
All content in this area was uploaded by Robert Fonod on Oct 18, 2017


Robust FDI for fault-tolerant thrust allocation with application to spacecraft rendezvous$^{✩}$

Robert Fonod$^{a,1,*}$, David Henry$^{a}$, Catherine Charbonnel$^{b}$, Eric Bornschlegl$^{c}$, Damiana Losa$^{b}$, Samir Bennani$^{c}$

$^{✩}$ This paper is an extended version with new methodological and applicative results of the work entitled “Thruster Fault Detection, Isolation and Accommodation for an Autonomous Spacecraft” presented at the 19th IFAC World Congress held in Cape Town, August 2014.

$^{a}$ University of Bordeaux, IMS Lab. UMR CNRS n.5218, F-33400 Talence, France

$^{b}$ Thales Alenia Space, F-06156 Cannes La Bocca, France

$^{c}$ European Space Agency, ESTEC, 2200 AG Noordwijk, The Netherlands

Abstract

This paper deals with the design and validation of an active fault-tolerant control system to detect, isolate and accommodate a single thruster fault affecting the thruster-based propulsion system of an autonomous spacecraft. The proposed method consists of a fault detector for robust and quick fault detection, a two-stage hierarchical isolation strategy for fault isolation, and an online control allocation unit scheduled by the isolation scheme for fault tolerance. A new factorization approach for the uncertain inertia matrix inverse is proposed. Thanks to this factorization, a novel robust Nonlinear Unknown Input Observers (NUIO) approach is proposed based on LMIs which ensure maximization of the admissible Lipschitz constant while at the same time satisfying an $\mathcal{L}_2$ gain bound and some constraints on the observer dynamics. At the first stage of the isolation scheme, a bank of NUIOs is used to identify a subset of possible faulty thrusters. Then, at the second stage, an EKF is introduced to estimate the torque bias directions. Using these directions, jointly with the detector’s residual and the information obtained from the first stage, a set of explicit rules is derived to unambiguously isolate the faulty thruster. A Monte Carlo campaign, based on a simulator developed by Thales Alenia Space industries, is conducted in the context of a terminal rendezvous phase of the Mars Sample Return mission. Mission oriented criteria demonstrate that the proposed strategy is able to cope with a large class of realistic thruster faults and to achieve mission success.

Keywords: Fault detection and isolation, fault-tolerant control, unknown input observer, linear matrix inequalities, control allocation, space rendezvous mission, matrix factorization.

1. Introduction

1.1. Context and Motivations

The research work addressed in this paper draws expertise from actions undertaken between the European Space Agency (ESA), the Thales Alenia Space (TAS) industry and the IMS laboratory (laboratoire de l’Intégration du Matériau au Système) which develop new generations of integrated Guidance, Navigation and Control (GNC) algorithms for spacecraft with fault diagnosis and fault tolerance capabilities.

The reference space mission considered in this paper is the ESA Mars Sample Return (MSR) mission, see (Beaty et al., 2008) for details. This deep space mission consists of two vehicles directly injected towards Mars by launchers. The first module enters the Martian atmosphere (entry phase), lands on the Mars surface, fetches a Martian sample and then takes off to reach a low Mars orbit. Meanwhile the second module inserts directly around Mars, then catches the sample (capture of the orbiting sample released by the first module), and finally comes back to Earth, ejecting the sample into the Earth atmosphere with the Earth Reentry Capsule (ERC). The work reported in this paper focuses on the terminal rendezvous phase which corresponds to the last few hundred meters until the capture on the Mars orbit. The chaser vehicle is the MSR orbiter, while the target is a diameter spherical container.

$^{*}$ Corresponding author. Tel.: +33-540002419 - Fax.: +33-540006644

Email addresses: robert.fonod@ims-bordeaux.fr (Robert Fonod), david.henry@ims-bordeaux.fr (David Henry), catherine.charbonnel@thalesaleniaspace.com (Catherine Charbonnel), eric.bornschlegl@esa.int (Eric Bornschlegl), damiana.losa@thalesaleniaspace.com (Damiana Losa), samir.bennani@esa.int (Samir Bennani)

$^{1}$ Present address: Technion - Israel Institute of Technology, Department of Aerospace Engineering, Technion City, 32000 Haifa, Israel

During the terminal rendezvous, the control of the attitude and the position of the chaser is continuous and applied by thrusters. The control unit uses different types of sensors, namely Inertial Measurement Units (IMU), Star Trackers (STR) and a Light Detection And Ranging (LIDAR) sensor. The set of sensors and actuators during the terminal rendezvous is minimized to reduce the risk of fault occurrence and to reduce the power consumption and mass. The attitude is controlled in order to keep the orbiting sample within the LIDAR field of view. The position is controlled in order to approach the orbiting sample along its velocity axis. Then, just before the capture, the guidance is modified in order to align the capture mechanism with the orbiting sample, i.e. the target.

Following recent studies (Tafazoli, 2009; HARVD - Final Presentation), thruster faults account for approximately one quarter of all Attitude and Orbit Control System (AOCS) failures. It seems obvious that they can have a serious impact on the spacecraft’s ability to fulfil its mission. For instance, a hardover type failure (thruster stuck open) could lead to a drastic increase of the propellant consumption, which is already very constrained by the travel to Mars. Dramatic consequences can occur, e.g. the GNC already in place may not compensate such faults, possibly leading the chaser to lose the attitude and/or the position of the sample container.

The work addressed in this paper is concerned with the development of a model-based Fault Detection and Isolation (FDI) scheme for Fault-tolerant Control (FTC) of the thrusters that equip the MSR chaser propulsion system. The investigated faults have been defined in accordance with the industrial partners and follow both the ESA and TAS requirements and their experiences. Four cases are investigated: i) thruster opening at 100% (providing maximum force regardless of the demand and being very propellant consuming), ii) thruster closing itself (faulty thruster does not generate any thrust regardless of the command demanded by the control authority), iii) bi-propellant leakage and iv) loss of efficiency (thrust loss).

1.2. Related Work and Limitations

In terms of model-based FDI, numerous techniques have been studied in the past decades in the academic community, see (Patton et al., 2000; Blanke et al., 2006; Ding, 2013) and references therein for good surveys. The still growing interest of potential applications in aerospace systems has been demonstrated by recent publications. With regards to the problem of spacecraft thruster fault diagnosis, one can mention the work of Chen and Saif (2007) that proposed an iterative learning observer to achieve estimation of time-varying thruster faults. Wu and Saif (2009) proposed the same approach jointly with a sliding mode technique. The work reported in (Patton et al., 2006, 2008, 2010) addressed the Mars Express mission. The proposed approach is based on both state estimation of an accurate linear model for the satellite system and unknown input decoupling to achieve robust FDI in the presence of dynamic uncertainty during main engine deployment. The work reported in (Henry et al., 2011; Fonod et al., 2014a; Le Peuvédic et al., 2014; Fonod et al., 2015) addressed the problem of thruster fault diagnosis of the MSR orbiter during the terminal rendezvous phase. Henry et al. (2011) proposed a method based on an H(0) filter with a robust pole assignment technique. Fonod et al. (2015) approached the same problem using an Eigenstructure Assignment (EA) technique, whereas Le Peuvédic et al. (2014) proposed a robust $H_\infty/H_-$ filter in combination with a bank of thruster-direction decoupling observers. Similarly in (Falcoz et al., 2010a,b), the $H_\infty/H_-$ approach was exploited for the micro-Newton colloidal thrusters during the experiment phase of the LISA Pathfinder mission. $H_\infty/H_-$ filter-based strategies have been proposed in (Grenaille et al., 2004; Henry, 2008a) to diagnose the Field Emission Electric Propulsion (FEEP) thrusters of the Microscope satellite.

In the case of an overactuated spacecraft, the cornerstone of the FDI unit is the isolation logic. It must be accurate and robust enough to uncover the faulty thruster among thrusters which are very closely co-aligned, and it also must be able to cover a large class of realistic faults. Posch et al. (2013) proposed a torque bias vector matching isolation method. In this approach, the torque bias is estimated using an Extended Kalman Filter (EKF) and directly matched with the torque directions of each thruster. The main drawback of this approach is that it is unable to consider a thruster configuration where some thrusters generate the same or very similar torques. A similar idea has been presented in (Alwi et al., 2010), where instead of estimating the torque bias, the sliding mode injection term is matched with the thruster directions. This method has similar drawbacks as the previous method; additionally, the isolation performance strongly depends on the measurement noise. In (Henry et al., 2011; Fonod et al., 2015), a cross-correlation test between the residual and the associated thruster opening rates was considered. This approach however lacks the ability to consider both “open-type” and “closed-type” thruster faults at the same time (for fault classification, see Section 2.1). Moreover, in aerospace systems, the true inertia matrix is never known precisely on-board. Therefore, controllers are always validated in the presence of uncertainty on the inertia to confront modelling errors. Similarly, in terms of FDI, it is of paramount interest to analyse, and most importantly, to incorporate the effects of the uncertain inertia within the FDI design.


In terms of FTC methods, the interested reader shall refer to (Blanke et al., 2006; Zhang and Jiang, 2008; Noura et al., 2009). These techniques can be in general classified into two main categories: passive FTC and active FTC. Passive FTC relies on robust control concepts, whereas active FTC methods act on the system component failures actively by re-designing the controller so that the stability and acceptable performance of the entire system is maintained. The most famous active FTC strategies are the pseudoinverse methods (Ostroff, 1985; Caglayan et al., 1988; Gao and Antsaklis, 1991; Bajpai et al., 2001), recently revisited by Staroswiecki (2005), the Linear Quadratic (LQ) approach (Looze et al., 1985; Josh, 1987; Veillette, 1995; Staroswiecki et al., 2007), the EA technique (Jiang, 1994; Zhao and Jiang, 1998; Zhang and Jiang, 2001), the adaptive control approach (Bodson and Groszkiewicz, 1997; Tao et al., 2002; Zhang et al., 2004), the Model Predictive Control (MPC) approach (Camacho and Bordons, 1999; Maciejowski, 2002; Hartley et al., 2012), and most recently the supervisory approach (Yang et al., 2012; Efimov et al., 2013).

The problem of designing an active FTC system for thruster faults has been rarely studied for space systems (or very few papers have been published). The industry-certified controllers already in place are designed to be robust and to achieve a predetermined performance level in a fault safe situation. The Control Allocation (CA) technique is probably the most “ready to be implemented” FTC approach for aerospace systems. The major reason is that the computational burden is very close to or within the limits of today’s off-the-shelf embedded computer systems. Moreover, in some cases the CA approach does not require any change in the nominal controller, which is a great advantage from an industrial point of view. Several applications of CA from the aerospace community can be found in (Bodson, 2002; Page and Steinberg, 2002; Jin et al., 2006; Henry, 2008b; Oppenheimer et al., 2010; Boada et al., 2010; Fu et al., 2011). For instance, a SIMPLEX-based method has been recently implemented in the Automated Transfer Vehicle (ATV) developed by EADS Astrium Space Transportation, to handle a prescribed set of thruster faults.

Most CA algorithms assume a linear effector model in the form of a matrix, i.e. the thruster configuration matrix whose elements (columns) are the influence coefficients defining how each thruster affects each component of the force and moment vector applied to the spacecraft. Thus, CA is fundamentally concerned with the inverse computation of the thruster configuration matrix. Since this matrix has more columns than rows, there exists an infinite number of solutions. However, by minimizing some “measure” of it, it is possible to have a unique solution. Actuator faults can then be tackled by a CA principle so that it is not required to re-design the nominal controller itself. A consequence is that CA can be used as an FTC solution with a little extra effort on the existing CA techniques. Alwi and Edwards (2008) exploit this idea using sliding mode techniques.

1.3. Proposed Approach and Contributions

This paper addresses the design and validation of a complete FDI/FTC system for the aforementioned thruster fault scenarios. The proposed method consists of: i) a fault detector for robust and quick fault detection, ii) a two-stage hierarchical isolation strategy for faulty thruster isolation and iii) an online CA unit scheduled by the isolation scheme for fault tolerance. The utilized fault detector design follows the developments introduced in (Fonod et al., 2013). This detector offers enhanced robustness against time-varying input delays. The original idea of the two-stage isolation strategy proposed in this paper initiates from (Fonod et al., 2014a), where a bank of asymptotically stable Nonlinear Unknown Input Observers (NUIOs) has been used for the first stage and a simple residual vector matching approach for the second stage. Here, a bank of 5 robust NUIOs together with an EKF-based torque bias direction estimator is considered. A new factorization approach for the uncertain inertia matrix inverse is proposed. Thanks to this factorization, a novel robust NUIO design is proposed with bounded $\mathcal{L}_2$ gain from the system input to the estimation error. By this, the effect of the uncertain inertia on the state estimation error is attenuated. Additionally, it is shown that under some Lipschitz condition, it is possible to constrain the NUIO dynamics into a prescribed dynamic region using the notion of Linear Matrix Inequality (LMI) regions. The NUIO gains are obtained from the feasible solution to the LMI optimization problem, offering a numerically tractable procedure to account jointly for the observer dynamics constraint, the $\mathcal{L}_2$ specification, and the maximization of the admissible Lipschitz constant. As the outcome of the first stage, a subset of thrusters is identified as “possible faulty”. For the second stage, an EKF is introduced to estimate the torque bias directions due to the thruster fault. Using these directions, the fault detector’s residual and the information obtained from the first stage, a set of explicit rules is derived to unambiguously isolate the faulty thruster. These rules consist in evaluating the torque bias direction estimate with respect to the thruster torque directions and the detector’s residual with respect to the thruster force directions of the already identified (faulty) thruster set, respectively. In specific cases, a sequential decision test is also used. As soon as the faulty thruster is identified, a control re-allocation algorithm is used to redistribute the control effort among the available healthy actuators, while at the same time disengaging the faulty one. Here, based on the precursor work of (Jin et al., 1995), a modified version of the Nonlinear Iterative Pseudoinverse Controller (NIPC) algorithm is presented. A complete Monte Carlo campaign is conducted in the context of the terminal rendezvous phase. Mission oriented criteria are evaluated to demonstrate the effectiveness of the proposed method subject to various sources of uncertainties, spatial disturbances, delays and imperfect navigation.

The paper is organized as follows. Section 2 is devoted to the thruster-based propulsion system of the chaser. It also introduces the considered actuator fault model. Sections 3 and 4 are dedicated to the FDI unit design. Section 5 deals with the FTC algorithm. Finally, a simulation campaign is conducted in Section 6 in the context of the terminal rendezvous phase. Concluding remarks are given in Section 7.

Notations: Let $\mathbb{R}$, $\mathbb{C}$, $\mathbb{Z}_+$, and $\mathbb{H}$ denote the set of real numbers, complex numbers, non-negative integers, and the set of quaternions, respectively. The notation $\mathbb{R}^{m \times n}$ is used for real matrices of dimension $m \times n$. $\mathrm{diag}(\ldots)$ represents a block diagonal matrix. $I$ and $0$ represent the identity and zero matrix with the appropriate dimension, respectively. The symbols $\otimes$, $\times$, and $\cdot$ stand for the Kronecker, cross and dot product, respectively. The notation $P > 0$ ($P < 0$) means that $P$ is a real symmetric and positive (negative) definite matrix. The notation $\Lambda(A)$ stands for the set of all eigenvalues and $\lambda_{max}$ stands for the maximum eigenvalue of a square matrix $A$, respectively. In symmetric block matrices, the symbol $*$ denotes an element that is induced by symmetry. $\|\cdot\|_p$ refers to either the $p$-norm of a vector or the induced matrix $p$-norm. If $p = 2$, $\|\cdot\|_p$ is written without the subscript, i.e. $\|\cdot\|$. $\mathcal{L}_2$ denotes the space of all Lebesgue measurable functions having a finite $\mathcal{L}_2$ norm $\|u\|_{\ell_2}$, where $\|u\|_{\ell_2}^2 = \int_0^\infty \|u(t)\|^2 \, dt$. $\mathcal{N}(\mu, \sigma)$ stands for the normal distribution with mean value $\mu$ and standard deviation $\sigma$. $\mathcal{U}(a, b)$ denotes the uniform distribution with boundaries $a$ and $b$.

2. Background on Thruster-based Propulsion System and Fault Considerations

The MSR chaser spacecraft is equipped with a chemical propulsion system composed of 12 thrusters. The thrusters are physically organised in four groups (see Fig. 1 for illustration) and are in charge of producing a force $F \in \mathbb{R}^3$ and a torque $T \in \mathbb{R}^3$ vector.

Figure 1: Thruster configuration of the chaser spacecraft$^{2}$

Let $\mathcal{S}_{all} = \{1, 2, \ldots, 12\}$ denote the set of all the thruster indices. All thrusters have fixed directions $d_k \in \mathbb{R}^3$, $\forall k \in \mathcal{S}_{all}$, and each one is able to produce a maximum thrust of $\|F_T\| = 22$ N. The Chemical Propulsion Drive Electronics (CPDE) driving the thrusters initiates the opening of each thruster valve for the commanded duration $0 \le u_k \le 1$, $\forall k \in \mathcal{S}_{all}$, which are in fact scaled ON-times. The scaling is done versus the sampling period $T_s$ of the control unit and is defined according to $u_i(t_k) = T_{on_i}(t_k)/T_s$, where $T_{on_i}(t_k)$ is the actual/real firing duration (ON time) of the $i$th thruster at control cycle $t_k = kT_s$.

The propulsion system is obviously a source of uncertainty in the system. The transfer function

$$H(s) = e^{-\tau(t)s} \tag{1}$$

aims to model the effect of the unknown time-varying delays induced by the CPDE and the uncertainties on the thruster rise times (see Pettazzi et al. (2009)). The delay $\tau(t)$ is assumed to be unknown and time-varying, but upper bounded by a known constant $\bar{\tau}$, i.e. $\tau(t) \le \bar{\tau}$.

Let $u_k(t - \tau(t))$ be the commanded open duration of the $k$th thruster delayed by $\tau(t)$. The net forces and torques generated by thrusters (in fault-free case) are given in the chaser body fixed frame $\mathcal{F}_b = \{O_b, \vec{X}_b, \vec{Y}_b, \vec{Z}_b\}$ (see Fig. 1 for an illustration) according to

$$F(t) = B_F u(t - \tau(t)), \qquad T(t) = B_T u(t - \tau(t)) \tag{2}$$

In the above equation $u(t) = [u_1(t), u_2(t), \ldots, u_{12}(t)]^T$, and

$$B_F = [b_{F1}, b_{F2}, \ldots, b_{F12}], \qquad B_T = [b_{T1}, b_{T2}, \ldots, b_{T12}] \tag{3}$$

are the thruster sensitivity (configuration) matrices with$^{3}$

$$b_{Fk} = -d_k \|F_T\|, \qquad b_{Tk} = (d_{pk} - d_{CoM}) \times b_{Fk}, \qquad \forall k \in \mathcal{S}_{all}$$

where $d_{CoM} \in \mathbb{R}^3$ is the position vector of the Center of Mass (CoM) from the center of the chaser geometrical frame $\mathcal{F}_g$, and $d_{pk} \in \mathbb{R}^3$, $\forall k \in \mathcal{S}_{all}$ are the position (location) vectors of the thrusters, all given in $\mathcal{F}_g$.

$^{2}$ The considered thruster configuration in this paper is a special one designed by TAS to study active FTC strategies.

By analysing the matrices $B_F$ and $B_T$ in terms of directional properties, the following can be concluded: the torque directions of the thrusters having index inside the sets $\mathcal{S}_{Tk}$, $k = 1, \ldots, 4$ are the same and those having index inside the set $\mathcal{S}_{T5}$ are similar. In our case, the above subsets are defined as follows:

$$\mathcal{S}_{T1} = \{1, 11\}, \quad \mathcal{S}_{T2} = \{2, 10\}, \quad \mathcal{S}_{T3} = \{4, 8\}, \quad \mathcal{S}_{T4} = \{5, 7\}, \quad \mathcal{S}_{T5} = \{3, 6, 9, 12\} \tag{4}$$

In terms of force directions, the following is revealed

$$b_{F1} = -b_{F11}, \quad b_{F2} = -b_{F10}, \quad b_{F4} = -b_{F8}, \quad b_{F5} = -b_{F7}, \quad b_{F3} = -b_{F12}, \quad b_{F6} = -b_{F9} \tag{5}$$

which means that the thruster pairs of the sets $\mathcal{S}_{Tk}$, $k = 1, \ldots, 4$ produce exactly opposite forces. The last thruster group, i.e. $\mathcal{S}_{T5}$, has the following properties

$$b_{F3} \cdot b_{F6} = 0, \qquad b_{T3} \approx -b_{T6} \approx -b_{T9} \approx b_{T12} \tag{6}$$

Relations in (6) mean that thrusters belonging to the $\mathcal{S}_{T5}$ group produce a) forces perpendicular to the forces of their neighbours and b) nearly collinear torques. The directional properties given by (4)-(6) will be later used to derive an explicit fault isolation strategy.

2.1. Thruster Fault Modelling

With regards to the possible faults occurring in the thruster-based propulsion system, the focus is on the so-called “open-type” (fully open or leaking thruster) and “closed-type” (blocked-closed thruster or loss of efficiency) faults. These faults have been defined in accordance with the industrial partners and follow both the TAS and ESA experiences. The following mathematical model can be used to describe these faults

$$\varphi_k(t) = \begin{cases} \max\{u_k(t), m_{leak}\} & \text{if open-type} \\ (1 - m_{loss})\,u_k(t) & \text{if closed-type} \end{cases}$$

where the index “$k$” refers to the $k$th thruster. In this formalism, $0 < m_{leak} < 1$ models a leakage fault and $0 < m_{loss} < 1$ an efficiency loss fault. It is obvious that $m_{leak} = 1$ refers to a fully open and $m_{loss} = 1$ to a blocked-closed thruster fault, respectively.

Assuming no simultaneous faults, the considered thruster faults can be modelled in a multiplicative way according to (the index $f$ outlines the faulty case)

$$u_f(t) = \big(I - \Psi(t)\big)\,u(t) \tag{7}$$

with $\Psi(t) = \mathrm{diag}(\psi_1(t), \ldots, \psi_{12}(t))$, where $0 \le \psi_k(t) \le 1$, $\forall k \in \mathcal{S}_{all}$ are unknown. The status of the $k$th thruster is modelled by $\psi_k$ as follows

$$\psi_k(t) = \begin{cases} 0 & \text{if healthy} \\ 1 - \varphi_k(t)/u_k(t) & \text{if faulty} \end{cases}$$

where $\varphi_k$ allows to consider different fault scenarios.

3. Design of the Robust Fault Detector

The proposed fault detector consists of an observer-based residual generator and a sequential decision which evaluates the residual. The observer is designed based on the EA technique and uses a model of the relative position between the chaser and the target given in the local (target) frame. In (Fonod et al., 2015), it was shown that, in terms of robustness/sensitivity, the position model-based FDI scheme tends to achieve very similar FDI performances as a scheme based on a pure attitude model.

[Figure 2 labels: Mars, Target, Chaser, Inertial Reference Frame, The Rendezvous Orbit]

Figure 2: The Mars rendezvous orbit with the associated frames

3.1. Relative Position Model

Consider the illustration of the rendezvous between the chaser and target spacecraft around Mars given by Fig. 2, where $\mathcal{F}_l = \{O_T, \vec{X}_l, \vec{Y}_l, \vec{Z}_l\}$ is the local (target centred) reference frame oriented as shown in Fig. 2. During the rendezvous phase on a circular orbit, it is assumed that the chaser motion is due to the four following forces, all given in $\mathcal{F}_l$

• the Mars attraction force $\vec{F}_a = -\dfrac{m\mu}{\left((a+\xi)^2 + \eta^2 + \zeta^2\right)^{3/2}} \left((a+\xi)\vec{X}_l + \eta\vec{Y}_l + \zeta\vec{Z}_l\right)$, where $\xi, \eta, \zeta$ denote the three components of the relative position vector $\Delta r = [\xi, \eta, \zeta]^T$ of the chaser from the origin $O_T$ of the target frame $\mathcal{F}_l$,

• the centripetal force $\vec{F}_e = m\left(n^2(a+\xi)\vec{X}_l + n^2\eta\vec{Y}_l\right)$,

• the Coriolis force $\vec{F}_c = m\left(2n\dot{\eta}\vec{X}_l - 2n\dot{\xi}\vec{Y}_l\right)$,

• the force due to the thruster-based propulsion system $\vec{F}_t = F_\xi\vec{X}_l + F_\eta\vec{Y}_l + F_\zeta\vec{Z}_l$. (This force vector is the one given by the equation (2) expressed in $\mathcal{F}_l$.)

In these relations, $\mu = G \cdot m_M$$^{4}$ and $n = \dot{\nu} = \sqrt{\mu/a^3}$, where $a$, $m$, $G$ and $m_M$ are the radius of the circular orbit of the target, the mass of the chaser, the universal gravitational constant and the mass of Mars, respectively. It can be verified that the above equations lead to a 6th order nonlinear state space model whose state and force input vectors are given by $x_p = [\xi \; \eta \; \zeta \; \dot{\xi} \; \dot{\eta} \; \dot{\zeta}]^T$ and $F_t = [F_\xi \; F_\eta \; F_\zeta]^T$, respectively. Noting that the distance between the target and the chaser during the rendezvous phase is negligible compared to the radius of the target orbit, i.e. $\|\Delta r\| \ll a$, it is then possible to derive the so-called Hill-Clohessy-Wiltshire equations by means of a first order approximation of the nonlinear state space model (Sidi, 1997). Finally, introducing the fault model and the CPDE unknown time-varying delay $\tau(t)$ introduced in Section 2 leads to the following linear 6th order state space model of the chaser relative motion expressed in $\mathcal{F}_l$, both in fault-free ($\Psi = 0$) and faulty ($\Psi \neq 0$) situations, i.e.

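$$\dot{x}_p(t) = A_p x_p(t) + B_p R(\hat{q}_t(t), \hat{q}_c(t))\, B_F u_f(t - \tau(t)) \tag{8}$$

$$y_p(t) = C_p x_p(t) \tag{9}$$

$$A_p = \begin{bmatrix} 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \\ 3n^2 & 0 & 0 & 0 & 2n & 0 \\ 0 & 0 & 0 & -2n & 0 & 0 \\ 0 & 0 & -n^2 & 0 & 0 & 0 \end{bmatrix}, \quad B_p = \frac{1}{m} \begin{bmatrix} 0 & 0 & 0 \\ 0 & 0 & 0 \\ 0 & 0 & 0 \\ 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix}, \quad C_p = \begin{bmatrix} 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 \end{bmatrix}$$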

$^{3}$ Numerical values with regards to the spacecraft geometry are omitted for confidentiality reasons.

$^{4}$ Considered values: $G \doteq 6.67384 \times 10^{-11}$ (N·m²·kg⁻²) and $m_M \doteq 6.4173 \times 10^{23}$ (kg).

In (8), the rotation matrix $R(\hat{q}_t, \hat{q}_c)$ is calculated from the attitude quaternion estimates of the chaser $\hat{q}_c \in \mathbb{H}$ and target $\hat{q}_t \in \mathbb{H}$. They rotate the force due to thrusters, i.e. $F_f = B_F u_f(t - \tau(t))$, from $\mathcal{F}_b$ into $\mathcal{F}_l$. These estimates are assumed to be available on-board since they are computed online by the navigation unit. The output vector $y_p = \Delta r = [\xi \; \eta \; \zeta]^T$ is the relative position expressed in $\mathcal{F}_l$. In the context of our study, this relative position is measured by the LIDAR device. Moreover, it is assumed that the navigation unit is decoupled from thruster faults, but providing noisy state estimates.

3.2. Residual Generation and Evaluation

The proposed residual generator is based on a full-order observer using the position model (8) and (9), introduced in the previous section. The observer is designed using the well known EA technique so that the residual vector output, i.e. the output estimation error weighted by a matrix $Q$

$$r(t) = Q\big(y_p(t) - C_p \hat{x}_p(t)\big), \qquad r = [r_1, r_2, r_3]^T \tag{10}$$

is (approximately) decoupled from the unwanted effects of the time-varying delay $\tau(t)$. Fonod et al. (2013) address this problem using two different approaches, i.e. using a Padé approximation and a Cayley-Hamilton theorem-based transformation. The former method is employed in this paper. The idea is to use the model (8)-(9) to generate the state estimate $\hat{x}_p$ used to produce the residual vector $r$. Since the EA technique is well mastered in the FDI community, technical developments are not considered in this paper. The interested reader can refer to e.g. (Patton et al., 2000; Blanke et al., 2006; Ding, 2013).

The proposed decision making rule is a slightly modified version of the scalar valued Generalized Likelihood Ratio (GLR) test for the variance (see e.g. Ding (2013)). The considered decision test $\varrho_{J_{th}}$ is defined by

$$\varrho_{J_{th}}(t) = \begin{cases} 1 & \text{if } S_w(r(t_k)) > J_{th} \Rightarrow \text{fault declared} \\ 0 & \text{if } S_w(r(t_k)) \le J_{th} \Rightarrow \text{fault not present} \end{cases} \tag{11}$$

with $S_w(r(t_k)) = \sum_{i=1}^{3} w_i S_i(r_i(t_k))$, where $w_i \ge 0$, $i = 1, 2, 3$ are the normalized weight factors used to prioritize certain elements (axes) of the residual and $S_i(r_i(t_k))$ is the estimated log likelihood of the GLR algorithm applied to the $i$th residual $r_i(t_k)$ evaluated at time instant $t = t_k = kT_s$, $k \in \mathbb{Z}_+$. In (11), the fixed threshold $J_{th}$ is an additional design parameter, see (Basseville and Nikiforov, 1993) for discussion about its tuning. The fault is declared at time $t_d$, i.e.

$$t_d = \arg \inf_{t \ge t_0} \{\varrho_{J_{th}}(t) = 1\} \tag{12}$$

where $t_0 \ge 0$ is the time required for $r$ to achieve steady state (settle down) when $\Psi(t) = 0$, $\forall t \in [0, t_0)$.
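The decision logic of (11)-(12) run over a constructed residual, as an added example that is not code from the paper. It uses the textbook sliding-window GLR statistic for a variance change rather than the authors' modified version, and the window length, weights, threshold, noise level and residual samples are all assumptions.

```python
import math
import random


def glr_variance(window, sigma0):
    """Log-likelihood ratio for a variance change in zero-mean Gaussian data.

    H0: variance sigma0**2. H1: variance unknown, replaced by its maximum
    likelihood estimate over the window. The value is >= 0 and equals 0 when
    the estimate matches sigma0**2.
    """
    n = len(window)
    ratio = sum(v * v for v in window) / (n * sigma0 ** 2)
    ratio = max(ratio, 1e-12)  # guard against log(0) on an all-zero window
    return 0.5 * n * (ratio - 1.0 - math.log(ratio))


def weighted_statistic(residuals, k, n_win, sigma0, weights):
    """S_w(r(t_k)) = sum_i w_i * S_i(r_i(t_k)), using the last n_win samples."""
    total = 0.0
    for axis, w in enumerate(weights):
        window = [r[axis] for r in residuals[k - n_win + 1:k + 1]]
        total += w * glr_variance(window, sigma0[axis])
    return total


def detection_index(residuals, n_win, sigma0, weights, j_th, k0):
    """First sample index k >= k0 with S_w > J_th (eqs. 11-12), else None.

    k0 plays the role of t_0: samples before it are never evaluated, so the
    observer start-up transient cannot raise an alarm.
    """
    for k in range(max(k0, n_win - 1), len(residuals)):
        if weighted_statistic(residuals, k, n_win, sigma0, weights) > j_th:
            return k
    return None


def constructed_residual(n_samples=200, fault_at=120, seed=1):
    """Constructed 3-axis residual: unit-variance noise, a decaying start-up
    transient on axis 1, and a constant bias on axis 1 once the fault occurs."""
    rng = random.Random(seed)
    out = []
    for k in range(n_samples):
        r = [rng.gauss(0.0, 1.0) for _ in range(3)]
        r[0] += 12.0 * math.exp(-k / 5.0)   # observer settling, not a fault
        if k >= fault_at:
            r[0] += 5.0                     # fault-induced residual bias
        out.append(r)
    return out


# Assumed tuning, not the paper's values.
WEIGHTS = (0.5, 0.25, 0.25)   # normalized w_i, axis 1 prioritized
SIGMA0 = (1.0, 1.0, 1.0)      # fault-free residual standard deviations
N_WIN = 20                    # sliding-window length in samples
J_TH = 25.0                   # fixed threshold J_th

if __name__ == "__main__":
    res = constructed_residual()
    # Without a settling time the start-up transient is flagged as a fault.
    print("k0 = 0 :", detection_index(res, N_WIN, SIGMA0, WEIGHTS, J_TH, 0))
    # With k0 past the transient the alarm follows the fault at sample 120.
    print("k0 = 40:", detection_index(res, N_WIN, SIGMA0, WEIGHTS, J_TH, 40))
```

Evaluating the test from sample 0 flags the start-up transient, which is the reason (12) restricts the search to $t \ge t_0$.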

4. Hierarchical Isolation Strategy

Recalling the thruster configuration properties given by (4)-(6) and taking into account that thrusters cause both linear and rotational motions, a set of explicit rules can be derived to unambiguously isolate a single thruster fault. These rules are implemented on a hierarchical two-stage basis as follows:

i) The first stage utilizes a bank of five NUIOs based on the nonlinear model of the attitude dynamics. This bank is in charge of confining the faulty thruster into a single group $\mathcal{S}_{Tj}$, $j = 1, \ldots, 5$ (subset of thrusters); in other words, the task is to find the faulty group index "$j$". An enhanced NUIO approach is adopted for this purpose because of its decoupling properties, adjustable error dynamics and ability to take into account both nonlinearities and uncertainties of the attitude dynamics,

ii) The second stage aims at uniquely isolating the faulty thruster index "$i$" within the already identified subset, i.e. find $i \in \mathcal{S}_{Tj}$. This stage uses jointly an EKF (being in charge of estimating the torque bias directions due to the fault), a torque bias matching approach and/or a Wald’s sequential test, and finally a residual/force direction matching approach.

It is obvious that in case of (small) thruster faults, the spacecraft attitude dynamics is more likely prone to dynamic deviations than the translation one. This gives the motivation to derive the first isolation rule using the angular velocity measurement rather than the one obtained from the LIDAR device. On the other hand, due to the fact that some thrusters produce exactly the same or very similar torques, it is very hard to obtain a global isolation strategy based exclusively on angular velocity measurements. Therefore, the second isolation rule of the proposed global isolation strategy uses the information about the position dynamics contained in the fault detector’s residual. This chronology of isolation steps gives the fault extra time to propagate into the translation dynamics.


4.1. Thruster Group Isolation Using a Bank of NUIOs

Considering the spacecraft as a rigid body (flex modes and slosh phenomena are not considered in this work), the attitude model is given by (Sidi, 1997)

$$\dot{\omega}(t) = J^{-1} B_T u_f(t) - J^{-1}\omega(t) \times J\omega(t) \tag{13}$$

where $\omega = [p, q, r]^T$ is the rotational velocity vector and $J \in \mathbb{R}^{3 \times 3}$ is the real inertia matrix. In (13), both $\omega$ and $J$ are given in the chaser’s body-fixed frame $\mathcal{F}_b$. Since the attitude model involves the inertia matrix $J$ and its inverse $J^{-1}$, robustness against uncertainties in $J$ is a key feature in the design of the NUIO. This problem is addressed in the following subsection.

4.1.1. Chaser Attitude Dynamics and Inertia Uncertainty

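Let the inertia matrix $J$ have the general form

$$J = \begin{bmatrix} J_{xx} & J_{xy} & J_{xz} \\ J_{xy} & J_{yy} & J_{yz} \\ J_{xz} & J_{yz} & J_{zz} \end{bmatrix} \tag{14}$$

First, we define a factorization of $J$ by introducing a diagonal matrix $J_d \in \mathbb{R}^{9 \times 9}$ with the uncertain terms of $J$, i.e.

$$J_d = \mathrm{diag}(J_{xx}, J_{yy}, J_{zz}, J_{xy}I_2, J_{xz}I_2, J_{yz}I_2) \tag{15}$$

where $I_2$ is an identity matrix of size 2. The $J_d$ matrix can now be associated with two placement matrices $R_J$ and $S_J$,

$$R_J = \begin{bmatrix} 1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 1 \end{bmatrix}, \qquad S_J^T = \begin{bmatrix} 1 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 1 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 0 & 0 & 1 & 0 & 1 & 0 \end{bmatrix}$$

to give the factorized expression of $J$ as follows

$$J = R_J J_d S_J \tag{16}$$

The inertia uncertainty can be expressed by direct multiplicative uncertainty as

$$J_d = J_{d0}(I + \Delta_J) \tag{17}$$

where $J_{d0}$ consists of nominal values of $J_d$ and $\Delta_J$ represents the uncertainty in the diagonal form

$$\Delta_J = \mathrm{diag}(\Delta_{J_{xx}}, \Delta_{J_{yy}}, \Delta_{J_{zz}}, \Delta_{J_{xy}}I_2, \Delta_{J_{xz}}I_2, \Delta_{J_{yz}}I_2) \tag{18}$$

with $|\Delta_{J_{ij}}| \le \bar{\delta}_{ij}$, $\forall i, j \in \{x, y, z\}$, where $0 \le \bar{\delta}_{ij} \le 1$ is the upper bound of the considered uncertainty level along the given axis. If $\bar{\delta}_{ij} < 1$ for any $i, j$ couple, it is possible to reduce conservatism by introducing the following scaling

$$\Delta_J = W\Delta_J^*, \qquad \Delta_J^{*T}\Delta_J^* \le I \tag{19}$$

where

$$W = \mathrm{diag}(\bar{\delta}_{xx}, \bar{\delta}_{yy}, \bar{\delta}_{zz}, \bar{\delta}_{xy}I_2, \bar{\delta}_{xz}I_2, \bar{\delta}_{yz}I_2)$$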

Finally, inserting (17) into (16) gives the inertia matrix expressed in the additive uncertainty form

J=J0+R∗

J∆∗

JSJ(20)

where $J_0 = R_J J_{d0} S_J$ and $R_J^* = R_J J_{d0} W$. The inverse of $J$ appears in (13); it is therefore essential to express this inverse in a factorized form. Proposition 1 provides a method to achieve it.
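As an added numerical check (not code from the paper), the following Python sketch builds the placement matrices of (16), assembles $J_0$ from the nominal inertia entries listed in Table 2, and confirms that the multiplicative form (17) with the scaling (19) and the additive form (20) give the same perturbed inertia. The sampled $\Delta_J^*$ and the choice $W = 0.2I$ (the 20% level of Table 2 applied to every entry) are assumptions of the example.

```python
import numpy as np

# Placement matrices R_J and S_J^T as printed with equation (16), 3 x 9 each.
R_J = np.array([[1, 0, 0, 1, 0, 1, 0, 0, 0],
                [0, 1, 0, 0, 1, 0, 0, 1, 0],
                [0, 0, 1, 0, 0, 0, 1, 0, 1]], dtype=float)
S_J = np.array([[1, 0, 0, 0, 1, 0, 1, 0, 0],
                [0, 1, 0, 1, 0, 0, 0, 0, 1],
                [0, 0, 1, 0, 0, 1, 0, 1, 0]], dtype=float).T  # 9 x 3


def diag9(xx, yy, zz, xy, xz, yz):
    """9 x 9 diagonal matrix with the block pattern of (15) and (18)."""
    return np.diag([xx, yy, zz, xy, xy, xz, xz, yz, yz])


def inertia_from_diag(J_d):
    """Equation (16): J = R_J J_d S_J."""
    return R_J @ J_d @ S_J


def additive_form(J_d0, W, delta_star):
    """Equation (20): J = J_0 + R_J^* Delta_J^* S_J, with R_J^* = R_J J_d0 W."""
    J_0 = inertia_from_diag(J_d0)
    R_star = R_J @ J_d0 @ W
    return J_0 + R_star @ delta_star @ S_J


# Nominal inertia entries from Table 2 of the paper (kg m^2).
J_d0 = diag9(1450.0, 1800.0, 1200.0, -20.0, 5.0, -5.0)
# Assumption: the 20 % uncertainty level applies to every entry, so W = 0.2 I.
W = diag9(0.2, 0.2, 0.2, 0.2, 0.2, 0.2)


def check(seed=0):
    """Compare the multiplicative and additive forms for one sampled uncertainty."""
    rng = np.random.default_rng(seed)
    # Constructed sample of the normalised uncertainty, entries in [-1, 1].
    delta_star = diag9(*rng.uniform(-1.0, 1.0, size=6))
    # (17) with the scaling (19): J_d = J_d0 (I + W Delta_J^*)
    J_d = J_d0 @ (np.eye(9) + W @ delta_star)
    J_mult = inertia_from_diag(J_d)
    J_add = additive_form(J_d0, W, delta_star)
    return J_mult, J_add, delta_star


if __name__ == "__main__":
    J_mult, J_add, _ = check()
    print("J_0 =\n", inertia_from_diag(J_d0))
    print("max |J_mult - J_add| =", np.abs(J_mult - J_add).max())
```

Because each off-diagonal term occupies an $I_2$ block, the perturbed matrix stays symmetric and every entry moves by at most 20% of its nominal value.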

Proposition 1 (Uncertain inertia inverse factorization). If $\|J_0^{-1} R_J^*\| \, \|S_J\| \le 1$, then the inverse of the uncertain inertia matrix (20) can be expressed as

$$J^{-1} = J_0^{-1} + R_2 \Delta_2 S_2 \tag{21}$$

where $R_2$, $S_2$ are constant matrices given by $R_2 = J_0^{-1} R_J^* \|(I + S_J J_0^{-1} R_J^*)^{-1}\|$ and $S_2 = S_J J_0^{-1}$. Matrix $\Delta_2$ satisfies $\Delta_2^T \Delta_2 \le I$.


Proof: see Appendix A.

Utilizing the above proposition with the definition of the state vector $x = \omega$, it can be verified that equation (13) can be represented in the following nonlinear state space representation

$$\dot{x}(t) = Ax(t) + \Phi(x(t)) + \Delta\Phi(x(t)) + (B + \Delta B)u_f(t) \tag{22}$$

$$y(t) = Cx(t) \tag{23}$$

with the following assignments

$$\begin{aligned} \Phi(x(t)) &= -J_0^{-1}x(t) \times J_0 x(t) - Ax(t), & \Delta B &= R_2 \Delta_2 S_2 B_T, & A &= \left.\frac{\partial \dot{x}}{\partial x}\right|_{(x_0, J_0)} \\ \Delta\Phi(x(t)) &= -J^{-1}x(t) \times Jx(t) + J_0^{-1}x(t) \times J_0 x(t), & B &= J_0^{-1}B_T, & C &= I \end{aligned} \tag{24}$$

This formulation is now suitable for the NUIO theory proposed in the following subsection.

4.1.2. Robust Nonlinear Unknown Input Observer Design

Consider the model given by (22)-(23) without the nonlinear uncertainty $\Delta\Phi(x(t))$, but with a disturbance vector $d$ occurring in the state equation (this will be justified later in Section 4.1.3), i.e.

$$\dot{x}(t) = Ax(t) + \Phi(x(t)) + (B + \Delta B)u(t) + Ed(t) \tag{25}$$

$$y(t) = Cx(t) \tag{26}$$

As usual in the UIO theory, the design of the observer parameters is done without fault consideration, i.e. $\Psi = 0 \Rightarrow u_f = u$. Thus, fault sensitivity performance can only be checked a posteriori (see e.g. Patton et al. (2000)).

Assumption 1. It is assumed that $\Phi(x)$ is Lipschitz in a region $\mathcal{S}$ containing the origin, i.e. $\|\Phi(x_1) - \Phi(x_2)\| \le \gamma \|x_1 - x_2\|$, $\forall (x_1, x_2) \in \mathcal{S}$, where $\gamma > 0$ stands for the Lipschitz constant. If $\mathcal{S} = \mathbb{R}^n$, $\Phi$ is globally Lipschitz. Otherwise, it is locally Lipschitz.

Assumption 2. It is assumed that $E$ is of full column rank and that $\mathrm{rank}(CE) = \mathrm{rank}(E)$.

Note that Assumption 1 is reasonable in our case, since $\Phi(x)$ in (22) is continuously differentiable on $\mathbb{R}^3$ and thus, it is locally Lipschitz. This means that the angular velocity shall be bounded in magnitude, which is a reasonable assumption from a practical point of view, too. Assumption 2 can be made without loss of generality, see e.g. (Chen and Patton, 1999) if necessary.

Under Assumptions 1 and 2, the goal is to design the following NUIO

$$\dot{z}(t) = Nz(t) + Gu(t) + Ly(t) + M\Phi(\hat{x}(t)) \tag{27}$$

$$\hat{x}(t) = z(t) + Hy(t) \tag{28}$$

in such a way that $\hat{x}$ is robust against the uncertainties $\Delta B u$ and is decoupled from the unknown inputs $d$. In (27)–(28), $\hat{x} \in \mathbb{R}^n$ stands for the estimate of $x$ and $z \in \mathbb{R}^n$ is an auxiliary signal. It can be verified that a solution to this problem exists if and only if

$$N = MA - KC, \tag{29}$$

$$L = K(I - CH) + MAH, \tag{30}$$

$$M = I - HC, \tag{31}$$

$$G = MB \tag{32}$$

$$(I - HC)E = 0 \tag{33}$$

The general solution to (33) can be written as

$$H = U + YV \tag{34}$$

where $Y$ must be chosen so that it does not cause rank deficiency of $H$. Matrices $U$ and $V$ are given by

$$U = E(CE)^{\dagger}, \quad V = I - (CE)(CE)^{\dagger} \tag{35}$$

where $(CE)^{\dagger}$ denotes the generalized pseudo-inverse of the matrix $CE$.


The aim is now to design the parameters $K$ and $Y$ such that the estimation error $e = x - \hat{x}$ tends asymptotically to zero with maximum admissible Lipschitz constant $\gamma^*$ and such that the $L_2$ gain from $\Delta B u$ to the estimation error $e$ is bounded by

$$\frac{\|e\|_{\ell_2}}{\|\Delta B u\|_{\ell_2}} \le \kappa, \quad \forall u \in \mathcal{L}_2[0, \infty), \ \|\Delta B u\|_{\ell_2} \ne 0 \tag{36}$$

for a given $\kappa > 0$. The following theorem provides an LMI-based method for NUIO design.

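Theorem 1. Consider the (Lipschitz) nonlinear system given by (25)-(26). The NUIO given by (27)-(28) is asymptotically stable with maximum Lipschitz constant $\gamma^*$ and the $L_2$ gain from $\Delta B u$ to $e$ is bounded by $\kappa > 0$, if there exists a positive definite matrix $P = P^T > 0$ and matrices $\bar{K}$, $\bar{Y}$ as solutions of the following optimization problem:

$$\max_{P, \bar{K}, \bar{Y}} \ \xi \tag{37}$$

$$\text{s.t.} \quad \begin{bmatrix} \Psi_{11} + \Gamma_{11} & \Omega_{12} & \Omega_{13} & 0 & 0 \\ * & -I & 0 & 0 & 0 \\ * & * & -I & 0 & 0 \\ * & * & * & -\kappa^2 I & S_2 B_T \\ * & * & * & * & -I \end{bmatrix} < 0, \quad \begin{bmatrix} \xi & \gamma \\ * & 1 \end{bmatrix} \ge 0 \tag{38}$$

where

$$\Psi_{11} = ((I - UC)A)^T P + P(I - UC)A + (1 + \xi)I \tag{39}$$

$$\Gamma_{11} = -(VCA)^T \bar{Y}^T - \bar{Y}VCA - C^T \bar{K}^T - \bar{K}C \tag{40}$$

$$\Omega_{12} = P(I - UC) - \bar{Y}VC \tag{41}$$

$$\Omega_{13} = P(I - UC)R_2 - \bar{Y}VCR_2 \tag{42}$$

Once the problem is solved, then

$$K = P^{-1}\bar{K}, \quad Y = P^{-1}\bar{Y}, \quad \gamma^* = \sqrt{\xi} \tag{43}$$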

Proof: see Appendix B.

Remark 1. It should be outlined that the NUIO designed according to Theorem 1 tolerates any additive uncertainty $\Delta\Phi(x)$ in $\Phi_\Delta(x)$, i.e. $\Phi_\Delta(x) = \Phi(x) + \Delta\Phi(x)$, with Lipschitz constant less than or equal to $\gamma^* - \gamma$, see the work of Abbaszadeh and Marquez (2009) for a discussion.

Remark 2. The maximization of the admissible Lipschitz constant $\gamma^*$ may result in unsatisfactory dynamical behaviour of the state estimation error. To overcome this problem, the D-stability concept proposed by Chilali and Gahinet (1996) can be used jointly with Theorem 1, thanks to the LMI formulation (38). Substituting (31), (34) and (43) into (29) and transposing yields $N^T = A^T - (UCA)^T - (\bar{Y}VCA)^T P^{-1} - (\bar{K}C)^T P^{-1}$. Then, direct application of the developments proposed in (Chilali and Gahinet, 1996) shows that the eigenvalues of $N$ can be assigned into a prescribed region $\mathcal{D} = \cap_{k=1}^{n_s} \mathcal{D}_k$ if there exist a common Lyapunov matrix $P = P^T > 0$ and matrices $\bar{K}$ and $\bar{Y}$ such that the set of $n_s$ LMIs

$$\alpha_k \otimes P + \beta_k \otimes \left(A^T P - (UCA)^T P - (\bar{Y}VCA)^T - (\bar{K}C)^T\right) + \beta_k^T \otimes \left(PA - P(UCA) - \bar{Y}VCA - \bar{K}C\right) < 0, \quad k = 1, 2, \ldots, n_s \tag{44}$$

is simultaneously satisfied. In this expression, $\alpha_k$ and $\beta_k$ are matrices of appropriate dimension defining each region $\mathcal{D}_k$.

4.1.3. Comments on Computational Issues

The Lipschitz constant $\gamma$ for $\Phi(\omega)$ can be easily computed using a constrained optimization algorithm over the set $\mathcal{S}_\omega = \{\omega \in \mathbb{R}^3 : |\omega_k| \le \bar{\omega}, k = 1, 2, 3\}$, where $\bar{\omega}$ is the upper bound of the angular velocity for each axis. The LMI region assignment approach described in Remark 2 is also considered to adjust adequately the dynamics of the NUIOs. For each NUIO, the chosen region $\mathcal{D}$ results in the intersection of three elementary LMI regions $\mathcal{D}_k$, $k = 1, 2, 3$ defined according to:

- $\mathcal{D}_1$: left-half plane delimited by a vertical line $-\alpha$, $\alpha > 0$;
- $\mathcal{D}_2$: disk with center at $(-b, 0)$ and radius $c$;
- $\mathcal{D}_3$: conic region with center at the origin and inner angle $0 < \beta < \pi/2$ pointing left.

These parameters $(\alpha, b, c, \beta)$ have to be tuned such that the estimation error dynamics react quickly enough to any type of considered fault, allowing early distinction among the healthy/faulty thruster groups $\mathcal{S}_{Tk}$, $k = 1, \ldots, 5$. (See the following section about the proposed thruster group isolation strategy.)

For each thruster group $\mathcal{S}_{Tk}$, $k = 1, \ldots, 5$ (see equation (4) for definition), a dedicated NUIO is designed based on Algorithm 1. The kth NUIO is such that it can fully estimate the angular velocity $\omega$ with all control inputs except those associated with $\mathcal{S}_{Tk}$, i.e. with $u_i$, $\forall i \in \mathcal{S}_{all} \setminus \mathcal{S}_{Tk}$. On the other hand, $d$ in equation (25) stands for the control inputs associated with $\mathcal{S}_{Tk}$ (i.e. $u_i$, $\forall i \in \mathcal{S}_{Tk}$). As a result, the NUIO dedicated to the group $\mathcal{S}_{Tk}$ shall not be affected by faults occurring in the thrusters belonging to $\mathcal{S}_{Tk}$ due to the decoupling property, while all the other NUIOs will be (“are expected to be”, to be more precise, since the design of the NUIOs is done without fault sensitivity constraint).

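Algorithm 1 Design of the bank of 5 NUIOs

1: Compute $\gamma$ for $\Phi(\omega)$ over $\mathcal{S}_\omega$, choose the attenuation level $\kappa$;
2: for $k = 1$ to $5$ do
3:     $B_k^\star = [b_1^*, \ldots, b_{12}^*]$ where $b_i^* = J_0^{-1} b_{Ti}$, $\forall i \in \mathcal{S}_{all} \setminus \mathcal{S}_{Tk}$ and $b_i^* = 0$, $\forall i \in \mathcal{S}_{Tk}$;
4:     Set $E \triangleq J_0^{-1} b_{Ti}$ for any arbitrary $i \in \mathcal{S}_{Tk}$ and $B \triangleq B_k^\star$;
5:     Compute $U$ and $V$ according to (35);
6:     Prescribe the desired dynamics using $\mathcal{D}(\alpha, b, c, \beta)$;
7:     Solve problem (37) under LMI constraints (38) and (44) $\Rightarrow (P, \bar{K}, \bar{Y}, \xi)$;
8:     Set $K = P^{-1}\bar{K}$, $Y = P^{-1}\bar{Y}$ and $\gamma_k^* \triangleq \sqrt{\xi}$;
9:     Using $K$ and $Y$, gains for the kth NUIO are given by (29)-(32) and (34);
10: end for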

It is important to note that $d$ can be exactly decoupled only if the columns of $\Delta B$ related to $d$ are zero. If this is not the case, only the known directions, i.e. $b_i^* = J_0^{-1} b_{Ti}$, $i \in \mathcal{S}_{Tk}$, can be exactly decoupled, while the uncertain columns $\Delta b_i^*$, $i \in \mathcal{S}_{Tk}$ (columns of $\Delta B$ associated with $\mathcal{S}_{Tk}$) are attenuated in the $L_2$ sense (with upper bound $\kappa$) since the entire $\Delta B$ matrix is considered in (36). Furthermore, if a constant $\gamma^*$ linked to a given NUIO verifies $\gamma^* > \gamma$, then the associated observer tolerates an additional nonlinear uncertainty in $\Phi_\Delta(\omega)$, see Remark 1.

Note that all observers estimate only the angular rate $\omega$ of the chaser. Therefore, the computational burden is reduced since there is no need to process the entire state vector (i.e., the linear position/velocity and the attitude in addition). For real-time reasons, the bank of 5 NUIOs is triggered only when the decision signal $\varrho_{J_{th}}$ indicates the fault occurrence, i.e., when $\varrho_{J_{th}}(t) = 1$ for $t \ge t_d$. Even if only $\omega$ is estimated, keeping the NUIOs switched off before the fault is detected seems to be a good strategy, considering the nonlinear nature of the observer. Each observer is then initialized with the known measurement at time $t_d$, i.e., $\hat{\omega}_k(t_d) = \omega(t_d)$, $\forall k \in \{1, \ldots, 5\}$. By this, all observers have a zero initial estimation error. Hence, the observer initial convergence (transient phase) problem is avoided.

4.1.4. Thruster Group Isolation Logic - First Stage

Due to the aforementioned structure of the bank of NUIOs, it seems clear that the NUIO with the minimum estimation error (in some norm sense) reveals that a fault occurs in the associated set $\mathcal{S}_{Tk}$. Such a property provides an efficient isolation rule that can be written according to

$$\bar{\sigma}_g(t) = \arg\min_k \|e_k(t)\|, \quad t > t_d \tag{45}$$

where $e_k(t)$ denotes the estimation error at time $t$ associated with the kth NUIO. Note that the bank of NUIOs is triggered only when the fault indicating signal $\varrho_{J_{th}}$ (see Eq. (11)) indicates that a fault has occurred, that is for $t > t_d$. To avoid initial transition phenomena and to ensure robustness against noise, a confirmation time window, $\delta_g > 0$, is introduced, i.e.

$$t_g = \arg\inf_{t \ge t_d + \delta_g} \{\bar{\sigma}_g(t) = \bar{\sigma}_g(\vartheta), \ \forall \vartheta \in (t - \delta_g, t]\} \tag{46}$$

where $t_g$ is the isolation time of the faulty thruster group $j = \bar{\sigma}_g(t_g)$.
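The decoupling conditions (29)-(35) and the first-stage rule (45)-(46) can be exercised together in a small simulation, added here as an illustration and not taken from the paper. It assumes a bank of three observers with constructed torque directions (the paper uses five groups defined by its thruster configuration), linearisation about $x_0 = 0$ so that $A = 0$, hand-picked gains $K = 2I$ and $Y = 0$ in place of the LMI solution of Theorem 1, and the nominal inertia of Table 2.

```python
import numpy as np

# Nominal inertia from Table 2 of the paper (kg m^2).
J0 = np.array([[1450., -20., 5.], [-20., 1800., -5.], [5., -5., 1200.]])
J0_INV = np.linalg.inv(J0)
A = np.zeros((3, 3))    # assumption: linearisation about x0 = 0, hence A = 0
B = J0_INV              # assumption: u is a commanded body torque in N m
C = np.eye(3)           # C = I as in (24)
GROUP_DIRS = np.eye(3)  # constructed torque directions, one per hypothetical group


def phi(w):
    """Phi(x) of (24) for A = 0: -J0^{-1} (w x J0 w)."""
    return -J0_INV @ np.cross(w, J0 @ w)


def nuio_gains(E, K, Y):
    """Observer matrices from (29)-(32), with H = U + Y V from (34)-(35)."""
    CE = C @ E
    CE_pinv = np.linalg.pinv(CE)
    U = E @ CE_pinv
    V = np.eye(3) - CE @ CE_pinv
    H = U + Y @ V
    M = np.eye(3) - H @ C
    N = M @ A - K @ C
    L = K @ (np.eye(3) - C @ H) + M @ A @ H
    return {"N": N, "G": M @ B, "L": L, "M": M, "H": H, "E": E}


def build_bank(K=2.0 * np.eye(3), Y=np.zeros((3, 3))):
    """One NUIO per group; E_k = J0^{-1} b_k is the direction it decouples."""
    return [nuio_gains((J0_INV @ b).reshape(3, 1), K, Y) for b in GROUP_DIRS]


def simulate(fault_group, d=1.0, dt=0.01, t_end=3.0):
    """Euler simulation starting at the detection time t_d.

    Returns an array whose row i holds ||e_k|| for every observer at t_d + i*dt.
    """
    bank = build_bank()
    u = np.array([0.2, -0.1, 0.05])         # constructed known command
    x = np.zeros(3)
    z = [obs["M"] @ x for obs in bank]      # gives x_hat(t_d) = omega(t_d)
    e_fault = bank[fault_group]["E"][:, 0]  # direction through which the fault acts
    history = []
    for _ in range(int(round(t_end / dt)) + 1):
        y = C @ x
        x_hat = [zk + obs["H"] @ y for zk, obs in zip(z, bank)]
        history.append([np.linalg.norm(x - xh) for xh in x_hat])
        # Observer update (27), then plant update (25) with the fault acting as d.
        z = [zk + dt * (obs["N"] @ zk + obs["G"] @ u + obs["L"] @ y
                        + obs["M"] @ phi(xh))
             for zk, obs, xh in zip(z, bank, x_hat)]
        x = x + dt * (A @ x + phi(x) + B @ u + e_fault * d)
    return np.array(history)


def isolate_group(history, dt=0.01, delta_g=1.5):
    """Rules (45)-(46): arg min of the error norms, confirmed over delta_g."""
    decisions = np.argmin(history, axis=1)
    n_win = int(round(delta_g / dt))
    for i in range(n_win, len(decisions)):
        window = decisions[i - n_win + 1:i + 1]  # samples in (t - delta_g, t]
        if np.all(window == window[0]):
            return i * dt, int(window[0])        # (t_g - t_d, group index)
    return None


if __name__ == "__main__":
    hist = simulate(fault_group=1)
    print("final error norms:", hist[-1])
    print("isolation (delay after t_d, group):", isolate_group(hist))
```

The observer whose $E$ matches the faulty direction keeps a zero estimation error because $(I - HC)E = 0$, while the other observers drift, so the arg min is stable from the first sample after $t_d$ and the confirmation window sets the isolation delay.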

In ideal conditions, at this isolation stage, the minimum time $(t_d - t_f) + \delta_g$ has elapsed from the fault occurrence at $t = t_f$, thus allowing extra time for the fault to induce observable dynamic deviations in the translation dynamics contained in the residual signal $r$ given by (10). Therefore, as soon as the faulty thruster group index "j" is confirmed, the faulty thruster can be uniquely isolated by simply examining the degree of alignment between $r$ and the fixed force vector directions $b_{Fk}$, $k \in \mathcal{S}_{Tj}$ (see equation (3) for definition of $b_{Fk}$) under the assumption that the fault type is known. This is the purpose of the next subsection.

4.2. Final Thruster Fault Isolation - Second Stage

As soon as the faulty thruster group $\mathcal{S}_{Tj}$ is identified at the first stage, the faulty thruster can be easily isolated by examining the angle of the vector $r$ along the fixed force directions $b_{Fk}$, $\forall k \in \mathcal{S}_{Tj}$. If the kth thruster is faulty, then vectors $r \in \mathbb{R}^3$ and $b_{Fk} \in \mathbb{R}^3$ should be collinear (owing to the fault model (7)). The degree of collinearity can be computed using the direction cosine approach: $\theta_d^k = b_{Fk} \cdot r / (\|b_{Fk}\| \|r\|)$, where $\theta_d^k$ is the angle between the vectors $r$ and $b_{Fk}$. If $r$ and $b_{Fk}$ are collinear, then $\cos(\theta_d^k) = 1$. Thus, the following rule is proposed to isolate the faulty thruster uniquely:

$$\bar{\sigma}(t) = \arg\min_{k \in \mathcal{S}_{Tj}} \rho(t) \frac{b_{Fk} \cdot r(t)}{\|b_{Fk}\| \|r(t)\|}, \quad t \ge t_g \tag{47}$$

In this equation, $\rho$ determines whether an “open-” or “closed-type” thruster fault has occurred (see Section 2.1 about fault considerations). The notation $t \ge t_g$ indicates that this rule is applied only when the NUIO-based strategy (first stage) has ascribed and confirmed the fault to the subset $\mathcal{S}_{Tj}$.

With respect to $\rho$, the following two definitions are adopted depending on the identified thruster group $\mathcal{S}_{Tj}$, i.e.

a) Definition for $j = 1, \ldots, 4$

Recall the geometrical properties in terms of torque directions (see Section 2): thrusters belonging to the first four groups $\mathcal{S}_{Tj}$, $j = 1, \ldots, 4$ generate torques in the same direction within these groups, i.e. $b_{Tk} = b_{Th}$, $\forall k, h \in \mathcal{S}_{Tj}$. This property allows the following definition for $\rho$ when $j \ne 5$, i.e.

$$\rho^{(1:4)}(t) = \mathrm{sign}\left(b_{Tk} \cdot \hat{T}_{bias}(t)\right), \quad \text{for any } k \in \mathcal{S}_{Tj}, \ j \ne 5 \tag{48}$$

where $\hat{T}_{bias} \in \mathbb{R}^3$ is the estimate of the real torque bias $T_{bias}$ and $\mathrm{sign}(\cdot)$ stands for the signum function. This bias is due to the faulty thruster (see equation (7)) and should be understood as follows⁵

$$T_{bias}(t) = -B_T \Psi(t) u(t), \quad \Psi(t) \ne 0 \tag{49}$$

It is obvious that the two fault types, i.e. “open-” and “closed-type”, result in exactly opposite torque bias (shift) relative to the torque direction $b_{Tk}$, $\forall k \in \mathcal{S}_{Tj}$, $j \ne 5$.

The torque bias (49) can be estimated using an EKF based on the nominal ($J \triangleq J_0$) attitude dynamics model (13), see for instance (Posch et al., 2013) for realisation details. Note that in (48), the direction vector $b_{Tk}$ can be any from $\mathcal{S}_{Tj}$ since they are equal for all $j = 1, \ldots, 4$.

b) Definition for $j = 5$

Considering the thruster group 5, it is obvious that the previous strategy cannot be used since $b_{Tk}$, $k \in \mathcal{S}_{T5}$ are not unique/same-valued direction vectors, see equation (6). However, a special property of thrusters belonging to this subset is that they barely produce any torque in the x- and y-axis. This makes it possible to focus only on the z-axis. Thus, the following definition for $\rho$ when $j = 5$ is proposed:

$$\rho^{(5)}(t) = f_{Wald}\left(r_{bias}(t_k)\right), \quad j = 5 \tag{50}$$

where $r_{bias}(t_k) = \hat{T}^z_{bias}(t_k) - \hat{T}^z_{bias}(t_{k-1})$, $\hat{T}^z_{bias}$ is the third component (i.e. the component on the z-axis) of $\hat{T}_{bias}$ and $f_{Wald}(\cdot)$ stands for the sequential Wald test for the variance applied on $r_{bias}$. This test can result in three possible situations:

$$f_{Wald}\left(r_{bias}(t_k)\right) = \begin{cases} 1 & \text{if decision in favour of “closed-type”} \\ 0 & \text{if no decision has been adopted} \\ -1 & \text{if no decision in favour of “open-type”} \end{cases} \tag{51}$$

Implementation details on the sequential Wald test, also known as the Sequential Probability Ratio Test (SPRT), can be found in (Basseville and Nikiforov, 1993).

⁵ In other words, this bias can also be understood as a difference (bias) between the real torques applied on the spacecraft and the torques as seen from the controller point of view.


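Improvement of the Strategy

For the thruster group number 5, taking into account (6), it is possible to slightly improve the reliability of the isolation algorithm (47) by dividing the set $\mathcal{S}_{T5}$ into two smaller subsets, i.e. $\mathcal{S}^a_{T5} = \{3, 12\}$ and $\mathcal{S}^b_{T5} = \{6, 9\}$. Now, the isolation rule (47) can be redefined for $j = 5$ as follows

$$\bar{\sigma}(t) = \begin{cases} \arg\min\limits_{k \in \mathcal{S}^a_{T5}} \rho^{(5)}(t) \dfrac{b_{Fk} \cdot r(t)}{\|b_{Fk}\| \|r(t)\|}, & \text{if } \min\limits_{k \in \mathcal{S}^a_{T5}} \rho^{(5)} b_{Tk} \cdot \hat{T}_{bias} \ge \min\limits_{k \in \mathcal{S}^b_{T5}} \rho^{(5)} b_{Tk} \cdot \hat{T}_{bias} \\ \arg\min\limits_{k \in \mathcal{S}^b_{T5}} \rho^{(5)}(t) \dfrac{b_{Fk} \cdot r(t)}{\|b_{Fk}\| \|r(t)\|}, & \text{otherwise} \end{cases}$$

Now, the logic (47) is able to isolate any of the four considered fault scenarios (see Section 2.1), thus thruster faults of both types, within any thruster group $\mathcal{S}_{Tj}$, $j = 1, \ldots, 5$ (supposing that the thruster group isolation $j = \bar{\sigma}_g$ was successful).

Finally, another confirmation window, $\delta > 0$, is introduced according to

$$t_i = \arg\inf_{t \ge t_g + \delta} \{\bar{\sigma}(t) = \bar{\sigma}(\vartheta), \ \forall \vartheta \in (t - \delta, t]\} \tag{52}$$

where $t_i$ is the isolation time of the faulty thruster. Let $i = \bar{\sigma}(t_i)$ for future reference.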

5. Fault Accommodation

Once a faulty thruster is isolated, a fault accommodation mechanism has to be engaged in order to maintain the capture objectives of the MSR mission. To carry out such objectives, TAS has designed the thruster configuration presented in Section 2. This configuration has some Degrees of Freedom (DoF) available to achieve fault tolerance (functional redundancy). In particular, the set of $N = 12$ thrusters is placed on the chaser spacecraft (see Fig. 1) such that the nominally attainable set $W_a$ of propulsion moments $T$ and forces $F$ is relatively close to the sets obtained by combining the thrust of any $N - 1 = 11$ thrusters. From a practical viewpoint, this means that it is possible to achieve the required capture accuracy and the necessary GNC performance with only eleven healthy thrusters. On the other hand, the nominal 6 DoF control law that is planned to be implemented on-board is designed to guarantee the capture objectives such as: attitude alignment versus the target, the longitudinal and lateral velocities and the position in the rendezvous corridor. Since the CA technique does not require any modification of the control law, the fault tolerance solution is proposed to be based on this philosophy. Moreover, the CA solution is further justified by the fact that all thrusters are individually equipped with a Thruster Latch Valve (TLV) able to shut off the propellant supply, switching off de facto the associated thruster. Thus, as soon as the ith thruster is confirmed to be faulty by $\bar{\sigma}$, see (47) and (52), the faulty thruster is switched off using the dedicated TLV and the desired forces $F_d$ and torques $T_d$ of the controller are redistributed among the remaining $N - 1$ healthy thrusters. Figure 3 gives an overview of the proposed FDI/CA-based FTC solution implemented within the GNC architecture.

[Figure 3, block diagram. Blocks: Navigation Unit, 6 DOF Controller, Control Allocation, Propulsion System, Chaser Dynamics, Fault Detection and Isolation. Signal labels: ref, Noise, Thruster Faults, Uncertainties/Delays, Uncertainties/Spatial Disturbances, closing the i-th thruster.]

Figure 3: FDI/CA-based FTC strategy for thruster faults implemented within the GNC architecture

5.1. Reconﬁgurable Control Allocation

The on-board CA algorithm shall determine in real-time, i.e. at each control cycle (10 Hz frequency), the proper thruster selection and their firing times to achieve the controller-commanded torque and force impulses. Many CA algorithms have potential to be applied, see (Johansen and Fossen, 2013) for a recent survey on CA techniques. To make use of the remaining healthy thrusters in case of a failure, it is required to reconfigure the CA scheme (re-allocation). This re-allocation can be achieved easily by changing some constraints or parameters of the existing CA algorithms.

In this paper, a modified version of the NIPC approach is proposed. The original version of the NIPC algorithm was presented by Jin et al. (1995). The NIPC method solves the following optimization problem

$$\begin{aligned} u = \arg\min_u \ & \|W_v \bar{B} u - v_d\|_p \\ \text{s.t.} \ & 0 \le u_k \le \bar{u}_k, \ \forall k \in \mathcal{S}_{all} \end{aligned} \tag{53}$$

where $\bar{B} = [\bar{b}_1, \ldots, \bar{b}_{12}] = [B_T^T \ B_F^T]^T$ is the overall thruster configuration matrix, $v_d = [T_d^T \ F_d^T]^T$ is the vector of the desired torque and force commands of the 6 DoF control law synthesized by the 6 DoF controller and followed by the thruster modulator unit, and $\bar{u}_k$ is the maximum opening duration of the kth thruster. The core of the fault tolerance principle is that if the ith thruster is faulty, then $\bar{u}_i$ is set to 0. The weighting matrix $W_v$ affects the prioritization among torque/force components when $\bar{B}u - v_d$ cannot be attained due to thruster physical constraints. The different choices of the vector p-norm in (53) result in:

1. Minimum flow rate allocation: $\min \|u\|_1$
2. Minimum power allocation: $\min \|u\|_2$
3. Minimum peak torque/force allocation: $\min \|u\|_\infty$

Using the minimum flow rate allocation will yield the greatest control authority for flow rate limited thruster systems. Similarly for the other two allocations. It is known that stability of the closed-loop system can be guaranteed as long as the constraints of the optimization problem (53) are met (feasibility implies stability).

Algorithm 2 NIPC control allocation with fault tolerance principle

1: Set $iter = 0$ and $v = v_d$;
2: if the ith thruster is declared to be faulty then
3:     Construct $\bar{B}_i$ from $\bar{B}$ such that $\bar{b}_i = 0$ and set $\bar{u}_i \triangleq 0$;
4: else
5:     Set $\bar{B}_i \triangleq \bar{B}$;
6: end if
7: while $\|W_v * error\|_p > \varepsilon$ and $iter < N^{max}_{iter}$ do
8:     $v = v + \lambda_c * error$;
9:     $u^{pc} = \bar{B}_i^{p+} v$;
10:     $u^c = (u^{pc} + |u^{pc}|)/2$;
11:     for $k = 1$ to $N$ do
12:         if $u^c_k > \bar{u}_k$ then $u^c_k = \bar{u}_k$; end if
13:         if $u^c_k < MIB/2$ then $u^c_k = 0$; end if
14:         if $MIB/2 \le u^c_k < MIB$ then $u^c_k = MIB$; end if
15:     end for
16:     $error = \bar{B}_i u^c - v_d$;
17:     $iter = iter + 1$;
18: end while
19: Set $u \triangleq u^c$;

The proposed NIPC method that solves the re-allocation problem to ensure thruster fault tolerance is given in Algorithm 2. This algorithm also solves the optimization problem (53). It terminates if a certain precision $\varepsilon \ge 0$ of the allocated torques/forces, weighted by $W_v$, is achieved (typical choice is $\varepsilon \to 0$) or if the maximum number of iterations $N^{max}_{iter}$ is reached. $N^{max}_{iter}$ can be considered to reflect the maximum computation time available. In Algorithm 2, $MIB$ stands for the Minimum Impulse Bit, i.e. the minimum shooting time that a thruster can execute, $\lambda_c > 0$ allows the convergence time of the algorithm to be managed, and $\bar{B}_i^{p+}$ stands for the generalized inverse of $\bar{B}_i$ given in step 3 (optimal in the sense of the chosen p-norm). It is obvious that both $N^{max}_{iter}$ and $\lambda_c$ influence the computational burden of the algorithm.

Fault tolerance is achieved due to step 3 and consequently to steps 9 and 12 in Algorithm 2, the index "i" being determined by the FDI unit. Changing the minimization objective in (53) is very simple since it results in changing the criterion $p \in \{1, 2, \infty\}$ in steps 7 and 9.

Remark 3. The NIPC algorithm has been compared with other powerful CA approaches presented in (Härkegård, 2003). Results from a numerical campaign have shown that the NIPC approach constitutes a good trade-off between accuracy and computational complexity. This is mostly due to the algorithm’s conceptual simplicity, i.e. the matrices $\bar{B}_i^{p+}$ in step 9 are all fixed, thus it is possible to pre-compute them all off-line. This reduces the computational burden, but the price to pay is a higher memory consumption.

6. Simulation Campaign

The scenario considered in this study is focused on the terminal rendezvous phase, which brings the chaser from approximately 20 m range up to the capture point. The objective is to successfully capture the target. To achieve this, the MSR capture conditions in terms of positions and velocities, and of relative attitude and angular rates must be achieved within a certain precision (see Table 1 for numerical values). Furthermore, during the whole rendezvous phase, the chaser spacecraft must maintain its position within the rendezvous corridor and must keep its attitude pointing towards the target with a maximum misalignment of 20 degrees on all axes (roll, pitch, and yaw).

| | Capture condition | Nominal value | Max variation | Unit |
|---|---|---|---|---|
| Translational conditions | Position misalignment on +X face | 0.0 | 0.20 | m |
| | Longitudinal X velocity accuracy | 0.1 | 0.05 | m/s |
| | Lateral Y and Z velocity error | 0.0 | 0.04 | m/s |
| Rotational conditions | Angular rate error | 0 | 0.3⋆ | deg/s |
| | Angular misalignment | 0 | 2⋆ | deg |

Table 1: Baseline MSR conditions for successful capture (⋆ are 3σ requirements)

The FTC strategy described in the previous sections has been implemented within the MSR high-fidelity industrial simulator provided by Thales Alenia Space industries. This simulator includes a nonlinear model of the rigid body dynamics of the chaser and target in a Mars orbit. Simulation assumes that Mars is in a Keplerian orbit about the Sun. The chaser and target orbits around Mars are modelled using Gauss’ equations, with the gravitational field of Mars calculated using a spherical harmonic expansion with the Mars50c coefficients (Konopliv and Sjogren, 1995; Hartley et al., 2012). The attitude dynamics are modelled assuming that the chaser and target are rigid bodies (Sidi, 1997).

Following the design steps given in Algorithm 1, a bank of 5 NUIOs has been designed. The numerical values for $\alpha$, $b$, $c$, $\beta$, and $\kappa$ are fixed to 0, 0.18, 0.05, $\pi/4$, and 0.9 for all NUIOs, respectively. The numerical values of $\gamma$ and $\gamma^*$ are found to be 0.9047 and $1.4039 \times 10^4$. The selected parameters for the NIPC algorithm (see Algorithm 2) correspond to: $W_v = I$, $N^{max}_{iter} = 350$, $\lambda_c = 1.89$, $\varepsilon = 10^{-7}$ and $p = 2$, i.e. the 2nd vector norm was chosen, leading to minimum power allocation. Each thruster is considered to have $MIB = 0.068$ s. Above this, the actual commanded open durations are quantised in steps of 0.01 s. The GLR decision test given by (11) has been implemented recursively with $J_{th} = 33$, $T_s = 0.1$ s, $t_0 = 100$ s and $w_i = 1/3$, $\forall i \in \{1, 2, 3\}$. The chosen threshold $J_{th}$ has been determined through Monte Carlo simulations to ensure minimum (ideally zero) false alarm rate. This approach is widely used in the FDI community (see Patton et al. (2006) for more details). For the two-stage isolation logic, a confirmation window $\delta_g = 1.5$ s has been considered in (46) and $\delta = 0.5$ s in (52). The 4th order Runge-Kutta integration method has been used to propagate the nonlinear equations for the EKF to obtain the estimate $\hat{T}_{bias}$ of the torque bias. The EKF state covariance matrix was tuned such that the estimated torque bias “directions” are as close as possible to the real ones. The measurement covariance matrix has been selected based on the knowledge of the gyro model.

Figure 4 serves as a simulation example and aims to highlight the need for an active FTC solution. This example corresponds to a fully open thruster fault (i.e. case 1) occurring at $t_f = 1100$ s and affecting thruster No. 7. To emphasize the relevance of the engagement of the proposed FTC scheme into the GNC system, two identical simulations are carried out. First, when the proposed FTC strategy is active (FTC on), and second, when it is disengaged (FTC off). Figure 4 clearly illustrates the consequence when such a fault is not accommodated, i.e. the chaser misses the target and the mission fails. On the other hand, when the proposed approach is engaged, the chaser maintains nominal trajectory, i.e. stays inside the rendezvous corridor and the MSR capture requirements are met. Furthermore, it can be inferred from Fig. 4 that the chaser keeps its attitude pointing towards the target all the time.

A Monte Carlo simulation campaign is often used in the industry to test and validate the performance of an FDI/FTC system. In this simulation study, a high number of simulation models with randomly drawn dynamics is associated with the following three thruster fault scenarios:

• case 1: fully open thruster, i.e. $m_{leak} = 1$;
• case 2: bipropellant leakage ranging from 7% to 20%, i.e. $m_{leak} \sim \mathcal{U}(0.07, 0.2)$;
• case 3: loss of efficiency ranging from 30% to 100%, i.e. $m_{loss} \sim \mathcal{U}(0.3, 1)$.

Figure 4: Chaser trajectory within the MSR rendezvous corridor

The selected leakage and efficiency loss intervals were determined based on the study presented in (Fonod et al., 2014b). In this study, it was shown that if the FDI unit fails to detect or isolate a small thruster fault (e.g. $m_{loss} \lesssim 15\%$), the effect that this fault has on the GNC system and/or on the final MSR capture performance requirements is negligible. This is due to the fact that such a relatively small fault has very little impact on the system dynamics and shall be compensated by a robust control law. On the other hand, such faults are very hard or even impossible to detect and isolate.

For each faulty case, a set of 1000 Monte Carlo simulations has been carried out in order to assess the performance of the proposed FTC strategy. Thruster faults are uniformly distributed among all the 12 thrusters. In all cases, the fault occurs at time $t_f = 1000$ s and is maintained. All the ($3 \times 1000$) simulations were carried out under realistic conditions, i.e. the navigation unit is considered to deliver “non-perfect” state estimates. Therefore all signals used by the FDI scheme, NIPC algorithm and the 6 DoF controller are replaced with their respective uncertain values. Time-varying delays induced by the CPDE device and spatial disturbances (e.g., solar radiation pressure, gravity gradient, and atmospheric drag assuming an exponential atmospheric model) are also considered.

For each run, the nominal model parameters were scattered within a specific limit (see Table 2 for details). The mass, the CoM and the inertia were scattered according to the normal distribution and truncated to the corresponding 3σ values. The 1% multiplicative uncertainty on the thruster forces models the uncertainty on the thruster rise times and the thruster misalignment phenomena. Because the real configuration matrix $\bar{B}$ is never precisely known on-board, an uncertain configuration matrix is considered for on-board computational purposes (control law, FDI, CA). This matrix has been computed using a worst-case scenario when an offset of −3 cm was added to each axis of the nominal CoM (see Table 2). A 10% initial navigation uncertainty is considered on the Cartesian coordinates $x_p$ (see Table 3).

| Property | Nominal value | Unit | Uncertainty | Distribution |
|---|---|---|---|---|
| Mass ($m$) | 1575 | kg | ±10% | $\mathcal{N}(1, 0.1/3)$ |
| Inertia ($J$) | [1450 −20 5; −20 1800 −5; 5 −5 1200] | kg·m² | ±20% | $\mathcal{N}(1, 0.2/3)$ |
| CoM ($d_{CoM}$) | [0.880 0.035 0.035]ᵀ | m | ±3 cm | $\mathcal{N}(0, 0.03/3)$ |
| Thrust ($12 \times \|F_{Tk}\|$) | 12 × 22 | N | ±1% | $\mathcal{N}(1, 0.01)$ |
| Cartesian coordinates ($x_p$) | Converted orbital elements (see Table 3) | m, m/s | ±10% | $\mathcal{N}(1, 0.1/3)$ |

Table 2: Considered parameter uncertainties of the chaser spacecraft

To evaluate performance and reliability of the proposed FDI scheme, some statistical indices have been used, like the mean detection delay and its corresponding deviation. The considered indices are listed below:

• $\mu(\tau_d)/\sigma(\tau_d)$ - mean/standard deviation (st.dev.) of the detection delay $\tau_d = t_d - t_f$,
• $\mu(\tau_g)/\sigma(\tau_g)$ - mean/st.dev. of the thruster group isolation delay $\tau_g = t_g - t_d$,
• $\mu(\tau_i)/\sigma(\tau_i)$ - mean/st.dev. of the thruster isolation delay $\tau_i = t_i - t_g$,
• $\mu(\tau_o)/\sigma(\tau_o)$ - mean/st.dev. of the overall detection and isolation delay $\tau_o = t_i - t_f$,
• $p_f$ - FDI unit fail rate, i.e. the number of wrongly isolated thrusters divided by the total number of Monte Carlo runs (1000 for each fault scenario).

| Orbital parameter | Chaser | Target | Unit |
|---|---|---|---|
| Semimajor axis | 3893 | 3893 | km |
| Eccentricity | 0 | 0 | n/a |
| Inclination | 30 | 30 | deg |
| RAAN | 0 | 0 | deg |
| Argument of periapsis | 0 | 0 | deg |
| True anomaly | −32.16×10⁻⁵ | 0 | deg |

Table 3: Initial Keplerian orbital parameters of the chaser and target

These performance indices are calculated for each fault case separately. Table 4 presents complete results obtained from the simulation campaign. This table demonstrates that the proposed FDI scheme is able to detect and isolate almost all considered thruster faults with good detection/isolation performances. In addition, it also shows a good reliability since no false detection/isolation has been revealed for the first two faulty scenarios ($p_f = 0$). Considering the thrust loss scenario, in about 110 simulation cases, the FDI unit failed to either detect or correctly isolate the faulty thruster. As will be shown next, this fact does not violate any capture condition nor the mission success.

| Metric | Fully open | Leakage | Thrust loss |
|---|---|---|---|
| $\mu(\tau_d)/\sigma(\tau_d)$ | 2.36/0.14 (s) | 4.97/0.75 (s) | 48.44/53.29 (s) |
| $\mu(\tau_g)/\sigma(\tau_g)$ | 1.50/0.86 (s) | 1.75/0.37 (s) | 3.37/5.16 (s) |
| $\mu(\tau_i)/\sigma(\tau_i)$ | 0.40/0.00 (s) | 3.70/11.39 (s) | 4.20/8.21 (s) |
| $\mu(\tau_o)/\sigma(\tau_o)$ | 4.27/0.87 (s) | 10.41/11.71 (s) | 56.01/54.57 (s) |
| $p_f$ | 0 | 0 | 0.11 |

Table 4: FDI performances based on 3×1000 Monte Carlo runs

Figures 5a-9b illustrate the fault tolerant capabilities of the proposed technique. The capture conditions in terms of position and velocities are given in Fig. 5a, Fig. 7a, and Fig. 9a for fully open thruster, leaking thruster and efficiency loss thruster fault, respectively. Figure 5b, Fig. 7b and Fig. 9b illustrate that in all faulty cases the chaser maintains the nominal trajectory (i.e. stays inside the rendezvous corridor) and that the chaser keeps its attitude pointing towards the target, thus leading to a successful capture. Finally, Fig. 6b, Fig. 8b and Fig. 10b show that the proposed strategy is able to meet the required 3σ capture accuracy in terms of angular misalignment and angular rate errors.

Note that the early detection of the occurrence of incipient or small size thruster faults (e.g., small propellant leakage or small thrust loss) is clearly more difficult. Another problem can arise when a fully blocked thruster (i.e. $m_{loss} = 1$) is not commanded and thus a fault detection is almost impossible. As seen in Fig. 9a and Fig. 9b, despite the fact that in some cases the FDI unit failed, the required capture tolerances and attitude/trajectory conditions are fully met.

On the other hand, in some particular cases, the attitude misalignment requirement (3σ) is not met even if the FDI unit succeeded. This can be the case when it takes too long for the FDI unit to detect and/or isolate the faulty thruster or when the control accuracy is very degraded, e.g., due to a worst case uncertainty or strong disturbance. In such cases, the solution consists in a corrective maneuver (e.g. triggering a collision avoidance maneuver) that is engaged at the higher level of the fault management unit, see (LePeuvédic et al., 2014).

Figure 5: Capture position requirements and GNC performances for fault case 1. (a) Position misalignment (top left), lateral velocity (top right) and longitudinal velocity (bottom). (b) Chaser's attitude error (left) and trajectory inside the rendezvous corridor (right).

Figure 6: Considered distributions and capture angular requirements for fault case 1. (a) Inertia (top left), mass (middle left), CoM (bottom left) and thruster indices (top right) distribution. (b) Angular misalignment (left) and angular rate error (right) at capture.

Figure 7: Capture position requirements and GNC performances for fault case 2. (a) Position misalignment (top left), lateral velocity (top right) and longitudinal velocity (bottom). (b) Chaser's attitude error (left) and trajectory inside the rendezvous corridor (right).

Figure 8: Considered distributions and capture angular requirements for fault case 2. (a) Inertia (top left), mass (middle left), CoM (bottom left), thruster indices (top right) and leakage size (bottom right) distribution. (b) Angular misalignment (left) and angular rate error (right) at capture.

Figure 9: Capture position requirements and GNC performances for fault case 3. (a) Position misalignment (top left), lateral velocity (top right) and longitudinal velocity (bottom). (b) Chaser's attitude error (left) and trajectory inside the rendezvous corridor (right). The legend distinguishes runs with FDI success from runs where FDI failed.

Figure 10: Considered distributions and capture angular requirements for fault case 3. (a) Inertia (top left), mass (middle left), CoM (bottom left), thruster indices (top right) and thrust loss size (bottom right) distribution. (b) Angular misalignment (left) and angular rate error (right) at capture.

7. Conclusion

In this paper, a systematic procedure has been presented for the theoretical design and application of a model-based approach to FDI/CA-based FTC of an autonomous rendezvous system in the terminal phase. The aim was to detect and isolate a single thruster fault affecting the chaser propulsion system and to accommodate it as quickly as possible. The proposed FDI scheme consists of a robust fault detector and a NUIO and EKF-based hierarchical isolation logic. The NUIO gains are given by solving an LMI optimization problem, which ensures maximization of the admissible Lipschitz constant while simultaneously satisfying an $L_2$ gain bound and pole constraints on observer dynamics. The $L_2$ attenuation is considered to minimize the effect of the uncertain inertia on the state estimation error. The NUIO design together with the derivation of the uncertain inertia inverse factorization can be considered as a contribution to the theory. The thruster fault tolerance is achieved by an improved version of the NIPC control allocation algorithm scheduled by the robust FDI scheme. A Monte Carlo simulation campaign has been performed to assess the performance and robustness of the FDI/CA-based FTC system subject to parameter uncertainties, spatial disturbances, delays and imperfect navigation. The obtained results indicate that for all the considered fault profiles, which are those considered to be the most relevant by the industrial partners, the proposed strategy can carry out the terminal rendezvous successfully and meet all the required capture specifications.

Acknowledgement

The authors would like to thank the ESA (Guidance, Navigation and Control Section at European Space

Research and Technology Centre) and Thales Alenia Space France (Research and Technology/Science and

Observation within the Research and Development Department) for providing the funding that made this

research possible, through the ESA Networking/Partnering Initiative (NPI) Program.

Appendix A. Proof of Proposition 1

To prove Proposition 1, the following lemma is introduced ﬁrst:

Lemma 1 (Neumann series of a matrix, Chatelin (1983)). Consider a square matrix $A$ such that $\|A\| < 1$. Let $\lambda$ be any eigenvalue of $A$. It is clear that $(I - A)$ is invertible if $\lambda \neq 1$, $\forall \lambda \in \Lambda(A)$. The condition $\|A\| < 1$ implies that $|\lambda| < 1$, $\forall \lambda \in \Lambda(A)$. Thus, $(I - A)$ is invertible and the Neumann series

$$(I - A)^{-1} = \sum_{k=0}^{\infty} A^k = I + A + A^2 + \dots \tag{A.1}$$

converges. When $\|A\| \geq 1$, $(I - A)$ is still invertible if $\lambda \neq 1$, $\forall \lambda \in \Lambda(A)$, but the Neumann series does not converge because $\lim_{k \to \infty} A^k \neq 0$.

Proof of Lemma 1. Since $\|A\| < 1$, the series $\sum_{k=0}^{\infty} \|A\|^k$ converges. Since $\|A^h\| \leq \|A\|^h$, the series $\sum_{k=0}^{\infty} A^k$ converges, too. Denote by $Z$ its limit. $ZA = AZ = \sum_{k=0}^{\infty} A^{k+1}$; therefore $(I - A)Z = Z(I - A) = I$, which proves (A.1).

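The real inertia matrix $J$ is always invertible and symmetric, thus $J_0$ and $J_0 + R_J^* \Delta_J^* S_J$ are invertible and symmetric too. Now, multiplying (20) by $J_0^{-1}$ from the left yields

$$J_0^{-1} J = I + J_0^{-1} R_J^* \Delta_J^* S_J \tag{A.2}$$

inverting both sides gives

$$J^{-1} J_0 = (I + J_0^{-1} R_J^* \Delta_J^* S_J)^{-1} \tag{A.3}$$

Since $\Delta_J^{*T} \Delta_J^* \leq I \Rightarrow \|\Delta_J^*\| \leq 1$, the following bound holds

$$\|J_0^{-1} R_J^* \Delta_J^* S_J\| \leq \|J_0^{-1} R_J^*\| \|\Delta_J^*\| \|S_J\| \leq \|J_0^{-1} R_J^*\| \|S_J\| \tag{A.4}$$

Thus, if $\|J_0^{-1} R_J^*\| \|S_J\| < 1$, then the right-hand side of (A.3) can be expressed according to Lemma 1 as follows

$$(I - (-J_0^{-1} R_J^* \Delta_J^* S_J))^{-1} = \sum_{k=0}^{\infty} (-1)^k (J_0^{-1} R_J^* \Delta_J^* S_J)^k \tag{A.5}$$

Post-multiplying (A.3) by $J_0^{-1}$ and substituting (A.5) gives

$$\begin{aligned} J^{-1} &= \sum_{k=0}^{\infty} (-1)^k (J_0^{-1} R_J^* \Delta_J^* S_J)^k J_0^{-1} \\ &= J_0^{-1} + \sum_{k=1}^{\infty} (-1)^k (J_0^{-1} R_J^* \Delta_J^* S_J)^k J_0^{-1} = J_0^{-1} + R_1 \Delta_1 S_1 \end{aligned} \tag{A.6}$$

where

$$R_1 = J_0^{-1} R_J^* \tag{A.7}$$

$$S_1 = S_J J_0^{-1} \tag{A.8}$$

$$\Delta_1 = \Delta_J^* \left(-I + S_J J_0^{-1} R_J^* \Delta_J^* - (S_J J_0^{-1} R_J^* \Delta_J^*)^2 + \dots\right) \tag{A.9}$$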


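It must be checked whether $\Delta_1^T \Delta_1 \leq 1$. Considering the worst-case uncertainty, i.e. $\Delta_J^* = I$, and inserting it in (A.9) yields

$$\bar{\Delta}_1 = -I + S_J J_0^{-1} R_J^* - (S_J J_0^{-1} R_J^*)^2 + \dots = -\sum_{k=0}^{\infty} (-1)^k (S_J J_0^{-1} R_J^*)^k \tag{A.10}$$

which gives the upper bound of $\Delta_1$, i.e. $\|\Delta_1\| \leq \|\bar{\Delta}_1\|$. According to Lemma 1, the right-hand side of (A.10) is equivalent to

$$\bar{\Delta}_1 = -\sum_{k=0}^{\infty} (-1)^k (S_J J_0^{-1} R_J^*)^k = -(I + S_J J_0^{-1} R_J^*)^{-1} \tag{A.11}$$

if $\|S_J J_0^{-1} R_J^*\| < 1$, which is true since $\|S_J J_0^{-1} R_J^*\| \leq \|J_0^{-1} R_J^*\| \|S_J\| < 1$. It is obvious that $\|\bar{\Delta}_1\| = \|(I + S_J J_0^{-1} R_J^*)^{-1}\| > 1$, thus a new scaling matrix $W_2$ must be introduced such that

$$\Delta_1 = W_2 \Delta_2, \quad \Delta_2^T \Delta_2 \leq I \tag{A.12}$$

where $\Delta_2$ is unknown. One possible choice of $W_2$ is to take the norm upper bound of $\Delta_1$, i.e.

$$W_2 = \|\bar{\Delta}_1\| I = \|(I + S_J J_0^{-1} R_J^*)^{-1}\| I \tag{A.13}$$

Then, the following holds

$$\|\Delta_1\| = \|W_2 \Delta_2\| = \|\bar{\Delta}_1\| \|\Delta_2\| \leq \|\bar{\Delta}_1\| \Rightarrow \Delta_2^T \Delta_2 \leq I$$

Inserting (A.12) into (A.6) and setting $R_2 = R_1 W_2$, $S_2 = S_1$, (A.6) yields (21).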
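The factorisation derived in (A.2)-(A.13) can be checked numerically. The Python code below is an added example, not code from the paper: the nominal inertia, the 20 % uncertainty weight and the uncertainty sample are constructed values, and all function names are hypothetical.

```python
# Added example (not from the paper): numerical check of (A.2)-(A.13).

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) for c in zip(*B)] for r in A]

def eye(n):
    return [[float(i == j) for j in range(n)] for i in range(n)]

def add(A, B):
    return [[a + b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def scale(A, s):
    return [[s * a for a in r] for r in A]

def maxdiff(A, B):
    return max(abs(a - b) for ra, rb in zip(A, B) for a, b in zip(ra, rb))

def inv(A):
    """Gauss-Jordan inverse with partial pivoting."""
    n = len(A)
    M = [[float(v) for v in r] + e for r, e in zip(A, eye(n))]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-12:
            raise ValueError("singular matrix")
        M[c], M[p] = M[p], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c:
                f = M[r][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [r[n:] for r in M]

def norm2(A, iters=200):
    """Spectral norm, approximated by power iteration on A^T A."""
    AtA = matmul([list(c) for c in zip(*A)], A)
    v, lam = [[1.0 + i] for i in range(len(AtA))], 0.0
    for _ in range(iters):
        w = matmul(AtA, v)
        lam = max(abs(x[0]) for x in w)
        if lam == 0.0:
            return 0.0
        v = [[x[0] / lam] for x in w]
    return lam ** 0.5

def factorise_inverse(J0, RJ, SJ, DJ, terms=60):
    """Check J^-1 = J0^-1 + R2*D2*S2 for J = J0 + RJ*DJ*SJ."""
    I = eye(len(J0))
    J0i = inv(J0)
    R1, S1 = matmul(J0i, RJ), matmul(SJ, J0i)          # (A.7), (A.8)
    bound = norm2(R1) * norm2(SJ)                      # right side of (A.4)
    if bound >= 1.0:
        raise ValueError("||J0^-1 RJ|| ||SJ|| >= 1: Lemma 1 does not apply")
    X = matmul(matmul(S1, RJ), DJ)                     # SJ J0^-1 RJ DJ
    acc, term = scale(I, 0.0), scale(I, -1.0)
    for _ in range(terms):                             # -I + X - X^2 + ... (A.9)
        acc, term = add(acc, term), scale(matmul(term, X), -1.0)
    D1_series = matmul(DJ, acc)
    D1 = scale(matmul(DJ, inv(add(I, X))), -1.0)       # series limit by Lemma 1
    D1_bar = scale(inv(add(I, matmul(S1, RJ))), -1.0)  # (A.11), DJ = I
    w2 = norm2(D1_bar)                                 # W2 = w2 * I, (A.13)
    R2, D2 = scale(R1, w2), scale(D1, 1.0 / w2)        # (A.12), R2 = R1 W2
    J_inv_fact = add(J0i, matmul(matmul(R2, D2), S1))  # (A.6) with S2 = S1
    J_inv_true = inv(add(J0, matmul(matmul(RJ, DJ), SJ)))
    return {
        "bound": bound,
        "series_err": maxdiff(D1_series, D1),
        "inverse_err": maxdiff(J_inv_fact, J_inv_true),
        "w2": w2,
        "delta2_norm": norm2(D2),   # must be <= 1 for W2 to be a valid scaling
    }

# Constructed sample: nominal inertia in kg m^2, 20 % relative uncertainty weight
J0 = [[120.0, -3.0, 2.0], [-3.0, 95.0, -4.0], [2.0, -4.0, 80.0]]
RJ, SJ = scale(J0, -0.2), eye(3)
DJ = scale(eye(3), 0.5)      # one admissible uncertainty sample, ||DJ|| <= 1

def demo():
    return factorise_inverse(J0, RJ, SJ, DJ)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.6g}")
```

Evaluate `delta2_norm` over the whole admissible set of $\Delta_J^*$, not a single sample, before relying on a given $W_2$.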

Appendix B. Proof of Theorem 1

In the proof of Theorem 1, the following lemma is used:

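Lemma 2 (Zhou and Khargonekar (1988)). Let $D$, $F$, and $\Sigma(t)$ be matrices with appropriate dimensions. If $\Sigma^T(t)\Sigma(t) \leq I$, then for any scalar $\epsilon > 0$ the following inequality holds:

$$D\Sigma(t)F + F^T\Sigma^T(t)D^T \leq \epsilon^{-1} DD^T + \epsilon F^TF \tag{B.1}$$

Proof of Lemma 2. It can be verified that the following holds

$$\left(\epsilon^{\frac{1}{2}} D^T - \epsilon^{-\frac{1}{2}} \Sigma(t)F\right)^T \left(\epsilon^{\frac{1}{2}} D^T - \epsilon^{-\frac{1}{2}} \Sigma(t)F\right) \geq 0$$

then expanding the above yields

$$\epsilon^{-1} F^T\Sigma^T(t)\Sigma(t)F + \epsilon DD^T \geq D\Sigma(t)F + F^T\Sigma^T(t)D^T$$

It is obvious that $\|\Sigma\| \leq 1 \Leftrightarrow \lambda_{\max}(\Sigma^T\Sigma) \leq 1 \Leftrightarrow \Sigma^T\Sigma \leq I$, thus

$$\epsilon DD^T + \epsilon^{-1} F^TF \geq \epsilon^{-1} F^T\Sigma^T(t)\Sigma(t)F + \epsilon DD^T \geq D\Sigma(t)F + F^T\Sigma^T(t)D^T$$

Since $\epsilon > 0$ is arbitrary, replacing $\epsilon$ by $\epsilon^{-1}$ gives (B.1).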

To proceed with the proof of Theorem 1, assume that $H$ is chosen such that (33) holds. Under the assumption that $\Delta B = R_2 \Delta_2 S_2 B_T$ with $\Delta_2^T \Delta_2 \leq I$, the error dynamics of the NUIO can be rewritten as

$$\dot{e} = Ne + M(\Phi - \hat{\Phi}) + M R_2 \Delta_2 S_2 B_T u \tag{B.2}$$

where $\Phi$ and $\hat{\Phi}$ stand for $\Phi(x)$ and $\Phi(\hat{x})$, respectively. Considering the quadratic Lyapunov function $V(t) = e(t)^T P e(t)$, the time derivative of $V(t)$ along the trajectory of (B.2) is given by

$$\dot{V} = e^T(N^TP + PN)e + 2e^TPM(\Phi - \hat{\Phi}) + 2e^TPMR_2\Delta_2S_2B_Tu \tag{B.3}$$

Using the Lipschitz condition stated in Assumption 1 and Lemma 2 with $\epsilon = 1$ it follows that

$$2e^TPM(\Phi - \hat{\Phi}) \leq 2\gamma \|e^TPM\| \|e\| \leq e^TPMM^TPe + \gamma^2 e^Te$$

$$2e^TPMR_2\Delta_2S_2B_Tu \leq e^TPMR_2R_2^TM^TPe + u^T(S_2B_T)^TS_2B_Tu$$

and (B.3) can be bounded as follows

$$\dot{V} \leq e^T\left(N^TP + PN + PM(I + R_2R_2^T)M^TP + \gamma^2 I\right)e + u^T(S_2B_T)^TS_2B_Tu \tag{B.4}$$


Let's consider the $H_\infty$ performance criteria

$$\min\ \kappa : \int_0^T e^T(t)e(t)\,dt \leq \kappa^2 \int_0^T u^T(t)u(t)\,dt \quad \forall T \geq 0 \tag{B.5}$$

then it is straightforward to verify that the $L_2$ gain from $\Delta B u$ to $e$ is bounded by $\kappa > 0$ if and only if

$$\begin{bmatrix} \Psi_1 & 0 \\ * & \Psi_2 \end{bmatrix} < 0 \tag{B.6}$$

with

$$\Psi_1 = N^TP + PN + (1 + \gamma^2)I + PM(I + R_2R_2^T)M^TP$$

$$\Psi_2 = (S_2B_T)^TS_2B_T - \kappa^2 I$$

Then, by virtue of the Schur's complement lemma, (B.6) is equivalent to

$$\begin{bmatrix} N^TP + PN + (1 + \gamma^2)I & PM & PMR_2 & 0 & 0 \\ * & -I & 0 & 0 & 0 \\ * & * & -I & 0 & 0 \\ * & * & * & -\kappa^2 I & S_2B_T \\ * & * & * & * & -I \end{bmatrix} < 0 \tag{B.7}$$

It can be seen that there is no systematic way to obtain the observer parameters directly from (B.7) due to coupled terms. To reformulate (B.7) as an LMI, $H$ is substituted by (34), and the following assignments are used: $\bar{Y} = PY$, $\bar{K} = PK$ and $\xi = \gamma^2$. Additionally, it is desired to achieve the maximum possible Lipschitz constant $\gamma^*$ and simultaneously to respect the constraint $\gamma^* \geq \gamma$. This constraint can be rewritten by defining a new variable $\xi = (\gamma^*)^2$ as $\xi - \gamma^2 \geq 0$. Then, using the Schur's complement, (38) follows. It is then obvious that maximizing $\xi$ is equivalent to maximizing $\gamma^*$. This concludes the proof of Theorem 1.

References

Abbaszadeh, M., Marquez, H.J., 2009. LMI optimization approach to robust H∞ observer design and static output feedback

stabilization for discrete-time nonlinear uncertain systems. International Journal of Robust and Nonlinear Control 19, 313–340.

doi:10.1002/rnc.1310.

Alwi, H., Edwards, C., 2008. Fault tolerant control using sliding modes with on-line control allocation. Automatica 44, 1859–1866.

doi:10.1016/j.automatica.2007.10.034.

Alwi, H., Edwards, C., Marcos, A., 2010. FDI for a mars orbiting satellite based on a sliding mode observer scheme, in: Conference

on Control and Fault-Tolerant Systems (SysTol), IEEE, Nice, France. pp. 125–130. doi:10.1109/SYSTOL.2010.5676035.

Bajpai, G., Chang, B., Lau, A., 2001. Reconﬁguration of ﬂight control systems for actuator failures. IEEE Aerospace and Electronic

Systems Magazine 16, 29–33. doi:10.1109/62.949534.

Basseville, M., Nikiforov, I., 1993. Detection of Abrupt Changes: Theory and Application. Prentice Hall, Englewood Cliﬀs, NJ.

Beaty, D., Grady, M., May, L., Gardini, B., 2008. Preliminary planning for an international Mars Sample Return mission. Technical

Report. Report of the International Mars Architecture for the Return of Samples (iMARS) Working Group.

Blanke, M., Kinnaert, M., Lunze, J., Staroswiecki, M., 2006. Diagnosis and Fault-Tolerant Control. Springer, Berlin.

Boada, J., Prieur, C., Tarbouriech, S., Pittet, C., Charbonnel, C., 2010. Multi-saturation anti-windup structure for satellite control,

in: Proc. American Control Conference, Baltimore, USA. pp. 5979–5984. doi:10.1109/ACC.2010.5531254.

Bodson, M., 2002. Evaluation of optimization methods for control allocation. Journal of Guidance, Control and Dynamics 25,

703–711. doi:10.2514/2.4937.

Bodson, M., Groszkiewicz, J., 1997. Multivariable adaptive control algorithms for reconﬁgurable ﬂight control. IEEE Transactions

on Control Systems Technology 5, 217–229. doi:10.1109/87.556026.

Caglayan, A., Allen, S., Wehmuller, K., 1988. Evaluation of a second generation reconﬁguration strategy for aircraft ﬂight control

systems subjected to actuator failure/surface damage, in: IEEE National Aerospace and Electronics Conference, pp. 520–590.

doi:10.1109/NAECON.1988.195057.

Camacho, E., Bordons, C., 1999. Model Predictive Control. Springer, London.

Chatelin, F., 1983. Spectral Approximation of Linear Operators. Academic Press, Society for Industrial and Applied Mathematics,

New York.

Chen, J., Patton, R., 1999. Robust model-based fault diagnosis for dynamic systems. Kluwer Academic Publishers, Dordrecht.

doi:10.1007/978-1-4615-5149-2.

Chen, W., Saif, M., 2007. Observer-based fault diagnosis of satellite systems subject to time-varying thruster faults. Journal of

Dynamic Systems, Measurement and Control 129, 352–356. doi:10.1115/1.2719773.

Chilali, M., Gahinet, P., 1996. H∞ design with pole placement constraints: An LMI approach. IEEE Transactions on Automatic

Control 41, 358–367. doi:10.1109/9.486637.

Ding, S.X., 2013. Model-based Fault Diagnosis Techniques: Design Schemes, Algorithms, and Tools. 2nd ed., Springer-Verlag,

London. doi:10.1007/978-1-4471-4799-2.

Eﬁmov, D., Cieslak, J., Henry, D., 2013. Supervisory fault tolerant control with mutual performance optimization. International

Journal of Adaptive Control and Signal Processing 27, 251–279. doi:10.1002/acs.2296.


Falcoz, A., Boquet, F., Dinh, M., Polle, B., Flandin, G., Bornschlegl, E., 2010a. Robust fault diagnosis for spacecraft: Application

to LISA pathﬁnder experiment, in: 18th IFAC Symposium on Automatic Control in Aerospace, IFAC, Nara, Japan. pp. 404–409.

doi:10.3182/20100906-5-JP-2022.00069.

Falcoz, A., Boquet, F., Flandin, G., 2010b. Robust H∞/H− thruster failure detection and isolation with application to the

lisa pathfinder spacecraft, in: AIAA Guidance, Navigation, and Control Conference, AIAA, Toronto, Ontario. doi:10.2514/6.2010-7906.

Fonod, R., Henry, D., Bornschlegl, E., Charbonnel, C., 2013. Robust fault detection for systems with electronic induced delays:

Application to the rendezvous phase of the MSR mission, in: 12th European Control Conference, Zürich, Switzerland. pp.

1439–1444.

Fonod, R., Henry, D., Bornschlegl, E., Charbonnel, C., 2014a. Thruster fault detection, isolation and accommodation for

an autonomous spacecraft, in: 19th IFAC World Congress, Cape Town, South Africa. pp. 10543–10548. doi:10.3182/20140824-6-ZA-1003.02144.

Fonod, R., Henry, D., Charbonnel, C., Bornschlegl, E., 2014b. A class of nonlinear unknown input observer for fault diagnosis:

Application to fault tolerant control of an autonomous spacecraft, in: 10th UKACC International Conference on Control,

Loughborough, United Kingdom. pp. 19–24. doi:10.1109/CONTROL.2014.6915108.

Fonod, R., Henry, D., Charbonnel, C., Bornschlegl, E., 2015. Position and attitude model-based thruster fault diagnosis: A

comparison study. Journal of Guidance, Control and Dynamics 38, 1012–1026. doi:10.2514/1.G000309.

Fu, Y.P., Cheng, Y.H., Jiang, B., Yang, M.K., 2011. Fault tolerant control with on-line control allocation for ﬂexible satellite

attitude control system, in: 2nd International Conference on Intelligent Control and Information Processing, IEEE. pp. 42–46.

doi:10.1109/ICICIP.2011.6008195.

Gao, Z., Antsaklis, P., 1991. Stability of the pseudo-inverse method for reconﬁgurable control systems. International Journal of

Control 53, 717–729. doi:10.1080/00207179108953643.

Grenaille, S., Henry, D., Zolghadri, A., 2004. Fault diagnosis in satellites using H∞ estimators, in: International Conference on

Systems, Man and Cybernetics, IEEE, The Hague, NL. pp. 5195–5200. doi:10.1109/ICSMC.2004.1401019.

Härkegård, O., 2003. Backstepping and Control Allocation with Applications to Flight Control. Linköping studies in science and

technology. thesis no 820. Linköping University. Linköping, Sweden.

Hartley, E.N., Trodden, P.A., Richards, A.G., Maciejowski, J.M., 2012. Model predictive control system design and implementation

for spacecraft rendezvous. Control Engineering Practice 20, 695–713. doi:10.1016/j.conengprac.2012.03.009.

HARVD - Final Presentation, 2011. GMV and Thales Alenia Space and Swedish Space Corporation and SENER and jenaoptronik

and INTA, Final presentation, December 2011.

Henry, D., 2008a. Fault diagnosis of microscope satellite thrusters using H∞/H− filters. Journal of Guidance, Control, and

Dynamics 31, 699–711. doi:10.2514/1.31003.

Henry, D., 2008b. From fault diagnosis to recovery actions for aeronautic and aerospace missions: A model-based point of view,

in: 23rd IAR Workshop on Advanced Control and Diagnosis, Coventry, UK. pp. 13–19.

Henry, D., Olive, X., Bornschlegl, E., 2011. A model-based solution for fault diagnosis of thruster faults: Application to the

rendezvous phase of the Mars Sample Return mission, in: 4th European Conference for Aerospace Sciences (EUCASS), St.

Petersburg, Russian Federation. doi:10.1051/eucass/201306423.

Jiang, J., 1994. Design of reconﬁgurable control systems using eigenstructure assignments. International Journal of Control 59,

395–410. doi:10.1080/00207179408923083.

Jin, H.P., Wiktor, P., DeBra, D., 1995. An optimal thruster conﬁguration design and evaluation for quick step. Control Engineering

Practice 3, 1113–1118. doi:10.1016/0967-0661(95)00104-3.

Jin, J., Park, B., Park, Y., Tahk, M.J., 2006. Attitude control of a satellite with redundant thrusters. Aerospace Science and

Technology 10, 644–651. doi:10.1016/j.ast.2006.04.005.

Johansen, T.A., Fossen, T.I., 2013. Control allocation - survey. Automatica 49, 1087–1103. doi:10.1016/j.automatica.2013.01.035.

Josh, S., 1987. Design of failure accommodating multiloop LQG-type controllers. IEEE Transactions on Automatic Control 32,

740–741. doi:10.1109/TAC.1987.1104704.

Konopliv, A.S., Sjogren, W.L., 1995. The JPL Mars gravity ﬁeld, Mars50c, based upon Viking and Mariner 9 Doppler tracking

data. Technical Report. NASA Jet Propulsion Laboratory.

LePeuvédic, C., Charbonnel, C., Henry, D., Strippoli, L., Ankersen, F., 2014. Fault tolerant control design for terminal rendezvous

around mars, in: 9th International ESA Conference on GNC, Portugal.

Looze, D., Weiss, J., Eterno, J., Barett, N., 1985. An automatic redesign approach for restructurable control systems. IEEE Control

System Magazine 5, 16–22. doi:10.1109/MCS.1985.1104940.

Maciejowski, J., 2002. Predictive Control with Constraints. Prentice-Hall, Harlow, England.

Noura, H., Theilliol, D., Ponsart, J., Chamseddine, A., 2009. Fault-Tolerant Control Systems: Design and Practical Applications.

Springer Verlag, London.

Oppenheimer, M., Doman, D., Bolender, M., 2010. Control allocation, in: Levine, W.S. (Ed.), The control handbook, control

system applications (2nd ed., Chapter 8). CRC Press.

Ostroﬀ, A., 1985. Techniques for accommodating control eﬀector failures on a mildly statically unstable airplane, in: Proceedings

of the American Control Conference, pp. 903–906.

Page, A., Steinberg, M., 2002. High-ﬁdelity simulation testing of control allocation methods, in: AIAA Guidance, Navigation and

Control Conference and Exhibit, AIAA, Monterey, California. doi:10.2514/6.2002-4547.

Patton, R., Frank, P., Clark, R., 2000. Issues of fault diagnosis for dynamic systems. Springer, London.

Patton, R., Uppal, F., Simani, S., Polle, B., 2006. A monte carlo analysis and design for FDI of a satellite attitude control system,

in: Proceedings of SAFEPROCESS'2006, IFAC, Beijing, China. pp. 1393–1398. doi:10.3182/20060829-4-CN-2909.00220.

Patton, R., Uppal, F., Simani, S., Polle, B., 2008. Reliable fault diagnosis scheme for a spacecraft attitude control system.

Proceedings of the Institution of Mechanical Engineers Part O: Journal of Risk and Reliability 222, 139–152. doi:10.1243/1748006XJRR98.

Patton, R., Uppal, F., Simani, S., Polle, B., 2010. Robust FDI applied to thruster faults of a satellite system. Control Engineering

Practice 18, 1093–1109. doi:10.1016/j.conengprac.2009.04.011.

Pettazzi, L., Lanzon, A., Theil, S., Finzi, A., 2009. Design of robust drag-free controllers with given structure. Journal of Guidance,

Control, and Dynamics 32, 1609–1621. doi:10.2514/1.40279.

Posch, A., Schwientek, A., Sommer, J., Fichter, W., 2013. Model-based on-board realtime thruster fault monitoring, in: Proceedings

of IFAC Symposium on Automatic Control in Aerospace, Würzburg, Germany. pp. 553–558. doi:10.3182/20130902-5-DE-2040.00080.


Sidi, M.J., 1997. Spacecraft Dynamics and Control. Cambridge University Press, Cambridge, England, UK.

Staroswiecki, M., 2005. Fault tolerant control: the pseudo-inverse method revisited, in: Proceedings of the 16th IFAC World

Congress, IFAC, Prague, Czech Republic. pp. 1871–1871. doi:10.3182/20050703-6-CZ-1902.01872.

Staroswiecki, M., Yang, H., Jiang, B., 2007. Progressive accommodation of parametric faults in linear quadratic control. Automatica

43, 2070–2076. doi:10.1016/j.automatica.2007.04.016.

Tafazoli, M., 2009. A study of on-orbit spacecraft failures. Acta Astronautica 64, 195–205. doi:10.1016/j.actaastro.2008.07.019.

Tao, G., Chen, S., Joshi, S., 2002. An adaptive control scheme for systems with unknown actuator failures. Automatica 38,

1027–1034. doi:10.1016/S0005-1098(02)00018-3.

Veillette, R., 1995. Reliable linear-quadratic state-feedback control. Automatica 31, 137–143. doi:10.1016/0005-1098(94)E0045-J.

Wu, Q., Saif, M., 2009. Model-based robust fault diagnosis for satellite control systems using learning and sliding mode approaches.

Journal of computers 4, 1022–1032. doi:10.4304/jcp.4.10.1022-1032.

Yang, H., Jiang, B., Cocquempot, V., 2012. Supervisory fault tolerant control with integrated fault detection and isolation:

a switched system approach. International Journal of Applied Mathematics and Computer Science 22, 87–97. doi:10.2478/v10006-012-0006-9.

Zhang, X., Parisini, T., Polycarpou, M., 2004. Adaptive fault-tolerant control of nonlinear uncertain systems: An information

based diagnostic approach. IEEE Transactions on Automatic Control 49, 1259–1274. doi:10.1109/TAC.2004.832201.

Zhang, Y., Jiang, J., 2001. Integrated active fault-tolerant control using imm approach. IEEE Transactions on Aerospace and

Electronic Systems 37, 1221–1235. doi:10.1109/7.976961.

Zhang, Y., Jiang, J., 2008. Bibliographical review on reconﬁgurable fault-tolerant control systems. Annual Reviews in Control 32,

229–252. doi:10.1016/j.arcontrol.2008.03.008.

Zhao, Q., Jiang, J., 1998. Reliable state feedback control systems design against actuator failures. Automatica 34, 1267–1272.

doi:10.1016/S0005-1098(98)00072-7.

Zhou, K., Khargonekar, P.P., 1988. Robust stabilization of linear systems with norm-bounded time-varying uncertainty. Systems

& Control Letters 10, 17–20.
