ArticlePDF Available

Robust FDI for fault-tolerant thrust allocation with application to spacecraft rendezvous

Authors:
  • Université Bordeaux

Abstract and Figures

This paper deals with the design and validation of an active fault-tolerant control system to detect, isolate and accommodate a single thruster fault affecting the thruster-based propulsion system of an autonomous spacecraft. The proposed method consists of a fault detector for robust and quick fault detection, a two-stage hierarchical isolation strategy for fault isolation, and an online control allocation unit scheduled by the isolation scheme for fault tolerance. A new factorization approach for the uncertain inertia matrix inverse is proposed. Thanks to this factorization, a novel robust Nonlinear Unknown Input Observers (NUIO) approach is proposed based on LMIs which ensure maximization of the admissible Lipschitz constant while at the same time satisfying an L2 gain bound and some constraints on the observer dynamics. At the first stage of the isolation scheme, a bank of NUIOs is used to identify a subset of possible faulty thrusters. Then, at the second stage, an EKF is introduced to estimate the torque bias directions. Using these directions, jointly with the detector׳s residual and the information obtained from the first stage, a set of explicit rules is derived to unambiguously isolate the faulty thruster. A Monte Carlo campaign, based on a simulator developed by Thales Alenia Space industries, is conducted in the context of a terminal rendezvous phase of the Mars Sample Return mission. Mission oriented criteria demonstrate that the proposed strategy is able to cope with a large class of realistic thruster faults and to achieve mission success.
Content may be subject to copyright.
Robust FDI for fault-tolerant thrust allocation with application to spacecraft
rendezvous\
Robert Fonoda,1,, David Henrya, Catherine Charbonnelb, Eric Bornschleglc, Damiana Losab, Samir Bennanic
\: This paper is an extended version with new methodological and applicative results of the work entitled “Thruster Fault
Detection, Isolation and Accommodation for an Autonomous Spacecraft” presented at the 19th IFAC World Congress held in
Cape Town, August 2014
aUniversity of Bordeaux, IMS Lab. UMR CNRS n.5218, F-33400 Talence, France
bThales Alenia Space, F-06156 Cannes La Bocca, France
cEuropean Space Agency, ESTEC, 2200 AG Noordwik, The Netherlands
Abstract
This paper deals with the design and validation of an active fault-tolerant control system to detect, isolate and
accommodate a single thruster fault affecting the thruster-based propulsion system of an autonomous spacecraft.
The proposed method consists of a fault detector for robust and quick fault detection, a two-stage hierarchical
isolation strategy for fault isolation, and an online control allocation unit scheduled by the isolation scheme
for fault tolerance. A new factorization approach for the uncertain inertia matrix inverse is proposed. Thanks
to this factorization, a novel robust Nonlinear Unknown Input Observers (NUIO) approach is proposed based
on LMIs which ensure maximization of the admissible Lipschitz constant while at the same time satisfying an
L2gain bound and some constraints on the observer dynamics. At the first stage of the isolation scheme, a
bank of NUIOs is used to identify a subset of possible faulty thrusters. Then, at the second stage, an EKF is
introduced to estimate the torque bias directions. Using these directions, jointly with the detector’s residual
and the information obtained from the first stage, a set of explicit rules is derived to unambiguously isolate the
faulty thruster. A Monte Carlo campaign, based on a simulator developed by Thales Alenia Space industries, is
conducted in the context of a terminal rendezvous phase of the Mars Sample Return mission. Mission oriented
criteria demonstrate that the proposed strategy is able to cope with a large class of realistic thruster faults and
to achieve mission success.
Keywords: Fault detection and isolation, fault-tolerant control, unknown input observer, linear matrix
inequalities, control allocation, space rendezvous mission, matrix factorization.
1. Introduction
1.1. Context and Motivations
The research work addressed in this paper draws expertise from actions undertaken between the Euro-
pean Space Agency (ESA), the Thales Alenia Space (TAS) industry and the IMS laboratory (laboratoire de
l’Intégration du Matériau au Système) which develop new generations of integrated Guidance, Navigation and
Control (GNC) algorithms for spacecraft with fault diagnosis and fault tolerance capabilities.
The reference space mission considered in this paper is the ESA Mars Sample Return (MSR) mission, see
(Beaty et al.,2008) for details. This deep space mission consists of two vehicles directly injected towards Mars
by launchers. The first module enters the Martian atmosphere (entry phase), lands on the Mars surface, fetches
a Martian sample and then takes-off to reach a low Mars orbit. Meanwhile the second module inserts directly
around Mars, then catches the sample (capture of the orbiting sample released by the first module), and finally
comes back to Earth ejecting the sample into Earth atmosphere with the Earth Reentry Capsule (ERC). The
work reported in this paper focuses on the terminal rendezvous phase which corresponds to the last few hundred
meters until the capture on the Mars orbit. The chaser vehicle is the MSR orbiter, while the target is a diameter
spherical container.
Corresponding author. Tel.: +33-540002419 - Fax.: +33-540006644
Email addresses: robert.fonod@ims-bordeaux.fr (Robert Fonod), david.henry@ims-bordeaux.fr (David Henry),
catherine.charbonnel@thalesaleniaspace.com (Catherine Charbonnel), eric.bornschlegl@esa.int (Eric Bornschlegl),
damiana.losa@thalesaleniaspace.com (Damiana Losa), samir.bennani@esa.int (Samir Bennani)
1Present address: Technion - Israel Institute of Technology, Department of Aerospace Engineering, Technion City, 32000 Haifa,
Israel
During the terminal rendezvous, the control of the attitude and the position of the chaser is continuous and
applied by thrusters. The control unit uses different types of sensors, namely Inertial Measurement Units (IMU),
Star Trackers (STR) and a Light Detection And Ranging (LIDAR) sensor. The set of sensors and actuators
during the terminal rendezvous is minimized to reduce the risk of fault occurrence and to reduce the power
consumption and mass. The attitude is controlled in order to keep the orbiting sample within the LIDAR field
of view. The position is controlled in order to approach the orbiting sample along its velocity axis. Then, just
before the capture, the guidance is modified in order to align the capture mechanism with the orbiting sample,
i.e. the target.
Following recent studies (Tafazoli,2009;HARVD - Final Presentation), thruster faults account for approx-
imatively one quarter of all Attitude and Orbit Control System (AOCS) failures. It seems obvious that they
can have a serious impact on the spacecraft’s ability to fulfil its mission. For instance, a hardover type fail-
ure (thruster stucks open), it could lead to a drastic increase of the propellant consumption which is already
very constrained by the travel to Mars. Dramatic consequences can occur, e.g. already in-placed GNC may
not compensate such faults, possibly leading the chaser to lose the attitude and/or the position of the sample
container.
The work addressed in this paper is concerned by the development of a model-based Fault Detection and
Isolation (FDI) scheme for a Fault-tolerant Control (FTC) of the thruster which equip the MSR chaser propulsion
system. The investigated faults have been defined in accordance with the industrial partners and follow both
the ESA and TAS requirements and their experiences. Four cases are investigated: i)thruster opening at
100% (providing maximum force regardless of the demand and being very propellant consuming) ii)thruster
closing itself (faulty thruster does not generate any thrust regardless of the demanded command by the control
authority) iii)bi-propellant leakage and iv)loss of efficiency (thrust loss).
1.2. Related Work and Limitations
In terms of model-based FDI, numerous techniques have been studied in the past decades in the academic
community, see (Patton et al.,2000;Blanke et al.,2006;Ding,2013) and references therein for good surveys.
The still growing interest of potential applications in aerospace systems has been demonstrated by recent
publications. With regards to the problem of spacecraft thruster fault diagnosis, one can mention the work of
Chen and Saif (2007) that proposed an iterative learning observer to achieve estimation of time-varying thruster
faults. Wu and Saif (2009) proposed the same approach jointly with a sliding mode technique. The work reported
in (Patton et al.,2006,2008,2010) addressed the Mars Express mission. The proposed approach is based on
both state estimation of an accurate linear model for the satellite system and unknown input decoupling to
achieve robust FDI in the presence of dynamic uncertainty during main engine deployment. The work reported
in (Henry et al.,2011;Fonod et al.,2014a;LePeuvédic et al.,2014;Fonod et al.,2015) addressed the problem of
thruster fault diagnosis of the MSR orbiter during the terminal rendezvous phase. Henry et al. (2011) proposed
a method based on a H(0) filter with robust poles assignment technique. Fonod et al. (2015) approached the
same problem using an Eigenstructure Assignment (EA) technique, whereas LePeuvédic et al. (2014) proposed
a robust H/Hfilter in combination with a bank of thruster–direction decoupling observers. Similarly in
(Falcoz et al.,2010a,b), the H/Happroach was exploited for the micro-Newton colloidal thrusters during
the experiment phase of the LISA Pathfinder mission. H/Hfilter–based strategies have been proposed in
(Grenaille et al.,2004;Henry,2008a) to diagnose the Field Emission Electric Propulsion (FEEP) thrusters of
the Microscope satellite.
In the case of an overactuated spacecraft, the cornerstone of the FDI unit is the isolation logic. It must be
accurate and robust enough to uncover the faulty thruster among thrusters which are very closely co-aligned
and it also must be able to cover a large class of realistic faults. Posch et al. (2013) proposed a torque bias
vector matching isolation method. In this approach, the torque bias is estimated using an Extend Kalman Filter
(EKF) and directly matched with the torque directions of each thruster. The main drawback of this approach
is that it is unable to consider a thruster configuration where some thrusters generate the same or very similar
torques. Similar idea has been presented in (Alwi et al.,2010), where instead of estimating the torque bias,
the sliding mode injection term is matched with the thruster directions. This method has similar drawbacks
as the previous method, additionally, the isolation performance strongly depends on the measurement noise.
In (Henry et al.,2011;Fonod et al.,2015), a cross–correlation test between the residual and the associated
thruster opening rates was considered. This approach however lacks the ability to consider both “open-type”
and “closed-type” thrusters faults at the same time (for fault classification, see Section 2.1). Moreover, in the
aerospace systems, the true inertia matrix is newer known precisely on-board. Therefore, controllers are always
validated in presence of uncertainty on the inertia to confront modelling errors. Similarly, in terms of FDI, it
is of paramount interest to analyse, and most importantly, to incorporate the effects of the uncertain inertia
within the FDI design.
2
In terms of FTC methods, the interested reader shall refer to (Blanke et al.,2006;Zhang and Jiang,2008;
Noura et al.,2009). These techniques can be in general classified into two main categories: passive FTC and
active FTC. Passive FTC relies on robust control concepts, whereas active FTC methods act on the system
component failures actively by re-designing the controller so that the stability and acceptable performance of the
entire system is maintained. The most famous active FTC strategies are the pseudoinverse methods (Ostroff,
1985;Caglayan et al.,1988;Gao and Antsaklis,1991;Bajpai et al.,2001), recently revisited by Staroswiecki
(2005), the Linear Quadratic (LQ) approach (Looze et al.,1985;Josh,1987;Veillette,1995;Staroswiecki et al.,
2007), the EA technique (Jiang,1994;Zhao and Jiang,1998;Zhang and Jiang,2001), the adaptive control
approach (Bodson and Groszkiewicz,1997;Tao et al.,2002;Zhang et al.,2004), the Model Predictive Control
(MPC) approach (Camacho and Bordons,1999;Maciejowski,2002;Hartley et al.,2012), and most recently the
supervisory approach (Yang et al.,2012;Efimov et al.,2013).
