C-17 Flight Control System Overview

Brian W. Kowal, USAF

Carl J. Scherz, McDonnell Douglas
Richard Quinlivan, General Electric

ABSTRACT reconfigurarion, and limited fault annunciation. The Stability

and Control Augmentation System (SCAS) functions are
The McDonnell Douglas C-17 airlifter completed its first implemented in a quadruplex set of digital General Electric
flight on 15 September 1991. Since that time the aircraft has flight control computers (FCCS) which provide fail-op, fail-op,
compiled an impressive flight test record. One of the major and fail safe control after computer failures. There are two dual
reasons for the C-17's flight test success has been its flight digital Spoiler ControliElectronic Flap Computers (SC/EFC)
control system (FCS). The inherent redundancy and robustness which provide the control law computations for the spoilers,
of the FCS has permitted a more aggressive flight test program flaps, slats, and speedbrakes. These computers drive a
than would be possible otherwise. redundant (except for the spoilers) set of electrohydraulic
This paper starts with the basic requirements which drove servoactuators. There is a backup mechanical system which
the C-17 design. It explains the background behind the deep can provide control of the ailerons, elevators, rudders, and
stall avoidance, probability of loss of control, all engine out stabilizer surfaces in the event of primary system failures.
control and safe go-around requirements. The overall flight The C- 17 has 29 control surfaces. These include a trimmable
control system design is presented. The FCS features which horizontal stabilizer, four elevators, two ailerons, two rudders,
satisfy the above requirements are described. The C-17 eight spoilers, four flaps, and eight slats. These surfaces are
combines the best features of a modern fly-by-wire system with shown in Figure 1.
the best elements of a traditional mechanical system. This
combination results in a system which is flexible enough to
optimize the capabilities of the C-17 yet redundant and
dissimilar enough to provide protection against a wide rage of
failure conditions. Specific failure modes and their design
safeguards are reviewed.
After the FCS design is presented, the early flight test results
are reviewed. During the first six months of flight test the
aircraft accomplished almost all its major objectives ahead of
schedule. Several minor anomalies were encountered during
the early flight test program. These anomalies and their effect
on the final flight control design are discussed.
FLIGHT CONTROL SYSTEM OVERVIEW
Fig. 1. Flight Control Surfaces
The C-17 Flight Control System (FCS) provides vehicle
stability and control augmentation, failure identification and
C-17 PROGRAM HISTORY

Ba5ed on a presentation at NAECON '92

During the fiscal year 1981 budget review the secretary of
0885189851921$3 00 IEEE 1992 defense directed funding for a new airlift aircraft. An initial

