Detect Faults in Aircraft Elevator Control System

This example uses:

开放型号

This example shows how to design a fault detection, isolation, and recovery (FDIR) application for a pair of aircraft elevators controlled by redundant actuators. This model uses the same fault detection control logic as the Avionics subsystem of the Aerospace Blockset™ exampleHL-20 Project with Optional FlightGear Interface（航空空间）。

Elevator Control System

A typical aircraft has two elevators, one on each side of the fuselage, attached on the horizontal tails. To enhance the safety of the aircraft, the elevator control system contains these redundant parts:

四个独立的液压致动器（每台电梯两个执行器）。
三个驱动执行器的液压电路。每个外部执行器都有一个专用的液压回路。内部执行器共享液压电路。
Two primary flight control units (PFCU).
Two control modules per actuator: full range control law and limited/reduced range control law.

如果飞机飞行完美，则执行器位置应保持恒定值。故障检测系统会在执行器中注册故障：

The position of the actuator increases or decreases by 10 cm from this zero point.
The actuator changes position rapidly (for instance, if the position changes at least 20 cm in 0.01 seconds).

The fault detection system also registers a fault in one of the hydraulic circuits if the pressure is out of bounds or if the pressure changes rapidly. In this example, the fault detection system checks that:

The pressure in the hydraulic circuit is between 500 kPa and 2 MPa.
压力在0.01秒内变化不超过100 kPa。

Fault Detection Control Logic

The Stateflow® chart Mode Logic defines the fault detection logic for the elevator control system. The chart contains a parallel substate for each actuator in the system. Each actuator can be in one of five modes:Passive,Standby,积极的,离开，和Isolated。These operating modes are represented as substates of the parallel states.

By default, the outer actuators start in积极的mode and the inner actuators start inStandby模式。如果在外部执行器或连接到它们的液压电路中检测到故障，则断层检测系统通过禁用外部执行器并激活内部执行器来做出响应。

Inject Failures Into Fault Detection System

为了尝试模型，在模拟过程中，您可以通过故障注入UI将液压电路和执行器位置故障引入故障检测系统。

For example, to inject a failure in Hydraulic Circuit 1, select theH1check box and click更新。UI运行此MATLAB®代码以与Simulink®模型通信：金宝app

功能Inject_failure_Callback(hObject,eventdata,handles)

mname = gcs;

。。。

blockname = mname +。。。"/Signal conditioning and failures /Hydraulic Pressures/Measured "+。。。newline+"Hydraulic system 1 pressures/Hydraulic pressure/H1_fail";val = get（handles.h1，“价值”);

ifval set_param（blockName，value = =“ 1”);elseset_param(blockname,value=“ 0”);end

。。。

end

该代码打开信号条件子系统中的开关，该开关导致故障检测系统在液压电路中注册故障。

图表模式逻辑通过使用真实表功能和事件广播来响应液压电路和执行器中的故障。例如，如果故障检测系统在液压电路1中注册了孤立的故障，则：

The truth table functionl_switchbroadcasts the eventgo_off取代LO。
The substateLOenters the离开mode and sends the eventE取代李。
因为取代LOis no longer in the积极的mode,李enters the积极的模式。
因为取代李现在处于活动模式，RIenters the积极的模式并发送第二个事件E取代RO。
The substateROenters theStandby模式。

After the fault detection systems registers a failure in Hydraulic Circuit 1, the left outer actuator is turned off, the right outer actuator is placed on standby, and the inner actuators are activated.

从液压失败中恢复

故障检测控制逻辑使系统能够从液压电路故障中恢复。例如，要将液压电路1带回到网上，在失败注入UI中，请清除H1check box and click更新。In the chart, the condition!u.low_press[0]becomes true, so the substateLO从离开mode to theStandby模式。结果，如果故障检测系统在模拟后面的另一个故障注册，则可以激活左外执行器。

Isolate Actuators After Failures

When the fault detection system registers a failure in one of the actuators, that actuator can no longer be activated. In the chart Mode Logic, the failure of an actuator is represented by the substateIsolated。该替代没有传出的过渡，因此一旦执行器进入Isolated状态，其余模拟仍处于该状态。

参考

Pieter J. Mosterman和Jason Ghidella，“航空航天中故障场景训练的模型重复使用”，Proceedings of the AIAA® Modeling and Simulation Technologies Conference，CD-ROM，Paper 2004-4931，8月16日至19日，2004年，罗德岛会议中心，普罗维登斯，RI。

Jason R. Ghidella and Pieter J. Mosterman, "Applying Model-Based Design to a Fault Detection, Isolation, and Recovery System," inMilitary Embedded Systems, Summer, 2006.