Tuesday, November 20, 2018

737 FCC Pitch Axis Augmentation - Command Integrity Mandate for Dual Channel, Fail-Safe

A line is drawn between primary flight controls, which the pilot handles directly through control column, rudder pedal, and stabilizer trim, and automatic control, such as the autopilot, which manages the same surfaces through computer command.

The Yaw Damper is an example of an automatic flight control system added to the airplane to augment flight characteristics. The Yaw Damper operates regardless of whether the airplane is under manual pilot control or automatic flight control.

FCC Pitch Axis augmentation (Mach Trim, Speed Trim, and MCAS) commands may be based on a single sensor input. These commands should be checked against a calculation based on a second sensor set before becoming valid. A software update to the FCC may provide support for a dual channel mandate.


REVISED 1:01pm 20 Nov 2018
NOTE
The figures and text in italics are copied from an unofficial 737NG maintenance manual as a means to inform the user of the issues under discussion.
This information is revealed under fair use, and may not be fully accurate.


There are two Stall Management Yaw Dampers (SMYD) on a 737NG. The 737MAX does not use a separate SMYD "box"; rather, the functions have migrated to other "boxes". The following discussion follows the 737NG architecture as a point of reference.

Both SMYDs have to be operational for a primary yaw damper command.
The two SMYDs are the same. When a SMYD LRU is put in position 1, it does the primary yaw damper function during normal operations.
For primary yaw damping, both SMYDs must be operational because SMYD 1 compares its yaw damping calculations with SMYD 2 before it commands rudder movement.
For primary yaw damping, SMYD 2 monitors the yaw damping calculations of SMYD 1. These calculations must agree before SMYD 1 commands rudder movement. If the calculations of the two SMYDs do not agree, primary yaw damping disengages. 
SMYD 1 uses the main rudder PCU to move the rudder for the primary yaw damper function. For primary yaw damping, SMYD 1 compares its yaw damping calculations with SMYD 2 before it sends a command to the main rudder PCU. If the SMYD 2 calculations disagree or if SMYD 2 fails, the yaw damper function in SMYD 1 disengages even though SMYD 2 is not used for primary yaw damping.

SMYD 1 is used for primary yaw damping and is connected to both ADIRUs and the left AOA sensor for inputs.

SMYD 1 Primary Yaw Damper Command

SMYD 2 is used to match SMYD 1 primary yaw damper commands, and is available as a backup under certain conditions when SMYD 1 is not available.  SMYD 2 uses both ADIRUs and the right AOA sensor for inputs.
SMYD 2 commands rudder movement for WTRIS and standby yaw damping and turn coordination during flight control manual reversion when on standby hydraulics. SMYD 2 receives data from airplane sensors, switches and components, and uses the data to calculate and send commands to the standby rudder PCU to move the rudder.
SMYD 2 Standby Yaw Damper Command

The Flight Control Computer (FCC) is a key component of the dual channel autopilot system.

While engaged, even single channel, the FCC uses inputs from both ADIRUs to avoid a potential issue if one ADIRU produces false data.
Normally, the FCCs use pitch and heading data from the on-side IRS and roll data from the off-side IRS. The autopilot will engage only if the IRS transfer switch is in the NORMAL position. This is to prevent a possible ADIRU failure that could cause a pitch and roll hardover or a yaw damper and elevator hardover. 
Three FCC functions have been deployed to the 737 that are active while the pilot is flying manually.
  1. Mach Trim
  2. Speed Trim System (STS)
  3. Maneuvering Characteristics Augmentation System, MCAS (737 MAX only)
Mach Trim
As the speed of the airplane increases, the nose starts to drop. This is called mach tuck. When the airplane airspeed is more than mach 0.615, the mach trim function gives an up elevator to keep the nose of the airplane level. This function operates with or without the autopilot engaged or the flight director on.
Speed Trim
When the engine thrust is high and the airspeed is low, the speed trim function keeps the speed set by the pilots with commands to the horizontal stabilizer. This function primarily occurs during takeoff and only operates when the autopilots are not engaged. The flight directors may be on or off.
MCAS
MCAS (Maneuvering Characteristics Augmentation System) is implemented on the 737 MAX to enhance pitch characteristics with flaps UP and at elevated angles of attack. 
The MCAS function commands nose down stabilizer to enhance pitch characteristics during steep turns with elevated load factors and during flaps up flight at airspeeds approaching stall. 
MCAS is activated without pilot input and only operates in manual, flaps up flight. 
The system is designed to allow the flight crew to use column trim switch or stabilizer aisle stand cutout switches to override MCAS input. 
The function is commanded by the Flight Control computer using input data from sensors and other airplane systems. 
The MCAS function becomes active when the airplane Angle of Attack exceeds a threshold based on airspeed and altitude. Stabilizer incremental commands are limited to 2.5 degrees and are provided at a rate of 0.27 degrees per second. 
The magnitude of the stabilizer input is lower at high Mach number and greater at low Mach numbers. 
The function is reset once angle of attack falls below the Angle of Attack threshold or if manual stabilizer commands are provided by the flight crew.
If the original elevated AOA condition persists, the MCAS function commands another incremental stabilizer nose down command according to current aircraft Mach number at actuation.
Mach trim applies a command to the elevator.

Speed trim and MCAS apply a command to trim the stabilizer.

Based on information available, in all three cases of autopilot augmentation, only one FCC produces the valid command, and that FCC command is based on only a single sensor set.
Only one FCC can control the mach trim actuator at a time. The IFSAU receives the FCC select signal from FCC B. This signal controls a relay in the IFSAU to find which FCC will give the mach trim actuator signals. The IFSAU sends the mach trim select status signal to the FCCs to show which FCC is in control. The IFSAU then sends mach trim power and motor drive signals to the mach trim actuator.
Only one FCC at a time supplies the speed trim signal to the stabilizer trim electric actuator. When the FCCs get electrical power, FCC A supplies the speed trim signals. If power remains on the FCCs, the on ground signal from the proximity switch electronics unit (PSEU) switches the FCC which supplies the speed trim signals. If one FCC fails, the other FCC automatically supplies the speed trim signal. 
Each FCC is comprised of two processors, each of which performs independently.

Each FCC has two 16-bit CPUs. The two processors have different part numbers to make sure that a design problem is not in both processors. The CPUs calculate different commands. This prevents a failure of both autopilot (A/P) pitch and roll commands at the same time.

The CPU 1 calculates these commands:
* Flight director (F/D) pitch and roll commands
* Mach trim commands
* Stabilizer and speed trim commands
* Altitude alert commands
* A/P roll commands in cruise and approach
* A/P pitch commands in cruise
* A/P alternate pitch commands in approach
* Autoland (approach, flare, go-around) monitor
* Aileron limiter signals
* Engage/interlock high signal
* Mode and annunciator warning logic.

The CPU 2 calculates these commands:
* A/P pitch commands in approach
* A/P alternate roll commands in approach
* Stabilizer and speed trim warnings
* Aileron limiter monitor
* Autoland monitor
* Engage/interlock low signal
* Software data loader.

While the autopilot is engaged, both CPUs are utilized to ensure a single CPU error is detected.
When in the approach mode, the CPUs calculate the same roll and pitch commands. The CPUs compare these commands before they send them to the A/P actuators. When in autoland, the two processors look at sensor data to make sure the control surfaces move correctly. Also, both CPUs continue to look at engage and interlock signals.
If the commands or signals do not agree, either CPU can disengage the autopilot. This occurs because the MCP needs the high and the low engage/interlock signal to engage the autopilot and keep it engaged. The CPU 1 can remove the high signal and the CPU 2 can remove the low signal.
For Mach trim, Speed trim, and possibly MCAS, the single active FCC CPU#1 command is made regardless of CPU#2, and regardless of the non-active FCC.

Active FCC CPU#1 commands are made based on a single sensor set. Active FCC CPU#2 raises an alert if the output command disagrees with the CPU#1 calculation, but does not stop the CPU#1 command.

Mach Trim

Speed Trim

It appears CPU#2 is using the same sensor data as CPU#1, making it susceptible to a common failure, using the same valid but false data.

There is a cross-talk bus between the FCCs to allow sharing of sensor data. This may be already occurring in some cases.

A failure causing primary flight controls to not respond to pilot command, whether elevator or stabilizer, is a hazardous situation.

Timely action by the flight crew to stop false command to elevator or stabilizer may be necessary to avoid losing control of the airplane. 

While alerting and switching is available to inform the flight crew, their timely response cannot be assured. 

The FAA issued an Airworthiness Directive drawing attention to the hazard created in the response to a single failed sensor causing false commands to trim stabilizer.
This AD was prompted by analysis performed by the manufacturer showing that if an erroneously high single angle of attack (AOA) sensor input is received by the flight control system, there is a potential for repeated nose-down trim commands of the horizontal stabilizer. We are issuing this AD to address this potential resulting nose-down trim, which could cause the flight crew to have difficulty controlling the airplane, and lead to excessive nose-down attitude, significant altitude loss, and possible impact with terrain.
Conclusion and Recommendation
The integrity of an autonomous command to the primary flight controls should not normally be based on a single set of sensor data.  Fail-Safe assurances need to account for sensor malfunction.

Of the Boeing types, only the 737 provides Mach trim, Speed trim, or MCAS functions for manual flight. As far as I am aware, no other Boeing models use the FCC to augment pitch axis while under manual flight control.

The Yaw Damper architecture is an example of a dual-channel philosophy.  

The FCC engaged-mode calculations, even single channel, depend on two sensor systems to prevent inappropriate response to a single sensor failure.  Yet no such feature exists for FCC commands while not engaged.

The Mach trim, Speed trim, and MCAS commands should be valid, normally, only if all three conditions apply:
  1. more than one sensor input agrees
  2. sensor data is valid and reasonable
  3. both FCCs' CPU commands agree
A dual channel mandate would require CPU#1 from FCC#1 and CPU#1 from FCC#2 to both calculate commands. The active FCC command is valid only if it agrees with the non-active FCC command calculation.

A dual channel mandate could require CPU#2 from FCC#1 and FCC#2 to both calculate commands and to compare that to their CPU#1 command values.  A difference by either FCC CPU#2 should raise a flight deck alert.

The Mach trim, Speed trim, and MCAS commands should probably be inhibited while only one sensor or one FCC is available. In each case, pilot awareness of the loss of augmentation may be the safest course of action. 
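
The three validity conditions listed above, together with the inhibit-on-single-channel behaviour, as an added Python sketch (not code from the FCC or from the maintenance manual). The tolerances, the AOA plausibility range and the sign convention are assumed values for illustration; only the 2.5 degree increment limit is taken from the text quoted earlier.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed illustration values, not Boeing figures.
AOA_VALID_RANGE_DEG = (-20.0, 40.0)  # plausibility window for one AOA sensor
AOA_AGREE_TOL_DEG = 5.0              # allowed left/right AOA disagreement
CMD_AGREE_TOL_DEG = 0.1              # allowed FCC-to-FCC command disagreement
MAX_INCREMENT_DEG = 2.5              # stabilizer increment limit quoted above


@dataclass
class Channel:
    """One FCC channel: its own AOA input and its own command calculation."""
    aoa_deg: Optional[float]       # None = sensor flagged failed or unavailable
    stab_cmd_deg: Optional[float]  # None = this FCC is unavailable


def sensor_reasonable(aoa_deg: Optional[float]) -> bool:
    """Condition 2: the sensor value is present and physically plausible."""
    lo, hi = AOA_VALID_RANGE_DEG
    return aoa_deg is not None and lo <= aoa_deg <= hi


def validate_command(active: Channel, monitor: Channel) -> Tuple[Optional[float], str]:
    """Return (command, reason); command is None when augmentation is inhibited.

    Fail-safe: any missing or disagreeing input removes the command instead of
    letting the active channel act alone on a single sensor set.
    """
    if not (sensor_reasonable(active.aoa_deg) and sensor_reasonable(monitor.aoa_deg)):
        return None, "INHIBIT: sensor invalid or unavailable"
    # Condition 1: more than one sensor input agrees.
    if abs(active.aoa_deg - monitor.aoa_deg) > AOA_AGREE_TOL_DEG:
        return None, "INHIBIT: sensor disagree"
    # Condition 3: both FCCs calculated a command and the results agree.
    if active.stab_cmd_deg is None or monitor.stab_cmd_deg is None:
        return None, "INHIBIT: single FCC"
    if abs(active.stab_cmd_deg - monitor.stab_cmd_deg) > CMD_AGREE_TOL_DEG:
        return None, "INHIBIT: FCC command disagree"
    # Authority limit applied last (negative = nose down, assumed convention).
    cmd = max(-MAX_INCREMENT_DEG, min(MAX_INCREMENT_DEG, active.stab_cmd_deg))
    return cmd, "VALID"


if __name__ == "__main__":
    # Constructed cases: healthy pair, then one erroneously high AOA input.
    print(validate_command(Channel(6.0, -0.5), Channel(6.4, -0.5)))
    print(validate_command(Channel(22.0, -2.5), Channel(5.0, 0.0)))
```

In the second constructed case the active channel alone would have commanded full nose-down trim; the cross-channel sensor check removes the command and leaves the reason string available for a flight deck alert.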

A decision to revert to a single channel mode, if dual channel is not available, must balance the benefit of augmentation against the potential for false commands, and where the false commands may be persistent.

The existing dual FCC architecture may be capable of supporting a dual mandate for Mach Trim, Speed Trim, and MCAS. 

The changes necessary to create the dual channel mandate may be limited to FCC software revision only.

There has been no significant incident that I am aware of implicating malfunction of the Mach trim or Speed trim system, in decades of service.

The heightened awareness of MCAS as a result of the AD provides the ready backstop, where crews are quick on the draw to flip the autopilot trim cutout switch.

Further, maintenance issues may be a factor in limiting exposures.

The benefits from a dual channel solution are limited in scope, but worthy of pursuit in some fashion. Certainly, a fail-safe architecture should be applicable going forward.

Stay tuned!

Peter Lemme

peter @ satcom.guru
Copyright 2018 satcom.guru All Rights Reserved

Peter Lemme has been a leader in avionics engineering for 37 years. He offers independent consulting services largely focused on avionics and L, Ku, and Ka band satellite communications to aircraft. Peter was chairman of the SAE-ITC AEEC Ku/Ka-band satcom subcommittee, developing ARINC 791 and 792 characteristics and contributes to the Network Infrastructure and Interfaces (NIS) subcommittee developing Project Paper 848, standard for Media Independent Secure Offboard Network.

Peter was Boeing avionics supervisor for 767 and 747-400 data link recording, data link reporting, and satellite communications. He was an FAA designated engineering representative (DER) for ACARS, satellite communications, DFDAU, DFDR, ACMS and printers. Peter was lead engineer for Thrust Management System (757, 767, 747-400), also supervisor for satellite communications for 777, and was manager of terminal-area projects (GLS, MLS, enhanced vision).

An instrument-rated private pilot, single engine land and sea, Peter has enjoyed perspectives from both operating and designing airplanes. Hundreds of hours of flight test analysis and thousands of hours in simulators have given him an appreciation for the many aspects that drive aviation; whether tandem complexity, policy, human, or technical; and the difficulties and challenges to achieving success.

10 comments:

  1. You have done an outstanding job in explaining the vulnerability of the Mach trim, Speed trim and especially the MCAS system and what MUST be implemented to make those systems safer. Boeing needs to update the software ASAP and ALL airlines operating the 737 MAX 8 and 9 should demand that it be done ASAP as well.
    Thank you again for this article.

  2. So what is it that pilots simply cannot fly planes without computers, any more?

  3. Pilots can fly fine if they just shut off the computers. The problem is trying to fly with a broken computer.

  4. Great explanation!
    The problem is to fly with a broken computer that commands a system you are unaware of!!

  5. Is there an Angle of Attack Indicator visible to the pilots other than thru the HGS (HUD) system? Seems as if there was, it would be very intuitive for the pilots to be able to have more confidence in reverting to manual control rather than allowing the automated (and very possible at times erroneous) system to drive the aircraft nose down from which the pilots may not respond in a timely manner or with a reluctance to disengage the automated system(s)

    1. The gap from the current pitch attitude and the pitch limit indicator PLI, if visible, is the margin to stick shaker. The speed tape gap from current speed to top of the red barber pole is the margin to stick shaker. Angle of Attack is most relevant at high values, or where there is low margin. The PLI and speed tape "gaps" shrink as you approach stick shaker. Boeing believes these displays are better integrated into the normal scan and control tasks and serve an equivalent purpose. Approach speed is compared top of the yellow bar performance comparison.

    2. Peter - - that's a lot of technical explanation of a display that I am not sure can be quickly viewed in a high task loaded situation that the pilots are not accustomed to. In other words, how often have they been subjected to the "Shrinking Gaps" for the "equivalent purpose" - - how could they be? Are there any Boeing 737 Max flight simulators? My understanding is that there are none. So the old adage "Keep it simple" could be better realized by a single analog angle of attack indicator which is independent of all the sophisticated "equivalent purpose" displays which may not quite fill the need - - you seem to address "Approach Speed" and "Yellow bar performance comparison". Angle of attack is not really predicated on airspeed, but simply the angle between the relative wind and the chord line of the wing - - nothing to do with airspeed, although there can be a correlation. Neither is it configuration dependent - - so with the landing gear up and flaps retracted after takeoff, if the pilots control the angle of attack regardless of the airspeed, the aircraft will not stall. Trying to understand a shrinking speed tape may or may not be as intuitive as parking the angle of attack indicator needle at a value of 3 O'Clock (optimum angle of attack on most aircraft that I have experienced) or at a lesser angle of attack (more towards 4 or 5 O'Clock). In point of fact, from my background - - I have never been involved with any jet aircraft that didn't have an analog angle of attack system, other than the B-737. The North American T-2, The Douglas TA-4, the F-4 Phantom II, Jet Commanders, Learjets, etc - - all had angle of attack systems and analog indicators. Some were called other things, but they all represented the angle between the relative wind and chord line of the airfoil. Perhaps an angle of attack system could be better for approaches vs airspeed - - when making precision approaches to aircraft carriers, the Navy opted for angle of attack on final.
So, to restate my position - - the crews were not on approach, thus the "Shrinking Speed Tape Gap" possibly was not as intuitive as a simple AOA analog needle. And, let me ask - - if a single angle of attack sensor fails on the 737 MAX, will that be manifest in any way into the speed tape display - - just curious.

    3. This is the basic Boeing display - it is on all models. Boeing has had no difficulty with the presentation or with understandings - it is their objective to make it easy to grasp. Of course the AOA indicator is now available as a no-cost option. I personally don't have any issue with keeping airspeed in the normal range. Yes, with AoA reading higher than it should, it would bias both minspeed and PLI towards current speed and altitude.

      http://www.boeing.com/commercial/aeromagazine/aero_12/aoa.pdf
      https://www.icao.int/Meetings/LOCI/Presentations/Dedicated%20to%20innovation%20in%20aeropspace.pdf

    4. When this SLF took time to look up what AOA really means, there seemed to be 2 basic versions- One is airflow relative to wing chord, and the other is relative to centerline of body with then calculations to get to basic wing chord. Probably makes little real world difference. But in my search I found a document which is essentially how Boeing defines AOA along with a good description of effects, etc.

      boeing version

      John Cashman Boeing Director flight operations “ operational use of Angle of Attack "- year 2000
      Gives Boeing definition and how used.

      www.boeing.com/commercial/aeromagazine/aero_12/aoa.pdf

      And how Boeing uses a 3rd ( inertial ) system as a fallback of two AOA and other sensors

      www.ata-divisions.org/S_TD/pdf/other/IntroducingtheB-787.pdf

      See pages 38 to 42

      Tom Dott ISASI Sept 2011 “ introducing the 787 “ - look at pages 40 and 41 re INS compare to normal sensors

      Although late to show, the above may help to reduce some of the confusion re Boeing view of AOA and display and why really "not " needed since IMHO they seem to believe if not a fighter landing on a carrier, etc, AOA display not used by normal commercial.