The problem of designing an active FTC system for thruster faults has been rarely studied for space systems
(or very few papers have been published). The already in-placed industry-certified controllers are designed to be
robust and to achieve a predetermined performance level in a fault safe situation. The Control Allocation (CA)
technique is probably the most “ready to be implemented” FTC approach for aerospace systems. The major
reason is that the computational burden is very close or within the limits of today’s off-the-shelf embedded
computer systems. Moreover, in some cases the CA approach does not require any change in the nominal
controller which is a great advantage from an industrial point of view. Several application of the CA from
the aerospace community can be found in (Bodson,2002;Page and Steinberg,2002;Jin et al.,2006;Henry,
2008b;Oppenheimer et al.,2010;Boada et al.,2010;Fu et al.,2011). For instance, a SIMPLEX–based method
has been reacently implemented in the Automated Transfer Vehicle (ATV) developed by EADS Astrium Space
Transportation, to carry out a prescribed set of thruster faults.
Most CA algorithms assume a linear effector model in the form of a matrix , i.e. the thruster configuration
matrix whose elements (columns) are the influence coefficients defining how each thruster affects each component
of the force and moment vector applied to the spacecraft. Thus, CA is fundamentally concerned by the inverse
computation of the thruster configuration matrix. Since this matrix has more columns than rows, there exists
an infinite number of solutions. However, by minimizing some “measure” of it, it is possible to have a unique
solution. Actuator faults can then be tackled by a CA principle so that it is not required to re-design the
nominal controller itself. A consequence is that CA can be used as a FTC solution with a little extra effort on
the existing CA techniques. Alwi and Edwards (2008) exploits this idea using sliding mode techniques.
1.3. Proposed Approach and Contributions
This paper addresses the design and validation of a complete FDI/FTC system for the aforementioned
thruster fault scenarios. The proposed method consists of: i) a fault detector for robust and quick fault detection,
ii) a two-stage hierarchical isolation strategy for faulty thruster isolation and iii) an online CA unit scheduled by
the isolation scheme for fault tolerance. The utilized fault detector design follows the developments introduced
in (Fonod et al.,2013). This detector offers enhanced robustness against time-varying input delays. The original
idea of the two-stage isolation strategy proposed in this paper initiates from (Fonod et al.,2014a), where a bank
of asymptotically stable Nonlinear Unknown Input Observers (NUIOs) has been used for the first stage and a
simple residual vector matching approach for the second stage. Here, a bank of 5 robust NUIOs together with an
EKF-based torque bias direction estimator is considered. A new factorization approach for the uncertain inertia
matrix inverse is proposed. Thanks to this factorization, a novel robust NUIO design is proposed with bounded
L2gain from the system input to the estimation error. By this, the effect of the uncertain inertia on the state
estimation error is attenuated. Additionally, it is shown that under some Lipschitz condition, it is possible to
constrain the NUIO dynamics into a prescribed dynamic region using the notion of Linear Matrix Inequality
(LMI) regions. The NUIO gains are obtained from the feasible solution to the LMI optimization problem, offering
numerically tractable procedure to account jointly the observer dynamics constraint, the L2specification, and
the maximization of the admissible Lipschitz constant. As the outcome of the first stage, a subset of thrusters is
identified as “possible faulty”. For the second stage, an EKF is introduced to estimate the torque bias directions
due to the thruster fault. Using these directions, the fault detector’s residual and the information obtained from
the first stage, a set of explicit rules is derived to unambiguously isolate the faulty thruster. These rules consist
in evaluating the torque bias direction estimate with respect to the thruster torque directions and the detector’s
residual with respect to the thruster force directions of the already identified (faulty) thruster set, respectively.
In specific cases, a sequential decision test is also used. As soon as the faulty thruster is identified, a control
re-allocation algorithm is used to redistribute the control effort among the available healthy actuators, while at
the same time disengaging the faulty one. Here, based on the precursor work of (Jin et al.,1995), a modified
version of the Nonlinear Iterative Pseudoinverse Controller (NIPC) algorithm is presented. A complete Monte
Carlo campaign is conducted in the context of the terminal rendezvous phase. Mission oriented criteria are
3
evaluated to demonstrate the effectiveness of the proposed method subject to various sources of uncertainties,
spatial disturbances, delays and imperfect navigation.
The paper is organized as follows. Section 2is devoted to the thruster-based propulsion system of the chaser.
It also introduces the considered actuator fault model. Sections 3and 4are dedicated to the FDI unit design.
Section 5deals with the FTC algorithm. Finally, a simulation campaign is conducted in Section 6in the context
of the terminal rendezvous phase. Concluding remarks are given in Section 7.
Notations: Let denote R,C,Z+, and Hthe set of real numbers, complex numbers, non-negative integers, and
the set of quaternions, respectively. The notation Rm×nis used for real matrices of dimension m×n. diag(. . .)
represents a block diagonal matrix. Iand 0represents the identity and zero matrix with the appropriate
dimension, respectively. The symbol ,×, and ·stands for the Kronecker, cross and dot product, respectively.
The notation P>0(P<0) means that Pis a real symmetric and positive (negative) definite matrix. The
notation Λ(A)stands for the set of all eigenvalues and λmax stands for the maximum eigenvalue of a square
matrix A, respectively. In symmetric block matrices, the symbol denotes an element that is induced by
symmetry. k·kprefers to either the p-norm of a vector or the induced matrix p-norm. If p= 2,k·kpis written
without the subscript, i.e. k·k. With L2a space of all Lebensque measurable functions having a finite L2norm
kuk`2is denoted, where kuk2
`2=R
0ku(t)k2dt.N(µ, σ)stays for the normal distribution with mean value µ
and standard deviation σ.U(a, b)denotes the uniform distribution with boundaries aand b.
2. Background on Thruster-based Propulsion System and Fault Considerations
The MSR chaser spacecraft is equipped with a chemical propulsion system composed of 12 thrusters. The
thrusters are physically organised in four groups (see Fig. 1for illustration) and are in charge of producing force
aFR3and a torque TR3vector.
Figure 1: Thruster configuration of the chaser spacecraft2
Let denote Sall ={1,2, . . . 12}the set of all the thruster indices. All thrusters have fixed directions dk
R3,k∈ Sall and each one is able to produce a maximum thrust of ||FT|| = 22 N. The Chemical Propulsion Drive
Electronics (CPDE) driving the thrusters, is initiating the opening of each thruster valve for the commanded
duration 0uk1,k∈ Sall which are in fact scaled ON-times. The scaling is done versus the sampling
period Tsof the control unit and is defined according to ui(tk) = Toni(tk)/Ts, where Toni(tk)is the actual/real
firing duration (ON time) of the ith thruster at control cycle tk=kTs.
The propulsion system is obviously a source of uncertainty in the system. The transfer function
H(s) = eτ(t)s(1)
aims to model the effect of the unknown time-varying delays induced by the CPDE and the uncertainties on
the thruster rise times (see Pettazzi et al. (2009)). The delay τ(t)is assumed to be unknown and time-varying,
but upper bounded by a known constant ¯τ, i.e. τ(t)¯τ.
Let be uk(tτ(t)) the commanded open duration of the kth thruster delayed by τ(t). The net forces and
torques generated by thrusters (in fault-free case) are given in the chaser body fixed frame Fb={Ob,~
Xb,~
Yb,~
Zb}
(see Fig. 1for an illustration) according to
F(t) = BFu(tτ(t)),T(t) = BTu(tτ(t)) (2)
In the above equation u(t) = [u1(t), u2(t), . . . , u12(t)]T, and
BF=bF1,bF2,...,bF12 ,BT=bT1,bT2,...,bT12 (3)
2The considered thruster configuration in this paper is a special one designed by TAS to study active FTC strategies.
4
are the thruster sensitivity (configuration) matrices with3
bF k =dk||FT||,bTk = (dpk dCoM )×bF k ,k∈ Sall
where dCoM R3is the position vector of the Center of Mass (CoM) from the center of the chaser geometrical
frame Fg, and dpk R3,k∈ Sall are the position (location) vectors of the thrusters, all given in Fg.
By analysing the matrices BFand BTin terms of directional properties, the following can be concluded:
the torque directions of the thrusters having index inside the sets ST k, k = 1,...,4are the same and those
having index inside the set ST5are similar. In our case, the above subsets are defined as follows:
ST1={1,11},ST3={4,8},ST5={3,6,9,12}
ST2={2,10},ST4={5,7},(4)
In terms of force directions, the following is revealed
bF1=bF11,bF4=bF8,bF3=bF12
bF2=bF10,bF5=bF7,bF6=bF9(5)
which means that the thruster pairs of the sets ST k, k = 1, ..., 4produce exactly opposite forces. The last
thruster group, i.e. ST5, has the following properties
bF3·bF6= 0,bT3≈ −bT6≈ −bT9bT12 (6)
Relations in (6) mean that thrusters belonging to ST5group produce a) forces perpendicular to the forces of
their neighbours b) nearly collinear torques. The directional properties given by (4)-(6) will be later used to
derive an explicit fault isolation strategy.
2.1. Thruster Fault Modelling
With regards to the possible faults occurring in the thruster-based propulsion system, the focus is on the
so-called “open-type” (fully open or leaking thruster) and “closed-type” (blocked-closed thruster or loss of
efficiency) faults. These faults have been defined in accordance with the industrial partners and follow both the
TAS and ESA experiences. The following mathematical model can be used to describe these faults
ϕk(t) = max{uk(t), mleak }if open-type
(1 mloss)uk(t)if closed-type
where the index krefers to the kth thruster. In this formalism, 0< mleak <1models a leakage fault and
0< mloss <1an efficiency loss fault. It is obvious that mleak = 1 refers to a fully open and mloss = 1 to a
blocked-closed thruster fault, respectively.
Assuming no simultaneous faults, the considered thruster faults can be modelled in a multiplicative way
according to (the index foutlines the faulty case)
uf(t) = IΨ(t)u(t)(7)
with Ψ(t) = diag(ψ1(t), . . . , ψ12(t)), where 0ψk(t)1,k∈ Sall are unknown. The status of the kth thruster
is modelled by ψkas follows
ψk(t) = 0if healthy
1ϕk(t)/uk(t)if faulty
where ϕkallows to consider different fault scenarios.
3. Design of the Robust Fault Detector
The proposed fault detector consists of an observer-based residual generator and a sequential decision which
evaluates the residual. The observer is designed based on the EA technique and uses a model of the relative
position between the chaser and the target given in the local (target) frame. In (Fonod et al.,2015), it was
shown that, in terms of robustness/sensitivity, the position model-based FDI scheme tends to achieve very
similar FDI performances as a scheme based on a pure attitude model.
5
Mars
Target
Chaser
Inertial
Reference
Frame
The Rendezvous
Orbit
Figure 2: The Mars rendezvous orbit with the associated frames
3.1. Relative Position Model
Consider the illustration of the rendezvous between the chaser and target spacecraft around Mars given by
Fig. 2where Fl={OT,~
Xl,~
Yl,~
Zl}is the local (target centred) reference frame oriented as shown in Fig. 2.
During the rendezvous phase on a circular orbit, it is assumed that the chaser motion is due to the four following
forces, all given in Fl
the Mars attraction force ~
Fa=mµ
((a+ξ)2+η2+ζ2)3/2(a+ξ)~
Xl+η~
Yl+ζ~
Zl, where ξ, η , ζ denote the
three components of the relative position vector r= [ξ, η, ζ ]Tof the chaser from the origin OTof the
target frame Fl,
the centripetal force ~
Fe=mn2(a+ξ)~
Xl+n2η~
Yl,
the Coriolis force ~
Fc=m2n˙η~
Xl2n˙
ξ~
Yl,
the force due to the thruster-based propulsion system ~
Ft=Fξ~
Xl+Fη~
Yl+Fζ~
Zl. (This force vector is
the one given by the equation (2) expressed in Fl.)
In these relations, µ=G.mM4and n= ˙ν=pµ/a3, where a,m,Gand mMare the radius of the circular orbit
of the target, the mass of the chaser, the universal gravitational constant and the mass of Mars, respectively.
