FADEC Control Laws & Protections
Article 04 built the hardware: two channels, a private alternator, an independent bodyguard. This article is the software those parts run — the schedules that wake the engine, hold it at idle, accelerate it without choking it, set its thrust, and snatch it back from the edge when something goes wrong. One theme runs through every law on this page: fuel must neither choke the engine (surge, overtemperature) nor starve it (flameout). Every schedule below is a different answer to that same balancing problem.
┌──────────────────────────────────┐
│ ④ PROTECTIONS (the apex — │ MEASTO · stall recovery
│ may intervene at any time) │ keep-out zone · IPTOS · LP TOS
├──────────────────────────────────┤ OPU (N1/N2) · red-line limiters
│ ③ RATINGS & LIMITS │ four rated EPRs · FLEX/DERATE
│ │ seven maximum limits
├──────────────────────────────────┤
│ ② RUNNING CONTROL │ steady-state EPR (A/THR or TLA)
│ │ accel/decel closed loops
│ │ three idles + five floors
├──────────────────────────────────┤ └ degradation: EPR → N1 rated
│ ① WAKE-UP LAYER │ → N1 not rated
│ ignition fuel (4 corrections) │
│ accel to idle · auto relight │
│ quick relight · T30 weather │
└──────────────────────────────────┘
1. The wake-up layer: ignition fuel, and "light, then lean"
"The EEC sets the necessary fuel flow for ignition to occur in relation to the N3 speed. This flow is adjusted to make allowance for the: P20 / T20 / EGT / Oil temperature." — "A secondary EEC schedule gives protection from too much fuel flow. The maximum permitted fuel flow is directly related to P30 and N3."
Even the first drops of fuel are computed: scheduled on N3, then corrected by four parameters — including, perhaps surprisingly, oil temperature (a cold-soaked engine atomises fuel poorly and is granted a little more). A secondary schedule caps the flow against P30 and N3 so that no correction can over-fuel the start. Two specialised variants bracket the basic law. On a ground start, the main schedule deliberately slows the acceleration — protection against the high-EGT, near-stall behaviour that weak starter air pressure invites. At high-altitude relight the logic runs the other way:
"For in-flight relights, at high altitude, the EEC sets an equivalent to the ground start fuel flow for initial ignition only. Immediately that satisfactory ignition has occurred the EEC decreases the flow sufficiently in relation to the altitude. This is necessary to prevent a possible HP compressor stall condition."
Light, then lean: in thin air the flame needs a generous fuel flow to catch, but the compressor cannot digest that flow once combustion is established — so the instant ignition succeeds, the EEC pulls the fuel back in proportion to altitude. This single sentence returns as the silent partner of every in-flight relight in article 26.
2. Three idles and five floors
"The EEC reads the throttle resolver angle and the MODIDLE discrete status (set by the EIVMU) to set one of three idle speeds: ‐ Minimum modulated idle ‐ Approach idle ‐ Reverse idle."
| Idle | Purpose | Detail |
|---|---|---|
| Minimum modulated | lowest runnable speed | rises with bleed demand — feeding packs or anti-ice raises the idle |
| Approach | guarantee go-around response | set high enough that the engine can accelerate to go-around thrust within a defined time |
| Reverse | protect the reverser structure | initially low (so deploying pivoting doors are not blasted); if reverse is selected but not pulled to max within about 5 seconds, idle rises automatically to approach-idle level |
Below whichever idle is current run five floors — and the EEC feeds whichever floor demands the most fuel:
"The EEC sets the highest fuel flow necessary to prevent engine operation below these minimum limits: ‐ Minimum P30, for sufficient engine bleed air ‐ Minimum N3, for satisfactory IDG operation and for protection from flame-out ‐ Minimum N1, to prevent ice on the air intake fairing/spinner ‐ Minimum fuel flow, for protection from flame-out ‐ Minimum T30, for protection from flame-out during bad weather conditions."
The third floor is a genuine piece of trivia with operational meaning: N1 has an anti-icing minimum — turn the fan too slowly and the spinner ices. So "what is idle N1 on this aircraft?" has no fixed answer: idle is the maximum of five floors evaluated under the current conditions, which is why the idle figure on the EWD visibly moves with bleed configuration and weather (article 15).
3. Acceleration: closed loops, rate caps, and the automatic fuel release in a surge
Acceleration from idle to maximum rating runs closed-loop throughout (on N3 rate-of-change plus P20), and a slam acceleration is caught first by a fuel-flow rate-of-change cap — the first gulp is always metered. The sentence most worth memorising in the whole acceleration law is this one:
"If a surge occurs during acceleration, the EEC automatically decreases the fuel flow to agree with the sudden decrease in P30. An EEC logic instruction then causes the fuel schedule to operate to a decreased limit to help the engine come out of the surge condition."
