Active Model-based diagnosis -applied on the JAS39 Gripen ... · been applied on a model of the...

Active Model-based diagnosis-applied on the JAS39 Gripen fuel pressurization system

Diagnosis

Ronny Olsson

Reg nr: LiTH-ISY-EX-3264-2002

13 February 2002

Active Model-based diagnosis-appliedontheJAS39Gripenfuelpressurizationsystem

Master thesis performed at Vehicular systemsat Linköping Institute of Technology by

Ronny Olsson

Reg nr: LiTH-ISY-EX-3264-2002

Supervisors: Marcus Klein, Vehicular systems LiTH Martin Jareland, Saab AB

Examiner: Lars Nielsen, Vehicular systems LiTHLinköping 13 February 2002

Abstract

Traditional diagnosis has been performed with hardware redundancy and limitchecking. The development of more powerful computers have made a new kindof diagnosis possible. Todays computing power allows models of the system tobe run in real time and thus making model based diagnosis possible.

The objective with this thesis is to investigate the potential of model based diag-nosis, especially when combined with active diagnosis. The diagnosis system hasbeen applied on a model of the JAS39 Gripen fuel pressurization system.

With the sensors available today no satisfying diagnosis system can be built.However, by adding a couple of sensors and using active model based diagnosisall faults can be detected and isolated into a group of at most three components.

Since the diagnosis system in this thesis only had a model of the real system to betested at this thesis is not directly applicable on the real system. What can be usedis the diagnosis approach and the residuals and decision structure developed here.

Acknowledgement

This work has been carried out in cooperation with Saab AB. I would like tothank my supervisor at Saab AB, Martin Jareland, and my supervisor from LiTH,Marcus Klein, for all their guidance and support throughout this work.

I would also like to thank my colleagues at GDGT for making me feel so wel-come and for always taking the time for discussions and questions.

Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11.2 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21.3 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21.4 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21.5 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3

2 Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.1 Diagnosis background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52.2 General diagnosis theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62.3 Model-based diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72.4 Fault models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92.5 Test quantities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

2.5.1 Consistency relation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112.5.2 Observers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

2.6 Hypothesis tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162.7 Decision structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162.8 Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182.9 Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

2.9.1 Parametric model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202.9.2 Unique model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

3 Fuel system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.1 System description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243.2 Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

3.2.1 Pipes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263.2.2 Pressure regulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273.2.3 Volume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283.2.4 Controlled Vent Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293.2.5 Air ejector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303.2.6 Flame arrestor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303.2.7 Pressurization system . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31

4 Tank pressurization diagnosis . . . . . . . . . . . . . . . . . . . . . . .33

4.1 Fault categories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334.2 Fault modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

4.2.1 Pressure regulator and Controlled Vent Unit . . . . . . . . . . .354.2.2 Sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364.2.3 Leakage and Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . .364.2.4 Low ECS pressure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36

4.3 Diagnosis system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364.3.1 CVU in position All, regulator active. . . . . . . . . . . . . . . . .374.3.2 CVU in position All, regulator passive . . . . . . . . . . . . . . .454.3.3 CVU in position Part, regulator active . . . . . . . . . . . . . . . .48

4.4 Decision structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .504.5 Limited diagnosis system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52

4.5.1 Current sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .524.5.2 Added sensors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .524.5.3 Decision structure 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53

5 Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55

5.1 Achieved Decision structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .575.2 Validation conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62

6 Conclusions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63

6.1 Discussion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .636.1.1 General approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .636.1.2 Diagnosis system for the fuel pressurization. . . . . . . . . . .64

6.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65

Appendix A. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69

Appendix B. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

1

Chapter 1

Introduction

This chaptergivesan introductionanddescribestheobjective of this thesis.Thebackgroundto theassignmentis presentedtogetherwith thelimitations.An out-line for the reader is also given.

1.1 Introduction

SaabAB is an international,high technologycompany, active both in civil andmilitary industry. SaabAerospaceis a businessareawithin SaabAB, specializedin the developmentandproductionof the Gripencombatfighter. Gripen is thefirst operationalfourth generationaircraft, it usesintegratedcomputerizedsys-temsin orderto getair superiority. Informationis gatheredfrom all partsof theaircraft which provides new possibilitiesto useinformation for diagnosispur-poses.Theseinformationsystemsarecrucial for a safeflight andthereforeit isvery importantto supervisethem.This thesisinvestigatesthepossibilitiesto usemodel-based diagnosis in order to analyze the systems.

Thework of this masterthesishasbeenperformedat thesectionfor systemsim-ulationandthermalanalysisof generalsystems,underthebusinessunit Gripen,Linköping, Sweden.

Introduction

2

1.2 Objectives

Theobjective with this thesisis to investigatethepotentialof model-baseddiag-nosis,both in a future UnmannedAir Vehicleaswell as in Gripen.The useofactive diagnosiswill alsobepresented.Themain taskis to exemplify diagnosisconceptsby building a diagnosissystemfor the fuel tank pressurizationinGripen.An overview of thediagnosissystemsusedtodaywill bepresentedandnew methods within diagnosis will be investigated.

1.3 Background

Thegeneralaircraftsystemis complex, dynamicandnonlinear. Theseareall fac-torsthatmakesdiagnosiscomplicated.A combatfighteralsocontainsmany sub-systems,often crucial for the aircraft performance.It is thereforeimportanttosupervisethesesystemsin order to detectand if possibleisolateany malfunc-tions.Traditionally, systemsof this kind aresupervisedwith sensorredundancy,limit checkingor trendchecking.In a smallaircraft it is desirableto useaslittlehardwareaspossiblein orderto reduceweightandsave space.This is why newmethodslikemodel-baseddiagnosishavebecomemoreinteresting.Model-baseddiagnosisis an approachthat usesmoresoftwarethantraditionaldiagnosissys-tems.In model-baseddiagnosis,amodelof thesystemis built in softwareandthevaluesfrom themodelarecomparedwith thevaluesfrom thesystem.Tradition-ally software is only usedfor diagnosis,not model building. This thesiswillinvestigatethe potentialof usingmodel-baseddiagnosisasa complementto, orinstead of, hardware redundancy in aircraft systems.

The focusis held on the fuel system,which hasoriginally beendevelopedby asubcontractorbut is now maintainedand developedby SaabAerospace.Thisopensthe possibility to add new functionality and to investigate how model-based diagnosis can be used to improve the diagnosis in an aircraft system.

1.4 Limitations

Sinceno datafrom therealFuelSystemwasavailable,thesystemwasreplacedwith amodel.Saabhadalreadybuilt amodelof theFuelSystemin Easy5,asim-ulation softwareprovided by Boeing.The fuel systemcontainsfew sensorsandin orderto build aworkingdiagnosissystemmoresensorswereaddedto thesys-tem. The fuel system was also simplified into only two tanks.

Introduction

3

Themainobjective is to exemplify how a model-baseddiagnosissystemcanbebuilt, so the model in this systemis not optimizednor are the thresholdsopti-mized with statistic methods.

Sinceit is supposedto be unlikely for morethanonefault to occurat the sametime anda diagnosissystemfor multiple faultswould becomplex thediagnosissystem is limited to single faults.

The diagnosissystemis alsonot automated,that is, the faultsmustbe detectedand isolated by observing the residual results manually.

1.5 Outline

The theoryconcerningdiagnosis,model-baseddiagnosisandactive diagnosisispresentedin Chapter2. In Chapter3 the fuel pressurizationsystemis presentedandall componentsaredescribed,bothphysically andhow they aremodelled.InChapter4 the diagnosissystemfor the fuel pressurizationsystemis presented.All fault modesaredescribedandtheresidualsarepresented.Chapter5 containstheconclusionof theverificationof thesystem,togetherwith themostinterestingresults.In Chapter6 theresultsarediscussedandsuggestionsfor futurework aremade.In AppendixA all resultsfrom theverificationexperimentsarepresented.AppendixB containsa descriptionof the diagnosissystemasit is built in Sim-ulink.

Introduction

4

5

Chapter 2

Theory

This chapterintroducesthe theory and methodsusedin this thesis.The back-groundandmotivationof diagnosisarepresented.Someof theterminologyusedin theareaof diagnosisis describedin orderto simplify both theunderstandingand the reading.

2.1 Diagnosis background

Technicalsystemshave beenmanuallydiagnosedas long asthey have existed.When computersbecameavailable and more powerful, automaticdiagnosisbecamepossible.As the computingcapacityimproved moreadvancedsoftwarecouldbeused.In for examplemodel-baseddiagnosisanentiremodelof thesys-temis built in software.Thefirst reportsin theareaappearedin the70’sandauto-matic diagnosisis still an active researcharea.Few generaltheoriesexist andmuch work is still to be done.

Theory

6

2.2 General diagnosis theory

In orderto unify theterminologytheInternationalFederationof AutomaticCon-trol, (IFAC), hassuggestedsomecommonbasicterms.Thesetermsarepresentedbelow with a short explanation.The explanationsare basedon the definitionsmade by IFAC.

• Fault

A fault is anunpermitteddeviation of at leastonecharacteristicpropertyor vari-able of the system from acceptable/standard behavior.

• Failur e

A fault that implies permanentinterruptionof a systemsability to perform arequired function under specified operating conditions.

• Fault Detection

To determineif faultsarepresentin the systemandusuallyalsothe time whenthe fault occurred.

• Fault Isolation

Determinationof the locationof the fault, i.e. which componentor componentsthat have failed.

• Fault Identification

Determination of size and time-variant behavior of a fault.

• Fault Diagnosis

Two commonviews exists,thefirst includesfault detection,isolationandidenti-fication, the other only includes fault detection and isolation.

• Active Diagnosis

Whena diagnosisis performedby actively exciting thesystemto revealpossiblefaults.

• Passive Diagnosis

To passively observe the systemin order to detectand isolate faults withoutaffecting its operation.

Theory

7

In all kinds of diagnosisthe systembehavior is comparedwith its expectedbehavior. If the systemdoesnot act as expectedthe conclusionis drawn thatsomethingis wrong. Thereare several ways of comparingthe systemscurrentbehavior and its expected behavior.

