Safety Analysis for Icing Aircraft during Landing Phase Based on Reachability Analysis

Icing is one of the leading causes of fatal aircraft accidents worldwide. Encountering icing conditions, dynamic characteristics of the aircraft will be damaged, thereby greatly affecting flight safety. Research on real-time estimations of the safety envelope under icing conditions is critical to improve flight safety. In order to determine the safety envelope, the reachability analysis based on the level set method is presented. The reachable set is obtained via computing the Hamilton-Jacobi partial differential equation (HJPDE), which is based on optimal control and is used in the landing phase of an aircraft. The results show that icing will shrink the safety envelope. Particularly under severe icing conditions, the stall speed of the aircraftwill increase, and dynamic behaviorwill be more sensitive. A slight change of command by the pilot may contribute to the flight state moving outside the safety envelope. Furthermore, the effect of flap deflectionwas considered, which positively impacts the expanding safety envelope during the landing phase. Finally, amaneuvering coping strategy based on safety envelope is proposed. Examples are provided using theNASA’s generic transportmodel (GTM), and the results can be applied to flight safety risk assessment, providing theoretical guidance for the design of envelope protection systems.


Introduction
Aircraft accidents caused by ice continue to occur.Icing not only affects the aerodynamic performance, but also degrades the control of aircraft, leading to catastrophic crashes [1].According to Federal Aviation Administration (FAA) and National Aeronautics and Space Administration (NASA) statistics, there were 16 fatal accidents associated with icing from 1976 to 1994 [2].When an aircraft encounters icing conditions, it not only generates less lift force and more resistance, but also leads to loss of control effectiveness [3,4].With the accretion of ice, the dynamic characteristics will be damaged, and the flight envelope may be greatly affected.Furthermore, the flight control system would provide the flight crew with incorrect control instructions, posing a great threat to flight safety.This has been emphasized by a number of high-profile accidents such as the ATR accident in 1994, which was caused by ice accretion.In this accident, the aircraft operated under a violating flight safety envelope.The roll anomaly occurred at the angle of attack of 5 ∘ , which was much lower than the angle of attack limit (18.1 ∘ ) under normal conditions [5].
In order to improve flight safety and reduce accidents caused by icing, the reliability method to assess the safety envelope should be established.For conventional envelope protection, the safety flight envelope is defined as the range of airspeed, flight altitude, and normal load factors at which aircraft can operate safely [6].This means that the flight envelope protection is based on these limitations and the flight state should not exceed it.However, the conventional method to define the safety envelope cannot consider upset conditions, such as change of dynamic characteristics.Hence, conventional envelope schemes, which use predetermined limits on parameters such as angle of attack and bank angle, are no longer effective in icing conditions.Therefore, in order to ensure flight safety under upset conditions, the changes of the dynamic characteristics caused by the environment should be considered.
To consider more conditions that affect the flight envelope, the problem has been extensively studied.One method to compute the safety envelope is to use the region of attraction (ROA) method [7,8], based on Lyapunov's stability theory [9].ROA methods predict a stable set in the state space around a given equilibrium, in which the system will return to the equilibrium.Although this method considers many conditions, the problem of conservatism still exists and could not be used in engineering applications.In addition, another important method based on differential manifold theory [10][11][12] is presented to determine the safety envelope.Differential manifold theory is one method for estimating the stability region of nonlinear dynamic systems that can be seen as the dynamic envelope for aircraft systems [13].It is shown that the stability boundary of the nonlinear dynamic system consists of the union of the stable manifolds of all equilibrium points and/or closed orbits on the stability boundary.Although this method could determine an accuracy envelope, it relies too much on the precision of the model and number of the dimensions cannot exceed three.Moreover, this method is mainly based on the equilibrium state, and there exist some limitations in dealing with the dynamic change process.Therefore, it is difficult to apply in studying the landing phase.
In this paper, the reachability analysis [14,15] based on the level set method has been proposed to estimate the safety envelope of the aircraft under icing conditions during landing.This allows us to predict, to some extent, the states that can be reached with a given control authority from a trim condition.The restricted set of flight states at each key point is seen as the target set.Through solving the HJPDE with the optimal control laws, the reachable set can be obtained [16][17][18].For an aircraft, the reachable set is a safe set; trajectories from states in the reachable set can reach the target set in the time horizon at some control law.Using the landing process as an example, the initial set of states is denoted as the set of acceptable aircraft flight states and the target set is the set of acceptable aircraft states at touchdown.Hence, the safety envelope is denoted as the range of states that can ensure the safety of the aircraft from the initial to target set.
The organization of the paper is as follows.The longitudinal dynamic model of icing aircraft is established in Section 2. In Section 3 fundamental concepts of the reachability analysis method that are essential to the subsequent development of this study are introduced.Safety analysis based on NASA's generic transport model (GTM) during landing phase is proposed in Section 4. Finally, conclusions are drawn in Section 5.

