Design for Isolation and Recovery in a Chart
Mode Logic for the Elevator Actuators
This example shows how the model
sf_aircraft uses the chart
Mode Logic to detect system faults and recover from failure
modes for an aircraft elevator control system. For more information on this model,
see Detect Faults in Aircraft Elevator Control System.
To open the model, enter:
There are two elevators in the system, each with an outer and inner actuator. The
Actuators state has a corresponding substate for each of the
four actuators. An actuator has five modes:
Isolated. By default, the outer actuators are on, and the
inner actuators are on standby. If a fault is detected in the outer actuators, the
system responds to maintain stability by turning the outer actuators off and
activating the inner actuators.
States for Failure and Isolation
Each actuator contains an
Off state and an
Isolated state. When the fault detection logic in one of the
truth tables detects a failure, it broadcasts the event
go_isolated to the failing actuator. For more information,
see Map Fault Conditions to Actions by Using Truth Tables.
go_off event instructs the failing actuator to transition
Off state until the condition is resolved. The event
go_isolated causes the failing actuator to transition to
Isolated. Transitions to the
state are from the superstate
L1, which contains all the other
operating modes. This state has no outgoing transitions, so that once an actuator
Isolated it remains there. Intermittent failures that
cause an actuator to fail 5 or more times, also cause a transition to
Isolated. The variable
fails logs the
number of failures for an actuator by incrementing each time a transition occurs out
Transitions for Recovery
Transitions in the substates for each actuator account for recovery requirements of the elevator system. These requirements derive from rules for symmetry and safety of the elevators such as:
Only one actuator for an elevator must be active at one time.
Outer actuators have priority over the inner actuators.
Actuator activity should be symmetric if possible.
Switching between actuators must be kept to a minimum.
For example, one requirement of the system is if one outer actuator fails, then
the other outer actuator must move to standby and the inner actuators take over.
Consequently, there is a transition from each
Active state to
Standby, and vice versa.
For the inner left actuator (
LI ), the transition to
Active inside the
L1 superstate is
conditionally based on
[!LO_act()|RI_act()]. This causes the left
inner actuator to turn on if the outer actuator (
LO) has failed,
or the right inner actuator (
RI) has turned on.
Another consequence if
LO fails and moves out of
Active is a transition that occurs in the right outer
RO state transitions inside
L1 superstate from
Standby. This satisfies the requirement of the outer
actuators and inner actuators to work in symmetry.