Safety Issues in Fly-by-Wire Control Systems

Although fully fly-by-wire flight control systems have become common on very fast or large airplanes, questions remain as to their safety. No matter what level of redundancy is provided, one can always imagine improbable situations in which all hydraulic or electrical systems are wiped out. Because of the very high power requirements of hydraulic controls, their pumps are driven by the main engines. This necessitates long high-pressure tubing runs between the engines and the control surfaces. The long high-pressure hydraulic lines are subject to breakage from fatigue; from wing, tail, and fuselage structural deflections; and from corrosion and maintenance operations.

The dangers of high-pressure hydraulic line breakage or leaking, with drainage of the system, could be avoided at some cost in weight and complexity with standby emergency electrically driven hydraulic pumps located at each control surface. An additional safety issue is hydraulic fluid contamination. Precision high-pressure hydraulic pumps, valves, and actuators are sensitive to hydraulic fluid contamination.

In view of rare but possible multiple hydraulic and electrical system failures, not to mention sabotage, midair collisions, and incorrect maintenance, how far should one go in providing some form of last-ditch backup manual control? Should airplanes in passenger service have last-ditch manual control system reversion? If so, how will that be accomplished with side-stick controllers?

In the early days of hydraulically operated controls and relatively small airplanes the answer was easy. For example, the 307 Stratoliner experience and other hydraulic power problems on the XB-47 led Boeing to provide automatic reversion to direct pilot control following loss in hydraulic pressure on the production B-47 airplanes. Follow-up trim tabs geared to the artificial feel system minimized trim change when the hydraulic system was cut out. Also, when hydraulic power was lost, spring tabs were unlocked from neutral.

Manual reversion saved at least one Boeing 727 when all hydraulic power was lost, and a United Airlines Boeing 720 made a safe landing without electrical power. The last-ditch safety issue is less easily addressed for commercial airplanes of the Boeing 747 class and any larger superjumbos that may be built. Both Lockheed L1011 and Boeing 747 jumbos lost three out of their four hydraulic systems in flight. The L1011 had a fan hub failure; the 747 flew into San Francisco approach lights. A rear bulkhead failure in Japan wiped out all four hydraulic systems of another 747, causing the loss of the airplane.

In another such incident the crew, headed by Delta Airlines Captain Jack McMahan, was able to save a Lockheed 1011 in 1977 when the left elevator jammed full up, apparently during flight control check prior to takeoff at San Diego (McMahan, 1983). There is no cockpit indicator for this type of failure on the 1011, and the ground crew did not notice the problem. McMahan controlled the airplane with differential thrust to a landing at Los Angeles. This incident was a focus of a 1982 NASA Langley workshop on restructurable controls.

Workshop attendees discussed the possible roles of real-time parameter identification and rapid control system redesign as a solution for control failures.

Thus, although fully mechanical systems can also fail in many ways, such as cable misrig or breakage, jammed bellcranks, and missing bolts, questions remain as to the safety of modern fly-by-wire control systems. The 1977 Lockheed 1011 incident, a complete loss in hydraulic power in a DC-10 in 1989, and other complete control system losses led to the interesting research in propulsion-controlled aircraft described in Sec. 20.11.