US20030182031A1 - Aircraft signal definition for flight safety system monitoring system - Google Patents

Aircraft signal definition for flight safety system monitoring system Download PDF

Info

Publication number
US20030182031A1
US20030182031A1 US10/099,650 US9965002A US2003182031A1 US 20030182031 A1 US20030182031 A1 US 20030182031A1 US 9965002 A US9965002 A US 9965002A US 2003182031 A1 US2003182031 A1 US 2003182031A1
Authority
US
United States
Prior art keywords
aircraft
conditions
computer readable
combinations
readable medium
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US10/099,650
Other versions
US6631315B1 (en
Inventor
Michael Gibbs
Debi Omen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Honeywell Inc
Original Assignee
Honeywell Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Honeywell Inc filed Critical Honeywell Inc
Priority to US10/099,650 priority Critical patent/US6631315B1/en
Assigned to HONEYWELL INC. reassignment HONEYWELL INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: GIBBS, MICHAEL, OMEN, DEBI VAN
Priority to PCT/US2003/007562 priority patent/WO2003079040A2/en
Priority to EP03714089A priority patent/EP1573350A2/en
Priority to AU2003218103A priority patent/AU2003218103A1/en
Publication of US20030182031A1 publication Critical patent/US20030182031A1/en
Application granted granted Critical
Publication of US6631315B1 publication Critical patent/US6631315B1/en
Anticipated expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G08SIGNALLING
    • G08GTRAFFIC CONTROL SYSTEMS
    • G08G5/00Traffic control systems for aircraft, e.g. air-traffic control [ATC]
    • G08G5/0017Arrangements for implementing traffic-related aircraft activities, e.g. arrangements for generating, displaying, acquiring or managing traffic information
    • G08G5/0021Arrangements for implementing traffic-related aircraft activities, e.g. arrangements for generating, displaying, acquiring or managing traffic information located in the aircraft
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01CMEASURING DISTANCES, LEVELS OR BEARINGS; SURVEYING; NAVIGATION; GYROSCOPIC INSTRUMENTS; PHOTOGRAMMETRY OR VIDEOGRAMMETRY
    • G01C23/00Combined instruments indicating more than one navigational value, e.g. for aircraft; Combined measuring devices for measuring two or more variables of movement, e.g. distance, speed or acceleration
    • GPHYSICS
    • G08SIGNALLING
    • G08GTRAFFIC CONTROL SYSTEMS
    • G08G5/00Traffic control systems for aircraft, e.g. air-traffic control [ATC]
    • G08G5/0095Aspects of air-traffic control not provided for in the other subgroups of this main group

