Content uploaded by Robert Fonod
Author content
All content in this area was uploaded by Robert Fonod on Oct 18, 2017
Content may be subject to copyright.
Thruster Fault Detection, Isolation and
Accommodation for an Autonomous
Spacecraft ⋆
R. Fonod ∗D. Henry ∗E. Bornschlegl ∗∗ C. Charbonnel ∗∗∗
∗Universit´e de Bordeaux, IMS UMR CNRS 5218, Talence, France
{robert.fonod, david.henry}@ims-bordeaux.fr
∗∗ European Space Agency, Noordwijk, The Netherlands
∗∗∗ Thales Alenia Space, Cannes, France
Abstract: The presented work is a result of a research collaboration between European Space
Agency, Thales Alenia Space and IMS Laboratory with the aim of promoting fault-tolerant
control strategies to advance spacecraft autonomy. A multiple observer based scheme is proposed
jointly with an online constrained allocation algorithm to detect, isolate and accommodate
a single thruster fault affecting the propulsion system of an autonomous spacecraft. Robust
residual generator with enhanced robustness to time delays induced by the propulsion drive
electronics and uncertainties on thruster rise times is used for fault detection purposes. A
decision test on the residual of the fault detector triggers a bank of nonlinear unknown input
observers which is in charge of confining the fault to a subset of possible faults. The faulty
thruster isolation is achieved by matching the residual and the thruster force directions using
the direction cosine approach. Finally, the fault is accommodated by redistributing the desired
forces and torques among the remaining (healthy) thrusters and closing the isolated thruster.
Simulation results from the “high-fidelity” industrial simulator, provided by Thales Alenia
Space, demonstrate the fault-tolerance capabilities of the proposed scheme.
1. INTRODUCTION
Space exploration missions require critical autonomous
proximity operations. Mission safety is usually guaran-
teed via hierarchical implementation of Fault/Failure De-
tection, Isolation and Recovery (FDIR) approach (see
for instance Olive [2012], Zolghadri [2012]). Fault detec-
tion and isolation are performed by simple cross checks
between redundant units, limit checking, voting mecha-
nisms, etc. Fixed thresholds are used for quick recogni-
tion of out-of-tolerance conditions. The recovery action
is usually performed by switching to (hot) redundant
units/strings (multiple sensors, actuators, processors, etc)
or/and changing the operation mode to safe mode followed
by ground intervention. Current FDIR techniques used in
space systems are industrially well mastered, but may be
not sufficient in some cases, specially for faulty situations
causing quick and abnormal dynamics deviation in critical
space operations. This is the case of thruster faults during
terminal rendezvous and docking/capture phases, when a
thruster failure could possibly lead to mission loss. Liter-
ature reports (see e.g. Wander and F¨orstner [2012]) that
conventional FDIR methods are suffering from significant
shortcomings, like often missing on-board fault isolation,
increased mass and system complexity due to redundant
equipment, ground intervention is not always possible as
a result of large communication delays or visibility issues.
⋆This research work was supported by European Space Agency
(ESA) and Thales Alenia Space France in frame of ESA’s Network-
ing/Partnering Initiative (NPI) program.
This motivates the European Space Agency (ESA) to
manage studies for the development of fully autonomous
on-board solutions that shall cope with all the possible
faults that may occur and endanger the mission. There-
fore, advanced Fault Detection and Isolation (FDI) ap-
proaches should be specifically developed to safely conju-
gate the necessary robustness/stability of the spacecraft
control, trajectory dynamics and the vehicle nominal per-
formance. Alternatively to redundancy-based FDIR tech-
niques, model-based algorithms may offer a good balance
between advanced strategies and existing physical redun-
dancies that may lead to more efficient health monitoring
and recovery systems based on fewer redundant compo-
nents while providing large fault coverage capabilities.
In this paper, the application concerns the rendezvous
phase of the Mars Sample Return (MSR) mission. The
goal of this mission is to return samples from Mars to
Earth for analysis. Obviously, the rendezvous phase might
be endangered if a thruster fault occurs. As a consequence,
the Guidance, Navigation, and Control (GNC) system may
not fully compensate, for example, spatial disturbances,
and/or may lose attitude, and/or the position of the
sample container (target). This problem becomes highly
critical during the last 20 meters of the rendezvous phase.
During this phase, the chaser spacecraft must be correctly
positioned in the approach corridor to successfully capture
the target as well as the chaser’s attitude need to be
maintained in the rendezvous sensor’ field of view.
