Reliability and availability

When an aircraft is evaluated for a particular role the reliability of the complete vehicle will be almost as important as the handling qualities that it possesses. Thus the vehicle specification will often include some statement of the minimum acceptable reliability. When a helicopter is fitted with an AFCS, on which it depends for normal operation, the reliability of this system has increased importance. It is usual for the system availability to be specified when serious degradation of the handling qualities results from total AFCS failure. Thus some minimum number of major failures is specified before any degradation in AFCS performance is allowed.

The reliability of an AFCS is usually defined as the probability of total system failure, but can also be expressed as a mean time between failures (MTBF). In the case of an ACT helicopter such a failure would be catastrophic, most likely resulting in the loss of the aircraft, and so the specified reliability of the overall flight control system would be very high. Typical figures are 10⁻⁹ per flight hour for civil applications and 10⁻⁷ for military systems. Associated with reliability requirements is the availability of a system. This is defined as the requirement that it should continue to operate after a specified number of major failures. For example, a system may be specified such that it shall function correctly after one or two failures. Clearly, this implies duplication, or redundancy, in the system. Redundancy is often required to ensure that the AFCS meets the necessary reliability, since individual component reliability cannot be guaranteed for the extreme MTBFs specified.

The degree of multiplexing, or redundancy, incorporated into an AFCS will depend on the handling qualities of the unaugmented aircraft and whether successful completion of the mission is dependent on AFCS integrity. Degrees of multiplexing can be ranked in order of increasing fault tolerance. To gain some idea of the theoretical improvement in reliability, an individual component MTBF of 1000 hours has been assumed in the following examples.

6.5.4.1 Simplex

A simplex system has no built-in fault tolerance and will cease to function following a single failure. Thus a simplex AFCS would be acceptable only in a helicopter whose unaugmented handling qualities are themselves acceptable and where the majority of the mission could be completed satisfactorily with the ‘raw’ aircraft. A simplex system may be reduced to its main components (sensors/computer/actuator), all of which are required for satisfactory operation. The probability of failure of the example system would be, typically, 3 × 10⁻³ per hour, giving an MTBF of approximately 330 hours.

6.5.4.2 Duplex

The duplex system consists of two completely separate AFCS lanes, from sensors through to actuators, although the actuation will be combined at the pilot valve of the main servo jack. Without any form of system monitoring it is impossible to arrange for automatic deselection of a malfunctioning lane, and therefore the system would have a probability of first failure similar to that of the simplex AFCS. In fact it might be worse, since there are twice as many components in this system. The advantage it has over a simplex system is that a runaway in one lane will be sensed and countered by the other, assuming that a simultaneous failure has not occurred, so the ensuing departure from controlled flight will be more benign. Unfortunately fault diagnosis will be more difficult, since the pilot has no way of determining which lane has failed and which operated correctly to counter the disturbance. Therefore the handling qualities of the raw aircraft must still be acceptable to ensure flight safety during the fault diagnosis and deselection process. More modern duplex systems feature digital computation that enables self-monitoring at the expense of increased computation time. This is often achieved by engineering a pseudo third lane that monitors sensor information and determines the appropriate actuator response. Using this approach it is possible to indicate a failed lane or to arrange for automatic deselection, in which case the probability of a system failure exposing the raw handling qualities reduces to 9 × 10⁻⁶ per hour, giving an MTBF of over 110000 hours, as two failures are now required before augmentation is lost.

6.5.4.3 Triplex

Three separate lanes are necessary in aircraft where the handling qualities dictate the need for stability augmentation following two failures, or where the impact of those handling qualities on manual fault diagnosis and manual deselection of a failed lane is unacceptable. As noted above, this latter requirement can now be satisfied using a self-monitored duplex (or pseudo triplex) system. In all cases, however, automatic monitoring and deselection of a single failed lane requires the presence of three signals, so that the two good lanes can ‘vote’ out the bad one. Such a system can survive a single failure with no change in handling qualities, although it provides no protection against a common mode failure that causes two signals to go bad at the same time. Following a first failure, however, in the event of a disparity between the two surviving channels the voting logic will fail and the aircraft will suffer a total loss of augmentation, just like that caused by a single failure in the duplex system. It is at this point that the greater availability provided by triplex systems becomes evident, in that the crew can regain augmentation after the second failure provided the surviving lane can be correctly identified. Once again, through the use of self-monitoring, modern digital systems can improve the situation by providing automatic deselection following a second failure, thereby reducing the probability of total failure to 2.7 × 10⁻⁷ per hour, an MTBF of 37000000 hours.
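The lane voting, deselection and loss-of-augmentation behaviour described in the duplex and triplex sections, as an added Python model that is not part of the original text. The tolerance TOL, the per-lane health flags, the status strings and the manual reselect method are assumptions; loss_rate applies the independent-lane product model, which reproduces the text's simplex and duplex figures.

```python
from statistics import median

TOL = 0.05   # assumed tolerance for treating two lane outputs as agreeing


def loss_rate(lane_failure_rate, failures_to_lose):
    """Per-hour probability of losing augmentation when independent lanes
    each fail at lane_failure_rate and failures_to_lose of them must fail."""
    return lane_failure_rate ** failures_to_lose


class Voter:
    """Consolidates the commands of n identical AFCS lanes (n = 1, 2 or 3).
    self_monitoring models the digital pseudo lane that can flag its own
    lane as failed; without it a two-lane disparity cannot be resolved."""

    def __init__(self, lanes, self_monitoring=False):
        self.active = set(range(lanes))
        self.self_monitoring = self_monitoring

    def vote(self, outputs, health=None):
        """outputs: {lane: command}; health: {lane: False} for lanes whose
        self-test has failed (assumed interface). Returns (command, status)."""
        health = health or {}
        if self.self_monitoring:
            for lane in [l for l in self.active if health.get(l) is False]:
                self.active.discard(lane)          # automatic deselection
        live = {l: outputs[l] for l in self.active}
        if len(live) == 3:
            mid = median(live.values())
            bad = [l for l, v in live.items() if abs(v - mid) > TOL]
            if len(bad) == 1:                      # two good lanes vote out the bad one
                self.active.discard(bad[0])
            elif len(bad) == 2:                    # no majority: all three disagree
                self.active.clear()
                return None, "lost"
            # note: two lanes failing to the same value (common mode) form a
            # majority and vote out the good lane; the model cannot detect that
            return mid, "augmented"
        if len(live) == 2:
            a, b = live.values()
            if abs(a - b) <= TOL:
                return (a + b) / 2, "augmented"
            self.active.clear()                    # disparity, no third signal
            return None, "lost"
        if len(live) == 1:
            return next(iter(live.values())), "augmented"
        return None, "lost"

    def reselect(self, lane):
        """Crew re-engages a single lane it has identified as the good one."""
        self.active = {lane}
```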