Verify Fault Detection Logic in Aircraft Elevator Control System
This example shows how to use Simulink® Fault Analyzer™ to verify that the fault detection logic deploys on an aircraft elevator control system. The aircraft elevator has two elevators, one for each wing. Each elevator has two actuators and an independent hydraulic circuit. Both elevators also share an additional hydraulic circuit. Each of these circuits has an associated fault that the model logic detects when injected.
The model includes conditionals that monitor the signals from the detection monitor, which allows you to optionally log and evaluate signal values and verify if the fault detection logic executes. In this example, you simulate faults, associate the fault detection monitor outputs with conditionals, and verify the desired outputs in a Failure Mode and Effects Analysis (FMEA).
Open the Model and Inspect Faults
Open the aircraftElevatorFaultAnalyzer
model.
mdlName = "aircraftElevatorFaultAnalyzer";
open_system(mdlName)
This model replaces the faults in the model in the Detect and Isolate Faults in Aircraft Elevator Control System (Stateflow) example with Simulink Fault Analyzer faults. The model contains seven faults. Three of the faults affect the controls for the hydraulic actuators, and four affect the actuator controls.
Open the Fault Table pane to view and select the faults. In the Apps tab, click Fault Analyzer. In the Fault Analyzer tab, in the View section, click Fault Table.
The model has faults located at different levels of the model hierarchy. To view the location of a fault, right-click the fault and select Show faulted model element in canvas. The Simulink Editor opens and highlights the location of the fault.
The faults replicate the behaviors modeled in the Detect and Isolate Faults in Aircraft Elevator Control System (Stateflow) example. When injected, the fault on each hydraulic system drops the hydraulic pressure to 100
, and the fault on each actuator holds the position at 15
. To view the behaviors, in the Fault Table pane, right-click the fault and select Open fault behavior.
View the Conditionals
This example monitors and verifies the fault detection logic by using conditionals. You can also use conditionals to trigger fault injection. Each conditional corresponds to an output signal of the fault monitoring system. If the monitor outputs a failure signal, the conditional is true. To view the conditionals, in the Fault Table pane, open the Conditionals tab.
As you develop your conditionals, you may find that you need to update expressions to represent more complicated fault injection conditions. You can adjust the condition expression to do this. For more information, see Create and Manage Conditionals.
Simulate the Model
You can select one or more faults to simulate at a time. For example, activate the hydraulic_system_1
and hydraulic_system_2
faults. Enable the model elements that contain these faults, and disable the other faulted model elements.
Because each model element only has one fault, when you enable the model element, you activate the added fault. See Define and Model Faults.
In the Fault Analyzer tab, in the Status section, ensure that the Fault Simulation button is enabled. Simulate the model. You can view the results of the simulation in the Simulation Data Inspector. In the Fault Analyzer tab, in the Review Results section, click Data Inspector. This image shows the injection status of the activated faults and the conditionals that measure if the associated monitor signals detect a fault.
The model uses mitigation logic that relies on the output of the fault detection logic. To view the fault mitigation logic outputs, select the LO_mode
, RO_mode
, LI_mode
, and RI_mode
signals.
If you want to run more than one simulation, you can configure a design study in the Multiple Simulations panel. For more information, see Configure and Run Simulations with Multiple Simulations Panel and Simulate Models with Faults by Using the Multiple Simulations Panel.
Create an FMEA and Link to Faults and Conditionals
After you configure the faults that you want to inject and the conditionals that you want to use, you can link the faults and conditionals to elements in safety analysis spreadsheets that you create in the Safety Analysis Manager. In this example, the faults are linked to cell entries in an FMEA spreadsheet. An FMEA is a common safety analysis that analyzes unintended system or component behaviors, known as failure modes, with respect to their potential effects on the system. This analysis often includes how effective fault detection logic is at detecting abnormal behavior.
Open the FMEA spreadsheet, RobotFMEA.mldatx
, in the Safety Analysis Manager.
aircraftFMEADoc = ... safetyAnalysisMgr.openDocument("AircraftElevatorFMEA.mldatx"); clearFlags(aircraftFMEADoc) safetyAnalysisMgr.openManager
The FMEA links one or more faults to a failure mode in the Failure Mode column and the associated conditional that tracks that value of the monitor system. Point to the link icon to view the links. You can also view the links by selecting the cell. In the Properties pane, expand the Links section.
Run Callbacks to Simulate and Evaluate FMEA
To execute code from the spreadsheet, you create and execute a callback. See Write Callbacks to Analyze Safety Analysis Manager Documents. In this example, the spreadsheet executes a callback when you click Analyze Spreadsheet. The callback runs the code in the MATLAB® script validateAircraftElevatorFMEAUsingSimulation
. In this example, the script checks if the aircraft has a fault, as described in the Failure Mode column. When the fault is injected, the script checks if the monitor recognizes the fault by measuring the output of the linked conditional in the Detection Method column. If the linked conditional output is true, it verifies that the fault detection logic activates during simulation and the script adds a check flag to the Detection Method cell. Otherwise it adds an error flag. Because the third and sixth rows have two failure modes, the Detection Method column cells verify if more than one conditional is true. The other rows check one conditional. To view the callback code, open validateAircraftElevatorFMEAUsingSimulation
.
Click Analyze Spreadsheet. The callback verifies that the linked conditionals are true when the faults in the same row are injected.
Add different failure modes to test to the spreadsheet by adding a row and linking to different combinations of faults and conditionals, and rerun the callback script to see if the faults generate the response measured by the conditionals.
Related Topics
- Define and Model Faults
- Create Spreadsheets in the Safety Analysis Manager
- Create and Manage Conditionals
- Fault Injection with Simulink Fault Analyzer
- Write Callbacks to Analyze Safety Analysis Manager Documents