Definitions

  • the present invention relates to flight safety, and in particular to a flight safety system that monitors sets of state values to provide warnings of potentially unsafe situations.
  • CFIT Controlled Flight Into Terrain
  • a wrong descent mode is thought to have been selected. While the crew selected a parameter for a flight path angle, it was applied to a vertical speed mode of descent. The parameter was too great for such a mode, likely causing the accident. In a further example, it was not realized that a first officer's flight director was still selected and the autoflight system was following Flight Director guidance. In one more example, a crew failed to retract speedbrakes when attempting to climb out of a canyon.
  • An aircraft signal definition is provided to enable definition and monitoring of sets of aircraft input signals to customize such signals for different aircraft.
  • the input signals are compared against known combinations of potentially dangerous input signal values by operational software and hardware of a monitoring function.
  • the aircraft signal definition is created using a text editor or custom application.
  • a compiler receives the aircraft signal definition to generate a binary file that comprises the definition of all the input signals used by the monitoring function.
  • the binary file also contains logic that specifies how the inputs are to be interpreted.
  • the file is then loaded into the monitoring function, where it is validated and used to continuously monitor the condition of the aircraft.
  • Undesirable input value combinations describing the state of an aircraft are initially identified by experts. Error messages and identification of potential alarms are generated based on both knowledge of actual accidents, and on use of expert knowledge to predict potentially dangerous states. The combinations are entered into the aircraft signal definition for use by the monitoring function. Different aircraft signal definitions are written for different aircraft, and are useable with identical monitoring functions.
  • FIG. 1 is a simplified block diagram of a flight safety system utilizing sets of input values.
  • FIG. 2 is a flow chart showing operation of the system of FIG. 1 in comparing combinations of input values to determine unsafe states for an aircraft.
  • FIG. 3 is a diagram of an analysis structure for analyzing combinations of input variables.
  • FIG. 4 is a diagram of a comparison of one pair of variables (speedbrakes and thrust) for different values of the variables.
  • FIG. 5 is a block diagram of a system for generating and using aircraft signal definitions.
  • FIG. 6 is a text representation of aircraft signal definition condition clauses.
  • a system that monitors states of a vehicle such as an aircraft or other vehicle such as a spacecraft, or land-based vehicle is shown at 110 in FIG. 1.
  • a plurality of sensors 115 sense the state of the aircraft, such as airspeed, thrust and many other input values. In one embodiment, over 100 values are sensed.
  • the sensors are coupled to a states module 120 that is integrated with a processor 125 , or separate from it.
  • the states module 120 converts physical sensor signals to digital signals if not already in such form for use by the processor 125 .
  • Processor 125 is coupled to a database 130 .
  • Database 130 contains a record of identified unsafe states, or combinations of values. It receives the sensed values, and queries the records for to identify unsafe or undesired combinations of sensed values.
  • database 130 contains error messages in one embodiment, or other information identifying a mechanism by which to notify an operator of an unsafe condition or state of the aircraft.
  • database 130 comprises a database server, either integrated with processor 125 , or independent from processor 125 .
  • Identified unsafe states are provided back to the processor 125 .
  • Processor 125 receives such identifications and associated error messages or other information and provides a corresponding notice to operators via a display 135 .
  • Display 135 is used to represent all visual displays, audible alarms, and any other type of mechanism usable for calling operator attention to potentially unsafe conditions.
  • inputs defining the state of the aircraft include commands that are pending or being implemented by computers or other devices on the aircraft.
  • commands for example include autopilot, autothrottle, flight phase, programmed trajectory and others.
  • the commands are provided by operators of the aircraft, such as a crew, or computer in control of the aircraft.
  • Command values such as on or off, are provided via a user input mechanism 140 .
  • Mechanism 140 is used to represent physical switches, keyboards, buttons and any other type of device usable on aircraft for entering commands, including voice recognition.
  • a memory 150 or other computer readable medium such as RAM, ROM, tape, disk drive, carrier wave or other memory is coupled to processor 125 to provide storage of data and computer executable code for execution on processor 125 .
  • processor 125 , memory 150 and database 130 comprise a standard or modified personal computer, or other type of computer or electronic device capable of carrying out functions associated with the current invention.
  • a flowchart representative of functions carried out by one embodiment of the current invention are shown at 200 in FIG. 2.
  • state information such as input values obtained from the various sensors and commands that are currently in effect in the aircraft is obtained. This information is collected and sent to the database at 220 . The database then performs queries to find matches with previously identified potentially unsafe combinations of inputs.
  • the current state information is stored in a desired database format, and the known unsafe combinations are used as a query against the current state information.
  • current values defining the state are used to query the known unsafe combination dataset.
  • a combination of two input values may be indicative of a potentially unsafe condition of the aircraft. Whether or not such condition is really potentially unsafe may depend on the value of one or more further input conditions. Thus, many combinations are simply pairs of values, while others actually consist of comparing values of more than two input values.
  • query block 230 Prior to provision of a warning, query block 230 performs the additional comparison. The comparison is also done at 260 in further embodiments, and the information related to additional values is used to tailor the error information.
  • T may be user selected, or predetermined, and ranges from seconds or minutes to less than a second. Many values do not change rapidly, and T may be a function of how rapidly the values may change.
  • error information such as warnings, or commands for warning mechanisms are retrieved at 260 , and at 270 , such error information is used to provide cautions, warnings or advisories at 270 .
  • Display formats may also be altered, such as by turning on an indicator for one of the states, for instance, a speed brake indicator.
  • Predetermined undesirable combinations are determined in one embodiment by starting with a matrix shown at 300 in FIG. 3.
  • the matrix consists of a set of rows 310 of state variables with corresponding potential values, and a set of columns 320 of state variables with corresponding values.
  • the columns and rows are identical, starting with state variable 1 having potential values 1 , 2 and 3 , state variable 2 having potential values 1 and 2 , and further state variables and values.
  • the values may be quantized, or otherwise characterized, such as by indicating a high, medium, low or very low airspeed.
  • all potential pairs of values for the variables are identified in the matrix.
