Advanced Fault Diagnosis for Safer Flight Guidance and Control

Final Report Summary - ADDSAFE (Advanced fault diagnosis for safer flight guidance and control)

Executive summary:

The state-of-practice for aircraft manufacturers to diagnose guidance and control (G&C) faults and obtain full flight envelope protection at all times is to provide high levels of hardware redundancy in order to perform coherency tests and ensure sufficient available control action. This hardware-redundancy based fault detection and diagnosis (FDD) approach also fits into current aircraft certification processes while ensuring the highest level of safety standards. However, these FDD solutions increase the aircraft weight and complexity and thus its manufacturing and maintenance costs. Moreover, their applicability is becoming increasingly problematic when used in conjunction with the many innovative solutions being developed by the aeronautical sector towards achieving the future "sustainable" (More Affordable, Safer, Cleaner and Quieter) aircraft.

This applicability gap has resulted in a de facto "fault diagnosis bottleneck", a technological barrier constraining the full realization of the next generation of air transport due to the need to ensure the current highest levels of aircraft safety when implementing novel green and efficient technologies.

In order to address the above issues a consortium of European industries (Airbus, Deimos Space), research centers (DLR, SZTAKI, IMS-CNRS) and Universities (Delft, Leicester, Hull) was established with funding from the EU 7th Framework Program. The project, led by Deimos Space, was entitled "Advanced Fault Diagnosis for Sustainable Flight Guidance and Control (ADDSAFE)". The project web page is: http://addsafe.deimos-space.com/. The project kicked off in July 2009 at the Deimos Space premises in Madrid and concluded with a Final Meeting and International Workshop in October 2012 at the Airbus facilities in Toulouse.

The overall aim of ADDSAFE was to research and develop model-based FDD methods for aircraft flight control systems faults, predominantly sensor and actuator malfunctions. Highlighting the link between aircraft sustainability and FDD, it can be demonstrated for example that improving the fault diagnosis performance in flight control systems allows the aircraft structural design to be optimized (resulting in weight saving), which in turn helps improve aircraft performance and decrease its environmental footprint. The results are expected to help achieve the European Vision 2020 challenges related to the "greening" of the aircraft (by supporting the application of already developed sustainable solutions) and of "safety" (by opening the door to the use of new technologies while maintaining the current aircraft safety levels).

From a technological and scientific perspective the main benefits of the project are:
1. Identification of a set of guidelines for FDD design and analysis for aircraft G&C
2. Improved FDD methods and understanding of their applicability to aircraft FDD
3. A step towards a V&V process for advanced aircraft diagnostic systems
4. Demonstration of the most promising model-based FDD designs on industrial state-of-art flight simulation platforms.

From the perspective of the benefits to society, ADDSAFE strived to:
1. Support greener technical solutions
2. Maintain current highest safety standards
3. Improve aircraft transport cost and efficiency

The goals have been amply satisfied as proven by the final demonstration of 5 designs (out of 14) in the V&V facilities of Airbus at Toulouse. The technological readiness level (TRL) achieved with this demonstration is 5/6 since the test-benches used are the final ones prior to actual flight testing and involved the full Airbus V&V team as well as the flight control system software and hardware avionics. Furthermore, world experts and principal European aerospace stakeholders and authorities (EASA, NASA, ESA, EADS…) were invited for the demonstration and were able to see first-hand the results and successful behaviour of the designs.

Project Context and Objectives:

ADDSAFE was a three-year project divided into 6 work-packages (WP0 to WP5) decomposed into a total of 14 sub-work packages. The project strived to combine the synergies between the scientific and the technological (i.e. industrial) partners at all levels of the FDD development cycle.

WP 1 "Industrial Benchmark Problem and Assessment Tools" was active during the first year of the project and focused on defining the benchmark problem and on developing the associated fault diagnosis metrics, guidelines and software assessment tools. This WP was highly industrially oriented although the scientific partners fully participated in the definition of the problem to bring in their theoretical analytical experience.

WP 2 "Development of FDD Methods and Tools" started in parallel to WP1 and lasted for the first year and a half. It was the main scientific development component of the project as it focused on enhancing the current model-based FDD methods as well as on researching new methods with stronger theoretical guarantees.

WP 3 "Application to Benchmark" was divided into two stages: preliminary design, where the goal was to set up the FDD architecture and perform an initial design and assessment; and a detailed design stage, where information from WP4 was used to guide the final design and tuning.

WP 4 "Industrial Benchmarking Assessment" started at the beginning of the third year by performing an initial assessment of the preliminary designs that guided the selection of two of the FDD approaches for full industrial validation (initially only two were scheduled to be selected due to the cost of validating each design, but as will be seen later this was changed for the better). After the FDD designs were fully completed, the industrial benchmarking and validation activities were performed.

WP 5 "Integration Issues and Demo" started as WP3 was ending and lasted until the end of the project. Its main purpose was to help transfer the FDD methods and technology developed to the Industrial aeronautics sector by means of a technology demonstration and a study of the potential integration issues.

The importance of the studies performed within the project arises from the industrial representativeness of the benchmark, i.e. the aircraft model and the fault scenarios. Moreover, the final goal of the project was to validate the more promising designs in the actual Airbus flight control system verification and validation (V&V) setup, from high-fidelity simulation models to the Iron Bird and including real aircraft actuator rigs, which ensures industry-wide acceptance of the results.

As aforementioned, from a technological and scientific perspective the main objectives were:

1. Identification of a set of guidelines for aircraft G&C FDD design and analysis

This objective was addressed in a joint work between industrial practitioners and academic researchers in order to provide a consistent set of fault diagnosis guidelines, metrics and limitations for advanced aircraft G&C FDD. This collaboration between industry and academics gave rise to more consolidated guidelines and knowledge on the 'applicability' of the proposed FDD methods as well as of the validation processes that were used later on to compare the designs, e.g. functional engineering simulator and performance/robustness evaluation matrix.

2. Improved FDD methods and understanding of their applicability to aircraft FDD

The goal of this objective was to provide a convergence ground for academics and practitioners to help guarantee the successful application of the studied and developed FDD methods. A two-step approach was followed to achieve the objective. First, the more established FDD methods were applied to aircraft control FDD (it is noted that many of these methods had been shown to work well in non-aeronautical applications and were just in need of aircraft application experience build-up). Then, based on the lessons learnt from the previous step, recent scientific developments for fault diagnosis and criteria optimization were brought to an acceptable stage of 'applicability' in order to further narrow the time-to-practice of these methods, with the subsequent benefits arising from the formal guarantees these methods provide.

3. A step towards a V&V process for aircraft advanced diagnostic systems

A key step for the successful transfer to the aeronautics sector of the developed FDD methods is their demonstration on standardized V&V processes similar to those used by industry. This was the target of the third objective.

4. Demonstration of the most promising model-based FDD designs on industrial state-of-art flight simulation platform

The final objective was to show the use of the selected FDD methods from the validation activities in Airbus' state-of-the-art installations for flight simulation and comprehensive assessment. These installations are the final testing environment of a flight control system prior to full-scale flight test campaigns and as such the results from this demonstration certainly have great impact on transferring the developed technology to the key end-users.

Due to the cost of the validation campaigns, initially only two designs were to be selected with each undergoing only two coding phases (set-up to improve the design after each coding test). Finally, due to the "light" computation load and the potential of the designs, 5 designs were selected and all underwent 3 coding phases. In addition, an extra coding phase was applied (with internal Airbus funding!!!) which showcased the great interest and potential the FDD techniques developed had for Airbus.

The project was divided into two main phases. For the 1st phase of the project, between Kick-off (M0) and Critical Review Meeting (M19), the focus of activities was on two main development lines:

(i) Developing the FDD benchmark and associated V&V tools
(ii) Researching the FDD methods

The 2nd phase was dedicated to:

(iii) Demonstrating the applicability of the FDD methods (i.e. designing the FDD filters for the benchmark problem)
(iv) Benchmarking, verifying and validating the resulting FDD designs.

Following the above breakdown of activities and the objectives of the project, the layout of the results summary is as follows:
1. Benchmark
2. Industrial verification and validation (V&V) tools
3. FDD methods
4. Industrial V&V

Project Results:

2.1 Benchmark
The benchmark definition included a description of the fault scenarios and of the aircraft model development.

2.1.1 Fault scenarios
Three kinds of scenarios were defined covering a wide range of possible sensor and actuator faults related to structural design objectives and aircraft performance.

For all scenarios, required probabilities of false alarm as well as missed detection were specified based on real industrial constraints (not given here for confidentiality reasons). The project was defined to have a strong practical component in order to transfer to the industrial world the selected methods. For example, among other criteria, a high level of systematic FDD design tuning is typically required in industry so the proposed solutions had to be assessed for possible use on different control surfaces and different aircraft. Thus, in the fault scenario description, the acceptable tuning complexity from an industrial point of view was defined.

It is important to note that, on all civil commercial aircraft, the fault scenarios defined are already detected by dedicated FDD designs (so-called monitoring). Indeed, the airworthiness regulations, applied worldwide by all aircraft manufacturers, require using rigorous design principles to detect safety-critical faults and to cancel their effects. The proposed fault scenarios are not studied for safety reasons but for structural design optimization. As recalled in the introduction, if it is possible to decrease the minimum detectable amplitude then the aircraft structure can be lightened, and the corresponding weight saving leads to better aircraft performance and a better environmental footprint.

Aircraft performances

The first failure scenario concerned the detection of an abnormal aircraft behavior leading to the degradation of aircraft performance. This abnormal configuration can be caused by an actuator or a sensor failure in the control loop of a control surface, between the Flight Control Computer (FCC) and the moving surface, including these two elements. Consequently, only one control surface is impacted. More precisely, the case of an aileron stuck at a fixed deflection was considered. The reaction of the aircraft to this dissymmetry is a deflection of other ailerons, or possibly other control surfaces like the rudder, leading to an increase of drag proportional to the amplitude and to the origin of the failure. If this dissymmetry remains undetected during a significant time it can result in fuel over-consumption. The failure root cause could be for instance a sensor bias: e.g. the actuator rod is servo-controlled at 0 degree but an undetected bias on the position sensor leads to an unwanted deflection of an unknown amplitude, proportional to the bias. The simulated scenario was a jamming of the left inboard aileron at a fixed small deflection during a cruise flight phase. Three different cases were proposed:

S1.1) "Liquid" jamming, which means that an additive bias occurs on the rod sensor (the control surface is still under control).

S1.2) "Solid" jamming, which means that the control surface is stuck at a fixed position. This is strictly speaking the real case of a control surface jamming (any upstream command has no effect as the control surface is physically jammed).

S1.3) Aileron disconnection: physical disconnection between the control surface and the actuator rod. However, the rod sensor works correctly.

Actuator/sensor faults

The second scenario concerned the detection of actuator or sensor failures with a possible impact on the aircraft structural design. Three sub-scenarios were defined:

S2.1) This scenario dealt with actuator/sensor failures which led to unwanted control surface oscillations. This is termed Oscillatory Failure Case (OFC). These failures occur between the FCC and the moving surface, including these two elements. OFC detection performance is directly related to aircraft structural design. Improving OFC detection implies direct structural design improvements leading to weight saving. Both liquid (i.e. additive) and solid (a.k.a. interference) OFC inside the control loop of ailerons and elevators are considered. OFC faults were injected during simulated typical manoeuvres involving these control surfaces. The overall FDD requirement was to detect in a fixed number of periods a small amplitude liquid or solid OFC, in order to reconfigure on a healthy adjacent actuator (as before, the reconfiguration was not part of ADDSAFE). The real-time constraints were stringent as the required detection time was given in number of periods, which meant that, depending on the failure frequency, the time really allowed varied.

S2.2) The second sub-scenario also dealt with actuator/sensor faults located in the servo-loop control of the moving surfaces. This fault case considered an unwanted deflection of the control surface and is called runaway (a.k.a. hard-over). The control surface can travel all the way to its stops if the runaway remains undetected. Runaways occur at any (unknown) dynamics. Under specific circumstances, depending on the control surface impacted, runaway must be detected very quickly for structural load aspects. The elevator runaway was considered in this study. For structural design objectives, it is crucial to detect the fault before the control surface deflects too much.

The FDD requirement was to detect the elevator runaway before the control surface exceeded a given (small) deflection, whatever the runaway speed (from the slowest to the fastest). This meant that the detection time was not constant, and indeed could be very short in case of strong dynamics.

S2.3) The last sub-scenario concerned an elevator stuck at the null position (0 degree). As this fault remains undetected until there is a manoeuvre involving the elevators a coordinated turn was simulated. Only one elevator was considered in faulty situation, the other remained nominal. As with the previous scenarios, the root cause is an actuator/sensor fault located in the servo-loop control of the moving surfaces, between the FCC and the control surface, including these two elements.

Flight parameter consolidation

With fly-by-wire (FBW) systems, the general principle of the aircraft control in manual mode consists of several steps. First of all, the pilot inputs (mainly sidestick and rudder pedal actions, measured by dedicated sensors) are converted into piloting objectives (e.g. vertical load factor demand on the longitudinal axis on Airbus' aircraft). These objectives are then compared to the real state of the aircraft described by a set of flight parameters, which are measured by dedicated redundant sensors (inertial, clinometric…). This comparison feeds the Flight Control Law computation that generates a command to servo-control each moving surface according to the piloting objectives.

As redundant flight parameter measurements are sent to the flight control computer (FCC), a sensor management system is generally used to determine the aircraft state. It consists of two simultaneous steps: choice (or computation) of a unique and valid measurement among the redundant sensors and, in parallel, sensor monitoring to discard a measurement in case of failure. This approach can be termed "consolidation". Sensor management systems based on majority voting schemes are widely used in Electrical Flight Control Systems. They rely on the assumption that the majority of the redundant measurements are fault-free and sufficiently accurate, and that any dissimilar signal is a faulty signal. Early and robust fault detection is required for discarding the faulty values and consolidating a correct signal.

Two fault scenarios were proposed, applicable to flight parameters α (angle of attack), nz (vertical load factor) and r (yaw rate):

S3.1) The first challenge was to detect and isolate only one faulty sensor. In this case, the state of practice (consistency check) already adequately covers its detection and isolation. However, in the frame of future environmentally-friendlier aircraft, it is interesting to perform an earlier detection of smaller and smaller fault amplitudes, while keeping the FDD design robustness compliant with the certification requirements.

S3.2) The second scenario concerned the detection and isolation of two simultaneous faulty sensors. If two of the sensors are erroneous at the same time, the faulty measurement is likely to be selected. For instance, in the case of the yaw rate measurement, this can result in higher fuel consumption over a long period of time due to non-trim offsets of the control surfaces for incipient faults. Under some circumstances, and for some more severe faulty profiles, this can lead to some degradation of the controller, and consequently to a non-optimized aerodynamic configuration of the aircraft generating drag and higher fuel consumption as well. However, it is worth noting that the general case of two simultaneous erroneous flight parameter measurements has been demonstrated to be extremely improbable, which is required for certification. Nevertheless, such a scenario is interesting because on the one hand, the aircraft designers always strive to surpass the certification requirements and may choose to address this scenario in their design as an additional system benefit if the additional complexity of the solution is not prohibitive.
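The consolidation principle and scenarios S3.1 and S3.2 above, as an added illustration that is not ADDSAFE or Airbus code: a triplex median voter with a deviation monitor, run on constructed yaw-rate samples. The threshold, confirmation count, sensor offsets and fault bias are assumed values chosen only to make the behaviour visible.

```python
from statistics import median

# All numbers below are constructed for illustration, not benchmark values.
TRUE_RATE = 2.0                  # deg/s, true yaw rate r
OFFSETS = (0.05, -0.03, 0.01)    # deg/s, small errors of the three healthy sensors
THRESHOLD = 0.5                  # deg/s, allowed deviation from the voted value
CONFIRM = 3                      # consecutive exceedances before a sensor is discarded


class Consolidator:
    """Median vote over the valid sensors plus per-sensor monitoring."""

    def __init__(self, n_sensors=3):
        self.valid = [True] * n_sensors
        self.counts = [0] * n_sensors

    def step(self, samples):
        """Return the consolidated value for one frame and update the monitor."""
        active = [s for s, ok in zip(samples, self.valid) if ok]
        if not active:
            return None                      # nothing left to vote on
        voted = median(active)               # with two sensors left: their mean
        for i, s in enumerate(samples):
            if not self.valid[i]:
                continue
            if abs(s - voted) > THRESHOLD:   # "dissimilar" signal
                self.counts[i] += 1
                if self.counts[i] >= CONFIRM:
                    self.valid[i] = False    # discard after confirmation
            else:
                self.counts[i] = 0
        return voted


def make_frames(faulty, bias=1.5, onset=5, n=20):
    """Constructed samples: sensors listed in `faulty` gain `bias` from frame `onset`."""
    return [
        [TRUE_RATE + OFFSETS[i] + (bias if i in faulty and t >= onset else 0.0)
         for i in range(3)]
        for t in range(n)
    ]


def run(faulty):
    """Run one scenario; return the voted series and the final validity flags."""
    c = Consolidator()
    voted = [c.step(frame) for frame in make_frames(faulty)]
    return voted, c.valid


if __name__ == "__main__":
    for name, faulty in (("S3.1 single fault", (0,)), ("S3.2 double fault", (0, 1))):
        voted, valid = run(faulty)
        print(f"{name}: valid={valid} final voted value={voted[-1]:.2f} deg/s")
```

In the double-fault run the two biased sensors form the majority, so the voter follows them and the monitor discards the one healthy sensor as the dissimilar signal.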

2.1.2 Aircraft model

The aircraft model used as part of the FDD benchmark was highly representative of a generic twin-engine civil commercial aircraft. It included a nonlinear rigid-body aircraft model with a full set of control surfaces, actuator models, sensor models, flight control laws (FCL) and pilot inputs. It was a closed-loop, non-linear model based on the representation and allowed exploring the whole flight domain considering a wide class of pilot inputs and wind perturbations.

The available pilot inputs were: the side stick (longitudinal and lateral inputs), the pedals, the high-lift configuration lever (slats and flaps), the airbrakes and the throttle lever.

The actuator modeling was based on three elements: the actuator model itself, a control surface position saturation that could be dissymmetric and a rate limiter representing the physical limitations. The model input was commanded actuator position (output of the FCL computation) while the output was realized actuator position. The actuator model described the physical behaviour of the actuator rod speed as a function of the hydraulic pressure delivered to the actuator and of the forces applied on the control surface and reacted by the actuator. Although it was termed an actuator model, it should be noted that the modeling covered the control loop, between the Flight Control Computer (FCC) and the control surface, including these two elements. As ADDSAFE did not aim at studying failure reconfiguration, only one actuator was simulated per control surface (no adjacent redundant actuator).

Flight mechanics modeling was based on the so-called fundamental principle of dynamics. In the ADDSAFE aircraft model, both quaternion system and Euler angle formulations could be used. The main forces and moments acting on the aircraft were also simulated: aerodynamic effects, gravity and engine thrust.

The current benchmark dealt with manual control (so auto-pilot guidance laws were not included) but for better manoeuvre management, the auto-thrust control law, which is useful for managing the thrust and maintaining the speed constant, was kept. Regarding manual laws, as the goal was not to study failure reconfiguration all the unusual control laws were removed. Except for these mentioned points, all other on-board computer elements were kept.

An Integrated Sensor Model allowed simulating very accurately all sensors involved. A plethora of information was needed and integrated in the model: sensor characteristics (location, noise, filter...), calibration data, aerodynamic coefficients, flight mechanics equations, system requirements (e.g. delays), etc. This model was thus very complex.

2.2 INDUSTRIAL VERIFICATION AND VALIDATION TOOLS

The FDD challenge tackled in ADDSAFE consisted mainly of sensor and actuator malfunctions, specifically: flight parameter management system, abnormal aircraft behaviour, servo-loop actuator fault and sensor fault. The importance of the studies carried out within the project arose, on the one hand, from the industrial representativeness of the benchmark proposed by Airbus, which consisted of a generic civil aircraft model and realistic fault scenarios, and on the other hand, from the industrial validation of the more promising designs in the actual Airbus flight control system Verification and Validation (V&V) process, depicted below.

The first branch of the V-cycle is the development phase. It starts with the aircraft specification corresponding to the "top level requirements": the definition of the needs, the choice of concepts, control laws, technologies, etc. The aircraft is decomposed into sub-parts, called systems, which are specified in the next step. The systems are decomposed in subparts called "equipment" (e.g. a Flight Control Computer, FCC), which are then specified. At this step, this specification can be used in a desktop simulator to fly the aircraft in its environment to check that it satisfies the performance and safety requirements before the associated code is even implemented in the equipment. This specification is also used in a development-simulator, a real cockpit where all systems and environment are simulated. After equipment specification, the corresponding flight code is generated and implemented in the hardware equipment. The second part of the V-cycle can then start. This integration phase consists of a severe validation campaign on different test benches, from the simplest ones (an actuator bench) to more complete ones (the "Iron Bird"). The validation phase ends with flight tests and the overall V-cycle ends with the certification process. ADDSAFE addressed the development and the integration phases: from FDD design coding to high-fidelity simulators (flight tests were not part of the project). Indeed, a key step for the successful transfer to the aeronautics practitioners of the developed FDD methods was their demonstration on standardized industrial validation processes. As already mentioned, the proposed validation was a two-step process: first, an industrial software assessment tool (FES) was used and secondly, validation on physical aircraft rigs was performed.

2.2.1 Functional Engineering Simulator

The Functional Engineering Simulator (FES), developed by Deimos Space S.L.U. was a non-real time simulator based on Simulink, Matlab and XML that includes Airbus aircraft benchmark as well as robustness and performances analysis tools for all the fault scenarios defined in the project. The FES is not currently part of the industrial V-cycle. However, it would be located towards the end of the development phase, between the simulation code generation and the implementation of the code in the equipment.

FES is a term used in Space to describe a software simulator describing at a functional level the components of a system (including its operating environment). FES are used in support of the specification, design, verification and operations of space systems, and can be used across the spacecraft development life-cycle, including activities such as system design validation, software V&V, spacecraft unit and sub-system test activities.

The ADDSAFE-FES main objectives were:
(i) to provide a faithful simulation environment for the selected fault scenarios, and
(ii) to support the development and benchmarking of the FDD designs.

In particular, the FES allowed performing intensive Monte-Carlo campaigns for assessing the robustness and performances of the designs proposed by the consortium.

In terms of output visualization and analysis, raw data plots could be used to show the output of all the Monte Carlo simulations besides the nominal simulation. Once a simulation had been run, the raw simulation outputs could be post-processed to obtain new variables for the analysis of the system and Figures-of-Merit (FOM) were produced as scalar quantities to benchmark the design. Deimos developed two FES packages. One served as a simulation and verification FES released to all partners for their use during the development and application of the FDD methods, and the other was used for the industrial benchmarking and validation performed by the industrial partners. The latter included more sophisticated tools for multi-team FDD designs' benchmarking. Both FES were highly structured software packages, which included easy-to-use Simulink interfaces and a clean directory configuration.

2.2.2 Industrial Validation Test-Benches

From an aircraft manufacturer point of view, all new types of equipment installed in the cockpit and in the aircraft avionics compartment must be tested, including checking their connection to the other aircraft equipment as well as their integration.

After a first assessment of the equipment itself (e.g. on a desktop simulator for validating a flight guidance and control function), there are two levels of integration test facilities:

- The System Integration Test Bench for validation in an environment restricted to a single, specific aircraft system function (e.g. FCS)

- The integration simulators ("Iron Bird" or flight simulator) for validation in the full aircraft environment.

In the Flight Control System environment, the SIB is a test bench with simulated inputs and observation of FCC internal variables. This bench offers the possibility of validating degraded configurations: e.g. low hydraulic pressure or high aerodynamic loads on the control surface. The so-called "Iron Bird" is a kind of very light aircraft, without the fuselage, the structure, the seats, etc, but with all system equipment installed and powered as on an aircraft (e.g. hydraulic and electric circuits). Finally, the flight simulator is a test bench with a real aircraft cockpit, flight control computers and coupled to a rigid aircraft model. The Iron Bird can also be coupled to the flight simulator.

For the ADDSAFE project, the choice of the validation test facility depended on the characteristics of the FDD designs and it was also associated to the fault scenario coverage.

2.3 FDD METHODS

As aforementioned in the introduction, the most obvious method for on-board fault detection is the use of hardware redundancy, where measurements from multiple sensors are compared with each other and the existence of a failure is determined by implementing consistency checks and other built-in tests of various sophistications. However, the use of hardware may not be possible or desirable since it imposes a penalty in terms of volume, weight and cost. Additionally, direct access to certain variables is often not possible via physical measurements. In these cases, indirect measurements may be used to infer the component status using a mathematical model of it.

Most of the model-based methods rely on the idea of analytical redundancy in which, in contrast to physical or hardware redundancy, real physical measurements are complemented with analytically computed redundant variables. A common method to analytically detect the existence of a failure is to look for anomalies in the plant's output relative to a model-based estimate of that output generating a so-called residual. The generated residual has to include enough information to determine that a specific fault has occurred. The basis of the design of any robust FDI method is to make the residuals become sensitive to one or more faults whilst at the same time making the residuals insensitive to modelling errors and uncertain disturbance effects acting upon the system being monitored. If the residual signals maintain these sensitivity properties over a suitable range of the system's dynamic operation, then we can say that a robust FDI can be achieved.

[Figure: the main conceptual differences between hardware and analytical redundancy FDD schemes, as well as between analytical open and closed loop approaches.]

The approaches followed in ADDSAFE were divided into two main categories, briefly detailed next:
1. Traditional model-based FDD approaches
2. Advanced model-based FDD methodologies

Traditional model-based FDD approaches place emphasis on the use of a more or less accurate model of a linear time invariant (LTI) system. In essence, these methods generate residuals from comparison of the system measurements with their estimates. A threshold function (fixed or variable) can be used to provide additional levels of detection while for fault isolation the generated residual has to include enough information to determine that a specific fault has occurred. Robustness of the FDD filter algorithm is determined by its insensitivity to disturbances, errors and model discrepancies and is currently the more critical issue in designing an FDD system.
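An added illustration (not ADDSAFE or Airbus code) of the residual-and-threshold scheme described above, applied to the elevator runaway scenario S2.2. The first-order actuator model, every numerical value and the function names are assumptions; the simulated plant is given a slightly different time constant and a constructed disturbance to stand in for modelling error.

```python
import math

# All values are constructed for illustration, not benchmark data.
DT = 0.01                        # s, sample time
TAU_MODEL = 0.05                 # s, time constant used by the FDD model
TAU_PLANT = 0.06                 # s, "true" actuator, deliberately mismatched
RATE_MAX = 40.0                  # deg/s, rate limiter
POS_MIN, POS_MAX = -30.0, 15.0   # deg, dissymmetric position stops
THRESHOLD = 0.2                  # deg, fixed residual threshold
CONFIRM = 3                      # consecutive exceedances needed to raise an alarm


def clamp(x, lo, hi):
    return max(lo, min(hi, x))


def actuator_step(pos, cmd, tau):
    """One Euler step of a first-order actuator with rate and position limits."""
    rate = clamp((cmd - pos) / tau, -RATE_MAX, RATE_MAX)
    return clamp(pos + rate * DT, POS_MIN, POS_MAX)


def simulate(runaway_rate=None, t_fault=1.25, t_end=5.0):
    """Run one case; return detection delay and surface travel, or None if no alarm."""
    plant = model = 0.0
    count = 0
    pos_at_fault = None
    k_fault = round(t_fault / DT)
    for k in range(round(t_end / DT)):
        t = k * DT
        cmd = 2.0 * math.sin(2.0 * math.pi * 0.2 * t)    # gentle manoeuvre, deg
        if runaway_rate is not None and k >= k_fault:
            if pos_at_fault is None:
                pos_at_fault = plant
            # Runaway: the surface drives at its own rate and ignores the command.
            plant = clamp(plant + runaway_rate * DT, POS_MIN, POS_MAX)
        else:
            plant = actuator_step(plant, cmd, TAU_PLANT)
        model = actuator_step(model, cmd, TAU_MODEL)      # analytical estimate
        measured = plant + 0.02 * math.sin(50.0 * t)      # constructed disturbance
        residual = measured - model
        count = count + 1 if abs(residual) > THRESHOLD else 0
        if count >= CONFIRM:
            travel = abs(plant - pos_at_fault) if pos_at_fault is not None else 0.0
            return {"delay": t - k_fault * DT, "travel": travel}
    return None


if __name__ == "__main__":
    print("fault-free:", simulate())
    for rate in (1.0, 10.0, 40.0):
        r = simulate(rate)
        print(f"runaway {rate:5.1f} deg/s: delay={r['delay']:.2f} s "
              f"travel={r['travel']:.2f} deg")
```

In this constructed run the model mismatch and disturbance stay below the threshold, and the surface travel at detection grows with the runaway rate even though the detection delay shrinks.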

These techniques have been shown to work well in a number of real applications but might encounter difficulties when it comes to their use in aerospace applications where the dynamics, perturbations and safety-critical limits encountered are very difficult to handle.

Most of these present-day techniques traditionally rely on a design cycle composed of:
i) Simplifications of the problem (e.g. use of numerically linearized nominal models)
ii) Conservative synthesis
iii) Ad hoc analysis and tuning

This design and analysis cycle results in conservative designs and is highly dependent on the designer's experience and knowledge of the system. Nevertheless, as these techniques have been successfully applied in many other fields they represent an ideal stepping-stone to incrementally evaluate the possibility of using model-based FDD techniques in aircraft.

Advanced model-based FDD methodologies, explicitly dealing with challenging issues of practical applications (handling of nonlinearities and dynamic variations) together with various optimization techniques (allowing fast and optimal FDD system tuning and robust detection), have appeared within the academic community in the past years. These techniques attempt to overcome the shortcomings of traditional FDD approaches both in terms of detection performance and robustness, and as such, they are widely referred to as advanced.

Advanced FDD approaches represent a logical shift from the traditional linear approaches towards nonlinear and advanced optimization methods. At the same time, these advanced approaches can open up the possibility to reduce the fault detection levels with the direct consequence of improving aircraft performance and its environmental footprint. Nevertheless, the sophistication demanded by these advanced FDD methods has often limited their use in the industrial practice.

After an initial study phase of the above methods, the partners selected at least two different methods to be applied to one of the three different fault scenarios defined in the ADDSAFE benchmark. In this way a wide coverage of different solutions is developed for the different fault scenarios.

A summary of the methods applied by each partner follows:

- DEIMOS selected the same method but at different levels, i.e. global and local perspectives, for the second fault scenario (F2), the aircraft abnormal configuration. The selected method was based on a general methodology for H∞ FDD synthesis; the global approach used aircraft measurements and controller deflection commands, while the local approach used only the available actuator inputs/outputs.

- DLR selected two different FDD methods focusing on the third fault scenario (F3): the elevator runaway and the elevator jamming. One of the methods, the one for the elevator runaway, was not truly model-based but rather a signal-based method (i.e. based on Narendra signal evaluation), which was later complemented by a model for robustification purposes. DLR also worked on OFC detection based on recursive Fourier transform, and provided analysis results obtained with FES and worst-case analysis tools.

- UHULL: Two main FDD approaches were selected for implementation by this partner. The first method, called the Mixed H−/H∞ LPV quadratic FDD approach, was adopted for detecting faults in the first fault scenario (F1) and the second fault scenario (F2). The 2nd method selected was based on an Extended Unknown Input Observer (EUIO) for the third fault scenario (F3). For method 2, the residual threshold was taken as a new tuning parameter and adjusted in F3 for the sub-fault scenario (right elevator runaway) case.

- ULEIC: The first selected FDD method of this partner was based on a sliding mode observer with fault reconstruction capability, using the nonlinear representation of the local actuator model for fault detection in the third fault scenario (F3). The second selected method was described as robust sensor fault reconstruction using an LPV sliding mode observer that used a global LPV model of the benchmark model (the one developed by DEIMOS). This method was used to detect faults of the first fault scenario (F1).

- IMS-CNRS: The first method selected was called "Hybrid observer based on HOSM differentiator for FDD" and it was applied to the Oscillatory Failure Case (OFC) in the third fault scenario (F3). The second method, called "Reduced order FDD filter using H∞/H− design and µg analysis", was applied for the fault detection of the aircraft abnormal configuration (F2).

- UDELFT: For the first fault scenario, i.e. ADIRS monitoring (F1), this partner selected an FDD method based on an adaptive Extended Kalman Filter (AEKF) for the detection of the sensor faults. The 2nd method used online Aerodynamic Model Identification to detect the faults of the second fault scenario (F2). For the ADIRS monitoring (F1), improvements to the EKF structure were made and fusion of the redundant measurements and the residual generation was simplified.

- SZTAKI: The first selected method called a "Geometric LTI FDI filter for quasi-LPV systems" was applied to the fault of the second fault scenario (F2) and to the elevator runaway and jamming faults (F3). The 2nd method selected by this partner was called "Inversion and parity relation based FDI Filters for quasi-LPV systems", and was applied to the elevator runaway and jamming faults (F3).

To conclude, a summary of the results is given grouped in terms of the traditional issues they addressed related to the transfer and application of an FDD design (or any other type for that matter) to an actual industrial setting:
- Advanced gain-scheduling approaches for FDD design
- Advanced modeling approaches for FDD design
- FDD methodology and tuning
- Integration issues between fault diagnosis and tolerant control systems

2.3.1 Advanced gain-scheduling approaches for FDD design

During the 1990s and into this decade, design and evaluation tools have evolved to enhance the robustness of FDD schemes against small parameter variations and other disturbances.

The approach usually involves an initial design stage based on a priori notions of parameter uncertainty and knowledge of required fault sensitivities, followed by Monte Carlo tuning of the FDD parameters based on realistic system testing.

A different approach is the reliance on gain-scheduled FDD designs that provide the necessary performance around specific regions in the flight envelope by means of:
(a) the variations in the parameter scheduling and
(b) the required local robustness satisfied by any of the available robust FDD techniques for the independent point-design filters.

The problem with both approaches is that they are ad hoc techniques that require a significant amount of work and result in global designs lacking theoretical performance and robustness guarantees in the in-between design points.

During ADDSAFE, approaches based on Linear Parameter Varying (LPV) theory were studied since they allow taking into account wider and more rapid parameter variations. The results showed that these methods are a very promising and attractive approach for the design of FDD for aircraft systems. Nonetheless, it was also seen that unless further research effort is devoted to their implementation complexity they are only a valid solution when the system is subject to wide dynamic changes (i.e. the "local" nature of the scenarios in ADDSAFE meant that simpler LTI designs could also satisfy the performance and robustness objectives).

2.3.2 Advanced modeling approaches for FDD design

A prerequisite for the application of LPV techniques (and to a certain extent H∞-based designs) is the development of a highly accurate polytopic, linear fractional transformation (LFT) or, more generally, so-called LPV model.

Such models can be used efficiently to represent a wide class of nonlinear systems, and efficient methods and software tools to automatically generate LPV models have already been developed in the last 10 years. Furthermore, they have been used to model complex aircraft systems with ample success, although always from the perspective of control design and analysis.

In ADDSAFE, LPV/LFT models were developed for the full aircraft and the actuator model. Since there is no unique solution for the transition from a nonlinear aircraft model to a LPV/LFT representation, the main challenge was the development of accurate low-order rational approximations for the LPV models, so that the corresponding LFT-models had manageable sizes while maintaining the fidelity of the physical model.

Actuator LFT/LPV modeling
Concerning the actuator LPV models the first investigations revealed that a good description could only be obtained by using a quasi-LPV model, where the actual state of the model (the control surface deflection) and the sign of its derivative were also included as known varying parameters in the model. The main reason for this is that the aerodynamic forces have a strong influence on the actuator dynamics and these forces mainly depend on the control surface position and the direction of the control surface speed.

For ADDSAFE, and assuming that the parameter vector was fixed, DLR obtained a suitable polynomial description for the actuator where the coefficients were obtained through a gridding-based least square fitting procedure. This model was amply used by the consortium members exploring the use of advanced gain-scheduled approaches.

Aircraft LFT/LPV modeling
For sensor fault detection and some specific actuator faults it may be necessary to use a "global" LPV model, which includes the actuator, aircraft and sensor dynamics. Therefore, LPV models for the full open-loop aircraft model were also generated by DLR and DEIMOS.

DLR used an approach based on the polynomial interpolation of a set of LTI models where the LTI models were obtained by trimming and linearizing the nonlinear open-loop aircraft model for different values of mass, position of center of gravity, altitude and calibrated airspeed.

DEIMOS used a different LPV/LFT model generation whereby a mix of analytical and numerical interpolation was used to obtain local and global LPV models in LFT form. These models include parametric uncertainty (mass, xCG, moment of inertia and aerodynamic coefficients) as well as time-varying parameters (VEAS and Mach, the latter only for the global models). In addition, the DEIMOS model used a more flight-mechanic friendly formulation based on Euler angles (angle-of-attack and sideslip) and VTAS. This model was used by the consortium members when studying and applying system-level approaches.

2.3.3 FDD methodology and tuning

A very strong issue for the transfer of FDD approaches to industry is the transparency of the design approach. This refers to the understanding of the methods, mostly in terms of their methodology and of the capability to tie the tuning of the design to physical parameters.

Methodology
Guidelines and pseudo-codes of the methodologies were studied and proposed prior to the design of the FDD approaches and consolidated after their application in view of the validation needs.

Tuning
In ADDSAFE, efforts to (i) clarify the tuning of the methods and (ii) formalize their optimal tuning were pursued, although this represented a first step in this direction.

For example, due to the single system consideration (only one aircraft or specific subsystem), there was no real need to demonstrate how to tune the designs across a set of parameters (e.g. weight of aircraft, bandwidths of actuators…), thus the efforts by the teams were directed towards providing insight on the tuning with respect to the synthesis algorithm and not with respect to different systems/sub-systems.

With respect to the formal use of optimization methods, several partners exemplified these approaches but again, the local nature of ADDSAFE fault scenarios (which was desirable for this study) clearly facilitated the task and its full power could not be demonstrated. Nevertheless, these efforts served to demonstrate the potential of these techniques and to open the way for the development of tools adapted to the aircraft FDD problem.

2.3.4 Integration issues between fault diagnosis and tolerant control systems

Currently, commercial aircraft fault tolerant control (FTC) strategies are based on fail-safe approaches whereby a nominal ("normal") control law is switched first to a robust ("alternate") solution, and then if necessary to a "direct" law controlling the actuator surfaces. Each component of the control law set ("normal", "alternate" and "direct") is designed off-line to have different levels of robustness, and thus performance.

The advantages of the current FTC are the ease of design, analysis and certification. On the other hand, the drawback is a loss of performance in the case of off-nominal events due to the safety (i.e. most conservative) design mindset of the current process. In addition, pilots must be trained for the widest array of off-nominal events: from failure in the main actuation elements (ailerons, elevators, rudders) to failure in any of the numerous high-lift devices (spoilers, slats, flaps) and including external events such as stalls or pitch-ups.

To cope with the above issues there are two general solutions. The first one is to further increase hardware redundancy but this will result in an unacceptable increase in the system cost, weight and complexity. The other solution is to implement novel FCS tolerant strategies and switch from a conservative design paradigm towards a performance oriented one.

This last solution has not been fully solved as of today because:

(i) A lack of demonstrated maturity of reconfigurable methods for commercial aircraft. By reconfigurable it is meant that the FCS can adjust, reconfigure or adapt to the current status.

(ii) A lack of research in the practical limitations arising from the interaction of reconfigurable systems with the diagnostic systems that feed them the required information to reconfigure/adapt.

The two above issues are contemplated nowadays from an independent perspective:
(i) to develop estimation/diagnosis techniques for FCS-related abnormal events and
(ii) to develop reconfigurable guidance and control techniques to maintain safety and optimize performance in the case of FCS-related abnormal events.

In reality, these components must interact on-board, especially if the estimation/diagnosis information is to be used by the reconfigurable approaches. Thus, it is critical to investigate the issues related to their integration from a practical perspective (e.g. quality, accuracy, delays of the information) as well as to investigate approaches that directly obtain integrated designs.

In ADDSAFE, several partners undertook a first step in this direction and showed that advanced model-based FTC approaches as well as approaches that directly provided FDD+FTC capabilities can be used potentially for aircraft ensuring adequate performance and robustness while respecting the stringent safety aircraft FCS guidelines. For example, a scheme based on exploiting the fault reconstruction capabilities of sliding mode observers to correct the faulty measurement before it is used by the controller, was studied and proposed by ULEIC.

2.4 INDUSTRIAL V&V AND DEMONSTRATION

2.4.1 Verification

The starting point for the industrial verification was the preliminary designs obtained in WP 3.1 together with the benchmark problem definition metrics from WP 1.1 and the full-industrial assessment FES from WP 1.2. The approach originally programmed was to perform a preliminary quantified benchmarking of the FDD designs. This partial benchmarking of all the preliminary FDD designs (implemented in the standard Matlab/Simulink libraries) was to serve for the selection of two FDD designs to be subsequently consolidated in WP 3.2, including porting into the AIRBUS Simulink library, prior to their industrial validation in WP 4.2.

At the end, a complete benchmarking by DEIMOS of all the designs was performed prior to the selection. All the designs were ported to AIRBUS Simulink library and consolidated in order to ensure a correct comparison. A selection of five designs was made due to their "lightness" and potential capabilities. The final verification and benchmarking approach was as follows:

1. Initial assessment of preliminary FDD designs. First, an initial benchmarking of all the preliminary designs from WP 3.1 was performed using the benchmarking FES. This preliminary benchmarking guided the subsequent maturation of the designs in WP 3.2.

2. Porting of the preliminary and final FDD-designs for their FES benchmarking. An important activity involved the porting of the above FDD designs using the special Simulink block-set library developed by AIRBUS based on their SAO/SCADE flight-code-ready generation software. This activity was carried out in parallel with the development of the detailed designs in WP 3.2 to allow the partners to synthesize and verify their designs in the closest form to the benchmarking environment. The consolidation and porting, not initially programmed at this stage, was considered relevant due to unexpected mismatches between the design/verification FES and the validation models. In addition, performing this step before benchmarking allowed most partners to consolidate their designs, removing some robustness issues arising from the previous mismatch.

3. Industrial benchmarking of all the final FDD designs. A full-fledged benchmarking of all the FDD techniques after their detailed design in WP 3.2 was conducted by DEIMOS. The objective was to have a complete picture on the relative performance of all the developed techniques, with respect to the FDD requirements from WP 1.1. The AIRBUS/DEIMOS developed quantitative metrics were obtained (which included false alarm rate, missed detection, detection time performance and also CPU processing load among others) and showed the "lightness" and high potential for most of the designs.

This activity consisted in applying a Monte Carlo campaign of 2200 runs decomposed into two main cases:

(i) 1200 fault-free runs distributed evenly (i.e. 200 each) among six benchmark-defined flight maneuvers: cruise phase, triggering of angle of attack protection, nose-up (abrupt longitudinal maneuver), triggering of pitch protection, coordinated turn and a so-called "yaw-angle-mode" which roughly corresponds to an enhanced auto-pilot hold mode.

(ii) 1000 runs with faults at the default flight manoeuvre for the selected fault scenario. These 1000 runs are distributed evenly among the different types of faults applicable to the fault scenario (e.g. if the aileron fault scenario is being examined, then 333 runs for liquid jamming, 333 runs for solid jamming and 334 for disconnection).

The first set of cases was used to assess the false alarm (FA) metric (which is the most critical for an actual deployable FDD) while the second looked more specifically at the missed detection (MD) and the detection time performance (DTP) metrics. In other words, the first case looked at robustness and the second at performance of the FDD designs.

4. Selection of the most promising candidates for their industrial validation. From all the used FDD techniques, initially two were to be selected to continue to the industrial validation process and demo. As aforementioned, thanks to the high capability and potential, as measured by the quantitative metrics results, finally AIRBUS pre-selected five designs.
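The residual-and-threshold detection described earlier and the Monte Carlo scoring of this campaign, combined in one added example (not ADDSAFE code or benchmark data). The first-order actuator model, observer gain, noise bound, fault shapes and command profiles are assumed stand-ins; only the campaign layout (evenly split fault-free and faulty runs scored for FA, MD and detection time) follows the text.

```python
import random

DT = 0.01                 # s, sample period (assumed)
ALPHA = 0.2               # DT / nominal actuator time constant (assumed)
L_GAIN = 0.3              # observer output-injection gain (assumed)
NOISE = 0.05              # deg, bound of the uniform sensor noise (assumed)
RATE, STOP = 30.0, 25.0   # deg/s runaway rate and surface stop (assumed)
CONFIRM = 3               # consecutive exceedances needed to raise an alarm
STEPS = 300               # samples per run (3 s)
PROFILES = ("hold", "step", "doublet")   # constructed stand-ins for manoeuvres
FAULTS = ("jamming", "runaway")


def command(profile, amp, k):
    """Commanded deflection (deg) at sample k for a constructed profile."""
    if profile == "hold":
        return 0.0
    if profile == "step":
        return amp if k >= 50 else 0.0
    return amp if (k // 100) % 2 == 0 else 0.0   # doublet: 1 s on, 1 s off


def split_evenly(total, parts):
    """Distribute runs evenly; the last part absorbs the remainder."""
    base = total // parts
    return [base] * (parts - 1) + [total - base * (parts - 1)]


def run(rng, profile, threshold, fault=None):
    """Simulate one run; return (alarm sample or None, fault sample or None)."""
    amp = rng.uniform(5.0, 10.0)
    alpha_true = ALPHA / rng.uniform(0.9, 1.1)   # +/-10 % time-constant error
    k_fault = rng.randint(20, 80) if fault else None
    x = x_hat = 0.0
    count = 0
    for k in range(STEPS):
        u = command(profile, amp, k)
        residual = x + rng.uniform(-NOISE, NOISE) - x_hat   # measurement - estimate
        # In faulty runs the counter is armed at fault onset, so the delay is
        # measured from the fault; pre-fault alarms are scored by fault-free runs.
        armed = k_fault is None or k >= k_fault
        count = count + 1 if armed and abs(residual) > threshold else 0
        if count >= CONFIRM:
            return k, k_fault
        # Observer: nominal model plus output injection of the residual.
        x_hat += ALPHA * (u - x_hat) + L_GAIN * residual
        # Plant: jammed (frozen), running away to the stop, or healthy.
        if fault and k >= k_fault:
            if fault == "runaway":
                x = min(STOP, x + RATE * DT)
        else:
            x += alpha_true * (u - x)
    return None, k_fault


def campaign(threshold, n_free=1200, n_fault=1000, seed=1):
    """Score one detector setting: false alarms, missed detections, delay."""
    rng = random.Random(seed)
    false_alarms = missed = 0
    delays = []
    for profile, n in zip(PROFILES, split_evenly(n_free, len(PROFILES))):
        for _ in range(n):
            alarm, _unused = run(rng, profile, threshold)
            false_alarms += alarm is not None
    for fault, n in zip(FAULTS, split_evenly(n_fault, len(FAULTS))):
        for _ in range(n):
            alarm, k_fault = run(rng, "doublet", threshold, fault)
            if alarm is None:
                missed += 1
            else:
                delays.append((alarm - k_fault) * DT)
    return {
        "fa_rate": false_alarms / n_free,
        "md_rate": missed / n_fault,
        "max_dtp": max(delays) if delays else None,   # seconds
    }


if __name__ == "__main__":
    for thr in (1.0, 0.1):   # deg
        print(thr, campaign(thr))
```

With the 1.0 deg threshold the detector stays silent over all fault-free runs; at 0.1 deg the ±10 % time-constant mismatch alone is enough to raise false alarms, which is the robustness versus sensitivity trade-off the residual design has to settle.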

The FES verification and benchmark results were: All the designs but 4 obtained maximum DTPs well below the desired one. All the designs obtained satisfactory MD%; one case suffered a 0.3% MD, which is considered acceptable. All the designs but one had zero FA%.

In summary, 9 out of the 14 designs got full marks when using the quantitative DTP, FA% and MD% metrics and the rest of the designs were close behind, suffering only minor DTP or FA% shortcomings, which were later corrected. The final selection of the FDD designs for the subsequent industrial validation stage, discussed next, took these quantitative results into account together with the ET metric and the qualitative assessment.

Considering the fastest FCC sampling period (FCC are multi-rate time triggered digital computers), the ET estimation results were: 3 designs obtained ET between 14 and 22% of the maximum CPU power, which is considered as unrealistic for an implementation in FCC. 5 designs obtained ET between 3 and 7% of the maximum CPU capacity which is considered acceptable taking into account that the FCCs used on the most recent aircraft offer more computing capacity. 5 designs obtained ET between 0.3 and 2% which is considered as excellent.

The qualitative assessment was more difficult to perform. The number of input parameters to tune oscillates between 6 and more than 40 considering each element of a matrix as a unique input parameter. The physical meaning was also difficult to establish. From an industrial point of view, this was clearly an appealing avenue worth exploring for facilitating the industrial transfer of the proposed FDD designs.

2.4.2 Validation

This validation on the standardized V&V processes used by industry is a key step for the successful transfer to the aeronautics sector of the developed diagnosis methods. This transfer was one of the most important technological objectives of the project.

The selected designs to be validated come from the technology development phase consisting of preliminary and detailed design and code prototyping/integration (see subsection above). It also included AIRBUS' very long and strong experience in aircraft system industrial validation in general, and specifically in the industrial development and validation of Flight Control Computer software.

The chosen approach was to involve in the earliest phases of the project all AIRBUS teams typically involved in the industrial validation:
- Flight Control System specialists and experts
- Flight Control Software coding team
- Flight and Integration Tests teams

The validation work performed implied two main steps:

1. Preparation of the experimental set-ups for industrial validation.
In a first step, a graphical tool allowed specifying the overall implementation of the FDD designs (i.e. computer aided-specification). A limited set of graphical symbols (adder, filters, integrator, look-up tables…) was used to describe each part of the submitted designs. In a second step, an automatic generation tool produced the code to be directly implemented in the flight control computer (FCC).

2. Industrial validation on Airbus test facilities.
Once the selected FDD designs were implemented inside the FCC, the implementation of the FDD designs was validated during severe simulation campaigns on several kinds of simulators. The validation also consisted of two phases: the detection capability and the robustness assessment. The robustness assessment consists of a series of typical manoeuvres, some of them with strong control surface dynamics: flight control checks, push-over, take-offs in nominal configurations as well as degraded configurations (engine failure, crosswind...), Auto-Pilot disconnection, slats/flaps configuration changes, side-step, "duck-under", etc.

Depending on the selected FDD design and on the fault scenario concerned, two test benches were used:

1. A System Integration Bench, which is an actuator test bench with simulated inputs and observation of computer internal variables.
2. A flight simulator, which was a test bench equipped with a real aircraft cockpit, real flight control computers and coupled to a rigid aircraft model.

The validation campaigns were performed by AIRBUS' V&V teams but with support from the design teams. The results showed an initial lack of robustness during the first tests. This was corrected during the validation maturation of the designs along three V&V campaigns. The detection performances were generally correct with some specific configurations still showing missed detection results which were corrected by the last tests.

It is noted that initially only two V&V campaigns were programmed due to their cost (i.e. they may involve up to 20 different engineers). Nevertheless, AIRBUS felt that it was possible to include one more campaign due to the simultaneous testing of similar FDD designs, and furthermore an additional 4th campaign was performed thanks to AIRBUS internal funds. The latter clearly indicates the interest of AIRBUS in the developed methods.

The lessons learnt from these tests are:
- The FCC digital precision is limited and could impact some designs. In particular, the coding of a high-order (greater than 2) filter could be sensitive and lead to error propagation and a diverging behaviour because of coefficient truncation. Adequate filter architectures (e.g. cascade) must be found.
- Since a limited number of symbols can be used inside any functional specification sheet, a relevant and "readable" coding architecture must be found, without creating delays between several sheets dedicated to the same design.
- A useful and very often used symbol is a look-up table. However, only a limited set of "breaking points" can be used, possibly degrading the design performances.
- Finally, a very close collaboration is needed between the designers and the Airbus teams for avoiding any errors that could waste expensive and time-consuming validation on industrial test benches. An upstream, and as complete as possible, design validation is of primary interest.
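The first lesson above, shown as an added example (not Airbus or ADDSAFE code): a sixth-order all-pole filter is realised once in direct form and once as a cascade of second-order sections, and the coefficients are then truncated. The pole locations near z = 1 and the 12 fractional bits are assumptions chosen to represent a narrow-band filter at a fast sample rate.

```python
import math

FRAC_BITS = 12   # fractional bits kept after truncation (assumed word length)
# Constructed pole pairs (radius, angle in rad) close to z = 1: a narrow-band
# sixth-order filter running at a fast sample rate.
POLES = [(0.98, 0.05), (0.98, 0.08), (0.98, 0.11)]


def quantize(value, frac_bits=FRAC_BITS):
    """Truncate to the fixed-point grid (floor, like two's-complement truncation)."""
    scale = 1 << frac_bits
    return math.floor(value * scale) / scale


def section(radius, angle):
    """Denominator [1, a1, a2] with poles at radius * exp(+/- j*angle)."""
    return [1.0, -2.0 * radius * math.cos(angle), radius * radius]


def poly_mul(p, q):
    """Multiply two polynomials given as coefficient lists."""
    out = [0.0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] += a * b
    return out


def impulse_response(stages, n_samples=2000, limit=1e12):
    """Drive cascaded all-pole stages 1/den(z) with a unit impulse.

    Returns (peak, last) output magnitudes, or (inf, inf) as soon as the
    output passes `limit`, which marks a diverging (unstable) filter.
    """
    history = [[0.0] * (len(den) - 1) for den in stages]   # past outputs per stage
    peak = last = 0.0
    for n in range(n_samples):
        signal = 1.0 if n == 0 else 0.0
        for den, past in zip(stages, history):
            # y[n] = x[n] - sum(den[k] * y[n-k]); the output feeds the next stage.
            signal -= sum(c * y for c, y in zip(den[1:], past))
            past.insert(0, signal)
            past.pop()
        last = abs(signal)
        peak = max(peak, last)
        if peak > limit:
            return math.inf, math.inf
    return peak, last


def compare(frac_bits=FRAC_BITS):
    """Impulse-response (peak, last) for each realisation of the same filter."""
    sections = [section(r, th) for r, th in POLES]
    direct = [1.0]
    for sec in sections:
        direct = poly_mul(direct, sec)   # expand into one 6th-order polynomial
    designs = {
        "direct, double precision": [direct],
        "direct, truncated": [[quantize(c, frac_bits) for c in direct]],
        "cascade, truncated": [[quantize(c, frac_bits) for c in sec]
                               for sec in sections],
    }
    return {name: impulse_response(stages) for name, stages in designs.items()}


if __name__ == "__main__":
    for name, (peak, last) in compare().items():
        print(f"{name:26s} peak={peak:.3e} last={last:.3e}")
```

Truncating the expanded sixth-order polynomial lowers every coefficient, which makes the polynomial negative at z = 1 and therefore puts a real pole outside the unit circle; the same truncation applied per second-order section leaves each pole pair inside it.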

The V&V campaign results, as well as the lessons learnt, have shown that the industrial transfer depends on a better understanding of the methods, which are still considered as quite complex by the main industrial partner, but in conclusion, the V&V campaigns are considered as very promising from an industrial point of view.

2.4.3 Demonstration

The demonstration was performed during an international EU/IEEE Workshop on "Industrial and Academic Experience in Aerospace Fault Detection and Diagnosis" which followed the ADDSAFE final meeting. This workshop was co-funded by the IEEE Control Systems Society (CSS) Outreach Fund and all the ADDSAFE partners and it was co-organized by Andrés Marcos (DEIMOS) and Philippe Goupil (AIRBUS).

The workshop was devoted to the FDD practices in Aerospace and was organized by Deimos and Airbus in Toulouse, gathering 55 attendees and 29 technical speakers from academia (Universities from England, France, Netherlands, Hungary, Germany, USA), research labs (ONERA, DLR, CNRS, CIRA, CNES), European industrial stakeholders (Astrium, Eurocopter, Innovative Works) and authorities (EASA, NASA, ESA). This workshop served to present final results of the ADDSAFE project as well as their demonstration on Airbus facilities. It also served as a forum between aerospace FDD experts from industry and academia, with all very well represented and balanced.

The demo was performed during the course of an afternoon by AIRBUS' V&V team in their industrial test-benches (used prior to flight test and involving all the SW and HW avionics) in presence of the attendees and successfully showed the high technological readiness level (a TRL of up to 6) achieved by the designs.

Potential Impact:

2.5 CONCLUSIONS AND RECOMMENDATIONS

The ADDSAFE project lasted from July 2009 until October 2012. The aim of the project was to research and develop model-based FDD methods for aircraft flight control systems faults, predominantly sensor and actuator malfunctions.

From a technological and scientific perspective the main benefits of the project were expected to be:
1. Identification of a set of guidelines for FDD design and analysis for aircraft G&C
2. Improved FDD methods and understanding of their applicability to aircraft FDD
3. A step towards a V&V process for advanced aircraft diagnostic systems
4. Demonstration of model-based FDD designs on industrial V&V platforms.

2.5.1 Conclusion

The goals have been amply satisfied as proven by the final demonstration of 5 designs (out of 14) in the V&V facilities of Airbus at Toulouse. The technological readiness level (TRL) achieved with this demonstration is 5/6 since the test-benches used are the final ones prior to actual flight testing and involved the full Airbus V&V team as well as the flight control system software and hardware avionics. Furthermore, world experts and principal European aerospace stakeholders and authorities (EASA, NASA, ESA, EADS…) were invited for the demonstration and were able to see first-hand the results and successful behaviour of the designs.

2.5.2 Recommendations

Based on the developments and results of ADDSAFE several issues have been identified to further progress model-based FDD methods.

Advanced gain-scheduling approaches for FDD design

During ADDSAFE, approaches based on Linear Parameter Varying (LPV) theory were studied since they allow taking into account wider and more rapid parameter variations. The results showed that these methods are a very promising and attractive approach for the design of FDD for aircraft systems. Nonetheless, it was also seen that unless further research effort is devoted to their implementation complexity they are only a valid solution when the system is subject to wide dynamic changes (i.e. the "local" nature of the scenarios in ADDSAFE meant that simpler LTI designs could also satisfy the performance and robustness objectives).

Advanced modeling approaches for FDD design

Efficient methods and software tools to automatically generate LPV models for a given nonlinear aircraft model have been developed in the last 10 years. Furthermore, they have been used to model complex aircraft systems with ample success, although always from the perspective of control design and analysis.

ADDSAFE explored the development of LPV models geared for FDD and successfully showed their validity for the explored cases (as testified by the use of the models by most partners). Nonetheless, more needs to be done in this aspect to consider more general cases and to address the previous LPV design complexity issue (i.e. the use of simple LPV models will directly result in simpler LPV designs).

FDD tuning

In ADDSAFE, efforts to:
(i) clarify the tuning of the methods and
(ii) formalize their optimal tuning were followed but there is still need for further studies.

For example with respect to the tuning methods, due to the single system consideration (only one aircraft or specific subsystem), there was no real need to demonstrate how to tune the designs across a set of parameters (e.g. weight of aircraft, bandwidths of actuators…), thus the efforts by the teams were directed towards providing insight on the tuning with respect to the synthesis algorithm and not with respect to different systems/sub-systems.

With respect to the formal use of optimization methods, several partners exemplified these approaches but again, the local nature of ADDSAFE fault scenarios (which was desirable for the stated goals) clearly facilitated the task and its full power could not be demonstrated. Nevertheless, these efforts served to demonstrate the potential of these techniques and to open the way for the development of tools adapted to the aircraft FDD problem.

Integration issues between fault diagnosis and tolerant control systems

In ADDSAFE, several partners undertook a first step in this direction and showed that advanced model-based FTC approaches as well as approaches that directly provided FDD+FTC capabilities could be used potentially for aircraft ensuring adequate performance and robustness while respecting the stringent safety FCS guidelines.

List of Websites:

http://addsafe.deimos-space.com/
