[american institute of aeronautics and astronautics guidance, navigation, and control conference -...

Copyright ©1996, American Institute of Aeronautics and Astronautics, Inc.

AIAA Meeting Papers on Disc, July 1996A9635667, AIAA Paper 96-3784

Design of deep stall protection for the C-17A

Obi I. IloputaifeMcDonnell Douglas Aerospace, Long Beach, CA

AIAA, Guidance, Navigation and Control Conference, San Diego, CA, July 29-31, 1996

We present the design of the C-17 angle-of-attack limiter system (ALS). The C-17, without an ALS for protection, hasa locked-in deep stall potential. The ALS uses a unique method of computing sideslip. This computed sideslip is thenused in failure monitoring to provide a minimum Fail-Op-Fail-Op-Fail-Passive capability. At ALS engagement, tactilefeel provides the pilot with heads-up awareness of the flight regime. After over 2000 stall tests, and assaults to alphalimit, the pilot community has gained full confidence that the ALS will protect the C-17 from entering the locked-indeep stall region. (Author)

AIAA-96-3784

DESIGN OF DEEP STALL PROTECTION FOR THE C-17A

Obi I. Iloputaife*C-17 Avionics/Flight Controls IPT

McDonnell Douglas AerospaceLong Beach, California

ABSTRACTThis paper presents the design of the C-17

angle-of-attack limiter system (ALS). The C-17,without an ALS for protection, has a locked-in deepstall potential. The ALS uses a unique method ofcomputing sideslip. This computed sideslip is then usedin failure monitoring to provide a minimum Fail-Op-Fail-Op-Fail-Passive capability. At ALS engagement,tactile feel provides the pilot with heads-up awarenessof the flight regime. After over 2000 stall tests, andassaults to alpha limit, the pilot community has gainedthe confidence that the ALS will protect the C-17 fromentering the locked-in deep stall region.

INTRODUCTIONThe C-17 A, Figure 1, is a high performance,

military cargo airplane. Its basic mission is to routinelydeliver outsize cargo to austere airfields around theworld. The C-17A can routinely operate out of unpavedrunways in forward battle areas, land and combat off-load all its cargo, or deliver necessary cargo using itsLow Altitude Parachute Extraction System capability.

BACKGROUNDThe C-17A flight control system began as a

mechanical system with a limited authority Stability andCommand Augmentation System (SCAS). Laterdevelopment revealed the potential inability to complywith a paragraph in the Air Vehicle Specification1

without some form of deep stall protection. Therequirement in the AVS is that, "The airplane shall bereadily recoverable from all attainable attitudes andmotions."

The C-17 is a T-tail airplane, and like manyairplanes with a T-tail configuration, has a locked-indeep stall potential (Figure 2).

NOTE: MAXIMUM AIRCRAFT NOSE DOWN AUTHORITY

ANU

AND

POTENTIAL FOflLOCKED-INDEEP STALL

\ NO LOCKED-IN^ DEEP STALL

POSSIBLE

Figure 1: USAF C-17A Globemaster HI

Figure 2: Pitching Moment Curve Showing Deep-StallPotential

As illustrated in Figure 3, it is extremelydifficult to recover from a locked-in deep stall, withoutspecial recovery devices (i.e., chutes), using theavailable pitch control authority.

* Sr. Principal Engineer, AV/F IPT, Sr. Member AIAACopyright © 1996 by the American Institute ofAeronautics and Astronautics, Inc. All rights reserved.

American Institute of Aeronautics and Astronautics

ANUNOTE: i' » constant

vane. The three vane pairs are adequate to meet theaccuracy and redundancy requirements.

The numbering of the angle-of-attack vanes isas follows:

AND

Figure 3: Available Aircraft Pitch Authority

One way to assure recovery in this configuration is toalways retain a minimum static margin, illustrated as"Static Pitching Moment Margin" in Figure 3. A studyinvestigated various ways of limiting the aircraft angle-of-attack to prevent excursions beyond that required forthe minimum static margin. The two leading candidateswere an Angle-of-Attack Limiter System (ALS) and astick pusher.

The study resulted in the selection of anextremely reliable ALS, instead of a stick pusher, toprovide the required protection from deep stall. Thestick pusher lacked the required reliability and has apotential for single point failure. A hard-over failure ofthe stick pusher would require the pilot to carry heavyand untrimmed forces until landing, in violation of theC-17 Air Vehicle Specifications'.

