This paper presents the models and methods for reliability synthesis for components of UAV flight control system: flight computer and navigation system. The developed reliability models depict different variants of faulttolerant designs including designes for systems with complex reliability behavior. They have a high level of adequacy, since effectiveness of detection and switching devices was taken into account. Based on the models, we proposed the reliability synthesis methods for flight control system components that allows making reasonable design decisions. As an example of using these methods, the reliability requirements and recommendations for rational choice of fault-tolerant designs were developed to meet required reliability level of UAV flight computer and navigation system.
Although UAV’s reliability has significantly increased for the last 15 years, this
problem is still among the focus issues for manufactures and different branches of
military [
Navigation system
Pitot tube Pressure and temperature transdusers Air data subsystem (ADS)
(ADS) Magnetometer
(MM) GyГroірsоcсoкpоeпG1X GyГroірsоcсoкpоeпG2Y
Гіроскоп GyroПsоcоoсpіeZGZ
Inertial measurement unit (IMU) Ground control station (GСS) Onboard
GPS
filter (KF-1) Microprocessor
MP1 Microprocessor
MP2 Microprocessor
MP3 Microprocessor
MP R Voting unit Fault detector Kalman filter
(KF-2) Flight computer Control Unit
Power/ propulsion controller
Servo units Flight control surfaces GСS
The researches, aimed to increase FCS reliability on the design stage, are important.
It concerns reliability synthesis for navigation system and flight computer, namely,
reasonable choice of their reliability parameters and fault-tolerant configurations to
meet required reliability level. There are two major approaches for solving these
issues [
On the other hand, redundancy may not improve the reliability system if DSD have
a failure rate below the acceptable mimimum level [
Developers are often faced with complex problems as for making important
decisions for systems design within a limited time. For example, it is necessary to
choose the rational structure of FCS among many variants of its components
redundancy and ensure achieving all critical requirements. In the absence of adequate
reliability models answers to such questions are usually given based on either expert
evaluations or simplified models. For instance, to evaluate reliability of fault tolerant
systems with N-modular redundancy the designers use models without considering
real effectiveness of detection devices [
Reliability engineers usually perform reliability prediction of the military product
using relevant procedures and methods presented in MIL-HDBK-217, other standards
and reference books. The prediction methods are selected in view of reliability data
availability, i.e., data about the distribution law for the product failure-free operation
time [
The reliability behavior of FCS and its components can be represented in form of
discrete-continuous stochastic system [
In this paper, we investigated two variants of fault-tolerant flight computer (FTFC) design with implementation of majority-voting system (MVS) 2-out-of-3 microprocessors (MPs): 1) no additional standby MPs; 2) with inherent standby microprocessor as well as detection and switching devices.
A block-diagram of the second variant of FTFC design is depicted in Fig. 2, where MP is a microprocessor (there are three MPs in MVS core (MP1, MP2, MP3) and one MPR in standby mode),VU is a voting unit, FD is a fault detector and KF- 2 is a Kalman filter.
MP1 MP2 MP3 MPR
KF-2
The fault detector provides failure detection of MVS core microprocessors. It compares MP’s (MP1, MP2, and MP3) out signals and the KF- 2 input signal. If these signals are not identical, FD transfers a signal about failure of the certain MP and a command to the idle MPR to switch to corresponding VU input.
The MP software failure rate is much higher than the MP hardware failure rate [
The Kalman filter KF-2 performs linear quadratic estimation of system state, thus its reliability is much higher, than for other components. The problem of providing its fault-tolerance was not considered in the paper.
On the first stage, the model was developed in the form of Markov Chain on the
ground of basic events [
1) The basic events (BE) definition: BE-1 “Failure of MP”; BE-2 “Failure of VU”; BE-3 “Completion of detection procedure”; BE-4 “Completion of MPR switching procedure”. Since durations of the detection procedure, ТD, and MPR switching procedure, ТS, much less than the durations of failure-free operation of MP and VU, it is accepted that ТD ≈ 0 and ТS ≈ 0.