P30 — HP compressor delivery pressure — collapsing is the fingerprint of a surge: the instant the compressor backflows, its outlet pressure caves. If fuel kept flowing to the original schedule, the fuel/air ratio would explode into sustained surge and overtemperature. Instead fuel follows P30, so the flow always matches the air the compressor is actually delivering — and the schedule then runs to a reduced limit until the engine is clear. Deceleration mirrors the same idea with the opposite worry: the rate cap on the way down exists to prevent flameout.
4. Steady state, and the degradation chain: EPR → N1 rated → N1 not rated
"In auto-thrust mode the Auto-Flight System calculates and transmits an EPR TARGET to the EEC. … In manual thrust mode the EEC reads the throttle resolver angle and controls the engine to the related EPR TARGET. There are four rated values of EPR (calculated by the EEC) which are given at identified throttle positions: Maximum take-off / Maximum continuous / Maximum climb / Minimum idle."
Normal steady-state control targets EPR — automatic mode receives the target from the auto-flight system, manual mode derives it from lever angle against four rated values at the marked detents. When EPR cannot be trusted, the chain degrades:
"If the EEC finds that the EPR is not accurate, a software instruction will change engine control to the back-up (reversionary) N1 schedule. This schedule can also be set manually by flight crew selection of the N1 MODE push-button."
| Mode | How thrust is computed | Corrections | Meaning |
|---|---|---|---|
| N1 rated | the EEC converts its computed EPR into an equivalent N1 from stored data | corrected for ambient conditions and Mach (using aircraft P0/P20/T20 if engine sensors are unavailable) | the rating still exists — only the control currency changed |
| N1 not rated (degraded) | idle lever position = idle N1; TOGA position = red-line N1; linear interpolation between | none | the rating concept is gone — the lever is a bare ruler whose top is the red line |
Read the degraded row with the chill it deserves: in not-rated mode, full forward lever means straight to the N1 red line. The FADEC is no longer computing "today's maximum permitted thrust" for you — the discretion returns to your hand (article 21 covers the alert and procedure that accompany this). And one trigger is precise enough to quote:
"In the case where the aircraft is in Emergency Electrical Configuration, the engine (EEC) will pass into N1 degraded mode, because heating of P20T20 probe is lost and there is only one ADIRU available."
Emergency electrical configuration does not risk degradation — it guarantees it: both legs of the air-data chain (the engine's own probe heating, and the cross-check partner) fail together. This is the thrust-control world that follows a double engine failure (article 33). Reverse thrust, finally, always runs on a dedicated N1 reverse schedule, manual only — and pulling the reverser levers automatically disconnects the A/THR.
5. Air-data voting: four conditions and one asymmetric rule
The EEC holds two air-data sources — its own P20T20 probe (article 04) and two ADIRUs — validates both (including compensation for the effect of probe heating on the reading), then resolves them in four tiers:
| Condition | Situation | Source used |
|---|---|---|
| 1 | engine data agrees with ADIRU 1 | ADIRU 1 (or ADIRU 2 if agreement is with 2) |
| 2 | engine and aircraft data nearly identical | aircraft data |
| 3 | a difference, but acceptable | the mid-value |
| 4 | the difference is not acceptable | the engine's own data |
Inside condition 4 hides the precise gateway into the degradation chain:
"‐ If engine P20 is more than aircraft P20 the EEC will stay in EPR control ‐ If engine P20 is less than aircraft P20 the EEC will change to N1 reversionary control (rated)."
Why asymmetric? Because EPR = P50/P20: an under-reading P20 inflates the computed EPR — the engine believes it is producing more thrust than it is (the dangerous direction; think of a partially iced P20 line), while an over-reading P20 merely understates EPR and the engine gives a little extra (the conservative direction). Error toward danger → abandon EPR; error toward conservatism → keep it. One asymmetric rule, one philosophy: better to over-push than to imagine thrust that is not there.
A related housekeeping threshold worth a line: probe heat runs from N1 > 10 % and is off below 10 % N1 (or on the ground below 45 % N3) — so a cool probe at ground idle is normal, not a snag.
