Could there be too much automation on the plane?
In the process of discussing my article on finding errors in the software of an aircraft engine controller (FADEC), a number of issues were raised that were not directly related to the topic of that article. Seeing quite a lot of interest from readers in aviation-computer topics, I decided to tell about another quite well-known in narrow circles stories where an error in the logic of the system gave the crew some very interesting points, and the manufacturer a lot of headaches. Just in case, a warning - if you think that you can pick up aerophobia (or you already have one), then it is better not to turn the page.
So, in 2005, the first flight of the Dassault Falcon 7X aircraft took place, and a couple of years later the first aircraft of this type were handed over to customers. Falcon 7X is a representative of ultra-long business jets (currently cost under $ 60 million) with one very significant feature - this is the first business jet built on the principle of Fly-By-Wire (FBW). Although this technology has been used for a long time on passenger aircraft, the 7X was the first business aircraft in which, in general, all primary controls operated according to the FBW architecture.
I have a fairly general idea of ​​7X (so far, unfortunately, I do not have a rating for piloting this model), so I apologize in advance if I can’t talk about some nuances in all the subtleties, and it’s not necessary here.
The FBW technology implies (in most cases) not only the absence of a direct connection between the drivers (steering wheel / side stick, pedals) with control surfaces (ailerons, rudders and altitude), but also a completely different approach in the interaction of the pilot with the aircraft.
In a classic airplane, the pilot controls the position of the control surfaces directly, using them to force the airplane to perform the required evolutions. In the FBW architecture, the pilot tells the plane (or rather, the control computer) what exactly you want to receive from the aircraft, and the computer itself decides how to achieve this (which steering surfaces and how many to use). A pilot means both a person and an autopilot - this does not change the essence of the matter.
')
A small example is simple straightforward flight. On an ordinary plane in the steady state, you do not need to do anything until, until you meet, for example, a little turbulence. As soon as the local perturbation of the air environment changed the position of the aircraft, the pilot should immediately parry this change using the controls. The plane tilted to the left and, accordingly, began to turn in the same direction - it means that using the helm we activate the ailerons, return the aircraft to its previous horizontal position, turn right to compensate for the previous turn, then return to the previous course, then finally return the ailerons to neutral same position. On an airplane with FBW to ensure a straight flight, you need to set the steering wheel to set straight, and ... that's it! Now the plane knows that he needs to fly straight, and he solves this problem on his own. A gust of wind is okay, the system uses the ailerons on its own and the rest is required - the pilot does nothing at all. If it is necessary to maneuver, you do not need to worry about the effect of the speed and weight of the aircraft on its “responsiveness” - the aircraft will always respond in exactly the same way to a certain deviation of the helm The classic aircraft, the more it is loaded and the slower it flies, the more “sluggish” it is to respond to the controls.
Another FBW provides protection against the launch of the aircraft in the "wrong" flight modes. For example, if the plane flies slowly, close to the stalling speed, then how not to pull the steering wheel towards yourself, the control system simply will not create a pitch more than that at which the aircraft can still provide a safe speed.
Of course, everything is much more complicated than I described here. For example, in most cases, an aircraft (or rather, a control system) will have different sets of rules (laws) describing the interrelationships of controls and control surfaces. For example, the “normal” law works as described above. The “direct” law imitates the behavior of the classical control system - from the point of view of the pilot, he directly rejects the steering surfaces, although, as a rule, such movements are still limited to the mechanisms of protection against an airplane hitting a dangerous position. There are other laws (for example, emergency ones - when the control system detects a malfunction in its circuits), but this is the subject of a completely different article.
Let us return to our Falcon. Although at first many people were extremely wary of such a radical approach to the organization of the control system, until 2011 the FWB system (as far as I know) did not create serious problems that really affect safety. There was a lot of trifles, which is quite understandable - I think most Habr's readers can easily imagine the complexity of both the hardware and the software of such a system, and agree that the problems revealed during the initial stage of operation are simply inevitable evil.
However, everything changed in May 2007, when an event occurred, which was officially announced by the manufacturing company (and I am familiar with the direct participants in the events):
Behind this dry information is the following. The plane quietly descended to start the landing approach after some time. At an altitude of about 12,000 feet (3.5 km), an uncontrollable transposition of the horizontal stabilizer into a pitching suddenly began. Despite all the efforts of the crew, the plane began to rise sharply, and in the process overload reached 4.5G. They managed to cope with the aircraft only after dialing more than 10,000 feet (about 3 km), and to eliminate the positive pitch, the crew had to create a lurch of 100 degrees for some time.
