Lecture Notes in Control and Information Sciences 399 Editors: M. Thoma, F. Allgöwer, M. Morari
Christopher Edwards, Thomas Lombaerts, and Hafid Smaili (Eds.)
Fault Tolerant Flight Control A Benchmark Challenge
ABC
Series Advisory Board P. Fleming, P. Kokotovic, A.B. Kurzhanski, H. Kwakernaak, A. Rantzer, J.N. Tsitsiklis
Editors Christopher Edwards
Hafid Smaili
University of Leicester University Road Leicester LE1 7RH United Kingdom E-mail:
[email protected]
National Aerospace Laboratory NLR Anthony Fokkerweg 2 1059 CM Amsterdam The Netherlands E-mail:
[email protected]
Thomas Lombaerts Delft University of Technology Kluyverweg 1 P.O. Box 5058 2600 GB Delft The Netherlands E-mail:
[email protected]
ISBN 978-3-642-11689-6
e-ISBN 978-3-642-11690-2
DOI 10.1007/978-3-642-11690-2 Lecture Notes in Control and Information Sciences
ISSN 0170-8643
Library of Congress Control Number: 2010924939 c 2010
Springer-Verlag Berlin Heidelberg
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable for prosecution under the German Copyright Law. The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. Typeset & Cover Design: Scientific Publishing Services Pvt. Ltd., Chennai, India. Printed on acid-free paper 543210 springer.com
Preface
The European Flight Mechanics Action Group FM-AG(16) on Fault Tolerant Control, established in 2004 and concluded in 2008, represented a collaboration involving thirteen European partners from industry, universities and research establishments under the auspices of the Group for Aeronautical Research and Technology in Europe (GARTEUR) program1. In FM-AG(16) the following organizations participated: • Research Establishments – – – –
Centro Italiano Ricerche Aerospaziali (CIRA, Capua, Italy) Deutsches Zentrum fur Luft-und Raumfahrt (DLR, Oberpfaffenhofen) Defence Science and Technology Laboratory (DSTL, United Kingdom) Netherlands National Aerospace Laboratory (NLR, Amsterdam)
• Industry – QinetiQ (Bedford, United Kingdom) – Airbus (Toulouse, France) • Universities – Bordeaux University (LAPS, Bordeaux, France) – Delft University of Technology (DUT, Delft, the Netherlands) · Faculty of Aerospace Engineering (DUT-AE) · Delft Center of Systems and Control (DUT-DCSC) – Lille University (USTL, Lille, France) – University of Cambridge (UCAM, Cambridge, United Kingdom) 1
The Group for Aeronautical Research and Technology in EURope (GARTEUR) was formed in 1973 and has as member countries: France, Germany, the Netherlands, Spain, Sweden and the United Kingdom. According to its Memorandum of Understanding, the mission of GARTEUR is to mobilize, for the mutual benefit of the GARTEUR member countries, their scientific and technical skills, human resources, and facilities in the field of aeronautical research and technology.
VI
Preface
– University of Hull (UHUL, Hull, United Kingdom) – University of Leicester (ULES, Leicester, United Kingdom) The Action Group was chaired by Jon King (QinetiQ); Jan Breeman (NLR) was vice-chairman and acting chairman during the last months of the program. Ten meetings were held in total: Bedford (September 2004), Capua (February 2005), Oberpfaffenhofen (July 2005), Lille (February 2006), Toulouse (Mid-Term Workshop, 4-5 April 2006), Bordeaux (October 2006), Leicester (January 2007), Delft (April 2007), Cambridge (July 2007) and again Delft (20-21 November 2007), which was the venue for the Final Workshop and SIMONA Demonstration, giving an extra inter-cultural dimension to the project. The demonstration on the SIMONA Research Simulator at the Faculty of Aerospace Engineering at Delft University during the Final Workshop helped to provide a strong focus to develop the methods and provided a human appreciation of the problem. In a subsequent evaluation in the SIMONA Research Simulator, conducted in 2008, professional airline pilots were invited as an external expert group. This provided supporting information on the practical and operational implications of advanced flight control systems integration from a human factors perspective. The editors would like to emphasize that this book is the result of a joint effort by the Action Group. With respect to the contents, it was considered to be important that as many FM-AG(16) organizations as possible were given the opportunity to present their work, in order to cover a wide variety of design approaches. Hence the contributions in this book have not been selected by the editors. The book consists of five parts. Part I contains the introduction and motivation of this research project and a state-of-the-art overview in Fault Tolerant Flight Control (FTC). Part II includes the description of the benchmark challenge, consisting of details of the benchmark simulation model and the assessment criteria used to evaluate the performance of the Fault Tolerant Controllers. Part III covers all the different FDI/FTC design methods which have been applied to the benchmark simulation model. There are two different evaluation methods for these FDI/FTC designs, namely an off-line evaluation using the assessment criteria in the benchmark simulation model in Matlab, and an on-line evaluation on Delft’s SIMONA Research Simulator. The off-line evaluations are described in the individual chapters in part III, whereas the latter is treated extensively in part IV where the real time assessments on the SIMONA Research Simulator are introduced and discussed. Finally part V focuses on a review of the applied methods from an industrial perspective together with some concluding remarks. The work underpinning this book was undertaken by the participating organizations of GARTEUR FM-AG(16). These organizations, which are listed above, are thanked for their confidence in the group and their full support throughout the project. In some cases national agencies and other research funding bodies, such as STW in the Netherlands and EPSRC from the UK, gave direct financial help through the provision of grants. Without their financial support this project would not have been possible.
Preface
VII
FM-AG(16) also wishes to express its gratitude to the Netherlands Aerospace Laboratory NLR for supplying the high-fidelity nonlinear simulation model based on realistic failure scenarios validated against flight data, which is a unique facility. Also Delft University deserves thanks for offering the SIMONA Research Simulator as an evaluation platform for the FTFC methods. This re-invigorated the programme considerably. The contribution of the test pilots who participated in the FM-AG(16) simulator campaign, and provided professional feedback on the evaluated control designs, is gratefully acknowledged. The group also thanks the GARTEUR organization, in particular the Flight Mechanics Group of Responsables and the Executive Committee, for making the publication of this book possible. John Keirl from QinetiQ and Dennis Fryer from DSTL, who acted as the GARTEUR Monitoring Responsables of FM-AG(16), have provided key contributions behind the scenes. They were an indispensable link between the Action Group and the GARTEUR organization. The editors would like to thank all those who kindly provided their approval to use the pictures and illustrations in this book. The authors have taken into account to their best capacity the copyrights of the illustrations and these remain the property of the cited copyright holders. Not all the results of GARTEUR Action Group FM-AG(16) could be presented in this book. Several research teams did not submit designs for the final workshop, and there were other reasons why their work could not be included. In this respect Marcel Staroswiecki and Cyrille Christophe (Lille University), Sven Lorenz (DLR-BS), Stuart Runham (DSTL), Ron Patton (Hull University) and Youmin Zhang (Aalborg University) and all their colleagues are acknowledged for their valuable contributions during the program. Finally, special thanks to Airbus and Delft University for organizing and hosting the Mid-Term and Final Workshops respectively. December 2009
C. Edwards T.J.J. Lombaerts M.H. Smaili
Contents
Part I Surviving the Improbable: Towards Resilient Aircraft Control 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Thomas Lombaerts, Hafid Smaili, Jan Breeman 1.1 Towards More Resilient Flight Control . . . . . . . . . . . . . . . . . . . . . . 1.2 History of Flight Control Systems, Source: [40] . . . . . . . . . . . . . . . 1.2.1 Mechanical [33], [35] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.2 Hydro-mechanical [33], [35] . . . . . . . . . . . . . . . . . . . . . . . 1.2.3 Fly-By-Wire Flight Control [33], [35], [34] . . . . . . . . . . . 1.2.4 Fault Tolerant Control in Fly-By-Wire Systems, Sources: [40] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.5 Airbus Philosophy, Sources: [22], [30] . . . . . . . . . . . . . . . 1.2.6 Boeing Philosophy, Sources: [24], [42] . . . . . . . . . . . . . . 1.2.7 Short Case Study of Other Fault Tolerant Systems, Source: [24] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2.8 A Final Note on Fault Tolerance Properties Incorporated in Current Fly by Wire Flight Control Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3 Rationale of Damage Tolerant Control - Aircraft Accident Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.1 American Airlines Flight AA191, Source: [27] . . . . . . . . 1.3.2 Japan Airlines Flight JL123, Source: [27] . . . . . . . . . . . . 1.3.3 United Airlines Flight UA232, Source: [27] . . . . . . . . . . . 1.3.4 EL AL Cargo Flight LY1862, Source: [40] . . . . . . . . . . . 1.3.5 USAir Flight 427 and United Airlines Flight 585, Sources: [4], [9], [5] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.6 DHL Cargo Flight above Baghdad, Sources: [31], [32] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3.7 Final Note on Accident Analysis . . . . . . . . . . . . . . . . . . . . 1.4 Earlier Accomplishments in This Field, Source: [40] . . . . . . . . . . .
3 3 4 6 6 7 10 11 12 14
20 21 22 26 28 30 32 36 38 40
X
Contents
1.4.1
Self-Repairing Flight Control System (SRFCS) Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4.2 MD-11 Propulsion Controlled Aircraft (PCA) . . . . . . . . . 1.4.3 NASA Intelligent Flight Control System (IFCS) F-15 Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5 Research Challenges and Objectives . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3
Fault Tolerant Flight Control - A Survey . . . . . . . . . . . . . . . . . . . . . . Michel Verhaegen, Stoyan Kanev, Redouane Hallouzi, Colin Jones, Jan Maciejowski, Hafid Smail 2.1 Why Fault Tolerant Control? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Fault Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Modelling Faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3.1 Multiplicative Faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3.2 Additive Faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3.3 Component Faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4 Main Components in an FTC System . . . . . . . . . . . . . . . . . . . . . . . . 2.5 FTC Problem Formulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.5.1 Passive Fault Tolerant Control . . . . . . . . . . . . . . . . . . . . . . 2.5.2 Active Fault Tolerant Control . . . . . . . . . . . . . . . . . . . . . . . 2.6 State-of-the-Art in Fault Tolerant Flight Control . . . . . . . . . . . . . . . 2.6.1 Classification of Reconfigurable Control . . . . . . . . . . . . . 2.6.2 Multiple Model Control . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.6.3 Control Allocation (CA) . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.6.4 Adaptive Feedback Linearization via Artificial Neural Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.6.5 Sliding Mode Control (SMC) . . . . . . . . . . . . . . . . . . . . . . 2.6.6 Eigenstructure Assignment (EA) . . . . . . . . . . . . . . . . . . . . 2.6.7 Model Reference Adaptive Control (MRAC) . . . . . . . . . . 2.6.8 Model Predictive Control . . . . . . . . . . . . . . . . . . . . . . . . . . 2.6.9 Model Following . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.6.10 Adaptive Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.7 Comparison of Fault Tolerant Flight Control Methods . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
40 41 41 42 43 47
47 49 51 51 53 54 55 58 61 62 63 63 64 69 71 74 75 78 80 81 82 83 85
Fault Detection and Diagnosis for Aeronautic and Aerospace Missions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 David Henry, Silvio Simani, Ron J. Patton 3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 3.2 Fault Detection and Diagnosis Approaches . . . . . . . . . . . . . . . . . . . 94 3.2.1 The Parity-Space Methods . . . . . . . . . . . . . . . . . . . . . . . . . 94 3.2.2 Particle Filtering Approach . . . . . . . . . . . . . . . . . . . . . . . . 97 3.2.3 Nonlinear EKF Approaches . . . . . . . . . . . . . . . . . . . . . . . . 99 3.2.4 Observer-Based Approaches . . . . . . . . . . . . . . . . . . . . . . . 101 3.2.5 Norm-Based Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Contents
3.2.6 H∞ Fault Estimation Approach . . . . . . . . . . . . . . . . . . . . . 3.2.7 Non-linear FDD Method . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2.8 Sliding Mode Observer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3 Application Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.1 Application to ‘Oscillatory Failure Case’ (OFC) . . . . . . . 3.3.2 Simulated Aircraft Model FDD . . . . . . . . . . . . . . . . . . . . . 3.3.3 Aerospace Mission Application Examples . . . . . . . . . . . . 3.3.4 Robust Diagnosis for Mars Express Satellite Thruster Faults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5
Real-Time Identification of Aircraft Physical Models for Fault Tolerant Flight Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ping Chu, Jan Albert (Bob) Mulder, Jan Breeman 4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.2 History of Aircraft Model Identification at Delft University of Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3 The Two Step Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3.1 Decomposition of Aircraft State and Parameter Estimation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3.2 Estimation Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3.3 Techniques to Cope with Estimation Biases . . . . . . . . . . . 4.4 On-Line Parameter Estimation Using Least Squares and Total Least Squares Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.4.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.4.2 Sequential Total Least Squares (Ref. [34]) . . . . . . . . . . . . 4.4.3 Summary of TLS Method . . . . . . . . . . . . . . . . . . . . . . . . . . 4.5 Real-Time Identification of Aircraft Physical Model for Fault Tolerant Flight Control, [13] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Industrial Practices in Fault Tolerant Control . . . . . . . . . . . . . . . . . . . Philippe Goupil 5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Aircraft Development Process - The V-Cycle . . . . . . . . . . . . . . . . . 5.3 Some ‘Golden Rules’ for Designing a Highly Dependable System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.4 Flight Control Computer Functional Specification . . . . . . . . . . . . . 5.5 System Validation and Verification . . . . . . . . . . . . . . . . . . . . . . . . . . 5.6 An Example of Monitoring: A380 Oscillatory Failure Case Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
XI
104 107 109 109 110 110 113 116 120 121 129 129 130 135 136 144 146 146 147 148 149 149 152 153 157 157 157 158 161 162 163 166 166
XII
Contents
Part II RECOVER: The Benchmark Challenge 6
7
RECOVER: A Benchmark for Integrated Fault Tolerant Flight Control Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hafid Smaili, Jan Breeman, Thomas Lombaerts, Diederick Joosten 6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.2 Flight 1862 Accident Reconstruction and Simulation . . . . . . . . . . 6.2.1 Sequence of Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.2.2 Analysis of Flight 1862 . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.2.3 Failure Mode Configuration . . . . . . . . . . . . . . . . . . . . . . . . 6.2.4 Flight Data Reconstruction and Simulation . . . . . . . . . . . 6.3 GARTEUR RECOVER Benchmark . . . . . . . . . . . . . . . . . . . . . . . . . 6.3.1 Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.3.2 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.3.3 Fault Scenarios Specification . . . . . . . . . . . . . . . . . . . . . . . 6.3.4 Graphical User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.3.5 Aircraft Visualisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.3.6 User Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.3.7 Aircraft Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.4 GARTEUR RECOVER Benchmark Applications . . . . . . . . . . . . . 6.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Assessment Criteria as Specifications for Reconfiguring Flight Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Thomas Lombaerts, Diederick Joosten, Hafid Smaili, Jan Breeman 7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2 Specification Modelling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2.1 General Evaluation Criteria . . . . . . . . . . . . . . . . . . . . . . . . 7.2.2 Test Manoeuvres for Qualification . . . . . . . . . . . . . . . . . . 7.3 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
171
171 172 173 176 180 181 194 194 197 200 206 209 210 212 218 219 220 223
223 224 225 227 239 243
Part III Design Methods and Benchmark Analysis 8
Fault Tolerant Control Using Sliding Modes with On-Line Control Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Halim Alwi, Christopher Edwards 8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.1 Sliding Mode Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.1.2 Sliding Mode Control and Control Allocation . . . . . . . . . 8.2 Controller Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.2.1 Problem Formulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.2.2 Design Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
247 247 247 248 249 249 254
Contents
XIII
8.3
254 256
Controller Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.3.1 Fault Tolerant Controller Design . . . . . . . . . . . . . . . . . . . . 8.3.2 Heading and Altitude Control and EPR Control Mixing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.3.3 ILS Landing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8.3.4 Fault Tolerant Control Simulation Results . . . . . . . . . . . . 8.4 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
An Adaptive Fault-Tolerant FCS for a Large Transport Aircraft . . . Adolfo Sollazzo, Gianfranco Morani, Andrea Giovannini 9.1 Fault-Tolerant FCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9.1.1 Adaptive Model-Following . . . . . . . . . . . . . . . . . . . . . . . . 9.1.2 The SCAS Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . 9.1.3 Limitations and Practical Solutions . . . . . . . . . . . . . . . . . . 9.2 The Classic A/P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9.3 Numerical Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9.4 Future Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10 Subspace Predictive Control Applied to Fault-Tolerant Control . . . . Redouane Hallouzi, Michel Verhaegen 10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10.2 Architecture of the Fault-Tolerant Control System . . . . . . . . . . . . . 10.2.1 Control Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10.2.2 Fault Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10.3 Closed-Loop Subspace Predictive Control . . . . . . . . . . . . . . . . . . . . 10.3.1 Closed-Loop Subspace Predictor (CLSP) . . . . . . . . . . . . . 10.3.2 Closed-Loop Subspace Predictor Integrated with a Predictive Control Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10.4 SPC (Re-)configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10.5 Simulation Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10.5.1 Trajectory Following for the Nominal Case . . . . . . . . . . . 10.5.2 Trajectory Following for Elevator Lock-in-Place . . . . . . 10.5.3 Trajectory Following for Rudder Runaway . . . . . . . . . . . 10.5.4 Trajectory Following for “Bijlmerramp” Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10.5.5 Discussion of the Simulation Results . . . . . . . . . . . . . . . . 10.6 Real-Time Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
260 261 264 270 270 273 273 274 277 279 280 280 287 289 290 293 293 295 295 296 297 297 301 303 305 306 307 309 310 312 313 315 315
XIV
Contents
11 Fault-Tolerant Control through a Synthesis of Model-Predictive Control and Nonlinear Inversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.A. Joosten, T.J.J. van den Boom, M. Verhaegen 11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Overall Control-Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2.1 Model Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2.2 Nonlinear Dynamic Inversion . . . . . . . . . . . . . . . . . . . . . . 11.2.3 Model Predictive Control . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2.4 Control Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.3 Modeling and Dynamic Inversion of the Benchmark Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4 Simulation Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.4.1 Reference Tracking: Stabiliser Runaway . . . . . . . . . . . . . 11.4.2 Right Turn and Localiser Intercept . . . . . . . . . . . . . . . . . . 11.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 A FTC Strategy for Safe Recovery against Trimmable Horizontal Stabilizer Failure with Guaranteed Nominal Performance . . . . . . . . J´erome Cieslak, David Henry, Ali Zolghadri 12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2 Nomenclature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.3 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.4 Model-Based FDI Schemes: Some Assumptions for an Integrated FDI/FTC Design Approach . . . . . . . . . . . . . . . . . . . . . . . 12.4.1 Analysis of the FTC Loop . . . . . . . . . . . . . . . . . . . . . . . . . 12.4.2 Some Outlines for the Design . . . . . . . . . . . . . . . . . . . . . . 12.4.3 The Case of an Observer-Based FDI Scheme . . . . . . . . . 12.5 Important Issues about Stability and Performance in Faulty Situations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.6 FM-AG16 FTC Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.6.1 Modelling the Aircraft Dynamics . . . . . . . . . . . . . . . . . . . 12.6.2 Modeling the Autoflight and FCS Systems . . . . . . . . . . . 12.6.3 Design of K(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.6.4 Nonlinear Simulation Results . . . . . . . . . . . . . . . . . . . . . . 12.7 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Appendix A: Bumpless Switching Scheme . . . . . . . . . . . . . . . . . . . . . . . . . ˆK + ˆ Appendix B: Computed Controller K(s) = CˆK (sI − AˆK )−1 B ˆ DK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
319 319 320 322 322 324 327 327 331 331 332 335 335 337 337 339 340 344 344 345 346 346 347 347 350 350 354 356 356 359 360
13 Flight Control Reconfiguration Based on Online Physical Model Identification and Nonlinear Dynamic Inversion . . . . . . . . . . . . . . . . . 363 Thomas Lombaerts, Ping Chu, Jan Albert (Bob) Mulder 13.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Contents
On Line Nonlinear Damaged Aircraft Model Identification: Two Step Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13.2.1 Aircraft State Estimation . . . . . . . . . . . . . . . . . . . . . . . . . . 13.2.2 Aerodynamic Model Identification . . . . . . . . . . . . . . . . . . 13.3 Real Time Aerodynamic Model Identification . . . . . . . . . . . . . . . . 13.4 Application on the Boeing 747 Simulator . . . . . . . . . . . . . . . . . . . . 13.4.1 Trim Horizontal Stabilizer (THS) Runaway . . . . . . . . . . . 13.4.2 Loss of the Vertical Tail . . . . . . . . . . . . . . . . . . . . . . . . . . . 13.4.3 Feedback of Aircraft Stability and Control Effector Information to the Pilot . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13.5 Trigger for Reconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13.6 Reconfiguring Control: Adaptive Nonlinear Dynamic Inversion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13.6.1 Autopilot Control: Assessment Criteria . . . . . . . . . . . . . . 13.7 Computational Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13.8 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13.9 Current and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
XV
13.2
14 A Combined Fault Detection, Identification and Reconfiguration System Based around Optimal Control Allocation . . . . . . . . . . . . . . . Nicholas Swain, Shadhanan Manickavasagar 14.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.1.1 Control Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.1.2 Fault Detection and Identification . . . . . . . . . . . . . . . . . . . 14.1.3 Software and Hardware Testing . . . . . . . . . . . . . . . . . . . . . 14.2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.3 Fault Tolerant Control System Overview . . . . . . . . . . . . . . . . . . . . . 14.3.1 Sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.3.2 Outer-Loop Controller/Autopilot . . . . . . . . . . . . . . . . . . . . 14.3.3 Non-linear Dynamic Inversion . . . . . . . . . . . . . . . . . . . . . . 14.3.4 Direct Control Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . 14.3.5 Aerodynamic FDI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.3.6 Actuator FDI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.3.7 Flight Envelope Protection . . . . . . . . . . . . . . . . . . . . . . . . . 14.4 Benchmark Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.4.1 Longitudinal Control Failure Test . . . . . . . . . . . . . . . . . . . 14.4.2 Lateral Control Failure Test . . . . . . . . . . . . . . . . . . . . . . . . 14.4.3 El-AL Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
364 366 368 371 372 373 373 375 376 377 382 395 395 396 396 399 399 399 402 403 403 405 405 406 406 407 411 414 416 418 418 419 420 421 422
XVI
Contents
15 Detection and Isolation of Actuator/Surface Faults for a Large Transport Aircraft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Andras Varga 15.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15.2 Design of Least Order Scalar Output Detectors . . . . . . . . . . . . . . . 15.3 Solving Fault Isolation Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . 15.4 Computational Aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15.5 Monitoring Actuator Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15.5.1 Component Level Monitoring . . . . . . . . . . . . . . . . . . . . . . 15.5.2 System Level Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 15.5.3 Pitch Axis Fault Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 15.5.4 Gear and Roll Axes Fault Monitoring . . . . . . . . . . . . . . . . 15.6 Summary of Achieved Results and Needs for Further Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
423 423 424 426 429 430 431 433 435 439 441 442
Part IV Real-Time Flight Simulator Assessment 16 Real-Time Assessment and Piloted Evaluation of Fault Tolerant Flight Control Designs in the SIMONA Research Flight Simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Olaf Stroosma, Thomas Lombaerts, Hafid Smaili, Mark Mulder 16.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.2 Evaluation Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.2.1 Experiment Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.2.2 Dependent Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.2.3 Participants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.2.4 Simulator Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.2.5 Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16.4 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Appendix 1: Failure mode test matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Appendix 2: Cooper Harper Handling Qualities Rating Scale . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Piloted Evaluation Results of a Nonlinear Dynamic Inversion Based Controller Using Online Physical Model Identification . . . . . . Thomas Lombaerts, Ping Chu, Hafid Smaili, Olaf Stroosma, Jan Albert (Bob) Mulder 17.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17.2 Fly-by-Wire ANDI Control Law Design . . . . . . . . . . . . . . . . . . . . . 17.3 Fly-by-Wire ANDI Control Law Evaluation . . . . . . . . . . . . . . . . . . 17.4 Analysis Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17.4.1 FTC and Pilot Performance Analysis Results: Time Histories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
451 451 453 453 455 457 457 463 468 471 472 474 475 477
477 478 479 481 481
Contents
XVII
17.4.2
Handling Qualities Analysis Results: CH Ratings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17.4.3 Pilot Workload Analysis Results . . . . . . . . . . . . . . . . . . . . 17.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Model Reference Sliding Mode FTC with SIMONA Simulator Evaluation: EL AL Flight 1862 Bijlmermeer Incident Scenario . . . . Halim Alwi, Christopher Edwards, Olaf Stroosma, Jan Albert (Bob) Mulder 18.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18.2 A Model Reference Sliding Mode Control Allocation Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18.3 Controller Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18.3.1 Lateral Controller Design . . . . . . . . . . . . . . . . . . . . . . . . . . 18.3.2 Longitudinal Controller Design . . . . . . . . . . . . . . . . . . . . . 18.4 SIMONA Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18.5 SIMONA Flight Simulator Results with Experienced Pilots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18.5.1 SMC Controller Evaluation . . . . . . . . . . . . . . . . . . . . . . . . 18.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
486 491 498 499 501
501 502 506 507 508 510 510 511 517 517
Part V Conclusions 19 Industrial Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Philippe Goupil, Andres Marcos 19.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19.2 Considerations for Commercial Aircraft - AIRBUS . . . . . . . . . . . . 19.2.1 Industrial Limitations and Constraints . . . . . . . . . . . . . . . 19.2.2 An Aircraft Manufacturer Perspective . . . . . . . . . . . . . . . 19.2.3 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19.3 Perspectives for Aerospace Applications - Deimos Space . . . . . . . 19.3.1 Context and Significance of the FM-AG16 for Space Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19.3.2 Assessment of the Techniques and Results . . . . . . . . . . . . 19.3.3 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
521 521 522 523 524 528 528 530 532 535 535
20 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537 Christopher Edwards, Thomas Lombaerts, Hafid Smaili 20.1 Summary of Achievements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537 20.2 Future Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538 Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
List of Contributors
Halim Alwi Control and Instrumentation Research Group, Department of Engineering, University of Leicester, University Road, Leicester, LE1 7RH, United Kingdom, e-mail:
[email protected] Jan Breeman National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam, The Netherlands, e-mail:
[email protected] Ping Chu Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft The Netherlands, e-mail:
[email protected] Jerome Cieslak IMS laboratory - Automatic control group - Bordeaux university, 351 cours de la liberation, 33405 Talence, France, e-mail: jerome.cieslak@ ims-bordeaux.fr
Christopher Edwards Control and Instrumentation Research Group, Department of Engineering, University of Leicester, University Road, Leicester, LE1 7RH, United Kingdom, e-mail:
[email protected] Andrea Giovannini Italian Aerospace Research Center - CIRA, Via Maiorise, 81043 Capua (CE), Italy, e-mail:
[email protected] Philippe Goupil Airbus France, EDYC-CC Flight Control Systems, 316 Route de Bayonne, 31060 Toulouse Cedex 09, e-mail:
[email protected] Redouane Hallouzi ReliaCon, Rotterdamseweg 145, 2628 AL Delft, The Netherlands, e-mail:
[email protected] David Henry IMS laboratory - Automatic control group - Bordeaux university,
XX
List of Contributors
351 cours de la liberation, 33405 Talence, France, e-mail:
[email protected]
Cambridge CB2 1PZ, United Kingdom, e-mail:
[email protected]
Colin Jones ETH Zurich, Automatic Control Laboratory, ETL I28, Physikstrasse 3, 8092 Zurich, Switzerland, e-mail:
[email protected]
Shadhanan Manickavasagar QinetiQ, Cody Technology Park, Farnborough, Hampshire, GU14 0LX, United Kingdom, e-mail:
[email protected]
Diederick Joosten Delft University of Technology, Delft Center for Systems and Control, Mekelweg 2, 2628 CD Delft, The Netherlands, e-mail:
[email protected]
Andres Marcos Advanced Projects Division, Simulation & Control Section, Deimos Space S.L., Ronda de Poniente 19, Edificio Fiteni VI, Madrid, 28760, Spain, e-mail: andres.marcos@ deimos-space.com
Stoyan Kanev ECN Wind Energy, P.O.Box 1, 1755ZG Petten, The Netherlands, e-mail:
[email protected]
Gianfranco Morani Italian Aerospace Research Center - CIRA, Via Maiorise, 81043 Capua (CE), Italy, e-mail:
[email protected]
Anthony A. Lambregts Advanced Control Systems, Federal Aviation Administration, Northwest Mountain Region, 1601 Lind Ave., SW, Renton, WA 98057, USA, e-mail:
[email protected]
Jan Albert (Bob) Mulder Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands, e-mail:
[email protected]
Thomas Lombaerts Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands, e-mail:
[email protected] Jan Maciejowski University of Cambridge, Engineering Department, Trumpington Street,
Mark Mulder Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands, e-mail:
[email protected] Ron Patton University of Hull, Department of Engineering, Cottingham Road, Hull HU6 7RX,
List of Contributors
XXI
United Kingdom, e-mail:
[email protected]
GU14 0LX, United Kingdom, e-mail:
[email protected]
Silvio Simani University of Ferrara, Department of Engineering, 1 Via Saragat, 44100 Ferrara, Italy, e-mail:
[email protected]
Ton van den Boom Delft University of Technology, Delft Center for Systems and Control, Mekelweg 2, 2628 CD Delft, The Netherlands, e-mail:
[email protected]
Hafid Smaili National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam, The Netherlands, e-mail:
[email protected] Adolfo Sollazzo Italian Aerospace Research Center - CIRA, Via Maiorise, 81043 Capua (CE), Italy, e-mail:
[email protected] Olaf Stroosma Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands, e-mail:
[email protected] Nicholas Swain QinetiQ, Cody Technology Park, Farnborough, Hampshire,
Andras Varga German Aerospace Center, DLR-Oberpfaffenhofen, Institute of Robotics and Mechatronics, Munchner Strasse 20, 82234 Wessling, Germany, e-mail:
[email protected] Michel Verhaegen Delft University of Technology, Delft Center for Systems and Control, Mekelweg 2, 2628 CD Delft, The Netherlands, e-mail:
[email protected] Ali Zolghadri IMS laboratory - Automatic control group - Bordeaux university, 351 cours de la liberation, 33405 Talence, France, e-mail:
[email protected]
XXII
Fig. 1 Delft University, April 2007
List of Contributors
Part I
Surviving the Improbable: Towards Resilient Aircraft Control
Chapter 1
Introduction Thomas Lombaerts, Hafid Smaili, and Jan Breeman
1.1 Towards More Resilient Flight Control Within the aviation community, especially for commercial transport aircraft design, all developments focus on ensuring and improving the required safety levels and reducing the risks that critical failures occur. Recent airliner accident and incident statistics (published in 2008), [8], show that about 16% of the accidents between 1993 and 2007 can be attributed to Loss of Control In-flight (LOC-I), caused by a piloting mistake (e.g. due to spatial disorientation), technical malfunctions or unusual upsets due to external disturbances. Loss of flight control is a subcategory of Loss of Control In-flight (LOC-I), where a technical malfunction is the initial event which causes control loss. LOC-I remains the second largest accident category after Controlled Flight Into Terrain (CFIT) which accounts for 23% of air accidents. However, a short term study for the year 2008 shows that loss of control comes at the top in the list of catastrophic accidents, according to the UK Civil Aviation Authority (UK-CAA). Data examined by the international aviation community shows that, in contrast to CFIT, the share of LOC-I occurrences is not significantly decreasing. Resilient flight control, or fault tolerant flight control (FTFC), allows improved survivability and recovery from adverse flight conditions induced by faults, damage Thomas Lombaerts Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Hafid Smaili National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam, The Netherlands e-mail:
[email protected] Jan Breeman National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 3–45. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
4
T. Lombaerts, H. Smaili, and J. Breeman
and associated upsets. This can be achieved by ‘intelligent’ utilisation of the control authority of the remaining control effectors in all axes consisting of the control surfaces and engines or a combination of both. In this technique, control strategies are applied to restore stability and manoeuvrability of the vehicle for continued safe operation and a survivable recovery. The aim of the GARTEUR Flight Mechanics Action Group FM-AG(16) on Fault Tolerant Flight Control, of which this book is the culmination, was to facilitate the proliferation of new developments in fault tolerant control design within the European aerospace research community in practical and real-time operational applications. This addresses the need to improve the resilience and safety of future aircraft and aiding the pilot to recover from adverse conditions induced by (multiple) system failures and damage that would otherwise be potentially catastrophic. Up until now, faults or damage on board aircraft have been accommodated by hardware design using duplex, triplex or even quadruplex redundancy of critical components. However, the approach of the research presented in this book is to focus on new control law design methods to accommodate (unanticipated) faults and/or damage that dramatically change the configuration of the aircraft. These methods take into account a unique combination of robustness, reconfiguration and (real-time) adaptation of the control laws.
1.2 History of Flight Control Systems, Source: [40] Shortly after the German aviation pioneer Otto Lilienthal (1848-1896) left the ground for the first time in his self-made glider from the Windmuhlenberg (windmill hill) of Derwitz (Germany) in the summer of 1891, the problem of flight in a heavier-than-air vehicle created a new challenge: namely that of controlled flight. The Wright Brothers stated in 1912 that no one else grasped the basics of human flight as clearly and thoroughly as Lilienthal did. Based on his basic understanding of the principles of the curved wing, enabling it to produce more lift, Otto Lilienthal realized during his numerous experimental flights that leaving the ground was easier than staying in the air. For controlling his flights, he invented the first means of lateral stabilization using a vertical rudder. Just before crashing to his death in 1896, he characterized the complexity and importance of aircraft flight control by stating:
Fig. 1.1 Otto Lilienthal (1848-1896) glider showing vertical tail for lateral stabilisation (1894), source: Otto Lilienthal Museum
To design one is nothing, to build one is easy, to fly one is everything.
Following the first successful motorised flight of the Wright Brothers in 1903, the first artificially controlled flight was demonstrated in 1914 by Lawrence Sperry (1892-1923), the third son of the gyrocompass co-inventor Elmer Ambrose Sperry, by flying his Curtiss-C-2 airplane hands-free in front of a speechless crowd. The
1
Introduction
5
Fig. 1.2 Commercial and military aircraft that include modern fly-by-wire technologies (Airbus A380, Dassault Falcon 7X, Eurofighter Typhoon, Joint Strike Fighter, Boeing 777), sources: Creative Commons Attribution License, Kevin Koske, Naddsy, Keta
autopilot, or as it was nicknamed Metal Mike, consisted of three gyroscopes and a magnetic compass both linked to the pneumatically operated flight control surfaces. The autopilot enabled stabilized flight by holding the pitch, roll and yaw attitudes constant while maintaining the compass course. During the next decades, Sperry and other engineers further improved the concept of automatic stabilized flight for aircraft stabilization to improve weapon targeting accuracy. By the 1950s, analog flight control computers allowed artificial modification of the aircrafts handling qualities on top of the basic stabilization functions of the autopilot. The Canadian Avro CF105 Arrow interceptor, which flew in 1958, and the inherently unstable Lockheed Martin F-16 fighter, which entered service in the late 1970s, were the first aircraft utilizing an analog flight control computer demonstrating impressive manoeuvering capabilities. On the civil front, the Aerospatiale-BAC Concorde supersonic transport (SST) made its first flight in 1969 equipped with a commercial version of an analog flight control system. In 1972, NASA performed flight experiments with a modified F-8C Crusader to investigate the potential of software controlled flight, instead of analog circuits, by means of digital fly-by-wire flight control (DFBW) technology. Allowing better and safer airplane manoeuvering and control while providing substantial cost reductions, DFBW technology as a full-time critical digital control system, was made commercial in 1987 with the first flight of the Airbus A320. Although, in 1982, the Airbus A310 and then the A300-600 flew with digital FBW technology on the spoilers, the A320 was the first commercial use of digital FBW on the primary control surfaces. During the evolution of aircraft flight control systems, several versions have been developed, dependent upon the moment in history and on the type of aircraft where they have been applied. In the following, three categories of aircraft flight control systems are described in more detail: • mechanical systems • mechanical-hydraulic systems • fly-by-wire systems
6
T. Lombaerts, H. Smaili, and J. Breeman
1.2.1 Mechanical [33], [35] The most elementary design of a flight control system is a mechanical one, consisting of cables, pulleys, capstans, levers and other mechanical devices. This kind of flight control system was used in early aircraft and is still used in current light aircraft, like the Cessna Skyhawk. Figure 1.3 illustrates a mechanical type of control system.
(a) roll, pitch and yaw channel of an early c BAE Systems, Reproduced military jet with permission
(b) roll channel of a transport aircraft
Fig. 1.3 Illustrations of mechanical flight control systems, source: ref. [37]
In larger aircraft, the control loads due to the aerodynamic forces acting on the control surfaces are too excessive for simple mechanical control. Therefore, two mechanical solutions have been developed. One option is to attempt to extract the maximum possible mechanical advantage through the levers and pulleys, however the maximum reduction in forces is limited by the inherent strength of the mechanical components in this system. One example of this type of application can be found in the Fokker 50. The alternative is to rely on so-called control tabs or servo tabs that provide aerodynamic assistance to reduce complexity. These are small surfaces hinged at the end of the control surfaces which reduce the required control force exerted by the pilot by exploiting the aerodynamic forces which act on the tabs themselves. The pilot controls are directly linked to these control tabs, and the aerodynamic force generated by the tab then in turn moves the main control surface itself. The Boeing 707 used the concept of control tabs in its flight control system.
1.2.2 Hydro-mechanical [33], [35] Due to the ever increasing size and flight envelopes of aircraft, mechanical flight control systems are not sufficient. Due to the increasing speed of the aircraft, it becomes more difficult to move the control surfaces as a result of high aerodynamic forces. This led to the application of hydraulic power. A hydro-mechanical control system consists of two parts: • a mechanical circuit, essentially the same as the mechanical flight control system • a hydraulic circuit
1
Introduction
7
Compared to the mechanical flight control system, the hydraulic part takes over the interface between the conventional mechanical circuit and the control surfaces. More precisely, the hydraulic system generates the forces for the actuators which move the aerodynamic surfaces, but it still receives its signals from the mechanical circuit which is steered by the pilot. The Boeing 727 and 737, Trident, Caravelle and the Airbus A300, used such a flight control system, including a mechanical backup, despite the fact that a total loss of the flight control system is extremely improbable. The Boeing 747 was the first aircraft in the Boeing series to have a fully powered actuation system, because the control forces required for any flight condition would have been too large to be generated by the pilot. The benefits of the hydro-mechanical flight control system compared to the purely mechanical one are the reduction in drag and the increase of control surface effectiveness due to the omission of the servo tabs. Moreover, the higher mechanical stiffness of the hydraulics leads to better flutter characteristics of the control surfaces. The main drawbacks of the hydro-mechanical control systems are its structural complexity and weight.
1.2.3 Fly-By-Wire Flight Control [33], [35], [34] In more recent civil airliners, military transport aircraft and especially military jets, the mechanical linkage between control column and control surface has been omitted and replaced by electrical wirings (hence the name fly-by-wire). All these wirings are connected to each other by means of the flight control computer (FCC). Figure 1.4 shows the situation for the General Dynamics F-16 Fighting Falcon aircraft. The computer sends electronic signals to all actuators, in this specific case flaperons and slats. Figure 1.5 shows the hierarchy of the wiring network for the Eurofighter Typhoon. The FCC bridges the gap between measurement signals (from the inertial measurement unit and the air data transducers) and pilot inputs (such as the pilot’s stick, pedal and throttle displacements) on one hand, and control surface actuators
Fig. 1.4 Illustration of the Fly-By-Wire principle on the F-16, source: ref. [23]
8
T. Lombaerts, H. Smaili, and J. Breeman
Fig. 1.5 Flight Control System architecture of the Eurofighter Typhoon, source: ref. [37] c BAE Systems, Reproduced with permission
(such as flaperons, rudder and canards) on the other. Based upon the pilot control inputs and the available measured signals, the computer calculates independently the required surface deflections and gives the appropriate commands to the servos. Note the quadruplex implemented FCC. This is the fail safety principle and the approach adopts a vote by majority principle. The same procedure is applied for the most essential components. The advent of Fly-By-Wire Flight Control With the invention of the computer it became possible to control an aircraft electronically. The major initial advantages of the fly-by-wire FCS is that there is no longer a complex and heavy mechanical linkage needed between the pilot and the hydraulic system. But it is also possible to control the aircraft more accurately, flight safety is enhanced, a safe flight envelope can be defined with so-called flight control law protection, and finally this setup offers greater flexibility for evolution and for implementations of improvements in the system. During the subsequent evolution of the fly-by-wire concept, additional advantages arose, such as increased flexibility in setting the flight control characteristics of an aircraft. Another important benefit of Fly-By-Wire Flight Controls is that they define identical handling characteristics for all members of an aircraft family, from the smallest twinjet to the long-range widebody jetliners. This commonality does not only apply for the normal flight envelope, but also under extreme emergency conditions. With such a computer-based flight control system, other major advantages are that its design and maintenance are much simpler, while significantly reducing aircraft weight. Both commercial and military aircraft are now being developed with fly-by-wire flight control systems. For military aircraft, the benefits include increased agility and reduced supersonic trim drag (in conjunction with reduced static stability) and carefree handling. For commercial aircraft, the benefits include lower weight (attributed to flight controls),
1
Introduction
9
lower maintenance costs as well as passenger comfort and carefree handling. In both categories, the provision of flight envelope protection is another important benefit of fly-by-wire flight control systems. How Fly-By-Wire Control works In contrast to mechanical and hydro-mechanical control systems, in a fly-by-wire system the pilot’s commands are fed into computers, which in turn route electrical signals along wires to the actuators driving the control surfaces. Sometimes there is a mechanical backup to keep the aircraft under manual control when control of the aircraft becomes impossible with the nominal flight control system (electricity loss, the loss of all flight control computers, etc.). The computers controlling the fly-by-wire system provide multiple backup or redundancy. In the Airbus A340 for example, there are five computers in all, and a single one can fly the plane. All five computers work together. If one fails, another automatically takes over. Moreover, each of the five fly-by-wire computers is composed of two independent units which are constantly monitoring each other. Furthermore, these computers are made by different manufacturers, using different software and components. They are also programmed by independent teams, using different computer languages. This means that it is virtually impossible for the same problem to affect all computers simultaneously. It should be noted that the number of computers and units etc. differs for other aircraft in the Airbus family and also the Boeing philosophy is significantly different. The Airbus fly-by-wire system operates according to three control laws: normal, alternate and direct. • The normal law applies when all systems are working correctly, or during a single failure of a computer or peripheral. It requires a high level of integrity and redundancy of the computers, the peripherals (i.e. sensors, actuators and servoloop), and the hydraulics. When operating in normal mode, a forward or backward movement of the sidestick corresponds to a vertical load factor command by the pilot. The computers translate this demand into a pitch change, immediately moving the aircraft’s nose up or down to the desired attitude. Once the sidestick is released, the aircraft will maintain this flight path until the next pilot input. Lateral control is similar to pitch control except that the pilot sets a roll rate command. Operation under normal laws provides flight envelope protection against excessive load factors, overspeed, stall, extreme pitch attitude and extreme bank angle. • The alternate law applies when at least two failures occur. Within the normal flight envelope, the handling characteristics under alternate control laws are the same as under normal laws, if the integrity and redundancy are not enough to achieve the normal law with its protections. Out of the normal flight envelope, the pilot must take proper preventive action to avoid loss of control or high speed excursions, just as he/she would on a non-protected aircraft, but this holds only for manoeuvres corresponding to the protection that is lost. • The direct law applies when more than two failures occur, if the alternate law can not be safely achieved. In the unlikely event of a multiple system failure,
10
T. Lombaerts, H. Smaili, and J. Breeman
direct control laws provide the same handling characteristics as a good-handling conventional aircraft, almost totally independently of configuration and centre of gravity. The sidestick and control surfaces move in a direct relationship to each other. Pitch trim is no longer automatic and must be manually controlled using the trim wheel. Flight Envelope Protection All aircraft have physical limits they must not exceed. For example, if the airspeed is too slow the aircraft may stall, if the speed is too high or a manoeuvre too violent, excessive loads can be generated, with the risk of damaging the structure. These limits define the flight envelope, not to be exceeded during normal operation. The fly-by-wire concept offers inherent flight envelope protection, which is an additional guarantee against crossing these limits. Thanks to this built-in protection, pilots can count on their aircraft providing maximum performance and safety under any circumstances. The flight envelope protection function also protects against wind shear. These are strong, sudden downdrafts that may occur during storms or even in clear weather, and have caused many accidents. With a flight envelope protection system, the pilot can utilize maximum climb performance, escaping wind shear and other conditions in complete safety. It also increases the aircraft’s agility. For example, the pilot can act much more quickly when he has to carry out a sudden avoidance manoeuvre, while keeping the aircraft under perfect control. Flight envelope protection does not limit the pilot’s options, but rather allows him to use the aircraft’s maximum safe performance capacity. At the same time, the system minimizes the risk of losing control of the aircraft or subjecting it to loads it was not designed to handle.
1.2.4 Fault Tolerant Control in Fly-By-Wire Systems, Sources: [40] In aviation, all developments focus on the improvement of safety levels and reducing the risks that critical failures occur, on all possible system levels. Although most civil transport fly-by-wire aircraft are fitted with a backup system, the basic FBW system integrity is considered as critical. In Boeing and Airbus aircraft, where a total loss of the FCS is already very improbable, and beyond the certification requirements, see [20] and [19], there is a mechanical or electrical back-up system. To further improve the levels of integrity, new aircraft configurations have a degree of redundancy in terms of controls, sensors and computing. Control effector redundancy means that there are more than the minimum required control effectors, or motivators, to control the pitch axis on one hand, and the combined roll/yaw axis on the other, although the full set of controls is required to satisfy the normal performance requirements. The combination of these features provides the opportunity to reconfigure the control system in the event of failures with the aim of increasing the survivability of the aircraft. As a result, the digital fly-by-wire flight control
1
Introduction
11
system is a safety driven design built to very stringent dependability requirements. These requirements ensure that the system will not generate erroneous or faulty signals compromising flight safety and that the system remains available even in faulty conditions. The certification requirements state that all potentially catastrophic failure scenarios should have a probability rate of less than 10−9 per flight hour and no single failure should be catastrophic. Potentially catastrophic failures include control surface runaways (elevator, rudder and horizontal stabiliser), loss of control in pitch, oscillatory failures at frequencies which are critical to the aircraft’s structure and insufficient lateral control during engine failures. Failure detection and reconfiguration is performed via self-tests, signal comparison and hardware and software redundancy. Self-tests are performed by the hardware equipment to prevent any undetected failures (latent failures) and to ensure that the probability of a failure remains low.
1.2.5 Airbus Philosophy, Sources: [22], [30] In Airbus aircraft, comparison of signals from both control and monitoring channels enables detection of failures in the case that one of the signals differs from the other above a certain threshold. The detection threshold should be sufficiently robust against sensor inaccuracies and system tolerances to prevent false alarms but tight enough to detect unwanted failures. Hardware reconfiguration in the Airbus family is performed at system level whereby for each function one computer operates in active mode, and the remaining computers are in standby Fig. 1.6 Hainan Airlines A340-642 c Thomas Lombaerts mode. When the active computer fails, one of B-6510, the standby computers changes to active mode and immediately takes over the function. This holds for example for servo-loops in the case of a duplex architecture. Flight control law reconfiguration is performed in the case when sensor information, processed by the control laws, becomes unavailable or no longer trustworthy (for example, one source failed, followed by a disagreement between the two remaining sources). This control law reconfiguration is also performed in the case of flight control surface or hydraulic circuit loss. In this situation, the flight control computer switches to alternate control laws providing less protection depending on the remaining sensory information and equipment. A FBW system architecture showing its redundancy components and reconfiguration scheme (Airbus A340 [13], [30], [22]) is illustrated in fig. 1.7. Moreover, the flight control computer (FCC) architecture is a so-called COM/MON architecture where the fail-safe computers consist of a control and monitoring channel, ensuring the permanent monitoring of all the FCS components. The control channel executes the relevant function (e.g. a pilot command to a surface) while the monitoring channel
12
T. Lombaerts, H. Smaili, and J. Breeman
Fig. 1.7 Modern fly-by-wire system architecture including redundancy components and reconfiguration scheme (A340), source: [30]
guards against any faults in the control channel and ensures permanent monitoring of all the components in the flight control system (sensors, actuators, other computers, etc. ...). The monitoring (MON) channel is designed to detect failure cases and to trigger reconfiguration by pointing out the failure detection to the command (COM) channel and to the other computers. Fault mitigation is achieved by means of redundancy and software and hardware dissimilarities. In the case of the Airbus A340, the redundancy components include five FBW computers and three power sources for surface actuation. Dissimilarity is achieved through the use of two completely different types of computers and two independently developed software packages designed by different teams. It should be noted that these numbers vary for other aircraft as well as for other manufacturers. Reconfiguration, for instance in pitch, consists of switching from the Primary computer (P1) to the second Primary computer (P2). In this situation, elevator actuation switches from the green system for both elevators to the blue system for the left elevator and the yellow system for the right elevator. Following a possible failure of P2, reconfiguration can be performed up to the second Secondary computer (S2).
1.2.6 Boeing Philosophy, Sources: [24], [42] A completely different fault tolerance approach has been adopted by Boeing in the Boeing 777 for example. The heart of its FBW concept is the use of triple redundancy for all hardware resources, varying from the computing system through
1
Introduction
13
electric and hydraulic power to the communication path. The 777 FBW design philosophy for safety considers the following constraints: 1. Common mode/common area faults: by designing the systems to both component and functional separation requirements. 2. Separation of FBW (line replaceable unit LRU) components: isolation and separation of redundant flight control elements to the greatest extent possible in order to minimize the possibility of loss of function. 3. FBW functional separation: allocation of electrical power to the primary flight computer (PFC) and the actuator control electronics (ACE) LRUs to provide maximum physical and electrical separation between the flight control electrical buses. The ACE functional actuator control is distributed to maximize controllability in all axes after loss of function of any ACE or supporting subsystem. The hydraulic systems are also aligned with the actuator functions to provide maximum controllability after the loss of hydraulics in one or two systems. 4. Dissimilarity: various combinations of dissimilar hardware, different component manufacturers, dissimilar control/monitor functions, different hardware and software design teams, and different compilers are considered at the level of PFCs, ACEs, inertial data, the Autopilot Flight Director Computer (AFDC) and ARINC bus. 5. The FBW effect on the structure: FBW component failures can result in oscillatory or hardover control surface motion. Structural requirements are analyzed and apportioned to all FBW components. (This constraint is a safety consideration in the Airbus philosophy too.) The system is designed to provide uninterrupted control following any two failures. Although the flight control function is necessary for safe flight and landing of the aircraft, the system includes a direct backup mode that allows the pilot to electrically position flight control surfaces without using the flight control computers. The flight control computers are configured as a Triple Modular Redundancy (TMR) system. Because of concerns about generic hardware or software failures, Fig. 1.8 KLM Boeing 777-206/ER each of the three computers is itself a TMR c PH-BQD, Tommy Desmet, via airunit. These TMR computers use three inter- liners.net nal channels that use different processor hardware from different manufacturers. Within each TMR computer, the choice of which output is to be the output of the computer is determined using the so-called principle of median value select. Each PFC lane operates in two roles: a command role or monitor role. Only one lane in each channel is allowed to be in the command role. The command lane will send the proposed surface commands, its own, together with those received from two other PFC channels, to its ARINC 629 bus. The hardware device residing in the
14
T. Lombaerts, H. Smaili, and J. Breeman
Fig. 1.9 Boeing 777 PFC Lane Redundancy Management (Output Signal Monitoring), source: [42]
PFC lane will perform a median select of these three inputs of each variable. The output of the median select hardware is sent in the same wordstring as the ‘selected’ surface commands. The PFC lanes in the monitor role perform a ‘selected output’ monitoring of their command lane. The PFC command lane, meanwhile, performs ‘selected output’ monitoring of the other two PFC channels. The median value select provides fault blocking against PFC faults until the completion of the fault detection and identification and reconfiguration via PFC cross-lane monitoring. Should any of the three dissimilar processors produce an output different from the other two, it will not be selected. The three dissimilar processors are kept tightly synchronized and receive bit identical input data from the system data buses. The three channels of computers at the next level of TMR are also kept in synchronization and exchange data to keep state data consistent between the channels. The 777 actuators rely on the vote by majority principle.
1.2.7 Short Case Study of Other Fault Tolerant Systems, Source: [24] Many fault-tolerant control systems have been produced and used successfully for other aerospace applications. The following is a brief survey of a few of these other systems with a discussion of the requirements they satisfy and the design approach that was used. The systems described were selected based on the availability of information and the personal experience of the author of ref. [24]. These are believed
1
Introduction
15
to be representative of the many excellent systems in use. Table 1.1 is a summary of the systems surveyed and captures the primary attributes of these systems. F-16 Analog Fly-by-Wire Flight Control [1] Early production F-16A/B aircraft used an analog electronic FBW flight control system. From Block 25 F-16C/D onward, a digital system has been used. The F-16 is an inherent unstable aircraft that requires continuous stability augmentation. In case of problems with the flight control system, the F-16 aircraft can fail catastrophically. The system was designed to deal with two failures. The analog FBW used a quadredundant N-fold Modular Redundancy (NMR) Fig. 1.10 Belgian Air Component Fcomputer architecture with approximate con- 16AM FA-126, Dirk c Voortmans, sensus Middle Value Selection (MVS) electron- via Airliners.net ics to determine which computers’ signals are transmitted to the flight control actuators. The hydraulic actuators include voting to reject possible faulty outputs from any computer MVS or its servo amplifier. Both the computer MVS electronics and the hydraulic actuators make use of fault down logic to disengage a known, faulty signal. The analog computers use MVS on the sensor inputs to provide the same inputs to the redundant computers. Analog control integrators, the only state data involved, are held in agreement between the redundant channels by means of cross-connecting signals. The design uses neither design diversity (identical hardware) nor software. F-16 Digital Fly-by-Wire Flight Control [10] Experience with a triplex digital system on the AFTI/F-16 gave General Dynamics the confidence to abandon the proven analog FBW system of the earlier Fighting Falcon and adopt the quadruplex digital FBW system for the Block 25 and beyond F-16C/D. This choice resulted in capability and integration advantages with other Fig. 1.11 AFTI/F-16, source: NASA Multimedia Gallery aircraft systems, e.g. displays via 1553 buses. The quad-redundant analog NMR computers used in earlier production F-16A/Bs were replaced by quad-redundant digital computers. These digital computers also include simple analog backups in each computer to protect against generic hardware or software design error failures. Digital data exchange is used between computers for various reasons, namely to mechanize computer output voting, to ensure identical inputs, to keep the computers synchronized, and to maintain consistent state data.
16
T. Lombaerts, H. Smaili, and J. Breeman
Table 1.1 Survey of typical in-service fault-tolerant systems, source: ref. [24] Application Vehicle & System Type Military F-16 FBW Aircraft flight control, analog
Military Aircraft
F-16 FBW flight control, digital
Impact of Impact of Fault-Tolerant System Description Loss of MalfuncFunction tion loss of loss of 4-channel analog computer NMR idenaircraft aircraft tical hardware, approx. agreement MVS control control computer selection, MVS on computer inputs, voting hydraulic actuators, analog integrator states held consistent loss of loss of 4-channel digital computer NMR idenaircraft aircraft tical hardware and software, simple control control analog backup control, voted computer selection, voted computer inputs, voting hydraulic actuators, digital state data exchanged and kept consistent shutdown mechanical Dual standby system engine, overspeed land using protection, one engine shutdown engine
Commercial B-757, Aircraft Pratt & Whitney PW2037 jet engine control Manned Space loss of loss of 4-channel NMR, identical hardware Space Shuttle vehicle and vehicle and and software, 5th channel backup using crew crew same hardware but dissimilar software, identical inputs by data bus monitoring, computer outputs compared for crew annunciation only, computer selection by external voters (hydraulic voting actuators, pyro fire electronic discrete voting), exchange and vote of some state data Commercial B-777, Limp home potentially Two separate units, one for pilot and aircraft AIMS on backup hazardous one for copilot displays, each unit uses instruments faulty 3 sets of selfchecking dual processors, display Arinc-659 Safebus to distribute identidata cal inputs, select output from a healthy pair, exchange state data, identical hardware and software in all processing pairs Unmanned Inertial destruction destruction Dual self-checking pair processing, no space upper of vehicle of vehicle dissimilar hardware or software, both stage, flight by range by range pairs must send same critical actuation controller safety safety signals Manned X-33 destruction destruction TMR 3 identical COTS hardware and space Ex- Reusable of vehicle of vehicle software channels, RMS provides same perimental Launch by range by range inputs by exchange and MVS, voting of Vehicle safety safety outputs and some state data, dual actuation, transient fault recovery Manned X-38 Crew loss of ve- loss of ve- NMR 4 identical hardware and softspace Ex- Return Ve- hicle hicle ware channels, identical inputs by experimental hicle change and voting, voting of outputs transient fault and state data recovery, any 2 FCCs can control single fault tolerant actuation.
1
Introduction
17
Pratt and Whitney PW2037 Electronic Engine Control [29] The PW2037 was the first production commercial jet engine to use a Full-Authority Digital Electronic Control (FADEC) system with no mechanical backup control. It was introduced on the Boeing 757 civil airliner and remains representative of state of the art commercial engine controls. Because all commercial transport aircraft have at least two engines, loss of thrust from one engine is not catastrophic. An Fig. 1.12 Pratt & Whitney PW2037, engine control malfunction leading to a poten- source: Pratt & Whitney tially catastrophic engine overspeed is mitigated by mechanical overspeed protection. Because of this, electronic engine controls are capable of meeting FAA safety requirements using a dual standby system. In the worst case scenario, an engine control failure not detected by BIT (Built-In-Test) will trip the overspeed protection, resulting in the shutdown and loss of thrust from one engine only. Also this set-up does not rely on hardware design diversity. The risk of a common design error affecting both channels of one engine or all engines on the aircraft is addressed through exhaustive testing. Boeing 777 Airplane Information Management Systems (AIMS) [18] The B-777 AIMS system is used to command all cockpit displays and to interact with the crew via keyboards to provide flight management functions. Total loss of cockpit displays, a system loss of function, is potentially hazardous, particularly in adverse weather, but is not by itself a catastrophic event. A malfunction resulting in erroneous display information to the crew is possibly a greater hazard, which is mitigated somewhat by requiring that pilot and copilot displays are driven by different sources, allowing the crew to detect faulty display data by proper cross-checking. In addition to requiring fault tolerance for safety, airline operators of transport aircraft desire systems that can be operated safely with known failures until repairs can be made without interruption to revenue-generating aircraft service. For this purpose, the so-called Minimum Equipment List (MEL) has been defined, which is specific for every aircraft and type of operation, and approved by the appropriate authority. The AIMS is required to fail operationally only after two failures and must provide very robust protection against malfunctions that would produce erroneous crew displays. AIMS uses a triple, self-checking pair architecture. The complete system actually consists of two separate triple self-checking units in separate cabinets, separately driving the pilot’s and copilot’s displays. This allows the flight crew to manually compare displays. The AIMS uses the same hardware and software in both systems and in all self-checking pairs, so they do not provide dissimilarity for protection against a generic software error. A unique type of backplane bus, the
18
T. Lombaerts, H. Smaili, and J. Breeman
Arinc-659 ‘Safebus’, is used to mechanize switchover between the redundant selfchecking pairs and to provide a robust method for transferring state data between the processor pairs. Switchover to backup occurs when the backup processor pair detects that the primary processor pair has failed to transmit its data on the Safebus. US Space Shuttle FBW Flight Control [25] Together with the McDonnell Douglas F/A-18 Hornet, the Space Shuttle was one of the first digital FBW flight control systems and remains a representative example of today’s systems. The Space Shuttle is a very demanding control problem throughout an extensive flight envelope, requiring a single system that provides uninterrupted control of a space launch vehicle, control of an orbiting spacecraft, and both space and atmospheric flight control during the return to Earth. The shuttle uses a four-channel NMR approach, with a fifth computer used as a backup system. The fifth computer uses no hardware design diversity compared to the other four, but is programmed with dissimilar software. The fifth channel can be engaged manually by the crew in case the primary system fails, but this has never been necessary during the hundred or so Shuttle flights to date. The Shuttle operates the four primary computers as a redundant set, providing them with identical input data by monitoring the same data buses and holding the computers in close synchronization. The computers are programmed with the same software and should produce the same outputs. No attempt is made by the computers to select the correct output, but instead, these redundant outputs are transmitted to external voting devices. On one hand, these external voters include voting hydraulic Fig. 1.13 Space Shuttle, source: actuators for control surfaces and thrust vector NASA Multimedia Gallery control. On the other hand, there are electronic discrete command voters that control pyrotechnic ignition of the Shuttles engines and the separation of the solid rockets and the external tank. The redundant computers do exchange and compare outputs in order to alert the crew if a computer is producing a different output from the others. The crew may then choose to remove power from a faulty computer to configure the system to operate following additional failures. In fact, this is a manual fault down. Boeing Inertial Upper Stage (IUS) Guidance and Control System [12] The IUS is an example of a typical high-value unmanned space launch vehicle guidance and control system. This IUS has been used to launch the spacecraft Ulysses, Galileo and Magellan in the right orbit for interplanetary missions
1
Introduction
after they have been brought to space in the cargo bay of the Space Shuttle. Space launch vehicles must provide a high level of reliability to be economical and must not malfunction in a manner that endangers human safety or property. In the event of a malfunction, ground crews can monitor the vehicle and command destruction thanks to the incorporation of a vehicle self-destruct system and range safety systems. The control system for the IUS uses four processors configured as a dual self-checking pair. The switchover from the primary processor pair to the backup pair will occur if there is disagreement between the processor pairs. A form of electronic voting is used for critical pyrotechnic signals, requiring both processor pairs produce the same command to these actuators.
19
Fig. 1.14 Boeing Inertial Upper Stage (IUS), source: Boeing Multimedia Gallery
X-33 Reusable Launch Vehicle Control System [11] The X-33 program was a technology demonstrator for the next generation of single stage to orbit reusable launch vehicles. This prototype was unmanned. Thus, a control system failure would have primarily economic consequences. A TMR (Triple Modular Redundancy) fault-tolerant computer with dual standby actuation was selected to guarantee a high probability of successfully completing a series of sub-orbital test flights. The system used commercial-off-the-shelf (COTS) computers with custom Redundancy Management System (RMS) hardware and software to form the TMR fault-tolerant Fig. 1.15 X-33 Reusable computer. It was planned to expand from TMR to quad Launch Vehicle, source: NMR and to increase the level of actuation redundancy NASA Multimedia Gallery for the manned, operational system, for which even higher safety requirements would be imposed, however budget cuts and technical troubles have led to the cancellation of these plans. The TMR computers used MVS to vote outputs, maintain identical inputs, and to maintain consistent state data. Voting was selectively applied to some, but not to all data, to minimize the data exchange and voting required. The TMR computers were designed in order to fault down to a self-checking pair after one persistent failure. The system was designed to recover the use of a computer that had experienced a transient fault. The COTS computers and the software that runs on them are identical: no dissimilarity was used to protect from generic design errors. X-38 Prototype Crew Return Vehicle (CRV) Control System [2] The X-38 program was an unmanned technology demonstrator for a re-entry vehicle that would be used for emergency return from the International Space Station.
20
T. Lombaerts, H. Smaili, and J. Breeman
However, budget cuts have led to the cancellation of this development program after a few unmanned demonstrator test flights. The demonstration system was required to operate following any two Flight Control Computer (FCC) failures and following any one non-computer failure. A four channel NMR FCC with dual standby actuation was selected to meet these requirements. Sensors and actuators were connected to the FCCs such that Fig. 1.16 X-38 Prototype any two operating FCCs can control the vehicle. The Crew Return Vehicle, FCCs were COTS computers and were interconnected source: NASA Multimedia Gallery by special network element hardware and fault tolerant systems serviced software to form a Fault Tolerant Parallel Processor (FTPP). The FTPP was designed to provide resilience to Byzantine failures. A Byzantine fault is an arbitrary fault that occurs during the execution of an algorithm by a distributed system. It encompasses those faults that are commonly referred to as ‘crash failures’ and ‘send and omission failures’. When a Byzantine failure has occurred, the system may respond in any unpredictable way, unless it is designed to have Byzantine fault tolerance. These arbitrary failures may be loosely divided into three categories, namely a failure to take another step in the algorithm (crash failure), a failure to correctly execute a step of the algorithm, and arbitrary execution of a step other than the one indicated by the algorithm. The FTPP was also designed to discriminate between transient and permanent faults, allowing recovery of an FCC that had a transient fault. The COTS computers and the software that ran on them were identical, no dissimilarity was used to protect from generic design errors.
1.2.8 A Final Note on Fault Tolerance Properties Incorporated in Current Fly by Wire Flight Control Systems Based upon this information, it is clear that up to now, faults or damage on board an aircraft like computer failures, power/hydraulic failures, engine failures, linkage breaks and sensor failures, have been accommodated by hardware design. Critical components (flight control computers, actuators and sensors) have been implemented duplex, triplex or even quadruplex redundantly. Additionally, one can choose distributed systems and alternate controls or sensors. As a consequence, today’s research efforts are gradually shifting from correcting additive failures (sensors and actuators) towards dealing with parametric failures (major structural and engine failures). The approach discussed in this book is to focus on control law design such that more severe kinds of faults and/or damage, like aerodynamic changes (damage), control surface damage and actuator failures can be tackled. This can be done by means of robustness, reconfiguration and adaptation of the control laws. This method of control law design is motivated by a survey of recent LOC-I
1
Introduction
21
accident cases in which the control and performance capabilities of the aircraft were compromised due to the failure of one or more critical systems and structural damage.
1.3 Rationale of Damage Tolerant Control - Aircraft Accident Survey Recent flight control research activities are currently exploring the potential benefits of fault tolerant flight control (FTFC) techniques, in particular the mitigation of (severe) damage to the aircraft and its systems using reconfiguration methods. The reason for this is the observation that a considerable number of aircraft accidents over the last thirty years could possibly have been prevented in one way or another if considered from an aeronautical-technical point of view. A reconfigurable flight control system might have prevented the loss of two Boeing 737s due to rudder actuator hard overs and of a Boeing 767 due to inadvertent asymmetric thrust reverser deployment. The 1989 Sioux City DC-10 incident is an example of the crew performing their own reconfiguration using asymmetric thrust from the two remaining engines to maintain limited control in the presence of total hydraulic system failure. The crash of a Boeing 747 freighter in 1992 near Amsterdam, the Netherlands, following the separation of the two right-wing engines was potentially survivable given adequate knowledge about the remaining aerodynamic capabilities of the damaged aircraft. New forms of threat within the aviation community have recently come into play from deliberate hostile attacks on both commercial and military aircraft. A surface-to-air missile (SAM) attack has recently been demonstrated to be survivable by the crew of an Airbus A300B4 freighter performing a successful emergency landing at Baghdad International Airport after suffering from complete hydraulic system failures and severe structural wing damage. Apart from system failures and hostile actions against commercial and military aircraft, recent incident cases also show the destructive impact of hazardous atmospheric weather conditions on the structural integrity of the aircraft. In some cases, clear air turbulence (CAT) has resulted in aircraft incurring substantial structural damage and loss of engines. An increasing number of measures are currently being taken by the international aviation community to prevent LOC-I accidents due to failures, damage and upsets for which the pilot was not able to recover successfully despite available performance and control capabilities. This not only includes improvements in procedures training and human factors, but also finding measures to better mitigate system failures and increase aircraft survivability in the case of an accident or degraded flight conditions. Six recent airliner LOC-I accidents will be described in detail which demonstrate that better situational awareness or guidance would have recovered the impaired aircraft and improved survivability if unconventional control strategies were used. In some of the cases described, the crew was able to adapt to the unknown degraded flying qualities by applying control strategies (e.g. using the engine effectors to achieve stability and control augmentation) that are not part of any standard airline training curriculum. A selection of the accident cases as described
22
T. Lombaerts, H. Smaili, and J. Breeman
in this chapter formed the basis for the reconstruction of realistic and validated aircraft accident scenarios as part of the FM-AG(16) simulation benchmark. This was partly based on available flight data of the accident cases, simulation models and results from earlier studies. Although the accident survey in this chapter shows that the aircraft propulsion system can be used as the only effective means of controlling and landing a damaged aircraft when the complete flight control system is lost, within FM-AG(16) this control strategy has not been investigated (despite having evaluated some control options using differential thrust for stabilisation). This is mainly due to the additional design requirements on engine performance (e.g. response time) and health monitoring to allow them to be used as an integrated part of the flight control system. This subject is currently the topic of other proposed research initiatives in the area of damage tolerant flight control [7]. The majority of documentation and supporting graphics of the aircraft accidents cases, described in this chapter, are based on reference [27]. Selected graphics and diagrams used in this book have been reproduced from the original artwork created by Matthew Tesch for the Air Disaster series of books published by the-then Aerospace Publications (Canberra) and appear here by kind permission of the artist and the publisher. To distinguish these from other graphic material used in this document, the shorter acknowledgement (MT/AA) appears at the end of each caption.
1.3.1 American Airlines Flight AA191, Source: [27] On May 25 1979, the American Airlines widebody DC-10-10, registered N110AA, was preparing at Chicago O’Hare International Airport for departure with 271 people aboard on the transcontinental flight AA191 to Los Angeles, California. At the start on the runway, the DC-10’s acceleration and takeoff roll seemed perfectly normal at a flap setting of 10 degrees and left rudder with right aileron use as compensation for the right crosswind. But at 6000 Fig. 1.17 AA DC-10-10 N110AA, c Fischdick feet down the runway, just before rotating Werner into the takeoff attitude, pieces of the port (No 1) engine pylon fell away from the aircraft, and white vapour began to stream from the mounting. A moment later, during the rotation itself, the entire No 1 engine and pylon tore themselves loose from the aircraft, flew up over the top of the wing, and smashed back onto the runway behind the still accelerating DC-10 as it lifted into the air. The aircraft’s port wing had dropped slightly as the DC-10 lifted off, but this was quickly picked up by application of aileron and rudder and the DC-10 continued to climb out with its wings level while accelerating to a maximum speed of 172 knots. The nose up attitude of about 14 ◦ , as well as the aircraft’s heading, appeared stable with the right aileron and right rudder being used
1
Introduction
23
Fig. 1.18 Main developments in the DC-10’s disastrous takeoff, from engine separation to impact, (MT/AA)
to maintain equilibrium and it seemed that, despite the loss of its port engine, the DC-10 was responding well to control. But 10 seconds later, when the DC-10 had climbed to about 300 feet, the speed decreased to 159 knots and it began to roll to the left at an increasing rate, despite the crew’s application of right aileron. The roll quickly steepened alarmingly, even though increasing amounts of opposite rudder and aileron were being applied, and it began yawing to the left as well. Simultaneously, the nose lowered and the aircraft began to loose height, despite increasing the up elevator. At the same time, the bank increased still further. Finally, the DC-10’s wings were past the vertical in a 112 degree left roll and a 21 degree nosedown attitude, with full opposite aileron and rudder, and almost full up elevator being applied. At this point the wingtip struck the ground, pivoting the DC-10 into the ground, nose first, with enormous impact. The aircraft exploded in an enormous flash of flames and a cloud of black smoke. The DC-10 had been airborne for only 31 seconds, and none of the occupants survived. The trajectory of this ill-fated flight is illustrated in fig. 1.18. During the subsequent investigation by the National Transportation Safety Board NTSB, two key questions dominated the investigators’ minds: What had caused the engine pylon to break away so unexpectedly from the aircraft’s wing under perfectly normal operating conditions? And why had this led to such a complete loss of control? In theory, the DC-10 should certainly have been aerodynamically capable of climbing away successfully after the physical loss of the engine, and returning for
24
T. Lombaerts, H. Smaili, and J. Breeman
a safe landing. The overall investigation therefore concentrated primarily on two major areas: 1. Identifying the structural failure which led to the engine-pylon separation and determining its cause; 2. Determining the effects of the structural failure on the aircraft’s performance and systems, and identifying what led to the loss of control. The following observations in these areas were made during the analysis: 1. The analysis of the pylon structural failure revealed that fractures in the upper flange of the pylon rear bulkhead at the joint between the pylon and wing resulted in this structural failure. Moreover, a subsequent fleetwide grounding and inspection of all US registered DC-10’s revealed that in total six other American Airlines and Continental aircraft had similar fractures. All six had been subjected to the same maintenance procedures, involving removal and reinstallation of the engines and pylons. Both airlines had individually devised a procedure which they believed to be more efficient than that one recommended by the manufacturer, involving the removal of the engine and pylon as a single unit instead of removing the engines from the pylons before the pylons are removed from the wing. Altogether the evidence was compelling that the cracks in the rear bulkhead upper flanges were being introduced as a result of these irregular maintenance practices, which were unauthorized by the manufacturer as well as the FAA. 2. During the wreckage analysis, it was found that a three metre section of the port wing’s leading edge, just forward of the join between the No 1 engine pylon and the wing, was torn away with the pylon, severing the hydraulic system’s lines for the port wing’s outboard slats. Thirty five of the 36 leading edge slat tracks were subsequently examined, disclosing that, at impact, the port wing’s outboard slats were retracted, while its inboard slats, together with the starboard wing’s inboard and outboard slats, were in an extended position, as illustrated in fig. 1.19. This retraction of the port wing’s outboard slats was caused by the combination of a lack of hydraulic pressure and the air loads. This retraction was critical since it had a profound effect on the aerodynamic performance and controllability of the aircraft. The lift on the port wing was reduced and its stalling speed increased to 159 knots. Since the aircraft’s speed reduced to 159 knots during the 14◦ pitch attitude climb1 , the port wing stalled and the roll to the left was initiated. With the loss of engine No 1, all other accessories driven by this engine were lost, namely the pressure pumps of hydraulic system No 1 and the No 1 AC generator2 . The separation also severed electrical wiring, resulting in the loss of power to the captain’s instrument panel, the slat disagreement warning system, stall warning system and its stick-shaker function. This implied that there was little or 1 2
In accordance with the airline’s prescribed engine failure procedures. These accessories would have remained operational when an engine ceased to operate, but these were severed in this situation because of the physical separation of the engine from the aircraft and the damage to the hydraulic power and other lines.
1
Introduction
(a) Artist impression of the damaged aircraft during its 31 second flight, note the retracted outboard slats on the port wing, (MT/AA)
25
(b) Picture of the damaged aircraft just before impact, source: [3]
(c) Picture of the damaged aircraft just after impact, source: airdisasters.com
Fig. 1.19 Drawings and pictures of heavy damage to AA DC-10-10 N110AA
no warning to the pilot of the onset of the stall on the outboard section of the port wing. The loss of control of the DC-10 was thus the result of a combination of three events: the retraction of the port wing’s outboard leading edge slats, the loss of the slat disagreement warning system, and the loss of the stall warning system. All were consequences of the separation of the engine and pylon assembly. Each on its own would not have resulted in the crew losing control. But together, during a highly critical phase of flight, they posed a problem that gave the crew insufficient time to recognize and correct. The National Transportation Safety Board finally determined the cause of the accident to be the asymmetric stall and ensuing roll of the aircraft because of the retraction of the port wing outboard leading edge slats, and the loss of stall warning and slat disagreement indicator systems resulting from the separation of the No 1 engine and pylon assembly, at a critical point during takeoff. The separation resulted from damage inflicted by improper maintenance procedures which led to the failure of the pylon structure. Contributing to the cause were: • The vulnerability of pylon attachment points to maintenance damage and of the leading edge slat system to the damage which produced asymmetry; • Deficiencies in the FAA’s surveillance and reporting systems in failing to detect improper maintenance procedures; • Deficiencies in communication between the aircraft operators, the manufacturer and the FAA in failing to disseminate details of previous maintenance damage; • The inadequacy of prescribed engine failure crew procedures to cope with unique emergencies. Post accident analysis has indicated that the pilot had about 15 seconds to react to the failure before control was completely lost. If corrective action had been taken, the plane could have been saved [26]. Obviously, under such emergency conditions, an automatic fault-tolerant control system could have been extremely useful to assist
26
T. Lombaerts, H. Smaili, and J. Breeman
the pilots, and on-line generated diagnostic information could have been useful to recover the plane. However, it should be noted that once the pilot let the speed decrease to V2, the angle of attack of the affected left wing exceeded its stall limit thus causing a non recoverable loss of control. It is important to realize that the main contribution fault tolerant control could most probably provide in this situation, was to improve the reaction time of the pilot to recover and stabilize the aircraft and to prevent the speed to decay by taking into account the minimum speed limit. Once the stall limit was exceeded, fault tolerant control could not recover from this fatal condition anymore as there would not be enough control authority by the remaining effectors to recover from the loss of control. From an operational standpoint, a too low airspeed combined with a very low altitude leads to a lack of sufficient energy to escape from this catastrophic situation.
1.3.2 Japan Airlines Flight JL123, Source: [27] On August 12 1985, the Japan Airlines short range Boeing 747SR with registration JA8119 departed as domestic flight JL123 from Tokyo Haneda towards Osaka. Despite the usual meticulous maintenance, an ill-accomplished fuselage repair more than seven years before was in effect a time bomb which unfortunately went off during this flight. The repair was necessary because of a tail strike at a landing performed by the aircraft at Osaka in 1978. The damage required repair to the aft fuselage and Fig. 1.20 JAL B747SR JA8119, c Fischdick Collection even the rear pressure bulkhead, which sus- Werner tained heavy damage from the impact on
(a) Illustration of explosive decompression, (MT/AA, with acknowledgement to Flight International/John Marsden & Time magazine/Joe Lertola)
(b) Picture of crippled tailless aircraft
Fig. 1.21 Illustrations of heavy damage to JAL Boeing 747 JA8119, (MT/AA)
1
Introduction
27
Fig. 1.22 Trajectory of flight JL123, (MT/AA)
the fuselage hull. Unfortunately, the repair work on the bulkhead involved rivet numbers and placement which was not optimized for long term fatigue, as explained in [27]. The repaired pressure dome held for seven years. Unfortunately, on flight JL123 the repaired dome joint broke and resulted in an explosive decompression, as illustrated by fig. 21(a). The volume of air escaping violently from the passenger cabin through the ruptured bulkhead, the failure of which in itself did not destroy the aircraft, had the same impact on the tailcone and tail surfaces as an explosion. Almost the complete vertical fin was blown off, together with components of all four independent hydraulic systems powering the primary flight controls. This meant
28
T. Lombaerts, H. Smaili, and J. Breeman
that all hydraulics were lost and the crew was left with no means to control the aircraft except for the engines. An amateur photographer took a picture of the crippled tailless aircraft, as seen in fig. 21(b). The loss of the vertical tail rendered the heavy aircraft de facto laterally unstable and led to a hopeless situation for the crew. The loss of hydraulics halted the functioning of all stability augmentation equipment, resulting in the appearance of phugoid as well as Dutch roll behaviour3. The only way for the crew to stabilize the aircraft, was to apply differential thrust by handling the four throttle levers separately. In this way the experienced crew succeeded in stabilizing the aircraft for half an hour, and almost managed to bring the aircraft back to Haneda’s airport. Unfortunately, they did not make it to the airport and crashed on Mount Osutaka. According to [27], it is widely accepted that the aircraft crashed because of crew fatigue and experts believe they would never have succeeded in performing a successful landing even if they had managed to bring the crippled aircraft back to the airport. A sketch of the aircraft trajectory can be found in fig. 1.22. From the flown trajectory shown in fig. 1.22, the aircraft was still controllable to some degree through differential thrust from its engines: the only problem is that this was not an efficient way to do so by the crew. With the available controls, they did not have the necessary capabilities to bring the aircraft and the passengers back to safety.
1.3.3 United Airlines Flight UA232, Source: [27] On July 19 1989, United Airlines flight UA232 going from Denver to Chicago was operated by one of the company’s McDonnell Douglass DC-10-10’s. The aircraft involved had the registration N1819U. A little more than an hour after departure from Denver, when the DC-10 was flying above the state of Iowa, North of the town Alta, it attempted to make a heading change from 15◦ to 95◦ at an airway intersection point. Close to the end of that turn, at 80◦ , the fan Fig. 1.23 UA DC-10-10 N1819U, c Fischdick disk of engine number two, which is placed Werner on the aircraft’s tail, fractured due to a disk forging flaw. The debris of this explosive engine failure punctured the horizontal stabilizer as well as the tailcone. Also the tubes of all three independent hydraulic systems powering the flight controls were damaged, which resulted in the loss of all hydraulics, just like the situation with the 3
After this accident, the manufacturer included some safety measures in the hydraulic circuit to prevent the total loss of all hydraulics in future in similar scenarios. This led to the choice to include the vertical tail loss in the RECOVER accident scenarios list without considering the total loss of hydraulics, see chapter 6.
1
Introduction
(a) Bad quality picture of the aircraft with arrows indicating the damage locations on elevator and tailcone, source: NTSB
29
(b) Picture of re-assembled stabilizer wreckage after crash, source: [3]
Fig. 1.24 Illustrations of heavy damage to UA DC-10-10 N1819U
JAL jumbo jet four years before. This event is illustrated by some pictures. Figure 24(a) is a picture of the aircraft, where the small arrows indicate the punctured areas on the right elevator. Note the large hole in the elevator leading edge, and the missing tailcone. Note that the major damage is clearly situated in the plane of the No. 2 fan disk. Finally, fig. 24(b) shows a picture of the stabilizer on the re-assembled wreckage after the crash. This is a top view, the structure on the top left is the tail engine housing. It is clear where the No. 2 fan disk is located in that housing, since the skin is completely missing there. With regard to the stabilizer, it is clear that the inner part was damaged to a significantly larger extent than the outer one. Since the aircraft was swinging through a gradual right turn at the airway intersection at the moment the tail-mounted engine disintegrated, its ‘frozen’ control surfaces left it with the tendency to continue the turn. Figure 1.25 shows a map of the aircraft’s radar-plotted track. The post failure ground track clearly shows the right hand turn tendency. In their fight to retain control with engine power alone, the DC-10 crew had small but crucial advantages over the hapless Japanese Boeing 747 crew in a similar predicament four years before, as described above. The undamaged fin gave the aircraft some measure of directional stability, moreover a ‘dead-heading’ check pilot joined the United crew on the flight deck. The check pilot’s remarkable skills in handling the power levers undoubtedly allowed the operating crew to concentrate more closely on their crucial individual tasks. Thanks to the joint efforts of the highly experienced crew, they managed to divert the aircraft to the airport closest in the vicinity, namely the Sioux Gateway Airport. As can be clearly seen in fig. 1.25, they succeeded only once to make a left turn, but this was sufficient to line the crippled DC-10 up with one of the airport’s runways. Unfortunately, since the flaps were stuck at their ‘in’-position, the crew was forced to make their approach at high speed. Moreover, the sluggish aircraft responses to the throttle setting changes made it particularly difficult to make changes in the aircraft final approach path and speed close to the runway. This resulted in the final seconds of flight being in a nearly unsurvivable situation. Any throttle change induced some very badly damped phugoid oscillations, which are extremely dangerous at this altitude. Moreover it was impossible to set the throttles to idle at finals,
30
T. Lombaerts, H. Smaili, and J. Breeman
Fig. 1.25 Map of the aircraft trajectory, (MT/AA)
because this would result again in the natural tendency of the aircraft to make a gradual right hand turn. All this resulted in the situation whereby the aircraft made extremely hard and rough contact with the ground, rolling and tumbling upside down as it broke up. Despite this dramatic end, and although 111 people died in the valiant landing attempt, the superb airmanship of the crew to nurse the aircraft back to the closest airport led to the survival of 185 passengers, including all the four crew on the flight deck. It is clear that the survival of a considerable number of the passengers depended entirely on the magnificent skills of the crew. Without these highly experienced pilots, this situation would have been definitely unsurvivable.
1.3.4 EL AL Cargo Flight LY1862, Source: [40] On October 4 1992, a Boeing 747-200F freighter aircraft operated by Israel’s national airline EL AL (registration: 4XAXG) departed from Amsterdam airport on cargo flight 1862 towards Tel Aviv. Unfortunately, while the aircraft was climbing over the most southern part of the IJsselmeer, the pylon of engine No. 3 broke off due to metal fatigue. Without the usual heavy aircraft inertia, the engine raced in Fig. 1.26 EL AL B747-200F 4X-AXG, c Fischdick front of the aircraft, but due to the moment Werner of the rotating parts it started tumbling and impacted on engine No. 4. This resulted in the loss of both right-wing engines, including serious damage to the wing leading edge resulting in the loss of lift force
1
Introduction
31
Fig. 1.27 Illustration of aircraft damage, source: [40]
and a significant drag increase. Due to this extensive damage, the aircraft was rendered considerably asymmetric. Moreover, this damage resulted in a partial loss of the hydraulics, and hydraulic systems 3 and 4 became unavailable. As illustrated in fig. 1.27, a significant number of control surfaces were paralysed after the engine separation. The outboard (low speed) ailerons, outboard flaps, spoilers No. 1, 4, 5, 6, 7, 8, 9, 12 as well as the inner left and outer right elevator were lost completely, while the inner (high speed) ailerons suffered a 50% hinge moment loss and the functionality of the horizontal stabilizer was reduced to half trim rate. After experiencing the limping behaviour of the crippled aircraft, the crew decided to return to the airport. In an attempt to make an emergency landing, the aircraft flew several right-hand circuits in order to lose altitude and to line up with runway 27. During the second line-up, the aircraft entered an unrecoverable rolldive. As a result, the aircraft crashed, 13 km east of the airport, into an eleven-floor apartment building in the Bijlmermeer, a suburb of Amsterdam. The trajectory of the aircraft is shown in fig. 1.28. Since the crew was not aware of the actual scale of the damage, they decided to return to the airport as quickly as possible. However, this resulted in the fact that they attempted to make an emergency landing with the heavy take off weight of 317 tons. This would have required such a high approach speed of 133.8m/s, that no safe landing would have been possible. Jettisoning fuel in order to reduce the aircraft weight to a more acceptable 263 tons would have resulted in a lower minimum speed of 108m/s that possibly would have led to a more survivable emergency landing, even with the flaps stuck at position 1. The official analysis from this investigation concluded that given the performance and controllability of the aircraft after the separation of the engines, a successful landing was highly improbable. In 1997, the division of Control and Simulation in
32
T. Lombaerts, H. Smaili, and J. Breeman
Fig. 1.28 Trajectory of EL AL flight 1862
the Faculty of Aerospace Engineering at the Delft University of Technology (DUT), in collaboration with the Netherlands National Aerospace Laboratory NLR, performed an independent analysis of the accident. In contrast to the analysis performed by the Netherlands Accident Investigation Bureau, the DFDR flight parameters were reconstructed using modelling, simulation and visualisation techniques in which the DFDR pilot control inputs were applied to detailed flight control and aerodynamic models of the accident aircraft. The purpose of the analysis was to acquire an estimate of the actual flying capabilities of the aircraft and to study alternative control strategies for a successful recovery. The application of this technique resulted in a simulation model of the impaired aircraft that could reasonably predict the performance, controllability effects and control surface deflections observed on the DFDR. Analysis of the reconstructed model (later used for the simulation benchmark in Chapter 6), indicated that from a technical point of view the damaged aircraft was recoverable if unconventional control strategies were used. Further results of this investigation, including detailed qualitative results of the analysis, can be found in [38] and [39]. Comparing this aircraft accident analysis with the previous two, shows that differential thrust is not the only way of recovering a crippled aircraft. It is possible that a limited number of control surfaces are still operative, and these should be taken into account when attempting to apply a form of unconventional control in order to bring the aircraft back to safety.
1.3.5 USAir Flight 427 and United Airlines Flight 585, Sources: [4], [9], [5] On March 3, 1991, a United Airlines (UAL) Boeing 737-200, registration number N999UA, operating as flight 585, was on a scheduled passenger flight from Denver, Colorado, to Colorado Springs, Colorado. Visual meteorological conditions (VMC) prevailed at the time, and the flight was on an instrument flight rules (IFR) flight
1
Introduction
33
plan. Numerous witnesses reported that shortly after completing its turn onto the final approach course to runway 35 at Colorado Springs Municipal Airport (COS), at about 0944 Mountain Standard Time, the airplane rolled steadily to the right and pitched nose down until it reached a nearly vertical attitude. In the last 8 seconds, the pilot requested 15 degrees of flaps, which was confirmed by the first officer and it has Fig. 1.29 United Airlines B737-200 c Fischdick been noted in the recorded cockpit sounds N999UA, Werner of the CVR that both engines were accelerating just prior to impact. This selection of 15-degrees flaps, in combination with increased thrust, is consistent with the initiation of a go-around. Despite this crew effort, the altitude continued decreasing rapidly, the indicated airspeed increased to over 200 knots, and the normal acceleration increased to over 4 G, before hitting the ground in an area known as Widefield Park, less than four miles from the runway threshold. Figure 1.30 shows a plot of United flight 585s ground track based on FDR and radar data. The airplane was destroyed completely by the impact forces and post-crash fire, and the 2 flight crew-members, 3 flight attendants and 20 passengers aboard were fatally injured. The subsequent investigation by the NTSB lasted one year and 9 months. Despite extensive damage to the flight data recorder (FDR), all the data was extractable. The
Fig. 1.30 Trajectory of United Airlines Flight 585, source: [5].
34
T. Lombaerts, H. Smaili, and J. Breeman
FDR only recorded five parameters4. The flightpath, pitch and roll angles were determined by calculations using the heading and normal acceleration (G-loads) data. The direct availability of roll attitude data would have provided direct information about sideslip angles when the roll angle and heading data were compared, thus permitting a more accurate analysis to determine the nature of the airplane’s final manoeuvre. Had rudder, aileron and spoiler deflection data been available, investigators would have been able to compare the airplane’s theoretical performance with other data that described the airplane’s flight profile to determine with a high level of confidence the effect of external (atmospheric) forces. The direct evidence provided by the parameters would also have permitted an analysis of the flight control system and engine function. Consequently, the data proved insufficient to establish why the plane suddenly went into the fatal dive. The NTSB did not rule out the possibilities of a malfunction of the rudder PCU servo (possibly causing a rudder reverse) and the effect that powerful rotor winds coming off the Rocky Mountains might have had, but there simply was not enough evidence to judge the expected cause. In the first NTSB report (issued on December 8, 1992) no ‘probable cause’ could be given. Instead, it said ‘The National Transportation Safety Board, after an exhaustive investigation effort, could not identify conclusive evidence to explain the loss of United Airlines flight 585.’ Sadly enough, three years later, a highly similar accident occurred... On September 8, 1994, at about 1903 local time, USAir flight 427, a Boeing 7373B7 (737-300), N513AU, crashed while manoeuvring to land at Pittsburgh International Airport, Pittsburgh, Pennsylvania. Flight 427 was operating as a scheduled domestic passenger flight from Chicago-O’Hare International Airport, Chicago, Illinois, to Pittsburgh. The flight departed at about 1810, with 2 pilots, 3 flight attendants, and 127 passengers on board. FDR data indicated that the accident airplane was rolling out of a left bank to its assigned heading of 100◦, after which it began to yaw and roll; the airplane’s heading moved left past 100◦ at an increasing rate. Thereafter, the airplane’s heading moved left at a rate of at least 5◦ per second. The airplane’s heading continued to move left at least at this rate until the stickshaker activated5 . The airplane’s left roll angle was also increasing rapidly during this time: the airplane’s left roll angle was about 28◦ and 5 seconds later the airplane’s left roll angle Fig. 1.31 USAir B737-300 N513AU, c Fischdick Collection exceeded 70◦ . All this happened in less than Werner 15 seconds. The airplane kept rolling to the 4 5
Since 1994, FDRs are required to have more parameters, including those to provide roll and pitch attitude data, as well as thrust data. This system warns the pilot when the aircraft is critically close to stalling.
1
Introduction
(a) Drawing of the Boeing 737 main rudder power control unit (PCA)
35
(b) Drawing of the Boeing 737 main rudder PCU servo valve
Fig. 1.32 Drawings of the faulty rudder PCU equipment on both Boeing 737s, source: [5].
left and finally entered an uncontrolled descent and impacted terrain near Aliquippa, Pennsylvania, about 6 miles northwest of the destination airport. All 132 people on board were killed, and the airplane was destroyed by impact forces and fire. The Safety Board therefore considered various scenarios that could have resulted in such an abrupt heading change, including asymmetric engine thrust reverser deployment, asymmetrical spoiler/aileron activation, transient electronic signals causing uncommanded flight control movements, yaw damper malfunctions, and a rudder cable break or pull. At the end, the Safety Board ruled out each of these scenarios as a possible factor or cause of the left yaw/roll and heading change for various reasons. After this second accident, similar to the USAir Flight 427, the NTSB reopened the investigation of Flight 585, discussed earlier6 , and came up with the following identical conclusion for both accidents: ‘The National Transportation Safety Board determines that the probable cause of the United Airlines flight 585 and USAir Flight 427 accidents was a loss of control of the airplane resulting from the movement of the rudder surface to its blowdown limit. The rudder surface most likely deflected in a direction opposite to that commanded by the pilots as a result of a jam of the main rudder power control unit servo valve secondary slide to the servo valve housing offset from its neutral position and overtravel of the primary slide’, see fig.1.32. Comparing this aircraft accident analysis with the previous ones, shows that not only a (partial) loss of hydraulics can lead to disastrous situations. Here, all hydraulics were still operational, but the rudder actuator suffered from a malfunction, leading to an extreme deflection up to its blowdown limits. Since all other control effectors, surfaces and engines, were still operative, their control authority could have been exploited by a form of unconventional control in order to bring the aircraft back to safety. In this scenario of a rudder hardover, the ailerons and differential thrust on both engines would be the steering channels par excellence to compensate for the failure. 6
And even another related accident with the same type of aircraft, namely Eastwind Flight 517.
36
T. Lombaerts, H. Smaili, and J. Breeman
Finally, flight tests conducted in a Boeing 737-300 aircraft, following the accident, demonstrated that an airspeed of 190 KIAS was close to the crossover speed for the weight and configuration of USAir Flight 427. At this speed, it was found that the ailerons and spoilers were sometimes unable to stop the roll induced by a (faulty) full rudder deflection. Moreover, the investigation by NTSB showed that if a B-737300 aircraft cruising at an airspeed of 190 knots with flaps 1 encountered a rudder hardover, recovery was impossible if altitude was maintained by the pilot. In these conditions, aircraft recovery was only possible if the pilot descended to gain airspeed, which decreases the effectiveness of the rudder and increases aileron/spoiler authority enough to compensate for the rolling moment. However, the natural reaction of the pilot would be to maintain altitude while analyzing a control problem as was the case for this accident. Simulations have shown that a roll/yaw upset is almost likely to be unrecoverable due to the surprise reaction of the pilot and the aircraft being below the crossover speed and/or close to the ground. However, a rudder hardover of a Northwest Airlines Boeing 747-400 aircraft (Flight 85) in 2002 showed that the remaining control capabilities of the aircraft, including the engines, could be used to recover the aircraft and reduce speed to conduct a successful landing. Also for these scenarios, fault tolerant control could assist to recover correctly and timely from a fault induced upset and stabilize the aircraft for an emergency landing.
1.3.6 DHL Cargo Flight above Baghdad, Sources: [31], [32] On November 22 2003, the DHL Airbus A300B4-203F freighter, registered OODLL, took off from Baghdad, bound for Bahrain. While in initial climb, at about 8000 ft, the aircraft was hit by a surfaceto-air missile. The missile entered the aircraft’s left wing from below at approximately half span. By perforating the wing skin, the projectile entered the outer wing fuel tank 1A. After it ignited, it destroyed the tank so comprehensively that the fuel Fig. 1.33 DHL A300-B4 OO-DLL, just drained out. This tank was full of fuel Werner c Fischdick Collection and luckily contained no fuel-air vapour, otherwise the wing would have been blown off the aircraft. However, it still proceeded to burn away at the rear spar. The fuel tank ribs in the area directly in front of the outboard flap burnt almost 50% through, but the front spar remained intact. Besides destroying tank 1A, the missile also pierced the inboard left wing tank 1, so it too was losing fuel. Since this inboard tank feeds directly the left engine, this led to a very time critical situation. Once the left inboard tank lost all its fuel content, the left wing engine would have stopped working. The crew knew they had to land quickly because the wing was trailing
1
Introduction
37
(a) Picture of the flying (b) Picture of damaged trail- (c) Picture of missile hole in aircraft with the left wing ing edge wing structure lower skin of wing structure on fire, the flames eating slowly their way through the wing structure Fig. 1.34 Pictures of heavy damage to DHL A300B4-203F OO-DLL
a 50m flame, see fig.34(a). They also knew that if a part of the wingtip separated they would lose all control of the aircraft. Despite the fact that the leading edge of the wing was complete along almost its entire length, unknown to the crew, the fire was gradually destroying the outer wing, creeping forward from the trailing edge. At some stage before they landed, the rear wing spar separated and the remaining structure was held together by the forward spar only, see fig.34(b). The impact hole where the surface to air missile (SAM) entered the wing box is visible in fig.34(c). Within a few seconds after impact, the aircraft lost all pressure in the three separate hydraulic systems. Consequently, the primary flight control surfaces (ailerons, rudder, elevators) and the spoilers were no longer powered and went limp as their actuators drained, trailing in the slipstream. The aircraft was rendered uncontrollable by conventional means and adopted a rapid phugoid motion. The horizontal stabilizer setting was frozen at the trim position for 215 KIAS, while flaps and slats were unavailable. Fortunately, it was a short flight with a light load, the total weight being only 220 klb, well below maximum landing weight. This was a clear and essential advantage compared with the EL AL scenario described earlier, since the aircraft was in an acceptable configuration in order to perform immediately a relatively safe landing with acceptable approach speed. Because of the expanding left wing damage, the only way to control the aircraft, namely by applying differential thrust, had also a time critical issue which ruled out any option of fuel jettison before switching over to the landing. If they had taken too long to return to the airport, the no 1 engine could have fallen dry of fuel due to the leaking no 1 fuel tank, or the structural integrity of the left wing could have been compromised because of the expanding fire, slowly ‘eating’ its way through the structure. Both would lead to unsurvivable additional damage. As the aircraft climbed towards a maximum altitude of about 12,000 feet, within 10 minutes, the crew essentially managed to apply an adaptive control strategy’ regaining control and understanding the basic principles of the flying characteristics induced by the phugoid motion. In addition to controlling pitch and roll of the aircraft by the engine throttles only, the additional drag and lift loss due to the damaged left wing needed to be compensated for. A welcome help was the fact that
38
T. Lombaerts, H. Smaili, and J. Breeman
Fig. 1.35 DHL A300 flight trajectory, acknowledgement to Flight International
deploying the gear during the descent increased the damping of the phugoid. After a first unsuccessful attempt to land the aircraft using the engines only, the crew made a go-around and finally made a successful landing at Baghdad International Airport, see fig.1.35. This was a tremendous achievement, and the crew made the most of the little chance they were given. It was a remarkable premiere. This failure resulted in additional challenges with respect to the previous situations. This time, there was not only a sudden failure, but it was also developing and expanding. This is an additional challenge for the identification routine, as it has to be continuously monitoring, even after failure detection. Also some kind of indication of time critical issues to the crew could be interesting to contribute to their situational awareness. Finally, it should be noted that this incident is an extreme situation which only serves as one of the incidents motivating the need for a fault tolerant flight control system. It is not our goal to discuss this failure specifically.
1.3.7 Final Note on Accident Analysis Only a few aircraft accidents have been analysed in detail above. Three of the above examples concern the total loss of the hydraulic circuits, leaving thrust control as the only way to steer the crippled aircraft. It should be noted that these accidents just serve as a general introduction and motivation for FTFC. Thrust control only was not a specific point of research within FM-AG(16), since it has been explored already in depth (see section 1.4.2). Moreover, there are many other examples of loss of control in flight. For example, there was an unintentional asymmetric thrust reverser deployment in flight on a Lauda Air Boeing 767 above Thailand, which left the crew a ‘recovery window’ of only 4 to 6 seconds. This failure was very improbable to survive with the current autopilot systems, but the presence of an automatic adaptive control strategy would have compensated for this. Also the crash of an Air Florida Boeing 737 due to ice accretion would probably have been
1
Introduction
39
Fig. 1.36 Accident statistics, source: [8]
avoidable with this strategy, as well as the American Airlines DC-10 accident at Chicago O’Hare International Airport, described earlier. Moreover, there have been several other engine separation incidents on Boeing 747’s and DC-8’s, similar to the EL AL situation. There is even the documented story of a McDonnell Douglas F15 performing an emergency landing with only one wing due to a mid-air collision with another aircraft. After some attempts, the pilot succeeded in regaining control over the aircraft, and nursed the crippled vehicle back to the airport. Key aspects were the fact that the aircraft kept flying and even landed at high speed and that the F-15 fuselage is quite wide, containing two engines, so that it has some lifting body behaviour. After landing, the pilot acknowledged that he was not aware of missing his entire right wing, and if he had been, he would certainly have ejected... A recent worldwide civil aviation accident survey for the period 1993 to 2007, conducted by the Civil Aviation Authority of the Netherlands (CAA-NL) and based on data from the National Aerospace Laboratory NLR [8], indicates two major categories of accidents which can be attributed to a common initial event, ‘controlled flight into terrain’ where an aircraft, despite being fully controllable and under control, hits terrain due to the loss of situational awareness of the crew, counting for as much as 23% of all the accidents. This percentage is decreasing over the years thanks to the enormous international attention given to CFIT with respect to crew resource management training and development and implementation of new systems in the cockpit. The second major category is ‘loss of control in flight’, which can be attributed to mistakes made by the pilot or a technical malfunctioning. This category counts for 16% of all aircraft accidents and is not decreasing. Figure 1.36 shows a table from this survey. According to the research team of this project, a reconfiguring flight control system would make the success of the United Airlines and DHL examples less dependent on the extreme skills of the pilots. Moreover, the other examples explained above, and a significant part of this 16% of aircraft accidents due to loss of control in flight could be prevented if some form of reconfiguring control was implemented in the aircraft. It is important to acknowledge that these accidents
40
T. Lombaerts, H. Smaili, and J. Breeman
could not have been prevented at the time when they occurred, since computer capabilities at that time were not at the level they are now. From this perspective, it is very clear that research on fault tolerant flight control is in the interest of the civil as well as military aviation industry.
1.4 Earlier Accomplishments in This Field, Source: [40] Motivated by several aircraft accidents at the end of the 1970s, including the crash of American Airlines Flight 191 DC-10 at Chicago in 1979, research on reconfigurable fault tolerant flight control (RFTFC) was initiated to accommodate in-flight failures and to improve the safety and reliability of onboard avionics and flight control system equipment. Reconfigurable control aims to utilise all remaining control effectors on the aircraft (control surfaces and engines) after an unanticipated mechanical or structural failure, to recover the performance of the original system by automatic redesign of the flight control system in order to resemble the unfailed aircraft design. The first objective of reconfiguration is to guarantee system stability while the original performance is reconstructed as much a possible. Due to limitations of the control allocation scheme caused by, for instance, actuator position and rate limits, the system performance of the unfailed aircraft may not be fully achieved. In this case, the failed aircraft would be flown in a degraded mode but with sufficiently acceptable handling qualities for a successful recovery. Reconfigurable flight control systems have been successfully flight tested [21], [17], [6] and evaluated in manned simulations [21], but up to date, no RFTFC has been certified or applied in both commercial and military aircraft. Passive design approaches are robust control techniques that can handle model uncertainties, flight condition changes and several types of faults and failures without on-line fault information within the robust boundary region. Unanticipated failures that occur outside the stability region of the robust controller may result in catastrophic system instability or performance degradation. For the mitigation of mechanical or structural failures that occur outside the stability region of the robust controller, the use of active reconfigurable control becomes necessary. Fault detection and isolation (FDI) modules are necessary to deliver on-line fault information for control reconfiguration. Active fault accommodation may then be performed based on off-line predetermined (a-priori) fault scenarios, control law switching, or by means of on-line and real-time control law restructuring (architecture changes) or reconfiguration (parameter recalculation).
1.4.1 Self-Repairing Flight Control System (SRFCS) Program The earliest flight tests of reconfigurable flight control systems were performed during the Self-Repairing Flight Control System (SRFCS) program [17], sponsored by the US Air Force Wright Research and Development Center in 1984. Using a categorised pre-determined set of failure modes, the states of the system were estimated, based on the known list of failures, to determine the failed component. Residual
1
Introduction
41
errors were generated by comparison with a nominal model to isolate failures and estimate the control derivatives of the failed damaged surface for use in a control allocation scheme. The probability of the pre-defined failure cases was estimated and used to determine the weighted average for the control inputs. The limitation of this method is that modelling errors can be interpreted as a failure while the only failures that can be identified ‘correctly’ are those that fall into the predetermined fault list. The SRFCS was successfully flight tested by NASA in 1989 and 1990 on a F-15 aircraft at the Dryden Flight Research Center [17]. Real-time control reconfiguration was demonstrated for fault cases that included loss of control surfaces due to battle damage.
1.4.2 MD-11 Propulsion Controlled Aircraft (PCA) Following the Sioux City incident in 1989, the SRFCS project was followed by a program at the NASA Dryden Flight Research Center on Propulsion Controlled Aircraft (PCA). The system aims to provide a safe landing capability using only augmented engine thrust for flight control. Throughout the 1990s, the system has been successfully tested on several aircraft, including both commercial (Figure 1.37) and military, but the acceptance of PCA technology in the commercial and military field has still not been achieved. Ref. [15] provides more background on PCA.
Fig. 1.37 A McDonnell Douglas MD-11 lands at Dryden Flight Research Center equipped with a computer-assisted engine control landing system developed by a NASA-Industry team. NASA Dryden Flight Research Center Photo Collection, photo by J. Ross
1.4.3 NASA Intelligent Flight Control System (IFCS) F-15 Program In 1992, the Intelligent Flight Control (IFC) research program was established to explore the possibilities of utilising adaptive flight control technology to accommodate unanticipated failures through self-learning neural networks. Within the 19992004 Intelligent Flight Control System (IFCS) F-15 program [6] [41], sponsored by NASA Dryden, pre-trained and on-line learning neural networks were flight tested on the NASA IFCS F-15 testbed (Figure 1.38). The pre-trained neural networks
42
T. Lombaerts, H. Smaili, and J. Breeman
Fig. 1.38 NASA Drydens highly modified F-15B, tail number 837, performing Intelligent Flight Control System (IFCS) project flights. NASA Dryden Flight Research Center Photo Collection, photo by C. Thomas
provide estimates of the stability and control characteristics for model inversion. The on-line learning neural networks provide on-line compensation of errors in the estimates and from the model inversion. In addition, the adaptive neural networks compensate for changes in the aircraft dynamics due to failures or damage. Piloted simulation studies have been performed at NASA Ames of Integrated Neural Flight and Propulsion Control Systems (INFPCS) in which neural flight control architectures are combined with PCA technology. The evaluation successfully demonstrated the benefits of intelligent adaptive control [28]. Subsequent evaluations are planned to further validate the IFC technologies in a C-17 testbed [28]. Adaptive neural network based technology was further investigated in the Reconfigurable Control for Tailless Aircraft (RESTORE) program in which reconfigurable control design methods were applied to a tailless aircraft [14], [16]. Within the Active Management of Aircraft System Failures (AMASF) project, as part of NASA’s Aviation Safety Program, several issues in the area of FTFC technology were addressed. These include detection and identification of failures and icing, pilot cueing strategies to cope with failures and icing, and control reconfiguration strategies to prevent extreme flight conditions following a failure of the aircraft. In this context, a piloted simulation was conducted early in 2005 of a Control Upset Prevention and Recovery System (CUPRSys). Despite a few limitations, CUPRSys provided promising fault detection, isolation and reconfiguration capabilities [21].
1.5 Research Challenges and Objectives The objective of this Action Group was to demonstrate the capability and viability of modern fault detection, isolation and reconfiguration (FDIR) methods when applied to a realistic, nonlinear design problem and to assess their contribution to flight safety. The research group aims to further integrate the latest developments in fault detection and isolation techniques with reconfigurable control technology which has only been done by a few studies so far [36], [43]. In particular, most of the fault detection and isolation methodologies are developed independently as diagnostic or monitoring tools and not as an integral part of a reconfigurable fault tolerant control system. Most of the current reconfigurable control systems are developed
1
Introduction
43
under the assumption of perfect information from the FDI system. Furthermore, the group addressed the need for high-fidelity nonlinear simulation models, relying on accurate failure modelling, to improve the prediction of reconfigurable system performance in degraded modes. Several realistic failure modes have been considered in this research project. The most important scenarios are the engine separation (inspired by the El Al accident, see 1.3.4) and the rudder hardover (inspired by the US Airways and United Airlines accidents, see 1.3.5) cases. However, it should be noted that the scenario ‘total loss of hydraulics’, leading to the need of ‘thrust control only’ has not been considered explicitly in this research. An important motivation for this is the fact that this case has been considered intensively in the PCA project of NASA, discussed in 1.4.2. The focus of this research project is more general and not focussed on this specific strategy.
References 1. Ammons, E.: F-16 flight control system redundancy concepts. In: Guidance and Control Conference, Boulder, Colorado (August 1979) 2. Anderson, B., Bedos, T.: X-38 v201 avionics architecture. Technical Report N20000086667, NASA (February 1999) 3. Anonymous. Applying lessons learned from accidents, http://faalessons.workforceconnect.org/ 4. Anonymous. Aircraft accident report united airlines flight 585 boeing 737-291, N999UA uncontrolled collision with terrain for undetermined reasons 4 miles south of Colorado Springs municipal airport Colorado Springs, Colorado March 3, 1991. Technical report, National Transportation Safety Board, NTSB (1992) 5. Anonymous. Aircraft accident report uncontrolled descent and collision with terrain Usair flight 427 boeing 737-300, n513au near aliquippa, pennsylvania, September 8, 1994. Technical report, National Transportation Safety Board, NTSB (1999) 6. Anonymous. Intelligent flight control: Advanced concept program. Final Report BOEING-STL 99P0040, The Boeing Company (1999) 7. Anonymous. Integrated resilient aircraft control - stability, maneuverability and safe landing in the presence of adverse conditions. Technical report, National Aeronautics and Space Administration, Aeronautics Research Mission Directorate, Aviation Safety Program (April 2007) 8. Anonymous. Civil aviation safety data 1993-2007. Technical report, Civil Aviation Authority of the Netherlands, CAA-NL (2008) 9. Anonymous. Aircraft accident report: Uncontrolled descent and collision with terrain united airlines flight 585 boeing 737-200, n999ua 4 miles south of colorado springs municipal airport colorado springs, colorado, March 3, 1991. Technical report, National Transportation and Safety Board (March 27, 2001) 10. Arabian, A.: Afti/f-16 digital flight control computer design. In: NAECOn 1983, Dayton, Ohio (1983) 11. Boldue, L.: Redundancy management for the X-33 vehicle and mission computer. In: 19th Digital Avionics Systems Conference, Philadelphia, Pennsylvania (October 2000) 12. Brekke, D., Giere, N., Schlosser, R., Slavich, M., Tabor, D., Turner, B.: Next generation fault-tolerant guidance and navigation unit for the inertial upper stage. In: Rocky Mountain Guidance and Control Conference, Keystone, Co (February 1995)
44
T. Lombaerts, H. Smaili, and J. Breeman
13. Briere, D., Traverse, P.: Airbus a320/a330/a340 electrical flight controls - a family of fault tolerant systems. In: IEEE Conference (1993) 14. Brinker, J.S., Wise, K.A.: Nonlinear simulation analysis of a tailless advanced fighter aircraft reconfigurable flight control law. In: AIAA Guidance, Navigation and Control Conference and Exhibit, Portland, OR, AIAA-99-4040 (August 1999) 15. Burken, J.J., Maine, T.A., Burcham, F.W., Kahler, J.A.: Longitudinal emergency control system using thrust modulation demonstrated on an md-11 airplane. In: AIAA, ASME, SAE, and ASEE, Joint Propulsion Conference and Exhibit, 32nd, Lake Buena Vista, FL (July 1996) 16. Calise, A.J., Lee, S., Sharma, M.: Development of a reconfigurable flight control law for the x-36 tailless fighter aircraft. AIAA Journal of Guidance, Control and Dynamics 24(5), 896–902 (2001) 17. Corvin, J.H., Havern, W.J., Hoy, S.E., Norat, K.F., Urnes, J.M., Wells, E.A.: Selfrepairing flight control systems, volume i: Flight test evaluation on an f-15 aircraft. Final Report WL-TR-91-3025 (1991) 18. Driscoll, K., Hoyme, K.: The airplane information management system, an integrated real-time flight deck control system. In: Real-Time System Symposium (December 1992) 19. EASA. Certification Specifications for Large Aeroplanes. EASA. CS-25 20. Federal Aviation Administration FAA. Airworthiness Standards: Transport Category Airplane. Federal Aviation Administration FAA. title 14, part 25 21. Ganguli, S., Papageorgiou, G., Glavaski, S., Elgersma, M.: Piloted simulation of fault detection, isolation and reconfiguration algorithms for a civil transport aircraft. In: AIAA Guidance, Navigation and Control Conference and Exhibit, San Francisco, CA, AIAA2005-5936 (August 2005) 22. Goupil, P.: Airbus overview of fault tolerant control. In: Garteur AG-16 Workshop, April 4-5 (2006) 23. Gunston, B.: Modern Fighters. Salamander Books Ltd., London (1988) 24. Hammett, R.: Design by extrapolation: an evaluation of fault tolerant avionics. IEEE Aerospace and Electronic Systems Magazine 17(4), 17–25 (2002) 25. Jarvis, C.R., Szalai, K.J.: Ground and flight test experience with a triple redundant digital fly by wire control system. Technical Report 19810010480, NASA (1981) 26. Jiang, J.: Fault-tolerant Control Systems – An Introductory Overview. ACTA Automatica Sinica 31(1), 161–174 (2005) 27. Job, M.: Air Disaster, vol. 2. Aerospace Publications Pty Ltd. (1996) 28. KrishnaKumar, K., Gundy-Burlet, K.: Intelligent control approaches for aircraft applications. Technical report, NeuroEngineering Laboratory, NASA Ames Research Center 29. Kuhlberg, J.F., Kniat, J., Newirth, D.M., Jamison, J.C., Switalski, J.R.: Transport engine control design. In: AIAA, SAE and ASME, Joint Propulsion Conference, 18th, Cleveland, Ohio (June 1982) 30. Le Tron, X.: Airbus fly-by-wire: An integrated system design. In: Garteur AG-16 Workshop, April 4-5 (2006) 31. Learmount, D.: Missile attack, great escape. In: Flight International, pp. 34–38 (21/12/2004 - 03/01/2005) 32. Lemaignan, B.: Flying with no flight controls: Handling qualities analyses of the baghdad event. AIAA-2005-5907 (2005) 33. Lombaerts, T.J.J., Chu, Q.P., Mulder, J.A.: Lecture Notes AE4-301, Automatic Flight Control System Design. Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (January 2005) 34. Maoui, G. (ed.): Cockpits by Airbus Industrie. Cherche midi enterprise (1998)
1
Introduction
45
35. Mulder, J.A., van Staveren, W.H.J.J., van der Vaart, J.C., de Weerdt, E.: Lecture Notes AE3-302, Flight Dynamics. Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (January 2006) 36. Patton, R.J.: Fault tolerant control systems: The 1997 situation. In: Proceedings of IFAC Symposium on SAFEPROCESS, HULL, UK, August 1997, pp. 1033–1055 (1997) 37. Pratt, R.W.: Flight Control Systems, practical issues in design and implementation. In: IEE/AIAA, Stevenage, UK/Reston, USA (2000) 38. Smaili, M.H.: Flight Data Reconstruction and Simulation of EL AL Flight 1862. Final thesis, T.U. Delft (November 1997) 39. Smaili, M.H.: Flight data reconstruction and simulation of the 1992 amsterdam bijlmermeer airplane accident. AIAA-2000-4586 (August 2000) 40. Smaili, M.H., Breeman, J., Lombaerts, T.J.J., Joosten, D.A.: A simulation benchmark for integrated fault tolerant flight control evaluation. In: AIAA MST (2006) 41. Williams-Hayes, P.S.: Flight test implementation of a second generation intelligent flight control system. In: Infotech@Aerospace (2005) 42. Yeh, Y.C.: Triple-triple redundant 777 primary flight computer. In: IEEE Aerospace Application Conference, Aspen, Colorado, pp. 293–307 (1996) 43. Zhang, Y., Jiang, J.: Bibliographical review on reconfigurable fault-tolerant control systems. In: 5th IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes, Washington DC, USA, June 9-11, pp. 265–275 (2003)
Chapter 2
Fault Tolerant Flight Control - A Survey Michel Verhaegen, Stoyan Kanev, Redouane Hallouzi, Colin Jones, Jan Maciejowski, and Hafid Smail
2.1 Why Fault Tolerant Control? Nowadays, control systems are involved in nearly all aspects of our lives. They are all around us, but their presence is not always really apparent. They are in our kitchens, in our DVD-players, computers and our cars. They are found in elevators, ships, aircraft and spacecraft. Control systems are present in every industry, they are used to control chemical reactors, distillation columns, and nuclear power plants. Michel Verhaegen Delft University of Technology, Delft Center for Systems and Control, Mekelweg 2, 2628CD Delft, The Netherlands e-mail:
[email protected] Stoyan Kanev ECN Wind Energy, P.O.Box 1, 1755ZG Petten, The Netherlands e-mail:
[email protected] Redouane Hallouzi ReliaCon, Rotterdamseweg 145, 2628AL Delft, The Netherlands e-mail:
[email protected] Colin Jones ETH Zurich, Automatic Control Laboratory ETL K14.2, Physikstrasse 38092 Zurich, Switzerland e-mail:
[email protected] Jan Maciejowski University of Cambridge, Engineering Department, Trumpington Street, Cambridge CB2 1PZ, United Kingdom e-mail:
[email protected] Hafid Smaili National Aerospace Laboratory NLR, Anthony Fokkerweg 2, 1059 CM Amsterdam, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 47–89. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
48
M. Verhaegen et al.
They are constantly and inexhaustibly working, making our life more comfortable and more efficient . . . until the system fails. Faults in technological systems are events that happen rarely, and come mostly unexpectedly. In [43] the following definition for a fault is made: A fault is an unpermitted deviation of at least one characteristic property or parameter of the system from the acceptable/usual/standard condition. Faults are difficult to accurately predict in time, and to prevent. The impact of a fault can be a small reduction in efficiency, but could also lead to overall system failure. In safety critical systems this can lead to catastrophic events with significant costs, both economically and in terms of human life. Several such examples are • the explosion at the nuclear power plant at Chernobyl, Ukraine, on 26th April 1986 [67]. About 30 people were killed immediately, while another 15,000 were killed and 50,000 left handicapped in the emergency clean-up after the accident. It is estimated that five million people were exposed to radiation in Ukraine, Belarus and Russia. • the crash of the A MERICAN A IRLINES flight 191, a McDonnell-Douglas DC-10 aircraft, at Chicago O’Hare International Airport on 25 May 1979 (see Chapter 1). In this incident 271 persons on board and 2 on the ground were killed when the aircraft crashed into an open field [74, 75]. • the explosion of the Ariane 5 rocket on 4th June 1996, where the reason was a fault in the Internal Reference Unit that had the task to provide the control system with altitude and trajectory information. As a result, incorrect altitude information was delivered to the control unit [67]. The question that immediately arises is “Could something have been done to prevent these disasters?”. While in most situations the occurrences of faults in the systems cannot be prevented, subsequent analysis often reveals that the consequences of the faults could be avoided or, at least, that their severity (in terms of economic losses, casualties, etc.) could be minimized. If faults could be detected and diagnosed rapidly enough, then, in many cases, it is possible to subsequently reconfigure the control system so that it can safely continue its operation (though with degraded performance) until the time comes when it can be switched off to allow repair. In order to minimize the chances for such catastrophic events as those summarized above, safety-critical systems must possess the properties of increased reliability and safety. A way to offer increased reliability and safety is by means of a fault-tolerant control (FTC) system design. An FTC system could have been designed to lead to a safe shutdown of the Chernobyl reactor way before it exploded [67]. Subsequent studies following the McDonnell-Douglas DC-10 crash showed that the crash could have been avoided [75]. In the last minutes of the Ariane 5 crash the normal altitude information had been replaced by some diagnostic information that the control system was not designed to understand [67]. Fortunately, there are also examples,
2
Fault Tolerant Flight Control - A Survey
49
-
Controller
inputs
Controlled System
sensors
reference
actuators
system faults
outputs
Fig. 2.1 According to their location, faults are classified into sensor, actuator and component faults.
which show that taking appropriate measures can indeed prevent disasters (see also Chapter 1): 1. A McDonnell-Douglas DC-10 aircraft executing flight 232 of U NITED A IR LINES from Denver to Minneapolis experienced a disastrous failure in the hydraulic lines that left the plane without any control surfaces at 37,000 ft. The crew then improvised a control strategy that used only the throttles of the two wing engines and managed to successfully crash-land the plane in Sioux City, Iowa, saving the lives of 184 out of the 296 passengers on board [66]. 2. In the D ELTA A IRLINES flight 1080 an elevator became jammed at 19 degrees. The pilot was not given any indication of what had actually occurred but still was able to reconfigure the remaining lateral control elements to land the aircraft safely [75]. All these examples clearly motivate the need for increased fault-tolerance in order to improve to the maximum possible extent the safety, reliability and availability of controlled systems. This is particularly true as modern systems become increasingly complex. The examples above also explain the large amount of research in the field of fault detection, diagnosis and fault-tolerant control. An overview of this research is provided in this chapter.
