Simulating Faults in Integrated Systems and their Impact on the Aircraft

Aparna Kansal & Amy PritchettGeorgia Institute of Technology, Atlanta, GA

This work is funded by NASACurtis E. Hanson, Technical Monitor

Simulating Faults in Integrated Systems and their Impact on the Aircraft

33rd Digital Avionics Systems ConferenceOctober 5-9, 2014

Introduction

2

Aparna Kansal | 33rd Digital Avionics Systems Conference 3

Complex Integrated Aircraft Systems

Autopilot

Pilots

Fault Management

Adaptive Control

Sensors

Control Surfaces

4

Complex Systems

System Behavior

• Cannot be determined just by study of component behavior

Addition of Components • Increases system complexity

Safety and Hazards

• Difficult to consider all hazards in design

Emergence• Dynamic interactions between

components can cause unexpected behavior

Characteristics of Complex

SystemsConvenience

• Distributed, no central control• Convenient to develop system

components independently• Ease of maintenance and updating• Concept of emergence

Aparna Kansal | 33rd Digital Avionics Systems Conference

5Aparna Kansal | 33rd Digital Avionics Systems Conference

“Aerospace Recommended Practice 4754 Rev. A: Guidelines for Development of Civil Aircraft and Systems”, 2010.

Existing Guidelines for Validating Aircraft Components

Their Concerns: Conventional safety assessment

techniques inadequate Non-deterministic developmental

errors Unavailability of suitable numerical

methods for characterizing errors Large number of test cases required

Their Suggestions: Qualitative approach Top-down iterative approach from

aircraft-level downwards

Guidelines and recommended practices adopted by aircraft regulatory authorities large-scale aircraft systems

Functional System

Electronic Hardware Development Life-Cycle

(DO-254/ ED-80)

System Design

Information

Function, Failure & Safety Information

Safety Assessment Process Guidelines & Methods

(ARP 4761)

Aircraft & System Development Processes

(ARP 4754/ ED-79)

Guidelines for Integrated Modular Avionics (DO-297/ ED-124)

Software Development Life-Cycle

(DO-178C/ ED-12C)

Safety Assessment of Aircraft in Commercial Service (DO-178C/ ED-12C)

Operation

Development Phase In-Service/Operational Phase

Intended Aircraft

Function

Validation can be streamlined by directing testing around the construct of axioms, i.e.,• Assumptions and design considerations, and • System-level interactions due to the violation of these axioms

Simulation Approach

6


Simulation Framework

Simulation-based model to identify emergent behavior arising due to interactions between aircraft components in an integrated system, through the violation of their key axiomatic conditions

• Component functions• Axiomatic set of

Conditions• Communication

Channels

• Aircraft dynamics• Aircraft state

variables

System Components

Aircraft

External Agent

• Violate axiom• Introduce

disturbance/fault

Simulation Framework Elements


Simulation Execution

Identify component functions

Implement in simulation framework

Simulate fault introduction and recovery

• Apply model in simulation environment, introduce fault and recovery at fixed times

• Integrate components, apply aircraft model, set up faults due to axiom violation

• Emulate components as dynamic representations of key functions


Scripts

Work Models

Simulation Environment: Work Models that Compute (WMC)

Actions

Agents

Resources

Scenario

Aircraft

Components

Environment

Resources

Case Study

10

Motivation

Script

Fault Management

Axiom:No control

reversal, sign is always known

6 DOF Aircraft

Sensors

Adaptive Control

Introduce Fault

Fault Detection Time

Repair Fault

12Aparna Kansal | 33rd Digital Avionics Systems Conference

Rudder Reversal USAir Flight 427, Boeing 737-300(September 8, 1994)

Rudder pedal/yaw damper input

Hydraulic Power Control Unit Input rod

Servo Valve slide movement

Rudder Panel movement

Wake Turbulence

Sudden yaw damper input rod movement

Servo valve slides jam

Left rudder movement with right input

Abnormal Condition Axiom:• Servo valve cannot jam/only

jam temporarily• Rudder application in

opposite direction will cause rudder to move towards neutral position

Complex System

Conditions

System Behavior

Axiom Violation


Elevator Reversal: Simulation Configuration in WMC Co

mpo

nent

s •Adaptive Control: Adapts to change in dynamics to maintain aircraft stability

•Fault Management: Checks aircraft state and reports any fault to adaptive control

Axio

ms •Adaptive Control:

Direction of pitching moment is known for given elevator input

•Fault Management: Detect and notify fault to the adaptive control before loss of control

Airc

raft

Sta

te•6DOF Aircraft in continuous descent for landing from 31000 ft

•Aircraft state updated every 0.05 seconds

•Monitor elevator angle, altitude, vertical speed and pitch angle

Faul

t Int

rodu

ction

•Elevator reversal: Alt 10000 ft, IAS<250 kts, time 1000 sec

•Fault detected after certain time, updated to adaptive control

•Fault duration is varied

ADB C


Elevator Reversal: Study

Onset of Control Reversal

1 sec

2 sec

5 sec

10 sec

12 sec

Conclusion

15


Contributions

Outcomes from Case Study• Component failures can be simulated by violating component axioms to identify their

impact on the integrated system and the aircraft.• Such simulations can identify requirements for other components• The timing of components executing a task is an important criteria to consider

WMC Simulation Environment• Ability to allow a range of component models• Allows each component to specify its own update time • Using shared format for storing data as resources allows for simple models to be

generated quickly• Incorporating simple representations of component models is sufficient to obtain an

initial understanding of the effects of violating axioms• Its streamlined form allows for a large number of runs examining a number of test

cases in lesser time• As the design and test program progresses, potential also exists to include progressively

detailed – and ultimately complete – models of the components


Contributions

Focusing Test Cases on Component Axioms• Helps quickly focus test cases on probable, though unexpected, adverse behaviors• Helps identify possible emergent behavior due to violation of assumptions made for the

functioning of the aircraft components• Looks at the effect on the integrated system as a whole when axioms of any component are

violated, which is required for validation of complex systems


Acknowledgements

Mr. Curtis E. Hanson, NASA Armstrong Flight Research Center, Technical Monitor

VELCRO Research Team

CEC Lab Members

This work is sponsored by:The National Aeronautics and Space Administration


References

Johnson, E.N. and Calise, A.J., “Limited Authority Adaptive Flight Control for Reusable Launch Vehicles,” AIAA Journal of Guidance, Control, and Dynamics, Vol. 26, No. 6, pp. 906-913, 2003.

Johnson, E.N. and Pritchett, A.R., “Generic Pilot and Flight Control Model for Use in Simulation Studies,” AIAA Modeling and Simulation Technologies Conference, 2003.

Pritchett, A.R., Feigh, K.M., Kim, S.Y. and Kannan, S., “Work Models that Compute to Support the Design of Multi-Agent Concepts of Operation,” AIAA Journal of Aerospace Information Systems, to appear 2014.

Thank You!

Questions?

20

Simulating Faults in Integrated Systems and their Impact on the Aircraft

Documents

Transcript of Simulating Faults in Integrated Systems and their Impact on the Aircraft