Exercise set

Aircraft Control Laws, Envelope Protection, and Autopilot Exercises

Worked aircraft control exercises for phase margin, sampling, actuator limits, envelope protection, sensor bias, degraded modes, autopilot and validation.

These exercises focus on aircraft control-law implementation, envelope protection, autopilot functions, sensor limits, actuator limits, sampling, latency and validation gates. The aircraft dynamics must be understood separately; this page asks whether the control system preserves those margins in software, electronics and actuators.

Use these calculations as screening models. Flight release requires requirements traceability, software verification, hardware-in-the-loop testing, sensor calibration, actuator qualification, flight-test evidence and failure-mode procedures.

How to use these exercises

Use the set as a model-to-flight control release review. Exercises 1 to 4 establish delay, guarded phase margin, sampling rate and jitter. Exercises 5 to 9 check actuator rate, position saturation, load-factor protection, AoA bias and command limiting. Exercises 10 to 15 add autopilot tracking, quantization, sensor residuals, degraded authority, freeplay and filter lag. Exercises 16 to 18 connect proof testing, flight-test residuals and release gates.

Before calculating, name the control-law version, gain schedule, sensor source, actuator configuration, sampling period, failure mode, flight condition and protected variable. A loop can pass in a desktop model and fail after timing, filtering, actuator limits or degraded-mode logic are included. The engineering comment below each exercise identifies the evidence needed before the build can support simulator, HIL or flight-test expansion.

Release Evidence Notes

Control-law release evidence must connect model, sensor, software, actuator and flight-test data. A stable desktop model can fail after sampling, latency, rate limits, freeplay, sensor bias, quantization or degraded-mode logic are included.

The evidence package should separate loop evidence, implementation evidence and flight evidence. Loop evidence covers margins, frequency response and gain schedule. Implementation evidence covers sensor filtering, scheduler timing, jitter, quantization, actuator limits and software build. Flight evidence covers HIL results, simulator runs, test residuals, pilot cues, failure-mode procedures and envelope restrictions.

Release evidence should also identify the protected envelope variable and how the system behaves when the preferred sensor or actuator is unavailable. A nominal protection threshold is not enough if voting, degraded mode, annunciation or pilot-command blending is unclear.

Engineering Boundary Notes

Envelope protection is a safety function, not only a control feature. The acceptance case should state protected variable, sensor source, voting logic, actuator authority, pilot command blending, degraded-mode action and validation test. Treat pass results as readiness evidence for the stated mode, not as blanket approval for every configuration or failure case.

The main boundary is timing. Computation delay, sensor filtering, bus latency and actuator rate limits change stability and protection overshoot. The second boundary is authority: position limits, rate limits, trim offset, freeplay and degraded authority can all invalidate a command that looked feasible in the control law.

Common Release Mistakes

  • quoting phase margin before adding sensor filtering and computation delay;
  • sampling too slowly for the protected mode;
  • checking actuator position limit but not rate limit;
  • allowing sensor bias to move the protection threshold;
  • testing nominal mode while degraded mode has lower authority;
  • validating a model residual without a flight-test action rule.

Another common mistake is treating envelope protection as purely software. Protection depends on sensors, calibration, voting, actuator authority, cueing, pilot command blending and failure response. If any of those elements is not validated, the software threshold alone does not release the function.

Do not use a passing degraded-mode authority number without the trim, rate and timing context. One degree of spare authority can vanish under trim offset, rate limiting, aerodynamic load or pilot input priority.

Scenario Map

ScenarioMain calculationRelease decision
Loop margindelay, phase and gain marginRetune or release control law.
SamplingNyquist, aliasing and jitterSet processor and sensor rate.
Actuatorsaturation, rate and freeplayLimit command or resize actuator.
Envelope protectionload, AoA and speed thresholdsGuard flight limits.
Autopilottracking error and latencyAccept mode or restrict use.
Degraded modereduced authority and sensor failuresDefine safe operation.

Validation Package Checklist

  • control-law version and gain schedule;
  • sensor calibration, bias and voting evidence;
  • sampling period, jitter and computation delay;
  • actuator rate, position, freeplay and stiffness limits;
  • envelope threshold, guard band and pilot cue;
  • HIL, simulator and flight-test residual criteria.
  • degraded-mode entry, authority, annunciation and operational restriction;
  • software build, scheduler timing and regression evidence;
  • release action rule for failed margins, residuals or sensor disagreements.

