Abstract image of a woman sitting on books and studying on a laptop

Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery (FDIR) System

IOSR Journals, profile picture
IOSR Journals

The document describes a model-based testing approach for a fault detection, isolation, and recovery (FDIR) system for an aircraft elevator redundancy control system. It discusses applying model-based design to develop an executable specification of the system to facilitate early verification and validation. The system contains four hydraulic actuators that can each be in one of five modes (active, standby, off, passive, isolated). Requirements for the system are presented and translated into more detailed specifications. A Simulink model is created to embody the desired behavior based on the requirements. The model includes fault detection subsystems to monitor actuator positions and hydraulic pressures and isolate faults. The approach aims to test the model against the requirements to verify compliance and catch

TechnologyBusiness
1 of 6
Download to read offline
1
2
3
4
5
6
IOSR Journal of Computer Engineering (IOSRJCE) ISSN: 2278-0661, ISBN: 2278-8727 Volume 5, Issue 6 (Sep-Oct. 2012), PP 15-20 www.iosrjournals.org www.iosrjournals.org 15 | Page Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery (FDIR) System Venkatesh Kumar. N1 , Amritha Mulay. V2 , Mujeeb Ulla Jeelani 3 1 Asst. Professor, SET, JAIN University, Bangalore, Freelance consultant and Trainer. 2 Software Engineer, Allied Tools and Electronics, Bangalore. 3 Software Engineer, 7Star Technologies, Bangalore. Abstract: Model-Based Design allows the process of verification and validation of an executable system specification, which prevents errors from persisting into later stages of the design process where they are more costly and time consuming to fix. Studying a Fault Detection, Isolation, and Recovery (FDIR) system of a controller design, in this case an aircraft elevator redundancy control system is considered, which demonstrates how to trace requirements to a design, use the test cases based on those requirements, and perform the coverage analysis, which in turn reveals untested, missing, and ambiguous requirements in the specification. Key words: Model Based Design, Graphical Model, Actuator, hydraulics. I. Introduction With Model-Based Design, a graphical model, often a block diagram is used to capture the system requirements. This model produces an executable specification that describes the system behavior and can be gradually extended into an increasingly detailed design [1] [2]. Verification and validation can occur earlier in the system design process, which reduces costly iterations across many design steps. The creation of consistent, reusable, and well-documented models becomes the important stage in the development of embedded systems. Hence, the concept of model-based development (MBD) emerges. Due to the increasing complexity of the developed systems it is necessary to model correctly and to implement the chosen design in a correct manner. In general, the requirements for engineered systems are ambiguous, not rigorous, and even inconsistent. It is desirable to detect such problems as early as possible in the system design process. Model-Based approach can be used to achieve this goal by facilitating executable specifications that allow testing to start at the model level instead of after system realization. II. Description of an Elevator Control System A typical aircraft has two elevators attached on the horizontal tails (one on each side of the fuselage). There are a number of redundant parts in the system to ensure safety [2]. For example, as shown in Figure 1, there are:  Two independent hydraulic actuators per elevator (four in total).  Three separate hydraulic circuits to drive the actuators.  Two primary flight control units (PFCU).  Two control modules per actuator: Full range control law and limited / reduced range control law. In this system we limit each PFCU to have only one control law, and to control only one set of actuators to reduce the complexity of the system. A PFCU having a sophisticated Input-Output (I/O) control law, controls the left (LIO) and right (RIO) outer actuator. In case of a failure, a Direct-Link (DL) control law with reduced functionality handles the left (LDL) and right (RDL) inner actuators. Each outer actuator has a dedicated hydraulic circuit, whereas the inner actuators share one hydraulic circuit. By default, the outer actuators are on, and the inner actuators are on standby. If a fault is detected in the outer actuators or in the hydraulic circuits that are connected to them, we want the system to respond accordingly to maintain stability by turning the outer actuators off and activating the inner actuators [2]. The mode logic block operates the redundancy to assure continual operation of the system. This paper focuses on the fault detection, isolation, and recovery logic that causes the actuators to switch from one mode to another. Here simple yet representative models of the hydraulic actuators and elevators, as well as the feedback control laws are presented, to illustrate the behavior of this logic.
Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery www.iosrjournals.org 16 | Page Figure 1 Components of the elevator redundancy system III. System requirements As mentioned, there are four actuators in total, two on each elevator. Each actuator has five modes:  Isolated mode. The actuator is turned off indefinitely. An actuator must be able to be isolated from any mode.  Off mode. The actuator is turned off temporarily because of a failure and will come back online only if all failures for that actuator are fixed.  Passive mode. The actuator is waiting and does not generate actuator control signals. An actuator in passive mode can take control of the elevator control system.  Standby mode. The actuator's control law is active, but no force is applied to the actuator. It is ready to take control of the system and will introduce minimal transients when it does.  Active mode. The actuator is active and controls the elevator. IV. Control logic system structure We know that the system contains four actuators, as shown in Figure 2, each of which can be in one of five modes: active, standby, off, passive, or isolated. To implement the mode logic in Stateflow, we create four parallel superstates that represent the actuators, and within each superstate are five exclusive states that represent the five modes given above. The actuator superstates are parallel because the actuators run concurrently in the system [4]. On the other hand, the five mode states are exclusive because an actuator is in one and only one mode at any given time. The operator would not want this actuator to be active right away because; 1) To run the risk of using two actuators simultaneously to control one elevator, 2) The operator is trying to minimize mode switching, and 3) The operator would like the elevators to be symmetric if possible (i.e., either both inner actuators are active or both outer actuators are active). So if the inner actuators are active, they should remain active even if one of the outer actuators has come back online. A better alternative is to set the actuator to the passive mode by default. Figure 2 Complete actuator control logic system without FDIR capability.
Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery www.iosrjournals.org 17 | Page V. Fault detection and isolation Table 1 shows a small set of high-level requirements used to guide the design of the mode-logic component. Such high-level requirements can be incomplete, inconsistent, and difficult to interpret. Design errors can be introduced simply by misinterpreting the high-level requirements into more detailed requirements [6]. For example, the combination of requirements 2 and 3 from Table 1 creates an ambiguity, i.e., If one actuator can be operated only in inner loop, should the other still be operated in outer loop. Therefore, it is necessary to test the detailed requirements early in the development process to ensure their accuracy. Hence to design an implementation, the high level system requirements needs to be first translated into more detailed, subsystem level, requirements. Part of the detailed requirements that can then be translated into (formal) specifications is shown in Table 2. Based on these specifications, a controller model is designed that embodies the desired behavior. The design then needs to be tested against those requirements to verify and validate its compliance [6]. The approach demonstrated revolves around being able to independently establish test cases that are derived from the high and low-level requirements that can be executed on the design model, that has been created based on the same requirements, to verify that the requirements have been met. The ability to have full traceability of the high and low-level requirements to the design model through software implementation is achieved. Establishing such a formalized approach to testing the design is important to demonstrate that it meets the written requirements. Table 1 Small set of high-level requirements VI. Fault definition We have listed the requirements that this system must fulfil with respect to fault detection. If the aircraft is flying perfectly level, then the actuator position should maintain a constant value. If the position of an actuator increases or decreases by 10 cm from zero point, then a failure has occurred in that actuator. A failure also occurs if the change in position is very rapid. Similarly, a fault occurs in one of the hydraulic circuits if the pressure is out-of-bounds or if the pressure changes very rapidly. The fault detection subsystem that is implemented in Simulink is as shown in Figure 3. The actuator position and hydraulic pressure values are input into both the Rate of Change Threshold and Range Threshold blocks, which then determine whether or not these values are valid [6]. This information then gets sent to the actuator mode logic system. If a failure has been detected, then the mode logic system will react accordingly (e.g., an actuator can be switched off). Figure 3 Fault detection system ID Description 1 Each actuator will have five modes: Isolated, Off, Passive, Standby, and Active. 2 If possible, the same control law should be active for both the left and right elevators. 3 If available, the I/O control law should be active instead of the DL control law. 4 The actuator that is not active should be in standby. 5 If the pressure of the hydraulic circuit is low and the position measurement fails, the corresponding actuator should be switched to Off. 6 If the pressure of the hydraulic circuit is nominal and the position measurement fails, the corresponding actuator should be switched to Isolated. 7 Controller state changes should be made only in response to failure events.
Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery www.iosrjournals.org 18 | Page VII. Using Truth Tables for fault detection As we can see above, the logic system needs to fulfil a significant number of requirements. One way to incorporate each of these requirements into Stateflow is to use truth tables. Truth tables are used to realize logical decision-making behaviour. Stateflow truth tables contain conditions, decisions, and actions, as shown in Table 3. Let's look at the first requirement we listed in this part to see how it fits into the truth table. To repeat, the first requirement is that if a failure is detected in the hydraulic pressure 1 system, while there are no other failures, we turn off the left outer actuator. This requirement is met through Decision 1 of the condition table. Note that in Decision 1, the second condition (left outer actuator failed) is blank, meaning that the condition can be either true or false. Table 3 Truth table for left elevator ID CONDITION DESCRIPTION 1 Hydraulic pressure 1 failure If a failure is detected in the hydraulic pressure 1 system, while there are no other failures, isolate the fault by switching the Left Outer actuator to the off mode. 2 Hydraulic pressure 1 fails and then recovers If a failure is detected in the hydraulic pressure 1 system and the system then recovers, switch the Left Outer actuator to the standby mode. 3 Hydraulic pressure 2 failure If a failure is detected in the hydraulic pressure 2 system, while there are no other failures, isolate the fault by switching the Left Inner actuator and the Right Inner actuator to the off mode. 4 Hydraulic pressure 2 fails and then recovers If a failure is detected in the hydraulic pressure 2 system and the system then recovers, switch the Left Inner actuator and the Right Inner actuator to the standby mode. 5 Hydraulic pressure 3 failure If a failure is detected in the hydraulic pressure 3 system, while there are no other failures, isolate the fault by switching the Right Outer actuator to the off mode. 6 Hydraulic pressure 3 fails and then recovers If a failure is detected in the hydraulic pressure 3 system and the system then recovers, switch the Right Outer actuator to the standby mode. 7 Default start-up condition If there have been no failures detected, the Outer actuators have priority over the Inner actuators. Therefore the elevator actuators should default to the following modes. The Left Outer and Right Outer actuators should transition from the Passive mode to the active mode. The Left Inner and Right Inner actuators should transition from the Passive mode to the Standby mode. Table 2 List of the detailed requirements for the mode logic design
Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery www.iosrjournals.org 19 | Page VIII. Recovery This part of models in an aircraft elevator control system using Model-Based Design with Simulink Stateflow and Simulink Verification and Validation is accomplished. We design an actuator controller from a set of requirements and then verify that the controller meets these requirements through appropriate test cases. We can apply the design approach discussed in this case study to other event-based logic systems. We designed the overall structure of the elevator control system. In Previous section, we modified the control system to allow for the detection of faults in the actuators or hydraulic circuits and the isolation of specific actuators based on these faults. In this section, we modify the logic system once again so that actuator subsystems can be recovered once specific faults are no longer detected. Figure 4 Complete FDIR actuator logic system Now that we have the recovery requirements for the actuator control system, we can modify the Stateflow chart accordingly. The first step is to add transitions to the chart that are necessary for recovery purposes. We will add transitions to satisfy each recovery requirement by adding a transition label appropriate for each requirement. It will be necessary to transition from Active to Standby mode and vice versa. For example, look at what happens when the left outer actuator is switched off due to a failure. In this case, the right outer actuator is switched from Active to Standby mode, and the inner actuators are switched from Standby to Active mode. Tests designed for all requirements can be combined into a test harness and applied to the design model for requirements-based testing. Tests can be executed individually or in batch mode. If a test runs without any verification blocks asserting, then the design passes the test. If an assertion is detected, the simulation stops and the verification block issuing the assertion is highlighted, which helps diagnose why the test failed. IX. Coverage Analysis Creating and executing requirements-based tests to ensure that the design behaves as expected is not the same as fully testing the design. Some requirements may lack tests, the requirements themselves may be ambiguous or incomplete, and the design may contain superfluous elements. By using Simulink Verification and Validation, coverage metrics can be collected during simulation to indicate untested design elements. The coverage metrics are displayed directly in the model using coloured highlights and in a dialog box with summary information. Additionally, a detailed report of the coverage analysis is created. The coverage metrics collected include cyclomatic complexity, decision coverage, condition coverage, MC/DC, lookup table coverage, and signal range coverage. X. Requirement based Testing Let's look at the following specific requirement in order to understand how requirements are tested: If a failure is detected in both the hydraulic pressure 1 system and the left outer actuator, while there are no other failures, turn off the left outer actuator. First we generate a test case for this requirement in a Signal Builder block within the Test Cases block, as shown in Figure 5.
Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery www.iosrjournals.org 20 | Page Figure 5 Test case in Signal Builder Block There are a total of eight signals shown in Figure 5 three signals for each hydraulic circuit, four signals for each actuator, and one signal to switch on the verification process. Let's look at the first seven signals. The test cases have been set up so that a value of 1 corresponds to a failure, and a value of 0 corresponds to a nominal value. For this requirement, there are failures in both hydraulic circuit 1 and the left outer actuator. Therefore, you see both of those signals start at 0 and then change to 1 as a failure is detected. The values of the other signals for the hydraulic circuits and actuators stay constant at 0 since no other failures are detected. For the last signal labelled do_verification, when the value is 1, we check to see whether the actual modes of the actuators correspond to the theoretical modes of the actuators. The expected modes for each actuator are specified in the section labelled Verification block settings in the Signal Builder block (upper-right section in Figure 5). In this, we expect the inner actuators to be active, the left outer actuator to be turned off, and the right outer actuator to be on standby. XI. Results and conclusion System design often starts off with a set of high-level requirements (e.g., ‘mission requirements’) that are gradually refined into a set of detailed requirements from which the subsystem specifications can be derived. Once the subsystem specifications are available, an implementation can be designed. Once the implementation has been realized, extensive testing determines whether the original requirements are met. In general, requirements are ambiguous, not very rigorous, and even inconsistent. It is desirable to find the problems as early on in the design process as possible. Model-Based Design can be used to that goal by facilitating executable specifications that allow the testing otherwise done after system realization. References [1] Jason Ghidella and Pieter J. Mosterman Requirements-Based Testing in Aircraft Control Design, The MathWorks, Inc., Natick, MA, 01760, USA. [2] Pieter J. Mosterman, Manuel A. Pereira Remelhe, Sebastian Engell, and Martin Otter, Simulation for Analysis of Aircraft Elevator Feedback and Redundancy Control. [3] Simulink, Model-Based and System-Based Design © COPYRIGHT 1990 - 2004 by The MathWorks, Inc. [4] Stateflow® Getting Started Guide ©COPYRIGHT 2004–2012 by The MathWorks, Inc. [5] Politecnico Di Milano - Dipartimento Di Ingegneria Aerospaziale Aircraft Systems –Chapter 6 – Flight Control System LECTURE NOTES, VERSION 2004. [6] Dan Ye and Guang-Hong Yang, Senior Member, IEEE, Adaptive Fault-Tolerant Tracking Control Against Actuator Faults With Application to Flight Control. IEEE Transactions On Control Systems Technology, VOL. 14, NO. 6, NOVEMBER 2006. [7] Bo Yang, Fei Zhao, Xiayun Zhao, Sen Yang Simulation Based Design of a High-Speed +Elevator System. Spring 2008.

