September 16, 2022, ©. Leeham News: We discussed one of the critical systems for an eVTOL over the last weeks, the battery system, its cells, and its management system.
Another critical system for a VTOL is its Flight Control System (the FCS).
VTOLs pose extra challenges in the flight control space as they are several types of flying vehicles combined into one.
The VTOL hover mode comes from the Helicopter space (vertical flight) but also from the Drone market (multirotor vertical flight). And for all but the pure multicopters like VoloCity/EHang 216, they have a forward flight mode that behaves like an airplane.
The mixing of these different flight modes into one vehicle poses several challenges;
We will discuss what this means for the development and certification of a VTOL. We start this week with the hardware consequences:
The EASA SC-VTOL certification rules state, “For Category Enhanced, a single failure must not have a catastrophic effect upon the aircraft.”
This requirement, which is harder than for smaller fixed-wing aircraft and helicopters (because these have exceptions), means that the flight control system must have redundancy in all aspects.
The risk of a failure, like a hardware or software fault that can cause the crash of the VTOL, should be less than 10-9 per flight hour. It means there is one such fault allowed per one billion flight hours of the VTOL. This requirement has major implications for the VTOL’s flight control system.
The tricky transition modes for most VTOLs mean the FCS can’t have any backup modes like the Airbus FCS “direct mode,” where the pilot’s inputs move the aircraft’s movable surfaces without any computer augmentation involved (Fly By electric Wire) when the FCS has a failure.
The non-viability of a “direct mode” means the hardware and software of the flight control system must work in any conceivable scenario of a single failure with full vehicle control through the FCS computers and their augmented flight control loops.
In practice, this means we must have triple redundancy for most aspects of the FCS. The FCS computer (Figure 1) that takes in all the sensor information to compute the flight laws for the VTOL has to be triple redundant (three channels).
Triple, because if one sensor/compute channel produces a value different from the two others, a two versus one voting can be made, and the rough item can be voted out.
The mass and power available on a VTOL for a set of three of everything is limited, be it actuators for movable surfaces, movable’s position sensors, accelerometers, rate gyros, attitude gyros, air data sensors, and flight law computing devices.
So everything must be low mass and consume a minimum of electric power. Hydraulic power devices are banned (they have the advantage of a very high power density but are heavy and power hungry), so high-power electric actuators must be developed to move rudders, elevators, ailerons, and flaps when present.
If the VTOL has landing gear, it’s most likely fixed; otherwise, its operation is by electric motors. Brakes on the landing gear can have a very local hydraulic circuit (like car brakes), but these can also be electric.
The power system for all these devices must have redundancy, as must signal and control paths.
Combined, the many layers of redundancy for the system components of an FCS shall guarantee that not a single failure will endanger the VTOL.
Part of the VTOL redundancy strategy to reach 10-9 failures per flight hour will be redundancy at the control effector level.
With this, I mean the design of the VTOL must allow for one propulsion unit to malfunction, and the vehicle can still be controlled. Look at the VTOL mode of the Joby S4, Figure 2.
The rotors and their motors are distributed around the center of gravity of the VTOL. One of these can stop working, and the adjacent ones have enough excess power and thrust to cover for the one that failed.
The design team of the VTOL has to prove to the regulator that there can be a single failure in any system, and the vehicle shall still be fully controllable and able to land safely on a regular or backup landing spot.
The effort to put together such a system and then prove it fulfills the regulator requirements for the flight control of a VTOL is enormous. You must prove to the regulator that you have played through every possible failure of your complex FCS (that uses motor RPM, rotor pitch, and movable surfaces to control the aircraft) and that in all cases, however remote, the pilot will be able to control the vehicle, fly it and land it safely.
Doing these hazard analyses follows established practices and involves a lot of procedures to follow and documents to produce and review with the regulator. Only when he is satisfied you have proven you will not have a hazardous failure in one billion flight hours do you get the green light for your vehicle’s flight control.
We have now covered the straightforward part of the control of a VTOL. It’s where the requirements and the way to fulfill these are challenging, but at least there isn’t a lot of ambiguity on what to be done.
The dodgy area of a VTOL FCS is the software implemented flight laws and how the pilot interacts with the vehicle. Unlike airplanes and helicopters, there are no established standards on how this is done. The pilot control metaphors between airplanes, helicopters, and even drones are different. In the VTOL space, these collide, and there is no jury to decide which way to go.