Modeling Aircraft Flap System Failure Scenarios with SystemModeler
Explore the contents of this article with a free Wolfram SystemModeler trial. Have you heard about the Boeing 747 Dreamlifter that flew to the wrong airport and was forced to land on too short of a runway? Luckily, that story had a happy ending, and no passengers were hurt. Still, it is a potentially dangerous scenario when the landing distance required (LDR) is longer than the runway, and there are other possible reasons for such a situation besides a pilot gone astray.
One potential cause of such a scenario is a flap system failure. Flaps are hinged devices located on the trailing edges of the wings, where their angular position can be adjusted to change the lift properties of the plane. For example, suitably adjusting the flap position can enable the plane to be flown at a lower speed while maintaining its lift, or allow it to be landed with a steeper angle of descent without any increase in speed. One of several resulting advantages is that the LDR becomes shorter. This makes me wonder: Could a small flap failure increase the LDR so much that the assigned runway is suddenly too short?
To answer such a question, you have to understand the effects that a failure on a component level have at a system level. How will the control system react to it? Can we somehow figure out how to detect it during a test procedure? Can we come up with a safety procedure to compensate for it, and what happens if the pilot or maintenance personnel for some reason fail to follow that procedure?
Together with my colleague, engineer Olle Isaksson, we thought we’d use Wolfram SystemModeler 4 and the newly released Wolfram Hydraulic library to simulate and analyze some potential failures that can occur in the flap system of a Cessna 441 Conquest II aircraft.
The desired angular position of the flaps on this Cessna aircraft is set manually by the pilot via the plane’s instrument panel. Which flap angle is preferable depends, among other factors, on which flight phase the plane is in, since that directly affects which flight characteristics are desired. For example, during takeoff, the flaps are extended to an angle of 10 degrees in order to provide extra lift force, and during landing, they’re extended to 30 degrees to increase both lift and drag force. These seemingly small adjustments to the flaps’ angular position allow for shorter runways, reduce the stress put on the aircraft, and give the pilot more time to react. For this particular aircraft, there are two additional positions: 0 degrees in mid-air and 20 degrees when approaching landing. Take a look at the video below for a short demonstration of how the flaps move.
The flap system of this Cessna aircraft is electrically operated and hydraulically actuated. This means that the flap system is controlled by electrical signals, but the actual movement of the flaps and landing gears is driven by a hydraulic system with pumps, valves, cylinders, and other useful components. The pilot controls the flap position through a flap selector switch located on the instrument panel. Changing the flap selector switch position sends out an electrical signal that, together with limit switches, energizes a bypass valve so that pressure builds up in the hydraulic power system.
In tandem with bypass valve energization, a solenoid of the flap control valve becomes energized, resulting in an open connection between the cylinder (flap actuator) and the pump and reservoir. The hydraulic cylinder is mechanically connected to the flaps, which consequently causes the flaps to extend or retract when the cylinder moves in response to changes in chamber pressure.
The Cessna flap system model, implemented in SystemModeler, consists of six customized components: a pilot, an electrical system, a power plant, a hydraulic power system, the flaps, and the landing gears.
As shown above, the Cessna model is hierarchical, with several sub levels. The pilot model receives signals from both the electrical subsystem and the flaps, for example, in the form of system pressure data or information about the current flap position. The powerPlant subsystem contains two engines that connect to pumps in the hydraulicPower model, which in turn provides pressurized fluid to the flaps and landingGear subsystems. To avoid a blog post longer than Ulysses, I’m going to leave the detailed exploration of the models up to a forthcoming post, where the modeling process will be described in more detail.
Now that you have a general sense of the model components and their interactions, let’s take some time to think about some potential failures. Despite the risk of aggravating my slight fear of flying, I took a look at some accident reports for different Cessna aircraft. This revealed that failing limit switches, hydraulic leakages, and mechanical failures are examples of flap failures that affect the aircraft at a system level. So let’s include the following scenarios in the failure analysis:
1. A pipe in the flap subsystem is leaking.
2. The mechanical rod that connects the flap to the cylinder is broken.
3. An electrical failure in the flap control valve occurs in mid-air.
Let’s first take a look at the nominal scenario where everything works as it should, and the pilot can enjoy the perks of having a fully functioning flap system. The pilot moves the flap selector switch to positions 10° -> 20° -> 30° -> 0°, which corresponds to takeoff -> approach -> landing -> up. Note that this is quite an odd combination of flap commands to use in real life within a time span of 20 seconds, so it’s just a means of studying the system. It can for example be seen as a test run to see if the flaps are working properly.
First load the WSMLink and define the model.
My colleague Olle conveniently included different failure modes in several components in the Cessna model, so in order to investigate the effects of, for example, a pin-short in a solenoid, I simply have to change the failure mode parameter of a solenoid to pin-short, and then simulate the model.
In the nominal case, I want to make sure that the relevant failure parameters are set to 0, which means that the components are fully functioning. Since the failure modes are structural parameters, I need to use WSMSetValues instead of WSMParameterValues.
