Tuesday, September 24, 2019

737 AoA and Redundancy

The undetected failure of one Angle of Attack (AoA) sensor can spawn a host of flight deck effects on the Boeing 737. AoA malfunction is the root stimulus that triggered the events that unfolded on Lion Air JT610 and Ethiopian ET302. The challenge is to decrease the likelihood of undetected malfunction while retaining acceptable loss of function. The simplest and most effective strategy is to boost the ability to recognize a failed AoA sensor without reference to any other AoA sensor. The most complex solution would be to install or to derive additional AoA readings and which can still result in malfunction.

Considering "modern" jet airplanes, Boeing airplanes have utilized two AoA sensors and Airbus has used three AoA sensors. Airbus started with a different goal, envelope protection, and designed three channels that each depend on their own sensor. Boeing allows the center "control" channel to use either left or right AoA sensor where applicable. On the 737, there is a center control channel only with optional fail-op autoland.

For reference, the BAC 1-11 had four AoA vanes, and the 737-100/200 just one.

BAC 1-11

737-200

Redundancy serves two basic purposes: The ability to recognize a failure and the ability to operate in the presence of failure. The former objective is met with two sources of data. If the two sources disagree, then the function can be disabled (fail-passive or fail-safe) - effectively suppressing malfunction from one fault. If continued operation is desired, two sources cannot easily resolve which is the correct value. In this case, a third source is provided to break the tie (two over one).

Stall warning is provided as two independent systems. Each side (left and right) operate with their own sensor set and their own output circuits. Each side has a stick shaker and each side can trigger the elevator feel differential pressure circuit (which increases the opposing feel forces to aft column travel).  The concept is either side can trigger stall warning. The benefit is that one failure will only take out one side of the stall warning function - the other side will remain operable. The downside is that each side is susceptible to malfunction from a single failure.

Malfunction is the incorrect or undesired response to a fault or failure. The safest action in response to failure is to do nothing in preference to malfunction. Malfunction comes from using bad data, from faulty logic, from sneak circuits, or from bad hardware. Input signal management works to recognize bad inputs to prevent any effect. Dissimilar processors work to diminish common logic or hardware circuitry effects. Redundant hardware works to diminish single-point hardware effects.

Stall warning uses AoA as the significant sensor input. Adding a third AoA sensor would permit a comparison, for example Left to Center and Right to Center, allowing both Left and Right to compare to Center. But if Center fails, it could take out both Left and Right. Instead, a front-end process must look at all three sources L-C-R and select the AoA that matches the majority, and discounts any outlier. 

While a three channel solution seemingly provides a fail-operative solution, allowing operation in the presence of one failed AoA sensor, it still turns out to be susceptible to simultaneous failures of two AoA sensors out-voting the one good AoA sensor. It has happened a couple of times on A320/A321, one a fatal accident. 

The 2008 fatal accident revealed the flaw in using majority rules with three AoA sensors.

Flight GXL888T from Perpignan – Rivesaltes aerodrome was undertaken in the context of the end of a leasing agreement, before the return of D-AXLA to its owner. The programme of planned checks could not be performed in general air traffic, so the flight was shortened. In level flight at FL320, angle of attack sensors 1 and 2 stopped moving and their positions did not change until the end of the flight. After about an hour of flight, the aeroplane returned to the departure aerodrome airspace and the crew was cleared to carry out an ILS procedure to runway 33, followed by a go around and a departure towards Frankfurt/Main (Germany). Shortly before overflying the initial approach fix, the crew carried out the check on the angle of attack protections in normal law. They lost control of the aeroplane, which crashed into the sea.
Equipment Qualification 
To ensure compliance with the regulatory requirements, the minimum levels of performance applicable to each item of equipment, in all of the specified operating conditions, are defined in the technical standard order for the equipment, if it exists (in the case of AOA sensors, TSO C54 issued by the FAA or ETSO C54 issued by EASA). The AOA sensors installed on aeroplanes in the A320 family comply with these technical standard orders, meet the specifications set by Airbus and are approved to be installed on these aeroplanes. However, during the investigation, it was noted that for the impermeability tests, undertaken by the equipment suppliers to demonstrate compliance with the minimum levels of performance defined by the technical standard orders, the installation conditions for the AOA sensors were different from those on the aeroplane. 
Even if this difference between the installation of the AOA sensors during the impermeability tests and in operation did not contribute to the accident, it nevertheless constitutes a safety loophole and this is why the BEA recommends:  
That EASA, in liaison with the other regulatory authorities, ensures that, in order to certify the adequacy of an item of equipment in relation to the regulatory requirements as well as to the specifications defined by a manufacturer, the equipment installation conditions during tests performed by equipment manufacturers are representative of those on the aeroplane.