  • One or more experts are used to determine whether or not such pairs present a potentially dangerous or otherwise undesirable combination. The experts rely on their own experience, knowledge and education, as well as analysis of previous accidents. By thinking about every possible combination and possible causes and effects, many undesirable combinations or states are methodically identified.
  • the experts, or others determine what type of warning or indication to provide to operators of aircraft that encounter such combinations.
  • One type of indication is information advising the operator about the conflict.
  • Another indication informs the operator to ignore a reading.
  • Such an indication will save operators from cutting engine speed on takeoff due to faulty thrust readings.
  • the operator may be warned to abort take-off, or ignore the high reading and rely on other readings, such as ground or air speed.
  • the database of unsafe combinations is generated. If such unsafe combinations depend on other input values, or if the type of information communicated to an operator is dependent on other input values, this is incorporated into the database in the form of further embedded queries or other mechanism to trigger such further comparisons.
  • FIG. 4 One example of an undesirable combination of variable values is shown in FIG. 4.
  • a combination of a high level of thrust and deployed speedbrakes is not one that a pilot would intentionally choose. Such a combination has been responsible for several tail strike landings when pilots deploy the speedbrakes to acquire the glideslope, then forget that they are out and attempt to maintain the glideslope with high levels of thrust and pitch.
  • the speedbrake variable has three potential values, in, out and high. Thrust also has three values, idle, medium and high. If the speedbrakes are out or high, different levels of alarm are provided, from advisory information, caution information and an actual warning when thrust is high.
  • Variables have values referred to as input values.
  • the input values need to be translated to a form usable by the system.
  • an aircraft signal definition language is used to identify the input values and describe logic usable by a monitor function to determine unsafe states of the aircraft or other vehicle.
  • a block diagram of an aircraft situation monitor is shown at 510 in FIG. 5.
  • the monitor 510 comprises an aircraft signal definition 520 describing the input values from a selected aircraft.
  • the aircraft signal definition 520 is a high level computer readable language description of one particular aircraft in one embodiment. It is created by any type of text editor or special application program designed to assist in easily creating such a definition.
  • the aircraft signal definition has a definition of inputs and logic representing the unsafe conditions.
  • the aircraft signal definition 520 is provided to a compiler 530 , which translates the aircraft signal definition 520 .
  • Compiler 530 produces a symbol table 535 that is useful for debugging purposes. It also produces a binary representation 540 of the aircraft signal definition 520 to a monitor 550 .
  • Monitor 550 is a combination of hardware and software that is stable from aircraft to aircraft in one embodiment. Monitor 550 is implemented in processor 125 in one embodiment, or database 130 in a further embodiment. The functions of monitor 550 are distributed across different hardware and software in a further embodiment.
  • the compiler is a single-pass design that generates an intermediate binary code that is interpreted by the monitor 550 . It supports conditional compilation, global and local scoping rules for identifiers, and has a user selectable option for generating both little-endian and big-endian numeric values.
  • the aircraft signal definition is written in a high level, platform independent language. The use of translation to an interpreted language allows compilers to be adapted to different platforms without modifying the high level language.
  • a compiler provides source code for running directly on the platform in further embodiments.
  • the aircraft signal definition specifies the source, size and type of input parameters. It also provides the triggering logic that determines when a condition is occurring, timing data associated with the detection and clearing of conditions, the conditions along with which a condition should not trigger, and the actions to be taken when the condition exists.
  • the I/O characteristics of each aircraft type are isolated from the operation software and hardware of the monitor 550 . The result is a programming language that is custom designed for the task of describing aircraft I/O and condition evaluation logic for onboard avionics systems. This allows the monitor to be developed and certified one time for use with many different types of aircraft.
  • FIG. 6 shows examples of the condition clauses in an aircraft signal definition.
  • a condition name and ID is indicated at 610 .
  • a text name, “Low Altitude w/Medium Descent Rate” name with an ID of “10” is provided. All text after semi colons are comments that are not translated into binary form in one embodiment.
  • Inputs required to detect the previously identified condition are indicated at 620 .
  • the inputs are vertical speed, radar altitude and airspeed.
  • Triggering and timing logic for the condition are identified at 630 . The logic indicates when the condition is satisfied, meaning that a potential dangerous state of the aircraft exists. Each input is compared to a trigger or threshold value. Time for the condition is also specified as needing to exist for at least 10 seconds. The time is reset after 5 seconds.
  • the aircraft signal definition is represented as a text file with a content defined by the diagrams below. Text in the ASD is case-insensitive and white space is not significant. All text on a line that follows a semicolon (that is not embedded in a quoted string), is considered to be a comment and is ignored by the compiler. aircraft_signal_definition
  • a system and method compares combinations of vehicle input values against known combinations of potentially dangerous vehicle input value combinations. Alarms and error messages are selectively generated based on such comparisons.
  • An aircraft signal definition is provided to enable definition and monitoring of sets of aircraft input signals to customize such signals for different aircraft. The input signals are compared against known combinations of potentially dangerous vehicle input values by operational software and hardware of a monitoring function. The aircraft signal definition is created using a text editor or custom application.
  • a compiler receives the aircraft signal definition to generate a binary file that comprises the definition of all the input signals used by the monitoring function.
  • the binary file also contains logic that specifies how the inputs are to be interpreted.
  • the file is then loaded into the monitor function, where it is validated and used to continuously monitor the condition of the aircraft.
  • Undesirable combinations of input values for an aircraft are initially identified by experts. Error messages and identification of potential alarms are generated based on both knowledge of actual accidents, and on use of expert knowledge to predict potentially dangerous states. Multiple input signals such as two or more input signals are compared in further embodiments. The combinations are entered into the aircraft signal definition for use by the monitoring function. Different aircraft signal definition are written for different aircraft, and are useable with monitoring functions that need not be changed. The actual definitions described are but one of many such definitions may easily be substituted or derived using the teaching of the present application.

