Quadruplex

Increasing the level of redundancy to four separate lanes of AFCS would be necessary if voting logic was used and continued augmentation after two failures was required. The system reliability may be less than expected, however, due to mechanical complex­ity involved in this level of redundancy particularly as rotorcraft do not have multiple means of generating control forces and moments about a given axis. The advent of digital computation and self-monitoring, as mentioned above, have enabled a triplex system to perform at the level of fault tolerance formerly possible only with a quadruplex system. It is probable, therefore, that in the future, a quadruplex, digital AFCS with self-monitoring would only be fitted on an aircraft with catastrophic failure modes. Such a system, based on a component MTBF of 1000 hours, would have a theoretical probability of total failure of 7.1 x 10_n per hour or an MTBF of over 1 200 000 000 hours.

6.5.4.4 Signal consolidation

All the systems described above have consisted of separated lanes of AFCS with consolidation only at the main servo jack. Alternative architectures arrange for all the sensor signals to go to all of the computers and for all of the computers to drive all of the actuators. This serves to improve the availability of the system because a lane containing a failed component can continue to operate using signals from the surviving components in the other lane(s). Although theoretically the reliability is not changed, actually there will be an improvement because common failures or simultaneous dissimilar failures in the different lanes will be required before the AFCS integrity is in question.

6.5.4.6 Failure modes, effects and criticality analysis

The systems described above have been necessarily simplistic and have assumed independent sensor packages and electrical/hydraulic supplies to each lane. Actual systems are generally more complicated with the precise system architecture varying with aircraft type or AFCS manufacturer. Typically a triplex, or quadruplex, system may still offer augmentation following a range of failures but at a degraded level and within a reduced flight envelope. In addition, optional sensors may be used to provide a synthetic signal following failure of the primary sensor. For example, a rate gyro signal may be integrated and used to replace the signal from a failed vertical reference system (VRS).

It should be clear that to assess an AFCS requires a detailed knowledge of the system architecture and its intended modes of operation, including operation following failures. An evaluation called a Failure Modes, Effects and Criticality Analysis (FMECA) is usually conducted in order to determine the likely effects of all conceivable failures to ensure the validity of any degraded modes assessment conducted as part of the flight test programme. Due to the limited time available only the more probable failure cases will be subject to an in-flight assessment. So, for example, although there may be a variety of failures that could lead to the loss of a primary sensor, such as a vertical gyro, or the loss of a lane in a multiplexed system, flight testing would simply involve assessing the permissible envelope with a single lane disengaged or with the feed from the gyro disabled. It is, however, worth remembering the number of occasions that the FMECA has proved, through bitter flight experience, to be incomplete. For example, supposedly dissimilar components in individual lanes that are all susceptible to the same common mode failure due to a similarity in design.