fail operational autoland and standby instruments on the BBJ

    Why is the fail operational autoland not an option in the BBJ?

    And why can't we switch between the various standby instruments already available? I've seen pictures of BBJ cockpits with the fully analogue standby instruments, so at least they should be an option.

    Kristoffer Rivedal

    #2
    Originally posted by SK331
    Why is the fail operational autoland not an option in the BBJ?

    And why can't we switch between the various standby instruments already available? I've seen pictures of BBJ cockpits with the fully analogue standby instruments, so at least they should be an option.
    A1: Fail Operational requires a minimum of three serviceable autopilots installed and working in the aircraft, not two.

    A2: Good question. Why not send PMDG some photos so that they can see exactly what you mean?
    Michael Codd



      #3
      Originally posted by Michael Codd

      A1: Fail Operational requires a minimum of three serviceable autopilots installed and working in the aircraft, not two.
      Not true, it requires three AP channels. The NG comes with two as the standard. The third became available with the Collins MCP. Not many airlines have it however. Air Berlin and JAL are the only two I know of.
      This feature is a part of the options you can select in the regular NGXu.
      Kristoffer Rivedal



        #4
        Originally posted by Michael Codd

        A1: Fail Operational requires a minimum of three serviceable autopilots installed and working in the aircraft, not two.
        You don't need 3 autopilots to be fail operational. There are many airplanes with just two autopilots (including B737 NGs) that are CATIIIB fail operational. I believe the fail operational 737s have an additional channel and an electrical rudder PCU (standard 737 autopilots don't actuate on the rudder at all) and they also get additional redundancy from the ISFD inertial.
        Omar Josef
        Spain



          #5
          Originally posted by Aeromar
          You don't need 3 autopilots to be fail operational. There are many airplanes with just two autopilots (including B737 NGs) that are CATIIIB fail operational. I believe the fail operational 737s have an additional channel and an electrical rudder PCU (standard 737 autopilots don't actuate on the rudder at all) and they also get additional redundancy from the ISFD inertial.
          I am very surprised, Omar, because I am not aware of any Boeing aircraft fitted with only two autopilots where their systems are referred to as 'Fail Operational'. The only ones I know of are referred to as 'Fail Passive'.

          These two phrases are often confused with each other, but my understanding is that 'Fail Operational' means a single A/P fault will not prevent the remaining two autopilots from carrying out an automatic landing; whereas 'Fail Passive' means a single fault in the one remaining A/P system will not result in a significant deviation from the desired flight path.

          Are you saying if you lose one autopilot in your B737 and you are now left with only one autopilot channel engaged then the aircraft is still capable of carrying out a full CATIIIB autoland? To be honest, I find this difficult to understand when I know of other Boeing aircraft fitted with only two autopilots, such as the early B747/100 series, that could only continue an approach to coupled (CAT 1) limits with one remaining autopilot channel engaged; and not only because it would not flare the aircraft. Even the much later B744 limitations state that it is not permitted to autoland at all unless a minimum of two out of its three autopilot channels remain engaged.
          Michael Codd



            #6
            Originally posted by SK331
            And why can't we switch between the various standby instruments already available? I've seen pictures of BBJ cockpits with the fully analogue standby instruments, so at least they should be an option.
            Those with the non-BBJ standby instruments are no "real" BBJs. They are 737NGs where somebody installed aux tanks and an executive cabin. But they were not built by Boeing as BBJs, which means that they may not have all BBJ features, such as the changed cabin pressure schedule, etc.



              #7
              Originally posted by Michael Codd

              I am very surprised, Omar, because I am not aware of any Boeing aircraft fitted with only two autopilots where their systems are referred to as 'Fail Operational'. The only ones I know of are referred to as 'Fail Passive'.

              These two phrases are often confused with each other, but my understanding is that 'Fail Operational' means a single A/P fault will not prevent the remaining two autopilots from carrying out an automatic landing; whereas 'Fail Passive' means a single fault in the one remaining A/P system will not result in a significant deviation from the desired flight path.

              Are you saying if you lose one autopilot in your B737 and you are now left with only one autopilot channel engaged then the aircraft is still capable of carrying out a full CATIIIB autoland? To be honest, I find this difficult to understand when I know of other Boeing aircraft fitted with only two autopilots, such as the early B747/100 series, that could only continue an approach to coupled (CAT 1) limits with one remaining autopilot channel engaged; and not only because it would not flare the aircraft. Even the much later B744 limitations state that it is not permitted to autoland at all unless a minimum of two out of its three autopilot channels remain engaged.
              Oh there are many fail operational 737s that do CATIIIB. Fly Dubai 737s are fail operational and they have 2 Collins autopilots. You just have to pay more money to get these options.

              Airbuses also have 2 autopilots and I think most of the new ones are Fail Operational. What you say is correct according to ATPL theory, but of course, there's more to it. In most CATIIIB airplanes, if you start an approach and you get a certain failure before the alert height, you may continue the approach and downgrade from IIIB to IIIA (which is usually as simple as increasing your DH to 50ft from 0ft). That's how we did it on the 3 autopilot 757. After the alert height, you will only go around if your ASA says "No Autoland". If you lose one autopilot, the other one may take over and still do the autoland on higher minimums. It's all about that redundancy for which you may or may not need a full additional autopilot. It's not about the amount of autopilot, it's about the channels and the amount of data/hyd/elec sources available for those autopilots.

              Don't think about losing an autopilot. Think about losing a hyd source, or an engine generator, etc. Is the battery available to get an extra AC source? Is the APU on and will it go on buses automatically? Is there a third source of attitude information (3IRS or ISFD)? Is there redundancy on radio altitude?

              I have never flown a Fail Operational 737 but I assume the system would be similar (All the 737s in my airline are fail passive CATIIIA to 50ft). At a certain height, there would be power and control separation. Each autopilot would use an independent power source (battery, gen, apu, etc) and each autopilot would control separate channels (roll, yaw, pitch), etc. On the 757 you could feel a short vibration on the rudder pedals when the third autopilot took over. What I know is that fail operational 737s separate control by using an additional channel that controls the rudder electrically and also get additional inertial data from the ISFD's own inertial. Maybe the system isn't as robust as in more modern airplanes like the 757 onwards and that could result in different degradations or a higher alert height. As I said, I haven't studied or flown fail operational 737s, but I know there are many CATIIIB fail operational 737s out there.

              In the FMC settings of the NGX/NGXu you can switch to fail operational mode and it'll do rollout and CATIIIB to CATIIIA degradation. It'll also do the wind compensation change and it's really cool to watch. Above a certain height, the airplane compensates for wind by keeping wings level and crabbing to the wind. Below a certain height, the airplane will decrab by pointing the nose to the runway and compensate wind with a bank angle. Then it'll touch down with one wheel first. You can see this if you do an autoland in P3D with a crazy crosswind, say 40kts.
              Last edited by Aeromar; 25Oct2020, 09:32.
              Omar Josef
              Spain



                #8
                Originally posted by Aeromar
                Oh there are many fail operational 737s that do CATIIIB. All Fly Dubai 737s are fail operational.

                Airbuses also have 2 autopilots and I think most of the new ones are Fail Operational...............
                I understand what you are saying, including the bit about the autoland reversionary decision that is made (subject to an airline's own approved procedures) on every planned autoland approach by the pilots at approx 1,000ft AGL.

                Unfortunately I am not familiar with Airbus or Fly Dubai's 737 operations. I am always willing to be corrected, but what I do not believe is that the pilots of a commercial aircraft with only two autopilots fitted are permitted by their aircraft's FCOM Limitations section to carry out a full autoland with only one remaining autopilot channel engaged after a fault has occurred in the other autopilot channel that renders it unserviceable for the rest of that approach.

                In the Boeing aircraft I am familiar with, during a normal dual autopilot equipped autoland only one of the two engaged autopilots will be controlling the aircraft at any given time throughout the approach and that will be the one with the least error signal. This means the other serviceable channel is still engaged but passive so that unannounced switching between the two autopilots may take place at any given time. This is why this mode of operation is called Fail Passive and not Fail Operational.

                During a triple channel autoland approach the signals from the three autopilots are handled somewhat differently in that they are normally compared with each other after the autoland system has carried out its own self-test. From then onwards the channel with the mean signal will be controlling the aircraft's flight path. This is inherently very safe and more accurate when it comes to following the ILS signals and landing on the runway centreline. It also means if one of the three autopilot channels should fail this self-test, or develop a single fault or drop out at any time during the approach the remaining two autopilots will still be operational and capable of autolanding the aircraft (subject of course to the usual reversionary minima decision, if any). This is why this mode of operation is called Fail Operational.

                We have only to look at what happened with the B737 Max and its faulty MCAS system to see how disastrous it can be to rely totally on only one safety critical component such as a single sensor (or autopilot for that matter) to control the aircraft at all times. Rest assured I have no desire whatsoever to be on board any aircraft where the two 'passive' pilots are relying solely on a single autopilot channel to autoland their aircraft safely in thick fog. Keep flying safely Omar!
                Michael Codd



                  #9
                  Originally posted by Emi

                  Those with the non-BBJ standby instruments are no "real" BBJs. They are 737NGs where somebody installed aux tanks and an executive cabin. But they were not built by Boeing as BBJs, which means that they may not have all BBJ features, such as the changed cabin pressure schedule, etc.
                  Interesting. Nice to know.
                  Kristoffer Rivedal



                    #10
                    Originally posted by Michael Codd

                    I understand what you are saying, including the bit about the autoland reversionary decision that is made (subject to an airline's own approved procedures) on every planned autoland approach by the pilots at approx 1,000ft AGL.

                    Unfortunately I am not familiar with Airbus or Fly Dubai's 737 operations. I am always willing to be corrected, but what I do not believe is that the pilots of a commercial aircraft with only two autopilots fitted are permitted by their aircraft's FCOM Limitations section to carry out a full autoland with only one remaining autopilot channel engaged after a fault has occurred in the other autopilot channel that renders it unserviceable for the rest of that approach.
                    So, one thing is to begin an autoland approach and a completely different one is to continue an autoland approach. On the 757 we could CONTINUE autolands below the alert height even if we lost an engine but we could not initiate one having lost the engine before starting the approach. Every airplane will have different requirements and I don't know the restrictions that fail operational 737s have. But if they are fail operational, by definition, below the alert height they will only go around if they read the words "NO AUTOLAND" on the PFD. If they read something like LAND2 or NO LAND 3, all they will probably do is increase the DH to 50ft. The key here is the alert height, which is a concept exclusive to fail operational operations. I "believe" it's exclusive because I haven't been able to find information on it in my current manuals other than a simple definition.

                    Again, I'm not 100% knowledgeable on how some dual autopilot 737s achieve the required robustness to be considered fail operational and to be able to perform triple channel approaches. As I said before, I know they have a rudder channel and an additional electric PCU for it and they also use inertial information from the ISFD. They'll probably have some way to guarantee independent AC power to each autopilot and that could come from automatic switching or from the battery. On the 757 the third autopilot uses the battery, but some people have the useless habit of turning on the APU before autoland.

                    But to the question "can an airplane be fail operational with 2 autopilots", knowing Fly Dubai's 737s and most Airbuses with two autopilots are fail operational, the answer is clearly yes.

                    Omar Josef
                    Spain



                      #11
                      I hate that ticking sound. I wish PMDG would just add the integrated standby instrument system as an option.
                      Eric Fisher



                      • DDowns commented
                        Off topic....

                      #12
                      Originally posted by Aeromar
                      So, one thing is to begin an autoland approach and a completely different one is to continue an autoland approach. On the 757 we could CONTINUE autolands below the alert height even if we lost an engine but we could not initiate one having lost the engine before starting the approach. Every airplane will have different requirements and I don't know the restrictions that fail operational 737s have. But if they are fail operational, by definition, below the alert height they will only go around if they read the words "NO AUTOLAND" on the PFD. If they read something like LAND2 or NO LAND 3, all they will probably do is increase the DH to 50ft. The key here is the alert height, which is a concept exclusive to fail operational operations. I "believe" it's exclusive because I haven't been able to find information on it in my current manuals other than a simple definition..........

                      But to the question "can an airplane be fail operational with 2 autopilots", knowing Fly Dubai's 737s and most Airbuses with two autopilots are fail operational, the answer is clearly yes.
                      Hi Omar,
                      I don't disagree with most of what you have said in your first paragraph, but I'm sorry to say we are going to have to disagree on your interpretation of the technical term 'Fail Operational' with regard to the number of serviceable autopilot channels available to complete an autoland. Three serviceable Autopilots, LAND 3 and Fail Operational are all key words that go together, i.e. with the ability to continue the approach below 1,000ft should one A/P system fail, just as two serviceable autopilots and LAND2 and Fail Passive are also inextricably linked.

                      As I said earlier, if a fault should develop in any one of the two remaining autopilot channels below 1,000ft then the aircraft will not be able to complete an autoland on only a single Autopilot. This issue is purely about the number of autopilots fitted to the aircraft and the faulting has nothing to do with an engine failure, because that is a separate issue that would be dependent on whether or not the aircraft manual permits it. Anyway, you don't have to take my word for what I have been saying all along if you don't want to, because here's the proof I think you were looking for and it is taken from a Boeing approved manual.

                      [Attached image: IMG_2394.JPG]
                      Michael Codd



                        #13
                        How do you stop the rattle in the standby instruments?
                        Stanford Kenyon



                        • B777ER commented
                          You can't but be careful, according to Dan, it's off topic.

                        #14
                        Could you show me the off topic post?
                        Stanford Kenyon



                        #15
                        So basically we have to live with that noise?
                        Stanford Kenyon



                          #16

                          This is the part you're misunderstanding. That snippet of text talks about a "fault" and doesn't specify it needs to be an autopilot fault. It usually refers to the faults listed in the downgrade table. For example, loss of a generator or a source of air data or inertial. You could have an airplane with 2 autopilots in which if one of the autopilots fails, the other one can take over and still manage all three channels (pitch, yaw and roll) provided there's enough redundancy on the data that it is fed. Just let go (haha) we know there are examples of real world airplanes with only two autopilots that are fail operational. You can even set up the NGXu to be fail operational and it will work realistically like a Fly Dubai 737 would work. [Attached image: Captura de pantalla 2020-10-25 215639.jpg]

                          Omar Josef
                          Spain



                            #17
                            FMS, setup, under Equipment, page 1. Auto land is locked with BBJ. Page 11, standby instruments is locked with BBJ. You are going to change this, aren't you? I can't fly with that rattle noise, I don't know could.
                            Stanford Kenyon



                              #18
                              Originally posted by Aeromar
                              This is the part you're misunderstanding. That snippet of text talks about a "fault" and doesn't specify it needs to be an autopilot fault. It usually refers to the faults listed in the downgrade table. For example, loss of a generator or a source of air data or inertial. You could have an airplane with 2 autopilots in which if one of the autopilots fails, the other one can take over and still manage all three channels (pitch, yaw and roll) provided there's enough redundancy on the data that it is fed. Just let go (haha) we know there are examples of real world airplanes with only two autopilots that are fail operational. You can even set up the NGXu to be fail operational and it will work realistically like a Fly Dubai 737 would work.
                              Hi Omar,
                              I hope not. It seems the optional Boeing modifications incorporated in many B737s allowing the aircraft to use its APU generator for autolands is apparently interpreted as being 100% compliant with the definition of ‘Fail Operational’ and therefore its two autopilots are all this aircraft really needs. This assumption is true – at least in theory – in which case it follows that the B737’s autoland system should be capable of completing an autoland on its one remaining autopilot whenever a single system failure results in an autopilot failure or disconnect; but unless I am completely mistaken this is not true.

                              Have you ever asked yourself the question why Boeing went to the additional expense of installing three autopilots on later aircraft types, such as the B777 with the same number of engines as the B737, or the B744 with its four engines? I have and so I delved a lot deeper into this topic and just received confirmation from a B737 qualified pilot friend of mine that according to his old FCOM this aircraft’s dual autopilots are indeed ‘Fail Passive’ in their mode of operation. It is the three inertial sources that operate in a ‘Fail Operational’ mode on these modified B737 aircraft; not the two autopilots! His Boeing quote below confirms what I have been saying all along, in that for an autoland system to be totally 100% ‘Fail Operational’ in its mode of operation it requires three autopilots and not two.

                              Approach mode allows both A/Ps to be engaged at the same time. Dual A/P operation provides fail–passive operation through landing flare and touchdown or an automatic go–around. During fail passive operation, the flight controls respond to the A/P commanding the lesser control movement. If a failure occurs in one A/P, the failed channel is counteracted by the second channel such that both A/Ps disconnect with minimal airplane maneuvering and with aural and visual warnings to the pilot.

                              Having three autopilots has everything to do with autopilot redundancy and improved safety in a fully functioning ‘Fail Operational’ system. In a monitored system with three autopilots a single failure will be detected if one disagrees with the other two, but in a system with only two it can be uncertain which one is faulty - in which case both units will usually come offline. Contrary to what you have previously said, this is why all the pilots I know were taught to always think “Autopilot” whenever a single fault occurred in their aircraft and this is especially important when conducting an autoland or coupled approach, so that you can make the correct decisions about what is or is not available and what reversionary minima you may need.

                              In my opinion the much loved B744 and its younger -8 model have an almost perfect ‘Fail Operational’ system, partly because of the way in which their electrical systems are split and the four hydraulic systems work during all automatic approaches. For example, it is possible to experience a single system failure that causes an autopilot channel to fail and/or drop out and the aircraft will still carry out an autoland using slightly raised RVR limits on the remaining two autopilots. You can even suffer a single engine failure and it will still autoland and roll out on its three autopilots and remaining engines using a Zero DH and 75m RVR; and that RVR requirement is only so the pilots could see sufficiently to turn off the runway! I ask you, how good is that?!

                              Therefore, there isn’t much more I would want Boeing to fit to their B737s apart from a third autopilot and two more engines; if only because the last thing I want is to be on board any aircraft which is attempting to autoland in thick fog using a single autopilot and one engine! To conclude, many thanks for this interesting discussion and if you disagree with everything I have said here all I ask is that you think “Autopilot” every time you have a single system failure of any sort while carrying out an autoland in your B737. In addition, I hope you will always have a sound CAT 1 diversion airfield up your sleeve with enough fuel on board whenever the destination weather is poor. Oh yes! - one more thing - keep your flight deck door locked because I might be one of your passengers and want to get off! LOL
                              Michael Codd



                                #19
                                Michael,

                                I'm sorry, but you're letting your own biases get in the way of being given direct and sourced information that says you're off-base. When I search for "Fail Operational Autoland", this is the definition I find-

                                Fail-operational Automatic Landing System.

                                An automatic landing system is fail-operational if, in the event of a failure, the approach, flare and landing can be completed by the remaining part of the automatic system.
                                NOTE: In the event of a failure, the automatic landing system will operate as a fail-passive system.
                                The following are typical arrangements:
                                (1) Two monitored automatic pilots, one remaining operative after a failure.
                                (2) Three automatic pilots, two remaining operative (to permit comparison and provide necessary failure detection and protection) after a failure.
                                The salient point here - you can have 2 autopilots as long as they are monitored. This is how both the Hawker-Siddeley Trident and Vickers VC-10 achieved their CAT IIIB certifications without having 3 autopilots either. By having dual-monitored autopilots, they could ensure operational redundancy necessary to get the certification.
                                Last edited by CAPFlyer; 29Oct2020, 18:07.
                                Chris Trott



                                • DDowns commented
                                  Chris, monitored by what? Monitored by flight crew or by system fault detection? In industrial safety systems, the 1OO2 case is usually avoided in favor of 1OO3 because if there are only two signals and they differ then which one is correct? Any variance between signals from a dual system requires that both be assumed incorrect. This can be mitigated with a design that self checks and cross checks but it has to be validated with failure rate tests. The IEEE led industry in this discipline in the early days of nuclear power plants and has evolved into very robust systems today (if the concepts are applied... hint Japanese power plant without redundant backup power).

                                • CAPFlyer
                                  CAPFlyer commented
                                  I would actually love to know as well, but those technical documents don't seem to be readily available, but I'm certain it's systematic/mechanical in nature, not crew monitored. I found this same definition in a couple places, including an FAA web page (that is outdated), but I'm guessing the specifics are buried in an Advisory Circular or Certification Standard somewhere that isn't readily searchable from the web.

                                • Michael Codd
                                  Michael Codd commented
                                  Just had some feedback from a former Trident pilot and all those he flew were fitted with three autopilots complete with their own rudder channels. For two autopilots to be regarded as 100% Fail Operational (and not just Fail Passive) they would both need to be monitored by the autoland system and working together at the same time to control the aircraft throughout the approach.

                                #20
                                Originally posted by CAPFlyer
                                Michael,
                                I'm sorry, but you're letting your own biases get in the way of being given direct and sourced information that says you're off-base. When I search for "Fail Operational Autoland", this is the definition I find-

                                The salient point here - you can have 2 autopilots as long as they are monitored. This is how both the Hawker-Siddeley Trident and Vickers VC-10 achieved their CAT IIIB certifications without having 3 autopilots either. By having dual-monitored autopilots, they could ensure operational redundancy necessary to get the certification.
                                Chris,
                                With respect, I suggest you meant to say experience rather than own biases, because I am familiar with two and three autopilot installations in other Boeing aircraft. The fact that two autopilots are monitored is not the real issue here, it is how they behave if one of them develops a fault and fails or drops out that determines whether the autopilots themselves are Fail Operational or Fail Passive. For example, just as in the B737, the early B747/100 series also had two autopilots and they were also certified for autolands. They were monitored throughout the approach by the autoland system provided both autopilots remained engaged in Land mode. Boeing defined their dual mode of operation as 'Fail Passive'; just as it does in the early B737 FCOM. This definition recognises the fact that although both autopilots are engaged and being monitored only one of them would actually be in control of the autoland system at any particular time.

                                Unless I am completely wrong about all of this, a single engaged B737 autopilot simply isn't capable of completing an autoland all on its own even if the aircraft has the optional APU mod incorporated. Therefore it follows nothing fundamental has changed as far as the two 737 autopilots' own mode of operation is concerned. Besides, it is Boeing who defined dual autopilot installations as 'Fail Passive' in their early B737 and B747 FCOMs; not me! This is why I honestly believe the complete disconnect of one of only two autopilots in a modified B737 aircraft isn't fully explained by the current definition of 'fail operational' in the latest B737 FCOM.

                                I am more than happy to be corrected about anything I have said here if it is proved wrong and I always do my best to remain impartial and consider all of the facts before arriving at what I feel is a logical conclusion. Unfortunately, I have still not been able to find any reference that says if one B737 autopilot fails completely or disconnects because of a single fault during an autoland approach that it can still safely complete an autoland on the one remaining autopilot. If anyone can provide this information then I will admit I am mistaken and happily accept your interpretation of what Fail Operational means. But without this proof I think the lawyers could have a field day arguing over the technicalities of whether or not the true definition of 'Fail Operational' really applies to three autopilots or if it also includes the two fitted to modified B737s.
                                Michael Codd



                                  #21
                                  My understanding is that in a dual AP fail operational autoland system, each FCC has two channels (one in command, one monitoring). Thus if one of the APs fails, there are still two channels available (one monitoring the other) so the autoland can continue, but with higher minima.
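The two redundancy arguments raised in this thread, as a generic model: a bare pair that can only detect a mismatch, a three-channel voter, and two computers that each carry their own monitor lane. This is an added example, not part of any post and not Boeing's or PMDG's logic; the tolerance, lane values and all names are constructed assumptions.

```python
from dataclasses import dataclass

TOLERANCE = 0.5  # constructed threshold: max lane disagreement (deg of surface command)

def compare_pair(a, b):
    """Two unmonitored channels: a mismatch is detectable but not attributable."""
    if abs(a - b) > TOLERANCE:
        return None              # neither value can be trusted -> no output
    return min(a, b, key=abs)    # assumption: pass the smaller command

def vote_triplex(a, b, c):
    """Three channels: mid-value select outvotes a single wild channel."""
    return sorted((a, b, c))[1]

@dataclass
class MonitoredComputer:
    """One computer with a command lane checked by its own monitor lane."""
    name: str
    healthy: bool = True

    def output(self, command, monitor):
        # The pair cannot tell which lane is wrong, so the whole computer
        # latches itself offline and hands over to the other computer.
        if self.healthy and abs(command - monitor) > TOLERANCE:
            self.healthy = False
        return command if self.healthy else None

def dual_monitored(computers, lanes):
    """Two self-monitored computers; returns (capability, command)."""
    valid = [out for c in computers
             if (out := c.output(*lanes[c.name])) is not None]
    if not valid:
        return ("DISCONNECT", None)
    capability = "FAIL_OPERATIONAL" if len(valid) == 2 else "FAIL_PASSIVE"
    return (capability, valid[0])

def run_scenario():
    """Constructed sample: lane values are (command, monitor) per computer."""
    fccs = [MonitoredComputer("A"), MonitoredComputer("B")]
    steps = [
        {"A": (2.0, 2.1), "B": (2.1, 2.0)},   # all lanes agree
        {"A": (9.0, 2.0), "B": (2.1, 2.0)},   # A's command lane runs away
        {"A": (2.0, 2.0), "B": (2.1, 7.0)},   # later, B's monitor lane fails
    ]
    return [dual_monitored(fccs, lanes) for lanes in steps]
```

After the first failure the surviving computer is still a checked pair, so it can finish the manoeuvre but has no tolerance left for a second fault, which is the fail-passive condition in the quoted definition's NOTE.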



                                    #22
                                    Omar is 100% right on post #10 about the rudder channel & PCU. I’ve personally flown plenty of fail-op CAT IIIb NGs on lease from a Euro partner airline. There are obviously only 2 AP channels.
                                    It’s a well established certified customer option ... not sure why we’re having this debate. If you’re unhappy about the level of redundancy then I invite you to pursue this with the FAA.

                                    On the tech side, this guy on pprune explains it but pretty much the same as what Omar wrote.

                                    On B737NG aircraft fitted with fail operational systems, electrically operated rudder actuators, which receive inputs from their respective FCC, provide an alignment and rollout capability not present in fail passive aircraft. Rudder pedal movement and nose-wheel steering are provided by feedback through the rudder flight control system. Additional inertial information for the fail operational capability is provided by the Integrated Standby Flight Display (ISFD).

                                    The ISFD provides the redundancy that a 3rd Autopilot would normally provide. The approach system failure matrix for fail operational equipped aircraft (contained in appropriate AFM) is slightly different than that for fail passive aircraft. One example is that if an engine fails on approach the dual channel approach and landing may be continued in a fail operational aircraft.

                                    The fail operational system allows operation in CAT IIIB conditions if the operator and crew are approved. Whereas the fail passive system is restricted to CAT IIIA operations.
                                    Eric Blais



                                      #23
                                      Some additional information as per PMDG's FCOM (4.20.16):
                                      [Option - Fail-Operational Autoland] Approach mode allows both A/Ps to be engaged at the same time. Dual A/P operation provides either fail–operational or fail–passive operation through landing flare, touchdown and rollout, or through an automatic go–around. If a failure is detected, the flight controls respond to the A/P commanding the lesser control movement. If a failure occurs in one A/P, the failed channel is counteracted by the second channel such that both A/Ps disconnect with minimal airplane maneuvering and with aural and visual warnings to the pilot.
                                      For exact details why and how this allows fail operational certification you better ask the FAA, but obviously it is sufficient, otherwise the plane would not be certified.
                                      I only fly fail passive aircraft so I don't have any direct insights into this particular matter of things.



                                        #24
                                        Ok, so if my understanding is correct, the reason why the BBJ isn't able to get the fail-operative autoland option is because they only have the special BBJ standby instruments, and they are not delivering the extra backup for a dual autopilot aircraft to have the third redundant AP channel.

                                        So our only hope is to get an ISFD down the line.
                                        Kristoffer Rivedal



                                          #25
                                          Originally posted by Emi
                                          Some additional information as per PMDG's FCOM (4.20.16):
                                          For exact details why and how this allows fail operational certification you better ask the FAA, but obviously it is sufficient, otherwise the plane would not be certified.
                                          I only fly fail passive aircraft so I don't have any direct insights into this particular matter of things.
                                          Thanks Emi,
                                          Unfortunately, the two accidents surrounding the 737Max MCAS system should tell you 'sufficient' is sometimes never a good enough answer. I suggest you have a listen to an audio interview with the late D.P. Davies, because in it he discusses his involvement in certifying the original B707 and the later B727 for the UK authorities. I think it might make you realise we can all learn lessons from the past and that as a pilot you should question everything you do not understand about your aircraft and never take things for granted; especially when it involves anything that might involve flight safety.

                                          Thanks to Eric Blais, what he quoted regarding the ISFD from PPrune explains how the 737's autoland system can be certified as fail operational without a third autopilot. However, it seems to me there are still some important differences and unanswered questions to do with the different 737 models. For example, in the current (PMDG) NGXu FCOM it says:-

                                          "[Option - Typical, 737-800, JAA rules]
                                          The Minimum Use Height (MUH) for single channel autopilot operation is defined as 158 feet AGL." and:-

                                          "[Option - FAA rules] For single channel operation during approach, the autopilot shall not remain engaged below 50 feet AGL." and:-

                                          "[Option - Typical 737-900,] Autoland capability may only be used with flaps 30 or 40 and both engines operative."


                                          Oh well, I think I have said enough on this topic - so please keep flying and autolanding safely!
                                          Michael Codd



                                            #26
                                            Try the latest 737NG/MAX FCTM Section 5. Not sure if PMDG includes it, but it's fairly easy to find online. Lots and lots of info on operational techniques between fail-op and fail-pass, although very little on actual systems and under-the-hood. If you want to PM me your email I'd be more than happy to send some chapters.

                                            Eric Blais
                                            Last edited by DaedalusX; 31Oct2020, 20:49.



                                              #27
                                              Here are some extracts from 5.xx of the FCTM
                                              Eric Blais

                                              Last edited by DaedalusX; 31Oct2020, 20:47.