The 2014 incident triggered an Airworthiness Directive and AoA sensor replacement.
An occurrence was reported where an Airbus A321 aeroplane encountered a blockage of two Angle of Attack (AOA) probes during climb, leading to activation of the Alpha Protection (Alpha Prot) while the Mach number increased. The flight crew managed to regain full control and the flight landed uneventfully. 
When Alpha Prot is activated due to blocked AOA probes, the flight control laws order a continuous nose down pitch rate that, in a worst case scenario, cannot be stopped with backward sidestick inputs, even in the full backward position. If the Mach number increases during a nose down order, the AOA value of the Alpha Prot will continue to decrease. As a result, the flight control laws will continue to order a nose down pitch rate, even if the speed is above minimum selectable speed, known as VLS. 
This condition, if not corrected, could result in loss of control of the aeroplane.
Investigation results indicated that A320 family aeroplanes equipped with certain UTC Aerospace (UTAS, formerly known as Goodrich) AOA sensors, or equipped with certain SEXTANT/THOMSON AOA sensors, appear to have a greater susceptibility to adverse environmental conditions than aeroplanes equipped with the latest Thales AOA sensor, Part Number (P/N) C16291AB, which was designed to improve A320 aeroplane AOA indication behaviour in heavy rain conditions. 
Having determined that replacement of these AOA sensors was necessary to achieve and maintain the required safety level of the aeroplane, EASA issued AD 2015-0087, retaining the requirements of EASA AD 2012-0236R1, AD 2013-0022 (partially), and AD 2014-0266-E, which were superseded, and requiring the insertion of an Emergency Procedure in the Aircraft Flight Manual (AFM), modification of the aeroplanes by replacement of the affected P/N sensors, and, after modification, prohibiting (re-)installation of those P/N AOA sensors. That AD also required repetitive detailed visual inspections (DET) and functional heating tests of certain Thales AOA sensors and provided an optional terminating action for those inspections. 
After EASA AD 2015-0087 was issued, based on further analysis results, Airbus issued Operators Information Transmission (OIT) Ref. 999.0015/15 Revision 1, instructing operators to speed up the removal from service of UTAS P/N 0861ED2 AOA sensors. Consequently, EASA issued AD 2015-0135, retaining the requirements of EASA AD 2015-0087, which was superseded, but reducing the compliance times for aeroplanes with UTAS P/N 0861ED2 AOA sensors installed. 
EASA AD 2015-0135 was revised to remove the requirement for repetitive DET of certain Thales AOA sensors, and to allow, for certain configurations of AOA sensors and Elevator Aileron Computer (ELAC), the removal of the Emergency Procedure from the AFM.
Since EASA AD 2015-135R2 was issued, it was determined that the AFM Emergency Procedure can also be removed for other AOA sensors and ELAC configurations. This AD revises paragraph (20) accordingly.
An outcome was a renewed interest in detecting AoA failures without regard to any other AoA sensor. In the first place, due to a host of factors, AoA sensors do not output exactly the same value, there will always be some differences. In the second place, as we have learned, two AoA sensors could fail simultaneously.  A very interesting paper was produced in 2016 that describes the types of failures that AoA sensor outputs might introduce with means to detect them using other data and sensor inputs. 



Of direct application are the ability to recognize a large bias error and a fast sensor drift error. 


JT610 encountered a large bias error. This can be detected during the takeoff roll and during stable cruise flight. ET302 encountered both large bias error and fast sensor drift error. The fast sensor drift error would have been apparent instantly. The JT610 captain's AoA sensor should have been declared failed before the airplane took off. The ET302 captain's AoA sensor should have been declared failed within a few seconds from the fault occurring. In both cases, the failed AoA sensor should not have triggered stall warning. 

A second flight deck effect is related to Air Data Compensation. Due to accuracy objectives, notably for RVSM, the air data static port is compensated by angle of attack.  Using incorrect AoA will drive airspeed and altitude away from their correct value (tens of knots, hundreds of feet) and can trigger disagree alerts. The combination of stall warning and uncertainty over airspeed is a special kind of hell. The whole point of AoA-based stall warning is to avoid any reliance on airspeed or air data. But the AoA malfunction has the opposite effect.

Airspeed (IAS) Disagree Alert
Note: If the AoA malfunction indicates excessive AoA angles, then the minimum speed indications are pushed up against current airspeed
Altitude (ALT) Disagree Alert
The objective with Air Data compensation is fail-operational, one AoA sensor should not necessarily take out a whole Air Data output. With two AoA sources to draw from, each Air Data Computer (Air Data, Inertial Reference Unit, ADIRU), could rely on the "off-side" AoA if the "on-side" AoA is not available. Key to that logic is properly declaring the AoA failed. In the case of JT610 and ET302, the Captains airspeed and altitude were driven offset by the use of the malfunctioning AoA data. 

Stall Warning is performed in the Stall Management Yaw Damper (SMYD). The SMYD and the ADIRU each are connected to the AoA resolver (analog electrical) output.  Both systems each must perform their own test to determine if the AoA sensor is failed.  In this case, both systems would need to conduct their own battery of tests to confirm the health of the AoA sensor. Had the ADIRU performed the large bias test and the fast sensor drift test, then there would have been no airspeed or altitude disagree.