It can be verified that the above equations lead to a 6th order nonlinear state space model whose state and
force input vectors are given by xp= [ξ η ζ ˙
ξ˙η˙
ζ]Tand Ft= [FξFηFζ]T, respectively. Noting that the distance
between the target and the chaser during the rendezvous phase is negligible compared to the radius of the target
orbit, i.e. krk  a. It is then possible to derive the so called Hill-Clohessy-Wiltshire equations by means of a
first order approximation of the nonlinear state space model (Sidi,1997). Finally, introducing the fault model
and the CPDE unknown time-varying delay τ(t)introduced in Section 2, leads to the following linear 6th order
state space model of the chaser relative motion expressed in Fl, both in fault-free (Ψ=0) and faulty (Ψ6=0)
situations, i.e.
˙
xp(t) = Apxp(t) + BpR(ˆ
qt(t),ˆ
qc(t))BFuf(tτ(t)) (8)
yp(t) = Cpxp(t)(9)
Ap=
0 0 0 1 0 0
0 0 0 0 1 0
0 0 0 0 0 1
3n20 0 0 2n0
0 0 0 2n0 0
0 0 n20 0 0
,Bp=1
m
000
000
000
100
010
001
,Cp=
100000
010000
001000
3Numerical values with regards to the spacecraft geometry are omitted for confidentiality reasons.
4Considered values: G.
= 6.67384 ×1011 (N.m2kg2) and mM
.
= 6.4173 ×1023 (kg).
6
In (8), the rotation matrix R(ˆ
qt,ˆ
qc)is calculated from the attitude quaternion estimates of the chaser ˆ
qcH
and target ˆ
qtH. They rotate the force due to thrusters, i.e. Ff=BFuf(tτ(t)), from Fbinto Fl.
These estimates are assumed to be available on-board since they are computed online by the navigation unit.
The output vector yp= ∆r= [ξ η ζ]Tis the relative position expressed in Fl. In the context of our study,
this relative position is measured by the LIDAR device. Moreover, it is assumed that the navigation unit is
decoupled from thruster faults, but providing noisy state estimates.
3.2. Residual Generation and Evaluation
The proposed residual generator is based on a full-order observer using the position model (8) and (9),
introduced in the previous section. The observer is designed using the well known EA technique so that the
residual vector output, i.e. the output estimation error weighted by a matrix Q
r(t) = Qyp(t)Cpˆ
xp(t),r= [r1, r2, r3]T(10)
is (approximately) decoupled from the unwanted effects of the time-varying delay τ(t).Fonod et al. (2013)
address this problem using two different approaches, i.e. using a Padé approximation and a Cayley-Hamilton
theorem-based transformation. The earlier method is employed in this paper. The idea is to use the model
(8)-(9) to generate the state estimate ˆ
xpused to produce the residual vector r. Since the EA technique is well
mastered in the FDI community, technical developments are not considered in this paper. The interested reader
can refer to e.g., (Patton et al.,2000;Blanke et al.,2006;Ding,2013).
The proposed decision making rule is a slightly modified version of the scalar valued Generalized Likelihood
Ratio (GLR) test for the variance (see e.g. Ding (2013)). The considered decision test %Jth is defined by
%Jth (t) = (1if Sw(r(tk)) > Jth fault declared
0if Sw(r(tk)) Jth fault not present (11)
with Sw(r(tk)) = P3
i=1 wiSi(ri(tk)), where wi0, i = 1,2,3being the normalized weight factors used to
prioritize certain elements (axes) of the residual and Si(ri(tk)) is the estimated log likelihood of the GLR
algorithm applied to the ith residual ri(tk)evaluated at time instant t=tk=kTs, k Z+. In (11), the fixed
threshold Jth is an additional design parameter, see (Basseville and Nikiforov,1993) for discussion about its
tuning. The fault is declared at time td, i.e.
td= arg inf
tt0{%Jth (t)=1}(12)
where t00is time required for rto the achieve steady state (settle down) when Ψ(t) = 0,t[0, t0).
4. Hierarchical Isolation Strategy
Recalling the thruster configuration properties given by (4)-(6) and taking into account that thrusters cause
both linear and rotational motions, a set of explicit rules can be derived to unambiguously isolate a single
thruster fault. These rules are implemented on a hierarchical two-stage basis as follows:
i)The first stage utilizes a bank of five NUIOs based on the nonlinear model of the attitude dynamics. This
bank is in charge of confining the faulty thruster into a single group ST j , j = 1,...,5(subset of thrusters),
in other words, the task is to to find the faulty group index "j". An enhanced NUIO approach is adopted
for this purposes because of its decoupling properties, adjustable error dynamics and ability to take into
account both nonlinearities and uncertainties of the attitude dynamics,
ii)The second stage aims at uniquely isolating the faulty thruster index "i" within the already identified
subset, i.e. find i∈ STj . This stage uses jointly an EKF (being in charge of estimating the torque bias
directions due to the fault), a torque bias matching approach and/or a Wald’s sequential test, and finally
a residual/force direction marching approach.
It is obvious that in case of (small) truster faults, the spacecraft attitude dynamics is more likely prone to
dynamic deviations than the translation one. This gives the motivation to derive the first isolation rule using
the angular velocity measurement rather than the one obtained from the LIDAR device. On the other hand,
due to the fact that some thrusters produce exactly the same or very similar torques, it is very hard to obtain
a global isolation strategy based exclusively on angular velocity measurements. Therefore, the second isolation
rule of the proposed global isolation strategy uses the information about the position dynamics contained in the
fault detector’s residual. This chronology of isolation steps gives to the fault an extra time to propagate into
the translation dynamics.
7
4.1. Thruster Group Isolation Using a Bank of NUIOs
Let’s consider the spacecraft as a rigid body (flex modes and slosh phenomena are not considered in this
work), this model is given by (Sidi,1997)
˙
ω(t) = J1BTuf(t)J1ω(t)×Jω(t)(13)
where ω= [p, q, r]Tis the rotational velocity vector and JR3×3is the real inertia matrix. In (13), both ω
and Jare given in the chaser’s body-fixed frame Fb. Since the attitude model involves the inertia matrix J
and its inverse J1, robustness issue against uncertainties in Jis a key feature in the design of the NUIO. This
problem is addressed in the following subsection.
4.1.1. Chaser Attitude Dynamics and Inertia Uncertainty
Let the inertia matrix Jhaving the general form
J=
Jxx Jxy Jxz
Jxy Jyy Jyz
Jxz Jyz Jzz
(14)
First, we define a factorization of Jby introducing a diagonal matrix JdR9×9with the uncertain terms of
J, i.e.
Jd=diag(Jxx, Jyy , Jz z , Jxy I2, Jxz I2, Jyz I2)(15)
where I2is an identity matrix of size 2. The Jdmatrix can now be associated with two placement matrices
RJand SJ,
RJ=
100101000
010010010
001000101
,ST
J=
100010100
010100001
001001010
to give the factorized expression of Jas follows
J=RJJdSJ(16)
The inertia uncertainty can be expressed by direct multiplicative uncertainty as
Jd=Jd0(I+J)(17)
where Jd0consists of nominal values of Jdand Jrepresents the uncertainty in the diagonal form
J=diag(∆Jxx,Jyy ,Jz z ,Jxy I2,Jxz I2,Jyz I2)(18)
with |Jij | ≤ ¯
δij ,i, j ∈ {x, y, z}, where 0¯
δij 1is the upper bound of the considered uncertainty level
along the given axis. If ¯
δij <1for any i, j couple, it is possible to reduce conservatism by introducing the
following scaling
J=W
J,T
J
JI(19)
where
W=diag(¯
δxx,¯
δyy ,¯
δzz ,¯
δxyI2,¯
δxzI2,¯
δyz I2)
Finally, inserting (17) into (16) gives the inertia matrix expressed in the additive uncertainty form
J=J0+R
J
JSJ(20)
where J0=RJJd0SJand R
J=RJJd0W. The inverse of Jappears in (13), therefore, it is essential, to
express this inverse in a factorized form. Proposition 1provides a method to achieve it.
Proposition 1 (Uncertain inertia inverse factorization). If kJ1
0R
JkkSJk ≤ 1, then the inverse of the
uncertain inertia matrix (20)can be expressed as
J1=J1
0+R22S2(21)
where R2,S2are constant matrices given by R2=J1
0R
Jk(I+SJJ1
0R
J)1kand S2=SJJ1
0. Matrix 2
satisfies T
22I.
8
Proof: see Appendix A.
Utilizing the above proposition with the definition of the state vector x=ω, it can be verified that equation
(13) can be represented in the following nonlinear state space representation
˙
x(t) = Ax(t) + Φ(x(t)) + ∆Φ(x(t)) + (B+ ∆B)uf(t)(22)
y(t) = Cx(t)(23)
with the following assignments
Φ(x(t)) = J1
0x(t)×J0x(t)Ax(t),B=R22S2BT,A=˙
x
x(x0,J0)
Φ(x(t)) = J1x(t)×Jx(t) + J1
0x(t)×J0x(t),B=J1
0BT,C=I
(24)
This formulation is now suitable for the NUIO theory proposed in the subsection.
4.1.2. Robust Nonlinear Unknown Input Observer Design
Consider the model given by (22)-(23) without the nonlinear uncertainty Φ(x(t)), but with a disturbance
vector doccurring in the state equation (this will be justified later in Section 4.1.3), i.e.
˙
x(t) = Ax(t) + Φ(x(t)) + (B+ ∆B)u(t) + Ed(t)(25)
y(t) = Cx(t)(26)
As usual in the UIO theory, the design of the observer parameters is done without fault consideration, i.e.
Ψ= 0 uf=u. Thus, fault sensitivity performance can only be checked a posteriori (see e.g. Patton et al.
(2000)).
Assumption 1. It is assumed that Φ(x)is Lipschitz in a region Scontaining the origin, i.e. kΦ(x1)
Φ(x2)k ≤ γkx1x2k,(x1,x2)∈ S where γ > 0stands for the Lipschitz constant. If S=Rn,Φis globally
Lipschitz. Otherwise, it is locally Lipschitz.
Assumption 2. It is assumed that Eis of full column rank and that rank(C E ) = rank(E).
Note that Assumption 1is reasonable in our case, since Φ(x)in (22) is continuously differentiable on R3
and thus, it is locally Lipschitz. This means that the angular velocity shall be bounded in magnitude which is a
reasonable assumption from a practical point of view, too. Assumption 2can be done without loss of generality,
see e.g. (Chen and Patton,1999) if necessary.
Under Assumptions 1and 2, the goal turns out to design the following NUIO
˙
z(t) = N z(t) + Gu(t) + Ly(t) + MΦ(ˆ
x(t)) (27)
ˆ
x(t) = z(t) + Hy(t)(28)
in such a way that ˆ
xlends robustness against the uncertainties Bu and is decoupled from the unknown inputs
d. In (27)–(28), ˆ
xRnstands for the estimate of xand zRnis an auxiliary signal. It can be verified that
a solution to this problem yields if and only if
N=MA KC,(29)
L=K(ICH ) + MAH,(30)
M=IHC,(31)
G=MB (32)
(IHC)E=0(33)
The general solution to (33) can be written as
H=U+Y V (34)
where Ymust be chosen so that it does not cause rank deficiency of H. Matrices Uand Vare given by
U=E(CE ),V=I(C E)(CE)(35)
where (CE )denotes the generalized pseudo-inverse of the matrix CE .
9
The aim is now to design the parameters Kand Ysuch that the estimation error e=xˆxtends asymp-
totically to zero with maximum admissible Lipschitz constant γand such that the L2gain from Bu to the
estimation error eis bounded by
kek`2
kBuk`2κ, u∈ L2[0,),kBuk`26= 0 (36)
for a given κ > 0. The following theorem provides a LMI-based method for NUIO design.