Traditionally, diagnosishas been performed by limit checking, sensorsarecheckedagainsta setof datawhich is predefined.If a sensorvalueleavesits nor-mal rangeanalarmis generated.Thismethodhasacoupleof drawbacks,thesys-temmightbehave in differentwaysdependingontheoperatingconditions.If thisis thecasethedatasetmight have to bevery large in orderto cover all possibleworking conditionsor the thresholdsusedmight have to be generous.This wayof diagnosingthe systemis alsovery closelyconnectedto onespecificsystem.Sincethesetof datais adaptedto a specificsystemit might behardto reuseon asimilar system.

Anotherway of diagnosinga systemis to usemultiple sensors.This approachiscalledhardwareredundancy. Hardwareredundancy hastheadvantagethatevenifone sensorfails the systemmight still be able to function normally, using theworkingsensors.Thedrawbackis thatin orderto identify thefailing component,andnot just that some componentis failing, at leastthreesensorsmeasuringthesamevalueis needed.Theextra hardwareis expensive,addsweightandrequiresspace. Extra hardware also increase the complexity of the system.

Model-baseddiagnosisis the latest contribution to diagnosistheory. Model-baseddiagnosisoffers an opportunityto improve traditionaldiagnosisbasedonlimit checkingandhardwareredundancy. It couldbeusedon its own, but alsoasa complement to the above mentioned methods.

2.3 Model-based diagnosis

An alternative to the traditional approachesis model-baseddiagnosis.Thisapproachmight be usedon its own or as a complementto other methods.Inmodel-baseddiagnosisa softwaremodelof thesystemis built andthesystemiscomparedwith themodel,seeFigure2.1.If themodelis correctthesystemsout-put shouldbeequal,or closeto, theoutputfrom themodel,giventhesameinput.Thesevaluescanthenbecomparedandfaultscanbedetectedandin somecasesalso isolated and identified.

Comparedto the traditional methodsmodel-baseddiagnosishas potentially acouple of advantages.

Theory

8

• Smaller faults can be detected and the detection time is shorter. This is dueto thefactthatthethresholdscanbekeptcloserto theoptimalcasesincethemodel should be designed to function under all working conditions.

• It is valid for the entire working range.• It can be performed passively as well as actively.• Isolation and sometimes identification becomes possible.• Disturbances can be compensated for which makes it possible to diagnose

faults in spite of the presence of disturbances.• Compared to hardware redundancy model-based diagnosis is suitable for

more kinds of components. Some components might not be possible toduplicate and other components than sensors might be modelled.

• Model-based diagnosis also offers the opportunity to re-use models ormodel components, in some cases only parameter changes or some othersmaller adjustments have to be made.

• If a model for the control system is already built, which is often the case,that model could with small adjustments be used also for diagnosis.

Figure 2.1: Basic diagnosis system

Process

Model

Test quantitygenerator

Decisionlogic

faults disturbances

u(t)

y(t)

Diagnosis statement

Theory

9

Theproblemwith model-baseddiagnosisis theneedof a reliablemodelandper-hapsalsoa morecomplex designprocedure.In orderto build a satisfyingmodelgoodsystemknowledgeis needed.Thelimiting factorof theperformanceis usu-ally theaccuracy of themodel.Muchwork mustbedonein orderto getasatisfy-ing model. Model-baseddiagnosissometimesalso requiresmore computingcapability.

Therearealsosituationswheremodel-baseddiagnosisnot fully canreplacehard-wareredundancy. Critical componentsin for exampleanairplanemight have tobe duplicatedso that it is possibleto switch from a failing sensorto a workingone. Model-baseddiagnosisdoeson the other hand offer the opportunity toswitch to the model if the hardware fails. If the diagnosissystemfor exampleidentify a sensorasthe failing componentit is possibleto keeprunningthesys-tem,usingthevaluesfrom themodelinsteadof thevaluesfrom thesensor. Thisapproach is referred to as Fault Tolerant Control, (FTC).

2.4 Fault models

In adiagnosissystemnotonly thesystemhasto bemodelled,alsothefaultsneedto bemodelledin orderto bedetected.A faultmodelis a representationof possi-ble faultsandhow they affect thesystem.If anunmodelledfaultoccurs,thediag-nosissystemwill not beableto give a correctdiagnose.All faultsmight not bepossibleto model and which onesto model requiresgood systemknowledge.Thereareseveralwaysto modela fault, seeNyberg andFrisk [8], but thesearethe most common fault models.

• Fault signals

A fault can be modelled as an additive signal, typically:

(2.1)

where

yobs(t) = observed value

ycorr(t) = correct value

f(t) = fault signal

This is the most generalway of modelling a fault, it can describeall typesoffaults.It is oftenusedfor sensorfaultsof thetype“off sets”.Unfortunatelygen-eral fault models makes fault isolation difficult.

yobs t( ) ycorr t( ) f t( )+=

Theory

10

• Deviations in constant parameters

A fault can also be modelled as a deviation of a constant parameter, typically:

(2.2)

where

y(t) = Measured valuek = constantf(t) = Fault signal, zero in the fault free case.u(t) = Input

Sensorfaultsareoften modelledthis way if they areof the type “gain errors”.This faultmodelis alsousefulwhenthesignalin thefault freecasehasa low andconstantvariance,i.e. thedeviationsfrom themeanvalueof thesignalaresmall.Whena fault is presentthevarianceis still constantbut higher, i.e. thedeviationsarebigger. Thereare also somefaults that consistof a deviation of a physicalparameter, these faults are also suited for this kind of fault model.

A faultmightbehave in many differentways,usuallythefault canbecategorizedinto one of the following groups, also shown in Figure 2.2.

• Incipient faults

Incipient faults are faults that graduallydevelop to a larger and larger fault. Itmightoccurfor examplewhenacomponentis wornoutor developingcalibrationerrors of a sensor.

• Intermittent faults

Intermittentfaultsarefaultsthatoccuranddisappearrepeatedly, typically a looseconnection.

• Abrupt changes

Whena variablesuddenlychangesits value,a typical exampleis a componentthat suddenly breaks.

y t( ) k f t( )+( )u t( )=

f t( )0 NF{ }

K NF{ }C

=

Theory

11

Figure 2.2: Different fault behavior

2.5 Test quantities

Test quantitiesare relationsbetweenthe measuredvaluesand data from themodel.The idea is that when a fault is not presentthe test quantity shouldbesmallandwhena fault is presentit shoulddeviatesignificantlyfrom zero.A testquantityshould,in orderto make fault isolationpossible,be designedin suchaway that someof the faultsaredecoupled.That a fault is decoupledmeansthatthe fault doesnot effect the test quantity in any way. By decouplingdifferentfaultsfrom differenttestquantitiesit becomespossibleto isolatefaults.Therearea numberof ways to constructtest quantitiesand someof them are presentedbelow.

2.5.1 Consistency relation

A consistency relationis adirectrelationbetweenactuatorandmeasurementsig-nals.It is themostcommonlyusedtestquantitydueto its simplicity. Whencom-paringthevaluesfrom themodelwith themeasurementsthedifferencebetweenthe values is called a residual.

1 2 3 4 5 6 70Time [s]

0.5

faul

t am

plitu

de

incipient faultabrupt changeintermittent fault

Theory

12

If we for examplecomparethemeasuredpressurePmeaswith themodelledpres-

sure Pmod the residual R is received as:

(2.3)

It is alsopossibleto comparetwo valuesfrom themodel,if therearetwo waystoreceive the samevalue, i.e. two functionswith differentvariablesthat give thesame result. For example:

(2.4)

TheresidualR is what latercanbeusedto isolatethefault with hypothesistestsin a decision structure. The residual has to fulfill two important demands.

The residualthat describesthe physical relationsmustbe zero in the fault freecaseandthe residualhasto be non-zerowhena fault is present.Theserequire-ments are important if the residual is to be used in a decision structure.

Example.1

Considerthe massM below, affectedby the two forcesFfriction andF. Newtons

equations gives the following consistency relation:

Rewritten as:

R Pmeas Pmod–=

R P1 x1( ) P1 x2( )–=

F Ma Ff riction+=

F Ff ri ction– Ma– 0=

MF

Ffriction

a

Theory

13

F is anactuatorsignal,andtheactuatorsignalis known in thefault freecase.Theaccelerationis a sensorsignalandFfriction is a known disturbance.If theactuator

signal F is to be supervised, and the actuator signal can be divided as:

Then the residual can be written as:

-------------------------------------------------------------------------------------

In this example the two requirements are fulfilled.

In thenonlinearcaseit is usuallyharderto form residualgeneratorswith desireddecouplingproperties.Thereareno generaltheorieslike therewerein thelinearcase.If higherorderderivativesarepresentit might be a goodideato decouplethemsincethey areusuallyhardto measure.Onewayof dealingwith derivativesand compute the residual is to approximate the differentiated variables.

(2.5)

This methodmay not alwaysbe sufficient andotherstrategies thenhave to bechosen.Theproblemcanalsobesolvedby transformingtheconsistency relation,for reasonablysmallsystemsthis is possibleto doby hand,but for morecomplexsystemsthismightbeverydifficult. Themethodis bestpresentedby anexample.

Example.2

Consider a system described by the following differential equation.

In theseequationsf is anactuatorfault thathasto besupervised.By differentiat-ing the measurementequationand eliminating x a consistency relation is pro-duced.

F F1 faul t+=

faul t Ma F1– Ff riction+=

x̂̇s

sTd 1+------------------y=

ẋ x( )3sin– u f+( )2⋅=y x u f+( )+=

ẏ y u–( ) u2⋅3

sin u̇–+ h y u f, ,( )=

Theory

14

In theseequationsthetimederivativesareassumedto beunknown, thereforesta-ble first-order dynamics is added to these equations.

By rewriting this equation the following relation is received.

The internal form of this filter is:

-------------------------------------------------------------------------------------

This example was taken from Frisk [1], page 73.

As mentionedearlierthe theorybehindnon linear consistency relationsis com-plicatedandwill not becoveredfurtherin this thesis,for a morecompleteexam-ination of this theory see Frisk [1], or Nyberg and Frisk [8].

