Thruster Fault Detection, Isolation and Accommodation for an Autonomous Spacecraft ⋆

R. Fonod ∗, D. Henry ∗, E. Bornschlegl ∗∗, C. Charbonnel ∗∗∗

∗ Université de Bordeaux, IMS UMR CNRS 5218, Talence, France, {robert.fonod, david.henry}@ims-bordeaux.fr

∗∗ European Space Agency, Noordwijk, The Netherlands

∗∗∗ Thales Alenia Space, Cannes, France

Abstract: The presented work is a result of a research collaboration between the European Space Agency, Thales Alenia Space and IMS Laboratory with the aim of promoting fault-tolerant control strategies to advance spacecraft autonomy. A multiple observer based scheme is proposed jointly with an online constrained allocation algorithm to detect, isolate and accommodate a single thruster fault affecting the propulsion system of an autonomous spacecraft. A robust residual generator with enhanced robustness to time delays induced by the propulsion drive electronics and uncertainties on thruster rise times is used for fault detection purposes. A decision test on the residual of the fault detector triggers a bank of nonlinear unknown input observers which is in charge of confining the fault to a subset of possible faults. The faulty thruster isolation is achieved by matching the residual and the thruster force directions using the direction cosine approach. Finally, the fault is accommodated by redistributing the desired forces and torques among the remaining (healthy) thrusters and closing the isolated thruster. Simulation results from the “high-fidelity” industrial simulator, provided by Thales Alenia Space, demonstrate the fault-tolerance capabilities of the proposed scheme.

1. INTRODUCTION

Space exploration missions require critical autonomous proximity operations. Mission safety is usually guaranteed via hierarchical implementation of the Fault/Failure Detection, Isolation and Recovery (FDIR) approach (see for instance Olive [2012], Zolghadri [2012]). Fault detection and isolation are performed by simple cross checks between redundant units, limit checking, voting mechanisms, etc. Fixed thresholds are used for quick recognition of out-of-tolerance conditions. The recovery action is usually performed by switching to (hot) redundant units/strings (multiple sensors, actuators, processors, etc.) and/or changing the operation mode to safe mode followed by ground intervention. Current FDIR techniques used in space systems are industrially well mastered, but may not be sufficient in some cases, especially for faulty situations causing quick and abnormal dynamics deviation in critical space operations. This is the case of thruster faults during terminal rendezvous and docking/capture phases, when a thruster failure could possibly lead to mission loss. The literature reports (see e.g. Wander and Förstner [2012]) that conventional FDIR methods suffer from significant shortcomings, such as often missing on-board fault isolation, increased mass and system complexity due to redundant equipment, and ground intervention that is not always possible as a result of large communication delays or visibility issues.

⋆ This research work was supported by European Space Agency (ESA) and Thales Alenia Space France in frame of ESA’s Networking/Partnering Initiative (NPI) program.

This motivates the European Space Agency (ESA) to manage studies for the development of fully autonomous on-board solutions that shall cope with all the possible faults that may occur and endanger the mission. Therefore, advanced Fault Detection and Isolation (FDI) approaches should be specifically developed to safely conjugate the necessary robustness/stability of the spacecraft control, trajectory dynamics and the vehicle nominal performance. Alternatively to redundancy-based FDIR techniques, model-based algorithms may offer a good balance between advanced strategies and existing physical redundancies that may lead to more efficient health monitoring and recovery systems based on fewer redundant components while providing large fault coverage capabilities.

In this paper, the application concerns the rendezvous phase of the Mars Sample Return (MSR) mission. The goal of this mission is to return samples from Mars to Earth for analysis. Obviously, the rendezvous phase might be endangered if a thruster fault occurs. As a consequence, the Guidance, Navigation, and Control (GNC) system may not fully compensate, for example, spatial disturbances, and/or may lose attitude, and/or the position of the sample container (target). This problem becomes highly critical during the last 20 meters of the rendezvous phase. During this phase, the chaser spacecraft must be correctly positioned in the approach corridor to successfully capture the target, and the chaser’s attitude needs to be maintained in the rendezvous sensor’s field of view.

Numerous model-based FDI techniques have been studied in the past decades in the academic community, see Blanke et al. [2006] and Ding [2008] for good surveys. The still growing interest of potential applications in aerospace systems is demonstrated by recent publications, see, for instance, Chen and Saif [2007], Henry [2008], Patton et al. [2010], Falcoz et al. [2010], Posch et al. [2013]. In terms of fault accommodation techniques, the interested reader shall refer to the literature review of Zhang and Jiang [2008].

Proceedings of the 19th World Congress

The International Federation of Automatic Control

Cape Town, South Africa. August 24-29, 2014

978-3-902823-62-5/2014 © IFAC 10543

The method introduced in this paper is sought from an industrial perspective. The aim is to develop an algorithm which can quickly detect, isolate, and accommodate a single thruster fault in a simple manner and is easily implementable for a real spacecraft mission. As soon as a thruster is declared to be faulty by the FDI unit, the associated (faulty) thruster is closed by a dedicated thruster latch valve and the remaining (healthy) thrusters are used to control the spacecraft dynamics. This fault accommodation strategy is achieved by a control re-allocation technique. In this way, the nominal (in-place and certified) control law remains unchanged, which is an important condition seen from an industrial point of view.

2. PROBLEM STATEMENT

The terminal rendezvous control mode corresponds to a 6 Degree of Freedom (DoF) control which ensures the application of both commanded force and torque vectors by means of thrusters only (reaction wheel control is turned off). The chaser spacecraft is equipped with a chemical propulsion system composed of $N = 12$ thrusters$^1$. The thrusters are physically organised in four clusters and are in charge of producing force $F \in \mathbb{R}^3$ and torque $T \in \mathbb{R}^3$ vectors expressed in the chaser body-fixed reference frame $\mathcal{F}_b = \{O_b; \hat{x}_b, \hat{y}_b, \hat{z}_b\}$. Let $\mathcal{S}_{all} = \{1, 2, \ldots, N\}$ denote the set of all thruster indices. Thrusters have fixed directions $d_i \in \mathbb{R}^3, \forall i \in \mathcal{S}_{all}$ and each one is able to produce a maximum thrust of $F_N = 22\,\mathrm{N}$.

The Chemical Propulsion Drive Electronics (CPDE), which drives the thrusting actuators, initiates the opening of the thruster valve for the commanded duration $0 \le u_i(t) \le 1, \forall i \in \mathcal{S}_{all}$. The propulsion system is obviously a source of uncertainty in the system. The irrational transfer

$$H(s) = e^{-\tau(t)s} \tag{1}$$

aims to model the effect of the unknown time-varying delays $\tau(t) \ge 0$ induced by the CPDE and the uncertainties on the thruster rise times. Let $u_i(t-\tau(t))$ be the commanded open rate of the $i$th thruster delayed by $\tau(t)$, then, the net forces and torques generated by the thrusters are

$$F(t) = B_F u(t-\tau(t)), \quad T(t) = B_T u(t-\tau(t)) \tag{2}$$

where $u(t) = [u_1(t), \ldots, u_N(t)]^T$, and

$$B_F = [\, b_{F_1}\ b_{F_2}\ \ldots\ b_{F_N} \,], \quad B_T = [\, b_{T_1}\ b_{T_2}\ \ldots\ b_{T_N} \,] \tag{3}$$

are the sensitivity (configuration) matrices. The columns of $B_F$ and $B_T$ are the influence coefficients defining how each thruster affects each component of $F(t)$ and $T(t)$, respectively, and are defined as follows

$$b_{F_i} = -d_i F_N, \quad b_{T_i} = (R_i - R_M) \times b_{F_i}, \quad \forall i \in \mathcal{S}_{all} \tag{4}$$

where "×" denotes the cross product, $R_M \in \mathbb{R}^3$ is the position vector of the Center of Mass (CoM), and $R_i \in \mathbb{R}^3, \forall i \in \mathcal{S}_{all}$ are the position vectors of the thrusters, both expressed in the chaser body-fixed frame $\mathcal{F}_b$.

$^1$ The considered thruster configuration in this paper is not a baseline MSR configuration, but a special one designed by Thales Alenia Space to study active fault tolerant control principles.

By analysing the configuration matrices $B_F$ and $B_T$ in terms of directional properties, the following can be concluded: thruster indices inside the sets $\mathcal{S}_{T_i}, i = 1, \ldots, 5$ have similar torque directions and are defined as

$$\mathcal{S}_{T_1} = \{1, 11\}, \quad \mathcal{S}_{T_2} = \{2, 10\}, \quad \mathcal{S}_{T_3} = \{4, 8\}, \quad \mathcal{S}_{T_4} = \{5, 7\}, \quad \mathcal{S}_{T_5} = \{3, 6, 9, 12\} \tag{5}$$

In terms of force directions, the following is revealed

$$b_{F_1} = -b_{F_{11}}, \quad b_{F_2} = -b_{F_{10}}, \quad b_{F_4} = -b_{F_8}, \quad b_{F_5} = -b_{F_7}, \quad b_{F_3} = -b_{F_{12}}, \quad b_{F_6} = -b_{F_9} \tag{6}$$

which means that the thruster pairs given by $\mathcal{S}_{T_i}, i = 1, \ldots, 4$ produce exactly opposite forces. The last thruster group, i.e. $\mathcal{S}_{T_5}$, has the following orthogonal property

$$b_{F_3} \cdot b_{F_6} = 0, \quad b_{F_9} \cdot b_{F_{12}} = 0 \tag{7}$$

where "·" denotes the dot product. Directional properties (5)-(7) will be used to derive an explicit isolation strategy.

The considered thruster faults are modeled in a multiplicative way according to (index "f" outlines the faulty case)

$$u_f(t) = (I - \Psi(t))\,u(t), \quad \Psi(t) = \mathrm{diag}(\psi_1(t), \ldots, \psi_N(t)) \tag{8}$$

where $\psi_i$ models the health status of the $i$th thruster, i.e.

$$\psi_i(t) = \begin{cases} 0 & \text{if fault-free} \\ 1 - \phi_i(t)/u_i(t) & \text{if faulty} \end{cases} \tag{9}$$

$\phi_i$ allows different fault scenarios to be considered. In this paper, we deal with the so-called “open-type” thruster faults:

$$\phi_i(t) = \begin{cases} 1 & \text{fully open thruster} \\ \max\{m_{leak}, u_i(t)\} & \text{propellant leakage} \end{cases} \tag{10}$$

where $m_{leak}$ is the magnitude of the leaking thruster.

The two objectives addressed in this paper are:

(1) to quickly detect and isolate a single thruster fault while ensuring enhanced robustness to (1), and

(2) to accommodate this fault using the remaining $N-1$ healthy thrusters so that the rendezvous criteria are met and the nominal controller remains in the loop.

3. FAULT DETECTION AND ISOLATION

The proposed model-based FDI scheme consists of a fault detector which is in charge of detecting the fault presence in the system. Once a detection flag is triggered, a bank of nonlinear Unknown Input Observers (UIOs) is used to identify the faulty thruster group that produces similar torques. In parallel to this, the fixed thruster force directions are compared with the residual generated by the fault detector. Subsequently, an isolation logic is used to make the final decision about the faulty thruster index.

3.1 Robust residual generator design

The proposed fault detector design is based on the relative position model of the chaser and target expressed in the local (target) frame $\mathcal{F}_l = \{O_l; \hat{x}_l, \hat{y}_l, \hat{z}_l\}$. The interested reader can find further details on modeling the relative dynamics of two spacecraft in the available space literature, see for instance Schaub and Junkins [2009]. Let $a$, $m$, $G$, $\theta$ and $m_M$ denote the orbit of the target, the mass of the chaser during rendezvous, the Mars gravitational constant, true anomaly and the mass of the planet. When the orbit of the rendezvous is circular, then the velocity of the chaser and the target is given by the relation $a\dot{\theta} = \sqrt{\mu/a}$ where $\mu = G m_M$. From Kepler’s third law it follows:

$$a\dot{\theta} = \sqrt{\mu/a} = \text{const.} \;\Rightarrow\; n = \sqrt{\mu/a^3} \tag{11}$$

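During the rendezvous phase, it is assumed that the chaser motion is due to the four following forces, all given in $\mathcal{F}_l$:

• the Mars attraction force $F_a = -\dfrac{m\mu}{\left((a+x)^2+y^2+z^2\right)^{3/2}}\left((a+x)\hat{x}_l + y\hat{y}_l + z\hat{z}_l\right)$;

• the centripetal force $F_e = m\left(n^2 x\,\hat{x}_l + n^2 y\,\hat{y}_l + 0\,\hat{z}_l\right)$;

• the Coriolis force $F_c = m\left(2n\dot{y}\,\hat{x}_l - 2n\dot{x}\,\hat{y}_l + 0\,\hat{z}_l\right)$;

• and the non-gravitational (chemical thrust, perturbations) forces $F_d = F_{dx}\hat{x}_l + F_{dy}\hat{y}_l + F_{dz}\hat{z}_l$.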

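Then, from Newton's 2nd law, it follows

$$\ddot{x} = n^2(a+x) - \mu(a+x)\left((a+x)^2+y^2+z^2\right)^{-3/2} + 2n\dot{y} + m^{-1}F_{dx}$$

$$\ddot{y} = n^2 y - 2n\dot{x} - \mu y\left((a+x)^2+y^2+z^2\right)^{-3/2} + m^{-1}F_{dy}$$

$$\ddot{z} = -\mu z\left((a+x)^2+y^2+z^2\right)^{-3/2} + m^{-1}F_{dz}$$

where $x, y, z$ denote the elements of the three dimensional relative position vector of the chaser and target in $R_l$.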

Because the distance between the target and the chaser during the rendezvous phase is much smaller than the orbit, it is possible to derive the so-called Hill-Clohessy-Wiltshire (HCW) equations by means of a first order approximation. Hence, it follows a linear 6th order state space model with state vector $x_p = [x\ y\ z\ \dot{x}\ \dot{y}\ \dot{z}]^T$ modelling the chaser relative motion expressed in $\mathcal{F}_l$, both in fault free (i.e. $\Psi = 0$) and faulty (i.e. $\Psi \neq 0$) situations, i.e.

$$\dot{x}_p(t) = A_p x_p(t) + B_p R(\hat{q}_t(t), \hat{q}_c(t))\, B_F u_f(t-\tau(t)) \tag{12}$$

$$y_p(t) = C_p x(t) \tag{13}$$

where the rotation matrix $R(\hat{q}_t, \hat{q}_c)$ is calculated from the quaternion estimates of the chaser $\hat{q}_c \in \mathbb{H}$ and target $\hat{q}_t \in \mathbb{H}$ attitude, and rotates the force vector from $\mathcal{F}_b$ into $\mathcal{F}_l$. These estimates come from the navigation. The output vector $y_p = [x\ y\ z]^T$ is the relative position in $\mathcal{F}_l$ measured by a Light Detection and Ranging (LIDAR) device.

The position model given by (12) and (13) is well known and mastered for control, but rarely used for FDI purposes. The advantage is that this model takes into account both the rotational $q_c$ and translational $x$ motions of the chaser. Thus, effects that faults have on both the chaser attitude and translation are considered. Furthermore, this model is naturally robust against the model uncertainties, such as CoM and inertia, whilst the attitude model is not. In Fonod et al. [2013a], a sensitivity/robustness analysis campaign was performed showing high reliability and efficiency (in terms of detection times) of a fault detector based on a position model in $\mathcal{F}_l$. Here, an observer-based fault detector is designed that has enhanced robustness to the time-varying delay $\tau(t)$ introduced in (1). This observer exploits the position model given by (12) and (13) to generate the state estimate $\hat{x}_p$ used to produce the residual signal $r = [r_1, r_2, r_3]^T$ of the following form:

$$r(t) = Q\left(y_p(t) - C_p\hat{x}_p(t)\right) \tag{14}$$

where $Q$ is a weighting matrix. The design of (14) is based on theoretical developments given in Fonod et al. [2013b].

3.2 Decision test: fault detection

The proposed decision test is motivated by the scalar valued Generalized Likelihood Ratio (GLR) test given in Ding [2008], i.e.

$$S_i(k) = N_d \ln(\sigma_i) - \frac{N_d}{2}\left(1 + \ln(\hat{\sigma}_i^2(k)) - \frac{\hat{\sigma}_i^2(k)}{\sigma_i^2}\right) \tag{15}$$

$$\hat{\sigma}_i^2(k) = \frac{1}{N_d}\sum_{j=k-N_d+1}^{k} r_i^2(j) \tag{16}$$

where $r_i(k)$ is the $i$th element of the residual $r(k)$ evaluated at time instant $t = kT_s$, $k = 0, 1, 2, \ldots$ where $T_s$ is the navigation sampling time, $\sigma_i$ is the (fixed) standard deviation of $r_i$ in fault free situation and $N_d > 1$ represents the detection sliding window due to on-line realization. The proposed decision test $\rho(t)$ is defined by

$$\rho(t) = \begin{cases} 1, & S(k) > J_{th} \Rightarrow \text{fault declared} \\ 0, & S(k) \le J_{th} \Rightarrow \text{fault not present} \end{cases} \tag{17}$$

where $J_{th}$ is a fixed threshold selected by the designer and $S(k)$ is given by

$$S(k) = \sum_{j=1}^{3} w_j S_j(k), \quad \sum_{j=1}^{3} w_j = 1 \tag{18}$$

where $w_j \ge 0, j = 1, 2, 3$ are the weight factors used to prioritize certain elements (axis) of the residual.
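The decision test (15)-(18) as a sliding-window detector, given here as an added example that is not code from the paper. $N_d = 10$, $J_{th} = 200$ and $w_j = 1/3$ are the values quoted in Section 5; the fault-free standard deviations and the residual sequence are constructed for illustration.

```python
import math
from collections import deque


def glr_statistic(window, sigma):
    """S_i(k) of eq. (15) for one residual axis over the last N_d samples."""
    n_d = len(window)
    var_hat = sum(r * r for r in window) / n_d      # eq. (16)
    var_hat = max(var_hat, 1e-300)                  # guard ln(0) for an all-zero window
    return n_d * math.log(sigma) - 0.5 * n_d * (
        1.0 + math.log(var_hat) - var_hat / sigma ** 2)


class GlrDetector:
    """Weighted three-axis GLR decision test, eqs. (17)-(18)."""

    def __init__(self, sigmas, weights, n_d, j_th):
        if min(weights) < 0 or abs(sum(weights) - 1.0) > 1e-9:
            raise ValueError("weights must be non-negative and sum to 1")
        self.sigmas, self.weights = sigmas, weights
        self.n_d, self.j_th = n_d, j_th
        self.windows = [deque(maxlen=n_d) for _ in sigmas]

    def step(self, r):
        """Feed one residual sample r(k); return (rho, S(k))."""
        for win, r_i in zip(self.windows, r):
            win.append(r_i)
        if len(self.windows[0]) < self.n_d:
            return 0, 0.0                           # window not yet full: no decision
        s = sum(w * glr_statistic(win, sig)
                for w, win, sig in zip(self.weights, self.windows, self.sigmas))
        return (1 if s > self.j_th else 0), s


def constructed_residuals(n_samples=60, fault_at=30, sigma=0.01, bias=0.2):
    """Constructed data: +/-sigma alternation when healthy, then a bias on axis 1."""
    out = []
    for k in range(n_samples):
        noise = sigma if k % 2 == 0 else -sigma
        r1 = bias if k >= fault_at else noise
        out.append((r1, noise, -noise))
    return out


def first_detection(residuals, detector):
    """Index k of the first sample at which rho = 1, or None."""
    for k, r in enumerate(residuals):
        rho, _ = detector.step(r)
        if rho:
            return k
    return None


if __name__ == "__main__":
    det = GlrDetector([0.01] * 3, [1 / 3] * 3, n_d=10, j_th=200.0)
    print("fault declared at sample", first_detection(constructed_residuals(), det))
```

With equal weights a fault visible on one axis only is diluted by a factor of three, so in this constructed run four faulty samples must enter the window before $S(k)$ crosses $J_{th}$.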

3.3 Nonlinear unknown input observer

We will briefly state the main results obtained in Chen and Saif [2006]. Considering the following nonlinear system

$$\dot{x}(t) = Ax(t) + Bu(t) + f(x(t)) + Ed(t) \tag{19}$$

$$y(t) = Cx(t) \tag{20}$$

where $x \in \mathbb{R}^n$ stands for the state vector, $y \in \mathbb{R}^m$ is the output, $u \in \mathbb{R}^r$ is the input, $d \in \mathbb{R}^q$ is the unknown input (disturbance) vector, and $f(x) \in \mathbb{R}^n$ is a known nonlinear vector function of $x$ satisfying:

$$\|f(x_1) - f(x_2)\| \le \kappa\|x_1 - x_2\|, \quad \forall x_1, x_2 \in \mathbb{R}^n \tag{21}$$

where $\kappa > 0$ stands for the Lipschitz constant.

The goal is to design an asymptotically converging state observer to estimate $x$ in the presence of an unknown input $d$. A nonlinear UIO for the system (19)-(20) achieving this goal has the following structure

$$\dot{z}(t) = Nz(t) + Gu(t) + Ly(t) + Mf(\hat{x}(t)) \tag{22}$$

$$\hat{x}(t) = z(t) - Hy(t) \tag{23}$$

where $\hat{x} \in \mathbb{R}^n$ is an estimate of $x$, $z \in \mathbb{R}^n$ is an auxiliary signal and the matrices $N$, $G$, $L$, $M$ are designed as in Chen and Saif [2006]:

$$N = MA - KC, \quad G = MB \tag{24}$$

$$L = K(I + CH) - MAH \tag{25}$$

$$M = I + HC \tag{26}$$

$K$ and $H$ being designed subsequently.

Without loss of generality, it is assumed that $E$ is of full column rank. The necessary condition for $HCE = -E$ to have a solution is that $CE$ is also of full column rank and the solution is given in a generalized form by

$$H = U + YV \tag{27}$$

where $Y$ can be chosen arbitrarily, $U$ and $V$ are given by

$$U = -E(CE)^+, \quad V = I + (CE)(CE)^+ \tag{28}$$

and $(CE)^+$ denotes the generalized pseudo-inverse of the matrix $CE$ given by $(CE)^+ = ((CE)^T(CE))^{-1}(CE)^T$.

Theorem 1. (Chen and Saif [2006]). Assume that $CE$ is of full column rank and that the following Linear Matrix Inequality (LMI)

$$\begin{bmatrix} X & X_{12} \\ X_{12}^T & -I \end{bmatrix} < 0 \tag{29}$$

where $X$ and $X_{12}$ are defined as

$$X = [(I+UC)A]^T P + P(I+UC)A - C^T\bar{K}^T - \bar{K}C + (VCA)^T\bar{Y}^T + \bar{Y}(VCA) + \kappa I$$

$$X_{12} = \sqrt{\kappa}\,[P(I+UC) + \bar{Y}(VC)]$$

has a feasible solution for $\bar{Y}$, $\bar{K}$ and $P = P^T > 0$, then the nonlinear UIO given by (22) and (23) can be designed with $Y = P^{-1}\bar{Y}$ and $K = P^{-1}\bar{K}$, making $N$ Hurwitz and the estimation error $e(t) = \hat{x}(t) - x(t)$ tend to zero asymptotically for any initial value of $e(0)$.

Proof. The proof can be found in Chen and Saif [2006].

3.4 Thruster group isolation: a bank of nonlinear UIOs

Recalling the thruster configuration properties given by (5)-(7), we assume that for fault isolation it is easier to obtain explicit information from the angular velocity $\omega \in \mathbb{R}^3$ measurement than from the linear position/velocity. Therefore, the below model of the attitude dynamics of a rigid-body spacecraft in the body-fixed frame $\mathcal{F}_b$

$$J\dot{\omega}(t) = B_T u_f(t) - \omega(t) \times J\omega(t) \tag{30}$$

is used for the design of a bank of UIOs. In (30), $J \in \mathbb{R}^{3\times 3}$ stands for the inertia of the chaser in $\mathcal{F}_b$. A nonlinear UIO, as introduced in section 3.3, has been selected because of its decoupling properties and the ability to take into account nonlinearities of the attitude dynamics.

The attitude model (30) can be represented in the form of (19) and (20) with the following assignment: $x = \omega$, $f(\omega) = -J^{-1}\omega \times J\omega$, $A = 0$, $B = J^{-1}B_T$, and $C = I$. One may argue that $f(\omega)$ is not globally Lipschitz, because the Jacobian $\partial f/\partial\omega$ is not uniformly bounded over $\mathbb{R}^3$. However, $f(\omega)$ is continuously differentiable on $\mathbb{R}^3$. Thus, it is locally Lipschitz. This means that the angular velocity shall be bounded in magnitude, which is a reasonable assumption from a practical point of view. Using a constrained optimization algorithm, one can find a Lipschitz constant $\kappa$ over the set $\mathcal{S} = \{\omega \in \mathbb{R}^3 : |\omega_i| \le \bar{\omega}_i, i = 1, 2, 3\}$, where $\bar{\omega}_i > 0$ is the upper bound of the angular velocity in the given axis.

For each thruster group $\mathcal{S}_{T_i}$, a dedicated UIO is designed. Each UIO is such that it can fully estimate the angular velocity $\omega$ with all the inputs except those belonging to $\mathcal{S}_{T_i}$, i.e. $u_i, i \in \mathcal{S}_{all} \setminus \mathcal{S}_{T_i}$. As a result, the UIO dedicated to the thruster group $\mathcal{S}_{T_i}$ will not be influenced by faults occurring in thrusters that belong to $\mathcal{S}_{T_i}$, while all the other UIOs will be. Based on Theorem 1, the design of a bank of nonlinear UIOs is summarized in Algorithm 1.

Algorithm 1 Bank of nonlinear UIO design

Find a Lipschitz constant $\kappa$ satisfying (21);
for $k = 1$ to $5$ do
    Construct $B_k^\star$ whose columns are $b_{T_i}, \forall i \in \mathcal{S}_{all} \setminus \mathcal{S}_{T_k}$;
    Set $E = b_{T_i}$ for any arbitrary $i \in \mathcal{S}_{T_k}$ and $B = B_k^\star$;
    Compute $U$ and $V$ according to (28);
    Solve the LMI defined by (29) for $\bar{Y}$, $\bar{K}$ and $P = P^T > 0$;
    Let $Y = P^{-1}\bar{Y}$ and $K = P^{-1}\bar{K}$;
    Using $Y$ and $K$, the $k$th UIO gains are given by (24)-(27);
end for

The $i$th observer only estimates the angular velocity $\hat{\omega}_i$ of the chaser from the measurement $\omega$. Therefore, the computational burden is reduced since there is no need to process the entire state vector (i.e. the linear position/velocity and attitude in addition). For real-time reasons, the UIOs are triggered only when $\rho(t)$ indicates that a fault has occurred. Even if only $\omega$ is estimated, keeping the UIOs switched off before the fault is detected seems to be a good strategy, regarding the nonlinear nature of the observer.

Let $t_d$ denote the fault detection time, i.e. the time when the fault is declared by $\rho(t)$, and $\mathcal{D} = \{1, 2, \ldots, 5\}$ the set of all indices linked with the thruster groups $\mathcal{S}_{T_1}, \ldots, \mathcal{S}_{T_5}$. Each observer is initialized with the (known) measurement at time $t_d$, i.e. $\hat{\omega}_i(t_d) = \omega(t_d), \forall i \in \mathcal{D}$. By this, all observers have zero initial estimation error. Hence, the observer initial convergence (transient phase) problem is avoided. Defining the angular velocity estimation error of the $i$th observer as $e_i(t) = \hat{\omega}_i(t) - \omega(t)$, then the faulty thruster group $\mathcal{S}_{T_i}$ is identified based on the following rule

$$\sigma_g(t) = \arg\min_{i \in \mathcal{D}} \|e_i(t)\|, \quad t > t_d \tag{31}$$

where $\sigma_g(t) : \mathbb{R}_+ \to \mathcal{D}$ represents the identified thruster group index that is most likely affected by a fault.

Remark 1. It is assumed that the time-varying delay (1) has no big effect on the isolation performance. Therefore, $\tau(t)$ is not considered in (30). Furthermore, the isolation process is triggered by the decision test $\rho(t)$ which already has enhanced robustness to $\tau(t)$.

3.5 Isolation logic

Once the thruster group $\mathcal{S}_{T_i}$ is identified by $\sigma_g$, the faulty thruster can be easily isolated by examining the angle of the vector $r$ given by (14) along the force directions $b_{F_i}, i \in \mathcal{S}_{T_i}$. When the $i$th thruster is faulty, then vectors $r$ and $b_{F_i}$ should be collinear. The degree of collinearity can be computed using the direction cosine approach: $\cos(\theta_i(t)) = b_{F_i}^T r(t) / (\|b_{F_i}\|\|r(t)\|)$, where $\theta_i$ is the angle between the vectors $r$ and $b_{F_i}$. If $r$ and $b_{F_i}$ are collinear, then $\cos(\theta_i) = 1$ (and the angle between the two vectors $\theta_i = 0$). Thus, the following isolation logic

$$\sigma(t) = \arg\max_{j \in \mathcal{S}_{T_i}} \frac{b_{F_j}^T r(t)}{\|b_{F_j}\|\|r(t)\|} \tag{32}$$

results in the thruster index matching the faulty thruster.

This isolation logic has to clearly indicate which actuator is faulty. Therefore, only thrusters belonging to the (already) identified group $\mathcal{S}_{T_i}$ are tested in (32). Since the force directions within the groups $\mathcal{S}_{T_i}, i \in \mathcal{D}$ are either exactly opposite, see (6), or are orthogonal, see (7), it makes the isolation logic $\sigma(t) : \mathbb{R}_+ \times \mathcal{D} \to \mathcal{S}_{all}$ very reliable.

To avoid initial transition phenomena and to ensure robustness, we introduce two confirmation windows $\delta_g > 0$ for $\sigma_g(t)$ and $\delta > 0$ for $\sigma(t)$. The whole fault detection and isolation strategy is summarised in Algorithm 2.


Algorithm 2 Thruster fault detection and isolation

if $\rho(t) = 1$ then
    Decision = Declare a fault presence and run the UIOs;
    if $\sigma_g(t) = \sigma_g(\nu), \forall \nu \in (t-\delta_g, t]$ then
        Decision = The faulty thruster group $\mathcal{S}_{T_i}$ is identified;
        if $\sigma(t) = \sigma(\nu), \forall \nu \in (t-\delta, t]$ then
            Decision = Declare the $i$th $= \sigma(t)$ thruster to be faulty
end all if
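The group selection (31), the direction cosine test (32) and the two confirmation windows of Algorithm 2, written out as an added example that is not code from the paper. The force columns are constructed so that they only reproduce the structure of (6)-(7), not the real MSR geometry; the UIO error norms and residuals are constructed inputs, and the windows are taken as 5 samples each ($\delta_g = \delta = 0.5$ s at $T_s = 0.1$ s). Checking both windows at the same sample is this example's reading of the nested conditions.

```python
import math
from collections import deque

# Thruster groups with similar torque directions, eq. (5).
GROUPS = {1: (1, 11), 2: (2, 10), 3: (4, 8), 4: (5, 7), 5: (3, 6, 9, 12)}
F_N = 22.0  # maximum thrust in newtons (Section 2)

# Constructed unit force directions, NOT the real thruster layout.
_DIRS = {1: (1, 0, 0), 2: (0.6, 0.8, 0), 4: (0.6, 0, 0.8), 5: (0, 0.6, 0.8),
         3: (0, 1, 0), 6: (0, 0, 1)}
_OPPOSITE = {1: 11, 2: 10, 4: 8, 5: 7, 3: 12, 6: 9}     # pairs of eq. (6)
B_F = {}
for _i, _d in _DIRS.items():
    B_F[_i] = tuple(F_N * c for c in _d)
    B_F[_OPPOSITE[_i]] = tuple(-F_N * c for c in _d)


def direction_cosine(b, r):
    """cos(theta) between a force column b and the residual r."""
    nb = math.sqrt(sum(c * c for c in b))
    nr = math.sqrt(sum(c * c for c in r))
    if nb == 0.0 or nr == 0.0:
        return 0.0                      # direction undefined: treat as no match
    return sum(x * y for x, y in zip(b, r)) / (nb * nr)


def group_index(err_norms):
    """Eq. (31): group whose UIO has the smallest estimation error norm."""
    return min(err_norms, key=err_norms.get)


def thruster_index(group, r):
    """Eq. (32): thruster of the group whose force column best matches r."""
    return max(GROUPS[group], key=lambda j: direction_cosine(B_F[j], r))


def isolate(samples, n_g, n):
    """Algorithm 2 once rho = 1. samples yields (err_norms, r) per time step;
    n_g and n are the confirmation windows delta_g and delta in samples.
    Returns (sample index, faulty thruster index), or None if never confirmed."""
    hist_g, hist = deque(maxlen=n_g), deque(maxlen=n)
    for k, (err_norms, r) in enumerate(samples):
        g = group_index(err_norms)
        hist_g.append(g)
        hist.append(thruster_index(g, r))
        group_ok = len(hist_g) == n_g and len(set(hist_g)) == 1
        thruster_ok = len(hist) == n and len(set(hist)) == 1
        if group_ok and thruster_ok:
            return k, hist[-1]
    return None


def constructed_samples():
    """Constructed post-detection data: one misleading sample, then a fault on No.3."""
    early = {1: 4e-4, 2: 1e-4, 3: 5e-4, 4: 6e-4, 5: 3e-4}     # group 2 looks best
    settled = {1: 6e-4, 2: 7e-4, 3: 5e-4, 4: 8e-4, 5: 1e-5}   # group 5 decoupled
    out = [(early, (0.0, 0.1, 0.3))]
    out += [(settled, (0.0, 0.1, 0.3))] * 2        # residual still closest to b_F6
    out += [(settled, (0.02, 0.4, -0.05))] * 9     # residual aligned with b_F3
    return out


if __name__ == "__main__":
    print(isolate(constructed_samples(), n_g=5, n=5))
```

The transient samples at the start are exactly what the confirmation windows are for: the first arg min and arg max values point at the wrong group and thruster and are discarded.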

4. FAULT ACCOMMODATION

In the investigated thruster configuration, an additional freedom is available to achieve fault tolerance. Particularly, it means that it is possible to achieve admissible GNC performance even if only $N-1$ (healthy) thrusters are used to control the spacecraft. The nominal 6DOF control law is designed based on certain predetermined performance criteria. Hence, after the fault occurrence, it is desirable to keep the nominal controller in the loop and perform the fault accommodation on the control allocation level which can counteract the effect of the fault in a simple manner.

Fig. 1. Principal accommodation scheme for thruster faults

Figure 1 illustrates the proposed Fault Detection, Isolation and Accommodation (FDI-A) scheme implemented within the GNC system. The FDI-A strategy works as follows: as soon as the faulty thruster index is clearly isolated by Algorithm 2, the faulty thruster is switched off using a dedicated thruster latch valve and the desired forces and torques are re-allocated among the remaining $N-1$ healthy thrusters. Here, the quadratic programming approach, also known as $\ell_2$-optimal control allocation, is used. This problem is posed as the following Sequential Least-Squares (SLS) problem:

$$u = \arg\min_{u \in \mathcal{M}} \|W_u(u - u_d)\| \tag{33}$$

$$\mathcal{M} = \arg\min_{0 \le u \le \bar{u}} \|W_v(B_a u - v_d)\| \tag{34}$$

where $B_a^T = [B_F^T\ B_T^T]$ is the overall configuration matrix, $v_d$ is the augmented vector of the desired forces and torques, $\bar{u} = [\bar{u}_1, \ldots, \bar{u}_{12}]^T$ are the upper limits defined as: $\bar{u}_i = 1, \forall i \in \mathcal{S}_{all} \setminus \sigma(t)$ and $\bar{u}_i = 0, i = \sigma(t)$. This optimization problem should be understood as follows: given $\mathcal{M}$, the set of feasible control inputs minimizing $B_a u - v_d$ (weighted by $W_v$), pick the control input that minimizes $u - u_d$ (weighted by $W_u$). Here, $u_d$ is the desired control input and $W_u$ and $W_v$ are nonsingular weighting matrices. $W_u$ affects the control distribution among the thrusters and $W_v$ affects the prioritization among force/torque components when $B_a u - v_d$ cannot be attained due to, e.g. thruster constraints. A faster algorithm can be obtained by approximating the SLS formulation as a Weighted Least-Squares (WLS) problem:

$$\min \|W_u(u - u_d)\|^2 + \gamma\|W_v(B_a u - v_d)\|^2 \quad \text{subj. to } 0 \le u \le \bar{u} \tag{35}$$

As $\gamma \to \infty$, the two formulations have the same optimal solution $u$. The cost function (35) may be re-written as

$$\|W_u(u - u_d)\|^2 + \gamma\|W_v(B_a u - v_d)\|^2 = \left\| \underbrace{\begin{bmatrix} \sqrt{\gamma}\,W_v B_a \\ W_u \end{bmatrix}}_{A^\circ} u - \underbrace{\begin{bmatrix} \sqrt{\gamma}\,W_v v_d \\ W_u u_d \end{bmatrix}}_{b^\circ} \right\|^2 \tag{36}$$

allowing the minimization problem to be formulated as

$$\min \|A^\circ u - b^\circ\|^2, \quad \text{subj. to } 0 \le u \le \bar{u} \tag{37}$$

which can be solved using an active set algorithm, see Härkegård [2002] for implementation details. This algorithm determines the optimal solution in a finite number of iterations. The max number of iterations $N_{ca}$ can be considered to reflect the max computation time available.
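The WLS re-allocation (35)-(37) with the isolated thruster's upper bound set to zero, as an added example that is not code from the paper. It uses $W_u = W_v = I$, $u_d = 0$ and $\gamma = 100$ as in Section 5, but swaps the active set algorithm of Härkegård [2002] for a plain cyclic coordinate descent with clipping, and runs on a constructed planar layout of 8 thrusters (one force axis, one torque axis) instead of the 12-thruster, 6-DoF configuration.

```python
import math


def wls_allocate(B, v_d, u_max, gamma=100.0, u_d=None, max_sweeps=20000, tol=1e-12):
    """Solve min ||u - u_d||^2 + gamma ||B u - v_d||^2  s.t. 0 <= u <= u_max.

    B is given as a list of rows (outputs x thrusters). The problem is stacked
    as min ||A u - b||^2 following eq. (36) and solved coordinate by coordinate;
    each 1-D minimiser is clipped to its box, which is exact for this problem.
    """
    m, n = len(B), len(B[0])
    u_d = [0.0] * n if u_d is None else list(u_d)
    g = math.sqrt(gamma)
    A = [[g * B[i][j] for j in range(n)] for i in range(m)]
    A += [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    b = [g * v for v in v_d] + u_d
    rows = m + n
    col_sq = [sum(A[i][j] ** 2 for i in range(rows)) for j in range(n)]  # >= 1
    u = [0.0] * n
    res = [-b_i for b_i in b]                       # A u - b at u = 0
    for _ in range(max_sweeps):
        biggest = 0.0
        for j in range(n):
            grad = sum(A[i][j] * res[i] for i in range(rows))
            new = min(max(u[j] - grad / col_sq[j], 0.0), u_max[j])
            step = new - u[j]
            if step:
                for i in range(rows):
                    res[i] += A[i][j] * step
                u[j] = new
                biggest = max(biggest, abs(step))
        if biggest < tol:
            break
    return u


def accommodate(B, v_d, faulty=None, **kw):
    """Close thruster `faulty` (1-based index sigma(t)) and re-allocate."""
    u_max = [0.0 if j + 1 == faulty else 1.0 for j in range(len(B[0]))]
    return wls_allocate(B, v_d, u_max, **kw)


def allocation_error(B, u, v_d):
    """||B u - v_d||: how far the produced force/torque is from the demand."""
    return math.sqrt(sum(
        (sum(b_ij * u_j for b_ij, u_j in zip(row, u)) - v) ** 2
        for row, v in zip(B, v_d)))


# Constructed planar layout (normalised units): row 0 = force, row 1 = torque.
B_DEMO = [[1, 1, -1, -1, 1, -1, 0, 0],
          [1, -1, 1, -1, 0, 0, 1, -1]]
V_DEMO = [0.5, 0.0]

if __name__ == "__main__":
    for faulty in (None, 1):
        u = accommodate(B_DEMO, V_DEMO, faulty)
        print(faulty, [round(x, 4) for x in u], allocation_error(B_DEMO, u, V_DEMO))
```

In this constructed case closing thruster 1 shifts its share onto thrusters 5 and 7 while the demanded force and torque are still met to within the small bias that a finite $\gamma$ leaves.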

5. SIMULATION RESULTS

The FDI-A scheme described in the previous sections is implemented within the MSR “high-fidelity” industrial simulator. Following the design steps given in Algorithm 1, a bank of 5 nonlinear observers was designed with $\kappa = 0.2$. The WLS control allocation algorithm presented in section 4 was implemented using $W_v = I$, $W_u = I$, $u_d = 0$, $N_{ca} = 100$, and $\gamma = 100$. The remaining design parameters were chosen as follows: $Q = I$, $N_d = 10$, $J_{th} = 200$, $T_s = 0.1$, $w_i = 1/3, \forall i \in \{1, 2, 3\}$, $\delta_g = 0.5$, and $\delta = 0.5$.

The simulation examples are all carried out during the last 20m of the rendezvous phase. The navigation unit is assumed to be decoupled from thruster faults, but providing noisy estimates. We also assume delays induced by the CPDE device, uncertainties on thruster rise times, uncertain mass, inertia, CoM (thus uncertain $B_T$) and spatial disturbances (i.e. gravity gradient, atmospheric drag, and solar radiation pressure).

Fig. 2. MSR rendezvous corridor

The first fault scenario corresponds to a fully open thruster fault (thruster provides maximum thrust regardless of the control signal) occurring at $t_f = 1100$s and affecting thruster No.7. To emphasize the relevance of the engagement of the proposed scheme into the GNC system, two identical simulations are carried out: first, when the FDI-A scheme is active (FDI-A on), and second, when not (FDI-A off). Figure 2 clearly illustrates the consequence when the fault is not accommodated, i.e. the chaser misses the target and the mission is lost. On the other hand, when the proposed approach is active, the chaser maintains nominal trajectory, i.e. stays inside the rendezvous corridor and the MSR capture requirements are met, see Fig.3. Furthermore, it can be inferred from Fig.2 that the chaser keeps its attitude pointing towards the target. Hence, the target remains visible from the rendezvous sensors.

[Fig. 3 axes and legend: chaser spacecraft Y and Z axes; lateral Y and Z velocity; longitudinal X velocity; misalignment requirement, basket aperture, velocity requirement, nominal velocity, out of requirement (3 sigma); target center and target velocity shown for FDI-A on and FDI-A off.]

Fig. 3. MSR capture performance: position misalignment on +X face (top left), lateral velocity (top right) and longitudinal velocity (bottom) requirements

[Fig. 4 panels, plotted against time (s): residual signal of the fault detector $r(t)$; estimation errors $\|\omega_i - \omega\|$ of UIOs 1 to 5; GLR decision test $\rho(t)$; faulty thruster group isolation $\sigma_g(t)$ with conf. window $\delta_g$; direction cosines $\cos(\theta_i)$ for $\mathcal{S}_{T_5}$ (thrusters 3, 6, 9, 12); identified faulty thruster index $\sigma(t)$ with conf. window $\delta$. Plot annotations: "fault detected within 1.2s", "group confirmed within 0.8s", "thruster clearly isolated".]

Fig. 4. Fault detection and isolation algorithm behaviour

Figure 4 aims to illustrate the time behaviour of the FDI algorithm for the second fault scenario which corresponds to a leaking thruster of size $m_{leak} = 15\%$ and affecting thruster No.3 from $t_f = 1100$s. This fault is maintained during the whole length of the simulation and is not accommodated. The fault presence is declared at $t_d = 1101.2$s and the faulty thruster index is clearly isolated at $t_i = 1102.5$s. As can be seen from Fig.4, despite the small leakage size, external disturbances and uncertainties, the right thruster index was isolated in a reasonable time.

6. CONCLUSIONS

In this paper, a method to unambiguously detect, isolate and accommodate a single “open-type” thruster fault of an autonomous spacecraft has been studied. The method differs from the usual solutions by the use of two observers, one for detection and one for thruster group isolation. Time delays induced by the propulsion drive electronics and uncertainties on thruster rise times have been considered on the detection level. Finally, when a thruster is clearly isolated, the faulty thruster is turned off and the remaining $N-1$ healthy thrusters are used. This achieves fault accommodation without any change in the nominal controller (GNC system), and without requiring any redundant thruster set or any additional valve position sensor. This is in contrast to the classical FDIR approach, used in the satellite systems, where fault isolation is not always possible.

REFERENCES

M. Blanke, M. Kinnaert, J. Lunze, and M. Staroswiecki. Diagnosis and Fault-Tolerant Control. Springer, 2006.

W. Chen and M. Saif. Unknown input observer design for a class of nonlinear systems: an LMI approach. In Proc. of American Control Conference, pages 834–838, Minneapolis, USA, 2006.

W. Chen and M. Saif. Observer-based fault diagnosis of satellite systems subject to time-varying thruster faults. Journal of Dynamic Systems, Measurement and Control, 129(3):352–356, 2007.

S.X. Ding. Model-based fault diagnosis techniques: design schemes, algorithms, and tools. Springer Verlag, 2008.

A. Falcoz, F. Boquet, M. Dinh, B. Polle, G. Flandin, and E. Bornschlegl. Robust fault diagnosis strategies for spacecraft application to LISA pathfinder experiment. In Proc. of IFAC Symposium on Automatic Control in Aerospace, pages 404–409, 2010.

R. Fonod, D. Henry, E. Bornschlegl, and C. Charbonnel. Robust fault detection for systems with electronic induced delays: Application to the rendezvous phase of the MSR mission. In Proc. of European Control Conference, pages 1439–1444, Zürich, Switzerland, 2013a.

R. Fonod, D. Henry, C. Charbonnel, and E. Bornschlegl. Robust thruster fault diagnosis: Application to the rendezvous phase of the Mars Sample Return mission. In Proc. of CEAS Specialist Conference on Guidance, Navigation and Control, pages 1496–1510, Delft, NL, 2013b.

Ola Härkegård. Efficient active set algorithms for solving constrained least squares problems in aircraft control allocation. In Proc. of Conference on Decision and Control, pages 1295–1300, Las Vegas, NV, 2002.

D. Henry. Fault diagnosis of microscope satellite thrusters using H∞/H− filters. Journal of Guidance, Control, and Dynamics, 31(3):699–711, 2008.

X. Olive. FDI(R) for satellites: How to deal with high availability and robustness in the space domain? International Journal of Applied Mathematics and Computer Science, 22(1):99–107, 2012.

R. Patton, F. Uppal, S. Simani, and B. Polle. Robust FDI applied to thruster faults of a satellite system. Control Engineering Practice, 18(9):1093–1109, 2010.

A. Posch, A.O. Schwientek, J. Sommer, and W. Fichter. Model-based on-board realtime thruster fault monitoring. In Proc. of IFAC Symposium on Automatic Control in Aerospace, pages 553–558, Würzburg, Germany, 2013.

H. Schaub and J.L. Junkins. Analytical Mechanics of Space Systems. AIAA Education Series, Reston, VA, 2009.

A. Wander and R. Förstner. Innovative fault detection, isolation and recovery strategies on-board spacecraft: State of the art and research challenges. In Proc. of Deutscher Luft- und Raumfahrkongress, Berlin, 2012.

Y. Zhang and J. Jiang. Bibliographical review on reconfigurable fault-tolerant control systems. Annual Reviews in Control, 32(2):229–252, 2008.

A. Zolghadri. Advanced model-based FDIR techniques for aerospace systems: Today challenges and opportunities. Progress in Aerospace Sciences, 53(3):18–29, 2012.
