Early warning and prediction of flight parameter abnormalities for improved system safety assessment

Reliability Engineering and System Safety 76 (2002) 19±27

www.elsevier.com/locate/ress

Early warning and prediction of ¯ight parameter abnormalities for improved system safety assessment A. Zolghadri* Laboratoire d'Automatique et Productique, Universite Bordeaux I, 351 cours de la LibeÂration, 33405 Talence cedex, France Received 23 November 2000; accepted 24 October 2001

Abstract It is widely accepted that human error is a major contributing factor in aircraft accidents. The early detection of a subsystem abnormality that is developing during ¯ight is potentially important, because the extra time before an alert range is reached may improve the crew's situation awareness. The ¯ight crew may thus consider and try more options for dealing with the failure situation. Robust numerical algorithms and techniques are proposed for rapid recognition of faulty situations, which have the potential for such early detection. The warning system includes a model-based multi-step ahead predictor, which provides predictive information on some ¯ight critical parameters. A key feature of the proposed techniques is that it takes advantage of the on-board information redundancy, computer technology and graphics displays, uses the already available measurements and hence requires only input±output processing for implementation in on-board computers. This is an important aspect when considering the testability and certi®cability of the software implementation. The system is tested on a simulated typical landing approach scenario of a civil aircraft using the RCAM 1 benchmark. q 2002 Elsevier Science Ltd. All rights reserved. Keywords: Flight monitoring system; Accident prevention; Predictive information; Model estimation; Multi-step ahead prediction

1. Introduction and problem setting Safety becomes more important in civil avionics ®eld, as more people are transported, higher costs are involved in establishing safety, and the reputation of airlines and aircraft manufacturers is paramount, in an increasingly competitive market. The present level of safety in aviation is widely recognized. However, with the expected growth of air traf®c and the foreseeable use of larger airplanes carrying a greater number of passengers per vehicle, the current accident rates must be improved so that aviation safety records continue at the highest level. Advances in future aircraft cockpits are being made possible by the rapid progress in display media, graphics displays, computer technologies, and human factor methodologies. These technologies may enable the design of cockpits with improved crew situation awareness and workload. Government and industry research programs have been established in Europe and in the United States to develop and apply these technologies. On the ¯ight deck, * Tel.: 133-56-846-530; fax: 133-56-846-644. E-mail address: [email protected] (A. Zolghadri). 1 RCAM is a research civil aircraft benchmark developed by the Group for Aeronautical Research and Technology in Europe (GARTEUR).

safety is strongly related to the `situation awareness'. Situation awareness implies `that the pilot has an integrated understanding of the factors that will contribute to the safe ¯ying of the aircraft under normal or non-normal conditions' [9,11]. As situation awareness increases, the crew is increasingly able to think `ahead' of the aircraft, and do this for a wider variety of situations. Failure to understand, in an early stage, the implications of certain system failures on the capability of other aircraft systems has been cited as a contributing factor in several accidents [8,12]. However, current automated ¯ight monitoring systems do not alert the ¯ight crew of a failure until a parameter value has exceeded an alert limit. Near-time parameter prediction may help the ¯ight crew make longterm predictions of when a parameter will reach an alert range [12,13,17]. The early noti®cation to the ¯ight crew of a system parameter deviation will provide additional time to assess the situation, and leading to more timely or appropriate responses for dealing with in-¯ight failures. This would contribute to improve situation awareness and system status assessment during time critical situations. The paper describes the status of an on-going research program to develop a highly reliable predictive-based information system to aid the ¯ight crew during fault recognition and system status identi®cation, to increase

0951-8320/02/$ - see front matter q 2002 Elsevier Science Ltd. All rights reserved. PII: S 0951-832 0(01)00137-5

