Risk Quantification and Visualization Method for Loss-of-Control Scenarios in Flight

Abstract

This paper proposes a flight risk analysis method that combines risk assessment and visual deduction to study the causes of flight accidents, specifically the loss of control caused by failure factors. The goal is to explore the impact of these failure factors on loss-of-control events and illustrate the risk evolution under different scenarios in a clear and intuitive manner. To achieve this, the paper develops a failure scenario tree to guide flight simulations under different loss-of-control scenarios. The next step involves developing a multi-parameters risk assessment method that can quantify flight risk at each time step of the flight simulation. This assessment method uses entropy weight and a grey correlation algorithm to assign variable weights to the different parameters. Finally, the paper presents the visual deduction of the risk evolution process under different loss-of-control scenarios using a risk tree that concisely represents the time-series risk assessment results and failure logical chains. Taking three common failure factors (actuator failure, engine failure, and wing icing) as cases, the paper designs 25 different loss-of-control scenarios to demonstrate the flight risk analysis method. By comparing the risk evolution process under different loss-of-control scenarios, the paper explores the impact of the failure factors on flight safety. The analysis results indicate that this method combines risk analysis from both individual and global perspectives, enabling effective analysis of risk evolution in loss-of-control events.

1. Introduction

The primary focus of aviation safety supervision agencies is to ensure continuous risk management of aircraft [1]. One of the most significant hazardous conditions that can occur is the loss of control (LOC), which is the leading cause of fixed-wing general aviation accidents [2]. There are three main categories of factors that can cause loss-of-control events: technical failure (such as aircraft system/component failures), non-technical failure (such as flight crew omissions or inappropriate actions), and harsh environmental conditions (such as icing or wind-shear) [3]. In most cases, flight accidents, particularly fatal ones, occur as a direct result of LOC [4]. In 2019, 17% of fixed-wing general aviation accidents involved LOC, while for fatal accidents, this percentage increased to 42% [5]. Therefore, improving flight safety across loss-of-control scenarios is a crucial research objective.

Recent research efforts on LOC have focused on several areas, including modeling and simulation, flight envelope estimation, and control law design. Flight simulation is a widely used approach due to its affordability and flexibility. However, when simulating loss-of-control scenarios, it is crucial to build a high-fidelity simulation model that includes failure factors. Gumusboga et al. [6] developed a comprehensive flight dynamics model of aircraft with control surface failures. Ignatyev et al. [7] used a combination of wind tunnel tests and flight simulation to investigate the interplay of aerodynamics and flight dynamics in icing conditions. The flight envelope defines the safe boundaries within which an aircraft may be flown and recovered [8,9]. The flight envelope estimation and protection system is an augmentation to a conventional flight management system that prevents loss-of-control events [10,11]. Several methods, such as neural networks [12] and immunity-based methods [13], have been used to reliably identify the limiting flight condition boundaries, such as in the case of elevator or throttle failure. Additionally, control schemes such as fault-tolerant control [14], adaptive sliding mode control [15], and linear adaptive control [16] have been proposed to prevent aircraft with failures from exceeding the flight envelope. However, these approaches have primarily focused on addressing loss-of-control scenarios caused by a single failure factor. Overall, ongoing research aims to improve flight safety in loss-of-control scenarios through various modeling and control strategies.

However, the contributing failures can occur individually or (more often) in combination [17], which motivates the risk analysis methods for complex loss-of-control scenarios caused by multi-failure factors. Failure mode and effects analysis (FMEA) and Fault tree analysis (FTA) [18] were developed to identify and analyze known or potential failure modes. It is evident that the methods focus on a logically structured process to determine the factors and chains of failure. However, the methods cannot directly point out the impacts of failure factors on aircraft dynamic response because of the lack of flight tests or simulations under complex loss-of-control scenarios. Furthermore, some data-driven risk assessment methods have been developed for risk visualization.Typically, the risk assessment methods define risk probabilities and risk severities via probability distributions in a more precise manner according to flight data obtained via Monte-Carlo simulation or real flights [19]. Hervas et al. [20] introduced a probabilistic data-driven model based on multi-task Gaussian processes and evaluated the operational risk of multiple UAVs under complex environments. Pei et al. [21] adopted an extremum theory to quantify flight risk under icing conditions. Subsequently, Wang et al. [22] adopted a multivariate copula model to evaluate landing risk under turbulent-windshear conditions. Moreover, deep neural networks were developed for supporting risk assessment and fault diagnosis [23,24]. The results of risk assessment cannot illustrate the relationship between flight parameter abnormal variations and risk evolutions directly. Since the abnormal variations of flight parameters are closely related to flight accidents, it is feasible to evaluate the risk according to flight parameter limitations. Burdun [25] developed safety spectra to capture the complex interactions and performance variability of risk-related flight parameters. The integrated safety spectrum is mapped at the highest risk level taking into account all safety spectra for single parameters, which provides a suitable basis for risk analysis. Then, the risk value is multiplied by percentages based on different risk colors in the integrated safety spectrum to obtain a quantitative basis for measuring risk under different operational commands. References [26,27] established a flight-safety window describing two-dimensional operational domains for multi-factors conditions. Subsequently, they established flight-safety space describing three-dimensional operational domains for icing conditions. Obviously, risk evolution is a dynamic process that is related to multiple parameters. Hence, risk evaluation should be developed from single index to multi-index comprehensive evaluation.

The entropy weight method has drawn attention for its multi-index objective evaluation ability. Recently, the entropy weight method has been widely used in mine safety evaluation [28] and product comprehensive evaluation [29]. The algorithm is an objective weighting method that determines the weights of parameters by processing the information contained in their response curves. Moreover, the grey correlation algorithm is used to calculate the dynamic weight coefficient for improving safety evaluation. The evaluation method based on the entropy weight and the grey correlation has been widely used in reliability evaluation of the power system [30], design of aircraft mission success space [31], risk evaluation of the project [32], and financial investment [33]. Consequently, the evaluation method has advantages of stronger objectivity, better adaptability, and higher accuracy compared with the traditional fixed-weight method. However, there are few studies on the evaluation index system based on multiple parameters for in-flight loss-of-control scenarios. Therefore, the quantitative assessment of flight risk based on multiple parameters, with an effective visualization, is sorely needed for flight safety.

In view of the reasons stated above, this paper proposes a flight risk analysis method combined with risk quantitative assessment and visual deduction for loss-of-control events. Due to the complex mechanism of loss-of-control events caused by multiple failure factors, the failure scenario tree was developed to generate clear, logical, and orderly loss-of-control scenario schemes, which can guide flight simulation. Moreover, the multi-parameter risk assessment method with variable weight was proposed based on entropy weight and grey correlation algorithm. The method is embedded into flight simulation and qualifies risk through constructing an evaluation index system including multi-dimensional flight parameters. The risk tree was developed to concisely illustrate the comparisons of the risk evolution process under different loss-of-control scenarios. The visual deduction of the risk evolution process based on the risk tree not only reflects the logical sequence of failure factors, but also shows the dynamic nature of the risk evolution. It can facilitate revealing the mechanism of the risk evolution and presenting targeted security protection strategies across complex loss-of-control scenarios. Notwithstanding the novel method, our study has limitations. The interaction and probabilistic effects of failure factors were not considered in the study. Moreover, although previous studies have proven that human factors are also relevant to loss-of-control events, they were not considered in the study because their models were too complex to build accurately.