Dynamic Model
The accretion of ice will alter the wing's profile shape and lead to alterations of the aircraft's overall lift and drag properties.When the aircraft encounters icing conditions, the stall angle will decrease deeply, as shown in Figure 1.As a result, the safety envelope of the aircraft may change significantly.In order to estimate the safety envelope, the dynamic model under icing conditions should first be established.

Equations of Motion.
Aircraft flight dynamics typically consist of the 8th rigid-body equations of motion.However, it is difficult for these high-dimension systems to visualize their envelope as more than two [19].In order to study the dynamic characteristics in the landing phase, the velocity , the flight-path angle , and altitude ℎ of the aircraft are chosen as the flight states, to analyze how the aircraft dynamics are affected by icing.The longitudinal dynamic model considered is presented as follows: where where  is the mass;  is thrust of the aircraft;  is the angle of attack;  is the acceleration of gravity;  is drag of the aircraft;  is lift of the aircraft;  = (1/2) 2 is the dynamic pressure;  is the atmospheric density;  is the reference wing surface area.It should be noted that the aircraft dynamics used in this paper are NASA's GTM, the axial force coefficient   , and the normal force coefficient   can be found in [20].

Iced Aircraft Model.
As shown in [21], the accurate expression of the aerodynamic parameters with the change of angle of attack, pitch angle rate , and flap setting   can be obtained in the form of a polynomial by fitting the flight parameters.The axial force coefficient   and the normal force coefficient   are shown as follows: In this equation, polynomial coefficient   (i=1, 2, 3, 4) and   (i=1, 2, 3, 4) are the functions of the so-called icing parameter .It is shown in [22] that the changes in aerodynamic coefficients can be captured through the icing severity parameter.In particular, the icing severity factor can be described by a linear variation of the parameters: The icing severity parameter  is a time-varying parameter and representing the amount and severity of the icing encounter for a particular aircraft operation under a linear aerodynamic regime. () represents the change in the aircraft parameters, which is typically a constant for a given aircraft. () is the original dynamical parameter that connects with icing.As noted in [23], the icing parameter  ranges from 0 to  max .If  =0, it represents the aircraft has not encountered icing conditions and is considered clean.Conversely, if  =  max , it represents the aircraft is fully iced.Naturally, a typical value of  max is 1.

Computation of the Safety Envelope
For civil aircraft, the guarantee of safety is considered the most important part when synthesizing controllers of complex safety-critical systems.Although there exist envelope protection systems in the flight control system, it is still insufficient to achieve multiple controls.For conventional envelope protection, the safety flight envelope is to make use of the altitude limitations, and the flight state should not exceed these.However, it fails when the flight system is associated with controller design and may also be inadequate to help predict the unanticipated problems with all possible initial conditions.Conventional envelope protection is difficult to implement in practice, especially for continuous state systems.Alternatively, a possible approach is to use the reachability analysis theory.On one hand, the theory can observe the system's synthesizing states and input constraints, such as stall speed, height, and altitude, which can be incorporated as the initial boundary of the continuous state system.On the other hand, through using reachability analysis, all points belonging to all possible trajectories can be computed from all possible initial states, thus ensuring safety.