20

A. Zolghadri / Reliability Engineering and System Safety 76 (2002) 19±27

their understanding of the situation and to reduce the practice of `merely reacting to situations'. In a series of papers [12,13], Trujillo described the status of experiments conducted at the NASA to evaluate certain issues about the usefulness of predictive information in a modern ¯ight deck. Eighteen current commercial airline pilots participated as test subjects. The speci®c issues addressed where the relative time criticality of failures, the subjective utility of such information for different parameters or sensors and the preferred form and prediction time for displaying predictive information. The main conclusion was that, while predictive information is bene®cial, it must be in the proper form for safety to increase [12]. In other words, the predictive information must be available in an appropriate form, which is oriented to the user's task. The work reported in Refs. [12,13] was focused on the bene®ts of the predictive information rather than how to generate such predictions. In this paper, we investigate the problem of how reliable multi-step ahead estimation of critical ¯ight parameters can be performed, based on a bank of models covering the underlying ¯ight domain. The paper is organized as follows. Section 2 outlines the main features of the proposed approach. Section 3 describes the estimation/prediction procedure, as well as a method to handle the prediction accuracy. Section 4 is devoted to aircraft model and system speci®cation. Finally, Section 5 presents some evaluation results based on a typical landing approach scenario of the RCAM benchmark. 2. State-of the-art and objectives In-¯ight subsystems employ highly sophisticated fault tolerant processing systems with redundant capacity to perform a given task. The new generation of transport aircraft includes integrated Electronic Flight Instrument System (EFIS). The EFIS combines the display ¯exibility of the cathode ray tube or liquid crystal display and the computing power of the microprocessor to provide the crew with an easily assimilated display of the aircraft situation in space as well as the system's status. The aircraft situation is depicted by two displays. The ®rst, Primary Flight Display (PFD) provides the pilot with information

on aircraft altitude, attitudes, heading and airspeed, while autopilot ¯ight mode data is also displayed. The second is the Navigation Display (ND). PFDs replace most conventional ¯ight and engine instruments. Display management computers acquire and process all input from aircraft sensors and computers to generate the display images. If a display fails, automatic and manual switching allows the display to be transferred to an operable display unit. In order to ful®ll the safety requirements for availability, duplex, triplex or quadruplex parallel systems are often implemented. In order to ful®ll the safety requirements for data integrity, monitoring mechanisms (cross-check, feedback, etc.) are developed. These mechanisms are based on limit-value checking of some safety-critical parameters, associated with some simple logical procedures. Monitored variables are checked with regard to certain tolerances of normal values. Alarms are triggered if the thresholds are exceeded. If the limit-value violation signi®es a dangerous process state and functioning, an appropriate action can be initiated. In setting the thresholds compromises have to be made between the detection size of abnormal deviations and false alarms because of normal ¯uctuations in the variables. Limit-value based monitoring methods are only able to react after a change. Moreover, these approaches fail if the tolerances depend on a dynamically changing operating point [10]. Although the Fly-By-Wire system in the new generation civil aircraft (for instance A320) includes a number of features to protect the aircraft from the effects of pilot errors [5] (operating the aircraft outside the ¯ight envelope), most accident reports identify ¯ight crew errors as a major causal factor: about 70% of aircraft accidents are attributed to ¯ight crew (Boeing data [12]). The ®rst idea to improve the current limit-value based monitoring systems is to use a model-based Fault Detection and Isolation technique [4,10,15,16]. It is well known that while catastrophic or hard over failures can be uncovered rapidly by on-line monitoring, the more subtle, soft drifting and slowly developing failures are more rapidly detected and isolated by the use of techniques based on modern estimation/decision theory. See Refs. [4,10] for a survey. The basic idea is shown in Fig. 1.

Fig. 1. Basic FDI scheme.

A. Zolghadri / Reliability Engineering and System Safety 76 (2002) 19±27

The designed system should provide solutions having well-de®ned real-time characteristics and well-de®ned error-rates. The above FDI system generates real-time fault messages but does not give any reliable prediction of the value of a system output. To compute a reliable predicted value of an output parameter in the future, say at time t 1 m, the value of the future (manually or automatically) generated control signals up to time t 1 m 2 1 must be known or estimated in advance. Thus the crew is not really aided for considering more strategic planning in situations that slowly develop. On the other hand, pilots of modern ¯ight decks are often overwhelmed with a large number of modes, displays, alert messages, etc. As automation and the number of automatically generated fault messages increase, so does the dif®culty of recognizing, anticipating, and preventing system errors (too much crew effort to integrate and assimilate all relevant displayed information quickly, easily and accurately). Pilots seem to simplify the decision-making task by focusing on only a few aspects of the information potentially available to them [11]. More potential bene®ts could be expected for improved decision-making if rather, some type of predictive information is displayed without any automatically generated decision variables. The bene®ts of such strategy are in realm of improved pilot decision-making. Motivated by the earlier discussion, an alternative strategy is now developed (Fig. 2). It is composed of a model estimation/updating algorithm, which includes the process of updating and automatic management of faulty models, and a multi-step ahead predictor, which provides predictive information (together with some precision indicator) to EIS displays. Note that the `system' generating the ¯ight parameters and signals is de®ned as a set of predominantly active components, many of which are electronic or mechanic components like sensors, actuators, feed back, displays, embedded computers, that are interconnected via dedicated direct links or by communication. The existing software and hardware environment can be used directly by the proposed techniques, thus avoiding loss of past investments. Again, how the predictive information is presented is very important. This aspect, as well as the software architecture and implementation aspects are currently under investigation and will not be analyzed here.

