Egypt Air questions answered
The tragic crash of Egypt Air Flight 990 in October of last year highlighted some important flight-control design considerations for aircraft certified to FAR Part 25 standards. Transport category aircraft must be capable of continued safe flight following the failure of one or more components of a flight control system. If a portion of a flight control system jams, there must be a way for the crew to overcome the jam.
This is expressed in FAR 25.671(c), which reads in part:
The airplane must be shown by analysis, tests, or both, to be capable of continued safe flight and landing after any of the following failures or jamming in the flight control system and surfaces…
(1) Any single failure, excluding jamming...
(2) Any combination of failures not shown to be extremely improbable, excluding jamming...
(3) Any jam in a control position normally encountered during takeoff, climb, cruise, normal turns, descent, and landing unless the jam is shown to be extremely improbable, or can be alleviated.
Flight recorder data indicates that the autopilot on the Egypt Air Boeing 767 disconnected. Immediately afterward, the aircraft entered a high-speed dive from FL330. Then, 35 seconds after the autopilot disconnected, the left and right elevators began to simultaneously move in different directions and at different rates. The left elevator generally commanded an aircraft nose-up condition, while the right elevator commanded the aircraft nose down.
No official conclusions regarding the elevator movement have yet been reached. There has been widespread speculation, however, that the captain and first officer were working at cross purposes in a fight for control of the aircraft. But it should be noted that investigators have not ruled out other causes, such as an aerodynamic explanation, for the difference in elevator movement. The aircraft’s speed had reached Mach 0.94 when the elevator split occurred, well outside the design operating envelope for the 767. No mechanical failure has yet been uncovered, but it is still a possibility that is being investigated by the National Transportation Safety Board.
Whatever the cause, initial reports of the split position of the elevators raised some eyebrows among pilots and nonpilots alike. Could simultaneous, opposite-direction forces applied to the captain’s and first officer’s control columns cause the right and left elevators to move in opposite directions? The simple answer is "yes." Both control columns on the 767 are linked together. Normally, if either pilot moves a control column forward or aft to change elevator position, the other control column moves in tandem with it. The left and right elevators are physically separate, but they move together when the system is working normally.
But according to FAR Part 25, if a component of an elevator control system can jam, there must be a way to overcome the jam. In the 767, each control column operates its own set of cables, pulleys, and hydraulic actuators, which control the elevator half on its respective side. If one side jams, a force of 50 pounds or more applied to the unjammed control column will break the link connecting the two. If the right elevator was stuck, for instance, the left elevator could be moved independently to provide pitch control.
While this design feature was obviously conceived with mechanical restrictions in mind, a tug of war for control of the aircraft might also cause the link to be broken. In that case, there would not be a jammed and an unjammed side. Instead, there would be two sets of free control paths, each equally effective in moving half of the elevator. Left and right elevator movement would be free to vary in opposite directions. Aircraft pitch changes would depend partially upon how each elevator half was deflected at any given moment. Horizontal stabilizer position, and the speed of the aircraft itself, would also influence aircraft pitch changes.
In such a scenario, a difference in left and right elevator positions would naturally impart a rolling moment on the aircraft. By design, however, the aircraft’s normal means of roll control—ailerons and flight spoilers—would have greater authority and could be used to counteract this elevator-induced rolling moment. In fact, investigators know that Flight 990 maintained a relatively constant heading while the left and right elevator positions were split.
Other Transport category aircraft—and business aircraft recently certified under FAR Part 25—incorporate variations on this division-of-control design logic, according to their unique flight control systems. For example, the Lockheed 1011 utilizes a manual pitch disconnect handle. The crew can pull this handle to separate the two control columns if one side’s elevator control path becomes jammed.
It isn’t only pitch-control systems that are designed this way. Roll and yaw controls on aircraft certified under FAR Part 25 have similar redundancies. According to the regulation, if continued safe flight and landing of the aircraft is dependent on operation of a flight control system, there must be a way of working around a problem in that system. Sometimes this means getting the job done using an alternate but related system. Should the ailerons on a Boeing 737 become jammed, for instance, a transfer mechanism allows the flight spoilers to take over as the primary means of roll control on the aircraft. In that case, turning the first officer’s control yoke left or right will activate flight spoilers that provide roll control.
The power sources that actually move flight control surfaces must be redundant as well. Large jet aircraft often use hydraulic power to move primary flight controls. For example, the ailerons, elevators, and rudder on the 737 are operated by hydraulic power from both the "A" and "B" hydraulic systems. If one system is lost, the other can power all primary flight controls. If both are lost, the ailerons and elevators may be operated in a less responsive, but still effective, manual mode. The rudder in this case would be powered by a third standby hydraulic system. Trailing-edge flaps on the 737 are usually operated hydraulically, but they can be electrically driven as an alternate means if hydraulic power is lost.
The Egypt Air accident oddly enough also brings to mind FAR 25.671(d), which states, "The airplane must be designed so that it is controllable if all engines fail." Total failure of all engines on a jet aircraft is extremely rare. But should this happen, the resulting loss of hydraulic, pneumatic, and electrical power to aircraft systems must not be so debilitating in combination that aircraft control cannot be maintained. The crew must still be able to fly the aircraft while the engine failures are addressed.
In the case of Flight 990, investigators know that the start levers for both engines were placed in the cutoff position by someone in the cockpit. This action, which shut off fuel to the engines, occurred at about the same time that the elevators began to move in opposite directions. To further add to the mystery surrounding this perplexing series of events, both thrust levers were pushed forward toward high power positions at the same time that fuel to the engines was shut off.
Regulations and thoughtful design engineering can only go so far in preventing tragedy. If it turns out that criminal action was to blame for Flight 990’s demise, the sequence of events leading up to the crash may well qualify as "extremely improbable" in the context of FAR Part 25. If so, it is likely that no degree of redundancy would have made a difference in the final outcome.
Related Articles