Numerous model-based FDI techniques has been studied
in the past decades in the academic community, see Blanke
et al. [2006] and Ding [2008] for good surveys. The still
Proceedings of the 19th World Congress
The International Federation of Automatic Control
Cape Town, South Africa. August 24-29, 2014
978-3-902823-62-5/2014 © IFAC 10543
growing interest of potential applications in aerospace
systems is demonstrated by recent publications, see, for
instance, Chen and Saif [2007], Henry [2008], Patton et al.
[2010], Falcoz et al. [2010], Posch et al. [2013]. In terms
of fault accommodation techniques, the interested reader
shall refer to literature review of Zhang and Jiang [2008].
The method introduced in this paper is sought from an
industrial perspective. The aim is to develop an algo-
rithm which can quickly detect, isolate, and accommodate
single thruster fault in a simple manner and is easily
implementable for a real spacecraft mission. As soon as
a thruster is declared to be faulty by the FDI unit, the as-
sociated (faulty) thruster is closed by a dedicated thruster
latch valve and the remaining (healthy) thrusters are used
to control the spacecraft dynamics. This fault accommoda-
tion strategy is achieved by control re-allocation technique.
By this way, the nominal (in-placed and certified) control
law remains unchanged which is an important condition
seen from an industrial point of view.
2. PROBLEM STATEMENT
The terminal rendezvous control mode corresponds to a 6
Degree of Freedom (DoF) control which ensures the ap-
plication of both commanded force and torque vectors by
means of thrusters only (reaction wheel control is turned
off). The chaser spacecraft is equipped with a chemical
propulsion system composed of N= 12 thrusters 1. The
thrusters are physically organised in four clusters and are
in charge of producing force F∈R3and torque T∈R3
vectors expressed in the chaser body-fixed reference frame
Fb={Ob;ˆ
xb,ˆ
yb,ˆ
zb}. Let Sall ={1,2,...N}denote the
set of all thruster indices. Thrusters have fixed directions
di∈R3,∀i∈ Sall and each one is able to produce a
maximum thrust of FN= 22N.
The Chemical Propulsion Drive Electronics (CPDE), that
drives the thrusting actuators, is initiating the opening of
the thruster valve for the commanded duration 0 ≤ui(t)≤
1,∀i∈ Sall. The propulsion system is obviously a source
of uncertainty in the system. The irrational transfer
H(s) = e−τ(t)s(1)
aims to model the effect of the unknown time-varying
delays τ(t)≥0 induced by the CPDE and the uncertainties
on the thruster rise times. Let ui(t−τ(t)) be the com-
manded open rate of the ith thruster delayed by τ(t), then,
the net forces and torques generated by the thrusters are
F(t) = BFu(t−τ(t)),T(t) = BTu(t−τ(t)) (2)
where u(t) = [u1(t),...,uN(t)]T, and
BF= [ bF1bF2... bFN],BT= [ bT1bT2... bTN](3)
are the sensitivity (configuration) matrices. The columns
of BFand BTare the influence coefficients defining how
each thruster affects each component of F(t) and T(t),
respectivelly, and are defined as follows
bFi=−diFN,bTi= (Ri−RM)×bFi,∀i∈ Sall (4)
where ” ×” denotes the cross product, RM∈R3is
the position vector of the Center of Mass (CoM), and
1The considered thruster configuration in this paper is not a
baseline MSR configuration, but a special one designed by Thales
Alenia Space to study active fault tolerant control principles.
Ri∈R3,∀i∈ Sall are the position vectors of the thrusters,
both expressed in the chaser body-fixed frame Fb.
By analysing the configuration matrices BFand BT
in terms of directional properties, the following can be
concluded: thruster indices inside the sets ST i, i = 1,...,5
have similar torque directions and are defined as
ST1={1,11},ST3={4,8},ST5={3,6,9,12}
ST2={2,10},ST4={5,7},(5)
In terms of force directions, the following is revealed
bF1=−bF11 ,bF4=−bF8,bF3=−bF12
bF2=−bF10 ,bF5=−bF7,bF6=−bF9
(6)
which means that the thruster pairs given by ST i, i =
1,...4 produce exactly opposite forces. The last thruster
group, i.e. ST5, has the following orthogonal property
bF3·bF6= 0,bF9·bF12 = 0 (7)
where ” ·” denotes the dot product. Directional properties
(5)-(7) will be used to derive an explicit isolation strategy.