21

3. Multi-step ahead predictor for critical ¯ight parameters 3.1. Model estimation The multi-step ahead prediction of ¯ight parameters will be based on their state space model estimate. During the last decade there has been a growing interest in state space subspace-based system identi®cation methods (see Refs. [14,15]). The advantage of subspace methods compared to methods based on optimization of a criterion function such as the likelihood or the prediction error [6] lies in their numerical properties. They can be implemented numerically ef®ciently and use only standard reliable numerical tools such as singular-value decomposition. Numerically ef®cient algorithms have been developed to identify mixed deterministic-stochastic systems. In Ref. [14], a subspace algorithm is derived (the so-called N4SID algorithm) to consistently identify stochastic state space models from given output data without forming the covariance matrix and using only semi-in®nite block Hankel matrices. The algorithm developed in Ref. [14] is based on a numerically robust square root algorithm, that mainly uses QR-decomposition and Quotient Singular-Value Decomposition of the triangular factors and is completely data driven instead of covariance driven. State sequences are determined through the projection of output data. These state sequences are shown to be outputs of non-steady state Kalman ®lter banks [14]. In the interest of brevity, throughout this section an earnest attempt will be made to avoid duplicating material presented in Ref. [14]. Toward this end, the focus of this section will lie wholly with the problem formulation and the main assumptions used. The interested reader can refer to Ref. [14] for detailed background and proofs. Moreover, for simplicity we will here only discuss scalar signals but the discussion later also holds for the multi-variable case with some minor notational changes. Let y…t† [ R; t ˆ 0; 1; ¼; N be a data sequence (a time series) that is generated by the following stochastic system: x…t 1 1† ˆ A…u†x…t† 1 w…t†

…1†

_ ˆ C…u†x…t† 1 v…t† y…t†

…2†

n

where x…t† [ R is the state vector of the process at discrete time instant t, v(t) is the measurement noise and w(t) is the

Fig. 2. Generation of predictive system status information.

22

A. Zolghadri / Reliability Engineering and System Safety 76 (2002) 19±27

process noise. A…u† [ Rn£n and C…u† [ Rl£n : u is a parameter vector with all elements of the state-space matrices. It is assumed that v(t) and w(t) are both zero mean, stationary white sequences, Gaussian with covariance matrix: " # ! ! wt Q S
t t E dtk …3† w k vk ˆ vt St R where E denotes the expected value operator and d is the Kronecker delta. It is assumed that the stochastic process is zero mean stationary, i.e.: E‰x…t†Š ˆ 0 and Ebx…t†x…t†t c ˆ L: The state covariance matrix L is assumed independent of the time t. It is now well established from practical applications [2,10] that the subspace-based family of methods is robust with respect to some signal non-stationarities. This particular aspect becomes important when dealing with ¯ight parameters, as the stationarity assumption is not often satis®ed, especially in a faulty situation. However, the main open problem with subspace identi®cation methods is that of the asymptotic statistical analysis. Actually, it is not well understood how the algorithms perform when only a ®nite number of samples are available. In Ref. [3] the authors discussed the asymptotic properties of the estimates of system matrices, and established some asymptotic results when the estimation is performed using a particular class of subspace algorithms. For the particular problem considered here, it is obvious that the multi-step ahead predictions of ¯ight parameters cannot be delivered without any information about their accuracy. In particular, as it will be seen in Section 3.2, we need the covariance matrix of the estimated parameters for computation of the accuracy of the predictor. That is why, in the sequel, we propose that the subspace-identi®ed model be used as initial model for a prediction error estimation method [6] to get the estimate of parameters covariance matrix. 3.2. Multi-step ahead predictor Returning to the underlying application, let y(t) be now a ¯ight output signal (see Table 1). Denote K the optimum steady-state Kalman ®lter gain. Suppose that, using the joint subspace/Prediction Error estimation procedure described earlier, we are given the matrices A(uà ), C(uà ) and K(uà ) where u^ [ Rn…n12† is an estimated parameter vector with all elements of the state-space matrices. The optimal state estimate is obtained from ^ 1 1† ˆ A…u^ †x…t† ^ 1 K…u^ †…y…t† 2 y…t†† ^ x…t