More Related Content

PDF
A High Gain Observer Based Sensorless Nonlinear Control of Induction Machine
IJPEDS-IAES
 
PDF
Design Novel Lookup Table Changed Auto Tuning FSMC: Applied to Robot Manipulator
CSCJournals
 
PDF
07 15 sep14 6532 13538-1-rv-edit_
IAES-IJPEDS
 
PDF
IRJET- A Performance of Hybrid Control in Nonlinear Dynamic Multirotor UAV
IRJET Journal
 
PDF
Closed loop performance investigation
Prabhakar Captain
 
PDF
Design Auto Adjust Sliding Surface Slope: Applied to Robot Manipulator
Waqas Tariq
 
PDF
Compound Control of Electromagnetic Linear Actuator Based on Fuzzy Switching
TELKOMNIKA JOURNAL
 
PPT
Meeting w12 chapter 4 part 2
Hattori Sidek
 
A High Gain Observer Based Sensorless Nonlinear Control of Induction Machine
IJPEDS-IAES
 
Design Novel Lookup Table Changed Auto Tuning FSMC: Applied to Robot Manipulator
CSCJournals
 
07 15 sep14 6532 13538-1-rv-edit_
IAES-IJPEDS
 
IRJET- A Performance of Hybrid Control in Nonlinear Dynamic Multirotor UAV
IRJET Journal
 
