You’re at work again. The mission of the day involves a longer flight than usual, so you decide to brush the rust off your autopilot skills and engage some upper modes. It is a bumpy day, but the system appears to be handling it well. Suddenly a severe gust of wind catches you, kicks the autopilot offline, and almost gives you some impromptu unusual attitude training. You grab the controls, reacting to the change in flight path and to the aural tones alerting you to the autopilot’s disengagement. With the aircraft back under your control, you can feel that it is not responding to your commands as readily as usual. Looking at your advisory panel, you see the reason: your stability augmentation system (SAS) has malfunctioned. You disable the SAS in accordance with the published emergency procedures. The change in handling qualities is not unmanageable by any means. Still, you prudently terminate the flight and bring the aircraft to a suitable airfield for a safe landing and maintenance without incident.
Helicopters are machines whose safe range of operation is constrained by the limits of mechanical and structural integrity. Performance is maximized by slowly expanding the flight envelope to approach these limits, but only through extensive testing to keep the level of risk acceptable. Engineers and helicopter pilots, while very different, are the same in one respect: neither likes surprises. They both know that despite all the forethought and planning, things break. Most professional aviators try to keep their knowledge and skills at their peak in order to best handle whatever in-flight emergency may come when the odds turn against them and a failure occurs. Yet when those odds do turn, it is nice to know that a lot has already been done to keep things as “fail-safe” as possible.
In the civilian world, Parts 27 and 29 of the Federal Aviation Regulations (FARs) define the airworthiness standards for Normal and Transport category rotorcraft (the military consults the various Aeronautical Design Standard documents, e.g., ADS-33). It is here that you will find all the design requirements for certification: not only requirements for normal operation, but also requirements that must be met in the event of failure of any critical structural, mechanical, electronic, or supplemental piloting system. In essence, they are the part of the FARs that mandates that surprises be kept to a minimum.
Before flight testing of failures can take place, a significant amount of preparation and planning is required. As systems become more complex, engineers conduct failure mode and effect analysis (FMEA) on individual systems to determine the probability of component failure and the effect of these failures on the helicopter as a whole. This provides a theoretical answer to the question “what is the worst that this system can do to the helicopter?” Failures of structural components such as rotor heads, blades, gearboxes, etc., would be immediately critical, as they imply loss of the helicopter, and cannot be allowed to happen in service; fatigue testing to develop life limits on parts is therefore done early in the design phase to bring the probability of their failure down to an insignificant level. Beyond this, the most important failures are those that affect the flight path of the aircraft, and for these the test methodology employed always remains the same. As in all testing, an incremental buildup method is used. Only one parameter at a time is varied, especially in the case of critical components such as flight control systems and powerplants, where a failure can quickly take the aircraft from a safe flight condition to a potentially hazardous one.
Using the example flight above to keep within the scope of this article, a look at section 27.672 of the FARs will show the requirements for a failure of “stability augmentation, automatic, and power-operated systems.” In general, the method that the regulations like to follow is that some means of alerting the pilot must first be provided for any failure of a system that can affect the operation of the aircraft; the pilot must then have ample time to react; and finally the aircraft must be controllable in its degraded state after the initial failure.
Warnings can take the form of sounds, lights, captions, or a combination thereof. Total reaction time after the failure will be a combination of helicopter and pilot response time. Helicopter response time is the time between the failure occurring, and the pilot becoming aware of it. Pilot response time spans from the time of awareness to taking action on the controls. Re-examining the above hypothetical flight, it can be seen that all the elements in the fail-safe nature of the system worked as they should, and aided in ensuring a safe landing.
The next time you are in a room full of your peers telling your “There I was…” story, quietly take a minute to appreciate the efforts taken by engineers and test pilots to purposely introduce failures into working systems and progressively make such failures harder to deal with, in order to define the normal flight envelope and develop emergency procedures for the aircraft you fly. Without them, you may not be here to tell the story at all.