^ ˆ C…u^ †x…t† ^ y…t† …4†

Denote e the so-called innovation process:

Table 1 Output de®nition of RCAM Symbol

Name

Unit

q nx nz wV z VA V b p r f uV vV y x c u a g x ny

y(1) ˆ pitch rate (in FB) y(2) ˆ horizontal load factor (in FB) ˆ Fx/mg y(3) ˆ vertical load factor (in FB) ˆ Fz/mg 2 1 y(4) ˆ z component of inertial velocity in FV y(5) ˆ z position of aircraft CoG in FE y(6) ˆ air speed y(7) ˆ total inertial velocity y(8) ˆ angle of sideslip y(9) ˆ roll rate (in FB) y(10) ˆ yaw rate (in FB) y(11) ˆ roll angle (Euler angle) y(12) ˆ x component of inertial velocity in FV y(13) ˆ y component of inertial velocity in FV y(14) ˆ y position of aircraft CoG in FE y(15) ˆ inertial track angle y(16) ˆ heading angle (Euler angle) y(17) ˆ pitch angle (Euler angle) y(18) ˆ angle of attack y(19) ˆ inertial ¯ight path angle y(20) ˆ x position of aircraft CoG in FE y(21) ˆ lateral load factor (in FB) ˆ Fy/mg

rad/s rad/s rad/s m/s m m/s m/s rad rad/s rad/s rad m/s m/s m rad rad rad rad rad m m

where F…q21 ; u^ † ˆ C…u^ †…qI 2 A…u^ ††21 K…u^ † 1 I

…7†

F…q ; u^ † is inversible and 21

F 21 …q21 ; u^ † ˆ I 2 C…u†‰qI 2 A…u^ † 1 K…u^ †C…u^ †Š21 K…u^ † …8† The `innovation form' of Eq. (7) corresponds to the following state equations: x…t 1 1† ˆ A…u^ †x…t† 1 K…u^ †e…t† y…t† ˆ C…u^ †x…t† 1 e…t†

…9† …10†

To obtain multi-step ahead estimation, one can repeatedly propagate the one-step ahead estimation (Eq. (4)) a number of time steps into the future. This procedure leads to the following equation for n-step ahead prediction: ^ 1 n† ˆ ‰C…u^ †A…u^ †n21 ‰A…u^ † 2 K…u^ †C…u^ †ŠŠx…t† ^ y…t 1 ‰C…u^ †A…u^ †n21 K…u^ †Šy…t†

…11†

The earlier relation can also be written as ^ 1 n† ˆ P…u^ ; q†y…t† y…t

…12†

where the ®lter P…u^ ; q† is de®ned as

P…u^ ; q† ˆ C…u^ †A…u^ † n21 ‰A…u^ † 2 K…u^ †C…u^ †Š‰qI 2 A…u^ †

^ 1 v…t† e…t† ˆ C…u†x…t† 2 C…u^ †x…t†

…5†

1 K…u^ †C…u^ †Š21 K…u^ † 1 C…u^ †A…u^ †n21 K…u^ † …13†

y…t† ˆ F…q21 ; u^ †e…t†

…6†

The Eq. (12) states that the n-step ahead predictor is a linear function of the output signal up to time t. The remaining

A. Zolghadri / Reliability Engineering and System Safety 76 (2002) 19±27

23

problem is how to estimate the accuracy of the above n-step ahead predictor. In Section 3.3, we derive an expression to solve this problem.