The ALS employs a full authority quadruplexdigital Fly-by-Wire system. This mechanizationprovides the necessary safety margin, with minimumrequirements of Fail-Operational-Fail-Operational forredundancy, and 10"9 probability of erroneous angle-of-attack limiting.

This paper discusses the development andvalidation of the ALS with slight emphasis on controllaw and signal management design.

ANGLE OF ATTACK MEASUREMENTSince vane type sensors provide increased

accuracy at high angles of attack, six alpha vanes, threeon each side of the airplane, are the primary sources ofangle of attack measurement for the C-17. The vanearrangement involves three groups of left-right pairs:upper, middle, and lower pairs. Vanes in each groupare on the same fuselage reference location in the X-Zplane. True angle-of-attack calculation and failuremonitoring require one vane pair and one additional

1-2-3-4-5-.6-

Upper leftUpper rightMiddle leftMiddle rightLower leftLower right

Inertial signals, from quadruple redundantInertial Reference Sensors (BR.S), complement thesensed angle of attack.

Each vane senses local angle-of-attack. TheALS then corrects these measurements to true aircraftreference angle-of-attack before use and disseminationto other functions. However, the biggest challenge wasin providing failure monitoring for the alpha sensors toprevent erroneous limiting of angle-of-attack. Localangle-of-attack is dependent on sideslip angle, but theC-17 has no sideslip sensors. This made the failuremonitoring task particularly difficult.

To prevent nuisance vane failures, the initialfailure detection algorithm used a detection threshold of20 degrees. Of course, this implied a propagation of upto 20 degrees of alpha error in the ALS. Fortunately,validation of the high alpha aerodynamics occurredwithout the ALS during the initial flight test phase.This gave adequate time to develop a better InputSignal Management (ISM) algorithm.

Analysis of various ISM methods revealed thatusing sideslip to condition the vane measurementsbefore monitoring provided the only acceptablesolution. Sideslip in the monitoring equation allows areduction of the detection threshold from 20 degrees to2.5 degrees. The lower detection threshold significantlyreduces the risk of error propagation without anyincrease in nuisance disconnects.

Computation of Sideslip AngleThere are various methods of obtaining

sideslip, such as installation of sideslip sensors, andestimation of sideslip from lateral acceleration.Computation from lateral acceleration is inherentlyinaccurate in the presence of winds and requiresextensive gain scheduling. Also, addition of sideslipsensors on the airplane, at this stage in the program, wasnot a cost-effective alternative.

After observing how the vanes behaved duringthe initial high alpha flight testing, it was apparent that


generation of sideslip was possible from exploiting therelationship between the vanes. Analysis of wind tunneland flight test data revealed that the angle-of-attackvanes have the following characteristics:

1) Without atmospheric disturbances, sideslip orfailures, vanes in the same group behave alike.

2) In the presence of sideslip (steady), vanes onthe same side have a fixed relationship.

3) Vanes in the same pair haverelationship with sideslip and roll rate.

a fixed

4) Each vane pair has unique regions of angle-of-attack in which they are insensitive to sideslip.

5) Vanes on the same side behave closer to eachother in the presence of atmospheric disturbances thanvanes on opposite sides.

It is possible to generate sideslip from thesebehavior patterns, using a combination employing vanesfrom the same side, and the three left-right vane pairs.

Since vanes on the same side have a fixedrelationship with sideslip, it results in six sideslipestimates after a combination as follows:

n = (a, - a3)k,i,5 = (a, - as)k2}35 = («3 - as)k3

24 = (02 -Z6 = (02 -

}46 = (a,

Also, vanes on opposite sides (vane pairs) can generatesideslip as follows:

J12= (O-i - 02 + KpP)k7= (03 - 04 + KpP)k8

J56= (05 - 06 + KpP)k9

Where, k j through kg are functions of angle of attack,Kp is a function of angle-of-attack and velocity, and Pis aircraft roll rate.

Notice that loss of one vane automaticallyeliminates three sideslip angles. However, loss of fivevanes causes complete loss of sideslip. The challenge isin selecting the correct sideslip from the nine computedvalues in the presence of failures.