Landscapes

  • Engineering & Computer Science (AREA)
  • Aviation & Aerospace Engineering (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Remote Sensing (AREA)
  • Traffic Control Systems (AREA)
  • Alarm Systems (AREA)

Abstract

A system and method compares combinations of vehicle variable values against known combinations of potentially dangerous vehicle input signal values. Alarms and error messages are selectively generated based on such comparisons. An aircraft signal definition is provided to enable definition and monitoring of sets of aircraft input signals to customize such signals for different aircraft. The input signals are compared against known combinations of potentially dangerous values by operational software and hardware of a monitoring function. The aircraft signal definition is created using a text editor or custom application. A compiler receives the aircraft signal definition to generate a binary file that comprises the definition of all the input signals used by the monitoring function. The binary file also contains logic that specifies how the inputs are to be interpreted. The file is then loaded into the monitor function, where it is validated and used to continuously monitor the condition of the aircraft.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • This application is related to copending US application: “Flight Safety System Monitoring Combinations of State Values”, docket number H0001681, filed on the same date herewith and assigned to the same assignee.[0001]
    • GOVERNMENT FUNDING
  • [0002] The invention described herein was made with U.S. Government support under Cooperative Research Agreement Number NCC-1-339 awarded by NASA. The United States Government has certain rights in the invention.
    • FIELD OF THE INVENTION
  • The present invention relates to flight safety, and in particular to a flight safety system that monitors sets of state values to provide warnings of potentially unsafe situations. [0003]
    • BACKGROUND OF THE INVENTION
  • Controlled Flight Into Terrain (CFIT) accidents have received much attention recently, but most attempts to address them have concentrated on making flight crews more aware of terrain. However, a study of recent accidents suggests that many are caused by factors unrelated to terrain. Many such accidents are near airports, where conventional terrain avoidance/warning systems are ineffective due to the inherent lower altitude of the plane required for landing. Such conventional systems usually rely upon a measurement of one parameter. [0004]
  • In one example, a wrong descent mode is thought to have been selected. While the crew selected a parameter for a flight path angle, it was applied to a vertical speed mode of descent. The parameter was too great for such a mode, likely causing the accident. In a further example, it was not realized that a first officer's flight director was still selected and the autoflight system was following Flight Director guidance. In one more example, a crew failed to retract speedbrakes when attempting to climb out of a canyon. [0005]
    • SUMMARY OF THE INVENTION
  • An aircraft signal definition is provided to enable definition and monitoring of sets of aircraft input signals to customize such signals for different aircraft. The input signals are compared against known combinations of potentially dangerous input signal values by operational software and hardware of a monitoring function. The aircraft signal definition is created using a text editor or custom application. [0006]
  • A compiler receives the aircraft signal definition to generate a binary file that comprises the definition of all the input signals used by the monitoring function. The binary file also contains logic that specifies how the inputs are to be interpreted. The file is then loaded into the monitoring function, where it is validated and used to continuously monitor the condition of the aircraft. [0007]
  • Undesirable input value combinations describing the state of an aircraft are initially identified by experts. Error messages and identification of potential alarms are generated based on both knowledge of actual accidents, and on use of expert knowledge to predict potentially dangerous states. The combinations are entered into the aircraft signal definition for use by the monitoring function. Different aircraft signal definitions are written for different aircraft, and are useable with identical monitoring functions.[0008]
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a simplified block diagram of a flight safety system utilizing sets of input values. [0009]
  • FIG. 2 is a flow chart showing operation of the system of FIG. 1 in comparing combinations of input values to determine unsafe states for an aircraft. [0010]
  • FIG. 3 is a diagram of an analysis structure for analyzing combinations of input variables. [0011]
  • FIG. 4 is a diagram of a comparison of one pair of variables (speedbrakes and thrust) for different values of the variables. [0012]
  • FIG. 5 is a block diagram of a system for generating and using aircraft signal definitions. [0013]
  • FIG. 6 is a text representation of aircraft signal definition condition clauses.[0014]
    • DETAILED DESCRIPTION OF THE INVENTION
  • In the following description, reference is made to the accompanying drawings that form a part hereof, and in which is shown by way of illustration specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention, and it is to be understood that other embodiments may be utilized and that structural, logical and electrical changes may be made without departing from the scope of the present invention. The following description is, therefore, not to be taken in a limited sense, and the scope of the present invention is defined by the appended claims. [0015]
  • Use of a system that compares combinations of values of states of a vehicle such as an aircraft to previously identified unsafe combinations is described, followed by a section describing a methodology of determining the unsafe combinations. [0016]
  • A system that monitors states of a vehicle such as an aircraft or other vehicle such as a spacecraft, or land-based vehicle is shown at [0017] 110 in FIG. 1. A plurality of sensors 115 sense the state of the aircraft, such as airspeed, thrust and many other input values. In one embodiment, over 100 values are sensed. The sensors are coupled to a states module 120 that is integrated with a processor 125, or separate from it. The states module 120 converts physical sensor signals to digital signals if not already in such form for use by the processor 125. Processor 125 is coupled to a database 130. Database 130 contains a record of identified unsafe states, or combinations of values. It receives the sensed values, and queries the records for to identify unsafe or undesired combinations of sensed values. The records in database 130 contain error messages in one embodiment, or other information identifying a mechanism by which to notify an operator of an unsafe condition or state of the aircraft. In one embodiment, database 130 comprises a database server, either integrated with processor 125, or independent from processor 125.
  • Identified unsafe states are provided back to the [0018] processor 125. Processor 125 receives such identifications and associated error messages or other information and provides a corresponding notice to operators via a display 135. Display 135 is used to represent all visual displays, audible alarms, and any other type of mechanism usable for calling operator attention to potentially unsafe conditions.
  • In one embodiment, inputs defining the state of the aircraft include commands that are pending or being implemented by computers or other devices on the aircraft. Such commands for example include autopilot, autothrottle, flight phase, programmed trajectory and others. The commands are provided by operators of the aircraft, such as a crew, or computer in control of the aircraft. Command values, such as on or off, are provided via a [0019] user input mechanism 140. Mechanism 140 is used to represent physical switches, keyboards, buttons and any other type of device usable on aircraft for entering commands, including voice recognition.