2.2 Fault Classification Faults are events that can take place in different parts of the controlled system. In the FTC literature faults are classified according to their location of occurrence in the system (see Figure 2.1). Actuator faults: they represent partial or total (complete) loss of control action. An example of a completely lost actuator is a “stuck” actuator that produces no (controllable) actuation regardless of the input applied to it. Total actuator faults can occur, for instance, as a result of a breakage, cut or burned wiring, short circuits, or the presence of a foreign body in the actuator. Partially failed actuators produce only a part of the normal (i.e. under nominal operating conditions) actuation. This can result from hydraulic or pneumatic leakage, increased resistance or a fall in the supply voltage, etc. Duplicating the actuators in the system in
50
M. Verhaegen et al.
order to achieve increased fault-tolerance is often not an option due to their high prices and large size and mass. Sensor faults: these faults represent incorrect readings from the sensors that the system is equipped with. Sensor faults can also be subdivided into partial and total. Total sensor faults produce information that is not related to the value of the measured physical parameter. They can be due to broken wires, lost contact with the surface, etc. Partial sensor faults produce readings that are related to the measured signal in such a way that useful information could still be retrieved. This can, for instance, be a gain reduction so that a scaled version of the signal is measured, a biased measurement resulting in a (usually constant) offset in the reading, or increased noise. Due to their smaller sizes sensors can be duplicated in the system to increase fault tolerance. For instance, by using three sensors to measure the same variable one may consider it reliable enough to compare the readings from the sensors to detect faults in (one and only one) of them. The socalled “majority voting” method can then be used to pinpoint the faulty sensor. This approach usually implies significant increases in the related costs. Component faults: these are faults in the components of the plant itself, i.e. all faults that cannot be categorized as sensor or actuator faults will be referred to as component faults. These faults represent changes in the physical parameters of the system, e.g. mass, aerodynamic coefficients, damping constant, etc., that are often due to structural damage. They often result in a change in the dynamical behaviour of the controlled system. Due to their diversity, component faults cover a very wide class of (unanticipated) situations, and as such are the most difficult ones to deal with. Further, with respect to the way faults are modelled, they are classified as additive and multiplicative, as depicted in Figure 2.2. Additive faults are suitable for representing component faults in the system, while sensor and actuator faults are in practice most often multiplicative by nature. Faults are also classified according to their time characteristics (see Figure 2.3) as abrupt, incipient and intermittent. Abrupt faults occur instantaneously often as a result of hardware damage. They can be very severe since, if they affect the performance and/or the stability of the controlled system, prompt reaction from the FTC system is required. Incipient faults represent slow parametric changes, often as a result of aging. They are more difficult to detect due to their slow time characteristics,
fault
fault signal
+
faulty signal
additive fault
signal
x
faulty signal
multiplicative fault
Fig. 2.2 According to their representation, faults are divided into additive and multiplicative.
51
fault
fault
Fault Tolerant Flight Control - A Survey
fault
2
time
time
abrupt
incipient
time
intermittent
Fig. 2.3 With respect to their time characteristics faults can be abrupt, incipient and intermittent.
but are also less severe. Finally, intermittent faults are faults that appear and disappear repeatedly, for instance due to partially damaged wiring.
2.3 Modelling Faults As already mentioned in Section 2.2, faults are often represented as additive or multiplicative adjustments to the nominal behaviour. In this section we further concentrate on the mathematical representation of these faults and will provide a discussion on when and why one representation is more appropriate than the other. Throughout this chapter the state-space representation of dynamical systems is used, so that the relation from the system inputs u ∈ Rm to the measured outputs y ∈ R p is written in the form xk+1 = Axk + Buk Snom : (2.1) yk = Cxk + Duk , where xk ∈ Rn denotes the state of the system at time instance k, and A, B, C and D are matrices (possibly time-varying) of appropriate dimension.
2.3.1 Multiplicative Faults Multiplicative modelling is mostly used to represent sensor and actuator faults. Actuator faults represent malfunctioning of the actuators of the system, for example as a result of hydraulic leakages, broken wires, or stuck control surfaces in an aircraft. Such faults can be modelled as an abrupt change of the nominal control action from uk to (2.2) ukf = uk + (I − ΣA )(u¯ − uk ), where u¯ ∈ Rm is a (not necessarily constant) vector that cannot be manipulated, and where ΣA = diag{ σ1a , σ2a , . . . , σma }, σia ∈ R. In this way σia = 0 represents a total fault (i.e a complete failure) of the i-th actuator of the system so that the control action coming from this i-th actuator becomes equal to the i-th element of the uncontrollable offset vector u, ¯ i.e. ukf (i) = u(i). ¯ On
52
M. Verhaegen et al.
the other hand, σia = 1 implies that the i-th actuator operates normally (uk (i) = u(i)). The quantities σia , i = 1, 2, . . . , m can also take values in between 0 and 1, making it possible to represent partial actuator faults. Substituting the nominal control action uk in equation (2.1) with the faulty ukf results in the following state-space model xk+1 = Axk + BΣAuk + B(I − ΣA )u¯ (2.3) Smult,a f : ¯ yk = Cxk + DΣA uk + D(I − ΣA )u. f
Models in the form (2.3) are referred to as multiplicative fault models and have been widely used in the literature (see, for example [86, 73]). It needs to be noted that while such multiplicative actuator faults do not directly affect the dynamics of the controlled system itself, they can significantly affect the dynamics of the closed-loop system, and may even affect the controllability of the system. Figure 2.4 presents a simple example with a 50% actuator fault that results in instability of the closed-loop system. In the example of Figure 2.4 a system consisting of the transfer function S(s) = 1/(s − 1) is controlled by a PI controller with transfer function C(s) = 1.5 + 5s , so that a sinusoidal reference signal is tracked under normal operating conditions (i.e. during the first 20 seconds of the simulation). At time instance t = 20 sec, a 50% loss of control effectiveness is introduced and as a result the closed-loop system stability is lost. This example makes it clear that even “seemingly simple” faults may significantly degrade the performance and can even destabilize the system. Similarly, sensor faults occurring in the system (2.1) represent incorrect reading differs from from the sensors, so that as a result the real output of the system yreal k the variable being measured. Multiplicative sensor faults can be modelled in the following way f (2.4) yk = yk + (I − ΣS )(y¯ − yk ), where y¯ ∈ R p is an offset vector, and ΣS = diag{ σ1s , . . . , σ ps }, σis ∈ R, so that σ sj = 0 represents a total fault of the j-th sensor, and σ sj = 1 models the normal mode of operation of the j-th sensor. Partial faults are then modelled by taking σ sj ∈ (0, 1). Substitution of the nominal measurement yk in (2.1) with its faulty counterpart ykf results in the following state-space model that represents multiplicative sensor faults xk+1 = Axk + Buk Smult,s f : (2.5) yk = ΣSCxk + ΣS Duk + (I − ΣS )y. ¯ In this way, combinations of multiplicative sensor and actuator faults are represented in the following way xk+1 = Axk + BΣA uk + b(ΣA , u) ¯ (2.6) Smult : yk = ΣSCxk + ΣS DΣA uk + d(ΣA , ΣS , u, ¯ y), ¯
2
Fault Tolerant Flight Control - A Survey
reference generator
53
1,5+5/s
50% fault
PI Controller
actuator fault
Monitoring
1 s−1 System
reference trajectory system output 4
2
fault occurrence
6
0
−2
−4
−6 0
5
10
15
20 time, sec
25
30
35
40
Fig. 2.4 After a multiplicative fault the system may become unstable if no reconfiguration takes place.
with
¯ = B(I − ΣA )u, ¯ b(ΣA , u) d(ΣA , ΣS , u, ¯ y) ¯ = ΣS D(I − ΣA )u¯ + (I − ΣS )y. ¯
The multiplicative model is thus a “natural” way to model a wide variety of sensor and actuator faults, but cannot be used to represent more general component faults. This fault model representation is most often used in the design of the controller reconfiguration scheme of an active FTC system since for controller redesign one usually needs the state-space matrices of the faulty system.
2.3.2 Additive Faults The additive faults representation is more general than the multiplicative one. A state-space model with additive faults has the form xk+1 = Axk + Buk + F fk Sadd : (2.7) yk = Cxk + Duk + E fk , where fk ∈ Rn f is a signal describing the faults. This representation may, in principle, be used to model a wide class of faults, including sensor, actuator, and
54
M. Verhaegen et al.
fault
f(x)
signal
+
constant scaling
faulty signal
additive fault
signal
x
constant offset
+
faulty signal
multiplicative fault
Fig. 2.5 Using additive fault representation to model total sensor (or actuator) faults results in a fault signal that depends on yk (uk ). This is not the case with the multiplicative model where the fault magnitude and the offset are independent on the signals in the state-space model.
component faults. Using model (2.7), however, often results in the signal fk becoming related to one or more of the signals uk , yk and xk . For instance, when using this additive fault representation to model a total fault in all actuators (ΣA = 0 and u¯ = 0 in equation (2.2)) then in order to make equivalent to model (2.3) one model (2.7) F B needs to take a signal fk such that E fk = − D uk holds, making fk dependent on uk . Clearly, the fault signal being a function of the control action is not desirable for controller design. On the other hand, fk is independent of uk when multiplicative representation is utilized. Figure 2.5 illustrates this. Another disadvantage of the additive model when used to represent sensor and actuator faults is that, in terms of input-output relationships, these two faults become difficult to distinguish. Indeed, suppose that the model xk+1 = Axk + Buk + fka yk = Cxk + Duk + fks , is used to represent faults in the sensors and actuators. By writing the corresponding transfer function y(z) = (C(zI − A)−1 B + D)uk + C(zI − A)−1 fka + fks , it becomes clear that the effect of an actuator fault on the output of the system can be modelled not only by the signal fka , but also by fks . An advantage is, as already mentioned, that the additive representation can be used to model a more general class of faults than multiplicative ones. In addition, it is more suitable for the design of FDD schemes because the faults are represented by one signal rather than by changes in the state-space matrices of the system as is the case with the multiplicative representation. For that reason the majority of FDD methods are focused on additive faults [33, 3, 57].
2.3.3 Component Faults The class of component faults was defined in Section 2.2 as the most general as it includes faults that may bring changes in practically any element of the system. It was defined as the class of all faults that cannot be classified as sensor or actuator
2
Fault Tolerant Flight Control - A Survey
55
faults. A component fault may introduce changes in each matrix of the state-space representation of the system due to the fact they may all depend on the same physical parameter that undergoes a change. Component faults are often modelled in the form of a linear parameter-varying (LPV) system xk+1 = A( f )xk + B( f )uk yk = C( f )xk + D( f )uk ,
(2.8)
where f ∈ Rn f is a parameter vector representing the component faults. It should be noted that this model might also be used for modelling sensor and actuator faults. Due to the fact the matrices may depend in a general, nonlinear, way on the fault signal fk this model is less suitable for fault detection and diagnosis.
2.4 Main Components in an FTC System FTC systems are generally divided into two classes: passive and active. Passive FTC systems are based on robust controller design techniques and aim at synthesizing a single, robust controller that makes the closed-loop system insensitive to anticipated faults. This approach requires no online detection of the faults, and is therefore computationally more attractive. Its applicability, however, is very restricted due to its serious disadvantages: • In order to achieve robustness to faults, usually a very restricted subset of the possible faults can be considered; often only faults that have a “small effect” on the behaviour of the system can be treated in this way. • Achieving increased robustness to certain faults is only possible at the expense of decreased nominal performance. Since faults are effects that happen very rarely it is not reasonable to significantly degrade the fault-free performance of the system only to achieve some insensitivity to a restricted class of faults. However, using passive FTC systems can also have its advantages. One advantage is that a fixed controller has relatively modest hardware and software requirements. Another advantage is that passive FTC systems, due to their lower complexity compared to active FTC systems, can be made more reliable according to classical reliability theory [84]. Examples of passive FTC systems can be found in [61, 72, 97]. As opposed to passive methods, the active approach to the design of FTC systems is based on controller redesign, or selection/mixing of predesigned controllers. This technique usually requires a fault detection and diagnosis (FDD) scheme that has the task of detecting and localizing the faults if they occur in the system. The structure of an active FDD-based FTC system is presented in Figure 2.6. The FDD part uses input-output measurement from the system to detect and localize the faults. The estimated faults are subsequently passed to a reconfiguration mechanism (RM) that changes the parameters and/or the structure of the controller in order to achieve an acceptable post-fault system performance. Depending on the way the post-fault controller is formed, active FTC methods are further subdivided into projection-based methods and on-line redesign methods.
M. Verhaegen et al.
Reconfiguration mechanism
estimated
fault
Fault Detection & Diagnosis
FDD
56
FTC reference
Controller
input
System
output
faults
Fig. 2.6 Main components of an active FTC system.
The projection based methods rely on the controller selection from a set of off-line predesigned controllers. Usually each controller from the set is designed for a particular fault situation and is switched on by the RM whenever the corresponding fault pattern has been diagnosed by the FDD scheme. In this way only a restricted, finite class of faults can be treated. The on-line redesign methods involve on-line computation of the controller parameters, referred to as reconfigurable control, or recalculation of both the structure and the parameters of the controller, called restructurable control. Comparing the achievable post-fault system performances, the on-line redesign method is superior to the passive method and the off-line projection-based method. However, it is computationally the most expensive method as it often boils down to on-line optimization. There are a number of important issues when designing active FTC systems. Probably the most significant one is the integration between the FDD part and the FTC part. The majority of approaches in the literature are focused on one of these two parts by either considering the absence of the other or assuming that it is perfect. To be more specific, many FDD algorithms do not consider the closed-loop operation of the system and, conversely, many FTC methods assume the availability of perfect fault estimates from the FDD scheme. The interconnection of such methods is potentially infeasible and there can be no guarantees that a satisfactory post-fault performance, or even stability, can be maintained by such a scheme. It is therefore very important that the designs of the FDD and FTC, when carried out separately, are each performed bearing in mind the presence and imperfections of the other. For making the interconnection possible, one should first investigate what information from the FDD is needed by the FTC, as well as what information can actually be provided by the FDD scheme. Imprecise information from the FDD that is incorrectly interpreted by the FTC scheme might lead to a complete loss of stability of the system. The usual situation in practice is that after the occurrence of a fault in the system there is initially not enough information in terms of input/output measurements from the system to make it possible for the FDD scheme to diagnose the fault. For this reason, only after some time elapses and more information becomes available can the FDD scheme detect that a fault has occurred. Even more time is required to
2
Fault Tolerant Flight Control - A Survey
57
localize the fault and its magnitude. As a result, the information that is provided to the FTC part is initially more imprecise (i.e. with larger uncertainty), and it gets more and more accurate (with less uncertainty) as more data becomes available from the system. The FTC scheme should be able to deal with such situations. Therefore, the FTC should necessarily be capable of dealing with uncertainty in the FDD information/estimates, and should perform satisfactorily (guaranteeing at least the stability) during the transition period that the FDD scheme needs to diagnose the fault(s). Very often the dynamics of real physical systems cannot be represented accurately enough by linear dynamical models so that nonlinear models have to be used. This necessitates the development of techniques for FTC system design that can explicitly deal with nonlinearities in the mathematical representation of the system. Nonlinearities are, in fact, very often encountered in the representations of complex safety-critical controlled systems like aircraft and spacecraft. To reduce the inherent complexity of the control design, it is usual that the lateral and longitudinal dynamics of an aircraft are decoupled so that they have no effect on each other. This significantly simplifies the model of the aircraft and makes it possible to design the corresponding controllers independently. This decoupling condition can approximately be achieved for a healthy aircraft, but certain faults can easily destroy it, so that the two controllers could not be considered separately. An important issue in FTC system design is that even for a fixed operating region, where a nonlinear system allows approximation by a linear model, it is very difficult to obtain an accurate linear representation, either due to the fact that the physical parameters in the nonlinear model are not exactly known or because they vary with time. Even the nonlinear model is often derived after some simplifying assumptions, so that it only approximates the behaviour of the system. Even more, this uncertainty is further increased due to the linearization that basically consists in truncating second and higher order terms in the Taylor series expansion of the nonlinear function. As a result only a representation with uncertainty is available. It is important that the FTC system is designed to be robust to such uncertainties within the model. Another very important issue is that every real-life controlled system has control action saturation, i.e. the input and/or output signals cannot exceed certain values. In the design phase of a control system usually the effect of the saturation is accommodated by making sure that the control action will not get overly active and will remain inside the saturation limits under normal operating conditions. Faults, however, can have the effect that the control action stays at the saturation limit. For instance, when a partial 50% loss of effectiveness in an actuator has been diagnosed, a standard and easy way to accommodate the fault is to re-scale the control action by two so that the resulting actuation approximates the fault-free actuation. As a result the control action becomes twice as big and may go to the saturation limits. Clearly, in such situations one should not try to completely accommodate the fault but one should be willing to accept certain performance degradation imposed by the saturation. In other words, a trade-off between achievable performance and
58
M. Verhaegen et al.
available actuator capability might need to be made after the occurrence of a fault. This situation is often referred to as graceful performance degradation [95].
2.5 FTC Problem Formulation The dynamics of a real-life physical system can be represented in state-space in the following general form ⎧ ⎨ xk+1 = f (xk , uk , pk ), (2.9) yk = h(xk , uk , pk ), S(pk ) : ⎩ x0 = xˆ0 , where the vector xk ∈ X ⊆ Rn represents the state of the system S(pk ), uk ∈ U ⊆ Rm+nξ represents the inputs to the system, yk ∈ R p+nz denotes the outputs of the system. At each time instance t the system S(pk ) is parameterized by a (possibly unknown) parameter vector pk ∈ P ⊆ Rn p . The vector pk may represent uncertain physical parameters in the system or system faults. Nonlinear models of systems are in general inconvenient to work with due to their complexity and due to the lack of a well-developed theory for analysis and synthesis for general nonlinear models. The usual strategy to deal with them is either by approximating them with more convenient models (e.g. by means of blending of a set of local linear models as in the multi-model and in the Fuzzy control theories) or by assuming certain structure (e.g. bilinear systems, Hammerstein-Wiener systems, linearity in the input, etc.). In the multiple model approach the state space X is divided into N represen
tative and disjoint regions Xi , with Ni=1 Xi ≡ X , and in each region a point (x(i) , u(i) ) ∈ Xi × U is chosen around which the nonlinear system S(pk ) is approximated by a linear model. Under the assumption that f (·), g(·) ∈ C1 , the local linear approximation Mi (pk ) of the system S(pk ) within the open-ball neighbourhood
x − x(i) (i) (i) 0 that depend on the operating point (xk , uk ) as well as on the parameter vector pk , i.e. N
yˆk = ∑ μk yk , with μk = i=1
(i) (i)
(i)
φi (xk , uk , pk ) ∑Ni=1 φi (xk , uk , pk )
.
(2.10)
Such approximations are widely used in the literature (see, for instance, [47]). In fact it is shown in [46] that, under certain smoothness properties, the nonlinear system S(pk ) can be approximated to any desired accuracy on a compact subset of the state and input spaces by means of the representation (2.10) for a sufficiently large number of local models. The multiple model representation (2.10) is both intuitive and attractive, and is (i) related to the Takagi-Sugeno fuzzy model, where the weights μk in the linear combination of the local outputs are called degrees of membership. Suppose that the parameter vector pk is formed by two vectors, δk ∈ Δ ⊆ Rnδ and fk ∈ F ⊆ Rn f , so that δ pk = k , (2.11) fk where the vector δk is used to represent unknown, time-varying physical parameters of the system, and where the vector fk represents faults in the system. For consistency in terms of dimensions nδ + n f = n p . While both vectors are unknown, the fault vector fk is assumed to be estimated by an FDD scheme, and its estimate is denoted here as fˆk . Let δ0 ∈ Δ represent the nominal values of the uncertain parameters, and f0 ∈ F represent the fault-free mode of operation. Collect all local models Mi (pk ) into a model set M (pk ) = {M1 (pk ), M2 (pk ), . . . , MN (pk )} ,
(2.12)
and consider only one element of the set M (pk ) which, due to (2.11), is denoted as M(δ , f ). For simplicity of notation, the time symbol is omitted in M(δ , f ). The following objectives are considered: • passive robust FTC: design one controller K that achieves some desired performance for the model M(δ , f ) for all possible uncertainties δk ∈ Δ and faults fk ∈ F , • active robust FTC: given an estimate fˆ of the fault vector f by some FDD scheme, design a controller K( fˆ) that achieves some desired performance for the model M(δ , f ) for all possible uncertainties δk ∈ Δ and faults fk ∈ F , • active MM-based FTC: design a controller that achieves some desired performance for the nonlinear system S(pk ) for some fixed δk = δ0 ∈ Δ (i.e. in the case of no uncertainty) and for all possible faults fk ∈ F .
60
M. Verhaegen et al.
tracking error regulated outputs
u1
M11 M12
u2
M21 M22 y 2
K
y1
measured outputs
control actions
noises disturbances references
FL (M(δ , f ), K) Fig. 2.7 Partitioning of the model M(δ , f ) and forming the closed-loop with the controller K.
A natural continuation of this research activity is to combine the MM-based representation of the nonlinear system with the passive and active approaches to FTC in an attempt to deal with nonlinear systems with uncertainty as in (2.9). We will next provide some technical insight into the above objectives. Suppose that a continuous map, the performance index, is given by J : R nz ×nξ → R+ , such that J(M) = ∞ for any M ∈ RH ∞ , where R nz ×nξ denotes the set of rational transfer nz × nξ matrices, and RH ∞ denotes the set of stable real rational transfer matrices. Let M(δ , f ) ∈ R (p+nz )×(m+nξ ) be partitioned as follows
M11 (δ , f ) M12 (δ , f ) M(δ , f ) = , M21 (δ , f ) M22 (δ , f ) where, as depicted in Figure 2.7, the subsystem M22 (δ , f ) ∈ R p×m gives the relationships between the control actions and the measured output signals, and the subsystem M11 (δ , f ) ∈ R nz ×nξ describes the relationships between all exogenous inputs (such as noises, disturbances, reference signals) and the regulated (controlled) outputs that are related to the performance of the system (e.g. tracking errors). The feedback interconnection of the model M(δ , f ) with some controller K ∈ R m×p is represented by the lower linear fractional transformation FL (M(δ , f ), K) = M11 (δ , f ) + M12 (δ , f )K(I − M22 (δ , f )K)−1 M21 (δ , f ). For a fixed controller K, the performance of the resulting closed-loop is therefore represented by J(FL (M(δ , f ), K)).
2
Fault Tolerant Flight Control - A Survey
61
2.5.1 Passive Fault Tolerant Control The passive robust FTC problem is then defined as the following optimization problem Passive FTC: KP = arg min sup J(FL (M(δ , f ), K)). K
δ ∈Δ f ∈F
(2.13)
In this way a controller needs to be found that minimizes the worst-case performance over all possible values for the uncertainty vector δ and the fault vector f . This problem is considered in [51] where methods are developed for robust controller design in the presence of structured uncertainty. In practice, two main difficulties arise with the optimization problem (2.13), both being related to convexity. In the case when the state vector xk is directly measured (or, equivalently, when yk = xk ), the optimization problem (2.13) is convex in the controller parameters for many standard performance indices (e.g. J(·) = · 2 , J(·) = · ∞, etc.) provided that the set {M(δ , f ) : δ ∈ Δ , f ∈ F } is a convex polytope. In such cases (2.13) can be represented as a linear matrix inequality (LMI) optimization problem, for which there exist very efficient and computationally fast solvers. If M(δ , f ) is not a convex set, however, the original problem (2.13) is also nonconvex and the LMI solvers cannot be used. A “brute force” way to deal with this problem is to embed the set M(δ , f ) into a convex set. This, however, introduces unnecessary conservatism that for some problems might be unacceptable or undesirable. In order to deal with such problems a probabilistic design approach is proposed in [51] that is basically applicable for any bounded set M(δ , f ), as long as (2.13) can be rewritten as a robust LMI optimization problem (as for most state-feedback controller design problems). This method is basically an iterative algorithm that at each iteration generates a random uncertainty sample for which an ellipsoid is computed with the properties that (a) it contains the solution set (the set of all solutions to the robust LMI problem), (b) it has a smaller volume than the ellipsoid at the previous iteration. The approach is proved to converge to the solution set in a finite number of iterations with probability one. In the output-feedback case the probabilistic method described in [51] cannot be directly applied because the optimization problem (2.13) cannot be rewritten as a robust LMI optimization problem. The reason for that is that the output-feedback problem in the presence of uncertainty is a bilinear matrix inequality (BMI) problem, and BMI problems are not convex. Actually, such problems have been shown to be NP-hard meaning that they cannot be expected to have polynomial time complexity. A local BMI optimization approach is developed in [51] that is guaranteed to converge to a local optimum of the cost function J(FL (M(δ , f ), K)).
62
M. Verhaegen et al.
2.5.2 Active Fault Tolerant Control Whenever an estimate fˆ of the fault vector f is provided by some FDD scheme, and if the imprecision in this estimate is described by an additional uncertainty Δ f ∈ Δ f so that f = (I + Δ f ) fˆ, the active robust FTC can be defined as the problem: given f = (I + Δ f ) fˆ, evaluate K˜A ( fˆ) = arg min sup J(FL (M(δ , f ), K( fˆ))). K( fˆ)
δ ∈Δ Δf ∈ Δ f
(2.14)
The resulting controller would, in this way, be scheduled by the fault estimate fˆ and will be robust with respect to uncertainties both in the model M(δ , f ) and in the estimate of f . Clearly, the way in which the scheduling parameter fˆ enters the controller needs to be assumed before one could proceed with the optimization. In the above, Δ f represents the FDD uncertainty that, as already discussed, usually increases after the occurrence of a fault. This will then subsequently decrease as the FDD scheme refines the estimate based on the availability of more inputoutput data from the impaired system. As a result the “maximal uncertainty” is only active for some relatively short periods of time compared with the lifetime of the system. Therefore, assuming a maximal uncertainty size during the complete operation might be overly conservative since the robust controller effectively trades off performance for increased robustness to uncertainties. Hence, it is interesting to allow the controller to deal with an FDD uncertainty with time-varying size. To this end, however, the FDD scheme should be capable of providing not only an estimate of the fault but also an upper bound on the magnitude of the uncertainty on this estimate. The size of the FDD uncertainty might, for instance, be represented by a scalar γ f (k) such that fk = (I + γ f (k)Δ¯ f ) fˆk with Δ¯ f 2 ≤ 1. In this way the size of the uncertainty set is allowed to vary with time. In fact γ f (k) might be a vector to make it possible to assign different uncertainty sizes on the different entries of the fault vector fk . Therefore, provided that the FDD scheme produces ( fˆk , γ f (k)) at each time instance, the achievable performance in (2.14) may further be improved by computing the controller by solving the following optimization problem Active FTC: given f = (I + γ f Δ¯ f ) fˆ, evaluate KA ( fˆ, γ f ) = arg min sup K( fˆ,γ f )
δ ∈Δ Δ¯ f ∈ Δ¯ f γ f ≤ γ f ≤ γ¯ f
J(FL (M(δ , f ), K( fˆ, γ f ))),
(2.15)
where Δ¯ f = {Δ ∈ Δ f : Δ ≤ 1}, and where the vectors {γ f , γ¯f }, assumed known a-priori, define a lower and an upper bound on the possible uncertainty sizes. In this way methods can be developed for the design of robust active FTC for one uncertain local model M(δ , f ). The robust active FTC design problem is considered in [51].
2
Fault Tolerant Flight Control - A Survey
63
Fig. 2.8 Classification of approaches to reconfigurable flight control.
2.6 State-of-the-Art in Fault Tolerant Flight Control In this section an overview of the existing work in the area of fault tolerant control is given, an area that has been gaining increasing attention in the aerospace community in recent years. Some overview books and papers in the field of FTC are [36, 45, 5, 96]. Due to their improved performance and their ability to deal with a wider class of faults, active FTC methods have gained much more attention in the literature than the passive FTC methods. In the following, a survey is given focussed on current active FTC methods of which several have been evaluated within this GARTEUR action group. The survey starts with a classification of the described and evaluated FTC methodologies to approach the problem of reconfigurable flight control.
2.6.1 Classification of Reconfigurable Control Many methods have been proposed to solve the problem of fault tolerant control. As shown in Figure 2.8 they fall into two main categories: active and passive. Passive methods are essentially robust control techniques which are suitable for certain types of structural failures that can be modelled as uncertainty regions around a nominal model. Any failure which doesn’t push the system outside of the stability radius given by the robust controller will still have satisfactory stability and
64
M. Verhaegen et al.
performance guarantees. However, any controller with a large enough stability radius to encompass most failure situations will likely be unnecessarily conservative and there is no guarantee that unanticipated or multiple failures could be handled or even that such a controller exists. There are also many types of common failures, such as actuator or sensor faults, which cannot be adequately modelled as uncertainty. These problems motivate the need for a controller which more directly addresses the situation. The active methods differentiate themselves from passive approaches in that they take fault information explicitly into account and do not assume a static nominal model. Reconfigurable flight control is for the most part still an academic notion. Although there have been very few controllers implemented on physical systems and none on commercial aircraft, over the last 20 years several research programs have been formed to investigate their potential and as a result there are a variety of active methods. The following sections give an overview of each approach.
2.6.2 Multiple Model Control The multiple model (MM) method is an active approach to FTC that belongs to the class of projection based methods rather than to the on-line re-design methods. The MM method is frequently used for FDD/FTC purposes [92, 78, 27, 37]. The MM method is based on a finite set of linear models Mi , i = 1, 2, . . . , N that describe the system in different operating conditions, i.e. in the presence of different faults in the system. For each such local model Mi a controller Ci is designed (off-line). The key in the design is to develop an on-line procedure that determines the global control action through a (probabilistically) weighted combination of the different control actions that can be taken. The control action weighting is usually based on a bank of Kalman filters, where each Kalman filter is designed for one of the local models Mi . On the basis of the residuals of the Kalman filters, the probability 1 ≥ μi ≥ 0 of each model to be in effect, is computed. The control action is then computed as the weighted combination N
u(k) = ∑ μi (k)ui (k), i=1
N
∑ μi = 1,
(2.16)
i=1
where ui (k) is the control action produced by a controller designed for the i-th local model. The multiple model method is a very attractive tool for modelling and control of nonlinear systems. However, these approaches usually only consider a finite number of anticipated faults and proceed by building one local model for each anticipated fault. In this way, at each time instance only one model, say model Mi , is assumed to be in effect, so that its corresponding weight μi is approximately equal to unity and all the other weights μ j , j = i are close to zero. In such cases at each time instance one local controller is “active”, namely the one corresponding to the model Mi that is in effect. The disadvantage here is that if the current model is not in the predesigned
2
Fault Tolerant Flight Control - A Survey
65
Fig. 2.9 Multiple Model Switching and Tuning
model set and is instead formed by some convex combination of the local models in the model set (representing, for instance, unanticipated faults) then, in general, the control action (2.16) is not the optimal one for this model. It can easily be shown that forming the global control action as in (2.16) can even lead to instability of the closed-loop system. In order to avoid that when dealing with unanticipated faults, an approach is proposed in [51] that uses a bank of predictive controllers and forms the global control action in an optimal way, so that the optimal control action for the current model is used at each time instance instead of (2.16). Another disadvantage of the MM approaches is that model uncertainties, as well as uncertainties in the weights μi (k), cannot be considered. There are three types of reconfigurable control that fall under the heading of multiple model control: Multiple Model Switching and Tuning (MMST), Interacting Multiple Model (IMM) and Propulsion Controlled Aircraft (PCA). In the first two cases all expected failure scenarios are enumerated during a Failure Modes and Effects Analysis (FMEA) and fault models constructed which cover each situation. When a failure occurs, MMST switches to a pre-computed control law corresponding to the current failure situation. Rather than using the model which is closest to the current failure scenario, IMM computes a fault model as a convex combination of all pre-computed fault models and then uses this new model to make control decisions. PCA is a special case of MMST, where the only anticipated fault is a total hydraulics failure, and in this case only the engines are used for control. The following sections discuss these three approaches.
66
M. Verhaegen et al.
Fig. 2.10 Single Model vs. Multiple Model Adaptation
2.6.2.1
Multiple Model Switching and Tuning (MMST)
Although the idea of multiple model control has been around for many years, it has seen some interest in the reconfigurable control literature in the last few years [13, 34, 14, 10, 11, 12, 53, 25]. In MMST, the dynamics of each fault scenario is described by a different model. These models are referred to as the identification models [13] and are setup in parallel, with each one having a corresponding controller as shown in Figure 2.9. The problem then becomes one of choosing which model/controller pair to switch to at each time instant. Figure 2.10 helps to motivate the use of MMST in reconfigurable control systems. During a failure the plant is assumed to move from some nominal model P0 to a failure model Pf some distance away in parameter space. The top half of the figure shows an adaptive control scheme which is using only a single model, and the lower a MMST method. For certain plants, the MMST converges to the correct fault model faster than a single model approach. Consider a system of the form x˙ = A0 (p(t))x + B0 (p(t))u (2.17) P= y = C0 (p(t))x
2
Fault Tolerant Flight Control - A Survey
67
where x ∈ Rn , u ∈ Rm , y ∈ Rk , A0 ∈ Rn×n , B0 ∈ Rn×m , C0 ∈ Rk×n and p(t) ∈ S ⊆ Rl are the plant parameters. The quantity p(t) varies in time in an abrupt fashion and represents the various failure scenarios. Definition 6.1 (Model Set). The model set M is a set of N linear models M : {M1 , . . . , MN }
such that Mi :
x˙i = Ai xi + Bi u yi = Ci xi
where model Mi corresponds to a particular set of parameters pi ∈ S . A stabilizing controller Ki is designed for each model Mi ∈ M . The control law proceeds as follows. At each time step, the model which is closest to the current system is determined by computing a performance index Ji (t), which is a function of the errors ei (t) between the estimated outputs of model Mi and the measurements at time t. A commonly used index is [71]
Ji (t) = α e2i (t) + β 0t e−λ (t−τ ) e2i (τ )d τ α ≥ 0, β > 0, λ > 0 where α and β are chosen to give a desired combination of instantaneous and longterm accuracy measures. The forgetting factor λ ensures the boundedness of Ji (t) for bounded ei . The model/controller, Mi /Ki with the smallest index is switched to and a waiting period of Tmin > 0 is allowed to pass in order to prevent arbitrarily fast switching. Most MMST algorithms include a ‘tuning’ part which occurs during the period while a controller Ki is active, during which time the parameters of the corresponding model, and only the corresponding model Mi , are being updated using an appropriate identification technique (e.g. [2]). Recent interest in this approach arises from the following stability result: Theorem 6.2 [71]. Consider the switching and tuning system described above, where the N models are all fixed and the proposed switching scheme is used with β , λ , Tmin > 0, and α ≥ 0. Then, for each plant with parameter vector p ∈ S , there is a positive number TS and a function μS (p, Tmin ) > 0, such that if: • the waiting time Tmin ∈ (0, TS ) • there is at least one model Mi with parameter error || pˆi − p|| < μS (p, Tmin ) then all the signals in the overall system, as well as the performance indices {Ji (t)}, are uniformly bounded. Here TS depends only upon S , and μS also depends upon α , β , λ and S . In essence, Theorem 6.2 states that the MMST system is stable if the set of models Mi is dense enough in the parameter space S and the sampling rate Tmin is fast
68
M. Verhaegen et al.
enough. How dense and how fast depend on the particular system and Theorem 6.2 gives no insight into the selection of M or Tmin . Despite the limitations of Theorem 6.2, there are several papers which have applied these methods. In [13, 10, 11, 12] a MMST controller is developed for the highly over-actuated tailless advanced fighter aircraft (TAFA). Eleven fault models are required to cover the scenario of right wing damage ranging from 0% to 100% and a switching interval of 25ms is needed for stability. Clearly, this approach will not scale well to the situation where more than one failure, or multiple failures are considered. Ref. [14] describes a MMST scheme which can handle locked, floating, hard-over or loss of effectiveness actuator failures for an F-18 aircraft carrier landing manoeuvre. Only five models are needed for satisfactory performance, but again, multiple failures cannot be accommodated. Ref. [13] introduced a new method of failure parameterizations for jammed actuators, enabling multiple complete failures of control surfaces for an F-18 to be handled using a large number of simple models. For systems with relatively few and well understood failure modes, multiple model switching and tuning has advantages in being fast and provably stable. However, the main limitation is that there may be failure scenarios that were not modelled, which would likely be the case for multiple or structural failures. A severe limitation for larger systems is that the number of models required increases exponentially with the number of simultaneous failures considered. 2.6.2.2
Interacting Multiple Models (IMM)
The method of interacting multiple models (IMM) attempts to deal with the key limitation of MMST, namely that every fault scenario must be modelled, by considering fault models which are convex combinations of models in a model set. The primary assumption of IMM is that every possible failure can be modelled as a convex combination of models in a pre-determined model set M as defined above in Definition 6.1 ⎡ ⎤ M1 N N ⎢ ⎥ (2.18) M f = ∑ μi Mi = μ T ⎣ ... ⎦ , Mi ∈ M , μi > 0 ∈ R, ∑ μi = 1, i=1
MN
i=1
Then M f is the system: ⎧ ⎡ ⎤ ⎡ ⎤ A1 0 . . . 0 B1 ⎪ ⎪ ⎪ ⎢ 0 A2 . . . 0 ⎥ ⎢ B2 ⎥ ⎪ ⎪ ⎢ ⎪ ⎥ ⎥ ⎢ ⎪ ⎨ x˙ = ⎢ .. .. . . .. ⎥ x + ⎢ .. ⎥ u ⎣. . . . ⎦ ⎣ . ⎦ Mf : ⎪ 0 0 . . . A BN ⎪ n ⎪ ⎪ ⎪ ⎪ ⎪ ⎩ y = μ1C1 μ2C2 . . . μN CN x
(2.19)
2
Fault Tolerant Flight Control - A Survey
69
It is still an open question how to choose this model set or when the assumption that the failure model can be written as a convex combination of the models in the set, is valid. Fault detection and modelling is then done online by identifying the variables μi in Equation (2.18). Two proposed methods exist for computing the coefficients μ . In the first, a Kalman filter is designed for each Mi ∈ M and all filters are run in parallel. The probability that each of these models represents the true state of the system can be computed and the coefficients μ are set to these probabilities. This method is named Multiple Model Adaptive Estimation (MMAE) and is used in [68, 93]. In the second approach, the previous k f time instants are considered and the estimated output at each point is computed as a function of μ , which is then selected to minimize this difference. This approach is advocated in [52, 54]. Once a fault model has been identified, there are a variety of methods for control law calculation. Refs. [52] and [54] suggest a Model Predictive Control (MPC) scheme where the minimization of the past tracking error, and therefore of μ , is included in the cost function. Ref. [93] proposes an Eigenstructure Assignment (EA) (see Section 2.6.6) method and [68] uses a fixed controller, using the fault model M f only for state estimation. IMM is attractive in its ability to handle multiple failure scenarios by combining single failure models. However, the requirement of finding the coefficients μ after a failure makes this an adaptive algorithm and not a model-switching one. As a result it loses some of the speed of the MMST approach. The formulation of IMM as an MPC problem given in [54] also offers the potential of handling actuator constraints naturally. 2.6.2.3
Propulsion Controlled Aircraft (PCA)
After the possibility of control using only the engine throttles was demonstrated by the Sioux City accident (see Chapter 1), and following a recommendation from the National Transportation Safety Board of America, the PCA problem was taken up by the NASA Dryden Flight Research Center [16, 17] in order to provide a backup in case of total hydraulic failure. PCA is a specific instance of a multi-model approach where the fault model is identical to the nominal one, but in which all control surfaces are free floating. In 1995, a demonstration was made during which a MD-11 (Figure 2.11) and a F-15 recovered from a complete hydraulic failure and landed successfully under propulsion-only control [18]. PCA is a useful and important idea and solves a very practical problem. However, it clearly is not sufficient to solve the general reconfigurable control problem.
2.6.3 Control Allocation (CA) Control allocation is the problem of producing a desired set of forces and moments from a (usually large) set of actuators. For example, as shown in Figure 2.12, the output of the control law can be a set of desired moments and the job of the control
70
M. Verhaegen et al.
Fig. 2.11 Landing demonstration of MD-11 Propulsion Controlled Aircraft (PCA), NASA Dryden, 2001 (copyright NASA)
Fig. 2.12 Control Allocation scheme
allocation block is then to select appropriate setpoints for the actuators which will produce those moments. The control allocation algorithm takes as inputs the desired moments and an estimation of the input derivatives (adaptive B f matrix) from either a FDI or a system identification algorithm. The algorithm therefore has the ability to adapt the way actuation forces are generated from the available actuators, to the faults that have occurred. For example, if the effectiveness of a certain actuator becomes 0% due to a fault, the corresponding column in B f will also become 0. This actuator is then not considered anymore by the control allocation method. Instead, the remaining actuators can be used to generate the desired actuation forces. The goal is then to produce the desired moments ud by selecting the appropriate inputs to the system u. Whether this can be done depends on the difference between the size of ud ∈ Rm and the column rank of B f ∈ Rn×k . There are three cases to consider: • If m < k the moments can be selected exactly and the remaining degrees of freedom can be used (for example) to drive the actuators towards a desired position u p by minimizing [90, 15, 20]:
2
Fault Tolerant Flight Control - A Survey
71
1 2 ||u − u p||Wp
= 12 (u − u p)T Wp (u − u p) where Wp = WpT > 0 subject to Bu = ud where Wp is a weighting matrix prioritizing critical actuators. • If m = k then there is only one solution which places the moments exactly u = B−1 ud
• In the case when m > k there are not enough degrees of freedom to achieve ud and so a compromise must be made by (for example) minimizing the weighted norm 1 ||Bu − ud ||Wd 2 Control allocation has been heavily studied in relation to over-actuated systems (see [29] for a survey) and has received a great deal of attention in the literature for reconfigurable systems as it allows actuator failures to be handled without the need to modify the control law. However, there are two major limitations to this approach to reconfiguration. Firstly, the system will not necessarily be stable, even with a stabilizing control law, when m > k, as the input seen by the system may not be equal to that intended by the controller. Secondly, the dynamics and limitations of the actuators after a failure are not taken into account in the control law. This means that the controller will still be attempting to achieve the original system performance even though the actuators are not capable of achieving it. Control allocation has received considerable attention from the field of aerospace engineering. Extensions to the simple control allocation problem presented here have been considered in the literature. In [9] and [28] the problem of control allocation with magnitude and rate limits on the actuators is considered, [24] develops a control allocation controller for the extremely over-actuated Innovative Control Effector (ICE) aircraft and [98] looks at restoring as much of the performance of the original B matrix as possible after an actuator failure. Other examples of work in the area of control allocation for aerospace applications can be found in [7] and [38].
2.6.4 Adaptive Feedback Linearization via Artificial Neural Network This section examines a method primarily developed by Calise et al [42, 48, 41, 19, 21, 90, 20] involving a Model Reference Adaptive Control (MRAC) scheme through adaptive feedback linearization augmented by an Artificial Neural Network (ANN). This approach has been successfully demonstrated via simulation on the Tailless Advanced Fighter Aircraft (TAFA) [90, 20] and the X-36 [21]. The approach presented here splits the dynamics of the plane into three SISO subsystems, each of which has a model reference adaptive controller: roll, pitch and yaw. The output of each controller is a command specifying a desired roll, pitch or yaw moment and
72
M. Verhaegen et al.
it is then the job of the Integrated Control Effector Management (ICEM) [15, 90], a form of control allocation, to generate these moments using the available control surfaces. In the next three sections, a brief overview of the principles of feedback linearization on SISO systems will be given, review the particulars and benefits of its use in reconfiguration and finally discuss the ICEM and its role in the proposed method. 2.6.4.1
Single-Input Single-Output (SISO) Feedback Linearization
Consider the SISO nonlinear system x˙ = f (x, u) x ∈ Rn , u, y ∈ R y = h(x)
(2.20)
In feedback linearization the goal is to design a control law for the SISO nonlinear system given in Equation 2.20 such that the closed loop system is linear and controllable. Assuming the relative degree of h is r = n, the rth derivative of the output is the first derivative that is directly affected by the control. As a result, we can write the system dynamics in the normal form ([44], Section 4.2):
Φ1 (x) = h(x) = z1 Φ2 (x) = dh(x) = z˙1 dt
=y = z2
Φ3 (x) = d dth(x) = z˙2 2 .. .. . . r Φr (x) = d dth(x) = z˙r−1 r z˙r = hr (z, u)
= z3 .. . = zr
2
(2.21)
where Φ (x) = z = [z1 , . . . , zr ] . We now define the ‘pseudo control signal’ ν
ν = hˆ r (Φ (x), u) where hˆ r (Φ (x), u) is an invertible estimate of hr (z, u). Then the system dynamics can be expressed as z˙i = zi+1 , 1 ≤ i ≤ r − 1 z˙r = ν + Δ (2.22) y = z1 where
Δ = Δ (z, u) = hr (z, u) − hˆ r (y, u)
In effect, the transformation places r integrators between the pseudo control ν and the system output y, with the error Δ acting as a disturbance signal. This is now a linear and controllable system.
2
Fault Tolerant Flight Control - A Survey
73
Fig. 2.13 Nonlinear Adaptive Output Feedback Controller
2.6.4.2
Feedback Linearization for Reconfigurable Control
Feedback linearization can be used in a model-following configuration by choosing the pseudo control to have the form [19]
ν = yrc + νdc − νad , where νdc is the output of a stabilizing linear compensator for the linearized system given by Equation (2.22) with Δ = 0. The quantity νad is an adaptive signal designed to cancel Δ and yrc is the rth derivative of the signal to be tracked. The signal yrc can be obtained from an (at least) rth order reference model which defines the desired dynamics. If the model of the system is perfect, Δ = 0 and we could simply apply the input −1 r u = hˆ −1 r (x, ν ) = hr (x, yc + νdc ) and the system would track the reference trajectory. However, as there will always be modelling errors, the error Δ needs to be compensated online and for this an ANN can be used. Neural networks can be trained to approximate any function with an arbitrary precision. As a result, the ANN can estimate the modelling error and hence cancel it. The benefit of this approach is that no model structure needs to be assumed in order to estimate the error. Figure 2.13 shows the structure of the full controller, and Figure 2.14 that of the linear compensator. This control technique was proposed as a method of reconfigurable control in combination with Wise’s ICEM [15]. This scheme is suited to reconfigurable control, as the adaptation makes no assumptions about the structure of the system after
74
M. Verhaegen et al.
Fig. 2.14 Block Diagram of the Error Dynamics
the failure. Since the ANN can approximate any nonlinear function, it can track and cancel any structural failures which may occur under the assumption of sufficient control authority and excitation for adaptation. The techniques presented in this section have been developed and expanded upon in several publications: Single Input Single Output (SISO) stability proofs [19], input saturation [48], combined aero/engine control [42] and highly over-actuated systems [21].
2.6.5 Sliding Mode Control (SMC) This section reviews the work in [82]. The proposed controller is setup in a two-loop cascade configuration, with the ultimate goal of tracking a trajectory given by roll, pitch and yaw angle setpoints. The outer-loop takes roll, pitch and yaw setpoints and provides angular rate commands to the inner-loop, which is assumed to track the commands using the inputs to the actuators. The outer-loop is designed using standard robust SMC techniques. The innerloop is also a robust sliding mode controller but has an adaptive feature to handle actuator magnitude and rate limitations. In [82] it is shown that modifying the size of the boundary layer online can ensure that integrators do not wind up, as well as ensuring that actuator magnitude and rate limits are satisfied. There is a direct tradeoff between the size of the boundary layer and tracking performance. Therefore, this procedure provides an intuitive method of maximizing tracking while ensuring actuator limits. The benefits of this controller to reconfigurable control are two-fold. Firstly, being a robust control technique, it can handle all structural failures which modify the dynamics of the plant less than the assumed uncertainty. Secondly, the online adaptation of the boundary layer can handle partial loss of actuator surfaces, while avoiding limits and integrator windup by reducing the tracking performance. Although this technique provides benefits to aircraft control, there are limitations due to the use of SMC when it is presented with the full reconfigurable problem. 1. There must be one and only one control surface for every controlled variable and second, none of the control surfaces can ever be lost. This is handled in [82] by only considering failures which cause a partial loss of effectiveness of
2
Fault Tolerant Flight Control - A Survey
75
the control surfaces, which is not realistic as floating or jammed actuators are certainly possible failure scenarios. This problem could be addressed by placing a control allocation algorithm (see Section 2.6.3) between the requested outputs and the physical actuators. 2. The method proposes to use robust control to handle all structural failures. This requires a de-tuning of the controller to the point that it can handle uncertainties including all possible structural failures, which may well result in an excessively conservative controller in the non-failure situation.
2.6.6 Eigenstructure Assignment (EA) Eigenstructure Assignment (EA) was made popular in the 1980s primarily by Andry, Shapiro and Chung in their paper [1] where the method of Direct Eigenstructure Assignment (DEA) was introduced. The idea behind the method is to place the eigenvalues of a linear system using state feedback and then use any remaining degrees of freedom to align the eigenvectors as accurately as is possible. The eigenvalues determine the natural frequency and damping of each mode while the eigenvectors control how much each mode contributes to a given output. The following sections first give a brief overview of the theory behind EA and then a review of its use in reconfigurable control. 2.6.6.1
Introduction to Eigenstructure Assignment
The eigenstructure assignment (EA) method [63] to controller reconfiguration is a more intuitive approach than the Pseudo Inverse method (Section 6.6.3). It aims at matching the eigenstructures (i.e. the eigenvalues and the eigenvectors) of the Amatrices of the nominal and the faulty closed-loop systems. The main idea is to exactly assign some of the most dominant eigenvalues while at the same time minimizing the 2-norm of the difference between the corresponding eigenvectors. The procedure has been developed both under constant state-feedback [89] and outputfeedback [26]. More specifically, in the state-feedback case, if λi , i = 1, 2, . . . , n are the eigenvalues of the A-matrix of the nominal closed-loop system formed as the interconnection of (2.25) with the constant state-feedback control action uk = Fxk , and if vi are their corresponding eigenvectors, the EA method computes the statefeedback gain FR for the faulty model (2.26) as the solution to the following problem ⎧ Find FR ⎪ ⎪ ⎨ f f (2.23) EA : such that (Af f + B f FR )vi = λi vf i 2, i = 1, . . . , n, ⎪ and vi = arg min vi − vi Wi , ⎪ ⎩ f vi
f
f
f
2 where vi − vi W = (vi − vi )T Wi (vi − vi ). In other words, the new gain FR needs to i be such that the poles of the resulting closed-loop system coincide with the poles of the nominal closed-loop system and, in addition, the eigenvectors of the closed-loop A-matrices are as close as possible. As both the eigenvectors and the eigenvalues
76
M. Verhaegen et al.
determine the shape of the time response of the closed-loop system, this method can be thought of as trying to preserve the nominal closed-loop system time-response after the occurrence of faults. Thus, the objective of the EA method seems more “natural” than that of the Pseudo Inverse Method (PIM) and, moreover, the stability is guaranteed. The computational burden of the approach is not high since an analytic expression for the solution to (2.23) is available, i.e. no on-line optimization is necessary. The disadvantage is that model and FDD uncertainties cannot be easily incorporated in the optimization problem, and that only static controllers are considered. The references [22, 58] further describe the use of Eigenstructure Assignment. 2.6.6.2
Reconfigurable Eigenstructure Assignment
Although a method for choosing appropriate eigenvectors and eigenvalues is not immediately obvious for aircraft, some studies have been made on the effects of the eigenstructure (eigenvalues and eigenvectors) on flying qualities [23]. Methods which propose EA for use in reconfigurable flight control systems [58, 4, 94] first assume a linear fault model which has been given to the controller by a FDI system. x˙ = A f x + B f u y = Cf x The goal is then to design a stabilizing output feedback law K f u = Kf Cf x
(2.24)
such that the new eigenstructure closed-loop system A f + B f K f C f is as close as possible to that of the original closed-loop system A + BKC. The choice of K f can be made in a variety of ways, but the placement of the eigenspace is limited by Theorem 2.1. Generally the eigenvalues of the failed system, λif are ordered from most important to least and then the top max(m, k) are made to exactly match those of the non-failed system λ , while the remainder are kept stable. Similarly, the most important max(m, k) eigenvectors of the failed system, vif , are made close to those of the original system vi in the least squares sense. Theorem 2.1. [23] Consider a controllable and observable system with the output feedback law of (2.24) and the assumption that the matrices B and C are full rank. Then, there exists a matrix K ∈ Rm×k such that 1. max(m, k) closed-loop eigenvalues can be assigned 2. max(m, k) eigenvectors can be partially assigned with min(m, k) entries in each vector arbitrarily chosen There are several limitations to this approach when applied to reconfiguration. Firstly, only linear systems have been considered and actuator limitations have not been taken into account. Secondly, a perfect fault model is assumed and the effects of uncertainty have not been extensively studied. Finally, the effect of the eigenvectors in the failed system not being exactly equal to those in the nominal system
2
Fault Tolerant Flight Control - A Survey
77
is not well understood. The result of these significant limitations is that only a few researchers have proposed this approach. 2.6.6.3
Pseudo Inverse Method (PIM)
The pseudo-inverse method (PIM) [31] is one of the most cited active methods to FTC due to its computational simplicity and its ability to handle a very large class of system faults. The basic version of the PIM considers a nominal linear system xk+1 = Axk + Bu (2.25) yk = Cxk , with a linear state-feedback control law uk = Fxk , under the assumption that the state vector is available for measurement. The method allows for a very general post-fault system representation f xk+1 = A f xkf + B f uRk (2.26) ykf = C f xkf , where the new, reconfigured control law is taken with the same structure, i.e. uRk = FR xkf . The goal is then to find the new state-feedback gain matrix FR in such a way that the “distance” (defined below) between the A-matrices of the nominal and the post-fault closed-loop systems is minimized, i.e. FR = arg min (A + BF) − (A f + B f FR ) F FR PIM : (2.27) = B†f (A + BF − A f ), where B†f is the pseudo-inverse of the matrix B f . The advantages of this approach are that it is very suitable for on-line implementation due to its simplicity, and moreover, that it allows for changes in all state-space matrices of the system as a consequence of the faults. A very strong disadvantage is, however, that the optimal control law computed by equation (2.27) does not always stabilize the closed-loop system. Simple examples that confirm this fact can easily be generated, see for example [31]. To circumvent this problem, the modified pseudo-inverse method was developed in [31] that basically solves the same problem under the additional constraint that the resulting closed-loop system remains stable. This, however, results in a constrained optimization problem that increases the computational burden. A similar approach is also discussed in [77, 62], where the reconfigured control action uRk is directly computed from the nominal control uk as uRk = B†f Buk . Other modifications of this approach that were proposed include the consideration of additive faults on the state equation and additive terms on the control action to compensate for them in [73] and static output-feedback in [59].
78
M. Verhaegen et al.
Fig. 2.15 Model Reference Adaptive Control
2.6.7 Model Reference Adaptive Control (MRAC) Astr¨om defines an adaptive controller as “a controller with adjustable parameters and a mechanism for adjusting those parameters” ([2], Page 1). Clearly, all methods presented in this survey are adaptive to some degree (save for robust control techniques) as they require the identification of a fault model in order to compute a control law. The approach we consider here is Model Reference Adaptive Control (MRAC) which can be effective for many types of structural failures and is often used as a final stage in other algorithms. The goal of adaptive model-following is to force the plant output to track a reference model. We consider linear plants of the form x˙ = Ax + Bu + d y = Cx
(2.28)
where x ∈ Rn , u ∈ Rm , y ∈ Rk and a reference model of the form y˙d = Ad yd + Bd r
(2.29)
where yd ∈ Rk and r ∈ Rk . Ad and Bd are arbitrary square matrices with Ad stable. State feedback of the form shown in Figure 2.15 is considered. u = C0 r + G0 x + v where C0 ∈ Rk×k , G0 ∈ Rk×n and v ∈ Rk are free controller parameters. The closed loop dynamics are then y˙ = (CA + CBG0)x + CBC0 r + CBv + Cd
(2.30)
The goal is now to make the closed loop dynamics given by Equation (2.30) match the desired dynamics of Equation (2.29). If the model shown in Equation (2.28) was known exactly, the controller parameters C0 , G0 and v could be computed to achieve this. However, since post-failure the model in (2.28) is not known exactly,
2
Fault Tolerant Flight Control - A Survey
79
the controller parameters need to be adapted. There are two methods to achieve this: direct and indirect adaptation. 2.6.7.1
Indirect Adaptation
There are two stages in indirect adaptive control. Firstly the matrices A, B and d are estimated and then under the assumption that these estimates are correct the control parameters G0 ,C0 and v are computed such that the closed-loop system matches the desired dynamics. ˆ Bˆ and dˆ ([2]), A least squares algorithm can be used to compute the estimates A, which can then be used to compute the controller parameters such that the closed loop dynamics (2.30) match the desired ones (2.29). ˆ −1 Bd C0 = (CB) ˆ ˆ −1 (Ad C − CA) G0 = (CB) ˆ −1 (Cd) v = (CB) ˆ = 0. where we must assume that det(CB) The idea of identifying the model online and then computing a control law under the assumption that the estimated model is perfect is common in the reconfigurable control literature. For example, the EA algorithms of Section 2.6.6 and the IMM algorithms of Section 2.6.2.2 assume this type of structure. 2.6.7.2
Direct Adaptation
Direct adaptive control attempts to estimate the controller parameters G0 ,C0 and v directly rather than first computing the model parameters. We define G0 ,C0 and v as the ‘correct’ values of the controller parameters which will force the plant to track the reference model. A problem can then be formulated such that a least squares routine can be used to estimate the correct controller parameters [8]. The idea of direct adaptation is seen in algorithms such as the adaptive feedback linearization approach presented in Section 2.6.4. The basic model-reference adaptive control techniques described here are not by themselves suitable for reconfigurable control for two main reasons. Firstly, in order for these approaches to work a model structure must be assumed. However, the types of failures addressed in reconfigurable control may well cause the plant structure to change drastically. Secondly, adaptive control requires the system parameters to change slowly enough for the estimation algorithm to track them. Faults may well cause abrupt and drastic changes in the parameters moving the system instantaneously to a new region of the parameter space. There is no guarantee that the system will be stable during the transient period in which the adaptive algorithm is identifying the faulty plant. Despite the limitations of adaptive control for reconfiguration, some researchers have attempted to apply it in slightly modified forms [6, 35, 8]. As a result adaptive control on its own is not enough to handle the general problem, but may well be an important part of a reconfigurable algorithm.
80
M. Verhaegen et al.
2.6.8 Model Predictive Control After its introduction in the 1970s, model predictive control (MPC) has become a popular strategy in the field of industrial process control. The main reasons for this popularity are the abilities of MPC to control multivariable systems and to handle constraints. Initially, MPC was primarily applied to relatively slow processes such as the plants encountered in the process industry. The reason for this is that MPC can require considerable computational effort to generate the control signals as a result of an optimization that has to be performed at each time instance. This optimization is based on matching a prediction of the system output to some desired reference trajectory. The latter is assumed to be known in advance. For the relatively slow plants in the process industry, the considerable computational effort of MPC was not an issue because of the low sampling frequency of the controllers. However, for faster systems, higher frequencies were required that prevented on-line implementation of MPC for such systems. More recently, MPC has become a viable alternative for faster systems as a result of the increase in computational power that is available in modern control systems. For example, in [79] MPC has been used for real-time control of a miniature hovercraft. Another example is [56], in which MPC has been used for real-time control of an unmanned aerial vehicle. As discussed in [65], the MPC architecture allows fault-tolerance to be embedded in a relatively easy way by: (a) redefining the constraints to represent certain faults (usually actuator faults), (b) changing the internal model, (c) changing the control objectives to reflect limitations due to the faulty mode of operation. In such a way there is practically no additional optimization that needs to be executed on-line as a consequence of a fault being diagnosed, so that this method can be viewed as having an inherent self-reconfiguration property. However, if state-feedback MPC is used in an interconnection with an observer one should also take care to also reconfigure the observer appropriately in order to achieve fault-tolerant state estimation. Examples of the application of MPC to FTC are numerous [66, 51, 76, 50, 56]. Model predictive control has been proposed as a method for reconfigurable flight control due to its ability to handle constraints and changing model dynamics systematically. MPC relies on an internal model of the system and so, like many of the approaches presented in this survey, a fault model is required. There are two general classifications of aircraft faults: actuator and structural. As noted in [69], these failures can be handled naturally in a MPC framework via changes in the input constraints and internal model. Actuator limit and rate constraints can be written as: uli ≤ ui (t) ≤ uui duli ≤ u˙i (t) ≤ duui for actuator inputs u1 through um . If actuator i becomes jammed at position ui the MPC controller can be made to compensate by simply changing the constraints on input i to ui ≤ ui (t) ≤ ui 0 ≤ u˙i (t) ≤ 0
2
Fault Tolerant Flight Control - A Survey
81
The result will be similar to the control allocation approach where other input channels are used to create the same effect. As noted in [64], an MPC controller can be designed so that it has an intrinsic ability to handle jammed actuators without the need to explicitly model the failure. Structural failures can also be handled in a natural fashion by changing the internal model used to make prediction in either an adaptive fashion [52], a multi-model switching scheme [13] or by assuming an FDI scheme which provides a fault model [40, 39, 55, 66]. An important issue when using MPC is the robustness with respect to model uncertainties. Since MPC heavily depends on how well the controlled system is represented by the model used, measures should be taken in case of model uncertainty. One method to do so is to define an uncertainty region around the nominal model and to ensure that the MPC algorithm achieves a certain minimum performance level for the whole uncertainty region. MPC methods that take model uncertainty explicitly into account are referred to as robust MPC methods. One of the first research efforts that addresses the issue of robust MPC was performed by [60]. This issue has been addressed in the context of FTC in [51]. Like most active FTC methods, MPC-based FTC requires availability of fault information to accommodate faults. This requirement limits the ability of MPC-based FTC to deal with unanticipated fault conditions for which fault information cannot be obtained most of the time. An FTC algorithm that has this ability is therefore very desirable. Such an algorithm is subspace predictive control (SPC). This algorithm consists of a predictor that is derived using subspace identification theory [87], making it a data-driven control method. This subspace predictor is subsequently integrated into a predictive control objective function. The basic SPC algorithm was introduced by [30] and has since been used by various researchers [91, 49, 88]. If the subspace predictor is updated on-line with new input-output data when it becomes available, then SPC has the ability to adapt to changing system conditions, which can also include unanticipated faults. Besides having this ability, another important advantage of the SPC algorithm is that the issue of robustness with respect to model uncertainty is implicitly addressed because of the adaptation of the predictor. In [37] the SPC algorithm is used for FTC of the GARTEUR benchmark model.
2.6.9 Model Following The model following method is another approach to active FTC. Basically, the method considers a reference model of the form M xM k+1 = AM xk + BM rk , M M yk = xk ,
where rk is a reference trajectory signal. The goal is to compute matrices Kr and Kx such that the feedback interconnection of the open-loop system (2.25) and the state-feedback control action uk = Kr rk + Kx xk
82
M. Verhaegen et al.
matches the reference model. To this end the reference model and closed-loop system are written in the form M yM k+1 = AM xk + BM rk , yk+1 = (CA + CBKx )xk + CBKr rk ,
so that perfect model following (PMF) can be achieved by selecting Kx = (CB)−1 (AM − CA), PMF: Kr = (CB)−1 BM ,
(2.31)
provided that the system is square (i.e. dim(y) = dim(u)), and that the inverse of the matrix CB exists. When the exact system matrices (A, B) in (2.31) are unknown, ˆ B), ˆ resulting in the indirect they can be substituted by some estimated values (A, (explicit) method [8]. The indirect method provides no guarantees for closed-loop ˆ may not be invertible. In order to avoid stability, and in addition, the matrix (CB) the need for estimating the plant parameters, the direct (implicit) method of model following can be used, which directly estimates the controller gain matrices Kr and Kx by means of an adaptive scheme. Two approaches to direct model following exist, the output error method and the input error method. Examples of the application of the model following approach can be found in [8, 70, 85]. We note here, that the direct model following method is based on adaptation rules and as such is also a candidate for the group of adaptive control methods. The model following methods have the advantage that they usually do not require an FDD scheme. A strong drawback is, however, that they are not applicable to sensor faults. In addition, these methods do not deal with model uncertainty.
2.6.10 Adaptive Control Adaptive control methods form a class of methods that is very suitable for active FTC. Due to their ability to automatically adapt to changes in the system parameters, these methods could be called “self-reconfiguable”, i.e. they often don’t require the “reconfiguration mechanism” and “FDD” components, as in Figure 2.6. This, however is mostly true for component faults and actuator faults, but not for some sensor faults. If one, for instance, makes use of an adaptive control scheme based on output-feedback design to compensate for sensor faults it will make the faulty measurement (rather than the true signal) track a desired reference signal, and this in turn may even lead to instability. Indeed, in a case of a total sensor failure an adaptive controller may try to increase the control action to make the faulty measured signal equal to the desired value which will not be possible due to the complete failure of the sensor. In such cases an FDD scheme is needed to detect the sensor failure, and a reconfiguration mechanism would have to appropriately reconfigure the adaptive controller. We note here that the direct model following and MM approaches, discussed above, also belong to the class of adaptive control algorithms. LPV control methods for FTC design are also members of this class. In [51] LPV FTC methods
2
Fault Tolerant Flight Control - A Survey
83
are developed that deal with structured parametric and FDD uncertainty. Furthermore, these methods are applicable to a wide class of faults as the fault signal is allowed to enter the state-space matrices of the system in any way as long as the matrices remain bounded. Other applications of LPV control for FTC can be found, for example in [80, 32].
2.7 Comparison of Fault Tolerant Flight Control Methods The table on the next page presents a comparison of the fault tolerant control methods, applicable for reconfigurable flight control, considered in this survey. Filled circles mean that the method has the indicated property while empty circles imply that an author has suggested that the approach could be modified to incorporate the property. The columns are explained as follows: • • • •
Failures: Types of failures that the method can handle Robust: The method uses robust control techniques Adaptive: The method uses adaptive control techniques Fault Model: – FDI: An FDI algorithm is incorporated into the method – Assumed: The method assumes an algorithm which provides a fault model
• Constraints: The method can handle actuator constraints • Model Type: The type of internal model used The table also shows the fault tolerant control methodologies that have been selected for further evaluation in this action group. Their application in the different control designs using the GARTEUR FTFC benchmark and achieved real-time performances are described in the subsequent chapters of this book.
Comparison of reconfigurable control methods * Evaluated in this Action Group 1: Can handle partial loss of effectiveness of actuators, but not complete loss 2: Assumes robust control can handle all forms of structural failures
Failures Robust Adaptive Fault Model Constraints Model Type Actuator Structural FDI Assumed Linear Nonlinear Multiple Model Switching and Tuning (MMST) • • • • Interacting Multiple Model (IMM) • • • ◦ • Propulsion Controlled Aircraft (PCA) • ◦ • • • Control Allocation (CA)* • • ◦ • Feedback Linearization • • • • • Sliding Mode Control (SMC)* ◦1 • •2 • • Eigenstructure Assignment (EA) • • • Pseudo Inverse Method (PIM) • • • Model Reference Adaptive Control (MRAC)* • • • • ◦ Model Predictive Control (MPC)* • • ◦ ◦ • • • • •
Method
84 M. Verhaegen et al.
2
Fault Tolerant Flight Control - A Survey
85
References 1. Andry, A.N., Shapiro, E.Y., Chung, J.C.: Eigenstructure assignment for linear systems. IEEE Transactions on Aerospace Electronic Systems 19(5) (September 1983) 2. Astr¨om, K.J., Wittenmark, B.: Adaptive control, 2nd edn. Addison-Wesley Publishing Company, Reading (1995) 3. Basseville, M.: On-board component fault detection and isolation using the statistical local approach. Automatica 34(11), 1391–1415 (1998) 4. Belkharraz, A.I., Sobel, K.: Fault tolerant flight control for a class of control surface failures. In: Proceedings of the American Control Conference, June 2000. IEEE, Los Alamitos (2000) 5. Blanke, M., Kinnaert, M., Lunze, J., Staroswiecki, M.: Diagnosis and fault-tolerant control, 2nd edn. Springer, Heidelberg (2006) 6. Bodson, M.: Multivariable adaptive algorithms for reconfigurable flight control. In: Proceedings of the 33rd Conference on Decision and Control, December 1994. IEEE, Los Alamitos (1994) 7. Bodson, M.: Evaluation of optimization methods for control allocation. Journal of Guidance, Control, and Dynamics 25(4), 703–711 (2002) 8. Bodson, M., Groszkiewicz, J.E.: Multivariable adaptive algorithms for reconfigurable flight control. IEEE Transactions on Control Systems Technology 5(2), 217–229 (1997) 9. Bordignon, K.A., Durham, W.C.: Closed-form solutions to constrained control allocation problem. Journal of Guidance, Control and Dynamics 18(5) (September 1995) 10. Boskovic, J.D., Li, S.M., Mehra, R.K.: Reconfigurable flight control design using multiple switching controllers and on-line estimation of damage-related parameters. In: Proceedings of the 2000 IEEE International Conference on Control Applications, September 2000. IEEE, Los Alamitos (2000) 11. Boskovic, J.D., Li, S.M., Mehra, R.K.: Study of an adaptive reconfigurable control scheme for tailless advanced fighter aircraft (TAFA) in the presence of wing damage. In: Position Location and Navigation Symposium, pp. 341–348. IEEE, Los Alamitos (2000) 12. Boskovic, J.D., Li, S.M., Mehra, R.K.: Robust supervisory fault-tolerant flight control system. In: Proceedings of the American Control Conference (June 2001) 13. Boskovic, J.D., Mehra, R.K.: A multiple model-based reconfigurable flight control system design. In: Proceedings on the 37th IEEE Conference on Decision & Control, December 1998. IEEE, Los Alamitos (1998) 14. Boskovic, J.D., Mehra, R.K.: Stable multiple model adaptive flight control for accommodation of a large class of control effector failures. In: Proceedings of the American Control Conference (June 1999) 15. Brinker, J.S., Wise, K.A.: Flight testing of reconfigurable control law on the X-36 tailless aircraft. Journal of Guidance, Control and Dynamics 24(5) (September 2001) 16. Burcham, F.W., Burken, J.J., Maine, T.A., Bull, J.: Emergency flight control using only engine thrust and lateral center-of-gravity offset: a first look. Technical report, NASA (1997) 17. Burcham, F.W., Burken, J.J., Maine, T.A., Fullerton, C.G.: Development and flight test of an emergency flight control system using only engine thrust on an MD-11 transport airplane. Technical report, NASA (October 1997) 18. Burken, J.J., Burcham, F.W.: Flight-test results of propulsion-only emergency control system on MD-11 airplane. Journal of Guidance, Control and Dynamics 20(5) (October 1997)
86
M. Verhaegen et al.
19. Calise, A.J., Hovakimyan, N., Idan, M.: Adaptive output feedback control of nonlinear systems using neural networks. Automatica 37(8) (March 2001) 20. Calise, A.J., Lee, S., Sharma, M.: Direct adaptive reconfigurable control of a tailless fighter aircraft. In: AIAA Guidance, Navigation and Control Conference, Boston, MA (August 1998) 21. Calise, A.J., Lee, S., Sharma, M.: Development of a reconfigurable flight control law for the X-36 tailless fighter aircraft. In: AIAA Guidance, Navigation, and Control Conference (August 2000) 22. Davidson, J.B., Andrisani, D.: Gain weighted eigenspace assignment. Technical report, NASA (May 1994) 23. Davidson, J.B., Andrisani, D.: Lateral-directional eigenvector flying qualities guidelines for high performance aircraft. Technical report, NASA (December 1996) 24. Davidson, J.B., Lallman, F.J., Bundick, W.T.: Real-time adaptive control allocation applied to a high performance aircraft. In: 5th SIAM Conference on Control & Its Applications (2001) 25. Demetriou, M.A.: Adaptive reorganization of switched systems with faulty actuators. In: Proceedings of the 40th IEEE Conference on Decision and Control (December 2001) 26. Duan, G.R.: Parametric eigenstructure assignment via output feedback based on singular value decompositions. IEE Proceedings - Control Theory and Applications 150(1), 93– 100 (2003) 27. Ducard, G., Geering, H.P.: Efficient nonlinear actuator fault detection and isolation system for unmanned aerial vehicles. Journal of Guidance, Control, and Dynamics 31(1), 225–237 (2008) 28. Durham, W.C., Bordignon, K.A.: Multiple control effector rate limiting. Journal of Guidance, Control and Dynamics 19(1) (February 1996) 29. Enns, D.F.: Control allocation approaches. In: Proceedings of AIAA GNC Conference (August 1998) 30. Favoreel, W.: Subspace methods for identification and control of linear and bilinear systems. PhD thesis, Faculty of Engineering, K.U. Leuven, Belgium (1999) 31. Gao, Z., Antsaklis, P.: Stability of the pseudo-inverse method for reconfigurable control systems. International Journal of Control 53(3), 717–729 (1991) 32. G´asp´ar, P., Bokor, J.: A fault-tolerant rollover prevention system based on an LPV method. International Journal of Vehicle Design 42(3-4), 392–412 (2006) 33. Gertler, J.: Designing dynamic consistancy relations for fault detection and isolation. International Journal of Control 73(8), 720–732 (2000) 34. Gopinathan, M., Boskovic, J.D., Mehra, R.K., Rago, C.: A multiple model predictive scheme for fault-tolerant flight control design. In: Proceedings of the 37th IEEE Conference on Decision & Control, December 1998. IEEE, Los Alamitos (1998) 35. Groszkiewicz, J.E., Bodson, M.: Flight control reconfiguration using adaptive methods. In: Proceedings of the 34th Conference on Decision & Control, December 1995. IEEE, Los Alamitos (1995) 36. Hajiyev, C., Caliskan, F.: Fault diagnosis and reconfiguration in flight control systems. Kluwer Academic Publishers, Dordrecht (2003) 37. Hallouzi, R.: Multiple-model based diagnosis for adaptive fault-tolerant control. PhD thesis, Delft University of Technology (2008) 38. H¨arkeg˚ard, O.: Dynamic control allocation using constrained quadratic programming. Journal of Guidance, Control, and Dynamics 27(6), 1028–1034 (2004) 39. Huzmezan, M., Maciejowski, J.M.: Reconfiguration and scheduling in flight using quasiLPV high-fidelity models and MBPC control. In: Proceedings of the American Control Conference (June 1998)
2
Fault Tolerant Flight Control - A Survey
87
40. Huzmezan, M., Maciejowski, J.M.: Reconfigurable flight control of a high incidence research model using predictive control. In: UKACC International Conference on CONTROL (September 1998) 41. Idan, M., Johnson, M., Calise, A.J.: A hierarchical approach to adaptive control for improved flight safety. AIAA Journal on Guidance, Control and Dynamics (July 2001) 42. Idan, M., Johnson, M., Calise, A.J., Kaneshige, J.: Intelligent aerodynamic/propulsion flight control for flight safety: a nonlinear adaptive approach. In: American Control Conference, ACC (2001) 43. Isermann, R., Ball´e, P.: Trends in the application of model-based fault detection and diagnosis of technical processes. Control Engineering Practice 5(5), 709–719 (1997) 44. Isidori, A.: Nonlinear control systems, 2nd edn. Springer, Heidelberg (1989) 45. Jiang, J.: Fault-tolerant control systems - an introductory overview. Acta Automatica Sinica 31(1), 161–174 (2005) 46. Johansen, T.A.: Operating regime based process modeling and identification. The Norwegian Institute of Technology, University of Trondheim, ph.d. thesis, itk-report 94-109w edition (1994) 47. Johansen, T., Foss, B.: Identification of non-linear system structure and parameters using regime decomposition. Automatica 31(2), 321–326 (1995) 48. Johnson, E.N., Calise, A.J.: Neural network adaptive control of systems with input saturation. In: American Control Conference (ACC), Arlington, Virginia (June 2001) 49. Kadali, R., Huang, B., Rossiter, A.: A data driven subspace approach to predictive controller design. Control Engineering Practice 11(3), 261–278 (2003) 50. Kale, M.M., Chipperfield, A.J.: Stabilized MPC formulations for robust reconfigurable flight control. Control Engineering Practice 13(6), 771–788 (2005) 51. Kanev, S.: Robust fault-tolerant control. PhD thesis, University of Twente (2004) 52. Kanev, S., Verhaegen, M.: Controller reconfiguration for non-linear systems. Control Engineering Practice 8, 1223–1235 (2000) 53. Kanev, S., Verhaegen, M.: A bank of reconfigurable LQG controllers for linear systems subjected to failures. In: 39th IEEE Conference on Decision and Control (December 2000) 54. Kanev, S., Verhaegen, M., Nijsse, G.: A method for the design of fault-tolerant systems in case of sensor and actuator faults. In: European Control Conference, ECC (September 2001) 55. Kerrigan, E.: Fault-tolerant control of the COSY ship propulsion benchmark using model predictive control. Technical report, University of Cambridge (November 1998) 56. Keviczky, T., Balas, G.J.: Software-enabled receding horizon control for autonomous unmanned aerial vehicle guidance. Journal of Guidance, Control, and Dynamics 29(3), 680–694 (2006) 57. Kinnaert, M.: Fault diagnosis based on analytical models for linear and nonlinear systems - a tutorial. In: Proceedings of the 5th Symposium on Fault Detection, Supervision and Safety for Technical Processes (SAFEPROCESS 2003), Washington D.C., USA, pp. 37– 50 (2003) 58. Konstantopoulos, I.K., Antsaklis, P.J.: Eigenstructure assignment in reconfigurable control systems. Technical report, Interdisciplinary Studies of Intelligent Systems (January 1996) 59. Konstantopoulos, I.K., Antsaklis, P.J.: An optimization approach to control reconfiguration. Dynamics and Control 9(3), 255–270 (1999) 60. Kothare, M.V., Balakrishnan, V., Morari, M.: Robust constrained model predictive control using linear matrix inequalities. Automatica 32(10), 1361–1379 (1996)
88
M. Verhaegen et al.
61. Liao, F., Wang, J.L., Yang, G.H.: Reliable robust flight tracking control: an LMI approach. IEEE Transactions on Control Systems Technology 10(1), 76–89 (2002) 62. Liu, W.: An on-line expert system-based fault-tolerant control system. Expert Systems with Applications 11(1), 59–64 (1996) 63. Liu, G., Patton, R.: Eigenstructure assignment for control systems design. John Wiley & Sons, Chichester (1998) 64. Maciejowski, J.M.: The implicit daisy-chaining property of constrained predictive control. Applied Math and Computer Science 8(4), 695–711 (1998) 65. Maciejowski, J.M.: Predictive control with constraints. Prentice Hall, Englewood Cliffs (2002) 66. Maciejowski, J.M., Jones, C.N.: MPC fault-tolerant flight control case study: Flight 1862. In: Proceedings of the 5th Symposium on Fault Detection, Supervision and Safety for Technical Processes (SAFEPROCESS 2003), Washington D.C., USA, pp. 121–126 (2003) 67. Mahmoud, M., Jiang, J., Zhang, Y.: Active fault tolerant control systems: stochastic analysis and synthesis. Springer, Berlin (2003) 68. Maybeck, P.S.: Multiple model adaptive algorithms for detecting and compensating sensor and actuator/surface failures in aircraft flight control systems. International Journal of Robust and Nonlinear Control 9, 1051–1070 (1999) 69. Mignone, D.: Control and estimation of hybrid systems with mathematical optimization. PhD thesis, Swiss Federal Institute of Technology, ETH (January 2002) 70. Morse, W., Ossman, K.: Model-following reconfigurable flight control system for the AFTI/F-16. Journal of Guidance, Control, and Dynamics 13(6), 969–976 (1990) 71. Narendra, K.S., Balakrishnan, J.: Adaptive control using multiple models. IEEE Transactions on Automatic Control 42(2) (February 1997) 72. Niemann, H., Stoustrup, J.: Passive fault tolerant control of a double inverted pendulum - case study. Control Engineering Practice 13(8), 1047–1059 (2005) 73. Noura, H., Sauter, D., Hamelin, F., Theilliol: Fault-tolerant control in dynamic systems: application to a winding machine. IEEE Control Systems Magazine 20(1), 33–49 (2000) 74. NTSB. Aircraft accident report - american airlines, inc. DC-10-10. Technical Report NTSB-AAR-79-17, National Transpotration Safety Board, USA (1979) 75. Patton, R.: Fault tolerant control: the 1997 situation. In: Proceedings of the 3rd Symposium on Fault Detection, Supervision and Safety for Technical Processes (SAFEPROCESS 1997), pp. 1033–1054. Hull University, Hull (1997) 76. Prakash, J., Narasimhan, S., Patwardhan, S.C.: Integrating model based fault diagnosis with model predictive control. Industrial & Engineering Chemistry Research 44(12), 4344–4360 (2005) 77. Rauch, H.: Intelligent fault diagnosis and control reconfiguration. IEEE Control System Magazine 14(3), 6–12 (1994) 78. Ru, J., Li, X.R.: Variable-structure multiple-model approach to fault detection, identification, and estimation. IEEE Transactions on Control Systems Technology 16(5), 1029– 1038 (2008) 79. Seguchi, H., Ohtsuka, T.: Nonlinear receding horizon control of an underactuated hovercraft. International Journal of Robust and Nonlinear Control 13(3-4), 381–398 (2003) 80. Shin, J.-Y., Belcastro, C.M.: Performance analysis on fault tolerant control system. IEEE Transactions on Control Systems Technology 14(5), 920–925 (2006) 81. Shtessel, Y.B.: Sliding mode control: overview and applications to aerospace control. Talk notes (2001) 82. Shtessel, Y.B., Buffington, J.: Multiple time scale flight control using reconfigurable sliding modes. AIAA Journal on Guidance, Control and Dynamics 22(6), 873–883 (1999)
2
Fault Tolerant Flight Control - A Survey
89
83. Slotine, J.J.E., Li, W.: Applied Nonlinear Control. Prentice-Hall International, Inc., Englewood Cliffs (1991) 84. Stoustrup, J., Blondel, V.D.: Fault tolerant control: A simultaneous stabilization result. IEEE Transactions on Automatic Control 49(4), 305–310 (2004) 85. Tao, G., Chen, S., Joshi, S.: An adaptive actuator failure compensation controller using output feedback. IEEE Transactions on Automatic Control 47(3), 506–511 (2002) 86. Tao, G., Ma, X., Joshi, S.: Adaptive state feedback and tracking control of systems with actuator failures. IEEE Transactions on Automatic Control 46(1), 78–95 (2001) 87. Verhaegen, M., Verdult, V.: Filtering and system identification: an introduction. Cambridge University Press, Cambridge (2007) 88. Wang, X., Huang, B., Chen, T.: Data-driven predictive control for solid oxide fuel cells. Journal of Process Control 17(2), 103–114 (2007) 89. Wang, G.S., Lv, Q., Liang, B., Duan, G.R.: Design of reconfiguring control systems via state feedback eigenstructure assignment. International Journal of Information Technology 11(7), 61–70 (2005) 90. Wise, K.A., Brinker, J.S., Calise, A.J., Enns, D.F., Elgersma, M.R., Voulgaris, P.: Direct adaptive reconfigurable flight control for a tailless advanced fighter aircraft. International Journal of Robust and Nonlinear Control 9(14), 999–1022 (1999) 91. Woodley, B.R., How, J.P., Kosut, R.L.: Subspace based direct adaptive H∞ control. International Journal of Adaptive Control and Signal Processing 15, 535–561 (2001) 92. Yen, G.G., Ho, L.-W.: Online multiple-model-based fault diagnosis and accommodation. IEEE Transactions on Industrial Electronics 50(2), 296–312 (2003) 93. Zhang, Y., Jiang, J.: An interacting multiple-model based fault detection, diagnosis and fault-tolerant control approach. In: Proceedings of the 38th Conference on Decision & Control (December 1999) 94. Zhang, Y., Jiang, J.: Integrated design of reconfigurable fault-tolerant control systems. Journal of Guidance 24(1), 133–136 (2000) 95. Zhang, Y.M., Jiang, J.: Fault tolerant control system design with explicit consideration of performance degradation. IEEE Transactions on Aerospace and Electronic Systems 39(3), 838–848 (2003) 96. Zhang, Y., Jiang, J.: Issues on integration of fault diagnosis and reconfigurable control in active fault-tolerant control systems. In: Proceedings of the IFAC SAFEPROCESS, Beijing, China (August 2006) 97. Zhang, D., Wang, Z., Hu, S.: Robust satisfactory fault-tolerant control of uncertain linear discrete-time systems: an LMI approach. International Journal of Systems Science 38(2), 151–165 (2007) 98. Zhenyu, Y., Huazhang, S., Zongji, C.: The frequency-domain heterogeneous control mixer module for control reconfiguration. In: Proceedings of the 1999 IEEE International Conference on Control Applications, August 1999. IEEE, Los Alamitos (1999)
Chapter 3
Fault Detection and Diagnosis for Aeronautic and Aerospace Missions David Henry, Silvio Simani, and Ron J. Patton
3.1 Introduction The term Fault Detection and Diagnosis (FDD) is a development of the term Fault Detection and Isolation (FDI). Generally speaking, FDD goes slightly further than FDI by including the possibility of estimating the effect of the fault and/or diagnosing the effect or severity of the fault. Hence, the term FDD also covers the capability of isolating or locating a fault. Both of these topics have received considerable attention worldwide and have been theoretically and experimentally investigated with different types of approaches, as can be seen from the general survey works [1, 2, 3, 4, 5, 6, 7]. To complete the terminology, the use of the word ‘failure’ (widely used in the early literature) has been generally replaced by the word ‘fault’ [1]. This is important and it is now widely recognised that faults are unwanted malfunctions of a system, whereas a failure denotes a total cessation of a function, via a subsystem or a total system failure [8]. The developments outlined in this Chapter have been stimulated mainly by the trend in automation toward systems with increasing complexity and the growing demands for fault-tolerance, cost efficiency, reliability, and safety as these constitute fundamental design features in modern control systems. Studies of the ways in which FDI and FDD methods can be applied in aerospace systems have been David Henry IMS laboratory, Bordeaux 1 University, 351 cours de la lib´eration, 33405 Talence c´edex e-mail:
[email protected] Silvio Simani University of Ferrara, Department of Engineering, 1 Via Saragat, 44100 Ferrara, Italy e-mail:
[email protected] Ron J. Patton University of Hull, Department of Engineering, Cottingham Road, Hull HU6 7RX, United Kingdom e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 91–128. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
92
D. Henry, S. Simani, and R.J. Patton
given by [9, 10]. This Chapter moves the subject on about 17 years by presenting a non-exhaustive overview of recent advances in model-based FDI/FDD and their applicability for aeronautical systems and aerospace missions. This Chapter focuses on methods that have either been applied to real aerospace systems or to high fidelity simulations. For the remainder of the Chapter the terms FDI and FDD will be replaced by the term FDD because of the overlap between these two topics and as a consequence of the preference for the use of the term FDD in aerospace system studies. Measurement sensors are among the most important components for flight control and aircraft safety. For example, pitot tube air velocity sensors work in a harsh environment (e.g. the possibility of becoming iced up at high altitude). When sensors of this kind have a common mode fault (e.g. all becoming iced up) all the redundant lanes of the flight control system can potentially fail as a consequence of failing to receive suitable air data information. It is generally the case that the fault probabilities for sensors are high when compared with other components and control actuators, thus making these devices the least reliable components of the flight system. In order to improve the reliability of the system, sensor hardware and software (analytical) redundancy schemes have been investigated for aircraft over the last twenty or more years [9, 10]. For small and military aircraft, multiple hardware redundancy is harder to achieve due to a lack of operating space and weight limitations. Multiple hardware is costly and very complex to engineer and maintain. Analytical redundancy makes use of a mathematical model of the monitored process and is therefore often referred to as the model-based approach to FDD [1, 4, 11, 12]. The model-based FDD algorithms are normally programmed in computer software that may be difficult to implement on real and complex systems, where modelling uncertainty arises inevitably (due for example to process noise, parameter variations and modelling errors). The FDD procedure for incipient faults represents a challenge to the theory of model-based FDD techniques due to the inseparable mixture between fault effects and modelling uncertainty. This has been defined in the literature as the robustness problem in FDI/FDD [1, 3]. Model-based FDI/FDD commonly make use of the so-called ‘residual signal’ to facilitate the detection and isolation of faults. Methods which use the residual approach are known as the residual based methods. By far the most studied topic of the use of residual generators for FDI/FDD has been that of the deterministic state observer [13, 14, 3]. In the context of observers for stochastic systems there have also been many studies [15, 16, 3]. A number of researchers have developed residual-based methods using the parity space concept [17, 18, 2]. Others have developed the theme of robust FDI/FDD around the Unknown Input Observer (UIO) [19, 3]. Parameter identification has been a key subject for some investigators [15, 20]. Another popular approach to FDD/FDI, particularly considering robustness has been via the use of eigenstructure assignment (EA) coupled with the UIO. Patton and co-workers [21, 22] conducted a number of studies on this subject and a toolbox
3
FDD for Aeronautic and Aerospace Missions
93
for EA design was developed [23]. The UIO together with EA have been applied successfully in a robust FDI/FDD study on a jet engine [24]. Geometrical concepts for FDI/FDD (and the so-called ‘failure’ detection for the USA) were first proposed by [25]. The geometrical concepts were successfully extended in theoretical work to nonlinear systems [26, 27]. Nonlinear geometric approaches can also be found in [28, 29], in which the fault estimation method relies on the successive derivatives of input/output signals. A drawback of these strategies is a high sensitivity to measurement noise and uncertainty due to dynamical system structure. Ref. [30] describes an interesting FDD application of an UIO strategy for Lipschitz-bounded nonlinear systems. This approach is applicable to a wide class of non-linear systems without requiring a non-linear geometrical approach. A further approach to FDI/FDD has been based on state estimation using nonlinear stochastic methods such ‘Particle Filters’, a technique belonging to the class of Monte-Carlo methods, for nonlinear systems with non-Gaussian noise [31, 32]. Soft computing techniques for FDD/FDI [33] can be also exploited, making use of neural networks, fuzzy logic or neuro-fuzzy structures. Uppal and Patton [34] have shown that the neuro-fuzzy approach can be developed from the UIO concept, making structured residuals as consequents in a neuro-fuzzy system with sets of residual signals covering the non-linear operation of the system being monitored. In essence, the soft computing approaches make use of ‘implicit’ rather than ‘explicit’ models of the monitored system and hence also constitute a part of the model-based approach. The main advantages of the soft computing approaches is that an implicit mathematical model of the system being diagnosed or monitored is not required and the techniques handle non-linear dynamics in a very natural way, making them very suitable for the design of FDD schemes. Adaptive methods for fault estimation and FDI/FDD are applicable to a wide class of nonlinear systems and are becoming popular as they blend well with fault tolerant Control (FTC) or fault detection, isolation and recovery (FDIR). One adaptive method that addresses only output sensor faults, is reported in [35]. A crucial issue with any FDD scheme is its robustness to modelling uncertainty. The robustness problem in FDD is defined as the maximisation of the detectability and isolability of faults together with the minimisation of the effects of uncertainty and disturbances on the FDD procedure [1, 3, 6]. A number of FDD techniques have been mainly developed for linear systems. However, practical models of real-world systems are mostly nonlinear. Hence, viable procedures for practical application of FDD techniques must take into account model-reality mismatches and hence modelling uncertainty. For aircraft and aerospace systems the development of FDD tools that can be applied to real systems design and integration is still an open issue, particularly with interest in the reduction in the use of some multiple hardware and the integrated development of analytical redundancy methods. This is an important area for practical research. This Chapter is organised as follows. Section 3.2 summarises the basic methodologies for actuator, system component and sensor FDD. The methods are based on output estimation approaches, in conjunction with residual processing schemes,
94
D. Henry, S. Simani, and R.J. Patton
which include simple threshold detection (for the deterministic case), as well as statistical analysis when data is affected by noise. The final result consists of a strategy based on model-based FDI, namely to generate robust and redundant residual signals. The concept of residual generation is examined with reference to dynamic observers or Kalman filters. A residual signal is defined as an output estimation error, in general obtained by the difference between the measurement of one output and its corresponding estimate. Section 3.2 outlines the design of these FDD estimators for both deterministic and stochastic environments. Section 3.3 shows how the proposed FDD algorithms can be applied to the diagnosis of actuators, process components and input-output sensors for general example of a flight control problem. Other aerospace examples (e.g. spacecraft)are also considered. In particular, the FDD techniques presented in this Chapter have been tested on time series of data acquired from different high fidelity prototypes, whose linear mathematical descriptions are obtained by using both ‘first principles’ modelling and dynamic system identification procedures. Results from simulations show that diagnosed faults are perfectly compatible with the FDD requirements for these applications. Finally, Section 3.4 summarises the contributions and achievements of the Chapter.
3.2 Fault Detection and Diagnosis Approaches The model-based approach to FDD in dynamic systems has been receiving more and more attention over the last two decades, in the contexts of both research and real application. Stemming from this activity, a great variety of methods are found in the current literature, based on the use of mathematical models of the systems under investigation and exploiting modern control theory. This Section provides an overview of the various fault detection methods, with particular attention to FDD techniques related to the applications described in this Chapter. Residual generators based on different methods, such as state and output observers, parity relations and parameter estimation, are just special cases in this general framework. In the following, some commonly used residual generation and evaluation methods are discussed and their mathematical formulation presented. This Section presents and summarises special features and problems regarding the different FDD methods.
3.2.1 The Parity-Space Methods A significant number of publications address the problem of fault diagnosis using the parity space approach, see for instance [36, 37, 38, 39, 9, 18, 40, 3]. The most common application of parity space methods in the aerospace field is based on the redundancy available in Inertial Measurement Units (IMUs) [41, 39, 3, 42, 43]. The redundant measurements acquired from the IMUs are used for deriving the so-called parity-space relations. In particular, three configurations are used, i.e. the octahedron, dodecahedron and dedicated pyramidal configurations, see fig. 3.1 for an illustration.
3
FDD for Aeronautic and Aerospace Missions
95
Fig. 3.1 The octahedron (left), the dodecahedron (centre)and the dedicated pyramid (right) configurations
In the octahedron configuration, each axis (labelled numerically 1 through 6) contains a gyro and an accelerometer. Complementary axes i.e. 1 and 2, 3 and 4, and 5 and 6) make angles of 90 deg with each other and are symmetrically placed with respect to the body frame, i.e. instruments 1 and 2 are both inclined 45 deg with respect to the z body axis. Instruments 3 and 4, are inclined 45 deg with respect to the x body axis and 5 and 6, 45 deg with respect to the y body axis. This configuration facilitates the determination of 7 (static) parity relations defined according to (see [41] for more details). r1 = m1 − m2 − m3 − m4 r2 = m2 + m3 − m5 r3 = m6 + m1 − m3 r4 = m4 + m5 − m1 (3.1) r5 = m4 + m6 + m2 r6 = m1 + m2 + m6 − m5 r7 = m4 + m5 + m6 − m3 These equations are used to detect and isolate a single axis fault in either gyros or accelerometers or a simultaneous correlated double axis fault. The dedicated pyramidal configuration is based on two IMUs arranged in a geometric configuration, so that any single failure (1-axis gyro or 1-axis accelerometer) can be detected and isolated, through the 7 following (static) parity relations: r1 = (m1 + m4) − (m2 + m5 ) r2 = (m2 + m5) − (m3 + m6 ) r3 = (m3 + m6) − (m1 + m4 ) r4 = 2(m1 + m3 + m5) − 3(m1 + m4 ) r5 = 2(m2 + m4 + m6) − 3(m1 + m4 ) r6 = 2(m1 + m3 + m5) − 3(m2 + m5 ) r7 = 2(m2 + m4 + m6) − 3(m2 + m5 )
(3.2)
where measurements m1 , m3 , m5 are for IMU1 and m2 , m4 , m6 are for IMU2. For the fault detection purpose, only ri (t), i = 1, 2, 3 are used whereas the four last signals ri (t), i = 4, ..., 7 are used for fault isolation in gyros and accelerometers. The
96
D. Henry, S. Simani, and R.J. Patton
dedicated pyramidal configuration FDD technique is used in the Mars Sample Return mission, a mission undertaken jointly by NASA and the ESA. The parity-space approach can be based on the parity equations derived from the dynamic model of the system under diagnosis. The relationship between the parityspace approach and other model-based approaches has been described by a number of authors. For example, Patton and Chen describe the equivalent properties between the state observer approach and the parity space, under certain conditions [9, 18] and [44] have described the relationship between the parity space and parameter estimation approaches. In all of these methods the analytical redundancy that is developed relies on an input-output polynomial description of the system under diagnosis. The methods comprise input-output strategies for FDD, in some sense. The use of input-output forms facilitates the development of analytical descriptions for the disturbance decoupled residual generators. These dynamic filters, organised into bank structures, are able to achieve fault isolation properties. An appropriate choice of their parameters facilitates the maximistaion of the robustness with respect to both measurement noise and modelling errors, whilst optimising fault sensitivity characteristics. An approach which is strongly based on the use of input-output polynomials is referred to as the Polynomial Method (PM), presented in [45]. The PM requires the knowledge of the input-output representation of the continuous-time (or discretetime), time-invariant linear dynamic system affected by faults and disturbances. An important aspect of the PM residual generator design concerns the decoupling properties of the disturbance. This decoupling is obtained by means of a suitable coordinate exchange of the monitored input-output system. Hence, the residual generator model for the investigated system depends on suitable design polynomials and matrices, which can be arbitrarily selected among the polynomials with degree greater than or equal to the maximum row degree of the input output model. The diagnostic capabilities of the PM residual generator strongly depend on the choice of the residual transfer function. The analytical solution to this problem exists and is unique, as demonstrated in [46], due to the choice of a quadratic constraint equation. The design of the PM filter is completed by introducing a method for assigning both the zeros and the poles of the continuous time transfer function from the fault to the residual. The pole and zero locations influence the transient characteristics(maximum overshoot, delay time, rise time, settling time, etc.) of the filter as described in [45]. Finally, this PM method can be used for fault isolation. In particular, for the isolation of a fault affecting one of the output sensors, under the hypotheses that the input sensors and the remaining output sensors are fault-free, a generalized bank of residual generator filters is used. The number of these generators is equal to the number m of the system outputs, and the i-th device (i = 1, . . . , m) is driven by all but the i-th output and all the inputs of the system. In this case, a fault on the i-th output sensor affects all but the i-th residual generator. The same technique can be applied for the isolation of input sensor faults. However, it must be emphasised that the PM approach is merely a re-iteration or a new interpretation of the parity space philosophy of utilising input-output signals in polynomial form.
3
FDD for Aeronautic and Aerospace Missions
97
3.2.2 Particle Filtering Approach The particle filtering approach [47, 48, 49], also called the ‘Condensation Algorithm’ [50] or the ‘Markov Chain Monte Carlo Method’ [51, 52], is a probabilistic technique that aims to estimate jointly the state of the system x and the discrete fault modes z at time t as the a-posteriori distribution: p (s(t)|y(t), y(t − 1), ...., u(t), u(t − 1).....)
(3.3)
where s(t) = (x(t), z(t)), knowing a set of samples i.e. output/input data y(t), y(t − 1), ...., u(t), u(t − 1)..... Within the Bayesian context, the filtering problem is simplified by assuming that s(t) evolves in a Markovian way. A Markov system is one in which past and future states are conditionally independent, given the current state. The Markovian assumption facilitates a recursive formulation of the estimation problem. The problem then turns out to be the computation of xˆ and zˆ satisfying the following jump Markov linear Gaussian model: z(t) ∼ P (z(t)|z(t − 1)) x(t) = A(z(t))x(t − 1) + B(z(t))u(t) + E1(z(t))w(t) y(t) = C(z(t))x(t) + D(z(t))u(t) + E2 (z(t))v(t)
(3.4)
where y(t) ∈ ℜm denotes the observations, x(t) ∈ ℜn the unknown Gaussian states, u ∈ ℜ p a known control signal and where z(t) ∈ {1, ..., q} is the set of unknown discrete states i.e. the fault modes). The noise processes are assumed to be Gaussian so that w(t) ∼ N (0, I) and v(t) ∼ N (0, I). The parameters A, B,C, D, E1 , E2 and P (z(t)|z(t − 1)) are known matrices with D(z(t))D(z(t))T > 0 for any z(t). 3.2.2.1
Kalman Filters
If we consider only one discrete mode z(t) in (3.4), linear transition and observation functions for the continuous parameters and Gaussian noise, then the ‘belief state’ has a multivariate Gaussian probability distribution that can be computed incrementally using a Kalman filer. At each time-step t, the Kalman filtering algorithm updates sufficient statistics (μ (t − 1), σ 2 (t − 1)), prior mean and covariance of the continuous distribution, with the new observation y(t). However, in the case of non-linear transformations, the Kalman filtering algorithm does not offer an efficient solution. Good approximations can be achieved by the extended Kalman filter (EKF) or via the unscented Kalman filter (UKF). Rather than using the standard Kalman filter update to compute the a-posteriori distribution, the UKF performs as follows: Given a m-dimensional continuous space, 2m + 1 sigma points are chosen based on the a-priori covariance. The non linear equations are then applied to each of the sigma points and the a-posteriori distribution is approximated by a Gaussian distribution whose mean and covariance are computed from the sigma points. The mean is set to the weighted mean of the transitioned sigma points and the covariance is taken to be the sum of the weighted
98
D. Henry, S. Simani, and R.J. Patton
squared derivations of the transitioned sigma points from the mean. The UKF update yields an approximation to the a-posteriori probability whose error depends on how different the true probability distribution is from the ideal Gaussian case. 3.2.2.2
Particle Filters
The successes of the Kalman, EKF and UKF filtering approaches strongly depend on how the belief states behave to a multivariate Gaussian. To overcome this problem, the particle filter has been proposed in [50]. Basically, a particle filter is a Markov chain Monte Carlo algorithm that approximates the belief state using a set of ‘particles’ and keeps the distribution updated as new observations are made over time. To proceed, the algorithm operates in three steps: 1. The Monte Carlo step. This step considers the evolution of the system over time. It uses the stochastic model of the system to generate a possible future state for each sample. 2. The reviewing step. This step corresponds to conditioning on the observations. Each sample is weighted by the likelihood of seeing the observations in the updated state representing the sample. This step leads to samples that predict the observations well and with high weighting, and samples that are unlikely to generate the observations, with low weighting. 3. The resampling step. In this step, a set of uniformly weighted samples from the distribution represented by the weighted samples, is resampled. In this resampling stage, the probability that a new sample is a copy of a particular sample is proportional to its corresponding weighting. In other words, high-weighted samples may be replaced by several samples and low-weighted samples may disappear. 3.2.2.3
Rao-Blackwellized Particle Filters
Particle filters have a number of properties that make them suitable for FDD applications, e.g. they can be applied to nonlinear models with arbitrary prior belief distributions, the computation time depends only on the number of samples, not on the complexity of the model, etc. However, it should be stressed that the number of samples required to cope with high dimensional continuous state systems x is enormous, leading to curse of dimensionality and rendering the practical onboard implementation questionable. To solve this problem, the Rao-Blackwellized Particle Filter method can be used. This approach is intended for application in problems of tracking linear multimodal systems with Gaussian noise. In these systems, the belief state is a mixture of signals with different Gaussian statistics. The idea is to combine both the Particle filter that samples the discrete modes z(t) and the Kalman filter for each mode z that propagates sufficient statistics (μi (t), σi2 (t)) for the state x(t). Note that as in the particle filtering approach, a resampling step is needed to prevent particle impoverishment. The interested reader can refer to [53, 54, 55] for more theoretical details.
3
FDD for Aeronautic and Aerospace Missions
99
The particle filtering approach has been used successfully for fault diagnosis in planetary rovers, e.g. the Hyperion robot (four wheeled robot), the K-9 rover (six wheeled rover). The software code for the implementation of the PF strategy is freely available at the website http://www.cs.ubc.ca/˜nando/software.html[53, 32].
3.2.3 Nonlinear EKF Approaches In a similar way to the approaches outlined in subsection 3.2.2, an extended Kalmantype unknown input estimator is proposed in [56, 57, 58] to solve the FDD problem of fault diagnosis in aircraft and reusable launch vehicles control surfaces. The methodology is based on joint parameter and state estimation techniques and consists in providing an (optimal) estimate of the fault. Consider the following nonlinear state-space model in the discrete-time framework x(k + 1) = fi (x(k), δs (k), Ψ (x, k)) + v(k) y(k) = g(x(k)) + w(k)
(3.5)
where fi (.) = f (x(k), δs (k), Ψ (x, k))
δi (k)
(3.6)
δs refers to the healthy control surfaces and Ψ (x) is a vector composed of nonlinear functions depending on a subset of the state vector x. The index ”i” is used to outline that the estimation of the i-th fault δˆi needs to be performed. The stochastic inputs v and w denote the process and measurement noises, respectively which are assumed to be uncorrelated white noise processes with covariance matrices: Q(k) = E{v(k)v(k)T },
R(k) = E{w(k)w(k)T }
(3.7)
The initial estimates of state and covariance matrix are denoted by: x0 = E{x0 }
(3.8)
P0 = E{(x0 − x0 )(x0 − x0 )T }
(3.9)
Following the method proposed in [59], the problem of recursively estimating the augmented state vector x can be formulated as a nonlinear filtering problem that minimizes the conditional mean-square-error, i.e: k−1 } x(k) ˆ = argmin E{x(k) ˜ T x(k)|Y ˜
(3.10)
where x(k) ˜ = x(k) − x(k) ˆ is the state estimate error and Y k−1 = {y0 , y1 , · · · , yk−1 } is a matrix containing the past measurements. The state estimate x(k) ˆ is equivalent to
100
D. Henry, S. Simani, and R.J. Patton
the conditional mean of the Gaussian probability density function p(x(k)/Y (k−1) ) ∼ N (x(k), ˆ P(k)) such as: x(k) ˆ = E{x(k)|Y (k−1) }
(3.11)
T (k−1) P(k) = E{(x(k) − x(k))(x(k) ˆ − x(k)) ˆ |Y }
(3.12)
and where:
refers to the state covariance matrix in charge to quantify the uncertainty of the estimate. The estimation algorithm can then be formulated into the following nonlinear observer-based scheme: x(k ˆ + 1) = fi (x(k), ˆ δs (k), Ψ (x, k)) + K(k)e(k) (3.13) y(k) ˆ = g(x(k)) ˆ where K(k) is a non stationary gain to be computed and e(k) = y(k) − y(k/k ˆ − 1) is the innovation sequence associated to the covariance matrix Pee : T k−1 ˆ − y(k)) ˆ |Y } Pee = E{(y(k) − y(k))(y(k)
(3.14)
ˆ Based on the previous estimate of the state x(k/k) ˆ with covariance P(k/k), the filter computes at a subsequent time-step an optimal forecast of the state x(k ˆ + 1/k) and its ˆ + 1/k) whenever observations become available. This leads covariance matrix P(k to the following update equations: x(k ˆ + 1) = x(k) ˆ + K(k)e(k) P(k + 1) = P(k) − K(k)Pee (k)K T (k)
(3.15)
The expression of K(k) is given by: −1 (k) K(k) = Pxy (k)Pee
(3.16)
where Pxy denotes the predicted cross-correlation matrix defined as follows: T k−1 ˆ − y(k)) ˆ |Y } Pxy = E{(x(k) − x(k))(y(k)
(3.17)
As the above statistical expectations are generally intractable, some kind of approximation must be used, like for e.g. the Extended Kalman Filter (EKF) which is based on a first-order Taylor linearization. However, even if the EKF estimator seems to be adapted, some well-known drawbacks exist in practice, i.e. the parameters estimates can converge slower than the state estimates and in general, only local convergence can be expected. Based on the work reported in [59], this motivated [57, 58, 56] to use an approximation of the nonlinear function ‘ fi (.)’ by means of a multi-dimensional extension of Stirling’s interpolation formula. Although this method presents some optimality proofs, the key feature remains the a-priori choice of the covariance matrices Q and R. The matrix Q controls the
3
FDD for Aeronautic and Aerospace Missions
101
flexibility of the model whereas the measurement covariance matrix R controls the flexibility of the measurement equations. In the most practical cases, the optimization of Q and R is done by iteratively testing different values and evaluating the results over a test period. In practice, this tuning problem is often tackled as an ad hoc process involving a very large number of manual trials. In view of this difficulty, it has been chosen in [56] to automatically tune these matrices by means of an optimization method. The performance index to be minimized corresponds to the root-mean-square of the state estimate errors subjected to positivity constraints of Q and R matrices that is: ⎧ 1 t 2 ⎨ Q > 0, R > 0 f T (3.18) R = diag(ri ) s.t. J(k) = N1 ∑( x Π x) ⎩ t0 Q = diag(qi ) For convenience, the additional constraints Q = diag(qi ) and R = diag(ri ) are imposed in the optimization algorithm. Π is a weighting matrix introduced to manage separately each component of the vector x. ˜ t0 and t f are respectively the initial and final discrete time of the tuning interval and N denotes the number of data points in the tuning interval. Because of the multi-parameter, non-linear and discrete nature of this optimization problem, a Particle Swarm Optimization (PSO) algorithm is retained in [56] to derive a numerical solution. This approach has been applied successfully in [56] to the problem of control surface failures in the HL-20 Reusable Launch Vehicles (RLV) during its landing phase. See fig. 3.8 that illustrates some results.
3.2.4 Observer-Based Approaches 3.2.4.1
Disturbance Decoupling Approaches
In the disturbance decoupling approaches, the aim is to generate the fault indicating signals i.e. the residuals denoted r)so that they behave in the orthogonal space of unknown inputs(disturbances, modelling errors), whilst maintaining sensitivity to faults. In [60], this approach is used for IMU and thruster fault diagnosis of the Mars Express spacecraft. A bank of UIOs (see Section 1 for definition) with minimum variance state estimation error is used and organised into an estimator bank for fault detection and isolation. The unknown inputs are estimated in a moving time window; the unknown input direction(s) is/are estimated via additional states in an augmented state observer structure. The unknown inputs are updated in the moving window and the minimum variance estimator is re-initialised at the end of each window period. It is assumed that faults do not occur during the unknown input estimation phase. Carefully selected performance criteria indices are used together with Monte Carlo robustness tuning and performance evaluation to provide a fault diagnosis solution.
102
D. Henry, S. Simani, and R.J. Patton
To proceed, let the system model be given in the discrete-time domain according to:
xk+1 = Ak xk + Bk uk + Ek dk + Fk1 fk + w1k yk = Ck xk + Fk2 fk + w2k
(3.19)
where xk , uk , yk denote the state, the input and the output vectors, respectively. Each entry of fk corresponds to a specific fault, dk denotes the unknown inputs to be decoupled and w1k , w2k are independent zero-mean white noise sequences with covariance matrices Qk , Rk , assumed to be known. The authors show that the following UIO can be used for FDD: zk+1 = Fk+1 zk + Tk+1 Bk uk + Kk+1 yk yˆk+1 = Ck+1 zk+1 + Ck+1 Hk+1 yk+1
(3.20)
The residual rk is also defined according to rk = yk − yˆk . Then the problem turns out to be the design of F, T, K, H to achieve disturbance decoupling with minimum variance of state estimation, K playing the role of a Kalman gain. It is shown in [16, 3] that the decoupling objectives are achieved iff the following conditions are satisfied: Ek = Hk+1Ck+1 Ek
(3.21)
Tk+1 = I − Hk+1Ck+1 1 Ck Fk+1 = Tk+1 Ak − Kk+1
(3.22) (3.23)
2 = Fk+1 Hk Kk+1
(3.24)
1 2 + Kk+1 Kk+1 = Kk+1
(3.25)
The necessary and sufficient condition for the existence of a solution to Eq. (3.21) is rank (Ck+1 Ek ) = rank (Ek ) and a special solution is: −1 (Ck+1 Ek )T Hk+1 = Ek (Ck+1 Ek )T (Ck+1 Ek )
(3.26)
1 The matrix Kk+1 is designed to stabilise the observer and achieve minimum state estimation error variance. The solution to this problem is:
−1 1 Kk+1 = A1k+1 PkCkT Ck PkCkT + Rk
(3.27)
where A1k+1 = Tk+1 Ak and Pk = E{(xk − xˆk )(xk − xˆk )T } is the covariance matrix of the estimation state error at time k that can be computed according to the recursive equation: T +H T Pk+1 = A1k+1 Pk+1 (A1k+1 )T + Tk+1 Qk Tk+1 k+1 Rk+1 Hk+1 1 1 T Pk+1 = Pk − Kk+1Ck Pk (Ak+1 )
(3.28)
Remark 1. It can be seen that the observer structure described above is equivalent to a classical Kalman filter for systems without unknown inputs.
3
FDD for Aeronautic and Aerospace Missions
103
Remark 2. Note that the UIO decoupling approach was used for FDD in gyroscopes [61]. For this study the author used eigenstructure assignment to achieve the necessary de-coupling, based on the work on EA for UIO decoupling by [22]. 3.2.4.2
Iterative Learning Observer Approach
The Iterative Learning Observer (ILO) approach is proposed in [62] to diagnose time-varying faults in satellite thrusters. The goal is to derive jointly an estimate of the system state and an estimate of the fault. The ILO-based strategy uses a learning mechanism to perform estimation instead of using integrators that are used e.g. in adaptive observers. To proceed, let the system be modelled according to the following nonlinear state space model: x(t) ˙ = f (x(t)) + Bu(t) + B f u f (t) (3.29) y = Cx where x, u, y denote the state, the input and the output vectors. The vector u f denotes an additive time varying signal that models the faults to be estimated. It is assumed that u f is bounded and that ||u f (t) − K1 u f (t − τ )||∞ is finite where K1 and τ are defined below. The structure of the ILO is then defined according to: ˙ˆ = f (x(t)) x(t) ˆ + Bu(t) + Λ (y(t) − Cˆx(t)) + B f ϕ (t) ϕ (t) = K1 ϕ (t − τ ) + K2(y(t) − Cx(t)) ˆ
(3.30)
where K1 , K2 are gain matrices. The parameter τ is the updating interval. It may be taken as the sampling-time interval, or as an integer multiple of the sampling-time interval. The parameter Λ is a positive definite matrix and ϕ (t) is called the ILO input that is used to estimate the time-varying fault. As it can be seen, the signal ϕ (t) is updated by both its past information and the state estimation error.
3.2.5 Norm-Based Approaches The majority of methods discussed above involve the use of an open-loop model of the monitored system, in spite of that the FDD scheme is placed in a feedback loop. In such situations, it is well known that faults may be compensated by control actions and the early detection of them is clearly more difficult. This motivates the so-called integrated design of control and diagnosis schemes, according to the ideas proposed by [63] where robust controllers and fault detectors are designed together by optimizing a set of mixed control and fault detection objectives. For an application study on Reentry Launch Vehicles (RLV), see [64]. However, in many practical cases, this solution cannot be applied since the existing control laws are already certified for flight and consequently cannot be removed. To overcome this problem, the H∞ methods proposed in [65, 66, 67, 68, 69, 70, 71, 72] can be used. The proposed methods can be classified as:
104
D. Henry, S. Simani, and R.J. Patton
• fault signal estimation based approaches: see [65, 67, 70, 71] • and residuals generation based approaches: see [66, 73, 74, 68, 69, 75, 76, 72] A great advantage of these methods is that the framework employed i.e. the H∞ framework) facilitates the inclusion of several robustness objectives within the design procedure, e.g. against various disturbances, perturbations and model uncertainties.
3.2.6 H∞ Fault Estimation Approach Consider the system model in the following LFR (Linear Fractional Representation) form, placed in a feedback control loop (see fig. 3.2 for easy reference): y = Fu (P, Δ ) d f u , y = Ku (3.31) where d denotes the exogenous disturbances (including measurement noise) and f models the faults to be detected. The controller K is assumed to be known and fˆ is the output of the filter F to be designed. The known LTI model is denoted by P and Δ is a block diagonal operator specifying how the modelling errors enter P. Δ belongs to the structure Δ so that Δ = {block diag(δ1r Ik1 , ..., δmr r Ikmr , δ1c Ikmr +1 , ..., δmc c Ikmr +mc , Δ1C , ..., ΔmCC ), δir ∈ ℜ, δic ∈ C , ΔiC ∈ C }, where δir Iki , i = 1, ..., mr , δ jc Ikmr + j , j = 1, ..., mc and ΔlC , l = 1, ..., mC are known as the ‘repeated real scalar’ blocks, the ‘repeated complex scalar’ blocks and the ‘full complex’ blocks, respectively. The H∞ -based fault estimation problem is equivalent to the design problem of a (stable) filter F such that, for all model perturbations Δ ∈ ||Δ ||∞ ≤ 1, fˆ is an optimal estimate, in the H∞ -norm sense, of the fault signal f . To achieve high FDD performance, some model-based FDD schemes include a fault model in the design procedure. Here, the fault model is represented as a colouring filter for f . In other words, f is considered to be the result of filtering a
Fig. 3.2 The H∞ -based fault estimation problem.