This paper employs a combination of loss-of-control scenario simulation, quantitative risk assessment, and risk visualization to demonstrate the impacts of failure factors on flight risk evolution and illustrate the risk evolution under different scenarios. The key contributions of this study are as follows: (1) Development of a failure scenario tree that clarifies the logical structure of loss-of-control events and guides flight simulation based on assumed loss-of-control scenarios. (2) Creation of a multi-parameter risk assessment method with variable weight, using entropy weight and a grey correlation algorithm, to accurately and rigorously quantify flight risk. (3) Development of a risk tree to concisely illustrate the comparisons of the risk evolution process.

The rest of this paper is organized as follows. In Section 2, three failure factors (actuator failure, engine failure, and wing icing) are discussed in detail, and their models are built. A failure scenario tree composed of the failure factors is built to guide flight simulation under loss-of-control scenarios. In Section 3, the flight risk analysis method combining risk quantitative assessment and visual deduction is discussed in detail. The risk crucial parameters are normalized based on the deterministic description of single parameter limitation to eliminate the impacts of their dimensions and units on risk assessment. Then, for a loss-of-control scenario, flight risk is quantified by using the multi-parameter risk assessment method based on entropy weight and grey correlation algorithm. The risk tree is constructed, including risk branches, flight risk spectrums, and risk weight performances, to realize the visual deduction of the risk evolution process under different loss-of-control scenarios. Section 4 is devoted to the risk tree that illustrates the comparisons of the risk evolution process under 25 loss-of-control scenarios. In addition, the impacts of failure factors are explored by relying on the risk tree combining flight risk spectrums and risk weight performances, and some operation strategies to respond to loss-of-control scenarios are proposed. Finally, some conclusions are presented in Section 5.

2. LOC Scenario Materials

The performance of flight maneuvers relies on the interplay between engine thrust and control surface deflection. The failure of actuators can directly impact the control surface’s ability to function correctly, while wing icing can lead to significant degradation in aerodynamic characteristics. According to [17], the worst-case scenario for flight hazards involves a combination of system failures, icing conditions, and inappropriate crew response. Crew response, which is dependent on situational awareness, handling/skill, and decision-making, is too complex to model accurately. Therefore, this paper does not take inappropriate crew response into account.

To explain the flight risk analysis method in detail and unveil the mechanisms behind loss-of-control (LOC) due to multiple failure factors, this study selected three failure factors: actuator failure, engine failure, and wing icing. Moreover, a failure scenario tree comprising these failure factors was created to guide flight simulation during LOC scenarios. The accuracy and validity of the flight simulation rely heavily on the effectiveness of the failure effect models; therefore, these models are discussed in detail.

2.1. Actuator Failure Effect Model

Each control surface is driven by the actuator. Actuator failures cause the malfunction of the control surfaces, which deteriorates the aircraft’s flight performance. There are four main types: loss failure (Equation (1)), deviation failure (Equation (2)), stuck failure (Equation (3)), and floating failure (Equation (4)). The effect of actuator failures is discussed as follows.

In the case of loss failure, the same operation input $x_{\mathrm{in}}\left(t\right)$ results in a smaller actuator output $x_{\mathrm{out}}\left(t\right)$ compared to that achieved in the case with no failure. In the case of deviation failure, there is always a deviation between operation input $x_{\mathrm{in}}\left(t\right)$ and actuator output $x_{\mathrm{out}}\left(t\right)$. In the case of stuck failure, actuator output $x_{\mathrm{out}}\left(t\right)$ is locked in a certain value and does not vary with any operation input $x_{\mathrm{in}}\left(t\right)$. In the case of floating failure, the control surface floats at a zero-moment position, and the control function of the control surface is completely lost.

$$x_{\mathrm{out}}\left(t\right)=f_l\times x_{\mathrm{in}}\left(t\right)$$

(1)

$$x_{\mathrm{out}}\left(t\right)=x_{\mathrm{in}}\left(t\right)+f_d$$

(2)

$$x_{\mathrm{out}}\left(t\right)=f_s$$

(3)

$$x_{\mathrm{out}}\left(t\right)=f_i$$

(4)

where $f_l$ is the loss failure parameter and is in the range $(0,1)$. $f_d$ is the deviation failure parameter and is usually constant. $f_s$ is the stuck failure parameter, which is constant within the limit value. $f_i$ is the floating failure parameter, which is related to the Euler angles of the aircraft and the mechanical property of the actuator.

2.2. Engine Failure Effect Model

Because the operational condition of the engines is critical, any conditions that seriously deviate from the design will result in engine failure. Only extreme faults (single or double engine failure) were modeled and analyzed here. The performance of engine failure has an immediate impact on force and moment. In addition, for twin-engine aircraft, single engine failure not only causes a thrust decrease but also results in the asymmetric yaw effect. Thus, the engine failure effect model can be expressed as:

$$\left\{\begin{array}{c}\Delta T=T_{\mathrm{left}}+T_{\mathrm{right}}-T\hfill \\ \Delta N_T=\left(T_{\mathrm{left}}-T_{\mathrm{right}}\right)\times y_T\hfill \end{array}\right.$$

(5)

where $\Delta T$ is the thrust loss, $\Delta N_T$ is the additional yawing moment, $T_{\mathrm{left}}$ is the thrust of the left engine, $T_{\mathrm{right}}$ is the thrust of the right engine, T is the gross thrust without fault, $y_T$ is the distance from the center of thrust to the vertical symmetrical plane of the aircraft body.

2.3. Wing Icing Effect Model

Aircraft icing can cause severe aerodynamic and flight mechanical effects [34]. The main aerodynamic degradation is expected to be caused by wing icing and manifests itself in reduced lift and stall characteristics and increased drag [35]. To comprehensively analyze the effects of ice accretion on the aircraft flight dynamic characteristics, Bragg et al. [36] developed the following simple but physically representative model, as shown in Equation (6). The approach uses $\eta$ and $k_{i,\mathrm{ice}}$ to characterize the effects of various icing conditions on aircraft aerodynamic coefficients; this approach has simple forms and clear physical significance.

$$C_{i\left(\mathrm{ice}\right)}=C_i+\eta k_{i,\mathrm{ice}}{C}_i$$

(6)

where $C_i$ denotes the parameter affected by aircraft icing, $k_{i,\mathrm{ice}}$ is the icing sensitivity coefficient, and $\eta \in \left[0,3\right]$ represents the severity of icing. The case of ice shedding corresponds to a sudden zero in the aircraft-icing parameter $\eta$.

However, the icing sensitivity coefficient $k_{i,\mathrm{ice}}$ is related to the aircraft’s structural configuration, airfoil, etc. [34]. Hence, the value ranges of $k_{i,\mathrm{ice}}$ for the various aerodynamic coefficients need to be determined before flight simulation, which can be seen in

Table 1. $k_{i,\mathrm{ice}}$ of the aerodynamic coefficients.

${\mathit{C}}_{*}$	$C_{L_a}$	$C_{D_a}$	$C_{l_a}$	$C_{l_{{\delta }_a}}$	$C_{l_p}$
${\mathit{k}}_{i,ice}$	$-0.138$	$0.121$	$-0.075$	$-0.083$	$-0.077$
${\mathit{C}}_{*}$	$C_{m_a}$	$C_{m_{{\delta }_{\mathrm{e}}}}$	$C_{m_q}$	$C_{n_{{\delta }_{\mathrm{r}}}}$	$C_{n_{\mathrm{r}}}$
${\mathit{k}}_{i,ice}$	$-0.073$	$-0.074$	$-0.026$	$-0.055$	$-0.043$

.

