Bjorn’s Corner: Sustainable Air Transport. Part 37. VTOL Flight Control.

By Bjorn Fehrm.

September 16, 2022, ©. Leeham News: We discussed one of the critical systems for an eVTOL over the last weeks, the battery system, its cells, and its management system.

Another critical system for a VTOL is its Flight Control System (the FCS).

Figure 1. The Honeywell UAM FBW (Fly By Wire) triple channel computer. Source: Honeywell.

The Flight Control of VTOLs

VTOLs pose extra challenges in the flight control space as they are several types of flying vehicles combined into one.

The VTOL hover mode comes from the Helicopter space (vertical flight) but also from the Drone market (multirotor vertical flight). And for all but the pure multicopters like VoloCity/EHang 216, they have a forward flight mode that behaves like an airplane.

The mixing of these different flight modes into one vehicle poses several challenges:

  • Each mode has its unique problems and solutions in hardware, software, flight dynamics, and how a pilot controls the vehicle.
  • The VTOL mixes these and introduces tricky transition modes between the different modes.

We will discuss what this means for the development and certification of a VTOL. We start this week with the hardware consequences:

VTOL Flight Control Hardware

The EASA SC-VTOL certification rules state, “For Category Enhanced, a single failure must not have a catastrophic effect upon the aircraft.”

This requirement, which is harder than for smaller fixed-wing aircraft and helicopters (because these have exceptions), means that the flight control system must have redundancy in all aspects.

The risk of a failure, like a hardware or software fault that can cause the crash of the VTOL, should be less than 10⁻⁹ per flight hour. It means there is one such fault allowed per one billion flight hours of the VTOL. This requirement has major implications for the VTOL’s flight control system.

The tricky transition modes for most VTOLs mean the FCS can’t have any backup modes like the Airbus FCS “direct mode,” where the pilot’s inputs move the aircraft’s movable surfaces without any computer augmentation involved (Fly By electric Wire) when the FCS has a failure.

The non-viability of a “direct mode” means the hardware and software of the flight control system must work in any conceivable scenario of a single failure with full vehicle control through the FCS computers and their augmented flight control loops.

Hardware consequences

In practice, this means we must have triple redundancy for most aspects of the FCS. The FCS computer (Figure 1) that takes in all the sensor information to compute the flight laws for the VTOL has to be triple redundant (three channels).

Triple, because if one sensor/compute channel produces a value different from the two others, a two versus one voting can be made, and the rogue item can be voted out.
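The two-versus-one vote described above, as an added example in Python (not code from the article or from any FCS vendor): a mid-value-select voter that latches a persistently deviating channel out. The tolerance, the persistence count, the sample values and the two-channel degraded mode are assumptions that go beyond what the text states.

```python
from statistics import median

class TriplexVoter:
    """Mid-value-select voter for three redundant channels (constructed example)."""

    def __init__(self, tolerance, persistence=3):
        self.tolerance = tolerance      # max allowed deviation from the voted value
        self.persistence = persistence  # consecutive miscompares before latching out
        self.miscompares = [0, 0, 0]
        self.failed = [False, False, False]

    def vote(self, samples):
        """Return (voted_value, status) for one frame of three channel samples."""
        live = [i for i in range(3) if not self.failed[i]]
        if len(live) == 3:
            voted = median(samples)  # one wild channel cannot move the median
            for i in live:
                if abs(samples[i] - voted) > self.tolerance:
                    self.miscompares[i] += 1
                    if self.miscompares[i] >= self.persistence:
                        self.failed[i] = True  # two versus one: vote the channel out
                else:
                    self.miscompares[i] = 0    # transient glitch, forgive it
            return voted, "ok"
        if len(live) == 2:
            a, b = (samples[i] for i in live)
            if abs(a - b) > self.tolerance:
                # Two channels disagree and there is no third to break the tie.
                return None, "unresolved"
            return (a + b) / 2, "degraded"
        return None, "unresolved"  # fewer than two healthy channels left

def run_demo():
    # Constructed pitch-rate samples (deg/s): channel 2 drifts away from frame 1 on,
    # then channel 1 jumps in the last frame after channel 2 has been voted out.
    frames = [(1.00, 1.01, 0.99), (1.02, 1.00, 1.60), (1.01, 1.03, 2.40),
              (1.00, 1.02, 3.10), (1.01, 1.00, 3.90), (1.00, 1.80, 4.50)]
    voter = TriplexVoter(tolerance=0.25, persistence=3)
    return [voter.vote(f) for f in frames], voter.failed

if __name__ == "__main__":
    for value, status in run_demo()[0]:
        print(status, value)
```

The last frame shows why three channels are the minimum for identifying a faulty one: with only two left, a disagreement can be detected but not resolved.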

The mass and power available on a VTOL for a set of three of everything is limited, be it actuators for movable surfaces, movables’ position sensors, accelerometers, rate gyros, attitude gyros, air data sensors, and flight law computing devices.

So everything must be low mass and consume a minimum of electric power. Hydraulic power devices are banned (they have the advantage of a very high power density but are heavy and power hungry), so high-power electric actuators must be developed to move rudders, elevators, ailerons, and flaps when present.

If the VTOL has landing gear, it’s most likely fixed; otherwise, its operation is by electric motors. Brakes on the landing gear can have a very local hydraulic circuit (like car brakes), but these can also be electric.

The power system for all these devices must have redundancy, as must signal and control paths.

Combined, the many layers of redundancy for the system components of an FCS shall guarantee that not a single failure will endanger the VTOL.

Many control effectors

Part of the VTOL redundancy strategy to reach 10⁻⁹ failures per flight hour will be redundancy at the control effector level.

With this, I mean the design of the VTOL must allow for one propulsion unit to malfunction, and the vehicle can still be controlled. Look at the VTOL mode of the Joby S4, Figure 2.

Figure 2. The Vertical mode of the Joby S4. Source: Joby Aviation.

The rotors and their motors are distributed around the center of gravity of the VTOL. One of these can stop working, and the adjacent ones have enough excess power and thrust to cover for the one that failed.

Demonstration of Certification Compliance

The design team of the VTOL has to prove to the regulator that there can be a single failure in any system, and the vehicle shall still be fully controllable and able to land safely on a regular or backup landing spot.

The effort to put together such a system and then prove it fulfills the regulator requirements for the flight control of a VTOL is enormous. You must prove to the regulator that you have played through every possible failure of your complex FCS (that uses motor RPM, rotor pitch, and movable surfaces to control the aircraft) and that in all cases, however remote, the pilot will be able to control the vehicle, fly it and land it safely.

Doing these hazard analyses follows established practices and involves a lot of procedures to follow and documents to produce and review with the regulator. Only when he is satisfied you have proven you will not have a hazardous failure in one billion flight hours do you get the green light for your vehicle’s flight control.

The Hardware is the easy part

We have now covered the straightforward part of the control of a VTOL. It’s where the requirements and the way to fulfill these are challenging, but at least there isn’t a lot of ambiguity on what has to be done.

The dodgy area of a VTOL FCS is the software implemented flight laws and how the pilot interacts with the vehicle. Unlike airplanes and helicopters, there are no established standards on how this is done. The pilot control metaphors between airplanes, helicopters, and even drones are different. In the VTOL space, these collide, and there is no jury to decide which way to go.

14 Comments on “Bjorn’s Corner: Sustainable Air Transport. Part 37. VTOL Flight Control.”

  1. increase pilot || system distance.

    i.e. what has been started with Airbus FBW:
    you are less of a pilot than a commander.

    The “executive passenger” says where to go.
    The system decides how to achieve that.

    “I’m Afraid I Can’t Do That, Dave.”

    • Yes, this is indeed the direction. Not to this extreme, but the VTOL pilot tells the FCS where he wants to go, and the FBW figures out what effectors it needs to manipulate (rotor RPMs, movable actuation, etc.) to get it done. For instance, the throttle is not a throttle; it’s a “give me this forward speed” device. More on this next week.

      • Beyond airframe control these systems will need environmental awareness.
        terrain, obstructions, meteo …

        • Fortunately we have amazingly accurate, robust new sensors. MEMS based gyroscopes, accelerometers, tilt meters, magnetometers, chip based barometers and variometers (all in a top-line cellphone). MMW radar and LIDAR, stereoscopic robot vision (well developed by the automotive industry) that can generate a 3D model of the environment.
          (Even the Jetson One has most of these)

        • I suspect one major safety advantage of a piloted aircraft is that the pilot is inclined to make sure the aircraft that he is about to fly is in good order. Pilotless aircraft may lead to a cost breakthrough in regional transport and freight. It will impact pilot training for larger aircraft.

          • “It will impact pilot training for larger aircraft.”

            Isn’t that limited to the US domestic pilot “market” due to the “slavery arrangement” forcing a career path from (low pay) regional to larger main line frames? ( proficiency requirements)

            Does it actually apply elsewhere?

  2. Wow, I had imagined certification to be complex, but wow again.
    There are some pretty optimistic plans for evtol programs out there, I hope they are successful.

    • Scope expands:
      Autonomous Human Air Transport designs will probably need rather involved (predictive) failure detection and management/alleviation.
      ( this also aims at Bernhard’s first sentence above )

  3. “Hydraulic power devices are banned (they have the advantage of a very high power density but are heavy and power hungry)”
    -There are few actuators I can see that meet requirements of no power draw when stationary and the ease of triplication. The front runner is likely the EHA “Electro Hydrostatic Actuator” where each actuator has an individual electric drive for a reversible pump. The electric drive is stopped if the actuator is stationary. Triplication would require fault tolerant bypass valves.
    -I question whether triplication is enough given its record of failure and vulnerability to common mode failure. Drones seem to rely on IMU, GPS, LiDAR, barometers, magnetometers to fuse a kind of synthetic air data.

    • Interesting concept. A reversible gear pump with worm gear drive reduction would do that, although fluid “slippage” past the stalled gears might be a problem over minutes of fixed position. The FW could compensate for this with small pulsed movements, but this would not quite be zero energy when stopped.

      • reversible hydraulic drives for marine autopilots can be had in “non reversible” ( just like the manual steering actuator pump. “check block valves” )

    • If you demand different power sources for backup units, hydraulics with fully charged hydraulic accumulators when you take off is one way. If the accumulators’ size and pressure are enough, it does not drain battery power in flight if used.