Figure 4 shows the sideslip computationschematic. Allocation of estimated sideslip angle toeach group is such that each vane has only onerepresentation as follows:

Group 1:Group 2:Group 3:

P.3,5,5,

^24.J26,

J46»

B*

Figure 4: Sideslip Computation Schematic

Using this technique, a vane failure wouldproduce a sideslip value that is either higher or lowerthan other values in the group. Low sideslip valuescould be due to stuck vane pairs or from regions wherea particular vane pair is insensitive to sideslip. Mostfailures manifest as higher values of sideslip, since atypical vane failure is either "stuck" or "running away,"therefore, increasing the value of the difference. Eachgroup uses a triplex signal selection process(Middle/Average/Last). This process involves selectingthe middle value when there are no declared failures,the average of the two remaining values in the presenceof one failure, and the last value when there are twofailures. A failure on each of the three sideslip angles ina group, will invalidate that group's output. Furtherprocessing of the outputs of the three groups, using thesame Middle/Average/Last selection criteria, producesthe final sideslip angle. The final selection eliminatesany errors that might have propagated from the initialselection process.

Loss of three vanes causes the loss of seven ofthe nine sideslip angles input to the processing logic.Processing continues however, until a fourth vanefailure occurs. The fourth vane failure will cause lossof the monitoring function because it is difficult todiscern which of the two sideslip angles is correct. It is


therefor only necessary to detect a large variation in thetwo remaining sideslip angles to correctly shut offangle-of-attack calculation. Detection of the final vanefailure is also possible because the higher of the tworemaining sideslip angles would either be the correctvalue or the value from a failed vane. If it is the correctvalue, then mechanical tracking continues. Else, theerroneous sideslip causes the error between the vanes toexceed the detection threshold for the final failure.

Figure 5 shows a comparison of measured(BETA_VANE) and computed sideslip angle(BETAEST) from actual C-17 flight test data. Themaximum error in sideslip angle is less than threedegrees during the dynamic portion of the maneuver.This degree of accuracy is adequate for monitoring.

25.0u

HF.t0.0

-25.a

>>-w

0.0 50.0 100.0 150.0 200.0 250.0

TIME

Figure 5: Comparison of Estimated and MeasuredSideslip

Failure Detection and IsolationSignal management of the vanes includes

detection of three types of failures: electrical failures(each vane is electrically quadruple redundant), ratefailures, and mechanical failures. The latter requiresreducing the output of the vanes to a common reference.Conditioning of the six local angles of attack andreduction to a common fuselage aircraft referenceinvolves computed sideslip angle, true aircraft angle-of-attack, and aircraft roll rate. This reference is a point onthe airplane where all the vanes read the same angle inthe absence of failures. Figure 6 is a schematic of themechanical failure detection algorithm.

The final mechanization provides a minimumFail-Operational-Fail-Operational-Fail-Passiveredundancy with three vane pairs. The final Fail-Passive requirement provides the crew adequate time,after the final failure annunciation, to react and recoverthe airplane to a more benign attitude prior to ALSdeactivation. After detection and isolation of the firsttwo vane pair failures, an "ALS Fail-Op" annunciationadvises the crew of the condition—one more failure

would result in complete shutdown. On detection of thethird vane pair failure, the annunciation reverts to"ALPHA LIMIT INOP," and synthesized alpha, frominertial and air data measurements, provides fiveadditional seconds of ALS operation, before a completeshut down.

a,—.

"3— '

P —PR-

O'S—

as—

FuselageReferenceConversion

WLocal toFuselageReferenceConversion

3

'

Weighted

3/

Threshold

jO^ -| | r Mechanical—— "W"* ~y~ ' fall

!„„„„..„...-....-..__...„— —J

Figure 6: Alpha Vane ISM Schematic

Implementation of the signal managementalgorithm in the C-17 non-real-time simulation providesthe basis for the analysis results in Figure 7. Varioustest results confirm the ability of the algorithm to detectand isolate all types and combinations of failures. Thesimulation results in Figure 7 are for vane failures in amaneuvering flight consisting of pitch control input,maximum rudder pedal input and moderate VonKarman turbulence.

The simulation involves applying the first,second, third, and fourth failures to the vanes in thefollowing order: left upper vane (AOA VANE 1) slow-over (increasing alpha) at 1 second, left middle vane(AOA VANE 3) slow-over (decreasing alpha) at 10seconds, right middle vane (AOA VANE 4) slow-over(decreasing alpha) at 20 seconds, and right upper vane(AOA VANE 2) freezes at 40 seconds.

