Improved fault diagnostics of a dynamic aircraft fuel system using the
advertisement
Aven CH100.tex 17/5/2007 10: 45 Page 801 Risk, Reliability and Societal Safety – Aven & Vinnem (eds) © 2007 Taylor & Francis Group, London, ISBN 978-0-415-44786-7 Improved fault diagnostics of a dynamic aircraft fuel system using the digraph approach E.M. Kelly & L.M. Bartlett Loughborough University, Loughborough, Leicestershire, UK ABSTRACT: Fault diagnosis has developed into an integral part of engineering applications. Within the increasing safety conscious climate of today’s world, prompt detection, diagnosis and rectification of faults is imperative to the operation of a system. In the case of commercial aircraft, efficient diagnosis can minimise both the financial cost of downtime and the disruption caused to passenger travel. The diagnostic method described in this paper is based on the application of the digraph procedure. Digraphs model the information flow, and hence fault propagation, through a system. A computational method has been successfully developed to conduct the fault diagnostics process and produce a list of the determined fault combinations. Guidelines are provided for a mechanism to further identify the most likely cause(s) of a given deviation. This paper looks in detail at the application of the diagnostic method to a commercial aircraft fuel system with integrated control. 1 INTRODUCTION The occurrence of failures within a system can cause disruption to the operational stability. Fault diagnosis has therefore become a primary objective in engineering applications. It is concerned with the isolation of underlying causal faults that can lead to an observable effect in a monitored process. Effective detection of system faults decreases downtime and consequently enhances operational stability (Papadopoulos & McDermid 2001). Traditional approaches employed to identify faults involved using testing algorithms to detect single failures (Novak et al. 2000, Pattipati & Alexandridis 1990). In using this approach, prospective faults are highlighted through the running of a series of tests at a particular point in time. The tests are comprised from symptoms that are related to specific system faults. The effectiveness of the method has been proven when determining single faults in a system with a known period of inactivity. Difficulties are noted when considering the complexities of multiple fault combinations. In an effort to address the diagnosis of multiple faults, extensions to the sequential testing technique have been developed and implemented (Shakeri et al. 2000). Some recent approaches have used reliability assessment tools such as Failure Modes and Effects Analysis (FMEA) (Price 1997, Price & Taylor 1997) and fault tree analysis (Hurdle et al. 2005). Attempts have been made to automate the FMEA process and increase its effectiveness through decreasing the time required for analysis. A different method (Papadopoulos et al. 2004) proposes translating the information contained in a network of interconnected fault trees into FMEA style tables. Variability in the performance of these methods is noted with increased system complexity. Digraphs, also known as signed directed graphs (Vedam & Venkatasubramanian 1997, Palmer & Chung 2000), illustrate specific fault propagations through a system. They are a type of causal model, clearly representing the cause and effect behaviour within a system. Causal models can be employed in fault diagnosis to reason about the behaviour of processes under normal and abnormal conditions (Maurya et al. 2003). The characteristics associated with modern day systems require fault diagnosis to incorporate both adaptability and identification of multiple faults (Venkatasubramanian et al. 2003). Modern systems are normally required to operate in more than one mode. An ideal diagnostic procedure would therefore incorporate an adaptable scope. This paper applies a fault diagnostics strategy based on using digraphs to the fuel system of a Boeing 777-200 aircraft. A brief insight into digraphs through considering their representation of fault propagations in a system is considered. The results yielded through automating the fault diagnostics process are reviewed along with suggestions for ‘honing-in’ on the most probable fault cause from the complete list of fault causes produced for a specific situation. 