Thruster Fault Detection, Isolation and Accommodation for an Autonomous Spacecraft

R. Fonod ∗, D. Henry ∗, E. Bornschlegl ∗∗, C. Charbonnel ∗∗∗

∗ Université de Bordeaux, IMS UMR CNRS 5218, Talence, France
{robert.fonod, david.henry}@ims-bordeaux.fr
∗∗ European Space Agency, Noordwijk, The Netherlands
∗∗∗ Thales Alenia Space, Cannes, France

Abstract: The presented work is a result of a research collaboration between European Space
Agency, Thales Alenia Space and IMS Laboratory with the aim of promoting fault-tolerant
control strategies to advance spacecraft autonomy. A multiple observer based scheme is proposed
jointly with an online constrained allocation algorithm to detect, isolate and accommodate
a single thruster fault affecting the propulsion system of an autonomous spacecraft. Robust
residual generator with enhanced robustness to time delays induced by the propulsion drive
electronics and uncertainties on thruster rise times is used for fault detection purposes. A
decision test on the residual of the fault detector triggers a bank of nonlinear unknown input
observers which is in charge of confining the fault to a subset of possible faults. The faulty
thruster isolation is achieved by matching the residual and the thruster force directions using
the direction cosine approach. Finally, the fault is accommodated by redistributing the desired
forces and torques among the remaining (healthy) thrusters and closing the isolated thruster.
Simulation results from the “high-fidelity” industrial simulator, provided by Thales Alenia
Space, demonstrate the fault-tolerance capabilities of the proposed scheme.
1. INTRODUCTION
Space exploration missions require critical autonomous proximity operations. Mission safety is usually guaranteed via a hierarchical implementation of the Fault/Failure Detection, Isolation and Recovery (FDIR) approach (see for instance Olive [2012], Zolghadri [2012]). Fault detection and isolation are performed by simple cross checks between redundant units, limit checking, voting mechanisms, etc. Fixed thresholds are used for quick recognition of out-of-tolerance conditions. The recovery action is usually performed by switching to (hot) redundant units/strings (multiple sensors, actuators, processors, etc.) and/or changing the operation mode to safe mode followed by ground intervention. Current FDIR techniques used in space systems are industrially well mastered, but may not be sufficient in some cases, especially for faulty situations causing quick and abnormal dynamics deviation in critical space operations. This is the case for thruster faults during the terminal rendezvous and docking/capture phases, when a thruster failure could possibly lead to mission loss. The literature reports (see e.g. Wander and Förstner [2012]) that conventional FDIR methods suffer from significant shortcomings: on-board fault isolation is often missing, redundant equipment increases mass and system complexity, and ground intervention is not always possible as a result of large communication delays or visibility issues.

This research work was supported by European Space Agency
(ESA) and Thales Alenia Space France in frame of ESA’s Network-
ing/Partnering Initiative (NPI) program.

This motivates the European Space Agency (ESA) to manage studies for the development of fully autonomous on-board solutions that shall cope with all the possible faults that may occur and endanger the mission. Therefore, advanced Fault Detection and Isolation (FDI) approaches should be specifically developed to safely conjugate the necessary robustness/stability of the spacecraft control, trajectory dynamics and the vehicle nominal performance. Alternatively to redundancy-based FDIR techniques, model-based algorithms may offer a good balance between advanced strategies and existing physical redundancies that may lead to more efficient health monitoring and recovery systems based on fewer redundant components while providing large fault coverage capabilities.

In this paper, the application concerns the rendezvous phase of the Mars Sample Return (MSR) mission. The goal of this mission is to return samples from Mars to Earth for analysis. Obviously, the rendezvous phase might be endangered if a thruster fault occurs. As a consequence, the Guidance, Navigation, and Control (GNC) system may not fully compensate, for example, spatial disturbances, and/or may lose attitude, and/or the position of the sample container (target). This problem becomes highly critical during the last 20 meters of the rendezvous phase. During this phase, the chaser spacecraft must be correctly positioned in the approach corridor to successfully capture the target, and the chaser's attitude needs to be maintained in the rendezvous sensor's field of view.

Numerous model-based FDI techniques have been studied in the past decades in the academic community, see Blanke et al. [2006] and Ding [2008] for good surveys. The still growing interest of potential applications in aerospace systems is demonstrated by recent publications, see, for instance, Chen and Saif [2007], Henry [2008], Patton et al. [2010], Falcoz et al. [2010], Posch et al. [2013]. In terms of fault accommodation techniques, the interested reader shall refer to the literature review of Zhang and Jiang [2008].

Proceedings of the 19th World Congress
The International Federation of Automatic Control
Cape Town, South Africa. August 24-29, 2014
978-3-902823-62-5/2014 © IFAC 10543

The method introduced in this paper is sought from an industrial perspective. The aim is to develop an algorithm which can quickly detect, isolate, and accommodate a single thruster fault in a simple manner and is easily implementable for a real spacecraft mission. As soon as a thruster is declared to be faulty by the FDI unit, the associated (faulty) thruster is closed by a dedicated thruster latch valve and the remaining (healthy) thrusters are used to control the spacecraft dynamics. This fault accommodation strategy is achieved by a control re-allocation technique. In this way, the nominal (in-place and certified) control law remains unchanged, which is an important condition from an industrial point of view.

2. PROBLEM STATEMENT
The terminal rendezvous control mode corresponds to a 6 Degree of Freedom (DoF) control which ensures the application of both commanded force and torque vectors by means of thrusters only (reaction wheel control is turned off). The chaser spacecraft is equipped with a chemical propulsion system composed of $N = 12$ thrusters¹. The thrusters are physically organised in four clusters and are in charge of producing force $F \in \mathbb{R}^3$ and torque $T \in \mathbb{R}^3$ vectors expressed in the chaser body-fixed reference frame $\mathcal{F}_b = \{O_b; \hat{x}_b, \hat{y}_b, \hat{z}_b\}$. Let $\mathcal{S}_{all} = \{1, 2, \ldots, N\}$ denote the set of all thruster indices. Thrusters have fixed directions $d_i \in \mathbb{R}^3$, $\forall i \in \mathcal{S}_{all}$, and each one is able to produce a maximum thrust of $F_N = 22$ N.

The Chemical Propulsion Drive Electronics (CPDE), which drives the thrusting actuators, initiates the opening of the thruster valve for the commanded duration $0 \le u_i(t) \le 1$, $\forall i \in \mathcal{S}_{all}$. The propulsion system is obviously a source of uncertainty in the system. The irrational transfer

$$H(s) = e^{-\tau(t)s} \tag{1}$$

aims to model the effect of the unknown time-varying delays $\tau(t) \ge 0$ induced by the CPDE and the uncertainties on the thruster rise times. Let $u_i(t-\tau(t))$ be the commanded open rate of the $i$th thruster delayed by $\tau(t)$; then the net forces and torques generated by the thrusters are

$$F(t) = B_F\,u(t-\tau(t)), \qquad T(t) = B_T\,u(t-\tau(t)) \tag{2}$$

where $u(t) = [u_1(t), \ldots, u_N(t)]^T$, and

$$B_F = [\,b_{F1}\;\; b_{F2}\;\; \ldots\;\; b_{FN}\,], \qquad B_T = [\,b_{T1}\;\; b_{T2}\;\; \ldots\;\; b_{TN}\,] \tag{3}$$

are the sensitivity (configuration) matrices. The columns of $B_F$ and $B_T$ are the influence coefficients defining how each thruster affects each component of $F(t)$ and $T(t)$, respectively, and are defined as follows

$$b_{Fi} = d_i F_N, \qquad b_{Ti} = (R_i - R_M) \times b_{Fi}, \qquad \forall i \in \mathcal{S}_{all} \tag{4}$$

where "$\times$" denotes the cross product, $R_M \in \mathbb{R}^3$ is the position vector of the Center of Mass (CoM), and $R_i \in \mathbb{R}^3$, $\forall i \in \mathcal{S}_{all}$, are the position vectors of the thrusters, both expressed in the chaser body-fixed frame $\mathcal{F}_b$.

¹ The considered thruster configuration in this paper is not a baseline MSR configuration, but a special one designed by Thales Alenia Space to study active fault tolerant control principles.

By analysing the configuration matrices $B_F$ and $B_T$ in terms of directional properties, the following can be concluded: thruster indices inside the sets $\mathcal{S}_{Ti}$, $i = 1, \ldots, 5$ have similar torque directions and are defined as

$$\mathcal{S}_{T1} = \{1, 11\}, \quad \mathcal{S}_{T2} = \{2, 10\}, \quad \mathcal{S}_{T3} = \{4, 8\}, \quad \mathcal{S}_{T4} = \{5, 7\}, \quad \mathcal{S}_{T5} = \{3, 6, 9, 12\} \tag{5}$$

In terms of force directions, the following is revealed

$$b_{F1} = -b_{F11}, \quad b_{F4} = -b_{F8}, \quad b_{F3} = -b_{F12}, \quad b_{F2} = -b_{F10}, \quad b_{F5} = -b_{F7}, \quad b_{F6} = -b_{F9} \tag{6}$$

which means that the thruster pairs given by $\mathcal{S}_{Ti}$, $i = 1, \ldots, 4$ produce exactly opposite forces. The last thruster group, i.e. $\mathcal{S}_{T5}$, has the following orthogonal property

$$b_{F3} \cdot b_{F6} = 0, \qquad b_{F9} \cdot b_{F12} = 0 \tag{7}$$

where "$\cdot$" denotes the dot product. Directional properties (5)-(7) will be used to derive an explicit isolation strategy.

The considered thruster faults are modeled in a multiplicative way according to (index "f" outlines the faulty case)

$$u_f(t) = (I - \Psi(t))\,u(t), \qquad \Psi(t) = \mathrm{diag}(\psi_1(t), \ldots, \psi_N(t)) \tag{8}$$

where $\psi_i$ models the health status of the $i$th thruster, i.e.

$$\psi_i(t) = \begin{cases} 0 & \text{if fault-free} \\ 1 - \phi_i(t)/u_i(t) & \text{if faulty} \end{cases} \tag{9}$$

$\phi_i$ allows different fault scenarios to be considered. In this paper, we deal with the so-called "open-type" thruster faults:

$$\phi_i(t) = \begin{cases} 1 & \text{fully open thruster} \\ \max\{m_{leak}, u_i(t)\} & \text{propellant leakage} \end{cases} \tag{10}$$

where $m_{leak}$ is the magnitude of the leaking thruster.

The two objectives addressed in this paper are:
(1) to quickly detect and isolate a single thruster fault while ensuring enhanced robustness to (1), and
(2) to accommodate this fault using the remaining $N-1$ healthy thrusters so that the rendezvous criteria are met and the nominal controller remains in the loop.

3. FAULT DETECTION AND ISOLATION
The proposed model-based FDI scheme consists of a fault detector which is in charge of detecting the fault presence in the system. Once a detection flag is triggered, a bank of nonlinear Unknown Input Observers (UIOs) is used to identify the faulty thruster group that produces similar torques. In parallel to this, the fixed thruster force directions are compared with the residual generated by the fault detector. Subsequently, an isolation logic is used to make the final decision about the faulty thruster index.

3.1 Robust residual generator design
The proposed fault detector design is based on the relative position model of the chaser and target expressed in the local (target) frame $\mathcal{F}_l = \{O_l; \hat{x}_l, \hat{y}_l, \hat{z}_l\}$. The interested reader can find further details on modeling the relative dynamics of two spacecraft in the available space literature, see for instance Schaub and Junkins [2009]. Let $a$, $m$, $G$, $\theta$ and $m_M$ denote the orbit of the target, the mass of the chaser during rendezvous, the Mars gravitational constant, true anomaly and the mass of the planet. When the orbit of the rendezvous is circular, the velocity of the chaser and the target is given by the relation $a\dot{\theta} = \sqrt{\mu/a}$ where $\mu = G m_M$. From Kepler's third law it follows:

$$a\dot{\theta} = \sqrt{\mu/a} = \text{const.} \qquad n = \sqrt{\mu/a^3} \tag{11}$$

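During the rendezvous phase, it is assumed that the chaser motion is due to the four following forces, all given in $\mathcal{F}_l$:

the Mars attraction force $F_a = -\dfrac{m\mu}{\left((a+x)^2+y^2+z^2\right)^{3/2}}\left((a+x)\hat{x}_l + y\hat{y}_l + z\hat{z}_l\right)$;
the centripetal force $F_e = m\left(n^2 x\,\hat{x}_l + n^2 y\,\hat{y}_l + 0\,\hat{z}_l\right)$;
the Coriolis force $F_c = m\left(2n\dot{y}\,\hat{x}_l - 2n\dot{x}\,\hat{y}_l + 0\,\hat{z}_l\right)$;
and the non-gravitational (chemical thrust, perturbations) forces $F_d = F_{dx}\hat{x}_l + F_{dy}\hat{y}_l + F_{dz}\hat{z}_l$.

Then, from Newton's second law, it follows

$$\ddot{x} = n^2(a+x) - \mu(a+x)\left((a+x)^2+y^2+z^2\right)^{-3/2} + 2n\dot{y} + m^{-1}F_{dx}$$
$$\ddot{y} = n^2 y - 2n\dot{x} - \mu y\left((a+x)^2+y^2+z^2\right)^{-3/2} + m^{-1}F_{dy}$$
$$\ddot{z} = -\mu z\left((a+x)^2+y^2+z^2\right)^{-3/2} + m^{-1}F_{dz}$$

where $x, y, z$ denote the elements of the three dimensional relative position vector of the chaser and target in $\mathcal{R}_l$.
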
Because the distance between the target and the chaser during the rendezvous phase is much smaller than the orbit, it is possible to derive the so called Hill-Clohessy-Wiltshire (HCW) equations by means of a first order approximation. Hence, it follows a linear 6th order state space model with state vector $x_p = [x\; y\; z\; \dot{x}\; \dot{y}\; \dot{z}]^T$ modelling the chaser relative motion expressed in $\mathcal{F}_l$, both in fault free (i.e. $\Psi = 0$) and faulty (i.e. $\Psi \neq 0$) situations, i.e.

$$\dot{x}_p(t) = A_p x_p(t) + B_p R(\hat{q}_t(t), \hat{q}_c(t))\, B_F\, u_f(t-\tau(t)) \tag{12}$$
$$y_p(t) = C_p x_p(t) \tag{13}$$

where the rotation matrix $R(\hat{q}_t, \hat{q}_c)$ is calculated from the quaternion estimates of the chaser $\hat{q}_c \in \mathbb{H}$ and target $\hat{q}_t \in \mathbb{H}$ attitude, and rotates the force vector from $\mathcal{F}_b$ into $\mathcal{F}_l$. These estimates come from the navigation. The output vector $y_p = [x\; y\; z]^T$ is the relative position in $\mathcal{F}_l$ measured by a Light Detection and Ranging (LIDAR) device.

The position model given by (12) and (13) is well known and mastered for control, but rarely used for FDI purposes. The advantage is that this model takes into account both the rotational $q_c$ and translational $x$ motions of the chaser. Thus, effects that faults have on both the chaser attitude and translation are considered. Furthermore, this model is naturally robust against model uncertainties, such as CoM and inertia, whilst the attitude model is not. In Fonod et al. [2013a], a sensitivity/robustness analysis campaign was performed showing high reliability and efficiency (in terms of detection times) of a fault detector based on a position model in $\mathcal{F}_l$. Here, an observer-based fault detector is designed that has enhanced robustness to the time-varying delay $\tau(t)$ introduced in (1). This observer exploits the position model given by (12) and (13) to generate the state estimate $\hat{x}_p$ used to produce the residual signal $r = [r_1, r_2, r_3]^T$ of the following form:

$$r(t) = Q\left(y_p(t) - C_p\hat{x}_p(t)\right) \tag{14}$$

where $Q$ is a weighting matrix. The design of (14) is based on theoretical developments given in Fonod et al. [2013b].

3.2 Decision test: fault detection
The proposed decision test is motivated by the scalar valued Generalized Likelihood Ratio (GLR) test given in Ding [2008], i.e.

$$S_i(k) = N_d \ln(\sigma_i) - \frac{N_d}{2}\left(1 + \ln\left(\hat{\sigma}_i^2(k)\right) - \frac{\hat{\sigma}_i^2(k)}{\sigma_i^2}\right) \tag{15}$$

$$\hat{\sigma}_i^2(k) = \frac{1}{N_d}\sum_{j=k-N_d+1}^{k} r_i^2(j) \tag{16}$$

where $r_i(k)$ is the $i$th element of the residual $r(k)$ evaluated at time instant $t = kT_s$, $k = 0, 1, 2, \ldots$, where $T_s$ is the navigation sampling time, $\sigma_i$ is the (fixed) standard deviation of $r_i$ in fault free situation and $N_d > 1$ represents the detection sliding window due to on-line realization. The proposed decision test $\rho(t)$ is defined by

$$\rho(t) = \begin{cases} 1, & S(k) > J_{th} \;\Rightarrow\; \text{fault declared} \\ 0, & S(k) \le J_{th} \;\Rightarrow\; \text{fault not present} \end{cases} \tag{17}$$

where $J_{th}$ is a fixed threshold selected by the designer and $S(k)$ is given by

$$S(k) = \sum_{j=1}^{3} w_j S_j(k), \qquad \sum_{j=1}^{3} w_j = 1 \tag{18}$$

where $w_j \ge 0$, $j = 1, 2, 3$ are the weight factors used to prioritize certain elements (axis) of the residual.

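
The decision test (15)-(18) can be exercised with the following Python sketch, which is an added example and not code from the paper. It uses the paper's settings $N_d = 10$, $J_{th} = 200$ and $w_j = 1/3$; the residual samples, the fault-free standard deviation of 0.01, the fault level and the choice to hold $\rho = 0$ until the window is full are constructed assumptions.

```python
import math
from collections import deque


def glr_statistic(window, sigma):
    """S_i(k) of eq. (15) for one residual axis over the last N_d samples."""
    n_d = len(window)
    var_hat = sum(r * r for r in window) / n_d            # eq. (16)
    var_hat = max(var_hat, 1e-300)                        # guard ln(0) on an all-zero window
    return n_d * math.log(sigma) - 0.5 * n_d * (
        1.0 + math.log(var_hat) - var_hat / sigma ** 2)


class GlrDetector:
    """Weighted sliding-window GLR decision test, eqs. (17)-(18)."""

    def __init__(self, sigmas, weights=(1 / 3, 1 / 3, 1 / 3), n_d=10, j_th=200.0):
        if n_d <= 1:
            raise ValueError("N_d must be greater than 1")
        if any(w < 0 for w in weights) or abs(sum(weights) - 1.0) > 1e-9:
            raise ValueError("weights must be non-negative and sum to 1")
        self.sigmas, self.weights = tuple(sigmas), tuple(weights)
        self.n_d, self.j_th = n_d, j_th
        self.windows = [deque(maxlen=n_d) for _ in self.sigmas]

    def update(self, r):
        """Feed one residual sample r(k); return (rho, S(k))."""
        for win, r_i in zip(self.windows, r):
            win.append(r_i)
        if len(self.windows[0]) < self.n_d:
            return 0, 0.0                                 # assumption: no decision until window is full
        s = sum(w * glr_statistic(win, sg)
                for w, win, sg in zip(self.weights, self.windows, self.sigmas))
        return (1 if s > self.j_th else 0), s


def constructed_residuals(k_fault=50, n=80, sigma=0.01, fault_level=0.2):
    """Constructed data: +/- sigma on every axis, then a step on axis 1 from k_fault."""
    samples = []
    for k in range(n):
        sign = 1.0 if k % 2 == 0 else -1.0
        r = [sign * sigma, -sign * sigma, sign * sigma]
        if k >= k_fault:
            r[0] = fault_level                            # residual deviation caused by the fault
        samples.append(tuple(r))
    return samples


def first_alarm(residuals, detector):
    """Index k of the first sample with rho = 1, or None if no fault is declared."""
    for k, r in enumerate(residuals):
        rho, _ = detector.update(r)
        if rho:
            return k
    return None


if __name__ == "__main__":
    TS = 0.1                                              # navigation sampling time from the paper
    k_alarm = first_alarm(constructed_residuals(), GlrDetector(sigmas=(0.01, 0.01, 0.01)))
    print("fault declared at sample", k_alarm, "delay [s]:", (k_alarm - 50) * TS)
```

With a single faulty axis weighted by 1/3, the statistic crosses the threshold only once four of the ten samples in the window carry the fault, which shows how $N_d$, $w_j$ and $J_{th}$ together set the detection delay.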
3.3 Nonlinear unknown input observer
We will briefly state the main results obtained in Chen and Saif [2006]. Consider the following nonlinear system

$$\dot{x}(t) = Ax(t) + Bu(t) + f(x(t)) + Ed(t) \tag{19}$$
$$y(t) = Cx(t) \tag{20}$$

where $x \in \mathbb{R}^n$ stands for the state vector, $y \in \mathbb{R}^m$ is the output, $u \in \mathbb{R}^r$ is the input, $d \in \mathbb{R}^q$ is the unknown input (disturbance) vector, and $f(x) \in \mathbb{R}^n$ is a known nonlinear vector function of $x$ satisfying:

$$\|f(x_1) - f(x_2)\| \le \kappa\|x_1 - x_2\|, \qquad \forall x_1, x_2 \in \mathbb{R}^n \tag{21}$$

where $\kappa > 0$ stands for the Lipschitz constant.

The goal is to design an asymptotically converging state observer to estimate $x$ in the presence of an unknown input $d$. A nonlinear UIO for the system (19)-(20) achieving this goal has the following structure

$$\dot{z}(t) = Nz(t) + Gu(t) + Ly(t) + Mf(\hat{x}(t)) \tag{22}$$
$$\hat{x}(t) = z(t) - Hy(t) \tag{23}$$

where $\hat{x} \in \mathbb{R}^n$ is an estimate of $x$, $z \in \mathbb{R}^n$ is an auxiliary signal and the matrices $N$, $G$, $L$, $M$ are designed as in Chen and Saif [2006]:

$$N = MA - KC, \qquad G = MB \tag{24}$$
$$L = K(I + CH) - MAH \tag{25}$$
$$M = I + HC \tag{26}$$

$K$ and $H$ being designed subsequently.

Without loss of generality, it is assumed that $E$ is of full column rank. The necessary condition for $HCE = -E$ to have a solution is that $CE$ is also of full column rank, and the solution is given in a generalized form by

$$H = U + YV \tag{27}$$

where $Y$ can be chosen arbitrarily, and $U$ and $V$ are given by

$$U = -E(CE)^+, \qquad V = I + (CE)(CE)^+ \tag{28}$$

and $(CE)^+$ denotes the generalized pseudo-inverse of the matrix $CE$ given by $(CE)^+ = ((CE)^T(CE))^{-1}(CE)^T$.

Theorem 1. (Chen and Saif [2006]). Assume that $CE$ is of full column rank and that the following Linear Matrix Inequality (LMI)

$$\begin{bmatrix} X & X_{12} \\ X_{12}^T & -I \end{bmatrix} < 0 \tag{29}$$

where $X$ and $X_{12}$ are defined as

$$X = [(I+UC)A]^T P + P(I+UC)A - C^T\bar{K}^T - \bar{K}C + (VCA)^T\bar{Y}^T + \bar{Y}(VCA) + \kappa I$$
$$X_{12} = \sqrt{\kappa}\,[P(I+UC) + \bar{Y}(VC)]$$

has a feasible solution for $\bar{Y}$, $\bar{K}$ and $P = P^T > 0$. Then the nonlinear UIO given by (22) and (23) can be designed with $Y = P^{-1}\bar{Y}$ and $K = P^{-1}\bar{K}$, making $N$ Hurwitz and the estimation error $e(t) = \hat{x}(t) - x(t)$ tend to zero asymptotically for any initial value of $e(0)$.

Proof. The proof can be found in Chen and Saif [2006].

3.4 Thruster group isolation: a bank of nonlinear UIOs
Recalling the thruster configuration properties given by (5)-(7), we assume that for fault isolation it is easier to obtain explicit information from the angular velocity $\omega \in \mathbb{R}^3$ measurement than from the linear position/velocity. Therefore, the following model of the attitude dynamics of a rigid-body spacecraft in the body-fixed frame $\mathcal{F}_b$

$$J\dot{\omega}(t) = B_T u_f(t) - \omega(t) \times J\omega(t) \tag{30}$$

is used for the design of a bank of UIOs. In (30), $J \in \mathbb{R}^{3\times 3}$ stands for the inertia of the chaser in $\mathcal{F}_b$. A nonlinear UIO, as introduced in section 3.3, has been selected because of its decoupling properties and the ability to take into account nonlinearities of the attitude dynamics.

The attitude model (30) can be represented in the form of (19) and (20) with the following assignment: $x = \omega$, $f(\omega) = -J^{-1}(\omega \times J\omega)$, $A = 0$, $B = J^{-1}B_T$, and $C = I$. One may argue that $f(\omega)$ is not globally Lipschitz, because the Jacobian $\partial f/\partial\omega$ is not uniformly bounded over $\mathbb{R}^3$. However, $f(\omega)$ is continuously differentiable on $\mathbb{R}^3$. Thus, it is locally Lipschitz. This means that the angular velocity shall be bounded in magnitude, which is a reasonable assumption from a practical point of view. Using a constrained optimization algorithm, one can find a Lipschitz constant $\kappa$ over the set $\mathcal{S} = \{\omega \in \mathbb{R}^3 : |\omega_i| \le \bar{\omega}_i,\; i = 1, 2, 3\}$, where $\bar{\omega}_i > 0$ is the upper bound of the angular velocity in the given axis.

For each thruster group $\mathcal{S}_{Ti}$, a dedicated UIO is designed. Each UIO is such that it can fully estimate the angular velocity $\omega$ with all the inputs except those belonging to $\mathcal{S}_{Ti}$, i.e. $u_i$, $i \in \mathcal{S}_{all} \setminus \mathcal{S}_{Ti}$. As a result, the UIO dedicated to the thruster group $\mathcal{S}_{Ti}$ will not be influenced by faults occurring in thrusters that belong to $\mathcal{S}_{Ti}$, while all the other UIOs will be. Based on Theorem 1, the design of a bank of nonlinear UIOs is summarized in Algorithm 1.

The $i$th observer only estimates the angular velocity $\hat{\omega}_i$ of the chaser from the measurement $\omega$. Therefore, the computational burden is reduced since there is no need to process the entire state vector (i.e. the linear position/velocity and attitude in addition). For real-time reasons, the UIOs are triggered only when $\rho(t)$ indicates that a fault has occurred. Even if only $\omega$ is estimated, keeping the UIOs switched off before the fault is detected seems to be a good strategy, given the nonlinear nature of the observer.

Algorithm 1 Bank of nonlinear UIO design
  Find a Lipschitz constant $\kappa$ satisfying (21);
  for $k = 1$ to $5$ do
    Construct $B_k$ whose columns are $b_{Ti}$, $\forall i \in \mathcal{S}_{all} \setminus \mathcal{S}_{Tk}$;
    Set $E = b_{Ti}$ for any arbitrary $i \in \mathcal{S}_{Tk}$ and $B = B_k$;
    Compute $U$ and $V$ according to (28);
    Solve the LMI defined by (29) for $\bar{Y}$, $\bar{K}$ and $P = P^T > 0$;
    Let $Y = P^{-1}\bar{Y}$ and $K = P^{-1}\bar{K}$;
    Using $Y$ and $K$, the $k$th UIO gains are given by (24)-(27);
  end for

Let $t_d$ denote the fault detection time, i.e. the time when the fault is declared by $\rho(t)$, and $\mathcal{D} = \{1, 2, \ldots, 5\}$ the set of all indices linked with the thruster groups $\mathcal{S}_{T1}, \ldots, \mathcal{S}_{T5}$. Each observer is initialized with the (known) measurement at time $t_d$, i.e. $\hat{\omega}_i(t_d) = \omega(t_d)$, $\forall i \in \mathcal{D}$. By this, all observers have zero initial estimation error. Hence, the observer initial convergence (transient phase) problem is avoided. Defining the angular velocity estimation error of the $i$th observer as $e_i(t) = \hat{\omega}_i(t) - \omega(t)$, the faulty thruster group $\mathcal{S}_{Ti}$ is identified based on the following rule

$$\sigma_g(t) = \arg\min_{i \in \mathcal{D}} \|e_i(t)\|, \qquad t > t_d \tag{31}$$

where $\sigma_g(t) : \mathbb{R}_+ \to \mathcal{D}$ represents the identified thruster group index that is most likely affected by a fault.

Remark 1. It is assumed that the time-varying delay (1) has no big effect on the isolation performance. Therefore, $\tau(t)$ is not considered in (30). Furthermore, the isolation process is triggered by the decision test $\rho(t)$ which already has enhanced robustness to $\tau(t)$.

3.5 Isolation logic
Once the thruster group $\mathcal{S}_{Ti}$ is identified by $\sigma_g$, the faulty thruster can be easily isolated by examining the angle of the vector $r$ given by (14) along the force directions $b_{Fi}$, $i \in \mathcal{S}_{Ti}$. When the $i$th thruster is faulty, the vectors $r$ and $b_{Fi}$ should be collinear. The degree of collinearity can be computed using the direction cosine approach: $\cos(\theta_i(t)) = b_{Fi}^T r(t) / (\|b_{Fi}\|\,\|r(t)\|)$, where $\theta_i$ is the angle between the vectors $r$ and $b_{Fi}$. If $r$ and $b_{Fi}$ are collinear, then $\cos(\theta_i) = 1$ (and the angle between the two vectors $\theta_i = 0$). Thus, the following isolation logic

$$\sigma(t) = \arg\max_{j \in \mathcal{S}_{Ti}} \frac{b_{Fj}^T r(t)}{\|b_{Fj}\|\,\|r(t)\|} \tag{32}$$

results in the thruster index matching the faulty thruster. This isolation logic has to clearly indicate which actuator is faulty. Therefore, only thrusters belonging to the (already) identified group $\mathcal{S}_{Ti}$ are tested in (32). Since the force directions within the groups $\mathcal{S}_{Ti}$, $i \in \mathcal{D}$ are either exactly opposite, see (6), or orthogonal, see (7), the isolation logic $\sigma(t) : \mathbb{R}_+ \times \mathcal{D} \to \mathcal{S}_{all}$ is very reliable.

To avoid initial transition phenomena and to ensure robustness, we introduce two confirmation windows: $\delta_g > 0$ for $\sigma_g(t)$ and $\delta > 0$ for $\sigma(t)$. The whole fault detection and isolation strategy is summarised in Algorithm 2.

Algorithm 2 Thruster fault detection and isolation
  if $\rho(t) = 1$ then
    Decision = Declare a fault presence and run the UIOs;
    if $\sigma_g(t) = \sigma_g(\nu)$, $\forall \nu \in (t - \delta_g, t]$ then
      Decision = The faulty thruster group $\mathcal{S}_{Ti}$ is identified;
      if $\sigma(t) = \sigma(\nu)$, $\forall \nu \in (t - \delta, t]$ then
        Decision = Declare the $i$th $= \sigma(t)$ thruster to be faulty
  end all if

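
The isolation stage of Algorithm 2, i.e. the group rule (31), the direction-cosine rule (32) and the two confirmation windows, is sketched below in Python as an added example that is not code from the paper. The thruster force directions, the UIO error norms and the residual samples are constructed (the paper gives no numeric geometry); the residual is assumed to be expressed in the same frame as $b_{Fj}$, and the windows are converted to sample counts $\delta/T_s$.

```python
import math

# Thruster groups with similar torque directions, eq. (5) of the paper.
GROUPS = {1: (1, 11), 2: (2, 10), 3: (4, 8), 4: (5, 7), 5: (3, 6, 9, 12)}
F_N = 22.0  # maximum thrust per thruster [N], as stated in the paper

# CONSTRUCTED unit directions (not the real MSR geometry). They only reproduce
# the properties the logic relies on: opposite pairs (6) and b_F3 . b_F6 = 0 (7).
_DIRS = {1: (1.0, 0.0, 0.0), 2: (0.0, 1.0, 0.0), 4: (0.0, 0.0, 1.0),
         5: (0.6, 0.8, 0.0), 3: (0.0, 0.6, 0.8), 6: (0.0, 0.8, -0.6)}
_OPPOSITE_OF = {11: 1, 10: 2, 8: 4, 7: 5, 12: 3, 9: 6}
B_F = {i: tuple(F_N * c for c in d) for i, d in _DIRS.items()}
B_F.update({j: tuple(-c for c in B_F[i]) for j, i in _OPPOSITE_OF.items()})


def direction_cosine(b, r):
    """cos(theta) between a force direction b and the residual r."""
    nb = math.sqrt(sum(c * c for c in b))
    nr = math.sqrt(sum(c * c for c in r))
    if nb == 0.0 or nr == 0.0:
        return 0.0                      # undefined angle: treat as "not collinear"
    return sum(x * y for x, y in zip(b, r)) / (nb * nr)


def confirmed(history, n):
    """True when the last n decisions exist and are identical (window (t - delta, t])."""
    return len(history) >= n and len(set(history[-n:])) == 1


def isolate(err_norms, residuals, ts=0.1, delta_g=0.5, delta=0.5):
    """Run the isolation part of Algorithm 2 on samples taken after detection.

    err_norms[k] holds ||e_i|| for UIO 1..5, residuals[k] is r at the same sample.
    """
    n_g, n = round(delta_g / ts), round(delta / ts)
    g_hist, s_hist = [], []
    group = k_group = None
    for k, (e, r) in enumerate(zip(err_norms, residuals)):
        g_hist.append(min(GROUPS, key=lambda i: e[i - 1]))           # eq. (31)
        if not confirmed(g_hist, n_g):
            group, k_group, s_hist = None, None, []                  # group not (or no longer) confirmed
            continue
        if group != g_hist[-1]:
            group, k_group, s_hist = g_hist[-1], k, []               # newly confirmed group
        s_hist.append(max(GROUPS[group],
                          key=lambda j: direction_cosine(B_F[j], r)))  # eq. (32)
        if confirmed(s_hist, n):
            return {"group": group, "thruster": s_hist[-1],
                    "k_group": k_group, "k_isolated": k}
    return {"group": group, "thruster": None, "k_group": k_group, "k_isolated": None}


def constructed_scenario(n=12):
    """Constructed samples for a fault in thruster 3 (group 5), scaled units."""
    errs, res = [], []
    for k in range(n):
        # UIO 5 is decoupled from group 5, so its error stays small; others grow.
        errs.append((1.0 + 0.5 * k, 0.4 + 0.6 * k, 0.8 + 0.5 * k, 0.7 + 0.6 * k, 0.5))
        if k <= 5:
            res.append((0.01, 0.08, -0.05))        # transient: points closer to b_F6
        else:
            wobble = 0.01 if k % 2 == 0 else -0.01
            res.append((wobble, 0.06, 0.08))       # settles along b_F3
    return errs, res


if __name__ == "__main__":
    print(isolate(*constructed_scenario()))
```

In this constructed run the first group decision is wrong and the first thruster decision points at thruster 6; both are rejected by the confirmation windows before thruster 3 is declared.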
4. FAULT ACCOMMODATION
In the investigated thruster configuration, an additional freedom is available to achieve fault tolerance. Particularly, it means that it is possible to achieve admissible GNC performance even if only $N-1$ (healthy) thrusters are used to control the spacecraft. The nominal 6DOF control law is designed based on certain predetermined performance criteria. Hence, after the fault occurrence, it is desirable to keep the nominal controller in the loop and perform the fault accommodation on the control allocation level which can counteract the effect of the fault in a simple manner.

Fig. 1. Principal accommodation scheme for thruster faults
Figure 1 illustrates the proposed Fault Detection, Isolation and Accommodation (FDI-A) scheme implemented within the GNC system. The FDI-A strategy works as follows: as soon as the faulty thruster index is clearly isolated by Algorithm 2, the faulty thruster is switched off using a dedicated thruster latch valve and the desired forces and torques are re-allocated among the remaining $N-1$ healthy thrusters. Here, the quadratic programming approach, also known as $l_2$-optimal control allocation, is used. This problem is posed as the following Sequential Least-Squares (SLS) problem:

$$u^* = \arg\min_{u \in \mathcal{M}} \|W_u(u - u_d)\| \tag{33}$$
$$\mathcal{M} = \arg\min_{0 \le u \le \bar{u}} \|W_v(B_a u - v_d)\| \tag{34}$$

where $B_a^T = [B_F^T \; B_T^T]$ is the overall configuration matrix, $v_d$ is the augmented vector of the desired forces and torques, and $\bar{u} = [\bar{u}_1, \ldots, \bar{u}_{12}]^T$ are the upper limits defined as: $\bar{u}_i = 1$, $\forall i \in \mathcal{S}_{all} \setminus \sigma(t)$ and $\bar{u}_i = 0$, $i = \sigma(t)$. This optimization problem should be understood as follows: given $\mathcal{M}$, the set of feasible control inputs minimizing $B_a u - v_d$ (weighted by $W_v$), pick the control input that minimizes $u - u_d$ (weighted by $W_u$). Here, $u_d$ is the desired control input and $W_u$ and $W_v$ are nonsingular weighting matrices. $W_u$ affects the control distribution among the thrusters and $W_v$ affects the prioritization among force/torque components when $B_a u = v_d$ cannot be attained due to, e.g. thruster constraints. A faster algorithm can be obtained by approximating the SLS formulation as a Weighted Least-Squares (WLS) problem:

$$\min \|W_u(u - u_d)\|^2 + \gamma\|W_v(B_a u - v_d)\|^2 \quad \text{subj. to } 0 \le u \le \bar{u} \tag{35}$$

As $\gamma \to \infty$, the two formulations have the same optimal solution $u^*$. The cost function (35) may be re-written as

$$\|W_u(u - u_d)\|^2 + \gamma\|W_v(B_a u - v_d)\|^2 = \left\| \underbrace{\begin{bmatrix} \sqrt{\gamma}\,W_v B_a \\ W_u \end{bmatrix}}_{A} u - \underbrace{\begin{bmatrix} \sqrt{\gamma}\,W_v v_d \\ W_u u_d \end{bmatrix}}_{b} \right\|^2 \tag{36}$$

allowing the minimization problem to be formulated as

$$\min \|Au - b\|^2, \quad \text{subj. to } 0 \le u \le \bar{u} \tag{37}$$

which can be solved using an active set algorithm, see Härkegård [2002] for implementation details. This algorithm determines the optimal solution in a finite number of iterations. The maximum number of iterations $N_{ca}$ can be considered to reflect the maximum computation time available.

5. SIMULATION RESULTS
The FDI-A scheme described in the previous sections is implemented within the MSR "high-fidelity" industrial simulator. Following the design steps given in Algorithm 1, a bank of 5 nonlinear observers was designed with $\kappa = 0.2$. The WLS control allocation algorithm presented in section 4 was implemented using $W_v = I$, $W_u = I$, $u_d = 0$, $N_{ca} = 100$, and $\gamma = 100$. The remaining design parameters were chosen as follows: $Q = I$, $N_d = 10$, $J_{th} = 200$, $T_s = 0.1$, $w_i = 1/3$, $\forall i \in \{1, 2, 3\}$, $\delta_g = 0.5$, and $\delta = 0.5$.

The simulation examples are all carried out during the last 20 m of the rendezvous phase. The navigation unit is assumed to be decoupled from thruster faults, but providing noisy estimates. We also assume delays induced by the CPDE device, uncertainties on thruster rise times, uncertain mass, inertia, CoM (thus uncertain $B_T$) and spatial disturbances (i.e. gravity gradient, atmospheric drag, and solar radiation pressure).

Fig. 2. MSR rendezvous corridor
The first fault scenario corresponds to a fully open thruster fault (the thruster provides maximum thrust regardless of the control signal) occurring at $t_f = 1100$ s and affecting thruster No. 7. To emphasize the relevance of the engagement of the proposed scheme into the GNC system, two identical simulations are carried out: first with the FDI-A scheme active (FDI-A on), and second with it inactive (FDI-A off). Figure 2 clearly illustrates the consequence when the fault is not accommodated, i.e. the chaser misses the target and the mission is lost. On the other hand, when the proposed approach is active, the chaser maintains its nominal trajectory, i.e. stays inside the rendezvous corridor, and the MSR capture requirements are met, see Fig. 3. Furthermore, it can be inferred from Fig. 2 that the chaser keeps its attitude pointing towards the target. Hence, the target remains visible from the rendezvous sensors.

[Figure 3 plots. Axes: chaser spacecraft Y axis and Z axis; lateral Y velocity and lateral Z velocity; longitudinal X velocity. Legends: misalignment requirement, basket aperture, target center (FDI-A on / FDI-A off); velocity requirement, target velocity (FDI-A on / FDI-A off); nominal velocity, out of requirement (3 sigma).]
Fig. 3. MSR capture performance: position misalignment
on +X face (top left), lateral velocity (top right) and
longitudinal velocity (bottom) requirements
[Figure 4 plots, time axis in seconds. Panels: residual signal of the fault detector r(t); estimation errors of UIO 1 to UIO 5, ||ω̂_i − ω||; GLR decision test ρ(t); faulty thruster group isolation σg(t) with confirmation window δg; direction cosines cos(θi) for ST5 (thrusters 3, 6, 9, 12); identified faulty thruster index σ(t) with confirmation window δ. Annotations: fault detected within 1.2 s; group confirmed within 0.8 s; thruster clearly isolated.]
Fig. 4. Fault detection and isolation algorithm behaviour
Figure 4 aims to illustrate the time behaviour of the FDI algorithm for the second fault scenario, which corresponds to a leaking thruster of size $m_{leak} = 15\%$ affecting thruster No. 3 from $t_f = 1100$ s. This fault is maintained during the whole length of the simulation and is not accommodated. The fault presence is declared at $t_d = 1101.2$ s and the faulty thruster index is clearly isolated at $t_i = 1102.5$ s. As can be seen from Fig. 4, despite the small leakage size, external disturbances and uncertainties, the right thruster index was isolated in a reasonable time.

6. CONCLUSIONS
In this paper, a method to unambiguously detect, isolate and accommodate a single "open-type" thruster fault of an autonomous spacecraft has been studied. The method differs from the usual solutions by the use of two observers, one for detection and one for thruster group isolation. Time delays induced by the propulsion drive electronics and uncertainties on thruster rise times have been considered on the detection level. Finally, when a thruster is clearly isolated, the faulty thruster is turned off and the remaining $N-1$ healthy thrusters are used. This achieves fault accommodation without any change in the nominal controller (GNC system), and without requiring any redundant thruster set or any additional valve position sensor. This is in contrast to the classical FDIR approach used in satellite systems, where fault isolation is not always possible.

REFERENCES
M. Blanke, M. Kinnaert, J. Lunze, and M. Staroswiecki.
Diagnosis and Fault-Tolerant Control. Springer, 2006.
W. Chen and M. Saif. Unknown input observer design
for a class of nonlinear systems: an LMI approach. In
Proc. of American Control Conference, pages 834–838,
Minneapolis, USA, 2006.
W. Chen and M. Saif. Observer-based fault diagnosis
of satellite systems subject to time-varying thruster
faults. Journal of Dynamic Systems, Measurement and
Control, 129(3):352–356, 2007.
S.X. Ding. Model-based fault diagnosis techniques: design
schemes, algorithms, and tools. Springer Verlag, 2008.
A. Falcoz, F. Boquet, M. Dinh, B. Polle, G. Flandin, and
E. Bornschlegl. Robust fault diagnosis strategies for
spacecraft application to LISA pathfinder experiment.
In Proc. of IFAC Symposium on Automatic Control in
Aerospace, pages 404–409, 2010.
R. Fonod, D. Henry, E. Bornschlegl, and C. Charbonnel.
Robust fault detection for systems with electronic induced
delays: Application to the rendezvous phase of the
MSR mission. In Proc. of European Control Conference,
pages 1439–1444, Zürich, Switzerland, 2013a.
R. Fonod, D. Henry, C. Charbonnel, and E. Bornschlegl.
Robust thruster fault diagnosis: Application to the rendezvous
phase of the Mars Sample Return mission. In
Proc. of CEAS Specialist Conference on Guidance, Navigation
and Control, pages 1496–1510, Delft, NL, 2013b.
O. Härkegård. Efficient active set algorithms for solving
constrained least squares problems in aircraft control
allocation. In Proc. of Conference on Decision and
Control, pages 1295–1300, Las Vegas, NV, 2002.
D. Henry. Fault diagnosis of microscope satellite thrusters
using H∞/H− filters. Journal of Guidance, Control, and
Dynamics, 31(3):699–711, 2008.
X. Olive. FDI(R) for satellites: How to deal with high
availability and robustness in the space domain?
International Journal of Applied Mathematics and Computer
Science, 22(1):99–107, 2012.
R. Patton, F. Uppal, S. Simani, and B. Polle. Robust FDI
applied to thruster faults of a satellite system. Control
Engineering Practice, 18(9):1093–1109, 2010.
A. Posch, A.O. Schwientek, J. Sommer, and W. Fichter.
Model-based on-board realtime thruster fault monitoring.
In Proc. of IFAC Symposium on Automatic Control
in Aerospace, pages 553–558, Würzburg, Germany, 2013.
H. Schaub and J.L. Junkins. Analytical Mechanics of Space
Systems. AIAA Education Series, Reston, VA, 2009.
A. Wander and R. Förstner. Innovative fault detection,
isolation and recovery strategies on-board spacecraft:
State of the art and research challenges. In Proc. of
Deutscher Luft- und Raumfahrtkongress, Berlin, 2012.
Y. Zhang and J. Jiang. Bibliographical review on
reconfigurable fault-tolerant control systems. Annual Reviews
in Control, 32(2):229–252, 2008.
A. Zolghadri. Advanced model-based FDIR techniques for
aerospace systems: Today challenges and opportunities.
Progress in Aerospace Sciences, 53(3):18–29, 2012.
19th IFAC World Congress
Cape Town, South Africa. August 24-29, 2014