Exercise set
Aircraft Control Laws, Envelope Protection, and Autopilot Exercises
Worked aircraft control exercises for phase margin, sampling, actuator limits, envelope protection, sensor bias, degraded modes, autopilot and validation.
These exercises focus on aircraft control-law implementation, envelope protection, autopilot functions, sensor limits, actuator limits, sampling, latency and validation gates. The aircraft dynamics must be understood separately; this page asks whether the control system preserves those margins in software, electronics and actuators.
Use these calculations as screening models. Flight release requires requirements traceability, software verification, hardware-in-the-loop testing, sensor calibration, actuator qualification, flight-test evidence and failure-mode procedures.
How to use these exercises
Use the set as a model-to-flight control release review. Exercises 1 to 4 establish delay, guarded phase margin, sampling rate and jitter. Exercises 5 to 9 check actuator rate, position saturation, load-factor protection, AoA bias and command limiting. Exercises 10 to 15 add autopilot tracking, quantization, sensor residuals, degraded authority, freeplay and filter lag. Exercises 16 to 18 connect proof testing, flight-test residuals and release gates.
Before calculating, name the control-law version, gain schedule, sensor source, actuator configuration, sampling period, failure mode, flight condition and protected variable. A loop can pass in a desktop model and fail after timing, filtering, actuator limits or degraded-mode logic are included. The engineering comment below each exercise identifies the evidence needed before the build can support simulator, HIL or flight-test expansion.
Release Evidence Notes
Control-law release evidence must connect model, sensor, software, actuator and flight-test data. A stable desktop model can fail after sampling, latency, rate limits, freeplay, sensor bias, quantization or degraded-mode logic are included.
The evidence package should separate loop evidence, implementation evidence and flight evidence. Loop evidence covers margins, frequency response and gain schedule. Implementation evidence covers sensor filtering, scheduler timing, jitter, quantization, actuator limits and software build. Flight evidence covers HIL results, simulator runs, test residuals, pilot cues, failure-mode procedures and envelope restrictions.
Release evidence should also identify the protected envelope variable and how the system behaves when the preferred sensor or actuator is unavailable. A nominal protection threshold is not enough if voting, degraded mode, annunciation or pilot-command blending is unclear.
Engineering Boundary Notes
Envelope protection is a safety function, not only a control feature. The acceptance case should state protected variable, sensor source, voting logic, actuator authority, pilot command blending, degraded-mode action and validation test. Treat pass results as readiness evidence for the stated mode, not as blanket approval for every configuration or failure case.
The main boundary is timing. Computation delay, sensor filtering, bus latency and actuator rate limits change stability and protection overshoot. The second boundary is authority: position limits, rate limits, trim offset, freeplay and degraded authority can all invalidate a command that looked feasible in the control law.
Common Release Mistakes
- quoting phase margin before adding sensor filtering and computation delay;
- sampling too slowly for the protected mode;
- checking actuator position limit but not rate limit;
- allowing sensor bias to move the protection threshold;
- testing nominal mode while degraded mode has lower authority;
- validating a model residual without a flight-test action rule.
Another common mistake is treating envelope protection as purely software. Protection depends on sensors, calibration, voting, actuator authority, cueing, pilot command blending and failure response. If any of those elements is not validated, the software threshold alone does not release the function.
Do not use a passing degraded-mode authority number without the trim, rate and timing context. One degree of spare authority can vanish under trim offset, rate limiting, aerodynamic load or pilot input priority.
Scenario Map
| Scenario | Main calculation | Release decision |
|---|---|---|
| Loop margin | delay, phase and gain margin | Retune or release control law. |
| Sampling | Nyquist, aliasing and jitter | Set processor and sensor rate. |
| Actuator | saturation, rate and freeplay | Limit command or resize actuator. |
| Envelope protection | load, AoA and speed thresholds | Guard flight limits. |
| Autopilot | tracking error and latency | Accept mode or restrict use. |
| Degraded mode | reduced authority and sensor failures | Define safe operation. |
Validation Package Checklist
- control-law version and gain schedule;
- sensor calibration, bias and voting evidence;
- sampling period, jitter and computation delay;
- actuator rate, position, freeplay and stiffness limits;
- envelope threshold, guard band and pilot cue;
- HIL, simulator and flight-test residual criteria.
