Maker Pro

Honeywell KFC-225 autopilot - what could cause this failure?

Peter

Jan 1, 1970
In the two years from new I have had perhaps a dozen failures. Some of
these are in the computer unit (e.g. sudden selection of +2000fpm or
-2000fpm VS, with interesting results especially if the latter...)
whereas others have been in the roll servos (several have failed, the
last one having burned out a component on the circuit board).

The most worrying feature is the software design which doesn't seem to
act on or even report total control failures. The following is a video
I did showing that a total failure in roll control (this is the
above-mentioned burned out roll servo)

www.peter2000.co.uk/aviation/kfc225-1.html

doesn't get noticed by the AP at all; it just sits there quite
happily, even though obviously the control loop error must be
constantly increasing...

I have just had a different failure, this time in pitch, but the
manifestation is the same. The AP was in a simple altitude-hold
heading-bug mode, and suddenly the plane dived from 2400ft to 2000ft,
at which point the red button was used to disconnect it. Subsequently,
it would not hold altitude, very slowly climbing. It would also not
intercept a preset altitude. At no time did the computer show any
fault condition. I have no video of this one but two engineers as
witnesses.

The inability to hold altitude happened once before, several months
ago, briefly, and didn't come back.

Both altimeters are fine and agree with the GPS altitude. As far as I
can tell, the transponder's flight level readout (which comes from the
same encoding altimeter as the AP is driven from) has always been fine
too. Is it possible for the Gillham code to the AP to be corrupted,
without the AP noticing this? Gillham Code is the same as Gray Code; only 1
bit changing at a time, so corruption should be obvious.

Is it possible for the baro subscale pot output (which is analog
AFAIK) to get disconnected, without the AP noticing this? There is
certainly the potential for at least 1000ft of deviation if the
subscale signal was faulty.

Ground tests have, I gather, shown nothing wrong. This doesn't mean
very much because I know the KFC225 passes the standard preflight self
tests even with the roll servo burned out! The problem here is that
while an avionics engineer can attach a laptop to the unit and check
that it is getting the correct inputs (the Gillham code from the
encoding altimeter, the voltage from the altimeter's baro subscale
pot, etc, and he can see if there is anything in the error log), this
cannot be at all easily done in flight. There is no way to isolate
faults unless they are obvious on the ground.

The roll servo is a brand new unit, not a reworked one, which has just
been fitted, so if that is faulty, it lasted just half an hour in the
air... The reason I think it might be faulty is that I have
established the KFC225 doesn't notice a dud roll servo, so it probably
doesn't notice a dud pitch servo. It should notice a dud pitch TRIM
servo, in that there is a timeout on how long the trim is driven for
before it automatically disconnects; that's an obvious
certification/safety requirement.

The pitch trim portion is driven from a strain gauge fitted to the
pitch servo, and the pitch trim servo drives the pitch trim so as to
maintain the strain within some limits. (It isn't all that precise
because the aircraft is usually slightly out of trim when the AP is
disconnected). Now... if the pitch servo was dud, or doing its own
thing, or was commanded to do something spurious, would there be a
trim problem? I don't think so, and in the last failure there wasn't.

This system has a history of faults which left no trace on the ground
(except the burned-out servo(s), nothing was ever found; if Honeywell
found a fault subsequently they certainly didn't say so). The computer
unit has been changed twice.

Can anyone suggest any way forward, anything that could be done to
narrow it down?


Peter.
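
The check the post above says is missing (a control loop whose error keeps growing without any fault being raised) can be sketched as a small monitor. This is an added example, not code from any poster or from Honeywell; the limits, the names `loop_monitor`, `monitor_step` and `simulate_roll`, and the toy aircraft response are all assumptions made for illustration.

```c
#include <stdbool.h>

/* Assumed monitor limits for illustration; not KFC-225 values. */
#define ERR_LIMIT_DEG   5.0   /* loop error treated as "large" */
#define ERR_SHRINK_DEG  0.01  /* per-sample improvement that counts as converging */
#define PERSIST_SAMPLES 20    /* consecutive bad samples before latching a fault */

typedef struct {
    double prev_abs_err;  /* |commanded - measured| at the previous sample */
    int    bad_count;     /* consecutive samples with large, non-shrinking error */
    bool   fault;         /* latched once set; cleared only by monitor_init() */
} loop_monitor;

void monitor_init(loop_monitor *m)
{
    m->prev_abs_err = 0.0;
    m->bad_count = 0;
    m->fault = false;
}

/* Feed one sample of commanded and measured bank angle (degrees).
 * Returns true once the fault is latched, so the caller can disconnect
 * the servo and annunciate instead of carrying on silently. */
bool monitor_step(loop_monitor *m, double commanded, double measured)
{
    double err = commanded - measured;
    double abs_err = err < 0 ? -err : err;
    bool large = abs_err > ERR_LIMIT_DEG;
    bool converging = abs_err < m->prev_abs_err - ERR_SHRINK_DEG;

    if (large && !converging) {
        if (++m->bad_count >= PERSIST_SAMPLES)
            m->fault = true;
    } else {
        m->bad_count = 0;  /* healthy loop: error is small or is being closed */
    }
    m->prev_abs_err = abs_err;
    return m->fault;
}

/* Constructed test plant: a 15 degree bank command from wings level.
 * A live servo closes 20% of the error per sample; a dead servo leaves
 * the aircraft drifting 0.5 degree per sample the wrong way.
 * Returns the sample index at which the fault latches, or -1 if never. */
int simulate_roll(bool servo_alive, int samples)
{
    loop_monitor m;
    double commanded = 15.0, measured = 0.0;

    monitor_init(&m);
    for (int i = 0; i < samples; i++) {
        if (monitor_step(&m, commanded, measured))
            return i;
        if (servo_alive)
            measured += 0.2 * (commanded - measured);
        else
            measured -= 0.5;
    }
    return -1;
}
```

The persistence count keeps a normal step command, where the error is large but shrinking, from tripping the monitor.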
 
martin griffith

Jan 1, 1970
Peter said:
In the two years from new I have had perhaps a dozen failures. Some of
these are in the computer unit (e.g. sudden selection of +2000fpm or
-2000fpm VS, with interesting results especially if the latter...)
whereas others have been in the roll servos (several have failed, the
last one having burned out a component on the circuit board).
snip
Can anyone suggest any way forward, anything that could be done to
narrow it down?


Peter.

You could post this message on comp.arch.embedded, but IMHO, it's a
software bug, that Honeywell should sort out. Without access to the
source code, or good diagnostics you will have one hell of a time
figuring out what's happening.

Anyone make a better AP??



martin

Serious error.
All shortcuts have disappeared.
Screen. Mind. Both are blank.
 
Joerg

Jan 1, 1970
Hi Peter,

The mpeg didn't play for me but just a few thoughts:

Since they say they couldn't reproduce it on the ground, could this be a
noise issue? Possible sources would be the radio, a transponder
transmission, engine ignition, maybe a motor driven trim, fuel equalizer
pump if you have one. Just think about other stuff on your aircraft that
produces either RF or commutation noise and comes on automatically and
possibly unnoticed by the pilot.

I have seen such noise become a real problem with composite structures.

Regards, Joerg
 
Peter

Jan 1, 1970
Joerg said:
Hi Peter,

The mpeg didn't play for me but just a few thoughts:

Since they say they couldn't reproduce it on the ground, could this be a
noise issue? Possible sources would be the radio, a transponder
transmission, engine ignition, maybe a motor driven trim, fuel equalizer
pump if you have one. Just think about other stuff on your aircraft that
produces either RF or commutation noise and comes on automatically and
possibly unnoticed by the pilot.

I have seen such noise become a real problem with composite structures.

Regards, Joerg

Yes Joerg, very possibly. However I have done 250 hrs in this
aircraft, using the autopilot in much the same way whenever I have
used it, perhaps 30% of those hours. It has gone for as much as (!!)
50 airborne hours between failures, so if it was noise I would have
expected it to happen a lot more often.

I do have EMC issues, e.g. VHF transmission causes the oil pressure to
go to zero, but that is common on this type and variant (TB20GT) and
the reason for that is fairly obvious: a poorly filtered input on the
diff amplifier on the pressure transducer input.

It is possible that autopilot failures correlate to proximity of
ground radar... The wiring is of generally very high standard though;
I've been doing hardware/software design for 25 years and can see some
things...

The bottom line is whether servos should burn out, no matter what. The
KFC-225 has only one processor (I have the schematics) and the
software didn't appear to crash outright in any of the failures.
 
Joerg

Jan 1, 1970
Hi Peter,

As far as I know the Socata TB20 is metal but has a composite cabin,
cowl and tail. Ground Radar is one source and when you fly through a
powerful long range beam that can really upset electronics. These are
hard to discern because it can happen tens of miles from the site and
their antennas turn slowly. But the software should recover. I don't
know about aerospace electronics but in medical we must demonstrate that
our systems come back to normal within seconds after a defibrillator
hit. If they remain in la la land instead of recovering we would not get
the agency blessing.

Anyway, there is another noise source but this one could only be
correlated if you'd record the NAV or GPS data the instant the AP quits.
There could be a high powered AM station on the ground. Also, some VHF
and UHF TV transmitters use highly directional antennas so you might get
hit with the full brunt well after passing a mast. They also concentrate
the beam to a very narrow vertical range of just a few degrees, mostly
to save energy costs. Therefore, the magnitude of the EMI effect depends
on the altitude when you fly through their antenna pattern. Last but not
least there are satellite feeder stations for TV and communications
which work with a beam width of just a few degrees and point upward. Due
to the narrow beam width the field strength can be tremendous. Again,
these can often be identified as a cause if the location where the AP
fails happens to correlate.

Then there is always the chance that a certain data pattern the AP sees
upsets the software. But that would be a very bad sign.

There is a way to test for at least some of the EMI behavior but it
would have to happen in a shielded environment and that can be expensive
or hard to find. You can blast the unit with variable frequencies. It is
a test that all systems have to go through after completing a design.
What I do for pre-compliance is a trick that can pinpoint vulnerable
spots: I use an EMCO near field probe kit (little loop and point
antennas on a stick with a BNC at the end) or just a 2" loop soldered to
a coax if I don't have the kit with me. Then I send a few watts into the
probe and go over the unit under test in a dowsing rod fashion. It is
tedious but usually finds the culprit.

The oil pressure EMI issue is a bit scary. Does Socata know about that?
They should really fix this. Protecting an input from EMI isn't rocket
science. If it is legal you could use ferrite toroids and have these
affixed on the cable bundle right before the gauge or its electronics
box if it has a separate one. 43 material (Amidon) works pretty good at
VHF. Even Radio Shack has some but in aircraft I'd stay away from the
snap-on cores because they can come off when you hit rough air.

Regards, Joerg
 
Everett M. Greene

Jan 1, 1970
Peter said:
The bottom line is whether servos should burn out, no matter what. The
KFC-225 has only one processor (I have the schematics) and the
software didn't appear to crash outright in any of the failures.

There was some discussion recently in one of the embedded
computing newsgroups about damage that can occur if motors
aren't driven properly (as in correct waveform, duration,
etc.).
 
Joerg

Jan 1, 1970
Hi Peter,

In addition to Everett's post, why do these servos burn out? Did the
manufacturer of the servos comment? I would assume they should be
protected by some means such as a circuit breaker against excessive
stress, no matter whether that is due to faulty control signals or a
jammed output load.

Regards, Joerg
 
Dan Luke

Jan 1, 1970
Joerg said:
In addition to Everett's post, why do these servos burn
out? Did the manufacturer of the servos comment? I
would assume they should be protected by some means
such as a circuit breaker against excessive stress, no
matter whether that is due to faulty control signals or a
jammed output load.

Servos also have a finite number of repositions before failure. An
autopilot that was excessively sensitive might overwork the servos and
cause premature failure.
 
Joerg

Jan 1, 1970
Hi Dan,

Dan Luke said:
Servos also have a finite number of repositions before failure. An
autopilot that was excessively sensitive might overwork the servos and
cause premature failure.

Wouldn't the pilot feel if the auto pilot issued lots of servo
repositionings? I am not a pilot but I could imagine that would make for
a pretty uncomfortable flight. At least for the passengers.

I had seen that once as a passenger where we got into weather. Pretty
wild until the pilot turned off the AP and flew by hand, commenting "it
can't handle this kind of stuff".

Regards, Joerg
 
Everett M. Greene

Jan 1, 1970
Dan Luke said:
Servos also have a finite number of repositions before failure. An
autopilot that was excessively sensitive might overwork the servos and
cause premature failure.

I'm no expert on autopilot servos, but I do know something
about electric motors in general and would question the
statement about the number of repositions before failure.
Unless a motor is overloaded, it should last nigh onto
forever.
 
Dan Luke

Jan 1, 1970
Everett M. Greene said:
I'm no expert on autopilot servos, but I do
know something about electric motors in
general and would question the statement
about the number of repositions before failure.
Unless a motor is overloaded, it should last
nigh onto forever.

My experience is with electric actuators (servomotors) for valves and
dampers. Specifications for these devices list the lifetime
repositions. Direct digital control parameters that are too "tight"
will cause early failure of these actuators. Perhaps it is other
components (feedback pots possibly) in the servos that fail.
 
Dan Luke

Jan 1, 1970
Joerg said:
Wouldn't the pilot feel if the auto pilot issued lots
of servo repositionings? I am not a pilot but I could
imagine that would make for a pretty uncomfortable
flight. At least for the passengers.

Hmm, good question. Still, it might be possible that rapid, very small
repositions could be imperceptible. I was just taking a wild shot at
this one.
 
Peter

Jan 1, 1970
Joerg said:
As far as I know the Socata TB20 is metal but has a composite cabin,
cowl and tail. Ground Radar is one source and when you fly through a
powerful long range beam that can really upset electronics. These are
hard to discern because it can happen tens of miles from the site and
their antennas turn slowly. But the software should recover. I don't
know about aerospace electronics but in medical we must demonstrate that
our systems come back to normal within seconds after a defibrillator
hit. If they remain in la la land instead of recovering we would not get
the agency blessing.

Joerg - thank you for the detailed thoughts. It is what I would have
expected too.

Looking at the kfc225 computer unit schematic, there is just one CPU
(68hc16) and no watchdog. I would have expected this type of product
to either crash comprehensively, or not at all. Regarding the altitude
hold failure, I have not seen this; the AP seems to run just fine; it
just doesn't hold altitude :)

Joerg said:
The oil pressure EMI issue is a bit scary. Does Socata know about that?
They should really fix this. Protecting an input from EMI isn't rocket
science. If it is legal you could use ferrite toroids and have these
affixed on the cable bundle right before the gauge or its electronics
box if it has a separate one. 43 material (Amidon) works pretty good at
VHF. Even Radio Shack has some but in aircraft I'd stay away from the
snap-on cores because they can come off when you hit rough air.

Yes, they know about it well. I think some 100nF ceramics across the
diff amp input, and some more to ground, would do it just fine. Not
sure about the paperwork though :)

Today I've discovered that once the kfc-225 is in level flight and
holding altitude, it doesn't use the gray code data from the encoding
altimeter - it uses its own internal encoding air pressure sensor.
This rules out the altimeter problem, and narrows it down to the
computer unit, or very few other things like the input from the
altimeter subscale pot (which it still uses).

I've often wondered whether these avionics failures are triggered by a
radar or some other high power radio/microwave signal. The test, I
think, is whether it remains there, and this altitude problem has
remained.

The problem is that the ability of any ground based engineers to
diagnose the product is very limited, due to the really dumb firmware.


Peter.
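
A plausibility check on a Gray-coded altitude input, such as the encoding altimeter feed discussed in this thread, written as an added example that is not from any poster or from Honeywell. It assumes plain reflected binary Gray code rather than the real Gillham bit layout, one count per 100 ft, and a hypothetical `max_step` limit; the sample stream is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Plain reflected binary Gray code, used here as a stand-in for the
 * real Gillham bit assignment. One count = 100 ft (assumption). */
uint16_t gray_encode(uint16_t n)
{
    return (uint16_t)(n ^ (n >> 1));
}

uint16_t gray_decode(uint16_t g)
{
    uint16_t b = g;
    b ^= b >> 1;   /* prefix XOR: each binary bit is the XOR of all */
    b ^= b >> 2;   /* Gray bits at or above its position            */
    b ^= b >> 4;
    b ^= b >> 8;
    return b;
}

typedef struct {
    uint16_t last_good;  /* last accepted altitude, in counts */
    bool     have_last;  /* false until the first sample is accepted */
    unsigned rejects;    /* samples refused as implausible */
} alt_filter;

/* Accept a sample only if its decoded value lies within max_step counts
 * of the last accepted one; otherwise count it and keep the old value. */
bool alt_accept(alt_filter *f, uint16_t gray_sample, uint16_t max_step)
{
    uint16_t alt = gray_decode(gray_sample);

    if (f->have_last) {
        uint16_t delta = alt > f->last_good ? (uint16_t)(alt - f->last_good)
                                            : (uint16_t)(f->last_good - alt);
        if (delta > max_step) {
            f->rejects++;
            return false;
        }
    }
    f->last_good = alt;
    f->have_last = true;
    return true;
}

/* Constructed stream: a climb from 2400 ft with two injected single-bit
 * faults. Returns the reject count; *final_alt gets the last accepted
 * altitude in counts. */
unsigned demo_stream(uint16_t *final_alt)
{
    uint16_t stream[6];
    alt_filter f = { 0, false, 0 };

    stream[0] = gray_encode(24);
    stream[1] = gray_encode(25);
    stream[2] = gray_encode(25) ^ 0x40;  /* high-order bit flipped */
    stream[3] = gray_encode(26);
    stream[4] = gray_encode(26) ^ 0x01;  /* low-order bit flipped */
    stream[5] = gray_encode(27);

    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        alt_accept(&f, stream[i], 2);
    *final_alt = f.last_good;
    return f.rejects;
}
```

In this stream the flipped high-order bit decodes as a jump to count 102 and is rejected, while the flipped low-order bit decodes as the neighbouring count 27 and passes the check.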
 
Peter

Jan 1, 1970
Everett M. Greene wrote:
I'm no expert on autopilot servos, but I do know something
about electric motors in general and would question the
statement about the number of repositions before failure.
Unless a motor is overloaded, it should last nigh onto
forever.

I agree; DC servo brushes do last a very long time; generally years of
continuous operation. There was nothing wrong with the brushes in that
roll servo; it was the power amp which went up in smoke...


Peter.
 
Norm Dresner

Jan 1, 1970
Don't rule out power supply glitches, spikes, etc, especially caused by RFI
in and around powerful transmitters.

Norm
 
Joerg

Jan 1, 1970
Hi Peter,

Peter said:
Looking at the kfc225 computer unit schematic, there is just one CPU
(68hc16) and no watchdog....

No watchdog? Ouch. How did they ever get this certified?

Peter said:
Today I've discovered that once the kfc-225 is in level flight and
holding altitude, it doesn't use the gray code data from the encoding
altimeter - it uses its own internal encoding air pressure sensor.
This rules out the altimeter problem, and narrows it down to the
computer unit, or very few other things like the input from the
altimeter subscale pot (which it still uses).

Maybe that air pressure sensor has a problem. Either EMI or maybe the
mounting location isn't as good as for the regular altimeter. Can the
KFC-225 altitude annunciator be used to see if the unit's altimeter goes
on the fritz?

Peter said:
The problem is that the ability of any ground based engineers to
diagnose the product is very limited, due to the really dumb firmware.

Well, they could blast it with RF in a screened room. It is standard
procedure for any med, AV or other critical gear before type cert. I
have found pretty much any EMI problem in the screen room provided I
could have the room for at least a day. But they have to test to more
than the usual 10V/m field strength.

And I still think Socata should do a courtesy fix on that oil pressure
gauge and take care of the paperwork.

Regards, Joerg
 
Joerg

Jan 1, 1970
Hi Peter,

Peter said:
I agree; DC servo brushes do last a very long time; generally years of
continuous operation. There was nothing wrong with the brushes in that
roll servo; it was the power amp which went up in smoke...

Looks like a "suboptimal" power amp design. Electronics should not blow
just because of excessive actuation. I guess with all the regs you
aren't allowed to replace the busted part yourself but have to let the
service folks sell you a refurb or new version plus labor.

BTW, the clamp ferrite cores I mentioned the other day might still be pretty useful to diagnose an EMI problem. You can't leave them in there during flight but they are really handy to try out things on the ground, running the engine, keying the mike and so on.


Regards, Joerg
 
Peter

Jan 1, 1970
Joerg said:
Looks like a "suboptimal" power amp design. Electronics should not blow
just because of excessive actuation. I guess with all the regs you
aren't allowed to replace the busted part yourself but have to let the
service folks sell you a refurb or new version plus labor.

That's correct; also I have not been able to find the schematic of the
KFC225 servos anywhere. I have found out that there is no service
manual as such. One could design an exact functional replica easily
enough but frankly I have more pressing things to do :)

Joerg said:
BTW, the clamp ferrite cores I mentioned the other day might still be pretty useful to diagnose an EMI problem. You can't leave them in there during flight but they are really handy to try out things on the ground, running the engine, keying the mike and so on.

Yes, I could try placing some on the wires close to the oil pressure
gauge amplifier; that would not require any paperwork.


Peter.
 
Peter

Jan 1, 1970
Joerg said:
No watchdog? Ouch. How did they ever get this certified?

Easy, general aviation autopilots are permitted to fail at any time,
without a warning, in any way whatsoever.

The servo clutches are supposed to be always possible to overpower,
and the pitch *trim* subsystem is supposed to warn the pilot if the
trim has been running out of control (because an excessively out of
trim condition might require more yoke force to overpower than a pilot
can physically manage). But I think those are the only certification
requirements for TSO.



Peter.
 
Joerg

Jan 1, 1970
Hi Peter,

Peter said:
Easy, general aviation autopilots are permitted to fail at any time,
without a warning, in any way whatsoever.

Wow. They'd never let us get away with that in medical electronics. Even
after a defibrillator hit many systems must come back to normal
operation within a prescribed time frame.

Peter said:
The servo clutches are supposed to be always possible to overpower,
and the pitch *trim* subsystem is supposed to warn the pilot if the
trim has been running out of control (because an excessively out of
trim condition might require more yoke force to overpower than a pilot
can physically manage). But I think those are the only certification
requirements for TSO.

I knew about the servo clutches, without override the airplane would
probably become uncontrollable if the AP fails to disengage for some
reason. But I still can't believe that the amplifiers blow.

Regards, Joerg
 