A jet-engine is one of the most complex pieces of machinery ever created. No two engines are the same: performance varies from engine to engine, and on the same engine over time [78]. The engine components degrade at different rates, and performance is also affected after an overhaul or repair. This presents a challenge for the control system, which should be able to cope with both slow degradation in performance and rapid changes due to overhaul [78].
Fig. 1.4 Model checking verification approach: verification is performed a priori, on a model of the system under analysis, before the product or a prototype is generated.
In its early days, jet-engine control consisted mainly of regulating fuel flow into the combustor, controlling the air-fuel mix. Over the years, new control inputs have been progressively added to the control scheme. Actuators such as guide vanes, variable exhaust nozzles, variable compressor stators, and variable bleed valves, among others, have been added to the jet-engine in order to obtain more thrust, improve efficiency, and reduce weight [166]. This in turn made a change in the control scheme necessary, giving rise to more advanced algorithms.
A modern engine control system is in charge of more than control activities. As shown in Figure 1.1, many other functions run in the control computer (e.g. EEC). The three main functions are [38]:
• Communication with the aircraft to receive control commands and report status.
• Running the control algorithm to meet engine performance.
• Health management for diagnostics, prognostics, and control.
Advances in computing power made it possible to add health management functions. Because most of the health monitoring functions are related to control actuators, health management is tightly coupled to the control system itself [78]. Fault detection, isolation, and accommodation play a fundamental role in engine control and performance [78, 166]. Jet-engine control must be fault tolerant and highly reliable for safety reasons, which means redundancy in both the hardware and the software components of the control system.
The main purpose of a jet-engine is to provide a thrust output according to the pilot's demand [135, 149]. Whichever way thrust is regulated (e.g. shaft speed, pressure ratio), the control scheme for a commercial jet-engine is gain scheduling: a digital controller with multiple controller tunings (e.g. different sets of gains), where the tuning in use is changed depending on the operating conditions. The controller is implemented in digital form in the EEC, and its gains are stored as a look-up table. To keep engine variables within limits, a min-select strategy is preferred, which means that the control strategy comprises several control loops [149]. The controller switches between control loops during different engine operating modes and conditions. This type of control is preferred because of its simplicity compared to more advanced control methodologies [127, 149]. Even where more advanced control architectures and approaches have been tested in real engines, this has been either in a prototype or in a military application. Certification of military applications is regulated by a different legal framework, which is more flexible than that of commercial aviation; this partially explains why intelligent and adaptive control schemes have already been implemented in military aircraft [18]. There are still gaps to be filled before more advanced control schemes can be brought into the commercial side of aviation, which may also require a change in paradigm about the way certification is conducted and what it entails.
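The gain-scheduling and min-select structure described above can be sketched in a few lines of C. This is an added example, not code from the original text or from any engine controller; the table values, the names `lookup_gains` and `control_step`, the PI form of each loop, and the use of one shared schedule for both loops are assumptions made for illustration.

```c
#include <stddef.h>

/* Constructed schedule: PI gains tuned at three design points of the
   scheduling variable (normalised shaft speed). Values are illustrative. */
typedef struct { double sched, kp, ki; } GainPoint;
static const GainPoint TABLE[] = {
    {0.60, 2.0, 0.80}, {0.80, 1.2, 0.50}, {1.00, 0.8, 0.30},
};
enum { N_POINTS = sizeof TABLE / sizeof TABLE[0] };

/* Look-up: clamp outside the table, interpolate linearly between design
   points. Interpolated gains are not covered by any design-point analysis. */
GainPoint lookup_gains(double sched) {
    if (sched <= TABLE[0].sched) return TABLE[0];
    if (sched >= TABLE[N_POINTS - 1].sched) return TABLE[N_POINTS - 1];
    size_t i = 1;
    while (TABLE[i].sched < sched) i++;
    const GainPoint *lo = &TABLE[i - 1], *hi = &TABLE[i];
    double w = (sched - lo->sched) / (hi->sched - lo->sched);
    GainPoint g = { sched, lo->kp + w * (hi->kp - lo->kp),
                           lo->ki + w * (hi->ki - lo->ki) };
    return g;
}

/* Loop 0 tracks the thrust demand (speed error); loop 1 protects a limit
   (remaining temperature margin). Both share one schedule for brevity. */
typedef struct { double integ[2]; int active; } Controller;

/* One sample: every loop computes a fuel-flow request, min-select passes the
   smallest, so the limit loop takes over as its margin shrinks. */
double control_step(Controller *c, double sched, double speed_err,
                    double temp_margin, double dt) {
    GainPoint g = lookup_gains(sched);
    double err[2] = { speed_err, temp_margin }, req[2];
    for (int k = 0; k < 2; k++)
        req[k] = g.kp * err[k] + g.ki * (c->integ[k] + err[k] * dt);
    c->active = (req[1] < req[0]) ? 1 : 0;
    /* Only the selected loop integrates, so the idle loop does not wind up. */
    c->integ[c->active] += err[c->active] * dt;
    return req[c->active];
}
```

Every switch of `active` and every interpolated gain set is a case that design-point analysis does not cover, which is where the verification effort for this kind of controller concentrates.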
This complexity makes control system design for a jet-engine a very challenging task. The complexity resides not only in the nature of the process but also in the control scheme itself. The control is implemented in the EEC and interacts with several functionalities, creating data dependencies; because different functionalities are subject to different timing requirements, this adds further to the complexity of the controller [78]. For these reasons, modern commercial jet-engine control software is classified, under the levels of criticality designated by DO-178C, as software level A: its failure is potentially catastrophic.
Until more advanced control schemes reach enough maturity to become part of commercial aviation, gain scheduling will be the default option in jet-engine control. Even though gain scheduling is a well-known control scheme that has been around for over 50 years, in practical applications it is still challenging to guarantee its stability and prove its correctness [94, 97, 127, 138]. Demonstrating safety and requirements conformity for a gain scheduling controller is challenging from the design, verification, and implementation points of view.
Proving stability and performance analytically is complicated [97, 127, 138], and there are no performance guarantees in between design points [18]. In addition, a jet-engine has several control loops for different engine conditions, and accounting for every possible variation is impractical at the very least.
For a complex control system, such as a jet-engine control scheme that contains several limit restrictions, control loops, fault modes, and signal selection to handle faults, ensuring that a safe mode is reached in the event of multiple faults is non-trivial. Classical control design methods are hard to scale to such a complex system, so the design relies heavily on extensive testing activities to guarantee safety, performance, and certification compliance.