Detecting controller malfunctions in electromagnetic environments. I. Modeling and estimation of nominal system function

A strategy for detecting control law calculation errors in critical flight control computers during laboratory validation testing is presented. This paper addresses part I of the detection strategy which involves the use of modeling of the aircraft control laws and the design of Kalman filters to predict the correct control commands.


Introduction
Verifying the integrity of control computers operating in harsh electromagnetic environments is a key issue in the development, certification, and operation of control systems performing flight critical functions for future transport aircraft. Flight-critical systems with high reliability specifications will be required on future commercial aircraft for critical functions such as stability augmentation, flutter suppression, and guidance and control. Since these systems are used in critical control applications, the problem of verifying the functional integrity of the control computer in adverse as well as nominal operating environments becomes a key issue. An adverse operating environment of particular concern for critical aircraft systems is the electromagnetic environment (EME) caused by sources such as lightning, high-intensity radiated fields (HIRF) associated with radar and radio frequency (RF) transmitters, personal electronic devices carried onto the aircraft by passengers, electromagnetic interference and incompatibilities of onboard equipment, onboard or ground-based terrorists using RF weapons, and erroneous ground-based or airborne military activities in which tracking radars lock onto a commercial transport.
The failure phenomena associated with electromagnetically induced transient signals that ultimately affect performance and reliability of a digital system are collectively known as digital system upset. The occurrence of digital system upset in critical flight systems can cause catastrophic deviations from the flight path of the aircraft that compromise safe flight [1]. Upset phenomena 123 can interfere with normal operation of the processors within a control computer and result in degraded performance and reliability at the closed-loop system level. Since there are numerous error modes that can occur in a digital controller, it is impractical to determine and model each of the failure modes and then design a corresponding detector. The most practical strategy is to model the nominal function of the controller and detect when it is not performing nominally.
One attribute that defines the functional integrity of the control computer is the correctness of the control law calculation. A strategy has been developed for detecting control law calculation errors in critical control computers during laboratory validation testing. The detection strategy involves the use of a Kalman filter to predict the correct control command, and a statistical decision rule to determine if the computer's command calculation is correct. Design of the Kalman filter requires that the control law calculation be modeled as a linear stochastic state equation.
A model-based monitoring scheme has been chosen for the formulation of the design problem because it is desired to have the capability of analytically determining the performance of the detector. The model developed must depict the dynamic variation in the control commands that occur over the flight condition of interest, the stochastic variation that occurs when the aircraft is subjected to atmospheric disturbances and when the measurements are noisy, and the uncertainty associated with the tracking of the aircraft for each flight. Previous work on detecting computer upset includes a processor-level scheme [3], as well as a systems-level scheme [4,5]. The monitor presented in [4,5] is based on linear state space models and was demonstrated on the longitudinal control laws of a simulated B737 Autoland control computer. The work in this paper uses an improved simulator, models three control laws, and validates the estimation process by checking the model on fifty simulations. This paper presents the modeling and estimation required to generate the nominal control commands necessary for the proper functioning of the malfunction detector. This problem is motivated by the need for having a detection scheme for application to a laboratory set-up for testing an N-redundant fault tolerant control computer. This paper addresses the modeling of the control command and the design of a Kalman filter for state estimation. This process will be demonstrated for the elevator, throttle, and aileron control laws of a Boeing 737 (B737) Autoland control system for landing the aircraft in light clear air turbulence. The flight data to be used in this work is generated by a B737 Autoland simulator. The formulation for the problem is presented in Section 2, the modeling and Kalman filter design strategies are presented in Section 3, and examples of the strategies as applied to simulated data are presented in Section 4.
U.S. Government work not protected by U.S. copyright.

Problem Formulation
The objective of the laboratory set-up is to determine the susceptibility of the fault tolerant controller to upset caused by high-intensity radiated fields (HIRF). The primary elements in the laboratory test set-up are: the fault tolerant controller, the simulation of the aircraft, engines, sensors, and actuators, the HIRF test chamber, and the control law calculation malfunction detector. Malfunctions in control law calculations result when the basic mathematical operations of the processor are performed incorrectly. The controller is interfaced to a simulation of the aircraft, engines, sensors, and actuators in order to assure the operating environment of the controller during testing.
The controller with N processors is placed inside the HIRF test chamber and subjected to disturbances that could occur from radars or high-power radio transmitters.
The controller is monitored by the upset detector during testing to determine if any of the disturbances causes a controller upset. Electrical isolation of electromagnetic disturbances inside the HIRF test chamber is achieved using fiber optics. The processors in the redundant controller are typically asynchronous or loosely synchronized. The sensor signals that are input to each processor are generated by the plant simulation. It is assumed that each processor calculates all control laws, and that the control laws of each processor are identical and are implemented with the same software. Therefore, one set of models for the control law calculations will be developed. This set of models will be applicable to each processor. The strategy which has been developed for detecting control law calculation errors in a critical control computer on-line during EME testing is shown in Figure 1. The system parameters must first be calculated. The Kalman filter is then designed to generate an on-line prediction of the correct system-level calculation. Use of the Kalman filter allows the detector to be designed independently of the equations, logic, and software implementation in the control computer. It is the function of the upset detector to determine whether or not the control law calculation is correct. The detector calculates the difference between the predicted command from the filter and the control law command from the control computer under test, and uses a statistical decision rule to determine the significance of the difference. It then makes a determination as to whether or not the control command calculation is correct. This paper considers the Model Generator and Kalman Filter blocks in Figure 1. In this paper, bold variables indicate vectors or matrices, and the superscript T represents matrix transpose. One time step corresponds to one data frame of the controller in which all control laws are calculated.
The measurement matrix H(k) is one-dimensional and will be unity since the control law calculation is defined as the state variable and can therefore be measured directly. The process noise and measurement noise sequences are assumed to be independent, zero-mean Gaussian, and white. The deterministic quantities that must be evaluated for the Kalman filter design are the state transition matrix F(k) and the input matrix G(k). The stochastic quantities that must be determined for the Kalman filter design are the process noise scaling matrix Q(k), the process noise covariance Q(k), and the measurement noise covariance R(k). Since the control law calculation in the flight control computer is not implemented in the form of equations (1) and (2), obtaining the parameter matrices associated with the state model results in a parameter identification problem. Parameter identification methods and algorithms have been widely available in the literature for many years. In this paper a least-squares regression will be used to yield a good approximation to the correct control law calculation. The deterministic quantities of the model, namely state transition matrix F(k) and input matrix G(k), are obtained using the least-squares estimation. More sophisticated parameter identification methods may be employed in future work as necessary to improve performance of the detector.

Model
Section 3 presents the method used to generate system parameters of the model that are required in the Kalman filter. Section 4 contains examples of modeling and estimation strategies using these methods for the elevator, throttle, and aileron commands of a B737 Autoland control system simulation. Since the control laws are decoupled in the B737 Autoland, it is assumed that these commands can be modeled separately.

Modeling and Kalman Filter Design
A design strategy that uses least-squares regression to generate model parameters for the design of Kalman filters is shown in this section. The initial state equation is modeled in continuous time and then discretized to reflect the command cycle time of the control computer under test. Evaluation of alternative control computers could, therefore, be accomplished by discretizing the continuous-time calculation models to reflect the corresponding command cycle times. For simplicity, it is assumed that the model is time-invariant over an interval of interest. The general form of the continuous-time deterministic time-invariant model assumed for the control law calculation of the control computer over the interval of interest is:
where:
x(t) = control command for continuous-time model
ẋ(t) = time derivative of the control command
u(t) = input vector to the computer
A = system matrix
B = input matrix for continuous-time model
Data values for the control command and input vector are obtained from a B737 computer simulation. The parameters A and B can be determined using the least-squares estimation [7], which is given by:
The vector X is the regression vector, and θ is the parameter vector that contains the model parameter A as its first element and B as the vector of remaining elements. The discrete model is obtained from the continuous model using a sampling time that corresponds to the time increment between data points, associated with the command cycle of the control computer. The form of the discrete model is:
x(k + 1) = Fx(k) + Gu(k) (5)
where x(k) is the control command for the discrete-time model and u(k) is the corresponding input vector.
Once the deterministic elements, F and G, are determined, the Kalman filter can be designed for estimating the command generated by the critical control computer. The stochastic elements of the Kalman filter equations are determined using modeling error information. The modeling error is calculated to be the difference between the command specified by the model in equation 5 and the actual command generated by the simulation at each frame.

Example: Design for B737 Autoland Control Laws
A B737 SIMULINK Autoland Simulator was used to generate the data used in these examples. Each simulation run consisted of the landing of the aircraft in light clear air turbulence (wind gust intensities of two feet/second) [4]. Each landing has the same initial conditions, with a wind velocity of twenty knots from a 45 degree NE direction.
Plots of the control commands from a single simulation run are shown in Figures 2-4. The irregularity in the command plots is caused by compensation for the clear air turbulence to which the aircraft is subjected. For a given simulation run, data was saved every frame during the landing from glideslope engaged until flare. For each of the three control laws (elevator, throttle, and aileron), the data saved at each frame for a single run consists of the control command value in degrees, and the values of the inputs to the calculation of that control command. The inputs to each of the control command calculations are listed in Table 1. Data for each of the three control laws was saved for fifty different simulation runs. Since the algorithms and methods used to create a mathematical model and design a Kalman filter are identical for each of the control laws, the generic process used is described here, and the results for each of the control laws are shown separately below.
The data from the first run was arbitrarily used to calculate the model parameters. Using the least-squares regression given by equation 4 on the entire data set for the first run, F and G values were determined. The sampling time for the discrete models was 50 ms to agree with the data frame rate of the simulation which generated the data. In the case of all three control laws, the least-squares regression applied to the complete data set from glideslope to flare did not yield a single acceptable model that accurately generated the command as calculated by the simulator. Thus for each control command, the entire block of data was divided into sub-blocks, and a separate set of model parameters was calculated for each sub-block, the result being a set of sub-models for each control command. From this point on in the discussion, it is understood that for each control law, there is actually a set of sub-models, and a separate value for the system parameters, F and G, for each sub-model.
The model command then was calculated for each frame of every run. The model command is the control command calculated according to equation 5, using the calculated model parameters and the simulator input values. The model error, which is the difference between the control command generated by the simulator and the model command, was then calculated. For each run, the variance of the model error was calculated. For the design of the Kalman filter, the covariance of the process noise Q was set equal to the mean of the model error variance over the fifty runs. Since it is assumed that the measurement error will be small, the measurement noise covariance R was set equal to QxlO.'. Note that there is a distinct Q and R calculated for each sub-model.
The value for C2 was set equal to one in all cases. The initial state for the Kalman filter was set to the trim value for the control command, and the initial covariance was set equal to one. The throttle generated six sub-models; the sub-model parameters, F and G, and process noise covariance, Q, for the throttle are shown in Tables 2 and 3, respectively.
Next a Kalman filter was applied to the data in each of the fifty runs in order to estimate the control command value. The estimation error was calculated for each frame for each run as the difference between the value estimated by the filter and the control command value generated by the simulator. Next the mean and variance of the estimation error were calculated for each of the fifty runs; the fifty points representing those values are shown in Figures 5-7. Each scatter plot contains one point represented by a triangle rather than an asterisk. That point is considered to be a worst case run because it contained either the largest mean or the largest variance for the estimation error. Plots of the estimation error over    Figures 8-10, respectively. The maximum absolute mean, variance, and absolute estimation error for each control command over all fifty runs are shown in Table 4.
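The design procedure described in this section, as an added example that is not code from the paper: F and G are fitted by least squares on a first run, Q is the mean model-error variance over several runs, and a scalar Kalman filter with H = 1 produces the one-step-ahead residual that a malfunction detector would examine. Assumptions: the data is a constructed first-order system with a scalar input standing in for the B737 simulator, the discrete form of equation 5 is fitted directly on a single block (no continuous-time step, no sub-models), and the R/Q ratio, the injected error and the threshold of 16 on the normalized squared residual are illustrative values, not the paper's.

```python
import math
import random

def simulate(seed, n=400, F=0.95, G=0.2, sigma=0.02):
    """Constructed stand-in for one simulator run: command x and scalar input u."""
    rng = random.Random(seed)
    u = [math.sin(0.05 * k) + rng.gauss(0, 0.3) for k in range(n)]
    x = [0.0]  # constructed trim value
    for k in range(n - 1):
        x.append(F * x[k] + G * u[k] + rng.gauss(0, sigma))
    return x, u

def fit_fg(x, u):
    """Least-squares F, G for x(k+1) = F*x(k) + G*u(k) (2x2 normal equations)."""
    xs, us, ys = x[:-1], u[:-1], x[1:]
    sxx = sum(a * a for a in xs)
    sxu = sum(a * b for a, b in zip(xs, us))
    suu = sum(b * b for b in us)
    sxy = sum(a * y for a, y in zip(xs, ys))
    suy = sum(b * y for b, y in zip(us, ys))
    det = sxx * suu - sxu * sxu
    return (sxy * suu - suy * sxu) / det, (suy * sxx - sxy * sxu) / det

def model_error_variance(x, u, F, G):
    """Variance of (simulated command - model command) over one run."""
    err = [x[k + 1] - (F * x[k] + G * u[k]) for k in range(len(x) - 1)]
    mean = sum(err) / len(err)
    return sum((e - mean) ** 2 for e in err) / len(err)

def residuals(z, u, F, G, Q, R, x0, P0=1.0):
    """Scalar Kalman filter, H = 1: (residual, innovation variance) per frame."""
    x_est, P, out = x0, P0, []
    for k in range(1, len(z)):
        x_pred = F * x_est + G * u[k - 1]      # one-step-ahead prediction
        P_pred = F * P * F + Q
        S = P_pred + R
        r = z[k] - x_pred                      # command under test minus prediction
        out.append((r, S))
        gain = P_pred / S
        x_est, P = x_pred + gain * r, (1 - gain) * P_pred
    return out

def demo():
    F, G = fit_fg(*simulate(1))                # first run fits the model
    runs = [simulate(s) for s in range(1, 11)]
    Q = sum(model_error_variance(x, u, F, G) for x, u in runs) / len(runs)
    R = Q * 1e-3                               # assumed small ratio, not the paper's value
    z, u = simulate(99)
    z[200] += 1.0                              # constructed calculation error at frame 200
    res = residuals(z, u, F, G, Q, R, x0=z[0])
    flagged = [k + 1 for k, (r, S) in enumerate(res) if r * r / S > 16.0]
    return F, G, Q, flagged

if __name__ == "__main__":
    print(demo())
```

Because R is much smaller than Q, the filter follows the corrupted command closely, so the frame after the injected error is also flagged when the command returns to its nominal value.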

Conclusions and Future Work
A very simple method for modeling and Kalman filter design has been developed to estimate correct control law calculations in a flight control computer. The estimates are for use in detecting control law calculation errors during tests when the computer is subjected to disturbances caused by electromagnetic fields. The modeling method involves the use of least-squares estimation to obtain model parameters for the control command. Modeling errors are corrected in the Kalman filter estimates by representing the modeling error as process noise in the filter design. The method was demonstrated by developing models and Kalman filter designs for the elevator, throttle, and aileron control laws of a B737 Autoland control system for the light clear air turbulence case.
The one-step-ahead Kalman filter predictions of the elevator, throttle, and aileron commands yielded worst case estimation errors as shown in Table 4. Future plans include the refinement and revision of the modeling and state estimation techniques based partly on the results of tests of the detection monitor which makes use of the models and Kalman filters generated using the methods described above. It is anticipated that this strategy may be applied to the cases of medium and heavy clear air turbulence, and also to data generated by an actual flight control computer.

Acknowledgments
The author wishes to acknowledge the support and technical guidance of Dr. Celeste M. Belcastro, NASA Langley Research Center HIRF project team leader. She also wishes to acknowledge Edward Hogge of Lockheed Martin for developing the B737 Simulator which was used to generate the data for this work.