L-SMYD L-AoA interface

L-ADIRU L-AoA Interface
Finally, AoA is used by MCAS. Boeing has proposed that MCAS be fail-passive, and to use both AoA sensors to reveal any single failure.  As mentioned earlier, it does remain susceptible to simultaneous, dual failures. However, the FCC (which performs MCAS) receives AoA from the ADIRU, which should detect any failure independently.

The false triggering of stall warning and the simultaneous presentation of airspeed and altitude disagree create high workload for the flight crew. The addition of simple tests to detect AoA sensor malfunction without regard to another AoA sensor should prevent the flight deck effects and permit confident use of a remaining single AoA sensor. The addition of a third AoA sensor on top of enhanced failure detection may have only minimal benefit in availability. The use of a third AoA sensor without enhanced failure detection may result in lower availability and higher complexity.

The issues with AoA driving stall warning and air data are somewhat generic, certainly across 737, but also to other Boeing airplanes, for example 747-400.


It would not be reasonable to persist 737 MAX grounding solely on the basis of false trigger of stall warning or airspeed/altitude disagree due to undetected AoA sensor failure, when the same issues are present on other 737 models and other Boing models. It would be far more palatable to issue an AD or otherwise compel Boeing to enhance AoA failure detection in both the ADIRU and SMYD in an expeditious manner on all 737, and to look at all other models as well.



Peter Lemme

peter @ satcom.guru
Follow me on twitter: @Satcom_Guru
Copyright 2019 satcom.guru All Rights Reserved

Peter Lemme has been a leader in avionics engineering for 38 years. He offers independent consulting services largely focused on avionics and L, Ku, and Ka band satellite communications to aircraft. Peter chaired the SAE-ITC AEEC Ku/Ka-band satcom subcommittee for more than ten years, developing ARINC 791 and 792 characteristics, and continues as a member. He contributes to the Network Infrastructure and Interfaces (NIS) subcommittee developing Project Paper 848, standard for Media Independent Secure Offboard Network.

Peter was Boeing avionics supervisor for 767 and 747-400 data link recording, data link reporting, and satellite communications. He was an FAA designated engineering representative (DER) for ACARS, satellite communications, DFDAU, DFDR, ACMS and printers. Peter was lead engineer for Thrust Management System (757, 767, 747-400), also supervisor for satellite communications for 777, and was manager of terminal-area projects (GLS, MLS, enhanced vision).

An instrument-rated private pilot, single engine land and sea, Peter has enjoyed perspectives from both operating and designing airplanes. Hundreds of hours of flight test analysis and thousands of hours in simulators have given him an appreciation for the many aspects that drive aviation; whether tandem complexity, policy, human, or technical; and the difficulties and challenges to achieving success. 

5 comments:

  1. alex englishSeptember 24, 2019 at 2:30 AM

    Bingo! Thanks for the excellent summary. Pilots are Kings, coders keep them in power.

    ReplyDelete
  2. AnonymousSeptember 25, 2019 at 2:03 PM

    Why not use an Accelerometer and/or gyro system to verify AOA sensor values?
    Using multiple AOA sensors, you are still prone to common malfunctions, such as icing etc.
    Using an independent means of pitch sensing would negate the common malfunctions?

    ReplyDelete
  3. AnonymousOctober 6, 2019 at 9:15 AM

    Are the data flight recorder tracings input directly from the AOA vane, or are they fed from the flight control computer? I'm just trying to isolate where the bad data is originating from. Thank you, Richard

    ReplyDelete
  4. John KnoxJanuary 15, 2020 at 11:12 PM

    I think this is an excellent summary also. I believe it would be propitious if Boeing would examine methods of enhanced detection and isolation of angle of attack sensor faults as mentioned in the included reference and many other references. Some of these include angle of attack models as in the simulator. They likely would not be used in this case but could be used in the future. Boeing has apparently decided to keep the 737MAX8 with about 4500 orders. That means it will be around for a long time. All the attention has been on the sensor. I question that suppose one had a perfect sensor and well-designed system then would the design flaw in the airframe be corrected? It seems to me that Boeing has constructed an airframe whose aerodynamics is not well known and is difficult to predict. I hope the engine position does not require a redesign. If the CG is actually moved forward significantly it would degrade the ride qualities. It seems that without much doubt the A320NEO is the better airplane.

    ReplyDelete
  5. TomMarch 10, 2020 at 1:23 AM

    Maybe it's time to stop using mechanical, Vane Type, AoA sensors. Textron currently equips the Beech and Cessna line with leading edge AoA sensors, which still require heat but have no moving parts. There are also the type that use differential pressure on a pitot probe. I think the industry needs to evaluate the high failure rate of the vane type mechanical probe. I would like to see an analysis of the failure rates and reliability, pros vs cons. of the different types. The existing failure rate should be part of the calculation of having a safe system and I see this a a key place where improvement needs to be made.

    ReplyDelete

Subscribe to: Post Comments (Atom)