- degraded-mode entry, authority, annunciation and operational restriction;
- software build, scheduler timing and regression evidence;
- release action rule for failed margins, residuals or sensor disagreements.
A complete validation package should make the control release reproducible. Another engineer should be able to see which build was tested, what timing and actuator limits were included, which mode or failure case was covered and what restriction or retest follows if a margin gate fails.
Exercise 1: Delay Phase Lag
A pitch loop has crossover frequency:
Total computation and sensor delay is:
Estimate phase lag in degrees.
Solution
Engineering Comment
Delay consumes phase margin directly. Add it before declaring a loop stable.
Plausibility Check
Higher crossover frequency or delay increases phase lag.
Exercise 2: Guarded Phase Margin
Nominal phase margin is 48^\circ. Delay consumes 16^\circ and filter uncertainty allowance is 5^\circ. Compute guarded margin.
Solution
Engineering Comment
If requirement is 30^\circ, the loop fails and should be retuned or slowed.
Plausibility Check
Guarded margin is lower than nominal margin.
Exercise 3: Sampling Frequency
A protected mode has relevant frequency f=6\ \text{Hz}. Use a minimum sampling ratio of 10 samples per cycle. Compute required sampling rate.
Solution
Engineering Comment
Nyquist alone is not enough for control quality. Protection logic needs phase and timing margin.
Plausibility Check
The sampling rate is much higher than the signal frequency.
Exercise 4: Jitter Phase Screen
Sampling jitter is 4\ \text{ms} at \omega=12\ \text{rad/s}. Estimate phase uncertainty.
Solution
Engineering Comment
Jitter should be included in the timing budget when margins are narrow.
Plausibility Check
Small jitter at moderate frequency creates a few degrees of uncertainty.
Exercise 5: Actuator Rate Limit
An elevator actuator can move 28^\circ/\text{s}. A command requires 12^\circ in 0.35\ \text{s}. Does it pass?
Solution
Required rate:
Since 34.3>28, it fails.
Engineering Comment
The control law must limit command rate or use a different actuator.
Plausibility Check
Moving a large angle in short time demands high rate.
Exercise 6: Actuator Position Saturation
Autopilot command is 14^\circ elevator. Trim already uses 7^\circ and actuator limit is 20^\circ. Compute remaining reserve.
Solution
Total demand:
Reserve:
Engineering Comment
The actuator saturates. The autopilot command should be limited or trim schedule revised.
Plausibility Check
Negative reserve means demand exceeds limit.
Exercise 7: Load-Factor Protection
Limit load factor is 3.8g. Protection threshold is set at 3.5g. Sensor uncertainty is 0.18g. Compute guarded threshold relative to limit.
Solution
Worst indicated threshold:
Margin:
Engineering Comment
The threshold passes narrowly. If latency allows overshoot above 0.12g, it is not safe.
Plausibility Check
Uncertainty moves the effective threshold toward the limit.
Exercise 8: Angle-of-Attack Bias
AoA protection triggers at 14.0^\circ. Sensor bias is +1.2^\circ and true stall warning should occur by 13.5^\circ. What true AoA triggers protection?
Solution
Indicated AoA is true plus bias:
Protection at \alpha_i=14.0^\circ occurs at:
Engineering Comment
This conservative bias triggers early. A negative bias would be more dangerous.
Plausibility Check
Positive bias makes indicated angle larger than true angle.
Exercise 9: Roll-Rate Command Limit
Maximum allowed roll rate is 45^\circ/\text{s}. Pilot command requests 60^\circ/\text{s}. Control law gain maps command to roll rate one-to-one. Compute limited command.
