1、SAE Technical Standards Board Rules provide that: “This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is entirelyvoluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefro
2、m, is the sole responsibility of the user.”SAE reviews each technical report at least every five years at which time it may be reaffirmed, revised, or cancelled. SAE invites your written comments and suggestions.Copyright 2007 SAE InternationalAll rights reserved. No part of this publication may be
3、reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of SAE.TO PLACE A DOCUMENT ORDER: Tel: 877-606-7323 (inside USA and Canada)Tel: 724-776-4970 (outside USA)Fax: 724
4、-776-0790Email: CustomerServicesae.orgSAE WEB ADDRESS: http:/www.sae.orgAEROSPACE INFORMATION REPORTAIR5273Issued 2001-12Reaffirmed 2007-01Actuation System Failure Detection MethodsRATIONALEThis document has been reaffirmed to comply with the SAE 5-year Review policy.FOREWORDThis AIR is a sister doc
5、ument to AIR4094 and AIR4253. It provides only the failure detection method detail to accompany the more complete architecture and hardware descriptions contained in the referenced AIRs.TABLE OF CONTENTS1. SCOPE .31.1 Purpose .32. REFERENCES .32.1 Applicable Documents .32.2 Related Publications 42.3
6、 Definitions 42.3.1 Acronyms and Abbreviations .43. BACKGROUND63.1 Evolution 63.2 Avoiding the “Nuisance-Disconnect“73.3 Architecture and Application 73.3.1 Cross-Channel Versus In-Line Monitoring .83.4 Designing “By the Numbers“83.4.1 Probability of Failure 83.4.2 Fault Coverage 93.4.3 Commercial A
7、ircraft Failure Criticality and Probability.103.4.4 Military Aircraft Failure Criticality and Probability.123.5 System Separation.133.6 Fighting Between Redundant Commands to a Surface.14SAE AIR5273 - 2 -TABLE OF CONTENTS (Continued)3.7 Electronic Rigging 143.7.1 Electronic Rigging Purpose143.7.2 Ri
8、gging Definitions .153.7.3 Rigging and Failure Detection153.8 Real-Time Monitoring, Continuous Built-In-Test and Initiated Built-In-Test 164. MONITORING TECHNIQUES 174.1 Failure Locations174.2 Failure Types .174.2.1 Passive Failures.174.2.2 Active Failures .184.2.3 Latent Failures .184.2.4 Oscillato
9、ry Failures.184.3 Failure Detection Approach194.4 EHV Failure Detection204.4.1 Passive Failures and the Use of Bias 214.4.2 Where to Detect Failure .224.5 Direct Drive Valve Failure Detection 224.6 Linear and Rotary Variable Transformer Failure Detection244.7 Logic Valve Failure Detection.254.8 Sole
10、noid Valve Failure Detection .264.9 Outer Loop Modeling .265. SERVOACTUATOR FAILURE DETECTION DESCRIPTIONS 275.1 F-111 275.2 Tornado 285.3 Space Shuttle Orbiter.305.4 F-16315.5 F/A-18 C/D .335.6 LAVI355.7 X-29A .375.8 V-22385.9 A319/A320/A321 - A330/A340.395.10 C-17 .425.11 B-777 .435.12 Saab 200044
11、5.13 N-250 .475.14 RAH-66 505.15 Light Combat Aircraft .516. NOTES546.1 Key Words54SAE AIR5273 - 3 -1. SCOPE:This AIR provides descriptions of aircraft actuation system failure-detection methods. The methods are those used for ground and in-flight detection of failures in electrohydraulic actuation
12、systems for primary flight control. The AIR concentrates on full Fly-By-Wire (FBW) flight control actuation though it includes one augmented-control system. The background to the subject is discussed in terms of the impact that factors such as the system architecture have on the detection methods ch
13、osen for the flight control system. The types of failure covered by each monitoring technique are listed and discussed in general. The way in which these techniques have evolved is illustrated with an historical review of the methods adopted for a series of aircraft, arranged approximately in design
14、 chronological order.1.1 Purpose:The purpose of this document is to aid the designers of the systems of the future by showing what succeeded in the past.2. REFERENCES:2.1 Applicable Documents:The latest issue of the documents shall be used except in those cases where an invitation for bid or procure
15、ment contract specifically identifies the issues in effect on a particular date. In the event of a conflict between the text of this document and the references cited herein, the text of this document takes precedence. 2.1.1 SAE Publications: Available from SAE, 400 Commonwealth Drive, Warrendale, P
16、A 15096-0001. Web site: www.sae.org. Telephone: (724)-776-4970SAE AIR4094, Aircraft Flight Control Systems Descriptions.SAE AIR4253, FBW Actuation System Descriptions.SAE Paper 831484, Development of Redundant Flight Control Actuation Systems for the F/A-18 Strike Fighter, H.E. Harschburger.SAE Publ
17、ication, Aircraft Flight Control System Design, E.T. Raymond and C.C. Chenoweth.2.1.2 U.S. Government Publications: Available from DODSSP, Subscription Services Desk, Building 4D, 700 Robbins Avenue, Philadelphia, PA 19111-5094. Web site: http:/assist.daps.mil or http:/stinet.dtic.mil/MIL-F-9490, Fl