In actual flight conditions, aerodynamic characteristics on both sides of the wing may differ because of the randomness of ice shedding and anti-icing/deicing system failure. Hence, an asymmetric icing effect model was established. The difference in the lift force and drag force between the left and right wing halves is expressed as follows:

$$\left\{\begin{array}{c}\Delta L_{ice}=\frac{1}{2}Q{S}_w{d}_{mgc}\left(C_{L\_\mathrm{left}}-C_{L\_\mathrm{right}}\right)\hfill \\ \Delta N_{ice}=\frac{1}{2}Q{S}_w{d}_{mgc}\left(C_{D\_\mathrm{right}}-C_{D\_\mathrm{left}}\right)\hfill \end{array}\right.$$

(7)

where $\Delta L_{ice}$ is the additional rolling moment, $\Delta N_{ice}$ is the additional yawing moment, Q is the dynamic pressure, $d_{mgc}$ is the distance along the body X-axis from the mean geometric chord to the aircraft center line, $S_w$ is the wing area, $C_{L\_\mathrm{left}}$, $C_{D\_\mathrm{left}}$, $C_{L\_\mathrm{right}}$, and $C_{D\_\mathrm{right}}$ represent the icing coefficient, which varies across icing conditions.

2.4. Failure Scenario Tree

Burdun [25] developed the situational tree containing baseline scenarios and operational factors to examine the combined effects of various operational factors on an aircraft’s safety performance. Inspired by that, the failure scenario tree is proposed to guide flight simulations under loss-of-control scenarios with several failure factors tightly coupled. A failure scenario tree is composed of static fault chains and is an oriented diagram with pre-designed loss-of-control scenarios at its core. It consists of failure nodes (failure factors) and oriented arcs (failure processes). In a failure scenario tree, the node is the discrete component, and the oriented arc is the continuous component. The node can denote the failure factor, restoring factor, or operation factor. The oriented arc reflects the inherent logical relationship of coupling between flight dynamics, failure factors, and flight safety. As a result, the failure scenario tree begins from the safe flight state that is initially trimmed and undergoes multi-failure factors and the failure processes between the failure factors, finally ending with the accident criterion.

The cognition for loss-of-control scenarios should be developed from two aspects: the micro-structure of the flight (a failure scenario branch) and the macro-structure of the flight (a failure scenario tree). The relationship between these two structures is shown in Figure 1. The failure scenario tree ${\mathit{\Omega }}_{\mathrm{TR}}$ contains n failure nodes, $E_j$, and N failure scenario branches, $S_{i_{*}}$. The failure scenario branch $S_{i_{*}}\in {\mathit{\Omega }}_{\mathrm{TR}}$, whose character depends on failure node set ${\mathit{E}}^{*}$ and failure process set ${\mathit{\Phi }}^{*}$, is given by Equation (8). Typically, the single loss-of-control scenario composed of a failure factor and the complex loss-of-control scenario composed of coupled multi-failure factors are both described by the failure scenario branch, $S_{i_{*}}$,

$$S_{i_{*}}=({\mathit{E}}^{*},{\mathit{\Phi }}^{*}),i_{*}\in \{1,\cdots ,N\}$$

(8)

where ${\mathit{E}}^{*}$ is a subset of the failure node set $\mathit{E}$, and ${\mathit{\Phi }}^{*}$ is a subset of the failure process set, $\mathit{\Phi }$.

The failure scenario branch and the failure scenario tree are shown in Figure 1. The operation node represents the event where the pilot performs normal or upset recovery maneuvers. The failure node represents the event of incorrect maneuver, component, or system faults, and harsh environments, such as a stuck actuator, system degradation, or aircraft icing. The restoring node represents the event of a component or system fault that is automatically or manually repaired, such as control law reconstruction, actuator repair, engine restart, or escape from a harsh environment. The overall goal of constructing the failure scenario tree is to examine the combined impacts of various failure factors on the aircraft’s performance by guiding the flight simulation under the failure scenarios and then generate missing flight data on multi-failures scenarios in advance.

As the process shows in Figure 2, flight simulation under the loss-of-control scenario typically involves the flight boundary of the aircraft that is characterized by longitudinal and lateral coupling characteristics. The characteristics are nonlinear, and their effects are not negligible. Therefore, it is appropriate to use the six-degree-of-freedom (six-DOF) equations to simulate the dynamic response of the aircraft [37]. When the aircraft encounters failure problems, variables and coefficients in its six-DOF equations must be modified according to Equations (1)–(7). As the flight risk analysis method combining risk quantitative assessment and visual deduction is the core of the study, the model of rigid aircraft motion will not be discussed further in this study. Readers can refer to [38] for more details. For the atmospheric data and approximation of the international standard atmosphere, readers can refer to [39]. In addition, a number of assumptions should be explicated. The atmospheric turbulence and the fuel consumption were neglected during flight simulation.

2.5. LOC Scenarios Simulation Cases

In this paper, the aircraft is powered by two engines, and allows for control over three control surfaces (elevator ${\delta }_{\mathrm{e}}$, aileron ${\delta }_{\mathrm{a}}$, and rudder ${\delta }_{\mathrm{r}}$) and throttle ${\delta }_{\mathrm{th}}$. The units and limitations of control variables are given in

Table 2. The operation input units and limitations.

Operation	Units	Limitation
Elevator ${\delta }_{\mathrm{e}}$	degree	$[-30,20]$
Aileron ${\delta }_{\mathrm{a}}$	degree	$[-30,30]$
Rudder ${\delta }_{\mathrm{r}}$	degree	$[-45,45]$
Throttle ${\delta }_{\mathrm{th}}$	%	$[0,100]$

. It should be noted that throttle ${\delta }_{\mathrm{th}}=0$ means that throttle levers are at idle position.

While climb makes up 14% of flight time, this phase accounts for 10% of the fatal accidents and 20% of the onboard fatalities [40]. Climb-turn is a complex climb maneuver because it depends on the combination of engine thrust and three control surfaces’ deflection. Hence, climb-turn was selected in this paper. In order to track the flight commands (commanded airspeed $V_{\mathrm{cmd}}$, commanded climb rate ${\dot{H}}_{\mathrm{cmd}}$ and commanded bank angle ${\varphi }_{\mathrm{cmd}}$), an autopilot based on a proportional–integral–derivative controller was designed, and its control laws are introduced as follows:

$$\Delta {\delta }_{\mathrm{e}}=K_{p\dot{H}}\Delta \dot{H}+K_{i\dot{H}}\Delta \ddot{H}+K_{d\dot{H}}q$$

(9)

$$\Delta {\delta }_{\mathrm{a}}=K_{p\varphi }\Delta \varphi +K_{i\varphi }\Delta \dot{\varphi }+K_{d\varphi }p$$

(10)

$$\Delta {\delta }_{\mathrm{r}}=K_{p\beta }\Delta \beta +K_{i\beta }\Delta \dot{\beta }+K_{d\beta }r$$

(11)

$$\Delta {\delta }_{\mathrm{th}}=K_{pT}\Delta V$$

(12)

where $K_{*}$ is the controller parameter, $\Delta \dot{H}$, $\Delta \varphi$, $\Delta \beta$ and $\Delta V$ denote the increment of command and actual signal.

A loss-of-control scenario is a representation of the specific failure scenario branch composed of failure nodes and failure processes. The sequence starts with an initiating event, followed by failure nodes, and finally concludes in the end state. According to statistical analysis of the factors contributing to LOC accidents, three common failure factors (actuator failure, engine failure, and wing icing) were selected as cases. According to LOC accident characteristics, a list of 17 failure nodes is assumed, as shown in

Table 3. Failure node $E_j$.