Theorem 1. Consider the (Lipschitz) nonlinear system given by (25)-(26). The NUIO given by (27)-(28)is
asymptotically stable with maximum Lipschitz constant γand the L2gain from Bu to eis bounded by
κ > 0, if there exists a positive definite matrix P=PT>0and matrices ¯
K,¯
Yas solutions of the following
optimization problem:
max
P, ¯
K, ¯
Y
ξ(37)
s.t.
Ψ11 +Γ11 12 13 0 0
∗ −I0 0 0
∗ −I0 0
∗ −κ2I S2BT
∗ −I
<0,ξ γ
10(38)
where
Ψ11 = ((IUC)A)TP+P(IU C )A+ (1 + ξ)I(39)
Γ11 =(V CA)T¯
YT¯
Y V C A CT¯
KT¯
KC (40)
12 =P(IUC)¯
Y V C (41)
13 =P(IUC)R2¯
Y V CR2(42)
Once the problem is solved, then
K=P1¯
K,Y=P1¯
Y, γ=pξ(43)
Proof: see Appendix B.
Remark 1. It should be outlined that NUIO designed according to Theorem 1tolerates any additive uncer-
tainty ∆Φ(x)in Φ(x), i.e Φ(x) = Φ(x) + ∆Φ(x), with Lipschitz constant less than or equal to γγ, see
the work of Abbaszadeh and Marquez (2009) for a discussion.
Remark 2. The maximization of the admissible Lipschitz constant γmay result in unsatisfactory dynamical
behaviour of the state estimation error. To overcome this problem, the D-stability concept proposed by Chilali
and Gahinet (1996) can be used jointly with Theorem 1, thanks to the LMI formulation (38). Substituting (31),
(34) and (43) into (29) and transposing, it yields NT=AT(U C A)T(¯
Y V CA)TP1(¯
KC )TP1. Then,
direct application of the developments proposed in (Chilali and Gahinet,1996) shows that the eigenvalues of N
can be assigned into a prescribed region D=ns
k=1Dkif there exist a common Lyapunov matrix P=PT>0
and matrices ¯
Kand ¯
Ysuch that the set of nsLMIs
αkP+βk(ATP(UCA)TP(¯
Y V CA)T(¯
KC )T)+ (44)
βT
k(P A P(U CA)¯
Y V C A ¯
KC )<0k= 1,2, . . . , ns
is simultaneously satisfied. In this expression, αkand βkare matrices of appropriate dimension defining each
region Dk.
4.1.3. Comments on Computational Issues
The Lipschitz constant γfor Φ(ω)can be easily computed using a constrained optimization algorithm over
the set Sω={ωR3:|ωk| ≤ ¯ω, k = 1,2,3}, where ¯ωis the upper bound of the angular velocity for each
axis. The LMI region assignment approach described in Remark 2is also considered to adjust adequately the
dynamics of the NUIOs. For each NUIO, the chosen region Dresults in the intersection of three elementary
LMI regions Dk, k = 1,2,3defined according to:
-D1: left-half plane delimited by a vertical line α,α > 0;
10
-D2: disk with center at (b, 0) and radius c;
-D3: conic region with center at the origin and inner angle 0< β < π/2pointing left.
These parameters (α, b, c, β)have to be tuned such that the estimation error dynamics react quick enough to any
type of considered fault, allowing early distinction among the healthy/faulty thruster groups ST k, k = 1, ..., 5.
(See the following section about the proposed thruster group isolation strategy.)
For each thruster group ST k, k = 1, ..., 5(see equation (4) for definition), a dedicated NUIO is designed
based on Algorithm 1. The kth NUIO is such that it can fully estimate the angular velocity ωwith all control
inputs except those associated with ST k , i.e. with ui,i∈ Sall\ST k. On the other hand, din equation (25)
stays for the control inputs associated with ST k (i.e. ui,i∈ ST k ). As a result, the NUIO dedicated to the
group ST k shall not be affected by faults occurring in the thrusters belonging to ST k due to the decoupling
property, while all the other NUIOs will be (“are expected to be” to be more precise since the design of the
NUIOs are done without fault sensitivity constraint).
Algorithm 1 Design of the bank of 5 NUIOs
1: Compute γfor Φ(ω)over Sω, choose the attenuation level κ;
2: for k= 1 to 5do
3: B?
k= [b
1, ..., b
12]where b
i=J1
0bT i,i∈ Sall \ST k and b
i=0,i∈ ST k;
4: Set E,J1
0bT i for any arbitrary i∈ STk and B,B?
k;
5: Compute Uand Vaccording to (35);
6: Prescribe the desired dynamics using D(α, b, c, β);
7: Solve problem (37) under LMI constraints (38) and (44)(P,¯
K,¯
Y, ξ);
8: Set K=P1¯
K,Y=P1¯
Yand γ
k,ξ;
9: Using Kand Y, gains for the kth NUIO are given by (29)-(32) and (34);
10: end for
It is important to note that dcan be exactly decoupled only if the columns of Brelated to dare zero. If
this is not the case, only the known directions, i.e. b
i=J1
0bT i, i ∈ ST k, can be exactly decoupled, while the
uncertain columns b
i, i ∈ ST k (columns of Bassociated with ST k ) are attenuated in L2sense (with upper
bound κ) since the entire Bmatrix is considered in (36). Furthermore, if a constant γlinked to a given
NUIO verifies γ> γ, then the associated observer tolerates an additionally nonlinear uncertainty in Φ(ω),
see Remark 1.
Note that all observers estimate only the angular rate ωof the chaser. Therefore, the computational burden is
reduced since there is no need to process the entire state vector (i.e., the linear position/velocity and the attitude
in addition). For real-time reasons, the bank of 5 NUIOs is triggered only when the decision signal %Jth indicates
the fault occurrence, i.e., when %Jth (t)=1for ttd. Even if only ωis estimated, keeping the NUIOs switched
off before the fault is detected seems to be a good strategy, concerning the nonlinear nature of the observer.
Each observer is initialized then with the known measurement at time td, i.e., ˆ
ωk(td) = ω(td),k∈ {1,...,5}.
By this, all observers have a zero initial estimation error. Hence, the observer initial convergence (transient
phase) problem is avoided.
4.1.4. Thruster Group Isolation Logic - First Stage
Due to the aforementioned structuration of the bank of the NUIOs, it seems clear that the NUIO with the
minimum estimation error (in some norm sense) reveals that a fault occurs in the associated set ST k. Such a
property provides an efficient isolation rule that can be written according to
¯σg(t) = arg min
kkek(t)k, t > td(45)
where ek(t)denotes the estimation error at time tassociated with the kth NUIO. Note that the bank of NUIOs
is triggered only when the fault indicating signal %Jth (see Eq. (11)) indicates that a fault has occurred, that is
for t > td. To avoid initial transition phenomena and to ensure robustness against noise, a confirmation time
window, δg>0, is introduced, i.e.
tg= arg inf
ttd+δg{¯σg(t) = ¯σg(ϑ),ϑ(tδg, t]}(46)
where tgis the isolation time of the faulty thruster group j= ¯σg(tg).
In ideal conditions, at this isolation stage, the minimum time (tdtf) + δghas elapsed from the fault
occurrence at t=tf, thus allowing extra time for the fault to induce observable dynamic deviations in the
11
translation dynamics contained in the residual signal rgiven by (10). Therefore, as soon as the faulty thruster
group index "j" is confirmed, the faulty thruster can be uniquely isolated by simply examining the degree of
alignment between rand the fixed force vector directions bF k, k ∈ ST j (see equation (3) for definition of bF k )
under the assumption that the fault type is known. This is the purpose of the next subsection.
4.2. Final Thruster Fault Isolation - Second Stage
As soon as the faulty thruster group ST j is identified at the first stage, the faulty thruster can be easily
isolated by examining the angle of the vector ralong the fixed force directions bFk ,k∈ ST j . If the kth thruster
is faulty, then vectors rR3and bF k R3should be collinear (owing the fault model (7)). The degree of
collinearity can be computed using the direction cosine approach: θk
d=bF k ·r/(kbF k kkrk), where θk
dis the
angle between the vectors rand bFk . If rand bF k are collinear, then cos(θk
d)=1. Thus, the following rule is
proposed to isolate the faulty thruster uniquely:
¯σ(t) = arg min
k∈ST j ρ(t)bF k ·r(t)
kbF kkkr(t)k, t tg(47)
In this equation, ρdetermines whether an “open-” or “closed-type” thruster fault has occurred (see Section 2.1
about fault considerations). The notation ttgindicates that this rule is applied only when the NUIO–based
strategy (first stage) subscribed and confirmed the fault to the subset ST j .
With respect to ρ, the following two definitions are adopted depending on the identified thruster group STj ,
i.e.
a) Definition for j=1,...,4
Recalling the geometrical properties in terms of torque directions (see Section 2), i.e. that thrusters belonging
to the first four groups ST j , j = 1,...,4generate torques in the same direction within these groups, i.e.
bT k =bT h ,k, h ∈ ST j . This property allows to consider the following definition for ρwhen j6= 5, i.e.
ρ(1:4)(t) = sign bT k ·ˆ
Tbias(t),for any k∈ ST j , j 6= 5 (48)
where ˆ
Tbias R3is the estimate of the real torque bias Tbias and sign(·)stands for the signum function. This
bias is due to the faulty thruster (see equation (7)) and should be understood as follows5
Tbias(t) = BTΨ(t)u(t),Ψ(t)6=0(49)
It is obvious that the two fault types, i.e. “open-” and “closed-type”, result in exactly opposite torque bias
(shift) relative to the torque direction bT k,k∈ ST j , j 6= 5.
The torque bias (49) can be estimated using an EKF based on the nominal (J,J0) attitude dynamics
model (13), see for instance (Posch et al.,2013) for realisation details. Note that in (48), the direction vector
bT k can be any from ST j since they are equal for all j= 1,...,4.
b) Definition for j=5
Considering the thruster group 5, it is obvious that the previous strategy cannot be used since bT k , k
ST5are not unique/same-valued direction vectors, see equation (6). However, a special property of thrusters
belonging to this subset is that they barely produce any torque in the x- and y-axis. This enables to focus only
on the z-axis. Thus, the following definition for ρwhen j= 5 is proposed:
ρ(5)(t) = fW ald rbias(tk), j = 5 (50)
where rbias(tk) = ˆ
Tz
bias(tk)ˆ
Tz
bias(tk1),ˆ
Tz
bias is the third component (i.e. the component on the z-axis) of
ˆ
Tbias and fW ald(·)stands for the sequential Wald test for the variance applied on rbias . This test can result in
three possible situations:
fW aldrbias (tk)=
1if decision in favour of “closed-type”
0if no decision has been adopted
1if no decision in favour of “open-type”
(51)
Implementation details on the sequential Wald test, also known as Sequential Probability Ratio Test (SPRT)
test, can be found in (Basseville and Nikiforov,1993).
5In other words, this bias can be also understood as a difference (bias) between the real torques applied on the spacecraft and
the torques as seen from the controller point of view.
12
Improvement of the Strategy
For the thruster group number 5, taking into account (6), it is possible to slightly improve the reliability of
the isolation algorithm (47) by dividing the set ST5into two smaller subsets, i.e. Sa
T5={3,12}and Sb
T5={6,9}.
Now, the isolation rule (47) can be redefined for j= 5 as follows
¯σ(t) =
arg min
k∈Sa
T5ρ(5)(t)bF k ·r(t)
kbF kkkr(t)k,if min
k∈Sa
T5
ρ(5) bT k ·ˆ
Tbiasmin
k∈Sb
T5
ρ(5) bT k ·ˆ
Tbias
arg min
k∈Sb
T5ρ(5)(t)bF k ·r(t)
kbF kkkr(t)k, otherwise
Now, the logic (47) is able to isolate any of the four considered fault scenarios (see Section 2.1), thus thruster
fault of both types, within any truster group ST j , j = 1,...,5(supposing that the thruster group isolation j= ¯σg
was successful).
