**Tool-Based Design and Evaluation of Resilient Flight Control Systems**

Hafid Smaili1, Jan Breeman2 and Thomas Lombaerts3

*National Aerospace Laboratory NLR/Delft University of Technology 1NLR Cockpit & Flight Operations Department, Amsterdam, 2NLR Avionics & Systems Department, Amsterdam, 3DLR Institute of Robotics and Mechatronics, Wessling, 1,2The Netherlands 3Germany* 

## **1. Introduction**

184 Automatic Flight Control Systems – Latest Developments

Van der Kamp, Reinier., et. al. (2005). Investigation on the Chinook operations with an

Florence, Italy, September 13-15, 2005

external sling load after cable failure", *31st European Rotorcraft Annual Forum,*

A large transport aircraft simulation benchmark (REconfigurable COntrol for Vehicle Emergency Return RECOVER) has been developed within the European GARTEUR Flight Mechanics Action Group 16 (FM-AG(16)) on Fault Tolerant Control (2004-2008) for the integrated evaluation of fault detection, identification (FDI) and reconfigurable flight control systems. The benchmark includes a suitable set of assessment criteria and failure cases, based on reconstructed accident scenarios, to assess the potential of new adaptive control strategies to improve aircraft survivability. The application of reconstruction and modeling techniques, using accident flight data for validation, has resulted in high fidelity non-linear aircraft and fault models to evaluate new Fault Tolerant Flight Control (FTFC) concepts and their real-time performance to accommodate in-flight failures (Edwards et al., 2010).

This chapter will give an overview of advanced flight control developments and pilot training related initiatives to reduce the amount of in-flight loss-of-control (LOC-I) accidents. The GARTEUR RECOVER benchmark, validated with accident flight data and used during the GARTEUR FM-AG(16) program, will be described. The modular features of the benchmark will be outlined that address the need for tool-based design of modern resilient flight control systems that mitigate potentially catastrophic (mechanical) failures and aircraft upsets.

## **2. Program overview**

Fault tolerant flight control (FTFC) enables improved survivability and recovery from adverse flight conditions induced by faults, damage and associated upsets. This can be achieved by "intelligent" utilisation of the control authority of the remaining control effectors in all axes consisting of the control surfaces and engines or a combination of both. In this technique, control strategies are applied to restore stability and maneuverability of the vehicle for continued safe operation and a survivable landing.

Tool-Based Design and Evaluation of Resilient Flight Control Systems 187

to provide challenging assessment criteria to evaluate the effectiveness and potential of the FTFC methods being investigated (Lombaerts et al., 2006) The simulation model of the benchmark was earlier applied in an investigation of the 1992 Amsterdam Bijlmermeer airplane accident (Flight 1862) (Netherlands Aviation Safety Board, 1994; Smaili, 1997, 2000) and has been validated against data from the Digital Flight Data Recorder (DFDR) of the

The potential of the developed fault tolerant flight control methods to improve aircraft survivability, for both manual and automatic flight, has been demonstrated in 2008 during a piloted assessment in the SIMONA research flight simulator of the Delft University of

An increasing number of measures are currently being taken by the international aviation community to prevent Loss Of Control In-Flight (LOC-I) accidents due to failures, damage and upsets for which the pilot was not able to recover successfully despite the available performance and control capabilities. Recent airliner accident and incident statistics (Civil Aviation Authority of the Netherlands (CAA-NL), 2007) show that about 16% of the accidents between the 1993 and 2007 period can be attributed to LOC-I, caused by a piloting mistake, technical malfunction or unusual upsets due to external (atmospheric) disturbances. However, worldwide civil aviation safety statistics indicate that today 'inflight loss of control' has become the main cause of aircraft accidents (followed by 'controlled flight into terrain' (CFIT)). Data examined by the international aviation community shows that, in contrast to CFIT, the share of LOC-I occurrences is not significantly decreasing. The actions taken by the aviation community to lower the number of LOC-I occurrences not only include improvements in procedures training and human factors, but also finding measures to better mitigate system failures and increase aircraft

Reconfigurable flight control, or "intelligent flight control", is aimed to prevent aircraft loss due to multiple failures when the aircraft is still flyable given the available control power. Motivated by several aircraft accidents at the end of the 1970's, in particular the crash of an American Airlines DC-10 (Flight 191) at Chicago in 1979, research on "selfrepairing", or reconfigurable fault tolerant flight control (RFTFC), was initiated to accommodate in-flight failures. Reconfigurable control aims to utilise all remaining control effectors on the aircraft after a (unanticipated) mechanical or structural failure to recover the performance of the original system by automatic redesign of the flight control system. The first objective of reconfiguration is to guarantee system stability while the original performance is reconstructed as much as possible. Due to limitations of the control allocation scheme caused by, for instance, actuator position and rate limits, the system performance of the unfailed aircraft may not be fully achieved. In this case, the failed aircraft would be flown in a degraded mode but with sufficiently acceptable handling qualities for a successful recovery. Reconfigurable flight control systems have been successfully flight tested and evaluated in manned simulations (Burcham & Fullerton, 2004; Corder, 2004; Ganguli et al., 2005; The Boeing Company, 1999; Wright

Technology (Edwards et al., 2010; Stroosma et al., 2009).

survivability in case of an accident or degraded flight conditions.

**3. Fault tolerant flight control systems** 

accident flight.

Laboratory, 1991).

From 2004-2008, a research group on Fault Tolerant Control, comprising a collaboration of thirteen European partners from industry, universities and research institutions, was established within the framework of the Group for Aeronautical Research and Technology in Europe (GARTEUR) co-operation program (Table 1). The aim of the research group, Flight Mechanics Action Group FM-AG(16), is to demonstrate the capability and potential of innovative reconfigurable flight control algorithms to improve aircraft survivability. The group facilitated the proliferation of new developments in fault tolerant control design within the European aerospace research and academic community towards practical and real-time operational applications. This addresses the need to improve the resilience and safety of future aircraft and aiding the pilot to recover from adverse conditions induced by (multiple) system failures, damage and (atmospheric) upsets that would otherwise be potentially catastrophic. Up till now, faults or damage on board of aircraft have been accommodated by hardware design using duplex, triplex or even quadruplex redundancy of critical components. The approach of the GARTEUR research focussed on providing redundancy by means of new adaptive control law design methods to accommodate (unanticipated) faults and/or damage that dramatically change the configuration of the aircraft. These methods take into account a novel combination of robustness, reconfiguration and (real-time) adaptation of the control laws (Edwards et al., 2010; Lombaerts et al., 2009).


Table 1. GARTEUR Flight Mechanics Action Group 16 (FM-AG(16)) Fault Tolerant Control consortium

The group addressed the need for high-fidelity nonlinear simulation models, relying on accurate failure modelling, to improve the prediction of reconfigurable system performance in degraded modes. As part of this research, a simulation benchmark was developed, based on the Boeing 747-100/200 large transport aircraft, for the assessment of fault tolerant flight control methods. The test scenarios that are an integral part of the benchmark were selected to provide challenging assessment criteria to evaluate the effectiveness and potential of the FTFC methods being investigated (Lombaerts et al., 2006) The simulation model of the benchmark was earlier applied in an investigation of the 1992 Amsterdam Bijlmermeer airplane accident (Flight 1862) (Netherlands Aviation Safety Board, 1994; Smaili, 1997, 2000) and has been validated against data from the Digital Flight Data Recorder (DFDR) of the accident flight.

The potential of the developed fault tolerant flight control methods to improve aircraft survivability, for both manual and automatic flight, has been demonstrated in 2008 during a piloted assessment in the SIMONA research flight simulator of the Delft University of Technology (Edwards et al., 2010; Stroosma et al., 2009).

## **3. Fault tolerant flight control systems**

186 Automatic Flight Control Systems – Latest Developments

From 2004-2008, a research group on Fault Tolerant Control, comprising a collaboration of thirteen European partners from industry, universities and research institutions, was established within the framework of the Group for Aeronautical Research and Technology in Europe (GARTEUR) co-operation program (Table 1). The aim of the research group, Flight Mechanics Action Group FM-AG(16), is to demonstrate the capability and potential of innovative reconfigurable flight control algorithms to improve aircraft survivability. The group facilitated the proliferation of new developments in fault tolerant control design within the European aerospace research and academic community towards practical and real-time operational applications. This addresses the need to improve the resilience and safety of future aircraft and aiding the pilot to recover from adverse conditions induced by (multiple) system failures, damage and (atmospheric) upsets that would otherwise be potentially catastrophic. Up till now, faults or damage on board of aircraft have been accommodated by hardware design using duplex, triplex or even quadruplex redundancy of critical components. The approach of the GARTEUR research focussed on providing redundancy by means of new adaptive control law design methods to accommodate (unanticipated) faults and/or damage that dramatically change the configuration of the aircraft. These methods take into account a novel combination of robustness, reconfiguration and (real-time) adaptation of the control laws (Edwards et al., 2010; Lombaerts et al., 2009).