24 IEEE AES MAGAZINE, July 1992

 Program Management Directive (PMD) was issued on 10
December 1979 and the C-X Mission Element Need Statement
(MENS) was released on 28 November 1980. In October 1980
the C-X Program Office issued the C-X RFP. Douglas Aircraft
Company was announced as the winner of the C-X competition
in August 1981 and an engineering development contract was
awarded in July 1982. The technical objectives of the program
as stated in the PMD were:
to provide for rapid intertheater deployment of
combat forces to support national strategy goals,
meet mobiliq requirements within a theater of
operation, provide a tactical outsize capability not
available now, and provide needed total force
structure modernization.
The Defense Authorization Act of 198 1 required that a study
be performed which detailed the overall United States mobility
requirements. This study recommended the addition of 20
million ton miles per day (MTM-D) of intertheater airlift to
the 1986 projected capability baseline of 46 NTM/D. Specific
C-17 requirements are listed in Table 1.
Table 1. Specific C-17 Requirements
Rapid intertheater deployment;
Intratheater operation;
Tactical outsize cargo capability;
Austere airfield operation;
Oversize cargo capability
Long range direct delivery.
Two of the more significant of these requirements are the
tactical outsize cargo capability and the long range direct
delivery capability. Currently none of our transport aircraft can
deliver outsize cargo directly to a small, austere airfield. The
C- 17 will provide this capability. The long range direct delivery
capability principal benefit is the reduction in the time required
to deliver combat units to battle. This capability will eliminate
some of the need for transshipment and will eliminate some
of the time, personnel, and equipment required for ground
handling. Direct delivery will also avoid possible cargo attack
or sabotage that can occur at intermediate staging areas.
The current program plans are to procure one flight test
aircraft, two structural ground test articles, and 120 production
aircraft. The Initial Operational Capability (IOC) is planned
for September 1994.
FLIGHT CONTROL SYSTEM REQUIREMENTS
The C-17 Flight Control System was designed in accordance
with MIL-F-9490D. The major flight control system design
requirements are listed in Table 2.
During early 1987 a 500 hour deep stall wind tunnel test
program was conducted in the MCAIR (St. Louis) mini-speed
Table 2. Major FCS Requirements
Deep stall avoidance;
High total flight control system reliability;
IEEE AES MAGAZINE, July 1992
Fig. 2. Deep Stall Characteristics
All engine out control;
Safe Go-around
wind tunnel. The program focused on the C-17 post stall
stability and control characteristics. These tests confirmed that
the C-17 exhibited a post-stall deep stall condition for some
high lift configurations from which the aircraft is not
recoverable. These characteristics are illustrated in Figure 2.
The aircraft departure into a deep stall condition can be rapid,
about two seconds, after reaching stall. One of the basic C- 17
development specification requirements is that “the airplane
shall be readily recoverable from all attainable attitudes and
motions.” Because of this requirement an angle-of-attack
limiting system (ALS) was added to the SCAS. The ALS
computes the limit angle-of-attack based on speed, engine
pressure ratio (EPR), and aircraft configuration. This computed
limit is compared with the actual angle-of-attack and the pilot’s
ability to command an increase in angle-of-attack is restricted.
In addition to the ALS, stall warning is provided with a
stickshaker and aural warnings.
The total flight control system reliability requirement is
derived from the “Airplane Special Failure State” requirement
which states that:
Certain components, systems or combinations
thereof may have an extremely remote probability
of failure during a given mission . . . failures
which have a probability of occurrence less than
1 X 10”“ - 9per mission may be considered to be
special failure states . . .
and the C- I7 air vehicle general safety design requirement
which states:
Risks associated with hazardous conditions shall
be reduced to an acceptable level . . .
The C-17 System Safety Program Plan states that an
“acceptable level” for catastrophic failures is at most less than
lo** - 9 per hour. A catastrophic failure rate of I X IO** - 9
per mission will meet all of the above requirements. This
requirement is allocated between the Electronic Flight Control
System (EFCS) and the Mechanical Flight Control System
(MFCS). The EFCS allocation is derived from the air vehicle
requirements for airplane failure states which states that:
25
 All flight control system failure stutes that result
in below level 3 flying qualities shall not have a
cumulative failure probability of greater than
5 X IO** - 7 per mission (3.8 hours).
The EFCS is allocated 1 X lo** - 7 per mission of this
requirement and the remainder (4 X lo**
-7) is allocated to mechanical failures and some hydraulic
system (flight control) component failures. From the 1 X lo** .
- 7 per mission requirement for the EFCS, the MFCS
requirement may be backed out of the I X IO** - 9 per mission
requirement. The MFCS reliability requirement is 1 X lo** - 2
per mission. These requirements resulted in a quadruplex
electronic flight control system with a simplex backup
mechanical flight control system.
Within the C- 17 Air Vehicle Specification there is an explicit
requirement for the vehicle to be controllable with all engines
out. This resulted in two major design features. The mechanical
flight control system is predicted to provide better than level
3 flying qualifies throughout the operational flight envelope
except at high altitudes. At the higher altitudes the dutch roll
damping metric is not quite met. This resulted in the
incorporation of an emergency yaw SCAS which operates on
emergency electrical power upon loss of all generated electrical
power. Two of the flight control computers retain control of
the lower rudder to provide the necessary yaw damping. The
other design feature is the incorporation of a Ram Air Turbine
(RAT) which powers the fourth hydraulic system upon loss of
the normal four hydraulic systems. The RAT would provide
power to the right aileron, right mid-board and out-board
spoiler, the lower rudder, and the two left elevators. The
stabilizer trim is active and the flaps are controllable.
Early in the program it was estimated that the climb gradient
with the flaps extended greater than the go-around flap setting
was marginal (this is now estimated to be adequate). Based on
this original assessment, a redundant flap control system was
designed and an analog backup flap control unit was added.
The analog backup provides only a retract capability.
EFCS OVERVIEW
The C-17 Electronic Flight Control System (EFCS) is the
