Fault Tree Analyses as a Tool for Flight Control System

Architecture Design
Estella Chung, Woodward, Inc.
John S. Hanks, Woodward, Inc.

Key Words: Fault Tree Analysis (FTA), Loss of Function (LOF), Failure to Dispatch (FTD), System Safety

SUMMARY & CONCLUSIONS

Woodward Inc. was tasked with evaluating several flight
control rotorcraft requirements to derive an architecture that
would best support those requirements. Each architecture was
assessed using various models, including a fault tree model, to
determine if failure rate allocations to the partitions would
support the needed availability and safety performance. An
optimal system architecture was developed that would meet
regulatory compliance for system safety [1, 2] given
constraints such as cost, weight, envelope, and complexity.
System Safety was the primary driver considered in the
development phase of the Fly-By-Wire (FBW) project. The
designs consist of Flight Control Computer (FCC) electrical
lanes that interface with main and tail rotor electrohydraulic
servoactuators.
The system concept designs evaluated involved traditional
and hybrid architectural schemes for functional redundancy
and operation. The options included duplex, triplex, quadruplex
control channel redundancy and various combinations of
electrical, mechanical, or hydraulic connections.
A primary system safety analysis tool in the decision
making process for the optimal system architecture in this
application was the Fault Tree Analysis (FTA). The FTA
model provided both a visual qualitative tool to validate
proper system logic and a quantitative tool [3] to validate
probability of Loss of Function (LOF) and Failure to Dispatch
(FTD). While Woodward also applies this process to fixed-
winged aircraft, the focus of this study was a FBW rotorcraft
flight control platform (see Figure 1). The result of this study
found that a hybrid Dual-Triplex architectural scheme proved
optimal given the project constraints. This Dual-Triplex
architecture consists of four FCC channels through triplex
control lanes to dual electrohydraulic servoactuators.
1 INTRODUCTION
This study illustrates how upfront collaboration between
Reliability, System Safety, and System Engineering
disciplines is crucial during the system architecture concept
development phase to enable the realization of a successful
system.
A fundamental reliability tool used in this study was the
FTA. The FTA was performed in early design risk assessment
Figure 1. Rotorcraft FBW Flight Controls
modeling of the system and used to determine levels of system
safety that ensures risk to people and equipment is as remote
or improbable as possible. The fault tree is a top-down
approach used to identify the propagation of failures across
system partitions for each undesirable event, as well as the
probability for a combination of events that lead to the
undesirable event to occur over a given flight mission time.
Fault tree model results help determine if the system safety
requirements are met or optimized. If not met satisfactorily,
the system architecture models are revised, and the systematic
process of analyzing the system is repeated until the
requirements are met.
High priority safety requirements are drivers in flight
vehicle applications. Risk assessment is necessary to quantify
the risk of LOF or FTD of a flight vehicle leading to total loss
or degraded performance for a given concept system
architecture. Once system partitions are defined and isolated
for an architecture concept, the fault tree is used to understand
allowable failure rate probabilities that support the system
safety objective pertaining to hazard protection. Risk
assessment includes quantifying risk by assigning probabilities
to basic events in the fault tree and then propagating these
probabilities to determine the final probability of the undesired
event. The risk assessment is also used to identify the major
contributing elements. Anomalies leading to LOF or FTD are
considered for electrical components such as electrohydraulic
servovalve (EHSV) coil and solenoid coil failures, mechanical
failure modes such as valve spool/sleeve jams and single point