  • A [0020] memory 150 or other computer readable medium such as RAM, ROM, tape, disk drive, carrier wave or other memory is coupled to processor 125 to provide storage of data and computer executable code for execution on processor 125. In one embodiment, processor 125, memory 150 and database 130 comprise a standard or modified personal computer, or other type of computer or electronic device capable of carrying out functions associated with the current invention.
  • A flowchart representative of functions carried out by one embodiment of the current invention are shown at [0021] 200 in FIG. 2. At 210, state information such as input values obtained from the various sensors and commands that are currently in effect in the aircraft is obtained. This information is collected and sent to the database at 220. The database then performs queries to find matches with previously identified potentially unsafe combinations of inputs. In one embodiment, the current state information is stored in a desired database format, and the known unsafe combinations are used as a query against the current state information. In further embodiments, current values defining the state are used to query the known unsafe combination dataset.
  • In some cases, a combination of two input values may be indicative of a potentially unsafe condition of the aircraft. Whether or not such condition is really potentially unsafe may depend on the value of one or more further input conditions. Thus, many combinations are simply pairs of values, while others actually consist of comparing values of more than two input values. Prior to provision of a warning, [0022] query block 230 performs the additional comparison. The comparison is also done at 260 in further embodiments, and the information related to additional values is used to tailor the error information.
  • If no undesirable combination of values is found at [0023] 240, the process waits for a fixed time, T, at 250 prior to starting at 210 again by obtaining then current state information. T may be user selected, or predetermined, and ranges from seconds or minutes to less than a second. Many values do not change rapidly, and T may be a function of how rapidly the values may change.
  • If one or more undesirable combinations of values are found, error information, such as warnings, or commands for warning mechanisms are retrieved at [0024] 260, and at 270, such error information is used to provide cautions, warnings or advisories at 270. Display formats may also be altered, such as by turning on an indicator for one of the states, for instance, a speed brake indicator.
  • Predetermined undesirable combinations are determined in one embodiment by starting with a matrix shown at [0025] 300 in FIG. 3. The matrix consists of a set of rows 310 of state variables with corresponding potential values, and a set of columns 320 of state variables with corresponding values. In one embodiment, the columns and rows are identical, starting with state variable 1 having potential values 1, 2 and 3, state variable 2 having potential values 1 and 2, and further state variables and values. Where the variables correspond to sensed conditions, the values may be quantized, or otherwise characterized, such as by indicating a high, medium, low or very low airspeed. In this embodiment, all potential pairs of values for the variables are identified in the matrix. One or more experts are used to determine whether or not such pairs present a potentially dangerous or otherwise undesirable combination. The experts rely on their own experience, knowledge and education, as well as analysis of previous accidents. By thinking about every possible combination and possible causes and effects, many undesirable combinations or states are methodically identified.
  • When such undesirable combinations are identified, the experts, or others determine what type of warning or indication to provide to operators of aircraft that encounter such combinations. One type of indication is information advising the operator about the conflict. Another indication informs the operator to ignore a reading. Such an indication will save operators from cutting engine speed on takeoff due to faulty thrust readings. Thus, when low acceleration in combination with medium or high thrust readings are detected, the operator may be warned to abort take-off, or ignore the high reading and rely on other readings, such as ground or air speed. [0026]
  • Upon identification of such unsafe combinations, the database of unsafe combinations is generated. If such unsafe combinations depend on other input values, or if the type of information communicated to an operator is dependent on other input values, this is incorporated into the database in the form of further embedded queries or other mechanism to trigger such further comparisons. [0027]
  • One example of an undesirable combination of variable values is shown in FIG. 4. A combination of a high level of thrust and deployed speedbrakes is not one that a pilot would intentionally choose. Such a combination has been responsible for several tail strike landings when pilots deploy the speedbrakes to acquire the glideslope, then forget that they are out and attempt to maintain the glideslope with high levels of thrust and pitch. As seen in FIG. 4, the speedbrake variable has three potential values, in, out and high. Thrust also has three values, idle, medium and high. If the speedbrakes are out or high, different levels of alarm are provided, from advisory information, caution information and an actual warning when thrust is high. [0028]
  • Variables have values referred to as input values. The input values need to be translated to a form usable by the system. In one embodiment, an aircraft signal definition language is used to identify the input values and describe logic usable by a monitor function to determine unsafe states of the aircraft or other vehicle. [0029]
  • A block diagram of an aircraft situation monitor is shown at [0030] 510 in FIG. 5. The monitor 510 comprises an aircraft signal definition 520 describing the input values from a selected aircraft. The aircraft signal definition 520 is a high level computer readable language description of one particular aircraft in one embodiment. It is created by any type of text editor or special application program designed to assist in easily creating such a definition. The aircraft signal definition has a definition of inputs and logic representing the unsafe conditions.
  • The [0031] aircraft signal definition 520 is provided to a compiler 530, which translates the aircraft signal definition 520. Compiler 530 produces a symbol table 535 that is useful for debugging purposes. It also produces a binary representation 540 of the aircraft signal definition 520 to a monitor 550. Monitor 550 is a combination of hardware and software that is stable from aircraft to aircraft in one embodiment. Monitor 550 is implemented in processor 125 in one embodiment, or database 130 in a further embodiment. The functions of monitor 550 are distributed across different hardware and software in a further embodiment.
  • In one embodiment, the compiler is a single-pass design that generates an intermediate binary code that is interpreted by the [0032] monitor 550. It supports conditional compilation, global and local scoping rules for identifiers, and has a user selectable option for generating both little-endian and big-endian numeric values. In one embodiment, the aircraft signal definition is written in a high level, platform independent language. The use of translation to an interpreted language allows compilers to be adapted to different platforms without modifying the high level language. A compiler provides source code for running directly on the platform in further embodiments.
