The present invention relates to aircraft control devices, and more particularly to autopilot hardover failure control while airborne.
Hardover failure, a serious aircraft flight safety problem, is defined as any failure of the autopilot system which will cause a rapid and sustained displacement of an aircraft aerodynamic control surface to the full extent permitted by physical constraints within the autopilot actuator system. Autopilots are commonly designed so that the maximum aerodynamic control surface deflection that can be attained by the autopilot is a small percentage of the total control surface deflection that can be manually commanded by the pilot. This low autopilot authority serves to limit the effect of a hardover failure on aircraft flight path and enables the pilot to overcome the failure by use of the control stick or control wheel column. Successful recovery from a hardover failure, however, is dependent on pilot reaction time, which is degraded by pilot fatigue during long flights. Hardover failure along the pitch axis can occur in a nose-up as well as in a nose-down position. A nose-down pitch axis hardover failure will result in rapid loss of altitude by the aircraft. A nose-up pitch axis hardover can result in a stall of the aircraft. At low altitudes, crew safety can be jeopardized if hardover failure is not overcome within one second. Often, a delayed pilot reaction to a hardover will result in pilot overcontrol, causing the aircraft to undergo violent maneuvers that are worse than the hardover itself.
One general practice has been to employ single-point monitors to disengage the autopilot in the event of failure. A single-point monitor, also known as a single-point failure detector, checks one point in the circuit under study for certain types of failures. Although such devices have served the purpose, they have not proved entirely satisfactory under all conditions of service, because single-point monitors can only protect against failures of particular components within the autopilot. Many failure modes, therefore, are not monitored or controlled. Such piece-wise coverage results in the use of several monitors, each of which can only cover a small percentage of the total system. This, plus the complexity of conventional autopilot systems, results in limited failure detection and coverage unless a very large number of single-point monitors is used, in which case full coverage of all autopilot failure modes still might be obtained. Thus, many failure modes will not be protected against.
Monitors using airframe parameters such as vehicle acceleration or vehicle attitude are capable of detecting a large number of autopilot hardover failure modes, but of necessity must permit some delay, thus allowing some degree of aircraft attitude response to the hardover, before the failure is detected. These monitors typically compare the measured value of an airframe parameter to a reference value. The failure advisory is generated if the value of the measured parameter exceeds the reference value. As the reference value is decreased in order to improve failure detection performance, the number of false or nuisance autopilot disengagements increases rapidly. An example of such a monitor is a g-limiter. A g-limiter disconnects the autopilot when the airframe experiences normal (perpendicular to the floor of the aircraft) accelerations beyond a preset level. However, this device has limitations rendering it unusable for this purpose. A g-limiter will react too slowly to a hardover failure for use with a heavy transport or with an aircraft which is not highly maneuverable. There is a tendency in such aircraft, in the event of hardover failure, to remain in that condition because of inertia or lack of maneuverability. By the time that sufficient g forces have been built up to generate a g-limiter disconnect, the safety of the aircraft could be jeopardized. Furthermore, in the case of an aircraft operating at low altitudes, little time (one second or less) can be allowed for hardover detection, as has been already pointed out. A further problem with regard to the g-limiter is that the level at which the g-limiter would be set to disconnect the autopilot must be low enough to actually detect hardover failure. The g-limiter must not be set so high as to miss a hardover failure. However, if this level is set too low, nuisance disconnects, such as wind gusts or pilot action might cause, will result.
The g-limiter cannot be set high enough to avoid a large number of nuisance disconnects without being set too high to rapidly detect some hardover failures. Similarly, a pitch attitude sensor would be too slow because, considering the brief amount of time available for rectifying a hardover failure, by the time that sufficient pitch has been built up by the hardover failure to trigger the pitch sensor, the aircraft could already be in jeopardy. Again, if the triggering level for the pitch attitude sensor is set sufficiently low to avoid this problem, nuisance disconnects can result.
Another means of detecting and correcting hardover failures is a redundant autopilot. Essentially, a redundant autopilot consists of two or more simultaneously operating autopilot channels. Outputs of the multiple channels are compared against one another in such a fashion that a failed channel is voted out. However, this requires extensive cross-channeling and cross-checking between channels, as well as individual channels which have a structure different from that of typical non-redundant autopilots. Accordingly, a non-redundant autopilot could not be incorporated in a redundant autopilot, and so conversion of an existing autopilot from non-redundant to redundant would require replacement of the entire autopilot. Therefore, installation of a redundant autopilot in an existing non-redundant autopilot system would be economically unjustified for the sole purpose of protecting against hardover failures.