Table 1. GARTEUR Flight Mechanics Action Group 16 (FM-AG(16)) Fault Tolerant Control

The group addressed the need for high-fidelity nonlinear simulation models, relying on accurate failure modelling, to improve the prediction of reconfigurable system performance in degraded modes. As part of this research, a simulation benchmark was developed, based on the Boeing 747-100/200 large transport aircraft, for the assessment of fault tolerant flight control methods. The test scenarios that are an integral part of the benchmark were selected

consortium

An increasing number of measures are currently being taken by the international aviation community to prevent Loss Of Control In-Flight (LOC-I) accidents due to failures, damage and upsets for which the pilot was not able to recover successfully despite the available performance and control capabilities. Recent airliner accident and incident statistics (Civil Aviation Authority of the Netherlands (CAA-NL), 2007) show that about 16% of the accidents between the 1993 and 2007 period can be attributed to LOC-I, caused by a piloting mistake, technical malfunction or unusual upsets due to external (atmospheric) disturbances. However, worldwide civil aviation safety statistics indicate that today 'inflight loss of control' has become the main cause of aircraft accidents (followed by 'controlled flight into terrain' (CFIT)). Data examined by the international aviation community shows that, in contrast to CFIT, the share of LOC-I occurrences is not significantly decreasing. The actions taken by the aviation community to lower the number of LOC-I occurrences not only include improvements in procedures training and human factors, but also finding measures to better mitigate system failures and increase aircraft survivability in case of an accident or degraded flight conditions.

Reconfigurable flight control, or "intelligent flight control", is aimed to prevent aircraft loss due to multiple failures when the aircraft is still flyable given the available control power. Motivated by several aircraft accidents at the end of the 1970's, in particular the crash of an American Airlines DC-10 (Flight 191) at Chicago in 1979, research on "selfrepairing", or reconfigurable fault tolerant flight control (RFTFC), was initiated to accommodate in-flight failures. Reconfigurable control aims to utilise all remaining control effectors on the aircraft after a (unanticipated) mechanical or structural failure to recover the performance of the original system by automatic redesign of the flight control system. The first objective of reconfiguration is to guarantee system stability while the original performance is reconstructed as much as possible. Due to limitations of the control allocation scheme caused by, for instance, actuator position and rate limits, the system performance of the unfailed aircraft may not be fully achieved. In this case, the failed aircraft would be flown in a degraded mode but with sufficiently acceptable handling qualities for a successful recovery. Reconfigurable flight control systems have been successfully flight tested and evaluated in manned simulations (Burcham & Fullerton, 2004; Corder, 2004; Ganguli et al., 2005; The Boeing Company, 1999; Wright Laboratory, 1991).

Tool-Based Design and Evaluation of Resilient Flight Control Systems 189

Apart from system failures and hostile actions against commercial and military aircraft, recent incident cases also show the destructive impact of hazardous atmospheric weather conditions on the structural integrity of the aircraft. In some cases, clear air turbulence has resulted in aircraft incurring substantial structural damage and loss of engines due to clear

A number of new fault detection and isolation methods have been proposed in the literature (Patton, 1997; Zhang & Jiang, 2003, Zhang, 2005) together with methods for reconfiguring flight control systems. To assess these new methods for aerospace applications, they need to be integrated and applied to realistic operational scenarios that include representative levels of non-linearity, noise and disturbance. This will then allow the benefits of these new flight

Studies of airliner LOC-I accidents (Edwards, 2010; Smaili, 1997, 2000) show that better situational awareness or guidance would have recovered the impaired aircraft and improved survivability if unconventional control strategies were used. In some of the cases studied, the crew was able to adapt to the unknown degraded flying qualities by applying control strategies (e.g. using the engines effectors to achieve stability and control

The results of a LOC-I study concerning the 1992 Amsterdam accident case (Smaili, 1997, 2000), in which a detailed reconstruction and simulation of the accident flight was conducted based on the recovered Digital Flight Data Recorder (DFDR), formed the basis for realistic and validated aircraft accident scenarios as part of the GARTEUR FM-AG(16) aircraft simulation benchmark. The study resulted in high fidelity non-linear fault models for a civil large transport aircraft that addresses the need to improve the prediction of

On October 4th, 1992, a Boeing 747-200F freighter aircraft, Flight 1862 (Figure 3), went down near Amsterdam Schiphol Airport after the separation of both right-wing engines. In an attempt to return to the airport for an emergency landing, the aircraft flew several right-hand circuits in order to lose altitude and to line up with the runway as intended by the crew. During the second line-up, the crew lost control of the aircraft. As a result, the aircraft crashed, 13 km east of the airport, into an eleven-floor apartment building in the Bijlmermeer, a suburb of Amsterdam. Results of the accident investigation, conducted by several organisations including the Netherlands Accident Investigation Bureau and the aircraft manufacturer, were hampered by the fact that the actual extent of the structural damage to the right-wing, due to the loss of both engines, was unknown. The analysis from this investigation concluded that given the performance and controllability of the aircraft after the separation of the engines, a

In 1997, the division of Control and Simulation of the Faculty of Aerospace Engineering of the Delft University of Technology (DUT), in collaboration with the Netherlands National Aerospace Laboratory NLR, performed an independent analysis of the accident (Smaili, 1997, 2000). In contrast to the analysis performed by the Netherlands Accident Investigation Bureau, the parameters of the DFDR were reconstructed using comprehensive modelling, simulation and visualisation techniques. In this alternative approach, the DFDR pilot control

control technologies to be evaluated in terms of functionality and performance.

augmentation) that are not part of any standard airline training curriculum.

reconfigurable system performance in degraded modes.

successful landing was highly improbable (Smaili, 1997, 2000).

**4. Flight 1862 aircraft accident case** 

air turbulence (CAT).

Adaptive or reconfigurable flight control strategies might have prevented the loss of two Boeing 737s due to a rudder actuator hardover and of a Boeing 767 due to inadvertent asymmetric thrust reverser deployment. The 1989 Sioux City DC-10 incident is an example of the crew performing their own reconfiguration using asymmetric thrust from the two remaining engines to maintain limited control in the presence of total hydraulic system failure. Following the Sioux City incident in 1989, during which the engines were used as only remaining control effectors after loss of all hydraulics, a program was initiated at the NASA Dryden Flight Research Center on Propulsion Controlled Aircraft (PCA) (Burcham 2004). The system aims to provide a safe landing capability using only augmented engine thrust for flight control. Throughout the 1990's, the system has been successfully tested on several aircraft, including both commercial and military (Figure 1).

Fig. 1. McDonnell Douglas MD-11 landing at Dryden Flight Research Center equipped with a computer-assisted engine control landing system developed by NASA (NASA Dryden photo collection)

The crash of a Boeing 747 freighter in 1992 near Amsterdam, the Netherlands, following the separation of the two right-wing engines, was potentially survivable given adequate knowledge about the remaining aerodynamic capabilities of the damaged aircraft (Smaili, 1997, 2000). New kinds of threats within the aviation community have recently been introduced by deliberate hostile attacks on both commercial and military aircraft. For instance, a surface-to-air missile (SAM) attack has recently been demonstrated to be survivable by the crew of an Airbus A300B4 freighter performing a successful emergency landing at Baghdad International Airport after suffering from complete hydraulic system failures and severe structural wing damage (Figure 2).

Fig. 2. Emergency landing sequence using engines only and left wing structural damage due to surface-to-air missile impact, DHL A300B4-203F, Baghdad, 2003

188 Automatic Flight Control Systems – Latest Developments

Adaptive or reconfigurable flight control strategies might have prevented the loss of two Boeing 737s due to a rudder actuator hardover and of a Boeing 767 due to inadvertent asymmetric thrust reverser deployment. The 1989 Sioux City DC-10 incident is an example of the crew performing their own reconfiguration using asymmetric thrust from the two remaining engines to maintain limited control in the presence of total hydraulic system failure. Following the Sioux City incident in 1989, during which the engines were used as only remaining control effectors after loss of all hydraulics, a program was initiated at the NASA Dryden Flight Research Center on Propulsion Controlled Aircraft (PCA) (Burcham 2004). The system aims to provide a safe landing capability using only augmented engine thrust for flight control. Throughout the 1990's, the system has been successfully tested on

Fig. 1. McDonnell Douglas MD-11 landing at Dryden Flight Research Center equipped with a computer-assisted engine control landing system developed by NASA (NASA

The crash of a Boeing 747 freighter in 1992 near Amsterdam, the Netherlands, following the separation of the two right-wing engines, was potentially survivable given adequate knowledge about the remaining aerodynamic capabilities of the damaged aircraft (Smaili, 1997, 2000). New kinds of threats within the aviation community have recently been introduced by deliberate hostile attacks on both commercial and military aircraft. For instance, a surface-to-air missile (SAM) attack has recently been demonstrated to be survivable by the crew of an Airbus A300B4 freighter performing a successful emergency landing at Baghdad International Airport after suffering from complete hydraulic system

Fig. 2. Emergency landing sequence using engines only and left wing structural damage due

several aircraft, including both commercial and military (Figure 1).

failures and severe structural wing damage (Figure 2).

to surface-to-air missile impact, DHL A300B4-203F, Baghdad, 2003

Dryden photo collection)

Apart from system failures and hostile actions against commercial and military aircraft, recent incident cases also show the destructive impact of hazardous atmospheric weather conditions on the structural integrity of the aircraft. In some cases, clear air turbulence has resulted in aircraft incurring substantial structural damage and loss of engines due to clear air turbulence (CAT).