The considered thruster faults are modeled in a multiplica-
tive way according to (index ”f” outlines the faulty case)
uf(t)= (I−Ψ(t))u(t),Ψ(t) = diag(ψ1(t)...ψN(t)) (8)
where ψimodels the health status of the ith thruster, i.e.
ψi(t) = 0 if fault-free
1−φi(t)/ui(t) if faulty (9)
φiallows to consider different fault scenarios. In this paper,
we deal with the so-called “open-type” thruster faults:
φi(t) = 1 fully open thruster
max{mleak, ui(t)}propellant leakage (10)
where mleak is the magnitude of the leaking thruster.
The two objectives addressed in this paper are:
(1) to quickly detect and isolate a single thruster fault
while ensuring enhanced robustness to (1), and
(2) to accommodate this fault using the remaining N−1
healthy thrusters so that the rendezvous criteria are
met and the nominal controller remains in the loop.
3. FAULT DETECTION AND ISOLATION
The proposed model-based FDI scheme consists of a fault
detector which is in charge of detecting the fault pres-
ence in the system. Once a detection flag is triggered, a
bank of nonlinear Unknown Input Observers (UIOs) is
used to identify the faulty thruster group that produce
similar torques. In parallel to this, the fixed thruster force
directions are compared with the residual generated by the
fault detector. Subsequently, an isolation logic is used to
make the final decision about the faulty thruster index.
3.1 Robust residual generator design
The proposed fault detector design is based on the relative
position model of the chaser and target expressed in the
local (target) frame Fl={Ol;ˆ
xl,ˆ
yl,ˆ
zl}. The interested
reader can found further details on modeling the relative
dynamics of two spacecrafts in the available space litera-
ture, see for instance Schaub and Junkins [2009]. Let a,m,
G,θand mMdenote the orbit of the target, the mass of the
chaser during rendezvous, the Mars gravitational constant,
19th IFAC World Congress
Cape Town, South Africa. August 24-29, 2014
10544
true anomaly and the mass of the planet. When the orbit
of the rendezvous is circular, then the velocity of the chaser
and the target is given by the relation a˙
θ=pµ/a where
µ=GmM. From Kepler’s third law it follows:
a˙
θ=pµ/a = const. ⇒n=pµ/a3(11)
During the rendezvous phase, it is assumed that the chaser
motion is due to the four following forces, all given in Fl:
•the Mars attraction force
Fa=−mµ
((a+x)2+y2+z2)3/2(a+x)ˆ
xl+yˆ
yl+zˆ
zl
•the centripetal force Fe=mn2xˆ
xl+n2yˆ
yl+ 0ˆ
zl;
•the Coriolis force Fc=m(2n˙yˆ
xl−2n˙xˆ
yl+ 0ˆ
zl);
•and the non-gravitational (chemical thrust, perturba-
tions) forces Fd=Fdx ˆ
xl+Fdy ˆ
yl+Fdz ˆ
zl.
Then, from the 2nd Newton law, it follows
¨x=n2(a+x)−µ(a+x)(a+x)2+y2+z2−3/2
+ 2n˙y+m−1Fdx
¨y=n2y−2n˙x−µy(a+x)2+y2+z2−3/2+m−1Fdy
¨z=−µz(a+x)2+y2+z2−3/2+m−1Fdz
where x, y, z denote the elements of the three dimensional
relative position vector of the chaser and target in Rl.
Because the distance between the target and the chaser
during the rendezvous phase is much smaller than the
orbit, it is possible to derive the so called Hill-Clohessy-
Wiltshire (HCW) equations by means of a first order
approximation. Hence, it follows a linear 6th order state
space model with state vector xp= [x y z ˙x˙y˙z]Tmodelling
the chaser relative motion expressed in Fl, both in fault
free (i.e. Ψ=0) and faulty (i.e. Ψ6=0) situations, i.e.
˙
xp(t) = Apxp(t)+BpR(ˆ
qt(t),ˆ
qc(t))BFuf(t−τ(t)) (12)
yp(t) = Cpx(t) (13)
where the rotation matrix R(ˆ
qt,ˆ
qc) is calculated from the
quaternion estimates of the chaser ˆ
qc∈Hand target
ˆ
qt∈Hattitude, and rotates the force vector from Fbinto
Fl. These estimates come from the navigation. The output
vector yp=[x y z ]Tis the relative position in Flmeasured
by a Light Detection and Ranging (LIDAR) device.
The position model given by (12) and (13) is well known
and mastered for control, but rarely used for FDI purposes.