Now in order. One of the most important indicators of the aircraft is its centering - the ratio of the center of gravity to the center of the lifting force. If the centering is too forward, then the plane simply will not be able to take off - the elevator will not be enough to lift the nose. If the rear centering is too high during takeoff, the plane will close its nose, begin to lose altitude and fall down. Accordingly, there is a range of allowable alignments, which must be maintained at certain stages of the flight.
Modern high-speed airplanes are forced to solve the centering problem from two sides at once - during the flight, the aircraft's weight changes (fuel is produced), and the center of lift changes depending on the speed - when approaching the speed of sound, tricky aerodynamic phenomena occur. By itself, the elevator is not able to cope with such a range of change of centering, so the horizontal stabilizer comes to the rescue. Having a large area, the GS is able to provide the necessary range of alignments by relatively slow changes in the angle of installation (but the centering changes relatively slowly), and the elevator is used for pitch control.
At the same time, I hope, it is clear that when the HS area is larger than the elevator area, this very elevator will hardly be able to overcome the HS (especially at high speeds). Therefore, the mechanism regulating the angle of installation of the HS, one of the most strictly certified in the entire aircraft. It is necessary to have not only duplication (often triple) of the mechanisms of the mechanism, but also the possibility of immediately stopping the movement of the HS at the start of uncontrolled movement. Even the move button most often consists of two half-buttons connected in series — if one is stuck, then the chances are great that the second will still break the chain when it is released.
A little bit about what the crew has experienced. 4.5G - by aerobatic standards, this is not very much. However, it is on flight planes, and even when the pilot knows in advance what he will do. For an ordinary passenger, already 1.5G will serve as a reason to rush to the computer at the first opportunity and start scribbling in all forums a story about how he had just miraculously escaped inevitable death in a plane crashing right in the air. In general, something up to 2G in passenger aviation is more or less acceptable, more is already an emergency. So 4.5 is very, very serious.
A roll of 100 degrees ... Some time ago a movie came out (I didn’t see it), where a drunk pilot saved the plane, turning it upside down after something like a GE wedging occurred on the plane. So, in this case, the situation was very similar to the film. For a passenger plane, normal rolls are up to 30 degrees, and at a 30-degree roll, particularly impressionable passengers start to faint. 100 degrees is slightly upside down, in fact such planes do not fly like that. The emergency procedure for removing the aircraft from the nose-up position implies a roll of 60 degrees, in this case, the guys have overdone it a bit (this is excusable).
The next day, flights on airplanes of this type were banned around the world until the causes of the accident were clarified and eliminated, the manufacturer began to understand the causes of the incident, but the interested persons (first of all, the pilots) tried to understand why the crew did not do the first seconds of the problem the most natural thing in such a situation is - didn’t you completely disconnect the mechanism for moving the HS ???
Again, retreat - given the potential problems that uncontrolled movement of the HS can create (runaway trim), on most aircraft there are either several ways to disable this system. It can be a separate button, a fuse with a special cap, by which it (the fuse) can be instantly identified, and more often even both of these devices. In addition, when moving a GE for longer than a certain time (0.5–1.5 s), a characteristic squeak is heard. And the procedure for disabling the HS is worked up to automatism - especially since it is elementary.
Therefore, it was very strange that an experienced (there was no doubt about this) crew for more than 2 minutes (!!!) struggled with the GE, instead of turning it off for a couple of seconds (maximum).
Okay, now remember that I talked about the work of the FWB. Under the “normal” law, the system decides for itself what to do with control surfaces, including HS. If on an ordinary plane the pilot himself sets the required angle of the HS, then at 7X this is (like everything else) given to the computer. Moreover, with Dassault certification, he scientifically proved that his solutions provide such a level of reliability of control of the HS that no manual safety circuits are required.
In principle, there is still a button for moving (but not shutting down) the HW, only it is activated in an “emergency” or “direct” law, and for some reason during the emergency, the plane considered that everything was in order and remained in "Normal" law. I believe that it was here that the main miscalculation of the developers was - in a clearly emergency situation, the system continued to be completely unaware of the problem, and did not allow the pilots to rectify the situation.
There are practically no safety devices (in the classical aviation sense) on such a high-tech aircraft, so even just nafig, there was no possibility to disconnect the entire HS system.
After all the boards were put on a joke, such a whistle dance began that our TR exercises with children could not be called even children's talk. Imagine - under a hundred planes each worth about $ 50 million, their owners were slightly unhappy that they suddenly lost their means of transportation. Although Dassault threw almost all of its resources into solving the problem, the task was not solved as simply as everyone had hoped.
For more than a month, all the planes remained on the ground, when, finally, the manufacturer did not announce that he had understood the problem, and would soon begin the necessary actions to bring the aircraft to a flying state. Unfortunately, I do not have inside information about exactly what the problem was, but something can be seen from the description of what needed to be done to bring the aircraft in order.