Which angles do the flaps actually take on compared to those commanded by the pilot in the nominal case?
As can be seen, the angular position of the flaps follows the commands given by the pilot, with some delay due to the time it takes for the flaps to extend or retract.
Let’s also take a look at the pressure development in the hydraulic relief valve, which corresponds to the pressure supplied to the flaps. Another interesting aspect, especially for electrical failures, is the electrical signal that commands the flaps to extend.
In the plots above, we can see how the pressure peaks correspond to the retraction and extension of the flaps, and how the electrical signal peaks when an extend flap command is issued from the pilot.
Now let’s examine the other scenarios and see how they compare to the nominal scenario.
Scenario: Leaking Pipe
In this failure scenario, the flaps have the same initial position as in the nominal case, but there is a leaking pipe in the flap subsystem. The leakage is injected by changing the value of parameter fm for the pipe in question from 0 to 2.
The figures show a simulation of the system with a pipe leakage: to the left, the commanded flap angle and the actual flap angle; to the right, the pressure development in the hydraulic relief valve in subsystem hydraulicPower.
We can see that the leakage reduces system pressure, which in turn causes a reduction in cylinder force. The reduction leads to a slower flap movement, which, seen from a system perspective, curtails the response time. Such a scenario could potentially be dangerous if the pilot is in a situation where the flaps have to be moved quickly, for example, if the plane approaches the runway too fast or at a wrong angle.
Scenario: A Broken Rod
As previously mentioned, the flap subsystem contains a hydraulic cylinder that drives the movement of the flaps. In this scenario, let’s investigate what happens if the rod connected to the flaps is broken, which in the model means that no force can be transferred between the two ends of the rod.
In the two bottom plots, we can see that there is a pressure buildup in the system, and the electrical signal behaves as expected. Despite this, the flaps remain in the up position. Since the rod is broken, the cylinder cannot transfer any force at all to move the flaps (see upper right plot), independent of the flap switch command. In this case, the seemingly small component failure would actually lead to a longer LDR.
Scenario: Mid-Air Electrical Failure
Sometimes failures aren’t discovered until the plane is already in the air, and in such situations, it is even more important to be prepared and have safety procedures that can remedy any problems that might occur. Let’s for example explore the scenario when there is a mid-air electrical failure. The pilot failed to test the flaps before takeoff, and so the retraction command is first used in mid-air. The electrical failure occurs in the flap control valve where the up-solenoid has a pin-short. The shorted solenoid trips the circuit breaker in mid-air, causing the pilot to lose control over the flaps.
From the pilot’s point of view, the failure isn’t noticeable until he or she tries to retract the flaps from 10 to 0 degrees, since the extend function is still initially functional. However, the second the pilot tries to move the flaps back up, the short circuit to ground is no longer isolated from the circuit breaker, and all control over the flaps is lost with the unpleasant side effect of the plane suddenly needing a longer runway. Seems like a pretty bad position to be in, right? Actually, it doesn’t necessarily have to be, if we can use our modeling expertise to model and test a safety procedure that might help the situation.
Scenario: Mid-Air Electrical Failure with a Safety Procedure
It’s possible to use the Cessna model to come up with a safety procedure that makes it possible to land the plane safely despite the mid-air electrical failure. Such a procedure could, for instance, be to move the switch to landing and then reset the circuit breaker. When reset, it should be possible to directly move the flaps to landing position and land safely, even though the retract function is still malfunctioning. So let’s see if this maneuver does the trick.
The figures show a simulation of the system with a mid-air electrical failure where the shorted solenoid triggers an emergency flap extension.
The shorted solenoid trips the circuit breaker in mid-air, causing the pilot to lose control over the flaps. The pilot then puts the switch in landing position, resets the circuit breaker, and manages to extend the flaps.
What’s the Conclusion?
So, what about my original question: Could a flap failure increase the LDR so much that the assigned runway becomes too short?
Judging from the failure analysis just performed, it does seem like a plausible scenario. If the increase in the LDR resulting from a flap failure (for example, the mid-air electrical failure discussed above) exceeds the runway margin, then that could potentially happen. However, the model has not been created in cooperation with Cessna, and assumptions have been made regarding, for example, the electrical design and parameter values. In other words, it’s not possible to guarantee that all aspects of the model are 100% accurate or complete. Still, it shows the potential of using modeling as a means of exploring different failure scenarios, how faults can be detected, and how to design safety procedures.
I used Wolfram SystemModeler to analyze faults after a particular sequence of commands, something that could be done during a test procedure, for example. Using the same principles, it’s possible to use SystemModeler to perform fault-code coverage analysis for systems with diagnostic trouble codes. I also tested a proposed safety procedure, and seeing how that interacts and triggers different responses in the system as a whole, such tests have the potential to lead to a better understanding of the human-machine interaction.
If you want to try out some failure modeling yourself, or just get a feel for the tools that I have used in this blog, trial versions of both SystemModeler and Mathematica and available for download online. Also the Wolfram Hydraulic library, along with several other libraries from other domains, can be explored and downloaded from Wolfram’s brand new SystemModeler Library Store.