|
This article is cited in 1 scientific paper (total in 1 paper)
Computing methodologies and applications
Safety analysis of longitudinal motion controllers during climb flight
T. Baar, H. Schulte Hochschule für Technik und Wirtschaft (HTW) Berlin, Germany,
Campus Wilhelminenhof, Wilhelminenhofstraße 75A, 12459 Berlin
Abstract:
During the climb flight of big passenger airplanes, the airplane's
vertical movement, i.e. its pitch angle, results from the elevator deflection
angle chosen by the pilot. If the pitch angle becomes too large, the airplane is
in danger of an airflow disruption at the wings, which can cause the airplane to
crash. In some airplanes, the pilot is assisted by a software whose task is to
prevent airflow disruptions. When the pitch angle becomes greater than a certain
threshold, the software overrides the pilot's decisions with respect to the
elevator deflection angle and enforces presumably safe values.
While the assistance software can help to prevent human failures, the software
itself is also prone to errors and is – generally – a risk to be assessed
carefully.
For example, if software designers have forgotten that sensors might yield wrong
data, the software might cause the pitch angle to become negative. Consequently,
the airplane loses height and can – eventually – crash.
In this paper, we provide an executable model written in Matlab/Simulink$^{\mathrm{\circledR}}$ for the
control system of a passenger airplane. Our model takes also into account the
software assisting the pilot to prevent airflow disruptions. When simulating the
climb flight using our model, it is easy to see that the airplane might lose
height in case the data provided by the pitch angle sensor are wrong. For the
opposite case of correct sensor data, the simulation suggests that the control
system works correctly and is able to prevent airflow disruptions effectively.
The simulation,
however, is not a guarantee for the control system to be safe. For this reason,
we translate the Matlab/Simulink$^{\mathrm{\circledR}}$-model into a hybrid program (HP), i.e. into the input
syntax of the theorem prover KeYmaera.
This paves the way to formally verify safety properties of control systems
modelled in Matlab/Simulink$^{\mathrm{\circledR}}$.
As an additional contribution of this paper, we discuss the current limitations
of our transformation. For example, it turns out that simple proportional (P)
controllers can be easily represented by HP programs, but more advanced PD
(proportional-derivative) or PID (proportional-integral-derivative) controllers
can be represented as HP programs only in exceptional cases.
Keywords:
cyber-physical system (CPS), formal safety analysis, hybrid automaton.
Received: 30.09.2019 Revised: 19.11.2019 Accepted: 27.11.2019
Citation:
T. Baar, H. Schulte, “Safety analysis of longitudinal motion controllers during climb flight”, Model. Anal. Inform. Sist., 26:4 (2019), 488–501
Linking options:
https://www.mathnet.ru/eng/mais693 https://www.mathnet.ru/eng/mais/v26/i4/p488
|
|