A number of new fault detection and isolation methods have been proposed in the literature (Patton, 1997; Zhang & Jiang, 2003, Zhang, 2005) together with methods for reconfiguring flight control systems. To assess these new methods for aerospace applications, they need to be integrated and applied to realistic operational scenarios that include representative levels of non-linearity, noise and disturbance. This will then allow the benefits of these new flight control technologies to be evaluated in terms of functionality and performance.

Studies of airliner LOC-I accidents (Edwards, 2010; Smaili, 1997, 2000) show that better situational awareness or guidance would have recovered the impaired aircraft and improved survivability if unconventional control strategies were used. In some of the cases studied, the crew was able to adapt to the unknown degraded flying qualities by applying control strategies (e.g. using the engines effectors to achieve stability and control augmentation) that are not part of any standard airline training curriculum.

The results of a LOC-I study concerning the 1992 Amsterdam accident case (Smaili, 1997, 2000), in which a detailed reconstruction and simulation of the accident flight was conducted based on the recovered Digital Flight Data Recorder (DFDR), formed the basis for realistic and validated aircraft accident scenarios as part of the GARTEUR FM-AG(16) aircraft simulation benchmark. The study resulted in high fidelity non-linear fault models for a civil large transport aircraft that addresses the need to improve the prediction of reconfigurable system performance in degraded modes.

## **4. Flight 1862 aircraft accident case**

On October 4th, 1992, a Boeing 747-200F freighter aircraft, Flight 1862 (Figure 3), went down near Amsterdam Schiphol Airport after the separation of both right-wing engines. In an attempt to return to the airport for an emergency landing, the aircraft flew several right-hand circuits in order to lose altitude and to line up with the runway as intended by the crew. During the second line-up, the crew lost control of the aircraft. As a result, the aircraft crashed, 13 km east of the airport, into an eleven-floor apartment building in the Bijlmermeer, a suburb of Amsterdam. Results of the accident investigation, conducted by several organisations including the Netherlands Accident Investigation Bureau and the aircraft manufacturer, were hampered by the fact that the actual extent of the structural damage to the right-wing, due to the loss of both engines, was unknown. The analysis from this investigation concluded that given the performance and controllability of the aircraft after the separation of the engines, a successful landing was highly improbable (Smaili, 1997, 2000).

In 1997, the division of Control and Simulation of the Faculty of Aerospace Engineering of the Delft University of Technology (DUT), in collaboration with the Netherlands National Aerospace Laboratory NLR, performed an independent analysis of the accident (Smaili, 1997, 2000). In contrast to the analysis performed by the Netherlands Accident Investigation Bureau, the parameters of the DFDR were reconstructed using comprehensive modelling, simulation and visualisation techniques. In this alternative approach, the DFDR pilot control

Tool-Based Design and Evaluation of Resilient Flight Control Systems 191

Fig. 4. Failure modes and structural damage configuration of the Flight 1862 accident aircraft suffering right-wing engine separation, partial loss of hydraulics and change in

Figure 5 presents the performance capabilities of the Flight 1862 accident aircraft after separation of both right-wing engines, reconstructed via the methods described in (Edwards et al., 2010; Smaili, 1997, 2000), as a function of thrust and aircraft weight. The reconstructed model indicates that in these conditions and at heavy weight (700,000 lbs / 317,460 kg), level flight capability was available between Maximum Continuous Thrust (MCT) and Take-Off/Go Around thrust (TOGA). At or above approximately TOGA thrust, the aircraft had limited climb capability. Analysis shows that adequate control capabilities remained available to achieve the estimated performance capabilities. Figure 5 indicates a significant improvement in available performance and controllability at a lower weight if more fuel had

Simulation analysis of the accident flight using the reconstructed model (Edwards et al., 2010; Smaili, 1997, 2000) predicts sufficient performance and controllability, after the separation of the engines, to fly a low-drag approach profile at a 3.5 degrees glide slope angle for a high-speed landing or ditch at 200/210 KIAS and at a lower weight. Note again that this lower weight could have been obtained by jettisoning more fuel. The lower thrust requirement for this approach profile results in a significant improvement in lateral control margins that are adequate to compensate for additional thrust variations. The above predictions have been confirmed during the piloted simulator campaign later in the

aerodynamics

been jettisoned.

GARTEUR FM-AG(16) program.

**4.2 Aircraft survivability assessment** 

inputs were applied to detailed flight control and aerodynamic models of the accident aircraft. The purpose of the analysis was to acquire an estimate of the actual flying capabilities of the aircraft and to study alternative (unconventional) pilot control strategies for a successful recovery. The application of this technique resulted in a simulation model of the impaired aircraft that could reasonably predict the performance, controllability effects and control surface deflections as observed on the DFDR. The analysis of the reconstructed model of the aircraft, as used for the GARTEUR FM-AG(16) benchmark, indicated that from a flight mechanics point of view, the Flight 1862 accident aircraft was recoverable if unconventional control strategies were used (Smaili, 1997, 2000).

Fig. 3. Cargo accident aircraft prior to takeoff at Amsterdam Schiphol Airport (left). Reconstructed loss of control based on flight data following separation of the right-wing engines (right), EL AL Flight 1862, B747-200F, Amsterdam, 1992 (copyright Werner Fischdick, NLR)

## **4.1 Aircraft damage configuration**

The Flight 1862 damage configuration to both the aircraft's structure and onboard systems, after the separation of both right-wing engines, is illustrated in Figure 4. An analysis of the engine separation dynamics concluded that the sequence was initiated by the detachment of the right inboard engine and pylon (engine no. 3) from the main wing due to a combination of structural overload and metal fatigue in the pylon-wing joint. Following detachment, the right inboard engine struck the right outboard engine (engine no. 4) in its trajectory also rupturing the right-wing leading edge up to the front spar. The associated loss of hydraulic systems resulted in limited control capabilities due to unavailable control surfaces aggravated by aerodynamic disturbances caused by the right-wing structural damage.

The crew of Flight 1862 was confronted with a flight condition that was very different from what they expected based on training. The Flight 1862 failure mode configuration resulted in degraded flying qualities and performance that required adaptive and unconventional (untrained) control strategies. Additionally, the failure mode configuration caused an unknown degradation of the nominal flight envelope of the aircraft in terms of minimum control speed and manoeuvrability. For the heavy aircraft configuration at a relative low speed of around 260 knots IAS, the DFDR indicated that flight control was almost lost requiring full rudder pedal, 60 to 70 percent maximum control wheel deflection and a high thrust setting on the remaining engines.

190 Automatic Flight Control Systems – Latest Developments

inputs were applied to detailed flight control and aerodynamic models of the accident aircraft. The purpose of the analysis was to acquire an estimate of the actual flying capabilities of the aircraft and to study alternative (unconventional) pilot control strategies for a successful recovery. The application of this technique resulted in a simulation model of the impaired aircraft that could reasonably predict the performance, controllability effects and control surface deflections as observed on the DFDR. The analysis of the reconstructed model of the aircraft, as used for the GARTEUR FM-AG(16) benchmark, indicated that from a flight mechanics point of view, the Flight 1862 accident aircraft was recoverable if

Fig. 3. Cargo accident aircraft prior to takeoff at Amsterdam Schiphol Airport (left). Reconstructed loss of control based on flight data following separation of the right-wing engines (right), EL AL Flight 1862, B747-200F, Amsterdam, 1992 (copyright Werner

The Flight 1862 damage configuration to both the aircraft's structure and onboard systems, after the separation of both right-wing engines, is illustrated in Figure 4. An analysis of the engine separation dynamics concluded that the sequence was initiated by the detachment of the right inboard engine and pylon (engine no. 3) from the main wing due to a combination of structural overload and metal fatigue in the pylon-wing joint. Following detachment, the right inboard engine struck the right outboard engine (engine no. 4) in its trajectory also rupturing the right-wing leading edge up to the front spar. The associated loss of hydraulic systems resulted in limited control capabilities due to unavailable control surfaces aggravated by aerodynamic disturbances caused by the right-wing structural damage.