Notion of Safety Sets.
The reachability analysis determines if the trajectories of a system model can reach a certain target from an initial set within a given time and inputs.For example, while the aircraft is in landing phase, the initial set of states is the set of acceptable aircraft configurations; the target is the set of acceptable aircraft states at touchdown; and the envelope is the range of states that can ensure the safety of the aircraft.A safe landing refers to the flight state that begins in initial set, still remains in the safety envelope all times, and reaches the target in finite time.Mathematically, a nonlinear autonomous dynamic system can be described by the differential equation: where  is a state in state space  of  dimensions,  is the time variable, and  is the control input signal from the permissible bounded sets (, ).The vector    × [0, ] ×  →   is a bounded and Lipschitz continuous function.A trajectory can be defined as   0 , 0 ,(.)() :  →  ∈ , where  0 is the initial state at  =  0 .The initial set Ι and target set Γ are denoted as Ι, Γ ∈ .
A forward reachable set is denoted as the collections of states when starting in the initial set at time  0 and reaching at time  while a backward reachable set is denoted as the target set reaching at time   when the states starting at time : Forward reachable set: Backward reachable set: In this study, focus on the envelope that can obtain all of the possibilities and guide the aircraft back to new trim sets under the appropriate control allocations.In the process of solving the backward reachable set, despite the fact that all of the states starting from the target set eventually can reach the safe set within a given time and control laws, some of the states in the backward reachable set may extend beyond the limitations, which are not allowed in normal flights.Conversely, considering that the flight state could not remain in the trim set forever, the process of solving the forward reachable set starts from the initial set to find the new trim set, and there exist some states that can remain in the safety limitation within given control law.
For the phase of landing, in the process of descent, the dynamic characteristics of the aircraft are constantly changing.The aircraft cannot remain in one of the trim states forever and still must manipulate other flight conditions to ensure a safe landing.Thus, the aircraft not only needs to reach the new trim set that is computed by the forward reachable set, but also ensure safety, which is obtained by the backward reachable set.
In general, as illustrated in Figure 2, the safety envelope for the nonlinear autonomous dynamic system is denoted as the intersection between the backward and forward reachable set of a given trim set.

Level Set Method.
The target set and reachable set can be computed by the level set method.The level set method is a class of numerical algorithms for computing the evolution of dynamic implicit surfaces.The main idea is to embed the moving deformation curve as a zero level set into a higher dimensional function and describe the evolution of the curve from the evolution of the closed hypersurface.The level set equation is presented: where The boundary of the target and reachable set can be denoted by the zero level method function, known as ( 9), with c=0.The target set can be described as The reachable set of the target set Γ under the vector field  can be obtained by solving the terminal value HJPDE,  (, )  + min [0,  (,  (, )  )] = 0 for  ∈   ,  < 0  (, 0) =  () for  ∈   ,  = 0 where In (12),  is the Hamilton consensus, denoted as  = (, )/.The control synthesized from this calculation is For the function (, ), an implicit representation of the reachable set is obtained: As can be seen from ( 12) and ( 13), the maximum (, ) is obtained under the optimal control  * (, ).The optimal control  * (, ) represents the choice of  that maximizes the (, ) in a given state .However, the computation of the optimal input  * (, ) is extremely complex, as it is a nonconvex optimization problem and requires an exhaustive search of the domain.For the dynamic system of (1), the angle of attack  and thrust of the aircraft  are chosen as control variables.Thus, the computation of the optimal control is restricted to determine the combination of  and  that maximize the (, ).However, for the particular model in this study, the optimization problem is reduced to determine six points.The optimal input ( * ,  * ) is as follows: ( min ,  min ), ( min ,  max ), ( max ,  max ), ( max ,  min ), ( 1 ,  max ), ( 2 ,  max ), where  1 and  2 are the extreme points of (, ).The computation of the optimal control  * (, ) is detailed in [17].

