
CEAS Aeronaut J (2016) 7:315–331

DOI 10.1007/s13272-016-0189-0

ORIGINAL PAPER

SPYDER: a software package for system diagnosis engineering
C. Modest1 • F. Thielecke1

Received: 12 December 2014 / Revised: 28 September 2015 / Accepted: 1 March 2016 / Published online: 28 March 2016 
Deutsches Zentrum für Luft- und Raumfahrt e.V. 2016

Abstract Modern aircraft systems comprise hardware and software with high complexity. In order to assure an operation at high availability and low maintenance cost, diagnosis functions become essential. These functions detect faults and failures, identify sources of faults and failures and assess the current state of health. A reduction in operating cost, better planning of maintenance actions, and new business cases for operator and equipment manufacturers are gained as a result. A systematic approach for the design and test of diagnosis functions supported by an integrated model-based tool chain is introduced in this paper. That is the SPYDER concept, a Software Package for sYstem Diagnosis EngineeRing. Embedded into the general system development process, a stepwise design and test of diagnosis functions is performed. It focuses on failures and starts with failure–effect analysis, continues with sensor placement and proceeds further to configuration and testing. The method has been applied to multifunctional fuel cell systems that are used as illustrative examples.

Keywords Failure diagnosis · Fuel cells · Model-based systems engineering · Expert systems

This paper is based on a presentation at the German Aerospace Congress, September 16–18, 2014, Augsburg, Germany.

C. Modest
christian.modest@tuhh.de

1 Hamburg University of Technology, Institute of Aircraft Systems Engineering, Nesspriel 5, 21129 Hamburg, Germany

1 Introduction

In the year 2050, all European flights should arrive within 1 min of the planned arrival time [1]. This is a very ambitious aim considering the current status. In 2012, 16.7 % of all European flights had a delay of more than 15 min [2]. That was mainly due to technical issues [3] which caused maintenance actions, high cost and inconveniences for passengers.

To close the gap, efficient diagnosis functions are seen as key contributors. These detect faults and failures, identify root causes, and assess the health status of systems and components. Therewith, a system operation at higher availability and reduced maintenance cost is gained. Long aircraft on ground (AOG) times induced by high rates of false alarms and no-fault-founds (NFF) [4] indicate that current diagnosis functions and development strategies possess weaknesses. Instead of supporting the system operation they often lead to hindrances. This motivates the use of more efficient diagnosis functions that are developed in a systematic and model-based process. These functions can be split into two main areas of application. This concerns fault diagnosis and failure diagnosis. The latter is in the focus of the paper at hand. A novel development framework for failure diagnosis is introduced. This consists of an interwoven process, an implementation strategy and a tool. The overall goal is to increase the efficiency and ease the implementation of failure diagnosis for complex aircraft systems.

The paper is organized as follows. Section 2 gives a general overview about failure diagnosis. Related work in the field of software tools, development processes and implementation strategies is presented in Sect. 3. A concept for more efficient diagnosis functions is illustrated in Sect. 4. Section 5 depicts an embedded framework for the design and


Discrete failure indicators and specific feature character- nical processes. size.316 C. and certainty factors for each FM are determined. This is supported by the model-based tool chain SPY. but focuses thereby on general aspects and Indicator the distribution of work between company and supplier. and the combination of different signals is done to extract Extensions to include fault diagnosis functions are discussed. There are various definitions of failure diagnosis for tech. Data Acquisition 3. In a generalization. However. 1. Thielecke test. following. The latter are seen as methods software tools that assist the development. for the implementation of diagnosis functions. it is the task of determining type. The tool made by PHM Sensors t technology provides a functional modeling framework [14]. ther definitions like [8] and all have in common that they differ slightly in what to include and what to perform in failure diagnosis. 6. These are strategies for design and test. features. However. The latter indicate abnormal behavior and the occurrence of failures. Signal analysis in Sect. is done by state detec- 2 Diagnosis functions tion. Threshold checking and pattern recognition tech- niques are possible activities for evaluation of features. 13]. Further approaches exist that Data Manipulation mostly deal with the development of advanced models for t direct online integration and the operation parallel to the supervised system [12. Four of the failure diagnosis. data Feature Threshold principles is emphasized by Scandura [11]. 8 and an outlook on open topics is given in the end. Charact. current research. the content of the paper affects three aspects of blocks are explained in the following by means of imple. The ISO 13374 [9] on condition moni. The assessment of the behavior. 7. 3 Related work toring and diagnostics of machines makes an attempt to standardize fault and failure diagnosis. 
the development and imple- blocks are related to failure diagnosis as are depicted in mentation of the specific functions is left to the user. A failure effect analysis 123 . The content of the paper is summarized manipulation is carried out in the next step. The functions themselves are not defined in [9]. This definition of failure diagnosis is referred to in the tification but also the detection of failures. Modest and F. A generic FM1 FM6 FMN FM5 approach for health management systems engineering is Health proposed by Wilmering [10]. This shows different steps of Assessment development. and measures to fill the blocks with life. but it is not depicted how to do it. menting diagnosis functions. either normal or persistent faulty.1 Development processes There are various publications on the design of diagnosis FM3 Certainty FM4 FM2 and general health management functions. no guidelines are provided. Data acquisition is performed on the lowest level. These are input to the health assessment [5]. that can be influenced by failures. according to Isermann istics are derived. Blanke [6] and Ding [7] (FM). location and module where potential sources of failures. Data case study in Sect. The State Detection importance of designing diagnosis and health management t t functions into the system and using systems engineering Raw data Prepr. It defines six The ISO 13374 standard defines a framework for fault and functional blocks by means of interfaces. 3. Preprocessed data is gained. 1 Diagnosis functions according to ISO 13374. Fig. There are fur. The Therefore. This DER which is introduced in Sect. failure modes time of detection of a failure. 1 Different tasks that have to be done during development are mentioned.2 Software tools t Commercial software packages can give assistance in developing diagnosis functions. System behavior is reduced to causal relationships Fig. define diagnosis to be not only the localization and iden. 
The software package is about filtering and conversion of sensor signals into consists of four modules that are demonstrated by means of a digital quantities.