As can be seen from this document, the control units (read specialized computers) must be replaced with a horizontal stabilizer, and most importantly, almost all aircraft control systems are updated.
So, in 2005, the first flight of the Dassault Falcon 7X aircraft took place, and a couple of years later the first aircraft of this type were handed over to customers. Falcon 7X is a representative of ultra-long business jets (currently cost under $ 60 million) with one very significant feature - this is the first business jet built on the principle of Fly-By-Wire (FBW). Although this technology has been used for a long time on passenger aircraft, the 7X was the first business aircraft in which, in general, all primary controls operated according to the FBW architecture.
I have a fairly general idea of ​​7X (so far, unfortunately, I do not have a rating for piloting this model), so I apologize in advance if I can’t talk about some nuances in all the subtleties, and it’s not necessary here.
The FBW technology implies (in most cases) not only the absence of a direct connection between the drivers (steering wheel / side stick, pedals) with control surfaces (ailerons, rudders and altitude), but also a completely different approach in the interaction of the pilot with the aircraft.
In a classic airplane, the pilot controls the position of the control surfaces directly, using them to force the airplane to perform the required evolutions. In the FBW architecture, the pilot tells the plane (or rather, the control computer) what exactly you want to receive from the aircraft, and the computer itself decides how to achieve this (which steering surfaces and how many to use). A pilot means both a person and an autopilot - this does not change the essence of the matter.
')
A small example is simple straightforward flight. On an ordinary plane in the steady state, you do not need to do anything until, until you meet, for example, a little turbulence. As soon as the local perturbation of the air environment changed the position of the aircraft, the pilot should immediately parry this change using the controls. The plane tilted to the left and, accordingly, began to turn in the same direction - it means that using the helm we activate the ailerons, return the aircraft to its previous horizontal position, turn right to compensate for the previous turn, then return to the previous course, then finally return the ailerons to neutral same position. On an airplane with FBW to ensure a straight flight, you need to set the steering wheel to set straight, and ... that's it! Now the plane knows that he needs to fly straight, and he solves this problem on his own. A gust of wind is okay, the system uses the ailerons on its own and the rest is required - the pilot does nothing at all. If it is necessary to maneuver, you do not need to worry about the effect of the speed and weight of the aircraft on its “responsiveness” - the aircraft will always respond in exactly the same way to a certain deviation of the helm The classic aircraft, the more it is loaded and the slower it flies, the more “sluggish” it is to respond to the controls.
Another FBW provides protection against the launch of the aircraft in the "wrong" flight modes. For example, if the plane flies slowly, close to the stalling speed, then how not to pull the steering wheel towards yourself, the control system simply will not create a pitch more than that at which the aircraft can still provide a safe speed.
Of course, everything is much more complicated than I described here. For example, in most cases, an aircraft (or rather, a control system) will have different sets of rules (laws) describing the interrelationships of controls and control surfaces. For example, the “normal” law works as described above. The “direct” law imitates the behavior of the classical control system - from the point of view of the pilot, he directly rejects the steering surfaces, although, as a rule, such movements are still limited to the mechanisms of protection against an airplane hitting a dangerous position. There are other laws (for example, emergency ones - when the control system detects a malfunction in its circuits), but this is the subject of a completely different article.
Let us return to our Falcon. Although at first many people were extremely wary of such a radical approach to the organization of the control system, until 2011 the FWB system (as far as I know) did not create serious problems that really affect safety. There was a lot of trifles, which is quite understandable - I think most Habr's readers can easily imagine the complexity of both the hardware and the software of such a system, and agree that the problems revealed during the initial stage of operation are simply inevitable evil.
However, everything changed in May 2007, when an event occurred, which was officially announced by the manufacturing company (and I am familiar with the direct participants in the events):
Behind this dry information is the following. The plane quietly descended to start the landing approach after some time. At an altitude of about 12,000 feet (3.5 km), an uncontrollable transposition of the horizontal stabilizer into a pitching suddenly began. Despite all the efforts of the crew, the plane began to rise sharply, and in the process overload reached 4.5G. They managed to cope with the aircraft only after dialing more than 10,000 feet (about 3 km), and to eliminate the positive pitch, the crew had to create a lurch of 100 degrees for some time.
Now in order. One of the most important indicators of the aircraft is its centering - the ratio of the center of gravity to the center of the lifting force. If the centering is too forward, then the plane simply will not be able to take off - the elevator will not be enough to lift the nose. If the rear centering is too high during takeoff, the plane will close its nose, begin to lose altitude and fall down. Accordingly, there is a range of allowable alignments, which must be maintained at certain stages of the flight.
