CN111382500B - Safety analysis and verification method for turbocharging system of aircraft engine - Google Patents

Safety analysis and verification method for turbocharging system of aircraft engine

Info

Publication number: CN111382500B
Authority: CN (China)
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Application number: CN202010104688.3A
Other languages: Chinese (zh)
Other versions: CN111382500A
Inventors: 鲍梦瑶, 丁水汀, 李果
Current assignee: Beijing Lingdong Guochuang Technology Co ltd
Original assignee (applicant): Civil Aviation Management Institute Of China

Events: application filed by Civil Aviation Management Institute Of China; priority to CN202010104688.3A; publication of CN111382500A; application granted; publication of CN111382500B; legal status Active.

Classifications

    • F02B77/082 Safety, indicating, or supervising devices relating to valves (under F02B77/08 Safety, indicating, or supervising devices; F02B77/00 Component parts, details or accessories; F02B Internal-combustion piston engines, combustion engines in general; F02 Combustion engines, hot-gas or combustion-product engine plants; F Mechanical engineering, lighting, heating, weapons, blasting)
    • F02B77/089 Safety, indicating, or supervising devices relating to engine temperature (same parent groups as above)
    • G01M15/05 Testing internal-combustion engines by combined monitoring of two or more different engine parameters (under G01M15/04 Testing internal-combustion engines; G01M15/00 Testing of engines; G01M Testing static or dynamic balance of machines or structures, testing of structures or apparatus not otherwise provided for; G01 Measuring, testing; G Physics)
    • G06F17/18 Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis (under G06F17/10 Complex mathematical operations; G06F17/00 Digital computing or data processing equipment or methods specially adapted for specific functions; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)

Abstract

The invention discloses a safety analysis and verification method for the turbocharging system of an aircraft engine. The method comprises the following steps. Step S1: evaluate the failure probability of each failure mode of the supercharging system by the Monte Carlo method, and compare the failure modes and failure probabilities of the supercharging system before and after a safety control strategy is adopted, so as to judge the effectiveness of the safety control strategy. Step S2: analyse and check the control software part of the supercharging system that adopts the safety control strategy by model checking, so as to judge whether the control software part is able to handle abnormal inputs. With this method, after the safety control strategy is adopted the probability of each failure mode of the system is reduced and the safety level is improved; in addition, the method effectively analyses the influence of complex control logic and component failures in the control system, reveals defects in the requirements, improves analysis efficiency, and is suitable for complex control systems with high safety requirements.

Description

Safety analysis and verification method for turbocharging system of aircraft engine
Technical Field
The invention relates to a safety analysis and verification method for the turbocharging system (hereinafter referred to as the supercharging system) of an aircraft engine, and belongs to the technical field of aircraft.
Background
Safety is one of the important attributes of an aircraft; it is an inherent attribute that is established by design allocation and maintained through manufacturing, verification and validation, on-site validation and maintenance. Over the past thirty years, with the continuing development of turbocharged aviation engines, system complexity has increased greatly, and aviation safety problems related to the turbocharger have become increasingly prominent. It is therefore particularly important to perform system safety analysis in the design and analysis of an aircraft engine turbocharging system.
System safety analysis comprises an assessment process and analysis methods, and is one of the effective ways of ensuring the safety requirements during aircraft development. In the general aircraft system safety assessment process, qualitative and quantitative analysis must be performed with the corresponding safety analysis methods at different stages to ensure that the product meets its safety requirements. For example, the traditional safety analysis methods mainly use fault tree analysis (FTA) in the functional hazard assessment stage, FTA and common cause analysis (CCA) in the preliminary system safety assessment stage, and FTA, failure mode and effects analysis (FMEA) and failure mode, effects and criticality analysis (FMECA) in the system safety assessment stage. However, applying these conventional analysis methods directly to the safety analysis of the turbocharging system of an aircraft engine meets great difficulties and restrictions.
In order to overcome the shortcomings of the traditional analysis methods, a model-based system safety analysis method can be developed for the turbocharging system of a certain type of aircraft engine on the basis of a whole-engine model, so that the key influencing factors are determined in the preliminary system safety assessment stage and the safety level is raised by a targeted safety control strategy in the system safety assessment stage. In order to determine whether the analysed whole-engine model reaches an acceptable design safety level after the safety control strategy is adopted, the safety of the turbocharging system of the aircraft engine must be verified.
Disclosure of Invention
The invention aims to provide a safety analysis and verification method for a turbocharging system of an aircraft engine.
In order to achieve the purpose, the invention adopts the following technical scheme:
A safety analysis and verification method for an aircraft engine turbocharging system comprises the following steps:
step S1: evaluating the failure probability of each failure mode of the supercharging system by the Monte Carlo method, and comparing the failure modes and failure probabilities of the supercharging system before and after a safety control strategy is adopted, to judge the effectiveness of the safety control strategy;
step S2: analysing and checking the control software part of the supercharging system that adopts the safety control strategy by model checking, to judge whether the control software part is able to handle abnormal inputs.
Preferably, step S1 includes the following sub-steps:
step S11: defining the input and output variables of the supercharging system; the input variables are the influencing factors that have an important effect on the change of the operating boundary of the supercharging system, and the output variables are the system limit state functions used to judge the failure modes of the supercharging system;
step S12: randomly sampling the input variables, computing with the supercharged engine model the probability distribution characteristics of the system limit state functions of the supercharging system before and after the safety control strategy is adopted, and evaluating by the Monte Carlo method the failure probability of each failure mode of the supercharging system before and after the safety control strategy is adopted;
step S13: comparing the probability distribution characteristics and failure probabilities of the system limit state functions of the supercharging system before and after the safety control strategy is adopted, to judge the effectiveness of the safety control strategy.
Preferably, the influencing factors include throttle opening, wastegate diameter, altitude, engine speed and exhaust pipe diameter.
Preferably, the system limit state functions comprise the turbine inlet temperature safety margin, the supercharger rotor speed safety margin, the compressor surge margin and the maximum explosion pressure safety margin.
Preferably, the Monte Carlo method evaluates the failure probability of each failure mode of the supercharging system before and after the safety control strategy is adopted according to the following formula:

$$p_f = P\{G(E) < 0\} = \int_{D_f} f(E)\,\mathrm{d}E$$

where $p_f$ is the failure probability of a failure mode of the supercharging system; $E = (e_1, e_2, \dots, e_n)^T$ is the vector of influencing factors; $f(E) = f(e_1, e_2, \dots, e_n)$ is the joint probability density function of the basic random variables; $G(E)$ is the system limit state function corresponding to the failure mode of the supercharging system; and $D_f = \{E \mid G(E) < 0\}$ is the failure region corresponding to the given set of system limit state functions.
Preferably, the system limit state function corresponding to a failure mode of the supercharging system is expressed as

$$G_m(E) = y_{sm} - y_{om}, \qquad m = 1, 2, \dots, n$$

where $y_{sm}$ ($m = 1, 2, \dots, n$) denotes the safe limit of the m-th failure mode restriction of the supercharging system and $y_{om}$ ($m = 1, 2, \dots, n$) denotes the corresponding operating boundary of the supercharging system's working state.
Preferably, step S2 includes the following sub-steps:
step S21: establishing a standard model of the control software part of the supercharging system;
step S22: establishing a component failure model and adding it to the standard model;
step S23: verifying the control software part of the supercharging system by formal safety analysis.
Preferably, the formal safety analysis of the control software part of the supercharging system comprises three aspects: formal description of the safety attributes, system failure simulation, and safety attribute verification.
Preferably, the formal description of a safety attribute is implemented by comparing the output of the model under test with the output of the standard model: if the error between the two output control quantities is within the allowable range, the supercharging system is considered safe.
Preferably, verifying the control software part of the supercharging system by formal safety analysis comprises a control logic check of the standard model and a logic check of single or combined component failures with the control logic otherwise normal.
The safety analysis and verification method of the invention uses the Monte Carlo method to evaluate and compare the failure modes and their probabilities before and after the safety control strategy is adopted; the results show that after the strategy is adopted the probabilities of all failure modes of the system are reduced and the safety level is improved. On the other hand, the software part of the control system is analysed by model checking; the results of the worked example show that model checking can effectively analyse the influence of complex control logic and component failures in the control system, discover defects in the requirements and improve analysis efficiency, and that it is suitable for complex control systems with high safety requirements.
Drawings
FIG. 1 is a flow chart of the safety analysis and verification method for an aircraft engine turbocharging system provided by the invention;
FIG. 2 is a schematic diagram of the relationship between the operating state of the supercharging system and the safety boundary in the method of the invention;
FIG. 3 is a schematic diagram of the probability distribution of the turbine inlet temperature safety margin, one of the system limit state functions among the output variables of the supercharging system, in the method of the invention;
FIG. 4 is a schematic diagram of the probability distribution of the supercharger rotor speed safety margin, one of the system limit state functions among the output variables of the supercharging system, in the method of the invention;
FIG. 5 is a schematic diagram of the probability distribution of the compressor surge margin, one of the system limit state functions among the output variables of the supercharging system, in the method of the invention;
FIG. 6 is a schematic diagram of the probability distribution of the maximum explosion pressure safety margin, one of the system limit state functions among the output variables of the supercharging system, in the method of the invention;
FIG. 7 is a schematic diagram comparing the change in failure probability of each failure mode before and after the safety control strategy is adopted in the method of the invention; here $Y_1$ is the turbine inlet temperature safety margin, $Y_2$ the supercharger rotor speed safety margin, $Y_3$ the compressor surge margin and $Y_4$ the maximum explosion pressure safety margin;
FIG. 8 is a schematic diagram of the standard model of the control software part of the supercharging system established in the method of the invention;
FIG. 9 is a schematic diagram of the controller module of the standard model of the control software part of the supercharging system established in the method of the invention;
FIG. 10 is a schematic diagram of the component failure model established and added to the standard model of the control software part of the supercharging system in the method of the invention;
FIG. 11 is a schematic diagram of the formal description of the safety attributes in the method of the invention.
Detailed Description
The technical contents of the present invention will be further described in detail with reference to the accompanying drawings and specific embodiments.
On the basis of a certain type of piston aircraft engine, a system model suited to the safety matching problems of a turbocharged engine is established: the engine components are divided into modules by function to build a theoretical analysis model of the turbocharged engine system, and a supercharged engine model (a pre-established one-stage or multi-stage supercharged engine model) is built on the GT-Power software platform. The coupling relationship and closeness between failure modes and influencing factors in the system are analysed by the response surface method and related analysis methods, the criticality of the influencing factors to the safety of the supercharging system is determined, and the key influencing factors are graded to obtain a corresponding safety control strategy. In order to judge whether the analysed whole-engine model reaches an acceptable design safety level after the obtained safety control strategy is adopted, the invention provides a safety analysis and verification method for the turbocharging system of an aircraft engine. As shown in fig. 1, the method comprises the following steps:
Step S1: evaluating the failure probability of each failure mode of the supercharging system by the Monte Carlo method, and comparing the failure modes and failure probabilities of the supercharging system before and after a safety control strategy is adopted, to judge the effectiveness of the safety control strategy.
The Monte Carlo method computes parameter estimates and statistics, and studies their distribution characteristics, by constructing a random process. Its basic idea is that for any probabilistic model the theoretical parameters can be estimated from sample statistics obtained by random sampling. The Monte Carlo method can be applied to both stochastic and deterministic problems. Since evaluating the failure probability of the turbocharging system of an aircraft engine requires quantitative analysis, and since SAE ARP4761 (Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment) also requires quantitative analysis in the system safety assessment stage to verify the effectiveness of a safety control strategy derived in the preliminary system safety assessment stage, it is reasonable to choose a quantitative probabilistic analysis method, namely the Monte Carlo method, to evaluate the failure probability of the supercharging system. The effectiveness of the safety control strategy adopted by the supercharging system is judged by the following sub-steps.
Step S11: defining the input and output variables of the supercharging system; the input variables are the influencing factors that have an important effect on the change of the operating boundary of the supercharging system, and the output variables are the system limit state functions used to judge the failure modes of the supercharging system.
The safety analysis of the supercharging system must cover whether its operation over the full altitude range meets the safety requirements. The condition of most concern is therefore the engine operating condition during high-altitude or high-speed cruise (the long-term engine operating state), namely an altitude of 7-10 km, a throttle opening of 70%-100% and an engine speed in the 4200- range. Leaving the control system aside, the influencing factors can be expressed as a set of design-controllable parameters: throttle opening e1, wastegate diameter e2, altitude e3, engine speed e4 and exhaust pipe diameter e5. The system limit state functions among the output variables comprise the turbine inlet temperature safety margin, the supercharger rotor speed safety margin, the compressor surge margin and the maximum explosion pressure safety margin.
Step S12: randomly sampling the input variables, computing with the supercharged engine model the probability distribution characteristics of the system limit state functions of the supercharging system before and after the safety control strategy is adopted, and evaluating by the Monte Carlo method the failure probability of each failure mode of the supercharging system before and after the safety control strategy is adopted.
A required supercharged engine model is selected from the pre-established one-stage or multi-stage models; taking a two-stage supercharged engine as the example, the input variables defined in step S11 are randomly sampled, the corresponding input variables before and after the safety control strategy are obtained, and they are fed into the selected model to compute the probability distribution characteristics of the system limit state functions before and after the strategy is adopted. Among the factors, the wastegate diameter e2 is the most critical in the complex matching between the supercharging system and the engine. In practice, for a two-stage supercharged piston engine to recover its ground-level power at an altitude of 10000 m, the boost pressure must reach the target boost pressure of the surge tank. The two-stage supercharged engine therefore requires a stable intake pressure at the surge tank; but at a fixed engine speed, if the boost requirement is met at high altitude then the boost pressure exceeds the requirement at low altitude, and likewise, at the same altitude, if the boost requirement is met at low speed then the surge-tank intake pressure exceeds the requirement at high speed, so that the actual operating boundary deviates from the normal operating boundary.
Therefore, by adjusting the wastegate diameter e2 (or the wastegate opening) to regulate the exhaust flow passing through the turbine, the turbocharger rotor speed and turbine output power can be changed, which in turn changes the compressor flow and pressure ratio, so that the boost pressure reaches the target boost pressure of the surge tank and the turbocharger and engine are well matched at all altitudes and operating conditions. That is, in the safety control strategy the adjustment for a turbocharged engine is implemented by adding a wastegate control model.
The failure probability of each failure mode of the supercharging system before and after the safety control strategy is adopted is evaluated by the Monte Carlo method according to formula (1):

$$p_f = P\{G(E) < 0\} = \int_{D_f} f(E)\,\mathrm{d}E \qquad (1)$$

where $p_f$ is the failure probability of a failure mode of the supercharging system; $E = (e_1, e_2, \dots, e_n)^T$ is an n-dimensional random variable, i.e. the vector of influencing factors; $f(E) = f(e_1, e_2, \dots, e_n)$ is the joint probability density function of the basic random variables; $G(E)$ is the set of system limit state functions corresponding to the failure modes of the supercharging system; and $D_f = \{E \mid G(E) < 0\}$ is the failure region corresponding to $G(E)$. In the Monte Carlo realization, $p_f$ is estimated as the fraction of the N random samples $E_i$ drawn from $f(E)$ for which $G(E_i) < 0$. The system limit state function of a failure mode of the supercharging system can be expressed as

$$G_m(E) = y_{sm} - y_{om}, \qquad m = 1, 2, \dots, n \qquad (2)$$

where $y_{sm}$ ($m = 1, 2, \dots, n$) denotes the safe limit of the m-th failure mode restriction of the supercharging system and $y_{om}$ ($m = 1, 2, \dots, n$) denotes the corresponding operating boundary of the supercharging system's working state. When $G(E) < 0$ the supercharging system operates outside the safe boundary, i.e. in the unsafe region, and is considered to be in an unsafe working state; when $G(E) = 0$ or $G(E) > 0$ the supercharging system operates on the safe boundary or inside the safe region and is considered to be in a safe working state.
It should be noted that, as shown in fig. 2, the safe boundary of the failure mode restrictions of the supercharging system is the region enclosed by the left and right safe boundary lines, which represent the minimum stable engine speed $n_{\min}$ and the rated speed $n_e$, the uppermost safe boundary line, which represents the maximum allowable turbine temperature $Tr_{\max}$, the upper-left safe boundary, which represents the compressor surge line, the upper-right boundary, which represents the maximum allowable supercharger speed $n_{TC\max}$, and the abscissa axis. The operating boundary of the supercharging system is thus composed of the boundaries of turbine inlet temperature, supercharger rotor speed, compressor pressure ratio and maximum explosion pressure.
Step S13: comparing the probability distribution characteristics and failure probabilities of the system limit state functions of the supercharging system before and after the safety control strategy is adopted, to judge the effectiveness of the safety control strategy.
In an embodiment of the invention, figs. 3 to 6 show the probability distribution characteristics of the system limit state functions obtained in step S12 before and after the supercharging system adopts the safety control strategy, i.e. the distributions of the turbine inlet temperature safety margin, the supercharger rotor speed safety margin, the compressor surge margin and the maximum explosion pressure safety margin. It is readily seen that the safety margins are more dispersed before the safety control strategy is adopted and more concentrated afterwards, with most of the distribution lying in [0.02, 0.2]; for example, the distribution interval of the supercharger rotor speed safety margin changes from [-0.4, 0.8] to [-0.2, 0.5]. In addition, the frequency of samples with G(E) < 0 is clearly reduced, i.e. after the control strategy is adopted the safety level of the supercharger rotor speed is improved and the system is in a good operating state. The turbine inlet temperature, compressor surge margin and maximum explosion pressure show the same trend and are not described again.
To further analyse the influence of the safety control strategy on the failure probability of each failure mode of the supercharging system, fig. 7 shows that after the strategy is adopted the failure probability of the system limit state function G(E) corresponding to the safety margin of each operating boundary is reduced. The failure probability of the supercharger rotor over-speed failure mode is reduced the most, which shows that a safety control strategy applied to the wastegate has the most obvious effect on the supercharger rotor speed: after part of the exhaust gas is discharged through the wastegate, the flow through the turbine and the exhaust back pressure are reduced, so over-speed of the supercharger is avoided and the rotor speed is kept within a reasonable range. When the wastegate opening changes, the resulting change in exhaust flow and pressure at the turbine drives a change in supercharger rotor speed, which affects the compressor boost pressure and therefore has an obvious influence on the compressor surge margin. Because the turbocharger is pneumatically coupled to the engine, the influence on the engine's maximum explosion pressure, delayed by the response lag of the turbocharger, is smaller than that on the rotor speed and surge margin, and the resulting positive-feedback characteristic is finally reflected in the change of the turbine inlet temperature safety margin distribution.
Thus, from the above analysis, the safety control strategy adopted by the supercharging system raises the safety level, but the magnitude of the improvement differs between parameters.
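The procedure of steps S11 to S13 and formula (1), carried through in Python as an added example that is not part of the patent. The GT-Power engine model is not available, so it is replaced by a constructed algebraic surrogate; the input distributions, every coefficient and limit, the surge line and the wastegate regulation law (solve the surrogate for the bypass share that brings the surge-tank boost to the sea-level target) are all assumptions, and the engine speed upper bound is assumed because the page leaves it blank. The block estimates $p_f$ for the four limit state functions before (fixed wastegate orifice) and after (regulated wastegate) the control strategy, and reports for each estimate the sampling standard error and, when no failure was observed, the "rule of three" upper bound, which the description does not discuss.

```python
"""Monte Carlo failure-probability comparison before/after a wastegate control strategy.

Added example, not the patent's own code. The GT-Power engine model is replaced by a
constructed algebraic surrogate; every distribution, coefficient and limit is an assumption.
"""
import math
import random

N_SAMPLES = 20_000
SEED = 7


def sample_inputs(rng):
    """One draw of E = (e1..e5). Distributions are assumed, centred on the high-altitude
    cruise condition of the description (7-10 km, 70-100 % throttle, 4200- r/min)."""
    return (rng.uniform(0.70, 1.00),      # e1 throttle opening, fraction
            rng.gauss(24.0, 2.0),         # e2 wastegate diameter, mm
            rng.uniform(7.0, 10.0),       # e3 altitude, km
            rng.uniform(4200.0, 4800.0),  # e4 engine speed, r/min (upper bound assumed)
            rng.gauss(60.0, 3.0))         # e5 exhaust pipe diameter, mm


def ambient_pressure(alt_km):
    """Ambient pressure relative to sea level (isothermal atmosphere, 8.4 km scale height)."""
    return math.exp(-alt_km / 8.4)


def wastegate_bypass(e, controlled):
    """Share of exhaust bypassing the turbine. Before the strategy: a fixed orifice set by the
    wastegate/exhaust-pipe diameter ratio. After: regulated so that surge-tank boost equals the
    sea-level target (solved from the surrogate below), clamped to the physical range [0, 1]."""
    thro, e2, alt, n, d_exh = e
    if not controlled:
        return min(1.0, (e2 / d_exh) ** 2)
    p_amb = ambient_pressure(alt)
    flow = thro * n / 4500.0
    return min(1.0, max(0.0, 1.0 - (1.0 - p_amb) / flow))


def surrogate(e, bypass):
    """Constructed stand-in for the supercharged engine model. Each output is relative to its
    own allowable maximum (1.0) except the pressure ratio and the flow."""
    thro, e2, alt, n, d_exh = e
    p_amb = ambient_pressure(alt)
    flow = thro * n / 4500.0                        # relative exhaust / compressor flow
    pr = 1.0 + flow * (1.0 - bypass) / p_amb        # compressor pressure ratio
    boost = pr * p_amb                              # surge-tank pressure, 1.0 = sea level
    n_tc = (pr - 1.0) / 2.2                         # supercharger rotor speed
    t_turb = 0.6 + 0.3 * thro + 0.15 * n_tc         # turbine inlet temperature
    p_max = 0.9 * boost * thro                      # maximum explosion pressure
    return {"pr": pr, "n_tc": n_tc, "t_turb": t_turb, "p_max": p_max, "flow": flow}


def limit_state(e, bypass):
    """G_m(E) = (y_sm - y_om) / y_sm for the four failure modes; G_m < 0 is a failure."""
    s = surrogate(e, bypass)
    pr_surge = 1.0 + 4.0 * s["flow"]                # assumed surge line in the (flow, pr) plane
    return {
        "turbine temperature": 1.0 - s["t_turb"],
        "rotor speed": 1.0 - s["n_tc"],
        "compressor surge": (pr_surge - s["pr"]) / pr_surge,
        "explosion pressure": 1.0 - s["p_max"],
    }


def failure_probability(g_values):
    """Monte Carlo estimate of formula (1): p_f = fraction of samples with G(E) < 0, with its
    binomial standard error; when no failure is seen, the 95 % upper bound is 3/N."""
    n = len(g_values)
    k = sum(1 for g in g_values if g < 0.0)
    p = k / n
    se = math.sqrt(p * (1.0 - p) / n)
    upper = p + 1.96 * se if k else 3.0 / n
    return {"p_f": p, "se": se, "upper95": upper, "failures": k}


def compare(n_samples=N_SAMPLES, seed=SEED):
    """Steps S12-S13: same random sample of E fed to the model before and after the strategy."""
    rng = random.Random(seed)
    samples = [sample_inputs(rng) for _ in range(n_samples)]
    result = {}
    for label, controlled in (("before", False), ("after", True)):
        per_mode = {}
        for e in samples:
            for mode, g in limit_state(e, wastegate_bypass(e, controlled)).items():
                per_mode.setdefault(mode, []).append(g)
        result[label] = {mode: failure_probability(gs) for mode, gs in per_mode.items()}
    return result


if __name__ == "__main__":
    res = compare()
    for mode in res["before"]:
        b, a = res["before"][mode], res["after"][mode]
        print(f"{mode:20s} before p_f={b['p_f']:.4f} (se {b['se']:.4f}, <= {b['upper95']:.4f})"
              f"  after p_f={a['p_f']:.4f} (se {a['se']:.4f}, <= {a['upper95']:.4f})")
```

The same sample set is reused for both configurations so that the before/after difference is not masked by sampling noise. A count of zero failures in N samples does not mean $p_f = 0$: at 95 % confidence it only bounds $p_f$ below about 3/N, so resolving the small probabilities that airborne-system safety targets call for needs many more samples than the comparison of distribution shapes does, or a variance-reduction technique in place of plain sampling.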
Step S2: and analyzing and checking the supercharging system control software part adopting the safety control strategy by adopting a model checking method to judge whether the software part has the capability of processing abnormal condition input.
For piston aircraft engines, the control system directly influences the safety of the engine, and the control software as a core component of the control system naturally plays an increasingly important role in safety. However, as the scale of control system software continues to increase and the real-time environment in which it operates becomes more complex, software errors tend to be propagated, amplified, and difficult to isolate, thereby making failures difficult to diagnose and making safety analysis difficult. Generally, in order to ensure the security of the system, an effective method is needed to verify the security analysis of the control software. However, research finds that the traditional safety analysis methods such as fault tree analysis are not suitable for the software part of the control system because the traditional safety analysis methods mainly depend on the skills and experiences of analysts and are limited by the cognitive ability of human beings, all possible behaviors (including normal and abnormal behaviors) of the system are difficult to predict, the influence of some system failure states or misjudgment system failures is easy to be overlooked, and even unexpected failures still occur in an evaluated individual system. Therefore, the engine control system software safety analysis method based on model inspection (called the model inspection method for short) analyzes and inspects the supercharging system control software part adopting the safety control strategy to judge whether the software part has the capability of processing abnormal condition input, thereby ensuring the safe work of the aero-engine. 
The advantages of model checking are that it uses a traversal algorithm, so it is mathematically guaranteed that every state of the supercharging system is searched and none is omitted, and that a computer checking tool can automate the analysis, reducing dependence on the skill and experience of the analyst.
The method analyzes and checks the control software part of the supercharging system after the safety control strategy has been adopted, using the model checking method, in the following substeps:
Step S21: establish a standard model of the control software part of the supercharging system.
As shown in fig. 8 and 9, Matlab/Simulink is used as the modeling tool to build the standard model of the control software part of the supercharging system.
Specifically, fig. 8 is the standard model of the supercharging system and fig. 9 is the controller module of that standard model. The input of the controller (controller) is determined by the throttle opening (Thro sensor 1, Thro sensor2) and engine speed (n sensor 1, n sensor2) of two channels. The output of the controller (controller) is the waste gas valve opening control signal produced by two control mode channels (control mode ch1 and control mode ch2), which cover all sensors of the supercharging system: when the throttle opening (Thro sensor 1) and engine speed (n sensor 1) of channel 1 fail, the failure detection module (logic) detects the sensor input signals, generates the corresponding channel selection signal and passes it through the switching circuit (Index Vector 1) to the control mode channel (control mode ch1), so that control is taken over by the throttle opening (Thro sensor2) and engine speed (n sensor2) signals of channel 2, and vice versa.
In addition, to further improve the safety of the supercharging system, the output signals of the control mode channels (control mode ch1 and control mode ch2) also enter the failure detection module (logic Compare 2) as its input signals and are checked there, and the channel selection signal it generates controls the operation of the switching circuit (Index Vector 2): if the signals of channel 1 (in the present invention the throttle opening (Thro sensor 1) and engine speed (n sensor 1) signals; in practice a number of different sensor signals, i.e. a sensor group signal, may be the ones in error) are normal, the channel 1 signals control the opening of the exhaust valve and the channel 2 signals (in the present invention the throttle opening (Thro sensor2) and engine speed (n sensor2) signals; in practice likewise a sensor group signal) serve as a hot backup; otherwise the channel 2 signals control the opening of the waste gas valve, and channel 2 must not have failed at that moment; if the signals of both channel 1 and channel 2 fail during the mission, the controller loses its control function.
Step S22: establish a component failure model and add it to the standard model.
As shown in fig. 10, in order to describe the behaviour of the failed system, a component failure model is established and added to the standard model of the supercharging system control software part built in step S21, so that the control logic of the standard model can be checked and component failures can be checked under the condition that the control logic is normal. In the embodiment of the invention, component failure is exemplified by an over-range failure of a sensor (its output signal lies outside the range it should have), which is added to the standard model. To simulate (excite) the failure during analysis, a switch (switch) is added so that the sensor output can be toggled at will between normal and failed.
Step S23: verify the control software part of the supercharging system by a formalized safety analysis method.
After the standard model and the component failure model of the supercharging system control software part have been established in steps S21 and S22, the control software part can be verified by formal safety analysis. Formal safety analysis of the control software part of the supercharging system comprises three aspects: formal description of the safety attribute, system failure simulation and safety attribute verification. Each is described in detail below.
The formal description of the safety attribute is realized by comparing the measured output value with the standard output value: if the error between the two output control quantities is within the allowable range, the supercharging system is considered safe. The standard output is the output the supercharging system should produce under normal conditions. As shown in fig. 11, the measured output signal of the supercharging system (in1) is compared with the standard output signal (in2); if the error between them is within the allowable range, i.e. |in1 − in2| ≤ ε (ε is a small quantity), the output result (result) is safe; if the error exceeds the allowable range, the output result (result) is an error. The formal description of the safety attribute is the basis for the subsequent formal verification of the supercharging system safety attribute.
System failure simulation is carried out after the component failure model has been established: the performance of the supercharging system under a specific failure mode is simulated, so that safety problems are found and corrected in time before the more rigorous formal analysis.
Safety attribute verification judges whether a counterexample arises during the proof, that is, whether the supercharging system satisfies the predefined assumed conditions, in order to judge whether the safety attribute of the supercharging system is acceptable.
For the supercharging system control software adopting the safety control strategy, first a verification target for the safety attribute verification process is given, then the hypothesis conditions are defined, and finally the compatibility of the whole model with the verification target is checked and verified. The control system can be improved according to the verification result. The verification process is explained using the Simulink Design Verifier module of Matlab/Simulink as the verification tool, and is divided into two cases: first, control logic checking of the standard model; second, logic checking of single or combined failures of components (such as the sensors) under the condition that the control logic is normal.
For the control logic check of the standard model, the present invention considers whether the output of the control logic module meets the safety design requirements of the supercharging system, that is, the following is to be proved: in the control logic module, when the throttle opening (Thro sensor 1) and engine speed (n sensor 1) of channel 1 have not failed, the failure detection module (logic) detects the sensor input signals and generates a signal output selecting the throttle opening (Thro sensor 1) and engine speed (n sensor 1) of channel 1; when the throttle opening (Thro sensor 1) and engine speed (n sensor 1) of channel 1 have failed and the throttle opening (Thro sensor2) and engine speed (n sensor2) of channel 2 have not, the failure detection module (logic) detects the sensor input signals and generates a signal output selecting the throttle opening (Thro sensor2) and engine speed (n sensor2) of channel 2; when the throttle opening (Thro sensor 1) and engine speed (n sensor 1) of channel 1 and the throttle opening (Thro sensor2) and engine speed (n sensor2) of channel 2 have all failed, the failure detection module (logic) detects the sensor input signals and outputs a channel selection alarm signal to prevent further accidents.
In addition, in the embodiment of the invention, for the supercharging system control software adopting the safety control strategy, the verification target of the safety attribute verification process is as follows: when the failure detection module (logic) detects that the throttle opening (Thro sensor 1) and engine speed (n sensor 1) of channel 1 have not failed, it generates and outputs the signals selecting the throttle opening (Thro sensor 1) and engine speed (n sensor 1) of channel 1, regardless of whether the throttle opening (Thro sensor2) and engine speed (n sensor2) of channel 2 have failed. To carry out this proof a hypothesis condition is given: the safe operating state of the supercharging system is judged from the range of the output signal. On this basis the compatibility of the whole model is checked.
When this verification target is verified, the verification result is an error, for which a counterexample is given in tabular form: when the throttle opening (Thro sensor 1) and engine speed (n sensor 1) of channel 1 work normally and the throttle opening (Thro sensor2) and engine speed (n sensor2) of channel 2 fail, the failure detection module (logic) detects the sensor input signals and generates an output selecting the failed throttle opening (Thro sensor2) and engine speed (n sensor2) signals of channel 2. The control logic is therefore incorrect and does not meet the safety requirement of the initial design of the supercharging system, so the logic design of the control system must be changed. It should be noted that, since control system logic designs differ, the logic errors that occur in them also differ; the counterexample here is only one illustrative error, and in another design the error may be different.
For the logic check of single or combined component failures with the control logic normal, one embodiment of the invention takes sensor failure as the example and uses the established component failure model to perform model checking of single and combined sensor failures. Since the analysis object involves 4 input sensors, there are 4 cases of single sensor failure, 6 cases of two-sensor combined failure (any two sensors), 4 cases of three-sensor combined failure and 1 case of all four sensors failing, 15 cases in total. For each of the 15 sensor failure conditions the failure model is added to the standard model to form a system extension model, and the software design of the control system under that failure condition is then checked one by one, in order to confirm by traversal whether the model meets the system specification, that is, whether the proposition |in1 − in2| ≤ ε holds when one or more sensors fail. Only one failure case is described as an example; the checking process for the remaining failure cases is the same and is not repeated here.
In the embodiment of the invention, when the throttle opening (Thro sensor 1) and engine speed (n sensor 1) of channel 1 and the throttle opening (Thro sensor2) and engine speed (n sensor2) of channel 2 are all set to failed, the output verification result (preset value) is an error. That is, the counterexample shows that when the first sensor group fails and the second sensor group also fails, the signal output by the control system is abnormal, so the safe operation of the engine cannot be ensured. It should be noted that, since control system logic designs differ, the logic errors that occur in them also differ; the counterexample here is only one illustrative error, and in another design the error may be different.
The analysis of the above 15 sensor failure cases shows that if the system is designed with dual redundancy in the model, the control system has the following fault tolerance: when the sensor group of channel 1 fails, the control system switches to the sensor group input signals of channel 2 as designed; if the sensor group of channel 2 has not failed and does not fail during the rest of the flight mission, the control signals output by the control system remain normal and the engine can operate safely; but if the sensor group of channel 2 has already failed or fails during the flight mission, the control signal output by the control system is abnormal and safe operation of the engine cannot be guaranteed. In the latter case the software should be further modified so that the software safety level is maintained once a sensor failure has been identified.
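The channel-selection logic, failure switch, safety property and traversal of all 15 sensor-failure cases described in steps S21 to S23 above can be reproduced as an executable model. The following Python script is an added example and is not the patent's Simulink model or its Design Verifier session: the sensor ranges, the waste gas valve control law, the tolerance EPS, the corrected controller and the constructed "defective" controller that reproduces the page's counterexample (channel 2 selected while channel 1 is healthy) are all assumptions made for illustration. It enumerates every non-empty combination of failed sensors, so it covers all 15 cases rather than the single one the text walks through.

```python
"""Exhaustive (model-checking style) verification of a dual-channel
supercharger controller. Added example, not the patent's Simulink/Design
Verifier model: sensor ranges, control law, tolerance EPS and the defective
controller are constructed to illustrate steps S21-S23 (standard model,
over-range failure injected through a switch, the property |in1 - in2| <= eps,
and traversal of every sensor-failure combination)."""
from itertools import combinations

THRO_RANGE = (0.0, 100.0)   # valid throttle opening, percent (constructed)
N_RANGE = (0.0, 3000.0)     # valid engine speed, rpm (constructed)
EPS = 1e-6                  # tolerance epsilon of the safety property
SENSORS = ("Thro sensor 1", "n sensor 1", "Thro sensor 2", "n sensor 2")


def sensor_output(true_value, rng, failed):
    """S22 failure model: the 'switch' yields the normal reading or an
    over-range one (a value outside the sensor's valid range)."""
    return rng[1] * 10.0 + 1.0 if failed else true_value


def channel_ok(thro, n):
    """Failure detection ('logic'): a channel is healthy only if both readings are in range."""
    return THRO_RANGE[0] <= thro <= THRO_RANGE[1] and N_RANGE[0] <= n <= N_RANGE[1]


def wastegate_command(thro, n):
    """Constructed control-mode channel: waste gas valve opening from the two inputs."""
    return 0.6 * thro / THRO_RANGE[1] + 0.4 * n / N_RANGE[1]


def controller_correct(ch1, ch2):
    """Meets the verification target: channel 1 whenever healthy, channel 2
    as hot backup, alarm when both have failed. Returns (selected, output)."""
    if channel_ok(*ch1):
        return "ch1", wastegate_command(*ch1)
    if channel_ok(*ch2):
        return "ch2", wastegate_command(*ch2)
    return "alarm", None


def controller_defective(ch1, ch2):
    """Constructed defect mirroring the page's counterexample: on any
    disagreement it switches to channel 2 without checking it, so a failed
    channel 2 is selected although channel 1 is healthy."""
    if not channel_ok(*ch1) and not channel_ok(*ch2):
        return "alarm", None
    if ch1 != ch2:
        return "ch2", wastegate_command(*ch2)
    return "ch1", wastegate_command(*ch1)


def enumerate_failure_cases(sensors):
    """Every non-empty set of failed sensors: 2**n - 1 cases (15 for four sensors)."""
    return [c for k in range(1, len(sensors) + 1) for c in combinations(sensors, k)]


def safety_property_holds(measured, standard, eps=EPS):
    """Formal safety attribute |in1 - in2| <= eps; a lost output (alarm) never satisfies it."""
    return measured is not None and abs(measured - standard) <= eps


def readings(true_thro, true_n, failed):
    """Both channels sense the same physical state; 'failed' names the switched sensors."""
    ch1 = (sensor_output(true_thro, THRO_RANGE, SENSORS[0] in failed),
           sensor_output(true_n, N_RANGE, SENSORS[1] in failed))
    ch2 = (sensor_output(true_thro, THRO_RANGE, SENSORS[2] in failed),
           sensor_output(true_n, N_RANGE, SENSORS[3] in failed))
    return ch1, ch2


def check_safety_property(controller, true_thro=45.0, true_n=2400.0):
    """S23 traversal over all failure cases; returns the counterexamples
    as (failed sensors, selected channel, output)."""
    standard = wastegate_command(true_thro, true_n)   # reference output in2
    counterexamples = []
    for failed in enumerate_failure_cases(SENSORS):
        sel, out = controller(*readings(true_thro, true_n, set(failed)))
        if not safety_property_holds(out, standard):
            counterexamples.append((failed, sel, out))
    return counterexamples


def check_channel1_priority(controller, true_thro=45.0, true_n=2400.0):
    """The page's verification target: channel 1 healthy => channel 1
    selected, whatever channel 2 does. Returns the violating cases."""
    violations = []
    for failed in enumerate_failure_cases(SENSORS):
        ch1, ch2 = readings(true_thro, true_n, set(failed))
        sel, _ = controller(ch1, ch2)
        if channel_ok(*ch1) and sel != "ch1":
            violations.append((failed, sel))
    return violations


if __name__ == "__main__":
    for name, ctl in (("defective", controller_defective), ("correct", controller_correct)):
        print(f"{name}: {len(check_safety_property(ctl))} counterexamples, "
              f"{len(check_channel1_priority(ctl))} channel-1 priority violations")
```

Run as a script it reports 12 counterexamples for the defective controller (the 3 cases in which a failed channel 2 is selected over a healthy channel 1, plus the 9 cases in which both sensor groups have failed) and 9 for the corrected one, all of them the loss-of-control cases where both groups have failed, which is the conclusion drawn from the 15 cases above. The exhaustive loop is the small-scale equivalent of the traversal a model checker performs; for a real controller the state space is the product of all sensor and mode combinations, which is why the text stresses automation.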
The above analysis also shows that, compared with the traditional safety analysis method, the model checking method: 1) combines effectively with the model-based system development process to perform formal analysis of the standard model and the extended model, so that safety analysis and performance design proceed in parallel; 2) analyzes more of the errors in the supercharging system control software caused by complex control logic and component failures, and finds defects at the requirements level. It should also be noted that, owing to the complexity of the aircraft engine turbocharging system, the number of sensors in the turbocharging control system is far more than 4, and the number of failure modes grows exponentially with the number of sensors (for example 15 failure modes for 4 sensors, 63 for 6 sensors and 152 for 8 sensors), so the automatic model checking process, which can traverse the whole software part of the turbocharging system, makes the check more complete and greatly improves analysis efficiency (less manual verification, automatic computer support).
The safety analysis and verification method for the turbocharging system of an aircraft engine uses, on the one hand, a Monte Carlo method to evaluate and compare the failure modes and their probabilities before and after the safety control strategy is adopted; the results show that after the safety control strategy is adopted the probabilities of all failure modes of the system are reduced and the safety level is improved. On the other hand, the software part of the control system is analyzed by the model checking method; the example analysis shows that model checking can effectively analyze the influence of complex control logic and component failures in the control system, discover some defects in the requirements and improve analysis efficiency, and is suitable for complex control systems with high safety requirements.
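To make the Monte Carlo half of the method concrete (steps S11 to S13 of claim 1 and the failure probability of claim 4), the following Python script is an added example and is not the patent's engine model or its formulas: it samples constructed influencing factors, evaluates constructed limit state functions for two of the failure modes named in claim 3 (turbine front temperature and supercharger rotor speed) with and without a constructed safety control strategy, and estimates each failure probability as the fraction of samples in the failure region, taken here as g(E) ≤ 0. All distributions, coefficients, limits and the strategy itself are assumptions for illustration.

```python
"""Monte Carlo comparison of failure probabilities before and after a safety
control strategy (steps S11-S13). Added example, not the patent's engine model:
the influencing factors and their distributions, the engine response, the
limit state functions g(E) and the strategy itself are constructed stand-ins,
and the failure region is taken as g(E) <= 0 (assumption)."""
import random


def sample_factors(rng):
    """S11/S12: one random sample of the influencing factors (constructed
    uniform distributions; the patent lists more factors than these)."""
    return {"throttle": rng.uniform(60.0, 100.0),   # throttle opening, percent
            "altitude": rng.uniform(0.0, 4000.0),   # altitude, m
            "speed": rng.uniform(2000.0, 2800.0)}   # engine speed, rpm


def effective_throttle(e, strategy_on):
    """Constructed safety control strategy: above 2500 m the throttle
    opening seen by the supercharger is limited to 85 percent."""
    if strategy_on and e["altitude"] > 2500.0:
        return min(e["throttle"], 85.0)
    return e["throttle"]


def g_turbine_front_temperature(e, strategy_on, limit=1100.0):
    """Limit state for the turbine front temperature failure mode:
    g = limit - operating value (constructed linear engine response, K)."""
    t = (700.0 + 2.5 * effective_throttle(e, strategy_on)
         + 0.03 * e["altitude"] + 0.05 * e["speed"])
    return limit - t


def g_rotor_speed(e, strategy_on, limit=110000.0):
    """Limit state for the supercharger rotor speed failure mode (constructed, rpm)."""
    n_rotor = (600.0 * effective_throttle(e, strategy_on)
               + 3.0 * e["altitude"] + 20.0 * e["speed"])
    return limit - n_rotor


def estimate_failure_probability(sample, limit_state, n=20000, seed=1):
    """p_f estimated as the fraction of samples whose limit state value
    falls in the failure region g(E) <= 0."""
    rng = random.Random(seed)
    failures = sum(1 for _ in range(n) if limit_state(sample(rng)) <= 0.0)
    return failures / n


MODES = {"turbine front temperature": g_turbine_front_temperature,
         "supercharger rotor speed": g_rotor_speed}


def compare_strategy(modes=MODES, n=20000, seed=1):
    """S13: failure probability of each mode before and after the strategy.
    The same seed is used for both runs (common random numbers), so the
    difference reflects the strategy rather than sampling noise."""
    result = {}
    for name, g in modes.items():
        before = estimate_failure_probability(sample_factors, lambda e: g(e, False), n, seed)
        after = estimate_failure_probability(sample_factors, lambda e: g(e, True), n, seed)
        result[name] = (before, after)
    return result


if __name__ == "__main__":
    for name, (before, after) in compare_strategy().items():
        print(f"{name}: p_f before = {before:.4f}, after = {after:.4f}")
```

Reusing the seed for the "before" and "after" runs is deliberate: both estimates see the same sampled factors, so the reported reduction is attributable to the strategy and not to two independent draws, which matters when the difference between two small probabilities is the quantity being compared.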
The safety analysis and verification method for the turbocharging system of an aircraft engine provided by the invention has been explained in detail above. It will be apparent to those skilled in the art that obvious modifications can be made without departing from the true spirit of the invention, which is to be accorded the full scope of the claims herein.

Claims (9)

1. A safety analysis and verification method for an aircraft engine turbocharging system is characterized by comprising the following steps:
step S1: evaluating the failure probability of each failure mode of the supercharging system by a Monte Carlo method, and comparing the failure modes and failure probabilities of the supercharging system before and after the safety control strategy is adopted, to judge the effectiveness of the safety control strategy;
step S2: analyzing and checking the control software part of the supercharging system that adopts the safety control strategy by a model checking method, to judge whether the control software part is capable of handling abnormal inputs;
step S1 specifically comprises the following steps:
step S11: defining the input and output variables of the supercharging system, the input variables being the influencing factors that play an important role in the change of the working boundary of the supercharging system, and the output variables being the system limit state functions used to judge the failure modes of the supercharging system;
step S12: randomly sampling the input variables, calculating with a supercharged engine model the probability distribution characteristics of the system limit state functions of the supercharging system before and after the safety control strategy is adopted, and evaluating by the Monte Carlo method the failure probability of each failure mode of the supercharging system before and after the safety control strategy is adopted;
step S13: comparing the probability distribution characteristics and failure probabilities of the system limit state functions of the supercharging system before and after the safety control strategy is adopted, to judge the effectiveness of the safety control strategy.
2. A safety analysis and verification method for an aircraft engine turbocharging system according to claim 1, characterized in that:
the influencing factors comprise throttle opening, waste gas valve diameter, altitude, engine speed and exhaust pipe diameter.
3. A safety analysis and verification method for an aircraft engine turbocharging system according to claim 1, characterized in that:
the system limit state functions comprise the functions of the turbine front temperature safety margin, the supercharger rotor rotating speed safety margin, the compressor surge margin and the highest explosion pressure safety margin.
4. A safety analysis and verification method for an aircraft engine turbocharging system according to claim 1, characterized in that:
the failure probability of each failure mode of the supercharging system before and after the safety control strategy is adopted is evaluated by the Monte Carlo method according to the following formula:
[formula image FDA0002929126330000021]
where $p_f$ denotes the failure probability of each failure mode of the supercharging system; $E = [e_1, e_2, \dots, e_n]^T$ is the vector of influencing factors; $f(E) = f(e_1, e_2, \dots, e_n)$ is the joint probability density function of the basic random variables; $g(E)$ denotes the system limit state function corresponding to the failure mode of the supercharging system; and $D_f$ denotes the failure region corresponding to a certain set of system limit state functions.
5. A safety analysis and verification method for an aircraft engine turbocharging system according to claim 4, characterized in that:
the system limit state function corresponding to the failure mode of the supercharging system is represented as:
[formula image FDA0002929126330000022]
where $y_{sm}$ ($m = 1, 2, \dots, n$) denotes the safety margin of the limit on the supercharging system failure mode, and $y_{om}$ ($m = 1, 2, \dots, n$) denotes the operating boundary of the supercharging system operating state.
6. A safety analysis and verification method for an aircraft engine turbocharging system according to claim 1, characterized in that step S2 comprises the substeps of:
step S21: establishing a standard model of the supercharging system control software part;
step S22: establishing a component failure model and adding the component failure model to the standard model;
step S23: verifying the supercharging system control software part according to formalized safety analysis.
7. A safety analysis and verification method for an aircraft engine turbocharging system according to claim 6, characterized in that:
the formal safety analysis performed on the supercharging system control software part comprises three aspects: formal description of the safety attribute, system failure simulation and safety attribute verification.
8. A safety analysis and verification method for an aircraft engine turbocharging system according to claim 7, characterized in that:
the formal description of the safety attribute is realized by comparing a measured output value with a standard output value, and if the error between the two output control quantities is within an allowable range, the supercharging system is considered safe.
9. A safety analysis and verification method for an aircraft engine turbocharging system according to claim 7, characterized in that:
verifying the supercharging system control software part according to formal safety analysis comprises control logic verification of the standard model and logic verification of single or combined failures of components under the condition that the control logic is normal.
CN202010104688.3A 2020-02-20 2020-02-20 Safety analysis and verification method for turbocharging system of aircraft engine Active CN111382500B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010104688.3A CN111382500B (en) 2020-02-20 2020-02-20 Safety analysis and verification method for turbocharging system of aircraft engine

Publications (2)

Publication Number Publication Date
CN111382500A CN111382500A (en) 2020-07-07
CN111382500B true CN111382500B (en) 2021-03-30

Family

ID=71218567

Country Status (1)

Country Link
CN (1) CN111382500B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112560340B (en) * 2020-12-09 2022-02-01 南京航空航天大学 Method for estimating surge margin of aircraft engine and control method
CN114186350B (en) * 2022-01-25 2022-04-19 北京航空航天大学 Design method of two-stage supercharging device of aviation power system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103778295A (en) * 2014-01-26 2014-05-07 南京航空航天大学 Method for evaluating operating reliability of multi-model integrated aero-engine under multiple failure modes
CN104750932A (en) * 2015-04-01 2015-07-01 电子科技大学 Structural reliability analysis method based on agent model under condition of hybrid uncertainty
CN105608263A (en) * 2015-12-17 2016-05-25 北京航空航天大学 Adaptive processing method oriented to service life probability analysis of turbine leaf disc structure
CN107703914A (en) * 2017-09-30 2018-02-16 中国民用航空飞行学院 A kind of aero-engine FADEC security of system appraisal procedures
CN108829955A (en) * 2018-06-01 2018-11-16 南京航空航天大学 A kind of aero-engine seaworthiness security verification method
CN109242335A (en) * 2018-09-28 2019-01-18 北京航空航天大学 A kind of efficient calculation method of probability Failure risk evaluation based on probabilistic density evolution theory
CN109872040A (en) * 2019-01-17 2019-06-11 南京航空航天大学 A kind of two part relation probability of malfunction methods of risk assessment of aero-engine

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8832497B2 (en) * 2012-02-07 2014-09-09 A.L.D. Advanced Logistics Development Ltd Methods, apparatus and systems for performing dynamic fault tree analysis

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
Li G, Bao M, Ding S, et al. A system for accurate measuring of thermal-structure displacement on a high speed rotating turbine disk by using digital image correlation technology. Applied Thermal Engineering, 2017-12-31, pp. 36-46. *
Ding Shuiting, Bao Mengyao. Causality Diagram Based Safety Analysis of Micro Turbojet Engine. Transactions of Nanjing University of Aeronautics & Astronautics, 2011-12-23, pp. 262-268. *
Cao Jiaokun, Ding, et al. Sensitivity Analysis for Safety Design Verification of General Aviation Reciprocating Aircraft Engine. Chinese Journal of Aeronautics, 2012-12-31, pp. 675-680. *
鲍梦瑶, 李果, 丁水汀. Model-based safety research on aero-engine systems (基于模型的航空发动机系统安全性研究). 航空动力学报 (Journal of Aerospace Power), 2016-08-31, vol. 31, no. 8, pp. 2029-2039. *
鲍梦瑶, 丁水汀, 李果. Classification of the key factors affecting turbocharger failure in aviation piston engines (航空活塞发动机涡轮增压器失效关键影响因素分级). 北京航空航天大学学报 (Journal of Beijing University of Aeronautics and Astronautics), 2019-06-30, vol. 45, no. 6, pp. 1071-1080. *
李爱军, 武坚, 王长青. Development of aircraft system safety assessment technology (飞机系统安全评估技术的发展). 航空制造技术 (Aeronautical Manufacturing Technology), 2012-12-31, pp. 26-29. *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
  Effective date of registration: 20221207
  Address after: 100080 d4112, 4 / F, block D, Zhizhen building, No. 7, Zhichun Road, Haidian District, Beijing
  Patentee after: Beijing Lingdong Guochuang Technology Co.,Ltd.
  Address before: 100102 No.3, Huajiadi East Road, Chaoyang District, Beijing
  Patentee before: CIVIL AVIATION MANAGEMENT INSTITUTE OF CHINA