The crew of Flight 1862 was confronted with a flight condition that was very different from what they expected based on training. The Flight 1862 failure mode configuration resulted in degraded flying qualities and performance that required adaptive and unconventional (untrained) control strategies. Additionally, the failure mode configuration caused an unknown degradation of the nominal flight envelope of the aircraft in terms of minimum control speed and manoeuvrability. For the heavy aircraft configuration at a relative low speed of around 260 knots IAS, the DFDR indicated that flight control was almost lost requiring full rudder pedal, 60 to 70 percent maximum control wheel deflection and a high

unconventional control strategies were used (Smaili, 1997, 2000).

Fischdick, NLR)

**4.1 Aircraft damage configuration** 

thrust setting on the remaining engines.

Fig. 4. Failure modes and structural damage configuration of the Flight 1862 accident aircraft suffering right-wing engine separation, partial loss of hydraulics and change in aerodynamics

## **4.2 Aircraft survivability assessment**

Figure 5 presents the performance capabilities of the Flight 1862 accident aircraft after separation of both right-wing engines, reconstructed via the methods described in (Edwards et al., 2010; Smaili, 1997, 2000), as a function of thrust and aircraft weight. The reconstructed model indicates that in these conditions and at heavy weight (700,000 lbs / 317,460 kg), level flight capability was available between Maximum Continuous Thrust (MCT) and Take-Off/Go Around thrust (TOGA). At or above approximately TOGA thrust, the aircraft had limited climb capability. Analysis shows that adequate control capabilities remained available to achieve the estimated performance capabilities. Figure 5 indicates a significant improvement in available performance and controllability at a lower weight if more fuel had been jettisoned.

Simulation analysis of the accident flight using the reconstructed model (Edwards et al., 2010; Smaili, 1997, 2000) predicts sufficient performance and controllability, after the separation of the engines, to fly a low-drag approach profile at a 3.5 degrees glide slope angle for a high-speed landing or ditch at 200/210 KIAS and at a lower weight. Note again that this lower weight could have been obtained by jettisoning more fuel. The lower thrust requirement for this approach profile results in a significant improvement in lateral control margins that are adequate to compensate for additional thrust variations. The above predictions have been confirmed during the piloted simulator campaign later in the GARTEUR FM-AG(16) program.

Tool-Based Design and Evaluation of Resilient Flight Control Systems 193

Fig. 6. GARTEUR RECOVER Benchmark main model components for closed-loop

Fig. 7. GARTEUR RECOVER Benchmark functional model for open-loop nonlinear off-line

simulations

(interactive) simulations

Fig. 5. Flight 1862: Effect of engine thrust and weight on maximum climb performance for straight flight at 260 KIAS

## **5. GARTEUR RECOVER benchmark**

For the assessment of novel fault tolerant flight control techniques, the GARTEUR FM-AG (16) research group developed a simulation benchmark, based on the reconstructed Flight 1862 aircraft model (REconfigurable COntrol for Vehicle Emergency Return RECOVER). The benchmark simulation environment is based on the Delft University Aircraft Simulation and Analysis Tool DASMAT. The DASMAT tool was further enhanced with a full nonlinear simulation of the Boeing 747-100/200 aircraft (Flightlab747 / FTLAB747), including flight control system architecture, for the Flight 1862 accident study as conducted by Delft University. The simulation environment was subsequently utilised and further enhanced as a realistic tool for evaluation of fault detection and fault tolerant control schemes within other research programmes (Marcos & Balas, 2001). Reference (Edwards et al., 2010) provides details on the model reconstruction and validation based on the Flight 1862 accident data and simulation model implementations. For the application of the benchmark model, reference (Edwards et al., 2010) also provides a description regarding the benchmark model architecture, mathematical models and user examples.

The GARTEUR RECOVER benchmark has been developed as a Matlab®/Simulink® platform for the design and integrated (real-time) evaluation of new fault tolerant control techniques (Figure 6, 7 and 8). The benchmark consists of a set of high fidelity simulation and flight control design tools, including aircraft fault scenarios. For a representative simulation of damaged aircraft handling qualities and performances, the benchmark aircraft model has been validated against data from the Digital Flight Data Recorder (DFDR) of the EL AL Flight 1862 Boeing 747-200 accident aircraft that crashed near Amsterdam in 1992 caused by the separation of its right-wing engines.

192 Automatic Flight Control Systems – Latest Developments

260 KIAS / Flaps 1 / Lower rudder authority 5.1 degrees / Full pedal

700,000 lbs / 317,460 kg 577,648 lbs / 261,972 kg

Fig. 5. Flight 1862: Effect of engine thrust and weight on maximum climb performance for

Engines 1 & 2 EPR

MCT TOGA

1 1.1 1.2 1.3 1.4 1.5 1.6

For the assessment of novel fault tolerant flight control techniques, the GARTEUR FM-AG (16) research group developed a simulation benchmark, based on the reconstructed Flight 1862 aircraft model (REconfigurable COntrol for Vehicle Emergency Return RECOVER). The benchmark simulation environment is based on the Delft University Aircraft Simulation and Analysis Tool DASMAT. The DASMAT tool was further enhanced with a full nonlinear simulation of the Boeing 747-100/200 aircraft (Flightlab747 / FTLAB747), including flight control system architecture, for the Flight 1862 accident study as conducted by Delft University. The simulation environment was subsequently utilised and further enhanced as a realistic tool for evaluation of fault detection and fault tolerant control schemes within other research programmes (Marcos & Balas, 2001). Reference (Edwards et al., 2010) provides details on the model reconstruction and validation based on the Flight 1862 accident data and simulation model implementations. For the application of the benchmark model, reference (Edwards et al., 2010) also provides a description regarding the benchmark

The GARTEUR RECOVER benchmark has been developed as a Matlab®/Simulink® platform for the design and integrated (real-time) evaluation of new fault tolerant control techniques (Figure 6, 7 and 8). The benchmark consists of a set of high fidelity simulation and flight control design tools, including aircraft fault scenarios. For a representative simulation of damaged aircraft handling qualities and performances, the benchmark aircraft model has been validated against data from the Digital Flight Data Recorder (DFDR) of the EL AL Flight 1862 Boeing 747-200 accident aircraft that crashed near Amsterdam in 1992

straight flight at 260 KIAS



0

200

400

Maximum Performance Capability (feet/min)

600 800

1000

1200

1400

**5. GARTEUR RECOVER benchmark** 

model architecture, mathematical models and user examples.

caused by the separation of its right-wing engines.

Fig. 6. GARTEUR RECOVER Benchmark main model components for closed-loop simulations

Fig. 7. GARTEUR RECOVER Benchmark functional model for open-loop nonlinear off-line (interactive) simulations

Tool-Based Design and Evaluation of Resilient Flight Control Systems 195

The GARTEUR RECOVER benchmark software package is equipped with several simulation and analysis tools, all centered around a generic non-linear aircraft model for six degrees-of-freedom non-linear aircraft simulations. For high performance computation and visualisation capabilities, the package has been integrated as a toolbox in the computing environment Matlab®/Simulink®. The benchmark is operated via a Matlab® graphical user interface (Figure 9) from which the different benchmark tools may be selected. The user options in the main menu are divided into three main sections allowing to initialise the benchmark, run the simulations and select the analysis tools. The tools of the GARTEUR RECOVER benchmark include trimming and linearisation for (fault tolerant) flight control law design, nonlinear off-line (interactive) simulations, simulation data analysis and flight trajectory and pilot interface visualisations (Figure 10). The modularity of the benchmark makes it customisable to address research goals in terms of aircraft type, flight control system configuration, failure scenarios and flight control law

The test scenarios that are an integral part of the GARTEUR RECOVER benchmark were selected to provide challenging (operational) assessment criteria, as specifications for reconfigurable control, to evaluate the effectiveness and potential of the FTFC methods being investigated in the GARTEUR program. Validated against data from the DFDR, the benchmark provides accurate aerodynamic and flight control failure models, realistic scenarios and assessment criteria for a civil large transport aircraft with fault conditions

The geometry of the GARTEUR RECOVER benchmark flight scenario (Figure 11) is roughly modelled after the Flight 1862 accident profile. The scenario consists of a number of phases. First, it starts with a short section of normal flight after which a fault occurs, which is in turn followed by a recovery phase. If this recovery is successful, the aircraft should again be in a stable flight condition, although not necessarily at the original altitude and heading. After recovery, an optional identification phase is introduced during which the flying capabilities of the aircraft can be assessed. This allows for a complete parameter identification of the model for the damaged aircraft as well as the identification of the safe flight envelope. The knowledge gained during this identification phase can be used by the controller to improve the chances of a safe landing. In principle, the flight control system is now reconfigured to allow safe flight. The performance of the reconfigured aircraft is subsequently assessed in a series of five flight phases. These consist of straight and level flight, a right-hand turn to a course intercepting the localizer, localizer intercept, glideslope intercept and the final approach. During the final approach phase, the aircraft is subjected to a sudden lateral displacement just before the threshold, which simulates the effect of a low altitude windshear. The landing itself is not part of the benchmark, because a realistic aerodynamic model of the damaged aircraft in ground effect is not available. However, it is believed that if the aircraft is brought to the threshold in a stable condition, the pilot will certainly be able to take care of the final flare

The GARTEUR RECOVER benchmark simulation model, as applied within this research program, is available via the website of the project after registration

assessment criteria.

and landing.

