AGARD-AG-300 Vol.

12

04

ADVISORY GROUP FOR AEROSPACE RESEARCH & DEVELOPMENT

7 RUE ANCELLE, 92200 NEUILLY-SUR-SEINE, FRANCE

AUG 0195

AGARDograph 300

AGARD Flight Test Techniques Series

Volume 12
on
The Principles of Flight Test Assessment of
Flight-Safety-Critical Systems in
Helicopters
(Les Principes de l'6valuation, dans le
cadre des essais en vol,
des systemes indispensables 'a la
s6curite de vol des helicopteres)

This AGARDograph has been sponsored by the Flight Mechanics Panel of AGARD.

NORTH ATLANTIC TREATY ORGANIZATION

-

IApproved iol publiJc !eiecaz%

Published August 1994

Distributionand Availability on Back Cover

 AGARD-AG-300 Vol. 12

ADVISORY GROUP FOR AEROSPACE RESEARCH & DEVELOPMENT

7 RUE ANCELLE, 92200 NEUILLY-SUR-SEINE, FRANCE

AGARDograph 300
Flight Test Techniques Series - Volume 12

The Principles of Flight Test Assessment of

Flight-Safety-Critical Systems in Helicopters
(Les Principes de l'6valuation, dans le
cadre des essais en vol,
des syst~mes indispensables A la
s6curit6 de vol des h61icopt~res)

by

J. D. L. Gregory
formerly of
Aeroplane and Armament Evaluation Establishment
Boscombe Down, Salisbury, Wilts
SP4 OJF England

This AGARDograph has been sponsored by the Flight Mechanics Panel of AGARD.

Accesion For
NTIS CRA&I
DTIC TAB
Unannounced
-l

+
--
•
--
North Atlantic Treaty Organization
Organisationdu trait6 de IAtlantique Nord
Justification

By

.................................

Distribution I

Availabiiity Co-":e
 Dist
Specia,I

A-1_
 The Mission of AGARD

According to its Charter, the mission of AGARD is to bring together the leading
personalities of the NATO nations in the
fields of science and technology relating to aerospace for the following purposes:

-Recommending effective ways for the member nations to use their research and
development capabilities for the
common benefit of the NATO community;
- Providing scientific and technical advice and assistance to the Military
Committee in the field of aerospace research

and development (with particular regard to its military application);

- Continuously stimulating advances in the aerospace sciences relevant to

strengthening the common defence posture;

- Improving the co-operation among member nations in aerospace research and

development;

- Exchange of scientific and technical information;

- Providing assistance to member nations for the purpose of increasing their

scientific and technical potential;

- Rendering scientific and technical assistance, as requested, to other NATO

bodies and to member nations in
connection with research and development problems in the aerospace field.

The highest authority within AGARD is the National Delegates Board consisting of
officially appointed senior
representatives from each member nation. The mission of AGARD is carried out
through the Panels which are composed of
experts appointed by the National Delegates, the Consultant and Exchange Programme
and the Aerospace Applications
Studies Programme. The results of AGARD work are reported to the member nations and
the NATO Authorities through the
AGARD series of publications of which this is one.

Participation in AGARD activities is by invitation only and is normally limited to

citizens of the NATO nations.

The content of this publication has been

reproduced
directly from material supplied by AGARD or the
authors.

Published August 1994

Copyright © AGARD 1994

All Rights Reserved
 ISBN 92-836-1001-6

Printed by Canada Communication Group

45 Sacrd-CaurBlvd., Hull (Quibec), Canada KJA 0S7

ii
 Preface

Since its founding in 1952, the Advisory Group for Aerospace Research and
Development has published, formerly through
the Flight Mechanics Panel and latterly through the Flight Vehicle Integration
Panel, a number of standard texts in the field of
flight testing. The original Flight Test Manual was published in the years 1954 to
1956, and was divided into four volumes:

1 Performance
2 Stability and Control
3 Instrumentation Catalog, and
4 Instrumentation Systems.

To cover developments in the field of flight test instrumentation, the Flight Test
Instrumentation Group of the Flight
Mechanics Panel was established in 1968 and updated Volumes 3 and 4 of the Flight
Test Manual via publications in the
Flight Test Instrumentation Series, AGARDograph 160.

In 1978, the Flight Mechanics Panel decided that further specialist monographs
should be published covering aspects of
Volumes 1 and 2 of the original Flight Test Manual, including the flight testing of
aircraft systems. In March 1981, the Flight
Test Techniques Group was established to carry out this task, the monographs of
this series (with the exception of AG 237
which was separately numbered) being published as individually numbered volumes of
AGARDograph 300.

In 1993, the Flight Test Techniques Group, which had by then assumed responsibility
for AGARDographs in both the 160
and 300 Series, was changed from a Working Group (WG-1 1) to a committee of the
Flight Mechanics Panel (the Flight Test
Editorial Committee). In 1994, the Flight Mechanics Panel itself was disbanded,
most of its functions (including
responsibility for the Flight Test Editorial Committee) being assumed by the new
Right Vehicle Integration Panel.

At the end of each volume in the AGARDograph 160 and 300 Series an Annex gives a
list of volumes published in the Flight
Test Instrumentation Series and in the Flight Test Techniques Series.

The present Volume (Vol. 12 of AGARDograph 300) is entitled "The Principles of

Flight Test Assessment of Flight-Safety-
Critical Systems in Helicopters".

Modem helicopters usually incorporate many engineering systems (including pilot-

aiding systems such as autostabilisers and
flight directors) which are essential to the safe and effective use of the
helicopter. Where the helicopter can be endangered by
failure of a system (or of one of its units), that system is termed flight-safety-
critical. In general, the use of those systems
should not incur a higher probability of hazard to the helicopter than that
considered acceptable from considerations of
structural or mechanical failure.

In assessing the suitability of a helicopter for its intended mission(s), it has

become increasingly important to consider the
effects of the various systems provided. In particular, assessments of the
implications of systems performance and failures
derived from calculation and ground tests should be validated by flight tests. This
paper seeks to establish the general
principles applicable to the testing in flight of any flight-safety-critical
system, with emphasis on certification rather than
system development. It does not deal with the testing of particular systems, but it
is hoped that readers will find the principles
described readily applicable to specific cases.

iii
 Prefface

Depuis sa cr6ation en 1952, le Groupe consultatif pour la recherche et les

realisations aerospatiales (AGARD), a public,
autrefois par l'interm~liaire du Panel de la m6canique du vol, et ricemnient par
celui du Panel conception int6gr6e des
vWhicules spatiaux, un certain nombre de textes normatifs dans le domaine des
essais en vol. Le premier manuel d'Essai en
vol a Wt publi6 entre les ann~es 1954 et 1956. Ce manuel est compos6 de quatre
volumes, h savoir:

1 Performances
2 Stabilit6 d'instrumentation
3 Catalogue d'instrumentation
4 Syst~mes d'instrumentation

Afin de couvrir les d6veloppements dans le domaine de l'instrumentation des essais

en vol, le Groupe de travail sur
l'instrumentation des essais en vol du Panel de la m~canique du vol a W cr66 en
1968 et les volumes 3 et 4 du Manuel des
essais en vol, sous la forme de la s6rie AGARDographie 160 sur l'Instrumentation
des essais en vol ont Wt mis Ajour.

En 1978, le Panel de la m6canique du vol a d6cid6 d'6diter d'autres monographies

sp6cialisies, couvrant les volumes 1 et 2
du Manuel des essais en vol initial, y compris les essais en vol des syst~mes de
bord. Au mois de mars 1981, le Groupe de
travail sur les techniques des essais en vol a Wtconstitu6 pour mener Abien cette
tdche. Les monographies dans cette s6rie, A
l'exception de l'AG 237 qui porte un num6ro distinct, sont num6rot~es
individuellement dans la s6rie AG 300.

En 1993, le Groupe de travail sur les techniques des essais en vol, qui dans
l'intervalle, avait accept6 la responsabilit6 des
AGARDographies dans la s6rie 160 et dans la s~rie 300, a chang6 d'appellation; le
Groupe de travail WG-l 1 est devenu un
comit6 du Panel de la m~canique du vol (le Comit6 de ridaction des essais en vol).
En 1994, le Panel de la m~canique du vol
lui-meme a Wt dissout et la plupart de ses fonctions (y compris la responsabilit6
du Comit6 de r6daction des essais en vol) ont
Wt reprises par le nouveau Panel conception int6gr6e des v~hicules a6rospatiaux.

