The design of the flight control system is a failure!

Mondo Technology Updated on 2024-02-09

0. Foreword

A few years ago, in a conversation with a deputy chief engineer of a domestic aviation organization, he said: "Unlike other aircraft systems, our flight control system design is a failure!"

Prompted in this way, I suddenly felt as if I had woken from a dream; it confirmed what I had always thought in my heart. Since then I have often regarded this sentence as a classic.

1. How the flight control system differs from other systems

In the design of some airborne systems, designers spend 80% of their time and energy on the question "how do we meet the functional and performance targets?" How to degrade and reconfigure after a loss of function, and how to detect and isolate a functional error, are not the focus of their attention.

As the end user of the hydraulic, electrical power, air data, inertial navigation and other systems, the flight control designer spends 80% of his time and energy on the questions "what happens after a single or combined failure within the flight control system?" and "what happens when an interfacing system that supplies power or signals to the flight control system fails?"

After such failures occur, can the flight control system still meet the "fail-operational" and "fail-safe" design requirements? How should signal voting and fault monitoring be arranged at each level? These are the key questions the flight control designer considers.

I think the fundamental reason for this difference in design thinking is that the flight control system is a critical system directly tied to life and death. Ensuring that flight control capability is available at all times is the bottom line, the red line and the lifeline of aircraft safety.

Safety is critical

Therefore, the difference in safety requirements dominates the design thinking of different systems. The higher the safety requirements on a system, the more effort must go into considering the various fault scenarios and iterating the system solution so that nothing goes wrong.

2. High-safety characteristics

I often say, "The flight control system is the one with the highest safety requirements." Some people may not be convinced: "We are also Level A, our FHA also contains catastrophic failure conditions, and our software and hardware are also developed to DO-254 and DO-178. Why are you the safe one?"

(1) Based on practice on actual aircraft programs, most flight control functions are assigned FDAL A, and the catastrophic failure conditions in its FHA account for about 1/3 of those of the whole aircraft, which puts it "in first place" among the many airborne systems. Its high-safety character is evident from this.

(2) According to the statistics and analysis of flight accidents by ICAO and the Commercial Aviation Safety Group, as well as Boeing's statistics on commercial jet accidents between 2012 and 2021, accidents related to "loss of control" are extremely harmful, causing nearly half of all flight accident fatalities. Their criticality is self-evident.

(3) For complex critical systems such as flight control, some foreign scholars have proposed the concept of "super A" or "A+": beyond applying the most stringent development assurance process (Level A), more work is required, such as greater use of architectural mitigation measures like dissimilar design.

3. Fault scenarios that should be considered

Compared with the "function- and performance-driven" design approach of some airborne systems, the flight control system is typically "safety- and failure-driven".

Its outstanding feature is that, during design, the impact of failures must be fully evaluated and the system architecture iterated against the various fault scenarios.

Failure scenarios that the flight control system needs to consider include (but are not limited to) the following situations and their combinations:

- Failure of a single channel or multiple channels of cockpit control signals;
- Failure of one or more flight control electronic units;
- Failure of one or more actuators;
- Jamming of cockpit controls or control surfaces;
- Uncommanded hardover or oscillation of a control surface;
- Failure of one or more hydraulic systems;
- Failure of one or more electrical power buses;
- Single-engine and dual-engine failure;
- Failure of one or more sets of air data or inertial navigation signals;
- Failure of EWIS wiring or signal transmission;
- Failures caused by temperature, altitude, electromagnetic and other environmental conditions;
- Common-mode failure of systems and equipment;
- Simultaneous failure of equipment installed in the same zone;
- Particular risks such as rotor burst, tire burst and bird strike.

4. Redundancy design

In order to ensure that the aircraft can still continue safe flight and landing (CSFL) under these fault scenarios, the flight control system pays particular attention to redundancy design (both redundancy configuration and redundancy management) in its architecture.

Redundancy configuration focuses on the physical architecture. How many computers are there? How many sensors are installed? Can the quantitative safety requirements (e.g. 1e-9 per flight hour) be met? Are the redundant channels independent of each other?

Redundancy management focuses on the logical architecture. For example, how are several signals voted? How are fault monitoring and system reconfiguration implemented?
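To make the quantification and independence questions concrete, here is an added worked example that is not part of the original article. It uses a simple beta-factor model: a fraction beta of each channel's failures is common-cause and takes out every channel at once, while the remaining failures are independent and latent until landing. The failure rate, flight duration and beta values are constructed for illustration and are not taken from any real aircraft or standard.

```python
"""Loss-of-function rate for an n-channel redundant system (added illustration)."""
from typing import Dict, Optional

# Catastrophic-condition target quoted in the text: 1e-9 per flight hour.
SAFETY_TARGET_PER_FH = 1e-9


def loss_rate_per_fh(lam: float, n: int, flight_hours: float,
                     beta: float = 0.0) -> Dict[str, object]:
    """Approximate average probability per flight hour of losing all n channels.

    lam          -- failure rate of one channel, per flight hour
    n            -- number of redundant channels
    flight_hours -- exposure time: a channel failure is assumed latent until landing,
                    so all n channels must fail within one flight (constructed assumption)
    beta         -- common-cause fraction (beta-factor model)

    Independent term: all n channels fail in one flight, P ~ ((1-beta)*lam*T)^n,
    divided by T to express it per flight hour.
    Common-cause term: beta*lam per flight hour, and it does not shrink with n.
    """
    independent = ((1.0 - beta) * lam) ** n * flight_hours ** (n - 1)
    common = beta * lam
    total = independent + common
    return {
        "independent": independent,
        "common_cause": common,
        "total": total,
        "meets_target": total <= SAFETY_TARGET_PER_FH,
    }


def channels_needed(lam: float, flight_hours: float, beta: float = 0.0,
                    max_n: int = 6) -> Optional[int]:
    """Smallest channel count that meets the target, or None if no count can.

    Once beta*lam alone exceeds the target, adding channels is pointless: only
    improving independence (lower beta, e.g. dissimilar design) can help.
    """
    if beta * lam > SAFETY_TARGET_PER_FH:
        return None
    for n in range(1, max_n + 1):
        if loss_rate_per_fh(lam, n, flight_hours, beta)["meets_target"]:
            return n
    return None


if __name__ == "__main__":
    # Constructed figures: 1e-4 per fh per channel, 10-hour flight.
    for beta in (0.0, 1e-6, 1e-3):
        for n in (2, 3, 4):
            r = loss_rate_per_fh(1e-4, n, 10.0, beta)
            print(f"beta={beta:.0e} n={n}: total={r['total']:.2e} "
                  f"meets_target={r['meets_target']}")
        print(f"beta={beta:.0e}: channels needed = {channels_needed(1e-4, 10.0, beta)}")
```

The run shows why the text asks "are the redundant channels independent?" before asking "how many?": with perfect independence three channels reach 1e-10 per flight hour, but a common-cause fraction of only 0.1% puts a floor of 1e-7 under the loss rate that a fourth or fifth channel cannot lower.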

Specifically, I would like to mention a few points:

Should the voter use mean or median voting? Should one set of data be held in reserve? How are the voter architecture and parameters chosen? Which parameters does the monitor watch? How is the monitoring threshold determined? How is a fault isolated once it is detected? How is the trade-off made between the performance and the robustness of the monitor? (It must detect faults, but must not raise frequent false alarms.)

[Figure] An example of a triple-redundant voting architecture.
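To make the voting and monitoring questions above concrete, here is an added example that is not part of the original article: a triplex median-select voter with a per-channel miscompare monitor, written in Python. The threshold and persistence values, the channel numbering and the pitch-rate sample stream are all constructed for illustration and are not taken from any real aircraft.

```python
"""Triplex signal voting, fault monitoring and isolation (added illustration)."""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TriplexVoter:
    """Median-select voter with a per-channel miscompare monitor.

    threshold   -- allowed deviation of one channel from the voted value (engineering units)
    persistence -- consecutive out-of-threshold samples before a channel is isolated
    These two knobs are the performance/robustness trade-off: a tight threshold with
    low persistence detects faults quickly but turns transients into false alarms.
    All values are constructed for the example.
    """
    threshold: float
    persistence: int
    counters: List[int] = field(default_factory=lambda: [0, 0, 0])
    isolated: Set[int] = field(default_factory=set)
    dual_miscompare: bool = False

    def valid_channels(self) -> List[int]:
        return [i for i in range(3) if i not in self.isolated]

    def mode(self) -> str:
        return {3: "TRIPLEX", 2: "DUPLEX", 1: "SIMPLEX", 0: "LOSS"}[len(self.valid_channels())]

    def vote(self, samples: List[float]) -> Optional[float]:
        values = [samples[i] for i in self.valid_channels()]
        if len(values) == 3:
            return median(values)        # a single wild channel cannot drag the median
        if len(values) == 2:
            return sum(values) / 2.0     # no majority left: average, detect only
        if len(values) == 1:
            return values[0]             # last channel: no cross-check possible
        return None                      # all channels lost: caller must degrade

    def step(self, samples: List[float]) -> Tuple[Optional[float], str]:
        """Vote one frame, update the monitors, isolate a persistently bad channel."""
        voted = self.vote(samples)
        if voted is None:
            return None, self.mode()
        valid = self.valid_channels()
        if len(valid) == 3:
            for i in valid:
                if abs(samples[i] - voted) > self.threshold:
                    self.counters[i] += 1
                else:
                    self.counters[i] = 0          # transient went away: no alarm
                if self.counters[i] >= self.persistence:
                    self.isolated.add(i)          # confirmed fault: isolate the channel
                    self.counters[i] = 0
            if len(self.valid_channels()) < 3:
                voted = self.vote(samples)        # re-vote using only healthy channels
        elif len(valid) == 2:
            # With two channels a miscompare can be detected but not attributed to
            # one channel; flag it so a higher-level reconfiguration can act.
            a, b = (samples[i] for i in valid)
            self.dual_miscompare = abs(a - b) > 2 * self.threshold
        return voted, self.mode()


def run_scenario(persistence: int = 3) -> Dict[str, object]:
    """Constructed pitch-rate stream (deg/s) on three channels: channel 0 has a
    one-sample noise spike at t=2 (must not be isolated); channel 2 drifts away
    from t=5 onward (must be isolated once the persistence count is reached)."""
    voter = TriplexVoter(threshold=0.5, persistence=persistence)
    history = []
    for t in range(12):
        truth = 1.0
        c0 = truth + (3.0 if t == 2 else 0.0)
        c1 = truth
        c2 = truth + (0.4 * (t - 4) if t >= 5 else 0.0)   # 0.4, 0.8, 1.2, ... ramp-off
        voted, mode = voter.step([c0, c1, c2])
        history.append((t, voted, mode, sorted(voter.isolated)))
    return {"history": history, "isolated": sorted(voter.isolated),
            "final_mode": voter.mode(), "voted_values": [h[1] for h in history]}


if __name__ == "__main__":
    for t, voted, mode, iso in run_scenario()["history"]:
        print(f"t={t:2d} voted={voted:.2f} mode={mode} isolated={iso}")
    # persistence=1 turns the harmless spike on channel 0 into a false isolation
    print("persistence=1 isolates:", run_scenario(persistence=1)["isolated"])
```

With persistence 3 the voted value stays at 1.0 throughout, the spike on channel 0 is absorbed, and channel 2 is isolated at t=8, after which the system runs in duplex. With persistence 1 the same stream isolates the healthy channel 0 at t=2, and the remaining two-channel average is then dragged along by the drifting channel 2: the false alarm, not the fault, is what costs a channel.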

Through redundancy configuration and redundancy management, the aircraft and system design can be assured to meet the safety and airworthiness requirements.

Good redundancy design is the ultimate test of a flight control designer's experience and ability.

5. Design focus

The redundancy design of the flight control system is a comprehensive problem with multiple design objectives and multiple design elements; it is a process of trade-off and compromise.

Trade-offs

The key points of redundancy design include:

- Aerodynamic margin arrangement of the control surfaces (an aircraft design feature);
- Redundancy arrangement of the flight control cockpit sensors;
- Redundancy arrangement of the flight control electronic equipment (e.g. computers);
- Design of the flight control system working modes;
- Active/standby switching logic of the flight control electronic equipment;
- Command/monitor architecture design inside the flight control electronic equipment;
- Signal voting and fault monitoring design of the flight control system;
- Redundancy arrangement of the actuators;
- Design of the actuator working modes;
- Active/standby switching logic between actuators on the same control surface;
- Redundancy and operating modes of the data bus;
- Redundancy arrangement and voting logic for sensors such as air data and inertial navigation;
- Redundancy arrangement and switching logic for the electrical power supply;
- Redundancy arrangement and fault reconfiguration logic for the hydraulic power supply;
- Zonal separation design for equipment installation;
- Separation design for EWIS wiring.

In the design of the flight control system, the key safety requirements should be identified first and addressed in the architecture. Iterate rapidly early in the design to avoid the risk of architectural changes late in the design.

6. "Fail-operational" and "fail-safe"

Through redundancy design, the flight control system arrives at its physical architecture and logical architecture, and under different fault conditions it meets the "fail-operational" or "fail-safe" requirements:

One computer down?

Active/standby switchover, working normally!

Two computers down?

Active/standby switchover, working normally!

Three computers down?

System degrades to direct stick-to-surface control!

Captain's sidestick jammed?

Priority transferred, the first officer flies!

One aileron actuator failed?

Its companion actuator takes over, normal drive!

Both aileron actuators failed?

Capability degraded, the spoilers compensate!

All air data lost?

System degrades, a safe landing is still assured!

Two hydraulic systems lost?

One system left, and that is enough for me!

Both engines failed? RAT plus battery keep me alive!

7. Summary

Despite all the measures the aviation industry takes to ensure safety, shocking incidents have continued to occur in recent years.

Typical aviation incidents related to flight control systems include:

- On May 24, 2011, the uncommanded horizontal stabilizer movement incident on a Falcon 7X business jet.
- On October 29, 2018 and March 10, 2019, the 737 MAX 8 crashes of Indonesia's Lion Air and of Ethiopian Airlines.
- On June 14, 2020, the failure of three flight control computers on a China Airlines Airbus A330 (Taiwan, China).

As a safety-critical system with a high degree of integration of mechanical, electrical and hydraulic elements, the flight control system has a direct bearing on aircraft safety and the public interest.

Three reverences

As civil aviation practitioners, we should learn the lessons of these incidents and use them as a reference in the development of aircraft programs. Always keep in mind "reverence for life, reverence for regulations and reverence for duty", and contribute to the safe, high-quality development of the civil aviation industry.

Extended reading:

- Civil aircraft development assurance and a preliminary study of the new ARP4754B / ARP4761A.
- An introduction to the Airbus A350 fly-by-wire flight control system architecture.
- An introduction to the Airbus A380 fly-by-wire flight control system architecture.
- An introduction to the Airbus A320 fly-by-wire flight control system architecture.
- An introduction to the Boeing 787 fly-by-wire flight control system architecture.
- An introduction to the Boeing 777 fly-by-wire system architecture.
