GB2448351A - Method and apparatus for active system safety - Google Patents

Method and apparatus for active system safety

Info

Publication number: GB2448351A
Authority: GB (United Kingdom)
Application number: GB0707057A (priority to GB0707057.6A)
Other versions: GB2448351B8, GB2448351A8, GB2448351B, GB0707057D0
Prior art keywords: elements, behaviour, anomalous, safety, dependence
Inventors: Igor Vasilievich Schagaev, Alexander Igorevich Schagaev, Brian Robinson Kirk
Original and current assignee: ITACS Ltd
Legal status: Granted; Expired - Fee Related


Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B 23/00 Testing or monitoring of control systems or parts thereof
    • G05B 23/02 Electric testing or monitoring
    • G05B 23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B 23/0218 ... characterised by the fault detection method dealing with either existing or incipient faults
    • G05B 23/0243 ... model based detection method, e.g. first-principles knowledge model
    • G05B 23/0245 ... based on a qualitative model, e.g. rule based; if-then decisions
    • G05B 23/0248 Causal models, e.g. fault tree; digraphs; qualitative physics
    • G05B 9/00 Safety arrangements
    • G05B 9/02 Safety arrangements, electric

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Emergency Alarm Devices (AREA)
  • Alarm Systems (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

A method is disclosed of providing active system safety for a system comprising a plurality of elements (1 to 5). The method comprises: detecting an element (1) that is exhibiting anomalous behaviour; determining at least one element (3, 6, 2, 4, 5) likely to be causally linked to the anomalous behaviour by using a set of dependency values associated with respective pairs of the elements (1 to 5), each dependency value representing a level of behavioural dependence between the elements of the pair; and performing a safety-related action in dependence on the determination.

Description

METHOD AND APPARATUS FOR ACTIVE SYSTEM SAFETY
The present invention relates to a method and apparatus for active system safety.
Background to the invention
The purpose of active system safety is the avoidance of harm and the improvement of the operational reliability of an object or system as a whole in real time of its functioning.
Previous approaches to achieving safety in complex systems have used the well-established methods of fault-tree analysis (FTA) to identify possible faults, and Failure Mode and Critical Effect Analysis (FMCEA) to determine their likely implications and propose timely action. FTA assumes that all possible faults in the system considered can be foreseen and is used during the design phase in an attempt to identify them. FMCEA ensures that each consequence of the identified fault is analysed and its effects are anticipated whilst conserving safe operation of the system or machine. In summary the safety of the system is based on its initial design and the intrinsic features incorporated to avoid it causing harm during its operation.
These methods can be applied at different levels of detail by the design of specific fault trees enumerating the influence of every possible fault for every component, element or subsystem. When all fault trees have been defined, all possible conditions at every decision point are considered and the probability of their occurrence is estimated. This design analysis of the anticipated consequences of faults from the known set of faults provides the basis for the justification of design decisions of the system itself, and its elements and sub-systems. In application domains such as Aviation, Railways, Automotive, Nuclear Power and Industrial Control, and other dynamic systems involving moving substance, engineers are designing systems containing thousands of components, hundreds of elements and tens of subsystems.
Fault Tree Analysis is effective provided that the class of faults is complete, or at least considered as having an acceptably significant coverage; the faults also need to be known beforehand, i.e. to have been anticipated. The fault behaviour of the system can be modelled by a set of fault trees with known weights (representing probabilities) on each branch and leaf. Essentially FTA is a static design technique and tool; it captures information known when the system was initially designed rather than during its operation. However, for large dynamic systems, FTA and FMCEA based techniques do not offer a complete solution and also have some drawbacks:
1. All fault trees are considered as static structures.
2. All fault trees are developed only during design of the object.
3. A specific fault tree must be developed for every component, element or subsystem.
4. The overall complexity of these trees grows exponentially as the system gets larger.
5. The inter-relation and interaction of multiple subsystems is often not covered by analysis, due to the sheer complexity.
When dealing with safety, a 'hindsight' approach is commonly used to cope with the complexity. Only after an incident has happened is an analysis of fault trees combined with other available evidence in retrospective attempts to determine the faults which caused the incident. Of course by that time considerable irreversible damage and harm to people, property and the environment may have been done. The purpose of active system safety is to avoid harm by the improvement of the reliability of the whole system during both short operations and its long term lifespan.
With the FTA approach there is no 'real-time' possibility to act on the possible flow of events during the operation of the system. The Markov and Bayesian analysis approaches, often used with FTA, are based on a probabilistic analysis of mutual exclusiveness of possible outcomes for every fault event considered. They presume that the probability of changing between (fault) states is constant and that the future state of the system is independent of past states, except for the preceding one. This intrinsically limits the analytic power of mutual dependence because either one fault instance or another is assumed. In reality they may be related because the occurrence of one fault may contribute to inducing other faults during operation.
It is desirable to avoid the typical drawbacks of previous approaches to the diagnosis and anticipation of faulty elements.
The table below outlines typical limitations of FTA identified by the present applicant on the left and the requirements also identified by the present applicant for an improved approach on the right ("MASS" is an abbreviation of "Machine for Active System Safety"):
FAULT TREE ANALYSIS versus MASS REQUIREMENTS
1. FTA: The class of all faults is known before operation of the application.
   MASS: The class of faults changes during the life cycle of an object or system (of its elements) due to ageing, maintenance or other reasons.
2. FTA: Fault tree analysis is static, developed during design of the object, its sub-systems and elements.
   MASS: Dependence between elements of the system is reflected in dynamic changes of structure and significance.
3. FTA: Fault trees are defined at design time and reviewed after events/accidents to detect and understand the cause(s) using expert opinion.
   MASS: The structure of dependence is variable and must be updated during the life cycle using existing and updated information; otherwise the predictive power of prognosis is gradually eroded.
4. FTA: The number of fault trees, and their interactions, grows cumulatively with the complexity of a system.
   MASS: The possibility of identifying, keeping and managing all possible scenarios and fault trees for any system of objects of reasonable complexity is disputable in practice.
5. FTA: Markov and Bayesian approaches are generally used to analyse the outcome of the flow of events during operation.
   MASS: A realistic model of the system might not be Markovian: the rate of transitions is changing, as well as the importance of consequences and the possibilities for recovery and/or repair before harm is inflicted.
6. FTA: Mutual exclusion of possibilities is implied for event analysis.
   MASS: The consequences of many common events are not mutually exclusive. Another, more realistic model is required.
7. FTA: There is no possibility to use FTA in real time of system operation due to the inherent complexity in large systems.
   MASS: A model for prognosis of the system behaviour must be used in real time to improve the operational reliability of the system, and safety.
Table I: Fault Tree Analysis: technique and drawbacks
Summary of the Invention
According to a first aspect of the present invention there is provided a method of providing active system safety for a system comprising a plurality of elements, the method comprising: detecting an element that is exhibiting anomalous behaviour; determining at least one element likely to be causally linked to the anomalous behaviour by using a set of dependency values associated with respective pairs of the elements, each dependency value representing a level of behavioural dependence between the elements of the pair; and performing a safety-related action in dependence on the determination.
The method may comprise determining the element most likely to be causally linked to the anomalous behaviour.
The determining step may comprise, for each of a plurality of test elements, determining an overall dependency value, representing a level of behavioural dependence between the test element and the detected anomalous element, with reference to at least one path between the test element and the detected anomalous element, each path comprising a sequence of two or more elements including the detected anomalous element at one end and the test element at the other end.
The overall dependency value for a test element may be determined from the or each dependency value along the at least one path between the test element and the detected anomalous element.
The overall dependency value may be determined from an accumulation of the or each dependency value along the at least one path between the test element and the detected anomalous element.
A test element may be considered likely to be causally linked to the anomalous behaviour if it is determined to have an overall dependency value greater than a predetermined threshold.
An element may be considered likely to be causally linked to the anomalous behaviour if there is determined to be a level of behavioural dependence between the element and the detected anomalous element greater than a predetermined level.
The method may comprise determining the most likely element as the test element having the highest overall dependency value.
The method may comprise propagating the or each path outwardly from the detected anomalous element.
The method may comprise halting propagation of a path when the accumulation for that path becomes less than a predetermined value.
The set of test elements considered may be determined as part of the method and represents a subset of the plurality of elements, the other elements being assumed to have a lower likelihood of being causally linked to the anomalous behaviour.
Dependency values may be expressed as a likelihood.
Likelihoods may be expressed as a probability.
The determining step may comprise determining at least one element likely to be causing or at least contributing to the anomalous behaviour, such that the at least one element is causally linked to the anomalous behaviour by causing or at least contributing to the anomalous behaviour.
The safety-related action may be performed on at least one of the at least one element determined to be likely to be causing or at least contributing to the anomalous behaviour.
The determining step may comprise determining at least one element likely to be affected by the anomalous behaviour, such that the at least one element is causally linked to the anomalous behaviour by being affected by the anomalous behaviour.
The at least one element likely to be affected by the anomalous behaviour may be the at least one element likely to suffer harm or risk as a result of the anomalous behaviour.
The safety-related action may be performed so as to mitigate any consequences for at least one of the at least one element determined to be likely to be affected by the anomalous behaviour.
The safety-related action may define the advice and/or feedback which is to be applied to improve the current and/or future operational reliability of the element and/or the system and thereby its safety.
At least one of the dependency values may comprise two different values, one representing a level of behavioural dependence of a first element on the second element, and the other representing a level of behavioural dependence of the second element on the first element, and comprising using the value appropriate to the determination being made.
The method may comprise detecting anomalous behaviour of an element by reference to a behavioural model for the element.
The method may comprise updating the behavioural models during use of the method, particularly to improve their capability for identifying anomalies in parts of the system that affect safety and/or to improve the current and future safety of the system.
The method may comprise transmitting information produced by the method to a separate location where the information can be securely monitored and/or stored and/or analysed.
The method may comprise combining information produced by the method in the form of a display so as to highlight current and/or future safety issues and priorities, the information relating to at least one entity or element or group of elements such as an aircraft, train or automobile.
The method may comprise monitoring at least one physical characteristic of each element for use in detecting the anomalous behaviour.
The method may comprise adapting the monitoring of elements for anomalous behaviour based on a history of immediate past behaviour so as to improve the sensitivity of detection.
The method may comprise adapting the monitoring of elements for anomalous behaviour over a prolonged period so as to enable detection of factors affecting safety that only become apparent over a prolonged period of time.
The method may comprise detecting anomalous behaviour that might affect the safety of the element and/or the system.
The method may comprise performing at least the determining step in relation to each of a plurality of sets of dependency values.
The method may comprise performing the safety-related action in dependence on the determinations relating to the plurality of sets of dependency values.
The method may comprise detecting a plurality of elements that are exhibiting anomalous behaviour, and performing the determining step in relation to each of the plurality of detected anomalous elements.
The method may comprise determining at least one element likely to be causally linked to the anomalous behaviour of each of the detected anomalous elements.
The method may comprise performing the safety-related action in dependence on the determinations relating to the plurality of detected anomalous elements.
A behavioural dependence between two elements may exist when the behaviour of one element has an influence on the behaviour of the other element, the level of behavioural dependence being dependent on the extent of that influence.
The method may be implemented by mechanical, electro-mechanical, electrical or electronic means, including Field Programmable Gate Arrays, Custom Designed Integrated Circuits (ASICs) or Microprocessors, employing analogue and/or digital techniques.
The method may comprise using fault tolerant techniques, for example making use of redundancy, so as to improve overall operational reliability of the system.
Being causally linked to the anomalous behaviour may be equivalent to being causally associated with the anomalous behaviour.
According to a second aspect of the present invention there is provided an apparatus for providing active system safety for a system comprising a plurality of elements, the apparatus comprising: means for detecting an element that is exhibiting anomalous behaviour; means for determining at least one element likely to be causally linked to the anomalous behaviour by using a set of dependency values associated with respective pairs of the elements, each dependency value representing a level of behavioural dependence between the elements of the pair; and means for performing a safety-related action in dependence on the determination.
According to a third aspect of the present invention there is provided a program for controlling an apparatus to perform a method according to the first aspect of the present invention or which, when loaded into an apparatus, causes the apparatus to become an apparatus according to the second aspect of the present invention. The program may be carried on a carrier medium. The carrier medium may be a storage medium. The carrier medium may be a transmission medium.
According to a fourth aspect of the present invention there is provided an apparatus programmed by a program according to the third aspect of the present invention.
According to a fifth aspect of the present invention there is provided a storage medium containing a program according to the third aspect of the present invention.
Brief description of the drawings
Figure 1 illustrates the flow of data between the processing elements of the machine and the information that results from the processing; Figure 2 illustrates the structure of the Object and its operational use; Figure 3 illustrates a Dependency Matrix example for six Elements; Figure 4 illustrates a step by step analysis of a Dependency Matrix; Figure 5 illustrates a schematic of a MASS system; Figure 6 illustrates Operational Modes for an Aircraft; and Figure 7 illustrates a practical implementation of MASS.
Explanation of the problem the invention addresses
As systems become more and more complex it becomes more and more difficult to carry out a complete FTA/FMCEA analysis at design time. That is not to say that such an analysis would not be useful. It still has a contribution to make in ensuring that the design of an object or system is as thorough and intrinsically safe as possible. However, additional causes of faults may develop over long periods of operation of the system due to ageing and undesirable interactions. Some such faults may not even have been foreseen at design time. An embodiment of the invention introduces the new technical effect of Active System Safety, which embodies a new approach to detection, evaluation and management of a fault within an operational object and which eliminates at least some of the drawbacks mentioned in the table above. The active safety approach involves a process of monitoring the real-time operation of the object, modelling its key elements, analysing their individual and interactive behaviours, determining any element which appears to be malfunctioning, anticipating its influence on other elements, assessing the elements that are most likely to be contributing to the malfunction and then using the resulting information to determine action that will either directly or indirectly improve the safe behaviour of the object to avoid harm.
When an element of an object develops a fault it will sooner or later cause the behaviour of the element (and the object) to diverge from that intended. Some faults will be immediately manifested by discrepancies in their behaviour, whereas the manifestation of other faults may be delayed for some time, in which case they are referred to as latent faults. The active system safety approach to fault detection and management has the advantage of taking into account any detectable signs of a latent fault; this is achieved by an analysis of the influence of malfunctioning elements on one another and offers at least some possibility of awareness of their existence and the opportunity to take timely and appropriate action.
In safety related and safety critical systems it is important that the object is available and has appropriately safe behaviour according to its context of operation. For example in an aircraft, if an air conditioning element failed at high altitude then the safety consequences would be more serious than at low altitude. Possibly the flight could safely continue by rapidly reducing altitude to a safe level, thus improving operational reliability and availability. In an embodiment of the invention MASS works in tandem with the object being monitored and thus must itself have at the very least as high a level of availability as possible. One means of achieving this is to use the active system safety approach within the embodiment of the active system safety monitor itself; in this way the invention can be used to achieve some level of fault tolerance in its own implementation and in the object or system it is coupled with.
An example from aviation is as follows: here the aircraft is the object under consideration and it incorporates many subsystems (e.g. landing gear, wings, rudder, engine management, fuel management, flight management, air conditioning etc.), each comprised of elements such as individual engines, fuel pumps and sensors. Data from sensors on these elements, and the environment in which they are operating, are recorded in the so-called 'black box' flight data recorder during flight. After flight, and also after a crash, the information can be retrieved and analysed to monitor the operation of the aircraft in flight and/or to discover the reason(s) why it may have crashed. An embodiment of the invention, when applied in Aviation, creates a system where the flight data is still recorded; however, the data are also evaluated by the MASS in real time of operation (flight) to monitor current and anticipated faults in the elements (of the aircraft) based on the comparison between the actual and modelled behaviour of the elements and the network of dependency (influence) between the potential and actual faults of the elements, i.e. propagation of malfunction between elements. In this way advice can be derived from the fault diagnosis and prognosis and used on a continuing basis to provide information to the aircraft's pilots, or used directly by a flight management subsystem, with a view to avoiding harm and thereby improving safety.
In some systems the object exists within an environment which also may have a high level of influence on it, for example an aircraft flying through an unexpected air pocket which causes a sudden loss of height. To account for this, within MASS some 'pseudo' elements of the object may represent aspects of the environment, such as barometric pressure in the atmosphere in the example above. It may also be useful to consider the whole object as one of the elements. In this way both the object and aspects of its environment can be brought within the scope of Active System Safety.
What an embodiment of the invention does
An embodiment of the invention relates to a machine for active system safety (MASS) which diagnoses and/or prognoses faulty elements of the dynamic object or system that it monitors in real time of its operation. It provides action advice such that the effects of such faults can be avoided or mitigated, thus reducing harm and thereby improving system safety.
The purpose of an embodiment of this invention is to improve the behaviour and reliability of dynamic objects (systems) which are intended to be safe, for example aircraft during their operation. All objects are subject to malfunctions during their lifetime due to faults developing and sooner or later becoming apparent during operation. Typical causes of faults are overstressing of materials, metal fatigue from vibration or thermal cycling, gamma radiation inducing faults in electronics, loss of fuel or motive force, and simply ageing. A system is illustrated in Figure 1, being composed from three sub-systems 1, 2 and 3. (It should be noted that the hierarchical distinction between systems, subsystems, object and elements is not generally important in the context of the invention. For example, a group of elements can be considered to relate to a subsystem, but the subsystem may itself be considered as an element that is itself considered, as a whole, in relation to other elements. For example, one might naturally view an aircraft as a system rather than as an element, but it also interacts with the atmosphere and so the interaction between the aircraft and the atmosphere can be considered to be between two elements in a similar way as one would consider the interaction between elements of the aircraft like engines, fuel pumps and sensors.) The first is the Object 1 (typically a machine or system) that already exists and which needs to operate in its environment in as safe a manner as possible, for example an aircraft (object) flying through the atmosphere (environment). The object is composed from functional elements labelled a, b, c, d and e. The elements may be grouped into subsystems for convenience, so for example an aircraft engine might be a subsystem which contains elements such as fuel injectors, a rotor and an igniter.
Some elements receive data about their environment from outside the systeni via interfaces (labelled 4), such as say air temperature and pressure. Data often how from element to element to enable them to share parameter values and to control synchronization within the overall systern this is illustrated by the headed arrows connecting the elements and subsystems. The object I is operated by a controller which is either a human (e.g. a pilot), or an automatic subsystem (e.g. an auto-pilot) via the interface labelled 5 by sending request actions (commands) to change parameter values for the elements or to activate the desired functions.
The second sub-system 2 relates more closely to an embodiment of the invention i1self the Machine for Active System Safety (MASS). It monitors streams of data gathered from the element sensors of the object 1 via the interface labelled 6. These data are stored usually in a lime series of data frames, with each frame containing values for each of the element parameters that are being monitored. There is a model in 2 for each element being monitored in the object 1. It is important of course that the modelling should be accurate enough to show up defective behaviour in an element, achievable in real time of operation of the object I and Ir more reliable than the real object (to ensure availability).
A set of elenient comparators monitor the operational behaviour of the actual elements and the modelled behaviour of the elements based on the values in the data frames.
Having a time series of stored frames of values greatly assists with detection of data patterns and trends over lime. The element modelling analysis monitors the data for any indication that there is any discrepancy in its behaviour in the current context. The analysis of the implications of the discrepancy is characterized by a table of dependency values which defines the likelihood of a fault in one element being an influence on another element. Clearly the content of this Dependency Table (also refrred to as the Dependency Matrix) needs to be application specific in order to be of relevance. The values in the table are initially provided by experts in the application domain based on their experience, the nature of the object and its elements. In a more refined embodiment of the invention the values in the Dependency Table can be updated automatically based on the past behaviour of the object in order to refine the eflictiveness of MASS in the long term.
The relation of dependence between elements is associated with an edge which has a direction which defines which element is the infiuencer and which is influenced. There is a weight associated with the direction (say between element a and b), this being the probability that ian element a has an influence on element b". Of course it may also be the case that there is mutual dependence between two elements in which case two values may link them, one for the influence ofa on b and the other for the influence of b on a. It is also to be noted that the view of dependence is reversible, so that the likelihood of a having an influence on b might equally be considered as the likelihood of b being influenced by a. Further, the manner of representing and storing the dependency values is not important. For example, although described herein as being represented in the form of a matrix, this is not essential. Also, it is not essential that separate values (or pairs of values) be stored to represent each link: for example where two links are highly correlated, a single dependency value (or pair of values) could be used to represent both links for the sake of efficiency or convenience.
It now beconies possible to follow the forward paths from element to element defined by the Dependency Table to analyse how the discrepancy influences the behaviour of the object as each element propagates its effect to its other related elements. By accumulating the probability weights along each path ii is possible to determine the overall efièct of the discrepancy as a list of affected elements and the probability of the malfunction spreading to them. Now by fbllowing the backward paths from the element which originally manifested the malfunction to all the elements that it is influenced by, and again accumulating the cumulative probabilities, it becomes possible to determine the element most likely to be causing the discrepancy.
Threshold values can be used to ensure the termination of a path when the cumulative probability along it is so small as to be practically insignificant. When there are multiple paths connecting the same two elements, only the most likely path is considered. A set of appropriate actions can now be made by reference to an Action Table which associates a means for corrective action with each element's recovery. For example if a Pilot were involved the action might be to show a relevant advice message on the Human Machine Interface. In the example mentioned before, if the air conditioning failed at too high an altitude then the action message would be to reduce altitude as quickly and as safely as possible.
The third subsystem 3 is the Operational Controller that couples together the Object 1 and the Machine for Active System Safety 2. It may be embodied in a number of ways, for example with a human being or some more mechanistic control system. In Aviation, subsystem 3 could be a Pilot or a Flight Control System.
In the case of subsystem 3 being a pilot the invention provides a Human Machine Interface (HMI) labelled 7 in Figure 1. This indicates the recommended action(s) to be taken and optionally the reasons for them, i.e. a summary of the element fault scenarios derived by an embodiment of the invention presented in a form that the Pilot can easily understand. The Pilot then interprets this information within the current flight (or ground) context and pilots the aircraft accordingly. The safety control loop in this case is 'closed' by the Pilot and ultimately the Pilot is in control of the situation and must exercise judgment based on the advice given.
In the case of subsystem 3 being a Flight Control System (FCS), the safety control loop is a 'closed loop' system and the Pilot is not involved in the decision making. The interface 7 now takes the form of data signals, for example individual analogue or digital signals or a network connection via which the actions and fault reasons from subsystem 2 (MASS) are passed to subsystem 3. The FCS now determines the safest way to resolve the current situation based on the current context. Clearly the design of such an FCS requires the utmost care.
The actual reason for the manifested discrepancy between current and expected (modelled) data for an element might be either the suspected element itself or elements that have a significant influence on it. Such elements may actually have a fault or may currently have latent faults that are not yet evident. Also it may be the case that the element causing the fault in the object does not have a sensor, or has a broken sensor, and thus is effectively invisible.
The compact format of the Dependency and Recovery Tables of links and weights between elements provides an alternative to keeping all fault trees for all possible scenarios. Instead the implications of a discrepancy are derived from them in real time of the object's operation, thus drawbacks 4 and 6 mentioned above in Table 1 are overcome.
Further details of an embodiment of the invention
An embodiment of the invention is a machine that continuously implements the following process, which is referred to as the Active System Safety Process: Before the operation of the system an initial set of dependencies is derived for the object's elements based on domain experts' knowledge and opinions. This comprises a graph with a set of edges representing the dependency relations between the elements, and each edge has associated with it a direction and weight representing the probability of influence of one element on the other; it may also be represented as a table referred to as the Dependency Matrix. The action to be taken when the most likely source of the object's malfunction has been determined is held in the Recovery Matrix.
In order for the process to achieve termination there is a threshold E that is used to judge significance when evaluating the influence between related elements. There is also a threshold p which is used to determine and ultimately terminate the backward evaluation of the paths that bear an influence on the element manifesting the discrepancy.
The process of Active System Safety is performed during flight operation by repeatedly checking every element for any discrepancies between current and expected data by evaluating models relating to each element. If such a discrepancy is detected then the influence of the "suspected element" is evaluated for all paths emanating from it whilst the probability along each path is cumulatively greater than the threshold value E. At the same time the process builds a list of all "possible consequences", i.e. paths of influence, ranked by the size of the cumulative probability along the analysed path. The result of this analysis is the 'consequence', a list of the elements affected each with the probability of the malfunction being propagated to them. Now all paths to the suspected element are determined by following all the references connected to it backwards (in reverse) to identify the most likely causation path. This process is continued along each path whilst the cumulative probabilities of dependencies are greater than p, resulting in a list of paths and their cumulative probabilities.
The action associated with the element at the start of the most probable path can now be determined and be presented to the people or other means of operational control of the object, such as the pilot, flight engineer, or ground service staff, to either fix or report the problem and thus mitigate its harmful consequences.
Now based on the data accumulated during the flight, and on longer term flight data from previous flights, the links in the Dependency Matrix can be re-evaluated and adjusted to reflect the current knowledge of the most current relations between the object and its elements.
By using this process it becomes possible to implement an active system safety which avoids at least some of the drawbacks described in Table 1 above.
Based on the Active Safety technical effect, a number of further refinements and extensions are envisaged. The Element Models and the Element Model Behaviour Comparator (Figure 1, Box 2) may have their criteria for judging anomalous behaviour adapted dynamically to the current operational context. The parameter profiles used to characterise the monitoring of factors affecting system safety can depend on the immediate past history of system behaviour (for example the Flight Mode of an operational aircraft such as takeoff, cruising, landing). An example might be an aircraft engine where high revolution speed limits would be acceptable for a short period during the 'takeoff' flight mode but lower limits would be used for the longer term 'cruising' flight mode. This can lead to an improvement in the sensitivity of detection of safety-related anomalies in the system's behaviour.
Data in the longer term may be accumulated (and possibly condensed) to enable detection of faulty elements or factors affecting system safety which can only become apparent over a long period of time (for example aircraft flight data over many flights, ideally over the whole operational life of the aircraft). In this case the Element Model Behaviour Comparator takes into account the longer term trends in data associated with the elements of the object. Achieving this relies on analysis of Flight Data for each flight and keeping summary records of previous flights for the value ranges of the data. Accordingly the current limits (criteria) for detecting anomalous behaviour in each Element Model can be refined over the object's operational lifespan. This offers significant improvements over present techniques where data is often overwritten after each flight, or even within a flight.
The data associated with Active Safety within MASS (such as factors affecting system safety and the results of Dependency Matrix analysis and the Recovery Matrix analysis) may be transmitted to a separate location where it can be securely monitored, stored and analysed. This may be done in parallel with the local storage of data in MASS itself, for example onboard the aircraft. The benefits are data assurance in the event of a catastrophic disaster involving the loss of the MASS unit and the ability to store all operational data accumulated from the whole operational lifespan of the aircraft for further analysis.
The accumulated operational results of the active safety system may be processed and used to update the contents of the Safety Dependency Matrix in order to improve its capability for identifying discrepancies in elements that affect safety of the system, and the relations between them. Also the Recovery Matrix actions can be updated in order to improve the advice and feedback that can be applied to improve the current and future safety of the system. The aim here is to improve the sensitivity of detection of actual element faults and to avoid so called 'false positives', i.e. erroneous advice provided to the Operational Controller, see Figure 1.
The scope of active system safety may be expanded to more than a single object at the same time, for example all aircraft in a given airspace. This could provide a scheme whereby the results of the Dependency Matrix analysis and the Recovery Matrix analysis of one or more entities (for example aircraft, trains, automobiles) are transmitted to a common point and are combined in the form of a display to highlight current and future safety issues and priorities in the airspace.
The Active Safety process can be implemented by a variety of technologies for recording and retrieval of data and also processing it in the functional blocks shown in Figure 1.
MASS could be implemented using mechanical, electro-mechanical, electrical or electronic means (including Field Programmable Gate Arrays, Custom Designed Integrated Circuits (ASICs) or Microprocessors) employing analogue and/or digital techniques.
The implementation of MASS using hardware and/or software may be designed and fabricated using fault tolerant techniques making use of redundancy in the implementation to improve its overall operational reliability and thereby its availability. The intent here is that the operational reliability of the unit implementing MASS should be at least as high as that of the object being monitored, and ideally high enough to achieve continuous availability of operation of MASS during the whole operational lifespan of the object being monitored. It is important that the MASS implementation has a higher level of availability than the object or system that it is coupled to and monitoring.
More detailed description of an embodiment of the invention
An embodiment of the invention relates to a machine for active system safety (MASS) which diagnoses and/or prognoses faulty elements of the dynamic object that it monitors in real time of its operation. It provides action advice such that the effects of such faults can be avoided or mitigated, thus reducing harm and thereby improving system safety.
The salient features of the invention are illustrated in Figure 2.
The left hand side of Figure 2 shows how the structure of the object is considered to be composed. The object 11 is composed of functional elements 12. An element model 13 defines the expected behaviour for each element and a set of predicates 14 define whether the current behaviour is as expected for each element for each distinct mode of the object's operation (for example in the case of the object being an aircraft the operational modes might be taxiing, taking off, cruising, landing).
The relations between the elements of the object are defined by a Dependency Matrix 15 and the Recovery Matrix 16. The definition of items 11 to 16 results from analysis by an expert in the operation of the object within its operational environment, bearing in mind the intended purpose of the object and its expected operational behaviour. Items 11 and 12 comprise the scope of the object itself and its constituent parts, whereas items 13 to 16 provide additional information about the object which is part of MASS.
The right hand side of Figure 2 shows how the operational use of the object is monitored by MASS (items 13 to 27). It assesses the behaviour of the object's elements in real time of operation and proposes action to conserve or improve its safety. A set of sensors 17 monitors parameters of the elements of the object and/or the environment of the object (for example engine revolutions of the engine (element), air speed of the aircraft (whole object), and barometric pressure of the air (environment)). The sensor values are captured in real time 18 and stored in operational data frames 19 in a convenient format for subsequent analysis of a single frame or a series of frames of a time period. The real time data is then analysed 20 to determine the operational mode 21 of the object which provides the context for further analysis of the detailed operational data.
The element predicates 14 are then applied to the element models 13, in the context of the operational mode 21, in order to determine whether each element is exhibiting its expected behaviour in the current operational mode. This involves modelling each element's behaviour and comparing it, via the predicates 14, with the actual behaviour derived from one or more frames of the operational data. If any of the elements are faulty then the result of this analysis indicates a discrepancy 23 related to an element, which is not necessarily the actual faulty element itself.
Now the dependency matrix 24 is evaluated based on the current discrepancy in order to evaluate the consequences of the discrepancy based on the probability that each element has of propagating it and the relations between the elements which are already defined in the dependency matrix 15. The result of this analysis is the consequence 25 which is a list of elements affected by the original discrepancy and the probability of the malfunction being propagated to each of them. The element manifesting the discrepancy is then used as the starting point for evaluating the recovery matrix 26 to discover the action 27 needed to conserve or improve the safety of the object. This evaluation relies on analysing the elements that contribute to the consequence in order to determine the element which is most likely to be causing the discrepancy 23.
Each element 12 has an element model 13 which models its behaviour in real time, such that malfunction of the element can be detected by the predicates 14 in the operational context (mode) 21 of the object in order to improve the relevance, accuracy and sensitivity of discrimination between normal and abnormal behaviour of the object. If a predicate 14 evaluates to false (rather than true) then this indicates a specific discrepancy 23 for the element, each predicate being defined to identify a specific discrepancy.
The dependency between elements, with respect to propagation (influence) of malfunction behaviour from one element to another, can be defined in graph (visual) or matrix (mathematical) form as illustrated in Figure 3. In the graph form each element is represented by a node and each relation is represented by an edge; note that the relation is directional, indicating the direction of flow of the influence. The graph form is convenient for analysis and presentation by people; however for machine analysis it is more convenient to represent the same information in the form of a matrix. The graph and matrix forms are directly equivalent.
An example in Figure 3 shows a graph representing six elements, a matrix showing the notation conventions and a matrix of cells that is equivalent to the graph. In this case the possibility of element 1 inducing a fault in element 2 is P1,2 = 0.03. Note that the matrix form conveniently allows for the situation where two elements are co-dependent. For instance elements 1 and 2 are co-dependent with P1,2 = 0.30 and P2,1 = 0.60. Whenever a discrepancy (Figure 2, 23) is detected during operation of MASS the dependency matrix is evaluated in order to determine the likely consequence; this evaluation must take into account, and resolve, cases of co-dependence and also circular dependencies such as P1,3, P3,2 and P2,1 of Figure 3.
The process for evaluating the dependency matrix involves searching all paths (sequences of related elements) from the element indicated by the failure of a predicate, referred to as the "suspect" element. The purpose of the evaluation is to find the nodes (elements) in the paths that are significant in terms of propagating the faulty behaviour. Each path with an edge from the suspect node is followed whilst calculating the cumulative probability of each vertex traversed until that value falls below a threshold E. The threshold is used to terminate the evaluation once it becomes of no significance; the value of the threshold is determined empirically for a particular object in its operational context.
Evaluation is also terminated when a node has been included in another path, in order to avoid endless looping in the evaluation of the graph. If there are multiple paths connecting the same two nodes (e.g. between elements 1 and 2 in Figure 3: path P1,2 (0.3) and path P1,3 (0.5) and P3,2 (0.7)) then the path with the higher cumulative probability is taken. The matrix is not considered to be Markovian as the sum of probabilities associated with the edges from a particular node may not be equal to 1 and thus several paths (consequences) may be possible.
Tracing through the graph starts at the 'suspected' node and terminates when all the significant paths of nodes have been followed and the elements and their cumulative probabilities have been determined. The evaluation leading to the Result follows the steps below: Initially a Queue is created to hold a list of tuples of data ordered by cumulative probability. Each tuple contains the start node, the end node and the cumulative probability so far. A tuple representing each node of the graph is put into the queue with default values of the probability significance threshold for the cumulative probability field, as illustrated in Figure 4.
If the (highest) probability of the top tuple in Queue is less than E then the process is terminated, otherwise node 1 is the active node and its edges P1,2 and P1,3 are compared, with P1,3 being the greater as shown by the bold line in the second step (more detail below).
Now Queue is updated by moving the highest priority tuple to Result, in this case for node 3, and updating the edge information (predecessor node and cumulative probability) for the nodes visited in this step (nodes 2 and 3) based on the probability along each edge.
The updated tuples are shown in italics in the Queue column. The content of Queue is now resorted by probability value.
More formally:
1. The 'suspect' node is determined by an element (node) predicate.
2. Queue initially contains a tuple for each node of the graph. Each tuple contains node number, predecessor node, cumulative probability of path. All predecessor values are set to 'none'. All cumulative probability values are set to the significance threshold value E.
3. Result is initially empty but will contain a tuple for each node of the graph that is significant in terms of propagation of faulty behaviour.
4. An initial tuple is added to Result; it represents the suspect node, it has no predecessor and a cumulative probability of 1.0. The status at this point is illustrated in Figure 4, step 1.
5. Now while Queue is not empty and the highest priority of any tuple in Queue is greater than or equal to the threshold E:
a. For the node of the highest probability tuple in Queue find all the edges adjacent to other nodes that have not previously been included in a path (the highest probability path of multiple duplicate paths is taken), and update their cumulative probabilities in Queue in their tuples.
b. Order the tuples in Queue by probability.
c. Move the tuple with the highest probability from Queue and add it to Result.
6. Result now contains the list of all nodes that form significant paths from the suspect node.
A step by step example is illustrated in Figure 4 which shows each of six stages in the evaluation of the graph defined in Figure 3. The columns are:
a) step number;
b) graph status, with the current path shown in a thicker line and the current active node being evaluated shown in bold;
c) Queue is a list of nodes yet to be analysed; it contains tuples of the node number, its predecessor node and the cumulative probability so far along the path. It is sorted by probability;
d) Result is a list of tuples of the node number, its predecessor node and the cumulative probability which are the result of the analysis. It defines the paths in the graph that are significant.
The evaluation proceeds as illustrated in Figure 4:
Step 1: Node (element) 1 is assumed to be the one manifesting the symptoms of a fault (a predicate failure).
Initially all the nodes are given their default edge information and entered into Queue; the probability of the suspect node is initially set to 1.0 and the probability of all the other nodes is initially set to the threshold value. No edges have yet been traversed. The Result contains only the tuple for the initial suspect node, in this case node 1.
Step 2: If the (highest) probability of the top tuple in Queue is less than E then the process is terminated, otherwise node 1 is the active node and its edges P1,2 and P1,3 are compared, with P1,3 being the greater as shown by the bold line. Now Queue is updated by moving the highest priority tuple to Result, in this case node 3, and updating the edge information (predecessor node and cumulative probability) for the nodes visited in this step (nodes 2 and 3) based on the probability along each edge; these are shown in italics in the Queue column. The content of Queue is now re-ordered by probability value.
Step 3: If the (highest) probability of the top tuple in Queue is less than E then the process is terminated, otherwise node 3 is the active node and its edges P3,4 and P3,6 are compared, with P3,6 being the greater as shown by the bold line. Node 2 is not considered as it has already been taken into account during step 2. Now Queue is updated by moving the highest priority tuple to Result, in this case for node 6, and updating the edge information (predecessor node and cumulative probability) for the nodes visited in this step (nodes 4 and 6) based on the probability along each edge; these are shown in italics in the Queue column. The content of Queue is now resorted by probability value.
Step 4: If the (highest) probability of the top tuple in Queue is less than E then the process is terminated, otherwise node 6 is the active node and its sole edge P6,5 is shown by the bold line. Now Queue is updated by moving the highest priority tuple to Result, in this case node 2, and updating the edge information (predecessor node and cumulative probability) for the nodes visited in this step (node 5) based on the probability along each edge; these are shown in italics in the Queue column. The content of Queue is now re-ordered by probability value.
Step 5: If the (highest) probability of the top tuple in Queue is less than E then the process is terminated, otherwise node 2 is the active node and its sole edge P1,2 is shown by the bold line. The edge P3,2 also provides part of a path from node 1 to node 2 and this is shown as a dotted line in Figure 4, step 5. The cumulative probability of the path P1,3 (0.5) and P3,2 (0.3) is 0.15 which is less than the alternative path P1,2 (0.3) and therefore it is discounted. Now Queue is updated by moving the highest priority tuple to Result, in this case node 4, and updating the edge information (predecessor node and cumulative probability) for the nodes visited in this step (in this case none) based on the probability along each edge; these are shown in italics in the Queue column. The content of Queue is now resorted by probability value.
Step 6: If the (highest) probability of the top tuple in Queue is less than E then the process is terminated, otherwise node 4 is the active node and its sole edge P3,4 is shown by the bold line. Now only a single tuple remains in Queue and in this example it is assumed its probability is less than E and so it is not moved to the Result. Now the Result contains all the significant paths, the consequence of Figure 2 item 25.
Now that the set of elements affected by the element's abnormal behaviour has been determined by the dependency analysis, further analysis can be performed to evaluate the set of elements most likely to be causing the element's abnormal behaviour. This information can then be used to determine the action to conserve or improve the safety of the object by adjusting the way it is operated to mitigate the short and longer term effect of the abnormal operational behaviour of the object. This is needed for three main reasons:
1. an element sensor or its evaluation model may be inaccurate;
2. abnormal behaviour in one element may not manifest abnormal behaviour in another element;
3. it is desirable to be able to decide on a recovery action based on the set of elements of significance determined by the dependency analysis and then the recovery analysis.
In order to achieve this the Recovery Matrix, see Figure 3, must be evaluated to find the set of elements most likely to be causing the abnormal behaviour. The Recovery Matrix has the same form as the Dependency Matrix except that:
1. the element identified as exhibiting a discrepancy is the initial "suspect" element;
2. the edges of the graph are searched in the opposite direction (backwards) to follow the causal flow of abnormal behaviour to an element;
3. the value associated with each edge is now viewed as the probability that the behaviour of the active node (currently being considered) is influenced by nodes which have an edge to it;
4. a different threshold value p is used, this being the causal significance threshold.
The result of this analysis is a list of tuples defining the set of nodes which are the most likely cause of the abnormal behaviour, ranked by cumulative probability of cause. The tuple with the highest probability indicates the node which is the most likely cause of the abnormal behaviour. In a simple system an action could be associated with each node and this could also be stored in the recovery matrix.
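The Queue/Result evaluation described for the dependency matrix (steps 1 to 6 and the walkthrough of Figure 4) and the reversed search of the Recovery Matrix just described are the same procedure run over the same edges in opposite directions. The following is an added example, not the patent's own code, that implements both. The dependency graph is constructed for the example and is not the graph of Figure 3 (only some of whose values this page reports); thresholds E and p are passed in as parameters. Two details are this example's own reading of the text: a node already moved to Result is never revisited (which is what stops co-dependent and circular edges from looping), while a node still in Queue keeps the higher of two competing paths, and nodes that are never reached are left out of Result rather than reported at the default probability.

```python
# Added example, not the patent's own code: the Queue/Result evaluation of a
# dependency graph, run forwards (consequence analysis, threshold E) or backwards
# over the same edges (recovery analysis, threshold p).

# Constructed dependency graph for the example. These are NOT the values of the
# patent's Figure 3. A key (a, b) with value p means: probability p that a fault
# in element a propagates to element b.
EXAMPLE_EDGES = {
    (1, 2): 0.30, (2, 1): 0.60,     # elements 1 and 2 are co-dependent
    (1, 3): 0.50, (3, 2): 0.70,     # 1 -> 3 -> 2 -> 1 is a circular dependency
    (3, 4): 0.20, (3, 6): 0.80,
    (6, 5): 0.50,
}


def evaluate_paths(edges, suspect, threshold, backward=False):
    """Return the Result list of (node, predecessor, cumulative probability) tuples,
    in the order in which they were moved from Queue to Result.

    backward=False follows edges in the direction of influence (consequence analysis);
    backward=True follows them against it (recovery / most-likely-cause analysis).
    """
    nodes = {n for pair in edges for n in pair} | {suspect}
    # Adjacency in the direction of the search; the higher of duplicate edges is kept.
    adjacent = {n: {} for n in nodes}
    for (src, dst), p in edges.items():
        if backward:
            src, dst = dst, src
        adjacent[src][dst] = max(p, adjacent[src].get(dst, 0.0))

    # Steps 2-4: Queue holds one tuple per node (predecessor 'none'); the suspect
    # starts at 1.0. Unreached nodes are held at 0.0 so that they are never
    # reported as significant (the page's default is the threshold itself).
    queue = {n: (None, 0.0) for n in nodes}
    queue[suspect] = (None, 1.0)
    result = []

    # Step 5: the active node is always the highest-probability tuple still queued.
    while queue:
        active = max(queue, key=lambda n: queue[n][1])   # 5b: order by probability
        predecessor, prob = queue[active]
        if prob < threshold:                              # nothing significant is left
            break
        del queue[active]
        result.append((active, predecessor, round(prob, 6)))   # 5c: move to Result
        # 5a: update the still-queued neighbours. A node already in Result is never
        # revisited; a queued node keeps the higher of two competing paths.
        for nxt, p in adjacent[active].items():
            if nxt in queue and prob * p > queue[nxt][1]:
                queue[nxt] = (active, prob * p)
    return result


def most_likely_cause(edges, suspect, threshold):
    """Recovery analysis: the element, other than the suspect itself, heading the
    highest-probability backward path, or None if no cause is significant."""
    causes = evaluate_paths(edges, suspect, threshold, backward=True)
    return causes[1][0] if len(causes) > 1 else None


if __name__ == "__main__":
    # Consequence of a discrepancy in element 1, significance threshold E = 0.15.
    for node, pred, p in evaluate_paths(EXAMPLE_EDGES, 1, 0.15):
        print(f"element {node}: predecessor {pred}, cumulative probability {p}")
    # Most likely cause of a discrepancy seen in element 2, causal threshold p = 0.1.
    print("most likely cause for element 2:", most_likely_cause(EXAMPLE_EDGES, 2, 0.1))
```

With the constructed graph, the forward run from element 1 lists elements 3, 6, 2 and 5 and drops element 4 (0.5 × 0.2 = 0.1 is below E = 0.15); element 2 is reached at 0.35 via element 3 rather than 0.30 directly, which is the "higher of duplicate paths" rule in action. The backward run from element 2 names element 3 as the most likely cause (0.7 directly, against 0.3 via element 1). Because the cumulative value is a product of probabilities, this search is equivalent to a shortest-path search over the edge weights -log p, which is a useful sanity check when validating a Dependency Matrix against hand-computed cases.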
It is to be noted that there could be a different set of graphs (with possibly the same set of nodes, but different weights on the edges). Each graph represents a different 'failure' viewpoint, e.g. electrical, hydraulic, mechanical, and so on. In such a case there would be multiple evaluations of the graphs to find the likely cause from each viewpoint. If the topology of the graphs is the same, this idea is referred to as 'graph colouring'. The set of results could then be used to get a clearer picture of the nature of the fault and so give more appropriate safety advice.
It is also possible to perform multiple back and forward searches, for example from three nodes exhibiting anomalous behaviour, and then determine whether there is a high probability of common causes or effects by analysing the results of the multiple searches.
An illustrative application of an embodiment of the invention
A schematic of MASS is illustrated in Figure 5 which depicts a practical implementation for Aviation. Boxes 31 to 34 are part of an aircraft. Box 31 represents the sensors on the aircraft, such as temperature and pressure sensors monitoring elements of the object. Box 32 represents the Flight Control System which takes the sensor values and presents them to the Flight Crew 35 via the Flight System Interface 34. The Flight Crew 35 pilot the aircraft by providing commands to the Flight Control System, resulting in control commands being given to actuators to make adjustments to the aircraft's flight surfaces, engines and undercarriage etc. The values from the sensors are also received by the MASS Flight Data Interface 36 which acts as the Data Access Unit (DAU) for the MASS system. Additional sensors specific to MASS, 37, may also provide data, for example accelerometers in the 3 dimensions. Operational Flight Data from the DAU 36 is received by the MASS Evaluation Unit which implements the process described below in Figure 7.
This results in an accumulation of operational flight data in the MASS Flight Data Memory 39 which may be copied in real time via radio or satellite link to a remote MASS Data Storage Facility 40 for security and analysis. The result of the MASS Evaluation Unit 31 is a safety action which is presented to the Flight Crew 35 via the MASS Interface 41. This might be either a small PDA device or an instrument on the aircraft control panel; it shows action advice in a form easily understood by the pilot.
The MASS power supply provides power to the MASS equipment and in particular it may be independent of the aircraft's main power supply so that data is still monitored and collected even if the aircraft's supply fails, e.g. due to engine failure.
The MASS is concerned with monitoring the operation of the object and its elements, and in order to perform this effectively it is helpful to partition the operation of the object into separate characteristic modes. This makes it possible to fine tune the element Model Predicates (Figure 7, box 67) to be very specific to the characteristics of each particular mode.
For example during take-off very high engine speed is to be expected, even essential, whereas during cruising or descent this could indicate a potentially unsafe situation.
Figure 6 illustrates a set of operational modes for an aircraft, labelled 51 to 58. The edges between the modes indicate the expected changes between modes and these are determined by Flight Mode Predicates (Figure 7, Box 64); some simple examples of these are as follows:
Parked: the aircraft is stationary with ignition off.
Taxi-out: when the speed of the aircraft V lies in the following range: 0 < V < 25 km/s (and no previous flight mode has been recorded as part of this specific flight).
Take-off: when the speed of the aircraft V is greater than 25 km/s and the previous flight mode was 'Taxi-out'. In the case of the previous flight phase being 'Landing', the acceleration (i.e. the rate of change of the speed) of the aircraft must also increase from <0 to >0 for a duration of more than, say, 3 sec.
Climb: when the speed of the aircraft V is greater than 25 km/s and the barometric altitude is greater than 1000 feet and the rate of climb (i.e. the vertical speed) is positive and greater than +100 feet/min and the previous flight mode was 'Take-off'.
Cruise: when the rate of climb of the aircraft is less than +100 feet/min, but greater than - feet/min, and the previous flight mode was 'Climb'.
Descent: when the rate of climb of the aircraft is negative but less than -100 feet/min and the previous flight mode was either 'Climb' or 'Cruise'.
Landing: when the speed of the aircraft V is less than the minimum landing speed, VMax Landing (a/c specific), and the rate of climb is negative but greater than -100 feet/min (for, say, 3 sec) and the previous flight mode was either 'Climb' or 'Cruise' or 'Descent' or 'Take-off'.
Taxi-in: when the speed of the aircraft V lies in the following range: 0 < V < 25 km/s and the previous flight mode was 'Landing'.
The normal sequence of flight goes through the modes 'parked, taxi-out, take-off, climb, cruise, descent, landing, taxi-in, parked'. Occasionally the Pilot, or faults in the object or environmental circumstances, will cause other transitions between modes, for example directly from climb to descent, or a missed landing turning into a take-off again. This is illustrated in Figure 6.
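The Flight Mode Predicates listed above depend on the previous mode as much as on the current sample, which is what makes the mode a usable context for the element predicates. The following is an added example, not the patent's own code, that expresses those predicates as one function applied frame by frame. The numeric limits (25, 1000 feet, 100 feet/min, 3 sec) are the page's values in the page's units; the aircraft-specific landing speed VMAX_LANDING and the cruise lower bound (which the page leaves blank) are constructed assumptions, and the "acceleration positive for more than 3 sec" condition of a missed landing is passed in as an elapsed-time argument rather than computed from a speed history.

```python
# Added example, not the patent's own code: the flight-mode predicates of Figure 6
# evaluated for one sample in the context of the previously recorded mode.

TAXI_SPEED_LIMIT = 25.0      # speed separating taxiing from take-off (page value, page units)
CLIMB_ALTITUDE = 1000.0      # feet: barometric altitude required before Climb (page value)
ROC_BAND = 100.0             # feet/min: rate-of-climb band around level flight (page value)
VMAX_LANDING = 60.0          # aircraft-specific landing speed: CONSTRUCTED assumption
ACCEL_HOLD_SEC = 3.0         # seconds of positive acceleration for a missed landing (page's "say, 3 sec")


def determine_flight_mode(sample, previous_mode, accel_positive_sec=0.0):
    """Evaluate the flight-mode predicates for one data frame.

    sample: dict with speed, altitude (feet), rate_of_climb (feet/min), ignition (bool)
    previous_mode: mode recorded for the last frame, or None at the start of a flight
    accel_positive_sec: how long acceleration has been > 0 (only used after a landing)
    Returns the mode whose predicate fires; if none does, the mode is unchanged.
    """
    v = sample["speed"]
    roc = sample["rate_of_climb"]

    if v == 0 and not sample["ignition"]:
        return "parked"
    if 0 < v < TAXI_SPEED_LIMIT:
        if previous_mode == "landing":
            return "taxi-in"
        if previous_mode in (None, "parked"):        # no flight mode recorded yet
            return "taxi-out"
    if v > TAXI_SPEED_LIMIT:
        if previous_mode == "taxi-out":
            return "take-off"
        # missed landing: acceleration has gone from <0 to >0 for long enough
        if previous_mode == "landing" and accel_positive_sec > ACCEL_HOLD_SEC:
            return "take-off"
        if (previous_mode == "take-off" and sample["altitude"] > CLIMB_ALTITUDE
                and roc > ROC_BAND):
            return "climb"
        # ASSUMPTION: the cruise lower bound mirrors the +100 feet/min upper bound
        if previous_mode == "climb" and -ROC_BAND < roc < ROC_BAND:
            return "cruise"
        if previous_mode in ("climb", "cruise") and roc < -ROC_BAND:
            return "descent"
    if (v < VMAX_LANDING and -ROC_BAND < roc < 0
            and previous_mode in ("take-off", "climb", "cruise", "descent")):
        return "landing"
    return previous_mode


def run_flight(samples):
    """Step through a sequence of frames, returning the mode determined for each."""
    modes, mode = [], None
    for sample in samples:
        mode = determine_flight_mode(sample, mode)
        modes.append(mode)
    return modes


# Constructed frames for a normal flight (not recorded data).
CONSTRUCTED_FLIGHT = [
    {"speed": 0,   "altitude": 0,     "rate_of_climb": 0,    "ignition": False},
    {"speed": 10,  "altitude": 0,     "rate_of_climb": 0,    "ignition": True},
    {"speed": 80,  "altitude": 50,    "rate_of_climb": 500,  "ignition": True},
    {"speed": 150, "altitude": 2000,  "rate_of_climb": 800,  "ignition": True},
    {"speed": 200, "altitude": 10000, "rate_of_climb": 0,    "ignition": True},
    {"speed": 180, "altitude": 8000,  "rate_of_climb": -600, "ignition": True},
    {"speed": 50,  "altitude": 100,   "rate_of_climb": -50,  "ignition": True},
    {"speed": 10,  "altitude": 0,     "rate_of_climb": 0,    "ignition": True},
    {"speed": 0,   "altitude": 0,     "rate_of_climb": 0,    "ignition": False},
]


def example_flight_modes():
    """Modes determined for the constructed flight, in order."""
    return run_flight(CONSTRUCTED_FLIGHT)


if __name__ == "__main__":
    print(example_flight_modes())
```

Because every predicate is gated on the previous mode, a frame that matches no predicate leaves the mode unchanged rather than jumping to an arbitrary mode, and a go-around (speed above the taxi limit after 'landing') only becomes 'take-off' once the acceleration has stayed positive for longer than the hold period; a single noisy frame is not enough.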
An implementation of the MASS process is illustrated in Figure 7. Box 61 represents the object, in this case an aircraft, containing a number of elements, a Flight Control System and a Data Access Unit (DAU). Flight data is read from the DAU by the Capture Flight Data activity on a regular basis, in this case 8 times per second, and is stored in the Flight Data Memory 66, which is typically implemented in a non-volatile technology. It contains a data frame for each sample period holding all the sample values read at that time.
The current operational Flight Mode 65 is determined by the Determine Flight Mode activity 63 based on the Flight Mode Predicates 64; it is also stored in the Flight Data Memory 66.
The Evaluate Discrepancy activity 69 then evaluates the element models against the Flight Data Memory values 66 using the Element Model Predicates and Models 67 for the current flight mode 65. If a discrepancy is found, the Fault Dependency Matrix 68 is also evaluated to determine the element most affected by it 70. The Determine Recovery activity 71 is then used to produce the Action Advice based on the Recovery Matrix 72, which embodies the safety rules and possible response actions.
The Presentation activity 74 now takes the advice and the current flight mode and presents the information to the crew via the Panel 77. The data format used here might be Hypertext Markup Language so that a standard Internet-style browser can be used as a graphic display device. The presentation format may be characterized for different languages and cultures by means of the Language and Symbol Library 75. There may also be a Fault Indication warning device on the aircraft panel 76 warning the Pilot not to take off, or to land as quickly as possible if in flight. Finally the Pilot 78 receives the safety information from MASS and responds to it based on their own perception of the overall flight situation.
It will be appreciated that operation of one or more of the above-described components can be controlled by a program operating on a device or apparatus. Such an operating program can be stored on a computer-readable medium, or could, for example, be embodied in a signal such as a downloadable data signal provided from an Internet website. The appended claims are to be interpreted as covering an operating program by itself or as a record on a carrier, or as a signal, or in any other form.

Claims (46)

  1. A method of providing active system safety for a system comprising a plurality of elements, the method comprising: detecting an element that is exhibiting anomalous behaviour; determining at least one element likely to be causally linked to the anomalous behaviour by using a set of dependency values associated with respective pairs of the elements, each dependency value representing a level of behavioural dependence between the elements of the pair; and performing a safety-related action in dependence on the determination.
  2. A method as claimed in any preceding claim, comprising determining the element most likely to be causally linked to the anomalous behaviour.
  3. A method as claimed in claim 1 or 2, wherein the determining step comprises, for each of a plurality of test elements, determining an overall dependency value, representing a level of behavioural dependence between the test element and the detected anomalous element, with reference to at least one path between the test element and the detected anomalous element, each path comprising a sequence of two or more elements including the detected anomalous element at one end and the test element at the other end.
  4. A method as claimed in claim 3, wherein the overall dependency value for a test element is determined from the or each dependency value along the at least one path between the test element and the detected anomalous element.
  5. A method as claimed in claim 4, wherein the overall dependency value is determined from an accumulation of the or each dependency value along the at least one path between the test element and the detected anomalous element.
  6. A method as claimed in claim 3, 4 or 5, when dependent on claim 2, comprising determining the most likely element as the test element having the highest overall dependency value.
  7. A method as claimed in any one of claims 3 to 6, wherein a test element is considered likely to be causally linked to the anomalous behaviour if it is determined to have an overall dependency value greater than a predetermined threshold.
  8. A method as claimed in any one of claims 3 to 7, comprising propagating the or each path outwardly from the detected anomalous element.
  9. A method as claimed in claim 8, when dependent on claim 5, comprising halting propagation of a path when the accumulation for that path becomes less than a predetermined value.
  10. A method as claimed in any one of claims 3 to 9, wherein the set of test elements considered is determined as part of the method and represents a subset of the plurality of elements, the other elements being assumed to have a lower likelihood of being causally linked to the anomalous behaviour.
  11. A method as claimed in any preceding claim, wherein each dependency value is expressed as a likelihood.
  12. A method as claimed in claim 11, wherein the likelihood is expressed as a probability.
  13. A method as claimed in any preceding claim, wherein the determining step comprises determining at least one element likely to be causing or at least contributing to the anomalous behaviour, such that the at least one element is causally linked to the anomalous behaviour by causing or at least contributing to the anomalous behaviour.
  14. A method as claimed in claim 13, wherein the safety-related action is performed on at least one of the at least one element determined to be likely to be causing or at least contributing to the anomalous behaviour.
  15. A method as claimed in any preceding claim, wherein an element is considered likely to be causally linked to the anomalous behaviour if there is determined to be a level of behavioural dependence between the element and the detected anomalous element greater than a predetermined level.
  16. A method as claimed in any preceding claim, wherein the determining step comprises determining at least one element likely to be affected by the anomalous behaviour, such that the at least one element is causally linked to the anomalous behaviour by being affected by the anomalous behaviour.
  17. A method as claimed in claim 16, wherein the at least one element likely to be affected by the anomalous behaviour is the at least one element likely to suffer harm or risk as a result of the anomalous behaviour.
  18. A method as claimed in claim 16 or 17, wherein the safety-related action is performed so as to mitigate any consequences for at least one of the at least one element determined to be likely to be affected by the anomalous behaviour.
  19. A method as claimed in any preceding claim, wherein the safety-related action defines the advice and/or feedback which is to be applied to improve the current and/or future operational reliability of the element and/or the system and thereby its safety.
  20. A method as claimed in any preceding claim, wherein at least one of the dependency values comprises two different values, one representing a level of behavioural dependence of a first element on the second element, and the other representing a level of behavioural dependence of the second element on the first element, and comprising using the value appropriate to the determination being made.
  21. A method as claimed in any preceding claim, comprising detecting anomalous behaviour of an element by reference to a behavioural model for the element.
  22. A method as claimed in claim 21, comprising updating the behavioural models during use of the method, particularly to improve their capability for identifying anomalies in parts of the system that affect safety and/or to improve the current and future safety of the system.
  23. A method as claimed in any preceding claim, comprising transmitting information produced by the method to a separate location where the information can be securely monitored and/or stored and/or analysed.
  24. A method as claimed in any preceding claim, comprising combining information produced by the method in the form of a display so as to highlight current and/or future safety issues and priorities, the information relating to at least one entity or element or group of elements such as an aircraft, train or automobile.
  25. A method as claimed in any preceding claim, comprising monitoring at least one physical characteristic of each element for use in detecting the anomalous behaviour.
  26. A method as claimed in any preceding claim, comprising adapting the monitoring of elements for anomalous behaviour based on a history of immediate past behaviour so as to improve the sensitivity of detection.
  27. A method as claimed in any preceding claim, comprising adapting the monitoring of elements for anomalous behaviour over a prolonged period so as to enable detection of factors affecting safety that only become apparent over a prolonged period of time.
  28. A method as claimed in any preceding claim, comprising detecting anomalous behaviour that might affect the safety of the element and/or the system.
  29. A method as claimed in any preceding claim, comprising performing at least the determining step in relation to each of a plurality of sets of dependency values.
  30. A method as claimed in claim 29, comprising performing the safety-related action in dependence on the determinations relating to the plurality of sets of dependency values.
  31. A method as claimed in any preceding claim, comprising detecting a plurality of elements that are exhibiting anomalous behaviour, and performing the determining step in relation to each of the plurality of detected anomalous elements.
  32. A method as claimed in claim 31, comprising determining at least one element likely to be causally linked to the anomalous behaviour of each of the detected anomalous elements.
  33. A method as claimed in claim 31 or 32, comprising performing the safety-related action in dependence on the determinations relating to the plurality of detected anomalous elements.
  34. A method as claimed in any preceding claim, wherein a behavioural dependence between two elements exists when the behaviour of one element has an influence on the behaviour of the other element, the level of behavioural dependence being dependent on the extent of that influence.
  35. A method as claimed in any preceding claim, implemented by mechanical, electro-mechanical, electrical or electronic means, including Field Programmable Gate Arrays, Custom Designed Integrated Circuits (ASICs) or Microprocessors, employing analogue and/or digital techniques.
  36. A method as claimed in any preceding claim, comprising using fault tolerant techniques, for example making use of redundancy, so as to improve overall operational reliability of the system.
  37. A method of providing active system safety substantially as hereinbefore described with reference to the accompanying drawings.
  38. An apparatus for providing active system safety for a system comprising a plurality of elements, the apparatus comprising: means for detecting an element that is exhibiting anomalous behaviour; means for determining at least one element likely to be causally linked to the anomalous behaviour by using a set of dependency values associated with respective pairs of the elements, each dependency value representing a level of behavioural dependence between the elements of the pair; and means for performing a safety-related action in dependence on the determination.
  39. An apparatus for providing active system safety substantially as hereinbefore described with reference to the accompanying drawings.
  40. A program for controlling an apparatus to perform a method as claimed in any one of claims 1 to 37.
  41. A program which, when loaded into an apparatus, causes the apparatus to become an apparatus as claimed in claim 38 or 39.
  42. A program as claimed in claim 40 or 41, carried on a carrier medium.
  43. A program as claimed in claim 42, wherein the carrier medium is a storage medium.
  44. A program as claimed in claim 42, wherein the carrier medium is a transmission medium.
  45. An apparatus programmed by a program as claimed in any one of claims 40 to 44.
  46. A storage medium containing a program as claimed in any one of claims 40 to 43.
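One way to implement the Fault Dependency Matrix evaluation of the Figure 7 walk-through and the path propagation of claims 3 to 10, as an added example in Python (not code from the patent or from ITACS Ltd). The five elements and their dependency values are constructed for illustration; multiplying the values along a path for the accumulation (claim 5), taking the maximum over paths for the overall value (claim 4), and the numeric thresholds are choices the claims leave open and are assumptions here. The matrix is walked in its given direction to find the elements most affected (claims 16 to 18) and in the transposed direction to find likely causes (claims 13 and 14); that is the reading of claim 20's two directional values used in this example.

```python
"""Fault Dependency Matrix propagation (claims 3 to 10, Figure 7 walk-through).

Added example; not code from the patent. Elements, dependency values,
multiplicative accumulation, max-over-paths and the thresholds are assumptions.
"""
from typing import Dict, Optional, Tuple

Matrix = Dict[str, Dict[str, float]]

# DEPENDENCY[a][b]: likelihood, as a probability (claim 12), that the behaviour
# of element a influences element b. The two directions of a pair may differ
# (claim 20); a missing entry means no direct dependence. Constructed values.
DEPENDENCY: Matrix = {
    "fuel_pump":    {"engine": 0.9},
    "engine":       {"generator": 0.8, "fuel_pump": 0.1},
    "generator":    {"avionics_bus": 0.7},
    "avionics_bus": {"display": 0.6, "generator": 0.05},
    "display":      {},
}


def transpose(dep: Matrix) -> Matrix:
    """Swap the direction of every dependency value, so that walking the result
    from an anomalous element reaches the elements that influence it."""
    out: Matrix = {a: {} for a in dep}
    for a, row in dep.items():
        for b, value in row.items():
            out.setdefault(b, {})[a] = value
    return out


def propagate(anomalous: str, dep: Matrix, halt_below: float = 0.05) -> Dict[str, float]:
    """Propagate paths outwards from the anomalous element (claim 8). Each path
    accumulates the product of the dependency values along it (claim 5) and is
    halted once that product drops below halt_below (claim 9). The overall
    dependency value of a test element is the largest accumulation of any path
    that reaches it (claim 4); elements no path reaches are left out (claim 10)."""
    overall: Dict[str, float] = {}
    stack = [(anomalous, 1.0, (anomalous,))]
    while stack:
        node, acc, path = stack.pop()
        for nxt, value in dep.get(node, {}).items():
            if nxt in path:          # a path visits each element at most once
                continue
            new_acc = acc * value
            if new_acc < halt_below:
                continue             # halt this path; it is not extended further
            if new_acc > overall.get(nxt, 0.0):
                overall[nxt] = new_acc
            stack.append((nxt, new_acc, path + (nxt,)))
    return overall


def rank(anomalous: str, dep: Matrix, threshold: float = 0.3,
         halt_below: float = 0.05) -> Tuple[Optional[str], Dict[str, float]]:
    """Return (most likely element, every element above threshold): the threshold
    test of claim 7 and the pick of the highest overall value in claim 6."""
    overall = propagate(anomalous, dep, halt_below)
    linked = {e: v for e, v in overall.items() if v > threshold}
    best = max(linked, key=linked.__getitem__) if linked else None
    return best, linked


def most_affected(anomalous: str, dep: Matrix = DEPENDENCY, **kw):
    """Elements likely to be affected by the anomaly (claims 16 to 18): walk the
    matrix in its given direction, as the Figure 7 discrepancy step does."""
    return rank(anomalous, dep, **kw)


def likely_causes(anomalous: str, dep: Matrix = DEPENDENCY, **kw):
    """Elements likely to be causing the anomaly (claims 13 and 14): walk the
    transposed matrix, i.e. follow dependencies into the anomalous element."""
    return rank(anomalous, transpose(dep), **kw)


if __name__ == "__main__":
    print("fuel_pump anomaly most affects:", most_affected("fuel_pump"))
    print("display anomaly most likely caused by:", likely_causes("display"))
```

With these values a fuel-pump anomaly reaches the display only through a four-element path whose product (0.3024) sits just above the 0.3 threshold, so raising halt_below to 0.4 drops the display from the result while the three nearer elements remain; that is the pruning claim 9 describes. Whether claim 5's accumulation should be a product, a sum or something else is not fixed by the text, so the choice here is an assumption and a sum would change the ranking.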

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0707057.6A GB2448351B8 (en) 2007-04-12 2007-04-12 Method and apparatus for active system safety

Publications (5)

Publication Number Publication Date
GB0707057D0 GB0707057D0 (en) 2007-05-30
GB2448351A true GB2448351A (en) 2008-10-15
GB2448351B GB2448351B (en) 2011-09-21
GB2448351B8 GB2448351B8 (en) 2017-03-01
GB2448351A8 GB2448351A8 (en) 2017-03-01

Family

ID=38135011

Country Status (1)

Country Link
GB (1) GB2448351B8 (en)

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050223263A1 (en) * 2002-03-01 2005-10-06 Flores Pio T Device and method for assessing the safety of systems and for obtaining safety in system, and corresponding computer program

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3033661A1 (en) * 2015-03-10 2016-09-16 Safety Line METHOD OF ANALYZING A FLIGHT OF AN AIRCRAFT TO EVALUATE THE EXPOSURE OF THE FLIGHT TO A GIVEN RISK
EP3477410A1 (en) * 2017-10-27 2019-05-01 The Boeing Company Unsupervised multivariate relational fault detection system for a vehicle and method therefor
US10719772B2 (en) 2017-10-27 2020-07-21 The Boeing Company Unsupervised multivariate relational fault detection system for a vehicle and method therefor
US11315027B2 (en) 2017-10-27 2022-04-26 The Boeing Company Unsupervised multivariate relational fault detection system for a vehicle and method therefor
EP3839684A1 (en) * 2019-12-20 2021-06-23 Pratt & Whitney Canada Corp. Method and system for diagnosing an engine or an aircraft
US11615656B2 (en) 2019-12-20 2023-03-28 Pratt & Whitney Canada Corp. Method and system for diagnosing an engine or an aircraft

Legal Events

Date Code Title Description
S117 Correction of errors in patents and applications (sect. 117/patents act 1977)

Free format text: REQUEST FILED; REQUEST FOR CORRECTION UNDER SECTION 117 FILED ON 09 JANUARY 2017

Free format text: CORRECTIONS ALLOWED; REQUEST FOR CORRECTION UNDER SECTION 117 FILED ON 09 JANUARY 2017 ALLOWED ON 24 FEBRUARY 2017

PCNP Patent ceased through non-payment of renewal fee

Effective date: 20190412