A la fin de chacun des volumes dans les snines 160 et 300, une annexe donne la
liste des volumes publics dans la snine
Instrumentation des essais en vol et dans la s~rie Techniques des essais en vol.

Le prisent volume (Vol. 12 de l'AGARDographie 300) est intitul6 <<Les Principes de

1'6valuation, dans le cadre des essais en
vol, des syst~mes indispensables A la s6curit6 de vol des h~licopt~res>>.

Normalement, les h~licopt~res modemnes int~grent un certain nombre de syst~mes

technog~niques (y compris des syst~mes
d'aide au pilote tels que les centrales de stabilisation et les directeurs de vol)
qui sont indispensables Al'emploi efficace de cet
a~ronef dans les conditions de s6curit6 requises. Toutes les fois que l'h~icopt~re
risque d'8tre mis en danger suite Aune panne
d'un syst~me (ou de F'un de ses 6l6ments) le syst~me est d~sign6 «indispensable it
la sicurit6 de volx». En g~n~ral, l'emploi
de ces syst~mes ne devrait entrainer une probabilit6 de dommages plus grande que
celle consid&r6e comme 6tant acceptable
dans le cas de d~faillances m6caniques ou structurales.

Lorsqu'il s'agit d'6valuer l'aptitude d'un h~licopt~re donn6 vis-?i-vis de sa

future mission on missions, il devient de plus en
plus important de consid6rer l'impact des diff~rents syst~mes privus. En
particulier, les 6valnations des conniquences des
pannes et des performances des syst~mes, 6tablies sur la base de calculs et
d'essais au sol, doivent 6tre valid~es par des essais
en vol. Cette communication a pour objet d'6tablir les principes g~n~raux
applicables lors des essais en vol de tout
syst~me indispensable Aila s~curit6 de vol, en mettant l'accent sur l'homologation
de prif~rence an d6veloppement des
syst~mes. Elle ne traite pas d'essais de syst~mes sp6cifiqnes, mais il est A
souhaiter que le lecteur pourra appliquer les
principes y d6crits A des cas sp6cifiques sans trop de difficult6s.

iv
 Acknowledgement
to
Flight Test Editorial Committee Members

In the preparation of the present volume the members of the Flight Test Editorial
Committee listed below took an active part.
AGARD has been most fortunate in finding these competent people willing to
contribute their knowledge and time in the
preparation of this and other volumes.

La liste des membres du Comit6 de r6daction des essais en vol qui ont particip6 A
la r6daction de ce volume figure ci-dessous.
L'AGARD peut 8tre fier que ces personnes comp6tentes aient bien voulu accepter de
partager leurs connaissances et aient
consacr6 le temps n6cessaire A l'61aboration de ce volume et autres documents.

Appleford, J.K.
A&AEEIUK
Bever, G.
NASA/US
Bothe, H.
DLR/GE
Campos, L.M.B.
IST/PO
Delle Chiaie, S.
DASRSIIT
Russell, R.A.
NAWC/US
van der Velde, R.L.
NLR/NE
Zundel, Y.
CEV/FR

R.R.
HILDEBRAND, AFFTC

Member, Flight Vehicle Integration Panel

Chairman, Flight Test Editorial Committee

 Contents

Page

Preface
iii

Preface iv

Acknowledgement v

1. Introduction of Basic Principles 1

1.1 Basic airworthiness principles 1
1.2 Application to systems 1
1.3 System performance testing 1
1.4 System failure testing 1
1.5 Principles of failure testing 2

2. The Principles in Operation 3

2.1 Analysis of failures by causes 3
2.2 Frequency of occurrence of failures and of failure states 4
2.3 Classification of failures by their effects 4
2.4 Criteria of acceptability 5
2.5 Factors affecting required and available intervention times 5
2.6 Acceptable risk levels 6
2.7 Current requirements relating to system failures 7

3. Procedure for Flight Testing 7

3.1 Specification of the system 7
3.2 System performance tests 7
3.3 System failure tests 7
3.4 Post-failure performance tests 8

4. Product of the Flight Test Programme 8

4.1 Flight envelopes 8
4.2 Piloting procedures 9
4.3 Recommendations for system improvements 9
4.4 Comparison of specified and achieved system performance 9

References 10

Figures 11

Annex 1 - Specifications and Requirements Al

Annex 2 - AGARD Flight Test Instrumentation and Flight Test Techniques Series A2

vi
1. INTRODUCTION OF BASIC system when operating
correctly, but also the
PRINCIPLES ability to survive failures of
the system. Such
systems are referred to in
this document as
1.1 Basic Airworthiness Principles being 'flight- safety-
critical'. Testing is
It is taken as axiomatic that helicopters must necessary to establish:
operate safely and effectively. Helicopters are * the envelope of
conditions within which
mechanical devices and, in mechanical terms, the system behaves correctly
(ie system
the quest for greater effectiveness (e.g. performance tests), and
enhanced capability in respect of mass, speed, * what happens when
failures occur within
manoeuvrability and acceleration) is the systems (ie system failure
tests).
constrained by safety considerations (e.g. of
mechanical and structural integrity). Much 1.3 System Performance
Testing
development effort goes into extending the The system performance tests
actually carried
flight envelope, without infringing mechanical out will depend, of course,
upon the nature of
and structural stress limits, in order to provide the system. For example, a
flight path
both the structural and mechanical controller requires different
tests from a rotor
"performance" demanded by the helicopter's speed governor. However,
fundamental to all
role(s) and an acceptable level of "safety". such testing is the principle
of establishing the
envelope within which the
system behaves
However, failures can occur and it has been adequately. It may be
desirable for a system
necessary to recognise this fact in the way to operate over the entire
helicopter flight
helicopters are operated and maintained. If the envelope but, if the system
performance is
structural or mechanical integrity is impaired inadequate, it may be
necessary to curtail the
by a failure the result may be: flight envelope to match the
system capability.
* immediately critical (eg if a rotor blade Equally, a system may be
required to operate
fails), only over part of the
helicopter total envelope
• critical in the longer term (eg if cracking (an automatic approach system,
for example)
occurs in the fuselage) or, perhaps, but, again, it is necessary to
define precisely
• not critical at all (eg if some the range of conditions within
which the
non-structural fairing starts to crack, but does system will do its job
properly. In assessing
not detach) the adequacy of a dynamic
system there are
 two fundamental properties
that need to be
Failures that are immediately critical and established. These are the
authority and the
would entail loss of the helicopter must not be response of the system, which
are analogous,
allowed to happen in Service use. The relevant in flying qualities terms, to
the range of
components (e.g. rotor heads, blades, and control available and the
responsiveness of the
gearboxes) are therefore subjected to extensive aircraft to the controls.
testing to determine their Safe Lives so that, in
Service, they can be changed before they fail. 1.4 System Failure Testing
Other components whose failure is not Although an analogy can be
drawn with the
immediately critical are monitored and testing of the structural and
mechanical
rectified as required, the urgency of the repair elements of the helicopter (as
illustrated in the
depending upon the criticality of the failure. right hand side of Figure 1),
a special category
This classification of failure effects, and their arises in the failure testing
of systems in which
treatment, is illustrated in the left hand side of failure can give rise to a
disturbance to the
Figure 1. flight path. This is because
corrective action
must be provided by the pilot
rather than by
1.2 Application to Systems the designer or by the
maintenance crews on
A similar reasoning can be applied to many of the ground. The following
systems are typical
the pilot-aiding (and some other) systems that of those in which piloting
action is required to
are increasingly used in most helicopters, counter the effects of
failure:
where the flight safety of the helicopter * Flying controls.
requires not only the proper performance of the
 2