2.5.2 Observers

Anotherway of generatinga testquantity is to usean observer. Observersaremorepowerful thanconsistency relationsbut arealsomorecomplex andharderto work with. It canbehardto geta intuitive feelingof how theobserver is work-ing, seeGustafssonet al. [5] or GladandLjung [3] for moreinformation.Somemajor difficulties with observers are:

• Observer structure and to ensure stability.• Decoupling of faults and disturbances.

A numberof differentobserverscanbegenerated,considerfor examplethesys-tem below.

h u y f, ,( ) ḟ y u– f–( )3 u f+( )2 y u–( )3 u2⋅sin+⋅sin–=

r α ṙ⋅+ ẏ y u–( ) u2⋅3

sin u̇–+=

ż zα---–

1α--- y u–( )– y u–( )3 u2⋅sin+=

r zα---

1α--- y u–( )+=

r α ṙ⋅+ h u u f, ,( )=

Theory

15

(2.6)

ThematrixesA, B andC areknown andu andy canbemeasured,x0 is theinitial

valueandx is unknown. Oneway of estimatingx would be to simulatethesys-tem using the real signal u.

(2.7)

This estimationwill not beperfectsincetheequationshave differentinitial val-ues.Thissystemis alsoverysensitive to disturbances.Onewayof improving thisobserver would be to usethe informationin y. If the simulationwasperfecttheestimatedoutputwouldbeequalto theoutputfrom therealsystem.Thus,thefol-lowing signal can be used to improve the observer.

(2.8)

In this equationK is a [n x m]-dimensionalmatrix which feedsbacktheestima-tion quality. Thereareseveralwaysof choosingK but onegoodway is to useaKalmanfilter, seeGustafssonet al. [5]. TheKalmanfilter ensuresstability in thelinearcase.Thereis no generalway of doing this in thenon-linearcasebut oneapproachis to linearizethesystemarounda numberof working pointsandthenuselinearmethods.This givesanobserver which is likely to work in a surround-ing of the working points.

Theobserver canthenbeusedto comparetheestimatedvaluewith themeasuredvalue, producing a residual in the same way as for a consistency relation.

Consistency relationsarebettersuitedfor linear systemswheresimplemodelscanbebuilt. In thelinearcasethesystemcanbemodelledasafilter which is easyto transforminto a consistency relation.Filtersarewell suitedfor real time sys-tems since the calculations are simpler then when an observer structure is used.

Observers are better suited in the non-linearcase,where filters are hardertodesign,especiallyin combinationwith linearization.Thedrawbackwith observ-ers is the additionalcalculationsthat have to be madein order to estimatethe

ẋ A= x Bu

y Cx

x 0( ) x0==

+

x̂̇ Ax̂ Bu

x̂ 0( ) x̂0=

+=

x̂̇ Ax̂ Bu K y Cx̂–( )+ +=

Theory

16

futurevalueof thesignal.SeeNyberg andFrisk [8] or Frisk [1] for moreinfor-mation about nonlinear residual generation.

2.6 Hypothesis tests

Formally thehypothesistesthastwo regions.Thenull hypothesistest,H0, is that

the fault modepresentin theprocessbelongsto thesetM of fault modes.H1 isthe alternative hypothesis,and it meansthat the presentfault mode doesnot

belongto M. That is, if H0 is rejectedandH1 acceptedthe fault mustbelongto

thecomplementof M, i.e. Mc. Eachhypothesistestgivesadditionalinformationof which fault modesthat canbe present.Togetherwith the decisionlogic thisinformation is used to form a diagnosis statement.

The null hypothesis and the alternative hypothesis can formally be written as:

H0: Fp ∈ Μ “The faults in M can explain data”

H1: Fp ∈ Μc “No fault in M can explain data”

It is importantto rememberthe conventionthat whenH0 is rejectedwe assume

that H1 is true, but when H0 is not rejected we do not assume anything.

Eachhypothesistestshouldcontaina rejectionregion, a subsetwherethe nullhypothesisis rejected.Thetestquantities,Tk(x), arecomparedwith somethresh-

old Jk. If Tk(x) ≥ Jk thenH0 is rejected.This statementcould actuallyalsobeusedasthedefinitionof therejectionregion.A setof hypothesistestscanthenbeusedto form an influencestructureor a decisionstructure.The influencestruc-turedescribeshow the faults ideally affect the testquantitieswhile thedecisionstructure describes how the fault diagnose depends on the test quantities.

2.7 Decision structure

By using test quantitiesthat decoupledifferent setsof faults and performinghypothesistestson thesethe fault canbe detectedandhopefully also isolated.Eachtestquantityhasacorrespondinghypothesistest.Whena fault is decoupledin a testquantitythis meansthat the hypothesistestwill not besensitive to thatparticular fault.

Theory

17

It is usefulto setup an influencestructurein orderto seehow the faultsideallyaffect the test quantities.Ideal in this casemeansthat no unmodelleddistur-bancesexist andthereis nonoisepresent.An influencestructureis amatrix,builtup with 0:s, 1:s and X:s. Below is an example of an influence structure.

Table 1: Influence structure

A 1 in thek:th row andj:th columnmeansthatTk(x) will beaffectedof all faults

belongingto the fault modeof the j:th column.A 0 in thek:th row andj:th col-umnmeansthatif thefault modepresentin thesystemis equalto thefault modeof thej:th column,thenTk(x) will not beaffected,i.e. thatfault is decoupled.An

X in thek:th row andj:th columnmeansthatfor somebut notall faultsbelongingto thefaultmodeof thej:th column,Tk(x) will beaffected.TheX:s couldbeseen

as “don’t care”.

Unfortunatelytheidealcaseis rarelypresent,thereforeit is necessaryto relaxtheconditionsandreplacetheinfluencestructurewith a decisionstructure.In realitysomeof the1:sin theinfluencestructuremightappearin suchawaythatit is bet-ter to replacethemwith anX, in ordernot to draw falseconclusions.The influ-encestructureabove can then for example be transformedinto the followingdecision structure.

Table 2: Decision structure

Fromthedecisionstructureit is possibleto seewhich testswill respondto a par-ticular fault.For examplein Table2 it canbeseenthat if no fault,NF, is presentno test will respond, but if F2 is present bothδ2(x) andδ3(x) may respond.

T1(x)T2(x)T3(x)

NF F1 F2 F3

0 0 1 0

0 0 1 1

0 X 0 1

δ1(x)δ2(x)δ3(x)

NF F1 F2 F3

0 0 X 00 0 X 1

0 X 0 X

Theory

18

Example.3

Giventhedecisionstructurein Table2, assumethatδ1(x) andδ2(x) react,show-

ing that and are rejected. The following diagnosis is then received:

-------------------------------------------------------------------------------------

In thisequationΩ is thesetof all faults.Obviously thefault is isolatedto befaultmode 2.

2.8 Thresholds

Whencomparingthevaluesfrom themodelwith thevaluesfrom thesystemonecannot expectthevaluesto beexactly thesame.Dueto modelerrors,measure-mentnoiseanddisturbancestheresidualcannot beexpectedto beexactly zero.This forcesusto usethresholdsin orderto avoid falsealarms.If Tk(x) is thetest

quantity and Jk is the threshold this can be written:

H0 is not rejected if Tk < Jk

H0 is rejected if Tk ≥ Jk

Thetestquantitycanalsobebasedon thelikelihoodfunctionandin thatcasetherelations are reversed, see Nyberg and Frisk [8].

It is not obvioushow to setthethresholdsin sucha way that faultseasilycanbedetectedat thesametime asthenumberof falsealarmsareminimized.Onewayof settingthethresholdsis to performa largenumberof simulations.No simula-tionswill give exactly thesameresultsincenoiseis present.Thenoiseis chosenaswhite noise.Thethresholdis thensetaccordingto a worstcasescenario.Thiswill give a systemthat is unlikely to fire falsealarmsbut unfortunatelythereis arisk for misseddetectioninstead.The thresholdsmight be set so high that analarm is not even generated when a fault is present.

Thelevel of theconstantandtimeinvariantthresholdscanalsobecalculatedwithstatisticmethods.By runningthe systemandobserve the varianceof the signalthe thresholdcanbesetto a valuewherethe risk of falsealarmsis for example5% or the risk for missed detection is for example 3%.

H10 H2

0

S F2{ } F2 F3,{ } Ω F2=∩ ∩=

Theory

19

Whenonly whitenoiseis present,constantandtime invariantthresholdsis appli-cable,but this is howeverrarelythecase.It is thereforeusuallybetterto useadap-tive thresholds.Thesethresholdsarebasedon knowledgeof modeluncertaintiesand adaptthemselves to the currentoperatingcondition. When known modeluncertaintiesaresmall thethresholdscanbekeptsmallandwheretheuncertain-tiesarelarger thethresholdsareenlargedin orderto avoid falsealarms.No gen-eral methodfor adaptive thresholdsexists but a commonlyusedstructureis theone presented in equation (2.9), see Nyberg and Frisk [8].

(2.9)

The ideawith adaptive thresholdsis to adaptthe thresholdto the modeluncer-tainties.HFD andHLP arelinearfilters,k andc areconstantsandp is thedifferen-

tiating operator. The filter HFD handlesweighting in frequency domain, the

thresholdis madelarge for the frequencieswherethe model is moreuncertainandsmall wherethe model is moreaccurate.Filter HLP is a low passfilter for

handlinghigh frequency disturbances.Theconstantc is determinedby measure-ment noiseand also preventsthe thresholdfrom equalingzero when the inputsignal is zero. The constant k controls how generous the threshold should be.

Figure 2.3: Adaptive threshold

Jadp t( ) kHLP p( ) HFD p( )u t( ) c+( )=

20 40 60 80 100 1200.7

0.8

0.9

1

1.1

1.2

1.3

1.4

1.5

x 105

Time [s]

Pre

ssur

e(Pa)

Measured signalThreshold

Theory

20

In Figure 2.3 the function of an adaptive thresholdis shown. The thresholdbecomesmoregenerouswhenthesystemis dynamicsincethemodelin thiscaseis lessaccuratein thesystemsdynamicpartsbut very accuratein steadystate.Itis actuallyoftenthecasethatthemodelis uncertainfor high frequenciesandthusHFD is often designed to make the threshold generous in these cases.