heart of an integrated digital fly-by-wire manual and automatic
flight control system and ground proximity warning system.
The EFCS consists of
4 Flight Control Computers operating as a quadruplex set
2 Spoiler Control Electronic Flap Computers
1 Automatic Flight Control System Control Panel (AFCS CP)
1 Flight Control System Actuator Panel
1 Ground Proximity Warning System (GPWS) panel
2 Control Stick Sensor Assemblies (CSSAs).
Figure 3 is a picture of the LRUs which make up the EFCS.
The system provides primary flight control for the C-17
including full time stability and control augmentation for
manual flight modes and an integrated AFCS consisting of
autopilot, autothrottle, and flight director functions. In addition
26
-
r
-
-.
Fig. 3. Electronic Flight Control System LRUs
the EFCS provides fly-by-wire control of the spoilers, slats,
and flaps. Angle-of-attack limiting for stall protection is closely
integrated with the SCAS.
Air data signals and inertial signals are provided by
quadruplex (two dual channels) Air Data Computers and
quadruplex Inertial Reference Units via the quadruplex FCS
MIL-STD-I 553B Multiplex Data Bus.
The Manual Flight Control System of the C-17 is provided
by the SCAS function of the EFCS. The EFCS in concert with
the associated sensing and actuation system implements SCAS
control laws which are intended to provide the C-17 with level
1 handling qualities. The redundancy of the EFCS and the
associated sensing and actuation systems is designed to
maintain these handling qualities with a high level of fault and
battle damage tolerance. The EFCS itself provides fail operate/
fail operatelfail safe performance in response to like failures.
Fail safe in this case is a reversion to the mechanical backup
system. The sensing and actuation systems and the control
surfaces have a similar capability through a combination of
component redundancy and control surface redundancy.
The pitch axis control system is composed of the pitch SCAS
which controls the elevators and the pitch trim system which
controls the horizontal stabilizer. The pitch SCAS has the
following modes and submodes:
1. Pitch Takeoff mode
2. Pitch Rate Command/Attitude Hold mode
3. Pitch Attitude CommandiAttitude Hold mode
4. Pitch Rate Command Roll Submode
5 . Pitch Rate Command Angle of Attack (AOA)
Limit Submode
The Pitch Takeoff mode is the initial power-up, on ground
mode and is also active after landing when the aircraft has been
on the ground for approximately one second. This mode
provides direct elevator deflection per pound of stick force
during the ground roll. Once weight is off the wheels and the
pitch stick force is reduced below a preprogrammed breakout
the system reverts to the Pitch Rate Command/Attitude Hold
mode.
IEEE AES MAGAZINE, July 1992
 The Pitch Rate CommandiAttitude Hold mode provides
attitude hold when the pitch stick force is below the
preprogrammed breakout, and a pitch rate command
proportional to stick force when the pitch stick force is greater
than the preprogrammed breakout. This is the basic pitch SCAS
mode and provides nearly constant stick force per g for a given
airspeed. The Pitch Attitude CommandiAttitude Hold mode
commands a change in attitude from the reference pitch attitude
proportional to the stick force above the preprogrammed A
breakout and commands attitude hold to the reference attitude
c FLAPS RaL
when the pitch stick force is below the preprogrammed
breakout. This mode is primarily used during approach and
landing.
The Pitch Rate Command Roll submode provides pitch rate
commands proportional to stick force but does not include an
attitude hold function for pitch stick force less than the
preprogrammed breakout. This submode automatically
-
becomes active when the aircraft is at large bank angles. EFCS
The Pitch Rate Command Angle-of-Attack (AOA) Limit
submode is automatically engaged when the AOA Limit
I
submode is active. In this submode pitch angle is commanded
to preclude exceedance of the AOA limit threshold.
The roll SCAS includes the following basic modes:
1 . Roll Takeoff mode SCEFC
2. Roll Rate Command/Attitude Hold mode
3. Roll Approach mode
The Roll Takeoff mode is similar to the Pitch Takeoff mode
in that it is engaged automatically upon power-up on the ground.
On landing after approximately one second the SCAS reverts
to the Roll Takeoff mode. Fig. 4. FCS Actuator Panel
The Roll Rate Command/Attitude Hold mode provides a roll
rate command proportional to stick force, and provides attitude
roll mode has insufficient damping and level 3 flying qualities
hold when the roll stick force is below the preprogrammed
cannot be met with just the mechanical system.
breakout. This is the basic roll SCAS mode. In this mode the
Flaps are deployed as a function of flap handle position and
spoiler command is proportional to stick force, only the aileron
a flap index computed by the Mission Computer and entered
command is augmented.
in the EFCS by the pilot.
The only difference between the Roll Approach mode and
The FCS Actuator Panel (AP) provides the flight crew the
the Roll Rate Command/Attitude Hold mode is that the spoiler
capability to revert any axis of the EFCS to the backup
commands are roll rate augmented also.
The yaw SCAS has the following basic modes: Mechanical Flight Control System (MFCS). Separate rotary
switches are provided for primary pitch, roll, and yaw axis
1 . Yaw Takeoff mode
reversions to one of two MFCS gains. Lights on the FCS
2 . Yaw Normal mode. Actuator Panel annunciate EFCS reversions to the MFCS.
3. Yaw Emergency Power mode Pushbuttons on the FCS Actuator Panel allow initiation of
The Yaw Takeoff mode is designed much the same as the Preflight Built-in-Test (PBIT) for the FCCs and the SCEFCs.
Pitch and Roll Takeoff modes in that there is a direct control Failure of PBIT is annunciated on the FCS AP. The AP also
of the rudder on the ground and the system automatically includes a pushbutton for pilot initiated reset of certain flight
changes to an augmented mode after liftoff. control system faults.
The Yaw Normal mode provides yaw damping, turn Figure 4 shows the FCS AP.
coordination, response to pilot rudder pedal inputs, and parallel The Flight Control Computers and the Spoiler Control
rudder pedal trim for yaw control. The turn coordination is Electronic Flap Computers each use three MIL-STD- 1750A
active whenever the flaps are retracted. CPUs. These CPUs are Performance Semiconductor PACE 20
The Yaw Emergency Power mode is identical to the Yaw MHz chipsets rated at 1 MIP (DAIS mix). In the FCC one
Normal mode except that turn coordination is not provided. processor serves as an I/O processor and the other two perform
This mode is intended for use at high altitudes after the loss the control law computations. In the SCEFC one processor
of all electrical power. At high altitudes the unaugmented dutch serves as an 1/0processor and the other two are configured as