,(((
failure mechanisms, and control issues such as force fighting
between actuator stages.
The FTA is only one of several assessment tools. Other
modeling tools include system architecture diagrams depicting
the partitions in the system, closed-loop control system block
diagrams, and logic tables. While the closed-loop control
system block diagrams and logic tables are not a focus of this
paper, both tools were used alongside the FTA in the final
decision making process.
Other trade study criteria include basic reliability,
interface complexity, relative weight, and relative cost.
The flight control system consists of two hydraulic
systems and two, three or four electrical systems. As a result,
these systems are referred to as Dual-Dual, Dual-Tri, and
Dual-Quad, respectively.
2 SYSTEM FUNCTIONAL AND ARCHITECTURAL
DESCRIPTION
The rotorcraft FBW flight control system consists of three
main rotor actuators connected to a swashplate. The
swashplate is used to translate the reciprocating motion of the
actuators into rotating motion of the rotor blades. The cyclic
stick is located between the pilots knees. This control pushes
one side of the swashplate upward or downward. Cyclic stick
lateral input tilts the main rotor disk left and right through the
swashplate, which induces rotorcraft roll to move sideways.
Cyclic stick longitudinal input tilts the main rotor disk forward
and back through the swashplate, which induces rotorcraft
pitch to move forward and backwards. The collective stick is
located on the pilots left side. The collective stick input
equally increases or decreases the pitch angle of all main rotor
blades, which provides rotorcraft ascend and descend.
The tail rotor actuator is controlled by the pilots pedals
and provides rotorcraft yaw that induces the direction the nose
of the aircraft is pointed by increasing or reducing the thrust of
the tail rotor blades.
2.1 Electrohydraulic Servoactuator
There are two redundant hydraulic supplies that each
control hydraulic flow to one side of the dual-tandem piston/
cylinder (actuator) as shown in Figure 2.
Figure 2. Dual-Tandem Piston/Cylinder Actuator
There are four redundant FCCs that provide redundant
electrical interfaces to the two sets of EHSV coils, solenoid-
bypass valve (SO-BPV) coils, linear variable differential
transformer (LVDT) position feedback on the EHSV spool,
differential pressure/bypass valve sensor feedback, and LVDT
position feedback on the actuator ram position.
The EHSV is a two-stage valve design with a LVDT to
sense second-stage spool position. The EHSV incorporates a
multi-coil torque motor. Each coil is independently con-
trolled. There are two EHSVs and each controls flow to one
side of the actuator in response to electrical control signals
from the FCCs. Each EHSV contains a C1 port that flows to
the extend port of the cylinder and a C2 port that flows to the
retract port.
The de-activated solenoid operated bypass valve is spring
loaded to interconnect the actuator cylinder chambers in the
bypass state. The bypass valve is commanded to the operate
state by energizing any or all of the independent solenoid
coils. In the operate state, porting of the hydraulic pressure
from the EHSV to the cylinder ports to control actuator
motion is enabled.
A differential pressure sensor is used to measure the
difference between the pressures on each side of the piston of
each hydraulic power stage. These signals provide the
difference between the pressures in the extend and retract
chambers on each hydraulic power stage. The information is
used to assist in balancing the force exerted by each of the two
cylinders to reduce the amount of force differential, thus force
fight. When the force difference between the two systems is
minimized, force fight is minimized. This enables improved
actuator performance and a lower fatigue duty cycle on certain
actuator power stage components. The BPV spool position
sensor senses whether the bypass valve is in the bypass or
normal operation position.
Multi-coil LVDTs are used to measure actuator output
piston position. Each LVDT channel is electrically, but not
mechanically, independent.
The actuator converts hydraulic pressure and flow into
linear force and motion to provide rotorcraft main and tail
rotor actuation control.
2.2 Dual-Dual Architecture
The Dual-Dual design represents a baseline against which
other options can be measured [4]. The Dual-Dual design
schematic depicts two hydraulic systems and four electrical
control lanes partitioned among four different FCCs as shown
in Figure 3. Two electrical lanes are associated with each
hydraulic system. FCC1 and FCC2 are dedicated to system 1
and FCC3 and FCC4 are dedicated to System 2. Each of the
four FCCs share data with the other three FCCs across the
shared data bus. In this trade study, comparison of probability
of LOF of an actuator (Figure 4) and the probability of FTD
(Figure 5), with a minimum of three of the four control
channels available, are studied. The FTD hazard can be
modeled by using a two-of-four voting gate for the FTA where
one failure can be tolerated.
The benefit of this architecture is that it is the simplest of
the three architectures in terms of cost, weight, and
complexity. The disadvantage is when operating in a state
where one FCC fails, the system is only two faults away from
a catastrophic hazardanother FCC fails on the same
hydraulic system and the remaining hydraulic systems
 Figure 3. Dual-Dual Functional Schematic
Figure 4. Dual-Dual LOF FTA
hydraulic or electrical supply fails. This is a marginally
acceptable risk. The probability of LOF is the highest of the
three architectures.
2.3 Dual-Quad Architecture
The Dual-Quad design schematic depicts two hydraulic
systems and eight electrical lanes partitioned among four
different FCCs as shown in Figure 6. Four electrical control
lanes and all four FCCs are associated with each hydraulic
system. Each of the four FCCs share data with the other three
Figure 5. Dual-Dual FTA FTD
FCCs across the shared data bus. In this trade study,