How can knowledge of failures be encoded for the specific target system? Fig. These instances evaluate features by posed by Hess [16]. which are depicted in Fig.. Although. but none does actually show how to stepwise Agent concentrate data and come to a final conclusion about a certainty suspects Assessment current health status and existing failures.SPYDER: a software package 317 can be carried out but bidirectional failure propagation 3. Depending approach. No model is used dur- faults and the configuration of diagnosis functions are not ing run-time. three key questions have been formulated. that will be dealt with in the following Monitoring Agents parts of the paper: 1. Detection Agent Shape Agent State However. All instances of this approach work on the ISO 13374 standard which is repe- ated on every level. it is limited to static system The SPYDER concept is a novel development framework behavior.. no measures are provided to rated suspects implement the functions. The latter works with condensed and structured knowledge in the form of diagnosis rules. It aims to provide efficient diagnosis early design phases of diagnosis functions they are limited functions that support a variety of aircraft systems. What will efficient diagnosis functions look like which cannot be taken into account directly. nominal and high duced for specific components. No methods exist right indicators now that combine processes for the design and test. However. that there is a deficit symptoms in approaches that fully enable the integrated development Certainty Agent and actual implementation of efficient diagnosis functions Fusion Agent for a variety of aircraft systems. It is a general approach that behavior in terms of failures. How can the design and test of diagnosis functions be features standardized? (Data Manipulation) 2. 2 Hierarchical and distributed diagnosis engine 123 . Compared to Hess. 2. 
only the combined consideration will lead to a reduction in cost for development and operation. However. but only a flexible and compact diagnosis possible. By that. A three step approach is pro- monitoring agents. Indicators specific algorithms to use. This goes from measurements and means of threshold checking. Detection implementation strategies and appropriate software tools. Health 3. distributed and hierarchical approaches archical manner. An example is the indication provides no means for handling and combining data and of effects of a breakdown of a compressor. A in their application areas. deeper failure analysis for deter- development of failure diagnosis functions in an offline mining quantitative failure characteristics.4 Summary and discussion characteristics A survey of current literature showed. for the implementation of diagnosis functions are in the The lowest layer of the diagnosis engine consists of focus of current research. Therefore. These agents perform state To cope with increased system complexity and system detection and health assessment in a distributed and hier- interdependency. both the packages can give support in for failure diagnosis. further instances are intro- on the context this is translated by low. indicators are control data on a component level to a health status on a derived. 1g. Failure modes are modeled phenomenologically.3 Implementation strategies generic form if. and an increase in efficiency. the analysis of process and their online execution. It enables the 4 Diagnosis engine study of failure effect relations using bidirectional failure propagation. Extensions of models to deal central element is the separation between the model-based with dynamic behavior. Felke [17] proposes a four step possess discrete values in the range f1. The software can support a variety of aircraft systems? RODON by Combitech AB uses a physical modeling approach based on a Modelica like language [15]. 0. engine. 
The latter indicate the occurrence of abnormal system and aircraft level. There are further publications Aircraft Diagnostic like [18].then. These are of the 3. and are executed by software agents.

An adjustment takes place indicator for air mass flow in another branch of the by means of specific diagnosis rules. which is 1. suspects. To isolate the case. the formalization of knowledge and the individually for each system.g. air-valve-jammedg. This means This agent infers from symptoms to failures by means of that the core of each diagnosis agent is based on a rule- generating and testing hypotheses. A final set of suspects is gained in the end which handle system complexity and make the overall failure is reduced to those failures that can fully explain all the diagnosis more efficient. air-valve-jammed. This result is gained in a transparent and documented way which will be shown later in more detail. are equally possible sources of the detected abnormal system behavior. All these techniques are implemented and 1 (true). which symptoms. . The technology used is again a resolution based tool chain is introduced in the following. All symptoms are correlated by a fusion agent. infer suspects. cer- tainty factors are calculated. The main phases. 1g formed by pattern recognition techniques. an architecture of the physical system is 123 . An example for the latter is symptom 2 = 1. deter- defined as quantifying parameters.318 C. All the tasks mentioned are performed In general.. executed using rule-based expert systems [19]. to the sum of all threshold. suspects and certainties in the current explain the occurrence of symptom 1 = 1. The air mass flow m_ Air is directly used as a matching degrees irrespectively of the actual conclusion. is translated with true and the The key aspect of the proposed diagnosis engine is the difference between commanded and actual mass flow is utilization of diagnosis rules and diagnosis agents. a flexible exemplary system. In the in charge of calculating a certainty factor for each definition phase. 
The certainty factor itself is defined as the ratio indicator m_ Air ¼ 1 which denotes that an air mass flow of matching degrees of fuzzy diagnosis rules with specific m_ Air is low in the specific state. each feature. All the elements of the list can about symptoms. This is done by means of the The development of diagnosis functions can be standard- right branch of the diagnosis engine and fuzzy logic and ized by an embedded model-based system engineering fuzzy inference techniques. These have discrete values in the range f0. The used as a feature. If the indicator possesses a value of 0 implementation of failure diagnosis functions is gained that which equals nominal in this case the air-compressor could supports a variety of aircraft systems. 1. These are the definition phase on the left characteristics are processed by a certainty agent which is branch and the integration phase on the right branch. a between systems and failure propagation over system systematic design and test procedure supported by a model- interfaces. An example for the first case is the hypothesis. In this case. resolution symptoms. Therewith. This follows the common V-model [20] when symptoms are detected.. A further example is m_ Failure ¼ 1 which is derived By that. This is defined as the actual difference The general system design process is divided into two between feature and threshold as shown in Fig. Thielecke as well as false and true. These tasks are per- symptoms. A shape agent is awakened (MBSE) approach. A system-wide health transfer into the knowledge base of an expert system is assessment is done by an aircraft diagnostic agent. detected symptoms. . The failure diagnosis be tested failure free by means of this falsification functions are separated into dedicated sub-functions to approach. indicator color. A detection agent mine certainty factors and combine results from different combines indicators and operating conditions to reveal systems on the overall aircraft level. 
the list of rated suspects is gained in the end. resolution which is translated by the terms false and true. The left branch rules are thereby deduced from models and required of the diagnosis engine provides a list of suspects. Diagnosis strategy as in the case of the fusion agent. This means that features are generally latter are used to reveal symptoms. 5 Embedded development process for diagnosis To have a further possibility to pinpoint the exact failure functions and making an estimate of the most likely suspect. the certainty is in the continuous range [0. In a continuation of the example. indicators and features are identified. e. feature. It provides characteristics of as shown in Fig. strategies and fuzzy inference. To overcome this drawback. The com. 3. an initial Expert systems consist of a knowledge base and an list of suspects would be fair-compressor-defective. That exhaustive. It thus falls below a lower conclusion FM. 1] and a from m_ Failure ¼ m_ cmd  m_ act [ 0:3  m_ cmd . The latter are called based expert system. It is called the knowledge acquisition bottle- agent takes into account functional inter-dependencies neck in literature [19]. strategies for generating and testing suspects as well as bination of the indicator m_ Air ¼ 1 and the operating fuzzy logic and fuzzy inference for the provision of cer- conditions Ops ¼ Active gives the exemplary symptom 1 = tainty factors. These algorithms are inde- This is defined as the combination of Ops = Active and an pendent from the target system. Modest and F. A fix core has been developed that comprises algo- actual failure all suspects are tested on basis of further rithms on pattern recognition techniques. inference procedure to infer from facts from the system .