Safety Analysis of Landing
The longitudinal nonlinear controlled dynamic model of NASA's GTM was used as the research aircraft.The related parameters of the aircraft are discussed in [20].In this section, the safety envelope is estimated by the reachability analysis, and the effects of flap deflection and icing are considered while studying the changing of the safety envelope.The details are described below.

Effect of Flap Deflection.
As the flap deflection is closely associated with the safety envelope, thus the transition between the flap deflections should be considered.In the process of landing, the aircraft successively deflects the flaps from 0 to the maximal deflection.In this section, three modes of flap deflections (0, 15, and 30deg) are considered.The lift and drag coefficient for these modes are presented in Figures 3 and 4, respectively.The figures show that the lift and drag coefficients will increase with the accretion of the flap deflections.
For the aircraft, the stall speed is given by the formula where  max represents the maximal lift coefficient obtained at the attack of angle, which shown in Figure 3.During the landing phase, the stall speed corresponds to flight safety.This means that the flight state may be out of the safety envelope while the speed of the aircraft is below the stall speed.The summary of the flap deflection parameter values for the GTM is shown in Table 1.
Table 1 shows that the maximal lift coefficient increases significantly with the opening of the flap, while the maximal stall speed of the aircraft decreases.The reachable set for three different flap settings ( = 0, 15, and 30 deg) can be seen in Figure 5.In Figure 5, the backward and forward reachable sets are represented by red and blue grid line, respectively.Through analysis of the three diagrams in Figure 5, we find that the reachable set increases with the accretion of the flap deflections.During the landing phase, when the pilot opens the flap, the lift coefficients of the aircraft will increase, and the maximal stall speed will simultaneity decrease.Thus, the aircraft obtains a larger safety envelope, which is denoted as the intersection between the backward and forward reachable set, as shown in Figure 6.
In Figure 6, the safety envelopes for the three different flap settings ( = 0, 15, and 30 deg) are represented by black, yellow, and red region, respectively.From the diagram, we find that opening of the flap can make the aircraft obtain a larger safety envelope.Moreover, this ensures a safe aircraft landing in a larger speed range.Thus, the flap is useful for enhancing the security of the aircraft.

Effect of Icing.
As presented in the previous section, the flap has a palpable effect on improving the safety of the flight in the landing phase.In this section, a flap deflection of 15 ∘ is considered while studying the change of safety envelope affected by icing.A fitted lift coefficient with different icing severity parameters is shown in Figure 7.It can be determined that the lift coefficient and stall angle will decrease quickly with the accretion of icing.With a decreasing maximize lift coefficient, the stall speed will change, as shown in Table 2. From Table 2, we find that the maximize lift coefficient  max will decrease with the accretion of icing.
When the aircraft suffers icing conditions, the dynamic characteristics of the aircraft will be damaged.In the landing phase, the stall speed will increase quickly, making it difficult for the aircraft to reach a safe glide speed.Thus, the safety envelope will become small at this time.Figure 8 compares the safety envelope affected by icing of ( =0, 0.1, and 0.2), presented by red, yellow, and black regions, respectively.For mild icing conditions ( =0.1), the safety landing speed can reach 75 m/s, which is enough to ensure the aircraft lands safely in a normal way.At this time, the pilot could still maintain the flight state within the safety envelope through manipulation.With the accretion of icing, the safety envelope will decrease.With severe icing conditions ( =0.2), the safety envelope shrinks deeply and the range of safe landing speeds decreases.The speed for a safe landing exceeds 80 m/s, which cannot meet the landing requirements mentioned in CCAR-25-R4.This condition is very difficult for the pilot to manipulate and increases the risk of a safe landing.Thus, the pilot should change the handling behavior.Through increasing the lift and speed, the aircraft could rise again and keep circling.After that, the deicing treatment should be conducted properly, and the landing operation is restarted until the ice is removed.

