Multi-modal safety analysis of the more electric aircraft starter generator system

Aiming at the characteristics of complex structure, strong coupling and different multi-modal safety levels of more electric aircraft starter generator system, a safety analysis method based on the operating process and a multi-modal failure rate calculation method are proposed. This paper analyses the architecture, operating process and modals of more electric aircraft starter generator system and decomposes the system into eight operating modals. Based on the construction of SafetyLab, a domestic safety analysis platform, the structural models and failure rate calculation models of eight modals of starter generator system are established, and the top event failure rate of each modal, the highest transient failure rate and the steady state failure rate of the system are calculated for a complete safety analysis, taking a typical starter generator system as an example. The method proposed in this paper helps to solve the problem of multi-modal failure rate analysis of complex systems with different equipment involved in the operating process. The multi-modal failure rate calculation method proposed in this paper is also applicable to the safety analysis of other multi-modal complex systems.


INTRODUCTION
To fulfil all the emission and fuel consumption requirements while also meeting those for aircraft safety, new architectures are needed. Currently, the most popular alternative that researchers are working on from a range of perspectives is the more electric aircraft initiative [1][2][3]. At present, most researchers believe that the safety level of more electric aircraft can be improved by increasing component redundancy. However, some researchers also use algorithms to evaluate the performance of power systems and provide the best power supply path for the load to avoid safety issues [4].
The more electric aircraft starter generator system is closely related to the aircraft functions of ground take-off, in-flight start and electricity generation during cruise. Once the system faults, flight safety is affected directly [5][6]. As a key technology for more electric aircraft, starter generator system research is lagging behind in China. Current research focuses on the control and performance optimization of the starter generator system [7][8][9][10], while little research pays attention to safety analysis. Therefore, there is an urgent need to apply scientific, reasonable and efficient system safety analysis methods to the design optimization of the starter generator system, while accumulating experience for the development of domestic more electric aircraft.
The methods used for system safety analysis include Failure Mode, Effects and Criticality Analysis (FMECA) [11], Bayesian Network (BN) [12], Markov Analysis (MA) [13], Fault Tree Analysis (FTA) [14] and so on. FTA is a typical qualitative and quantitative safety analysis method, which has been widely used in the safety analysis of the aircraft oxygen system [15], flight control system [16], landing gear system [17] and other systems. However, traditional FTA relies on manual modeling and calculation. For systems with complex structures and functions, such as the starter generator system, this leads to low efficiency, complex modifications and a heavy workload. Therefore, it is necessary to use a safety analysis platform to assist in modeling. Existing safety analysis platforms with FTA functionality come mainly from Europe and the USA, such as the Isograph reliability analysis software developed by the Isograph company in the UK, and the ITEM and Relex software developed in the USA. However, the application of such foreign software would risk technical blocking and information leakage. SafetyLab is a completely domestic safety analysis platform with the advantages of rich functionality, easy operation and low hardware requirements, which can better solve the problem of low work efficiency as well as avoid the risk of technical blocking and information leakage.
This paper comprehensively analyzes the architecture and operating process of the more electric aircraft starter generator system. Based on the differences in safety levels of each operating mode, the system is decomposed into eight safety analysis modals. Based on the SafetyLab platform developed by members of our group, the multi-modal safety models of the system are established. This paper also establishes the multi-modal failure rate calculation models of the starter generator system, with which the various safety indicators of the system are calculated. The results show that the starter generator system meets the safety requirements.

Architecture of the starter generator system
The more electric aircraft starter generator system is located in two parts: the main engine and the Auxiliary Power Unit (APU) [18]. During normal aircraft operation, the Variable Frequency Starter Generator (VFSG) is used as the core motor of the system for the main engine, usually powered by the APU, while the APU Starter Generator (ASG) is used as the core motor of the system for the APU, usually powered by the external power. Both the VFSG and ASG are three-stage starter generators with similar architecture and function. Figure 1 illustrates the overall architecture of the more electric aircraft starter generator system. The starter generator system consists of a Main Generator (MG), an Exciter Generator (EG) and a Permanent Magnet Generator (PMG), which form the main body of the system. It is combined with components such as the ATRU, CMSC, excitation power circuit, rotating rectifier, and various breakers and contactors to achieve current control and voltage regulation during system operation. The starter generator system can switch between start and generation functions, providing the torque required for engine start and the electric power required for normal aircraft operation.
Figure 1: Architecture of the more electric aircraft starter generator system

2.2. Operating modes of the starter generator system
According to the different operating functions of the system, the starter generator system is decomposed into start condition, transition condition and generation condition. Under different operating conditions, slight differences in the operation of various components within the system can have an impact on the overall safety analysis of the system, so it is necessary to subdivide the operating modes of the system. Table 1 analyzes the operation modes of the starter generator system. In Table 1, n1 represents the maximum RPM for constant torque start, n2 represents the engine disengagement RPM, and n3 represents the minimum RPM for engine generation. In the case of the B787, n1 takes a value of 4000 rpm, n2 takes a value of 6780 rpm, and n3 takes a value of 7200 rpm.

Start
The start condition is decomposed into two modes: 3-phase start mode and 2-phase start mode. Figure 2 shows the operating state of the system components for the 3-phase start mode of the starter generator system. At initial start, the RPM of the engine is zero. The system supplies constant frequency and variable frequency 3-phase Alternating Current (AC) to the exciter generator stator winding and main generator stator winding respectively, and the interaction between the rotating magnetic fields drives the rotor of the main generator to rotate, thus completing the initial start of the main engine. When the engine RPM reaches n1, the GEC1 is disconnected and the starter generator system is switched from 3-phase start to 2-phase start, but the main function of the system remains to provide the start torque. When the RPM of the engine accelerates to n2, the starter generator system enters transition mode, at which point the system neither outputs torque nor generates electricity. As the RPM of the engine continues to increase to n3, the system switches to the generate mode. The stator winding of the main generator cuts the magnetic field of the rotor winding, generating 3-phase AC.

MULTI-MODAL SAFETY MODELING PLATFORM AND SOLUTION FOR STARTER GENERATOR SYSTEM
3.1. Safety modelling platform: SafetyLab
SafetyLab, also known as the Accident Dynamic Simulation and Analysis Platform, is a domestic software platform developed with the participation of our research team. The SafetyLab platform has the advantages of rich functionality, easy operation and low hardware requirements. The system structure models built with SafetyLab can clarify the operating status of each component under different operating modals. When performing fault tree analysis, the models can intuitively reflect the relationship between the bottom events and the system architecture. SafetyLab can accurately and efficiently complete the safety analysis research of this paper. Figure 3 displays the operation interface of SafetyLab.

Multi-modal division of the starter generator system
On the one hand, there are differences in the operation of the components in the different operating modals of the system; on the other hand, the starter generator system has high requirements for the transient switching performance of the operating modes during operation. Therefore, it is necessary to conduct safety analysis of the switching transients and process states between the various operating modes of the starter generator system. Before conducting safety modeling, the four modes mentioned above can be divided into eight safety analysis modals. Figure 4 illustrates the eight modals of the starter generator system. In the "3-phase start mode - zero RPM start" modal, the Generator Control Unit (GCU) controls the on-off of components such as GEC1, GEC2, ATRUC and SC. Therefore, whether the GCU can correctly issue contactor control signals will also have an impact on the safety level of the "3-phase start mode - zero RPM start" operating modal. Figure 5 shows the first layer of the structural model of the system in this modal. Within the starter generator system of the main engine in the "3-phase start mode - zero RPM start" modal, the APU supplies power to the 230V AC bus bar via the APB. The AC current sent to the bus bar is then divided into two current flows. In one flow direction, 230V 3-phase AC flows through GEC1 and GEC2 into the exciter generator stator winding and generates a pulsating magnetic field around the stator winding. The rotor winding of the exciter generator cuts the magnetic induction lines to produce 3-phase AC. The AC is rectified to Direct Current (DC) by the rotating rectifier and fed to the rotor winding of the main generator, around which a constant magnetic field is formed. In the other flow direction, 230V 3-phase AC flows through the ATRUC into the ATRU. The ATRU rectifies the AC to 270V DC to supply the CMSC. The CMSC further inverts the DC power into AC power with controlled current and voltage. The controlled AC flows through the SC into the stator winding of the main generator and creates a three-phase rotating magnetic field around the winding. Finally, the rotating magnetic field interacts with the constant magnetic field, and the main generator outputs the start torque to drive the main engine to rotate. Figure 6 shows the second layer of the structural model of the system in this modal.

System structure model of the "Transition mode -RPM Equals n2" modal
When the RPM of the main engine reaches n2, the start mode of the starter generator system ends and the system needs to go through the transition mode from start to generating. In the transient state where the engine RPM equals n2, the GCU controls the disconnection of the SC and GEC2. As the starter generator system is neither generating electricity nor outputting torque at this time, the motor is only required to rotate coaxially with the engine. Therefore, when considering the impact of the exciter generator and main generator on system safety, only the operating state of the mechanical part of the motor and the rotating transformer (RPM measurement) are considered. Figure 7 shows the second layer of the structural model of the system in this modal.
The FTA bottom events of each modal are shown in Table 2. In the "Modals" column of the table, 1 to 8 represent the eight modals from "3-phase start mode - zero RPM start" to "generate mode - RPM greater than n3". The failure rate data of the various components in the system are taken from the MIL-HDBK-217F [19] "Electronic Equipment Reliability Projections" manual. As an example, the failure rate of circuit breaker components such as the GCB and APB in the starter generator system is calculated as in equation (1). In equation (1),   is the failure rate of the bottom event component,   is the fundamental failure rate, and   ,   ,   and   represent the structure factor, application factor, quality factor and environment factor respectively. Substituting the data gives   = $0.1122 \times 10^{-6}$/h and   = $0.2805 \times 10^{-6}$/h.
The failure rate calculation model of the rotating transformer is shown in equation (2). In equation (2),   and   represent the brush quantity factor and environment factor, and   and   represent the component temperature and environmental temperature. Substituting the data gives   = $0.3584 \times 10^{-6}$/h.
For bottom events for which failure rate data is not available from reliability manuals or specifications, the failure rate can be estimated using an analogous factor approach, i.e. by multiplying the failure rate data of other similar bottom events by the failure rate correction factor, as in equation (3). In equation (3),   is the failure rate of the similar component and   is the correction factor. For civil aircraft application components,   is generally taken as 25 to 100. The estimated failure rate of each control signal transmission in the system is   = $0.005 \times 10^{-6}$/h (optical cable length 10 m,   taken as 50).
The bottom event failure rate for each modal is obtained or estimated by the two methods described above; see Table 3. The bottom events of each modal are independent of each other, and the occurrence of any bottom event causes the top event to occur. Therefore, the failure rates   of the relevant components can be summed to obtain the top event failure rate   of each modal; see Eq. (4). The system failure rate for each operating modal of the starter generator system is calculated in section 5.2.1 above. See Eq. (5). The results show that the "3-Phase Start Mode - Zero RPM Start" modal has the maximum transient failure rate   . The   is $3.2257 \times 10^{-6}$/h, which reflects the most vulnerable state of the starter generator system.

Steady state failure rate of the system
This paper will further analyze the safety level in the steady state of the system. Consider the ratio of the operating time of each modal to the total operating time and calculate the steady state failure rate of the system by weighting and summing the failure rates of each modal.
From relevant manuals and materials [20], the total operating time T from start to stable generating and the operating time   for each modal of the starter generator system are obtained. The steady state failure rate of the system   can be calculated using equation (6). The calculated system steady state failure rate   is $2.1802 \times 10^{-6}$/h. Considering the regular inspection and maintenance of civil aircraft in actual operation, the system reliability ( = 1000 h) of the single-channel starter generator system at 1000 h is calculated using equation (7).
( = 1000 h) is 0.997822. Calculations show that after 1000 h of operation, the reliability of a single-channel starter generator system can still reach over 0.99.
In addition, the electric system of more electric aircraft is a multi-redundant system. This paper therefore also calculates the system failure rate of the dual-channel starter generator system after 1000 hours of operation using equation (8). When n is taken as 2 and   as 1000,   2 (1000) = $9.4756 \times 10^{-9}$. For civil aircraft, the steady state failure rate of the dual-channel starter generator system after 1000 hours of operation can reach the order of $10^{-9}$, which meets the airworthiness requirements.
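The calculation chain of this section, as an added Python example that is not from the paper: top event rate per modal, maximum transient rate, time-weighted steady state rate, exponential reliability and the multi-channel failure rate. The grouping of bottom events into two modals and the modal durations are constructed sample data, and `parallel_failure_rate` is an assumed form of equation (8) (the hazard rate of n identical, independent parallel channels), chosen because it reproduces the paper's dual-channel figure.

```python
import math

# Constructed sample data: the grouping of bottom events into modals and the
# modal durations are hypothetical, not the paper's Table 2/3 values.
SAMPLE_MODALS = {
    "modal A": {"bottom_events": [0.1122e-6, 0.2805e-6, 0.3584e-6, 0.005e-6],
                "hours": 10.0},
    "modal B": {"bottom_events": [0.1122e-6, 0.3584e-6], "hours": 30.0},
}

def top_event_rate(bottom_events):
    """Independent bottom events, any one causes the top event: rates add."""
    return math.fsum(bottom_events)

def max_transient_rate(modals):
    """Return (modal name, rate) for the modal with the highest top event rate."""
    rates = {name: top_event_rate(m["bottom_events"]) for name, m in modals.items()}
    worst = max(rates, key=rates.get)
    return worst, rates[worst]

def steady_state_rate(modals):
    """Weight each modal's top event rate by its share of total operating time."""
    total = math.fsum(m["hours"] for m in modals.values())
    if total <= 0:
        raise ValueError("total operating time must be positive")
    return math.fsum(top_event_rate(m["bottom_events"]) * m["hours"] / total
                     for m in modals.values())

def reliability(rate, hours):
    """Exponential-distribution reliability R(t) = exp(-rate * t)."""
    return math.exp(-rate * hours)

def parallel_failure_rate(rate, hours, channels):
    """Assumed form of the multi-channel failure rate: hazard rate of
    `channels` identical, independent channels operating in parallel."""
    if channels < 1:
        raise ValueError("channels must be at least 1")
    q = -math.expm1(-rate * hours)        # single-channel unreliability 1 - R(t)
    r = 1.0 - q                           # single-channel reliability R(t)
    density = channels * rate * r * q ** (channels - 1)  # -d/dt of system reliability
    return density / (1.0 - q ** channels)

if __name__ == "__main__":
    print(max_transient_rate(SAMPLE_MODALS))
    print(steady_state_rate(SAMPLE_MODALS))
    # The steady state rate stated in the paper, fed through the last two steps.
    print(round(reliability(2.1802e-6, 1000), 6))
    print(parallel_failure_rate(2.1802e-6, 1000, 2))
```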

CONCLUSION
Aiming at the characteristics of complex structure, strong coupling and different multi-modal safety levels of the more electric aircraft starter generator system, a safety analysis method based on the operating process and a multi-modal failure rate calculation method are proposed. The main conclusions are as follows.
i. Taking a typical type of starter generator system as an example, the architecture, operation process and modals of the system are analyzed in detail, and the structural modelling of the eight operating modals is completed based on the domestic safety analysis platform. The system analysis process is reasonable and feasible, and the platform-based auxiliary modelling is efficient.
ii. A multi-modal failure rate calculation method is proposed. Safety indicators such as the top event failure rate of each modal, the highest transient failure rate and the steady state failure rate are calculated. A complete safety analysis is conducted on the system, and the calculation results verify that the typical starter generator system meets the airworthiness safety requirements.
iii. The method proposed in this paper helps to solve the problem of multi-modal failure rate analysis of complex systems with different equipment involved in the operation process. The multi-modal failure rate calculation method proposed in the paper is also applicable to the safety analysis of other multi-modal complex systems.

Figure 3: Operation interface of the domestic software SafetyLab

Figure 4: Eight safety analysis modals of the starter generator system

Figure 5: The first layer of the SafetyLab model for "3-Phase Start Mode - Zero RPM Start" modal

Table 2. Correspondence between bottom events and various modals

In order to calculate the top event failure rate of each modal, it is necessary to first obtain the failure rate data of each bottom event. In this paper, it is assumed that the failure rate of each bottom event follows an exponential distribution.

Table 3. Failure rate of the bottom events

Table 4 calculates the top event failure rate for each modal.

Table 4. Top event failure rate of each modal