SAFETY-CRITICAL ADA ENVIRONMENT HELPS EJECTION SEAT SAVE LIVES/MONEY

BY DR. JASON HENDRICKS, SYSTEMS ENGINEER, MARTIN-BAKER; BRETT PORTER, SENIOR SOFTWARE ENGINEER, ADA CORE; LEE COTTER, NEW BUSINESS & PRODUCT DEVELOPMENT, TELEDYNE

MAT 2.6 | www.MAT-kmi.com

Talk about a safety-critical application! The U.S. Navy is using a new ejection seat sequencer that will catapult a pilot and co-pilot (and the seats) out of a damaged F-18, F-14, or T-45 within 0.2 seconds from the time the ejection handle is pulled. A complex, triple-redundant digital sequencer senses just the right speed and altitude and then deploys a , contained within the ejection seat, to ensure their safety.

The ejection seat is a safety-critical military application designed using all commercial-off-the-shelf (COTS) components and written using the Ada programming language. The project, which was a team effort of Martin Baker, Teledyne Electronic Safety Products, Ada Core Technologies, and the U.S. Navy, is known as FAST (Future Advanced Sequencer Technology). The COTS project resulted in a sequencer that cost half of its predecessor.

The electronic sequencer architecture and the Ada programming environment provided the requisite reliability for this project, and because of its tightly generated object code, helped developers meet size constraints. Because it is easy to follow/review, using Ada made it easier to make changes to the system for updates and maintenance. In fact, a modified version of the FAST sequencer will be deployed for the ejection seat used in the Joint Strike Fighter (JSF), and using Ada in FAST made the modifications quick and easy to review.

HOW IT WORKS

The ejection seat is formally the Navy Common Ejection Seat (NACES) and is controlled by the electronic FAST sequencer. Actually, the NACES FAST sequencer replaces an original NACES sequencer with a reduced cost, enhanced performance version. The sequencer is energized when the ejection handle is pulled, which then initiates the seat. After the seat has separated from the aircraft during an escape, the sequencer controls all major automatic sequencing functions.

The NACES FAST sequencer is equipped with its own environmental sensors that provide information from which decisions about the correct and optimum sequencing strategy can be made. Sequencing requirements are primarily a function of the initial ejection conditions of airspeed and pressure altitude. Under many situations, the sequencer further modifies the sequence timings in response to the actual progress of the ejection. This not only ensures highly optimized seat performance, but also provides a degree of resiliency to unlikely and unexpected events that could otherwise compromise crew recovery.

Two thermal batteries that are activated at the time of seat initiation power the sequencer. Dual redundant electrical start switches, operated by pyrotechnic gas pressure, form an important safety feature. The sequencer senses switch operation and then executes an ejection sequence, precluding inadvertent initiation of the seat pyrotechnic devices until the seat has physically departed the aircraft.

Figure: NACES/FAST sequencer. The “FAST” is a major upgrade to the original NACES version although the housing remains essentially the same.

The first operation is Drogue Deployment. As the seat separates from the aircraft during ejection, the sequencer, at a fixed point in time, initiates drogue deployment in all ejections. Just after the drogue deployment, the Environmental Sensing Time Window operation begins, in which the sequencer’s onboard sensors record the seat acceleration/deceleration (due to aerodynamic drag), the pitot pressure, and the base pressure (pressure behind the seat). These measurements allow the sequencer to determine the ejection speed and pressure altitude conditions.

FOUR MODES OF OPERATION

At this point, the ejection seat has four modes of operation related to ejection airspeed and altitude conditions. These include:

Zero/Zero Mode: under low speed/low pressure altitude ejection conditions (up to 90 KEAS and below 18000 feet), the main parachute is deployed at the earliest practicable (fixed) time after ejection in order to maximize terrain clearance. Inhibiting drogue deployment is not possible because it is initiated before environmental sensing. As such, the drogue bridle is released before the drogue lines are taut (as soon as the mode decision is made), effectively disabling the deployment phase.

Low (Altitude) Drogue Mode with Continuous Sensing: a seat stabilizing/retarding drogue phase occurs, which is required when the ejection occurs at either a significant airspeed or significant air pressure altitude. The sensed acceleration, pitot pressure, and base pressure values are used to give a prediction of the parachute deployment time when the velocity of the seat has decayed such that peak parachute inflation loads will fall within required limits. The aim is to optimize seat performance by limiting the parachute inflation load to 17 “g”s at altitude between 0 and 8000 feet, progressively reducing to 10 “g”s at 18000 feet as the risk of terrain proximity diminishes.

Low (Altitude) Drogue Mode No Continuous Sensing: for ejections occurring at altitudes below 18000 feet with velocities that lie between the Zero/Zero Mode and Low Drogue Mode with Continuous Sensing. A seat stabilizing/retarding drogue phase is employed but, unlike the Low Drogue with Continuous Sensing Mode, the time at which the main parachute extraction occurs is based on pre-determined timings calculated from the values of the sensed ejection conditions.

High (Altitude) Drogue Mode: at ejections in excess of 18000 feet, a drogue phase is extended until such time as the sequencer senses the seat has descended below the 18000 feet fall-through boundary, at which time the main parachute is deployed. This ensures that the seat occupant is recovered to more benign atmospheric conditions in the shortest possible time. In this mode, a minimum deployment timing of 4.62 seconds from the start switch is enforced to cater for ejections occurring close to the mode boundary altitude, eliminating any possibility of parachute deployment at excessive airspeed.

NO SINGLE POINT OF FAILURE

The sequencer hardware/software has been configured to eliminate single point failures. For the most part, this is achieved by a triple-redundant hardware architecture that uses hardware/software-voting logic. In addition, appropriate failure detection and correction measures have been incorporated to maintain the “no single point failure” philosophy.

The sequencer comprises three microprocessor control channels, each essentially performing the same operations. Each channel has an electrical power supply, microprocessor, memory, inter-channel communications, sensors, signal communication elements (filtering, sampling, and A-D converters), hardware voters, and outputs.

The sequencer senses environmental parameters such as seat absolute base pressure (air pressure behind the seat), seat absolute pitot pressure, and acceleration in three axes. In addition, each channel senses the state of the two start switches. The outputs are four five high-current electrical squib-fire signals for initiation of electro-explosive devices mounted within the seat pyrotechnic cartridges. These include the drogue deployment device, drogue bridle attachments release, parachute deployment device, primary and backup seat harness attachments release, and backup seat harness attachments release.

Once energized, each channel processes with its own inputs and makes provisional decisions. The three channels then cross-compare their individual results to harmonize the outputs, and to protect against erroneous decisions made by a malfunctioning channel. Hardware voting provides a further level of protection against incorrect outputs by preventing one channel alone from initiating an electro-explosive device.

The sequencer has a substantial non-volatile memory for keeping a comprehensive record of the ejection history (environmental sensing, decisions, and voting) as it progresses. This data can later be downloaded to facilitate a detailed analysis of the ejection sequence.

The NACES design was tested at extreme speeds and altitudes, as well as more benign conditions, and has been proven extremely reliable. The first production of the original NACES flew in an F-14D in February 1990 and since that time, hundreds of seats have been delivered to the U.S. Navy, most of which are now in service.

For additional stories related to this subject, search our online archives: www.MAT-kmi.com
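
The channel cross-comparison and single-channel lockout described under NO SINGLE POINT OF FAILURE can be shown in Ada as follows. This is an added example, not code from the FAST project: every type and subprogram name is an assumption, the two Low Drogue modes are merged because the article gives no airspeed boundary between them, and the sensor readings are constructed.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Voter_Demo is
   --  Added illustration; names and types are assumptions. The two Low Drogue
   --  variants are merged because the article gives no boundary between them.
   type Mode is (Zero_Zero, Low_Drogue, High_Drogue);
   type Channel is (Ch_A, Ch_B, Ch_C);
   type Knots is range 0 .. 1_000;        --  equivalent airspeed (KEAS)
   type Feet  is range -2_000 .. 60_000;  --  pressure altitude
   type Reading is record Speed : Knots; Alt : Feet; end record;
   type Readings   is array (Channel) of Reading;
   type Mode_Votes is array (Channel) of Mode;
   type Fire_Votes is array (Channel) of Boolean;

   --  One channel's provisional decision from its own sensors
   --  (exactly 18000 ft is treated as "below" here, an assumption).
   function Classify (R : Reading) return Mode is
     (if    R.Alt > 18_000 then High_Drogue
      elsif R.Speed <= 90  then Zero_Zero
      else                      Low_Drogue);

   --  Cross-comparison: a mode is accepted only when two channels agree.
   procedure Vote (V : Mode_Votes; Result : out Mode; Agreed : out Boolean) is
   begin
      Agreed := True;
      if V (Ch_A) = V (Ch_B) or else V (Ch_A) = V (Ch_C) then
         Result := V (Ch_A);
      elsif V (Ch_B) = V (Ch_C) then
         Result := V (Ch_B);
      else
         Result := V (Ch_A);
         Agreed := False;  --  three-way split: caller must not trust Result
      end if;
   end Vote;

   --  2-of-3 squib vote: one channel alone can never fire a device.
   function Fire (F : Fire_Votes) return Boolean is
     ((F (Ch_A) and F (Ch_B)) or (F (Ch_A) and F (Ch_C)) or (F (Ch_B) and F (Ch_C)));

   --  Constructed sample: channel C carries a faulty altitude reading.
   Sensed : constant Readings :=
     (Ch_A => (250, 9_000), Ch_B => (252, 9_100), Ch_C => (250, 25_000));
   Votes  : Mode_Votes;
   Chosen : Mode;
   Ok     : Boolean;
begin
   for C in Channel loop
      Votes (C) := Classify (Sensed (C));
   end loop;
   Vote (Votes, Chosen, Ok);
   Put_Line ("Mode " & Mode'Image (Chosen) & ", majority " & Boolean'Image (Ok));
   Put_Line ("Lone channel fires: " & Boolean'Image (Fire ((True, False, False))));
end Voter_Demo;
```

With the constructed readings, channel C's out-of-family altitude is outvoted by the two agreeing channels, and a fire request from a single channel is rejected.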
