Photo: De Havilland Comet, Royal Air Force, 1964, from Wikimedia Commons.

Eddie Sez:

We want our airplanes to be able to survive when bad things happen, be those things caused by the airplane itself or the two occupants in the first row of seats. It goes without saying that we would not tolerate aircraft the likes of the De Havilland Comet, which was doomed by crashes that began in 1953 due to design of the wing, and in 1954 due to structural failure.

This is obviously an important topic for an aeronautical engineer, but what of the pilot? For us, the idea here is to explore the fault tolerance of our aircraft and learn how to anticipate and prevent these failures if possible, and develop countermeasures if not.

Fault Type                               Fault Tolerant   Fault Intolerant
Systems: "Safe Life" (nonredundant)
Systems: Fail Passive (Redundant)
Systems: Fail Safe
Pilot Error: Fail Passive (undetected)
Pilot Error: Fail Passive (detected)
Pilot Error: Fail Active                 ?                ?

Some of these terms have specific meanings in engineering parlance:

  • The term "safe life" means the system or component is designed to last for its finite lifespan and then you expect it to fail. The problem, of course, is some of those components can bring an airplane down.

  • The term "fail safe" means the designers recognized a failure is possible but the system is designed to be inspectable in service and able to sustain detectable damage before failure compromises the entire system. A fail safe system can also automatically trigger its own replacement to maintain the subsystem's capability.

Some of these terms are borrowed from the computer industry or elsewhere and, as far as I know, are not used in the aviation world:

  • The term "fault tolerance" is meant to convey the idea that an individual failure will not be critical enough to cause total system failure, either because its impact on the whole system is limited or because of built-in backups and safeguards.

  • The term "fail passive" means a component's failure will automatically remove that component from the system, rendering the failure non-catastrophic.

  • The term "fail active" means a component has a built-in mechanism or backup to either repair or replace a failed component.

So most of this comes from me and appears in blue. The references that I do have are shown below.



[Merriam-Webster Dictionary]


In the Beginning

[Wanhill, ¶2]

Examples of Fail Safe Systems

Fault Type                               Fault Tolerant   Fault Intolerant
Systems: Fail Safe

A fail safe system handles problems automatically without outside intervention, notifies the pilot, and allows the aircraft to continue flying safely. Optimally, the aircraft continues as if nothing had happened. But at the very least, the pilot is left with a flyable airplane and options.

Example: Gulfstream 450 Transformer Rectifier Units

Figure: G450 TRU component locations, from FlightSafety G450 Maintenance Training Manual, figure 24-35.

The GV series electrical system is perhaps the most redundant and most fault tolerant electrical system ever designed. It is said that you never have to touch the electrical panel except when you are at the simulator. The DC electrical system is powered by four transformer rectifier units (TRUs) with a fifth, identical TRU just sitting in "ready reserve." If one of the four TRUs should fail, the fifth steps in automatically and notifies the pilot that it has done so.

With the fifth TRU operating the aircraft loses absolutely no capability. More about this: G450 Systems / DC Electrical Sources.

Gulfstream V Series Aircraft Emergency Descent Mode

Figure: GV Automatic Emergency Descent, from GV Aircraft Operating Manual, §06-04-00, figure 1.

Many high altitude aircraft, such as the GV, will automatically sense a loss of cabin pressure and execute an emergency descent without pilot interaction. Even if both pilots pass out, the aircraft descends to 15,000 feet and establishes level flight at a safe speed until the pilots regain consciousness.

The aircraft may obviously have other issues to deal with, but the system made it possible for the pilots to survive and live to deal with those problems. More about this: G450 Abnormal Procedures / Emergency Descent.

Examples of Fail Passive (Redundant) Systems

Fault Type                               Fault Tolerant   Fault Intolerant
Systems: Fail Passive (Redundant)

The failure of a fail passive, redundant system notifies the pilot and provides the pilot with options so the aircraft may continue flying safely. In some cases, the system may automatically disable itself. Optimally, the aircraft could continue as if nothing had happened. But at the very least, the pilot is left with a flyable airplane and options.

Gulfstream 450 Flight Control Hard Over Protection System

Figure: G450 aileron force link, from G450 Maintenance Manual, §27-13-01, figure 401, sheet 1.

Each axis of the G450 flight control system, for example, is monitored by a "Hard Over Protection System" (HOPS) that continuously compares pilot inputs into hydraulic flight control systems with the resulting output. If there is a significant difference, the actuator is hydraulically depowered, leaving the pilot with manual reversion capability.

More about this: G450 Systems / Flight Controls.

Boeing 757 Pitot-Static System

Figure: B-757 pitot-static system, from May Day, "Flying Blind," Season 1, Episode 4, 17 Sep 2003

Pitot-static systems are usually considered fault tolerant because they have multiple backups and are usually monitored electronically. But they can also be fault intolerant because they are often designed to be completely independent of any external sources. The systems can be driven purely by air pressures without any electrical power required. Even some aircraft with glass cockpits simply report the output of the pneumatics of the pitot-static system. With these airplanes, pilots must constantly guard against failures by crosschecking other sources.

In the case of Aeroperu 603, the static ports were covered with tape, leaving the airspeed and altimeter indications in doubt. Many aircraft have electronic comparison monitors, but even these can be fooled. These pilots were fooled by the fact their transponder was reporting the same altitude as their errant instruments, failing to realize the transponder was using outputs of the same faulty pitot-static system. Pilots should understand which of their systems are fault intolerant and tend to fail non-gracefully. Only with added systems knowledge can these faults be detected and dealt with.

More about this: Mishaps / Aeroperu 603.

Example of Safe Life (Nonredundant) Systems

Fault Type                               Fault Tolerant   Fault Intolerant
Systems: Safe Life (nonredundant)

The failure of a safe life, nonredundant system might notify the pilot, but more than likely will not. It will at the least reduce the aircraft's capability and could be catastrophic very quickly. Pilots should be aware of these "weak links" and be wary of accepting aircraft systems failures that leave them with nonredundant vulnerabilities.

If a system can fail within the normal life span of the aircraft and has no backup system, it is non-redundant and can be termed a single-point-failure system. These non-tolerant systems require careful monitoring, and related systems need to be handled with special care for fear that they might trigger the single-point-failure system to fail. Of course a big problem here is that we often don't know where these systems are.

MD-83 Horizontal Stabilizer

Figure: MD-83 stabilizer trim, from May Day, "Cutting Corners," Season 1, Episode 5, 15 Oct 2003

The DC-9 was designed with a single-point-failure stabilizer trim system and that design followed on to the MD-83 and Boeing 717. If the stabilizer jack screws were to fail, the only thing preventing the stabilizer from moving into an uncontrollable position was a single "acme nut." The crew of Alaska Airlines 261 did not know this, nobody did, and continued troubleshooting until the part failed. The manufacturer should have placed a warning in the flight manual that because this was a single-point failure system, once it had failed all further attempts to move the stabilizer should have been stopped.

More about this: Mishaps / Alaska Airlines 261.

Example of Fail Active Pilot Error Systems

Fault Type                               Fault Tolerant   Fault Intolerant
Pilot Error: Fail Active                 ?                ?

A fail active pilot error system is one in which the aircraft judges pilot inputs to be faulty, overrides the inputs, and provides corrective action. The corrective action may or may not be overrideable. A stick pusher, for example, actively attempts to recover from a stall. In most aircraft, the pilot can override the pusher if he or she deems that appropriate. In other aircraft, however, no amount of pilot input can override the aircraft's decision to avoid a stall.

Airbus 320 Alpha Protection Mode

Photo: Amateur photographer video of Air France 296 just prior to impact, from May Day, "Plane vs Pilot," Season 9, Episode 3.

What about correcting a pilot error automatically, without pilot intervention? This goes to the heart of what some call the "Boeing versus Airbus Philosophy" difference. Under the Boeing philosophy, the aircraft monitors the pilot and notifies him or her when there is a problem; under the Airbus philosophy, the aircraft can override the pilot's inputs to protect the airplane.

On all modern Airbus planes, starting from the A320 up to the A340, computers prevent the pilot from pitching up beyond 30 degrees (to prevent a stall) or pitching down beyond 15 degrees (to prevent overspeed). Furthermore, they will not allow the pilot to bank or roll more than 67 degrees or make any maneuvers greater than 2.5 times the force of gravity.

It is a controversial subject. On the face of it, how can having the aircraft automatically prevent a stall be a bad thing? In 1988, one of the first Airbus 320 jets crashed during an air show in Habsheim, France. The pilots planned a low altitude fly-by at maximum angle of attack and 100 feet, but for various reasons ended up at 30 feet. When the pilot realized he was at tree top level he commanded full power and got a delayed response from the engines, perhaps due to the restricted air flow caused by the high deck angle. The official accident report blames the pilot, but this report was written by the government of France, which had a vested interest in the aircraft being exonerated. (It is thought the company would have failed had the aircraft been found causal.) The flight data recorder shows the elevator moved down after the pilot commanded nose up, and some contend the aircraft entered the stall protection mode just prior to reaching the trees. There was also a four minute gap in the cockpit voice recorder and photographic evidence that both the flight data recorder and cockpit voice recorder had been replaced. The French justice system did not buy this and convicted the pilot of involuntary manslaughter.

Depending on where you come down on the "Boeing versus Airbus Philosophy," having a fail active response to pilot errors can be good or bad. More about this: Mishaps / Air France 296.

Examples of Fail Passive (detected) Pilot Error Systems

Fault Type                               Fault Tolerant   Fault Intolerant
Pilot Error: Fail Passive (detected)

A fail passive pilot error system that is detected is one in which the aircraft judges pilot inputs to be faulty and notifies the pilot, providing the pilot a chance to correct the error.

Gulfstream 450 Runway Awareness Alerting System (RAAS)

[G450 Aircraft Operating Manual, §2B-20-90] The runway awareness and advisory system (RAAS) function supplies improved situational awareness for the flight crew. This improved situational awareness helps lower the probability of runway incursion incidents and accidents by providing timely aural advisory messages to the flight crew during ground taxi, takeoff (including rejected takeoffs), final approach, and landing/rollout operations. The advisories are generated based on the current aircraft position when compared to the location of the airport runways. The airport runways are stored in the threat database (internal EGPWS terrain/obstacle/airport database).

More about this: G450 Systems / Runway Awareness Alerting System (RAAS).

Examples of Fail Passive (undetected) Pilot Error Systems

Fault Type                               Fault Tolerant   Fault Intolerant
Pilot Error: Fail Passive (undetected)

A fail passive pilot error system that is undetected is one in which the aircraft does not detect an error, or if detected, does not notify the pilot of the error. It is up to the crew to detect the pilot error.

Comair 5191 Wrong Runway

Figure: Comair 5191 runway choices, from Eddie's notes.

In 2006, the crew of Comair 5191 turned onto the wrong runway at night and ended up killing all on board because the runway they chose was too short. They were not the first crew to ever do this, but with better techniques and systems they will hopefully be the last. This type of error was not detected by technology in their aircraft, but more modern systems turn this kind of error into a fail passive system that at least warns the pilot of the error. A Runway Awareness Alerting System (RAAS) would have notified the crew which runway they were actually on. Even without such a system, the pilot technique of verifying runway heading prior to initiating the takeoff could also have prevented this crash.

More about this:

Fault Tolerance Evaluation

Fault Type                               Fault Tolerant   Fault Intolerant
Systems: "Safe Life" (nonredundant)
Systems: Fail Passive (Redundant)
Systems: Fail Safe
Pilot Error: Fail Passive (undetected)
Pilot Error: Fail Passive (detected)
Pilot Error: Fail Active                 ?                ?

Of the possible fault modes, the ones we need to pay special notice of are those that are not fault tolerant. By identifying these before flying, we can think through ways to anticipate, avoid, or correct issues before they become problems. The best way to do this is to look at our aircraft's accident history.

Accident History

One of the advantages of flying an aircraft that has been around a few years is you can learn from the experiences of those who came before you. There are several sources of accident history given in the Links section, but individual aircraft manufacturers should be consulted for those that did not end up as mishaps worthy of NTSB investigation.

Systems and Procedures Analysis

Quite often pilots are confronted with "I've never seen that before," or "I've never heard of that before." We need to study our aircraft systems and procedures to anticipate vulnerabilities. Then we can develop techniques to mitigate the vulnerabilities before they become real problems.

Example Evaluation: GII through G550 Ground Spoiler System

Figure: Gulfstream III ground spoiler system, from Technical Order 1C-20B-1, figure 1-82.

The ground spoiler system on every Gulfstream from the GII through the G550 is the primary reason these aircraft demonstrate such good balanced field and landing performance. These six panels truly spoil the lift of the wing and transfer weight to the wheels. If they were to pop up in flight, the results could be catastrophic.

The system is fail passive, nonredundant, which makes it fault intolerant. Each version of the Gulfstream has come out with newer and better detection methods to warn the pilot of a possible problem, and every generation of Gulfstream pilot has come up with newer and better techniques to guard against inadvertent spoiler deployment. But these techniques need to be understood to be correctly employed.

Gulfstream understood that if the weight on wheels (WOW) system were to fail and indicate the aircraft was still on the ground when airborne, the ground spoilers would activate if the throttles were brought to idle. They installed warning lights and provided a switch to dearm the spoilers. Pilots changed the order of the after takeoff checklist to always dearm the spoilers as soon as the gear was retracted, just to make sure. On approach to landing, the ground spoiler system was checked in the "air mode" prior to arming the ground spoilers. There are no reported incidents of getting this wrong in the GII, GIII, or GIV.

Later Gulfstreams incorporated other safeguards, such as wheel speed sensors and an ingenious system that adds a fourth WOW system, in addition to the switch on each landing gear. The fourth system, termed the "Combined WOW," checked the ground/air mode of the main landing gear against the radio altimeter and airspeed. If the radio altimeter is higher than 147.5 feet, for example, the combined WOW thinks it is in the air. If the airspeed is less than 50 knots, it thinks it is on the ground. If the combined WOW disagrees with the main landing gear WOW, a warning message is generated.

When the combined WOW system was adopted, the system used to test the WOW system was eliminated, as well as the checklist item to run the test. GV pilots with prior Gulfstream experience instantly recognized the issue and adopted a technique to ensure it was safe to arm the ground spoilers. Once the landing gear was down, they would call out "Three green, four in the air." That meant they would not arm the ground spoilers unless the gear indicated all three gear were down and locked ("three green"), and all four WOW systems agreed the airplane was in the air mode ("four in the air").

More about this: G450 Systems / Landing Gear Weight on Wheels System.
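The combined WOW disagreement check and the "three green, four in the air" arming gate described above, modeled as an added example (this is not Gulfstream's logic or code from this page). The 147.5 foot and 50 knot thresholds come from the text; how the band between them is treated, how the three gear switches combine into "main gear WOW," and which WOW source drives spoiler deployment are assumptions made here.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

RADALT_AIR_FT = 147.5        # page: above this, combined WOW says "air"
AIRSPEED_GROUND_KT = 50.0    # page: below this, combined WOW says "ground"


@dataclass
class Sensors:
    gear_down_locked: Tuple[bool, bool, bool]   # (nose, left, right): "three green"
    wow_ground: Tuple[bool, bool, bool]         # (nose, left, right) switch reads ground
    radio_altitude_ft: float
    airspeed_kt: float
    throttles_idle: bool


def combined_wow_ground(radio_altitude_ft: float, airspeed_kt: float) -> Optional[bool]:
    """Fourth WOW source: True = ground, False = air, None = undetermined.
    The None case (below 147.5 ft but at or above 50 kt) is an assumption;
    the page states only the two thresholds."""
    if radio_altitude_ft > RADALT_AIR_FT:
        return False
    if airspeed_kt < AIRSPEED_GROUND_KT:
        return True
    return None


def main_gear_wow_ground(s: Sensors) -> bool:
    """Assumption: main gear WOW reads ground if either main switch does."""
    return s.wow_ground[1] or s.wow_ground[2]


def wow_disagree_warning(s: Sensors) -> bool:
    """Page: a warning is generated when combined WOW disagrees with main gear WOW."""
    combined = combined_wow_ground(s.radio_altitude_ft, s.airspeed_kt)
    return combined is not None and combined != main_gear_wow_ground(s)


def may_arm_ground_spoilers(s: Sensors) -> Tuple[bool, str]:
    """'Three green, four in the air': arm only when all three gear are down and
    locked and all four WOW sources (three switches plus combined) say air."""
    if not all(s.gear_down_locked):
        return False, "not three green"
    combined = combined_wow_ground(s.radio_altitude_ft, s.airspeed_kt)
    if any(s.wow_ground) or combined is not False:
        return False, "not four in the air"
    return True, "three green, four in the air"


def ground_spoilers_deploy(s: Sensors, armed: bool) -> bool:
    """Page: with spoilers armed, WOW reading ground plus idle throttles deploys
    them. Assumption: the switch-based WOW drives this, not the combined WOW."""
    return armed and main_gear_wow_ground(s) and s.throttles_idle


# Constructed scenario: on approach at 1,500 ft and 140 kt, gear down and locked,
# with the left main WOW switch stuck in ground mode.
STUCK_SWITCH = Sensors((True, True, True), (False, True, False), 1500.0, 140.0, False)
```

In the constructed scenario the disagreement warning fires and the arming gate refuses, so the stuck switch cannot deploy the spoilers when the throttles later come to idle; a crew that armed anyway would get a deployment.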

Photo: N7777TY, from

Unfortunately, not all GV pilots understood the issue and some even believed the combined WOW would prevent inadvertent ground spoiler activation. As a result, the only case of such an activation was on an airplane with the greatest number of devices to prevent such activation. Had the pilots been more diligent about following their checklists or had they understood the reasoning behind the "three green, four in the air" callout, the aircraft would not have been destroyed.

More about this: Mishaps / GV N777TY.

Evaluating Your Aircraft

The entire reason for studying aircraft fault tolerance, of course, is to prevent bad things from happening to good aircraft. The Gulfstream 450 provides a good example for evaluation. It is a fairly new aircraft with a spotless mishap record, but it has a rich lineage of aircraft before it to learn from.

Learning from its ancestors

Each generation of Gulfstream seems to answer most of the fault intolerant issues of its parents. As a result, the list is rather short in the G450.

Learning from experience

With a new aircraft, or new systems on older aircraft, you quite often have to anticipate problems from systems analysis, or sometimes from hard-earned experience. The G450 flight guidance system is common to the G550 and there are a lot of these airplanes out there. One of the known problems is a type of autopilot "mode confusion" when the vertical mode is changed after vertical mode capture. This can leave the airplane descending into terrain or climbing above an altitude clearance without pilot warning. More about this: G450 Abnormal Procedures / Vertical Mode Trap.

Aircraft Comparisons

Another method of aircraft analysis is to compare it to similar aircraft from other manufacturers. This serves two purposes:

  1. How does the other aircraft handle your aircraft's fault intolerant issues?

  2. What is the other aircraft's mishap history and how would your aircraft have handled these?

The G450 doesn't have any real competition when it comes to range, payload, and speed. But the Falcon 900 series comes close and has an enviable safety record. There are 500 Falcon 900 variants out there, versus 492 GIV and 301 G450 (as of 1Q 2014).

There have been 5 Falcon 900 flight mishaps (5 of 500 = 1%); the airplane has been in service since 1984:

Although there have been no G450 flight mishaps, there have been 6 Gulfstream IV flight mishaps (6 of 793 GIV and G450 = 0.76%); the airplane has been in service since 1985:

See Also:


FSI G450 MTM, FlightSafety International Gulfstream G450 Maintenance Training Manual, August 2008

Gulfstream G450 Maintenance Manual, Revision 18, Dec 12, 2013

Gulfstream G450 Aircraft Operating Manual, Revision 35, April 30, 2013

Gulfstream GV Aircraft Operating Manual, GAC-AC-GV-OPS-0002, Revision 30, May 13, 2008

May Day: Pilot vs Plane, Cineflix, Season 9, Episode 3, 8 March 2010 (Air France 296)

Merriam-Webster Dictionary

NTSB Aircraft Accident Brief, AAB-04/01, Bombardier CL-600-2B16 (CL-604), C-FTBZ, Mid-Continent Airport, Wichita, Kansas, April 14, 2004

Swift, T. 1987, Damage tolerance in pressurized fuselages, 11th Plantema Memorial Lecture, New Materials and Fatigue Resistant Aircraft Design (ed. D L Simpson), pp. 1-77, Engineering Materials Advisory Services Ltd., Warley, UK.

Technical Order 1C-20B-1, C-20B Flight Manual, USAF Series, 1 November 2002

Wanhill, R.J.H., Milestone Case Histories in Aircraft Structural Integrity, National Aerospace Laboratory, NLR-TP-2002-521

Wikimedia Commons, Public Domain Artwork