Complex systems inhabit a “gray world” of
partial failures, Massachusetts Institute of Technology’s (MIT) Olivier de Weck
says: While a system may continue to operate as a whole, bits and pieces
inevitably degrade. Over time, these small failures can add up to a single
catastrophic failure, incapacitating the system.
“Think about your car,” says de Weck, an
associate professor of aeronautics and astronautics and engineering systems. “Most of the things are working, but maybe your right rearview mirror is
cracked, and maybe one of the cylinders in your engine isn’t working well, and
your left taillight is out. The reality is that many, many real-world systems
have partial failures.”
This is no less the case for aircraft. De Weck
says it’s not uncommon for a plane’s sensors to short-circuit, or for its
rudder to stop responding: “And then the question is, in that
partially failed state, how will the system perform?”
The answer to that question is often unclear—partly
because of how systems are initially designed. When deciding on the
configuration of aircraft, engineers typically design for the optimal
condition: a scenario in which all components are working perfectly. However,
de Weck notes that much of a plane’s lifetime is spent in a partially failed
state. What if, he reasoned, aircraft and other complex systems could be
designed from the outset to operate not in the optimal scenario, but for
suboptimal conditions?
De Weck and his colleagues at MIT and the
Draper Laboratory have created a design approach that tailors planes to fly in
the face of likely failures. The method, which the authors call a “multistate
design approach,” determines the likelihood of various failures over an
airplane’s lifetime. Through simulations, the researchers changed a plane’s
geometry—for example, making its tail higher, or its rudder smaller—and then
observed its performance under various failure scenarios. De Weck says
engineers may use the approach to design safer, longer-lasting aerial vehicles.
The group will publish a paper describing its approach in the Journal of
Aircraft.
“If you admit ahead of time that the system
will spend most of its life in a degraded state, you make different design
decisions,” de Weck says. “You can end up with airplanes that look quite
different, because you’re really emphasizing robustness over optimality.”
De Weck collaborated with Jeremy Agte,
formerly at Draper Laboratory and now an assistant professor of aeronautics and
astronautics at the Air Force Institute of Technology, and Nicholas Borer, a systems
design engineer at MIT. Agte says making design changes based on likely
failures may be particularly useful for vehicles engineered for long-duration
missions.
“As our systems operate for longer and longer
periods of time, these changes translate to significantly improved mission
completion rates,” Agte says. “For instance, an Air Force unmanned aerial
vehicle that experiences a failure would have inherent stability and control
designed to ensure adequate performance for continued mission operation, rather
than having to turn around and come home.”
The weight of failure
As a case study, the group analyzed the performance of a military twin-engine
turboprop plane—a small, 12-seater aircraft that has been well-studied in the
past. The researchers set about doing what de Weck calls “guided
brainstorming”: essentially drawing up a list of potential failures, starting
from perfect condition, and branching out to consider various possible
malfunctions.
“It looks kind of like a tree where initially
everything is working perfectly, and then as the tree opens up, different
failure trajectories can happen,” de Weck says.
The group then used an open-source flight
simulator to model how the plane would fly—following certain branches of the
tree, as it were. The researchers modified the simulator to change the shape of
the plane under different failure conditions and analyzed the plane’s
resulting performance. They found that for certain scenarios, changing the
geometry of the plane significantly improved its safety, or robustness,
following a failure.
For example, the group studied the plane’s
behavior during a motion called the “Dutch roll,” in which the plane rocks
from side to side, its wingtips tracing a figure-eight motion. The
potentially dangerous oscillation is much more pronounced when a plane’s rudder is
faulty, or one of its engines isn’t responding. Using their design approach,
the group found that in such partially failed conditions, a larger tail
could damp the motion and steady the aircraft.
Of course, a plane’s shape can’t morph in
midflight to accommodate an engine sputter or a rudder malfunction. To arrive
at a plane’s final shape—a geometry that can withstand potential failures—de
Weck and his researchers weighed the likelihood of each partial failure, using
that data to inform their decisions on how to change the plane’s shape in a way
that would address the likeliest failures.
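The procedure described above (branch a failure tree out from the all-working state, evaluate each candidate geometry in every failure state, then weight the states by their likelihood) can be made concrete. The Python below is an added example written for this page, not the researchers’ code or their simulator: the component failure probabilities, the damping model that stands in for the flight simulator, the tail-size candidates and the shortfall weighting are all constructed for illustration, and failures are assumed independent so that a state’s probability is the product of its components’ failure and survival probabilities.

```python
"""Multistate design evaluation: enumerate the partial-failure tree, weight
each state by its likelihood, and score candidate geometries across all
states rather than only in the all-working state.

Every number here (component failure probabilities, the damping model, the
shortfall weight) is a constructed stand-in, not data from the paper."""
from itertools import combinations

# Constructed per-mission probabilities that each component fails,
# assumed independent of one another.
COMPONENTS = {
    "rudder": 0.05,
    "left_engine": 0.02,
    "right_engine": 0.02,
    "yaw_sensor": 0.08,
}

# Constructed: extra Dutch-roll damping the airframe itself must supply when
# a component is out (no rudder authority, asymmetric thrust, no yaw damper).
EXTRA_DAMPING_REQUIRED = {
    "rudder": 0.25,
    "left_engine": 0.20,
    "right_engine": 0.20,
    "yaw_sensor": 0.10,
}
NOMINAL_DAMPING_REQUIRED = 0.40
SHORTFALL_WEIGHT = 10.0  # constructed: how heavily a damping shortfall is penalised


def failure_states(components):
    """Enumerate the failure tree: the root is 'all working', and each level
    adds one more failed component.  Returns (failed_set, probability) pairs
    whose probabilities sum to 1 under the independence assumption."""
    names = sorted(components)
    states = []
    for depth in range(len(names) + 1):
        for failed in combinations(names, depth):
            p = 1.0
            for name in names:
                p *= components[name] if name in failed else 1.0 - components[name]
            states.append((frozenset(failed), p))
    return states


def performance(tail_scale, failed):
    """Constructed stand-in for the flight simulator.  A larger vertical tail
    supplies more yaw damping but costs drag and weight; each failed component
    raises the damping the airframe alone must provide."""
    efficiency = 1.0 - 0.5 * (tail_scale - 0.8)   # smaller tail: lighter, less drag
    provided = 0.6 * tail_scale                    # damping from the tail alone
    required = NOMINAL_DAMPING_REQUIRED + sum(EXTRA_DAMPING_REQUIRED[f] for f in failed)
    shortfall = max(0.0, required - provided)
    return efficiency - SHORTFALL_WEIGHT * shortfall


def expected_performance(tail_scale, states):
    """Likelihood-weighted performance over every branch of the tree."""
    return sum(p * performance(tail_scale, failed) for failed, p in states)


def choose_design(candidates, states):
    """Return (nominal_optimum, multistate_optimum): the tail scale that wins
    when only the all-working state is considered, versus the one that wins
    when every failure state is weighted by its probability."""
    nominal = max(candidates, key=lambda t: performance(t, frozenset()))
    multistate = max(candidates, key=lambda t: expected_performance(t, states))
    return nominal, multistate


if __name__ == "__main__":
    states = failure_states(COMPONENTS)
    candidates = [0.8, 0.9, 1.0, 1.1, 1.2, 1.3]
    nominal, multistate = choose_design(candidates, states)
    print(f"{len(states)} failure states, total probability "
          f"{sum(p for _, p in states):.6f}")
    for t in candidates:
        print(f"tail x{t:.1f}: nominal {performance(t, frozenset()):.3f}  "
              f"expected {expected_performance(t, states):.3f}")
    print(f"nominal-optimal tail x{nominal:.1f}, "
          f"multistate-optimal tail x{multistate:.1f}")
```

Run stand-alone, the script shows the inversion the article describes: judged only in the all-working state, the smallest tail wins because it is lightest, but once the failure branches are weighted by their probabilities the optimum moves to a larger tail, because the rare rudder and engine-out states are expensive enough to outweigh the small nominal drag penalty. Swapping in real failure rates and a real aerodynamic model is where the actual engineering lives; the structure of the decision is the same.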
Beyond perfection
De Weck says that while the group’s focus on failure represents a completely
new approach to design, there is also a psychological element with which engineers
may have to grapple.
“Many engineers are perfectionists, so
deliberately designing something that’s not going to be fully functional is
hard,” de Weck says. “But we’re showing that by acknowledging imperfection, you
can actually make the system better.”
Jaroslaw Sobieski, a distinguished research
associate at NASA Langley Research Center, views the new
design approach as a potential improvement in the overall safety of aircraft.
He says engineering future systems with failure in mind will ensure that “even
if failure occurs, the flight operation will continue”—albeit with some loss in
performance—“but sufficient to at least [achieve] a safe landing. In practice,
that alternative may actually increase the safety level and reduce the aircraft
cost,” when compared with other design approaches.
The team is using its approach to evaluate the
performance of an unmanned aerial vehicle (UAV) that flies over Antarctica continuously for six months at a time, at high
altitudes, to map its ice sheets. This vehicle must fly, even in the face of
inevitable failures: It’s on a remote mission, and grounding the UAV for
repairs is impossible. Using their method, de Weck and his colleagues are
finding that the vehicle’s shape plays a crucial role in its long-term
performance.
In addition to lengthy UAV missions, de Weck
says the group’s approach may be used to design other systems that operate
remotely, without access to regular maintenance—such as undersea sensor
networks and possible colonies in space.
“If we look at the space
station, the air-handling system, the water-recycling system, those systems are
really important, but their components also tend to fail,” de Weck says. “So
applying this [approach] to the design of habitats, and even long-term
planetary colonies, is something we want to look at.”