The advantage is that this model takes into account both
the rotational qcand translational xmotions of the chaser.
Thus, effects that faults have on both the chaser attitude
and translation are considered. Furthermore, this model is
naturally robust against the model uncertainties, such as
CoM and inertia, whilst the attitude model not. In Fonod
et al. [2013a], a sensitivity/robustness analysis campaign
was performed showing high reliability and efficiency (in
terms of detection times) of a fault detector based on
a position model in Fl. Here, an observer-based fault
detector is designed that has enhanced robustness to time-
varying delay τ(t) introduced in (1). This observer exploits
the position model given by (12) and (13) to generate
the state estimate ˆ
xpused to produce the residual signal
r= [r1, r2, r3]Tof the following form:
r(t) = Qyp(t)−Cpˆxp(t)(14)
where Qis a weighting matrix. The design of (14) is based
on theoretical developments given in Fonod et al. [2013b].
3.2 Decision test: fault detection
The proposed decision test is motivated by the scalar
valued Generalized Likelihood Ratio (GLR) test given in
Ding [2008], i.e.
Si(k) = Ndln(σi)−Nd
21 + ln(ˆσ2
i(k)) −ˆσ2
i(k)
σ2
i(15)
ˆσ2
i(k) = 1
Nd
k
X
j=k−Nd+1
r2
i(j) (16)
where ri(k) is the ith element of the residual r(k) evaluated
at time instant t=kTs, k = 0,1,2,... where Tsis the navi-
gation sampling time, σiis the (fixed) standard deviation
of riin fault free situation and Nd>1 represents the
detection sliding window due to on-line realization. The
proposed decision test ρ(t) is defined by
ρ(t) = 1, S(k)> Jth ⇒fault declared
0, S(k)≤Jth ⇒fault not present (17)
where Jth is a fixed threshold selected by the designer and
S(k) is given by
S(k) =
3
X
j=1
wjSj(k),
3
X
j=1
wj= 1 (18)
where wj≥0, j = 1,2,3 are the weight factors used to
prioritize certain elements (axis) of the residual.
3.3 Nonlinear unknown input observer
We will briefly state the main results obtained in Chen and
Saif [2006]. Considering the following nonlinear system
˙
x(t) = Ax(t) + Bu(t) + f(x(t)) + Ed(t) (19)
y(t) = Cx(t) (20)
where x∈Rnstands for the state vector, y∈Rmis the
output, u∈Rris the input, d∈Rqis the unknown input
(disturbance) vector, and f(x)∈Rnis a known nonlinear
vector function of xsatisfying:
kf(x1)−f(x2)k ≤ κkx1−x2k,∀x1,x2∈Rn(21)
where κ > 0 stands for the Lipschitz constant.
The goal is to design an asymptotically converging state
observer to estimate xin the presence of an unknown input
d. A nonlinear UIO for the system (19)-(20) achieving this
goal has the following structure
˙
z(t) = Nz(t) + Gu(t) + Ly(t) + M f (ˆ
x(t)) (22)
ˆ
x(t) = z(t)−Hy(t) (23)
where ˆ
x∈Rnis an estimate of x,z∈Rnis an auxiliary
signal and the matrices N,G,L,Mare designed as
in Chen and Saif [2006]:
N=MA −KC,G=M B (24)
L=K(I+CH )−M AH (25)
M=I+HC (26)
Kand Hbeing designed subsequently.
Without loss of generality, it is assumed that Eis of full
column rank. The necessary condition for HCE =−Eto
have solution is that CE is also of full column rank and
the solution is given in a generalized form by
H=U+Y V (27)
19th IFAC World Congress
Cape Town, South Africa. August 24-29, 2014
10545
where Ycan be chosen arbitrarily, Uand Vare given by
U=−E(CE )+,V=I+ (C E)(CE)+(28)
and (CE)+denotes the generalized pseudo-inverse of the
matrix CE given by (CE)+= ((CE)T(C E))−1(CE)T.
Theorem 1. (Chen and Saif [2006]). Assume that CE is
of full column rank and that the following Linear Matrix
Inequality (LMI)
X X12
XT
12 −I<0 (29)
where Xand X12 are defined as
X=[(I+U C)A]TP+P(I+U C )A−CT¯
KT
−¯
KC + (V CA)T¯
YT+¯
Y(V CA) + κI
X12 =√κ[P(I+U C) + ¯
Y(V C)]
has a feasible solution for ¯
Y,¯
Kand P=PT>0, then the
nonlinear UIO given by (22) and (23) can be designed with
Y=P−1¯
Y, and K=P−1¯
Kmaking Nbeing Hurwitz
and the estimation error e(t) = ˆ
x(t)−x(t) tending to zero
asymptotically for any initial value of e(0).