Finally, another confirmation window, δ > 0, is introduced according to
ti= arg inf
ttg+δ{¯σ(t) = ¯σ(ϑ),ϑ(tδ, t]}(52)
where tiis the isolation time of the faulty thruster. Let i= ¯σ(ti)for future reference.
5. Fault Accommodation
Once a faulty thruster is isolated, a fault accommodation mechanism has to be engaged in order to maintain
the capture objectives of the MSR mission. To carry out such objectives, TAS has designed the thruster config-
uration presented in Section 2. This configuration disposes of some Degrees of Freedom (DoF) to achieve fault
tolerance (functional redundancy). Particularly, the set of N= 12 thrusters is placed on the chaser spacecraft
(see Fig. 1) such that the nominally attainable set Waof propulsion moments Tand forces Fis relatively close
to the sets obtained by combining the thrust of any N1 = 11 thruster. From a practical viewpoint it means
that it is possible to achieve the required capture accuracy and the necessary GNC performance with only
eleven healthy thrusters. On the other hand, the nominal 6 DoF control law that is planned to be implemented
on-board, is designed to guarantee the capture objectives such as: attitude alignment versus the target, the
longitudinal and lateral velocities and the position in the rendezvous corridor. Since the CA technique do not
require any modification in the control law, it motivates to propose the fault tolerance solution to be based on
this philosophy. Moreover, the CA solution is further justified by the fact that all thrusters are individually
equipped with a Thruster Latch Valve (TLV) able to disengage the propellant arrival, switching off de facto
the associated thruster. Thus, as soon as the ith thruster is confirmed to be faulty by ¯σ, see (47) and (52),
the faulty thruster is switched off using the dedicated TLV and the desired forces Fdand torques Tdof the
controller are redistributed among the remaining N1healthy thrusters. Figure 3gives an overview of the
proposed FDI/CA-based FTC solution implemented within the GNC architecture.
Navigation
Unit
6 DOF
Controller
Control
Allocation
Chaser
Dynamics
Propulsion
System
Fault
Detection and
Isolation
Thruster Faults
Uncertainties, Delays
Uncertainties,
Spatial Disturbances
ref
Noise
closingthei-ththruster
Figure 3: FDI/CA-based FTC strategy for thruster faults implemented within the GNC architecture
5.1. Reconfigurable Control Allocation
The on-board CA algorithm shall determine in real-time, i.e. at each control cycle (10 Hz frequency), the
proper thruster selection and their firing times to achieve the controller-commanded torque and force impulses.
13
Many CA algorithms have potential to be applied, see (Johansen and Fossen,2013) for a recent survey on CA
techniques. To make use of the remaining healthy thrusters in case of a failure, it is required to reconfigure the
CA scheme (re-allocation). This re-allocation can be achieved easily by changing some constraints or parameters
of the existing CA algorithms.
In this paper, a modified version of the NIPC approach is proposed. The original version of the NIPC
algorithm was presented by Jin et al. (1995). The NIPC method solves the following optimization problem
u= arg min
ukWv¯
Bu vdkp
s.t. 0uk¯uk,k∈ Sall
(53)
where ¯
B= [¯
b1, ..., ¯
b12] = [BT
TBT
F]Tis the overall thruster configuration matrix, vd= [TT
dFT
d]Tis the vector
of the desired torque and force commands of the 6 DoF control law synthesized by the 6 DoF controller and
followed by the thruster modulator unit, and ¯ukis the maximum opening duration of the kth thruster. The core
of the fault tolerance principle is that if the ith thruster is faulty, then ¯uiis set to 0. The weighting matrix Wv
affects the prioritization among torque/force components when ¯
Bu vdcannot be attained due to thruster
physical constraints. The different choices of the vector p-norm in (53) result in:
1. Minimum flow rate allocation: min kuk1
2. Minimum power allocation: min kuk2
3. Minimum peak torque/force allocation: min kuk
Using the minimum flow rate allocation will yield the greatest control authority for flow rate limited thruster
systems. Similarly for the other two allocations. It is known that stability of the closed-loop system can be
guaranteed as long as the constraints of the optimization problem (53) are met (feasibility implies stability).
Algorithm 2 NIPC control allocation with fault tolerance principle
1: Set iter = 0 and v=vd;
2: if the ith thruster is declared to be faulty then
3: Construct ¯
Bifrom ¯
Bsuch that ¯
bi=0and set ¯ui,0;
4: else
5: Set ¯
Bi,¯
B;
6: end if
7: while kWverrorkp> ε and iter < N max
iter do
8: v=v+λcerror;
9: upc =¯
Bp+
iv;
10: uc= (upc +|upc|)/2;
11: for k= 1 to Ndo
12: if uc
k>¯ukthen uc
k= ¯uk;end if
13: if uc
k< MIB/2then uc
k= 0;end if
14: if MIB/2uc
k< MIB then uc
k=MIB;end if
15: end for
16: error =¯
Biucvd;
17: iter =iter + 1;
18: end while
19: Set u,uc;
The proposed NIPC method that solves the re-allocation problem to ensure thruster fault tolerance, is given
in Algorithm 2. This algorithm also solves the optimization problem (53). It terminates if a certain precision
ε0of the allocated torques/forces, weighted by Wv, is achieved (typical choice is ε0) or if the maximum
number of iterations Nmax
iter is reached. Nmax
iter can be considered to reflect the max computation time available.
In Algorithm 2,MIB stands for the Minimum Impulse Bit, i.e. the minimum shooting time that a thruster can
execute, λc>0allows to manage the convergence time of the algorithm and ¯
Bp+
istands for the generalized
inverse of ¯
Bigiven in step 3(optimal in the sense of the chosen p-norm). It is obvious, that both Nmax
iter and
λcinfluence the computational burdens of the algorithm.
Fault tolerance is achieved due to step 3and consequently to steps 9and 12 in the Algorithm 2. The index
"i" being determined by the FDI unit. Changing the minimization objective in (53) is very simple since it results
in changing the criterion p∈ {1,2,∞} in steps 7and 9.
Remark 3. The NIPC algorithm has been compared with other powerful CA approaches presented in (Härkegård,
2003). Results from a numerical campaign have shown that the NIPC approach constitutes a good trade-off
14
between accuracy and computational complexity. This is mostly due to the algorithm’s conceptual simplicity,
i.e. the matrices ¯
Bp+
iin step 9are all fixed, thus it is possible to pre-compute them all off-line. This enables
to reduce the computational burdens, but the price to pay is a higher memory consumption.
6. Simulation Campaign
The scenario considered in this study is focused on the terminal rendezvous phase, which brings the chaser
from approximately 20 m range up to the capture point. The objective is to successfully capture the target.
To achieve this, the MSR capture conditions in terms of positions and velocities, and of relative attitude and
angular rates must be achieved within a certain precision (see Table 1for numerical values). Furthermore,
during the whole rendezvous phase, the chaser spacecraft must maintain its position within the rendezvous
corridor and must keep its attitude pointing towards the target with a maximum misalignment of 20 degrees
on all the axis (roll, pitch, and yaw axes).
Capture condition Nominal value Max variation Unit
Translational
conditions
Position misalignment on +X face 0.0 0.20 m
Longitudinal X velocity accuracy 0.1 0.05 m/s
Lateral Y and Z velocity error 0.0 0.04 m/s
Rotational
conditions
Angular rate error 0 0.3?deg/s
Angular misalignment 0 2?deg
Table 1: Baseline MSR conditions for successful capture (?are 3σrequirements)
The FTC strategy described in the previous sections has been implemented within the MSR high-fidelity
industrial simulator provided by Thales Alenia Space industries. This simulator includes a nonlinear model of the
rigid body dynamics of the chaser and target in a Mars orbit. Simulation assumes that Mars is in a Keplerian
orbit about the Sun. The chaser and target orbits around Mars are modelled using Gauss’ equations, with
the gravitational field of Mars calculated using a spherical harmonic expansion with the Mars50c coefficients
(Konopliv and Sjogren,1995;Hartley et al.,2012). The attitude dynamics are modelled assuming that the
chaser and target are rigid bodies (Sidi,1997).
Following the design steps given in Algorithm 1, a bank of 5 NUIOs has been designed. The numerical values
for α,b,c,β, and κbeing fixed to 0,0.18,0.05,π/4, and 0.9for all NUIOs, respectively. The numerical values
of γand γare found to be 0.9047 and 1.4039 ×104. The selected parameters for the NIPC (see Algorithm 2)
algorithm correspond to: Wv=I,Nmax
iter = 350,λc= 1.89,ε= 107and p= 2, i.e. the 2nd vector norm
was chosen leading to minimum power allocation. Each thruster is considered to have MIB = 0.068 s. Above
this, the actual commanded open durations are quantised by step of 0.01 s. The GLR decision test given by
(11) has been implemented recursively with Jth = 33,Ts= 0.1s, t0= 100 s and wi= 1/3,i∈ {1,2,3}. The
chosen threshold Jth has been determined through Monte Carlo simulations to ensure minimum (ideally zero)
false alarm rate. This approach is widely used in the FDI community (see Patton et al. (2006) for more details).
For the two-stage isolation logic, a confirmation window δg= 1.5s has been considered in (46) and δ= 0.5s in
(52). The 4th order Runge-Kutta integration method has been used to propagate the nonlinear equations for
the EKF to obtain the estimate ˆ
Tbias of the torque bias. The EKF state covariance matrix was tuned such that
the estimated torque bias “directions” are as close as possible to the real ones. The measurement covariance
matrix has been selected based on the knowledge of the gyro model.
Figure 4serves as a simulation example and aims to highlight the need for an active FTC solution. This
example corresponds to a fully open thruster fault (i.e. case 1) occurring at tf= 1100sand affecting thruster
No.7. To emphasize the relevance of the engagement of the proposed FTC scheme into the GNC system,
two identical simulations are carried out. First, when the proposed FTC strategy is active (FTC on), and
second, when it is disengaged (FTC off). Figure 4clearly illustrates the consequence when such a fault is not
accommodated, i.e. the chaser misses the target and the mission fails. On the other hand, when the proposed
approach is engaged, the chaser maintains nominal trajectory, i.e. stays inside the rendezvous corridor and
the MSR capture requirements are met. Furthermore, it can be inferred from Fig.4that the chaser keeps its
attitude pointing towards the target all the time.
A Monte Carlo simulation campaign is often used in the industry to test and validate the performance of an
FDI/FTC system. In this simulation study, a high number of simulation models with randomly drawn dynamics
is associated with the following three thruster fault scenarios:
case 1: fully open thruster, i.e. mleak = 1;
case 2: bipropellant leakage ranging from 7% to 20%, i.e. mleak ∼ U(0.07,0.2);
15
Figure 4: Chaser trajectory within the MSR rendezvous corridor
case 3: loss of efficiency ranging from 30% to 100%, i.e. mloss ∼ U(0.3,1).
The selected leakage and efficiency loss intervals were determined based on the study presented in (Fonod et al.,
2014b). In this study, it was shown that if the FDI unit fails to detect or isolate a small thruster fault (e.g.
mloss .15%), the effect that this fault has on the GNC system and/or on the final MSR capture performance
requirements is negligible. It is due to the fact that such relatively small fault has a very little impact on the
system dynamics and shall be compensated by a robust control law. On the other hand, such faults are very
hard or even impossible to detect and isolate.
For each faulty case, a set of 1000 Monte Carlo simulations has been carried out in order to assess the
performance of the proposed FTC strategy. Thruster faults are uniformly distributed among all the 12 thrusters.
In all cases, fault occurs at time tf= 1000 s and is maintained. All the (3×1000) simulations were carried
out under realistic conditions, i.e. the navigation unit is considered to deliver “non-perfect” state estimates.