Closed loop performance investigation
Prabhakar Captain
 
Design Auto Adjust Sliding Surface Slope: Applied to Robot Manipulator
Waqas Tariq
 
Compound Control of Electromagnetic Linear Actuator Based on Fuzzy Switching
TELKOMNIKA JOURNAL
 
Meeting w12 chapter 4 part 2
Hattori Sidek
 

What's hot (20)

PDF
FRACTIONAL-ORDER PROPORTIONALINTEGRAL (FOPI) CONTROLLER FOR MECANUM-WHEELED R...
IAEME Publication
 
PPTX
Introduction to control system 1
turna67
 
PDF
Novel Artificial Control of Nonlinear Uncertain System: Design a Novel Modifi...
Waqas Tariq
 
PDF
Design Adaptive Fuzzy Inference Sliding Mode Algorithm: Applied to Robot Arm
Waqas Tariq
 
PDF
Sliding Mode Methodology Vs. Computed Torque Methodology Using MATLAB/SIMULIN...
CSCJournals
 
PDF
dSPACE DS1104 Based Real Time Implementation of Sliding Mode Control of Induc...
International Journal of Power Electronics and Drive Systems
 
PDF
Basics of control system
MUHAMMADU SATHIK RAJA
 
PDF
Artificial Chattering Free on-line Fuzzy Sliding Mode Algorithm for Uncertain...
CSCJournals
 
PDF
Adaptive MIMO Fuzzy Compensate Fuzzy Sliding Mode Algorithm: Applied to Secon...
CSCJournals
 
PDF
B010511015
IOSR Journals
 
PDF
Design Baseline Computed Torque Controller
CSCJournals
 
PPTX
Formulation of Generalized Block Backstepping Control Law of Underactuated Me...
Shubhobrata Rudra
 
PDF
Speed Sensorless Vector Control of Unbalanced Three-Phase Induction Motor wit...
IAES-IJPEDS
 
PPTX
Propulsion control system
MilindPatil136
 
PPT
Introduction to control systems
Hendi Saryanto
 
PDF
Continuous & discontinuous conduction
Dr. Bilal Abdullah Nasir
 
PDF
Novel Method of FOC to Speed Control in Three-Phase IM under Normal and Fault...
IJPEDS-IAES
 
DOCX
Introduction to Control System Design
Andrew Wilhelm
 
PDF
Design Novel Nonlinear Controller Applied to Robot Manipulator: Design New Fe...
Waqas Tariq
 
DOCX
Robot control systems
allterminate
 
FRACTIONAL-ORDER PROPORTIONALINTEGRAL (FOPI) CONTROLLER FOR MECANUM-WHEELED R...
IAEME Publication
 
Introduction to control system 1
turna67
 
Novel Artificial Control of Nonlinear Uncertain System: Design a Novel Modifi...
Waqas Tariq
 
Design Adaptive Fuzzy Inference Sliding Mode Algorithm: Applied to Robot Arm
Waqas Tariq
 
Sliding Mode Methodology Vs. Computed Torque Methodology Using MATLAB/SIMULIN...
CSCJournals
 
dSPACE DS1104 Based Real Time Implementation of Sliding Mode Control of Induc...
International Journal of Power Electronics and Drive Systems
 
Basics of control system
MUHAMMADU SATHIK RAJA
 
Artificial Chattering Free on-line Fuzzy Sliding Mode Algorithm for Uncertain...
CSCJournals
 
Adaptive MIMO Fuzzy Compensate Fuzzy Sliding Mode Algorithm: Applied to Secon...
CSCJournals
 
B010511015
IOSR Journals
 
Design Baseline Computed Torque Controller
CSCJournals
 
Formulation of Generalized Block Backstepping Control Law of Underactuated Me...
Shubhobrata Rudra
 
Speed Sensorless Vector Control of Unbalanced Three-Phase Induction Motor wit...
IAES-IJPEDS
 
Propulsion control system
MilindPatil136
 
Introduction to control systems
Hendi Saryanto
 
Continuous & discontinuous conduction
Dr. Bilal Abdullah Nasir
 
Novel Method of FOC to Speed Control in Three-Phase IM under Normal and Fault...
IJPEDS-IAES
 
Introduction to Control System Design
Andrew Wilhelm
 
Design Novel Nonlinear Controller Applied to Robot Manipulator: Design New Fe...
Waqas Tariq
 
Robot control systems
allterminate
 
Ad

Viewers also liked (20)

PDF
Eigenvalues for HIV-1 dynamic model with two delays
IOSR Journals
 
PDF
K017346572
IOSR Journals
 
PDF
De-Noising Corrupted ECG Signals By Empirical Mode Decomposition (EMD) With A...
IOSR Journals
 
PDF
B0541218
IOSR Journals
 
PDF
Antimicrobial Screening of Vanga Vennai and Mathan Thailam for Diabetic Foot ...
IOSR Journals
 
PDF
L017427378
IOSR Journals
 
PDF
Educational Process Mining-Different Perspectives
IOSR Journals
 
PDF
Design of Gabor Filter for Noise Reduction in Betel Vine leaves Disease Segme...
IOSR Journals
 
PDF
B0350507
IOSR Journals
 
PDF
I01045865
IOSR Journals
 
PDF
D01042335
IOSR Journals
 
PDF
D1304022532
IOSR Journals
 
PDF
Proximate, Mineral and Anti-Nutrient Evaluation of Pumpkin Pulp (Cucurbita Pepo)
IOSR Journals
 
PDF
H010613642
IOSR Journals
 
PDF
Rainy and Dry Days as a Stochastic Process (Albaha City)
IOSR Journals
 
PDF
Lean and Agile Manufacturing as productivity enhancement techniques - a compa...
IOSR Journals
 