Proof. The proof can be found in Chen and Saif [2006].
3.4 Thruster group isolation: a bank of nonlinear UIOs
Recalling the thruster configuration properties given by
(5)-(7), we assume, that for fault isolation it is easier to
obtain explicit information from the angular velocity ω∈
R3measurement than from the linear position/velocity.
Therefore, the below model of the attitude dynamics of a
rigid-body spacecraft in the body-fixed frame Fb
J˙
ω(t) = BTuf(t)−ω(t)×Jω(t) (30)
is used for the design of a bank of UIOs. In (30), J∈R3×3
stands for the inertia of the chaser in Fb. A nonlinear UIO,
as introduced in section 3.3, has been selected because
of its decoupling properties and the ability to take into
account nonlinearities of the attitude dynamics.
The attitude model (30) can be represented in the form
of (19) and (20) with the following assignment: x=ω,
f(ω) = −J−1ω×Jω,A=0,B=J−1BT, and
C=I. One may argue that f(ω) is not globally Lipschitz,
because the Jacobian ∂f/∂ωis not uniformly bounded
over R3. However, f(ω) is continuously differentiable on
R3. Thus, it is locally Lipschitz. This means that the
angular velocity shall be bounded in magnitude which is
a reasonable assumption from a practical point of view.
Using a constrained optimization algorithm, one can find
a Lipschitz constant κover the set S={ω∈R3:|ωi| ≤
¯ωi, i = 1,2,3}, where ¯ωi>0 is the upper bound of the
angular velocity in the given axis.
For each thruster group ST i, a dedicated UIO is designed.
Each UIO is such that it can fully estimate the angular
velocity ωwith all the inputs except those belonging to
ST i, i.e. ui, i ∈ Sall \ST i. As a result, the UIO dedicated
to the thruster group ST i will not be influenced by faults
occurring in thrusters that belong to ST i , while all the
other UIOs will be. Based on Theorem 1, the design of a
bank of nonlinear UIOs is summarized in Algorithm 1.
The ith observer only estimates the angular velocity ˆ
ωiof
the chaser from the measurement ω. Therefore, the compu-
tational burden is reduced since there is no need to process
Algorithm 1 Bank of nonlinear UIO design
Find a Lipschitz constant κsatisfying (21);
for k= 1 to 5 do
Construct B⋆
kwhose columns are bT i ,∀i∈ Sall\ST k ;
Set E=bT i for any arbitrary i∈ ST k and B=B⋆
k;
Compute Uand Vaccording to (28);
Solve the LMI defined by (29) for ¯
Y,¯
Kand P=PT>0;
Let Y=P−1¯
Yand K=P−1¯
K;
Using Yand K, the kth UIO gains are given by (24)-(27);
end for
the entire state vector (i.e. the linear position/velocity and
attitude in addition). For real-time reasons, the UIOs are
triggered only when ρ(t) indicates that a fault has been
occurred. Even if only ωis estimated, keeping the UIOs
switched off before the fault is detected seems to be a good
strategy, regarding the nonlinear nature of the observer.
Let tddenote the fault detection time, i.e. the time when
the fault is declared by ρ(t), and D={1,2,...5}the set of all
indices linked with the thruster groups ST1, ..., ST5. Each
observer is initialized with the (known) measurement at
time td, i.e. ˆ
ωi(td) = ω(td),∀i∈ D. By this, all observers
have zero initial estimation error. Hence, the observer
initial convergence (transient phase) problem is avoided.
Defining the angular velocity estimation error of the ith
observer as ei(t) = ˆ
ωi(t)−ω(t), then the faulty thruster
group ST i is identified based on the following rule
σg(t) = arg min
i∈D kei(t)k, t > td(31)
where σg(t) : R+→ D represents the identified thruster
group index that is most likely affected by a fault.
Remark 1. It is assumed that the time-varying delay (1)
has no big effect on the isolation performance. Therefore,
τ(t) is not considered in (30). Furthermore, the isolation
process is triggered by the decision test ρ(t) which already
has enhanced robustness to τ(t).
