Introducing Failure Modes Into A Vehicle System

With the exponential introduction of autonomy, especially in vehicles, comes an increased need to test controllers under edge-case scenarios. AVSandbox deals with edge cases in the environment around a vehicle, but edge cases within the vehicle also need consideration, particularly to test and train controllers' response to faults and failures that occur inside the vehicle.

Including failures in any model demands a level of fidelity that may not otherwise be required when no failures are present. Consider a failure in the steering system, such as the breakage of a toe link: the dynamics and freedom of that wheel now need to be considered separately from the dynamics of the vehicle. This rules out a significant proportion of vehicle modelling software, which cannot inject additional degrees of freedom into the simulation.

The only way to inject these reactive failures into a model is to include the appropriate fidelity in the system model. This blog post looks at 3 types of failure, each with a different method of implementation and level of required detail. It builds upon a previous blog post about the introduction of degraded bushes into suspension linkages.

Approach to Failure Modelling Within System Models

One of the first questions that needs to be asked of any simulation model is "How accurate does it need to be?". This is especially the case when simulating failures, so questions such as "What components and systems are impacted by a failure?" and "How will the failure manifest itself?" are next on the list.

But a key issue that is easily overlooked is "After the failure occurs, is the rest of the model still good enough to accurately model the resulting dynamics?". If it is not, you need to think about the simulation boundaries and limit the simulation to where it is still valid.

Consider a failure in an aeroplane model. In normal flight the wings will normally see an angle of attack between -15deg and +20deg. Lift and drag data are freely available for this range and will be acceptable for most conventional flight dynamics simulations. But if a failure causes wing motion with air flow outside that envelope of data, the data set needs to be broadened for the simulation to remain valid.

Control Failure

Control failure of a system in this case covers failures in the transmission of demand signals to the actuators, for example a throttle pedal position change not causing the throttle valve actuator to move. In modern vehicles this is most commonly related to computer or electronics failure. But the failure mode is very important: does it stick or return, or does it do something time-varying? Continuing our example, when the failure occurs, does the throttle valve return to a default position, does it stick at the last received position, or does the ECU cause it to move in irregular ways?

We can easily implement the first 2 failure modes, but where the failure causes variable outcomes, the control producing that outcome needs to be modelled, potentially with all the other inputs to that controller being supplied as well.

If we want to implement a simple loss of control to the controller, this can be done with either a switch or a latch, depending on the expected result of the failure. With a switch, when a failure occurs the output reverts to a default value; with a latch it holds the last input before the failure.

Implementation of failure for the input to an inverter.

Above is an example of a control failure input from motorControlBus to dcdcInverter, where the 2 routes are conditionally enabled. Both routes become active when activateFailure=true; if the top route, switchToZero, is enabled, the output to the inverter reverts to zero when the failure is activated, otherwise the latch holds the value from the instant the failure occurs.
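The switch and latch routes described above, reproduced in plain Python as an added example (this is not Claytex code, and the post's own implementation is a Modelica diagram): a sampled pedal demand passes through untouched until `activate_failure` becomes true, after which `switch_to_zero` selects between reverting to the default value and holding the last healthy input. The class and function names are assumptions chosen to mirror the activateFailure and switchToZero flags named in the post.

```python
"""Switch and latch failure injection on a sampled demand signal.

Added example, not Claytex code: the post describes a Modelica block between
motorControlBus and dcdcInverter with two conditionally enabled routes.
This reproduces that selection logic in plain Python on a sampled signal.
The class and parameter names below are assumptions, chosen to mirror the
activateFailure / switchToZero flags named in the post.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


@dataclass
class FailureInjector:
    """Pass a demand through unchanged until the failure is activated.

    switch_to_zero=True  -> output reverts to default_value (the switch route)
    switch_to_zero=False -> output holds the last healthy input (the latch route)
    """

    switch_to_zero: bool
    default_value: float = 0.0
    _last_healthy: float = field(default=0.0, init=False)
    _held: Optional[float] = field(default=None, init=False)

    def step(self, demand: float, activate_failure: bool) -> float:
        if not activate_failure:
            # Healthy: remember this sample so a later latch can hold it.
            self._last_healthy = demand
            self._held = None
            return demand
        if self.switch_to_zero:
            return self.default_value
        if self._held is None:
            # First sample with the failure active: capture the value from the
            # instant of failure and hold it for as long as the failure lasts.
            self._held = self._last_healthy
        return self._held


def run_failure(switch_to_zero: bool, demands: Sequence[float],
                fail_from_index: int) -> List[float]:
    """Drive the injector with a demand sequence; the failure is active from
    sample fail_from_index onwards. Returns the signal seen by the inverter."""
    injector = FailureInjector(switch_to_zero=switch_to_zero)
    return [injector.step(d, i >= fail_from_index) for i, d in enumerate(demands)]


def throttle_ramp(n: int = 10) -> List[float]:
    """Constructed demand: pedal position ramping from 0 towards 1."""
    return [i / n for i in range(n)]


if __name__ == "__main__":
    demand = throttle_ramp()
    print("demand :", demand)
    print("switch :", run_failure(True, demand, fail_from_index=5))
    print("latch  :", run_failure(False, demand, fail_from_index=5))
```

The third failure mode from the post, an ECU driving the valve erratically, is deliberately absent: as the post notes, that needs the controller itself in the loop rather than a selection between two routes.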

Something’s Fallen Off (Mass Change)

A loss of a component can incorporate the effect of several failures: if a wing falls off, there are 3 effects that need to be modelled. The lift is lost, the drag is either increased or decreased depending on the proportion of the wing lost, and the mass and inertia are decreased.

Impacting the lift or drag is as simple as applying a variable gain to the output of the lift or drag calculation, driven by the failure control in a similar way to the example above.

Impacting the mass is a little more complex, as the calculation of the mass is far more variable. Even a static mass has at least 4 variables, the mass and the inertia about each primary axis, and all 4 can vary differently depending on the failure.

In the Claytex library we have the VariableMassInertia body (Claytex.Mechanics.MultiBody.Bodies.VariableMassInertia), which uses a 6×6 mass matrix to define the mass of the body. This methodology is more common in flexible body models, but it can be used for rigid bodies using the following constraint:

This means we can individually control each element as necessary by propagating them to variables. They can either be time-varying, as in the case of a fuel tank, or change instantaneously, which is more likely the case with a structural failure.
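The instantaneous mass and inertia change for the wing-loss case, worked through as an added example (not Claytex code): the body is assembled from rigid parts, and the total mass, centre of mass and inertia tensor are recomputed from whichever parts are still attached, giving the 6×6 matrix a VariableMassInertia-style body could be fed before and after the loss. It also shows the variable gain on a lift or drag output described in the paragraph above. The airframe parts, their masses and positions are constructed values; the block-diagonal form of the matrix (mass block and inertia block about the centre of mass) is an assumption, since the post does not reproduce the constraint it refers to.

```python
"""Instantaneous mass and inertia change when a component detaches.

Added example, not Claytex code: it assembles the rigid-body 6x6 mass matrix
that a VariableMassInertia-style body could be fed, from the parts still
attached, so the matrix can be switched the instant a part is lost. The
airframe parts, their masses and positions are constructed values, and the
block-diagonal (about the centre of mass) form of the matrix is an assumption.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

Vec = Tuple[float, float, float]
Mat = List[List[float]]


@dataclass(frozen=True)
class Part:
    name: str
    mass: float
    position: Vec   # part centre of mass in the body reference frame
    inertia: Vec    # principal inertia about the part's own CoM (xx, yy, zz)


def _inertia_about(part: Part, point: Vec) -> Mat:
    """Part inertia tensor about an arbitrary point (parallel axis theorem)."""
    d = [p - c for p, c in zip(part.position, point)]
    d2 = sum(x * x for x in d)
    J = [[0.0] * 3 for _ in range(3)]
    for i in range(3):
        for j in range(3):
            own = part.inertia[i] if i == j else 0.0
            shift = part.mass * ((d2 if i == j else 0.0) - d[i] * d[j])
            J[i][j] = own + shift
    return J


def aggregate(parts: Sequence[Part]) -> Tuple[float, Vec, Mat]:
    """Total mass, centre of mass and inertia tensor about that CoM."""
    m = sum(p.mass for p in parts)
    com = tuple(sum(p.mass * p.position[k] for p in parts) / m for k in range(3))
    J = [[0.0] * 3 for _ in range(3)]
    for p in parts:
        Jp = _inertia_about(p, com)
        for i in range(3):
            for j in range(3):
                J[i][j] += Jp[i][j]
    return m, com, J


def mass_matrix(m: float, J: Mat) -> Mat:
    """6x6 mass matrix: translational block m*I3, rotational block J."""
    M = [[0.0] * 6 for _ in range(6)]
    for i in range(3):
        M[i][i] = m
        for j in range(3):
            M[3 + i][3 + j] = J[i][j]
    return M


def failure_gain(activate_failure: bool, fraction_lost: float) -> float:
    """Variable gain on a lift or drag output: 1 while healthy, reduced by
    the proportion of the surface lost once the failure is active."""
    return 1.0 - fraction_lost if activate_failure else 1.0


# Constructed airframe: fuselage plus two wings 4 m either side of centre.
FUSELAGE = Part("fuselage", 300.0, (0.0, 0.0, 0.0), (10.0, 50.0, 55.0))
LEFT_WING = Part("left_wing", 20.0, (0.0, -4.0, 0.0), (30.0, 1.0, 30.0))
RIGHT_WING = Part("right_wing", 20.0, (0.0, 4.0, 0.0), (30.0, 1.0, 30.0))


def airframe(left_wing_attached: bool) -> Tuple[float, Vec, Mat]:
    """Body state before (True) or after (False) the left wing falls off."""
    parts = [FUSELAGE, RIGHT_WING] + ([LEFT_WING] if left_wing_attached else [])
    return aggregate(parts)


if __name__ == "__main__":
    for attached in (True, False):
        m, com, J = airframe(attached)
        print(f"left wing attached={attached}: m={m}, com={com}, "
              f"Jxx={J[0][0]}, Jyy={J[1][1]}, Jzz={J[2][2]}")
        print("  mass matrix diagonal:", [mass_matrix(m, J)[i][i] for i in range(6)])
```

Losing the wing does more than subtract its mass and inertia: the centre of mass shifts towards the remaining wing, so the fuselage and the other wing acquire parallel-axis terms about the new centre, and the roll and yaw inertia drop by considerably more than the wing's own values. Computing the matrix from the attached parts, rather than editing individual entries, keeps those effects consistent.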

In the case below, as you may be able to notice, the leftmost engine falls off a few seconds into the flight. While the controller is able to respond to the loss, the aircraft still starts to drift laterally.

Motor/Actuator Failure

The final failure type we are going to look at is a motor or actuator failure, which again can come in multiple forms. Depending on the system, the failure could cause several types of effect. In a similar manner to the Control Failure, this can either reduce or increase the freedom of the actuator or motor.

If the freedom of the system is to be increased, such that the system becomes uncontrolled, then it is important that the system model is of sufficient fidelity to respond correctly to the release of control. Depending on the type of failure experienced, the same higher level of fidelity would be required if freedom is restricted.

This may limit the application of failures to force-actuated models, rather than position- or speed-actuated ones. Let's look at two examples:

  • An electric motor fails such that the output can rotate freely. In this case a speed-actuated model would be problematic, as once the failure occurs the speed actuator would either need a physical disconnect or the output would not be able to spin "freely". A torque-driven or electrically driven motor model would be more realistic here.
  • Secondly, consider a hydraulic actuator with a failure that prevents the actuator changing length. In this case using a position actuator would be fine, with a latch on the input as seen in the Control Failure section.
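The first example above, a motor whose output spins freely after the failure, as an added simulation (not Claytex or UAVDynamics code): the rotor is torque-driven, J·dω/dt = τ − b·ω, with a PI speed controller acting through torque, so when the failure releases the motor torque the output coasts down on the plant's own dynamics. A speed-actuated model has no such state to fall back on, which is the post's point. All parameter values and function names are constructed; the second example (the latched hydraulic actuator) uses the same latch as the Control Failure section and is not repeated here.

```python
"""Torque-driven motor with a free-spinning (released) failure.

Added example, not Claytex code. The post argues that a motor which can spin
freely after failure needs a torque- or electrically-driven model rather than
a speed-actuated one. This simulates a rotor J*dw/dt = tau - b*w driven by a
PI speed controller acting through torque; when the failure is activated the
motor torque is released and the output coasts down on its own dynamics.
All parameter values are constructed.
"""
from typing import List, Tuple

Sample = Tuple[float, float, float]  # (time s, speed rad/s, motor torque Nm)


def simulate_torque_motor(w_ref: float, t_fail: float, t_end: float = 4.0,
                          dt: float = 0.001, J: float = 0.01, b: float = 0.02,
                          tau_max: float = 2.0, kp: float = 0.5,
                          ki: float = 5.0) -> List[Sample]:
    """Forward-Euler simulation; the failure (torque released) is active
    from t_fail onwards. Returns the full (t, w, tau) trace."""
    w = 0.0        # rotor speed
    integ = 0.0    # PI integrator state
    trace: List[Sample] = []
    for k in range(int(round(t_end / dt))):
        t = k * dt
        if t >= t_fail:
            tau = 0.0  # drive lost: no torque, the rotor is free to spin
        else:
            err = w_ref - w
            integ += err * dt
            # Anti-windup: keep the integral contribution within torque limits.
            integ = max(-tau_max / ki, min(tau_max / ki, integ))
            tau = max(-tau_max, min(tau_max, kp * err + ki * integ))
        # Plant dynamics: viscous friction is what decelerates the free rotor.
        w += dt * (tau - b * w) / J
        trace.append((t, w, tau))
    return trace


def speed_at(trace: List[Sample], t: float) -> float:
    """Speed of the sample closest to time t."""
    return min(trace, key=lambda s: abs(s[0] - t))[1]


def torque_at(trace: List[Sample], t: float) -> float:
    """Motor torque of the sample closest to time t."""
    return min(trace, key=lambda s: abs(s[0] - t))[2]


if __name__ == "__main__":
    trace = simulate_torque_motor(w_ref=50.0, t_fail=2.0)
    for t in (0.5, 1.0, 1.99, 2.5, 3.0, 3.99):
        print(f"t={t:4.2f}s  w={speed_at(trace, t):7.3f} rad/s  "
              f"tau={torque_at(trace, t):5.3f} Nm")
```

Before the failure the integral action holds the rotor at the demanded speed; after it, the torque is zero and the speed decays with time constant J/b, which is exactly the behaviour a speed-actuated model cannot produce without a separate disconnect and its own coast-down model.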


These kinds of failures have been built into the UAVDynamics models, such that a wide array of failures can be expressed, using Modelica inner/outer attributes to control failures in the lift surfaces, propellers and motors.

Below is the top level of an experiment, with the failures block highlighted in the bottom left corner.

Written by: David Briant – Senior Project Engineer

Please get in touch if you have any questions or have got a topic in mind that you would like us to write about. You can submit your questions / topics via: Tech Blog Questions / Topic Suggestion.


© Copyright 2010-2024 Claytex Services Ltd All Rights Reserved