Both types of rules Architecture test are saved in a xml data format and stored in a database. An overview is given in the of failures and temporal aspects of failure detection. 6 Software package for system diagnosis sequence with prior virtual tests before actual hardware engineering realization. and unambigu- In the integration phase. 4. Complex indi- cators are gained from the temporal appearance of indi- cators. This is followed by system integration and system documented systematically. 3. The final verification is done in the seventh step by means of the interaction of the Embedded development of diagnosis functions complete diagnosis engine and a system simulation extended by noise and disturbances. Model-based test concepts of all diagnosis tion is given as a result. the system functions to be performed increase in diagnostic efficiency and a drastic reduction in are divided into sub-functions and respective suitable so. a test of components is initially ousness in the isolation of failures can be handled and pursued. Therewith. The results are summarized in failure indicator matrices. failure modes. 3 Framework of an embedded development process for diag- nosis functions the design phase can be identified that become only visible by means of the complex interaction. A detailed description follows in Sect.SPYDER: a software package 319 1. An assessment of the indicator Fig. Elaboration of final enables the assignment of certainty factors to failures and diagnosis concept the assessment of a health status for system and compo- Require. Design of diagnosis the most valuable pairs therewith. means of a case study. life cycle cost of the system by utilizing the proposed lution approaches are identified. Minimal sets of indicators are then identified that enable the detection and isolation of failures according to the required level of detail. which 4. Virtual sets is performed and a Pareto optimal solution is identi- requirements integration test fied. 
A following. A dynamic model allows deeper failure analysis by taking into account temporal properties of failure propagation. ence in the second step. Fuzzy diagnosis rules are trained to perform fuzzy ments 5. The maximal sensor-feature architecture is reduced to 2. A/C Level nents. SPYDER consists of four detectability of failures. models. Analysis and definition of diagnosis 7. faults in Fig. A double V-model results in the con. Key issues like completeness with respect to designed in detail and realized by appropriate components. The latter are evaluated to gain indicators. test and final verification. the level of detail for the isolation modules as depicted in Fig. In the first step of the model-based design of diagnosis functions. This concerns the opment of diagnosis functions. Failure indicator matrices are System System transferred into exact diagnosis rules. This is performed separately for each ele- Hardware realization ment and level of the diagnosis engine. it is assumed that this is compensated by an In following steps. Component Component Coding is performed in the fifth step and executable soft- design test ware code is gained. The model-based tool chain SPYDER supports the devel- nosis functions are gathered. divergence of indicators. A detailing takes place in the third step. A model-based test is carried out in the sixth step. all requirements affecting the diag. This provides feature candidates that are analyzed in later steps to identify an optimal sen- sor-feature subset. These solutions are approach. A quasi static model propagates failure behavior and identifies relations between failure and fea- tures. Coding inference for both the tasks. That means that System development each agent is tested separately. Detailing of diagnosis elements The chosen solution is enhanced in the fourth step. This classical V-model is enhanced by a model-based approach for design and test of diagnosis functions. 4 Module concept of SPYDER 123 . 
A sensor recommenda- 6. 7 by maximal sensor-feature architecture is defined by experi. Although cost and effort has to be spend on developing developed on basis of requirements for system operation. concepts Characteristics of features are taken into account.

a failure mode description fm_str as well as the time of failure occurrence fm_time are defined. Both types H2 tank Cooling Kerosine tank 2 of rules are saved in xml data files. means that each model comprises a mask where a failure mode variable fm. Interfaces This consists of an optimal set of indicators and sensors. failure each generic diagnosis agent. logically beneficial. This means that all implemented failures are identified and a Current research deals with the integration of fuel cells respective name and failure model path are stored in an (FC) on board of future aircraft [23]. house gases and noise. phase. FC enable the gen- array. The number of criteria. fuzzy diagnosis rules are deduced from failure characteristics and an inference training procedure according to [22]. This process according to Fig. 7 Case study A deep model analysis is performed in the next step. This module supports the steps 3 and 4 of the development Fuel cell system 1 Kerosine tank 1 process according to Fig. It is taken into account either user mainly used to deliver electrical power during ground defined thresholds or nominal behavior as a reference. This visualization method supports the Avionics Control + Failure Diagnosis diagnosis designer in the identification of the final solution. integration has to be done in a multifunctional approach. 5 Illustrative architecture of a multifunctional fuel cell system 123 . All the these benefits consists of the replacement of the auxiliary features are then assessed automatically by means of power unit (APU). 3. Valid solu. Therewith. but also economically feasible. Therewith. Thielecke The failure–effect modeling module is about the mod. For the purpose of deeper failure analysis and the Cabin H2 dryer Exhaust air assignment of certainty factors to suspects. indicator relations are stored as failure indicator tables for Hence. As a product of the electro- model. cell system. the 3 and 4 of the development process according to Fig. 
a hydrogen recirculation and a cooling circle. C-code is generated for models of all components are developed. The method is used to display all comprise two fuel cell stacks. The management of exact and fuzzy diagnosis rules Fuel cell system 2 Kerosine tank 3 is done in the configuration of diagnosis engine module. This module supports the steps 2. Modest and F. the provision of the same amount of Indicators are gained by that. agent. The most optimal solution would thus be in the chemical processes exhaust gas in form of oxygen depleted middle of the circle where each criteria would have the most optimal value. 3.320 C. The eling and simulation of failures on the component level as diagnosis modules are directly readable by the cores of well as the derivation of indicators. A concept for the utilization of The user has to define at which features to look at. 3. Cargo bay 1 The transformation of failure indicator matrices into Air exact diagnosis rules takes place in the rule generation Air module. Figure 5 illus- requirements and optimization criteria. Environment The xml data files are transferred into diagnosis modules that define the specific behavior of detection agent. This is done by monitoring agents and the shape agent. This module supports the steps 4 and 5 of the development process according to Cargo bay 2 Fig. this phenomenological failure description. amongst others. the rules are human readable and transparent. The products of the FC have to be used and further systems be matrices are evaluated stepwise with respect to diagnosis replaced to overcome the weight penalty. In the first step. Each solution is normalized and the supply with reactants takes place with pure hydrogen and influence of each criteria is illustrated by means of a spring air from the aircraft cabin. the array is used to subsequently simu. Afterwards. effort and cost. The failure models module supports the steps 5. certainty agent and aircraft diagnostic agent. 
eration of electrical power without the emission of green- late all failures and save failure effects in terms of features. to make sure. Executable diag- means of an extension of the basic nominal behavior with a nosis functions are gained in the end. that the use of FC is not only eco- documentation purposes. The results in terms of failure power using FC results in an increased system weight. tions are highlighted by means of a radial visualization Main elements are two fuel cell systems that each method according to [21]. The latter concern trates the architecture of an exemplary multifunctional fuel unambiguity. an air supply with com- optimal solutions in a circle with n axes where n equals the pressor. Failure indicator tables are transferred into failure indicator This means that besides the electrical power all other matrices in the indicator and sensor selection module. However. 6 and 7 of the development are developed according to a SPYDER grammar. 3. fusion Fig. The APU is a combustion engine that is threshold checking.