3.5 Isolation logic
Once the thruster group ST i is identified by σg, the faulty
thruster can be easily isolated by examining the angle
of the vector rgiven by (14) along the force directions
bF i, i ∈ ST i. When the ith thruster is faulty, then vectors
rand bF i should be collinear. The degree of collinearity
can be computed using the direction cosine approach:
cos(θi(t)) = bT
F ir(t)/(kbF i kkr(t)k), where θiis the angle
between the vectors rand bF i. If rand bF i are collinear,
then cos(θi) = 1 (and the angle between the two vectors
θi= 0). Thus, the following isolation logic
σ(t) = arg max
j∈ST i
bT
F j r(t)
kbF j kkr(t)k(32)
results in the thruster index matching the faulty thruster.
This isolation logic has to clearly indicate which actuator is
faulty. Therefore, only thrusters belonging to the (already)
identified group ST i are tested in (32). Since the force
directions within the groups ST i, i ∈ D are either exactly
opposite, see (6), or are orthogonal, see (7), it makes the
isolation logic σ(t) : R+× D → Sall very reliable.
To avoid initial transition phenomena and to ensure ro-
bustness, we introduce two confirmation windows δg>0
for σg(t) and δ > 0 for σ(t). The whole fault detection and
isolation strategy is summarised in Algorithm 2.
19th IFAC World Congress
Cape Town, South Africa. August 24-29, 2014
10546
Algorithm 2 Thruster fault detection and isolation
if ρ(t) = 1 then
Decision = Declare a fault presence and run the UIOs;
if σg(t) = σg(ν),∀ν∈(t−δg, t]then
Decision = The faulty thruster group ST i is identified;
if σ(t) = σ(ν),∀ν∈(t−δ, t]then
Decision = Declare the ith =σ(t) thruster to be faulty
end all if
4. FAULT ACCOMMODATION
In the investigated thruster configuration, an additional
freedom is available to achieve fault tolerance. Particularly,
it means that it is possible to achieve admissible GNC
performance even if only N−1 (healthy) thrusters are used
to control the spacecraft. The nominal 6DOF control law
is designed based on certain predetermined performance
criteria. Hence, after the fault occurrence, it is desirable
to keep the nominal controller in the loop and perform the
fault accommodation on the control allocation level which
can counteract the effect of the fault in a simple manner.
Fig. 1. Principal accommodation scheme for thruster faults
Figure 1 illustrates the proposed Fault Detection, Isola-
tion and Accommodation (FDI-A) scheme implemented
within the GNC system. The FDI-A strategy works as
follows: as soon as the faulty thruster index is clearly
isolated by Algorithm 2, the faulty thruster is switched
off using a dedicated thruster latch valve and the desired
forces and torques are re-allocated among the remaining
N−1 healthy thrusters. Here, the quadratic programming
approach, also known as l2-optimal control allocation, is
used. This problem is posed as the following Sequential
Least-Squares (SLS) problem:
u= arg min
u∈M kWu(u−ud)k(33)
M= arg min
0≤u≤¯
ukWv(Bau−vd)k(34)
where BT
a= [BT
FBT
T] is the overall configuration matrix,
vdis the augumented vector of the desired forces and
torques, ¯
u= [¯u1, ..., ¯u12]Tare the upper limits defined
as: ¯ui= 1,∀i∈ Sall\σ(t) and ¯ui= 0, i =σ(t). This
optimization problem should be understood as follows:
given M, the set of feasible control inputs minimizing
Bau−vd(weighted by Wv), pick the control input that
minimize u−ud(weighted by Wu). Here, udis the
desired control input and Wuand Wvare nonsingular
weighting matrices. Wuaffects the control distribution
among the thrusters and Wvaffects the prioritization
among force/torque components when Bau−vdcannot
be attained due to, e.g. thruster constraints. A faster
algorithm can be obtained by approximating the SLS
formulation as a Weighted Least-Squares (WLS) problem:
min kWu(u−ud)k2+γkWv(Bau−vd)k2
subj.to 0≤u≤¯
u(35)
As γ→ ∞, the two formulations have the same optimal
solution u. The cost function (35) may be re-written as
kWu(u−ud)k2+γkWv(Bau−vd)k2
=
√γWvBa
Wu
|{z }
A◦
u−√γWvvd
Wuud
|{z }
b◦
2
(36)
allowing the minimization problem to be formulated as
min kA◦u−b◦k2,subj. to 0≤u≤¯
u(37)
which can be solved using an active set algorithm, see
H¨arkeg˚ard [2002] for implementation details. This algo-
rithm determines the optimal solution in a finite number
of iterations. The max number of iteration Nca can be
considered to reflect the max computation time available.