3
FDD for Aeronautic and Aerospace Missions
105
fictitious signal f through a filter W f . This filter is chosen taking into account the frequency location of the fault to be detected, e.g. if the energy of the faults to be detected are located at low frequencies, W f is chosen to be a low-pass filter. Now, let us define the estimation error signal e: e = f − fˆ
(3.32)
Then the design problem turns out to be a minimization problem of the maximal gain of the closed-loop transfers from the signals f and d to the fault estimation error e. In other words, the goal is to design the filter F so that: ||Ted ||∞ < α ,
∀Δ ∈ Δ : ||Δ ||∞ ≤ 1
(3.33)
||Te f ||∞ < β ,
∀Δ ∈ Δ : ||Δ ||∞ ≤ 1
(3.34)
where Ted and Te f denote the closed-loop transfer functions between e and d, and e and f , respectively. α and β are two positive constants which are introduced to manage separately ||Ted ||∞ and ||Te f ||∞ . Of course, the smallest α and β are, the highest the FDD performances will be. In this formulation, ||M||∞ = supω σ (M( jω )) is the H∞ -norm of M and σ (•) denotes the maximum singular value. To solve the filter design problem, two approaches have been developed. The first involves the solution of a Riccati equation (see for instance [65]) and the second approach uses linear matrix inequality (LMI) optimization techniques. Since an LMI-based approach has the advantage of eliminating the regularity restrictions attached to the Riccati-based solution, the LMI-based approach is often preferred. This approach has been successfully applied for fault diagnosis of control surfaces faults in the X-33 and Hopper RLVs, see for instance [77]. 3.2.6.1
H∞ /H− Residual Generation Strategy
Based on similar reasoning to the above, Hou and Patton proposed the now wellknown H∞ /H− Residual Generation Strategy [78, 79] which has the joint design goals of maximising the sensitivity of the FDI/FDD residuals to the faults, whilst minimising the residuals to the modelling uncertainty, via H∞ optimisation. In order to develop a structured residual approach, [68, 69] proposed a method to generate a structured residual vector r in the following general form (see [66, 73, 74, 68, 69, 75, 76, 72] for more details): y(s) u(s) = K(s)y(s) (3.35) r(s) = My y(s) + Mu u(s) − L(s) u(s) The proposed method is developed in a very similar manner to the well known H∞ /μ robust controller design technique. The FDD problem consists of jointly designing My , Mu and L(s) such that the effects that faults have on r are maximized in the H− -norm sense, whilst minimizing the influence of unknown inputs and model
106
D. Henry, S. Simani, and R.J. Patton
uncertainties, in the H∞ -norm sense. The role of My , Mu is to merge optimally the available measurements and control signals, in the H∞ /H− sense outlined above. A great benefit of the proposed approach is that the residuals structuring matrices are jointly designed with, say, the dynamical part of the FDD scheme. Furthermore, it is shown how robust poles assignment and H2g -specifications can be specified within the design procedure. The motivations for using such a mix of performance measures are: • H∞ performances are convenient to enforce robustness to model uncertainty (e.g. external disturbances, nonlinear parametric uncertainties and neglected dynamics) and to express frequency-domain specifications. • H− objectives are useful for fault sensitivity requirements over specified frequency ranges. • H2g specifications and regional filter poles assignment are convenient to tune the transient response and to enforce some minimum decay rate of the residual. This feature becomes very important from a decision making point of view, as the residual is generally post-processed by a hypothesis based test to make a final decision about the fault. To proceed, consider the system model in the LFR form placed in a feedback control loop given by equation (3.31). Let the residual signal r be defined according to: r = z − zˆ
(3.36)
where zˆ is an estimation of z = My y + Mu u, a subset of measurements y and inputs u. My and Mu are two (constant) residual structuring matrices. The goal is to derive simultaneously My , Mu and L(s) : zˆ = L(s) yu such that: • (S.1): ||Td→r ||∞ < γ1 . Td→r also denotes the closed-loop transfer function between r and d. • (S.2): ||T f →r ||− > γ2 over a specified frequency range Ω . T f →r denotes the closed-loop transfer function between r and f , and Ω is the frequency range where the energy of the faults is likely to be concentrated. From a practical point of view, Ω is chosen depending on the nature of the faults to be detected, e.g. small drifts suggests choosing Ω in a low frequency range. In this formulation, ||M||− = infω ∈Ω σ (M( jω )), Ω = [ω1 ; ω2 ] denotes the H− norm of M. σ (M( jω )) denotes the minimum non-zero singular value of matrix M( jω ) and Ω = [ω1 ; ω2 ] the evaluated frequency range in which σ (M( jω )) = 0. As explained previously, to achieve high performances, model-based FDD schemes often use disturbance, measurement noise and fault models into the design procedure. Here, such models are represented as colouring filters. In other words, d and f are considered to be the result of filtering fictitious signals through dynamical filters. Let Wd and W f denote these filters. The solution of the design FDD scheme problem is then handled using the following lemma [68]: Lemma 1. Consider the coloring filter W f defined above. Introduce WF , a right invertible transfer matrix so that ||W f ||− = γλ2 ||WF ||− and ||WF ||− > λ , where
3
FDD for Aeronautic and Aerospace Missions
107
λ = 1 + γ2 . Define the signal r˜ such that r˜ = r −WF (s) f . Then a sufficient condition for the fault sensitivity specification (S.2) to hold, is ||T f →˜r ||∞ < 1
(3.37)
where T f →˜r denotes the closed-loop transfer function between r˜ and f . Using the above lemma, the H∞ /H− filter design problem can be re-cast in a fictitious H∞ -framework: Using linear fractional algebra and including γ1 , λ ,WF and the weighting functions Wd into the model P, one can derive from (3.31) a new model ˜ y , Mu ) depending on the residual structuring matrices My and Mu so that: P(M ˜ y , Mu ), L , Δ d rr˜ = Fu Fl P(M (3.38) T where d = d f
T
in which d is the fictitious signal generating d through Wd . In ∞ 1/2 ||d(t)||2 dt ≤ 1, since it is always this formulation, we assume that d 2 = −∞ ˜ y , Mu ). possible to scale P(M Then, a sufficient condition for specifications (S.1) and (S.2) to hold is: Fl P(M ˜ y , Mu ), L < 1 (3.39) ∞ This equation seems to be similar to a standard H∞ equation. In fact, this is not ˜ y , Mu ) depends on My and Mu that are unknown. To the case since the transfer P(M overcome this problem, a method based on LMI optimisation techniques is proposed in [68].
3.2.7 Non-linear FDD Method This Section presents the development of a new nonlinear FDD scheme providing both fault detection and the estimation of the fault size. Moreover, the information brought by the fault size estimation can be very useful for offline maintenance purposes and for on-line reconfiguration of the automatic flight control system. This method is based on the NonLinear Geometric Approach (NLGA) developed by de Persis and Isidori [27] who showed that the problem of the FDD for nonlinear systems is solvable if and only if there is an unobservability distribution that leads, by means of an appropriate coordinate change, to the determination of an observable quotient subsystem which is unaffected by all faults but one. For this subsystem, an adaptive nonlinear filter providing fault size estimation is developed. It is worth observing that the basic NLGA FDD scheme [80] based on residual signals cannot provide fault size estimation. This method was applied to a simulation study of a Vertical Take-Off and Landing (VTOL) aircraft with reference to a reduced-order model [80]. The new proposed FDD scheme belongs to the NLGA framework, where a coordinate transformation is the starting point to design a set of adaptive filters in order to detect additive faults acting on the monitored system and to estimate the magnitude
108
D. Henry, S. Simani, and R.J. Patton
of the fault. The proposed approach can be properly applied to a nonlinear system model in the form described in [27]. Moreover, as detailed in [81] and subsequently developed in [27], a state and output coordinate transformation can be applied to the considered nonlinear system if and only if a proper fault detectability condition is satisfied. In this case, the nonlinear system in the new reference frame can be decomposed into 3 subsystems where the first one (the x¯1 -subsystem) is always decoupled from the disturbance vector and affected by the fault. The new proposed FDD scheme can be applied only if the fault detectability condition presented in [81] holds and some new constraints are satisfied, as described in [82]. Thus, an adaptive filter can be designed with reference to the transformed nonlinear system, in order to perform an estimation of the fault signal, which asymptotically converges to the magnitude of the fault f . The proposed adaptive filter that solves this FDD problem is based on the least squares algorithm with forgetting factor [83] and described by a suitable adaptation law [45]. It can also be shown that the designed adaptive filter represents a solution to the considered FDD problem, so that the fault signal estimate provides an asymptotically convergent estimation of the magnitude of the actual fault, as reported in [45]. 3.2.7.1
NLGA Particle Filter FDD Scheme
This Section addresses the FDD problem for a nonlinear stochastic dynamic system. When stochastic systems are considered, much of the FDD schemes rely on the system being linear and the noise and disturbances as having Gaussian statistics. In such cases, the Kalman filter is usually employed for state estimation and its innovation is then used as the residual [3]. The idea used in the linear case mentioned above has been extended to some nonlinear stochastic systems with additive Gaussian noise and disturbance by employing linearisation and ‘Gaussianisation’ techniques, and in this case, the Kalman filter is usually replaced by the Extended Kalman Filter (EKF) [53]. Although this EKF-based approach appears straightforward, there are no general results to guarantee that the approximations will work well in real applications. FDD problems that are truly nonlinear and are non-Gaussian stochastic systems are still the subject of extensive investigation in the literature. Recently, the Particle Filter (PF), a Monte Carlo based method for nonlinear nonGaussian state estimation, has attracted much attention [53, 32]. Polynomial extended Kalman filters and the Unscented Kalman Filter (UKF) represent alternative techniques with performance superior to that of the EKF [84]. However, the interest for PF based methods stems from their ability to be able to handle any functional nonlinearity and system or measurement noise of any probability distribution. As an example, the work [32] represents an attempt to introduce PF into the field of FDD. The fault isolation problem is also investigated. By combining PF with the NLGA design technique, a particle filtering based approach i.e. the NLGA-PF) to FDD is presented. In particular, the PF is employed to develop a method for solving the FDD problem for the nonlinear stochastic model
3
FDD for Aeronautic and Aerospace Missions
109
of the system under diagnosis, which is derived by following a NLGA strategy. The use of the NLGA facilitates the determination of disturbance decoupled residual generators in a stochastic framework. The fault isolation and the disturbance decoupling suggested in this section is different from the method presented in [32], as achieved via the NLGA strategy.
3.2.8 Sliding Mode Observer Sliding mode observers are one of the nonlinear FDI approaches discussed in the literature. In sliding mode systems, the trajectories are forced to evolve along a surface in the state space [112]. The associated sliding motion is of reduced order and poses very specific robustness properties [112]. Sliding mode ideas can be used in an observer context [120]. The idea is to design the observer gains so that the sliding surface is reached and maintained so that the error between the plant and the observer outputs is zero. In the last decade, sliding mode observers have been used for FDI. The first sliding mode observer designs used typical residual based FDI ideas [122, 114]. The idea was to ensure the sliding motion was broken when faults/failures occurred in the system and a residual was generated containing information about the fault. The more recent work by Edwards et al [113], Tan & Edwards [119], Jiang et al [115] and Kim et al [117] represent some of the approaches which have the capability to reconstruct/identify faults. Not only do these design approaches have the ability to detect and isolate the source of the fault/failure they also provide further information about the fault/failure which can be used especially for fault accommodation. In terms of FTC, the availability of a fault reconstruction signal means that sensor faults can be corrected before the measurement signals are used by the controller, and the severity of an actuator fault (actuator effectiveness) can be estimated, which is beneficial for controller reconfiguration [124, 121, 123]. A generic FDI development in terms of the reconstruction of faults using sliding mode observers is given in Edwards et al [113]. The novelty of the work in Edwards et al [113], is the use of the concept of the ’equivalent output error injection signal’ to reconstruct faults. Tan & Edwards [119] extended this work for robust reconstruction of sensor and actuator faults by minimizing the effect of modeling uncertainty on the reconstruction in an L2 sense [116]. One of the benefits of using the method proposed in [113, 119, 118, 111] compared to other sliding mode observer based FDI methods is that the sliding motion is not broken even in the event of faults/failures. This allows the possibility of using the sliding mode observer not only for FDI but also as a state estimator. However, for FDI purposes, emphasis is placed on the fault estimation and not the state estimation.
3.3 Application Examples In the following sections, several examples are presented in order to test the FDD techniques presented in Section3.2. Complete design procedures for FDI for
110
D. Henry, S. Simani, and R.J. Patton
isolation and identification of actuator as well as input and output sensor faults are developed. In order to analyze the diagnostic effectiveness of the FDD strategies in the presence of abrupt changes or drifts in measurements, realistic fault scenarios have been considered. The results obtained by the presented FDD approaches indicate that the detected faults on the various processes are of interest for future aircraft and aerospace diagnostic applications.
3.3.1 Application to ‘Oscillatory Failure Case’ (OFC) The term ‘Oscillatory Failure Case’ (OFC) is used to deal with an unwanted aircraft control surface oscillation. Such faults lead to strong interactions with loads and aero–elasticity when located within actuator bandwidth. Consequently, early and robust detection of OFC is very important because it has an impact on the flight envelope and on the structures. The need for this early and robust detection has motivated Airbus to develop model-based fault diagnosis methods to tackle the problem of OFC, see chapter 5 for extensive details. In [57, 58], the nonlinear EKF estimator described in Section 3.2.3 is used to estimate an OFC in the Electrical Flight Control System. More precisely, the OFCs that are considered are those due to electronic components in fault modes generating spurious sinusoidal signals. These oscillatory signals propagate through the servo-loop control, leading to control surface oscillation. The faulty components are located inside the Analog Inputs/Outputs, the position sensors or the actuators. OFC signals are modelled as sinusoidal signals with frequency and amplitude uniformly distributed over the frequency range 0 − 10Hz. Beyond 10Hz, an OFC has no significant effects because of the low-pass behaviour of the actuator. It is necessary to detect an OFC beyond a given amplitude in a given number of periods, whatever the OFC frequency. The time for detection is expressed in period numbers, which means that, depending on the failure frequency, the time really allowed for detection is not the same. To solve the OFC detection problem, the authors use an approximation of the nonlinear model of the actuator by means of a multi-dimensional extension of Stirling’s interpolation formula. This facilitates a simplified implementation since differentiability of the nonlinear mappings is not required. As an illustration, fig. 3.3 show the behaviour of the residual signal r(k) = y(k) − y(k) ˆ in both fault-free and faulty situations, for some real telemetric flight data. For the purpose of faults, a simulated OFC with amplitude 0.4 deg and frequency 5Hz was injected at time 800 seconds. The interested reader can refer to [57, 58] for more details.
3.3.2 Simulated Aircraft Model FDD To show the diagnostic characteristics brought by the application of the proposed PM and NLGA-AF FDD schemes to a general aviation PIPER PA30 aircraft, R R and Simulink environments are some simulation results obtained in the Matlab
FDD for Aeronautic and Aerospace Missions 1
0.5
0.5
0
0
111
residual (°)
1
residual (°)
3
−0.5
−0.5
−1
−1
−1.5
0
500
1000 Time (s)
1500
−1.5
0
500
1000
1500
Time (s)
Fig. 3.3 Behaviour of the residual r - Fault-free situation (left) / OFC (right)
reported in this Section which also considers briefly the important features of the performance evaluation of the diagnosis schemes, i.e. their robustness and reliability with respect to the uncertainty and disturbance acting on the system by means of a Monte-Carlo analysis. The mathematical simulation model of the aircraft used in this Section is based on the classical nonlinear 6 Degrees of Freedom (6 DoF) rigid body formulation [85], whose motion occurs as a consequence of applied forces and moments (aerodynamic, thrust and gravitational). A set of local approximations for these forces has been computed and scheduled depending on the values assumed by True Air Speed (TAS), flap, altitude, curvature radius and flight path angle. In this way, it is also possible to obtain a simplified mathematical model for each flight condition that is suitable for a state-space representation, as it can be made explicit. The parameters in the analytic representation of the aerodynamic actions have been obtained from wind tunnel experimental data. It should be observed that aerodynamic forces and moments are not implemented by the classical linearised expressions (stability derivatives). Static aerodynamic actions (e.g. lift and drag characteristics), are implemented by means of cubic splines approximating nonlinear experimental curves. More details can be found in the related paper [86]. The linear aircraft model used by the proposed PM described in Section 3.2.1 embeds the linearisation both of the 6 DoF model and of the propulsion system. On the other hand, the NLGA-AF FDD scheme described in Section 3.2.7 requires a nonlinear input affine system [27], but the adopted simulation model of the aircraft does not fulfil this requirement. For this reason, a simplified aircraft model has been considered, as reported in [45]. The PM residual generator filters are fed by the 4 component input vector c(t) and the 9 component output vector y(t) acquired from the nonlinear simulation aircraft model [87, 46]. Each filter of the PM bank is independent of one of the 4 input signals and then is also insensitive to the corresponding fault signals. Clearly, the residual generator bank has been designed to be decoupled from the disturbance signals, i.e. the wind gust signals, which represent disturbance terms acting on the aircraft system.
112
D. Henry, S. Simani, and R.J. Patton 1
Elevator sensor residuals
0.5 0 -0.5
0
50
100 150 200 Samples (sec.)
250 300
Rudder sensor residuals
5 0 -5 -10 -15 -20 -25
0
Aileron sensor residuals
-8 -10
-1 -1.5
4 2 0 -2 -4 -6
50
100 150 200 Samples (sec.)
250 300
0
50
14 12 10 8 6 4 2 0 -2 -4 0
50
100 150 200 250 300 Samples (sec.) Throttle sensor residuals
100 150 200 250 300 Samples (sec.)
Fig. 3.4 PM residuals for the elevator sensor fault diagnosis.
In order to assess the diagnosis technique, different fault sizes have been simulated on each sensor. As an example, the 4 residual functions rci (t) generated by the filter bank for input sensor fault isolation, under both fault-free and faulty conditions are shown in fig. 3.4. Continuous lines represent the fault-free residual functions, while the dashed lines depict the faulty residual signals. The dotted lines correspond to the settled thresholds. The fault considered in Fig 3.4 has been generated on the elevator sensor of the considered aircraft, starting at time t = 150 s. The first residual function of fig. 3.4 also provides the isolation of the input sensor fault under consideration. Regarding the new NLGA-AF FDD scheme, in order to assess its effectiveness in estimating the faults affecting the input sensors, the same flight condition (a coordinated turn at constant altitude) previously described for the PM evaluation has been considered. A bank of 4 adaptive filters has been used in order to perform the diagnosis, the isolation, and the estimation of the elevator, aileron, rudder and throttle actuator fault magnitudes. It is important to note that each filter is structurally decoupled from the vertical and lateral wind disturbance components and is sensitive to a single input sensor fault. In fig. 3.5, the simulation results referring to a particular case are reported, where a small fault with a size of 2o starting at time t = 150 s is added to the elevator actuator. With reference to the results obtained, the proposed FDD strategies appear to be promising for diagnostic application to commercial aircraft. Advantages and drawbacks of the PM and the new NLGA-AF FDD methods developed in this Section can be summarised as follows. Both PM filters and NLGA-AF perform lowpass filtering of input/output measurements. For the particular aircraft application, the computational burden of polynomial filters is lower than that of NLGA adaptive filters, so that they are suitable for low-cost implementations. On the other hand, NLGA-AF can obtain smaller detection time, compared with PM filters, thanks to
3
FDD for Aeronautic and Aerospace Missions
113
Elevator sensor fault estimate
Aileron sensor fault estimate
3
0.5
2
0
1
-0.5
0
-1
-1
0
100
200
Samples (sec.) Rudder sensor fault estimate
300
-1.5
0
100
200
300
100
200
300
Samples (sec.) Throttle sensor fault estimate
1.5 0.02
1
0.01
0.5
0
0 -0.5
0
-0.01 100
200
Samples (sec.)
300
-0.02
0
Samples (sec.)
Fig. 3.5 Adaptive filters via the nonlinear geometric approach for elevator sensor fault diagnosis and size estimation.
the fact that they directly take into account nonlinear terms [45]. It is worth noting that the results of the Monte-Carlo analysis applied to the PM and NLGA-AF FDD scheme show how the proper design and optimisation of the dynamic filters allows the achievement of low false and missed alarm rates, with high detection and isolation rates, and with minimal detection and isolation delay times, as described in [45]. As for the NLGA-NF, the NLGA Particle Filter (NLGA-PF) has been designed as described in [82, 46]). The NLGA-PF filter is implemented via the algorithm summarised in Section 3.2.2 with a number M = 200 of particles and it uses 20000 data samples δthk and nek , acquired from the continuous-time aircraft model. As an example, the residual functions generated by the NLGA-NF and NLGA-PF filters for the throttle actuator FDI, under both fault-free and faulty conditions, are shown in fig. 3.6. The continuous lines represent the fault-free residual functions, whilst the dotted lines depict the faulty residual signals. As illustrated in fig. 3.6, the fault has been generated on the throttle actuator of the aircraft, starting at time t = 100s.
3.3.3 Aerospace Mission Application Examples The fault detection, isolation and recovery techniques currently used for in flight critical functions rely on hardware/software redundancy associated with simple consistency checks or voting mechanisms, or simple estimation techniques such as Kalman filters. Fixed thresholds, once validated with all the known delays in the signals propagation (acquisition, frequency, filtering, ...) are used for rapid recognition of out-of-tolerance conditions. These actions (fault detection and isolation) are
114
D. Henry, S. Simani, and R.J. Patton
Fig. 3.6 NLGA-PF and NLGA-NF residuals for throttle actuator FDD.
often done by operators using telemetry data collected by ground stations. This data are usually elaborated using on-board functions based on, e.g. hardware redundancy like IMUs placed in a pyramidal structure, cross checks using many star-trackers or short rendezvous sensors, limit value checking with regard to certain tolerances of normal values. However, the potential lack of communication between the system and the stations and/or the time used to analyse the collected data, could lead the missions to be aborted. This problem becomes crucial e.g. during the hypersonic phase of an atmospheric re-entry and specially during the well known blackout phase where no communication between the vehicle and the ground stations exist due to excessive thermic flow. In such cases, only on-board fault detection and isolation solutions can be considered for aerospace systems. Model-based methods applied to aerospace example systems can be considered today as a mature and structured field of research. Significant progress has been made during the past two decades to address the problem of robustness and performances assessment. However, except within the Livingstone system [88] which flew on the Deep Space One spacecraft as part of the Remote Agent Experiment, such techniques have not been used so far in on-board computers for aerospace missions. The principal reason is related to the fact that any new technique should provide a solution having well-defined real-time characteristics and well-defined error rates. The selection of an advanced model-based fault diagnosis solution at a local or global level, necessarily includes a trade-off between the best adequacy of the technique and its implementation level for covering an expected fault profile, as well as its industrialisation process with support tools for its design/tuning and validation. Very attractive advanced algorithmic solutions would not be accepted, without such industrial framework capability, e.g. for easy parameter tuning and validation by non specialist operators. A classical approach could therefore be preferred despite its smaller fault coverage, because classical methods are well industrially mastered and well characterized, without risk of excessive false alarms. It follows that a good balance between physical redundancy and model-based techniques could be the right solution, leading to more efficient health monitoring systems based on less redundant elements. See discussion in [9, 10].
3
FDD for Aeronautic and Aerospace Missions
115
This section presents the results achieved when several diagnosis techniques, that are designed exploiting both hardware and system redundancy, are applied successfully to aerospace missions. 3.3.3.1
The Microscope Satellite
M ICROSCOPE is a satellite to be launched on a circular, quasi-polar, sunsynchronous orbit at an altitude of 700km with ascending and descending nodes at 6:00 and 18:00, respectively. To control its trajectory, M ICROSCOPE uses the coupling of six ultra-sensitive accelerometer sensors, a stellar sensor and a very precise electric propulsion system composed by twelve Field Emission Electric Propulsion (FEEP) thrusters. The mission can be in danger if a FEEP thruster fault occurs, since the satellite may not compensate for non-gravitational disturbances which are indispensable prior conditions for testing the Equivalence Principle. To overcome this problem, an FDI scheme that consists of a bank of 12 H∞ /H− residual generators is proposed in [72]. The design is done so that the sensitivity level of the i − th residual with respect to the i − th FEEP thruster fault fi is maximised in the H− -norm sense, whilst guaranteeing robustness against measurement noises n and spatial disturbances h(ϖα , ϖspin ) in the H∞ -norm sense. Fig. 3.7 illustrate the behaviour of the residuals ri (t), i = 1, ..., 12, the behaviour of the decision test and the isolation criteria, for some faulty situations. As can be seen in the figures, after a small transient behaviour, all faults are successfully detected and isolated by the FDD unit. 3.3.3.2
The HL-20 RLV
The RLV vehicle shown in Fig. 3.8 was defined as a component of the Personnel Launch System (PLS) mission. This has initially been designed to support several manned-space missions including the orbital rescue of astronauts, the International Space Station (ISS) crew exchange and some satellite repair missions. A typical atmospheric re-entry for a medium or high L/D vehicle consists of performing three successive flight phases, namely the Hypersonic phase from about 120 km high down to TAEM (Terminal Area Energy Management) handover, the TAEM phase from Mach 2 gate down to Mach 0.5 gate and the auto-landing phase from Mach 0.5 gate down to the wheel stop on the runway. After having achieved the hypersonic path, the vehicle initiates the TAEM phase characterized by an entry point called TEP (Terminal Exit Point), typically defined when crossing Mach 2 gate, and an exit point called NEP (Nominal Exit Point) which is defined in terms of altitude, velocity and distance to the runway. Finally, the landing path is defined in terms of desired altitude from the runaway threshold and is composed of three successive sections, i.e. a steep outer glideslope, a parabolic pullup manoeuver and a shallow inner glideslope. The work presented in [89, 90, 56] focuses on any type of faults in the wing flap actuators during the landing phase. The strategy proposed by the authors consists of a bank of two H∞ /H− fault detection filters that are designed so that a given filter is
116
D. Henry, S. Simani, and R.J. Patton
Fig. 3.7 Fault-free and faulty residuals with the decision test (left) and the isolation criteria (right).
made robust against measurement noise, winds turbulence, the guidance reference signals and faults in a given wing flap actuator, whilst remaining sensitive to all faults in the other wing flap actuator. For the purpose of estimating the position of the faulty control surfaces, the nonlinear EKF method presented in Section 3.2.3 is used. Fig. 3.8 illustrates the results for some nonlinear simulations in the presence of wind and atmospheric turbulence. As it can be seen, the faults are successfully detected, isolated and estimated by the FDI unit.
3.3.4 Robust Diagnosis for Mars Express Satellite Thruster Faults This Section summarises a practical solution example with low computational cost to the problem of the robust residual generator design for the FDD of the thrusters of the Mars Express (MEX) satellite model subject to disturbance, uncertainty and measurement noises. The main challenge is the detection and isolation of faults in any one of the four active thrusters of the spacecraft during the phases of main engine burn that cause large torque and centre of mass disturbances. This is the socalled ‘thruster modulation’ problem, which is very difficult to solve using classical robust FDD methods. The proposed FDD strategy is based on fault decoupling observer design for residual generation and isolation where a separate estimation of disturbance torque
3
FDD for Aeronautic and Aerospace Missions
117
30
30
Runaway-type fault on δwfl δwfl (deg)
δwfl (deg)
δwfl
25
20 10
Fault is declared by the FDI unit
0
20 15
δˆwfl
10
−10
5 10
20 30 40 Simulation time (s)
50
60
20
25 30 Simulation time (s)
20
Jamming-type fault on δwfr
δwfr
12
15
δwfr (deg)
δwfr (deg)
11 10 5
Fault is declared by the FDI unit
0
10 9
δˆwfr
8 7
−5
0
20 40 Simulation time (s)
60
32
34 36 38 40 Simulation time (s)
42
44
Fig. 3.8 HL–20 vehicle (top), residuals and position estimates (bottom)
makes the isolation possible. This disturbance is mainly contributed by the main engine misalignment but may also include un-modelled dynamics. Local linear mathematical models of the satellite are estimated by means of a robust dynamic system identification approach based on minimisation of the estimation error [5, 91]. The identified models are used in the design of robust FDD residual generators based on dynamic observers that are structurally decoupled from both disturbances and estimated uncertainties acting on the space vehicle. For the satellite problem, the main source of disturbance is caused by the large torque imbalance effects arising from
118
D. Henry, S. Simani, and R.J. Patton
deployment of the main engine. These FDD observers are organised into observer bank structures, providing good fault isolation properties. The parameters of these optimal robust disturbance decoupling observers together with the use of a concurrent disturbance estimation strategy are designed jointly to maximise the robustness with respect to both measurement noise and modelling errors, whilst optimising fault sensitivity characteristics. The FDD robustness obtained via unknown decoupling is far less conservative than the best robustness that can be achieved using nonlinear strategies. Nonlinear methods usually work well if the nonlinear structure of the mathematical model of the system under investigation is perfectly known. Nonlinear system approaches are challenged heavily when the uncertainties are unstructured, whilst the approach can be easily outperformed when the concurrent disturbance estimation strategy is exploited, due to the conservativeness of the robust results arising from the way in which the uncertainty bounds are defined. In this study software algorithms to determine the overall performances of the proposed FDD methods are described and implemented in the MATLAB and SIMULINK environments. They perform simulations of the attitude control of the MEX satellite system based on a reasonable detailed nonlinear model of the MEX satellite system. The overall FDD scheme exploits a Monte Carlo (MC) tool for both the design of the robust FDD technique and the final performance evaluation, as described in [92, 93, 94, 95, 60]. As shown in fig. 3.9, the structure of the MEX orbiter consists of a cube-shaped spacecraft with two solar panel wings extending from opposite sides. More details can be found in [96]. The background to the FDD methods used in this study has developed from the combined experiences of the academic authors [92, 93, 94, 95, 60]. The main approach to the FDD is to make use of unknown input decoupling to suppress/remove the large main engine-induced disturbances from the residuals used for the FDD of the gas thrusters. The decoupling approach is based on the work of Chen and Patton [16, 97], with the additional feature of direction of unknown input estimation
Fig. 3.9 The MEX structure.
3
FDD for Aeronautic and Aerospace Missions
-3
x 10
119
C o m p a r is o n o f s y m p t om s f o r f a u lt is o l a t io n ( S 2 ) O b se rve r-0
9
O b se rve r-1 O b se rve r-2 O b se rve r-3
W e ig h te d
rk
a v e r a g in g f u n c t i o n [ r a d / s e c ]
8
O b se rve r-4 7 F a u lt 6
is o la ti o n w in d o w
5
4
3
2
1
0 7 00
7 05
710
7 15
7 20
t im e [ s e c ]
D e tecti on ti m e t
d
I s o la t io n t im e t
i
Fig. 3.10 Residual signals for faulty thrusters.
using an augmented observer described in [3]. Instead of using the nonlinear physical model of the satellite directly, this model is used in a robust recursive identification study to generate an identified model taking account of some of the modelling errors associated with variations around a point of operation of the system. The iterative procedure is included in the MC strategy to optimize the model and structure of the residuals for robust FDD. The work of Simani and co-workers has been used for the identification study [5]. The identified model is then used in the residual generation strategy [92, 93, 94, 95, 60]. Once the linear model for the system under investigation is available, the FDI scheme relies on the design of the so-called ORDDO [98]. The original work by Uppal and Patton made use of a multiple-model structure consisting of a group of decoupling observers for generating the required FDI residuals. Each observer in the group is designed to be sensitive to a subset of faults (that have to be detected and isolated). The authors selected the ORDDO strategy for its ability to decouple faults and to make the FDI design robust w.r.t. the modelling/parameter uncertainty, noise and disturbance. A separate augmented observer proposed originally by Chen and Patton [3] is included in the design in order to estimate the directions of the distribution of the disturbance torque, mainly caused by main engine misalignment, into the system. As an example, the residual signals due to the thruster fault case are reported in fig. 3.10. The residuals indicate a fault occurrence when their values are lower or
120
D. Henry, S. Simani, and R.J. Patton
higher than the thresholds fixed in fault-free conditions. Regarding the MEX thruster FDD, fig.3.10 shows the faulty residuals when thruster 1 is open. According to the observer bank design described in [95, 60], the residual signal with the smallest value indicates the corresponding faulty thruster command signal. In this case, the thruster fault commences at the instant t = 700s. Finally, various indices for performance evaluation of the suggested method were analysed on the monitored MEX system. The MC simulation approach to both the FDD scheme design and its performance evaluation as exploited here has facilitated more reliable results than the conventional software reliability models [92, 93, 94, 95, 60]. These evaluation performance and reliability indices were computed based on extensive simulations using the MEX MATLAB and SIMULINK environments. Through many MC runs, the imperfect process modelling, uncertainty, disturbance and noise can be taken into account, to give more accurate and realistic results. The complete procedure was implemented using MATLAB and SIMULINK software tools in order to automate the simulation process. The diagnosis feasibility and reliability studies are of paramount importance for real application of FDI once implemented on-board future spacecraft.
3.4 Conclusion This chapter has provided some theoretical and mainly application study results for the detection and diagnosis of faults in the actuators and sensors of aircraft and aerospace systems, through the use of different FDD schemes. Residual generators can be designed from the input-output description of the linearised model of the system under diagnosis and the disturbance decoupling has been obtained. A procedure for optimising the residual generator fault sensitivity and dynamic response has also been presented. An important aspect of the strategies based on linear residual generators is the simplicity of the technique used to generate these residuals when compared with different schemes. The algorithmic simplicity is a very important aspect when considering the need for verification and validation of a demonstrable scheme for air-worthiness certification. The more complex the computations required to implement the scheme, the higher the cost and complexity in terms of air-worthiness certification. On the other hand, nonlinear methodologies rely on a design scheme based on the structural decoupling of the disturbance obtained by means of a coordinate transformation in the state space and in the output space. To apply the nonlinear theory, a simplified model of the system under investigation can be required. The mixed H− /H∞ optimisation of the tradeoff between fault sensitivity, disturbances and modelling errors is now well understood in the theoretical work and is a promising area for application study. On the other hand, UIO strategies can have practical application via moving ‘unknown input estimation windows’ as demonstrated on a real satellite thruster modulation design problem. The nonlinear FDD strategies can be based also on adaptive filters scheme. In addition to a proper detection and isolation, these methods provided also a fault size
3
FDD for Aeronautic and Aerospace Missions
121
estimation. This feature is not usual for a fault detection and isolation method and can be very useful during an on-line automatic flight control system reconfiguration, in order to recover a faulty operating condition. Compared with similar methods proposed in the literature, the nonlinear adaptive fault diagnosis technique described here has the advantage of being applicable to more general classes of nonlinear systems and less sensitive to measurement noise, since it does not use input/output signal derivatives. Suitable filtering algorithms for stochastic systems were also proposed. The knowledge regarding the noise process acting on the system under diagnosis can be exploited by the fault diagnosis method design, hence the proposed scheme provides a possible solution to nonlinear system diagnosis with non-Gaussian noise and disturbance. The main advantage of nonlinear based FDD techniques with disturbance decoupling features is represented by the fact that they take into account directly the model nonlinearity and the system reality-model mismatch. The FDD techniques that have been outlined in this chapter have been tested by considering high fidelity simulators that are able to take into account disturbances and measurement errors acting on the system under investigation. Moreover, the robustness characteristics and the achievable performances of the FDD approaches described have been carefully considered and investigated. The effectiveness of the proposed diagnosis schemes was shown by simulations and a comparison with widely used data driven and model-based FDI schemes with disturbance decoupling. The reliability and the robustness properties of the designed residual generators to model uncertainty, disturbances and measurements noise were analysed via extensive simulations, including the use of Monte-Carlo simulation experiments to tune the FDD parameters. Finally, the need to bridge the design gap between FDD and recovery mechanisms, i.e. e.g. Fault Tolerant Control (FTC) schemes is obvious. FDD and FTC strategies can be combined as shown in Chapter 12 and in related works by the same authors and by [99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110].
References 1. Patton, R.J., Frank, P.M., Clark, R.N.: Fault Diagnosis in Dynamic Systems, Theory and Application. Control Engineering Series. Prentice Hall, New York (1989) 2. Gertler, J.: Fault Detection and Diagnosis in Engineering Systems. Marcel Dekker, New York (1998) 3. Chen, J., Patton, R.J.: Robust Model-Based Fault Diagnosis for Dynamic Systems. Kluwer Academic Publishers, Dordrecht (1999) 4. Patton, R.J., Frank, P.M., Clark, R.N.: Advances in Fault Diagnosis for Dynamic Systems. Springer, London (2000) 5. Simani, S., Fantuzzi, C., Patton, R.J.: Model-based fault diagnosis in dynamic systems using identification techniques. In: Advances in Industrial Control, 1st edn. Springer, London (November 2003) 6. Isermann, R.: Fault-Diagnosis Systems: An Introduction from Fault Detection to Fault Tolerance, 1st edn. Springer, Heidelberg (November 28, 2005)
122
D. Henry, S. Simani, and R.J. Patton
7. Ding, S.X.: Model-based Fault Diagnosis Techniques: Design Schemes, Algorithms, and Tools, 1st edn. Springer, Heidelberg (April 10, 2008) 8. Isermann, R., Ball´e, P.: Trends in the application of model-based fault detection and diagnosis of technical processes. Control Engineering Practice 5(5), 709–719 (1997) 9. Patton, R.J.: Fault detection and diagnosis in aerospace systems using analytical redundancy. Computing & Control Engineering Journal 2(3), 127–136 (1991) 10. Labarr`ere, M., Patton, R.J.: Detection of sensor failures. In: Pelegrin, M., Hollister, W.M. (eds.) Concise Encyclopedia of Aeoronautics and Space Systems, vol. 2, pp. 101– 110. Pergamon Press, Oxford (1993) 11. Marcos, A., Ganguli, S., Balas, G.J.: An application of H∞ fault detection and isolation to a transport aircraft. Control Engineering Practice 13, 105–119 (2005) 12. Amato, F., Cosentino, C., Mattei, M., Paviglianiti, G.: A direct/functional redundancy scheme for fault detection and isolation on an aircraft. Aerospace Science and Technology 10, 338–345 (2006) 13. Frank, P.M.: On-line fault detection in uncertain non-linear systems using diagnostic observers - a survey. International Journal of Systems and Science 25, 2129–2154 (1994) 14. Chen, J., Patton, R.J.: Observer-based fault detection and isolation: robustness and applications. Control Engineering Practice 5, 671–682 (1997) 15. Basseville, M., Nikiforov, I.V.: Detection of Abrupt Changes: Theory and Application. Prentice-Hall Inc., Englewood Cliffs (1993) 16. Chen, J., Patton, R.J.: Optimal filtering and robust fault diagnosis of stochastic systems with unknown disturbances. IEE Proceedings on Control Theory & Applications 143(1), 31–36 (1996) 17. Gertler, J.: Survey of model-based failure detection and isolation in complex plants. IEEE Control System Magazine 8, 3–11 (1988) 18. Patton, R.J., Chen, J.: A review of parity space approaches to fault diagnosis for aerospace systems. AIAA Journal of Guidance, Control & Dynamics 17, 278–285 (1994) 19. Chen, J., Patton, R.J., Zhang, H.Y.: Design of unknown input observers and robust fault detection filters. International Journal of Control 63, 85–105 (1996) 20. Isermann, R.: Supervision, Fault Detection and Fault Diagnosis Methods - An Introduction. Control Eng. Practice 5(5), 639–652 (1997) 21. Patton, R.J.: Robust fault detection using eigenstructure assignment. In: Proc. 12th IMACS World Congress on Scientific Computation, pp. 431–434 (1988) 22. Patton, R.J., Chen, J.: On eigenstructure assignment for robust fault diagnosis. Int. J. of Robust & Nonlinear Control - Special Issue on Fault Detection and Isolation 10 (2000) 23. Liu, G.P., Patton, R.J.: Eigenstructure Assignment for Control System Design. John Wiley and Sons Ltd., Chichester (1998) 24. Patton, R.J., Chen, J.: Robust fault detection of jet engine sensor systems using eigenstructure assignment. AIAA Journal of Guidance, Control & Dynamics 15, 1491–1497 (1992) 25. Massoumnia, M.A.: A geometric appoach to failure detection and identification in linear systems. PhD thesis, Massachusetts Institute of Technology, Massachusetts, USA (1986) 26. Hammouri, H., Kinnaert, M., El Yaagoubi, E.: Observer–based approach to fault detection and isolation for nonlinear systems. IEEE Transactions on Automatic Control 44, 1879–1884 (1879) 27. De Persis, C., Isidori, A.: A geometric approach to non–linear fault detection and isolation. IEEE Transactions on Automatic Control 45, 853–865 (2001)
3
FDD for Aeronautic and Aerospace Missions
123
28. Kabor´e, P., Othman, S., McKenna, T., Hammouri, H.: An observer-based fault diagnosis for a class of nonlinear systems – application to a free radical copolymerization reaction. International Journal of Control 73, 787–803 (2000) 29. Kabor´e, P., Wang, H.: Design of fault diagnosis filters and fault tolerant control for a class of nonlinear systems. IEEE Trans. on Automatic Control 46(11), 1805–1810 (2001) 30. Pertew, A., Marquez, H., Zhao, Q.: LMI–based sensor fault diagnosis for nonlinear Lipschitz systems. Automatica 43(8), 1464–1469 (2007) 31. Cheng, Q., Varshney, P., Michels, J., Belcastro, C.: Fault detection in dynamic systems via decision fusion. IEEE Trans. on Aerospace and Electronics Systems 44, 227–242 (2008) 32. Zhang, Q., Campillo, F., Cerou, F., Legland, F.: Nonlinear system fault detection and isolation based on bootstrap particle filters. In: Proc. of 44th IEEE CDC-ECC, Seville, Spain, December 2005, pp. 3821–3826 (2005) 33. Korbicz, J., Koscielny, J.M., Kowalczuk, Z., Cholewa, W. (eds.): Fault Diagnosis: Models, Artificial Intelligence, Applications, 1st edn. Springer, Heidelberg (February 12, 2004) 34. Uppal, F.J., Patton, R.J.: Neuro-fuzzy uncertainty de-coupling: A multiple-model paradigm for fault detection and isolation. Int. Journal of Adaptive Control & Signal Processing (Invited Special Issue Paper) 19, 281–304 (2005) 35. Wang, H., Huang, Z., Daley, S.: On the use of adaptive updating rules for actuator and sensor diagnosis. Automatica 33(2), 217–225 (1997) 36. Chow, E.Y.: Failure detection system design methodology. PhD thesis, Lab. Information and Decision system, University of Cambridge (1980) 37. Gertler, J.: Survey of model-based failure detection and isolation in complex plants. IEEE Control Systems Magazine (1988) 38. Patton, R.J., Chen, J.: A review of parity space approaches to fault diagnosis. In: IFAC Symposium Safeprocess 1991, pp. 239–255 (1991) 39. Chen, J., Zhang, H.Y.: Parity vector approach for detecting failures in dynamic systems. International Journal of Systems and Science 21, 765–770 (1991) 40. Gertler, J.: Fault detection and isolation using parity relations. Control Eng. Practice 5(5), 653–661 (1997) 41. Satin, A.L., Gates, R.L.: Evaluation of parity equations for gyro failure detection and isolation. Journal of Guidance and Control 1(1), 14–20 (2005) 42. Shim, D.S., Yang, C.K.: Geometric fdi based on svd for redundant inertial sensor systems. In: Proceedings of the 5th Asian Control Conference, Melbourne - Australia, vol. 29, pp. 1093–1099 (2004) 43. Yang, C.K., Shim, D.S.: Double faults isolation based on the reduced-order parity vectors in redundant sensor configuration. International Journal of Control, Automation and Systems 5(2), 155–160 (2007) 44. Gertler, J., DiPierro, G.: On the relationship between parity relations and parameter estimation. In: Proceedings of SAFEPROCESS 1997, Hull - England, pp. 468–473. IFAC (1997) 45. Castaldi, P., Geri, W., Bonf`e, M., Simani, S., Benini, M.: Design of residual generators and adaptive filters for the fdi of aircraft model sensors. In: Control Engineering Practice, 2009. ACA 2007 – 17th IFAC Symposium on Automatic Control in Aerospace Special Issue. Elsevier Science, Amsterdam (2007)
124
D. Henry, S. Simani, and R.J. Patton
46. Benini, M., Bonf`e, M., Castaldi, P., Geri, W., Simani, S.: Design and Performance Evaluation of Fault Diagnosis Strategies for a Simulated Aircraft Nonlinear Model. Journal of Control Science and Engineering 2008, 1–18 (2008); Special Issue on Robustness Issues in Fault Diagnosis and Fault Tolerant Control. Hindawi Publishing Corporation 47. Doucent, A.: On sequential simulation-based methods for Bayesian filtering. Technical report, Cambridge University (1998) 48. Liu, J., Chen, R.: Sequential montecarlo methods for dynamic systems. Journal of the American Statistical Association 93 (1998) 49. Pitt, M., Shephard, N.: Filtering via simulation: Auxiliary particle filter. Journal of the American Statistical Association 94 (1999) 50. Isard, M., Blake, A.: Condensation: conditional density propagation for visual tracking. International Journal of Computer Vision 29(1), 5–28 (1998) 51. Fox, D., Burgard, W., Thrun, S.: Markov localization for mobile robots in dynamic environments. Journal of Artificial Intelligence 11, 391–427 (1999) 52. Thrun, S., Fox, D., Burgard, W.: Montecarlo localization with mixture proposal distribution. In: Proceedings of the AAAI National Conf. on Artificial Intelligence. AAAI, Menlo Park (2000) 53. Doucet, A., de Freitas, N., Gordon, N. (eds.): Sequential Monte Carlo Methods in Practice. Statistics for Engineering and Information Science. Springer, New York (July 2001) 54. DeFreitas, N.: Rao-blackwellised particle filtering for fault diagnosis. Aerospace (2002) 55. Hutter, F., Dearden, R.: Efficient on-line fault diagnosis for non-linear systems. In: International Symposium on Artificial Intelligence, Robotics and Automation in Space, Nara, Japan, May 19-23 (2003) 56. Falcoz, A., Henry, D., Zolghadri, A.: A nonlinear fault identification scheme for reusable launch vehicles control surfaces. International Review of Aerospace Engineering (October 2008) 57. Lavigne, L., Zolghadri, A., Goupil, P., Simon, P.: Robust and early detection of oscillatory failure case for new generation airbus. In: AIAA GNC 2008, Honolulu, Hawaii. AIAA (2008) 58. Lavigne, L., Zolghadri, A., Goupil, P., Simon, P.: Oscillatory failure case detection for new generation airbus aircraft: a model-based challenge. In: Proceedings of the 47th IEEE Conference on Decision and Control, Cancun, Mexico, pp. 1249–1254. IEEE, Los Alamitos (2008) 59. Norgaard, M., Poulsen, N.K., Ravn, O.: New developments in state estimation for nonlinear systems. Automatica 36, 1627–1638 (2000) 60. Patton, R.J., Uppal, F.J., Simani, S., Polle, B.: Robust fdi applied to thuster faults of a satellite system. In: Control Engineering Practice, 2009. ACA 2007 – 17th IFAC Symposium on Automatic Control in Aerospace Special Issue (2007) 61. Venkateswaran, N., Siva, M., Goel, P.: Analytical redundancy based fault detection of gyroscopes in spacecraft applications. ACTA Astronomica 50(9), 535–545 (2002) 62. Chen, W., Saif, M.: Observer-based fault diagnosis of satellite systems subject to timevarying thruster faults. Transactions of the ASME 129, 352–356 (2007) 63. Jacobson, C.A., Nett, C.N.: An integrated approach to control and diagnosis for the minimisation of uncertainties effects on residual generation. IEEE Control Systems Magazine 11(6), 22–29 (1991) 64. Marcos, A., Balas, G.: A robust integrated controller/diagnosis aircraft application. International Journal of Robust and Nonlinear Control 15, 531–551 (2005) 65. Mangoubi, R.: Robust estimation and failure detection: A concise treatment. Springer, Heidelberg (1998)
3
FDD for Aeronautic and Aerospace Missions
125
66. Henry, D., Zolghadri, A., Castang, F., Monsion, M.: A new multi-objective filter design for guaranteed robust fdi performance. In: Proceedings of CDC 2001, Orlando, Florida, USA, pp. 173–178 (2001) 67. Marcos, A., Ganguli, S., Balas, G.: An application of h∞ fault detection and isolation to a transport aircraft. Control Engineering Practice 13, 105–119 (2005) 68. Henry, D., Zolghadri, A.: Design and analysis of robust residual generators for systems under feedback control. Automatica 41, 251–264 (2005) 69. Henry, D., Zolghadri, A.: Design of fault diagnosis filters: A multi-objective approach. Journal of Franklin Institute 342(4), 421–446 (2005) 70. Castro, H.V., Bennani, S., Marcos, A.: Robust filter design for a re-entry vehicle. In: Proceedings of the 7th International Conference on Dynamics and Control of Systems and Structures in Space, Greenwish, UK (2006) 71. Castro, H.V., Bennani, S., Marcos, A.: Integrated vs decoupled fault detection filter and flight control law designs for a re-entry vehicle. In: Proceedings of the 2006 IEEE International Conference on Control Applications, Munich, Germany (2006) 72. Henry, D.: Fault diagnosis of the MICROSCOPE satellite actuators using h∞ /h− filters. AIAA Journal of Guidance, Control, and Dynamics 31(3), 699–711 (2008) 73. Henry, D., Zolghadri, A., Castang, F., Monsion, M.: A multiobjective filtering approach for fault diagnosis with guaranteed sensitivity performances. In: Proceedings of the 15th IFAC World Congress, Barcelona, Spain. IFAC (2002) 74. Henry, D., Zolgahdri, A.: h∞ /h− filters for fault diagnosis in systems under feedback control. In: Proceedings of SAFEPROCESS 2003, Washington DC, USA, pp. 87–92. IFAC (2003) 75. Henry, D., Zolghadri, A.: Norm-based design of robust fdi schemes for uncertain systems under feedback control: Comparison of two approaches. Control Engineering Practice 14(9), 1081–1097 (2006) 76. Zolghadri, A., Castang, F., Henry, D.: Design of robust fault detection filters for multivariable feedback systems. International Journal of Modelling and Simulation 26(1), 17–26 (2006) 77. Kerr, M.L., Marcos, A., Penin, L.F., Bornschlegl, E.: Gain-scheduled fdi for a re-entry vehicle. In: AIAA Guidance, Navigation and Control Conferences and Exhibit, Honoluku - Hawaii, AIAA–2008–7266. AIAA (2008) 78. Hou, M., Patton, R.J.: An LMI approach to H∞ /H− fault detection observers. In: Proceedings of the UKACC International Conference, CONTROL 1996 (1996) 79. Hou, M., Patton, R.J.: An H∞ /H− approach to the design of robust fault diagnosis observers based upon LMI optimisation. In: Proceedings of the 4th European Control Conference, ECC 1997, Brussels, July 1–4 (1997) 80. De Persis, C., De Sanctis, R., Isidori, A.: Nonlinear actuator fault detection and isolation for a VTOL aircraft. In: Proceedings of the American Control Conference, June 2001, pp. 4449–4454 (2001) 81. De Persis, C., Isidori, A.: On the observability codistributions of a nonlinear system. Systems and Control Letters 40, 297–304 (2000) 82. Bonf`e, M., Castaldi, P., Geri, W., Simani, S.: Nonlinear Actuator Fault Detection and Isolation for a General Aviation Aircraft. Space Technology – Space Engineering, Telecommunication, Systems Engineering and Control 27, 107–113 (2007); Special Issue on Automatic Control in Aerospace 83. Ioannou, P., Sun, J.: Robust Adaptive Control. PTR Prentice–Hall, Upper Saddle River (1996) 84. Germani, A., Manes, C., Palumbo, P.: Filtering of Stochastic Nonlinear Differential Systems via a Carleman Approximation Approach. IEEE Transactions on Automatic Control 52, 2166–2172 (2007)
126
D. Henry, S. Simani, and R.J. Patton
85. Stevens, B.L., Lewis, F.L.: Aircraft Control and Simulation, 2nd edn. John Wiley and Son, Chichester (2003) 86. Bonf`e, M., Castaldi, P., Geri, W., Simani, S.: Fault Detection and Isolation for On– Board Sensors of a General Aviation Aircraft. International Journal of Adaptive Control and Signal Processing 20, 381–408 (2006) (Copyright 2006 John Wiley & Sons, Ltd.) 87. Bonf`e, M., Castaldi, P., Geri, W., Simani, S.: Design and Performance Evaluation of Residual Generators for the FDI of an Aircraft. International Journal of Automation and Computing 4, 156–163 (2007), doi:10.1007/s11633–007–0156–7 88. Williams, B.C., Nayak, P.P.: A model-based approach to reactive self-configuring systems. In: Proceedings of the 13th National Conf. on Artificial Intelligence and 8th Innovative Applications of Artificial Intelligence Conf., pp. 971–978. AAAI Press/The MIT Press (1996) 89. Falcoz, A., Henry, D., Zolghadri, A.: Development of a robust model-based fault diagnosis technique for re-entry launch vehicles: A case study. Progress report (2007) 90. Falcoz, A., Henry, D., Zolghadri, A., Bornschleg, E., Ganet, M.: On-board model-based robust fdir strategy for reusable launch vehicles (rlv). In: 7th International ESA Conference on Guidance, Navigation and Control Systems, County Kerry, Ireland (2008) 91. Simani, S.: Identification of Residual Generators for Fault Detection and Isolation of a Satellite Simulated Model. In: EUCA, I. (ed.) European Control Conference 2007 – ECC 2007, Kos, Greece, July 2–5, vol. CD–Rom, pp. 2296–2303. EUCA, ICCS, IFAC, ACPA & IEEE CSS (2007) 92. Patton, R.J., Uppal, F., Simani, S., Polle, B.: A Monte Carlo Analysis and Design for FDI of a Satellite Attitude Control System. In: B. C. Department of Automation, Tsinghua University (ed.) SAFEPROCESS 2006, 6th IFAC Symposium on Fault Detection Supervision and Safety for Technical Processes, IFAC, Beijing, PR China, August 30 – September 1, vol. CDRom, pp. 1393–1398 (2006) 93. Patton, R.J., Uppal, F., Simani, S., Polle, B.: Monte–Carlo Reliability and Performance Analysis of Satellite FDI System. In: IFAC (ed.) MECHATRONICS 2006 – 4th IFAC Symposium on Mechatronic Systems, Heidelberg, Germany, September 12-14, vol. CD–Rom, pp. 187–192. VDI VDE, IFAC (2006) 94. Patton, R.J., Uppal, F., Simani, S., Polle, B.: Robust FDI Applied to Thruster Faults of A Satellite System. In: IFAC (ed.) ACA2007 – 17th IFAC Symposium on Automatic Control in Aerospace, Toulouse, France, June 25–29, vol. CD–Rom, pp. 1–6. IFAC ACA, IFAC (2007) 95. Patton, R.J., Uppal, F.J., Simani, S., Polle, B.: Reliable fault diagnosis scheme for a spacecraft attitude control system. Journal of Risk and Reliability 222(2), 139–152 (2008); 6th IFAC SAFEPROCESS Special Issue. Professional Engineering Publishing 96. ESA, ESA – Mars Express – The Spacecraft, tech. rep., ESA – European Space Agency (October 2005), http://www.esa.int/SPECIALS/MarsExpress/ 97. K¨oenig, D., Patton, R.J.: New design of robust kalman filters for fault detection and isolation. In: Chen, H.-F., Cheng, D.-Z., Zhang, J.-F. (eds.) 14th World Congress of IFAC, Beijing, P.R. China, July 5-9, CD–ROM Paper P–7e–09–6 (1999) 98. Uppal, F.J., Patton, R.: Neuro–fuzzy uncertainty de–coupling: A multiple–model paradigm for fault detection and isolation. International Journal of Adaptive Control & Signal Processing 19(4), 281–304 (2005); Invited Special Issue Paper 99. Patton, R.J.: Fault-tolerant control: the 1997 situation (survey). In: Proceedings of IFAC Symposium SAFEPROCESS 1997, pp. 1033–1055 (1997) 100. Chen, J., Patton, R.J., Chen, Z.: Active fault-tolerant flight control systems design using the linear matrix inequality method. Trans. Inst. MC 21, 77–84 (1999)
3
FDD for Aeronautic and Aerospace Missions
127
101. Blanke, M., Frei, C.W., Kraus, F., Patton, R.J., Staroswiecki, M.: What is fault-tolerant control? In: Proceedings of IFAC Symposium SAFEPROCESS 2000, pp. 40–51 (2000) 102. Cieslak, J., Henry, D., Zolghadri, A.: A methodoly for the design of active fault tolerant systems. In: Proceedings of SAFEPROCESS 2006, Beijing, China. IFAC (2006) 103. Cieslak, J., Henry, D., Zolghadri, A., Goupil, P.: Development of an on-board fault tolerant control strategy with application to the Garteur AG16 benchmark. In: Proceedings of the 17th IFAC Symposium on Automatic Control in Aerospace, Toulouse, France (2007) 104. Cieslak, J., Henry, D., Zolghadri, A.: An active fault tolerant flight control strategy for safe recovery against trimmable horizontal stabilizer failure: a case study. AIAA Journal of Guidance, Control, and Dynamics (2007) (to appear) 105. Cieslak, J., Henry, D., Zolghadri, A.: Une m´ethodologie pour la synth`ese de syst´emes de commande tol´erants aux d´efauts, revue e´ lectronique e-STA (Sciences et technologies pour l’automatique), vol. 1, pp. 19–26 (2007) 106. Blanke, M., Kinnaert, M., Lunze, M., Staroswiecki, M.: Diagnosis and fault tolerant control, 2nd edn. Springer, New York (2008) 107. Bonf`e, M., Castaldi, P., Simani, S.: Active Fault Tolerant Control Scheme for a General Aviation Aircraft Model. In: 17th Mediterranean Conference on Control and Automation (Makedonia Palace, Thessaloniki, Greece), Mediterranean Control Association MCA, IEEE Control Systems Society CSS, IEEE Robotics & Automation Society RAS, June 24–26 (2009) (accepted) 108. Bertozzi, N., Castaldi, P., Bonf`e, M., Simani, S., Bertoni, G.: Integrated design of an aircraft guidance system using feedback linearization. In: IFAC Workshop Aerospace Guidance, Navigation and Flight Control Systems – AGNFCS 2009, Samara, RUSSIA, IFAC Technical Committee on Automatic Control in Aerospace, Russian Academy of Sciences (RAS), Samara Scientific Center (SSC), Department of Dynamics and Motion Control, IFAC – International Federation of Automatic Control, June 30 -July 2, pp. 1–6 (2009) (accepted) 109. Bonf`e, M., Castaldi, P., Simani, S.: Fault Diagnosis and Fault Tolerant Control Integrated Designs Applied to a Civil Unmanned Aerial Vehicle (CUAV). In: Faculty of Engineering CTAC, Coventry University Computing (eds.) 20th International Conference on Systems Engineering – ICSE 2009, Coventry, UK, September 2009, Control Theory and Applications Centre, Coventry University, CTAC, Coventry University, in cooperation with Technical University of Wroclaw, Wroclaw, Poland, and the University of Nevada, Las Vegas, USA (2009) 110. Patton, R.J., Putra, D., Klinkhieo, S.: A fault-tolerant control approach to friction compensation. In: Proceedings of European Control Conference, ECC 2009 (2009); Invited Session on FTC in Mechatronic Systems 111. Alwi, H., Edwards, C., Tan, C.P.: Sliding mode estimation schemes for incipient sensor faults. Automatica 45(7), 1679–1685 (2009) 112. Edwards, C., Spurgeon, S.K.: Sliding Mode Control: Theory and Applications. Taylor & Francis, London (1998) 113. Edwards, C., Spurgeon, S.K., Patton, R.J.: Sliding mode observers for fault detection. Automatica 36, 541–553 (2000) 114. Hermans, F.J.J., Zarrop, M.B.: Sliding mode observers for robust sensor monitoring. In: Proceedings of the 13th IFAC World Congress, pp. 211–216 (1996) 115. Jiang, B., Staroswiecki, M., Cocquempot, V.: Fault estimation in nonlinear uncertain systems using robust sliding–mode observers. IEE Proceedings: Control Theory & Applications 151, 29–37 (2004) 116. Khalil, H.K.: Nonlinear Systems. Prentice Hall, Englewood Cliffs (1992)
128
D. Henry, S. Simani, and R.J. Patton
117. Kim, Y.W., Rizzoni, G., Utkin, V.: Developing a fault tolerant power train system by integrating the design of control and diagnostics. International Journal of Robust and Nonlinear Control 11, 1095–1114 (2001) 118. Tan, C.P., Edwards, C.: Sliding mode observers for detection and reconstruction of sensor faults. Automatica, 1815–1821 (2002) 119. Tan, C.P., Edwards, C.: Sliding mode observers for robust detection and reconstruction of actuator and sensor faults. International Journal of Robust and Nonlinear Control 13, 443–463 (2003) 120. Utkin, V.I.: Sliding Modes in Control Optimization. Springer, Berlin (1992) 121. Wu, N.E., Zhang, Y., Zhou, K.: Detection, estimation, and accommodation of loss of control effectiveness. International Journal of Adaptive Control and Signal Processing 14, 775–795 (2000) 122. Yang, H., Saif, M.: Fault detection in a class of nonlinear systems via adaptive sliding observer. In: Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, pp. 2199–2204 (1995) 123. Zhang, Y., Jiang, J.: Design of integrated fault detection, diagnosis and reconfigurable control systems. In: Proceedings of the IEEE Conference on Decision and Control, pp. 3587–3592 (1999) 124. Zhang, Y.M., Jiang, J.: Active fault-tolerant control system against partial actuator failures. IEE Proceedings: Control Theory & Applications 149, 95–104 (2002)
Chapter 4
Real-Time Identification of Aircraft Physical Models for Fault Tolerant Flight Control Ping Chu, Jan Albert (Bob) Mulder, and Jan Breeman
4.1 Introduction The primary goal of aircraft fault tolerant flight control is to recover or maintain safe flight when failures have occurred. Aircraft failures can be categorized into subsystem failures and airframe/structural failures. Modern aircraft subsystems are equipped with redundancies and failure detection systems for maintaining and monitoring the health status of subsystems. However, when failures such as engine separations, vertical tail loss, or wing separation (see Chapter 1) have occurred to aircraft, the airframe/structure of the aircraft will experience significant changes. These failures are not detected by current on-board monitoring systems. As a consequence of these failures, the aerodynamic model and even the mass/inertia properties of the aircraft will be obviously different from their nominal forms. The basic flight control system designed for the nominal aircraft will suffer from the new configuration of the vehicle. In most cases, the human pilot will take over from the automatic flight control system (autopilot) when unexpected behaviour has been recognised, and will try to handle the aircraft manually. Experienced pilots have been trained for handling aircraft with a limited number of failures. However, unsuccessful recovery of the flight may still happen due to human errors or limitations imposed by the Ping Chu Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Jan Albert (Bob) Mulder Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Jan Breeman National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 129–155. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
130
P. Chu, J.A. (Bob) Mulder, and J. Breeman
flight control architecture. Many cases referring to human errors causing incidents/accidents have been reported. In those cases, situational awareness and psychological stress have been the major factors of introducing wrong decisions/commands from human pilots (see Chapter 1). In order to avoid errors of human pilots or to enhance the capabilities of automatic flight control systems, failures will have to be detected and identified on board during the flight. This chapter is dedicated to discuss an approach which has been developed within TU Delft for on-board and real-time identification of aircraft models including damaged aircraft models. Aircraft models can be identified using different approaches. Especially for structurally damaged aircraft, model identification is particularly challenging. The main difficulty of model identification for damaged aircraft is finding the proper structure of the model. Therefore, non-physical models are commonly applied for this type of identification. Artificial Neural Networks (ANN) is a typical approach (Ref. [23]). However, the convergence problem is always an issue in this approach due to the selection of the network structure and the way of optimising the input-output mapping between the real system output and ANN model output (neural weights estimation). For aircraft model identification, even when the aircraft is damaged and the structure of the aerodynamic model for the aircraft is significantly changed, the kinematic model of the vehicle should follow the flight dynamics. Moreover, experienced researchers in flight dynamics and aerodynamics may still insert physical knowledge for predicting the model structure of the damaged aircraft as compared to its nominal one. For example, the nominal model for fixed wing aircraft has symmetrical properties. This means that longitudinal and lateral aerodynamic models are independent with respect to the aircraft lateral and longitudinal state variables respectively. For airframe/structure damaged aircraft, this condition might no longer be valid and longitudinal and lateral models might even be tightly coupled. From the analysis of the identified aerodynamic parameters, one may recognise how serious the damage is. This approach is therefore referring to aircraft physical model identification. The advantage of this approach is that flight control designers can always introduce their knowledge in flight dynamics and aerodynamics in defining the model structure and physically interpret results of the identification. This is the main idea of the present chapter.
4.2 History of Aircraft Model Identification at Delft University of Technology Since the early sixties the Faculty of Aerospace Engineering of the Delft University of Technology and the National Aerospace Laboratory, Amsterdam have been engaged in the development of methods to derive aircraft performance as well as stability and control characteristics from dynamic flight test data. Traditional methods of performance testing employed measurements in steady straight flight conditions in which the aircraft experienced neither translational nor angular accelerations. Attention was focused on the analysis and design of ‘hybrid’ flight test manoeuvres
4
Real-Time Identification of Aircraft Physical Models for FTFC
131
consisting of quasi-steady as well as nonsteady flight conditions for the derivation of all aircraft performance and stability and control characteristics of interest. The emphasis on the simultaneous measurement of performance and stability and control characteristics dictated development and application of high accuracy flight test measurement techniques and transducers. The key to success proved to be what was called flight path reconstruction, i.e. a technique to accurately reconstruct the time history of the aircraft’s state during the flight test manoeuvre. The results of these investigations were reported in references (Refs. [8], [10], [9], [17], [14], [15], [16], [7], [5], [6], [32], [4], [30], [21]). Between 1967 and 1968, a number of flight test programs were carried out to evaluate the quality and performance of the flight test methods, the flight test measurement system and the data reduction procedures developed for the derivation of aircraft performance, stability and control characteristics from measurements in nominally symmetric nonsteady manoeuvring flight. Symmetric flight trials flown with the DHC 2 Beaver aircraft owned by the Delft University of Technology yielded most encouraging results. These investigations were extended next to high-subsonic jet flight. In the early seventies, a new high accuracy flight test instrumentation system was built which was small enough to be installed in a wing mounted pod on the Hawker Hunter MK 7 experimental aircraft owned by the National Aerospace Laboratory. During 1973 and 1974 several successful flight tests were conducted. The higher speeds and different propulsion system required new aerodynamic models. Also, the flight path reconstruction needed an extended model which included the effects of curvature and rotation of the earth. This gave birth to a new concept namely, the calibration of engine gross thrust and mass flow sensor systems in dynamic flight simultaneously with the identification of aerodynamic parameters, and independent of any data from
Fig. 4.1 Delft University DHC2 Beaver PH-VTH, photo by Jack Wolbrink
132
P. Chu, J.A. (Bob) Mulder, and J. Breeman
Fig. 4.2 NLR Hawker Hunter MK7, PH-NLH, copyright Richard Vandervord, via airliners.net
the engine manufacturer. An overview of the results of these very successful flight tests is given in Ref. [29]. Around 1978, further flight test programs were planned aiming at aircraft model identification both in symmetric and asymmetric nonsteady manoeuvring flight in an international cooperative program with DLR in Braunschweig, Germany. The results of these investigations were reported in Ref. [33]. The method for parameter identification developed at DUT was by then dubbed the Two- Step Method: in the first step, the flight path is reconstructed, followed by the second step in which the parameters are identified. Based upon the confidence and experience gained in methods and analysis, further flight test programs were carried out by the National Aerospace Laboratory (NLR) to investigate the applicability of this method for the case of a twin engined transport type aircraft, the Fokker F 28 Fellowship. Initial results of the assessment of performance and stability and control characteristics were reported in Ref. [2]. The techniques developed in the course of these flight test programs were subsequently applied with a high degree of success during the testing and development phase of the Fokker 50 and Fokker 100 type aircraft (Ref. [3]). In 1987 flight simulation models were developed for the Cessna Citation 500 of the Dutch Government civil aviation flying school (RLS) flight simulator (Ref. [29]) based on the same technique. The National Aerospace Laboratory and Delft University of Technology have cooperated in a flight test program with the Fairchild Metro II experimental aircraft owned by NLR. These experiments have demonstrated that estimation of the aircraft state, as well as the identification of longitudinal and lateral aerodynamic model parameters can be performed on-board in real time (Refs. [20], [19], [22]). In the same flight test programme, attention was focused on different measurement and analysis methods to identify propeller thrust in dynamic flight test manoeuvres (Ref. [26]).
4
Real-Time Identification of Aircraft Physical Models for FTFC
(a) Fokker F28 PH-JHG, photo by Klaus P. Krapp
(c) Fokker zap16.com
50
PH-DMO,
source:
133
(b) RLS Cessna Citation 500, PH-CTF, c Erik Frikke, via airliners.net
(d) Fokker zap16.com
100
PH-MKC,
Fig. 4.3 Fokker F28, Cessna Citation 500, Fokker 50 and 100
c Fig. 4.4 NLR Fairchild Metro II, PH-NLZ, Terence Li, via airliners.net
source:
134
P. Chu, J.A. (Bob) Mulder, and J. Breeman
Since 1993, Delft University of Technology has conducted a series of developments to improve the on-board flight test instrumentation system for its new laboratory aircraft, a Cessna Citation II (see Fig. 4.5), due to the availability of new Global Positioning Systems GPS and solid state inertial sensors.
Fig. 4.5 TU Delft/NLR Cessna Citation II laboratory aircraft
The new flight test instrumentation system even offers the capability of measuring the attitude of the aircraft using a GPS multi antenna receiver (see Fig. 4.6) to calibrate rotational rate sensors in flight. With the new instrumentation system, many successful flight tests were performed and a flight simulation model of the Citation II was obtained under the support of the Dutch Applied Science foundation (STW). Thus, this successful chain of experiments and analyses amply demonstrated that nonsteady flight test techniques as developed and tested at the Delft University of Technology and the National Aerospace Laboratory was a proven, cost effective and well established technique for the measurement of performance and stability and control characteristics as required for the certification of aircraft. The goals of most flight test programs for civil and military aircraft are the certification for airworthiness and the estimation of performance and stability and control characteristics. While certain characteristics can be measured directly in flight such
(a) left wing tip
(b) fuselage
Fig. 4.6 GPS antennas on the Cessna Citation II
(c) nose
4
Real-Time Identification of Aircraft Physical Models for FTFC
135
as rate of climb in stationary rectilinear flight or damping ratios and time constants of eigenmotions, a much more efficient approach is to start with the mathematical model of the aerodynamic forces and moments from measurements of dynamic flight test manoeuvres. Identification implies the development of an adequate mathematical model structure as well as estimation of the numerical values of the parameters in the model. When applied to aircraft, this process is often referred to as aircraft parameter identification. After successful identification of aerodynamic models for different aircraft configurations and flight conditions they may be exploited in numerous different ways. It is possible now to compute a variety of performance and stability and control characteristics, to compile tables and graphs for Aircraft Operations Manuals and compare actual aerodynamic characteristics with theoretical predictions using Computational Fluid Dynamics (CFD) or wind tunnel results. A very interesting application is the enhancement of the fidelity of mathematical models for flight simulation. During the last two decades, the advent of the digital computer and improvements in flight measurement techniques has made a tremendous impact on the theory and practice of aircraft parameter identification. Stability and control derivatives are the parameters in a linear aerodynamic model of the aircraft. Linear aerodynamic models can be represented by homogeneous polynomials of the first degree in the state and control input variables of the linearized equations of motion. Such polynomials are widely used as linear approximations of aerodynamic forces and moments acting on the aircraft in dynamic flight conditions. In general the domain in which linear models are valid is restricted to small deviations from a nominal flight condition. The advantage of using nonlinear models is that such models should be valid for a larger range of flight conditions and that flight test manoeuvres are much less constrained in terms of manoeuvre amplitudes. A proven way of representing nonlinear models is by using higher order polynomials in the state and control input variables. In principle, the domain of nonlinear models covers larger deviations from a given nominal flight condition, as compared to linear models. This chapter presents and discusses a successful and practical method for aircraft parameter identification that has originated at the Delft University of Technology. This method is referred to here as the Two-Step Method (Ref. [28]), although one may find other names like Estimation Before Modelling (EBM) in the literature. The chapter goes into some detail on the two-step method as an attractive and efficient identification tool for real-time aircraft aerodynamic model identification for fault tolerant flight control.
4.3 The Two Step Method In the two-step method, the state trajectory is estimated in the first step while the aerodynamic parameters are estimated in the second step. The first step is also a joint state and parameter estimation problem, since several unknown parameters appear in the models of flight test instrumentation systems. However, the number of unknown parameters in the flight test instrumentation system is much less than
136
P. Chu, J.A. (Bob) Mulder, and J. Breeman
the number of aerodynamic parameters, and therefore, this estimation problem is relatively easy to solve. There is also an important factor to guarantee the estimation accuracy in the first step due to the application of only kinematic models of aircraft. The complex yet uncertain aerodynamic model is not included in the first step. Once the flight path trajectory has been estimated, the aerodynamic model becomes linear-in-the-parameters (Refs. [27], [31], [28], [32]). Simple regression methods can then be applied to estimate these parameters. This is considered to be a great advantage of the two-step method which can be implemented recursively, and therefore is suitable for real-time applications. An alternative is the Maximum Likelihood method which attempts to solve the joint state and parameter estimation problem by searching for the global optimum of a likelihood function composed of output errors (Ref. [24]) or prediction errors. Since the state and parameter estimation problems are solved simultaneously the method may be termed the One-Step Method (Ref. [32]). Convergence problems may often be encountered when applying the one-step Maximum Likelihood method if a large number of unknown parameters is involved (ref. [1]). The two-step method does not suffer from such problems and is therefore very suitable for the routine analysis of large amounts of flight test data. This section presents an analytical comparison of the two-step method and the one-step Maximum Likelihood method. It is shown that in contrast to Maximum Likelihood estimates, the estimates as generated by the two-step method are neither (asymptotically) unbiased nor efficient when linear regression methods are applied to the second step of the two-step method. This holds true, however, except for the limiting case in which measurement noise becomes negligible as compared to aerodynamic process noise. This limit case is argued to be representative for state of the art flight test instrumentation systems.
4.3.1 Decomposition of Aircraft State and Parameter Estimation The equation of motion of an aircraft flying over a spherical, rotating earth, through an atmosphere relative to the earth, in the local-level navigation frame will be given below. The location of the aircraft centre of gravity relative to the earth is given by the spherical polar coordinates δ (latitude), μ (longitude), and R (geocentric radius). Their rates of change are related to the components of the velocity Un in the local-navigation reference frame Fn (North-East-Down) relative to the earth. If the components of Un are defined as Un = [UN UE UD ]T the relation between Un and the spherical polar coordinates is: UN δ˙ = ; R
μ˙ =
UE ; R cos δ
R˙ = −UD
(4.1)
The rates of change of the velocity components in Fn are related to the specific force components Ax , Ay , and Az in the aircraft body-fixed reference frame Fb as follows:
4
Real-Time Identification of Aircraft Physical Models for FTFC
137
U˙ N = Ax cos θ cos ψ + Ay (sin φ sin θ cos ψ − cos φ sin ψ ) + + Az (cos φ sin θ cos ψ + sin φ sin ψ ) + UN UD − UE2 tan δ − 2 Ω UE sin δ R = Ax cos θ sin ψ + Ay (sin φ sin θ sin ψ + cos φ cos ψ ) + (4.2) + Az (cos φ sin θ sin ψ − sin φ cos ψ ) + UN UE tan δ + UE UD + + 2 Ω (UE sin δ + UD cos δ ) R U 2 + UE2 + = −Ax sin θ + Ay sin φ cos θ + Az cos φ cos θ − N R − 2 Ω UE cos δ + g +
U˙ E
U˙ D
in which the rotational rate of the earth is expressed by Ω ( Ω = 7.2921 · 10−5 rad/s ), and g denotes acceleration due to gravity. A convenient expression for the magnitude of gravity is: g = 9.780318
Re R
2
1 + 5.3024 × 10−3 sin2 δ − 5.9 × 10−6 sin2 2δ
(4.3)
where the average radius of the earth Re = 6367434m. The relation between the time derivatives of the Euler angles φ , θ , ψ and the rotational rates p, q, r in the body-fixed reference frame is: UE cos ψ + Ω cos δ φ˙ = p + q sin φ tan θ + r cos φ tan θ − + R cos θ UN sin ψ + , R cos θ UE UN cos ψ ˙ + Ω cos δ sin ψ + , (4.4) θ = q cos φ − r sin φ + R R UE + Ω cos δ tan θ cos ψ + ψ˙ = q sin φ sec θ + r cos φ sec θ + R UN tan θ sin ψ UE tan δ + + + Ω sin δ R R In Eq. (4.3) Ax , Ay and Az denote the aerodynamic specific force components directly sensed by ideal accelerometers. From these the aerodynamic forces X = m Ax , Y = m Ay and Z = m Az , and the dimensionless aerodynamic force coefficients CX = 1 X 2 , CY = 1 Y 2 and CZ = 1 Z 2 , where ρ , V and S are the air density, true 2 ρV
S
2 ρV
S
2 ρV
S
airspeed and wing area. The aircraft rotational motion can be described by Euler’s dynamic equation. Assuming that the aircraft inertia matrix is given by I , Euler’s equation has the following form:
ω˙ = I −1 (T − ω × I ω )
(4.5)
138
P. Chu, J.A. (Bob) Mulder, and J. Breeman
T T where ω = p q r denotes the rotational rate vector and T = L M N is total moment vector about the centre of gravity of the aircraft. The dimensionless moment coefficients about each axis follow from Cl = and Cn =
N
1 ρV 2 S 2
L 1 2 2 ρ V Sb
,
Cm =
M 1 2 2 ρ V Sc
with the wing span b and aerodynamic mean chord c.
The observations of the system are provided by flight instrumentation system including inertial sensors, airdata sensors and satellite radio navigation devices. The observation model is given after laboratory calibrations (Ref. [28]) as 1. inertial sensors
⎤ ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ λx Ax pm p Axm ⎣ Aym ⎦ = ⎣ Ay ⎦ + ⎣ λy ⎦ ; ⎣ qm ⎦ = ⎣ q ⎦ A zm Az λz rm r ⎡
(4.6)
2. airdata sensors ! V = (UN − WN )2 + (UE − WE )2 + (UD − WD )2
α = arctan
(UN −WN )(cφ sθ cψ +sφ sψ )+(UE −WE )(cφ sθ sψ −sφ cψ )+(UD −WD )cφ cθ (UE −WE )cθ cψ +(UE −WE )cθ sψ −(UE −WE )sθ
β = arctan
(UN −WN )(sφ sθ cψ −cφ sψ )+(UE −WE )(sφ sθ sψ +cφ cψ )+(UD −WD )sφ cθ (UE −WE )cθ cψ +(UE −WE )cθ sψ −(UE −WE )sθ
(4.7)
where cθ = cos θ , sφ = sin φ etc. 3. position and velocity sensors
δm = δ ; μm = μ ; Rm = R; UNm = UN ; UEm = UE ; UDm = UD
(4.8)
where λ and W are the known sensor biases and wind velocity components. Combining all these equations in a general form, the aircraft model is given as x(t) ˙ = f [x(t), u(t), ξ ] y(t) = h[x(t), u(t), ξ ]
(4.9)
ym (k) = y(k) + v(k) The dimensionless force and moment coefficients can be expressed in terms of aerodynamic, engine thrust and control surface deflection angle variables. This is called the aerodynamic model. Applying the output-error method (Ref. [1]), the unknown parameters ξ are estimated by minimizing the negative logarithm of the likelihood function composed of the output errors:
4
Real-Time Identification of Aircraft Physical Models for FTFC
(ξ ) =
1 N N ∑ μ (k, ξ )T Vv−1(ξ )μ (k, ξ ) + 2 ln detVv (ξ ) 2 k=1
139
(4.10)
where μ (k, ξ ) is the computed system output error vector and Vv (ξ ) is the covariance matrix of the output errors. Since the state and the parameter estimation problems are solved simultaneously, the method may be termed the One-Step Method (OSM) (Ref. [28]). The aircraft model to be used for the following discussion is a reorganization of the same model as used in the one-step method in the sense that the accelerometers and the rate gyros serve as system inputs. With this organization of the model, the unknown parameter vector ξ can be T separated into two sets ξ = ξ1T ξ2T in which ξ1 consists only of unknown parameters from the flight test instrumentation system. These parameters are biases and scale factors in the models of the inertial and air data transducers. The ξ2 are the aerodynamic parameters. The aircraft model can then be written in the following form: x(t) ˙ = f [x(t), um1 (t), ξ1 ] + G[x(t)]w(t) y1 (t) = h[x(t), um1 (t), ξ1 , w(t)] ym1 (k) = y1 (k) + v1 (k)
(4.11)
y2 (t) = h[x(t), um1 (t), um2 (t), ξ2 , w(t)] ym2 (k) = y2 (k) + v2 (k) It should be noticed that in order to meet this model, certain conditions have to be satisfied. These are: 1. The mass and inertial characteristics have to be known. 2. The measured or calculated angular acceleration must be available. It can be seen that the aerodynamic model only appears in the second observation equation. The first observation equation only consists of air data measurements. It can also be recognized that the system outputs consist of um1 and um2 . The um1 denote the measured quantities of specific forces and the rotation rates and um2 represents the elevator deflection and the thrust force. The process noise vector w(t) then consists of the measurement noise of the accelerometers and rate gyros. Although the system state equations are decomposed from aerodynamic models, y2 will be compatible if and only if the state variables x , parameters ξ1 and measured quantities um1 and um2 are the true values. Therefore the system model is not totally decomposed. In this situation, joint state and parameter estimation is the only viable solution. Using the Maximum Likelihood method all the parameters ξ may be estimated by minimizing the negative logarithm of the likelihood function composed of the prediction errors:
140
P. Chu, J.A. (Bob) Mulder, and J. Breeman
(a) High performance accelerometers as part of TU Delft flight test instrumentation system, source: Honeywell
(b) High performance fiber (c) Inertial sensor calibraoptical rate sensors as part tion facility at TU Delft, of TU Delft flight test instru- source: Acutronic mentation system, source: Fizoptika
Fig. 4.7 Inertial measurement unit equipment used at Delft University of Technology
(ξ ) =
1 2
N
∑ μ (k|k − 1, ξ )T Vμ−1 (k|k − 1, ξ )μ (k|k − 1, ξ )
k=1 N + 12 ∑ ln detVμ (k|k − 1, ξ ) k=1
(4.12)
where μ (k|k − 1, ξ ) is the predicted output error vector:
μ (k, ξ ) ˆ − 1, ξ ), um1 (k), ξ1 ] ym1 (k) − h1 [x(k|k μ (k|k − 1, ξ ) = 1 = ym2 (k) − h2 [x(k|k μ2 (k, ξ ) ˆ − 1, ξ ), um1 (k), um2 (k), ξ ] (4.13) As the prediction error vector and its covariance matrix in Eq. (4.12) are calculated from an extended or iterated-extended Kalman filter with two sets of observation equations, it may be seen that it is a joint state and parameter estimation problem. In order to decompose the estimation problem, the following assumptions have to be made: Assumption 1: The measured aerodynamic specific force and rotation rate are very accurate. This is equivalent to the case that process noise in Eq. (4.12) is negligible. Note that modern inertial sensors are nearly noise free; therefore this assumption has indeed a practical meaning, and the system state equations in Eq (4.12) reduce to a deterministic type while the prediction errors are simplified to output errors. Furthermore, the observation noise in practice is assumed to be uncorrelated and the likelihood function for this case becomes: (ξ ) = =
1 N T N ∑ μ (k, ξ )Vv−1(ξ )μ (k, ξ ) + 2 ln detVv (ξ ) 2 k=1 1 N T N (ξ1 )μ1 (k, ξ1 ) + ln detVv1 (ξ1 ) ∑ μ1 (k, ξ1 )Vv−1 1 2 k=1 2 +
(4.14)
N 1 N T (ξ2 )μ2 (k, ξ ) + ln detVv2 (ξ2 ) = 1 (ξ1 ) + 2(ξ ) ∑ μ2 (k, ξ )Vv−1 2 2 k=1 2
4
Real-Time Identification of Aircraft Physical Models for FTFC
141
in which μ1 , μ2 , Vv1 , and Vv2 are the calculated output errors and corresponding covariance matrices with
V (ξ ) 0 Vv (ξ ) = v1 1 0 Vv2 (ξ2 ) It may be seen from Eq. (4.14) that the likelihood function is now decomposed into two terms with respect to two observation models. All cross coupling terms in Eq. (4.12) are neglected (Ref. [4]). The necessary condition for a minimum of Eq. (4.14) is: " # " ∂ (ξ ) # 2 ∂ 1 (ξ1 ) ∂ (ξ ) ∂ ξ 1 (4.15) = + ∂ ∂2ξ(1ξ ) = 0 ∂ξ 0 ∂ξ 2
The equivalent forms of Eq. (4.15) are: ∂ 1 (ξ1 ) ∂ ξ1i
and: ∂ 2 (ξ ) ∂ ξ2i
N ∂ μ T (k,ξ ) 1 −1 1 ∂ ξ1i Vv1 (ξ1 )μ1 (k, ξ1 ) i k=1 N ∂ Vv (ξ ) − 12 ∑ μ1T (k, ξ )Vv−1 (ξ1 ) ∂ 1ξ 1 Vv−1 (ξ1 )μ1 (k, ξ1 ) 1 1 1i k=1 N ∂ μ T (k,ξ ) + ∑ ∂2 ξ Vv−1 (ξ2 )μ2 (k, ξ ) 2 k=1 1i ∂ Vv (ξ ) + N2 Tr Vv−1 (ξ1 ) ∂ 1ξ 1 = 0; (i = 1, 2, . . . , L1 ) 1 1i
(4.16)
N ∂ μ T (k,ξ ) −1 2 ∂ ξ2i Vv2 (ξ2 )μ2 (k, ξ ) k=1 N ∂ Vv (ξ ) − 12 ∑ μ2T (k, ξ )Vv−1 (ξ2 ) ∂ 2ξ 2 Vv−1 (ξ2 )μ2 (k, ξ ) 2 2 2i k=1 ∂ Vv (ξ ) + N2 Tr Vv−1 (ξ2 ) ∂ 2ξ 2 = 0; (i = 1, 2, . . . , L2 ) 2 2
(4.17)
+ ∂∂2ξ(ξ ) = ∑ 1
= ∑
i
in which L1 and L2 are the sizes of the parameter sets ξ1 and ξ2 respectively. Eq. (4.16) shows that the gradient of the second term of the likelihood function with respect to the first set of parameters ξ1 should also be evaluated to satisfy the minimization condition because the second output error vector is also the function of the first set of parameters ξ1 . This leads to the following assumption which has to be made: Assumption 2: With only the first set of observation equations y1 (t) the identifiability of parameter ξ1 is guaranteed and the state variables x(k) , parameters ξ1 can be estimated by minimizing the first term of the likelihood function. In order to satisfy this assumption, the flight instrumentation system should make information available about ground velocity, air velocity, altitude, and aircraft attitude. This is in practice achievable with modern flight instrumentation systems. With this assumption, the contribution from the second observation equation can be
142
P. Chu, J.A. (Bob) Mulder, and J. Breeman
neglected with respect to the estimation accuracy. It is equivalent to the case that the second output error vector only takes the estimated states and parameters as perfect measurements, therefore, μ2 (k, ξ ) is no longer a function of ξ1 , i.e.:
μ2 (k, ξ ) = μ2 (k, ξ2 )
(4.18)
The gradient of the second likelihood function with respect to the first set of parameters is then: N ∂ μ2T (k, ξ2 ) −1 ∂ 2 (ξ ) =∑ Vv2 (ξ2 )μ2 (k, ξ2 ) = 0 (4.19) ∂ ξ1 ∂ ξ1 k=1 The necessary conditions in Eqs. (4.16),(4.17) become: ∂ 1 (ξ1 ) ∂ ξ1i
N ∂ μ T (k,ξ ) 1 −1 1 ∂ ξ1i Vv1 (ξ1 )μ1 (k, ξ1 ) k=1 N ∂ Vv (ξ ) − 12 ∑ μ1T (k, ξ )Vv−1 (ξ1 ) ∂ 1ξ 1 Vv−1 (ξ1 )μ1 (k, ξ1 ) 1 1 1i k=1 ∂ Vv (ξ ) + N2 Tr Vv−1 (ξ1 ) ∂ 1ξ 1 = 0; (i = 1, 2, . . . , L1 ) 1 1i
= ∑
(4.20)
and: ∂ 2 (ξ ) ∂ ξ2i
N ∂ μ T (k,ξ ) 2 −1 2 ∂ ξ2i Vv2 (ξ2 )μ2 (k, ξ2 ) k=1 N ∂ Vv (ξ ) − 12 ∑ μ2T (k, ξ2 )Vv−1 (ξ2 ) ∂ 2ξ 2 Vv−1 (ξ2 )μ2 (k, ξ2 ) 2 2 2i k=1 ∂ Vv (ξ ) + N2 Tr Vv−1 (ξ2 ) ∂ 2ξ 2 = 0; (i = 1, 2, . . . , L2 ) 2 2i
= ∑
(4.21)
Now the original joint state and parameter estimation problem Eq. (4.12) is solved in two consecutive steps. In the first step the state trajectory is estimated simultaneously with some unknown parameters from the flight test instrumentation system Eq. (4.20) named Flight Path Reconstruction (Refs. [14], [7], [5], [6], [30]) while the aerodynamic parameters are estimated in the second step Eq. (4.21). The method is then called the two-step method (Refs. [28], [32]). From above discussions it is shown that in the limiting case, the two-step method may produce the same results as the joint state and parameter estimation algorithm i.e. one-step Maximum Likelihood method. This limit case requires an accurate flight test instrumentation system to make the flight path reconstruction perfect, i.e.: xˆFPR (k|k − 1) = x(k);
ξˆ1FPR = ξ1
(4.22)
where the subscript FPR means Flight Path Reconstruction. In practice, the measurements of the inertial, air data and other navigation sensors are accurate but certainly not perfect, and the result of the flight path reconstruction depends on the accuracies of these measurements. The aerodynamic parameter estimation takes the result from the flight path reconstruction as state and parameter measurements whether it is perfectly estimated or not, i.e.:
4
Real-Time Identification of Aircraft Physical Models for FTFC
143
ξ1m = ξˆ1FPR
(4.23)
xm (k) = xˆFPR (k|k − 1);
The second set of the observation equations, which is in fact the aerodynamic model, is now written as: y2 (k) = h2 [xm (k), um1 (k), um2 (k), ξ1m , ξ2 ]
(4.24)
It should be noticed that Eq. (4.24) is usually not compatible due to the errors in xm ,um1 , um2 , and ξ1m , i.e.: y2 (k) = h2 [xm (k), um1 (k), um2 (k), ξ1m , ξ2 ]
(4.25)
Once the flight path reconstruction is performed, the second set of observation equations becomes Linear-in-the-parameters. This means that the aerodynamic models are linear functions of aerodynamic parameters when all the measurements, which are needed to identify the aerodynamic parameters are available from direct measurements and the result of the flight path reconstruction. Therefore Eq (4.3), and the nonlinear observation model Eq. (4.24), can be written in the form: ym2 (k) = Hm [xm (k), um1 (k), um2 (k), ξ1m ]ξ2 + v2 (k)
(4.26)
where Hm [xm (k), um1 (k), um2 (k), ξ1m ] is a matrix of the variables xm ,um1 , um2 and ξ1m . Since these variables are all available, this matrix may be called a data matrix. The model becomes now a set of linear regression equations and the estimation problem for this type of model is easier to solve than nonlinear models. This is considered to be a great advantage of the two-step method. Eq. (4.26) can further be written in terms of the total number of samples: Ym = Ξm ξ2 + ζ
(4.27)
in which: Ym = [yTm2 (1), yTm2 (2), . . . , yTm2 (k), . . . , yTm2 (N)]T
ζ = [vT2 (1), vT2 (2), . . . , vT2 (k), . . . , vT2 (N)]T Ξm = [HmT (1), HmT (1), . . . , HmT (k), . . . , HmT (N)]T
(4.28)
The likelihood function to model Eq. (4.26) now becomes:
where:
1 1 2 (ξ2 ) = (Ym − Ξm ξ2 )T Σζ−1 (Ym − Ξm ξ2 ) + ln det Σζ 2 2
(4.29)
Σζ = E{ζ ζ T }
(4.30)
The maximum Likelihood estimates of ξ2 is then:
ξˆ2ML = (ΞmT Σζ−1 Ξm )−1 ΞmT Σζ−1Ym
(4.31)
144
P. Chu, J.A. (Bob) Mulder, and J. Breeman
It is shown from the aerodynamic model Eq. (4.3) that the aerodynamic parameters are all independent from each other. Therefore, the multi-output parameter estimation problem of Eq. (4.29) can be simplified as number of single-output parameter estimations. For each parameter estimation problem the Maximum Likelihood parameter estimation is reduced to a Least Squares estimation problem (Ref. [4]): (i) (i)T (i) (i)T (i) (i) ξˆ2ML = (Ξm Ξm )−1 Ξm Ym = ξˆ2LS
(4.32)
In Eq. (4.32) index i denotes the ith aerodynamic model. In the present case i = 1, 2, 3, see Eq. (4.3). The index i will be dropped in the following discussions for simplicity.
4.3.2 Estimation Properties The estimation properties of the aerodynamic parameters may be analyzed in two different cases: namely when the result of flight path reconstruction is perfect and imperfect. A. Perfect flight path reconstruction
Ξm = Ξ
(4.33)
it is shown below that the Least Squares estimates of aerodynamic model parameters are unbiased when measurement noise is independent from the measured data matrix and moreover it is efficient if the measurement noise is Gaussian distributed. The expectation of the Least Squares estimates of parameter ξ2 is: % $ & ' ' & (4.34) E ξˆ2LS = E (Ξ T Ξ )−1 Ξ T Ym = ξ2 + E (Ξ T Ξ )−1 Ξ T ζ The Least Squares estimation is unbiased if: ' & E (Ξ T Ξ )−1 Ξ T ζ = 0
(4.35)
This means that the measured data matrix should be independent of the measurement noise. This is the case when the measurement noise ζ is white, then: ' & ' & (4.36) E (Ξ T Ξ )−1 Ξ T ζ = E (Ξ T Ξ )−1 Ξ T E{ζ } = 0 When the measurement noise ζ is Gaussian distributed, the covariance matrix is minimized and equals to Cramer-Rao lower bound: % $ % $ (4.37) Cov ξˆ2LS = E (Ξ T Σζ−1 Ξ )−1 = M −1 where M is the Fisher information matrix ( Σζ is a scalar in the present case):
4
Real-Time Identification of Aircraft Physical Models for FTFC
⎫ ⎧ ⎬ ⎨ ∂ 2 (ξ ) (( 2 2 ( M=E ( T ⎩ ∂ ξ2 ∂ ξ2 ξ =ξˆ ⎭ 2 2
145
(4.38)
LS
From Eq. (4.27) we have:
ζ = Ym − Ξ ξ2 n = Ym − Ξ ξˆ2
(4.39)
When ζ is white and Gaussian, the Least Squares estimation is unbiased. Therefore n is also white and Gaussian. The negative logarithm of the likelihood function can then be written as the form of eq. (4.29): 1 1 2 (ξˆ2LS ) = (Ym − Ξm ξˆ2LS )T Σζ−1 (Ym − Ξm ξˆ2LS ) + ln det Σζ 2 2
(4.40)
and the expectation of the second order partial derivatives of Eq. (4.40) is: ⎧ ⎫ ⎨ ∂ 2 (ξ ) (( ⎬ $ % 2 2 ( T −1 = E M=E (4.41) Ξ Σ Ξ ζ ⎩ ∂ξ ∂ξT ( ˆ ⎭ 2
2
ξ2 =ξ2LS
Comparing Eqs. (4.41) and (4.37) the Least Squares estimation is efficient. B. In the imperfect flight path reconstruction case the measured data matrix can approximately be written in terms of a sum of the true data matrix and an additional error term: Ξm = Ξ + Δ Ξ (4.42) The Least Squares estimates of ξ2 can be calculated if the error term is known. Unfortunately, this error term is usually an unknown and the Least Squares method only takes the measured data matrix with errors to calculate the Least Squares estimates of the unknown parameters ξ2 using the incompatible observation equations Eq. (4.25):
ξˆ2LS = (ΞmT Ξm )−1 ΞmT Ym
(4.43)
The expectation of the Least Squares estimates of parameter ξ2 in the present case is then: % $ & ' E ξˆ2LS = E (ΞmT Ξm )−1 ΞmT Ym (4.44) & ' & ' = ξ2 − E (ΞmT Ξm )−1 ΞmT Δ Ξ ξ2 + E (ΞmT Ξm )−1 ΞmT ζ Eq. (4.44) shows that even when the noise is white the Least Squares method using an incorrectly measured data matrix still produces biased estimates of parameters. The estimation bias is given by: & ' E (ΞmT Ξm )−1 ΞmT Δ Ξ ξ2 (4.45)
146
P. Chu, J.A. (Bob) Mulder, and J. Breeman
The actual Fisher information matrix is then: % $ % $ M = E ΞmT Σζ−1 Ξm = E (Ξ + Δ Ξ )T Σζ−1 (Ξ + Δ Ξ )
(4.46)
Comparing Eqs. (4.46) and (4.37), the Least Squares estimation is not efficient because of the errors in the data.
4.3.3 Techniques to Cope with Estimation Biases It may be seen from previous sections that biased estimates of the aerodynamic parameters are caused by a number of reasons. In order to keep the Least Squares estimates of ξ2 unbiased and efficient, several techniques which can cope with the estimation biases of the Least Squares method may be applied. These techniques are: a) accurate flight test instrumentation system (Refs. [15], [16], [31], [28], [32]), b) instrumental variable method (Ref. [18]), and c) Total Least Squares method ([22], [19], [20]). The Total Least Squares method has been applied with success at the Delft University of Technology to aircraft aerodynamic parameter estimation especially for the case of errors in the data matrix.
4.4 On-Line Parameter Estimation Using Least Squares and Total Least Squares Methods The most common method to solve an over determined set of linear equations is the least-squares estimator (LS). The numerical simplicity of the LS regression estimator and the availability of recursive algorithms are probably the prime reasons behind its extreme proliferation. Although LS regression only acknowledges disturbances in the dependent variables, it is often applied to cases where not only the system’s output, but also the independent explanatory variables are affected by uncertainties. This applies to many aerospace applications, for example in the equation error approach to aerodynamic model development and the validation from flight test data. Here, both the dependent and independent variables are directly or indirectly derived from measurements of the vehicle states and inputs, and are corrupted by errors. However, the noise that affects the measurements on the explanatory variables is not properly addressed by an LS estimator. The counterpart of the least-squares estimator that correctly handles the ‘errorin-variables problem’ is the total least-squares estimator (TLS) (Ref. [35]). Instead of minimizing the sum of squares of residuals on only the response variable, it seeks to minimize the sum of squares of residuals on all the variables in the equation. Unfortunately, TLS estimators do not share the desirable computational properties of the ordinary LS estimators. A recursive algorithm that directly propagates a TLS estimate over the incoming measurements is not available (Refs. [20], [21]). Total least-squares parameter estimates are found by computing the singular value
4
Real-Time Identification of Aircraft Physical Models for FTFC
147
decomposition (SVD) of the compound matrix of explanatory and explained variables (Refs. [11], [36]). Since the size of this matrix is directly related to the number of measurements, computation of a TLS estimate can be problematic for large sets of measurements. Although no direct recursive algorithms are known, sequential techniques are available that determine an updated SVD by means of another singular value decomposition (Ref. [25]); the latter however is of a constant dimension that is related to the number of model parameters and not the number of measurements. Being part of most robust and adaptive control systems, least-squares estimators are used in an environment where computational effort and manageability of data are of great importance. Efficient recursive or sequential algorithms are therefore mandatory. At the same time the context of measured data which corrupts both dependent and independent variables constitutes a strong preference for total leastsquares estimators. This subsection presents a brief analysis of the TLS problem as it is typically encountered during parameter estimation for aerospace dynamic models. Based on this analysis, an efficient method for sequential computation of the TLS estimate is proposed.
4.4.1 Preliminaries The ordinary least-squares problem deals with the determination of the vector x ∈ ℜn that minimizes Ax − b 2 , in which the matrix of independent variables A ∈ ℜm×n and the vector of dependent variables b ∈ ℜm are the known elements in the overdetermined set of equations b ≈ Ax. If rank(A) equals the dimension of the parameter vector n, the least-squares problem has the unique solution xLS = (AT A)−1 AT b (Refs. [11], [36]). The recursive least-squares algorithm computes the solution to the LS problem for ATm = [ATm−1 , aTm ] and bTm = [bTm−1 , bm ] from the solution for the case Am−1 , bm−1 . If the matrix ATm Am = ATm−1 Am−1 + aTm am is written −1 + aTm Iam , the matrix inversion lemma can be used to yield as Pm−1 (ATm Am )−1 = Pm = Pm−1 −
Pm−1 aTm am Pm−1 1 + amPm−1 aTm
(4.47)
in which the remaining inverse is scalar. Setting k = (Pm−1 aTm )/(1 + am Pm−1 aTm ) and using (4.47), the recursive least-squares estimator consists of the following two steps after the computation of k: Pm = Pm−1 − k amPm−1 xm = xm−1 + k(bm − am xm−1 )
(4.48)
Because the matrix A contains the set of row vectors of explanatory variables - one for each measurement - and the rank of a matrix equals its number of independent row vectors, rank(A) cannot decrease when a new measurement is added. Once enough independent measurements have been collected, the matrix AT A therefore cannot become rank deficient again, although its condition may deteriorate. This ensures successful propagation of the matrix P , a property that will prove useful for the sequential TLS as well.
148
P. Chu, J.A. (Bob) Mulder, and J. Breeman
The total least-squares solution for the overdetermined set b ≈ Ax is the vector that satifies the approximate set of compatible equations b ≈ A xT LS , for which the Frobenius norm [A, b] − [A , b ] F is minimal (Ref. [36]). If U Σ V T is the singular value decomposition of [A, b] where Σ = diag(σ1 , . . . , σn , σn+1 ) contains the ordered set of real singular values for which σi ≥ σi+1 , then the closest approximate set of rank n is U Σ V T with Σ = diag(σ1 , . . . , σn , 0) . The desired solution xT LS must then satisfy U Σ V T [xTT LS , −1]T = 0 . Hence, the vector [xTT LS , −1]T is part of the kernel of U Σ V T and must be perpendicular to the first n column vectors of V . As V is orthonormal, the desired vector equals the last column vector of V .
4.4.2 Sequential Total Least Squares (Ref. [34]) The singular values of a matrix C are the square roots of the eigenvalues of the matrix CT C ; the columns of the matrix of right singular values vectors V are the corresponding eigenvectors of CT C . The TLS problem is thus reduced to finding the eigenvector that is associated with the smallest eigenvalue of [A, b]T [A, b] . Computation of CT C is usually strongly discouraged because of numerical inaccuracies (Ref. [11], [36]). When the original matrix is ill conditioned, the product CT C can become singular due to finite-precision computations. However, examples of such matrices are highly academic. It is important to note that ill conditioning in a system identification application due to insufficient excitation does not play a role here. As was noted before, a full-rank matrix of variables cannot become rank deficient again. Erroneous singularity of the matrix [A, b]T [A, b] can only occur when a newly added row of measurements contains solely elements that lead to underflow of all previous measurements. Assuming measurement errors (spikes) have been removed, this is not a realistic scenario. Additionally, if such measurements would occur, the ill conditioning of the matrix would also lead to unreliable parameter estimates if computation takes place with infinite precision. The eigenvector that is associated with the smallest eigenvalue of an invertible matrix equals the eigenvector for the largest eigenvalue of the matrix inverse. The power method (Ref. [11]) is based on the characteristic that lim Ak x converges to k→∞
a multiple of the dominant eigenvector of A that is not perpendicular to the initial x ; the dominant eigenvector is the one associated with the largest eigenvalue. Application of the power method to the inverse of a matrix therefore produces a series of vectors that converge to the eigenvector for the smallest eigenvalue of the original matrix. A TLS estimate can thus be found most easily by applying the power method to ([A, b]T [A, b])−1 . At this point, a sequential algorithm for computing the TLS estimates can be formulated on the basis of the propagation of the matrix P = ([A, b]T [A, b])−1 , similar to the role of the matrix P in recursive ordinary least squares. Because the power method computes the parameter estimate from the propagated matrix directly, the estimate itself is not used in the recursion. Hence, the complete TLS propagation consists only of
4
Real-Time Identification of Aircraft Physical Models for FTFC
Pm = Pm−1 −
pT p 1 + p[am, bm ]T
149
(4.49)
with p = [am , bm ]Pm−1 . If the actual estimate is required, it can be computed by updating the eigenvector estimate v in the iteration vk+1 = P(vk , vk,n+1 )
(4.50)
In Eq. (4.50) vk,n+1 denotes the (n + 1)th element of the vector vk . By dividing the vector by its last element, an explosion of the iterated vector and potential numerical problems are avoided. Because eigenvectors can arbitrarily be scaled, this does not influence the iteration itself. Instead, because the last element of the vector is repeatedly scaled to 1, vk+1,n+1 converges to the largest eigenvalue of P and can be used as a convergence requirement for the iteration: The dominant eigenvector is found when the difference between vk,n+1 and vk+1,n+1 drops below a preset convergence requirement. By choosing v0 = [0, . . . , 0, 1]T , it is guaranteed that the vector has a component along the desired eigenvector. Because the converged vector can be used as starting point for a later iteration when P has been updated, v needs only to be initialized once. Finally, the actual parameter estimate is obtained from the eigenvector estimate: (4.51) xT LS = −v1:n /vn+1
4.4.3 Summary of TLS Method The application of the total least-squares method to typical aerospace parameter estimation problems was briefly discussed. The commonly mentioned threat of information loss by reducing the variables matrix to its inner square was analyzed and found harmless to applications where a series of measurements arrive with time. Together with the notion that instead of singular values, only the smallest eigenvector of the inner square matrix is required to compute TLS estimates, this led to the presentation of a computationally superior sequential TLS method. The suggested method satisfies all the requirements on an estimator for real-time applications: Its computational demand for each step is independent of the number of preceding measurements and memory requirements are constant. Propagation of the inverted inner square matrix with arriving measurement does not depend on computation of the actual parameter estimate; without it, the number of operations per step is deterministic and smaller than that for the recursive ordinary least-squares estimator.
4.5 Real-Time Identification of Aircraft Physical Model for Fault Tolerant Flight Control, [13] Now the basic framework for on-line and real-time parameter identification has been presented, the step towards in-flight fault detection has to be made. The goal of the parameter identification is to provide a controller with the most likely, most
150
P. Chu, J.A. (Bob) Mulder, and J. Breeman
reliable model in flight. During normal flight with an undamaged aircraft, such a model can best be based on an extensive set of aerodynamic data, which has been previously built on the results of flight testing in different parts of the flight envelope. A structure with different hyperboxes for different Mach numbers and angles of attack can be used to provide the best estimation of the behaviour of an undamaged aircraft. The flight controller can fully rely on this data to control the aircraft. Based on different error criteria, the best aerodynamic model available will be chosen to be forwarded to the model-based controller. This means that the on-line estimated aerodynamic model will only be used if the aircraft encounters a failure. As long as an aircraft is not damaged, the aerodynamic models originating from the database will be the most accurate source. When a failure does occur, a different situation is created, in which the aerodynamic models originating from the database lose their reliability. A successful fault tolerant flight control (FTFC) system will need to take two crucial steps in order to adapt the controller to this new situation. I. Trigger reconfiguration. This means that the control system needs to realize that the current aerodynamic model (originating from the available aerodynamic database) is not sufficiently accurate. The difficulty of this step is to create a system which is both sufficiently reliable and sensitive to make a correct decision for reconfiguration, without pilot interference. II. Loading the on-line identified model of the damaged aircraft into the control system. As soon as the conclusion is drawn that the model from the database is unreliable, the on-line identified model can be loaded. This identification has continuously been performed during the flight, meaning it is readily available for uploading. In order to remove the compromise between data loss and adaptivity which is the negative effect of the use of a forgetting factor in any recursive parameter estimation approaches, a different approach is now suggested. The use of a forgetting factor λ < 1 has been shown to be useful in making the identification adaptive to model changes over time. The effect of this forgetting factor is that the covariance matrix
X Aircraft
Real-time identification of aerodyn. model
Trigger reconfig.
X
X
States
Choose most accurate model
To controller: Output of most accurate aerodyn. model available
Database aerodynamic models
Fig. 4.8 Trigger for reconfiguration and real-time aerodynamic model identification
4
Real-Time Identification of Aircraft Physical Models for FTFC
151
Fig. 4.9 An example of model based adaptive flight controller using on-line identified aircraft physical model
P does not reduce to zero, but constantly grows whenever the input channels are excited insufficiently. A solution to the problem of data loss and model instability would be to artificially only increase the covariance matrix P, when the current model cannot be relied upon anymore. In this way, no data will be lost during normal flight, maintaining the quality of the model also in constant flight conditions. In case an error occurs that affects the model, the aircraft will move (or this induced movement will be counteracted by the nominal flight control system), creating sufficient data on the input channels to identify the new model within a limited time span. The major requirement for this procedure is that reliable information is available about the quality of the aerodynamic model. In Ref. [12], the authors describe a procedure to use the innovation (difference between the model prediction and the actual behaviour of the system or aircraft) as a measure for the quality of the model. The absolute value of the innovation does not only depend on the model quality, but also on the noise in the input channels, which makes it unsuitable for quality determination. Instead, the ‘whiteness’ of the innovation is used as a quality measure, since a perfect model would have a residual comparable to the noise present in the input signals. Once the whiteness criterion has suggested that the current model contains errors, reconfiguration will take place. The covariance matrix of the parameter estimator gives a measure for quality of the data that has entered the identification. Without a forgetting factor, this ‘data richness’ can only improve, since all information from previous measurements is retained. This results in a gradual ‘freezing’ of the parameter values, since every new data point is weighted less in the parameter
152
P. Chu, J.A. (Bob) Mulder, and J. Breeman
identification. When it is concluded that the real-life situation has changed to such an extent that the identified model is not valid anymore, this old data should be disregarded. By artificially returning the covariance matrix to its initial state (a matrix with relatively large values), the parameters are more influenced by new measurements and can be identified based on the flight data of the aircraft in its new, changed situation. The newly identified model will be available to be presented to a model based adaptive flight controller. Fig. 4.9 illustrates an example of this type of flight controller.
4.6 Conclusions In this chapter, the decomposition of the aircraft state and parameter estimation problem has been discussed and the resulting two-step method is proven to possess the same estimation properties as that of one-step Maximum Likelihood method, in the case of accurate measurements given by the flight test instrumentation systems. Once the flight path reconstruction has been performed, the aerodynamic parameter estimation becomes linear-in-the-parameters. A simple linear Least Squares method can be applied to estimate the aerodynamic parameters. The Total Least Squares method may be used in case of necessity. Since the system and observation models for the flight path reconstruction are known in detail it is not necessary to evaluate different model structures, and flight path reconstruction needs only to be solved once for each flight test manoeuvre without any knowledge about aircraft aerodynamic models. This is considered to be one of the advantages of the two-step method because the aerodynamic model must be assumed to be known correctly in advance before the one-step maximum likelihood method can be used. In the case of incorrect aerodynamic models, the one-step method may diverge or converge to wrong values of aerodynamic parameters (local maximum of the likelihood function). Therefore, the modification of the aerodynamic models has to be considered and the one-step joint state and parameter estimation procedure has to be performed over and over again. The two-step method does not suffer from this problem. One can always construct the modified aerodynamic model and run the linear Least Squares method to estimate the aerodynamic parameter again using the same reconstructed state trajectories. Therefore, this method is very suitable for routine analysis of large amounts of flight test data. The optimization algorithms and initial parameters for the one-step method must be selected properly in order to achieve the global maximum of the likelihood function – even in the case that correct aerodynamic models are specified. On the other hand, this problem is obviated by the use of the two-step method as the solution of the Least Squares method is direct and unique. In the case of errors in the measured data or from the first step of the two step approach, Total Least Squares can be applied to reduce the bias of the model parameter estimates.
4
Real-Time Identification of Aircraft Physical Models for FTFC
153
Recursive and sequential approaches for both steps can easily be implemented for on-line applications of model identification, in order to realize the design of model based adaptive flight controllers.
References 1. Anonymous. Rotorcraft system identification. Technical Report AGARD-AR-280, AGARD (1991) 2. Breeman, J.H., Erkelens, L.J.J., Nieuwpoort, A.M.H.: Determination of performance and stability characteristics from dynamic manoeuvres with a transport aircraft using parameter identification. In: AGARD FMP Symposium on Flight Test Techniques, Lisbon (1984) 3. Breeman, J.H., Simons, J.L.: Evaluation of a method to extract performance data from dynamic manoeuvres for a jet transport aircraft. In: 11th ICAS congress, Lisbon (1978) 4. Chu, Q.P., Mulder, J.A., Sridhar, J.K.: Analytical and numerical comparison of the maximum likelihood method and two step method for aircraft state and parameter estimation. In: Proceedings of the 10th IFAC Symposium on System Identification, SYSID 1994, July 1994, vol. 3, pp. 61–66 (1994) 5. Chu, Q.P., Mulder, J.A., Van Woerkom, P.T.L.M.: Aircraft flight path reconstruction with nonlinear adaptive filters. In: Proceedings of the American Control Conference, ACC, Seattle, vol. 2, pp. 1196–1200 (1995) 6. Chu, Q.P., Mulder, J.A., Van Woerkom, P.T.L.M.: Modified recursive maximum likelihood adaptive filter for nonlinear aircraft flight path reconstruction. AIAA Journal of Guidance, Control and Dynamics 19(6), 1285–1295 (1996) 7. Chu, Q.P., Verbass, A., Mulder, J.A., van den Broek, P.P.: Nonlinear adaptive filtering with application to spaceplane flight path reconstruction. In: Proceedings of the 2nd ESA International Conference on Guidance, Navigation and Control Systems, ESTEC, ESTEC Conference Bureau, Noordwijk, April 1994, pp. 107–116 (1994) 8. Gerlach, O.H.: Analyse van een mogelijke methode voor het meten van prestaties en stabiliteits- en besturingseigenschappen van een vliegtuig in niet stationaire, symmetrische vluchten (analysis of a possible method for the measurement of performance and stability and control characteristics in non-steady symmetrical flight). Technical Report VTH-117, Delft University of Technology, Department of Aerospace Engineering (November 1964) 9. Gerlach, O.H.: Determination of performance and stability perameters from non-steady flight test manoeuvres. In: SAE paper, number 700236, Wichita, Kansas. National business aircraft meeting (1970) 10. Gerlach, O.H.: Determination of stability derivatives and performance characteristics from non-steady flight test manoeuvres. Technical Report CP-85, AGARD, Toulouse (1971), Also as report VTH-163, Delft University of Technology, Department of Aerospace Engineering (February 1976) 11. Golub, G.H., Van Loan, C.F.: Matrix Computations. Johns Hopkins University Press, Baltimore (1996) 12. Hajiyev, C., Caliskan, F.: Fault Diagnosis and Reconfiguration in Flight Control Systems. Cooperative Systems, vol. 2. Kluwer Academic Publishers, Dordrecht (2003) 13. Huisman, H.O.: Fault tolerant flight control based on real-time physical model identification and nonlinear dynamic inversion. Master’s thesis, Delft University of Technology, Faculty of Aerospace Engineering, Control and Simulation Division, June 20 (2007)
154
P. Chu, J.A. (Bob) Mulder, and J. Breeman
14. Jonkers, H.L.: Application of the kalman filter to flight path reconstruction from flight test data including estimation of instrumental bias error corrections. Technical Report VTH-162, Delft University of Technology, Department of Aerospace Engineering (February 1976) 15. Jonkers, H.L., Mulder, J.A.: Accuracy limits in nonsteady flight testing. In: The tenth congress of the International Council of the Aerospace Sciences, ICAS, number 76-46, Ottawa, October 1976. ICAS (1976) 16. Jonkers, H.L., Mulder, J.A.: New developments and accuracy limits in aircraft flight testing. In: AIAA Aircraft System and Technology Meeting, number AIAA 76-897, Dallas, Texas (September 1976) 17. Jonkers, H.L., Mulder, J.A., van Woerkom, K.: Measurements in non-steady flight: Instrumentation and analysis. In: Proceedings of the 7th international aerospace instrumentation symposium, Cranfield (1972) 18. Klein, V.: Identification evaluation method. AGARD Lecture Series, vol. 104, pp. 2-1– 2-21 (1979) 19. Laban, M.: Online aircraft state and parameter estimation. Technical Report AGARDCP-519, paper 29, AGARD (May 1992) 20. Laban, M.: Online aircraft aerodynamic model identification. PhD thesis, Delft University of Technology (1994) 21. Laban, M., Masui, K.: Total least squares estimation of aerodynamic model parameters from flight data. Journal of Aircraft 30(1), 150–152 (1993) 22. Laban, M., Mulder, J.A.: Online identification of aircraft aerodynamic model parameters. In: 9th IFAC/IFORS Symposium on Identification and System Parameter Estimation, Budapest, Hungary (July 1991) 23. Liu, Y., Cukic, B., Fuller, E., Yerramalla, S., Gururajan, S.: Monitoring techniques for an online neuro-adaptive controller. The Journal of Systems and Software 79, 1527–1540 (2006) 24. Maine, R.E., Illif, K.W.: Agard flight test techniques series. On identification of dynamic systems - application to aircraft, part 1: The output error approach, vol. 3. Technical report, AGARDograph (1986) 25. Moonen, M., van Dooren, P., Vandewalle, J.: An svd updating algorithm for subspace tracking. SIAM Journal on Matrix Analysis and Applications 13(4), 1015–1038 (1992) 26. Muhammad, H.: Identification of turboprop thrust from flight test data. PhD thesis, Delft University of Technology (December 1995) 27. Mulder, J.A.: Estimation of thrust and drag in nonsteady flight. In: Proceedings of the 4th IFAC Symposium, Identification and System Parameter Estimation, Tbilisi (1976) 28. Mulder, J.A.: Design and evaluation of dynamic flight test manoeuvers. Technical Report LR-497, Delft University of Technology, Delft, the Netherlands (1986) 29. Mulder, J.A., Baarspul, M., Breeman, J.H., Nieuwpoort, A.M.H.: Determination of the mathematical model for the new dutch government civil aviation flying school flight simulator. In: 18th Annual Symposium on Society of Flight Test Engineers, SFTE, Amsterdam (September 1987), Also as Memorandum M-578, Delft University of Technology, Department of Aerospace Engineering (July 1987) 30. Mulder, J.A., Chu, Q.P., Sridhar, J.K., Breeman, J.H., Laban, M.: Non-linear aircraft flight path reconstruction review and new advances. Progress in Aerospace Sciences 35(7), 673–726 (1999) 31. Mulder, J.A., Jonkers, H.L., Horsten, J.J., Breeman, J.H., Simons, J.L.: Analysis of aircraft performance, stability and control measurements. AGARD Lecture Series, vol. 104 (1979)
4
Real-Time Identification of Aircraft Physical Models for FTFC
155
32. Mulder, J.A., Sridhar, J.K., Breeman, J.H.: Identification of dynamic systems, applications to aircraft, part 2: nonlinear analysis and manoeuvre design. AGARDograph 300, vol. 3 (1986) 33. Plaetschke, E., Mulder, J.A., Breeman, J.H.: Results of beaver aircraft parameter identification. Technical Report FB 83-10, DFVLR Institut f¨ur Flugmechanik, Braunschweig, Germany (1983) 34. Soijer, M.W.: Sequential computation of total least squares parameter estimates. Journal of Guidance and Control 27(3), 501–503 (2003) 35. Van Huffel, S.: Analysis of the Total Least Squares Problem and its use in Parameter Estimation. PhD thesis, Catholic University of Leuven (1987) 36. van Huffel, S., Vandewalle, J.: The total least squares problem computational aspects and analysis. SIAM, Philadelphia (1991)
Chapter 5
Industrial Practices in Fault Tolerant Control Philippe Goupil
5.1 Introduction Electrical Flight Control System (EFCS1 ), first developed by Aerospatiale and installed on Concorde (as an analog system) and then designed with digital technology on Airbus aircraft from the 1980’s (A310), provides more sophisticated control of the aircraft and flight envelope protection functions[3],[4],[5]. The main characteristics are that high-level control laws in normal operation allow all control surfaces to be controlled electrically and that the system is designed to be available under all circumstances. The EFCS is a safety-critical system designed to meet very stringent requirements in terms of safety and availability. Most, but not all, of these requirements come directly from the Aviation Authorities (for example FAA, EASA, for details see [2],[1]). In this chapter, Fault Tolerant practices used to design a dependable safety-critical EFCS are described. In section 5.2, as a general introduction, the aircraft development process is described using the V-cycle. The next section details some ‘golden rules’ used for designing a Fault Tolerant EFCS. Section 5.4 outlines the flight control computer specification and shows how the dedicated process contributes to the EFCS Fault Tolerant design. Section 5.5 discusses some aspects of the system validation and verification as a part of the Fault Tolerant design. Finally, the last section shows an example of a failure detection technique implemented on the A380, illustrating one of the golden rules previously described.