a highly complex system results that directly lead to the purchase of sensors and other that poses high demands on failure diagnosis. For other aspects formed in a series connection. Several pipes multifunctional fuel cell system is a project of ongoing and valves are used for transportation and control of the research. the run through further times. Cooling 7. 6 Excerpt of fuel cell system 1 comprising components from Matlab toolbox Simscape has been used to derive a model multiple physical domains of the exemplary MFFCS [24]. manual way is laborious. 3. A more erties if sufficient information are available from system detailed look into one of the redundant fuel cell systems is development. The data that was available has been loads are applied to the fuel cell stacks.1 Failure–effect modeling fluid To cooling From cooling The Failure–effect modeling module deals with all aspects -+ -+ of modeling. the From cabin model comprises knowledge from different domains which allows the deep analysis of failures and their effects. Electrical loads and physical quantities are shared with external Compr. H2 • Knowledge about failures. This basis is extended with failures on the component level. the development steps for on board of future aircraft. This is used for kerosine tank inerting and behavior by means of equations. A model is used to comprise: Converter = . Challenges that arise in this the failure diagnosis functions can iteratively and easily be context are the handling of system complexity. It is demonstrated in the fol- Check valve lowing by means of the SPYDER tool. However. Figure 7 123 . Real test-rig data is not fully available at the fluids. The Fig. the aim is to provide sensors. Sensors exist to a certain assumptions have been made. electrical current point of time. functions to be Valve performed and operating conditions to be considered are H2-Pump based on knowledge about functionality. Without avionic hardware. 
Water as product of the air quasi-static behavior and continuous with dynamic prop- drying process is fed to the on-board water system. cost intensive and prone to human Failures of the multifunctional fuel cell system are modeled errors. It is therewith suitable for the application of depicted in Fig. This behavior is propagated by means of the Air From tank topology and can be observed through sensors. Dealing with these issues in a real integration of a MFFCS on board of future aircraft. and the integration of all diagnosis functions into a method that is ready and powerful. = Environ. isolated and identified changes occur during the system development or current efficiently there will be no chance to bring such a system assumptions prove to be wrong. It is important to note that extent to control the system. In total. The model validation is an important aspect to pressor. to Fig. Pressurized assure the significance of the gained results. The system comprises two fuel cell the steps 2.SPYDER: a software package 321 Exhaust Air approach is thus promising. as Pipe H2 well as failure behavior which is originating from the MFFCS. used to validate the model to some extent. Purge Modul Nominal system and component behavior. 3 and 4 of the development process according stacks that are supplied with pressurized air by a com. this specific case study has not the aim to make statements In total consequence. Hence. This toolbox allows an a-causal and component based modeling of physical air is gained. • Knowledge about interfaces and sensors. systems and the environment bidirectionally via interfaces. the placement of DER approach is very flexible. when it comes to the the avionic environment. Via interfaces and DC-DC converters. simulating and assessing faulty system = + = Fuel Cell DC-DC Stack behavior. The latter takes the air from the cabin. Cooling is per. • Knowledge about functionality. 
This includes failure behavior that is originating from outside the multifunctional fuel cell system (MFFCS). The method is the focus of this paper. 6. If proving that failures can be detected. Due to its conception the SPY- derivation of diagnostic knowledge. the hydrogen is taken directly from the H2 tank. The application of the model-based SPYDER phenomenologically on the component level. Recirculation Sensor • Knowledge about topology. It starts with modeling of cargo bay fire suppression.

Dx is set to zero and the torque t is set to be about modeling of the nominal behavior please see [26] undefined. Thereby. temperature T. failure signal Fig.in  pair. This will be shown in detail The second equation defines the torque to be equal at both in the following. the detection of small leakages the ports: is not an aim of the current approach. Jam block itself comprises two physical equations. An example of a failure model of the mechanical shaft is According to the phenomenological approach several fail- shown in Fig. the Dx ¼ Ax  Bx : ð3Þ factor has been set to value where a direct effect on the system operation is achieved. It comprises an electrical motor. The first Therefore. The electrical motor. density q. In case of the nominal behavior.out Þ: ð1Þ (c. For details that case. the torque is set and [27]. kv ¼ ð2Þ there is a solid ground attached where the rotational 0. Leakage Shaft kv failure mode port Compr. the kv. It includes a mechanical jam and a rupture. 8 Failure model of an air compressor capacity and a valve representing a controllable leakage. reduced efficiency of the fuel cells.322 C. a mechanical shaft. A 123 . jamming of valves. Hence.in  pair.leak:. as well as increased activation losses and spring constant c. amongst others. This is achieved by an adaption of the specific Shaft Ground flow coefficient kv . The The current focus of the SPYDER approach is on failures. Modest and F. if FM ¼¼ leakage failure. mechanical failures of the last one is represented by adapting damping factor d and compressor. The failure mode port is unidirectional. In compressor itself as well as a compressor map. Motor port Env. m_ Air is a function of flow d coefficient kv . Thielecke Capacity Pipe failure mode port physical El. the Both the equations are influenced by the failure of a jam. This covers high leakages of pipes The first one is modeled as a simplified clutch whereas the and valves. By means of Jam a failure signal. In detail. 
9 Failure model of a mechanical shaft by means of an if–else clause.out c m_ Air ¼ kv   ðpair. Two of them are physical conserving and bidirec- tional.leak: value:  The Jam block is linked to two physical ports. ures have been modeled. The integration into the overall model is done via three ports. A failure model of an t ¼ tA ¼ tB : ð4Þ air compressor is depicted in Fig. which influences the mass flow m_ Air Rupture Inertia through the valve. and pressure p J [25]: rffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi qair.in A failure signal activates the failure mode FM in the model Fig. At port B kv. The kv factor is changed thereby from zero to a specific kv. otherwise: velocity x is set to zero and the torque t is undefined. if FM == Jam Dx ¼ 0 else t ¼ 0: ð5Þ Relevant failures have been chosen based on [28]. the mechanical shaft as well to zero and Dx is undefined: as the compressor are assumed to be influenced by failures.d)=f(FM) Tair. A B simulated. 9.leak: factor has to be set to a value that equation defines the difference in rotational velocity: represents a failure of the pipe and not a fault. 8. The model comprises a block representing the pipe’s Fig. 7 Failure model of an air pipe Compressor Map shows a an illustrative example of a failure model of a pipe of the air supply. Mech. the valve can be opened and a leakage be Mech.

