The invention generally relates to the field of the operating safety of a critical system onboard a vehicle.
The vehicle can be an aircraft (such as an airplane), a guided vehicle (such as a train), a motor vehicle (such as a passenger car), a vessel (such as a submarine), etc.
The critical system can be a propulsion means (such as a synchronous electric motor), a monitoring means (such as an electric monitoring sensor), a control means (such as an electric flight control actuator of an airplane or air/fuel metering actuator of a helicopter turbine), a regulating means (such as a feedback chain), etc.
The case of an electromechanical actuation unit including a stepping induction motor will more particularly be studied.
A failure will refer to a deviation between the service delivered by a system and the expected service. A failure is caused by an error, such as an alteration in the state of the system. This error is caused by a fault.
A fault affecting a system may have more or less serious consequences for the operation of the vehicle. This is referred to as the criticality of the system.
Different standards are enforced to classify systems based on their criticality. For example, in the avionics field, standard ARP 4754 makes it possible to classify the criticality of a system according to several DAL (Design Assurance Level) levels. This scale extends from a low criticality level E to a high criticality level A. At the latter level, the allowable failure rate of the system per hour of use must be less than 10⁻⁹.
A critical system must thus meet a certain number of criteria making it possible to guarantee the safety of its operation.
In this context, various notions have been developed. In particular, the notion of reliability of the critical system indicates the number of failures of any type that may affect a system. The notion of safety of the critical system indicates the number of failures that have catastrophic consequences for the vehicle.
In order to improve the reliability of a critical system, various approaches can be used, in particular by integrating a monitoring pathway with the primary control pathway that incorporates the actuation unit.
FIG. 1 shows one such critical system. The system 10 is inserted between a computer 12 and mechanical system 14, actuated by the system 10. The system 10 includes a control pathway COM 16 and a monitoring pathway MON 18.
The control pathway COM 16 includes, as actuation unit, a stepping hybrid motor 20. The motor 20 is controlled by a control module 24 able to generate a command from a setpoint generated by the computer 12. At the output of the motor 20, several output variables are measured by appropriate sensors 22. The monitoring pathway MON 18 is adapted to the monitoring of the motor 20.
The monitoring pathway MON 18 includes an estimating module 35 capable of determining an estimate of the output variables from the command applied to the motor. The monitoring pathway includes a computing module 38 for computing residuals from the measured variables and the estimated variables. The monitoring pathway includes a diagnostic module 40 capable of comparing each residual to a predetermined threshold and emitting an inhibiting signal to the control module 24 once the value of a residual has exceeded the corresponding threshold.
This solution of the state of the art has the following drawbacks.
The actuation unit of the control pathway includes elements that are not linear, such as the motor and the sensors, and optionally the control module. The estimating module of the monitoring pathway is based on a model of the monitored actuation unit that is either a linear model or a nonlinear model.
A linear model is too imprecise to be validly used to monitor a critical onboard system.
A nonlinear model is more representative of the behavior of the monitored actuation unit, but is complex both theoretically and in terms of implementation. An estimating module based on a nonlinear model uses a larger number of output quantities and requires significant computing capacities to carry out the monitoring method.
In both cases, linear and nonlinear, it is necessary to use high thresholds on the residuals in order to be robust to disturbances of the actuation unit and to the uncertainties of the model used, i.e., to limit the number of false alarms, undetected faults, etc.
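The monitoring pathway of FIG. 1 and the threshold trade-off just described, written out as an added example (not code from the patent): module 35 estimates the outputs from the command, module 38 forms one residual per output variable, and module 40 latches an inhibiting signal once a residual exceeds its threshold. The linear model gains, the real unit's gain mismatch, the sample data and the stuck-output fault are all constructed assumptions.

```python
# Constructed monitoring pathway MON for the FIG. 1 architecture; gains and data are assumed.
MODEL_GAINS = {"position": 0.5, "current": 0.02}   # assumed linear model used by module 35


def estimate_outputs(command: float) -> dict:
    """Module 35: predicted output variables for the command applied to the motor."""
    return {name: gain * command for name, gain in MODEL_GAINS.items()}


def compute_residuals(measured: dict, estimated: dict) -> dict:
    """Module 38: one residual per output variable (measured minus estimated)."""
    return {name: measured[name] - estimated[name] for name in estimated}


class DiagnosticModule:
    """Module 40: raises and latches the inhibiting signal sent to control module 24."""

    def __init__(self, thresholds: dict):
        self.thresholds = thresholds
        self.inhibit = False

    def update(self, residuals: dict) -> bool:
        if any(abs(r) > self.thresholds[n] for n, r in residuals.items()):
            self.inhibit = True      # latched: stays set once any threshold is exceeded
        return self.inhibit


def first_inhibit(samples, thresholds):
    """Run MON over (command, measured) samples; return the index of the first inhibit, or None."""
    diag = DiagnosticModule(thresholds)
    for i, (command, measured) in enumerate(samples):
        if diag.update(compute_residuals(measured, estimate_outputs(command))):
            return i
    return None


# Constructed data: the real unit has position gain 0.52 (model uncertainty of 4 %),
# and from sample 4 on the position output is stuck at its sample-3 value (the fault).
COMMANDS = [10, 20, 30, 40, 50, 60]
SAMPLES = [(c, {"position": 0.52 * c if i < 4 else 0.52 * 40, "current": 0.02 * c})
           for i, c in enumerate(COMMANDS)]

if __name__ == "__main__":
    # A low threshold trips on the model mismatch alone (false alarm at sample 2);
    # a threshold that absorbs the mismatch catches the fault at sample 4; a very
    # high one only catches it a sample later (detection delayed).
    for thr in ({"position": 0.5, "current": 0.1}, {"position": 2.0, "current": 0.1},
                {"position": 5.0, "current": 0.1}):
        print(thr, "-> inhibit at sample", first_inhibit(SAMPLES, thr))
```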