right-hand side in Eq. (17) is a linear function of the data and ^ 1 n†: So the variance of the n-step ahead is equal to y…t prediction error can be written as:

3.3. Accuracy of the multi-step ahead prediction error

^ 1 n†Š Var‰1…t 1 n†Š ˆ Var‰y…t 1 n† 2 y…t   ˆ 1 1 a21 1 ¼ 1 a2n21 s 2

The procedure described in Section 3.2 for computing the multi-step ahead prediction of y, tends to accumulate errors from one propagation to the next. Obviously, since we only have an estimate of the system from which y was generated, we will get an increased uncertainty in the predictions. Therefore this lack of knowledge must be quanti®ed and presented in an appropriate format to the crew. This can be done by calculating ®rst the variance of the n-step ahead predictor. 3.3.1. Calculations for the variance In Ref. [1] an expression was provided for the variance of an n-step ahead predictor, in the case where the signal is modeled exactly by an input±output ARMA model. In this section, we derive a more general closed form expression for the above-established predictor. Let N…q21 ; u^ † F…q ; u^ † ˆ D…q21 ; u^ † 21

…14†

" 1 Var

! # b…q21 ; u0 † b…q21 ; u^ † y…t† 2 N…q21 ; u0 † N…q21 ; u^ †

…18†

where s 2 ˆ E‰e…t†et …t†Š; and u 0 corresponds to the `true' parameter vector. Lemma. The last term of the right-hand side in Eq. (18) can be computed as follows: " ˆ Var <…

! # b…q21 ; u0 † b…q21 ; u^ † y…t† ˆ Var‰V…u^ †Š 2 N…q21 ; u0 † N…q21 ; u^ †

 dV…u† t dV…u† uˆu0 P… uˆu0 du du

where P is the estimated covariance matrix of the estimated parameter vector: P ˆ E…u 2 u^ †…u 2 u^ †t ; dV … u† C…q 21 ; u† ˆ du …qI 2 A…u† 1 K…u†C…u††2

…19†

where N and D are polynomials in the backward-shift operator of order l. Let a and b be polynomials satisfying the Bezout identity:

with

a…q21 ; u^ † ˆ 1 1 a1 q21 1 ¼ 1 an21 q2n11

…15a†

C…q 21 ; u† ˆ qI…n 2 1†‰K…u†C…u†…K…u†C…u†A…u†n22 †A…u†Š

b…q21 ; u^ † ˆ b0 1 b1 q21 1 ¼ 1 al21 q2l11

…15b†

1 qI…n 2 1†‰K…u†C…u†A…u†n21 A…u†Š

N…q21 ; u^ † q2n b…q21 ; u^ † 21 ^ ˆ a …q ; u † 1 D…q21 ; u^ † D…q21 ; u^ †

…15c†

1 qI…n 2 1†‰K…u†C…u†A…u†n22 A…u†Š

Then

"

1 ‰K…u†C…u†A…u†n21 q2 I 2 K…u†C…u†A…u†n qIŠ

#

q2n b…q21 ; u^ † y…t 1 n† ˆ a…q21 ; u^ † 1 e…t 1 n† D…q21 ; u^ †

b…q21 ; u^ † ˆ a…q ; u^ †e…t 1 n† 1 e…t† D…q21 ; u^ † 21

1 ‰K…u†C…u†A…u†n21 q2 I 2 K…u†C…u†A…u†n qIŠ …20† …16†

Since F is inversible (see Eq. (8)) and using Eq. (14) one can write:

b…q21 ; u^ † y…t 1 n† ˆ a…q21 ; u^ †e…t 1 n† 1 y…t† N…q21 ; u^ †

…17†

The ®rst term of the right-hand side in Eq. (17) is a linear function of e…t 1 1†; e…t 1 2†; ¼; e…t 1 n†; which are all independent on the data y(t), y(t 2 1),¼ available at time t, as in the optimal case, the innovation process is a white noise with the covariance Ebe…t†et …t†c ˆ L ˆ  u†Ct …u† 1 R where PÅ is the steady-state covariance C…u†P… matrix of the estimated state vector. The last term of the

where A…u^ †ˆ

dA…u† ^ †ˆ dC…u† ; K…u^ †ˆ dK…u† ; C… u du uˆu^ du uˆu^ du uˆu^

Proof. Under the assumption that uà is suf®ciently close to u 0, one can apply the Gauss' approximation formula and get  dV…u† t dV…u† Var‰V…u^ †Š < … uˆu0 P… uˆu0 du du