PDF
Spectrophotometric Determination of Drugs and Pharmaceuticals by Cerium (IV) ...
IOSR Journals
 
PDF
Comparison of 60GHz CSRRs Ground Shield and Patterned Ground Shield On-chip B...
IOSR Journals
 
PDF
W01761157162
IOSR Journals
 
PDF
M017358794
IOSR Journals
 
Eigenvalues for HIV-1 dynamic model with two delays
IOSR Journals
 
K017346572
IOSR Journals
 
De-Noising Corrupted ECG Signals By Empirical Mode Decomposition (EMD) With A...
IOSR Journals
 
B0541218
IOSR Journals
 
Antimicrobial Screening of Vanga Vennai and Mathan Thailam for Diabetic Foot ...
IOSR Journals
 
L017427378
IOSR Journals
 
Educational Process Mining-Different Perspectives
IOSR Journals
 
Design of Gabor Filter for Noise Reduction in Betel Vine leaves Disease Segme...
IOSR Journals
 
B0350507
IOSR Journals
 
I01045865
IOSR Journals
 
D01042335
IOSR Journals
 
D1304022532
IOSR Journals
 
Proximate, Mineral and Anti-Nutrient Evaluation of Pumpkin Pulp (Cucurbita Pepo)
IOSR Journals
 
H010613642
IOSR Journals
 
Rainy and Dry Days as a Stochastic Process (Albaha City)
IOSR Journals
 
Lean and Agile Manufacturing as productivity enhancement techniques - a compa...
IOSR Journals
 
Spectrophotometric Determination of Drugs and Pharmaceuticals by Cerium (IV) ...
IOSR Journals
 
Comparison of 60GHz CSRRs Ground Shield and Patterned Ground Shield On-chip B...
IOSR Journals
 
W01761157162
IOSR Journals
 
M017358794
IOSR Journals
 
Ad

Similar to Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery (FDIR) System (20)

PDF
FAULT DETECTION AND DIAGNOSIS OF INDUCTION MACHINE WITH ON-LINE PARAMETER PR...
Sheikh R Manihar Ahmed
 
PDF
Proposed Algorithm for Surveillance Applications
Editor IJCATR
 
PDF
Actuator Fault Decoupled Residual Generation on Lateral Moving Aircraft
TELKOMNIKA JOURNAL
 
PDF
Tracy–Widom distribution based fault detection approach: Application to aircr...
ISA Interchange
 
PDF
Sensors and Actuators Integration in Embedded Systems
IDES Editor
 
PDF
Test platform for electronic control units of high-performance safety-critica...
IJECEIAES
 
PPT
fault-dectecting oil and gas process safety
Okeke Livinus
 
PDF
H04544759
IOSR-JEN
 
PPTX
Basics of process fault detection and diagnostics
Rahul Dey
 
PDF
An Overview of Adaptive Approaches in Flight Control
IJERA Editor
 
PPT
Fault tolearant system
arvinthsaran
 
PPT
Fault detection consequence
Mahbub Rashid
 
PPT
Fault tolerance and computing
Palani murugan
 
PDF
Digital Lift Controller with Fault Detection and Recovery Capabilities.pdf
joserogerskw00
 
PDF
VET4SBO Level 3 module 2 - unit 1 - v0.9 en
Karel Van Isacker
 
PDF
Optimized sensor selection for control and fault tolerance of electromagnetic...
ISA Interchange
 
PPS
IEEE WCCI 2014
Francisco Serdio
 
PDF
Automata Theory Models and Algorithms for Controlling an Aircraft Group in Av...
IRJET Journal
 
PDF
Testing of Cyber-Physical Systems: Diversity-driven Strategies
Lionel Briand
 
PPT
3271829.ppt
AhmedHeskol2
 
FAULT DETECTION AND DIAGNOSIS OF INDUCTION MACHINE WITH ON-LINE PARAMETER PR...
Sheikh R Manihar Ahmed
 
Proposed Algorithm for Surveillance Applications
Editor IJCATR
 
Actuator Fault Decoupled Residual Generation on Lateral Moving Aircraft
TELKOMNIKA JOURNAL
 
Tracy–Widom distribution based fault detection approach: Application to aircr...
ISA Interchange
 
Sensors and Actuators Integration in Embedded Systems
IDES Editor
 
Test platform for electronic control units of high-performance safety-critica...
IJECEIAES
 
fault-dectecting oil and gas process safety
Okeke Livinus
 
H04544759
IOSR-JEN
 
Basics of process fault detection and diagnostics
Rahul Dey
 
An Overview of Adaptive Approaches in Flight Control
IJERA Editor
 
Fault tolearant system
arvinthsaran
 
Fault detection consequence
Mahbub Rashid
 
Fault tolerance and computing
Palani murugan
 
Digital Lift Controller with Fault Detection and Recovery Capabilities.pdf
joserogerskw00
 
VET4SBO Level 3 module 2 - unit 1 - v0.9 en
Karel Van Isacker
 
Optimized sensor selection for control and fault tolerance of electromagnetic...
ISA Interchange
 
IEEE WCCI 2014
Francisco Serdio
 
Automata Theory Models and Algorithms for Controlling an Aircraft Group in Av...
IRJET Journal
 
Testing of Cyber-Physical Systems: Diversity-driven Strategies
Lionel Briand
 
3271829.ppt
AhmedHeskol2
 

More from IOSR Journals (20)