IEEE AES MAGAZINE, July 1992 27

 Fl BUS
Fig. 5. EFCS Data Bus Architecture
a self-checking pair. The AFCS Control Panel is implemented
with four MIL-STD- 1750A CPU modules organized as two
self checking pairs. These CPU modules are also implemented
with the same PACE chipsets. Program memory in all LRUs
is EEPROM.
Software for the FCC, SCEFC, and AFCS Control Panel is
written in the 573 JOVIAL language.
The EFCS data bus architecture is illustrated in Fig. 5.
Each FCC is the master bus controller for a dual MIL-STD-
1553B multiplex bus. The Inertial Reference Units and Air Data
Computers interface with the FCS through the flight control
bus and with the Avionics System through a separate 1553
mission bus. Communication between the FCCs and SCEFCs
is also via the FCC buses. There is a 2 MHz serial broadcast
bus Cross Channel Data Link (CCDL) between the FCCs which
allows the FCCs to share data. The SCEFCs have a similar
CCDL design. The Electronic Engine Controller (EEC)
communicates with the FCCs through an ARINC 429 serial
data bus.
The quadmplex FCCs and the dual SCEFCs operate as a
frame synchronous set. Sync signals are exchanged between
computers via a discrete signal interface. If a computer should
somehow fall out of synchronism it will immediately attempt
to resynchronize. During the interval a computer is
unsynchronized it more susceptible to nuisance failures. Loss
of synchronism is not of itself grounds for computer shutdown
28
- - - - -e-"
- ---1
--
-"-
-I-
Input data from the pilots and from the aircraft sensors is
received on a channelized basis on the FCC 1553B buses and
from direct connections with the pilot position and force
sensors. This data is exchanged via the CCDL as shown in
Figure 5. Each of the FCCs therefore will have identical copies
of all four sets of data. The Input Signal Management software
processes this data. A sensor selection algorithm derives a
selected value for each signal as a function of the sensor failure
states. The selected value is the average of the middle two
signals (four valid signals), the midvalue of three signals (three
valid signals), or the average of two signals (two valid signals).
A fault detection and identification algorithm compares each
valid copy of the signal to the selected value and using
predetermined thresholds decides if the signal is valid. The
signals passed to the Control Processing Function are filtered
to avoid nuisance faults. As actuator commands are computed
they are immediately passed to an output buffer where a 10
KHz free running digital to analog converter generates analog
commands for the actuator control electronics.
Figure 6 shows the primary actuator interface with the EFCS.
All four FCCs are connected to each actuator. Outputs from
all for FCCs are summed at each of the four Electrohydraulic
Servo Valves. This actuator interface functions as an output
voting node which will absorb FCC output faults and prevent
these faults from propogating to the control surfaces. A faulty
output form any FCC is counter-balanced and isolated from
IEEE AES MAGAZINE, July 1992
 ROLL ROLL PITCH
AUTO STABILIZER
TRIM AUTOPILOT AUTOPILOT
ACTUATOR
ACTUATOR