…21†

The calculations for the variance are then straightforward. It

24

A. Zolghadri / Reliability Engineering and System Safety 76 (2002) 19±27

is helpful to employ a software tool that supports symbolic mathematical operations (for instance MAPLE). A

Remark. A more simple expression can be derived by noting that ‰qI 2 …A…u† 2 K…u†C…u††Š

21

<

s X

21

q ‰…A…u†

jˆ0

2 K…u†C…u††q21 Šj For some speci®ed integer s. This approximation is based on the fact that A…u† 2 K…u†C…u† is stable (all of its poles are strictly inside the unit circle). 3.3.2. Quanti®cation of the predictor accuracy An important aspect when generating and displaying predictive ¯ight information is the problem of the pilot's decision behavior and his reliance on the displayed information. Clearly, decision-making faced with inadequate or incongruous predictive information may occur in a failure scenario. The earlier estimated variance of the n-step ahead predictor can now be used in order to decide how long the prediction horizon should be. To do this, we can check if the calculated variance is lower than a pre-speci®ed threshold. If the variance were larger than the threshold, it would be of no use in trying to make longer predictions with the estimated model. This means that either a more accurate model is to be identi®ed according to the actual ¯ight conditions, or making longer predictions are simply not possible. An example of quanti®ed con®dence level can be borrowed from software for airworthy equipment: the classi®cation is made according to the potential system failure the software could contribute to. The levels are: A (catastrophic failure: failure conditions which would prevent continued safe ¯ight and landing), B (hazardous/Severemajor), C (major), D (minor), E (no effect). So the idea is to quantify the prediction accuracy according to speci®ed con®dence levels (very high, high, medium, low). The con®dence intervals for predictions of ¯ight parameters can be calculated, based on the prediction error variance obtained earlier, and displayed to the crew with an appropriate graphical format. The con®dence boundaries can be placed for each a=2 ^ 1 n†Š1=2 ; estimate using the expression ^tt21 ‰var…y…t a=2 where tt21 is the a /2 signi®cance point on a t-distribution. However, note that the estimated covariance matrix that comes out of the model estimation procedure has meaning only if (or to the extent that) the prediction errors actually are normally distributed. For ¯ight real data, the normal distribution is often rather poorly realized. What we can say is that for instance, on

^ 1 n†Š1=2 approxiaverage, y…t 1 n† falls within ^2‰var…y…t mately 95% of the time. 4. Application to a RCAM mission: a landing approach scenario 4.1. RCAM model and basic aircraft dynamics The RCAM is based on six degrees of freedom mathematical dynamic aircraft model, de®ned in Matlab/Simulink [7,8]. It includes aerodynamic, engine, atmospheric and gravity models. In addition, actuator and sensor characteristics are taken into account, together with models for wind and atmospheric turbulence. Here, the design process used for the RCAM controller produces an autopilot, which is similar to an actual aircraft autopilot. The controller has been designed with a longitudinal and lateral component, each of which contains inner and outer loops, as with a conventional autopilot. For simulations, the dynamical behavior of the aircraft is described by a non-linear state representation. This nonlinear model can be linearized around an operation condition. Once a trim condition is established for the non-linear aircraft model within the simulation environment, a linear model is generated to capture the dynamics around the equilibrium point. The wind turbulence model is based on the Dryden spectra. To model turbulence, white noises are ®ltered through forming ®lters. The interested reader can refer to Refs. [7,8] for further details. Table 1 describes the available outputs. Table 2 presents the possible parameter choices in RCAM. FE denotes the earth-®xed reference frame, FB stands for the body-®xed reference frame, CoG denotes `Centre of Gravity', FV denotes vehicle-carried vertical frame, FM denotes the measurement reference frame and cÅ is the mean aerodynamic chord. See Refs. [7,8]) for more details. 4.2. A landing approach scenario In this section, some simulation results are presented to show how predictive system status information can be generated. In Ref. [8], a typical landing approach scenario is de®ned to evaluate the performance of different control laws (see Fig. 3). The considered mission consists of manoeuvres that can be evaluated by means of non-linear simulations. The mission starts at an altitude of 1000 m and with a track angle Table 2 Possible parameter choices in RCAM Parameter