Therefore all signals used by the FDI scheme, NIPC algorithm and the 6 DoF controller are replaced with their
respective uncertain values. Time-varying delays induced by the CPDE device and spatial disturbances (e.g.,
solar radiation pressure, gravity gradient, and atmospheric drag assuming an exponential atmospheric model)
are also considered.
For each run, the nominal model parameters were scattered within a specific limit (see Table 2for details).
The mass, the CoM and the inertia were scattered according to the normal distribution and truncated to the
corresponding 3σvalues. The 1% multiplicative uncertainty on the thrusters forces models the uncertainty on
the thruster rise times and the thruster misalignment phenomena. Because the real configuration matrix ¯
Bis
never precisely known on-board, an uncertain configuration matrix is considered for on-board computational
purposes (control law, FDI, CA). This matrix has been computed using a worst-case scenario when an offset
of 3cm was added to each axis of the nominal CoM (see Table 2). A 10% initial navigation uncertainty is
considered on the Cartesian coordinates xp(see Table 3).
Property Nominal value Unit Uncertainty Distribution
Mass (m) 1575 kg ±10% N(1,0.1/3)
Inertia (J)
1450 20 5
20 1800 5
55 1200
kg ·m2±20% N(1,0.2/3)
CoM (dCoM )0.880 0.035 0.035Tm±3cm N(0,0.03/3)
Thrust (12 × kFTk)12 ×22 N±1% N(1,0.01)
Cartesian coordinates (xp) Converted orbital elements
(see Table 3)
m, m/s ±10% N(1,0.1/3)
Table 2: Considered parameter uncertainties of the chaser spacecraft
To evaluate performance and reliability of the proposed FDI scheme, some statistical indices have been used
like the mean detection delay and its corresponding deviation. The considered indices are listed below:
µ(τd)(τd)- mean/standard deviation (st.dev.) of the detection delay τd=tdtf,
µ(τg)(τg)- mean/st.dev. of the thruster group isolation delay τg=tgtd,
µ(τi)(τi)- mean/st.dev. of the thruster isolation delay τi=titg,
16
Orbital parameter Chaser Target Unit
Semimajor axis 3893 3893 km
Eccentricity 0 0 n/a
Inclination 30 30 deg
RAAN 0 0 deg
Argument of periapsis 0 0 deg
True anomaly -32.16×1050 deg
Table 3: Initial Keplerian orbital parameters of the chaser and target
µ(τo)(τo)- mean/st.dev. of the overall detection and isolation delay τo=titf,
pf- FDI unit fail rate, i.e. the number of wrongly isolated thrusters divided by the total number of Monte
Carlo runs (1000 for each fault scenario).
These performance indices are calculated for each fault case separately. Table 4presents complete results
obtained from the simulation campaign. This table demonstrates that the proposed FDI scheme is able to detect
and isolate almost all considered thruster faults with good detection/isolation performances. In addition, it also
shows a good reliability since no false detection/isolation has been revealed for the first two faulty scenarios
(pf= 0). Considering the thrust loss scenario, in about 110 simulation cases, the FDI unit failed to either
detect or correctly isolate the faulty thruster. As it will be shown in the next, this fact does not violate any
capture condition nor the mission success.
Metric Fully open Leakage Thrust loss
µ(τd)(τd)2.36/0.14 (s) 4.97/0.75 (s) 48.44/53.29 (s)
µ(τg)(τg)1.50/0.86 (s) 1.75/0.37 (s) 3.37/5.16 (s)
µ(τi)(τi)0.40/0.00 (s) 3.70/11.39 (s) 4.20/8.21 (s)
µ(τo)(τo)4.27/0.87 (s) 10.41/11.71 (s) 56.01/54.57 (s)
pf0 0 0.11
Table 4: FDI performances based on 3×1000 Monte Carlo runs
Figures 5a-9b illustrate the fault tolerant capabilities of the proposed technique. The capture conditions in
terms of position and velocities are given in Fig. 5a, Fig. 7a, and Fig. 9a for fully open thruster, leaking thruster
and efficiency loss thruster fault, respectively. Figure 5b, Fig. 7b and Fig. 9b illustrate that in all faulty cases
the chaser maintains the nominal trajectory (i.e. stays inside the rendezvous corridor) and that the chaser keeps
its attitude pointing towards the target, thus, leading to a successful capture. Finally, Fig. 6b, Fig. 8b and
Fig. 10b show that the proposed strategy is able to meet the required 3σcapture accuracy in terms of angular
misalignment and angular rate errors.
Note that the early detection of the occurrence of incipient or small size thruster faults (e.g., small propellant
leakage or small thrust loss) is clearly more difficult. Another problem can arise when a fully blocked thruster
(i.e. mloss = 1) is not commanded and thus a fault detection is almost impossible. As seen in Fig. 9a and Fig. 9b,
despite the fact that in some cases the FDI unit failed, the required capture tolerances and attitude/trajectory
conditions are fully met.
On the other hand, in some particular cases, the attitude misalignment requirement (3 - sigma) is not met
even if the FDI unit succeeded. This can be the case when it takes too long for the FDI unit to detect and/or
isolate the faulty thruster or when the control accuracy is very degraded, e.g., due to a worst case uncertainty
or strong disturbance. In such cases, the solution consists in a corrective maneuver (e.g. triggering a collision
avoidance maneuver) that is engaged at the higher level of the fault management unit, see (LePeuvédic et al.,
2014).
7. Conclusion
In this paper, a systematic procedure has been presented for the theoretical design and application of a
model-based approach to FDI/CA-based FTC of an autonomous rendezvous system in the terminal phase. The
aim was to detect and isolate a single thruster fault affecting the chaser propulsion system and to accommodate
it as quick as possible. The proposed FDI scheme consists of a robust fault detector and a NUIO and EKF-
based hierarchical isolation logic. The NUIO gains are given by solving an LMI optimization problem, which
ensures maximization of the admissible Lipschitz constant while simultaneously satisfying an L2gain bound
17
−0.8
−0.6
−0.4
−0.2
0
0.2
0.4
0.6
0.8
Chaser spacecraft Y axis
Chaser spacecraft Z axis
Basket aperture
Misalignment requirement
Target center (FDI success)
−6
−4
−2
0
2
4
6
Lateral Y velocity
Lateral Z velocity
Velocity requirement
Target lateral velocity (FDI success)
2 4 6 8 10 12 14 16 18
−1
0
1
2
3
Longitudinal X velocity (cm/s)
Nominal velocity
Out of requirement (3 sigma)
Target velocity (FDI success)
(a) Position misalignment (top left), lateral velocity (top right)
and longitudinal velocity (bottom)
(b) Chaser’s attitude error (left) and trajectory inside the ren-
dezvous corridor (right)
Figure 5: Capture position requirements and GNC performances for fault case 1
1 2 3 4 5 6 7 8 9 1011 12
0
20
40
60
80
100
120
Thruster indices distribution
0.9 0.95 1 1.05 1.1
0
50
100
Mass (10%)
−0.02 0 0.02
0
50
100
CoM (x−axis) −0.02 0 0.02
0
50
100
CoM (y−axis) −0.02 0 0.02
0
50
100
CoM (z−axis)
0.8 1 1.2
0
50
100 Inertia (Ixx)
0.8 1 1.2
0
50
100 Inertia (Ixy)
0.8 1 1.2
0
50
100 Inertia (Ixz)
0.8 1 1.2
0
50
100 Inertia (Iyx)
0.8 1 1.2
0
50
100 Inertia (Iyy)
0.8 1 1.2
0
50
100 Inertia (Iyz)
0.8 1 1.2
0
50
100 Inertia (Izx)
0.8 1 1.2
0
50
100 Inertia (Izy)
0.8 1 1.2
0
50
100 Inertia (Izz)
(a) Inertia (top left), mass (middle left), CoM (bottom left) and
thruster indices (top right) distribution
(b) Angular misalignment (left) and angular rate error (right)
at capture
Figure 6: Considered distributions and capture angular requirements for fault case 1
−0.8
−0.6
−0.4
−0.2
0
0.2
0.4
0.6
0.8
Chaser spacecraft Y axis
Chaser spacecraft Z axis
Basket aperture
Misalignment requirement
Target center (FDI success)
−6
−4
−2
0
2
4
6
Lateral Y velocity
Lateral Z velocity
Velocity requirement
Target lateral velocity (FDI success)
2 4 6 8 10 12 14 16 18
−1
0
1
2
3
Longitudinal X velocity (cm/s)
Nominal velocity
Out of requirement (3 sigma)
Target velocity (FDI success)
(a) Position misalignment (top left), lateral velocity (top right)
and longitudinal velocity (bottom)
(b) Chaser’s attitude error (left) and trajectory inside the ren-
dezvous corridor (right)
Figure 7: Capture position requirements and GNC performances for fault case 2
18
1 2 3 4 5 6 7 8 9 1011 12
0
20
40
60
80
100
120
Thruster indices distribution
8 10 12 14 16 18 20
0
10
20
30
40
Leakage size [%]
0.9 0.95 1 1.05 1.1
0
50
100
Mass (10%)
−0.02 0 0.02
0
50
100
CoM (x−axis) −0.02 0 0.02
0
50
100
CoM (y−axis) −0.02 0 0.02
0
50
100
CoM (z−axis)
0.8 1 1.2
0
50
100 Inertia (Ixx)
0.8 1 1.2
0
50
100 Inertia (Ixy)
0.8 1 1.2
0
50
100 Inertia (Ixz)
0.8 1 1.2
0
50
100 Inertia (Iyx)
0.8 1 1.2
0
50
100 Inertia (Iyy)
0.8 1 1.2
0
50
100 Inertia (Iyz)
0.8 1 1.2
0
50
100 Inertia (Izx)
0.8 1 1.2
0
50
100 Inertia (Izy)
0.8 1 1.2
0
50
100 Inertia (Izz)
(a) Inertia (top left), mass (middle left), CoM (bottom left),
thruster indices (top right) and leakage size (bottom right) dis-
tribution
(b) Angular misalignment (left) and angular rate error (right)
at capture
Figure 8: Considered distributions and capture angular requirements for fault case 2
−0.8
−0.6
−0.4
−0.2
0
0.2
0.4
0.6
0.8
Chaser spacecraft Y axis
Chaser spacecraft Z axis
Basket aperture
Misalignment requirement
Target center (FDI success)
Target center (FDI failed)
−6
−4
−2
0
2
4
6
Lateral Y velocity
Lateral Z velocity
Velocity requirement
Target lateral velocity (FDI success)
Target lateral velocity (FDI failed)
2 4 6 8 10 12 14 16 18
−1
0
1
2
3
Longitudinal X velocity (cm/s)
Nominal velocity
Out of requirement (3 sigma)
Target velocity (FDI success)
Target velocity (FDI failed)
(a) Position misalignment (top left), lateral velocity (top right)
and longitudinal velocity (bottom)
(b) Chaser’s attitude error (left) and trajectory inside the ren-
dezvous corridor (right)
Figure 9: Capture position requirements and GNC performances for fault case 3
1 2 3 4 5 6 7 8 9 1011 12
0
20
40
60
80
100
Thruster indices distribution
40 60 80 100
0
10
20
30
40
Thrust loss size [%]
0.9 0.95 1 1.05 1.1
0
50
100
Mass (10%)
−0.02 0 0.02
0
50
100
CoM (x−axis) −0.02 0 0.02
0
50
100
CoM (y−axis) −0.02 0 0.02
0
50
100
CoM (z−axis)
0.8 1 1.2
0
50
100 Inertia (Ixx)
0.8 1 1.2
0
50
100 Inertia (Ixy)
0.8 1 1.2
0
50
100 Inertia (Ixz)
0.8 1 1.2
0
50
100 Inertia (Iyx)
0.8 1 1.2
0
50
100 Inertia (Iyy)
0.8 1 1.2
0
50
100 Inertia (Iyz)
0.8 1 1.2
0
50
100 Inertia (Izx)
0.8 1 1.2
0
50
100 Inertia (Izy)
0.8 1 1.2
0
50
100 Inertia (Izz)
(a) Inertia (top left), mass (middle left), CoM (bottom left),
thruster indices (top right) and thrust loss size (bottom right)
distribution
(b) Angular misalignment (left) and angular rate error (right)
at capture
Figure 10: Considered distributions and capture angular requirements for fault case 3
19
and pole constraints on observer dynamics. The L2attenuation is considered to minimize the effect of the
uncertain inertia on the state estimation error. The NUIO design together with the derivation of the uncertain
inertia inverse factorization can be considered as a contribution to the theory. The thruster fault tolerance is
achieved by an improved version of the the NIPC control allocation algorithm scheduled by the robust FDI
scheme. A Monte Carlo simulation campaign has been performed to assess the performance and robustness of
the FDI/CA-based FTC system subject to parameter uncertainties, spatial disturbances, delays and imperfect
navigation. The obtained results indicate that for all the considered fault profiles, which are those considered
to be the most relevant by the industrial partners, the proposed strategy can carry out the terminal rendezvous
successfully and meet all the required capture specifications.