5.2 Aircraft Development Process - The V-Cycle This section describes the aircraft development process that is depicted in the Vcycle (Fig. 5.1). Strictly following this cycle achieves Fault Tolerance. The first Philippe Goupil Airbus France, EDYC-CC Flight Control Systems, 316 Route de Bayonne, 31060 Toulouse Cedex 09 e-mail:
[email protected] 1
EFCS is also known as Fly-By-Wire (FBW).
C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 157–167. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
158
P. Goupil
branch of the V-cycle is the development phase. It starts with the aircraft specification corresponding to the ’top level requirements’: the definition of the needs, the choice of concepts, control laws, technologies, etc. The aircraft is decomposed into sub-parts called systems which are specified in the next step. The systems are decomposed in sub-parts called ‘equipment’ which are then specified. For example, the software of the Flight Control Computers is specified thanks to a specific graphical language and an automatic generation tool produces the code (see Section 5.4). At this step the code is used in a desktop simulator to begin the initial validation. It is also used in a development simulator, a real cockpit where everything is simulated. After equipment specification, the corresponding code is generated and implemented inside the equipment. Then, the second part of the V-cycle can start. This integration phase consists of a severe validation campaign on different test benches (see Section 5.5 for more details), from the simplest ones (an actuator bench) to more complete ones (the ‘Iron Bird’). The validation phase ends with the flight tests. The V-cycle ends with the certification process. Significant verification and validation is performed all along the cycle (see Section 5.5). The verification objective is to get assurance that the product (system/equipment) is compliant to its specification. The validation objective is, on the one hand, to get the assurance that the specifications are correct and complete, and on the other hand, to get the assurance that the final product is compliant with the customer needs. Consequently, the V-cycle is not a fixed process but rather an iterative process due to the verification and validation activities that can lead to changes in some specifications all along the cycle. Aviation Authorities regulations (FAR/CS [2],[1]) are requirements and part of the aircraft specification. Hence verification and validation need to demonstrate aircraft compliance to these requirements in order to obtain certification. As a consequence, certification may be considered as a sub-process of the validation and verification process but with a more of formalism (certification sheets, reviews...) and a particular point of view (safety oriented).
5.3 Some ‘Golden Rules’ for Designing a Highly Dependable System The EFCS is a safety-critical system in the sense that catastrophic consequences may result from its failures, such as a control surface runaway (e.g. rudder or Trimmable Horizontal Stabilizer), loss of control on the pitch axis, lack of control after an engine burst or an oscillatory failure at a frequency critical to the structure (see Section 5.6). The detection of all related failures is therefore a very important point to be considered in the aircraft design. All these failures must be extremely improbable, i.e. with a probability of less than 10−9 per flight hour and considering qualitative requirements (FAR/CS 25.1309). Specifically for flight controls, FAR/CS 25.671 requires that a catastrophic consequence must not be due to a single failure or a control surface jam or a pilot control jam. This qualitative requirement is on top of the probabilistic assessment. In order to be compliant with Airworthiness
5
Industrial Practices in Fault Tolerant Control
159
Fig. 5.1 V-cycle representing the aircraft development process.
requirements for aircraft certification and to design a fault-tolerant aircraft, Airbus uses a number of ‘golden rules’[5, 6] outlined below: • A Safety System Assessment (SSA) to assess the effect of each functional failure on the system. The SSA is a kind of fault tree that studies all the possible combinations of failures to determine the probability of occurrence of an event. The probability of each elementary failure is given by the manufacturer of the equipment concerned and is re-evaluated or confirmed by experience. This safety analysis can lead to a modification of the flight control architecture (e.g. degree of redundancy) and thus contributes to the design of a more fault tolerant system, compliant with the safety requirements in the regulations. • A stringent development process, based on the guidelines: ARP4754/ED7911[7] for aircraft system development, DO178/ED1212[8] for software development and DO254/ED8013[9] for hardware development. For instance, for software development, the dedicated guidelines do not concern the content of the software, but rather the development process to comply with (planning, development, verification, configuration management, quality assurance issues) in order to obtain the aircraft certification. • Hardware redundancy: for example the use of multiple FBW computers (5 on an A330/A340, and 6 on an A380), and the use of different power sources for control surface actuation. Three hydraulic sources are used on the A320/A340. Four power sources are used on A380 (2 hydraulic and 2 electric). Furthermore, as a last backup, in an emergency situation, a Ram Air Turbine provides enough
160
P. Goupil
energy to pressurize one of the hydraulic circuits and/or to supply the electric network. Redundant sensors also provide air data and inertial information to other systems through dedicated, separate but identical units2 . • Monitoring: all the elements of the flight control system are monitored in realtime, for example the sensors, actuators, probes, and the other computers. An example of such monitoring is given in Section 6. • Reconfiguration: meaning automatic management following a failure. This is a key point in the design of a fault-tolerant aircraft. There are two levels of reconfiguration: – First level, system reconfiguration: consider a control surface with two actuators (Fig. 2). The first one is in active mode and is servo-controlled by computer P1. The second one is in passive mode (it follows the movement of the active actuator) and is associated with a second computer P2, in standby mode. If a failure is detected (by the dedicated monitoring schemes, see above) on the active actuator, then it changes to passive mode and the passive one becomes active. There is a hand-over: P2 becomes active and controls its associated actuator while P1 changes to stand-by mode. P1 loses its functionality on this actuator but not all the others functionalities (control of other actuators, flight control law calculations, etc). This reconfiguration is clearly based on hardware redundancy (computers and actuators). – Second level, flight control law reconfiguration: in normal conditions, with the EFCS the aircraft is protected against critical events[5] such as stall, overspeed, etc. The corresponding flight control law is called the ‘normal law’. However some protection can be lost following failures, for example the loss of a control surface, IRS (Inertial Reference System), ADR (Air Data Reference) or a Flight Control Computer. As a result of the loss of protection, there is a reversion to low-level laws. Flight is still possible, but with less protection. The last level law is the ‘direct law’ where there is no protection. The probability of reverting to a low-level law is very small. This reconfiguration is a way to be fault tolerant and is due to a loss of hardware redundancy. For more information on the control laws, see chapter 1. • Dissimilarity: this is also a very important point to ensure fault tolerance. All Airbus aircraft have at least two types of computer: a primary and a secondary computer. Their hardware and software are different, and they are not developed by the same teams. The system reconfiguration (hand-over) described above uses primary and secondary computers (Fig. 2). The secondary computer is simpler than the primary computer. The dissimilarity also concerns actuators. On the A380, two types are used: the conventional hydraulic actuator and a new generation of electrically powered actuators - the Electro-Hydrostatic Actuator (EHA). EHA has been developed mainly from the viewpoint of reducing the number of hydraulic systems, generating significant weight and cost savings, and providing additional dissimilarity[10]. Electrical Backup Hydraulic Actuators (EBHA) are 2
A.k.a as ADIRU (Air Data Inertial Reference Units).
5
Industrial Practices in Fault Tolerant Control
161
also used on the A380. An EBHA can be viewed as an actuator with two modes: a conventional hydraulic one that can switch to an EHA mode. • Installation segregation: computers are not physically installed at the same place on the aircraft, to avoid total loss in the case of any damage. Such an event could be for example an engine rotor-burst that cuts the electrical wires supplying the computers. The same reasoning leads to segregation of hydraulic and electrical routes. • Flight Control Computer architecture: this is divided into two parts, a command channel (COM) and a monitoring channel (MON). Each channel monitors the other but each channel has a specific task. The COM channel provides the main functions allocated to the computer (flight control law computation and the servocontrol of moving surfaces). The MON channel ensures (mainly) the permanent monitoring of all the components of the flight control system (sensors, actuators, other computers, probes, etc.). It is designed to detect failure cases and to trigger reconfiguration by signalling the failure detection to the COM channel and to the other computers. • A perfect robustness for software and system equipment: e.g. no monitoring false alarms, protection against ElectroMagnetic Interference and severe lightning strikes, no upset in the case of total air cooling loss, etc.
5.4 Flight Control Computer Functional Specification The specification of a computer includes, on the one hand, an ‘equipment and software development’ technical specification used to design the hardware and (partly) the software. On the other hand, a functional specification accurately defines the functions implemented by the software. This functional specification is another key point for designing a Fault Tolerant EFCS. The main specified functions are: flight control laws, monitoring functions, slaving of control surfaces and reconfigurations. In the first step, a graphical tool allows specification of these functions (computer aided-specification). A limited set of graphical symbols (adder, filter, integrator, look-up tables) is used to describe each part of the algorithm in dedicated ‘functional specification sheets’. This specification is under the control of a configuration management tool and its syntax is partially checked automatically. In a second step, an automatic generation tool produces the code to be directly implemented in the flight control computer. Such a tool has as input the functional specification sheets, and a library of software packages, one package for each symbol used. The automatic programming tool links together the symbol packages. The software produced is also intensively checked at this step[5]. The use of such tools is part of the Fault Tolerant design of the EFCS and thus has a positive impact on safety. An automatic tool ensures that a modification to the specification can be coded easily even if this modification needs to be embodied rapidly (situation encountered during the flight test phase for example). Automatic programming, through the use of a formal specification language, also allows onboard code from one aircraft program to be used on another.
162
P. Goupil
Fig. 5.2 System reconfiguration. In the case of two actuators per control surface, a first primary computer P1 ensures the servo control of the active actuator powered by a first hydraulic system. A second primary computer P2, in stand-by mode, is associated with the second actuator in passive mode. A second hydraulic system powers this second actuator. When a failure is detected, a hand-over between P1 and P2 changes the active actuator to passive mode and the passive one becomes active. S1 and S2 are the secondary computers ensuring a second line of redundancy with the same principle.
5.5 System Validation and Verification The system validation and verification proceeds through several steps: • Peer review of the specifications, and their justification. This is done in light of the lessons learned by scrutinizing incidents that occur in airline service. • Analysis, most notably the SSA which, for a given failure condition, checks that the monitoring and reconfiguration logic allows the fulfillment of the quantitative and qualitative objectives, but also analysis of system performance, and integration with the structure. • Tests on a desktop simulator using the automatically produced software coupled to a rigid aircraft model. • Tests on a System Integration Bench (SIB), a test bench used to tune the servocontrol of a given control surface, with simulated inputs and observation of computer internal variables. This bench offers the possibility of validating degraded configurations: e.g. low hydraulic pressure and high aerodynamic loads on the control surface.
5
Industrial Practices in Fault Tolerant Control
163
• Tests on the ‘Iron Bird’: a test bench that is a kind of very light aircraft, without the fuselage, the structure, the seats, etc, but with all system equipment installed and powered as on an aircraft (e.g. hydraulic and electric circuits). • Tests on a flight simulator: a test bench with a real aircraft cockpit, flight control computers and coupled to a rigid aircraft model. The Iron Bird can also be coupled to the flight simulator. • Flight tests, on several aircraft, fitted with ‘heavy’ flight test instrumentation. More than 10000 flight control parameters are permanently monitored and recorded.
5.6 An Example of Monitoring: A380 Oscillatory Failure Case Detection As previously mentioned, the EFCS is a safety-critical system designed to meet very stringent requirements in terms of safety and availability. The detection of all related failures is therefore a very important point to be considered in the aircraft design. In particular, in the context of overall aircraft optimization and their increasing size, system design objectives originating from structural load design constraints are more and more stringent. The main issue is weight saving to improve the aircraft performance (e.g. fuel consumption, noise, range). Consequently, for system failures impacting the aircraft structure, the performance of detection methods must be improved, while retaining perfect robustness. EASA regulations CS 25.302 used for aircraft certification state that the system must be designed so that it cannot produce hazardous loads on the aircraft. EFCS-failure cases having an influence on structural loads are mainly runaway or jamming of a control surface, the loss of limitations (e.g. rudder deflection limitation as a function of aircraft speed), loss of an EFCS special function to reduce structural design loads (e.g. Load Alleviation Function) or degradation of deflection rates. Some EFCS failures may also result in unwanted control surface oscillations, generating loads on the structure when located within the actuator bandwidth. This failure case is called an Oscillatory Failure Case (OFC)[11]. These failures, coupled with the aeroelastic behaviour of the aircraft, may lead to unacceptably high loads or vibrations. The worst case corresponds to resonance phenomena with the aircraft natural modes. This is very improbable as the OFC frequencies are uniformly distributed. But one cannot prove that it is impossible, so this case has to be covered. OFC amplitude must be contained by the system design within an envelope function of the frequency. The ‘usual’ monitoring techniques cannot guarantee staying within an envelope with acceptable robustness and a specific OFC detection must be used. The ability to detect these failures is very important because it has an impact on the structural design of the aircraft since the load envelope constraints must be respected. More precisely, if an OFC of given amplitude cannot be detected and passivated, this amplitude must be considered in the load computations. The result of this computation can lead to reinforcement of the structure. In order to avoid reinforcing the structure and consequently to save weight, low amplitude OFCs must be detected in time. Only OFCs located
164
P. Goupil
Fig. 5.3 OFC source location in the control loop.
in the servo-loop control of the moving surfaces are considered, that is, between the Flight Control Computer and the control surface, including these two elements (Fig. 3). Consequently, the failures under consideration impact only one control surface. OFCs are mainly due to electronic components in fault mode generating spurious sinusoidal signals. This oscillatory signal propagates through the servo-loop control, leading to control surface oscillations. The faulty components are located inside the Analog Inputs/Outputs, the position sensors or the actuators. The flight control computer may also generate unwanted oscillations of the command current sent to the actuator servo-valve. OFC signals are considered as sinusoids with frequency and amplitude uniformly distributed over the frequency range 0-10 Hz. Beyond 10 Hz, OFCs have no significant effects because of the low-pass behaviour of the actuator. For structure-related system objectives, it is necessary to detect OFCs beyond a given amplitude in a given number of periods, whatever the OFC frequency. For example, it could be necessary to detect an OFC with minimal amplitude of 1 degree in 5 periods, in the frequency band 5-10 Hz. The time detection is expressed in period numbers, which means that, depending on the failure frequency, the time allowed for detection is not the same. Two kinds of OFC have to be considered: ‘liquid’ and ‘solid’ failures. The liquid failure adds to the normal signal (inside the control loop) while the solid failure substitutes the normal signal. The OFC detection methodology must take into account the specifics of these two different cases. To detect an OFC on the A380, the concept of analytical redundancy is used. This is a conventional approach well known in the Fault Diagnosis community[12, 13]. The principle consists of comparing the real functioning of the monitored control surface with an ideal functioning expected in the absence of failure, in order to exhibit the failure. A nonlinear knowledge-based model of the actuator is used to
5
Industrial Practices in Fault Tolerant Control
165
Fig. 5.4 Synopsis of OFC detection by analytical redundancy.
provide this ideal functioning. The overall method is usually built in two steps[6]: residual generation and residual evaluation. Firstly, a residual is generated by comparing the real position p of the control surface (obtained by a sensor) with an estimated position produced by the actuator model. The input of the model is the flight control law (the command used in the servo-control of the control surface). Then secondly, the residual is decomposed in several spectral sub-bands. In each
166
P. Goupil
sub-band, counting oscillations of the filtered residual, performs the OFC detection. The overall method is summarized in Fig. 4. Specific counting is applied for each failure type (liquid and solid). In this approach, the flight control law is considered as fault-free. All its oscillations are calculated in order to compensate for any normal perturbation (e.g. an external disturbance such as turbulence). The hypothesis of a fault-free command is justified because the flight control law is also monitored by dedicated techniques. For more details, the reader can refer to Ref [6]. This modelbased method is currently used on the A380 and gives highly satisfactory results in term of robustness and detection and permits very stringent load requirements to be met.
5.7 Conclusions Safety is the first priority: in service experience has shown that the Airbus EFCS is safe, and even features safety margins. For future and upcoming programs, in particular in the context of aircraft overall optimization and their increasing size, more stringent requirements will be demanded. Consequently, new solutions should be studied. The example given in Section 6 shows that Airbus is continuously improving, in an innovative way, the Fault Tolerant design of its aircraft. The collaborative work done in a research group like GARTEUR AG-16 is a good chance to study the capabilities and viability of novel Fault Tolerant Control techniques. With respect to Fault Tolerance, one of the future challenge to be faced is to get the system right ’first time’. Future work will focus on this challenge.
References 1. Anon. Certification Specifications for Large Aeroplanes, Amendment 1, CS-25. European Aviation Safety Agency (EASA) (former JAA) 2. Anon. FAR/CS 25, Airworthiness Standards: Transport Category Airplane, vol. 14, part 25. FAA 3. Bri´ere, B., Favre, C., Traverse, P.: A familly of fault-tolerant systems: electrical flight controls, from a320/330/340 to future military transport aircraft. Micoprocessors and Microsystems 19(2) (1995) 4. Favre, C.: Fly-by-wire for commercial aircraft: the airbus experience. International Journal of Control 59(1), 139–157 (1994) 5. Traverse, P., Lacaze, I., Souyris, J.: Airbus fly-by-wire: A total approach to dependability. In: Proc. 18th IFIP World Computer Congress, Toulouse, France (2004) 6. Goupil, P.: Oscillatory Failure Case detection in A380 Electrical Flight Control System by analytical redundancy. In: 17th IFAC Symposium on Automatic Control in Aerospace, Toulouse (2007) 7. Anon. ARP 4754/ED79, Certification Considerations for Highly-Integrated or Complex Systems. SAE, no. ARP4754, and EUROCAE, no. ED79 (1996) 8. Anon. DO178B/ED12, Software Considerations in Airborne Systems and Equipment Certification. ARINC, no. DO178B, and EUROCAE, no. ED12 (1992) 9. Anon. DO254/ED80, Design Assurance Guidance for Airborne Electronic Hardware. ARINC, no. DO254, and EUROCAE, no. ED80 (2000)
5
Industrial Practices in Fault Tolerant Control
167
10. Van den Bossche, D.: The A380 Flight Control Electrohydrostatic Actuators, Achievements and Lessons Learnt. In: Proc. 25th Congress of the International Council of the Aeronautical Sciences, Hamburg (2006) 11. Besch, H.M., Giesseler, H.G., Schuller, J.: Impact of Electronic Flight Control System (EFCS) Failure Cases on Structural Design Loads. AGARD Report 815, Loads and Requirements for Military Aircraft (1996) 12. Zolghadri, A., Goetz, C., Bergeon, B., Denoise, X.: Integrity monitoring of flight parameters using analytical redundancy. In: UKACC International Conference on Control (CONTROL 1998), Swansea, UK, pp. 1534–1539 (1998) 13. Frank, P.M.: Fault diagnosis in dynamic systems using analytical and knowledge-based redundancy: A survey and some new results. Automatica 26(3), 459–474 (1990)
Part II
RECOVER: The Benchmark Challenge
Chapter 6
RECOVER: A Benchmark for Integrated Fault Tolerant Flight Control Evaluation Hafid Smaili, Jan Breeman, Thomas Lombaerts, and Diederick Joosten
6.1 Introduction Fault tolerant flight control (FTFC), or intelligent self-adaptive control, enables improved survivability and recovery from adverse flight conditions induced by faults, damage and associated upsets. This can be achieved by ’intelligent’ utilisation of the control authority of the remaining control effectors in all axes consisting of the control surfaces and engines or a combination of both. In this technique, control strategies are applied to restore vehicle stability, manoeuvrability and conventional piloting techniques for continued safe operation and a survivable landing of the aircraft. The design of the GARTEUR REconfigurable COntrol for Vehicle Emergency Return (RECOVER) benchmark was driven by the requirement to demonstrate, both offline and in real-time (piloted) simulation, the performance and viability of new fault tolerant flight control schemes when applied to a realistic, nonlinear advanced Hafid Smaili National Aerospace Laboratory NLR, Anthony Fokkerweg 2, 1059 CM Amsterdam, The Netherlands e-mail:
[email protected] Jan Breeman National Aerospace Laboratory NLR, Anthony Fokkerweg 2, 1059 CM Amsterdam, The Netherlands e-mail:
[email protected] Thomas Lombaerts Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Diederick Joosten Delft University of Technology, Delft Center for Systems and Control, Mekelweg 2, 2628 CD Delft, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 171–221. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
172
H. Smaili et al.
flight control application. The test scenarios of the benchmark provide challenging assessment criteria, based on a review of operational requirements, to assess the effectiveness and potential of the FTFC methods to improve aircraft survivability. The assessment criteria of the GARTEUR RECOVER benchmark scenarios are further described in detail in Chapter 7. This Chapter provides a description of the flight data reconstruction, analysis and simulation modelling of the 1992 Amsterdam Bijlmermeer aircraft accident case (Flight 1862) using the Digital Flight Data Recorder (DFDR) recovered after the accident. This study, based on accident investigation work conducted for the Flight 1862 case [17, 18], resulted in high fidelity non-linear aircraft and fault models for a large transport aircraft that are part of the GARTEUR RECOVER benchmark. Section 6.2 of this Chapter first starts with a description of the Flight 1862 accident case in order to provide a background on the events that led up to the accident, associated flight technical issues, aircraft handling characteristics and survivability aspects. The application of flight data from the accident aircraft’s DFDR is described for the reconstruction and simulation of the Flight 1862 benchmark scenario. Section 6.3 provides a description of the GARTEUR RECOVER benchmark including design specifications, simulation model architecture, analysis and visualisation tools and some examples demonstrating the use of the benchmark. Chapter 7 provides a detailed description of the defined operational assessment criteria, which are an integral part of the RECOVER benchmark, for the evaluation of new fault tolerant flight control algorithms. A quick reference guide to the GARTEUR RECOVER benchmark is provided as part of the software package [6]. The additional literature references [8, 9, 12] provide further details of the basic simulation architecture, mathematical models, signal definitions and conventions.
6.2 Flight 1862 Accident Reconstruction and Simulation On October 4, 1992, a Boeing 747-200F freighter, Flight 1862, went down near Amsterdam Schiphol Airport after the separation of both right-wing engines. In an attempt to return to the airport for an emergency landing, the aircraft flew several right-hand circuits in order to lose altitude and to line up with the runway as intended by the crew. During the second line-up, the crew lost control of the aircraft. As a result, the aircraft crashed, 13 km east of the airport, into an eleven-floor apartment building in the Bijlmermeer, a suburb of Amsterdam. Results of the accident investigation, conducted by several organisations including the Netherlands Accident Investigation Bureau [2] and the aircraft manufacturer, were hampered by the fact that the actual extent of the structural damage to the right-wing, due to the loss of both engines, was unknown. The analysis from this investigation concluded that given the performance and controllability of the aircraft after the separation of the engines, a safe landing was highly improbable. In 1997, the division of Control and Simulation of the Faculty of Aerospace Engineering of the Delft University of Technology (DUT), in collaboration with the Netherlands National Aerospace Laboratory NLR, conducted an independent
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
173
analysis of the accident [17, 18]. In contrast to the analysis performed by the Netherlands Accident Investigation Bureau, the parameters of the digital flight data recorder (DFDR) were reconstructed using comprehensive modelling, simulation and visualisation techniques. In this alternative approach, the DFDR pilot control inputs were applied to detailed flight control and aerodynamic models of the accident aircraft. The purpose of the analysis was to acquire an estimate of the actual flying capabilities of the aircraft and to study alternative (unconventional) pilot control strategies for a safe recovery and landing. The application of this technique resulted in a simulation model of the impaired aircraft that could reasonably predict the performance, controllability effects and control surface deflections as observed on the DFDR. The analysis of the reconstructed model of the aircraft, as used for the GARTEUR RECOVER benchmark, indicated that from a flight mechanics point of view, the Flight 1862 accident aircraft was recoverable if unconventional control strategies were used [17, 18].
6.2.1 Sequence of Events The events that led up to the crash of Flight 1862 are described using Fig. 6.3 illustrating the aircraft’s flight trajectory and time of the events. The Flight 1862 accident aircraft was scheduled for a cargo flight to Ben Gurion International Airport, Tel Aviv, with an intermediate stop at Amsterdam Schiphol Airport after a flight from John F. Kennedy International Airport, New York. The flight crew received an air traffic control slot time of 17:20 (UTC) for departure. The aircraft was refueled with 72 metric tons of Jet A1 fuel and was loaded with a total of 114.7 metric tons of cargo. The takeoff gross weight of the aircraft was 338.3 metric tons. At the time of departure, the preferred runways at Amsterdam Schiphol Airport consisted of runway 01L (Zwanenburgbaan) for takeoff and 06 (Kaagbaan) for landing. The aircraft was cleared for push back at 17:04 and taxied out at 17:14 (Fig. 6.1). The first officer was assigned as the pilot flying (PF). The takeoff from runway 01L was started at 17:21 and the aircraft was cleared by air traffic control (ATC) for the Pampus departure. At 17:27.30, while climbing through an altitude of about 6,500 feet, the aircraft encountered a separation of the engines No. 3 and 4. The captain immediately took control of the aircraft. Following the separation of both right-wing engines, the emergency call ”mayday, mayday, mayday, we have an emergency”, was transmitted by the co-pilot. The aircraft started a right turn to return to the airport for an emergency landing. According to eyewitnesses, dumping of the onboard fuel started immediately (Fig. 6.2). Amsterdam Radar confirmed the emergency call and directed the flight during the emergency procedure. After the crew acknowledged their intentions, they were instructed to turn to a westerly heading of 260 degrees. At 17:28.17, the crew reported a fire on engine No. 3 and they indicated a loss of thrust on both engines No. 3 and 4. At 17:28.57, the aircraft was informed that the main runway for landing was runway 06. The wind at that time was coming from a
174
H. Smaili et al.
Fig. 6.1 The Flight 1862 accident aircraft taxiing before takeoff at Amsterdam Schiphol Airport, October 4, 1992 (copyright Werner Fischdick)
Fig. 6.2 The Flight 1862 accident aircraft returning to the airport after separation of the No. 3 and 4 engines (picture: R. Plooy, Diemen)
heading of 40 degrees at 21 knots. The crew of the flight, however, requested the use of runway 27 for landing. Because the aircraft was only 7 miles from the airport at an altitude of 5,000 feet, a straight-in approach was not possible. ATC instructed the crew to a northerly heading of 360 degrees to fly a circuit and to descend to 2,000 feet. By then the wind was coming from a heading of 50 degrees at 22 knots. At 17:31.17, the crew indicated that they needed “12 miles final for landing”. During the transmission of this reply, the crew commenced the selection of flaps 1 for landing. While instructed to turn right to a heading of 100 degrees, the crew reported ”No. 3 and 4 are out and we have problems with the flaps”. After the aircraft
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
175
Fig. 6.3 Flight 1862 ground track showing time (UTC) of events (copyright Google Earth)
was established on a heading of 120 degrees, the crew maintained an indicated airspeed of 260 knots and a gradual descent. ATC cleared Flight 1862 for approach and instructed a westerly heading of 270 degrees to intercept the final approach course. Indicated airspeed remained at about 260 knots at an altitude of 4,000 feet. After the heading instruction from ATC, it took about thirty seconds before the heading change was actually performed. When it became clear that the aircraft was going to overshoot the runway centerline, ATC instructed Flight 1862 to turn to a heading of 290 degrees to intercept the localizer from the south. Twenty seconds later a new heading of 310 degrees was instructed by ATC, along with the clearance to descend to 1,500 feet. At 17:35.03, the crew acknowledged the clearance by reporting “1,500, and we have a controlling problem”. At this point, the DFDR shows that indicated airspeed decreased below 260 knots which appeared to be causing a further significant reduction in controllability. The crew was losing control of the aircraft and approximately 25 seconds later the captain called, ”going down 1862, going down”. During this transmission, the crew tried to recover the aircraft by raising the flaps and by lowering the gear. The stick shaker1 and ground proximity warning system were audible in the background of the transmission. The remaining engines No. 1 and 2 were set at maximum thrust. At 17:35.42, the aircraft impacted in the Amsterdam Bijlmermeer area (Fig. 6.4) at a roll angle of approximately 104 degrees to the right, a load factor of about 2.5g and approximately 70 degrees pitch down. 1
The stick shaker is a component of the aircraft’s Stall Protection System that rapidly vibrates the control column to warn the pilot of an imminent stall.
176
H. Smaili et al.
Fig. 6.4 Impact area of the Flight 1862 accident aircraft (picture: Jos Wiersema)
6.2.2 Analysis of Flight 1862 Following the accident, the digital flight data recorder of the aircraft was found and analysed [2]. This section provides an analysis of the accident flight based on the data as observed on the DFDR. This includes a description of the aircraft’s performance and control capabilities following the separation of the right-wing engines. The results of this analysis are further described in [17, 18]. The Flight 1862 controllability and performance analysis in this Section was used for the validation of the reconstructed aircraft model and the piloted simulator checkout preceding the experimental evaluations in this Action Group (Part IV). 6.2.2.1
Control Capabilities
The aircraft design and certification requirements [3, 4] state that there should be enough controllability to handle a multiple engine failure on one side in order to continue flight. For certification, this requirement has to be demonstrated during flight test up to the so called air minimum control speed or Vmca . This speed is defined as the minimum speed during a failure of the most critical engine at which aircraft control and a fixed heading can be maintained with full rudder and with sufficient lateral control authority to bank 5 degrees into the operating engine(s). The first sign of an engine failure will be a sudden roll (φ ) of the aircraft. If directional control with the rudder pedals is not applied, or with a fixed rudder deflection (δr ), thrust asymmetry will cause the aircraft to yaw. Assuming a right multiple engine failure for the nominal case with no structural wing damage, the resulting yaw
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
177
will create a negative sideslip angle (β ) that creates a positive rolling moment to the right (L¯ β ). Instant control compensation in an engine failure flight condition may consist of applying a rudder pedal input to counteract the yawing moment due to thrust asymmetry (N¯ t ), a control wheel deflection to counteract the rolling moment due to sideslip (L¯ β ) and rudder deflection (L¯ δr ) or applying a thrust reduction on the remaining engines to decrease the yawing moment. For the case of Flight 1862 (Fig. 6.5), the wing damage caused an additional lift loss (Δ Ldamage ) and drag increase (Δ Ddamage ) on the right wing. Because these effects are a function of angle-of-attack, an increase in angle-of-attack will create an additional rolling moment (Δ L¯ damage ) and yawing moment (Δ N¯ damage ) into the direction of the dead engines. This in turn will require more opposite control wheel deflection, especially to counteract bank steepening during manoeuvring. Banking into the dead engines will increase the minimum control speed and therefore reduce the available controllability. The Flight 1862 accident aircraft was designed to have enough rudder authority to keep the control wheel almost neutral with two engines inoperative on one side. This flight condition can be maintained up to the remaining engines set at maximum continuous thrust (MCT) corresponding to an engine pressure ratio (EPR) of 1.35 (MCT/EPR 1.35). Note that maximum continuous thrust is defined as the maximum thrust setting at which the engines may be operated for unlimited time. The engine pressure ratio is used here as a measure for the applied power setting and represents the total pressure ratio across the engine (according to the Flight 1862 DFDR, an EPR of about 1.45 was used as the takeoff thrust setting). For the Flight 1862 case, the DFDR indicates that control wheel deflections between 20 to 60 degrees to the left were needed for lateral control and straight flight (Fig. 6(a)). The aerodynamic effects due to the wing damage and degraded effectiveness of the right-wing inboard aileron required larger left wing down control wheel deflections than in the nominal case. The largest deflection of approximately 60 degrees was required for straight and almost level flight. This condition could only be maintained at full rudder pedal and at high thrust (engine #1 set at EPR 1.56 and engine #2 set at EPR 1.45). As observed on the DFDR data, maximum available rudder was needed during straight flight (constant track angle) to counteract the yawing moment caused by the separated right-wing engines. The traces of the rudder control surface activity as a response to the rudder pedal inputs are shown in Fig. 6(b). In this figure, it can be seen that, between about t=490s and t=790s into the flight, the lower rudder lags the upper rudder when full pedal is applied. The simulation model of the Flight 1862 aircraft, developed during the study in [17, 18], enabled a reconstruction of the DFDR rudder deflections and an analysis of the contribution of their control authority to the aircraft’s control capabilities. By applying the DFDR pilot control inputs to the simulation, taking into account the rudder surface hinge moments and partial loss of hydraulic pressure, rudder deflections could be reconstructed subjected to the effects of calculated aerodynamic blowdown and sideslip. As the cause of the limited lower rudder control authority was unknown [2], the lower rudder deflections, as observed in Fig. 6(b), were approximated in the simulation study in [17, 18] by
178
H. Smaili et al.
Fig. 6.5 Flight 1862 aircraft forces and moments for equilibrium flight with separated rightwing engines and wing damage
6
RECOVER: A Benchmark for Integrated FTFC Evaluation 10 Rudder surface deflection (deg)
Control wheel position (deg)
100
50
0
−50
−100 0
179
200
400 600 Time (sec)
800
(a) DFDR control wheel position (maximum deflection +/- 88 deg)
8 6 4 2 0 −2 −4 0
Upper rudder Lower rudder 200
400 600 Time (sec)
800
(b) DFDR rudder surface deflections
Fig. 6.6 Flight 1862 Digital Flight Data Recorder (DFDR) control wheel and rudder surface deflections
assuming a reduced lower rudder actuator hinge moment as a failure mode showing a reasonable match with the DFDR rudder deflections. 6.2.2.2
Performance Capabilities
The maximum performance capability indicates the climb capability of an aircraft, for the current condition, that is available with constant airspeed. The actual climb rate of the aircraft may not be equal to the maximum climb capability. In this condition the aircraft acceleration is not equal to zero. The maximum performance capability is calculated by differentiation of the aircraft’s specific energy according to the following equation: dH V dV dhe = + ∗ dt dt g dt
(6.1)
Where: dhe dt = rate of change of specific energy (feet/minute) dH dt = altitude or climb rate (feet/minute) V 2 g = acceleration along the flight path (feet/minute ) g= gravitational acceleration (feet/minute2)
V = airspeed along the flight path (feet/minute) The DFDR indicates that the Flight 1862 controllability and performance condition, after separation of the right-wing engines, required engine thrust settings between approximately MCT (EPR 1.3) and overboost thrust (EPR 1.62) (Fig. 6.7). A high thrust setting (engine #1 set at EPR 1.56 and engine #2 set at EPR 1.45) was needed to sustain almost straight and level flight.
H. Smaili et al.
Engine pressure ratio (−)
180
1.6 1.5 1.4 1.3 1.2 1.1 Engine #1 Engine #2
1 0.9 0
200
400 600 Time (sec)
800
Fig. 6.7 Flight 1862 DFDR engine No. 1 and 2 thrust settings
An energy analysis of the flight using the DFDR data [2] indicated that after the separation of the engines, the aircraft had level flight capability at go-around thrust and at an indicated airspeed (IAS) of approximately 270 knots. Maneuvering capabilities were marginal and resulted in a loss of altitude. A normal load of 1.1g, equivalent to 25 degrees of bank, reduced the maximum climb capability to approximately minus 400 feet per minute. At MCT thrust and at an indicated airspeed of approximately 270 knots, maximum climb performance was about minus 350 feet per minute. Below 260 knots, a normal load factor of 1.15g and an angle-of-attack above approximately 8 degrees resulted in significant performance degradation. At an airspeed of 256 knots, a normal load factor of 1.2g (corresponding to about 33 degrees of bank angle) and MCT thrust, maximum climb performance was reduced to minus 2000 feet per minute.
6.2.3 Failure Mode Configuration Fig. 6.8 provides an overview of the sustained damage to the Flight 1862 aircraft’s structure and onboard systems after the separation of both right-wing engines. An analysis of the engine separation dynamics concluded [2] that the sequence was initiated by the detachment of the right inboard engine and pylon (engine No. 3) from the main wing due to a combination of structural overload and metal fatigue in the pylon-wing joint. Following detachment, the analysis shows that the right inboard engine struck the right outboard engine (engine No. 4) in its trajectory while rupturing the right-wing leading edge up to the front spar. The associated loss of hydraulic systems resulted in limited control capabilities due to unavailable control surfaces aggravated by aerodynamic disturbances caused by the right-wing structural damage. The crew of Flight 1862 was confronted with a flight condition that was very different from what they expected based on training. The damage to Flight 1862 resulted in degraded flying qualities that required unconventional (untrained) control strategies and operating procedures to manoeuvre the aircraft. Additionally, the failure mode configuration caused an unknown degradation of the nominal flight
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
181
Fig. 6.8 Failure modes and structural damage configuration of the Flight 1862 accident aircraft, suffering right-wing engine separation, partial loss of hydraulics and change in aerodynamics
envelope of the aircraft in terms of minimum control speed and maneuverability precluding safe operation using the remaining control capabilities. For the heavy aircraft configuration at a weight of 317,460 kg (700,000 lb) and at a relative low indicated airspeed of around 260 knots, the DFDR indicates that flight control was almost lost requiring full rudder pedal, 60 to 70 percent maximum control wheel deflection and a high thrust setting on the remaining engines.
6.2.4 Flight Data Reconstruction and Simulation The DFDR (Fig. 6.9) of the Flight 1862 accident aircraft was recovered in a highly damaged state and the tape was broken in four places. The data used for the Flight 1862 reconstruction was obtained from the Netherlands National Aerospace Laboratory NLR. The quality of the DFDR data, with a sample rate of 1 Hz, was improved by applying several interpolation routines to the original raw data parameters (Table 6.1) for the estimation of missing or damaged parts. During the reconstruction, several repeated revisions and corrections to this data were made, based on engineering judgement, using the original raw data dump. The Flight 1862 reconstruction and simulation is based on a model validation method using inverse simulation [5] (Fig. 6.10). The DFDR pilot control inputs U p are directly applied to the nonlinear simulation model of the aircraft and the flight control system. The response error of the simulation output Xc and measured DFDR
182
H. Smaili et al.
Fig. 6.9 Digital Flight Data Recorder (picture: NTSB) Table 6.1 DFDR parameters used for the Flight 1862 accident reconstruction and simulation Parameter Lapsed time (sec) Vane angle-of-attack (deg) Altitude (feet) Control column position (deg) Control wheel position (deg) EPR engine 1 EPR engine 2 EPR engine 3 EPR engine 4 Flap handle position (deg) Heading (deg) Indicated airspeed (knots) Lateral acceleration (g) Longitudinal acceleration (g) Mach number Pitch angle (deg) Roll angle (deg) Rudder pedal position (deg) Lower rudder deflection (deg) Upper rudder deflection (deg) Stabilizer trim (units) Vertical acceleration (g)
DFDR notation LAPSE AAT ALT CCP CWP EPR1 EPR2 EPR3 EPR4 FLAPH HEAD IAS LATG LONG MACH PITCH ROLL RPP RUDLO RUDUP STAB VERG
data Xm are input to a feedback controller. The output of the feedback controller is a measure of the fidelity of the reconstructed model. The reconstruction method has the advantage that the combined effect of structural and flight control system failures can be visualised using the simulation inputs and outputs. The estimation of the aerodynamic effects due to structural damage caused by engine separation can be performed by adjusting the parameters of an a-priori model structure of the damaged
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
183
Fig. 6.10 Inverse simulation principle for flight data reconstruction [5]
wing until the controller output is minimised. An additional advantage of the method is that the DFDR data, with a low sample rate, can be used directly to excite the simulation model. The Flight 1862 reconstruction and simulation modelling process is illustrated in Fig. 6.11. A proportional feedback controller was used to feed back the DFDR and calculated pitch and roll state error responses to obtain a proof-ofmatch between DFDR measurements and simulation data. Initial reconstruction of the DFDR data was conducted for the departure phase of the undamaged aircraft using the published Flight 1862 weight and configuration. This allowed a validation of the nonlinear baseline aircraft model and reconstruction methodology by means of a proof-of-match with the DFDR data. The additional effects due to engine separation could then be identified for the damaged aircraft in the subsequent flight phases using the model reconstruction process. The example flight parameters, illustrated in Fig. 6.12, show that the applied reconstruction methodology achieves a close match between the DFDR and baseline aircraft model before the separation of the right-wing engines. The effect of wind conditions on the reconstructed data was taken into account by including a wind model in the simulation using meteorological data recorded at the time of the crash. Gust and turbulence effects were not included in the simulation. 6.2.4.1
Model Reconstruction
The amount of structural damage to the Flight 1862 aircraft’s right wing, after the separation of both right-wing engines, is shown in Fig. 6.13. The damage indicated in this figure was estimated by examining wing debris recovered along the flight path of the aircraft. The figure shows that most damage is concentrated in the vicinity of engine No. 3 with smaller damaged parts in the direction of engine No. 4. Based on the reconstructed wing structure, it can be concluded that the right wing was damaged up to the front spar of the leading edge. The figure also indicates that the right inboard aileron and spoiler panels No. 10 and 11 are located behind the most severely damaged wing parts. This condition leads to a reduction of the control effectiveness of these surfaces directly behind the disturbed flow causing a further reduction of lateral control capabilities.
184
H. Smaili et al.
Fig. 6.11 Flight 1862 reconstruction and simulation modelling setup [17]
A similar incident in 1993, in which a Boeing 747 freighter (Flight 46E) lost its left inboard engine [16], substantiates the amount of structural damage most probably incurred by the Flight 1862 accident aircraft (Fig. 6.14). In the 1993 incident, the flight crew managed to recover the aircraft and conduct an emergency landing despite the severe performance and controllability problems caused by the separated engine. The Flight 46E control and performance capabilities were representative of those encountered on Flight 1862. Ref. [16] shows that the pilot required up to full right rudder pedal, approximately 60 degrees of right wing down control wheel deflection and overboost thrust on engine No. 1 to control the aircraft towards a survivable landing. The aerodynamic effects due to engine separation and structural wing damage were estimated using the Flight 1862 reconstruction and simulation modelling process as illustrated in Fig. 6.11. The reconstructed aerodynamic effects were added as contributions to the baseline aerodynamic coefficient equations of the validated undamaged aircraft model. An initial estimation of the aerodynamic drag effects of a partially damaged wing, having the most significant impact on aircraft performance, was done using literature wind-tunnel data for a representative wing having a cut-out, up to the front spar, at mid-span [17]. The loss of lift as a function of angle-of-attack, caused by the damaged wing, is based on Boeing wind-tunnel data. Additional effects were estimated to take into account the contribution of the separated right-wing engines and leading edge structural damage to the aircraft’s pitching moment and control effectiveness of the right-wing inboard aileron and spoilers.
6
RECOVER: A Benchmark for Integrated FTFC Evaluation 300
Altitude (feet)
6000
4000
2000 DFDR Simulation 100
150
200 250 Time (s)
300
Indicated airspeed (knots)
8000
0 50
200
150 DFDR Simulation 100
150
200 250 Time (s)
300
350
(b) DFDR and reconstructed indicated airspeed
30
15 Pitch angle (deg)
Roll angle (deg)
250
100 50
350
(a) DFDR and reconstructed altitude
20 10 0 −10 −20 50
185
DFDR Simulation 100
150
200 250 Time (s)
300
5
0 50
350
(c) DFDR and reconstructed roll angle
10
DFDR Simulation 100
150
200 250 Time (s)
300
350
(d) DFDR and reconstructed pitch angle
Control wheel position (deg)
20 10 0 −10 −20 DFDR Simulation
−30 50
100
150
200 250 Time (s)
300
350
(e) DFDR and reconstructed control wheel position
Control column position (deg)
5 30
4 3 2 1 0 −1 DFDR Simulation
−2 −3 50
100
150
200 250 Time (s)
300
350
(f) DFDR and reconstructed control column position
Fig. 6.12 Validation of the unfailed nonlinear baseline aircraft model and DFDR reconstruction methodology for the Flight 1862 departure phase (t=47-371s)
186
H. Smaili et al.
Fig. 6.13 Flight 1862 estimated right-wing structural damage configuration (black and shaded parts indicating loss of leading edge structure)
Fig. 6.14 Structural wing damage due to separation of engine No. 2, Evergreen Boeing 747121, Anchorage, 1993 [16]
The applied reconstruction methodology, as shown in Fig. 6.11, allows an iterative adjustment of the initial aerodynamic estimates in an a-priori model structure, that accounts for the overall effect of the separated right-wing engines, to obtain a match with the DFDR data. The objective of the simulation tuning process was to closely match the Flight 1862 trends in performance and control capabilities as provided by the DFDR throughout the different flight phases. Fig. 15(a), 15(b), 15(c) and 15(d) illustrate the effects of the estimated rightwing damage aerodynamic contributions on example reconstructed model inputs and outputs for the flight stage between t=378s and t=647s. It can be seen that, under the prevailing flight conditions, a reasonable match between the DFDR and
RECOVER: A Benchmark for Integrated FTFC Evaluation
Control wheel position (deg)
100
DFDR Simulation
50
0
−50
−100
400
450
500 550 Time (s)
600
650
0
−50
−100
40
20
20
−20 DFDR Simulation
−40 400
450
500 550 Time (s)
600
650
(c) Reconstructed roll angle without aerodynamic estimates
400
450
500 550 Time (s)
600
650
(b) Reconstructed control wheel position including aerodynamic estimates
40
0
DFDR Simulation
50
Roll angle (deg)
Roll angle (deg)
(a) Reconstructed control wheel position without aerodynamic estimates
187
100 Control wheel position (deg)
6
0
−20 DFDR Simulation
−40 400
450
500 550 Time (s)
600
650
(d) Reconstructed roll angle including aerodynamic estimates
Fig. 6.15 Effect of estimated aerodynamic contributions due to right-wing engine separation on reconstructed control wheel deflection and roll angle (t=378-647s)
reconstructed control wheel deflection (Fig. 15(a) and 15(b)) and roll angle (Fig. 15(c) and 15(d)) can be achieved. Fig. 16(a) shows the estimated amount of aerodynamic drag increase, due to the loss of the right-wing engines, obtained by reconstruction of the DFDR aircraft performance capabilities [17]. The shown reconstructed DFDR data includes the flight segment up to the loss of control and with the inboard trailing edge flaps extended to the flaps 1 detent. The figure indicates that, for the amount of right-wing leading edge structural damage as shown in Fig. 6.13, a drag increase of about 10 percent at low angle-of-attack may be expected as compared to the unfailed case. At higher angle-of-attack, local flow separation at the right-wing damaged section (mid-span) occurs, resulting in a rapid increase of drag of about 20 to 30 percent. This effect resulted in a significant reduction of the aircraft’s maximum climb capability down to approximately minus 1500-2000 feet/min, as observed on the DFDR, and can be predicted well by the reconstructed model as shown in Fig. 16(b). The reduced control authority of the damaged aircraft was insufficient to recover from the significant performance degradation using the remaining engines as shown in Fig. 6.16 for both the DFDR data and reconstructed model. Post-accident visualisation of the
188
H. Smaili et al.
Flight 1862 loss of control sequence using the DFDR data is shown in Fig. 6.17 illustrating the relevant flight parameters as reconstructed by the simulation model. Further validation and analysis results of the baseline aircraft model and Flight 1862 DFDR reconstruction can be obtained from [17, 18]. 6.2.4.2
Simulation Analysis and Piloted Validation
A simulation analysis and piloted validation of the reconstructed Flight 1862 aircraft model was performed to demonstrate the flight mechanical capabilities of the damaged aircraft as a guidance for the FTFC control design teams in this Action Group. Additionally, the analysis provided a reference for the definition of the benchmark’s operational assessment criteria and flight envelope limitations (Chapter 7). Fig. 18(a) indicates the estimated performance capabilities of the Flight 1862 accident aircraft, after separation of both right-wing engines, as a function of thrust and aircraft weight [17, 18]. The reconstructed model indicates that in these conditions and at a heavy weight of 317,460 kg (700,000 lb), level flight capability was available between maximum continuous thrust (MCT) and take-off/go-around thrust (TOGA). At or above approximately TOGA thrust, the aircraft had limited climb capabilities. The required control wheel deflections, or lateral control margins, as a function of thrust and weight are indicated in Fig. 18(b). It can be seen that adequate lateral control capabilities remained available to achieve the estimated performance capabilities as shown in Fig. 18(a). Fig. 18(a) and 18(b) indicate a significant improvement in performance capabilities and lateral control margins when a weight reduction up to 261,972 kg (577,648 lb) achieved by fuel jettison is assumed [17]. In general, the analysis shows that aircraft performance, following the separation of both right-wing engines, remains sufficient to continue stabilised flight in preparation for an emergency landing or further weight reduction by means of fuel jettison. The Flight 1862 simulation predicts sufficient performance and controllability, after the separation of the right-wing engines, to fly a low-drag/low power approach profile at a higher than nominal glide slope angle of about 3.5 degrees for a highspeed landing or ditch at an airspeed of 200/210kts and at a lower weight of 261,972 kg (577,648 lb) (Fig. 18(c)). Note again that this weight could have been obtained by jettisoning more fuel. The lower thrust requirement for this approach profile results in a further improvement of lateral control margins that are adequate to compensate for additional thrust variations (Fig. 18(d)). The above data was obtained by calculating a stabilised (trimmed) flight condition for the reconstructed nonlinear damaged aircraft model in the conditions as specified by the Flight 1862 DFDR. Results from piloted validation, as part of the simulator checkout prior to the Action Group’s experimental campaign (Part IV), generally confirm the performance and control capabilities as observed on the DFDR and found during the offline analyses. Fig. 6.19 and 6.20 provide simulator data for the validation of the loss of control sequence and predicted gliding capabilities of the damaged aircraft. For the validation, the pilot was briefed to try to maintain above 260 knots for stabilised flight and to set the flaps to the first detent
RECOVER: A Benchmark for Integrated FTFC Evaluation
Airplane drag coefficient (−)
0.1
Nominal airplane drag Flight 1862 airplane drag
0.08
0.06
0.04
0.02 650
700
750 800 Time (s)
850
(a) Estimated aerodynamic drag increase due to loss of right-wing engines
Maximum climb capability (feet/min*1000)
6
Indicated airspeed (knots)
Altitude (feet)
3000 2000 1000 DFDR Simulation 700
750 800 Time (s)
40 20
750 800 Time (s)
850
750 800 Time (s)
850
750 800 Time (s)
850
750 800 Time (s)
850
DFDR Simulation
280 260 240 220 700
−10 −20 −30
50
0
−50
750 800 Time (s)
850
(g) DFDR and reconstructed control wheel position
DFDR Simulation 700
(f) DFDR and reconstructed pitch angle Control column position (deg)
Control wheel position (deg)
DFDR Simulation
700
750 800 Time (s)
300
−50 650
850
(e) DFDR and reconstructed roll angle
−100 650
320
−40
0 700
700
0
60
100
−3 650
10
DFDR Simulation
80
−20 650
−2
(d) DFDR and reconstructed indicated airspeed
Pitch angle (deg)
Roll angle (deg)
100
−1
200 650
850
(c) DFDR and reconstructed altitude
120
0
340
4000
DFDR Simulation
(b) DFDR and reconstructed maximum climb capability
5000
0 650
1
189
10
DFDR Simulation
5
0
−5 650
700
(h) DFDR and reconstructed control column position
Fig. 6.16 DFDR and reconstructed flight parameters of the Flight 1862 final stage of flight up to the loss of control (inboard trailing edge flaps 1, t=648-874s)
190
H. Smaili et al.
(a) t=815s: Maximum climb capability: -1500 feet/min, Control wheel deflection: 60 deg left, Angle-of-attack: 6.5 deg, MCT thrust
(b) t=855s: Maximum climb capability: -700 feet/min, Control wheel deflection: 88 deg full left, Angle-of-attack: 7.5 deg, Takeoff/Go-around thrust
(c) t=874s: Control wheel deflection: 88 deg full left, Angle-ofattack: 12 deg, Maximum thrust
Fig. 6.17 Post-accident visualisation of the Flight 1862 DFDR data illustrating loss of control sequence and relevant flight parameters as reconstructed by the simulation model (NLR)
RECOVER: A Benchmark for Integrated FTFC Evaluation
1.5
317,460 kg (700,000 lb) 261,972 kg (577,648 lb)
Control wheel position (deg)
Maximum climb capability (feet/min*1000)
6
1
0.5
0
−0.5 1
MCT 1.1
TOGA
1.2 1.3 1.4 1.5 EPR engines #1 & #2 (−)
−60 MCT
−4 −5 −6
180 190 200 210 Indicated airspeed (knots)
220
(c) Effect of indicated airspeed and weight on glide slope angle for simulated lowdrag/low power approach profile
1.1
TOGA
1.2 1.3 1.4 1.5 EPR engines #1 & #2 (−)
1.6
(b) Effect of engine thrust and weight on control wheel position for straight flight at 260kts
Control wheel position (deg)
Glide slope angle (deg)
−40
100
317,460 kg (700,000 lb) 261,972 kg (577,648 lb)
170
−20
1
1.6
−3
−7 160
317,460 kg (700,000 lb) 261,972 kg (577,648 lb)
−80
(a) Effect of engine thrust and weight on maximum climb performance for straight flight at 260kts −2
0
191
317,460 kg (700,000 lb) 261,972 kg (577,648 lb)
50
0
−50
−100 −7
−6
−5 −4 −3 Glide slope angle (deg)
−2
(d) Effect of glide slope angle and weight on control wheel position for simulated low-drag/low power approach profile
Fig. 6.18 Flight 1862 estimated aircraft performance, lateral control and gliding capabilities following the separation of the right-wing engines (inboard trailing edge flaps 1, full rudder pedal)
(flaps 1) for approach according to the DFDR. For the engine separation scenario, the simulator data confirms that larger control wheel deflections are required when airspeed reduces or load factor increases. After the failure, a moderate climb requires takeoff/go-around thrust (EPR 1.45-1.5) on the remaining engines No. 1 and 2, further control wheel deflections between approximately 40 and 60 degrees to the left and full rudder pedal for straight flight. The climb capability in these conditions is between approximately 200-500 feet/min. For the current aircraft configuration, loss of flight control (Fig. 6.19) occurs at around 260kts while the aircraft is in a 30 degrees bank turn and the engines set at maximum continuous thrust. The resulting climb capability is reduced to approximately minus 1,000-1,500 feet/min prior to the loss of control. Fig. 6.20 provides a validation of the offline predicted gliding capabilities of the damaged aircraft. The data shows that at almost idle thrust,
192
H. Smaili et al. 310
Indicated airspeed (knots)
Altitude (feet)
2000 1500 1000 500 0 0
50
100
150 200 Time (sec)
250
300
300 290 280 270 260 250 240 230 0
350
(a) Altitude
50
100
150 200 Time (sec)
250
300
350
300
350
300
350
(b) Indicated airspeed
50
8
Angle−of−attack (deg)
Roll angle (deg)
40 30 20 10 0 −10
6
4
2
−20 −30 0
50
100
150 200 Time (sec)
250
300
0 0
350
50
Engine pressure ratio (−)
1.6 1.5 1.4 1.3 1.2 1.1 1 0
50
100
150 200 Time (sec)
250
300
350
150 200 Time (sec)
250
150 200 Time (sec)
250
0
−1
−2
−3 0
50
100
(f) Maximum climb capability 14
Rudder pedal position (deg)
100
Control wheel position (deg)
250
1
(e) Engine #1 and #2 EPR
50
0
−50
−100 0
150 200 Time (sec)
(d) Angle-of-attack Maximum climb capability (feet/min * 1000)
(c) Roll angle
100
50
100
150 200 Time (sec)
250
300
(g) Control wheel position
350
12 10 8 6 4 2 0 0
50
100
300
350
(h) Rudder pedal position
Fig. 6.19 Piloted simulator validation of aircraft loss of control sequence for engine separation failure mode occurring at t=150s (Flight 1862 scenario)
RECOVER: A Benchmark for Integrated FTFC Evaluation
Indicated airspeed (knots)
6
Altitude (feet)
2000 1500 1000 500 0 0
100
200
300 400 Time (sec)
500
300
280
260
240
220 0
600
50
3
40
2
30 20 10 0 −10 −20 200
300 400 Time (sec)
500
600
300 400 Time (sec)
500
600
300 400 Time (sec)
500
600
300 400 Time (sec)
500
0
−2 −3
−5 0
600
1.5 1.4 1.3 1.2 1.1 100
200
300 400 Time (sec)
100
200
(d) Flight path angle
500
600
Maximum climb capability (feet/min * 1000)
Engine pressure ratio (−)
500
−1
1
0
−1
−2
−3 0
(e) Engine #1 and #2 EPR
100
200
(f) Maximum climb capability 14
Rudder pedal position (deg)
100
Control wheel position (deg)
300 400 Time (sec)
−4 100
1.6
50
0
−50
−100 0
200
1
(c) Roll angle
1 0
100
(b) Indicated airspeed
Flight path angle (deg)
Roll angle (deg)
(a) Altitude
−30 0
193
100
200
300 400 Time (sec)
500
(g) Control wheel position
600
12 10 8 6 4 2 0 0
100
200
600
(h) Rudder pedal position
Fig. 6.20 Piloted simulator validation of aircraft gliding capabilities for engine separation failure mode occurring at t=215s (Flight 1862 scenario)
194
H. Smaili et al.
stabilised flight is maintained while decelerating along a 3-4 degrees glide slope requiring control wheel deflections between neutral and 20 degrees to the right. The estimated control capabilities of the Flight 1862 aircraft only satisfy a part of the critical requirements for survivability and safe operation of a damaged aircraft. Additional operational requirements include knowledge concerning the aircraft’s limited operating envelope following a failure or damage, information on the configuration of the damaged aircraft and piloting skills.
6.3 GARTEUR RECOVER Benchmark For the (real-time) assessment of new fault tolerant flight control techniques, as performed in this Action Group, a simulation benchmark was developed based on the reconstructed and validated Flight 1862 aircraft model. The basic architecture of the GARTEUR REconfigurable COntrol for Vehicle Emergency Return (RECOVER) simulation benchmark is based on the Delft University Aircraft Simulation and Analysis Tool DASMAT [12]. The DASMAT package was developed by the Delft University of Technology in order to meet the requirements for computer assisted R R /Simulink and the evaluation of flight control sysdesign (CAD) using Matlab tems. The DASMAT tool was further enhanced with a full nonlinear simulation of the Boeing 747-100/200 aircraft and its hydro-mechanical flight control system (Flightlab747/ FTLAB747) for the Flight 1862 accident study conducted by Delft University [17, 18]. The simulation environment was subsequently utilised and further enhanced as a realistic platform for the evaluation of fault detection and fault tolerant control schemes within other research programmes [14, 15].
6.3.1 Description The GARTEUR RECOVER software package is equipped with several simulation and analysis tools, all centered around a generic nonlinear aircraft model for sixdegrees-of-freedom nonlinear aircraft simulations. For high performance computation and visualisation capabilities, the package has been integrated as a toolbox R R /Simulink . The tools of the RECOVER in the computing environment Matlab benchmark include trimming and linearisation for (adaptive) flight control law design, nonlinear off-line (interactive) simulations, simulation data analysis and flight trajectory and pilot interface visualisations. Customisation of the RECOVER software by applying user-generated models to the generic package is possible for the simulation of any specific aircraft type or fault scenario. In conjunction with the R R R /Simulink Real-Time Workshop , the benchmark model is suitable for Matlab integration on simulation platforms for piloted hardware in the loop testing. The GARTEUR RECOVER benchmark provides enhanced graphical and high resolution aircraft visualisation capabilities supporting tool-based advanced control system design and evaluation. This includes, for instance, the replay and animation of offline (or piloted) simulation data, the visualisation of fault or aircraft upset recovery scenarios or analysis of flight control system states and performance.
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
195
Fig. 6.21 GARTEUR RECOVER benchmark software architecture and tools
Additionally, the capabilities of the software are suitable for any educational or demonstration purposes providing insight into the design of advanced flight control algorithms, aircraft flight dynamics and handling qualities and human factors interfaces. The software architecture of the RECOVER simulation benchmark (Fig. 6.21) comprises a generic aircraft model and aircraft specific modules including aerodynamics, flight control system and engines. The baseline flight control system model reflects the hydro-mechanical system architecture of the Boeing 747-100/200
196
H. Smaili et al.
(a) Original benchmark model with classic controller and pilot control inputs
(b) RECOVER benchmark model with modern controller and control surface inputs Fig. 6.22 Adaptation of original benchmark model for simulation of ’fly-by-wire’ aircraft
aircraft [1, 8]. All modelled control surfaces are subjected to aerodynamic effects and mechanical (rate) limits throughout the flight envelope to account for actuator force limitations and control surface floating in the case of (multiple) hydraulic system failures. Through the graphical user interface (Section 6.3.4), the user has access to the RECOVER benchmark simulation and analysis tools. The original aircraft model of the RECOVER benchmark [15, 17] was based on the classical Boeing 747-100/200 aircraft with a hydro-mechanical flight control system (Fig. 22(a)) and with the pilot cockpit controls as inputs. For the research goals in this Action Group, a ’fly-by-wire’ version of the Boeing 747-100/200 aircraft was created where all twenty-six aerodynamic control surfaces and four engines can be controlled individually. This allows new fault tolerant flight control designs, as developed in this Action Group, to have the capability to completely reconfigure the utilisation of the available flight control effectors (Fig. 22(b)). Fig. 6.23 illustrates a schematic overview of the GARTEUR RECOVER benchmark including relationships between the different model components of the benchmark. The basic aircraft model contains airframe, actuator, engine and turbulence models and is represented by the outline in the diagram designated as B747 model. As described above, the input of this model was initially based on the pilot’s control inputs, which have a fixed linkage to the control surfaces. To control the surfaces separately, as required for the reconfigurable control algorithms, the Pilot controls
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
197
Fig. 6.23 Detailed schematic of the GARTEUR RECOVER benchmark showing model component relationships including test manoeuvre and failure scenario generation and fault injection
to actuators block is separated from the baseline aircraft model. A basic classical controller is available in the benchmark, based on the Boeing 747 classic autopilot including autothrottle, to serve as a reference for new adaptive control algorithm designs. Any newly designed FTFC controller, to be evaluated with the benchmark model, is meant to replace the classic autopilot and autothrottle and should drive the separate control surfaces directly. This is indicated in the diagram by the outline called Modern Controller. In order to operate the benchmark, a scenario and failure mode generator is added. The scenario consists of commands fed into the autopilot and autothrottle, while the failures are directly introduced into the airframe, flight R R /Simulink Goto/From blocks control system and propulsion models via Matlab as indicated by the broken lines.
6.3.2 Implementation The GARTEUR RECOVER benchmark model consists of a combination of R R Matlab scripts and Simulink block diagrams. In order to ensure consistency, the top-level models have been built from common blocks that are linked to libraries. All blocks and libraries are contained in the root directory of the benchmark called R version 6.5.1). ’RECOVERv65’ (extension ’v65’ referring to the current Matlab A basic library (B747 library.mdl) contains the basic aircraft, engine and actuator models, complete with failure models (Fig. 6.24). For the purpose of the GARTEUR applications, an additional library was developed (ag16 library.mdl), based on the basic library, that contains the larger and more extensively modified sub-models out of which the top-level benchmark is built (Fig. 6.25). This extended
198
Fig. 6.24 GARTEUR RECOVER (B747 library.mdl)
H. Smaili et al.
benchmark
basic
aircraft
simulation
library
library contains models of the aircraft, the actuators, the sensors, the classic flight control system and the benchmark failure generator. The actual benchmark model (b747 auto g.mdl) is depicted in Fig. 6.26. The most important block is airframe which is the combination of the aircraft aerodynamic model, engines and actuators. It also contains the fault models and the turbulence and wind models. The inputs to this block are twenty-six separately controllable aerodynamic surfaces and four engine controls. The autoflight block represents the implementation of the classic Boeing 747-100/200 autoflight system based on [11]. This is the block that is to be replaced by any new FTFC controller design and is intended as a working example of how the new controller is supposed to fit into the aircraft. The classic autoflight system block consists internally of the B747-100/200 hydro-mechanical flight control system model (FCS) which forms the inner control loop and the autopilot and autothrottle systems, which together form the outer control loop. It is important to note that in the actual aircraft the autoflight block is driven by switches and dials operated by the pilot. The pilot can independently select a pitch mode and a roll mode and an autothrottle setting. The pitch mode is used to control the aircraft in the vertical plane (up and down) and the roll mode is used to control the aircraft in the horizontal plane (left and right). The autothrottle in the classical autoflight system is needed to keep the airspeed at a constant reference value during manoeuvres in the vertical and horizontal plane (advanced flight control concepts, such as Multi-Input Multi-Output (MIMO) controllers, do not necessarily use thrust
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
199
Fig. 6.25 GARTEUR RECOVER benchmark component library (ag16 library.mdl)
Fig. 6.26 GARTEUR (b747 auto g.mdl)
RECOVER
benchmark
main
model
components
to control airspeed). In the benchmark, the pilot commands are replaced by signals generated by the benchmark scenario generator. A new FTFC controller is not required to work in independent axes like the classical autopilot controller; however, it should be able to accept the same commands.
200
H. Smaili et al.
The Test Scenarios block uses two pitch modes: altitude select and landing (glideslope) and three roll modes: bank angle command, heading select and landing (localizer). The Standard Sensors block represents three standard sensor systems that are available in a modern aircraft, i.e. an Inertial Reference System (IRS), an Air Data Computer (ADC) and an Instrument Landing System (ILS) receiver. The ILS model in this block generates the glideslope deviation angle, the localiser deviation angle and the distance to the threshold. Since the ILS signals have a limited coverage area, ’glideslope valid’ and ’localizer valid’ signals are available to determine when the ILS is in range. The Standard Sensors block also contains realistic measurement noise levels for these sensors. Since the classic Boeing 747-100/200 autoflight system [11] did not exactly use the standard sensors, there is a dedicated measurements block (B747 Sensors) for this purpose. It should be noted that there is not more information in these measurements than in the Standard Sensors block, so any new controller should not use the B747 Sensors block. The Failure Generator block activates any failure mode, as currently implemented and described in Section 6.3.3.2, that is selected by the user during the benchmark initialisation and trim procedure (Section 6.3.6). For the Flight 1862 scenario, all reconstructed failure modes associated with the physical loss of the two right-wing engines (Fig. 6.8) are activated. The time delay after which a failure mode is activated during any simulation can be customised in this block. For interactive (manual) simulation purposes, an open loop simulation model (b747 funpc d.mdl) is available (Fig. 6.27). It contains the same aircraft, engine and actuator model as the benchmark. Also the failure generator is exactly the same. The RECOVER open loop model is in a functional form, i.e. it has explicit inputs (12) and outputs (140). The inputs basically consist of the pilot’s controls as found on the Boeing 747 flight deck. The structure of this model is very similar to the model that is used for trimming (b747 trim d.mdl).
6.3.3 Fault Scenarios Specification For the specification of the GARTEUR RECOVER benchmark fault scenarios, the Action Group conducted a survey to identify commonly encountered failure modes and damage to large transport aircraft. There was a contribution from Airbus to this study, which ensured that the studied problems are indeed practical. The other part of this study was an aircraft loss of control analysis based on accident and incident databases. The selected fault scenarios from this analysis have proven to be critical in recent accident and incident cases and represent a combination of structural damage and stuck or erroneous control surfaces. An additional requirement for the selection of the fault scenarios was the availability of sufficient information or flight test data for the modelling and validation of the failure modes. The final result of the study was a recommendation for a list of standard faults to be studied, a standard flight scenario and a set of operational assessment criteria (Chapter 7).
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
Fig. 6.27 GARTEUR RECOVER (b747 funpc d.mdl)
6.3.3.1
functional
model
for
201
open
loop
simulation
Flight Scenario
The geometry of the GARTEUR RECOVER benchmark flight scenario is roughly modelled after the Flight 1862 accident profile (Fig. 6.28). The scenario consists of a number of phases. First, it starts with a short section of normal flight, after which the fault occurs, which is in turn followed by a recovery phase. If this recovery is successful, the aircraft should again be in a stable flight condition, although not necessarily at the original altitude and heading. After recovery, an optional identification phase is introduced during which the flying capabilities of the aircraft can be assessed. This allows for a complete parameter identification of the model of the damaged aircraft as well as the identification of the safe flight envelope. Hopefully, the knowledge gained during this identification phase can be used by the controller to improve the chances for a safe landing. In principle, the flight control system is now reconfigured to allow safe flight within the identified limited operating boundaries. The performance of the reconfigured aircraft is subsequently assessed in a series of five flight phases. These consist of straight and level flight, a right-hand turn to a course intercepting the localizer, localizer intercept, glideslope intercept and the final approach. During the final approach phase, the aircraft is subjected to a sudden lateral displacement just before the threshold, which simulates the effect of a low altitude windshear. The landing itself is not part of the benchmark, because a realistic aerodynamic model of the damaged aircraft with ground effect is not
202
H. Smaili et al.
Fig. 6.28 GARTEUR RECOVER benchmark flight scenario for qualification of fault tolerant flight control systems for safe landing of a damaged large transport aircraft (source: Jerome Cieslak / IMS-Bordeaux)
available. However, it is assumed that if the aircraft is brought to the threshold in a stable condition, the pilot would be able to take care of the final flare and landing (taking into account any operational limitations of the damaged aircraft). The RECOVER benchmark scenario and in particular the definition of the fault tolerant flight control assessment criteria are further elaborated in Chapter 7. The Table 6.2 summarises the test scenario phases that can be selected in the benchmark. The aircraft is trimmed to the required steady initial condition for each of the test scenarios. If the previous test was unsuccessful, the next test can be executed anyway. The user should transfer any control reconfiguration scheme and any other built-up knowledge about the state of the aircraft from one test scenario to the next. 6.3.3.2
Fault Cases and Models
A description of the selected fault cases and their effect on the aircraft handling qualities is shown in Table 6.3. Although the first four failure modes in the table are serious, it might be expected that continued flight to the original destination would be possible. That is not true for the last two fault cases which are extremely serious and where a landing at the nearest airport becomes very critical. The next to last case is directionally unstable due to the loss of the vertical tail and rudder controls. It is similar to aircraft accident cases in which a loss of the vertical tail occurred (e.g. JAL Flight 123), although it is not intended to be an accurate representation. The last fault case is an accurate representation of the Flight 1862 accident case as described in this Chapter. In this case, the aircraft is not unstable, but handling
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
203
Table 6.2 GARTEUR RECOVER benchmark test scenario phases Test scenario 0
1
2
3
4
-1
Name
Description
Failure event
This is the test phase during which the failure is supposed to occur first. It is scheduled to occur after 5 seconds of normal steady flight. The main task of the control system is to recover from any adverse flight situation and to regain steady flight in an arbitrary (safe) flight condition. Straight flight This is the first assessment test of the recovered aircraft. It is primarily to show that a trimmed condition can be maintained. Right turn and localizer inter- This is the second assessment test to show that cept the aircraft can be safely manoeuvred in the horizontal plane so that the aircraft is lined up for landing. Glideslope intercept This is the third assessment test to show that the aircraft can be safely manoeuvred in the vertical plane so that a landing can be made. Final approach with sidestep This is the fourth assessment test to show that the aircraft can recover from an additional disturbance very close to the runway. Parameter identification (user This is an optional test that can be freely used supplied) by the developer for purposes like determining a new dynamic model of the failed aircraft or a safe flight envelope. It is supposed to occur after the failure event, but before any of the test scenarios, so that any obtained results could be used in these scenarios.
qualities are degraded and the flight envelope is severely limited. In the last two cases, it cannot be expected that the aircraft will be able to follow the reference trajectory closely. The benchmark assessment criteria have been designed to take this into account by emphasising end conditions in the specifications (Chapter 7). Appendix 1 of Chapter 17 shows a complete overview of the failure mode test matrix for the (piloted) evaluation of the FTFC methods indicating available means of flight control reconfiguration and assessment criteria. Fig. 6.29, 6.30, 6.31, 6.32 and 6.33 illustrate how the selected fault cases are modR R /Simulink RECOVER benchmark model. elled and implemented in the Matlab As an example, Fig. 6.29 shows the model for the rudder failure modes, including the rudder hardover and vertical tail loss fault cases. The first part of the rudder failure model implements fault case #4 (Table 6.3) which is the rudder runaway or rudder hardover failure mode. In this failure mode, the rudder surfaces are deflected
204
H. Smaili et al.
Table 6.3 GARTEUR RECOVER benchmark standard fault cases and effect on aircraft handling qualities Failure Name Description mode 0 No failure Baseline undamaged aircraft 1 Stuck elevators All elevator surfaces are stuck in a faulty position with a downward offset from trim of 3 degrees. 2 Stuck aileron All aileron surfaces are stuck in a faulty position with a downward offset from trim of 3 degrees. 3 Stabiliser run- The stabiliser surface moves away quickly to a downward offset from trim of 2 degrees. 4 Rudder run- All rudder surfaces move away quickly to the left aerodynamic blowdown deflection limit. Maximum rudder deflection is speed dependent. 5 Stuck ele- As failure mode #1 with turbuvators (with lence and wind turbulence) 6 Stuck aileron As failure mode #2 with turbu(with turbu- lence and wind lence) 7 Stabiliser run- As failure mode #3 with turbuaway (with tur- lence and wind bulence) 8 Rudder run- As failure mode #4 with turbuaway (with lence and wind turbulence) 9 Loss of vertical Rudder control surfaces not tail available 10
Flight 1862 case (dynamic method)
11
Flight 1862 case (static method)
Effect on aircraft
Criticality
Sustained pitch Major down moment
Reduction of lat- Major eral control effectiveness Sustained pitch Catastrophic down moment Sustained left yaw- Catastrophic ing moment
Loss of all damping Catastrophic in the roll and yaw axes Separation of right-wing en- Loss of lateral Catastrophic gines #3 and #4 control margins and effectiveness, sustained right rolling moment, sustained pitch down moment, reduction of aircraft performance capabilities As failure mode #10. Allows comparison with the original Flight 1862 failure model. Implemented using values in masked entries and cannot be used for test scenario #1, which requires a failure to occur at t=5s.
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
205
Fig. 6.29 Rudder fault model including rudder hardover and vertical tail loss failure modes
to the maximum left aerodynamic blowdown limit, which is dependent on airspeed (at 270kts the maximum rudder deflection is about 15 deg while at 165kts the rudder is deflected to a maximum of 25 deg). The flag failure4 for the rudder hardover failure mode is generated by the benchmark failure generator and enters the diagram via a From block. The model first holds the current value of the rudder surface and then adds a constant value via an offset (currently set to zero) and a positive ramp. The ramp is set at the published maximum B747-100/200 rudder deflection rate. The second part of the rudder failure model implements fault case #9 which is the loss of the vertical tail. The vertical tail loss is approximated by assuming that there is no rudder and therefore the effect of the rudder is made equal to zero. The other models for the control surface fault cases are very similar and are shown in Fig. 6.30, 6.31 and 6.32. The Flight 1862 scenario is the most complicated failure mode implemented in the benchmark and consists of a combination of both hydraulic system and structural failure modes. The separation of both right-wing engines will result in a loss of hydraulic systems No. 3 and 4 and a loss of control surfaces according to the B747-100/200 hydraulic systems architecture as described in Ref. [1]. Additional effects on the weight and balance of the aircraft, including a lateral shift of the center-of-gravity and an estimated weight loss due to the missing engines, are taken into account. The aerodynamic effects due to the loss of the right-wing engines, estimated using the Flight 1862 DFDR data, are calculated in a separate model (Fig. 6.33) and added as contributions to the baseline aerodynamic coefficients.
206
H. Smaili et al.
Fig. 6.30 Elevator fault model including stuck elevator failure mode
Fig. 6.31 Aileron fault model including stuck aileron failure mode
6.3.4 Graphical User Interface R The GARTEUR RECOVER benchmark is operated via a Matlab graphical user interface (Fig. 6.34) from which the different benchmark tools may be selected. The user options in the main menu are divided into three main sections allowing benchmark initialisation and simulations to be performed, run the analysis tools and opening the user manual for reference purposes. A typical evaluation of a designed control algorithm (Section 6.3.6) will start with the initialisation of an open loop or closed loop simulation including the calculation of the trim condition and selection of test scenario and fault case. This is done via the Open-Loop Simulation
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
207
Fig. 6.32 Stabiliser fault model including stabiliser runaway failure mode
Fig. 6.33 Fault model including estimated aerodynamic effects due to separation of the rightwing engines No. 3 and 4 (Flight 1862 scenario)
208
H. Smaili et al.
Fig. 6.34 GARTEUR RECOVER benchmark main menu
or Closed-Loop Simulation button. The closed loop simulation is conducted with the preset benchmark test scenarios as defined in Table 6.3. Following simulation (open loop, closed loop or via manually controlled inputs in the open loop functional model (Fig. 6.27)), the performance of the designed control algorithms can be evaluated by running the benchmark assessment criteria (Show Assessment Criteria button). Additional time responses of the aircraft states following a simulation can be generated using the plot sim.m script via the Plot Simulation Results button. For control law design purposes, the nonlinear aircraft model can be linearised using an integrated linearisation routine (Linearise Aircraft button). This routine allows a linear model of the aircraft to be obtained with thirty control inputs consisting of all control surfaces and engine thrust settings. A visualisation tool (Section 6.3.5) is integrated with the benchmark for aircraft manoeuvre and trajectory analysis or interactive (real-time) simulations and can be selected using the Recover Visualisation button. A user reference to the RECOVER benchmark is available via the Help Recover button.
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
209
6.3.5 Aircraft Visualisation The GARTEUR RECOVER benchmark aircraft visualisation and animation tool provides a graphical solution for the visualisation of the benchmark’s specified approach and landing scenario and flight trajectory. (Fig. 6.35). The tool provides high resolution graphic representations of the aircraft, cockpit flight instrumentation and airport environment (Amsterdam Schiphol airport and surroundings) for interactive (real-time) simulations or manoeuvre and flight path analysis. The pilot interface (Fig. 36(a) and 36(b)), showing the main aircraft, control system and engine state parameters, is based on specifications of the electronic flight instrument system (EFIS) displays as found on the B747-400 aircraft. Additional features on the displays, not found on the standard B747-400 instrumentation, are included to assess human-machine interfacing (HMI) aspects of new fault tolerant flight control algorithms and flight envelope protection measures. For these design applications, the standard primary flight display (PFD) can be configured to display the aircraft’s bank angle, pitch angle and airspeed envelope protection limits as calculated by a new intelligent self-adaptive control system. The lower display (Engine Indicating and Crew Alerting System (EICAS) display) provides the parameters of the four engines, using Engine Pressure Ratio (EPR) as the main thrust setting reference, and inboard trailing edge flap position. Additional aircraft state information on the EICAS display includes angle-of-attack and sideslip. The status of the flight control system and control laws is provided by the presentation of the control surface deflections. A basic 3D aircraft model, representing the B747-100/200 aircraft, and
Fig. 6.35 GARTEUR RECOVER benchmark high resolution aircraft visualisation tool showing out-of-the-window view and electronic flight instrument system (EFIS) displays for interactive (real-time) simulation and analysis of new fault tolerant flight control systems
210
(a) Primary Flight Display: indicated airspeed (1), altitude (2), aircraft attitude and envelope protection limits (3), aircraft heading (4)
H. Smaili et al.
(b) EICAS display: engine EPR (1), inboard trailing edge flap position, angle-ofattack, sideslip and load factor (2), control surface and stabiliser deflections (3)
Fig. 6.36 GARTEUR RECOVER benchmark electronic flight instrument system (EFIS) display elements
a view of the aircraft’s flight path in the out-of-the-window view allows analysis of the flight trajectory and manoeuvres. The RECOVER interactive simulation window can be started via the RECOVER Visualisation button following initialisation of an open loop or closed loop simulation.
6.3.6 User Example This section demonstrates the steps necessary for a typical closed loop simulation within the GARTEUR RECOVER benchmark (b747 auto g.mdl) for an investigation of the aircraft behaviour. A separation of both right-wing engines is selected R as an example failure mode (Flight 1862 scenario). The Matlab command line scripts are set up to give reasonable default values for all questions during initialisation of the simulation. The user may enter the correct data if he wants to deviate from the default values. The user input prompt is indicated by a semicolon during initialisation. Fig. 6.37: After selecting Closed-Loop Simulation in the main menu, the closed R command window and the first step is loop initialisation is started in the Matlab to define the failure model. For this example, the dynamic version of the Flight 1862 failure case is chosen (failure mode #10). Fig. 6.38: The next step is to choose the test scenario. The Failure event scenario is chosen, which shows the effect of the sudden occurrence of the failure after five seconds of flight. In addition, turbulence and predefined wind conditions can be selected. Fig. 6.39: The program continues by giving the selected choices together with the aircraft and flight condition that were set by the test scenario. This includes the
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
211
Fig. 6.37 Selection of failure mode
Fig. 6.38 Selection of test scenario
weight and balance of the aircraft, altitude and airspeed and aircraft configuration. For the Failure event scenario, the pitch mode is selected as Altitude select with a reference altitude (1000m in this example) and the roll mode is selected as Bank angle command with a reference bank angle of 0 deg. No further information to the trim routine is required since everything is prescribed by the test scenario. Fig. 6.40: The user is then able to set initial values for the controls used for trimming, but it is usually sufficient to accept the default values here. For trimming, the b747 trim d.mdl model is used. This completes the setup of the trim routine for the optimisation. The trim routine runs and gives a trim result in terms of stabiliser deflection and thrust. The user is asked if he is satisfied with the trim results. Fig. 6.41: If the optimisation is acceptable, the required engine EPR setting is derived from the thrust in the next step and the trim results can be saved. Fig. 6.42: The simulation is performed using the closed loop model given in b747 auto g.mdl which contains the test scenario generator. When the simulation has ended, the user is able to save the results and to make some plots. These
212
H. Smaili et al.
Fig. 6.39 Confirmation of test scenario and aircraft and control mode variables set by the test scenario
plots are generated by the plot sim.m script that can also be activated via the main menu. Fig. 6.43: The plotted simulation results of the aircraft states demonstrate that up to t=5s the flight condition is stable. When the failure is inserted at t=5s the aircraft begins to diverge. The simulation run has been ended at t=35s because the angle-of-attack (α ) is outside the validated model boundaries. Fig. 6.44: The calculated specific forces show the effect of the sudden loss of thrust, due to the separation of the right-wing engines, on the longitudinal acceleration (Axb ) at t=5s. Lateral acceleration (Ayb ) shows an increase following the detachment of the engines at t=5s due to sideslip caused by the asymmetrical thrust and wing damage configuration.
6.3.7 Aircraft Characteristics The Boeing 747-100/200 aircraft is a large jet transport aircraft designed for long distance operations. All systems aboard the aircraft are made operational by four fan jet turbo-engines that deliver the required thrust. Through a mechanical gearbox underneath each engine, the engine high pressure shaft (N2) is connected with pressure and electrical generating units. In addition, engine compressor bleed air is taken from the engine for pneumatic air supply. The hydraulic system of the B747 series aircraft consists of four independent main hydraulic supply systems. The systems No. 1 and 4 are the primary systems whereas the systems No. 2 and 3 are the secondary systems. Each system is
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
213
Fig. 6.40 Controls initialisation for trimming and trim routine results
associated with an engine. Pressurization units for hydraulic power to the flight control and landing gear systems are located at every engine. The B747-100/200 flight control system comprises a primary flight control system and a secondary flight control system. The primary flight control surfaces are powered by irreversible hydraulic actuators which are supplied by the four independent hydraulic systems. The actuators for the elevator, aileron and rudder surfaces are driven by single dual tandem type actuators supplied by two independent
214
H. Smaili et al.
Fig. 6.41 Trimmed engine EPR settings and end of the optimisation procedure
Fig. 6.42 Execution of the closed loop simulation
hydraulic systems (full boost). The spoilers of the secondary flight control system are driven by conventional single cylinder actuators. The availability of the control surfaces will be affected in case of the loss of hydraulic supply. The control surface actuators are designed to allow unrestricted operation of the surface in the event of the loss of one actuator (half boost). When hydraulic supply to both actuators is lost, the surface reverts to a zero-hinge moment floating position. The arrangements of the hydraulic power supply distribution for the B747-100/200 flight control system is summarised in Table 6.4. The B747-100/200 high lift system consists of the trailing edge flaps and the leading edge flaps with selectable detents of 1, 5, 10, 20, 25 and 30 degrees. Automatic flap retraction to the 25 detent (flap load relief) is provided to prevent structural overload of the fully extended trailing edge flaps when indicated airspeed exceeds
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
Fig. 6.43 State variables during benchmark run with (b747 auto g.mdl) and Flight 1862 failure case starting at t=5s
215
closed
loop
model
Fig. 6.44 Specific forces in body axes during benchmark run with closed loop model (b747 auto g.mdl) and Flight 1862 failure case starting at t=5s
216
H. Smaili et al.
Table 6.4 Arrangements of the hydraulic power supply distribution for the B747-100/200 flight control system Hydraulic system #1
#2
#3
#4
Longitudinal axis
Lateral axis
Directional axis
Left outboard elevator Left outboard aileron Right inboard elevator Left inboard aileron
Upper rudder Upper rudder turn coordinator Right inboard elevator Left outboard aileron Lower rudder Stabiliser Right inboard aileron Lower rudder yaw Spoilers #2,#3,#10,#11 damper Left inboard elevator Right outboard aileron Upper rudder Stabiliser Left inboard aileron Upper rudder yaw Spoilers #1,#4,#9,#12 damper Right outboard elevator Right outboard aileron Lower rudder Left inboard elevator Right inboard aileron Lower rudder turn Spoilers #5,#6,#7,#8 coordinator
High lift Inboard flaps
Outboard flaps
Table 6.5 B747-100/200 flight control surface operating limits (positive sign: surface deflection downward / spoiler panel up) Control surface
Symbol
Mechanical limit (deg)
Inboard elevator Outboard elevator Stabiliser Inboard aileron Outboard aileron Spoilers #1 - #4 Spoilers #9 - #12 Spoilers #5, #8 Spoilers #6, #7 Upper rudder Lower rudder
δei δeo ih δai δao δsp1−4 δsp9−12 δsp5 , δsp8 δsp6 , δsp7 δru δrl
+17/-23 +17/-23 +3/-12 +20/-20 +15/-25 +45 +45 +20 +20 +25/-25 +25/-25
Two hydraulic One hydraulic system rate (Full system rate (Half boost, deg/sec) boost, deg/sec) +37/-37 +30/-26 +37/-37 +30/-26 +/-0.2 to +/-0.5 +/-0.1 to +/-0.25 +40/-45 +27/-35 +45/-55 +22/-45 +75 0 +75 0 +75 0 +25 0 +50/-50 +40/-40 +50/-50 +40/-40
169kts at flaps 30. Extension of the outboard trailing edge flaps will unlock the outboard ailerons. The B747-100/200 flight control surface arrangements and operating limitations are illustrated in Fig. 6.45 and Table 6.5. Fig. 6.46 and Table 6.6 provide aircraft operational data and geometric dimensions for both the B747-100/200 and B747-200F (freighter version). For the benchmark simulation, the B747-100/200 hydraulic and flight control system specifications, as described in this Section, were taken from [1, 8].
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
217
Fig. 6.45 Boeing 747-100/200 flight control surface arrangements and body axes and moment definitions (L¯ = rolling moment, M = pitching moment, N¯ = yawing moment, p = roll rate, q = pitch rate, r = yaw rate) Table 6.6 B747-100/200 series operational data and geometric dimensions B747-100/200 Wing area Wing mean aerodynamic chord (MAC) Wing span Length overall Height overall Engines
m2
511 8.324 m 59.65 m 70.66 m 19.33 m Pratt & Whitney JT9D3 Takeoff thrust rating (standard day / sea 193 kN (43,500 lb st) level) Maximum takeoff weight 321,995 kg (710,000 lb) Maximum landing weight 255,782 kg (564,000 lb) Maximum zero fuel weight 238,776 kg (526,500 lb) Load factor range flaps up -1.0/+2.5 Load factor range flaps down 0/+2
B747-200F (Freighter) 511 m2 8.324 m 59.65 m 70.66 m 19.33 m Pratt & Whitney JT9D7J 222 kN (50,000 lb st) 377,842 kg (833,000 lb) 285,763 kg (630,000 lb) 267,619 kg (590,000 lb) -1.0/+2.5 0/+2
218
H. Smaili et al.
Fig. 6.46 Boeing 747-100/200 large transport aircraft
6.4 GARTEUR RECOVER Benchmark Applications Earlier versions of the GARTEUR RECOVER benchmark aircraft model have been used by a number of investigators and organisations in several studies [7, 10, 14, 15, 19]. For example, in a recent study, performed by the University of Cambridge [13], a reconfiguration scheme was developed and applied to the Flight 1862 benchmark scenario using Model Predictive Control (MPC). The MPC scheme aims to restore the original functionality of the pilot’s controls using a referencemodel based approach. For the initial demonstration of the MPC reconfiguration capabilities in this study, the assumption was made that all necessary information about the failed condition of the aircraft was available from the fault detection and isolation (FDI) unit. The investigation demonstrated that when precise information regarding the failure condition of the aircraft is available, a reconfigurable control scheme exists that enables safe landing of a heavily damaged aircraft (Fig. 6.47). An extension of this research, in which the FDI information requirements for successful
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
219
Fig. 6.47 Simulation demonstrating flight control reconfiguration and safe landing of the Flight 1862 accident aircraft using Model Predictive Control (MPC) (red: accident aircraft, green: reconfigured aircraft) [13]
reconfiguration are addressed, formed the basis of a PhD project at the Delft University of Technology financed by the Dutch Technology Foundation STW. Some of the developed reconfiguration schemes in this project were further evaluated in this Action Group.
6.5 Conclusion A simulation benchmark for the integrated evaluation of new fault detection, isolation and reconfigurable control techniques has been developed within the framework of the GARTEUR Flight Mechanics Action Group FM-AG(16) on Fault Tolerant Control. The REconfigurable COntrol for Vehicle Emergency Return (RECOVER) benchmark addresses the need for high-fidelity nonlinear simulation models to improve the prediction of the performance of newly designed fault tolerant flight control system algorithms in degraded modes. The GARTEUR RECOVER benchmark provides accurate failure models, realistic scenarios and assessment criteria for a civil large transport aircraft with fault conditions ranging in severity from major to catastrophic. The benchmark aircraft model has been validated against data from the Digital Flight Data Recorder (DFDR) recovered after the crash of a Boeing 747-200 freighter aircraft (Flight 1862), caused by the separation of its right-wing
220
H. Smaili et al.
engines, in the Amsterdam Bijlmermeer in 1992. For the reconstruction of the accident flight data, a methodology based on inverse simulation was used to obtain a proof-of-match between the Flight 1862 DFDR measurements and simulation. This assured the validity of the simulation, as part of the benchmark, in terms of aircraft performance and controllability representative of a damaged large transport aircraft operating in a degraded and limited flight envelope. The identified operational constraints of the Flight 1862 accident aircraft provided a guidance for the fault tolerant control design challenge in the GARTEUR FM-AG(16) Action Group and a reference for the definition of the benchmark assessment criteria. The GARTEUR RECOVER benchmark is suitable for both offline design and analysis of new fault tolerant flight control systems and integration on simulation platforms for piloted hardware in the loop testing. The enhanced graphical tools of the benchmark, including high resolution aircraft visualisation, support tool-based advanced flight control system design and evaluation within research, educational or industrial framework. Acknowledgements. The authors recognise the contributions of the members of the GARTEUR FM-AG(16) Action Group to this Chapter. The authors also appreciate the funding that the Dutch Technology Foundation STW has provided as part of the GARTEUR activities. Special thanks to Jaap Groeneweg and Ronald Verhoeven of NLR for their contribution to the RECOVER aircraft visualisation tools. Finally, a word of thanks to all those who have contributed to the further improvement of the GARTEUR RECOVER benchmark model within their flight control research programmes, especially Andres Marcos of DEIMOS Space and Gary Balas of the University of Minnesota.
References 1. Anon. Boeing 747 Aircraft Operations Manual (1976) 2. Anon. EL AL Flight 1862, aircraft accident report 92-11. Netherlands Aviation Safety Board, Hoofddorp, The Netherlands (1994) 3. Anon. MIL-HDBK-1797 Flying qualities of piloted aircraft (1997) 4. Federal Aviation Administration, Department of Transport. FAR/JAR 25 Airworthiness Standards: Transport Category Airplanes 5. Fischenberg, D.: Ground effect modeling using a hybrid approach of inverse simulation and system identification. In: AIAA Modeling and Simulation Technologies Conference and Exhibit, AIAA-1999-4324, Portland, OR (August 1999) 6. GARTEUR. GARTEUR RECOVER benchmark quickstart guide (2009) 7. Hallouzi, R., Verhaegen, M., Kanev, S.: Model weight estimation for FDI using convex fault models. In: IFAC Conference 2006 (2006) 8. Hanke, C.R.: The simulation of a large transport aircraft. Modeling data, vol. II. NASA CR-114494 (September 1970) 9. Hanke, C.R.: The simulation of a large transport aircraft. Mathematical model, vol. I. NASA CR-1756 (March 1971) 10. Harefors, M., Bates, D.G.: Integrated propulsion-based flight control system design for a civil transport aircraft. In: Proceedings of the IEEE Conference on Control Applications, Glasgow (September 2002)
6
RECOVER: A Benchmark for Integrated FTFC Evaluation
221
11. van Keulen, R.: Real-time simulation and analysis of the automatic flight control system of the Boeing 747-200. Final thesis, Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (1991) 12. van der Linden, C.A.A.M.: DASMAT- Delft University Aircraft Simulation Model and Analysis Tool. Report LR-781, Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (1996) 13. Maciejowski, J.M., Jones, C.N.: MPC fault-tolerant flight control case study: Flight 1862. In: IFAC Safeprocess Conference (2003) 14. Marcos, A., Balas, G.J.: Linear parameter varying modeling of the Boeing 747-100/200 longitudinal motion. American Insitute of Aeronautics and Astronautics 2001, AIAA2001-4347 (2001) 15. Marcos, A., Balas, G.J.: A Boeing 747-100/200 aircraft fault tolerant and fault diagnostic benchmark. Technical Report AEM-UoM-2003-1, University of Minnesota, Minnesota (June 2003) 16. National Transportation Safety Board. In-flight engine separation Japan Airlines, Inc. Flight 46E, Boeing 747-121, N473EV, Anchorage, Alaska, March 31 (1993); Aircraft accident report NTSB/AAR-93/06 (October 1993) 17. Smaili, M.H.: Flight data reconstruction and simulation of El Al Flight 1862. Final thesis, Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (1997) 18. Smaili, M.H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992 Amsterdam Bijlmermeer airplane accident. In: AIAA Modeling and Simulation Technologies Conference and Exhibit, AIAA-2000-4586, Denver, CO (August 2000) 19. Szaszi, I., et al.: Application of FDI to a nonlinear Boeing 747 aircraft. In: 10th Mediterranean Conference on Control and Automation - MED 2002 (2002)
Chapter 7
Assessment Criteria as Specifications for Reconfiguring Flight Control Thomas Lombaerts, Diederick Joosten, Hafid Smaili, and Jan Breeman
7.1 Introduction To obtain a quantitative measure of predicted FTFC system performance in degraded modes, specifications need to be defined to assess proper functioning under realistic operational flight conditions. The goal of the benchmark specifications modelling, as described in this chapter, is to create a set of assessment criteria in order to evaluate the quality of the performance of fault detection and identification (FDI) and reconfigurable control algorithms. The lay-out of this chapter is as follows. First, the specifications modelling process is introduced by discussing the benchmark scenario. Subsequently, the general evaluation criteria will be considered by defining two classes of test manoeuvres. Thereafter, focus is placed on the test manoeuvres for FTFC qualification, which is the major topic of this chapter. After the discussion on how the assessment quantities of interest can be divided into two categories, four qualification test manoeuvres are discussed in depth. These include straight Thomas Lombaerts Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Diederick Joosten Delft University of Technology, Delft Center of Systems and Control, Mekelweg 2, 2628 CD Delft, The Netherlands e-mail:
[email protected] Hafid Smaili National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam, The Netherlands e-mail:
[email protected] Jan Breeman National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 223–243. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
224
T. Lombaerts et al.
flight, right turn and localizer intercept, glideslope intercept and final approach with sidestep. Finally, a summary of the specified assessment quantities is given for the different FTFC qualification test manoeuvres. These criteria have also been published in Ref. [3].
7.2 Specification Modelling The goal of specifications modelling is to create a set of assessment criteria in order to evaluate the quality of the performance of fault detection and identification (FDI) and controller reconfiguration algorithms. A schematic overview of the benchmark scenario, as introduced in chapter 6, is provided in Fig. 7.1.
Fig. 7.1 Benchmark scenario with test manoeuvres for qualification of FTFC techniques
Obviously, after the introduction of a failure to the aircraft, a total catastrophe is to be avoided. Therefore, it is necessary that a failure is detected promptly. Furthermore, a new trim condition, or quasi-trim condition, must be established quickly for safe continuation of the flight. This phase is called initial recovery, as illustrated in Fig. 7.1, and needs to be completed as soon as possible, even before firm flight control reconfiguration takes place. The normal operating limits of the non-crippled aircraft, i.e. maximum and minimum velocity, maximum g-load, can be seen as worst-case bounds on the allowable manoeuvres during all subsequent phases. After fault identification and reconfiguration, the four qualification manoeuvres are performed according to the scenario as shown in Fig. 7.1. The FTFC assessment criteria are defined for two different phases during the flight control reconfiguration process. First, criteria are enumerated for the Fault Detection and Identification phase. After control reconfiguration has taken place, some test manoeuvres for qualification have been selected for which specifications have been defined. These criteria enable the assessment of the correct functioning of the reconfigured control system under realistic operational conditions.
7
Assessment Criteria as Specifications for Reconfiguring Flight Control
225
7.2.1 General Evaluation Criteria For the assessment of Fault Detection and Identification algorithms, it is customary to define the following list of criteria, as can be found in Ref. [1]: • • • • •
the time needed to detect a failure; the ratio of successful detection of failures versus the number of false alarms; the time needed to give a first reaction or control input and re-establish trim; the operating limits of the aircraft may not be exceeded after failure introduction; the ability to reconfigure the controller such that the aircraft states are controlled with adequate performance, and preferably with desired performance.
The above criteria are usually applied for FDI in general. However, for the RECOVER benchmark emphasis is placed on operational assessment criteria that impose constraints on the total flight trajectory instead of the technical FDI criteria only. Therefore, the operational criteria have been defined by using the FDI requirements, as mentioned above, as a basis. The result of this study can be found in the remainder of this chapter. Some graphic examples of the applied operational assessment criteria, which hold for one of the aircraft states or variables, are depicted in Figs. 7.2 and 7.3. Fig. 7.2 applies for test manoeuvres with trajectory constraints, where Fig. 7.3 applies for test manoeuvres with end-point position constraints. The specifications apply to certain variables which are relevant and critical for each flight phase, e.g. position information, linear rates, angular rates, linear accelerations, angular accelerations and g-forces, each in the three axes of the aircraft reference system. The list of relevant assessment quantities will be enumerated later for each test manoeuvre separately. These variables have to comply with certain
Fig. 7.2 Graphic representation of FDI and control reconfiguration assessment criteria representing test manoeuvre with trajectory constraints
226
T. Lombaerts et al.
Fig. 7.3 Graphic representation of FDI and control reconfiguration assessment criteria representing test manoeuvre with end-point position constraints
operational limitations, which can be divided over two categories, according to the relevant part of the time span. When a failure occurs at time t0 , the flight control systems have some time for identification and reconfiguration up to the moment trecovery , whereafter a test manoeuvre is performed in order to analyse if the reconfiguration was successful. In the first part, where identification and reconfiguration take place, the variables are limited by structural and crew capability (human performance) boundaries. After trecovery the qualification test manoeuvre is performed. In the case of a test manoeuvre with trajectory constraints, some fairly stringent manoeuvre limitations are defined for the relevant assessment quantity values from trecovery onward till the end of the test manoeuvre. These limitations define a box which specifies if the manoeuvre performance is desired or adequate (Fig. 7.2). On the other hand, when a test manoeuvre is considered with end-point position constraints, the relevant assessment quantity values are restricted to a larger range defined by slightly reduced safe flight boundaries as initial trajectory constraints (critical manoeuvre limitations, Fig. 7.3). More stringent boundaries to evaluate the manoeuvre quality are then defined at the end point tfinal , where the boundaries represent a limitation box specifying whether the manoeuvre performance is desired or adequate. The aircraft must be in (quasi) steady state at tfinal , otherwise the performance criteria cannot be guaranteed persistently. A possible definition of adequate and desired performance boxes for the benchmark flight phases including straight flight, right turn and localizer intercept, glideslope intercept and final approach with sidestep down to decision height will be discussed later in this chapter. The performance limitations may depend on many other variables, like indicated airspeed of the aircraft and altitude. Therefore, it is
7
Assessment Criteria as Specifications for Reconfiguring Flight Control
227
important to define one representative reference trajectory with fixed altitude and velocity as initial conditions, because in that way the complexity is already reduced considerably. Here, most interest is in low altitudes because of the small margins there. The manoeuvres are a very important aspect in this work. It should be noted that there are two kinds of manoeuvres. The first kind are manoeuvres for parameter identification that take place in the identification and reconfiguration phase, before trecovery in Fig. 7.2 and 7.3, these are facultative manoeuvres. The other kind of manoeuvres are test manoeuvres for qualification which are performed during the second part of the time span in Fig. 7.2 and 7.3, after trecovery . These are mandatory for qualification of the fault tolerant flight control system.
7.2.2 Test Manoeuvres for Qualification As discussed in the foregoing paragraph, four qualification test manoeuvres have been defined which are mandatory and will be used to obtain the RECOVER benchmark criteria. The straight flight and glideslope intercept are two manoeuvres with trajectory constraints. On the other hand, right turn with localizer intercept and final approach with sidestep have end-point position constraints. The motivation for this is that there are no critical requirements on the turn and the approach themselves, as long as the aircraft ends up at the right location at the end of the manoeuvre. The straight flight and final approach test manoeuvres have longitudinal as well as lateral constraints. The other two manoeuvres deal only with one axis at a time. As such, the right turn manoeuvre has only lateral constraints where the glideslope intercept has only longitudinal constraints. The aircraft should be in (quasi-)equilibrium at tfinal for the end-point position constraints and after trecovery for the trajectory constraints. To achieve this requirement for all four test manoeuvres, all angular rates (p,q,r) as well as the three linear acceleration components (ax ,ay ,az ) should be as small as possible within certain boundaries. For any failure scenario, the time to reach equilibrium is a very important criterion. The assessment variables can be defined in two different categories, namely specification boundary variables and competitiveness variables. Specification boundary quantities provide limits which cannot be exceeded, like safe flight boundaries and performance boxes. On the other hand, competitiveness criteria have been defined that allow to distinguish between the performances of different reconfigurable control strategies. For any manoeuvre, the time to accomplish the manoeuvre is a very important competitiveness criterion. In some situations, assessment variables can belong to both categories simultaneously. For each test manoeuvre, a list of relevant quantities is enumerated in Table 7.2, 7.3, 7.4 and 7.5. In the first two columns of each table, an indication is given about the category the quantity belongs to. The abbreviations ’sb’ and ’cc’ represent specification boundary and competitiveness variables respectively.
228
T. Lombaerts et al.
Table 7.1 Initial conditions for the three benchmark scenario’s: nominal flight, heavy weight (Flight 1862) and low weight (Flight 1862) manoeuvre
straight right turn GS int final flight LOC int approach h [m] 600 600 600 90 V [m/s] 92.6/133.8 92.6/133.8 92.6/133.8 85/133.8/108 flap setting 20/1 20/1 20/1 25/1/1 landing gear up up down down
The initial conditions for the benchmark qualification test manoeuvres are defined in Table 7.1. A distinction is made between a nominal flight scenario, a heavy weight Flight 1862 scenario and a low weight Flight 1862 scenario, since each of the Flight 1862 scenarios has a different aircraft weight value. In the nominal situation, the aircraft weight is approximately 263 tons and the touchdown speed is 165 knots. As the Flight 1862 accident happened just after take off, the aircraft weight was considerably higher, namely 317 tons (after separation of the right-wing engines). This resulted into the fact that the crew had to maintain a high speed of about 260 knots, which reduced the chances for a survivable landing significantly. Based on the Flight 1862 performance capability analysis [4], the aircraft was able to maintain level flight in order to reduce the landing weight by dumping fuel. A weight reduction due to fuel jettison down to approximately 263 tons would have led to a more survivable landing at a speed of about 210 knots. With the flap setting stuck at 1 and an aircraft weight of 317 tons, the minimum speed is limited to the relatively high value of 133.8 m/s. The stuck flap setting at position 1 in the case of the Flight 1862 accident scenario results into a minimum allowable speed of 108 m/s in the final approach phase at a weight of 263 tons in the case of fuel jettison. The benchmark qualification test manoeuvres are based on operational procedures in order to approximate realistic flight conditions as much as possible. To achieve this, some manoeuvres have been based upon the instrument approach chart to runway 27 of Amsterdam airport Schiphol (ICAO-code EHAM). This chart is included in the appendix of this chapter. In this chart, a red line marks the trajectory of the flight 1862 accident aircraft. Indicated in green in this chart is the approximate trajectory of the proposed benchmark scenario. Note that closely following this trajectory is not part of the benchmark criteria. The end-point is more relevant than the trajectory in this set-up. 7.2.2.1
Straight Flight
The first benchmark qualification test manoeuvre is performing a straight flight downwind, with the presence of some turbulence. Analysing the closed loop system time responses of course χ and flight path angle γ allows comparison of the quality of the different reconfiguring control strategies. During this test manoeuvre, the aircraft should remain in a predefined box, like a virtual tunnel in the sky. In
7
Assessment Criteria as Specifications for Reconfiguring Flight Control
229
Table 7.2 Specified assessment quantities for the straight flight qualification manoeuvre sb ✓ ✓ ✓ ✓ ✓ ✓ ✓
cc symbol quantity ✓ V velocity χ course or track angle ✓ γ flight path angle ✓ α angle of attack β sideslip angle ✓ load factor ✓ nz φ roll angle ✓
order to analyse this manoeuvre, the assessment quantities of interest are defined in Table 7.2. The abbreviations sb and cc in the first two columns of the table represent specification boundary (sb) and competitiveness criteria (cc) respectively. Applying the above mentioned specifications and criteria to the benchmark simulation model with the classical (mechanical) flight control system results in the plots shown in Fig. 7.5. The performance of each fault tolerant control design can be assessed by generating similar plots for the relevant outputs. The routines to generate the performance plots are an integral part of the benchmark simulation software package. In Fig. 7.5, competitiveness criteria apply on all shown states, except for the angle of attack α . The light regions indicate where the desired performance is not met, where failure to achieve adequate performance is indicated by the darker regions. It is clear that for the straight flight phase, trajectory constraints apply. Fig. 7.5 shows that the baseline aircraft model, with classical control system, satisfies all assessment criteria for the straight flight phase with considerable margins. 7.2.2.2
Right Turn and Localizer Intercept
The second benchmark test manoeuvre starts by performing a right turn, with the presence of some turbulence. After 10 seconds of straight flight, a right turn is initiated in order to reach the localizer (LOC) intercept course. No special limitations
Fig. 7.4 Definition of performance boxes for straight flight qualification manoeuvre
230
T. Lombaerts et al.
Straight flight 2 χ [°]
TAS
[m/s]
States with specs 100
0
V
90 0
10
20
30
40
−2
50
0 −2
10
20
30
40
50
0
10
20
30
40
50
0
10
20 30 time [s]
40
50
15 α [°]
γ [°]
2
0
10 5 0
0
10
20
30
40
50
10
−10
φ [°]
nz [−]
β [°]
2 0
40 20 0 −20 −40
0
10
20
30
40
50
0
10
20 30 time [s]
40
50
0 −2
(a) aircraft states Kinematic accelerations in body axes
axb [m/s2]
0.1 0.05 0 −0.05 −0.1
0
5
10
15
20
25
30
35
40
45
50
0
5
10
15
20
25
30
35
40
45
50
0
5
10
15
20
25 time [s]
30
35
40
45
50
ayb [m/s2]
0.05
0
−0.05
azb [m/s2]
0.6 0.4 0.2 0 −0.2
(b) kinematic accelerations Fig. 7.5 Specifications on the aircraft states for the downwind straight flight qualification manoeuvre
are imposed on the turn manoeuvre itself1 , except for the fact that the time necessary to complete the turn is a competitiveness criterion. The specific lateral force Ay and 1
E.g. also a left turn is allowed, as can be seen in Fig. 7.6.
7
Assessment Criteria as Specifications for Reconfiguring Flight Control
231
Table 7.3 Specified assessment quantities for the right turn and localizer intercept qualification manoeuvre sb cc symbol quantity ✓ xrunway distance from runway threshold λ localizer deviation during end phase ✓ ✓ Λ LOC intercept angle ✓ ✓ V velocity φ roll angle during turn ✓ φ roll angle during end phase ✓ ✓ ✓ p roll rate during end phase ✓ q pitch rate during end phase ✓ r yaw rate during end phase ✓ ax longitudinal acceleration during end phase lateral acceleration during end phase ✓ ay vertical acceleration during end phase ✓ az α angle of attack ✓ β sideslip angle ✓ ✓ lateral specific force ✓ ✓ Ay load factor ✓ ✓ nz altitude deviation ✓ ✓ Δh
altitude changes Δh during this manoeuvre should be minimal for the sake of passenger comfort and trajectory accuracy respectively. The localizer intercept manoeuvre is performed with a 45◦ heading change, where ±5◦ deviation is still acceptable and velocity should be close to the reference value. After this manoeuvre, the aircraft should be on the localizer beam. In order to analyse this final position and the equilibrium at the end of this manoeuvre, an end phase for evaluation is defined. This end phase starts on the moment the aircraft crosses a vertical plane at 15 km distance from the runway threshold. From this moment onward, the end phase lasts for the following 10 seconds, during which angular rates and linear accelerations should remain within their predefined equilibrium limits to show that the aircraft is fully stabilized. The relevant assessment quantities during the complete manoeuvre are enumerated in Table 7.3. The abbreviations sb and cc in the first two columns of the table represent specification boundary (sb) and competitiveness criteria (cc) respectively. As illustrated by the performance box in Fig. 7.6, it is clear that the allowed cross track deviation is presented as the localizer angular deviation, while the longitudinal deviation is linear. The roll angle φ is an assessment quantity to verify if the aircraft rolled out properly to end the turn manoeuvre. As the localiser and glideslope are presented to the pilot on an uncalibrated scale, the deviations are indicated in ”dots” (1 dot is 1.25◦ ). During tracking of the localizer, 0.5 dot localiser deviation is allowed as a maximum, see also Fig. 7.7. The right turn and localizer intercept performance criteria are as follows: Applying the above mentioned specifications and criteria to the benchmark simulation model with the classical control system results in the plots shown in Fig. 7.8.
232
T. Lombaerts et al.
Fig. 7.6 Definition of performance boxes for right turn and localizer intercept
Fig. 7.7 Primary Flight Display (PFD) with the Localizer (LOC) deviation scale and magenta diamond shaped LOC signal indicator in the middle of the scale
In Fig. 7.8, competitiveness criteria apply on all shown states, except for the angle of attack α . The light regions indicate where the desired performance is not met, where failure to achieve adequate performance is indicated by the darker regions. It is clear that end-point position constraints can be found for certain states in the right turn and localizer intercept phase. It can be seen in Fig. 7.8 that not all criteria are met. More precisely, the roll angle φ the aircraft achieves is slightly too large.
7
Assessment Criteria as Specifications for Reconfiguring Flight Control
VTAS [m/s]
0
40 20 0 −20 −40
0
50
100
150
100
90
200
0
50
100
150
r [°/s]
150
200
0
50
100
150
200
0
50
100
150
200
0
50
100
150
200
0
50
100 time [s]
150
200
0
b
qb [°/s]
100
2
0 −2
0
50
100
150
−2
200
15
10
10
β [°]
α [°]
50
0 −2
200
2
5 0 0
50
100
150
2
2
y
0 −2
0 −10
200 n [−]
nz [−]
0 2
b
−5
φ [°]
right turn and LOC intercept
5
p [°/s]
lambda [°]
States with specs
233
0 −2
0
50
100 time [s]
150
200
(a) aircraft states Kinematic accelerations in body axes
axb [m/s2]
2 0 −2 0
20
40
60
80
100
120
140
160
180
200
220
0
20
40
60
80
100
120
140
160
180
200
220
0
20
40
60
80
100 120 time [s]
140
160
180
200
220
ayb [m/s2]
2 0 −2
azb [m/s2]
2 0 −2
(b) kinematic accelerations Fig. 7.8 Specifications on the aircraft states for the right hand turn and localizer intercept flight qualification manoeuvre
234
T. Lombaerts et al.
Table 7.4 Specified assessment quantities for the glideslope intercept qualification manoeuvre sb cc symbol quantity ✓ xrunway longitudinal distance from runway threshold ✓ ✓ V velocity glideslope deviation during end phase ✓ ✓ Γ α angle of attack ✓ ✓ p roll rate during end phase ✓ q pitch rate during end phase ✓ r yaw rate during end phase longitudinal acceleration during end phase ✓ ax lateral acceleration during end phase ✓ ay vertical acceleration during end phase ✓ az load factor ✓ ✓ nz λ localizer deviation ✓ ✓
However, for comfort reasons, it is advisable to enforce that the fault tolerant flight control designs satisfy this requirement. 7.2.2.3
Glideslope Intercept
The third benchmark test manoeuvre is the interception of the glideslope in the presence of some turbulence. Note that also in actual practice, localizer intercept occurs before glideslope intercept according to operational practices. After 10 seconds of straight flight, the glideslope interception point is met at 11.5 km from the runway threshold and the aircraft starts following the 3◦ glideslope downward. After the interception point, the aircraft should remain within a predefined box, like a virtual funnel in the sky. In order to analyse this final position and the equilibrium at the end of the manoeuvre, an end phase for evaluation is defined. This end phase starts at the moment the aircraft intercepts the extension of the runway center line at 11.5 km distance from the threshold. From this moment onward, the end phase lasts for the following 10 seconds during which angular rates and linear accelerations should remain within their predefined equilibrium limits. For this manoeuvre, assessment quantities of interest are included in Table 7.4. The abbreviations sb and cc in the first two columns of the table represent specification boundary (sb) and competitiveness criteria (cc) respectively. The deviation from the glideslope is also expressed in dots, where one dot equals 0.35◦. An illustration for this can be found in Fig. 7.9. The angle of attack α is a primary assessment quantity of interest because it is an important parameter in order to keep the aircraft within its stall limits. As illustrated in Fig. 7.10, it is clear that vertical deviation is expressed in an angular way, analogously as the right turn and localizer intercept scenario. Applying the above mentioned specifications and criteria to the benchmark simulation model with the classical control system results in the plots shown in Fig. 7.11.
7
Assessment Criteria as Specifications for Reconfiguring Flight Control
235
Fig. 7.9 Primary Flight Display (PFD) with the Glideslope (GS) deviation scale and magenta diamond shaped GS signal indicator in the middle of the scale
Fig. 7.10 Definition of performance boxes for glideslope intercept qualification manoeuvre
In Fig. 7.11, competitiveness criteria apply on all shown aircraft states, except for the angle of attack α . As with the foregoing specifications, the light regions indicate where the desired performance is not met and failure to comply with adequate performance is indicated by the darker regions. For this test phase, end-point constraints apply after the glideslope interception point. For this particular example with the baseline classical control system, the aircraft satisfies all assessment criteria for the glideslope intercept phase with considerable margins, except for the localizer error angle λ . However, this maximum localizer deviation can still be used as a design guideline for the fault tolerant control designs.
236
T. Lombaerts et al.
States with specs
glideslope intercept
90
[m/s] V 0
20
40
60
80
15 10 5 0 0
20
40
60
60
80
0
20
40
60
80
0
20
40
60
80
0
20
40 time [s]
60
80
0
b
0 −2
0
20
40
60
−2
80
5 λ [°]
2
z
40
2 r [°/s]
b
q [°/s]
2
n [−]
20
0 −2
80
0 2
b
α [°]
TAS
0 −1
100
p [°/s]
Γ [°]
1
0 −2
0
20
40
60
0
20
40 time [s]
60
0 −5
80
γ [°]
5 0 −5
80
(a) aircraft states Kinematic accelerations in body axes
2
axb [m/s ]
2 0 −2 0
10
20
30
40
50
60
70
80
0
10
20
30
40
50
60
70
80
0
10
20
30
40 time [s]
50
60
70
80
2
ayb [m/s ]
2 0 −2
2
azb [m/s ]
2 0 −2
(b) kinematic accelerations Fig. 7.11 Specifications on the aircraft states for the glideslope intercept qualification manoeuvre
7.2.2.4
Final Approach with Sidestep
The last benchmark test manoeuvre is the final approach down to decision height, with a 300 feet lateral offset around half a nautical mile from the runway threshold.