801 Aven CH100.tex 17/5/2007 10: 45 Page 802 2 THE DIGRAPH METHOD 2.1 Description A digraph (Kohda & Henley 1988) is constructed from a set of nodes and edges. The nodes represent system process variables and the edges connecting the nodes illustrate the interrelationships that exist between components in a system. Nodes are also used to represent component failure modes; whereby a signed edge connecting a failure mode node to a process variable node indicates the resulting disturbance caused by the failure mode. Digraph nodes contain an alphanumeric label which symbolises a specific process variable or component failure mode. With regards to process variable nodes, the numeric section of the label corresponds to a precise location in the application system. The precursor to the numeric section indicates the type of process variable the node represents. Examples of process variables include temperature, mass flow, pressure and signals from sensors. Following the same order, these would be represented in nodes by the precursors T, M, P and S. Process variable deviations (Andrews & Morgan 1986, Andrews & Brennan 1990) are expressed as one of five discrete values: +10, +1, 0, −1 and −10 corresponding to large high, small high, normal, small low and large low deviations. A simple digraph is illustrated in Figure 1. In the simple digraph illustration it can be noted that P1 and P2, the nodes, are connected by three edges. The alphanumeric code P1 represents pressure at location one. The edge with a gain of +1 is considered to be the normal edge since this represents the relationship that is normally true; pressure at location one has a positive effect on pressure at location two. The second and third edges in the illustration are termed conditional edges since their relationship is only true whenever the condition represented by ‘:’ exists. It must be noted that only one edge is true at any one time. An unexpected process deviation within a system is represented by ‘highlighting’ the respective node in the digraph. Subsequent propagation of the deviation through the system is conducted by marking all of the nodes which were affected by the initial highlighting. This process, termed ‘back-tracing’, is described further in Section 5.3. 2.2 Figure 1. A simple digraph relevant component failures of the system are compiled. A failure mode code is then attached to each fault. The system is also separated into sub-units and components. 2 Digraph Generation: The unit digraph models for the sub-units, previously noted in step one, are generated. All process variable deviations which could have an effect on the variables in the model are taken into consideration. The extent of the effect any disturbance may have on the system with regards to the assigning of discrete values is also noted. The system digraph is formed by connecting common variables from the sub-unit models. The fault diagnostics process is conducted using the system digraph. System behaviour can be monitored using data retrieved from sensors. In a given mode of operation the system would have a set of expected sensor readings. These are compared with the actual system readings during the diagnostics procedure (Steps 3 to 5) to identify the presence of any deviations. 3 Determination of System Deviations: The expected system sensor readings are noted. The actual sensor readings from the system are retrieved and then compared with those expected to determine the existence of any deviations. 4 Flagging of Non-Deviations: Non-deviating sensor nodes in the digraph are ‘flagged’. It is assumed that a non-deviating reading indicates the absence of a failure. 5 Back-tracing Process: If a sensor registers a deviation then fault diagnosis involves back-tracing through the system digraph from the node which represents the location of the given deviation. The back-tracing process ceases once either (i) a flagged section is reached or (ii) no more back-tracing is possible. For multiple deviating sensors the diagnostic results obtained through back-tracing from each deviating node are ANDed together. All potential fault causes are listed at the end of the fault diagnostics procedure. Procedure A generalized procedure outlining the main steps involved in developing a system digraph is provided: 3 1 System Analysis: Firstly the system under investigation is defined. A specific number is allocated to each component so generating a straightforward location reference approach for process variables and component failure modes at a given point. All The Boeing 777-200 is a twinjet aircraft that entered into revenue service in the middle of 1995. Fuel is stored in three tanks; the left main, centre and right BOEING 777-200 FUEL SYSTEM 3.1 System architecture 802 Aven CH100.tex 17/5/2007 10: 45 Page 803 – Phases Three & Four: Fuel can be transferred from one wing to the other by opening one of the crossfeed valves and shutting off the pumps on the side to which fuel is being transferred. – Phase Five: For cases whereby the fuel pumps are switched off and the cross-feed valves are closed, engine feed can occur through suction via the suction bypass valves in the main tanks. 3.3 Monitoring system behaviour Figure 2. Boeing 777-200 fuel system (left side). main. A surge tank is situated outboard of each main tank; the function of which is to temporarily hold fuel that flows due to aircraft turns, thermal expansion or overfilling. The 777-200 fuel system can hold a total of 117,400 litres; 35,200 in each main tank and 47,000 in the centre tank. Figure 2 provides an illustration of the left side of the Boeing 777-200 fuel system.The right side exhibits a similar structure. The engine feed operating mode is the only phase considered in this analysis. The components of interest in the engine feed mode are briefly described in Section 3.2. 