As wasmentionedabove thereis nogeneralmethodto constructadaptive thresh-olds.By usingstatisticmethodsit is possibleto seewhatmodeluncertaintiesthataffect the diagnosissystemthe most.By usingMonte Carlo simulationsbetteradaptive thresholdscanbebuilt. Theideais to performa lot of simulations,eachwith slightly differentvariablesandwith sensornoisepresent,andthenusesta-tistic methodsto calculatethe level of the thresholdsin orderto minimize falsealarmsand maximizethe systemsability to detectand isolatefaults.Sincenohardwarecomponentshave anexactvaluethis methodmakesit possibleto con-struct thresholdswith betterperformancethan if just onesimulationwascom-paredto therealsystemin orderto find out for which frequenciesthethresholdsshould be more generous.

Sincethesimulationsarevery time consumingthis methodhasnot beenusedinthis thesis,the systemhasonly beencomparedwith the model in onecaseandthe thresholds are constructed ad. hoc. according to equation (2.9).

2.9 Models

In model-baseddiagnosismodelbuilding is essential.Theresultsfrom thediag-nosissystemaredirectly dependenton how accuratethemodelis. Sincetheval-uesfrom the modelwill be comparedwith the valuesfrom the physical systemthey mustbehave in thesameway if notunacceptablylargethresholdsneedto beused.Thereare several ways of building a software model and two commonwayswill bepresentedhere.For a full descriptionof differentmodeldesigns,seeGlad and Ljung [4].

2.9.1 Parametric model

Oneway of constructinga modelis to ignorethesystemsphysicalstructureandonly observe the input and output. By using someidentificationsoftware, forexampletheSystemIdentificationToolbox(SITB) in Matlab, thesystemcanbeparameterized,theseparameterscanthenbeusedwhenbuilding a mathematicalmodelof thesystem.Theadvantageswith thiskind of modelis thattheuserdoesnothave to botherwith theinternalbehavior of thesystem,only inputandoutput

Theory

21

matters.Sometimesthe systemis so complex that it is impossibleto setup anyothermodel.This kind of modelis sometimesreferredto asa blackbox model.Parametricmodelscanbevery hardto build if thesystemis non linearor regu-latedsincetheidentificationsoftwaredoesoftennotsupportidentificationof nonlinearmodels.Whensomebut not all of thesystemsinternalbehavior is known,this informationcouldbeaddedto themodel,giving uswhatis calleda grey boxmodel.

A common linear model is the Box-Jenkins model in (2.10).

(2.10)

where e(t) is white noise and:

B(q) =b1+b2q-1+...+bnbq

-nb+1

C(q) = 1+c1q-1+...+cncq

-nc

D(q) = 1+d1q-1+...+dndq

-nd

F(q) = 1+f1q-1+...+fnfq

-nf

Box-Jenkinsmodelcanbesimplifiedby for exampleignoringto modelthenoise,i.e. to say that C(q)/D(q)=1.Thereare also other variationsof this model butthese will not be presented here.

Whenbuilding thiskind of modelthesystemsin- andoutputneedto beobserved.It is importantto chooseinput sothat thesystemsbehavior is revealed.Thustheinput hasto excite thesystemasmuchaspossible.This is not alwayseasysinceit might bea working systemandthenonly ordinarysignalscanbeused.Muchwork shouldbeput in thechoiceof input,somecommoninputsarenoiseor tele-graphsignals.SeeGlad and Ljung [4] for more information aboutparametricmodels.

2.9.2 Unique model

If thesystemsphysicalbehavior is easyto understandandthesystemis not to bigor complex it mightbeagoodideato build auniquemodel.In thiskind of modelbuilding every physical relationshipis modelledasequationsin somesoftwarelanguage,for exampleSimulink in Matlab. Naturally this demandsgoodsystemknowledge and good understandingof how each elementwithin the systemworks.It hastheadvantagethatthemodeldoesnotwasteany parametersonesti-matingredundantinformation,whichmightbethecasewith aparametricmodel.

y t( ) B q( )F q( )------------u t nk–( )

C q( )D q( )------------e t( )+=

Theory

22

A uniquemodel also makes it easierto estimatewhetherthe resultsfrom themodelareaccurateor not.Sinceeveryphysicalcomponentis consideredit is alsoeasierto understandhow a fault influencesthesystemandthefault is alsoeasierto model.

If auniqueor aparametricmodelshouldbeusedoftendependson theidentifica-tion softwareavailableandif thesystemcontainsnonlinearelementsor is regu-lated in some way.

Below is a unique model of the earlier mentioned mass example.

Figure 2.4: Mass example

Product

500

Mass

1

Friction force

10

Actuator force

0.018

Acceleration

/home/goofy101/ronol/Tanktryck/Massexample.mdl

Massexample

page 1/1printed 21−Nov−2001 12:41

23

Chapter 3

Fuel system

In this chapter the Gripen Fuel System will be described. The system will bedescribed both on a general level and also with focus on the fuel tank pressuriza-tion and its components. The mathematical description of these components willbe presented in section 3.2 and in section 3.3 the complete fuel pressurizationmodel will be presented.

Figure 3.1: JAS 39 Gripen fuel system

Fuel system

24

3.1 System description

TheGripenfuel systemhasseveral tasks,of which themostimportantis to pro-vide fuel to theengine,but thesystemis alsohelpingtheaircraft to optimizethecenterof gravity by moving fuel betweentheinternaltanks.Fuelis alsousedasacoolingmediumfor someof theelectronicson board.The fuel tankshave to bepressurizedfor several reasons,if the fuel is not kept underpressurethereis arisk of cavitation problemsespeciallyat higheraltitudes.Thepressurizationalsohelpswhenmoving fuel betweenthetanks.Anotherimportanttaskis to helptheengineto suckin fuel if thefuel pumpshouldbreakdown. In this thesisthefocusis on fuel tank pressurization.The entirefuel systemwith all fuel tankscanbeseen in Figure 3.1.

The air that suppliesthe fuel systemis provided by the environmentalcontrolsystem,ECS.The air is dry, cold, and hasbeencleanedby the environmentalcontrolsystembeforeit entersthefuel system.As theair entersthefuel tanksitpassesa pressureregulator. This regulatoris setto keepthepressurein theCon-trolledVentUnit, CVU, at25kPaoverambientpressureatall times.Theair thenflows throughanair ejectorwhich addsextra airflow into thetanks.Theair ejec-tor also helpswith ventilating the tanksat refueling or fuel transfer. It is con-nected to a vent tank, kept at ambient air pressure at all times.

Figure 3.2: Pressurization System Principle

CVU

T1

T3

WT DT

Vent tank

Flame arrestor

Air ejector

Pressureregulator

Air cleaner

Airsupply

Ambient air

Air pressure reference

T2

J1-A-A4009-AA-02

Fuel system

25

As the air leaves the air ejectorit entersthe CVU, the CVU is responsiblefordividing theairflow to thedifferenttanks.TheCVU hasthreedifferentpositions,All, Partial, and Medium. PositionMedium is only usedduring refueling.Alltanksarethenventilatedinto thevent tank,makingroomfor the fuel. WhentheCVU is in position All, all tanksare pressurized.When in position Partial, alltanksexcepttank1 arepressurized.Thereasonwhy tank1 is notalwayspressur-ized is becausethe fuel pumptakesthe fuel from tank 1 andthereforeall othertanksshouldbepressurizedin orderto helpwith the fuel transferto tank1. Thefuel tank pressurization principle can be seen in figure Figure 3.2.

3.2 Components

For a betterunderstandingof how the systemis operatingandhow it hasbeenmodelled,eachcomponentwill herebedescribed.Both thefunctionalityandthemathematicalexpressionof the componentsperformancewill be presented.Below is afigureof therefuelandfuel transfersystem,with all tanks,pumpsandthe most important valves.

Figure 3.3: Refuel and fuel transfer system

Fuel system

26

Noticethatonly oneboostpumpis used,a ratheruniquesolutionin orderto savespaceandweight.Thisalsomakesthefuel pressurizationmoreimportantwhenitcomesto the aspectof fuel transfer. Notice also the air to air refueling probe,designed for the export version of JAS 39 Gripen.

3.2.1 Pipes

Thepipesin thefuel systemaremodelledasorifices.An orifice is a flow restric-tion in a duct.Orificesarewell suitedwhenmodellingturbulentairflows, whichis generally the case in the fuel system.

Figure 3.4: Orifice

The flow through an orifice is modelled by:

(3.1)

where

= mass flow [kg/s]

A = orifice area [m2]Pu = upstream pressure [Pa] (abs)

Pd = downstream pressure [Pa] (abs)

T = temperature [K]R = gas constant = 287 [J/(kgK)]K(Pu/Pd) = look-up-table [-]

The valuesof K(Pu/Pd) from the look-up-tabledependson the valuesof Pu/Pd,

the geometricshapeof the flow restrictionandon the fluid flowing throughtheorifice.

air flow

Orifice

ṁA K Pu⋅ ⋅

R T⋅-----------------------

PuPd------⋅=

ṁ

Fuel system

27

3.2.2 Pressure regulator

Thepressureregulatorhastwo mainassignments.To regulatethepressurein thetanksto 25±5 kPaoverambientair pressurewhenthetanksareto bepressurizedandto cut theairflow to thetankswhentheyarenot to bepressurized.Thepres-sureregulatoris fed with air by theECSandthentheairflow passestheair ejec-tor. Therearealsotwo otherconnections.Onefor referencepressurefrom CVUand one for the surroundingair pressure.The pressureregulator works like avalve.A valve is modelledasanorificewith variablearea.Thevalvesusedin themodel of the fuel system are of the same principal type as “butterfly valves”.

Figure 3.5: Butterfly valve

Theflow throughthebutterfly valve is controlledby anactuator,regulatingtheangleϕ. Whenϕ=0˚ thevalveis completelyclosedandwhenϕ=90˚ thevalveiscompletelyopen.The flow throughthe valve canbe calculatedby using(3.1).Alternatively the following formula might be used.