6. Ratings and the seven maxima
The four reference EPRs (TOGA, MCT, MAX CLB, idle reference) are computed in real time from the rating data the DEP selects; crew entries through the MCDU create the FLEX and DERATE ratings — the execution end of the limitations in article 00. Standing above all control modes are seven maximum limits:
"These limits are: ‐ Maximum N1 speed ‐ Maximum N2 speed ‐ Maximum N3 speed ‐ Maximum P30 ‐ Maximum rate of fuel flow ‐ Maximum (fuel flow / P30) ‐ Maximum (N1 / root T20)."
The first three are the cockpit red lines (99 / 103.3 / 100 %) living inside the control law. The last two are compound limits — fuel-flow-to-P30 against rich-mixture surge, N1-over-√T20 against fan aerodynamic limits — red lines beyond the red lines: invisible in the cockpit, present in every lever movement.
7. The anti-flameout trio
① Auto relight — the standing insurance against an idle flameout:
"The automatic relight function is armed when the ENG MASTER switch is 'ON' and the engine has satisfactorily started. The EEC then monitors the rate of change of N3 at idle and compares this to a minimum datum calculated from P30. If a flame-out condition is found the igniters are continuously energized until the condition is corrected and for 10 seconds more."
The flameout fingerprint is an N3 decay faster than any normal deceleration — and the datum is computed from P30 because combustion-chamber pressure collapses in the same instant (the same physics as §3, used in reverse). Both igniters fire continuously until recovery, plus ten seconds for good measure.
② Rain-and-hail T30 control — three actions in one package:
"During bad weather conditions, a large quantity of water and/or hail (in the core engine) can cause a sudden decrease in T30 and an engine flame-out. To prevent a flame-out in these conditions, the N3 speed is increased in relation to the T30 value by the EEC. The EEC also energizes the two igniter plugs … And sets all of the core engine bleed valves open to send the water overboard through the cold exhaust duct/CNA."
The third action is the elegant one: the seven anti-surge bleed valves of article 03 moonlight as water-dump valves — ingested water is slung into the bypass duct at IP8/HP3 before it ever reaches the combustor. T30 (three HP-compressor-exit thermocouples) is this logic's eye. The function is inhibited on the ground (via the EIVMU's air/ground signal), so taxiing through heavy rain cannot command an uncalled-for thrust increase.
③ Quick relight — the thirty-second golden window:
"This is done by selection of the ENG MASTER switch to the ON position … in the conditions that follow: ‐ The selection must be made during the 30 seconds of time that immediately follow the shutdown ‐ The engine speed must be higher than 10 percent N3. … the EEC ignores the usual automatic start checks and the position of the rotary selector. It immediately opens the PRSOV (in the FMU) and energizes the igniter plugs … The EEC will not cancel the quick relight function if fuel ignition does not occur. The flight crew must manually cancel the engine start."
This is the rescue path for an inadvertently selected MASTER OFF (article 26): the rotors are still hot and turning, and the FADEC takes a shortcut — no start checks, rotary selector ignored, fuel and ignition immediately. But note the counter-intuitive tail: quick relight has no automatic abort. If the fuel does not light, the EEC keeps trying; stopping it is your responsibility.
8. The four stability protections
The FCOM's FUNCTIONS section states all four fan/IP stability protections in full.
① MEASTO:
"Modified Engine Acceleration Schedule for Take Off (MEASTO): A logic that ensures a progressive thrust is automatically set during the takeoff roll. Engine acceleration is controlled with an 'EPR/second' rate in EPR mode."
The AMM supplies the motive: in crosswinds or intake turbulence, fan-stall risk peaks at low forward speed — so MEASTO paces the ground acceleration at a controlled EPR-per-second rate. The 32-knot engine crosswind limit of article 00 is this protection's sibling: a strong crosswind over a stationary aircraft is precisely when the fan eats its most distorted inflow. Whether MEASTO is active on a given engine is selected by the DEP's fan stall index (article 04).
② Stall recovery:
"When a fan stall is detected, a recovery logic is triggered which consists of a fuel flow reduction and Variable Stator Vanes repositioning. The protection is active until the thrust lever is moved as per ECAM procedure."
"Until the thrust lever is moved" is the origin of the THR LEVER step in the stall procedure of article 27: the protection does not stand itself down — it waits for you to act per ECAM.
③ The keep-out zone:
"To prevent fan instability, this logic avoids stabilized engine operation between the 1.16 to 1.28 EPR range (in N1 rated mode, the keep-out zone depends on the ambient conditions), when on ground with an aircraft speed below 80 kt."
At low ground speed, that EPR band is where the fan is most prone to instability — so the FADEC will pass through the band but refuses to dwell in it. Above 80 kt the inflow cleans up and the zone is released.