3.2 Engine feed operating mode The main purpose of the engine feed operating mode is to supply fuel to the engines from the main and centre tanks. Six powered fuel pumps supply fuel to the engines. These pumps have individual control switches and are controlled manually by the pilot. The centre tank has two override/jettison pumps that operate at higher pressures than the main tank pumps. Each main tank comprises a forward boost and aft boost pump. Fuel scavenge pumps transfer fuel from the bottom of the centre tanks to the main tanks once fuel levels in both of the tanks are low enough. Float operated shut off valves ensure that the transfer process does not start whilst the tank levels are considered to be ‘too high’. Two manually controlled cross-feed valves connect the left and right sides of the fuel system and so allow the transfer of fuel from one side to the other. Spar valves permit the transfer of fuel from the engine feed manifold to the engines. The spar valves are controlled by the pilot via the fuel control switch in the cockpit. The engine feed operating mode is subdivided into five operational phases. The five phases represent the manner in which engine feed can be conducted: – Phase One: Fuel is pumped from the centre tank into the engine feed manifold by the jettison/override pumps. – Phase Two: Once the centre tank is nearly empty, fuel is pumped from the main tanks into the engine feed manifold by the main tank boost pumps. A mixture of sensors and switches are utilised in the fuel system to provide system information regarding flow, pressure and tank levels. Data related to component control switches and their respective component positions is also obtained and compared to highlight any inconsistencies, if present. Flow meters are located at the inlet to both engines. There is therefore a left and right flow meter. The flow readings are classified into three groups; flow, no flow and partial flow. Low pressure at the fuel pump outlets is noted by a light on the fuel panel. There is a low pressure light for the left and right aft boost, forward boost and jettison/override pumps. The lights are linked to an associated low pressure switch located on the pumps. The fuel pumps and valves are controlled via their respective switches by the pilot. Should an actual valve position and the position indicated by its respective switch disagree, a warning is issued to the pilot. The engine indicating and crew alert system notes the total fuel quantity. The fuel synoptic display indicates the individual tank quantities obtained from the tank units. Tank units are constructed from an ultrasonic transmitter/receiver and still-well. The information retrieved from the units is utilised to determine the tank height. For initial research the tank heights are scaled from 0–10 since the exact output is unknown and therefore an arbitrary scaling system is used. (Note: 0 = empty, 10 full) 3.4 Component failure modes A total of 59 types of component failure modes are considered in the analysis. It is assumed that the stated failure modes may affect the functionality of the aircraft fuel system. Each component failure mode is allocated a code associated to a related component identification tag. Seven failure modes are linked to faults in the crossfeed section whilst the remaining fifty-two can be found in the left and right sides of the fuel system. The majority (40) of the failures are associated with valves and fuel pumps. Pumps are considered to fail in either ‘run’ or ‘no run’ scenarios. There are three related valve failure modes; open, closed or stuck in an intermediate position. 803 Aven CH100.tex 17/5/2007 10: 45 Page 804 Figure 3. Left main tank section. Each tank (centre and main) possesses a single failure mode; tank fractured. There are three possible manifold and pipe component failures. These relate to fractures and complete or partial blockages. 4 FUEL SYSTEM DIGRAPH DEVELOPMENT With the system defined and component failure modes identified, the next step involves generating the system digraph (step 2 from Section 2.2). The fuel system is split into three main sections: – Cross-feed. – Left centre tank and left main tank. – Right centre tank and right main tank. In total, the system digraph for the engine feed phase is constructed from 282 nodes; of which 88 are process variable nodes and 194 are component failure mode nodes. The unit digraphs for the centre and main tanks (left and right wings) are developed through a process of building up from the tank levels nodes to the fuel pumps, engine feed manifold and spar valves at the inlet to the engines. The cross-feed section digraph encompasses the pipe-work and related valves that connect the left and right engine feed manifolds. As a means of illustrating the development of the fuel system digraph, Figure 3 depicts a section of the pipe-work incorporating a spar valve and suction bypass valve in the left wing. Fuel enters the left engine via the spar valve from the engine feed manifold. The numbered locations noted in Figure 3 (40, 48, 49 & 50) form a reference approach, utilised when generating the