${\mathit{E}}_{*}$	Failure Node	${\mathit{E}}_{*}$	Failure Node
$E_{\mathrm{start}}$	Start	$E_{\mathrm{fai}\_0}$	Actuator is repaired and works properly
$E_{\mathrm{end}}$	End	$E_{\mathrm{fai}\_1}$	${\delta }_a$ is stuck at 5 degree
$E_{\mathrm{ice}\_0}$	No icing, $\eta =0$	$E_{\mathrm{fai}\_2}$	${\delta }_e$ is stuck at 5 degree
$E_{\mathrm{ice}\_1}$	Light icing, $\eta =1$	$E_{\mathrm{fai}\_3}$	Elevator float
$E_{\mathrm{ice}\_2}$	Heavy icing, $\eta =3$	$E_{\mathrm{T}\_1}$	Single engine failure
$E_{\mathrm{ice}\_3\mathrm{l}}$	Asymmetric light icing, $\eta =1$	$E_{\mathrm{T}\_2}$	Double engine failure
$E_{\mathrm{ice}\_3\mathrm{h}}$	Asymmetric heavy icing, $\eta =3$	$E_{\mathrm{T}\_3}$	Faulty engines restart successfully
$E_{\mathrm{ice}\_4}$	Ice shedding, $\eta =0$	$E_{\mathrm{level}}$	Terminate the task and recover to level
$E_{\mathrm{ice}\_5}$	Anti-icing/deicing system work		flight. ${\dot{H}}_{\mathrm{cmd}}=0$ m/s, ${\varphi }_{\mathrm{cmd}}=0$ degree

, and a list of 10 failure processes is developed, as shown in

Table 4. Failure process ${\Phi }_s$.

${\mathit{\Phi }}_{*}$	Failure Process	${\mathit{\Phi }}_{*}$	Failure Process
${\Phi }_0$	No failure	${\Phi }_{\mathrm{f}\_1}$	Actuator stuck
${\Phi }_{\mathrm{i}\_1}$	Ice accumulate	${\Phi }_{\mathrm{f}\_2}$	Actuator float free
${\Phi }_{\mathrm{i}\_2}$	Ice decrease	${\Phi }_{\mathrm{T}\_1}$	No thrust
${\Phi }_{\mathrm{i}\_3}$	Ice changes asymmetrically	${\Phi }_{\mathrm{T}\_2}$	Asymmetry thrust
${\Phi }_{\mathrm{i}\_4}$	Ice remains fixed	${\Phi }_{\mathrm{level}}$	Wing level

. The combination of failure nodes and failure processes can result in many possible failure scenario branches. By reference to the existed LOC accidents [5], 25 preplanned loss-of-control scenarios were defined as shown in

Table 5. Failure scenario branch $S_{i_{*}}$.

${\mathit{S}}_{*}$	Definition	${\mathit{S}}_{*}$	Definition
$S_0$	$E_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{end}}$	$S_{13}$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{fai}\_3}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_1}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{ice}\_5}\hfill \\ \stackrel{{\Phi }_{\mathrm{i}\_2}}{\to }{E}_{\mathrm{ice}\_0}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{level}}\stackrel{{\Phi }_{\mathrm{level}}}{\to }{E}_{\mathrm{end}}\hfill \end{array}$
$S_1$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_1}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{ice}\_5}\stackrel{{\Phi }_{\mathrm{i}\_2}}{\to }{E}_{\mathrm{ice}\_0}\hfill \\ \stackrel{{\Phi }_0}{\to }{E}_{\mathrm{end}}\hfill \end{array}$	$S_{14}$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{fai}\_3}\stackrel{{\Phi }_{\mathrm{f}\_2}}{\to }{E}_{\mathrm{fai}\_0}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{level}}\hfill \\ \stackrel{{\Phi }_{\mathrm{level}}}{\to }{E}_{\mathrm{end}}\hfill \end{array}$
$S_2$	$E_{\mathrm{start}}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_1}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{fai}\_2}\stackrel{{\Phi }_{\mathrm{f}\_1}}{\to }{E}_{\mathrm{end}}$	$S_{15}$	$E_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{fai}\_1}\stackrel{{\Phi }_{\mathrm{f}\_1}}{\to }{E}_{\mathrm{end}}$
$S_3$	$E_{\mathrm{start}}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_1}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{end}}$	$S_{16}$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{fai}\_1}\stackrel{{\Phi }_{\mathrm{f}\_1}}{\to }{E}_{\mathrm{T}\_1}\stackrel{{\Phi }_{\mathrm{T}\_2}}{\to }{E}_{\mathrm{T}\_3}\hfill \\ \stackrel{{\Phi }_{\mathrm{f}\_1}}{\to }{E}_{\mathrm{end}}\hfill \end{array}$
$S_4$	$E_{\mathrm{start}}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_1}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{fai}\_3}\stackrel{{\Phi }_{\mathrm{f}\_2}}{\to }{E}_{\mathrm{end}}$	$S_{17}$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{fai}\_1}\stackrel{{\Phi }_{\mathrm{f}\_1}}{\to }{E}_{\mathrm{T}\_1}\stackrel{{\Phi }_{\mathrm{i}\_2}}{\to }{E}_{\mathrm{ice}\_3\mathrm{l}}\hfill \\ \stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{end}}\hfill \end{array}$
$S_5$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_1}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{ice}\_5}\stackrel{{\Phi }_{\mathrm{i}\_3}}{\to }{E}_{\mathrm{ice}\_3\mathrm{l}}\hfill \\ \stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{end}}\hfill \end{array}$	$S_{18}$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{fai}\_1}\stackrel{{\Phi }_{\mathrm{f}\_1}}{\to }{E}_{\mathrm{fai}\_0}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{level}}\hfill \\ \stackrel{{\Phi }_{\mathrm{level}}}{\to }{E}_{\mathrm{end}}\hfill \end{array}$
$S_6$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_2}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{ice}\_5}\stackrel{{\Phi }_{\mathrm{i}\_2}}{\to }{E}_{\mathrm{ice}\_1}\hfill \\ \stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{end}}\hfill \end{array}$	$S_{19}$	$E_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{T}\_1}\stackrel{{\Phi }_{\mathrm{T}\_2}}{\to }{E}_{\mathrm{T}\_3}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{end}}$
$S_7$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_2}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{ice}\_5}\stackrel{{\Phi }_{\mathrm{i}\_2}}{\to }{E}_{\mathrm{ice}\_0}\hfill \\ \stackrel{{\Phi }_0}{\to }{E}_{\mathrm{end}}\hfill \end{array}$	$S_{20}$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{T}\_1}\stackrel{{\Phi }_{\mathrm{T}\_2}}{\to }{E}_{\mathrm{T}\_3}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_1}\hfill \\ \stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{end}}\hfill \end{array}$
$S_8$	$E_{\mathrm{start}}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_2}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{end}}$	$S_{21}$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{T}\_1}\stackrel{{\Phi }_{\mathrm{T}\_2}}{\to }{E}_{\mathrm{T}\_2}\stackrel{{\Phi }_{\mathrm{T}\_1}}{\to }{E}_{\mathrm{T}\_3}\hfill \\ \stackrel{{\Phi }_0}{\to }{E}_{\mathrm{end}}\hfill \end{array}$
$S_9$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_2}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{ice}\_5}\stackrel{{\Phi }_{\mathrm{i}\_3}}{\to }{E}_{\mathrm{ice}\_3\mathrm{h}}\hfill \\ \stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{end}}\hfill \end{array}$	$S_{22}$	$E_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{T}\_1}\stackrel{{\Phi }_{\mathrm{T}\_2}}{\to }{E}_{\mathrm{end}}$
$S_{10}$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_2}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{ice}\_5}\stackrel{{\Phi }_{\mathrm{i}\_3}}{\to }{E}_{\mathrm{ice}\_3\mathrm{h}}\hfill \\ \stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{ice}\_4}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{end}}\hfill \end{array}$	$S_{23}$	$E_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{T}\_2}\stackrel{{\Phi }_{\mathrm{T}\_1}}{\to }{E}_{\mathrm{T}\_3}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{end}}$
$S_{11}$	$E_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{fail}\_3}\stackrel{{\Phi }_{\mathrm{f}\_2}}{\to }{E}_{\mathrm{end}}$	$S_{24}$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{T}\_2}\stackrel{{\Phi }_{\mathrm{T}\_1}}{\to }{E}_{\mathrm{T}\_3}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_1}\hfill \\ \stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{end}}\hfill \end{array}$
$S_{12}$	$\begin{array}{c}{E}_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{fai}\_3}\stackrel{{\Phi }_{\mathrm{i}\_1}}{\to }{E}_{\mathrm{ice}\_1}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{ice}\_5}\hfill \\ \stackrel{{\Phi }_{\mathrm{i}\_3}}{\to }{E}_{\mathrm{ice}\_3\mathrm{l}}\stackrel{{\Phi }_{\mathrm{i}\_4}}{\to }{E}_{\mathrm{end}}\hfill \end{array}$	$S_{25}$	$E_{\mathrm{start}}\stackrel{{\Phi }_0}{\to }{E}_{\mathrm{T}\_2}\stackrel{{\Phi }_{\mathrm{T}\_1}}{\to }{E}_{\mathrm{end}}$