* Engine and fuel control systems and Clearly, the tests conducted
(and the criteria of
rotorspeed governors, acceptability applied to the
results) must reflect
* Automatic stabilizers, the specifications to which
the helicopter has
* Flight path control systems. been designed and built.
However, it should
* Cockpit displays, especially attitude be noted that, because of the
complexities of
displays, flight directors and weapon aiming the man/machine interface, it
is impossible to
displays intended to provide orientation or write a specification in
respect of some
manoeuvre guidance. aspects, such as flying
qualities, that will
* Systems having aerodynamic effects, guarantee a satisfactory
machine. For this
such as external flotation bags, de-icing reason, specifications
dealing with such matters
systems, hoists, armament, or sling systems. are often better regarded as
being advisory
rather than mandatory, and it
is not unusual for
Clearly, a helicopter suffering a failure of such a feature which does not quite
meet the
a system should be able to survive both the applicable specification
requirement to be
moment of failure and a subsequent period judged acceptable (and vice
versa).
sufficient to allow the flight to be completed
or safely terminated. 1.5.2 Identification and
Classification of
Failures.
1.5 Principles of Failure Testing A preliminary theoretical
study of each
The test methods developed piecemeal to deal potentially flight-safety-
critical system should
with specific, relatively simple, systems have be made to identify all
possible failures, their
proved acceptable in the past. However, the consequences for the
helicopter, and their
increasing number and complexity of probabilities of occurrence.
In conducting this
safety-critical systems require a more rigorous study it should be noted that:
and systematic approach. In all such testing * Any system failure that
affects the flight
there are fundamental principles that need to path is potentially flight-
safety-critical.
be recognised, and the primary objective of * A helicopter having
suffered an initial
this paper is to define these principles, and failure is then in a
'degraded' condition which
develop a set of rules that can be applied to may present a new situation
for the survival of
the failure testing of any safety-critical further failures.
helicopter system which relies on pilot * Failures whose
probability of occurrence
intervention in the event of malfunction. can be shown to be
sufficiently low can be
disregarded.
The flight test programme must be sufficiently
rigorous to ensure that the helicopter's failure 1.5.3 Criteria of
Acceptability.
characteristics are identified and investigated In conducting the preliminary
theoretical study,
thoroughly, so that its safety and operational and when planning the flight
tests, it is
effectiveness in Service use can be maximised. necessary to adopt some
general criteria of
At the same time, that programme must be acceptability, such as:
conducted without unreasonable hazard to the * Definition of the
failure rate that is
helicopter. The following paragraphs introduce accepted as being so low that
such failures can
(and offer some initial guidance on) the be excluded from
consideration.
principal aspects that must be considered. * Definition of the
failure rates that are
acceptable for various classes
of failure, e.g.
1.5.1 Specifications. those whose consequences are,
for instance,
The design of a helicopter is governed by a innocuous, mission affecting,
safety reducing,
series of general and particular specifications, or dangerous. (This is a
difficult topic: it is
such as: dealt with in Reference 2 but,
inevitably, falls
* Specifications for individual systems. back on the procuring agency
when the most
* Specification for the helicopter, critical types of failure are
being considered.)
* General specification of required flying * The helicopter must
remain controllable
qualities, such as those contained in after surviving a failure so
that the flight may
References 1, 2 and 3. be continued or terminated in
safety.
3

* A system failure may be regarded as a component in the electrical

circuit. Hence in
survivable if it is considered that a typical analysing the failures that
can occur within a
experienced pilot, unwarned and performing system it is not unreasonable
to ask oneself the
his normal tasks, could intervene successfully question "what is the worst
that this system
to counter the failure. can do to the helicopter?".
The response
* If it is accepted that the pilot cannot might be, for an
autostabiliser system, that the
always intervene successfully, then the maximum effect that the
system can produce is
probability of his being unable to do so must a full-stroke maximum-rate
runaway of any of
be compatible with the acceptable loss rate. its actuators. The system
might then be
judged satisfactory from the
failure point of
1.5.4 Preliminary Ground Tests. view if it were to be shown
by flight test that,
Where available, rigs and/or simulators should following an actuator
runaway, the ensuing
be used to refine the theoretical studies of manoeuvre could be survived.
This has been a
potential failure cases and their recovery, and traditional way of treating
autostabiliser and
thus enhance the confidence with which "worst autopilot systems, and is
still the basis of
cases" are identified for flight test. much engine failure testing.
(Conversely, if the results of the flight tests
show that the fidelity of the rig/simulator is However, this method becomes
less than
adequate, consideration should be given to satisfactory as systems
become more and more
using it for interactive investigation of failures complex and failures can
produce aberrant
which it would be impracticable to conduct in behaviour in more than one
channel, or over a
flight: an example might be simultaneous period of time. It is then
necessary to
failure of two channels, whose probability of examine, by detailed
theoretical analysis, the
occurrence is estimated to be too high to consequences of failure of
each component in
discount.) order to identify those whose
failure can
adversely affect the system.
This procedure is,
1.5.5 Scope of Flight Tests. of course, well known, and is
commonly
While the scope of the flight tests will depend referred to as "failure mode
and effect
on the details of the particular system under analysis" or FIVEIA. In
current rotorcraft
investigation, the following must always be flying qualities
specifications, such as
borne in mind: ADS33C (Reference 2),
manufacturers are
* The test programme must include the required to list all failures
and their immediate
critical failures, although they should be and subsequent effects on
flying qualities.
examined initially in benign conditions. Such a FMEA needs to be
comprehensive and
* The programme should establish the correct. It also needs to be
usable. If all
most adverse conditions in which a critical initial failures are
considered and subsequent
failure remains survivable, failures are not excluded the
list is long and
* The flight tests of failures should aim at unwieldy. It is necessary for
failures to be
being representative of real operations, and categorised, so that the FMEA
describes a
avoid being a 'circus trick' performable only by manageable number of 'failure
states' (as
a highly skilled test pilot currently practised in required by ADS33C) rather
than just a huge
failure testing. number of individual
failures.

2. THE PRINCIPLES IN OPERATION Initially the FMEA is

theoretical and the stated
effects on flying qualities
are predictions.
2.1 Analysis of Failures by Causes. Normally, therefore, the FMEA
is validated or
For flight test purposes, it is necessary to modified during development
by rig tests of
assess failures in terms of their effect on the the system which simulate
component failures
helicopter, although those effects are caused by and show what actually
occurs. The rig tests
some malfunction within a system. For also allow attention to be
focussed closely on
example, a nose down divergence could be those areas that the FMEA
suggests are
caused by a control system actuator being critical. Thus the analysis
and rig tests
driven to full travel as a result of the failure of provide valuable guidance
before flight
 4

examination of critical aspects. Flight test Moderate or Severe, whose

implications are
remains essential since it is not unusual - a discussed below.
realist might even say usual - for flight results
to differ from rig results because of the 2.3.1 Failures producing Mild
disturbance.
difficulties of making a completely If a failure occurs that
produces only a gradual
representative simulation. change in the flight path,
this does not
immediately hazard the
helicopter, but the pilot
2.2 Frequency of Occurrence of Failures and should be warned that such a
failure has
of Failure States. occurred. The warning could be
of any
Manufacturers are required by ADS33C to suitable type (eg visual or
aural) provided that
calculate the probability of failure states being the pilot gets the message in
adequate time to
encountered. There are two elements to this. avoid difficulties, such as
running out of
The first is the determination of frequency of height.
occurrence of failures. The second is analysis
of how often failures will lead to particular 2.3.2 Failures producing
Moderate
consequences, since these will depend on disturbance.
external factors such as speed, altitude, visual Here the motion of the
helicopter provides a
cues, cg position etc. For its calculation it is cue for the pilot and it may
well be
necessary to know all the relevant variables supplemented by other cues
such as instrument
and their frequency of occurrence. The indications, engine or rotor
noise, or even a
number of possibilities can be very large and, specific warning. Such
failures are no great
as with the FMEA, classification of effects is problem if the cues are good,
the flight
essential if the predicted frequency spectra are conditions are not too bad,
and the change of
to be usable. flight path is not immediately
critical, so that
the pilot can avoid difficult
conditions.
Again, theoretical estimates need to be updated
in the light of actual experience, since actual 2.3.3 Failures producing
Severe disturbance.
failure rates may differ from those predicted, Some failures can produce so
rapid a
and are liable to change with time as systems divergence that the
helicopter can be at risk in
become mature or as modifications are a few seconds, or even less.
Here the pilot
introduced. must intervene very rapidly
to contain the
 situation, and such
intervention preferably
2.3 Classification of Failures by their Effects. should not entail the
operation of cut-outs or
The two preceding paragraphs discuss failures switches that require separate
actions. In some
as they are seen by the design engineer, who circumstances the cues are not
conspicuous
sees a system 'from the inside'. The pilot, and the problem for the pilot
can lie in
however, is primarily concerned with what the recognising that a failure has
occurred before a
system produces. This is true not only when critical situation has
developed, even if
the system is functioning correctly, but also - dynamic cues are supplemented
by a warning
or even especially - when it goes wrong. It (this can arise, for example,
when the normal
would be very satisfactory if whenever a operation of an automatic mode
involves
failure occurred it produced a mild but clearly coarse changes of aircraft
attitude such that the
recognisable disturbance to the flight path so initial disturbance resulting
from an autopilot
that the pilot was both aware of the failure and "runaway" is not obvious). In
both these
easily able to counter its effects. Although instances the pilot intervenes
to restore the
many failures are like this, the effects of some helicopter initially to a safe
attitude and then
are so mild that they are quite likely not to be to a safe flight path.
Sometimes, it is
noticed by the pilot. Other failures can occur necessary to control the
flight path to avoid an
whose effects are severe enough to require obstacle, such as the ground
if the helicopter is
immediate reaction from the pilot to maintain flying very low. Here the
closeness of the
control of the helicopter. It is convenient to ground can curtail the time
available for
classify the effects of failures as being Mild, successful intervention.
5