The detection and switching procedures are characterized by effectiveness measures: the probability of successful failure detection, PD, and probability of successful completion of MPR switching procedure, PS. Their values are less than 1. Therefore, in the mathematical model the events BE-3 and BE-4 are concurrent with BE-1. For these events, we use notations: CBE-3 and CBE-4. For representation of consequences of these events, the probabilities of successful and unsuccessful detection and switching are taken into account. In addition, the model includes next measures: MP – failure rate of MPs and VU – failure rate of VU.
2) Rationale for components of state vector, which represent state of research object.
State vector consists of three components: V1; V2 and V3. Component V1 represents a current value of number of operating MPs in MVS core: V1 = 3 (three operating MPs); V1 = 2 (two operating MPs), V1 = 1 (one operating MP); initial value V1 = 3. V2 represents a state of VU: V2 = 1 (operating), V2 = 0 (failed); initial value V2 = 1. V3 represents a state of MPR: V3 = 1 (operating), V3 = 0 (failed); initial value V3 = 1. The system is in critical failure (CF) state, when there is one operating MP or the failed VU: (V1 = 1) OR (V2 = 0).
3) Development of state space diagram on the ground of basic events (Table 1).
The input data are the basic events of reliability behavior algorithm of FTFC; components of state vector; reliability measures of MPs and VU; measures of DSD effectiveness.
On the second stage, FTFC structural-automaton model (SAM) was developed. The
input data were the basic events and state space diagram. In accordance with methods
presented in [
The third stage of development of FTFC reliability model is an automated building of state space diagram using SAM and specialized software “ASNA-1”. Based on the verified state space diagram, the mathematical reliability model of FTFC in the form of system of differential Chapman - Kolmogorov equations (1) was formed dP1( t ) P1( t ) 3MP PD РS 3MP (1 РS ) PD 3MP (1 PD ) VU , dt dP2( t ) P2( t ) 2MP 1 РD 2MP (1 РS ) PD 2MP PD PS VU dt P1( t )3MP (1 РS ) PD 3MP (1 PD ), dP3( t ) P3( t ) VU 3MP P1( t ) 3MP РS PD , dt dP4( t ) P4( t ) VU 2MP P2( t ) 2MP РS PD P3( t ) 3MP , dPd5(t t ) VU P1( t ) (VU 2MP РS PD 2MP )P2( t ) VU P1( t ) (VU 2MP )P4( t ) dt where Pі( t ) is probability of system being in State i ( і 1, ..., 5 ) at time t. (1) 2.2
Reliability synthesis for fault-tolerant flight computer focuses primary on solving two problems: 1) rationale for choice of FTFC design; 2) rationale for reasonable reliability measures of FTFC components. Proposed methods (Fig. 3) are developed to aid in solving these problems and based on reliability model of FTFC.
An example of practical use of proposed methods is given below.
The problem statement: 1) FC components and units have constant failure rates; 2) failure rates of MPs in MVS core equal MPR failure rate; 3) required reliability level is a minimum allowable value of FC reliability PFCmin during the time interval 0 to T1; 4) four measures Pj ( t ) ( j 1, ..., 4 ), where P1 = MP, P2 = VU, P3 = PD, P4 = PS; 5) two above mentioned variants of FTFC design.
We assumed that a designer uses following input data: T1 = 500 hours (mean time of UAV’s overhaul life is 500 hours); PFCmin = 0,999; and initial values of measures: MP = 1,8e-5 hr-1; VU = 2,9e-6 hr-1; PD = PS = 0,999.
The computation results (Fig. 4) reveal that during the time interval 0 to T1 the value of FC reliability:
for the 1st variant of FTFC design PFC(500) = PFC1 = 0,99881 is less than PFCmin that does not meet the set requirements;
for the 2nd variant of FTFC design PFC(500) = PFC2 = 0,99904 is more than PFCmin.