18、ight Control Systems Design, Installation and Test of, Piloted Aircraft, General Specifications for.MIL-STD-882, System Safety Program Requirements.SAE AIR5273 - 4 -2.1.3 FAA Publications: Available from Federal Aviation Administration, 800 Independence Avenue, SW, Washington, DC 20591AC 25.13091A F
19、AA Advisory Circular, System Design Analysis, (1988, June).NPA 25C-199 JAA Notice of Proposed Rule Making, Interaction of Systems and Structure, (1996, April).2.1.4 RTCA Publications: Available from RTCA Inc., 1140 Connecticut Avenue, NW, Suite 1020, Washington, DC 20036.RTCA DO-178 Software Conside
20、rations in Airborne Systems and Equipment Certification2.2 Related Publications:The following publications are provided for information purposes only and are not a required part of this SAE Aerospace Technical Report.2.2.1 SAE Publications: Available from SAE, 400 Commonwealth Drive, Warrendale, PA
21、15096-0001SAE Publication, Fly-By-Wire A Historical and Design Perspective, V.R. Schmitt, J.W. Morris and G. Jenney (1998)2.3 Definitions:2.3.1 Acronyms and Abbreviations:BIT Built-In-TestCBIT Continuous Built-In-Test CCDL Cross Channel Data Link CCM Cross-Channel Monitoring CMM Common Mode Monitor
22、CRM Command Response Monitor CSAS Command and Stability Augmentation System DDV Direct Drive Valve DFCC Digital Flight Control Computer ECU Electronic Control Unit SAE AIR5273 - 5 -2.3.1 (Continued):EHV Electrohydraulic Servovalve EICAS Engine Indicating and Crew Alerting System FAA Federal Aviation
23、 AdministrationFBW Fly-By-Wire FCC Flight Control Computer FHA Functional Hazard Analysis FMEA Failure Modes and Effects Analysis FMECA Failure Modes and Effects Criticality AnalysisFO / FS Fail-Operate / Fail-Safe FO2/ FS Double-Fail-Operate / Fail-Safe FS Fail-SafeIBIT Initiated Built-In-Test IFCM
24、 Integrated Flight Control Module ILM In-Line monitoring JAA Joint Aviation AuthoritiesLCA Light Combat Aircraft LES Leading Edge Slat LRU Line Replaceable Unit LVDT Linear Variable Differential TransformerMBIT Maintenance Built In Test MCV Main Control Valve MMC Mechanical Mode Coupler MTBF Mean Ti
25、me Between Failures SAE AIR5273 - 6 -2.3.1 (Continued):NPRM New Proposed Rule MakingNVM Non-Volatile MemoryPBIT Preflight Built-In-Test PLOC Probability of Loss of Control RLS Reservoir-Level-Switching RVDT Rotary Variable Differential TransformerRVT (Sometimes used) RVDT With Only Four WiresSVM Ser
26、vovalve Monitor WRA Weapon Removable Assembly3. BACKGROUND:This section discusses some of the aspects of the design of flight control actuation systems. It attempts to discuss their impact on failure detection design only and to avoid a more general discussion of control system design.3.1 Evolution:
27、Primary flight control actuation systems have evolved through three generations since the general adoption of full-time powered actuation. Analog FBW replaced the electronic augmentation of mechanical commands and has in its turn been replaced by digital FBW. Meanwhile, the servoactuators have also
28、changed significantly. Hydromechanical complication and relatively simple electrical interfaces marked the earlier FBW actuation concepts found in the Space Shuttle and the F-16. The current generation, typified by the Airbus “family”, the Boeing 777 and the V-22, employ significantly simpler hydrom
29、echanical logic and depend much more upon electronic failure detection and the associated electronic equipment.The reasons for this are: Increased confidence in integrated electronics and digital processing, because of the increased competence and reliability of the hardware, allows advantage to be
30、taken of the weight and initial cost savings made possible by the use of electrical logic instead of hydromechanical logic. Decentralization of the associated electronics makes the cable weight penalty for a more complex electrical interface less severe, a factor of increasing importance, as actuati
31、on systems become less centralized.SAE AIR5273 - 7 -3.2 Avoiding the “Nuisance-Disconnect”:The flight control and actuation systems used in FBW aircraft employ redundancy for safety and incorporate many elements, as shown Figure 1, that interact in a closed loop manner.FIGURE 1 - The FBW Servoactuat
32、or and Its InteractionsBecause of the interactions and because the precise states of many of the elements cannot be known, it is often difficult to diagnose servoactuator failures as quickly as the aircraft requires. To one degree or another, all of the satisfactory methods developed to date filter
33、out transient events and require persistence of indication before a failure will be declared. The design of a diagnostic method always requires a balance to be drawn between satisfactory performance and an acceptable risk of the “nuisance-disconnect”. This is defined as the declaration of a failure
34、when none exists and the consequent mistaken attempt to provide protection by disconnecting correctly operating system components.3.3 Architecture and Application:The primary flight control servoactuators flying today use many different diagnostic techniques. These differences are a function of the