(3.2)

where

C = constant of proportionality

ϕAirflow

Shaft Disk

Duct

ṁ A C⋅T

------------= Pu2 Pd

2–

kgNs------- K

Fuel system

28

Theareais however asmentionedearliernot constant.Theeffective areaof thevalve has to be calculated by measuring angle position of the shaft using:

(3.3)

where

Aeff = effective area [m2]

A0 = maximum effective area [m2]

ϕ = valve angle [°]

Theactuatorthat regulatestheangleis controlledby anordinaryPI-regulatorinthemodel.Theproportionalityandintegral constantshavebeenadaptedto fit the“real system”.The pressureregulator is an active component,that is, it canbecontrolledin order to excite the system.This makes it possibleto createaddi-tional residuals and thereby enhance the ability to diagnose the system.

3.2.3 Volume

Thevolumein thetanksaswell asthetemperatureareconsideredto beconstantat thetimeof measurementandcalculation.Thismightseemto bea limiting fac-tor but the measurementand calculating processis so fast that any volumechanges due to fuel consumption etc. are negligible.

Figure 3.6: Volume

Sincethevolumeis constantandthegasmassflow into thevolumeis known thepressure can be calculated using the ideal gas law.

(3.4)

where

P = pressure [Pa]

V = volume [m3]m = gas mass in volume [kg]R = gas constant = 287 [J/(kgK)]T = temperature [K]

Aef f A0 1 ϕcos–( )=

P,V,T

PV mRT=

Fuel system

29

Sinceall variablesexceptthegasmassareconstantthe idealgaslaw caneasilybedifferentiated.Thetemperatureis in factnotconstantbut it canbesetconstantsincethe temperatureis known at all timesandthereforeeasilycanbe put intothe equation.According to the simulationsmadethis solution is satisfyinglyaccurate.By differentiatingwe get the rateof changein air pressure,which isusedas feed back to the pressureregulator. The masschangeis calculatedasmass flow in minus mass flow out.

(3.5)

The differentiation of the ideal gas law now gives us:

(3.6)

3.2.4 Controlled Vent Unit

The ControlledVent Unit, CVU, is an importantpart of the fuel pressurizationsystem. It has the following assignments:

• Ensure that the tanks are ventilated during refueling.• Keep all tanks except T1 pressurized during flight.• Keeping T1 pressurized when ordered.• Protect the tanks against large pressure differences.• Send out an alert if the pressure is to high or to low.

The CVU is basicallyworking like a switch, it hasthreepositions,All, PartialandMedium.WhentheCVU is setin positionAll, it keepsall tankspressurizedby allowing air to flow from thepressureregulatorout into thetanks.Whenit isset in position Partial the CVU cuts off the flow to T1 and therebyall tanksexceptT1 getspressurized.PositionMedium is usedduring refueling.Wheninposition Medium the CVU allows all tanks to be ventilatedand thus makingroom for the fuel. The CVU also hastwo pressureswitches,indicating if thepressureis to high or to low, theseswitchesarein themodelreplacedwith pres-suresensorsin the tanks.In additionto this it hasa relief valve thatprotectsthetanks against high pressure differences.

The CVU is in Simulink modelledasa switch with threepositions.The reliefvalve is modelled as an orifice connected to surrounding air pressure.

ṁ ṁin ṁout–=

ṖRTV

-------- ṁin ṁout–( )=

Fuel system

30

3.2.5 Air ejector

Theair ejectoris asimpleconstructionwith acomplicatedbehavior. Its maintaskis to feedtheCVU with air duringpressurizationof thetanks.Theprimaryflowfrom the pressureregulatordrivesthe secondaryflow from the ventilationtank.Whentheair pressurefrom theregulatoris higherthanthepressurein the tanksair flows from the regulator throughthe air ejector, inducing a secondaryflowfrom the vent tank. Theseairflows thenmix andflow throughthe CVU to thetanks that are to be pressurized, see Figure 3.7 and equation (3.7).

Whentheair pressurein the tanksis higherthanthepressurefrom thepressureregulatortheejectorcutsoff theflow from thepressureregulatorin orderto pre-vent fuel from enteringthepressureregulator. Thesecondaryflow openingstaysopen at all times, allowing the tanks to ventilate also this way.

(3.7)

Figure 3.7: Air ejector

The Simulink model of the air ejector is basedon the behavior of the ejectorratherthanon the physical equationsdescribingit. It is modelledasa low passfilter togetherwith a leakagefrom the tanks,correspondingto the leakagewhenthe pressureregulator is deactivatedor the pressureis higher in the fuel tanksthan in the pressure regulator.

3.2.6 Flame arrestor

The flamearrestoris basicallyan orifice to ambientair, andit is alsomodelledlike an orifice. It is designedto prevent externalfire to spreadinto the fuel sys-tem. That is, the fuel or fuel gasesthat leak out from the vent pipe might be

FlowToCVU PrimaryFlow SecondaryFlow+=

Primary flow

Secondary flow

Secondary flow

Flow to CVU

Fuel system

31

ignited andthe flamearrestorcontainsa device that prevent the flamesto reachthevent tank.Massflow equation(3.2) is usedto calculatethepressurelossoutto ambient air.

3.2.7 Pressurization system

Thetwo mostcritical partsof thefuel pressurizationsystemarethepressurereg-ulatorandtheControlledVentUnit, CVU. They control thelevel of thepressureandalsowhich tanksthat areto be pressurized.The pressureregulatorandtheCVU are also the most complex componentsin the fuel pressurizationsystemandthustheonesthatarehardestto build anaccuratemodelof. Figure3.8showsa moredetailedfigureof thefuel pressurizationsystem,with extra attentionpaidto the CVU.

Figure 3.8: Function of the Controlled Vent Unit

CVU ControlledVent Unit

T2A Vent Tank

Vent Pipe

T1F T1A T3

T2F

Pressure Regulator

Air Cleaner

ECS

NGT

Drop Tank

T4 T5

Air Ejector

J1-A-370000-G-S3627-72398-A-01-2

Fuel system

32

33

Chapter 4

Tank pressurization diagnosis

In this chapter, thediagnosissystemfor the tankpressurizationis described.Allresidualsarepresentedtogetherwith thedecisionstructurethatmakesfault isola-tion possible.Eachfault modeis testedagainst the Easy5modelandpresentedtogetherwith their thresholds.First a generalsolutionis presentedandthenthesystemwill be limited to thenumberof sensorsmostlikely to beadded,andtheuseof model-baseddiagnosisin this caseis alsodiscussed.In this chapteronlythe theoreticalbehavior of the systemis discussed,the validatedsystemis dis-cussed in Chapter 5.

4.1 Fault categories

ThecombatfighterGripenhasbeenflying for over tenyearsandduringthis timestatisticsover all faultsthathave occurredhave beengatheredandsavedin orderto continuouslyimprove the system.This statisticsis unfortunatelynot public.Thereforethe following discussionhasbeenmade.The tankpressurizationsys-temhasbeenchosenfor testingactivediagnosissinceit is ratherlimited andcon-tainsonecomplex moving part,thesocalledCVU. Thefaultsthatcanoccurcanbedivided into four categories,moving parts, sensors, solid objects andfunc-tionality.


34

As for all systemssomecomponentsaremoreerrorpronethanother. In general,moving parts, suchasvalves,have shown to beerrorprone.Somesensors, likepressuresensorsbasedon a thin membranecan be sensitive. Sensorsthat areexposedto high temperatures,vibration,i.e. canalsobeunreliable.Sensorssometimes also have the possibility to diagnosethemselves and in thosecasesthediagnosissystemcanbe mademuchmorereliable.As mentionedearlierpipes,tanksandothersolid objectsarenot very likely to fail. Sometimesfunctionalityfaults canbetreatedthesameway ascomponentfaults.In thecaseof tankpres-surizationthe incomingpressureis importantto monitor. If this pressureis toolow theentirediagnosissystemwill beuncertainsinceit is designedwith a lowerlimit for incoming pressure.

4.2 Fault modes

In thissectionthe15 faultmodesfoundin thetankpressurizationsystemarepre-sented.Thetwo fault modesleakageandblockinghasbeensetasonly two faultmodes,althoughtherearemany placeswhereapipecanleakor beblocked.Thisis donein orderto limit thesizeof thedecisionstructure,if a faultcanbeisolatedasa leakageit is left up to the mechanicto find out wherethe leakageis. In alldiagnosissystemsthereis alsothe statein which the systemis supposedto be,the no fault state.

Below the faults considered are listed.

Moving parts

Fault 1: Pressure regulator failing.Fault 2: Controlled Vent Unit failing.

Sensors

Fault 3: Pressure sensor in tank T1 failing, (PT1).

Fault 4: Pressure sensor in tank Rest failing, (PRest).

Fault 5: Pressure sensor in ambient air failing, (PAtmosphere).

Fault 6: Pressure sensor in the ECS system failing, (PECS).

Fault 7: Temperature sensor failing, (T).Fault 8: Volume sensor in tank T1 failing, (VT1).

Fault 9: Volume sensor in tank Rest failing, (VRest).

Fault 10: Position sensor for pressure regulator failing, (A).Fault 11: Position sensor for Controlled Vent Unit failing, (CVUMeasured).


35

Solid objects

Fault 12: Leakage.Fault 13: Blocking.

Functionality

Fault 14: Low pressure from Environmental Control System.Fault 15: No Fault, referred to as NF.

Mostof thefaultsaremodelledin thesamewayandthereforeit mightbein placeto onceagainpresentthemostgeneralwayof modellinga fault,whichalsois themodel that is generally used in this thesis, equation (2.1).

Thismeansthattheobservedvalueequalsthecorrectvalueplusa fault signal.Inthe fault free case the fault signal equals zero.

Below the fault modes and their different ways of failing are presented.

4.2.1 Pressure regulator and Controlled Vent Unit

The pressureregulator is, as mentionedin section “Pressureregulator” onpage27, modelledasa PI-controller. Thereareseveral reasonswhy thepressureregulatormight fail. Sinceit is supposedto be a controllabledevice thereis ofcoursethe possibility of badconnectionto the controlling device. Thereis alsothe possibility that someinternalpart is jammingor that the pressureregulatoritself jamsin someway. Thefault wheretheconnectionto thecontrollingunit isfailing, i.e. the pressureregulator doesnot assumethe correctmode,active orclosed,is modelledwith a switch.Regardlessof which of the otherreasonsforthefault it is simulatedby addinga constantto theP- or I-values,or by changingthe gain, i.e. the maximum area.

