1960 - 2232.PDF
572 FLIGHT, 7 October 1960 AVIATION ELECTRONICS ...

any number of ways but, if the failure risk allocations are sensible, the resultant MTBF will not be very different from the figures in the table. They are surprisingly low, as was indicated in the overall estimate made in the previous article. Furthermore, calculations based on these figures indicate that the probability of the airborne equipment developing a fault during a five-hour flight is a remarkable 38 per cent. The ground equipment reliability is not included in this estimate as most faults might be expected to be cleared during the five-hour period of the flight of one aircraft. A system which just meets the ARB proposed requirement is therefore hardly likely to be favoured by the airlines, because it would present a serious servicing problem. By the same token, any acceptably serviceable system will easily achieve the safety target and the more stringent accident risk figure of 1 × 10"* per landing therefore seems not at all unreasonable.

It is of interest to view the ARB proposed requirement from the standpoint of component reliability. A modern monitored pitch autopilot might contain 100 transistors, 200 diodes, 400 capacitors, 1,000 resistors, 10 motors, 20 synchros, 80 plugs and sockets and 600 less critical components. On the basis of component failure rates at present being achieved in American commercial equipment (no comparable figures are available in Britain) it is possible to derive a maximum MTBF of 500hr for this equipment. The MTBF can be improved only by a higher order of design and quality control in both components and equipment. The operator's requirements allow no relaxation of present standards. These will have to be improved if full automatic landing is to be an economic proposition, and if Britain's present lead in automatic landing is to be consolidated. So much for 1 × 10⁷.
REDUNDANCY WITH ECONOMY

THE basic requirement for unscheduled automatic landing, as I stated in the foregoing pages, is that the equipment must survive a single failure and continue to operate. Fundamentally, this can be achieved by triplication of all equipment. But in providing and justifying redundant equipment in civil passenger aircraft, consideration must be given not only to overall safety, reliability and performance, but also to weight, installation difficulties, overall cost, maintenance problems and many other factors. Unnecessary redundancy must therefore be avoided. Items of equipment which are inherently reliable, such as robust mechanical devices, and items which can be made to give positive indication of their own failure, such as radio receivers with built-in failure warning of an acceptable standard, do not need multiplication.

The application of these broad principles can perhaps best be understood by considering how a single pitch autopilot as shown in Fig 3 can be rendered fail-safe, i.e., capable of automatic disconnection in the presence of any single failure without substantial alteration to the flight-path of the aircraft.

The most obvious method is to duplicate the autopilot completely as shown in Fig 4. A discrepancy between the servo motor outputs will now indicate failure of one of the autopilots and disconnect both. While a fail-safe capacity can be bestowed on the autopilot in this way, the weight of the system has been doubled. The system as a whole will fail twice as frequently, and therefore require twice as much servicing as the non-duplicated autopilot. Furthermore, if the disconnection criterion is a difference between servo motor displacements or torques, the disconnecting device must have a finite threshold equal to the sum of the differences in sensor nulls and component tolerances between the two autopilots. The threshold must also be large enough to accommodate the difference in system dynamic responses.
This implies that one autopilot can be in error by an amount equal to the threshold before a disconnection results; and because the control surface angle will normally be the average of the autopilot demands, an autopilot hard-over can move the surface by half the threshold setting before the disconnection occurs. If each channel contains an error integrator, further complication is introduced because cross-synchronization between the channels then becomes essential if nuisance disconnections are to be prevented.

Because the inclusion of a threshold cannot be avoided, the same result can be achieved by substituting a "veto-servo" for the second servo motor, as shown in Fig 5, and this offers some advantages. The basic purpose of the veto-servo is to mechanically lock the servo motor drive to earth whenever the difference between servo motor and veto-servo outputs exceeds a threshold equivalent to that of the disconnection device, independently of whether the disconnection device does or does not operate. This is therefore another means of mechanically restricting output excursions in the event of a failure; and it avoids some of the problems which arise in the alternative system in which two servos can have command simultaneously. Because the veto-servo is never required to drive against high torque-load, it can be extremely light and much of the weight of a second servo motor is saved.

The veto-servo action, although helpful in some cases, is insufficient in itself to meet the requirements of a fail-safe system in that a failure to disconnect could still allow the aircraft to deviate from the demanded flight-path; and the pilot might not realize that a failure had occurred. It is essential that effective autopilot disconnection should occur, that the pilot should be warned of the failure and the control runs automatically freed. The disconnection and warning unit can only be electrical and must be made truly fail-safe.
The design techniques involved in achieving this are well known.

Fig 3. A single pitch control axis (diagram labels: autopilot demand system, position feedback)

Fig 4. A duplicated pitch autopilot (diagram labels: autopilot demand system 1, servo motor, autopilot demand system 2, servo motor, error disconnect)

Fig 5. A fail-safe pitch autopilot with veto-servo (diagram labels: autopilot demand system 1, autopilot demand system 2)

Fig 6. A completely monitored pitch autopilot (diagram labels: autopilot demand system, comparison demand system, servo motor, error monitor and disconnect)
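
The duplicated-autopilot argument above (a disconnect threshold sized by null and dynamic-response differences, and a hard-over moving the surface by half of it before disconnection), as an added Python sketch that is not part of the 1960 article. The first-order-lag channel model, null offsets, time constants, step demand, 20 deg/s runaway rate and 20 per cent margin are all constructed assumptions.

```python
# Added illustration (constructed model and values, not from the 1960 article).
# Two pitch channels, each a first-order lag with its own null offset and time
# constant, drive one surface that takes the average of the two demands.

def run(threshold, fail_at=None, nulls=(0.10, -0.05), taus=(0.20, 0.25),
        hardover_rate=20.0, dt=0.001, t_end=5.0):
    """Return (trip_time, surface_excursion, peak_discrepancy); degrees, seconds.

    trip_time and surface_excursion are None when the comparator never trips.
    fail_at: time at which channel 1 runs away at hardover_rate, or None.
    """
    y = list(nulls)                      # both channels start settled on zero command
    peak = 0.0
    for i in range(int(round(t_end / dt)) + 1):
        t = i * dt
        diff = y[0] - y[1]
        peak = max(peak, abs(diff))
        if abs(diff) > threshold:        # comparator disconnects both channels
            # the surface is the average, so it sits diff/2 away from the good channel
            return t, diff / 2.0, peak
        command = 2.0 if t >= 1.0 else 0.0          # 2 degree step demand at t = 1 s
        for ch in (0, 1):
            if ch == 0 and fail_at is not None and t >= fail_at:
                y[ch] += hardover_rate * dt                    # hard-over runaway
            else:
                y[ch] += (command + nulls[ch] - y[ch]) * dt / taus[ch]
    return None, None, peak


def minimum_threshold(**kw):
    """Largest healthy discrepancy: any lower threshold gives nuisance disconnects."""
    return run(threshold=float("inf"), **kw)[2]


if __name__ == "__main__":
    floor = minimum_threshold()
    threshold = 1.2 * floor                                   # 20 % margin (assumed)
    t_trip, excursion, _ = run(threshold, fail_at=3.0)
    print(f"nuisance-free threshold floor : {floor:.3f} deg")
    print(f"hard-over at 3.0 s trips at   : {t_trip:.3f} s")
    print(f"surface excursion at trip     : {excursion:.3f} deg "
          f"(threshold/2 = {threshold / 2:.3f})")
    print("threshold below floor, no fault:", run(0.9 * floor)[0])
```

The floor exceeds the static null difference of 0.15 degrees because the two lags respond to the step at different speeds, which is the dynamic-response allowance the text calls for.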