Time Domain Response Verification for Maneuvering
Coping Strategy.In this section, the time domain response verification has been done to verify the maneuvering coping strategies for different icing conditions.
For mild icing condition, the time domain simulation from the initial point A (=91m/s,  = −0.0349rad,and =40m) is shown in Figure 9.The black line represents the landing trajectory from initial A to terminal point B (=75m/s,  = 0rad, and =0m) and the trajectory can still keep in the safety envelope.This means that the mild icing envelope is safe enough for the aircraft to find at least one control for landing and the control can be easily obtained through the optimal control.Thus, this indicates that the pilot can still make a safe landing through conventional maneuver in mild icing condition.
For severe icing condition, the time domain simulation from the initial point C (=90.77m/s,  = −0.0449rad,and =41.39m) is shown in Figure 10.The black line represents    the landing trajectory with conventional maneuver.With severe icing conditions, the safety envelope shrinks deeply and there has no control to keep the landing trajectory within the safety envelope.Thus, there will be a risk of crash if the aircraft continues landing.At this time, the aircraft should stop landing and a boundary recovery manipulation can be done at the point D (= 81m/s,  = −0.065rad,and =10m).The time domain response of optimal control inputs based on the reachable set theory at the point D can be seen in Figure 11.The green line in Figure 10 represents the boundary recovery curve.The curve is from the initial point D to terminal point E (=92.31m/s, = 0.0072rad, and =44.72m).The deicing treatment can be done around the point E.Only if the mild icing condition is met after deicing, the safety envelope would enlarge enough to make the aircraft land safely.The red line from point D to the terminal point F represents the landing trajectory after deicing.

Conclusions
The safety envelope estimation based on reachability analysis is proposed in this study, which can guarantee safety of an aircraft encountering icing conditions.The feasibility of the system is verified using GTM in landing phase.The longitudinal nonlinear dynamic model of the aircraft is established based on the equations of motion and aerodynamics force and moment affected by icing.The level set method based on HJPDE is used to compute the safety envelope.The effect of flap has also been analyzed.Finally, a maneuvering coping strategy based on safety envelope is proposed.The following results were obtained.(1) The safety envelope can be denoted as the intersection between the backward and forward reachable set, and the change of flight dynamic characteristics can be observed from the safety envelope.Therefore, it is very useful to ensure aircraft safety and instructive for flight command.
(2) Flap plays a positive role in expanding the safety envelope during the landing phase, while icing will damage the dynamic characteristics of the aircraft.When the aircraft encounters icing conditions, the safety envelope will decrease.
(3) Different degrees of icing have different effects on dynamic characteristics of the aircraft.For mild icing conditions, it is still possible to secure a safe landing through the pilot's manipulation.However, for severe icing conditions, the safety envelope shrinks deeply and cannot meet the requirement for landing speed.Thus, the deicing treatment should be conducted in a proper way and the landing operation is restarted until the ice is removed.

Figure 1 :
Figure 1: The sketch map of lift coefficient of aircraft changes in clean and iced conditions.

Figure 3 :Figure 4 :
Figure 3: Lift coefficients for the different flap settings.

Figure 7 :Figure 8 :
Figure 7: Lift coefficient of aircraft changes in clean and iced.
icing safety envelope with mild icing landing trajectory with mild icing

Figure 11 :
Figure 11: Time domain response curve of control inputs.
set.Moreover, the level set function is the signed distance function.For a bounded open region Ω ∈   , the boundary is Ω ∈   , and the level set function is denoted as is the spatial gradient of ; (, ) is the level set function and Lipschitz continuous.At first, the level set function should be an implicit function, which describes the reachable

Table 1 :
Summary of flap deflection parameter values for the GTM.

Table 2 :
Effect of icing severity parameter  for the GTM.