Acknowledgement
The authors would like to thank the ESA (Guidance, Navigation and Control Section at European Space
Research and Technology Centre) and Thales Alenia Space France (Research and Technology/Science and
Observation within the Research and Development Department) for providing the funding that made this
research possible, through the ESA Networking/Partnering Initiative (NPI) Program.
Appendix A. Proof of Proposition 1
To prove Proposition 1, the following lemma is introduced first:
Lemma 1 (Neumann series of a matrix, Chatelin (1983)). Consider a square matrix Asuch that kAk<
1. Let λbe any eigenvalue of A. It is clear that (IA)is invertible if λ6= 1,λΛ(A). The condition
kAk<1implies that |λ|<1,λΛ(A). Thus, (IA)is invertible and the Neumann series
(IA)1=
X
k=0
Ak=I+A+A2+. . . (A.1)
converges. When kAk ≥ 1,(IA)is still invertible if λ6= 1,λΛ(A), but the Neumann series does not
converge because lim
k→∞ Ak6=0.
Proof of Lemma 1Since kAk<1, the series P
k=0 kAkkconverges. Since kAhk≤kAkh, the series P
k=0 Ak
converges, too. Denote by Zits limit. ZA =AZ =P
k=0 Ak+1; therefore (IA)Z=Z(IA) = I, which
proves (A.1).
The real inertia matrix Jis always invertible and symmetric, thus J0and J0+R
J
JSJare invertible and
symmetric too. Now, multiplying (20) by J1
0from the left yields
J1
0J=I+J1
0R
J
JSJ(A.2)
inverting both sides gives
J1J0= (I+J1
0R
J
JSJ)1(A.3)
Since T
J
JI⇒ k
Jk ≤ 1, the following bound yields
kJ1
0R
J
JSJk≤kJ1
0R
Jkk
JkkSJk≤kJ1
0R
JkkSJk(A.4)
Thus, if kJ1
0R
JkkSJk<1, then the right-hand side of (A.3) can be expressed according to to Lemma 1as
follows
(I(J1
0R
J
JSJ))1=
X
k=0
(1)k(J1
0R
J
JSJ)k(A.5)
Pre-multiplying (A.3) by J1
0from the right and substituting (A.5) gives
J1=
P
k=0
(1)k(J1
0R
J
JSJ)kJ1
0
=J1
0+
P
k=1
(1)k(J1
0R
J
JSJ)kJ1
0=J1
0+R11S1
(A.6)
where
R1=J1
0R
J(A.7)
S1=SJJ1
0(A.8)
1=
J(I+SJJ1
0R
J
J(SJJ1
0R
J
J)2+. . .)(A.9)
20
It is needed to check if T
111. Considering the worst-case uncertainty, i.e.
J=I, and inserting it in
(A.9) yields to
¯
1=I+SJJ1
0R
J(SJJ1
0R
J)2+. . . =
X
k=0
(1)k(SJJ1
0R
J)k(A.10)
which gives the upper bound of 1, i.e. k1k k ¯
1k. According to Lemma 1, the right-hand side of (A.10)
is equivalent to
¯
1=
X
k=0
(1)k(SJJ1
0R
J)k=(I+SJJ1
0R
J)1(A.11)
if kSJJ1
0R
Jk<1, which is true since kSJJ1
0R
Jk ≤ kJ1
0R
JkkSJk<1. It is obvious that k¯
1k=
k(I+SJJ1
0R
J)1k>1, thus a new scaling matrix W2must be introduced such that
1=W22,T
22I(A.12)
where 2is unknown. One of the possible choice of W2is to take the norm upper bound of 1, i.e.
W2=k¯
1kI=k(I+SJJ1
0R
J)1kI(A.13)
Then, the following holds
k1k=kW22k=k¯
1kk2k≤k¯
1k ⇒ T
22I
Inserting (A.12) into (A.6) and setting R2=R1W2,S2=S1, (A.6) yields (21).
Appendix B. Proof of Theorem 1
In the proof of Theorem 1, the following lemma is used:
Lemma 2 (Zhou and Khargonekar (1988)). Let D,F, and Σ(t)being matrices with appropriate dimen-
sions. If ΣT(t)Σ(t)I, then for any scalar  > 0the following inequality holds:
DΣ(t)F+FTΣT(t)DT1DDT+FTF(B.1)
Proof of Lemma 2It can be verified that the following yields
1
2DT1
2Σ(t)FT1
2DT1
2Σ(t)F0
then expanding the above yields
1FTΣT(t)Σ(t)F+DDTDΣ(t)F+FTΣT(t)DT
It is obvious that kΣk ≤ 1λmax(ΣTΣ)1ΣTΣI, thus
DDT+1ETE1FTΣT(t)Σ(t)F+DDTDΣ(t)F+FTΣT(t)DT
To proceed with the proof of Theorem 1, assume that His chosen such that (33) holds. Under the assumption
that B=R22S2BTwith T
22I, the error dynamics of the NUIO can be rewritten as
˙
e=Ne +M(Φˆ
Φ) + M R22S2BTu(B.2)
where Φand ˆ
Φstand for Φ(x)and Φ(ˆx), respectively. Considering the quadratic Lyapunov function V(t) =
e(t)TP e(t), the time derivative of V(t)along the trajectory of (B.2) is given by
˙
V=eT(NTP+P N )e+ 2eTP M(Φˆ
Φ)+2eTP M R22S2BTu(B.3)
Using the Lipschitz condition stated in Assumption 1and Lemma 2with = 1 it follows that
2eTP M (ˆ
ΦΦ)2γkeTP M kkek ≤ eTP M M TP e +γ2eTe
2eTP M R22S2BTueTP MR2RT
2MTP e +uT(S2BT)TS2BTu
and (B.3) can be bounded as follows
˙
VeTNTP+P N +P M (I+R2RT
2)MTP+γ2Ie+uT(S2BT)TS2BTu(B.4)
21
Let’s consider the Hperformance criteria
min
κ:ZT
0
eT(t)e(t)dt κ2ZT
0
uT(t)u(t)dt T0(B.5)
then it is straightforward to verify that the L2gain from Bu to eis bounded by κ > 0if and only if
Ψ10
Ψ2<0(B.6)
with
Ψ1=NTP+P N + (1 + γ2)I+P M (I+R2RT
2)MTP
Ψ2= (S2BT)TS2BTκ2I
Then, by virtue of the Schur’s complement lemma, (B.6) is equivalent to
NTP+P N + (1 + γ2)I P M P M R20 0
∗ −I0 0 0
∗ −I0 0
∗ −κ2I S2BT
∗ −I
<0(B.7)
It can be seen that there is no systematic way to obtain the observer parameters directly from (B.7) due to
coupled terms. To reformulate (B.7) as an LMI, His substituted by (34), and use the following assignments
¯
Y=P Y ,¯
K=P K and ξ=γ2. Additionally, it is desired to achieve the maximum possible Lipschitz constant
γand simultaneously to respect the constraint γγ. This constraint can be rewritten by defining a new
variable ξ= (γ)2as ξγ20. Then, using the Schur’s complement, (38) follows. It is then obvious that
maximizing ξis equivalent to maximizing γ. This concludes the proof of Theorem 1.
References
Abbaszadeh, M., Marquez, H.J., 2009. LMI optimization approach to robust Hobserver design and static output feedback
stabilization for discrete-time nonlinear uncertain systems. International Journal of Robust and Nonlinear Control 19, 313–340.
doi:10.1002/rnc.1310.
Alwi, H., Edwards, C., 2008. Fault tolerant control using sliding modes with on-line control allocation. Automatica 44, 1859–1866.
doi:10.1016/j.automatica.2007.10.034.
Alwi, H., Edwards, C., Marcos, A., 2010. FDI for a mars orbiting satellite based on a sliding mode observer scheme, in: Conference
on Control and Fault-Tolerant Systems (SysTol), IEEE, Nice, France. pp. 125–130. doi:10.1109/SYSTOL.2010.5676035.
Bajpai, G., Chang, B., Lau, A., 2001. Reconfiguration of flight control systems for actuator failures. IEEE Aerospace and Electronic
Systems Magazine 16, 29–33. doi:10.1109/62.949534.
Basseville, M., Nikiforov, I., 1993. Detection of Abrupt Changes: Theory and Application. Prentice Hall, Englewood Cliffs, NJ.
Beaty, D., Grady, M., May, L., Gardini, B., 2008. Preliminary planning for an international Mars Sample Return mission. Technical
Report. Report of the International Mars Architecture for the Return of Samples (iMARS) Working Group.
Blanke, M., Kinnaert, M., Lunze, J., Staroswiecki, M., 2006. Diagnosis and Fault-Tolerant Control. Springer, Berlin.
Boada, J., Prieur, C., Tarbouriech, S., Pittet, C., Charbonnel, C., 2010. Multi-saturation anti-windup structure for satellite control,
in: Proc. American Control Conference, Baltimore, USA. pp. 5979–5984. doi:10.1109/ACC.2010.5531254.
Bodson, M., 2002. Evaluation of optimization methods for control allocation. Journal of Guidance, Control and Dynamics 25,
703–711. doi:10.2514/2.4937.
Bodson, M., Groszkiewicz, J., 1997. Multivariable adaptive control algorithms for reconfigurable flight control. IEEE Transactions
on Control Systems Technology 5, 217–229. doi:10.1109/87.556026.
Caglayan, A., Allen, S., Wehmuller, K., 1988. Evaluation of a second generation reconfiguration strategy for aircraft flight control
systems subjected to actuator failure/surface damage, in: IEEE National Aerospace and Electronics Conference, pp. 520–590.
doi:10.1109/NAECON.1988.195057.
Camacho, E., Bordons, C., 1999. Model Predictive Control. Springer, London.
Chatelin, F., 1983. Spectral Approximation of Linear Operators. Academic Press, Society for Industrial and Applied Mathematics,
New York.
Chen, J., Patton, R., 1999. Robust model-based fault diagnosis for dynamic systems. Kluwer Academic Publishers, Dordrecht.
doi:10.1007/978-1- 4615-5149- 2.
Chen, W., Saif, M., 2007. Observer-based fault diagnosis of satellite systems subject to time-varying thruster faults. Journal of
Dynamic Systems, Measurement and Control 129, 352–356. doi:10.1115/1.2719773.
Chilali, M., Gahinet, P., 1996. Hdesign with pole placement constraints: An LMI approach. IEEE Transactions on Automatic
Control 41, 358–367. doi:10.1109/9.486637.
Ding, S.X., 2013. Model-based Fault Diagnosis Techniques: Design Schemes, Algorithms, and Tools. 2nd ed., Springer-Verlag,
London. doi:10.1007/978-1- 4471-4799- 2.