Bounds

m: aircraft total mass Dx: x position of the CoG in FM Dy: y position of the CoG in FM Dz: z position of the CoG in FM

100 000 kg , m , 150 000 kg 0.15 cÅ , Dx , 0.31 cÅ 20.03 cÅ , Dy , 0.03 cÅ 0.0 cÅ , Dz , 0.21 cÅ

A. Zolghadri / Reliability Engineering and System Safety 76 (2002) 19±27

25

Fig. 3. The landing approach for RCAM.

of x ˆ 2908 (2708 west) (segment I, 0±1) followed by a commanded coordinated turn with a heading rate of cÇ ˆ 38/s (segment II, 1±2). For the descent phase a twosegment approach procedure is used with g ˆ 26 and 238, which has been proposed for reasons of environmental noise reduction (segment III, 2±3 and segment IV, 3±4). The desired airspeed is 70 m/s. See Ref. [8] and Table 1 for the de®nition of all variables. During the landing approach, a ¯ight parameter of paramount importance is the airspeed VA (output y(6), see Table 1). Airspeed is displayed by the EFIS and is a major safety criterion as it must always be larger than 1.05 £ Vstall, where Vstall denotes the speed below which the aircraft is unable to maintain ¯ight. For RCAM and with the nominal mass of the aircraft …m ˆ 120 000 kg† V stall ˆ 51:8 m=s: The nominal airspeed during the landing phase depends on the aircraft mass, it is taken as equal to 1.3 £ Vstall: with a nominal landing weight of 120 000 kg this results in VA < 70 m=s: The sampling period is Ts ˆ 50 ms and the simulation time is 470 s. Turbulence standard deviations are modi®ed from `moderate' conditions to harsher atmospheric conditions during the simulation. Output data generated by the controlled non-linear model of the aircraft is then processed for model estimation. Before applying the estimation/prediction algorithms, a decimation

process is used which ®lters the data with a low pass Chebyshev ®lter and then re-samples the resulting smoothed signal at a lower rate. The rate is chosen to be six, resulting in a new sampling period of 300 ms. The decimation process ®lters the data sequence in both the forward and reverse directions to remove all phase distortions. According to this landing approach trajectory, a bank of four state space models was constructed using the joint subspace/PEM identi®cation procedure described in Section 3. The order of all models is two. These models are estimated off-line. In a practical setting, design and estimation of models can be ®rst performed off-line, based on a given ¯ight trajectory and stored in non-volatile memory for initial retrieval during the mission. Airspeed predictive information, as well as corresponding con®dence levels, was then generated using the prediction algorithm (Section 3). A fault is introduced within the simulation environment. This fault corresponds to an abnormal drifting decrease of the airspeed from 70 to 62 m/s (Fig. 4). All ®gures are depicted for 15-step ahead prediction. This horizon gives quite reasonable con®dence boundaries, which corresponds to a high con®dence level (.95%). Actually, as can be seen from the ®gures, (Figs. 5±7) for a horizon of 15 samples, the predictions are quite reasonable in accuracy. In particular during the abnormal decrease of

Fig. 4. Airspeed (solid line) its prediction (dotted line), segment I.

Fig. 5. Airspeed (solid line) its prediction (dotted line), segment II.

26

A. Zolghadri / Reliability Engineering and System Safety 76 (2002) 19±27

Note again that the proposed system makes no automatic decision about the detected situation, its sole role is to aid the crew to get a deeper insight into the situation by examining the predictive information. So, the ®nal decision-making will be attributed wholly to the crew. 5. Concluding remarks

Fig. 6. Airspeed (solid line) its prediction (dotted line), segment III.

Fig. 7. Airspeed (solid line) its prediction (dotted line), segment IV.

the airspeed (see Fig. 4), the 15-step ahead predictor is able to track the fault and so to alert the crew in advance. As can be seen in Fig. 8, when the prediction horizon increases, the tracking ability of the predictor decreases, due to the propagation of the estimation error. This means that according to the actual model, one cannot make reliable longer predictions. The solution is to identify a more accurate model, according to the actual ¯ight conditions.

