POLITECNICO DI TORINO
DIMEAS – Dipartimento di Ingegneria Meccanica ed Aerospaziale
Thesis submitted for the
Master of Science in Aerospace Engineering
Enhanced Stall Warning design and integration in the Airbus A320 family Auto Flight System
Master thesis
Supervisors:
Manuela BATTIPEDE
Politecnico di Torino
Germain SABOT
AKKA Technologies
Candidate:
Federico MASTROPASQUA
Academic Year 2019/2020
Master Thesis Federico Mastropasqua
Vertigo is not the fear of falling, but the desire to fly
Lorenzo Cherubini
Abstract
The Auto Flight System (AFS) is the Airbus avionic system in charge of managing and guiding the
aircraft during automatic flight. The AFS has not replaced human operators yet; instead, it assists them
in controlling the plane. The system allows the crew to focus on broader aspects of operations, such as
monitoring the trajectory and the weather, and managing other systems. Automatic flight supports
pilots in keeping the aircraft within the flight envelope, enhancing safety, optimizing performance, reducing
the pilot workload and fuel consumption, and decreasing costs. This Master Thesis aims to illustrate how to
design and implement a highly topical function of the Auto Flight System, so as to deliver to the airlines
aircraft that meet higher standards of safety and reliability.
As an external member of the Airbus Design Office, I focused the activities of this master thesis on
the development of the Enhanced Stall Warning (ESW) function. Airbus started to improve its legacy
stall warning system with feasibility studies after the catastrophic accident of flight AF447 on 1st
June 2009, which involved an A330-203 and caused the total loss of the aircraft and of all 228
occupants.
By translating the high-level aircraft requirements into low-level system requirements, the
implementation of the Enhanced Stall Warning system produced a more robust, reliable and available
system than the legacy version currently flying on in-service Airbus aircraft. The improvements
come from the recent UAMM update (Unreliable Airspeed Mitigation Mean) and from the fact that the new
stall warning version considers both ADC and IRS angles of attack and speeds to trigger the stall aural
and message alarm. The warning is raised only when the stall warning is reliable, avoiding spurious and
misleading alarms. Cross-check monitoring is implemented to consolidate function data from various
sources, avoiding any false autopilot disconnection. This project fits into a broader programme aiming
to widen the autopilot authority even in case of multiple failures.
Further evolutions of the function are considered in this master thesis, up to the introduction in
the cockpit of a new pilot interface allowing the crew to monitor the aircraft attitude in every situation
and to display the aircraft margin from the aerodynamic stall.
Stalling is currently one of the most topical issues in civil aviation after the two Boeing 737 Max 8
crashes of the last year, which caused the death of more than 340 people (Lion Air Flight 610 and
Ethiopian Airlines Flight 302). This topical subject inspired this master thesis to research a theme to
investigate and a system to improve. The final chapter of this thesis is entirely dedicated to the Boeing
case study, to highlight the Reason's model that led the complete Boeing 737 Max 8-9 fleet to be
grounded since March 2019 after the two catastrophic accidents that occurred in October 2018 and
March 2019. Some considerations are made, and some advice and preventive measures are given to
improve flight safety, based on what has been learned during my experience.
Preamble
The stall is one of the most dangerous situations a pilot can experience during a flight. The
seriousness of a stall lies not only in the fact that the aircraft is difficult to control and can be totally
lost if not recovered in a short time, but also in the fact that, even for a qualified pilot, the stall
circumstances are not clearly distinguishable. Consequently, the recovery actions are not taken in a short
time. The handbook procedure for recovering an aircraft from a stall imposes some non-instinctive
manoeuvres, which are very difficult to take in an emergency. The stall must be recognized in time,
and the anti-stall procedure must be followed immediately to recover the aircraft to a stable attitude.
Nowadays, this topic is at the centre of the commercial aviation world after the Boeing 737 Max 8-9
were grounded following two catastrophic accidents that occurred in October 2018 (Lion Air
Flight 610) and March 2019 (Ethiopian Airlines Flight 302). This topical subject inspired this master thesis
to research a theme to investigate and a system to improve.
Airbus, like its direct competitor Boeing, was already developing an enhanced stall warning system
that does not face the same issues as Boeing's but covers the same application field. While Boeing's solution
is always active and works to correct a hardware issue and to improve the aircraft dynamic stability (see
the Boeing case study chapter), Airbus aircraft are already dynamically stable and protected in normal law,
avoiding any potential stall circumstance; consequently, the Stall Warning function acts only in alternate
law, when only some protections remain enabled and the aircraft can reach the flight envelope limits.
On the other hand, Airbus is working on a project to enhance the availability of the autopilot
(EAPA – Enhanced Auto Pilot Availability) even in degraded situations, in order to minimize the potential
accidents due to human error in cases where, at the moment, the autopilot would be disengaged and the
pilots would take control of the aircraft. As a matter of fact, according to the Federal Aviation
Administration (FAA), human errors cause more than 88% of general aviation accidents, both in commercial
airline crashes and in general aircraft accidents. In particular, the most common human error is the loss of
control by the pilot during flight [1]. Since computers are now more efficient and reliable than the machines
of the 80s, the idea of enhancing the role of the autopilot came out, providing a network of redundancies
and backup computations, as described in the rest of this thesis.
The implementation of the Airbus Enhanced Stall Warning function answers a BEA/FAA request that
followed the accident of flight AF447 from Rio de Janeiro to Paris, in which the aircraft, passengers and
crew were all lost. As a result of the accident analysis and investigation, Airbus, which was involved
because an A330-203 performed the flight, put into practice some measures to enhance the autopilot
availability even in alternate law situations. The SBS (Safety Beyond Standard) project fits within this
framework: it aims to provide computer and functional backups in case the primary machines devoted to
a function fail. The main key points of this program are:
The Enhanced Auto Pilot Availability (EAPA) aims to allow the autopilot engagement even in
case of multiple failures. With this improvement, the aircraft could fly with the autopilot engaged
even if both FACs are lost. As an example, in the frame of Enhanced Stall Warning, the characteristic
backup speeds will be computed by the FMGC in case of loss of both FACs, and the flaps/slats
information, which in nominal situations is provided by the FAC through the SFCC, is acquired from
the FWC through the IPPU (not in the state-of-the-art SA family aircraft). Moreover, the Stall Warning
backup computation is carried out by the FWC, so that the stall warning function is also available in
case both FACs are lost. Other features are going to be implemented in the backup mode so as to allow
the AP engagement even in the FAC loss event (fault tolerance approach).
The Unreliable Airspeed Mitigation Mean (UAMM) is a function that consists in providing
numeric backup speeds. It is also associated with specific monitorings that allow flagging erroneous
speeds and providing enhanced warnings in case of an unreliable airspeed situation. This function
also offers an estimation of the angles of attack.
The Enhanced Stall Warning (ESW) function, described later in more detail, is made possible by the
UAMM monitoring.
The Enhanced Stall Warning function has been implemented in the Auto Flight System of the Single
Aisle family (A318 / A319 / A320 / A321 / A319NEO / A320NEO / A321NEO), in the FMGC and FAC
computers. The FAC is the primary computer for this purpose, and the FWC takes over the backup stall
warning computation in case the FAC is out of order. In this context the FMGC, which in regular operation
is only responsible for the autopilot disengagement when the FAC sends the request to activate the stall
alarm, takes over the computation of the characteristic backup speeds in case both FACs are lost. In this
way, the pilots can see the limits of the flight envelope and understand when they are approaching the stall
conditions. The Enhanced Stall Warning system makes use of the UAMM monitoring to qualify the reliable
angles of attack, and it considers both ADC and IRS sources to compute the angle of attack to be compared
with the stall warning threshold that triggers the alarm. Besides, a speed-based stall warning ensures the
functioning of the system in case all the AOA sources are lost or unreliable (at the system level, the
system is thus provided with a triple redundancy).
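The consolidation and fallback logic described in this paragraph and in the Abstract (reliable-source qualification, cross-check of ADC and IRS angles of attack, threshold comparison, speed-based fallback when every AOA is lost or unreliable), as an added illustrative example written for this text; it is not Airbus code and not the thesis's own implementation. Source labels, the spread tolerance, the AOA threshold and the stall warning speed are assumed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified model of the ESW consolidation described above:
# several AOA sources (ADC and IRS), each carrying a reliability flag
# (standing in for the UAMM monitoring result), are cross-checked before
# the consolidated AOA is compared with the stall warning threshold.
# When no reliable AOA consensus exists, the warning falls back to a
# speed-based check. All thresholds and spreads below are placeholders.


@dataclass
class AoaSource:
    name: str                 # e.g. "ADC1" or "IRS2" (constructed labels)
    aoa_deg: Optional[float]  # None when the source is lost
    reliable: bool            # validity flag from the monitoring


def median(values: List[float]) -> float:
    """Median of a non-empty list; the mean of the two middle values when even."""
    v = sorted(values)
    n = len(v)
    return v[n // 2] if n % 2 else (v[n // 2 - 1] + v[n // 2]) / 2.0


def consolidate_aoa(sources: List[AoaSource], max_spread_deg: float) -> Optional[float]:
    """Cross-check the reliable AOA sources.

    Lost or unreliable sources are discarded. If the surviving sources
    disagree by more than max_spread_deg, no consolidated value is
    produced (returns None) rather than trusting a possibly wrong one.
    """
    valid = [s.aoa_deg for s in sources if s.reliable and s.aoa_deg is not None]
    if not valid:
        return None
    if max(valid) - min(valid) > max_spread_deg:
        return None
    return median(valid)


def stall_warning(sources: List[AoaSource], speed_kt: Optional[float],
                  aoa_threshold_deg: float, vsw_kt: float,
                  max_spread_deg: float = 2.0) -> Tuple[str, bool]:
    """Return (basis, warning): basis is "AOA", "SPEED" or "NONE".

    The AOA-based warning is used whenever a consolidated AOA exists;
    otherwise the speed-based fallback compares the speed with the
    (placeholder) stall warning speed vsw_kt.
    """
    aoa = consolidate_aoa(sources, max_spread_deg)
    if aoa is not None:
        return "AOA", aoa >= aoa_threshold_deg
    if speed_kt is not None:
        return "SPEED", speed_kt <= vsw_kt
    return "NONE", False


if __name__ == "__main__":
    # Constructed sample: one ADC source disagrees and is flagged unreliable,
    # so it is excluded and the two agreeing sources drive the warning.
    sample = [AoaSource("ADC1", 12.0, True),
              AoaSource("ADC2", 30.0, False),
              AoaSource("IRS1", 11.8, True)]
    print(stall_warning(sample, speed_kt=140.0, aoa_threshold_deg=11.5, vsw_kt=120.0))
```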
Flight AF447 from Rio de Janeiro to Paris is the Airbus A330-203 accident that triggered the
Safety Beyond Standard project and consequently the ESW development. It occurred on 31st May 2009
when, three and a half hours after take-off, the airplane was flying in the oceanic region; HF
communication had been established, and an attempt to establish an ADS-C connection had failed. The
aircraft entered a slightly turbulent zone, and it could not climb to flight level FL 370 because of the
weather conditions. A few minutes later, all three Pitot probes iced as the aircraft entered a turbulence
zone, even though the anti-ice system was turned on. The plane lost the speed information; this caused the
autopilot and auto-thrust disengagement, and the crew took control of the aircraft. Without speed data, the
pilots could not estimate the attitude and the altitude of the aircraft, and they made some inappropriate
actions to recover control and to escape the stall. Four minutes after the autopilot disconnection, the A330
sank in the Atlantic Ocean with 216 passengers and 12 crew members.
Acknowledgement
Before going deeply into my master thesis, I would like to spend a page thanking all the people who
followed me during my academic path and beyond, and who allowed me to reach this objective today.
I would like to thank my thesis advisor Prof.ssa Manuela Battipede, who approved my project and
allowed me to build this bridge between the academic background and the future working environment
through the AKKA International Graduate Program, which permitted me to be here in the Airbus Auto
Flight System team developing avionics systems. Thanks go to the Politecnico di Torino, which gave me all
the knowledge and the methodologies to build now a strong future in the aerospace world.
I would also like to thank all my colleagues in France who supported my project and my work, first
of all Hector and Germain, who always answered my questions and my doubts in the design and in the
work at AKKA during these six months. Thank you for your patience and availability. Thanks to my whole
team for the support.
A special thanks is dedicated to my parents, Mamma Raffaella and Papà Giuseppe, who more than anyone
know how important their presence and their support have been throughout this long journey, which
began more than five years ago through France and Switzerland. Thanks to their sacrifices, my parents have
always respected my choices and allowed me to freely decide every path to take for my future, always
giving me their most sincere advice to succeed in this long journey.
No less intense thanks go to my course mates, who have always stood by me and pushed me to give my
best during the demanding study sessions. The spirit of complicity that developed during our studies
allowed us to reach, today, all together the same result, through continuous mutual support and
everyone's willingness to help in the hardest moments; thanks to Alberto, Filippo, Francesco and
Enrico.
Thanks again to Toulouse, the city that adopted me in the last two years of my life and welcomed me
into an extremely close-knit group, a group that allowed me to grow personally and professionally in this
period and that never made me feel far from home, people ready to help and to listen in every
circumstance and on every level. From colleagues they became friends, from friends travelling
companions: thank you Federico, Vincenzo, Caterina, Chiara, Rebecca, Nicolò, Filippo, Elisa and all the
others.
I thank all those who, although far away, during this last year and a half have always been by my
side, supporting and motivating me with their advice and suggestions, never letting me miss their support
and backing from a distance. It would be impossible to name them all, but a big thank you to everyone
who has always been there for bringing me this far.
Table of Contents
Abstract  II
Preamble  III
Acknowledgement  V
Table of Contents  VI
Table of illustrations  IX
1.2 About AKKA Technologies Group  5
1.2.1 International Graduate Program  7
2 Airbus design developing process  8
2.1 System design office activities  8
2.2 Airbus' process  11
3 Auto Flight System  19
3.1 Auto Flight System architecture  20
3.2 Auto Flight System modes  26
3.3 Introduction to auto-flight control laws  27
3.3.1 Roll Control – ELAC  30
3.3.2 Pitch Control  31
3.3.3 Yaw Control  33
3.4 Manual way of aircraft controlling  34
3.5 Flight Management Guidance System  34
3.6.3 Rudder Trim  42
5.3 Certification process  90
6 Conclusions and improvements  93
6.1 Enhanced Stall Warning improvements and future developments  96
6.2 Boeing B737 Max-8 conclusions  100
7 Appendix I – Safety Assessment  102
8 Appendix II – Characteristic speeds  107
9 Appendix III – Autopilot engagement  109
10 Appendix IV – Matlab code  111
11 Code List  116
Figure 4: AKKA's numbers in the last 15 years.  6
Figure 5: Design Process Loop  10
Figure 6: V-V model diagram illustrates the system development  11
Figure 7: System development before first flight.  12
Figure 8: System development during flight tests.  13
Figure 9: Experimental Process  15
Figure 13: Auto Flight System function architecture  24
Figure 14: Auto Flight System Operation Modes.  26
Figure 15: Auto Flight System operational schema  27
Figure 16: Autopilot control loops.  28
Figure 17: Thrust Control Laws breakdown  30
Figure 18: Lateral Control Laws breakdown  31
Figure 20: Vertical Control Laws breakdown  33
Figure 21: Yaw control  34
Figure 22: FMGC architecture in Dual Mode  36
Figure 23: FMGC architecture in Independent Mode  36
Figure 24: FMGC architecture in Single Mode  37
Figure 25: FAC component layout  39
Figure 26: Maximum Rudder Deflection.  42
Figure 27: General architecture of speed computation in FAC  44
Figure 28: Speed computation using FM weight and CG calculation in FAC  44
Figure 29: Cockpit computer communication  46
Figure 31: Different aircraft behaviour in climb regarding the flight control law.  50
Figure 32: Aircraft climb in normal law.  50
Figure 33: Mach effect on aerodynamic polar  52
Figure 36: Telemetry of the flight AF 447  60
Figure 37: Architecture of the interface between ADR and on-board computer.  61
Figure 38: Position of the Pitot probes on the Airbus A330  62
Figure 39: Flight parameters elaboration path by the ADIRS computers.  63
Figure 40: Drop effect in static pressure and vertical speed measurement  64
Figure 41: ESW from the aircraft point of view  66
Figure 42: ESW operating mode and system reconfiguration upon FAC and AOA failures  69
Figure 43: AOA ADR and AOA IRS link reception at FAC  71
Figure 50: Simulink simulation of the Enhanced Stall Warning function.  78
Figure 51: ESW functional architecture in FMGC.  82
Figure 52: Comparison between the Boeing 737-800 NG and the new Boeing 737 Max 8.  86
Figure 53: Forces and torques experienced by an aircraft during a flight.  87
Figure 54: The anti-stall system  89
Figure 55: Boeing safety design process  92
Figure 56: Deep stall condition for a T-tail airplane.  98
Figure 57: Logical schema of AoA_x checked as RELiable.  99
Figure 58: Cost impact on the product life cycle.  103
Figure 59: System cost on life cycle.  104
Figure 60: Design to safety  106
Figure 61: Thrust over speed for a reaction engine.  108
Figure 62: AP engagement logic  110
Figure 63: ESW Capacity: in this simulation the ESW is based on AOA  114
My master thesis treats a topical issue in commercial aviation, and the desire to improve a
solution to the stall problem pushed me to discover an Airbus project for the enhancement of this function.
The Enhanced Stall Warning is the function introduced in the experimental standard of the Airbus
process, and it is installed in the FMGC and FAC for the next software releases. The topicality of the subject
comes from the fact that the Boeing 737 Max 8s have been grounded since March 2019 after two catastrophic
accidents that occurred within 6 months (October 2018 and March 2019). This event had vast repercussions
on the Boeing 2019 economic budget, beyond its marketing impact. The Airbus function development began
following the A330-203 accident in June 2009, when the aircraft was lost after a stall that brought it to sink
in the Atlantic Ocean, after the icing of the 3 AOA probes, just four minutes after the autopilot
disengagement. Afterward, feasibility studies were carried out by Airbus to develop more robust, reliable
functions able to provide backup data and additional information from different sources. In this context
UAMM, Unreliable Airspeed Mitigation Mean, is the most impacting function developed to provide backup
speeds and AOA estimations to be used in failure circumstances (explained later), and the Enhanced Stall
Warning is one of these updates.
The development of the function is part of a more extensive project which aims to enlarge the
autopilot authority even in case of alternate law or following some kinds of failures. This project is called
EAPA (Enhanced Auto Pilot Availability) and, similarly to the trend in the automotive world, in the
aeronautical domain too the autopilot and the protection systems have to be kept engaged even in degraded
situations, to minimize the human interventions, which in emergency cases are often not able to take the
correct decisions with lucidity. The development foresees giving the Auto Flight System and the other
automatic on-board systems the data needed to perform nominal and backup computations from different
sources, in such a way that the system can reconfigure itself following failure cases. In this frame, the
autopilot will remain engaged longer, facing various issues now handled by the pilots.
From an aircraft point of view, the avionic system most impacted by the function implementation is
the Auto Flight System. The Auto Flight System is the structure that aims to organize and guide the
aircraft during flight, Figure 1; it serves to assist pilots in flying the aircraft. As a matter of fact, at the
current state of the art, the autopilot stays engaged only if the plane is protected in normal law. Beyond the
standard flight envelope, the aircraft still has the warning alarms and messages, but it can exceed some
protections. The AFS needs to enhance safety, maintaining the plane in the safe operational domain even in
case of external disturbances and turbulence. One of the aims of the Auto Flight System is optimizing
performance at aircraft level, because the system can automatically control the level of thrust and the
surface deflections to follow or maintain the flight path, dialoguing with the corresponding control
computers (ELAC, SEC and FADEC). When the Auto Flight System controls the aircraft, it delivers the
optimized values of thrust and surface deflections to minimize flight time and fuel consumption,
consequently decreasing maintenance and operating costs, while always limiting the structural loads,
which are the most impacting costs on aircraft maintenance. All the orders are distributed to obtain the
maximum safety and comfort level and the minimum impact on maintenance and fuel consumption.
Evidently, all the tasks performed by the Auto Flight System have the objective of reducing the workload
on the crew, which can focus on supervising activities while always retaining the capability to override the
autonomous flight system.
Figure 1: Auto Flight System complexity over the pilot tasks and time constant
1.1 Fly-by-wire conception
Historically, aircraft had traditional flight control systems, consisting of a web of pulleys and cables
or of metal rods and joints. When planes became larger, the forces needed to move the surfaces increased
too, and it became necessary to provide hydraulic commands, making control easier at high speeds, when
the aerodynamic forces become more significant. In this case, the force needed to move a control surface is
provided by hydraulic means. Newer fly-by-wire control systems remove all that hardware and replace it
with software, sensors, actuators and wires, Figure 2. Instead of a direct line of control from the yoke to the
control surface, the aircraft is left with a yoke, sensors, a computer elaborating the inputs, wires, and an
actuator at the aileron, rudder or elevator.
Fly-by-wire enables several kinds of assistance to the pilot, and it makes the implementation of
protections and the control of the flight envelope possible. It is easy to program envelope protection, to
monitor failures and to program system reconfigurations. To avoid the stall with fly-by-wire commands, the
elevator travel can be digitally limited regardless of how far the pilot moves the yoke. Through software
updates, the aircraft response can be improved, and the tuning of a function can also be done after the
entry-into-service date: modern aircraft, like our phones, computers and tablets, need to be updated to
enhance safety during the flight.
Fly-by-wire also allows significant weight savings, which translate into more efficient aircraft. The
weight saving is obtained because the mechanical linkages are replaced by computers and electrical wires.
Indirect savings can come from smaller or more efficient control surfaces: because the computer is flying the
aircraft and does not allow anything outside the flight envelope, designers have more freedom to reduce the
oversized controls that would otherwise be needed to cope with human response.
Figure 2: Fly-by-wire command system
From the moment Airbus developed its first aircraft, the idea of an aircraft family covering all market
sectors was in the minds of Roger Béteille and Felix Kracht1 from the beginning of the program. One of the more
notable innovations of the A300-600 and A310 had been the replacement of the web of cables and pulleys
traditionally used on the secondary flight controls with electrical commands. Béteille wanted to innovate
further with the next Airbus aircraft. The introduction of modern digital "fly-by-wire" allowed the surface
deflections to be commanded through a computer, which precisely calculates the deflections needed to make the
aircraft respond as the pilot wishes. The physical and mechanical links by which the deflections of the control
surfaces on the wing and tail were driven directly by the pilots' controls belonged to the design of the past.
The sidestick became the new pilot's control column.
Béteille recalled: “As far as I was concerned there were two elements, one being the market needs, which was for an
A320 earlier than an A340; and secondly for the technical reason that, having to make a significant step forward in technology,
like fly-by-wire, it was considerably easier and less risky to enter the field with a smaller aircraft than with a big, long-range
aircraft. Correcting a mistake is much cheaper, and the accumulation of experience is faster with a smaller, short-range aircraft,
which makes many more flights and is used in larger numbers than the long-range. There were some divergent ideas within
Airbus, but the final decision to go for the A320 was a smooth one” [2].
The A320's fly-by-wire technology was not only a way of improving flight controls and reducing
weight. It enabled Airbus to take safety to a new level by introducing flight envelope protection. Pilots
flying the A320 were free to operate it as usual, but the flight envelope protection prevented the aircraft
from performing manoeuvres outside its performance limits.
Fly-by-wire also firmly established the concept of commonality, which is central to the appeal of Airbus
aircraft to customers. No matter how one aircraft varies in size or weight from another, fly-by-wire
commonality allows the pilot to fly them in the same way, because the computer "drives" the aircraft's flight
controls. This leads to considerable reductions in the time and cost involved in training pilots and crew to
operate them. Pilots who have experienced the A380 fly-by-wire say that the feedback is the same as when
piloting the A320, except for the inertia.
1 They were two of the four Airbus founders in 1969. At its foundation the company was called Airbus Industrie, and
in 2002 it became Airbus S.A.S., the company as known today. It is the product of the consolidation of the European aerospace industry, tracing back to the Airbus Industrie GIE consortium. The other two Airbus initiators were Henri Ziegler and Franz Josef Strauß.
1.2 About AKKA Technologies Group
AKKA Technologies is a French consulting company and a global leader in engineering consulting and
research and development services. It operates throughout Europe, with a strong presence in France, Germany,
Benelux, Italy, Spain and the United Kingdom, as well as in the USA and Canada, Russia, China, India and Japan, Figure 3.
Figure 3: AKKA worldwide presence
AKKA's aim is to accelerate innovation and business performance by anticipating market challenges
and responding to them. This is AKKA's trademark and the reason why it has a dedicated division for the
research of new technologies and new challenges to propose to clients, with the aim of improving their
business plans and technological solutions. AKKA is at the forefront of the digital and connected world,
accelerating innovation and time to market for the world's largest industrial groups. Digital transformation
is radically altering the design and the very nature of their products and giving rise to constant changes in
user behaviour and technology. Faced with this challenge, AKKA supports its clients throughout the life
cycle of their products, providing expertise that covers the entire technological environment of the product
and supporting them in bringing it to market, in different engineering fields and with top clients in all
sectors:
Digital: Air France, Bosch, Audi
Automotive: Daimler, BMW, Porsche, Renault, FCA
Aerospace: Airbus, Safran, Thales, Dassault Aviation, Mitsubishi Aircraft Company
Space: ESA, CNES, Thales Alenia Space, Telespazio (joint venture between Thales Alenia Space
and Leonardo)
Defence: Thales, Naval Group, Direction Generale de l’armement
In 2019 AKKA Technologies received the Top Employer title in France, Germany and Belgium, and it
recorded a headcount growth of about 35.5% in 2018 with respect to 2017. At least 76% of its engineers hold a
master's degree, and 33% of all employees are millennials. These figures highlight AKKA's ambition to grow
and to hire young, highly qualified engineers in all engineering fields.
“The first half of 2018 reflects the impetus of CLEAR 2022. The strategic plan we launched at the start of the year is boosting our
growth momentum and further improving our margins. This, in addition to the launch of The AKKADEMY and our
diversification in aerospace with the acquisition of PDS Tech in the United States, has put the Group on track for a new phase of
growth, and illustrates our ambition to double in size within five years and capture growth generated by the digital revolution.”
Mauro RICCI – AKKA CEO [1]
AKKA provides its clients with three different services, according to their needs:
Work package: the client asks AKKA to develop a solution for one of its needs, and the AKKA
consultants work on it in AKKA's offices, delivering the results directly to the client.
Expert on demand: the client needs experts to build a team or to complete its team, and asks
AKKA for a qualified expert to fulfil that need.
Research and development: this is the only activity entirely external to a client. It is a specific
AKKA division that develops technologies from scratch inside AKKA's own structures. The newly
developed products or technologies are then presented to a potential client to show the
company's innovative side. AKKA research also makes it possible to work in directions different
from the traditional ones, in order to create and to have ready new solutions for future needs.
Figure 4: AKKA's numbers over the last 15 years. On the left, AKKA's revenues, predicted to reach 2.5 Bn€ by 2022. On the right, the number of employees, which with the International Graduate Program AKKAdemy should reach 25000 in 2022.
As shown in Figure 4, the number of employees is expected to reach 25000 in 2022; this result could
be achieved also thanks to the International Graduate Program that AKKA launched in 2018, The AKKAdemy.
1.2.1 International Graduate Program
The AKKAdemy, as the AKKA international graduate program is called, provides young talents with
the opportunity to build a career and to acquire a lifelong set of consulting skills. AKKA is the only consulting
company that offers a Graduate Program. It allows new engineers to enter the working environment by
facing clients' needs and challenges; it is a direct bridge between the academic world and the working
environment. In an international and professional environment, the young talents are mentored using the
latest in-class and on-the-job training methods, designed to supplement the academic theoretical background
with practical experience.
The Graduate Program consists of three steps:
First month in Geneva (Switzerland): during this month the talents take part in workshops that give
an exclusive overview of AKKA's sectors of activity, clients and projects. During the month in
Geneva, each team has to develop an "innovation project" addressing new international challenges,
with coaching from business managers on customer relations and project presentations, and
training on project management and on the Agile and SCRUM frameworks.
Hands-on project: 12 months in France, Belgium or Germany, working on a real assignment in an
environment of high-demand technologies; the talents apply their expertise and their consulting
skills in a challenging role with AKKA Technologies. They are trained in job-relevant skills and
receive continuous mentoring.
Certification: at the end of the year the AKKAdemy graduates return to Geneva to share the
experience gained, and a graduation ceremony attests the successful completion of the
International Graduate Engineering Program.
Through this International Graduate Program, I got the opportunity to work and to come into contact
with the aeronautical domain in an internal Airbus project, in the Bureau d'Etudes (Design Office in
English). During my activities I collaborated with the Airbus Auto Flight System team to develop and to
carry out the implementation of the Enhanced Stall Warning function in the Auto Flight System, facing
technical responsibilities and program constraints.
Airbus design developing process Federico Mastropasqua
8
2 Airbus design developing process
2.1 System Design Office activities
2.2 Airbus’ process
2.2.1 Experimental Standards
2.2.2 Certified Standards
2.3 Reliability Design
2.1 System design office activities
The System Design Office (DO) is the engineering team responsible for the development of new
functions or new systems for the Auto Flight System of the Airbus Single Aisle aircraft (A320 family). The
department receives the new specifications directly after an accident analysis and/or a feasibility study, with
the main guidelines to be implemented in the system, and delivers the arranged logical schemas to be coded
in the embedded computers (FMGC, FAC, FWC, etc.) in order to achieve the required function. Sometimes
it is up to the Design Office to carry out the feasibility study for implementing new features and functions
in the Auto Flight architecture. The DO's main activities can be seen as a translation from very high level
to low level requirements, so as to process the external aircraft inputs (such as the pressure from the Pitot
probe or the angles of attack) and compute the data the aircraft needs to perform a flight (from the weight
computation to the flight envelope, from the Auto Pilot disengagement conditions to the alarm computations).
In this regard the Squid software, developed specifically by AKKA for Airbus, is used to design the
system logics. It is a graphical programming environment for modelling dynamic and logical systems,
similar to Simulink by MathWorks. Its primary interface is a graphical block-diagramming tool
like Simulink. In contrast to Simulink, however, Squid is not an auto-run tool and does not allow
launching simulations, which are performed by a separate team directly in the aircraft simulators. The Design
Office activities are defined as pre-code because the logical schemas are then sent to the Code Team, which
actually implements them in the flight control computers in a specific programming language (Ada). During the
entire conception phase of the function, some iterative loops are necessary to reconsider and re-evaluate some
architectural choices with the System team, so as to take into account all the requirements and constraints
expected by the different aircraft divisions.
During the conception process the DO is also in charge of describing in detail the simulation
procedures that are carried out by the Laboratory team to check the validity and to test the reliability of the
newly implemented function, thus making sure the system fulfils the safety standards and the stated
requirements. After the execution of the simulator sessions, the DO receives as feedback the simulation
test results, to enhance the function or to fix any issues that occurred during the assessments at the
simulator. This design phase is the function tuning: the system architecture is already fixed, but some gains
and constants have to be optimized to enhance the aircraft's airworthiness. This is another clear example of
the iterative design process.
If some issues show up in the simulation sessions, the Design Office reopens the system conception
to ensure the robustness of the developed function. After the Laboratory feedback, if the tests are passed,
it is the Design Office that gives the clearance for flight, through the message "Good for Flight".
At this point the test aircraft is prepared to perform its first flight, and the modification takes to the
air for the first time. First, the newly implemented system or function is coded into the embedded computers,
and the test aircraft can then perform a flight to verify the development. Notably, for economic reasons, since
it is necessary to arrange an entire flight with pilots and airport slots, the flight is performed to test several
functions together, in what is called a standard. During the flight tests or in the simulator sessions there is
the possibility of forcing only one function at a time; in this way, if there is a bug, it is isolated and does
not impact the other logics and the other function tests. Furthermore, at this step of the conception the
system might need revisions by the Design Office, in case the pilots' feedback is not positive or they prefer
a different aircraft response to some manoeuvres. In this case their needs are discussed with the System and
Design managers to consider possible improvements.
From an operational point of view, as can be seen in Figure 5, the Design Office sends the "pre-coded"
function to the Code team, to be implemented in the embedded computers in order to run the simulations or,
once the Good for Flight clearance has been received, to perform the first flight with the newly coded
standard. This process can introduce many errors in the "translation" of the logical schemas into computer
code, both because there is no way to run the simulations directly while the system is being designed and
because, in changing programming language, some information and details can be lost. All the adjustments
before the coding implementation are made through human feedback. This is the reason why in the new Airbus
A350 program the logical schemas and the code fragments are merged: to reduce the iterations, consequently
minimize errors and finally reduce the financial impact on the design part.
Figure 5: Design Process Loop. The Design Office is responsible for the development of new functions, both hardware and software, and for fixing already existing functions in case of bugs or improvements. In the iterative design loop the DO is in charge of discussing the system feasibility with the System team,
and it takes into account the feedback from the Code team and from the Simulation team in order to fix, optimize and tune some function behaviours.
In the V-model [2] in Figure 6 the function development is represented: starting from the left branch,
the decomposition of the function requirements is shown, from aircraft level to computer level passing through
the system layer (by way of example, for our purposes the aircraft level is the A320 family, the system layer
is ATA chapter 22, Auto Flight System, down to the FMGC and FAC computers). The logical schemas produced
in the Design Office are the "pre-code" block, and they are sent to the Code team to be implemented in the
simulator computers to validate the design choices. The simulations mark the end of the first V diagram. The
second V covers the software and hardware development needed to implement the function; at the base of the
V the implementation/development is shown, and this phase of the conception can take 6 to 8 months. On the
right side of the diagram the test and integration phases are shown, up to the flight tests that mark the end
of the conception process. The entire development is a highly iterative process, and it can take 2 to 3 years
to develop the entire function (from conception to certification by EASA).
Figure 6: V-V model diagram [3] illustrating the system development. The left part shows the project definition and the steps to be performed in the function definition in order to implement it in the on-board computers. The two Vs stand for the simulation development and the flight test progress. In fact,
the first part of the development needs to prepare the simulation tools to simulate the flight, and then, when the simulation is accomplished, the function enters the flight test path to verify the software and hardware integrity.
2.2 Airbus’ process
The Airbus design process is described in detail in this section, in order to illustrate the activities
carried out during the working period as an Airbus consultant. The documents for the validation of the
modification and the technical implementations are treated in detail.
The Airbus procedures allow tasks and activities to be delegated and differentiated while keeping the focus on
program deadlines and milestones. Thanks to this process, Airbus manages to have many consulting
companies deal with the technical tasks and responsibilities, while at the Airbus headquarters the employees
work on the research and development of new functions, as well as on the organization and management of
the entire program. Airbus synchronizes the activities of the different teams, which work sequentially in
order to deliver updated software to the airlines on time with respect to the latest certified standards.
The System Design Office takes into account all the modifications concerning the Auto Flight System,
both for aircraft already in service and for the development of new experimental functions to be integrated
in future aircraft software. Every change aims to enhance and improve the already existing embedded
functions, or to fix and tune some gains, constants and variables, ensuring the highest level of safety
required by the certification authority. On the other hand, some experimental standards are also designed
and tested from scratch to broaden the aircraft functionalities towards more autonomous flight, where the
autopilot's role is getting wider and wider.
Once the modifications are designed, they have to be simulated and tested in the experimental branch.
Once the standard has performed a certain number of flights without any issue, it enters the certified
branch, where it obtains the authorization from the certifying authority (EASA); only then can it be sold to
the airlines and become profitable for the aircraft manufacturer2.
The simulation sessions of every aircraft component (structural, aerodynamic or avionic parts)
start from a linear system model at the beginning of the program. This simplification is made to run the
simulations faster, only to check and verify that the global behaviour meets the basic
recommendations/requirements. Little by little the model complexity grows, up to simulating the entire
prototype, Figure 7. The most important constraints to be fulfilled in the Auto Flight System architecture are:
Actuator constraints: in terms of response time and maximum load. They dictate the trade-off
between strength/effort and performance (flight control commands).
Architectural constraints: what the function needs in order to perform its tasks and what the
computer can compute (system design).
Pilot and test engineer constraints: they determine the aircraft behaviour in terms of performance and
flying comfort/safety (flight control laws).
During the simulation sessions many design parameters or law structures have to be fixed in order
to respect every constraint; this is the tuning part of the function design: the structure design is frozen, but
the tuning of the parameters has to be performed to optimize the aircraft behaviour to what the pilots and the
specifications ask.
Figure 7: System development before first flight. The process ends when the complete aircraft model and the linear simulations reach convergence. [4]
2 For information, the described process is not a general process but the Airbus procedure to conceive and to
implement a new function in the Auto Flight System. It is possible that another system, concerning a different ATA chapter, has different standard procedures.
The avionic system remains open to development also during the flight tests, Figure 8, where the pilots'
feedback and the flight experience can check the actual aircraft behaviour. As an example, during the
A320NEO flight tests to enhance the flight envelope, after the simulation sessions, the pilots' feedback
judged the aircraft reaction too heavy: the aircraft, having a wider flight envelope, could experience more
extreme manoeuvres, which are considered uncomfortable for the cabin passengers. After all the possible
function tuning, the aircraft could still bank up to 70° of roll angle; this was considered too uncomfortable
for the passengers, and so the entire designed function was dropped before entering the certified branch.
Figure 8: System development during flight tests. The iterative process considers the pilots' feedback to tune the flight laws and the function gains to optimize the aircraft behaviour.
In order to create a modification in the Auto Flight System it is necessary to update and adjust the
logics of the embedded computers (for this purpose the FAC and FMGC). Each coded logical schema in the AFS
computers is presented in a formal document, the Joint Technical Event (JTE), where the modification or
correction of the current design is described in terms of:
Logical schemas: this is the most important and the most technical part of the modification; here the
function's evolution can be seen with respect to the current design. The logics are modified using the
specific software and are presented as drawing boards (SAO sheets), then translated into Ada code3 to
be implemented in the aircraft embedded computers in order to be tested in the simulator
3 Thales implemented the auto-code generator in Ada; the tool takes an XML file and produces source code for an
embedded avionics system. The development process for the auto-code generator was performed according to the European Aviation Safety Agency (EASA) Tool Qualification Considerations standard, and the tool has been qualified for the avionics project at tool qualification level TQL-2. Ada is an internationally standardized (ISO) programming language designed for long-lived, high-reliability, embedded real-time systems, embodying sound software engineering features for both sequential and concurrent applications while also providing facilities for low-level programming. The most recent version of the language, Ada 2012, includes features for contract-based programming (such as subprogram pre- and post-conditions) that embed low-level requirements in the source code, where they can be verified either dynamically with run-time checks or at compile time with appropriate tool support. [24]
environment and later in the flight tests. The SAO sheets contain the technical explanation of every
function the computer can perform, in a very low-level syntax. The SAO sheets explain the
operational logic of how every function works, which variables it handles and how it processes the inputs
to produce every computer output.
New or modified interfaces: if a new function requires an additional interface or a modification to an
existing one, an interface is added, removed or simply modified. This hardware modification has an
impact on the SERs (Specification Evolution Requests). By interface is meant every connection between
embedded computers for data exchange, and also every exchange within the same computer between the
Command and the Monitor parts.
Formal description: using an Airbus tool, the entire function evolution is traced from the kick-off
that marks the beginning of the function development. The document follows the function, describing
all its evolution and development from the event that marks its beginning to the flight tests carried
out to validate the design.
2.2.1 Experimental Standards
The experimental standards include every immature function under development. Following an issue
observed during a flight and recorded in the Digital Flight Data Recorder (DFDR), or after an accident
investigation, some preventive actions are taken by the aircraft manufacturer in order to improve the
safety standard. Some functions are developed by Airbus not as a result of an accident or of an issue that
came out in flight, but simply as improvements to the flight envelope, in the overall view of making the
autopilot's role wider and wider.
The experimental branch starts with the Joint Technical Event described above; when several
modifications belonging to the same domain of application are designed, they pass to the simulator to be
verified, and this set corresponds to the standard. The full standard to be tested at the same time is part of
the JCRI (Joint Change Request Internal), Figure 9.
The JCRI includes the associated JTEs (including the logic schemas and the modified interfaces)
and the ADIS, the software test facility that allows the activation of single bits to simulate only one function
at a time during the test sessions and to create different software configurations, forcing some design
decisions. In this way, even if different functions are part of the same standard, the ADIS makes it possible
to verify the operation of each function separately. The ADIS is also available during the flight tests or at
the test bench, where the test engineer is responsible for activating the single function in certain phases of
the validation flight.
In order to validate the coded experimental standard, the JCRI document is sent to the Code Team
for the function implementation in the simulator computers (FMGC and FAC); at the same time the PGE
(Programme d'Essais, Test Program in English) is received by the Labo Team. The PGE is the document that
authorizes the tests of the new specifications. For each JTE, the Design Office prescribes the test procedure
and the scope of the test to be followed in order to validate the function design.
Figure 9: Experimental process to develop the system design: the orange boxes are the multidisciplinary meetings held to converge on the design decisions.
2.2.2 Certified Standards
Once the standards have successfully completed the planned flights in the experimental branch, they enter
the certified path in order to obtain the certification from EASA at the end of the validation process. When
the standard is finally certified, it can be sold to the airlines to improve the safety specifications. The process
is very similar to the experimental one, except for the documents sent to approve the design and the
modifications. During the process the flying standard obtains different labels (blue, red and finally black)
indicating its maturity level:
The blue label is the standard coded in the simulator. It is the first version of the certified software.
The red label is the first software version to fly. After all the tunings during the simulation sessions,
the software receives the "Good for Flight" authorization.
The black label is the final version of the standard: the software has passed all the flight tests and has
obtained the certification from EASA. It is ready to be installed on the airlines' aircraft.
In the certified path the document that attests the modification is the Joint Change Request (JCR);
it consolidates all the associated JTEs, SAO sheets and SERs.
As in the experimental path, a Programme d'Essais is delivered to test every JTE modification; in
the certified standard the LTR tests the certified Thales specifications. In this document there is no need to
test every single function as in the PGE; rather, the system is tested in its entirety and in how it works at
aircraft level.
At the end of the process, the Description of Evolutions, describing all the modifications introduced
for the certified standard by Thales, and the V&V Summary, summarizing all the verification and
validation activities performed for the certified standard by Thales, are delivered to EASA to close the
standard development.
2.3 Reliability Design
Reliability design, Figure 10, is the part of the system development process that must be considered in
the design of the system/function/product in the general sense. Reliability design means establishing the
system reliability requirements to be respected in the design process. In the Airbus process it is the Function
Team that draws up the requirements at high level; these are then translated into low-level requirements and
system requirements which must be respected in the design phase. Once the requirements are set, the system is
designed and a first reliability evaluation is made; this is the first iterative part of the design process, because
if some requirements are not met by the design, some design modifications must be made.
Design is fundamentally a "top-down" process. It is necessary to start from the value of the
characteristic at system level and then to break this value down into sub-values allocated to the system
components or parts, in a process called "system requirements allocation".
All methods for allocating requirements to the lower levels of the system decomposition are based on
experience. Starting from an existing system for which reliability data are available, the requirement is:
Allocated to sub-level items according to the percentage each item has in the existing system.
Allocated to sub-level items using the same value each item has in the existing system, adding a
corrective coefficient (to take into account the differences between the two systems).
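The two allocation methods above, carried through on constructed numbers, as an added example that is not part of the thesis or of any Airbus procedure. The sub-items are treated as a series system (any item failure fails the function, so the system failure rate is the sum of the item rates); the reference failure rates, the corrective coefficients, the FIT unit and the 1000 h requirement are all assumptions for illustration. The last function is the bottom-up check that closes the loop: an allocation produced by the coefficient method is not guaranteed to satisfy the system-level requirement it was derived from, and the example shows that case.

```python
# Added example (not Airbus procedure or code): top-down allocation of a
# system reliability requirement to sub-items with the two experience-based
# methods, followed by the bottom-up check that the allocation still meets
# the system target. Reference data, coefficients and target are constructed.
import math
from typing import Dict

FIT = 1e-9  # failures per hour (1 FIT = 1e-9 /h); assumed unit for the example

# Constructed failure rates of an existing, in-service system (per hour),
# treated as a series system: any item failure fails the function.
REFERENCE_RATES: Dict[str, float] = {
    "sensors": 200 * FIT,
    "computer": 500 * FIT,
    "actuator": 300 * FIT,
}


def rate_from_reliability(reliability: float, mission_hours: float) -> float:
    """Turn a system-level requirement R(t) over a mission time into a
    constant failure rate, using R(t) = exp(-lambda * t)."""
    if not 0.0 < reliability <= 1.0 or mission_hours <= 0.0:
        raise ValueError("reliability must be in (0, 1] and mission time positive")
    return -math.log(reliability) / mission_hours


def allocate_by_share(target_rate: float, reference: Dict[str, float]) -> Dict[str, float]:
    """Method 1: each item receives the same percentage of the new system
    requirement that it had in the existing system."""
    total = sum(reference.values())
    return {item: target_rate * rate / total for item, rate in reference.items()}


def allocate_with_coefficient(reference: Dict[str, float],
                              coefficients: Dict[str, float]) -> Dict[str, float]:
    """Method 2: reuse each item's existing value, scaled by a corrective
    coefficient that captures the differences between the two systems
    (>1 for a harsher environment or more complexity, <1 for a more benign
    one). Items without a coefficient keep their reference value."""
    return {item: rate * coefficients.get(item, 1.0) for item, rate in reference.items()}


def system_rate(allocation: Dict[str, float]) -> float:
    """Series system: the system failure rate is the sum of the item rates."""
    return sum(allocation.values())


def meets_target(allocation: Dict[str, float], target_rate: float,
                 rel_tol: float = 1e-9) -> bool:
    """Bottom-up check: does the allocation still satisfy the system
    requirement it was derived from? A small relative tolerance absorbs
    floating-point rounding of the proportional shares."""
    return system_rate(allocation) <= target_rate * (1.0 + rel_tol)


if __name__ == "__main__":
    # Constructed requirement: R >= 0.9992 over 1000 h, i.e. roughly 800 FIT.
    target = rate_from_reliability(0.9992, 1000.0)
    by_share = allocate_by_share(target, REFERENCE_RATES)
    by_coeff = allocate_with_coefficient(REFERENCE_RATES, {"sensors": 1.2, "computer": 0.8})
    for name, alloc in (("share", by_share), ("coefficient", by_coeff)):
        print(name, {k: round(v / FIT, 1) for k, v in alloc.items()},
              "meets target:", meets_target(alloc, target))
```

With these numbers the share method returns sensors 160, computer 400, actuator 240 FIT and passes the check, while the coefficient method returns 240, 400 and 300 FIT (940 FIT in total) and fails it: this is exactly the case in which the design must be reopened, as the text describes for the first iterative loop of the reliability design.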
Concerning the design part, different approaches to the problem can be suggested:
Fault avoidance: according to this approach the product must ensure that no failure occurs during
its in-service life. Replacing "avoidance" with "minimisation" is more correct: "minimise the probability of
failures". This "philosophy" is expensive for the program and is often rejected. The minimization of the
probability of failure can be reached by:
o Providing generous design margins in specific areas within which a failure can be accepted.
o Selecting proven, high-quality parts.
o Inspecting the system under production (checking system components, or functions in the case of
software development).
o Performing acceptance tests on 100% of the components and systems.
o Keeping records to document compliance.
Fault tolerance: this is another approach to reliability design. According to it, the system has to be
designed to keep functioning even in case of failure. This concept is easily applicable in all systems in
which creating redundancy is not expensive. If something (some components, some sensors, some
computers) does not work, a backup function comes into operation. In this context the system has to be
provided with an intelligent capacity to monitor itself, to detect the failure and to reconfigure itself. This
solution impacts the cost of the system and in some cases also its weight, in terms of wires, sensors and
computers for the backup operations. This approach does not require the whole system to be redundant,
but only the cardinal sub-systems. This is the solution Airbus adopts in software development. As a matter
of fact, in the chapter on the Enhanced Stall Warning, reference is made to the redundancy checks and
alternate solutions that provide the system with an adequate level of reliability even in the face of several
malfunctions.
Functional redundancy is the design approach which also considering a performance degradation of
the system there is no increase of weight. This design is accomplished on-boarding components able to
perform its tasks and also other activities in particular circumstances. This is the approach, that Airbus
follows with the Flight Control Computers capable to perform several functions. In nominal case, the
primary computer takes in charge its function but in case of failure, the backup computer that in nominal
operation processes other calculations is responsible for the backup procedures in degraded cases.
Therefore, even in a degraded way the function is at least assured although in reduced status. This permits
to have the autopilot still engaged even in degraded situation.
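As an added illustration of the two allocation methods and of the fault-tolerance trade-off described above (this is example code written for this page, not part of the thesis nor of any Airbus tool; the reference failure rates, the 80e-6 system target and the corrective coefficient are constructed values), the following Python script allocates a system-level failure rate to sub-level items by share and by reuse with a corrective coefficient, checks whether the allocation still meets the system figure, which is the first iteration of the design loop, and compares the mission reliability of a single unit with that of a duplex pair in which the backup takes over:

```python
import math

# Constructed reference failure rates (failures per flight hour) of an existing
# system; illustrative numbers only, not Airbus data.
REFERENCE_LAMBDAS = {"FMGC": 50e-6, "FAC": 30e-6, "FCU": 20e-6}


def allocate_by_share(system_lambda, reference_lambdas):
    """Top-down allocation: each sub-level item receives the same percentage of the
    system-level failure rate that it had in the existing (reference) system."""
    total = sum(reference_lambdas.values())
    return {item: system_lambda * lam / total for item, lam in reference_lambdas.items()}


def allocate_by_reuse(reference_lambdas, corrections):
    """Alternative allocation: reuse the reference value of each item, multiplied by a
    corrective coefficient accounting for differences between the two systems
    (1.0 means 'same as the existing system')."""
    return {item: lam * corrections.get(item, 1.0) for item, lam in reference_lambdas.items()}


def series_lambda(lambdas):
    """Series model: the system fails when any item fails, so failure rates add up."""
    return sum(lambdas.values())


def check_allocation(allocation, system_lambda):
    """First iteration of the design loop: does the sum of the allocated sub-level values
    still meet the system-level figure? If not, a design modification (or a different
    allocation) is needed before going further. A relative tolerance absorbs
    floating-point rounding of the sum."""
    total = series_lambda(allocation)
    meets = total < system_lambda or math.isclose(total, system_lambda, rel_tol=1e-9)
    return {"total": total, "meets": meets, "margin": system_lambda - total}


def reliability(lam, hours):
    """Constant-failure-rate reliability over a mission of 'hours' (exponential law)."""
    return math.exp(-lam * hours)


def duplex_reliability(lam, hours):
    """Fault-tolerance approach modelled as active parallel redundancy: two identical
    units, the pair failing only if both fail within the mission. (A cold-standby model
    with imperfect switching would give a different figure; this is the simplest case.)"""
    r = reliability(lam, hours)
    return 1.0 - (1.0 - r) ** 2


if __name__ == "__main__":
    by_share = allocate_by_share(80e-6, REFERENCE_LAMBDAS)
    print("by share:", by_share, check_allocation(by_share, 80e-6))
    by_reuse = allocate_by_reuse(REFERENCE_LAMBDAS, {"FMGC": 1.2})
    print("by reuse:", by_reuse, check_allocation(by_reuse, 80e-6))
    print("10 h mission, simplex vs duplex FMGC:",
          reliability(50e-6, 10.0), duplex_reliability(50e-6, 10.0))
```

With the constructed numbers the share-based allocation fits the 80e-6 budget exactly, whereas reusing the reference values with a 1.2 coefficient on the FMGC exceeds it, which is the case in which the design loop has to iterate; the last line shows why doubling a computer (at the cost of weight and wiring) is the usual way of buying the missing reliability.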
Figure 10: Reliability Design Diagram
Auto Flight System Federico Mastropasqua
19
3 Auto Flight System
3.1 Auto Flight System architecture
3.2 Auto Flight System modes
3.3 Introduction to auto-flight control laws
3.3.1 Roll Control –ELAC
3.3.2 Pitch Control
3.3.2.1 Trimmable Horizontal Stabilizer
3.3.3 Yaw Control
3.4 Manual way of aircraft controlling
3.5 Flight Management Guidance System
3.6 Flight Augmentation Computer
3.6.1 Yaw damping
3.6.2 Rudder Travel Limiting computation
3.6.3 Rudder Trim
3.6.4 Characteristic Speed computation
3.7 Interconnection and peripherals interfaces
The A320, introduced in 1987, was the first aircraft flying with the primary flight controls powered
by electric commands, with the mechanical links only as backup⁴.
⁴ For completeness, the A380 has been the first aircraft that could fly safely even in case of complete loss of the hydraulic
means, thanks to the electro-hydraulic servo actuators backed up by mechanical means.
The Airbus A320 flight controls are divided into primary and secondary flight controls. Both the
primary and secondary flight controls are controlled by a total of 7 computers, Figure 11:
Two ELAC (Elevator Aileron Computer)
Three SEC (Spoiler and Elevator Computer)
Two FAC (Flight Augmentation Computer)
Figure 11: Architecture of primary and secondary flight control computers
The Primary Flight Controls fitted on the aircraft are controlled by sidestick or by Flight
Control Unit inputs, which are processed by the Elevator Aileron Computer (ELAC), the Spoiler Elevator
Computer (SEC) and the Flight Augmentation Computer (FAC), depending on which manoeuvre has been
requested. When the primary flight controls on the Airbus A320 are operated, electrical signals from
the sidestick or from the Flight Management and Guidance System (FMGS) are sent to the Flight Control
Computers and then passed to the flight control hydraulic actuators, which calibrate the force needed to obtain the
correct surface movement.
3.1 Auto Flight System architecture
The Auto Flight System (AFS) installed on the Single Aisle Airbus aircraft⁵ is made up of two types
of computers, the calculation units that elaborate the pilots’ inputs in order to assure the correct functioning of
the flight:
The Flight Management and Guidance Computer (FMGC)
The Flight Augmentation Computer (FAC)
⁵ Different hardware configurations can be found on different aircraft, but the functions are the same. In this thesis all
the descriptions are based on the A320 family Auto Flight System.
And two types of control units, the interfaces through which the flight crew sets up the navigation
data to perform the flight and to follow the flight plan:
The Flight Control Unit (FCU)
The Multipurpose Control and Display Units (MCDU)
The Flight Control Unit is the interface the pilots use to enter the target variables for the lateral and
vertical navigation that guide the aircraft along the flight path. Through the MCDU, the pilots insert the flight plan
(during the pre-flight operations at the airport); later, the FMGC is in charge of delivering the information to
the primary flight controls to perform the flight and to follow the computed trajectory.
As can be seen in Figure 12, the Flight Control Unit sends data to and receives data from both
FMGCs, which in turn communicate with their own MCDUs and FACs (this is the nominal
configuration; in case of failure the Auto Flight System is capable of reconfiguring itself to take data and
information from the computers that are still available). Every computer is doubled for safety reasons and
the functions are often installed in different computers, in order to provide a backup level in case of failure
(this point will be analysed in more detail in the Enhanced Stall Warning chapter, fault tolerance approach).
The FACs send the commands to the ELAC/SEC, which provide outputs to control the surfaces through
the actuators, and to the FADEC to control engine thrust.
Figure 12: AFS Architecture
The computers send orders to the surfaces through the units that take inputs from the pilots or from the autopilot.
The AFS sends the surface deflection commands for the autopilot function to:
ELAC1/ELAC2 for pitch and roll commands
FAC1/FAC2 for yaw damper commands
Moreover, the AFS also sends thrust commands for the auto-thrust function to:
ECU1/EEC1 to set the thrust command on engine 1
ECU2/EEC2 to set the thrust command on engine 2
From a system point of view, the Auto Flight System is composed of three functions, Figure 13:
Flight Management: it allows defining the flight path and easing the navigation by predictions and
position calculation. During the cockpit preparation phase, the pilot inserts a pre-planned route, from
the origin airport to the destination, via the MCDU. This route includes the departure, routes, waypoints,
arrival, approach, missed approach and alternate route, as selected from the NAV database. The
system generates optimum vertical and lateral flight profiles and predicts the progress along the entire
flight path, through:
o Position computation (aircraft position consolidation, nav-aid selection, VOR, DME, ILS,
etc., using the navigational data).
o Navigation Data Base management (airways, airports, beacons, procedures…) for the
routing of the aircraft.
o Flight planning (lateral and vertical flight plan) and flight guidance cues using the flight
director indicators on the PFD.
o Guidance computation: easing the navigation by predictions and calculation of position.
o Determination of the flight phases and monitoring of the aircraft progress along the routes programmed in
the flight plan.
o Optimization and prediction functions (speed, time – ETA, fuel, altitude…) considering the
aircraft performance data, to manage the vertical aspects of the route.
o Acquisition of air data (from Pitot, static pressure sensor and pitch angle probe) and inertial data
for backup computations.
o Management of flight control laws and reconfiguration after failures.
o Auto-thrust system coordination with the FADEC, which controls fuel flow and engine
thrust (the FMGS is interfaced with the ECU/EEC).
Flight Guidance: it allows the aircraft to reach the destination by acting on the thrust and on the control
surfaces. It controls:
o Autopilot (AP): it elaborates the surface control automatically. The commands are sent to the
Flight Control System, which oversees control-surface actuation (elevators, ailerons and
rudder) and nose wheel steering. The autopilot can be engaged five seconds after take-
off by action on the two pushbuttons of the Flight Control Unit. Only one autopilot can be
engaged at a time, except during approach, ILS landing and go-around. This ensures the
redundancy level required to safely achieve auto-lands, auto-rollouts or low altitude
go-arounds. Generally, AP1 is used when the captain is PF and AP2 when the First
Officer is PF, so AP1 has the priority and AP2 is in standby (the ELAC and the FAC use the
AP1 commands first and switch to the AP2 commands in case of AP1 disengagement). This
ensures that each AP is operated alternately. The AP can be disengaged:
By voluntary pilot action:
Action on the AP pushbutton on the FCU
Action on the sidestick (takeover pushbutton, or pushing harder than a certain
threshold)
Action on the rudder pedals (pressed beyond a certain threshold)
By reaching a protection:
VMO, MMO
Bank angle in modulus over 45°
Pitch angle over 30°
In case of failures that provoke the loss of one control surface (see Appendix III).
Autopilot is only one feature of the Flight Management and Guidance System (FMGS),
and each of the two Flight Management and Guidance Computers manages its own autopilot.
The ELAC and the SEC are merely actuator controllers for the control surfaces; they are
also reconfigurable in case of failure of one of the SEC, ELAC⁶ or FAC [5].
o Flight Director (FD): it gives guidance information to the pilot; these orders are shown on the
PFD through the CDS. FMGC1 normally drives the FD symbols (crossed bars, yaw
bar or flight path director symbols) on the CAPT PFD and FMGC2 normally drives the FD
symbols on the F/O PFD, in case of failure of one FMGC.
o Auto-thrust (A/THR): it provides thrust adjustments in order to acquire and maintain a given
speed, for automatic engine control through the EEC/ECU. The A/THR function in the
Auto Flight System (AFS) does not manage a throttle displacement but a thrust value. The
lever position determines the maximum thrust which can be commanded by the auto-thrust
system. Auto-thrust is armed by action on the FCU pushbutton or automatically by moving
the thrust levers to TOGA/FLX during take-off and go-around. Both A/THR are always
engaged at the same time, but only one (A/THR1 or A/THR2) is active, depending on the AP and
FD engagement statuses. The A/THR can be disengaged:
By voluntary pilot action:
Action on the FCU pushbutton
Taking the levers to IDLE
In case of failures
⁶ ELAC and SEC are ACE (Actuator Control Electronics) themselves, with further flight envelope protection logic.
Figure 13: Auto Flight System function architecture. The dashed boxes show how the different functions are calculated in the AFS computers
Flight Envelope: it defines the aircraft flight envelope and provides information about the speeds on the
Primary Flight Display (PFD) in the nominal situation.
o Calculate the characteristic speeds (low speed or high-speed protections) that are shown
on the PFD and described in more detail in Appendix II – Characteristic speeds
High speed protection (VMAX)
Stall warning speed (VSW)
Lower selectable speed (VLS)
Maximum operational speed (V MAX OP) giving margin against buffeting
Airspeed tendency (V_CAS TREND)
o Define Aircraft Configuration: in flight or on ground, slats and flaps positions, engines
Manoeuvring speed (VMAN) function of the slat and flap positions
Minimum flap retraction speed (V3)
Minimum slat retraction speed (V4)
Predictive VFE at next flap/slat position (V FEN)
o Detect configurations outside the normal operating flight envelope, such as alpha-floor, tail-strike
indication (only on Long Range Airbus aircraft), longitudinal (pitch +30°/-15°) or lateral
(bank angle 67°) protection.
Bank angle protection
Pitch attitude protection
High angle of attack protection (computed by the ELAC)
o Detect abnormal flight conditions
Wind-shear⁷: the wind-shear aural warning and the corresponding message on the PFD
are calculated by the FAC considering the vertical speed, the airspeed and the ground
speed (hence the total slope), the longitudinal wind gradient and the vertical wind. The angle
of attack in wind-shear is computed as an aircraft energy level. Consequently, the
computed angle of attack is compared to the alpha wind-shear threshold, and the
alarm sounds if the aircraft is in the approach (1300 ft to 50 ft) or in the take-off
phase (lift-off to 1300 ft).
Low energy detection is an aural warning that sounds when the energy level computed by the FAC is
under a threshold, considering the slats and flaps configuration, the horizontal deceleration
rate and the flight path. In addition, the altitude has to be comprised
between 1000 ft and 2000 ft, the alpha floor protection must not be active and the aircraft must be in
normal law. If the aircraft continues losing speed after the low energy warning, the
system automatically keeps the aircraft in a safe flight domain: when the incidence
angle is lower than alpha-floor and the Radio Altimeter height is higher than 100 ft, the
message A.FLOOR appears on the PFD and the thrust is automatically set to TOGA.
The low energy warning disappears when the thrust level is high enough, if the
alpha floor protection is triggered or if the pitch go-around mode is triggered.
o Acquire law autopilot order - AP/FD mode reversions
VMAX and VLS are used in the FMGC for speed limitation of the AP/FD and A/THR
functions
o Compensate engine failure (lateral thrust asymmetry detection)
o Protect load factor (Nz law)
o Runway Overrun Prevention System (ROPS) (not yet in the state-of-the-art): this is an
experimental function which aims to enhance safety for all braking modes (manual and
automatic) at landing, preventing the aircraft from running off the landing strip, based on
neural networks. This system is called ROPS and it contains the ROW and the ROP
functions. The first one assesses in real time, in flight, the landing distance
(in both dry and wet conditions), in other terms the distance to the touch-down, and it
raises a go-around alarm in case the landing distance available is too short. The
second one assesses the stopping distance in real time on the ground, and an alarm appears
on the PFD recommending maximum braking or maximum reverse [6].
o Unreliable Airspeed Mitigation Mean function (UAMM) (not yet in the state-of-the-art) is
a new function which consists in providing a numeric backup speed. It is also associated
with specific monitorings allowing to flag erroneous speeds and providing enhanced
warnings in case of an unreliable airspeed situation. In the frame of the UAMM function, the
FAC must compute a backup speed, a backup Mach and backup characteristic speeds. The
computation of those data requires parameters which are not acquired by the current flying
FAC software (for example IRS data). For the backup computation, the N1-AOA monitoring
and the theta-gamma estimation are introduced to enhance the calculation of the angles of
attack; using these estimations it will be possible to use a single AOA when it remains
alone, because the estimation can give reliability to the AOA data.
⁷ Wind-shear is a sudden change in wind direction and/or speed over a relatively short distance in the atmosphere.
This can influence aircraft performance during the take-off and landing phases. In wind-shear conditions, the principle is to
reduce the detection threshold according to the detected wind-shear, in order to get the possibility of performing a go-around sooner.
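The autopilot engagement and disengagement rules listed in the Flight Guidance item above (engagement at least five seconds after take-off, a single AP except during approach, ILS landing and go-around, AP1 priority with AP2 in standby, disengagement by pilot action, by reaching a protection or on loss of a control surface) can be written as a small state machine. The following is example code written for this page, not the thesis' or Airbus' logic: the VMO/MMO values and the sidestick and pedal force thresholds are constructed placeholders, since the text only says "a certain threshold", and the choice that a second engagement request in cruise replaces the engaged AP rather than being refused is an assumption.

```python
from dataclasses import dataclass

# Figures stated in the text
AP_MIN_TIME_AFTER_LIFTOFF_S = 5.0
BANK_LIMIT_DEG = 45.0
PITCH_LIMIT_DEG = 30.0
DUAL_AP_PHASES = {"APPROACH", "ILS_LANDING", "GO_AROUND"}
# Constructed placeholders (the thesis gives no numbers for these)
VMO_KT = 350.0
MMO = 0.82
SIDESTICK_FORCE_THRESHOLD = 10.0   # arbitrary units
PEDAL_FORCE_THRESHOLD = 20.0       # arbitrary units


@dataclass
class AfsState:
    phase: str = "CRUISE"
    time_since_liftoff_s: float = 0.0
    ap1: bool = False
    ap2: bool = False
    cas_kt: float = 250.0
    mach: float = 0.70
    bank_deg: float = 0.0
    pitch_deg: float = 2.0
    ap_pushbutton_pressed: bool = False   # AP pushbutton pressed while engaged
    takeover_pushbutton: bool = False
    sidestick_force: float = 0.0
    pedal_force: float = 0.0
    surface_lost: bool = False


def request_engagement(state, which):
    """Pilot presses AP1 or AP2 on the FCU; returns (accepted, reason)."""
    if state.time_since_liftoff_s < AP_MIN_TIME_AFTER_LIFTOFF_S:
        return False, "less than 5 s after take-off"
    other = "ap2" if which == "ap1" else "ap1"
    if getattr(state, other) and state.phase not in DUAL_AP_PHASES:
        # Only one AP at a time outside approach / ILS landing / go-around.
        # Assumption: the newly requested AP replaces the engaged one.
        setattr(state, other, False)
    setattr(state, which, True)
    return True, "engaged"


def disengagement_reasons(state):
    """Every condition in the text that disengages the AP, evaluated on the current state."""
    reasons = []
    if state.ap_pushbutton_pressed:
        reasons.append("PILOT:AP_PUSHBUTTON")
    if state.takeover_pushbutton:
        reasons.append("PILOT:TAKEOVER_PUSHBUTTON")
    if state.sidestick_force > SIDESTICK_FORCE_THRESHOLD:
        reasons.append("PILOT:SIDESTICK_FORCE")
    if state.pedal_force > PEDAL_FORCE_THRESHOLD:
        reasons.append("PILOT:RUDDER_PEDALS")
    if state.cas_kt > VMO_KT or state.mach > MMO:
        reasons.append("PROTECTION:VMO_MMO")
    if abs(state.bank_deg) > BANK_LIMIT_DEG:
        reasons.append("PROTECTION:BANK_ANGLE")
    if state.pitch_deg > PITCH_LIMIT_DEG:
        reasons.append("PROTECTION:PITCH_ANGLE")
    if state.surface_lost:
        reasons.append("FAILURE:CONTROL_SURFACE_LOST")
    return reasons


def apply_disengagement(state):
    """Drop both APs if any disengagement condition holds; returns the reasons found."""
    reasons = disengagement_reasons(state)
    if reasons:
        state.ap1 = False
        state.ap2 = False
    return reasons


def command_source(state):
    """Which AP's orders the ELAC/FAC consume: AP1 first, AP2 when AP1 is disengaged."""
    if state.ap1:
        return "AP1"
    if state.ap2:
        return "AP2"
    return None


if __name__ == "__main__":
    s = AfsState(time_since_liftoff_s=10.0)
    print(request_engagement(s, "ap1"), command_source(s))
    s.bank_deg = 50.0
    print(apply_disengagement(s), command_source(s))
```

The point of keeping the rules in a single table-like function is that every disengagement cause is visible and testable on its own; a monitoring channel can re-evaluate the same function on its own inputs and compare the result, which is the COMMAND/MONITOR split described later for the FMGC.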
3.2 Auto Flight System modes
The modes are the ways of working of the Auto Flight System: the manner of processing the feedback
signals and of elaborating the control surface/thrust orders. Each mode has some targets to reach. The flight
modes take as input pilot or autopilot commands, in order to process these inputs for the purpose of
guiding the aircraft along the ordered flight path. There are two types of guidance that can be chosen by
the crew on the Flight Control Unit, Figure 14. The selected or managed mode is chosen by the crew on
the FCU, in the middle of the cockpit:
When the autopilot is in SELECTED state, the target values for altitude, heading/track, vertical
speed/flight path angle and speed/Mach are inserted manually, and then the AFS guides the aircraft to
the manually selected target. The selected mode is engaged by pulling the corresponding knob on the
FCU, located on the pilots’ glareshield.
When the autopilot is in MANAGED state, these target values come from the Flight Management
System, which acquires data from the pre-planned routes inserted during the pre-flight operations by the
pilots through the Multipurpose Control and Display Unit. The autopilot is “slaved” to the FMS and it is tasked
to follow the flight plan. The AP is engaged by pushing the corresponding knob on the Flight
Control Unit⁸.
Figure 14: Auto Flight System operation modes.
⁸ The sidestick controllers and the thrust levers do not move when the autopilot and the A/THR are engaged, in
order to simplify the fly-by-wire mechanism and to reduce the cockpit maintenance.
Regardless of the Auto Flight System mode (selected or managed), the aircraft is protected within
the flight envelope, and the autopilot, flight director and auto-thrust are available whether the commands
are entered manually by the pilots through the Flight Control Unit or the orders are directly processed
from the FMGC inputs.
Figure 15: Auto Flight System operational schema: the AFS green box is doubled because the FMGC and FAC computers are redundant for safety reasons. The AFS outputs are sent to the navigation displays and to the PFD, to the FADEC for engine thrust control and to FCC
3.3 Introduction to auto-flight control laws
Each mode of the Auto Flight System has an associated control law, defined by an “operational
logic”. These control logics are often closed loops with feedback, returning to the pilot the effect of the manoeuvre
at guidance and control level. In the Auto Flight System, Figure 16, four feedback loops work together in
order to control the aircraft along the planned flight path:
Surface position actuator loop;
Control loop;
Guidance loop;
Navigation loop.
Figure 16: Autopilot control loops: the fastest loop controls the surface position. The blue loop is in charge of controlling the aircraft attitude; it considers the Euler angles of the aircraft. The bigger loop oversees the guidance and is the mid-term management loop, controlling the load factor, the speed or the Mach number (depending on the flight law selected). Finally, the slowest loop controls the navigation of the aircraft and takes care of introducing the
aircraft into the air traffic. The AFS does not include the communication system, which is part of another ATA chapter.
The inner loop is dedicated to controlling the surface deflection. The pilots or the autopilot give
orders to the ELAC/SEC/FAC through the sidestick, and then the surface loop drives the surfaces to
maintain the correct deflection. The inner loop is a high-speed control cycle with a very short response
time. The control variables are:
Rudder deflection 𝛿𝑟;
Aileron deflection 𝛿𝑎;
Elevator deflection 𝛿𝑒.
The surface deflections create accelerations and attitude changes, which are used as the main
feedback in the attitude control loop. The control loop is in charge of managing the aircraft attitude. The
variables used as feedback are:
Pitch angle 𝜃
Roll angle 𝜑
Sideslip angle 𝛽
This loop works over a short period, to control aircraft attitude and acceleration.
The outer loop is devoted to trajectory control. Therefore, it provides the guidance function in a bigger
loop, and it sends to the inner cycle (AP) or to the display (FD) the load factor increments, bank angle, etc.,
selecting the appropriate pitch attitude and bank angle to maintain or change the flight path. The guidance
loop takes its inputs from the FCU, but in direct law it could take the inputs directly from the sidestick.
The outer loop controls:
Altitude
Heading
Speed (acting on the thrust)
To follow the flight plan, the outer loop controls the centre of gravity position and limits the FCU or
FMS targets in amplitude and rate, to limit the effects of failures. The speed vectors and the aircraft
position are used as the main feedbacks to compute the orders.
Then there is a further external loop that considers the navigation (navigation loop or big loop);
the Flight Management System manages this function, and it handles:
The current aircraft position.
The aircraft route, keeping information about the aircraft position in time and space.
The selection of the best altitude, heading and route to get there.
Finally, the navigation loop aims to insert the aircraft harmoniously into the crowded airspace,
considering:
Communicating with Air Traffic Control (ATC)
Adding the fourth dimension to the navigation (time)
Avoiding other aircraft.
The navigation loop is the slowest in the Auto Flight System; its refresh time is about 5 to 10
seconds; by contrast, the surface deflection loop works at a 400 Hz frequency.
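The nesting of loops at different rates described in this section (a guidance loop that commands load-factor increments, an attitude loop fed back with pitch angle and pitch rate, and a surface loop with deflection orders limited in amplitude and in rate of variation, as the pitch control section later states) is easier to see in a simulation. The following Python script is an added example written for this page, not code from the thesis or from Airbus: the longitudinal aircraft model, the gains, the 15° and 40°/s elevator limits, the 0.2 g load-factor limit and the 1000 ft/min vertical-speed limit are constructed values, and the inner loops run at 50 Hz here as a stand-in for the 400 Hz rate in the text, while the guidance loop runs once per second.

```python
import math
from dataclasses import dataclass

G_FT_S2 = 32.174
TAS_FT_S = 422.0               # about 250 kt true airspeed (constructed)
INNER_HZ = 50                  # attitude + surface loop rate used in this example
OUTER_PERIOD_S = 1.0           # guidance loop period
DE_LIMIT_DEG = 15.0            # elevator amplitude limit (constructed)
DE_RATE_LIMIT_DEG_S = 40.0     # elevator rate-of-variation limit (constructed)
DNZ_LIMIT_G = 0.2              # largest load-factor increment guidance may ask for
VS_LIMIT_FT_S = 1000.0 / 60.0  # vertical-speed target limit, 1000 ft/min


def clamp(x, lo, hi):
    return max(lo, min(hi, x))


@dataclass
class Aircraft:
    h_ft: float = 10000.0
    vs_ft_s: float = 0.0
    theta_deg: float = 0.0    # pitch attitude
    q_deg_s: float = 0.0      # pitch rate
    delta_e_deg: float = 0.0  # actual elevator position

    def step(self, delta_e_cmd_deg, dt):
        """Surface loop plus a toy pitch model, advanced by one inner-loop step."""
        # deflection orders are limited in amplitude and in rate of variation
        target = clamp(delta_e_cmd_deg, -DE_LIMIT_DEG, DE_LIMIT_DEG)
        max_move = DE_RATE_LIMIT_DEG_S * dt
        self.delta_e_deg += clamp(target - self.delta_e_deg, -max_move, max_move)
        # first-order pitch-rate response to elevator (illustrative coefficients)
        q_dot = 4.0 * self.delta_e_deg - 2.0 * self.q_deg_s
        self.q_deg_s += q_dot * dt
        self.theta_deg += self.q_deg_s * dt
        # kinematics: flight path angle taken equal to pitch (no angle-of-attack model)
        self.vs_ft_s = TAS_FT_S * math.sin(math.radians(self.theta_deg))
        self.h_ft += self.vs_ft_s * dt


def guidance_loop(h_target_ft, ac):
    """Outer loop: altitude error -> vertical-speed target -> load-factor increment,
    converted into a pitch-attitude target handed to the inner loop."""
    vs_target = clamp(0.1 * (h_target_ft - ac.h_ft), -VS_LIMIT_FT_S, VS_LIMIT_FT_S)
    dnz = clamp(0.015 * (vs_target - ac.vs_ft_s), -DNZ_LIMIT_G, DNZ_LIMIT_G)
    # a load-factor increment corresponds to a pitch rate q = dNz * g / V
    q_cmd_deg_s = math.degrees(dnz * G_FT_S2 / TAS_FT_S)
    theta_cmd = ac.theta_deg + q_cmd_deg_s * OUTER_PERIOD_S
    return theta_cmd, dnz


def attitude_loop(theta_cmd_deg, ac):
    """Inner loop: pitch-angle and pitch-rate feedback produce the elevator order."""
    return 2.0 * (theta_cmd_deg - ac.theta_deg) - 0.8 * ac.q_deg_s


def simulate(h_target_ft, duration_s=120.0):
    """Run the three loops together and report convergence and limit compliance."""
    ac = Aircraft()
    dt = 1.0 / INNER_HZ
    outer_every = round(OUTER_PERIOD_S * INNER_HZ)
    theta_cmd = ac.theta_deg
    outer_updates = 0
    max_dnz = 0.0
    max_de_rate = 0.0
    max_vs = 0.0
    for k in range(round(duration_s * INNER_HZ)):
        if k % outer_every == 0:                 # slow guidance loop (1 Hz)
            theta_cmd, dnz = guidance_loop(h_target_ft, ac)
            outer_updates += 1
            max_dnz = max(max_dnz, abs(dnz))
        de_cmd = attitude_loop(theta_cmd, ac)    # fast attitude loop
        before = ac.delta_e_deg
        ac.step(de_cmd, dt)                      # fastest: surface loop + plant
        max_de_rate = max(max_de_rate, abs(ac.delta_e_deg - before) / dt)
        max_vs = max(max_vs, abs(ac.vs_ft_s))
    return {
        "h_error_ft": h_target_ft - ac.h_ft,
        "outer_updates": outer_updates,
        "max_dnz_g": max_dnz,
        "max_de_rate_deg_s": max_de_rate,
        "max_vs_ft_s": max_vs,
    }


if __name__ == "__main__":
    print(simulate(10500.0))   # 500 ft climb
    print(simulate(9500.0))    # 500 ft descent
```

Two things are worth checking in the result: the inner loop never exceeds the amplitude and rate limits even when guidance asks for its full 0.2 g increment, and the guidance loop only ever runs once per second yet still captures the target altitude, because each loop is tuned slower than the one inside it.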
As an example, the flight control laws handling the thrust are reported in Figure 17: in the auto-
thrust law, the parameter under control is the engine revolutions per minute (N1) and, acting on this variable
through the EEC/ECU, the target speed is reached in order to follow the selected flight path (in both vertical
and lateral navigation).
Aircraft with different engines have different thrust laws. Even though the Auto Flight engine is
common to the whole SA family, the thrust law differs with the engine type. The Auto
Flight software is developed and specialized for each aircraft variant (A318 / A319 / A320 / A321 / A319NEO /
A320NEO / A321NEO), both as regards the engines and as regards the CG positions and the various
configurations⁹.
⁹ For this purpose, the Design Office could collaborate with the handling qualities (HQ) team or with the performance
team to deliver optimized software dealing with the topic purposes.
Figure 17: Thrust Control Laws breakdown
The communication module is not part of Auto Flight System.
3.3.1 Roll Control – ELAC
Roll control on the Airbus A320 (and SA family in general) is accomplished by means of sidestick
movements or autopilot commands. When the ailerons are moved, an aileron command 𝛿𝑎 is sent as an electrical signal to
the active ELAC computer. The Airbus A320 has two operational ELAC computers available, one operating
in active mode while the other acts in damping mode and serves as a back-up in case of failure. The ELAC
then sends a spoiler signal 𝛿𝑃 to both SEC computers, which control the flight spoilers, and to the FAC
computer, which sends turn coordination orders for the rudder trim.
Unlike the SEC, which consists of three independent computers, the FAC has only two working
computers, arranged in the same way as the two ELACs. The computer then processes these signals into an output that
activates the hydraulic system actuators connected to the control surfaces. At the output of the inner loop, a
gain K permits switching from the cruise inner loop to an approach inner loop. The deflection orders are limited
in amplitude and in rate of variation.
The control surfaces deflect according to the sidestick input. For safety reasons, the signal
processing by the flight control computer uses pre-set limitations and instructions (laws). This means that
prescribed limitations cannot be exceeded. When the autopilot controls the aircraft, the ELAC and the
FAC receive an electrical signal generated by the FMGS. Usually, ELAC1 is in control; in case ELAC1 fails,
ELAC2 automatically takes over control. Similarly, the FAC and the SEC computers are backed up.
The ailerons have two electrically controlled hydraulic actuators connected to each aileron. One of
these actuators is in control while the other actuator is in damping mode. The actuators are connected to
the Green and Blue hydraulic systems. In Figure 18, the lateral control law is shown; as can be seen, the
outer target variables differ as a function of the flight phase. Afterwards, the inner loop is common,
independently of which outer variable is targeted, and it is in charge of stabilizing and trimming the aircraft
by sending an electrical signal to the hydraulic actuators.
Figure 18: Lateral Control Laws breakdown
3.3.2 Pitch Control
On the Airbus A320 family aircraft, pitch control is maintained in two ways. Primarily, the elevators
are used to pitch the aircraft. Besides the elevators there is the Trimmable Horizontal Stabilizer (THS),
to which the elevators are attached, which is used to trim the aircraft. The elevators are operated either by
sidestick movement or, in case of autopilot engagement, by the FMGS. In manual control, when the sidestick
is used to operate the elevators, electrical signals are generated by the sidestick and sent to both ELAC
computers. The signals received by the ELAC computers are then converted into outputs which drive the
hydraulic system actuators connected to the elevators. Normally ELAC1 is in control, with ELAC2 serving as
back-up. In case of dual ELAC failure, SEC1 or SEC2 automatically takes over control. The loss of the elevators is
categorised as CAT (catastrophic): the aircraft gets out of control and its loss follows naturally, Figure 19.
Figure 19: Elevators Computer
When the autopilot is in command, the FMGS maintains pitch control: the 𝛿𝑄 command
generated in the pitch basic loop is sent as an electrical signal to both ELACs, which produce an output
activating the elevator actuators. The 𝛿𝑄 command is limited in amplitude and in rate of variation.
In the pitch basic loop, there are two modes:
Cruise, where the 𝛿𝜃 elevator command is generated from the outer loop command; in
feedback the system receives the pitch angle (𝜃) and the pitch attitude rate (𝜃̇). In certain modes (ALT,
V/S, FPA), an engine torque compensation is added to the term 𝛿𝜃 to minimize the path deviation due to
large thrust variations.
Approach/landing, where the 𝛿𝑒 elevator command is generated from the outer loop command of 𝑁𝑧;
the aircraft receives the vertical acceleration, the pitch angle, the pitch attitude rate and the roll angle in
feedback.
Each elevator is powered by two hydraulic actuators, one in active mode while the other serves as
back-up. Both actuators become active in case of large pitch demands.
In order to perform the vertical control, Figure 20, the target variables are the altitude, the vertical speed
or the flight path angle (inputs entered in the FCU), which are controlled by the outer loop, acting on the
inner loop through small increments of the load factor. Therefore, the sidestick and the inputs entered directly
in the FCU do not act directly on the surface deflection, but command an increment in the
normal load factor. Subsequently, the incremental load factor is a function of the aircraft configuration
(slats/flaps, speed brakes), and the surface deflection is computed through the kinematic and dynamic
equations implemented in the FMGC. The orders are mediated by the auto-thrust, which applies thrust
corrections in order to obtain a more comfortable flight profile.
Figure 20: Vertical Control Laws breakdown
3.3.2.1 Trimmable Horizontal Stabilizer – THS
The THS is positioned by a screw actuator driven by two hydraulic motors. In turn, the
hydraulic motors are driven by one of three electric motors. Only one electric motor can be operative at a
time, while the other two are in a standby role. The electric motors are controlled by either the ELAC or the
SEC computers. Operating the THS by using the mechanical trim wheel has priority over the electrical trim.
3.3.3 Yaw Control
The aileron deflection command controls the turn coordination, which is carried out by the Yaw
Damper function of the FAC in cruise. Each FAC receives two deflection commands from each FMGC for
rudder control. The rudder control is also used in the guidance command, through 𝛿𝑟, for the Yaw Damper
function for yaw axis stabilization in automatic landing, Figure 21. The rudder limitation is a function of speed.
The rudder is controlled in three different ways, namely:
Manually, by rudder pedal movement: there are two pairs of rudder pedals installed, connected
mechanically to each other. They are linked to the artificial feel unit by a cable loop,
which in turn is connected to the hydraulic rudder actuators via a differential unit. Movement of the
pedals generates a signal which is sent to the active ELAC. The ELAC then calculates the yaw damping,
turn coordination and rudder trim orders and sends these to the FAC computers. Both FAC
computers control the yaw damper servos, the rudder trim and the rudder limit motors.
Rudder trim: it is achieved by two electric motors, each controlled by its associated FAC. Rudder trim
is done manually by operating the rudder trim control located on the overhead panel.
Autopilot rudder movement: in case of autopilot engagement, both FAC computers receive
commands from the FMGS for rudder trimming and yaw control.
Figure 21: Yaw control [7]
3.4 Manual way of aircraft controlling
In case the pilot takes direct control of the aircraft with sidestick and pedals, the FMGC, if it is
capable, gives the crew instructions using the flight director cues and the yaw cue; it is the pilot who follows
the cues with the manual controls (rudder pedals and sidestick). The pilot’s commands are processed
by the flight control computers (FAC, SEC and ELAC), which determine the way in which the control
surfaces will be moved, possibly limiting the deflection ordered by the pilot to keep the aircraft within its
flight envelope. FAC, SEC and ELAC orders are sent to the respective actuator controllers. There is a final
control function on the actuator, to allow actuator redundancy for the control surfaces, e.g. for the elevators: each
servo-jack has three control modes:
Active, so the jack position is electrically controlled
Damping, so the jack follows the surface movement
Centring, so the jack is hydraulically retained in the neutral position [7]
ELAC, SEC and FAC can be reconfigured according to the law degradation status; the output of these
FCCs can be sent to different actuators, so the electrical circuit between an FCC output and an actuator
input includes some switching circuitry.
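The reconfiguration described in this section and in the pitch and roll sections (ELAC1 in control, ELAC2 as back-up, SEC1 or SEC2 on dual ELAC failure; one jack active and one in damping mode, both active on large pitch demands; active, damping and centring modes) reduces to a priority chain per axis plus a mode assignment per servo-jack. The following is example code written for this page, not the flight control computers' logic: the FAC1-before-FAC2 order is an assumption (the text only says the FACs are arranged like the ELACs), applying the same jack-mode rule to every axis is a simplification, and putting the jacks in centring mode when no computer is left is an assumed behaviour.

```python
# Priority chains taken from the text; the FAC order is an assumption.
PRIORITY = {
    "elevator": ("ELAC1", "ELAC2", "SEC1", "SEC2"),
    "aileron": ("ELAC1", "ELAC2"),
    "yaw_damper": ("FAC1", "FAC2"),
}


def select_computer(axis, healthy):
    """Walk the priority chain for an axis and return the first healthy computer, or None.
    'healthy' maps computer names to booleans (the self-monitoring result)."""
    for computer in PRIORITY[axis]:
        if healthy.get(computer, False):
            return computer
    return None


def jack_modes(computer, large_demand=False):
    """Modes of the two servo-jacks of one surface: ACT (electrically positioned),
    DAMP (follows surface movement) or CENTRE (hydraulically held at neutral)."""
    if computer is None:
        # Assumption for this example: with no computer left, both jacks are centred.
        return ("CENTRING", "CENTRING")
    if large_demand:
        # both actuators become active on large pitch demands
        return ("ACTIVE", "ACTIVE")
    return ("ACTIVE", "DAMPING")


def reconfigure(healthy, large_pitch_demand=False):
    """Map the computer health vector to the driving computer, the jack modes and a
    degraded flag for each axis; this is the switching the text places between an
    FCC output and an actuator input."""
    result = {}
    for axis in PRIORITY:
        computer = select_computer(axis, healthy)
        large = large_pitch_demand and axis == "elevator"
        result[axis] = {
            "computer": computer,
            "jacks": jack_modes(computer, large),
            "degraded": computer is None or computer != PRIORITY[axis][0],
        }
    return result


def lost_axes(config):
    """Axes for which no computer is available at all."""
    return sorted(axis for axis, entry in config.items() if entry["computer"] is None)


if __name__ == "__main__":
    # constructed health vectors: nominal, ELAC1 lost, both ELACs lost
    nominal = {c: True for chain in PRIORITY.values() for c in chain}
    print(reconfigure(nominal))
    print(reconfigure(dict(nominal, ELAC1=False)))
    print(reconfigure(dict(nominal, ELAC1=False, ELAC2=False)), lost_axes(
        reconfigure(dict(nominal, ELAC1=False, ELAC2=False))))
```

The useful property to test is that the elevator still has a driving computer after a dual ELAC failure while the ailerons do not, which is exactly the distinction the text makes between the elevators (backed by the SECs, since their loss is catastrophic) and the other surfaces.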
3.5 Flight Management Guidance System
The role of Flight Management Guidance System (FMGS) is to perform various functions to help
the flight crew in the management of the flight (reducing the workload, improving the crew efficiency and
eliminating many routine operations generally performed by the pilots) and to control directly the ailerons
and the elevators when the autopilot is engaged.
The computation and processing devices receive information (ATA-34) from sources such as:
Navigation information, which contains details of airfields, airways, routes, waypoints and procedures
(SIDs, STARs, approaches).
Aircraft performance information.
The Air Data and Inertial Reference System (ADIRS) and the Global Positioning System (GPS), for
position and dynamic information.
The clock, to synchronize tasks and operations among computers and control units.
Radio navigation information.
The computation and processing devices receive inputs (ATA-22) from:
Flight Control Unit (FCU)
Multipurpose Control and Display Units (MCDUs)
Multi Functions Display (MFD)
The computation and processing devices provide outputs (ATA-27, ATA-31) to:
Flight Control System for pitch, roll and yaw control
Auto-thrust System for thrust control
EFIS and MCDU System for the display information
Navigation Radio for the automatic tuning of radio aids
The FMGS is a dual-dual type system for the autopilot and auto-thrust functions. In cruise mode
only one autopilot can be engaged. Both APs can be engaged (through the AP1 and AP2 pushbutton
switches located on the FCU) only when the ILS approach mode is selected.
Each of the redundant FMGCs is divided into two channels: COMMAND (issues the commands to the flight
controllers) and MONITOR (monitors the result of the commands, e.g. by analysing air data and inertial data to
detect anomalies). If one FMGC fails, the other FMGC performs all operations.
The FMGS has three modes of operation:
Dual mode (the normal mode), Figure 22: the Flight Management System normally works in dual
mode, based on the master/slave concept. Both FMGCs perform the same functions simultaneously and use
all crew inputs on MCDU1 or 2. The slave system synchronizes on the master system for the
initialization of the flight performance modes, for the guidance modes and for the radio navigation. The
results are compared and, in case of discrepancy, the MCDU displays messages (position, weight,
target speed). If one AP is engaged, the related FMGC is master:
o It uses the onside FD for guidance
o It controls the A/THR
o It controls FMA 1 and 2
If two APs are engaged, FMGC1 is master; otherwise the master depends on which pushbutton is
pressed. If dual mode cannot be maintained (incompatible database, ...), both FMGCs revert to independent
mode.
Figure 22: FMGC architecture in Dual Mode
Independent mode (each FMGC being controlled by its associated MCDU and affecting only the
onside EFIS and RMP (footnote 10)), Figure 23: the system selects this degraded mode automatically if it detects a
major mismatch (database incompatibility, operational program incompatibility). No information is
transferred from one FMGC to the other and therefore neither synchronization nor comparison can
be performed. Both FMGCs work independently and are linked only to the peripherals on their own
sides of the flight deck.
Figure 23: FMGC architecture in Independent Mode
Single mode (using one FMGC only), Figure 24: in case of FMGC failure this degraded mode is
automatically selected by the system; the opposite FMGC takes control of MCDU 1 and 2
independently and feeds both NDs with the same data. All the functions of the flight management
are available through MCDU1 and 2.
Footnote 10: RMP = Radio Management Panel
Figure 24: FMGC architecture in Single Mode
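The mode selection, master election, MCDU routing and dual-mode cross comparison described above, as an added Python illustration (not Airbus or thesis code); the database identifiers, the comparison tolerances and the master rule when no AP is engaged are assumptions:

```python
"""FMGS mode and master selection: an added illustration of the behaviour
described in the text, not Airbus or thesis code. Identifier values, the
comparison tolerances and the master rule with no AP engaged are assumptions."""
import math
from dataclasses import dataclass
from enum import Enum

POSITION_TOL_NM = 1.0   # assumed tolerances for the dual-mode cross comparison
WEIGHT_TOL_KG = 500.0
SPEED_TOL_KT = 5.0


class FmgsMode(Enum):
    DUAL = "dual"                # normal: master/slave, results compared
    INDEPENDENT = "independent"  # major mismatch: each FMGC serves its own side
    SINGLE = "single"            # one FMGC failed: the other drives MCDU 1 and 2


@dataclass(frozen=True)
class Fmgc:
    side: int            # 1 or 2
    healthy: bool
    nav_db: str          # navigation database identifier (constructed value)
    ops_program: str     # operational program identifier (constructed value)


def select_mode(fmgc1: Fmgc, fmgc2: Fmgc) -> FmgsMode:
    """Dual is the normal mode; an FMGC failure degrades to single mode and a
    database or operational-program mismatch degrades to independent mode."""
    if not (fmgc1.healthy and fmgc2.healthy):
        if not (fmgc1.healthy or fmgc2.healthy):
            raise RuntimeError("both FMGCs failed: no FMGS guidance available")
        return FmgsMode.SINGLE
    if fmgc1.nav_db != fmgc2.nav_db or fmgc1.ops_program != fmgc2.ops_program:
        return FmgsMode.INDEPENDENT
    return FmgsMode.DUAL


def select_master(ap1_engaged: bool, ap2_engaged: bool, last_pushbutton_side: int) -> int:
    """Master FMGC in dual mode: FMGC1 when both APs are engaged, the onside FMGC
    of the single engaged AP, otherwise the side of the last pressed pushbutton
    (assumed reading of 'depends on which pushbutton is pressed')."""
    if ap1_engaged:
        return 1                      # covers both the AP1-only and the AP1+AP2 cases
    if ap2_engaged:
        return 2
    return last_pushbutton_side


def served_fmgcs(mode: FmgsMode, mcdu_side: int, fmgc1: Fmgc, fmgc2: Fmgc) -> tuple:
    """Which FMGC(s) use a crew entry made on MCDU `mcdu_side`."""
    if mode is FmgsMode.DUAL:
        return (1, 2)                           # both FMGCs use all inputs on MCDU 1 or 2
    if mode is FmgsMode.INDEPENDENT:
        return (mcdu_side,)                     # linked to onside peripherals only
    return (1,) if fmgc1.healthy else (2,)      # surviving FMGC takes MCDU 1 and 2


def compare_outputs(master: dict, slave: dict) -> list:
    """Dual-mode cross comparison of the two FMGCs' results (position, weight,
    target speed); returns the names of the parameters whose discrepancy exceeds
    the assumed tolerance, which the MCDU would report to the crew."""
    mean_lat = math.radians((master["lat_deg"] + slave["lat_deg"]) / 2)
    d_lat_nm = (master["lat_deg"] - slave["lat_deg"]) * 60.0
    d_lon_nm = (master["lon_deg"] - slave["lon_deg"]) * 60.0 * math.cos(mean_lat)
    checks = {
        "position": (math.hypot(d_lat_nm, d_lon_nm), POSITION_TOL_NM),
        "weight": (abs(master["weight_kg"] - slave["weight_kg"]), WEIGHT_TOL_KG),
        "target speed": (abs(master["target_speed_kt"] - slave["target_speed_kt"]), SPEED_TOL_KT),
    }
    return [name for name, (delta, tol) in checks.items() if delta > tol]


if __name__ == "__main__":
    # Constructed scenario: healthy pair, same database, AP2 only engaged.
    f1, f2 = Fmgc(1, True, "NDB-2020-01", "OPS-1"), Fmgc(2, True, "NDB-2020-01", "OPS-1")
    mode = select_mode(f1, f2)
    print(mode, "master FMGC", select_master(False, True, 1))
    print("MCDU2 entry goes to FMGC", served_fmgcs(mode, 2, f1, f2))
    out1 = {"lat_deg": 45.00, "lon_deg": 7.60, "weight_kg": 62000.0, "target_speed_kt": 250.0}
    out2 = {"lat_deg": 45.05, "lon_deg": 7.60, "weight_kg": 62900.0, "target_speed_kt": 251.0}
    print("discrepant:", compare_outputs(out1, out2))
```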
3.6 Flight Augmentation Computer
The FAC (Flight Augmentation Computer) is a modular computer designed for digital (discrete) and
analogue variables. This paragraph is entirely dedicated to explaining how the FAC works and which tasks it
performs, because it is the main computer on which my thesis is based, since the Enhanced Stall Warning
function is mainly implemented in the FAC. The FAC computer is divided into three parts:
Two virtual channels, the COMMAND channel and the MONITOR channel
One independent channel which performs the FIDS functions (footnote 11)
The COMMAND channel receives ARINC sensor data, in the form of analogue or discrete signals, in
order to compute the control laws. Subsequently, it generates the flight commands used to drive the
corresponding servo-actuators. The interfaces between the computer and the actuators, and the position
feedback, are of the analogue type. Similarly, the MONITOR channel receives the sensor data required to
compute the control law. The MONITOR channel’s role is to consolidate the computation of the COMMAND channel
and to monitor the servo loops, so as to be able to change over to the opposite FAC in case of failure.
The FAC performs six main functions:
Input management and monitoring. This function is doubled, and it is responsible for the
acquisition and monitoring of the input parameters, which have various forms; some of them are
consolidated before being used by the control laws. The inputs can be alternating-current analogue
signals from the various rudder position control sensors, ARINC signals from various systems (ADIRS,
LGCIU (footnote 12), ELAC, FMGC, SFCC and the opposite FAC), discrete signals from the engagement
pushbutton switches and landing gear data, and direct-current analogue signals.
Footnote 11: For maintenance purposes, the FIDS centralizes the failure information from the various BITEs of the AFS computers and provides an interface between these BITEs and the Centralized Fault Display Interface Unit (CFDIU). The FIDS function is only active in the FAC [29].
Control law computation. The actuator position commands are computed by the CPU based on the
above ARINC and analogue data and the embedded control laws. A real-time monitor supervises the
sequencing of the various tasks and the activation of a watchdog to protect the processing unit itself
against incorrect program running.
Control rudder-surface servo-loops. This function provides the current signals for actuator control.
These signals are generated from the computer software orders and the feedback position of the
sensor (LVDT or RVDT) for the three analogue power loops (yaw damper, rudder travel limiting
and rudder trim).
Engage logic. This is the function that consolidates the statuses of the various monitors and makes
it possible to pressurize the servos if all the required conditions have been met. In the event of a fault,
this engage logic can cut off the control signals to the servos.
Output management. This function, as the first one, is doubled and it is responsible for the
generation of the output parameters. The outputs are for the implementation of various cross-
monitors with the monitoring channel or they are sent to the other aircraft systems (opposite FAC,
FMGC, DMC and trim indicator [8]) or they can be analogue (where a current amplifier provides
the interface between the digital servo error and each servo after D/A conversion) and discrete (to
make possible to indicate the status of the computer and to command the engage relays) outputs.
Power supplies. This is the function that provides the power supply to each channel from the
28 VDC of the aircraft network. The voltages provided to each channel are +5 V, +15 V and –15 V; each
power supply is monitored by the other channel.
The software organization inside the FAC is divided into the application program, contained in the
memory modules, and the executive program, which enables the control of the CPU, ARINC inputs/outputs,
safety tests, etc. There are differences between the command and the monitoring parts of the FAC:
dissymmetric programming, with different languages and different algorithms. A specific methodology
is applied from the design phase to the programming phase, ensuring a safety level compatible with the FAC
functions.
To ensure correct software execution, specific monitoring functions are introduced both in the
hardware and in the software. The software is also organized in fast or slow tasks and in background
tasks which can be delayed. The fast cycle concerns the yaw computation, while the other functions are
computed in the slow cycle, except the weight calculation, which is performed in the very slow cycle.
Footnote 12: Two Landing Gear Control and Interface Units (LGCIUs) control the extension and retraction of the gear and the operation of the doors. They also supply information about the landing gear to the ECAM for display, and send signals indicating whether the aircraft is in flight or on the ground to other aircraft systems. There are two LGCIUs fitted on the SA family. One LGCIU controls one complete gear cycle, then switches over automatically to the other LGCIU at the completion of the retraction cycle. It also switches over in case of failure [30].
The FAC is devoted primarily to rudder control (sending commands to four electrical actuators for
rudder trim and rudder travel limiting, one per FAC and per function) and to all the associated functions (e.g.
yaw damping, sending yaw damper commands to two hydraulic servo-actuators, one per FAC). Another
important FAC function is ensuring the flight envelope protection.
In order to control and use the system, the cockpit has two pushbutton switches for FAC
engagement and a RUD TRIM control panel; finally, indications and warnings appear on the ECAM display units
to inform the crew about the control surface position.
Figure 25: FAC component layout [9]
The computer’s role is to ensure the optimum flight control surface deflection, to obtain easy handling
and good stability, and to improve safety against over-speed, stall, wind-shear and excessive manoeuvre load
factor. The FAC is a dual-dual type system. FAC1 and FAC2 can be engaged at the same time through the FAC1
and FAC2 pushbutton switches on the overhead panel. Only one system is active at a time: FAC1 has the
priority, FAC2 being in standby and synchronized on FAC1 orders.
3.6.1 Yaw Damping
The yaw damping provides turn coordination and guidance in cruise, during ILS approach mode
and roll-out. It is also involved in engine failure recovery when the autopilot is engaged (in manual flight,
the ELAC is in charge of this function) and obviously in yaw stabilization. In manual control, the yaw damping
ensures the accomplishment of the yaw orders from the Elevator Aileron Computer (ELAC), to stabilize and
to coordinate the aircraft. The ELAC computes the corresponding data and transmits them to the rudder
surface via the yaw damper servo loop. In case of ELAC failure, the yaw damping for Dutch roll is
provided in the degraded law. In automatic control, the function accomplishes the autopilot commands, taking its
orders from the Flight Management and Guidance Computer for turn coordination and guidance (align and
roll-out); only in cruise does the function manage the Dutch roll damping.
The system consists of two electro-hydraulic servo-actuators (one per FAC) centred to the neutral
position by an external spring device. Each servo-actuator includes a feedback position transducer (Linear
Variable Differential Transducer); the system further comprises the two Flight Augmentation Computers, a feedback position transducer unit
located on the output shaft common to both servo-actuators (two Rotary Variable Differential Transducers)
and finally two pushbutton switches FLT CTL/FAC (common to the RUD TRIM and RTL functions) for FAC
engagement.
All the computations specific to this function (laws, logic and engagement) are duplicated in
each FAC. The system operates using the changeover technique, so when the yaw damper is engaged on both sides,
channel 2 is synchronized on the position of the other channel and its associated servo-actuator is
depressurized. This depressurization is performed by two solenoid valves, each one driving a bypass valve;
only one solenoid valve is required to depressurize the servo-actuator. A pressure switch monitors the
status of the solenoid valves. If the two servo-actuators are not pressurized, the rudder is centred to the
neutral position (zero or the trimmed value).
This function sends the rudder the orders that are not reproduced at the rudder pedals (through the
Green hydraulic system). A current amplifier in the FAC delivers the orders to slave the servo-actuator in
position. A servo valve then executes these orders. The slaving order is never interrupted, even when a failure
is detected: the servo-actuator is neutralized through action on the electro-valves. Each solenoid valve is
under the control of an independent logic. The LVDT transducers are used for the slaving and the RVDT
transducers are used to monitor this slaving. Each FAC generates the priority order in the form of a hard-wired
discrete variable.
Like the other FAC functions, the Yaw Damper can work both in manual mode and in automatic
mode. When the AP is not engaged (manual mode), the Yaw Damper is linked to the ELAC,
and in the normal manual mode the roll axis is managed by the lateral deflection law integrated in the
control of the rudder (for stabilization and turn coordination). In case of emergency, during the degraded
law, the ELAC must operate on the roll axis; on the other hand, the FAC computes the yaw damper function
and generates a simplified Dutch roll damping law.
In the automatic mode, with the AP engaged, the yaw damper operates in Dutch roll damping,
except in the approach phases, and in turn coordination to reduce the sideslip in turns. These two orders are
inhibited during the landing phase and accomplished directly in the AP guidance orders. In addition, during
the automatic mode, the system provides assistance in engine failure recovery, from a lateral acceleration
signal passed through a threshold, and accomplishes the guidance orders (align and roll-out).
From the system point of view, this function depends on the engagement of the pushbutton switch and on the
mode logic: whether the AP is engaged or not, whether the ELAC is in normal mode or not, and the status of the ADIRS. In
order to switch on the Yaw Damper function, specific monitoring must be performed on the computation
comparators and power comparators, in addition to a global monitoring of the computers. The correct operation of the
mode is checked:
For the ELAC: if the normal law is not executed and the ELAC turns to the standby law on the roll
axis.
For the AP: if the acquisition of the AP engagement signal is not correct or if the status of the
peripherals does not allow the achievement of the function (dual failure of the ADIRS).
In these cases, the AP disconnects, and the system returns to the manual mode without FAC
disconnection. The loss of the yaw damping function is indicated on the display unit of the ECAM system:
in case of one channel loss a warning is emitted; in case of total loss a warning and a chime are emitted.
3.6.2 Rudder Travel Limiting Computation
This function limits the rudder excursion through a control law of speed and altitude; in case of
failure the function returns to the low speed limitation, Figure 26. In order to perform this function, the
system consists of two engagement pushbutton switches, both FAC units, an electro-mechanical rudder
travel limitation unit with two motors, and two position transducers integrated in the unit.
The rudder travel-limiting system operates using the changeover technique, so when both sides are
engaged side 1 has priority and side 2 is in standby. Side 2 becomes active when side 1 is disengaged
(case of failure) or when the motor in standby is not supplied. Synchronization is achieved on the rudder position
prior to engagement, so amplitude and speed limitations are introduced. The first limitation ensures
that the rudder travel remains compatible with the structural limits, and the second condition prevents
saturation of the limitation unit. Upon total loss of the rudder travel-limiting function, a control permits to
bring the stops back to the low speed conditions, to restore the maximum rudder deflection as soon as the slats are
extended.
This function has two different operational modes:
In normal operation the active system controls the limitation unit through its motor. It limits the
rudder travel according to a parameter specific to the flight envelope, the corrected airspeed (this
parameter is delivered by the ADIRS, but it is monitored by the FAC). When this mode is active, the
rudder travel limiting channel number 1 is active and drives the associated motor. The other channel
is in standby (synchronization mode) and the power electronic set of the associated motor is not
supplied. The logics are the same for the command and the monitor part.
Return to low speed conditions is the emergency mode; it serves in case of failure of the FAC or of the
power electronic set. This mode is independent from the normal one and it is only initiated at low
speed (in slat extended configuration). The logic behind this mode controls a relay that switches the
motor onto a supply independent from the power electronic set of the limitation unit in normal mode.
These switching relays are activated upon slat extension, in case of dual failure of the rudder travel
limitation function, and during a fixed time corresponding to the acquisition of the maximum stop.
Figure 26: Maximum rudder deflection. As the flight speed increases, the rudder deflection is reduced hyperbolically in order to deliver the same aerodynamic torque to the aircraft. The maximum deflection is saturated at low speed and is sized for the OEI case at take-off. This is a structural
limitation.
In case of rudder travel limit failure, the slats are extended, and the deflection is forced to the low-
speed maximum.
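The rudder travel limiting law with its channel changeover and low-speed fallback, as an added Python illustration (not the FAC implementation); the deflection values, the knee speed, the 1/V² law and the slew rate are constructed assumptions, since Figure 26 gives only the shape of the curve:

```python
"""Rudder travel limiting law and channel changeover of the kind described in the
text, as an added illustration (not the FAC implementation). All numeric values
are constructed: the text gives the shape of the law (Figure 26) but no figures."""
from dataclasses import dataclass
from typing import Optional, Tuple

DELTA_LOW_SPEED_DEG = 25.0  # assumed low-speed maximum stop (sized for OEI at take-off)
V_KNEE_KT = 160.0           # assumed CAS above which the stop starts to decrease
DELTA_MIN_DEG = 3.5         # assumed high-speed floor of the stop
STOP_RATE_DEG_S = 2.0       # assumed maximum slew rate of the limitation unit


def rudder_limit_deg(cas_kt: float) -> float:
    """Maximum rudder deflection versus CAS: saturated at low speed, then decreasing
    with airspeed so that the aerodynamic yawing moment stays roughly constant (the
    hyperbolic shape of Figure 26; a 1/V^2 law is assumed here), floored at high speed."""
    if cas_kt <= V_KNEE_KT:
        return DELTA_LOW_SPEED_DEG
    return max(DELTA_MIN_DEG, DELTA_LOW_SPEED_DEG * (V_KNEE_KT / cas_kt) ** 2)


@dataclass
class RtlChannel:
    side: int
    engaged: bool        # FLT CTL/FAC pushbutton switch
    fac_healthy: bool
    power_set_ok: bool   # power electronic set of the associated motor


def active_side(ch1: RtlChannel, ch2: RtlChannel) -> Optional[int]:
    """Changeover: side 1 has priority, side 2 leaves standby only when side 1 is
    disengaged, failed, or its motor is not supplied."""
    for ch in (ch1, ch2):
        if ch.engaged and ch.fac_healthy and ch.power_set_ok:
            return ch.side
    return None


def slew_stop(current_deg: float, target_deg: float, dt_s: float) -> float:
    """Rate limitation of the stop movement, so the limitation unit is not saturated."""
    step = STOP_RATE_DEG_S * dt_s
    if abs(target_deg - current_deg) <= step:
        return target_deg
    return current_deg + step if target_deg > current_deg else current_deg - step


def update_stop(ch1: RtlChannel, ch2: RtlChannel, cas_kt: float, slats_extended: bool,
                current_stop_deg: float, dt_s: float = 1.0) -> Tuple[float, str]:
    """One cycle of the function: normal law driven by the active channel; on dual
    loss the emergency relay path drives the stops back to the low-speed value once
    the slats are extended; with slats retracted the stop holds (assumption)."""
    side = active_side(ch1, ch2)
    if side is not None:
        return slew_stop(current_stop_deg, rudder_limit_deg(cas_kt), dt_s), f"normal (side {side})"
    if slats_extended:
        return slew_stop(current_stop_deg, DELTA_LOW_SPEED_DEG, dt_s), "return to low speed"
    return current_stop_deg, "frozen"


if __name__ == "__main__":
    # Constructed scenario: accelerating climb, then loss of both channels in approach.
    ch1, ch2 = RtlChannel(1, True, True, True), RtlChannel(2, True, True, True)
    stop = DELTA_LOW_SPEED_DEG
    for cas in (140.0, 200.0, 260.0, 320.0):
        stop, mode = update_stop(ch1, ch2, cas, False, stop, dt_s=5.0)
        print(f"CAS {cas:5.1f} kt  stop {stop:5.2f} deg  {mode}")
    ch1.fac_healthy = ch2.power_set_ok = False
    stop, mode = update_stop(ch1, ch2, 150.0, True, stop, dt_s=10.0)
    print(f"dual loss, slats out: stop {stop:5.2f} deg  {mode}")
```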
3.6.3 Rudder Trim
The FAC, when it receives the orders from the FMGC, actuates the rudder trim motor, which is linked to an
artificial feel unit, to move the rudder.
In manual control, this function ensures the accomplishment of the pilot trim orders from the
manual trim control and of the deflection orders from the ELACs (engine failure recovery); on the other
hand, in automatic control the system ensures the accomplishment of the autopilot orders (auto-trim on the
yaw axis) and the generation and accomplishment of the engine failure recovery function. The system
consists of an electro-mechanical actuator moved by two three-phase asynchronous motors connected to a
reduction gear by a rigid linkage, both FACs, four transducer units (Rotary Variable Differential Transducers -
RVDT) configured in such a way that a single failure would not affect all the units at the same time, two
engage pushbutton switches, a rudder-trim control switch located on the RUD TRIM control panel, a RUD
TRIM/RESET pushbutton switch and a rudder trim indicator with a liquid-crystal display.
Like the rudder travel limiting, this function operates using the changeover technique; each channel is
duplicated and monitored:
The FAC COMMAND side slaves the position of the system
The MONITOR side monitors the system
The operation of the rudder trim function depends on the engagement status of FAC and of AP and
of the specific monitoring to the computation comparators and power comparators functions. There are two
modes of operations:
The manual mode
The automatic mode
As the automatic mode has priority, the pilot trim is not possible in the AP-engaged configuration.
However, in manual mode the system is not under the control of the ADIRS: it remains available for the
pilot trim part even in case of total failure of these peripherals.
The automatic mode is lost if the AP engaged signal is not validated or if the status of the peripherals does not
allow the achievement of the function. In addition to the loss of the rudder trim, the AP is also disconnected and
the system returns to the manual mode without FAC disconnection. The AP also provides signals which
validate the detection of engine failure as a function of the engine rating.
3.6.4 Characteristic Speed Calculation
The Flight Augmentation Computer is in charge of controlling the speed scale on the Primary Flight
Display, of adapting the gains of the Flight Management and Guidance Computer and of the Elevator Aileron
Computer, of distributing the signals for the FMGC control laws, of protecting the flight envelope in automatic
flight (speed limitations for the FMGC or alpha-floor for the auto-thrust), of displaying the flap/slat manoeuvre
speeds and the rudder control surface positions, and of providing the wind-shear and low energy warnings.
The information the FAC transmits to the FMGC (speed data, weight, centre of gravity, flight path
angle and alpha-floor) is qualified by the validity of the Sign/Status Matrix (SSM) and by the FAC HEALTHY
hard-wired discrete variable.
The speed computation principle relies on the fact that most of the presented speed data are functions of the
weight. As the weight changes slowly, this parameter is frozen upon modification of the configuration
(speed-brakes or control surfaces extended, deceleration, turn, ...), to avoid transients in the speed
presentation. On the ground, the initial weight and centre of gravity are calculated by the FMS. In the cruise phase,
the updating computations are performed by engine consumption laws approximated in the FAC. The
computation begins with the Czmax curves and from the condition of equilibrium of the aircraft with thrust
and balance correction. This permits to obtain the stall warning speed Vs@1g. From Vs@1g, the FAC
computes the aircraft weight considering:
The equilibrium incidence;
The equilibrium speeds;
The thrust;
The centre of gravity;
The altitude.
Beyond the computation range, the computation of the weight is frozen. The weight is realigned
through a “fuel used” correction term previously defined in the FAC. The computation of the centre of gravity,
according to the stability plane altitude, configuration and speed, is deduced from the weight computation,
Figure 28.
The FAC uses the FM weight and CG to compute the characteristic speeds (VLS, VSW, etc.), Figure 27,
taking into account the aircraft configuration (slats, flaps, airbrakes). Some constants and gains depend on the
engine type and they differ across the A320 family.
Figure 27: General architecture of speed computation in FAC
Figure 28: Speed computation using FM weight and CG calculation in FAC
Another function developed by the FAC is the computation of the Alpha Floor Protection; this function
was not duplicated in the SA family before the NEO version and permits to protect the aircraft against
excessive angle of attack. To this end, a comparison is made between the aircraft angle of
attack and predetermined thresholds that are a function of the configuration. Beyond the threshold, the FAC transmits
a command signal to the auto-thrust, which will apply TOGA thrust. This function is also developed to
protect the aircraft against longitudinal wind variation in approach by determining the wind acceleration
(deduced from the difference between ground and air acceleration). The Alpha Floor Protection is no longer
available in case of double ADIRS failure. The ELAC direct computation of the Alpha Floor Protection is
considered as soon as the first detection is made, either by the FAC or by the ELAC.
The FAC also performs the detection functions that generate the signals needed to output the following warnings:
Wind-shear;
Low-energy;
Stall.
3.7 Interconnection and peripheral interfaces
The interconnection between the FACs, the FMGCs and the peripherals makes sure that a single
failure of a peripheral has no effect on the AFS/FMS functions, Figure 29.
Concerning the pitch and roll axes: FMGC 1 and 2 send the autopilot orders through output buses
to the ELACs, according to which autopilot is engaged (bus 1 has the priority when both
autopilots are engaged, i.e. in the approach and landing phase). In their turn, the ELACs transmit the deflection
commands to the surfaces on the pitch and roll axes.
The same logic is applied on the yaw axis: both FMGCs send the autopilot orders to the FACs,
which control both yaw damper hydraulic servo-actuators (transient commands) and all four electrical
actuators (one per FAC and per function) for rudder trim and rudder travel limiting (permanent
command). All the servomotors operate using the automatic changeover.
In order to send commands to the engines, the FMGCs compute and transmit data through the FCU,
EIU and ECU/EEC using the ARINC bus. To consolidate the engine data, the priority FMGC compares the output
parameters from the FCU with its own available data by means of the associated logic. Each FMGC receives
four ARINC buses for computation: two buses associated with its own side, the other two associated with the
opposite side.
Figure 29: Cockpit computer communication [7]
Stall Warning function Federico Mastropasqua
47
4 Stall Warning function
4.1 Stall
4.2 Stall pilot reaction
4.3 State-of-the-art
4.3.1 Threshold determination
4.3.2 To increase autopilot availability – EAPA
4.4 Air France AF 447 flight Rio de Janeiro – Paris
4.5 Frozen probes
4.6 Enhanced Stall Warning
4.6.1 Applicability
4.6.2 Constraints and opportunities
4.6.3 ESW operating modes
4.6.4 Enhanced Stall Warning capacity
4.6.5 Angle of attack monitoring and selection
4.6.6 Thresholds computation
4.6.7 Enhanced Stall Warning activation request
4.6.8 Failure cases
4.6.9 ESW new interfaces
This chapter is the most technical and systematic part of this master thesis. In these pages, the
solution I developed during the master thesis in the Airbus Design Office is presented and analysed in
technical detail. All the architectural choices are discussed. The Enhanced Stall Warning function
implemented in the Single Aisle family is inherited from the more recent A350 XWB and arranged according to
the needs of the aircraft systems.
The A350 was the first Airbus aircraft fitted with manual protections in autopilot. This new concept
is composed of a set of modifications aiming at improving the safety provided at aircraft level, and now the
expertise Airbus developed in the A350 program is moving to the Single Aisle family (A320 family). The
program objective is to define a set of generic requirements aiming at implementing the same
existing manual-flight protections even when the autopilot is engaged, on all Airbus civil aircraft fitted with
a flight envelope protection device. For this purpose, the autopilot is kept engaged even outside the normal
flight envelope: as long as the manual-flight protections are available, the autopilot is able to handle the
aircraft. At this stage, the implementation is different between the A380 and the SA/LR (except the A350 XWB) (footnote 13):
Regarding the Primary Flight Control Systems, the A380 architecture is very similar to that of the
A350. On these aircraft, the manual protections and the AP/FD orders are hosted in the same computer, and the
manual protections have a “voter based” structure. Therefore, the A350 design can easily be
transposed to the A380 program.
On the SA and LR (A320, A330, A340), the separation between the Auto Flight System (AP order computation)
and the Flight Control System (manual protections by logic) computers does not allow reproducing
exactly the A350 architecture for manual protections in autopilot. As a result, feasibility studies
were carried out in order to determine the technical adaptations needed to implement the manual protections in autopilot on
these programs. According to these studies, the most suitable computers to implement the new
functions are the FAC and the FMGC of the Auto Flight System; some adjustments must be
introduced in the Flight Warning System and in the ELAC computer to take the manual
protections into account.
The Enhanced Stall Warning function is necessary when the aircraft is not in normal law; otherwise
the high angle of attack protection (Alpha protection) would act, preventing the aircraft stall. This function
has been implemented to enhance the automatic protection even in degraded situations; in this way, less human
intervention is needed. In fact, stall conditions are difficult to foresee and in emergency
cases human instincts are often not sufficient to take control of the aircraft, and they lead to tragic
endings; this was the case of flight AF-447 from Rio de Janeiro to Paris, which initiated the project of which
the Enhanced Stall Warning function is part. Following a short introduction on the stall condition and
the manual manoeuvres to recover the aircraft from a stall situation, according to a test pilot interview I conducted in
October, this chapter explains how the function has been implemented in the Auto Flight System of
the Single Aisle Airbus family.
Footnote 13: SA = Single Aisle, LR = Long Range, XWB = Extra Wide Body. The A350 XWB is not part of the Long Range family, even though it is designed for the same purpose, because of different design choices.
4.1 Stall
As an aircraft slows down, in order to keep the same amount of lift to sustain level flight, it must
raise its angle of attack (the angle between the aircraft and the incoming airflow).
At a certain point, when flying slower and slower, alpha becomes large enough that the airflow
over the wing no longer follows the wing profile: it starts to separate from the wing. Gradually, less
and less extra lift can be obtained by increasing alpha; at the maximum potential to generate lift (alpha CLmax), a
stall occurs. To safely stay away from a stall, Airbus takes a small margin on that alpha CLmax (the angle of
attack at which a stall would occur), and does not allow pilots to fly a speed slower than the one that would result in
an angle higher than that “alpha max”, the highest angle of attack that is considered safe.
Figure 30: Aerodynamic polar diagram and corresponding speed values displayed on the Primary Flight Display to maintain the aircraft in the normal flight envelope. The alpha max shown in the aerodynamic polar is the incidence angle with a margin with respect to the alpha stall at 1g.
The resulting protections are displayed on the speed scale of Airbus aircraft so as to be visible to the
pilots, Figure 30. The speed at alpha max is the lowest possible safe speed to prevent stalling, and below that speed a full
red band is displayed on the PFD. Even if a pilot pulls on the sidestick, the flight computers will refuse to fly
an angle of attack higher than that alpha max. The airplane will safely stay within the flight envelope.
Aircraft without this protection require pilots to feel the stick shaker (the stick starts to shake on
an impending stall) and to pull/ease off, pull/ease off on the controls continuously, to remain at the edge of that
stick shaker, Figure 31.
On the PFD speed scale, the slowest speed the pilot can reach is Vαmax, and all slower speeds
are indicated by a red bar. Above this red bar, an amber/black bar is displayed, representing αprot:
this is the range where the aircraft flies in alpha protection mode, but αmax is not reached yet.
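An added Python illustration (not FAC or thesis code) of the characteristic-speed chain of section 3.6.4 (Vs1g from the equilibrium at Czmax, weight re-derivation and freeze, alpha floor threshold) together with the PFD bands described here; the aerodynamic data, the margins, the wing area and the CAS = EAS simplification are assumptions:

```python
"""Characteristic-speed computation of the kind section 3.6.4 attributes to the FAC
and the PFD speed-scale bands described in section 4.1, as an added illustration
(not FAC or thesis code). Aerodynamic data, margins, wing area and the CAS = EAS
simplification are constructed assumptions."""
import math

G = 9.80665
RHO_SL = 1.225          # ISA sea-level density; CAS treated as EAS (assumption)
S_REF_M2 = 122.6        # reference wing area, assumed A320-like value
KT = 0.514444           # m/s per knot

# Constructed per-configuration data: Czmax, 1g stall incidence, zero-lift incidence (deg)
AERO = {
    "CLEAN": {"cz_max": 1.45, "alpha_stall": 15.0, "alpha_0": -2.0},
    "CONF 3": {"cz_max": 2.60, "alpha_stall": 13.0, "alpha_0": -7.0},
}
# Assumed margins on the 1g stall incidence: alpha prot < alpha floor < alpha max < alpha stall
ALPHA_PROT_MARGIN, ALPHA_FLOOR_MARGIN, ALPHA_MAX_MARGIN = 0.75, 0.85, 0.90


def cz(alpha_deg: float, cfg: str) -> float:
    """Linear lift curve saturated at Czmax (constructed model of the Czmax curves)."""
    a = AERO[cfg]
    slope = a["cz_max"] / (a["alpha_stall"] - a["alpha_0"])
    return max(0.0, min(a["cz_max"], slope * (alpha_deg - a["alpha_0"])))


def vs1g_kt(weight_kg: float, cfg: str) -> float:
    """Stall speed at 1g from the equilibrium lift = weight at Czmax (the thrust and
    balance corrections of the real computation are omitted)."""
    v_ms = math.sqrt(2.0 * weight_kg * G / (RHO_SL * S_REF_M2 * AERO[cfg]["cz_max"]))
    return v_ms / KT


def weight_from_vs1g(vs1g_kt_value: float, cfg: str) -> float:
    """Inverse relation used to re-derive the weight from Vs1g."""
    v_ms = vs1g_kt_value * KT
    return RHO_SL * S_REF_M2 * AERO[cfg]["cz_max"] * v_ms ** 2 / (2.0 * G)


def speed_at_alpha(weight_kg: float, cfg: str, alpha_deg: float) -> float:
    """Level-flight speed at an incidence above zero lift: V = Vs1g * sqrt(Czmax / Cz(alpha))."""
    return vs1g_kt(weight_kg, cfg) * math.sqrt(AERO[cfg]["cz_max"] / cz(alpha_deg, cfg))


def speed_scale(weight_kg: float, cfg: str) -> dict:
    """Speeds the FAC would send to the PFD speed scale for the current weight."""
    a_stall = AERO[cfg]["alpha_stall"]
    return {
        "VS1G": vs1g_kt(weight_kg, cfg),
        "V_ALPHA_MAX": speed_at_alpha(weight_kg, cfg, ALPHA_MAX_MARGIN * a_stall),
        "V_ALPHA_PROT": speed_at_alpha(weight_kg, cfg, ALPHA_PROT_MARGIN * a_stall),
    }


def pfd_band(cas_kt: float, scale: dict) -> str:
    """Band of the speed scale the current CAS falls in."""
    if cas_kt < scale["V_ALPHA_MAX"]:
        return "RED"            # below V alpha max: the flight computers refuse to fly here
    if cas_kt < scale["V_ALPHA_PROT"]:
        return "AMBER/BLACK"    # alpha protection range, alpha max not reached yet
    return "NORMAL"


def alpha_floor_request(alpha_deg: float, cfg: str, failed_adirs: int) -> bool:
    """TOGA request to the auto-thrust when the incidence exceeds the configuration-
    dependent threshold; not available after a double ADIRS failure."""
    if failed_adirs >= 2:
        return False
    return alpha_deg > ALPHA_FLOOR_MARGIN * AERO[cfg]["alpha_stall"]


class WeightTracker:
    """Slowly varying weight estimate: re-derived from the equilibrium (lift = weight
    at the measured incidence and speed), frozen during configuration transients or
    outside the computation range, and realigned with the fuel used meanwhile."""

    def __init__(self, fms_weight_kg: float):   # initial weight and CG come from the FMS
        self.weight_kg = fms_weight_kg

    def update(self, cas_kt: float, alpha_deg: float, cfg: str,
               transient: bool, fuel_used_kg: float) -> float:
        a = AERO[cfg]
        in_range = a["alpha_0"] + 2.0 < alpha_deg < a["alpha_stall"]   # assumed window
        if transient or not in_range:
            self.weight_kg -= fuel_used_kg      # frozen, corrected by the fuel-used term
        else:
            v_ms = cas_kt * KT
            self.weight_kg = 0.5 * RHO_SL * v_ms ** 2 * S_REF_M2 * cz(alpha_deg, cfg) / G
        return self.weight_kg


if __name__ == "__main__":
    scale = speed_scale(60000.0, "CLEAN")          # constructed 60 t clean aircraft
    print({k: round(v, 1) for k, v in scale.items()})
    for cas in (140.0, 155.0, 200.0):
        print(cas, "kt ->", pfd_band(cas, scale))
```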
Figure 31: Different aircraft behaviour in climb depending on the flight control law. On the left, a protected aircraft with “Alpha Prot” engaged, which allows having the maximum climb angle without overshoot in flight. The non-protected aircraft flies with many deviations with respect to the ideal trajectory: the
aircraft in this flight law reaches alpha max and then releases the pitch-up to reduce lift. The trajectory is clearly rougher.
In normal conditions, without any issue or failure, an Airbus flies in “Normal Law”. All the
protections are available, including alpha protection, and in pitch the pilots do not control the elevator
directly; instead, a certain G-load, or nose up/down acceleration, is ordered to the aircraft. When the stick is
pulled back, the flight computers do not ask directly for a deflection of the elevator, as on a conventional
airplane, but order a load factor to climb. The load factor obviously depends on the deflection rate and
deflection angle of the sidestick. Releasing the stick back to neutral results in a neutral 1 G load factor
demand, and the airplane keeps climbing. Therefore there is no need to trim, Figure 32.
Figure 32: Aircraft climb in normal law. Even in the climb phase the sidestick is in the zero position. To end the climb, a gentle pitch-down must be applied by the pilot on the sidestick.
This way of flying makes it intuitive but also uniform among the many Airbus types. Flying an
A350 in pitch feels the same to a pilot as flying an A330 or A320, thanks to this normal law of the fly-by-
wire. That helps Airbus with common type ratings for pilots, which in turn can save costs for airlines in
training and gives flexibility to deploy their pilots. The design part, the flight control and the system design are
common across the entire fleet; the only thing that changes is the flight laws.
When the plane flies slower and slower and, because of an issue in the flight control systems, reaches the top of the amber/black bar next to the speed scale (reaching alpha protection), the handling becomes different. The top of the amber/black bar represents the angle of attack corresponding to alpha protection, where the flight control law changes. Flying slower will no longer result in a G-load demand in pitch, but will directly request an angle of attack from the airplane.
When the angle of attack becomes larger than alpha protection, the elevator control starts flying in a protection mode. Over the range of the amber/black band, instead of flying a G-load, the aircraft directly flies an angle of attack. The auto-trim stops working and pilots will notice the change in handling qualities.
When the stick is pulled gently and the aircraft slows down gradually into this protection range,
releasing the stick will result in the airplane automatically recovering to the alpha protection speed at the
top of the amber/black band. That speed corresponds to an angle of attack with still a safe margin to a stall.
The airplane restores itself to alpha protection if the pilot is not paying attention.
If the pilot keeps pulling, though, instead of releasing the stick, he will be able to pull only up to alpha max, not further. That corresponds to the speed at the top of the red band. At this point, another protection becomes active, involving the auto-thrust, if the aircraft is flying in normal law: the alpha floor protection. In case of low speed, the auto-thrust automatically comes on with full thrust to recover from the precarious condition [10].
There is another amber line next to the speed scale. Its top represents VLS, the lowest selectable speed with the auto-thrust engaged, which is an additional protection. Pilots flying at a speed below this VLS for some reason are generally invited to the office to explain the issue.
4.2 Stall pilot reaction – handling qualities
As said in the previous paragraph, for a given configuration and at a given Mach number, a wing stalls at a given Angle of Attack (AOA), called AOA Stall, Figure 33. When the Mach number increases, the value of the AOA Stall decreases.
When approaching the AOA Stall, the wing generates a certain level of buffeting, which tends to increase at high Mach number. When the AOA increases and approaches the AOA Stall, in certain cases a pitch-up phenomenon occurs as a result of a change in the lift distribution along the wingspan. The effect of the pitch-up is a tendency of the aircraft to increase its angle of attack by itself, without further inputs on the elevators. Generally, for a given wing, this phenomenon occurs at a lower angle of attack when the Mach number is higher. The only means to counter the pitch-up is to apply a nose-down elevator input. When the aerodynamic flow on the wing is stalled, the only possible means to recover a normal flow regime is to decrease the AOA to a value lower than the AOA Stall. Stall is an AOA problem only; it is not directly a speed issue.
Figure 33: Mach effect on the aerodynamic polar: at higher Mach number the curves shift left and downward, so the higher the Mach number, the lower alpha max. At high Mach the compressibility of the air manifests itself notably in the appearance of buffet at high angle of attack, whose amplitude can then grow until it becomes dissuasive (deterrent buffet). Buffet onset is defined as an oscillatory vertical acceleration whose amplitude reaches 0.2 g peak to peak at the pilot's seat. The notion of deterrent buffet is subjective; it is neither known nor shared by the airline pilot community [11].
In normal law, the Electronic Flight Control System (EFCS) considers the actual AOA and limits it to a value AOA MAX (lower than AOA Stall). The EFCS adjusts the AOA MAX limitation to account for the reduction of the AOA Stall with increasing Mach number. Equally, for a given Mach number and a given AOA, the EFCS considers the natural pitch-up effect of the wing at that Mach number and AOA, and applies to the elevators the appropriate longitudinal pre-command to counter it.
On fly-by-wire aircraft, following certain malfunctions in case of sensor or computer failure, the flight controls cannot ensure the protections against the stall. Depending on the nature of the failure, they revert to alternate law or direct law. In both cases, the pilot has to ensure the protection against the stall, based upon the aural stall warning (SW) or upon strong buffeting, which, if encountered, is an indication of an incipient stall condition. In both Alternate and Direct Law, the aural SW is set at a value called AOA Stall Warning, which is lower than AOA Stall. The triggering of the Stall Warning just means that the AOA has reached the AOA SW and therefore has to be reduced. It is absolutely essential for the pilots to know that the onset of the aural SW does not mean that the aircraft is stalling, and that just a gentle and smooth reaction on the sidestick is needed.
The value of the AOA SW depends on the Mach number. At high Mach number, the AOA SW is set at a value such that the warning occurs just before encountering the pitch-up effect and the buffeting. If the anemometric information used to set the AOA SW is erroneous, the SW will not sound at the proper AOA; in that case, the clue indicating the approach to the stall is the strong buffeting (spurious stall warning). This is the reason why the new stall warning update receives data from various sources, to avoid any spurious alarm.
Typically, in cruise at high Mach number and high altitude, at or close to the maximum recommended flight level, there is a small margin between the actual cruise AOA and the AOA Stall. Hence, in Alternate or Direct Law, the margin to the AOA SW is even smaller. Encountering turbulence induces quick variations of the AOA. Therefore, when the aircraft is flying close to the maximum recommended altitude, it is not improbable that turbulence might induce temporary peaks of AOA above the AOA SW, leading to an intermittent onset of the aural SW (spurious stall warning). Equally, in similar high flight level cruise conditions, at turbulence speed, if the pilot makes significant longitudinal inputs, the possibility of reaching the AOA SW value is not so remote. For these reasons, when in Alternate or Direct Law, it is recommended to fly at a cruise flight level lower than the maximum recommended one.
The pilots are qualified to avoid and to recover from the stall situation. The traditional approach to stall training consisted of a controlled deceleration to the Stall Warning, followed by a power recovery with minimum altitude loss. Experience shows that if the pilot is determined to maintain the altitude, this procedure may lead to the stall. A practical exercise done in flight in Direct Law on the A340-600, and well reproduced in the simulator, consists of performing a low altitude level flight deceleration at idle until the SW is triggered, and then pushing the THR levers to TOGA while continuing to pull on the stick in order to maintain the altitude. The results of such a manoeuvre are:
In clean configuration, even if the pilot reacts immediately to the SW by commanding TOGA, when the thrust reaches TOGA (20 seconds later), the aircraft stalls.
In approach configuration, if the pilot reacts immediately to the SW, the aircraft reaches α_sw − 2°.
In approach configuration, if the pilot reacts with a delay of 2 seconds to the SW, the aircraft stalls [12].
This experiment showed that increasing the thrust at the SW in order to increase the speed and hence decrease the AOA is not the proper reaction in many cases. In addition, it is to be noticed that at high altitude the effect of a thrust increase on the speed is very slow, so that the phenomenon described above for the clean configuration is exacerbated. Obviously, the procedure leads to potentially unrecoverable situations if it is applied once the aircraft has reached the aerodynamic stall. Even if the traditional procedure can work in certain conditions, if the pilot reacts immediately to the SW or is not too adamant on keeping the altitude, the major issue comes from the fact that once the SW threshold has been crossed it is difficult to know whether the aircraft is still approaching the stall or already stalled. The difference between an approach to stall and an actual stall is not easy to determine, even for specialists. Several accidents happened where the "approach to stall" procedure was applied when the aircraft was already stalled.
To react to a stall condition it is paramount to decrease the AOA; this is obtained directly by decreasing the pitch order, since the pitch control is a direct AOA command. The AOA decrease may be obtained indirectly by increasing the speed, but adding thrust to increase the speed leads to an initial adverse longitudinal effect, which tends to increase the AOA further. It is important to know that if such a thrust increase were applied when the aircraft is already stalled, the longitudinal effect would bring the aircraft further into the stall, to a possibly unrecoverable situation. Conversely, the first effect of reducing the thrust is to reduce the AOA.
Therefore, the AOA must be reduced first. If anything, release the back pressure on the stick or column and apply a nose-down pitch input until out of the stall (no longer any stall indication). In certain cases, an action in the same direction on the longitudinal trim may be needed:
First, thrust has an adverse effect on AOA for aircraft with engines below the wings.
Second, when the stall clues have disappeared, increase the speed if needed. Progressively increase the thrust with care, because of the thrust pitch effect.
In practice, in straight flight without stick input, the first reaction when the SW is triggered should be to gently push on the stick to decrease the pitch attitude by about two or three degrees in order to decrease the AOA. During manoeuvres, the reduction of the AOA is generally obtained just by releasing the back pressure on the stick; applying a progressive forward stick input ensures a quicker reduction of the AOA. If the SW situation occurs with high thrust, in addition to the stick reaction, reducing the thrust may be necessary [13].
4.3 Stall state-of-the-art
The normal law of the fly-by-wire flight control system on Airbus aircraft offers a high angle of attack protection that limits the angle of attack to a value below the stall angle of attack. In alternate law, the normal law high angle of attack protection is lost but the stall warning is still available. It consists of the aural message followed by a cricket sound and the illumination of the Master Warning light. In the state-of-the-art configuration it is triggered by the FWC when the highest of the valid angle of attack values exceeds the limit.
However, the autopilot is not yet fitted with the same protections as those available in the manual control laws; this is the purpose of the Airbus project Safety Beyond Standard, which is not yet implemented on Single Aisle aircraft, and the Enhanced Stall Warning is one of the first improvements in this direction. For instance, since the autopilot is not fitted with an AOA exceedance protection, in case of AOA exceedance the autopilot is disengaged and the AOA protections of the manual control law take over. Their objective is to protect the aircraft from stalling and to bring it back into the operational flight domain; once back in the operational flight domain, it is possible to re-engage the AP. On the A350, the autopilot is fitted with the same protections as in manual flight. Thus, in case of AOA exceedance, the AP is no longer disengaged but the AOA protection takes over, and the AOA protection is in charge of bringing the aircraft back into the operational Flight Domain. The activation of a manual protection with the autopilot still engaged is indicated on the FMA by the message "AP IN PROT". When the aircraft is back in the operational Flight Domain, the AOA protection is deactivated and the autopilot automatically takes over again (since it is still engaged) to guide the aircraft.
For the AOA monitoring, the validity of the angle of attack also depends on the airspeed. In normal operation the monitoring logic is triplex: the checked value is the voted one, i.e. the median of the three airspeeds coming from the three probes, and the same logic applies to the AOA. When one of the three AOA/speed values deviates too much from the other two, it is automatically rejected by the PRIM and the voted value then becomes the average of the two remaining values. In this case, with only two values still available, if their difference exceeds a defined threshold the PRIM rejects both AOA/airspeeds and the control law reconfigures to alternate law (footnote 14). In the legacy logic, if the CAS measurements of the three ADRs were lower than 60 kts, the angle of attack values of the same ADRs were invalid and the Stall Warning was then inoperative. This results from a logic stating that the airflow must be sufficient to ensure a valid measurement by the angle of attack sensors, especially to prevent spurious warnings. In certain deep-stall situations the speed can be below 60 kts (AF447 flight Rio de Janeiro - Paris case study) and in these circumstances the AOA would be unavailable. In the SA family aircraft the stall warning threshold is independent of Mach. On the other hand, in bigger aircraft such as the A330 the threshold depends on the Mach in such a way that it is triggered (in alternate and direct law) before the appearance of buffet.
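The triplex consolidation just described (median of three, rejection of a single deviating source, average of the two survivors, rejection of both when they disagree) combined with the legacy 60 kts NCD rule, written out as an added Python example. This is not Airbus or thesis code: the rejection thresholds, the function names and the sample readings are assumptions made for the illustration, and the deep-stall case shows how every AOA becoming NCD leaves the voter with nothing to consolidate.

```python
"""Triplex consolidation of angle-of-attack (AOA) values, as described above.

Added example, not Airbus or thesis code. The rejection thresholds, the
function names and the constructed sample readings are assumptions for the
illustration; only the 60 kt NCD limit is quoted from the text.
"""
from statistics import median
from typing import List, Optional, Tuple

NCD_CAS_KT = 60.0  # AOA is coded NCD when the same ADR's valid CAS is below 60 kt


def apply_ncd_rule(aoa: List[float], cas: List[Optional[float]]) -> List[Optional[float]]:
    """Return the AOA list with NCD (None) where the ADR's valid CAS is below 60 kt.

    An invalid CAS (None) does not trigger the rule: the text states the
    condition as "CAS valid and lower than 60 kts".
    """
    return [a if (c is None or c >= NCD_CAS_KT) else None for a, c in zip(aoa, cas)]


def vote_triplex(values: List[Optional[float]], reject_delta: float,
                 pair_delta: float) -> Tuple[Optional[float], List[int]]:
    """Consolidate up to three source values.

    Returns (voted value or None, indices of the sources rejected in this vote).
    """
    valid = [(i, v) for i, v in enumerate(values) if v is not None]
    rejected: List[int] = []

    if len(valid) == 3:
        med = median(v for _, v in valid)
        far = [i for i, v in valid if abs(v - med) > reject_delta]
        if not far:
            return med, []                       # nominal: the voted value is the median
        if len(far) == 1:
            rejected = far                       # one runaway source: reject it
            valid = [(i, v) for i, v in valid if i not in far]
        else:
            # both outer values are far from the median: no culprit can be
            # isolated (assumption: treat the whole triplex as unusable)
            return None, [i for i, _ in valid]

    if len(valid) == 2:
        (i1, v1), (i2, v2) = valid
        if abs(v1 - v2) > pair_delta:
            return None, rejected + [i1, i2]     # duplex disagreement: reject both
        return (v1 + v2) / 2.0, rejected         # voted value is the average

    if len(valid) == 1:
        return valid[0][1], rejected
    return None, rejected                        # nothing left to vote on


def consolidate_aoa(aoa: List[float], cas: List[Optional[float]],
                    reject_delta: float = 2.0, pair_delta: float = 2.0
                    ) -> Tuple[Optional[float], List[int]]:
    """NCD characterisation followed by the triplex vote."""
    return vote_triplex(apply_ncd_rule(aoa, cas), reject_delta, pair_delta)


if __name__ == "__main__":
    # constructed readings: AOA in degrees, CAS in knots
    print(consolidate_aoa([4.0, 4.2, 4.1], [250.0, 251.0, 249.0]))   # nominal
    print(consolidate_aoa([4.0, 4.2, 15.0], [250.0, 251.0, 249.0]))  # one runaway AOA
    print(consolidate_aoa([4.0, 4.2, 4.1], [55.0, 58.0, 52.0]))      # all CAS below 60 kt
```

The last call is the deep-stall case of the text: the sensors may be reading a consistent, very high angle of attack, but because every CAS is valid and below 60 kts all three AOA values are coded NCD and no consolidated value exists, so a stall warning built on this output is inoperative exactly when it is most needed.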
4.3.1 Threshold determination
In the legacy version of the stall warning system on the Long Range aircraft, in alternate law and in clean configuration, the AOA threshold that triggers the stall warning is a function of the Mach number. Schematically, the threshold is constant below a Mach of the order of 0.3, then reduces quasi-linearly up to Mach 0.75, after which it falls more rapidly as the Mach increases up to Mach 0.82, where it becomes constant. According to some tests, the decrease in indicated speed for an increase of 1° in the angle of attack is about 25 kts in cruise and 5 kts in take-off and in the approach phase, considering that a reduction of speed corresponds to an increase in the angle of attack (at constant load factor and in a calm atmosphere).
In cruise at Mach 0.8 the margin between the flight angle of attack and the stall warning angle of attack is of the order of 1.5 degrees, but the stall warning speed displayed on the airspeed bar (in alternate and direct law) is about 40 kts below the current speed.
Footnote 14: In normal law the aircraft is fully protected in the entire flight envelope in terms of bank and pitch angles, of load factor, at high speed and at high angle of attack. When the protections are not triggered, the longitudinal orders from the sidestick command a load factor along the aircraft's normal axis and the lateral orders command a roll rate. The alternate law comprises two levels:
Alternate 1, where the commands are the same as in normal law but with fewer protections;
Alternate 2, where the pilots command the ailerons and lift dumpers directly. In direct law, the protections are lost and the orders from the sidestick control the position of the control surfaces directly.
In the Legacy logic on the Single Aisle family, the FWS (the flight warning system just before the introduction of the Enhanced Stall Warning) is responsible for computing the stall warning. In this logic the FWS computed only the Stall Warning using its own monitoring. That monitoring relied only on the SSM of the inputs, with no comparison between sources available, which means that a runaway alpha cannot be detected. In the Legacy logic, the computation of the stall warning relies on one AOA value, and the first angle of attack exceeding the threshold sends the alarm, Figure 34. Two computation laws can be distinguished:
In normal law: the Stall Warning depends essentially on the Slat/Flap configuration. The threshold for the stall detection is fixed for:
o A318/A319/A320
   Clean configuration: 13.5°
   Slats extended: 22°
o A321
   Clean configuration: 13.5°
   Slats extended: 21°
In alternate and degraded law, the alpha thresholds are not constant but driven by a table depending on the aircraft configuration and the altitude, provided by the Handling Quality team, which has to be interpolated by the FWC computation.
As soon as at least one AOA value exceeds the threshold, the legacy stall warning triggers the alarm.
Figure 34: Audio SW sources contribution in Legacy logic
The Legacy computation also considers the NCD AOA characterisation: the AOA is coded Not Computed Data when the CAS decreases below 60 kts. This condition occurs when the computed airspeed (CAS) is valid and lower than 60 kts. This on-ground condition could be erroneously triggered in flight in the following operational circumstances:
Undetected erroneous computation of the Pitot probe.
Pitot probe out of the airflow.
Pitot probe obstructed by ice or any foreign material.
Deep stall situation.
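The legacy Single Aisle trigger described in this subsection, as an added Python example (not Airbus or thesis code): the normal-law thresholds are the figures quoted above, the alternate-law table with its altitude breakpoints is a constructed placeholder standing in for the Handling Quality table (which is not given on the page), and the sample readings are constructed. The example makes two properties of the legacy logic visible: the alarm is raised by the first AOA exceeding the threshold with no cross-comparison, so a single runaway sensor is enough, and when every CAS is valid and below 60 kts the warning is simply inoperative.

```python
"""Legacy Single Aisle stall-warning trigger, as described in section 4.3.1.

Added example, not Airbus or thesis code. Normal-law thresholds are the
figures quoted in the text; the alternate-law table and its breakpoints are
constructed placeholders, as are the sample readings.
"""
from bisect import bisect_right
from typing import Dict, List, Optional, Tuple

# A318/A319/A320 share one set of fixed normal-law thresholds, A321 has its own
_FAMILY = {"A318": "A320", "A319": "A320", "A320": "A320", "A321": "A321"}
NORMAL_LAW_THRESHOLD_DEG: Dict[Tuple[str, str], float] = {
    ("A320", "clean"): 13.5, ("A320", "slats"): 22.0,
    ("A321", "clean"): 13.5, ("A321", "slats"): 21.0,
}

# Constructed placeholder for the HQ table: (altitude ft, threshold deg)
ALT_LAW_TABLE_DEG: Dict[str, List[Tuple[float, float]]] = {
    "clean": [(0.0, 13.0), (20000.0, 11.0), (39000.0, 8.5)],
    "slats": [(0.0, 21.0), (20000.0, 19.0)],
}

NCD_CAS_KT = 60.0  # AOA coded NCD when the ADR's valid CAS is below this


def interpolate_table(table: List[Tuple[float, float]], altitude_ft: float) -> float:
    """Piecewise-linear interpolation of a (breakpoint, value) table, clamped at its ends."""
    alts = [a for a, _ in table]
    if altitude_ft <= alts[0]:
        return table[0][1]
    if altitude_ft >= alts[-1]:
        return table[-1][1]
    k = bisect_right(alts, altitude_ft)
    (a0, t0), (a1, t1) = table[k - 1], table[k]
    return t0 + (t1 - t0) * (altitude_ft - a0) / (a1 - a0)


def stall_threshold_deg(law: str, aircraft: str, config: str, altitude_ft: float) -> float:
    """Alpha threshold: fixed per type and configuration in normal law, tabulated otherwise."""
    if law == "normal":
        return NORMAL_LAW_THRESHOLD_DEG[(_FAMILY[aircraft], config)]
    return interpolate_table(ALT_LAW_TABLE_DEG[config], altitude_ft)


def legacy_stall_warning(aoa: List[float], cas: List[Optional[float]],
                         threshold_deg: float) -> Tuple[bool, bool]:
    """Legacy rule: the first non-NCD AOA exceeding the threshold sounds the alarm.

    Returns (warning_active, warning_inoperative). No comparison between the
    three AOA values is made, so a single runaway sensor is enough to trigger.
    """
    usable = [a for a, c in zip(aoa, cas) if c is None or c >= NCD_CAS_KT]
    if not usable:
        return False, True          # every AOA is NCD: the warning is inoperative
    return any(a > threshold_deg for a in usable), False


if __name__ == "__main__":
    thr = stall_threshold_deg("normal", "A320", "clean", 30000.0)
    print(thr, legacy_stall_warning([4.0, 4.5, 14.2], [230.0] * 3, thr))   # runaway AOA 3
    print(legacy_stall_warning([30.0, 31.0, 29.0], [50.0, 45.0, 52.0], thr))  # deep stall, all NCD
```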
4.3.2 To increase autopilot availability – EAPA Enhanced Auto Pilot Availability
With the introduction of the manual protections in the autopilot, the autopilot domain benefits from all the flight domain protections available in manual flight. Consequently, the autopilot does not need to disengage in case of a flight domain excursion: it can remain engaged as long as the manual protections are available. Therefore, the limits of the autopilot flight domain (in terms of pitch, AOA and bank angle, described in the following) are extended up to the Abnormal Flight Domain. This automatically leads to the extension of the autopilot flight domain and to an increase in AP availability, Figure 35.
Figure 35: Flight envelope to be extended in order to allow the autopilot to manage also the alternate law due to system reconfiguration and function backup. When the aircraft is in the normal flight envelope in normal law and the pilot releases the sidestick/pedals, the aircraft keeps its attitude. In alternate law, when the aircraft exceeds the normal flight envelope and the pilot releases the controls, the aircraft brings itself back autonomously to the limit of the flight envelope.
Airbus aircraft have five protections in normal law (at the state of the art) to ensure flight safety and to keep the aircraft within the flight envelope:
Load Factor Limitation prevents the pilot from overstressing the aircraft even if full sidestick deflections are applied. This protection automatically limits the control input so that the aircraft remains within the AOM (Aircraft Operating Manual) "G" limitation.
High Angle of Attack Protection, which protects against stalling and the effects of wind-shear, has priority over all other protection functions. The protection engages when the angle of attack is between α_prot and α_max. It limits the angle of attack commanded by the pilot's sidestick to α_max even if full sidestick deflection is applied. If the autopilot is engaged, it is automatically disengaged when High Angle of Attack Protection activates. Alpha Floor (automatic application of TOGA thrust) may be activated by the auto-thrust system if its engagement parameters are met.
High Speed Protection engages to recover automatically from a high-speed upset. There are two speed limitations for high-altitude aircraft, VMO (Velocity Maximum Operational) and MMO (Mach Maximum Operational). The two speeds coincide at approximately 31,000 feet: below that altitude over-speed is determined by VMO, above it by MMO. Activation of High Speed Protection reduces the positive spiral static stability of the aircraft from its normal 33° to 0°, which means that if the pilot releases the sidestick the aircraft rolls to a wings-level attitude (normally, when the aircraft flies within its flight envelope and the pilot releases the sidestick, the aircraft keeps its attitude, but only if its bank angle is below 33°; in high speed protection, when the pilot releases the sidestick the aircraft restores its dynamic stability by bringing the bank angle to 0°). It also reduces the sidestick nose-down authority and applies a permanent nose-up order to help reduce speed and recover normal flight. Activation of High Speed Protection results in an automatic, reversible autopilot disengagement. Once the speed has decreased below VMO/MMO, Normal Law is restored and the autopilot can be re-engaged.
Attitude Protection limits the maximum bank angle of the aircraft. Within the normal flight envelope, if the sidestick is released when the bank angle is above 33°, the bank angle is automatically reduced to 33°. With full sidestick deflection, the maximum achievable bank angle is 67°. If either Angle of Attack or High Speed Protection is active, full sidestick deflection results in a maximum bank angle of 45°. With High Speed Protection active, releasing the sidestick causes the aircraft to return to a wings-level (0° bank) attitude. Pitch Attitude Protection also limits the aircraft attitude to a maximum of 30° nose up or 15° nose down.
Low Energy Protection is available when the aircraft is between 100 ft and 2000 ft with flaps set at configuration 2 or greater. The low energy warning is computed by the PRIMs from the configuration, the airspeed deceleration rate and the flight path angle. The aural warning "Speed Speed" indicates to the pilot that the aircraft energy is decreasing and that thrust must be added to recover a positive flight path angle. Alpha Floor protection is available and engages if the pilot actions are inappropriate or insufficient [14].
4.4 Air France AF 447 flight Rio de Janeiro – Paris
Flight AF 447, operated with an Airbus A330-203, took off from Rio de Janeiro bound for Paris Charles de Gaulle on 31st May 2009. Three and a half hours after take-off, the aeroplane was flying in the oceanic region; HF communication was achieved, but attempts to establish an ADS-C connection failed. The aircraft entered a slightly turbulent zone and could not climb to flight level FL 370 because of the weather conditions. The pilot left the cockpit and, as the turbulence increased, the co-pilots changed route (given the length of the planned flight, and in compliance with the Air France operations manual and the regulations in force, the flight crew was augmented by a co-pilot). The crew decided to reduce the speed to about Mach 0.8, and engine de-icing was turned on.
Two minutes later, likely following the obstruction of the Pitot probes by ice crystals, the speed indications became incorrect and some automatic systems disconnected (autopilot and auto-thrust included). The co-pilots had control of the aircraft; it began to roll to the right and the PF made a nose-up and left input. The stall warning triggered briefly twice in a row. The calibrated airspeed displayed on the Primary Flight Display and recorded showed a sharp drop from 275 kts to 60 kts; a few moments later the speed was displayed on the Integrated Standby Instrument System (ISIS). The flight control law reconfigured from normal to alternate and the Flight Director, although not disconnected by the crew, made its crossbars disappear. The PF made rapid, high-amplitude roll control inputs, from stop to stop, and also made a nose-up input that increased the aircraft's pitch attitude to 11° in ten seconds. The PNF read the ECAM messages in a disordered manner (auto-thrust loss and alternate law activation). The aircraft attitude was recovered through nose-down inputs and thrust lever application; the airspeeds also became valid again after 29 seconds of invalidity.
Some seconds later, the stall warning triggered again; the PF gave a TOGA order and a nose-up input, and the trimmable horizontal stabilizer moved nose-up from 3° to 13°, remaining in the latter position until the end of the flight. The aeroplane was climbing with an attitude of 16° and reached its maximum altitude of 38 000 ft.
During the following seconds, all the recorded speeds became invalid and the stall warning stopped, after having sounded continuously for 54 seconds. The altitude was then about 35,000 ft, the angle of attack exceeded 40 degrees and the vertical speed was about -10,000 ft/min. The aeroplane's pitch attitude did not exceed 15 degrees and the engines' N1 was close to 100%. The aeroplane was subject to roll oscillations to the right that sometimes reached 40 degrees. The PF made an input on the sidestick to the left stop and nose-up, which lasted about 30 seconds. Around fifteen seconds later, the PF made pitch-down inputs. In the following moments, the angle of attack decreased, the speeds became valid again and the stall warning triggered again.
The recordings stopped at 2 h 14 min 28. The last recorded values were a vertical speed of -10,912 ft/min (more than 55 m/s), a ground speed of 107 kts, a pitch attitude of 16.2 degrees nose-up, a roll angle of 5.3 degrees left and a magnetic heading of 270 degrees.
No emergency message was transmitted by the crew, as they did not have the time to send one. Four minutes after the autopilot disengagement the aircraft crashed into the ocean.
In terms of the Reason's model, the accident resulted from the following succession of events:
Temporary inconsistency between the measured airspeeds, likely following the obstruction of the Pitot probes by ice crystals, which led to autopilot disconnection and a reconfiguration to alternate law.
Inappropriate human control inputs that destabilised the flight path.
The crew not making the connection between the loss of indicated airspeeds and the appropriate procedure.
The PNF's late identification of the deviation in the flight path and insufficient correction by the PF.
The crew not identifying the approach to stall, the lack of an immediate reaction on its part and the exit from the flight envelope.
The crew's failure to diagnose the stall situation and, consequently, the lack of any actions that would have made recovery possible.
The BEA (footnote 15) addressed 41 Safety Recommendations to the DGAC (Direction générale de l'aviation civile), EASA, the FAA, ICAO and the Brazilian and Senegalese authorities (responsible for the airspace where the accident took place), related to flight recorders, certification, training and recurrent training of pilots, relief of the Captain, SAR and ATC, flight simulators, cockpit ergonomics, operational feedback and oversight of operators by the national oversight authority. Among these recommendations, Enhanced Auto Pilot Availability, Unreliable Airspeed Mitigation Mean and Enhanced Stall Warning were developed by Airbus to improve the flight safety of the Airbus fleet and to meet the BEA requirements.
According to the analysis of the FDR parameters, a speed drop was recorded on ADR 2 and ADR 1, which caused the Auto Pilot disengagement and the immediate passage to Alternate Law after the Pitot probe malfunction was triggered. Thereafter, ADR 3 also measured a speed drop, which triggered the Auto-thrust disengagement and the Flight Directors disconnection. A few minutes later the second Flight Director was lost, and thus ADR 1 and ADR 2 were rejected by the FMGC, so only the first Flight Director was shown in the PFR 1.
From the moment the aircraft switched to Alternate Law, the Stall Warning alarm was repeatedly triggered and deactivated until the end of the flight, see Figure 36. Only one Mach value was recorded, but the Stall Warning threshold depended on the three Mach numbers.
Figure 36: Telemetry of the flight AF 447 as Mach number, angle of incidence and Stall Warning alarm in the cockpit over the time
Footnote 15: In accordance with Annex 13 to the Convention on International Civil Aviation and with the French Civil Aviation Code (Book VII), the BEA, as Investigation Authority of the State of Registry of the aeroplane, instituted a safety investigation and a team was formed to conduct it.
In the last graph of Figure 36, the Stall Warning alarm shows that the first signal was so short that the pilots could not perceive it, but the "Master Warning" parameter in FWC 1 triggered at that moment. This short alarm could have been affected by the fact that the three Mach numbers were abnormally low because the Pitot probes were frozen. Furthermore, the activation threshold increases to more than 8°, so the Stall Warning alarm stops because this value is higher than the recorded angle of incidence.
4.5 Frozen probes
The ADR aircraft speed is deduced from the measurement of two pressures and of the total air temperature (TAT):
Total pressure (Pt), by means of the Pitot probe.
Static pressure (Ps), by means of a static pressure sensor. Because of the position of the static pressure sensors, the measured static pressure overestimates the real static pressure. The measured static pressure must therefore be corrected for this error before being used to calculate other parameters. The value of the correction depends on the Mach and takes into account the position of the sensors on the fuselage; thus, the correction performed by ADR 3 is different from that performed by ADR 1 and ADR 2. In fact, the "Standby" probes linked to ADR 3 are the only ones whose information is corrected for the sideslip (footnote 16), while all the probes ("Captain", connected to ADR 1, "First Officer", which supplies ADR 2, and ADR 3) are corrected with the CG transportation, so as to avoid taking wind-shear into account, Figure 37 and Figure 38.
Figure 37: Architecture of the interface between the ADRs and the on-board computers. The first probe is connected to the Captain side, the second probe is linked to the First Officer side and the third one is a backup of both lines. Normally, the third probe is used if it is selected manually by the crew through the rotary switch on the overhead panel, or it is automatically designated in case the first probe fails.
Footnote 16: On the A340-300 and A330-300 the correction of the static pressure measurement is negligible in cruise because of the position of the static pressure probes and the Mach, but this does not apply to the SA family and other aircraft.
Airbus aircraft have three Pitot probes and six static pressure sensors. These probes are fitted with drains allowing water to be evacuated and with an electric heating system designed to prevent ice formation.
Figure 38: Position of the Pitot probes on the Airbus A330. Because of the position of the third probe, the measured values must be corrected by the sideslip angle.
The pneumatic measurements are converted into electrical signals by the ADM (Air Data Module) and delivered to the computers to perform the calculations. Knowing the total and the static pressure makes it possible to calculate a Mach value, which in turn gives access to the correction of the static pressure.
$$\frac{p_o}{p} = \left(1 + \frac{\gamma-1}{2} M^2\right)^{\frac{\gamma}{\gamma-1}} \;\Rightarrow\; M = \sqrt{\frac{2}{\gamma-1}\left[\left(\frac{p_o}{p}\right)^{\frac{\gamma-1}{\gamma}} - 1\right]}$$
Subsequently, with the Mach value known, the TAT measurement makes it possible to determine the static air temperature (SAT), which together with the computed Mach is used to calculate the CAS and the standard altitude:
$$\frac{T_o}{T} = 1 + \frac{\gamma - 1}{2} M^2 \;\Rightarrow\; T = \frac{T_o}{1 + \frac{\gamma - 1}{2} M^2}$$

$$CAS = \sqrt{\gamma R T} \cdot M = \sqrt{\frac{\gamma R T_o}{1 + \frac{\gamma - 1}{2} M^2}} \cdot \sqrt{\frac{2}{\gamma - 1}\left[\left(\frac{p_o}{p}\right)^{\frac{\gamma - 1}{\gamma}} - 1\right]}$$
Only at this point is it possible to calculate the true air speed (TAS¹⁷).
$$EAS = c_o \, M \sqrt{\frac{p_o}{p}}, \qquad TAS = EAS \sqrt{\frac{\rho_0}{\rho}}$$
The calibrated speed (CAS) and the Mach number are the main items of speed information used by the pilot and by the Auto Flight System (under the MACH and SPD functions) to control the aircraft. These parameters are elaborated by three computers, called ADIRU, each consisting of:
- An ADR module, which calculates the aerodynamic parameters, specifically the CAS and the Mach number.
- An IRS module, which provides the parameters delivered by the inertial units; it uses the true air speed to calculate the wind speed from the ground speed and attitudes. It also uses the derivative of the standard altitude value, which it combines with the integration of the measured acceleration to calculate the vertical speed (called baro-inertial Vzbi in Figure 39), displayed on the PFD in nominal flights.
Figure 39: Flight parameters elaboration path by the ADIRS computers.
17. At higher altitudes CAS can be corrected for compressibility error to give equivalent airspeed (EAS). In practice, compressibility error is negligible below about 3,000 m (10,000 ft) and 370 km/h (200 kts).
At certain altitudes, depending on the flight conditions (temperature and Mach), when the amount of ice crystals exceeds the de-icing capacity, this accumulation can affect the use of the total pressure probes. This results in a temporary and reversible deterioration of the total pressure measurement. Experience and follow-up of these phenomena in very severe conditions showed that this function loss is of limited duration, in general around 1 or 2 minutes.
In case of a drop in the measurement of the total pressure, the first consequence is a corresponding drop in Mach and in CAS. The drop in Mach leads in its turn to a fall in standard altitude, due to the correction of the measured static pressure. This loss has different impacts according to the ADR under investigation: in the flight conditions of the event, it is of the order of 300 to 350 ft for ADR 1 or 2 but only of 80 ft for ADR 3. As a consequence, this drop in indicated standard altitude is also reflected in a transient variation of Vzbi. Just as the drop in standard altitude is lower for ADR 3 than for the other two probes, the Vzbi reduction is lower for ADR 3 than for ADR 1 or 2, as shown in the graph in Figure 40.
Figure 40: Drop in the static pressure and vertical speed measurements as a consequence of the fall in the total pressure measurement
As a second consequence of the decrease in the measured Mach value, the SAT is affected, and thus the true air speed and the wind speed, as illustrated in Table 1:
Table 1: The consequences of Pitot icing resulting in a drop in Mach from 0.8 to 0.3, and all the consequences on the air data parameters. This table takes data from a simulation of an A330-200 flying at FL350 at Mach 0.8 in standard atmosphere with a 30 kts head wind.
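The air data chain described above (pressures to Mach, Mach and TAT to SAT, then the speeds) and the Pitot icing cascade of Table 1, as an added worked example that is not part of the thesis. It assumes a perfect gas (γ = 1.4, R = 287.05 J/(kg K)), an ISA atmosphere, a healthy TAT probe and an IRS ground speed, and a constructed fault in which the blocked probe under-reads the total pressure so that the decoded Mach is 0.3 instead of 0.8; the Airbus Mach-dependent static pressure correction is proprietary and not modelled, so the standard altitude drop is not reproduced.

```python
"""Air-data chain of an ADR and the Pitot-icing cascade (added illustration, not Airbus code)."""
import math

GAMMA = 1.4                                   # ratio of specific heats (assumed perfect gas)
R_AIR = 287.05                                # J/(kg K)
T0_ISA = 288.15                               # K, ISA sea level
P0_ISA = 101325.0                             # Pa, ISA sea level
RHO0_ISA = P0_ISA / (R_AIR * T0_ISA)          # kg/m^3, rho_0 in the text
LAPSE = 0.0065                                # K/m, ISA troposphere lapse rate
KT_PER_MPS = 3600.0 / 1852.0                  # m/s -> kt


def isa_static(altitude_ft):
    """ISA static temperature [K] and static pressure [Pa] below the tropopause."""
    h_m = altitude_ft * 0.3048
    t = T0_ISA - LAPSE * h_m
    p = P0_ISA * (t / T0_ISA) ** (9.80665 / (R_AIR * LAPSE))
    return t, p


def total_pressure(p_static, mach):
    """Isentropic relation p_o/p = (1 + (g-1)/2 M^2)^(g/(g-1)): what a healthy Pitot measures."""
    return p_static * (1.0 + (GAMMA - 1.0) / 2.0 * mach ** 2) ** (GAMMA / (GAMMA - 1.0))


def mach_from_pressures(p_total, p_static):
    """Inverse of total_pressure(): the ADR's first step, Mach from p_o and p."""
    ratio = (p_total / p_static) ** ((GAMMA - 1.0) / GAMMA)
    return math.sqrt(2.0 / (GAMMA - 1.0) * (ratio - 1.0))


def sat_from_tat(tat, mach):
    """Static air temperature from the TAT probe: T = T_o / (1 + (g-1)/2 M^2)."""
    return tat / (1.0 + (GAMMA - 1.0) / 2.0 * mach ** 2)


def tas_from_mach(mach, sat):
    """True airspeed [m/s] = a * M with a = sqrt(gamma R T)."""
    return mach * math.sqrt(GAMMA * R_AIR * sat)


def eas_from_tas(tas, p_static, sat):
    """Equivalent airspeed [m/s], inverting the text's TAS = EAS * sqrt(rho_0 / rho)."""
    rho = p_static / (R_AIR * sat)
    return tas * math.sqrt(rho / RHO0_ISA)


def simulate_pitot_icing(altitude_ft=35000.0, true_mach=0.8, iced_mach=0.3, headwind_kt=30.0):
    """Cascade of Table 1: an iced Pitot under-reads p_o, so Mach drops; SAT, still derived
    from a healthy TAT with the wrong Mach, is over-estimated; TAS and the wind follow.
    The IRS ground speed is unaffected because it does not come from the Pitot."""
    sat_true, p_static = isa_static(altitude_ft)
    tat = sat_true * (1.0 + (GAMMA - 1.0) / 2.0 * true_mach ** 2)   # healthy TAT probe
    p_total_true = total_pressure(p_static, true_mach)
    # Constructed fault: the blocked probe only delivers the total pressure that
    # corresponds to iced_mach (the text's 0.8 -> 0.3 case).
    p_total_iced = total_pressure(p_static, iced_mach)

    tas_true = tas_from_mach(true_mach, sat_true)
    ground_speed = tas_true - headwind_kt / KT_PER_MPS                # m/s, from the IRS

    mach_meas = mach_from_pressures(p_total_iced, p_static)
    sat_meas = sat_from_tat(tat, mach_meas)                           # wrong Mach -> wrong SAT
    tas_meas = tas_from_mach(mach_meas, sat_meas)

    return {
        "p_total_ratio": p_total_iced / p_total_true,
        "mach_true": mach_from_pressures(p_total_true, p_static),
        "mach_measured": mach_meas,
        "sat_true_K": sat_true,
        "sat_measured_K": sat_meas,
        "tas_true_kt": tas_true * KT_PER_MPS,
        "eas_true_kt": eas_from_tas(tas_true, p_static, sat_true) * KT_PER_MPS,
        "tas_measured_kt": tas_meas * KT_PER_MPS,
        "headwind_true_kt": (tas_true - ground_speed) * KT_PER_MPS,
        "headwind_measured_kt": (tas_meas - ground_speed) * KT_PER_MPS,  # negative = tail wind
    }


if __name__ == "__main__":
    for key, value in simulate_pitot_icing().items():
        print(f"{key:>22}: {value:10.3f}")
```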
The internal monitoring that checks the frozen probe status works by comparing the current value read from the probe with the value of the previous loop: if the value is unchanged over successive loops, the probe is labelled as frozen and is no longer used in the subsequent computations. The frozen monitor also considers whether there is any variation in the load factor without AOA variation; in this case too the probe is labelled as frozen. The frozen monitoring was introduced by the UAMM updates, following the AF447 accident.
4.6 Enhanced Stall Warning
Following the BEA recommendation after the A330 accident, Enhanced Stall Warning (ESW) is an Airbus safety initiative intended to answer the in-service events identified by the Airbus Safety Investigation team. It also brings additional safety compared to the current architecture by further improving the reliability and availability of the Stall Warning (the majority of the cases were related to spurious Stall Warning), even in extreme failure situations.
The first step of evolution of the Stall Warning consists of moving the legacy Stall Warning logic from the FWC to the FAC on the A320 aircraft family. In case of detected loss of both FACs, the FWC is still able to perform a backup stall warning with a new logic. In the event of a double FAC loss, the FMGC takes charge of the characteristic backup speeds.
The ESW function is activated through dedicated hardware pin programming (HPP) at FAC side; the FAC then converts this information into Software Pin Programming (SPP), which can be transferred to the EIS/HUD for the visual alert, to the FWS for the audio message and to the FMGC for autopilot disengagement. As a precaution and to avoid any regression at software side, the legacy FWC Stall Warning computation is not removed but is completely inhibited when the ESW pin programming is installed; otherwise it is used to raise the alarm when the old logic triggers, Figure 41.
The aims of the Enhanced Stall Warning function are:
- To make use of the state-of-the-art angle of attack UAMM monitoring for AOA selection and for improving function reliability.
- To provide a speed-based Stall Warning in case of total loss of AOA, ensuring a stall warning computation from reliable sources even in case of multiple failures.
- To provide a backup Stall Warning from the FWC in case of failure of the primary Stall Warning computer (FAC).
- To provide a backup for the characteristic speeds (FMGC).
The main key points of this first step of evolution are:
- Enhanced Stall Warning capacity. This capacity is computed directly in the FAC if the function can perform its task. The ESW capacity is based either on AOA or on speed. The information is then sent to the FWC to notify the system status. If the capability is sent as the Boolean false, the FWC takes over the SW backup computation.
- Stall Warning Activation Request, now computed at FAC side, considering both AOA and speed capacity (AOA has priority over the speed calculation). This is the computation that sends the alarm in case of stall. This information is sent to the FWC to trigger the aural alert, to the EIS/HUD to show the “STALL STALL” message and to the FMGC to disengage the AP when not in normal law.
- New threshold computation for both the speed-based and the AOA-based stall warning.
Figure 41: ESW from the aircraft point of view. The overall function is shown and divided for every computer.
The Enhanced Stall Warning function performs in the FAC the acquisition, the monitoring, the consistency check, the selection and finally the correction of the AOA from both ADIRU sources (ADC and IRS). Lastly, it emits the AOA status (healthy, rejected or failed) to the FWS for DFDR recording purposes. In the meanwhile the ELAC sends its AOA watchdog to the FAC to improve the AOA monitoring. In case the ELAC monitoring rejects all the AOAs, the ESW capacity based on the angles of attack is lost and the system reconfigures automatically on the speed-based ESW.
ESW performs a new computation of the thresholds (both AOA and speed thresholds) to trigger the warning when the current AOA is above, or the current speed is below, the respective threshold. After the stall warning activation request, the system sends the autopilot disconnection order to the FMGC only in alternate law.
4.6.1 Applicability
This project concerns the Single Aisle family (A318CEO, A319CEO, A320CEO, A321CEO, A319NEO,
A320NEO, and A321NEO) and SA Electrical rudder program.
According to the fault tree analysis performed at aircraft level, the loss of the Stall Warning function (SW) in degraded law with an aircraft out of the Normal flight envelope has been classified as HAZ (hazardous): the pilots would lose information about the minimum flying speed and the stall warning would be out of order, so that if the pilots lead the aircraft to the minimum of the flight envelope, they have no instrument providing them information about the stall of the aircraft. Likewise, the spurious Stall Warning and 𝑉𝛼𝑆𝑊 in degraded law with an aircraft out of the Normal flight envelope is classified HAZ. A spurious stall warning is as dangerous as a missing alarm.
Although the Enhanced Stall Warning has to improve the safety and availability of the function, the legacy function shall be maintained, but the two functions must not trigger the alarms at the same time. In other terms, only one function must be operative at a time. The ESW wiring allows the function to work: if the hardware pin programming is connected from the aircraft to the computer, the ESW is active; otherwise the legacy logic is kept and works as if the ESW were not implemented. While the aircraft is on the ground, the ESW pin programming activated at FAC side shall ensure that all the systems have an adequate configuration. The Enhanced Stall Warning is active only when all the supporting systems are in an adequate configuration.
Since the aural alarm is generated by the FWS, if triggering and computation are hosted by the FAC, any transmission delay, caused by the cycle time of the new equipment plus the communication time, must be compensated. This could be compensated by reviewing the alert thresholds (alpha and speed stall warning alert) by the handling qualities team, considering the transmission time from FAC to FWC. The direct consequence is a reduction of the flight envelope in terms of alpha. From the avionic point of view, the transmission time taken to deliver the stall warning activation request has been chosen as the fastest transmission rate available (35 ms).
4.6.2 Constraints and opportunities
In the Enhanced Stall Warning development no architectural changes are foreseen in the Auto Flight System; the hardware architecture must be preserved. Only the introduction of a new pin programming is allowed. The pin programming is effectively a hardware modification that declares the installation of a new function. When a new function is installed in the AFS (FAC, FMGC and all the other FCCs), it needs to be connected to the aircraft ground to ensure the correct supply. Inside the flight computer the pin programming is a Boolean that is set to one if the function is correctly installed. The pin programming information is shared among all the computers where the function runs.
In order to perform its tasks correctly, the Enhanced Stall Warning needs to communicate with updated computers. For this purpose the FAC must contain the UAMM update, because the Enhanced Stall Warning takes advantage of the UAMM monitoring and backups to deliver a function more robust than the state of the art. The FMGC must be equipped with the latest available software and the FWC with the same update. Concerning the ELAC, the installation of the latest software version is advisable, but it is not blocking for the ESW activation. Even if the ELAC is not equipped with the latest software version, the FAC can still compute the Stall Warning based on UAMM monitoring, but without the ELAC AOA watchdogs: for an ELAC not capable of emitting an AOA watchdog signal, the signal will be read as FALSE inside the FAC and the usage of the AOA will depend only on the FAC internal monitoring.
4.6.3 ESW operation modes
Implementing the ESW in the FAC, rather than in the FWC as in the legacy solution, reduces the common points between the loss of flight control protection and the loss of the ESW (source segregation), because before the modification the protection was computed in the ELAC. However, this embedded function carries the negative point of the delay between FAC and FWS; this delay increase could be taken into account while defining the new alpha threshold for the FAC (𝛼𝑠𝑤).
ESW has two modes of operation, Bypass mode and Backup mode (failure situation), see Figure 42.
The Bypass mode, performed when at least one FAC is in normal mode, has different logics available to compute the Stall Warning depending on the AOA or speed availability. In fact, when at least one AOA is available (either from ADC or from IRS) according to the UAMM monitoring of broken, failed and iced sensors and to the SSM treatment, which verifies the correct reception of the signal from the sending computer (ADC or IRS), the FAC performs the Stall Warning computation based on AOA. In this case the FAC allows qualification of the AOA using state-of-the-art AOA monitoring, estimation and selection methods (Voted/Average and Last value). ESW compares the reference AOA with the Stall Warning threshold (𝛼𝑆𝑊𝑡ℎ𝑟) it computes itself to produce a Stall Warning activation message. In case all the AOAs are lost, the speed-based stall warning takes charge of the function, provided at least one ADC speed is available and the characteristic speeds are valid.
The new speed threshold computation is considered in this stall warning update: the current speed is compared with the speed threshold and, if it is below the threshold, the activation request sends the Boolean set to TRUE to the FMGC for the AP disengagement, to the FWC for the aural alarm and to the EIS/HUD for the “STALL STALL” message.
In Backup mode, both FACs are out of order, the FWC takes over the backup stall warning computation and the FMGC takes charge of the backup characteristic speeds, to give the pilot a general view of the flight envelope even in case of loss of both FACs.
Figure 42: ESW operating mode and system reconfiguration upon FAC and AOA failures
4.6.4 Enhanced Stall Warning capacity
When in Bypass mode, the enhanced stall warning is able to monitor its capacity to perform the function and sends a signal to the FMGC and FWC to inform them about its status. As long as at least one AOA is available (from ADC or IRS), the ESW computes the stall warning based on AOA; when the AOAs are no longer valid, the system reconfigures itself to switch to the speed capacity. The speed capacity is set as long as at least one CAS is valid and the characteristic speeds (VLS, VMAX, 𝑉𝛼𝑆𝑊) are valid.
The speed-based stall warning is available in the degraded case, when no AOA is reliable any more. This function is selected when the FAC rejects all AOAs (neither reliable nor uncertain) from the watchdogs or from the monitoring, and at least one speed reference on the ADR is available and VLS is defined as healthy. In order to validate the CAS, the speeds are checked one by one with respect to:
- The acquisition, which could be not healthy because of an issue in the signal transmission from ADC to FAC;
- Triplex monitoring among OWN, OPP, 3;
- Duplex monitoring among OWN, OPP, 3 and backup speeds, when a speed is already rejected by the triplex;
- Ice monitoring, checking whether the CAS value has changed from the value measured in the previous loop (with a delay of 0.875 s);
- Two vs Two monitoring: the single speed value is compared with the voted speed value and with the backup speed, the voted value is also compared with the backup speed value, and if all three comparisons exceed a certain threshold the monitoring marks the speed as failed.
The last two monitorings were introduced by the UAMM update.
The availability of the characteristic speeds requires the ADC acquisitions to be healthy and no failures in the SFCC (legacy logic, before UAMM). After the UAMM implementation, the characteristic speed availability also considers the IRS acquisitions.
In case both the AOA-based and the speed-based stall warning are lost, the FAC sends the information that it is no longer capable of performing the function.
4.6.5 Angle of attack monitoring and selection
In the current SA aircraft, three independent angle of attack sensors are available and each sensor provides the AOA data to a dedicated ADR (OWN, OPP, 3) and to a dedicated IRS (OWN, OPP, 3) via corresponding links, Figure 43. The IRS refresh rate is three times slower than the ADR one. The data from ADR and IRS are processed by the FAC, which treats them through SSM and Refresh monitoring (ADR and IRS sources) and UAMM probe monitoring. The FAC performs its own SSM and Refresh monitoring on the ADR and IRS AOA links.
Figure 43: AOA ADR and AOA IRS link reception at FAC
The reference AOA is selected by the FAC monitoring (both the UAMM ones and SSM/refresh) and is used for the comparison with the alpha threshold, evidently in ESW Bypass mode, Table 3:
- If all the AOAs are available, the alpha reference is the voted value among the ADC angles of attack.
- If two ADC and three IRS AOAs are available, the function computes the reference angle as the average of the valid ADC AOAs.
- Even if only one ADC AOA is available according to the UAMM monitoring (considering the 𝜃 − 𝛾 estimator and the Nz-AOA monitoring) and three IRS are qualified, the reference angle will be the last ADC value.
- Only in case all three ADC are lost, the reference angle of attack will be computed upon the same logic as before but among the IRS sources (Voted/Average/Last value).
The monitoring performed for the purpose of the ESW takes advantage of the UAMM alpha monitoring. UAMM has required the implementation of several alpha monitorings, Table 2:
- Broken probe detection at take-off, when the values diverge by comparison with the theta Euler angle;
- Iced probe monitoring (Nz-AoA);
- Drift detection (triplex monitoring by comparison);
- Disagreement detection (duplex monitoring);
- Theta-gamma monitoring: this monitoring will trigger only in case of triple ADR CAS rejection. This means that in this situation there is no other speed source to check the consistency of the backup speed; the aircraft is flying only with backup speeds. Consequently, the UAMM backup speeds will be computed based on the AOAs not rejected by this monitoring. In this case the ESW should not use an AOA rejected from the backup speed computation;
- Nz-AOA monitoring (shall be made available when ADR CAS is available and also when all ADR CAS are rejected) shall be optimized specifically for this purpose, in that the rejection by the monitoring shall be reversed¹⁸ if:
  o The backup speed is consistent with the ADR CAS
  o The AOA is no longer blocked: 𝐴𝑜𝐴𝑚𝑎𝑥 − 𝐴𝑜𝐴𝑚𝑖𝑛 > 𝑐𝑜𝑛𝑠𝑡𝑎𝑛𝑡
  o The AOA is consistent with the Theta-Gamma estimator for a long time
  o The AOA is consistent with each still not rejected AOA for a long time.
Figure 44: UAMM alpha monitoring and alpha reference selection. In the Simulink diagram NU means Not Used for Enhanced Stall Warning purposes, while VAL means valid. In the IRS/ADC selection boxes the selection logic is implemented upon Voted/Average and Last value.
In case of failure, when AOA X is not used for the enhanced stall warning computation because of the monitoring explained above, a signal is sent from the FAC to the FWC to inform it about which angle of attack is not used for the ESW computation; in this way it is not used for the computation of 𝑉𝛼𝑆𝑊 either, to keep consistency between the function calculations, Figure 44. The ELAC with adequately updated software is able to send a signal (watchdog) to inform the FAC if all the angles of attack are unusable; in this case the AOA capacity is automatically lost and the system reconfigures to the speed-based stall warning.
18. The reversibility helps to prevent the permanent rejection of AOAs, because AOA blockages due to ice crystals are frequent but transient.
The triggered ELAC watchdog is sent to the FAC to reconfigure the system on the speed-based enhanced stall warning. The watchdog is sent when the ELAC measures a discrepancy between the aircraft attitude and the speed: this means that while the measured attitude is pitched up according to the AOAs, the recorded speed continues to increase, or vice versa. Consequently, the AOAs are measuring an incorrect attitude because of some failure. In fact, with the thrust lever set, it is impossible to have the aircraft pitch up and simultaneously the speed increase (or vice versa). In this case the ELAC watchdog is triggered and the FAC loses the AOA-based stall warning, because the AOAs are no longer reliable, Figure 45: all the AOAs are labelled as Not Used and the system reconfigures on the speed-based SW. This adjustment has been necessary to avoid the Boeing 737 Max 8 stall situation, in which the aircraft is in actual fact pitched down (in fact the speed continues increasing) but the AOAs indicate a nose up that triggers the stall warning even if it is not the real case. Therefore, the system would recover from the stall situation by reducing the AOA with a pitch down, but the nose is already down and hence the situation becomes an unrecoverable deep stall, with the consequences that Boeing experienced. Finally, the ELAC watchdog is a system to enhance the Stall Warning availability and reliability and to avoid every spurious alarm.
Figure 45: ESW alpha monitoring and ELAC watchdogs
4.6.6 Thresholds computation
When the alpha reference is computed and selected, it is used to calculate the stall warning through a comparison with the alpha stall warning threshold. The threshold computation logic varies according to the aircraft configuration and the flight control law status.
The threshold computations are reviewed in order to consider the UAMM backups and improvements. A clarification is necessary about the threshold computation, which is performed both in normal law and in alternate law. As a matter of fact, even if the Stall Warning alarm is emitted only in alternate law, because otherwise the protections would prevent the aircraft from stalling, the AOA threshold is additionally computed in Normal Law. In this case the information sent to the FMGC will not have the aim of disconnecting the autopilot but rather of ordering the elevator and the auto-thrust to make the correct adjustments to recover the aircraft attitude by means of the protections.
For this purpose the AOA stall warning threshold depends only on the aircraft slats/flaps configuration, and it considers whether the SFCCs are capable of sending the correct information, either through the FAC or through the IPPU¹⁹, Figure 46. Based on the acquired information, the FAC computes one constant for the hyper configuration and a different constant for the clean configuration. Evidently, the constants differ across the aircraft of the SA family depending on aerodynamic solutions and performance.
Figure 46: Alpha stall warning computation in Normal Law
In alternate law, Figure 47, the AOA SW threshold is used for the comparison with the reference AOA in order to trigger the alarm. To this aim the threshold is computed in hyper configuration as done in normal law: consequently a constant is taken if the slats and flaps are extended. In clean configuration, an AOA threshold depending on the Mach number is computed. Therefore, the Mach availability is checked:
19. IPPU is another new function implemented at the same time as the enhanced stall warning; it will allow sending the slats and flaps positions to the FAC even in case of SFCC failure, the information coming directly from the FWC. Still, in case of double FAC loss, the IPPU function allows the correct reception by the FMGC of the slats and flaps information that is normally sent to the FMGC through the FAC. Only one condition at a time can be covered; the IPPU allows the slats and flaps information in case of:
- Double FAC loss
- Double SFCC failure
If both FACs and both SFCCs are lost, the IPPU is no longer capable of sending the information.
- In case all Mach ADR and the backup Mach are valid, the Mach reference is the value selected among the Mach ADR or the backup Mach using the UAMM monitoring.
- In case all Mach ADR and the backup Mach are not valid (but the BARO ADC acquisitions are still healthy), the system reconfigures itself to take as Mach value the minimum between the maximum Mach computed before and a Mach value obtained from the GPS altitude (IRS), Figure 48, Figure 49.
In case of uncertainty, it is better to assume a Mach number larger than the actual one, which reduces the displayed margin with respect to reality and is therefore on the safe side. An over-estimation of Mach is very remote based on in-service experience. Even if there is an erroneously high Mach on one or several ADRs, the maximum Mach based on the IRS avoids selecting this erroneous value and thereby eliminates the possibility of an overshoot of the Mach value, and thus of an undue stall warning from it.
- In case all Mach references are lost, the Mach value is set to zero, such that the AOA threshold considered is the minimum speed saturation.
Figure 47: Alpha stall warning computation in Alternate Law
For the speed-based SW, a new computation of the 𝑉𝛼𝑆𝑊 was implemented. The 𝑉𝛼𝑆𝑊 computed by the handling qualities team is a function of the VLS speed (the minimum value of speed selectable by the pilots in the FCU) and of the load factor, through a parameter that creates a margin and that is to be tuned during the simulator sessions.
Figure 48: Maximum Mach number tendency as a function of the altitude. The Mach value is then used to compute the alpha stall warning in alternate law in clean configuration. The Mach value is saturated above a threshold altitude for aerodynamic purposes. The Mach tendency over the altitude follows the load factor over speed tendency (flight envelope).
Figure 49: Alpha Stall Warning threshold as Mach function. This interpolation is used by the FAC to trigger the activation request sent then to FWC in alternate law in clean configuration. The Mach values are computed as altitude function.
4.6.7 Enhanced Stall Warning Activation Request
Once the thresholds are computed, they are compared with the reference AOA in order to emit the stall warning trigger:
When 𝛼𝑟𝑒𝑓𝑒𝑟𝑒𝑛𝑐𝑒 ≥ 𝛼𝑆𝑊𝑡ℎ𝑟:
- FAC produces the SW activation request for FWS, EIS and HUD.
- FWS transmits the SW request produced by the FAC to the audio system to produce the Stall Warning audio alert. EIS and HUD display the red “STALL STALL” message on the PFD.
In case no AOA is available, the Bypass mode is kept but the computation of the Stall Warning is based on the speed. The FAC performs the Stall Warning computation based on 𝑉𝛼𝑠𝑤𝑏𝑎𝑐𝑘𝑢𝑝, which in turn is computed from speed data instead of AOA data. As the 𝑉𝑆𝑊 based on VLS is independent of the AOA, using it for the Stall Warning condition gives more confidence than using an alpha disqualified by the FAC monitoring; this improves the reliability and availability of the Stall Warning.
Consequently, when 𝑉𝐶𝐴𝑆 ≤ 𝑉𝛼𝑆𝑊𝑏𝑎𝑐𝑘𝑢𝑝:
- FAC produces the SW activation request for FWS, EIS and HUD.
- FWS transmits the SW request produced by the FAC to the audio system to produce the Stall Warning audio alert. EIS and HUD display the red “STALL STALL” message on the PFD.
In alternate law, the activation request is sent to the FMGC to disengage the autopilot following the legacy logic in the FMGC. No modifications are needed in the FMGC to acquire the enhanced stall warning signal to disconnect the autopilot.
Figure 50: Simulink simulation of the Enhanced Stall Warning function. The function has been simplified to allow it to run outside the A320 flight control computers. The monitoring is forced manually to work.
Table 2: Summary of the AOA monitoring and estimation. The 𝐶𝐿𝑚𝑎𝑥 monitoring has been used on Long Range aircraft but it is not applicable to the ESW because, in a stall situation, the load factor is close to zero, so CL/AOA/speed cannot be determined from the lift equation. Hence, an alpha monitoring based on the lift equation will not be reliable to qualify a reference alpha to compute the Stall Warning.
| Availability (𝛼𝐴𝐷𝑅 & 𝛼𝐼𝑅𝑆) | SW            |
|------------------------------|---------------|
| 3 𝛼𝐴𝐷𝑅 reliable              | Voted ADR     |
| 2 𝛼𝐴𝐷𝑅 reliable              | Average ADR   |
| 1 𝛼𝐴𝐷𝑅 reliable              | Last ADR      |
| 0 𝛼𝐴𝐷𝑅, 3 𝛼𝐼𝑅𝑆               | Voted IRS     |
| 0 𝛼𝐴𝐷𝑅, 2 𝛼𝐼𝑅𝑆               | Average IRS   |
| 0 𝛼𝐴𝐷𝑅, 1 𝛼𝐼𝑅𝑆               | Last IRS      |
| 0 𝛼𝐴𝐷𝑅, 0 𝛼𝐼𝑅𝑆               | Based on VLS  |
Table 3: AOA selection criteria for ESW
In normal law, the activation request is not sent with the aim of disconnecting the autopilot but with the purpose of triggering the alpha floor warning; it is inhibited in case of wind-shear and in take-off mode below 1500 ft. The inhibition in wind-shear means that in cruise, when a wind-shear is detected by the FAC monitoring, the activation request is set to zero in order not to create a spurious alarm or attitude recovery. The wind-shear phenomena have higher priority over the stall warning because they last only a few seconds and there is no need to alert the pilot or the autopilot to take recovery manoeuvres. On the other hand, typically at take-off the aircraft is completely protected and the AP is engaged, thus in order to avoid spurious stall warnings the function is inhibited.
4.6.8 Failure cases
In case of loss of both FACs, the system switches to Backup Mode. The Stall Warning computation is taken over by the FWC, and the FMGC computes the backup characteristic speeds, which are sent to the EIS and HUD for display.
The FWS performs the SW reference AOA qualification by using various state-of-the-art AOA monitoring, estimation and selection techniques, and it follows the same process as the FAC in Bypass mode (except for the speed calculation, which is not done in Backup mode by the FWS).
The modifications in the FMGC are needed to compute the characteristic backup speeds, which are displayed to the pilot on the Primary Flight Display, Figure 51. In this way, even in case of double FAC loss, the crew are aware of the basic information about the flight envelope, at least concerning the upper and lower limits (VLS, VSW and VMAX). As a matter of fact, the ADR could send the air data to compute the characteristic speeds, but at the state of the art these data are processed by the FAC to elaborate the speeds; consequently, with the ESW update, the FMGC can perform the computation in backup. In the backup computations some simplifications are made with respect to the FAC calculations: in the FMGC the sharklet, the engine and the airbrake contributions were not considered and the most conservative case was always taken, making the flight envelope smaller, both for safety reasons and for design and timing constraints.
For the computation of the characteristic backup speeds, the COM part of the FMGC receives the AOA ADC OPP from the MON part (the FMGC COM side does not receive all three AOAs²⁰). The 𝑉𝛼𝑆𝑊 computed inside the FMGC is consistent with the stall condition computed inside the FWC (in case of FAC loss); since in case of failure these computations are performed in two different computers, coherence must be kept between FWC and FMGC. The FMGC uses the SSM and Refresh monitoring to validate the ADC AOA acquisitions (as performed in the FAC) and it memorizes the result of the FAC's range monitoring at take-off for qualifying the reference AOA in case the FACs are lost; the monitoring result is saved in such a way that, even if the FAC fails, the FMGC has the information needed to qualify the AOA.
20. The FMGC COM has only the AOA OWN and 3 reception, but the MON part of the FMGC receives all three AOAs.
The range monitoring at take-off allows an AOA to be recognized as erroneous when it goes out of the nominal take-off range during the lift-off and rollout phases. The AOA of each ADR is monitored on the ground, to reject it from the stall warning computation if the AOA is out of range; ADR 3 considers an extra range because of its position on the fuselage.
The monitoring is achieved at take off when the CAS is on a specific range. This monitoring is a
safety measure to check which AOA are available since take-off, and it refers to the Boeing Lion Air JT610
that ended with the first catastrophic accident and the complete destruction of the Boeing 737 Max 8. In
that occasion, the angle of attack sensors on either side of the aircraft’s nose differed by about 20 degrees in
their measurements even during the ground taxi phase, when the plane’s pitch was level. This means that
one of the two measures were clearly completely wrong, and it should have been both rejected.
The FMGC needs a selection logic to compute the alpha reference, the alpha value used in the computation of the backup characteristic speeds. The AOA selection logic inside the FMGC is similar to the FWC one and is based on a voted/maximum/last-value rule. The difference from the FAC implementation is that, when only two AOA sources are available, the FMGC uses the maximum of the two as the reference AOA instead of their average; this choice gives a more conservative computation in the backup situation. It removes the chance of a missed Stall Warning in case of an underestimated AOA: the average of two values may fall below the threshold and miss the warning, whereas selecting the maximum of the two means the system never misses it.
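The qualification and selection logic described above (take-off range monitoring memorized in the FMGC, SSM and refresh checks, the voted/maximum/last-value rule), as an added Python illustration that is not Airbus, FAC or FMGC code. The numeric take-off range limits, the ADR3 extra margin, the sample AOA values and the use of the median as the "voted" value are assumptions of the example; the 80 to 100 kt CAS window comes from the text. The scenario also contrasts the backup maximum rule with the FAC-style average to show the missed warning the text describes.

```python
"""FMGC backup angle-of-attack qualification and selection.
Added illustration written for this page; not Airbus, FAC or FMGC code.
Assumptions not from the thesis: the numeric take-off range limits, the
ADR3 extra margin, and the median as the "voted" value of three sources."""
from dataclasses import dataclass, field
from statistics import median
from typing import Optional

# Constructed limits in degrees. The thesis only states that a nominal take-off
# range exists and that ADR3 gets a wider range because of its fuselage position.
TAKEOFF_RANGE_DEG = (-3.0, 8.0)
ADR3_EXTRA_RANGE_DEG = 2.0
# CAS window in which the FAC performs the range monitoring (thesis: 80 to 100 kt).
RANGE_MONITORING_CAS_KT = (80.0, 100.0)


@dataclass
class AoaSource:
    name: str               # "ADR1", "ADR2" or "ADR3"
    value_deg: float
    ssm_valid: bool = True  # ARINC 429 sign/status matrix reports normal operation
    refreshed: bool = True  # refresh monitoring: the label was updated in time


@dataclass
class FmgcBackupState:
    """What the FMGC memorizes so it can still qualify the AOAs after double FAC loss."""
    takeoff_range_ok: dict = field(default_factory=dict)

    def memorize_takeoff_range_monitoring(self, sources: list, cas_kt: float) -> dict:
        """Store the FAC range-monitoring verdict while CAS is inside the window; outside
        it the stored verdict is kept, so a probe rejected at take-off stays rejected."""
        lo_cas, hi_cas = RANGE_MONITORING_CAS_KT
        if not lo_cas <= cas_kt <= hi_cas:
            return self.takeoff_range_ok
        for src in sources:
            low, high = TAKEOFF_RANGE_DEG
            if src.name == "ADR3":  # extra range for the third probe's position
                low -= ADR3_EXTRA_RANGE_DEG
                high += ADR3_EXTRA_RANGE_DEG
            self.takeoff_range_ok[src.name] = low <= src.value_deg <= high
        return self.takeoff_range_ok


def qualified_aoas(sources: list, state: FmgcBackupState) -> list:
    """SSM and refresh checks (as performed in the FAC) plus the memorized take-off
    verdict; a source with no recorded verdict is treated as acceptable."""
    return [s for s in sources
            if s.ssm_valid and s.refreshed and state.takeoff_range_ok.get(s.name, True)]


def select_alpha_reference(sources: list, state: FmgcBackupState) -> Optional[float]:
    """Voted / maximum / last-value selection of the backup alpha reference.
    Three valid sources: voted (median, an assumption). Two: the MAXIMUM, where the
    FAC would average. One: that last value. None: no alpha-based warning possible."""
    values = [s.value_deg for s in qualified_aoas(sources, state)]
    if len(values) == 3:
        return median(values)
    if len(values) == 2:
        return max(values)
    if len(values) == 1:
        return values[0]
    return None


def fac_style_average(sources: list, state: FmgcBackupState) -> Optional[float]:
    """Average of the qualified sources: the FAC two-source rule, shown for contrast."""
    values = [s.value_deg for s in qualified_aoas(sources, state)]
    return sum(values) / len(values) if values else None


def stall_warning(alpha_ref: Optional[float], alpha_sw_deg: float) -> bool:
    """Alpha-based stall warning: raised when the reference exceeds alpha_SW."""
    return alpha_ref is not None and alpha_ref > alpha_sw_deg


def demo() -> dict:
    """Constructed scenario: one probe reads about 20 degrees off on the ground (the
    JT610 symptom cited in the text); after FAC loss one remaining probe reads low."""
    state = FmgcBackupState()
    takeoff = [AoaSource("ADR1", 2.0), AoaSource("ADR2", 22.0), AoaSource("ADR3", 2.5)]
    state.memorize_takeoff_range_monitoring(takeoff, cas_kt=90.0)  # ADR2 rejected
    in_flight = [AoaSource("ADR1", 15.5), AoaSource("ADR2", 15.0), AoaSource("ADR3", 11.0)]
    alpha_sw = 14.0  # constructed alpha_SW threshold in degrees
    backup_ref = select_alpha_reference(in_flight, state)
    average_ref = fac_style_average(in_flight, state)
    return {
        "takeoff_range_ok": dict(state.takeoff_range_ok),
        "backup_alpha_ref": backup_ref,                           # 15.5 (max)
        "backup_warning": stall_warning(backup_ref, alpha_sw),    # True
        "average_alpha_ref": average_ref,                         # 13.25 (average)
        "average_warning": stall_warning(average_ref, alpha_sw),  # False: missed
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```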
The computation of the backup characteristic speeds needs as inputs the AOA, Mach number, altitude and calibrated airspeed coming from the ADRs, the slat and flap positions (to obtain the aircraft configuration) and the aircraft weight from the Flight Management System. With the function update, all these inputs are independent of the FAC status, since the objective is to improve the availability of the characteristic speeds: in a future development, to keep the autopilot engaged even with FAC loss, and at the moment, to display the flight envelope speed limits to the crew. All the constant inputs coming from the FAC (landing gear position, AOA status at take-off) are memorized inside the FMGC so that they remain available in case of FAC failure.
In case the aircraft slats/flaps configuration is unavailable, because of data loss from the SFCC, the Stall Warning is maintained by the updated function. This is ensured by information from the FWC, which supplies the slats/flaps positions acquired by dedicated sensors (the IPPU, independent from the SFCC) to the FAC through the FMGC.
Slat and flap positions are sent directly from the FWC within the Autopilot without FAC project, because the FMGC has no reception from the SFCC. The FWC provides the slat and flap positions through a newly implemented function called IPPU. Currently, slat and flap positions are sent to the FAC by the SFCC; they are used mainly in the FAC characteristic speeds computation, and their loss leads to AP/FD/ATHR loss. With the present modification, the FMGC receives backup slat/flap positions in case both FACs fail, which allows it to compute the backup characteristic speeds. These new slat and flap positions, measured by
the IPPUs, are sent from the FWC and monitored by the FMGC. The slat and flap position information is also sent to the FAC in case of double SFCC failure.
Figure 51: ESW functional architecture in the FMGC. The FMGC is in charge of computing the backup characteristic speeds in case of double FAC loss. On the left side are the FMGC inputs (in case of FAC failure, the range monitoring at take-off is saved in the FMGC); on the right side the characteristic speeds are sent for emission to the displays. In the middle of the schema, the information links are shown to highlight the inputs needed to compute each variable.
The backup 𝑉𝛼𝑆𝑊is computed in FMGC and it needs of the calibrated airspeed, the alpha stall
warning and the zero lift angle of attack for its computation. The calibrated air speed is provide from ADC
and the angles of incidence (𝛼𝑠𝑤 and 𝛼0) are computed inside FMGC, in the same way the FAC computes
them in nominal operation, except the fact that in FMGC airbrakes, sharklet contributions are not been
considered but it is always taken the more conservative computation to ensure the same calculation for all
the SA fleet. In alternate law, the 𝑉𝛼𝑆𝑊 is the lowest speed limit, the crew should never reach this speed,
hence it is important to have the 𝑉𝛼𝑆𝑊 on speed tape. At the state-of-the-art in the event of double FAC loss,
no more 𝑉𝛼𝑆𝑊is available to EIS and HUD.
The 𝛼𝑆𝑊 is the alpha threshold at which the stall warning is triggered when the reference incidence
exceeds this value, this angle of incidence is used in the computation of the 𝑉𝛼𝑆𝑊on a similar computation as
in FAC in nominal case:
In hyper (high-lift) configuration, αSW is a function of the slat position.
In clean configuration, αSW is a function of the Mach number and of the slat position.
The computation of VMAX depends on the slat and flap configuration: experimental constants are selected as a function of the S/F positions and of the landing gear position. VMAX is limited on the upper side by VMO, a new acquisition in the FMGC; before this upgrade, no VMO information was used in the FMGC.
In this step of the evolution of the Enhanced Stall Warning update, the computation of VLS is not considered because of lack of time in the program schedule; in order to test the FMGC interface, a greatly simplified computation of VLS is elaborated starting from VαSW. Working with the handling qualities team, new considerations and simplifications on this speed are being studied to provide the aircraft with the lowest selectable speed in normal law with the autopilot engaged.
4.6.9 ESW new interfaces
To install the Enhanced Stall Warning function on the flight control computers, a new hardware Pin-Prog connection between the FAC computer and ground is required, which allows the whole Auto Flight System to compute the new function. This hardware Pin-Prog activates the software Pin-Prog that is emitted by the FAC and acquired by the FWS, EIS and FMGC in order to distinguish the “ESW INSTALLED” and “ESW NOT INSTALLED” statuses. Since the ESW function relies strongly on the UAMM function, both pin-progs are consolidated, such that at this point ESW cannot be performed without UAMM installed.
Another interface input needed for the ESW function is the discrete ARINC input connecting the FAC COM lane to the ELAC OWN and OPP, which reports the AOA watchdog monitoring status. When the AOA watchdog monitoring is triggered by the ELAC, the FAC inhibits the alpha-based Stall Warning and switches to the speed-based Stall Warning. In addition, to perform the enhanced function, a connection with the EIS, the FWS and the FMGC is needed through a FAC ARINC output. In particular, the FAC informs the FWS, the EIS and the FMGC about the ESW activation request, so that the alarm message appears on the displays and the aural alarm is sounded when the AP is disconnected by the FMGC. On the other hand, another Boolean is sent to the FWS to report the ESW FAC capability status.
Each FAC computes its capability to compute the Enhanced Stall Warning alert and sends the result to the FWC, EIS and HUD if the SW activation is requested by the FAC.
The FAC sends three signals to the Flight Warning Computer to indicate which AOA is not used in the computation of the alpha reference for enhanced stall warning purposes. This information is memorized inside the FWC so that, in double FAC loss, it can calculate the backup stall warning with the correct angles of attack. Another FAC signal about AOA monitoring is delivered to the FMGC to report the range-at-take-off monitoring result. During take-off, when the speed is between 80 and 100 kts, a FAC monitoring verifies that the AOA values are within range and sends the result to the FMGC, which memorizes it so as to have it even in case of double FAC loss, should the FMGC have to compute the backup characteristic speeds.
Boeing 737 MAX-8 case study Federico Mastropasqua
84
5 Boeing 737 MAX-8 case study
5.1 Marketing point of view
5.2 Technical issues
5.3 Certification process
The project to renew the Boeing 737 was born to overcome the rival challenge from Airbus, in order to deliver on time the fourth Boeing 737 generation after the 2011 Paris Air Show, where Airbus sold 667 A320NEO in a week, basically more orders than Boeing had received for the 737 in the whole of 2010. The Boeing 737 Max was the answer of the United States manufacturer to the Airbus A320NEO, presented in 2010, promising to save 6% of fuel consumption with respect to the 737NG with its new engines and aerodynamic solutions21. The first obstacle Boeing faced in the B737 renovation was the 737 platform itself. It would take a considerable amount of work to update a 46-year-old design with all the technology it needed to be as efficient as the competition. Complete aircraft overhauls are rare: the 737 last received one in 1983 and in 1997, with the debut of the third generation 737NG, while the A320 had not been refreshed since its launch in 1988 until 2010.
21 NEO stands for New Engine Option. The new engines mounted on the A320 evolution are the key point of the success of this new aircraft. In 2018, for instance, Southwest Airlines’ fleet of 751 Boeing 737s burned 2.1 billion gallons of fuel per year at an average cost of $2.20 per gallon (0.58 $/liter), for a total of $4.6 billion. A 1 percent increase in fuel efficiency would save $46 million.
At the same time, the designers could not update the aircraft too much. By law, a pilot can only fly one type of airplane at a time. However, the Federal Aviation Administration allows different models of airplanes with similar design characteristics to share a common “Type Certificate” (for instance, the three previous generations of the Boeing 737 all share a common type certificate). Boeing did not want to renew its flagship product so heavily that it would have lost the “Type Certificate”.
5.1 Marketing point of view
The Boeing 737 first appeared in 1967; it was a small aircraft with small engines and relatively simple systems compared with modern aircraft. Airlines liked it because of its simplicity, reliability and flexibility, not to mention the fact that it could be flown by a two-person cockpit crew, as opposed to the three or four of previous airliners, which made it a significant cost saver. Over the years, market and technological forces pushed the Boeing 737 into ever-larger versions with increasing electronic and mechanical complexity. Airliners constitute enormous capital investments both for the industries that make them and for the customers who buy them, and they all go through a similar growth process. The program’s chief pilot, Ed Wilson, said that pilots rated on previous versions of the 737 could switch to the Max with just “2 ½ hours of computer-based training.” This was another key selling point for airlines: no expensive classroom time, no costly simulator time.
“Everything about the design and manufacture of the Max was done to preserve the myth that ‘it’s just a 737.’ Recertifying it as a
new aircraft would have taken years and millions of dollars. In fact, the pilot licensed to fly the 737 in 1967 is still licensed to fly
all subsequent versions of the 737.” [15]
The major selling point of the Boeing 737 Max is that it is much the same as the older Boeing 737, and any pilot who has flown other Boeing 737s can fly a Boeing 737 Max without expensive training, without recertification, without another type rating. Airlines (Southwest22 is a prominent example) tend to go for one “standard” airplane. They want one airplane that all their pilots can fly, because that makes both pilots and airplanes fungible, maximizing flexibility and minimizing costs.
Most of those market and technical forces are on the side of economics, not safety. They work as allies to relentlessly drive down what the industry calls “seat-mile costs”, the cost of flying one passenger seat one mile. Two years into development, Boeing promised the Max would be 8 percent more fuel-efficient than the A320NEO. Accordingly, between its fuel and training efficiency, the Max seemed like a winning prospect for everyone, especially Boeing, which sold a record-breaking $200 billion worth of Boeing 737 Max before the first prototype took flight.
22 Southwest is the biggest low-cost airline in the world. This American commercial airline has its headquarters in Dallas, Texas, and was founded in 1967. Southwest Airlines has always operated only the B-737: in 2017 it had 705 B-737 aircraft in service, including 13 B-737 Max, with 190 on order (before the B-737 program was halted), each operating on average six flights per day. By way of comparison, the Ryanair fleet counts 458 B-737 and 135 B-737 Max ordered in 2019, and it is the second-largest B-737 operator in the world.
5.2 Technical issues
The principle of Carnot efficiency dictates that the larger and hotter an engine is, the more efficient it becomes. The most effective way to make an engine use less fuel per unit of power produced is to make it larger. For this reason, Boeing wanted to put bigger CFM International LEAP-1B engines [16] on its latest version of the Boeing 737.
The problem is that the original Boeing 737 had (by today’s standards) tiny engines, which easily cleared the ground beneath the wings. As the Boeing 737 grew and was fitted with bigger engines, the clearance between the engines and the ground started to get a little tight, Figure 52.
Figure 52: Comparison between the Boeing 737-800 NG and the new Boeing 737 Max 8. The bigger size of the engines is evident: compared with the older version they have been moved forward and raised to accommodate a larger fan, hence a higher bypass ratio and lower fuel consumption. This structural expedient implies different handling qualities, which are compensated by the MCAS in order to keep the same type certificate.
Various hacks were devised to deal with this problem. One of the most noticeable was changing the shape of the engine intakes from circular to oval, the better to clear the ground.
With the Boeing 737 Max, the situation became critical. The engines on the original Boeing 737 had a fan diameter of about 100 centimetres; those planned for the Boeing 737 Max have 176 cm. That is a centreline difference of over 30 cm, and the engine intakes were made oval enough to hang the new engines beneath the wing without scraping the ground.
The solution was to move the engine up and forward of the wing. However, doing so also meant that the centreline of the engine’s thrust changed, and the flight dynamics changed as a consequence. The engine pitching moment coefficient CMen becomes bigger in absolute value and tends to destabilize the aircraft equilibrium in manoeuvring. Now, when the pilots apply power to the engine, the aircraft has a significant propensity to pitch up. This tendency to pitch up with power application increases the risk that the airplane could stall when the pilots add thrust. It is particularly likely to happen if the airplane is flying slowly.
Worse still, because the engine nacelles are so far in front of the wing and so large, a power increase causes them to actually produce lift, particularly at high angles of attack. The CLα of the entire plane increases as the engines make lift when the aircraft is pitched up. Therefore, the nacelles make a bad problem worse. In the Boeing 737 Max, the engine nacelles can, at high angles of attack, produce lift, working
as wings. The lift produced by the nacelles is ahead of the wing’s centre of lift, meaning the nacelles cause the Boeing 737 Max at a high angle of attack to go to an even higher angle of attack, Figure 53.
Figure 53: Forces and torques experienced by an aircraft during flight. Since the engines are below the airplane’s centre of gravity, when the (auto)pilot increases thrust the aircraft responds with a pitch-up. In addition, the oval engine nacelles create a significant lift contribution that grows with the angle of incidence and with the pitch/pitch rate. The result is that when an aircraft is approaching a stall and the system or the pilot realizes it, the first action by procedure is to act on the thrust; but if this creates a pitch-up, the aircraft moves away from the static condition, the pitch-up is accentuated, and this can lead to an unrecoverable situation.
Pitch changes with power changes are common in aircraft. Pilots train for this and are used to it. Nevertheless, there are limits to what safety regulators will allow and to what pilots will put up with. Aircraft are statically and dynamically stable, which means that conditions should not change markedly: there should be no significant roll, no significant pitch change, nothing at all, when the pilot adds power, lowers the flaps or extends the landing gear.
Apparently, the pitch-up of the Boeing 737 Max went beyond the comfort and safety standard on power application at already-high angles of attack. Aerodynamic changes “work” all the time; Boeing, short of time, resources and money, instead needed a solution that would work only in certain flight phases and in particular attitude conditions. Aerodynamic solutions require a lot of design and testing to get just right. Boeing needed something precisely targeted, carefully calibrated and nonlinear in effect. It needed software. Instead of calling into question the airframe design and the engine installation, Boeing relied on something called the “Manoeuvring Characteristics Augmentation System”, or MCAS. Boeing’s solution to its hardware problem was software. MCAS was designed to compensate for the excess pitch-up on thrust application.
Boeing chose MCAS as the less expensive solution rather than extensively modifying the airframe to accommodate the larger engines. Such airframe modifications would have meant longer landing gear
(which might not then fit in the fuselage when retracted), more wing dihedral (upward bend), and a redesign of the pylon to accommodate the new engines. It is obvious that hardware changes would have a bigger impact on the aircraft program costs.
From the avionics point of view, on the Boeing 737 Max there are two sets of angle-of-attack sensors and two sets of pitot tubes, one set on either side of the fuselage. Normal usage is that the set on the pilot’s side feeds the instruments on the pilot’s side and the set on the co-pilot’s side feeds the instruments on the co-pilot’s side. That gives a natural redundancy in instrumentation that can easily be cross-checked by either pilot. If the co-pilot thinks his airspeed indicator is acting up, he can look over at the pilot’s airspeed indicator and see if it agrees. The MCAS, however, could be activated by a single sensor reading: in both crashes, the sensors are thought to have failed, sending erroneous data to the flight computer and, without a redundant check in place, triggering the automated system [17].
On the B-737, Boeing included redundant flight computers, one on the pilot’s side and the other on the co-pilot’s side. The flight computers, as in Airbus aircraft, compute the flight envelope, the navigation and the flight management, helping the pilot in the planning phases and aiming to reduce the pilot’s workload in flight. Only one MCAS is embedded in the Boeing cockpit.
MCAS pushes the nose of the plane down when the system thinks the plane might exceed its angle-of-attack limits; it has the same aim as the Airbus Alpha prot but acts on a different control loop, and in this way it avoids an aerodynamic stall, Figure 54. Boeing put MCAS into the 737 Max because the larger engines and their placement make a stall more likely in a Boeing 737 Max than in previous Boeing 737 models.
MCAS used only one angle-of-attack (AOA) sensor to detect when the airplane entered a steep climb. It activated the airplane’s pitch trim system (corresponding to the rudder trim in the Airbus conception, but for the elevator), which is routinely used to help stabilize the airplane and make it easier to control, especially during climb and descent. The system trimmed the airplane in modest increments for up to nine seconds in a row until it detected that the airplane had returned to a normal AOA and ended its steep climb. It also did something else: indirectly, via a system Boeing calls the “Elevator Feel Computer”, it pushed the pilot’s control columns downward.
According to the data from the Lion Air JT610 flight recorders, when the MCAS pushed the nose down, the captain repeatedly pulled it back up, probably by using the thumb switches on the control column. But each time, the MCAS, as designed, kicked in to swivel the horizontal tail and push the nose back down again. The data show that after this cycle had repeated 21 times, the captain ceded control to the first officer and MCAS then pushed the nose down twice more, this time without a pilot response. After a few more cycles of this struggle, with the horizontal tail close to the limit of its travel, the captain resumed control and pulled back on the control column with high force. It was too late. The plane dived into the sea at more than 500 miles per hour [18].
In the Boeing 737 Max, like most modern airliners and most modern cars, everything is monitored by computer, if not directly controlled by computer, but it is also important that the pilots get physical feedback about what is going on. The Boeing 737 employs redundant hydraulic systems, and those systems link the pilot’s movement of the controls to the action of the ailerons and other parts of the airplane. But
those hydraulic systems are powerful, and they do not give the pilot direct feedback from the aerodynamic forces acting on the ailerons. There is only an artificial feel, the feeling that the computer wants the pilots to feel.
When the flight computer trims the airplane to descend, because the MCAS thinks it is about to stall, a set of motors and jacks push the pilot’s control columns forward. It turns out that the Elevator Feel Computer can put a lot of force into that column, indeed so much force that a human pilot can quickly become exhausted trying to pull the column back, trying to tell the computer that this really, really should not be happening.
Figure 54: The anti-stall system depended crucially on sensors installed on each side of the airliner, but the system consulted only the sensor on one side. The angle of attack is fed into the flight computer; if it rises too high, suggesting an imminent stall, the MCAS activates.
Undeniably, not letting the pilot regain control by pulling back on the column was an explicit design decision; the MCAS always has priority over human actions because the hydraulic system has more strength than a human pilot. Furthermore, the MCAS is always engaged, even when the autopilot is disconnected, in manual flight.
MCAS is implemented in the flight management computer and acts even when the autopilot is turned off. In a fight between the flight management computer and the human pilots over who is in charge, the computer will always override the humans.
Southwest asked Boeing why the MCAS documentation was not available to the pilots and why the handbook contained no checklist for recovering from MCAS situations; at this point Boeing answered that: “Since the automatic control system operated in situations where the aircraft is under relatively high load factor and near stall, a pilot should never have seen the operation of MCAS.
Consequently, Boeing did not include the MCAS description in its Flight Crew Operations Manual, when
MCAS is involved, it would trim the nose as designed to assist the pilot during recovery, likely going
unnoticed by the pilot” [19].
Furthermore, in the Boeing 737 Max, only one of the flight management computers is active at a time, either the pilot’s computer or the copilot’s computer, and the active computer takes inputs only from the sensors on its own side of the aircraft. When the two computers disagree, the solution for the humans in the cockpit is to look across the control panel to see what the other instruments are saying and then sort it out. In the Boeing system, the flight management computer does not “look across” at the other instruments; it believes only the instruments on its side. The Boeing architecture has no cross-checking monitoring; this corresponds to what in the Airbus Auto Flight System is called Independent Mode, which is active when the two FMGCs disagree, in other words, in the Airbus philosophy this situation is reached only after a minor failure has already occurred that makes the two FMGCs differ from each other, Figure 23. This means that if a particular angle-of-attack sensor runs away, which happens all the time in a machine that alternates from one extreme environment to another, vibrating and shaking all the way, the flight management computer just believes it.
Several other instruments can be used to determine the angle of attack, either directly or indirectly: pitot tubes, the artificial horizons, etc. All these instruments would be cross-checked by a human pilot to quickly diagnose a faulty angle-of-attack sensor. A human pilot could look out the windshield to confirm visually and directly whether the aircraft is pitching up dangerously. That is the ultimate check and should go directly to the pilot’s control. However, the current implementation of MCAS denies the pilot sovereignty. It denies the pilots the ability to respond to what is before their own eyes.
5.3 Certification process
In addition to the technical causes that led to the unrecoverable stall situation, other circumstances in the Boeing certification must be considered from an economic point of view. In the past, the FAA had armies of aviation engineers in its employ. Those FAA employees worked side by side with the airplane manufacturers to determine that an airplane was safe and could be certified as airworthy. As airplanes became more complex and the gulf between what the FAA could pay and what an aircraft manufacturer could pay grew larger, more and more of those engineers migrated from the public to the private sector. Soon, the FAA had no in-house ability to determine whether a particular airplane’s design and manufacture was safe. The FAA, meanwhile, said it would need 10,000 more employees and an additional $1.8 billion of taxpayer money each year to bring certification entirely in-house. Hence, the FAA proposed that the airplane manufacturers “auto-certify” their aircraft, creating their own certification tests.
Thus, the concept of the “Designated Engineering Representative”, or DER, was born. DERs are people in the employ of the airplane manufacturers, the engine manufacturers and the software developers who certify to the FAA that each single part of the aircraft meets the certification rules. The industry absolutely relies on public trust, it is in nobody’s interest that an aircraft crashes, and every crash is an existential threat to the industry; this is the reason why there was no conflict of interest.
During the certification, MCAS received a “hazardous failure” designation. This meant that, in the FAA’s judgment, any kind of MCAS malfunction would result in, at worst, “a large reduction in safety margins” or “serious or fatal injury to a relatively small number of the occupants.” Such systems, therefore, need at least two levels of redundancy, with a chance of failure of less than 1 in 10 million. However, MCAS does not meet any of these standards:
It has no redundancy: it takes input from just one AOA sensor at a time. That makes MCAS completely unable to cope with a sensor malfunction.
No cross-checking monitoring was considered in the validation of the acquired data: no triplex, no duplex, and certainly no backup computation (in the Airbus design philosophy, all the data coming into a computer have to be validated by SSM treatments and by internal monitoring).
It cannot “sanity check” its data against a second sensor or switch to a backup if the original source fails. It just believes whatever data it is given, even if those data are bad, which is what happened on Lion Air flight 610 and Ethiopian Airlines flight 302.
It gets worse: over the last five years, 50 flights on US commercial airplanes experienced AOA sensor issues, or about one failure for every 1.7 million commercial flight-hours. Evidently, that is a low rate, but it is still nearly six times above what the FAA allows for “hazardous” systems: they are only supposed to fail once every 10 million flight-hours (see Appendix I – Safety Assessment). Worse still: the FAA did not catch the fact that the version of MCAS actually installed on the 737 Max was much more powerful than the version described in the design specifications. On paper, MCAS was only supposed to move the horizontal stabilizer 0.6 degrees at a time. In reality, it could move the stabilizer as much as 2.5 degrees at a time, making it significantly more powerful when forcing the nose of the airplane down [20].
At this stage of the MCAS development, the fact that the system could analyze only the data coming from its own side should have raised doubts about the safety certification standard. But in reality, the FAA added the Boeing 737 Max to the type certificate. In the case of the Boeing 737 Max, the FAA’s list extends to 30 pages, reviewing everything from engine noise to de-icing systems, from aluminum fatigue to security doors. Yet this document dedicated to minutiae does not mention MCAS once, which is rather astonishing when it considers even the seat belts.
The FAA overlooked MCAS in other places too. A combination of inexperience and lack of a software culture may have led to the present situation, in which the entire Boeing 737 Max-8 fleet is grounded.
In conclusion, to sum up the Boeing case study: Boeing produced a dynamically unstable airframe, the Boeing 737 Max. Consequently, it tried to mask this dynamic instability with a software system. Finally, the software relied on systems known for their propensity to fail (angle-of-attack indicators) and did not appear to include even rudimentary provisions to cross-check the outputs of the angle-of-attack sensor against other sensors, or even against the other angle-of-attack sensor. To make matters worse, none of these points was caught during the certification process.
On 13 March 2019, the FAA grounded the Boeing 737 Max 8. Muilenburg, Boeing’s CEO, admitted that MCAS was directly responsible for the Ethiopian Airlines and Lion Air crashes and promised that Boeing would fix its broken system. “It’s our responsibility to eliminate this risk,” he said. “We own it and we know how to do it.”
Figure 55: Boeing safety design process
Conclusions and improvements Federico Mastropasqua
93
6 Conclusions and improvements
This thesis aimed to investigate the very topical problem of stall in the general aviation field and to explain how aircraft manufacturers have improved their anti-stall systems to avoid the loss of control in stall situations. The Airbus approach has been detailed, since this thesis made it possible to discover and improve the Airbus Auto Flight System in the role of system designer. At the end of the discussion, a chapter on the Boeing case study was included to better understand the differences between the French and the US manufacturers’ approaches to the problem.
The problem statement treated in this thesis is that more than 60% of aircraft accidents are due to human errors, because the autopilot disconnects after a failure is detected. Consequently, the aircraft loses some protections, and the crew is often not ready to face an emergency procedure; in the worst scenario this ends with the loss of the entire aircraft. The most suitable solution seems to be to enlarge the autopilot domain, and this is the direction Airbus is following to minimize human intervention; the Enhanced Stall Warning joins this project as one of the first improvements.
The function developed here fits this problem statement by delivering a system that is more robust and more available in the presence of aircraft failures. The Enhanced Stall Warning developed for this purpose during this master thesis considers both ADC and IRS data sources for the computation of the angle-of-attack reference, and also the airspeed, so that the stall alarm and the autopilot disengagement order remain available in more cases. A fault-tolerance approach to the system design has been adopted in order to avoid spurious alarms or missing alerts.
The main improvement to the system was to move the function from the Flight Warning Computer to the FAC. In this way, the warning and the flight control law are separated to enhance the safety and the reliability of the aircraft. In case of a warning computer failure, the FAC is still capable of triggering the autopilot disconnection and sending the message to the displays; conversely, in case of a flight control failure, the FWC takes over the backup computation of the stall warning. The FAC is the main computer in charge of the function in normal operation, but after failures the backup computers (FMGC and FWC) take charge of it, with some limitations in the computation accuracy but keeping the function available.
The Enhanced Stall Warning, as explained, consists of two working modes:
- Bypass mode: when at least one FAC is healthy, the stall warning is based on AOA (both ADC and IRS, with a priority order) or on speed in case the angles of attack are no longer available;
- Backup mode: in case both FACs are lost, the FWC takes over the backup computation and the characteristic speeds are assured by the FMGC, which computes them in backup before sending them to EIS/HUD.
The new software version allows the aircraft to keep the autopilot engaged in a safe manner, escaping the need for human control in some emergency conditions. Thanks to the UAMM update, the flight control computers have all the needed information, such as AOA and aircraft speeds, even under broken, frozen or runaway failures, which also allows them to estimate the aircraft attitude and to feed it into the stall calculation. The UAMM monitoring allows the data to be declared available on the basis of:
- Broken probe detection at take-off;
- Iced probe monitoring (Nz-AoA);
- Drift detection (triplex monitoring by comparison);
- Disagreement detection (duplex monitoring);
- Theta-gamma monitoring.
In the upgraded system the presented architectures are reviewed to keep the data available and to declare the system itself capable of performing the task, based on:
- Angle-of-attack based Stall Warning. The computation considers both ADC and IRS probes to ensure a higher level of reliability and robustness.
- Speed based Stall Warning. In this case, even if the AOA probes are lost, the function reconfigures to detect the alarm when the speed falls below the selected thresholds, provided at least the airspeed is still available and the characteristic speeds are computed.
The robustness of the function is also assured by new AOA thresholds, which consider αsw as a function of Mach, of the flight control law and of the aircraft configuration.
The last remarkable improvement on the FAC side for the developed function was the introduction of the ELAC watchdogs: once triggered and sent to the FAC, they inhibit the use of AOA for the stall warning computation and the system switches directly to the speed based SW. The watchdogs aim to detect the situation in which an incoherence between AOA and speed values occurs.
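The working-mode and data-source selection described above, written out as an added example; this is illustration code, not the thesis's own implementation nor any Airbus software. The signal names, the threshold values and the assumption that the backup mode (FWC warning, FMGC backup speeds) selects its basis with the same AOA-then-speed priority as the bypass mode are constructed for the example.

```python
"""Added example: simplified Enhanced Stall Warning mode and basis selection.
Not code from the thesis or from Airbus; names and numbers are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class EswInputs:
    fac1_healthy: bool
    fac2_healthy: bool
    adc_aoa: Optional[float]      # selected ADC angle of attack, deg; None = not available
    irs_aoa: Optional[float]      # selected IRS angle of attack, deg; None = not available
    cas_kt: Optional[float]       # calibrated airspeed, kt; None = not available
    vsw_kt: Optional[float]       # stall warning speed, kt (FAC, or FMGC backup when both FACs are lost)
    elac_watchdog: bool           # ELAC reports an incoherence between AoA and speed
    alpha_sw_deg: float           # stall warning AoA threshold (function of Mach, law, configuration)


@dataclass
class EswOutput:
    mode: str             # "BYPASS" (at least one FAC healthy) or "BACKUP" (both FACs lost)
    basis: str            # "AOA", "SPEED" or "NONE"
    stall_warning: bool
    ap_disconnect: bool   # legacy FMGC logic: autopilot disengages once the warning triggers


def enhanced_stall_warning(i: EswInputs) -> EswOutput:
    """Select the working mode, the computation basis and the warning state."""
    mode = "BYPASS" if (i.fac1_healthy or i.fac2_healthy) else "BACKUP"
    basis, warn = "NONE", False

    # AoA based warning: ADC has priority over IRS. A triggered ELAC watchdog
    # inhibits every AoA, so the function falls back to the speed based path.
    # (Assumption: the same priority is applied in backup mode.)
    if not i.elac_watchdog:
        aoa = i.adc_aoa if i.adc_aoa is not None else i.irs_aoa
        if aoa is not None:
            basis, warn = "AOA", aoa >= i.alpha_sw_deg

    # Speed based warning: only when no usable AoA remains, and only while CAS
    # and the characteristic speed are still available; otherwise no alarm is
    # possible and the function reports itself as unavailable rather than silent.
    if basis == "NONE" and i.cas_kt is not None and i.vsw_kt is not None:
        basis, warn = "SPEED", i.cas_kt <= i.vsw_kt

    return EswOutput(mode, basis, warn, ap_disconnect=warn)


if __name__ == "__main__":
    # Constructed scenario: FACs healthy, watchdog raised, speed below VSW.
    print(enhanced_stall_warning(EswInputs(True, True, 12.0, 11.0, 115.0, 120.0, True, 10.0)))
```

The value of keeping the `"NONE"` basis explicit is that a consumer can distinguish "no stall" from "no stall warning possible", which is exactly the availability concern the function addresses.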
On the FMGC side, the enhanced stall warning does not impact the autopilot disengagement logic: to be as little intrusive as possible, the legacy logic is kept, so the autopilot is disengaged once the FAC triggers the condition. On the other hand, it was necessary to implement the computation of the backup characteristic speeds. For this purpose, the airbrake, sharklet and engine contributions are not considered, which simplifies the computations without losing the goal of the function: to display the characteristic speeds to the pilots even when both FACs are lost.
From the Design Office point of view, the developed function answers the high-level requirements set by the Functional Team, and the next step of the implementation will be the simulator tests, to be performed during the following month depending on the Covid-19 health situation at the simulator. The test session was planned for April, but some time shift will surely occur. This implementation step will be the first feedback loop, because all the potential bugs that appear at the test bench will be fixed through a first iteration of the function. During the logical implementation some compromises were mandatory to match all the time and programme constraints.
In this experience, I learnt about complex system design, how to translate high-level requirements into low-level instructions and how to follow a scheduled plan in order to achieve the target within the correct timing, working in a team to answer the client's needs. My aerospace and system knowledge helped me in the integration into the team and in the conception phase of the function.
I experienced the engineering working environment, where compromises and iteration are on the everyday agenda. The last proposed solution will not be the final one; surely some improvements, tunings and calibrations will be necessary to optimize the function behaviour and fulfil the expected results.
Some cross-checking monitoring has to be implemented in the next step of evolution, and AOA requalification will be added to the design to provide the system with the most reliable AOA value in each flight phase.
Table 4 : Enhanced Stall Warning: Comparison of Legacy logic
Table 4 shows the difference between the state-of-the-art system and the Enhanced Stall Warning monitoring. The additional monitoring and the estimator enable the Enhanced Stall Warning to limit the probability of an undue Stall Warning. They also help to avoid the risk of Stall Warning unavailability in critical situations. Furthermore, they make the link between a monitoring detection and the loss of a flight control protection explicit, i.e. they help to identify which monitoring result will have an impact on the flight control protection. Note that all the new monitoring is based on the UAMM update; this is the reason why the UAMM function is fundamental for the development of the ESW function.
6.1 Enhanced Stall Warning improvements and future developments
The first improvement to the function is the implementation of the backup VLS computation in the FMGC. Because of the lack of time and the need to deliver the function within the deadline in order not to miss the simulator slot (before the Covid-19 health issue), the VLS computation was left out and not implemented in this first evolution step of the function. The Handling Qualities team will be asked for a simplification of the VLS currently computed in the FAC, so as to have at least an estimate of its value, because right now it is not possible to compute the VLS in the FMGC as in the FAC, for lack of inputs in the FMGC.
The interest in applying the AOA monitoring, in order to always have the most correct, or most plausible, angle-of-attack value available, opens the possibility of installing in the cockpit a display that shows the exact attitude of the aircraft in real time, displaying the incidence angle and thus the stall margin. Just as the Primary Flight Display always shows the speeds with their corresponding limits (VLS, VMAX ...), the Enhanced Stall Warning evolution could make it possible to display the incidence angle with its limit as a function of the flight control law. This implementation could be investigated in the short term, before the EAPA project becomes real, because with a stall margin indicator the pilots would still have authority in case of failure, whereas the EAPA project aims to let the pilot intervene as little as possible, in order to avoid catastrophic human accidents in emergency situations. This solution would be easier and cheaper than the EAPA project, and it could help the pilot to foresee the aircraft stall.
The stall margin indicator could be implemented on both PFD and HUD, giving the crew a clear indication of the stall conditions, and it would be displayed whatever the control law (direct, alternate or normal). The indicator would minimize the common points between the loss of the stall margin indicator and the loss of the flight control protections, so that if one of the two systems fails the other one is still able to perform its operations (fault-tolerance approach).
The stall margin indicator should use, as far as possible, the same equipment as the Stall Warning, in order to limit delays in the transmission of the information and to keep coherence in the computations, above all in non-normal laws, where with the state-of-the-art control laws the autopilot disconnects and the crew has control of the aircraft. Consequently, in alternate law the aircraft protections are limited, up to direct law, where all the protections are disengaged and the crew directly controls the aircraft attitude through the control surface deflections.
An erroneous indication of the stall margin would be classified as HAZ (hazardous), because it would display the margin the pilot has to manoeuvre the aircraft and avoid a stall, and an error near the ground would have consequences classified as hazardous/catastrophic.
The AOA potentially used in the stall margin indicator should be submitted to UAMM monitoring in addition to the SSM treatment (which only assures the correct acquisition by the computers), to always deliver the most reliable angle-of-attack value to the computation. The only AOA suitable for the stall margin indicator should be the ADC one, because its refresh time is three times faster than the IRS one, and since the indicator materializes the distance of the aircraft from the alpha stall, the fastest data refresh and transmission are necessary; otherwise the IRS would have to be provided with an interpolation between two refresh times that could predict the real angle of attack in real time.
In order to have the most reliable AOA available for the stall margin indicator, the function would require AOA requalification. At the state of the art, if the CAS is valid and lower than 60 kts, the selected AOA is labelled NCD (Not Computed Data); with the requalification, an NCD AOA is considered valid and should be used in the computation if the CAS is valid and lower than 60 kts and all the other ADC AOA are not in normal operation.
This requalification keeps the stall warning available in deep stall situations and multiple iced probe situations. On ground, the CAS is valid above 30 kts and the AOA is valid when the CAS is above 60 kts. When the CAS is valid and below 60 kts, all the AOA are labelled NCD. In deep stall situations²³ (the AF447 accident is an example), Figure 56, the aircraft can experience a CAS below 60 kts; in such a case a requalification of the NCD ADR AOA shall be considered. That means a stall warning aural alert shall be ensured in a deep stall situation by considering the NCD ADR AOA as valid, or at least an identification of the stall margin.
²³ A deep stall is a particular stall condition that arises when the horizontal tail plane lies exactly in the turbulent downwash generated by the airflow that is no longer attached to the wing. In these circumstances the horizontal tail plane is no longer able to control the aircraft and therefore no control can recover the aircraft attitude. This is the most dangerous stall condition, in which every (auto)pilot action is useless and the situation is irreversible. This is the reason why the deep stall must be avoided.
Figure 56: Deep stall condition for a T-tail airplane. The deep stall condition is easier to reach for T-tail aircraft, but it is not exclusive to this type of airplane, since Flight AF447 of the A330-203 experienced the same irrecoverable condition.
The monitoring that allows the use of the ADR AOA is the same as that used for ESW purposes:
- Broken probe detection at take-off;
- Iced probe monitoring (Nz-AoA);
- Drift detection (triplex monitoring by comparison);
- Disagreement detection (duplex monitoring);
- Theta-gamma monitoring.
In case the FAC receives the AOA watchdog monitoring from the ELAC, all the AOAs inside the FAC shall be inhibited from the stall warning and the speed based stall warning shall be activated; in this case the stall margin indicator will be lost, because the watchdog indicates that a discrepancy between the aircraft speed and the recorded incidence has been reported. As a reminder, the ELAC watchdog is triggered when the calibrated airspeed is rising while the angles of attack show a positive incidence (aircraft pitching up); this condition is evidently erroneous if the thrust level is kept constant, and vice versa.
For the stall margin indicator, the AOAs shall be categorized into three classes based on the result of the AOA monitoring and consistency check, also considering the cross-check between ADR and IRS:
- Reliable. A measured angle of attack (AoA_x) not rejected by any monitoring is considered REL (reliable) if:
o there is another consistent measured angle of attack (AoA_y) which is not rejected by any monitoring, or
o it is consistent with the AOA estimator based on Theta-Gamma while AoA_y and AoA_z are rejected by the monitoring.
Figure 57: Logical schema of AoA_x checked as RELiable.
- Uncertain. A measured angle of attack (AoA_x) not rejected by any monitoring is considered UNC (uncertain) if:
o there is no other angle of attack (AoA_y not rejected by any monitoring) measured by another probe to compare it with, and
o it is not consistent with the AOA estimated from Theta-Gamma while AoA_y and AoA_z are rejected.
- Rejected if the acquisition is not performed correctly²⁴.
In the evolution of the system, in the case in which only one ADR AOA is available, the consistency check shall be performed using the other available IRS AOA sources²⁵. This improvement increases the availability of reliable angles of attack:
- If only one ADR AOA is available and the other two are not rejected:
o if IRS AOA are available from the other two probes and the ADR AOA is consistent with the median value among the remaining ADR AOA and the other two IRS AOA, then the ADR AOA is considered reliable;
o else if only one IRS AOA is available from another probe and the ADR AOA is consistent with the IRS AOA, then the ADR AOA is considered reliable;
o else the ADR AOA is considered uncertain.
- Else, if all the ADR AOA are lost:
o the IRS AOA are used.
²⁴ Rejected and failed are two different concepts: a variable is rejected if the SSM treatment that verifies the acquisition returns a zero. The failure of a variable is triggered when the comparison monitoring, the UAMM or another check detects a runaway of the value, and the variable is declared failed. Consequently, a variable can be failed but not rejected; the opposite case cannot occur.
²⁵ To compute the consistency between the ADR source and the IRS one, it is necessary to apply a delay to the ADR AOA, because the refresh time of the IRS source is slower than the ADR's.
As shown in the logical schemas in Figure 57, the FAC shall use the AOA estimator based on Theta-Gamma to maintain the Stall Warning even in case of disagreement of the last two remaining AOA sources:
- qualify the last available AOA (UNC) as reliable;
- figure out the correct AOA in case of disagreement between the last two available AOA; the correct AOA shall be considered reliable;
- in case of disagreement between the last two available AOA, if the estimator is not consistent with either AOA, both AOA are rejected.
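The qualification rules of this section (REL / UNC / REJ classes, the IRS cross-check for the last ADR source, the Theta-Gamma arbitration, and the NCD requalification below 60 kts described earlier in 6.1) as one added worked example. This is illustration code, not the thesis's own logic nor any Airbus implementation; the 2 deg consistency tolerance, the probe values and the reading of "the median among the remaining ADR AOA and the other two IRS AOA" as the median of the single ADR value and the two IRS values are assumptions made for the example.

```python
"""Added example: angle-of-attack qualification for a stall margin indicator.
Not code from the thesis or from Airbus; tolerance and sample values are constructed."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple

CONSISTENCY_TOL_DEG = 2.0   # constructed tolerance below which two AoA values "agree"


def consistent(a: Optional[float], b: Optional[float],
               tol: float = CONSISTENCY_TOL_DEG) -> bool:
    """Two values agree when both are present and differ by at most tol degrees."""
    return a is not None and b is not None and abs(a - b) <= tol


def qualify_adr(x: float,
                adr_others: List[Optional[float]],
                irs_others: List[Optional[float]],
                estimate: Optional[float]) -> Tuple[str, Optional[float]]:
    """Qualify one ADR AoA `x` that passed SSM acquisition and UAMM monitoring.

    adr_others: the other ADR AoA, None where rejected/failed by monitoring.
    irs_others: IRS AoA from the other probes, None where unavailable
                (already delayed to match the slower IRS refresh, per note 25).
    estimate:   Theta-Gamma AoA estimator output, None when unavailable.
    Returns (class, selected value) with class in {"REL", "UNC", "REJ"}.
    """
    others = [a for a in adr_others if a is not None]
    if others:
        # REL: another non-rejected ADR AoA agrees with x.
        if any(consistent(x, y) for y in others):
            return "REL", x
        # Disagreement of the last two sources: the estimator arbitrates.
        y = others[0]
        if consistent(x, estimate):
            return "REL", x
        if consistent(y, estimate):
            return "REL", y
        return "REJ", None          # estimator agrees with neither: both rejected

    # x is the last ADR AoA: cross-check against IRS (system evolution).
    irs = [a for a in irs_others if a is not None]
    if len(irs) == 2 and consistent(x, median([x, irs[0], irs[1]])):
        return "REL", x
    if len(irs) == 1 and consistent(x, irs[0]):
        return "REL", x
    # Still uncertain: the estimator may qualify the last AoA (UNC) to reliable.
    if consistent(x, estimate):
        return "REL", x
    return "UNC", x


@dataclass
class AdrAoa:
    aoa_deg: Optional[float]    # None = acquisition rejected by SSM treatment
    cas_valid: bool
    cas_kt: float               # CAS of the same ADR


def ssm_status(a: AdrAoa) -> str:
    """Legacy labelling: CAS valid and below 60 kt makes the AoA NCD."""
    if a.aoa_deg is None:
        return "REJ"
    if a.cas_valid and a.cas_kt < 60.0:
        return "NCD"
    return "NO"                 # normal operation


def usable_adr_aoa(adrs: List[AdrAoa], requalify: bool) -> List[Optional[float]]:
    """ADR AoA values the stall warning may use; with requalification an NCD
    value is kept when no other ADR AoA is in normal operation (deep stall case)."""
    out: List[Optional[float]] = []
    for k, a in enumerate(adrs):
        status = ssm_status(a)
        others_normal = any(ssm_status(o) == "NO" for j, o in enumerate(adrs) if j != k)
        if status == "NO" or (status == "NCD" and requalify and not others_normal):
            out.append(a.aoa_deg)
        else:
            out.append(None)
    return out


if __name__ == "__main__":
    # Constructed deep-stall case: all three ADRs read CAS 45 kt, AoA around 40 deg.
    deep = [AdrAoa(40.0, True, 45.0), AdrAoa(41.0, True, 45.0), AdrAoa(39.0, True, 45.0)]
    print(usable_adr_aoa(deep, requalify=False), usable_adr_aoa(deep, requalify=True))
    print(qualify_adr(5.0, [9.0, None], [None, None], 8.8))
```

Note the asymmetry the code preserves: a disagreement between the last two sources never silently picks one of them; without an estimator that agrees with one side, both are rejected, which is the "spurious alarm versus missing alert" trade-off the thesis makes explicit.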
6.2 Boeing B737 Max-8 conclusions
As a system is the synthesis of all the components used to assemble it, and it works because its internal modules operate at the same time, a system failure is also the normal outcome in any complex system such as an aircraft. According to Charles Perrow, a sociologist at Yale University whose 1984 book "Normal Accidents: Living with High-Risk Technologies" [21] argues that the behaviour of each component of the system impacts more or less heavily the behaviour of the other, "tightly bound", components, by increasing the safety of each system engineers apply techniques and redundancies that increase the complexity of the system itself and introduce other potential failure cases. Every increment, every increase in complexity, ultimately leads to decreasing rates of return and, finally, to negative returns.
This is the root of the old engineering axiom and its aviation-specific counterpart: "Simplify, then add lightness." The original FAA Eisenhower-era certification requirement was a testament to simplicity: "Planes should not exhibit significant pitch changes with changes in engine power". This old requirement was necessary at a time when a direct connection linked the controls in the pilot's hands to the aircraft's surfaces. Nowadays, in the technological world in which aircraft fly, there is always a software layer between the humans and the aircraft, and often something is missing between the two loops.
A parallel between the Boeing 737 Max-8 catastrophes and the Space Shuttle Challenger accident can be drawn. Just as the NASA accident is a case study in normal failure, the Boeing case came about because the rules said that a large pitch-up on power change could not be accepted, so an avionic system, the MCAS, was added to face this issue, and it was approved by an employee of the manufacturer, the DER. The rules did not say that the DER could not take business considerations into the decision-making process. And 346 people are dead. It is likely that MCAS, originally added in the spirit of increasing safety, has now killed more people than it could ever have saved. In the same way, the NASA rules said that pre-launch conferences had to be held to ensure the flight clearance, but nobody spoke about the political repercussions that delaying a launch would have had. The inputs were weighed, the process was followed, and a majority consensus was to launch. And seven people died. Both episodes are traceable to economic and political reasons; both Boeing and NASA followed the route of the least impacting consequences, and both cases ended in engineering catastrophes.
The first improvements Boeing should make to fix the issues in the MCAS function are to consider only the reliable and available AOA coming from the angle-of-attack sensors on the aircraft's nose and, further, to ensure a cross-check between the captain's and first officer's computers, so as to monitor the data the flight control computers are processing. The new software should activate only when both sensors agree that the aircraft's attitude is close to stall. At the Boeing state of the art, the system orders a nose pitch-down when the two sensors disagree on the aircraft attitude, even when one of the two sensors is out of order because of a failure; in such a case of sensor disagreement the system should deactivate and let the pilots take control of the aircraft. Another important software update could be to let the pilot override the system in case of data misreading; in that case the MCAS would not automatically reactivate, which the original system would do multiple times [22]. At the state of the art, the MCAS could be deactivated only by turning off the system switches.
7 Appendix I – Safety Assessment
Reliability engineering, as a separate engineering discipline, originated in the United States during the 1950s, because the increasing complexity of military electronic systems was generating failure rates that resulted in greatly reduced availability and increased costs. With the increasing cost and complexity of many modern systems, the importance of reliability as an effectiveness parameter, which should be specified and paid for, has become apparent.
The reliability problem can be approached at different levels: from a mathematical point of view, reliability concerns statistics and probability; from the point of view of a control expert, reliability is an extension of his efforts to buy and use the most reliable and flawless components. Reliability is essentially a "birth-to-death problem", involving all the areas of the product life cycle. The simplest, producer-oriented view of reliability is that in which a product is assessed against a specification or set of attributes and, when passed, is delivered to the consumer; the consumer, having accepted the product, accepts that it might fail at some future time.
The objectives of reliability engineering are:
- To apply engineering knowledge and techniques to prevent or reduce the likelihood or frequency of failures.
- To identify and correct the causes of failures that can occur, despite the efforts to prevent them.
- To determine ways of coping with failures that can occur, if their causes have not been corrected.
- To apply methods for estimating the likely reliability of new designs.
Reliability is defined as the probability that a system/product will perform in a satisfactory manner for a given period of time when used under specified operating conditions.
The failure severity is defined in system engineering according to a table for which an event is:
- Catastrophic (Level 1) when there is a failure propagation that, in terms of safety, translates into the loss of lives, life-threatening or permanently disabling injury or occupational illness, or the loss of systems (flight control system, launch site facilities, etc.);
- Hazardous (Level 2) in case of mission loss; in other terms, temporarily disabling but not life-threatening injury or temporary occupational illness, major damage to interfacing flight systems or ground facilities, etc.;
- Major (Level 3) when the failure provokes a major mission degradation;
- Minor (Level 4) when the failure causes a minor mission degradation or any other minor effect.
The failure occurrence plays an important role in determining the criticality of the failure. In fact, the failure likelihood is classified as:
- Frequent (Level 5): when the probability of occurrence in the product life cycle is greater than 10⁻¹;
- Probable (Level 4): if the probability of occurrence in the product life cycle is lower than 10⁻²;
- Occasional (Level 3): if the probability of occurrence in the product life cycle is lower than 10⁻³;
- Remote (Level 2): when the probability of occurrence in the product life cycle is greater than 10⁻⁶;
- Improbable (Level 1): when the probability of occurrence in the product life cycle is less than 10⁻⁶.
In the civil aviation domain, a catastrophic event may occur only with a probability less than 10⁻⁷.
Consequently, the failure criticality depends on its severity and on its probability of occurrence. If a number from one to five is assigned to the likelihood (PN) and to the severity (SN), the criticality (CN) can be written as:
CN = SN · PN
Table 5: Criticality table. A failure is ranked by the product of the severity of its consequences and the probability that it occurs. A failure could be acceptable if its criticality is lower than 6.
Figure 58: Cost impact on the product life cycle. It is evident that most of the cost of a product is spent during operations and support. This is the part in which my master thesis is placed. The cost to maintain the aircraft in service is on the rang
Figure 59: System cost on life cycle.
In Figure 59 the diagram shows the cost over the product life cycle. The lower line represents the actual costs spent during an aerospace programme. The line rises sharply when production starts and has its maximum slope during the operating phase: as confirmed in Figure 58, the cost of maintaining the aircraft in service, including the updated software in which this thesis is placed, is the largest expenditure in the product life cycle. The upper line in Figure 59 shows the costs that are not direct expenses but are committed by the decisions taken before entering production (e.g. for the Space Shuttle Program, the decision to make the orbiter reusable determined 70% of the future product costs by fixing the maintenance expenses).
7.1 Risk management toolset
A wide range of proven tools is available to identify and analyse risks to safety, Figure 60. In this context, the two most common approaches will be presented:
Failure modes and effects (and criticality) analysis (FMEA/FMECA): it is the most widely used and most effective method for reliability analysis. All the possible ways in which a system can be damaged or degraded have to be analysed to identify potential failures in the product (functional, hardware or process failures). Once the damaging/degrading causes are known, it is necessary to assess the effect of each component failure locally (to evaluate the failure propagation), at the higher levels of the system decomposition and up to the boundary of the product/process under analysis. This needs a failure classification based on the severity of the consequences and on the criticality. The approach is powerful, but it is difficult to analyse the different failure combinations, since it considers one failure at a time. This is the reason why it is used to investigate the system reliability rather than its safety; the analysis gives information about the system safety only if the failure is critical enough to provoke a catastrophic event. In order to examine the degrading situations and the potential failures in the product, different approaches can be followed:
- Functional approach: function failures are considered and assessed. It is known how the system should work, and the different cases in which the system cannot perform its function are evaluated.
- Hardware approach: actual hardware failure modes are considered. The FMEA/FMECA of complex systems is usually performed by using the functional approach followed by the hardware approach, when design information on the major system blocks becomes available.
- Process approach: potential process failures are considered (e.g. failures in manufacturing, assembly and integration, or testing operations). Human errors are addressed in the process.
FMEA/FMECA is an effective tool in the decision-making process, provided it is a timely and iterative activity. Late implementation or restricted application of the FMEA/FMECA dramatically limits its use as an active tool for improving the design or process.
The FMEA/FMECA is basically a bottom-up analysis, considering each single elementary failure mode and assessing its effects up to the boundary of the product or process under analysis. It is an integral part of the design process, as one of the tools that drive the design along the project life cycle, and it is updated throughout the project life cycle. According to the FMEA/FMECA process, an item (system, subsystem, structural part/subcomponent) is considered a critical item if:
- a failure mode is identified as a single-point failure together with a failure consequence severity classified as catastrophic, hazardous or major;
- a failure mode has failure consequences classified as catastrophic;
- a failure mode has a CN greater than or equal to 6.
Fault Tree Analysis (FTA): it is the most widely used and most effective method for safety analysis (FMEA/FMECA being, on the other hand, the most effective method for reliability analysis). The FTA objectives are to identify the causes of a specific failure (especially safety-critical failures), to assess a system design for its safety (or reliability), and to identify the effects of human errors, so as to quantify the failure probability and its contributors. Unlike FMEA, FTA is a deductive (top-down) approach that resolves the causes of an event through the development of a fault tree. The fault tree is a detailed logic model describing the different combinations of failures that can provoke a specific system failure, defined as the Top Event. The FTA can be either a qualitative or a quantitative analysis. The fault tree starts with the identification of a system failure and goes back, discovering and investigating subsystem failures, until all the elementary causes (the analysis also identifies the human errors) that would provoke it are found. The main system is decomposed into many subsystems, down to the elementary components. A boundary domain can be defined so that all the causes within it are evaluated by the analysis. The logical relationships between the events are shown by logic symbols (OR and AND gates).
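A small fault tree evaluator, added here as an example to show both the qualitative side of FTA (minimal cut sets through OR and AND gates) and the quantitative side (top event probability), together with the FMECA single-point-failure criterion from the previous list. It is not code from the thesis. The two trees compare the legacy architecture (stall warning only in the FWC) with the enhanced one (FAC main, FWC backup) discussed in the conclusions; the event names and per-flight-hour probabilities are constructed, and basic events are assumed independent.

```python
"""Added example: minimal cut sets and top-event probability of a fault tree.
Not code from the thesis; trees, names and probabilities are constructed."""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Set, Union


@dataclass
class Basic:
    name: str
    p: float            # constructed probability of the basic event (independent)


@dataclass
class Gate:
    name: str
    kind: str           # "AND" or "OR"
    inputs: List["Node"]


Node = Union[Basic, Gate]


def probability(node: Node) -> float:
    """Quantitative FTA: AND = product of inputs, OR = 1 - product of (1 - input)."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(c) for c in node.inputs]
    result = 1.0
    if node.kind == "AND":
        for p in ps:
            result *= p
        return result
    for p in ps:
        result *= 1.0 - p
    return 1.0 - result


def _minimize(sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    """Drop any cut set that strictly contains another cut set."""
    return {s for s in sets if not any(o < s for o in sets)}


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Qualitative FTA: every minimal combination of basic events that causes `node`."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    children = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        sets = set().union(*children)
    else:
        sets = {frozenset().union(*combo) for combo in product(*children)}
    return _minimize(sets)


def single_point_failures(node: Node) -> List[str]:
    """Basic events that alone cause the top event (FMECA critical-item criterion)."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1)


# Constructed basic events
FAC1_LOSS = Basic("FAC1_LOSS", 1e-4)
FAC2_LOSS = Basic("FAC2_LOSS", 1e-4)
FWC_LOSS = Basic("FWC_LOSS", 1e-4)
ADR_AOA_LOST = Basic("ADR_AOA_LOST", 1e-5)
IRS_AOA_LOST = Basic("IRS_AOA_LOST", 1e-5)
SPEED_LOST = Basic("SPEED_LOST", 1e-5)

# No input left for either the AoA based or the speed based warning.
NO_INPUT_DATA = Gate("NO_INPUT_DATA", "AND", [
    Gate("ALL_AOA_LOST", "AND", [ADR_AOA_LOST, IRS_AOA_LOST]),
    SPEED_LOST,
])

# Enhanced architecture: FAC computes the warning, FWC is the backup.
ENHANCED_TOP = Gate("STALL_WARNING_UNAVAILABLE", "OR", [
    Gate("NO_COMPUTER", "AND", [FAC1_LOSS, FAC2_LOSS, FWC_LOSS]),
    NO_INPUT_DATA,
])

# Legacy architecture: the warning lives in the FWC only.
LEGACY_TOP = Gate("STALL_WARNING_UNAVAILABLE", "OR", [FWC_LOSS, NO_INPUT_DATA])


if __name__ == "__main__":
    for label, tree in (("legacy", LEGACY_TOP), ("enhanced", ENHANCED_TOP)):
        print(label, probability(tree),
              sorted(sorted(s) for s in minimal_cut_sets(tree)),
              single_point_failures(tree))
```

Running it shows the point the thesis makes qualitatively: in the legacy tree `FWC_LOSS` is a single-point cut set, while in the enhanced tree the smallest cut set has three events and the top event probability drops by many orders of magnitude (under the independence assumption, which a real analysis would have to justify for shared power or data buses).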
Figure 60: Design to safety
A skilled analyst develops the fault tree by deductively reasoning backward from a top event through intermediate fault events to the root causes. The analyst reviews the model results with knowledgeable design, operations and maintenance personnel, so that they can suggest corrective actions when the model reveals significant weaknesses. FTA computer software is used to identify the various combinations of basic failures that lead to a given failure. This method requires much experience to elaborate a complete fault tree: the analyst must have a complete view of the system or product, in every subsystem down to the elementary components. As a matter of fact, defining the wrong top event will result in wrong assessments and conclusions, and the same holds for setting out a wrong event path because of a wrong knowledge of the system.
8 Appendix II – Characteristic speeds
The characteristic speeds are computed inside the Auto Flight System, in particular by the Flight Augmentation Computer, on each flight, depending on the aircraft weight/CG and configuration. Once computed, they are displayed on the PFD and used by the different functions as manoeuvring speeds, in order to keep the aircraft within the safe flight envelope.
During the climb, the flight is generally limited by the Air Traffic Control instructions, and the
aircraft has to accelerate while maintaining the optimized climb profile, managing the different slat/flap
configurations until it reaches the clean configuration. In this first phase of flight the F speed and the S speed
are important because they are the minimum speeds at which the flaps and the slats should be retracted. In
particular, F speed is the minimum speed at which the transition from CONF 3 to CONF 2 or CONF 1+F can
be allowed, and it provides a margin above the stall speed in configuration 1+F. On the other hand, S speed is
the minimum speed at which the clean configuration should be selected, providing a margin above the stall
speed in clean configuration. These speeds are displayed only when the slats and flaps are extended. F and S
speeds are functions of the aircraft attitude, weight, and slat and flap positions; they are interpolated in the
Flight Augmentation Computer from tabular values. Another important speed at the end of the climb is the
Green Dot speed which, with all engines operative, estimates the speed for the best lift-to-drag ratio and also
represents the recommended holding speed in clean configuration. With one engine inoperative in clean
configuration, it represents the speed giving the highest climb gradient. The Green Dot speed is only
displayed on the PFD in clean configuration (slats and flaps completely retracted).
At a given altitude, temperature and aircraft weight, two equilibrium points are possible at which the
thrust compensates the drag and the flight level is stabilized, see Figure 61. Point 2 is above the Green Dot
speed and represents a stable equilibrium point in cruise: if a disturbance provoked a speed increase, the
drag would rise, making the speed decrease back to the starting point 2. Conversely, if the airspeed
decreased, the drag would decrease and the thrust would exceed it, re-accelerating the aircraft up to the
equilibrium point 2. At point 2 the aircraft is stable, in the first regime. Point 1 is an unstable equilibrium
point because, when the airspeed decreases, the drag is higher than the thrust and the aircraft would continue
to decelerate without any deliberate action, and vice versa.
Point 3 is the Recommended Maximum speed for a given altitude, because the higher the aircraft flies,
the lower the maximum thrust available. When the speed reduces below point 3, there is no thrust margin
available to accelerate while maintaining a stabilized level flight; the only way to stop the deceleration is
then to lose altitude in order to accelerate beyond point 3. REC MAX is the upper cruise altitude limit.
Figure 61: Thrust versus speed for a jet engine. The Green Dot speed is at the minimum of the drag curve.
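The stability argument for points 1 and 2 above, worked through numerically as an added example (not the thesis's model): it assumes a parabolic drag polar D(v) = k1·v² + k2/v² and a thrust that does not vary with speed, with constructed coefficients in arbitrary consistent units, and classifies each thrust/drag equilibrium by perturbing the speed.

```python
"""Speed stability of the thrust/drag equilibrium in level flight (points 1 and
2 of Figure 61). Added example, not from the thesis: it assumes a parabolic
drag polar D(v) = k1*v^2 + k2/v^2 and a thrust that does not vary with speed,
with constructed coefficients in arbitrary consistent units."""
import math

def drag(v, k1, k2):
    """Level-flight drag: parasite term k1*v^2 plus lift-induced term k2/v^2."""
    return k1 * v * v + k2 / (v * v)

def green_dot_speed(k1, k2):
    """Minimum-drag speed (best lift-to-drag ratio): dD/dv = 0 gives v^4 = k2/k1."""
    return (k2 / k1) ** 0.25

def equilibrium_speeds(thrust, k1, k2):
    """Speeds at which thrust equals drag, the roots of k1*v^4 - T*v^2 + k2 = 0.
    Returns (v1, v2) with v1 < green dot < v2, or None if the thrust cannot
    balance the minimum drag (no stabilized level flight at this altitude)."""
    disc = thrust * thrust - 4.0 * k1 * k2
    if disc < 0.0:
        return None
    root = math.sqrt(disc)
    v1 = math.sqrt((thrust - root) / (2.0 * k1))
    v2 = math.sqrt((thrust + root) / (2.0 * k1))
    return v1, v2

def is_speed_stable(v, thrust, k1, k2, dv=0.1):
    """An equilibrium is stable when a small speed change produces a net force
    (thrust minus drag) that pushes the speed back: deceleration when faster,
    acceleration when slower. This is the text's point 2 (first regime)."""
    net_when_faster = thrust - drag(v + dv, k1, k2)
    net_when_slower = thrust - drag(v - dv, k1, k2)
    return net_when_faster < 0.0 and net_when_slower > 0.0

def classify_equilibria(thrust, k1, k2):
    """Return the green dot speed and each equilibrium speed with its stability flag."""
    speeds = equilibrium_speeds(thrust, k1, k2)
    if speeds is None:
        return None
    v1, v2 = speeds
    return {"green_dot": green_dot_speed(k1, k2),
            "point_1": (v1, is_speed_stable(v1, thrust, k1, k2)),
            "point_2": (v2, is_speed_stable(v2, thrust, k1, k2))}
```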
Vαprot is the speed corresponding to the maximum angle of attack at which Alpha Protection
becomes active. It is only displayed in normal law. Vαmax, at the opposite end, is the speed corresponding
to the maximum angle of attack the aircraft can fly in normal law. On the A320 family, Vαprot and Vαmax can
have different numerical values on the PFDs because the speeds come from different sources for the two
displays (1 and 3 for PFD1, 2 and 3 for PFD2) [23].
At a given weight and configuration, each aircraft has a minimum selectable speed, VLS, at which the
auto-thrust can be engaged, and a maximum speed. VLS is computed as 1.13 Vs@1g at take-off, 1.23 Vs@1g
elsewhere with 0.2g/buffeting, and 1.28 Vs@1g in clean configuration. Deliberately flying below VLS could
either lead to an activation of the AOA protection on a protected aircraft, or expose the aircraft to a stall if it
is not protected, i.e. flying in degraded law.
At cruise altitude, there needs to be a safe margin relative to these lowest and highest speeds before
the flight envelope protection activates. VFE is the maximum speed at which the aircraft can fly with flaps
extended; its value depends on the flap position. Typically, the maximum speed of the aircraft is called
VMAX and it is equal to VLE (maximum speed allowed with the landing gear extended) or VFE (see footnote
26), according to the aircraft configuration. VMAX is equal to VMO only in clean configuration. In cruise,
VMO is the upper limit of the aircraft flight envelope and it accounts for structural limits. V_CAS TREND is
the airspeed trend, corresponding to the speed increment over 10 seconds at the current acceleration of the
aircraft. It is displayed as an arrow on the PFD.
Evidently, Air Traffic Control can take action to modify the optimum cruise profile depending on the
traffic or the weather conditions; otherwise the speeds are computed to optimize the flight performance.
Footnote 26: VFEN is the predictive VFE at the next flap/slat position, in the landing phase.
9 Appendix III - Autopilot engagement
The autopilot engages through two pushbutton switches located on the central section of the FCU
(AP1 and AP2). The autopilot (dis)engagement logics are coded in the FMGC, in particular in the Flight
Guidance part, in both the command and the monitor channel. In cruise only one autopilot can be engaged at
a time; both autopilots can be engaged only when the landing or go-around modes are active or armed. When
both autopilots are engaged, AP1 has priority and is active while AP2 is in standby, becoming active if AP1
is lost. An autopilot can be engaged five seconds after lift-off, in active Flight Director mode (if at least one
FD is engaged) or in HDG and V/S modes (if no FD is engaged). At autopilot engagement, the load
thresholds on the side stick controllers and on the rudder pedals increase. The autopilot engagement is
indicated by the illumination of the corresponding pushbutton switch (three green bars), and the AP1 or
AP2 indication appears in the status column of the PFDs.
The pilots can disengage the autopilot by acting on the disengagement button switch, with the
green bars on, or by acting on the side stick controller (or on the pedals), which always has priority over the
autopilot system. The autopilot system can disengage in case of detection of a long power failure (LPF) by
the power unit. In the event of a short interruption, the engage signal maintains its pre-cut-off state, the final
circuits being supplied with back-up currents.
The autopilot engagement is accomplished through a hardware part and a software part.
The hardware part considers the AP ENGD Boolean generated in the software part, the logic signal
FG HEALTHY and the AP switch wired discrete variable from the FCU. The AP ENGD Boolean hardware
logic uses both the command and the monitoring channels. During the safety test (at power rise) the AP
switch signal is inhibited, prohibiting engagement through the pushbutton switch. The AP ENGD variables
are used by the FACs (selection of AUTO mode and acquisition of the yaw axis guidance signals), by the
ELACs (selection of AUTO mode and acquisition of the guidance signals for the pitch and roll axes and the
nose-wheel steering), by the FCU (illumination of the corresponding pushbutton switch and selection of
the FMGC which generates the AP warning), by the opposite FMGC and by the OWN FMGC. Regarding the
software part, a flip-flop is set to 1 if all the engagement conditions are active:
- Action on the engagement pushbutton switch.
- Ground condition: engagement is possible in any mode only if the engine is shut down.
- Flight condition: engagement is possible 5 seconds after lift-off.
In order to allow the autopilot engagement (Figure 62), a peripherals check is performed to verify
that at least one FAC is available (CMD and MON FAC HEALTHY wired discrete variables) and that the
ELAC generates the ELAC AP DISC discrete variables; in fact the AP disengages only upon a command from
the two ELACs, sent to the FMGC through the FACs. The last necessary and sufficient condition to engage
the autopilot is that no stall warning or low energy alarm is triggered.
Figure 62: AP engagement logic
The autopilot disengages in case of any failure in the computation of the characteristic speeds; this is
the reason why, to enhance the autopilot authority, the FMGC must be able to compute the backup
characteristic speeds in case the FACs are lost. The autopilot disengages if the internal monitor in the FMGC
is not healthy or if there is any flight warning from the ADC, IRS or FCU. Other sufficient conditions for
autopilot disengagement are the rudder trim (OWN and OPP) not engaged or the yaw damper (OWN and
OPP) not engaged: the disconnection of a single feature leads to autopilot disengagement. Evidently these
conditions are confirmed by the FAC (OWN and OPP) healthy status.
The ELAC can send the autopilot disengagement status directly, and this is the last condition for
autopilot disconnection.
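A simplified model of the AP ENGD set/reset latch described in this appendix, added here as an example (it is not the FMGC code nor the thesis's Simulink model): the input names are assumptions, the hardware part, the CMD/MON channel pair and Figure 62 are not modelled, and reset is given priority over set.

```python
"""Simplified model of the AP ENGD latch (flip-flop set/reset) of Appendix III.
Added example, not the FMGC code: input names are assumptions; the hardware
part, the CMD/MON channel pair and Figure 62 are not modelled."""
from dataclasses import dataclass

@dataclass
class ApInputs:
    """Discrete inputs of the engagement logic; the defaults are a constructed nominal in-flight state."""
    ap_pushbutton: bool = False        # action on the AP1/AP2 pushbutton switch (FCU wired discrete)
    disengage_button: bool = False     # disengagement button, or side stick / pedal action by the pilot
    on_ground: bool = False
    engine_running: bool = True        # on ground, engagement is only possible with the engine shut down
    time_since_liftoff_s: float = 60.0
    fd_engaged: bool = True            # at least one FD engaged
    hdg_vs_modes: bool = False         # HDG and V/S modes: required when no FD is engaged
    fac_healthy: bool = True           # at least one FAC available (CMD and MON FAC HEALTHY discretes)
    elac_ap_disc: bool = False         # ELAC AP DISC discrete from the two ELACs, via the FACs
    stall_warning: bool = False
    low_energy: bool = False
    speeds_valid: bool = True          # characteristic speeds computed (by the FAC, or the FMGC backup)
    fmgc_monitor_healthy: bool = True
    adc_irs_fcu_warning: bool = False
    rudder_trim_engaged: bool = True   # OWN and OPP
    yaw_damper_engaged: bool = True    # OWN and OPP
    long_power_failure: bool = False   # LPF detected by the power unit; a short cut keeps the state
    safety_test_running: bool = False  # at power rise the AP switch signal is inhibited

def engage_conditions(i: ApInputs) -> bool:
    """Set input of the flip-flop: true only while every engagement condition holds at once."""
    if i.on_ground:
        phase_ok = not i.engine_running
    else:
        phase_ok = i.time_since_liftoff_s >= 5.0 and (i.fd_engaged or i.hdg_vs_modes)
    switch_ok = i.ap_pushbutton and not i.safety_test_running
    return (switch_ok and phase_ok and i.fac_healthy and not i.elac_ap_disc
            and not i.stall_warning and not i.low_energy)

def disengage_conditions(i: ApInputs) -> bool:
    """Reset input: any single one of these conditions is sufficient to disconnect the AP."""
    return (i.disengage_button or i.long_power_failure or i.elac_ap_disc
            or not i.speeds_valid or not i.fmgc_monitor_healthy or i.adc_irs_fcu_warning
            or not i.rudder_trim_engaged or not i.yaw_damper_engaged or i.stall_warning)

def ap_engd_next(ap_engd: bool, i: ApInputs) -> bool:
    """One evaluation cycle of the AP ENGD latch; reset has priority over set."""
    if disengage_conditions(i):
        return False
    if engage_conditions(i):
        return True
    return ap_engd                       # neither set nor reset: keep the previous state
```

Calling `ap_engd_next` once per cycle with the previous state reproduces the latch behaviour: the pushbutton only needs to be pressed once, and a stall warning or loss of the characteristic speeds drops the AP even while the button is held.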
10 Appendix IV – Matlab code
In this appendix, the MATLAB code used for the thesis is proposed to simulate the behaviour of the
function in Simulink. The code runs the Simulink schema shown in Chapter 4 of this thesis. The Simulink
simulation is only a technology demonstrator of the function: all the inputs of the function are simulated
and taken as constant for the sole aim of the simulation. In the real aircraft application, these inputs come
from the ADIRS, SFCC, FMS and other on-board computers, following the internal monitoring or the aircraft
configuration/flight phase. The validity of the variables is also imposed in the simulation, whereas in the real
case it is monitored, and the physical link is checked. The Simulink model is not a realistic model of the
complete aircraft, but it tests the correct functioning of the Enhanced Stall Warning system update in
terms of:
- Enhanced Stall Warning capacity
  o AOA based stall warning
  o Speed based stall warning
- AOA monitoring and selection upon ADR and IRS failures
- Threshold computations
  o AOA threshold
  o Speed threshold
- Inhibitions
  o At take-off
  o In wind-shear
- Stall warning activation request
ALTER_LAW = true; % A/C in alternate law
TO_mode = false; % A/C in take-off mode
WINDSHEAR_act = false; % Windshear alarm
%% Pin-prog installation: both must be active for the simulation
ESW = true; % Enhanced Stall Warning pin prog
UAMM = true; % Unreliable Airspeed Mitigation Means pin prog
%% Speed based ESW
VLS_HEALTHY = 1; % Lower selectable speed
VSW_HEALTHY = 1; % Stall Warning speed
VMAX_HEALTHY = 1; % Maximum speed
VC_3_ADR_FAIL = 0; % 3 CAS airspeed failed
%% Speed threshold
N_z = 2; % N=L/W
VLS = 120; % [kts]
k = 0.93; % tuning factor
SPD_REF = 50; % [kts]
%% AOA based ESW
CLEAN_CONF = true; % clean configuration: slats extended less than 15°
SFCC_LOSS = true; % both FWC and SFCC out of order
Some simulation results are reported. The graphs are not realistic, as the values on the graphs are
out of range, because for company policy the data are strictly confidential. The graphs are reported only to
show the triggering of the stall warning as a function of the angle of attack or of the speed values.
Figure 63: ESW capacity: in this simulation the ESW is based on AOA.
Figure 64: Stall warning triggering. When the voted value (in case three AOA are available), the average or the last value is above the set threshold, the alarm is triggered and the autopilot is disconnected. In this simulation all the AOA are available and some uncertainty is introduced in the threshold level. The saturation is forced; in reality the AOA evolution after the AP disengagement depends on the crew.
Figure 65: ESW capacity: in this simulation the ESW is based on speed, after the AOA loss following the ELAC watchdog triggering.
Figure 66: Stall warning triggering when the CAS airspeed is below the speed threshold. In this case too the values are not real, nor is the saturation: after the triggering of the stall warning the autopilot disconnects and the speed evolution depends on the crew.
11 Code List
A/C Aircraft
ADIRS Air Data Inertial Reference System
ADIRU Air Data Inertial Reference Unit
ADM Air Data Module
ADR Air Data Reference
AFS Auto Flight System
AOA Angle of Attack
AP Autopilot
CDS Cockpit Displays System
CLB Climb
DFDR Digital Flight Data Recorder
DMC Display Management Computer
DME Distance Measuring Equipment
ECAM Electronic Centralized Aircraft Monitor
ECU Engine Control Unit
EEC Electric Engine Control
EFCS Electric Flight Control System
EIS Electronic Instrument System
ELAC Elevator Aileron Computer
ESW Enhanced Stall Warning
ETA Estimated Time of Arrival
FAC Flight Augmentation Computer
FADEC Full Authority Digital Engine Control
FCU Flight Computer Unit
FD Flight Director
FDR Flight Data Recorder
FE Flight Envelope
FG Flight Guidance
FM Flight Management
FMA Flight Mode Annunciator
FMGC Flight Management and Guidance Computer
FMGS Flight Management and Guidance System
FWC Flight Warning Computer
GPWS Ground Proximity Warning System
HDG Heading
ILS Instrument Landing System
IPPU Instrumentation Position Pick-off Units
LGCIU Landing Gear Control and Interface Units
MACH Mach number
MCDU Multipurpose Control and Display Unit
PFD Primary Flight Display
SEC Spoiler Elevator Computer
SER Specification Evolution Request
SFCC Slat/Flap Control Computer
SMI Stall Margin Indicator
SPD Speed
SSM Sign Status Matrix
TOGA Take Off / Go Around
UAMM Unreliable Airspeed Mitigation Means
VHF Very High Frequency
VOR VHF Omnidirectional Range
12 References
[1] M. Ricci, Clear 2022 Strategic Plan, 2018.
[2] H. M. Kevin Forsberg, The Relationship of System Engineering to the Project Cycle, October 1991.
[3] A. IDYC, “Autoflight: from systems to flight control laws,” 2010.
[4] B. d. Araujo, “AUTOFLIGHT - Deeper in flight control law and autoland,” December 2018.
[5] A. OPERATION, “General AFS Architecture for A318/319/320/321 CEO – System Description Note,” 2002.
[6] R. Borfigat, “SA – Flight Augmentation Computer – General Principles,” 2017.
[7] Airbus, “A320 Primary Flight Control,” 2010.
[8] Airbus, “A320 ATA 31 EIS”.
[9] Airbus, “Flight Augmentation Computer,” 2003.
[10] B. Gilissen, “Quora,” June 2017. [Online]. Available: https://www.quora.com/What-is-A330%E2%80%99s-alpha-protection. [Accessed December 2019].
[11] K. G. B. M. A. M. N. G. L. M. D. M. L. K. Krishnakumar, “Intelligent Control for the BEES Flyer,” 2004.
[12] A. t. p. i. Y. 1. Gilbert Mitonneau, Interviewee, Certified flight test, Formation FMS. [Interview]. October 2019.
[13] J. Rosay, “What is stall? How a pilot should react in front of a stall situation,” Airbus Safety Magazine, 2011.
[14] I. L. J. S. P. Traverse, “Airbus Fly-by-wire: A process toward total dependability,” 2006.
[15] G. Travis, “How the Boeing 737 Max Disaster Looks to a Software Developer,” IEEE Spectrum, April 2019. [Online]. Available: how-the-boeing-737-max-disaster-looks-to-a-