PDF
A011140104
IOSR Journals
 
PDF
M0111397100
IOSR Journals
 
PDF
L011138596
IOSR Journals
 
PDF
K011138084
IOSR Journals
 
PDF
J011137479
IOSR Journals
 
PDF
I011136673
IOSR Journals
 
PDF
G011134454
IOSR Journals
 
PDF
H011135565
IOSR Journals
 
PDF
F011134043
IOSR Journals
 
PDF
E011133639
IOSR Journals
 
PDF
D011132635
IOSR Journals
 
PDF
C011131925
IOSR Journals
 
PDF
B011130918
IOSR Journals
 
PDF
A011130108
IOSR Journals
 
PDF
I011125160
IOSR Journals
 
PDF
H011124050
IOSR Journals
 
PDF
G011123539
IOSR Journals
 
PDF
F011123134
IOSR Journals
 
PDF
E011122530
IOSR Journals
 
PDF
D011121524
IOSR Journals
 
A011140104
IOSR Journals
 
M0111397100
IOSR Journals
 
L011138596
IOSR Journals
 
K011138084
IOSR Journals
 
J011137479
IOSR Journals
 
I011136673
IOSR Journals
 
G011134454
IOSR Journals
 
H011135565
IOSR Journals
 
F011134043
IOSR Journals
 
E011133639
IOSR Journals
 
D011132635
IOSR Journals
 
C011131925
IOSR Journals
 
B011130918
IOSR Journals
 
A011130108
IOSR Journals
 
I011125160
IOSR Journals
 
H011124050
IOSR Journals
 
G011123539
IOSR Journals
 
F011123134
IOSR Journals
 
E011122530
IOSR Journals
 
D011121524
IOSR Journals
 

Recently uploaded (20)

PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PPTX
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Unlock new opportunities with location data.pdf
Precisely
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Five Habits of High-Impact Board Members
OnBoard
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Unlock new opportunities with location data.pdf
Precisely
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Modernising the Digital Integration Hub
Daniel Toomey
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
What is a Computer? Input Devices /output devices
GulJan8
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 

Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery (FDIR) System

  • 1. IOSR Journal of Computer Engineering (IOSRJCE) ISSN: 2278-0661, ISBN: 2278-8727 Volume 5, Issue 6 (Sep-Oct. 2012), PP 15-20 www.iosrjournals.org www.iosrjournals.org 15 | Page Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery (FDIR) System Venkatesh Kumar. N1 , Amritha Mulay. V2 , Mujeeb Ulla Jeelani 3 1 Asst. Professor, SET, JAIN University, Bangalore, Freelance consultant and Trainer. 2 Software Engineer, Allied Tools and Electronics, Bangalore. 3 Software Engineer, 7Star Technologies, Bangalore. Abstract: Model-Based Design allows the process of verification and validation of an executable system specification, which prevents errors from persisting into later stages of the design process where they are more costly and time consuming to fix. Studying a Fault Detection, Isolation, and Recovery (FDIR) system of a controller design, in this case an aircraft elevator redundancy control system is considered, which demonstrates how to trace requirements to a design, use the test cases based on those requirements, and perform the coverage analysis, which in turn reveals untested, missing, and ambiguous requirements in the specification. Key words: Model Based Design, Graphical Model, Actuator, hydraulics. I. Introduction With Model-Based Design, a graphical model, often a block diagram is used to capture the system requirements. This model produces an executable specification that describes the system behavior and can be gradually extended into an increasingly detailed design [1] [2]. Verification and validation can occur earlier in the system design process, which reduces costly iterations across many design steps. The creation of consistent, reusable, and well-documented models becomes the important stage in the development of embedded systems. Hence, the concept of model-based development (MBD) emerges. Due to the increasing complexity of the developed systems it is necessary to model correctly and to implement the chosen design in a correct manner. In general, the requirements for engineered systems are ambiguous, not rigorous, and even inconsistent. It is desirable to detect such problems as early as possible in the system design process. Model-Based approach can be used to achieve this goal by facilitating executable specifications that allow testing to start at the model level instead of after system realization. II. Description of an Elevator Control System A typical aircraft has two elevators attached on the horizontal tails (one on each side of the fuselage). There are a number of redundant parts in the system to ensure safety [2]. For example, as shown in Figure 1, there are:  Two independent hydraulic actuators per elevator (four in total).  Three separate hydraulic circuits to drive the actuators.  Two primary flight control units (PFCU).  Two control modules per actuator: Full range control law and limited / reduced range control law. In this system we limit each PFCU to have only one control law, and to control only one set of actuators to reduce the complexity of the system. A PFCU having a sophisticated Input-Output (I/O) control law, controls the left (LIO) and right (RIO) outer actuator. In case of a failure, a Direct-Link (DL) control law with reduced functionality handles the left (LDL) and right (RDL) inner actuators. Each outer actuator has a dedicated hydraulic circuit, whereas the inner actuators share one hydraulic circuit. By default, the outer actuators are on, and the inner actuators are on standby. If a fault is detected in the outer actuators or in the hydraulic circuits that are connected to them, we want the system to respond accordingly to maintain stability by turning the outer actuators off and activating the inner actuators [2]. The mode logic block operates the redundancy to assure continual operation of the system. This paper focuses on the fault detection, isolation, and recovery logic that causes the actuators to switch from one mode to another. Here simple yet representative models of the hydraulic actuators and elevators, as well as the feedback control laws are presented, to illustrate the behavior of this logic.
  • 2. Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery www.iosrjournals.org 16 | Page Figure 1 Components of the elevator redundancy system III. System requirements As mentioned, there are four actuators in total, two on each elevator. Each actuator has five modes:  Isolated mode. The actuator is turned off indefinitely. An actuator must be able to be isolated from any mode.  Off mode. The actuator is turned off temporarily because of a failure and will come back online only if all failures for that actuator are fixed.  Passive mode. The actuator is waiting and does not generate actuator control signals. An actuator in passive mode can take control of the elevator control system.  Standby mode. The actuator's control law is active, but no force is applied to the actuator. It is ready to take control of the system and will introduce minimal transients when it does.  Active mode. The actuator is active and controls the elevator. IV. Control logic system structure We know that the system contains four actuators, as shown in Figure 2, each of which can be in one of five modes: active, standby, off, passive, or isolated. To implement the mode logic in Stateflow, we create four parallel superstates that represent the actuators, and within each superstate are five exclusive states that represent the five modes given above. The actuator superstates are parallel because the actuators run concurrently in the system [4]. On the other hand, the five mode states are exclusive because an actuator is in one and only one mode at any given time. The operator would not want this actuator to be active right away because; 1) To run the risk of using two actuators simultaneously to control one elevator, 2) The operator is trying to minimize mode switching, and 3) The operator would like the elevators to be symmetric if possible (i.e., either both inner actuators are active or both outer actuators are active). So if the inner actuators are active, they should remain active even if one of the outer actuators has come back online. A better alternative is to set the actuator to the passive mode by default. Figure 2 Complete actuator control logic system without FDIR capability.
  • 3. Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery www.iosrjournals.org 17 | Page V. Fault detection and isolation Table 1 shows a small set of high-level requirements used to guide the design of the mode-logic component. Such high-level requirements can be incomplete, inconsistent, and difficult to interpret. Design errors can be introduced simply by misinterpreting the high-level requirements into more detailed requirements [6]. For example, the combination of requirements 2 and 3 from Table 1 creates an ambiguity, i.e., If one actuator can be operated only in inner loop, should the other still be operated in outer loop. Therefore, it is necessary to test the detailed requirements early in the development process to ensure their accuracy. Hence to design an implementation, the high level system requirements needs to be first translated into more detailed, subsystem level, requirements. Part of the detailed requirements that can then be translated into (formal) specifications is shown in Table 2. Based on these specifications, a controller model is designed that embodies the desired behavior. The design then needs to be tested against those requirements to verify and validate its compliance [6]. The approach demonstrated revolves around being able to independently establish test cases that are derived from the high and low-level requirements that can be executed on the design model, that has been created based on the same requirements, to verify that the requirements have been met. The ability to have full traceability of the high and low-level requirements to the design model through software implementation is achieved. Establishing such a formalized approach to testing the design is important to demonstrate that it meets the written requirements. Table 1 Small set of high-level requirements VI. Fault definition We have listed the requirements that this system must fulfil with respect to fault detection. If the aircraft is flying perfectly level, then the actuator position should maintain a constant value. If the position of an actuator increases or decreases by 10 cm from zero point, then a failure has occurred in that actuator. A failure also occurs if the change in position is very rapid. Similarly, a fault occurs in one of the hydraulic circuits if the pressure is out-of-bounds or if the pressure changes very rapidly. The fault detection subsystem that is implemented in Simulink is as shown in Figure 3. The actuator position and hydraulic pressure values are input into both the Rate of Change Threshold and Range Threshold blocks, which then determine whether or not these values are valid [6]. This information then gets sent to the actuator mode logic system. If a failure has been detected, then the mode logic system will react accordingly (e.g., an actuator can be switched off). Figure 3 Fault detection system ID Description 1 Each actuator will have five modes: Isolated, Off, Passive, Standby, and Active. 2 If possible, the same control law should be active for both the left and right elevators. 3 If available, the I/O control law should be active instead of the DL control law. 4 The actuator that is not active should be in standby. 5 If the pressure of the hydraulic circuit is low and the position measurement fails, the corresponding actuator should be switched to Off. 6 If the pressure of the hydraulic circuit is nominal and the position measurement fails, the corresponding actuator should be switched to Isolated. 7 Controller state changes should be made only in response to failure events.