35、year in which they were designed, the differing performance they must provide and the various system architectures in which they are employed. There is no universally applicable, “best” architectural approach. The architecture chosen for each new aircraft will be determined by its mission and by the
36、 component and subsystem technology available to the design team. This available technology will change for each new generation of aircraft and this will force a re-evaluation for each new aircraft.SAE AIR5273 - 8 -3.3.1 Cross-Channel Versus In-Line Monitoring: The architectures proposed for the fir
37、st generation of FBW aircraft were frequently differentiated by their approach to monitoring. Four-channel architectures featuring cross-channel comparison for failure detection competed with triplex architectures employing “in-line” monitoring.Cross-channel comparisons between four channels typical
38、ly allows the detection and isolation of the first and second failures but not the third since a one-on-one comparison provides no basis for distinguishing the bad channel from the good. With this type of architecture care must be taken to avoid the potential for single failures that will result in
39、an even number of channels being compared since there is no way to distinguish the bad from the good. Two dual transducers, for example, provide no protection against disconnection of a single load path to the two probes of one paired transducer.In-line monitoring provides “self-monitoring” of each
40、channel and therefore can be designed to provide sustained operation with only one remaining channel. A triplex in-line monitored approach therefore provides the same degree of fault protection as a quadruplex cross-compared architecture, though each channel of the triplex architecture contains appr
41、eciably more hardware than each channel of the quadruplex architecture. In-line monitoring allows a greater degree of system separation, a desirable feature for flight critical applications and of great assistance to the certification of commercial aircraft. Present-day FBW architectures almost inva
42、riably use combinations of in-line and cross-channel monitoring, protected for system safety, as described in the system separation discussion of 3.5.3.4 Designing “By the Numbers”:3.4.1 Probability of Failure: Actuation systems were once designed to operate following a selected combination of failu
43、res such as “any hydromechanical failure plus loss of any two electrical systems”. It is now customary to design an actuation system and each Line-Replaceable-Unit (LRU) to achieve allocated probabilities of loss of function and loss of control. Loss of function means that the system can no longer p
44、erform its intended function. In general it will have reverted to a Fail-Safe (FS) mode of operation that allows continued safe flight and landing. This loss of function may or may not allow completion of a mission and mission reliability is one way in which military actuation systems are specified.
45、 Loss of control, by contrast, means loss of control of the aircraft.Some military actuation systems have an FS mode that does not allow safe landing. Such a mode may allow continued flight for a time sufficient only to allow engine restart or safe ejection.In the military aircraft field the terms P
46、robability of Loss of Function (PLOF) and Probability of Loss of Control (PLOC) are customarily used. During the preliminary phase of a military air vehicle design, the prime contractor and the procuring agency must agree on the vehicle mission reliability, its PLOC and the associated safety hazard
47、categories, see 3.4.3 and 3.4.4.SAE AIR5273 - 9 -3.4.1 (Continued):Each possible failure must be considered for its probability and for its consequences using Failure Modes and Effects Analysis (FMEA) or Failure Modes and Effects Criticality Analysis (FMECA), Fault Tree Analysis and Functional Hazar
48、d Analysis techniques, see 3.4.3. The design of the failure-detection methods and the “coverage” they achieve is a vital part of this process.Accessing historical data covering the failure rates and failure modes of actuation system components is also of prime importance. SAE publication “Aircraft F
49、light Control System Design”, section 12.1.9, lists potential sources.3.4.2 Fault Coverage: Fault coverage is the number of failures that will be detected expressed as a percentage of all failures that could occur. It is a direct result of a systems overall architectural design together with the detailed design of its hardware and software. Fault coverage is a vital system aspect, because it is often true that certain undetected failures can result in loss of control. In this case the product of the probability of these failures and their “lack of cover