fuel system digraph for the engine feed operating mode. A section of the respective left main tank digraph is presented in Figure 4. Mass flow along the left engine feed manifold is represented by the process flow structure exhibited by nodes M48 → M50. The direction of flow in the manifold, and hence the direction of the edges connecting the mass flow nodes, is towards the spar valve which allows fuel to pass to the left engine. There are three identical failure modes associated with the mass flow nodes that represent the left engine feed manifold. Two failure modes, left engine feed manifold fractured and partially blocked (LMF, LMPB), Figure 4. Left main tank digraph section. result in a small negative disturbance and the mode, left engine feed manifold blocked (LMB), results in a large negative disturbance. These disturbances are indicated by signing the edges, connecting the failure mode nodes to the process variable nodes, ‘−1’ and ‘−10’. The left spar valve is denoted by the relationship between nodes M49 and M50. If the spar valve is closed then this normally positive relationship is nullified, as indicated by the conditional edge signing ‘0: SPVL Closed’. There are three spar valve failure modes which may result in a disturbance on mass flow entering the left engine: spar valve open (SVLO), spar valve closed (SVLC) and spar valve intermediate position (SVLI). The failure modes would generate a large positive, large negative and small negative disturbance respectively. These deviations are indicated by the signs, ‘+10’, ‘−10’ and ‘−1’ on the edges connecting the failure mode nodes to M50. The branch encompassing the suction bypass valve (LMTL → M49) extends from the main tank level node (LMTL). The relationship between the level node LMTL and the mass flow node M40 represents the suction bypass valve. The tank level normally has no effect on mass flow at location 40. Should the circumstances change, as defined by the conditional edge connecting LMTL and M40, then mass flow would be drawn from the main tank into the engine feed manifold. For mass flow to pass through to the manifold it is required that the left fuel pumps do not run and for the cross-feed section not to be engaged. There are three pipe failure modes associated with node M40; pipe blocked (P40B), partially blocked (P40PB) and fractured (P40F). A further failure mode considered is suction bypass valve failed closed (BVLC), thus causing a large negative disturbance. The signal flow structure exhibited by nodes SFCSW → M50 illustrates the control relationships that are assumed from the possible pilot inputs for the spar valve. The pilot input is represented using the fuel control switch node, SFCSW. The fuel control 804 Aven CH100.tex 17/5/2007 10: 45 Page 805 switch controls the mass flow entering the engine via the left spar valve. If the pilot sets the switch in the ‘run’ position then the denoted relationship is positive. Conversely, if the switch is set in the ‘cut-off’ position then a negative relationship is exhibited. 5 SYSTEM FAULT DIAGNOSTICS The method for performing system diagnostics using digraphs is based on comparing system sensor readings with those which would be expected whilst the system is in a known operating mode. The first step therefore involves determining if any system variable deviations exist. The presence of a deviation is considered indicative of a fault having occurred. Non-deviating nodes in the digraph are ‘flagged’. It is assumed that a non-deviating transmitter reading indicates the absence of failure in its respective section. Back-tracing commences from the location of any noted deviations to determine the possible fault causes. 5.1 Fault diagnostics program The process of back-tracing within the Boeing 777200 fuel system digraph model, from a deviating node to determine possible component failure mode combinations, is automated through running scripted code in Matlab. The diagnostic program can be sub-divided into four main sections. Namely; input, comparison, fault diagnostics and output. During the ‘input’ stage the individual fuel system transmitter readings, switch positions and assumed engine feed operating mode phase are ‘read into’ the program by way of three text files. The program then determines the expected system readings from the noted operating mode phase. Two deviation matrices, [D] and [DI], are formed during the ‘comparison’ phase by comparing the retrieved data with those readings which would be expected under the assumed engine feed operating mode phase. If the readings are identical then a corresponding element in the deviation matrix is allocated the value ‘0’. This indicates the presence of nondeviating data and so it is assumed no failures are present in the associated specific section of the fuel system. Should a reading deviate then the respective element in the matrix is assigned a value which is consistent with the deviation (e.g. +10). The matrix [D] considers deviations associated with the switch positions that have previously been determined by the pilot whilst [DI] contains deviations noted by the indication