
1 Introduction

The development of the domestic aircraft industry, entry into the international air traffic market, and reliable national defence are impossible without increasing the level of flight safety and reducing the number and severity of accidents and catastrophes involving aircraft (AC). One promising way of solving this problem is to use modern information-processing means that improve the mathematical support of air transportation systems (ATS), which is used to prevent critical combinations of events affecting flight safety.

Despite considerable success in building aircraft control systems, the level of automation, computerization and equipment of ATSs in general remains inadequate for preventing emergencies that arise from a combination of unfavourable factors, each of which taken separately would not affect safety in a critical way. At present there is practically no information about automated systems that would allow control of an ATS with flight safety as the main criterion, or calculation of the probability of emergencies related to adverse combinations of failures and errors for various periods of time.

The above considerations determine the urgency and practical importance of this research, which develops new problem statements, models and algorithms for ATS control with flight safety taken as the main criterion [17].

2 Air Transportation System as Control Object

Let’s look at an ATS as an object of control with flight safety as the main criterion. The elements comprising this system are: the aircraft; the crew; the system that controls motion in the air (AMCS); airport personnel that prepare and control the flight.

Complex interactions between the ATS’s subsystems and their processes can cause critical combinations of factors and events, which, as a rule, lead to accidents.

Flight safety is defined as an ATS’s property that describes the level of danger to people and material objects onboard the aircraft in the process of its operation. A flight safety failure can occur even if there are no failures in the aircraft or other parts of the ATS. The reason can be errors in equipment design (not all conditions and requirements are met), errors in regulatory and operational documentation, or the occurrence of unpredictable or unaccounted-for operating conditions (force majeure). To prevent emergencies, this article suggests analysis, identification and elimination of possible dangerous combinations of events.

3 Problem Statement

Situations are described as accidents if they cause destruction of the aircraft without deaths of human beings; if there are victims among human beings, the situation is described as catastrophic [1].

Let us assume that we have a list of accidents and catastrophic situations \( \{ A_{1} ,A_{2} , \ldots ,A_{n} \} \), each of which is a consequence of a combination of events possible for the given type of an ATS, and for every \( A_{i} \in \{ A_{1} ,A_{2} , \ldots ,A_{n} \} ,i = \overline{1,n} \) one or several event trees are built: [24] \( \{ D_{1} ,D_{2} , \ldots ,D_{m} \} ,m \ge n \), which describe the process of appearance and development of critical combinations of these events for every \( A_{i} \in \{ A_{1} ,A_{2} , \ldots ,A_{n} \} ,i = \overline{1,n} \).

To solve the problem, not only models of Markov’s processes can be used, but other processes as well. In this case, calculation of probability is carried out using the apparatus of neural networks, fuzzy logic, etc.

Let us also accept that we know the current state of the ATS, including the intensity of the streams of appearance and restoration of failures of the ATS elements \( \lambda_{i} (t), \mu_{j} (t) \), \( i = \overline{1,n} ,j = \overline{1,m} \), which lead to or prevent, respectively, accidents or catastrophic situations \( \{ A_{1} ,A_{2} , \ldots ,A_{n} \} \).

In view of the above, the problem statement is as follows:

  1. \( \forall t \in [t_{H} ,t_{K} ] \) calculate probabilities \( P_{i} (\lambda_{1} (t),\lambda_{2} (t), \ldots ,\lambda_{k} (t),\mu_{1} (t),\mu_{2} (t), \ldots ,\mu_{k} (t),\overrightarrow {x} (t),t),i = \overline{1,n} \) describing the possibility of accidents or catastrophes, critical combinations of events included in the list \( \{ A_{1} ,A_{2} , \ldots ,A_{n} \} \);

  2. \( \forall A_{i} \in \{ A_{1} ,A_{2} , \ldots ,A_{n} \} ,i = \overline{1,n} \) determine the vector of controlling factors \( \overrightarrow {\mu^{*}} (t) \in \{ \overrightarrow {M} (t)\} \), which allow for the time interval \( \Delta T = t_{H} - t_{K} \) and all acceptable environmental conditions achievement of the maximum for the safety criterion of ATS operation for accidents and catastrophes included in the following list: \( \{ A_{1} ,A_{2} , \ldots ,A_{n} \} \). This criterion looks as follows:

$$ \int\limits_{t_{K}}^{t_{H}} \sum\limits_{i = 1}^{n} \eta_{i} \bigl(1 - P_{i} (\lambda_{1} (t),\lambda_{2} (t), \ldots ,\lambda_{k} (t),\mu_{1} (t),\mu_{2} (t), \ldots ,\mu_{k} (t),\overrightarrow {x} (t),t)\bigr)\,dt \to \max . $$
(1)

The limitations are:

$$ P_{i} = P_{i} (\lambda_{1} (t),\lambda_{2} (t), \ldots ,\lambda_{k} (t),\mu_{1} (t),\mu_{2} (t), \ldots ,\mu_{k} (t),\overrightarrow {x} (t),t) > A,i = \overline{1,n} , $$
(2)
$$ P_{i} = P_{i} (\lambda_{1} (t),\lambda_{2} (t), \ldots ,\lambda_{k} (t),\mu_{1} (t),\mu_{2} (t), \ldots ,\mu_{k} (t),\overrightarrow {x} (t),t) < B,i = \overline{1,n} . $$
(3)

And boundary conditions are:

$$ \begin{aligned} F_{i}^{(t_{H})} (\overrightarrow {x} (t),\overrightarrow {\mu } (t),\overrightarrow {\lambda } (t)) & = 0,\quad i = \overline{n_{1} + 1,n_{2}} , \\ F_{i}^{(t_{K})} (\overrightarrow {x} (t),\overrightarrow {\mu } (t),\overrightarrow {\lambda } (t)) & = 0,\quad i = \overline{n_{3} + 1,n_{4}} . \end{aligned} $$
(4)

Here \( \{ \overrightarrow {X} (t)\} ,\{ \overrightarrow {\rm M} (t)\} ,\{ \overrightarrow {\varLambda } (t)\} \) are the sets of the acceptable changes of the vectors \( \overrightarrow {x} (t),\overrightarrow {\mu } (t) \) and \( \overrightarrow {\lambda } (t) \), respectively; t is the time; \( \eta_{i} ,i = \overline{1,n} \) are weight coefficients ordering the following list: \( \{ A_{1} ,A_{2} , \ldots ,A_{n} \} \) by the severity of the accidents and; \( k,m,n_{i} ,i = \overline{1,4} \), A and B are known constants.

In other words, to solve the problem, it is necessary for every \( A_{i} \in \{ A_{1} ,A_{2} , \ldots ,A_{n} \} ,i = \overline{1,n} \) to choose such intensity of failure restoration \( \mu^{*}_{i} (t), i = \overline{1,k} \). The pilot can increase the intensity of the ATS’s elements, which will allow achievement of the maximum value for criterion (1) on the preset time interval \( [t_{H} ,t_{K} ] \) with limitations (2), (3) and initial conditions (4).

The method of solving the problem being developed here is founded on the idea of distributing the principles of analysis of the safety of aircraft, most well worked in the models of reliability and safety [1], to the sphere of safe operation of the whole air transportation system.

According to this approach, the article suggests calculating the probability of critical combinations of events causing emergency situations as the probability of the realization of corresponding sections of the event tree.

Therefore, in order to solve the stated problem, it’s necessary:

  • to work out mathematical models and algorithms of formal tree synthesis for ATS’s events \( \{ D_{1} ,D_{2} , \ldots ,D_{m} \} \), including those based on reduction and completion methods [1];

  • to build an event tree D, which combines trees \( \{ D_{1} ,D_{2} , \ldots ,D_{m} \} \) and allows calculation of minimal sections corresponding to critical combinations of events in the ATS;

  • to work out an algorithm allowing numerical calculation of probabilities \( P_{i} (\lambda_{1} (t),\lambda_{2} (t), \ldots ,\lambda_{k} (t),\mu_{1} (t),\mu_{2} (t), \ldots ,\mu_{k} (t),\overrightarrow {x} (t),t),\quad i = \overline{1,n} \) for different critical combinations, which are also called minimal sections of the event tree D.

To solve the problem, the following approach is used. An event tree D is built and its minimal sections, which correspond to possible critical combinations of events, are determined. The minimal sections are categorized by the number of elements included in them, as two-element ones, three-element ones, etc. For each class of sections a graph of states is built, for which a system of Kolmogorov-Chapman’s differential equations for Markov’s processes is created. From their solution, the probability of an adverse combination of circumstances formalized by the corresponding minimal section is calculated. In the process of the ATS’s operation the event tree changes constantly and, consequently, the minimal sections change too. For each adverse combination of circumstances an automated system determines its probability and suggests a list of actions that will eliminate the reasons for such situations to appear. As the solution of the problem, the list of actions is chosen that provides the minimal probability of the emergency situation.


4 Mathematical Model

To solve the problem a mathematical model has been worked out, including:

  • a set of dynamic event trees describing the reasons and the development paths of accidents and catastrophic situations caused by critical combinations of events;

  • a set of graphs of minimal sections of the event tree, used to build a system of differential equations;

  • logical and mathematical models allowing calculating the probability of critical combinations of events when the law of time distribution between events is not exponential;

  • systems of Kolmogorov-Chapman’s differential equations allowing calculating the probability of accidents and catastrophic situations.

Nowadays, a large number of mathematical models and algorithms have been worked out and tested practically. They allow building of event trees to analyze modes of complex system functioning, including reduction and completion methods necessary to design aircraft [1]. For example, for an ATS based on a forward-looking twin-engine airplane a fragment of such an event tree will look like this (Fig. 1).

Fig. 1. Fragment of an event tree D describing the appearance of an emergency situation for a forward-looking twin-engine airplane

The following designations are assumed for Fig. 1: Cc—emergency situation; A1—functional failure (FF) of an aircraft creating an emergency situation at landing controlled by steering-control; A2—combinations of FF of an aircraft, erroneous actions of the crew (EAC) and parameters of expected operating conditions (EOC) creating an emergency situation at the landing of the; B1—loss of 50 % of the required thrust of the propulsion system; B2—reduction of the efficiency of longitudinal and transversal control by half; B3—FF of flight equipment; B4—FF of an aircraft; B5—EAC and parameters of external conditions; C1—failure of one of the aircraft’s engines; C2—failure of the second engine (after the failure of the first one); C3—noticeable reduction of the efficiency of pitch control; C4—noticeable reduction of the efficiency of list control; C5—loss of flight parameter indication by the pilot at the controls; C6—faulty indication of one of flight parameters for the pilot at the controls; C7—not signaled autopilot failure at the landing assisted by flight director; C8—loss of effectiveness by the rudder; C9—loss of flight parameter indication by the co-pilot; C10—faulty indication of one of flight parameters for the co-pilot; C11—EAC; C12—adverse external conditions; C13—combination of pilotage inaccuracies and adverse weather conditions; D1—hydrosupply failures; D2—FF in the system of pitch control; D3—FF in the system of list control; D4—hydrosupply failures; D5—loss of attitude indication; D6—loss of indication of altitude and speed parameters; D7—faulty indication of one of attitude parameters; D8—faulty indication of one of altitude and speed parameters; D9—faulty indication of Yagi arrows; D10—disappearance of Yagi arrows; D11—failures on the rudder control system; D12—failures of hydrosupply of rudder control; D13—failure of the rudder correction mechanism in the min position; D14—loss of indication of attitude parameters; D15—loss of faulty indication of one of altitude and speed parameters; D16—faulty indication of one of attitude parameters; D17—faulty indication of one of altitude and speed parameters; D18—incorrect approach descent; D19—lateral wind over 8 m/s; E1—loss of pressure in hydraulic system; E2—depressurization of hydraulic system; E3—open-circuit in the wiring of control of one of the sections of elevation rudder (ER); E4—jamming of the booster rod of an ER section; E5—open-circuit in the wiring of control of one of the sections of an aileron; E6—jamming of the booster rod of an aileron section; E7—depressurization of hydraulic system; E8—loss of pressure in hydraulic system; F1—failure of hydraulic pump; F2—pumping plant failure; G1—destruction of hydraulic reservoir; G2—failure of pressure sources.

In this article it is suggested to calculate dependencies \( P_{i} (\lambda_{1} (t),\lambda_{2} (t), \ldots ,\lambda_{k} (t),\mu_{1} (t),\mu_{2} (t), \ldots ,\mu_{k} (t),\overrightarrow {x} (t),t),\quad i = \overline{1,n} \) with the help of the apparatus of Markov’s processes. If the processes under consideration can’t be described by this formal apparatus, using statistical analysis methods is also possible, as well as the theory of neural networks, expert systems and other methods. In case we use Markov’s processes, which are often used to calculate the reliability of aircraft, the sought for probabilities of the realization of critical combinations of events are calculated by solving the Kolmogorov-Chapman’s equation system, which is built from the state graph [8]. Its solution can be gained analytically, if the number of section elements is small, or using numerical methods. In case when the law of failure distribution is unknown, expert methods can be used to calculate probabilities, and they can be combined with formal methods.

Kolmogorov-Chapman’s system of differential equations for an n-element minimal section consists of \( 2^{n} \) equations for the probabilities \( P_{0} (t), \ldots ,P_{2^{n} - 1} (t) \) of event combinations preceding the given n-element combination. The equations look as follows:

$$ \frac{{dP_{v} (t)}}{dt} = \sum\limits_{w = 0}^{{2^{n} - 1}} {\pi_{v,w}^{ + } } P_{w} (t) - P_{v} (t)\pi_{v}^{ - } , $$
(5)
$$ \pi_{v,w}^{ + } = \left\{ {\begin{array}{*{20}l} {\lambda ,{\text{if the arc of the state graph marked}}\,\lambda \,{\text{goes from state}}\,w\,{\text{to}}\,v,} \hfill \\ {\mu ,{\text{if the arc marked}}\,\mu ,{\text{goes from state}}\,w\,{\text{to}}\,v,} \hfill \\ {0,{\text{if there is no arc going from state}}\,w\,{\text{to}}\,v\,{\text{in the graph}},} \hfill \\ \end{array} } \right. $$

where \( \pi_{v}^{ - } \) is the sum of marks of all arcs going from node \( v \) to other nodes of the graph, \( \lambda \in \{ \lambda_{1} ,\lambda_{2} , \ldots ,\lambda_{n} \} ,\mu \in \{ \mu_{1} ,\mu_{2} , \ldots ,\mu_{n} \} ,v,w \in \{ 0, \ldots ,2^{n} - 1\} . \)

From the above, let’s formulate the common algorithm of solving the problem.

  1. Beginning of the algorithm.

  2. Determining the set \( \{ A_{1} ,A_{2} , \ldots ,A_{n} \} \) of accidents and catastrophic situations.

  3. Building the set of event trees \( \{ D_{1} ,D_{2} , \ldots ,D_{m} \} \), each of which corresponds to accidents and catastrophes from the set \( \{ A_{1} ,A_{2} , \ldots ,A_{n} \} \).

  4. Determining and classifying the minimal sections corresponding to critical event combinations for each of the event trees.

  5. For the chosen minimal section the terminal nodes are determined, which correspond to events that trigger an accident or a catastrophe described by the given minimal section.

  6. For each event a list of actions is determined, the realization of which prevents it.

  7. For each list of actions the \( \mu_{i} \) value is calculated and the system of differential equations (5) is solved, which gives the probability \( P_{i} (t) \) of an accident or a catastrophe; if the process of accident appearance is not Markov’s, the probability is calculated using the apparatus of neural networks, fuzzy logic, etc.

  8. The minimal probability value \( P_{i}^{*} (t) \) is selected; using it, a corresponding list of actions is retrieved from the database and conveyed to the crew, the flying control officer and other decision making personnel.

  9. End of the algorithm.
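Steps 7 and 8 with system (5) can be sketched numerically as follows; this is an added example, not the authors' software. It assumes that each element of the section fails with rate \( \lambda_{i} \) and is restored with rate \( \mu_{i} \) independently of the others, that bit i of a state number marks element i as failed, and the rates and action lists are constructed sample data.

```python
import math

def derivative(p, lam, mu):
    """Right-hand side of system (5). Bit i of a state number is set when
    element i of the section has failed (assumed state encoding)."""
    dp = [0.0] * len(p)
    for w, pw in enumerate(p):
        for i in range(len(lam)):
            bit = 1 << i
            rate = mu[i] if w & bit else lam[i]  # restoration or failure arc
            dp[w ^ bit] += rate * pw             # pi+_{v,w} * P_w, v = w ^ bit
            dp[w] -= rate * pw                   # share of P_w * pi-_w
    return dp

def solve(lam, mu, t_end, steps=2000):
    """Integrate (5) with classical Runge-Kutta from P_0(0) = 1; returns
    [P_0(t_end), ..., P_{2^n-1}(t_end)]."""
    p = [1.0] + [0.0] * (2 ** len(lam) - 1)
    h = t_end / steps
    for _ in range(steps):
        k1 = derivative(p, lam, mu)
        k2 = derivative([x + h / 2 * k for x, k in zip(p, k1)], lam, mu)
        k3 = derivative([x + h / 2 * k for x, k in zip(p, k2)], lam, mu)
        k4 = derivative([x + h * k for x, k in zip(p, k3)], lam, mu)
        p = [x + h / 6 * (a + 2 * b + 2 * c + d)
             for x, a, b, c, d in zip(p, k1, k2, k3, k4)]
    return p

def closed_form(lam, mu, t):
    """Cross-check valid only under the independence assumption: the
    all-failed probability is the product of per-element unavailabilities."""
    prod = 1.0
    for l, m in zip(lam, mu):
        prod *= l / (l + m) * (1 - math.exp(-(l + m) * t))
    return prod

def best_action(lam, actions, t_end):
    """Steps 7-8: score each action list by P_{2^n-1}(t_end), keep the minimum."""
    scored = {name: solve(lam, mu, t_end)[-1] for name, mu in actions.items()}
    return min(scored, key=scored.get), scored

# Constructed sample data: rates and action lists are illustrative only.
LAM = [0.2, 0.1, 0.05]
ACTIONS = {
    "baseline": [1.0, 1.0, 1.0],
    "restore element 1 faster": [5.0, 1.0, 1.0],
    "restore element 3 faster": [1.0, 1.0, 5.0],
}

if __name__ == "__main__":
    name, scored = best_action(LAM, ACTIONS, t_end=2.0)
    for action, prob in scored.items():
        print(f"{action:28s} P_7(2.0) = {prob:.3e}")
    print("recommended:", name)
```

The closed-form product is only a check on the integrator; once the state graph has arcs that couple the elements, only the numerical solution of (5) applies.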

Analytical solution of the system (5) for a 3-element section gives us the following expression to calculate the probability of its realization:

$$ \begin{aligned} P_{7} (t) & = \frac{1}{{\mu_{2} \mu_{3} \mu_{1} }}(\mu_{2} \mu_{3} \mu_{1} e^{{ - (\mu_{2} + \mu_{1} + \mu_{3} + \lambda_{1} + \lambda_{2} + \lambda_{3} )t}} C_{8} \\ & \quad - \mu_{1} \mu_{2} \lambda_{3} e^{{ - (\mu_{1} + \mu_{2} + \lambda_{1} + \lambda_{2} )t}} C_{6} - \mu_{3} \lambda_{2} \mu_{1} e^{{ - (\mu_{3} + \mu_{1} + \lambda_{1} + \lambda_{3} )t}} C_{7} \\ & \quad - \mu_{2} \mu_{3} \lambda_{1} e^{{ - (\mu_{3} + \mu_{2} + \lambda_{2} + \lambda_{3} )t}} C_{5} + \mu_{1} \lambda_{2} \lambda_{3} e^{{ - (\mu_{1} + \lambda_{1} )t}} C_{3} \\ & \quad + \lambda_{1} \mu_{3} \lambda_{2} e^{{ - (\mu_{3} + \lambda_{3} )t}} C_{2} + \lambda_{1} \lambda_{3} \mu_{2} e^{{ - (\lambda_{2} + \mu_{2} )t}} C_{4} - \lambda_{1} \lambda_{3} \lambda_{2} C_{1} ), \\ \end{aligned} $$
(6)

C1, C2,…, C8 are constants.

The numerical solution of the system (5) is presented in Fig. 2, which shows the solution of Kolmogorov-Chapman’s differential equation system for \( \lambda_{1} = 10 \), \( \lambda_{2} = 1 \), \( \lambda_{3} = 1 \), \( \lambda_{4} = 1 \), \( \lambda_{5} = 1 \), \( \mu_{1} = 0 \), \( \mu_{2} = 5 \), \( \mu_{3} = 5 \), \( \mu_{4} = 5 \), \( \mu_{5} = 5 \), where \( P_{1} (t) \) is the probability that all the ATS’s subsystems work; \( P_{2} (t) \) is the probability that the autopilot failed at the landing assisted by the flight director; \( P_{7} (t) \) is the probability that the autopilot failed at the landing assisted by the flight director and the efficiency of the rudder is lost; \( P_{17} (t) \) is the probability of a non-signaled autopilot failure at the landing assisted by the flight director accompanied by the loss of the efficiency of the rudder and the loss of the indication of flight parameters by the co-pilot.

Fig. 2. Solution of the differential equation system for a five-element minimal section

Figure 2 shows that the probability of the fully functional state is the highest, but gets reduced in the process of functioning, while the probability of the failure of all elements is the lowest, i.e. the critical combination of the events doesn’t cause an emergency situation.

Each value of the µi parameters corresponds to certain actions of automated systems, crew and flying control officers directed at the elimination of possible reasons of an emergency.

5 Conclusion

An approach is suggested to increasing the safety of air transportation systems, which is based on analysis of critical combinations of separately non-dangerous failures and errors. A formal problem statement is worked out for air transportation system control with safety as the criterion.

To solve the problem, a mathematical model is developed, which allows calculation of probabilities of accidents and catastrophes related to aircraft when certain events are combined. In particular, formal methods are proposed to allow building and promptly correcting event trees for various operation conditions of aircraft.

Common principles of creating and operation of an informational and logical system are worked out. This system allows numeric estimation of the probability of emergency situations caused by critical combinations of events on different time intervals. It also recommends preventive measures for such situations. The software that has been developed is partly used as a component of the model of reliability and safety of air transportation systems in Open Joint Stock Company “Ilyushin Aviation Complex”.