Soft failures, hard landings

4184
image: Boeing CV2 courtesy of Boeing

Flight test reports tell eloquently of the new capabilities—and new challenges—electric vertical take-off and landing aircraft will bring

Whether manned or unmanned, electric vertical take-off and landing (eVTOL) aircraft are an exciting and promising technology with the potential to make aviation even more accessible and a greater part of everyday life.

But will people trust them? The consequence of a software-controlled air vehicle going wrong with untrained passengers or over unaware people on the ground means great rigour must be applied to the development of these vehicles.

Accident reports from the test community show some of the challenges of creating safe and certified eVTOL systems. The maturing of the technology is evident in the open and honest reporting of these incidents. Lessons are being learnt and shared, improving safety for all. But the issues being uncovered will need to be solved and certified before the public regards the safety of these machines as the same as driving your car or having a parcel delivered.

Boeing in the wind

The Boeing CV2 is a giant drone designed to carry 200 kg of cargo. Without a pilot or crew, the consequence of an accident is reduced for the operator. But 200 kg falling from the sky is more than enough to damage or kill. Therefore, standards for this type of aircraft cannot be less than for a piloted aircraft if either is to operate over populated areas.

In 2019 a CV2 sustained substantial damage during a contingency landing during flight testing. The aircraft was turning after take-off to parallel the runway in 30 knots of wind, when it deviated from the programmed flight profile. The system identified the anomaly and immediately aborted the flight to a planned landing zone. However, it exceeded its first geo‑fence boundary and then initiated a ‘land now’ procedure, whereupon it drifted further before exceeding the final geo‑fence zone. Then, the vehicle logic cut all power to the vehicle and it dropped to the ground (as designed) and was substantially damaged.

The analysis showed that higher than expected winds (30 knots) caused the initial deviation as well as high vibration within the aircraft navigation system. It was determined there had been insufficient tests related to high crosswinds and insufficient ability to determine winds during test flights. Further, the physical separation between abort zone and geo-fences was inadequate for aircraft manoeuvre in the crosswinds.

Software mix-up, Heaviside down

The Kittyhawk Heaviside 2 is an eVTOL developmental single-seat aircraft that can take-off and land vertically but also fly like a conventional fixed‑wing aircraft. It was undergoing a flight test with a new version of developmental software. It was flying without a pilot and, at the time of the incident, being controlled by a ground station with the pilot-in-command (PIC) observing the aircraft from the ground. About 10 minutes into the flight, the ground station notified the PIC that multiple flight computer limits were exceeded; the PIC took manual control of the aircraft and initiated an immediate landing. The PIC noticed degraded control and positioned for a conventional vertical landing into wind.

As the aircraft slowed and transitioned to a hover configuration, there was further doubt about aircraft control and the aircraft landed with 37 knots of forward speed, 20 degrees nose down and 20 degrees of left roll. The aircraft was not designed for forward landings and was substantially damaged, with the nose section separating from the aircraft.

Review of the aircraft data showed a software timing error had occurred which affected the software-driven flight controls. This timing error was caused by another software program that was used to manage the charging of the aircraft batteries on the ground. This software had, due to operator error, not been properly stopped by the ground station prior to flight. The battery charging script running in an error state in the background during flight significantly increased use of computer processing resources and caused the timing error to occur. This error was able to be repeated in the ground-based hardware in the loop simulator.

Dumbing down is hard to do: the need for smart systems

The challenge for developers of eVTOL aircraft is that their entire systems will have to be safe ‘out of the box’. Unlike the pioneering days of manned aviation 100 years ago, there will be no opportunity to learn safety by trial and error and write its rules in human blood. In contrast to early 20th century aviation, there is no frisson of glamour to eVTOL flight and it is not regarded as a heroic activity. Systems will be held to a high standard of safety from day one.

DO-178 Software Considerations in Airborne Systems and Equipment Certification is a set of guidelines that deal with safety critical software for use in airborne systems. It is essentially a standard for developing avionics software that has safety of flight considerations. DO-178 does not specify what type of code or how to write software; moreover, it specifies a process that must be followed depending on the failure condition that may result.

There are five levels—A through E—with Level A having a catastrophic failure condition where failure may cause deaths, usually with loss of the airplane. Level D is a minor failure condition where failure slightly reduces the safety margin or slightly increases crew workload.

DO-178 has five main software processes—planning, development, verification, configuration management and quality assurance. At the start of the software design process, the failure condition needs to be correctly identified as, once the DO-178 process is started, a change in failure condition will mean re-starting the process. Software that commands, control and monitors safety critical functions should receive Level A consideration. If we consider the incidents above with people on board or under the aircraft, then we are considering level A certification under DO-178.

If you are a pilot, you are probably reading this and wondering where are the checklists to turn off charging programs or double-check geo-fences and wind limits. This is a layer of defence in the Reason model—just tell people to do better, right?

What is the point of eVTOL if it takes as much skill, training and checking as a helicopter pilot currently requires?

But from a marketing point of view, requiring traditional aviation discipline is defeating the purpose and blocking the potential of this technology. Its attraction is that it should take less skill to operate, whether the pilot is on board or controlling remotely. What is the point of eVTOL if it takes as much skill, training and checking as a helicopter pilot currently requires?

If eVTOL technology becomes the preserve of the rich, who can hire a helicopter pilot every morning and afternoon and is the average person really going to be tolerant of the noise of such machines next door twice a day? Companies such as Skyryse are developing new ways to control helicopters utilising an iPad to reduce the training requirements for the pilots.

The organisations building these aircraft are aware of the software certification standards that are required to bring their aircraft to the general public. The software certification standards outline processes required for the different levels of consequence.

Meanwhile, makers test in remote areas away from the population and conduct initial tests without anybody in the aircraft to safely develop their products. Years of developmental flight test will need to be conducted to make this form of aviation safe and reliable.

1 COMMENT

  1. I’m a pilot and also have taken on flying drones as a hobby.
    The software has come a long way so that now flying has become a push-button affair.
    But now there are so many complexities in the software and electronics that a simple wire break or bad solder connection can cause a catastrophe.
    I have experienced many tricopter and quadcopter crashes thanks to these sorts of faults, including a few drops of rain causing them.
    I have experimented in software design and hardware to stabilize model helicopters as well.
    I am convinced that the technology won’t be able to overcome the many obstacles to drone acceptance by authorities and the public.
    More research and development should be put into lighter than air vehicles that at least crash slowly.

Comments are closed.