A reuse of the failure models is achieved by a failure model library and the object-oriented modeling approach. This eases iterative development loops, design changes and further applications.

The failure–effect modeling module identifies all failure modes FM that are currently implemented in the components of the MFFCS. All FM are then simulated consecutively for different operating conditions. In the case study two operating conditions are considered. These are depicted in Fig. 10 by means of the electrical load that has to be provided by all the fuel cell stacks. In operating condition one there is no load acting on the system, whereas in the second operating condition a load of 30 kW has been applied.

Fig. 10 Operating conditions of the illustrative example (electrical load P [kW] over time t; operating condition 1 and operating condition 2)

All effects of failures are observed by means of a maximal sensor-feature architecture. This has been implemented in the model using engineering judgment. Sensor types and positions have been chosen that can provide valuable information for failure diagnosis. The analysis in SubSect. 7.2 will show which sensors, features and indicators are actually needed in an optimal case. It will give sensor recommendations.

Figure 11 depicts exemplary effects of the failure of a high leakage of the air pipe. The factor $k_{v,leak}$ from Eq. 2 has been assigned a value in a magnitude such that a persistent deviation in voltage can be observed. At time $t_F$ the failure has been activated in the model. Two features are shown, which are mass flow of air at the inlet of fuel cell stack A, and the voltage at the electrical interface to the DC–DC converter. A drop in electrical voltage U can be observed as an effect. An increase in current I happens likewise and a new operating point on the fuel cells' U-I curve is reached. Further features are measurements of current at both the fuel cell stacks, mass flow of oxygen depleted air and mass flow of water at the outlet of the MFFCS.

Fig. 11 Effects of a leakage of an air pipe (panels: voltage U [V], mass flow ṁ [kg/s], indicator U*, indicator ṁ*; over time t with threshold, $t_F$, $t_P$, $t_{D,1}$ and $t_{D,2}$ marked)

The failure–effect modeling module allows an automatic evaluation of features and determination of indicators. The designer of the diagnosis functions has to choose the features of interest. For the evaluation of the features, threshold checking has been chosen as a simple and robust technique [5]. The features $f_i$ are checked for exceeding or falling below an upper or lower threshold thresh for a persistence time $t_p$.

The threshold checking is realized with state charts. This is based on a function library, where state charts are deposited. State charts are then loaded and configured automatically. These comprise an initial state, a counter state and a failure state. The counter state is reached from the initial state, if a deviation between $f_i$ and thresh occurs. A transition to the failure state is triggered after the deviation persisted for time $t_p$. This time includes a check of the deviation every y seconds for x cycles. Values for y and x are chosen by engineering judgment.

As a result of the threshold checking, indicators with values in the range {-1, 0, 1} are gained. These discrete values are then transferred into more descriptive values of the range {Low, Nom, High}. Therewith, the general procedure of assigning values to indicators is as follows:

$$\text{Indicator } X = \begin{cases} \text{High}, & \text{if } f > thresh_{high} \;\&\; t > t_p,\\ \text{Low}, & \text{if } f < thresh_{low} \;\&\; t > t_p,\\ \text{Nom}, & \text{otherwise.} \end{cases} \qquad (6)$$

Hence, the indicators of the previous example are assigned the value Low at times $t_{d,1}$ and $t_{d,2}$ respectively.

The relation between failures and indicators is summarized in failure indicator tables. Different classes of indicators are considered thereby and each class defines its own table. The classes are related to the system function to be performed, the detection of potentially latent failures, sensor failures, and further information needed only for failure isolation. Sub-sets of the maximal sensor-feature architecture are allocated to each class of indicators.

A persistent deviation between expected and observed voltage output occurred in the previous example. Voltage is directly linked to the system function of providing electrical power. Hence, it has been chosen as one of the features for the first class of indicators. The relation

. represent a component.. TH2 = Low 8 losses .. Det. This inter- . further indicators does not only cause a drop in voltage but also a decrease in are taken into account. losses Ind... Therewith. Not all failures have a direct effect on any of the tional state. This are based on measurements of pressure and valve control indicator is not needed to detect the system function rele. indicators of the class of potentially latent module from Fig.. current amongst others. The same applies for an has an effect on system pressure and on the valve control increased friction of the compressor. these indicators air mass flow m_ provided to the fuel cell stacks. m_ H2 = Low 1 summary.. Pipe . . I H2 .. Using indicators from this table. these indicators can provide further occur. .. . In the specific case. .... The high leakage of the air pipe system function is observed. By means of these indicators. . . 1 and temperature amongst others.. .. .. a direct effect can result if the failure why these indicators are declared as having a maintenance progresses further or the system reaches a certain opera- effect. . High further indicators are taken into account. .... these cator PC = High.. This can be done by means of the indi- dependent propagation of failure effects. The relation between failures and vant failure. To be able to localize the failure.. These are related .. . effects and the Compressor Increased friction Ind. . example of the case study is a breakdown of the purge In general.. which represents higher power con- failures potentially remain hidden in the system. assigning a specific fail. .. The isolation of failures can be started in the next step.   Highly increas. I H2 .. . failures can be detected  Highly increas.. FC stack A .valve = 8 during operation of the system.. It has been shown... reaching a current of the hydrogen supply which is part of a control certain operational state. 
but can help in the isolation of the origin of the indicators is summarized in Table 3 decreased voltage... .  and mass transportation losses of fuel cell stack A are Mass transp. of three examples. . a loss of system function can loop. as there are High generally more failures that lead to the same effect... the fuel cell stacks failures may also relate to failures that have an actual effect are still operational for a period of time and no effect on on the system functions... .... leakage Ind. . leakage Ind. .. FC stack A .. the two failures of delivered at the same quality as well as exhaust gas and the example could be isolated explicitly. between failure and indicator is shown in Table 1 by means Table 3 Effects of failures that can help in detecting latent failures. In this case study.... m_ = Low 8 . However. That is the reason water.... in the Ind. . . Electrical power can be stack A. .. However. Det.. .. ure might not always be possible. Leakage of the air pipe FC stack A . losses Ind..valve = 8 illustrative examples. However. only to the failure isolation. If they also enable the fuel cells due to a breakdown of the purge module... leakage Ind. This is due to redundancy and time made detectable. . Compressor Jam Ind. PC = High 1 operational interval of detecting the indicators.. Table 2 shows an exemplary Purge module Breakdown Ind. The failure indicator table has four columns which Component Failure mode Effect-early Det.. That is a reason why the failure should be system functions... Ind.324 C.... . Thielecke Table 1 Effects of failures with relevance to functions to be fulfilled Table 2 Effects of failures that can support failure isolation Component Failure mode Effect-func.. Air pipe . a failure mode. 1 val is related to operating conditions and control states.... An example would be a hydrogen clogging in the information for failure isolation... U = Low 8 Highly increas... By that... .. 
that a high leakage of the air pipe make these specific failures detectable.. p = Low 7 current case a decreased voltage. The same applies for the indicator of a Increased friction in the compressor has no direct effect low temperature T of hydrogen H2 at the outlet of fuel cell on any of the system functions.. Component Failure mode Effect-maint..... An sumption in the compressor compared to the nominal state. 6. .. Chosen features are measurements of mass flow ... Mass transp. ... . Modest and F.. U  = Low 8 Mass transp.. Air pipe . U  = Low 8 Compressor ... To detection of the potentially latent failures. they may be 123 ..