(www.faulttolerantcontrol.nl).

ranging in severity from major to catastrophic.

Fig. 8. GARTEUR RECOVER Benchmark component library

Fig. 9. GARTEUR RECOVER Benchmark graphical user interface for the selection of simulation and analysis tools

194 Automatic Flight Control Systems – Latest Developments

Fig. 8. GARTEUR RECOVER Benchmark component library

Fig. 9. GARTEUR RECOVER Benchmark graphical user interface for the selection of

simulation and analysis tools

The GARTEUR RECOVER benchmark software package is equipped with several simulation and analysis tools, all centered around a generic non-linear aircraft model for six degrees-of-freedom non-linear aircraft simulations. For high performance computation and visualisation capabilities, the package has been integrated as a toolbox in the computing environment Matlab®/Simulink®. The benchmark is operated via a Matlab® graphical user interface (Figure 9) from which the different benchmark tools may be selected. The user options in the main menu are divided into three main sections allowing to initialise the benchmark, run the simulations and select the analysis tools. The tools of the GARTEUR RECOVER benchmark include trimming and linearisation for (fault tolerant) flight control law design, nonlinear off-line (interactive) simulations, simulation data analysis and flight trajectory and pilot interface visualisations (Figure 10). The modularity of the benchmark makes it customisable to address research goals in terms of aircraft type, flight control system configuration, failure scenarios and flight control law assessment criteria.

The test scenarios that are an integral part of the GARTEUR RECOVER benchmark were selected to provide challenging (operational) assessment criteria, as specifications for reconfigurable control, to evaluate the effectiveness and potential of the FTFC methods being investigated in the GARTEUR program. Validated against data from the DFDR, the benchmark provides accurate aerodynamic and flight control failure models, realistic scenarios and assessment criteria for a civil large transport aircraft with fault conditions ranging in severity from major to catastrophic.

The geometry of the GARTEUR RECOVER benchmark flight scenario (Figure 11) is roughly modelled after the Flight 1862 accident profile. The scenario consists of a number of phases. First, it starts with a short section of normal flight after which a fault occurs, which is in turn followed by a recovery phase. If this recovery is successful, the aircraft should again be in a stable flight condition, although not necessarily at the original altitude and heading. After recovery, an optional identification phase is introduced during which the flying capabilities of the aircraft can be assessed. This allows for a complete parameter identification of the model for the damaged aircraft as well as the identification of the safe flight envelope. The knowledge gained during this identification phase can be used by the controller to improve the chances of a safe landing. In principle, the flight control system is now reconfigured to allow safe flight. The performance of the reconfigured aircraft is subsequently assessed in a series of five flight phases. These consist of straight and level flight, a right-hand turn to a course intercepting the localizer, localizer intercept, glideslope intercept and the final approach. During the final approach phase, the aircraft is subjected to a sudden lateral displacement just before the threshold, which simulates the effect of a low altitude windshear. The landing itself is not part of the benchmark, because a realistic aerodynamic model of the damaged aircraft in ground effect is not available. However, it is believed that if the aircraft is brought to the threshold in a stable condition, the pilot will certainly be able to take care of the final flare and landing.

The GARTEUR RECOVER benchmark simulation model, as applied within this research program, is available via the website of the project after registration (www.faulttolerantcontrol.nl).

Tool-Based Design and Evaluation of Resilient Flight Control Systems 197

Fig. 11. GARTEUR RECOVER Benchmark flight scenario for qualification of fault tolerant flight control systems for safe landing of a damaged large transport aircraft (Edwards et al.,

The developed fault tolerant flight control schemes in this project have been evaluated in a piloted simulator assessment using a real-time integration of the GARTEUR RECOVER benchmark model, including reconstructed accident scenarios (Edwards et al., 2010; Stroosma et al., 2009). The evaluation was conducted in the SIMONA Research Simulation (SRS) facility, a full 6 degrees of freedom motion research simulator, of the Delft University

Fig. 12. Evaluation of GARTEUR FM-AG(16) FTFC techniques in the Delft University SIMONA Research Simulator based on reconstructed accident scenarios (Left: Boeing 747

cockpit configuration. Right: visual system dome)

**6. Flight simulator integration and piloted assessment** 

2010; Lombaerts et al., 2006)

of Technology (Figure 12).

Fig. 10. GARTEUR RECOVER Benchmark high resolution aircraft visualisation tool for interactive (real-time) simulation and validation of new fault tolerant flight control algorithms. Tool features include pilot interface displays, environment modeling, aircraft flight path animation and detailed renditions of Amsterdam Schiphol airport as part of the benchmark approach and landing scenario

196 Automatic Flight Control Systems – Latest Developments

Fig. 10. GARTEUR RECOVER Benchmark high resolution aircraft visualisation tool for interactive (real-time) simulation and validation of new fault tolerant flight control algorithms. Tool features include pilot interface displays, environment modeling, aircraft flight path animation and detailed renditions of Amsterdam Schiphol airport as part of the

benchmark approach and landing scenario

Fig. 11. GARTEUR RECOVER Benchmark flight scenario for qualification of fault tolerant flight control systems for safe landing of a damaged large transport aircraft (Edwards et al., 2010; Lombaerts et al., 2006)

## **6. Flight simulator integration and piloted assessment**

The developed fault tolerant flight control schemes in this project have been evaluated in a piloted simulator assessment using a real-time integration of the GARTEUR RECOVER benchmark model, including reconstructed accident scenarios (Edwards et al., 2010; Stroosma et al., 2009). The evaluation was conducted in the SIMONA Research Simulation (SRS) facility, a full 6 degrees of freedom motion research simulator, of the Delft University of Technology (Figure 12).

Fig. 12. Evaluation of GARTEUR FM-AG(16) FTFC techniques in the Delft University SIMONA Research Simulator based on reconstructed accident scenarios (Left: Boeing 747 cockpit configuration. Right: visual system dome)

Tool-Based Design and Evaluation of Resilient Flight Control Systems 199

The NASA Aviation Safety Program (NASA, 2011), which is a partnership between NASA and the Federal Aviation Administration (FAA), the Department of Defense (DoD) and the aviation industry, aims to further reduce the observed worldwide trends in aviation accidents by means of new loss-of-control prevention, mitigation and recovery techniques. These techniques, currently being investigated by the AvSP program apart from other measures, should assure to meet the demands of the transition to the Next Generation Air

Future requirements from a flight deck system safety point of view include a more integrated design of information systems available to the pilot including displays and interactions, flight decision support systems (e.g. advisories during adverse and/or upset conditions including automatic recovery) and the allocation of functions between the pilot and automatic systems during nominal and degraded flight conditions. This new "intelligent" flight deck should be able to sense onboard (flight control) system and environmental-induced hazards in real-time and provide the necessary and timely actions to

Part of the technology strategies of the AvSP program include methods for improvements of vehicle system health-monitoring and survivability rate through "self-repairing" mechanisms in case of system failures. Within the AvSP Integrated Resilient Aircraft Control (IRAC) program (NASA, 2011), multidisciplinary integrated aircraft control design tools and techniques are investigated and developed to allow safe aircraft operation in the event of flight into adverse conditions (e.g. loss-of-control or upsets due to onboard control system failures, environmental factors or aerodynamic degradation caused by damage or icing). Adaptive flight control, as discussed in this chapter and investigated by the GARTEUR program, is provided within the IRAC program as a design option (in support of pilot training) to mitigate in-flight loss-of-control by enhancing the stability and maneuverability margins of the (damaged) aircraft for a safe and survivable landing. Additional applications of adaptive flight control might include the prevention or recovery of aircraft departures following inadvertent stall or unusual attitudes. These developments require accurate modeling of the dynamics involved in loss-of-control caused by failures or (post-departure) upset conditions in terms of system behaviour and aerodynamic characteristics. This requirement will allow representative simulation of dynamic flight conditions, based on wind tunnel data in combination with computational fluid dynamic (CFD) techniques (Figure 14), for adaptive control law

Within the Active Management of Aircraft System Failures (AMASF) project, as part of the AvSP program, several issues in the area of FTFC technology have been addressed. These include detection and identification of failures and icing, pilot cueing strategies to cope with failures and icing and control reconfiguration strategies to prevent extreme flight conditions following a failure of the aircraft. In this context, a piloted simulation was conducted early 2005 of a Control Upset Prevention and Recovery System (CUPRSys). Despite few limitations, CUPRSys provided promising fault detection, isolation and reconfiguration

**7. Developments in aircraft loss-of-control prevention** 

prevent or recover from any adverse condition (Figure 14).

