Abstract

During the climb flight of big passenger airplanes, the airplane’s vertical movement, i.e. its pitch angle, results from the elevator deflection angle chosen by the pilot. If the pitch angle becomes too large, the airplane is in danger of an airflow disruption at the wings, which can cause the airplane to crash. In some airplanes, the pilot is assisted by software whose task is to prevent airflow disruptions. When the pitch angle becomes greater than a certain threshold, the software overrides the pilot’s decisions with respect to the elevator deflection angle and enforces presumably safe values. While the assistance software can help to prevent human failures, the software itself is also prone to errors and is, generally, a risk to be assessed carefully. For example, if software designers have forgotten that sensors might yield wrong data, the software might cause the pitch angle to become negative. Consequently, the airplane loses height and can, eventually, crash.

In this paper, we provide an executable model written in Matlab/Simulink® for the control system of a passenger airplane. Our model also takes into account the software assisting the pilot to prevent airflow disruptions. When simulating the climb flight using our model, it is easy to see that the airplane might lose height in case the data provided by the pitch angle sensor are wrong. For the opposite case of correct sensor data, the simulation suggests that the control system works correctly and is able to prevent airflow disruptions effectively.

The simulation, however, is not a guarantee for the control system to be safe. For this reason, we translate the Matlab/Simulink® model into a hybrid program (HP), i.e. into the input syntax of the theorem prover KeYmaera. This paves the way to formally verify safety properties of control systems modelled in Matlab/Simulink®. As an additional contribution of this paper, we discuss the current limitations of our transformation. For example, it turns out that simple proportional (P) controllers can be easily represented by HP programs, but more advanced PD (proportional-derivative) or PID (proportional-integral-derivative) controllers can be represented as HP programs only in exceptional cases.
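The failure mode described in the abstract, as an added Python sketch that is not the paper's Matlab/Simulink® model: a P-controller override on a constructed first-order pitch model, run once with a correct pitch sensor and once with a constant sensor offset. The dynamics, all constants and all function names are assumptions made for illustration.

```python
# Toy pitch model. Every constant below is constructed for illustration
# and is not taken from the paper's Simulink model.
K_PITCH = 0.5        # deg/s of pitch rate per deg of elevator deflection
THETA_LIMIT = 15.0   # deg: the assistance software overrides above this
THETA_SAFE = 10.0    # deg: pitch angle the override steers toward
KP = 0.5             # gain of the proportional (P) override controller
DELTA_MAX = 5.0      # deg: elevator deflection saturation
DT, T_END = 0.01, 20.0


def assist(theta_measured, delta_pilot):
    """Return the elevator deflection actually applied.

    The override trusts theta_measured unconditionally; that missing
    plausibility check is the design flaw the abstract describes.
    """
    if theta_measured > THETA_LIMIT:
        delta = -KP * (theta_measured - THETA_SAFE)
        return max(-DELTA_MAX, min(DELTA_MAX, delta))
    return delta_pilot


def correct_sensor(theta):
    return theta


def offset_sensor(theta):
    return theta + 20.0   # constructed fault: reading is 20 deg too high


def simulate(sensor, delta_pilot=4.0, theta0=5.0):
    """Euler-integrate the climb; return (min, max) of the true pitch angle."""
    theta = lo = hi = theta0
    for _ in range(int(T_END / DT)):
        delta = assist(sensor(theta), delta_pilot)
        theta += K_PITCH * delta * DT
        lo, hi = min(lo, theta), max(hi, theta)
    return lo, hi


if __name__ == "__main__":
    for name, sensor in (("correct", correct_sensor), ("offset", offset_sensor)):
        lo, hi = simulate(sensor)
        verdict = "holds" if lo > 0 else "VIOLATED"
        print(f"{name:8s} min={lo:7.2f} max={hi:6.2f}  theta > 0 {verdict}")
```

With the correct sensor the true pitch angle settles just around the limit and stays positive; with the offset the override keeps pushing the nose down until the faulty reading drops below the limit, by which point the true pitch angle is negative. As the abstract notes, a run like this only suggests behaviour for the inputs tried and is not a proof of the safety property.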

Highlights

  • During the climb flight of big passenger airplanes, the airplane’s vertical movement, i.e. its pitch angle, results from the elevator deflection angle chosen by the pilot

  • We provide an executable model written in Matlab/Simulink® for the control system of a passenger airplane

  • The correct behaviour means that pitch angle θ remains always positive


Summary

Flight Control Model of Longitudinal Motion

For a complete description of the airplane motion in three-dimensional space, six variables are needed that denote the degrees of freedom of a rigid body [1]. The airplane motion is calculable by six nonlinear ordinary differential equations (ODEs) of these variables. Under certain assumptions, the ODEs can be decoupled and linearized into longitudinal and lateral equations. It is common practice to describe the longitudinal motion by a third order state space model [1], [2]:. Based on the assumption that the airplane is in steady-cruise at constant velocity, the longitudinal equations of motion for the airplane in state space form $\dot{x} = f(x, u)$ with the state vector given in (1) and the input $u := \delta$ can be written as α. Based on the above assumptions, the dynamics of the airplane around a stationary operating point $p_c = (\alpha_c, q_c, \theta_c, \delta_c)$ for an equilibrium flight speed is obtained by Taylor linearization of $f(x, u)$

Description of the designed structure
System analysis by simulation
Assuming correct sensor measuring for θ
Assuming incorrect sensor measuring for θ
Logical Analysis of Flight Control Models
KeYmaera
Flight model as KeYmaera-input
Proof task for correct behaviour
Lessons Learned
Related Work
Conclusion