ferred into indicator sets. which have no direct sect. Based on the directed illustrative example is depicted in Fig. to latent failures. required level of failure isolation are identified. Sensor maximal length of existing traces to be considered. The failures can lead to false alarms. a trace of two indicators was failure isolation should be achieved during operation. This can provide considering failures with no direct effect on system func- further means for pinpointing sources of failures. There. In the example. the basis always followed by an increase of valve control current of diagnostic performance is mainly influenced by the influencing the mass flow of hydrogen provided to the fuel requirements. sensors and interfaces. which are related to four classes of failures and failures of the respective matrix are activated and consid- five classes of indicators. This leads to multiple indicators indicators by means of the logical and. An approach for handling of indicators is transferred into failure indicator matrices. the indicators are sepa- means to detect such failures and isolate them to be root rated into sub-sets of indicators. which are needed for a detail. 7: means. which are input to the indicator The relations between failures and indicators are trans- and sensor selection module. complex indicators and multiple criteria of optimal- the concept of complex indicators. An answer on the separated into sub-sets of failures. 13. are part of an optimal minimal set for High leakage of air pipe : p ¼ Low ! the detection of all relevant failures. it can be ing optimality. The total amount of failures is ered during the evaluation of all the matrices. This has to be con- selection module provides means to the user to set the sidered during the design of diagnosis functions. stack A. Analyzing the diagnostic performance is taken into account in determin- temporal occurrence of all respective indicators. 
The leakage of structure of the table is similar to the previous ones. Nevertheless. dedicated sensor matrices. The Data from the first SPYDER module is con. 12. which are now analyzed in tem functions. as well as weight of wiring for sensors. the system functions to be performed. where is defined in terms of maximal divergence of indicators and indicators are detected. Optimality mation about the interval and specific points of time. However. In case of the 123 .SPYDER: a software package 325 optimal choices as the synergies are high. The relation between indicator and sensor is stored in a directed graph as shown in Fig. All indicators of the three classes are related to effect on system functions. f5. that a high leakage from the air pipe the effort. to failure localization. like amount of sensors leads to a decreased mass flow of air at the inlet of fuel and indicators. and p = Low. The sensor failure and the temporal occurrence. IH2 . the indicator and sensor Sensors are prone to failures as well. It thus comes for free without raising It has been shown. it is explicitly defined. It failures and the isolation of root causes to a specific level of is based on the theory of minimal hitting sets 31]. Further indicators. if the indicators f5g and f6g which are Ind. The last column of the data sheets provides infor.2 Indicator and sensor selection of the air pipe. NFF or latent failures of relation between failures and simple as well as complex other system components. 12. stored as Excel data sheets.valve ¼ high declares ! Compl. which have an effect on selection of optimal indicators will be given in Sub. A maximal sensor-feature architecture has been defined by the graph comprises the link between simple and complex engineering judgment. According to the failure indicator Sensors are prone to failures as well. and those failures related to features. focus is on failures and indicators with respect to the sys- tained in Excel data sheets. 
There are 20 graph and a specific set of indicators. which level of cell stack. The indicator and sensor selection bination of indicators and sensors which enable the module deals with the identification of an optimal minimal detection of all relevant failures and the localization set of all indicators and their related sensors. This is based according to a required level of detail. taken into account. Ind. on requirements that determine the detectability of relevant The basic approach for evaluation is presented in [30]. indicators with respective table is taken into account. All tables are tors in Fig. These are specific patterns. In relation to the example this means of Eq. f7g for the example of the high leakage 7. This information is used to analyze the amount of sensors. f16g would be activated by means of the directed graph for failure localization. The sets and the where each failure that has been simulated is linked to at graph are evaluated stepwise to identify an optimal com- least one indicator. which are f2. which are based on measurements from sensors. This concerns ambiguity groups of failures shown. Apart from hard facts. An sensor failures is introduced in [29]. To offer specific tables and the previous analysis. An example is given by ity is introduced in [32]. A drop in pressure follows likewise.valve followedby = High. 6g. Furthermore. For an air pipe highlights the link between failure and indica- further information please refer to [29]. The detail.16. A sensor recommendation for specific traces of failures by taking into account the tem. the complex indicator ð7Þ IH 2 .2. An extension of this approach poral occurrence of the related indicators. 7. which are related to the cause of the effects introduced previously. that for this particular failure the drop in pressure is that all point to the same indicators. a fourth class of system function. 3g. failure diagnosis is given. It defines tions.