5. SIMULATION RESULTS
The FDI-A scheme described in the previous sections is im-
plemented within the MSR “high-fidelity” industrial sim-
ulator. Following the design steps given in Algorithm 1, a
bank of 5 nonlinear observers were designed with κ= 0.2.
The WLS control allocation algorithm presented in sec-
tion 4 was implemented using Wv=I,Wu=I,ud=0,
Nca = 100, and γ= 100. The remaining design parameters
were chosen as follows: Q=I,Nd= 10, Jth = 200,
Ts= 0.1, wi= 1/3,∀i∈ {1,2,3},δg= 0.5, and δ= 0.5.
The simulation examples are all carried out during the
last 20m of the rendezvous phase. The navigation unit is
assumed to be decoupled from thruster faults, but provid-
ing noisy estimates. We also assume delays induced by the
CPDE device, uncertainties on thruster rise times, uncer-
tain mass, Inertia, CoM (thus uncertain BT) and spatial
disturbances (i.e. gravity gradient, atmospheric drag, and
solar radiation pressure).
Fig. 2. MSR rendezvous corridor
The first fault scenario corresponds to a fully open thruster
fault (thruster provides maximum thrust regardless of
the control signal) occurring at tf= 1100sand affecting
thruster No.7. To emphasize the relevance of the engage-
ment of the proposed scheme into the GNC system, two
identical simulations are carried out. First, when the FDI-
A scheme is active (FDI-A on), and second, when not
(FDI-A off). Figure 2 clearly illustrates the consequence
when the fault is not accommodated, i.e. chaser miss the
target and the mission is lost. On the other hand, when
the proposed approach is active, the chaser maintains
nominal trajectory, i.e. stays inside the rendezvous corridor
and the MSR capture requirements are met, see Fig.3.
Furthermore, it can be inferred from Fig.2 that the chaser
keeps its attitude pointing towards the target. Hence, the
target remains visible from the rendezvous sensors.
19th IFAC World Congress
Cape Town, South Africa. August 24-29, 2014
10547
Chaser spacecraft Y axis
Chaser spacecraft Z axis
Lateral Y velocity
Lateral Z velocity
Longitudinal X velocity
Misalignment requirement
Basket aperture
Target center (FDI−A on)
Target center (FDI−A off)
Velocity requirement
Target velocity (FDI−A on)
Target velocity (FDI−A off)
Nominal velocity
Out of requirement (3 sigma)
Target velocity (FDI−A on)
Target velocity (FDI−A off)
Fig. 3. MSR capture performance: position misalignment
on +X face (top left), lateral velocity (top right) and
longitudinal velocity (bottom) requirements
0 200 400 600 800 1000 1200 1400
−0.5
0
0.5
r(t)
1100 1102 1104 1106 1108 1110
0
0.5
1x 10−3 Estimation error of UIO 1
||ω1−ω||
1100 1102 1104 1106 1108 1110
0
0.5
1x 10−3 Estimation error of UIO 2
||ω2−ω||
1100 1102 1104 1106 1108 1110
0
0.5
1x 10−3 Estimation error of UIO 3
||ω3−ω||
1100 1102 1104 1106 1108 1110
0
0.5
1x 10−3 Estimation error of UIO 4
||ω4−ω||
1100 1102 1104 1106 1108 1110
0
0.5
1x 10−3 Estimation error of UIO 5
||ω5−ω||
Time (s)
1100 1102 1104 1106 1108 1110
0
0.5
1
GLR decision test
ρ(t)
1100 1102 1104 1106 1108 1110
1
3
5
Faulty thruster group isolation
σg(t)
conf. window δg
1100 1102 1104 1106 1108 1110
−1
0
1
cos(θi)
Direction Cosines for ST5
3 6 9 12
1100 1102 1104 1106 1108 1110
0
3
6
9
12
Time (s)
σ(t)
Identified faulty thruster index
conf. window δ
Residual signal of the fault detector
group confirmed within 0.8s
thruster clearly isolated
fault detected within 1.2s
1000x
Fig. 4. Fault detection and isolation algorithm behaviour
Figure 4 aims to illustrate the time behaviour of the FDI
algorithm for the second fault scenario which corresponds
to a leaking thruster of size mleak = 15% and affecting
thruster No.3 from tf= 1100s. This fault is maintained
during the whole length of the simulation and is not
accommodated. The fault presence is declared at td=
1101.2sand the faulty thruster index clearly isolated at
ti=1102.5s. As it can be seen from Fig.4, despite the small
leakage size, external disturbances and uncertainties, the
right thruster index was isolated in a reasonable time.