7
Assessment Criteria as Specifications for Reconfiguring Flight Control
237
Table 7.5 Specified assessment quantities for the final approach with sidestep qualification manoeuvre sb ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
cc symbol quantity ✓ Δx longitudinal deviation at end-point lateral deviation at end-point ✓ Δy ✓ u forward velocity ✓ w vertical velocity χ track angle ✓ ψ heading angle φ roll angle at end-point ✓ ✓ vr transversal velocity above runway at end-point ✓ p roll rate during end phase ✓ q pitch rate during end phase ✓ r yaw rate during end phase longitudinal acceleration during end phase ✓ ax lateral acceleration during end phase ✓ ay vertical acceleration during end phase ✓ az α angle of attack ✓ load factor ✓ ✓ nz
Some turbulence is included during this manoeuvre. No special limitations are imposed on the approach manoeuvre itself, except for the fact that the time necessary to complete the approach is a competitiveness criterion. Additionally, lateral specific force Ay and glideslope deviations Γ during this manoeuvre should be minimal for the sake of passenger comfort and trajectory accuracy respectively. However, after this manoeuvre, the aircraft should arrive in a predefined performance box on decision height above the runway (note that the flare manoeuvre is not included in this study). The origin of the reference frame for these performance boxes is placed at decision height on the centerline of the runway above the runway threshold and is defined as the end-point. It is assumed that the aircraft ends up in the vicinity of this point at the end of the manoeuvre. In order to analyse this final position and the equilibrium at the end of this manoeuvre, an end phase for evaluation is defined. This end phase starts 10 seconds before the aircraft reaches the runway threshold and ends on the moment the aircraft crosses the threshold. During this test phase, angular rates and linear accelerations should remain within their predefined equilibrium limits. To analyse the complete manoeuvre, the assessment quantities of interest are enumerated in Table 7.5. The abbreviations sb and cc in the first two columns of the table represent the specification boundary (sb) and competitiveness criteria (cc) respectively. As can be seen from the illustration of the performance box in Fig. 7.12, the allowed cross track deviation Δ y is more restricted than the wider longitudinal Δ x range. Also in this phase, the roll angle φ is an assessment quantity to verify if the aircraft rolled out properly to end the turn manoeuvre. The vertical speed w can be deduced from the glideslope angle γ and forward speed u. The heading ψ is a measure of the alignment of the aircraft with the runway. A measure of the alignment of the velocity vector with the runway is indicated by the track angle χ . Because
238
T. Lombaerts et al.
arriving at the runway is the main challenge, the track should be aligned with the runway and not necessarily the heading. The heading deviates from the track angle due to the wind components. Normally the aircraft will align the heading with the runway to put the landing gear wheels in the direction of the ground velocity. This is called a de-crab manoeuvre, but this is not a strictly necessary practice during Boeing 747 crosswind landings according to the Aircraft Operation Manual, so it is not considered here. However, it should be noted that de-crab is still required for other types of aircraft. For the Boeing 747 aircraft, the roll angle φ should be kept small close to the ground in order to prevent one of the outboard engines and/or wingtips hitting the runway. For this reason, a roll angle deviation of maximum ±8◦ is acceptable. Lateral velocity vr with reference to the runway is also relevant here, since lateral velocity is not consistent with sideslip angle β in the presence of turbulence. Also the angular rates p, q, r (pitch, roll and yaw) should be minimal in order to guarantee a smooth touchdown. Finally the angle of attack α should be well within its stall limits. Applying the above mentioned specifications and criteria on the simulation model with the classical controller results in the plots shown in Fig. 7.13. In Fig. 7.13, competitiveness criteria apply on all shown states, except for the angle of attack α . Again, the light regions indicate where the desired performance is not met, and adequate performance failure is indicated by the darker regions. It is clear that for this phase, end-point position constraints apply. For this particular example with the baseline aircraft model including classical control system, a number of criteria have been violated. However, these requirements can still be used as a design guideline for the fault tolerant control systems. Since these advanced control systems have more freedom to control the aircraft, it can be expected that they are capable of meeting these requirements.
Fig. 7.12 Definition of performance boxes for approach with sidestep qualification manoeuvre
7
Assessment Criteria as Specifications for Reconfiguring Flight Control
w [m/s]
90
0.2 0 −0.2
0.2 0 −0.2
b
p [m/s]
10 0 −10
30
40
50
0
10
10
10
20
20
20
30
40
30
50
40
30
10 0 −10
0.2 0 −0.2
0.2 0 −0.2
50
40
50 α [°]
b
z
20
ψ [°] 0
0
2 0 −2
10
0
10
20
30
0
10
20 30 time [s]
8 6 4
vr [m/s]
2 0 −2
r [m/s]
φ [°]
χ [°]
0
n [−]
final approach with sidestep
100
qb [m/s]
u [m/s]
States with specs
239
40
50
40
50
0
10
20
30
40
50
0
10
20
30
40
50
0
10
20
30
40
50
0
10
20
30
40
50
0
10
20 30 time [s]
40
50
15 10 5 0
(a) aircraft states Kinematic accelerations in body axes
2
axb [m/s ]
2 0 −2 0
5
10
15
20
25
30
35
40
45
50
0
5
10
15
20
25
30
35
40
45
50
0
5
10
15
20
25 time [s]
30
35
40
45
50
2
ayb [m/s ]
2 0 −2
2
azb [m/s ]
2 0 −2
(b) kinematic accelerations Fig. 7.13 Specifications on the aircraft states for the final approach with sidestep qualification manoeuvre
7.3 Discussion The proposed assessment criteria, as discussed in this chapter, can be used to evaluate the performances of the different fault tolerant control methods and strategies.
240
T. Lombaerts et al.
Table 7.6 Summary of all benchmark assessment quantities and their relevance for each qualification test manoeuvre symbol xrunway x y Δx Δy Δh u vr w V φ θ ψ p q r ax ay az α β γ χ λ Γ Λ Ay nz t
description
straight right turn glideslope final flight LOC int intercept approach longitudinal distance from runway threshold ✓ ✓ longitudinal position ✓ lateral position ✓ longitudinal deviation at end-point ✓ lateral deviation at end-point ✓ altitude deviation ✓ forward velocity ✓ transversal velocity above runway at end-point ✓ vertical velocity ✓ velocity ✓ ✓ ✓ roll angle ✓ ✓ ✓ pitch attitude angle heading angle ✓ roll rate during end-phase ✓ ✓ ✓ ✓ pitch rate during end-phase ✓ ✓ ✓ ✓ yaw rate during end-phase ✓ ✓ ✓ ✓ longitudinal acceleration during end-phase ✓ ✓ ✓ ✓ lateral acceleration during end-phase ✓ ✓ ✓ ✓ vertical acceleration during end-phase ✓ ✓ ✓ ✓ angle of attack ✓ ✓ ✓ ✓ sideslip angle ✓ ✓ flight path angle ✓ track angle ✓ ✓ localizer deviation ✓ ✓ glideslope deviation ✓ LOC intercept angle ✓ lateral specific force ✓ load factor ✓ ✓ ✓ ✓ time ✓ ✓ ✓ ✓
By making a distinction between the described four different qualification test manoeuvres, instead of considering one global sequence of manoeuvres, it is possible to identify particular advantages and disadvantages of each FTFC method. The test scenarios have been integrated in the FTFC benchmark simulation environment for analytical evaluation purposes. A final assessment using piloted simulation (as conducted on the SIMONA research simulator of Delft University of Technology as part of this study) will provide pilot opinions on the operational acceptability of the designed FTFC methodologies. Real-time piloted simulation also makes it possible to analyse objectively the failure accommodation capabilities and handling qualities of reconfigurable flight control systems for aircraft subjected to critical structural and system failure modes. By flying the benchmark scenario with the baseline nondamaged aircraft model, a comparison can be made to determine the overall quality of all control algorithms with reference to the standard situation.
7
Assessment Criteria as Specifications for Reconfiguring Flight Control
241
As a final remark, it should be noted that the assessment criteria, as described in this chapter for each qualification test manoeuvre, are an evaluation tool. However, they should be put in the right perspective. The ultimate goal is to perform a survivable recovery of the damaged aircraft and this is also the final and paramount evaluation criterion. Table 7.6 shows a summary of all the benchmark assessment variables and an indication for which qualification test manoeuvre they are relevant. Acknowledgements. Valuable contributions to the benchmark specifications document, Ref. [2], which served as a source for this chapter, came from Remco van der Sluis, aerospace engineer and KLM-pilot, and Bob Mulder, head of the Control and Simulation division at Delft University of Technology and Boeing 767 captain.
242
T. Lombaerts et al.
Appendix: Instrument Approach Chart EHAM RWY 27 ILS
7
Assessment Criteria as Specifications for Reconfiguring Flight Control
243
References 1. Hajiyev, C., Fikret, C.: Fault diagnosis and reconfiguration in flight control systems. Kluwer Academic, Boston (2003) 2. Lombaerts, T.J.J., Breeman, J., Joosten, D.A., van den Boom, T.J.J., Chu, Q.P., Mulder, J.A., Verhaegen, M.: Specifications modelling document for Garteur AG16 fault tolerant control. Technical report, Delft University of Technology (December 2005) 3. Lombaerts, T.J.J., Joosten, D.A., Breeman, J.A., Smaili, M.H., van den Boom, A.J.J., Chu, Q.P., Mulder, J.A., Verhaegen, M.: Assessment criteria as specifications for reconfiguring control. In: AIAA Guidance, Navigation and Control Conference and Exhibit, AIAA2006-6331, Keystone, CO (August 2006) 4. Smaili, H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992 Amsterdam Bijlmermeer airplane accident. In: AIAA Modeling and Simulation Technologies conference and exhibit, AIAA-2000-4586 (August 2000)
Part III
Design Methods and Benchmark Analysis
Chapter 8
Fault Tolerant Control Using Sliding Modes with On-Line Control Allocation Halim Alwi and Christopher Edwards
8.1 Introduction 8.1.1 Sliding Mode Control Sliding mode control was conceived in the USSR during the 1950’s and spread to the ‘west’ after the end of the ‘cold war’. Sliding mode control (SMC) is a nonlinear type of control methodology and a special case of variable structure control. An interesting account of early developments in this area appears in [26]. SMC is a robust control methodology and it is quite unique compared to other controller design paradigms, since the performance of the controller depends on the design of the ‘sliding surface’ and not the state tracking directly. The idea of sliding mode control is to force the trajectory of the states onto a predefined surface in the state space. Once reached (usually in finite time), the states are forced to remain on that surface for all subsequent time. Sliding mode control has an inherent robustness property to a certain type of uncertainty which makes SMC a strong candidate for passive fault tolerant control (FTC). Recent accounts of the theory associated with sliding modes appear in [14, 27]. Sliding mode control systems are, in theory, completely insensitive to a class of uncertainty called matched uncertainty [14]. This represents uncertainty which occurs in the channels associated with the control inputs. Intuitively this suggests SMC schemes should inherently have passive FTC capability with respect to actuator faults. The work by Hess & Wells [19] argues that sliding mode control has the potential to become an alternative to reconfigurable control Halim Alwi Control and Instrumentation Research Group, Department of Engineering, University of Leicester, University Road, Leicester, LE1 7RH, UK e-mail:
[email protected] Christopher Edwards Control and Instrumentation Research Group, Department of Engineering, University of Leicester, University Road, Leicester, LE1 7RH, UK e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 247–272. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
248
H. Alwi and C. Edwards
and has the ability to maintain the required performance without requiring fault detection and isolation (FDI). There are two stages for designing SMC controllers. First to be designed is the sliding surface. Only then can the control law be designed so that sliding is achieved in finite time, and once achieved, is maintained on the surface. Once sliding occurs, robustness to matched uncertainty is guaranteed and the system behaves as a reduced order motion independent of the control. The closed loop performance of the scheme depends on the choice of the sliding surface. Traditional sliding mode control laws consist of linear and nonlinear components. The nonlinear control law drives the states towards the sliding surface and once on the surface, the linear control law becomes more dominant. This chapter considers the design of a certain type of sliding mode controller based on an uncertain linear representation of the plant. For this class of system, under the assumption that all states are available, there is a good deal of literature to describe the different design approaches – ostensively for the selection of the sliding surface (see for example [14]). In this chapter, a so–called unit–vector controller [22] will be adopted.
8.1.2 Sliding Mode Control and Control Allocation Recently sliding mode controllers have been shown to handle actuator faults without requiring any FDI [1] and sensor fault reconstruction schemes using sliding modes have avoided reconfiguring the controller when sensor faults occur [2]. Although sliding mode schemes have an inherent ability to deal with actuator faults, as with many other conventional modern control methods (e.g. LQR, H∞ , μ -synthesis) there is no inherent ability to deal with total actuator failures [20]. In most safety critical systems e.g. passenger aircraft [7], there is actuator redundancy. The use of these redundant control surfaces has been shown to raise the survivability level of an aircraft during an in–flight emergency resulting from faults or failures. It has been argued and shown that, with clever manipulation of the remaining available actuators, safe return flight and landing is possible (see [10] for examples of many flight incidents where redundant actuators have been used). One of the challenges of using traditional control ideas for over–actuated systems, or systems with redundancy, is how to deal with these additional degrees of freedom. A typical solution is to group or factorize similar actuators together so that a single control signal is distributed to all the ‘similar’ actuators (see for example [12]). This is based on the idea that the redundant actuators are an exact duplication of the actuators used for design. In real engineering systems however, the actuators might not be the same and may have different dynamics. Control allocation (CA) has emerged as one of the most studied techniques when dealing with systems with redundancy (see for example [15, 6, 9, 13]). One benefit of using CA is that the controller remains the same and the control is distributed to all available actuators without reconfiguration. This is vital in terms of simplicity of design and for fault tolerant control.
8
Fault Tolerant Control Using Sliding Modes with On-Line Control Allocation
249
The combination of sliding modes and CA therefore seems to have great potential for the development of simple, robust fault tolerant flight controllers. Shin et al.[23], Wells & Hess [28] and Shtessel et al.[24] are some of the researchers actively working on this combination. However most of this literature uses only CA schemes, without formally exploring in detail the stability of the closed loop system. In [3], a rigorous design procedure has been developed from a theoretical perspective to achieve FTC while proving stability for a class of faults and failures. This chapter describes designs, and the associated performance analysis of the sliding mode FTC scheme from [3], on the GARTEUR AG16 benchmark.
8.2 Controller Design 8.2.1 Problem Formulation This chapter considers a situation where a fault associated with the actuators develops in a system. It will be assumed that the system subject to actuator faults or failures, can be written as x(t) ˙ = Ax(t) + Bu(t) − BK(t)u(t)
(8.1)
where A ∈ IRn×n and B ∈ IRn×m . The effectiveness gain K(t) = diag(k1 (t), . . . , km (t)) where the ki (t) are scalars satisfying 0 ≤ ki (t) ≤ 1. These scalars model a decrease in effectiveness of a particular actuator. If ki (t) = 0, the ith actuator is working perfectly whereas if ki (t) > 0, a fault is present, and if ki (t) = 1 the actuator has failed completely. In this chapter, information about K(t) will be incorporated into the control allocation algorithm. In most CA strategies, the control signal is distributed equally among all the actuators [23, 24, 28] or distributed based on the limits (position and rate) of the actuators [13, 5, 6, 18]. In this chapter, the control is distributed based on the efficiency of the actuators, and redistributed to the remaining ‘healthy’ actuators when faults/failures occur. The information necessary to compute K(t) on–line in real time can be supplied by a fault reconstruction scheme as described in [25] for example, or by using a measurement of the actual actuator deflection which is available in many systems e.g. passenger aircraft [7]. Alternatively fault reconstruction schemes based on Kalman filters [29] can be used. The idea is that if an actuator fault occurs, the control input u(t) is reallocated to minimize the use of the faulty control surfaces. 8.2.1.1
Control Allocation
In much of the control allocation literature it is assumed that rank(B) = l < m. As shown in [18], the input distribution matrix B is then factorized as B = Bν N
(8.2)
250
H. Alwi and C. Edwards
where Bν ∈ IRn×l , N ∈ IRl×m and both matrices have rank l < m [18]. Then a ‘virtual control input’ is defined as ν (t) := Nu(t) The control law ν (t) is designed based on the pair (A, Bν ) which is assumed to be controllable. Once the design of ν (t) is complete, by direct manipulation, the true control signal u(t) is recovered as u(t) = N † ν (t) where N † ∈ IRm×l is a right pseudoinverse of the matrix N. The choice of N † is not unique and different approaches have been proposed in the literature [23, 13, 5, 6, 18] for the choice of the pseudo inverse N † . However for most systems with actuator redundancy, the assumption that rank(B) = l < m is not valid and hence the perfect factorization in (8.2) cannot hold. However usually the system states can be reordered, and the matrix B from (8.1) can be partitioned as: B1 B= (8.3) B2 where B1 ∈ IR(n−l)×m and B2 ∈ IRl×m has rank l. The partition is in keeping with the notion of splitting the control law from the control allocation task [17, 13, 4]. This separation comes naturally with design methods like feedback linearization and backstepping [17, 4]. In most aircraft systems the control objectives can be achieved by commanding some desired moment to be generated by the control surfaces [17, 4]. Therefore in aircraft systems, B2 is associated with the equations of angular acceleration in roll, pitch and yaw [18]. However this can be extended to any system even for systems which have no obvious splitting of control law and control allocation [4]. Here it is assumed that the matrix B2 represents the dominant contribution of the control action on the system, while B1 generally will have elements of small magnitude compared with B2 . Compared to the work in [23] where it is assumed that B1 = 0, here B1 = 0 will be considered explicitly in the controller design and in the stability analysis. It will be assumed without loss of generality that the states of the system in (8.1) have been transformed so that B2 BT2 = Il and therefore B2 = 1. This is always possible since rank(B2 ) = l by construction. As in [3], let the ‘virtual control’
so that
ν (t) := B2 u(t)
(8.4)
u(t) = B†2 ν (t)
(8.5)
where the pseudo inverse is chosen as B†2 := W BT2 (B2W BT2 )−1
(8.6)
where W ∈ IRm×m is a symmetric positive definite (s.p.d) diagonal weighting matrix. It can be shown that the pseudo-inverse in (8.6) arises from the optimization problem min uTW −1 u subject to B2 u = ν u
(8.7)
8
Fault Tolerant Control Using Sliding Modes with On-Line Control Allocation
251
In this chapter a novel choice of weighting matrix W will be considered. Specifically, the weight W will be chosen as W := I − K
(8.8)
and so W = diag{w1 , . . . , wm } where wi = 1 − ki . Note in a fault free situation W = I. As ki → 1, wi → 0 and so the associated component ui in (8.7) is weighted heavily since w1i becomes large. With the choice of u(t) from (8.5) the fault term from (8.1) can be written as BKu(t) = BKB†2 ν (t); and therefore (8.1) becomes x(t) ˙ = Ax(t) + 8.2.1.2
B KB† B1 B†2 ν (t) − 1 2† ν (t) Il B2 KB2
(8.9)
Sliding Mode and Control Allocation
Sliding mode control (SMC) techniques [14, 27], will now be used to synthesize the ‘virtual control’ ν (t). Define a so–called switching function σ (t) : IRn → IRl to be
σ (t) = Sx(t) where S ∈ IRl×n and det(SBν ) = 0. The matrix S represents design freedom. Let S be the hyperplane defined by S = {x(t) ∈ IRn : Sx(t) = 0} If a control law can be developed which forces the closed–loop trajectories onto the surface S in finite time and constrains the states to remain there, then an ideal sliding motion is said to have been attained [14]. During the sliding motion, some of the dynamics of the closed–loop system collapse, and the sliding dynamics associated with the motion once constrained to S will be of order n − m. The selection of the sliding surface is the first part of any design and defines the system’s closed–loop performance. The sliding surface will be designed based on the nominal no fault condition (K = 0). The second aspect of the control design, is the synthesis of a control law to guarantee that the surface is reached in finite time and a sliding mode is subsequently maintained. First define νˆ (t) := (B2W 2 BT2 )(B2W BT2 )−1 ν (t) (8.10) ˆ where then as argued in [3], after a coordinate transformation, x → Tr x = x,
I −B1 BT2 Tr = (8.11) 0 Il equation (8.9) becomes:
252
H. Alwi and C. Edwards
B1 BN2 B+ 0 x˙ˆ1 (t) xˆ1 (t) Aˆ 11 Aˆ 12 2 ν ˆ (t) ˆ ν (t) + + = I 0 xˆ2 (t) x˙ˆ2 (t) Aˆ 21 Aˆ 22 ,-./ , -. / Aˆ
where
(8.12)
Bˆ
2 T 2 T −1 B+ 2 := W B2 (B2W B2 )
(8.13)
BN2 := (I − BT2 B2 )
(8.14)
and It is important to point out that there is an upper bound on the norm of the pseudoinverse B+ 2 in (8.13) which is independent of W . Specifically: Proposition 8.1. There exists a scalar γ0 , which is finite, such that 2 T 2 T −1 B+ 2 = W B2 (B2W B2 ) < γ0
(8.15)
for all W = diag(w1 . . . wm ) such that 0 < wi ≤ 1.
Proof: see [3].
The virtual control law will now be designed based on the fault-free system in which the top partition of the last term in (8.12) is zero since B1 BN2 B+ ˆ 2 |W =I = 0. In the x(t) coordinates in (8.12), a choice for the sliding surface is (8.16) Sˆ := STr−1 = M Il where M ∈ IRl×(n−l) represents design freedom. Define
γ1 := MB1 BN2
(8.17)
ˆ B) ˆ is controllable, then (Aˆ 11 , Aˆ 12 ) is controllable [14] and a matrix M can If (A, always be found to make A˜ 11 = Aˆ 11 − Aˆ 12M stable. Also since N + MB1 BN2 B+ 2 < MB1 B2 B2 < γ1 γ0
provided γ1 < γ10 , MB1 BN2 B+ 2 < 1 for all 0 < W ≤ I. To facilitate the subsequent analysis, define ˜ := A˜ 21 (sI − A˜ 11 )−1 B1 BN2 G(s) (8.18) where s represents the Laplace variable and the matrix A˜ 21 := M A˜ 11 + Aˆ 21 − Aˆ 22 M. ˜ By construction the transfer function G(s) is stable. If ˜ G(s) ∞ = γ2
(8.19)
then the following is true: Proposition 8.2. During a fault or failure condition, for any combination of 0 < wi ≤ 1, the closed–loop system will be stable if
8
Fault Tolerant Control Using Sliding Modes with On-Line Control Allocation
0≤
γ2 γ0 0
277
(9.12)
The derivative of V in (9.11) has the following expression (see [2]): 1 V˙ = −eT Pe + 2tr{ Δ GT Δ G˙ + γ1 BTm PexT + γ1 1 ΔΨ T Δ Ψ˙ + γ2 BTm PeuT } + γ2 1 Δ vT Δ v˙ + γ3 BTm Pe γ3 Choosing:
G˙ 0 = −γ1 BTm PexT C˙0 = −γ2C0 BTm PeuT C0 v˙ 0 = −γ3 BTm Pe
(9.13)
(9.14)
nullifies the last three terms in the expression for the derivative in (9.13). Expressions (9.14) represent the adaptation rules for the control law parameters, affected by the three scalars γi with i = 1, . . . , 3 in terms of adaptability rate. Finally, by taking into account (9.14), (9.13) and (9.9) it is possible to obtain the non-positiveness of Lyapunov candidate function derivative: V˙ = −eT Pe ≤ 0
(9.15)
That ensures asymptotic stability for the error dynamic system. The next section describes how the technique above is actually implemented to achieve the required fault-tolerance.
9.1.2 The SCAS Architecture The SCAS module is made of two nested sub-modules both designed by means of the adaptive technique described in the previous section. The inner module takes care of the angular rates, while the outer one copes with the control of the attitude angles. This solution exploits the separation between the faster angular rate dynamics and the attitude angles dynamics, which are slower. The approach achieves a sensible reduction in the control law complexity, that is to say the total number of controller states is decreased with respect to an all-in-one control module. A detailed schematic of the SCAS architecture is depicted in Fig. 9.3, while the detailed graphical description of each module is reported in Fig. 9.4. The variables reported in Fig. 9.4 directly refer to the adaptive model-following theory described in Section 9.1.1. It is, now, worth giving a detailed description about how it is implemented. With reference to the variables of Section 9.1.1, the state, the output, the control and the reference vectors for the outer loop, the angular rates regulator, are set-up as follows:
278
A. Sollazzo, G. Morani, and A. Giovannini
Fig. 9.3 The SCAS architecture
Fig. 9.4 The internal architecture of each SCAS module
x = vTAS , α , φ , θ y = φ, θ u = pdem , qdem , rdem r = φdem , θdem For the inner loop, the variables are set-up as: x = vTAS , α , p, q, r y = p, q, r u = δa , δe , δr r = pdem , qdem , rdem where the control variable, u, is left generically as the ailerons, the elevator and the rudder commands. The design parameters of both the inner and the outer loops consist of a few matrices. First of all, the dynamics of the reference model are expressed in terms of the two matrices Am and Bm with the limitation that the former must be chosen with negative eigenvalues and the latter invertible. The desired error
9
An Adaptive Fault-Tolerant FCS for a Large Transport Aircraft
279
dynamics are chosen by means of Ae . The tuning of this matrix allows the modification of the system performance, in conjunction with the reference model parameters, but it also affects the capability of rejecting noise and disturbances, so it has meaning in terms of the real control system bandwidth. The matrix Q, used in the calculation of the Lyapunov matrix P (see equation 9.12), can be interpreted as a weighting matrix. The tuning of this matrix makes it possible to trade off the tracking requirement, in terms of adaptability, of one or more output variables with respect to the others. Finally, the three parameters γ1 , γ2 and γ3 are used to change the adaptive capability, the higher the values of these parameters, the faster the adaptability. These parameters have been designed by means of a trial and error analysis.
9.1.3 Limitations and Practical Solutions Adaptive model-following is a very robust control technique, but it also requires several strong hypotheses to be verified. The first hypothesis concerns the necessity to avoid unmodelled dynamics. This need arises trivially because the control laws, and particularly the adaptation rules, cannot properly process the dynamics of the system, if this information is incomplete. The invalidity of the aforementioned hypothesis may lead to instability. Some authors [4] express this need by assuming the transmission zeros have a negative real part. Even though the two assumptions are substantially different, they both deal with the same problem. In the case of unmodelled dynamics, they can be made stable in closed loop if the zeros of transmission are located in the negative real half plane. In the benchmark, both the actuators and sensors models do not have a dynamic representation, they only concern the nonlinearities and noise (in the case of the sensors). This is a particularly favourable condition for the adaptive model-following technique and facilitates successful results. The second fundamental hypothesis for adaptive model-following concerns the high frequency gain, that is the CB matrix. This matrix, as already discussed in Section 9.1.1, needs to be full rank. In the benchmark no sensor failures are considered, this avoids problems with the equivalent C matrix, whose rank never decreases. Similar assertions may be made concerning the equivalent B matrix. In fact, even though actuator failures are considered in the benchmark, the high redundancy level of the control devices always ensures a sufficient number of control variables, hence avoiding non-right invertibility issues of the high frequency gain matrix. Finally, adaptive model-following is a control technique for linear plants. This means that the nonlinearities in the plant may give problems, particularly those nonlinearities that cause abrupt variations in the plant behaviour. Some examples of these kinds of nonlinearities are the actuators limits, both in terms of rate and position, but also those like the stall conditions. All the nonlinearities are not treated in the implementation of the adaptive model-following, here discussed. To deal with the actuator limitations, it would be necessary to adopt techniques such as control allocation [8]-[13] or similar techniques to rearrange the control effort [3]. The rearrangement could be based on the knowledge of the limitations concerning the
280
A. Sollazzo, G. Morani, and A. Giovannini
control variables and, in the case of failures, of the current actuator condition. In the FCS here described, the only way to avoid this kind of problem has been to reduce the performance as far as possible without going below an acceptable level. A harder problem is the stall condition. It is always necessary to include a proper envelope protection system. For instance, as is typically done in classical control, it would be possible to consider a module to override the control laws when the flight condition approaches stall. In the case of an FTC technique, in the case of structural damage, this is a very critical topic due to the higher complexity level of such a FCS and the interactions between the control laws and the envelope protection module. Moreover, in the case of heavy structural damage (as in the case of the Bijlmermeer accident [6]) the stall angle may change significantly (from 15 to 8.5 degrees), so, while designing the envelope protection strategy, it is necessary to avoid destructive interactions between the control laws and the stall prevention system. Thus, two opposite philosophies are possible: one could try to identify the new value of the stall angle by means of a proper FDI technique and to use it as a new threshold. The latter would adopt a safety rule by considering blindly a reduction in the supposed stall angle of a certain percentage of the nominal one. This technique was taken into account in order to retain one of the main features of the FCS, that is to say, the absence of an FDI subsystem. On the other hand, this represents a drawback due to the performance reduction caused in all cases that do not involve a stall angle variation with respect to the nominal one. In practice, this assertion relates to all the benchmark cases except for the EL AL 1862 test scenario. This results from the weakness of a strategy that tries to recover stability in the case of severe structural damage without having knowledge of what has actually happened. In the FCS, described here, the stall prevention module involves two actions. The first concerns the attitude angles (φ , θ ), whose references are both limited by means of a couple of variable thresholds that depend on the current value of the angle of attack. The second action refers to the attitude rates (p, q, r), whose references are modified to counteract the stall condition when a stall condition is approached.
9.2 The Classic A/P The Autopilot mode module employs a total of six modes, three longitudinal modes and three lateral modes. Both lateral and longitudinal autopilot modes are designed by means of classical control techniques, involving sequential loop closure, and by adopting schemes that use proportional/integral regulators (see [14]). A list of the modes is given in the following table. Moreover, in addition a classical autothrottle module has been designed for true airspeed regulation.
9.3 Numerical Validation The Fault-Tolerant FCS has been tested by means of the benchmark software environment, described in chapter 6. The SCAS architecture has been customised in terms of the control variables, u, to match the control effectors set. The full set of
9
An Adaptive Fault-Tolerant FCS for a Large Transport Aircraft
281
Table 9.1 List of Autopilot available modes Longitudinal
Lateral
Altitude Hold/Select Heading Hold/Select Glideslope Intercept Localizer Intercept Approach Lon Approach Lat
Table 9.2 List of control variables variable description
δaiL δaiR δaoL δaoR δsp δspb δe i δe o δr u δr l ih Δ th
the left inboard aileron command the right inboard aileron command the left outboard aileron command the right outboard aileron command the spoilers command the speedbrakes command the inboard elevators command the outboard elevators command the upper rudder command the lower rudder command the horizontal stabilizer command the differential throttle command
control variables is reported in Table 9.2. It is worth adding that the A/P module provides the demand for the attitude angles, φ and θ , and the mean value of the throttle command to the engines. The benchmark environment includes a detailed model of the vehicle, and is able to reproduce the actual behaviour even in faulty conditions. Figures 9.5 and 9.6 report the considered surface failure scenarios and the EL AL 1862 flight failure condition [6], [7]. The FCS has been tested in the face of each failure condition, while performing all the available manoeuvres (see chapter 6 for details). These manoeuvres represent the four phases of an emergency landing manoeuvre after a failure occurs during the initial climb phase. These manoeuvres are: straight flight, a right turn and localizer beam intercept, glideslope beam intercept and the final approach. All the tests have been carried out in turbulence and windy (uwind = 11 m/s, vwind = 12 m/s, wwind = 0 m/s) conditions. The results of the numerical tests are reported in terms of time histories of the main quantities with respect to the fixed manoeuvre along with their desired and acceptable limits (see chapter 7 for details). Even though all the combinations of faulty conditions and manoeuvres have been explored, it is not practical to report all the figures here. Only the most meaningful results are reported here and, at the end of the section, a table with a summary of the test results is added to give an overview of the fault-tolerance achieved thanks to the proposed FCS.
282
A. Sollazzo, G. Morani, and A. Giovannini
Fig. 9.5 The surfaces failure scenario
Fig. 9.6 The EL AL 1862 flight failure scenario
One of the worse failure cases is the rudder runaway. In this situation, the rudder generates a strong yawing moment that reduces the directional manoeuvrability. This problem is particularly evident in the case of the right turn manoeuvre (see Fig.9.7), when it is necessary to generate a yawing moment opposite to the disturbing one to perform the turn. The performance is not really good, but stability is maintained. The loss of the vertical fin seems not to be a critical failure (see Fig.9.8). The adaptive FCS is able to handle this condition without any problem, the performances
9
An Adaptive Fault-Tolerant FCS for a Large Transport Aircraft
Right Turn and LOC intercept
λ [deg]
States with specs 5
1
0
0.5 0
50
100
150
90 50
100
150
200
q [deg/s]
40 20 0 −20 −40
0 0
50
100
150
200
2 α [deg]
r [deg/s]
p [deg/s]
0 2
−2
0
200
100
φ [deg]
vTAS [m/s]
−5
0 −2
0
50
100
150
nz 0
50
100
150
200
0.4
0.6
0.8
1
0
50
100
150
200
0
50
100
150
200
0
50
100
150
200
0
50
100
150
200
0
50
100
150
200
0 −2 15 10 5 0
2 0 −2 0
50
100
150
200
0 −2
RCmax [m/s]
β [deg]
0.2
2
0
ny
0
2
200
10
−10
283
4 2 0 −2 −4
Fig. 9.7 Right turn and Localizer intercept with rudder runaway
Right Turn and LOC intercept
λ [deg]
States with specs 5
1
0
0.5 0
50
100
150
90 50
100
150
200
q [deg/s]
40 20 0 −20 −40
0 0
50
100
150
200
2 α [deg]
r [deg/s]
p [deg/s]
0 2
−2
0
200
100
φ [deg]
vTAS [m/s]
−5
0 −2
0
50
100
150
0.6
0.8
1
0
50
100
150
200
0
50
100
150
200
0
50
100
150
200
0
50
100
150
200
0
50
100
150
200
0 −2 15 10 5 0
nz 0
50
100
150
200
2 0 −2 0
50
100
150
200
0 −2
RCmax [m/s]
β [deg] ny
0.4
2
0 −10
0.2
2
200
10
0
4 2 0 −2 −4
Fig. 9.8 Right turn and Localizer intercept with loss of vertical tail
284
A. Sollazzo, G. Morani, and A. Giovannini
States with specs
glideslope intercept vTAS [m/s]
Γ [deg]
1 0 −1
0
50
100
100
150
10 5 0 0
50
100
50
100
150
0
50
100
150
0
50
100
150
0
50
100
150
0
50
100
150
0 −2
150
2 r [deg/s]
2 q [deg/s]
0 2 p [deg/s]
α [deg]
15
0 −2
90
0
50
100
0 −2
150
0 −2
RCmax [m/s]
λ [deg]
2
0 −2 −4 −6 −8
0
50
100
0 −5
150
2 γ [deg]
nZ [g]
5
0 −2 −4
0
50
100
150
Fig. 9.9 Glideslope beam intercept with elevators stuck
are also acceptable. The stuck elevator failure also does not represent a critical condition in any of the considered manoeuvres, thanks to the stabilizer being used as an alternative control surface. As an example the glideslope intercept manoeuvre is considered, and it is evident the control laws manage the failure with no difficulties (see Fig.9.9). However, the stabilizer runaway is a quite important failure. During the glideslope intercept, it is evident (see Fig.9.10) that the pitch down disturbing moment, generated by the failed stabilizer, makes the aircraft dive quickly. The control laws ”work hard” to react and to reach the proper altitude to follow the beam. Here, the absence of an FDI subsystem is evidently a drawback. The control laws suppose all the surfaces are available and the control effort is distributed on this basis. If FDI information is available, starting from the knowledge of the failure, all the control effort would have been moved onto the elevators. In Fig.9.11 the whole manoeuvre is performed in the case of rudder runaway. As discussed earlier the right turn is the critical phase, but in this case the failure occurs during the early straight flight, so the aircraft has time to acquire a proper attitude to approach the turn and the successive phases of the manoeuvre. The EL AL 1862 failure scenario is surely the most difficult condition (see Fig.9.12). This failure is particularly critical not only due to the reduced number of control effectors available, but also due to the structural damage on the right wing that makes strong and abrupt variations in the inertial and aerodynamical parameters, such as the stall angle. This important parameter is significantly reduced
9
An Adaptive Fault-Tolerant FCS for a Large Transport Aircraft
States with specs
glideslope intercept 100
vTAS [m/s]
Γ [deg]
1 0 −1
0
50
100
90
150
10 5 0
50
100
150
0
50
100
0
50
100
150
0
50
100
150
0
50
100
150
0
50
100
150
0 −2
150
2 r [deg/s]
2 q [deg/s]
0 2 p [deg/s]
α [deg]
15
0 −2
285
0
50
100
0 −2
150
0 −2
RCmax [m/s]
λ [deg]
2
0 −2 −4 −6 −8
0
50
100
0 −5
150
2 γ [deg]
nZ [g]
5
0 −2 −4
0
50
100
150
Fig. 9.10 Glideslope beam intercept with stabilizer runaway
States 20 φ [deg]
p [deg/s]
10 0 −10
0
100
200
300
400
0 −20
500
0 −1
0
100
200
300
400
r [deg/s]
ψ [deg] 0
100
200
300
400
300
400
500
0
100
200
300
400
500
0
100
200
300
400
500
100
200
300
400
500
100
200
300
400
500
100
200
300
400
500
200 0
500
800 h [m]
95 vTAS [m/s]
200
400
0
90 85
100
5 0
500
5
−5
0
10 θ [deg]
q [deg/s]
1
0
100
200
300
400
500
600 400
0 4
0 x [m]
α [deg]
8 6 4
0
100
200
300
400
−2 −4
500
x 10
0 4
x 10 1 y [m]
β [deg]
20 0 −20
0
100
200
300
400
500
0 −1
0
time [s]
Fig. 9.11 Entire emergency manoeuvre with rudder runaway
time [s]
286
A. Sollazzo, G. Morani, and A. Giovannini
States 10 φ [deg]
p [deg/s]
20 0
0 −20
−10
0
100
200
300
400
500
0
100
200
300
400
500
0
100
200
300
400
500
0
100
200
300
400
500
100
200
300
400
500
0
100
200
300
400
500
0
100
200
300
400
500
θ [deg]
q [deg/s]
10 2 0
0
100
200
300
400
0
500
400 ψ [deg]
2 r [deg/s]
5
−2
0 −2
300 200
0
100
200
300
400
500
600 h [m]
vTAS [m/s]
140 135 130
0
100
200
300
400
400 200
500
0 4
0 x [m]
α [deg]
10 5 0
0
100
200
300
400
y [m]
β [deg]
10000
0 −5
−2 −4
500
5
x 10
0
100
200
300
400
500
5000 0 −5000
Fig. 9.12 Entire emergency manoeuvre in the case of flight EL AL 1862 failure scenario
as a result of the damage. As the right turn phase starts, the angle of attack increases quickly, approaching the new stall value, thus a persistent oscillation arises, slightly damped, but it only fades out when the right turn is almost accomplished. The following table gives a summary of the test results. First of all it is necessary to define a classification able to give an idea of the overall effectiveness of the FCS to achieve stable flight and, if possible, good quality of performance. A four levels scale is used as follows: • Not critical (). The failure condition is not critical both in terms of stability and performance achieved; • Negligibly critical (). The failure does not compromise the stability, but the performances are slightly degraded; • Critical (). The failure results in strong reduction in performance even though stability can be maintained; • Dramatically critical (•). The failure causes instability; It is evident that stuck elevators, stuck ailerons and the loss of the vertical tail are easily manageable failure conditions. However, stabilizer runaway and even more dramatically rudder runaway are critical failure conditions. Finally, the EL AL 1862 failure case is quite manageable by means of the adaptive FCS, even though it is not always possible to achieve acceptable performances.
9
An Adaptive Fault-Tolerant FCS for a Large Transport Aircraft
287
Table 9.3 Summary of results Straight Flt RT and LOC Glideslope Full Manoeuvre Stuck Elevators Stuck Ailerons Stabilizer runaway Rudder runaway Loss of Vertical Tail EL AL 1862 case
•
9.4 Future Development In this section some preliminary results of further developments are shown. A Control Allocation module is used to improve robustness of the closed loop system and to achieve a better management of the control effector ranges. The module exploits the Active Set method whose original implementation is fully discussed in [10]. With reference to the scheme of Fig.9.1, the aforementioned module would need a FDI module (not developed yet) and so a strong hypothesis is made here. A simple actuator monitoring system is assumed to be present and fully efficient, thus a stuck or runaway failure is supposed to be accurately reported within a delay of 4 seconds. It is worthwhile remarking that the only data the monitor provides, is a logical one such as healthy/failed and therefore information about the kind of failure which has occurred or the position of the failed surface are not assumed to be available. Two failure conditions make evident the improvement which can be achieved by adopting a control allocation strategy in conjunction with the adaptive model
Fig. 9.13 Rudder runaway failure case, improvements achievable thanks to control allocation: trajectory
A. Sollazzo, G. Morani, and A. Giovannini
20
400
15
350 ψ [deg]
φ [deg]
288
10 5 0 −5
300 250 200
0
50
100
150
150
200
5
0
50
100
150
200
0
50
100
150
200
4
r [deg/s]
p [deg/s]
2 0
−5
0 −2
−10
0
50
100
150
−4
200
10000
y [m]
5000
0
AMF AMF+CA
−5000
0
20
40
60
80
100
120
140
160
180
200
220
(a) Upper Rudder [deg]
25 20 15
AMF AMF+CA
10 5 0
0
20
40
60
80
100
120
140
160
180
200
220
0
20
40
60
80
100
120
140
160
180
200
220
0
20
40
60
80
100
120
140
160
180
200
220
0
20
40
60
80
100
120
140
160
180
200
220
Inner Ailerons [deg]
20 10 0 −10 −20
Outer Ailerons [deg]
20 10 0 −10 −20 −30
Throttles [pu] (eng 1,2 − eng 3,4)
2
1.5
1
0.5
(b) Fig. 9.14 Rudder runaway failure case, improvements achievable thanks to control allocation: time histories
following, one is the rudder runaway while performing the right turn manoeuvre. Figure 9.13 shows both the achievable trajectory with and without the Control Allocation module. Moreover, in Fig.9.14 the time histories of some state variables are reported. The black dashed lines represent the results obtained with the control allocation, while the blue solid lines represent the ‘adaptive only’ technique. It is evident how the control allocation module gives smoother manoeuvres. The second condition chosen is the horizontal stabilizer failure, while flying straight and with level wings. The results are reported in Fig.9.15, using the line style meaning as previously used. The improvements achieved are evident.
9
An Adaptive Fault-Tolerant FCS for a Large Transport Aircraft
98
7 6 α [deg]
94
V
TAS
[m/s]
96
92 90
289
5 4 3
0
10
20
30
40
2
50
10
0
10
20
30
40
50
0
10
20
30
40
50
2 1 q [deg/s]
θ [deg]
5
0
0 −1
−5
0
10
20
30
40
−2
50
altitude [m]
700 600 500 AMF
400
AMF+CA 300
0
5
10
15
20
25
30
35
40
45
50
(a) 3
Stabilizer [deg]
2.5 AMF AMF+CA
2 1.5 1 0.5 0
0
5
10
15
20
25
30
35
40
45
50
0
5
10
15
20
25
30
35
40
45
50
0
5
10
15
20
25 time [s]
30
35
40
45
50
Inner Elevators [deg]
0 −5 −10 −15 −20 −25
Outer Elevators [deg]
−4 −6 −8 −10 −12 −14 −16
(b) Fig. 9.15 Stabilizer runaway failure case, improvements achievable thanks to control allocation
9.5 Conclusions The numerical tests demonstrate that the adaptive model-following technique can be applied successfully to recover from the surface failures in the presence of sufficient remaining control efficiency. In the face of structural damage, (El Al 1862 case) the control laws adopted are again efficient as long as their applicability hypotheses remain valid, that is to say controllability, observability and the absence of unmodelled dynamics. In fact, the main weak point of the FCS, as has been shown by the numerical tests, is the poor ability to recover steady flight, while the envelope limits are exceeded. In this condition the aircraft behaviour abruptly changes, thus representing a critical situation for the adaptive control and a real threat to stability. This condition is particularly critical in the case of structural damage, when
290
A. Sollazzo, G. Morani, and A. Giovannini
the envelope limits may change significantly. A proper solution should be adopted to achieve more efficient envelope protection, so preserving the validity of the hypotheses necessary for the applicability of the adaptive control technique. Concerning the performances achieved in faulty conditions, it is fair to say that they are slightly degraded if compared with those of the nominal conditions. In detail, in the case of surface damage, the performance loss is not so evident, but in the case of structural damage, the behaviour of the aircraft is significantly different from the nominal case. Furthermore, the aircraft dynamics are also made worse by the flight conditions which are really close to the stall limit. It is worthwhile remarking that, in the case of stuck surfaces, the damaged ones are considered locked at a nearly neutral position. In these conditions, the disturbing moment which is generated is almost negligible, thus the unfailed surfaces are efficient enough to provide the manoeuvrability necessary for attitude control. This is the reason that these failure conditions are quite simple to recover from. In the case of surfaces locked out of their neutral position (e.g. see the stabilizer and rudder runaway), the adaptive model-following control laws may not be sufficient to recover stable flight and they need the help of a specific technique such as control allocation - along with a broader set of information about the current state of the actuators (need of a FDI subsystem). The adaptive model-following scheme represents an attractive starting point to build up a fault-tolerant FCS. That is to say, it can be used successfully as the core control law, but it should be integrated with several other modules such as a control allocation system (to efficiently and quickly redistribute the control effort) a FDI subsystem (for providing information to the control allocation system to give information about the new flight envelope limits) and to ensure a consolidated set of feedback signals. A further optional module could be a proper supervisor able to reconfigure the trajectories starting from knowledge of the current flight envelope limits (e.g. right turn not safe but left turn possible) and the control devices availability.
References 1. Patton, R.J.: Fault-Tolerant Control Systems: The 1997 Situation. In: Proc. of the IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes, vol. 2 (1997) 2. Kim, K.S., Lee, K.J., Kim, Y.: Reconfigurable Flight Control System Design Using Direct Adaptive Method. Journal of Guidance, Control, and Dynamics 26(4) (2003) 3. Tandale, M., Valasek, J.: Structured Adaptive Model Inversion Control to Simultaneously Handle Actuator failure and Actuator Saturation. In: Proc. of the AIAA Guidance, Navigation and Control Conf. (2003) 4. Bodson, M., Groszkiewicz, J.E.: Multivariable Adaptive Algorithms for Reconfigurable Flight Control. IEEE Transactions on Control Systems Technology 5(2) (1997) 5. Boskovic, J.D., Mehra, R.K.: Multiple-Model Adaptive Flight Control Scheme for Accommodation of Actuator Failures. Journal of Guidance, Control, and Dynamics 25(4) (2002)
9
An Adaptive Fault-Tolerant FCS for a Large Transport Aircraft
291
6. Smaili, M.H.: Flight Data Reconstruction and Simulation of the 1992 Amsterdam Bijlmermeer Airplane Accident. In: AIAA Modeling and Simulation Technologies Conf. (2000) 7. Smaili, M.H., Breeman, J., Lombaerts, T.J., Joosten, D.A.: A Simulation Benchmark for Integrated Fault Tolerant Flight Control Evaluation. In: AIAA Modeling and Simulation Technologies Conf. (2006) 8. Durham, W.C.: Constrained Control Allocation. AIAA Journal of Guidance, Control, and Dynamics 16(4) (2002) 9. Bodson, M.: Evaluation of Optimization Methods for Control Allocation. AIAA Journal of Guidance, Control, and Dynamics 25(4) (2002) 10. Harkegard, O.: Efficent Active Set Algorithms for Solving Constrained Least squares Problems in Aircraft Control Allocation. In: Proc. of the 41st IEEE Conf. on Decision and Control (2002) 11. Virnig, J., Bodden, D.: Multivariable Control Allocation and Control Law Conditioning when Control Effector Limit. In: Proc. of the AIAA Guidance, Navigation and Control Conf. (2000) 12. Enns, D.: Control Allocation Approaches. In: Proc. of the AIAA Guidance, Navigation and Control Conf. (1998) 13. Buffington, J., Chandler, P.: Integration of on-line system identification and optimizationbased control allocation. In: AIAA Guidance, Navigation, and Control Conf. (1998) 14. van Keulen, R.: Real-time Simulation and Analysis of the Automatic Control System of the Boeing 747/200. MA Thesis, Technical University of Delft (1991)
Chapter 10
Subspace Predictive Control Applied to Fault-Tolerant Control Redouane Hallouzi and Michel Verhaegen
10.1 Introduction Subspace identification is a technique that can be used for identification of statespace models from input-output data. This technique has drawn considerable interest in the last two decades [1, 2], especially for linear time-invariant systems. A reason for this is the efficient way in which models are identified for systems of high order and with multiple inputs and outputs. Subspace identification can be used to form a subspace predictor for prediction of future outputs from past input-output data and a future input-sequence. This subspace predictor can be computed without realization of the actual state-space models, which significantly reduces computational requirements. In [3] the subspace predictor has been combined with model predictive control [4], resulting in a control algorithm that has been given the name subspace predictive control (SPC). In SPC, the output predicted by the subspace predictor is part of the cost function of the predictive controller. As a result of the subspace predictor being generated completely from input-output data, the SPC algorithm is a data-driven one. In this chapter, which is partly based on [5], extensions are made to the SPC algorithm that include the derivation of the subspace predictor in a stochastic closed-loop setting and the recursive update of this predictor. In previous papers in which SPC has been used [3, 6, 7], the subspace predictor has been derived using open-loop subspace identification techniques. However, when the SPC algorithm is active, the data gathered to update the predictor inherently is closed-loop data. It has been proven that using closed-loop data from a stochastic system for subspace identification Redouane Hallouzi ReliaCon, Rotterdamseweg 145, 2628AL Delft, The Netherlands e-mail:
[email protected] Michel Verhaegen Delft University of Technology, Delft Center for Systems and Control, Mekelweg 2, 2628CD Delft, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 293–317. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
294
R. Hallouzi and M. Verhaegen
results in a biased predictor [8]. Therefore, a number of different methods have appeared in literature to deal with this issue [8, 9, 10]. Most of these methods require explicit knowledge of the controller or are based on (overly) stringent assumptions that limit their applicability. Recently, a practically applicable closed-loop subspace identification method that does not require explicit knowledge of the controller has been developed in [11]. Based on this method a subspace predictor under closed-loop conditions can be derived [12], which is also used in this chapter. Another novel feature of the SPC algorithm presented in this chapter is the way in which the subspace predictor is updated in a recursive manner. This updating scheme differs from others that are based on the “receding horizon” principle, such as, for example, the scheme proposed in [6]. In the “receding horizon” updating scheme the predictor is based on input-output data from a fixed time window lagging behind the current time sample. In the recursive updating scheme new data is appended to the old data, which is discounted with an exponential forgetting factor. This scheme has the advantage that it can be implemented in a computationally efficient manner by using Givens rotations [13]. The implementation of SPC as an adaptive controller makes it very suitable for fault-tolerant control (FTC) of aircraft. Most FTC systems deal with faults by using pre-designed or parameter dependent controllers depending on the type of fault that has occurred [14]. These systems require that the faults either be known in advance or be modelled by a variation of specific parameters [15, 16, 17]. In this way control designs can be made for each anticipated fault. Besides the fact that this approach can be very involved, unanticipated faults or faults that cannot be modelled by parameter changes such as severe structural damage can occur. An advantage of SPC is that it can adapt on-line to this type of fault. This property is the result of the subspace predictor that is continuously updated using new input-output data. The main contribution of this chapter is to display the usefulness of SPC for realistic FTC problems. The developed SPC-based FTC system is applied to the benchmark model. Simulations are performed with this model, in which the objective is to fly a pre-defined flight trajectory even after the occurrence of a number of critical faults. The considered fault conditions are stuck control surfaces and the fault condition of the aircraft during the disaster with EL AL flight 1862, that crashed into an apartment building in Amsterdam in 1992. This disaster is also referred to as the “Bijlmerramp”. Most aircraft flying today have control laws that are designed using classical single-loop control methods. These methods are preferable over multivariable control methods from a clearance point of view [18]. However, single-loop control methods are likely to display a degraded performance in case of faults that cause cross-couplings between flight modes. These cross-couplings are the result of loss of symmetry of the aircraft after faults. Multivariable control methods can cope better with these cross-couplings because they simultaneously achieve several control objectives. Multivariable control methods are therefore to be preferred over singleloop control methods from an FTC point of view [19, 20]. This is one of the reasons that research into multivariable flight control recently has attracted considerable
10
Subspace Predictive Control Applied to Fault-Tolerant Control
295
interest. From this perspective the FTC application of SPC, which is also a multivariable control method, is well motivated. This chapter is organized as follows. First, the architecture of the FTC system is explained in Section 10.2. Subsequently, the closed-loop SPC algorithm is described in Section 10.3. In Section 10.4 the mechanism that (re-)configures the SPCbased FTC system is explained. The simulation results of this system applied to the benchmark given in Section 10.5. Section 10.6 explains how the proposed FTC is implemented in a real-time simulation environment. Finally, concluding remarks are provided in Section 10.7.
10.2 Architecture of the Fault-Tolerant Control System The architecture of the SPC-based FTC system consists of two control loops. The task of the outer control loop is to provide reference signals for the manipulated variables to be tracked by the inner loop. The manipulated variables are roll angle φ , pitch angle θ , and true airspeed VTAS , each of which is a function of one of three controlled variables. These controlled variables are the altitude h, the heading angle ψ , and the true airspeed VTAS , respectively. A desired flight trajectory can be generated by choosing appropriate reference signals for the controlled variables. The architecture of the SPC-based FTC system is depicted in Fig. 10.1. In this figure it can be seen that, besides the two control loops, a fault isolation system is present. Both the control loops and the fault isolation system are explained in more detail in the following.
href , ψref , VTAS,ref
Trajectory Generation
φref , θref , VTAS,ref
SPC
us
y Aircraft
Fault Isolation Fm Fig. 10.1 Architecture of the SPC-based FTC system.
10.2.1 Control Loops The outer loop is implemented by means of a straightforward proportional integral derivative (PID) scheme. In order to track a desired altitude href , a pitch angle command is generated as follows
296
R. Hallouzi and M. Verhaegen
θref = Pθ (h − href ) + Iθ
0
(h − href )dt + Dθ
d(h − href ) , dt
(10.1)
where Pθ , Iθ , and Dθ are design parameters that determine the behaviour of the outer loop. The desired heading angle ψref is tracked by issuing a roll angle command to the inner loop. This command is generated as follows
φref = Pφ (ψ − ψref ) + Iφ
0
(ψ − ψref )dt + Dφ
d(ψ − ψref ) , dt
(10.2)
where Pφ , Iφ , and Dφ are the design parameters. An anti-windup scheme is implemented for both (10.1) and (10.2) to prevent the integrators from continuing to integrate in case of saturated control signals. The command for true airspeed is generated in the outer loop by directly issuing the true airspeed command to the inner loop. The inner loop is implemented using SPC, which is explained in detail in Section 10.3.
10.2.2 Fault Isolation When SPC is used for FTC, in principle no fault information is required because SPC has the ability to adapt to changed system conditions. However, this adaptation process can take some time. In case of anticipated faults the adaptation can be expedited by using prior knowledge of the fault. This prior knowledge includes information as to which controls should be used to accommodate the anticipated fault. The requirement for the fault isolation scheme used in this chapter is therefore to obtain this information by determining which controls cannot be used anymore due to anticipated faults. This requirement is more easily achieved than the requirements for fault detection and isolation (FDI) systems commonly used for FTC. For unanticipated faults a more general scheme is used that contains a number of redundant controls. An important requirement for FDI systems commonly used for FTC is that the faults should be estimated with a certain accuracy, since they are directly used by the FTC system [15, 21, 16]. If these faults are not estimated accurately enough, poor performance of the FTC system may result. There also exist methods that explicitly take uncertainty of the FDI information into account, such as for example the methods developed in [22]. A requirement for the application of these methods is that the uncertainty of the FDI information must be known. Obtaining this uncertainty, however, is not a straightforward task. Therefore, the SPC algorithm uses a different philosophy to deal with fault model uncertainty. This philosophy is to let the controller adapt to a changing system using available input-output data. In this way, no fault model is used and also no fault model uncertainty is required. Fault isolation is implemented by using multiple-model estimation. A multiplemodel system consists of a model set that contains local models, each corresponding to a specific condition of the system. In an FDI setting, the local models usually represent different fault conditions of the monitored system [23]. Besides fault models, the model set also contains the nominal fault-free model of the system. When the
10
Subspace Predictive Control Applied to Fault-Tolerant Control
297
system is in its fault-free operation mode, the model corresponding to the nominal case has maximum activation, which corresponds to a model weight of one, and all other models in the model set have a model weight of zero (minimum activation). In case of a fault, one or more of the local models corresponding to faults have model weights greater than zero. The model set used for fault isolation is derived using the convex model structure presented in [24] and the model set design method presented in [25]. Since the local models in this model set are valid in a limited region around the operating point at which they have been derived, they are used accordingly. This means that fault isolation is performed only near this operating point in the simulations.
10.3 Closed-Loop Subspace Predictive Control The SPC algorithm [3] elegantly combines a subspace predictor with a generalized predictive control law. When the subspace predictor is updated recursively, SPC has the ability to adapt to unanticipated conditions. In this section, it is first explained how the subspace predictor is derived in a closed-loop setting and how it can be updated recursively, then it is explained how the predictor is integrated with a predictive controller.
10.3.1 Closed-Loop Subspace Predictor Contrary to previous papers in which SPC was used [3, 6, 7], the subspace predictor is derived using closed-loop identification techniques. In these previous papers, open-loop identification techniques were used under closed-loop conditions. This results in a biased predictor due to correlation between inputs and measurement noise [8]. In [9] an SPC method has been described, in which the subspace predictor is based on a closed-loop identification method, but this method is based on explicit controller knowledge and also assumes that the controller is time-invariant. This assumption prohibits the use of SPC as an adaptive controller. Therefore, the subspace predictor is derived using the closed-loop identification techniques developed in [11], which do not have the aforementioned limitations. In [12] a complete explanation is given of how these identification techniques can be used to derive a subspace predictor that can be integrated with a predictive control law. In this section, only the elementary steps are treated. 10.3.1.1
Derivation of the Subspace Predictor
The model considered for deriving the subspace predictor is a state-space model in innovation form xk+1 = Axk + Buk + Kek , yk = Cxk + ek ,
(10.3) (10.4)
298
R. Hallouzi and M. Verhaegen
where xk ∈ Rn is the state of the system, uk ∈ Rm is the input of the system, yk ∈ Rl is the output of the system, and ek is assumed to be a zero-mean white noise sequence. The matrices A, B, C, and K are the state-space matrices that describe the system. The model described by (10.3)-(10.4) can also be written as xk+1 = Φ xk + Buk + Kyk ,
(10.5)
where Φ = A − KC is assumed to be stable. Subspace identification is based on relations between matrices that are systematically filled with input-output data. Two of such data matrices that are required for the derivation of the subspace predictor are created as follows (10.6) Yk = yk yk+1 · · · yk+ j−1 , ⎤ ⎡ uk−p uk−p+1 · · · uk−p+ j−1 ⎢ yk−p yk−p+1 · · · yk−p+ j−1⎥ ⎥ ⎢ ⎢uk−p+1 uk−p+2 · · · uk−p+ j ⎥ ⎥ ⎢ ⎥ ⎢ Z[k−p,k) = ⎢yk−p+1 yk−p+3 · · · yk−p+ j ⎥ , (10.7) ⎥ ⎢ .. .. .. ⎥ ⎢ . . ··· . ⎥ ⎢ ⎣ uk−1 uk · · · uk+ j−2 ⎦ yk−1 yk · · · yk+ j−2 where p denotes the “past” time horizon, the subscript [k − p, k) denotes the range of the time indices of the first column of Z[k−p,k) , and j denotes the number of columns that is used to create the data matrix Z[k−p,k) . Usually it holds that j p. Let f denote the “future” time horizon, then the following matrix relation can be derived [11, 12] ⎤ ⎤ ⎡ ⎤ ⎡ ⎡ 0 0 ··· 0 Ek Yk ⎢ Ek+1 ⎥ ⎢ Yk+1 ⎥ ⎢ C[B K] 0 · · · 0⎥ ⎥ ⎥ ⎢ ⎥ ⎢ ⎢ Z[k,k+ f ) + ⎢ . ⎥ ⎥ ⎢ .. ⎥ = ⎢ .. . . . .. . . .. ⎦ ⎣ .. ⎦ ⎣ . ⎦ ⎣ . Yk+ f −1 Ek+ f −1 CΦ f −2 [B K] · · · C[B K] 0 ⎡ s−1 ⎤ s−2 ··· ··· C[B K] CΦ [B K] CΦ [B K] · · · s−1 [B K] · · · ⎢ 0 C Φ · · · · · · C Φ [B K] ⎥ ⎢ ⎥ +⎢ ⎥ Z[k−p,k) , .. .. . . . . . . . . ⎣ ⎦ . . . . . . s−1 f −1 0 ··· 0 CΦ [B K] · · · CΦ [B K]
(10.8)
where Ek+i and Yk+i , ∀i ∈ {0, 1, . . . , f − 1}, are defined in a similar manner as Yk in (10.6). Note that an important property of (10.8) is that the first block row does not depend on “future” inputs, i.e. uk , ∀i ∈ {0, 1, . . . , f − 1}. It is this property that allows for an unbiased estimate of the system matrices. In order to estimate the predictor, it suffices to only consider the first block row, which can be written in the compact form (10.9) Yk = Ξ0 Z[k−p,k) + Ek .
10
Subspace Predictive Control Applied to Fault-Tolerant Control
299
Subsequently, Ξ0 can be estimated by solving the least squares problem
Ξˆ 0 = arg min Yk − Ξ0Z[k−p,k) 2F . Ξ0
(10.10)
This least squares problem can be solved by performing an RQ-decomposition [13] R
. /, -
Z[k−p,k) 0 QT1 R = 11 , R21 R22 QT2 Yk
(10.11)
from which the estimate Ξˆ 0 can be computed as
Ξˆ 0 = R21 R−1 11 .
(10.12)
Let t denote the current time instant, then based on the estimate Ξˆ 0 , a subspace predictor of the following form can be derived wp
Λr .⎡ /, ⎤- . /, . /, ⎡ ⎤ ⎡ ⎤ u ⎡ Λ1 0 Γ1 ⎢ t−p⎥ yˆt+1 ⎢ yˆt+2 ⎥ ⎢ Γ2 ⎥ ⎢yt−p⎥ ⎢ ⎥ ⎢ ⎥ ⎢ . ⎥ ⎢ Λ2 Λ1 ⎢ ⎢ .. ⎥ = ⎢ .. ⎥ ⎢ .. ⎥ + ⎢ .. ⎥ ⎢ . ⎣ . ⎦ ⎣ . ⎦⎢ . ⎣ut−1⎦ ⎣ .. Γf −1 yˆt+ f −1 Λ Λ f −1 f −2 yt−1 Γr
··· .. . .. . ···
⎤0 ⎡ ut ⎤ .. ⎥ ⎢ u t+1 ⎥ .⎥ ⎥ ⎥⎢ , ⎢ ⎥ ⎣ .. ⎥ ⎦ . ⎦ 0 Λ1 ut+ f −2
(10.13)
where Γr and Λr are the desired subspace predictor matrices and the parameters Γi and Λi can be constructed from Ξˆ 0 as i−1
Γi = Ξˆ i + ∑ Cˆ Φˆ i− j−1 Kˆ Γj ,
(10.14)
j=0
i−1
Λi = Cˆ Φˆ i−1 Bˆ + ∑ Cˆ Φˆ i− j−1 Kˆ Λ j ,
(10.15)
j=1
ˆ The parameters Ξˆ i , ∀i ∈ {1, . . . , f − 1} can be conwith Γ0 = Ξˆ 0 and Λ1 = Cˆ B. ˆ structed from Ξ0 by using the relation ⎡ ˆ ˆ s−1 ˆ ˆ ˆ ˆ s−2 ˆ ˆ CΦ [B K] CΦ [B K] ˆ ⎢ 0 Cˆ Φˆ s−1 [Bˆ K] ⎢ ⎢ .. . .. ⎣ . 0 ···
··· ··· ··· ··· .. .. . . ˆ 0 Cˆ Φˆ s−1 [Bˆ K]
⎤ ⎡ ˆ ⎤ ˆ Bˆ K] ˆ ··· C[ Ξ0 ˆ ⎥ ⎢ Ξˆ 1 ⎥ · · · Cˆ Φˆ [Bˆ K] ⎥ ⎥ ⎢ ⎥=⎢ . ⎥, .. .. ⎦ ⎣ .. ⎦ . . ˆ · · · Cˆ Φˆ f −1 [Bˆ K] Ξˆ f −1
(10.16)
where the matrix on the left-hand side of (10.16) is an estimate of the corresponding matrix from (10.8).
300
10.3.1.2
R. Hallouzi and M. Verhaegen
Recursive Implementation of R-Update
For the construction of the data matrices Yk and Z[k−p,k) explained in the previous section it was assumed that input-output data was present from time instants: k − p, k − p + 1, . . ., k + j − 1. For an adaptive implementation of the subspace predictor, the predictor matrices should be recomputed again each time new data becomes present, i.e. at each sample time. In case of the receding horizon updating scheme, this would mean that new data matrices Yk+1 and Z[k−p+1,k+1) must be generated using data from time instants: k − p + 1, k − p + 2, . . ., k + j. Subsequently, a new estimate for the predictor matrices could be obtained by computing the RQdecomposition from (10.11) based on the new data matrices. However, computing such an RQ-decomposition at each sample time can become computationally expensive for large data matrices. This computation can be prevented by using Cholesky updating and downdating of the R-matrix [6]. The principle of this method is that old data is removed in the downdating step and new data is included in the updating step. These two steps combined require much less computational effort than computing the whole RQ-decomposition. A drawback of using Cholesky updating and downdating is that matrix RRT is required to be positive definite at any time. However, this cannot be guaranteed. Therefore, a recursive updating scheme of the R-matrix is used, which is similar to the one developed in [26]. This recursive updating scheme differs from the “receding horizon” scheme in the fact that it does not use a fixed window of data. Instead, new data is appended to the old R-matrix, after it is discounted with an exponential forgetting factor. The recursive updating scheme is explained in the following. Let the upper left and bottom left block matrix of R at time instant t − 1 (R(t − 1)) be denoted by R11 (t − 1) and R21 (t − 1), respectively. If new data becomes available at time instant t, a new vector [wTp ytT ]T can be created, where w p is defined in (10.13). This vector can be used to update matrix R(t − 1). The updating step consists of firstly appending [wTp ytT ]T to [R11 (t − 1)T R21 (t − 1)T ]T . Subsequently, by applying a sequence of orthogonal Givens rotations [13], the matrix is made lower triangular, i.e. updated. This sequence of manipulations is described in the following equation # "√
R11 (t) 0 λ R (t − 1) w p 11 √ Ω= , (10.17) R21 (t) y˜t λ R21 (t − 1) yt where Ω denotes the sequence of orthogonal transformations and R11 (t) (which is lower triangular) and R21 (t) are the matrices from which an updated Ξˆ 0 can be computed according to (10.12). A more detailed explanation of how Ω can be computed is given in [25]. Note that R33 is not considered in the updating process because it does not influence the computation of R11 (t) and R21 (t). Also, in (10.17) a forgetting factor λ ∈ [0, 1] is implemented to discount old data. The smaller the value of λ that is chosen, the more old data is discounted.
10
Subspace Predictive Control Applied to Fault-Tolerant Control
301
10.3.2 Closed-Loop Subspace Predictor Integrated with a Predictive Control Law The predictive control problem can be formulated as follows. Given a future reference output r f = [rt+1 rt+2 . . . rt+Np ] and a prediction of the outputs yˆ f = [yˆt+1 yˆt+2 . . . yˆt+Np ], find an input sequence u f = [ut ut+1 . . . ut+Nc −1 ] such that the following quadratic cost function is minimized Nc −1
Np
J=
∑ (yˆt+k − rt+k )T Qc (yˆt+k − rt+k ) + ∑
k=1
T ut+k Rc ut+k ,
k=0
= (yˆ f − r f )T Qa (yˆ f − r f ) + uTf Ra u f ,
(10.18)
where N p is the prediction horizon, Nc is the control horizon, Qc ∈ Rl×l , and Rc ∈ Rm×m are the weighting matrices for the tracking error and the input effort, respectively. The matrices Qa ∈ RNp l×Np l and Ra ∈ RNc m×Nc m are formed from Qc and Rc as follows ⎤ ⎤ ⎡ ⎡ Qc 0 0 Rc 0 0 ⎥ ⎥ ⎢ ⎢ Qa = ⎣ 0 . . . 0 ⎦ , R a = ⎣ 0 . . . 0 ⎦ . (10.19) 0 0 Qc
0 0 Rc
The cost function used in [3] is equal to (10.18). However, this cost function does not permit a zero steady-state tracking error in the case of a non-zero constant reference combined with a system that does not contain an integrator. Therefore, in [7] the input signal in the cost function has been replaced by incremental inputs Δ u f , where Δ = (1 − z−1 ) and z−1 is the back-shift operator of one time step. In order to also penalize large control deflections, a cost function is used with both incremental inputs and the regular input signals J = (yˆ f − r f )T Qa (yˆ f − r f ) + uTf Ra u f + Δ uTf RΔa Δ u f ,
(10.20)
where RΔa has matrices RΔc on its diagonal and is constructed in a similar way as Ra . This cost function requires a prediction of the future output, i.e. yˆ f . The subspace predictor derived in (10.13) can be used for this purpose. In order to include a control horizon, the subspace predictor is modified as follows . ⎡ Im ⎢ ⎢0 ⎢ ⎢ .. ⎢. ⎢ yˆ f = Γr w p + Λr ⎢ 0 ⎢ ⎢0 ⎢ ⎢. ⎣ ..
E
/, 0 ··· . I .. m
.. .. . . ··· 0 ··· 0 .. .
0 ··· 0
⎤0 .. ⎥ .⎥ ⎥ ⎥ 0⎥ ⎥ u , Im⎥ ⎥ f Im⎥ ⎥ .. ⎥ .⎦ Im
(10.21)
302
R. Hallouzi and M. Verhaegen
where the matrix E ensures that the input remains constant after the control horizon Nc . Next, Δ u f can be written as a function of the optimization variable u f .⎡
SΔ
/, Im 0 0 · · · ⎢−Im Im 0 ⎢ ⎢ .. . Δuf = ⎢ ⎢ 0 −Im Im ⎢ .. . . . . . . ⎣ . . . . 0 · · · 0 −Im
⎤.⎡ 0 0 0⎥ ⎥ ⎢0 .. ⎥ ⎢ .⎥ . ⎥uf − ⎢ ⎣ .. ⎥ 0⎦ 0 Im
Sw
0 0 .. .
/, ··· 0 0 ··· 0 0 .. .. . .
Im 0 .. .
⎤0 0⎥ ⎥ .. ⎥ w p . .⎦
(10.22)
0 ··· 0 0 0 0
When relations (10.21) and (10.22) are substituted into (10.20) and the terms that do not depend on u f are discarded, the following cost function results J(u f ) = uTf E T ΛrT QaΛr E + SΔT RΔa SΔ + Ra u f +2 wTp ΓrT QaΛr E − rT QaΛr E − wTp SwT RΔa SΔ u f . (10.23) Constraints should be placed on u f , Δ u f , and yˆ f according to the physical limitations of the aircraft. These constraints can be formulated as follows Umin ≤ u f ≤ Umax ,
(10.24)
Δ Umin ≤ Δ u f ≤ Δ Umax , Ymin ≤ yˆ f ≤ Ymax ,
(10.25) (10.26)
where Umin = [uTmin · · · uTmin ]T , Δ Umin = [Δ uTmin · · · Δ uTmin ]T , Ymin = [yTmin · · · yTmin ]T , and the same notation also holds for the parameters with subscript max. Since the considered optimization variable is u f , relations (10.21) and (10.22) are substituted into constraints (10.24)-(10.26). This substitution results in the inequality constraint (10.27) Aineq u f ≤ bineq , with T Aineq = INc m − INc m SΔT − SΔT (Λr E)T − (Λr E)T , T T bineq = Umax − Umin (Δ Umax + Sw w p )T (−Δ Umin − Sw w p )T T (Ymax − Γr w p )T (−Ymin + Γr w p )T .
(10.28)
(10.29)
The predictive control law can now be formulated as a solution of the following quadratic programming (QP) problem at each sample time min J(u f ) uf
s.t. Aineq u f ≤ bineq .
(10.30)
10
Subspace Predictive Control Applied to Fault-Tolerant Control
303
Efficient solvers exist for this QP problem [4]. At each sample time only the first input vector from u f , i.e. ut , is used for control. The control law (10.30) is derived for linear time invariant systems of the form (10.3)-(10.4). However, in this chapter it is applied to a nonlinear aircraft model. This usage is justified since the nonlinear aircraft model can be approximated well by a linear parameter-varying (LPV) model [27], which has the same structure as (10.3)-(10.4) but with time varying system matrices. The variation of the timedependent parameters is relatively small most of the time. In this case SPC can easily adapt to the time varying system. Only during fast variations of the timedependent parameters with respect to the dynamics of the aircraft or during strong nonlinear behaviour of the aircraft, SPC can be less accurate.
10.4 SPC (Re-)configuration SPC is a control method that can adapt itself to the system for which it is used. In order to fully exploit these capabilities, preferably all relevant available inputs and outputs should be used to estimate the subspace predictor. Since the benchmark model has 30 control inputs and even more outputs, a selection of these inputs and outputs must be made to minimize the computational burden of updating the subspace predictor. Therefore, the SPC-based FTC system is configured such that it uses different sets of control inputs for different fault conditions. For anticipated faults a specific set of inputs is chosen and for unanticipated faults a more general set is chosen. In this way, the changed dynamics in case of anticipated faults can be captured quicker than purely relying on adaptation of SPC. Both sets of control inputs are chosen such that sufficient control redundancy is available to perform “elementary manoeuvres” after the occurrence of a fault. By “elementary manoeuvres” three basic abilities of the aircraft are meant. These are: the ability to descend or ascend, the ability to change heading, and the ability to decelerate or accelerate. The SPC-based FTC system is demonstrated for three fault conditions, all of which are also used as benchmark faults in GARTEUR AG-16. Two of these three fault conditions are an anticipated elevator lock-in-place and an anticipated rudder runaway. Lock-in-place is characterized by the freezing of a control surface at a certain position, regardless of the actuator commands. Runaway of a control surface is characterized as when the surface suddenly deflects to its maximum or minimum deflection position and locks at that position. These faults can have drastic consequences since they make further operation of the aircraft extremely difficult. The considered rudder runaway fault affects both the upper and lower rudder. The elevator lock-in-place fault affects all 4 elevator surfaces. The two faults are isolated using the multiple-model framework with a model set as described in [25]. This model set contains local models that correspond to “lock-in-place” faults at the maximum and minimum deflection. The third fault condition is the condition of the aircraft during the disastrous “Bijlmerramp” scenario. For this fault condition it is not reasonable to assume that it can be anticipated because of the highly improbable faults that occurred during this disaster. Therefore this fault condition is treated as
304
R. Hallouzi and M. Verhaegen
an unanticipated fault. The faults that occurred on the aircraft during this disaster include loss of the engines and the pylons on the right wing of the aircraft. This loss caused a shift of the center of gravity of the aircraft, a total weight loss of 10.028 kg and damage to the right wing of the aircraft. This wing damage at its turn resulted in lift loss, increased drag, a yawing moment and a pitching moment. On top of these faults, hydraulic system 3 and 4 malfunctioned, which resulted in reduced or total loss of control authority of a number of control surfaces [28]. In the nominal case, the previously mentioned manoeuvres can be performed using SPC with an input vector uk consisting of only 4 inputs, which are listed in Table 10.1. Each input can, however, drive more than one of the controls of the benchmark. This is because it is assumed that these controls are symmetrically actuated (or asymmetrically in case of the ailerons and spoilers). In Table 10.1 the number of different controls driven by single SPC inputs is shown between brackets. The control surfaces that are not directly driven by SPC are chosen constant and equal to a value that is valid for a trimmed situation at the beginning of the flight simulation. For an elevator lock-in-place fault, the SPC-based FTC system uses the stabilizer instead of the elevator surfaces for control of the longitudinal motion. For the rudder lock-in-place fault, the engine controls are subdivided into a control input that controls the left engines and one that controls the right engines such that differential engine thrust can be used when necessary. Furthermore, spoilers are used asymmetrically to increase the control authority in the lateral direction. A positive value of the SPC spoilers input results in a positive deflection of spoilers 5 to 8, while spoilers 13 to 16 remain at a zero deflection. A negative value of the SPC spoilers input results in a positive deflection of spoilers 13 to 16, while spoilers 5 to 8 remain at a zero deflection. For unanticipated faults a set of inputs is chosen with redundant control authority for both longitudinal and lateral dynamics. Note that for anticipated conditions, the input set can be chosen smaller. This has the additional benefit that SPC can be implemented in a more computationally efficient manner. Besides the input vector uk , the SPC-based FTC system also requires a number of measurements from the aircraft to be used in the output vector yk . A selection is made from the many available measurements taking into consideration three issues. The first issue is the size of the output vector yk , which determines the size of the data matrices defined in (10.6) and (10.7). The size of these matrices should be kept as small as possible to keep the computational requirements of the SPC-based FTC system low. The second issue is concerned with the quality of the subspace predictor. For this purpose, the chosen outputs should capture the relevant dynamics of the system. Finally, the third issue is concerned with the manipulated variables. The control objective of the SPC-based FTC system is for the reference trajectory r f to be tracked by the predicted output vector yˆ f (see (10.20)). Therefore, the output vector yk should include the measurements of the physical quantities to be manipulated. With the previous considerations in mind, 7 outputs are chosen, which are listed in Table 10.2. Each of these outputs has been augmented with realistic noise corresponding to that of conventional aircraft sensors [29]. The SPC-based FTC system should be initialized such that it does not start identifying the system from scratch when a switch is made from nominal operation to an
10
Subspace Predictive Control Applied to Fault-Tolerant Control
305
Table 10.1 SPC input allocation. Ailerons (4) Elevators (4) Nominal case Rudders (2) Engines (4) Ailerons (4) Stabilizer (1) Elevator lock-in-place Rudders (2) Engines (4) Ailerons (4) Spoilers (8) Rudder lock-in-place Elevators (4) Engines left (2) Engines right (2) Ailerons (4) Spoilers (8) Elevators (4) Unanticipated faults Stabilizer (1) Rudders (2) Engines left (2) Engines right (2)
Table 10.2 Outputs used for SPC. Output Symbol Unit roll angle φ deg θ deg pitch angle ψ deg heading angle true airspeed VTAS m/s α deg angle of attack β deg sideslip angle h m altitude
operation mode corresponding to a fault or when the simulation starts from T = 0 s. Therefore, matrix R is initialized using input-output data obtained from simulation of the open-loop aircraft. In case of anticipated faults, open-loop data of the model with the anticipated fault is used to initialize the R matrix. And, in case of unanticipated faults, open-loop data of the nominal model is used to initialize the R matrix.
10.5 Simulation Results In this section the results of four simulations are presented. In all four simulations a flight scenario is flown consisting of an initial straight and level flight at an
306
R. Hallouzi and M. Verhaegen
altitude of 980 m. During this first flight phase, the faults are inserted. Next, a second phase consisting of a heading change is initiated. The third and final flight phase of the trajectory consists of a descent to an altitude of 100 m. In the first simulation, the flight scenario is simulated without any faults. In the second, third, and fourth simulation, faults are injected during the first flight phase. In the second simulation a lock-in-place fault of the elevators is injected, in the third simulation a rudder runaway fault is injected, and in the fourth simulation the faults that occurred during the “Bijlmerramp” are injected. Before the actual simulation results are presented, the choices for the simulation settings and tuning parameters are described first. The aircraft model is simulated at a frequency of 100 Hz. The operation frequency of the SPC-based FTC system is 10 Hz, which is chosen sufficiently fast relative to the aircraft dynamics. The fastest mode of the aircraft that has been observed from linearizations of the nonlinear aircraft model at different operating points is about 0.25 Hz. The SPC parameters are chosen as: p = 20, f = 20, λ = 0.995, N p = f , and Nc = 5. The subspace predictor parameters p and f are chosen relative to the aircraft dynamics. The parameter λ is tuned such that the predictor is modified just enough at each sample time to cope with the varying dynamics. The weights Qa , Ra , and RΔa are tuned relative to each other based on a combination of simulation experience and “rules of thumb” from [4]. These weights are tuned differently for the different settings described in Table 10.1. Furthermore, weight Qa only contains nonzero entries on its diagonal for the entries that are manipulated by SPC, i.e. φ , θ , VTAS , and β . The tuning procedure for the outer loop parameters Pθ , Iθ , Dθ , Pφ , Iφ , and Dφ is based on simulation experience, similar to the weighting matrices. Parameter j, which determines the number of columns in the data matrices in (10.6) and (10.7) is chosen to have a value of 1000. This means that the data matrices contain 1000/10 Hz=100 s of data. Note that these large data matrices are created only once for each condition. Once an R-matrix is computed based on these data matrices, only the R-matrix is used and updated in SPC. The R-matrix is generally much smaller than the data matrices since its dimensions do not depend on j. All simulations have been performed under closed-loop conditions with realistic measurement noise levels. Moreover, turbulence that is modelled according to the Dryden turbulence model is added to the simulated aircraft.
10.5.1 Trajectory Following for the Nominal Case In this section, the simulation results for the nominal condition are presented. The flight trajectory starts with a straight and level flight at an altitude of 980 m, a true airspeed of 92.6 m/s, and a flap setting of 20 deg. During the first flight phase the control objective is to maintain a constant altitude, heading angle, velocity, and sideslip angle. Next, at T = 75 s a change in heading angle from 180 deg to 60 deg is initiated. Finally, at T = 150 s a descent is initiated to an altitude of 100 m. This descent is performed with a fixed flight path angle γ of −5 deg. In Fig. 10.2 the references for the manipulated variables are represented by dashed lines. It can be
10
Subspace Predictive Control Applied to Fault-Tolerant Control
93.2 True airspeed [m/s]
Roll angle [deg]
20 0 Reference signal System response
−20 −40
93 92.8 92.6 92.4
Sideslip angle [deg]
10 Pitch angle [deg]
307
5 0 −5 0
50
100
150 Time [s]
200
250
1 0 −1 −2 −3 0
300
50
100
150 Time [s]
200
250
300
Heading angle [deg] Angle of Attack [deg]
Fig. 10.2 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for the nominal condition. The dashed signals correspond to the control reference signals.
10 5 0 1000
200 800 Altitude [m]
150
Altitude [m]
100 50
600 400
1000 −10000
200
500 0 0
−5000
0 1
50
100
150 Time [s]
200
250
1.5
300
4
x 10
2 y [m]
2.5
3
0
x [m]
Fig. 10.3 Angle of attack, heading angle, altitude, and trajectory of the aircraft for the nominal condition.
seen that the reference signals are tracked very well, especially when the fact is considered that the SPC-based FTC system is completely data-driven. It can be seen that during the heading change manoeuvre, the sideslip angle is allowed to have a minimal tracking error, preventing large surface deflections. The flight trajectory is depicted in Fig. 10.3 as well as the angle of attack, heading angle, and the altitude. The actuator deflections and the engine commands are depicted in Fig. 10.4. The engine commands are expressed in engine pressure ratio (EPR). It can be seen that the control signals are quite smooth and remain well within their operating limits, which is a result of the constraints on u f .
10.5.2 Trajectory Following for Elevator Lock-in-Place In this section, the simulation results for elevator lock-in-place are presented. The simulation starts with the same initial condition as is described in the previous
308
R. Hallouzi and M. Verhaegen
Rudders [deg]
Ailerons [deg]
2 10 5 0 −5
1 0 −1
10 EPR engines
Elevators [deg]
−2
5 0 −5 0
50
100
150 Time [s]
200
250
300
1.4 1.2 1 0.8 0.6 0
50
100
150 Time [s]
200
250
300
Fig. 10.4 Actuator deflections and engine commands for the nominal condition.
section for the nominal case. The elevator lock-in-place fault is injected at T = 18 s at a deflection of 1.9 deg. The fault is correctly isolated at T = 28 s. The relatively large isolation delay is a result of the fact that the elevator locks at a deflection position, which exactly suits the flight condition at that time. So, the faults can not be isolated until the aircraft is sufficiently excited by turbulence. It can be seen in Fig. 10.5 that the reference signal for the true airspeed has been increased just after isolation of the fault. This has been done to increase the effectiveness of the stabilizer surface to allow sufficient control authority. Furthermore it can be seen that tracking of the reference signals is performed satisfactorily. Only during the descent, which is again performed with a fixed flight path angle of −5 deg, the pitch angle command is tracked with a small error. In Fig. 10.6, the angle of attack, heading angle, and altitude are depicted together with the flight trajectory. For comparison purposes, the same trajectory is also flown using the autopilot from the GARTEUR AG-16 benchmark, the result of which is indicated by a grey signal in the figure showing the flight trajectory. It can be seen that the result of the fault is a pitching moment which cannot be counteracted by the autopilot since it does not have control over the stabilizer. Therefore, when the autopilot is used, human pilot intervention is required to accommodate this fault. Since the elevator lock-in-place fault does not affect lateral motion, the heading change manoeuvre is still performed adequately by the autopilot. In Fig. 10.7 the actuator deflections and engine commands of the SPC-based FTC system are shown. It can be seen that the elevator deflection remains constant after the fault is injected and that the stabilizer takes over after the fault is isolated. Note also that the rate of change of the stabilizer input is small when compared to the other surfaces. The reason for this is that the stabilizer surface has a maximum deflection rate of 0.5 deg/s, which is about 100 times smaller than the other surfaces. Generally, it can be concluded from these simulation results that the reaction on the fault is performed quickly and adequately as a result of the available prior knowledge being open-loop simulation data from a similar fault condition. This prior knowledge has significantly reduced adaptation time.
10
Subspace Predictive Control Applied to Fault-Tolerant Control
True airspeed [m/s]
Roll angle [deg]
10 0 −10 −20
Reference signal System response
−30 −40
Sideslip angle [deg]
Pitch angle [deg]
10 5 0 −5 −10 0
50
100
150 Time [s]
200
250
120 110 100 90
0.5 0 −0.5 −1 −1.5 0
300
309
50
100
150 Time [s]
200
250
300
Heading angle [deg] Angle of Attack [deg]
Fig. 10.5 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for elevator lock-in-place. The dashed signals correspond to the control reference signals.
6 4 2
1200
200 Altitude [m]
150 100 50
Altitude [m]
Fault injection SPC−based FTC Autopilot
1000 800 600 400
1000 200
500 0 0
0 0
50
100
150 Time [s]
200
250
300
0.5
1 4
x 10
1.5
2 y [m]
−15000 −10000 −5000 2.5
3
0
x [m]
Fig. 10.6 Angle of attack, heading angle, altitude, and trajectory of the aircraft for elevator lock-in-place. In the trajectory plot, the gray line corresponds to the trajectory flown with the autopilot.
10.5.3 Trajectory Following for Rudder Runaway In this section, the simulation results for rudder runaway are presented. The rudder runaway fault is injected at T = 18 s. After this, the upper and lower rudder surfaces start moving with a rate of 50 deg/s from their position at T = 18 s to the maximum deflection position of 25 deg. The rudder runaway fault is isolated at T = 22 s. It can be seen in Fig. 10.8 that the aircraft starts to slip immediately after insertion of the fault and that the reference signals are not tracked very well just after the fault. This is because SPC needs some time to gather data for adapting to the faulty condition. After this has been done, the reference signals are tracked satisfactorily again, except for the sideslip angle. The reason for this is that it cannot be controlled completely towards zero due to the severity of the fault. At T = 75 s the heading change
Stabilizer [deg]
−1
5 0 −5
−2 −3
3 2 1 EPR engines
Rudders [deg]
R. Hallouzi and M. Verhaegen
10
Elevators [deg]
Ailerons [deg]
310
1 0 −1 0
50
100
150 Time [s]
200
250
300
1.6 1.4 1.2 1 0.8 0.6 0
50
100
150 Time [s]
200
250
300
Fig. 10.7 Actuator deflections and engine commands for elevator lock-in-place.
is initiated. Subsequently, at T = 150 s a descent to 100 m is initiated with a fixed flight path angle of −5 deg. Note that the aircraft picks up speed in this descent. This is the result of the fact that the engines are required to provide differential thrust to counteract the yawing moment of the rudder runaway and can therefore not reduce thrust. In Fig. 10.9 it can be seen that both the heading change and the descent manoeuvre are performed adequately. Furthermore, it can be observed that the autopilot is unable to counteract the yawing moment resulting from the rudder runaway fault, not even with a full deflection of the spoilers and ailerons. It is therefore clear that the human pilot must intervene to try to accommodate the fault. In Fig. 10.10 it can be seen that after the fault some time is required before the control signals become smooth again, which is a result of the adaptation process. Also, it can be seen how the ailerons work together with the engines (providing differential thrust), and the spoilers to counteract the yawing moment resulting from the rudder runaway fault. Next, it can be observed that in the time interval T = 150 − 300 s the rudders have moved away from their maximum deflection position of 25 deg because the aircraft picks up speed resulting in a reduced blowdown limit, which means that the rudders are forced back towards their neutral position.
10.5.4 Trajectory Following for “Bijlmerramp” Condition In this section, the simulation results for the “Bijlmerramp” fault condition are presented. The simulation setting in this section differs from the setting of the previous three simulations in the fact that it can accommodate unanticipated faults. The setting for unanticipated faults continuously uses 7 inputs to control the aircraft, as is described in Table 10.1. Furthermore, no FDI is used for this setting. The simulation starts at an altitude of 980 m, a true airspeed of 133.8 m/s, and a flap setting of 1 deg according to the initial conditions defined in GARTEUR AG-16 for this specific fault. The fault is injected at T = 10 s. Immediately after injection of the fault, the aircraft starts to roll and slip as can be seen in Fig. 10.11. However, the
10
Subspace Predictive Control Applied to Fault-Tolerant Control
160 True airspeed [m/s]
Roll angle [deg]
20 0 −20
Reference signal System response
140 120 100 80
20
Sideslip angle [deg]
Pitch angle [deg]
−40
10 5 0 −5 −10 0
311
50
100
150 Time [s]
200
250
10 0 −10 0
300
50
100
150 Time [s]
200
250
300
Heading angle [deg] Angle of Attack [deg]
Fig. 10.8 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for rudder runaway. The dashed signals correspond to the control reference signals.
10 5 0
Fault injection
1200
200
1000
SPC−based FTC Autopilot
Altitude [m]
150
Altitude [m]
100 50
1000
800 600 400 200
−15000 −10000 −5000
500 0 0
0 0
50
100
150 Time [s]
200
250
0.5
1
300 4
x 10
1.5
2 2.5 y [m]
3
3.5
0 5000
x [m]
Fig. 10.9 Angle of attack, heading angle, altitude, and trajectory of the aircraft for rudder runaway. In the trajectory plot, the gray line corresponds to the trajectory flown with the autopilot.
SPC-based FTC system manages to quickly regain control and track the reference signals again after a period of about 15 s. In Fig. 10.12 it can be seen that the trajectory can be flown safely even after occurrence of the very severe fault condition. Furthermore, it can be seen that the autopilot is not capable of safely flying the aircraft, since it crashes about 50 s after the injection of the fault. In Fig. 10.13 the actuator deflections and the engine commands for the “Bijlmerramp” scenario are shown. It can be seen that the right engines immediately stop providing thrust after the fault is injected. Furthermore, it can be observed that the stabilizer is used in a limited range to prevent overly large altitude fluctuations due to the slow operation of this surface. An important conclusion that can be drawn from this simulation is that the SPC-based FTC system is able to adapt to an unanticipated condition, which severely changes the dynamics of the aircraft.
R. Hallouzi and M. Verhaegen
Rudders [deg]
20 0
20 10 0 −10 40 20 0 −20 −40
EPR right engines EPR left engines
Elevators [deg]
−20
Spoilers [deg]
Ailerons [deg]
312
Time [s]
30 20 10 0
1.6 1.4 1.2 1 0.8 0.6 1.6 1.4 1.2 1 0.8 0.6 0
50
100
150 Time [s]
200
250
300
200
250
300
Fig. 10.10 Actuator deflections and engine commands for rudder runaway.
135 True airspeed [m/s]
Roll angle [deg]
10 0 −10 −20
Reference signal System response
−30 −40
Sideslip angle [deg]
Pitch angle [deg]
10 5 0 −5 0
50
100
150 Time [s]
200
250
300
134 133 132
5 0 −5 −10 0
50
100
150 Time [s]
Fig. 10.11 Roll angle, pitch angle, true airspeed, and sideslip angle of the aircraft for the “Bijlmerramp” fault condition. The dashed signals correspond to the control reference signals.
10.5.5 Discussion of the Simulation Results The presented simulation results show that by using the proposed methodology it is possible to design a controller for the nominal and faulty aircraft using only inputoutput data. This conclusion is remarkable, especially when the complexity of the aircraft model is considered. Two desirable properties of the proposed control design methodology are 1. Modeling of the system to be controlled takes up a large part of the design process of model-based controllers. Since the proposed methodology provides a framework to derive a controller using only input-output data, a significant amount of time can be saved in the design process. 2. For fault-tolerant control it is often required to have a model of the post-fault system. This requirement results in the impossibility of providing fault-tolerant
Subspace Predictive Control Applied to Fault-Tolerant Control
Heading angle [deg] Angle of Attack [deg]
10
313
8 6 4 2
SPC−based FTC Autopilot
Fault injection
1200
200 1000 Altitude [m]
150 100
Altitude [m]
50
1000
800 600 400 200 −15000
0
500
−200 0.5
0 0
50
100
150 Time [s]
200
250
300
−10000 1
1.5
−5000 2
2.5
4
x 10
3
3.5
0
x [m]
y [m]
Rudders [deg]
20 0 −20 20
0 −20
2 0 50
100
150 Time [s]
200
250
300
1.6 1.4 1.2 1 0.8 0.6
EPR right engines
30 20 10 0 −10
−2 0
20
EPR left engines
0 −20
Stabilizer [deg]
Spoilers [deg] Elevators [deg] Ailerons [deg]
Fig. 10.12 Angle of attack, heading angle, altitude, and trajectory of the aircraft for the “Bijlmerramp” fault condition. In the trajectory plot, the gray line corresponds to the trajectory flown with the autopilot.
2 1 0 0
50
100
150 Time [s]
200
250
300
Fig. 10.13 Actuator deflections and engine commands for “Bijlmerramp” fault condition.
control for all possible faults since not all possible faults can be anticipated. However, the proposed methodology can even deal with unanticipated faults by adapting on-line to faults using input-output data. Therefore, it is a very suitable method for fault-tolerant control.
10.6 Real-Time Implementation The simulation results of the SPC-based FTC system presented in the previous section have been obtained using off-line simulations. An important property of a control method that is meant for real-time on-line implementation is its computational requirements. These requirements should not be too large such that they restrict a practical implementation for realistic systems. In order to demonstrate that the
314
R. Hallouzi and M. Verhaegen
presented SPC-based FTC system does not have too restrictive computational requirements, an on-line version has been developed. This on-line version has been created in the scope of GARTEUR AG-16. In this project the participants have been invited to develop on-line FTC schemes for implementation on the SIMONA research flight simulator [30]. A real-time simulator environment has been developed specifically for this research simulator. This environment, which has been named Delft University Environment for Communication and Activation (DUECA) [31], poses different requirements to the FTC system than the off-line simulation environment, which is MATLAB/Simulink. An important requirement of the on-line simulation environment is that all computations required for the FTC system should be finished well within the sample time of the benchmark model, which is 0.01 s. Since the computations required for the developed SPC-based FTC system are too heavy to be finished within 0.01 s, a multi-rate real-time architecture has been developed. This architecture consists of 2 blocks that run at different operating frequencies. One block runs at the same frequency as the aircraft model and one block runs at a frequency of 10 Hz. A schematic diagram of the multi-rate architecture is shown in Fig. 10.14. In Block 2 the time-consuming computations that cannot be finished within 0.01 s are performed. These computations include the update of the subspace predictor and the solver for the quadratic programming problem (10.30). Block 1 contains the less intensive computations, such as the computations required for the multiple-model FDI system. It should be noted that the frequency of 10 Hz of Block 2 is chosen sufficiently fast relative to the dynamics of the benchmark model. The tuning parameters of the on-line SPC-based FTC system that determine the computational requirements are chosen as: N p = 20, Nc = 5, p = 20, f = 20, m = 5, and l = 7. Furthermore, the maximum number of iterations of the solver for the quadratic programming problem has been set to 100 to ensure that the available
Boeing 747 Model 100 Hz FTC Block 1
FTC Block 2
Fig. 10.14 Schematic diagram of the multi-rate real-time architecture.
10 Hz
10
Subspace Predictive Control Applied to Fault-Tolerant Control
315
computation time is never violated. The described parameter configuration results in an SPC-based FTC system that is fast enough to be run on the DUECA simulation environment using a computer with an AMD Athlon 64 X2 5600+ processor operating at 2.8 GHz and 4 Gb of RAM. It should be remarked, however, that it has not been possible to implement the setting for unanticipated faults sufficiently fast on this computer. Because for this setting it holds m = 7, ceteris paribus. Since the on-line results are similar to the off-line results, which have been previously presented, no on-line results are presented in this chapter. In conclusion, it is remarked that the on-line version of the SPC-based FTC system demonstrates that it is indeed possible to perform real-time data-driven adaptive control of a complex system such as the benchmark model.
10.7 Conclusions A reconfigurable fault-tolerant control system has been presented that is able to adapt on-line to faults. This system consists of a subspace predictor, derived in a closed-loop setting, combined with predictive control. The subspace predictor, which does not require knowledge of a mathematical model, is continuously updated on-line using new input-output data. It is this property that gives the proposed system its ability to adapt to faults. These faults may be either anticipated or unanticipated. In case of anticipated faults, prior knowledge of the faults allows the changed dynamics to be captured faster than purely relying on adaptation. A special setting for unanticipated faults has been designed that uses more control inputs than for anticipated faults to fully exploit the adaptation capabilities. The proposed faulttolerant control system is evaluated in simulation on a detailed benchmark model. In the performed simulations, three fault conditions have been successfully accommodated. These fault conditions include an elevator lock-in-place, rudder runaway, and the “Bijlmerramp” fault condition. In the simulations it could be observed that the controller requires some time to adapt to the new fault situation. This is an inevitable consequence of the data-driven adaptation concept. However, in general it can be concluded from the simulations that the system allows to safely perform the required elementary manoeuvres in both nominal and faulty conditions.
References 1. Van Overschee, P., De Moor, B.: Subspace identification for linear systems: theory, implementation, applications. Kluwer Academic Publishers, Dordrecht (1996) 2. Verhaegen, M., Dewilde, P.: Subspace identification, part I: The output-error state space model identification class of algorithms. International Journal of Control 56(5), 1187– 1210 (1992) 3. Favoreel, W., de Moor, B.: SPC: Subspace Predictive Control. In: Proceedings of the IFAC World Congress, Beijing, China (July 1999) 4. Maciejowski, J.M.: Predictive Control with Constraints. Prentice Hall, Englewood Cliffs (2002)
316
R. Hallouzi and M. Verhaegen
5. Hallouzi, R., Verhaegen, M.: Fault-tolerant subspace predictive control applied to a Boeing 747 model. Journal of Guidance, Control, and Dynamics 31(4), 873–883 (2008) 6. Woodley, B.R., How, J.P., Kosut, R.L.: Subspace based direct adaptive H∞ control. International Journal of Adaptive Control and Signal Processing 15, 535–561 (2001) 7. Kadali, R., Huang, B., Rossiter, A.: A data driven subspace approach to predictive controller design. Control Engineering Practice 11(3), 261–278 (2003) 8. Ljung, L., McKelvey, T.: Subspace identification from closed loop data. Signal Processing 52(2), 209–215 (1996) 9. Favoreel, W., de Moor, B., Gevers, M., van Overschee, P.: Closed-loop model-free subspace-based LQG-design. In: Proceedings of the Mediterranean Conference on Control and Automation, Haifa, Israel (June 1999) 10. Jansson, M.: A new subspace identification method for open and closed loop data. In: Proceedings of the IFAC World Congress, Prague, Czech Republic (July 2005) 11. Chiuso, A.: The role of vector autoregressive modeling in predictor-based subspace identification. Automatica 43(6), 1034–1048 (2007) 12. Dong, J., Verhaegen, M., Holweg, E.: Closed-loop subspace predictive control for fault tolerant MPC design. In: Proceedings of the IFAC World Congress, Seoul, Korea (July 2008) 13. Golub, G.H., Van Loan, C.F.: Matrix Computations, 3rd edn. The John Hopkins University Press, Baltimore (1996) 14. Hajiyev, C., Caliskan, F.: Fault Diagnosis and Reconfiguration in Flight Control Systems. Kluwer Academic Publishers, Dordrecht (2003) 15. Song, Y., Campa, G., Napolitano, M., Seanor, B., Perhinschi, M.G.: Online parameter estimation techniques comparison within a fault tolerant flight control system. Journal of Guidance, Control, and Dynamics 25(3), 528–537 (2002) 16. Shin, J.-Y., Belcastro, C.M.: Performance analysis on fault tolerant control system. IEEE Transactions on Control Systems Technology 14(5), 920–925 (2006) 17. Belkharraz, A.I., Sobel, K.: Simple adaptive control for aircraft control surface failures. IEEE Transactions on Aerospace and Electronic Systems 43(2), 600–611 (2007) 18. Fielding, C., Varga, A., Bennani, S., Selier, M. (eds.): Advanced Techniques for Clearance of Flight Control Laws. Springer, Heidelberg (2002) 19. Bodson, M., Groszkiewicz, J.E.: Multivariable adaptive algorithms for reconfigurable flight control. IEEE Transactions on Control Systems Technology 5(2), 217–229 (1997) 20. Kale, M.M., Chipperfield, A.J.: Stabilized MPC formulations for robust reconfigurable flight control. Control Engineering Practice 13(6), 771–788 (2005) 21. Pachter, M., Huang, Y.-S.: Fault tolerant flight control. Journal of Guidance, Control, and Dynamics 26(1), 151–160 (2003) 22. Kanev, S.: Robust Fault-Tolerant Control. PhD thesis, University of Twente, Enschede, The Netherlands (2004) 23. Zhang, Y., Rong Li, X.: Detection and diagnosis of sensor and actuator failures using IMM estimator. IEEE Transactions on Aerospace and Electronic Systems 34(4), 1293– 1313 (1998) 24. Hallouzi, R., Verhaegen, M., Kanev, S.: Multiple model estimation: a convex model formulation. International Journal of Adaptive Control and Signal Processing (2008), doi:10.1002/acs.1034 25. Hallouzi, R.: Multiple-Model Based Diagnosis for Adaptive Fault-Tolerant Control. PhD thesis, Delft University of Technology, Delft, The Netherlands (2008) 26. Lovera, M., Gustafsson, T., Verhaegen, M.: Recursive subspace identification of linear and non-linear Wiener state-space models. Automatica 36, 1639–1650 (2000)
10
Subspace Predictive Control Applied to Fault-Tolerant Control
317
27. Marcos, A., Balas, G.J.: Development of linear-parameter-varying models for aircraft. Journal of Guidance, Control and Dynamics 27(2), 218–228 (2004) 28. Smaili, M.H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992 Amsterdam Bijlmermeer airplane accident. In: AIAA Modelling and Simulation Technologies Conference and Exhibit, Denver, Colorado USA (August 2000) 29. Breeman, J.: Quick start guide to AG 16 benchmark model. Technical report, NLR (2006) 30. SIMONA. TU Delft - SIMONA research simulator (2007) (last checked October 8, 2007) 31. Van Paassen, M.M., Stroosma, O., Delatour, J.: DUECA - data-driven activation in distributed real-time computation. In: Proceedings of the AIAA Modeling and Simulation Technologies Conference and Exhibit, Denver, CO, USA (August 2000)
Chapter 11
Fault-Tolerant Control through a Synthesis of Model-Predictive Control and Nonlinear Inversion D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen
.
11.1 Introduction By itself reconfigurable and fault-tolerant control is a challenging task. In general fault-tolerant control requires mechanisms to detect and identify a failure, furthermore, it must be flexible as to accommodate such a failure. In the more specific case of fault-tolerant flight control, several specific challenges exist according to [1]: • flight control is a multi-variable control problem with strong cross-couplings, especially appearing after an asymmetric failure occurs; • flight control is a nonlinear problem which means that trim values change with operating conditions, requiring continuous use of nonlinear or adaptive algorithms; • an aircraft may become highly unstable after occurrence of a failure, leaving little time for reconfiguration; In order to tackle these challenges, we will introduce a control method that is globally valid, easily reconfigurable and above all, constrained. The solution that is presented here is a synthesis between model-predictive control (MPC) and a nonlinear dynamic inversion method (NDI). Section 11.2 provides the motivation for D.A. Joosten Delft University of Technology, Delft, The Netherlands e-mail:
[email protected] T.J.J van den Boom Delft University of Technology, Delft, The Netherlands e-mail:
[email protected] M. Verhaegen Delft University of Technology, Delft, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 319–336. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
320
D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen
this setup, and furthermore, the section provides a clear introduction as to how both methods interact. Section 11.2.2 and 11.2.3 provide a discussion of the theory of MPC and dynamic inversion, whereas Section 11.2.4 on control allocation, and the mapping of constraints, provides the theory that is required to make the proposed combination of MPC and dynamic inversion interact correctly. Subsequently Section 11.3 introduces the relevant equations of motion of the benchmark aircraft and applies NDI theory to these. The chapter continues with the introduction of simulation results in Section 11.4 and wraps up with a discussion and conclusions in Section 11.5.
11.2 Overall Control-Setup The goal of this section is to provide an insightful introduction to the control setup that is presented in this chapter. Subsequent sections provide more detailed information with respect to the different components of the setup. The starting point of this section is the presumption that model-predictive control (MPC) is well suited to the needs of a reconfigurable control method. The latter is also concluded in [2] where MPC is compared with several other control methods that are deemed suitable. The previous statement is motivated through inspection of the following properties of MPC: as a control strategy MPC is based upon online optimization that utilizes a model of the system under control, which means that the internal model may be changed in between the time-steps of the optimization algorithm; furthermore, MPC is a constrained control method which means that actuator failures, like stuck control surfaces can relatively easily be incorporated and hence accommodated for; and finally, MPC inherently incorporates a control allocation method, which indicates that it is also possible to give preference to the use of certain actuators in order to perform a manoeuvre. The multi-variable setting is natural to MPC, hence strengthening the motivation of its suitability as a faulttolerant and reconfigurable control method. MPC for nonlinear systems, however, only leads to tractable optimization problems in very specific cases. It may be concluded from different surveys and books on MPC [3, 4, 5, 6] that MPC is well-suited to LTI systems. However, it has been stated in the introductory chapter that aircraft pose a control problem that is nonlinear, and hence MPC in general is not directly applicable to aircraft. It is for this reason that it is deemed necessary to combine MPC with a nonlinear control method. Dynamic inversion is such a method. It allows the inversion of the nonlinear kinematics of the aircraft such that linear and time-invariant behaviour is obtained. This linear behaviour can be controlled with one of the commonly available MPC algorithms. Some measures are needed though, because of the interconnection and constraints. The synthesis of MPC and NDI into one controller is not new. An example of the combination of MPC and feedback linearization (FBL), which is a more strict variation on NDI, in order to obtain globally valid and constrained control for the flight of a re-entry vehicle is to be found in [7], the combination of robust MPC and feedback linearization for an F-16 is presented in [8], and the combination of
11
FTFC Using MPC and Model Inversion
321
Reconfigurable controller x
Aircraft x NDI
MPC r
x
AB
CONTROL ALLOCATION
fnew , gnew , Unew , Xnew
x˙ = f (x) + g(x)u
x
u
FDI
Fig. 11.1 Overview of the complete FTFC loop and the individual components. Additionally, the FDI block is shown to stress the importance of a failure detection method that delivers a new system description and a new set of constraints after the introduction of a failure.
robust MPC and feedback linearisation is evaluated in [9]. The theory presented in this chapter differs from existing literature in two aspects; the first of which is that the combination of NDI and MPC is not only applied as a form of globally valid and constrained nonlinear control, but also as a reconfigurable method; the second difference lies in the fact that it is assumed here that the system has control effector redundancy in the nominal and fault-free case, i.e. that it is over-actuated. The latter is not the case in the previously mentioned references [7], [9]. Next to these [10] provides an application of robust MPC so as to achieve reconfigurable behaviour, linear subspace identification and predictive control are synthesized into one in [11], NDI and online identification of the aerodynamic derivatives of the aircraft are combined in [12]. An example that considers the use of MPC, without NDI, in a simulation of the Bijlmermeer accident scenario is to be found in [13]. Figure 11.1 provides an overview of how MPC and NDI are combined in this chapter. The concept of a combination between NDI and MPC such as to form a reconfigurable, globally valid, nonlinear, and constrained controller seems intuitive, but there are several interconnection issues that require attention. Such issues are caused by the fact that the number of system inputs is in general much larger than the number of states that are to be controlled, which is actually a prerequisite for FTFC. The latter forces us to include control allocation in between the NDI block and the aircraft. This will be elabortated upon in Section 11.2.4. Furthermore, it is not a priori clear how the constraints on the inputs relate to the constraints of the MPC controller. Subsection 11.2.1 introduces the model structure and Section 11.2.2 introduces dynamic inversion. The next subsection provides the details of the MPC strategy that has been applied. Finally, subsection 11.2.4 provides details on how to distribute the desired control effort over the physical inputs. For reasons of clarity, several assumptions, mainly because of simplicity, are posed here that hold throughout the entire chapter. It is assumed that a new model will become available through online identification of the aerodynamic parameters based on the work presented in Chapter 13 and [14]. Other assumptions that are made are that full-state information is assumed to be available, and more importantly, we assume that there are redundant control effectors, such that these can be
322
D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen
applied in case a primary actuator fails. Finally, it is noted that this method is best suited for failures of actuators/control surfaces and structural failures of the airframe. Sensor failures are not considered here, and furthermore, it is assumed that the current position of control surfaces is measured for purposes of control.
11.2.1 Model Structure This section starts with an introduction of the system-type that is considered and continues to present the aspects that are involved in the combination of feedback linearisation and model predictive control. In this chapter we consider nonlinear discrete-time systems that are either affine in the input, or made affine in the input through approximation: x(k + 1) = f (x(k)) + g(x(k))u(k), y(k) = h(x(k)),
(11.1) (11.2)
where x(k) ∈ Rn is the state vector, u(k) ∈ Rm is the vector of inputs, and k indicates that this system is a discrete-time system with sampling-interval T . Furthermore, f (x) ∈ Rn×1 , g(x) ∈ Rn×m . Both the input u ∈ U and x ∈ X belong to a polyhedral set, i.e. they can be written as U = {u ∈ Rm | A u ≤ b}, X = {x ∈ Rn | Ax x ≤ bx },
(11.3) (11.4)
for some matrices A, Ax and vectors b, bx . Furthermore, it is assumed that the output y(k) = x(k), is such that h(x(k)) = x(k). It must be remarked that it is also possible to apply FBL to the system in continuous time. This, however, leads to issues with respect to the control allocation problem such as depicted in Figure 11.1. The control allocation will consist of a constrained quadratic programming problem and will necessarily be performed in discrete-time. It is therefore more logical to perform all steps in discrete-time, and as such, to discretise the nonlinear system before applying FBL.
11.2.2 Nonlinear Dynamic Inversion Feedback linearisation is a control method that will obtain linear and decoupled input-output behaviour through the application of a static and nonlinear feedback law. Aspects like relative degree, partial feedback linearisation and uncontrollable internal dynamics are important issues within the standard framework of feedback linearisation as presented in [15, 16]. Feedback linearisation in its most basic form, input-state linearisation, is what is applied here. Input-state linearisation to some extent avoids the aforementioned issues but is also applicable to a smaller range of systems. The presented implementation applies the concept of a virtual input and hence allows the use of the available control effector redundancy in a further step, whereas FBL in its purest form does not.
11
FTFC Using MPC and Model Inversion
323
It is necessary to include dummy outputs in equation (11.1) for input-state linearisation when m ≥ n in order to be able to apply FBL, since u and y, or x in this particular case, are required to be sized equally. Alternatively, it is possible to introduce a virtual input z(x(k), u(k)) = g(x(k))u(k), z ∈ Rn and to split up the problem of input-state, or possibly partial state, linearisation and control allocation, such that x(k + 1) = f (x(k)) + z(x(k), u(k)),
(11.5)
where z(x(k), u(k)) is assumed to be a virtual input of the system that can be used for linearisation purposes. This relation between z(x(k), u(k)) and u(k), and how to make use of the freedom therein, is the topic of Section 11.2.4 on control allocation. It is clear to see that in order to invert the nonlinear dynamics, a choice z(k) = g(x(k))u(k) = − f (x(k)) + ν (k),
(11.6)
will result in decoupled closed-loop behaviour that equals x(k + 1) = ν (k),
(11.7)
where ν (k) ∈ Rn is a new input to the inverted system. Optionally, through proper selection of z(k) one can incorporate some desired dynamics such that x(k + 1) = Ades x(k) + ν (k). The latter equation shows that the chosen control law decouples the system, such that the closed-loop constitutes a series of integrators in parallel. Furthermore, it is clear to see that when the number of inputs m is smaller than the number of states n, provided that we wish to linearize all n states, it will be impossible to invert the entire dynamics. When m = n there will exist a unique solution to equation (11.6) and when m > n then there will exist a whole set of solutions u(k) to this equation. It is necessary to make the remark that it is assumed in this chapter that m > n, and hence input redundancy exists. Therefore, the input u(k) will have to be allocated at every discrete-time step. The latter is commonly called nonlinear dynamic inversion (NDI) instead of FBL. In summary, the input-state linearisation that is presented in this section leads to LTI behaviour that relates ν (k) to x(k), and retains freedom in the allocation of u(k). A restrictive result of the above is that the original input constraints on u(k) must now be mapped into constraints on ν , since ν (k) will be controlled using model predictive control (see Figure 11.1). The next section will introduce an MPC algorithm that has been tailored to this situation, such that this issue can be avoided to a large extent. Remark: It must be noted that discretisation of nonlinear dynamic systems is not at all trivial. In this chapter the nonlinear system is sampled with sampling interval T and first order Euler integration is applied. The difference equation (11.1) is obtained from the original nonlinear system as follows x˙ = f (x) + g(x)u ≈ x ⇔,
x(k + 1) − x(k) T
x(k + 1) ≈ T f (x(k)) + x(k) + T g(x(k))u.
(11.8) (11.9)
324
D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen
The authors acknowledge that the Euler method, which is a first-order method, is typically associated with an integration error that is proportional to the sampling interval T . This makes the Euler method less accurate than higher order methods such as the Runge-Kutta method. There are two specific reasons why Euler’s method is applied here. For one, use of higher order methods would complicate the dynamic inversion of the nonlinear aircraft model in Section 11.3 unnecessarily. Next to that, and more importantly, the simulation settings for the benchmark model are such that the Euler method is applied in the simulation. Hence, the Euler method is chosen over higher-order methods for discretization.
11.2.3 Model Predictive Control Now that a linear discrete-time system (11.7) has been obtained through NDI, it is straightforward to apply model predictive control (MPC). MPC applies an internal model of the system under consideration. It is this model that is used to predict future values of dependent variables as a function of independent variables, in most cases the system input, over a prediction horizon. Application of a cost-function allows for the minimisation of this cost function over the horizon, subject to constraints. The first input is applied to the system and the optimisation is repeated during the next time-step. A possible objective function, where the prediction horizon is chosen equal to N time steps, is J(νk ) =
N
∑ e(k + i|k)T Qe(k + i|k),
(11.10)
i=1
ˆ + i|k) is the predicted value of where e(k + i|k) = x(k ˆ + i|k) − xr (k + i|k), and x(k x(k + i) at time k. r(k) ∈ Rn is the reference signal and Q 0 is a state weighting matrix, respectively. We introduce the following variables ⎡
⎤ x(k + 1|k) ⎢ x(k + 2|k) ⎥ ⎢ ⎥ x˜ = ⎢ ⎥, .. ⎣ ⎦ . x(k + N|k) ⎤ u(k|k) ⎢ u(k + 1|k) ⎥ ⎢ ⎥ u˜ = ⎢ ⎥, .. ⎣ ⎦ . u(k + N − 1|k) ⎡
⎡
⎤ xr (k + 1|k) ⎢ xr (k + 2|k) ⎥ ⎢ ⎥ x˜r = ⎢ ⎥, .. ⎣ ⎦ . ⎡
xr (k + N|k)
ν (k|k) ν (k + 1|k)r .. .
⎤
⎥ ⎢ ⎥ ⎢ ν˜ = ⎢ ⎥, ⎦ ⎣ ν (k + N − 1|k)r (11.11)
11
FTFC Using MPC and Model Inversion
325
and Q˜ = IN ⊗ Q,
(11.12)
where IN is an identity matrix of size N, and where the operator ⊗ indicates the Kronecker product of two matrices.1 Now, using relationship (11.7) the above objective function (11.10) can be expanded into ˜ x˜ − x˜r ), J(ν (k)) = (x˜ − x˜r )T Q( T ˜ ν˜ − x˜r ), = (ν˜ − x˜r ) Q( T ˜ ˜ r. = ν˜ Qν˜ − 2x˜Tr Q˜ ν˜ − 2x˜Tr Q˜
(11.14)
The minimisation of J(ν˜ (k)) constitutes a quadratic programming problem (QP). The argument of the minimisation of this QP is the vector ν˜ ∗ (k). In order to be able to take into account the constraints on the physical input u(k) it is necessary to incorporate equation (11.6) which denotes the relationship between ν (k) and u(k) and the constraints on input u(k) as in (11.3). Both of these can be expanded over the horizon as follows ⎡ ⎤ ⎡ ⎤ − f (x(k)) g(x(k)) 0 . . . 0 ⎢ − f (x(k + 1)) ⎥ ⎢ ⎥ ˜ ⎢ .. ⎥ .. . . .. u(k) ˜ = ⎢ ⎥ +ν (k) (11.15) ⎣ . ⎦ .. . . . ⎣ ⎦ . 0 0 . . . g(x(k + N − 1)) − f (x(k + N − 1)) -. / , , -. / ˜ =C(x)
=b˜ eq (x)
and T (IN ⊗ A) u(k) ˜ ≤ 1 1 ... 1 ⊗ b. , -. / -. / , =A˜
(11.16)
=b˜
Hence, it can be concluded that the optimization of cost-function (11.14) subject to (11.15) and (11.16) will produce the optimal vector ν˜ ∗ (k). It must be noted, however, that u(k) ˜ appears in the equality constraint (11.15) and that the same constraint also depends nonlinearly on the state x(k). ˜ The input u(k) ˜ is an independent variable and therefore it is necessary to append it to the cost-function (11.14) such that the constraints can also be incorporated in to the problem as follows 1
The Kronecker product of two matrices A and B is defined as ⎡
a11 B ⎢ A ⊗ B = ⎣ ... am1 B
⎤ . . . a1n B . ⎥ .. . .. ⎦ , . . . amn B
where ai j is the i, j-th entry of matrix A ∈ Rm×n .
