Main Content

Verify Fault Detection Logic in Aircraft Elevator Control System

This example shows how to use Simulink® Fault Analyzer™ to verify that the fault detection logic deploys on an aircraft elevator control system. The aircraft elevator has two elevators, one for each wing. Each elevator has two actuators and an independent hydraulic circuit. Both elevators also share an additional hydraulic circuit. Each of these circuits has an associated fault that the model logic detects when injected.

The model includes conditionals that monitor the signals from the detection monitor, which allows you to optionally log and evaluate signal values and verify if the fault detection logic executes. In this example, you simulate faults, associate the fault detection monitor outputs with conditionals, and verify the desired outputs in a Failure Mode and Effects Analysis (FMEA).

Open the Model and Inspect Faults

Open the aircraftElevatorFaultAnalyzer model.

mdlName = "aircraftElevatorFaultAnalyzer";

This model replaces the faults in the model in the Detect Faults in Aircraft Elevator Control System (Stateflow) example with Simulink Fault Analyzer faults. The model contains seven faults. Three of the faults affect the controls for the hydraulic actuators, and four affect the actuator controls.

A view of the modified model. The model contains a Stateflow chart that controls the mode logic. The mode logic sends signals to a controller subsystem and a plant. The plant has an airplane image on it. The plant sends signals to sensors, which are conditioned, and then send signals back to the mode logic.

Open the Fault Table pane to view and select the faults. In the Apps tab, click Fault Analyzer. In the Fault Analyzer tab, in the View section, click Fault Table.

The Fault Table pane for the model. The model has seven faults, each are on a different model element. Two of the faults have timed triggers, and the others are always on.

The model has faults located at different levels of the model hierarchy. To view the location of a fault, right-click the fault and select Show faulted model element in canvas. The Simulink Editor opens and highlights the location of the fault.

The location of the hydraulic_system_1_fault fault. The fault is on the output port of the block labeled Pump Pressure. The affected signal is highlighted. The image indicates the fault is in the subsystem, Measured Hydraulic system 1 pressure, which is three levels below the top level.

The faults replicate the behaviors modeled in the Detect Faults in Aircraft Elevator Control System (Stateflow) example. When injected, the fault on each hydraulic system drops the hydraulic pressure to 100, and the fault on each actuator holds the position at 15. To view the behaviors, in the Fault Table pane, right-click the fault and select Open fault behavior.

View the Conditionals

This example monitors and verifies the fault detection logic by using conditionals. You can also use conditionals to trigger fault injection. Each conditional corresponds to an output signal of the fault monitoring system. If the monitor outputs a failure signal, the conditional is true. To view the conditionals, in the Fault Table pane, open the Conditionals tab.

The Fault Table pane for the model, showing the Conditional tab. The model has seven conditionals. The conditionals are true when the signals they are assigned to are true.

As you develop your conditionals, you may find that you need to update expressions to represent more complicated fault injection conditions. You can adjust the condition expression to do this. For more information, see Create and Manage Conditionals.

Simulate the Model

You can select one or more faults to simulate at a time. For example, activate the hydraulic_system_1 and hydraulic_system_2 faults. Enable the model elements that contain these faults, and disable the other faulted model elements.

The Fault Table pane, showing the two activated faults, hydraulic_system_1_fault and hydraulic_system_2_fault, and their enabled model elements.

Because each model element only has one fault, when you enable the model element, you activate the added fault. See Define and Model Faults.

In the Fault Analyzer tab, in the Status section, ensure that the Fault Simulation button is enabled. Simulate the model. You can view the results of the simulation in the Simulation Data Inspector. In the Fault Analyzer tab, in the Review Results section, click Data Inspector. This image shows the injection status of the activated faults and the conditionals that measure if the associated monitor signals detect a fault.

The simulation results shown in the Simulation Data Inspector. The plot shows the status of the faults and the associated conditionals.

The model uses mitigation logic that relies on the output of the fault detection logic. To view the fault mitigation logic outputs, select the LO_mode, RO_mode, LI_mode, and RI_mode signals.

If you want to run more than one simulation, you can configure a design study in the Multiple Simulations panel. For more information, see Configure and Run Simulations with Multiple Simulations Panel and Simulate Models with Faults by Using the Multiple Simulations Panel.

Create an FMEA and Link to Faults and Conditionals

After you configure the faults that you want to inject and the conditionals that you want to use, you can link the faults and conditionals to elements in safety analysis spreadsheets that you create in the Safety Analysis Manager. In this example, the faults are linked to cell entries in an FMEA spreadsheet. An FMEA is a common safety analysis that analyzes unintended system or component behaviors, known as failure modes, with respect to their potential effects on the system. This analysis often includes how effective fault detection logic is at detecting abnormal behavior.

Open the FMEA spreadsheet, RobotFMEA.mldatx, in the Safety Analysis Manager.

aircraftFMEADoc = ...

The FMEA links one or more faults to a failure mode in the Failure Mode column and the associated conditional that tracks that value of the monitor system. Point to the link icon icon_link.png to view the links. You can also view the links by selecting the cell. In the Properties pane, expand the Links section.

The FMEA spreadsheet. The spreadsheet has seven rows. Links are in the cells in the Failure Mode and Detection Method columns. The cell in the first row and Failure Mode column is selected. The properties pane shows the link information.

Run Callbacks to Simulate and Evaluate FMEA

To execute code from the spreadsheet, you create and execute a callback. See Write Callbacks to Analyze Safety Analysis Manager Documents. In this example, the spreadsheet executes a callback when you click Analyze Spreadsheet. The callback runs the code in the MATLAB® script validateAircraftElevatorFMEAUsingSimulation. In this example, the script checks if the aircraft has a fault, as described in the Failure Mode column. When the fault is injected, the script checks if the monitor recognizes the fault by measuring the output of the linked conditional in the Detection Method column. If the linked conditional output is true, it verifies that the fault detection logic activates during simulation and the script adds a check flag to the Detection Method cell. Otherwise it adds an error flag. Because the third and sixth rows have two failure modes, the Detection Method column cells verify if more than one conditional is true. The other rows check one conditional. To view the callback code, open validateAircraftElevatorFMEAUsingSimulation.

Click Analyze Spreadsheet. The callback verifies that the linked conditionals are true when the faults in the same row are injected.

The FMEA spreadsheet after analysis. Each cell in the Detection Method column has a green check flag in it.

Add different failure modes to test to the spreadsheet by adding a row and linking to different combinations of faults and conditionals, and rerun the callback script to see if the faults generate the response measured by the conditionals.

Related Topics