SincetheControlledVentUnit, CVU, is basicallyworking asa switch,all faultsare modelledso that the CVU is in the wrong position comparedto the oneorderedby the controlling system.It is alsopossiblefor the CVU to get stuckbetweenthesepositionsandthis fault modeis simulatedby changingthe outletareas from the CVU.

yobs t( ) ycorr t( ) f t( )+=


36

4.2.2 Sensors

Sensorscanbreakin differentways,but it is hardto know exactly how they willfail in every singlecaseso the generalfault model from equation(2.1) is used.Bias faults were simulatedby addinga constantvalue to the valuesfrom theEasy5 model, to simulate a sensor that breaks a random signal was added.

4.2.3 Leakage and Blocking

All leakagesaresimulatedwith a new orifice leadingto ambientair, with a vari-ablearea.Also in thiscasethefaultmodelfrom equation(2.1)wasused.Whenapipeis blockedit is simulatedby changingthepipeareas,i.e. equation(2.1)wasused again.

4.2.4 Low ECS pressure

Low pressurefrom theECSwassimulatedsimply by usinga small input signal.Themodelworkedalsounderthesecircumstancesbut it is a fault casesincetheairplanedoesnot meet the requirementstatedin the specificationif the inputpressure is too low.

4.3 Diagnosis system

Thediagnosissystemthathasbeenimplementedfor thetankpressurizationsys-tem is basedon a numberof fictive sensors.This way eleven testquantitiesareproducedandfrom thesethe onesthat arepossibleto realizeareselected.Eachtestquantityis describedin detailbelow. For eachtestquantitya fault thatexcitesthat specificquantity is simulatedand the thresholdedresult is presented.Thethresholdsaredashedandthe measuredsignalsolid, exceptwhenthe measuredvalueis comparedto a constantlevel whenboth theconstantlevel andthemea-suredsignal are solid. Each test quantity is also describedmathematically. Inorderto getasmuchinformationaspossiblefrom thepresentedresultsdifferentfaultsareusedto excite theresidualswhenpossible.Sinceit is possibleto excitethesystemandthusperformactivediagnosis,theresidualsdependontheorderedposition for the pressure regulator and the CVU.

Thediagnosissystemwastestedduringthreedifferentworking conditions,pres-sureregulatoractive with CVU in positionAll, pressureregulatorpassive withCVU in positionAll, andpressureregulatoractive with CVU in positionPartial.The fourth possiblecombination,pressureregulator passive, CVU in positionPartial, was also considered but did not contribute with any additional residual.


37

4.3.1 CVU in position All, regulator active

Whenthepressureregulatoris setin positionactive andtheCVU in positionall,the following six residuals can be calculated.

ECS pressure check

Sincethe pressurelevel deliveredby the ECSis critical for the tank pressuriza-tion it is importantto supervise.This relationis an exampleof traditional limitcheckingwherethemeasuredvaluesarecomparedwith a predefinedlimit. If themeasured value is below the limit an alarm is generated.

The residual is calculated as:

(4.1)

Thelimit is setto 200kPa over ambientpressure.TheresidualR1 is usedto test

the hypothesis :

This meansthatR1 is sensitive for low pressureinto thesystemor if thepressure

sensorfor ECSis failing. In orderto determinewhich faultsthateffect a certainresidualtheresidualitself is studied.All sensorsignalsin theresidualmustnatu-rally affect its behavior. If thereareany physical relationsin the residual,con-tainingvariablesof somekind, onemustalsoconsiderwhetherthesemighteffectthe residualif oneof themchanges.Physical constantslike the molar gascon-stant,etc.canof coursenotchangetheirvaluesandthusdonoteffect theresidualin any otherway thanparticipatingin theequations.In this casetheonly thingsthataffect theresidualarethesensorsignalandthephysicalbehavior of theECS.sotheresidualis sensitive for fault modesF6 andF14. In Figure4.1aninput sig-

nal that initially is underthethresholdis shown. Observe thatit is duringtheini-tial 50 secondsthat the residualin this casewould signalfault, after50 secondsthe pressure rises above the threshold.

R1 PECSmeasured Pl imi t–=

H10

H10 Fp NF F1 F2 F3 F4 F5 F7 F8 F9 F10 F11 F12 F13, , , , , , , , , , , ,{ }∈;

H11 Fp F6 F14,{ }∈;


38

Figure 4.1: Thresholded input pressure

It is importantto rememberthatevenif is not rejectedthefault modesin

arenot excludedaspossiblefaults.This is dueto thenomenclaturepresentedinchapter2, wherethedon’t care symbolX wasintroduced.SinceX is usedin thedecisionstructureit is not possibleto saythat sincethenull hypothesiswasnotrejectedit is true, one must insteaddraw the conclusionthat since the nullhypothesiswasnot rejectedall fault modesarepossible,includingNF. Thedeci-sions corresponding to hypothesis test are presented below.

if is not rejected.

if is rejected.

Pressure check Tank 1, (T1)

Betweenthepressuresensorfor ECSandthepressuresensorin tankT1 therearemany components,amongthesethe pressureregulatorandthe CVU, both withmoving partsandthuserror prone.The pressurein tank T1 is simulatedin thefault free caseand then comparedwith the measuredvalue from the Easy5model.

(4.2)

20 40 60 80 100 120

1.4

1.6

1.8

2

2.2

2.4

x 105

Time(s)

Pre

ssur

e(Pa)

H10 H1

1

H1

S1 Ω= H10

S1 F6 F14,{ }= H10

R2 PT1T R⋅

V------------ A C⋅

T------------ PECS

2 PT12– t PAtm+d

0

t

∫⋅–=


39

Equation (4.2) uses the nomenclature from equation (3.1) and (3.2).

The residual R2 is used to test the hypothesis :

ThismeansthatresidualR2 is sensitive to all faultsexceptthesensorsignalsgiv-

ing thepressurein tankRestandthepositionsfor thepressureregulatorandtheCVU, thus all other sensors or physical relations are embedded in the equation.

This residualis anexampleof model-baseddiagnosis,thepressuresimulatedinSimulink is comparedwith the measuredpressurefrom EASY-5. Sincemodelfaultsareimpossibleto avoid adaptive thresholdsproveveryuseful.Herethefirstexample of how an adaptive thresholdmight be used is presented.Adaptivethresholds have previously been presented in“Thresholds” on page18.

Below in Figure4.2 is thethresholdedpressurein tankT1, thepressureregulatorheregoesfrom active to closedafter 70 seconds,i.e. oneof the regulatorsfaultmodes.

Figure 4.2: Thresholded pressure tank T1

It is clearly shown how the thresholdsare more generousin the initial, moredynamiccase,andhow they get closerto the measuredvaluewhenthe systemreachesa region wherethe model is moreaccurate.Faultsduring the dynamic

H20

H20 Fp NF F4 F, 10 F11, ,{ }∈;

H21 Fp F1 F2 F3 F5 F6 F7 F8 F9 F12 F13 F14, , , , , , , , , ,{ }∈;

Time [s]

Pre

ssur

e [Pa

]

20 40 60 80 100 120

0.7

0.8

0.9

1

1.1

1.2

1.3

1.4

1.5

1.6

x 105


40

stagesarethusharderto detectthanfaultsthatoccurduringsteadystate.This is alimitation but not asbig a limitation asonemight think. During dynamicstagesof the flight high stressis put on all partsof the aircraft, making sensorslessaccurateandalsomakingothersystemsthanthediagnosissystemgo into specialmodes.It canthereforebediscussedwhetheror not any diagnosisshouldbeper-formedduringthesestagesor if thediagnosissystemshouldbelimited to steadyflight, or at leastallowed to leave lessaccurateresultsduring dynamicstages.This alsoshows thebenefitsof usingadaptive thresholds,theresultsarerelevantduring the entire working range if the thresholds are constructed correctly.

Pressure check Rest

Residual3 is verysimilar to residual2, thepressuredifferencebetweenthesimu-latedandmeasuredpressurein tank Restis calculated.The differencebetweenthese residuals is only the use of different sensors.

The residual looks like:

(4.3)

Thenomenclatureis likebeforetakenfrom equation(3.1)and(3.2).Theresidual

R3 is used to test the hypothesis :

Comparedto R2, R3 is sensitive for F4 insteadof F3, andapparentlynot sensitive

to F2. Thereasonwhy R3 is notsensitive for faultsin theCVU is thattankRestis

pressurizedbothwhenCVU is in positionPartial andin positionAll. ShouldtheCVU fail in sucha way that thepassageto tankRestis blocked in any way thiswould countasa blockingandnot a failing CVU. In Figure4.4 the thresholdedpressurein tankRestis shown. Thesolid line shows themeasuredpressureandthedashedline is theadaptedthreshold.In thiscaseasensorfaultwith thesizeof

R3 PRestT R⋅

V------------ A C⋅

T------------ PECS

2 PRest2– t PAtm+d

0

t

∫⋅–=

H30

H30 Fp NF F3 F10, F11, ,{ }∈;

H31 Fp F1 F2 F4 F5 F6 F7 F8 F9 F12 F13 F14, , , , , , , , , ,{ }∈;


41

5 kPa was introducedafter approximately50 seconds,causingthe measuredvalue to break the threshold shortly afterwards.

Figure 4.3: Thresholded pressure tank Rest

Sincethesamemodeluncertaintiesarepresentin this casea similar thresholdasfor R2 was used.This examplealso illustratesthe needof both an upperand

lower threshold,the faults can naturally causedeflectionsboth to higher andlower values.

Area check

Theregulatedareain thepressureregulatorcanbesimulated.This simulationisusedwhenconstructingR4. In R4 thesimulatedareais comparedto themeasured

area.Thefactthataregulatoris presentin thesystemactuallymakesdiagnosisofthesystema lot harder. Theregulatorhasthecapacityto hideotherfaults,like aleakagefor example.Theonly way to getaroundthis problemis to have a resid-ual that actually checks the regulated area.