④ IPTOS:
"In the case of an Intermediate Pressure Turbine overspeed, the Intermediate Pressure Turbine Overspeed System (IPTOS) either automatically limits the engine thrust to 30 % of the maximum takeoff thrust, or automatically shuts down the affected engine. … The IPTOS protection remains active on the affected engine for the remainder of the flight. In the case of one engine inoperative in flight, the IPTOS protection is automatically inhibited on the remaining engine (when the thrust lever is set to, or above, MCT for at least 4 s)."
The last sentence is the soul of the paragraph. With one engine already failed, the surviving engine's IPTOS is deliberately disarmed — the designers chose the aircraft over the turbine: in genuine single-engine flight, no protection logic may cap the only remaining thrust at 30 %. "MCT or above for at least 4 seconds" is the disarm signal. The cockpit face of an IPTOS activation — the ENG THRUST LIMITED alert — is article 21; the exceedance context is article 28.
9. The four-layer overspeed ledger — and the LP TOS in hardware detail
| Layer | Guards against | Executor | Cut mechanism | Article |
|---|---|---|---|---|
| EEC red-line limiters | N1/N2/N3 crossing the red lines | EEC (the seven maxima, §6) | control-level fuel reduction | this article |
| OPU | hard N1/N2 overspeed (when the limiters cannot) | independent unit (dual ASIC) | FMU overspeed valve closes the shut-off valve | 04 |
| LP TOS | LP shaft breakage (fan sheds load, turbine runs away) | EEC, comparing FBH probes against rear-bearing turbine probes | automatic fuel cut via the shut-off valve's overspeed torque motor | 01 / 28 |
| IPTOS | IP turbine overspeed | EEC | limit to 30 % or shut down (§8④) | 28 |
Add the mechanical failsafe shaft from article 01 and "what if a shaft breaks" has three stacked answers: physical capture (failsafe shaft) → immediate fuel cut (LP TOS) → remainder-of-flight limitation (IPTOS, same philosophy).
The LP TOS deserves its hardware close-up, from the AMM's dedicated emergency-shutdown chapter:
"This unit (EEC) contains a turbine overspeed circuit board in channel A which has two channels (A and B) of logic for the turbine overspeed function. … Three LP compressor speed probes transmit shaft speed signals to the OPU (overspeed protection unit). This unit makes the selection of two satisfactory N1 signals … and transmits the same two satisfactory N1 signals to the EEC. One N1 signal is supplied to each logic channel … Three LP turbine speed probes transmit shaft speed signals directly to the LP turbine overspeed circuit board … When the speed of the LP rotor system is higher than 1000 rpm the LP turbine overspeed protection circuits are armed. Each logic channel (A and B) … continuously compares its LP turbine speed input with its LP compressor speed input. If the two logic channels find a specified speed difference between the LP turbine and compressor (in a specified time limit) it is accepted as a true failure condition."
Three details to file separately. First, the verdict is double-signed — both logic channels must agree within the specified time before fuel is cut: the same anti-spurious philosophy as the OPU's dual ASICs. Second, the trip can be reset from the cockpit — "the control signal from the EEC can be reset (cancelled) from the cockpit: this makes sure that a LP system malfunction will not permanently stop a serviceable engine." Third, the protection is live-tested on every ground start: during the pre-light-up checks the BITE injects a simulated speed difference, the shut-off valve momentarily closes and immediately reopens, the start proceeds undisturbed, and any defect is recorded and sent to the central maintenance system. Every routine start fires this shaft-failure insurance once, with live ammunition. (One transcription note: a mid-paragraph reference to "an IP shaft failure" reads, in context, as an LP typo — the whole section monitors the LP shaft; quoted as printed.)
10. Where these laws surface in operations
| Logic (this article) | Operational landing point | Article |
|---|---|---|
| EPR → N1 degradation chain | EPR MODE FAULT / N1 DEGRADED / RECOVERABLE | 21 |
| emergency electrics → degraded | thrust management after dual engine failure | 33 |
| stall recovery "released by lever movement" | the THR LEVER step in the stall procedure | 27 |
| IPTOS 30 % / shutdown | overlimit handling | 28 |
| quick relight never self-cancels | inadvertent MASTER OFF / in-flight relight | 26 |
| rain-hail T30 trio | engine behaviour in heavy precipitation | 15 / 27 |
| three idles | approach idle's meaning; the reverse 5-second rule | 13 / 34 |
| auto relight | continuous-ignition indications | 11 / 15 |
Self-test
[!note]- Q1. Why is idle higher on approach than in cruise? Approach configuration selects approach idle, defined so the engine can accelerate to go-around thrust within a specified time. Idle is three-tiered (minimum modulated / approach / reverse) and switches with flight phase — and beneath all three run the five floors, of which the highest bidder sets the fuel.