2.3.4 Failures producing Delayed although others are possible

and might in some
disturbances. circumstances be appropriate.
Clearly for a
These can arise if a failure occurs within a failure to be judged to be
satisfactory the
system that does not produce an immediate required intervention time
must be less than
effect, but does so later on if, say, a second the intervention time
available. Figure 3, a
failure occurs, or the system mode is changed. very simple example, shows how
the 'required'
(It should be noted that while such dormant and 'available' intervention
times can be used
failures must be considered during design and to define a limiting
condition, in this case the
testing, from a pilot's viewpoint they do not maximum speed at which
recovery is possible.
exist because, until the second event occurs,
there is no change to the aircraft attitude or 2.5 Factors affecting Required
and Available
flight path). Such dormant failures, if they Intervention Times.
subsequently produce a disturbance, can be 'Required' and 'available'
intervention times are
classified as above by the severity of the affected principally by the
flight conditions,
disturbance, ie mild, moderate or major. A the aircraft/system
characteristics and the level
failed warning system is a dormant failure if of attention that the pilot is
able to devote to
the pilot is unaware of it. This classification the flying task, as indicated
below:
of failures is summarised in Figure 2.
2.5.1 Flight Conditions
2.4 Criteria of Acceptability. * VFR v IFR - In
principle, if the visual
For the effects of a particular system failure to displays are adequate, then a
failure in
be tolerable, it must be possible for the pilot to instrument flight is similar
to one in visual
recognise the failure in any phase or condition flight. However, cockpit
displays are seldom
of flight in which it can occur, and to restore as reassuring as a view of the
outside world,
the helicopter to safe flight. The recovery and the process of
recognition, diagnosis and
action should not require exceptional piloting recovery is often more
difficult and lengthy in
skill and, throughout the disturbance and instrument flight.
recovery, the helicopter should remain within * Level v Manoeuvring
Flight - A
its "never exceed" limitations and clear of the failure-caused perturbation in
the flight path is
ground. more readily recognised in
level flight than in
 an automatic manoeuvre that
itself is a
It is obviously essential that, following a succession of perturbations.
Further, in
system failure, sufficient time is available for manoeuvres the margin between
safe and
the pilot to recognise the effects of that failure unsafe flight attitudes can be
reduced, which
and to initiate successful recovery action. The correspondingly reduces the
time available for
interval between the failure and the pilot's intervention. These aspects
are summarised in
recovery action is commonly called the Figure 4.
'intervention time'. For any failure that can * Airspeed - The
intervention time
lead to a loss of control there is an interval available is often greatly
reduced at the higher
after which successful recovery action is airspeeds (but other factors
such as altitude,
impossible; this interval is the 'available' weight and configuration can
also have
intervention time. Equally there is an interval significant effects).
that the pilot needs to recognise and initiate * Height - Proximity to
the ground, or to
recovery action; this is the 'required' other hazards, self-evidently
reduces the
intervention time. intervention time available.

In flight testing, where precise measurement is 2.5.2 Aircraft and System

Characteristics
necessary, it is usual to define the intervention * Poor Stabilisation - If
the flight path is
time as the interval between the start of the not smooth because the
stabilization system
failure (usually the initial movement of an does not work well, then this
delays the
actuator) and the start of the pilot's action (the recognition of failure-caused
perturbations.
first movement of the control). This definition However, if the system is so
poor that it
has been successfully used for many years, requires the pilot
occasionally to intervene,
 6

then his close monitoring of the system will be through a flight director) it
becomes very
beneficial. difficult to decide how often
a failure is likely
* Cue Quality - Clear cues shorten the to lead to disaster. Whether
it does or not
intervention time required, particularly if they depends on the nature of the
failure, the flight
give an "instinctive" indication of the recovery conditions at the time, and
the required
action to be taken. intervention time. This latter
depends heavily
on the pilot's ability to
cross-check between
2.5.3 Piloting Actions what is happening and what
ought to be
* Pilot Attention Level - A pilot who is happening and hence to
recognise
attentively monitoring system behaviour will abnormalities.
react more quickly than one who is bored by
inaction or preoccupied with other tasks. Such complex situations can be
dealt with by
* "Hands On" v "Hands Off " - Flying calculation. The principle is
illustrated in
"hands on" shortens intervention times, but Figure 5. The FMEA provides
data on the
there are often occasions when hands are distribution of possible
defects and failures.
needed elsewhere than on the flying controls. The operational flight
spectrum provides the
distribution of all possible
flight conditions.
2.6 Acceptable Risk Levels. The helicopter response to any
failure is
Achieved intervention times can be very small provided by theoretical
computation supported
- even effectively zero if the pilot is by flight test data. The
consequent reaction of
manoeuvring the helicopter when the failure the pilot can be described by
a single (or, more
occurs - or many seconds if the effect of the probably, by a distribution
of) required
failure is obscured by a poor cue environment, intervention time(s) based on
theoretical
ADS33C for example specifies times between analysis and confirmed by
flight test data.
3 and 10 sec. Since the severity of a failure Thus from any set of initial
conditions the
depends upon the factors described in para 2,5 recovery manoeuvre can be
calculated.
above, it is usually possible and necessary to Whether or not this is
successful can be
define a flight envelope or set of conditions determined by the application
of a suitable
within which the helicopter is safe in the event crash criterion (e.g. the
helicopter hits the
of failure. Outside this envelope there is a risk ground, or a critical load is
exceeded).
of disaster that increases with distance from Repeated calculations from
different randomly
the 'safe' area. selected initial conditions
will enable an
overall figure to be determined
for the total
For example, a helicopter might be safe in the number of survivable failures
occurring for
event of a particular failure at speeds up to each one that causes a crash.
Separately, the
120 knots but be subject to increasing risk at system reliability data can
provide the
higher speeds. Careful examination of this risk probability of failures
occurring. These two
up to, say, 140 knots may show that it is very figures are the terms of the
"crash equation"
low when expressed as 'accidents per flying that enables the crash rate to
be calculated,
hour' - a figure of 1 x 10' perhaps. Whilst it namely:-
is difficult to accept that accidents should be
regarded as "normal", nonetheless the principle hours /failure x failures
/crash
has found favour where the gain in operational
hours /crash
capability is significant. In time of war, it is
often desirable for tactical reasons to use the To apply this method to a
specific helicopter
maximum possible speed or the lowest and mission, many
supplementary questions
possible altitude because of the reduced need to be answered, but the
method has been
exposure to enemy fire, and overall helicopter used successfully. In
particular, it allows the
losses may even be reduced despite a small trade-off to be made between
operational
increase in technical risk. capability and risk level from
system failure,
and may show that accepting a
slight increase
With complex systems performing automatic in risk from system failure can
produce such
manoeuvres (or determining manoeuvres
7

an improvement in capability that overall risk 3.2 System Performance Tests.