Modern high-speed airplanes are forced to solve the centering problem from two sides at once - during the flight, the aircraft's weight changes (fuel is produced), and the center of lift changes depending on the speed - when approaching the speed of sound, tricky aerodynamic phenomena occur. By itself, the elevator is not able to cope with such a range of change of centering, so the horizontal stabilizer comes to the rescue. Having a large area, the GS is able to provide the necessary range of alignments by relatively slow changes in the angle of installation (but the centering changes relatively slowly), and the elevator is used for pitch control.
At the same time, I hope, it is clear that when the HS area is larger than the elevator area, this very elevator will hardly be able to overcome the HS (especially at high speeds). Therefore, the mechanism regulating the angle of installation of the HS, one of the most strictly certified in the entire aircraft. It is necessary to have not only duplication (often triple) of the mechanisms of the mechanism, but also the possibility of immediately stopping the movement of the HS at the start of uncontrolled movement. Even the move button most often consists of two half-buttons connected in series — if one is stuck, then the chances are great that the second will still break the chain when it is released.
A little bit about what the crew has experienced. 4.5G - by aerobatic standards, this is not very much. However, it is on flight planes, and even when the pilot knows in advance what he will do. For an ordinary passenger, already 1.5G will serve as a reason to rush to the computer at the first opportunity and start scribbling in all forums a story about how he had just miraculously escaped inevitable death in a plane crashing right in the air. In general, something up to 2G in passenger aviation is more or less acceptable, more is already an emergency. So 4.5 is very, very serious.
A roll of 100 degrees ... Some time ago a movie came out (I didn’t see it), where a drunk pilot saved the plane, turning it upside down after something like a GE wedging occurred on the plane. So, in this case, the situation was very similar to the film. For a passenger plane, normal rolls are up to 30 degrees, and at a 30-degree roll, particularly impressionable passengers start to faint. 100 degrees is slightly upside down, in fact such planes do not fly like that. The emergency procedure for removing the aircraft from the nose-up position implies a roll of 60 degrees, in this case, the guys have overdone it a bit (this is excusable).
The next day, flights on airplanes of this type were banned around the world until the causes of the accident were clarified and eliminated, the manufacturer began to understand the causes of the incident, but the interested persons (first of all, the pilots) tried to understand why the crew did not do the first seconds of the problem the most natural thing in such a situation is - didn’t you completely disconnect the mechanism for moving the HS ???
Again, retreat - given the potential problems that uncontrolled movement of the HS can create (runaway trim), on most aircraft there are either several ways to disable this system. It can be a separate button, a fuse with a special cap, by which it (the fuse) can be instantly identified, and more often even both of these devices. In addition, when moving a GE for longer than a certain time (0.5–1.5 s), a characteristic squeak is heard. And the procedure for disabling the HS is worked up to automatism - especially since it is elementary.
Therefore, it was very strange that an experienced (there was no doubt about this) crew for more than 2 minutes (!!!) struggled with the GE, instead of turning it off for a couple of seconds (maximum).
Okay, now remember that I talked about the work of the FWB. Under the “normal” law, the system decides for itself what to do with control surfaces, including HS. If on an ordinary plane the pilot himself sets the required angle of the HS, then at 7X this is (like everything else) given to the computer. Moreover, with Dassault certification, he scientifically proved that his solutions provide such a level of reliability of control of the HS that no manual safety circuits are required.
In principle, there is still a button for moving (but not shutting down) the HW, only it is activated in an “emergency” or “direct” law, and for some reason during the emergency, the plane considered that everything was in order and remained in "Normal" law. I believe that it was here that the main miscalculation of the developers was - in a clearly emergency situation, the system continued to be completely unaware of the problem, and did not allow the pilots to rectify the situation.
There are practically no safety devices (in the classical aviation sense) on such a high-tech aircraft, so even just nafig, there was no possibility to disconnect the entire HS system.
After all the boards were put on a joke, such a whistle dance began that our TR exercises with children could not be called even children's talk. Imagine - under a hundred planes each worth about $ 50 million, their owners were slightly unhappy that they suddenly lost their means of transportation. Although Dassault threw almost all of its resources into solving the problem, the task was not solved as simply as everyone had hoped.
For more than a month, all the planes remained on the ground, when, finally, the manufacturer did not announce that he had understood the problem, and would soon begin the necessary actions to bring the aircraft to a flying state. Unfortunately, I do not have inside information about exactly what the problem was, but something can be seen from the description of what needed to be done to bring the aircraft in order.
As can be seen from this document, the control units (read specialized computers) must be replaced with a horizontal stabilizer, and most importantly, almost all aircraft control systems are updated.
Source: https://habr.com/ru/post/202328/
All Articles