Derivation of Diagnostic Requirements for a Distributed UAV Turbofan Engine Control System
Journal article, 2008
This paper presents a method for deriving requirements for the efficiency of diagnostic functions in distributed electronic turbofan engine control systems. Distributed engine control systems consist of sensor, actuator, and control unit nodes that exchange data over a communication network. The method is applicable to engine control systems that are partially redundant. Traditionally, turbofan engine control systems use dual channel solutions in which all units are duplicated. Our method is intended for analyzing the diagnostic requirements for systems in which a subset of the sensors and the actuators is nonredundant. Such systems rely on intelligent monitoring and analytical redundancy to detect and tolerate failures in the nonredundant units. These techniques cannot provide perfect diagnostic coverage and, hence, our method focuses on analyzing the impact of nonperfect diagnostic coverage on the reliability and safety of distributed engine control systems. The method is based on a probabilistic analysis that combines fault trees and Markov chains. The input parameters for these models include failure rates as well as several coverage factors that characterize the performance of the diagnostic functions. Since the use of intelligent monitoring can cause false alarms, i.e., an error is falsely indicated by a diagnostic function, the parameters also include a false alarm rate. The method was used to derive the diagnostic requirements for a hypothetical unmanned aerial vehicle engine control system. Given the requirement that an engine failure due to the control system is not allowed to occur more than ten times per million hours, the diagnostic functions in a node must achieve 99% error coverage for transient faults and 90–99% error coverage for permanent faults. The system-level diagnosis must achieve 90–95% detection coverage for node failures, which are not detected by the nodes themselves. These results are based on the assumption that transient faults are 100 times more frequent than permanent faults. It is important to have a method for deriving probabilistic requirements on diagnostic functions for engine control systems that rely on analytical redundancy as a means to reduce the hardware redundancy. The proposed method allows us to do this using an existing tool (FAULTTREE+) for safety and reliability analysis.