of loss in combat is reduced. These tests will exercise the
system over the
relevant flight and
environmental envelopes to
2.7 Current Requirements relating to System see how it behaves. Its
behaviour will be
Failures. regarded as satisfactory if it
enables the
Current requirements are numerous, lengthy required performance to be
achieved within the
and detailed. Some subjects, such as flying constraints imposed by other
applicable
qualities or automatic flight control systems requirements, especially those
in respect of
are extensively covered; others such as cockpit flying qualities. A primary
objective of this
displays are less favoured. The continuing work is to see if there are
any circumstances in
emergence of new technologies makes it very which the system performance
is
difficult to keep specifications up to date, and unsatisfactory. If the
behaviour is bad enough
this leads to their being inadequate in some it might be necessary to
preclude operation in
respects such that it is possible for a helicopter that condition. It is
essential that "worst
to meet existing requirements but still be liable cases" be examined. If an aft
cg position is
to system behaviour or system failures that adverse, some flying must be
done at aft cg.
make it insufficiently safe. When this occurs If a volatile fuel is adverse,
then try the
the certification or clearance authority needs to volatile fuel. One, or rather
a few, words of
seek improvement to the system, introduce warning, however. It is
possible to stack up
special operating procedures, or restrict the adverse conditions so
thoroughly, but
operation of the helicopter so that potentially unreasonably, that one shows
that the
dangerous situations are avoided. The Annex helicopter should not fly at
all. Worst cases
discusses principal current requirements. must be examined, but sensible
judgements
must be made about them based
on the overall
3. PROCEDURE FOR FLIGHT TESTING probability of the worst case
arising.

(NOTE: As stated in the Preface, this paper 3.3 System Failure Tests.
seeks to deal with the flight testing of any Failures must be tested in
flight and this
flight-safety-critical system. While the requires a method for
'injecting' failures into
principles will remain the same for all systems, the system. Providing this
facility is often
the details of the tests will depend upon the quite difficult, and it merits
consideration at a
particular system.) very early stage in the
planning of a
programme. If the helicopter
is to be seen to
3.1 Specification of the System. be safe, then the tests must
include the most
For the system to be tested properly it is critical cases. However
certain obvious
essential that there be a clear understanding of precautions are necessary. It
is sensible to
what it is supposed to do. This is usually start with easy cases and
proceed progressively
written in the specification for the system. to critical ones. (Selection
of the failures to be
This might be supplemented by a statement of tried in flight will be aided
if an FMEA is
requirement, which tends to define an available and if rig tests or
simulations have
operational need rather than an engineer's been done. This is
particularly desirable in the
solution. In particular, the required system case of complex systems, and
can greatly
performance must be stated, and the flight shorten the flight programme.)
The objective
envelope within which this performance is to of the tests is to establish
that failures can be
be obtained. If the formal specification is survived when the pilot
intervenes after a
insufficiently explicit it may be necessary, for realistic intervention time,
that is, that the
flight test purposes, to devise supplementary intervention time required by
the pilot is less
criteria for system performance from rational than the available
intervention time imposed
consideration of the intended operational by the system and the
circumstances. A test
usage. helicopter with dual pilot
stations is highly
desirable, and is essential if
the most rigorous
tests are to be conducted
safely.
 8

Safety is enhanced in flight if the pilot is * loss of a particular

function
warned when the failure is to be injected and, * similar system
performance but a higher
in successive tests, consciously increases the susceptibility in the event
of further failures.
intervention time. In a progressive case it will
then be possible to make a good estimate of If the system performance is
degraded then
the maximum intervention time available operating close to the
extremes of the flight
without hazarding the helicopter. As part of envelope is likely to be
unsatisfactory. If a
this process it will be necessary to decide what function is missing then the
implications of
constitutes a safe recovery, taking into account this will need to be
considered. These cases
the general criteria of acceptability introduced should be examined in
flight, again
in para 2.4. In a particular case a safe approaching critical
conditions gradually. If
recovery might be defined as one in which the the system degradation means
that the
helicopter does not exceed any of its "never helicopter is more
vulnerable in the event of a
exceed" limits: in another, it might be further failure, then it may
be necessary to
determined by the height lost during recovery, conduct appropriate flight
tests. It will
certainly be necessary to
advise on the best
Determination of a realistic intervention time course of action in view of
the higher risk
required is often difficult but may be necessary level in the degraded state.
if there are no"requirements" that are both
relevant and sound. For an operationally 4. PRODUCT OF THE FLIGHT
TEST
representative required intervention time to be PROGRAMME
established in flight, the pilot must be unaware
that a failure is to be injected, and not be The principal products of the
flight test
untypically practised at recognising failure programme may be summarised
as follows:
cues and taking appropriate control action. A
pilot who has been engaged in a failure test 4.1 Flight Envelopes.
programme is therefore not a good subject for Perhaps the most important
outcome of the test
tests of unwamed failures. In practice, it is programme is the
investigation and subsequent
necessary to conduct most of the programme definition of the various
flight envelopes that
with one or two pilots, gradually approaching can be adopted for Service
use, namely:
critical cases and making the best estimates of * Normal Operation
- The system
available and necessary recovery times. When performance tests will
determine the
 this has been done it is then possible to take performance of each flight-
safety-critical
an unpractised pilot and subject him to system, including the
effects on that
unwarned tests. The safety pilot must be performance of adverse
conditions (e.g.
completely familiar with the test that is to be turbulence, or high ambient
temperature), so
made and preferably should inject the failures. that the flight envelope
over which the
The test points must be chosen with care. If characteristics of all
flight-safety-critical
they are too easy the results will have little systems remain satisfactory
can be defined.
value, if they are too difficult the risk increases Similarly, the failure tests
will define the flight
and the safety pilot is naturally inclined to envelope within which
recovery is assured
intervene. Such tests are most relevant where from the effects of any
failure (or combination
usable cues are not prominent and the of failures) whose
probability of occurrence is
consequences of delayed intervention are insufficiently low to
discount. By taking the
serious, for it is in these circumstances that more conservative flight
conditions indicated
simulation most requires verification. This by these two envelopes, the
flight envelope for
will serve as a check on the estimates made normal operation can be
derived.
from the previous test programme. * Flight with Degraded
System - The tests
will indicate the
advisability of curtailing the
3.4 Post Failure Performance Tests. normal flight envelope
following an initial
Following a failure a system is degraded and failure. If the number of
possible failures is
this is likely to appear as: large then it will be
necessary to exercise some
* degradation of system performance
 9

mental discipline to produce limitations that

are adequate and usable.
* Flight Envelope with Higher Risk
Levels - If it is considered desirable by the
operators of the helicopter, then some
extensions to the permitted flight envelope
could be made with a concomitant reduction in
safety. However, if this is done it is necessary
to be quite clear about the nature or degree of
the higher risk levels, so that intelligent
judgements can be made about their use.

4.2 Piloting Procedures.

A satisfactorily-completed failure test
programme will yield realistic empirical
evidence on both the immediate action to be
taken when a failure occurs, and the
procedures to be followed to identify the
nature of that failure and the subsequent
corrective action to be taken. (There have
been cases, for instance, of single governor
failures on multi-engine helicopters leading to
the shutting down of the wrong engine, which
simple procedural checks would have avoided.)
This evidence will be used to derive
comprehensive but concise emergency
procedures for inclusion in the aircrew manual.
Moreover, it may lead to the recommendation
that pilots should experience failures in flight
as part of their training.

4.3 Recommendations for System

Improvements.
Recommendations for improvements are the
inevitable outcome of a flight test programme.
In the testing of a system that is flight safety
critical, it is specially relevant to consider if
modification can improve the safety of the
helicopter operation.

4.4 Comparison of Specified and Achieved

System Performance.
For the helicopter and its operator this is
probably the least important product of the
programme. It has, however, interest for the
manufacturer. It determines whether he gets
paid.
10

REFERENCES

1. US Air Force. Military Specification MIL-H-8501A Notice 1 dated B. Rotorcraft

Handling
Qualities.

2. United States Army Aviation Systems Command, St Louis, Mo. Aeronautical Design
Standard ADS-33C dated August 1989. Handling Qualities Requirements for Military
Rotorcraft.

3. UK Ministry of Defence, London. Defence Standard 00-970. Design and

Airworthiness
Requirements for Service Aircraft. Volume 2 - Rotorcraft, Issue 1 dated 31 July
1984, to
Amendment 8 dated December 1990.