  • Differences in aircraft are represented by the aircraft signal definition. The aircraft signal definition specifies the source, size and type of input parameters. It also provides the triggering logic that determines when a condition is occurring, timing data associated with the detection and clearing of conditions, the conditions along with which a condition should not trigger, and the actions to be taken when the condition exists. The I/O characteristics of each aircraft type are isolated from the operation software and hardware of the [0033] monitor 550. The result is a programming language that is custom designed for the task of describing aircraft I/O and condition evaluation logic for onboard avionics systems. This allows the monitor to be developed and certified one time for use with many different types of aircraft.
  • FIG. 6 shows examples of the condition clauses in an aircraft signal definition. A condition name and ID is indicated at [0034] 610. In this particular example, a text name, “Low Altitude w/Medium Descent Rate” name with an ID of “10” is provided. All text after semi colons are comments that are not translated into binary form in one embodiment. Inputs required to detect the previously identified condition are indicated at 620. In the case of condition ID “10”, the inputs are vertical speed, radar altitude and airspeed. Triggering and timing logic for the condition are identified at 630. The logic indicates when the condition is satisfied, meaning that a potential dangerous state of the aircraft exists. Each input is compared to a trigger or threshold value. Time for the condition is also specified as needing to exist for at least 10 seconds. The time is reset after 5 seconds.
  • Occasionally, further conditions indicate that a previously triggered condition should be superceded by another condition. This is illustrated at [0035] 640, where if the condition is triggered, it is inhibited and removed if condition ID “9” exists. Finally, at 650, actions to be taken are identified. In this instance, a caution message “Check altitude” is provided.
  • The aircraft signal definition (ASD) is represented as a text file with a content defined by the diagrams below. Text in the ASD is case-insensitive and white space is not significant. All text on a line that follows a semicolon (that is not embedded in a quoted string), is considered to be a comment and is ignored by the compiler. aircraft_signal_definition [0036]
    Figure US20030182031A1-20030925-P00001
    Figure US20030182031A1-20030925-P00002
    Figure US20030182031A1-20030925-P00003
    Figure US20030182031A1-20030925-P00004
    Figure US20030182031A1-20030925-P00005
  • The following Backus-Naur Forms (BNF) describe the syntax of the ASD file in a different manner. Given the syntax, design of a compiler is straight forward, as the syntax is easily parsed. [0037]
    <aircraft_signal_definition> ::= asd <aircraft_id_string> { <statement> }endasd
    <aircraft_id_string> ::= <quoted_string>
    <statement> ::= <constant_declaration>| <compilation_directive>|
    <condition_declaration> [<comment>]
    <constant_declaration> ::= constant <identifier>“=” <value>
    <condition_declaration> ::= condition <condition_name>, <condition_ID>
    inputs <input_list>
    trigger when <boolean_expression>
     [exists for <duration>
     [resets after <duration>]]
    [inhibited by condition [“s”] <condition_ID>
     [{“,” <condition_ID}]]
    [removed by condition [“s”] <condition_ID>
    [{“,” <condition_ID}]]
    actions <action_list>
    [repeat after <duration>]
    endcondition
    <compilation directive> ::= if <boolean_expression> <statement> {<statement>}
    [else <statement> {<statement>}]endif
    <comment> ::= “;” <string> (comments continue until the end of the line)
    <condition_name> ::= <quoted_string> | <identifier>
    <condition_ID> ::= <number> | <identifier>
    <input_list> ::= <input_list_item> {<input_list_item>}
    <input_list_item> ::= <identifier> “=” <data_location>
    <data_location> ::= discrete <number> |
    bus <bus_name> word <offset> [bit <offset>]|
    <address> “.” <address>
    [“,” <type_identifier> [<number>]]
    <bus_name> ::= <quoted string> | <identifier>
    <offset> ::= <number> | <identifier> | <range>
    <address> ::= <number> | <identifier>
    <type_identifier> ::= scalar | integer | real | float
    <action_list> ::= <action_list_item> {<action_list_item>}
    <action_list item> ::= <user_notification> | log <quoted_string>
    <user_notification> ::= advisory message | caution message | warning message
    <quoted_string>
    <string> ::= letter | digit | symbol { letter | digit | symbol }
    <quoted_string> ::= “” <string>
    <range> ::= <number>| <identifier>“..” <number>| <identifier>
    <number> ::= [“$”][“-”] digit { digit } | <identifier>
    <identifier> ::= letter { letter | digit }
    <value> ::= <quoted_string> | <number> | true | false | <identifier>
    <duration> ::= <number> <time_units> | <identifier> <time_units>
    <time_units> ::= second | seconds | minute | minutes
    <expression> ::= <arithmetic_expression> | <boolean_expression>
    <boolean_expression> ::= true | false | [not]<value> | [not] <identifier> |
    [<open_paren>] <expression> <boolean_operator> <expression>
    [<close_paren>]
    <arithmetic_expression> ::= <number> | <identifier> | <range>|
    [<open_paren>] <arithmetic_expression>
    <arithmetic operator>
    <arithmetic_expression> [<close_paren>]
    <arithmetic_operator> ::= “+” | “−” | “*” | “/”
    <boolean_operator> ::= “=” | “<>” | “<” | “>” | “<=” | “>=” | is in |
    is not in | and | or |not
    <open_paren> ::= “(” | “[”
    <close_paren> ::= “)” |“]”
    <digit> ::= “0”..“9” | “A”..“F”
    <letter” ::= “A”..“Z” | “a”..“z” | “˜” | “!” | “@” | “#” | “$” | “%” | “{circumflex over ( )}” |
    “&” | “*” | “−” | “_” | “+” | “=” | “|” |“\” | “'” | “?” | “/”
    • CONCLUSION
  • A system and method compares combinations of vehicle input values against known combinations of potentially dangerous vehicle input value combinations. Alarms and error messages are selectively generated based on such comparisons. An aircraft signal definition is provided to enable definition and monitoring of sets of aircraft input signals to customize such signals for different aircraft. The input signals are compared against known combinations of potentially dangerous vehicle input values by operational software and hardware of a monitoring function. The aircraft signal definition is created using a text editor or custom application. [0038]
  • A compiler receives the aircraft signal definition to generate a binary file that comprises the definition of all the input signals used by the monitoring function. The binary file also contains logic that specifies how the inputs are to be interpreted. The file is then loaded into the monitor function, where it is validated and used to continuously monitor the condition of the aircraft. [0039]
  • Undesirable combinations of input values for an aircraft are initially identified by experts. Error messages and identification of potential alarms are generated based on both knowledge of actual accidents, and on use of expert knowledge to predict potentially dangerous states. Multiple input signals such as two or more input signals are compared in further embodiments. The combinations are entered into the aircraft signal definition for use by the monitoring function. Different aircraft signal definition are written for different aircraft, and are useable with monitoring functions that need not be changed. The actual definitions described are but one of many such definitions may easily be substituted or derived using the teaching of the present application. [0040]