The goals investigated in the project are primarily of interest in the development of future civil aircraft. Most accident reports identify ¯ight crew errors as a major casual factor. Reliable predictive system status information may contribute signi®cantly to minimize the impact of crew error. Further investigations are necessary for elaborating an automatic model-updating unit, which is able to manage different ¯ight domains by switching from one model to another. In this context, a key question is `what is the optimal prediction horizon (how many steps ahead)?' Strictly speaking, a `general' solution can probably not be found, since each aircraft system and parameter will have to be studied with respect to its equipment ®t, its operational task and environment. Moreover, the prediction task is strongly dependant on the modeling system and the characteristics of the supervised ¯ight parameter. A topic of our current research is to ®nd a more systematic way for de®ning the best prediction horizon for a set of critical ¯ight parameters. Finally, research work must be developed to determine the most effective methods for hazard minimization and to increase the reliability of the warning system. The ®nal goal is to achieve the safe and cost-effective completion of the resulting software for implementation in on-board computers. Another important aspect to be considered is the problem of man±machine interface and human-centered design factors. References

Fig. 8. Airspeed predictions for different horizons.

[1] Astrom KJ, Wittenmark B, editors. Computer-controlled systems, theory and design. Englewood Cliffs, NJ: Prentice-Hall, 1990. [2] Basseville M, Abdelghani M, Benveniste A. Subspace-based fault detection algorithms for vibration monitoring. Automatica 1999;36:101±9. [3] Bauer D, Deistler M, Scherrer W. Consistency and asymptotic normality of some subspace algorithms for systems without observed inputs. Automatica 1999;35:1243±5. [4] Frank PM. Fault diagnosis in dynamic systems using analytical and knowledge-based redundancy: a survey and some new results. Automatica 1990;26:459±74. [5] Ljung L, editor. System identi®cation: theory for the user. Englewood Cliffs, NJ: Prentice-Hall, 1987. [6] Johnson DM. A review of fault management techniques used in safety-critical avionic systems. Prog Aerospace Sci 1996;332:415± 31. [7] Looye G, Bennani S. Description and analysis of the research civil aircraft model (RCAM). Technical publication TP-088-27, Group for Aeronautical Research and Technology in Europe (GARTEUR), 1997.

A. Zolghadri / Reliability Engineering and System Safety 76 (2002) 19±27 [8] Magni JF, Bennani S, Terlouw J, editors. Robust ¯ight control: a design challenge Lecture notes in control and information sciences 224. Berlin: Springer, 1997. [9] Palmer MT, Abbott KH. Effects of expected-value information and display format on recognition of aircraft subsystem abnormalities. NASA Technical Paper 3395. 1994. [10] Patton R. Fault-tolerant control: the 1997 situation. SAFEPROCESS'97, IFAC Symposium on Fault Detection, Supervision and Safety, Kingston Upon Hull, UK, 1997. [11] Regal DM, Rogers VH, Boucek GP. Situational awareness in the comercial ¯ight deckÐde®nition, measurement, and enhancement. Proceedings of the Seventh Aerospace Behavioral Technology Conference and Exposition, SAE, 1989. p. 65±9. [12] Trujillo AC. Pilot mental workload with predictive system status information. Fourth Annual Symposium on Human Interaction with Complex Systems. Fairborn, OH, USA, 1998. p. 73±80.

27

[13] Trujillo AC. Airline transport pilot preferences for predictive information. NASA Technical Memorandum 4702, Langley Research Center, Hampton, Virginia 1996. [14] Van Overschee P, De Moor B, editors. Subspace identi®cation for linear systems, theory implementation, applications. Dordrecht: Kluwer Academic Publishers, 1996. [15] Verhagen M. Identi®cation of the deterministic part of mimo state space models given in innovations form from input±output data. Automatica 1999;30(1):61±64. [16] Zolghadri A. An algorithm for real-time failure detection in Kalman ®lters. IEEE Trans Autom Contr 1996;41(10):1537±40. [17] Zolghadri A, Goetz C, Bergeon B, Denoize X. Integrity monitoring of ¯ight parameters using analytical redundancy. IEE International Conference on CONTROL'98, Swansea, UK, 1998.