4. Cooper G.E and Harper R.P. The use of pilot rating in the evaluation of aircraft
handling
qualities. NASA TN D5153 dated 1969.

5. Hindson W.S, Eshow M.M and Schroeder J.A. A pilot rating scale for evaluating
failure
transients in electronic flight control systems. AIAA-90-2827 dated August 1990.
Figure 1

oc
0>

ID u
0-o 0 (

LU - -

D zD
E
u--4--
t
Uw a
Z
L-
S0

:1 0~

CI Ou0
JJ
=- .J-=.-
0 4--
0 - C Ol- 0
-

__ __ __ _ _
0_ _ 0
_ _ _ •
ID
wJ

[z F-m
HZ

ý
LL -
I
- a-z

D 0 >
0•ý
U C:
D
CL U
 z no
LL
<
U
z~ C:
U 0 0

Uw

D >
U
D -
F- I0 -0 CLC:
04
Et L- t: 0E C a)
W

H- z
LU U LU
LU-F
H IL
LU LU
H-
12

Figure 2

EFFECT OF SEVERE MODERATE MILD DELAYED

FAILURE DISTURBANCE DISTURBANCE DISTURBANCE DISTURBANCE

PRINCIPAL Angular Attitude Visual or Appropriate

CUES acceleration, change, audible to
disturbance
attitude acceleration warning when it
occurs,
change ie as one of
other cases

PILOT Immediate, Rapid, through Restoration of As above

ACTION through flying flying controls safe flightpath
controls, to and/or cut-out following
restore operation warning
attitude

CLASSIFICATION OF FAILURES
 13

Figure 3

Intervention time avaitable

from the system Maximum
airspeed at
which recovery
is possible

TIME

N I

Intervention time
required by the pilot

AIRSPEED

EFFECT OF INTERVENTION TIMES ON LIMITING CONDITIONS

(ILLUSTRATIVE)
14

Figure 4

FACTORS AFFECTING INTERVENTION TIMES

MODE OF FLIGHT CUE QUALITY AGGRAVATING FACTORS

HOVER Good Poor hover holding

Very low height

STRAIGHT AND LEVEL Good Very high speed

TURNS Good High speed

Large adverse rot[ angle

TURN ENTRY + EXIT Fair Non-smooth change of

SPEED CHANGES condition
Large attitude changes
Large angular velocities

AUTOMATIC MANOEUVRES Probably Non-smooth changes of

eg Auto transition poor attitude
to and from hover Large variation of attitude
or ongutor velocity
target
Automatic
trocking Very tow height

Notes:
1 Very tow height is nearly atways adverse
2 "HANDS OFF" Flight increases intervention time
3 Poor stobilisotion delays failure recognition
(unless it is so bad it requires frequent pilot
intervention)
4 Low pilot attention level increases intervention time
 15

Figure 5

FAILURE OPERATIONAL
MODE + EFFECT FLIGHT
ANALYSIS SPECTRUM

FLIGHT
DEFECT
CONDITION

FAILURE I LIGHT
FAIUE COMPUTATION TEST
STATE
DATA

RELIABILITY RECOVERY
DATA MANOEUVRE

FAILURE CRASH
PROBABILITY CRITERION

FAILURES HOURS
HOURS PER X PER
PER CRASH CR
FAILURE CRASH

CRASH RATE CALCULATIONS

(SCHEMATIC)
Al-i

ANNEX 1
Specifications and Requirements

1. SPECIFICATIONS * The total probability of

encountering a
Specifications normally exist for specific specified moderate
deterioration in flying
systems and helicopters. They define what are qualities must not exceed
specified values.
the essential characteristics of the systems and * Failures of the flight
control system,
of the helicopter itself. They usually try to be (and the engine(s) and
electrical system) must
as clear as possible in their definitions and meet specific requirements: for
example, no
sometimes even specify precisely what test single failure within the
flight control system
must be performed to demonstrate compliance, should cause dangerous or
intolerable flying
However each new specification covers areas qualities.
of technological or theoretical advance, and * Special Failures: these
are failures
these normally pose new problems in flight whose probability of occurrence
is so remote
testing. that they can, with the
agreement of the
procuring authority, be
excluded from further
2. REQUIREMENTS consideration.
General requirements also exist for helicopter
flying qualities. They have tended to focus on The requirement recognises
multiple failures,
the characteristics required of flight control flight path transients at
failure, and degraded
systems (Reference 1). Recent standards have operation after failure. Pilot
attention levels
extended their scope to include cockpit and delay times are also
considered.
displays and vision aids. The US document
Aeronautical Design Standard 33C (Reference 2.4 Helicopter Response.
2) is comprehensive and includes the following The required response to all
control inputs is
topics that are directly relevant to the flight specified.
testing of critical systems.
2.5 Subjective Requirements.
2.1 Multiple Flight Envelopes. Subjective terms are used in
the document,
The Operational envelope is that required to but it is required that these
be quantified
perform the mission, whilst the Service before contract initiation.
envelope is the larger envelope of which the
helicopter is capable. 3. RATING SCALES
The Cooper-Harper scale
(Reference 4) for
2.2 Degraded Visibility, Vision Aids and rating flying qualities is a
part of the
Displays. vocabulary of any flight
tester. It is used
Tests are defined that assess the Usable Cue extensively in specification
documents. A
Environment when using vision aids and similar approach has been
adopted by Hindson,
displays. The contractor is required to define Eshow and Schroeder (Reference
5) to devise
manoeuvring envelopes for near-earth a rating scale for failure-
induced flight path
operation in poor visibility. The necessary transients. Both of these
scales facilitate
detailed assumptions on pilot delays and sensible discussion of flight
tests, they do not
reaction times must be approved by the indicate how a flight test
programme should be
procuring authority, conducted.

2.3 Failures. 4. SUMMARY

The contractor must identify all failure states In summary, it can be said that
specifications
which affect rotorcraft response or the usable remain complementary to this
document. They
cue environment. These can then be treated in provide a wealth of information
on system
one of three ways: performance characteristics, and
valuable
guidance on how to treat system
failures. In
A1-2

the more difficult cases they are unable to be

specific and require these to be either the
subject of agreement between the contractor
and the procuring authority, or of definition by
the procuring authority. In either case the wise
procuring authority will look to the flight test
agencies since they are responsible for
ensuring safety in flight.
A2-1

ANNEX 2
AGARD Flight Test Instrumentation and Flight Test Techniques Series
1. Volumes in the AGARD Flight Test Instrumentation Series, AGARDograph 160

Volume Title
Number
Publication

Date

1. Basic Principles of Flight Test Instrumentation Engineering

(Issue 2)
Issue 1: edited by A. Pool and D. Bosman
1974
Issue 2: edited by R. Borek and A. Pool
1994

2. In-Flight Temperature Measurements

by F. Trenkle and M. Reinhardt
1973

3. The Measurements of Fuel Row

by J.T. France
1972

4. The Measurements of Engine Rotation Speed

by M. Vedrunes
1973

5. Magnetic Recording of Flight Test Data

by G.E. Bennett
1974

6. Open and Closed Loop Accelerometers

by I. Mclaren
1974

7. Strain Gauge Measurements on Aircraft

by E. Kottkamp, H. Wilhelm and D. Kohl
1976

8. Linear and Angular Position Measurement of Aircraft Components

by J.C. van der Linden and H.A. Mensink
1977

9. Aeroelastic Flight Test Techniques and Instrumentation

by J.W.G. van Nunen and G. Piazzoli
1979

10. Helicopter Flight Test Instrumentation

by K.R. Ferrell
1980

11. Pressure and Flow Measurement

by W. Wuest
1980

12. Aircraft Flight Test Data Processing - A Review of the State of

the Art
by L.J. Smith and N.O. Matthews
1980

13. Practical Aspects of Instrumentation System Installation

by R.W. Borek
1981

14. The Analysis of Random Data

by D.A. Williams
1981

15. Gyroscopic Instruments and their Application to Flight Testing

by B. Stieler and H. Winter
1982

16. Trajectory Measurements for Take-off and Landing Test and Other
Short-Range Applications 1985
by P. de Benque D'Agut, H. Riebeek and A. Pool

17. Analogue Signal Conditioning for Flight Test Instrumentation

by D.W. Veatch and R.K. Bogue
1986

18. Microprocessor Applications in Airbome Flight Test

Instrumentation
by M.J. Prickett
1987

19. Digital Signal Conditioning for Right Test

by G.A. Bever
1991
A2-2

2. Volumes in the AGARD Flight Test Techniques Series

Number Title
Publication

Date

AG237 Guide to In-Flight Thrust Measurement of Turbojets and

Fan Engines by the MIDAP 1979
Study Group (UK)

The remaining volumes are published as a sequence of Volume Numbers of

AGARDograph 300.

