Design Considerations of Fault-Tolerant Electromechanical Actuator Systems for More Electric Aircraft (MEA)

This paper studies the concerns, such as architecture and reliability, in the deployment of electromechanical actuators (EMAs) in the actuation system of the more electric aircraft (MEA). First, the reliability of the actuation system architecture, such as control surface redundancy and actuator redundancy, is studied to determine an appropriate actuator architecture, with and without considering jamming. Then, the considerations for fault tolerance and redundancy of the prime electric motor are discussed in terms of reliability, weight, control complexity, and cost, based on a direct-drive EMA designed for the MEA. The comparison results demonstrate that the configuration of two anti-jamming EMAs with dual three-phase drives connected in parallel can meet the requirements of safety-critical actuation applications, promoting the deployment of a fully electric actuation system on the MEA. Finally, a fault-tolerant motor with a double 3-phase system designed for the EMA is presented, with its performance under normal and fault conditions validated.


I. INTRODUCTION
The more electric aircraft (MEA) is the trend for the next generation of aircraft, with the ultimate goal of the all-electric aircraft (AEA). Increased electrification will lead to a simpler power-by-wire system which optimizes aircraft performance, improves efficiency, and reduces overall weight and costs [1], [2]. The move towards the MEA is also driven by recent enabling technology advances in power electronics, high-density electric motors, new motor/converter topologies, and fault-tolerant electric drive systems.
The concept of an MEA brings challenges for aircraft design, among which two of the most challenging parts are the electrical power system and the electrical actuation system. Generally, modern aircraft actuation systems, including primary control surfaces, secondary control surfaces and the landing gear system, are powered by a combination of hydraulic, pneumatic, and mechanical systems. Adopting electrically powered actuators, viz. electro-mechanical actuators (EMAs), to replace the centralized hydraulic actuators brings the benefits of weight reduction, improved maintainability, and the potential advantage of more flexible flight control by introducing a distributed actuation system architecture.
The feasibility and reliability of EMA deployment have been explored by the US Air Force in the C-161, C-141, and F-18 [3], and Boeing has deployed an EMA-driven spoiler in its advanced B787 [4]. SAFRAN and Airbus have jointly developed an EMA integrating a direct-drive BLDC motor and a roller screw, which was first tested on an A320 aileron in Jan 2011 [4], [5]. Nevertheless, a major concern regarding the utilization of EMAs on primary control surfaces is mechanical jamming, which is critical and potentially disastrous for the aircraft, whereas jamming is not a problem for a hydraulic actuator or an EHA, as these inherently convert into damper mode after a failure, making them jamming-free and fail-safe [6]. A possible solution is to deploy an EMA with a coupler or disconnect device, as used for the slat and THSA on the A380 [7], although this inevitably complicates the structure and increases size, weight and cost.
Another concern is the reliability of the electric drive system, including the prime electric motor, power converter, and control electronics, in particular when considering short-circuit or open-circuit faults in the motor winding and/or semiconductor switches, and faults in the controller. Fault-tolerant electric drives with a level of redundancy can sustain normal operation after one or two single-point faults, but their redundancy configuration, oversizing factor, control complexity, and cost have to be considered [6], [7]. Much research has been done on fault-tolerant electric drives for aerospace applications. However, the overall reliability and performance at the application level, e.g. the surface level, have not been considered by most of them.

II. RELIABILITY OF ACTUATION SYSTEM ARCHITECTURE
A. Actuation System Architecture
For the feasibility and deployment of actuation systems in the aircraft, the evaluation criteria include reliability, weight, efficiency, complexity, cost, etc. Among these, the level of failure probability is a critical factor. Many configurations are available for an individual control surface of the actuation system due to the different combinations of flight control computers (FCCs), power supplies and actuators. This indicates the necessity of assessing the failure rate of each configuration to determine the feasibility of deployment in the aircraft actuation system.
A typical flight control actuation system is illustrated in Fig. 1. In general, three to four FCCs and two or three independent electrical power systems are available on commercial aircraft to provide the necessary level of redundancy for safety. The configuration of control surfaces and actuators depends on the function, safety criticality, and aircraft size.
Three typical actuator configurations for an individual control surface are illustrated in Fig. 2. Given the failure probability of each component, the overall failure probability can be evaluated using either fault tree analysis or a fault dependency diagram.

B. Failure Probability Analysis without Considering Jamming
The fault dependency diagram method offers a rapid evaluation of the overall failure rate for a given control surface actuation system configuration. In the A320, two Elevator Aileron Computers (ELAC) and two Spoiler Elevator Computers (SEC) are utilized for the elevator surface, and each elevator has two actuators. Fig. 3 depicts the fault dependency diagram of a control surface with two EMAs connected in parallel, without considering the jamming problem.
The FCC is at the core of any modern civil or military aircraft and is subject to strict compliance with safety standards for software and hardware such as DO-178C and DO-254, with a failure probability at the level of 10^-4 [8], [9]. Considering the criticality of the FCC, it is often used with dual or triple redundancy.
According to the ARP4754 guidelines for the development of civil aircraft and systems [10], the probability of loss of control (PLOC), which is the worst case, should be less than 1.0×10^-9 per flight hour. From this, the failure probability demands on the actuator or EMA can be obtained. From Fig. 3, this can be expressed as
P(1) + P(2) − P(1)·P(2) ≤ 1.0×10^-9   (1)
P(1) = (3.3×10^-4)^3   (2)
P(2) = (P(EMA))^a   (3)
where P(1) is the equivalent failure probability of the first part, P(2) is the equivalent failure probability of the second part, P(EMA) is the failure probability of each EMA, and a is the number of EMAs connected in parallel.
For the example shown in Fig. 3, two actuators are used for the control surface, so the failure probability of an EMA should be lower than 3.2×10^-5. Following the same idea, if a control surface, e.g. the rudder, is deployed with three EMAs connected in parallel, the failure probability of an EMA should be less than 1.0×10^-3. If only one EMA is used for a control surface, e.g. a spoiler, the failure probability of the EMA should be less than 1.0×10^-9. In all, the failure probability demands on EMAs for control surfaces with different levels of redundancy are summarized in Table 1.
The probability of failure of an EMA is determined by its components. An EMA normally consists of a direct-drive rotating motor (or, under some circumstances, a high-speed motor plus a gearbox), a mechanical screw such as a roller screw or ball screw (converting rotation into linear movement), and a controller & inverter. A fault tree analysis (FTA) can be utilized to determine the failure rate of an EMA [6], and the simplified fault tree of a single-lane EMA is shown in Fig. 4.
Fig. 4 Fault tree of a single-channel EMA.
The failure probability of the power supply is not straightforward, as it may include both the AC and the DC power bus for current civil aircraft with a 115-120 V/400 Hz AC power system, in which an AC/DC converter has to be used, although a matrix converter could possibly be adopted to avoid the AC/DC converter. A probability of 7.0×10^-4 for the loss of one channel of AC power was suggested in [11] in 2008, which should have improved over the last ten years. In 2011, John and Glynn [6] suggested that the probability of loss of a power bus is around 5.4×10^-5, and a figure of 4.8×10^-5 was assumed in [8]. With the increasing demand on the on-board generation system, higher-voltage DC electrical systems such as a ±270 V DC system are being considered to reduce current and wire weight, which will also improve the reliability of the aircraft electrical power system. Thus, a figure of 5.4×10^-5 for the loss of power supply is used.
The mechanical part involves both the mechanical screw, e.g. a planetary roller screw, and the bearings. A failure probability of 1.5×10^-6 for the roller screw can be identified from the MTBF in [12]. According to Tavner's study [13], bearings are responsible for up to 95% of AC motor failures in the worst case, from which a failure probability of 6.0×10^-6 can be derived from the industrial MTBF of 159021 hours obtained by the IEEE survey.
Similarly, a winding failure probability of 3.1×10^-7 can be calculated by assuming that winding failures account for the remaining 5% of total AC motor failures [13]. A conservative figure of 8.6×10^-5 can be assigned to the controller & inverter failure [14]. Clearly, the mechanical components are more reliable than the electronic part.
Each component failure will lead to the loss of control of the EMA, and the resulting probability of loss of control of this EMA is around 1.5×10^-4 per flight hour from Fig. 4, which is clearly not less than 1.0×10^-9 per flight hour; this figure is, however, consistent with the merged failure rate of 50.2 failures per million operating hours for military-quality linear EMAs stated by NPRD-2011 [15]. In fact, the failure probabilities of all EMA components are many orders of magnitude higher than the target requirement. For a control surface with two EMAs connected in parallel, this single-lane EMA is still unable to provide the required reliability, but it does suffice for a control surface with three EMAs, as a comparison with the data in Table 1 shows. Hence, the single-EMA configuration may be used for less critical surfaces like spoilers or slats, while safety-critical surfaces such as the ailerons and the rudder necessarily require a higher level of redundancy.
To make the EMA feasible for control surfaces such as elevators and ailerons with two EMAs connected in parallel, the failure probability of the EMAs has to be improved. A scheme of EMAs with multi-lane fault-tolerant electric drives is proposed. Fig. 5 shows the basic fault tree of an EMA with dual-lane electric drives, which is also referred to as a dual-lane fault-tolerant EMA.
The resulting failure probability is now 1.5×10^-5, which is significantly reduced compared to its single-lane counterpart and clearly meets the demand of less than 3.2×10^-5 stated in Table 1. Similarly, if a third electric drive lane is incorporated into the EMA, the failure probability of the electric part can be further reduced to 2.7×10^-12, but unfortunately the resulting reliability of the EMA is then restricted by the mechanical failure probability of 1.5×10^-6.

C. Failure Probability Analysis Considering Jamming
For conventional hydraulic actuators (HAs) or electro-hydrostatic actuators (EHAs), the fluid pressure is removed when a fault occurs, and the actuator is converted to damping mode automatically, under which the parallel-connected actuators can drive the control surface according to commands from the cockpit without any serious issues [4], [6], [7]. However, this is not the case for the EMA, as jamming of an EMA, e.g. a mechanical screw failure, could freeze the control surface even if another parallel-connected EMA works. Therefore, the problem of mechanical jamming is a critical concern and must be carefully considered, as it may otherwise result in a disastrous event even on a surface with a level of redundancy.
In terms of reliability, fault tree analysis can also be used, but the failure probability and the logic connection of the jamming problem should be carefully dealt with. The jamming of an EMA will result in the loss of control of the surface even when the redundant EMAs connected in parallel are intact. The methods of using an anti-jamming system, a dual load path, or disconnect devices have been proposed [6], [16], ensuring free movement of the control surface governed by the redundant actuators after the jamming of one actuator. These methods inevitably increase the system complexity, but this is necessary if we want to advance the EMA for safety-critical flight control surfaces in the MEA. In order to analyse the reliability, taking a control surface with two EMAs as an example, the fault dependency diagram of the control surface and the revised fault tree of an EMA can be redrawn, as in Fig. 6 and Fig. 7. One can observe that both the mechanical screw and the anti-jamming part have been taken out of the EMA and placed in the last part of the fault dependency diagram to represent the fault logic conditions, so that the EMA is divided into an electric and a mechanical part. The form of the anti-jamming system is not specified, but it is reasonable to regard it as an electromagnetic actuation system comprising control, monitoring and actuation parts. Thus, a failure probability of 1.5×10^-4, which equals the failure probability of a single-lane EMA, can be assigned to it [17].
Similarly, the overall failure probability of the surface has to meet the requirement of 1.0×10^-9 for safety. This means the demands on the failure probability of the EMA can be expressed as
From Fig. 6, the failure probability limit on the second part P(2) can be obtained, which is 5.2×10^-10. For different levels of EMA redundancy, the corresponding failure probability limit on each EMA can be calculated from (4) and is summarized in Table 2. From Fig. 7, without considering mechanical part failure, the resulting failure probability of the revised EMA with dual electric drives is 6.0×10^-6. Similarly, the failure probability of the revised EMA with different redundancy levels of electric drives can be calculated as well, and the values are summarized in Table 3. One can note that the failure probability will not fall below 6.0×10^-6; this is because it is bounded by the motor bearing failure probability.
It is clear that for a control surface with only one EMA, the EMA cannot meet the safety failure probability limit irrespective of the electric drive redundancy level. Thus, a surface with one EMA can only be used for non-safety-critical actuation systems.
For a control surface with two parallel EMAs, an EMA equipped with dual electric drives, with a failure probability of 6.0×10^-6, can meet the corresponding requirement of less than 2.3×10^-5 in Table 2. The same holds for an EMA driven by triple electric drives. Therefore, for a surface with two parallel EMAs, an EMA with more than one electric drive is shown to be necessary to achieve a reliability of 1.0×10^-9 for safety-critical actuation applications.
The reliability demands on each EMA decrease when the control surface has three or more EMAs in parallel. In the case of three EMAs, e.g. the rudder, the failure probability demanded of a single EMA is less than 7.3×10^-4, suggesting that the EMA could meet the reliability requirement irrespective of the number of redundant electric drives, according to the figures in Table 3.
In all, it is confirmed that a redundancy level of two anti-jamming EMAs is necessary for the deployment of EMAs on safety-critical control surfaces such as the elevator and rudder. A single-EMA configuration could only be considered for a less critical surface such as a flap or slat.
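The fault-dependency and fault-tree arithmetic of Section II, as an added Python example (not code from the paper): it applies independent-event OR/AND gates to the component figures quoted above, solves equations (1)-(3) for the per-EMA limits of Table 1, and reproduces the single-lane, triple-lane-electric and revised dual-lane EMA figures. The lane structure of Figs. 5 and 7 and the jamming branch behind equation (4) are not reproduced on the page, so the models of them in `ema_failure` and `ema_limit` are this example's own assumptions, marked as such in the code.

```python
# Fault-dependency / fault-tree arithmetic for the EMA architectures of Section II.
# Component figures are per flight hour, as quoted in the text.
from typing import Dict, Iterable

PLOC_LIMIT = 1.0e-9        # ARP4754 probability of loss of control, per flight hour
FCC_FAILURE = 3.3e-4       # per-FCC figure used in equation (2)
FCC_COUNT = 3              # P(1) = FCC_FAILURE ** FCC_COUNT
ANTI_JAM_FAILURE = 1.5e-4  # figure assigned to the anti-jamming device in II.C

# Single-lane EMA components from Fig. 4 and the surrounding paragraphs.
EMA_COMPONENTS: Dict[str, float] = {
    "power_supply": 5.4e-5,
    "roller_screw": 1.5e-6,
    "bearing": 6.0e-6,
    "winding": 3.1e-7,
    "controller_inverter": 8.6e-5,
}
ELECTRIC = ("power_supply", "winding", "controller_inverter")


def or_gate(probs: Iterable[float]) -> float:
    """Probability that at least one of several independent failures occurs."""
    survive = 1.0
    for p in probs:
        survive *= 1.0 - p
    return 1.0 - survive


def and_gate(probs: Iterable[float]) -> float:
    """Probability that all of several independent failures occur."""
    result = 1.0
    for p in probs:
        result *= p
    return result


def electric_part(lanes: int) -> float:
    """Loss of all `lanes` electric drives (supply, winding, controller/inverter)."""
    lane = or_gate(EMA_COMPONENTS[k] for k in ELECTRIC)
    return and_gate([lane] * lanes)


def ema_failure(lanes: int, with_screw: bool = True) -> float:
    """Loss of control of one EMA with `lanes` electric drives.

    ASSUMPTION (Fig. 5 is not on the page): electric lanes are independent and
    all must fail; the mechanical items form one shared path.  with_screw=False
    is the revised EMA of Fig. 7, whose screw moved to the surface-level branch.
    """
    mech = ["bearing"] + (["roller_screw"] if with_screw else [])
    return or_gate([electric_part(lanes)] + [EMA_COMPONENTS[k] for k in mech])


def ema_limit(num_emas: int, anti_jamming: bool = False) -> float:
    """Largest per-EMA failure probability keeping the surface within PLOC_LIMIT.

    Without anti-jamming this solves equations (1)-(3) for P(EMA).  With
    anti-jamming the block ASSUMES (equation (4) is not on the page) a third
    OR term: for each EMA, screw jam AND anti-jamming-device failure.
    """
    p1 = FCC_FAILURE ** FCC_COUNT
    p_jam = 0.0
    if anti_jamming:
        jam_one = EMA_COMPONENTS["roller_screw"] * ANTI_JAM_FAILURE
        p_jam = or_gate([jam_one] * num_emas)
    # 1 - (1-P(1))(1-P(jam))(1-P(2)) <= limit, solved for the P(2) budget.
    other = or_gate([p1, p_jam])
    p2_budget = 1.0 - (1.0 - PLOC_LIMIT) / (1.0 - other)
    return p2_budget ** (1.0 / num_emas)  # P(2) = P(EMA)**a, equation (3)


if __name__ == "__main__":
    for a in (1, 2, 3):
        print(f"{a} EMA(s): limit {ema_limit(a):.2e}, "
              f"with anti-jamming {ema_limit(a, True):.2e}")
    for lanes in (1, 2, 3):
        print(f"{lanes}-lane EMA: {ema_failure(lanes):.2e} "
              f"(revised, no screw: {ema_failure(lanes, False):.2e})")
```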

A. Design aspects of the motor for EMA
The main requirements for the prime rotary motor in the EMA application are high torque density and good fault-tolerant capability. In terms of high torque density, an advantageous motor topology has to be selected, e.g. the permanent magnet synchronous machine (PMSM). Then, the duty cycle and thermal behaviour of the actuator have to be considered to determine the peak current density of the motor that can be achieved within the given temperature limits. The motor's thermal behaviour under normal and especially after-fault conditions has to be dealt with, as the motor will be fed with overload current under a single-lane fault in order to compensate the loss of torque, and even the negative dragging torque, of the faulted lane.
For high fault-tolerant capability, the motor typically involves multi-lane electric drives with either multiple single-phase or multiple three-phase windings to provide levels of redundancy, ensuring normal operation or reduced output after faults occur. In addition, the isolation between different lanes in the electrical, thermal, magnetic, and physical aspects has to be considered to mitigate the propagation of faults.
Thus, the fractional-slot concentrated winding (FSCW) PMSM topology emerges as the preferred choice due to its high torque density and the achievable isolation between lanes. More importantly, this topology offers the possibility of limiting the terminal short-circuit (SC) current to 1 p.u. of the rated current because of its large per-phase inductance.

B. Thermal behaviour over the mission profile
The thermal requirements on the EMA are represented by the demands over the whole mission profile. In order to meet the safety regulations, the most serious conditions (such as critical flight phases with serious turbulence and faults) have to be considered, and this determines the sizing of the EMA. The actuation system is usually without any additional cooling system, making the thermal design quite a challenge. Moreover, the thermal behaviour of the motor itself is not just determined by the thermal limitations of the materials; it is also limited by requirements from the aircraft level. For example, the maximum temperature at the EMA skin should be around 100 °C at wing level for qualitative safety requirements [5], which is obviously much lower than the thermal limit of the housing material (aluminium).
Another critical challenge is the extreme working environment of high altitudes and wide temperature variation ranges. For instance, the air temperature could be higher than 40 °C on the ground when taxiing or at low altitude during take-off, while -50 °C can be expected at a height of 35000 feet during the cruise phase.

C. Fault tolerant motor design, control strategy and comparison
The redundancy and fault management requirements imposed on the motor of an aircraft actuator can be defined as below [14]. It should be noted that the output is assessed at the surface level in terms of average torque.
open-circuit (OC) & terminal short-circuit);
Acceptable output degradation, e.g. 50%, after the second fault.
As discussed in Section II, the design requirements for the fault-tolerant motor are directly related to the redundancy level of the control surface, and the configuration with at least two anti-jamming EMAs connected in parallel has been confirmed as necessary for the deployment of EMAs in aircraft safety-critical actuation applications; this is taken as the basis here to give an insight into the issues in designing a fault-tolerant motor. Two alternative multiple-lane fault-tolerant drives, viz. multiple single-phase and multiple three-phase, are considered in this paper, as shown in Fig. 8. Table 4 summarizes a comparison of the different motor topologies for the actuation architecture with two anti-jamming EMAs connected in parallel in terms of sizing factor, total number of lanes, number of power switches, etc. One should note that a suitable motor design has been assumed, so that the motor can survive or continue to provide the required torque under OC and terminal SC conditions, and the same peak current limit has been imposed. In addition, three or four independent power supplies are available on modern commercial aircraft, implying that an EMA with triple-lane electric drives would have lanes sharing a power supply, i.e. lanes that are not fully isolated.
It is clear that for either multiple single-phase or multiple three-phase drives, each EMA needs to be driven by at least two lanes to provide the necessary fault tolerance at surface level; for the same number of lanes, the multiple 3-phase drives generally require a larger number of power switches. The comparison indicates that the higher the number of lanes, the lower the overall sizing factor of the motor or surface, suggesting that an EMA with a higher number of lanes is preferred. However, the number of independent power supplies is limited, usually to three or four on modern commercial aircraft. On the other hand, this view accounts only for electric faults, whereas the surface also has to survive or keep working after a mechanical failure such as that of the mechanical screw or bearing. Thus, a minimum sizing factor of 1 is necessary so that, if one EMA fails, the parallel-connected EMA can still provide the required output. Therefore, the motor with dual-lane electric drives is selected. For the dual-lane configuration, the number of switches for multiple 3-phase drives is 24, higher than that for multiple single-phase drives. However, the influence of the remedial strategy under fault also has to be considered. For the multiple single-phase motor, a large torque ripple is expected after the remedial strategy is employed to overcome the influence of the faulted lane, and the current in each individual phase has to be reshaped or re-scaled to overcome it, implying a higher sizing factor of the motor under the same peak current limit [6]. For the multiple 3-phase motor, however, the motor is divided into multiple independent 3-phase lanes, which means the current in each lane only needs to be scaled by the required factor, reducing the control complexity and PWM implementation cost.
On the other hand, the motor is driven by the power converter, which places another requirement on the DC input filter to minimize the distortion of the power supply. The multiple single-phase motor operated from an independent DC supply requires a substantial input filter, increasing volume and weight. In contrast, the demands on the input filter for the inverter of a three-phase motor are much lower due to fewer harmonics. Therefore, the motor with dual three-phase drives is identified as the final candidate.

D. Fault-Tolerant Motor Design
The specifications of the direct-drive EMA designed for a commercial aircraft like the A320 are summarized in Table 5. A range of slot-pole combinations is available for the FSCW PMSM designed for the EMA, among which a 24S-22P motor with a double 3-phase single-layer winding is considered, as shown in Fig. 9. The maximum output torque under peak current is depicted in Fig. 10, in which an average torque of 15 Nm can be observed with quite a small torque ripple, meeting the EMA requirement under the healthy condition.
The fault-tolerant motor is designed with a high per-phase inductance to restrain the SC current to around the rated current, avoiding winding overheating issues. The 3-phase windings of one lane are shorted at the terminals to evaluate the performance after fault, and the resulting steady-state 3-phase short-circuit current versus rotor speed is shown in Fig. 11. As can be seen, the maximum peak value occurs in the high-speed region [18], and this value is limited to 10.3 A, close to the rated current of 10.5 A.
The dragging torque with one 3-phase winding shorted is illustrated in Fig. 12. The maximum dragging torque of 2.1 Nm occurs at low speed, which is around one quarter of the torque under rated current. Obviously, the remaining healthy 3-phase winding can overcome this dragging torque to generate the required output torque.

IV. CONCLUSIONS
This paper discussed the concerns related to the reliability and development of EMAs for safety-critical actuation systems in the MEA. First, the reliability of the actuation system architecture and the failure probability of different actuation configurations were evaluated. Specifically, the feasibility of deploying EMAs with an anti-jamming system in the safety-critical actuation system was confirmed. Then, the design considerations for a fault-tolerant motor were presented, and the best configuration, two anti-jamming EMAs connected in parallel with each EMA equipped with a dual three-phase drive, was identified as meeting the requirements of safety-critical actuation applications. A prime rotary motor with a double 3-phase winding designed for the direct-drive EMA was presented and its fault-tolerant capability demonstrated. All of this provides a significant step towards the deployment of purely electric actuation systems in the future MEA.