(4.4)

The function that describesthe simulatedareais rathercomplex, actuallymorelike a smallprogram,sothedetailsof how theareais simulatedis left to Appen-dix B.

20 40 60 80 100 120

0.7

0.8

0.9

1

1.1

1.2

1.3

1.4

1.5

1.6x 10

5

Time [s]

Pre

ssur

e [Pa

]

R4 Ameasured Asimulated–=


42

The residual R4 is used to test hypothesis :

In Figure4.4thethresholdedareahasbeenaffectedby a failing temperaturesen-sor.The size of the fault was large, 1000 K, which was necessaryin order toachieve a significantchangeof thearea.Thesolid line shows themeasuredareaand the dashed line is the threshold.

Figure 4.4: Thresholded area

This examplealsoshows anotherinterestingeffect.Sincethepressureregulatoris controlledwith mechanicalfeedbackin therealsystem,it is not affectedby afailing sensor. In this caseit is insteadthemodelthat is giving thewrongvalue,sincethesoftwaremodelof courseis dependingon sensors,andthethresholdisalsogeneratedfrom themodel.The falsetemperatureaffectsthesimulatedareabut the mechanically controlled area remains correct.

This meansthatthemeasuredvalueof theregulatingareaactuallyis correct,andthatthethresholdhasbeendisplaced.Theresidualhowever still givesthecorrectresult,during the fault free stateit is zeroandwhena fault is presentit is non-zero.

H40

H40 Fp NF F2 F3, F4 F10, , F11, ,{ }∈;

H41 Fp F1 F5 F6 F7 F8 F9 F12 F13 F14, , , , , , , ,{ }∈;

20 40 60 80 100 120

−1.5

−1

−0.5

0

0.5

1

1.5

Time [s]

Are

a [%

]


43

CVU check

Whencheckingthe ControlledVent Unit the measuredpositionis simply com-paredwith thepositionthathasbeenorderedby thecontrolsystem.A measure-mentsequencewheretheCVU is orderedin differentpositionsandthepositionsare measured would reveal any faults.


(4.5)

The residual R5 is used to check the hypothesis .

Sincethe sensorsthat measurethe CVU:s positionactuallyareswitches,therewill be no uncertaintiesin the measuredvaluesandthusno thresholdis neces-sary. Below a figure where the CVU leaves its position after 50 seconds,theresidual is zero in the fault free case and signals one when fault is detected.

Figure 4.5: CVU residual

WhentheCVU is checkedin this way thesystemis not in thesamestateall thetime. It is alsopossibleto build oneresidualfor eachcasebut hereonly this oneis presented.

R5 CVUmeasured CVUordered–=

H50

H50 Fp NF F1 F3, F4 F5, , F6 F7 F8 F9 F10 F12 F13 F14, , , , , , , , ,{ }∈;

H51 Fp F2 F11,{ }∈;

0 20 40 60 80 100

−0.4

−0.2

0

0.2

0.4

0.6

0.8

1

1.2

1.4

Time [s]

Res

idua

l sig

nal


44

Pressure check T1, Rest

Whenthepressureregulatoris active andtheCVU in positionAll, thepressureshouldbethesamein bothtankT1 andtankRest.Themeasuredvaluesin thesetwo tanks are compared and used to form residual R6.


(4.6)


In Figure4.6 the thresholdedpressurein tankRestis shown. Thesensorin tankRestis herefailing afterapproximately40seconds.Thesizeof thesensorfault is5 kPa.

Figure 4.6: Sensor check T1 Rest

By usingthevaluesfrom thesensorin tankT1 to form a threshold,in thiscaseathresholdwith constantvalue,faultscanbe detected.A constantthresholdwaschosenthis time sincethevaluesaresupposedto beexactly thesamefor thetwosensors.The reasonwhy the thresholdappearsto be so closeto the measuredvalueduring the transientstageis only a visual effect, the thresholdis equally

R6 PT1 PRest–=

H60

H60 Fp NF F1 F, 5 F6 F7, , F8 F9 F10 F11 F12 F14, , , , , , ,{ }∈;

H61 Fp F2 F, 3 F4 F13, ,{ }∈;

0 20 40 60 80 100

1.22

1.24

1.26

1.28

1.3

1.32

1.34

x 105

Time [s]

Pre

ssur

e [Pa

]


45

large during the entire measurement. If the sensor in tank T1 had failed instead ofthe sensor in tank Rest it would have been the threshold that had been displacedbut the result would have been the same anyway, an alarm would have been gen-erated since the values differ to much.

In Figure 4.7 the thresholded residual is shown instead of the thresholded pres-sure. It can here be seen how the residual is approximately zero in the fault freecase and how the residual clearly deviates from zero and crosses the thresholdwhen a fault is introduced.

Figure 4.7: Thresholded residual tank Rest

4.3.2 CVU in position All, regulator passive

By keeping the CVU in the same position but turning the pressure regulator pas-sive, four of the residuals are possible to use again. Since the working conditionsnow are different the residuals will be sensitive to an other set of faults. All theseresiduals are sensor checks, i.e. hardware redundancy or limit checking. It couldthough be argued that hardware redundancy is the same thing as model-baseddiagnosis, only that in this case the relationship between the two sensors is one toone.

0 20 40 60 80 100 120 140−3000

−2000

−1000

0

1000

2000

3000

4000

5000

6000

Time [s]

Pres

sure

[Pa

)


46

Pressure check T1, Rest

This residualis verysimilar to thepreviousone,but sincetheregulatoris passiveandall tanksshouldhaveatmosphericpressure,faultsin theCVU doesnotaffectthis residual.This is becauseevenif theCVU shouldcomeinto thewrongposi-tion, i.e. position Partial, the tankscan still be ventilatedand thus shouldstillhave the same pressure.


(4.7)


Theresidualis testedby introducinga failing sensorafter50 seconds,asbeforethesizeof thefault is 5 kPa.Also in thisfigurethemeasuredsignalis solidwhilethe threshold is dashed.

Figure 4.8: Sensor check T1 Rest

Thetwo following residualsarevery similar to this onesono figureswill bepre-sented for them.

R7 PT1 PRest–=

H70

H70 Fp NF F1 F, 2 F, 5 F6 F7, , F8 F9 F10 F11 F12 F14, , , , , , ,{ }∈;

H71 Fp F3 F4 F13, ,{ }∈;

0 20 40 60 80 100 120 1400.97

0.98

0.99

1

1.01

1.02

1.03

1.04

1.05

1.06

1.07x 10

5

Time [s]

Pre

ssur

e [Pa

]


47

Pressure check T1, Atmosphere

Sincethetanksaresupposedto havethesamepressureastheambientair thetankpressurecouldalsobecomparedwith theambientpressure.This is donein orderto form residual R8.


(4.8)


Pressure check Rest, Atmosphere

The same test can of course also be done for tank Rest, forming residual R9.


(4.9)


Area check

Sincethepressureregulatoris passive theregulatedareashouldbezero.It is pos-sibleto form yet anotherarearesidualin orderto checkthis.Theadvantagewiththis residualcomparedto theotherareacheckis thatherethereis no relationto amodel,only limit checking.This is thus anotherexampleof how to usetradi-tional approachestogether with new methods like model-baseddiagnosis,together they give a better result than they would have if used on their own.

R8 PT1 PAtmosphere–=

H80


H81 Fp F1 F3 F5 F13, , ,{ }∈;

R9 PRest PAtmosphere–=

H90


H91 Fp F1 F4 F5 F13, , ,{ }∈;


48

The residual R10 looks like:

(4.10)


In this case it is not possible to check the residual without a threshold, as whenthe CVU was checked. The reason why this is impossible is that in the case withthe CVU switches were used to measure the position, but the pressure regulatoruses an ordinary linear sensor, and therefore there is a risk for sensor distur-bances. Below a thresholded fault is presented, the pressure regulator herebecomes active after 50 seconds. The constant threshold is dashed and the mea-sured value is solid.

Figure 4.9: Thresholded area

Obviously the failing pressure regulator makes the area go outside its thresholdsand thus generating an alarm.

4.3.3 CVU in position Part, regulator active

When the CVU is in position Partial, tank Rest is completely cut off from tankT1. This means that the sensor values from tank T1 does not affect R3 like they

R10 Ameasured=

H100

H100 Fp NF F2 F, 3 F4 F5 F, , 6 F7, , F8 F9 F11 F12 F13 F14, , , , , , ,{ }∈;

H101 Fp F1 F10,{ }∈;

0 20 40 60 80 100 120 140−0.1

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

Time [s]

Are

a [%

]


49

did before.This meansthat also theseresidualsaresensitive to different faultsthan before.

Pressure check Rest

The following residual is formed:

(4.11)

Thenomenclatureis like beforetaken from equation(3.1) and(3.2).Thediffer-encecomparedto R3 is that thesimulatedpressuredoesnot usethevolumesen-

sor in tankT1. Sincethetwo tanksarenot connectedthereis no needto usethissensorin orderto simulatethepressurein tankRest.Only thevolumesensorintank Rest is needed.

The residual R11 is used to test the hypothesis :

Figure 4.10: Pressure check Rest

Sincethis residualdecouplesasensorthatR3 did notdecoupleit is agoodexam-

ple of how to useactive diagnosisin orderto receive residualssensitive to differ-

R11 PRestT R⋅VRest-------------- A C⋅

T------------ PECS

2 PRest2– t PAtm+d

0

t

∫⋅–=

H110

H110 Fp NF F3 F8 F10, , F11, ,{ }∈;

H111 Fp F1 F2 F, 4 F5 F6 F7 F9 F12 F13 F14, , , , , , , ,{ }∈;

20 40 60 80 100 120

0.6

0.8

1

1.2

1.4

1.6

x 105

Time [s]

Pre

ssur

e [Pa

]


50

ent faults. In Figure 4.10 the thresholdedpressurein tank Rest is shown. Asearlier the thresholdis dashedand the measuredvalue is solid. After approxi-mately50 secondsa leakageoccursin tankRestandthepressuredropsto a levelclose to ambient air pressure, clearly outside the thresholds.

