Simulating Faults in Integrated Systems and their Impact on the Aircraft
33rd Digital Avionics Systems Conference, October 5-9, 2014
Aparna Kansal & Amy Pritchett, Georgia Institute of Technology, Atlanta, GA
This work is funded by NASA; Curtis E. Hanson, Technical Monitor

Introduction

Complex Integrated Aircraft Systems
[Figure: an integrated aircraft system linking Sensors, Fault Management, Adaptive Control, Autopilot, Control Surfaces and Pilots]
Aparna Kansal | 33rd Digital Avionics Systems Conference

Complex Systems
System behavior
• Cannot be determined just by study of component behavior
Addition of components (convenience)
• Increases system complexity
Characteristics of complex systems
• Distributed, no central control
• Convenient to develop system components independently
• Ease of maintenance and updating
• Concept of emergence
Safety and hazards (emergence)
• Difficult to consider all hazards in design
• Dynamic interactions between components can cause unexpected behavior

Existing Guidelines for Validating Aircraft Components
Guidelines and recommended practices adopted by aircraft regulatory authorities:
Development phase
• Intended Aircraft Function
• Function, System Failure & Safety Information
• Design Information
• Aircraft & System Development Processes (ARP 4754/ED-79)
• Guidelines & Methods for the Safety Assessment Process (ARP 4761)
• Integrated Modular Avionics (DO-297/ED-124)
• Electronic Hardware Development Life-Cycle (DO-254/ED-80)
• Software Development Life-Cycle (DO-178C/ED-12C)
In-service/operational phase
• System Operation
• Safety Assessment of Aircraft in Commercial Service
Their concerns:
• Conventional safety assessment techniques are inadequate for large-scale aircraft systems
• Non-deterministic developmental errors
• Unavailability of suitable numerical methods for characterizing errors
• Large number of test cases required
Their suggestions:
• Qualitative approach
• Top-down iterative approach from aircraft level downwards
Validation can be streamlined by directing testing around the construct of axioms, i.e.,
• Assumptions and design considerations, and
• System-level interactions due to the violation of these axioms
"Aerospace Recommended Practice 4754 Rev. A: Guidelines for Development of Civil Aircraft and Systems", 2010.

Simulation Approach

Simulation Framework
Simulation-based model to identify emergent behavior arising from interactions between aircraft components in an integrated system, through the violation of their key axiomatic conditions.
Simulation framework elements:
System components
• Component functions
• Axiomatic set of conditions
• Communication channels
Aircraft
• Aircraft dynamics
• Aircraft state variables
External agent
• Violate axiom
• Introduce disturbance/fault

Simulation Execution
• Identify component functions: emulate components as dynamic representations of key functions
• Implement in simulation framework: integrate components, apply aircraft model, set up faults due to axiom violation
• Simulate fault introduction and recovery: apply model in simulation environment, introduce fault and recovery at fixed times

Simulation Environment: Work Models that Compute (WMC)
[Figure: WMC simulation environment with Scenario Scripts, Work Models, Environment, Agents, Actions, Resources and Aircraft Components]

Case Study

Motivation
[Figure: case-study configuration: a Script introduces and repairs a fault in the 6 DOF Aircraft; Sensors feed Fault Management, which notifies Adaptive Control after a Fault Detection Time]
Axiom: no control reversal; the sign of the control response is always known.

Rudder Reversal: USAir Flight 427, Boeing 737-300 (September 8, 1994)
Complex system (chain of components):
• Rudder pedal/yaw damper input
• Hydraulic Power Control Unit
• Input rod
• Servo valve slide movement
• Rudder panel movement
Axioms:
• Servo valve cannot jam, or can only jam temporarily
• Rudder application in the opposite direction will cause the rudder to move towards the neutral position
Abnormal condition and axiom violation:
• Wake turbulence conditions
• Sudden yaw damper input rod movement
• Servo valve slides jam
System behavior:
• Left rudder movement with right input

Elevator Reversal: Simulation Configuration in WMC
Components:
• Fault Management: checks aircraft state and reports any fault to adaptive control
• Adaptive Control: adapts to change in dynamics to maintain aircraft stability
Axioms:
• Fault Management: detect and notify fault to the adaptive control before loss of control
• Adaptive Control: direction of pitching moment is known for a given elevator input
Aircraft state:
• 6DOF aircraft in continuous descent for landing from 31000 ft
• Aircraft state updated every 0.05 seconds
• Monitor elevator angle, altitude, vertical speed and pitch angle
Fault introduction:
• Elevator reversal: altitude 10000 ft, IAS < 250 kts, time 1000 sec
• Fault detected after a certain time, then updated to adaptive control
• Fault duration is varied

Elevator Reversal: Study
[Figure: time histories of the monitored states for fault durations of 1 sec, 2 sec, 5 sec, 10 sec and 12 sec, with the onset of control reversal marked]

Conclusion

Contributions: Outcomes from Case Study
• Component failures can be simulated by violating component axioms to identify their impact on the integrated system and the aircraft.
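The elevator-reversal configuration described in the case study (a script introduces and later repairs the fault, fault management reports it after a detection delay, and adaptive control re-learns the sign of the elevator response) can be illustrated with a small stand-alone model. The code below is an added example written for this page, not the authors' WMC implementation or their 6DOF aircraft; the one-axis pitch model, controller gains, constant disturbance, fault-management schedule and the 30-degree loss-of-control threshold are all assumed for illustration, and the monitor's ability to observe the true elevator sign is likewise an assumption.

```python
"""Added example: axiom-violation fault simulation in the spirit of the WMC study.
Not the authors' code. Dynamics, gains, delays and thresholds are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DT = 0.05        # aircraft state update interval (s), as in the case study
LOC_DEG = 30.0   # assumed: pitch error beyond this counts as loss of control


@dataclass
class Aircraft:
    """Assumed 1-DOF pitch model: q' = k*sign*elevator - damping*q + disturbance."""
    theta_cmd: float
    theta: float
    q: float = 0.0
    k: float = 4.0            # elevator effectiveness, deg/s^2 per deg (assumed)
    damping: float = 0.5      # pitch damping, 1/s (assumed)
    disturbance: float = 2.0  # constant nose-up moment, deg/s^2 (assumed)
    sign: int = +1            # +1 normal; -1 while the reversal fault is active

    def step(self, elevator: float) -> None:
        q_dot = self.k * self.sign * elevator - self.damping * self.q + self.disturbance
        self.q += q_dot * DT
        self.theta += self.q * DT

    @property
    def error(self) -> float:
        return self.theta - self.theta_cmd


@dataclass
class AdaptiveControl:
    """PD pitch hold. Axiom: the sign of the pitching moment per unit elevator is known.
    Adaptation here is limited to re-learning that sign when fault management reports it."""
    assumed_sign: int = +1
    kp: float = 1.2
    kd: float = 1.5
    limit: float = 15.0   # elevator travel limit, deg (assumed)

    def command(self, ac: Aircraft) -> float:
        u = -(self.kp * ac.error + self.kd * ac.q) * self.assumed_sign
        return max(-self.limit, min(self.limit, u))

    def notify(self, sign: int) -> None:
        self.assumed_sign = sign


@dataclass
class FaultManagement:
    """Samples aircraft state every check_steps and reports a changed sign to the
    controller detect_steps later (the 'fault detected after a certain time' knob)."""
    check_steps: int
    detect_steps: int
    reported: int = +1
    pending: list = field(default_factory=list)   # (report_step, sign)

    def update(self, step: int, ac: Aircraft, ctl: AdaptiveControl, log: list) -> None:
        if step % self.check_steps == 0:
            observed = ac.sign   # assumed: the monitor can observe the violated axiom
            if observed != self.reported and all(s != observed for _, s in self.pending):
                self.pending.append((step + self.detect_steps, observed))
        for item in [p for p in self.pending if p[0] <= step]:
            self.pending.remove(item)
            self.reported = item[1]
            ctl.notify(item[1])
            log.append((step, item[1]))


@dataclass
class Result:
    lost_control: bool
    loc_step: Optional[int]
    max_error: float
    notifications: List[Tuple[int, int]]   # (step, sign) as delivered to the controller


def run(fault_start: float, fault_duration: float, detect_delay: float,
        check_period: float = DT, horizon: float = 20.0) -> Result:
    """Scripted scenario: violate the sign axiom at fault_start, repair it
    fault_duration later, stop at loss of control or at horizon."""
    ac = Aircraft(theta_cmd=-3.0, theta=-3.0)   # shallow descent attitude (assumed)
    ctl = AdaptiveControl()
    fm = FaultManagement(round(check_period / DT), round(detect_delay / DT))
    start, stop = round(fault_start / DT), round((fault_start + fault_duration) / DT)
    log, max_err = [], 0.0
    for step in range(round(horizon / DT)):
        ac.sign = -1 if start <= step < stop else +1   # script: axiom violated / repaired
        fm.update(step, ac, ctl, log)
        ac.step(ctl.command(ac))
        max_err = max(max_err, abs(ac.error))
        if abs(ac.error) > LOC_DEG:
            return Result(True, step, max_err, log)
    return Result(False, None, max_err, log)


if __name__ == "__main__":
    for delay in (0.0, 0.5, 1.0, 2.0):
        r = run(fault_start=5.0, fault_duration=5.0, detect_delay=delay)
        print(f"detect delay {delay:3.1f} s: lost_control={r.lost_control} "
              f"max_error={r.max_error:6.1f} deg notifications={r.notifications}")
    r = run(fault_start=5.0, fault_duration=0.5, detect_delay=1.0)
    print(f"short fault, late report: notifications={r.notifications} "
          f"lost_control={r.lost_control}")
```

Sweeping the detection delay reproduces the shape of the case study: with the sign reported immediately the closed loop is unchanged and the reversal is harmless, while a two-second delay leaves the controller driving positive feedback long enough to pass the loss-of-control threshold before the repair. The last scenario shows the timing interaction the deck singles out: a half-second fault that is repaired before the one-second report arrives still causes fault management to tell the controller the elevator is reversed after the aircraft is already normal, so the controller is wrong-signed on a healthy aircraft until the next report; whether that tips this assumed model into loss of control is something to read off the run rather than assume.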
• Such simulations can identify requirements for other components.
• The timing of components executing a task is an important criterion to consider.

Contributions: WMC Simulation Environment
• Ability to allow a range of component models
• Allows each component to specify its own update time
• Using a shared format for storing data as resources allows simple models to be generated quickly
• Incorporating simple representations of component models is sufficient to obtain an initial understanding of the effects of violating axioms
• Its streamlined form allows a large number of runs examining a number of test cases in less time
• As the design and test program progresses, potential also exists to include progressively detailed, and ultimately complete, models of the components

Contributions: Focusing Test Cases on Component Axioms
• Helps quickly focus test cases on probable, though unexpected, adverse behaviors
• Helps identify possible emergent behavior due to violation of assumptions made for the functioning of the aircraft components
• Looks at the effect on the integrated system as a whole when axioms of any component are violated, which is required for validation of complex systems

Acknowledgements
Mr. Curtis E. Hanson, NASA Armstrong Flight Research Center, Technical Monitor
VELCRO Research Team
CEC Lab Members
This work is sponsored by the National Aeronautics and Space Administration.

References
Johnson, E.N. and Calise, A.J., "Limited Authority Adaptive Flight Control for Reusable Launch Vehicles," AIAA Journal of Guidance, Control, and Dynamics, Vol. 26, No. 6, pp. 906-913, 2003.
Johnson, E.N. and Pritchett, A.R., "Generic Pilot and Flight Control Model for Use in Simulation Studies," AIAA Modeling and Simulation Technologies Conference, 2003.
Pritchett, A.R., Feigh, K.M., Kim, S.Y. and Kannan, S., "Work Models that Compute to Support the Design of Multi-Agent Concepts of Operation," AIAA Journal of Aerospace Information Systems, to appear 2014.

Thank You! Questions?