(11.13)
326
D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen
T T
u˜ 0 0 u˜ 0 u˜ min + , ν˜ ν˜ 0 Q˜ ν˜ −2x˜Tr Q˜ ν˜ ,u˜ u˜ s.t. C˜ | − INn = b˜ eq , ν˜ u˜ ˜ ˜ A0 ≤ b. ν˜
(11.17) (11.18) (11.19)
The minimisation of (11.17), subject to (11.18) and (11.19) leads to a feasible u˜∗ and an optimal ν˜ ∗ . Note that equation (11.18) incorporates the relationship between the virtual input z, the physical input u, and the variable ν (see remark). The latter may be interpreted as if the dynamic inversion were embedded into the MPC problem. It must be noted, however, that it is not possible to weight the input u(k) ˜ during this phase because that impairs the state-tracking capability of the controller. The argument of the optimisation u˜∗ is not unique, since g(x(k)) is a wide matrix. Hence, it is possible to pose a second optimisation problem in the form of a control allocation problem, which will be the subject of the next section. One issue, that was already mentioned in the previous paragraph, is that the equality constraint (11.18) depends on the state in a nonlinear fashion. This constraint therefore has to be approximated such that it is either constant or linearly dependent on the state at time k. Several possible approximations are: 1. assume that x(k) is constant over the horizon such that T C˜ ≈ In ⊗ g(x(k)), b˜ eq ≈ 1 1 . . . 1 f (x(k)); 2. apply the input that was computed for the previous time-step to predict the evolution of the state over the horizon; 3. assume that the system state will follow the reference state according to a stable and linear time-invariant (LTI) reference system; 4. exploit a Jacobian linearization of f (x(k)) and g(x(k)) to obtain a local LTI model that can be applied to predict the evolution of the state over the horizon. The authors acknowledge that what is presented in this section is a tailor-made MPC implementation, and suggest referring to [6] for an in-depth investigation of MPC and its properties in general. Remark: The addition of u(k) ˜ in (11.17) may seem redundant, but it avoids the complex and computationally expensive mapping of the polytope U that bounds u(k) to a polytope that bounds ν (k) via the relationship g(x(k))u(k) = − f (x(k)) + ν (k).
(11.20)
This must be done every time-step and is very closely related to the subject of computational geometry. It is however well-known that projection methods, as described in [17], are computationally very intensive and therefore not suitable for this application. Even the more advanced and much faster methods like the equality set
11
FTFC Using MPC and Model Inversion
327
projection algorithm from [18] was shown to be prohibitive where computational complexity is concerned.
11.2.4 Control Allocation The previous sections have shown that it is possible to construct a globally valid, but constrained and nonlinear controller by means of a combination of MPC and FBL. Until now, however, we have only computed a feasible input u∗k . This input is not unique, since in general the number of inputs is known to be larger than the number of controlled states. In many cases it will be desirable to be able to redistribute this feasible input such that, for instance, the absolute size of the inputs is minimal, or such that the change of the input with respect to the previous time-step is minimised. Since m ≥ n, there is freedom in choosing u. One way to solve this problem involves the following quadratic programming problem min uT Qu u + Δ uT Ru Δ u,
(11.21)
u
∗
s.t. g(x(k))u(k) = g(x(k))u (k), Au ≤ b, where Δ u = u(k) − u(k − 1) and where Qu , Ru 0 are input weighting matrices. The above optimisation problem may be interpreted as follows: given one feasible input u∗ (k) that results from the MPC step, this control allocation problem will find a u(k) that satisfies the mixed objective posed above: minimisation of the inputs and minimisation of the change of u(k) with respect to the previous timestep, while satisfying the control allocation goal by means of the equality constraint g(x(k))u(k) = g(x(k))u∗ k). It is this control allocation strategy that completes the FTFC setup that has been presented in this section. We have provided the necessary theory and results that are required for the integration of MPC and NDI into a single controller. The next section will show the merits of this FTFC method by means of an example that involves the nonlinear equations of motion of a fixed-wing aircraft which is represented by the benchmark model.
11.3 Modeling and Dynamic Inversion of the Benchmark Model This section applies the previously introduced NDI theory to the benchmark aircraft. In order to do so, we introduce the relevant equations of motion that stem from a first-principles model of the aircraft. In favour of brevity we introduce only those kinematic equations that are relevant for NDI purposes. Furthermore, we present these state-equations in their discrete time approximation directly. The goal of this section is to present the nonlinear control laws that are required to arrive at linear and time-invariant behaviour for purposes of control through MPC.
328
D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen
A total number of four states will be linearised using the NDI method. These states are the roll attitude φ , the pitch angle θ , the yaw angle ψ and the indicated airspeed V , respectively. With these four states it is possible to control both the orientation and the velocity of the aircraft. Through the application of NDI we strive for linearisation of these four state equations. In order to arrive at the required control laws we split the problem in two separate stages. First, we model the discretised but nonlinear equation for the airspeed V of the benchmark aircraft and linearise this. Subsequently, we perform the same actions for the equations that belong to the three attitude states. Additionally, in the first instance we will assume that the forces (X,Y, Z) and moments (L, M, N), that enter the system equations, are inputs to the system. The nonlinear and discretised state equation for the airspeed is given as follows: T V (k + 1) = V (k) + [cos α cos β m
sin β
⎡ ⎤ X(k) sin α cos β ] ⎣Y (k) ⎦ , Z(k)
(11.22)
where α and β are the angle of attack and sideslip angle, respectively. The variable T is introduced here to represent the sampling interval. Hence, the time between two time-steps k and k + 1 is T seconds. Then, using the notational convention of Section 11.2.2 we introduce the virtual input z1 as ⎡
T z1 (k) = [cos α cos β m
sin β
⎤ X(k) sin α cos β ] ⎣Y (k) ⎦ , Z(k)
(11.23)
such that when z1 (k) = (ades − 1)V (k) + ν1 (k),
(11.24)
the state equation becomes linear and is represented as V (k + 1) = adesV (k) + ν1 (k).
(11.25)
Performing NDI for the attitude states requires some additional steps, whilst they do not depend on the external forces and moments directly. We model the behaviour of the attitude states as ⎡
⎤ ⎡ ⎤ ⎤⎡ ⎤ ⎡ 1 sin φ tan θ cos φ tan θ φ (k + 1) φ (k) p(k) ⎣ θ (k + 1) ⎦ = T ⎣0 cos φ − sin φ ⎦ ⎣ q(k) ⎦ + ⎣ θ (k) ⎦ , sin φ cos φ ψ (k + 1) ψ (k) r(k) 0 cos θ cos θ
(11.26)
where p, q, r are the roll-, pitch- and yaw rate. In order to apply NDI we shift these equations one step in time in order to arrive at
11
FTFC Using MPC and Model Inversion
329
⎤ ⎡ ⎤ ⎡ ⎤ 1 sin φ tan θ cos φ tan θ φ (k + 2) p(k + 1) ⎣ θ (k + 2) ⎦ = T ⎣0 cos φ − sin φ ⎦ (k + 1) ⎣ q(k + 1)⎦ , sin φ cos φ ψ (k + 2) r(k + 1) 0 cos θ cos θ ⎡ ⎤ φ (k + 1) + ⎣ θ (k + 1) ⎦ , (11.27) ψ (k + 1) ⎡
such that we may plug in the equations that govern the states p, q, r, ⎤ ⎤⎞ ⎡ ⎤ ⎛ ⎤ ⎡ ⎤ ⎡ ⎡ ⎡ p(k) 100 p(k + 1) 0 −r q L(k) ⎣ q(k + 1)⎦ = ⎝−T J −1 ⎣ r 0 −p⎦ J − ⎣0 1 0⎦⎠ ⎣ q(k) ⎦ + T J −1 ⎣M(k)⎦ , r(k) 001 r(k + 1) −q p 0 N(k) where
⎡
⎤ Ixx 0 −Ixz J = ⎣ 0 Iyy 0 ⎦ −Ixz 0 Izz
(11.28)
and where I∗∗ indicates the inertia, in order to arrive at ⎤ ⎡ ⎤ ⎡ ⎤ ⎡ 1 sin φ tan θ cos φ tan θ φ (k + 2) φ (k + 1) ⎣ θ (k + 2) ⎦ = ⎣ θ (k + 1) ⎦ + T ⎣0 cos φ − sin φ ⎦ (k + 1) sin φ cos φ ψ (k + 2) ψ (k + 1) 0 cos θ cos θ ⎛ ⎡ ⎤ ⎡ ⎤⎞ ⎡ ⎤ 0 −r q 100 p(k) − ⎝T J −1 ⎣ r 0 −p⎦ J − ⎣0 1 0⎦⎠ ⎣ q(k) ⎦ −q p 0 001 r(k) ⎡ ⎤ L(k) +T J −1 ⎣M(k)⎦ . (11.29) N(k) Using the same method that was applied for the airspeed, we choose the virtual input ⎡ ⎤ L(k) z2 (k) = T J −1 ⎣M(k)⎦ . (11.30) N(k) Choosing this virtual input to equal ⎤ ⎡ ⎤ ⎡ 1 sin φ tan θ cos φ tan θ φ (k + 1) − sin φ ⎦ (k + 1) z2 (k) = (Ades − I) ⎣ θ (k + 1) ⎦ − T ⎣0 cos φ sin φ cos φ ψ (k + 1) 0 ⎛ ⎡ ⎤ ⎡ cos⎤θ⎞ ⎡ cos⎤θ 0 −r q 100 p(k) − ⎝T J −1 ⎣ r 0 −p⎦ J − ⎣0 1 0⎦⎠ ⎣ q(k) ⎦ , (11.31) −q p 0 001 r(k)
330
D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen
leads to the linear and time-invariant closed-loop behaviour ⎡ ⎤ ⎡ ⎤ φ (k + 2) p(k + 1) ⎣ θ (k + 2) ⎦ = (Ades − I) ⎣ q(k + 1)⎦ + ν2 (k), ψ (k + 2) r(k + 1)
(11.32)
where Ades ∈ R3×3 is the desired linear time invariant behaviour and where ν2 is the input to the linearised system. At this stage we may conclude that when z1 and z2 satisfy equation (11.24) and (11.31) that the linear state behaviour equals ⎡ ⎤ ⎤ ⎡ V (k + 1) V (k)
⎢ φ (k + 2) ⎥ ⎥ ⎢ ⎢ ⎥ = ades 0 ⎢ φ (k + 1) ⎥ + ν1 (k) . (11.33) ⎣ θ (k + 2) ⎦ 0 Ades ⎣ θ (k + 1) ⎦ ν2 (k) ψ (k + 2) ψ (k + 1) What remains now is to introduce expressions for the forces F = [X,Y, Z]T and moments M = [L, M, N]T . The forces are the sum of the external forces and the contribution of the aerodynamics, and the moments are dependent of the aerodynamics only, which leads to the expressions: F = Fgrav + Fwind + Faero,
(11.34)
M = Maero ,
(11.35)
where the subscripts indicate the contribution of gravity, the wind and the aerodynamic model, respectively. We model the aerodynamics as follows T 1 2 pb qc rb ρV S CFx 1 α α 2 α 3 β β 2 β 3 2V +C u , (11.36) Fu 2V 2V 2 ⎡ ⎤ b00 T 1 2 ⎣ pb qc rb = ρV S 0 c¯ 0⎦ CMx 1 α α 2 α 3 β β 2 β 3 2V +C u ,(11.37) Mu 2V 2V 2 00b
Faero = Maero
where ρ is the air density, S, b, c¯ are the wing area, wing span and wing chord, respectively. The input variable u is a vector composed of the control surfaces and engines of the aircraft. In this chapter we make use of a subset of these control effectors. In this particular case we apply our controller to the four elevator surfaces, the four ailerons, the two rudder halves and the four engines, hence u ∈ R14 . The aerodynamic parameters CFx ,CMx ∈ R3×10 and CFu ,CMu ∈ R3×14 are determined online through a recursive identification method, using the approach presented in Chapter 13 and [14]. Although not strictly required in the nominal and failure-free case, the identification method is applied in both the nominal and the failure case. Because of the fact we apply data from recursive identification, we do not have to model failures explicitly. As an example one might consider a rudder that has become stuck. Such a failure will result in a change in the basic aerodynamic parameters to account for the static aerodynamic moment that this creates. Furthermore the effectiveness of the rudder itself will be reduced to zero. Additionally, although not applied here, it is possible to include direct knowledge
11
FTFC Using MPC and Model Inversion
331
of actuator failures in the controller. The uncertainty caused by failures of the aircraft structure or actuators is considered to be small because of the relatively fast response of the identification algorithm. In summary, we may apply MPC to the linear system of equation (11.33), provided that the input u from (11.36)-(11.37) is allocated such that the virtual inputs z1 , z2 in (11.23) and (11.30) satisfy equations (11.24) and (11.31). Additionally, the physical constraints are entered into the problem to arrive at the MPC problem (11.17,11.18,11.19) and the control allocation and weighting problem (11.21) from Section 11.2.
11.4 Simulation Results In this section we evaluate the performance of the combination of MPC and NDI as a reconfigurable control method. We do so in two individual examples. The first example involves a so-called stabiliser runaway of the benchmark aircraft. The second example shows the simulation results when one of the manoeuvres from the benchmark assessment criteria is flown.
11.4.1 Reference Tracking: Stabiliser Runaway Here, it will be shown that the control strategy proposed in this paper allows retention of a trim condition and tracking of a reference with the benchmark aircraft in the event of a failure. In this particular example, it is shown that a combination of the reconfigurable controller and the online identification algorithm can retain stability after the introduction of the stabiliser runaway failure at time t = 10 [s]. At this time the stabiliser moves to its extreme trim angle of 2o . Next to that, it is shown that, despite the stabiliser being inoperative and stuck at an extreme position, it is still possible to track a doublet-like reference signal with the pitch rate q [rad/s] using another combination of the control surfaces. The states that are controlled, are the roll attitude φ , the pitch attitude θ and the yaw attitude ψ , respectively. The inputs that are used in this example are the four different aileron surfaces, the four elevator surfaces, the two rudder surfaces, and the stabiliser trim angle. The other inputs, including the engines, remain at their trim value for the initial condition. Figure 11.2 depicts the results that were obtained in simulation. Several important notions can be derived from this figure. First of all, it can be seen from the figure that, although the online identification is initialised with data that was obtained offline, it takes approximately 3 [s] for the closed loop to stabilise the system for the reference state p, q, r = 0. Furthermore, it is clear to see, that although a failure is introduced at t = 10 [s] relatively little effect is noticeable in the state-response. The latter indicates that the controller successfully succeeds at redistributing the desired control effort over the remaining control surfaces and that the FDI algorithm identifies the new situation quickly. And finally, it is easily seen from the figure that
332
D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen
roll rate p [rad/s]
0.1 measurement reference 0
pitch rate q [rad/s]
-0.1 0
5
10
15
20
25
30
35
0
5
10
15
20
25
30
35
0
5
10
15
20
25
30
35
0.1
0
-0.1
yaw rate q [rad/s]
0.1
0
-0.1 time [s]
Fig. 11.2 Simulation result for the body rates p, q, r with respect to a reference after introduction of a stabiliser runaway fault at t = 10 [s]
in spite of the failure of the stabiliser, it is still possible to track a reference on the pitch rate. It is assumed that extensive tuning of parameters like the state- and input weighting matrices Q, Qu , Ru , the selected sampling interval T , and the prediction horizon N will lead to greatly improved tracking behaviour. What remains to be said about this example is that the computational complexity of the control method is quite high. It is expected that this can be greatly improved upon through a more efficient implementation of the controller. Furthermore, although not visible in the provided results, the online identification algorithm suffers from lack of excitation when the system is controlled to be in steady-state for extended periods of time. Both of these issues are not addressed in this chapter, but will be the topic of future research.
11.4.2 Right Turn and Localiser Intercept What may be concluded from the previous example is that the method is very much dependent of the quality of the model that is identified online. This holds particularly true for control based on NDI in this setting. Because of the fact that the aircraft is simulated in closed loop with the controller, it is also very important that
11
FTFC Using MPC and Model Inversion
333
States with specs
right turn and LOC intercept
0
50
100
150
LOCvalid
0 -5
0.5
40 20 0 -20 -40
200
VTAS
100 90 0
50
100
150
200
0 0
50
100
150
200
α
r
0 0
50
100
150
200
300
0
50
100
150
200
0
50
100
150
200
0
50
100
150
200
0
50
100
150
200
2 nz
β ny
100
15 10 5 0
200
10 0 -10
0
0 -2
2
-2
0
2 q
p
2
-2
1
φ
λ
5
0
50
100
150
200
0
50
100
150
200
0 -2
2 0 -2
Fig. 11.3 Overview of several aircraft states during a right-hand turn and subsequent localiser intercept. The top left and top right graph in the figure depict the angle λ with respect to the localiser beam and the signal that indicates whether the localiser signal is valid.
the quality of the initial estimate of the aircraft parameters is high. Furthermore, the aerodynamic model of the benchmark may basically be regarded to be a black-box system, hence it is not possible to use exact knowledge of this model for testing purposes. This, combined with the fact that the control method is particularly sensitive to tuning of the weighting matrices in both MPC and the control allocation method, makes it difficult to achieve proper results for flying full manoeuvres from the list of assessment criteria. In order to show the applicability of the method, provided that the uncertainty of the aerodynamic model is not too high and that the tuning of the controller is appropriately chosen, we show an example manoeuvre that was obtained through simulation of the benchmark where the aerodynamics have been replaced by a static but, still nonlinear model. Figures 11.3, 11.4 and 11.5, which are included at the end of the chapter, show the results when the aircraft is made to fly a turn to the right followed by a localiser intercept. Figure 11.3 shows a subset of the aircraft states and the angle between the aircraft heading and the localiser beam λ during this particular simulation example. Also indicated in the figure, are the assessment specifications. Figure 11.4 and 11.5 show the accelerations of the aircraft and the horizontal trajectory of the aircraft. The results presented here consider a flight in a fault-free scenario, but given the simplified aerodynamic model, different failure scenarios, with stuck control surfaces perform equally well. What may be concluded from this simulation is that the combination of MPC and the inversion of the nonlinear aircraft kinematics through
334
D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen Kinematic accelerations in body axes
0
axb
[ms−2 ]
2
-2 0
20
40
60
80
100
120
140
160
180
200
220
0
20
40
60
80
100
120
140
160
180
200
220
0
20
40
60
80
100
120
140
160
180
200
220
0
ayb
[ms−2 ]
2
-2
0
azb
[ms−2 ]
2
-2
Fig. 11.4 Overview of the accelerations of the aircraft body during the right turn and localiser intercept. horizontal trajectory 0
1000
2000
3000
ye (East)
4000
5000
6000
7000
8000
9000
10000
-2.2
-2
-1.8
-1.6
-1.4
-1.2
-1
xe (North)
Fig. 11.5 Representation of the horizontal trajectory that was flown by the aircraft during the right hand turn and localiser intercept manoeuvre.
11
FTFC Using MPC and Model Inversion
335
NDI is valid for FTFC purposes, provided correct knowledge of the aerodynamics of the aircraft is available.
11.5 Conclusion This chapter has presented the combination of MPC and FBL into a constrained and globally valid control method and is as such an evolution of previous work ([19]). Using the proposed control method, it is possible to implement a reconfigurable flight control-law that is valid throughout the flight envelope. The reconfigurable properties are a result of efficient distribution of the desired control effort over the remaining and redundant control inputs. Furthermore, the method can take into account various input, state and output constraints. The latter is particularly useful when actuators get stuck in a certain position. An example has been provided that shows that the combination of the proposed control strategy an online and recursive identification can retain a trim state as well as track a reference when the body states of the benchmark model are controlled. Practical issues that will be the topic of future research are related to the construction of a more computationally efficient adaptation of this controller. Additionally, it will have to be taken into account that the recursive identification scheme is applied in a closed-loop setting whilst this is not explicitly accounted for at the moment. From a theoretical point of view an interesting subject for future research is the addition of robustness to the FTFC method whilst it is well-known that feedback linearisation and dynamic inversion methods are not particularly robust to modelling uncertainties. Such modelling uncertainties particularly arise in situations where FDI information is not available instantaneously. In order to achieve this, it is necessary to include theory for determination of the uncertainty in a model after having performed feedback linearisation, as discussed in [20]. The same holds for the development of theory that explains the effect of discretisation on model uncertainty so as to obtain an uncertain discrete-time feedback linearised system that is suitable for control with robust model predictive control methods like [21]. Increased robustness of the FTFC method will be of great importance in applications where there is latency in the FDI system. Robustness with respect to modeling uncertainty is required to guarantee stability until new and accurate FDI information becomes available after a failure has occurred.
References 1. Bodson, M.: Identification with modeling uncertainty and reconfigurable control. In: Proceedings of the 32nd IEEE Conference on Decision and Control, pp. 2242–2247 (1993) 2. Jones, C.N.: Reconfigurable flight control. Technical report, Engineering Dept., University of Cambridge (2002) 3. Mayne, D.Q., Rawlings, J.B., Rao, C.V., Scokaert, P.O.M.: Constrained model predictive control: stability and optimality. Automatica 36(6), 789–814 (2000) 4. Bemporad, A., Morari, M.: Robustness in identification and control, 245 (1999)
336
D.A. Joosten, T.J.J. van den Boom, and M. Verhaegen
5. Qin, S.J., Badgwell, T.A.: A survey of industrial model predictive control technology. Control Engineering Practice 11(7), 733–764 (2003) 6. Maciejowski, J.M.: Predictive control: with constraints. Pearson Education, Harlow (2002) 7. van Soest, W.R., Chu, Q.P., Mulder, J.A.: Combined feedback linearization and constrained model predictive control for entry flight. Journal of Guidance, Control and Dynamics 29(2), 427–434 (2006) 8. van Eduard Oort, Q.P., Chu, J.A.: Robust Model Predictive Control of a Feedback Linearized F-16/MATV Aircraft Model. In: Proceedings of the AIAA Guidance, Navigation, and Control Conference and Exhibit, AIAA-2006-6318 (2006) 9. van den Boom, T.J.J.: Robust nonlinear predictive control using feedback linearization and linear matrix inequalities. In: Proceedings of the American Control Conference, June 1997, pp. 3068–3072 (1997) 10. Kale, M.M., Chipperfield, A.J.: Stabilized MPC formulations for robust reconfigurable flight control. Control Engineering Practice 13(6), 771–788 (2005) 11. Hallouzi, R., Verhaegen, M.: Reconfigurable fault tolerant control of a boeing 747 using subspace predictive control. In: AIAA Guidance, Navigation and Control Conference and Exhibit, AIAA 2007-6665 (2007) 12. Huisman, H.: Fault tolerant flight control based on real-time physical model identification and nonlinear dynamic inversion. Master’s thesis, Delft University of Technology (2007) 13. Maciejowski, J.M., Jones, C.N.: MPC fault-tolerant flight control case study: Flight 1862. In: IFAC Safeprocess Conference (2003) 14. Lombaerts, T., Chu, Q., Mulder, J., Joosten, D.: Real time damaged aircraft model identification for reconfiguring flight control. In: Proceedings of the AIAA Atmospheric Flight Mechanics Conference and Exhibit, AIAA-2007-6717 (2007) 15. Isidori, A.: Nonlinear control systems. Springer, Heidelberg (1995) 16. Slotine, J.J.E., Li, W.: Applied nonlinear control. Prentice Hall, Englewood Cliffs (1991) 17. Preparata, F.P., Shamos, M.I.: Computational geometry: an introduction. Springer, New York (1985) 18. Jones, C.N., Kerigan, E.C., Maciejowski, J.M.: Equality set projection: A new algorithm for the projection of polytopes in halfspace representation. Technical Report CUED/FINFENG/TR.463, Department of Engineering, University of Cambridge (2004) 19. Joosten, D.A., van den Boom, T.J.J., Lombaerts, T.J.J.: Effective control allocation in fault-tolerant flight control with MPC and feedback linearization. In: Proceedings of the European Conference on Systems and control, Kos, Greece, July 2007, pp. 3552–3559 (2007) 20. Juliana, S., Chu, Q., Mulder, J., van Baten, T.: The analytical derivation of nonlinear dynamic inversion control for parametric uncertain system. In: AIAA Guidance, Navigation, and Control Conference and Exnhibit, AIAA-2005-5849, San Francisco, CA (August 2005) 21. Kothare, M.V., Balakrishnan, V., Morari, M.: Robust constrained model predictive control using linear matrix inequalities. Automatica 32(10), 1361–1379 (1996)
Chapter 12
A FTC Strategy for Safe Recovery against Trimmable Horizontal Stabilizer Failure with Guaranteed Nominal Performance J´erome Cieslak, David Henry, and Ali Zolghadri
12.1 Introduction The need for increased flight safety and aircraft reliability leads to the design of reconfigurable fault tolerant control systems. Such systems are meant to manage faulty situations and help the crew to recover control capabilities quickly. Fault Tolerant Control (FTC) is one solution to tackle this problem and has received considerable attention from the control research community and aeronautical engineering researchers in the past couple of decades (for a survey, see for instance [1, 2, 3]). The main objective of fault tolerant control is to maintain a specified performance level in the presence of faults. Two approaches can be distinguished in this area: passive and active. In the passive approach, the control algorithm is designed so that the system is able to achieve its given objectives, in healthy as well as faulty situations. Unfortunately, achieving robustness to certain faults is only possible at the expense of decreased nominal performance. Active approaches react to fault events by using a reconfiguration mechanism and, in certain cases, this ensures nominal performance in fault free situations. This is a great benefit of active FTC approaches. Active FTC is characterized by an on-line Fault Detection and Isolation (FDI) and a reconfiguration mechanism. This scheme requires the control law to react to faults through reconfiguration and FDI modules [4]. Many studies, based on a potentially known fault scenario, have contributed to the development of active FTC strategies J´erome Cieslak IMS laboratory, Bordeaux 1 University, 351 cours de la lib´eration, 33405 Talence c´edex e-mail:
[email protected] David Henry IMS laboratory, Bordeaux 1 University, 351 cours de la lib´eration, 33405 Talence c´edex e-mail:
[email protected] Ali Zolghadri IMS laboratory, Bordeaux 1 University, 351 cours de la lib´eration, 33405 Talence c´edex e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 337–361. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
338
J. Cieslak, D. Henry, and A. Zolghadri
for aeronautical systems (see for instance [3, 5, 6, 7]). The goal is to maintain overall system stability and acceptable performance in spite of the occurrence of faults by reconfiguring the nominal control law when a fault is detected by the FDI unit. The FDI mechanism is supposed to detect and diagnose any relevant failures which could lead to flight performance degradation. This must be done sufficiently early and in compliance with the stringent operational and flight dynamics constraints, to set up timely safe recovery actions and to improve the situation and awareness of the crew. The main difficulty that appears when integrating the different units to build a reliable active FTC law is that each individual subsystem is assumed to operate correctly: its output is instantaneously available to provide decisions/actions to other subsystems. This implies some interactions between the reconfigurable controller and the FDI unit as mentioned for instance in [8, 2, 9, 10]. To take into account this interaction, one solution could be the progressive accommodation scheme as proposed in [11]. The goal is to find in one step a stabilizing solution and to iterate step by step to refine the solution to determine an optimal solution (in the LQ sense). However, in this case, computational burden could be a critical factor. Some work combines a fault tolerant controller with a diagnostic filter. In [12], the authors use the standard H∞ setting to design a nominal controller and a robust detection filter. In this configuration, the Youla parametrization of all stabilizing controllers is selected to ensure fault compensation, with the assurance that closed-loop stability is maintained in the presence of a fault. In [13, 14, 15], the dual Youla parametrization is used for determining the set of all faulty processes which can be stabilized by the (nominal) control law. It is shown how both fault diagnosis and fault tolerant control can be combined in the same architecture and this is an interesting framework for analyzing the relationship between FDI and FTC. However, in order to cope with performance degradation when faults are not detected by the FDI part, the authors proposed to activate the fault tolerant controller all the time. As a consequence, their approach is equivalent to a passive FTC scheme. Other work in the literature is based on Linear Parameter Varying (LPV) techniques [16, 17, 18]. The idea is to use the residual output of the FDI scheme jointly with some subspace of the system states, as scheduling parameters of the LPV fault tolerant controller. In this chapter, an attempt is made to provide an active FTC strategy which addresses the aforementioned issues, i.e. the development of a FTC scheme that takes into account within the design procedure: • the FDI scheme performance: the final goal is to design simultaneously the FDI and the FTC units so that they attain a guaranteed performance level when they operate together. • the nominal autopilot and the nominal Flight Control System (FCS) are already in place. (This way, stability is proved and flying qualities are maintained, despite the presence of faults and uncertainties, e.g. mass and center of gravity variations) The proposed approach is based on H∞ control theory. This aspect is an important issue in this contribution. The H∞ setting has been chosen since it can be extended
12
Recovery against THS Failure with Guaranteed Nominal Performance
339
to the LPV cases using the L2 -induced vector norm. In this work, the LTI setting has been revealed to be sufficient to address the FTC problem.
12.2 Nomenclature Throughout this contribution, the following notations are used: The Euclidean norm is always used and is written without a subscript; for example x . Similarly in the matrix case, the induced vector norm is used: A = σ (A) where σ (A) denotes the maximum singular value of A. Signals, for example w(t) or w, are assumed to be of bounded energy, and their norm is denoted by w 2 , i.e. ∞ 1/2 ||w(t)||2 dt < ∞. Linear models, for example, P(s) or simply P, are w 2 = −∞ assumed to be in RH∞ , i.e. real rational functions with ||P||∞ = supω σ (P( jω )) < ∞. Block diagrams are used to represent interconnections of systems. For example, the structure shown in Fig. 12.1 represents the equations
η = Δε ε = P11 η + P12u y = P21 η + P22u
(12.1)
In terms of the input u and output y, this can be expressed as the upper linear fractional representation (LFR) y = Fu (P, Δ )u that is deduced from (12.1) using some linear algebra manipulations: Fu (P, Δ ) = P21 Δ (I − P11Δ )−1 P12 + P22
(12.2)
where P11 , P12 , P21 , P22 are deduced from the partition of P as illustrated in Fig. 12.1. Similarly, the lower LFR Fl (PK) is defined according to Fl (P, Δ ) = P12 K(I − P22K)−1 P21 + P11
(12.3)
In this formulation, it is assumed that Δ belongs to a structure Δ describing the set of all model perturbations, so that
Δ = {block diag(δ1r Ik1 , ..., δmr r Ikmr , δ1c Ikmr +1 , ..., δmc c Ikmr +mc , Δ1C , ..., ΔmCC ), δir ∈ R, δic ∈ C, ΔiC ∈ C}
η u
Δ
P
Fig. 12.1 The interconnection structure of systems.
ε y
(12.4)
340
J. Cieslak, D. Henry, and A. Zolghadri
where δir Iki , i = 1, ..., mr , δ jc Ikmr + j , j = 1, ..., mc and ΔlC , l = 1, ..., mC are known respectively as the ‘repeated real scalar’ blocks, the ’repeated complex scalar’ blocks and the ‘full complex’ blocks. The following classical notations are used when dealing with aircraft characteristics (the notation ”•” refer to indices): p, q, r = roll, pitch, yaw rate. VTAS = true air speed. α , β = angle of attack and the side slip angle. φ , θ , ψ = roll, pitch, yaw angle. xe , ye , h = ground position of the aircraft. δa • •, δe • •, δr • = aileron, elevator, rudder deflection. δsp •, δ f • =spoiler and flap deflection. ih = stabilizer deflection. EPR• = thrust engine position.
12.3 Problem Statement In the GARTEUR FM AG16 benchmark, the pilot commands are replaced by signals generated by the benchmark scenario generator. The autoflight system integrates a longitudinal and a lateral controller. Each controller contains inner and outer loops. Referring to Fig. 12.2, the autoflight system consists of the Flight Control System (FCS) which forms the inner control loop, and an outer loop represented by the autopilot system (one autothrottle has not been considered in this study). In addition, an on-board FDI unit has been placed within the simulator. The faulty situation investigated in this contribution consists of the motion of the Trimmable Horizontal Stabilizer (THS) surface at the maximum rate limit (i.e. +0.5 deg/s) to the extreme positions. This is termed a runaway. We assume that such faults correspond to a hardware malfunction and that it is then not possible to act on the faulty THS surface to accommodate it or return it into its neutral position. The goal is to develop a FTC scheme to accommodate this fault using the remaining control surfaces. Remark 12.1. Since the considered THS fault can be considered as a symmetric fault, it acts only in the longitudinal motion of the aircraft. This key feature is an important aspect for the following developments.
Fig. 12.2 Benchmark setup
12
Recovery against THS Failure with Guaranteed Nominal Performance
341
Following the basic ideas presented in [19], the design of the FTC loop is tackled according to the block diagram of Fig. 12.3. The proposed reconfigurable flight control scheme is made-up of three parts: a FDI part represented by the dynamical ˜ filters Hy (s), Hu (s) and a decision making rule, a FTC part represented by K(s) which generates an additional control signal u˜ to be added to the nominal control signal uo in faulty situations, and a FTC activation mechanism to activate the FTC strategy. Once again, the overall FTC strategy works in such a way that, in a fault free situation, the FTC loop is not activated leaving the aircraft only controlled by the autoflight control system. When the FTC strategy is activated, the control law is reconfigured by adding the signal u˜ to the nominal control signal uo . The activation of this loop is done by using a switching logic, i.e. the autoflight control system is not removed when no fault is present, and consequently the overall scheme ensures nominal flight performance in fault free situations. The activation of the switch is done by the decision making rule coming from the FDI unit. The proposed architecture implies some important issues. The first question concerns the activation delay of the strategy FTC. During this time interval, the faulty system is controlled by the nominal control law which has not been designed for faulty situations. This problem is also highly related to the time delay detection of the FDI part. In this contribution, a method is discussed to address this problem efficiently. From Fig. 12.3, in a fault free situation, the FTC scheme is in open loop. Consequently, an important requirement is that the interconnection of Hy (s), Hu (s) ˜ and K(s) must be stable. Since Hy (s) and Hu (s) are, by definition, stable detection filters since they generate a residual signal vector r(t), this problem is equivalent to a stability requirement ˜ on K(s). This will be discussed and clarified in section 12.6.
Fig. 12.3 The benchmark setup associated to the proposed FTC strategy
342
J. Cieslak, D. Henry, and A. Zolghadri
Fig. 12.4 General FTC setup with an analytical redundancy
Another important aspect is the availability of the FDI mechanism. In the case of analytical redundancy, the representations of the filters Hy (s) and Hu (s) are also available. The decision making rules that activate the FTC strategy are then monitored by the residual signal r. The diagram in Fig. 12.3 can be then represented by the diagram of Fig. 12.4 where Kn (s) is the autoflight control system and G(s) is the model of the aircraft. The FTC design problem is now equivalent to the design of a ˜ dynamical fault tolerant controller K(s) that ensures in some sense, input/output insensitivity against the fault. This problem can be formulated in the following manner: Problem 12.1. Suppose that the faulty system is stabilisable. The goal is to design ˜ a stable controller K(s) to produce the new control signal ˜ u(t) = u0 (t) + K(s)r(t)
(12.5)
such that the stability of the aircraft and the required control objectives are guar˜ anteed for the THS fault. Using an H∞ formulation [20, 21], this means that K(s) should satisfy Fl P1 , K˜ < γ1 (12.6) ∞ where P1 (s) is deduced from Kn (s), G(s), Hy (s) and Hu (s) using standard algebraic manipulations. The scalar γ1denotes some FTC performance level to be achieved. In this formulation, Fl P1 , K˜ corresponds to the lower LFT (linear fractional trans˜ formation) of P1 (s) by K(s). When the FDI mechanism is available on-board, the FTC problem can be seen as the design of a new dynamical filter denoted by K(s), as seen in Fig. 12.5. The on-board FDI unit is also used to manage the activation switch. In this case, the synthesis Problem 12.1 can be formulated as follows:
12
Recovery against THS Failure with Guaranteed Nominal Performance
343
Problem 12.2. Suppose that the faulty system is stabilisable. The goal is to design a stable controller K(s) to produce the new control signal y(t) u(t) = u0 (t) + K(s) (12.7) u0 (t) such that the stability of the aircraft and the required control objectives are guaranteed for the THS fault. This means in the H∞ framework that K(s) should satisfy: Fl P2 , K < γ2 (12.8) ∞ Here, P2 (s) is deduced from Kn (s) and G(s) after some straightforward algebraic manipulation. Again, the scalar γ2 represents some performance level to be achieved. Some key features of the proposed method are: • the simultaneous design of the FDI unit and the FTC mechanism so that they provide a guaranteed performance level when they operate together. • the existing systems that are available on-board are retained to reduce the certification process. This includes the flight controller Kn and a FDI unit, if available. In terms of the AG16 benchmark, it is assumed that an on-board FDI algorithm is available. Thus, we focus on Problem 12.2. However it is assumed that the presented developments still satisfy Problem 12.1, provided some assumptions that are described in the following paragraph are satisfied. This means that in the context of the AG16 problem, it is possible to take into account the model-based FDI schemes proposed by the partners within the design procedure of the FTC scheme. This is another important aspect of the proposed method. Remark 12.2. In Figs. 12.4 and 12.5, it is natural to ask about the stability of the FTC loop in the presence of the switch. Here, we assume that once a fault is detected, the
Fig. 12.5 General FTC setup with an on-board FDI scheme
344
J. Cieslak, D. Henry, and A. Zolghadri
switch is definitively activated and the compensation signal u˜ remains active for all subsequent time. The remaining problem concerns the transient behaviour of u. ˜ To avoid ‘bumps’, a solution to manage this problem is given in the appendix.
12.4 Model-Based FDI Schemes: Some Assumptions for an Integrated FDI/FTC Design Approach Before proceeding to the design of the FTC loop as depicted in Fig. 12.5, the structure of the FTC system presented in Fig. 12.4 is analyzed to highlight some interesting features with respect to the interaction between the FDI and FTC units. The goal is to derive some assumptions about the FDI schemes for an integrated FDI/FTC design approach.
12.4.1 Analysis of the FTC Loop ˜ B, ˜ D), ˜ C, ˜ (Au , Bu ,Cu , Du ) Consider the setup shown in Fig. 12.4. Let (A, B,C, D), (A, ˜ and (Ay , By ,Cy , Dy ) be the state-space representations of G(s), K(s), Hu (s) and Hy (s) respectively. The FTC loop state-space model GFTC (s), which is the transfer function between the nominal control signal u0 and the measurements y, is derived from ˜ G(s), K(s), Hu (s) and Hy (s) according to: ⎧ x˙c A11 A12 xc B1 ⎪ ⎪ = + u0 ⎨ x˙u 0 A x B u u u GFTC : (12.9) xc ⎪ ⎪ + D22 u0 ⎩ y = C1 C2 xu The matrices A11 , A12 , B1 ,C1 ,C2 and D22 are deduced from the aforementioned state-space representations according to: ⎞ ⎛ ˜ ˜ yC BMC˜ A+ BM DD BM DCy ˜ y DMC˜ B˜ I + Dy DM D˜ Cy ⎠ ˜ y C + DM DD ˜ yC A˜ + BD A11 = ⎝ BD (12.10) ˜ y C ˜ y By DMC˜ By I + DM DD Ay + By DM DC ⎞ ⎞ ⎛ ˜ ˜ BM DCu BM(I + DDu ) ˜ u) ⎠ A12 = ⎝ B˜ I + Dy DM D˜ Cu ⎠ B1 = ⎝ B˜ Du + Dy DM(I + DD ˜ ˜ By DM(I + DDu ) By DM DCu ˜ yC DMC˜ DM DC ˜ y ˜ u C1 = C + DM DD C2 = DM DC ˜ y D −1 ˜ u D22 = DM I + DD M = I − DD ⎛
= (xT
x˜T
xTy )T
(12.11) (12.12) (12.13)
The augmented state vector xc is xc where x, x, ˜ xy and xu are the state ˜ vectors associated with G(s), K(s), Hy (s) and Hu (s) respectively. From (12.9), it can be seen that the poles of GFTC (s) are given by the eigenvalues of A11 and Au . Note that the expression for A11 does not contain the Au , Bu ,Cu
12
Recovery against THS Failure with Guaranteed Nominal Performance
345
and Du matrices. It follows that Hu (s) (stable filter) does not impact on the stability of GFTC (s). This property justifies the choice to take the signal uo for the FDI part instead of u in which case, an internal loop appears affecting the stability of GFTC (s). Now, consider the diagram in Fig. 12.5 and let the state-space realizations of the transfer function matrices Kn (s) and GFTC (s) (see equation (12.9)) be given by (An , Bn ,Cn , Dn ) and (AG , BG ,CG , DG ) respectively. By definition A11 A12 B1 AG = DG = D22 (12.14) BG = CG = C1 C2 0 Au Bu Let xn be the state vector of Kn (s) and denote by xG the augmented vector so that xG = (xT x˜T xTy xTu )T . Direct calculations lead to the following closed loop statespace model ⎧ x˙G xG ⎪ ⎪ = AT + BT yre f ⎨ x˙n xn (12.15) xG ⎪ ⎪ + DT yre f ⎩ y = CT xn where AT , BT ,CT and DT are given by: AG − BG Dn NCG BGCn − BG Dn NDGCn AT = −Bn NCG An − Bn NDGCn CT = NCG NDGCn
DT = NDG Dn
BG Dn (I − NDG Dn ) BT = Bn (I − NDG Dn ) (12.16) N = (I + DG Dn )−1 (12.17)
Expression (12.15) shows that the stability of the overall loop depends on the stability of the FDI filter. This is an expected and rather evident result. Then, expression (12.15) reveals that the FDI and FTC dynamics are highly coupled.
12.4.2 Some Outlines for the Design The above analysis allows an outline for the design of an integrated FTC/FDI unit. A nice feature of the proposed FTC architecture presented in Fig. 12.3, is that the K(s) filter can be seen as the set of all admissible FDI/FTC units which achieve some level of performance represented by γ2 (see Problem 12.2). This suggests the following design procedure. First, design K(s) according to some FTC objectives. Once K(s) is designed, the challenge is to deduce from K(s) the FDI part Hy (s) and ˜ Hu (s), and the FTC part K(s). The proposed procedure consists of designing Hy (s) and Hu (s) and then to integrate the FDI performance specifications into the FTC design procedure. Thus, the FDI/FTC couple obtained is a solution to the problem of integrated FTC/FDI unit design, if and only if this couple belongs to the set K(s), that is if Fl P2 , Fl F, K˜ < γ2 F(s) = (Hy (s) Hu (s)) (12.18) ∞
346
J. Cieslak, D. Henry, and A. Zolghadri
12.4.3 The Case of an Observer-Based FDI Scheme Now suppose that the FDI scheme has an observer-based architecture: that is Hu (s) = C(sI − A − LC)−1B
Hy (s) = −C(sI − A − LC)−1L − I
(12.19)
where L denotes the observer gain. Now, suppose without loss of generality that D = 0, i.e. G(s) is a strict proper transfer function. Then, equation (12.15) becomes ⎧⎛ ⎞ ⎛ ⎞⎛ ⎞ ˜ ⎞ ⎛ x˙ x BDC A − BDnC BCn BC˜ ⎪ ⎪ BDn ⎪ ⎜ x˙ ⎟ ⎜ ⎪ ⎟ ⎜ ⎟ 0 ⎪ n⎟ ⎪ ⎟ ⎜ xn ⎟ + ⎝ Bn ⎠ yre f ⎜ −BnC An 0 ⎪⎜ ⎪ ˜ ⎝ x˙˜ ⎠ = ⎝ ⎠ ⎝ x˜ ⎠ ˜ 0 0 A BC ⎪ ⎪ 0 ⎨ ˙ ˜ ˜ ζ 0 −BC A + LC − BDC ζ ⎛ ⎞0 x ⎪ ⎪ ⎪ ⎪ ⎜ xn ⎟ ⎪ ⎪ ⎟ ⎪ y = (C 0) ⎜ ⎪ ⎝ x˜ ⎠ ⎪ ⎪ ⎩ ζ (12.20) where 0 and ζ denote the null matrix of appropriate dimension and the estimation error x − xˆ respectively. Noting that the A-matrix in (12.20) is upper block triangular, it follows that the ˜ stability of the global FTC scheme depends on the local FTC loop K(s) and the nominal control law Kn (s). In other words, (12.20) reveals a separation principle. This suggests a very interesting design procedure that is well known in the LQG (Linear Quadratic Gaussian) control theory namely: the local FTC and the observerbased FDI schemes can be designed separately.
12.5 Important Issues about Stability and Performance in Faulty Situations Recalling the definition of GFTC , it is clear that as long as GFTC is close to G (see Fig. 12.4 for easy reference) in some metric sense, then stability and nominal performance are preserved, despite the presence of faults. Thus, the goal is to design ˜ (or equivalently K(s)) so that Hy (s), Hu (s), K(s) min
˜ (Hy ,Hu ,K)/K
M (GFTC , G)
(12.21)
where M (.) denotes a metric. Since this problem is addressed within the H∞ setting and more precisely within the ‘mixed sensitivity’ approach [20, 22], it is easy to prove using H∞ theory that this problem can be addressed using the singular value framework, or the structured singular value formalism [23] if G and therefore GFTC , involves model perturbations Δ ∈ Δ (see the nomenclature section 12.2 or [23] if necessary). Thus, applying the ‘mixed sensitivity’ H∞ theory leads to the following proposition:
12
Recovery against THS Failure with Guaranteed Nominal Performance
347
Proposition 12.1. Consider the diagrams depicted in Figs. 12.4 and 12.5. Let S, R, T denote respectively the (nominal) sensitivity function, the sensitivity function of the controlled input and the complementary sensitivity function, i.e. S = (I + GKn )−1
R = Kn (I + GKn )−1
T = GKn (I + GKn )−1
(12.22)
Denote W1 ,W2 and W3 as the weighting functions used to shape S, R and T respectively. Then, a necessary and sufficient condition for the FTC loop composed by ˜ (or equivalently K(s)) to preserve stability and performance is: Hy (s), Hu (s), K(s) σ (SFTC ( jω )) ≤ σ W1−1 ( jω ) σ (RFTC ( jω )) ≤ σ W2−1 ( jω ) σ (TFTC ( jω )) ≤ σ W1−1 ( jω )
∀ω
(12.23)
∀ω
(12.24)
∀ω
(12.25)
The index .FTC is used to denote the faulty sensitivity functions. These are defined according to (12.22) where G is replaced by GFTC . −1 −1 −1 The gap between σ W1 ( jω ) , σ W2 ( jω ) , σ W3 ( jω ) and σ (SFTC ( jω )), σ (RFTC ( jω )), σ (TFTC ( jω )) respectively ∀ω indicates the loss of the FTC loop performance with regard to the nominal ones. If σ (SFTC ( jω )) = σ (S( jω )), σ (RFTC ( jω )) = σ (R( jω )) and σ (TFTC ( jω )) = σ (T ( jω )) ∀ω , or equivalently M (GFTC , G) = 0, then the same performance (therefore stability) are attained in both the fault free and faulty situations. This means, for example, that the fault is fully compensated using the remaining fault-free actuators.
12.6 FM-AG16 FTC Problem Now consider the problem of designing the FTC loop to compensate THS runaway failures. We assume that an on-board fault diagnosis unit that detects and isolates this fault type is available. Thus, the problem we focus on is Problem 12.2, i.e. the goal is to design K(s) such that (12.7) and (12.8) are achieved.
12.6.1 Modelling the Aircraft Dynamics The benchmark model includes aircraft aerodynamic models and engines. In addition, actuator and sensor characteristics are taken into account, together with models for wind, atmospheric turbulence and faults. The aerodynamic forces and moments are defined in terms of aerodynamic coefficients. These coefficients are given in the form of look-up tables. They are functions of a wide set of parameters (pitch angle, angle of attack, true airspeed, altitude etc...). The dimension of the aircraft output vector is 142. However, all these output signals are not necessary to control the aircraft. Indeed, the FCS (inner control loop) uses only 16 measured signals and the autopilot which corresponds to the outer control loop needing 67 measured signals. The dynamical behaviour of the aircraft is described by the following nonlinear state representation:
348
J. Cieslak, D. Henry, and A. Zolghadri
x˙NL (t) = f (xNL (t), uNL (t)) yNL (t) = g(xNL (t), uNL (t)) + v(t)
(12.26)
where xNL , uNL , yNL are the state, input, and output vectors of the full aircraft nonlinear model. The signals v are the measurement noises which are assumed to be Gaussian distributed random signals. In this formulation, it is assumed that model parameters (mass, inertia ...etc...) are fixed at their nominal values. The nonlinear model is then trimmed according to: h = 1000m, VTAS = 133.8m/s, m = 263000kg, M = 0.3977 (12.27) p = q = r = 0, θ = α = 3.95deg, β = φ = ψ = 0 (12.28) Simplified models for the longitudinal and lateral modes can then be derived to obtain a better physical insight into the modes and their interactions. These models are widely used in aeronautical engineering and are not developed here. Since the fault considered here acts only on the longitudinal motion of the aircraft (see Remark 12.1), only the longitudinal mode is considered. This boils down to the following state space model: x(t) ˙ = Ax(t) + Bu(t) (12.29) y(t) = Cx(t) + v(t) where x denotes the longitudinal state vector which is defined by x = (q VTAS α θ h)T . The vector u = (δe•• ih )T is the control input and y = (q θ h˙ h VTAS )T is the measured output vector. Taking into account the THS fault and after some abuse of notation, the following linear state-space model is derived: x(t) ˙ = Ax(t) + Be u(t) + B f fT HS (t) (12.30) y(t) = Cx(t) + v(t) The input signals u = δe•• correspond to the elevator defections, and fT HS = ih denotes the THS fault. The state space matrices A, Be , B f and C are defined according to ⎛ ⎞ 0 −3, 45.10−6 −6, 7926.10−1 −8, 6.10−6 −8, 856.10−1 ⎜ −1, 6179.10−1 −7, 588.10−3 4, 9965 −9.8 4, 59.10−5 ⎟ ⎜ ⎟ −3 −6, 735.10−1 A=⎜ 1, 0084 −1, 0036.10 0 5, 9.10−6 ⎟ ⎜ ⎟ ⎝ ⎠ 1 0 0 0 0 2 2 0 0 −1, 338.10 1, 338.10 0 (12.31) ⎛ ⎞ −4, 965.10−3 −4, 965.10−3 −4, 794.10−3 −4, 794.10−3 ⎜ ⎟ 0 0 0 0 ⎜ ⎟ −4 −1, 86.10−4 −1, 9.10−4 −4 ⎟ (12.32) Be = ⎜ −1, 86.10 −1, 9.10 ⎜ ⎟ ⎝ ⎠ 0 0 0 0 0 0 0 0
12
Recovery against THS Failure with Guaranteed Nominal Performance
349
⎛
⎞ −4, 5944.10−2 ⎜ ⎟ 0 ⎜ ⎟ −3 ⎜ B f = ⎜ −1, 912.10 ⎟ ⎟ ⎝ ⎠ 0 0 ⎛ 10 0 0 ⎜0 0 0 1 ⎜ 2 1, 338.102 0 0 −1, 338.10 C=⎜ ⎜ ⎝0 0 0 0 01 0 0
(12.33) ⎞ 0 0⎟ ⎟ 0⎟ ⎟ 1⎠ 0
(12.34)
Note that this model is clearly an approximation of the real faulty behaviour of the aircraft. To validate the above linear model, nonlinear simulations were performed versus linear ones. For easy reference, measurement noises have been removed in the simulations. Figure 12.6 shows linear and non linear simulation results. It can be seen that the linearized model responses are close to the responses of the nonlinear model given in (12.26).
Fig. 12.6 Dynamic behaviour of the outputs predicted by the linear and nonlinear models for the considered THS fault
350
J. Cieslak, D. Henry, and A. Zolghadri
Fig. 12.7 Autoflight and FCS systems for longitudinal motions
12.6.2 Modeling the Autoflight and FCS Systems For longitudinal motion, the Autoflight and FCS systems which have been used are represented in Fig. 12.7. It can be seen from this figure that the elevator control system is composed of control loops that manage the elevator control surface δe•• . The THS position is controlled by thumb switches on the pilot and co-pilot control wheels (actions given by the test scenarios). The autoflight control system is a gain scheduled controller where the scheduling parameters are h and VTAS . The scalars K1 , K2 , K3 , K4 , K5 and K6 are constant gains and K7 (s) and K8 (s) are dynamical controllers designed to maintain stability and performance during longitudinal flight.
12.6.3 Design of K(s) Following the developments presented in Section 12.3, the problem of designing a FTC loop able to accommodate the THS fault is considered as illustrated in Fig. 12.8.
Fig. 12.8 The FTC scheme
12
Recovery against THS Failure with Guaranteed Nominal Performance
351
Fig. 12.9 The “mixed sensitivity” scheme
To this end, the ‘mixed sensitivity’ H∞ approach is used [20, 22]. The setup used for the design problem is given in Fig. 12.9. W 1 (s) and W 2 (s) are the weighting functions used to shape the transfer functions SFTC (s) and RFTC (s) given by −1 SFTC (s) = I + C(sI − A)−1 Be K(s)M C(sI − A)−1B f
(12.35)
(12.36) RFTC (s) = K(s)MSFTC (s) 0100 where the matrix M = is introduced to select h and θ from y (see Fig. 0001 12.8 for easy reference). SFTC (s) and RFTC (s) also refer to the faulty sensitivity function and the faulty sensitivity function of the controlled input respectively. Using some linear-fractional algebra manipulations, the problem illustrated in Fig. 12.9 can be re-cast in a standard H∞ form, as illustrated in Fig. 12.10. Then K(s) can be computed using any standard H∞ control design method [22]. However, as outlined in section 12.3, K(s) operates in an open loop manner in a fault free situation. Therefore, K(s) must be designed to be stable. This problem is referred to in the literature as the H∞ strong stabilization problem which can be formulated in our context as follows:
Problem 12.3. Consider the problem depicted in Fig. 12.10. The goal is to find a stabilizing controller K(s) ∈ RH∞ such that Fl (P, K) < γ γ < 1 (12.37) ∞ where P(s) is deduced from Fig. 12.10 by including W 1 (s) and W 2 (s) within Gu (s) = C(sI − A)−1Be and G f (s) = C(sI − A)−1 B f . ARE (Algebraic Riccati Equation) solutions exist in the literature that address this problem, see for instance [24]. As an alternative, the following technique which has been revealed to be computationally powerful, is proposed. It is based on the Youla parametrisation (the Youla parameter is denoted Q(s)) that facilitates the definition of the set of all controllers satisfying (12.37):
352
J. Cieslak, D. Henry, and A. Zolghadri
Proposition 12.2. Assume that a solution to the optimal H∞ problem above exists ˆ Q(s)) with Q ∈ RH∞ and ||Q||∞ < γ for a γ < 1, i.e. there exists K(s) = Fl (K(s), ˆ such that (12.37) holds. Denote by Fl (K(s), Q(s)) the set of all controllers satisfying (12.37). Then, there exists a solution to the H∞ strong stabilization Problem 12.3 if Aq Bq of some suitable order with ||Q||∞ < γ such and only if there exists Q = Cq Dq that Bˆ 2 Rˆ −1Cq Aˆ + Bˆ 2Rˆ −1 DqCˆ2 A= (12.38) Bq Sˆ−1Cˆ2 Aq + Bq Sˆ−1 Dˆ 22Cq is stable, where Rˆ = I − Dq Dˆ 22 and Sˆ = I − Dˆ 22 Dq . The matrix A denotes the system ˆ Bˆ 1 , Bˆ 2 , Cˆ1 , Cˆ2 , Dˆ 11 , Dˆ 12 , Dˆ 21 and Dˆ 22 denote the matrix associated with K(s) and A, ⎤ ⎡ Aˆ Bˆ 1 Bˆ 2 ˆ ˆ = ⎣ Cˆ1 Dˆ 11 Dˆ 12 ⎦. state space matrices associated with K(s), i.e. K(s) ˆ ˆ ˆ C2 D21 D2 2 This proposition shows that Problem 12.3 is equivalent to finding a suitable Youla parameter such that A is stable and ||Q||∞ < γ . In particular, the central controller ˆ ˆ K(s) = Fl (K(s), 0) = K(s) is a suitable solution if a stable Aˆ is found. The weighting function W 1 (s) has been chosen to impose a small damping ratio on the altitude h (m) and the pitch angle θ (rad) in the faulty situation. Moreover an integral component is introduced in W 1 (s) to ensure rejection of the THS fault. The transfer function W 2 (s) has been fixed to take into account actuator saturation −1 phenomena. More precisely, W 2 (s) is a low pass filter. This choice is required to attenuate the energy of the control signal applied to the elevator surfaces such that the control signal behaviour remains smooth (high frequency filter action). The transfer functions W 1 (s) and W 2 (s) are defined according to 50s + 1 0.5s + 1 , W 1 (s) = diag(Wθ (s),Wh (s)) = diag 18 (12.39) 5.10−2s + 1 10−7 s + 1 W 2 (s) = 0.1
Fig. 12.10 The standard H∞ design problem
0.1s + 1 I4 2.5.10−4s + 1
(12.40)
12
Recovery against THS Failure with Guaranteed Nominal Performance
353
Fig. 12.11 Post analysis of the computed solution K(s)
From this choice, it is assumed that GFTC (s) will be ‘close’ to G(s) despite the presence of the THS fault. Thus, following section 12.5, stability of the FTC law is proved and nominal performance is preserved. This will be a posteriori verified using a singular values analysis (see Fig. 12.11). The transfer function K(s) is then synthesized applying proposition 12.2. Note ˆ 0) = Kˆ is retained since Aˆ is stable. The computed that the central solution K = Fl (K, controller Kˆ is given in its state-space form in the appendix. Figure 12.11 shows the frequency responses obtained for the computed solution K(s). It can be seen that σ T fT HS →θ ( jω ) < σ Wθ−1 ( jω ) ∀ω (12.41) σ T fT HS →h ( jω ) < σ Wh−1 ( jω ) and
σ T fT HS →δe•• ( jω ) < σ W2−1 ( jω )
∀ω ∀ω
(12.42) (12.43)
indicating that the FTC controller K(s) achieves the desired performance level. Moreover, the small gap between the singular values and the associated weighting functions shows definitively that the nominal performance of the benchmark control law are preserved.
354
J. Cieslak, D. Henry, and A. Zolghadri
12.6.4 Nonlinear Simulation Results The controller K(s) has been implemented within the nonlinear simulator aircraft as illustrated in Fig. 12.8. The faulty scenario corresponds to the THS fault occurring at t = 5s. To emphasize the benefit of the proposed FTC scheme, the same simulation is carried out in fault free situation. In this situation, the system is controlled only by the standard FCS. Figure 12.12 illustrates the behaviour of the aircraft in both fault free (FCS engaged) and faulty situations (FTC strategy engaged). It can be seen that with the designed FTC scheme, the aircraft maintains a normal flight trajectory and is landed safely. Figures 12.13 illustrate more precisely the behaviour of the aircraft via the altitude h(t), the pitch rate q(t), the velocity VTAS (t), ˙ and the control signals δe•• (t). It can be the pitch angle θ (t), the altitude rate h(t) seen from the plots that the flying conditions in the faulty situation are close to the fault free ones, i.e. quick compensation of the fault with damping ratio almost null on input/output system signals. Furthermore, it can be seen that, as expected, the elevator deflections do not violate the position and rate limits (the deflection and rate limits for the elevators are [−23 deg; +17 deg] and ±37 deg/s, respectively).
Fig. 12.12 Behavior of the aircraft - Landing approach
Recovery against THS Failure with Guaranteed Nominal Performance
10 0 −10 −20 0
200
200
400
200
400
200 Time (s)
400
10 hdot [m/s]
theta [deg]
0
−5 0
400
10 5 0 −5 0
200
0
−10 0
400
135 [m/s]
1500
500
TAS
1000 fault free situation faulty situation
0 0
200 Time (s)
134
V
h [m]
355
5 q [deg/s]
Elevator surfaces [deg]
12
133 0
400
˙ - Landing approach Fig. 12.13 Behavior of h(t), q(t),VTAS (t), θ (t), h(t)
Fault−free trajectory With FTC strategy in faulty situation
1.6
1.5
1.4
Nz [g]
1.3
1.2
1.1
1
0.9
0.8 0
50
100
150
200
250
Time (s)
Fig. 12.14 Behavior of the load factor
300
350
400
450
500
356
J. Cieslak, D. Henry, and A. Zolghadri
Figure 12.14 illustrates the behaviour of the load factor nz (t). It can be seen that the magnitude of the undesirable transients on nz caused by the occurrence of faults is reduced. From a practical point of view, the aircraft exhibits smaller excursions in altitude, airspeed, etc. Remark 12.3. Following Remark 12.2, the activation of the switch may cause some undesirable transient behaviours of both the input/output signals u/y. These phenomena, known as ‘bumps’, are due to discontinuities between the two switched control laws. To overcome this problem, a solution is discussed in the appendix A. Here, such a ‘bumpless’ solution has been revealed not to be necessary.
12.7 Concluding Remarks The faulty situation investigated in this contribution corresponds to a movement to an extreme position of the Trimmable Horizontal Stabilizer (THS) occurring when the airplane is in normal flight. As the design of the FDI is not of primary interest in this work, information coming from available on-board detection mechanism was assumed to activate the fault tolerant controller. From a practical point of view, the proposed approach has some advantages over existing FTC. The proposed FTC design method uses some well-known and robust numerical tools, commonly used in the robust control community (the H∞ ‘mixed-sensitivity’ approach). Another advantage is the design of the FTC loop takes into account the existing flight control system. The FTC system works in a way that when a fault is detected, the control law is, in real time, reconfigured by adding an additional feedback loop. This is an interesting aspect of this design scheme since the overall scheme ensures specified nominal flight performance in fault-free situations. When hardware redundancy FDI mechanisms are not available, a procedure has been suggested to extract the optimal analytical FDI unit from the set of all admissible (joint) FDI/FTC units K(s).
Appendix A: Bumpless Switching Scheme The activation of the FTC strategy is done using a switching logic and thus may cause some undesired phenomena such as ‘bumps’ or actuator saturation. In fact, the difference between the states of nominal control law and the states of switching control law leads to these bumps. Figure 12.15 presents the proposed solution to manage these undesired bumps. The aim is to drive K(s) before the switch by a y matrix gain Fs , such that u˜ → 0 and τ → according to: u0 ⎧ u˜ =⎛K τ ⎞ ⎪ ⎪ ⎨ x (12.44) ⎝ y⎠ τ = F ⎪ s ⎪ ⎩ u0
12
Recovery against THS Failure with Guaranteed Nominal Performance
357
Fig. 12.15 FTC architecture with bumpless scheme
where τ denotes the input signal from K(s) before the switch, x is the state vector of K(s) and Fs is the static design gain. Different approaches can be used to design Fs . Here, we propose to use the idea initially suggested by [25]. To compute Fs , the following quadratic criterion is minimized: T 0 1 ∞ T y y J(u, ˜ τ) = We τ − u˜ Wu u˜ + τ − dt (12.45) u0 u0 2 0 where Wu and We are constant positive-definite weighting matrices of appropriate dimensions. Wu and We allow trade-offs with respect to the desired objectives; that is, if it is desirable to minimize the magnitude of u, ˜ then we should choose a high value for Wu . At switching time ts (the time at which the fault is detected), we have u(t ˜ s ) → 0, then u(ts ) → u0 (ts ). Hence, there are no bump effects. Similarly, if we y want to reduce the energy of τ − , then the value of We must be set to be high. u0 y(ts ) and so there is no discontinuity between τ and Then, at ts we have τ (ts ) → u 0 (ts ) y at the switching time. This means that from a practical point of view, a tradeu0 y must be investigated. off between minimizing the magnitude u˜ of and τ − u0 Once Wu and We have been chosen, the solution is given by: T T T B Π + D WuC Fs = N ⎝ T T −We + B M C Wu DNWe + Π BNWe
⎞T
⎛
where M and N are defined according to:
T
⎠
(12.46)
358
J. Cieslak, D. Henry, and A. Zolghadri
M = (A + Π B)−1 T N = − D Wu D + We
(12.47) −1
(12.48)
The matrix Π is the positive definite stationary solution of the following ARE:
Π A + AΠ + Π BΠ + C = 0
(12.49)
Finally, the matrices A, B and C are given by: T
T
A = A + BND WuC T
B = BNB T
T
C = C Wu (I + DN D Wu )C
(12.50) (12.51)
where A, B,C D denotes the state-space matrices of K(s). Remark 12.4. Using this strategy, we assume that Fs has access to the controller states x. This is a modest assumption because most modern controllers are realized in software form, so the states are computer variables. Remark 12.5. The proposed scheme is an unidirectional solution that reduces the undesirable bump effects during the switch from the nominal situation to the failure situation. If ts2 is the time at which the switch from the failure situation to the nominal situation is done, just before the switch at time ts−2 , the controller K(s) satisfies the following equation: ⎧ ⎛ ⎞ x ⎪ ⎪ ⎪ ⎪ u˜ = K ⎝ y ⎠ ⎪ ⎪ ⎨ ⎛ u0 ⎞ (12.52) x ⎪ ⎪ ⎪ ⎪ τ = Fs ⎝ y ⎠ ⎪ ⎪ ⎩ u0 Then the control signal applied to the system at ts−2 is given by ˜ s−2 ) u(ts−2 ) = u0 (ts−2 ) + u(t
(12.53)
After the switch, at time ts+2 , the controller K(s) is derived from equation (12.44). Then, we have u(ts+2 ) = u0 (ts+2 ). Hence, to avoid undesirable ‘bumps’, the sufficient and necessary condition is that u(t ˜ s−2 ) → 0 . Unfortunately, because at time − ts2 the FTC strategy is activated, it is not possible to modify the controller K(s). The discontinuity due to the switch from the failure situation to the nominal situation is thus related to the dynamics of the FTC loop that would be activated at the switching time.
12
Recovery against THS Failure with Guaranteed Nominal Performance
359
ˆ Appendix B: Computed Controller K(s) = CˆK (sI − Aˆ K )−1 Bˆ K + Dˆ K ⎛
−1, 7162 3, 3565 ⎜ 2, 9558.101 −3, 7388.101 ⎜ ⎜ −7, 788.10−1 9, 774.10−1 ⎜ ⎜ 1, 1398 −3, 4239 ⎜ ⎜ −2, 339.101 2, 329.101 ⎜ ⎜ Aˆ K = ⎜ −8, 95.10−2 2, 43.10−2 ⎜ ⎜ −2, 86.10−2 2, 3.10−3 ⎜ ⎜ −2, 82.10−1 1, 62.10−2 ⎜ ⎜ −1, 656.101 1, 5729 ⎜ ⎝ 8, 11.10−2 4, 52.101 −1, 57.101 −4, 8599
−1, 185.10−1 1, 2848 −3, 37.10−2 1, 174.10−1 −3, 271.10−1 −3, 954.10−4 −7, 8845.10−6 −5, 1039.10−4 −8, 04.10−2 −1, 3291 1, 212.10−1
6, 811.10−1 −7, 8587 2, 058.10−1 −7, 375.10−1 −1, 6779 −1, 62.10−2 −2, 2.10−3 −1, 75.10−2 6, 244.10−1 7, 6391 −7, 662.10−1
−7, 7.10−1 −1, 7738 7, 5.10−2 −6, 838.10−1 3, 7997.101 1, 052.10−1 ... 9, 5.10−3 6, 45.10−2 −5, 1504 −9, 4739 −4, 814.10−1
⎞ −1, 8435.10−4 −6, 782.10−4 9, 5556 −9, 9179 1, 32.102 −3, 1287.10−4 −1, 4.10−3 1, 787.101 −2, 631.101 −3, 0634.102⎟ ⎟ 6, 363.10−6 3, 0341.10−5 −4, 226.10−1 8, 68.10−1 6, 4394 ⎟ ⎟ 1, 635.10−5 8, 234.10−5 3, 179.10−1 −5, 07 −4, 9275 ⎟ ⎟ −2, 8.10−3 −1, 89.10−2 5, 296.101 2, 8089.102 −3, 6264.103⎟ ⎟ ⎟ −1, 0293.10−7 1, 9424.10−5 −3, 49.10−2 5, 067.10−1 1, 2117.101 ⎟ ⎟ 1 −6 −2 −2 −1 −1, 0021.10 3, 0821.10 −3, 14.10 6, 66.10 8, 467.10 ⎟ ⎟ 1, 1915.10−6 −1, 0036.101 −2, 009.10−1 4, 902.10−1 5, 9173 ⎟ ⎟ −4 −3 1 1 2 7, 026.10 3, 5.10 −3, 4859.10 −1, 667.10 2, 48.10 ⎟ ⎟ −4 −3 1 2 5, 0864.10 3, 3.10 −8, 123 −5, 3855.10 6, 9177.10 ⎠ 1, 4594.10−4 4, 85.10−5 −9, 948 3, 1692 −2, 491.101 ⎞ ⎛ 1, 833.101 3, 9147 1 ⎜ −6, 4812 −3, 692.10 ⎟ ⎟ ⎜ ⎟ ⎜ 5, 96.10−2 1, 056 ⎟ ⎜ ⎟ ⎜ 9, 0322 −3, 1293 ⎟ ⎜ 1 ⎟ ⎜ 2, 3477 1, 0917.10 ⎟ ⎜ −3 −3 ⎟ −2, 1.10 −9, 3.10 Bˆ K = ⎜ ⎟ ⎜ ⎜ −1, 844.10−4 −3, 599.10−4 ⎟ ⎟ ⎜ ⎜ 1, 211.10−4 −5, 418.10−4 ⎟ ⎟ ⎜ ⎜ 1, 0733.101 3, 5049 ⎟ ⎟ ⎜ ⎝ 3, 3436 4, 823.101 ⎠ 3, 409.101 −4, 0377 ⎛ −1 −1 3.10−3 2, 47.10−2 −5, 0408 1, 814.10 −2, 251.10 ⎜ 1, 809.10−1 −2, 251.10−1 3.10−3 2, 47.10−2 −5, 0413 CˆK = ⎜ ⎝ 1, 743.10−1 −2, 165.10−1 2, 9.10−3 2, 39.10−2 −4, 8544 ... 1, 765.10−1 −2, 165.10−1 2, 9.10−3 2, 4.10−2 −4, 8534 ⎞ 5, 061 −6, 5826 2, 2217 3, 291.10−1 5, 739.10−1 4, 7531 −1 −1 2, 9577 7, 3394 3, 3558 3, 295.10 5, 738.10 4, 7518 ⎟ ⎟ ... −8, 0836 −1, 4562 2, 8813 3, 162.10−1 5, 493.10−1 4, 5393 ⎠ −2, 446.10−1 6, 696.10−1 −8, 6756 3, 15.10−1 5, 501.10−1 4, 5458
4, 78.10−4 3, 9454.10−4 −3, 0156.10−5 5, 389.10−4 −3, 96.10−2 ... −1, 0014.101 −4, 6584.10−6 −3, 4045.10−5 4, 5.10−3 7, 6.10−3 5, 9167.10−4
Dˆ K = 0
360
J. Cieslak, D. Henry, and A. Zolghadri
References 1. Zhang, Y., Jiang, J.: Bibliographical review on reconfigurable fault-tolerant control system. In: Proceedings of SAFEPROCESS 2003, Washington DC, USA, pp. 265–276. IFAC (2003) 2. Zhang, Y., Jiang, J.: Issues on integration of fault diagnosis and reconfigurable control in active fault-tolerant control systems. In: Proceedings of SAFEPROCESS 2006, Beijing, China. IFAC (2006) 3. Steinberg, M.: Historical overview of research in reconfigurable flight control. Proceedings of the Institution of Mechanical Engineers, Part G - Journal of Aerospace Engineering 219(4), 263–275 (2005) 4. Staroswiecki, M.: From control to supervision. Annual Reviews in Control 25, 1–11 (2001) 5. Moerder, D., Halyo, N., Broussard, J., Caglayan, A.: Application of precomputed control laws in a reconfigurable aircraft flight control system. Journal of Guidance, Control and Dynamics 12(3), 325–333 (1989) 6. Huzmezan, M., Maciejowski, J.: Reconfigurable flight control of a high incidence research model using predictive control. In: International Conference on Control, Piscataway, NJ, pp. 1169–1174. Inst. of Electrical and Electronics Engineers (1998) 7. Chen, J., Patton, R.: Fault tolerant control using LMI design. In: Proceedings of European Control Conference, Porto, Portugal. IEEE, Los Alamitos (2001) 8. Maki, M., Jiang, J., Hagino, K.: A stability guaranteed active fault-tolerant control system against actuator failures. In: International Conference on Control, Piscataway, NJ, pp. 1893–1898. Inst. of Electrical and Electronics Engineers (1998) 9. Cieslak, J., Henry, D., Zolghadri, A.: A methodoly for the design of active fault tolerant systems. In: Proceedings of SAFEPROCESS 2006, Beijing, China. IFAC (2006) 10. Cieslak, J., Henry, D., Zolghadri, A.: Development of an active fault tolerant flight control strategy. AIAA Journal of Guidance, Control, and Dynamics 31(1), 135–147 (2007) 11. Staroswiecki, M., Yang, H., Jiang, B.: Progressive accomodation of aircraft actuator faults. In: Proceedings of SAFEPROCESS 2006, Beijing, China, CD–ROM. IFAC (2006) 12. Campos-Delgado, D., Palaciosa, E., Espinoza-Trejo, D.R.: Fault accomodation strategy for LTI systems based on the gimc structure: Additive faults. In: Proceedings of Conference on Decision and Control and the European Control Conference, Seville, Spain, CD–ROM. IEEE, Los Alamitos (2005) 13. Niemann, H., Stoustrup, J.: Fault tolerant feedback control. In: Proceedings of European Control Conference, Porto, Portugal. IEEE, Los Alamitos (2001) 14. Niemann, H., Stoustrup, J.: Reliable control using the primary and dual youla parametrizations. In: Proceedings of Conference on Decision and Control, Las Vegas, USA. IEEE, Los Alamitos (2002) 15. Niemann, H., Stoustrup, J.: An architecture for sampled-data fault tolerant controllers. Int. Journal of Nonlinear Control (2004) 16. Ganguli, S., Marcos, A., Balas, G.: Reconfigurable LPV control design for boeing 747100/200 longitudinal axis. In: Proceedings of American Control Conference, Anchorage, USA, pp. 3612–3617 (2002) 17. Gaspar, P., Szaszi, I., Bokor, J.: Reconfigurable control structure to prevent the rollover of heavy vehicles. Control Engineering Practice 13(6), 699–711 (2005) 18. Gaspar, P., Bokor, J.: A fault-tolerant rollover prevention system based on a LPV method. International Journal of Vehicle Design 42(3-4), 392–412 (2006)
12
Recovery against THS Failure with Guaranteed Nominal Performance
361
19. Zhou, K., Ren, Z.: A new controller architecture for high performance, robust and faulttolerant control. IEEE Transactions on Automatic Control 46(10), 1613–1618 (2001) 20. Doyle, J., Glover, K., Khargonekar, P.P., Francis, B.A.: State-space solutions to standard H2 and H∞ control problems. IEEE Transactions on Automatic Control 34(8), 831–847 (1989) 21. Gahinet, P., Apkarian, P.: A linear matrix inequality approach to H∞ control. Int. Journal Robust Nonlinear Control 4, 421–428 (1994) 22. Zhou, K., Doyle, J., Glover, K.: Robust and optimal control. Prentice Hall, Englewood Cliffs (1996) 23. Packard, A., Fan, M., Doyle, J.: A power method for the structured singular value. In: Proceedings of Conference on Control Decision, pp. 2132–2137. IEEE, Los Alamitos (1988) 24. Campos-Delgado, D.U., Zhou, K.: A parametric optimization approach to H∞ and H2 strong stabilization. Automatica 39(7), 1205–1211 (2003) 25. Turner, M., Walker, D.: Linear quadratic bumpless transfer. Automatica 36(8), 1089– 1101 (2000)
Chapter 13
Flight Control Reconfiguration Based on Online Physical Model Identification and Nonlinear Dynamic Inversion Thomas Lombaerts, Ping Chu, and Jan Albert (Bob) Mulder
13.1 Introduction There are many control approaches possible in order to achieve fault tolerant flight control. An important aspect of these algorithms is that they should not only be robust, but even adaptive in some way, in order to adapt to the faulty situation, see Ref. [1] and [5] in the literature. In the category of adaptive control algorithms, a distinction is made between indirect adaptive control and direct adaptive control. Indirect adaptive control involves two stages. First, an estimate of the plant model is generated online. Once the model is available, it is used to generate controller parameters. Instead of estimating a plant model, a direct adaptive control algorithm estimates the controller parameters directly in the controller. This can be done via two main approaches: output error and input error. Of both main categories mentioned here, indirect adaptive control is preferable due to its flexibility and its property of being model based. In both categories, there are also two subversions, namely model reference adaptive control (MRAC) and self-tuning control (STC). In the former, one relies on a reference model and works on minimizing the tracking error between plant output and reference output (such as the concept of sliding mode control). With model reference indirect adaptive control it is feasible to achieve three important goals, namely trim value adjustment for the inputs, Thomas Lombaerts Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Ping Chu Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Jan Albert (Bob) Mulder Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 363–397. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
364
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
decoupling of inputs and outputs and closed loop tracking of pilot commands, see Ref. [1]. Self-tuning control focuses on adapting the (PID) control gains of the controller by making use of the estimated parameter values and is known to be more flexible, see Ref. [21]. Currently, much research is performed in the field of indirect adaptive control, where the adaptation is more extensive than only tuning the PID control gains. One of these new indirect control possibilities is adaptive model predictive control (AMPC), which is an interesting algorithm thanks to its nature to deal with (input) inequality constraints. These constraints are a good representation for actuator faults. It should be noted that there have been already some successful applications of MPC in the field of fault tolerant flight control, see Ref. [10] and [14]. An alternative indirect adaptive nonlinear control approach is discussed in this chapter, which allows to develop a reconfigurable control routine placing emphasis on the use of physical models, and thus producing internal parameters which are physically interpretable at any time. This chapter discusses the combination of the two step method as an identification procedure, and nonlinear dynamic inversion as a control method in order to obtain a model based fault tolerant flight controller for the benchmark simulation model used in this research project. This approach can deal with component failures as well as structural failures. An overview of fault scenarios for which this method is valid can be found in Table 13.1, building on a similar table with failure scenarios from [9] and [7]. It should be noted that this method is not explicitly valid for the structural loss of engine(s) and severe structural damage. However, experiments have shown that the method is implicitly valid for these scenarios. Current research is investigating the possible extension of the explicit validity of this method for these failure scenarios. The structure of this chapter is as follows. First the consecutive steps of this two step method are discussed: Aircraft State Estimation (ASE) and Aerodynamic Model Identification (AMI) in sections 13.2.1 and 13.2.2. Section 13.3 discusses briefly the real time computer based aerodynamic model identification tool which has been developed. Thereafter, as an illustration, some preliminary identification results are shown for damaged aircraft models, see Section 13.4. The NDI based reconfiguring control method is discussed in Section 13.6 , after the selected trigger for reconfiguration which is briefly introduced in Section 13.5. Finally, the most important conclusions and some topics for future work will be introduced in Sections 13.8 and 13.9.
13.2 On Line Nonlinear Damaged Aircraft Model Identification: Two Step Method The identification method considered in this study is the so-called two step method, which has been continuously under development at Delft University of Technology over the last 20 years, see Ref. [15] and [3]. The last major milestones in this development process can be found in Ref. [11] and [16]. There are many other identification algorithms mentioned in the literature like maximum likelihood
13
Online Physical Model Identification and NDI
365
effect minor with sensor redundancy and sensor loss detection (usually the case) ✓ sensor inertial sensor miscalibrated miscalibration (accelerometer or gyro) ✓ partial hydraulics maximum rate/deflection loss decrease on several control surfaces ✓ full hydraulics one or more control loss surfaces become stuck at last position or start floating ✓ control loss on one or more control one or more surfaces become stuck actuators at last position ✓ ✓ structural loss of effectiveness of control (part of) control surfaces is reduced surface minor change in aerodynamics ✓ engine(s) out thrust becomes asymmetric, ✓
failure sensor loss
increased drag due to nonzero sideslip β ✓ ✓ structural loss of large change in possible engine(s) operating region; significant change in aerodynamics, mass and moments of inertia ✓ ✓ severe structural large change in possible damage operating region; significant change in aerodynamics, mass and moments of inertia
method validity
sensor actuator structural
Table 13.1 Overview of fault scenarios and effects in vehicle and aerodynamic model, ✓ indicates explicit validity of the method, (✓) points out implicit validity.
affected parameters parameters related to sensor output
(✓)
λaccX/Y /Z or λrg p/q/r
✓
C(Y /l/n)δ , C(X /Z/m)δ , C(Y /l/n)δ a
e
✓ r
C(Y /l/n)δ , C(X /Z/m)δ , C(Y /l/n)δ ✓ a e r and/or C(X /Y /Z/l/m/n)0 C(Y /l/n)δ , C(X /Z/m)δ , C(Y /l/n)δ ✓ a e r and/or C(X /Y /Z/l/m/n)0 C(Y /l/n)δ , C(X /Z/m)δ , C(Y /l/n)δ ✓ a e r and/or C(X /Z/m)0/α /q and/or C(Y /l/n)0/β /p/r C(X /Y /Z/l/m/n)T
✓
(l/r)
and/or C(X /Z/m)0/α /q and/or C(Y /l/n)0/β /p/r all aerodynamic parameters, aerodynamic model structure, maircra f t , (x/y/z)cg and I
(✓)
all aerodynamic parameters, aerodynamic model structure, maircra f t , (x/y/z)cg and I
(✓)
identification (MLI) and other one step identification routines, but not all of them are applicable on line. One of the few procedures which can be implemented in real time is the so-called filtering method developed at DLR, see Ref. [8]. This is a joint state and parameter estimation algorithm, but very complex. The advantage of the two step method is that it is easier to implement on-line. Key concept of the two step method, is that the identification procedure has been split into two consecutive
366
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
steps, as substantiated in Ref. [4]. One of the major advantages of the two step method, is the decomposition of a global non-linear one step identification method in two separate steps, where the nonlinear part is isolated in the aircraft state estimation step. Consequently, the aerodynamic model parameter identification procedure in the second step can be simplified to a linear procedure. The aim is to update an a priori aerodynamic model (obtained by means of windtunnel tests and CFD calculations) by means of on-line flight data. The first step is called the Aircraft State Estimation phase, where the second one is the Aerodynamic Model Identification step. In the Aircraft State Estimation procedure, an Iterated Extended Kalman Filter is used to determine the aircraft states, the measurement equipment properties (sensor biases) and the wind components, by making use of the nonlinear kinematic and observation models, based upon redundant but contaminated information from all sensors (air data, inertial, magnetic and GPS measurements). By means of this state information, the input signals of the pilot and the earlier measurements, it is possible to construct the combined aerodynamic and thrust forces and moments acting on the aircraft, and by means of a recursive least squares operation, finally the aerodynamic derivatives can be deduced. Validation tests by means of batch process identification, least squares innovation analysis and reconstruction of velocity and angular rate components using these aerodynamic derivatives have shown that this method is very accurate.
13.2.1 Aircraft State Estimation Estimating the aircraft states can be based upon redundant but contaminated information from all sensors. Standard available sensor information on civil airliners is classified in three categories. First there are the air data sensors, providing true airspeed VTAS , angle of attack α , angle of sideslip β . A second class is the data from the inertial navigation system (INS, consisting of inertial and magnetic equipment) giving measurement values for the specific forces Ax , Ay , Az , the rotational rates p, q, r and aircraft attitude angles φ , θ , ψ . The third and last category is a combination of INS and GPS measurements leading to data for three dimensional position x, y, z and inertial velocity components un , vn , wn . At first sight there is some redundancy in the velocity information, since it appears true airspeed VTAS , angle of attack α , angle of sideslip β allows the calculation the velocity components. Table 13.2 Instrumentation error information for measuring equipment sensor translational accelerometer rate gyro integrating gyro INS/GPS INS/GPS pitot tube airflow angle vane
variables bias error noise error Ax , Ay , Az ✓ ✓ p, q, r ✓ ✓ φ, θ, ψ ✓ x, y, z ✓ ✓ un , vn , wn ✓ VTAS α, β ✓
13
Online Physical Model Identification and NDI
367
However, it should be realized that these components are airspeed related, where the inertial velocity components concern the ground speed. Comparing both sets leads to the derivation of the wind components. Table 13.2 gives information about the instrumentation errors which occur for each kind of measuring equipment mentioned above. By making use of the kinematic and observation model of the aircraft, it is possible to estimate part of the instrumentation errors, which will be discussed in more detail below. 13.2.1.1
Nonlinear Aircraft Kinematics Model
The state space model of the nonlinear system equations describing the kinematics of the aircraft is given as x˙ (t) = f(x(t), um (t), θ ,t) + G(x(t))w(t), zm (t) = h(x(t), um (t), θ ,t) + v(t),
t = ti ,
x(t0 ) = x0
(13.1)
i = 1, 2, . . .
(13.2)
where equation (13.1) is known as the kinematic state equation with input noise vector w and expression (13.2) is called the observation equation with output noise vector v. The nonlinear vector functions f and h may depend both implicitly (via x and um ) and explicitly on t and it will be assumed that both f and h are continuous and continuously differentiable with respect to all elements of x and um . The system equation variables are defined as follows: x = [x y z ub vb wb φ θ ψ ]T
(13.3)
um = u + λ + w = [Ax Ay Az p q r] + [λx λy λz λ p λq λr ] + w
(13.4)
θ = [λ wwind ] = [λx λy λz λ p λq λr uwind vwind wwind ] zm = [xGPS yGPS zGPS uGPS vGPS wGPS φINS θINS ψINS
(13.5)
T
T
VTAS αADS βADS ]T
T
T
(13.6)
where the aircraft state vector x in (13.3) contains inertial position, body air velocity components and aircraft attitude angles. The measured input vector um in (13.4) consists of specific forces and angular rates, perturbed with sensor biases and input noise, where the sensor biases and wind ground speed components are collected in vector θ in (13.5), which contributes to the augmented state vector xaug = [x, θ ]. Finally, there is the measured output vector zm in (13.5), consisting of GPS-aided INS measurement data of position and velocity components (navigational frame of reference) and INS supplied attitude angles as well as air data system (ADS) measurements for true airspeed, angle of attack and angle of sideslip. Also the measured output vector is contaminated with output noise. Additionally, the input noise vector w(t) is a continuous time white noise process and the output noise vector v(ti ) is a discrete time white noise sequence. Both are mutually uncorrelated as well as between the different input and output channels individually. Moreover, based upon the known on-board measurement equipment
368
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
characteristics, standard deviations are specified by the equipment manufacturers. Therefore, the error model can be described as follows: v(ti ) = [ vx vy vz vu vv vw vφ vθ vψ vV vα vβ ]T w(t) ' T E w(t)w (τ ) ' & E v(ti )vT (t j ) & ' E w(t)vT (ti ) &
(13.7)
= [wx wy wz w p wq wr ]
(13.8)
= Qδ (t − τ )
(13.9)
T
= Rδi j = 0,
(13.10) f or t = ti ,
i = 1, 2, . . .
(13.11)
where Q = diag(σw2x , σw2y , σw2z , σw2 p , σw2q , σw2r ) R=
diag(σv2x , σv2y , σv2z , σv2u , σv2v , σv2w , σv2φ , σv2θ , σv2ψ , σv2V , σv2α , σv2β )
(13.12) (13.13)
As mentioned in the introduction and apparent from the structure above, a Kalman Filter can be used in order to estimate the aircraft states, inertial sensor biases and wind velocity components.
13.2.2 Aerodynamic Model Identification The procedure for the second step is rather purpose dependent. For a pure in-flight identification task aiming at the construction of a precise mathematical aircraft model, the procedure must be as accurate as possible. However, in the case of an identification task for the purpose of fault tolerant flight control, the model structure has to be representative, where a trade off is made between accuracy versus computational speed, and thus model complexity. Since in this step the least squares procedure is used, the model structure must be determined first, after which this regression method can be applied in order to estimate the so-called aerodynamic model parameters. Another important issue is the determination of the aerodynamic model accuracy. Especially in the case of reconfiguring control, the supply of a reliable value for an uncertainty bound is essential in order to include some measure of robustness in the controller synthesis phase. 13.2.2.1
Aerodynamic Aircraft Model
The measurements and the Kalman filter states, more precisely the aircraft states and the IMU properties are the available data for the second step in the identification procedure. With this available information, it is possible to calculate the inertial measurements without bias, but the noise contribution cannot be compensated for. One key issue in this step is the determination of the forces and moments acting on the aircraft. Since these cannot be measured directly, it is possible to construct them with the help of the measurements of specific aerodynamic forces acting on the aircraft and angular rates and accelerations of the aircraft, which have already been
13
Online Physical Model Identification and NDI
369
corrected by means of the instrumentation errors (biases), which were obtained in the aircraft state estimation step. In this way the dimensionless forces and moments can be calculated: • dimensionless forces:
CX = CY = CZ =
X 1/2ρ V 2 S Y 1/2ρ V 2 S Z 1/2ρ V 2 S
= = =
mAx 1/2ρ V 2 S mAy 1/2ρ V 2 S mAz 1/2ρ V 2 S
(13.14)
• dimensionless moments: pI ˙ xx + qr (Izz − Iyy ) − (pq + r˙) Ixz 1/2ρ V 2 Sb qI ˙ yy + rp (Ixx − Izz) + p2 − r2 Ixz M = Cm = 1 1/2ρ V 2 Sc¯ /2ρ V 2 Sc¯ r˙Izz + pq (Iyy − Ixx ) + (qr − p) ˙ Ixz N Cn = 1 = 1/2ρ V 2 Sb /2ρ V 2 Sb Cl =
L
1/2ρ V 2 Sb
=
(13.15)
At this moment mass and inertia are considered as known constants. In the absence of a structural failure, real time mass and inertia can be calculated by integrating fuel flow and subtracting it from the total take off values. Future research is aimed at taking into account changing masses and inertia in the presence of structural failures. Air density can be deduced from altitude measurements. The rotational accelerations are obtained by differentiating the noisy rotational rates, which have been corrected for their biases. It should be noted that current generation ring laser gyroscope noise levels are low enough (σ pqr = 0.001◦/s) to permit differentiating these signals. 13.2.2.2
Least Squares Procedure
As already mentioned, the aerodynamic model structure must be defined before the model parameters are estimated by means of the least squares. This model structure has been set up by a first order Taylor series expansion with respect to the aircraft states which are relevant for each force and moment component separately. The resulting structures which have been chosen for the longitudinal and the lateral situation respectively are given below: CX = CX0 + CXα α + CXα 2 α 2 + CXq +CXδe δeol + CXih ih + CXδsp ol
1
qc¯ + CXδe δeir + CXδe δeil + CXδe δeor or ir il V δsp1 + ... + CXδsp δsp12 + CXδ δ fo + CXδ δ fi 12
+CXEPR1 EPR1 + ... + CXEPR4 EPR4 + CXβ β + CXp
fo
pb rb + CXr 2V 2V
fi
(13.16)
370
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
qc¯ + CZδe δeir + CZδe δeil + CZδe δeor + CZδe δeol + or ir il ol V δsp1 + ... + CZδsp δsp12 + CZδ δ fo + CZδ δ fi
CZ = CZ0 + CZα α + CZq +CZih ih + CZδsp
1
fo
12
fi
+CZEPR1 EPR1 + ... + CZEPR4 EPR4 + CZβ β + CZ p
pb rb + CZr 2V 2V
(13.17)
qc¯ + Cmδe δeir + Cmδe δeil + Cmδe δeor + Cmδe δeol + or ir il ol V δsp1 + ... + Cmδsp δsp12 + Cmδ δ fo + Cmδ δ fi
Cm = Cm0 + Cmα α + Cmq +Cmih ih + Cmδsp
1
fo
12
+CmEPR1 EPR1 + ... + CmEPR4 EPR4 + Cmβ β + Cm p
fi
pb rb + Cmr 2V 2V
(13.18)
pb rb + CYr + CYδa δair + CYδa δail + CYδa δaor or ir il 2V 2V δaol + CYδr δru + CYδr δrl + CYδsp δsp1 + ... + CYδsp δsp12
CY = CY0 + CYβ β + CYp +CYδa
ol
u
l
1
12
qc¯ + CYEPR1 EPR1 + ... + CYEPR4 EPR4 (13.19) V pb rb + Clr + Clδa δair + Clδa δail + Clδa δaor + Clδa δaol + Cl = Cl0 + Clβ β + Cl p or ir il ol 2V 2V qc¯ + +Clδr δru + Clδr δrl + Clδsp δsp1 + ... + Clδsp δsp12 + Clα α + Clq u 1 12 l V + CYα α + CYq
+ ClEPR1 EPR1 + ... + ClEPR4 EPR4
(13.20)
pb rb + Cnr + Cnδa δair + Cnδa δail + Cnδa δaor or ir il 2V 2V δaol + Cnδr δru + Cnδr δrl + Cnδsp δsp1 + ... + Cnδsp δsp12
Cn = Cn0 + Cnβ β + Cn p +Cnδa
ol
u
l
1
qc¯ + Cnα α + Cnq + CnEPR1 EPR1 + ... + CnEPR4 EPR4 V
12
(13.21)
From the above expressions, it is clear that the aerodynamic model parameters, also known as the aerodynamic derivatives, apply on states as well as control inputs, namely control surface deflections and engine settings. It should be noted that the contributions indicated in boxes are the aerodynamic consequences of possible cross-couplings: they represent the contributions of longitudinal states on lateral forces and moments and vice versa. They appear due to asymmetries after failures. Moreover, also the aerodynamic derivatives related to the inputs have cross coupling effects, but these are assumed to be limited by the hardware constraints of the actuator hardware of each control surface type independently, present in the hardware logic block of the RECOVER simulation model: for example differential deflection of flaps is not possible. For the benchmark model as given, the only valid cross coupling control inputs feasible in reality are the engine settings. Conventionally,
13
Online Physical Model Identification and NDI
371
Fig. 13.1 Overview of the two step method: measurements serve for ASE step, which estimates the aircraft states. These states, combined with the measurements, allow the calculation of the forces and moments. The latter are used, together with the estimated states and control surface deflections, for the AMI step, which produces the estimated aerodynamic and control derivatives.
all are identical and give only longitudinal steering capability, but they can provide also some lateral degree of controllability if differential thrust is applied. However, in a general perspective, this kind of cross couplings is completely dependent on the aircraft model concerned. The validation tests have shown that the identification results obtained with this procedure are representative, accurate and reliable. These validation tests can be found in Ref. [13]. Now that it has been confirmed that the procedure works satisfactorily for nominal non-damaged aircraft, the next challenge is to analyse the performance of this identification procedure for damaged aircraft. This will be the subject of section 13.4. Finally, figure 13.1 gives a high-level logical structure overview of the two step method algorithm, pointing out the inputs and outputs of each macro-step.
13.3 Real Time Aerodynamic Model Identification This above mentioned recursive two step method has been implemented in SimulinkTMand combined with the conventional sensor output of a Cessna Citation simulator next to the Boeing 747 simulator of this project. A connected joystick provides the input. This allows real-time computer based identification calculations while performing flight manoeuvres by hand in a SimulinkTMaircraft simulator. The
372
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
Fig. 13.2 Overview of the operator information screen for real time identification. The left and middle columns in the screen give the aerodynamic derivative values, the right column gives (from top to bottom) aircraft attitude, trajectory and covariances for symmetrical (left) and asymmetrical (right) estimates.
progress of the identification process is continuously visualized on the computer display. The development of the aerodynamic derivatives is shown in a real-time developing box plot like representation, while also the time varying covariance of the aerodynamic derivatives is shown. The latter information provides some indication to the user if it is needed to adapt his manual input signal in order to reduce the uncertainty of the identification results.
13.4 Application on the Boeing 747 Simulator Two examples will be shown here for the two step method. One component failure, i.e. trim horizontal stabilizer runaway, and a parametric failure, i.e. loss of the vertical tail. Both give a good illustration of the two step method’s capabilities. In order to analyse the differences between the nominal and damaged models, the same control inputs must be applied. Moreover, the best identification results can only be obtained if the control inputs excite all steering channels of the aircraft. Therefore, three different control inputs are consecutively applied: first a 3-2-1-1 input on the pitch channel and thereafter doublets on roll and yaw respectively. De- Fig. 13.3 Trajectory of the spite excitation of roll and yaw occur simultaneously in aircraft for the stabilizer regular flights in order to perform coordinated turns, it runaway scenario
13
Online Physical Model Identification and NDI
373
has been chosen deliberately in this set-up to implement both control inputs consecutively. The reason for this is the fact that a simultaneous implementation may lead to undesirable correlations in the identification results. For each scenario, the identification result of the damaged simulation model is compared with the nominal non-damaged one, which is supplied in red in each graphic as a benchmark. It should be noted that the damaged identification result for the horizontal stabilizer runaway does not last longer than 20 seconds of the total time span. The reason for this is the fact that the aircraft crashes after these 20 seconds, as illustrated by its trajectory in Fig. 13.3.
13.4.1 Trim Horizontal Stabilizer (THS) Runaway The identification results for the stabilizer related aerodynamic derivatives are shown in Fig. 4(a), where the deflections of the horizontal stabilizer are shown in Fig. 4(b). For the nominal situation, the stabilizer remains fixed in its trim setting. In the runaway situation, the gradually deviating behaviour during the first 10 seconds is apparent. Note that these plots start from the 5th second onward, since the earlier identification results are not reliable because the first step of state estimation is not yet converged in this phase. Taking this into account, it is clear that the initial trim setting of the stabilizer is identical in both scenarios. Taking a closer look at the identification results, it is clear that the unconventional change in force and moment contribution from the jammed THS can be identified by means of the two step method.
13.4.2 Loss of the Vertical Tail The identification results for the rudder related aerodynamic derivatives are shown in Fig. 5(a), where the deflections of the rudder are shown in Fig. 5(b). Since there is 0.5
aerodynamic derivatives, symmetric contributions horizontal stabilizer
nominal stabilizer runaway
0.2
CXih
0.1 0
0
−0.1 −0.2
0
10
20
30
40
50
60 −0.5
1
CZih
ih
0.5 0
−1
−0.5 −1
0
10
20
30
40
50
60
0.2
Cmih
−1.5
nominal stabilizer runaway
0.1 0 −0.1 −0.2
−2 0
10
20
30
40
50
60
(a) identification of stabilizer related aerodynamic derivatives
5
10
15
20
25
30 35 time[s]
40
45
50
55
60
(b) horizontal stabilizer runaway
Fig. 13.4 Identification of stabilizer related aerodynamic derivatives for damaged Boeing 747 simulation model, horizontal stabilizer runaway scenario
374
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder 6 nominal loss of vertical tail
aerodynamic derivatives, asymmetric contributions rudder
CYdr
0.01
5
0
4 −0.01
3 −0.02
0
10
20
30
40
50
60
2
−3
x 10
dr
10
Cldr
5
−5
1
0
0
0
10
20
30
40
50
60
−1
−3
5
x 10
−2 nominal loss of vertical tail
Cndr
0
−3
−5 −10 −15
−4 0
10
20
30
40
50
60
(a) identification of rudder related aerodynamic derivatives
0
10
20
30 time[s]
40
50
60
(b) rudder deflections for vertical tail loss scenario
0.16 nominal loss of vertical tail 0.14
0.12
0.1
Cnb
0.08
0.06
0.04
0.02
0
−0.02
0
10
20
30
40
50
60
(c) directional stability for vertical tail loss scenario Fig. 13.5 Identification of rudder related aerodynamic derivatives for damaged Boeing 747 simulation model, vertical tail loss scenario
no rudder anymore in the situation of a vertical tail loss, the loss of yawing control should be visible in the identification result. For the nominal situation, the rudder makes a doublet movement. Note that this doublet is not perfect, since the compensating influence of the yaw damper appears in this channel. In the vertical tail loss scenario, no deflection is visible anymore since the rudder is lost. Note that each control surface has redundant deflection sensors, and the absence of any measurement signal leads effectively to the ‘no deflection conclusion’, as shown in this figure. Taking a closer look at the identification results, it is clear that no convergence is possible in the tail loss scenario, where the nominal scenario clearly leads to a better convergence behaviour. Another obvious consequence of the tail loss scenario is the huge reduction in lateral static stability. This can be seen in the behaviour of the aerodynamic derivative Cnβ , as shown in Fig. 5(c). A positive value for Cnβ , also known as Weathercock stability, indicates static directional stability. From Fig. 5(c), it is clear that the nominal aircraft is stable, but the damaged aircraft is observed to be lightly directionally statically unstable, as would be expected for a tailless 747 aircraft. This simulation also shows that there is no rudder deflection necessary to observe this, even a doublet on the roll channel (ailerons) induces some sideslip in order to make a static stability analysis. Summarizing, analysing both
13
Online Physical Model Identification and NDI
375
results, it is clear that the loss of the tail surface can be identified by means of these identification results. In order to perform a validation of the accuracy of the identification results in both applications presented above, the innovations can be calculated again. This clearly shows that the least squares result is accurate. Also the reconstruction of linear velocity components and angular rates confirms the trustworthiness of the identification results.
13.4.3 Feedback of Aircraft Stability and Control Effector Information to the Pilot The identified parameters contain valuable information about the physical state of the aircraft. The absolute value has less significance than its change compared to the initial value. Also, it requires a good understanding of flight dynamics and aerodynamic modeling to understand these parameters. For this reason, it is paramount to translate these values to a suitable format, which can be easily interpreted by the pilot. For example, the parameters Cmα and Cnβ could be presented as stability factors, while Cmδe , Clδa , Cnδr and CXEPR could be presented as elevator-, aileron-, rudderand engine-effectiveness respectively. It is worthwhile to investigate the possibility to present the parameters to the pilot in a proper way, giving him insight in the physical condition of the aircraft; as an example a possible visual presentation of this information to the pilot is given in Fig. 13.6.
Fig. 13.6 Example of visualization of control effector effectiveness for the pilot, this information is based upon control effector effectiveness parameters, like Cmδe , Clδa , Cnδr and CXEPR .
376
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
13.5 Trigger for Reconfiguration In order to ensure proper adaptivity of the identification routine for failure dynamics, there are two major options. One is to rely on a weighting factor λ in the recursive least squares procedure, the other is to incorporate a trigger for re-identification. In Ref. [7], an evaluation has been made between both alternatives. Since the former has the disadvantage that older data, which might still contain useful information, is thrown away due to the limiting history horizon, the latter option has been preferred. This limiting history horizon has a major drawback during long periods of stationary flight with no control inputs, like cruise, because the model is likely to become unstable due to the lack of significant excitations. This is a very relevant issue, since cruise flight conditions constitute the largest part of a typical flight profile. The concept of a re-identification trigger works by increasing the covariance matrix P artificially when the current model cannot be relied upon anymore. In this way, no data will be lost during normal flight, maintaining the quality of the model also in constant flight conditions. In case an error occurs that affects the model, the aircraft will move (and this induced movement will be counteracted by the (auto)pilot), creating sufficient excitation data on the input channels to identify the new model within a limited time span. The major requirement for this procedure is that reliable information is available about the quality of the aerodynamic model. In [6], the authors describe a procedure to use the innovation (the difference between the model prediction and the actual behaviour of the system or aircraft) as a measure of the quality of the model. The absolute value of the innovation does not only depend on the model quality, but also on the noise in the input channels, which makes it unsuitable for quality determination. Instead, the whiteness of the innovation is used as a quality measure, since a perfect model would have a residual comparable to the noise present in the input signals. The residual (innovation) of the estimated aerodynamic model can be calculated as follows:
Δ (k) = z (k) − X (k) θˆ RLS (k)
(13.22)
in which Δ (k) is the innovation, z (k) is the state measurement from the actual aircraft, X (k) is the data matrix and θˆ LS (k) is the vector of estimated parameters. The faults, which change the system dynamics, also change the characteristics of Δ (k) and make it different from white noise. Two criteria, namely the autocorrelation criterion πk and the innovation average value Δ (k), have been analysed to decide whether this innovation is dominated by white noise, or contains a residual of an incorrect aerodynamic model. If the latter is the case, the reconfiguration of the model should be triggered. The former should be ignored in order to prevent false alarms. Analysis has revealed that the average value of the innovation of a period of time, calculated in (13.23) is the preferable criterion. This calculation reveals the mean value of the residual, which will deviate from zero once the model becomes inaccurate. 1 nav Δ (k) = (13.23) ∑ Δ (k − i) nav i=0
13
Online Physical Model Identification and NDI
377
Δ (k) stands for the average innovation, nav is the number of samples over which this average is taken (a proper range appears to be 25 − 100, corresponding to 0.5s − 4s). For the triggering of the re-identification a threshold value has been chosen based on several simulated test flights, with and without failure. Besides use of the residual mean value, it is possible to rely also on other criteria, like spectral analyses. This is the subject of further research. Once this monitoring criterion has suggested the current model contains errors, the re-identification will take place. The covariance matrix P of the RLS procedure gives a measure for quality of the data that has entered the identification. Without forgetting factor, this data richness can only improve, since all information from previous measurements is retained. This results in a gradual freezing of the parameter values since every new datapoint is weighted less in the parameter identification. When it is concluded that the real-life situation has changed to such an extent that the identified model is not valid anymore, this old data should be disregarded. By artificially returning the covariance matrix to its initial state - a diagonal matrix with very large values (in the order of 106 ) - the parameters are more influenced by new measurements and can be identified based on the flight data of the aircraft in its new, changed situation. Since each of the six dimensionless forces and moments [CX CY CZ Cl Cm Cn ]T has a separate innovation channel, the reconfiguration can be focused on the respective parameter set that triggers the reconfiguration. For this reason, six covariance matrices P are stored and updated separately. When for example the criterion value of rollmoment parameters Cl exceeds the threshold, only these parameters are triggered for re-identification. This prevents unnecessary destabilizing the aircraft model parts that are used in the control system.
13.6 Reconfiguring Control: Adaptive Nonlinear Dynamic Inversion For the reconfigurable control algorithm, a model based control method needs to be chosen. One of the valid approaches is the so-called concept of adaptive nonlinear dynamic inversion. Nonlinear dynamic inversion has been used before in the literature for flight control and aircraft guidance, see Ref. [2], [20] and [19], where one of its main advantages is the absence of any need of gain scheduling over the flight envelope. In Ref. [18], enhanced NDI strategies have been applied for reconfigurable flight control in the case of stuck or missing effectors. However, this reference mentions the need for relatively noise free critical measurements and uses only one NDI loop with a position/angle allocator. The application discussed in this section however, can deal with noisy measurements thanks to the presence of a robust identification routine acting on the measurements. Moreover, a dual NDI loop has been implemented here, with inner loop body angular rate and outer loop aerodynamic angle tracking properties. This overall combination increases greatly the ability to reconfigure the aircraft in the presence of component as well as structural failures.
378
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
The general idea of nonlinear dynamic inversion is as follows. Consider the nonlinear MIMO system dynamic model, which is assumed to be affine in the input: x˙ = f(x) + G(x) · u
(13.24)
The output y of the system is then expressed as a function h of the aircraft state vector x: y(x) = h(x) (13.25) Defining the matrix ∇h (x) as the Jacobian matrix:
∂ h(x) = ∇h(x) ∂x
(13.26)
the time derivatives of the outputs (13.25) can be expressed as: dy = ∇h (x) [f(x) + G(x) · u] = L1f h (x) + Lg h (x) u dt
(13.27)
where L1f h (x) = ∇h (x) f(x) denotes the first order Lie derivative vector and the Lg h (x) = ∇h (x) G(x). If the second term of eq. (13.27) is zero, more time derivatives of eq. (13.27) are required, generally until the second term of eq. (13.27) is nonzero. This nonzero time derivative order is defined as ”relative degree”. In general, as the elements within the output vector y(x) may have different relative degrees, it is convenient to write the time derivative for each output as: m d ri hi (x) d ri y i ri = = L h (x) + Lg j Lrfi −1 hi (x) u j i ∑ f dt ri dt ri j=1
(13.28)
In eq. (13.28), ri is the relative degree for the ith output. A collection of all differentiated (rith order) outputs yields: yr (x) = l (x) + M (x) u with:
⎡
⎤ ⎥ ⎥ ⎦
(13.30)
⎤ Lrf1 h1 (x) ⎢ Lrf2 h2 (x) ⎥ ⎥ ⎢ l (x) = ⎢ ⎥ .. ⎦ ⎣ . rm L f hm (x)
(13.31)
⎢ yr (x) = ⎢ ⎣ ⎡
and
d r1 h1 (x) dt r1
(13.29)
.. .
d rm hm (x) dt rm
13
Online Physical Model Identification and NDI ⎡
Lg1 Lrf1 −1 h1 (x) Lg2 Lrf1 −1 h1 (x) ⎢ L Lr2 −1 h (x) L Lr2 −1 h (x) g2 f ⎢ g1 f 2 2 M (x) = ⎢ .. .. ⎢ ⎣ . . Lg1 Lrfm −1 hm (x) Lg2 Lrfm −1 hm (x)
379 ⎤ · · · Lgm Lrf1 −1 h1 (x) · · · Lgm Lrf2 −1 h2 (x) ⎥ ⎥ ⎥ .. .. ⎥ ⎦ . . rm −1 · · · Lgm L f hm (x)
(13.32)
Solving for u if the total relative degree r = r1 + r2 + . . . + rm = n, with n the number of states of the system, by introducing a virtual outer loop control input vector ν , which consists of time derivatives of control variables cvi (x) up to the corresponding relative degree ri : u = M −1 (x) [ν − l (x)] ⎡
with:
⎢ ν (x) = ⎢ ⎣
d r1 cv1 (x) dt r1
.. .
d rm cvm (x) dt rm
(13.33)
⎤ ⎥ ⎥ ⎦
(13.34)
then this results in a closed-loop system with a linear and decoupled input-output relation: ⎤ ⎤ ⎡ r1 ⎡ r1 ⎢ yr (x) = ⎢ ⎣
d h1 (x) dt r1
.. .
d rm hm (x) dt rm
⎥ ⎢ ⎥=ν =⎢ ⎦ ⎣
d cv1 (x) dt r1
.. .
d rm cvm (x) dt rm
⎥ ⎥ ⎦
(13.35)
Thus the control law for tracking tasks d ri hid d ri cvi = − k0i e − k1i e˙ − . . . − k(ri−1)i e(ri −1) with e = yid (t) − yi (t) (13.36) dt ri dt ri for i = 1, . . . , m with the k j s chosen so that pn + kn−1 pn−1 + . . . + k1 p is a stable polynomial, leads to the exponentially stable tracking dynamics for i = 1, . . . , m: e(ri ) + k(ri−1)i e(ri −1) + . . . + k1i e˙ + k0i e = 0 with e (t) → 0
(13.37)
By making use of Nonlinear Dynamic Inversion (NDI), the nonlinear aircraft dynamics can be cancelled out such that the resulting system behaves like a pure single r-th order integrator. In (13.33), l(x) represents the airframe/engine model and M(x) is the so-called effector blending model. Note that the effector blending model M(x) needs to be inverted. See also ref. [3] and [21]. Equation (13.33) can be rewritten for an aircraft by considering the dynamic equation of an aircraft: ⎡ ⎤ ⎡ ⎤ ⎡ ⎤ ⎛ ⎡ ⎤⎞ p˙ L p p x˙ = ⎣ q˙ ⎦ = I−1 ⎣M ⎦ − I−1 ⎣ q⎦ × ⎝I ⎣ q⎦⎠ (13.38) r˙ N r r
380
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
T T where p q r are the rotational rates and L M N the angular moments acting on the aircraft. The inertia matrix I stands for: ⎡ ⎤ Ixx −Ixy −Ixz I = ⎣−Iyx Iyy −Iyz ⎦ (13.39) −Izx −Izy Izz where the moments of inertia Ixy , Iyx , Iyz and Izy are assumed to be zero. As outlined in Section 13.2.2, these angular moments can be seen as a combination of different state and control variables. With the model described here, a controller has a complete overview of aircraft behaviour as a function of states and control settings. NDI cancels out all non-linear parts, in order to obtain a system which behaves as a pure integrator, regardless of the state. This pure integrator can be controlled by a linT ear controller which produces the virtual control input ν p νq νr . Relying on the information given in (13.15), (13.18) and (13.21), the aircraft dynamics in (13.38) can be rewritten in the form of (13.33). Here it should be noted that (13.18) and (13.21) can be split into a part describing the contribution of the states and a contribution of the control surface settings, where thrust, stabilizer and flaps are grouped together with the states in the airframe/engine model. Moreover, the individual control derivatives of the different aileron, elevator, rudder and spoiler surfaces from the identification step have been combined into equivalent global control derivatives which are used in the effector blending model of the control phase. Inserting this into (13.38) yields ⎡ ⎤ ⎛⎡ ⎤ ⎡ ˜ ⎤ ⎡ ⎤⎞ bClδa 0 bC˜lδr p˙ δa bClstates 1 x˙ = ⎣ q˙ ⎦ = ρ V 2 SI−1 ⎝⎣cCmstates ⎦ + ⎣ 0 cC˜mδe 0 ⎦ ⎣δe ⎦⎠ + 2 bCnstates δr r˙ bC˜nδa 0 bC˜nδr ⎡ ⎤ ⎛ ⎡ ⎤⎞ p p −1 ⎣ ⎦ ⎝ ⎣ ⎦⎠ q q −I × I (13.40) r r where: C˜lδa = −Clδa +Clδa −Clδaor +Clδa −Clδsp ... −Clδsp +Clδsp ... +Clδsp ir
il
1
ol
8
5
C˜nδa = −Cnδa +Cnδa −Cnδaor +Cnδa −Cnδsp ... −Cnδsp +Cnδsp ... +Cnδsp ir
il
ol
1
5
8
C˜mδe = Cmδe +Cmδe +Cmδeor +Cmδe ir
il
(13.41)
12 12
(13.42) (13.43)
ol
C˜lδr = Clδru +Clδr
(13.44)
l
C˜nδr = Cnδru +Cnδr
(13.45)
l
and ⎤ pb ⎤ ⎡ rb + Clr 2V + CTc Tc Cl0 + Clβ β + Cl p 2V Clstates qc¯ ⎥ ⎣Cmstates ⎦ = ⎢ ⎣Cm0 + Cmα α + Cmq V + Cmih ih + Cmδ fo δ fo + Cmδ fi δ fi + CmTc Tc ⎦ Cnstates C + C β + C pb + C rb + C T ⎡
n0
nβ
n p 2V
nr 2V
nTc c
(13.46)
13
Online Physical Model Identification and NDI
381
In order to obtain rate control, the rotational rates of the aircraft are selected to be the control variables. T (13.47) cv(x) = p q r Differentiation of this results in the virtual inputs: T dcv(x) = x˙ = ν p νq νr dt
(13.48)
T At this point, equation (13.40) can be solved for the control inputs δa δe δr , resulting in a similar structure as in (13.33): ⎡ ⎤ ⎡ ˜ ⎤−1 bClδa 0 bC˜lδr δa ⎣δe ⎦ = ⎣ 0 cC˜m 0 ⎦ · δe ˜ ˜ δr bCn 0 bCn ⎧ δa ⎛⎡ ⎤δr ⎡ ⎤ ⎛ ⎡ ⎤⎞⎞ ⎡ ⎤⎫ νp p p bClstates ⎬ ⎨ I ⎝⎣νq ⎦ + I−1 ⎣ q ⎦ × ⎝I ⎣ q ⎦⎠⎠ − ⎣cCmstates ⎦ (13.49) ⎭ ⎩ 12 ρ V 2 S ν bC r r r
nstates
The first part of (13.49) performs the control inversion, while the second part contains the state inversion. Subsequently, the different aileron, elevator, rudder and spoiler surfaces are coupled and deflect in a fixed coordinated way. The development of a more flexible control allocation algorithm is part of the future work. Nevertheless, the results shown here prove that this simplification has no serious detrimental effect on the performance of the FTFC module. The classical weakness of NDI, its sensitivity to modelling errors which leads to erroneous inversion and thus a possibly unstable result, is circumvented here by making use of the real time identified physical model, which has a greater accuracy than an off-line model. As a result, one does not only obtain an adaptive NDI routine which renders the aircraft behaviour like a pure integrator in nominal situations. In failure situations, the modified aircraft model is identified by the two step method and immediately applied in the model-based adaptive NDI routine, which allows reconfiguring for the failure in real time. The NDI routine is composed of two loops. The inner loop allows for rate control on roll and pitch steering. Yaw control is achieved by sideslip control. This is an optimal way of manual control for the human pilot. The outer loop adds another NDI routine for angle control on heading, flight path angle and sideslip. This is the so-called concept of angle control, where it should be noted that the angles of the groundspeed velocity vector and not the aircraft angles are controlled. These three quantities form an ideal basis for the design of the classical autopilot modes (under development), which can be designed in the final overall outer loop by making use of classical feedback or alternatively NDI control. Classical feedback control can be sufficient in this outer loop, since the closed middle and inner loop system relying on NDI twice has a linear input-output relation.
382
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
Research has revealed that this adaptive model based control approach has an important advantage since a very representative aerodynamic model is available by means of the two step method described earlier. In this way, a fault tolerant control scheme has been obtained which is virtually capable of handling any aircraft failure, as long as it is identified and represented correctly by the on-line aircraft model. Despite the promising impression of adaptive NDI, there are still some issues and risks in development and implementation. Especially for fault tolerant flight control using NDI, two issues arise. First of all, there is the problem of robustness: if the real time identification routine is not able to make an accurate fit of the aircraft model, the possibility exists that classical NDI leads to an unsatisfactory result. Therefore, robust NDI should be considered for application in this context, but real time applicability is a major concern here. Moreover, the risk of singularity needs precautions. Since inversion of the effector blending model b(x) is needed, singularity requirements apply to this model. This is the domain of control allocation, which still needs further investigation. For the applications in this Garteur context, some assumptions have been made. Namely, a sufficiently accurate aircraft model should be supplied by the identification procedure, such that NDI can be applied successfully. Generally, this is not a problem for the two step method considering the failure cases which have been investigated in this research project. Secondly, after the failure, every channel (roll/pitch/yaw) of the crippled aircraft still needs to be controllable in some way, otherwise no effector blending model inversion is possible. The principle of Adaptive NDI (ANDI) has been applied on two levels. The lower level is manual control, which has been verified by means of workload evaluation runs in the SIMONA Research Simulator and is discussed extensively in Chapter 17. The upper level is full automatic autopilot control, which has been evaluated by the previously defined assessment criteria. For both control alternatives, the same inner loop has been established, which focuses on pure body fixed angular rate control as elaborated in equation (13.49) and as illustrated in Fig. 13.7. The distinction between the inner and outer loop has been based upon the time scale separation principle. Mind that in each approach, the two step method is operational and supplying the real time identified model parameters, including failure characteristics when relevant.
13.6.1 Autopilot Control: Assessment Criteria For autopilot control, a double loop is needed over the inner loop rate control described earlier. Similarly as for the manual control lay-out, a pure classical feedback loop works for unfailed aircraft, but this will not perform adequately for asymmetrically damaged aircraft, where a certain steady non-zero sideslip angle β and/or roll angle φ are necessary to compensate for the asymmetry. Therefore, all loops considered here must be NDI-based. The middle loop quantities are the aerodynamic angles, namely roll angle φ , angle of attack α and sideslip angle β . The equations for the three quantities need to be derived.