Transportation System (NextGen).

design and evaluation.

capabilities (Ganguli, et al., 2005).

Several validation steps were performed to assure the benchmark model was implemented correctly. This included proof-of-match validation and piloted checkout of the baseline aircraft, control feel system and Flight 1862 controllability and performance characteristics. To accurately replicate the operational conditions of the reconstructed Flight 1862 accident aircraft in the simulator, the experiment scenario was aimed at a landing on runway 27 of Amsterdam Schiphol airport. The SIMONA airport scenery was representative of Amsterdam Schiphol airport and its surroundings for flight under visual flight rules (VFR).

The GARTEUR FM-AG(16) piloted simulator campaign provided a unique opportunity to assess pilot performance under flight validated accident scenarios and operational conditions. Six professional airline pilots, with an average experience of about 15.000 flight hours, participated in the piloted simulations. Five pilots were type rated for the Boeing 747 aircraft while one pilot was rated for the Boeing 767 and Airbus A330 aircraft.

In general, the results show, for both automatic and manual controlled flight, that the developed FTFC strategies were able to cope with potentially catastrophic failures in case of flight critical system failures or if the aircraft configuration has changed dramatically. In most cases, apart from any slight failure transients, the pilots commented that aircraft behaviour felt conventional after control reconfiguration following a failure, while the control algorithms were successful in recovering the ability to control the damaged aircraft. Manual controlled flight under fault reconfiguration was assessed for both a runaway of the rudder to the blow-down limit and a separation of both right-wing engines (Figure 13). Part of the FTFC strategies that were evaluated in the piloted simulation campaign consisted of a combination of real-time aerodynamic model identification and adaptive nonlinear dynamic inversion for control allocation and reconfiguration (Edwards et al., 2010; Lombaerts et al., 2009). The simulation results have shown that the handling qualities of the reconfigured damaged aircraft with a fault tolerant control system degrade less, indicating improved task performance. For both the Flight 1862 and rudder hardover case, as part of the scenarios surveyed in this research program, the pilots demonstrated the ability to fly the damaged aircraft, following control reconfiguration, back to the airport and conduct a survivable approach and landing (Edwards et al., 2010).

Fig. 13. Left: GARTEUR FM-AG(16) piloted simulation showing the reconstructed Flight 1862 accident aircraft with separated right-wing engines. Right: Piloted simulation showing a sudden hardover of the rudder inducing a large roll upset of the aircraft without reconfigurable control laws (flight animation by Rassimtech AVDS©)

198 Automatic Flight Control Systems – Latest Developments

Several validation steps were performed to assure the benchmark model was implemented correctly. This included proof-of-match validation and piloted checkout of the baseline aircraft, control feel system and Flight 1862 controllability and performance characteristics. To accurately replicate the operational conditions of the reconstructed Flight 1862 accident aircraft in the simulator, the experiment scenario was aimed at a landing on runway 27 of Amsterdam Schiphol airport. The SIMONA airport scenery was representative of Amsterdam Schiphol airport and its surroundings for flight under visual flight rules (VFR). The GARTEUR FM-AG(16) piloted simulator campaign provided a unique opportunity to assess pilot performance under flight validated accident scenarios and operational conditions. Six professional airline pilots, with an average experience of about 15.000 flight hours, participated in the piloted simulations. Five pilots were type rated for the Boeing 747

In general, the results show, for both automatic and manual controlled flight, that the developed FTFC strategies were able to cope with potentially catastrophic failures in case of flight critical system failures or if the aircraft configuration has changed dramatically. In most cases, apart from any slight failure transients, the pilots commented that aircraft behaviour felt conventional after control reconfiguration following a failure, while the control algorithms were successful in recovering the ability to control the damaged aircraft. Manual controlled flight under fault reconfiguration was assessed for both a runaway of the rudder to the blow-down limit and a separation of both right-wing engines (Figure 13). Part of the FTFC strategies that were evaluated in the piloted simulation campaign consisted of a combination of real-time aerodynamic model identification and adaptive nonlinear dynamic inversion for control allocation and reconfiguration (Edwards et al., 2010; Lombaerts et al., 2009). The simulation results have shown that the handling qualities of the reconfigured damaged aircraft with a fault tolerant control system degrade less, indicating improved task performance. For both the Flight 1862 and rudder hardover case, as part of the scenarios surveyed in this research program, the pilots demonstrated the ability to fly the damaged aircraft, following control reconfiguration, back to the airport and conduct a survivable

 Fig. 13. Left: GARTEUR FM-AG(16) piloted simulation showing the reconstructed Flight 1862 accident aircraft with separated right-wing engines. Right: Piloted simulation showing

a sudden hardover of the rudder inducing a large roll upset of the aircraft without

reconfigurable control laws (flight animation by Rassimtech AVDS©)

aircraft while one pilot was rated for the Boeing 767 and Airbus A330 aircraft.

approach and landing (Edwards et al., 2010).

## **7. Developments in aircraft loss-of-control prevention**

The NASA Aviation Safety Program (NASA, 2011), which is a partnership between NASA and the Federal Aviation Administration (FAA), the Department of Defense (DoD) and the aviation industry, aims to further reduce the observed worldwide trends in aviation accidents by means of new loss-of-control prevention, mitigation and recovery techniques. These techniques, currently being investigated by the AvSP program apart from other measures, should assure to meet the demands of the transition to the Next Generation Air Transportation System (NextGen).

Future requirements from a flight deck system safety point of view include a more integrated design of information systems available to the pilot including displays and interactions, flight decision support systems (e.g. advisories during adverse and/or upset conditions including automatic recovery) and the allocation of functions between the pilot and automatic systems during nominal and degraded flight conditions. This new "intelligent" flight deck should be able to sense onboard (flight control) system and environmental-induced hazards in real-time and provide the necessary and timely actions to prevent or recover from any adverse condition (Figure 14).

Part of the technology strategies of the AvSP program include methods for improvements of vehicle system health-monitoring and survivability rate through "self-repairing" mechanisms in case of system failures. Within the AvSP Integrated Resilient Aircraft Control (IRAC) program (NASA, 2011), multidisciplinary integrated aircraft control design tools and techniques are investigated and developed to allow safe aircraft operation in the event of flight into adverse conditions (e.g. loss-of-control or upsets due to onboard control system failures, environmental factors or aerodynamic degradation caused by damage or icing). Adaptive flight control, as discussed in this chapter and investigated by the GARTEUR program, is provided within the IRAC program as a design option (in support of pilot training) to mitigate in-flight loss-of-control by enhancing the stability and maneuverability margins of the (damaged) aircraft for a safe and survivable landing. Additional applications of adaptive flight control might include the prevention or recovery of aircraft departures following inadvertent stall or unusual attitudes. These developments require accurate modeling of the dynamics involved in loss-of-control caused by failures or (post-departure) upset conditions in terms of system behaviour and aerodynamic characteristics. This requirement will allow representative simulation of dynamic flight conditions, based on wind tunnel data in combination with computational fluid dynamic (CFD) techniques (Figure 14), for adaptive control law design and evaluation.

Within the Active Management of Aircraft System Failures (AMASF) project, as part of the AvSP program, several issues in the area of FTFC technology have been addressed. These include detection and identification of failures and icing, pilot cueing strategies to cope with failures and icing and control reconfiguration strategies to prevent extreme flight conditions following a failure of the aircraft. In this context, a piloted simulation was conducted early 2005 of a Control Upset Prevention and Recovery System (CUPRSys). Despite few limitations, CUPRSys provided promising fault detection, isolation and reconfiguration capabilities (Ganguli, et al., 2005).

Tool-Based Design and Evaluation of Resilient Flight Control Systems 201

Current flight simulators, however, are considered inadequate for the simulation of many upset conditions as the aerodynamic models are only applicable to the normal flight envelope. Upset conditions can take the aircraft outside the normal envelope where aircraft behaviour may change significantly, and the pilot may have to adopt unconventional control strategies (Burks, 2009). Furthermore, standard hexapod-based motion systems are unable to reproduce the high accelerations, angular rates, and sustained G-forces occurring

The European Seventh Framework Program Simulation of Upset Recovery in Aviation (SUPRA, 2009-2012) aims to improve the aerodynamic and the motion envelope of groundbased flight simulators required for conducting advanced upset recovery simulation. The research not only involves hexapod-type flight simulators but also experimental centrifugebased simulators (Figure 16). The aerodynamic modeling within the SUPRA project employs a unique combination of engineering methods, including the application of validated CFD methods and innovative physical modeling to capture the major aerodynamic effects that occur at high angles of attack. The flight simulator motion cueing research within SUPRA aims to extend the envelope of standard FFSs by optimizing the motion cueing software. In addition, the effectiveness of the application of a new-generation centrifuge-based simulations are investigated for the simulation of G-loads that are typically present in upset conditions. Information on the SUPRA program can be found in reference (Groen et al.,

2011) and is also available via the website of the project (www.supra.aero).