[!note]- Q2. After an automatic reversion to N1 rated, does full lever overspeed the engine? And in N1 not-rated? In rated N1 the rating still exists — the EEC has converted the computed EPR into an equivalent N1 with ambient and Mach corrections; full lever gives maximum rated thrust. In not-rated (degraded) mode there is no rating: TOGA position maps linearly to the red-line N1, so an unthinking full-forward push runs the engine to its limit. The lever has become a bare ruler.
[!note]- Q3. What is the asymmetric P20 rule, and why is it asymmetric? When engine and aircraft P20 disagree irreconcilably: engine P20 higher → stay in EPR; engine P20 lower → revert to N1 rated. A low P20 inflates computed EPR — phantom thrust, the dangerous direction; a high P20 deflates it — extra thrust, the conservative direction. Abandon EPR only when the error points toward danger.
[!note]- Q4. During a heavy-hail encounter, what three things does the FADEC do — and which valves moonlight in the third? It raises N3 against the falling T30, fires both igniters continuously, and opens all core bleed valves so the ingested water is slung overboard through the bypass — the seven anti-surge valves doubling as water dumps. Inhibited on the ground.
[!note]- Q5. What does the LP TOS check at every ground start, and can a tripped TOS be undone in flight? Every ground start, the BITE injects a simulated turbine/compressor speed split during pre-light-up; the shut-off valve momentarily closes and reopens — a live-fire self-test that never disturbs the start. And yes: a TOS trip can be reset from the cockpit, so a TOS malfunction cannot permanently kill a serviceable engine.
Key takeaways
| Topic | Essentials |
|---|---|
| One theme | fuel must neither choke (surge/EGT) nor starve (flameout) the engine — every law balances the same pair |
| Wake-up | ignition fuel on N3 with 4 corrections (incl. oil temp); ground starts decelerated; high-altitude relight = light then lean |
| Idle | three tiers (modulated rises with bleed; approach guarantees GA response; reverse low then auto-up at ~5 s) over five floors (P30/N3/N1-anti-ice/FF/T30) |
| Surge response | fuel follows the collapsing P30 — automatic lean-out the instant a surge begins |
| Degradation | EPR → N1 rated (rating preserved, corrected) → N1 not-rated (lever = bare ruler to the red line); emergency electrics forces degraded |
| Air-data vote | four tiers; the asymmetric P20 rule — abandon EPR only when the error is dangerous |
| Anti-flameout | auto relight (N3-rate vs P30 datum, +10 s); rain-hail trio (N3 up, igniters on, bleeds open); quick relight (30 s, N3 > 10 %, no auto-abort) |
| Stability four | MEASTO (EPR/s on the roll) · stall recovery (released only by lever movement) · keep-out 1.16–1.28 EPR below 80 kt · IPTOS (30 % or shutdown; remainder of flight; disarmed single-engine at MCT ≥ 4 s) |
| Overspeed ledger | red-line limiters → OPU (N1/N2) → LP TOS (double-signed, cockpit-resettable, live-tested every start) → IPTOS; plus the mechanical failsafe shaft |
References
- FCOM DSC-70 (FADEC functions) — the four stability protections quoted in full (MEASTO, stall recovery, keep-out zone, IPTOS).
- AMM 73-21 (FADEC, D/O — operation sections) — ignition fuel schedule and corrections, ground-start and high-altitude variants, three idles and five floors, acceleration/deceleration loops and the surge fuel-follow, EPR control and the N1 reversionary modes, emergency-electrical degradation, air-data voting and the asymmetric P20 rule, probe-heat thresholds, ratings and the seven maxima, auto relight, rain-hail T30 control, quick relight.
- AMM 76-21 (emergency shutdown system, D/O) — LP TOS architecture: channel-A circuit board with dual logic, 1000-rpm arming, probe routing via the OPU, double-signed verdict, cockpit reset, per-start BITE live test.
- Integrative synthesis (marked in text): the pyramid framing; the cold-oil atomisation reading; the "bare ruler" characterisation of degraded mode; the danger-direction logic of the P20 rule; the aircraft-over-turbine reading of the IPTOS single-engine inhibition.
Independent study material, not an Airbus publication and not endorsed by the manufacturer. Always defer to the current operator FCOM, FCTM, and QRH for operational use.