Planning for failures

Before flight testing can take place a significant amount of preparation and planning is required. A failure modes, effects and criticality analysis (FMECA) will have been conducted to determine the probability of component failure and the effect of these failures on the system as a whole. It is then the job of the test team to evaluate the ultimate consequence of these system failures in the role. As part of this process, or in parallel to it, the test team will gain their detailed system knowledge. As a result of the FMECA it may be necessary to have specialized equipment designed and built to inject failures if the normal cockpit controls cannot be used to achieve this. It may also be necessary to approach the manufacturer for clearance to conduct certain tests and to provide more generous limitations. The difficulty of the anticipated recovery manoeuvre(s) will affect the requirement for crew training so these are defined at the planning stage and simulator time booked if appropriate.

7.6.1 Alerting the pilot

Specification documents (such as Ministry of Defence Standard 00-970 [7.2]) stipulate that for all failures that can affect the operation of an aircraft some means of alerting the crew must be provided. These documents also lay down the characteristics of the warnings, for example, the colours to be used and viewing arcs. Warnings can take the form of audio tones, flashing attention-getters and captions, either individually or in combinations. The first stage when assessing any warning is to determine if it performs its primary function, in other words, does it warn the pilot? Since the attention-getting quality of any warning is its most important feature it is assessed under an extensive range of environmental and mission conditions. The appropriateness of the level of warning provided is also considered for any failure state. Clearly the more serious the potential outcome of a failure the stronger the attention-getting qualities of the associated warning must be. Thus major emergencies such as engine fires or low hydraulic pressure are normally indicated to the crew with audio tones and red captions. An excess of these captions and audio signals is counter-productive and therefore the cockpit assessment will determine if they are only used when the crew must act immediately to ensure the aircraft’s safety.

Of course, warnings are not restricted to the alerting of failure states; they are also used to indicate to the pilot that the aircraft is approaching or exceeding the flight envelope, the most common parameters being structural limits, torque and rotor speed. The assessment of flight envelope warnings concentrates on the four key areas of accuracy, clarity, utility and reliability. Dealing first with accuracy, it is obvious that an inaccurate warning is of little use, but it is sometimes not realized that an inaccurate warning can be worse than no warning at all. Take the example of a high rotor speed audio warning which is set at a level that is below the maximum permitted NR. In this situation pilots may rely on the audio system and may not control rotor speed until the alert is heard. An inaccurate or unreliable warning could have serious consequences in this situation. Turning to clarity, any alerting system must provide an unambiguous message to the pilot that will direct him or her to react correctly. Audio warnings associated with low rotor speed or engine failure and high NR are particularly important in this respect, as an incorrect reaction by the pilot will usually exacerbate the problem. Utility is a measure of the usefulness of an alerting system in helping the pilot to respect the flight envelope limitations whilst permitting exploitation of the full potential of the aircraft. Whilst an alerting system that tells the pilot he has already exceeded a limit may be useful to the ground crew in directing their post-flight rectification activities, it has little utility as far as the pilot is concerned. Similarly, a system which is triggered very close to the limiting value may not provide an adequate margin to prevent an exceedance during dynamic situations.
Well-designed warning systems can have high utility, such as those that assist the pilot in maintaining the optimum rotor speed during a single engine flyaway without having to monitor the cockpit gauge. In other words, an alerting system should provide cues to the pilot on the proximity of the limit and thus allow him to ‘fly the buffet’. Although most warnings and alerts are visual or aural, there are tactile systems in operation as well; the Bell 430, for example, employs a collective lever shaker to alert the pilot to high values of torque. Clearly a warning or alerting system must be very reliable and not give spurious alerts, otherwise crews will quickly lose confidence in it and eventually choose to ignore it.
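The utility point above (a warning set close to the limit may leave no margin in dynamic situations) can be checked against recorded traces. The following is an added example, not taken from the original text: it measures the time between warning activation and limit exceedance for a slow and a fast rotor-speed rise. The limit, warning levels, rates and reaction time are all constructed assumptions.

```python
# Added example; every number here is constructed, not aircraft data.

def first_crossing(times, values, level):
    """Time the trace first reaches `level`, interpolating linearly
    between samples; None if it never does."""
    if values[0] >= level:
        return times[0]
    for i in range(1, len(values)):
        v0, v1 = values[i - 1], values[i]
        if v0 < level <= v1:
            t0, t1 = times[i - 1], times[i]
            return t0 + (level - v0) * (t1 - t0) / (v1 - v0)
    return None

def warning_lead_time(times, values, warn_level, limit):
    """Seconds from warning activation to limit exceedance.
    None: warning never fires. inf: fires, limit never reached."""
    t_warn = first_crossing(times, values, warn_level)
    if t_warn is None:
        return None
    t_limit = first_crossing(times, values, limit)
    return float("inf") if t_limit is None else t_limit - t_warn

def assess(traces, warn_level, limit, reaction_s):
    """Per trace: does the warning leave at least `reaction_s` seconds?"""
    verdicts = {}
    for name, (times, values) in traces.items():
        lead = warning_lead_time(times, values, warn_level, limit)
        if lead is None:
            verdicts[name] = "no warning"
        else:
            verdicts[name] = "adequate" if lead >= reaction_s else "inadequate"
    return verdicts

def ramp(rate, start=100.0, duration=20.0, dt=0.5):
    """Constructed trace: NR in percent rising linearly at `rate` %/s."""
    times = [i * dt for i in range(int(duration / dt) + 1)]
    return times, [start + rate * t for t in times]

TRACES = {"gentle": ramp(0.5), "rapid": ramp(4.0)}  # constructed
LIMIT = 108.0      # hypothetical maximum permitted NR, percent
REACTION_S = 1.0   # assumed pilot recognition-plus-reaction time, s

if __name__ == "__main__":
    for warn in (107.0, 103.0, LIMIT):
        print(warn, assess(TRACES, warn, LIMIT, REACTION_S))
```

With these constructed figures, a warning one percent below the limit is adequate for the gentle rise but not the rapid one, and a warning set at the limit itself is inadequate for both.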

The assessment of alerting systems has obvious dangers particularly where it is necessary to go to the flight envelope limit to activate the warning. An incremental approach is vital and the use of telemetry with careful monitoring of trends is commonplace. This may be a situation where more generous limits can be sought from the manufacturer during the trials planning stage. Alternatively it may be possible to adjust the warning to activate at an artificial value although this is not without hazard as the modification may invalidate the assessment especially if it involves recompiling software.

Alerting the pilot to failures of non-critical systems is often an area that is poorly engineered and this can have serious consequences. Failures of sensors that feed the flight instruments, navigation system or flight control system fall into this category. During the assessment of the aircraft it will be necessary to determine if the crew is warned adequately about the degradation caused by such failures. For example, if the compass reverts on failure to a directional gyro mode, which reduces its accuracy, this should be indicated clearly to the crew.