. According to the preplanned loss-of-control scenarios, the failure scenario tree can be classified into 6 groups of failure scenario branches: light icing, heavy icing, elevator failure, aileron failure, single engine failure, and double engine failure, as shown in Figure 3.

By modifying the variables and the coefficients in six-DOF equations according to the failure scenario branches, the climb-turn simulation of aircraft under loss-of-control scenarios was conducted. The initial flight state was set to maintain level flight at $H=3000$ m, $V_0=130$ m/s, then the aircraft initiates the climb-turn with a commanded airspeed $V_{\mathrm{cmd}}=130$ m/s, commanded climb rate ${\dot{H}}_{\mathrm{cmd}}=10$ m/s, and commanded bank angle ${\varphi }_{\mathrm{cmd}}=20$ degrees. The flight simulation time was set at 300 s. The results of three-dimensional (3-D) flight path are given in Figure 4. It should be noted that the Z-axis has negative numbers for increasing altitude. In Figure 4, compared with the flight path of $S_0$, the climb-turn of aircraft under loss-of-control scenarios succeeded three times ($S_1$, $S_3$, and $S_5$), deviated four times ($S_6$, $S_7$, $S_{19}$, and $S_{20}$), and others all end with aircraft crash. The simulation results will be discussed in detail in Section 4.

3. Risk Analysis Methodology

Flight risk is closely accompanied by flight parameter abnormal variations, so it is feasible to evaluate risk by analyzing the parameter variations [26]. The traditional evaluation of flight risk is based on the description of a single parameter limitation. By referring to the limitation described in the flight manual, the risk-related flight parameters can be determined, and the severity of risk can be directly assessed. However, the conventional risk evaluation method has limitations as a result of considering only one flight parameter and a hard boundary as binary separation between safety and risk. On the one hand, flight risk evolution is a dynamic process related to multi-dimensional flight parameters coupling characteristics. On the other hand, the conversion between the safety state and risk state may be instantaneous or gradual and positive or reverse during flight. Hence, flight risk assessment should be adapted from single-parameter evaluation to multi-parameters comprehensive evaluation.

Risk quantitative assessment and visual deduction are involved in the proposed risk analysis method. The procedure can be summarized as follows.

Step 1: Risk level evaluation for single parameter. The risk crucial parameters are normalized by using the standardization method of multi-scaled variables, which can eliminate the impacts of their dimensions and units on risk assessment. The hardline graph for risk-related flight parameters is transformed into a color-coded graph categorized by flight risk spectrum.

Step 2: Risk comprehensive assessment for multi-parameters. Based on the risk spectrum of all risk-related flight parameters, flight risk is quantified at each time step of flight simulation by using the multi-parameter risk assessment method based on entropy weight and the grey correlation algorithm. The integrated risk spectrum exhibiting the color-coded time-history of flight risk status is determined.

Step 3: Risk visual deduction. According to the integrated risk spectrums, a risk tree including some risk branches is constructed to realize the visual deduction of the risk evolution process under different loss-of-control scenarios.

The schematic diagram is shown in Figure 5, and the details will be further discussed in the sections below.

3.1. Flight Risk Spectrum for Single Parameter

Color is the most succinct and efficient medium for storing and communicating risk-related information from an operator (a pilot or automaton). The visual alert has been widely used in aircraft alerting systems to immediately inform the crew of specific non-normal aircraft conditions [41]. The color-coded requirements of warning levels, display features, and human engineering considerations have been discussed in [42]. Hence, a color-coded graph may be more appropriate than a hardline graph for denoting flight-risk parameters [25]. A standardization method of multi-scaled variables based on the risk level evaluation of single parameters was proposed to divide the risk level of flight parameters and confirm whether the corresponding flight state has a positive or negative level of risk, which can be used to better denote flight parameter variations (and thus, flight-risk evolution). The relationship’s color-coded interval and fuzzy constraint is shown in Figure 6. Five basic colors (i.e., green, yellow, red, grey, and black) are used to denote risk levels (i.e., ‘normal’, ‘warning’, ‘dangerous’, ‘uncertain’, and ‘catastrophic’) of each flight parameter, respectively, which is elected as the risk-related flight parameter. The shades of color represent the positive and negative level of risk of the risk-related flight parameter.

Here, x represents a certain risk-related flight parameter. $x_0$ represents a datum reference point whose value is usually set to 0 or trimmed value. $x_g$ and $x_h$ represent the lower and upper limits of x, respectively. While $x\le x_g$ or $x\ge x_h$, the risk level of x is ‘catastrophic’, which indicates that an incident event is inevitable, and only expressed by black. When $x\in [x_g,x_e)\cup [x_f,x_h)$, the risk level of x is ‘uncertain’ and is expressed by light grey and dark grey, respectively. When $x\in [x_e,x_c)\cup [x_d,x_f)$, the risk level of x is ‘dangerous’ and is expressed by light red and dark red, respectively. When $x\in [x_c,x_a)\cup [x_b,x_d)$, the risk level of x is ‘warning’ and is expressed by light yellow and dark yellow, respectively. Finally, when $x\in [x_a,x_0)\cup [x_0,x_b)$, the risk level of x is ‘normal’ and is expressed by light green and dark green, respectively. It should be noted that the colored interval and fuzzy constraint of flight parameters are closely related to their available limitations.

An example specification of colored intervals for selected risk-related flight parameters during climb maneuver is presented in

Table 6. Colored interval of risk-related flight parameters.

