Design for Isolation and Recovery in a Chart
Mode Logic for the Elevator Actuators
This example shows how the model sf_aircraft uses the chart
Mode Logic to detect system faults and recover from failure
modes for an aircraft elevator control system. For more information on this model,
see Detect Faults in Aircraft Elevator Control System.
To open the model, enter:
openExample("stateflow/FaultDetectionControlLogicInAnAircraftControlSystemExample")There are two elevators in the system, each with an outer and inner actuator. The
Actuators state has a corresponding substate for each of the
four actuators. An actuator has five modes: Passive,
Active, Standby, Off,
and Isolated. By default, the outer actuators are on, and the
inner actuators are on standby. If a fault is detected in the outer actuators, the
system responds to maintain stability by turning the outer actuators off and
activating the inner actuators.
States for Failure and Isolation
Each actuator contains an Off state and an
Isolated state. When the fault detection logic in one of the
truth tables detects a failure, it broadcasts the event go_off or
go_isolated to the failing actuator.
The go_off event instructs the failing actuator to transition
to the Off state until the condition is resolved. The event
go_isolated causes the failing actuator to transition to
Isolated. Transitions to the Isolated
state are from the superstate L1, which contains all the other
operating modes. This state has no outgoing transitions, so that once an actuator
has entered Isolated it remains there. Intermittent failures that
cause an actuator to fail 5 or more times, also cause a transition to
Isolated. The variable fails logs the
number of failures for an actuator by incrementing each time a transition occurs out
of Off.
Transitions for Recovery
Transitions in the substates for each actuator account for recovery requirements of the elevator system. These requirements derive from rules for symmetry and safety of the elevators such as:
Only one actuator for an elevator must be active at one time.
Outer actuators have priority over the inner actuators.
Actuator activity should be symmetric if possible.
Switching between actuators must be kept to a minimum.
For example, one requirement of the system is if one outer actuator fails, then
the other outer actuator must move to standby and the inner actuators take over.
Consequently, there is a transition from each Active state to
Standby, and vice versa.
For the inner left actuator (LI ), the transition to
Active inside the L1 superstate is
conditionally based on [!LO_act()|RI_act()]. This causes the left
inner actuator to turn on if the outer actuator (LO) has failed,
or the right inner actuator (RI) has turned on.
Another consequence if LO fails and moves out of
Active is a transition that occurs in the right outer
actuator (RO). The RO state transitions inside
the L1 superstate from Active to
Standby. This satisfies the requirement of the outer
actuators and inner actuators to work in symmetry.
You can also select a web site from the following list:
Americas
- América Latina (Español)
- Canada (English)
- United States (English)
Europe
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)