The first failure detection and isolationoccured at approximately 8 seconds—indicated byLAVOK1 going low. The second (LAVOK3) and third(LAVOK4) failure detection occured at 15 and 27seconds respectively. The final failure on vane 2(LAVOK2) also triggered intantaneous loss of vanes 5(LAVOK5) and 6 (LAVOK6) at 33 seconds.Computed "ALPHAT" tracks true aircraft angle-of-attack (ALPHA) until five seconds after declaration ofthe final failure (i.e., at 38 seconds)~also indicated bythe AOAOK signal going low. Declaration of totalvane failure occurred because the ALS will not operatewith less than three vanes; one pair and any of theremaining four.


•M.U-

2S.O-

0.0-50.0-

i

D.O-

[ -50.0-

-100.0-25.0 -i

I

0.0-

20.0-

(E 10.0-r

cc 0.0-

. -10. C -;

i.O-

i o.s.0.0-1.0-

\ 0.1-S

0.0-1.0-

n2 o.s-5

0.0-1.0-

| 0-S

1 o.o

/

*-*

x"

0.0

0.0

•J

\w

1(

1

/*

/*

K**

).0

0.0

r*

r+

&

X

2

tMO

"

s.

^%,

1.0

Til

0.0

"X

s.

\

w.\

y.IE

3

Ni

W

S^,p

1.0

0.0

Jrf

•• 1

40

4

^^

•*«,

-**

1.0

O.Q

«w

**•

V.

•»•'

SC

s

3U.V-H

| 20.0-

< 10.0-

o.o -1<»

> o.o-1-50.0-125.0-1

•>Ul

| 0.0-

-JS.D-lO.O-i

SE °-°'£yg» -10.0-

-a.o -t.o !iii

1.0-

S 0.5-

l.O-i

^«Vi "-

O.Q-1.0-

S n s-§ "

0.0-1.0-

£ 0.5-

0.0-0.0

/

^

/

\0.0

0.0

>*l"

Mi

MH

1

1

73

s*

1.0

D.O

?•"

a

2

S i

«==

^

4*»

>.Q

Tl

3.0

S

s

\*.

J

>IE

31

*s.

\

ik-

1.D

).0

— s.

MMM«

»*r*

«

V

«M>

/"*

» "

2.0

1.0

^

V.

*•**

9

SI

9.0

1.0

TIME T1KC

Figure 7: Simulation Results of Failure Detection Logic


Computed "BETAEST" tracks true aircraftsideslip angle (BETA) with the first two failures havingno effect on accuracy. During the time the third failureremains undetected, computed sideslip deviates fromactual. Tracking resumes once detection and isolationof the third failure occur. Upon the fourth failure, aresulting large deviation in computed sideslip anglecauses an error large enough to trigger declaration ofthe final failure. Computed sideslip angle becomesinvalid instantly (BETAOK low at 33 seconds).

Selection of True Angle-of-attackThe true angle-of-attack computation

algorithm involves selection of the middle/average/lastvalue from processed vane pair data. Computation oftrue angle-of-attack requires a minimum of one vanepair (left and right). Reduction of local vane data to the"true" angle-of-attack reference using local sideslip,aircraft roll rate, aircraft pitch rate, and otherconfiguration information, allows the use of the triplexsignal selection algorithm.

Figure 8 shows a comparison of measured(ALPHJ3OOM) and computed angle-of-attack(ALPHAT) from C-17 flight test.

0.0 10.0 20.0 30.0 40.0 50.0 EO.O

TIME

Figure 8: Flight Test Comparison of True andMeasured AOA

ANGLE-OF-ATTACK LIMITER CONTROLLAWS

The C-17 pitch axis control is normally in a g-command configuration. However, to providemaximum deep stall protection, the control systemswitches to an alpha command configuration when theangle-of-attack limiter system activates. Activationusually occurs outside the operational envelope. In thismode, pilot's stick force is directly proportional toangle-of-attack. Figure 9 illustrates this concept ofsplitting the C-17 flight envelope. This implementationassures that the ALS does not interfere with normaloperation of the aircraft within the operational

envelope. However, at some extreme attitudes,indicated by rapid and abnormal deceleration, ALSactivation could occur within the operational envelopeto preclude overshoot into deep stall.

o>

"Hard Limit

" aSofl Limit

" astall Warning

Operational Envelope(g-command region)

Figure 9: C-17 Alpha Limiter System OperationalEnvelope

Employment of extensive pilot-in-the-loopsimulation in the early design phase helped refine thesystem architecture. Two pilots vigorously exercisedthe system. Design engineers were on the spot toanalyze, resolve and reprogram solutions to allidentified problems. This process continued for weeks,until the system was satisfactory to both pilots.