system, such as low pressure at a specific pump outlet or no flow at the inlet to one of the engines. On generating the deviation matrices the next phase is the ‘flagging’ process. Firstly, values are allocated to flags representing the cross-feed, left wing and right wing sections. Each section has two associated flags, related to the two deviation matrices. If deviations are outlined in [D] or [DI] for a specific section then its corresponding flag is assigned the value ‘1’. The value ‘0’ is used for situations where no deviations are registered. The next stage involves allocating values to the flags used to represent the individual transmitter elements noted in the deviation matrices. The fault diagnostics process involves re-enacting the procedure of back-tracing through using matrices which contain the individual component failure mode results for a registered deviation. The number of flags signed ‘1’, representing system deviations for given tank sections and transmitters, dictates which backtracing results should be ANDed. Diagnostics of the fuel system during the engine feed operating mode is split into two sections: (i) no deviations registered by the flow meter at the engine inlet and (ii) deviations registered by the flow meter at the engine inlet. This sectioning was decided upon due to the fact that the main purpose of the engine feed operating mode is to provide fuel to the engines. The tank level data is used to calculate the rate of change in the fuel system tank levels. These calculations are performed after data has been retrieved from the second sampling interval. The tank level rate of change data is utilised when performing fault diagnostics of the fuel scavenge section. Once the operating mode has switched from phase one to phase two the fuel scavenge pumps are switched on. As the main tank level decreases, the remaining fuel in the centre tank is transferred to the main tank. The diagnostic results are displayed whilst the program runs. Initial display features involve noting the status of the fuel system sections with regards to the presence or absence of any noted deviations. If deviations are noted, the determined fault diagnostic results are displayed on screen for each section. 5.2 Diagnostic considerations As an initial means of ‘honing-in’on the most probable fault cause for a given set of deviations, the following ‘logic’ statements were applied to the diagnostic strategy: 805 – Should a pump switch deviation be present then it is assumed that a pump ‘no run’ or ‘run’ failure has occurred. For scenarios containing a ‘−10’ pump switch deviation and noted low pressure by the indication system, the failure leading to the disturbance is documented as pump ‘no run’. When considering only a pump low pressure deviation a list of failures associated with both the pump and associated pump pipe-work are recorded. – When taking into account the situation ‘no flow’ at the engine inlet, other component data is utilised to determine the possible system failures that may Aven CH100.tex 17/5/2007 10: 45 Page 806 have led to the variation in flow. The ‘spar valve closed’ failure is only considered on its own when either the valve switch or valve position notes a deviation of ‘−10’. Should no deviation be noted in the switch and valve positions, all failures determined through back-tracing from the location of the flow meter are considered. For cases where both a flow meter and pump deviation are noted, it is assumed a single failure associated with the pump is the most likely cause. However, multiple failure combinations associated with both of the deviations are also recorded. The same logic is employed for registered ‘partial flow’ at the engine inlet. – The fuel scavenge system is considered once the first interval data has been retrieved, due to the fact that both tank levels and the rate of change in tank levels are utilised to determine if any deviations are present. A failure is assumed to have occurred in the fuel scavenge section if: (i) Centre tank (CT) level ≤ 2, CTdhdt = 0, (ii) Main tank (MT) level < 6, MTdhdt < 0. – Actual cross-feed valve faults are taken into account when either a deviation is noted with the cross-feed valve switch or cross-feed valve position. The back-tracing conducted by the program is dependant on the specific engine feed operating mode phase, as determined by the pilot. Consequently, sections of the digraph can be ‘turned on or off’ accordingly. All control aspects of the engine feed phase come about through the pilot – switch interface. The pilot conducts informed decisions based on the data retrieved from the flow meters and tanks levels, as well as the indication lights. Consequently, when backtracing along the routes between the switches and controlled components there is no need to consider the paths separately. Loop operators (Andrews & Brennan 1990) need not be employed since they do not form ‘complete’ control loops. 