There are no shortcuts to safety in aviation – it’s up to engineers to manage safety risks budgets and schedules, even when testing new aircraft types such as eVTOLs.
Aviation consultancy Roland Berger counted 170 electrically-propelled aircraft in development around the world for a study published last July. By the time you read this, the consultancy estimates that the tally will have risen to almost 200.
By far the largest number of these aircraft are electric vertical takeoff and landing (eVTOL) aircraft – clean sheet designs using electric powertrains and propulsion systems in entirely new ways. The development programs are taking place mostly in the USA and Europe, where many startups are beginning to face the reality of turning CAD drawings into metal and composite that moves in the sky.
Bristol, UK-based Vertical Aerospace hopes to be one of the first companies to market with an eVTOL aircraft. The company plans to complete the testing and certification of its first aircraft by 2023 and to start services on short, piloted intercity routes soon after. While it is in service, Vertical plans to extend the aircraft’s range and eventually introduce autonomy to it, while expanding the number of routes that it can serve.
The company, which was founded in 2016, flew its first proof of concept demonstrator at Cotswold Airport in the UK in June 2018. Engineers at Vertical have recently concluded flight testing of its second full-size prototype, called Seraph, which weighs 1000kg, can reach speeds of up to 80km/h and carry loads of up to 250kg.
Seraph, which is now undergoing several months of ground testing, takes design cues from multi-rotor drones and like many eVTOL aircraft can be described as an enlarged drone. Seraph completed its first flight test campaign without any major incidents, thanks in no small part to Paul Harper, chief certification engineer at Vertical Aerospace. Harper is responsible for ensuring the safety of flight testing Seraph and liaising with the UK’s Civil Aviation Authority (CAA). He says, “We started as a small group of people tasked with taking drone technology and scaling it up into a useful aircraft.
“In the early days we were able to use advanced hobbyist drone kits for testing. We could build cheaply and quickly and learn from the tests. As we’ve scaled up into a heavier full-size aircraft with complex flight systems we have needed to build in redundancy and functional safety. We had to start looking at possible failure modes in dynamic situations.”
One of the possible failure scenarios with Seraph, in common with all other drones and helicopters, is rotor failure. The company had to consider what happens if one or more of Seraph’s rotors fails. To deal with this and similar risks, Harper and the rest of the team at Vertical worked out in advance of the flight testing program which parts of the aircraft had a high-risk of failure. The team then worked to mitigate the risks. Harper describes the process as a “common-sense approach”.
“Like most aerospace testing, it’s about always doing things in the least dangerous way. As a company a risk to life or a risk to people’s property is never acceptable, so we identify and take measures to mitigate them,”
“We record all of the risks, including the functional risks. In some cases we are able to design out the risk from the testing.”
For example, Seraph has an independent, backup control system in case there is a loss of control as well as a “kill switch”.
Outside of hardware-design changes, measures are taken in accordance with aviation authority rules to ensure testing is conducted in a safe manner. In the UK, companies developing experimental aircraft have to meet certain requirements to qualify as a design organization. They also have a choice of meeting either the Civil Aviation Authority’s rules on testing experimental aircraft, CAP 1220, or the European Union Aviation Safety Agency’s Part 201J. “They are very similar to each other and both are similar to the FAA’s equivalent rules thanks to agreements on processes and design approvals,” says Harper.
“The CAA were very involved up front with us. They wanted to ensure that we had the right processes and that we had considered the risks. Once they were satisfied we were going to behave they became less involved,” he says.
Processes and resources that are required to ensure safety during testing include the production of a comprehensive operations manual and test plan. Everyone involved has to be adequately qualified. Scenario planning must be undertaken, and the regulator has to be satisfied that all safety aspects have been considered alongside the high-level risks. Once the testing site has been located, a survey has to be conducted which assesses the external risks and that health and safety obligations can be met. “We have to consider how our operations might impact others and ensure everybody’s safety,” says Harper.
Another major step is to set up an occurrence reporting scheme. This is a way of recording and documenting things that go wrong during testing that weren’t anticipated in the test plan. “It could be a bracket that breaks on the aircraft or something larger – a report has to be filled out. Its identical to what happens in the testing program at a large company developing a conventional aircraft,” says Harper.
Safety risks are prioritized before any other project management risks associated with costs and time are considered. “After the test plan is produced, we know where the potential pitfalls are. We manage the test program to collect as much data as possible, so we can extract as much value as possible from the testing. That might mean adapting the test plan as we learn more about the aircraft.
“You tiptoe out to the edges of performance and get progressively more challenging to expand the flight envelope in a safe way.”
But once the testing program starts, the safety and certification manager’s role should be diminished as long as everything has been set up properly. “Once everything is in place, I can take a back seat,” says Harper. “The test is done in accordance with all the processes and the plan.”
Although safety management is always paramount, risks related to costs and time also matter to a test program. Nick Butler is global market leader for aerospace and defense for National Instruments and works with large established aerospace companies and start-ups. The company supplies equipment and instrumentation for systems testing, embedded software testing, communications and navigation systems testing, electromechanical testing as well as radar, electronic warfare and signals testing.
Butler sees his clients in the aerospace sector manage project risks regularly. He says, “It is part of the project manager’s role to meet schedules and deal with budgets. Sometimes there is a trade-off that can be made with quality and reliability to achieve targets and they may have to decide – are they going to do more testing on an asset to ensure it is mission-ready, or are they going to cut those tests to stay on budget and on time?
“Our aim is to help project managers and test engineers so they don’t have to make that type of compromise – so they can achieve the utmost quality and reliability standards while meeting budgets and schedules.”
Butler believes to avoid such compromises, aerospace companies must take a strategic approach to testing that integrates it with design, development and production cycles more closely. Ideally the test plan and the product is developed concurrently. This means rethinking the traditional approach, where engineers conduct validation, functional and production testing after design and development.
“We are trying to evolve the approach to product development so that you design then validate, then you iterate the design and validate again. The use of digital prototyping and model-based engineering allows you to minimize the amount of physical prototyping and testing in this process,” says Butler.
Dealing with complexity
Testing in the virtual world offers a way of dealing with increasingly complicated aircraft systems. As shown by Boeing’s recent challenges with the 737 Max, systems testing is arguably the most important part of aircraft certification. Similar to model-based engineering and virtual prototyping, hardware in the loop (HIL) testing is a tool that enables engineers to manage risks better.
HIL testing involves laying out an aircraft’s systems, such as an iron bird or flat-sat and inputting and outputting signals into the systems to represent different real-world scenarios. “Simulating in this way enables engineers to get a better handle on budgeting and scheduling,” says Butler. “Risk will always increase as complexity increases but we have the tools and approach to mitigate risk and keep it below a threshold.”
Testing can often be seen as a necessary evil during development, but Butler passionately believes that with proper risk management, modern test systems and approaches it can be a positive for an aerospace company. “Test data is an untapped resource,” he says, “It’s a gold mine of information that can really help customers innovate faster.
“You learn about your product by testing it, so the earlier you can test, the faster you can innovate and beat your competition to deliver a reliable high quality product on time and on budget.”
Aerospace companies are developing aircraft that are simultaneously more innovative than anything the sector has seen for decades and safe and reliable enough for commercial operations. Meeting this challenge successfully requires engineers to use the latest tools and approaches to project management, while remaining within the rules as established by more than a century of aviation development to mitigate risks.