Peter B. Ladkin (ladkin(at)rvs.uni-bielefeld.de)
Sat, 07 Apr 2001 10:25:28 +0200
Two recent documents have appeared concerning the Osprey, the U.S. Marines' V-22 tiltrotor aircraft intended as the replacement for certain of its aging helicopter fleet. Various problems during Osprey development, including the crash whose cause is related here, have already been reported in [Ladkin et al, Risks-XXX]. One document is the U.S. General Accounting Office (GAO) briefing material on its inspection of the Osprey development program, GAO-01-369R "Defense Acquisitions: Readiness of the Marine Corps' V-22 Aircraft for Full-Rate Production", which may be found by searching at http://www.gao.gov for term "Osprey" and Keyword "V-22". I highly recommend reading this material to anyone interested in the development of complex systems with crucial computer-based components. It contains some astounding material. I shall not comment further in this note on this document. The other is the text of the briefing upon release of the JAG report into the cause of the December 2000 Osprey crash during a training mission, at http://www.defenselink.mil/news/Apr2001/t04052001_t405mv22.html (thanks to Ken Garlington for the link). First, some details as to how the Osprey functions. It has an engine and a propellor-rotor, bigger than a normal propellor and smaller than a normal helicopter rotor, on the end of each wing. The engine nacelles (structures holding engine and rotors) rotate between roughly vertical (when the aircraft is said to be in "helicopter mode") and horizontal ("airplane mode"). This configuration allows the advantages of a turboprop airplane, such as speed, en-route, but those of a helicopter for take off and landing, and other functions such as loading and offloading personnel and cargo while hovering. This technology has been tested for over twenty years in prototypes such as NASA's XV-15, and the MV-22 is the first attempt at a large production tiltrotor vehicle for use in military missions. Some words now about flight control. 
A helicopter rotor has two basic means of adjustment. The angle of the blades can be adjusted relative to the plane of rotation ("pitch"), either uniformly for all blades ("collective pitch"), or differentially in a specific orientation relative to the aircraft body ("cyclic pitch"). This is accomplished by allowing the blades to pivot or flex about their longitudinal axis, and controlling this flexing via rigid connections from the blades to a "swash plate", which is like a large, loose washer around the rotor spindle behind the rotor. To obtain "collective" control, the swash plate is moved uniformly up and down the spindle to flex the blades together into the desired position. To obtain "cyclic" control, the swash plate is tilted on the spindle in a fixed direction relative to the aircraft body, to produce differential lift in this orientation. An airplane turns by producing differential lift on its wings (by altering their shape via ailerons) but has only two directions in which to do this; the helicopter has full 360-degree freedom in this regard. The third helicopter flight control is the power generated by the engines. In addition, the Osprey has a flight control which consists of rotating the nacelles to various positions between horizontal and a little past the vertical. Much of the flight control has to be adjusted automatically for the conditions of flight and is not freely controllable by the pilot. It is a "fly-by-wire" (FBW) machine. I find the technology remarkable, and wish it every success, which success no longer appears to be guaranteed, thanks amongst other things to the understanding of the causes, including institutional ones, of the two crashes in 2000. The briefer, General Berndt, explained what happened in December as follows. The aircraft was flying at about 160kts and the nacelles were transitioning from airplane to helicopter mode. At that point, a flight control system hydraulic line in the left nacelle ruptured under pressure.
The nacelle transition was stopped, as per design. These lines are titanium, 22/1000 inch thick, and operate at pressures of 5,000 psi (rather than the more conventional 3,000 psi or so of modern helicopters; specific requirements other than those of flight control, for example weight and payload requirements, apparently necessitate this high-pressure design). The rupture occurred under loading of the system to operate the swash plate, at a weak point caused by chafing of the line against a wire bundle. (I understand that titanium, whilst light and strong, is also quite brittle.) Such chafing has been noted in maintenance reports since July 1999, and some chafing was found on all remaining Ospreys during post-crash inspection. This is apparently a generic problem that has not yet been solved. The aircraft had been properly maintained, and was ahead of its maintenance schedule, having already completed its 210-hour inspection by 157 hours, its total time at the crash. (General Berndt phrased this as being in "excellent shape", but the aircraft evidently wasn't; I think he must have meant that the aircraft was properly determined to be in "excellent shape" by the maintenance procedures. It is becoming recognised in aviation maintenance circles that the inability to inspect certain regions of wire bundles and other lines often allows dangerous deterioration to go undetected.) There are three partially-independent hydraulic systems for flight control. The line that ruptured was common to both the number one and number three systems at that point. The loss of fluid was rapid; the number one system was taken off-line immediately and a shut-off valve isolated the number three system on that side, rendering it inactive on the left, although it remained active on the right side. The number two system carried on as it should have. This form of partial redundancy likely means that it takes two independent failures to cause a total hydraulic flight control system loss.
Losing your flight control is catastrophic; design principles and regulations say there should be no possibility of a single point of failure, so two is the minimum. And an independently ruptured number two line at that point would have caused total loss of swash plate control on the left, so it seems that catastrophic failure can indeed be caused by certain combinations of two failures. The machine was left with one operating hydraulic swash plate control system on one side, and two operating systems on the other, but should have been able to fly normally without discernible disturbance to control. However, there is a Primary Flight Control System (PFCS) reset button available to the pilots. It illuminates under certain circumstances. When illuminated, it should be pressed, which resets the flight control system computers to a known, "safe" state. It illuminated, and the crew pressed it to reset the system. This is intent, design, and correct standard procedure. However, what happened then was unplanned, unforeseen, and uncontrollable. The effect of the reset on the state of the actual flight controls in these circumstances should have been nothing. It is easy to see this: one has lost a hydraulic system and partially lost another, but one wants to continue without interruption using the remaining "assets" whilst isolating the problem as far as possible, and that is what had happened up to that point, according to the design plan. However, "no change" is not what the PFCS computers commanded. They apparently commanded changes in rotor pitch and thrust, which became rapid fluctuations. The crew repeatedly recycled the reset. These flight control changes happen via the swash plate. Because of the reduced control power on one side (pressure from one hydraulic system) compared with the other (pressure from two), the rotors responded at different rates to the rapid command changes, as a matter of mechanics.
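As an added illustration (not part of Ladkin's post), the following constructed model encodes the redundancy structure described above and enumerates the minimal combinations of line failures that remove all hydraulic swash plate control from one side. The line labels (L13, L2, R1, R2, R3) and the isolation behaviour assigned to systems one and three are modelling assumptions drawn only from this description, not from the aircraft's actual design documents.

```python
from itertools import combinations

# Constructed model of the three hydraulic systems as described in the post.
# Line names are hypothetical labels, not the aircraft's real part designations.
# Each (system, side) entry lists the lines that must hold pressure for that
# system to drive the swash plate on that side.
DEPENDS = {
    (1, "left"):  {"L13"},          # systems 1 and 3 share the line that ruptured
    (3, "left"):  {"L13"},
    (2, "left"):  {"L2"},
    # assumption: system 1 has no shut-off valve, so a rupture anywhere in it
    # takes the whole system off-line, on both sides
    (1, "right"): {"L13", "R1"},
    # assumption: system 3's shut-off valve isolates only the damaged side
    (3, "right"): {"R3"},
    (2, "right"): {"R2"},
}
LINES = sorted(set().union(*DEPENDS.values()))


def available(failed):
    """Return {side: set of systems still able to drive that side's swash plate}."""
    out = {"left": set(), "right": set()}
    for (system, side), needs in DEPENDS.items():
        if not needs & failed:
            out[side].add(system)
    return out


def control_lost(failed):
    """Catastrophic condition: no hydraulic system left on at least one side."""
    return any(not systems for systems in available(failed).values())


def minimal_cut_sets():
    """Minimal sets of line failures that cause loss of swash plate control.

    Combinations are visited in increasing size, so any proper subset that is
    itself a cut set has already been recorded and the superset is skipped.
    """
    cuts = []
    for k in range(1, len(LINES) + 1):
        for combo in combinations(LINES, k):
            f = frozenset(combo)
            if control_lost(f) and not any(c < f for c in cuts):
                cuts.append(f)
    return cuts


if __name__ == "__main__":
    print("after L13 rupture:", available(frozenset({"L13"})))
    for cut in minimal_cut_sets():
        print("minimal cut set:", sorted(cut))
```

The single L13 rupture leaves system two alone on the left and systems two and three on the right, matching the state described in the post; no single line failure is a cut set, but the two-line combination {L13, L2} is.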
This caused large fluctuations in flight state, control was lost and the aircraft crashed, from an altitude of around 1,600ft. All this happened inside about 30 seconds. The crew is completely without fault in the accident. General Berndt noted the JAG team was tasked only with determining the course of events and the immediate causes. He therefore had no comments on other aspects of the program, or how this crash will impact procedures in particular or the program in general. There are some general points to note. First, the aircraft crashed because of two presumably independent failures: the hydraulic system failure and then the PFCS command failure. So there is no apparent reason to question the fundamental design principles, which both require two independent failures for catastrophe, and (as we have noted) allow it. Second, the first failure was dealt with as designed. The failed system component was isolated as designed and the remaining systems were able to carry out the designed task. Third, the PFCS command failure, which the JAG team has said is a software failure, was completely unplanned and unexpected. The SW caused a "control excursion" and it should not have. General Berndt has said it is "an anomaly in the control logic in the computer software control laws" which seems as if it would be a design failure. But in response to a question, General Berndt suggested he couldn't actually be that specific. General Berndt was asked who provided the SW. He said he didn't know. A member of the audience said that Bell was the primary software provider. He replied "but they may subcontract". We may presume Bell was responsible for the flight control SW in the PFCS, whoever actually wrote the code. It has been noted that Bell is responsible for the engine control software in the U.K. Chinook helicopters, which have experienced uncommanded engine runaways [Ladkin, Beims, Risks-XXX]. This may or may not be related; I have no further information. 
But this one may have a long way to run yet. Peter B. Ladkin