comparison of probability of LOF (Figure 7) of an actuator
and the probability of FTD (Figure 8), with a minimum of
three of the four control channels available, are studied. The
FTD hazard can be modeled by using two-of-four voting gates
for the FTA where one failure per gate can be tolerated. Basic
events FCC1, FCC2, FCC3, and FCC4 in System A are
repeated in System B.
The benefit of this architecture is that it is the most
redundant of the three architectures. There is an over-
 Figure 6. Dual-Quad Functional Schematic
Figure 7. Dual-Quad LOF FTA
abundance of coverage margin. When operating in a state
where one FCC fails, the system is four faults away from a
catastrophic hazardthree FCCs must fail and the remaining
hydraulic systems hydraulic or electrical supply must fail to
lead to a total loss of control. This architecture will offer the
lowest probability of total loss. The disadvantage is that it has
the highest cost, weight, and interface complexity because it
carries with it additional redundant coils and sensors when
compared to the other two architectures.
2.4 Dual-Tri Architecture
The Dual-Tri architecture is the preferred innovative approach
for the rotorcraft. The Dual-Tri design schematic depicts two
Figure 8. Dual-Quad FTD FTA
hydraulic systems and six electrical control lanes partitioned
among four different FCCs as shown in Figure 9. Three
electrical lanes are associated with each hydraulic system.
FCC1 is dedicated to System 1 only and FCC4 is dedicated to
System 2 only. FCC2 and FCC3 are used in both systems.
Each of the four FCCs share data with the other three FCCs
across the shared data bus. In this trade study comparison of
probability of LOF (Figure 10) of an actuator and the
probability of FTD (Figure 11), with a minimum of three of
the four control channels available, are studied. The FTD
hazard can be modeled by using two-of-three voting gates for
the FTA where one failure per gate can be tolerated. Basic
events FCC2 and FCC3 in System A are repeated in System B.
 Figure 9. Dual-Tri Functional Schematic
Figure 10. Dual-Tri LOF FTA
The benefit of this architecture is that it offers an
additional control channel beyond what the Dual-Dual
architecture offers. When operating in a state where one FCC
fails, the system is three faults away from a catastrophic
hazardtwo FCCs must fail and the remaining hydraulic
systems hydraulic or electrical supply must fail to lead to a
total loss of control. Along with the Dual-Quad this
architecture offers a lower probability of LOF compared to the
Dual-Dual architecture. In addition, the Dual-Tri offers the
lowest probability of FTD.
3 SUMMARY
Analyzing a conceptual design in the earliest stages of the
system development lifecycle allows for early design risk
assessment of system scenarios. Table 1 illustrates a summary
Figure 11. Dual-Tri FTD FTA
of the results of the trade study of the three architectures. The
Dual-Dual architecture is not the best acceptably safe solution
for the FBW rotorcraft application, but, forms a good baseline
for further analysis. Woodward provided an alternative viable
option in the Dual-Tri architecture that demonstrates by FTA
that there is no degradation of probability of LOF versus the
Dual-Quad option. In addition, the probability of FTD is the
lowest of the three options. Based on fewer parts associated
with fewer channels for the Dual-Tri architecture, the basic
reliability, complexity, weight, and cost are all favorable
versus the Dual-Quad. The FTA validates that system safety
for probability of LOF is not compromised with a Dual-Tri
architecture option and further provides many other benefits
for a more efficient flight control system.
 Table 1. Summary Table of Architecture Trade Study Results
several patents for Woodward as co-inventor for methods to
REFERENCES
improve control of brushless DC motors. She joined
1. SAE ARP4754, Certification Considerations for Highly- Woodwards System Engineering Department in 2014. She
Integrated or Complex Aircraft Systems. holds a Bachelor degree in Electrical Engineering from
2. SAE ARP4761, Guidelines and Methods for Conducting UCLA.
the Safety Assessment Process on Civil Airborne Systems
John S. Hanks, PE
and Equipment.
Woodward
3. John Andrews, Introduction to Fault Tree Analysis.
25200 W. Rye Canyon Road
2015 Annual Reliability and Maintainability Symposium.
Santa Clarita, California 91355 USA
4. G. Jacazio, P. Serena Guinzio, and M. Sorli, A Dual-
Duplex Electrohydraulic System for the Fly-By-Wire e-mail: John.Hanks@Woodward.com
Control of a Helicopter Main Rotor, 26th International
Mr. Hanks is a Reliability Engineer Analyst for Woodward.
Congress of the Aeronautical Sciences, ICAS 2008.
He has worked at Woodward for over 27 years. His expertise
BIOGRAPHIES is in hydraulic aircraft servo controls and electromechanical
flight controls. These analyses include development,
Estella Chung
production, and test activity for military and commercial
Woodward
programs. Over his 27-year tenure with Woodward he has
25200 W. Rye Canyon Road
accumulated over 12 years of Reliability and Maintainability
Santa Clarita, California 91355 USA
Engineering experience. John also has Test Engineering,
e-mail: Estella.Chung@Woodward.com Project Engineering, and Operations Management experience.
He has received several Corporate Innovation Awards and
Ms. Chung is a Systems Engineer for Woodward. She joined
holds a patent for improvement in systems product testing.
Woodward in 1991 as an Electronics Engineer in the
Mr. Hanks is a Certified Reliability Engineer, Registered
Electronics Flight Control Group. She has over 24 years of
Professional Engineer, and Six Sigma Master Black Belt. He
experience in design, development, testing, and production of
holds a Bachelor degree in Mechanical Engineering and a
electronic control systems for electromechanical actuation
Masters degree in Engineering from California State
systems for several military and commercial programs. She
University, Northridge.
has received several Corporate Innovation Awards and holds