Autonomous engine systems for helicopters depend on standards-based controls
Story | November 26, 2024
More complex combat-helicopter engines require large increases in diagnostic/prognostic capability, which also require a greater number of sensor inputs to the electronic engine controls (EECs). At the same time, military helicopters face the increased need for resilient cybersecurity. Together, these trends drive the need for multicore processors in the EECs, despite the challenge of ensuring real-time determinism when different processor cores compete for the same shared resources. The foundation for a solution to both challenges is a certified, hardened real-time operating system (RTOS) with multicore interference mitigation. Multicore interference mitigation enforces real-time determinism even when multiple processor cores are vying for access to the same processor resources.
Although fully autonomous aircraft are not likely to get certified for several years, some aircraft systems already operate autonomously. One such system is the full authority digital engine control (FADEC) found in many airplanes and some helicopters. FADECs – which have complete autonomous control of the engine without pilot backup – have redundant control channels to provide full flight capability in the event of a failure in one of the channels.
A FADEC is a type of electronic engine control (EEC), and all modern aircraft use some type of EEC to increase engine performance, efficiency, reliability, and safety while reducing maintenance costs. EECs automatically adjust engine output to compensate for engine temperature, air temperature, altitude, and other sensor inputs as part of normal operations. EECs manage the startup phase to get to a stable idle and continue through the entire operating envelope from idle to full throttle. EECs also automatically keep the engine within safe operating limits for speed and temperature while detecting any failures in the engine. (Figure 1.)
[Figure 1 | TRIUMPH EMC-100 FADEC is a dual-channel engine control running the INTEGRITY-178 RTOS.]
In an airplane, the EEC combines the pilot’s power lever position with the environmental sensor readings to calculate the engine operating parameters, such as fuel flow and stator vane position, required to achieve the thrust indicated by the pilot. Every power setting at any altitude results in optimum engine performance and maximum fuel efficiency.
Helicopter EECs: higher efficiency and performance
In a helicopter, thrust is not provided directly by increasing engine power but by changing the angle of the rotor blades. The power of the turboshaft engine still needs to be adjusted to achieve the goal of a nearly constant rotor RPM, which maximizes stability and control. Achieving constant rotor RPM requires adjusting the engine output based on air pressure and temperature as well as the pitch angle of the rotor blades, which changes the drag. Although those adjustments can be done manually to varying degrees of success, manual control is usually reserved for emergency operations. Under normal operation, those adjustments are made automatically by an EEC.
EECs continuously analyze data inputs from sensors and send commands to effectors, such as fuel meters, to control engine performance while keeping the engine within safe and efficient operating parameters. On a helicopter, the sensors typically include:
- ambient air temperature
- air pressure
- power turbine inlet air temperature
- torque
- rotational speed of the turboshaft inside the combustion chamber
The main output is the command for the fuel-metering system to adjust the fuel flow and thus the engine output. Additional advanced outputs can include variable bleed control, which prevents turbine blade stall at low speeds; and active clearance control for the turbine blades to prevent gas leakage as thermal and mechanical loads change the clearance between the blade tips and the surrounding casing.
EECs provide simplified, hands-off engine starting, much like an electronic ignition in an automobile. The full progression can include automatic engine starting, sequencing ignition, start fuel, and stabilized engine operation at idle.
The controls monitor key engine-operating parameters to automatically keep the engine within safe operating limits for speed and temperature and also detect any failures in the engine. EECs also run built-in tests on themselves to detect internal errors. In each case, the EEC is designed to mitigate such failures through backup functions or by reverting to a safe operating state.
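To make the control responsibilities described above concrete, here is a C sketch of one EEC control-loop step: a rotor-speed governor that drives rotor speed toward a constant target, a topping limiter that overrides the governor when power-turbine inlet temperature or gas-generator speed exceeds a limit, and a built-in plausibility test on the sensor set that reverts the unit to a safe idle state when a reading cannot be trusted. This is an added example, not code from the article, Triumph, or Green Hills; the sensor set follows the list above, but every limit, gain, plausibility range, and identifier is a constructed assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed, illustrative limits and gains: not from any real engine. */
#define NR_TARGET_PCT  100.0   /* rotor speed target, percent of nominal */
#define PTIT_MAX_C     850.0   /* power-turbine inlet temperature limit, C */
#define NG_MAX_PCT     105.0   /* gas-generator (turboshaft core) speed limit, % */
#define FUEL_IDLE      0.15    /* normalized fuel-flow command (0..1) at stable idle */
#define FUEL_MIN       0.05
#define FUEL_MAX       1.00
#define KP             0.02    /* governor proportional gain */
#define KI             0.005   /* governor integral gain */

typedef struct {
    double oat_c;        /* ambient air temperature, C */
    double pamb_kpa;     /* ambient air pressure, kPa */
    double ptit_c;       /* power-turbine inlet temperature, C */
    double torque_pct;   /* shaft torque, % */
    double ng_pct;       /* gas-generator speed, % */
    double nr_pct;       /* rotor speed, % */
} eec_sensors_t;

typedef enum { EEC_NORMAL = 0, EEC_LIMITING, EEC_SAFE_STATE } eec_mode_t;

typedef struct {
    double integ;          /* governor integrator */
    double fuel;           /* last fuel-flow command */
    eec_mode_t mode;
    unsigned fault_count;  /* fault log counter, what a maintainer would later read */
} eec_state_t;

static bool in_range(double v, double lo, double hi) { return v >= lo && v <= hi; }

/* Built-in test of the sensor set; the plausibility ranges are constructed. */
static bool sensors_valid(const eec_sensors_t *s)
{
    return in_range(s->oat_c, -60.0, 60.0) && in_range(s->pamb_kpa, 30.0, 110.0) &&
           in_range(s->ptit_c, -60.0, 1200.0) && in_range(s->torque_pct, 0.0, 150.0) &&
           in_range(s->ng_pct, 0.0, 120.0) && in_range(s->nr_pct, 0.0, 130.0);
}

void eec_init(eec_state_t *st)
{
    st->integ = 0.0; st->fuel = FUEL_IDLE; st->mode = EEC_NORMAL; st->fault_count = 0;
}

/* One control-loop step: returns the fuel-flow command sent to the fuel-metering unit. */
double eec_step(eec_state_t *st, const eec_sensors_t *s)
{
    if (!sensors_valid(s)) {
        /* Failure detected: do not act on untrusted data, revert to a safe state. */
        st->fault_count++;
        st->mode = EEC_SAFE_STATE;
        st->integ = 0.0;
        st->fuel = FUEL_IDLE;
        return st->fuel;
    }
    double err = NR_TARGET_PCT - s->nr_pct;   /* positive when the rotor is slow */
    double cmd;
    if (s->ptit_c > PTIT_MAX_C || s->ng_pct > NG_MAX_PCT) {
        /* Topping limiter: an exceedance overrides the governor and cuts fuel;
         * the integrator is frozen so it does not wind up against the limit. */
        st->mode = EEC_LIMITING;
        cmd = st->fuel * 0.95;
    } else {
        st->mode = EEC_NORMAL;
        st->integ += err;
        cmd = FUEL_IDLE + KP * err + KI * st->integ;   /* PI governor */
    }
    if (cmd < FUEL_MIN) cmd = FUEL_MIN;
    if (cmd > FUEL_MAX) cmd = FUEL_MAX;
    st->fuel = cmd;
    return cmd;
}

int main(void)
{
    eec_state_t st;
    eec_init(&st);
    /* Constructed sensor frames: rotor slightly slow, then an over-temperature,
     * then an implausible temperature reading (failed sensor). */
    eec_sensors_t s = {15.0, 101.3, 600.0, 50.0, 90.0, 98.0};
    printf("governing: fuel=%.3f mode=%d\n", eec_step(&st, &s), st.mode);
    s.ptit_c = 900.0;
    printf("limiting:  fuel=%.3f mode=%d\n", eec_step(&st, &s), st.mode);
    s.ptit_c = 5000.0;
    printf("safe:      fuel=%.3f mode=%d faults=%u\n", eec_step(&st, &s), st.mode, st.fault_count);
    return 0;
}
```

The ordering matters: the sensor plausibility test runs before any control law, and the limiter takes precedence over the governor, so a bad reading or an exceedance can only ever reduce fuel, never command more of it.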
Although early EECs were implemented with analog circuitry to process the inputs and outputs, current EECs use a microprocessor to program the control functions in software digitally. A digital EEC enables much more complex algorithms that achieve higher engine efficiency and performance. A digital EEC includes digital memory that can store not only the engine operating parameters but also engine measurements and any fault logs generated during operation. Such data is essential for prognostics and maintenance activities.
Digital EECs typically utilize a safety-critical real-time operating system (RTOS) to provide the high-assurance software infrastructure to host the various engine control, monitoring, and built-in test applications. For example, the INTEGRITY-178 safety-critical RTOS from Green Hills Software has been deployed in EECs since 2003.
Full authority digital engine controls
Many of the latest EECs are full authority digital engine controls (FADECs), which have complete control of the engine without pilot backup. Although some people and companies use the term “FADEC” interchangeably with “EEC,” “DEC” [digital engine control], and “ECU” [electronic control unit], a true FADEC has no provision for reversion to manual pilot control. FADECs include redundant control channels, a primary and a backup, so that if one channel fails, the other can take over.
The best way to look at a FADEC is at the system level: A FADEC system includes not only the digital EEC for each engine but also all the sensors, effectors, and indicators required for autonomous engine control.
FADEC systems have many advantages. At a high level, they are autonomous and self-monitoring, thereby reducing the pilot’s workload. FADECs also increase safety and reliability through redundancy.
Other advantages of FADECs for helicopter engines can include:
- Load sharing between the two engines on a twin-engine aircraft
- Transient load anticipation (using rotor speed and collective pitch rates)
- Transient torque smoothing (using power turbine rates)
- Contingency power capability to meet aircraft demands
- Surge avoidance
- Automatic switch-over to an independent backup control system
- Control system self-test, self-diagnosis, and fault identification
- Accurate torque matching
Safety certification to DAL A
Even though an engine is certificated as part of the airplane or rotorcraft, a commercial engine and its controls (EEC or FADEC) first must receive its own Type certificate under Part 33. Advisory circular AC 33.28-3 “Guidance Material For 14 CFR §33.28, Engine Control Systems” states that “Design, implementation, and verification of software as specified in Level A (DO-178C) is normally needed for turbine engines.” Additionally, any helicopter FADEC needs to be at DAL A because its failure would result in the loss of ability to maintain flight.
Even when the EEC software has been designed to RTCA/DO-178B DAL A, the use of a partitioning operating system permits partitions that perform noncritical functions to be developed to lower levels, thereby reducing life cycle costs.
Example: CH-47 Chinook
The heart of the FADEC system on the CH-47D/F Chinook tandem-rotor helicopter consists of an electronic control unit (ECU) and a hydro-mechanical unit (HMU) for each of the two Honeywell T55-714A turboshaft engines [1]. Both the ECU and HMU are manufactured by Triumph Group (Triumph), and the ECU runs the INTEGRITY-178 RTOS from Green Hills Software.
The ECU for the CH-47D/F is the Triumph EMC-100 dual-channel engine control unit, which consists of two dissimilar, mechanically separated channels operating independently but cooperating with each other. The primary channel provides precise engine power management and rotor speed control throughout the engine’s operational range. The second channel provides full mission capability should a failure occur in the primary channel.
The EMC-100 software is organized in a multipartition architecture, with application-specific control system software running in isolated partitions on the RTOS. The ECU software has been designed to RTCA/DO-178B DAL A, but the software architecture permits partitions that perform noncritical functions to be developed to lower levels, thereby reducing life cycle costs.
The HMU meters the engine fuel flow as commanded by the ECU in both primary and reversionary mode operation. Additional functions provided by the HMU include electrical power generation, compressor air bleed management, and positive engine shutoff.
The FADEC system includes several additional components to provide information and control, including the master caution/advisory panel, engine-condition levers, increase/decrease RPM switches, thrust control position transducer, and the FADEC control panel. (Figure 2.)
[Figure 2 | The components of the CH-47D FADEC, including the Triumph electronic control unit (ECU) running the INTEGRITY-178 RTOS. Graphics courtesy U.S. Army Warfighting Center and Green Hills Software.]
Triumph ECUs are deployed in a wide variety of U.S. military helicopters, including the AH-64D Apache, CH-47D/F and MH-47D/F/G Chinook, UH-60L/M/V Black Hawk, HH-60 Pave Hawk, MH-60 Jayhawk, and SH-60 Sea Hawk. Triumph ECUs are also deployed internationally in commercial Airbus helicopters, including the H130, H135, H160, and H225.
Future directions for EECs
As engine manufacturers strive for lower thrust-specific fuel consumption, lower weight, and higher reliability, EECs will necessarily become more intricate. More complex engines require significant increases in diagnostic/prognostic capability, which will also require a greater number of sensor inputs to the EECs. Together, these trends drive the need for multicore processors in the EECs, despite the challenge of ensuring real-time determinism when different processor cores compete for the same shared resources.
Another trend is the increased need for resilient cybersecurity. As aircraft and their engines share increasing volumes of data over higher bandwidth communications, the opportunity for cyberattacks increases considerably. In addition to being susceptible to interference from high-bandwidth communications such as cellular networks and satellite communications, aircraft systems are also vulnerable from a variety of other sources, such as field-loadable software, maintenance laptops, and wireless aircraft sensor networks. Once any of the subsystems is breached, an attacker can move laterally to other parts of the aircraft, including flight-critical systems.
The foundation for a solution to both challenges is a hardened RTOS with multicore interference mitigation, which enforces real-time determinism even when multiple processor cores are vying for access to the same processor resources. The bandwidth allocation and monitoring (BAM) functionality in the INTEGRITY-178 tuMP RTOS enables a software architect to reserve a specific amount of bandwidth for each processor core to access shared resources. This provides a quality of service that mitigates bandwidth hogs, whether due to application design, unfair hardware arbitration schemes, or malware.
BAM enables system integrators to meet both DO-178C airworthiness objectives and AC 20-193 multicore objectives to DAL A. This RTOS also provides cybersecurity assurance, as it meets both ISO/IEC 15408 Common Criteria to evaluation assurance level (EAL) 6+ and the NSA-defined Separation Kernel Protection Profile (SKPP) to “high robustness.” High robustness provides resilience to attacks from highly motivated and well-funded actors such as hostile nation-states and national laboratories.
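The article describes what bandwidth allocation and monitoring achieves but not how INTEGRITY-178 tuMP implements it, so the following C model, added here and not Green Hills code, shows the idea in its simplest form: each core holds a reservation of shared-resource transactions per enforcement window, a core that exhausts its reservation may only draw on unreserved slack, and a monitor records every window in which a core demanded more than it was allotted. The simulated workload has one core issuing far more requests than its share; the other cores still receive every transaction they asked for. Window capacity, reservations, demands, and all identifiers are constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of per-core bandwidth allocation and monitoring for a
 * shared resource such as the memory interconnect. It is not the INTEGRITY-178
 * tuMP BAM implementation; names and numbers are assumptions. */
#define NUM_CORES        4
#define WINDOW_CAPACITY  1000u  /* transactions the resource can serve per enforcement window */

typedef struct {
    unsigned reserved[NUM_CORES];        /* guaranteed transactions per window, per core */
    unsigned used[NUM_CORES];            /* transactions served this window */
    unsigned deferred[NUM_CORES];        /* requests pushed to a later window */
    unsigned slack_left;                 /* unreserved capacity any core may use after its reservation */
    unsigned overrun_events[NUM_CORES];  /* monitor: windows in which a core demanded more than reserved */
} bam_t;

/* Configure reservations; rejects a configuration that oversubscribes the resource. */
int bam_init(bam_t *b, const unsigned reserved[NUM_CORES])
{
    unsigned sum = 0;
    for (int c = 0; c < NUM_CORES; c++) sum += reserved[c];
    if (sum > WINDOW_CAPACITY) return -1;
    for (int c = 0; c < NUM_CORES; c++) {
        b->reserved[c] = reserved[c];
        b->used[c] = b->deferred[c] = b->overrun_events[c] = 0;
    }
    b->slack_left = WINDOW_CAPACITY - sum;
    return 0;
}

/* One transaction request from a core: granted now, or deferred. A core can
 * never consume another core's reservation, only its own plus unreserved slack,
 * whether the excess demand comes from design, unfair arbitration, or malware. */
bool bam_request(bam_t *b, unsigned core)
{
    if (b->used[core] < b->reserved[core]) { b->used[core]++; return true; }
    if (b->slack_left > 0) { b->slack_left--; b->used[core]++; return true; }
    b->deferred[core]++;
    return false;
}

/* Close the enforcement window: record monitoring events, then reset counters. */
void bam_end_window(bam_t *b)
{
    unsigned sum = 0;
    for (int c = 0; c < NUM_CORES; c++) {
        if (b->used[c] > b->reserved[c] || b->deferred[c] > 0)
            b->overrun_events[c]++;   /* what a health monitor would log and act on */
        sum += b->reserved[c];
        b->used[c] = b->deferred[c] = 0;
    }
    b->slack_left = WINDOW_CAPACITY - sum;
}

/* Round-robin issue of each core's demand within one window; returns total granted. */
unsigned bam_simulate_window(bam_t *b, const unsigned demand[NUM_CORES], unsigned granted[NUM_CORES])
{
    unsigned remaining[NUM_CORES], total = 0;
    for (int c = 0; c < NUM_CORES; c++) { remaining[c] = demand[c]; granted[c] = 0; }
    for (bool pending = true; pending; ) {
        pending = false;
        for (int c = 0; c < NUM_CORES; c++) {
            if (remaining[c] == 0) continue;
            remaining[c]--;
            pending = true;
            if (bam_request(b, (unsigned)c)) { granted[c]++; total++; }
        }
    }
    return total;
}

int main(void)
{
    bam_t b;
    const unsigned reserved[NUM_CORES] = {300, 300, 200, 100};  /* 900 of 1000 reserved */
    const unsigned demand[NUM_CORES]   = {250, 300, 5000, 100}; /* core 2 is the bandwidth hog */
    unsigned granted[NUM_CORES];
    if (bam_init(&b, reserved) != 0) return 1;
    bam_simulate_window(&b, demand, granted);
    for (int c = 0; c < NUM_CORES; c++)
        printf("core %d: demanded %u, granted %u, deferred %u\n", c, demand[c], granted[c], b.deferred[c]);
    bam_end_window(&b);
    printf("overrun events for core 2: %u\n", b.overrun_events[2]);
    return 0;
}
```

The determinism argument is visible in the numbers: cores 0, 1 and 3 never wait, because the only capacity the hog can take beyond its own reservation is the 100 transactions nobody reserved, and the monitor flags the hog for the window so the event can be logged rather than silently absorbed.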
Note
[1] “CH-47D POWER PLANT (714) Student Handout,” U.S. Army Warfighting Center, Fort Rucker, Alabama, Oct. 2006. www.chinook-helicopter.com/standards/Army_D_Model_AQC_Classes/Engine_714.pdf
Richard Jaenicke is the director of marketing for safety- and security-critical products at Green Hills Software and has over 25 years of experience working with embedded software and systems. Prior to joining Green Hills, he worked at Mercury Systems, where he was responsible for marketing avionics software/hardware and signal-processing systems. Rich holds an MS in computer systems engineering from Rensselaer Polytechnic Institute and a BA in computer science from Dartmouth College.
Green Hills Software https://www.ghs.com/