
Embraer Phenom 300 yaw damper fail due to loss of GPS signal [pdf] - a-no-n
http://www.faa.gov/documentLibrary/media/Notice/GENOT_7110_711_EMB-300.pdf
======
Animats
What a mess. We botched GPS/AHRS integration in our 2005 Grand Challenge
vehicle. Seen this type of problem.

Here's the problem. You have an Attitude and Heading Reference System (AHRS)
with three rate gyros and three accelerometers, plus a magnetometer as a
compass. From this information, you want to get aircraft orientation and
heading. Integrating the rate gyros gives orientation, but because you're
integrating a rate, there's cumulative error over time. The accelerometers
give you a down reference. Not always a good one. Some AHRS units will lose
their down reference if you fly in a circle for a while, and the
accelerometers see a consistent but wrong "down" direction from centrifugal
force.

So AHRS systems are prone to cumulative error accumulation. You also have a
GPS system, which is prone to short-term noise but does not accumulate
cumulative error. GPS is position only; there's no orientation info from GPS.
(There are some multiple-antenna GPS systems that get orientation, but those
are rare.) So AHRS/GPS systems try to combine the two using various filters.
Those filters embody assumptions about the error properties of each system.
Fusion of the two sources provides position information, with the GPS fixes
being augmented with short-term info from the AHRS. However, it's possible for
GPS position to "jump" due to radio propagation problems. You see this on
smartphones all the time. It's not as bad for aircraft, which usually have a
clear view of the sky. (It's much harder for ground vehicles, which can't
always see enough GPS satellites. We had a lot of trouble with this in 2005.)

The important outputs are attitude (pitch, roll, and yaw) which drive the
artificial horizon ball (or, today, a graphic which looks like one). There's
also heading, which drives the compass. The attitude outputs also drive the
aircraft's stability control systems. The AHRS data can be used raw, or
combined with GPS data to get not only attitude but position.

Usually, the AHRS outputs are used without GPS info to drive the aircraft
systems that just need attitude. But the fused AHRS/GPS data is usually
better, and dealing with inconsistencies between the unaugmented AHRS info and
the fused data is a pain. So there's a temptation to use the fused data for
everything. Embraer apparently did this.

There's an argument for source integration. Air France 447 crashed because
they lost airspeed and altitude data when the pitot tubes and static ports
froze up. An integrated AHRS/GPS system would have given them accurate info on
vertical speed and altitude even without air sensors. So integration isn't
fundamentally a bad idea. If you integrate sources, though, you have to deal
with sensor conflicts. That's a hard problem. Filters alone will not do it.

The integration used by Embraer (who did the avionics, by the way?) apparently
doesn't handle GPS failures properly. The AHRS is still there, and that's all
you need for aircraft stability. But if the fused outputs are used for
stability augmentation, stall warning, and such, apparently they can fail when
the GPS data does.
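
A minimal single-axis sketch of the ideas in the comment above, added here as an example; it is not part of the thread and not any vendor's avionics code. It shows rate-gyro drift, an accelerometer-corrected attitude estimate that never touches GPS, and a position filter that rejects a GPS "jump" and coasts through a GPS outage. The gain, gate and all sample data are constructed assumptions.

```python
# Added illustration; every constant and sample value here is constructed.
DT = 0.1  # seconds per sample

def integrate_gyro(rates, dt=DT):
    """Pure rate integration: any gyro bias accumulates without bound."""
    angle = 0.0
    for r in rates:
        angle += r * dt
    return angle

def complementary(rates, accel_angles, alpha=0.98, dt=DT):
    """Gyro for short-term motion, accelerometer 'down' as long-term reference."""
    angle = 0.0
    for r, a in zip(rates, accel_angles):
        angle = alpha * (angle + r * dt) + (1 - alpha) * a
    return angle

def fuse_position(speeds, gps_fixes, gain=0.2, gate=50.0, dt=DT):
    """1-D dead reckoning corrected by GPS. A fix is used only if it exists and
    lies within `gate` metres of the prediction; otherwise the filter coasts on
    inertial data and counts the sample as degraded instead of failing."""
    pos, degraded = 0.0, 0
    for v, fix in zip(speeds, gps_fixes):
        pos += v * dt                        # inertial prediction
        if fix is None or abs(fix - pos) > gate:
            degraded += 1                    # GPS lost or jumped: ignore it
        else:
            pos += gain * (fix - pos)        # blend in the GPS fix
    return pos, degraded

def demo():
    n = 600                                  # 60 s of straight, level flight
    rates = [0.5] * n                        # deg/s: gyro bias only, true rate 0
    accel = [0.0] * n                        # accelerometers report true 'down'
    speeds = [101.0] * n                     # inertial speed, 1 m/s too high
    truth = [100.0 * DT * (i + 1) for i in range(n)]
    gps = list(truth)
    gps[300] += 500.0                        # one propagation "jump"
    gps[400:] = [None] * 200                 # GPS denied for the last 20 s
    drift = integrate_gyro(rates)            # unbounded: about 30 degrees
    roll = complementary(rates, accel)       # bounded, needs no GPS at all
    pos, degraded = fuse_position(speeds, gps)
    return drift, roll, pos - truth[-1], degraded

if __name__ == "__main__":
    print(demo())
```

The position error grows only during the outage, while the attitude estimate is unaffected because nothing in `complementary` depends on GPS.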

~~~
raverbashing
> who did the avionics, by the way?

Garmin

------
dfsegoat
This is a known issue - and an old issue.

These jets cannot fly without GPS.

When they (the military) knocked out GPS intentionally around China Lake NAS a
few months back (for testing aircraft in GPS denied environments) -- all
Embraers were told to avoid the area:

 _THIS NOTAM APPLIES TO ALL AIRCRAFT RELYING ON GPS. ADDITIONALLY, DUE TO GPS
INTERFERENCE IMPACTS POTENTIALLY AFFECTING EMBRAER PHENOM 300 AIRCRAFT FLIGHT
STABILITY CONTROLS, FAA RECOMMENDS EMB PHENOM PILOTS AVOID THE ABOVE TESTING
AREA AND CLOSELY MONITOR FLIGHT CONTROL SYSTEMS DUE TO POTENTIAL LOSS OF GPS
SIGNAL._

[https://www.faasafety.gov/files/notices/2016/Jun/CHLK_16-08_...](https://www.faasafety.gov/files/notices/2016/Jun/CHLK_16-08_GPS_Flight_Advisory.pdf)

~~~
raverbashing
> These jets cannot fly without GPS.

No need for FUD. Loss of Yaw Damper is not something that would endanger an
aircraft.

~~~
dfsegoat
Tried to edit it. But why would they mention it so prominently in the NOTAM?

~~~
janoc
Because when this bug happens, the pilot is going to face a "Christmas tree"
of warning lights and cautions, most likely provoking an immediate PAN or
Mayday and a possible diversion to the nearest suitable airport.

Loss of attitude info is a serious business, in the worst case the pilot may
be left to fly only "raw data" and using the backup "steam gauge" instruments,
because the displays and automation will stop working. Such an event is no cake
on a big jet, even during daylight, perfect weather and with the crew
perfectly current and capable of flying like that.

Murphy will have it that it happens during night, in a storm and most crews
today are trained to rely on the automation and rarely get to hand fly,
even less raw data, without any of the computers. The result will be another
AF443 ...

~~~
raverbashing
See the other links around, there's a Garmin manual showing the failure modes
regarding loss of GPS data (even some people saying loss of GPS only should
not cause YD failure).

And it's AF447.

------
a-no-n
[http://forums.jetcareers.com/threads/emb-300-phenom-yaw-damp...](http://forums.jetcareers.com/threads/emb-300-phenom-yaw-damper-fail-due-to-unreliable-or-unavalible-gps-signal.234746/page-2)

~~~
a-no-n
Another pilot forum also:
[https://www.pilotsofamerica.com/community/threads/gps-interf...](https://www.pilotsofamerica.com/community/threads/gps-interference-testing-affecting-biz-jets.95388/)

~~~
taspeotis
And on HN:
[https://news.ycombinator.com/item?id=11856131](https://news.ycombinator.com/item?id=11856131)

------
dogma1138
How does an aircraft get certified without an INS for stability control?

------
smegel
> VENTRAL RUDDER FAIL, YAW DAMPER FAIL, AUTO PILOT FAIL, AND CAS MESSAGES
> ASSOCIATED WITH UNEXPECTED ROLLING AND YAWING OSCILLATIONS (DUTCH ROLL) AT
> HIGH AIRSPEEDS

Damn.

------
mmanfrin
Can someone provide context?

~~~
JshWright
It appears that the Embraer Phenom 300 has GPS so deeply integrated into its
"flight control computer" that the loss of GPS results in the loss of a number
of important systems, including the system that prevents a common aerodynamic
instability, known as "Dutch Roll".

Modern planes aren't flown directly by people. They're flown by computers,
with people using the controls in the cockpit to tell the computer what they
want the plane to do (there is no direct link between the stick/yoke and the
flight surfaces). The computer integrates all the information at its disposal
and determines what movements of the flight control systems are necessary to
meet the pilot's commands (this is known as fly by wire). In this case, it
seems that computer is _really_ dependent on GPS.

~~~
jsmthrowaway
> (there is no direct link between the stick/yoke and the flight surfaces)

Almost true and oft-repeated. There are still means to somewhat control most
FBW aircraft in the unlikely event all electrical control is lost; A320 can
pitch/yaw with mechanical linkage to stabilizer trim and the rudder, for
example (but, to your point, neither involve the sidestick). The flight is
very likely headed for an unpleasant end but the intent is to buy time to
restore computer control. Landing with trim, rudder, and differential thrust
alone is possible (some have landed with less), but it's a big ask for a pilot
accustomed to automation.

That scenario aside, when a whole lot of things fail an Airbus can also go
into a mode called Direct Law, which basically tells the computer to take a
hike and puts the pilot in direct control of surfaces proportional to airspeed
(and puts structural integrity in jeopardy, because the computer isn't helping
to obey design limits). The aircraft is extremely sensitive in this
configuration.

(If you saw _Sully_ recently, one of the reasons he quickly started the APU
was to prevent the aircraft from leaving the relative safety of Normal Law in
the absence of electrical power. This was described in the report, if I
recall, and was one of the more critical decisions made.)

Boeing is entirely different in FBW philosophy from Airbus. A coarse summary
might be that Airbus drivers are negotiating with a computer while Boeing
drivers are generally flying the airplane. Both have merits and drawbacks and
vocal camps.

~~~
JshWright
> Almost true and oft-repeated. There are still means to somewhat control most
> FBW aircraft in the unlikely event all electrical control is lost; A320 can
> pitch/yaw with mechanical linkage to stabilizer trim and the rudder, for
> example (but, to your point, neither involve the sidestick).

Yeah, that's why I was specific about the stick/yoke connection. Though, after
some research, it appears I was wrong about that as well (at least in the case
of Embraer). In the 190, the ailerons are, effectively, directly controlled
(there is a hydraulic system in line, but it is directly actuated by cables
from the yoke). I was unable to find any conclusive details about the Phenom
300 after a cursory search, but it appears it is "fully" FBW.

> Boeing is entirely different in FBW philosophy from Airbus. A coarse summary
> might be that Airbus drivers are negotiating with a computer while Boeing
> drivers are generally flying the airplane. Both have merits and drawbacks
> and vocal camps.

Yeah, and both sides can point to major incidents that wouldn't have happened
in the other cockpit.

~~~
throwanem
I know of Air France 447 in the "fly the airplane" camp. (An inexperienced
copilot stalled the aircraft all the way from cruise altitude to impact, and
because the sidesticks aren't linked, no one else could tell that was what was
wrong.)

What's a good example in the "negotiate with the computer" camp? Perhaps it's
merely a tendency on my part, but I don't think I have run across any accident
which militates as strongly in favor of Airbus's design as AF 447 seems to
militate against it.

~~~
TuxerLulz
AF447 is more complicated than just that sidestick issue, if you look at the
accident report closely.

The contributing factors were loss of outside air temperature and airspeed
sensors because of icing, a dark moonless night above the ocean, and
flying/falling outside of the operating range of the stall horn (when they
pitched the nose down, they started recovering from the stall, airspeed went
up, and the stall horn activated. When they pitched up, they went back outside
of the operating range, and the horn muted).

A big contributing factor as well was that in an Airbus, in normal operating
conditions, pulling the stick all the way back will configure the aircraft for
the best rate of climb (which can be different from just putting the elevator
in full climb conditions). Due to the pitot tubes being iced up, the flight
computers were in Direct mode (where movement of the sidestick is directly
translated in movement of the flight controls, without computer intervention),
which didn't help.

~~~
raverbashing
> the flight computers were in Direct mode

Almost that, they were in Alternate Law.

------
0xcde4c3db
Anyone have a sense of what the primary failure is here? Is there some Kalman
filter that gets out of whack when an error term can't be calculated, or what?

------
rsync
Translation: we never tested flight with the GPS off.

~~~
raverbashing
Planes are not built by "stuff.js" hackers, I'm afraid.

And it does work without GPS, as this link (which was posted in this page
[http://forums.jetcareers.com/threads/emb-300-phenom-yaw-damp...](http://forums.jetcareers.com/threads/emb-300-phenom-yaw-damper-fail-due-to-unreliable-or-unavalible-gps-signal.234746/page-2)) shows.

------
throwaway_exer
I have a commercial rating. The HN title is wrong.

What this is saying:

1) If you don't have a yaw damper, then you'll have a rough ride

2) because the autopilot will induce oscillation (Dutch roll) after loss of
GPS

~~~
JshWright
The HN title is literally the subject of the notice, very slightly paraphrased
(abbreviations expanded, etc), so you may want to let the FAA know they got it
wrong...

I also think you misread the notice. The report is stating the loss of GPS
apparently resulted in the subsequent loss of a number of other systems,
including the yaw damper.

~~~
throwaway_exer
I think you're right. The wording about "no yaw damper" would have been
clearer as "failed yaw damper" - I guess that's what was meant.