Claims (29)

1. A method of determining unsafe conditions for an aircraft, the method comprising:
describing combinations of conditions of the aircraft that represent potentially unsafe conditions in a computer readable language;
compiling the description to a binary form;
loading the binary form on a monitor;
receiving multiple input signals representing the condition of the aircraft; and
operating the monitor to identify unsafe conditions.
2. The method of claim 1 wherein the description of combinations of conditions are tailored to each aircraft.
3. The method of claim 1 wherein the description of combinations of conditions comprises multiple combinations of conditions including I/O descriptions, values, and expressions.
4. The method of claim 3 wherein the expressions comprise arithmetic or Boolean expressions.
5. The method of claim 1 wherein the description of combinations of conditions comprise inhibitors based on further conditions.
6. A method of initializing a monitor that identifies unsafe conditions for an aircraft, the method comprising:
creating an aircraft signal definition representative of combinations of conditions of the aircraft that represent potentially unsafe conditions;
translating the description to a binary form; and
loading the binary form on the monitor for identifying unsafe conditions.
7. The method of claim 6 and further comprising adding identification of inputs and triggers for unsafe conditions to the aircraft signal definition.
8. The method of claim 7 wherein the aircraft signal definition further comprises identification of unsafe condition dependent actions to be taken.
9. The method of claim 6 and further comprising adding a nuisance suppression clause to the aircraft signal definition.
10. The method of claim 6 and further comprising adding multiple condition names and IDs to the aircraft signal definition.
11. A computer readable medium having instructions for causing a computer to execute a method of determining unsafe conditions for an aircraft, the method comprising:
describing combinations of conditions of the aircraft that represent potentially unsafe conditions in a computer readable language;
compiling the description to a binary form;
loading the binary form on a monitor;
receiving multiple input signals representing the condition of the aircraft; and
operating the monitor to identify unsafe conditions.
12. The computer readable medium of claim 11 wherein the description of combinations of conditions are tailored to each aircraft.
13. The computer readable medium of claim 11 wherein the description of combinations of conditions comprises multiple combinations of conditions including I/O descriptions, values, and expressions.
14. The computer readable medium of claim 11 wherein the description of combinations of conditions comprise inhibitors based on further conditions.
15. The computer readable medium of claim 11 wherein the method further comprises obtaining the values of conditions from sensors.
16. The computer readable medium of claim 11 wherein one condition comprises a command.
17. A computer readable medium having instructions for causing a computer to execute a method of initializing a monitor that identifies unsafe conditions for an aircraft, the method comprising:
creating an aircraft signal definition representative of combinations of conditions of the aircraft that represent potentially unsafe conditions;
translating the description to a binary form; and
loading the binary form on the monitor for identifying unsafe conditions.
18. The computer readable medium of claim 17 wherein the method further comprises adding identification of inputs and triggers for unsafe conditions to the aircraft signal definition.
19. The computer readable medium of claim 18 wherein the aircraft signal definition further comprises identification of unsafe condition dependent actions to be taken.
20. The computer readable medium of claim 17 wherein the method further comprises adding a nuisance suppression clause to the aircraft signal definition.
21. The computer readable medium of claim 17 wherein the method further comprises adding multiple condition names and IDs to the aircraft signal definition.
22. A computer readable medium having a data structure used to determine unsafe states of an aircraft, the data structure comprising:
identifications of multiple conditions;
identifications of inputs corresponding to the conditions; and
triggers specifying triggering values for combinations of inputs.
23. The computer readable medium of claim 22 and further comprising identifications of actions to be taken based on combinations of predetermined input values.
24. The computer readable medium of claim 22 wherein the inputs correspond to sensor readings from the aircraft.
25. The computer readable medium of claim 24 wherein selected inputs correspond to commands provided by operators of the aircraft.
26. The computer readable medium of claim 22 and further comprising inhibitors describing conditions that inhibit triggers.
27. The computer readable medium of claim 22 wherein the elements of the data structure a modifiable for each different type of aircraft.
28. The computer readable medium of claim 22 wherein the triggers comprise arithmetic or Boolean expressions.
29. A system that determines unsafe states for a vehicle, the system comprising:
a machine readable representation of combinations of triggers and conditions of the vehicle that represent potentially unsafe states;
a translator that converts the description to a binary form;
a plurality of input signals representing the state of the vehicle; and
a monitor that receives the input signals and executes the binary form of the description to determine actions when an unsafe state is detected.
US10/099,650 2002-03-14 2002-03-14 Aircraft signal definition for flight safety system monitoring system Expired - Lifetime US6631315B1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US10/099,650 US6631315B1 (en) 2002-03-14 2002-03-14 Aircraft signal definition for flight safety system monitoring system
PCT/US2003/007562 WO2003079040A2 (en) 2002-03-14 2003-03-13 Aircraft signal definition for flight safety system monitoring system
EP03714089A EP1573350A2 (en) 2002-03-14 2003-03-13 Aircraft signal definition for flight safety system monitoring system
AU2003218103A AU2003218103A1 (en) 2002-03-14 2003-03-13 Aircraft signal definition for flight safety system monitoring system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US10/099,650 US6631315B1 (en) 2002-03-14 2002-03-14 Aircraft signal definition for flight safety system monitoring system