Volume Title
Publication

Date

1. Calibration of Air-Data Systems and Flow Direction

Sensors
by J.A. Lawford and K.R. Nippress
1988

2. Identification of Dynamic Systems

by R.E. Maine and K.W. Iliff
1985

3. Identification of Dynamic Systems - Applications to

Aircraft
Part 1: The Output Error Approach
1986
by R.E. Maine and K.W. Iliff

Part 2: Nonlinear Analysis and Manoeuvre Design

1994
by J.A. Mulder, J.K. Sridhar and J.H.
Breeman

4. Determination of Antenna Pattems and Radar Reflection

Characteristics of Aircraft 1986
by H. Bothe and D. McDonald

5. Store Separation Flight Testing

1986
by R.J. Amold and C.S. Epstein

6. Developmental Airdrop Testing Techniques and Devices

1987
by H.J. Hunter

7. Air-to-Air Radar Flight Testing

1992
by R.E. Scott

8. Flight Testing under Extreme Environmental Conditions

1988
by C.L. Henrickson

9. Aircraft Exterior Noise Measurement and Analysis

Techniques 1991
by H. Heller

10. Weapon Delivery Analysis and Ballistic Flight Testing

1992
by R.J. Amold and J.B. Knight

1i. The Testing of Fixed Wing Tanker & Receiver Aircraft

to Establish their 1992
Air-to-Air Refuelling Capabilities
by J. Bradley and K. Emerson

12. The Principles of Flight Test Assessment of Flight-

Safety-Critical Systems in Helicopters
by J.D.L. Gregory

At the time of publication of the present volume the following volumes were
in preparation:

Flight Testing of Digital Flight Control Systems

by T.D. Smith

Flight Testing of Terrain Following Systems

by C.Dallimore and M.K.Foster

Reliability and Maintainability

by J. Howell

Introduction to Flight Test Engineering

Edited by F. Stoliker

Space System Testing

by A. Wisdom

Flight Testing of Radio Navigation Systems

by H. Bothe and H.J. Hotop

Simulation in Support of Flight Testing

by L. Schilling
 REPORT DOCUMENTATION PAGE
1. Recipient's Reference 2. Originator's Reference 3. Further Reference
4. Security Classification

of Document
AGARD-AG-300 ISBN 92-836-1001-6
UNCLASSIFIED
Volume 12

5. Originator Advisory Group for Aerospace Research and Development

North Atlantic Treaty Organization
7 rue Ancelle, 92200 Neuilly-sur-Seine, France
6. Title
The Principles of Flight Test Assessment of
Flight-Safety-Critical Systems in Helicopters

7. Presented at

8. Author(s)/Editor(s)
9. Date
J.D.L. Gregory
August 1994

10. Author's/Editor's Address

11. Pages
formerly of Aeroplane and Armament Evaluation Establishment
32
Boscombe Down, Salisbury, Wilts
SP4 OJF England
United Kingdom
12. Distribution Statement There are no restrictions on the distribution
of this document.
Information about the availability of this and
other AGARD
unclassified publications is given on the back
cover.

13. Keywords/Descriptors
Helicopters Reliability
Flight control systems Control
systems
Flight tests Methodology
Critical system Safety
engineering
Criticality

14. Abstract

Modem helicopters usually incorporate many engineering systems (including

pilot-aiding
systems such as autostabilisers and flight directors) which are essential to
the safe and
effective use of the helicopter. Where the helicopter can be endangered by
failure of a
system (or of one of its units), that system is termed flight-safety-
critical. In general, the use
of those systems should not incur a higher probability of hazard to the
helicopter than that
considered acceptable from considerations of structural or mechanical
failure.
In assessing the suitability of a helicopter for its intended mission(s), it
has become
increasingly important to consider the effects of the various systems
provided. In particular,
assessments of the implications of systems performance and failures derived
from calculation
and ground tests should be validated by flight tests. This paper seeks to
establish the general
principles applicable to the testing in flight of any flight-safety-critical
system, with emphasis
on certification rather than system development. It does not deal with the
testing of particular
systems, but it is hoped that readers will find the principles described
readily applicable to
specific cases.
This AGARDograph has been sponsored by the Flight Mechanics Panel of AGARD.
-
C0
0

In
0)
C) In
E
E.

0
>

03 04
m
0 toc ;~ 0

.>
0 U5 ~ ~

Cl E Ir.Ci (1 0 0O0-ý
4

~ 0~
4

4)
M~ 0

~~04
u~
v*0
0

0~)~~
cn (00)~/> 0 m 00
0

3
0
-9
0 ~C
C

0~4 0 C4)
 0 0

0 ~ -- 0- _,-

C - -0
;;.4) 4

/2
0 ,0~
A4)- 4) ~0
c 0 0
;-

.0
u C

In0
0) 0
>0

0 5

-- 0 ZP -
04)

V) 0obho

0~ ~
0 ýa 0
+

0- 0)~>
o4
04) 0
UE w4
4<d0
0

0
0
 .- u) 4,
. U

0
0

4.1-
C,

o) C)

9CCs
'r.
>O t
~ =) ~-~ C
>,0>8

-il 0
C)

64 U 0 .C0

0C , CIS

o muC

-C! -C
o 16 ý -C

4. (:) r.)
0 C)C 9 -40

w
o 0
It)
p
.- 0) -D

Co
ltý~~
Q : UQ

CC)
0 " )
0
OCO
CO CO-
u -

C
u C13.
m
04
0
U P4

0
q 00

'21 c 0

0 o , c

C )3 'A C
cl.0 C C
04C

'- )l C)--ý

b) 0 bD
0o

-C d
:9~ -5 sw
0 ý0

oO
o ~ C 0

/C

W u
0

~CCCC ~
~ -
 a) 7=
CO0
0 a:, 0
C)L
t ) C
=0C)-

m
-0

C)
-,) mO- > ~
~
C/C
CO -*) C) 0 )