Efimov, D., Cieslak, J., Henry, D., 2013. Supervisory fault tolerant control with mutual performance optimization. International
Journal of Adaptive Control and Signal Processing 27, 251–279. doi:10.1002/acs.2296.
22
Falcoz, A., Boquet, F., Dinh, M., Polle, B., Flandin, G., Bornschlegl, E., 2010a. Robust fault diagnosis for spacecraft: Application
to LISA pathfinder experiment, in: 18th IFAC Symposium on Automatic Control in Aerospace, IFAC, Nara, Japan. pp. 404–409.
doi:10.3182/20100906-5- JP-2022.00069.
Falcoz, A., Boquet, F., Flandin, G., 2010b. Robust H/Hthruster failure detection and isolation with application to the
lisa pathfinder spacecraft, in: AIAA Guidance, Navigation, and Control Conference, AIAA, Toronto, Ontario. doi:10.2514/6.
2010-7906.
Fonod, R., Henry, D., Bornschlegl, E., Charbonnel, C., 2013. Robust fault detection for systems with electronic induced delays:
Application to the rendezvous phase of the MSR mission, in: 12th European Control Conference, Zürich, Switzerland. pp.
1439–1444.
Fonod, R., Henry, D., Bornschlegl, E., Charbonnel, C., 2014a. Thruster fault detection, isolation and accommodation for
an autonomous spacecraft, in: 19th IFAC World Congress, Cape Town, South Africa. pp. 10543–10548. doi:10.3182/
20140824-6- ZA-1003.02144.
Fonod, R., Henry, D., Charbonnel, C., Bornschlegl, E., 2014b. A class of nonlinear unknown input observer for fault diagnosis:
Application to fault tolerant control of an autonomous spacecraft, in: 10th UKACC International Conference on Control,
Loughborough, United Kingdom. pp. 19–24. doi:10.1109/CONTROL.2014.6915108.
Fonod, R., Henry, D., Charbonnel, C., Bornschlegl, E., 2015. Position and attitude model-based thruster fault diagnosis: A
comparison study. Journal of Guidance, Control and Dynamics 38, 1012–1026. doi:10.2514/1.G000309.
Fu, Y.P., Cheng, Y.H., Jiang, B., Yang, M.K., 2011. Fault tolerant control with on-line control allocation for flexible satellite
attitude control system, in: 2nd International Conference on Intelligent Control and Information Processing, IEEE. pp. 42–46.
doi:10.1109/ICICIP.2011.6008195.
Gao, Z., Antsaklis, P., 1991. Stability of the pseudo-inverse method for reconfigurable control systems. International Journal of
Control 53, 717–729. doi:10.1080/00207179108953643.
Grenaille, S., Henry, D., Zolghadri, A., 2004. Fault diagnosis in satellites using Hestimators, in: International Conference on
Systems, Man and Cybernetics, IEEE, The Hague, NL. pp. 5195–5200. doi:10.1109/ICSMC.2004.1401019.
Härkegård, O., 2003. Backstepping and Control Allocation with Applications to Flight Control. Linköping studies in science and
technology. thesis no 820. Linköping University. Linköping, Sweden.
Hartley, E.N., Trodden, P.A., Richards, A.G., Maciejowski, J.M., 2012. Model predictive control system design and implementation
for spacecraft rendezvous. Control Engineering Practice 20, 695–713. doi:10.1016/j.conengprac.2012.03.009.
HARVD - Final Presentation, 2011. GMV and Thales Alenia Space and Swedish Space Corporation and SENER and jenaoptronik
and INTA, Final presentation, December 2011.
Henry, D., 2008a. Fault diagnosis of microscope satellite thrusters using H/Hfilters. Journal of Guidance, Control, and
Dynamics 31, 699–711. doi:10.2514/1.31003.
Henry, D., 2008b. From fault diagnosis to recovery actions for aeronautic and aerospace missions: A model-based point of view,
in: 23rd IAR Workshop on Advanced Control and Diagnosis, Coventry, UK. pp. 13–19.
Henry, D., Olive, X., Bornschlegl, E., 2011. A model-based solution for fault diagnosis of thruster faults: Application to the
rendezvous phase of the Mars Sample Return mission, in: 4th European Conference for Aerospace Sciences (EUCASS), St.
Petersburg, Russian Federation. doi:10.1051/eucass/201306423.
Jiang, J., 1994. Design of reconfigurable control systems using eigenstructure assignments. International Journal of Control 59,
395–410. doi:10.1080/00207179408923083.
Jin, H.P., Wiktor, P., DeBra, D., 1995. An optimal thruster configuration design and evaluation for quick step. Control Engineering
Practice 3, 1113–1118. doi:10.1016/0967-0661(95)00104-3.
Jin, J., Park, B., Park, Y., Tahk, M.J., 2006. Attitude control of a satellite with redundant thrusters. Aerospace Science and
Technology 10, 644–651. doi:10.1016/j.ast.2006.04.005.
Johansen, T.A., Fossen, T.I., 2013. Control allocation - survey. Automatica 49, 1087–1103. doi:10.1016/j.automatica.2013.01.035.
Josh, S., 1987. Design of failure accommodating multiloop LQG-type controllers. IEEE Transactions on Automatic Control 32,
740–741. doi:10.1109/TAC.1987.1104704.
Konopliv, A.S., Sjogren, W.L., 1995. The JPL Mars gravity field, Mars50c, based upon Viking and Mariner 9 Doppler tracking
data. Technical Report. NASA Jet Propulsion Laboratory.
LePeuvédic, C., Charbonnel, C., Henry, D., Strippoli, L., Ankersen, F., 2014. Fault tolerant control design for terminal rendezvous
around mars, in: 9th International ESA Conference on GNC, Portugal.
Looze, D., Weiss, J., Eterno, J., Barett, N., 1985. An automatic redesign approach for restructurable control systems. IEEE Control
System Magazine 5, 16–22. doi:10.1109/MCS.1985.1104940.
Maciejowski, J., 2002. Predictive Control with Constraints. Prentice-Hall, Harlow, England.
Noura, H., Theilliol, D., Ponsart, J., Chamseddine, A., 2009. Fault-Tolerant Control Systems: Design and Practical Applications.
Springer Verlag, London.
Oppenheimer, M., Doman, D., Bolender, M., 2010. Control allocation, in: Levine, W.S. (Ed.), The control handbook, control
system applications (2nd ed., Chapter 8). CRC Press.
Ostroff, A., 1985. Techniques for accommodating control effector failures on a mildly statically unstable airplane, in: Proceedings
of the American Control Conference, pp. 903–906.
Page, A., Steinberg, M., 2002. High-fidelity simulation testing of control allocation methods, in: AIAA Guidance, Navigation and
Control Conference and Exhibit, AIAA, Monterey, California. doi:10.2514/6.2002- 4547.
Patton, R., Frank, P., Clark, R., 2000. Issues of fault diagnosis for dynamic systems. Springer, London.
Patton, R., Uppal, F., Simani, S., Polle, B., 2006. A monte carlo analysis and design for FDI of a satellite attitude control system,
in: Proceedings of SAFEPROCESS’2006, IFAC, Beijing, China. pp. 1393–1398. doi:10.3182/20060829-4- CN- 2909.00220.
Patton, R., Uppal, F., Simani, S., Polle, B., 2008. Reliable fault diagnosis scheme for a spacecraft attitude control system.
Proceedings of the Institution of Mechanical Engineers Part O: Journal of Risk and Reliability 222, 139–152. doi:10.1243/
1748006XJRR98.
Patton, R., Uppal, F., Simani, S., Polle, B., 2010. Robust FDI applied to thruster faults of a satellite system. Control Engineering
Practice 18, 1093–1109. doi:10.1016/j.conengprac.2009.04.011.
Pettazzi, L., Lanzon, A., Theil, S., Finzi, A., 2009. Design of robust drag-free controllers with given structure. Journal of Guidance,
Control, and Dynamics 32, 1609–1621. doi:10.2514/1.40279.
Posch, A., Schwientek, A., Sommer, J., Fichter, W., 2013. Model-based on-board realtime thruster fault monitoring, in: Proceedings
of IFAC Symposium on Automatic Control in Aerospace, Würzburg, Germany. pp. 553–558. doi:10.3182/20130902-5- DE-2040.
00080.
23
Sidi, M.J., 1997. Spacecraft Dynamics and Control. Cambridge University Press, Cambridge, England, UK.
Staroswiecki, M., 2005. Fault tolerant control: the pseudo-inverse method revisited, in: Proceedings of the 16th IFAC World
Congress, IFAC, Prague, Czech Republic. pp. 1871–1871. doi:10.3182/20050703-6-CZ- 1902.01872.
Staroswiecki, M., Yang, H., Jiang, B., 2007. Progressive accommodation of parametric faults in linear quadratic control. Automatica
43, 2070–2076. doi:10.1016/j.automatica.2007.04.016.
Tafazoli, M., 2009. A study of on-orbit spacecraft failures. Acta Astronautica 64, 195–205. doi:10.1016/j.actaastro.2008.07.019.
Tao, G., Chen, S., Joshi, S., 2002. An adaptive control scheme for systems with unknown actuator failures. Automatica 38,
1027–1034. doi:10.1016/S0005-1098(02)00018- 3.
Veillette, R., 1995. Reliable linear-quadratic state-feedback control. Automatica 31, 137–143. doi:10.1016/0005-1098(94)E0045-J.
Wu, Q., Saif, M., 2009. Model-based robust fault diagnosis for satellite control systems using learning and sliding mode approaches.
Journal of computers 4, 1022–1032. doi:10.4304/jcp.4.10.1022-1032.
Yang, H., Jiang, B., Cocquempot, V., 2012. Supervisory fault tolerant control with integrated fault detection and isolation:
a switched system approach. International Journal of Applied Mathematics and Computer Science 22, 87–97. doi:10.2478/
v10006-012- 0006-9.
Zhang, X., Parisini, T., Polycarpou, M., 2004. Adaptive fault-tolerant control of nonlinear uncertain systems: An information
based diagnostic approach. IEEE Transactions on Automatic Control 49, 1259–1274. doi:10.1109/TAC.2004.832201.
Zhang, Y., Jiang, J., 2001. Integrated active fault-tolerant control using imm approach. IEEE Transactions on Aerospace and
Electronic Systems 37, 1221–1235. doi:10.1109/7.976961.
Zhang, Y., Jiang, J., 2008. Bibliographical review on reconfigurable fault-tolerant control systems. Annual Reviews in Control 32,
229–252. doi:10.1016/j.arcontrol.2008.03.008.
Zhao, Q., Jiang, J., 1998. Reliable state feedback control systems design against actuator failures. Automatica 34, 1267–1272.
doi:10.1016/S0005-1098(98)00072- 7.
Zhou, K., Khargonekar, P.P., 1988. Robust stabilization of linear systems with norm-bounded time-varying uncertainty. Systems
& Control Letters 10, 17–20.
24
... 1 Indeed, the most popular solution is the constrained control allocation (CA) technique. This approach is studied in [22] for the Mars Sample Return mission 2 and in [7,10,35] for the e.Deorbit mission, 3 with validation on industrial test facilities. The principle consists in scheduling the control allocation algorithm that manages the thruster command signals, so that the total forces and torques are re-allocated on the healthy thrusters. ...
... Such a solution requires obviously a (reliable) fault diagnosis unit, so that the control allocation algorithm is aware about the faulty thrusters. The interested reader can refer to [33,22,37,65,34,35] for the development of model-based diagnosis solutions applied to real space missions. 4 This FTC strategy is used in [15] with a time-varying terminal SMC approach and in [28] in cooperation with an adaptive integral SMC technique. ...
... With this aim, equation (22) is divided into its real part and dual part. Since the capture mechanism is a simple basket, the target's rotational dynamics can be removed from (22). Then, we can derive from (22) the two following equations, that describe the rotational and translational dynamics, respectively: ...