6. CONCLUSIONS
In this paper, a method to unambiguously detect, isolate
and accommodate a single “open-type” thruster fault of
an autonomous spacecraft has been studied. The method
differs from the usual solutions by the use of two observers,
one for detection and one for thruster group isolation.
Time delays induced by the propulsion drive electronic and
uncertainties on thruster rise times have been considered
on the detection level. Finally, when a thruster is clearly
isolated, the faulty thruster is turned off and the remaining
N−1 healthy thrusters are used. This makes the fault
accommodation without any change in the nominal con-
troller (GNC system), requiring any redundant thruster
set or any additional valve position sensor. This is in con-
trast to the classical FDIR approach, used in the satellite
systems, where fault isolation is not always possible.
REFERENCES
M. Blanke, M. Kinnaert, J. Lunze, and M. Staroswiecki.
Diagnosis and Fault-Tolerant Control. Springer, 2006.
W. Chen and M. Saif. Unknown input observer design
for a class of nonlinear systems: an LMI approach. In
Proc. of American Control Conference, pages 834–838,
Minneapolis, USA, 2006.
W. Chen and M. Saif. Observer-based fault diagnosis
of satellite systems subject to time-varying thruster
faults. Journal of Dynamic Systems, Measurement and
Control, 129(3):352–356, 2007.
S.X. Ding. Model-based fault diagnosis techniques: design
schemes, algorithms, and tools. Springer Verlag, 2008.
A. Falcoz, F. Boquet, M. Dinh, B. Polle, G. Flandin, and
E. Bornschlegl. Robust fault diagnosis strategies for
spacecraft application to LISA pathfinder experiment.
In Proc. of IFAC Symposium on Automatic Control in
Aerospace, pages 404–409, 2010.
R. Fonod, D. Henry, E. Bornschlegl, and C. Charbonnel.
Robust fault detection for systems with electronic in-
duced delays: Application to the rendezvous phase of the
MSR mission. In Proc. of European Control Conference,
pages 1439–1444, Z¨urich, Switzerland, 2013a.
R. Fonod, D. Henry, C. Charbonnel, and E. Bornschlegl.
Robust thruster fault diagnosis: Application to the ren-
dezvous phase of the Mars Sample Return mission. In
Proc. of CEAS Specialist Conference on Guidance, Nav-
igation and Control, pages 1496–1510, Delft, NL, 2013b.
Ola H¨arkeg˚ard. Efficient active set algorithms for solving
constrained least squares problems in aircraft control
allocation. In Proc. of Conference on Decision and
Control, pages 1295–1300, Las Vegas, NV, 2002.
D. Henry. Fault diagnosis of microscope satellite thrusters
using H∞/H−filters. Journal of Guidance, Control, and
Dynamics, 31(3):699–711, 2008.
X. Olive. FDI(R) for satellites: How to deal with high
availability and robustness in the space domain? Inter-
national Journal of Applied Mathematics and Computer
Science, 22(1):99–107, 2012.
R. Patton, F. Uppal, S. Simani, and B. Polle. Robust FDI
applied to thruster faults of a satellite system. Control
Engineering Practice, 18(9):1093–1109, 2010.
A. Posch, A.O. Schwientek, J. Sommer, and W. Fichter.
Model-based on-board realtime thruster fault monitor-
ing. In Proc. of IFAC Symposium on Automatic Control
in Aerospace, pages 553–558, W¨urzburg, Germany, 2013.
H. Schaub and J.L. Junkins. Analytical Mechanics of Space
Systems. AIAA Education Series, Reston, VA, 2009.
A. Wander and R. F¨orstner. Innovative fault detection,
isolation and recovery strategies on-board spacecraft:
State of the art and research challenges. In Proc. of
Deutscher Luft- und Raumfahrkongress, Berlin, 2012.
Y. Zhang and J. Jiang. Bibliographical review on recon-
figurable fault-tolerant control systems. Annual Reviews
in Control, 32(2):229–252, 2008.
A. Zolghadri. Advanced model-based FDIR techniques for
aerospace systems: Today challenges and opportunities.
Progress in Aerospace Sciences, 53(3):18–29, 2012.
19th IFAC World Congress
Cape Town, South Africa. August 24-29, 2014
10548