The F-35 is a 'more electric' airplane. (We'll get into the background of that choice later.) The entire flight control system is electrically powered with no hydraulic backup.
No electric, no airplane. Now that in itself is not unusual, except for two reasons. A total electrical failure -- even a transient lasting seconds -- in maneuvering flight could cause departure. Also, the need for high power to control an unstable 35-ton fighter drove the designers to a 270 VDC system, about 10 times the voltage of most airborne systems. Result: the F-35 electrical system is unique.
In the interests of reliability and integrity, the system is quad-redundant, within limits. The normal inflight source of power is the unit that failed on March 9, the engine starter generator (ESG) made by Hamilton Sundstrand (which is also in overall charge of the electrical system).
The ESG is geared to the engine shaft. It starts the engine in motor mode (rather than an air turbine from a start cart or APU, which is the usual method) as well as generating volts when the engine's running. It provides 160 kW -- more than the engine of a Cirrus SR20 aircraft.
It was redesigned under a 2004 contract to save 100 pounds in weight, and it is that design, the Alternate ESG, that has been the problem child here. Part of the redesign was 'to combine the permanent magnetic generator and F135 permanent magnetic alternator', so the AESG comprises two generator/motor sets, but they are solidly locked to a single shaft -- which is why a single failure could take both out of action.
The third level of redundancy (used to get AF-4 home) is the Honeywell Integrated Power Pack, a unique widget that combines the normal functions of a back-up generator, APU/starter, emergency power unit and the air cycle machine (ACM) that runs the environmental control system.
In normal flight, the IPP is running on engine bleed air as an ACM, providing cooling to a fluid loop that in turn cools the avionics and other systems. It also has a combustor and runs in 'bleed and burn' mode for engine starting, or as an EPU if the engine fails, giving the pilot time to attempt a restart. When the AESG went out in the latest incident, the generator attached to the IPP shaft kicked in as planned, providing up to 80 kVA of power.
The fourth level of redundancy is a 90-pound lithium-ion battery made by a US subsidiary of France's Saft. Its main tasks are to start the IPP (using the IPP generator as a motor) so the IPP can start the engine, to act as an uninterruptible power supply in case of any transient hangups and provide enough power for an emergency landing if everything else fails.
The whole shooting match is controlled by a system from GE Aerospace in England, the former Smiths Aerospace. (At least it's not Lucas.)
The outlines of this system emerged from an early-1990s technology effort called Joint Integrated Subsystem Technology or J/IST. The JSF concept demonstration aircraft (CDA) program funded J/IST through flight testing on an F-16.
It sounds complicated, and it is -- the IPP and its surrounding ducts and fluid lines would be a steampunk's dream if you made it out of copper and brass. However, the overall goal was to make things simpler.
The normal engine accessory drive -- a complex box of gears and shafts that drives generators and hydraulic pumps and includes constant-speed drives for the generators -- is gone. (The DC system does not need constant speed.) There is a limited hydraulic system for the landing gear, brakes and weapon bay doors. The IPP and battery replace three separate units and the aircraft can start itself without ground power. (It eliminates the F-16's unique hydrazine EPU, removing that nasty stuff from the logistics chain. Perrier, hydrazine ain't.)
The JSF system was also designed to handle the complicated cooling problems of a stealthy aircraft. Overall, the goal was to save weight, volume and maintenance cost -- way back, the goal was to reduce life-cycle cost by 12 percent relative to the F-16 -- as seen in this chart from 2001.
Of course, there are always compromises. You can't just drive control surfaces with electric motors and gears -- they are considered susceptible to jamming -- so you need electrohydraulic actuators with dual-redundant electric pumps, which run on the big side for flaperons and stabilizers.
Air loads on the control surfaces have to be resisted by electrical force, turning the pump motors into generators. Today's system has no place to put that power, so it has to be dumped as heat -- contributing to an overall thermal management problem. Also, the tendency of the 270 VDC system to arcing -- particularly in low air pressure -- caused the near-loss of prototype AA-1 and a long grounding.
Summing up: The dual-redundant AESG is the foundation of a flight-critical system, but was taken out by a single lubrication problem that reared its head very early in the test program. Although the immediate problem has been fixed, the next step -- in safety engineering terms -- will be to see what other failure modes could do the same thing.
There are efforts under way to improve the system. Navair issued a small business innovation research solicitation last in August calling for more robust controls, and Graham Warwick has reported on the USAF's Invent program, which is looking at a more thermally efficient hybrid architecture for stealthy aircraft.
By the way, Atomic Walrus suggests in the comments to Graham's post that the ESG isn't designed to be redundant. Lockheed Martin says specifically that it was. I don't think you want one failure to leave you with one-and-a-half backups -- at the best of times, recovering on the battery will not be a comfortable situation.
Another observation -- relevant to future programs -- is that the electrical problems (both this one and the AA-1 incident) have arisen from the use of a new system which, while it may have net advantages, is not core to the aircraft's capability -- you could in theory build a STOVL stealth fighter without it.
The same goes for another headache area, the wide-field-of-view video helmet and HUD-less cockpit. The lesson may be that any innovations that fall into the nice-to-have rather than mission-essential capability should be low-risk when you incorporate them into the design.
Also, after last year's F-35B bulkhead failure, this is the second serious issue linked directly to the weight-reduction efforts of 2004."
No comments:
Post a Comment