Parameter	Unit	Break Point
			$x_g$		$x_e$		$x_c$		$x_a$		$x_0$		$x_h$		$x_d$		$x_f$		$x_h$
Airspeed V	m/s		60		70		80		95		130		205		235		255		275
Climb rate $\dot{H}$	m/s		−24		−21		−12		0		10		15		18		21		24
Angle of attack $\alpha$	${}^{\circ }$		−10		−8		−5		−2		4.5		14		16		18		20
Sideslip angle $\beta$	${}^{\circ }$		−45		−35		−25		−20		0		20		25		35		45
Bank angle $\varphi$	${}^{\circ }$		−65		−60		−50		−35		0		35		50		60		65
Roll rate p	${}^{\circ }/\mathrm{s}$		−40		−33		−25		−15		0		15		25		33		40
Pitch rate q	${}^{\circ }/\mathrm{s}$		−32		−27		−21		−13		0		13		21		27		32
Yaw rate r	${}^{\circ }/\mathrm{s}$		−32		−27		−21		−13		0		13		21		27		32

. The break points were set based on the limitations of the risk-related flight parameters described in the flight manual, except for $x_0$. A safe and comfortable climb maneuver should be a steady climb within the available limitations. A steady climb means that the aircraft maintains wing level without roll or yaw. To avoid complex calculations and improve the applicability of the colored intervals, the value of the datum reference point $x_0$ was set to the trim value under steady climb conditions, namely, the trim airspeed $V_0=130$ m/s, the trim climb rate ${\dot{H}}_0=10$ m/s, and the trim angle of attack ${\alpha }_0=4.5$ degrees. An example of the risk spectrum for a single flight parameter ($\alpha$) is shown in Figure 7. The colored stripes in the table represent the colored intervals of the risk level of the risk-related flight parameter, which satisfy the condition that the constraints of flight parameters are fuzzy. However, this risk evaluation based on the description of single parameter limitation is simplistic and lacks attention to the multi-dimensional coupling characteristics of flight parameters.

The performances of risk-related flight parameters were transformed to the flight risk spectrum, which can visually display the risk level changes of them, according to Table 6. In order to construct a risk assessment matrix containing all risk-related flight parameters, five basic colors representing risk levels should be specified numerical values (i.e., risk spectrum values). Consequently, the risk spectrum value of the i–th risk-related flight parameter $c_i\left(t\right)$ is determined by Equation (13). It should be noted that the difference of risk spectrum value of neighboring colored intervals gradually increased from the center to both sides for distinguishing incident conditions from safer flight conditions. Each risk spectrum of single risk-related flight parameters can provide much valuable information. Hence, it is crucial to quantify flight risk by comprehensively processing the information contained in the risk spectrum of all risk-related flight parameters.

$$c_i\left(t\right)=\left\{\begin{array}{cc}14& x\ge x_h\\ 10& x_f\le x<x_h\\ 6& x_d\le x<x_f\\ 3& x_b\le x<x_d\\ 1& x_0\le x<x_b\\ -1& x_a\le x<x_0\\ -3& x_{\mathrm{c}}\le x<x_a\\ -6& x_e\le x<x_{\mathrm{c}}\\ -10& x_g\le x<x_e\\ -14& x<x_g\end{array}\right.$$

(13)

3.2. Flight Risk Comprehensive Assessment

As mentioned earlier, flight risk quantification by comprehensively processing the risk spectrum of all risk-related flight parameters can facilitate the construction of an integrated risk spectrum whose variations can directly reflect the evolution of flight risk. A risk quantification method based on multi-dimensional flight parameters was proposed. This was different from the method that determines the integrated safety spectrum at each time step through simple comparison in [25,26,27]. The value of the integrated risk spectrum is obtained through a weighted calculation of the risk spectrum values of n risk-related flight parameters at time t. The integrated risk value $R\left(t\right)$ is expressed, as shown in Equation (14). As a result, flight risk quantification is closely related to the weight coefficients of risk-related flight parameters.

$$R\left(t\right)=\sum _{i=1}^m{p}_i\left(t\right)\times \left|c_i\left(t\right)\right|$$

(14)

where $p_i\left(t\right)$ is the variable weight, which is obtained by using entropy weight and the grey correlation algorithm.

In order to satisfy the accuracy and rigorousness of flight risk quantification, a multi-parameter risk assessment method with variable weight based on entropy weight and the grey correlation algorithm is proposed. The risk assessment method is an objective weighting method that determines the dynamic weights of risk-related flight parameters by processing the information contained in the risk spectrum. The process of flight risk quantification is given as follows.

The risk evaluation matrix $\mathit{C}$ at time t is constructed first, as shown in Equation (15), which is composed of the risk reference sequence ${\mathit{C}}_0$ and risk spectrum matrix ${\mathit{C}}_{mn}$.

$$\mathit{C}=\left[\begin{array}{c}{\mathit{C}}_0\hfill \\ {\mathit{C}}_{mn}\hfill \end{array}\right]=\left[\begin{array}{ccc}{c}_{01}& \cdots & c_{0n}\\ c_{11}& \cdots & c_{1n}\\ ⋮& \cdots & ⋮\\ c_{m1}& \cdots & c_{mn}\end{array}\right]$$

(15)

where $c_{i{j}_{*}}=\left|c_i\left(t_{*}\right)\right|$, $j_{*}=t_{*}\times f_s+1$, $t_{*}\in [0,t]$, m is the number of risk-related flight parameters, $n=t\times f_s+1$ is the number of samples, and $f_s$ is sampling frequency.

Calculate the information entropy of the i-th risk-related parameter, $H_{ij}$, as shown in Equation (16). The information entropy is a probability-based index used to measure the “uncertainty”, “disorder”, or “surprise” in a system. It quantifies how “informative” or “surprising” the entire set of risk-related parameters is, based on the average of all possible outcome information.

$$H_{ij}=-\frac{1}{lnn}\sum _{j_{*}=1}^n{f}_{i{j}_{*}}ln{f}_{i{j}_{*}}$$

(16)

where

$$f_{i{j}_{*}}=\frac{c_{i{j}_{*}}}{{\displaystyle \sum _{j_{*}=1}^n}{c}_{i{j}_{*}}}$$

(17)

Then, calculate the entropy weight ${\omega }_{ij}$ that represents the relative importance of the i-th risk-related parameter, as shown in Equation (18).

$${\omega }_{ij}=\frac{{\displaystyle \sum _{i=1}^m}{H}_{ij}+1-2H_{ij}}{{\displaystyle \sum _{i=1}^m}\left({\displaystyle \sum _{i=1}^m}{H}_{ij}+1-2H_{ij}\right)}$$

(18)

Calculate the grey correlation coefficient ${\xi }_{i{j}_{*}}$ that represents the level of correlation between risk reference sequence ${\mathit{C}}_0$ and the risk spectrum sequence of the i-th risk-related parameter ${\mathit{C}}_{in}$, as shown in Equation (19) [31],

$${\xi }_{i{j}_{*}}=\frac{\left\{\underset{i=1}{\overset{m}{min}}\left[\underset{j_{*}=1}{\overset{n}{min}}\left|c_{i{j}_{*}}-c_{0j_{*}}\right|\right]+\kappa \underset{i=1}{\overset{m}{max}}\left[\underset{j_{*}=1}{\overset{n}{max}}\left|c_{i{j}_{*}}-c_{0j_{*}}\right|\right]\right\}}{\left\{\left|c_{i{j}_{*}}-c_{0j_{*}}\right|+\kappa \underset{i=1}{\overset{m}{max}}\left[\underset{j_{*}=1}{\overset{n}{max}}\left|c_{i{j}_{*}}-c_{0j_{*}}\right|\right]\right\}}$$

(19)

where $\kappa \in \left(0,1\right)$ is the discrimination coefficient and is generally set to $0.5$.

Calculate the grey correlation degree of the i-th risk-related parameter $g_{ij}$, as shown in Equation (20). It denotes the comparative evaluation of the risk reference sequence and the i-th risk spectrum sequence.

$$g_{ij}=\sum _{j_{*}=1}^n{\omega }_{ij}{\xi }_{i{j}_{*}}$$

(20)

$$p_{ij}=\frac{g_{ij}}{{\displaystyle \sum _{i=1}^m}{g}_{ij}}$$

(21)

The risk weight of the i-th risk-related parameter $p_{ij}$ is shown in Equation (21). An example of the risk weight performance is shown in Figure 8. The risk weights reflect the correlation between risk-related flight parameters and the integrated risk and help determine flight parameter impact on flight risk.