13
Online Physical Model Identification and NDI
383
Fig. 13.7 NDI rate control inner loop
First, in order to obtain roll angle control, an equation needs to be found which expresses the change in roll angle in terms of the required rotational rates. Reference [17] provides: dφ = φ˙ = p + (q sin φ + r cos φ ) tan θ (13.50) dt T Separating the rotational rates p q r yields: ⎡ ⎤ p φ˙ = 1 sin φ tan θ cos φ tan θ ⎣ q ⎦ (13.51) r Second, the angle of attack must be represented in a similar way, in terms of the required rotational rates. Since: α˙ ≈ θ˙ − γ˙ (13.52) this problems boils down to finding equations for θ˙ and γ˙. The glideslope angle γ is the angle between the total velocity vector and its vertical component in the earth fixed reference frame: sin γ =
we V
γ = arcsin
w
e
V
(13.53)
A descent (we > 0) results in a positive glideslope angle. Differentiating (13.53) results in: w˙e w˙e 1 =7 γ˙ = ! 2 w V V 2 − w2e 1 − V e2 1 = 7 · [−Ax sin θ + Ay sin φ cos θ + Az cos φ cos θ + g] (13.54) 2 V − w2e
384
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
This equation is obtained by rotating the vertical acceleration Az from the earth into the body reference frame. Note that no rotational rates can be found in this equation. On the other hand, the time derivative of the pitch angle θ˙ depends on the rates in the following way: θ˙ = q cos φ − r sin φ (13.55) Separating the rates yields: ⎡ ⎤ p θ˙ = 0 cos φ − sin φ ⎣ q ⎦ r
(13.56)
Combining (13.52), (13.54) and (13.56) results in the NDI equation for the angle of attack α : 1 α˙ ≈ θ˙ − γ˙ = − 7 · [−Ax sin θ + Ay sin φ cos θ + Az cos φ cos θ + g] + V 2 − w2e ⎡ ⎤ p (13.57) + 0 cos φ − sin φ ⎣ q ⎦ r It now becomes clear that the rotational rates can be found in this overall equation and thus NDI can be applied. The last outer loop is needed in order to convert the yaw rate r towards a sideslip β command. This loop must also be NDI-based, where the feedback path makes use of the lateral specific force Ay (which is related to the sideslip angle), the roll angle φ and the pitch attitude angle θ . The control law can be deduced, where a relationship must be found between the sideslip angle β and the body fixed angular rates. From [17], the sideslip angle β can be written as follows: (13.58) v = V sin β Rewriting for β and differentiating and inserting the equation for v˙ from the nonlinear aircraft kinematics yields: v 1 d arcsin =√ β˙ = · v˙ dt V V 2 − v2 1 = √ · [Ay + g cos θ sin φ + pw − ru] 2 V − v2 ⎡ ⎤ p w 1 −u = √ · [Ay + g cos θ sin φ ] + √V 2 −v2 0 √V 2 −v2 ⎣ q ⎦ (13.59) V 2 − v2 r The different controls for roll angle φ , angle of attack α and sideslip angle β can now be combined in the following equation:
13
Online Physical Model Identification and NDI
385
⎡ ⎤ ⎡ ⎤ 0 φ˙ 1 ⎢ ⎥ ⎣α˙ ⎦ = ⎢− √V 2 −w2e · [−Ax sin θ + Ay sin φ cos θ + Az cos φ cos θ + g]⎥ + ⎣ ⎦ √ 1 β˙ · [Ay + g cos θ sin φ ] 2 2 V −v ⎤⎡ ⎤ ⎡ 1 sin φ tan θ cos φ tan θ p ⎢ cos φ − sin φ ⎥ ⎣q ⎦ +⎣ 0 (13.60) ⎦ √w √ −u 0 r 2 2 2 2 V −v
V −v
The equation can now be rewritten for the required rotational velocities: ⎤−1 ⎡ ⎤ ⎡ 1 sin φ tan θ cos φ tan θ p cos φ − sin φ ⎥ ⎣ q⎦ = ⎢ ⎦ · ⎣ 0w −u √ √ 0 r 2 2 2 2 V −v V −v ⎧ ⎤⎫ ⎡ ⎡ ⎤ ⎪ ⎪ 0 ⎪ φ˙ ⎪ ⎨ ⎥⎬ ⎢− √ 1 · [−A sin θ + A sin φ cos θ + A cos φ cos θ + g] x y z ⎥ ⎢ ⎣α˙ ⎦ − 2 −w2 V e ⎦⎪ ⎣ ⎪ ⎪ ⎪ √ 1 · [Ay + g cos θ sin φ ] ⎩ β˙ ⎭ 2 2 V −v
(13.61) The outer loop quantities to be controlled in this setting are the true airspeed VTAS , the flight path angle γ and the course χ . It should be noted that these quantities allow total control over the velocity vector, respectively regarding magnitude, elevation and azimuth in the polar coordinates. Ref. [12] explains the conventional coupling between the course χ and the roll angle φ . Regarding the demanded flight path angle γcomm , this can be rewritten in terms of the required angle of attack α . Unfortunately the expression α ≈ θ − γcomm is not accurate enough for this purpose, and therefore a more elaborate expression is deduced from Ref. [22]: sin γ
= a sin θ − b cos θ a = cos α cos β with: b = sin φ sin β + cos φ sin α cos β
(13.62)
This equation has been rewritten: sin γ
sin γ cos φ sin α cos β cos θ sin α
= a sin θ − b cos θ a = cos α cos β ≈ 1 with: b = sin φ sin β + cos φ sin α cos β = sin θ − (sin φ sin β + cos φ sin α cos β ) cos θ = − sin γ + sin θ − sin φ sin β cos θ tan θ sin γ = − + − tan φ tan β cos φ cos β cos θ cos φ cos β (13.63)
386
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
For thrust control, an NDI loop has been added parallel to the middle loop which inverts the velocity VTAS . This velocity can be expressed as: ! VTAS = u2b + v2b + w2b (13.64) Differentiating (13.64): 1 V˙TAS = ! (2ub u˙b + 2vbv˙b + 2wb w˙ b ) u2b + v2b + w2b 1 = ! (ub (−g sin θ + rvb − qwb + Ax ) + 2 ub + v2b + w2b + vb (g cos θ sin φ + pwb − rub + Ay ) + wb (g cos θ cos φ + qub − pvb + Az )) and therefore ρV 2S ˜ 1 ˙ Cx + CxT Tc + VTAS = ! ub −g sin θ + rvb − qwb + 2m u2b + v2b + w2b ρV 2S ˜ Cy + CyT Tc + +vb g cos θ sin φ + pwb − rub + 2m ρV 2S ˜ Cz + CzT Tc +wb g cos θ cos φ + qub − pvb + 2m 1 = ! (g (−ub sin θ + cos θ (vb sin φ + wb cos φ )) + u2b + v2b + w2b ρV 2S ˜ ˜ ˜ ubCx + vbCy + wbCz + + 2m 1 ρV 2S (ubCxT + vbCyT + wbCzT ) Tc +! u2b + v2b + w2b 2m
(13.65)
Rewriting for the thrust lever input Tc results in: Tc =
−1 ρV 2S (ubCxT + vbCyT + wbCzT ) · 2m ! V˙TAS u2b + v2b + w2b − (g (−ub sin θ + cos θ (vb sin φ + wb cos φ )) + ρV 2S ˜ ˜ ˜ ubCx + vbCy + wbCz + 2m
13
Online Physical Model Identification and NDI
387
−1 ρV S (u Cx + vbCyT + wbCzT ) = · 2m b T g (−ub sin θ + cos θ (vb sin φ + wb cos φ )) + V˙TAS − V ρV S ˜ + ubCx + vbC˜y + wbC˜z 2m
(13.66)
wherein: qc¯ C˜x = CX0 + CXα α + CXα 2 α 2 + CXq + CXδe δeir + CXδe δeil + CXδe δeor or ir il V +CXδe δeol + CXih ih + CXδ δ fo + CXδ δ fi (13.67) fo
ol
fi
pb rb + CYr + CYδa δair + CYδa δail + CYδa δaor C˜y = CY0 + CYβ β + CYp or ir il 2V 2V +CYδa δaol + CYδr δru + CYδr δrl + CYδsp δsp1 + ... + CYδsp δsp12 (13.68) u
ol
l
1
12
qc¯ C˜z = CZ0 + CZα α + CZq + CZδe δeir + CZδe δeil + CZδe δeor + CZδe δeol + or ir il ol V (13.69) +CZih ih + CZδ δ fo + CZδ δ fi fo
fi
As a result, Fig. 13.8 shows the autopilot control outer loop architecture. In this set-up the outer loop quantities VTAS , γ and χ can provide the connection to the Mode Control Panel, operated by the human pilot, on which he can set up specific values for these quantities to be tracked. Alternatively, and as used in the experiments considered here, the same quantities can be used to implement waypoint control, where these quantities can be calculated from the distance between the last and next waypoint in the three cartesian coordinate components using trigonometry. Finally, two more remarks must be added concerning Fig. 13.8. The acronym ‘LC’ stands for linear controller. Moreover, some requirements have been implemented on the roll angle, which is limited between +45◦ and −45◦ . These maximum roll angles should be adapted in post failure conditions, dependent upon the extent of the damage suffered by the aircraft, and thus how far the safe flight envelope has been reduced. In order to have some commonality in the evaluation of the different FTFC strategies, it has been decided to focus on three cases for the off-line evaluation, namely stabilizer runaway, rudder loss and the engine separation Bijlmermeer accident. In order to save space, the first two scenarios are discussed jointly below. 13.6.1.1
Stabilizer Runaway and Rudder Loss
First of all, a comparison has been made between the unfailed and the failed trajectory, as can be seen in Fig. 9(a). It is clear that there is almost no difference in the trajectory between the unfailed and the stabilizer runaway situation. For the rudder loss scenario, there is a significant difference. The reason for this is that the maximum safe roll angle without rudder is limited to 20◦ . This is related to the issue
388
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
Fig. 13.8 NDI autopilot outer loop, featuring VTAS , γ and χ control
of the post-failure safe flight envelope. Currently, these manoeuvre limits have been defined heuristically following evaluating simulation runs for this analysis. Future research will investigate the use of safe flight envelope prediction in order to derive these manoeuvre limits based on the model estimation parameters. Two benchmark trajectory phases have been analysed for this control setup, namely straight flight and right hand turn. The straight flight is the time span between the failure occurrence and the first waypoint. The phase between first and second waypoint is classified as the right hand turn manoeuvre. Besides, the beneficial influence of the repeated identification procedure after failure is illustrated in Fig. 9(b). As can be seen in this figure, the NDI controller is not capable of flying properly from the second waypoint towards the third one without identifying the new aircraft dynamics. As a matter of fact, loss of the rudder is a drastic structural failure, as already illustrated in section 13.4.2, and the NDI controller is not able to fulfil the mission profile with the new aircraft configuration if the mathematical model used by the controller is not updated post-failure. Concerning the straight flight phase, the states as well as the specific forces have been analysed in Fig. 13.10. The state requirements are clearly all satisfied, and also the specific forces seem acceptable. It is apparent that there is no significant influence from the stabilizer runaway in any of the graphs. The rudder loss effect is clearly visible in the lateral specific force Ay time history. However, the force scale shows that this is not a significant issue. Also for the right turn, the state requirements are satisfied as can be seen in Fig. 13.11. Due to the more stringent roll angle limitation from 30 to 20 degrees after rudder loss, it takes a longer time to execute the turn in the different scenarios, which explains the time difference in figures 11(a) and 11(b). The same issue holds for the kinematic acceleration requirements in Fig. 13.12. Only body roll and yaw rates together with sideslip angle suffer small violations of the specifications; this is connected to the behaviour explained
13
Online Physical Model Identification and NDI
389
3D view of the trajectory
0 2000
NDI no failure 4000 NDI stabilizer runaway NDI rudder loss 6000 failure waypoint8000 10000 8000 12000
6000 14000
4000 2000
16000 0
(a) aircraft trajectory with FTFC autopilot along three waypoints in the scenario’s unfailed, stabilizer runaway and rudder loss
(b) part of aircraft trajectory with FTFC autopilot between two final waypoints in the scenario rudder loss without identification
Fig. 13.9 Aircraft trajectory with FTFC autopilot along three waypoints
below, together with the analysis of the lateral kinematic acceleration. Analysing the kinematic accelerations in Fig. 13.12 shows that only the lateral kinematic acceleration ay is not satisfied. This is caused by the directional stability problem, due to the missing rudder surface. This missing rudder eliminates directional stability, as shown in Fig. 5(c). Consequently, lateral damping is insufficient during the turn, and after ending the right hand turn, the aircraft also has the tendency to continue a slipping flight, which is indicated by the time history of this quantity. This problem can be solved by incorporating differential thrust in order to promote artificial lateral damping. This is one of the points for further work. The control surface deflections are shown and compared hereafter. Fig. 13.13 shows the control surface deflections commanded by the fault tolerant flight control system in a nominal unfailed scenario. On the contrary, Fig. 13.14 gives the same
2
−2 40
50
60
40
5
70
50
60
70
−10 40
50
60
70
1.5 1 0.5 40
45
50
55
60
45
50
55
60
0 40
50
60
70
2
60
70
0
0 −2 40
50
60
−9
70
70
time [s]
(a) states
Azb [m/s2]
[deg] phi
65
0.05
−0.05 −0.1 40
NDI no failure NDI stabilizer runaway NDI rudder loss 50
70
0.1
NDI no failure NDI stabilizer runaway NDI rudder loss
time [s] 40 20 0 −20 −40 40
65
10
10 0
beta
52
15
0
Axb [m/s2]
70
Ayb [m/s2]
chi [deg] 60
2
54
[deg]
gamma [deg] [deg]
50
nz [−]
VTAS
130 40
Specific forces in body axes
Straight flight
135
alpha
[m/s]
States with specs 140
−9.5
−10 40
45
50
55 time [s]
60
65
70
(b) specific forces
Fig. 13.10 Straight flight phase performance check with assessment criteria for stabilizer runaway and rudder loss
100
120
140
nz [−]
10
80
100
120
120
140
80
100
120
140
2
120 time [s]
0 80
100
120 time [s]
140
−10
80
100
120
140
160
80
100
120
140
160
80
100
120
140
160
80
100
120 time [s]
140
160
2
[deg]
0 80
100
120
140
160
2
−2
phi
[deg/s]
160
−2 15 10
80
100
120
140
160
5
10
ny [−] 100
140
0
2 0 −2 80
120
0
−2
140
100
100
[deg] qbody
80
15 10 5 0
[deg/s] pbody
−2
10 5 0 −5
right turn and LOC intercept 40 20 0 −20 −40
alpha
80
alpha
rbody [deg]
80
rbody
140
0 beta
140
[deg]
120
0
ny [−]
120
beta
100
[deg] qbody
80
−10
100
2 0
2
−2
80
States with specs 140 135 130
2
nz [−]
140
10 0 −10
VTAS
120
phi
100
[deg/s]
80
right turn and LOC intercept 40 20 0 −20 −40
[deg/s]
[deg]
States with specs
[m/s]
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
140 135 130
[deg/s]
pbody
[deg/s] VTAS
[m/s]
390
80
100
120
140
160
80
100
120 time [s]
140
160
0 −2
2 0 −2
140
(a) states nominal and stabilizer runaway
(b) states rudder loss
Fig. 13.11 Right turn flight phase states performance check with assessment criteria for stabilizer runaway and rudder loss
Kinematic accelerations in body axes
Kinematic accelerations in body axes 2 axb [m/s2]
axb [m/s2]
2 0 −2 70
0 −2
80
90
100
110
120
130
140
150
70
80
90
100
110
120
130
140
150
160
80
90
100
110
120
130
140
150
160
90
100
110
120 time [s]
130
140
150
160
4 ayb [m/s2]
ayb [m/s2]
2 0 −2 −4 −6 70
0
−4 80
90
100
110
120
130
140
−6 70
150
2
2 azb [m/s2]
azb [m/s2]
2
−2
0 −2
0 −2
−4 70
80
90
100
110 time [s]
120
130
140
150
(a) states nominal and stabilizer runaway
70
80
(b) states rudder loss
Fig. 13.12 Right turn flight phase kinematic accelerations performance check with assessment criteria for stabilizer runaway and rudder loss
deflections in the stabilizer runaway scenario. In this figure, it can be seen that the elevators compensate for the disturbing stabilizer failure. Finally, Fig. 13.15 represents the control surface deflections in the vertical tail loss scenario. Here, it is clear that there are no rudder deflections anymore after the failure, since the aircraft lacks the complete rudder. On the contrary, aileron and spoiler deflections indicate that they are more active compared to the unfailed scenario, since they are compensating for the lack of rudder input. 13.6.1.2
Engine Separation Bijlmermeer Accident
Comparing the unfailed and failed trajectories for the engine separation scenario leads to the result shown in Fig. 13.16. The classic controller is by no means capable of handling the failure, while the nonlinear dynamic inversion based fault
13
Online Physical Model Identification and NDI 20 15
0 inner aileron right inner aileron left outer aileron right outer aileron left
−40
0
20
40
60
80
100
120
140
160
180
140
spoiler #1 spoiler #2 spoiler #3 spoiler #4 spoiler #5 spoiler #6180 160
140
spoiler #7 spoiler #8 spoiler #9 spoiler #10 spoiler #11 spoiler #12180 160
inner elevator right inner elevator left outer elevator right outer elevator left
10
e
−20
δ [deg]
a
δ [deg]
20
391
5
200 0
30 δsp [deg]
−5 20 10 0
0
20
40
60
80
100
120
0
0
20
40
60
80
100 time [s]
120
40
60
80
100
120
0
20
40
60
80
100 time [s]
120
140
160
180
200
180
200
5 i ; δ [deg]
r
0 −5
h
δsp [deg]
20
20
10 200
60 40
0
stabilizer angle upper rudder lower rudder
−10 −15
200
(a) ailerons and spoilers
140
160
(b) elevators, stabilizer and rudders
Fig. 13.13 Nominal scenario flight control surface deflections
20 15
0 inner aileron right inner aileron left outer aileron right outer aileron left
−40
0
20
40
60
80
100
120
140
160
5
180
0
200
−5
30 δsp [deg]
−10
140
spoiler #1 spoiler #2 spoiler #3 spoiler #4 spoiler #5 spoiler #6180 160
140
spoiler #7 spoiler #8 spoiler #9 spoiler #10 spoiler #11 spoiler #12180 160
20 10 0
0
20
40
60
80
100
120
20
0
20
40
60
80
100 time [s]
120
20
40
60
80
100
120
0
20
40
60
80
100 time [s]
120
140
160
180
200
180
200
5 i ; δ [deg]
r
0 −5
h
δsp [deg]
40
0
10 200
60
0
inner elevator right inner elevator left outer elevator right outer elevator left
10
e
−20
δ [deg]
a
δ [deg]
20
stabilizer angle upper rudder lower rudder
−10 −15
200
(a) ailerons and spoilers
140
160
(b) elevators, stabilizer and rudders
Fig. 13.14 Stabilizer runaway scenario flight control surface deflections
20 15
0 inner aileron right inner aileron left outer aileron right outer aileron left
−40
0
20
40
60
80
100
120
140
160
180
140
spoiler #1 spoiler #2 spoiler #3 spoiler #4 spoiler #5 spoiler #6180 160
140
spoiler #7 spoiler #8 spoiler #9 spoiler #10 spoiler #11 spoiler #12180 160
inner elevator right inner elevator left outer elevator right outer elevator left
10
e
−20
δ [deg]
a
δ [deg]
20
5
200 0
60 δsp [deg]
−5 40 20 0
0
20
40
60
80
100
120
0
0
20
40
60
80
100 time [s]
120
(a) ailerons and spoilers
40
60
80
100
120
0
20
40
60
80
100 time [s]
120
140
160
180
200
180
200
5 0
h
r
i ; δ [deg]
δsp [deg]
20
20
10 200
60 40
0
−5 stabilizer angle upper rudder lower rudder
−10
200
−15
140
160
(b) elevators, stabilizer and rudders
Fig. 13.15 Vertical tail loss scenario flight control surface deflections
392
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder 3D view of the trajectory
600 400 200 0 2000 4000
NDI no failure NDI failure classic failure 6000failure waypoint 8000 10000 8000 12000
6000 14000
4000 2000
16000 0
Fig. 13.16 Aircraft trajectory with autopilot along three waypoints in the scenario’s FTFC controlled no failure, FTFC controlled with failure, classically controlled with failure
tolerant controller clearly can. Despite its failure accommodation qualities, it is clear that there is a difference in the trajectory between the unfailed and the NDI failed situation. The reason for this is again that the maximum safe roll angle with right wing damage, lost right wing engines and only half the hydraulics is limited to 20◦ , again due to the post-failure safe flight envelope. The same two benchmark trajectory phases have been analysed for this scenario too. The straight flight is the time span between the failure occurrence and the first waypoint. The phase between first and second waypoint is classified as the right hand turn manoeuvre.
60
2
5
40
45
50
55
60
50
55
60
65
−10
40 20 0 −20 −40
40
45
50
55
60
65
0 35
45
50 55 time [s]
60
40
45
50
55
60
65
70
40
45
50
55
60
65
70
1.5
0 40
45
50
55
60
65
2
−2
1 0.5 0 −0.5 35
0 40
45
50 55 time [s] NDI no failure NDI failure classic failure
40
0.5
10
65
nz [−]
beta [deg]
15
45
10 0
phi
40
0 −2
62
65
Axb [m/s2]
55
Ayb [m/s2]
50
[deg]
gamma [deg] [deg]
45
1
64
65
60
−9
65 Azb [m/s2]
chi [deg]
165 40
Specific forces in body axes
Straight flight
170
alpha
VTAS
[m/s]
States with specs 175
NDI no failure NDI failure classic failure
−10 −11 −12 −13 35
40
45
50
55
60
65
70
time [s]
(a) states
(b) specific forces
Fig. 13.17 Straight flight phase performance check with assessment criteria for the three engine separation scenarios
Online Physical Model Identification and NDI
100
120
140
100
120
100
120
140
120 time [s]
[deg] phi
140
160
80
100
120
140
160
2
−2
0 80
100
120 time [s]
140
−10
80
100
120
140
160
80
100
120
140
160
80
100
120
140
160
80
100
120 140 time [s]
160
2 0
80
100
120
140
160
80
100
120
140
160
80
100
120 140 time [s]
160
−2 15 10 5
2
10
ny [−] 100
120
0
2 0 −2 80
100
0 80
−2
80
[deg/s]
[m/s]
140
10 5 0 −5
right turn and LOC intercept 40 20 0 −20 −40
[deg] qbody
120
[deg/s] pbody
100
10
2
140
80
15 5
10
80
−2
rbody
rbody [deg]
80
0 beta
100
[deg]
140
0
ny [−]
140
beta
[deg] qbody
120
alpha
100
nz [−]
80
−10
120
0
2
−2
100
right turn and LOC intercept 150
alpha
10 0 −10
80
2
393
nz [−]
140
VTAS
120
phi
100
[deg/s]
80
right turn and LOC intercept 40 20 0 −20 −40
[deg/s]
[deg]
States with specs 170 165 160
[deg/s]
pbody
[deg/s] VTAS
[m/s]
13
0 −2
2 0 −2
140
(a) states nominal
(b) states engine separation
Fig. 13.18 Right turn flight phase states performance check with assessment criteria for the three engine separation scenarios
Concerning the straight flight phase, the states as well as the specific forces have been analysed in Fig. 13.17. The state requirements are satisfied, and also the specific forces seem acceptable in Fig. 13.17. In the state graphs, it can be seen that proper energy management is important in this failed situation as explained in chapter 6; only altitude or speed can be maintained. The choice has been made to increase speed up to 170m/s and then to allow the speed to decrease down to 133.8m/s, after which the throttle is opened. From figs. 13.18 and 13.19, the same conclusions can be drawn. Due to the more stringent roll angle limitation from 30 to 20 degrees after the engine separation failure, it takes a longer time to execute the turn in the failed scenario, which explains the time difference. All requirements in figs. 13.18 and 13.19 are satisfied. In the Kinematic accelerations in body axes
Kinematic accelerations in body axes 2 axb [m/s2]
axb [m/s2]
2 0 −2
0 −2
80
90
100
110
120
130
140
150
80
90
100
110
120
130
140
150
160
170
80
90
100
110
120
130
140
150
160
170
80
90
100
110
120 130 time [s]
140
150
160
170
4 ayb [m/s2]
ayb [m/s2]
2 0 −2 −4 −6 80
90
100
110
120
130
140
0 −2 −4
150
2
2 azb [m/s2]
azb [m/s2]
2
0 −2
0 −2
−4 80
90
100
110 time [s]
120
130
140
150
(a) kinematic accelerations nominal runaway
(b) kinematic acceleration engine separation
Fig. 13.19 Right turn flight phase kinematic accelerations performance check with assessment criteria for the three engine separation scenarios
394
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder 15
20 inner aileron right inner aileron left outer aileron right outer aileron left
a
0 −10 −20
0
20
40
60
80
100
120
inner elevator right inner elevator left outer elevator right outer elevator left
10 δe [deg]
δ [deg]
10
140
160
5
0
15
100
spoiler #1 spoiler #2 spoiler #3 spoiler #4 spoiler #5 #6 120 spoiler 140
100
spoiler #7 spoiler #8 spoiler #9 spoiler #10 spoiler #11 120 spoiler #12 140
10 5 0
0
20
40
60
80
δsp [deg]
40 30 20 10 0
0
20
40
60
80 time [s]
0
20
40
60
80
100
120
140
160
140
160
4 160
2 ih; δr [deg]
δsp [deg]
−5
0 −2 stabilizer angle upper rudder lower rudder
−4 −6
160
(a) ailerons and spoilers
0
20
40
60
80 time [s]
100
120
(b) elevators, stabilizer and rudders
Fig. 13.20 Nominal scenario flight control surface deflections 20
15 10 inner aileron right inner aileron left outer aileron right outer aileron left
−40
0
20
40
60
80
100
120
140
e
−20
δ [deg]
a
δ [deg]
0
160
inner elevator right inner elevator left outer elevator right outer elevator left
5 0
180 −5
60 δsp [deg]
−10 40 20 0
0
20
40
60
80
100
120
spoiler #1 spoiler #2 spoiler #3 spoiler #4 spoiler #5 140spoiler #6 160
0
0
20
40
60
80
100
120
40
60
80
60
80
100
120
140
160
180
100
120
140
160
180
stabilizer angle upper rudder lower rudder
5
r h
spoiler #7 spoiler #8 spoiler #9 spoiler #10 spoiler #11 spoiler #12 140 160
10 i ; δ [deg]
δsp [deg]
20
20
15 180
60 40
0
0 −5 −10
180
0
20
40
time [s]
time [s]
(a) ailerons and spoilers
(b) elevators, stabilizer and rudders
Fig. 13.21 Engine separation scenario with fault tolerant controller flight control surface deflections 15
20
a
0 −10 −20
0
10
20
30
40
50
60
inner elevator right inner elevator left outer elevator right outer elevator left
10
inner aileron right inner aileron left outer aileron right outer aileron left
δe [deg]
δ [deg]
10
70
80
5
0
15 10 5 0
0
10
20
30
40
spoiler #1 spoiler #2 spoiler #3 spoiler #4 spoiler #5 spoiler #6 70
50
60
50
spoiler #7 spoiler #8 spoiler #9 spoiler #10 spoiler #11 60 spoiler #12 70
20
δ
sp
[deg]
40 30
10 0
0
10
20
30
40 time [s]
(a) ailerons and spoilers
0
10
20
30
40
50
60
70
80
70
80
4 80
2 ih; δr [deg]
δ
sp
[deg]
−5
0 −2 stabilizer angle upper rudder lower rudder
−4
80
−6
0
10
20
30
40 time [s]
50
60
(b) elevators, stabilizer and rudders
Fig. 13.22 Engine separation scenario with classic controller flight control surface deflections
13
Online Physical Model Identification and NDI
395
failed situation the requirements on the lateral kinematic acceleration ay are not completely met. This is due to the asymmetric damage. A certain non-zero roll angle φ , sideslip angle β and thus lateral kinematic acceleration ay are needed to keep the aircraft in equilibrium. The control surface deflections are shown and compared hereafter. Fig. 13.20 shows the control surface deflections commanded by the fault tolerant flight control system in a nominal unfailed scenario. Fig. 13.21 gives the same deflections in the engine separation scenario. In this figure, it can be seen that quite some control surfaces are inoperative due to the partial loss of hydraulics. However, the remaining operative control surfaces, like two of the four elevators and a small subset of ailerons and spoilers, are able to steer the aircraft along the predefined waypoints. Finally, Fig. 13.22 represents the control surface deflections for the same engine separation scenario, but with the classical controller with less control authority. The simulation ends considerably sooner compared with figs. 13.20 and 13.21, this is because the aircraft hits the terrain.
13.7 Computational Load Due to the large increase in computer calculation power over recent years, the advanced computations required for parameter estimation can now be performed in real-time on a PC with a Pentium 4 processor. Even when the calculation effort is increased by using a larger number of parameters or multiple covariance matrices, simulations show that modern PC systems are able to perform the calculations at frequencies ranging from 20Hz-100Hz. From a computational perspective, the routine applied here consists of three major modules, namely an Iterated Extended Kalman Filter, a Recursive Least Squares procedure and a Nonlinear Dynamic Inversion routine. Of these, the first one is the heaviest from a computational point of view, and thus the one with the largest possible gain in computational cost. However, this Iterated Extended Kalman filter is needed in order to deal with the disturbances which occur in sensor information (biases and noise) and to take into account atmospheric wind. The last aspect leads to the transition from an EKF towards an IEKF with an additional iteration loop in the update step. However, when one can assume that a state observer is included in a separate part of the avionics, the computational cost can be reduced considerably. Nevertheless, for all results presented in this chapter, it is important to realize that this last assumption has not been made.
13.8 Conclusions Summarizing, it can be stated that, following numerical as well as physical experiments on the Simona Research Simulator, the fault tolerant flight control approach based upon the real time physical model identification integrated with nonlinear dynamic inversion is successful in recovering damaged aircraft. The designed methods
396
T. Lombaerts, P. Chu, and J.A. (Bob) Mulder
are capable of accommodating the damage scenarios which have been investigated in this project. Another important result is that model identification using the two step method has proven to be real time implementable in practice. Experiments have shown that even a real time static stability analysis is possible with this method. As already stated, experiments have been performed on desktop computers and on the Simona Research Simulator. The analysis of manual control in Simona has demonstrated superior handling qualities, the pilot workload is reduced dramatically in failure conditions. Also autopilot control, which has been verified numerically, shows satisfactory performance. The crippled aircraft is kept in the air and satisfies almost all criteria which have been defined as an evaluation standard for the FTFC strategies.
13.9 Current and Future Work Based upon the results which have been obtained so far, current work is developing and future work is targeted. Current work focuses on two aspects to increase the adaptivity of the two step method for failures. While the conventional approach works sufficiently for the set of failures studied, it is expected that its performance will degrade for heavily structurally damaged aircraft. For these kinds of failures, it is important to extend the aerodynamic model structure and to estimate the mass parameters on-line. The former is done by means of piecewise sequential modified stepwise regression or adaptive recursive orthogonal least squares. Longer term future research work involves the further development of NDI control with control allocation and robust control, where uncertainty bounds can be based upon the RLS covariances. Finally, it has been found that damage induced flight restrictions are very important during post failure flight. Therefore, efforts should also be put into the estimation of the post-failure safe flight envelope. Acknowledgements. The material presented in this chapter is the result of a cooperation between several people at the division of Control and Simulation at Delft University’s Faculty of Aerospace Engineering. Apart from the authors of this chapter, credit should go to Herve Huisman, who provided essential development material for this research project during his MSc, see Ref. [7]. Outside the division, Diederick Joosten and his supervisors should also be mentioned, with whom an intensive cooperation has taken place in a research project on fault tolerant flight control. This research is supported by the Dutch Technology Foundation (STW) under project number 06515.
References 1. Bodson, M., Groszkiewicz, J.E.: Multivariable adaptive algorithms for reconfigurable flight control. IEEE Transactions on Control Systems Technology 3(2) (March 1997) 2. Campa, G., Seanor, B., Gu, Y., Napolitano, M.R.: Nldi guidance control laws for close formation flight. In: American Control Conference, Portland, OR, USA, June 8-10 (2005)
13
Online Physical Model Identification and NDI
397
3. Chu, Q.P.: Lecture Notes AE4-394, Modern Flight Test Technologies and System Identification. Delft University of Technology, Faculty of Aerospace Engineering (2007) 4. Chu, Q.P., Mulder, J.A., Sridhar, J.K.: Decomposition of Aircraft State and Parameter Estimation Problems. In: Proceedings of fhe 10th IFAC Symposium on System Identifiation, vol. 3, pp. 61–66 (1994) 5. Groszkiewicz, J.E., Bodson, M.: Flight control reconfiguration using adaptive methods. In: Proceedings of the 34th Conference on Decision & Control, New Orleans, LA, December 1995. IEEE, Los Alamitos (1995) 6. Hajiyev, C., Caliskan, F.: Fault Diagnosis and Reconfiguration in Flight Control Systems. Cooperative Systems, vol. 2. Kluwer Academic Publishers, Dordrecht (2003) 7. Huisman, H.O.: Fault tolerant flight control based on real-time physical model identification and nonlinear dynamic inversion. Master’s thesis, Delft University of Technology, Faculty of Aerospace Engineering, Control and Simulation Division, June 20 (2007) 8. Jategaonkar, R.: Flight Vehicle System Identification: A Time Domain Methodology, 1st edn. Progress in Astronautics and Aeronautics Series, vol. 216. AIAA (2006) 9. Jones, C.N.: Reconfigurable flight control first year report. Technical report, Control Group Department of Engineering, University of Cambridge (2005) 10. Kale, M.M., Chipperfield, A.J.: Stabilized mpc formulations for robust reconfigurable flight control. Control Engineering Practice 13, 771–788 (2004) 11. Laban, M.: On-Line Aircraft Aerodynamic Model Identification. Ph.D. thesis, Delft University of Technology (May 1994) 12. Lombaerts, T.J.J., Chu, Q.P., Mulder, J.A.: Lecture Notes AE4-301, Automatic Flight Control System Design. Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (January 2005) 13. Lombaerts, T.J.J., Chu, Q.P., Mulder, J.A., Joosten, D.A.: Real time damaged aircraft model identification for reconfiguring control. In: Proceedings of the AIAA AFM conference, number AIAA-2007-6717, Hilton Head, SC (August 2007) 14. Maciejowski, J.M.: Modelling and predictive control: Enabling technologies for reconfiguration. Annual Reviews in Control 23, 13–23 (1999) 15. Mulder, J.A.: Design and evaluation of dynamic flight test manoeuvers. PhD thesis, TU Delft, Faculty of Aerospace Engineering (1986) 16. Mulder, J.A., Chu, Q.P., Sridhar, J.K., Breeman, J.H., Laban, M.: Non-linear aircraft flight path reconstruction review and new advances. Progress in Aerospace Sciences, PIAS 35, 673–726 (1999) 17. Mulder, J.A., van Staveren, W.H.J.J., van der Vaart, J.C., de Weerdt, E.: AE3-302 Flight Dynamics, Lecture Notes. Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (January 2006) 18. Ostroff, A.J., Bacon, B.J.: Enhanced ndi strategies for reconfigurable flight control. In: Proceedings of the American Control Conference, Anchorage, AK, May 8-10 (2002) 19. Ramakrishna, V., Hunt, L.R., Meyer, G.: Parameter variations, relative degree, and stable inversion. Automatica 37, 871–880 (2001) 20. Reiner, J., Balas, G.J., Garrard, W.L.: Flight control design using robust dynamic inversion and time-scale separation. Automatica 32(11), 1493–1504 (1996) 21. Slotine, J.-J.E., Li, W.: Applied Nonlinear Control. Prentice Hall, Englewood Cliffs (1991) 22. Stevens, B.L., Lewis, F.L.: Aircraft Control and Simulation, 2nd edn. Wiley Europe, Chichester (2003)
Chapter 14
A Combined Fault Detection, Identification and Reconfiguration System Based around Optimal Control Allocation Nicholas Swain and Shadhanan Manickavasagar
14.1 Background The approach to the fault tolerant control problem presented here is based on many years of research into the topic. The primary focus of this research has always been military combat aircraft, though the application to a civil transport platform has proved useful to further enhance the algorithms for both civil and military application.
14.1.1 Control Allocation The research began by considering the problem of controlling aircraft with multiple redundant control surfaces, both with and without failures. A standard control system will try to control the rotational rates or attitudes using the control surface deflections to give the right combination of roll, pitch and yaw moments. An individual control surface will, in general, create moments in all three rotational axes (roll, pitch and yaw), and so the generation of a combined roll, pitch and yaw demand requires a balanced combination of control surface deflections. A conventional aircraft layout tends to have a simple arrangement of flight control surfaces. Typically these will consist of symmetrically-coupled tail-plane or trailing edge surfaces for pitch control, asymmetrically-coupled trailing edge surfaces for roll control and a rudder for yaw control. This arrangement makes the flight control task easier since the control allocation can be assumed to be decoupled with control of each rotational axis being assigned to a distinct set of surfaces. For modern and Nicholas Swain QinetiQ, The Enclave, Bedford, MK44 2FQ, United Kingdom e-mail:
[email protected] Shadhanan Manickavasagar QinetiQ, Cody Technology Park, Farnborough, GU14 0LX, United Kingdom e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 399–422. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
400
N. Swain and S. Manickavasagar 3 controls
6 controls 5000
Pitch Moment
Pitch Moment
5000
0
−5000 −5000
0 Roll Moment
5000
0
−5000 −5000
0 Roll Moment
5000
Fig. 14.1 Illustration of the attainable moments for a 2 dimensional moment demand with 3 (on the left) and 6 (on the right) control surfaces
future aircraft the design drivers often require a less conventional layout, perhaps with multiple trailing edge surfaces and no tail-plane or rudder. Such arrangements mean that traditional approaches to control allocation are no longer ideal or, indeed, possible, thus an alternative approach is necessary. With multiple (more than three) control surfaces, each capable of generating moments in each rotational axis, there is, in general, an infinite number of combinations of control surface deflections that meet a given set of moment demands. It seems natural in this situation to seek a ‘best’ combination of deflections from the multiple (infinite) solutions to the control allocation problem. This, in turn, suggests the use of some form of optimisation method. Initial work looked at an existing approach to this problem developed by Durham, who had been working on a technique called direct control allocation (DCA) [1]. This approach was concerned with identifying the point where a vector intersected the surface of a convex hull. The convex hull represented the attainable moment set generated under the assumption of a linear transformation between the set of achievable control surface deflections and the set of moments produced. The method employed by Durham searched around the outside of the convex hull to identify the point at which a vector (representing the moment demands) intersected this hull. This approach was effective with a small number of control surfaces, and a working system which accommodated both rate and position limits of the available control surfaces was quickly developed. With this system, optimal control that extracted maximum performance in both the nominal cases (when all the surfaces were available) was demonstrated. When one or more surfaces had failed, the optimal control allocation helps to minimise the impact of the failure [2]. As can be easily appreciated, the mapping from the set of control surfaces to the set of attainable moments becomes much more complex as the number of control surfaces increases, and consequently the associated convex hull becomes much more complex. Fig. 14.1 shows two example mappings from attainable control deflection sets to a two dimensional attainable moment. In the first case, with only three
14
A Combined FDIR System Based around Optimal Control Allocation
401
control surfaces, the attainable moment set is fairly simple, being the projection of a cube onto the plane producing an attainable moment set bounded by a hexagonal convex hull. However, it can be seen in Fig. 14.1 that, even with as little as six control surfaces, mapping the convex hull can become very complex. This means that even with a modest number of control surfaces, the original DCA algorithm is computationally expensive and thus is not practical for real-time simulation. Therefore, an alternative method of identifying the intersection of the demand vector and the boundary of the attainable moment set was developed. This alternative approach was based on the simplex linear programming technique originally developed by Dantzig [3]. The advantage of this approach was that the algorithm was significantly faster than the original DCA algorithm. Additionally the computational cost with the new algorithm increased in an approximately linear fashion with increasing number of control surfaces, as opposed to the exponential increase of the original algorithm. By implementing this modified DCA algorithm it was possible to create a real-time system that was practical for simulation testing. The method was tested on a combat aircraft conceptual design, with and without failures, and the performance was compared against more conventional control allocation strategies [4, 5]. This testing demonstrated the potential performance benefits of using an optimal control allocation method that made best use of the available control surfaces. Though the initial testing of the modified DCA algorithm was very promising it soon became apparent that the linear programming optimisation method was not flexible enough to enable more complex designs to be developed. Specifically there were two main problems: • the three components of the moment demand could not be independently considered (and weightings applied to allow trade-off between roll, pitch and yaw) • it was not possible to add secondary requirements into the optimisation such as minimising overall surface deflections to improve drag or radar cross-section These two issues suggested the introduction of a quadratic cost function. Since the linear programming technique was no longer applicable, the move to a quadratic programming technique was investigated. There are many existing quadratic programming techniques available of which a method called active set optimisation was chosen as appropriate to the task [6]. A standard active-set algorithm was implemented in C using a combination of bespoke components and existing published algorithms [7]. Though the resulting algorithm worked as desired, there were again problems with real-time implementation due to its complexity. Through application of the algorithms on many different simulation models (including the benchmark aircraft from the GARTEUR action group) a refined algorithm has been developed that is more robust and has increased efficiency by using an optimisation algorithm that is tuned specifically to the control allocation problem. The result is an algorithm capable of calculating the optimal control surface deflections in real-time at appropriate frame rates (100Hz) on a model with a large number of surfaces (the implementation of the benchmark used in this research
402
N. Swain and S. Manickavasagar
assumes 20 independent control surfaces) and has been tested on systems with very modest computational power (see Section 14.1.3).
14.1.2 Fault Detection and Identification The control allocation algorithm assumes that it has access to various parameters that define the moment generation capability of the control surfaces, such as control surface position limits and control surface effectiveness. This information can be provided by look-up tables if the aircraft is assumed to never experience faults or failures. However, if it is assumed that a fault or failure is possible, then these parameters need to be updated in flight. Therefore, in parallel to the later developments of the DCA algorithms (especially the version based on quadratic programming), there has been research into approaches to estimate these parameters online. This adds fault detection and identification (FDI) capabilities to the reconfigurable control system, thus creating a fault detection, identification and reconfiguration (FDIR) control system, or more generally a fault tolerant control (FTC) system. Various methods and algorithms have been tested in developing an appropriate FDI system. Initial developments looked at using online learning of the aircraft’s control effectiveness by employing neural networks. Previous work into the use of neural networks in FDIR was investigated, in particular the work of Napolitano [8, 9]. Napolitano had developed some enhanced neural network update algorithms and successfully applied them to fault detection, identification and reconfiguration, both in simulation and in flight. However, the neural networks performing the FDI were intrinsically embedded into the control system, which was contrary to one of the design drivers of the system being developed at QinetiQ. The system that QinetiQ was researching aimed to keep the ‘learning’ components of the FDIR system separate from the main control loop since it was felt that these components introduced reduced determinism and increased risk that could make clearance/certification a problem. By keeping them separate from the main control loop it is hoped that clearance of such novel flight control systems can be made less problematic by allowing increased visibility of how the system is adapting, and allow a firewall or monitoring system between the FDI components and the main control loop (see Fig. 14.2). For this reason the neural network approach of Napolitano was modified to separate the reconfigurable control task (that was to be handled by the DCA) and the FDI task (that was to be performed by distinct neural networks employing the Extended Back Propagation algorithms of Napolitano). The networks were extensively tested - various set-ups and configurations were tried. Though the networks were capable of identifying a parameter very well locally, they had problems in global identification (i.e. across the flight envelope). Thus the complex neural networks were abandoned in favour of an alternative, simpler approach that assumed that failures acted as a linear gain on the nominal control effectiveness (provided by a reference model). Changes in this gain were approximated using the time history of aircraft response relative to predicted response. This algorithm functioned very well with a high fidelity reference model and no
14
A Combined FDIR System Based around Optimal Control Allocation
403
Fig. 14.2 An FTC system with distinct adaptive/reconfigurable control loop and fault detection and identification system to enable safety monitoring of parameters detected in flight
sensor noise. But, as the reference model deviated from the ‘true’ performance of the model, and as sensor noise was introduced, the performance was greatly reduced; consequently, this approach proved to be impractical. In order to address this, a general survey of other techniques for online parameter identification was carried out. Kalman filters were identified as a possible way to increase robustness, by decreasing sensitivity to model uncertainty and sensor noise. A new FDI system that used a Kalman filter to identify a ‘mean’ gain on the control surface effectiveness was created. Testing proved that this approach had increased robustness, but with increased detection times. However, increased robustness and stability is felt to be more important in this identification task; if responsiveness proves to be an issue, then a dual system, which includes a fast component and a slower, more robust component, may need to be developed.
14.1.3 Software and Hardware Testing In order to understand and address implementation issues, the algorithms have been applied to many different models including a diamond-wing planform, tailless unmanned concepts and the ADMIRE (Aero-Data Model In Research Environment) model from FOI (Swedish Defence Research Agency). Additionally, the system has been tested with hardware-in-the-loop to investigate the issues of limited processing power, real life noise/interference and time synchronisation. Fig. 14.3 shows the hardware-in-the-loop test system as tested with the ADMIRE model [10].
14.2 Introduction A modern aircraft will have a range of possible force and moment generators that can be used to alter its trajectory. These shall be referred to as control effectors or more simply as controls. These control effectors can be anything that is able to generate a change in the total force and/or torque acting on the aircraft. Some examples are listed below but the list is not exhaustive • Moving flaps such as elevators, rudders ailerons, leading or trailing edge flaps • Moving aerofoils such as tailplanes, canards, twisting/morphing wings, moving wings or rotary wings/blades
404
N. Swain and S. Manickavasagar
• Other mechanical aerodynamic effectors such as spoilers, airbrakes, undercarriage • Thrust vectoring and differential thrust • Gyroscopic torque/force generators • Direct flow control In free flight, an aircraft (when considered as a rigid body) has six degrees of freedom: three translational and three rotational. It is typical to place a Cartesian axis system centred on a reference point in the aircraft with the x – axis pointing out through the nose of the aircraft, the y – axis aligned level with the wings and pointing out of the starboardside of the aircraft, and the z – axis pointing down through the underside of the aircraft. With six degrees of freedom, a generalised force acting on the aircraft can be resolved into six components: three forces acting in alignment with the x, y and z axes and three moments acting about these axes. In line with standard convention this summary shall refer to these as Fx , Fy and Fz for the forces Fig. 14.3 Hardware in the loop test system consisting of:- (1) A synthetic environment running the open-loop simulation model and a 3D visualisation being driven by the achieved servo deflections. Provides the sensor feedback to the flight control computer via serial connection. (2) Servo hardware arranged into the control layout of the ADMIRE aircraft. Servo demands come from the Flight control computer and achieved servo deflections are fed to the synthetic environment and back to the flight control computer. (3) Flight control computer based on PC104 small footprint computer architecture (running at 133 MHz). Flight control receives inputs from a pilot via RF receiver and sensor feedback from the synthetic environment via Serial connection. Full FTC components (NDI, DCA, Aero FDI and Actuator FDI) run in real-time on the hardware
14
A Combined FDIR System Based around Optimal Control Allocation
405
acting in the x, y and z directions respectively and L, M and N for the moments acting about the x, y and z axes respectively. By utilising the control effectors it is possible to create changes in the six forces and moments, each control having an effect on each of the forces and moments (these effects may be independent or coupled with the effect of the other controls).
14.3 Fault Tolerant Control System Overview The Fault Tolerant Control system is composed of several key components as illustrated below in Fig. 14.4. The core control is performed by a combination of NDI to perform dynamic inversion, and control allocation (referred to as Direct Control Allocation) to make optimal use of the control surfaces. This is supported by the Fault Detection and Identification (FDI) system, which consists of three subsystems. There are two parameter identification systems, the first of which is dedicated to identifying the actuator performance post-fault and the second to identifying changes in the aerodynamic effectiveness of each control surface. The third is the envelope protection system that identifies changes in the aircraft limits after failures have occurred.
14.3.1 Sensors The FDI system requires specific information to successfully identify faults that have occurred. In addition to the more typically available sensor data, information such as achieved actuator deflections, feedback for the Actuator FDI and rotational acceleration data for the NDI system have been included in the aircraft model. The achieved actuator deflection sensors are not necessarily utilised by current flight control systems but this information is often present within the actuator’s own internal control and could be made available to the FCS. Also, it may be uncommon to find rotational acceleration sensor data in legacy aircraft, but this could be a
Fig. 14.4 FTC System Overview
406
N. Swain and S. Manickavasagar
requirement for future aircraft, or it may be possible to derive appropriate rotational acceleration figures from other acceleration sensors.
14.3.2 Outer-Loop Controller/Autopilot The flight control system (FCS) on the benchmark model is classical in nature and comprises an integrated inner-loop and outer-loop control functionality. This FCS takes high-level demands as input, and outputs control surface deflection demands required by the aircraft to attain or maintain stable flight. However, to incorporate the proposed FTC system, the direct link between the autopilot and the actuators needed to be broken. It was then necessary to identify and generate rate demands that would be used as inputs to the NDI system in the place of the actuator demand outputs. A preferred approach would be to design the outer-loop controller such that it is completely separate from the inner-loop control functionality, which would enable the outer-loop controller to be naturally coupled with the NDI and DCA components of the FTC system. However, this approach was not taken to enable a more fair comparison against the benchmark model (since the nature of the outerloop controller can greatly change the way the aircraft responds or handles).
14.3.3 Non-linear Dynamic Inversion Non-linear Dynamic Inversion or NDI is used because of its simplicity in implementation and high performance. It has been successfully implemented on many aircraft models, demonstrating good flying qualities and stabilisation. Various forms of NDI have also been successfully applied in actual flight tests [11]. The essential principle behind NDI is to invert the non-linear equations of motion to provide a favourable response, particularly by avoiding cross-coupling effects between the rotational axes. The response of the aircraft will be as desired if the NDI controller is provided with perfect sensor feedback and if there is sufficient control power. However, even under situations of noisy sensors and non-instantaneous control response (due to actuator dynamics) NDI produces a very good response. The main strength is that, being based on the non-linear rigid body equations of motion, this control method does not need to be scheduled for different flight conditions as would be necessary when using linear control methods. As an example of how the NDI control system functions, consider the rotational equation of motion for the pitch axis of the aircraft q˙ =
M Ixz 2 (Izz − Ixx ) p − r2 + pr − Iyy Iyy Iyy
(14.1)
This relates the pitch acceleration q˙ to the pitch moment M, taking into account the inertial cross coupling of the roll rate p and yaw rate r. This form assumes that the aircraft has lateral symmetry such that the products of inertia Ixy and Iyz are zero [12].
14
A Combined FDIR System Based around Optimal Control Allocation
407
Equation 14.1 enables a relationship between a pitch acceleration demand q˙d and the pitch moment to be derived. However, rotational acceleration is not a practical parameter to control directly, it is far more useful for the inner-loop control to be driven by rotational rate demands such as qd . Therefore the NDI controller derives the pitch acceleration demand from the pitch rate demand such that q˙d = (qd − q)bq
(14.2)
where bq is a constant, referred to as the pitch bandwidth. The bandwidth is the only part of the derived control system that has to be tuned for the specific platform. If the bandwidth is set too low the response of the closed-loop system will be sluggish, whilst if it is set too high there is a risk of large-scale oscillatory transients in the response of the system. In practice, however, it is an easy task to set an appropriate value for the bandwidth for the chosen aircraft based on the size of the aircraft and the response rate of the actuation system. A complete control system for roll, pitch and yaw can easily be derived based on these simple concepts to create a simple but powerful control strategy [13]. The only deviation from the standard NDI implementation is the addition of limit blocks on the roll, pitch and yaw rate demands, and acceleration demands. These limit blocks were added to allow the envelope protection system to limit the demands placed on the aircraft.
14.3.4 Direct Control Allocation The general basis of the control allocation assumes that the change in moments produced by a change in surface position are based on a simple linear relationship ⎡ ⎤ ΔL Δ m = ⎣ Δ M ⎦ = BΔ u (14.3) ΔN where Δ m is the change in moment, Δ u is the change in surface deflection and B is a matrix whose components are defined as Bi, j =
∂ mi ∂uj
(14.4)
The matrix B is referred to here as the control effectiveness matrix. The control allocation is performed by a method referred to as Direct Control Allocation (DCA). This name is principally historical, based on the origins of the very early research carried out at QinetiQ [2]; a better name would be Optimal Incremental Control Allocation. The principal aim of the DCA is to take a change in moment demand from the dynamic inversion block and to make best use of the available control effectors to provide that demand, or at least minimise the error between what is demanded and what is achieved. This is illustrated in Fig. 14.5.
408
N. Swain and S. Manickavasagar
Fig. 14.5 The role of DCA. The demanded changes in moments (with suffix ‘dem’) are mapped to a change in control surface by the DCA block. The intention is that the achieved change in moments (indicated with the suffix ‘ach’) caused by the new surface deflections will be as close to the demand as possible
The specific role of the DCA is to find an optimal change in surface positions that minimises an appropriate cost function. The exact nature of the cost function used is dependent on the optimisation criterion that is chosen. It is perhaps obvious that minimising the change in control surface deflection used to meet a given demand is beneficial, since excessive changes in control surface deflection increase power requirements and actuator wear. However, testing with a control allocation algorithm that only minimises the change in surface deflection identifies a flaw with this approach. Though each change in surface deflection is minimised to require the smallest amount of actuator usage, the accumulative effect with time of each individual change in surface deflection can lead to large control deflections where the individual surfaces can be cancelling out the effect of each other, and so providing no net benefit to the control of the aircraft. This is not acceptable since it increases the risk of surface saturation and can adversely affect the total drag or radar crosssection of the aircraft. For this reason an optimisation criterion called the biased minimum deflection criterion was proposed. Again, the basis of this criterion is to minimise the change in control surface deflection, but not relative to the current surface deflections. Instead the change in surface deflection is minimised about a surface deflection biased towards a preferred control surface deflection. This preferred deflection could simply be zero for all surfaces or could be chosen to optimise for a secondary effect such as reduction of drag or radar cross-section. The combined task of best meeting the change in moment demand whilst minimising the change in deflection relative to a preferred deflection can be formulated as a quadratic programming task of the form, 1 min C = ν H ν + f ν ν 2
(14.5)
subject to an equality constraint (that encompasses the change in moment demand) Aν = 0
(14.6)
and an inequality constraint that accounts for the position and rate limits of the actuators ν L ≤ ν ≤ νU (14.7)
14
A Combined FDIR System Based around Optimal Control Allocation
409
There are many ways to solve such a quadratic programming problem. The DCA algorithm uses an active set method approach that has been formulated for the specific task to increase computational efficiency. Since H in (14.5) is positive definite then the cost function is convex and so there is a unique solution. The algorithm will generally find this minima in a few iterations (generally less than or equal to the number of control effectors). In a few rare situations the algorithm will run on beyond this and it can enter a cycle. Though, theoretically, this cycle can continue indefinitely in practice it is easy to guard against. In this state there is generally only slight variation in the value of the cost function and for the real-world control allocation problem it is acceptable to use a very near optimal solution (sensor noise and disturbances are likely to be far more significant than a small variation away from the optimal solution). The function of the DCA algorithm can be seen in Fig. 14.6.For this illustration, total moment rather than change in moment is being tested, and the demand is only for roll and pitch moment (i.e. yaw moment demand is ignored) since it is easier to visualise what is happening in the two dimensional case. Additionally, in this case, the results are based on a subset of nine of the controls surfaces from the benchmark model (two ailerons, four spoilers, two elevators and the stabiliser), with surface effectivenesses and surface deflection limits sampled at a single flight condition. Fig. 14.6 shows the output of three control allocation schemes to a range of different moment demands as indicated by the circle (labelled ‘Moment Demand’). For any given point on the moment demand locus, each allocation scheme will generate a set of control surface deflections that will generate an achieved moment. Ideally the demanded surface deflections will generate the required moment demand, however the surface deflections are bounded by the actuator deflection limits and so the demand is not necessarily achievable. The three traces (for DCA and two basic control allocation schemes BCA1 and BCA2) show the respective loci of moments achieved for three different control allocation schemes in response to different moment demands that generate the Moment Demand locus. DCA is the optimal control allocation algorithm that is the basis of the FTC system being presented here. BCA1 is a simple allocation scheme that assigns each surface a distinct role for delivering either roll or pitch moments (in this case the two ailerons and four spoilers are used for roll control and the two elevators and the stabiliser are used for pitch control). The strategy utilised in BCA1 is very simple, but is similar to control allocation approaches on many production and experimental aircraft, especially when the control allocation task is embedded in the overall inner-loop control task. BCA2 is a slightly more sophisticated version of BCA1 that makes use of the actuator position limits. It can be easily seen that the DCA produces a significantly larger proportion of the moment demand for the majority of possible demands. BCA1 and BCA2 both produce much smaller proportions of the moment demand, though BCA2 does cover a slightly larger area that suggests better performance. However, there is a small region where the achieved moment is larger than the demanded moment, which is unlikely to be acceptable. The reason this occurs is that both BCA1 and BCA2 assume that an individual surface only generates moments in one of the two axes i.e. the ailerons and spoilers
410
N. Swain and S. Manickavasagar
6
5
x 10
4 3
Pitch Moment (N.m)
2 1 0 −1 −2
Attainable Moments Moment Demand DCA Achieved BCA1 Achieved BCA2 Achieved
−3 −4 −5 −14
−12
−10
−8
−6
−4 −2 Roll Moment (N.m)
0
2
4
6 6
x 10
Fig. 14.6 A comparison of the moment generation capability of several control allocation schemes.
only generate roll moments and the elevators and stabiliser only generate pitch moments. In reality, all surfaces will generate some moments in all rotational axes, and it is the fact that these additional effects have been ignored that allows the achieved moments to exceed the demands. Again, it is quite common for these secondary moment generation effects to be ignored in existing control allocation strategies except in certain specific cases such as the roll-yaw coupling of rudders. The shaded region in Fig. 14.6 indicates the total set of attainable moments for combinations of control surface deflections within the limits of the actuator position limits (this region being the convex hull, similar to that illustrated in Fig. 14.1). It can be seen that DCA spans the entire shaded region that lies within the loci of moment demands. This indicates that DCA is generating the maximum attainable moments for any given demand, as should be expected from an optimal control allocation scheme. The Control Allocation algorithm is dependent on several pieces of information being provided. The required inputs for the control allocation algorithm are: • • • • •
Demanded changes in roll pitch and yaw moments Control deflections Control effectiveness matrix Control rate limits Control position limits
The first of these is provided by the dynamic inversion component of the control system and the second is provided by position sensors. The final three are not easily obtained. In the nominal case, values for these three inputs can be generated from
14
A Combined FDIR System Based around Optimal Control Allocation
411
knowledge of the actuator dynamics (for the positional and rate limits) and from a reference model or schedule (for the effectiveness matrix). However when the aircraft is damaged, some or all of this information will be different from the nominal case and so it is desirable to ascertain the new values of these inputs. The higher the accuracy of this new information, the more efficient and accurate the control allocation can be. The identification of this information is the role of the FDI system, which consists of two main components referred to as aerodynamic FDI and actuator FDI.
14.3.5 Aerodynamic FDI The task of identifying accurately the control effectiveness of each surface to produce moments in each of the three rotational axes (and forces in each of the linear axes) is the biggest challenge of the current Fault Tolerant algorithms. Essentially, it is an online parameter identification system working in real-time using limited information to infer values for a large number of parameters. This is a very difficult task and so, in the past, people have avoided this route by trying to limit the types of faults that are covered by the FDI system. Also, on detecting a failure, many systems require that predetermined inputs are applied to the surfaces to isolate the effects of a given control(s) to aid the identification process. This, unfortunately, would require the aircraft to stop its current role, adopt a straight and level flight condition (or at the very least a benign manoeuvre) and consume time to go through the identification process. This would have a negative impact on task or mission performance and may put the aircraft unduly at risk. Therefore it was the aim to try to create algorithms that were capable of detecting ‘any’ faults applied to the surface in a quick and accurate fashion, without the need for post failure identification routines that apply predetermined inputs. The current system is based on a Kalman filter [14]. Kalman filters are most commonly used for state estimation of dynamic systems when the signals are noisy and when some states are unobservable. However, Kalman filters are also employed for system identification, which is the role they adopt in this system. The system assumes that the change in aerodynamic effectiveness of a given control effector can be represented as a gain on the surface effectiveness predicted by an online reference model and that the same gain applies for all the moments (and forces) such that ∂m ∂m = λi (14.8) ∂ ui estimated ∂ ui re f erence where λi is the surface effectiveness of the ith control effector, ui is the deflection of the ith control effector and m is the moment vector. If no failure has occurred and there is a perfect reference model then the surface effectiveness gains are expected to be unity. An imperfect reference model or sensor noise will mean that the value of λ will vary even when there are no failures. Since the effectiveness values that form the reference model are also used to drive the DCA component, then this variation
412
N. Swain and S. Manickavasagar
Fig. 14.7 Estimation of force and moment errors and change in force and moment errors
in λ is used to correct for errors in the reference model, but there is an assumption that such variations are small. It is only in the presence of failures that the values of λ are assumed to greatly vary from unity. The advantage of this approach is that, although the error is modelled as a linear relationship, the reference model can account for non-linearity in the aircraft aerodynamics. As long as the percentage loss of effectiveness is not highly sensitive to flight condition, the gain will not change rapidly with time. The obvious exception to this is when a failure occurs. At the time of the failure a step change in one or more of the effectiveness gains is assumed. If the error between the reference model and actual aircraft is large and highly non-linear then the above assumptions will no longer be valid. For this reason a reasonably accurate model is required.
Fig. 14.8 Calculation of surface effectiveness lambda values
14
A Combined FDIR System Based around Optimal Control Allocation
Left Inboard Aileron
1
1
0.8
0.8
0.6
0.6
λ
λ
Right Inboard Aileron
0.4
0.4
0.2
0.2
0 0
50
100 150 Time (s)
200
0 0
250
1
1
0.8
0.8
0.6
0.6
0.4
0.4
0.2
0.2 50
100 150 Time (s)
200
No Failure Case Failure Case 50
100 150 Time (s)
200
250
Left Outboard Aileron
λ
λ
Right Outboard Aileron
0 0
413
250
0 0
50
100 150 Time (s)
200
250
Fig. 14.9 Reduced Control Surface Effectiveness
The structure of the system is illustrated in Figs. 14.7 and 14.8. The Kalman filter uses errors in the predicted change in forces and moments to estimate a gain on the surface effectiveness for each surface. This gain is zero when there are no failures (since the system is based on change in forces and moments) and so λ values are equal to the output of the filter plus one. The filter uses an error generated between the estimated forces and moments that the aircraft has currently acting on it and the forces and moments predicted by the reference model for the current flight condition. The achieved forces and moments are calculated by inverting the rigid body equations of motion though this is only approximate when the incoming sensors signals are noisy. Fig. 14.9 shows the results for a fault of a 40% reduction in the control surface effectiveness of the left outboard aileron. It can be seen that the control surface effectiveness for the first three ailerons, are at its nominal level (i.e. close to 1) where a slight deviation can be seen in the measure of the control effectiveness. As discussed earlier in the section, this can be attributed to small discrepancies within the reference model and noise in the signals. However, for the left outboard aileron, the control surface effectiveness shows a larger difference due to the fault and settles out at approximately 55%. The nominal control surface effectiveness of this surface is approximately 90%. In comparison to the reduced control surface effectiveness, results in a decrease of 39% which shows both an accurate detection and identification of the fault. The reduced control surface effectiveness takes a
414
N. Swain and S. Manickavasagar
significant length of time to settle out. In order to increase the robustness of the FDI component the Kalman Filter has its sensitivity set at a fairly low level. There is always a trade-off to be made between robustness and sensitivity but the overall response time of the system could be increased by a higher fidelity reference model or better sensors. This said, the current system seems to fly well in most failure cases due to an inherent robustness within the inner-loop control. If it is required to increase overall detection times of aerodynamic faults then it may be necessary to modify the sensitivity of the FDI algorithm. This may be possible with a two component aerodynamic FDI system that consists of a fast component with low authority and a slower component with higher authority.
14.3.6 Actuator FDI The actuator parameter identification is a much simpler task than the control effectiveness identification task. Each actuator is a single input, single output (SISO) system with a few key parameters defining the performance, such as rate limits and position limits. As for the aerodynamic faults, the FDI system for the actuator faults requires some reference model of each actuator’s dynamics. This is much easier to obtain as the dynamics of actuators are easily modelled. One new feature present in the benchmark model that had not been addressed in previous testing was variable position limits based on flight condition. In the benchmark each surface has hard limits that are set by the maximum travel of the actuator, as is the case in simpler simulation models of actuator dynamics. But the aerodynamic loading on individual surfaces based on flight condition can mean that there is insufficient hydraulic power to attain the maximum deflection, thus the benchmark model also incorporates aerodynamic limits that vary with height and Mach number. The existence of these variable aerodynamic limits could be ignored by the actuator FDI system. In this case, the reduced limits would be identified by the system but would be assumed to arise from faults, which could mean that future control deflection demands are artificially restricted by the DCA system. Therefore the variable limits were added to the actuator reference model such that, before any failures occur, the DCA uses the full deflection range (limited by current aerodynamic limits if necessary). After an actuator failure or fault has occurred the detected reduced limits are used. Fig. 14.10 illustrates the actuator FDI system. By comparing sensor feedback of achieved surface deflections against those predicted by the reference models, an error signal is generated. It is assumed that the actuator dynamic faults are in position and rate limits only, this being the information used by the DCA scheme. An upper and lower position limit and an upper and lower rate limit are monitored, therefore a total of four parameters are identified for each actuator. Additional information (such as damping and frequency) could be included, but research suggests that, for control allocation, little benefit is gained from higher-order accuracy.
14
A Combined FDIR System Based around Optimal Control Allocation
415
Fig. 14.10 Schematic of Actuator FDI System
Though simple, this system can detect many different faults such as: • Control restrictions caused by a loss of hydraulic power or a physical restriction on the surface due to damage or icing will be detected as a change in the upper and/or lower limits to new, non-equal values. • Surface jams caused by total failure of a stepping actuator or physical restriction. Detected as a change of upper and/or lower position limits to new, equal, values. • Reduced rate limits due to partial loss of actuation power. Detected as new upper and/or lower rate limits. • Surface runaway caused by an error in the signal driving the actuator or an internal malfunction in the actuator. Detected initially as a change in upper and lower rate limits to the same value (that being the rate at which the surface is ‘running’ away). Once the actuator has saturated, the fault will change to the surface jam case. In the case of physical damage that causes the surface to become disconnected from the actuator (and possibly in the case of a total loss of hydraulic power), the surface will float freely. How this fault is detected depends on what signal is fed back to the actuator FDI system; either surface deflection or actuator deflection. In the former case the actuation system could detect the failure as zero upper and lower rate limits, but it would not detect the latter case. However, a floating surface tends to have a greatly reduced aerodynamic effect on the aircraft dynamics, and so the latter case could be detected as an aerodynamic fault rather than an actuator fault. There are other possible actuator failures such as oscillatory errors, offsets and intermittent sticking. These failures are not accommodated by the current actuator FDI system since such failures have not been a feature of any simulation models investigated to date. The system could be augmented to accommodate these failures with an extension to the logic within the actuator FDI algorithm or by separate preprocessing of the actuator errors. Fig. 14.11 shows the time history of two aileron surface deflections subject to a fault (control restriction of control surface deflection of ±5 degrees) at 0 seconds. A bank angle demand is used as an input to excite the control surfaces. The actuator FDI system accurately detects and identifies the fault after 0.29 seconds of it reaching the 5 deg deflection limit for the right outboard aileron. It can be seen that
416
N. Swain and S. Manickavasagar Right Inboard Aileron Aileron Deflection (deg)
Aileron Deflection (deg)
Right Inboard Aileron 20 10 0 −10 −20 0
10
20
30
40
6 5.5 5 4.5 4 22
50
10 0 −10
Surface Demands Surface Achieved Position Limits
−20 −30 0
10
20 30 Time (s)
40
23
23.5
24
Right Outboard Aileron
20
Aileron Deflection (deg)
Aileron Deflection (deg)
Right Outboard Aileron
22.5
50
6 5.5 5 4.5 4 21
21.2
21.4 21.6 Time (s)
21.8
22
Fig. 14.11 Control Restriction on Aileron Deflection (Right-hand plots show detail of left hand-plots)
the actuator position limits are reduced to the aileron control restriction limits (of ±5 degrees) which ensures that the new deflection limits are used by the DCA. It takes 0.45 seconds before the upper position limit for the right inboard aileron is reduced compared to the 0.1 seconds detection time for the right outboard aileron. The delay in detection time can be attributed to the sensitivity of the algorithm being limited by specified tolerances that allow greater robustness in the presence of noise. The noisier the system the lower the sensitivity will be, if higher sensitivity is required then a change in the sensor suite would be necessary either through using less noisy sensors or introducing redundancy in the sensors to allow better approximation of the true signal. However, the small delays in detection time seen here are not significant to cause a problem in maintaining control of the aircraft.
14.3.7 Flight Envelope Protection When a control system is designed for a platform, limits are normally placed on the demands coming into, or contained within, the inner-loop and outer-loop controllers. These limits are introduced to protect the structural integrity of the platform and to prevent loss of stability or departure. Modern aircraft can have what is called ‘carefree’ handling, where it is impossible (or at least, should be impossible) to overstress the platform or cause departure. If an aircraft experiences some sort of fault or failure then the limits proposed for the undamaged aircraft may no longer be valid. In this case new limits should be used, but the values for the modified limits will be highly dependent on the failure(s) that have occurred. An on-line system is necessary to identify modified limits to try
14
A Combined FDIR System Based around Optimal Control Allocation 4 3.5
25 Roll Control Gain
Bank Angle Demand Limit (deg)
30
20 15 10 5 0 40
417
3 2.5 2 1.5 1 0.5
45
50 Time (s)
55
60
0 40
45
50 Time (s)
55
60
Fig. 14.12 Flight envelope protection output for bank angle demand limit and roll control gain in presence of failure (at 50 seconds)
and maintain ‘carefree’ handling. This is the aim of the flight envelope protection (FEP) component of the FDI system. Ideally the FEP system will be able to perform online stability and control assessment of the damaged aircraft’s flying qualities across the flight envelope or, at the very least, at the current flight condition. Additionally, to protect the structure, online stress analysis would need to be performed for various aerodynamic loadings to identify the integrity of the platform. Obviously this involves a huge amount of computational capability to perform in real-time and so is currently impractical. Research into FEP is still underway to find practical methods of approximating the new limits online but a basic system has been developed using a combination of heuristics and interpolation/extrapolation of offline assessment results. The current system that has been developed has two main components: the health and inner-loop limit estimation system, and the outer-loop limit estimation system. The health system calculates a percentage health for each of the three rotational axes based on the platform’s current ability to deliver moments in that axis. This takes into consideration loss of control surface effectiveness, reduced rate limits and control surface saturation. The current health for each of roll, pitch and yaw is used to set limits for the inner-loop rate control system (the NDI component). In the current system, the demands on rotational rate, rotational acceleration and the rate control bandwidth are all limited. The values used for these limits decrease as the health in the respective channel (roll, pitch or yaw) decreases. There are two levels of limit applied: the recovery limit and the reinforcement limit. The recovery limit is applied if the current rotational rate demand is tending the aircraft back towards steady-state, whilst the reinforcement limit is applied if the rotational rate demand is moving the aircraft further away from steady-state. These two limit levels can be set at the same value, but testing suggests that the reinforcement limit should be lower than the recovery limit thus allowing more conservative limits on demands that could increase the risk of departure, whilst not reducing the aircraft’s ability to reach, or recover to, steady state. The outer-loop estimation system uses the failure information from the other FDI system components to identify limits for the demands in the outer-loop control such
418
N. Swain and S. Manickavasagar
as bank angle, angle of attack, speed, linear acceleration and height rate. These are all higher order effects whose limits are not directly linked to the moment generation ability of the aircraft but are more to do with preserving stability. It is not currently possible to calculate these values online due to the high computational cost, but research is currently looking for appropriate means to estimate these limits online. In the meantime, a system based on offline assessment has been developed. Various failure cases were tested in simulation to identify appropriate limits on the outer-loop parameters, and a series of look up tables were generated. For partial failures the limits from the tables were interpolated from the non-failure and complete failure cases. For multiple failures the limits from the tables were extrapolated. The full system as outlined above was applied to a UCAV (Unmanned Combat Air Vehicle) concept as part of our research but time constraints have meant that a full version of the system has not been applied to the benchmark model. However, testing with the benchmark has highlighted the importance of the flight envelope protection system, and a reduced system that limited the bank angle and roll rate demands was necessary to prevent departure (see El-Al benchmark example in 14.4.3). The Fig. 14.12 illustrates the output from the simplified FEP system implemented on the benchmark model. The time history is for the full El-Al failure case, with the failure occurring at 50 seconds. The FEP system is specifying a limit for bank angle demand and a gain for the roll rate demands between the autopilot and the innerloop control. Before the failure occurs the limits remain at their nominal values (29 degrees and 3 respectively). After the failure has occurred the parameters reduce over a period of about 1.8 seconds to reach the post-failure values of approximately 14 degrees and 1.5. The reduction is not instantaneous, since the failure detection system takes a finite time to identify the nature of the failure and the output from the FEP system changes as the various failed actuators are identified.
14.4 Benchmark Tests Presented here are the results from three tests with the full benchmark model, one with a longitudinal control failure, one with a lateral control failure and the final case is the results from testing with the full El-Al failure.
14.4.1 Longitudinal Control Failure Test Fig. 14.13 provides time histories for selected states in phase 1 (straight and level flight) of the benchmark trajectory. There are two time histories overlaid, one is the case with no failure, in the other the stabiliser starts to runaway at 40 seconds. The stabiliser deflection increases at approximately 0.5 degrees per second until hitting its upper limit at 50.1 seconds (running from -2.04 degrees, the deflection at 40 seconds, and running to 3 degrees, the upper limit for the stabiliser). It can be seen that the time histories are very similar though there are a few differences in the longitudinal response. There is a very small adjustment in the speed during the time that the stabiliser takes to run away. Height also deviates from the no failure case but
A Combined FDIR System Based around Optimal Control Allocation
0.01 0 −0.01 −0.02 0
50
90.01 90.005 90 89.995 89.99 0
100
93
50
0.01
0 −0.005 −0.01 0
100
92.6 92.4 92.2 0
5.8 5.6 5.4 0
50 100 Time (s)
50
100
981 Height (m)
92.8
419
0.005
6 AoA (deg)
Speed (m/s)
Sideslip (deg)
0.02
Heading (deg)
Bank angle (deg)
14
980 No Failure Failure
979 978 0
50 100 Time (s)
50 100 Time (s)
Fig. 14.13 Time history for the longitudinal failure case, stabiliser runaway occurring at 40 seconds. The time history for the case with no failure is provided for comparison
only by a few centimetres. The most marked difference is in angle of attack. With the displacement of the stabiliser the trim condition is at a slightly increased angle of attack. Overall, though potentially very problematic, the stabiliser runaway is handled with practically no noticeable effect on the response of the aircraft.
14.4.2 Lateral Control Failure Test Fig. 14.14 provides the time history for a test with a loss of the vertical tail before entering phase 3 of the benchmark tests (right-hand turn and localiser intercept). The failure occurs at 20 seconds but has no noticeable impact on the response of 30
220
15
200 10
10
0
Sideslip (deg)
180 Heading (deg)
Bank angle (deg)
20
160 140
5
0
120 −10
−5 100
−20
0
50
100
150
200
80
250
94
9
93.5
8
0
50
100
150
200
−10
250
0
50
100
150
No Failure
7
Height (m)
AoA (deg)
Speed (m/s)
92.5
250
1100
Failure
1050 93
200
6
1000
950 92
91.5
5
0
50
100 150 Time (s)
200
250
4
0
50
100 150 Time (s)
200
250
900
0
50
100 150 Time (s)
200
250
Fig. 14.14 Time history for the lateral control failure case, loss of vertical tail occurring at 20 seconds. The time history for the case with no failure is provided for comparison
420
N. Swain and S. Manickavasagar
the aircraft until the turn is initiated to change the heading from 90 degrees to 210 degrees. It can be seen that the turn is performed in a controlled fashion but that the turn rate is lower than the case in which there is no failure. This is due to the flight envelope protection system requiring the reduction in bank angle limit to prevent departure. This is demonstrated in the full El-Al case next.
14.4.3 El-AL Case Fig. 14.15 illustrates the time-history of key states for the case with the full El-Al benchmark test failure. The failure is applied at 20 seconds. It can be seen that, particularly in the bank angle, sideslip and speed time-histories, the failure causes a disturbance that is successfully suppressed. The failed case settles into a flight condition with non-zero sideslip due to the loss of the two engines and the damage to the wing. It is possible that this sideslip could be removed by use of controls but the benchmark did not have sideslip suppression and so it was not included in the FTC version either. The aircraft starts to perform a right-hand turn from a heading of 90 degrees to a heading of 268 degrees at 200 seconds. The key point to note is that the time history for the failure case with FTC enabled but with no flight envelope protection departs shortly after starting the turn (most clearly seen in the angle of attack and bank angle plots). The simulation for this case ceased at 274 seconds when the aircraft state went out of bounds.
Fig. 14.15 Time histories for the full El-Al benchmark failure case. The Failure occurs at 20 seconds. The aircraft then performs a right-hand turn followed by a left-hand turn. Time histories of the no failure case and the failure case with no flight envelope protection are included for comparison
14
A Combined FDIR System Based around Optimal Control Allocation
421
The case with an active flight envelope protection system does not depart but, as in the lateral control failure case, has a lower turn rate. This is again due to the reduced limits from the FEP system that have limited the maximum bank angle demand and the roll rate control gain that reduces the demand entering the innerloop control system. After the aircraft has settled on a heading of 268 degrees a left-hand turn is demanded from a heading of 268 degrees to a new heading of 180 degrees at 400 seconds. This extra turn is added to test whether the port-wise turn performance is also acceptable since an asymmetric failure such as this can impact port-wise and starboardwise performance differently. The reduced bank angle has reduced the turn rate again but the aircraft is capable of making the turn and attaining the new heading. Altogether this time history demonstrates that the full FTC system enables even the extreme failure case of the full EL-Al scenario to be accommodated. After the failure the aircraft is still able to manoeuvre, accurately acquire new headings and would be able to proceed to and perform the landing. The time history for the case without the FEP system highlights the importance of having an active flight envelope protection as part of fault tolerant control.
14.5 Conclusion A system has been successfully developed for fault tolerant control based around non-linear dynamic inversion and optimal control allocation. This system has been extensively tested in simulation with different aircraft models including the El-Al 747 benchmark model used in the GARTEUR action group. This testing has demonstrated that the system provides excellent flying qualities without failures and allows a graceful degradation of performance if the aircraft experiences failures. The specific application to the benchmark model proved very useful since it features a validated model of a real-life failure case. The experience from this testing has allowed a more robust system to be developed. One key lesson from this research is the importance of a flight envelope protection system. The testing with the full El-Al failure case and the ‘loss of vertical tail’ case demonstrates that failures can mean that the nominal limits in the inner-loop or outer-loop control are no longer appropriate to prevent departure. In these cases it was necessary to reduce the bank angle demand limit and the roll gain limit to prevent the aircraft crashing. More extensive testing on other models has suggested that combinations of faults can require adjustment in several control limits, not only to prevent departure but also to maintain acceptable flying and handling qualities. Overall, the combined FDIR system based around optimal control allocation has allowed a full FTC system to be rapidly applied to various aircraft models, and has demonstrated the potential of FTC to improve aircraft safety. However, there is potential for improvements, especially in the aerodynamic and actuator FDI, and the flight envelope protection. It is the aim that these will be investigated in future research.
422
N. Swain and S. Manickavasagar
Acknowledgement. The work documented here is based on many years of research into Fault Detection, Identification and Reconfiguration, the vast majority of which was carried out on behalf of the Ministry of Defence. The authors would like to acknowledge the support and guidance of the Ministry of Defence and Defence Science and Technology Laboratories (DSTL) in this work.
References 1. Durham, W.C.: Attainable Moments for the Constrained Control Allocation Problem. Journal of Guidance, Control and Dynamics 17(6), 1371–1373 (1994) 2. Swain, N.J.N.: Developments in direct control allocation for aeronautical vehicles. Unpublished DERA report (September 1999) 3. Fraleigh, J.B., Beauregard, R.A.: Linear Algebra, 2nd edn. Addison-Wesley Publishing, Reading (1990) 4. Berry, A.J., Swain, N.J.N.: A comparison of several control allocation schemes for reconfigurable flight control. Unpublished QinetiQ report (July 2001) 5. D’Mello, G.W., Hegarty, S.A., King, J., Swain, N.J.N.: Reconfigurable control: A simulation study of flight control system tolerance to airframe battle damage and actuator failures. Unpublished QinetiQ report (March 2002) 6. Optimization Toolbox 3, Eighth Printing, Matlab User’s Guide (September 2007) 7. Press, W.H., Teukolsky, S.A., Vettering, W.T., Flannery, B.P.: Numerical Recipes in C. The Art of Scientific Computing, 2nd edn. (1992) 8. Napolitano, M.R., Neppach, C., Casdorph, V., Naylor, S., Innocenti, M., Silvestri, G.: Neural Network Based Scheme for Sensor Failure Detection, Identification and Accommodation. Journal of Guidance, Control and Dynamics 18(6), 1280–1286 (1995) 9. Napolitano, M.R., Neppach, C., Casdorph, V., Naylor, S., Innocenti, M., Silvestri, G.: Online Learning Neural Architectures and Cross-correlation Analysis for Actuator Failure Detection and Identification. International Journal of Control 63(3), 433–455 (1996) 10. Swain, N.J.N.: Research into Realisable Fault Tolerant Control. In: 19th Interantional Unmanned Air Vehicle Systems Conference (March 2004) 11. Smith, P.R., Berry, A.J.: Flight test experience of a non-linear dynamic inversion control law on the VAAC Harrier, AIAA-2000-3914 (August 2000) 12. Stevens, B.L., Lewis, F.L.: Aircraft Control and Simulation, 2nd edn. Wiley, Chichester (2003) 13. Smith, P.R., Burnell, J.J.: Non-linear dynamic inversion (NDI): a top down approach to control law design. Unpublished DRA Report (March 1994) 14. Kalman, R.E., Bucy, R.S.: New Results and Methods in Linear Filtering and Prediction Theory. Transactions of the ASME - Journal of Basic Engineering 83, 95–107 (1961)
Chapter 15
Detection and Isolation of Actuator/Surface Faults for a Large Transport Aircraft Andras Varga
15.1 Introduction In this chapter we address the problem of detection and isolation of actuator faults for a Boeing 747-100/200 from the perspective of fault tolerant control (FTC). The main goal of FTC is to allow, after a successful identification of faults, the application of appropriate control reconfiguration to ensure safe operation of the aircraft in the presence of identified failures or, in extreme cases, to guarantee a safe landing to the nearest airport. The most relevant faults for our analysis are related to four categories of primary control surfaces: elevator, stabilizer, rudder, and ailerons. In numerous studies, the occurrence of actuator faults for the Boeing 747100/200 aircraft has been addressed in a simplistic way, by assuming that all faults related to a surface category occur simultaneously [1, 2]. For example, it is usually assumed that all four elevators are simultaneously affected by the same fault or, equivalently, each elevator fault is assimilated with a global fault on all elevator surfaces. As a consequence, the typical approach to compensate for elevator faults is to use the stabilizer for the aircraft altitude control and ignore the possibility of employing, for the same purpose, the remaining healthy elevator surfaces. For the purpose of FTC, such a simplifying assumption of simultaneous elevator faults prevents exploiting the existing freedom in using healthy surfaces which could compensate (fully or partially) the disturbance induced by the faulty surfaces. This way of addressing the fault occurrence aspect is clearly not appropriate for the purpose of FTC, where precise information on the available healthy actuators/surfaces and faulty ones could be vital for an appropriate control reconfiguration. The existing redundancy in the control surfaces makes it easier to cope with Andras Varga German Aerospace Center, DLR - Oberpfaffenhofen Institute of Robotics and Mechatronics D-82234 Wessling, Germany e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 423–448. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
424
A. Varga
partial failures providing an increased overall safety. Thus, handling only complete surface failures is not a realistic option for FTC. In this chapter we focus on the design of residual generators with least dynamical orders to solve actuator fault detection and isolation problems for the Boeing 747-100/200 aircraft. The main result of our analysis is the proof of feasibility of the complete isolation of all primary actuator/surface faults in the nominal case by using a minimal number of additional surface angle sensors. The analysis of the nominal case provides residual filter specifications which can be employed in a more realistic design, where robustness aspects with respect to external noise (gusts, measurements) and parametric/flight condition uncertainties are also considered. The paper is organized as follows. First we briefly review the solution of the fault detection problem using scalar output detectors with least dynamical order. The corresponding design procedure is based on the nullspace method in combination with dynamic cover techniques. This method is the basis for the design of a bank of residual generators to solve the more involved fault detection and isolation problems, where a given fault-to-residual influence structure must be achieved. The design methods of residual generators for fault detection and isolation have been recently implemented as robust numerical software, which extends the Fault Detection Toolbox [3] of DLR. The new tools were used to study the feasibility of complete fault detection and isolation of actuator faults for a Boeing 747-100/200 aircraft. Fault detection both at component (actuator) level as well as at the system level are discussed. Residual synthesis results are presented for detecting and isolating both longitudinal and lateral axis failures for several influence structures of increasing complexity. The main result of our study is the solution of the complete isolation problem by employing a minimum number of additional surface sensors.
15.2 Design of Least Order Scalar Output Detectors Consider the linear time-invariant system described by the input-output relations y(s) = Gu (s)u(s) + Gd (s)d(s) + G f (s)f(s),
(15.1)
where y(s), u(s), d(s), and f(s) are Laplace-transformed vectors of the p-dimensional system output vector y(t), mu -dimensional control input vector u(t), m f dimensional fault signal vector f (t), and md -dimensional disturbance vector d(t), respectively, and where Gu (s), G f (s) and Gd (s) are the transfer-function matrices (TFMs) from the control inputs to outputs, fault signals to outputs, and disturbances to outputs, respectively. To detect faults, residual generator filters (or fault detectors) having the general form
y(s) r(s) = R(s) (15.2) u(s) are employed, where r(t) is the residual signal generated from the available measurements y(t) and control inputs u(t). A residual generator must fulfill two basic
15
Detection and Isolation of Actuator/Surface Faults
425
requirements: 1) to generate zero residuals in the fault-free case, for arbitrary control and disturbance inputs; 2) to generate nonzero residuals when any fault occurs in the system. These requirements can be made precise as follows: Fault Detection Problem (FDP): Determine a proper and stable linear residual generator having the general form (15.2) such that: (i) r(t) = 0 when f (t) = 0 for all u(t) and d(t); (ii) r(t) = 0 when fi (t) = 0, for i = 1, . . . , m f . In addition to the above requirements, it is often necessary for practical use that the TFM of the detector R(s) has the least possible McMillan degree. Note that as a fault detector, we can always choose R(s) as a rational row vector. The fulfilment of requirement (ii) ensures that faults produce non-zero residual responses. When designing fault detectors this requirement for fault detectability is usually replaced by the stronger request that persistent (constant) faults produce asymptotically persistent (constant) residuals. This requirement is known as strong fault detectability and has a special importance for practical applications [22]. Let G fi (λ ) be the ith column of G f (λ ). A necessary and sufficient condition for the existence of a solution of the FDP is the following [4, 5]: Theorem 15.1. For the system (15.1) the FDP is solvable iff
rank [ Gd (λ ) G fi (λ ) ] > rank Gd (λ ), i = 1, . . . , m f
(15.3)
The requirements (i) and (ii) of the FDP can be easily transcribed into equivalent algebraic conditions. Condition (i) is equivalent to R(s)G(s) = 0
where G(s) =
(15.4)
Gu (s) Gd (s) , 0 Imu
(15.5)
while the detectability condition (ii) is equivalent to R fi (s) = 0, i = 1, . . . , m f
(15.6)
where R fi (s) is the ith column of R f (s) := R(s)
G f (s) 0
(15.7)
Enforcing the strong detectability of constant faults is equivalent to ensuring finite non-zero DC-gains for each column of R f (s), i.e. 0 < R fi (0) < ∞, i = 1, . . . , m f (15.8)
426
A. Varga
Conditions (15.4) and (15.6) (or (15.8)) lead to a straightforward design procedure: FD Least Order Synthesis Procedure 1. Compute a minimal basis Nl (s) for the left nullspace of G(s). 2. Choose a rational vector h(s) such that R(s) = h(s)Nl (s) has least McMillan degree and fulfils (15.6) (or (15.8)). 3. If necessary, replace R(s) by m(s)R(s), where m(s) is chosen to achieve a desired dynamics for the resulting detector.
The scalar output detector R(s) at Step 2) is determined as a linear combination of the basis vectors (rows of Nl (s)), such that conditions (15.6) or (15.8) are fulfilled. The above expression for R(s) represents a parametrization of all possible detectors and is the basis for the class of nullspace methods introduced in [6]. While this work relies on using polynomial nullspace bases for Nl (s), an alternative approach relying on proper rational bases has been proposed by the author in [7]. The main advantage of this latter method is to rely exclusively on reliable numerical techniques based on state-space computations (see Section 15.4).
15.3 Solving Fault Isolation Problems The more advanced functionality of fault isolation (i.e., obtaining the exact location of faults) can be often achieved by designing a bank of fault detectors [8] or by direct design of fault isolation filters [9]. Designing detectors which are sensitive to some faults and insensitive to others can be reformulated as a standard FDP, by formally redefining the faults to be rejected in the residual as fictitious disturbances. Let R(s) be a given detector and let R f (s) be the corresponding fault-to-residual TFM in (15.7). We denote Rif j (s) as the (i, j) entry of R f (s). We define the fault signature matrix S, with (i, j) entry Si j given by Si j = 1 if Rif j (0) = 0 Si j = −1 if Rif j (0) = 0 and Rif j (s) = 0 Si j = 0 if Rif j (s) = 0 If Si j = 1 then we say that the fault j is strongly detected in residual i. If Si j = −1 then the fault j is only weakly detected in residual i. The fault j is not detected in residual i if Si j = 0. The following fault detection and isolation problem (FDIP) can now be formulated: Given a q × m f fault signature matrix S determine a bank of q stable and proper scalar output residual generator filters
15
Detection and Isolation of Actuator/Surface Faults
ri (s) = Ri (s)
427
y(s) , i = 1, . . . , q u(s)
(15.9)
such that, for all u(t) and d(t) we have: (i) ri (t) = 0 when f j (t) = 0, ∀ j with Si j = 0; (ii) ri (t) = 0 when f j (t) = 0, ∀ j with Si j = 0. In this formulation of the FDIP, each scalar output detector Ri (s) achieves an influence structure representing the ith row of the desired fault signature structure matrix S. For example, to achieve the complete isolation of a maximum of k simultaneous faults, the choice S = Ik is necessary. In many practical applications this strong isolation can not be achieved due to the lack of sufficient number of measurements. If we can assume that the faults occur one at a time, a so-called weak isolation of k faults could be possible by using a fault signature matrix whose ith row contains all ones except the element in column i which is zero. For example, for 3 faults S is chosen as ⎡ ⎤ 011 S =⎣1 0 1⎦ 110 If this fault signature specification can be achieved, then the occurrence of fault i can be detected if all residuals (excepting the ith residual) are non-zero. More insight into how to specify fault signature matrices can be found in [10]. i Let S be a given q × m f fault signature matrix and denote by Gf (s) the matrix formed from the columns of G f (s) whose column indices j correspond to zero elements in row i of S. The solvability conditions of the FDIP build up from the solvability of q individual FDPs. Theorem 15.2. For the system (15.1) the FDIP with given fault signature matrix S is solvable if and only if for each i = 1, . . . , q, we have i
i
rank [ Gd (s) Gf (s) G f j (s) ] > rank [ Gd (s) G f (s) ]
(15.10)
for all j such that Si j = 0. The standard approach to determine R(s) is to design for each row i of the fault signature matrix S, a detector Ri (s) which generates the ith residual signal ri (t), and thus represents the ith row of R(s). For this purpose, the nullspace method can be applied with G(s) in (15.5) replaced by # " i Gu (s) Gd (s) Gf (s) G(s) = Imu 0 0 i (s), formed from the columns of G f (s) and with a redefined fault to output TFM G f whose indices j correspond to Si j = 0.
428
A. Varga
The resulting global detector can be assembled as ⎡ 1 ⎤ R (s) ⎢ .. ⎥ R(s) = ⎣ . ⎦
(15.11)
Rq (s) and has a total McMillan degree which is bounded by the sum of the McMillan degrees of the component detectors. Note that this upper bound can be effectively achieved, for example, by choosing mutually different poles for the individual detectors. Using the least order design techniques described in this paper, for each row of S we can design a scalar output detector of least McMillan degree. However, even if each detector has the least possible order, there is generally no guarantee that the resulting order of R(s) is also the least possible one. To the best of our knowledge, the determination of a detector of least global McMillan degree for a given fault signature S is still an open problem. A solution to this problem has been recently suggested in [11] and is summarized in the following synthesis procedure: FDI Synthesis Procedure 1. For i = 1, ..., q a. Redefine disturbance vector d to include all faults f j for which Si j = 0. b. Redefine fault vector f by deleting all faults f j for which Si j = 0. c. Compute Ri (s) of order νi using the FD Least Order Synthesis Procedure. 2. Ensure that for νi ≤ ν j , the poles of Ri (s) are among the poles of R j (s). 3. Form the global detector R(s) according to (15.11).
It was conjectured in [11] that the McMillan degree of R(s) resulting from this procedure is the least possible one. We describe now an enhanced two step approach to design a bank of detectors, which for larger values of q, is potentially more efficient than the above standard approach. In a first step, we can reduce the complexity of the original problem by decoupling the influences of disturbances and control inputs on the residuals. In a second stage, a residual generation filter is determined for a system without control and disturbance inputs which achieves the desired fault signature. Let Nl (s) be a minimal left nullspace basis for G(s) defined in (15.5) and define a new system without control and disturbance inputs as y(s) := N f (s)f(s),
where N f (s) := Nl (s)
G f (s) . 0
(15.12)
(15.13)
15
Detection and Isolation of Actuator/Surface Faults
429
The system (15.12) has generally a reduced McMillan degree [12] and also a reduced number of outputs p − rd , where rd is the normal rank of Gd (s). For the reduced system (15.12) with TFM N f (s) we can determine, using the FDI Synthesis Procedure, a bank of q scalar output least order detectors of the form ri (s) = Ri (s) y(s), i = 1, . . . , q
(15.14)
such that the same conditions are fulfilled as for the original FDIP. The TFM of the final detector can be assembled as ⎡ 1 ⎤ R (s) ⎢ .. ⎥ R(s) = ⎣ . ⎦ Nl (s) (15.15) q R (s) Comparing (15.15) and (15.11) we have Ri (s) = Ri (s)Nl (s),
(15.16)
which can be also interpreted as an updating formula of a preliminary (incomplete) design. The resulting order of the ith detector is the same as before, but this two step approach has the advantage that the nullspace computation and the associated least order design involve systems of reduced orders (in the sizes of state, input and output vectors). The above procedure has been used for the example studied in [13, Table 2], where a 18 × 9 fault signature matrix S served as specification. Each line of S can be realized by a detector of order 1 or 2 with eigenvalues {−1} or {−1, −2}. The sum of the orders of the resulting individual detectors is 32, but the resulting global detector R(s) has McMillan degree 6. Interestingly, the “least order” detector computed in [13] has order 14.
15.4 Computational Aspects For the numerical computations, state space representation based algorithms have been developed to serve as a basis for robust software implementations. For this purpose, a state space realization of (15.1) is employed x(t) ˙ = Ax(t) + Buu(t) + Bd d(t) + B f f (t) y(t) =Cx(t) + Duu(t) + Dd d(t) + D f f (t)
(15.17)
with the n-dimensional state vector x(t). The corresponding TFMs of the model in (15.1) are Gu (s) = C(sI − A)−1 Bu + Du Gd (s) = C(sI − A)−1 Bd + Dd G f (s) = C(sI − A)−1 B f + D f
430
A. Varga
The FD Synthesis Procedure to design scalar output residual generators with least dynamical orders can be performed using the numerically sound computational approach proposed recently in [11]. This approach represents an enhancement of the minimal dynamic covers techniques introduced in [7], by employing Type I dynamic covers (instead of Type II covers) to achieve the maximal order reduction of the resulting detector. A basic computational ingredient to perform Step 1 is a reliable numerical algorithm to compute least order rational nullspaces of rational matrices using state-space methods [7]. The main computation in this algorithm is the orthogonal reduction of the system pencil matrix of the realization of G(s) in (15.5) to a Kronecker-like form, from which, practically without any additional computation, a least order rational nullspace basis can be obtained. The existence conditions of the solution (15.6) can be easily checked using the outcome of the nullspace computation algorithm [11]. The least order fault detector at Step 2 can be obtained by selecting an appropriate linear combination of the basis vectors by eliminating non-essential dynamics using Type I dynamic covers based order reduction [11, 14]. To perform Step 3, stable coprime factorization techniques can be used for which reliable numerical algorithms based on pole assignment techniques are available [15]. The efficient implementation of the enhanced FDI Synthesis Procedure requires an explicit updating of a preliminary design (15.16). State space realization based computations of N f (s) in (15.13) as well as of the resulting least order detectors Ri (s) in (15.16) are described in [12]. Remarkably, the matrices of the underlying state space realizations of N f (s) can be obtained using exclusively orthogonal transformations on the system matrices of the original state space realization (15.17). By using these updating techniques, any need to determine minimal realizations (e.g., in (15.13)) has been practically eliminated. For all underlying numerical computations, robust numerical software is available in the D ESCRIPTOR S YSTEMS Toolbox [16]. This software underlies the implementation of a first version of a the FAULT D ETECTION Toolbox [3], where several tools are available to solve the main classes of fault detection problems. The recently developed enhancements have been implemented in a new function fdsyn which is fully documented in [17].
15.5 Monitoring Actuator Failures The monitoring of primary actuator failures of an aircraft is of paramount importance for the safe operation and for the continuous situational awareness of the pilots. In this section we address the fault detection and isolation of all FTC relevant actuator failures by combining component level and system level fault monitoring techniques. The main goal of our analysis is to prove the feasibility of a complete fault diagnosis system capable of localizing individual or simultaneous actuator/surface faults. For our study we consider the Boeing 747-100/200 aircraft for which a high fidelity nonlinear simulation model with a full set of control surfaces is available. This
15
Detection and Isolation of Actuator/Surface Faults
431
model with 11 primary control surface actuators (4 elevators, 1 stabilizer, 4 ailerons, 2 rudders) has been set up within the GARTER FM-AG16 as a benchmark for FTC studies. The original model [18] with only pilot inputs has been used in several fault detection studies [2], with focus on various aspects mentioned in Section 1. For the Boeing 747-100/200 aircraft several fault scenarios are of particular interest. For example, the ability to detect single primary actuator faults is of critical importance, since it can be seen as part of the aircraft specification according to the requirements of FAA/FAR and EASA/CS. Thus a minimum request from the FTC perspective is the requirement that for modern aircraft design, no single failure leads to a catastrophic consequence. Simultaneous faults can also occur, especially when multiple surface damage occurs. The detection and isolation of simultaneous faults requires a more involved residual generation system and also the availability of a sufficiently large number of measurements. Although surface angle sensors can be installed on each control surface, an interesting aspect is to determine the minimum number of sensors necessary to completely solve the fault isolation problem. We give an answer to this problem by combining component level and system level fault monitoring. The main goal of our study of detectability and isolability of actuator/surface faults was to demonstrate the feasibility of FDI for a complete set of faults. The full isolation requires placing a minimum number of additional surface angle sensors. An interesting result of our study also reveals the best achievable isolation capabilities in the absence of additional sensors. Only the nominal case is studied corresponding to a normal cruise flight. The results obtained, consisting of several residual generators and the corresponding faultto-residual filter specifications, can serve as meaningful specifications for a more realistic design where input/output noise and uncertainties in the model parameters and flight conditions are also addressed. Finding the minimal number of additional sensors allowing the isolation of all surface faults is one of the main achievements of this study. In what follows, we show first the capabilities of component level monitoring, which is traditionally used on present day aircraft. The intrinsic limitations of this approach, for example, to detect surface failures leading to loss of effectiveness, require addressing the FDIP using system level monitoring. However, the system level approach has its own limitations due to the restricted number of available measurements, therefore full FDI is not possible unless additional surface sensors are used. As expected, the final solution of the FDIP is a combination of both approaches by employing a minimal number of sensors.
15.5.1 Component Level Monitoring Typically actuators are modelled as first order linear systems which together with the corresponding control surfaces have transfer functions of the form gu (s) =
K s+K
(15.18)
432
A. Varga
Here the value of K is determined taking into account the physical rate limits of the respective surface, and represents an average value applicable to all flight conditions. Typical choices for the Boeing actuators are: 37/(s + 37) for the elevators, 0.5/(s + 0.5) for the stabilizer, 50/(s + 50) for the ruders and ailerons. The task of the fault detection at the actuator level is to identify typical actuator faults like ‘stuck actuator’ (also called lock-in place failure), ‘actuator runaway’ (also called hard-over failure), ‘free-play’ (also called float-type failure), or loss of actuator effectiveness. In what follows we discuss some aspects of fault detection and isolation for a generic actuator. Consider the actuator model (15.18) for which we would like to design a fault detector able to identify the fault types mentioned previously. For this purpose, a simple detector which estimates the deviation of surface position on the basis of measured control surface position and commanded control surface position is given by the simple observer-like structure R(s) = 1 −gu (s) Note that the dynamics of the filter can be arbitrarily assigned by replacing R(s) with m(s)R(s), where m(s) is an arbitrary stable transfer function. With such a detector, an actuator fault can be easily detected by checking the condition r(t) = 0. The stationary value of the residual signal r(∞) can also be used to estimate the actual DC-gain of the actuator, say g0 , and thus the actuator effectiveness. Since g0 = 1 − r(∞), in the fault-free case we have g0 = 1. DC-gain values in the range [ 0, 1 ] indicate a loss of actuator effectiveness with a zero gain indicating ‘free-play’. Values outside this domain indicate either a ‘stuck actuator’ in a certain position or even an ‘actuator runaway’ (i.e., stuck in an extreme position). The main weakness of this simple fault detection scheme is that it does not work properly in the case of surface position sensor failures. This lack of reliability against combined actuator and sensor failures could be a source of false alarms. Another potential problem is when the actuator is fault free but the corresponding control surface is damaged. The associated loss of effectiveness of the actuation/control surface system can not be detected in this way. A typical approach to overcome the first weakness is to add hardware redundancy by increasing the number of sensors to a level which ensures a satisfactory reliability of measurements. A standard approach is to use three sensors in a voting logic for validity checking. This is the minimum hardware redundancy to guarantee the reliability of monitoring. Interestingly, using model based fault detection techniques, it is possible to obtain practically the same level of confidence by using only two sensors (the model based approach provides a third ‘virtual’ sensor). The actuator system with two identical sensors is described by the transferfunction matrix 1 g (s) Gu (s) = 1 u
15
Detection and Isolation of Actuator/Surface Faults
433
The fault TFM corresponding to the actuator fault f1 and two sensor faults f2 and f3 is G f (s) = [ Gu (s) I2 ] A possible least order detector for this setup can be chosen as ⎤ ⎡ 1 −1 0 R(s) = ⎣ 0 1 −gu (s) ⎦ 1 0 −gu (s) and can be realized as a first order system. The resulting fault detection system achieves the following fault signature ⎡ ⎤ 011 S =⎣1 0 1⎦ 110 Assuming that the actuator fault and sensor faults occur one at a time, this influence structure provides a complete isolation of a single fault by using the following isolation logic: – actuator fault occurred if r1 = 0, r2 = 0, and r3 = 0; – first sensor failed if r1 = 0, r2 = 0, and r3 = 0; – second sensor failed if r1 = 0, r2 = 0, and r3 = 0. In this way, the occurrence of each fault can be reliably detected. For fault identification, the information provided by either residual signal r1 or r2 can be employed. To address the second aspect of loss of control surface effectiveness a system level analysis could be appropriate (see next section). For component level diagnosis more detailed actuator models can be used, by explicitly modelling the dynamics of all actuator components. Such an approach based on physical parametric models is also suitable for health monitoring purposes. Another application of potential interest is to detect the so-called ‘oscillatory failure’ (e.g., of a rudder) as a result of limit cycle oscillations. This type of failure can trigger an aeroelastic resonance behaviour of the aircraft with unacceptably high loads. To identify this type of fault, the detection scheme above can be supplemented with an additional signal analysis based oscillation detection system (e.g., sub-band filtering followed by Fourier analysis).
15.5.2 System Level Monitoring The monitoring of actuator faults at the system level is primarily intended to increase overall aircraft safety by detecting fault categories which can not be handled by the usual component level monitoring. Such faults are, for example, the loss of efficiency of control surfaces due to possible structural damage or as a result of icing.
434
A. Varga
The study of the nominal case has as its main purpose getting a clear understanding of the intrinsic limitations in solving the FDIP in an idealized situation. Furthermore, the achieved fault-to-residual specifications can serve as reference models for a model-matching formulation of the FDIP [19], where system variabilities (parametric, flight conditions) are fully considered. Actuator fault diagnosis for the whole aircraft can be done in several ways. An approach advocated by several authors is to use so-called multi-models describing the aircraft in normal flight conditions as well as in several faulty situations. A bank of model detection filters can be designed to ensure a desired model-to-residual signature allowing the application of simple decision logic to identify the current model (normal or faulty). The main advantage of this approach is its simplicity, both because of a simple design of the detectors as well as because of the simple residual evaluation scheme. The main disadvantage is the need for a large number of models (and thus detectors) to cover many faults and combinations of faults. Moreover, different levels of actuator efficiency loss are usually represented as separate models, thus making the number of necessary detectors increase exponentially. The approach we follow in our study is to model actuator faults as additive disturbances. The linearized fault model of the aircraft corresponding to a given set of parameter values and a specific flight condition (e.g., straight-and-level flight) has the standard input-output form (15.1) and the detector is designed in the filter form (15.2). The linearized models which have been employed were determined using the nominal values of the parameters in Table 15.5.2. In what follows we summarize the results of designing fault detectors for the nominal case. Table 15.1 Definition of variables and trim condition Variable
Nominal Value Range
Altitude Air speed Landing gear Mass[kg] Xcg Ycg [m] Zcg [m] Flight path angle (γ ) Flap setting
600 m (2000 ft) 92.6 m/s up 317,000 25% 0 0 0o 20o
[ 0, 1000 ] [ 85, 135 ] [ [ [ [
263,000, 320,000 ] 22%, 28% ] -1, 1 ] -1, 1 ]
The longitudinal and full order linearized state space models of the aircraft are given in Appendices A and B. These models correspond to the following parameter values: mass = 317,000 kg, center of gravity coordinates: Xcg = 25%, Ycg = 0, Zcg = 0. The chosen flight condition is a straight-and-level flight at altitude 600 m, with a speed of 92.6 m/s, with a flap setting at 20o and with landing gear up. For more details on the employed model see [18].
15
Detection and Isolation of Actuator/Surface Faults
435
15.5.3 Pitch Axis Fault Monitoring To detect elevator and/or stabilizer faults, we use the longitudinal aircraft model in state-space form (15.17), where the matrices A, Bu , C, and Du are defined in Appendix A. The elevator and stabilizer fault inputs are defined as ⎞ ⎡ ⎤ ⎛ right inner elevator fault[rad] f1 ⎢ f2 ⎥ ⎜ left inner elevator fault[rad]⎟ ⎟ ⎢ ⎥ ⎜ ⎟ ⎥ ⎜ f =⎢ ⎢ f3 ⎥ ⎜right outer elevator fault[rad]⎟ ⎣ f4 ⎦ ⎝ left outer elevator fault[rad]⎠ stabilizer fault[rad] f5 and thus B f = Bu (:, 1 : 5) and D f = Du (:, 1 : 5). For this study of the nominal case we consider no disturbance inputs for the model. The achievable fault signature is ⎤ ⎡ 1 1 1 1 1 ⎢ 0 0 1 1 1⎥ ⎥ ⎢ ⎢ 1 1 0 0 1⎥ ⎥ ⎢ ⎥ S=⎢ ⎢ 1 1 1 1 0⎥ ⎢ −1 −1 0 0 0 ⎥ ⎥ ⎢ ⎣ 0 0 −1 −1 0 ⎦ 0 0 0 0 −1 From the last three lines of S it can be observed that the isolation of faults grouped in three groups ( f1 , f2 ), ( f3 , f4 ) and f5 is achievable, although all groups are only weakly detectable. System level monitoring can be used as a complementary tool to device level monitoring in the case when sensor fault monitoring is not additionally provided. The simplest fault detection task is to determine if any actuator fault in the pitch axis has occurred. This comes down to the design of a fault detector achieving the trivial signature corresponding to the first row of S S0 = 1 1 1 1 1 by using the lowest order dynamics. To design such a detector, the function fdsyn has been used. Using the least order design option, a first order residual generator can be determined. The resulting fault-to-residual dynamics are
10 10 10.43 10.43 −5.188s + 58.45 R f (s) = s + 10 s + 10 s + 10 s + 10 s + 10 If we would like to isolate elevator and stabilizer faults, only the following choice of the signature matrix is achievable
1111 0 S1 = 0 0 0 0 −1
436
A. Varga
with the second row having only a weak detectability structure. If we assume that elevator and stabilizer faults can not simultaneously occur, we can achieve elevator and stabilizer fault isolation by using the specification matrix
11111 S2 = 11110 To isolate ( f1 , f2 , f3 , f4 ) and f5 the following decision logic can be used: – elevator fault occurred if r2 = 0; – stabilizer fault occurred if r1 = 0 and r2 = 0. A residual generator achieving the above specification can be obtained as a bank of two detectors using the function fdsyn. Using the least order design option, two first order detectors can be determined, leading to a residual generator of total order 2. Provided we can assume that the groups of faults ( f1 , f2 ), ( f3 , f4 ) and f5 do not simultaneously occur, the achievable specification ⎡ ⎤ 00111 S3 = ⎣ 1 1 0 0 1 ⎦ 11110 can be used for weak isolation using the following decision logic: – inner elevator fault occurred if r1 = 0, r2 = 0, and r3 = 0; – outer elevator fault occurred if r1 = 0, r2 = 0, and r3 = 0; – stabilizer fault occurred if r1 = 0, r2 = 0, and r3 = 0. Using the least order design option, three first order detectors can be obtained using the function fdsyn leading to a detector of total order 3. Note that without the least order design option, a detector of total order 10 results, while using the standard observer based approach (see for example [20]), a detector of total order 15 is to be expected. The resulting fault-to-residual dynamics are ⎡ 0
0
10 10 s + 10 s + 10
⎢ ⎢ 10 ⎢ 10 R f (s) = ⎢ 0 0 ⎢ s + 10 s + 10 ⎣ 10 10.74 10.74 10 s + 10 s + 10 s + 10 s + 10
862.7s − 1889 s + 10 −835.1s + 2028 s + 10
⎤ ⎥ ⎥ ⎥ ⎥ ⎥ ⎦
0
The step responses associated with the faults are presented in Fig. 15.1. A more realistic setting is to add actuator dynamics to each input actuator-surface channel [2]. As already mentioned, the elevator dynamics can be approximated by transfer functions of the form 37/(s + 37), while for the stabilizer dynamics we take 0.5/(s + 0.5) as suggested in [2]. The resulting model has now order 10 and we can achieve the same fault signature with a bank of three detectors of total order 6. The step responses from the faults are presented in Fig. 15.2.
15
Detection and Isolation of Actuator/Surface Faults
437
Step responses achieving specification S = [0 0 1 1 1; 1 1 0 0 1; 1 1 1 1 0] From: f
From: f
1
From: f
2
From: f
3
From: f
4
5
10 8 To: r
1
6 4 2 0
2
0 To: r
Residuals
−2
−5
−10
To: r
3
1 0.5 0 −0.5 −1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1
Time (sec)
Fig. 15.1 Step responses from the faults: f 1 = 1, ..., f4 = 1, f5 = 0.01.
Further enhancement of fault isolation is possible by employing direct measurements of surface positions. For example, with a single additional measurement of the stabilizer surface angle it is possible to achieve the signature specification ⎡ ⎤ 11000 S4 = ⎣ 0 0 1 1 0 ⎦ 00001 and thus to isolate the inner elevator, the outer elevator and the stabilizer faults. The above specification can be achieved using a bank of three detectors of total order 5. The step responses from the faults are presented in Fig. 15.3. Finally, for complete fault isolation it is to be expected that measurements from all surfaces are necessary. Solving the fault detection and isolation problem corresponds to achieving the specification S5 = I5 using the function fdsyn or employing directly the specially devised function fdi, available in the FAULT D ETECTION toolbox [3]. This latter function is based on the method proposed in [9]. Using this function, we obtain a detector of order 5 which solves the complete fault detection and isolation problem. Interestingly, this detector is the same as that one obtained by using single surface monitoring schemes. This remarkable result also illustrates the real strengths of the recently developed minimal degree design techniques [9]. In contrast, the methods traditionally used (e.g., using a bank of 5 observer based detectors [20]) could lead to detectors of total order up to 70 in the case when actuator dynamics are included. Interestingly, complete isolation can also be achieved by choosing a minimal number of three surface measurements: two from the left elevators and one from the
438
A. Varga Step responses achieving specification S = [0 0 1 1 1; 1 1 0 0 1; 1 1 1 1 0] From: f1
From: f2
From: f3
From: f4
From: f5
1
To: r1
0
−1
2 To: r2
Residuals
−2
1 0 −1 1
To: r3
0.5 0 −0.5 −1 0
0.5
1 0
0.5
1 0
0.5 Time (sec)
1 0
0.5
1 0
0.5
1
Fig. 15.2 Step responses from the faults (included actuator dynamics): f 1 = 1, ..., f4 = 1, f5 = 0.01. Step responses for block FDI specification From: f
From: f
1
From: f
2
From: f
3
From: f
4
5
1
To: r1
0.5 0 −0.5
0.5 To: r2
Residuals
−1 1
0 −0.5 −1 1
To: r3
0.5 0 −0.5 −1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1
Time (sec)
Fig. 15.3 Step responses from the faults with stabilizer angle measurement.
stabilizer. The resulting bank of five detectors has a total order of 7 and the resulting fault-to-residual TFM is 370 10 370 10 10 , , , , R f (s) = diag s + 10 s2 + 47s + 370 s + 10 s2 + 47s + 370 s + 10
15
Detection and Isolation of Actuator/Surface Faults
439
The step responses from the faults are presented in Fig. 15.4. Step responses for complete FDI specification From: f
From: f
1
From: f
2
From: f
3
From: f
4
5
1
To: r1
0.5 0 −0.5 −1 1
To: r2
0.5 0
−1 1 0.5 To: r3
Residuals
−0.5
0 −0.5 −1 1
To: r4
0.5 0 −0.5 −1 1
To: r5
0.5 0 −0.5 −1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1
Time (sec)
Fig. 15.4 Step responses from the faults with left elevators and stabilizer angles measurements.
15.5.4 Gear and Roll Axes Fault Monitoring To detect rudder and/or aileron faults, we consider the full order (n = 10) aircraft model in state-space form (15.17). The definition of state, input and output variables and the corresponding state space matrices are given in Appendix B. The aileron and rudder fault inputs are defined as ⎞ ⎡ ⎤⎛ right inner aileron fault [rad] f1 ⎢ f2 ⎥ ⎜ left inner aileron fault [rad] ⎟ ⎟ ⎢ ⎥⎜ ⎢ f3 ⎥ ⎜ right outer aileron fault [rad] ⎟ ⎟ ⎜ ⎢ ⎥ f = ⎢ ⎥⎜ ⎟ ⎢ f4 ⎥ ⎜ left outer aileron fault [rad] ⎟ ⎣ f5 ⎦ ⎝ upper rudder fault [rad] ⎠ lower rudder fault [rad] f6 and thus B f and D f are formed from the columns {1, 2, 3, 4, 10, 11} of Bu and Du , respectively. For the two inner aileron faults { f1 , f2 }, two outer aileron faults { f3 , f4 }, and two rudder faults { f5 , f6 }, the FDIP with the fault signature ⎡ ⎤ 110000 S1 = ⎣ 0 0 1 1 0 0 ⎦ 000011
440
A. Varga
is achievable using a bank of three detectors with global order 3. The resulting faultto-residual TFM is ⎡ 10 ⎤ 10 0 0 0 0 ⎢ s + 10 s + 10 ⎥ ⎢ ⎥ 10 10 ⎢ ⎥ R f (s) = ⎢ 0 0 0 0 ⎥ ⎢ ⎥ s + 10 s + 10 ⎣ ⎦ 11.85 10 0 0 0 0 s + 10 s + 10 The step responses from the faults are presented in Fig. 15.5. Step responses for block FDI specification From: f
From: f
1
From: f
2
From: f
3
From: f
4
From: f
5
6
1
To: r1
0.5 0 −0.5
0.5 To: r2
Residuals
−1 1
0 −0.5 −1
To: r3
1 0.5 0 −0.5 −1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1
Time (sec)
Fig. 15.5 Step responses from the aileron and rudder faults.
We include now the actuator models and add three surface angle sensors for the two right ailerons and for the upper rudder. With this sensor location the complete FDIP with S2 = I6 can be solved to isolate all aileron and rudder failures. The resulting detector has order 9 and the achieved fault-to-residual TFM is 10 100 10 , , , R f (s) = diag s + 10 s2 + 20s + 100 s + 10 100 10 −0.0002566s + 100 , , s2 + 20s + 100 s + 10 s2 + 20s + 100 The step responses from the faults are presented in Fig. 15.6.
15
Detection and Isolation of Actuator/Surface Faults
441
Step responses for complete FDI specification From: f1
From: f2
From: f3
From: f4
From: f5
From: f6
To: r1
1
0
To: r2
−1 1
0
To: r3
0
−1 1 To: r4
Residuals
−1 1
0
To: r5
−1 1
0
To: r6
−1 1
0
−1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1 0
0.5
1
Time (sec)
Fig. 15.6 Step responses from the aileron and rudder faults.
15.6 Summary of Achieved Results and Needs for Further Analysis The nominal design of residual generators which has been undertaken provides valuable insight into the nature of the FDIP for aircraft actuator failures, demonstrates the feasibility of complete fault isolation, and provides filter specifications which can be useful in a more realistic design of robust residual generators. The analysis which has been performed of the FDIP for a complete set of primary flight surfaces shows that a combination of component level monitoring with a system level monitoring, allows the solution of this problem for a set of 11 actuator/surface failures. Our study demonstrated the interesting fact that by appropriately locating a minimal number of 6 surface angle sensors, complete isolation of faults is possible. The resulting orders of the residual generators are surprisingly low: order 7 for pitch axis monitoring and 9 for gear/roll axis monitoring. These figures lower to 3 and 3, respectively, if no actuator models are included in the design. By using the proposed least order detector design techniques implemented in reliable numerical software, a seamless switching among a large number of different sensor configurations was possible using a single global model of larger order. Interestingly, the reliability of the numerical algorithms which were employed allowed us, to recover the same simple results in the case when sensors are used for all surfaces, as those obtained working with each actuator/surface component individually. For the complete solution of the FDIP, the following aspects still need careful consideration:
442
A. Varga
1. Surface angle sensor faults. To achieve complete reliability of the fault monitoring system, it is important to also consider possible faults in the surface angle sensors. For example, by adding sensors to all surfaces, the complete isolation of all actuator faults is possible, while additionally the isolation of a sensor fault (e.g., stabilizer angle sensor) can be achieved. With three sensors (e.g., two for left elevators and one for stabilizer), to achieve the isolation of one sensor fault, we have to assume that sensor and actuator faults do not occur simultaneously. A complete analysis of sensor location and assignment aspects is important for practical applications (see also Part II of [21] for a recent survey). 2. Robustness against noisy inputs and noisy measurements. The effect of noisy inputs and noisy measurements must be considered in a realistic design. Typical noisy inputs for aircraft are gust turbulences, which can be taken into account by feeding white noise into the system via stable and minimum-phase Dryden spectra filters. Colouring filters driven by white noise can be used to model noise in sensor measurements. For further details see [2] and the literature cited therein. 3. Robustness against parametric uncertainties. The robustness of the designed detectors against parametric uncertainties is important for practical applicability. Typical uncertain parameters to be considered for robustness studies are mass, the coordinates of the center of gravity, as well as flight conditions (speed, altitude). There are many possibilities to enforce the robustness of the designed detectors [22] and this challenging aspect will be considered in further studies. The results provided in this work can be seen as realistic specifications of what can be aimed to be achieved in the most favourable situation.
