1. Field of the Invention
The present invention relates to apparatus for assuring the operation of aircraft control surfaces in the presence of recognized failure modes. More particularly, this invention pertains to apparatus for automatically switching operation of an aircraft's hydraulically-powered elevator surfaces to manual mode in the event of a recognized catastrophic failure.
2. Description of the Prior Art
The dire consequences of particular aircraft failure modes are central to Federal Aviation Administration (FAA) processes for certifying new aircraft designs. Without certification, an airliner design is not permitted to ferry civilian passengers and is therefore of little, if any, economic value. Accordingly, the inclusion of sufficient safety measures to meet FAA standards relating to all failure modes, both catastrophic and otherwise, is a necessary component of any realistic commercial airliner design.
It is recognized that the elimination of any possibility of catastrophic failure from a design is an impossibility due, in part, to the inevitable mechanical limitations of materials and components. Nevertheless, a certified design is characterized by extremely low probabilities for those failure modes associated with severe consequences. As a result, commercial air transport is considered relatively safe in terms of accidents per passenger mile.
Aircraft manufacturers must continually upgrade designs for delivery to customer airlines. Due to the competitive nature of the industry, a premium is placed upon new aircraft that most economically incorporate the latest advances in technology. Each airliner represents a substantial investment for an airline that must, in turn, restrain its own cost structure to compete successfully for cost-conscious passenger dollars.
As mentioned earlier, FAA certification usually seeks sufficiently low probabilities for catastrophic failure modes. Current FAA regulations are phrased in terms of "improbable" and "extremely improbable" occurrences where improbable is defined as one-millionth and extremely improbable is defined as one-billionth probability of an event. (Amendment 23 to FAR 25.1309(b) states: "The airplane systems and associated components, considered separately and in relation to other systems must be designed so that: (1) the occurrence of any failure condition which would prevent the continued safe flight and landing of the aircraft is extremely improbable, and (2) the occurrence of any other failure condition which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions is improbable.")
A common method for attaining a sufficiently low probability is through the incorporation of redundancy into the relevant system of the aircraft. By employing designs that feature redundant systems, one can take advantage of the following useful relationships of the laws of probability:

$$P_{12}(t) = P_1(t)\,P_2(t) \qquad (1)$$

$$E_{12}(t) = E_1(t)\,E_2(t) \qquad (2)$$

where $P_1(t)$ is the probability of event 1 occurring within time $t$ and $P_2(t)$ is the probability of event 2 occurring within time $t$, where event 1 is statistically independent of event 2. $P_{12}(t)$ is then the probability of both of events 1 and 2 occurring within the same time $t$. Similarly, $E_1(t)$ is the expected time before occurrence of event 1 and $E_2(t)$ is the expected time before the occurrence of event 2, with $E_{12}(t)$ representing the expected time before the joint occurrence of both of the statistically independent events 1 and 2.
It is well recognized that the above relationships may be extended to any number of independent events so that each additional event effectively multiplies the probability of simultaneous occurrence, and expected time before simultaneous occurrence, of all independent events. Since probabilities less than certainty are always fractional amounts, it can be seen from equation 1 that the probability of failure of multiple independent (redundant) systems is lessened as the number of redundant systems is increased.
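As an added worked example (not part of the original text), equation 1 extended to $n$ statistically independent redundant systems, each with the same failure probability $p$ within time $t$, gives the number of systems needed to reach a target probability $P^{*}$. The value $p = 10^{-3}$ is an assumed figure chosen for illustration; $10^{-9}$ and $10^{-6}$ are the "extremely improbable" and "improbable" levels quoted above.

$$P_{1 \ldots n}(t) = \prod_{i=1}^{n} P_i(t) = p^{n} \le P^{*} \quad\Longrightarrow\quad n \ge \frac{\ln P^{*}}{\ln p}$$

The inequality reverses on division because $\ln p < 0$ for $p < 1$. With $p = 10^{-3}$:

$$P^{*} = 10^{-9}: \; n \ge \frac{-9 \ln 10}{-3 \ln 10} = 3, \qquad P^{*} = 10^{-6}: \; n \ge \frac{-6 \ln 10}{-3 \ln 10} = 2$$

The result holds only under the statistical independence assumed for equation 1.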
While redundancy offers a rather straightforward approach to many design issues, the routine addition of redundant systems to an aircraft may strain the design "budget" to the point of impracticality. Redundancy may add bulk not permitted within the available fuselage configuration. In the case of major systems such as aircraft hydraulics, associated sub-systems, reservoirs, fluid and power supplies may add significant configuration cost and weight to the point that operation becomes significantly more expensive in terms of both fuel and maintenance charges.
One well-recognized catastrophic failure mode that must be adequately provided for in any aircraft design concerns control of the elevator surfaces located in the tail section of the aircraft. Such surfaces are controlled by the interaction of a cable and pulley mechanical system, responsive to the pilot's (or autopilot's) command, with hydraulic actuators for moving the control surfaces. The hydraulic actuators are coupled to the cables through a mechanical linkage. The cable fits within a groove at the periphery of a disk-like sector.
The system for controlling the elevator surfaces, just as all aircraft systems, is subject to various failure modes. The most significant of such modes is known as "hardover". A hardover failure is characterized by the erroneous switching of a system to full command (i.e. full force). When this occurs in relation to the aircraft's elevator surfaces, control is lost and the surfaces are free to move by themselves. This condition, if unchecked, can, of course, cause the aircraft to crash.
A hardover failure of a hydraulically-powered aircraft control surface may result from a jam of the control valve spool or of the valve input arm. In the past, multiple surfaces, override valve spool sleeves and multiple single actuators have been employed to compensate for and to prevent hardovers. Such approaches either fail to protect against valve arm jams or are reliant upon all-active systems.