Design for Isolation and Recovery in a Chart

Mode Logic for the Elevator Actuators

This example shows how the model sf_aircraft uses the chart Mode Logic to detect system faults and recover from failure modes for an aircraft elevator control system. For more information on this model, see Fault Detection Control Logic in an Aircraft Elevator Control System.

There are two elevators in the system, each with an outer and inner actuator. The Actuators state has a corresponding substate for each of the four actuators. An actuator has five modes: Passive, Active, Standby, Off, and Isolated. By default, the outer actuators are on, and the inner actuators are on standby. If a fault is detected in the outer actuators, the system responds to maintain stability by turning the outer actuators off and activating the inner actuators.

States for Failure and Isolation

Each actuator contains an Off state and an Isolated state. When the fault detection logic in one of the truth tables detects a failure, it broadcasts the event go_off or go_isolated to the failing actuator. For more information, see Map Fault Conditions to Actions in Truth Tables.

The go_off event instructs the failing actuator to transition to the Off state until the condition is resolved. The event go_isolated causes the failing actuator to transition to Isolated. Transitions to the Isolated state are from the superstate L1, which contains all the other operating modes. This state has no outgoing transitions, so that once an actuator has entered Isolated it remains there. Intermittent failures that cause an actuator to fail 5 or more times, also cause a transition to Isolated. The variable fails logs the number of failures for an actuator by incrementing each time a transition occurs out of Off.

Transitions for Recovery

Transitions in the substates for each actuator account for recovery requirements of the elevator system. These requirements derive from rules for symmetry and safety of the elevators such as:

  • Only one actuator for an elevator must be active at one time.

  • Outer actuators have priority over the inner actuators.

  • Actuator activity should be symmetric if possible.

  • Switching between actuators must be kept to a minimum.

For example, one requirement of the system is if one outer actuator fails, then the other outer actuator must move to standby and the inner actuators take over. Consequently, there is a transition from each Active state to Standby, and vice versa.

For the inner left actuator (LI ), the transition to Active inside the L1 superstate is conditionally based on [!LO_act()|RI_act()]. This causes the left inner actuator to turn on if the outer actuator (LO) has failed, or the right inner actuator (RI) has turned on.

Another consequence if LO fails and moves out of Active is a transition that occurs in the right outer actuator (RO). The RO state transitions inside the L1 superstate from Active to Standby. This satisfies the requirement of the outer actuators and inner actuators to work in symmetry.

Was this topic helpful?