Publications (2)

Publication Number Publication Date
US20030182031A1 true US20030182031A1 (en) 2003-09-25
US6631315B1 US6631315B1 (en) 2003-10-07

Family

ID=28039649

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/099,650 Expired - Lifetime US6631315B1 (en) 2002-03-14 2002-03-14 Aircraft signal definition for flight safety system monitoring system

Country Status (4)

Country Link
US (1) US6631315B1 (en)
EP (1) EP1573350A2 (en)
AU (1) AU2003218103A1 (en)
WO (1) WO2003079040A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080249678A1 (en) * 2005-09-23 2008-10-09 Thales Aircraft Failure Diagnostic Method and System
US20140188261A1 (en) * 2012-12-28 2014-07-03 Sunedison, Inc. Methods and systems for preventing unsafe operations

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007115140A2 (en) * 2006-03-31 2007-10-11 Alaka'i Technologies Aircraft-engine trend monitoring methods and systems

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3581014A (en) * 1970-02-09 1971-05-25 Northrop Corp Integrated system for reporting aircraft data
US3715718A (en) * 1970-08-11 1973-02-06 Sundstrand Data Control Ground proximity warning system utilizing radio and barometric altimeter combination
US4403220A (en) * 1980-02-05 1983-09-06 Donovan John S Radar system for collision avoidance
US4442491A (en) * 1981-06-23 1984-04-10 General Dynamics Corporation Training evaluation process
FR2615641B1 (en) * 1987-05-20 1989-08-18 Airbus Ind METHOD FOR DEVELOPING A STATISTICAL MODEL FOR DETERMINING THE WORKLOAD OF AN AIRCRAFT PILOT, RESULTING MODEL, DEVICE FOR CARRYING OUT SAID METHOD AND APPLICATIONS OF THE MODEL
US5311183A (en) * 1991-06-13 1994-05-10 Westinghouse Electric Corp. Windshear radar system with upper and lower elevation radar scans

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080249678A1 (en) * 2005-09-23 2008-10-09 Thales Aircraft Failure Diagnostic Method and System
US20140188261A1 (en) * 2012-12-28 2014-07-03 Sunedison, Inc. Methods and systems for preventing unsafe operations
US10032659B2 (en) * 2012-12-28 2018-07-24 Sunedison Semiconductor Limited (Uen201334164H) Methods and systems for preventing unsafe operations
US10361106B2 (en) 2012-12-28 2019-07-23 Globalwafers Co., Ltd. Methods and systems for preventing unsafe operations

Also Published As

Publication number Publication date
WO2003079040A2 (en) 2003-09-25
WO2003079040A3 (en) 2006-03-02
US6631315B1 (en) 2003-10-07
EP1573350A2 (en) 2005-09-14
AU2003218103A1 (en) 2003-09-29
AU2003218103A8 (en) 2003-09-29

Similar Documents

Publication Publication Date Title
US7088264B2 (en) Flight safety system monitoring combinations of state values
US10482774B2 (en) Management of notices to airmen
US5161158A (en) Failure analysis system
US8378853B2 (en) Intelligent crew alerting system and method for aircraft and other vehicle applications
US11238742B2 (en) Methods and systems for mitigating clearance ambiguities
Di Sorbo et al. Automated identification and qualitative characterization of safety concerns reported in uav software platforms
EP0750238A1 (en) Integrated ground collision avoidance system
US8229662B2 (en) Method for predicting collisions with obstacles on the ground and generating warnings, notably on board an aircraft
US11741841B2 (en) Method and system for updating a flight plan
US20220414213A1 (en) Adaptive cybersecurity for vehicles
US10417922B2 (en) Systems and methods for integrating terrain and weather avoidance for detection and avoidance
US6631315B1 (en) Aircraft signal definition for flight safety system monitoring system
US8712604B2 (en) Method and device for accessing the documentation of an aircraft according to alarms generated therein
Thomas et al. Imperfect automation in aviation traffic alerts: A review of conflict detection algorithms and their implications for human factors research
EP4102483A1 (en) Method and system for validating aviation data
US20220406194A1 (en) Contextual transcription augmentation methods and systems
US9189962B1 (en) System and methods for generating alert signals in a terrain awareness and warning system
CN108804522B (en) System for detecting the presence of exhaust vapors for an aircraft using composite visual images
Leiden et al. Context of human error in commercial aviation
Odisho II Predicting pilot misperception of runway excursion risk through machine learning algorithms of recorded flight data
US20240143937A1 (en) Transcription systems and methods for challenging clearances
EP4372721A1 (en) Transcription systems and methods for challenging clearances
US11994409B2 (en) Enriched aviation information notice
EP4273838A1 (en) System and process for correcting notams using a trained machine learning algorithm
Barry Using flight data in Bayesian networks and other methods to quantify airline operational risks.

Legal Events

Date Code Title Description
AS Assignment

Owner name: HONEYWELL INC., MINNESOTA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GIBBS, MICHAEL;OMEN, DEBI VAN;REEL/FRAME:012712/0027

Effective date: 20020305

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

FPAY Fee payment

Year of fee payment: 12