4.4 Decision structure

Thehypothesistestspresentedin theprevioussectioncanbeusedto form adeci-sionstructure.At first thefull decisionstructurewill bepresented,thenasmaller,for the Gripen project more relevant, decision structure will be derived.

In Table3 thefull decisionstructureis presented.R1 to R6 arereceivedwhenthe

pressureregulatoris active andtheCVU in positionAll, residualsR7 to R10 arereceivedwhenthepressureregulatoris passive andCVU in positionAll. Resid-ual R11 is received when the pressureregulator is active andCVU in positionPartial.

Table 3: Decision structure

As mentionedearlier in chapter2 a “X” meansthat the fault might affect theresidualanda“0” meansthatthefaultcannotaffect theresidual.Thismeansthatif a residualreactswherethe fault hasa “0” in the columnthat fault cannot bethe reasonwhy the residualis failing. With a goodmodelandcleverly chosenthresholdsandmeasurementareas,togetherwith the initial statementthat onlysinglefaultsareconsideredit is possibleto changemostof theX:s into 1:s.This

F 1 F 2 F 3 F 4 F 5 F 6 F 7 F 8 F 9 F 10

F 11

F 12

F 13

F 14

NF

R1 0 0 0 0 0 X 0 0 0 0 0 0 0 X 0R2 X X X 0 X X X X X 0 0 X X X 0R3 X X 0 X X X X X X 0 0 X X X 0R4 X 0 0 0 X X X X X 0 0 X X X 0R5 0 X 0 0 0 0 0 0 0 0 X 0 0 0 0R6 0 X X X 0 0 0 0 0 0 0 0 X 0 0R7 0 0 X X 0 0 0 0 0 0 0 0 X 0 0R8 X 0 X 0 X 0 0 0 0 0 0 0 X 0 0R9 X 0 0 X X 0 0 0 0 0 0 0 X 0 0R10 X 0 0 0 0 0 0 0 0 X 0 0 0 0 0R11 X X 0 X X X X 0 X 0 0 X X X 0


51

would meanthat if a fault occursall residualswith an X in that columnshouldreact.

It is of courseimpossibleto saythat the X:s could alwaysbe exchangedto 1:s,but togetherwith experimentsit is possibleto get an idea of how likely it is.Experimentshave shown that in steadystatethemodelis very accurateandthatthe residualsreacteven to very small faults,moreaboutthe modelverificationfurther on. With this in mind the decisionstructurecanbe studiedandusedtogiveavery likely diagnosis,in orderto helpthemechanicsto repair, or to informthepilot of any hazardousfaults.Whenworking asexpectedtheresidualshouldreact to the X:s.

When the decisionstructureis studied,one can seethat the column for F6 is

equalto thecolumnfor F14, andthatthecolumnfor F7, F9 andF12 alsoareequal.

This meansthat thefaultswithin thesetwo groupsareimpossibleto isolatewiththis setof testquantities.Thatsomefaultsarepresentcanthoughbedetected,aswell as which group of faults that shouldbe investigatedfurther. This is veryimportantsincetheremightbetestdataor informationaboutthecomponentshis-tory which indicateswhichof thefaultsin oneof thegroupsthatis mostlikely tohave occurred.Togetherwith the diagnosissystemthis information gives themechanic a good starting point for isolating and repairing the fault.

As canbe seenin the decisionstructureactive diagnosissignificantly improvesthe capability to detectand isolatefaults.Without the possibility to useactivediagnosisno more thanseven residualswould have beenpossibleto construct,(R1, R2, R3, R4, R5, R6, R11), but sinceseveraldifferentworking conditionscan

be usedthe decisionstructurecanbe madelarger. Without active diagnosisF10would have beenimpossibleto detect.F1 andF5 would form a groupwith F7, F9andF12 andwould thusbe impossibleto isolate.With active diagnosisboth F1andF5 arepossibleto isolate.If thesystemhadbeenrunningunderthesediffer-

ent conditionswithout interferencefrom the diagnosissystem,active diagnosiswould not have been necessary.

The two most importantcomponents,the pressureregulator and the CVU areboth possibleto isolatewhenusingactive diagnosis.In Chapter5 the diagnosissystemwill bevalidatedandtheretheperformanceof thediagnosissystembuiltin this thesis will be presented.


52

4.5 Limited diagnosis system

Thediagnosissystemin theprevioussectionsis anexampleof how a diagnosissystemcould be designedin general.The specifictank pressurizationsysteminJas39 Gripendoeshowever not have all thesesensors,in thefollowing sectionamorelimited diagnosissystemwill be presented.The sensorsthat alreadyexistwill be usedandsomesensorswill alsobe added,sensorsthat are likely to beincluded if the system is to be upgraded in the future.

Thesystemis alsonotquiteascontrollableashavebeenassumedin theprevioussections.The CVU usesthe fuel pressurein order to changeits position, thismeansthat the fuel pumphasto be runningin orderfor the CVU to changeitsposition.In the following sectionit is first assumedthat the diagnosissystemisusedwhen no fuel pressureis available and then with fuel pressureavailable.When no fuel pressure is available the CVU is in position All.

4.5.1 Current sensors

The sensors that already exist in the tank pressurization system are:

• Temperature sensor• Volume sensor in tank T1• Volume sensor in tank Rest• Pressure sensor in ambient air• Position switch for CVU

With thesesensorsonly residualR5 is possibleto construct.Moresensorshave to

be added in order to build a model-based diagnosis system.

4.5.2 Added sensors

Thesensorthat is absolutelymostcritical for themodel-baseddiagnosissystemis thesensormeasuringthepressurefrom theECS.Sincethissignalis usedasaninput signalto the diagnosissystemalmostall residualsareimpossibleto buildwithout this sensor.

In order to setup any pressurerelation it is necessarywith more than just onesensor, the pressuresensorsin tank T1 and tank Resthave thereforealsobeenadded.Thesethreesensorsare usedtogetherwith the alreadyexisting onesinorder to design a new model-based diagnosis system for the tank pressurization.


53

4.5.3 Decision structure 2

Wheninspectingtheresidualsin section4.3 thefollowing residualsarepossibleto construct with the limited set of sensors and without fuel pressure:

• Residual R1• Residual R2• Residual R3• Residual R5• Residual R6• Residual R7• Residual R8• Residual R9

WhentheCVU only canbesetin positionAll, theonly informationtheseresidu-alscangive abouttheCVU is thatit is not in positionPartial whenit is supposedto be in position All. Nothing can be said aboutwhat position the CVU is inwhen it is supposed to be in position Partial.

When fuel pressure is available also residual R11 is possible to construct.

Thus we get the following decision structure:

Table 4: Limited decision structure

F 1 F 2 F 3 F 4 F 5 F 6 F 7 F 8 F 9 F 11

F 12

F 13

F 14

NF

R1 0 0 0 0 0 X 0 0 0 0 0 0 X 0R2 X X X 0 X X X X X 0 X X X 0R3 X X 0 X X X X X X 0 X X X 0R5 0 X 0 0 0 0 0 0 0 X 0 0 0 0R6 0 X X X 0 0 0 0 0 0 0 X 0 0R7 0 0 X X 0 0 0 0 0 0 0 X 0 0R8 X 0 X 0 X 0 0 0 0 0 0 X 0 0R9 X 0 0 X X 0 0 0 0 0 0 X 0 0R11 X X 0 X X X X 0 X 0 X X X 0


54

When observing this decision structure it is clear that a couple of groups can beformed but also that some of the faults are possible to isolate. The column for F1is equal to the column for F5, these faults can therefore not be isolated more than

to a group of faults. The column for F6 is equal to the column for F14 so also

these two faults form a group. The third group consists of the columns for F7,F8,

F9 and F12. All of the other faults can be directly isolated. It is also clear that

when adding the possibility to change the position of the CVU also F8 can be iso-

lated. As mentioned above more information about the CVU also can be gath-ered. When the CVU:s position can be changed the fault mode where the CVUstands in position All but is ordered to position Partial can be revealed. Thus,without this possibility all information about the CVU can not be gathered, onlythat it does not stand in the wrong position when ordered to position All isrevealed.

Without the possibility to use active diagnosis but with fuel pressure, F1, F5, F7,

F9 and F12 would form one large group. F6 would like before be equal to F14 and

the rest of the faults would be unique. Also in this case active diagnosis improvesthe diagnosis capability.

55

Chapter 5

Verification

In this chapterthediagnosissystemis validatedandtheresultsobtainedarepre-sented.Someof the faultsarepresentedtogetherwith the residualsbehavior, acompletepresentationof thefaultswith theresidualsbehavior is givenin Appen-dix A. It is shown thatthesystemis notbehaving exactlyaccordingto thetheory.At theendof this chaptermethodsto improve thesystemin orderto make it per-form according to the theory are discussed.

Therearea numberof factorsthat affectsthe ability of the diagnosissystemtodetectandisolatefaults.The mostimportantoneis the modelitself, in ordertousea model for model-baseddiagnosisthe model has to be accurateat leastunderthecircumstancesthat thediagnosissystemis supposedto work. It is alsoimportantthatthethresholdsarewell adaptedto themodelfaultssothattherearefew falsealarmsandsothatevensmall faultscanbedetected.Theresidualsanddecisionstructurealsohave to becorrect,otherwisethereis a risk of isolatingthewrong components.

Sincethis masterthesisusesa “model of a model” to build thediagnosissystemthe focushasnot beenon optimizing neitherthe modelnor the thresholds.Themainobjective wasto exemplify theprinciplesof model-baseddiagnosis,not tobuild an optimal diagnosis system for the model.

Verification

56

The diagnosismodel is however rather accurateand the thresholdsare welladapted,althoughnotoptimal.Below Figure5.1is showing how well thediagno-sis model follows the Easy5 model.

As canbeseenin Figure5.1 theSimulink modelis very accurateat steadystatewhile during the dynamic phaseit differs a lot from the Easy5model. Thisbehavior

Active Model-based diagnosis -applied on the JAS39 Gripen ... · been applied on a model of the...

Documents

Transcript of Active Model-based diagnosis -applied on the JAS39 Gripen ... · been applied on a model of the...