The researches, using the above-mentioned input data, allow rationalizing reliability requirements to FTFC components and drawing next conclusions:
1. In order to maintain required reliability level of FTFC without standby MPs in MVS core, it is necessary to rise reliability requirements to MPs (MP ≤ 8e-5 hr-1) or VU (VU ≤ 2,3e-6 hr-1) reliability.
2. FTFC design with implementation of MVS 2-out-of-3 MPs and inherent MP as well as DSD allows increasing reliability to required level without changing requirements to reliability of MPs and VU. In addition, it is possible to scale back requirements to DSD effectiveness.
3. Using the proposed methods and set input data, we can advise the UAV designer two above examined variants of FTFC as its reasonable configurations. 3
3.1
Reliability block diagrams for two navigation system configurations: 1) without redundancy; 2) with dual modular redundancy (DMR) for gyroscopes and accelerometers in inertial measurement unit (IMU), are depicted in Fig. 5. The denotation IS was used for the integrated subsystem, which includes two parts: air data subsystem (ADS); magnetometer (MM).
IMU
Gx
Gy Gz Ax Ау Аz
KF-1 IS 1)
IMU
Gx1 Gx2
Gy1 Gy2 IS
Gz1 Gz2 Аx1 Аx2 2) Ау1 Ау2 Аz1 Аz2
KF-1
Multi-sensor information redundancy is implemented in NS. It should provide required level of reliability. The task is to define the expedient values of reliability measures of NS components. Failure rates of NS components are chosen as reliability measures: 1 is failure rate of the onboard GPS; 2 = 3 = 4 = G – failure rates of gyroscopes (Gx, Gy, Gz); 5 = 6 = 7 = A – failure rates of accelerometers (Ax, Ay, Az); 8 is failure rate of IS (sum of failure rates of ADS, MM and PS); 9 is failure rate of KF-1. Since main and standby gyroscopes and accelerometers have the same circuitry, so their failure rates are equal.
Kalman Filter KF-1 performs linear quadratic estimation and integration of the data
from GPS, IMU and IS [
Onboard GPS is a main source of the navigation data [
Reliability calculation was conducted for two above-mentioned variants of NS structure (Fig. 5). For the second configuration it considered that DSDs perform their functions with probability of successful failure detection PD = 1 and probability of successful completion of switching procedure PS = 1. It was assumed that duration of all processes and procedures, which take place in NS, are distributed according to an exponential law.
It considered that the designer uses the next input data for reliability synthesis for NS: time interval T1 = 500 hours; minimum allowable value of NS reliability PNSmin = 0,999; initial values of failure rates of NS components: 1 = 3e-4 hr-1; G = 9e-5 hr-1; A = 6e-5 hr-1; 8 = 4e-4 hr-1, 9 = 1,6e-6 hr-1.
The computation results for two variants of NS proved expediency of DMR for gyroscopes and accelerometers in IMU. Reliability value for the 1st variant of NS is PNS(500) = PNS1 = 0,99411 that less than PNSmin. Implementation of dual redundancy for gyroscopes and accelerometers allows to increase NS reliability to the value PNS(500) = PNS2 = 0,99903 and provide required reliability level on the interval of T2 = 845 hr. These conclusions were drawn considering that DSD perform their functions with probability equals 1. To raise adequacy of NS reliability model it was proposed to develop a reliability model of fault-tolerant unit with dual modular redundancy and taking into account the real DSD effectiveness: PD < 1 and PS < 1. 3.2
A reliability model was developed according to the methods presented in [
The model includes reliability measures (M – failure rate of the main part and R – failure rate of standby part of FTU) and DSD effectiveness measures (probability of successful completion of detection procedure – PD and probability of successful completion of switching procedure – PS).
A detection device controls continuously operability of the main FTU part. If detection procedure is successful (the detection device defines a failure of the main part), the detection device will transfer a signal to the switching device that unhooks the main part and hooks up the standby part.