A complete validation package should make the control release reproducible. Another engineer should be able to see which build was tested, what timing and actuator limits were included, which mode or failure case was covered and what restriction or retest follows if a margin gate fails.

Exercise 1: Delay Phase Lag

A pitch loop has crossover frequency:

\omega_c=8\ \text{rad/s}

Total computation and sensor delay is:

t_d=35\ \text{ms}

Estimate phase lag in degrees.

Solution

\phi_d=\omega_c t_d=8(0.035)=0.28\ \text{rad}
\displaystyle \phi_d=0.28\frac{180}{\pi}=16.0^\circ

Engineering Comment

Delay consumes phase margin directly. Add it before declaring a loop stable.

Plausibility Check

Higher crossover frequency or delay increases phase lag.

Exercise 2: Guarded Phase Margin

Nominal phase margin is 48^\circ. Delay consumes 16^\circ and filter uncertainty allowance is 5^\circ. Compute guarded margin.

Solution

PM_g=48-16-5=27^\circ

Engineering Comment

If requirement is 30^\circ, the loop fails and should be retuned or slowed.

Plausibility Check

Guarded margin is lower than nominal margin.

Exercise 3: Sampling Frequency

A protected mode has relevant frequency f=6\ \text{Hz}. Use a minimum sampling ratio of 10 samples per cycle. Compute required sampling rate.

Solution

f_s=10f=60\ \text{Hz}

Engineering Comment

Nyquist alone is not enough for control quality. Protection logic needs phase and timing margin.

Plausibility Check

The sampling rate is much higher than the signal frequency.

Exercise 4: Jitter Phase Screen

Sampling jitter is 4\ \text{ms} at \omega=12\ \text{rad/s}. Estimate phase uncertainty.

Solution

\phi_j=12(0.004)=0.048\ \text{rad}=2.75^\circ

Engineering Comment

Jitter should be included in the timing budget when margins are narrow.

Plausibility Check

Small jitter at moderate frequency creates a few degrees of uncertainty.

Exercise 5: Actuator Rate Limit

An elevator actuator can move 28^\circ/\text{s}. A command requires 12^\circ in 0.35\ \text{s}. Does it pass?

Solution

Required rate:

\displaystyle \dot{\delta}=\frac{12}{0.35}=34.3^\circ/\text{s}

Since 34.3>28, it fails.

Engineering Comment

The control law must limit command rate or use a different actuator.

Plausibility Check

Moving a large angle in short time demands high rate.

Exercise 6: Actuator Position Saturation

Autopilot command is 14^\circ elevator. Trim already uses 7^\circ and actuator limit is 20^\circ. Compute remaining reserve.

Solution

Total demand:

\delta=14+7=21^\circ

Reserve:

20-21=-1^\circ

Engineering Comment

The actuator saturates. The autopilot command should be limited or trim schedule revised.

Plausibility Check

Negative reserve means demand exceeds limit.

Exercise 7: Load-Factor Protection

Limit load factor is 3.8g. Protection threshold is set at 3.5g. Sensor uncertainty is 0.18g. Compute guarded threshold relative to limit.

Solution

Worst indicated threshold:

n_g=3.5+0.18=3.68g

Margin:

3.8-3.68=0.12g

Engineering Comment

The threshold passes narrowly. If latency allows overshoot above 0.12g, it is not safe.

Plausibility Check

Uncertainty moves the effective threshold toward the limit.

Exercise 8: Angle-of-Attack Bias

AoA protection triggers at 14.0^\circ. Sensor bias is +1.2^\circ and true stall warning should occur by 13.5^\circ. What true AoA triggers protection?

Solution

Indicated AoA is true plus bias:

\alpha_i=\alpha_t+1.2^\circ

Protection at \alpha_i=14.0^\circ occurs at:

\alpha_t=14.0-1.2=12.8^\circ

Engineering Comment

This conservative bias triggers early. A negative bias would be more dangerous.

Plausibility Check

Positive bias makes indicated angle larger than true angle.

Exercise 9: Roll-Rate Command Limit

Maximum allowed roll rate is 45^\circ/\text{s}. Pilot command requests 60^\circ/\text{s}. Control law gain maps command to roll rate one-to-one. Compute limited command.

Solution

The command must be clipped to:

p_{cmd}=45^\circ/\text{s}

Engineering Comment

Clipping should be smooth and annunciated if it changes handling expectations.

Plausibility Check

The limited value equals the maximum allowed rate.

Exercise 10: Autopilot Altitude Error

Altitude command is 8000\ \text{ft} and measured altitude is 7925\ \text{ft}. Compute tracking error.