  • 4. Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery www.iosrjournals.org 18 | Page VII. Using Truth Tables for fault detection As we can see above, the logic system needs to fulfil a significant number of requirements. One way to incorporate each of these requirements into Stateflow is to use truth tables. Truth tables are used to realize logical decision-making behaviour. Stateflow truth tables contain conditions, decisions, and actions, as shown in Table 3. Let's look at the first requirement we listed in this part to see how it fits into the truth table. To repeat, the first requirement is that if a failure is detected in the hydraulic pressure 1 system, while there are no other failures, we turn off the left outer actuator. This requirement is met through Decision 1 of the condition table. Note that in Decision 1, the second condition (left outer actuator failed) is blank, meaning that the condition can be either true or false. Table 3 Truth table for left elevator ID CONDITION DESCRIPTION 1 Hydraulic pressure 1 failure If a failure is detected in the hydraulic pressure 1 system, while there are no other failures, isolate the fault by switching the Left Outer actuator to the off mode. 2 Hydraulic pressure 1 fails and then recovers If a failure is detected in the hydraulic pressure 1 system and the system then recovers, switch the Left Outer actuator to the standby mode. 3 Hydraulic pressure 2 failure If a failure is detected in the hydraulic pressure 2 system, while there are no other failures, isolate the fault by switching the Left Inner actuator and the Right Inner actuator to the off mode. 4 Hydraulic pressure 2 fails and then recovers If a failure is detected in the hydraulic pressure 2 system and the system then recovers, switch the Left Inner actuator and the Right Inner actuator to the standby mode. 5 Hydraulic pressure 3 failure If a failure is detected in the hydraulic pressure 3 system, while there are no other failures, isolate the fault by switching the Right Outer actuator to the off mode. 6 Hydraulic pressure 3 fails and then recovers If a failure is detected in the hydraulic pressure 3 system and the system then recovers, switch the Right Outer actuator to the standby mode. 7 Default start-up condition If there have been no failures detected, the Outer actuators have priority over the Inner actuators. Therefore the elevator actuators should default to the following modes. The Left Outer and Right Outer actuators should transition from the Passive mode to the active mode. The Left Inner and Right Inner actuators should transition from the Passive mode to the Standby mode. Table 2 List of the detailed requirements for the mode logic design
  • 5. Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery www.iosrjournals.org 19 | Page VIII. Recovery This part of models in an aircraft elevator control system using Model-Based Design with Simulink Stateflow and Simulink Verification and Validation is accomplished. We design an actuator controller from a set of requirements and then verify that the controller meets these requirements through appropriate test cases. We can apply the design approach discussed in this case study to other event-based logic systems. We designed the overall structure of the elevator control system. In Previous section, we modified the control system to allow for the detection of faults in the actuators or hydraulic circuits and the isolation of specific actuators based on these faults. In this section, we modify the logic system once again so that actuator subsystems can be recovered once specific faults are no longer detected. Figure 4 Complete FDIR actuator logic system Now that we have the recovery requirements for the actuator control system, we can modify the Stateflow chart accordingly. The first step is to add transitions to the chart that are necessary for recovery purposes. We will add transitions to satisfy each recovery requirement by adding a transition label appropriate for each requirement. It will be necessary to transition from Active to Standby mode and vice versa. For example, look at what happens when the left outer actuator is switched off due to a failure. In this case, the right outer actuator is switched from Active to Standby mode, and the inner actuators are switched from Standby to Active mode. Tests designed for all requirements can be combined into a test harness and applied to the design model for requirements-based testing. Tests can be executed individually or in batch mode. If a test runs without any verification blocks asserting, then the design passes the test. If an assertion is detected, the simulation stops and the verification block issuing the assertion is highlighted, which helps diagnose why the test failed. IX. Coverage Analysis Creating and executing requirements-based tests to ensure that the design behaves as expected is not the same as fully testing the design. Some requirements may lack tests, the requirements themselves may be ambiguous or incomplete, and the design may contain superfluous elements. By using Simulink Verification and Validation, coverage metrics can be collected during simulation to indicate untested design elements. The coverage metrics are displayed directly in the model using coloured highlights and in a dialog box with summary information. Additionally, a detailed report of the coverage analysis is created. The coverage metrics collected include cyclomatic complexity, decision coverage, condition coverage, MC/DC, lookup table coverage, and signal range coverage. X. Requirement based Testing Let's look at the following specific requirement in order to understand how requirements are tested: If a failure is detected in both the hydraulic pressure 1 system and the left outer actuator, while there are no other failures, turn off the left outer actuator. First we generate a test case for this requirement in a Signal Builder block within the Test Cases block, as shown in Figure 5.
  • 6. Applying a Model Based Testing for a Controller Design in Fault Detection, Isolation & Recovery www.iosrjournals.org 20 | Page Figure 5 Test case in Signal Builder Block There are a total of eight signals shown in Figure 5 three signals for each hydraulic circuit, four signals for each actuator, and one signal to switch on the verification process. Let's look at the first seven signals. The test cases have been set up so that a value of 1 corresponds to a failure, and a value of 0 corresponds to a nominal value. For this requirement, there are failures in both hydraulic circuit 1 and the left outer actuator. Therefore, you see both of those signals start at 0 and then change to 1 as a failure is detected. The values of the other signals for the hydraulic circuits and actuators stay constant at 0 since no other failures are detected. For the last signal labelled do_verification, when the value is 1, we check to see whether the actual modes of the actuators correspond to the theoretical modes of the actuators. The expected modes for each actuator are specified in the section labelled Verification block settings in the Signal Builder block (upper-right section in Figure 5). In this, we expect the inner actuators to be active, the left outer actuator to be turned off, and the right outer actuator to be on standby. XI. Results and conclusion System design often starts off with a set of high-level requirements (e.g., ‘mission requirements’) that are gradually refined into a set of detailed requirements from which the subsystem specifications can be derived. Once the subsystem specifications are available, an implementation can be designed. Once the implementation has been realized, extensive testing determines whether the original requirements are met. In general, requirements are ambiguous, not very rigorous, and even inconsistent. It is desirable to find the problems as early on in the design process as possible. Model-Based Design can be used to that goal by facilitating executable specifications that allow the testing otherwise done after system realization. References [1] Jason Ghidella and Pieter J. Mosterman Requirements-Based Testing in Aircraft Control Design, The MathWorks, Inc., Natick, MA, 01760, USA. [2] Pieter J. Mosterman, Manuel A. Pereira Remelhe, Sebastian Engell, and Martin Otter, Simulation for Analysis of Aircraft Elevator Feedback and Redundancy Control. [3] Simulink, Model-Based and System-Based Design © COPYRIGHT 1990 - 2004 by The MathWorks, Inc. [4] Stateflow® Getting Started Guide ©COPYRIGHT 2004–2012 by The MathWorks, Inc. [5] Politecnico Di Milano - Dipartimento Di Ingegneria Aerospaziale Aircraft Systems –Chapter 6 – Flight Control System LECTURE NOTES, VERSION 2004. [6] Dan Ye and Guang-Hong Yang, Senior Member, IEEE, Adaptive Fault-Tolerant Tracking Control Against Actuator Faults With Application to Flight Control. IEEE Transactions On Control Systems Technology, VOL. 14, NO. 6, NOVEMBER 2006. [7] Bo Yang, Fei Zhao, Xiayun Zhao, Sen Yang Simulation Based Design of a High-Speed +Elevator System. Spring 2008.