14 Ind. 13 Directed graph that contains the relation between sensors.12 Ind.10 Ind.Complex indicators to system functions to failure localization 2.326 C.9 { FM 1 : : 1.6 Ind.2 Ind. 12 indi- cators are required for failure detection.16 Ind. For the case study.Sens. Thielecke Ind.8 Ind. Summarizing the result of the indicator and sensor selection module. It deals with symptoms related to the system 123 . as well as failure ð8Þ then deduce complex indicator 16 = true: indicator matrices are gained. U* = Low Ind.Indicators related 4. This is done by means of detect rules. U*M.5 Ind. and 20 complex indicators are accompanying Four cases are distinguished. detect rules. now combined and transferred into four sets of exact indicators and complex indicators. These columns are Fig. reveal symptoms. All the rules consist of a premise and a conclusion.Sensor failures Loss of mass flow FM R sensor lane { Interface failure FM S ATA24 : : 4. = Low complex Indicator Ind. cumstances.7 Ind. sensor 2 7. The detection agent utilizes a fourth group.15 Ind. Interface failures are listed as on the rule’s conclusion.Failures without direct effect on system functions { FM J : : 3.valve ¼ High optimal set of indicators and sensors.Interface failures FM Z { { { { { 1. They are important when it comes to the the temporal occurrence of simple indicators: configuration phase of diagnosis functions.Indicators related 3.11 Ind. Modest and F. but do not need to be dealt with by an deduce rules for the deduction of complex indicators from extended analysis. Eq.4 Ind. The first case is illustrated in all relevant simple indicators. For deeper analysis of failure indicator characteristics fuzzy diagnosis rules are trained in the end.13 Ind.Indicators related to latent failures to sensor failures Fig. & An optimal set of indicators has been identified using the previous module.1 Ind. diagnosis rules. 
two indicators are Different indicators are combined by the detection agent to required to assure the root cause isolation under all cir. 9. sus- pect rules and clear rules. 12 Failure indicator matrices showing the relation between failures and indicators. m* = Low Ind. p* = Low Ind. The activation of the premise will lead to example.Failures that effect Highly increased FM D system functions leakage of air pipe FM F FM G Increased friction of compressor : FM I : { 2.3 Rule generation sensor 3 voltmeter sensor 1 The rule generation module deals with the transformation of failure indicator matrices and complex indicators into a feature set of exact diagnosis rules. an if p ¼ Low followed by IH 2 . specific failures of the voltmeter would be taken a firing of the rule and new facts are gained that are based into account amongst others.Indicators related 5. These are deduce rules. Therewith. the failure indicator matrices complex indicator can be reduced to the valid columns.3 Ind.

. 15.. The primary Indicators of the classes one and four are combined and symptom four is assigned and a list of suspects is gained. These are symptoms. It is about symptoms without direct relation to any of the system functions. The way this result is gained is All previous indicators are used to detect symptoms of transparent and well documented which marks a major abnormal behavior and trigger the failure localization in the aspect of the SPYDER approach.. However. which are potential sources of failures. test hypotheses about sources of failures. toms of the previous two cases. the list of suspects can be long so that primary symptoms: secondary symptoms are taken into account to test the necessary condition for the particular hypothesis. four and five and are used for the separable. that air supply. In a continuation of the previous example. The characteristics of ð12Þ then detect secondary Symptom 1: all final suspects of the previous example are depicted in Fig. . This offers the pos- if primary Symptom 1 ¼ true and m¼ _ Low sibility for a deeper failure analysis. indicators Another example is given in Fig. A finer detection of secondary symptoms. granularity is not possible and could only be achieved which are accompanying primary symptoms and help when relying on exact diagnosis rules by further sensors failure localization: and indicators. indicators of class one possess nominal values: This list is already a small part of the overall system that if U  ¼ Nom and I  ¼ Nom and . this specific feature offers means for a detailed root failures and symptoms: cause identification. This requirement said. If there is no link. 14. This is carried out with fuzzy logic if primary Symptom 1 = true then suspect and fuzzy inference as is indicated in the right part of FM 1. Losses of FC Stack A: Equation 10 depicts the second case. The diagnostic result is fusion agent. Hence. 
and Ops ¼ Load done by means of clear rules: then detect primary Symptom 1: ð9Þ if secondary Symptom 1 = true then clear ð14Þ FM 1. There. This is if U  ¼ Low and I  ¼ High and . Leakage of Air pipe.. the secondary symptom 23 is detected. These tasks are It is obvious that the failure mode three of the hydrogen performed by means of two rules that are gained from the valve has a much higher effect on the observed deviation columns of the failure indicator matrices. related to the threshold. A clear rule leads to the final diagnosis of three suspects of then detect primary Symptom 3: the hydrogen supply. However. Indicators of class one according to Fig. Mass transp. 12 are element of the list can fully explain the detected primary combined with the operational condition Ops to detect symptom. done by means of secondary indicators. the range of the deviations is divided into Losses of FC Stack A: three parts. which are low. detected by means of two primary indicators. 15. It shows the deviation between the observed fea- The fusion agent combines all symptoms to generate and ture IH2 . ð13Þ Fig. Mass transp. 1].SPYDER: a software package 327 functions. By means of one sec-  UM:Sens ¼ Low and Ops ¼ Load ð11Þ ondary indicator.. the if U  ¼ Nom and I  ¼ Nom and . Suspect rules than the failure modes four and five of the hydrogen pump. Failures that cannot explain the secondary symptoms are Indicators of the classes one and two are combined and cleared from the list of suspects and tested to be failure indicators of class one possess nominal values: free. A list of potential sources of failure is gained in the end which and Ops ¼ Load can explain all observed symptoms.. There. Sensor failures can lead to the detection of primary symp. Hence. the high leakage of the air pipe can be localized explicitly. All elements of this list then detect primary Symptom 2: are hypotheses that could equally have caused the abnor- ð10Þ mal behavior. The 123 . 
This is the case for the current example. they are called primary indicators. a failure of class four are used for the detection of symptoms.valve and the threshold.. based on a chosen requirement for the design of the diag- Extensions of the specific patterns in the rules premises are nosis functions. Each degree l which lies within the continuous range [0. the characteristics of the failure have not been taken into account yet. mark the starting point for the reasoning procedure about Hence. and could have caused the symptom. and p ¼ Low final diagnosis is inferred by means of several clear rules. . so that occurred in the system and the respective effects can be these sensor failures do not remain hidden in the system. three. These belong to the hydrogen supply and fuel cell stacks should always be fully classes two. This is done by one suspect rule and one clear rule.. medium and high deviation. These parts are each characterized by fuzzy membership The conclusion of a suspect rule constitutes a list of functions which allow the determination of a matching hypotheses. The list of suspects is reduced therewith.

