Complex systems inhabit a “gray world” of partial failures, MIT’s Olivier de Weck says: While a system may continue to operate as a whole, bits and pieces inevitably degrade. Over time, these small failures can add up to a single catastrophic failure, incapacitating the system.
“Think about your car,” says de Weck, an associate professor of aeronautics and astronautics and engineering systems. “Most of the things are working, but maybe your right rearview mirror is cracked, and maybe one of the cylinders in your engine isn’t working well, and your left taillight is out. The reality is that many, many real-world systems have partial failures.”
This is no less the case for aircraft. De Weck says it’s not uncommon that, from time to time, a plane’s sensors may short-circuit, or its rudders may fail to respond: “And then the question is, in that partially failed state, how will the system perform?”
The answer to that question is often unclear — partly because of how systems are initially designed. When deciding on the configuration of aircraft, engineers typically design for the optimal condition: a scenario in which all components are working perfectly. However, de Weck notes that much of a plane’s lifetime is spent in a partially failed state. What if, he reasoned, aircraft and other complex systems could be designed from the outset not for the optimal scenario, but for suboptimal conditions?
De Weck and his colleagues at MIT and the Draper Laboratory have created a design approach that tailors planes to fly in the face of likely failures. The method, which the authors call a “multistate design approach,” determines the likelihood of various failures over an airplane’s lifetime. Through simulations, the researchers changed a plane’s geometry — for example, making its tail higher, or its rudder smaller — and then observed its performance under various failure scenarios. De Weck says engineers may use the approach to design safer, longer-lasting aerial vehicles. The group will publish a paper describing its approach in the Journal of Aircraft.
“If you admit ahead of time that the system will spend most of its life in a degraded state, you make different design decisions,” de Weck says. “You can end up with airplanes that look quite different, because you’re really emphasizing robustness over optimality.”
De Weck collaborated with Jeremy Agte, formerly at Draper Laboratory and now an assistant professor of aeronautics and astronautics at the Air Force Institute of Technology, and Nicholas Borer, a systems design engineer at MIT. Agte says making design changes based on likely failures may be particularly useful for vehicles engineered for long-duration missions.
“As our systems operate for longer and longer periods of time, these changes translate to significantly improved mission completion rates,” Agte says. “For instance, an Air Force unmanned aerial vehicle that experiences a failure would have inherent stability and control designed to ensure adequate performance for continued mission operation, rather than having to turn around and come home.”
The weight of failure
As a case study, the group analyzed the performance of a military twin-engine turboprop plane — a small, 12-seater aircraft that has been well-studied in the past. The researchers set about doing what de Weck calls “guided brainstorming”: essentially drawing up a list of potential failures, starting from perfect condition and branching out to consider various possible malfunctions.
“It looks kind of like a tree where initially everything is working perfectly, and then as the tree opens up, different failure trajectories can happen,” de Weck says.
The group then used an open-source flight simulator to model how the plane would fly — following certain branches of the tree, as it were. The researchers modified the simulator to change the shape of the plane under different failure conditions, and analyzed the plane’s resulting performance. They found that for certain scenarios, changing the geometry of the plane significantly improved its safety, or robustness, following a failure.
For example, the group studied the plane’s operation during a maneuver called the “Dutch roll,” in which the plane rocks from side to side, its wingtips rolling in a figure-eight motion. The potentially dangerous motion is much more pronounced when a plane’s rudder is faulty, or one of its engines isn’t responding. Using their design approach, the group found that in such partially failed conditions, if the plane’s tail was larger, it could damp the motion, and steady the aircraft.
Of course, a plane’s shape can’t morph in midflight to accommodate an engine sputter or a rudder malfunction. To arrive at a plane’s final shape — a geometry that can withstand potential failures — de Weck and his researchers weighed the likelihood of each partial failure, using that data to inform their decisions on how to change the plane’s shape in a way that would address the likeliest failures.
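A sketch of the selection step the passage describes, added here as an illustration and not the researchers' code or data: build a tree of failure states branching from the nominal condition, weight each state by its likelihood, score each candidate geometry in each state, and keep only geometries that retain enough margin in every reachable state. All probabilities and scores below are constructed; the rudder/engine faults and "larger tail" candidate follow the article's Dutch-roll discussion.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class FailureNode:
    """A system state; children are (probability of that fault given this state, next state)."""
    name: str
    children: List[Tuple[float, "FailureNode"]] = field(default_factory=list)

def state_probabilities(root: FailureNode) -> Dict[str, float]:
    """Chance a mission ends in each state: path probability times the chance of no further fault."""
    probs: Dict[str, float] = {}

    def walk(node: FailureNode, reach: float) -> None:
        leave = sum(q for q, _ in node.children)
        probs[node.name] = probs.get(node.name, 0.0) + reach * (1.0 - leave)
        for q, child in node.children:
            walk(child, reach * q)

    walk(root, 1.0)
    return probs

def rank_designs(designs: Dict[str, Dict[str, float]], probs: Dict[str, float],
                 floor: float) -> List[Tuple[str, float, float]]:
    """Drop designs scoring below `floor` in any reachable state (too little margin to land),
    then rank the rest by probability-weighted score; returns (name, expected, worst)."""
    ranked = []
    for name, scores in designs.items():
        worst = min(scores[s] for s in probs)
        if worst < floor:
            continue
        expected = sum(probs[s] * scores[s] for s in probs)
        ranked.append((name, expected, worst))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed failure tree (fault probabilities per mission are made up):
# nominal -> rudder fault -> rudder fault + engine out, and nominal -> engine out.
TREE = FailureNode("nominal", [
    (0.05, FailureNode("rudder fault", [(0.10, FailureNode("rudder fault + engine out"))])),
    (0.03, FailureNode("engine out")),
])

# Constructed Dutch-roll damping margin (0..1) per geometry and state: the larger tail
# costs a little in the nominal state (drag) but keeps far more margin after a failure.
DESIGNS = {
    "baseline tail": {"nominal": 1.00, "rudder fault": 0.50, "engine out": 0.60,
                      "rudder fault + engine out": 0.20},
    "larger tail": {"nominal": 0.95, "rudder fault": 0.80, "engine out": 0.80,
                    "rudder fault + engine out": 0.60},
}
```

Ranked purely by expected score (`floor=0.0`) the baseline tail wins, because the nominal state dominates the average; requiring a minimum margin in every reachable state (`floor=0.5`) selects the larger tail instead, which is the robustness-over-optimality trade the article describes.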
De Weck says that while the group’s focus on failure represents a completely new approach to design, there is also a psychological element with which engineers may have to grapple.
“Many engineers are perfectionists, so deliberately designing something that’s not going to be fully functional is hard,” de Weck says. “But we’re showing that by acknowledging imperfection, you can actually make the system better.”
Jaroslaw Sobieski, a distinguished research associate at NASA Langley Research Center, views the new design approach as a potential improvement in the overall safety of aircraft. He says engineering future systems with failure in mind will ensure that “even if failure occurs, the flight operation will continue” — albeit with some loss in performance — “but sufficient to at least [achieve] a safe landing. In practice, that alternative may actually increase the safety level and reduce the aircraft cost,” when compared with other design approaches.
The team is using its approach to evaluate the performance of an unmanned aerial vehicle (UAV) that flies over Antarctica continuously for six months at a time, at high altitudes, to map its ice sheets. This vehicle must fly, even in the face of inevitable failures: It’s on a remote mission, and grounding the UAV for repairs is impossible. Using their method, de Weck and his colleagues are finding that the vehicle’s shape plays a crucial role in its long-term performance.
In addition to lengthy UAV missions, de Weck says the group’s approach may be used to design other systems that operate remotely, without access to regular maintenance — such as undersea sensor networks and possible colonies in space.
“If we look at the space station, the air-handling system, the water-recycling system, those systems are really important, but their components also tend to fail,” de Weck says. “So applying this [approach] to the design of habitats, and even long-term planetary colonies, is something we want to look at.”