Fault-Tolerant Data Processing in an Integrated Airborne Navigational Equipment


Copyright to IFAC Fault Detection, Supervision and Safety for Technical Processes, Kingston Upon Hull, UK., 1997

FAULT-TOLERANT DATA PROCESSING IN AN INTEGRATED AIRBORNE NAVIGATIONAL EQUIPMENT

Yu. P. Grishin, D. Janczak

Bialystok Technical University, Faculty of Electr. Eng., ul. Grunwaldzka 11/15, 15-893 Bialystok, Poland

Abstract: This paper presents the structure and algorithms of fault-tolerant data processing in integrated airborne navigational equipment. Failures and malfunctions of different sensors are described by additive Gauss-Markov models and by outliers with Markov chain properties. For such models, suboptimal integrated filtering algorithms have been developed using problem decomposition, the Gaussian approximation method and the generalized likelihood ratio (GLR) approach. It is shown that the system structure contains a GLR failure detector, a multichannel outlier screening procedure and a bias cancellation circuit. Copyright © 1998 IFAC

Keywords: failure detection, integrated signal processing, integrity of navigation systems, fault diagnosis.

1. INTRODUCTION

The main objective of the paper is to describe a structure and algorithms for multisensor airborne navigational equipment which, on the one hand, would be tolerant to possible failures of the information sources and, on the other hand, could enhance the integrity of the whole navigational system. Usually such equipment includes as sensors the Microwave Landing System (MLS), Distance Measurement Equipment (DME), Global Positioning System (GPS), Inertial Navigational System (INS) and System of Air Signals (SAS) (Fadden and Schwab, 1989). In this case fault-tolerant signal processing is based on information and hardware redundancy. For such a system one of the main characteristics is integrity (Everett, et al., 1989), which can be thought of as the ability of the system to detect a false function and to inform the user of the system about it. Higher reliability and integrity of airborne equipment may be achieved by detecting individual sensor failures and computing the state estimates from data that originate in the normally operating sensors.

First of all it is necessary to model the failures of individual systems. Possible failures and malfunctions have been modelled as: 1) abrupt constant biases in observations with unknown onset time and value (antenna beam distortion, time jumps in the GPS due to a gradual degradation of the satellite clock (Brown and Hwang, 1987), random bias in the INS due to drift of gyroscopes and so on); 2) random drifts which can be caused by multipath propagation effects in the MLS (Kelly, 1992), frequency shifts in the GPS, incipient failures in the INS and a number of other failures; 3) outliers in observations from different navigational sources. When not all sensors have failed, using the integrated filter estimates makes it possible to detect failures of the individual sensors and to inform the user about them.

So the main aim of the paper is the development of an integrated filter algorithm which is fault-tolerant in the presence of the failures and outliers mentioned above. This algorithm has been developed for the aircraft state vector which contained nine components: $x$, $y$, $z$ position, $\Delta V_x$, $\Delta V_y$, $\Delta V_z$ INS velocity errors, an altimeter bias and the GPS clock's shift and velocity. But these limitations are not fundamental and all the results can be applied to an arbitrary case.

It should be noted that a numerical evaluation of such important integrity parameters as detection and false alarm probabilities, time to alarm, the magnitude of an allowable failure without detection and the probability of missed detection is outside the theme of the paper.

2. THE SYSTEM AND FAILURES MODELS

The dynamics and the observations of the system can be written as:

$$x(k+1) = \Phi[x(k)] + U(k) + w(k) + v_c(k,t_i)\,1(k,t_i),$$

$$y(k) = h[x(k)] + b(k) + \gamma(k)\,u(k) + v_H(k,t_i)\,1(k,t_i), \qquad (1)$$

where $x(k)$ is the state vector, $U(k)$ is the input control signal vector, $v_c(k,t_i)$ is a bias of the state vector arising at a random time $t_i$, $1(k,t_i)$ is the unit step function, $w(k)$ is the system input noise vector, $y(k)$ is the measurement vector, $b(k)$ is the unknown constant bias vector, $v_H(k,t_i)$ is the Markov drift which models soft failures of such systems as INS, SAS and errors due to the influence of multipath effects in MLS, $u(k)$ is a zero mean observation noise with the covariance matrix $R(k)$, and $\gamma_j(k) = \{1, \sigma_j > 1\}$ is a multiplier which is due to the presence of outliers in the observation channel. The incipient model described by the Markov process can be presented as

$$v_j(k+1,t_i) = \varphi_j(k+1,k)\,v_j(k,t_i) + \xi_j(k), \quad j = 1,\dots,N, \qquad (2)$$

where $\varphi_j(k+1,k)$ is a transition matrix which belongs to a finite set of functions, $\xi_j(k)$ is a white Gaussian sequence with zero mean and covariances lkj (k), and $j$ is the number of a possible failure model, whose prior probabilities $P_j(t_i)$ can be given or not. The a priori distributions of the random value $t_i$ are assumed to be unknown. The outliers in the observation equations (1) are described by a random multiplier $\gamma(k)$, which can take on the value 1 when the outliers are absent and $\sigma_j \gg 1$ when they are present. The time dependence of the sequence $\gamma(k)$ can be described by a stationary Markov chain whose initial probability vector $p_\gamma(0)$ and transition matrix $P_\gamma$ can be known or not:

(3)

It is easy to show that equation (1) describes a broad variety of system failures and malfunctions which take place in different parts of the system (Grishin, 1994). They can be caused by changes of the transition and observation matrices as well as of the covariance matrices of the disturbance and observation noises.

Thus the system and failure model described by (1) differs from those proposed by Willsky (1986). Firstly, the failures here are treated as an additive Markov process in the dynamics or observation equations with an unknown onset time and, secondly, the outliers in the observation channels, which result in system malfunctions, act on the system input simultaneously with possible failures.

3. SYSTEM STRUCTURE AND ALGORITHMS OF FAULT-TOLERANT DATA PROCESSING

As follows from (1), the development of a reliable integrated filter can be carried out using nonlinear filtering theory (Sage and Melsa, 1972). However, direct application of this theory yields an algorithm too complicated to use in real-time systems. To overcome these difficulties it is necessary to decompose the algorithm and to introduce the fault detection procedure as its inherent part.

3.1. Algorithm decomposition

Before the algorithm synthesis it is worth considering the structure of a real airborne navigation aid, which is presented in Fig. 1. It consists of a number of radionavigation and self-contained sensors. Each sensor has independent diagnostic facilities which check the sensor's serviceability and control a state matrix circuit. The latter determines the availability of the sensor output data. When a sensor is out of order the integrated filter does not use that sensor's data and the plane state vector estimate is computed using the normally operating sensors only.

Fig. 1. The structure of the fault-tolerant airborne navigation equipment (DF - diagnostic facilities, SM - state matrix circuit, CR - coordinate recalculation, FDIA - fault detection-identification algorithm, GC - gate circuit, FAS - failure alarm signal, Tr - transmitter, IFA - integrated filtering algorithm)

It should be noted that the diagnostic facilities can detect only solid failures in the airborne equipment and cannot determine faults in the ground-based or space-based facilities.

Let us now discuss the possibility of optimal fault-tolerant filter synthesis. The system described by (1) is a random structure dynamical system. So an optimal estimation algorithm can be carried out only using an infinite amount of memory (Grishin and Kazarinov, 1985). Therefore it is necessary to simplify the problem. Such a simplification leads to a suboptimal algorithm which can be applied in a real-time system with limited memory requirements. The first step in this direction is to separate the failure detection-estimation problem into an independent task. Its solution can be found if one knows the sensor error statistical models and the integrated filter estimates. Using this information it is possible to estimate the failure onset time and the value of the vector $v_r(k,t_i)$, $(r = c, H)$. So in the observation equation (1) the vector $v_r(k,t_i)$, $(r = c, H)$ can then be considered as a known value. This problem will be discussed in detail below.

The second step of solving the problem is the synthesis of an integrated filtering algorithm robust to the presence of malfunctions (outliers) in the observation channels. As follows from (1), the outliers in the observation channels are described by a random variable $\gamma(k)$ which is assumed to be a Markov chain with two states: 1 and $\sigma > 1$. For such a model the optimal estimates of the state vector $x(k)$ can be obtained only using an infinite amount of memory, that is, it is necessary to calculate the estimates for all possible realisations of $\gamma(k)$ (Grishin and Kazarinov, 1985). So in practice it is necessary to find suboptimal estimation algorithms which can be implemented in real-time systems. One possible approach to this problem is the Gaussian approximation method.

3.2. Multichannel outliers screening

It can be shown that for a system which contains $N$ observation channels with outliers this method yields the following expression for the state vector estimate (Grishin and Kazarinov, 1985):

$$\hat{x}(k/k) = \sum_{i_1=1}^{\sigma_1}\sum_{i_2=1}^{\sigma_2}\cdots\sum_{i_N=1}^{\sigma_N} \hat{x}_{i_1,\dots,i_N}(k/k)\,p(i_1,\dots,i_N/k) =$$

$$= \Phi\,\hat{x}(k-1/k-1) + \sum_{j=1}^{N}\Big\{\sum_{i_1=1}^{\sigma_1}\sum_{i_2=1}^{\sigma_2}\cdots\sum_{i_N=1}^{\sigma_N} P_{i_1,\dots,i_N}(k/k)\,H_j^T(k)\,[i_j(k)R_j(k)]^{-1}\,p(i_1,i_2,\dots,i_N/k)\,[y_j(k) - H_j(k)\,\Phi\,\hat{x}(k-1/k-1)]\Big\}, \qquad (4)$$

$$i_j = 1, \sigma_j, \quad j = 1,\dots,N,$$

where $\hat{x}_{i_1,i_2,\dots,i_N}(k/k)$ is a partial estimate of the state vector for a certain realisation of failures in the observation channels (information sensors), $p(i_1,\dots,i_N/k) = p[\gamma_1 = i_1,\dots,\gamma_N = i_N / y(1),\dots,y(k)]$ is the a posteriori probability of this realisation, $P_{i_1,i_2,\dots,i_N}(k/k)$ is the updated covariance matrix of the partial estimate, $i_j = 1, \sigma_j$ are the values of the multiplier $\gamma(k)$ in the j-th channel for the normal and failure states of performance, and $y_j(k)$ are the measurements at the output of the j-th navigational information source.

Equation (4) describes a multichannel filter whose estimate is a weighted sum of partial Kalman filter estimates. Each of the partial Kalman filters is matched with the random value $\gamma(k)$.
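One step of the screening filter of (4)-(6) for a scalar state observed by N channels, as an added example that is not code from the paper. It assumes a random-walk state and that the outlier state multiplies the noise variance by σ²; the names `screening_step` and `demo`, the transition probabilities and the sensor readings are constructed for illustration.

```python
import itertools
import math

def screening_step(x, P, post, y, H, R, sigma, T, phi=1.0, Q=0.01):
    """One step of the screening filter (4)-(6) for a scalar state.
    post maps each combination (tuple of 0 = normal, 1 = outlier per channel)
    to its posterior probability at k-1; T[j] is channel j's 2x2 transition matrix."""
    n = len(y)
    combos = list(itertools.product((0, 1), repeat=n))
    xp, Pp = phi * x, phi * P * phi + Q        # prediction shared by all partial filters
    partial, weight = {}, {}
    for c in combos:
        # (6): prior of this combination from the previous posterior and the Markov chains
        prior = sum(post[d] * math.prod(T[j][d[j]][c[j]] for j in range(n)) for d in combos)
        xc, Pc, like = xp, Pp, 1.0
        for j in range(n):                      # partial Kalman filter matched to c
            # assumption: the outlier state scales the noise variance by sigma^2
            Rj = R[j] * (sigma[j] ** 2 if c[j] else 1.0)
            S = H[j] * Pc * H[j] + Rj
            r = y[j] - H[j] * xc
            like *= math.exp(-0.5 * r * r / S) / math.sqrt(2.0 * math.pi * S)
            K = Pc * H[j] / S
            xc, Pc = xc + K * r, (1.0 - K * H[j]) * Pc
        partial[c], weight[c] = (xc, Pc), like * prior
    total = sum(weight.values())
    post_new = {c: weight[c] / total for c in combos}             # (5)
    x_new = sum(post_new[c] * partial[c][0] for c in combos)      # (4)
    # Gaussian approximation: collapse the mixture to one mean and variance
    P_new = sum(post_new[c] * (partial[c][1] + (partial[c][0] - x_new) ** 2) for c in combos)
    return x_new, P_new, post_new

def demo():
    """Constructed case: two position sensors, the second one delivers an outlier."""
    T = [[[0.95, 0.05], [0.5, 0.5]]] * 2        # assumed chain: P(normal -> outlier) = 0.05
    post0 = {(0, 0): 1.0, (0, 1): 0.0, (1, 0): 0.0, (1, 1): 0.0}
    return screening_step(10.0, 1.0, post0, y=[10.1, 25.0], H=[1.0, 1.0],
                          R=[1.0, 1.0], sigma=[10.0, 10.0], T=T)
```

On the constructed pair of readings the posterior puts about 0.99 on "second channel outlier" and the estimate stays near 10.1, where a single Kalman filter that trusts both channels would be pulled to about 15.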

A posteriori probabilities of the particular combinations of $\gamma(k)$ act as the weight coefficients of the filter. The dependence of these weights on the observation vector $y(k)$ makes the filter described by (4) a nonlinear filter.

It has been shown that the a posteriori probabilities can be calculated in real time as follows:

$$p(i_1,i_2,\dots,i_N/k) = f[y(k)/\gamma^*_{i_1,i_2,\dots,i_N}(k), y_1^{k-1}]\; p[\gamma^*_{i_1,i_2,\dots,i_N}(k)/y_1^{k-1}] \times$$

$$\times \Big\{\sum_{i_1=1}^{\sigma_1}\sum_{i_2=1}^{\sigma_2}\cdots\sum_{i_N=1}^{\sigma_N} f[y(k)/\gamma^*_{i_1,\dots,i_N}(k), y_1^{k-1}]\; p[\gamma^*_{i_1,\dots,i_N}(k)/y_1^{k-1}]\Big\}^{-1}, \qquad (5)$$

where $f[y(k)/\gamma^*, y_1^{k-1}]$ is the value of the likelihood function at the point $y(k)$, and $p[\gamma^*_{i_1,i_2,\dots,i_N}(k)/y_1^{k-1}]$ is the a priori probability of a certain combination of observation channel serviceability, which can be calculated on the basis of the previous value $p(i_1,i_2,\dots,i_N/k-1)$ and the Markov chain characteristics:

$$p[\gamma^*_{i_1,\dots,i_N}(k)/y_1^{k-1}] = \prod_{j=1}^{N}\sum_{n=1}^{\sigma} p^{(j)}_{n i_j}\; p[i_1,\dots,i_N/k-1], \quad i_j = 1, \sigma, \qquad (6)$$

where $p^{(j)}_{n i_j}$ are the elements of the transition matrix of the Markov chain $\gamma^{(j)}(k)$ in the j-th observation channel. The algorithm described by (4)-(6) can be thought of as filtering with a soft multichannel outlier screening procedure which is correct for arbitrary values of $\sigma > 1$ (not necessarily large ones).

3.3. GLR failure detection for the additive Gauss-Markov models

Let us now consider the part of the system structure (Fig. 1) which is responsible for solving the failure detection-estimation problem in each information channel (sensor). Each of them contains a fault detection-identification algorithm (FDIA), which is used for estimating the failures and for generating the failure alarm signal (FAS) to inform the user. The failure detection-identification algorithm is designed on the basis of the generalized likelihood ratio (GLR) approach (Willsky, 1986; Patton, 1989) for the additive linearized Gauss-Markov model of the system failures (Grishin, 1994; Grishin and Janczak, 1995a). It has been constructed under the assumption that no a priori information about the failure onset time and the initial conditions of the vector $v(k,t_i)$ exists.

The formulated problem of detection and estimation of failures in the dynamic system (1) on the basis of the GLR method can be solved using the property of the Kalman filter residuals (Sage and Melsa, 1972). When changes in the system have occurred, the residuals are no longer zero mean and they carry information about the changes and about the vector $v(k,t_i)$.

Using a procedure similar to that presented in the paper of Willsky (1986), the following form of the Kalman filter residuals for $k > t_i$ can be obtained:

$$z(k/k-1) = T(k,t_i)\,\varepsilon(k,t_i) + z_1(k/k-1), \qquad (7)$$

where $z_1(k/k-1)$ are the Kalman filter residuals when the failures are absent and $T(k,t_i)\,\varepsilon(k,t_i)$ is a random signal with a random time of appearance which results from changes in the system. This signal has the form of a linear combination of Gauss-Markov noise sequences and can be calculated in a recursive form:

$$T(k,t_i) = [\Psi_0(k,t_i) \quad H(k)\Phi(k,k-1)], \qquad (8)$$

$$\varepsilon(k,t_i) = [v^T(k,t_i) \quad \varepsilon_1^T(k,t_i)]^T, \qquad (9)$$

$$\Psi_0(k,t_i) = H_0(k) - H(k)\Phi(k,k-1)\,F_0(k-1,t_i)\,\varphi^{-1}(k,k-1), \qquad (10)$$

$$F_0(k,t_i) = K(k)\Psi_0(k,t_i) + \Phi(k,k-1)\,F_0(k-1,t_i)\,\varphi^{-1}(k,k-1), \qquad (11)$$

$$\varepsilon_1(k+1,t_i) = C(k+1,k)\,\varepsilon_1(k,t_i) + D(k+1,t_i)\,\xi(k), \qquad (12)$$

$$D(k+1,t_i) = [K(k)H_0(k) - C(k+1,k)\,D(k,t_i)]\,\varphi^{-1}(k+1,k), \qquad (13)$$

$$C(k+1,k) = [I - K(k)H(k)]\,\Phi(k,k-1). \qquad (14)$$
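The GLR test of this section specialised to a constant sensor bias in a scalar system, as an added example that is not code from the paper: the signature recursion is the constant-bias case of (10)-(11) and the onset estimate is the argmax of (15) over a sliding window. The names `glr_bias_detector` and `constructed_track`, the threshold and the data are assumptions; the measurement noise is replaced by a small deterministic ripple so the run is reproducible.

```python
import math

def glr_bias_detector(y, phi=1.0, H=1.0, Q=0.01, R=1.0, window=30, threshold=15.0):
    """Scalar Kalman filter with a GLR test on its residuals for a constant
    sensor bias of unknown size and onset time.
    Returns (alarm_time, onset_estimate, bias_estimate), or None if no alarm."""
    x, P = y[0], R
    hyps = {}                                # onset -> [F, d, C]
    for k in range(1, len(y)):
        xp, Pp = phi * x, phi * P * phi + Q   # prediction
        S = H * Pp * H + R                    # residual variance
        K = Pp * H / S
        z = y[k] - H * xp                     # residual z(k/k-1)
        x, P = xp + K * z, (1.0 - K * H) * Pp
        hyps[k] = [0.0, 0.0, 0.0]             # hypothesis: the bias starts at k
        hyps.pop(k - window, None)            # keep a sliding window of onsets
        best = None
        for onset, h in hyps.items():
            G = 1.0 - H * phi * h[0]          # residual signature of a unit bias
            h[0] = K * G + phi * h[0]         # F: its effect on the state estimate
            h[1] += G * z / S                 # d: matched-filter output
            h[2] += G * G / S                 # C: information about the bias size
            lam = h[1] ** 2 / h[2]            # GLR statistic, maximised over bias size
            if best is None or lam > best[0]:
                best = (lam, onset, h[1] / h[2])
        if best[0] > threshold:               # onset estimate = argmax over hypotheses
            return k, best[1], best[2]
    return None

def constructed_track(n=100, onset=None, bias=5.0):
    """Constructed data: constant true position 100 plus a small deterministic
    ripple standing in for noise, and an optional step bias from `onset`."""
    return [100.0 + 0.3 * math.sin(1.7 * k)
            + (bias if onset is not None and k >= onset else 0.0)
            for k in range(n)]
```

The returned bias estimate is the quantity a cancellation circuit such as the one in Fig. 2 would subtract from the sensor output; raising the threshold lowers the false alarm probability at the cost of a longer time to alarm.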

Fig. 2. The fault bias cancellation method

Then the problem of failure detection can be solved using the generalized likelihood ratio (GLR) approach. The onset time can be found from

$$\hat{t}_i = \arg\max_{t_i} \lambda(k, t_i, \hat{\varepsilon}(k,t_i)), \qquad (15)$$

where $\lambda(\cdot)$ is the logarithm of the likelihood ratio and $\hat{\varepsilon}(k,t_i)$ is the maximum likelihood estimate of $\varepsilon(k,t_i)$ for given $t_i$. It should be noted that an expression for calculating $\lambda(\cdot)$ can be written in a recursive form. The required false alarm probability can be obtained by a proper choice of the threshold level.

Since the failure vector $v(k,t_i)$ is part of $\varepsilon(k,t_i)$, its estimate is also known. This estimate can be used to cancel the input data biases. The block diagram of such a cancellation is presented in Fig. 2. After detecting abrupt changes in the sensor output it is necessary to check for the presence of biases in the output estimates of the IFA in order to distinguish sensor failures from aircraft manoeuvres. It should be noted that the proposed structure also makes it possible to isolate failures, that is, to determine whether failures occur in the airborne navigation equipment or in the ground-based facilities. This can be carried out by comparing the data of the FDIA and the words of the state matrix circuits.

4. CONCLUSION

The proposed algorithms of fault-tolerant signal processing have been developed for enhancing the system integrity and reliability. These algorithms have been derived on the basis of additive Gauss-Markov models of failures in the presence of outliers in the observations. Such an approach has made it possible to obtain the algorithms in a rather simple form which can be realized in on-line systems with a relatively limited computational burden.

REFERENCES

Brown G. and P.Y.C. Hwang (1987). GPS failure detection by autonomous means within cockpit. Navigation, v. 33, No. 4, pp. 335-353.

Everett S., K. Markin and P. Wroblewski (1989). Design consideration for achieving MLS category III requirements. Proc. IEEE, v. 77, No. 11, pp. 1752-1761.

Fadden D.M. and R.W. Schwab (1989). Aircraft interface with future ATC system. Proc. IEEE, v. 77, No. 11, pp. 1745-1751.

Grishin Yu.P. and Yu.M. Kazarinov (1985). Fault tolerant dynamic system, Radio i Svyaz, Moscow (in Russian).

Grishin Yu.P. (1994). An application of the additive Gauss-Markov models of discrete-time dynamic systems to the problem of abrupt changes detection. In: Proceedings of Int. AMSE Conf. SYSTEMS: Analysis, Control & Design, Lyon (France), v. 1, pp. 211-220.

Grishin Yu.P. and D. Janczak (1995). Modelling and simulation of discrete-time dynamic systems with unknown parameters or structure jumps. In: Proc. 8th Int. Symp. System Modelling - Control, Zakopane (Poland), v. 1, pp. 298-303.

Grishin Yu.P. and D. Janczak (1995a). Simulation of the GLR failure detection algorithm for one class of dynamic systems with outliers in observations. In: Proc. 2nd Int. Symp. Methods and Models in Automation and Robotics, Miedzyzdroje (Poland), v. 1, pp. 355-359.

Kelly R.J. (1992). MLS system error model identification and synthesis. IEEE Trans. on Aerospace and Electronic Systems, v. 28, No. 1, pp. 164-173.

Patton R.J. (1989). Fault diagnosis in dynamic systems. Theory and application, Prentice-Hall, London.

Sage A.P. and J.L. Melsa (1986). Estimation theory with applications to communication and control, McGraw-Hill, N.Y.

Willsky A.S. (1986). Abrupt changes detection in dynamic systems. In: Detection of abrupt changes in signals and dynamical systems (Basseville M. and Benveniste A. (Eds.)), pp. 28-43, Springer-Verlag, Berlin.