Fig. 16. SUPRA simulation facilities for conducting advanced upset recovery simulation research to improve pilot training in upset recovery and reduce LOC-I accident rates. Left: NLR Generic Research Aircraft Cockpit Environment (GRACE). Mid: TsAGI PSPK-102.

A benchmark for the integrated evaluation of new fault detection, isolation and reconfigurable control techniques has been developed within the framework of the European GARTEUR Flight Mechanics Action Group FM-AG(16) on Fault Tolerant Control. Validated against data from the Digital Flight Data Recorder (DFDR), the benchmark addresses the need for high-fidelity nonlinear simulation models to improve the prediction of reconfigurable system performance in degraded modes. The GARTEUR RECOVER benchmark is suitable for both offline design and analysis of new fault tolerant flight control system algorithms and integration on simulation platforms for piloted hardware in the loop

during upsets and the recovery from adverse conditions.

Right: TNO/AMST Desdemona

**8. Summary and conclusion** 

Fig. 14. Left: Future integrated "intelligent" flight deck for safe and efficient operation in nominal and adverse conditions. Mid and right: application of wind tunnels and CFD to acquire accurate aerodynamic estimates for simulation of flight outside the normal envelope, aircraft damage and icing to mitigate in-flight loss-of-control

## **7.1 Pilot training**

A significant part of LOC-I accidents have been attributed to a lack of the crew's awareness and experience in extreme flight conditions. In the course of loss-of-control events, the aircraft often enters unusual attitudes or other types of upsets (Figure 15). To prevent or timely recover from a loss-of-control or unusual attitude situation, it is essential that the pilot rapidly recognizes the condition, initiate recovery actions and follows appropriate recovery procedures. Inadequate recovery may exacerbate the situation and lead to the loss of the aircraft.

Aviation authorities recognize the need to educate pilots on upset recovery techniques to reduce the amount of LOC-I accidents. As in-flight training with large aircraft is expensive and unsafe, ground-based flight simulators are applied as an alternative to in-flight training of loss-of-control scenarios. Ground-based full flight simulators (FFS) that are capable enough of accurately representing extreme flight conditions would significantly improve the effectiveness of upset recovery training while being part of the standard airline training program.

Fig. 15. Aircraft showing unusual attitude typical during in-flight loss-of-control or upset conditions

200 Automatic Flight Control Systems – Latest Developments

Fig. 14. Left: Future integrated "intelligent" flight deck for safe and efficient operation in nominal and adverse conditions. Mid and right: application of wind tunnels and CFD to acquire accurate aerodynamic estimates for simulation of flight outside the normal

A significant part of LOC-I accidents have been attributed to a lack of the crew's awareness and experience in extreme flight conditions. In the course of loss-of-control events, the aircraft often enters unusual attitudes or other types of upsets (Figure 15). To prevent or timely recover from a loss-of-control or unusual attitude situation, it is essential that the pilot rapidly recognizes the condition, initiate recovery actions and follows appropriate recovery procedures. Inadequate recovery may exacerbate the situation and lead to the loss

Aviation authorities recognize the need to educate pilots on upset recovery techniques to reduce the amount of LOC-I accidents. As in-flight training with large aircraft is expensive and unsafe, ground-based flight simulators are applied as an alternative to in-flight training of loss-of-control scenarios. Ground-based full flight simulators (FFS) that are capable enough of accurately representing extreme flight conditions would significantly improve the effectiveness of upset recovery training while being part of the standard airline training

Fig. 15. Aircraft showing unusual attitude typical during in-flight loss-of-control or upset

envelope, aircraft damage and icing to mitigate in-flight loss-of-control

**7.1 Pilot training** 

of the aircraft.

program.

conditions

Current flight simulators, however, are considered inadequate for the simulation of many upset conditions as the aerodynamic models are only applicable to the normal flight envelope. Upset conditions can take the aircraft outside the normal envelope where aircraft behaviour may change significantly, and the pilot may have to adopt unconventional control strategies (Burks, 2009). Furthermore, standard hexapod-based motion systems are unable to reproduce the high accelerations, angular rates, and sustained G-forces occurring during upsets and the recovery from adverse conditions.

The European Seventh Framework Program Simulation of Upset Recovery in Aviation (SUPRA, 2009-2012) aims to improve the aerodynamic and the motion envelope of groundbased flight simulators required for conducting advanced upset recovery simulation. The research not only involves hexapod-type flight simulators but also experimental centrifugebased simulators (Figure 16). The aerodynamic modeling within the SUPRA project employs a unique combination of engineering methods, including the application of validated CFD methods and innovative physical modeling to capture the major aerodynamic effects that occur at high angles of attack. The flight simulator motion cueing research within SUPRA aims to extend the envelope of standard FFSs by optimizing the motion cueing software. In addition, the effectiveness of the application of a new-generation centrifuge-based simulations are investigated for the simulation of G-loads that are typically present in upset conditions. Information on the SUPRA program can be found in reference (Groen et al., 2011) and is also available via the website of the project (www.supra.aero).

Fig. 16. SUPRA simulation facilities for conducting advanced upset recovery simulation research to improve pilot training in upset recovery and reduce LOC-I accident rates. Left: NLR Generic Research Aircraft Cockpit Environment (GRACE). Mid: TsAGI PSPK-102. Right: TNO/AMST Desdemona

## **8. Summary and conclusion**

A benchmark for the integrated evaluation of new fault detection, isolation and reconfigurable control techniques has been developed within the framework of the European GARTEUR Flight Mechanics Action Group FM-AG(16) on Fault Tolerant Control. Validated against data from the Digital Flight Data Recorder (DFDR), the benchmark addresses the need for high-fidelity nonlinear simulation models to improve the prediction of reconfigurable system performance in degraded modes. The GARTEUR RECOVER benchmark is suitable for both offline design and analysis of new fault tolerant flight control system algorithms and integration on simulation platforms for piloted hardware in the loop

Tool-Based Design and Evaluation of Resilient Flight Control Systems 203

The results of the GARTEUR research program on fault tolerant flight control, as described in this chapter, have been published in the book 'Fault Tolerant Flight Control - A Benchmark Challenge' by Springer-Verlag (2010) under the Lecture Notes in Control and Information Sciences series (LNCIS-399) (Edwards et al., 2010). The book provides details of the RECOVER benchmark model architecture, mathematical models, modelled fault scenarios and examples for both offline and piloted simulation applications. The GARTEUR RECOVER benchmark simulation model, which accompanies the book, is available via the project's website (www.faulttolerantcontrol.nl) after registration. The website (Figure 17) provides further access to contact information, follow-on projects and future software

The authors recognise the contributions of the members of the GARTEUR FM-AG(16) Action Group to this chapter. The authors also appreciate the funding that the Dutch Technology Foundation STW has provided as part of the GARTEUR activities. Special thanks to Jaap Groeneweg and Ronald Verhoeven of NLR for their contribution to the RECOVER aircraft visualisation tools. A word of thanks to all those who have contributed to the further improvement of the GARTEUR RECOVER benchmark model within their flight control research programmes, especially Andres Marcos of DEIMOS Space and Gary Balas of the University of Minnesota. The authors would like to thank the SUPRA consortium and especially Eric Groen of the Netherlands Organisation for Applied Scientific Research (TNO) for their contribution to this chapter. The SUPRA project is co-financed by the

Burcham, F.W. & Fullerton, C.G. (2004). Manual Manipulation of Engine Throttles for

Burks. B. (2009). Upset Recovery Training: A Call for a Higher Standard of Training, *Royal* 

Edwards, C., Lombaerts, T.J.J. & Smaili, M.H. (Ed(s).). (2010). *Fault Tolerant Control – a* 

Ganguli, S., et al. (2005). Piloted Simulation of Fault Detection, Isolation and Reconfiguration

Lombaerts, T.J.J. et al. (2006). Assessment Criteria as Specifications for Reconfiguring

*and Control Conference,* AIAA-2005-5936, San Francisco, California, 2005 Groen, E., Fucke, L., Goman, M., Biryukov, V. & Smaili, M.H. (2011). Improving Flight

*Aeronautical Society Flight Simulation Conference: Towards the Edge of the Envelope,* 

*Benchmark Challenge,* Lecture Notes in Control and Information Sciences (LNCIS-

Algorithms for a Civil Transport Aircraft, *Proceedings of AIAA Guidance, Navigation* 

Safety by Pushing the Training Envelope: The European Project SUPRA, *Proceedings of the 3rd CEAS Air & Space Conference / 21st AIDAA Congress,* Venice,

Control, *Proceedings of AIAA Guidance, Navigation and Control Conference,* Keystone,

European Commission under Grant Agreement no. 233543.