An example of a fuzzy diagnosis rule is illus. 3 is 0 0 supported.Symptom 4 Suspect ð15Þ Rule then assign H2 Valve .FM 4 : blockage combined using the fuzzy inference.FM 3 . There. 16. Executable diagnosis func- low tions are gained. This FC Stack B . the amount of functions has to be defined.valve [-] characteristic IH2. Modest and F.Symptom 23 P Ops c.FM 2 the failure characteristic is high the failure mode three of I_fc1_nom Air Valve B .FM 5 : cell failures Air Valve B .valve = High of the specific rule n with conclusion FMn and character- H2 Pump B . The latter adapt the core of all diag- trated in Eq.FM 4 : reduced efficiency H2 Pump B . H2 Pump B . FM 3 high Fuzzy membership 7. Failure H2 Pump B . diagnosis modules.FM 5 ence. it has to be evaluated which indicator characteristics have to be Air Valve B . Sec.. as well as detected failure. 14 Utilizing suspect and clear rules to infer root causes of a of membership functions.4 Configuration of diagnosis engine function med.FM 2 By applying Eq. Hence.Indicators Air Valve B . nosis agents to the specific target system. The configuration of diagnosis engine module deals with the management of these rules and the configuration of the diagnosis engine. combination of matching degrees for several indicator All diagnosis rules are saved in a xml data format and characteristics enables the assignment of a certainty degree stored in a xml database.FM 3 low.FM 5 : high leakage H2 Valve B .FM 3 istics c related to the matching degrees of all other fuzzy diagnosis rules. On the one hand. 15. The significance of this rule is I_fc2_low FC Stack B .FM 3: Suspected Candidates The specific fuzzy diagnosis rule says that in the case that Prim. At this point several exact and Fuzzy diagnosis rules localization. This means that 123 .. templates to be to each suspect of the final diagnosis. or further increments. The generalized scheme is shown in Eq. 
the width of the membership functions has to be determined.FM 3 the H2 valve is assigned. medium. An approach to cope FC Stack B . high like in the example.FM 4 transformed to a certainty factor for the failure mode. Thielecke Failure Ops if IH2 .FM 3 : stuck closed with all the challenges is presented in [22].FM 5 Sec. a genetic optimization procedure is used to derive the optimal shape Fig. filled and xslt techniques are used to automatically inter- formed by means of fuzzy diagnosis rules and fuzzy rogate the database and transfer required data into different inference. or very low. This task is per. The configuration of the diagnosis engine deals with the H2 PUMP B - FM 4 / FM 5 utilization of diagnosis rules.FM 2 : half opened FC Stack B . To always come FC Stack B . that consists of a list of rated suspects..FM 5 H2 Valve B . It is achieved in a documented way and characteristic IH2. In the consequence the step 5 of the proposed development approach according to Fig. that is not in the focus of this Fig.FM 3 : stuck closed H2 Pump B . However.valve [-] H2 Valve B .. This enables the steps 6 and 7 which covers the t t integration phase. finally a diagnostic result is gained. 16. very high. the required patterns in the specific rule’s premise.328 C.Indicator H2 Pump B .high. ln ðcÞ [ 0: ð16Þ c ln ðcÞ Clear Candidates Resolution Air Valve B . 15 Taking into account the failure characteristics for root cause paper.valve has characteristic high Effects Prim. This is depicted in Fig. 16 a certainty factor H2ValveFM3 of 90% Air Valve B . enables the planning of maintenance actions.FM 4 either low.FM 4 is done by means of the ratio of the matching degree ln ðci Þ IH2. Python scripts. the required amount. Finally. can be determined in the current example.FM 5 Effects H2 Valve B . exist.FM 4 to a correct certainty degree by means of the fuzzy infer- FC Stack B . On the MFFCS with Final Diagnosis other hand. some challenges arise.FM¼FMn ln ðcÞ Clear Rule FM ¼ P .

test and implementation of diag- nosis functions for aircraft systems supported by a model- based tool chain Three key questions concerning the Diagnosis modules development of diagnosis functions have been formulated in Sect.xml European air traffic. These are repeated in the following and exact Fuzzy answered according to the content of the paper. These are gained from simulation studies performed on basis of physical models.xml implementation and development of diagnosis functions Fuzzy diagnosis rules for aircraft systems. The matrices are transformed into diagnosis rules. more powerful diagnosis functions are required. The latter com- implemented by adapting the rule-based expert system prises a generic core that is adapted to the specific function CLIPS [19]. Main issues like completeness with respect to failure modes. What will efficient diagnosis functions look like which The code highlights one detect rule. All diagnosis modules are ing instances with clear functions and interfaces. Hence. This is addressed in the paper at hand by means of the SPYDER concept. 3. The latter are used to configure a diagnosis engine. High rates of NFF and long times of Database AOG demonstrate ongoing weaknesses. By that. a human readable and transparent format has been chosen that enables a good traceability and documentation. All the agents exact and a fuzzy part of the engine. further to coding and ends with a virtual integration test. seven steps are run through. The configuration of each agent is performed functions is finally closed. 3. Both parts are are based on a rule-based expert-system. These agents are assigned to an of symptoms by means of indicator patterns. 1. A gained in the end. The gap between defining diagnosis flexible support of a variety of aircraft systems is achieved requirements and implementing and executing diagnosis thereby. 
How can knowledge of failures be encoded for the An example of a part of one of the modules of the detection specific target system? agent looks like follows: The knowledge of failures and effects is encoded system- atically in failure-indicator matrices. in form of diagnosis rules. The latter consists of example is the detection agent. diverge of indicators.SPYDER: a software package 329 exact diagnosis rules 8 Conclusion Current statistics indicate that there are deficits in the . The latter is a systematic Configuration scripts & templates approach for the design. Integrated into the common V-model. efficiently by means of standardized xml techniques and 123 . the execution of logical resolution and fuzzy inference as well as the provisioning of outputs to the user. Exact part Fuzzy part This starts with the definition of requirements. and groups of unambiguous the diagnosis modules are related to the detection of failures are handled and documented systematically. The primary symptom can support a variety of aircraft systems? 4 is detected if the premise is fulfilled. How can the design and test of diagnosis functions be standardized? behavior behavior Diagnosis engine The design and test of diagnosis functions is standardized Fix core Fix core according to systems engineering principles. An loaded by the diagnosis engine. This consists of several generic comput- possess values of Nom and Low. which performs a detection several diagnosis agents. This is the case if A multi-agent concept in terms of a diagnosis engine has the operational condition equals Load and the indicators been introduced. 16 Overview of the configuration of diagnosis engine module. proceeds Fig. In the consequence and with respect to ambitious goals for the future of . symptoms. 2. executable diagnosis functions are and aircraft system by means of the diagnosis rules.

The focus of this paper was on a method for the development of diagnosis functions for failure detection, isolation and identification. [...] templates. In a case study, the SPYDER concept has been applied to a multifunctional fuel cell system. Valuable results were gained which demonstrate that a good benefit in the support of the development and implementation of diagnosis functions for complex aircraft systems is achieved.

A point of current research is the extension of the method to also deal with faults. This can be achieved in two ways. The first one consists of an extension of the class of failures that do not have any direct effect on the system functions. This class can also hold faults which by definition have no direct effect on system functions. However, it has to be analyzed if discrete indicators are appropriate also for fault diagnosis. Therefore, the second way consists of an extension of the right branch of the diagnosis engine. The fuzzy part is extended so that not only certainties for failures are provided but at specific operational states the system behavior is evaluated to infer faults. This has the advantage that feature values are analyzed quantitatively rather than condensed to discrete indicators. A better analysis of the actual system behavior seems achievable by that.

Apart from faults, failures have to be considered in more detail. A new class of diagnosis rules is under development for that.