Most of the issues centered on the engagementand disengagement transients. Angle-of-attack limiterengagement normally occurs at the "soft limit" (Figure9). Once engaged, the system maintains alpha at thislimit. Any additional increase in alpha is availablethrough the pitch control stick and requires deliberateaction by the pilot. However, the maximum achievableangle-of-attack is at the "hard limit." The ALS designis such that a 2.5 degree transient overshoot beyond the"hard limit" is permissible. Alpha "hard limit" is eitherstall angle-of-attack, or 4 degrees below the minimumstatic pitching moment margin (illustrated in Figure 3)required for recovery, whichever is lower. Stall angle isa function of flaps, engine thrust, number of enginesoperating, aircraft rates, etc.

Figure 10 shows the ALS control lawschematic. It is a simple alpha command system withrate of change of angle-of-attack ( C X ) for short termdamping and longitudinal acceleration ( u ) for phugoiddamping.


"'Force-Command

Model"com ,

d°H«LM

0

"•Soft Limit ' W "\£

a — ——————————————————— '

P ——— •Q —— »p __ 3x ——— >an —— >\ — :

alpha andvelocity ratecomputation

& /C————————— K|

u

Proportional PlusIntegral Controller

Elevator^Command

Figure 10: ALS Control Law Schematic

Engagement of ALS is very straight forward;either alpha is at the "soft limit," or the aircraft is in anunusual attitude resulting in excessive deceleration.However, disengagement became an issue sincedisengagement must occur at appropriate times topreclude secondary stalls while not limiting the pilot'sability to control the airplane in an envelope that isclearly operational.

The algorithm shown in Figure 11 determineswhen it is safe to switch from alpha command to g-command. Generally, switching would occur when theg-command error signal is providing more recoverymoment than it's the alpha command counterpart. Theexception is that this condition must occur in theoperational envelope, when the aircraft is notdecelerating too rapidly, and the pilot is not applyingback pressure on the control stick.

g-commandEngage

a-commandEngage

mit

Figure 11: Alpha-command/g-command SwitchingSchematic

Figure 12 shows a typical flight test result for aIg Stall maneuver. The time traces show thephenomenon inherent in the ALS; a temporary stop at

alpha "soft limit" (indicated by ALS DISCRETE goinghigh at 47 seconds) and the additional alpha response topilot control input up to the "hard limit" (AOAPLM)thereafter. Application of additional force on the stick,after attaining the "hard limit" would not result inadditional alpha response.

Validation of the C-17 ALS in both flight testand Pilot-in-the-loop simulation involved combinationsof control inputs representative, and sometimes, moresevere than those specified in MIL-S-836912.

50.0

"^ "soft (mil

Recovery Componentof g-command

Recovery Componentof a-command

— t •>— •

g-command>

a-command

g-command<,

a-command

-so.oI.D

o.s

0.0175.0

150.0

i zs.a100.030.0

20.0

O.D 20.0 10.0

line60.0 80.0

Figure 12: Flight Test Result from a Ig Stall


These tests involved more than 2000 stall points,without adverse incidents. Those results are not part ofthis paper.

CONCLUSIONDesigning the angle-of-attack limiter system

for the C-17 took several iterations and a great deal ofcooperation and patience from all to properly blend theALS with the g-command control laws and provide theexcellent deep stall protection system that is now part ofthe C-17.

The input signal management algorithms forthe alpha sensors required innovative concepts that wereonly possible through extensive investigation anddiligent design practices. This resulted in an 8:1reduction in detection threshold and a correspondingincrease in accuracy, while providing full coverage forfailure detection and isolation.

ACKNOWLEDGMENTSSpecial thanks to Pilots Doug Burns and Don

Brown for their assistance and patience throughout thedevelopment of the alpha limiter system. I also extendmy sincere appreciation to Tim Dalhstrom for hisadvice and inputs in shaping the control systemphilosophy, and all other engineers who helped makethe system possible.

REFERENCES1. Anon; "Prime Item Development Specificationfor the C-17A Air Vehicle," Specification numberMDC-S002, Revision B, 1987.

2. Anon; "Stall/Post-Stall/Spin Flight TestDemonstration Requirements for Airplanes," MIL-S-8369 I.March 1971.

8American Institute of Aeronautics and Astronautics

[american institute of aeronautics and astronautics guidance, navigation, and control conference -...

Documents