A detailed explanation of the terms Fail Operational and Fail Passive
Fail-passive Automatic Landing System

An automatic landing system is fail-passive if, in the event of a failure, there is no significant out-of-trim condition or deviation of flight path or attitude - but the landing is not completed automatically.

NOTE: For a fail-passive automatic landing system the pilot assumes control of the aircraft after a failure.

The following are typical arrangements:

(1) A monitored automatic pilot in which automatic monitors will provide the necessary failure detection and protection.

(2) Two automatic pilots with automatic comparison to provide the necessary failure detection and protection.

Fail-operational Automatic Landing System.


An automatic landing system is fail-operational if, in the event of a failure, the approach, flare and landing can be completed by the remaining part of the automatic system.

NOTE: In the event of a failure, the automatic landing system will operate as a fail-passive system.

The following are typical arrangements:

(1) Two monitored automatic pilots, one remaining operative after a failure.

(2) Three automatic pilots, two remaining operative (to permit comparison and provide necessary failure detection and protection) after a failure.


Fail-operational Hybrid Landing System

A system which consists of a primary fail-passive automatic landing system and a secondary independent guidance system enabling the pilot to complete a landing manually after failure of the primary system.

NOTE: A typical secondary independent guidance system consists of a monitored head-up display providing guidance which normally takes the form of command information, but it may alternatively be situation (or deviation) information.

 
1. Pallet has a good book, Automatic flight Control with a section on system reliability and redundancy - a worthwhile read.

(ISBN 0-632-03495-5)

2. Also see http://www.wingsys.com/apalssa.htm (HUD - same as visual)

Land 3 is annunciated for Fail-Operational mode and Land 2 for Fail-Passive, for three A/P systems. No Autoland obviously indicates a fault which precludes the use of A/Ps for automatic landing. The annunciator system is active only when the aircraft is below 1500' RA and with G/S and LOC capture. Below 200' RA, the only change permitted in the annunciation is to No Autoland.

Land 3 or 2 annunciations mean that G/S or LOC signals are not being received. If the station fails, the aircraft continues on an inertial track for a short time until the problem is annunciated on the EADI, affected flight director commands are removed and A/P and master caution lights illuminate. The indication on the Autoland Status Annunciators may or may not change.

If a Land 2 condition exists and below 100' RA, an increment of nose-up trim is automatically applied for the flare. If the A/Ps are subsequently disengaged in the approach, a forward control force (20-30lbs) is required to counter this automatic trim condition. It is automatically removed if a multi A/P GA is initiated.

A/P control of the rudder is only active when either Land 3 or 2 is active (hence only below 1500' RA). Additionally, the Runway Align, Flare and Rollout submodes are only available during these times.

The FCCs are powered by separate electrical sources when a multi A/P approach is initiated, so the loss of a bus during a Land 3 approach is not critical, however, during a Land 2 it might mean that it's all over for autoland that day.

This all based on 767-300s

Either mode would work for RoboLander

to RoboLander Menu