Solution
The command must be clipped to:
Engineering Comment
Clipping should be smooth and annunciated if it changes handling expectations.
Plausibility Check
The limited value equals the maximum allowed rate.
Exercise 10: Autopilot Altitude Error
Altitude command is 8000\ \text{ft} and measured altitude is 7925\ \text{ft}. Compute tracking error.
Solution
Engineering Comment
Whether this passes depends on mode, turbulence and certification tolerance.
Plausibility Check
Measured altitude below command gives positive climb error.
Exercise 11: Quantization Step
A control-surface sensor spans \pm25^\circ over a 12-bit converter. Compute angular count size.
Solution
Total span:
Counts:
Step:
Engineering Comment
This resolution is likely adequate for position feedback, but noise and calibration can dominate.
Plausibility Check
Thousands of counts over tens of degrees gives hundredths of a degree per count.
Exercise 12: Sensor Residual Threshold
Two AoA sensors differ by 2.4^\circ. The monitor threshold is 2.0^\circ for more than 0.5\ \text{s}. Difference persists for 0.8\ \text{s}. Decide.
Solution
Magnitude condition:
Time condition:
Both are met.
Engineering Comment
The monitor should flag disagreement and move to the defined degraded mode.
Plausibility Check
Both threshold and persistence exceed the limits.
Exercise 13: Degraded-Mode Authority
Normal elevator authority is 20^\circ. Degraded mode restricts authority to 70\%. A recovery manoeuvre requires 13^\circ. Does degraded mode pass?
Solution
Available degraded authority:
Since 14^\circ>13^\circ, it passes with 1^\circ margin.
Engineering Comment
The margin is narrow and should include rate limit and trim offset.
Plausibility Check
Reduced authority is still above required authority.
Exercise 14: Freeplay Deadband
Control-surface freeplay is 0.35^\circ. Small-signal command amplitude is 1.4^\circ. Compute deadband fraction.
Solution
Engineering Comment
A deadband this large can degrade limit-cycle behaviour and handling quality.
Plausibility Check
Freeplay is one quarter of the small command amplitude.
Exercise 15: Low-Pass Filter Lag
A sensor low-pass filter has cutoff f_c=8\ \text{Hz}. At signal frequency f=3\ \text{Hz}, approximate phase lag:
Solution
Engineering Comment
Filtering noise can cost substantial phase margin. The filter belongs in the loop model.
Plausibility Check
Signal frequency below cutoff still has noticeable phase lag.
Exercise 16: Interlock Proof-Test Interval
An envelope-protection interlock has dangerous undetected failure rate 1.0\times10^{-5}\ \text{per h}. Proof-test interval is 100\ \text{h}. Estimate average probability of dangerous failure during interval:
Solution
Engineering Comment
The interval must match the safety requirement and operational exposure.
Plausibility Check
Low failure rate and short interval produce a small probability.
Exercise 17: Flight-Test Model Residual
Predicted pitch-rate response peak is 5.2^\circ/\text{s} and flight-test peak is 5.8^\circ/\text{s}. Compute residual.
Solution
Engineering Comment
If limit is 10\%, the model should not be used for envelope expansion without update.
Plausibility Check
The test response is larger than prediction, so residual is positive.
Exercise 18: Control Release Gate
A control-law build has guarded phase margin 27^\circ against 30^\circ required, actuator rate demand 34.3^\circ/\text{s} against 28^\circ/\text{s} available, AoA protection conservative by 0.7^\circ and degraded authority margin 1^\circ. Decide release status.
Solution
Phase margin fails:
Rate limit fails:
AoA protection and degraded authority pass, but two control gates fail.
Engineering Comment
Do not release the build. Retune the loop, reduce crossover, revise actuator command shaping or change actuator authority before flight-test expansion.
Plausibility Check
Passing protection thresholds cannot compensate for failed stability and actuator-rate gates.