The value of integrated risk at time t is shown in Equation (22),

$$R\left(t\right)=\sum _{i=1}^m{p}_{ij}{c}_{ij}$$

(22)

The colored interval of integrated risk differs slightly from that of risk-related flight parameters, as shown in

Table 7. Integrated risk spectra and the colored interval of R.

Colored Interval
Integrated risk point		1.325		1.625		2.250		2.625

. Because the value of integrated risk R is always greater than 0, it is not necessary to use shades of color represent the positive and negative level of integrated risk. If $R<1.325$, then the integrated risk level is ‘normal’, which is expressed by green. When $R\in [1.325,1.625)$, the integrated risk level is ‘warning’, which is expressed by yellow. When $R\in [1.625,2.250)$, the integrated risk level is ‘dangerous’, which is expressed by red. When $R\in [2.250,2.625)$, the integrated risk level is ‘uncertain’, which is expressed by grey. When $R\ge 2.625$, the integrated risk level is ‘catastrophic’, which is expressed by black. An example of the flight risk spectrum composed of the integrated risk spectrum and the m risk spectrums of the risk-related flight parameter is shown in Figure 9.

3.3. Flight Risk Visual Deduction

A flight risk spectrum is a concise, coherent, informative expression of flight risk and risk-related flight parameters’ performance. However, a flight risk spectrum only exhibits the flight risk evolution process under a loss-of-control scenario.

The traditional FTA is a top-down, deductive risk analysis approach and has been widely used in risk evaluation, reliability analysis, and accident analysis [43]. Fault trees consist of three basic elements: events, arcs, and logic gates. The division of fault tree branches is governed by logic gates. In order to pin down failure factors at the lower levels of the system, the logic of the tree runs from a top event to failure events. However, the dynamic characterization of failure factors, including order, duration, and severity, can influence aircraft dynamic response as well as risk evolution.

FTA focuses on failure factors’ logical relationship of failure factors instead of dynamic characterization, so it cannot clearly describe the logical and time-correlated relationship between failure occurrence, aircraft dynamic response and risk evolution. As a result, the risk tree that contains the time-series risk evolution and failure logical chains visualization information was proposed to facilitate the comparisons of flight risk evolution under different loss-of-control scenarios. The risk tree takes the occurrences of failure factors as nodes of furcation and takes integrated risk spectrums as branches for realizing the visual deduction of the risk evolution process under different loss-of-control scenarios. An example of the risk tree is shown in Figure 10. The risk tree combining flight risk spectrums and risk weight performances can reveal the mechanism of LOC induced by coupled multi-failure factors.

4. Results and Analysis

4.1. Risk Tree of 25 LOC Scenarios

We took 25 loss-of-control scenarios described in Section 2.5 as examples. According to flight data from the climb-turn simulation of aircraft under loss-of-control scenarios, flight risk was accurately quantified by comprehensively processing the flight risk spectrum of all risk-related flight parameters. A risk tree representing the flight risk evolution process under 25 loss-of-control scenarios was constructed, as shown in Figure 11. It was mainly composed of six groups of failure scenario branches: light icing, heavy icing, elevator failure, aileron failure, single engine failure, and double engine failure.

The trunk of the risk tree represented the flight risk evolution process of the climb-turn under a no-failure scenario. The aircraft changed from level flight to a climb-turn by the coordinated deflections of the aileron, rudder, and elevator, as shown in Figure 12. The continuous tiny variation of both ${\delta }_{\mathrm{a}}$, ${\delta }_{\mathrm{e}}$ and ${\delta }_{\mathrm{r}}$ occurred from 50 s to 300 s. Because altitude, pressure, temperature, and density of air can affect aircraft performance, the autopilot automatically slightly adjusts throttle and three control surfaces deflection to track the flight commands during the climb-turn. In addition, the flight risk spectrum and the risk weight performance are shown in Figure 13a,b, respectively. Figure 13a shows that risk-related flight parameters were all within ‘normal’ ranges. Figure 13b shows that the risk weight of the roll rate, $w_p$, had an overshoot of 34.4%, and the risk weight of the yaw rate, $w_r$, had a 5.6% overshoot. This is because the risk-related flight parameters, the roll rate, p, and yaw rate, r, would change rapidly to eliminate the errors between dynamic response and the control command during the initial phase of the climb-turn.

4.2. Risk Analysis of 25 LOC Scenarios

4.2.1. Light Icing Baseline Scenario

The branch that represents the flight risk evolution process of the climb-turn under the light icing condition is shown in Figure 14f. Light icing had little impact on the flight safety of the climb-turn, as shown in Figure 14a,c,e. The increase in drag and the decrease in lift caused by light icing could be tolerated by adjusting the thrust and actuator deflection (Figure 15a–d). The loss of force and the moment were compensated for, and the attitude of the aircraft was stabilized. However, light icing combined with elevator failure had a greater impact on the flight safety of the climb-turn, as shown in Figure 14b,d. The elevator failures (stuck at 5 degrees or float) resulted in an immediate break in longitudinal stability. For scenario $S_2$, the elevator becoming stuck results in a decrease in pitch moment, then the pitch angle $\theta$ of the aircraft goes down to around $-50$ degrees gradually. For scenario $S_4$, the elevator float results in an oscillation in pitch angle $\theta$ because of the static stability characteristics of the aircraft. Although the pitch angle, $\theta$, changed dramatically (Figure 15e), pitch rate q and the angle of attack $\alpha$ stay in the green ‘normal’ range because the aircraft goes into nosedive. Obviously, the climb rate, $\dot{H}$ exceeded the lower limit. The risk weight of the climb rate, $w_{\dot{H}}$, rose sharply, as shown in Figure 14b,d. $\dot{H}$ became the key factor that had the greatest impact on flight safety.

4.2.2. Heavy Icing Baseline Scenarios

The flight risk evolution process under the heavy icing condition was more complicated than that under the light icing condition, as shown in Figure 16f. As the severity of icing increased, the elevator deflected to increase the pitch angle, $\theta$, as well as the angle of attack, $\alpha$ (Figure 17b,e), which enabled the climb-turn to continue. Furthermore, $\alpha$ increased until the aircraft stalled, and $\dot{H}$ increased and exceeded the limit sharply. Moreover, other risk-related parameters ($\varphi$, p, q, and r) also deteriorated, as shown in Figure 16c. The anti-icing/deicing system had a significant effect on flight risk protection because it caused the ice to symmetrically decrease to light or below, which can greatly improve aerodynamic performance. Then, $\alpha$ stopped increasing and gradually returned to normal, as shown in Figure 16a,b. However, the partial failure of the anti-icing/deicing system caused ice asymmetry, which weakened aileron control efficiency. The lateral stability of the aircraft was disturbed, and the roll angle, $\varphi$, appeared with oscillation and divergence, as shown in Figure 16d,e. For scenarios $S_8$, $S_9$, and $S_{10}$, the risk spectrum of airspeed V stays in the green ‘normal’ range during nosedive because there is not enough time until crash to build up speed for it to pass into the warning risk area. In addition, engines shutdown caused by the autopilot control law (Equation (12)) also weakens the acceleration process, as shown in Figure 17a. As a result, when encountering an icy environment, the pilot should open the anti-icing/deicing system to ensure ice decreases to light or below first. They should then judge whether the system works properly by observing the risk-related parameter, $\varphi$. Moreover, it is important that airspeed V matches the angle of attack, $\alpha$, to avoid a stall.