4
a

C- 0
0ý

C/C
CC/ Cl
4, 41~C 0C C0

(0C
") Ca) g~C

O 0 >2
Z4
-0 >1
U

0 (1)cl, ;, tlo
Im 0
 NATO OTAN

7 RUE ANCELLE * 92200 NEUILLY-SUR-SEINE

DIFFUSION DES PUBLICATIONS

FRANCE
AGARD NON CLASSIFIEES

T61copie (1)47.38.57.99 e T6lex 610 176

Aucun stock de publications n'a exist6 AAGARD. A partir de 1993, AGARD d6tiendra un
stock limit6 des publications associ~es aux cycles
de conf6rences et cours sp6ciaux ainsi que les AGARDographies et les rapports des
groupes de travail, organis6s et publi6s ý partir de 1993
inclus. Les demandes de renseignements doivent 6tre adress6es AAGARD par lettre ou
par fax A l'adresse indiqu6e ci-dessus. Veuillez ne
pas telMphoner. La diffusion initiale de toutes les publications de I'AGARD est
effectu6e aupr~s des pays membres de I'OTAN par
l'interm6diaire des centres de distribution nationaux indiqu6s ci-dessous. Des
exemplaires suppl6mentaires peuvent parfois 8tre obtenus
aupr~s de ces centres (Al'exception des Etats-Unis). Si vous souhaitez recevoir
toutes les publications de I'AGARD, ou simplement celles
qui concement certains Panels, vous pouvez demander i 6tre inclu sur la liste
d'envoi de l'un de ces centres. Les publications de I'AGARD
sont en vente aupr~s des agences indiqu6es ci-dessous, sous forme de photocopie ou
de microfiche.
CENTRES DE DIFFUSION NATIONAUX
ALLEMAGNE ISLANDE
Fachinformationszentrum, Director
of Aviation
Karlsruhe c/o
Flugrad
D-7514 Eggenstein-Leopoldshafen 2 Reykjavik
BELGIQUE ITALIE
Coordonnateur AGARD-VSL
Aeronautica Militate
Etat-major de la Force a6rienne Ufficio
del Delegato Nazionale all'AGARD
Quartier Reine Elisabeth Aeroporto
Pratica di Mare
Rue d'Evere, 1140 Bruxelles 00040
Pomezia (Roma)
CANADA LUXEMBOURG
Directeur du Service des renseignements scientifiques Voir
Belgique
Minist~re de la D6fense nationale NORVEGE
Ottawa, Ontario KIA 0K2 Norwegian
Defence Research Establishment
DANEMARK Attn:
Biblioteket
Danish Defence Research Establishment P.O. Box
25
Ryvangs All6 1 N-2007
Kjeller
P.O. Box 2715 PAYS-BAS
DK-2100 Copenhagen 0
Netherlands Delegation to AGARD
ESPAGNE National
Aerospace Laboratory NLR
INTA (AGARD Publications) P.O. Box
90502
Pintor Rosales 34 1006 BM
Amsterdam
28008 Madrid PORTUGAL
ETATS-UNIS Forqa
A6rea Portuguesa
NASA Headquarters Centro de
Documentagdo e Informaqdo
Code JOB-1 Alfragide
Washington, D.C. 20546 2700
Amadora
FRANCE ROYAUME-UNI
O.N.E.R.A. (Direction) Defence
Research Information Centre
29, Avenue de la Division Leclerc Kentigern
House
92322 ChAtillon Cedex 65 Brown
Street
GRECE Glasgow
G2 8EX
Hellenic Air Force TURQUIE
Air War College Milli
Savunma Ba~kanliffi (MSB)
Scientific and Technical Library ARGE
Daire Ba~kanli•i (MSB)
Dekelia Air Force Base Ankara
Dekelia, Athens TGA 1010
Le centre de distribution national des Etats-Unis ne detient PAS de
stocks des publications de I'AGARD.
D'6ventuelles demandes de photocopies doivent &re formul6es directement aupr~s du
NASA Center for AeroSpace Information (CASI)
A l'adresse ci-dessous. Toute notification de changement d'adresse doit 8tre fait
6galement aupras de CASI.
AGENCES DE VENTE
NASA Center for ESA/Information Retrieval
Service The British Library
AeroSpace Information (CASI) European Space Agency
Document Supply Division
800 Elkridge Landing Road 10, rue Mario Nikis
Boston Spa, Wetherby
Linthicum Heights, MD 21090-2934 75015 Paris
West Yorkshire LS23 7BQ
Etats-Unis France
Royaume-Uni
Les demandes de microfiches ou de photocopies de documents AGARD (y compris les
demandes faites aupr~s du CASI) doivent
comporter la d6nomination AGARD, ainsi que le num6ro de s6rie d'AGARD (par exemple
AGARD-AG-315). Des informations
analogues, telles que le titre et la date de publication sont souhaitables.
Veuiller noter qu'il y a lieu de sp6cifier AGARD-R-nnn et
AGARD-AR-nnn lors de la commande des rapports AGARD et des rapports consultatifs
AGARD respectivement. Des r6f6rences
bibliographiques completes ainsi que des r6sum6s des publications AGARD figurent
dans les journaux suivants:
Scientific and Technical Aerospace Reports (STAR) Government
Reports Announcements and Index (GRA&I)
publi6 par la NASA Scientific and Technical publi6 par le
National Technical Information Service
Information Division Springfield
 NASA Headquarters (JTT) Virginia 22161
Washington D.C. 20546 Etats-Unis
Etats-Unis (accessible
6galement en mode interactif dans la base de
donn6es
bibliographiques en ligne du NTIS, et sur CD-ROM)

Imprimg par le Groupe Communication

Canada
45, boul. Sacrg-Cceur, Hull (Qudbec), Canada
KIA 0S7
 NATO -•- OTAN

7 RUE ANCELLE - 92200 NEUIL.LY-SUR-SEINE

DISTRIBUTION OF UNCLASSIFIED
FRANCE
AGARD PUBLICATIONS

Telefax (1)47.38-57.99 e Telex 610 176

AGARD holds limited quantities of the publications that accompanied Lecture Series
and Special Courses held in 1993 or later, and of
AGARDographs and Working Group reports published from 1993 onward. For details,
write or send a telefax to the address given above.
Please do not telephone.
AGARD does not hold stocks of publications that accompanied earlier Lecture Series
or Courses or of any other publications. Initial
distribution of all AGARD publications is made to NATO nations through the National
Distribution Centres listed below. Further copies are
sometimes available from these centres (except in the United States). If you have a
need to receive all AGARD publications, or just those
relating to one or more specific AGARD Panels, they may be willing to include you
(or your organisation) on their distribution list.
AGARD publications may be purchased from the Sales Agencies listed below, in
photocopy or microfiche form.
NATIONAL DISTRIBUTION CENTRES
BELGIUM LUXEMBOURG
Coordonnateur AGARD - VSL See
Belgium
Etat-major de la Force a6rienne
Quartier Elisabeth
Reine1140 NETHERLANDS
Delegation to AGARD
Rue d'Evere, Bruxelles
Netherlands
R dNational
Aerospace Laboratory, NLR
CANADA P.O. Box
90502
Director Scientific Information Services 1006 BM
Amsterdam
Dept of National Defence
Ottawa, Ontario KIA 0K2 NORWAY
DENMARK
Norwegian Defence Research Establishment
Danish Defence Research Establishment Attn:
Biblioteket
Ryvangs All6 1 P.O. Box
25
P.O. Box 2715 N-2007
Kjeller
DK-2100 Copenhagen 0 PORTUGAL
FRANCE Forga
A6rea Portuguesa
O.N.E.R.A. (Direction) Centro de
Documentagdo e Informaqdo
29 Avenue de la Division Leclerc Alfragide
92322 Chdtillon Cedex 2700
Amadora
GERMANY SPAIN
Fachinformationszentrum INTA
(AGARD Publications)
Karlsruhe Pintor
Rosales 34
D-7514 Eggenstein-Leopoldshafen 2 28008
Madrid
GREECE
Hellenic Air Force TURKEY
Air War College Milli
Savunma Ba§kanligi (MSB)
Scientific and Technical Library ARGE Daire
Ba~kanlig'i (MSB)
Dekelia Air Force Base Ankara
Dekelia, Athens TGA 1010 UNITED KINGDOM
ICELAND Defence
Research Information Centre
Director of Aviation Kentigern
House
c/o Flugrad 65 Brown
Street
Reykjavik Glasgow G2
8EX
ITALY
Aeronautica Militare UNITED STATES
Ufficio del Delegato Nazionale all'AGARD NASA
Headquarters
Aeroporto Pratica di Mare Code JOB-1
00040 Pomezia (Roma) Washington,
D.C. 20546

The United States National Distribution Centre does NOT hold stocks
of AGARD publications.
Applications for copies should be made direct to the NASA Center for AeroSpace
Information (CASI) at the address below.
Change of address requests should also go to
CASI.
SALES AGENCIES
NASA Center for ESA/Information Retrieval
Service The British Library
AeroSpace Information (CASI) European Space Agency
Document Supply Centre
800 Elkridge Landing Road 10, rue Mario Nikis
Boston Spa, Wetherby
Linthicum Heights, MD 21090-2934 75015 Paris
West Yorkshire LS23 7BQ
United States France
United Kingdom
Requests for microfiches or photocopies of AGARD documents (including requests to
CASI) should include the word 'AGARD'
and the AGARD serial number (for example AGARD-AG-315). Collateral information such
as title and publication date is
desirable. Note that AGARD Reports and Advisory Reports should be specified as
AGARD-R-nnn and AGARD-AR-nnn,
respectively. Full bibliographical references and abstracts of AGARD publications
are given in the following journals:
Scientific and Technical Aerospace Reports (STAR) Government
Reports Announcements and Index (GRA&I)
published by NASA Scientific and Technical published by the
National Technical Information Service
Information Division Springfield
 NASA Headquarters (JTT) Virginia 22161
Washington D.C. 20546 United States
United States (also available
online in the NTIS Bibliographic
Database or on
CD-ROM)

Printed by Canada Communication Group

45 Sacr4-Coeur Blvd., Hull (Qudbec), Canada
KJA 0S7

ISBN 92-836-1001-6