5.3 Example A single faulty fuel system scenario is used to illustrate the diagnostic capability of the fuel system digraph. The system is assumed to be in phase five of the engine feed operating mode. The retrieved readings, displayed in Table 1 note a single deviation (highlighted in bold) from those expected; ‘no flow’ is registered by the left flow meter instead of ‘flow’. The readings are retrieved at 30s intervals, with the deviation being noted at t = 90s. When reading the retrieved data into the program, results are output for each interval. For the first three intervals it is noted that no deviations exist.A deviation is recorded in the left wing during interval four (t = 90 seconds). During the fault diagnostics process for interval four, the right wing and cross-feed section flags are signed ‘0’ whilst the left wing flag is signed ‘1’, thus indicating the presence of a transmitter deviation. Back-tracing commences from node M50(−10), and given the stated operating mode phase considers the process flow structure in the digraph that represents the left engine feed manifold and suction bypass valve. Node M50 marks the location of the transmitter deviation at the inlet to the left engine and ‘−10’ takes into account the magnitude of the registered deviation. The back-tracing procedure ceases at the main tank level node. The fault propagation can be followed by referencing Figure 4: 1 M50(−10) → LMB 2 M50(−10) → M49(−10) → M40(−10) →P40B, BVLC. Three diagnostic results are output by the program; left engine feed manifold blocked (LMB), pipe 40 blocked (P40B) and left suction bypass valve closed (BVLC). A fourth failure mode (SVLC) illustrated as causing a large negative disturbance on flow at location 50 (M50) in Figure 4 is not listed. The spar valve is not considered to have failed closed given that the spar switch is in the ‘RUN’ position and no warnings have been issued to the pilot regarding a disagreement between the spar valve and spar valve switch positions. Results for single and multiple deviating transmitter readings have been obtained for other example scenarios covering the entire range of the engine feed operating mode. In some cases the diagnostic results yield numerous fault options, both single and multiple. A ‘honing-in’ mechanism, as described in the following section, is therefore utilised to identify the cause considered most apt. 5.3.1 Determining the most probable fault cause Three minimal cut sets of the order one are output for the given deviation in the example discussed in the previous section. Reliability theory (Andrews & Moss 2002) regarding unavailability functions and importance measures is utilised in order to rank the cut sets yielded accordingly. It is assumed that the repair process would be initiated once a failure is revealed and therefore the unavailability is given by Equation 1: Where λ = failure rate; ν = repair rate; and t = time. Generic failure rate data (Moss 2005) is employed in Equation 1 as a means of defining the fuel system component’s unavailability. For the given example, the 806 Aven CH100.tex Table 1. 17/5/2007 10: 45 Page 807 Expected and retrieved readings. Expected Retrieved (after 90s) Variable Left Right Left Right Centre tank level Main tank level Jettison pump switch Jettison pressure light Aft boost pump switch Aft pressure light Forward boost pump switch Forward pressure light Engine flow meter Spar valve switch Spar valve & relay position Cross-feed valve 1 switch Cross-feed valve 1 light Cross-feed valve 2 switch Cross-feed valve 2 light ≤2 & >0 ≥2 OFF OFF OFF OFF OFF OFF FLOW RUN AGREE OFF OFF OFF OFF ≤2 & >0 ≥2 OFF OFF OFF OFF OFF OFF FLOW RUN AGREE --------- ≤2 & >0 ≥2 OFF OFF OFF OFF OFF OFF NO FLOW RUN AGREE OFF OFF OFF OFF ≤2 & >0 ≥2 OFF OFF OFF OFF OFF OFF FLOW RUN AGREE --------- unavailability of the relevant components were found to be: 6 – LMB: 1.69999982 × 10−7 – BVLC: 5 × 10−8 – P40B: 3 × 10−10 The fuel system digraph noticeably reflects the physical structure of the system under investigation. Thus providing a clear representation of the relationships that exist between the system variables. The complete digraph for the fuel system is relatively large in terms of the number of nodes from which the digraph is constructed. The development process is, however, greatly aided by dividing the system into sub-units and generating the system digraph through combining the unit digraphs at shared common nodes. The potential for the presence of anomalies between failure mode results is eradicated through incorporating ‘flagging’ into the diagnostics process. ‘Flagging’ is considered a consistency check and therefore removes the possibility of conflicting results arising between non-deviating transmitter nodes and the failure results achieved through back-tracing from nodes noting specific deviations.This process has been adapted further when considering the five defined phases of the engine feed operating mode. Depending on the specific phase, sections of the system digraph are effectively turned ‘on’or ‘off’accordingly. This therefore dictates the route to be followed when back-tracing from a deviating node, as exemplified in Section 5.3. The use of reliability theory permits the presentation of a numerical solution to determine the most likely fault cause