Emergency Flight Control, NASA/TM-2004-212045

399), Springer-Verlag, ISBN 978-3-642-11689-6

Italy, October 24-28, 2011

Colorado, USA, August, 2006

Royal Aeronautical Society, London, UK, June 3-4, 2009 Civil Aviation Authority of the Netherlands. (2007). *Civil Aviation Safety Data* Corder, M. (2004). Crippled But Not Crashed. *Scientific American,* (July 2004)

updates.

**9. Acknowledgements** 

**10. References** 

testing. In conjunction with enhanced graphical tools, including high resolution aircraft visualisations, the benchmark supports tool-based advanced flight control system design and evaluation within research, educational or industrial framework.

The GARTEUR Action Group FM-AG(16) on Fault Tolerant Control has made a significant step forward in terms of bringing novel "intelligent" self-adaptive flight control techniques, originally conceived within the academic and research community, to a higher technology readiness level. The research program demonstrated that the designed fault tolerant control algorithms were successful in recovering control of significantly damaged aircraft.

Within the international aviation community, urgent measures and interventions are being undertaken to reduce the amount of loss-of-control accidents caused by mechanical failures, atmospheric events or pilot disorientation. The application of fault tolerant and reconfigurable control, including aircraft envelope protection, has been recognised as a possible long term option for reducing the impact of flight critical system failures, pilot disorientation following upsets or flight outside the operational boundaries in degraded conditions (e.g. icing). Fault tolerant flight control, and the (experimental) results of this GARTEUR Action Group, may further support these endeavours in providing technology solutions aiding the recovery and safe control of damaged aircraft or in-flight upset conditions. Several organisations within this Action Group currently conduct in-flight loss of control prevention research within the EC Framework 7 program Simulation of Aircraft Upsets in Aviation SUPRA (www.supra.aero). The experience obtained by the partners in this Action Group will be utilised to study future measures in mitigating the problem of inflight loss-of-control and upset recovery and prevention.

Fig. 17. The GARTEUR FM-AG(16) Fault Tolerant Flight Control project website provides information on the project, links to ongoing research, publications and software registration (www.faulttolerantcontrol.nl)

The results of the GARTEUR research program on fault tolerant flight control, as described in this chapter, have been published in the book 'Fault Tolerant Flight Control - A Benchmark Challenge' by Springer-Verlag (2010) under the Lecture Notes in Control and Information Sciences series (LNCIS-399) (Edwards et al., 2010). The book provides details of the RECOVER benchmark model architecture, mathematical models, modelled fault scenarios and examples for both offline and piloted simulation applications. The GARTEUR RECOVER benchmark simulation model, which accompanies the book, is available via the project's website (www.faulttolerantcontrol.nl) after registration. The website (Figure 17) provides further access to contact information, follow-on projects and future software updates.

## **9. Acknowledgements**

202 Automatic Flight Control Systems – Latest Developments

testing. In conjunction with enhanced graphical tools, including high resolution aircraft visualisations, the benchmark supports tool-based advanced flight control system design

The GARTEUR Action Group FM-AG(16) on Fault Tolerant Control has made a significant step forward in terms of bringing novel "intelligent" self-adaptive flight control techniques, originally conceived within the academic and research community, to a higher technology readiness level. The research program demonstrated that the designed fault tolerant control

Within the international aviation community, urgent measures and interventions are being undertaken to reduce the amount of loss-of-control accidents caused by mechanical failures, atmospheric events or pilot disorientation. The application of fault tolerant and reconfigurable control, including aircraft envelope protection, has been recognised as a possible long term option for reducing the impact of flight critical system failures, pilot disorientation following upsets or flight outside the operational boundaries in degraded conditions (e.g. icing). Fault tolerant flight control, and the (experimental) results of this GARTEUR Action Group, may further support these endeavours in providing technology solutions aiding the recovery and safe control of damaged aircraft or in-flight upset conditions. Several organisations within this Action Group currently conduct in-flight loss of control prevention research within the EC Framework 7 program Simulation of Aircraft Upsets in Aviation SUPRA (www.supra.aero). The experience obtained by the partners in this Action Group will be utilised to study future measures in mitigating the problem of in-

 Fig. 17. The GARTEUR FM-AG(16) Fault Tolerant Flight Control project website provides information on the project, links to ongoing research, publications and software registration

algorithms were successful in recovering control of significantly damaged aircraft.

and evaluation within research, educational or industrial framework.

flight loss-of-control and upset recovery and prevention.

(www.faulttolerantcontrol.nl)

The authors recognise the contributions of the members of the GARTEUR FM-AG(16) Action Group to this chapter. The authors also appreciate the funding that the Dutch Technology Foundation STW has provided as part of the GARTEUR activities. Special thanks to Jaap Groeneweg and Ronald Verhoeven of NLR for their contribution to the RECOVER aircraft visualisation tools. A word of thanks to all those who have contributed to the further improvement of the GARTEUR RECOVER benchmark model within their flight control research programmes, especially Andres Marcos of DEIMOS Space and Gary Balas of the University of Minnesota. The authors would like to thank the SUPRA consortium and especially Eric Groen of the Netherlands Organisation for Applied Scientific Research (TNO) for their contribution to this chapter. The SUPRA project is co-financed by the European Commission under Grant Agreement no. 233543.

## **10. References**


http://www.aeronautics.nasa.gov/programs\_avsafe.htm


204 Automatic Flight Control Systems – Latest Developments

Lombaerts, T.J.J., Chu, P., Mulder, J.A. & Joosten, D.A. (2011). Modular Flight Control

NASA. (2011). Aviation Safety Program, In: *Aviation Safety Program Fact Sheet (NF-2011-04-*

Netherlands Aviation Safety Board. (1994). *EL AL Flight 1862, Aircraft Accident Report 92-11,*

Patton, R.J. (1997). Fault-Tolerant Control Systems: The 1997 Situation, *Proceedings of the IFAC Symposium on SAFEPROCESS,* pp. 1033-1055, Hull, UK, August, 1997 Stroosma, O., Smaili, M.H. & Mulder, J.A. (2009). Pilot-in-the-Loop Evaluation of Fault

Smaili, M.H. (1997). *Flight Data Reconstruction and Simulation of EL AL Flight 1862,*

Smaili, M.H. & Mulder, J.A. (2000). Flight Data Reconstruction and Simulation of the 1992

*Simulation Conference,* AIAA-2000-4586, Denver, Colorado, August, 2000 The Boeing Company. (1999). Intelligent Flight Control: Advanced Concept Program – Final

Wright Laboratory. (1991). *Self-Repairing Flight Control System,* Final Report, WL-TR-91-3025 Zhang, J. & Jiang, J. (2003). Bibliographical Review on Reconfigurable Fault-Tolerant Control

Zhang, Y. (2005). Fault Tolerant Control Systems: Historical Review and Current Research,

*Technical Processes 2003,* Washington, D.C., USA, June 9-11, 2003

Graduation Report, Delft University of Technology, Delft

19, No. 6, (2011), pp. 540–554, DOI: 10.1016/j.conengprac.2010.12.008 Marcos, A., Balas,G.J. (2001). Linear Parameter Varying Modeling of the Boeing 747-100/200

*Conference,* AIAA-2001-4347, Montreal, Canada, 2001

http://www.aeronautics.nasa.gov/programs\_avsafe.htm

*535-HQ),* 09.09.2011, Available from

*Conference,* Barcelona, Spain, 2009

Report, BOEING-STL 99P0040

Poincare, Nancy 1, France, December 5, 2005

Hoofddorp

Reconfiguration Design and Simulation. *Control Engineering Practice, Elsevier,* Vol.

Longitudinal Motion, *Proceedings of AIAA Guidance, Navigation and Control* 

Tolerant Flight Control Systems, *Proceedings of the IFAC SAFEPROCESS 2009* 

Amsterdam Bijlmermeer Airplane Accident, *Proceedings of AIAA Modeling and* 

Systems, *Proceedings 5th IFAC Symposium on Fault Detection, Supervision and Safety for* 

*Presented at the Centre de Recherche en Automatique de Nancy,* Universite Henri

## *Edited by Thomas Lombaerts*

The history of flight control is inseparably linked to the history of aviation itself. Since the early days, the concept of automatic flight control systems has evolved from mechanical control systems to highly advanced automatic fly-by-wire flight control systems which can be found nowadays in military jets and civil airliners. Even today, many research efforts are made for the further development of these flight control systems in various aspects. Recent new developments in this field focus on a wealth of different aspects. This book focuses on a selection of key research areas, such as inertial navigation, control of unmanned aircraft and helicopters, trajectory control of an unmanned space re-entry vehicle, aeroservoelastic control, adaptive flight control, and fault tolerant flight control. This book consists of two major sections. The first section focuses on a literature review and some recent theoretical developments in flight control systems. The second section discusses some concepts of adaptive and fault-tolerant flight control systems. Each technique discussed in this book is illustrated by a relevant example.

Automatic Flight Control Systems - Latest Developments

Automatic Flight

Control Systems

Latest Developments

*Edited by Thomas Lombaerts*

Photo by Petrovich9 / iStock