If detection procedure is unsuccessful, fault-tolerant unit will come to state of critical failure. In addition, FTU will come to state of critical failure, if detection procedure is successful but the switching procedure is unsuccessful.
2) The state vector consists of two components: V1 – a state of main part (1, 0; initial value V1 = 1); V2 – a state of standby part (1, 0; initial value V2 = 1).
The basic events of reliability behavior of FTU: BE-1 – “Failure of main part”; BE2 – “Completion of detection procedure”; BE-3 – “Completion of switching procedure”; BE-4 – “Failure of standby part”.
3) The fault-tolerant unit is in critical failure state, when there is a failed main part and standby part is not hooked up: V1 = 0.
The developed state space diagram for the investigated FTU with dual redundancy and taking into account DSD effectiveness is presented in Table 3.
The model simplification was used on the basis that the research object is described by one group of procedures with long duration and another group of procedures with much less duration. This condition simplifies the model however reduces the degree of its adequacy. The detection procedure is auxiliary in the structure of FTU. If do not take into account duration of procedure in 20 ms, computation of FCS reliability for the UAV flight time interval (up to 10 hours) brings not significant error. For the proposed mathematical model, the next simplifications were done: duration of detection procedure TD = 0 and switching procedure – TS = 0. Accordingly, the basic events BE-2 and BE-3 are concurrent with BE-1 and got denotations CBE-2 and CBE-3.
It was taken into account that the duration of all procedures in research object are
random variables having an exponential distribution, and a number of events on the
observation interval is defined by the Poisson distribution. In accordance with the
methods presented in [
The mathematical reliability model of fault-tolerant unit (2) was formed dP1( t ) dt dP2( t ) dt dP3( t ) dt ( M R )P1( t ), ( M PDРS R )P1( t ) M Р2( t ), M (1 PDРS )P1( t ) M P2( t ).
where Pі( t ) is probability of system being in State i ( і 1, ...,3 ) at time t. 3.3
The same assumptions and input data were used as in the section 3.1. Results of reliability estimation for the 2nd variant of NS and its components (units of gyroscopes (UG) and accelerometers (UA)) with perfect and non-perfect DSD are presented in Table 5.
The graphs of UG reliability at different values of DSD effectiveness are shown in Fig. 6.
The results, presented in Table 5 and Fig. 6, confirm that reliability depends on the detection and switching effectiveness. The proposed model gives an opportunity to rationalize necessary values of measures of DSD effectiveness. 3.4
Proposed reliability synthesis methods are developed for fault-tolerant NS components. They are based on reliability models of NS components and use of specialized software ASNA-1. The main difference of these methods from the mentioned above methods (section 2.2) is that for reliability synthesis for NS we can investigate rational variants of fault-tolerant modules (units). Using reliability synthesis methods for FC we evaluated fault-tolerant units with DMR for gyroscopes, accelerometers, Kalman Filter (KF-1). We used following input data: T1 = 500 hours; PNSmin = 0,999. The computation results, which indicate reasonable reliability measures of NS components, are presented in Table 6.
Hence, these methods allow adjusting with designer the acceptable values of reliability measures of NS components as well as measures of DSD effectiveness. 4
Conclusions 1. A necessity and actuality of improvement of existent models and methods of reliability synthesis for fault-tolerant systems have been rationalized in making decisions on design of UAV flight control system.
2. The developed reliability models of navigation system and flight computer represent the different variants of fault-tolerant designs and have a high level of adequacy.
3. Based on the models, we proposed the reliability synthesis methods for components of UAV flight control system. Automation of multiple analysis procedures allows quickly (during a few hours) making reasonable design decisions.
4. Reliability requirements and recommendations for rational choice of fault-tolerant designs of navigation system and flight computer have been developed to meet required reliability level.
5. We are planning further research studies to investigate reliability of UAV autopilot and its fault-tolerant modules, availability of all FCS components as well as solving optimization problems.