Case study
Angle of Attack Sensor Bias Envelope Protection Case Study
AoA sensor-bias case study with alpha disagreement, false envelope-protection trigger, source voting, filtering latency, degraded mode and release evidence.
This case study examines a biased angle-of-attack sensor that can trigger envelope protection even though the aircraft is not near stall. The engineering question is not whether one alpha vane is wrong. It is whether the control system detects the bad source before protection logic uses it in a way that changes aircraft response.
The scenario is realistic but not tied to one aircraft or accident. It is intended for engineering learning: sensor calibration, disagreement monitoring, filtering, protection thresholds, degraded modes and release evidence must be reviewed together.
Case context
A flight-test aircraft has three angle-of-attack channels. During a clean-configuration climb and mild maneuver, channel A reads several degrees higher than channels B and C. No pitot-static blockage is indicated, inertial data are stable and the aircraft response is normal. The flight-control system includes an alpha-based protection law that begins nose-down command blending near a protection threshold.
The review team must decide whether the event is a nuisance indication, a calibration problem, a monitoring logic problem or a release blocker.
Failure Boundary
The fault boundary is narrower than a complete flight-control validation program and wider than a sensor bench check. The case asks whether one biased AoA channel can remain valid long enough to influence protection commands. It does not redesign the aircraft control law, change the aerodynamic stall model or certify every high-alpha manoeuvre.
For this event, the protected functions are allowed to continue only if three claims are true:
- the biased source is detected before it can dominate the selected alpha value;
- the system enters a known degraded mode rather than silently blending a false protection command;
- true high-alpha cases still trigger valid protection after the monitor change.
This boundary prevents two weak dispositions. One weak disposition says “maintenance calibrated the vane, so release the aircraft” without proving the logic catches a recurrence. The other says “the monitor will reject the channel” without proving that real stall protection is still available after rejection.
Simplified data
Use one representative point from the event.
| Quantity | Value |
|---|---|
| pitch attitude, \(\theta\) | \(11.5^\circ\) |
| flight-path angle, \(\gamma\) | \(2.7^\circ\) |
| channel A angle of attack | \(12.5^\circ\) |
| channel B angle of attack | \(8.8^\circ\) |
| channel C angle of attack | \(9.0^\circ\) |
| alpha protection threshold | \(12.0^\circ\) |
| critical angle of attack estimate | \(15.0^\circ\) |
| old disagreement threshold | \(5.0^\circ\) peak-to-peak |
| proposed monitor threshold | \(2.5^\circ\) from median |
| alpha rate during maneuver | \(7.5^\circ/\text{s}\) |
| filter group delay | \(0.08\ \text{s}\) |
Channels B and C agree with each other and with flight reconstruction. Channel A is the suspect channel.
The dataset is deliberately compact. A real investigation would also inspect sideslip, flap configuration, Mach number, load factor, vane heater status, local flow distortion, calibration history, maintenance disturbance, signal quality, fault flags and pilot cue timing. The simplified point is still enough to show why alpha source selection is an aircraft-level safety issue.
Step 1: Reconstruct expected alpha
For small longitudinal angles:
Using the flight data:
This matches channels B and C:
The channel A bias relative to the reconstructed value is:
A \(3.7^\circ\) alpha bias is not a small display error when protection thresholds are only a few degrees away.
The reconstruction is not used as the production alpha source. It is an independent consistency check. If pitch attitude, flight-path angle, inertial acceleration, airspeed and aircraft response all support an alpha near \(9^\circ\), then a single channel at \(12.5^\circ\) needs fault treatment rather than averaging.
Step 2: Check false protection risk
The true reconstructed margin to the protection threshold is:
The channel A margin is:
If the protection law uses channel A directly, it can interpret a normal condition as a threshold exceedance. The margin to the estimated critical angle remains:
Engineering comment: the aircraft is not at the critical alpha estimate in this representative point. The hazard is a false or premature protection response driven by a biased input, not a real aerodynamic stall.
The operational effect depends on how the protection law blends commands. A small false nose-down command may be a nuisance during benign flight, but it can become a release blocker if it changes workload near terrain, during approach, during a climb segment or during envelope expansion. The hazard statement should therefore include both numerical margin and aircraft response.
Step 3: Evaluate disagreement monitoring
The old monitor uses peak-to-peak spread:
Because \(3.7^\circ < 5.0^\circ\), the old monitor does not reject the channel.
The proposed monitor compares each channel with the median. For channel A:
Because \(3.5^\circ > 2.5^\circ\), channel A is rejected after the persistence timer. Channels B and C remain valid because they are close to the median.
Source Selection and Persistence
Median voting is attractive for three channels because one high or low outlier cannot drag the selected value. It is not a complete safety argument by itself. The monitor also needs persistence time, reset logic, validity flags, annunciation and degraded-mode consequences.
For a persistence timer of \(0.40\ \text{s}\), the channel A deviation must remain above the threshold long enough:
If turbulence creates a brief spike, the monitor should avoid nuisance rejection. If a vane is biased, stuck or miscalibrated, the deviation should persist and force rejection. The selected value after rejection should be recorded explicitly:
After channel A is rejected, the remaining two channels need their own consistency rule. A two-channel system cannot identify which source is wrong from disagreement alone; it can only detect loss of agreement. The degraded-mode procedure should therefore restrict the envelope, change crew cues or require additional cross-checks if one more alpha disagreement appears.
Step 4: Include filter delay
Filtering reduces noisy vane motion but adds delay. At the observed alpha rate:
This lag is smaller than the channel A bias, but it is not negligible. If the protection threshold has only a small margin, filtering delay, sensor bias and quantization must be included together rather than reviewed separately.
Filtering also changes fault timing. A heavily filtered signal may delay both a false trip and a valid protection trigger. A lightly filtered signal may preserve timing but increase nuisance trips. The monitor threshold cannot be tuned only against smooth reconstructed data; it must be replayed against turbulence, sideslip, manoeuvre transients and real high-alpha approaches.
Aircraft-Level Response Check
A sensor monitor passes only if the aircraft response remains acceptable. The event replay should compare at least three simulations or HIL runs:
| Run | Fault condition | Expected response |
|---|---|---|
| nominal | all AoA channels valid | protection remains available and no false rejection occurs |
| false high A | channel A biased high by \(3.7^\circ\) | channel A is rejected before it drives protection |
| true high alpha | all channels rise consistently toward threshold | protection activates with required timing |
The false-high-alpha case checks nuisance or unsafe command blending. The true-high-alpha case protects against the opposite mistake: making the monitor so aggressive that it masks a real stall approach. Both cases must use the same software build, thresholds, filter settings and source-selection logic intended for release.
The response review should include pilot-visible cues. If the system silently degrades, the pilot may continue a test point believing full protection is available. If the annunciation is too sensitive, nuisance alerts can create distraction and unnecessary aborts. The release evidence should show the intended cue, procedure and limitation for a rejected AoA channel.
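The three replay runs in the table above, as an added Python sketch that is not code from this case study or from any flight-control product. It applies the page's thresholds (median deviation of 2.5°, old peak-to-peak limit of 5.0°, 0.40 s persistence, 12.0° protection threshold, 0.08 s filter delay) to constructed channel data. The 0.02 s sample period, the pure-delay filter model, the mean-of-two selection after a rejection and the `replay` function itself are assumptions made for illustration.

```python
from statistics import median

DT = 0.02                      # s, sample period (assumed, not from the page)
DEV_LIMIT = 2.5                # deg from median (page: proposed monitor)
SPREAD_LIMIT = 5.0             # deg peak-to-peak (page: old monitor)
PERSIST_N = round(0.40 / DT)   # samples in the 0.40 s persistence timer
DELAY_N = round(0.08 / DT)     # filter group delay as a pure delay (assumed model)
PROT = 12.0                    # deg, alpha protection threshold

def replay(samples):
    """Replay (A, B, C) samples in degrees; report what each monitor did."""
    count, valid, selected = [0, 0, 0], [True, True, True], []
    res = {"rejected": None, "reject_time": None, "old_trip": False,
           "prot_time": None, "raw_a_over_prot": False}
    for k, chans in enumerate(samples):
        res["old_trip"] |= max(chans) - min(chans) > SPREAD_LIMIT
        res["raw_a_over_prot"] |= chans[0] >= PROT   # law fed by A directly
        live = [x for x, ok in zip(chans, valid) if ok]
        if len(live) == 3:
            med = median(live)
            for i, x in enumerate(chans):
                count[i] = count[i] + 1 if abs(x - med) > DEV_LIMIT else 0
                if count[i] >= PERSIST_N:
                    valid[i] = False                 # latched rejection
                    res["rejected"], res["reject_time"] = "ABC"[i], (k + 1) * DT
            live = [x for x, ok in zip(chans, valid) if ok]
        # Three live channels: median. Two live: mean (assumed degraded rule).
        selected.append(median(live))
        delayed = selected[max(0, k - DELAY_N)]      # value seen by protection
        if res["prot_time"] is None and delayed >= PROT:
            res["prot_time"] = k * DT
    return res

N = 100  # 2.0 s of constructed data per run
nominal = [(8.9 + (3.0 if 25 <= k < 35 else 0.0), 8.8, 9.0) for k in range(N)]  # 0.2 s spike on A
false_high_a = [(12.5, 8.8, 9.0)] * N   # the page's representative point, held
true_high = [(a + 0.1, a - 0.1, a) for a in (9.0 + 7.5 * k * DT for k in range(N))]

if __name__ == "__main__":
    for name, run in [("nominal", nominal), ("false high A", false_high_a),
                      ("true high alpha", true_high)]:
        print(name, replay(run))
```

In the false-high run channel A is rejected 0.40 s in, the old peak-to-peak monitor never trips, and the selected alpha stays below the threshold even though channel A alone exceeds it. In the true-high run nothing is rejected and the modelled delay moves the protection trigger from 0.40 s to 0.48 s.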
Corrective action
The release package should include:
- inspection and recalibration of the channel A vane and resolver or transducer;
- maintenance check for alignment, freedom of motion, heating and contamination;
- updated disagreement monitor based on median deviation, not only peak-to-peak spread;
- persistence timer and nuisance-trip assessment;
- degraded-mode logic that prevents one rejected channel from driving protection;
- hardware-in-the-loop replay of the event;
- flight-test or simulation evidence for threshold crossing, sensor bias and turbulence;
- regression tests for valid high-alpha cases so real stall protection is not disabled.
The corrected logic should use a validated source selection rule. A simple screen is:
with channel rejection when:
for longer than a defined persistence time. Final implementation may be more complex, but the release record should show why it rejects a biased channel while still preserving protection in genuine high-alpha conditions.
Do not release a threshold change without regression testing low-speed manoeuvres. A monitor that works at one climb point may fail in sideslip, with flaps extended, with disturbed local flow, or during rapid pitch input. The corrective action should bind the calibration repair, software logic and operating limitations into one configuration.
Validation evidence and release decision
The event should not be released as “no fault found” because the old monitor allowed a biased channel to remain valid. A defensible release requires calibration evidence, replay evidence, fault-injection evidence and aircraft-level response evidence.
| Evidence item | Release question answered |
|---|---|
| vane inspection and calibration | is the failed source physically corrected or isolated? |
| channel residual trend | does the bias recur across temperature, speed and configuration? |
| HIL replay | does the software reject the biased channel on the recorded event? |
| fault injection | are frozen, biased, noisy and delayed channels detected? |
| true high-alpha regression | does real protection still activate in time? |
| degraded-mode procedure | do crew cues and limitations match the remaining redundancy? |
| configuration record | are sensor serials, software build, thresholds and filters controlled? |
The aircraft can return to the planned test envelope only after channel A calibration is corrected or the channel is removed from normal protection input, the revised monitor is verified, and the protection law is shown to behave correctly for both false-high-alpha and true-high-alpha cases. The release should state the approved configuration, software version, sensor serial numbers, thresholds, persistence times, filter settings, degraded-mode annunciation and open limitations.
For this case, unrestricted release is not justified from the original evidence. A restricted release can be defensible after the biased source is repaired or deselected, the median-deviation monitor is verified, and the test envelope excludes points that depend on full alpha-protection authority until regression evidence is complete.
Common mistakes
A common mistake is treating an angle-of-attack fault as a sensor-only maintenance item. In a protected aircraft, the sensor is part of the control law. Another mistake is validating nominal protection thresholds without injecting biased, frozen, noisy or delayed sensor inputs. A third is tightening disagreement thresholds without checking nuisance trips in turbulence, sideslip and rapid maneuvering. A strong review ties sensor calibration, voting logic, filtering, latency, degraded mode, pilot cues and flight-test evidence to one release decision.