for a given deviation. In this manner it is possible to provide a complete list of the fault causes yielded though back-tracing, whilst also highlighting the actual fault that is considered to have occurred. This development builds on previous research were a ‘honing-in’ mechanism was cited as The Fusell-Vesely measure of minimal cut set importance provides a means of ranking the cut sets obtained from the system digraph. The expression for the Fusell-Vesely measure is illustrated in Equation 2: The importance measure is defined as the probability of occurrence of cut set i [P(Ci )] given that the system has failed. QSYS is calculated using the rare event approximation as opposed to calculating an exact value. For the given example, no difference was noted in the ranking of the cut sets when considering either the rare event or exact values for QSYS . For cases whereby many cut sets are produced, it would be computationally demanding to determine an exact value for QSYS. For the example, the cut set importance measures were found to be (QSYS = 2.2030 × 10−7 ): – LMB: 0.7717 – BVLC: 0.2463 – P40B: 1.478 × 10−3 From the results the most likely cause for the given deviation at the inlet to the left engine flow meter is noted as a blockage in the left engine feed manifold. 807 CONCLUSION Aven CH100.tex 17/5/2007 10: 45 Page 808 necessary when considering faulty scenarios that yield numerous diagnostic results. Current research considers a range of phases for the engine feed operating mode and deals with multiple faults. Furthermore, real-time diagnosis is allowed for through computer analysis. Hence, it is proposed that future research consider the inclusion of further operating modes with regards to the Boeing 777-200 fuel system. In this manner loop operators could be employed during the fault diagnostics process when taking into account the control loop associated with the refuel mode. Initial results from the application of the automated diagnostics process, based on the digraph method, to a section of a complex real system have been proven to be credible. REFERENCES Andrews, J. & Brennan, G. 1990. Application of the Digraph Method of Fault Tree Construction to a Complex Control Configuration. Reliability Engineering and System Safety, 28(3): 357. Andrews, J. & Morgan, J. 1986. Application of the Digraph Method of Fault Tree Construction to Process Plant. Reliability Engineering, 14(2): 85. Andrews, J. & Moss, T. 2002. Reliability and RiskAssessment. London: Professional Engineering Publishing. Henning, S. & Paasch, R. 2000. Diagnostic Analysis for Mechanical Systems. Proceedings of the ASME Design Engineering Technical Conferences, 4. Hurdle, E., Bartlett, L. & Andrews, J. 2005. System Fault Diagnostics Using Fault Tree Analysis, Proceedings of the 16th Advances in Reliability Technology Symposium. Iverson, D. & Pattersine-Hine, F. 1995. Advances in Digraph Model Processing Applied to Automated Monitoring and Diagnosis. Reliability Engineering and System Safety, 49(3): 325. Kohda, T. & Henley, E. 1988. On Digraphs, Fault Trees and Cut Sets. Reliability Engineering and System Safety, 20(1): 35. Maurya, M., Rengaswamy, R. & Venkatasubramanian, V. 2003. A Systematic Framework for the Development and Analysis of Signed Digraphs for Chemical Processes. 1. Algorithms and Analysis, Industrial and Chemical Engineering Research, 42(20): 4789. Moss, T. 2005. The reliability Data Handbook. London: Professional Engineering Publishing. Novak, F., Žuzek, A. & Biasizzo, A. 2000. Sequential Diagnosis Tool. Microprocessors and Microsystems, 24(4): 191. Palmer, C. & Chung, P. 2000 Creating Signed Directed Graph Models for Process Plants. Industrial and Engineering Chemistry Research, 39(7): 2548. Papadopoulos, Y. & McDermid, J. 2001. Automated Safety Monitoring: A Review and Classification of Methods. International Journal of Condition Monitoring and Diagnostic Engineering Management, 4(4): 1. Papadopoulos, Y., Parker, D. & Grante, C. 2004. Automating the Failure Modes and Effects Analysis of Safety Critical Systems, Proceedings of the Eighth IEEE Symposium on High Assurance Systems Engineering. Pattipati, K. R. and Alexandridis, M. G. 1990. Application of Heuristic Search and Information Theory to Sequential Fault Diagnosis, IEEE Transactions on Systems, Man and Cybernetics, 20(4): 872. Price, C. 1997. AutoSteve: Electrical Design Analysis. Colloquium Digest – IEE, 338(4). Price, C. & Taylor, N. 1997. Multiple Fault Diagnosis from FMEA, Proceedings from the National Conference on Artificial Intelligence. Shakeri, M., Raghavan, V., Pattipati, K. R. and PattersonHine, A. 2000. Sequential Testing Algorithms for Multiple Fault diagnosis, IEEE Transactions on Systems Man and Cybernetcis – Part A: Systems and Humans, 30 (1): 1. Vedam, H. & Venkatasubramanian, V. 1997. Signed Digraph Based Multiple Fault Diagnosis. Computers Chemical Engineering (supp), 21: S655. Venkatasubramanian, V., Rengaswamy, R., Yin, K. & Kavuri, S., 2003. A Review of Process Fault Detection and Diagnosis Part I: Quantitative Model-based Methods. Computers and Chemical Engineering, 27(3): 293. 808
