹², ELAC, FMGC, SFCC and the opposite FAC), discrete signals from the engagement pushbutton switches and the landing gear, and analogue direct-current signals.

¹¹ For maintenance purposes, the FIDS centralises the failure information from the various BITEs of the AFS computers and provides an interface between these BITEs and the Centralized Fault Display Interface Unit (CFDIU). The FIDS function is only active in the FAC [29].

Control law computation. The actuator position commands are computed by the CPU based on the above ARINC and analogue data and on the embedded control laws. A real-time monitor supervises the sequencing of the various tasks and the activation of a watchdog, to protect the processing unit itself against incorrect program execution.

Rudder-surface servo-loop control. This function provides the current signals for actuator control. These signals are generated from the computer software orders and from the position feedback of the sensor (LVDT or RVDT) for the three analogue power loops (yaw damper, rudder travel limiting and rudder trim).

Engage logic. This is the function that consolidates the statuses of the various monitors and makes it possible to pressurise the servos if all the required conditions have been met. In the event of a fault, this engage logic can cut off the control signals to the servos.

Output management. This function, like the first one, is doubled, and it is responsible for the generation of the output parameters. The outputs serve for the implementation of various cross-monitors with the monitoring channel, or they are sent to the other aircraft systems (opposite FAC, FMGC, DMC and trim indicator [8]); they can also be analogue (where a current amplifier provides the interface between the digital servo error and each servo after D/A conversion) or discrete (making it possible to indicate the status of the computer and to command the engage relays) outputs.

Power supplies. This is the function that provides the power supply to each channel from the 28 VDC aircraft network. The voltages provided to each channel are +5 V, +15 V and –15 V, and each power supply is monitored by the other channel.

The software organisation inside the FAC is divided into the application program, contained in the memory modules, and the executive program, which enables the control of the CPU, the ARINC inputs/outputs, the safety tests, etc. There are differences between the command and the monitoring parts of the FAC: dissymmetric programming, with different languages and different algorithms. A specific methodology is applied from the design phase to the programming phase, ensuring a safety level compatible with the FAC functions.

To ensure correct software execution, specific monitoring functions are introduced both in the hardware and in the software. The software is also organised in fast or slow tasks and in background tasks which can be delayed. The fast cycle concerns the yaw computation, while in the slow cycle the other functions are computed, except the weight calculation, which is performed in the very slow cycle.

¹² Two Landing Gear Control and Interface Units (LGCIUs) control the extension and retraction of the gear and the operation of the doors. They also supply information about the landing gear to the ECAM for display, and send signals indicating whether the aircraft is in flight or on the ground to other aircraft systems. There are two LGCIUs fitted on the SA family. One LGCIU controls one complete gear cycle, then switches over automatically to the other LGCIU at the completion of the retraction cycle. It also switches over in case of failure [30].


The FAC is devoted primarily to rudder control (sending commands to four electrical actuators for rudder trim and rudder travel limiting, one per FAC and per function) and to all the associated functions (e.g. the yaw damper, sending yaw damper commands to two hydraulic servo-actuators, one per FAC). Another important function of the FAC is to ensure the flight envelope protection.

In order to control and use the system, in the cockpit there are two pushbutton switches for FAC engagement and a RUD TRIM control panel; finally, indications and warnings appear on the ECAM display units to inform the crew about the control surface position.

Figure 25: FAC component layout [9]

The computer’s role is to ensure the optimum flight control surface deflection for easy handling and good stability, and to improve safety against over-speed, stall, wind-shear and excessive manoeuvre (excessive load factor). The FAC is a dual-dual type system. FAC1 and FAC2 can be engaged at the same time through the FAC1 and FAC2 pushbutton switches on the overhead panel. Only one system is active at a time: FAC1 has priority, FAC2 being in standby and synchronised on the FAC1 orders.
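The command/monitor channel pair, the engage logic and the FAC1-priority changeover described in this section, as an added example (not code from the thesis or from Airbus). The control law is a constructed placeholder (a speed-faded gain on sideslip), not the real FAC law; the rudder amplitude limit and the channel-agreement tolerance are assumptions, and the dissimilarity between channels is illustrated by implementing the same law in floating point and in exact rational arithmetic.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

RUDDER_LIMIT_DEG = 25.0   # constructed amplitude limit on the rudder order
COMPARE_TOL_DEG = 0.05    # constructed COMMAND/MONITOR agreement tolerance


@dataclass
class FacInputs:
    sideslip_deg: Optional[float]        # None = ADIRS data invalid or missing
    cas_kt: Optional[float]              # computed airspeed, None = invalid
    pushbutton_engaged: bool             # FAC pushbutton on the overhead panel
    watchdog_kicked: bool                # real-time monitor saw the cycle complete
    inject_command_fault: bool = False   # simulate a coding error in COMMAND only


def command_law(beta_deg: float, cas_kt: float, faulty: bool = False) -> float:
    """COMMAND channel: placeholder law in floating point (gain fading with
    speed), limited in amplitude. Not the real FAC yaw damper law."""
    gain = max(0.2, 1.0 - cas_kt / 500.0)
    order = -gain * beta_deg
    if faulty:                 # a sign error that only this channel contains
        order = -order
    return max(-RUDDER_LIMIT_DEG, min(RUDDER_LIMIT_DEG, order))


def monitor_law(beta_deg: float, cas_kt: float) -> float:
    """MONITOR channel: dissimilar implementation of the same law with exact
    rational arithmetic, so an error in one channel is not copied to the other."""
    beta, cas = Fraction(beta_deg), Fraction(cas_kt)
    gain = max(Fraction(1, 5), 1 - cas / 500)
    order = -gain * beta
    lim = Fraction(RUDDER_LIMIT_DEG)
    return float(max(-lim, min(lim, order)))


@dataclass
class FacStatus:
    inputs_valid: bool
    watchdog_ok: bool
    comparison_ok: bool
    order_deg: float            # order the COMMAND channel would send

    def all_monitors_ok(self) -> bool:
        return self.inputs_valid and self.watchdog_ok and self.comparison_ok


def run_fac(inp: FacInputs) -> FacStatus:
    """One cycle of a FAC: both channels compute, MONITOR cross-checks COMMAND."""
    valid = inp.sideslip_deg is not None and inp.cas_kt is not None
    if not valid:
        return FacStatus(False, inp.watchdog_kicked, False, 0.0)
    cmd = command_law(inp.sideslip_deg, inp.cas_kt, inp.inject_command_fault)
    mon = monitor_law(inp.sideslip_deg, inp.cas_kt)
    return FacStatus(True, inp.watchdog_kicked, abs(cmd - mon) <= COMPARE_TOL_DEG, cmd)


def engage_logic(inp: FacInputs, st: FacStatus) -> bool:
    """The servo is pressurised only if every required condition is met; any
    fault cuts the control signal to the servo (the actuator is depressurised,
    the slaving order itself is not interrupted)."""
    return inp.pushbutton_engaged and st.all_monitors_ok()


@dataclass
class DualFacOutput:
    active_fac: Optional[int]    # 1, 2 or None (both servos depressurised)
    rudder_order_deg: float      # 0.0 = rudder centred by the spring device
    standby_synchronised: bool   # the other FAC is engaged and tracks the active one


def dual_fac(inp1: FacInputs, inp2: FacInputs) -> DualFacOutput:
    """Dual-dual arrangement: FAC1 has priority, FAC2 is synchronised in
    standby; changeover to FAC2 when FAC1's engage logic drops out."""
    st1, st2 = run_fac(inp1), run_fac(inp2)
    e1, e2 = engage_logic(inp1, st1), engage_logic(inp2, st2)
    if e1:
        return DualFacOutput(1, st1.order_deg, e2)
    if e2:
        return DualFacOutput(2, st2.order_deg, False)
    return DualFacOutput(None, 0.0, False)


if __name__ == "__main__":
    # Constructed sample: FAC1 carries an injected COMMAND fault, FAC2 is
    # healthy -> MONITOR disagrees in FAC1, changeover to FAC2.
    healthy = FacInputs(2.0, 250.0, True, True)
    faulty = FacInputs(2.0, 250.0, True, True, inject_command_fault=True)
    print(dual_fac(faulty, healthy))
```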

3.6.1 Yaw Damping

The yaw damping provides turn coordination and guidance in cruise, during ILS approach mode and roll-out. It is also involved in engine failure recovery when the autopilot is engaged (in manual flight, the ELAC is in charge of this function) and obviously in yaw stabilisation. In manual control, the yaw damping ensures the accomplishment of the yaw orders from the Elevator Aileron Computer (ELAC), to stabilise and coordinate the aircraft. The ELAC computes the corresponding data and transmits them to the rudder surface via the yaw damper servo loop. In case of ELAC failure, the yaw damping for Dutch roll is provided in the degraded law. In automatic control, the accomplishment of the autopilot commands takes orders from the Flight Management and Guidance Computer for turn coordination and guidance (align and roll-out); only in cruise does the function manage the Dutch roll damping.

The system consists of: two electro-hydraulic servo-actuators (one per FAC), centred to the neutral position by an external spring device, each including a position feedback transducer (Linear Variable Differential Transducer); two Flight Augmentation Computers; a position feedback transducer unit located on the output shaft common to both servo-actuators (two Rotary Variable Differential Transducers); and finally two FLT CTL/FAC pushbutton switches, common to the RUD TRIM and RTL functions, for FAC engagement.

All the computations specific to this function (laws, logic and engagement) are duplicated in each FAC. The system operates using the changeover technique, so when the yaw damper is engaged on both FACs, channel 2 is synchronised on the position of the other channel and its associated servo-actuator is depressurised. This depressurisation is performed by two solenoid valves, each driving a bypass valve; only one solenoid valve is required to depressurise the servo-actuator. A pressure switch monitors the status of the solenoid valves. If the two servo-actuators are not pressurised, the rudder is centred to the neutral position (zero or the trimmed value).

This function sends the rudder orders that are not reproduced at the rudder pedals (through the Green hydraulic system). A current amplifier in the FAC delivers the orders to slave the servo-actuator in position. A servo valve then executes these orders. The slaving order is never interrupted, even when a failure is detected: the servo-actuator is neutralised through action on the electro-valves. Each solenoid valve is under the control of an independent logic. The LVDT transducers serve for the slaving and the RVDT transducers permit monitoring of this slaving. Each FAC generates the priority order in the form of a hard-wired discrete variable.

Like the other FAC functions, the Yaw Damper can work both in manual mode and in automatic mode. When the AP is not engaged (manual mode), the Yaw Damper is linked to the ELAC, and in normal manual mode the roll axis is managed by the lateral deflection law integrated in the control of the rudder (for stabilisation and turn coordination). In case of emergency, during the degraded law, the ELAC must operate on the roll axis; on the other hand, the FAC computes the yaw damper function and generates a simplified Dutch roll damping law.

In automatic mode, with the AP engaged, the yaw damper operates in Dutch roll damping, except in approach phases, and in turn coordination to reduce the sideslip in turn. These two orders are inhibited during the landing phase and accomplished directly in the AP guidance orders. In addition, in automatic mode the system provides assistance in engine failure recovery, from a lateral acceleration signal passed through a threshold, and accomplishes the guidance orders (align and roll out).

From the system point of view, this function depends on the engagement of the pushbutton switch and on the mode logic: whether the AP is engaged or not, whether the ELAC is in normal mode or not, and the status of the ADIRS. In order to switch on the Yaw Damper function, a specific monitoring must be performed on the computation comparators and power comparators, together with a global monitoring of the computers. The correct operation of the mode is checked:

- For the ELAC, if the normal law is not executed and the ELAC turns to the standby law on the roll axis.
- For the AP, if the acquisition of the AP engagement signal is not correct or if the status of the peripherals does not allow the achievement of the function (dual failure of the ADIRS).


In these cases, the AP disconnects and the system returns to the manual mode without FAC disconnection. The loss of the yaw damping function is indicated on the display unit of the ECAM system: in case of one channel loss a warning is emitted; in case of total loss a warning and a chime are emitted.

3.6.2 Rudder Travel Limiting Computation

This function limits the rudder excursion through a control law of speed and altitude; in case of failure the function returns to the low speed limitation, Figure 26. In order to perform this function, the system consists of two engagement pushbutton switches, both FAC units, and an electro-mechanical rudder travel limitation unit with two motors and two position transducers integrated in the unit.

The rudder travel-limiting system operates using the changeover technique: when both sides are engaged, side 1 has priority and side 2 is in standby. Side 2 becomes active when side 1 is disengaged (case of failure) or when the motor in standby is not supplied. Synchronization is achieved on the rudder position prior to engagement, and an amplitude and a speed limitation are introduced: the first ensures that the rudder remains compatible with the airframe structural limits, the second prevents saturation of the limitation unit. Upon total loss of the rudder travel-limiting function, a control brings the stops back to the low speed conditions, restoring the maximum rudder deflection as soon as the slats are extended.

This function has two different operational modes:

- In normal operation the active system controls the limitation unit through its motor. It limits the rudder travel according to a parameter specific to the flight envelope, the corrected airspeed (this parameter is delivered by the ADIRS but monitored by the FAC). When this mode is active, rudder travel limiting channel 1 is active and drives the associated motor; the other channel is in standby (synchronization mode) and the power electronic set of its motor is not supplied. The logics are the same for the command and the monitor part.
- Return to low speed conditions is the emergency mode; it serves in case of failure of the FAC or of the power electronic set. This mode is independent from the normal one and is only initiated at low speed (slats extended configuration). The logic behind this mode controls a relay that switches the motor onto a supply independent from the power electronic set used by the limitation unit in normal mode. These switching relays are activated upon slat extension, in case of dual failure of the rudder travel limitation function, and during a fixed time corresponding to the acquisition of the maximum stop.


Figure 26: Maximum Rudder Deflection. It is evident that as the flight speed increases the rudder deflection is reduced hyperbolically in order to deliver the same aerodynamic torque to the aircraft. The maximum deflection is saturated at low speed and is sized for the OEI case at take-off; this is a structural limitation.

In case of rudder travel limit failure, once the slats are extended the deflection is forced to the low-speed maximum.
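As an added example, not part of the thesis and not Airbus code, the following Python model reproduces the behaviour of section 3.6.2: a speed-dependent stop that closes in 1/V² above a reference speed (the constant-torque, hyperbolic shape of Figure 26), the side 1/side 2 changeover with synchronization of the standby channel, the amplitude and speed limitations, and the emergency return to the low-speed stop on dual failure with slats extended. The stop value, the reference speed, the rate limit and the channel names are constructed placeholders.

```python
# Added example (not the thesis's or Airbus's code): a simplified model of the
# FAC rudder travel limiting function of section 3.6.2. The numbers below are
# constructed placeholders; the real A320 stop values are not given on the page.
from dataclasses import dataclass
from typing import Optional, Tuple

LOW_SPEED_STOP_DEG = 30.0   # constructed: structural stop at low speed (OEI sizing)
REF_SPEED_KT = 160.0        # constructed: speed above which the stop starts to close
MAX_RATE_DEG = 5.0          # constructed: stop travel allowed per computation step


def rudder_limit_deg(cas_kt: float) -> float:
    """Maximum rudder deflection for a corrected airspeed.

    Below REF_SPEED_KT the stop is saturated at the low-speed value; above it
    the stop closes so that the aerodynamic torque stays constant. That torque
    scales with V^2 * delta, hence delta_max scales with 1/V^2, which gives the
    hyperbolic curve of Figure 26."""
    if cas_kt <= REF_SPEED_KT:
        return LOW_SPEED_STOP_DEG
    return LOW_SPEED_STOP_DEG * (REF_SPEED_KT / cas_kt) ** 2


@dataclass
class Channel:
    """One rudder travel limiting channel (one per FAC)."""
    name: str
    engaged: bool = True          # pushbutton engaged and no failure detected
    power_supplied: bool = True   # power electronic set of its motor available
    position_deg: float = LOW_SPEED_STOP_DEG  # stop position the channel holds


@dataclass
class RudderTravelLimiter:
    ch1: Channel
    ch2: Channel
    stop_deg: float = LOW_SPEED_STOP_DEG  # current mechanical stop position
    emergency_relay: bool = False         # motor switched to the independent supply

    def active_channel(self) -> Optional[Channel]:
        """Changeover rule: side 1 has priority; side 2 takes over only when
        side 1 is disengaged (failure) or its motor is not supplied."""
        for ch in (self.ch1, self.ch2):
            if ch.engaged and ch.power_supplied:
                return ch
        return None

    def step(self, cas_kt: float, slats_extended: bool) -> Tuple[str, float]:
        """Advance the limiter by one cycle; return (mode, stop position)."""
        active = self.active_channel()
        if active is None:
            # Dual failure. The emergency mode is only initiated at low speed
            # (slats extended): the relay drives the stop back to the
            # low-speed maximum so that full rudder is available again.
            if slats_extended:
                self.emergency_relay = True
                self.stop_deg = LOW_SPEED_STOP_DEG
                return ("EMERGENCY", self.stop_deg)
            return ("DUAL_FAILURE", self.stop_deg)   # stop frozen where it is
        self.emergency_relay = False
        # Amplitude limitation: never beyond the structural stop.
        target = min(rudder_limit_deg(cas_kt), LOW_SPEED_STOP_DEG)
        # Speed limitation: move at most MAX_RATE_DEG per step so that the
        # limitation unit does not saturate.
        delta = max(-MAX_RATE_DEG, min(MAX_RATE_DEG, target - self.stop_deg))
        self.stop_deg += delta
        active.position_deg = self.stop_deg
        # The standby channel stays synchronised on the active one, so it can
        # take over from the current position without a transient.
        standby = self.ch2 if active is self.ch1 else self.ch1
        standby.position_deg = active.position_deg
        return (active.name, self.stop_deg)


def demo() -> list:
    """Normal operation, changeover to side 2, dual failure, emergency return."""
    rtl = RudderTravelLimiter(Channel("RTL1"), Channel("RTL2"))
    log = [rtl.step(320.0, False)]        # RTL1 drives; stop starts closing
    rtl.ch1.engaged = False               # side 1 fails
    log.append(rtl.step(320.0, False))    # RTL2 takes over from the synced position
    rtl.ch2.power_supplied = False        # dual failure at high speed
    log.append(rtl.step(320.0, False))    # stop frozen
    log.append(rtl.step(140.0, True))     # slats extended: emergency relay acts
    return log


if __name__ == "__main__":
    for mode, stop in demo():
        print(f"{mode:13s} stop = {stop:.1f} deg")
```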

3.6.3 Rudder Trim

The FAC, once it receives the orders from the FMGC, actuates the rudder trim motor, linked to an artificial feel unit, to move the rudder.

In manual control, this function ensures the accomplishment of the pilot trim orders from the manual trim control and of the deflection orders from the ELACs (engine failure recovery); in automatic control, it ensures the accomplishment of the autopilot orders (auto-trim on the yaw axis) and the generation and accomplishment of the engine failure recovery function. The system consists of an electro-mechanical actuator moved by two three-phase asynchronous motors connected to a reduction gear by rigid linkage, both FACs, four transducer units (Rotary Variable Differential Transducer, RVDT) configured so that a single failure would not affect all the units at the same time, two engage pushbutton switches, a rudder-trim control switch located on the RUD TRIM control panel, a RUD TRIM/RESET pushbutton switch and a rudder trim indicator with a liquid-crystal display.

Like the rudder travel limiting, this function operates using the changeover technique; each channel is duplicated and monitored:

- The FAC COMMAND side slaves the position of the system.
- The MONITOR side monitors the system.

The operation of the rudder trim function depends on the engagement status of the FAC and of the AP and on the specific monitoring of the computation comparators and power comparators. There are two modes of operation:

- The manual mode
- The automatic mode


As the automatic mode has priority, pilot trim is not possible in the AP-engaged configuration. In manual mode, however, the system is not under the control of the ADIRS, so it remains available for the pilot trim part even in case of total failure of these peripherals.

The automatic mode is lost if the AP engaged signal is not validated or if the peripherals status does not allow the achievement of the function. In addition to the loss of the rudder trim, the AP is also disconnected and the system returns to the manual mode without FAC disconnection. The AP also provides signals which validate the detection of engine failure as a function of the engine rating.

3.6.4 Characteristic Speed Calculation

The Flight Augmentation Computer controls the speed scale on the Primary Flight Display, adapts the gains of the Flight Management and Guidance Computer and of the Elevator Aileron Computer, distributes the signals for the FMGC control laws, protects the flight envelope in automatic flight (speed limitations for the FMGC or alpha-floor for the auto-thrust), displays the flap/slat manoeuvre speeds and the rudder control surface positions, and provides the wind-shear and low energy warnings.

The information the FAC transmits to the FMGC (speed data, weight, centre of gravity, flight path angle and alpha-floor) is qualified by the validity of the Sign/Status Matrix (SSM) and by the FAC HEALTHY hard-wired discrete variable.

The speed computation principle relies on the fact that most of the displayed speed data are functions of the weight. As the weight changes slowly, this parameter is frozen upon modification of the configuration (speed-brakes or control surfaces extended, deceleration, turn, etc.) to avoid transients on the speed presentation. On the ground, the initial weight and centre of gravity are calculated by the FMS. In cruise phase, updating computations are performed by engine consumption laws approximated in the FAC. The computation begins with the $C_{z\,max}$ curves and from the condition of equilibrium of the aircraft, with thrust and balance corrections. This gives the stall warning speed $V_{s@1g}$. From $V_{s@1g}$, the FAC computes the aircraft weight considering:

- The equilibrium incidence;
- The equilibrium speeds;
- The thrust;
- The centre of gravity;
- The altitude.

Beyond the computation range, the weight computation is frozen. The weight is realigned through a fuel-used correction term previously defined in the FAC. The computation of the centre of gravity according to the stability plane altitude, configuration and speed is deduced from the weight computation, Figure 28.

The FAC uses the FM weight and CG to compute the characteristic speeds (VLS, VSW, etc.), Figure 27, together with the aircraft configuration in slats, flaps and airbrakes. Some constants and gains depend on the engine type and differ across the A320 family.


Figure 27: General architecture of speed computation in FAC

Figure 28: Speed computation using FM weight and CG calculation in FAC


Another function performed by the FAC is the computation of the Alpha Floor Protection; this function was not duplicated in the SA family before the NEO version and protects the aircraft against excessive angle of attack. To this end, a comparison is made between the aircraft angle of attack and predetermined thresholds that are functions of the configuration. Beyond the threshold, the FAC transmits a command signal to the auto-thrust, which applies TOGA thrust. This function is also developed to protect the aircraft against longitudinal wind variation in approach by determining the wind acceleration (deduced from the difference between ground and air acceleration). The Alpha Floor Protection is no longer available in case of double ADIRS failure. The ELAC direct computation of the Alpha Floor Protection is taken into account as soon as the first detection is made, either by the FAC or by the ELAC.

The FAC also fulfils the detection functions generating the signals needed to output the following warnings:

- Wind-shear;
- Low-energy;
- Stall.

3.7 Interconnection and peripheral interfaces

The interconnection between the FACs, the FMGCs and the peripherals ensures that a single failure of a peripheral has no effect on the AFS/FMS functions, Figure 29.

Concerning the pitch and roll axes: FMGC 1 and 2 send autopilot orders through output buses to the ELACs, according to the autopilot engaged (bus 1 has priority when both autopilots are engaged, i.e. in the approach and landing phase). In turn, the ELACs transmit deflection commands to the surfaces on the pitch and roll axes.

The same logic is applied on the yaw axis: both FMGCs send autopilot orders to the FACs, which control both yaw damper hydraulic servo-actuators (transient commands) and all four electrical actuators (one per FAC and per function) for rudder trim and rudder travel limiting (permanent command). All the servomotors operate using the automatic changeover.

In order to send commands to the engines, the FMGCs compute and transmit data through the FCU, EIU and ECU/EEC using ARINC buses. To consolidate engine data, the priority FMGC compares the output parameters from the FCU with its own available data by means of an associated logic. Each FMGC receives four ARINC buses for computation: two buses associated with its own side, the other two associated with the opposite side.


Figure 29: Cockpit computer communication [7]


4 Stall Warning function

4.1 Stall

4.2 Stall pilot reaction

4.3 State-of-the-art

4.3.1 Threshold determination

4.3.2 To increase autopilot availability – EAPA

4.4 Air France AF 447 flight Rio de Janeiro – Paris

4.5 Frozen probes

4.6 Enhanced Stall Warning

4.6.1 Applicability

4.6.2 Constraints and opportunities

4.6.3 ESW operating modes

4.6.4 Enhanced Stall Warning capacity

4.6.5 Angle of attack monitoring and selection

4.6.6 Thresholds computation

4.6.7 Enhanced Stall Warning activation request

4.6.8 Failure cases

4.6.9 ESW new interfaces

This chapter is the most technical and systematic part of this master thesis. In these pages, the solution I developed during the master thesis in the Airbus Design Office is presented and analysed in its technical details, and all the architectural choices are discussed. The Enhanced Stall Warning function implemented in the Single Aisle family is inherited from the more recent A350 XWB and arranged according to the needs of the aircraft systems.

The A350 was the first Airbus aircraft fitted with manual protections in autopilot. This new concept is composed of a set of modifications aiming at improving the safety provided at aircraft level, and the expertise Airbus developed in the A350 program is now moving to the Single Aisle family (A320 family). The program objective is to define a set of generic requirements aiming at implementing the same protections already available in manual flight even when the autopilot is engaged, in all Airbus civil aircraft fitted with a flight envelope protection device. For this purpose, the autopilot is kept engaged even outside the normal flight envelope and, as long as the protections of manual flight are available, the autopilot is able to handle the aircraft. At this stage, the implementation is different between the A380 and SA/LR (except the A350 XWB)¹³:

- Regarding the Primary Flight Control Systems, the A380 architecture is very similar to that of the A350. On these aircraft, the manual protections and the AP/FD orders are hosted in the same computer and the manual protections have a “voter based” structure. Therefore, the A350 design can be easily transposed to the A380 program.
- On SA and LR (A320, A330, A340), the separation between the Auto Flight System computers (AP orders computation) and the Flight Control System computers (manual protections by logic) does not allow reproducing exactly the A350 architecture for manual protections in autopilot. As a result, feasibility studies were carried out in order to determine the technical adaptations needed to implement the manual protections in autopilot on these programs. According to these studies, the most suitable computers to implement the new functions are the FAC and the FMGC of the Auto Flight System, while some adjustments must be introduced in the Flight Warning System and in the ELAC to take the manual protections into account.

The Enhanced Stall Warning function is necessary when the aircraft is not in normal law; otherwise the high angle of attack protection (Alpha protection) would act to avoid the stall. This function has been implemented to extend the automatic protection even to degraded situations, so that human intervention is needed less and less. In fact, stall conditions are difficult to foresee and, in emergency cases, human instincts are often not sufficient to take control of the aircraft and can lead to a tragic ending; this is the case of flight AF-447 from Rio de Janeiro to Paris, which initiated the project the Enhanced Stall Warning function is part of. After a short introduction on the stall condition and on the manual manoeuvres to recover the aircraft from a stall, according to a test pilot interview I conducted in October, this chapter explains how the function has been implemented in the Auto Flight System of the Single Aisle Airbus family.

¹³ SA = Single Aisle, LR = Long Range, XWB = Extra Wide Body. The A350 XWB is not part of the Long Range family even if it is designed for the same purpose; it is kept apart because of different design choices.


4.1 Stall

As an aircraft slows down, in order to keep the same amount of lift to sustain level flight, it must raise its angle of attack (the angle between the aircraft and the incoming airflow).

At a certain point, when flying slower and slower, alpha becomes large enough that the airflow over the wing no longer follows the wing profile: it starts to separate from the wing. Gradually, less and less extra lift can be obtained by increasing alpha; at the maximum potential to generate lift (alpha at $C_{L\,max}$), a stall occurs. To stay safely away from a stall, Airbus takes a small margin on that alpha at $C_{L\,max}$ (the angle of attack at which a stall would occur) and does not allow pilots to fly at a speed slower than the one resulting in an angle higher than that “alpha max”, the highest angle of attack that is considered safe.

Figure 30: Aerodynamic polar diagram and corresponding speed values displayed on the Primary Flight Display to maintain the aircraft in the normal flight envelope. The alpha max shown in the aerodynamic polar is the incidence angle with a margin with respect to the alpha stall at 1g.

The resulting protections are displayed on the speed scale of the Airbus aircraft to be visible to the pilots, Figure 30. Alpha max corresponds to the lowest possible safe speed to prevent stalling, and below that speed a full red band is displayed on the PFD. Even if a pilot pulls on the sidestick, the flight computers will refuse to fly an angle of attack higher than that alpha max: the airplane will safely stay within the flight envelope.

Aircraft without this protection require pilots to feel the stick shaker (the stick starts to shake on an impending stall) and to pull/ease off, pull/ease off on the controls continuously, to remain at the edge of that stick shaker, Figure 31.

On the PFD speed scale, the slowest speed the pilot can reach is $V_{\alpha max}$ and all slower speeds are indicated by a red bar. Above this red bar, an amber/black bar is displayed that represents $\alpha_{prot}$: this is the range in which the aircraft would be flying in alpha protection mode, but $\alpha_{max}$ is not reached yet.


Figure 31: Different aircraft behaviour in climb depending on the flight control law. On the left, a protected aircraft with “Alpha Prot” engaged: it allows reaching the maximum climb angle without overshoot. The non-protected aircraft flies with many deviations with respect to the ideal trajectory: under this flight law the aircraft reaches alpha max and then releases the pitch-up to reduce lift. The trajectory is clearly rougher.

In normal conditions, without any issue or failure, an Airbus flies in “Normal Law”. All the protections are available, including alpha protection, and in pitch the pilots do not control the elevator directly: a certain G-load, or nose up/down acceleration, is ordered to the aircraft. When the stick is pulled back, the flight computers do not ask directly for a deflection of the elevator, as on a conventional airplane, but order a load factor to climb. The load factor depends on the deflection rate and deflection angle of the sidestick. Releasing the stick back to neutral results in a neutral 1 G load factor demand and the airplane keeps climbing. There is therefore no need to trim, Figure 32.

Figure 32: Aircraft climb in normal law. Even in the climb phase the sidestick is in the zero position. To end the climb, a gentle pitch-down must be applied by the pilot on the sidestick.

This way of flying is intuitive but also uniform among the many Airbus types. Flying an A350 in pitch feels the same to a pilot as flying an A330 or A320, thanks to this normal law of the fly-by-wire. That helps Airbus with common type ratings for pilots, which in return can save costs for airlines in training and gives flexibility in deploying their pilots. The design, the flight control and the system design are common across the entire fleet; the only thing that changes is the flight laws.

When the aircraft flies slower and slower and reaches the top of the amber/black bar next to the speed scale (reaching alpha protection), because of an issue in the flight control systems, the handling becomes different. The top of the amber/black bar represents the angle of attack corresponding to alpha protection, where the flight control law changes. Flying slower will no longer result in a G-load demand in pitch but will directly request an angle of attack from the airplane.

When the angle of attack becomes larger than alpha protection, the elevator control starts flying in a protection mode. Over the range of the amber/black band, instead of flying a G-load, the aircraft directly targets an angle of attack. The auto-trim stops working and pilots will notice the change in handling qualities.

When the stick is pulled gently and the aircraft slows down gradually into this protection range, releasing the stick will result in the airplane automatically recovering to the alpha protection speed at the top of the amber/black band. That speed corresponds to an angle of attack that still has a safe margin to the stall. The airplane restores itself to alpha protection if the pilot is not paying attention.

If the pilot keeps pulling, though, instead of releasing the stick, he will be able to pull only up to alpha max, not further. That corresponds to the speed at the top of the red band. At this point, another protection becomes active, involving the auto-thrust, if the aircraft is flying in normal law: the alpha floor protection. In case of low speed, the auto-thrust automatically comes on with full thrust to recover from the precarious condition [10].

There is another amber line next to the speed scale. Its top represents VLS, the lowest selectable speed with the auto-thrust engaged, which is an additional protection. Pilots flying at a speed below this VLS for some reason are generally invited to the office to explain the issue.

4.2 Stall pilot reaction – handling qualities

As said in the previous paragraph, for a given configuration and at a given Mach number, a wing stalls at a given Angle of Attack (AOA) called AOA Stall, Figure 33. When the Mach number increases, the value of the AOA Stall decreases.

When approaching the AOA Stall, the wing generates a certain level of buffeting, which tends to increase at high Mach number. When the AOA increases and approaches the AOA Stall, in certain cases a pitch-up phenomenon occurs as a result of a change in the lift distribution along the wingspan. The effect of the pitch-up is a tendency of the aircraft to increase its angle of attack by itself, without further inputs on the elevators. Generally, for a given wing, this phenomenon occurs at a lower angle of attack when the Mach number is higher. The only means to counter the pitch-up is to apply a nose-down elevator input. When the aerodynamic flow on the wing is stalled, the only possible means to recover a normal flow regime is to decrease the AOA to a value lower than the AOA Stall. Stall is an AOA problem only; it is not directly a speed issue.


[11]

Figure 33: Mach effect on the aerodynamic polar: at higher Mach number the curves are shifted towards the left and lower. The higher the Mach number, the lower the alpha max. At high Mach, the compressibility of the air manifests itself notably by the appearance of buffet at high angle of attack, whose amplitude can then increase until it becomes dissuasive (deterrent buffet). The appearance of buffet (buffet onset) is defined by an oscillatory vertical acceleration whose amplitude reaches 0.2 g peak to peak at the pilot’s seat. The notion of deterrent buffet is subjective; it is neither known nor shared by the airline pilot community.

In normal law, the Electronic Flight Control System (EFCS) considers the actual AOA and limits it to a value AOA MAX (lower than the AOA Stall). The EFCS adjusts the AOA MAX limitation to account for the reduction of the AOA Stall with increasing Mach number. Equally, for a given Mach number and a given AOA, the EFCS considers the natural pitch-up effect of the wing for that Mach number and AOA and applies on the elevators the appropriate longitudinal pre-command to counter its effect.

On fly-by-wire aircraft, following certain malfunctions in case of sensor or computer failure, the flight controls cannot ensure the protections against the stall. Depending on the nature of the failure, they revert to alternate law or direct law. In both cases, the pilot has to ensure the protection against the stall, based upon the aural stall warning (SW) or on a strong buffeting, which, if encountered, is an indication of an incipient stall condition. In both Alternate and Direct Law, the aural SW is set at a value called AOA Stall Warning, which is lower than the AOA Stall. The triggering of the Stall Warning just means that the AOA has reached the AOA SW and so has to be reduced. It is absolutely essential for the pilots to know that the onset of the aural SW does not mean that the aircraft is stalling, and that just a gentle and smooth reaction on the sidestick is needed.

The value of the AOA SW depends on the Mach number. At high Mach number, the AOA SW is set at a value such that the warning occurs just before encountering the pitch-up effect and the buffeting. If the anemometric information used to set the AOA SW is erroneous, the SW will not sound at the proper AOA; in that case, the clue indicating the approach to the stall is the strong buffeting (spurious stall warning). This is the reason why the new stall warning update receives data from various sources, to avoid any spurious alarm.
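As an added example, not part of the thesis and not Airbus code, the following Python model illustrates both the Alpha Floor threshold comparison of section 3.6.4 and the Mach-dependent AOA Stall Warning threshold described above: the angle of attack words from several sources are first filtered on their validity status, the protection is declared unavailable when fewer than two sources remain valid (the double ADIRS failure case), and the highest valid AOA is then compared with the configuration- and Mach-dependent thresholds. The SSM codes, the threshold values, the linear Mach reduction and the two-valid-source rule are constructed assumptions; the page gives no numbers.

```python
# Added example (not the thesis's or Airbus's code): a simplified model of the
# angle-of-attack monitoring that feeds the FAC Alpha Floor protection of
# section 3.6.4 and the AOA-based stall warning of section 4.2. The SSM codes,
# the threshold values, the Mach reduction and the "at least two valid
# sources" rule are constructed assumptions; the page gives no numbers.
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed ARINC 429 sign/status matrix states for a data word.
SSM_FAILURE_WARNING = 0
SSM_NO_COMPUTED_DATA = 1
SSM_FUNCTIONAL_TEST = 2
SSM_NORMAL_OPERATION = 3

# Constructed thresholds in degrees, per slat/flap configuration.
ALPHA_FLOOR_DEG: Dict[str, float] = {"CLEAN": 9.5, "CONF1": 15.0, "CONFFULL": 14.0}
AOA_SW_LOW_MACH_DEG: Dict[str, float] = {"CLEAN": 10.5, "CONF1": 16.0, "CONFFULL": 15.0}
MACH_KNEE = 0.4                    # constructed: Mach above which AOA SW is reduced
AOA_SW_SLOPE_DEG_PER_MACH = 10.0   # constructed reduction rate


@dataclass(frozen=True)
class AoaWord:
    """One AOA label as received from an ADIRU, with its SSM."""
    source: str
    value_deg: float
    ssm: int


def valid_aoa_values(words: Iterable[AoaWord]) -> List[float]:
    """Keep only words whose SSM reports normal operation; a failure warning,
    no-computed-data or functional-test word is never used for protection."""
    return [w.value_deg for w in words if w.ssm == SSM_NORMAL_OPERATION]


def aoa_sw_threshold_deg(config: str, mach: float) -> float:
    """AOA at which the stall warning sounds: lower than AOA Stall and reduced
    as Mach increases (section 4.2). The linear reduction is a constructed shape."""
    reduction = max(0.0, mach - MACH_KNEE) * AOA_SW_SLOPE_DEG_PER_MACH
    return AOA_SW_LOW_MACH_DEG[config] - reduction


def aoa_protection(words: Iterable[AoaWord], config: str, mach: float) -> dict:
    """Consolidate the AOA sources and evaluate both thresholds.

    Returns the selected AOA, whether Alpha Floor would request TOGA and whether
    the stall warning would be raised. With fewer than two valid sources (the
    double ADIRS failure case) the protection is declared unavailable instead
    of being evaluated on a single unchecked value."""
    values = valid_aoa_values(words)
    if len(values) < 2:
        return {"available": False, "aoa_deg": None,
                "alpha_floor": False, "stall_warning": False}
    aoa = max(values)   # highest valid AOA: the conservative selection
    return {"available": True, "aoa_deg": aoa,
            "alpha_floor": aoa > ALPHA_FLOOR_DEG[config],
            "stall_warning": aoa > aoa_sw_threshold_deg(config, mach)}


# Constructed sample input: ADIRU 3 has flagged its AOA word as failed.
SAMPLE_WORDS = [
    AoaWord("ADIRU1", 11.2, SSM_NORMAL_OPERATION),
    AoaWord("ADIRU2", 11.0, SSM_NORMAL_OPERATION),
    AoaWord("ADIRU3", 4.0, SSM_FAILURE_WARNING),
]

if __name__ == "__main__":
    print(aoa_protection(SAMPLE_WORDS, "CLEAN", 0.3))
```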

Typically, in cruise at high Mach number and high altitude, at or close to the maximum recommended flight level, there is a small margin between the actual cruise AOA and the AOA Stall. Hence, in Alternate or Direct Law, the margin to the AOA SW is even smaller. Encountering turbulence induces quick variations of the AOA. Therefore, when the aircraft is flying close to the maximum recommended altitude, it is not improbable that turbulence might induce temporary peaks up to the AOA SW, leading to intermittent onset of the aural SW (spurious stall warning). Equally, in similar high flight level cruise conditions, at turbulence speed, if the pilot makes significant longitudinal inputs, the possibility of reaching the AOA SW value is not so remote. For those reasons, when in Alternate or Direct Law, it is recommended to fly at a cruise flight level lower than the maximum recommended.

Pilots are trained to avoid the stall situation and to recover from it. The traditional approach to stall training consisted in a controlled deceleration to the Stall Warning, followed by a power recovery with minimum altitude loss. Experience shows that if the pilot is determined to maintain the altitude, this procedure may lead to the stall. A practical exercise performed in flight in Direct Law on the A340-600, and well reproduced in the simulator, consists in performing a low altitude level flight deceleration at idle until the SW is triggered, and then pushing the thrust levers to TOGA while continuing to pull on the stick in order to maintain the altitude. The results of such a manoeuvre are:

- In clean configuration, even if the pilot reacts immediately to the SW by commanding TOGA, when the thrust reaches TOGA (20 seconds later) the aircraft stalls.
- In approach configuration, if the pilot reacts immediately to the SW, the aircraft reaches $\alpha_{SW} - 2°$.
- In approach configuration, if the pilot reacts with a delay of 2 seconds to the SW, the aircraft stalls [12].

This experiment showed that increasing the thrust at the SW, in order to increase the speed and hence to decrease the AOA, is not the proper reaction in many cases. In addition, it is to be noticed that at high altitude the effect of a thrust increase on the speed is very slow, so that the phenomenon described above for the clean configuration is exacerbated. Obviously, the procedure leads to potentially unrecoverable situations if it is applied once the aircraft has reached the aerodynamic stall. Even if the traditional procedure can work in certain conditions, if the pilot reacts immediately to the SW or if he is not too adamant on keeping the altitude, the major issue comes from the fact that once the SW threshold has been crossed, it is difficult to know whether the aircraft is still approaching the stall or already stalled. The difference between an approach to stall and an actual stall is not easy to determine, even for specialists. Several accidents happened where the “approach to stall” procedure was applied when the aircraft was actually stalled.

To react to the stall condition, it is paramount to decrease the AOA; this is obtained directly by decreasing the pitch order, since the pitch control is a direct AOA command. The AOA decrease may be obtained indirectly by increasing the speed, but adding thrust to increase the speed leads to an initial adverse longitudinal effect, which tends to further increase the AOA. It is important to know that if such a thrust increase were applied when the aircraft is already stalled, the longitudinal effect would bring the aircraft further into the stall, to a situation possibly unrecoverable. Conversely, the first effect of reducing the thrust is to reduce the AOA.

Therefore, the AOA must be reduced first: release the back pressure on the stick or column and apply a nose-down pitch input until out of the stall (no stall indication remains). In certain cases, an action in the same direction on the longitudinal trim may be needed:

• First, thrust has an adverse effect on AOA for aircraft with engines below the wings.

• Second, when the stall clues have disappeared, increase the speed if needed. Progressively increase the thrust with care, because of the thrust pitch effect.

In practice, in straight flight without stick input, the first reaction when the SW is triggered should be to gently push on the stick to decrease the pitch attitude by about two or three degrees in order to decrease the AOA. During manoeuvres, the reduction of the AOA is generally obtained just by releasing the back pressure on the stick; applying progressive forward stick inputs ensures a quicker reduction of the AOA. If the SW situation occurs with high thrust, in addition to the stick reaction, reducing the thrust may be necessary [13].

4.3 Stall state-of-the-art

The normal law of the fly-by-wire flight control system on Airbus aircraft offers a high angle of attack protection that limits the angle of attack to a value below the stall angle of attack. In alternate law, the normal law high angle of attack protection is lost but the stall warning is still available. It consists of an aural message followed by a cricket sound and the illumination of the Master Warning light. In the state-of-the-art configuration this is triggered by the FWC when it measures that the highest of the valid angle of attack values exceeds the limit.

However, the autopilot is not yet fitted with the same protections as those available in the manual control laws; this is the purpose of the Airbus project Safety Beyond Standard, which is not yet implemented on Single Aisle aircraft. It is recalled that the Enhanced Stall Warning is one of the first improvements in this direction. For instance, the autopilot is not fitted with an AOA exceedance protection: in case of AOA exceedance the autopilot is disengaged and the AOA protections of the manual control law take over. Their objective is to protect the aircraft from stalling and to bring it back into the operational flight domain. When back in the operational flight domain, it is possible to re-engage the AP. On the A350, the autopilot is fitted with the same protections as in manual flight. Thus, in case of AOA exceedance, the AP is no longer disengaged; the AOA protection takes over and oversees bringing the aircraft back into the operational Flight Domain. The activation of a manual protection with the autopilot still engaged is indicated on the FMA by the message “AP IN PROT”. When the aircraft is back in the operational Flight Domain, the AOA protection is deactivated and the autopilot automatically takes over again (since it is still engaged) in order to guide the aircraft.

For the AOA monitoring, the validity of the angle of attack also depends on the airspeed. In normal operation the monitoring logic is triplex: the checked value is the voted one, meaning the median of the three airspeeds coming from the three probes, and this logic also applies to the AOA. When one of the three AOA/speed values deviates too much from the other two, it is automatically rejected by the PRIM and the voted value then becomes the average of the two remaining values. In this case, with only two values still available, if their difference exceeds a defined threshold the PRIM rejects both AOA/airspeeds and the control law reconfigures to alternate¹⁴. In the legacy logic, if the CAS measurements of the three ADRs were lower than 60 kts, the angle of attack values of the same ADRs are invalid and the Stall Warning is then inoperative. This results from a logic stating that the airflow must be sufficient to ensure a valid measurement by the angle of attack sensors, especially to prevent spurious warnings. In certain deep stall situations the speed can be lower than 60 kts (AF447 flight Rio de Janeiro – Paris case study) and in these circumstances the AOA would be unavailable. In the SA family aircraft the stall warning threshold is independent of Mach. On the other hand, in bigger aircraft such as the A330 the threshold depends on the Mach number, in such a way that it is triggered (in alternate and direct law) before the appearance of buffet.
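The voting and gating rules just described, as an added Python illustration that is not Airbus or thesis code: the 3° rejection threshold, the latching of a rejection and the pass-through of a lone remaining source are assumptions made for the example, and the sample cycles are constructed.

```python
from statistics import median

# Rule taken from the page: an ADR's AOA is invalid while that ADR's CAS is below 60 kt.
CAS_MIN_FOR_VALID_AOA_KT = 60.0


class AoaMonitor:
    """Triplex AOA voter in the style described above (added illustration, not Airbus code).

    - three live sources: the voted value is the median; a source that is far from the
      other two while those two agree is latched as rejected;
    - two live sources: the voted value is their average; if they diverge beyond the
      threshold both are rejected and the law reconfigures to ALTERNATE;
    - a source whose CAS is below 60 kt is transiently invalid (not latched).
    The 3 degree threshold, the latching and the lone-source pass-through are assumptions.
    """

    def __init__(self, reject_threshold_deg=3.0):
        self.t = reject_threshold_deg
        self.rejected = set()      # ADR indices latched out by the comparison monitor
        self.law = "NORMAL"

    def step(self, aoa, cas):
        """One monitoring cycle over three AOA (deg) and three CAS (kt) readings.
        Returns (voted_aoa or None, control law, frozenset of rejected ADR indices)."""
        live = [i for i in range(3) if i not in self.rejected]

        if len(live) == 3:
            for i in live:
                j, k = [x for x in live if x != i]
                far_from_both = abs(aoa[i] - aoa[j]) > self.t and abs(aoa[i] - aoa[k]) > self.t
                if far_from_both and abs(aoa[j] - aoa[k]) <= self.t:
                    self.rejected.add(i)
                    live = [j, k]
                    break

        if len(live) == 2 and abs(aoa[live[0]] - aoa[live[1]]) > self.t:
            self.rejected.update(live)     # the two survivors disagree: reject both
            self.law = "ALTERNATE"
            live = []

        valid = [i for i in live if cas[i] >= CAS_MIN_FOR_VALID_AOA_KT]
        if len(valid) == 3:
            voted = median(aoa[i] for i in valid)
        elif len(valid) == 2:
            voted = (aoa[valid[0]] + aoa[valid[1]]) / 2.0
        elif len(valid) == 1:
            voted = aoa[valid[0]]          # assumption: a lone remaining source is passed through
        else:
            voted = None                   # no valid AOA: the legacy stall warning is inoperative
        return voted, self.law, frozenset(self.rejected)


def run_scenario():
    """Constructed cycles: healthy triplex, a runaway alpha on ADR 2 (index 1) that gets
    latched out, then CAS below 60 kt on every ADR as in a deep-stall case."""
    cycles = [
        ((4.0, 4.2, 3.9), (250.0, 250.0, 250.0)),   # all agree: median 4.0
        ((4.1, 12.0, 4.0), (250.0, 250.0, 250.0)),  # ADR 2 runs away: rejected, average of ADR 1 and 3
        ((4.2, 12.5, 4.1), (250.0, 250.0, 250.0)),  # rejection stays latched
        ((4.3, 13.0, 4.2), (55.0, 58.0, 52.0)),     # every CAS < 60 kt: no valid AOA at all
    ]
    monitor = AoaMonitor()
    return [monitor.step(a, c) for a, c in cycles]
```

The last cycle is the point of the paragraph: the comparison monitor is still healthy, yet the 60 kt gating leaves no AOA to vote on, so the warning computed from it is silent exactly when the aircraft is deepest in the stall.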

4.3.1 Threshold determination

In the legacy version of the stall warning system on the Long Range aircraft, in alternate law and in clean configuration, the AOA threshold that triggers the stall warning is a function of the Mach number. Schematically, the threshold is constant below a Mach number of about 0.3, then decreases quasi-linearly up to Mach 0.75, after which it falls more rapidly as the Mach number increases up to Mach 0.82, beyond which it is constant. According to some tests, the decrease in indicated speed corresponding to a 1° increase in angle of attack is about 25 kt in cruise and 5 kts in take-off and in the approach phase, considering that a reduction of speed corresponds to an increase in angle of attack (at constant load factor and in a calm atmosphere).

In cruise at Mach 0.8 the margin between the flight angle of attack and the stall warning angle of attack is of the order of 1.5 degrees, but the stall warning speed displayed on the airspeed bar (in alternate and in direct law) is about 40 kts below the current speed.

¹⁴ In normal law the aircraft is fully protected in the entire flight envelope in terms of bank and pitch angles, load factor at high speed and high angle of attack. When the protections are not triggered, the longitudinal orders from the sidestick command a load factor along the aircraft’s normal axis and the lateral orders command a rate of roll. The alternate law has two different levels:

• Alternate 1, where the commands are the same as in normal law but with fewer protections;

• Alternate 2, where the pilots command the ailerons and lift dumpers directly.

In direct law, the protections are lost and the orders from the sidestick control the position of the control surfaces directly.


In the Legacy logic on the Single Aisle family, the FWS (the flight warning system in place just before the introduction of the Enhanced Stall Warning) is responsible for computing the stall warning. In this logic the FWS computes only the Stall Warning, using its own monitoring. That monitoring consists of SSM checks only, with no comparison between sources, which means that a runaway alpha cannot be detected. In the Legacy logic the computation of the stall warning relies on one AOA value, and the first angle of attack exceeding the threshold sends the alarm (Figure 34). Two computation laws can be distinguished:

• In normal law: the Stall Warning depends essentially on the Slat/Flap configuration. The threshold for the stall detection is fixed:

o A318/A319/A320: clean configuration 13.5°; slats extended 22°

o A321: clean configuration 13.5°; slats extended 21°

• In alternate and degraded law, the alpha thresholds are not constant but are driven by tables depending on the aircraft configuration and the altitude, provided by the Handling Quality team, which the FWC computation has to interpolate.

As soon as at least one AOA value overpasses the threshold, the legacy stall warning triggers the alarm.

Figure 34: Audio SW sources contribution in Legacy logic

The Legacy computation also considers the NCD AOA characterization: the AOA is coded Not Computed Data when the CAS decreases below 60 kts, i.e. when the computed airspeed (CAS) is valid and lower than 60 kts. This on-ground condition could be erroneously triggered in flight in the following operational circumstances:

• Undetected erroneous computation of the Pitot probe;

• Pitot probe out of the airflow;

• Pitot probe obstructed by ice or any foreign material;

• Deep stall situation.


4.3.2 Increasing autopilot availability – EAPA (Enhanced Auto Pilot Availability)

With the introduction of the manual protections in the autopilot, the autopilot domain benefits from all the flight domain protections available in manual flight. Consequently, the autopilot does not need to disengage in case of a flight domain excursion: it can remain engaged as long as the manual protections are available. Therefore, the limits of the autopilot flight domain (in terms of pitch, AOA and bank angle, described in the following) are extended up to the Abnormal Flight Domain. This automatically leads to the extension of the autopilot flight domain and to an increase of AP availability (Figure 35).

Figure 35: Flight envelope to be increased in order to allow the autopilot to manage also the alternate law resulting from system reconfiguration and function backup. When the aircraft is in the normal flight envelope in normal law and the pilot leaves the sidestick/pedals, the aircraft keeps its attitude. In alternate law, when the aircraft exceeds the normal flight envelope and the pilot leaves the commands, the aircraft brings itself back autonomously to the limit of the flight envelope.

Airbus aircraft have five protections in normal flight mode (at the state of the art) to assure flight safety and not to exceed the flight envelope:

• Load Factor Limitation prevents the pilot from overstressing the aircraft even if full sidestick deflections are applied. This protection automatically limits the control input so that the aircraft remains within the AOM (Aircraft Operating Manual) “G” limitation.

• High Angle of Attack Protection, which protects against stalling and the effects of wind shear, has priority over all other protection functions. The protection engages when the angle of attack is between α_prot and α_max. It limits the angle of attack commanded by the pilot's sidestick to α_max even if full sidestick deflection is applied. If the autopilot is engaged, it is automatically disengaged with the activation of High Angle of Attack Protection. Alpha Floor (automatic application of TOGA thrust) may be activated by the auto-thrust system if the engagement parameters are met.

• High Speed Protection engages to automatically recover from a high speed upset. There are two speed limitations for high-altitude aircraft, VMO (Velocity Maximum Operational) and MMO (Mach Maximum Operational). The two speeds coincide at approximately 31,000 feet, below which overspeed is determined by VMO and above which it is determined by MMO. Activation of High Speed Protection reduces the positive spiral static stability of the aircraft from its normal 33° to 0°, which means that if the pilot releases the sidestick the aircraft rolls to a wings-level attitude (typically, when the aircraft flies within its flight envelope and the pilot releases the sidestick, the aircraft keeps its attitude if and only if its bank angle is below 33°; in high speed protection, when the pilot releases the sidestick, the aircraft restores its dynamic stability by bringing the bank angle to 0°). It also reduces the sidestick nose-down authority and applies a permanent nose-up order to help reduce the speed and recover normal flight. Activation of High Speed Protection results in an automatic, reversible autopilot disengagement. Once the speed has decreased below VMO/MMO, Normal Law is restored and the autopilot can be re-engaged.

• Attitude Protection limits the maximum bank angle of the aircraft. Within the normal flight envelope, if the sidestick is released when the bank angle is above 33°, the bank angle is automatically reduced to 33°. With full sidestick deflection, the maximum achievable bank angle is 67°. If either Angle of Attack or High Speed Protection is active, full sidestick deflection results in a maximum bank angle of 45°. With High Speed Protection active, release of the sidestick causes the aircraft to return to a wings-level (0° bank) attitude. Pitch Attitude Protection also limits the aircraft attitude to a maximum of 30° nose up or 15° nose down.

• Low Energy Protection is available when the aircraft is between 100 ft and 2000 ft with flaps set at configuration 2 or greater. The low energy warning is computed by the PRIMs using the parameters of configuration, airspeed deceleration rate and flight path angle. The aural warning "Speed Speed" indicates to the pilot that the aircraft energy is decreasing and that thrust must be added to recover a positive flight path angle. Alpha Floor protection is available and engages if the pilot actions are inappropriate or insufficient [14].

4.4 Air France AF 447 flight Rio de Janeiro – Paris

Flight AF 447, operated by an Airbus A330-203, took off from Rio de Janeiro bound for Paris Charles de Gaulle on 31st May 2009. Three and a half hours after take-off the aeroplane was flying in the oceanic region; HF communication was achieved, but attempts to establish an ADS-C connection failed. The aircraft entered a slightly turbulent zone and could not climb to flight level FL 370 because of the weather conditions. The pilot left the cockpit and, as the turbulence increased, the co-pilots changed route (given the length of the planned flight, and in compliance with the Air France operations manual and the regulations in force, the flight crew was augmented by a co-pilot). The crew decided to reduce the speed to about Mach 0.8 and engine de-icing was turned on.

Two minutes later, likely following the obstruction of the Pitot probes by ice crystals, the speed indications became incorrect and some automatic systems disconnected (autopilot and auto-thrust included). The co-pilots had control of the aircraft; it began to roll to the right and the PF made a nose-up and left input. The stall warning triggered briefly twice in a row. The calibrated airspeed displayed on the Primary Flight Display and recorded showed a sharp drop from 275 kts to 60 kts; a few moments later the speed was displayed on the Integrated Standby Instrument System (ISIS). The flight control law reconfigured from normal to alternate, and the Flight Director crossbars disappeared even though the Flight Director had not been disconnected by the crew. The PF made rapid and high-amplitude roll control inputs, from stop to stop, and also made a nose-up input that increased the aircraft’s pitch attitude to 11° in ten seconds. The PNF read the messages from the ECAM in a disordered manner (auto-thrust loss and alternate law activation). The aircraft attitude was recovered through nose-down inputs and thrust lever application; the airspeeds also became valid again after 29 seconds of invalidity.

Some seconds later, the stall warning was triggered again; the PF commanded TOGA and made a nose-up input, and the trimmable horizontal stabilizer moved nose-up from 3° to 13° and remained in the latter position until the end of the flight. The aeroplane was climbing with a pitch attitude of 16° and reached its maximum altitude of 38,000 ft.

During the following seconds, all the recorded speeds became invalid and the stall warning stopped, after having sounded continuously for 54 seconds. The altitude was then about 35,000 ft, the angle of attack exceeded 40 degrees and the vertical speed was about -10,000 ft/min. The aeroplane’s pitch attitude did not exceed 15 degrees and the engines’ N1 was close to 100%. The aeroplane was subject to roll oscillations to the right that sometimes reached 40 degrees. The PF made an input on the sidestick to the left stop and nose-up, which lasted about 30 seconds. Around fifteen seconds later, the PF made pitch-down inputs. In the following moments, the angle of attack decreased, the speeds became valid again and the stall warning triggered again.

The recordings stopped at 2 h 14 min 28 s. The last recorded values were a vertical speed of -10,912 ft/min (more than 55 m/s), a ground speed of 107 kts, a pitch attitude of 16.2 degrees nose-up, a roll angle of 5.3 degrees left and a magnetic heading of 270 degrees.

No emergency message was transmitted by the crew, who did not have the time to send one. Four minutes after the autopilot disengagement the aircraft crashed into the ocean.

In terms of Reason’s Model, the accident resulted from the following succession of events:

• Temporary inconsistency between the measured airspeeds, likely following the obstruction of the Pitot probes by ice crystals, which led to autopilot disconnection and a reconfiguration to alternate law.

• Inappropriate human control inputs that destabilized the flight path.

• The crew not making the connection between the loss of indicated airspeeds and the appropriate procedure.

• The PNF’s late identification of the deviation in the flight path and insufficient correction by the PF.

• The crew not identifying the approach to stall, the lack of an immediate reaction on its part and the exit from the flight envelope.

• The crew’s failure to diagnose the stall situation and, consequently, the lack of any actions that would have made recovery possible.


The BEA¹⁵ addressed 41 Safety Recommendations to the DGAC (Direction générale de l’aviation civile), EASA, the FAA, ICAO and the Brazilian and Senegalese authorities (the authorities responsible for the airspace where the accident took place), related to flight recorders, certification, training and recurrent training of pilots, relief of the Captain, SAR and ATC, flight simulators, cockpit ergonomics, operational feedback and oversight of operators by the national oversight authority. Following these recommendations, Enhanced Auto Pilot Availability, Unreliable Airspeed Mitigation Mean and Enhanced Stall Warning were developed by Airbus to improve the flight safety of the Airbus fleet and to meet the BEA requirements.

According to the FDR parameter analysis, a speed drop was recorded on ADR 2 and ADR 1, which caused the Auto Pilot disengagement and the immediate reversion to Alternate Law once the Pitot probe malfunction was triggered. Thereafter, ADR 3 also measured a speed drop, which triggered the auto-thrust disengagement and the Flight Director disconnection. A few minutes later the second Flight Director was lost, since ADR 1 and ADR 2 had been rejected by the FMGC, so only the first Flight Director was shown on PFR 1.

From the moment the aircraft switched to Alternate Law, the Stall Warning alarm was repeatedly triggered and deactivated until the end of the flight, see Figure 36. Only one Mach value was recorded, but the Stall Warning threshold depended on the three Mach numbers.

Figure 36: Telemetry of flight AF 447: Mach number, angle of incidence and Stall Warning alarm in the cockpit over time

¹⁵ In accordance with Annex 13 to the Convention on International Civil Aviation and with the French Civil Aviation Code (Book VII), the BEA, as Investigation Authority of the State of Registry of the aeroplane, instituted a safety investigation and a team was formed to conduct it.


In the last graph of Figure 36, the Stall Warning alarm shows that the first signal was so short that the pilots could not perceive it, but the “Master Warning” parameter in FWC 1 triggered at that moment. This short alarm may be explained by the fact that the three Mach numbers were abnormally low because the Pitot probes were frozen. Furthermore, the activation threshold increased to more than 8°, so the Stall Warning alarm stopped because this value was higher than the recorded incidence.

4.5 Frozen probes

The ADR airspeed is deduced from the measurement of two pressures and of the total air temperature (TAT):

• Total pressure (Pt), by means of the Pitot probe;

• Static pressure (Ps), by means of a static pressure sensor. Because of the position of the static pressure sensors, the measured static pressure overestimates the real static pressure. The measured static pressure must thus be corrected for this error before being used to calculate other parameters. The value of the correction depends on the Mach number and takes into account the position of the sensors on the fuselage. Thus the correction performed by ADR 3 differs from that performed by ADR 1 and ADR 2: in fact the “Standby” probe linked to ADR 3 is the only one whose information is corrected for sideslip¹⁶, while all the probes (“Captain”, connected to ADR 1, “First Officer”, which supplies ADR 2, and ADR 3) are corrected for the CG transport, so as not to take wind shear into account (Figure 37 and Figure 38).

Figure 37: Architecture of the interface between the ADRs and the on-board computers. The first probe is connected to the Captain side, the second probe is linked to the First Officer side and the third one is a backup of both lines. Normally, the third probe is used if it is selected manually by the crew through the rotary switch on the overhead panel, or it is automatically designated in case the first probe fails.

¹⁶ On the A340-300 and A330-300 the correction of the static pressure measurement is negligible in cruise because of the position of the static pressure probes and the Mach number, but this does not apply to the SA family and other aircraft.


Airbus aircraft have three Pitot probes and six static pressure sensors. These probes are fitted with drains allowing water evacuation and with an electric heating system designed to prevent ice formation.

Figure 38: Position of the Pitot probes on the Airbus A330. Because of the position of the third probe, the measured values must be corrected by the sideslip angle.

The pneumatic measurements are converted into electrical signals by the ADMs (Air Data Modules) and delivered to the computers that perform the computations. Knowing the total and the static pressure makes it possible to calculate a Mach value, which gives access to the correction of the static pressure:

$$\frac{p_o}{p} = \left(1 + \frac{\gamma - 1}{2} M^2\right)^{\frac{\gamma}{\gamma - 1}} \;\Rightarrow\; M = \sqrt{\frac{2}{\gamma - 1}\left[\left(\frac{p_o}{p}\right)^{\frac{\gamma - 1}{\gamma}} - 1\right]}$$

Subsequently, with the Mach value known, the TAT measurement makes it possible to determine the static air temperature (SAT), which together with the computed Mach is used to calculate the CAS and the standard altitude:

$$\frac{T_o}{T} = 1 + \frac{\gamma - 1}{2} M^2 \;\Rightarrow\; T = \frac{T_o}{1 + \frac{\gamma - 1}{2} M^2}$$

$$CAS = \sqrt{\gamma R T}\, M = \sqrt{\frac{\gamma R T_o}{1 + \frac{\gamma - 1}{2} M^2}} \cdot \sqrt{\frac{2}{\gamma - 1}\left[\left(\frac{p_o}{p}\right)^{\frac{\gamma - 1}{\gamma}} - 1\right]}$$


Only at this point is it possible to calculate the true air speed (TAS¹⁷):

$$EAS = c_o M \sqrt{\frac{p_o}{p}}, \qquad TAS = EAS \sqrt{\frac{\rho_0}{\rho}}$$

The calibrated airspeed (CAS) and the Mach number are the main items of speed information used by the pilot and by the Auto Flight System (under the MACH and SPD functions) to control the aircraft. These parameters are elaborated by three computers, called ADIRUs, each consisting of:

• An ADR module, which calculates the aerodynamic parameters, specifically the CAS and the Mach number;

• An IRS module, which provides the parameters delivered by the inertial units. It uses the true airspeed to calculate the wind speed from the ground speed and the attitudes. It also uses the derivative of the standard altitude, which it combines with the integration of the measured acceleration to calculate the vertical speed (called baro-inertial, Vzbi in Figure 39) displayed on the PFD in nominal flights.

Figure 39: Flight parameters elaboration path by the ADIRS computers.

¹⁷ At higher altitudes the CAS can be corrected for compressibility error to give the equivalent airspeed (EAS). In practice the compressibility error is negligible below about 3,000 m (10,000 ft) and 370 km/h (200 kts).


At certain altitudes, depending on the flight conditions (temperature and Mach), when the concentration of ice crystals exceeds the de-icing capacity, the accumulation can affect the total pressure probes. This results in a temporary and reversible deterioration of the total pressure measurement. Experience and follow-up of these phenomena in very severe conditions showed that this loss of function is of limited duration, in general around 1 or 2 minutes.

In case of a drop in the measured total pressure, the first consequence is a corresponding drop in Mach and in CAS. The drop in Mach leads in turn to a drop in the standard altitude, because of the correction applied to the measured static pressure. This loss has a different impact depending on the ADR under investigation: in the flight conditions of the event, it is of the order of 300 to 350 ft for ADR 1 or 2 but only 80 ft for ADR 3. As a consequence, this drop in indicated standard altitude is also reflected in a transient variation of Vzbi. Just as the drop in standard altitude is smaller for ADR 3 than for the other two probes, the Vzbi reduction is smaller for ADR 3 than for ADR 1 or 2, as shown in the graph of Figure 40.

Figure 40: Drop in static pressure and in vertical speed measurement as a consequence of the fall in the total pressure measurement

The second consequence of the decrease in the measured Mach value is an impact on the SAT, and thus on the true airspeed and on the wind speed, as illustrated in Table 1:


Table 1: The consequences of a Pitot icing resulting in a drop in Mach from 0.8 to 0.3, and the resulting consequences on the air data parameters. The table takes its data from a simulation of an A330-200 flying at FL350 at Mach 0.8 in standard atmosphere with a 30 kts head wind.
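The chain of consequences in Table 1 can be reproduced from the relations of section 4.5. The following Python block is an added example, not part of the thesis or of any Airbus software: it uses the isentropic relations above with ISA constants, computes the CAS from the impact pressure according to the standard subsonic definition (rather than the page's shorthand), assumes a TAT recovery factor of 1, and constructs the cruise case (FL350, Mach 0.8) in which an iced Pitot probe reports the total pressure corresponding to Mach 0.3 while the static pressure and the TAT remain correct.

```python
import math

GAMMA = 1.4            # ratio of specific heats for air
R_AIR = 287.05         # J/(kg K)
T_SL = 288.15          # ISA sea-level temperature, K
P_SL = 101325.0        # ISA sea-level pressure, Pa
A_SL = math.sqrt(GAMMA * R_AIR * T_SL)   # sea-level speed of sound, m/s
MS_TO_KT = 1.943844
FT_TO_M = 0.3048


def isa_static(h_ft):
    """ISA static temperature (K) and pressure (Pa) in the troposphere (below 11 km)."""
    h_m = h_ft * FT_TO_M
    t = T_SL - 0.0065 * h_m
    p = P_SL * (t / T_SL) ** 5.2559
    return t, p


def total_pressure(mach, ps):
    """Isentropic relation from the page: p_o/p = (1 + (gamma-1)/2 M^2)^(gamma/(gamma-1))."""
    return ps * (1.0 + (GAMMA - 1.0) / 2.0 * mach ** 2) ** (GAMMA / (GAMMA - 1.0))


def mach_from_pressures(pt, ps):
    """Inverse of total_pressure: M = sqrt(2/(gamma-1) [ (p_o/p)^((gamma-1)/gamma) - 1 ])."""
    ratio = max(pt / ps, 1.0)      # a Pitot reading below static is clamped to M = 0
    return math.sqrt(2.0 / (GAMMA - 1.0) * (ratio ** ((GAMMA - 1.0) / GAMMA) - 1.0))


def sat_from_tat(tat, mach):
    """Static air temperature from TAT: T = T_o / (1 + (gamma-1)/2 M^2), recovery factor 1."""
    return tat / (1.0 + (GAMMA - 1.0) / 2.0 * mach ** 2)


def tas_ms(mach, sat):
    """True airspeed = local speed of sound x Mach."""
    return math.sqrt(GAMMA * R_AIR * sat) * mach


def cas_ms(pt, ps):
    """Calibrated airspeed: the sea-level speed giving the same impact pressure q_c = p_t - p_s
    (standard subsonic definition, used here instead of the page's shorthand)."""
    qc = max(pt - ps, 0.0)
    return A_SL * math.sqrt(2.0 / (GAMMA - 1.0)
                            * ((qc / P_SL + 1.0) ** ((GAMMA - 1.0) / GAMMA) - 1.0))


def air_data(pt_measured, ps, tat):
    """What an ADR derives from a (possibly wrong) total pressure, static pressure and TAT."""
    m = mach_from_pressures(pt_measured, ps)
    sat = sat_from_tat(tat, m)
    return {"mach": m, "sat_k": sat,
            "tas_kt": tas_ms(m, sat) * MS_TO_KT,
            "cas_kt": cas_ms(pt_measured, ps) * MS_TO_KT}


def pitot_icing_demo(fl=350, true_mach=0.8, iced_mach=0.3):
    """Constructed case in the spirit of Table 1: cruise at FL350, Mach 0.8; the iced Pitot
    reports the total pressure corresponding to Mach 0.3 while p_s and TAT stay true.
    Returns (healthy, iced) air-data dictionaries."""
    sat, ps = isa_static(fl * 100)
    tat = sat * (1.0 + (GAMMA - 1.0) / 2.0 * true_mach ** 2)   # TAT the probe really senses
    healthy = air_data(total_pressure(true_mach, ps), ps, tat)
    iced = air_data(total_pressure(iced_mach, ps), ps, tat)    # only p_t is corrupted
    return healthy, iced


if __name__ == "__main__":
    healthy, iced = pitot_icing_demo()
    for key in healthy:
        print(f"{key:7s} healthy {healthy[key]:8.2f}   iced {iced[key]:8.2f}")
```

Only the total pressure is wrong in the iced case, yet the Mach, the CAS, the SAT derived from the TAT (overestimated by more than 20 K, since the divisor uses the low Mach) and therefore the TAS all move together, which is why the static-pressure correction, the standard altitude and the wind computation described above are dragged along with the single bad reading.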

The internal monitoring checking the frozen probe status works by comparing the current value read from the probe with the value of the previous loop: if the value stays the same over successive loops, the probe is labelled as frozen and is no longer used in further computations. The frozen monitor also considers whether there is a variation in load factor without any AOA variation; in this case too the probe is labelled as frozen. The frozen monitoring was introduced by the UAMM updates, right after the AF447 accident.
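The two frozen-probe criteria just described, as an added Python illustration (not Airbus or thesis code): the number of identical loops that counts as "stuck", the load-factor and AOA steps used for the second criterion, and the three sample traces are all constructed assumptions.

```python
class FrozenProbeMonitor:
    """Frozen-probe monitor in the style described above (added illustration, not Airbus code).

    Two criteria flag the probe as frozen and latch it out of further use:
      1. STUCK: the reading is identical to the previous loop for `stuck_loops` loops in a row;
      2. NZ_WITHOUT_AOA: the load factor changes by more than `nz_step` between two loops
         while the AOA reading moves by less than `aoa_step`.
    The loop count and the two step sizes are assumptions chosen for the example.
    """

    def __init__(self, stuck_loops=5, nz_step=0.10, aoa_step=0.05):
        self.stuck_loops = stuck_loops
        self.nz_step = nz_step
        self.aoa_step = aoa_step
        self.prev = None        # (aoa_deg, nz) from the previous loop
        self.repeats = 0        # consecutive loops with an unchanged AOA reading
        self.frozen = False
        self.reason = None

    def step(self, aoa_deg, nz):
        """One monitoring loop. Returns True once the probe is latched as frozen."""
        if self.frozen:
            return True
        if self.prev is not None:
            prev_aoa, prev_nz = self.prev
            unchanged = abs(aoa_deg - prev_aoa) < 1e-9
            self.repeats = self.repeats + 1 if unchanged else 0
            if self.repeats >= self.stuck_loops:
                self.frozen, self.reason = True, "STUCK"
            elif abs(nz - prev_nz) > self.nz_step and abs(aoa_deg - prev_aoa) < self.aoa_step:
                self.frozen, self.reason = True, "NZ_WITHOUT_AOA"
        self.prev = (aoa_deg, nz)
        return self.frozen


def first_frozen_loop(trace, **kwargs):
    """Runs a trace of (aoa_deg, nz) samples; returns (loop index, reason) of the first
    frozen verdict, or (None, None) if the probe is never rejected."""
    monitor = FrozenProbeMonitor(**kwargs)
    for i, (aoa, nz) in enumerate(trace):
        if monitor.step(aoa, nz):
            return i, monitor.reason
    return None, None


# Constructed traces (not flight data): a live probe in light turbulence, a reading stuck at
# 4.0 deg, and a stuck reading during a gust that moves the load factor.
LIVE_TRACE = [(4.0, 1.00), (4.1, 1.02), (4.3, 1.05), (4.0, 0.98), (3.9, 0.97), (4.1, 1.01), (4.2, 1.03)]
STUCK_TRACE = [(4.0, 1.00), (4.0, 1.00), (4.0, 1.01), (4.0, 1.00), (4.0, 1.00), (4.0, 1.00), (4.0, 1.00)]
GUST_TRACE = [(4.0, 1.00), (4.0, 1.00), (4.0, 1.25), (4.0, 1.30)]

if __name__ == "__main__":
    for name, trace in (("live", LIVE_TRACE), ("stuck", STUCK_TRACE), ("gust", GUST_TRACE)):
        print(name, first_frozen_loop(trace))
```

The second criterion is what makes the monitor fast: in a gust the load factor moves within one loop, so a probe whose AOA does not follow is rejected long before the stuck-value counter could expire, while a live probe in the same turbulence is never rejected.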

4.6 Enhanced Stall Warning

Following the BEA recommendation after the A330 accident, the Enhanced Stall Warning (ESW) is an Airbus safety initiative that intends to address the in-service events identified by the Airbus Safety Investigation team. It also brings additional safety compared to the current architecture by further improving the reliability and availability of the Stall Warning (the majority of the cases were related to spurious Stall Warnings), even in extreme failure situations.

The first step in the evolution of the Stall Warning consists in moving the legacy Stall Warning logic from the FWC to the FAC on the A320 aircraft family. In case of a detected loss of both FACs, the FWC is still able to perform a backup stall warning with a new logic. In the event of a double FAC loss, the FMGC takes charge of the characteristic backup speeds.

The ESW function is activated through a dedicated hardware pin programming (HPP) on the FAC side; the FAC then converts this information into a Software Pin Programming (SPP) that can be transferred to the EIS/HUD for the visual alert, to the FWS for the audio message and to the FMGC for the autopilot disengagement. As a precaution, and to avoid any regression on the software side, the legacy FWC Stall Warning computation is not removed but is completely inhibited when the ESW pin programming is installed; otherwise it is still used to raise the alarm when the old logic triggers (Figure 41).

The aims of the Enhanced Stall Warning function are:

• To make use of the state-of-the-art UAMM angle of attack monitoring for the AOA selection and to improve the function reliability.

• To provide a speed-based Stall Warning in case of total loss of the AOA, ensuring a stall warning computed from reliable sources even in case of multiple failures.

• To provide a backup Stall Warning from the FWC in case of failure of the primary Stall Warning computer (FAC).

• To provide a backup for the characteristic speeds (FMGC).

The main key points of this first step of evolution are:

• Enhanced Stall Warning capacity. This capacity is computed directly in the FAC if the function can perform its task. The ESW capacity is based either on the AOA or on the speed. The information is then sent to the FWC to notify the system status. If the capability is sent as false (Boolean), the FWC takes over the SW backup computation.

• Stall Warning Activation Request, now computed on the FAC side, considering both the AOA and the speed capacity (AOA has priority over the speed computation). This is the computation that sends the alarm in case of stall. This information is sent to the FWC to trigger the aural alert, to the EIS/HUD to show the “STALL STALL” message and to the FMGC to disengage the AP when not in normal law.

• New threshold computation for both the speed-based and the AOA-based stall warning.

Figure 41: ESW from the aircraft point of view. The overall function is shown, split by computer.

The Enhanced Stall Warning function performs in the FAC the acquisition, the monitoring, the consistency check, the selection and finally the correction of the AOA from both ADIRU sources (ADC and IRS). Lastly, it emits the AOA status (healthy, rejected or failed) to the FWS for DFDR recording purposes. In the meanwhile the ELAC sends its AOA watchdog to the FAC to improve the AOA monitoring. If the ELAC monitoring rejects all the AOAs, the ESW capacity based on the angles of attack is lost and the system reconfigures automatically to the speed-based ESW.

The ESW performs a new computation of the thresholds (both the AOA and the speed threshold) and triggers the warning when the current AOA is above the AOA threshold or the current speed is below the speed threshold. After the stall warning activation request, the system sends the autopilot disconnection order to the FMGC only in alternate law.

4.6.1 Applicability

This project concerns the Single Aisle family (A318CEO, A319CEO, A320CEO, A321CEO, A319NEO,

A320NEO, and A321NEO) and SA Electrical rudder program.

According to the fault tree analysis performed at aircraft level, the loss of the Stall Warning function (SW) in degraded law with the aircraft outside the Normal flight envelope has been classified as HAZ (hazardous): the pilots would lose the information about the minimum flying speed and the stall warning would be out of order, so if the pilots led the aircraft to the edge of the flight envelope they would have no instrument informing them about the stall of the aircraft. Likewise, a spurious Stall Warning or 𝑉𝛼𝑆𝑊 in degraded law with the aircraft outside the Normal flight envelope is classified HAZ: a spurious stall warning is as dangerous as a missing alarm.

Although the Enhanced Stall Warning has to improve the safety and availability of the function, the legacy function shall be maintained, but the two functions must not trigger the alarms at the same time; in other words, only one function must be operative at a time. The ESW wiring enables the function: if the hardware pin programming is connected from the aircraft to the computer, the ESW is active; otherwise the legacy logic is kept and works as if the ESW were not implemented. While the aircraft is on the ground, the ESW pin programming activated on the FAC side shall ensure that all the systems have an adequate configuration. The Enhanced Stall Warning is active only when all the supporting systems are in an adequate configuration.

Since the aural alarm is generated by the FWS, if the triggering and the computation are hosted by the FAC, any transmission delay, caused by the cycle time of the new equipment plus the communication time, must be compensated. This can be done by the handling qualities team reviewing the alert thresholds (alpha and speed stall warning alert) to account for the transmission time from FAC to FWC. The direct consequence is a reduction of the flight envelope in terms of alpha. From the avionics point of view, the transmission time chosen to deliver the stall warning activation request is the fastest transmission rate available (35 ms).


4.6.2 Constraints and opportunities

No architectural changes to the Auto Flight System are foreseen for the Enhanced Stall Warning development: the hardware architecture must be preserved, and only the introduction of a new pin programming is allowed. The pin programming is effectively a hardware modification that declares the installation of a new function. When a new function is installed in the AFS (FAC, FMGC and all the other FCCs), it needs a connection to aircraft ground to ensure the correct supply. Inside the flight computer the pin programming is a Boolean that is set to one if the function is correctly installed. The pin programming information is shared among all the computers where the function runs.

In order to perform its tasks correctly, the Enhanced Stall Warning needs to communicate with updated computers. For this purpose the FAC must contain the UAMM update, because the Enhanced Stall Warning takes advantage of the UAMM monitoring and backups to deliver a function that is more robust than the state of the art. The FMGC must be equipped with the latest available software, and the FWC with the matching update. Concerning the ELAC, the installation of the latest software version is advisable but not blocking for the ESW activation. Even if the ELAC is not equipped with the latest software version, the FAC can still compute the Stall Warning based on the UAMM monitoring, but without the ELAC AOA watchdogs: for an ELAC not capable of emitting an AOA watchdog signal, the signal is read as FALSE inside the FAC and the usage of the AOA depends only on the FAC internal monitoring.

4.6.3 ESW operation modes

Implementing the ESW in the FAC rather than in the FWC, as in the legacy solution, reduces the common points between the loss of the flight control protection and the loss of the ESW (source segregation), because before the modification the protection was computed in the ELAC. However, this embedded function carries the drawback of the delay between FAC and FWS; this additional delay can be taken into account when defining the new alpha threshold for the FAC (𝛼𝑠𝑤).

The ESW has two modes of operation, Bypass mode and Backup mode (failure situation); see Figure 42.

The Bypass mode, performed when at least one FAC is in normal mode, has different logics available to compute the Stall Warning depending on the AOA or speed availability. When at least one AOA is available (either from ADC or from IRS) according to the UAMM monitoring of broken, failed and iced sensors and to the SSM treatment, which verifies the correct reception of the signal from the sending computer (ADC or IRS), the FAC performs the AOA-based Stall Warning computation. In this case the FAC qualifies the AOA using state-of-the-art AOA monitoring, estimation and selection methods (Voted/Average and Last value). The ESW compares the reference AOA with the Stall Warning threshold (𝛼𝑆𝑊𝑡ℎ𝑟) that it computes itself, to produce a Stall Warning activation message. If all the AOAs are lost, the speed-based stall warning takes over the function, provided at least one ADC speed is available and the characteristic speeds are valid.

The new speed threshold computation is included in this stall warning update: the current speed is compared with the speed threshold and, if it is below the threshold, the activation request Boolean is set to TRUE and sent to the FMGC for the AP disengagement, to the FWC for the aural alarm and to the EIS/HUD for the “STALL STALL” message.

In Backup mode both FACs are out of order: the FWC takes over the backup stall warning computation and the FMGC takes charge of the backup characteristic speeds, to give the pilot a general view of the flight envelope even in case of double FAC loss.

Figure 42: ESW operating mode and system reconfiguration upon FAC and AOA failures


4.6.4 Enhanced Stall Warning capacity

The Enhanced Stall Warning, when in Bypass mode, is able to monitor its capacity to perform the function and sends a signal to the FMGC and FWC to inform them about its status. As long as at least one AOA is available (from either ADC or IRS) the ESW computes the stall warning based on AOA; when the AOAs are no longer valid, the system reconfigures itself to switch to the speed capacity. The speed capacity is set as long as at least one CAS is valid and the characteristic speeds (VLS, VMAX, 𝑉𝛼𝑆𝑊) are valid.

The speed-based stall warning is available in the degraded case, when no AOA is reliable any more. This function is selected when the FAC rejects all the AOAs (neither reliable nor uncertain) from the watchdogs or from the monitoring, at least one speed reference on an ADR is available and VLS is defined as healthy. In order to validate the CAS, the speeds are checked one by one with respect to:

The acquisition, which could be unhealthy because of an issue in the signal transmission from ADC to FAC;

Triplex monitoring among OWN, OPP and 3;

Duplex monitoring among OWN, OPP, 3 and the backup speeds, when a speed has already been rejected by the triplex;

Ice monitoring, checking whether the CAS value has changed from the value measured in the previous loop (with a delay of 0.875 s);

Two vs Two monitoring: the single speed value is compared with the voted speed value and with the backup speed, the voted value is also compared with the backup speed value, and if all three comparisons exceed a certain threshold the monitoring marks the speed as failed.

The last two monitorings were introduced by the UAMM update.

The characteristic speeds availability requires that the ADC acquisitions be healthy and that there be no failures in the SFCC (legacy logic, before UAMM). After the UAMM implementation, the characteristic speed availability also considers the IRS acquisitions.

If both the AOA-based and the speed-based stall warning are lost, the FAC sends the information that it is no longer capable of performing the function.

4.6.5 Angle of attack monitoring and selection

In the current SA aircraft, three independent angle of attack sensors are available, and each sensor provides the AOA data to a dedicated ADR (OWN, OPP, 3) and to a dedicated IRS (OWN, OPP, 3) via corresponding links, Figure 43. The IRS refresh rate is three times slower than the ADR one. The data from ADR and IRS are processed by the FAC, which treats them through SSM and Refresh monitoring (ADR and IRS sources) and UAMM probe monitoring. The FAC performs its own SSM and Refresh monitoring on the ADR and IRS AOA links.

Figure 43: AOA ADR and AOA IRS link reception at FAC

The reference AOA is selected by the FAC monitoring (both the UAMM ones and the SSM/refresh) and is used for the comparison with the alpha threshold, evidently with the ESW in Bypass mode, Table 3:

If all the AOAs are available, the alpha reference is the voted value among the ADC angles of attack.

If two ADC and three IRS AOAs are available, the function computes the reference angle as the average of the valid ADC AOAs.

Even if only one ADC AOA is available according to the UAMM monitoring (considering the 𝜃 − 𝛾 estimator and the Nz-AOA monitoring) and three IRS are qualified, the reference angle is the last ADC value.

Only if all three ADC AOAs are lost is the reference angle of attack computed with the same logic as before, but among the IRS sources (Voted/Average/Last value).

The monitoring performed for the purpose of the ESW takes advantage of the UAMM alpha monitoring. UAMM required the implementation of several alpha monitorings, Table 2:

Broken probe detection at take-off, when the values diverge by comparison with the theta Euler angle;

Iced probe monitoring (Nz-AoA);

Drift detection (triplex monitoring by comparison);

Disagreement detection (duplex monitoring);

Theta-gamma monitoring: this monitoring triggers only in case of triple ADR CAS rejection. This means that in this situation there is no other speed source to check the consistency of the backup speed: the aircraft is flying only with backup speeds. Consequently, the UAMM backup speeds are computed based on the AOAs not rejected by this monitoring. In this case the ESW should not use an AOA rejected from the backup speed computation;

Nz-AOA monitoring (to be made available when ADR CAS is available and also when all ADR CAS are rejected) shall be optimized specifically for this purpose, such that the rejection by the monitoring is reversed (see footnote 18) if:

o The backup speed is consistent with the ADR CAS

o The AOA is no longer blocked: 𝐴𝑜𝐴𝑚𝑎𝑥 − 𝐴𝑜𝐴𝑚𝑖𝑛 > 𝑐𝑜𝑛𝑠𝑡𝑎𝑛𝑡

o The AOA is consistent with the Theta-Gamma estimator for a long time

o The AOA is consistent with each still not rejected AOA for a long time.

Figure 44: UAMM alpha monitoring and alpha reference selection. In the Simulink schema NU means Not Used for the Enhanced Stall Warning purpose, while VAL means valid. In the IRS/ADC selection boxes the selection logic is implemented using Voted/Average and Last value.

In case of failure, when AOA X is not used for the enhanced stall warning computation because of the monitoring described above, a signal is sent from the FAC to the FWC to indicate which angle of attack is not used for the ESW computation, so that it is not used for the computation of 𝑉𝛼𝑆𝑊 either, keeping the function calculations consistent, Figure 44. An ELAC with adequately updated software is able to send a signal (watchdog) to inform the FAC when all the angles of attack are unusable; in this case the AOA capacity is automatically lost and the system reconfigures to the speed-based stall warning.

[18] The reversibility helps to prevent the permanent rejection of AOAs, because AOA blockages due to ice crystals are frequent but transient.


The triggered ELAC watchdog is sent to the FAC to reconfigure the system on the speed-based enhanced stall warning. The watchdog is sent when the ELAC measures a discrepancy between the aircraft attitude and the speed: that is, when the measured attitude is pitched up according to the AOAs while the recorded speed continues to increase, or vice versa. In that case the AOAs are measuring an incorrect attitude because of some failure; in fact, with the thrust lever set, it is impossible to have the aircraft pitching up and the speed increasing at the same time (or vice versa). The ELAC watchdog is then triggered and the FAC loses the AOA-based stall warning, because the AOAs are no longer reliable, Figure 45: all the AOAs are labelled as Not Used and the system reconfigures to the speed-based SW. This adjustment was necessary to avoid the Boeing 737 Max 8 stall situation, in which the aircraft was in actual fact pitched down (indeed the speed kept increasing) but the AOAs indicated a nose-up attitude that triggered the stall warning even though it was not the real case. The system would therefore try to recover from the stall by reducing the AOA with a pitch down, but the nose is already down, and hence the stall situation becomes an unrecoverable deep stall with the consequences that Boeing experienced. In short, the ELAC watchdog is a means to enhance the Stall Warning availability and reliability and to avoid any spurious alarm.

Figure 45: ESW alpha monitoring and ELAC watchdogs

4.6.6 Thresholds computation

Once the alpha reference has been computed and selected, it is used to compute the stall warning through a comparison with the alpha stall warning threshold. The threshold computation logic varies according to the aircraft configuration and the flight control law status.

The threshold computations are reviewed in order to take the UAMM backups and improvements into account. A clarification is necessary on the threshold computation, which is performed both in normal law and in alternate law. As a matter of fact, even though the Stall Warning alarm is emitted only in alternate law, because otherwise the protections would prevent the aircraft from stalling, the AOA threshold is additionally computed in Normal Law. In this case the information sent to the FMGC does not aim to disconnect the autopilot but rather to order the elevator and the auto-thrust to make the corrections needed to recover the aircraft attitude by means of the protections.

For this purpose the AOA stall warning threshold depends only on the aircraft slats/flaps configuration, and it considers whether the SFCCs are capable of sending the correct information, either through the FAC or through the IPPU (see footnote 19), Figure 46. From the acquired information, the FAC computes one constant for the hyper configuration and a different constant for the clean configuration. Evidently, the constants differ among the aircraft of the SA family, depending on their aerodynamic solutions and performance.

Figure 46: Alpha stall warning computation in Normal Law

In alternate law, Figure 47, the AOA SW threshold is compared with the reference AOA in order to trigger the alarm. For this purpose the threshold in hyper configuration is computed as in normal law, i.e. a constant is taken if the slats and flaps are extended. In clean configuration, an AOA threshold depending on the Mach number is computed. Therefore, the Mach availability is checked:

[19] IPPU is another new function, implemented at the same time as the enhanced stall warning, which allows sending the slats and flaps positions to the FAC even in case of SFCC failure; the information comes directly from the FWC. Also, in case of double FAC loss, the IPPU function allows the FMGC to correctly receive the slats and flaps information that is normally sent to the FMGC through the FAC. Only one condition at a time can be covered; the IPPU provides the slats and flaps information in case of:

Double FAC loss

Double SFCC failure

If both FACs and both SFCCs are lost, the IPPU is no longer capable of sending the information.


If all the ADR Mach values and the backup Mach are valid, the Mach reference is the value selected among the ADR Mach and the backup Mach using the UAMM monitoring.

If all the ADR Mach values and the backup Mach are not valid (but the BARO ADC acquisitions are still healthy), the system reconfigures itself to take as Mach the minimum between the maximum Mach computed before and a Mach value obtained from the GPS altitude (IRS), Figure 48, Figure 49.

In case of uncertainty, it is better to assume a Mach number larger than the actual one, which reduces the displayed margin with respect to reality and is therefore on the safe side. An overestimation of Mach is very remote based on in-service experience. Even if there is an erroneously high Mach on one or several ADRs, the maximum Mach based on the IRS prevents the selection of this erroneous value, and thereby eliminates the possibility of a Mach overshoot and of an undue stall warning caused by it.

If every Mach reference is lost, the Mach value is set to zero, so that the AOA threshold considered is the one at the minimum speed saturation.

Figure 47: Alpha stall warning computation in Alternate Law

For the speed-based SW, a new computation of the 𝑉𝛼𝑆𝑊 was implemented. The 𝑉𝛼𝑆𝑊 computed by the handling qualities team is a function of the VLS speed (the minimum speed selectable by the pilots in the FCU) and of the load factor, through a parameter that creates a margin and that is to be tuned during the simulator sessions.


Figure 48: Maximum Mach number tendency as a function of the altitude. The Mach value is then used to compute the alpha stall warning in alternate law in clean configuration. The Mach value is saturated above a threshold altitude for aerodynamic purposes. The Mach tendency over the altitude follows the load factor over speed tendency (flight envelope).

Figure 49: Alpha Stall Warning threshold as Mach function. This interpolation is used by the FAC to trigger the activation request sent then to FWC in alternate law in clean configuration. The Mach values are computed as altitude function.


4.6.7 Enhanced Stall Warning Activation Request

Once the thresholds have been computed, they are compared with the reference AOA in order to emit the stall warning trigger:

When 𝛼𝑟𝑒𝑓𝑒𝑟𝑒𝑛𝑐𝑒 ≥ 𝛼𝑆𝑊𝑡ℎ𝑟, the FAC produces the SW activation request for FWS, EIS and HUD. The FWS transmits the SW request produced by the FAC to the audio system to produce the Stall Warning audio alert; EIS and HUD display the red “STALL STALL” message on the PFD.

If no AOA is available, the Bypass mode is kept but the Stall Warning computation is based on speed. The FAC performs the Stall Warning computation based on 𝑉𝛼𝑠𝑤𝑏𝑎𝑐𝑘𝑢𝑝, which in turn is computed from speed data instead of AOA data. As the 𝑉𝑆𝑊 based on VLS is independent of the AOA, using it for the Stall Warning condition gives more confidence than using an alpha disqualified by the FAC monitoring; this improves the reliability and availability of the Stall Warning.

Consequently, when 𝑉𝐶𝐴𝑆 ≤ 𝑉𝛼𝑆𝑊𝑏𝑎𝑐𝑘𝑢𝑝, the FAC produces the SW activation request for FWS, EIS and HUD. The FWS transmits the SW request produced by the FAC to the audio system to produce the Stall Warning audio alert; EIS and HUD display the red “STALL STALL” message on the PFD.

In alternate law, the activation request is sent to the FMGC to disengage the autopilot following the legacy logic in the FMGC. No modifications are needed in the FMGC to acquire the enhanced stall warning signal and disconnect the autopilot.


Figure 50: Simulink simulation of the Enhanced Stall Warning function. The function has been simplified to allow it to run outside the A320 flight control computers. The monitoring is forced manually to work


Table 2: Summary of the AOA monitoring and estimation. The 𝐶𝐿𝑚𝑎𝑥 monitoring has been used on Long Range aircraft but it is not applicable to the ESW because, in a stall situation, the load factor is close to zero, so CL/AOA/speed cannot be determined from the lift equation. Hence, an alpha monitoring based on the lift equation will be reliable to qualify a reference alpha to compute the Stall Warning.

Availability (α_ADR & α_IRS)   | SW
3 α_ADR reliable               | Voted ADR
2 α_ADR reliable               | Average ADR
1 α_ADR reliable               | Last ADR
0 α_ADR, 3 α_IRS               | Voted IRS
0 α_ADR, 2 α_IRS               | Average IRS
0 α_ADR, 1 α_IRS               | Last IRS
0 α_ADR, 0 α_IRS               | Based on VLS

Table 3: AOA selection criteria for ESW


In normal law, the activation request is not sent with the aim of disconnecting the autopilot but in order to trigger the alpha floor warning; it is inhibited in case of wind-shear and in take-off mode below 1500 ft. The inhibition in wind-shear means that, in cruise, when a wind-shear is detected by the FAC monitoring, the activation request is set to zero so as not to create a spurious alarm or attitude recovery. The wind-shear phenomena have higher priority over the stall warning because they last only a few seconds, and there is no need to alert the pilot or the autopilot to take recovery manoeuvres. On the other hand, at take-off the aircraft is typically fully protected and the AP is engaged, so the function is inhibited in order to avoid spurious stall warnings.

4.6.8 Failure cases

In case of double FAC loss, the system switches to Backup Mode. The Stall Warning computation is taken over by the FWC, and the FMGC computes the backup characteristic speeds, which are sent to the EIS and HUD for display.

The FWS performs the SW reference AOA qualification by using various state-of-the-art AOA monitoring, estimation and selection techniques, and it follows the same process as the FAC in Bypass mode (except for the speed computation, which is not done by the FWS in Backup mode).

The modifications in the FMGC are needed to compute the backup characteristic speeds, which are displayed to the pilot on the Primary Flight Display, Figure 51. In this way, even in case of double FAC loss, the crew are aware of the basic information about the flight envelope, at least concerning the upper and lower limits (VLS, VSW and VMAX). As a matter of fact, the ADRs could send the air data needed to compute the characteristic speeds, but at the state of the art these data are processed by the FAC to elaborate the speeds; consequently, with the ESW update, the FMGC can perform the computation in backup. The backup computations adopt some simplifications with respect to the FAC calculations: in the FMGC the sharklet, the motorization and the airbrake contributions are not considered and the most conservative case is always taken, shrinking the flight envelope, both for safety reasons and for design and timing constraints.

For the computation of the backup characteristic speeds, the COM part of the FMGC receives the AOA ADC OPP from the MON part (the FMGC COM side does not receive all three AOAs, see footnote 20). The 𝑉𝛼𝑆𝑊 computed inside the FMGC is consistent with the stall condition computed inside the FWC (in case of FAC loss); since in case of failure these computations are performed in two different computers, coherence must be kept between FWC and FMGC. The FMGC uses the SSM and Refresh monitoring to validate the ADC AOA acquisitions (as done in the FAC) and it memorizes the result of the FAC range monitoring at take-off for qualifying the reference AOA in case the FACs are lost: the monitoring result is saved so that, even if the FAC fails, the FMGC has the information needed to qualify the AOA.

[20] The FMGC COM has only the AOA OWN and 3 reception, whereas the MON part of the FMGC has the reception of all three AOAs.


The range monitoring at take-off allows an AOA to be recognized as erroneous when it goes out of the nominal take-off range during the lift-off and rollout phases. The AOA of each ADR is monitored on the ground and rejected from the stall warning computation if it is out of range; ADR3 is given an extra range because of its position on the fuselage.

The monitoring is performed at take-off when the CAS is within a specific range. This monitoring is a safety measure to check which AOAs are available since take-off, and it refers to the Lion Air flight JT610, which ended in the first catastrophic accident and the complete destruction of a Boeing 737 Max 8. On that occasion, the angle of attack sensors on either side of the aircraft’s nose differed by about 20 degrees in their measurements even during the ground taxi phase, when the plane’s pitch was level. This means that one of the two measurements was clearly completely wrong, and both should have been rejected.

The FMGC needs a selection logic to compute the alpha reference; this is the alpha value used in the computation of the backup characteristic speeds. The AOA selection logic inside the FMGC is similar to the FWC one and is based on voted/maximum/last value (the difference from what is implemented in the FAC is that, when only two AOA sources are available, it uses the maximum of the two as the reference AOA instead of the average; obviously this choice is made to have a more conservative computation in the backup situation). This solution avoids the chance of missing a Stall Warning in case of an underestimated AOA: in that case the average may lead to a missed Stall Warning, whereas by selecting the maximum of the two the system never misses the Stall Warning.
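The Table 3 selection rules with the FMGC maximum-of-two variant just described, together with the AOA-to-speed capacity hand-over and the activation request of 4.6.7, as an added Python model that is not Airbus, FAC or FMGC code. It assumes that "voted" means the median of three values, that the first qualified CAS serves as the speed reference, and that every monitoring outcome (SSM/refresh, UAMM, ELAC watchdog, inhibitions) is supplied as an input; all numeric values are constructed.

```python
"""Illustrative model of the ESW reference-AOA selection, capacity hand-over
and activation request.  Added example, not flight-computer code; "voted" is
modelled as the median and all monitoring outcomes are assumed inputs."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple


@dataclass
class AoaSource:
    name: str      # constructed label, e.g. "ADR_OWN"
    value: float   # angle of attack, degrees
    valid: bool    # outcome of SSM/refresh/UAMM monitoring (given as input)


def select_reference_aoa(adr: List[AoaSource], irs: List[AoaSource],
                         backup: bool = False) -> Tuple[Optional[float], str]:
    """Table 3: ADR sources have priority; IRS is used only with 0 valid ADR.
    3 valid -> voted (median), 2 valid -> average (FAC rule) or maximum
    (FMGC backup rule, backup=True), 1 valid -> last value.
    Returns (alpha_ref, rule); alpha_ref is None when no AOA is usable."""
    for group, sources in (("ADR", adr), ("IRS", irs)):
        valid = [s.value for s in sources if s.valid]
        if not valid:
            continue  # fall through to the IRS group, then to "Based on VLS"
        if len(valid) >= 3:
            return median(valid), f"Voted {group}"
        if len(valid) == 2:
            if backup:
                return max(valid), f"Max {group}"       # conservative FMGC rule
            return sum(valid) / 2.0, f"Average {group}"
        return valid[0], f"Last {group}"
    return None, "Based on VLS"


@dataclass
class EswState:
    elac_watchdog: bool                 # True: ELAC declared all AOAs unusable
    alpha_sw_thr: float                 # AOA threshold (deg), computed elsewhere
    cas_valid: List[float]              # CAS values already qualified (kt)
    v_alpha_sw_backup: Optional[float]  # speed threshold (kt), None if lost
    alternate_law: bool
    windshear: bool = False             # FAC wind-shear detection
    takeoff_below_1500ft: bool = False  # take-off mode below 1500 ft


@dataclass
class EswOutput:
    capacity: Optional[str]    # "AOA", "SPEED" or None (FAC no longer capable)
    activation_request: bool   # sent to FWS (aural) and EIS/HUD ("STALL STALL")
    ap_disconnect_order: bool  # sent to FMGC, alternate law only
    alpha_ref: Optional[float]
    rule: str


def esw_cycle(adr: List[AoaSource], irs: List[AoaSource], st: EswState) -> EswOutput:
    """One FAC computation cycle in Bypass mode (at least one FAC healthy)."""
    if st.elac_watchdog:
        alpha_ref, rule = None, "Based on VLS"   # AOA capacity lost outright
    else:
        alpha_ref, rule = select_reference_aoa(adr, irs)
    if alpha_ref is not None:
        capacity = "AOA"
        request = alpha_ref >= st.alpha_sw_thr
    elif st.cas_valid and st.v_alpha_sw_backup is not None:
        capacity = "SPEED"
        # assumption of this example: first qualified CAS is the speed reference
        request = st.cas_valid[0] <= st.v_alpha_sw_backup
    else:
        capacity = None   # FAC signals it cannot perform the function
        request = False
    if not st.alternate_law and (st.windshear or st.takeoff_below_1500ft):
        request = False   # normal-law inhibitions described in the text
    return EswOutput(capacity, request, request and st.alternate_law, alpha_ref, rule)


if __name__ == "__main__":
    # constructed scenario: ADR 3 rejected by monitoring, two ADR still valid
    adr = [AoaSource("ADR_OWN", 9.8, True), AoaSource("ADR_OPP", 10.4, True),
           AoaSource("ADR_3", 31.0, False)]
    irs = [AoaSource(f"IRS_{n}", 10.0, True) for n in ("OWN", "OPP", "3")]
    print(esw_cycle(adr, irs, EswState(False, 10.0, [120.0], 125.0, True)))
```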

The computation of the backup characteristic speeds needs as inputs the AOA, Mach number, altitude and calibrated airspeed coming from the ADR, the slat and flap positions to obtain the aircraft configuration, and the aircraft weight from the Flight Management System. With the function update, all these inputs are independent of the FAC status, since the objective is to improve the availability of the characteristic speeds: in future developments, to have the autopilot engaged even with FAC loss, and at the moment, to display the flight envelope speed limitations to the crew. All the constant inputs coming from the FAC (landing gear position or AOA status at take-off) are memorized inside the FMGC in order to have them available in case of FAC failure.

If the aircraft slats/flaps configuration is unavailable because of data loss from the SFCC, the Stall Warning is maintained with the updated function. This is ensured by the information from the FWC, which supplies the slats/flaps positions acquired by dedicated sensors (IPPU, independent from the SFCC) to the FAC through the FMGC.

The slat and flap positions are sent directly from the FWC in the frame of the Autopilot without FAC project, because there is no SFCC reception in the FMGC. The FWC provides the slats and flaps positions through a newly implemented function called IPPU. Currently, the slats and flaps positions are sent to the FAC from the SFCC; they are used mainly in the characteristic speeds computation in the FAC, and their loss leads to AP/FD/ATHR loss. With the present modification, the FMGC receives backup slat/flap positions in case of double FAC failure, which allow it to compute the backup characteristic speeds. These new slats and flaps positions, measured by the IPPUs, are sent from the FWC and monitored by the FMGC. The slat and flap position information is also sent to the FAC in case of double SFCC failure.

Figure 51: ESW functional architecture in the FMGC. The FMGC is in charge of computing the backup characteristic speeds in case of double FAC loss. On the left side are the FMGC inputs (in case of FAC failures, the range monitoring at take-off is saved in the FMGC); on the right side the characteristic speeds are sent for emission to the displays. In the middle of the schema, the information links show the inputs needed to compute each variable.

The backup 𝑉𝛼𝑆𝑊 is computed in the FMGC and needs the calibrated airspeed, the alpha stall warning and the zero-lift angle of attack. The calibrated airspeed is provided by the ADC, and the angles of incidence (𝛼𝑠𝑤 and 𝛼0) are computed inside the FMGC in the same way the FAC computes them in nominal operation, except that in the FMGC the airbrake and sharklet contributions are not considered: the more conservative computation is always taken, to ensure the same calculation for the whole SA fleet. In alternate law the 𝑉𝛼𝑆𝑊 is the lowest speed limit, which the crew should never reach, hence it is important to have the 𝑉𝛼𝑆𝑊 on the speed tape. At the state of the art, in the event of double FAC loss, no 𝑉𝛼𝑆𝑊 is available any more to the EIS and HUD.

The 𝛼𝑆𝑊 is the alpha threshold at which the stall warning is triggered, when the reference incidence exceeds this value; this angle of incidence is used in the computation of the 𝑉𝛼𝑆𝑊 in a similar way as in the FAC in the nominal case:

- In hyper configuration the 𝛼𝑆𝑊 is a function of the slat position.
- In clean configuration the 𝛼𝑆𝑊 is a function of the Mach number and slat position.

The 𝑉𝑀𝐴𝑋 computation depends on the slat and flap configuration: experimental constants are selected as a function of the S/F positions and of the landing gear position. The 𝑉𝑚𝑎𝑥 is limited on the upper side by the 𝑉𝑀𝑂, a new acquisition in the FMGC; before this upgrade no information on VMO was used in the FMGC.


In this step of the Enhanced Stall Warning evolution, the computation of VLS is not considered, because of lack of time in the program schedule; in order to test the FMGC interface, a very simplified computation of VLS is elaborated starting from the 𝑉𝛼𝑆𝑊. Working with the handling qualities team, new considerations and simplifications on this speed are being evaluated to provide the aircraft with the lowest selectable speed in normal law with the autopilot engaged.

4.6.9 ESW new interfaces

To install the Enhanced Stall Warning function on the flight control computers, a new hardware Pin-Prog connection between the FAC computer and ground is required, which allows the whole Auto Flight System to compute the new function. This hardware Pin-Prog activates the software Pin-Prog, which is emitted by the FAC and acquired by the FWS, EIS and FMGC in order to distinguish the “ESW INSTALLED” and “ESW NOT INSTALLED” status. Since the ESW function relies strongly on the UAMM function, both pin-progs are consolidated, such that at this point ESW cannot be performed without UAMM installed.

Another interface input needed for the ESW function is the discrete ARINC input connecting the FAC COM lane to the ELAC OWN and OPP, to inform about the AOA watchdog monitoring status. If the AOA watchdog monitoring is triggered by the ELAC, the FAC inhibits the alpha-based Stall Warning and switches to the speed-based Stall Warning. In addition, to perform the enhanced function, a connection with the EIS, the FWS and the FMGC is needed through a FAC ARINC output. In particular, the FAC informs the FWS, the EIS and the FMGC about the ESW activation request, so that the alarm message appears on the displays and the aural alarm is sent when the AP is disconnected by the FMGC. On the other hand, another Boolean is sent to the FWS to inform about the ESW FAC capability status.

Each FAC computes its capability to compute the Enhanced Stall Warning alert and sends the result to the FWC, EIS and HUD if the SW activation is requested by the FAC.

The FAC sends three signals to the Flight Warning Computer to inform which AOA is not used in computing the alpha reference for enhanced stall warning purposes. This information is memorised inside the FWC so that, in double FAC loss, it can calculate the backup stall warning with the correct angles of attack. Another signal about the AOA monitoring is delivered by the FAC to the FMGC to inform about the range-at-take-off monitoring: during take-off, when the speed is between 80 and 100 kts, a FAC monitoring verifies that the range of the AOA values is correct and sends the result to the FMGC, which memorises it so that it remains available even in case of double FAC loss, should the FMGC have to compute the backup characteristic speeds.


5 Boeing 737 MAX-8 case study

5.1 Marketing point of view

5.2 Technical issues

5.3 Certification process

The project to renew the Boeing 737 was born to overcome the rival challenge from Airbus, in order to deliver on time the fourth Boeing 737 generation after the 2011 Paris Air Show, where Airbus sold 667 A320NEO in a week, basically more orders than Boeing had received for the 737 in the entirety of 2010. As a matter of fact, the Boeing 737 Max was the answer of the United States aircraft manufacturer to the Airbus A320NEO, presented in 2010, which promised to save 6% of fuel consumption with respect to the 737NG thanks to its new engines and aerodynamic solutions21. The first obstacle Boeing faced in the B737 renovation was the 737 platform itself: it would take a considerable amount of work to update a 46-year-old design with all the technology it needed to be just as efficient as the competition. Complete aircraft overhauls are rare: the 737 last received one in 1983 and then in 1997, with the debut of the third-generation 737NG, while the A320 had not been refreshed since its launch in 1988 until 2010.

21 NEO stands for New Engine Option. The new engines mounted on the A320 evolution are the key point of the success of this new aircraft. In 2018, for instance, Southwest Airlines’ fleet of 751 Boeing 737s burned through 2.1 billion gallons of fuel per year at an average cost of $2.20 per gallon ($0.58/liter), for a total of $4.6 billion. A 1 percent increase in fuel efficiency would save $46 million.


At the same time, the designers could not update the aircraft too much. By law, a pilot can only fly one type of airplane at a time. However, the Federal Aviation Administration allows different models of airplanes with similar design characteristics to share a common “Type Certificate” (for instance, the Boeing 737’s three previous generations all share a common type certificate). Boeing did not want to renew its flagship product so heavily that it would have lost the “Type Certificate”.

5.1 Marketing point of view

The Boeing 737 first appeared in 1967; it was a small aircraft with small engines and relatively simple systems compared with modern aircraft. Airlines liked it because of its simplicity, reliability and flexibility, not to mention that it could be piloted by a two-person cockpit crew, as opposed to the three or four of previous airliners, which made it a significant cost saver. Over the years, market and technological forces pushed the Boeing 737 into ever-larger versions with increasing electronic and mechanical complexity. Airliners constitute enormous capital investments both for the industries that make them and the customers who buy them, and they all go through a similar growth process. The program’s chief pilot, Ed Wilson, said that pilots rated on previous versions of the 737 could switch to the Max with just “2 ½ hours of computer-based training.” This was another key selling point for airlines: no expensive classroom time, no costly simulator time.

“Everything about the design and manufacture of the Max was done to preserve the myth that ‘it’s just a 737.’ Recertifying it as a new aircraft would have taken years and millions of dollars. In fact, the pilot licensed to fly the 737 in 1967 is still licensed to fly all subsequent versions of the 737.” [15]

The major selling point of the Boeing 737 Max is that it is much the same as the older Boeing 737, and any pilot who has flown other Boeing 737s can fly a Boeing 737 Max without expensive training, without recertification, without another type rating. Airlines (Southwest22 is a prominent example) tend to go for one “standard” airplane: they want one airplane that all their pilots can fly, because that makes both pilots and airplanes fungible, maximising flexibility and minimising costs.

Most of these market and technical forces are on the side of economics, not safety. They work as allies to relentlessly drive down what the industry calls “seat-mile costs”, the cost of flying one passenger seat for one mile. Two years into development, Boeing promised the Max would be 8 percent more fuel-efficient than the A320NEO. Accordingly, between its fuel and training efficiency, the Max seemed like a winning prospect for everyone, especially Boeing, which sold a record-breaking $200 billion worth of Boeing 737 Max before the first prototype took flight.

22 Southwest is the biggest low-cost airline in the world. This American commercial airline has its headquarters in Dallas, Texas, and was founded in 1967. Southwest Airlines has always operated only the B-737; in 2017 it had 705 B-737 aircraft in service, including 13 B-737 Max, with 190 on order (before the B-737 program was halted), each operating on average six flights per day. By way of comparison, the Ryanair fleet counts 458 B-737, with 135 B-737 Max ordered in 2019, and it is the second airline in the world by number of B-737 operated.


5.2 Technical issues

The principle of Carnot efficiency dictates that the larger and hotter an engine is, the more efficient it becomes. The most effective way to make an engine use less fuel per unit of power produced is to make it larger. For this reason, Boeing wanted to put the bigger CFM International LEAP-1B [16] engines on its latest version of the Boeing 737.

The problem arises because the original Boeing 737 had (by today’s standards) tiny engines, which easily cleared the ground beneath the wings. As the Boeing 737 grew and was fitted with bigger engines, the clearance between the engines and the ground started to get a little tight, Figure 52.

Figure 52: Comparison between the Boeing 737-800 NG and the new Boeing 737 Max 8. The bigger size of the engines is evident: they have been moved forward with respect to the older version and raised to accommodate a larger fan and consequently a higher bypass ratio, hence lower fuel consumption. This structural expedient implies different handling qualities, which are compensated by the MCAS in order to maintain the same type certificate.

Various hacks were developed to face this problem. One of the most noticeable was changing the shape of the engine intakes from circular to oval, the better to clear the ground.

With the Boeing 737 Max, the situation became critical. The engines on the original Boeing 737 had a fan diameter of about 100 centimetres; those planned for the Boeing 737 Max have 176 cm. That is a centreline difference of over 30 cm, and the engine intakes were made oval enough to hang the new engines beneath the wing without scraping the ground.

The solution was to move the engine up and forward of the wing. However, doing so also meant that the centreline of the engine’s thrust changed, and the flight dynamics changed as a consequence. The 𝐶𝑀𝑒𝑛 becomes bigger in absolute value, and it tends to destabilise the aircraft equilibrium in manoeuvring. Now, when the pilots applied power to the engine, the aircraft would have a significant propensity to pitch up. This inclination to pitch up with power application thereby increased the risk that the airplane could stall when the pilots add thrust, particularly if the airplane is flying slowly.

Worse still, because the engine nacelles were so far in front of the wing and so large, a power increase will cause them to actually produce lift, particularly at high angles of attack. The 𝐶𝑙𝛼 of the entire plane increases as the engines make lift when the aircraft is pitched up. Therefore, the nacelles make a bad problem worse: in the Boeing 737 Max the engine nacelles can, at high angles of attack, produce lift, working as wings. The lift produced by the nacelles is ahead of the wing’s centre of lift, meaning that the nacelles will cause the Boeing 737 Max, at a high angle of attack, to go to an even higher angle of attack, Figure 53.

Figure 53: Forces and torques experienced by an aircraft in flight. Since the engines are below the airplane centre of gravity, when the (auto)pilot increases thrust the aircraft answers with a pitch-up. In addition, because the engine nacelles are oval, they create a significant lift coefficient with respect to the angle of incidence and the pitch/pitch rate. The result is that when an aircraft is approaching a stall and the system or the pilot realises it, the first action by procedure is to act on the thrust; but if this creates a pitch-up, the aircraft moves away from the static condition, the pitch-up is accentuated and this can lead to an unrecoverable situation.

Pitch changes with power changes are common in aircraft; pilots train for this and are used to it. Nevertheless, there are limits to what safety regulators will allow and to what pilots will put up with. Aircraft are statically and dynamically stable, meaning that conditions should not change markedly: there should be no significant roll, no significant pitch change, nothing, when the pilot adds power, lowers the flaps or extends the landing gear.

Apparently, the Boeing 737 Max pitch-up went beyond the comfort and safety standard on power application at already-high angles of attack. Aerodynamic changes “work” all the time; Boeing, short of time, resources and money, needed instead a solution that would work only in certain flight phases and in particular attitude conditions. Aerodynamic solutions require a lot of design and testing to get just right. Boeing needed something precisely targeted, carefully calibrated and nonlinear in effect: it needed software. Boeing relied on something called the “Manoeuvring Characteristics Augmentation System”, or MCAS, instead of calling into question the airframe design and the engine installation. Boeing’s solution to its hardware problem was software. MCAS was designed to compensate the excess pitch-up on thrust application.

Boeing chose MCAS as the less expensive solution rather than modifying the airframe extensively to accommodate the larger engines. Such airframe modifications would have meant longer landing gear (which might then not fit in the fuselage when retracted), more wing dihedral (upward bend) and a redesign of the pylon to accommodate the new engines. Obviously, hardware changes would have had a bigger impact on the aircraft program costs.

From an avionics point of view, on the Boeing 737 Max there are two sets of angle-of-attack sensors and two sets of pitot tubes, one set on either side of the fuselage. Normal usage is to have the set on the pilot’s side feed the instruments on the pilot’s side and the set on the co-pilot’s side feed the instruments on the co-pilot’s side. That gives a natural redundancy in instrumentation that can easily be cross-checked by either pilot: if the co-pilot thinks his airspeed indicator is acting up, he can look over at the pilot’s airspeed indicator and see if it agrees. The system could be activated by a single sensor reading; in both crashes, the sensors are thought to have failed, sending erroneous data to the flight computer and, without a redundant check in place, triggering the automated system [17].

On the B-737, Boeing included redundant flight computers, one on the pilot’s side and the other on the co-pilot’s side. The flight computers, as in Airbus aircraft, compute the flight envelope, the navigation and the flight management, helping the pilot in the planning phases and, in flight, aiming to reduce the pilot’s workload. Only one MCAS is embedded in the Boeing cockpit.

MCAS pushes the nose of the plane down when the system thinks the plane might exceed its angle-of-attack limits; it has the same aim as the Airbus Alpha prot but acts on a different control loop, and so it avoids an aerodynamic stall, Figure 54. Boeing put MCAS into the 737 Max because the larger engines and their placement make a stall more likely in a Boeing 737 Max than in previous Boeing 737 models.

MCAS used only one angle of attack (AOA) sensor to detect when the airplane entered a steep climb. It activated the airplane’s pitch trim system (corresponding to the rudder trim in the Airbus conception, but for the elevator), which is routinely used to help stabilise the airplane and make it easier to control, especially during climb and descent. The system trimmed the airplane in modest increments for up to nine seconds in a row until it detected that the airplane had returned to a normal AOA and ended its steep climb. It also did something else: indirectly, via a system Boeing calls the “Elevator Feel Computer”, it pushed the pilot’s control columns downward.

According to the data of the Lion Air JT610 black boxes, when the MCAS system pushed the nose down, the captain repeatedly pulled it back up, probably by using the thumb switches on the control column. But each time, the MCAS system, as designed, kicked in to swivel the horizontal tail and push the nose back down again. The data show that after this cycle repeated 21 times, the captain ceded control to the first officer, and MCAS then pushed the nose down twice more, this time without a pilot response. After a few more cycles of this struggle, with the horizontal tail close to the limit of its movement, the captain resumed control and pulled back on the control column with high force. It was too late. The plane dived into the sea at more than 500 miles per hour [18].

In the Boeing 737 Max, like most modern airliners and most modern cars, everything is monitored by computer, if not directly controlled by computer; but it is also important that the pilots get physical feedback about what is going on. The Boeing 737 employs redundant hydraulic systems, and those systems link the pilot’s movement of the controls to the action of the ailerons and other parts of the airplane. But those hydraulic systems are powerful, and they do not give the pilot direct feedback from the aerodynamic forces acting on the ailerons. There is only an artificial feel, the feeling that the computer wants the pilots to feel.

When the flight computer trims the airplane to descend, because the MCAS system thinks it is about to stall, a set of motors and jacks pushes the pilot’s control columns forward. It turns out that the Elevator Feel Computer can put a lot of force into that column, so much that a human pilot can quickly become exhausted trying to pull the column back, trying to tell the computer that this really, really should not be happening.

Figure 54: The anti-stall system depended crucially on sensors installed on each side of the airliner, but the system consulted only the sensor on one side. The angle of attack is fed into the flight computer; if it rises too high, suggesting an imminent stall, the MCAS activates.

Undeniably, not letting the pilot regain control by pulling back on the column was an explicit design decision; as a matter of fact the MCAS always has priority over human actions, because the hydraulic system has more strength than a human pilot. Furthermore, the MCAS is always engaged, even when the autopilot is disconnected, in manual flight.

MCAS is implemented in the flight management computer and is active even when the autopilot is turned off. In a fight between the flight management computer and the human pilots over who is in charge, the computer will always overrule the humans.

Southwest asked Boeing why the documentation of the MCAS was not available to the pilots and why the handbook contained no checklists for recovering from MCAS situations; Boeing answered that: “Since the automatic control system operated in situations where the aircraft is under relatively high load factor and near stall, a pilot should never have seen the operation of MCAS. Consequently, Boeing did not include the MCAS description in its Flight Crew Operations Manual; when MCAS is involved, it would trim the nose as designed to assist the pilot during recovery, likely going unnoticed by the pilot” [19].

Furthermore, in the Boeing 737 Max only one of the flight management computers is active at a time, either the pilot’s or the copilot’s computer, and the active computer takes inputs only from the sensors on its own side of the aircraft. When the two computers disagree, the solution for the humans in the cockpit is to look across the control panel to see what the other instruments are saying and then sort it out. In the Boeing system, the flight management computer does not “look across” at the other instruments; it believes only the instruments on its side. In the Boeing architecture there is no cross-checking monitoring; this is what in the Airbus Auto Flight System is called Independent Mode, active when the two FMGCs disagree with each other. In other terms, in the Airbus philosophy this situation is reached only after a minor failure has already occurred, for which the two FMGCs differ from each other, Figure 23. This means that if a particular angle-of-attack sensor runs away, which happens all the time in a machine that alternates from one extreme environment to another, vibrating and shaking all the way, the flight management computer just believes it.

Several other instruments can be used to determine the angle of attack, directly or indirectly: pitot tubes, artificial horizons, etc. All these instruments would be cross-checked by a human pilot to quickly diagnose a faulty angle-of-attack sensor. A human pilot could also look out of the windshield to confirm visually and directly whether the aircraft is pitching up dangerously. That is the ultimate check, and it should go directly to the pilot’s control. However, the current implementation of MCAS denies the pilot’s sovereignty: it denies the pilots the ability to respond to what is before their own eyes.

5.3 Certification process

In addition to the technical causes that led to the unrecoverable stall situation, other circumstances in the Boeing certification must be considered from an economic side. As a matter of fact, in the past, the FAA had armies of aviation engineers in its employ. Those FAA employees worked side by side with the airplane manufacturers to determine that an airplane was safe and could be certified as airworthy. As airplanes became more complex and the gulf between what the FAA could pay and what an aircraft manufacturer could pay grew larger, more and more of those engineers migrated from the public to the private sector. Eventually, the FAA had no in-house ability to determine whether a particular airplane’s design and manufacture was safe. The FAA, meanwhile, said it would need 10,000 more employees and an additional $1.8 billion of taxpayer money each year to bring certification entirely in-house. Hence, the FAA proposed that the airplane manufacturers “self-certify” their aircraft, creating their own certification tests.

Thus, the concept of the “Designated Engineering Representative”, or DER, was born. DERs are people in the employ of the airplane manufacturers, the engine manufacturers and the software developers, who certify to the FAA that each single part of the aircraft meets the certification rules. The industry absolutely relies on public trust, it is in nobody’s interest that an aircraft crashes, and every crash is an existential threat to the industry: this is the reasoning by which there was no conflict of interest.


During the certification, MCAS received a “hazardous failure” designation. This meant that, in the FAA’s judgment, any kind of MCAS malfunction would result in, at worst, “a large reduction in safety margins” or “serious or fatal injury to a relatively small number of the occupants.” Such systems, therefore, need at least two levels of redundancy, with a chance of failure of less than 1 in 10 million. However, MCAS does not meet any of these standards:

- It has no redundancy: it takes input from just one AOA sensor at a time. That makes MCAS completely unable to cope with a sensor malfunction.
- No cross-checking monitoring was considered in the validation of the acquired data: no triplex, no duplex, certainly no backup computation (in the Airbus design philosophy, all the data coming into a computer have to be validated by SSM treatment and by internal monitoring).
- It cannot “sanity check” its data against a second sensor or switch to a backup if the original source fails. It just believes whatever data it is given, even if that data is bad, which is what happened on Lion Air flight 610 and Ethiopian Airlines flight 302.
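What the single-sensor criticism above amounts to in code, set against the input validation the thesis attributes to the Airbus design in section 4.6.9 (SSM treatment, AOA range monitoring between 80 and 100 kts at take-off, and the switch from the alpha-based to the speed-based stall warning when the AOA reference is not trusted). This is an added Python illustration, not code from the thesis or from either manufacturer; the thresholds, the `AoaWord`/`SSM` types, `V_ALPHA_SW_KT` and the sensor trace are constructed, and only the ARINC 429 SSM encoding is real.

```python
"""Added illustration, not code from the thesis: validating a duplicated AOA
input with the checks the text attributes to the Airbus design (SSM status,
range monitoring, cross-check of the two sides, speed-based fallback) next to
a single-source design that trusts one sensor. Thresholds and the sensor
trace are constructed; only the ARINC 429 SSM encoding is real."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class SSM(Enum):
    """ARINC 429 sign/status matrix states of a BNR data word."""
    FAILURE_WARNING = 0
    NO_COMPUTED_DATA = 1
    FUNCTIONAL_TEST = 2
    NORMAL = 3


@dataclass(frozen=True)
class AoaWord:
    """One AOA label as received from one side: value plus its SSM."""
    value_deg: float
    ssm: SSM


# Constructed thresholds (the real FAC tables are not on the page).
AOA_PLAUSIBLE_DEG = (-15.0, 35.0)   # range-monitoring limits
MAX_SPLIT_DEG = 4.0                 # tolerated left/right disagreement
ALPHA_SW_DEG = 11.0                 # alpha stall-warning threshold
TAKEOFF_CHECK_KT = (80.0, 100.0)    # speed window of the take-off range check


def word_valid(w: AoaWord) -> bool:
    """A word is usable only with SSM NORMAL and a value inside the range."""
    lo, hi = AOA_PLAUSIBLE_DEG
    return w.ssm is SSM.NORMAL and lo <= w.value_deg <= hi


def single_source_warning(own_side: AoaWord) -> bool:
    """Single-sensor logic: believe the active side's vane unconditionally."""
    return own_side.value_deg > ALPHA_SW_DEG


def select_alpha_reference(left: AoaWord, right: AoaWord) -> Optional[float]:
    """Cross-checked alpha reference. Two valid and consistent words: take the
    larger (conservative). One valid word: use it. Otherwise no reference."""
    valid = [w for w in (left, right) if word_valid(w)]
    if len(valid) == 2:
        if abs(left.value_deg - right.value_deg) > MAX_SPLIT_DEG:
            return None          # sides disagree: AOA reference rejected
        return max(left.value_deg, right.value_deg)
    if len(valid) == 1:
        return valid[0].value_deg
    return None


def cross_checked_warning(left: AoaWord, right: AoaWord, cas_kt: float,
                          v_alpha_sw_kt: float) -> Tuple[bool, str]:
    """Alpha-based warning while a trusted alpha reference exists; otherwise
    the alpha-based warning is inhibited and the speed-based one is used
    (CAS below V_alpha_SW), as section 4.6.9 describes."""
    alpha_ref = select_alpha_reference(left, right)
    if alpha_ref is None:
        return cas_kt < v_alpha_sw_kt, "SPEED_BASED"
    return alpha_ref > ALPHA_SW_DEG, "ALPHA_BASED"


def takeoff_range_check(cas_kt: float, left: AoaWord,
                        right: AoaWord) -> Optional[Dict[str, bool]]:
    """Between 80 and 100 kt at take-off, record which AOA sources read inside
    the plausible range; the result is kept for the backup computers."""
    lo, hi = TAKEOFF_CHECK_KT
    if not lo <= cas_kt <= hi:
        return None
    return {"left_ok": word_valid(left), "right_ok": word_valid(right)}


# Constructed trace (CAS kt, left word, right word): the left vane runs away
# while the right one stays sane, then the left word is flagged by its source.
TRACE = [
    (250.0, AoaWord(3.0, SSM.NORMAL), AoaWord(3.2, SSM.NORMAL)),
    (248.0, AoaWord(18.0, SSM.NORMAL), AoaWord(3.1, SSM.NORMAL)),
    (246.0, AoaWord(40.0, SSM.NORMAL), AoaWord(3.0, SSM.NORMAL)),
    (245.0, AoaWord(3.0, SSM.FAILURE_WARNING), AoaWord(3.0, SSM.NORMAL)),
]
V_ALPHA_SW_KT = 140.0   # constructed backup V_alpha_SW for this trace


def run_trace(trace=TRACE) -> Tuple[List[bool], List[Tuple[bool, str]]]:
    """Per sample: single-source decision and cross-checked (decision, mode)."""
    single = [single_source_warning(left) for _, left, _ in trace]
    cross = [cross_checked_warning(left, right, cas, V_ALPHA_SW_KT)
             for cas, left, right in trace]
    return single, cross
```

On the constructed trace `run_trace()` shows the single-source logic firing twice on the runaway vane, while the cross-checked logic rejects the split reading, falls back to the speed-based check and then discards the FAILURE_WARNING word without ever raising a spurious warning.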

It gets worse: over the last five years, 50 flights on US commercial airplanes experienced AOA sensor issues, or about one failure for every 1.7 million commercial flight-hours. Evidently that is a low rate, but it is still nearly six times above what the FAA allows for “hazardous” systems: they are only supposed to fail once every 10 million flight-hours (see Appendix I – Safety Assessment). Worse still: the FAA did not catch the fact that the version of MCAS actually installed on the 737 Max was much more powerful than the version described in the design specifications. On paper, MCAS was only supposed to move the horizontal stabiliser 0.6 degrees at a time. In reality, it could move the stabiliser as much as 2.5 degrees at a time, making it significantly more powerful when forcing the nose of the airplane down [20].

At this phase of the MCAS development, the fact that the system could analyse only the data coming from its own side should have raised some doubts in the safety certification standard. But in reality, the FAA added the Boeing 737 Max to the type certificate. In the case of the Boeing 737 Max, the FAA’s list extends to 30 pages, reviewing everything from engine noise to de-icing systems, aluminium fatigue to security doors. Yet this document dedicated to minutiae does not mention MCAS once, which is rather astonishing when it considers even the seat belts.

The FAA overlooked MCAS in other places too. A combination of inexperience and lack of a software culture perhaps led to the situation where, right now, the whole Boeing 737 Max-8 fleet is grounded.

In conclusion, to sum up the Boeing case study: Boeing produced a dynamically unstable airframe, the Boeing 737 Max. Consequently, they tried to mask this dynamic instability with a software system. Finally, the software relied on systems known for their propensity to fail (angle-of-attack indicators) and did not appear to include even rudimentary provisions to cross-check the outputs of the angle-of-attack sensor against other sensors, or even the other angle-of-attack sensor. To make matters worse, none of these points were caught during the certification process.


On 13 March 2019, the FAA grounded the Boeing 737 Max 8. Muilenburg, Boeing’s CEO, admitted that MCAS was directly responsible for the Ethiopian Airlines and Lion Air crashes and promised that Boeing would fix its broken system. “It’s our responsibility to eliminate this risk,” he said. “We own it and we know how to do it.”

Figure 55: Boeing safety design process


6 Conclusions and improvements

This thesis aimed to investigate the very current problem of stall in the aviation field in general and to explain how aircraft manufacturers have worked to improve their anti-stall systems, avoiding the loss of control in stall situations. The Airbus approach has been detailed, since this thesis allowed me to discover and to improve the Airbus Auto Flight System in the role of system designer. At the end of the discussion, a chapter on the Boeing case study has been presented to better understand the differences between the French and the US aircraft manufacturers’ approaches to the problem.

The problem statement treated in this thesis is that more than 60% of aircraft accidents are due to human errors, because the autopilot disconnects after failure detection. Consequently, the aircraft loses some protections, the crew is often not ready to face an emergency procedure and, in the worst scenario, this ends with the loss of the entire aircraft. The most suitable solution seems to be to enlarge the autopilot domain; this is the direction Airbus is following to minimise human intervention, and the Enhanced Stall Warning fits into this project, bringing one of the first improvements.

The function development fits this problem statement by releasing a system that is more robust and more available upon aircraft failures. The Enhanced Stall Warning developed for this purpose during this master thesis in fact considers both ADC and IRS data sources for the angle of attack reference computation, and also the speed, in order to perform more available computations of the stall alarm and of the autopilot disengagement order. A fault tolerance approach to the system design has been adopted in order to avoid spurious alarms or missing alerts.

The main improvement to the system was to move the function from the Flight Warning Computer to the FAC. In this way, the warning and the flight control law are separated, enhancing the safety and the reliability of the aircraft. In fact, in case of warning computer failure, the FAC is still capable of triggering the autopilot disconnection and of sending the message to the displays; on the other hand, in case of flight control failure, the FWC takes over the backup computation of the stall warning. The FAC is the main computer, which takes charge of the function in normal operation, but after failures the backup computers (FMGC and FWC) take charge of the function, with some limitations in computation accuracy but keeping the function available.

The Enhanced Stall Warning, as explained, consists of two working modes:

• Bypass mode: when at least one FAC is healthy, the stall warning is based on AOA (with priority, both ADC and IRS) or on speed in case the angles of attack are no longer available;

• Backup mode: in case both FACs are lost, the FWC takes over the backup computation and the characteristic speeds are assured by the FMGC, which computes them in backup before sending them to the EIS/HUD.

The new software version allows the aircraft to keep the autopilot engaged in a safe manner, avoiding the need for human control in some emergency conditions. Thanks to the UAMM update, the flight control computers have all the needed information (AOA, aircraft speeds) even upon broken, frozen or runaway probe failures, which also allows the aircraft attitude to be estimated and projected into the stall calculation. The UAMM monitoring permits the data to be declared available based on:

• Broken probe detection at take-off;

• Iced probe monitoring (Nz-AoA);

• Drift detection (triplex monitoring by comparison);

• Disagreement detection (duplex monitoring);

• Theta-gamma monitoring.

In the upgraded system the presented architectures are reviewed to keep the data available and to declare the system itself capable of performing the task, based on:

• Angle of attack based Stall Warning. The computation considers both ADC and IRS probes to ensure a higher level of reliability and robustness.

• Speed based Stall Warning. In this case, even if the AOA probes are lost, the function reconfigures to detect the alarm when the speed falls below the selected thresholds, provided that at least the airspeed is still available and the characteristic speeds are computed.

The robustness of the function is also assured by new AOA thresholds, which consider α_sw as a function of Mach, of the flight law and of the aircraft configuration.

The last remarkable improvement on the FAC side for the developed function was the introduction of the ELAC watchdogs which, once triggered and sent to the FAC, inhibit the use of AOA for the stall warning computation, so that the system switches directly to the speed based SW. The watchdogs aim to detect the situation in which an incoherence between AOA and speed values occurs.
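The reconfiguration just described (bypass versus backup mode, AOA based warning with ADC priority over IRS, fall-back to the speed based warning when the AOA is lost or the ELAC watchdog is set), as an added Python example that is not the thesis's or Airbus's code; the field names, the median voting across the valid probes and the sample thresholds are assumptions made for the illustration:

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple


@dataclass
class AfsState:
    """Constructed snapshot of the inputs the text says the function depends on."""
    fac1_healthy: bool
    fac2_healthy: bool
    adc_aoa: List[Optional[float]]   # ADC AOA per probe (deg); None = rejected/unavailable
    irs_aoa: List[Optional[float]]   # IRS AOA per probe (deg); None = rejected/unavailable
    elac_watchdog: bool              # ELAC reports an AOA/speed incoherence
    cas_valid: bool                  # calibrated airspeed available
    cas_kts: float
    char_speeds_valid: bool          # characteristic speeds computed (FAC, or FMGC in backup)
    alpha_sw_deg: float              # stall-warning AOA threshold for current Mach/law/config
    v_sw_kts: float                  # speed threshold used by the speed based warning


def select_mode(s: AfsState) -> str:
    """Bypass mode while at least one FAC is healthy; otherwise backup mode (FWC + FMGC)."""
    return "BYPASS" if (s.fac1_healthy or s.fac2_healthy) else "BACKUP"


def select_aoa(s: AfsState) -> Optional[float]:
    """AOA reference: ADC probes have priority over IRS; None when no AOA is usable or
    when the ELAC watchdog inhibits AOA for stall-warning use. Voting by median is a
    constructed choice, not the thesis's consolidation logic."""
    if s.elac_watchdog:
        return None
    for source in (s.adc_aoa, s.irs_aoa):
        valid = [v for v in source if v is not None]
        if valid:
            return median(valid)
    return None


def stall_warning(s: AfsState) -> Tuple[str, str, bool]:
    """Return (mode, basis, alarm) with basis in {'AOA', 'SPEED', 'UNAVAILABLE'}."""
    mode = select_mode(s)
    aoa = select_aoa(s)
    if aoa is not None:
        return mode, "AOA", aoa >= s.alpha_sw_deg
    # AOA lost or inhibited: reconfigure on speed if airspeed and characteristic speeds remain.
    if s.cas_valid and s.char_speeds_valid:
        return mode, "SPEED", s.cas_kts <= s.v_sw_kts
    return mode, "UNAVAILABLE", False


def nominal() -> AfsState:
    """Constructed baseline: both FACs healthy, all probes valid, well away from alpha_sw."""
    return AfsState(True, True, [4.0, 4.2, 4.1], [3.9, 4.1, 4.0],
                    False, True, 250.0, True, 10.0, 120.0)
```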


On the FMGC side, the enhanced stall warning does not impact the autopilot disengagement logic: in order to be as little intrusive as possible, the legacy logic is kept, so the autopilot is disengaged once the FAC triggers the condition. On the other hand, it was necessary to implement the computation of the backup characteristic speeds. For this purpose, no airbrake, sharklet or motorization contributions are considered, which simplifies the computations without losing the goal of the function: to display the characteristic speeds to the pilots even in case both FACs are lost.

As Design Office, the developed function answered the high level requirements set by the Functional Team, and the next step of the implementation will be the simulator tests, which will be performed during the following month depending on the Covid-19 health conditions at the simulator. The test session was planned for April, but some delay will surely occur. This implementation step will be the first feedback loop, because all the potential bugs that appear on the test bench will be fixed through a first iteration of the function. During the logical implementation some compromises were mandatory to match all the time and program constraints.

In this experience, I learnt about complex System Design, how to translate high level requirements into low level instructions and how to follow a scheduled plan in order to achieve the target within the correct timing, working in a team to answer the client's needs. My aerospace and system knowledge helped me in integrating into the team and in the conception phase of the function.

I experienced the engineering working environment, where compromises and iterations are on the everyday agenda. The last proposed solution will not be the final one; surely, some improvements, tunings and calibrations will be necessary to optimise the function behaviour and fulfil the expected results.

Some cross-checking monitoring has to be implemented in the next evolution step, and AOA requalification will be added to the design to provide the system with the most reliable AOA value in each flight phase.

Table 4: Enhanced Stall Warning: Comparison of Legacy logic


Table 4 shows the difference between the state-of-the-art system and the Enhanced Stall Warning monitoring. The additional monitoring and the estimator enable the Enhanced Stall Warning to limit the probability of an undue Stall Warning. They also help to avoid the risk of Stall Warning unavailability in critical situations. Furthermore, they make the link between a monitoring detection and the loss of a flight control protection explicit, meaning that it becomes possible to identify which monitoring result has an impact on the flight control protection. Notice that all the newly updated monitoring is based on the UAMM update; this is the reason why the UAMM function is fundamental for the development of the ESW function.

6.1 Enhanced Stall Warning improvements and future developments

The first improvement to the function is the implementation of the backup VLS computation in the FMGC. Because of lack of time and the necessity to deliver the function within the deadline in order not to miss the simulator slot (before the Covid-19 health issue), the VLS computation was left out and not implemented in this first evolution step of the function. A simplification of the VLS currently computed in the FAC will be requested from the Handling Qualities team, in order to have at least an estimation of its value, because right now it is not possible to compute the VLS in the FMGC as in the FAC, due to missing inputs in the FMGC.

The interest in applying the AOA monitoring, in order to always have the most correct or most plausible value of the angle of attack available, leads to the possibility of installing in the cockpit a display that shows the pilot the exact attitude of the aircraft in real time, displaying the incidence angle and thus the stall margin. Just as in the Primary Flight Display the speeds are always displayed with their corresponding limits (VLS, VMAX …), the Enhanced Stall Warning evolution could make it possible to display the incidence angle with its limit as a function of the flight law. This implementation could be investigated in the short term, before the EAPA project becomes real, because with the stall margin indicator the pilots would retain authority in case of failure, whereas the EAPA project aims to let the pilot intervene as little as possible in order to avoid catastrophic human errors in emergency situations. This solution would be easier and cheaper than the EAPA project, and it could be a helping system for the pilot to foresee the aircraft stall.

The stall margin indicator could be implemented on both the PFD and the HUD, giving the crew a clear indication of the stall conditions, and it would be displayed whatever the law (direct, alternate or normal). The indicator would minimise the common points between the loss of the stall margin indicator and the loss of the flight control protections, so that in case one of the two systems fails, the other one is still able to perform its operations (fault tolerance approach).

The stall margin indicator should use as far as possible the same equipment as the Stall Warning, in order to have limited delays in the transmission of the information and to have coherence in the computations, above all in non-normal law, when with the state-of-the-art control laws the autopilot disconnects and the crew takes control of the aircraft. Consequently, in alternate law the aircraft protections are limited, down to complete manual control in direct law, when all the protections are disengaged and the crew acts directly on the aircraft attitude through the control surface deflections.


An erroneous indication of the stall margin would be classified as HAZ (hazardous), because it would display the margin that the pilot has for manoeuvring the aircraft to avoid a stall, and an error near the ground would have consequences classified as hazardous/catastrophic.

The AOA potentially used in the stall margin indicator should be submitted to the UAMM monitoring in addition to the SSM treatment (which only assures the correct acquisition by the computers), so as to always deliver the most reliable angle of attack value to the computation. The only AOA sources usable for the stall margin indicator should be the ADC ones, because their refresh time is three times faster than the IRS one, and since the indicator materialises the distance of the aircraft from alpha stall, the fastest data refresh, and consequently transmission, is necessary; otherwise the IRS should be provided with an interpolation between two refresh times that could predict the real angle of attack in real time.

In order to have the most reliable AOA available for the stall margin indicator, the function would require AOA requalification. At the state of the art, if the CAS speed is valid and lower than 60 kts, the selected AOA is labelled NCD (Not Computed Data); with the requalification, an NCD AOA is considered valid and should be used in the computation if CAS is valid and lower than 60 kts and all the other ADC AOAs are not in normal operation.

This requalification keeps the stall warning available in deep stall situations and in multiple iced probe situations. On ground, CAS is valid above 30 kts and AOA is valid when CAS is above 60 kts. When CAS is valid and less than 60 kts, all the AOAs are labelled NCD. In deep stall situations²³ (the AF447 accident is an example), Figure 56, the aircraft can experience a CAS below 60 kts; in such a case a requalification of the NCD ADR AOA shall be considered. That means a stall warning aural alert shall be ensured in a deep stall situation by considering the NCD ADR AOA as valid, or at least an identification of the stall margin.

²³ A deep stall is a particular stall condition generated when the horizontal tail plane is placed exactly in the turbulent downwash of the wing, generated by the airflow that is no longer attached to the wing. In these circumstances the horizontal tail plane is no longer able to control the aircraft and therefore there are no controls that can recover the aircraft attitude. This is the most dangerous stall condition, for which every (auto)pilot action is useless and the situation is irreversible. This is the reason why the deep stall must be avoided.


Figure 56: Deep stall condition for a T-tail airplane. The deep stall condition is easier to reach for T-tail aircraft, but it is not exclusive to this type of airplane, since Flight AF447 of an A330-203 experienced the same irrecoverable condition.

The monitoring that allows the use of the ADR AOA is the same as that used for ESW purposes:

• Broken probe detection at take-off;

• Iced probe monitoring (Nz-AoA);

• Drift detection (triplex monitoring by comparison);

• Disagreement detection (duplex monitoring);

• Theta-gamma monitoring.

In case the FAC receives the AOA watchdog monitoring from the ELAC, all the AOAs inside the FAC shall be inhibited from the stall warning and the speed based stall warning shall be activated; in this case the stall margin indicator will be lost, because the watchdog indicates that a discrepancy between the aircraft speed and the recorded incidence has been reported. As a reminder, the ELAC watchdog is triggered when the calibrated speed is rising while the angles of attack show a positive incidence (aircraft pitching up); this condition is evidently erroneous if the thrust level is kept constant, and vice versa.

For the stall margin indicator, the AOAs shall be categorised into three classes based on the result of the AOA monitoring and consistency check, also considering the cross check between ADR and IRS:

• Reliable. A measured angle of attack (AoA_x) not rejected by any monitoring is considered REL (reliable) if:

o There is another consistent measured angle of attack (AoA_y) which is not rejected by any monitoring, or

o It is consistent with the AOA estimator based on Theta-Gamma while AoA_y and AoA_z are rejected by the monitoring.


Figure 57: Logical schema of AoA_x checked as RELiable.

• Uncertain. A measured angle of attack (AoA_x) not rejected by any monitoring is considered UNC (uncertain) if:

o There is no other angle of attack (AoA_y, not rejected by any monitoring) measured by another probe to compare with it, and

o It is not consistent with the AOA estimator based on Theta-Gamma while AoA_y and AoA_z are rejected.

• Rejected, if the acquisition is not well performed²⁴.

In the evolution of the system, in the case in which only one ADR AOA is available, the consistency check shall be performed using the other available IRS AOA sources²⁵. This improves the availability of reliable angles of attack:

• If only one ADR AOA is available and the other two are not rejected:

o If IRS AOAs are available from the other two probes, and if the ADR AOA is consistent with the median value among the remaining ADR AOA and the other two IRS AOAs, then the ADR AOA is considered reliable.

o Else, if only one IRS AOA is available from another probe, and if the ADR AOA is consistent with that IRS AOA, then the ADR AOA is considered reliable.

o Else, the ADR AOA is considered uncertain.

• Else, if all ADR AOAs are lost:

o The IRS AOAs are used.

²⁴ Rejected and failed are two different concepts: a variable is rejected if the SSM treatment which verifies the acquisition returns a zero. The failure of a variable is triggered when the comparison monitoring / UAMM or other checks detect a runaway of the value, and the variable is declared failed. Consequently, a variable could be failed but not rejected; the opposite case cannot occur.

²⁵ To compute the consistency between the ADR source and the IRS one, it is necessary to apply a delay on the ADR AOA, because the refresh time of the IRS source is slower than the ADR's.

As shown in the logical schema in Figure 57, the FAC shall use the AOA estimator based on Theta-Gamma to maintain the Stall Warning even in case of disagreement between the last two remaining AOA sources:

• Qualify the last available AOA (UNC) as reliable;

• Figure out the correct AOA in case of disagreement between the last two available AOAs. The correct AOA shall be considered reliable;

• In case of disagreement between the last two available AOAs, if the estimator is not consistent with either AOA, both AOAs are rejected.
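The REL/UNC/REJ classification above, including the IRS cross-check for a lone ADR AOA and the Theta-Gamma arbitration between two disagreeing sources, as an added Python example that is not the thesis's or Airbus's code; the probe names, the consistency tolerance and the sample values are constructed, and the IRS values are assumed to be already delay-compensated as footnote 25 requires:

```python
from statistics import median
from typing import Dict, Optional, Tuple

AoaSet = Dict[str, Optional[float]]   # probe name -> AOA (deg); None = not usable


def classify_adr_aoa(adr: AoaSet, irs: AoaSet, estimator: Optional[float],
                     tol_deg: float = 1.0) -> Tuple[Dict[str, str], str]:
    """Classify each ADR AOA as REL / UNC / REJ and say which AOA family to use.

    adr:       ADR AOA per probe; None = rejected by the SSM treatment or failed by a
               UAMM monitoring (both collapsed into 'REJ' in this illustration).
    irs:       IRS AOA per probe, already delay-compensated; None = unavailable.
    estimator: Theta-Gamma AOA estimate, None when not available.
    tol_deg:   constructed consistency tolerance in degrees.
    Returns (classes, 'ADR' or 'IRS').
    """
    def consistent(a: float, b: float) -> bool:
        return abs(a - b) <= tol_deg

    classes = {name: "REJ" for name, value in adr.items() if value is None}
    valid = {name: value for name, value in adr.items() if value is not None}

    if not valid:
        return classes, "IRS"            # all ADR AOA lost: the IRS AOAs are used

    if len(valid) >= 2:
        for name, value in valid.items():
            others = [v for n, v in valid.items() if n != name]
            if any(consistent(value, v) for v in others):
                classes[name] = "REL"    # another non-rejected AOA agrees with it
            elif len(valid) == 2 and estimator is not None:
                # Last two sources disagree: the estimator picks the correct one,
                # and a source the estimator does not confirm is rejected.
                classes[name] = "REL" if consistent(value, estimator) else "REJ"
            elif len(valid) == 2:
                classes[name] = "UNC"    # no estimator to arbitrate (constructed choice)
            else:
                classes[name] = "REJ"    # outvoted by the other two probes
        return classes, "ADR"

    # Exactly one ADR AOA left: cross-check it against the IRS sources (system evolution).
    (name, value), = valid.items()
    irs_vals = [v for v in irs.values() if v is not None]
    if len(irs_vals) >= 2:
        reliable = consistent(value, median([value] + irs_vals[:2]))
    elif len(irs_vals) == 1:
        reliable = consistent(value, irs_vals[0])
    else:
        reliable = False
    if not reliable and estimator is not None and consistent(value, estimator):
        reliable = True                  # the estimator qualifies the last UNC AOA as REL
    classes[name] = "REL" if reliable else "UNC"
    return classes, "ADR"
```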

6.2 Boeing B737 Max-8 conclusions

Just as a system is the synthesis of all the components used to assemble it, and it works because its internal modules operate at the same time, so a system failure is the normal outcome in any complex system, as an aircraft can be. According to Charles Perrow, a sociologist at Yale University, whose 1984 book "Normal Accidents: Living with High-Risk Technologies" [21] describes this, the behaviour of each component of the system impacts more or less heavily the behaviour of the other components, which are "tightly bound". In increasing the safety of each system, engineers apply techniques and redundancies that raise the complexity of the system itself and introduce other potential failure cases. Every increment, every increase in complexity, ultimately leads to diminishing returns and, finally, to negative returns.

This is the root of the old engineering axiom and its aviation-specific counterpart: "Simplify, then add lightness." The original FAA Eisenhower-era certification requirement was a testament to simplicity: "Planes should not exhibit significant pitch changes with changes in engine power". This old requirement was necessary at a time when a direct connection linked the controls in the pilot's hands to the aircraft's surfaces. Nowadays, in the technological world in which aircraft fly, there is always software between the humans and the aircraft, and often something is missing between the two loops.

A parallel can be drawn between the Boeing 737 MAX 8 catastrophes and the Space Shuttle Challenger accident. Just as the NASA accident is the textbook case study of normal failure, the Boeing case came about because the rules said that a large pitch-up on power change could not be allowed, so an avionic system, the MCAS, was added to address this issue, and it was approved by an employee of the manufacturer, the DER. The rules didn't say that the DER couldn't take business considerations into the decision-making process. And 346 people are dead. It is likely that MCAS, originally added in the spirit of increasing safety, has now killed more people than it could ever have saved. In the same way, the NASA rules said that prelaunch conferences had to be held to ensure flight clearance, but nobody spoke about the political repercussions that delaying a launch would have. The inputs were weighed, the process was followed, and the majority consensus was to launch. And seven people died. Both episodes are traceable to economic and political reasons; both Boeing and NASA followed the route of the least impacting consequences, and both cases ended in engineering catastrophes.

The first improvements Boeing should make to fix the issues in the MCAS function are to consider only the reliable and available AOA coming from the angle of attack sensors on the aircraft's nose, and to ensure a cross-check between the captain's and first officer's computers, so as to monitor the data the flight control computers are processing. The new software should activate only in case both sensors agree on the fact that the aircraft's attitude is close to stall. At the Boeing state of the art, the system orders a nose pitch-down even when the two sensors disagree on the aircraft attitude, including the case in which one of the two sensors is out of order because of a failure; in this case of sensor disagreement the system should deactivate and let the pilots take control of the aircraft. Another important software update could be to let the pilot override the system in case of data misreading; in this case the MCAS would not automatically reactivate, which the original system would do multiple times [22]. At the state of the art, the MCAS could be deactivated only by turning off the system switches.


7 Appendix I – Safety Assessment

Reliability engineering, as a separate engineering discipline, originated in the United States during the 1950s, because the increasing complexity of military electronic systems was generating failure rates which resulted in greatly reduced availability and increased costs. With the increasing cost and complexity of many modern systems, the importance of reliability as an effectiveness parameter, which should be specified and paid for, has become apparent.

The reliability problem can be approached at different levels: from a mathematical point of view, reliability concerns statistics and probability; from a control expert's point of view, reliability is an extension of his efforts to buy and use the most reliable and flawless components. Reliability is essentially a "birth-to-death problem", involving all the areas of the product lifecycle. The simplest, producer-oriented view of reliability is one in which a product is assessed against a specification or set of attributes and, when it passes, is delivered to the consumer; the consumer, having accepted the product, accepts that it might fail at some future time.

The objectives of reliability engineering are:

• To apply engineering knowledge and techniques to reduce the likelihood or frequency of failures.

• To identify and correct the causes of failures that can occur, despite the efforts to prevent them.

• To determine ways of coping with failures that can occur, if their causes have not been corrected.

• To apply methods for estimating the likely reliability of new designs.

Reliability is defined as the probability that a system/product will perform in a satisfactory manner for a given period of time when used under specified operating conditions.

Failure severity is defined in system engineering according to a table for which an event is:

• Catastrophic (Level 1) when there is a failure propagation; in terms of safety this translates into the loss of lives, life-threatening or permanently disabling injury or occupational illness, or loss of systems (flight control system, launch site facilities, etc.).

• Hazardous (Level 2) in case of mission loss; in other terms, temporarily disabling but not life-threatening injury or temporary occupational illness, major damage to interfacing flight systems or ground facilities, etc.

• Major (Level 3) when the failure provokes a major mission degradation.

• Minor (Level 4) when the failure causes minor mission degradation or any other minor effect.

The failure occurrence plays an important role in determining the criticality of the failure. In fact, the failure likelihood is classified as:

• Frequent (Level 5): when in the product lifecycle the probability of occurrence is greater than 10^-1;

• Probable (Level 4): if the probability of occurrence in the product lifecycle is lower than 10^-2;

• Occasional (Level 3): if the probability of occurrence in the product lifecycle is lower than 10^-3;

• Remote (Level 2): when in the product lifecycle the probability of occurrence is greater than 10^-6;

• Improbable (Level 1): when in the product lifecycle the probability of occurrence is less than 10^-6.

In the civil aviation domain, a catastrophic event may occur only with a probability less than 10^-7.

Consequently, the failure criticality depends on its severity and on its probability of occurrence. If a number from one to five is assigned to the likelihood (PN) and to the severity (SN), the criticality (CN) can be written:

CN = SN · PN

Table 5: Criticality table. A failure is ranked by the product of the severity of its consequences and the probability that it occurs. A failure could be acceptable if its criticality is lower than 6.

Figure 58: Cost impact on the product life cycle. It is evident that the largest part of the cost of a product is spent during operations and support. This is the part in which my master thesis is placed. The cost to maintain in service the aircraft is on the rang


Figure 59: System cost on life cycle.

In Figure 59 the diagram shows the cost over the product lifecycle. The lower line represents the effective costs spent during an aerospace program. The line rises sharply when production starts and has its maximum slope during the operating phase; as confirmed in Figure 58, the cost spent to maintain the aircraft in service, including the software updates in which this thesis is placed, is the largest expenditure in the product lifecycle. The upper line in Figure 59 shows the committed costs: not direct expenses, but the costs locked in by the decisions taken before entering production (e.g. for the Space Shuttle Program the decision to make the orbiter reusable determined 70% of the future product costs, fixing the maintenance expenses).

7.1 Risk management toolset

In order to analyse risk, a wide range of proven tools is available to identify and analyse risks to safety, Figure 60. In this context, two approaches will be presented, the most common ones:

Failure modes and effects (and criticality) analysis (FMEA/FMECA): it is the most widely used and most effective method for reliability analysis. All the possible ways of damaging or degrading a system have to be analysed to identify potential failures in the product (functional, hardware or process failures). Once the damaging/degrading causes are known, it is necessary to assess the effect of each component failure locally (to evaluate the failure propagation), at the higher levels of the system decomposition, and up to the boundary of the product/process under analysis. It needs a failure classification based on the severity of the consequences and on the criticality. This approach is powerful, but it is difficult to analyse combinations of different failures, since it considers one failure at a time. This is the reason why this approach is used to investigate system reliability rather than safety. This analysis can give information about system safety only if the failure is critical enough to provoke a catastrophic event. In order to examine the degrading situations and potential failures in the product, different approaches can be followed:

• Functional approach: function failures are considered and assessed. It is known how the system should work, and the different cases in which a system cannot perform its function are evaluated.

• Hardware approach: actual hardware failure modes are considered. The FMEA/FMECA of complex systems is usually performed by using the functional approach followed by the hardware approach, when design information on the major system blocks becomes available.

• Process approach: potential process failures are considered (e.g. failures in manufacturing, assembly and integration, testing operations). Human errors are addressed in the process.

FMEA/FMECA is an effective tool in the decision-making process, provided it is a timely and iterative activity. Late implementation or restricted application of the FMEA/FMECA dramatically limits its use as an active tool for improving the design or process.

The FMEA/FMECA is basically a bottom-up analysis, considering each single elementary failure mode and assessing its effects up to the boundary of the product or process under analysis. It is an integral part of the design process, as one tool to drive the design along the project life cycle, and it is updated throughout the project lifecycle. According to the FMEA/FMECA process, an item (system, subsystem, structural part/subcomponent) is considered a critical item if:

• A failure mode is identified as a single-point failure together with at least a failure consequence severity classified as catastrophic, hazardous or major;

• A failure mode has failure consequences classified as catastrophic;

• A failure mode has a CN greater than or equal to 6.

Fault Tree Analysis (FTA): it is the most widely used and most effective method for safety analysis (the FMEA/FMECA is, on the other side, the most effective method for reliability analysis). The FTA objectives are to identify the causes of a specific failure (especially safety-critical failures), to assess a system design for its safety (or reliability), and to identify the effects of human errors, quantifying the failure probability and its contributors. Unlike the FMEA, the FTA is a deductive (top-down) approach that resolves the causes of an event through the development of a fault tree. The fault tree is a detailed logic model describing the different combinations of failures that can provoke a specific system failure, defined as the Top Event. The FTA can be either a qualitative or a quantitative analysis. The fault tree starts with the identification of a system failure and goes backwards, discovering or investigating the subsystem failures until all the elementary causes that would provoke it are found (the analysis also identifies human errors). The main system is decomposed into many sub-systems, down to the elementary components. A boundary domain can be defined so that all the causes within it are evaluated in the analysis. The logical relationships between the events are shown by logic symbols (OR and AND gates).


Figure 60: Design to safety

A skilled analyst develops the fault tree by deductively reasoning backward from a top event through intermediate fault events to the root causes. The analyst reviews the model results with knowledgeable design, operations, and maintenance personnel so they can suggest corrective actions when the model reveals significant weaknesses. FTA computer software is used to identify the various combinations of basic failures that result in a given failure. This method requires much experience to elaborate a complete fault tree: the analyst must have a complete view of the system or product, in every sub-system down to the elementary components. As a matter of fact, defining the wrong top event will result in wrong assessments and conclusions, in the same way as setting out a wrong event path because of a wrong knowledge of the system.


8 Appendix II – Characteristic speeds

The characteristic speeds are computed inside the Auto Flight System, in particular by the Flight Augmentation Computer, at each flight, depending on the aircraft weight/CG and configuration. Once computed, they are displayed on the PFD and used by the different functions as manoeuvring speeds and in order to keep the aircraft within the safe flight envelope.

During the climb, the flight is generally limited by the Air Traffic Control instructions, and the aircraft has to accelerate while maintaining the optimized climb profile, managing the different slat/flap configurations until the clean configuration is reached. In this first phase of flight the F speed and S speed are important because they are the minimum speeds at which the flaps and the slats should be retracted. In particular, F speed is the minimum speed at which the transition between CONF 3 and CONF 2 or CONF 1+F can be allowed, and it provides a margin above the stall speed in configuration 1+F. On the other hand, the S speed is the minimum speed at which the clean configuration should be selected, providing a margin above the stall speed in clean configuration. These speeds are displayed only when the slats and flaps are extended. F and S speeds are functions of the aircraft attitude, weight, slat and flap positions. They are interpolated in the Flight Augmentation Computer from tabular values. Another important speed at the end of the climb is the Green Dot speed which, with all engines operative, estimates the speed for the best lift-to-drag ratio and also represents the recommended holding speed in clean configuration. In case of one engine inoperative in clean configuration it represents the speed that keeps the highest climb gradient. The Green Dot speed is only displayed on the PFD in clean configuration (slats and flaps completely retracted).

At a given altitude, temperature and aircraft weight, two equilibrium points are possible at which the thrust compensates the drag and stabilizes the flight level, see Figure 61. Point 2 is above the Green Dot speed and represents a stable equilibrium point in cruise: if a disturbance provoked a speed increase, the drag would rise, making the speed decrease back to the starting point 2. On the other side, if the airspeed decreased, the drag would decrease and the thrust would be higher, re-accelerating the aircraft up to the equilibrium point 2. At point 2 the aircraft is stable, in the first regime. Point 1 is an unstable equilibrium point because when the airspeed decreases the drag is higher than the thrust and the aircraft would continue to decelerate without any voluntary action, and vice-versa.

Point 3 is the Recommended Maximum speed for a given altitude, because the higher the aircraft flies, the lower the maximum thrust available. When the speed reduces below point 3, there is no thrust margin available to accelerate while maintaining a stabilized level flight. Then the only way to stop the deceleration is to lose altitude in order to accelerate beyond point 3. REC MAX is the upper cruise altitude limit.

Figure 61: Thrust versus speed for a jet engine. The Green Dot speed is at the minimum of the drag (thrust required) curve.
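The stability argument for points 1 and 2, written out as an added derivation that is not part of the thesis; it assumes a parabolic drag polar $C_D = C_{D0} + k C_L^2$, level flight ($L = W$) and a thrust $T$ independent of speed:

$$ D(V) = \frac{1}{2}\rho S C_{D0} V^2 + \frac{2 k W^2}{\rho S V^2}, \qquad \frac{dD}{dV} = \rho S C_{D0} V - \frac{4 k W^2}{\rho S V^3} $$

$$ m\frac{dV}{dt} = T - D(V) \;\Rightarrow\; m\frac{d(\delta V)}{dt} \approx -\left.\frac{dD}{dV}\right|_{V_e}\,\delta V \quad \text{for a perturbation } \delta V \text{ about an equilibrium } T = D(V_e) $$

$$ \text{stable} \iff \left.\frac{dD}{dV}\right|_{V_e} > 0 \iff V_e > V_{D_{min}} = \sqrt{\frac{2W}{\rho S}}\left(\frac{k}{C_{D0}}\right)^{1/4} $$

Point 2 lies above $V_{D_{min}}$ (the Green Dot speed), so $\delta V$ decays; point 1 lies below it, where $dD/dV < 0$, so $\delta V$ grows and the equilibrium is unstable.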

Vαprot is the speed corresponding to the maximum angle of attack at which the Alpha Protection becomes active. It is only displayed in normal law. Vαmax, on the other hand, is the speed corresponding to the maximum angle of attack the aircraft can fly in normal law. On the A320 family, Vαprot and Vαmax can have different numerical values on the PFDs because the speeds come from different sources for the two displays (1 and 3 for PFD1, 2 and 3 for PFD2) [23].

At a given weight and configuration, each aircraft has a minimum selectable speed VLS at which the auto-thrust can be engaged, and a maximum speed. VLS is computed as 1.13 Vs@1g at take-off; 1.23 Vs@1g elsewhere, with 0.2g/buffeting; 1.28 Vs@1g in clean configuration. Deliberately flying below VLS could either lead to an activation of the AOA protection on a protected aircraft, or expose the aircraft to a stall if it is not protected, flying in degraded law.

At the cruise altitude, there needs to be a safe margin from these lowest and highest speeds before the flight envelope protection activates. VFE is the maximum speed at which the aircraft can fly with flaps extended. Its value depends on the flap position. Typically, the maximum speed of the aircraft is called VMAX and it is equal to VLE (maximum speed allowed with the landing gear extended) or VFE (see footnote 26) according to the aircraft configuration. VMAX is equal to VMO only in clean configuration. In cruise, VMO is the upper limit of the aircraft flight envelope and it accounts for the structural limits. V_CAS TREND is the airspeed tendency, corresponding to the speed increment in 10 seconds at the current acceleration of the aircraft. It is displayed as an arrow on the PFD.

Evidently, the Air Traffic Control can take action to modify the optimum cruise profile according to the traffic or the weather conditions; otherwise the speeds are computed to optimize the flight performance.

26 VFEN is the predictive VFE at the next flap/slat position, in landing phase.


9 Appendix III - Autopilot engagement

The autopilot engages through two pushbutton switches located on the central section of the FCU (AP1 and AP2). The autopilot (dis)engagement logics are coded in the FMGC, in particular in the Flight Guidance part, both in the command and in the monitor channel. In cruise only one autopilot can be engaged at a time. Both autopilots can be engaged only when the landing or go-around modes are active or armed. When both autopilots are engaged, AP1 has priority and is active while AP2 is in standby; it becomes active if AP1 is lost. An autopilot can be engaged five seconds after lift-off in the active Flight Director mode (if at least one FD is engaged) or in HDG and V/S modes (if no FD is engaged). At the autopilot engagement, the load thresholds on the side stick controllers and on the rudder pedals increase. The autopilot engagement is indicated by the illumination of the corresponding pushbutton switch (three green bars), and the AP1 or AP2 indication appears in the status column on the PFDs.

The pilots can disengage the autopilot by acting on the disengagement pushbutton switch, with the green bars on, or by acting on the side stick controller (or on the pedals), which always has priority over the autopilot system. The autopilot system can disengage in case of detection of a long power failure (LPF) by the power unit. In the event of a short interruption, the engage signal maintains its pre-cut-off state; the final circuits are therefore supplied with back-up currents.

The autopilot engagement is implemented through a hardware part and a software part. The hardware part considers the AP ENGD Boolean generated by the software part, the logic signal FG HEALTHY and the AP switch wired discrete variable from the FCU. The AP ENGD Boolean hardware logic uses the command and the monitoring channels. During the safety test (at power rise) the AP switch signal is inhibited, prohibiting the engagement through the pushbutton switch. The AP ENGD variables are used by the FACs (selection of AUTO mode and acquisition of the yaw axis guidance signals), by the ELACs (selection of AUTO mode and acquisition of the guidance signals for the pitch and roll axes and the nose-wheel steering), by the FCU (illumination of the corresponding pushbutton switch and selection of the FMGCs which generate the AP warning), by the opposite FMGC and by the OWN FMGC. Regarding the engagement conditions of the software part, a flip-flop is set to 1 if all the engagement conditions are active:

• action on the engagement pushbutton switch;
• ground condition: engagement is possible in any mode only if the engines are shut down;
• flight condition: engagement is possible 5 seconds after lift-off.


In order to allow the autopilot engagement, Figure 62, a peripherals check is performed to verify that at least one FAC is available (CMD and MON FAC HEALTHY wired discrete variables) and to check the ELAC AP DISC discrete variables generated by the ELACs; in fact the AP disengages only upon a command from the two ELACs, sent to the FMGC through the FACs. The last necessary and sufficient condition to engage the autopilot is that no stall warning or low energy alarm is triggered.

Figure 62: AP engagement logic

The autopilot disengages in case of any failure in the computation of the characteristic speeds; this is the reason why, to enhance the autopilot authority, the FMGC must be able to compute the backup characteristic speeds in case the FACs are lost. The autopilot disengages if the internal monitor in the FMGC is not healthy or if there is any flight warning from the ADC, IRS or FCU. Other sufficient conditions for the autopilot disengagement are that the rudder trim (OWN and OPP) is not engaged or that the yaw damper (OWN and OPP) is not engaged: the disconnection of either feature leads to the autopilot disengagement. Evidently these conditions are confirmed by the FAC (OWN and OPP) healthy status.

The ELAC can directly send the autopilot disengagement status, and this is the last condition for the autopilot disconnection.
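A worked fault tree for the autopilot disengagement conditions just listed, applying the FTA method of Appendix I (top event, OR/AND gates, qualitative minimal cut sets and quantitative probability, plus the FMECA single-point-failure criterion). This is an added example, not code from the thesis or from Airbus: the event names and failure probabilities are constructed, and the FMGC backup of the characteristic speeds is modelled as a single basic event (assumption).

```python
"""Fault tree analysis (FTA) of the autopilot disengagement conditions of Appendix III.
Added example, not code from the thesis or from Airbus: gate structure follows the
conditions listed in the text; event names and probabilities are constructed."""
from itertools import product


def AND(*children): return ("AND", list(children))
def OR(*children): return ("OR", list(children))


def ap_disengagement_tree(fmgc_backup_speeds):
    """Top event 'AP disengages'. The characteristic speeds are lost when both FACs
    are lost; with the backup mode of the thesis the FMGC backup computation must
    fail as well (assumption: the backup is modelled as one basic event)."""
    speeds_lost = ["FAC_OWN_LOST", "FAC_OPP_LOST"]
    if fmgc_backup_speeds:
        speeds_lost.append("FMGC_BACKUP_LOST")
    return OR(
        AND(*speeds_lost),                                   # no characteristic speeds
        "FMGC_MONITOR_UNHEALTHY",
        OR("ADC_WARNING", "IRS_WARNING", "FCU_WARNING"),
        OR("RUDDER_TRIM_DISENGAGED", "YAW_DAMPER_DISENGAGED"),
        OR("STALL_WARNING", "LOW_ENERGY_WARNING"),
        "ELAC_AP_DISC",                                      # direct ELAC command
    )


def basic_events(tree):
    if isinstance(tree, str):
        return {tree}
    return set().union(*(basic_events(c) for c in tree[1]))


def evaluate(tree, failed):
    """True if the top event occurs for the given set of failed basic events."""
    if isinstance(tree, str):
        return tree in failed
    gate, children = tree
    results = [evaluate(c, failed) for c in children]
    return all(results) if gate == "AND" else any(results)


def minimal_cut_sets(tree):
    """Qualitative FTA: smallest combinations of basic events causing the top event."""
    if isinstance(tree, str):
        return [frozenset([tree])]
    gate, children = tree
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        cuts = [cs for sets in child_sets for cs in sets]
    else:  # AND: one cut set from every child, merged
        cuts = [frozenset().union(*combo) for combo in product(*child_sets)]
    # keep only minimal sets (drop any set that strictly contains another one)
    minimal = {cs for cs in cuts if not any(o < cs for o in cuts)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def single_point_failures(tree):
    """Order-1 cut sets: the single-point-failure criterion of the FMECA critical items."""
    return sorted(next(iter(cs)) for cs in minimal_cut_sets(tree) if len(cs) == 1)


def top_event_probability(tree, p):
    """Quantitative FTA: exact probability by enumerating all states of independent
    basic events. p maps event -> failure probability (missing events never fail)."""
    events = sorted(basic_events(tree))
    total = 0.0
    for state in product((False, True), repeat=len(events)):
        failed = {e for e, f in zip(events, state) if f}
        if evaluate(tree, failed):
            prob = 1.0
            for e, f in zip(events, state):
                prob *= p.get(e, 0.0) if f else 1.0 - p.get(e, 0.0)
            total += prob
    return total


if __name__ == "__main__":
    # Constructed per-flight failure probabilities, not real A320 figures.
    p = {e: 1e-5 for e in basic_events(ap_disengagement_tree(True))}
    p.update(FAC_OWN_LOST=1e-3, FAC_OPP_LOST=1e-3, FMGC_BACKUP_LOST=1e-3)
    for backup in (False, True):
        tree = ap_disengagement_tree(backup)
        print("FMGC backup speeds:", backup)
        print("  single-point failures:", single_point_failures(tree))
        print("  higher-order cut sets:", [sorted(c) for c in minimal_cut_sets(tree) if len(c) > 1])
        print("  P(AP disengages) = %.3e" % top_event_probability(tree, p))
```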


10 Appendix IV – Matlab code

In this appendix, the MATLAB code used for the purposes of this thesis is presented; it simulates the behaviour of the function in Simulink. The code runs the Simulink schema shown in Chapter 4 of this thesis. The Simulink simulation is just a technology demonstrator of the function. All the inputs of the function are simulated and taken as constants, only for the aim of the simulation. In the real aircraft application, these inputs come from the ADIRS, SFCC, FMS and other on-board computers, following the internal monitoring or the aircraft configuration/flight phase. Also the validity of the variables is imposed in the simulation, whereas in the real case it is monitored and checked, provided the physical link is assured. The Simulink model is not a realistic model of the complete aircraft in general, but it tests the correct functioning of the Enhanced Stall Warning system update in terms of:

• Enhanced Stall Warning capacity
  o AOA based stall warning
  o Speed based stall warning
• AOA monitoring and selection upon ADR and IRS failures
• Threshold computations
  o AOA threshold
  o Speed threshold
• Inhibitions
  o At take-off
  o In wind-shear
• Stall warning activation request

ALTER_LAW = true;       % A/C in alternate law
TO_mode = false;        % A/C in take-off mode
WINDSHEAR_act = false;  % Windshear alarm

%% Pins-prog installation, they must be active for the simulations
ESW = true;   % Enhanced Stall Warning pin prog
UAMM = true;  % Unreliable Airspeed Mitigation Means pin prog

%% Speed based ESW
VLS_HEALTHY = 1;    % Lower selectable speed
VSW_HEALTHY = 1;    % Stall Warning speed
VMAX_HEALTHY = 1;   % Maximum speed
VC_3_ADR_FAIL = 0;  % CAS airspeed from ADR 3 failed

%% Speed threshold
N_z = 2;        % load factor N = L/W
VLS = 120;      % [kts]
k = 0.93;       % tuning factor
SPD_REF = 50;   % [kts]

%% AOA based ESW
CLEAN_CONF = true;  % slats below 15 deg
SFCC_LOSS = true;   % both FWC and SFCC out of order
CLEAN_CONS = 13.5;
HYPER_CONS = 22.5;
MACHX = 0.45;
MACH_OWN = 0.5;
MACH_OPP = 0.4;
MACH_3 = 0.47;
BACKUP_LOSS = false;   % Mach backup
ADC_HEALTHY = true;    % ADC source available
ADC_OWN_HLTY = true;   % ADC OWN available
ADC_OPP_HLTY = true;   % ADC OPP available
ADC_3_HLTY = true;     % ADC 3 available

%% UAMM AOA monitoring
AOA_ADC_OWN_VAL = true;   % AOA ADC OWN available
AOA_ADC_OPP_VAL = true;   % AOA ADC OPP available
AOA_ADC_3_VAL = true;     % AOA ADC 3 available
AOA_IRS_OWN_VAL = false;  % AOA IRS OWN available
AOA_IRS_OPP_VAL = false;  % AOA IRS OPP available
AOA_IRS_3_VAL = false;    % AOA IRS 3 available
ELAC_OWN_HLTY = true;     % ELAC OWN available
ELAC_OPP_HLTY = true;     % ELAC OPP available
WATCHDOG_1 = false;       % ELAC watchdog
WATCHDOG_2 = false;

%% AoA selection
ALPHA_ADC_OWN = 25;
ALPHA_ADC_OPP = 26;
ALPHA_ADC_3 = 24;
ALPHA_IRS_OWN = 22;
ALPHA_IRS_OPP = 23;
ALPHA_IRS_3 = 24;

%% SW inhibition in windshear
if WINDSHEAR_act == true
    WINDSHEAR_AVAIL = true;
    WINDSHEAR_WNG = true;
else
    WINDSHEAR_AVAIL = true;
    WINDSHEAR_WNG = false;
end

%% SW inhibition in takeoff
if TO_mode == true
    PITCH_TO = true;
    THR_FLX = true;
    H_1500 = true;
else
    PITCH_TO = false;
    THR_FLX = false;
    H_1500 = false;
end

%% Mach backup from GPS altitude (IRS table)
ALT_GPS = [0, 5000, 10000, 15000, 20000, 24500, 42000]*0.3048;  % [ft] -> [m]
MACH_IRS = [0.529, 0.576, 0.629, 0.688, 0.754, 0.82, 0.82];
alt_gpss = linspace(0, ALT_GPS(end-1));
alt_gpss_1 = linspace(ALT_GPS(end-1), ALT_GPS(end));
a = polyfit(ALT_GPS(1:end-1), MACH_IRS(1:end-1), 2);        % quadratic fit up to 24500 ft
a_1 = polyfit(ALT_GPS(end-1:end), MACH_IRS(end-1:end), 1);  % linear (flat) segment above
mach_irs = polyval(a, alt_gpss);
mach_irs_1 = polyval(a_1, alt_gpss_1);
figure(1)
plot(ALT_GPS, MACH_IRS, 'or')
hold on
plot(alt_gpss, mach_irs, 'b')
plot(alt_gpss_1, mach_irs_1, 'b')
grid
legend('DATA', 'Interpol')
xlabel('Altitude [m]')
ylabel('IRS Mach number')
title('Mach number vs. altitude')

%% AOA stall warning threshold vs. Mach number
MACH = [0.3, 0.4, 0.5, 0.7, 0.78, 0.8];
ALPHA_SW = [8, 7, 6, 4, 3.6, 3.5];
mach = linspace(MACH(1), MACH(end));
a = polyfit(MACH, ALPHA_SW, 2);
alpha_sw = polyval(a, mach);
figure(2)
plot(MACH, ALPHA_SW, 'or')
grid
hold on
plot(mach(2:end), alpha_sw(2:end), 'b')
plot([0, MACH(1)], [ALPHA_SW(1), ALPHA_SW(1)], 'b')  % constant threshold below Mach 0.3
legend('DATA', 'Interpol')
xlabel('Mach number')
ylabel('\alpha_{SW}')
title('\alpha_{SW} vs Mach number')

%% Run the Simulink model and open its subsystems
sim('Schema_Simulink', 10)
open_system('Schema_Simulink/Stall_warning')
open_system('Schema_Simulink/Alpha_ref')
open_system('Schema_Simulink/SW speed based/speed_ref')
open_system('Schema_Simulink/ESW_capacity/ESW_capacity')

Some simulation results are reported. The graphs are not realistic, since the values shown are out of range, because by company policy the real data are strictly confidential. The graphs are reported with the only aim of showing the triggering of the stall warning as a function of the angle of attack or of the speed values.


Figure 63: ESW capacity: in this simulation the ESW is based on AOA

Figure 64: Stall warning triggering. When the voted value (in case of three AOA available), or the average, or the last value is above the set threshold, the alarm is triggered and the autopilot is disconnected. In this simulation all the AOA are available and some uncertainty is introduced in the threshold level. The saturation is forced; in reality the AOA evolution after the AP disengagement depends on the crew.


Figure 65: ESW capacity: in this simulation the ESW is based on speed, after the AOA loss following the ELAC watchdog triggering.

Figure 66: Stall warning triggering when the CAS airspeed is below the speed threshold. Even in this case the values are not real, as is the saturation: after the triggering of the stall warning, the autopilot disconnects and the speed evolution depends on the crew.
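The ESW decision logic that Figures 63 to 66 illustrate (AOA source voting, AOA threshold from the Mach tables, Mach backup from altitude, inhibitions, and the speed-based fallback once the AOA is lost), re-expressed in Python as an added example; it is not the thesis' Simulink model nor Airbus code. The MACH/ALPHA_SW and ALT_GPS/MACH_IRS tables and their fits come from the MATLAB listing above; the Mach source selection, the take-off/wind-shear inhibition flags and the speed threshold taken as an input are assumptions.

```python
"""Enhanced Stall Warning (ESW) activation logic of the Simulink demo, re-expressed in
Python. Added example, not the thesis' Simulink model nor Airbus code: the tables come
from the MATLAB listing; source selection, inhibition flags and the speed threshold
input are assumptions."""
import numpy as np

# Tables of Appendix IV (the thesis declares their values as not representative).
MACH = np.array([0.3, 0.4, 0.5, 0.7, 0.78, 0.8])
ALPHA_SW = np.array([8.0, 7.0, 6.0, 4.0, 3.6, 3.5])
ALT_GPS = np.array([0, 5000, 10000, 15000, 20000, 24500, 42000]) * 0.3048  # [m]
MACH_IRS = np.array([0.529, 0.576, 0.629, 0.688, 0.754, 0.82, 0.82])

_ALPHA_POLY = np.polyfit(MACH, ALPHA_SW, 2)              # same fits as the listing
_MACH_POLY = np.polyfit(ALT_GPS[:-1], MACH_IRS[:-1], 2)
_MACH_LINE = np.polyfit(ALT_GPS[-2:], MACH_IRS[-2:], 1)


def alpha_threshold(mach):
    """AOA stall-warning threshold: constant below MACH[0] (as plotted in the
    listing), quadratic fit over the table, clipped at the last table Mach."""
    if mach <= MACH[0]:
        return float(ALPHA_SW[0])
    return float(np.polyval(_ALPHA_POLY, min(mach, MACH[-1])))


def mach_backup(alt_m):
    """Mach backup from GPS altitude (IRS table), two-piece fit as in the listing."""
    alt_m = min(max(alt_m, 0.0), ALT_GPS[-1])
    poly = _MACH_POLY if alt_m < ALT_GPS[-2] else _MACH_LINE
    return float(np.polyval(poly, alt_m))


def select_mach(adc_mach, adc_valid, alt_m, backup_available=True):
    """Assumption: median of the valid ADC Mach values (OWN, OPP, 3); the Mach
    backup is used when no ADC value is valid; None when the backup is lost too."""
    valid = [m for m, ok in zip(adc_mach, adc_valid) if ok]
    if valid:
        return float(np.median(valid))
    return mach_backup(alt_m) if backup_available else None


def select_aoa(values, valid):
    """Voting of Figure 64: median ('voted value') with three valid sources,
    average with two, the last remaining value with one, None when all are lost."""
    v = [a for a, ok in zip(values, valid) if ok]
    if len(v) == 3:
        return float(np.median(v))
    if len(v) == 2:
        return float(np.mean(v))
    return float(v[0]) if v else None


def stall_warning(aoa, aoa_valid, cas, cas_valid, speed_threshold,
                  mach, mach_valid, alt_m, takeoff=False, windshear=False,
                  backup_available=True):
    """Returns (warning, basis). Inhibited at take-off and in wind-shear (assumed as
    plain flags). AOA-based ESW while an AOA source and a Mach are available;
    speed-based fallback (CAS below the speed threshold, given as an input here)
    once the AOA is lost, as in Figures 63 to 66."""
    if takeoff or windshear:
        return False, "inhibited"
    alpha = select_aoa(aoa, aoa_valid)
    m = select_mach(mach, mach_valid, alt_m, backup_available)
    if alpha is not None and m is not None:
        return bool(alpha > alpha_threshold(m)), "aoa"
    if cas_valid:
        return bool(cas < speed_threshold), "speed"
    return False, "no source"


if __name__ == "__main__":
    # Constructed inputs mirroring the constants of the listing.
    print(stall_warning([25, 26, 24], [True] * 3, 200, True, 115,
                        [0.5, 0.4, 0.47], [True] * 3, 3000.0))   # AOA-based warning
    print(stall_warning([25, 26, 24], [False] * 3, 110, True, 115,
                        [0.5, 0.4, 0.47], [True] * 3, 3000.0))   # speed-based fallback
```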


11 Code List

A/C Aircraft

ADIRS Air Data Inertial Reference System

ADIRU Air Data Inertial Reference Unit

ADM Air Data Module

ADR Air Data Reference

AFS Auto Flight System

AOA Angle of Attack

AP Autopilot

CDS Cockpit Displays System

CLB Climb

DFDR Digital Flight Data Recorder

DMC Display Management Computer

DME Distance Measuring Equipment

ECAM Electronic Centralized Aircraft Monitor

ECU Engine Control Unit

EEC Electric Engine Control

EFCS Electric Flight Control System

EIS Electronic Instrument System

ELAC Elevator Aileron Computer

ESW Enhanced Stall Warning

ETA Estimated Time of Arrival

FAC Flight Augmentation Computer

FADEC Full Authority Digital Engine Control


FCU Flight Computer Unit

FD Flight Director

FDR Flight Data Recorder

FE Flight Envelope

FG Flight Guidance

FM Flight Management

FMA Flight Mode Annunciator

FMGC Flight Management and Guidance Computer

FMGS Flight Management and Guidance System

FWC Flight Warning Computer

GPWS Ground Proximity Warning System

HDG Heading

ILS Instrument Landing System

IPPU Instrumentation Position Pick-off Units

LGCIU Landing Gear Control and Interface Units

MACH Mach number

MCDU Multipurpose Control and Display Unit

PFD Primary Flight Display

SEC Spoiler Elevator Computer

SER Specification Evolution Request

SFCC Slat/Flap Control Computer

SMI Stall Margin Indicator

SPD Speed

SSM Sign Status Matrix

TOGA Take Off / Go Around

UAMM Unreliable Airspeed Mitigation Means

VHF Very High Frequency

VOR VHF Omnidirectional Range


12 References

[1] M. Ricci, Clear 2022 Strategic Plan, 2018.

[2] K. Forsberg and H. Mooz, “The Relationship of System Engineering to the Project Cycle,” October 1991.

[3] A. IDYC, “Autoflight: from systems to flight control laws,” 2010.

[4] B. de Araujo, “AUTOFLIGHT - Deeper in flight control law and autoland,” December 2018.

[5] A. OPERATION, “General AFS Architecture for A318/319/320/321 CEO – System Description Note,” 2002.

[6] R. Borfigat, “SA – Flight Augmentation Computer – General Principles,” 2017.

[7] Airbus, “A320 Primary Flight Control,” 2010.

[8] Airbus, “A320 ATA 31 EIS”.

[9] Airbus, “Flight Augmentation Computer,” 2003.

[10] B. Gilissen, “Quora,” June 2017. [Online]. Available: https://www.quora.com/What-is-A330%E2%80%99s-alpha-protection. [Accessed December 2019].

[11] K. Krishnakumar et al., “Intelligent Control for the BEES Flyer,” 2004.

[12] G. Mitonneau, Interviewee, Certified flight test, Formation FMS. [Interview]. October 2019.


[13] J. Rosay, “What is stall? How a pilot should react in front of a stall situation,” Airbus Safety Magazine, 2011.

[14] P. Traverse, I. Lacaze and J. Souyris, “Airbus Fly-by-wire: A process toward total dependability,” 2006.

[15] G. Travis, “How the Boeing 737 Max Disaster Looks to a Software Developer,” IEEE Spectrum, April 2019. [Online]. Available: how-the-boeing-737-max-disaster-looks-to-a-software-developer. [Accessed February 2020].

[16] Safran Aircraft Engines, “A technological LEAP forward,” 2016. [Online]. Available: https://www.safran-aircraft-engines.com/commercial-engines/single-aisle-commercial-jets/leap/leap-1b. [Accessed February 2020].

[17] D. Slotnick, “Messages reveal a top Boeing pilot knew about problems with the 737 Max's 'egregious' behavior before 2 deadly crashes,” Business Insider France, October 2019. [Online]. Available: https://www.businessinsider.fr/us/boeing-pilot-737-max-mcas-problems-messages-2019-10. [Accessed February 2020].

[18] D. Gates, “Pilots struggled against Boeing’s 737 MAX control system on doomed Lion Air flight,” Seattle Times, November 2018. [Online]. Available: https://www.seattletimes.com/business/boeing-aerospace/black-box-data-reveals-lion-air-pilots-struggle-against-boeings-737-max-flight-control-system/. [Accessed February 2020].

[19] J. Ostrower, “What is the Boeing 737 Max Maneuvering Characteristics Augmentation System?,” The Air Current, November 2019. [Online]. Available: https://theaircurrent.com/aviation-safety/what-is-the-boeing-737-max-maneuvering-characteristics-augmentation-system-mcas-jt610/. [Accessed February 2020].

[20] D. Campbell, “The many human errors that brought down the Boeing 737 Max,” May 2019. [Online]. Available: https://www.theverge.com/2019/5/2/18518176/boeing-737-max-crash-problems-human-error-mcas-faa. [Accessed February 2020].

[21] C. Perrow, Normal Accidents: Living with High-Risk Technologies, Basic Books, 1984.

[22] A. Ma, “Boeing is promising 3 fixes to the faulty system behind the 737 Max crashes to let pilots stop it from forcing the plane into an unstoppable nosedive,” Business Insider France, December 2019. [Online]. Available: https://www.businessinsider.fr/us/boeing-737-max-mcas-fixes-2019-12. [Accessed February 2020].


[23] L. De Baudus et al., “Control your speed in cruise,” Airbus Safety First, 2016.

[24] AdaCore, “Ada on Board: Thales Using AdaCore’s GNAT Pro for Critical Avionics Software,” October 2017. [Online]. Available: https://www.adacore.com/press/ada-on-board-thales-using-adacores-gnat-pro-for-critical-avionics-software.

[25] Airbus, “Flight Crew Operation Manual,” 2002.

[26] Airbus, FCL development before the first flight – Auto-flight from systems to flight control laws, 2010.

[27] Airbus, 2006. [Online]. Available: http://www.airbusdriver.net/airbus_fltlaws.htm.

[28] SKYbrary, “Stall Warning System,” September 2019. [Online]. Available: https://www.skybrary.aero/index.php/Stall_Warning_Systems. [Accessed January 2020].

[29] Airbus Maintenance Training, “Automatic Flight FAC general,” http://wtruib.ru/training_A320F/automatic-flight-fac-general/, 2016.

[30] Airbus Tech, January 2014. [Online]. Available: http://theflyingengineer.com/projects/airbus-tech/landing-gear/.

[31] Airbus, “Fly-by-wire (1980-1987),” [Online]. Available: https://www.airbus.com/company/history/aircraft-history/1980-1987.html. [Accessed February 2020].

[32] Thales Group, “Flight Control System and Computer for Fly-by-Wire Aircraft,” [Online]. Available: https://www.thalesgroup.com/en/flight-control-system-and-computer-fly-wire-aircraft. [Accessed February 2020].

[33] I. J. Twombly, “How it works: fly-by-wire. The computer takes control,” July 2017. [Online]. Available: https://www.aopa.org/news-and-media/all-news/2017/july/flight-training-magazine/fly-by-wire. [Accessed February 2020].

[34] F. Combes, Auto Flight System Familiarization, Toulouse, 2020.

[35] Wilson Kehoe Winingham, “Aviation Accidents: Human Error,” December 2018. [Online]. Available: https://www.wkw.com/aviation-accidents/blog/aviation-accidents-human-error/. [Accessed February 2020].


[36] Airbus EDYC, “Autoflight from system to flight control laws,” 2010.