4.2.3. Elevator Failure Baseline Scenarios

The branch that represents the flight risk evolution process of the climb-turn under the elevator failure condition is shown in Figure 18e. Although the flight risk spectrums (Figure 18a) show that $\alpha$ was within the ‘normal’ range, the break of longitudinal stability caused by the elevator failure resulted in $\theta$ oscillation, as shown in Figure 19e. $\dot{H}$ is related to V, $\theta$, and $\alpha$, $\dot{H}=V\sin \left(\theta -\alpha \right)$, the oscillation of $\theta$ also caused $\dot{H}$ oscillation. Hence, $\dot{H}$ toggled between the ‘normal’ range and the ‘risk’ range repeatedly, as shown in Figure 18a. The flight risk spectrums under elevator failure combined with anti-icing/deicing system failure are shown in Figure 18b,c. The risk evolutions of $S_{12}$ and $S_{13}$ were similar to that of $S_{11}$, which indicates that light icing has little influence on the flight risk evolution process. For scenarios $S_{11}$–$S_{13}$, though the elevator failure generates an unsteady pitching motion which would affect angle of attack $\alpha$ and pitch rate q, the impacts are gradually offset by the oscillation of $\theta$ due to the static stability characteristics of the aircraft. Hence, the risk spectrums of $\alpha$ and pitch rate q stay in green ‘normal’ range during descent. Furthermore, compared with Figure 14d, the sequence of failure also had little influence on the flight risk evolution process, and the key factor that had the greatest impact on flight safety was still $\dot{H}$. The positive factor (elevator repair) had an effect on the flight risk evolution process, as shown in Figure 18d. After the elevator was repaired, the large deflection of the elevator (Figure 19c) caused $\alpha$ to increase and exceed the limit sharply, and the aircraft began to stall/spin. The aileron and rudder reacted quickly in recovering the wing level during descent, as shown in Figure 19b,d. In this case, the key factor that had the greatest impact on flight safety converted from $\dot{H}$ to $\alpha$. Hence, when encountering elevator failure, the stick should be operated gently and slightly to prevent the aircraft attitude instability caused by elevator deflection after elevator repairs.

4.2.4. Aileron Failure Baseline Scenarios

Aileron failure is more dangerous than elevator failure, and the branch that represents the flight risk evolution process of the climb-turn under the aileron failure condition is shown in Figure 20e. It is noted that the break in lateral stability caused by the aileron failure resulted in $\varphi$ oscillation and p oscillation, as shown in Figure 20a. In addition, $\theta$ led to oscillation and divergence, as shown in Figure 21e. $\dot{H}$ rose sharply and fell within the ‘catastrophic’ range. The flight risk spectrums under aileron failure combined with engine failure are shown in Figure 20b,c. The risk evolutions of $S_{16}$ and $S_{17}$ are similar to that of $S_{15}$, which indicates that $\varphi$ oscillation caused by aileron failure is the primary cause of accidents, and other failures accelerate the accident process and make aircraft recovery more difficult. The positive factor (aileron repair) had an effect on the flight risk evolution process, as shown in Figure 20d. After the aileron was repaired, the error of $\varphi$ between dynamic response and the control command was eliminated by the coordinated deflections of the aileron and rudder, as shown in Figure 21b,d. However, the large deflection of the elevator (Figure 21c) caused $\alpha$ to toggle between the ‘dangerous’ range and the ‘catastrophic’ range repeatedly, and the aircraft still crashed. As a result, when encountering aileron failure, the pilot should pay more attention to $\varphi$ and try to avoid pulling the stick back substantially.

4.2.5. Single Engine Failure Baseline Scenarios

The branch that represents the flight risk evolution process of climb-turn under single engine failure conditions is shown in Figure 22e. The positive factor (engine repair) had an effect on the flight risk evolution process, as shown in Figure 22a,b. When single engine failure occurred in the early climb-turn, thrust loss was compensated by pushing the throttle levers, and the sideslip angle was modified by adjusting the deflection of the rudder, ${\delta }_{\mathrm{r}}$, and the deflections returned to normal after the engine repair, as shown in Figure 23b–d. Moreover, even if flight-icing occurred in the later climb-turn, the risk evolution was not affected, which was revealed by comparing Figure 22a with Figure 22b. Figure 22c gives the flight risk spectrum under the single engine failure combined with the double engine failure. $\alpha$ was the first to exceed the limit and fell into the grey ’uncertain’ range, then $\dot{H}$ exhibited oscillation, as shown in Figure 22c. It was caused by the large deflection of the elevator (Figure 23c) after double engine failure. Furthermore, the climb-turn did not last much longer under the single engine failure condition, and other risk-related parameters ($\dot{H}$, $\alpha$, $\varphi$, p, q, and r) deteriorated and were within the ‘catastrophic’ range concurrently, as shown in Figure 22d. As a result, when encountering a single engine failure, the climb-turn should stop at first and aim for the wing level. The larger deflection of the elevator, ${\delta }_{\mathrm{e}}$, should be avoided to prevent oscillation of the aircraft’s longitudinal attitude.

4.2.6. Double Engine Failure Baseline Scenarios

The branch that represents the flight risk evolution process of the climb-turn under the double engine failure condition is shown in Figure 24d. The positive factor (engine repair) had an effect on the flight risk evolution process, as shown in Figure 24a,b. Compared with Figure 22a,b, Figure 24a,b shows that double engine failure was riskier. Figure 24a,b indicates that it was incorrect to deflect the elevator to increase $\alpha$ under the no-engine condition because it had to cause $\theta$ oscillation, and light icing enhanced the trend, as shown in Figure 25c,e. Figure 24c gives the flight risk spectrum of the climb-turn with double engine failure and no engine recovery. Compared with Figure 24a, the positive factor (engine repair) partly eliminates the deterioration of $\dot{H}$. The stability of the lateral directional could be maintained by the coordinated deflections of the aileron and rudder at the beginning of double engine failure, as shown in Figure 25b,d. As a result, when encountering double engine failure, the climb-turn should stop first, and the aileron should be operated to return to wing level and try to reopen the engine during descent. In addition, the position of the elevator should remain stationary until power recovery.

5. Conclusions and Discussions

In this paper, a flight risk analysis method is proposed by combining risk quantitative assessment and visual deduction. It is a qualitative method (risk levels) combined with a quantitative method (multi-parameters comprehensive assessment), and visualization is used to display the risk levels. Considerable attention is paid to simulation, risk assessment, and risk visual deduction of the complex loss-of-control scenarios so as to explore the impacts of failure factors on flight safety. For demonstration, 25 loss-of-control scenarios caused by three common failure factors (actuator failure, engine failure, and icing) and their combination are simulated and analyzed. According to the results of risk visual deduction, actuator failure is the most dangerous factor, followed by engine failure, and the harmfulness of icing is closely related to its severity. Moreover, the combination of several failure factors can accelerate loss-of-control events and increase the difficulty of upset recovery. When the aircraft encounters complex loss-of-control scenarios during maneuver, the crew should first stop the maneuver, and aim for the wing level. During upset recovery, the crew needs to pay more attention to airspeed V, angle of attack $\alpha$, and climb rate $\dot{H}$.

The significant contribution of this study is the introduction of a new risk analysis method for flight under complex loss-of-control scenarios. It should be noted that the loss-of-control scenarios studied in this paper are based on reasonable assumptions and simplifications. In order to support flight test and certification programs, the loss-of-control scenarios need to be further updated according to specific flight cases, which will be investigated in the future study. In addition, the risk analysis method can be used to process the real flight data extracted from the onboard recorder for supporting accident investigation.