Abstract

The mission processes of large-scale systems and the interactions within them are becoming more complex with increasing integration and intelligence, and the complex interactions among multiple factors, such as the unsafe behavior of personnel, equipment failures, and environmental interference, make safety analysis a greater challenge. Aimed at the safety of carrier aircraft, an integrated system modeling and safety analysis method for the aircraft landing process was proposed based on the System Modeling Language (SysML) and Simulink. First, the SysML models were built according to the analysis of the mission process, including system structure and behavior process, using multiple diagrams. Second, the SysML models were transformed into and integrated with the Simulink platform to build entity models with continuous dynamic characteristics and to perform safety analysis through simulation. Finally, an example of aircraft attitude control during landing was given to demonstrate the proposed method, and the safety states were analyzed and assessed under different disturbance conditions.

1. Introduction

The complexity of large-scale industrial systems, such as aircraft, has rapidly increased in recent years because of the integration of and interactions among their multiple subsystems, which brings new challenges to reliability analysis and safety assessment. There are some classical techniques to evaluate the safety of a system, including failure modes, effects, and criticality analysis (FMECA), hazard and operability analysis (HAZOP), and fault tree analysis (FTA). Although they have shown the ability to support safety analysis in many domains, these classical methods, which depend on the event chain model, may oversimplify the causal relationships and accident processes [1]. In addition, many of these reliability and/or safety analyses are performed mainly on the basis of the experience of safety engineers, which is error prone and time-consuming, and some potential hazards may not be effectively addressed or analyzed. Hence, it is difficult for them to meet the requirements of large-scale complex systems.

Modeling and simulation can provide a more detailed description of performance characteristics, including the component interactions and behavioral processes of complex systems [2–4]. Hence, methods based on these techniques can better satisfy the demands of modern systems and provide a more practical and intuitive result. Many researchers have focused on the modeling of the man-machine system (MMS) because it is the core of the behavioral processes of complex industrial systems, including the human and equipment factors [5–7]. At the same time, model-based safety analysis (MBSA) has become one of the mainstream technologies to address the safety modeling and simulation of modern large-scale systems [8]. In the field of MBSA, different modeling tools and modeling languages, such as SPIN and NuSMV, are chosen to conduct the modeling to meet different requirements [1, 9]. Some MBSA frameworks and data management techniques are designed to simplify the interactions between system engineering activities and reliability studies [10]. In addition, many kinds of modeling languages, such as AltaRica, Architecture Analysis and Design Language (AADL), Embedded Automotive System Technology-Architecture Description Language (EAST-ADL), and the Unified Modeling Language (UML), have been adopted and/or developed to support the study of MBSA. Compared with EAST-ADL and AADL, UML has been used much more widely for systems engineering. In UML, graphical notations are adopted to capture system requirements and to support system design and analysis, which can formalize and validate the specification of the system. Nevertheless, UML suffers from overly software-oriented semantics and lacks modeling support for concrete physical systems [11].

SysML is an extension of UML to support the design and analysis of hardware. It inherits the advantages of UML and supports the integration of a high-level model of a physical system [12]. Moreover, it provides a method to visualize and specify both the static and dynamic aspects of the system [13]. There are 9 diagrams defined in SysML, which can be used to represent different characteristics of a system, so SysML can provide a comprehensive hierarchical description of the system with an appropriate subset of diagrams [14]. Generally speaking, SysML has the following advantages: (1) it supports modeling of complex physical systems; (2) it models systems from both structural and behavioral perspectives and provides a more comprehensive description of the system than other modeling languages; and (3) the SysML model is reusable and can be integrated with other modeling languages.

Since SysML was proposed, it has been applied in many fields and continuously developed, and the application can be generally divided into two categories. One is to use the SysML model to assist traditional safety analysis (e.g., FTA and FMEA) based on model checking, which belongs to indirect safety analysis. The other is to directly apply the SysML model to simulate system mission and/or behavior process and state change.

For the former, the related studies mainly focus on how to generate safety artifacts or minimal cut sets that violate specific properties from the SysML model, and traditional FTA and FMEA can be supported by SysML models [15, 16]. A semiformal modeling approach based on SysML was proposed to capture and structure safety requirements, and the safety properties were verified by model-checking techniques [17]. These methods can realize automatic or semiautomatic safety analysis and improve efficiency, but it is difficult for them to analyze the influence of the complex interactions and dynamic characteristics of the system. For the direct approaches, the studies include how to model the system mission and/or behavior process and conduct safety simulation of hazardous scenarios through SysML, and the interaction between discrete behaviors and the logical behavior of the fault protection function can be described and analyzed [18, 19]. The concept of integrating fault models into system models using SysML was introduced to support functional safety testing [20]. These methods mainly obtain the safety models through the decomposition of system behavior and the description of the sequential logic. However, the behavior model in SysML is intended to describe design information, so it is difficult to represent in a SysML model the detailed execution information required for simulation and the continuous characteristics of the components. In addition, methods based on SysML alone cannot directly enable quantitative modeling and performance simulation based on a mathematical model.

Some researchers have combined SysML with other modeling tools to address the problem of quantitative modeling and simulation, among which the combination of SysML and Simulink is a typical solution. The Simulink platform has been extensively used in many fields to simulate discrete and continuous elements, especially for flight safety [21, 22]. The integration or transformation of SysML and Simulink has been studied through cosimulation methods and extensible modules in Simulink [23–25]. A formal approach for modeling continuous systems based on language mapping between SysML and Modelica has also been introduced [26]. However, most of these studies focused on the transformation rules for specific modules, and few consider the overall structure of the human-machine-environment system and its interactions, which may lead to an incomplete transferred model or to critical safety factors being ignored. Besides, the safety state during the system mission is not described in detail.

In the practice of the safety field, the flight process, especially takeoff and landing, is usually regarded as a focus of attention. As a typical complex process, flight safety during takeoff and landing is affected by various factors, including equipment state, control and communication, and environmental effects. Currently, the MBSA framework has been introduced into the safety analysis of aircraft, and different modeling languages and software have been applied to evaluate the safety of aircraft systems or airborne equipment [27, 28]. On the other hand, flight safety is also affected by human [29] and environmental states [30], and it is necessary to study flight safety from an integrated perspective combining the man-machine system with environmental influence, especially for carrier aircraft, whose flight process is more dangerous because of the impact of multiple factors.

The safety analysis of the landing process mainly includes simulation based on the dynamic model of the aircraft and evaluation according to flight data. The main purpose of constructing the aircraft dynamic model is to simulate the movement of the aircraft in its surrounding environment, so as to analyze the safety of the landing process [31, 32]. At present, however, it is difficult to establish a comprehensive model that contains all the influencing factors, and the effect of the missing factors and their interactions may be ignored. Therefore, many studies have tried to quantitatively model the relationship between flight safety and landing parameters to evaluate the landing process. The landing parameters or landing data and other coupling factors related to carrier aircraft characteristics were evaluated to assist in the analysis of the landing safety envelope [33–35]. Nevertheless, these methods need to handle a large number of parameters that are not easy to acquire in some cases. Moreover, these studies precisely defined the landing process, but the man-machine system in the landing is not detailed enough. Due to the influence of different factors such as human, aircraft, and environment and their interactions, there are still large uncertainties in the change of the aircraft's safety state during the landing process.

Aimed at the above challenges, this study proposes a safety analysis framework integrating a conceptual model and an entity model, based on the authors’ previous work [36]. The proposed framework improves the capability of behavior process modeling and system safety evaluation based on SysML and Simulink, thus providing a feasible and efficient method for the safety analysis of the landing process. Different from other safety analysis methods, it emphasizes the modeling of the system hierarchy and the interactions between different components, and it provides a standardized method for behavioral process modeling. This study directly uses elements in SysML to define and construct the evolution path of the safety state, which intuitively represents the change in safety state and keeps modeling and evaluation consistent. Moreover, because a universal modeling language is used, the built model is easy to adjust and reuse, which improves analysis efficiency.

The rest of the study is organized as follows. A safety-oriented process modeling and analysis method is introduced in Section 2. Then, the formal process modeling based on SysML is proposed in Section 3. Section 4 details the integration of SysML and Simulink, and the entity modeling of the aircraft, personnel control, and environmental subsystems based on Simulink is also presented. Section 5 takes aircraft attitude control as an example to illustrate the simulation model and safety analysis. Finally, this study is concluded in Section 6.

2. An Integrated Method of System Process Modeling and Safety Analysis

An integrated method of process modeling and safety analysis is proposed in this study, whose main process is shown in Figure 1. This method mainly includes four steps. First, based on the analysis of the mission process, the system is described from the perspectives of structure and behavior, respectively, and the hierarchical structure of the system and the mission process are decomposed to identify components or entities and their behaviors. Second, using different diagrams in SysML, the safety-oriented conceptual models of the identified entities and their behaviors are constructed in two dimensions, i.e., object and process. The process dimension represents the dynamic evolution process during the mission, while the models of the object dimension, including the machine and personnel control models and the environmental factors, are transformed and integrated into the Simulink platform to support quantitative analysis. Finally, the state changes in the system are analyzed and the safety assessment is performed through simulation based on these models.

Combined with the safety objectives and requirements, the safety states of the system can be determined, and then these states and their changes are described in the conceptual models in SysML, so the models can be used to support qualitative safety analysis and to identify the evolution process of hazards in the mission. Quantitative analysis requires simulation on the Simulink platform. According to the safety requirements, one or more state parameters can be defined as safety indicators, and the safety boundary can also be determined. Furthermore, the disturbance of risk influence factors on the system is abstracted in the model. Through the simulation integrating SysML and Simulink, the dynamic process of the system states can be analyzed to assess the risk of the system mission.

3. The Formal Behavior Process Modeling Based on SysML

3.1. Brief Introduction to SysML

SysML, as a typical tool of model-based systems engineering (MBSE), supports the specification, analysis, design, and verification of complex industrial systems that include hardware, software, information, personnel, procedures, and facilities [37]. The diagrams in SysML can be divided into three groups, i.e., structure diagrams, the requirement diagram, and behavior diagrams. Figure 2 shows the division of the different types of diagrams. Structure diagrams can be used to describe the hierarchical structure of a system, and they include the package diagram, block definition diagram, internal block diagram, and parametric diagram. Behavior diagrams can be used to describe the dynamic behavior of system objects, and they include the activity diagram, sequence diagram, state machine diagram, and use-case diagram. The requirement diagram is a cross-cutting structure that can be used to describe both static structure and dynamic behavior.

In SysML, each diagram represents a slightly different view of the model. A complex system can be described by multiview visual diagrams to improve the completeness of the model, but it is generally not necessary to use all of the SysML diagrams in one model. A system process can be completely described by modeling its structural and behavioral characteristics; the former can be described by the block definition diagram (BDD), while the latter can be expressed by the use-case diagram (UCD), the activity diagram (AD), the sequence diagram (SD), and the state machine diagram (stmD).

3.2. System Behavior Process Modeling Based on SysML

The characteristics of the behavior processes in complex systems can be modeled using SysML. First, the composition structure and organizational relationships of the system are defined. Second, the behavior process is decomposed based on activities or events. Furthermore, the interactions between objects can be modeled. Finally, the state changes in system components and their impact on system safety are characterized, as shown in Figure 3.

Step 1. System structure modeling: The mission process is analyzed to determine which objects or entities should be modeled. The system mission is an interactive process of multiple factors, which are generally classified into three categories, i.e., human, machine, and environmental factors, and the environmental factors can affect the behavior of human and machine. Therefore, the whole system can be divided into three types of entities: system operators, equipment and/or components, and environmental factors. The BDD is adopted to list the corresponding entities and describe their properties, including values and operations, as shown in Figure 4. Moreover, the BDD can represent the hierarchical relationships among these entities and their attributes to support further modeling.

Step 2. System behavior process modeling: The behavior process can be divided into subprocesses, which are successively modeled by the UCD and AD, where the UCD is used to determine the functional requirements and system architecture, and the AD is used to describe the detailed information. Through the UCD, the entities in the process and their behaviors can be identified further; then, the AD supplies the mechanism to describe the basic actions of the different entities during the process, including the transfer of events, energy, or data. The modeling of a specific subprocess is shown in Figure 5, where the inputs and outputs of the actions, the object nodes, and the control nodes are modeled. An object node represents signals, values, etc., that are passed between two actions, and a control node displays the logical relationship between the actions.

Step 3. The description of interactions between entities: The interaction between entities in the system is not only an essential process for completing the system mission but also the cause of exceptions and even accidents. Therefore, it is necessary to analyze the interaction between entities during each process. The SD is selected to describe the temporal sequence logic and the interactions, including the lifelines, messages, etc., which are transferred between the various factors. As shown in Figure 6, the interactions between lifelines are represented by the messages passed between the dashed lines, and each message is described by a text on the line. The conditions that control message delivery are shown in square brackets.

Step 4. The description of states and state changes: The description of an object's state can explicitly represent how that state changes over time with events or actions. An accident is an unexpected and/or unacceptable state, so the aim of process decomposition and interaction description is to help identify the potentially unacceptable states, namely hazards. The different states of each entity in the system and the transitions between them during the mission process can be displayed in the stmD. The specific steps of the analysis of state change are as follows.

(1) The lower-level object state changes are analyzed. The state changes in human, machine, and environment are described, where the internal/external behavior and the transition event are represented.

(2) The indicators that characterize the safety of the system are defined. These dynamic indicators are taken as the criteria for changes in the safety state and can be established from historical data and expert experience.

(3) The safety of the system is evaluated. The impact of the lower-level objects on the safety of the system is analyzed through simulation based on the behavioral process models. As shown in Figure 7, the safety of the system transitions between different states and is assessed according to the change in the indicator.

4. The Entity Modeling of Landing Process

4.1. The Integration of SysML and Simulink Models

The formal model using SysML can reduce the ambiguity of the description and enhance the readability of the model. However, SysML lacks the ability to model and quantitatively simulate a continuous operation process, especially when the physical characteristics and behavior process of the man-machine system are complicated. Therefore, it is necessary to study the integration of the visual modeling of SysML with the dynamic simulation of an entity. In order to effectively analyze the behavior processes of the system, this study combines the Simulink platform with the SysML models to simulate the behavior process, including the man-machine system and the environmental impact. Many methods exist to support model transformations between different modeling languages, among which the OMG’s queries/views/transformations (QVT) and triple graph grammars (TGGs) are two common transformation approaches. Compared with QVT, the TGG method can be bidirectional between the two languages and is more traceable, which benefits parameter passing. Hence, the TGG method is adopted in this study to integrate SysML and Simulink, and the transformation method is shown in Figure 8.

The specific transformation rules based on TGG mainly include the following aspects, as shown in Figure 9. There are three main types of transformation, namely, object transformation, parameter transformation, and control transformation. The object transformation transforms the objects in the source model into the target model to ensure that the objects in the two modeling languages are consistent. The parameter transformation can be achieved through parameter sharing when the model parameters are simple. For a complex model, the parameters are transformed by specifying the same transformable value attributes and types in the different models. The transformation rules for control instructions and connection relationships in the different models are defined to produce the corresponding results.

The TGG rule supporting the transformation between the AD in SysML and the target model in Simulink is shown in Figure 10. Since the action nodes, object nodes, and control nodes are the most critical components of the AD, the TGG-based transformation focuses mainly on these three kinds of nodes. In step 1, the same value type is defined for the object node in srcObj1 and the data in trgObj1. In step 2, the action node in srcObj1 is converted into the relevant subsystem block in trgObj2. In step 3, the control node in the AD is transformed into a logical operator, bus creator, bus selector, etc., which can execute mathematical calculations, relational operations, and logical operations. Finally, the value returned from the target object can be transmitted back to the source object, ensuring the consistency of the model.

The other SysML models can also be transformed following the above rules. The system hierarchy relationships, the properties of the objects, and the corresponding object entities in the BDD are converted into subsystem modules (i.e., constant and integrator modules) in Simulink. In the SD, the messages, constraints, and combined fragments can be translated into bus creator and bus selector modules and into data transmission control between different modules to demonstrate the interaction between entities. Based on the description of the states and state transitions of the structural elements in the stmD, an object-oriented Stateflow model can be constructed to represent the entity state evolution process of the system and its subsystems.

Based on the transformation method, entity models can be established to describe and calculate the actual behavior of the objects in the mission process. According to the system structure analysis in Section 3.2, the entity model of the landing process can be divided into the aircraft subsystem, the personnel control subsystem, and the environment subsystem.

4.2. Aircraft Subsystem Modeling

The dynamic models of an aircraft during landing can generally be divided into two categories, i.e., the nonlinear six-degrees-of-freedom model and the small-perturbation linearized model [38]. The former can fully describe the motion of the aircraft, but the strong coupling and nonlinear characteristics of the equations of motion may make it difficult to draw conclusions by direct nonlinear system analysis. The landing process can be regarded as steady motion at constant speed and angle. The flight speed is generally less than Mach 0.2 during landing, and the aircraft motion can be considered linear because it is hardly affected by air compressibility during landing [39, 40]. Therefore, the linear small-disturbance state equation is adopted to express the aerodynamic characteristics of the aircraft, which is convenient for studying its flight and stability characteristics.

In this study, we assume that the aircraft moves only longitudinally during landing and ignore its lateral motion. When the aircraft is in longitudinal motion during landing, the external forces acting on the aircraft in the track coordinate system are shown in Figure 11.

The dotted line in Figure 11 is the horizontal line; is the aircraft gravity; is the thrust generated by the engine and refers to the longitudinal axis of the aircraft; is the air resistance to the aircraft; is the lift force on the plane; and is the velocity of the aircraft. The angle between the plane’s velocity and the plane’s longitudinal axis is called the plane’s angle of attack. The angle is called the plane’s pitch angle. The angle between the plane’s velocity and the horizontal line is called the track angle of the plane. The angular velocity of the longitudinal axis of the aircraft in the longitudinal plane is called the pitch angle velocity of the aircraft.

The longitudinal small-disturbance state equation of the aircraft can be expressed as follows:where is the state vector; and are the control vector and output vector, respectively; and represent the matrices including the flight state parameters and aerodynamic derivatives of the aircraft; and and are parameter matrices that support the computation. Moreover,

The mathematical relationship between the flight state attributes and the aerodynamic parameters of the aircraft is described in equation (1). Some basic attributes involved in the system are shown in Table 1. The table also displays the module to which each attribute belongs. These include the important performance parameters of the aircraft and the main conditions that can affect flight. The dynamic simulation model of flight according to the longitudinal small-disturbance equation is shown in Figure 12. The flight state parameters of the aircraft can be obtained through the model calculation, by inputting the into the state equation, including the variation of the speed (VT), the variation of the angle of attack (alpha), and the variation of the pitch rate (q).

4.3. Personnel Control Subsystem Modeling

During the landing process, it is necessary to accurately control the glide trajectory of the carrier aircraft to ensure safety. When the actual flight state deviates from the target, it can be restored by adjusting the control. The control modes of an aircraft generally include manual control and autopilot control. This study focuses on the safety of the man-machine system, so the manual control mode is modeled and analyzed.

This study focuses on the longitudinal motion of the aircraft during the landing process, so the manual control can be appropriately simplified. It is assumed that the pilot’s manual control of the aircraft attitude is achieved mainly by manipulating the elevator in longitudinal motion, and that the pilot’s operation of the aircraft is a continuous trajectory tracking behavior. Therefore, the attitude control function of the aircraft in the personnel control subsystem can be realized by constantly changing the elevator angle according to the relevant instruction. In this model, the expected values of the parameters in the instruction are taken as input, and the deflection angle of the elevator is taken as output. At the same time, the actual value of the flight parameter is introduced as negative feedback to keep the actual flight parameter as close to the expected value as possible.

The system feedback control function is realized by using the cascade proportional-integral-derivative (PID) control model. The control principle of the longitudinal motion of aircraft is shown in Figure 13. The altitude variation instruction and the value of the altitude feedback are taken as the input to the PID in the outer loop, to adjust the pitch angle. Then, the pitch angle rate is calculated with the value of the pitch angle feedback. In the internal loop, the calculated value and pitch angle rate feedback are taken as input, processed by the limiter, to control the elevator operating angle. Finally, the elevator operating angle is transmitted to the aircraft model. The relationship between the input and output in PID can be expressed in equation (3). The is usually used to represent the deviation between the expected value and the actual value, as shown in equation (4).where is the output of PID; is the deviation between the expected value and the actual value; is the actual value; is the expected value; is the proportional gain; is the integral time constant; and is the derivative time constant.

4.4. Environmental Subsystem Modeling

The influence of environmental factors on the landing process is the main consideration in environment modeling. The carrier aircraft may be disturbed by many external factors, such as the aircraft carrier's wake, crosswind, and precipitation, during the landing process [41]. In addition, due to the influence of sea waves, swell, and wind, the aircraft carrier moves with six degrees of freedom at sea. It is believed that the main influence of atmospheric disturbance on aircraft landing is caused by the vertical component of turbulence. In this study, therefore, only the disturbance of the vertical component on the altitude control of the aircraft is considered.

There are many external environmental factors that may affect the landing process. Theoretically, it is necessary to establish corresponding models to describe their influence, but they are beyond the scope of this study, which focuses on the modeling and safety analysis of the man-machine system. It is assumed that the influence of the different environmental factors on the aircraft can be expressed synthetically, and that differences in this comprehensive influence can be expressed as different degrees of effect on the aircraft. Considering their actual effect in the model, the influences are regarded as a disturbance to the human-machine system in the instructions of the control module. The comprehensive influence is expressed as a deviation of the elevator angle in the output of the personnel control subsystem. It is implemented with the additive white Gaussian noise (AWGN) module in the control loop in Simulink. AWGN follows the Gaussian distribution and is the most basic noise and interference model. The signal-to-noise ratio (SNR) and the control value are the actual input parameters of the AWGN module. The model adjusts the SNR of the module to produce different degrees of disturbance representing the comprehensive environmental impact. The improved control loop schematic diagram is shown in Figure 14.
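As an added worked example for Sections 4.3 and 4.4 (not the paper's Simulink model or code), the following Python script renders the cascade PID altitude loop of Figure 13 in discrete time, injects an AWGN disturbance on the elevator output whose variance is set from an SNR as in the Simulink AWGN block, and scores the run against the altitude-deviation state criterion used in Sections 3.2 and 5.1. The plant constants, controller gains, the 4 deg² reference signal power, and the 1 m ideal deviation band are all constructed assumptions, and the plant is a deliberately simple toy rather than the paper's state equation (1).

```python
import math
import random


class PID:
    """Ideal-form PID controller: u = Kp * (e + (1/Ti) * integral(e) dt + Td * de/dt),
    with the deviation e = expected value - actual value (the paper's equations (3) and (4))."""

    def __init__(self, kp, ti, td, dt):
        self.kp, self.ti, self.td, self.dt = kp, ti, td, dt
        self.integral = 0.0
        self.prev_err = None

    def step(self, expected, actual):
        err = expected - actual
        self.integral += err * self.dt
        deriv = 0.0 if self.prev_err is None else (err - self.prev_err) / self.dt
        self.prev_err = err
        return self.kp * (err + self.integral / self.ti + self.td * deriv)


def clamp(value, limit):
    """Symmetric limiter, standing in for the saturation block in the inner loop."""
    return max(-limit, min(limit, value))


def awgn(value, snr_db, signal_power, rng):
    """Additive white Gaussian noise whose variance is derived from an SNR in dB relative to a
    reference signal power, mirroring the SNR mode of the Simulink AWGN block."""
    sigma = math.sqrt(signal_power / 10 ** (snr_db / 10.0))
    return value + rng.gauss(0.0, sigma)


def simulate(snr_db, seed=1, t_end=30.0, dt=0.02, h0=5.0, ideal_band=1.0):
    """Run the cascade altitude loop under an AWGN elevator disturbance and score the
    altitude-deviation safety state. Returns a dict of safety indicators."""
    rng = random.Random(seed)
    # Constructed toy longitudinal plant (NOT the paper's aircraft state equation):
    # first-order pitch-rate response to the elevator, pitch angle = integral of pitch rate,
    # altitude deviation driven by the pitch angle at a constant landing speed.
    speed = 70.0    # m/s, below Mach 0.2 as the landing assumption requires
    k_elev = 2.0    # steady-state pitch rate (deg/s) per degree of elevator deflection
    tau_q = 0.5     # s, pitch-rate lag
    q, theta, h = 0.0, 0.0, h0   # deg/s, deg, m (perturbations from the trimmed glide)
    # Cascade controller as in the paper's Figure 13 (gains are assumptions):
    outer = PID(kp=0.3, ti=200.0, td=0.5, dt=dt)   # altitude deviation -> pitch angle command
    k_theta = 1.0                                  # pitch angle error -> pitch rate command
    inner = PID(kp=0.5, ti=50.0, td=0.0, dt=dt)    # pitch rate error -> elevator angle
    theta_limit, elev_limit = 5.0, 15.0            # deg
    signal_power = 4.0                             # deg^2, reference power for the AWGN SNR
    state = "beyond" if abs(h) > ideal_band else "within"
    transitions, time_beyond, max_dev_settled = [], 0.0, 0.0
    for i in range(int(t_end / dt)):
        t = i * dt
        theta_cmd = clamp(outer.step(0.0, h), theta_limit)
        q_cmd = k_theta * (theta_cmd - theta)
        elev = clamp(inner.step(q_cmd, q), elev_limit)
        elev = awgn(elev, snr_db, signal_power, rng)   # comprehensive environmental disturbance
        q += dt * (-q + k_elev * elev) / tau_q          # Euler integration of the toy plant
        theta += dt * q
        h += dt * speed * math.sin(math.radians(theta))
        new_state = "beyond" if abs(h) > ideal_band else "within"
        if new_state != state:
            transitions.append((round(t, 2), state, new_state))
            state = new_state
        if state == "beyond":
            time_beyond += dt
        if t >= 20.0:   # indicator after the initial correction has settled
            max_dev_settled = max(max_dev_settled, abs(h))
    return {
        "final_state": state,
        "final_deviation_m": h,
        "time_beyond_s": time_beyond,
        "max_dev_settled_m": max_dev_settled,
        "transitions": transitions,
    }


if __name__ == "__main__":
    for snr in (40.0, 10.0, -10.0):
        r = simulate(snr)
        print(f"SNR {snr:6.1f} dB: final state {r['final_state']}, "
              f"time beyond ideal band {r['time_beyond_s']:.1f} s, "
              f"max settled deviation {r['max_dev_settled_m']:.2f} m, "
              f"{len(r['transitions'])} state transitions")
```

Lowering the SNR raises the time spent in the "beyond ideal deviation" state and the number of state transitions, which is the qualitative behaviour Figure 18 describes.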

5. Case Study

5.1. Mission Process Modeling of Landing Process

The landing process was analyzed to identify the various objects and main behaviors involved in the system. The basic process of aircraft landing is shown in Figure 15. The pilot, after checking the state of the aircraft, sends a request to the control center, and the control center issues a landing clearance to the aircraft and to the landing signal officer (LSO, the staff member guiding the aircraft landing) according to the landing situation. After receiving the order, the pilot flies to the aircraft carrier. Meanwhile, the control center and the LSO keep sending auxiliary navigation information to the aircraft via the Fresnel lens (the equipment providing optical landing assistance). The pilot adjusts the aircraft attitude until the aircraft touches down or goes around.

Considering the multiple factors and mission stages in the landing process, the attitude control of the aircraft is taken as an example to establish the safety-oriented SysML models and conduct the safety analysis. During the landing process, the aircraft glides at a certain speed while the LSO uses the Fresnel lens optical landing system (FLOLS) to signal the pilot and guide the flight. The pilot controls the pitch angle by adjusting the elevator so that the aircraft stays as close as possible to the ideal glide track. As shown in Figure 16, the factors involved in attitude control are divided into three classes in the BDD, i.e., system operators: pilot and landing signal officer; equipment: aircraft, arresting cable, and Fresnel lens; and environmental conditions: aft flow, rainfall, and wind shear. The definitions of the operations and values are detailed in the BDD. Taking the aircraft block as an example, its values include the angle of attack α, the pitch angle θ, and the altitude h, and its operations consist of the combat mission, takeoff, and landing.

According to the analysis of the attitude control process, there are two parallel actions, i.e., aircraft manipulation and optical guidance, which usually happen at the same time. The aircraft attitude control can be modeled and analyzed in detail by using AD, as shown in Figure 17. The “maintain the state” and the “adjust the state” are the subprocesses and subsequent actions of the “aircraft manipulation,” and the pilot adjusts the state by adjusting the elevator and controlling aircraft power. The parameter value of the command issued by the guide related to the ideal glide trajectory is transmitted to the control subsystem through the input port. In this way, the information interactions between different entities in the process of attitude adjustment can also be comprehensively and clearly presented.

The state machine diagram is chosen to model the real-time state and the state transitions of the aircraft, pilot, and LSO together with the excitation events [42]. The track deviation, which refers to the positional relationship between the actual landing track and the ideal one, is one of the most important indicators for measuring the safety of aircraft landing and attitude control. Therefore, the dynamic deviation is taken as the criterion for state changes in this study. Figure 18 shows the state changes of the carrier aircraft during the landing process. When the pilot is ready to land and receives the landing signal, the aircraft will be adjusted and transferred between different altitude deviation states, influenced by the external disturbance and the pilot's control adjustments. The deviation adjustment of the aircraft in the diagram is a compound state, which has a significant impact on the aircraft state. The ready-to-land, landing guidance, and successful landing nodes are all simple states, taken as a cause or effect of the compound state. Operational deviation and environmental interference may move the aircraft from within the ideal altitude deviation into the state beyond the ideal height deviation, and effective adjustment can return it to the ideal state.

The adjustment of altitude deviation has a critical effect on flight safety during the landing. The safety of the aircraft can be evaluated by the state changes in the stmD, as shown in Figure 19. There are five state nodes in the stmD, of which the normal, critical, and dangerous state nodes directly indicate the safety state of the system, and the others represent event states. The normal state represents that the system is in a safe state; the dangerous state represents an unexpected and/or unaccepted state; and the critical state is an intermediate state. The system can change among these three states depending on the relationship between the actual deviation and the prescribed deviation. When the actual deviation is greater than the allowable value, the system will be in a dangerous state. When the actual deviation is less than or equal to the ideal deviation, the system will be in a safe state. The other transition relations are likewise shown in the stmD.

Based on the above discussion and the models, the flight attitude control model is constructed in Simulink, as shown in Figure 20. Each module represents the corresponding subsystem. The ideal trajectory sent from the LSO is taken as the overall system input and is passed to the aircraft subsystem after being processed by the control subsystem. The flight parameters are calculated and displayed on the scope modules at the same time. The influence factors of the environmental subsystem participate in the negative feedback adjustment in the control subsystem, reflecting the impact of the comprehensive interference on the human-machine system.

The initial parameters of the aircraft during the landing process are assumed as follows: the altitude of the aircraft at the entrance to the glide trajectory is 240 m, while the glide angle of the aircraft is -3°, and the initial flight speed is 102 m/s. The parameter matrix of the small-disturbance state equation is also given.

In this case, the carrier aircraft receives the landing command at 300 meters. The pilot manipulates the elevator in time to maneuver, corrects the initial vertical trajectory deviation, maintains fixed-altitude flight at 240 meters for a period of time, and then glides under the guidance. The changes in the aircraft pitch angle and the pitch angle speed during the process are shown in Figures 21 and 22. According to the figures, a large maneuver is required because the aircraft does not reach the specified glide height in the initial state, resulting in a rapid change in the pitch angle. Figure 21 shows that the pitch angle first increases in the reverse direction and then decreases. When the aircraft enters the gliding phase, the change in pitch angle speed gradually stabilizes, as shown in Figure 22. Based on the analysis of these figures, it is considered that the flight attitude control function can realize effective control of the aircraft by adjusting the control command in the process of landing and meet the requirements of safety.

5.2. Safety Analysis of Landing Process

Many factors, such as pilot error, equipment fault, and complicated environmental conditions, can have a great impact on the landing process, all of which increase the uncertainty of the flight attitude control. Here, we take the attitude control under different disturbance degrees as an example to illustrate the safety analysis. In combination with factors such as personnel control, environmental conditions, and landing conditions, the different degrees of disturbance, used to indicate the severity of the influencing factors, can be classified into 3 categories, i.e., H1, H2, and H3, as shown in Table 2.

As mentioned in the above analysis, the landing track deviation of the aircraft is a critical indicator, so we classified the landing track deviation (as shown in Table 3) for further analysis. According to the analysis in Section 5.1, when the upper limit of the allowable value of the track deviation is exceeded, the aircraft is considered to be in a dangerous state. At this time, the pilot needs to take the emergency operation of the deviation correction by adjusting the elevator. For the safety analysis, the influence of different factors in the event can be simplified as the comprehensive interference of external environmental factors. Hence, the comprehensive influence of H1, H2, and H3 can be represented by the AWGN module to be added into the personnel control subsystem. A certain signal-to-noise ratio (SNR) of the AWGN module is determined based on the state combination of different disturbance events. Different degrees of disturbance to the environment can be realized by adjusting the SNR.

According to the classification of the ideal range and allowable range of the vertical deviation in Table 3, the aircraft state is divided into the safe state, critical state, and dangerous state. The safe state refers to a vertical deviation within the ideal range, the dangerous state refers to a vertical deviation outside the allowable range, and all other cases belong to the critical state. The transitions among these 3 states can be defined by the state diagram in Stateflow, where the letter "a" is the vertical deviation from the Simulink continuous system (the aircraft), as shown in Figure 23.

The actual flight altitude under different disturbance degrees is shown in Figure 24, where the green line is the expected or ideal altitude during the landing process. The curves of H1, H2, and H3 are the actual flight altitude under different interferences, respectively. In general, as shown in the figure, the aircraft starts from the initial position (the altitude is about 300 m) at the beginning of landing and reaches the glide altitude after about 6 seconds of maneuver; then, the aircraft confirms and keeps the altitude until it enters the slide path at about the 20th second. It can be seen that the actual altitudes under different interference conditions are different.

Figure 24 only shows the macrotrend of the aircraft altitude, so a more detailed analysis is needed. The real-time vertical deviation between the actual path and the ideal path is shown in Figure 25. As in Figure 24, it is obvious that the deviation rapidly decreases from 60 meters to about zero after the maneuver. When the aircraft needs to turn into the glide phase at about the 20th second, the deviation suddenly increases again due to the delay of the corresponding maneuver and gradually decreases after the aircraft stabilizes. Over the whole process, H1 maintains a stable trend, while H2 and H3 need constant adjustment, with H3 showing the larger fluctuation.

By studying the aircraft state over time, the influence of the different interference degrees on aircraft safety can be analyzed further. The change in the aircraft state is shown in Figure 26. Under the three interference conditions, the changes in aircraft state have a similar trend, that is, they have similar time periods in the dangerous state and the critical state. In these three cases, the aircraft is in the dangerous state between 0 and 5 seconds and between 40 and 62 seconds, in the critical state between 20 and 40 seconds and between 62 and 68 seconds, and in the safe state for the rest of the time, because of the different maneuvers in the different stages. The flight time in the dangerous and critical states under the different disturbance conditions is calculated, as shown in Table 4. Although the critical time of H1 is longer than that of H3 and H2, the dangerous time in H3 increases by about 11.7% compared with H1, and both the critical and dangerous times in H3 are longer than those in H2. It can be concluded that the risk gradually increases with the disturbance degree.
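As an added illustration of the state classification of Table 3/Figure 23 and the time-in-state calculation of Table 4 (example code written for this section, not the paper's Simulink/Stateflow model), the Python block below runs a constructed closed loop in which AWGN at a chosen SNR perturbs the pilot's corrective command, classifies the resulting vertical deviation into the safe, critical, and dangerous states, and accumulates the time spent in each state. The deviation thresholds, the command power p_in, and the SNR values for H1 to H3 are assumed placeholders, since the paper's Table 3 values and AWGN settings are not reproduced here.

```python
import math
import random

# Added example (not the paper's Simulink/Stateflow model). The thresholds are
# assumed placeholders standing in for the ideal/allowable ranges of Table 3.
IDEAL_DEV_M = 2.0       # assumed ideal range: |a| <= 2 m  -> safe state
ALLOWABLE_DEV_M = 10.0  # assumed allowable range: |a| > 10 m -> dangerous state


def classify(a):
    """Map the vertical deviation a (metres) to safe/critical/dangerous."""
    if abs(a) <= IDEAL_DEV_M:
        return "safe"
    if abs(a) > ALLOWABLE_DEV_M:
        return "dangerous"
    return "critical"


def time_in_states(trace, dt):
    """Accumulate the seconds spent in each state over a sampled trace."""
    totals = {"safe": 0.0, "critical": 0.0, "dangerous": 0.0}
    for a in trace:
        totals[classify(a)] += dt
    return totals


def simulate(snr_db, seed=0, dt=0.1, t_end=70.0, gain=0.5, p_in=100.0):
    """Constructed loop: the pilot commands a correction proportional to the
    deviation, AWGN at snr_db (relative to the assumed command power p_in)
    perturbs it, and the deviation integrates the perturbed command."""
    rng = random.Random(seed)
    sigma = math.sqrt(p_in / 10 ** (snr_db / 10))  # noise std for this SNR
    a, trace = 60.0, []                             # 60 m initial offset
    for k in range(round(t_end / dt)):
        if k == round(20.0 / dt):
            a += 15.0                    # delayed manoeuvre at glide entry
        command = gain * a + rng.gauss(0.0, sigma)  # command + disturbance
        a -= command * dt                # deviation reduced by the command
        trace.append(a)
    return trace


def dangerous_time_increase(ref_totals, totals):
    """Relative increase of dangerous-state time versus a reference case."""
    return (totals["dangerous"] - ref_totals["dangerous"]) / ref_totals["dangerous"]


if __name__ == "__main__":
    base = time_in_states(simulate(40), dt=0.1)   # assumed SNRs for H1..H3
    for label, snr in (("H1", 40), ("H2", 10), ("H3", 0)):
        totals = time_in_states(simulate(snr), dt=0.1)
        print(label, totals, f"{dangerous_time_increase(base, totals):+.1%}")
```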

The simulation results show that the degree of the aircraft deviating from the safe state is different under different interference levels as well as the time in the safe state. The pilot can adjust the operation to restore the aircraft to the normal state from a small deviation. However, when the interference is serious, the effectiveness of the pilot’s adjustment operation will be limited, and the risk level of the aircraft will greatly increase. Therefore, the research on improving the anti-interference ability and fault tolerance will play an important role in improving flight safety. Moreover, the time calculated based on quantitative simulation can be used to support the optimization of the pilot’s manipulation and improve the recovery ability of aircraft.

6. Conclusions

This study proposed an integrated method based on SysML and Simulink to model and analyze the safety of complex processes including the interactions of the man-machine system, and the landing process of an aircraft was taken as a case study to demonstrate the proposed method. The formal modeling of the behavior process was constructed with SysML, including the models of the system's structure, dynamic process, interactions, and state changes. Based on the integration of SysML and the Simulink platform, the entity models of the human, machine, and environment systems are established. Finally, the safety of the aircraft attitude control process is analyzed to verify the proposed method.

Compared with the state-of-the-art approaches to behavior process modeling and safety analysis for mission processes, the main contributions of this study are as follows: (1) the relationship between system safety and the components is considered and represented, which can express not only the logical relationship of behavior but also the continuous dynamic characteristics of the components, and (2) the model of the landing process is general and flexible, supporting reuse and refinement of mission process scenarios as required. Using a universal modeling language and platform, the method can improve the analysis efficiency and reduce the skill requirement for analysts. Moreover, this method can be used to simulate the safety of the aircraft during landing in different scenarios, which can also provide a reference for the actual flight test and the formulation of the flight plan. At the same time, the presented methodology still has some limitations. The integrated impacts on the safety of the system caused by possible machine degradation, human error, and environmental factors are not adequately analyzed in the current version. Future work will focus on strengthening the state evolution of the human, machine, and environmental factors in the system. In addition, we directly use the altitude deviation as the safety state indicator, which limits the predictability of the evolution of safety to a certain extent. An evaluation model based on flight parameters and disturbance parameters will be considered to help predict the safety of the system in the future.

Data Availability

All of the data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The authors appreciate the relevant staff providing us with the help.