Aerospace and Electronic Systems Magazine April 2017 - 10
Airplane Flight Safety Using Error-Tolerant Data Stream Processing
Figure 6. Twice PILOTS program to detect and correct errors in a simple two-stream application.
streams to be produced by the application and to be analyzed by the runtime system to recognize known error patterns as specified in the signatures section. If a detected error is recoverable, output values are computed from input data after being estimated using formulas under the estimate clause of the signatures section.[2]
An example PILOTS program called Twice is shown in Figure 6 that compares two data streams. The two input streams, a and b, are specified in the inputs section. The value of b is always supposed to be twice as large as the value of a, so that the values of o and e in the outputs and errors sections should always be zero under normal conditions. There are four error signatures S0, ..., S3 under the signatures section. In this example, S1 and S2 are detectable and correctable, whereas S3 is detectable but not correctable.
APPLYING SENSOR FAULT DETECTION AND CORRECTION TO ACTUAL COMMERCIAL FLIGHT ACCIDENTS' DATA
We present two examples of using PILOTS for aviation data error analysis: (1) Air France Flight 447 and (2) Tuninter Flight 1153. For each example, the flight data, experimental design, and results
Figure 7. Air France Flight 447 flight investigation. (Adapted from https://

AIR FRANCE FLIGHT 447: PITOT TUBES ICING

Air France Flight 447 (AF447), which departed from Rio de Janeiro bound for Paris on June 1st, 2009 (flight path shown in Figure 7), was one of the worst flight accidents in aviation history. The initial cause of the accident was identified as incorrect airspeed readings caused by pitot tubes clogged with ice crystals. The AF447 challenge was that all the pitot tubes failed under the same icing conditions. Other sensors or information could have been incorporated to cross-check the sensor readings to inform the pilots or auto-pilot of the correct aircraft speed. Research suggests that the accident could have been prevented by endowing the flight system with the ability to estimate the speed using the physical relationship between different speed measurements (Equation 1) to detect and correct for the error. To demonstrate the applicability of error signatures to recover the airspeed from the actual ground speed stored in the flight data recorder and the weather forecast-based wind speed, we created an error signatures vector to detect airspeed sensor faults and developed a corresponding PILOTS program.

Error Signatures Vector

In addition to considering the pitot tube fault that actually occurred in the AF447 flight, we design a general error signatures vector that can detect the following four conditions: (1) normal, (2) pitot tube fault due to icing, (3) GPS fault, and (4) simultaneous pitot tube and GPS faults. Suppose the airplane is flying at airspeed $v_a$, from which other speeds are expressed in relation to $v_a$ as follows:

Wind speed: $v_w \le a v_a$, where $a$ is the maximum reasonable wind speed to airspeed ratio.
Ground speed: $(1 - a) v_a \le v_g \le (1 + a) v_a$.
Pitot tube failed airspeed: $b_l v_a \le v_a' \le b_h v_a$, where $b_l$ and $b_h$ are the lower and higher values of the pitot tube clearance ratio, $b_l, b_h \in [0, 1]$, $b_l \le b_h$; 0 represents a fully clogged pitot tube, while 1 represents a fully clear pitot tube.
GPS failed ground speed: $v_g' = 0$.

We use $v_a'$ and $v_g'$ to denote erroneous airspeed and ground speed, respectively. We assume that when pitot tube icing occurs, the tube is gradually clogged and thus the airspeed data reported from the pitot tube system (which may combine multiple physical probe measurements) also gradually drops and eventually remains at a constant speed while iced. This is consistent with data from AF447. The resulting constant speed is characterized by the ratios $b_l$ and $b_h$. On the other hand, when a GPS fault occurs, the ground speed suddenly drops to zero. This is why we model the failed ground speed as $v_g' = 0$. Using these parameters and the error model Equation (2), we design the

[2] We used correct in earlier versions of the software/papers, but estimate better reflects that the mathematical formula is an estimation of a data stream. Thus, the new terminology and syntax will be used in PILOTS release 0.3.1 and higher.
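A classifier for the four conditions of the error model above, added here as an illustration and not code from PILOTS or from the paper's program: it applies the wind, ground speed, pitot clearance and GPS bounds to one (reported airspeed, reported ground speed) sample, and recovers airspeed for the correctable pitot case. The reference airspeed v_a_ref, the GPS zero tolerance and the scalar airspeed-from-ground-speed estimate are assumptions of this example, since Equation (1) is not reproduced on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ErrorModel:
    """Parameters of the error model listed above (values supplied by the caller)."""
    a: float        # maximum reasonable wind-speed-to-airspeed ratio
    b_low: float    # lower pitot tube clearance ratio, 0 = fully clogged
    b_high: float   # higher pitot tube clearance ratio, 1 = fully clear
    gps_zero: float = 1e-6  # assumed tolerance: |v_g| at or below this is the "v_g = 0" reading

    def __post_init__(self) -> None:
        if not 0.0 <= self.b_low <= self.b_high <= 1.0:
            raise ValueError("need 0 <= b_low <= b_high <= 1")
        if not 0.0 <= self.a < 1.0:
            raise ValueError("need 0 <= a < 1 so the ground speed band stays positive")


def classify(m: ErrorModel, v_a_ref: float, v_a_meas: float, v_g: float) -> str:
    """Map one sample to normal / pitot_fault / gps_fault / pitot_and_gps_fault / unknown.

    v_a_ref is the airspeed the aircraft is assumed to be flying at (an assumption of
    this example, e.g. the last trusted estimate); the clogged pitot band
    [b_low*v_a, b_high*v_a] and the ground speed band are checked against it.
    """
    gps_failed = abs(v_g) <= m.gps_zero                          # GPS fault: v_g = 0
    pitot_band = m.b_low * v_a_ref <= v_a_meas <= m.b_high * v_a_ref
    airspeed_clear = v_a_meas > m.b_high * v_a_ref               # above the clogged band
    ground_vs_ref = (1 - m.a) * v_a_ref <= v_g <= (1 + m.a) * v_a_ref
    ground_vs_meas = (1 - m.a) * v_a_meas <= v_g <= (1 + m.a) * v_a_meas
    if gps_failed:
        if pitot_band:
            return "pitot_and_gps_fault"
        return "gps_fault" if airspeed_clear else "unknown"
    if ground_vs_meas and airspeed_clear:
        return "normal"        # ground speed agrees with the reported airspeed
    if pitot_band and ground_vs_ref:
        return "pitot_fault"   # airspeed sits in the clogged band, GPS still plausible
    return "unknown"           # no signature in the vector matches this sample


def estimate_airspeed(v_g: float, v_w_along_track: float) -> float:
    """Recover airspeed from ground speed and forecast wind (the correctable pitot case).

    Assumed scalar form of the speed relationship, since Equation (1) is not on this
    page: along-track wind, positive for a tailwind, so v_a = v_g - v_w.
    """
    return v_g - v_w_along_track
```

With a = 0.2, b_low = 0.3 and b_high = 0.6 (constructed values) and a reference airspeed of 250, a reported airspeed of 120 alongside a ground speed of 255 lands in the clogged band and is classified as a pitot fault, while the same airspeed with a ground speed of 0 is classified as the simultaneous fault.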