Fig. 6. FCC Actuator Interface

ACTUATOR ACTUATOR ACTUATOR

7
ACTUATOR

SCEFC -
I - FCS

SPOILER SPOILER SPOILER SPOILER

ACTUATOR ACTUATOR ACTUATOR ACTUATOR

Fig. 7. SCEFC Actuator Interface

29
IEEE AES MAGAZINE, July 1992
the control surface. The Output Signal Management (OSM)
software function in each FCC compares local channel actuator
data with cross channel data transmitted via the CCDL from
the other FCCs to detect, identify, and remove local faults.
the FCCs also control actuator shut off valves (SOVs) which
are used to disconnect faulty actuator channels.
Figure 7 illustrates the secondary actuator interface with the
SCDRCs.
MFCS OVERVIEW
The Mechanical Flight Control System (MFCS) provides
backup control to the full authority quad Electronic Flight
Control System. It is a single channel system and consists of
linkages and cables from the pilot’s control stick and rudder
pedals to the mechanical input of the elevator, aileron, and
lower rudder.
SPECIFIC FAILURE MODES
Some specific failure modes that the C- 17 FCS was designed
to cope with are a jammed control stick, triplex or two-on-two
failures, and generic software errors. To deal with a jammed
stick, the stick includes both force sensors and position sensors.
The force sensors are located near the top of the stick and the
position sensors are located at the base of the stick below the
floor. During normal operation the position sensor commands
are processed to control the vehicle. The FCS continually
compares the position sensor values with the force sensor
values. If there is a miscompare the system assumes that there
has been a stick jam and the system will switch to the force
sensors. For the triplex or two-on-two failures the system
reverts to the mechanical flight control system after these
failures. The generic software error possibility is addressed
bywatchdog timers. If there is a watchdog timer timeout in the
four computers the system will revert to mechanical. In addition
the crew has the option to manually select the mechanical
system.
FLIGHT TEST RESULTS
As of 4 December the C-17 program has flown 21 flights
and accumulated 48 hours of flight time. This highly successful
flight test rate has been due in large part to the C-17 flight
control system. During the early flight test program several
minor anomalies occurred. On flight # 2 , the redundancy
monitoring system detected that FCC # 3 had failed. The
computer was returned to the vendor for investigation and a
subtle timing margin problem was discovered and a modified
design developed. On flight # I O the ground controllers called
for a highly aggressive lateral stick input (a flight test unique
input). The pilots compiled and the flight control system
interpreted the input as a jammed stick and reverted to the force
control mode. The reversion transients were small, and the
flying qualities were level one. The aircraft returned to base
without incident. After a thorough engineering investigation
the system design was not changed-the system reacted
properly under the circumstances. On flight #11 the aircraft
was slowing (high AOA) with full flaps and landing gear
extended when the system reverted from the electronic flight
control mode to the mechanical mode. This was found to be
caused by defective lefthand pitot probes which caused the two
lefthand probes to disagree with the two right-hand probes.
Whenever there is a significant two-on-two sensor disagreement
the system is designed to revert to the mechanical mode. This
design will be changed so that if there are any air data system
failures the system will revert to a fixed gain electronic SCAS
instead of reverting to mechanical.
SUMMARY
The C-17 has compiled an impressive flight test record. This
is due in large part to the redundancy and robustness of the
flight control system. By combining the best features of an
electronic digital flight control system with the best features
of a mechanical system, the C-17 flight control system is
tolerant of a wide range of system faults.