Solution

e_h=8000-7925=75\ \text{ft}

Engineering Comment

Whether this passes depends on mode, turbulence and certification tolerance.

Plausibility Check

Measured altitude below command gives positive climb error.

Exercise 11: Quantization Step

A control-surface sensor spans \pm25^\circ over a 12-bit converter. Compute angular count size.

Solution

Total span:

50^\circ

Counts:

2^{12}=4096

Step:

\displaystyle \Delta=\frac{50}{4096}=0.0122^\circ

Engineering Comment

This resolution is likely adequate for position feedback, but noise and calibration can dominate.

Plausibility Check

Thousands of counts over tens of degrees gives hundredths of a degree per count.

Exercise 12: Sensor Residual Threshold

Two AoA sensors differ by 2.4^\circ. The monitor threshold is 2.0^\circ for more than 0.5\ \text{s}. Difference persists for 0.8\ \text{s}. Decide.

Solution

Magnitude condition:

2.4>2.0^\circ

Time condition:

0.8>0.5\ \text{s}

Both are met.

Engineering Comment

The monitor should flag disagreement and move to the defined degraded mode.

Plausibility Check

Both threshold and persistence exceed the limits.

Exercise 13: Degraded-Mode Authority

Normal elevator authority is 20^\circ. Degraded mode restricts authority to 70\%. A recovery manoeuvre requires 13^\circ. Does degraded mode pass?

Solution

Available degraded authority:

0.70(20)=14^\circ

Since 14^\circ>13^\circ, it passes with 1^\circ margin.

Engineering Comment

The margin is narrow and should include rate limit and trim offset.

Plausibility Check

Reduced authority is still above required authority.

Exercise 14: Freeplay Deadband

Control-surface freeplay is 0.35^\circ. Small-signal command amplitude is 1.4^\circ. Compute deadband fraction.

Solution

\displaystyle f=\frac{0.35}{1.4}=0.25=25\%

Engineering Comment

A deadband this large can degrade limit-cycle behaviour and handling quality.

Plausibility Check

Freeplay is one quarter of the small command amplitude.

Exercise 15: Low-Pass Filter Lag

A sensor low-pass filter has cutoff f_c=8\ \text{Hz}. At signal frequency f=3\ \text{Hz}, approximate phase lag:

\displaystyle \phi=-\tan^{-1}\left(\frac{f}{f_c}\right)

Solution

\displaystyle \phi=-\tan^{-1}\left(\frac{3}{8}\right)=-20.6^\circ

Engineering Comment

Filtering noise can cost substantial phase margin. The filter belongs in the loop model.

Plausibility Check

Signal frequency below cutoff still has noticeable phase lag.

Exercise 16: Interlock Proof-Test Interval

An envelope-protection interlock has dangerous undetected failure rate 1.0\times10^{-5}\ \text{per h}. Proof-test interval is 100\ \text{h}. Estimate average probability of dangerous failure during interval:

\displaystyle PFD_{avg}\approx\frac{\lambda T}{2}

Solution

\displaystyle PFD_{avg}=\frac{(1.0\times10^{-5})(100)}{2}=5.0\times10^{-4}

Engineering Comment

The interval must match the safety requirement and operational exposure.

Plausibility Check

Low failure rate and short interval produce a small probability.

Exercise 17: Flight-Test Model Residual

Predicted pitch-rate response peak is 5.2^\circ/\text{s} and flight-test peak is 5.8^\circ/\text{s}. Compute residual.

Solution

\displaystyle e=\frac{5.8-5.2}{5.2}=0.115=11.5\%

Engineering Comment

If limit is 10\%, the model should not be used for envelope expansion without update.

Plausibility Check

The test response is larger than prediction, so residual is positive.

Exercise 18: Control Release Gate

A control-law build has guarded phase margin 27^\circ against 30^\circ required, actuator rate demand 34.3^\circ/\text{s} against 28^\circ/\text{s} available, AoA protection conservative by 0.7^\circ and degraded authority margin 1^\circ. Decide release status.

Solution

Phase margin fails:

27^\circ<30^\circ

Rate limit fails:

34.3>28^\circ/\text{s}

AoA protection and degraded authority pass, but two control gates fail.

Engineering Comment

Do not release the build. Retune the loop, reduce crossover, revise actuator command shaping or change actuator authority before flight-test expansion.

Plausibility Check

Passing protection thresholds cannot compensate for failed stability and actuator-rate gates.

REF

See also