Brian Kowal graduated from the University of Michigan in 1973 with a MSE in electrical engineering. From 1973 until
1977 he worked for Rockwell International on the development of the flight control system for the Space Shuttle’s approach
and landing tests. In 1977 he joined the Air Force and was assigned to the F- 16 System Program Office (SPO) at Wright
Patterson. After separating from the Air Force in 1981 , Mr Kowal joined the B-2 SPO where he led the development of
the B-2’s flight control system through first flight. He has led the C- 17 flight control system design effort since September
1989. Mr Kowal is a FAA flight instructor and holds an ATP certificate He is a member of Tau Beta Pi and Eta Kappa
Nu. He IS also a registered professional engineer in the State of California

Carl J. Scherz was employed at Vickers, Inc. from 1956to 1964, in the design, development, and testing of industrial
control systems. He received his Doctor of Science in Automatic Control Systems from Washington University, St. Louis,
in 1965. He has been employed by the McDonnell Douglas Corporation since 1965 in the development of control systems
and avionic equipment. He directed the development of the F- 15A Engine Air Inlet Control System. His next major project
involved the system design, development and flight testing of a Gust Alleviation and Ride Qualities Improvement System.
He was the Subsystem Manager for the design, development and flight testing of the F- 15E Flight Control System (FCS)
and Automatic Terrain Following System. Dr. Scherz has been working on the C- 17 FCS at Douglas Aircraft Corporation
since 1989. Dr. Scherz is presently the Business Unit Manager for C-17 FCS integration.

30 IEEE AES MAGAZINE, July I992

 Richard Quinlivan was born inNew York City on February 3, 1937. He received the BEE degree from Rensselaer
Polytechnic Institute in 1959 and the MS from Cornell University in 1961. He has been with the General Electric Company
since 1958 with assignments in Ithaca, New York and Binghamton, New York.
He was the principal investigator for the development and test of an Optimal Control Terrain Following System from
1962 to 1969 under sponsorship of the Flight Dynamics Laboratory, principal investigator for the development of Multimode
Flight Control Systems from 1970to 1974 under sponsorship of the Flight Dynamics Laboratory, and principle investigator
and technical manager for the Integrated Flight Fire Control System development and flight test from 1975 to 1980 under
sponsorship of the Flight Dynamics Laboratory and the Avionics Laboratory. He was Technical Director for the design
of the A-IO Low Altitude Safety and Targeting Enhancements (LASTE) program from 1987 to 1989. He has served as
a Technical Director of the C-17 Electronic Flight Control System since June of 1989.
Mr. Quinlivan is a member of the IEEE, the IEEEControl Systems Society, AIAA, Sigma Xi, Tau Beta Pi, Eta Kappa
Nu, and the SAE Aerospace Control and Guidance Committee.

LETTER TO EDITOR
Dear Sir:
Referring to the AESS charter, I find it encompasses
command and control. But I cannot recall any articles
addressing this subject in the magazine in recent times. Surely
the Gulf War provides a fertile field for articles on command
and control viewed in its broadest context.
I note a tendency for some authors to address this subject
in terms of computers. It covers much more than computers,
in my view.
The IFF problem on the ground has been the subject of some
discussion and interest and has been called as the cause of some
of the “friendly fire” casualties which occurred during the Gulf
War. Disconnects between the Navy and Air Force air tasking
orders have also been cited as a problem.
ECM, surely a vital adjunct of command and control, also
played a significant part in the air war successes in the Gulf
War. Much greater use of the GPS (Global Positioning System)
was also noted in the Gulf War as was the rapid unprecedented
operational deployment of the JSTARS system-a system still
in engineering development.
These developments are all contributors to better command
and control.
Can you stimulate and exhort your contributors to address
these and other interesting subjects in the command and control
arena so that the IEEE literature will more fully encompass
these topics?
Sincerely,
Rodney W. Unold, 0764514 LS
501 Nordhoff Drive
Fort Lee, NJ 07024

IEEE AES MAGAZINE, July I992 31