References 1. Sz´aszi, I., Ganguli, S., Marcos, A., Balas, G.J., Bokor, J.: Application of FDI to a nonlinear Boeing-747 aircraft. In: Proc. Mediterranean Conference on Control and Automation, Lisbon, Portugal (2002) 2. Marcos, A., Ganguli, S., Balas, G.J.: An application of H∞ fault detection and isolation to a transport aircraft. Control Engineering Practice 13, 105–119 (2005) 3. Varga, A.: A FAULT DETECTION toolbox for M ATLAB. In: Proc. of CACSD 2006, Munich, Germany (2006) 4. Ding, X., Frank, P.M.: Frequency domain approach and threshold selector for robust model-based fault detection and isolation. In: Proc. of IFAC Symposium SAFEPROCESS 1991, Baden-Baden, Germany (1991) 5. Nyberg, M.: Criterions for detectability and strong detectability of faults in linear systems. Int. J. Control 75, 490–501 (2002) 6. Frisk, E., Nyberg, M.: A minimal polynomial basis solution to residual generation for fault diagnosis in linear systems. Automatica 37, 1417–1424 (2001) 7. Varga, A.: On computing least order fault detectors using rational nullspace bases. In: Proc. of IFAC Symp. SAFEPROCESS 2003, Washington D.C (2003) 8. Gertler, J.: Fault Detection and Diagnosis in Engineering Systems. Marcel Dekker, New York (1998)
15
Detection and Isolation of Actuator/Surface Faults
443
9. Varga, A.: New computational approach for the design of fault detection and isolation filters. In: Voicu, M. (ed.) Advances in Automatic Control. The Kluwer International Series in Engineering and Computer Science, vol. 754, pp. 367–381. Kluwer Academic Publishers, Dordrecht (2004) 10. Gertler, J.: Designing dynamic consistency relation for fault detection and isolation. Int. J. Control 73, 720–732 (2000) 11. Varga, A.: On designing least order residual generators for fault detection and isolation. In: Proc. 16th Internat. Conf. on Control Systems and Computer Science, Bucharest, Romania, pp. 323–330 (2007) 12. Varga, A.: On computing nullspace bases – a fault detection perspective. In: Proc. IFAC 2008 Word Congress, Seoul, Korea (2008) 13. Yuan, Z., Vansteenkiste, G.C., Wen, C.Y.: Improving the observer-based FDI design for efficient fault isolation. Int. J. Control 68(1), 197–218 (1997) 14. Varga, A.: Reliable algorithms for computing minimal dynamic covers. In: Proc. of CDC 2003, Maui, Hawaii (2003) 15. Varga, A.: Computation of coprime factorizations of rational matrices. Lin. Alg. & Appl. 271, 83–115 (1998) 16. Varga, A.: A D ESCRIPTOR S YSTEMS toolbox for M ATLAB. In: Proc. CACSD 2000 Symposium, Anchorage, Alaska (2000) 17. Varga, A.: Linear FDI-Techniques and Software Tools. FAULT D ETECTION Toolbox V0.8 – Technical Documentation, German Aerospace Center (DLR), Institute of Robotics and Mechatronics (2008) 18. Marcos, A., Balas, G.J.: A Boeing 747-100/200 Aircraft Fault Tolerant and Fault Diagnostic Benchmark. Technical Report AEM-UoM-2003-1, Department of Aerospace and Engineering Mechanics, University of Minnesota, USA (2003) 19. Varga, A.: Numerically reliable methods for optimal design of fault detection filters. In: Proc. of CDC 2005, Seville, Spain (2005) 20. Patton, R.J., Hou, M.: Design of fault detection and isolation observers: a matrix pencil approach. Automatica 34(9), 1135–1140 (1998) 21. Commault, C., Dion, J.-M.: Sensor location for diagnosis in linear systems: a structural analysis. IEEE Trans. Automat. Control 52, 155–169 (2007) 22. Chen, J., Patton, R.J.: Robust Model-Based Fault Diagnosis for Dynamic Systems. Kluwer Academic Publishers, London (1999)
444
A. Varga
Appendix A Linearized Longitudinal Model Definition of variables For the trim conditions defined for the nominal values in Table 15.5.2, the corresponding linearized nominal longitudinal state space model of the Boeing 747 has the form x(t) ˙ = Ax(t) + Buu(t) y(t) = Cx(t) + Duu(t) where the state, input and output variables are defined as follows: ⎤ ⎡ ⎛ ⎞ δq pitch rate [rad/s] ⎢ δ VTAS ⎥ ⎜ true airspeed [m/s] ⎟ ⎥ ⎢ ⎜ ⎟ ⎥ =: ⎜ angle of attack [rad] ⎟ δ α x =⎢ ⎥ ⎢ ⎜ ⎟ ⎣ δθ ⎦ ⎝ pitch angle [rad] ⎠ δ he altitude [m] ⎤ ⎛ ⎞ δeir right inner elevator [rad] ⎢ δeil ⎥ ⎜ left inner elevator [rad] ⎟ ⎥ ⎢ ⎜ ⎟ ⎢ δeor ⎥ ⎜ right outer elevator [rad] ⎟ ⎥ ⎢ ⎜ ⎟ ⎢ δeol ⎥ ⎜ left outer elevator [rad] ⎟ ⎥ ⎢ ⎜ ⎟ ⎥ ⎜ ⎟ u =⎢ ⎢ δih ⎥ =: ⎜ stabilizer trim angle [rad] ⎟ ⎢ δ EPR1 ⎥ ⎜ ⎟ thrust engine #1 [rad] ⎥ ⎢ ⎜ ⎟ ⎢ δ EPR2 ⎥ ⎜ ⎟ thrust engine #2 [rad] ⎥ ⎢ ⎜ ⎟ ⎣ δ EPR3 ⎦ ⎝ thrust engine #3 [rad] ⎠ δ EPR4 thrust engine #4 [rad] ⎡
⎛ ⎤ ⎞ angle of attack [rad] δα ⎜ ⎢ δ V˙TAS ⎥ acceleration [m/s2 ] ⎟ ⎜ ⎥ ⎟ ⎢ ⎜ ⎢ δθ ⎥ pitch angle [rad] ⎟ ⎜ ⎥ ⎟ ⎢ y =⎢ ⎥ =: ⎜ pitch rate [rad/s] ⎟ ⎜ ⎟ ⎢ δq ⎥ ⎝ vertical velocity [m/s] ⎠ ⎣ δ Vz ⎦ δ he altitude [m] ⎡
15
Detection and Isolation of Actuator/Surface Faults
State-model matrices ⎤ −0.4861 0.000317 −0.5588 0 −2.04 · 10−6 ⎢ 0 −0.0199 3.0796 −9.8048 8.98 · 10−5 ⎥ ⎥ ⎢ ⎢ A = ⎢ 1.0053 −0.0021 −0.5211 0 9.30 · 10−6 ⎥ ⎥ ⎣ 1 0 0 0 0⎦ 0 0 −92.6 92.6 0 ⎡
⎡
−0.1455 −0.1455 −0.1494 −0.1494 −1.2860 ⎢ 0 0 0 0 −0.3122 ⎢ −0.0071 −0.0071 −0.0074 −0.0074 −0.0676 Bu = ⎢ ⎢ ⎣ 0 0 0 0 0 0 0 0 0 0
⎤ 0.0013 0.0035 0.0035 0.0013 0.1999 0.1999 0.1999 0.1999 ⎥ ⎥ −0.0004 −0.0004 −0.0004 −0.0004 ⎥ ⎥ 0 0 0 0⎦ 0 0 0 0
⎡
⎤ 0 0 1 0 0 ⎢ 0 −0.0199 3.0796 −9.8048 8.98 · 10−5 ⎥ ⎢ ⎥ ⎢0 0 0 1 0⎥ ⎢ ⎥ C =⎢ 0 0 0 0⎥ ⎢1 ⎥ ⎣0 0 −92.6 92.6 0⎦ 0 0 0 0 1 ⎡
0 ⎢0 ⎢ ⎢0 Du = ⎢ ⎢0 ⎢ ⎣0 0
0 0 0 0 0 0
0 0 0 0 0 0
⎤ 0 0 0 0 0 0 0 −0.3122 0.1999 0.1999 0.1999 0.1999 ⎥ ⎥ 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0⎦ 0 0 0 0 0 0
445
446
A. Varga
Appendix B Linearized Full Order Model Definition of variables The trim conditions are defined for the nominal values specified in Table 15.5.2. The state, control and output variables are defined as follows: ⎤ ⎛ ⎡ ⎞ roll rate [rad/s] δp ⎜ ⎢ δq ⎥ pitch rate [rad/s] ⎟ ⎥ ⎜ ⎢ ⎟ ⎜ ⎢ δr ⎥ yaw rate [rad/s] ⎟ ⎥ ⎜ ⎢ ⎟ ⎜ true airspeed [m/s] ⎟ ⎢ δ VTAS ⎥ ⎥ ⎜ ⎢ ⎟ ⎜ angle of attack [rad] ⎟ ⎢ δα ⎥ ⎥ ⎜ ⎢ ⎟ x =⎢ ⎥ =: ⎜ sideslip angle [rad] ⎟ ⎜ ⎢ δβ ⎥ ⎟ ⎜ ⎢ δφ ⎥ roll angle [rad] ⎟ ⎥ ⎜ ⎢ ⎟ ⎜ ⎢ δθ ⎥ pitch angle [rad] ⎟ ⎥ ⎜ ⎢ ⎟ ⎝ ⎣ δψ ⎦ yaw angle [rad] ⎠ altitude [m] δ he ⎛ ⎤ ⎡ ⎞ δair right inner aileron [rad] ⎜ ⎢ δail ⎥ left inner aileron [rad] ⎟ ⎜ ⎥ ⎢ ⎟ ⎜ right outer aileron [rad] ⎟ ⎢ δaor ⎥ ⎜ ⎥ ⎢ ⎟ ⎜ ⎢ δaol ⎥ left outer aileron [rad] ⎟ ⎜ ⎥ ⎢ ⎟ ⎜ right inner elevator [rad] ⎟ ⎢ δeir ⎥ ⎜ ⎥ ⎢ ⎟ ⎜ left inner elevator [rad] ⎟ ⎢ δeil ⎥ ⎜ ⎥ ⎢ ⎟ ⎜ right outer elevator [rad] ⎟ ⎢ δeor ⎥ ⎜ ⎥ ⎢ ⎟ ⎜ ⎥ ⎟ u =⎢ ⎢ δeol ⎥ =: ⎜ left outer elevator [rad] ⎟ ⎜ stabilizer trim angle [rad] ⎟ ⎢ δih ⎥ ⎜ ⎥ ⎢ ⎟ ⎜ upper rudder surface [rad] ⎟ ⎢ δru ⎥ ⎜ ⎥ ⎢ ⎟ ⎜ lower rudder surface [rad] ⎟ ⎢ δrl ⎥ ⎜ ⎥ ⎢ ⎟ ⎜ ⎢ δ EPR1 ⎥ thrust engine #1 [rad] ⎟ ⎥ ⎜ ⎢ ⎟ ⎜ ⎢ δ EPR2 ⎥ thrust engine #2 [rad] ⎟ ⎜ ⎥ ⎢ ⎟ ⎝ ⎣ δ EPR3 ⎦ thrust engine #3 [rad] ⎠ δ EPR4 thrust engine #4 [rad] ⎤ ⎡ ⎞ ⎛ angle of attack [rad] δα ⎢ δ V˙TAS ⎥ ⎜ acceleration [m/s2 ] ⎟ ⎥ ⎢ ⎟ ⎜ ⎢ δθ ⎥ ⎜ pitch angle [rad] ⎟ ⎥ ⎢ ⎟ ⎜ ⎢ δq ⎥ ⎜ pitch rate [rad/s] ⎟ ⎥ ⎢ ⎟ ⎜ ⎢ δ Vz ⎥ ⎜ z-velocity [m/s] ⎟ ⎥ ⎢ ⎟ ⎜ ⎥ ⎟ ⎜ y =⎢ altitude [m] ⎢ δ he ⎥ =: ⎜ ⎟ ⎢ δp ⎥ ⎟ ⎜ roll rate [rad/s] ⎥ ⎢ ⎟ ⎜ ⎢ δr ⎥ ⎟ ⎜ yaw rate [rad/s] ⎥ ⎢ ⎟ ⎜ ⎢ δβ ⎥ ⎜ sideslip angle [rad] ⎟ ⎥ ⎢ ⎟ ⎜ ⎣ δ Vy ⎦ ⎝ y-velocity [m/s] ⎠ δφ roll angle [rad]
15
Detection and Isolation of Actuator/Surface Faults
447
State-model matrices ⎡
−.8226 0 0.1666 0 0 −1.4189 0.000471 ⎢ 0 −0.4861 0 0.000317 −0.5588 0 0 ⎢ ⎢ −.1303 0 −0.0199 0 0 0.2387 −0.00166 ⎢ ⎢ 0 0 0 −0.0199 3.0796 0 0 ⎢ ⎢ 0 1.0053 0 −0.0021 −0.5211 0 0 A=⎢ ⎢ 0.139 0 −0.9867 0 0 −0.0819 0.10505 ⎢ ⎢ 1 0 0.1265 0 0 0 0 ⎢ ⎢ 0 1 0 0 0 0 0 ⎢ ⎣ 0 0 1.008 0 0 0 0 0 0 0 0 −92.6 0 0
⎡
0 ⎢0 ⎢ ⎢0 ⎢ ⎢0 ⎢ ⎢0 ⎢ C=⎢ ⎢0 ⎢1 ⎢ ⎢0 ⎢ ⎢0 ⎢ ⎣0 0
⎤ 0 0 0 −2.04 · 10−6 ⎥ ⎥ 0 0⎥ ⎥ 0 8.98 · 10−5 ⎥ ⎥ 0 9.30 · 10−6 ⎥ ⎥ 0 0⎥ ⎥ 0 0⎥ ⎥ 0 0⎥ ⎥ 0 0⎦ 0 0 ⎤ 0 1 0 0 0 0 0 −0.0199 3.0796 0 0 −9.8048 0 8.98 · 10−5 ⎥ ⎥ 0 0 0 0 10 0 0⎥ ⎥ 0 0 0 0 0 0 0⎥ ⎥ 0 −92.6 0 0 92.6 0 0⎥ ⎥ 0 0 0 0 0 0 1⎥ ⎥ 0 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0 0⎥ ⎥ 0 0 1 0 0 0 0⎥ ⎥ 0 0 92.6 −11.6213 0 92.6 0⎦ 0 0 0 1 0 0 0 0 0 0 −9.8048 0 0 0 0 0 92.6
0 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 0 1 0 0 0
448
A. Varga
⎡
−0.0629 0.0629 −0.1819 0.1819 0 0 0 ⎢ 0.0107 0.0107 −0.0676 −0.0676 −0.1455 −0.1455 −0.1494 ⎢ ⎢ −0.0142 0.0142 −0.0128 0.0128 0 0 0 ⎢ ⎢ 0 0 0 0 0 0 0 ⎢ ⎢ 0 0 −0.0098 −0.0098 −0.0071 −0.0071 −0.0074 Bu = ⎢ ⎢ 0 0 0 0 0 0 0 ⎢ ⎢ 0 0 0 0 0 0 0 ⎢ ⎢ 0 0 0 0 0 0 0 ⎢ ⎣ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ⎤ 0 0 0.0652 0.0185 0.0034 0.0019 −0.0019 −0.0034 −0.1494 −1.2860 0 0 0.0013 0.0035 0.0035 0.0013 ⎥ ⎥ 0 0 −0.1272 −0.0929 0.0195 0.0111 −0.0111 −0.0195 ⎥ ⎥ 0 −0.3122 0 0 0.1999 0.1999 0.1999 0.1999 ⎥ ⎥ −0.0074 −0.0676 0 0 −0.0004 −0.0004 −0.0004 −0.0004 ⎥ ⎥ 0 0 0.0078 0.0066 0.0001 0.0001 −0.0001 −0.0001 ⎥ ⎥ 0 0 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0 0 0⎦ 0 0 0 0 0 0 0 0 ⎡
0 ⎢0 ⎢ ⎢0 ⎢ ⎢0 ⎢ ⎢0 ⎢ Du = ⎢ ⎢0 ⎢0 ⎢ ⎢0 ⎢ ⎢0 ⎢ ⎣0 0
0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0
⎤ 0 0 0 0 0 0 0 0 0 −0.3122 0 0 0.1999 0.1999 0.1999 0.1999 ⎥ ⎥ 0 0 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0 0 0⎥ ⎥ 0 0 0 0 0 0 0 0⎦ 0 0 0 0 0 0 0 0
Part IV
Real-Time Flight Simulator Assessment
Chapter 16
Real-Time Assessment and Piloted Evaluation of Fault Tolerant Flight Control Designs in the SIMONA Research Flight Simulator Olaf Stroosma, Thomas Lombaerts, Hafid Smaili, and Mark Mulder
16.1 Introduction Desktop-based simulations are extremely useful tools for the development of new controller applications and techniques as is evident from the theoretical sections of this book. But, in addition to testing the new controllers in an off-line, desktop-based benchmark simulation, an online piloted moving-base simulator evaluation can give new insights into real-time performance issues, applicability in an operational environment and if applicable, handling qualities of different aircraft configurations. It can serve as a proof-of-concept and allows the assessment of the benefits of the controllers in terms of compensation for impaired aircraft control, performance improvements in failed configurations and lowering of pilot workload. For this purpose, the aircraft model and the fault-tolerant controllers can be implemented in a pilot-in-the-loop flight simulator. Pilots with operational experience on the aircraft in question can be used to assess the efficiency of the controllers and their influence Olaf Stroosma Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Thomas Lombaerts Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Mark Mulder Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Hafid Smaili National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 451–475. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
452
O. Stroosma et al.
on the handling of the aircraft. Ideally the pilot should not be aware of any differences in handling with the controller engaged for the normal fault free and damaged aircraft, and be able to perform normal flying tasks with satisfactory performance in both cases. To ensure an acceptable level of validity of this assessment, the fidelity of the simulator must be sufficiently high. In addition to the dynamic behaviour of the simulated aircraft model, aspects that influence the fidelity are the appearance and functionality of the flight displays, the feel in the flight controls, the presence and field of view of an outside visual system, and the characteristics of any motion system. To increase reproducibility of the evaluation, these parameters should be documented together with the assessment results. Integration of the controllers in a real-time aircraft simulation environment, which is necessary to perform the piloted evaluation, can help identify implementation issues which would forbid practical introduction in an actual aircraft flight control system. Reliance on physical parameters which are not measured in the aircraft (e.g. sideslip angle), sensitivity to noise and delays in measurements and excessive computational loads are examples of such problems. These issues can usually be evaluated without a pilot actively in control and lead to relatively deterministic results. A more operationally oriented evaluation with a human pilot in the loop introduces variability in the results. To reduce this variation, the experiment design benefits from a well defined test scenario, appropriate performance measures and other human factors related measurement variables. To select the appropriate scenario and measurements, the intended goal of the evaluation has to be taken into account. For a general impression of the flying qualities, a procedure such as an approach and landing can be suitable. If a more detailed insight is required in lateral and/or longitudinal performance or handling qualities, more stylized manoeuvres can be performed. Examples of these include altitude captures, speed and trim changes, bank and heading captures, as well as localizer and glideslope capture and tracking. Apart from the achieved performance, which can be objectively determined, pilot feedback in the form of comments or rating scales for handling qualities (e.g. Cooper-Harper [2]) and Pilot-in-the-Loop Oscillations (PIO) can be valuable subjective results. Within the GARTEUR FM-AG(16) Action Group a number of fault-tolerant flight control (FTFC) algorithms were developed as described in Part III of this book. Their underlying principles ranged from H∞ (chapter 12), sliding mode control allocation (chapter 8) and model-predictive control (chapter 10) to parameter estimation and nonlinear dynamic inversion (chapter 13). As part of the Action Group’s work, a real-time assessment and piloted evaluation was performed for several of these algorithms. The objectives of this evaluation can be summarized as follows: • Analyzing real-time performance and integration issues of the reconfigurable fault tolerant flight control algorithms by integrating them in the complete aircraft environment. • Qualitative assessment of the FTFC algorithms in terms of aircraft handling qualities in both nominal and failed conditions. • Quantitative assessment of the FTFC algorithms benefits in terms of pilot workload to substantiate the handling qualities ratings.
16
Real-Time Assessment and Piloted Evaluation
453
• Providing an additional control design challenge to raise the technology readiness level (TRL) of the FTFC control designs by demonstrating the capability in ensuring a survivable recovery of a damaged aircraft in real-time operational conditions and procedures. The current chapter describes the evaluation method, the configuration details of the simulator used for the piloted evaluation, and software integration issues. Also, a summary of the evaluation results is given. An elaborate discussion of the handling qualities results is part of the chapters on the evaluated algorithms themselves (Chapters 13 and 18). This chapter will follow the standard format for reporting human factors experiments and include implementation related issues in section 16.2.4.5.
16.2 Evaluation Method The GARTEUR FM-AG(16) piloted evaluation campaign was performed in three stages. The first stage was the implementation and integration into the simulator of the particular FTFC algorithms. Any implementation issues such as computational load and signal requirements (sensor availability and characteristics such as noise) could be identified and resolved here. The second and third stage, as described in the next sections, involved piloted evaluations on the simulator. The method for the piloted evaluations was based on procedures for human factors experiments and was designed to assess the FTFC failure accomodation capabilities in terms of aircraft stabilization, controllability and pilot workload. Some procedures were shortened to allow more controllers to be examined within the available time frame. The number of pilots and repetitions were smaller than required for a full statistical analysis of the experiment.
16.2.1 Experiment Design A subset of the total number of controllers developed within FM-AG(16) was available for the piloted simulator evaluation during failed and unfailed flying conditions (see Table 16.1). The baseline condition for comparison was the conventional flight control system, which was manually flown (FTFC-0). Some of the evaluated controllers provided full auto-flight, allowing the pilot to adjust the controller setpoints for speed, altitude, and heading in addition to an automatic landing system (FTFC-1, -2, -5). Others were set up such that the pilot could manually manoeuvre the aircraft (FTFC3, -7), much like the conventional manual control strategy (FTFC-0). In this case, the perceived dynamics could optionally be modified by the fly-by-wire algorithm, e.g. by using a rate command/attitude hold scheme. During the evaluation, the aircraft was flown in the manual classical (mechanical) flight control system mode (FTFC0) or in FTFC mode (FTFC-1, -2, -3, -5 and -7). In the FTFC- 0 configuration, aircraft control was achieved via the mechanical and hydraulic system architecture
454
O. Stroosma et al.
Table 16.1 GARTEUR FM-AG(16) fault tolerant flight control algorithms (* evaluated in piloted simulation) No. FTFC algorithm 0* Classic Flight Control System 1* Model Reference Adaptive Sliding Modes Control with Control Allocation (MRAC) 2* Integral Action Control (INTAC) 3* 4
5* 6 7*
8
Developer NLR University of Leicester
Control type Manual (classic) Auto-flight
Reference Chapter 6 Chapter 18
University of Leicester University of Bordeaux QinetiQ
Auto-flight
Chapter 8
FTC with Guaranteed Nominal Performance (H∞ ) Fault Detection, Identification and Reconfiguration System Based Around Optimal Control Allocation Subspace Predictive Control Delft University of Technology Real-Time Model Identification Delft University and Model Predictive Control of Technology Real-Time Model Identification Delft University and Nonlinear Dynamic Inversion of Technology Control Adaptive Model Following Control CIRA
Manual (classic) & Chapter 12 Altitude hold Manual & Chapter 14 Auto-flight Auto-flight
Chapter 10
Manual (FBW)
Chapter 11
Manual (FBW)
Chapter 13
Auto-flight
Chapter 9
modelled after the real aircraft. In the other configurations, all control surfaces apart from the flaps, landing gear and engines, were commanded via the respective FTFC algorithm. Following integration of the FTFC algorithms in the simulator, the second evaluation stage consisted of a preliminary assessment of a variety of controllers from different participants in the group, as summarized in Table 16.1. The goal here was to receive feedback on all controllers from pilots flying them in a realistic setting. The most mature manual (FTFC-7) and auto-flight (FTFC-1) controllers were selected to be demonstrated at the group’s final workshop on 21st November 2007. The experiment results of these two reconfigurable control schemes are fully described in chapters 18 and 13. In the third and final evaluation stage, the manual controller (FTFC-7) went through a more in-depth evaluation, in which handling qualities were rated by several professional airline pilots, in April 2008. In the preliminary evaluation, all controllers were evaluated with the failures they were designed for. The evaluation pilot first flew the scenario with the failure in the classical aircraft, followed by the same scenario with the fault-tolerant controller activated. For the final evaluation, the order of classical and fault-tolerant controller was randomized over the pilots and two failure scenarios were flown: a runaway failure of the rudder surfaces and the engine separation failure (Flight 1862). The controller was also assessed in the nominal case with no failure.
16
Real-Time Assessment and Piloted Evaluation
455
16.2.2 Dependent Measures The controllers were assessed on two types of dependent measures: implementation measures and operational measures. 16.2.2.1
Implementation Measures
Apart from the controller’s ability to function within the constraints of its input signals (sensor availability, noise, delays etc.), another measure of a controller’s practical applicability is the computational load it places on the Flight Control Computer. The amount of additional calculations necessary for fault-tolerant control must be sufficiently low to enable actual introduction within the foreseeable future. The computational loads of the FM-AG(16) algorithms were measured in the simulator software environment without a pilot in the loop. For comparison purposes a standard desktop PC (AMD AthlonTM X2 5600+ processor) was used to measure the time needed by each algorithm to perform a single integration step. The simulation software was used to time the invocation of the controller’s main function. This function included some overhead of getting the input data from other parts of the simulation and publishing the results, but this overhead was minimal (typically around 20 μ s) and identical for all evaluated controllers. Because of the diverse structures of the controllers, a relatively wide spread in computation time was expected. This measurement can help in identifying the relative impact of the controller design on the computational load. An analysis of the measured real-time computational loads of the evaluated control algorithms can be found in section 16.3. 16.2.2.2
Operational Measures
The operational variables were concerned with the interaction between the controller and pilot. Both objective and subjective operational variables were measured. The objective measurements in the FM-AG(16) simulator assessment consisted of the pilots control inputs as indicator of physical and mental workload, and the states of the aircraft. The subjective measurements comprised pilot comments and handling qualities ratings according to the Cooper-Harper handling qualities rating scale (see Appendix 2 and [2]). This rating scale is commonly used to provide a framework in assessing the handling qualities of a particular aircraft (or configuration) and the required workload and performance in a particular task. As such, it should always be accompanied by a task description and measurable “required” and “adequate” performance criteria. The Cooper-Harper handling qualities ratings are grouped into Level 1 (rating 1-3), Level 2 (rating 4-6) and Level 3 (rating 7-9), with Level 1 being required for any non-degraded operational aircraft. The performance of the reconfigured aircraft was assessed in a series of six flight phases, most of which were explicitly rated by the pilot. These flight phases were: • Straight and level flight (not rated) • Altitude captures • Bank angle captures
456
O. Stroosma et al.
• Right-hand turn (not rated) • Localizer intercept • Glideslope intercept
Table 16.2 Evaluation maneuvers and associated performance criteria Maneuver Altitude capture
Description
Intercept the new altitude with a climb or sink rate of at least 1000 feet/minute and without over- or undershoots outside of the required performance band. Maintain heading and airspeed within the required performance bands. Bank angle Attain a 20 degree bank ancapture gle as quickly and precisely as possible and hold it stable. Maintain altitude and airspeed within the required performance bands.
Localizer intercept
Lateral performance
Longitudinal mance
Required:
Required:
• heading:
±2◦
Adequate:
perfor-
• altitude: ± 50 feet • speed: ± 5 knots
• heading: ±4◦
Adequate:
Required:
Required:
• bank: 20 ± 1◦
• altitude: ± 50 feet • speed: ± 5 knots
Adequate: • bank: 20 ± 2◦
• altitude: ± 100 feet • speed: ± 10 knots
Adequate: • altitude: ± 100 feet • speed: ± 10 knots
Intercept and follow the Required: Required: localizer. Maintain altitude and airspeed within the re- • localizer offset: ± • altitude: ± 50 feet 0.5 dot • speed: ± 5 knots quired performance bands. Adequate:
Adequate:
• localizer offset: ± 1 • altitude: ± 100 feet dot • speed: ± 10 knots Glideslope intercept
Intercept and follow the Required: Required: glide slope and localizer. Maintain airspeed with the • localizer offset: ± • glideslope offset: ± 0.5 dot 0.5 dot required performance band. • speed: ± 5 knots Adequate: Adequate: • localizer offset: ± 1 dot • glideslope offset: ± 1 dot • speed: ± 10 knots
16
Real-Time Assessment and Piloted Evaluation
457
The wording on the scale is geared towards use during the development program of a new aircraft type. For an aircraft with structural or mechanical failures, it is sometimes tempting to take the degradations into account in the rating and not rate it as a fully functional aircraft ready to go into production. In such a case, the pilot may be willing to give a low (good) rating, even though the required workload and degraded performance would be totally unacceptable in daily operations. It must be stressed that the rating should be given to the aircraft ‘as is’ without taking the mitigating circumstances of the failure into account. Only in this way can a fair comparison be made between the nominal aircraft and the failed aircraft, as well as between the classical and fault-tolerant control schemes. To increase the validity of the rating, especially for inexperienced pilots, they were advised for every evaluation to explicitly follow the decision tree of the rating scale and correlate the attained performance with the experienced workload. Winning time by directly choosing a pilot rating number or not relating the rating with the actual performance would have seriously degraded the quality of the recorded ratings. In the FM-AG(16) evaluation, a number of tasks and performance criteria were defined. In general, the lateral and longitudinal handling qualities were given separate ratings. Also, in some cases the task direction would be influenced by the specific failure, so these were split up as well, e.g. right and left bank angle captures or up and down altitude captures. Table 16.2 summarizes the tasks that were to be rated, along with the adequate and required performance criteria. The pilots were given feedback on their performance before filling in the rating scales, as described in section 16.2.5.
16.2.3 Participants Familiarity with the flown aircraft is one of the main requirements for the participants in a piloted evaluation. Some flight test or evaluation experience is also beneficial, especially when using standard rating scales. In the FM-AG(16) simulator campaign six professional airline pilots with an average experience of about 14.000 flight hours, participated in the evaluation. Five pilots, who conducted the handling qualities evaluation, were type rated for the Boeing 747 aircraft while one pilot was rated for the Boeing 767 and Airbus A330 aircraft. Some of the pilots had engineering flight testing experience. Table 16.3 shows information on the individual background and experience of the evaluation pilots.
16.2.4 Simulator Configuration The FM-AG(16) evaluation was performed on the SIMONA Research Simulator (SRS, Fig. 16.1) at Delft University of Technology. The SRS is a 6-DOF research flight simulator, with configurable flight deck instrumentation systems, wide-view outside visual display system, hydraulic control loading and motion system. As a tool for human factors research in aviation, it has been used for fundamental and applied research in a number of topics, including human (motion) perception, pilot
458
O. Stroosma et al.
Table 16.3 Evaluation pilots in the GARTEUR FM-AG(16) assessment Pilot 1 2 3 4 5 6
Age 64 51 43 54 40 N/A
Flight hours 13000 14000 15000 18000 12000 N/A
Type ratings Cessna Citation II, DC-3, DC-8, Boeing 747-200/300/400 Boeing 747-400 Boeing 747-300, Boeing 767 Boeing 747-400, Boeing 737, DC-10, DC-9, Fokker F-28 Boeing 747-400, Boeing 737 Cessna Citation II, Boeing 767, Airbus A330
control behaviour, aircraft handling qualities, pilot-in-the-loop oscillations, fly-bywire control algorithms, flight deck display and interface design, and flight procedures [5]. The simulator’s middleware software architecture called DUECA (Delft University Environment for Communication and Activation) allows rapid-access for programming of the SRS, relieving the user of taking care of the complexities of network communication, synchronization, and real-time scheduling of the different simulation modules [6]. Section 16.2.4.5 describes how DUECA was used to integrate the aircraft model and the FTFC algorithms in the simulator. To achieve sufficient confidence in the validity of the simulator results, great care was taken to optimize the simulator’s fidelity. It was configured to match the actual aircraft as closely as possible. 16.2.4.1
Flight Deck Instrumentation
The flight deck of the SRS resembles a generic, two-person side-by-side cockpit as found in many modern airliners. For the FM-AG(16) experiment, the SIMONA cockpit was configured to represent the Boeing 747 aircraft type with glass cockpit lay-out (Fig. 16.2). The installed hardware consisted of two aircraft seats, a hydraulically actuated control column (captain’s position) and rudder pedals, an electrically
(a) Outside view
(b) Cockpit view
Fig. 16.1 The SIMONA (SImulation, MOtion and NAvigation) Research Simulator (SRS) at Delft University of Technology, (courtesy of Delft University)
16
Real-Time Assessment and Piloted Evaluation
459
Fig. 16.2 SRS flight deck in Boeing 747 configuration for the GARTEUR FM-AG(16) simulator campaign
actuated sidestick (first officer’s position, not used in this experiment), a Boeing 777 control pedestal, four Liquid Crystal Display (LCD) screens to display the flight instruments and a Boeing 737 mode control panel (MCP). The displays were based on the Boeing 747-400 Electronic Flight Instrumentation System (EFIS, see Fig. 16.3). They were shown on the LCD panels mounted in front of the pilot at the ergonomically correct locations. Although not all display functionality was incorporated, the pilot had all the information available to fly the given trajectory. One notable omission was the Flight Director (FD), which normally gives steering commands to the pilot. Especially during the localizer and glide slope capture and tracking, the use of “raw” ILS (Instrument Landing System) data instead of the FD added somewhat to the pilot workload. To help the pilots assess the reconfigurable controller’s actions, the surface deflections of the elevators (left/right), ailerons (left/right, inner/outer) and rudders (upper/lower) were shown in the upper right hand corner of the Engine Indication and Crew Alerting System Display (EICAS). 16.2.4.2
Outside Visual System
The SRS has a wide field-of-view collimated outside visual system to give the pilot attitude information, as well as to induce a sense of motion through the virtual world. Three LCD projectors produce computer generated images on a rearprojection screen, which was viewed by the pilots through the collimating mirror. The resulting visual has a field of view of 180◦ × 40◦ , with a resolution of 1280 ×
460
O. Stroosma et al.
(a) Primary Flight Display (PFD)
(b) Engine Indicating and Crew Alerting System (EICAS) Display showing engine parameters and flight control surface deflections for reconfiguration status (aileron (AIL), elevator (ELEV) and rudder (RUD)) respectively
Fig. 16.3 The SRS flight deck displays representing the Boeing 747-400 Electronic Flight Instrumentation System (EFIS)
1024 pixels per projector. The update rate of the visual was the same as the main simulation at 100 Hz, while the projector refresh rate was 60 Hz. The display latency was around 30 ms. For this evaluation, a visual representation of Amsterdam Airport Schiphol was used. All runways and major taxiways were in their correct location, complemented with the most important buildings on the airfield. The surrounding area was kept simpler, with a textured ground plane showing a rough outline of the Dutch coast and North Sea. 16.2.4.3
Control Loading Feel System
The pilot used a conventional control wheel and column, which were loaded with hydraulic actuators. The simulated dynamics of the controls were a constant massspring-damper system with parameters representative of the aircraft in the evaluated condition (Table 16.4). The simulation model did not allow for feedback of surface forces to the controls, a feature that normally would have been present in a Boeing 747 aircraft through the aircraft’s q-feel system. The absence of surface deflection feedback forces may have had an effect on pilot control efficiency, especially in the mechanical failure cases.
16
Real-Time Assessment and Piloted Evaluation
461
Table 16.4 Control loading feel system characteristics
arm spring constant inertia damping break-out stiction/friction
16.2.4.4
pitch 0.714m 474Nm/rad 5.577Nms2 /rad 195.3Nms/rad 11.1Nm 11.1Nm
roll 0.17m 5.416Nm/rad 0.478Nms2 /rad 1.116Nms/rad 0.1313Nm 0.1313Nm
Motion System
The motion system of the SRS is a six degrees-of-freedom hydraulic hexapod . Its cueing algorithm, or washout filters, can be easily adjusted to fit new aircraft dynamics or manoeuvres. For the experiment, the severity of the motion was tuned down somewhat to allow for the sometimes violent manoeuvres of the failures without reaching the limits of the motion base. The cueing algorithm was of the classical washout design, with high-pass filters on all degrees of freedom and a tilt coordination channel to simulate low frequency surge and sway cues by tilting the simulator. The sway tilt was especially apparent in some failure cases where large sideslip angles and sideforces were persistently present. The SRS motion system charactersitics are provided in Table 16.5. 16.2.4.5
Aircraft Model and Flight Control Systems
For the experiment, the benchmark model and the designed fault tolerant control R to the real-time environment. This conalgorithms were converted from Simulink version comprised reformatting for standardized input/output, code generation with
Table 16.5 SRS motion system characteristics (adapted from [5]) DOF
surge sway heave roll pitch yaw
Kinematics minimum maximum deflection deflection
gain
−0.981m −1.031m −0.363 −25.9◦ −23.7◦ −41.6◦
0.5 0.5 0.4 0.5 0.5 0.5
1.259m 1.031m 0.678m 25.9◦ 24.3◦ 41.6◦
Motion cueing algorithm highhigh-pass low-pass pass break break filter frequency frequency order 2 2.0rad/s 4.0rad/s 2 2.0rad/s 4.0rad/s 3 2.0rad/s 1 2.0rad/s 1 2.0rad/s 1 1.0rad/s -
damping
1.0 1.0 1.0 -
462
O. Stroosma et al.
R Mathworks’ Real-Time Workshop , integration in the real-time simulator environment DUECA and validation. The DUECA software environment provides a framework to compose modular, distributed, real-time simulations on a variety of platforms (desktop PC, fixed-base and moving base simulators and flying laboratory). It works with a data-flow architecture using a publish-subscribe mechanism, combined with time-tagging on the exchanged data to ensure data consistency. For the current project, this meant that different controllers could be easily combined with a single aircraft model as long as they conformed to the standard data channels to be published and subscribed (Fig. 16.4). The first type of data channels in this figure are standardized input and output channels which apply to all controllers. The second type contains the signals between the MCP and the controller, which were linked to a fixed number of controls on the panel. These controls could be reprogrammed to fit the needs of a particular controller. The last type of signals were the outputs from the controller which could be freely specified and which were written to disk for later analysis. A mechanism was set up within DUECA to be able to switch between controllers on-the-fly, using an intermediary between the aircraft model and the controllers, which subscribed to the output of all controllers and published only the output of the controller which was active. All non-active controllers could be brought in an idle state to avoid computational overhead and the aircraft model could run without any knowledge of which controller was actually driving it. This setup allowed a highly parallel development process where, after the overall framework was in place, the different controllers could be developed independently from each other.
failures
manual pilot inputs
FTC or classical FCS
I/O
actuator data
aircraft model
logging data
logging
output data
I/O
MCP I/O FDI
sensor data
sensors
= fixed and standardized data channels = reprogrammable data channels = fully flexible data channels
Fig. 16.4 Integration of fault tolerant control algorithms in the SIMONA real-time simulator environment
16
Real-Time Assessment and Piloted Evaluation
463
The aircraft model was validated against simulator and flight test data according to the procedures in [3] and [1]. The Digital Flight Data Recorder (DFDR) of the Flight 1862 accident aircraft was used for the validation of the aircraft dynamics and performance characteristics representing the physical loss of two right-wing engines [4], [3]. Information regarding the general characteristics and operational data of the Boeing 747-100/200 aircraft can be found in chapter 6. To ensure the validity of the real-time simulation, a validation step was included in the development phase. Both the online model implementation and the different controllers were checked to conform to the offline analysis versions by means of proof-of-match. Any differences between the two implementations were considered small enough not to be noticeable by the pilot. The baseline aircraft model, control feel system and Flight 1862 controllability and performance characteristics were finally validated using pilot-in-the-loop simulation.
16.2.5 Procedure The scenario of the FM-AG(16) piloted evaluation was designed to resemble an operational flight profile, based on the flight path of Flight 1862 in the Amsterdam Airport Schiphol terminal area (Fig. 16.5) [4], [3]. Each pilot would start to fly the classical control system mode in unfailed condition to familiarise himself with the baseline aircraft handling qualities. This procedure was repeated several times until the pilot felt confident to proceed. The pilot would rate if the unfailed baseline aircraft model exhibited at least Level 1 handling
Fig. 16.5 Experiment scenario and tasks of the GARTEUR FM-AG(16) piloted simulator assessment
464
O. Stroosma et al.
qualities (CHR 1-3). The same procedure was conducted to familiarise the pilot with the fly-by-wire configuration in unfailed conditions. Apart from a general evaluation of the aircraft’s behaviour during the approach, additional test manoeuvres were introduced in a number of flight phases to examine the specific performance and handling qualities of the (damaged) aircraft. The first flight phase was started at an altitude of 2000 feet near the airport on an outbound course at a speed of 260 KIAS and a northerly heading of 360 degrees. In this phase, the controller should stabilize the aircraft, identify and correct any deviations from the nominal trimmed aircraft condition, and give the pilot a sense of its non-failed handling qualities. When stabilised on the outbound course, the pilot was cleared to turn 90 degrees to an easterly heading and accelerate from 260 to 270 knots to allow a minimum control speed margin for the Flight 1862 scenario. The experiment coordinator then notified the pilot of the nature and timing of a failure before applying it. This was done to consistently remove the aspect of surprise and pilot troubleshooting from the evaluation. The evaluation’s objective was not to take these into account, but to focus on the relative performance and workload levels of the augmented and unaugmented aircraft configurations in a best-case scenario (i.e. the pilot being fully aware of the failure). It is expected that an unprepared and unaware pilot will have much greater difficulty in controlling the failed aircraft without the fault tolerant controller, leading to an even higher observed benefit of the controller in such a scenario. Appendix 1 provides a complete list of the simulated failure modes, their reconfiguration strategy and assessment. During the recovery phase, after the failure was introduced, the pilot’s task was to bring the aircraft back from any adverse flight condition to a stable state at an altitude of 2000 feet and 270 knots. In this phase, the pilot was allowed to familiarise himself with the aircraft behaviour and try different strategies to bring the aircraft manually back under control. The recovery phase allowed any FTFC algorithm that was active to identify the problem, determine a new dynamic model of the damaged aircraft and reconfigure itself to the new situation. Following a succesful recovery to a stable condition, an optional identification phase was introduced during which the flying capabilities of the aircraft could be assessed. This allowed for a complete parameter identification of the model for the damaged aircraft as well as the identification of the safe flight envelope. The knowledge gained during this identification phase could be used by the controller to improve the chances of a safe and survivable landing. For the control algorithms evaluated in FM-AG(16), no explicit identification phase was necessary, because the controllers were able to identify the failure and reconfigure the flight control system during the initial recovery. If necessary, this could be done continuously during later phases. When fully reconfigured, the flight control system would allow continuous safe flight after the identification phase. After the recovery phase, a straight and level flight phase was initiated during which the pilot could assess the workload necessary to maintain the aircraft in a stable condition. Once stabilised at 2000 feet, and selecting a flap setting of one
16
Real-Time Assessment and Piloted Evaluation
465
degree1, the pilot was asked to initiate a climb and a rapid and precise altitude capture to 2500 feet. During the climb, airspeed and heading had to be kept constant. This manoeuvre was meant to examine the longitudinal handling qualities of the damaged aircraft configuration. When leveled off at 2500 feet, the pilot was asked to perform a roll capture task that consisted of capturing 20 degrees of bank angle to the left and right. Again, the goal was to make these captures as rapid and precise as possible, while maintaining altitude and speed. Banking the aircraft in this way was expected to expose any undesirable lateral handling qualities. When the bank angle capture task was completed, the pilot would start a descent for a new altitude capture to bring the aircraft back to 2000 feet. Speed and heading were maintained during the descent. Finally, a right-hand turn towards a heading of 240 degrees was performed which brought the aircraft on an intercept course to the ILS localizer of runway 27 at Amsterdam Airport Schiphol. For all failures, except the Flight 1862 scenario, the pilot was asked to decelerate to 174 knots, which was the reference speed for a flap setting of 20 degrees (Vref20 ) at the chosen weight configuration (317.000 kg). Once stabilised on the new heading and airspeed, the simulator was paused to give the pilot the opportunity to rate the altitude and bank angle capture tasks using the Cooper-Harper rating scale and fill in a questionnaire. To assist in providing the Cooper-Harper ratings, the pilot was presented with time histories of the relevant flight parameters. The adequate and desired performance boundaries for the test manoeuvres, as referenced in the Cooper-Harper scale, have been defined according to Table 16.2 and were shown in the time histories. Figures 16.6 and 16.7 illustrate an example of time histories for a simulation run that includes the different task manoeuvres and their performance boundaries. To maintain a consistent geometry for the final approach phase across different runs, the aircraft was then repositioned at a point before the localizer intercept. To allow some time for re-stabilization after the simulator ‘unfreeze’, a point 5NM along track from the intercept point was used. This intercept point was also moved back 5 NM from the standard intercept point to allow for more time to capture the localizer. Especially for the Flight 1862 failure case this was helpful because the intercept was performed with high speeds (270kts as opposed to 174kts). For the approach and landing phase, the tasks consisted of intercepting and capturing the localiser to align with the runway and intercepting and capturing the glide path for the final approach. The tasks were performed using raw ILS data presented on the primary flight display. The localizer was captured at an altitude of 2000 feet with an airspeed of 174 knots for all failure scenarios except for the Flight 1862 case. For this scenario, a higher speed of 270 knots was used to maintain sufficient directional control margins for level flight (minimum speed is about 260 knots according to the DFDR). When the aircraft was stabilised on the localizer, the pilot would intercept the glideslope for the final descent. During the descent, airspeed was further reduced to 220 knots for the Flight 1862 case or 169 knots (Vref25 ) for all other scenarios. For most failure cases the normal configuration changes of flaps up to 25 degrees and landing gear 1
The Flight 1862 aircraft model was validated for a flap setting of 1 degree. For consistency, all evaluations were therefore performed in this configuration
466
O. Stroosma et al.
(a) Altitude capture task (2000 feet and 2500 feet)
(b) Bank angle capture task (20◦ and −20◦ ) Fig. 16.6 Handling qualities task performance as shown after each run to the pilot (dashed lines: desired performance, dotted lines: adequate performance)
16
Real-Time Assessment and Piloted Evaluation
467
(a) Localizer capture task
(b) Glideslope capture task Fig. 16.7 Handling qualities task performance as shown after each run to the pilot (dashed lines: desired performance, dotted lines: adequate performance)
468
O. Stroosma et al.
Table 16.6 Aircraft configurations and flight conditions for the GARTEUR FM-AG(16) piloted evaluation test scenario (* Flight 1862 scenario) Flight phase
Aircraft mass Altitude Airspeed Center-of-Gravity Flaps Gear (kg*1000) (feet) (knots) (%MAC) 317/327* 2000 270 25 1 up
Failure & Parameter Identification Phase Straight Flight 317 Localiser Intercept 317 Glideslope Intercept 317
2000 2000 2000
270 25 174/270* 25 162/220* 25
1 up 20/1* up 25/1* down/up*
were made. For the Flight 1862 scenario, however, the landing phase was conducted with the approach configuration (flaps 1 degree and gear up) because this was the only available configuration from the DFDR which was used for the validation of the model. At an altitude of 50 feet the run was stopped and the pilot was again asked to fill in the rating scales and questionnaires for the localiser and glideslope capture tasks using the specified performance metrics. The landing itself was not part of the experiment, because a realistic aerodynamic model of the damaged aircraft in ground effect and with the gear extended was not available. However, it was assumed that if the aircraft was brought to the threshold in a stable condition and within the runway boundaries, the pilot would likely have been able to perform the final flare and landing as well. The aircraft configurations and flight conditions, as used in the test scenario, are summarised in Table 16.6.
16.3 Results From the implementation and piloted evaluation, a number of results were obtained for several of the FM-AG(16) reconfigurable control algorithms. In several cases, these resulted in adjustments or partial redesigns of the controllers to improve their practical applicability. One of the controllers was redesigned to be able to cope with additional time delays in the online sensor simulation. Another was split up in a fast (time critical) and slow (computationally intensive) part to allow real-time operation. Due to the pilots entering previously untested parts of the flight envelope (airspeeds, angles of attack), hitherto unknown instabilities were sometimes discovered. Based on pilot comments, the designers of the controllers were also able to fine-tune the outer control loops to achieve acceptable tracking behaviour. Pilot comments also indicated that future work should include the determination, presentation and possibly protection of the remaining safe flight envelope. Although the fault tolerant controllers can effectively support the pilot in bringing the aircraft safely to the ground, they cannot overcome the inherent physical limitations of the damaged vehicle. At some point in the flight envelope, the remaining control options
16
Real-Time Assessment and Piloted Evaluation
469
Table 16.7 Computational load measured as time needed for a single integration step on a desktop processor No. FTFC algorithm 0 1
2 3 5 7
Classic Flight Control System Model Reference Adaptive Sliding Modes Control with Control Allocation (MRAC) Integral Action Control (INTAC) FTC with Guaranteed Nominal Performance Subspace Predictive Control Real-Time Model Identification and Nonlinear Dynamic Inversion Control
Frame time 0.020ms 0.15ms
0.15ms 0.028ms 41ms@10Hz 2.6ms
will still be exhausted and the aircraft will become uncontrollable. A drawback of the currently investigated controllers is the abrupt loss of control when the safe flight envelope is abandoned, because the controller has up to that point been actively providing the pilot with acceptable handling qualities or tracking performance. In the classical flight control configuration, the pilot would be more aware of nearing the limits of maximum control deflections by his own direct actions on the controls. He would be better able to ‘back off’ somewhat to retain control than when he is flying more detached from the physical world with the controller engaged. A way to give the pilot back his ‘situational awareness’ would be a valuable addition to a fault tolerant flight control scheme. In the course of the integration process, the computational burden of the different controllers was assessed according to the method described in section 16.2.2.1. The required times to complete a single frame or integration step are summarized in Table 16.7. As can be seen from these results, the structure of the algorithm has a large influence on the computational load. The third control algorithm, for instance, added very little computational overhead to the classical flight control system by using a fixed linear filter. On the other hand, the seventh control algorithm employed realtime state reconstruction using an iterated extended Kalman filter at every time step, leading to a much larger demand on the processor. Handling qualities and workload results were collected for the manually flown Real-Time Model Identification and Nonlinear Dynamic Inversion Controller (FTFC-7). From the preliminary evaluations this controller was deemed the most interesting manual control algorithm because it allowed the collection of operational data for a number of failures. A full discussion of the evaluation results for this controller can be found in chapter 13, but to illustrate the evaluation method, some results are discussed here. In general, the handling qualities results for this algorithm show that for the Flight 1862 scenario normal flight control was restored
470
O. Stroosma et al.
(a) classical control
(b) fault tolerant control
Fig. 16.8 Localizer capture task handling qualities ratings for classical control and fault tolerant control
pilot stick deflection
roll [rad]
1 0 −1 −2
0
200
400
0
200
400
600
800
1000
1200
600
800
1000
1200
pitch [rad]
0.2 0.1 0 −0.1 −0.2
pilot pedal deflection
yaw [rad]
0.2 classic FTFC
0.15 0.1 0.05 0
0
200
400
600 time [s]
800
1000
1200
Fig. 16.9 Measured pilot control activities for engine separation failure mode
to acceptable levels while physical and mental workload were reduced significantly. This is illustrated in Fig. 16.8 showing the lateral handling qualities pilot ratings for the localizer capture task. It can be seen that, for this task, both the baseline and fault-tolerant fly-by-wire (FBW) aircraft were rated Level 1 (Rating 1-3). After
16
Real-Time Assessment and Piloted Evaluation
471
separation of the right-wing engines the lateral handling qualities of the conventional aircraft with the classical flight control system degraded to Level 2. The reconfigured aircraft (FBW) still shows Level 1 handling qualities after incurring significant damage due to the loss of the right-wing engines. This was substantiated by the measured pilot control activities, representative of workload, which indicated that the pilot did not need to compensate for the failure after reconfiguration (Fig. 16.9). For the rudder runaway failure, the pilots rated the augmented aircraft as Level 2, the same as the unaugmented configuration. Based on the ratings, pilot comments, and recorded control activities, an investigation was performed on the causes and possible solutions to this problem. Chapter 13 describes how this process helped in identifying future research areas for this particular algorithm and failure type.
16.4 Conclusions The GARTEUR FM-AG(16) piloted simulator campaign provided a unique opportunity to assess novel fault tolerant flight control techniques and pilot performance under flight validated failure mode scenarios and operational conditions. Taking the extra step of applying the designed reconfigurable control algorithms in a pilotin-the-loop simulator has shown to provide new insights above those gained in an offline analysis. Implementing the control algorithms to work with available sensor data and in real-time requires smart design decisions and optimizations. With feedback from pilots, the ultimate users of the system, a new work domain is entered where pure aircraft performance characteristics are supplemented with the need for good handling qualities and a good pilot-vehicle interface. The piloted assessment on the SIMONA Research Simulator, as part of the action group’s goals, has shown to be a highly effective way of quickly producing new versions of the reconfigurable control schemes which were better flyable and conformed more to pilot expectations. Therefore, having a realistic motion simulator at hand for development and evaluation can be particularly useful if the aircraft’s handling qualities in nominal and failed conditions must be taken into account in the design. From a piloting perspective, the evaluated fault tolerant control designs were shown to add much to the survivability of a damaged aircraft. The simulation campaign demonstrated that the reconfigurable fault tolerant controllers exhibited better performance than achievable by an unsupported pilot, especially after failures. This improved performance consisted of a reduction of pilot (physical/mental) workload, increase of safety and a higher probability of a successful landing. Also the identification of the failure and the selection of a suitable recovery strategy were handled better by the fault tolerant control systems. The GARTEUR FM-AG(16) experiments demonstrated that future work in the area of faul tolerant flight control should not only include a continued focus on the aircraft’s handling qualities in nominal and failed conditions, but in particular investigate innovative methods for the determination and protection of the aircraft’s safe flight envelope.
Stuck aileron
Stabilizer runaway*
Rudder runaway*
Stuck elevators (with tur- Robust detection of actuator/surface fail- All elevator surfaces are stuck in a faulty Remaining surfaces: bulence) ure position with an offset from trim. • stabiliser • ailerons (symmetric) • differential thrust
Stuck aileron (with turbu- Robust Detection of actuator/surface All aileron surfaces are stuck in a faulty Remaining surfaces: lence) failure position with an offset from trim. • stabiliser • ailerons (symmetric) • differential thrust
3.
4.
5.
6.
All aileron surfaces are stuck in a faulty Remaining surfaces: position with an offset from trim. • ailerons (other) • spoilers
Detection of actuator / surface failure
All rudder surfaces move quickly to an extreme position. Remaining surfaces Asymmetric thrust
Provide analytical means of identifying The stabiliser surface moves quickly to Remaining surfaces: safety critical control surface failure an extreme position • elevator (bad stabiliser) • ailerons (symmetric) • flaps • differential thrust
Detection of actuator / surface failure
Reconfiguration
All elevator surfaces are stuck in a faulty Remaining surfaces: position with an offset from trim. • stabiliser • ailerons (symmetric) • differential thrust
Description
2.
Detection of actuator / surface failure
Aim
Failure mode No failure Stuck elevators
0. 1.
• • • •
• • • •
• • •
• • •
• • •
• • •
No false FDI detection Transient behaviour (load factor) Controllability (authority) Continued safe flight and landing
No false FDI detection Transient behaviour (load factor) Controllability (authority) Continued safe flight and landing
Transient behaviour (load factor) Controllability (authority) Continued safe flight and landing
Transient behaviour (load factor) Controllability (authority) Continued safe flight and landing
Transient behaviour (load factor) Controllability (authority) Continued safe flight and landing
Transient behaviour (load factor) Controllability (authority) Continued safe flight and landing
Assessment
Major
Major
Critical
Critical
Major
Major
Criticality
472 O. Stroosma et al.
Appendix 1: Failure Mode Test Matrix
Loss of vertical tail*
9.
* Used in piloted simulator evaluation
10. Engine separation & re- Detection of flight critical structural and sulting structural damage system failures in order to (El Al Flight 1862)* • continue safe flight and landing (civil) • improve mission effectiveness (military)
Detection of actuator/surface failure and The loss of the vertical tail leads to the loss of directional stability loss of all rudder control surfaces as well as the loss of all damping in the roll and yaw axes.
Rudder runaway (with Robust detection of actuator/surface fail- All rudder surfaces move quickly to an turbulence) ure extreme position.
• • •
• • • •
• • • •
Transient behaviour (load factor) Stability Controllability (authority) Continued safe flight and landing
Transient behaviour (load factor) Controllability (authority) Continued safe flight and landing
No false FDI detection Transient behaviour (load factor) Controllability (authority) Continued safe flight and landing
No false FDI detection Transient behaviour (load factor) Controllability (authority) Continued safe flight and landing
assessment
Real time control law reconfigura- • tion • Remaining surfaces • Remaining engines • Remaining sensors
Remaining surfaces Asymmetric thrust
Remaining surfaces Asymmetric thrust
failure mode aim description reconfiguration Stabilizer runaway (with Provide robust analytical means of iden- The stabiliser surface moves quickly to Remaining surfaces: turbulence) tifying safety critical control surface fail- an extreme position • elevator (bad stabiliser) ure • ailerons (symmetric) • flaps • differential thrust
8.
7.
Catastrophic
Catastrophic
Critical
criticality Critical
16 Real-Time Assessment and Piloted Evaluation 473
474
O. Stroosma et al.
Appendix 2: Cooper Harper Handling Qualities Rating Scale
16
Real-Time Assessment and Piloted Evaluation
475
References 1. Anonymous. The simulation of a jumbo jet transport aircraft. Modeling data, vol. ii. Technical Report D6-30643, Boeing (September 1970) 2. Cooper, G.E., Harper Jr., R.P.: The use of pilot rating in the evaluation of aircraft handling qualities. Technical Report TN D-5153, NASA (1969) 3. Smaili, M.H.: Flight data reconstruction and simulation of El Al flight 1862. Master’s thesis, Delft University of Technology (November 1997) 4. Smaili, M.H.: Flight data reconstruction and simulation of the 1992 amsterdam bijlmermeer airplane accident. In: AIAA Modeling and Simulation Conference and Exhibit, AIAA-2008-4586. AIAA (August 2000) 5. Stroosma, O., Van Paassen, M.M., Mulder, M.: Using the simona research simulator for human-machine interaction research. In: AIAA Modeling and Simulation Conference and Exhibit, AIAA-2003-5525. AIAA (August 2003) 6. Van Paassen, M.M., Stroosma, O.: Dueca - data-driven activation in distributed real-time computation. In: AIAA Modeling and Simulation Conference and Exhibit, AIAA-20004503. AIAA (August 2000)
Chapter 17
Piloted Evaluation Results of a Nonlinear Dynamic Inversion Based Controller Using Online Physical Model Identification Thomas Lombaerts, Ping Chu, Hafid Smaili, Olaf Stroosma, and Jan Albert (Bob) Mulder
17.1 Introduction As the survey of major aircraft accidents and incidents in Chapter 1 has shown, it is sometimes still physically possible to control a damaged aircraft while components such as control surfaces, engines or parts of the structure have failed. In some cases, (differential) engine control was used by the pilot to replace conventional control via the ailerons and elevators due to loss of the hydraulic system. In other cases, some control surfaces may still be operating to replace the failed ones. This redundancy can be exploited by an automated reconfigurable system which identifies the remaining control options and drives the available surfaces. Ideally, the system would Thomas Lombaerts Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Ping Chu Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Hafid Smaili National Aerospace Laboratory NLR, P.O. Box 90502, 1059 CM Amsterdam, The Netherlands e-mail:
[email protected] Olaf Stroosma Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Jan Albert (Bob) Mulder Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 477–499. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
478
T. Lombaerts et al.
also be able to cope with unforeseen failures and adapt itself accordingly. If the system takes the form of a manual fly-by-wire flight control algorithm, as opposed to a fully automatic system, the requirements on the (degraded) handling qualities also need to be taken into account. The system must provide the pilot with good handling qualities in normal flight conditions and acceptable handling qualities in failed conditions. This chapter discusses the results of a piloted simulator evaluation, conducted in the SIMONA Research Simulator of the Delft University of Technology, of the combination of the two-step method as an identification procedure, and nonlinear dynamic inversion as discussed in Chapter 13. The objectives of the piloted evaluation are to assess the real-time aircraft failure mode accommodation capabilities, following a potentially catastrophic failure mode. This will be done in terms of aircraft failure recovery capabilities, stabilisation, controllability and required pilot workload to conduct a survivable approach and landing. As with the other fault tolerant control algorithms tested in the simulator, the same flight scenarios, failure modes and subtasks were used. The measurement of the performance of the designed NDI based control algorithm with online physical model identification has been conducted in two ways: • Qualitative: by means of subjective handling qualities ratings • Quantitative: by means of objective pilot workload measurements These measurements allow an initial assessment of the achieved performance of the adaptive NDI control algorithm in a real-time operational environment using (subjective) pilot ratings that are correlated with objective (quantitative) data of pilot control activity as a measure of workload. Pilot evaluations of fault tolerant control algorithms have been organised before, as discussed in [2] and [3]. In [2], handling qualities evaluations have been discussed for a reconfigurable control law on the X-36 tailless advanced fighter aircraft (TAFA) for a pitch capture, bank capture and a 360 degrees roll manoeuvre task. In [3], handling qualities as well as workload have been analysed for a pitch down manoeuvre in order to evaluate fault detection, isolation and reconfiguration algorithms for a civil transport aircraft. However, the handling qualities and workload assessment in this chapter are based upon a more elaborate experiment, involving a realistic complete approach manoeuvre. Chapter 16 provides a complete description of the experiment setup and the simulator equipment used in order to put the results, as presented in this chapter, in the correct perspective.
17.2 Fly-by-Wire ANDI Control Law Design For the manual fly-by-wire ANDI control law design, a simplified single outer loop is needed in order to convert the pilot pedal inputs towards a sideslip β command rather than a yaw rate r command. The inner loop is a rate feedback loop structure, as discussed in Chapter 13. A pure classical feedback loop works for unfailed aircraft, but this will not perform adequately for asymmetrically damaged aircraft
17
Piloted Evaluation Results of an ANDI Based Controller
479
where a certain steady non-zero sideslip angle β and/or roll angle φ are necessary to compensate for the asymmetry. Therefore, this loop must also be NDI-based, where the feedback path makes use of the lateral specific force Ay (which is related to the sideslip angle), the roll angle φ and the commanded roll rate pcomm . The control law can be deduced analogously as for the inner loop described earlier, where at this stage a relation must be found between the sideslip angle β and the body fixed angular rates. From [1], the sideslip angle β can be written as follows: v = V sin β
(17.1)
Rewriting for β and differentiating and inserting the equation for v˙ from the nonlinear aircraft kinematics yields: v 1 d arcsin =√ β˙ = · v˙ 2 dt V V − v2 1 = √ · [Ay + g cos θ sin φ + pw − ru] 2 V − v2 ⎡ ⎤ w p 1 −u = √ · [Ay + g cos θ sin φ ] + √V 2 −v2 0 √V 2 −v2 ⎣ q ⎦ V 2 − v2 r
(17.2)
Since controlling the sideslip β is implemented by the rudder δr via primarily the yaw rate r, since u w, equation (17.2) can be rewritten for the NDI loop command for r in the rate control loop where the virtual input is νβ = β˙ and where pcomm is the commanded roll rate by the pilot, which tracks the cockpit roll wheel deflection: r=
−u √ V 2 − v2
−1 1 · νβ − √ [Ay + g cos θ sin φ + wpcomm ] V 2 − v2
(17.3)
As a result, fig. 17.1 shows the manual fly-by-wire ANDI control outer loop architecture. In this setup, the control law provides a conventional attitude rate command and attitude hold control strategy as applied in modern fly-by-wire transport aircraft. Control wheel steering supplies a reference roll rate, pitch rate tracks the control column and the pedals give the commanded sideslip angle, which is limited between +5◦ and −5◦ . Moreover, in order to ensure comfortable aircraft responses to the pilot inputs, some first order low pass filters have been added in the input channel. This manual fly-by-wire control setup provided the baseline for the ANDI reconfigurable control law evaluation in the SIMONA Research Simulator and has been flown in three aircraft failure scenarios besides the unfailed flight.
17.3 Fly-by-Wire ANDI Control Law Evaluation The aircraft damage scenarios that were flown during the FM-AG(16) piloted evaluation of the fly-by-wire ANDI control strategy included the Stabiliser Runaway scenario, Rudder Runaway scenario and Flight 1862 accident case. The failure
480
T. Lombaerts et al.
Fig. 17.1 NDI manual control outer loop
scenarios were selected from the GARTEUR RECOVER benchmark model’s failure mode library and are based on recent accident cases as surveyed in Chapter 1. For the Flight 1862 case, digital flight data recovered from the accident site was used for the validation of the Flight 1862 aircraft dynamics (Chapter 6). Considering the restricted available time for the experiment, the evaluation phase has concentrated on these three scenarios. In every scenario, the pilot starts flying at an altitude of 2000 ft and with a speed of 260 kts towards the north. After a 90 degree heading change eastward, the failure is triggered and the pilot’s task is to stabilize the plane and familiarise himself with the degraded handling qualities and reduced performance. After familiarisation, several evaluation manoeuvres are flown including altitude captures and bank angle captures. This allows the pilot to verify the stability and controllability of the aircraft. After the handling qualities evaluation manoeuvres, a conventional terminal area approach is flown that includes a right hand turn in order to bring the aircraft onto a localizer intercept course. Finally, the final approach phase consisting of the localizer and glideslope intercept phases concludes the flight. The simulation is ended at a height of 50 feet above the runway threshold.1 All flights were conducted according to the applicable procedures in the Amsterdam Schiphol Terminal Area. The aircraft trajectory is illustrated in fig. 17.2. Note that altitude captures and bank angle captures are not visible on this scale. Details of the experiment scenario, including handling qualities and performance metrics, are further elaborated in Chapter 7. Experienced airline and engineering pilots, rated for the Boeing 747 aircraft, conducted the evaluation. For the handling qualities and pilot workload analysis, the experiment data from five pilots has been taken into account for both the Rudder Hardover and Flight 1862 accident case scenarios. Due to time constraints, no ratings and workload data for the stabiliser runaway failure are available. 1
The landing itself is not part of the benchmark, because a realistic aerodynamic model of the damaged aircraft in ground effect is not available. However, it is believed that if the aircraft is brought to the threshold in a stable condition, the pilot would be able to perform a survivable final flare and landing.
17
Piloted Evaluation Results of an ANDI Based Controller
481
Fig. 17.2 Trajectory of the piloted simulation runs in the SIMONA research simulator
17.4 Analysis Results In this section, handling qualities and workload results are given on the manually flown Real-Time Model Identification and Nonlinear Dynamic Inversion Controller. First the time histories of the pilot inputs, a selection of aircraft states, and the control surface deflections are analysed. Subsequently, focus is placed on the analysis of handling qualities and pilot workload calculations.
17.4.1 FTC and Pilot Performance Analysis Results: Time Histories Figure 3(a) shows the pilot control deflections for the unfailed situation. This figure shows that there is no significant difference in required control deflections between both control alternatives in unfailed conditions, but this graph serves as a benchmark for the subsequent analysis for the different failure cases. Figure 3(b) shows that no sustained pitch deflection is necessary to compensate for the failure in the FTFC case, in contrast to the classic control case, which occurs at approximately at t = 150s. No significant differences are visible in the roll and yaw channel, because the failure has only consequences for the longitudinal controls. In fact, this behavior can also be called ’autotrim’, because all unrequested pitch rates are automatically canceled out. During the simulation run, the pilot stated that there was no noticeable difference between the FTFC controlled aircraft suffering stabilizer runaway and an unfailed aircraft. In the Flight 1862 failure mode scenario, both right-wing engines (no. 3 and 4) are separated simultaneously resulting in substantial structural wing damage and partial loss of hydraulics. In this particular case, the aircraft dynamics closely match the flight data as obtained from the digital flight data recorder (DFDR). Figure 3(c) illustrates that the failure mode is highly demanding for the pilot to compensate for. The pilot has to use all available steering channels (roll by the steering wheel,
482
T. Lombaerts et al.
pitch by the column and yaw by the pedals) in order to keep the aircraft under control in the classical control system configuration. The separation of the right-wing engines occurs around t = 200s into the flight for both the classical and ANDI control system. For the classical control system configuration, some pilots were not able to maintain control of the aircraft while trying to recover and stabilise after the separation of the right-wing engines. Due to the characteristics of this failure, the demand for the pilot is dependent upon the speed regime where the damaged aircraft is flying. At high speed (above approximately 260 KTS) and at a weight of 317.000 kg, the aircraft appears to be controllable, while at lower speeds the handling deteriorates significantly until control is lost around 200 KTS in a gliding condition (almost idle thrust on the remaining engines no. 1 and 2). Several other interesting observations were made for this failure scenario. For all pilots, the separation of both right-wing engines and the subsequent damage to the aircraft necessitated the use of both hands on the control wheel throughout most of the flight to keep the aircraft under control (Figure 5(a)). The sustained control forces, both to control bank angle and yaw, resulted in significant physical workloads as commented by the pilots afterwards and confirmed by their ratings. Additionally, most pilots commented about the obstruction of the primary flight instruments by the control wheel deflected at large angles required for lateral control (Figure 5(b)). The lateral control capabilities of the damaged aircraft with the classical control system showed that approaching approximately 260 knots in level flight, controlling left bank angles towards the operating engines became progressively sluggish requiring up to almost full control wheel deflection while applying full rudder pedal. For a right turn into the separated engines, the baseline aircraft had a tendency to overbank up to the point where control was lost (Figure 17.6). It was furthermore observed that lateral control capabilities were improved at increasing sink rates while intercepting the glideslope and reducing thrust on the remaining engines to decelerate and stabilise for a gliding condition towards the runway. However, for a successful landing, the pilot requires knowledge concerning the aircrafts minimum control speed under the prevailing conditions in order to remain within the degraded safe flight envelope boundaries. After control reconfiguration by the fly-by-wire ANDI control law, following a real-time identification of the damaged aircraft dynamics, the experiment showed that conventional control strategies were restored allowing normal use of the control wheel, column and pedal to conduct a successful landing (Figure 17.7). Aircraft recovery transients and stabilisation by the ANDI fault tolerant control laws, immediately after the separation of the engines, proved to be acceptable (almost a non-event as commented by the pilots). Comparing the classical control system and the fault tolerant control algorithms in Figure 3(c) shows that the ANDI control laws require no more control effort from the pilot on the roll, pitch and yaw steering channels than before the failure. Only near the end of this particular simulation run for the FTFC configuration a major pilot control action in the lateral axis can be seen at about t=900s resulting in a saturation of the ailerons. This appeared to be a corrective action by the pilot as the damaged aircraft accidently decelerated below the (unavailable) minimum control speed during final approach. More information about this will be given later, see also fig. 17.9. This event highlights how
17
Piloted Evaluation Results of an ANDI Based Controller
483
information about the remaining pilot authority and the restricted safe flight envelope would contribute significantly to the pilot’s awareness. The rudder runaway is the most challenging failure from the pilot perspective. The failure occurs shortly before t = 200s. In this scenario, both upper and lower rudder surfaces are deflected uncommanded towards the aerodynamic blowdown limit (dependent on airspeed). As can be seen in Figure 3(d), the pilot has to use all available steering channels (roll by the steering wheel, pitch by the column and yaw by the pedals) to keep the aircraft under control in the case of classical control. This is remarkable, since only two channels (roll and pitch) retain their efficiency. Rudder demands via the pedal inputs have no use in this failure scenario, nevertheless it can be seen that the pilot is still tempted to use the pedals as a natural (trained) reaction, despite being aware of the failure characteristics via the pre-flight briefing. The aircraft failure transient behavior following a sudden rudder hardover of the classical control system appeared to be rather critical. As can be seen in Figure 17.8, providing a visualisation of the simulator data, the baseline aircraft attains an initial large roll upset following a left rudder hardover without immediate pilot compensation. Most pilots were able to recover and stabilise the aircraft by manually applying differential thrust following the failure (Figure 4(d)). However, the application of differential thrust to stabilise the aircraft and improve lateral control margins resulted in difficulties controlling airspeed as commented by some of the pilots. The ANDI control algorithm, on the other hand, requires no more control effort from the pilot on these steering channels as before the failure. The pedals for instance, need no pilot input at all to minimize the sideslip of the aircraft in the case of FTFC. Only at the very end, a small pedal input is given by the pilot in order to line the aircraft up with the runway a few seconds before touchdown. It should also be noted that, to ensure sufficient lateral controllability, differential thrust must be applied. For the current FTFC control algorithm, differential thrust has been applied manually by the pilot during the recovery and stabilisation phase which appeared to be less critical immediately after reconfiguration. Generally, comparing classical and fault tolerant control in the failure scenarios above shows that a fault tolerant flight controller requires no more control effort from the pilot on these steering channels than before the failure. The pedals for instance, need no pilot input at all to minimize the sideslip of the aircraft in the case of FTFC. Finally, some comments are given concerning the time scale. No timing requirements have been given to the pilot, resulting in some variations in time scales, depending on failure and control system. Fig. 17.8 and 17.9 show the time histories of a selection of the most important aircraft states. These confirm the evaluation trajectory as outlined in fig. 16.5. Moreover, altitude and roll angle plots illustrate the altitude and roll angle captures executed by the test pilot to evaluate the post-failure handling qualities of the aircraft. Fig. 17.9 gives some additional information about the situation where the safe flight envelope boundary has been exceeded. The velocity graph shows that airspeed in the fault tolerant control case is allowed to reduce significantly lower than for the classical control case. At some point, the minimum controllable airspeed is exceeded, slightly above 100 m/s, and the aircraft exhibits a rolling tendency to the right which
484
T. Lombaerts et al.
pilot stick deflection 0.5 0
roll [rad]
roll [rad]
pilot stick deflection 1 0.5 0
−0.5
−0.5
−1 0
100
200
300
400
500
600
700
800
900
1000
0.15
0.3
0.1
0.2
pitch [rad]
pitch [rad]
−1
0.05 0 −0.05
100
200
300
400
500
600
700
800
900
0
0
200
300
400
500 time [s]
600
700
800
900
yaw [rad]
yaw [rad]
classic FTFC
0.01
100
300
400
500
600
700
800
900
1000
0
100
200
300
400
500
600
700
800
900
1000
−3
pilot pedal deflection
0
200
0
1000
0.02
−0.01
100
0.1
−0.1 0
0
classic FTFC
−2 −4 −6
1000
pilot pedal deflection
x 10
0
100
200
(a) unfailed
300
pitch [rad]
roll [rad]
1
−1
0
200
400
600
800
1000
0.1
0.1
0.05
0 −0.1 0
200
400
600
800
1000
0
200
400
800
900
1000
0
200
400
600
800
1000
1200
1400
600
800
1000
1200
1400
0
−0.1
1200
pilot pedal deflection
pilot pedal deflection 0.4
classic FTFC
0.15 0.1 0.05 0
200
400
600 time [s]
800
1000
(c) engine separation scenario
1200
yaw [rad]
yaw [rad]
700
−0.05
0.2
0
600
0 −1
1200
0.2
−0.2
500 time [s]
pilot stick deflection 2
0
pitch [rad]
roll [rad]
pilot stick deflection 1
−2
400
(b) stabilizer runaway
classic classic failure FTFC FTFC failure
0.2 0 −0.2 −0.4
0
200
400
600
800
1000
1200
1400
time [s]
(d) rudder runaway
Fig. 17.3 The pilot control actions during the different scenarios which were flown manually. Range of available pilot control deflections: roll ±1.536 rad, pitch ±0.221 rad, yaw ±0.244 rad
is almost impossible to counteract. Opening throttles for increasing airspeed even aggravates this behavior, since only the left hand engines are providing thrust. After some major effort, the test pilot succeeds to stabilize the aircraft again, but altitude and speed conditions do not permit to line up the aircraft successfully with the runway. Fig. 17.10 shows the time histories of the control surface deflections for the different scenarios. These graphs demonstrate that the ANDI-controller uses the remaining active control surfaces in a way similar to what a human pilot would do. However, for the classical control system, the control surface deflections are proportional to the pilot’s commands whereas in the fly-by-wire ANDI case, there is no direct coupling anymore. In fig. 10(b), for instance, it is clear that the disturbing influence of the stabilizer runaway is counteracted by means of the elevators, however, without command from the pilot as can be seen in fig. 3(b). The same principle holds for the other scenarios. Another difference between the classical control system and the ANDI algorithm is visible in the application of the elevator for the nominal
17
Piloted Evaluation Results of an ANDI Based Controller
485
(a) Aircraft stabilised before failure. Altitude 2000 feet, Airspeed 260 KTS, Sideslip 0 deg, Bank angle 0 deg
(b) Left rudder hardover to blowdown limit. Altitude 2000 feet, Airspeed 260 KTS, Maximum sideslip excursion 11.8 deg, Maximum bank angle approximately 30 deg
(c) Pilot standing-by before failure insertion
(d) Pilot applies full right-wing down control wheel deflection and differential thrust for aircraft recovery
Fig. 17.4 Piloted simulation of left rudder hardover inducing a large upset of the aircraft c without ANDI reconfigurable control laws (flight animation by Rassimtech AVDS)
(unfailed) and rudder hardover cases as shown in fig. 10(a) and 10(d). The ANDI algorithm uses the elevator as an ’auto-trim’ feature that automatically compensates for a mistrimmed stabilizer. Information regarding control reconfiguration status by the ANDI algorithm was available to the pilot via the engine indicating and crew alerting system (EICAS) display in the cockpit. Figures 11(a) and 11(b) illustrate the EICAS display before and after the separation of the right-wing engines. As shown in the figures, the asymmetric physical loss of the engines is recovered and compensated by allocation of control to the remaining surfaces. For this scenario, the inboard ailerons are only half operational, supported by the remaining spoilers, as indicated by the damage information in Chapter 6, and this is also visible in fig. 10(c). This figure shows also that the FTFC algorithm exploits the full control authority of the rudder, where
486
(a) Pilot (left) requiring both hands for lateral control after separation of both rightwing engines without control reconfiguration
T. Lombaerts et al.
(b) Pilot’s head position (left) to scan primary flight instruments while applying left control wheel deflection to counteract roll without control reconfiguration
Fig. 17.5 Pilot control activity after separation of both right-wing engines for classical hydromechanical control system configuration
the human pilot relies less on rudder control input. As a consequence, slightly less aileron deflections are needed in the FTFC case compared to classic control. The balance between aileron and rudder use can be improved by means of further optimisation of the control allocation scheme. The reconfiguration status of the ANDI algorithm for a sudden rudder hardover, as presented to the pilot, is illustrated in Figures 11(c) and 11(d). Following the failure, lateral and directional control is allocated to the ailerons and spoilers providing roll and yaw compensation while any longitudinal trim offsets, due to the failure, are compensated by the elevators. In fig. 10(d), the faulty rudder behavior illustrates the aerodynamic blowdown effect which is taken into account in the RECOVER simulation model. As a result the maximum rudder deflection is slightly below 15◦ for an airspeed around 270 knots, and even close to 25◦ (the physical maximum deflection limit imposed by the rudder control system structure) for an airspeed of 165 knots. Based upon these simulation runs, handling qualities as well as pilot workload have been analysed, as is shown next. Simulations have shown that the stabilizer runaway was the least challenging from a pilot point of view, as explained earlier. Therefore, the subsequent discussions focus primarily on engine separation and rudder hardover, since these are the most interesting scenarios from a pilot point of view.
17.4.2 Handling Qualities Analysis Results: CH Ratings The experiment pilots were asked to rate both the baseline aircraft with the hydro-mechanical control system configuration and the fly-by-wire ANDI reconfigurable control laws using the Cooper-Harper handling qualities rating scale, see
17
Piloted Evaluation Results of an ANDI Based Controller
(a) Aircraft intercepting localiser
(b) Aircraft capturing localiser
(c) Aircraft overbanking to the right. Full aileron and rudder applied to compensate roll
(d) Loss of lateral control
487
Fig. 17.6 Piloted simulation showing separated right-wing engines and loss of lateral control due to overbank tendency without control reconfiguration and automatic stabilisation (flight c animation by Rassimtech AVDS)
Appendix 2 in Chapter 16. Both the rudder runaway scenario and Flight 1862 engine separation scenario were rated. As a comparison basis, the classical flight control system and fly-by-wire ANDI control algorithms were rated for the nominal flight conditions (no failure modes). This also provided the opportunity to familiarise the pilots with the different baseline control strategies. The handling qualities analysis results are illustrated in Figures 17.12 and 17.13. For all evaluation tasks, pilot handling qualities ratings were provided for both longitudinal and lateral task performance. For the evaluated control algorithm, the piloted evaluation tasks included altitude capture, bank angle acquisition and localizer capture up to the intercept of the glideslope. The bank angle capture task was subdivided into an evaluation of left and right bank acquisition capabilities to account for asymmetric failure modes. Figures 17.12 and 17.13 show the individual ratings, horizontally separated as classical (left) and fault tolerant (right), and from top to
488
T. Lombaerts et al.
Fig. 17.7 Piloted simulator demonstration of approach and landing after separation of both right-wing engines using fly-by-wire ANDI control reconfiguration (courtesy of RTL4 Television, The Netherlands)
Selection of aircraft states rudder runaway scenario
Selection of aircraft states rudder runaway scenario
0
200
400
600
800
1000
1200
0.1
0
200
400
600
800
1000
1200
0
1400
0.5 0 −0.5
500
1400
0.2
0
1000
heading [rad]
angle of attack [rad]
0
0
200
400
600
800
1000
1200
1400
0
200
400
600
800
1000
1200
1400
0
200
400
600
800
1000
1200
1400
0
200
400
600
800
1000
1200
1400
5 0 −5
150 100 50
time [s]
time [s]
0.2 classic FTFC
0 −0.2
0
200
400
600
800 time [s]
1000
1200
1400
roll angle [rad]
flight path angle [rad] angle of sideslip [rad]
altitude [m]
0.2
true airspeed [m/s]
pitch [rad]
0.4
1 classic FTFC
0 −1
0
200
400
600
800
1000
1200
1400
time [s]
Fig. 17.8 Comparison of a selection of aircraft states for the rudder runaway scenario
bottom the tasks altitude capture, left bank capture, right bank capture and localizer intercept respectively. The experiment results show that both the baseline (classical) and fly-by-wire ANDI (FBW-ANDI) aircraft configuration were rated Level 1 (Rating 1-3) by most pilots for the unfailed condition. This provides a comparison basis when analysing pilot performance in degraded conditions for the different flight control system configurations. The trends of the pilot ratings for the ANDI reconfigurable control algorithm show that, especially for the Flight 1862 engine separation scenario,
17
Piloted Evaluation Results of an ANDI Based Controller Selection of aircraft states engine separation scenario
Selection of aircraft states engine separation scenario altitude [m]
0
200
400
600
800
1000
500 0
1200 heading [rad]
0.4 0.2 0
0
200
400
600
800
1000
0.1 0 −0.1
0
200
400
600
800
1000
1200
0.2 classic FTFC
0 −0.2
0
200
400
600 time [s]
800
1000
0
200
400
600
800
1000
1200
0
200
400
600
800
1000
1200
0
200
400
600
800
1000
10 5 0 −5
1200 true airspeed [m/s]
angle of attack [rad] flight path angle [rad] angle of sideslip [rad]
1000
0
200 150 100 50
1200
1
roll angle [rad]
pitch [rad]
0.2
−0.2
489
classic FTFC
0.5 0 −0.5
1200
0
200
400
600 time [s]
800
1000
1200
Fig. 17.9 Comparison of a selection of aircraft states for the engine separation scenario
control surface deflections
control surface deflections aileron [deg]
20
10 0 −10 −20
0
100
200
300
400
500
600
700
800
900
1000
elevator [deg]
10 0 −10 −20
0
100
200
300
400
500
600
700
800
900
1000
10 0 −10 −20
elevator and stabilizer [deg]
aileron [deg]
20
200
300
400
500
600
700
800
900
1000
0
100
200
300
400
500
600
700
800
900
1000
0
−20 −30
6 classic FTFC
5 0
0
100
200
300
400
500 time [s]
600
700
800
900
rudder [deg]
rudder [deg]
100
−10
10
−5
0
10
2 0 −2
1000
classic classic failure FTFC FTFC failure
4
0
100
200
(a) unfailed
300
control surface deflections aileron [deg]
aileron [deg]
−20
0
200
400
600
800
1000
elevator [deg]
elevator [deg]
800
900
1000
−20
0
200
400
600
800
1000
1200
1400
0
200
400
600
800
1000
1200
1400
10
20 10 0 0
200
400
600
800
1000
5 0 −5 −10
1200
30 classic classic failure FTFC FTFC failure
20 10 0 0
200
400
600 time [s]
800
1000
(c) engine separation scenario
1200
rudder [deg]
30 rudder [deg]
700
0
−40
1200
30
−10
600
20
0
−10
500 time [s]
control surface deflections
20
−40
400
(b) stabilizer runaway
classic classic failure FTFC FTFC failure
20 10 0 −10
0
200
400
600
800
1000
1200
1400
time [s]
(d) rudder runaway
Fig. 17.10 Time histories of the control surface deflections involved in the different scenarios which were flown manually
490
T. Lombaerts et al.
(a) EICAS display before failure
(b) EICAS display showing control surface reconfiguration after separation of rightwing engines
(c) EICAS display before failure
(d) EICAS display showing control surface reconfiguration after rudder hardover to blowdown limit
Fig. 17.11 Engine indicating and crew alerting system (EICAS) display providing control reconfiguration status of ANDI control algorithm
conventional flight control was restored up to acceptable handling qualities levels (upper Level 1) following a failure. In these conditions, no significant task performance degradations occurred as compared to the unfailed fly-by-wire aircraft while physical and mental workload was reduced as indicated by an analysis of the aggregated control forces and pilot comments. After incurring significant damage due to the loss of the right-wing engines, the pilot ratings for the conventional aircraft with classical control system clearly show that in all conditions, above the minimum control speed, Level 2 handling qualities existed. The reconfigured aircraft (FBW-ANDI) is able to improve the handling qualities back towards the upper Level 1 region. This was substantiated by the measured pilot control activities, representative of workload, indicating no sustained pilot compensation after control reconfiguration.
17
Piloted Evaluation Results of an ANDI Based Controller
491
The rudder hardover scenario appears to be more critical from a handling qualities perspective. As with the Flight 1862 case, Level 2 handling qualities were obtained in most conditions for the classical control system. However, the lateral control tasks were observed to induce severely coupled longitudinal and lateral dynamics resulting in further degradation of the handling qualities to Level 3. For the reconfigured aircraft, the handling qualities ratings remain about Level 2 after control reconfiguration despite no required sustained control inputs by the pilot. Most likely, the main reason for the inferior rating is caused by the fact that the fault tolerant controller is a rate controller, it minimizes disturbances in angular rates, but not the disturbed angle itself. As a consequence, rudder hardover results in a yaw rate to the left which is eliminated by the controller, but the heading angle change built-up meanwhile is not eliminated automatically, and is left to the pilot to compensate. Later on in this chapter, a solution will be proposed for this problem.
17.4.3 Pilot Workload Analysis Results Handling quality ratings are only one means to evaluate the performance of a flight control system, and despite use of the Cooper Harper Rating Scale, they still involve some pilot subjectivity, although this is eliminated as much as possible. On the other hand, there is the quantifiable pilot workload analysis. This subsection focuses on the latter part of the study. Specific metrics exist in order to analyse the specific workload properties of a flight control system, excluding possible secondary influences, like the control loading system characteristics, as described in Chapter 16. The workload of the pilot while controlling the aircraft can be divided into physical workload and compensatory workload. Especially during failure conditions, the pilot may be required to apply prolonged control inputs to maintain controllability of the damaged aircraft. For the Flight 1862 scenario, for instance, the asymmetric aircraft configuration caused by the separation of both right-wing engines and subsequent damage to the right wing requires sustained large control wheel deflections and the application of full rudder pedal throughout the flight. It is clear that in these conditions the physical effort exerted by the pilot to maintain control of the aircraft can be significant and fatiguing. To maintain stability of the (damaged) aircraft, the pilot is required to apply compensatory workload by making constant adjustments to achieve task objectives (e.g. capturing a heading). The quantities studied here allow a distinctive analysis of physical workload and compensatory workload. The former is represented by average force and root mean square of the pilot control deflections, as illustrated in section 17.4.3.1. The latter can be observed by analysing the root mean square of the pilot control deflection rates or the pilot control power, as done in section 17.4.3.2. This pilot workload figures have been calculated for two different phases, namely the specific part of the localizer intercept phase (left), which is defined as the time span between the triggering of the LOC valid flag and the GS valid flag, and secondarily the total simulation run (right). For the latter, the time span is defined as follows. Unfailed situations are considered from start to end of the simulation run.
492
T. Lombaerts et al. Altitude Capture Task (Classical)
Altitude Capture Task (FBW) 6 Longitudinal HQR
Longitudinal HQR
6 5 4 3 2
5 4 3 2 1
No Fail
Rudder
Engine
No Fail
Left Bank Capture Task (Classical)
Engine
Left Bank Capture Task (FBW) 7 Longitudinal HQR
8 Longitudinal HQR
Rudder
6
4
2
6 5 4 3 2
No Fail
Rudder
Engine
No Fail
Right Bank Capture Task (Classical)
Engine
Right Bank Capture Task (FBW) 7 Longitudinal HQR
8 Longitudinal HQR
Rudder
6
4
2
6 5 4 3 2
No Fail
Rudder
Engine
No Fail
6
5
5
4 3 2 1
Engine
Localiser Capture Task (FBW)
6 Longitudinal HQR
Longitudinal HQR
Localiser Capture Task (Classical)
Rudder
4 3 2 1
No Fail
Rudder
Engine
No Fail
Rudder
Engine
Fig. 17.12 Pilot longitudinal handling qualities ratings of classical and FTFC flight control system configurations for the different aircraft failure scenarios.
17
Piloted Evaluation Results of an ANDI Based Controller Altitude Capture Task (Classical)
Altitude Capture Task (FBW)
7
6
Lateral HQR
6 Lateral HQR
493
5 4
5 4 3
3 2
2 No Fail
Rudder
Engine
No Fail
Left Bank Capture Task (Classical)
Rudder
Engine
Left Bank Capture Task (FBW) 6
8 Lateral HQR
Lateral HQR
5 6 4
4 3 2
2 1 No Fail
Rudder
Engine
No Fail
Right Bank Capture Task (Classical)
Rudder
Engine
Right Bank Capture Task (FBW) 6
8 Lateral HQR
Lateral HQR
5 6 4
4 3 2
2 1 No Fail
Rudder
Engine
No Fail
6
5
5
4 3 2
Engine
Localiser Capture Task (FBW)
6
Lateral HQR
Lateral HQR
Localiser Capture Task (Classical)
Rudder
4 3 2
1
1 No Fail
Rudder
Engine
No Fail
Rudder
Engine
Fig. 17.13 Pilot lateral handling qualities ratings of classical and FTFC flight control system configurations for the different aircraft failure scenarios.
494
T. Lombaerts et al.
Scenarios including failures are restricted to the time span after the failure till the end. The localizer intercept phase work levels are comparable, since the time intervals are almost identical, thanks to the well-defined start and end points and the prescribed airspeed and trajectory. However, for the total simulation run, there are considerable variations in the time span from beginning till end, as can be seen in figures 17.3 and 17.10, which makes the absolute workload values not comparable. Therefore, average workload levels have been calculated for the total simulation run. In each graph, a distinction is made between roll, pitch and yaw channel, as illustrated by the three graphs separated vertically. In each control channel, six cases have been studied, namely unfailed, engine separation and rudder runaway, each time with classical and fault tolerant control. In each case, the workload figure of each of the five pilots is represented individually by means of bar plots, after which the mean and standard deviations are superimposed on these bar plots for every case, in order to facilitate mutual comparisons. Note that no data are available for pilot 1 in the localizer intercept phase for the engine separation failure with fault tolerant controller, this is because the safe flight envelope boundary has been exceeded before the GS valid flag was raised, leading to unreliable results since they are not representative. 17.4.3.1
Physical Workload
The physical workload quantifies the physical effort a pilot has to exert in order to accomplish the requested mission profile. This workload can be represented in the first place by the aggregate of the applied control force (wheel, column and pedal) or the average value of the absolute forces. Alternatively the root mean square of the pilot control deflections can be used, that is calculated as follows: RMSdefl =
δctrl 2 √ n
(17.4)
where δctrl is the pilot control deflection under consideration and n is the length of the recorded data sample. Note that both measures are set up in such a way that variations in data sample lengths are automatically taken into account, which is important for the total simulation run data. Figures 17.14 and 17.15 illustrate the physical workload analysis results in the presentation as was introduced earlier. Figure 17.14 depicts the average pilot forces, and figure 17.15 portrays the root mean square of the pilot control deflections. Both figures lead to the same observations regarding the measured physical workload during the experiment. The unfailed conditions confirm that this is a sound comparison basis between classic and FTFC, since both have the same ratings. Significant physical workload can be seen for the different failure scenarios to maintain control of the damaged aircraft. Especially for the Flight 1862 engine separation scenario, the data shows that for the complete duration of the flight and during the individual tasks, compensation of the failure was required in all control axes (roll, pitch and yaw). For the rudder hardover scenario, compensation is especially
17
Piloted Evaluation Results of an ANDI Based Controller Average exerted pilot force during localizer intercept phase
Average exerted pilot force during complete simulation run 6 roll force [Nm]
roll force [Nm]
6 4 2 0
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
pitch force [Nm]
pitch force [Nm]
20
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
30 20 10 0
FTFC rudder runaway
300 pilot 1 pilot 2 pilot 3 pilot 4 pilot 5 mean
300 200 100 classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
yaw force [N]
400 yaw force [N]
2
40
40
0
4
0
FTFC rudder runaway
60
0
495
pilot 1 pilot 2 pilot 3 pilot 4 pilot 5 mean
200 100 0
FTFC rudder runaway
(a) localizer intercept phase
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
(b) complete simulation run
Fig. 17.14 Total average pilot force during localizer intercept phase (left) and during complete simulation run (right)
Root mean square of pilot control deflections during localizer intercept phase
Root mean square of pilot control deflections during complete simulation run 0.8 RMS roll
RMS roll
1
0.5
0.6 0.4 0.2
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
0
FTFC rudder runaway
0.08
0.08
0.06
0.06
RMS pitch
RMS pitch
0
0.04 0.02 0
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
0.2 0.1 0
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
0.02
0.2 pilot 1 pilot 2 pilot 3 pilot 4 pilot 5 mean
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
(a) localizer intercept phase
RMS yaw
RMS yaw
0.3
FTFC no failure
0.04
0
FTFC rudder runaway
classic no failure
pilot 1 pilot 2 pilot 3 pilot 4 pilot 5 mean
0.15 0.1 0.05 0
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
(b) complete simulation run
Fig. 17.15 Root mean square of pilot control deflections during localizer intercept phase (left) and during complete simulation run (right)
apparent in the roll channel, while the other channels require less compensation. For the reconfigured aircraft, utilising the ANDI control algorithms, the control forces are reduced significantly indicating that use of the pilot controls was decreased. Additionally, the data shows more consistency amongst the pilots in most cases for the FTFC configuration as represented by the standard deviations in the graphs. Only the applied rudder pedal force for the FTFC engine separation case is an exception to this trend, but it can be seen that this is caused by test pilot 2 who exhibits significantly higher and above-average control behavior as compared to the other subjects. This was partly based on a misunderstanding of the pilot regarding the implemented control strategy of the controller in which the pedals directly command sideslip angle. For the rudder hardover scenario, the data shows that almost all pilots had a natural tendency to react to the failure by applying rudder pedal despite being briefed that rudder was not available. The minimum overlap of the errorbars
496
T. Lombaerts et al.
Root mean square of pilot control deflection rates during complete simulation run
Root mean square of pilot control deflection rates during localizer intercept phase
0.4 RMS roll rate
RMS roll rate
0.4 0.3 0.2 0.1 0
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
RMS pitch rate
RMS pitch rate
0.02 0.01 classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
0.03 0.02 0.01 0
FTFC rudder runaway
0.03 pilot 1 pilot 2 pilot 3 pilot 4 pilot 5 mean
0.01 0.005
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
(a) localizer intercept phase
RMS yaw rate
0.015 RMS yaw rate
0.1
0.04
0.03
0
0.2
0
FTFC rudder runaway
0.04
0
0.3
pilot 1 pilot 2 pilot 3 pilot 4 pilot 5 mean
0.02 0.01 0
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
(b) complete simulation run
Fig. 17.16 Root mean square of pilot control deflection rates during localizer intercept phase (left) and during complete simulation run (right)
of workload, for the limited number of subjects, between the classical and ANDI control system confirms that the observed trends are significant. Summarizing, it can be stated that average absolute force as well as pilot control deflections RMS confirm that the FTFC reduces the physical workload considerably, compared to classical control. 17.4.3.2
Compensatory Workload: RMS of Pilot Control Deflections
The compensatory workload is an indication of the correcting or stabilizing efforts applied by the pilot. The most frequently used variable to quantify this type of workload is the root mean square of the pilot control deflection rates. These are presented in fig. 17.16. These results show no decisive confirmation about any changes in the workload. This can be partly explained by the nature of the experiment. In order to be able to draw the right conclusions about the compensatory workload based upon the RMS of the deflection rates, one needs to make the test pilots feel familiar with the system. Because of a lack of training in these specific experiments and the absence of repetitions, this causes a lot of spread in the data, as can be seen in the relatively large standard deviations in fig. 17.16. Each pilot was still in the process of determining his control strategy, which differs from pilot to pilot. With enough experience, after sufficient repetitions, these control strategies would converge again. However, including more training for the pilots disagrees with the setup of the experiment to confront the pilots with failures they are unfamiliar with. An alternative method to represent compensatory workload is the power level required by the pilot to control and stabilise the aircraft. The pilot power takes into account both the applied physical control forces and compensating deflection rates. For the total simulation run, the power level is again averaged over the time interval and has been calculated as follows:
17
Piloted Evaluation Results of an ANDI Based Controller 0 tend
497
d δctrl (t) dt dt 0 tend 1 d δctrl (t) dt F(t) · Pav = Ttot t=t0 dt P=
t=t0
F(t) ·
(17.5) (17.6)
These power values are depicted in fig. 17.17. Although not as decisive as for the physical workload, the trends are still clear. The unfailed conditions confirm that this is a good comparison basis between classic and FTFC, since both have the same ratings. Taking into account the different behavior of pilot no 2, causing a higher spread in the data, the workload shows more consensus between the subjects. The yaw power values should ideally be zero in the rudder failure case, since the pedals have no effective use. As a matter of fact, the pilots still had the natural intuitive tendency to use the pedals to compensate for the disturbance. Some pilots realized this fact after a while, others were aware of it from the start. As a consequence, some yaw power values are zero where others are nonzero but still relatively small. In summary, there are indications that the pilot’s compensatory workload is also made easier by the fault tolerant control, although these indications may not be as decisive as for his physical workload. It should be noted that this manual FTFC algorithm has not yet been fully optimized for HQ ratings. This is partly the reason for these less clear observations. As a final remark, it can be noted that all workload assessment figures confirm a clear improvement in both types of pilot workload increase for the rudder runaway scenario, although this is not clear from the pilot’s appreciation through the Cooper Harper Handling Qualities assessment. It is believed that this is caused by the somehow unnatural and disturbing attitude of the aircraft post-failure, including non-zero bank and sideslip angle. Most likely, the reason for the lower rating is caused by the fact that the fault tolerant controller is a Total exerted pilot power during localizer intercept phase
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
average pitch power [W]
0
pitch power [W]
average roll power [W]
0.2
0.4 0.2 0
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
yaw power [W]
0.6 pilot 1 pilot 2 pilot 3 pilot 4 pilot 5 mean
0.4 0.2 0
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
(a) localizer intercept phase
average yaw power [W]
roll power [W]
Total average exerted pilot power during complete simulation run
0.4
0.4 0.2 0
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
0.01
0.005
0
0.02 pilot 1 pilot 2 pilot 3 pilot 4 pilot 5 mean
0.015 0.01 0.005 0
classic no failure
FTFC no failure
classic engine separation
FTFC engine separation
classic rudder runaway
FTFC rudder runaway
(b) complete simulation run
Fig. 17.17 Average pilot power during localizer intercept phase (left) and during complete simulation run (right)
498
T. Lombaerts et al.
Fig. 17.18 Input structure setup for a rate control attitude hold controller
rate controller, it minimizes disturbed angular rates, but not the disturbed angle itself. A possible solution for this is the implementation of a rate control attitude hold algorithm, as shown in fig. 17.18. The beneficial effect of this feature can possibly be tested in a new campaign.
17.5 Conclusions As part of an experimental campaign in the SIMONA Research Simulator, the manually operated Adaptive Nonlinear Dynamic Inversion (ANDI) based controller using Online Physical Model Identification was evaluated for a damaged aircraft during a piloted simulator assessment. The scenarios for the evaluation were selected based on their criticality to the operation of the aircraft and available flight data for the validation of the damaged aircraft dynamics. The experiment results show that the controller is successful in recovering the ability to control damaged aircraft after incurring a physical loss of two right-wing engines or a sudden hardover of the rudder. Simulation results have shown that the handling qualities of the fault tolerant controller devaluate less for most failures, indicating improved task performance. Moreover, it has been found that the average increase in workload after failure is considerably reduced for the fault tolerant controller, compared to the classical controller. The data shows more consistency amongst the pilots in most cases for the FTFC configuration. These observations apply for physical as well as compensatory (mental) workload. For the rudder runaway scenario, physical workload was reduced with the ANDI reconfiguration algorithm, but the lack of a rate control/attitude hold control scheme caused a negative effect on aircraft handling. To allow a fully automatic reconfiguration of failure modes that affect the lateral control axes, the fault tolerant flight control laws should include a rate control/attitude hold control scheme. Analysis of the control surface deflections has shown that their behavior is similar for both the conventional hydro-mechanical control system and FTFC control laws. The major difference is that in the latter situation these commands do not come
17
Piloted Evaluation Results of an ANDI Based Controller
499
from the pilot directly. This is the clear advantage of the physical approach which has been followed in this method. Future research in control allocation schemes for the ANDI control algorithm will optimize the balance between the use of the different control surfaces. Due to the automatic failure recovery and stabilisation capabilities of reconfigurable control, it is expected that the pilot is able to land the aircraft sooner due to the reduction of the time consuming learning phase for the pilot to understand the new basic principles of the damaged aircraft’s flying characteristics. Although control reconfiguration can utilise the control effectors in an optimal manner for stabilisation, the experiment has shown that information regarding the safe flight envelope should be an integral part of a fault tolerant flight control scheme to assist the pilot in controlling the aircraft. For both the Flight 1862 and rudder hardover case, as part of the scenarios surveyed in this research, the pilots demonstrated the ability to fly the damaged aircraft, following control reconfiguration, back to the airport and conduct a survivable approach and landing.
References 1. Mulder, J.A., van Staveren, W.H.J.J., van der Vaart, J.C., de Weerdt, E.: AE3-302 Flight Dynamics, Lecture Notes. Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands, January 25 (2006) 2. Brinker, J.S., Wise, K.A.: Flight testing of reconfigurable control law on the X-36 tailless aircraft. Guidance, Control and Dynamics 24(5), 903–909 (2001) 3. Ganguli, S., Papageorgiou, G., van der Vaart, J.C., Elgersma, M.: Piloted Simulation of Fault Detection, Isolation and Reconfiguration Algorithms for a Civil Transport Aircraft. In: AIAA Guidance, Navigation and Control Conference and Exhibit, AIAA-2005-5936, San Francisco, CA (August 2005)
Chapter 18
Model Reference Sliding Mode FTC with SIMONA Simulator Evaluation: EL AL Flight 1862 Bijlmermeer Incident Scenario Halim Alwi, Christopher Edwards, Olaf Stroosma, and Jan Albert (Bob) Mulder
18.1 Introduction This chapter presents flight simulator results obtained by experienced pilots based on the EL AL flight 1862 (Bijlmermeer incident) scenario. The results in this chapter are the outcome of a controller evaluation flight testing campaign and the GARTEUR AG16 final workshop at Delft University in November 2007. The results represent the successful real time implementation of a SMC controller in real time on the SIMONA 6-DOF flight simulator. The EL AL flight 1862 incident represents a challenging scenario for any fault tolerant control strategy. In this chapter, it will be assumed that the controller has no knowledge of the failure and damage to the airframe, and that there is no FDI or fault estimation available. The controller that has been used is a model reference sliding mode controller – an alternative to the integral action sliding mode controller proposed in Chapter 8. Here, since it is assumed that the controller has no knowledge of the failure and Halim Alwi Control and Instrumentation Research Group, Department of Engineering, University of Leicester, University Road, Leicester, LE1 7RH, UK e-mail:
[email protected] Christopher Edwards Control and Instrumentation Research Group, Department of Engineering, University of Leicester, University Road, Leicester, LE1 7RH, UK e-mail:
[email protected] Olaf Stroosma Faculty of Aerospace Engineering, P.O. Box 5058, 2600 GB Delft, The Netherlands e-mail:
[email protected] Jan Albert (Bob) Mulder Faculty of Aerospace Engineering, P.O. Box 5058, 2600 GB Delft, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 501–517. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
502
H. Alwi et al.
the damage to the airframe, fixed control allocation will be used. In this situation, there is no control signal redistribution to the healthy control surfaces. Instead, the fixed and equally distributed control allocation scheme is sufficient to access the remaining available control surfaces and ‘passively’ control the aircraft while ensuring stability and some nominal performance. An outer loop ILS (inertial landing system) PID scheme described in Chapter 8 is also used in this chapter in order to provide an outer loop command (roll and flight path demand) to guide the aircraft to capture the localizer (LOC) and glide slope (GS), as in a typical landing procedure.
18.2 A Model Reference Sliding Mode Control Allocation Scheme This chapter considers a situation where a fault associated with the actuators develops in a system. As in Chapter 8, it will be assumed that the system subject to actuator faults or failures, can be written as x(t) ˙ = Ax(t) + Bu(t) − BK(t)u(t)
(18.1)
where A ∈ IRn×n and B ∈ IRn×m and K(t) := diag(k1 (t), . . . , km (t)) are the effectiveness gain. In most control allocation (CA) strategies, the control signal is distributed equally among all the actuators [8, 9, 28] or distributed based on the limits (position and rate) of the actuators [5]. In Chapter 8, information about K(t) has been incorporated into the allocation algorithm through a weighting matrix W , so that the control is redistributed to the remaining healthy actuators when faults/failures occur. In this chapter, the CA strategy is based on the widely used approaches from the literature; i.e. fixed and equal distribution of the control signals. This is motivated by the fact that the information about K(t) in (18.1) is not always available and mirrors what happened during the EL AL flight 1862 scenario. As in Chapter 8, assume that the system states can be reordered, and the input distribution matrix B from (18.1) can be partitioned as: B1 (18.2) B= B2 where B1 ∈ IR(n−l)×m and B2 ∈ IRl×m has rank l < m. It will be assumed without loss of generality that the states of the system in (18.1) have been transformed so that B2 BT2 = Il and therefore B2 = 1. Let the ‘virtual control’ be given by
Since B2 BT2 = Il , it follows
ν (t) := B2 u(t)
(18.3)
u(t) = B†2 ν (t)
(18.4)
18
Sliding Mode FTC with SIMONA Evaluation: EL AL Flight 1862 Incident
503
where the right pseudo inverse is chosen as B†2 := BT2
(18.5)
It can be shown that the pseudo-inverse in (18.5) arises from the optimization problem min u 2 u
subject to B2 u = ν
(18.6)
In terms of the stability analysis which follows, the effect of the exogenous disturbance d(t) from (18.1) is ignored. Clearly this external signal does not formally affect the stability or otherwise of the closed-loop system associated with (18.1) – although of course it affects the closed-loop performance of the system. In the real system, it will directly affect the trim points and flight envelope of the damaged aircraft. The development which follows is similar in spirit to Chapter 8 but is different in detail because of the model reference setting. Using (18.4) and (18.5), it can be shown that (18.1) can be written as x(t) ˙ = Ax(t) + BBT2 ν (t) − BKBT2ν (t)
(18.7)
In the fault free case K = 0 and BKBT2 in (18.7) is zero. Consider a reference model defined as w(t) ˙ = Am w(t) + Bm yd (t) (18.8) where yd (t) is the reference signal and Am ∈ IRn×n , Bm ∈ IRn×l with Am is stable. Define e(t) = x(t) − w(t) (18.9) and therefore from (18.7) and (18.8) the error system e(t) ˙ = Ae(t) + (A − Am)w(t) + BBT2 ν (t) − BKBT2 ν (t) − Bm yd (t)
(18.10)
Suppose the reference model matrices Am and Bm are given by Am = A + BBT2F,
Bm = BBT2 G
(18.11)
and define a feed–forward signal
νm (t) := Fw(t) + Gyd (t)
(18.12)
The matrices Am and Bm represent the reference model which defines the required system performance. The control objective is to minimize the error between the reference model and the ‘virtual’ controlled plant (A, BBT2 ) in (18.7). The matrices F and G represent the feedback and feed–forward terms which define the reference model. Sliding mode control (SMC) techniques [10, 4], will now be used to synthesize ν (t). As in Chapter 8, the so–called switching function s : IRn → IRl to be
504
H. Alwi et al.
σ (t) = Se(t) where the design parameter S ∈ IR the hyperplane defined by
l×n
(18.13)
and det(SBBT2 ) = 0 by construction. Let S be
S = {e(t) ∈ IRn : Se(t) = 0} The sliding surface will be designed based on the nominal no fault condition (K = 0). Using (18.11), equation (18.10) can be rewritten as e(t)=Ae(t) ˙ − BKBT2ν (t) + BBT2 (ν (t) −Fw(t) − Gyd (t)) , -. /
(18.14)
−νm (t)
After a coordinate transformation of the error states e → Tr e(t) = e(t) ˆ where Tr is defined in Chapter 8, it is easy to check that equation (18.14) becomes:
T Aˆ 11 Aˆ 12 0 −B1 BN 2 (I − K)B2 ν (t) e(t)= ˆ˙ e(t) ˆ + ν (t) − ν (t) − m I I − B2 (I − K)BT2 Aˆ 21 Aˆ 22 ,-./ , -. / Aˆ
(18.15)
Bˆ ν
where BN2 := (I − BT2 B2 )
(18.16)
Therefore, the last term in (18.15) is zero in a fault free case (K = 0), but is treated as (unmatched) uncertainty when K = 0. Define
and write
W := I − K
(18.17)
T T −1 B+ 2 := W B2 (B2W B2 )
(18.18)
As argued in Chapter 8, there exists a scalar γ0 which is finite and independent of W such that (18.19) B+ 2 < γ0 for all W = diag(w1 . . . wm ) such that 0 < wi ≤ 1. In the e(t) ˆ coordinates, choose Sˆ = STr−1 = M I
(18.20)
where M ∈ IRl×(n−l) represents design freedom [4]. The reduced order system which governs the sliding motion is + N + −1 ˜ N + N + −1 e˙ˆ1 (t)=(A˜ 11−B1 BN 2 B2 (I+MB1 B2 B2 ) A21)eˆ1 (t)+B1 B2 B2 (I+MB1 B2 B2 ) νm (t) (18.21)
where A˜ 11 := Aˆ 11 − Aˆ 12M and A˜ 21 := M A˜ 11 + Aˆ 21 − Aˆ 22 M. When W = I (fault free T ˙ ˜ situation), B+ 2 |W =I = B2 and the system in (18.21) ‘collapses’ to eˆ1 (t) = A11 eˆ1 (t)
18
Sliding Mode FTC with SIMONA Evaluation: EL AL Flight 1862 Incident
505
which is the nominal sliding mode reduced order system for which M has been designed to guarantee stability. However, during fault/failure conditions stability of the system in (18.21) (which depends on W through B+ 2 ) needs to be established. If
where and
˜ := −A˜ 21 (sI − A˜ 11)−1 B1 BN2 G(s)
(18.22)
˜ γ2 = G(s) ∞
(18.23)
γ1 := MB1 BN2
(18.24)
then as proven in [2], during a fault or failure condition, for any combination of 0 < wi ≤ 1, the closed-loop system (18.21) will be stable if 0≤
γ2 γ0 ε , then the dynamic coefficients r(t) increase in magnitude, (according to (18.31)), to force the states back into the boundary layer around the sliding surface. The choice of the design parameters η , a, b and ε depends on the closed-loop performance specifications and requires some design iteration. The choice of these design parameters will be discussed further in Section 18.3. The proposition and proof that r(t) is bounded and motion inside a boundary layer around S is obtained is given in [1].
18.3 Controller Design The main objective of the controller design is to bring the damaged EL AL 1862 aircraft to a near landing condition on Runway 27 at Schiphol airport (through a proper landing approach using localizer (LOC) and glide slope (GS) capture procedures if possible). It is assumed that no FDI or fault reconstruction scheme is available to replicate the actual EL AL 1862 scenario – indeed the flight crew were even unaware that engine no. 3 and 4 were detached from the right wing. A linearization of the nominal aircraft has been obtained around an operating condition of 263,000 Kg, 92.6 m/s true airspeed, and an altitude of 600m at 25.6% of maximum thrust and at a 20deg flap position. The state-space system pairs representing the lateral and longitudinal systems about the trim condition can be found in Chapter 8. The states are xlat = [p r β φ ]T and xlong = [q Vtas α θ ]T . The lateral control surfaces are
δlat = [δair δail δaor δaol δsp1−4 δsp5 δsp8 δsp9−12 δr e1lat e2lat e3lat e4lat ]T while the longitudinal control surfaces are δlong = [δe δs e1long e2long e3long e4long ]T . The controlled outputs are φ and β for lateral control and flight path angle (FPA) and Vtas for longitudinal control. These linear models of the nominal (damage free) aircraft have been used to design the control schemes which will be described in the next sections.
18
Sliding Mode FTC with SIMONA Evaluation: EL AL Flight 1862 Incident
507
18.3.1 Lateral Controller Design The feedback matrices for the ideal lateral model from (18.12) have been designed using eigenstructure assignment [6]. The eigenvalues were chosen as {−0.3500 ± 0.1500, −0.5000, −0.4000} and the desired and obtained eigenstructure are respectively ⎡
∗ + ∗i ⎢ 0 ⎢ ⎣ ∗ + ∗i 1 + ∗i ,
∗ − ∗i 0 ∗ − ∗i 1 − ∗i -.
∗ 0 0 1
⎡ ⎤ 0 0.3195 − 0.1369i 0.3195 + 0.1369i ⎢ −0.0000 − 0.0000i −0.0000 + 0.0000i 0⎥ ⎥ =⇒ ⎢ ⎣ 0.1619 + 0.1412i 0.1619 − 0.1412i 0⎦ 1 −0.9127 −0.9127 / -. ,
desired
0.4498 −0.0430 0.0182 −0.8919
⎤ 0.3748 −0.0526 ⎥ ⎥ 0.0275 ⎦ −0.9252 /
obtained
which yields
Flat =
0.5592 −0.8808 −0.6384 0.1010 0.0823 1.3729 2.5265 −0.5851
The feed-forward matrix Glat has been designed using the inverse steady-state gain for the virtual triple system (Alat , Bνlat ,Cclat ): specifically Glat = −(Cclat (Alat + Bνlat Flat )−1 Bνlat )−1 Here, the lateral feed-forward matrix Glat is given by
−0.3078 0.0651 Glat = 0.7310 0.3891 It will be assumed that at least one of the control surfaces for both φ and β tracking will be available when a fault or failure occurs (i.e. one of either the four ailerons or the four spoilers will be available and one of either the rudder or the four engine thrusts are available). Based on these assumptions, it can be verified from a numerical search that γ0lat from (18.19) is γ0lat = 8.1314. The matrix which defines the hyperplane must now be synthesized so that the conditions in (18.25) are satisfied. A quadratic optimal design [4] has been used to obtain the sliding surface Slat which depends on the matrix Mlat in equation (18.20) where the symmetric positive definite state weighting matrix has been chosen as Qlat = diag(2, 2, 1, 1). The first and second term of Qlat are associated with the equations of the angular acceleration in roll and yaw (i.e. the Blat,2 partition) and thus weight the virtual control term. Thus by analogy to a more typical LQR framework, they affect the speed of response of the closed–loop system. Here, the first and second terms of Qlat have been more heavily weighted compared to the last two terms to give a reasonably fast closed–loop system response. The poles associated with the reduced order sliding motion are {−0.7136 ± 0.0522i}, where
0.0813 −1.9138 Mlat = 1.3455 0.1854
508
H. Alwi et al.
Based on this value of Mlat , simple calculations from (18.24) show γ1lat = 0.0230. Therefore γ0lat γ1lat = 0.1870 < 1 and so the requirements of (18.25) are satisfied. Also for this particular choice of sliding surface, G˜ lat (s) ∞ = γ2lat = 0.0563 from (18.23). Therefore from (18.25),
γ2lat γ0lat = 0.5627 < 1 1 − γ1lat γ0lat which shows that the closed loop system is stable for all choices of 0 < wi ≤ 1. For implementation, the discontinuity in the nonlinear control term in (18.28) has been smoothed by using a sigmoidal approximation where the scalar δlat = 0.05. This removes the discontinuity and introduces a further degree of tuning to accommodate the actuator rate limits – especially during actuator fault or failure conditions. For simplicity, the variables related to the adaptive nonlinear gain have been chosen as l1lat = 0 and l2lat = 1. This removes the dependence of r(t) on x(t) and simplifies the implementation. The parameter ηlat from (18.28) was chosen as ηlat = 1. In practice, a maximum limit ρmax for the adaptive nonlinear gain in (18.30) has been imposed to avoid the actuators becoming too aggressive. Here, the maximum gain was set at ρmaxlat = 5. The adaptation parameters from (18.31) have been chosen as alat = 100, blat = 0.01 and εlat = 5 × 10−2. The parameter εlat was chosen to be able to tolerate the variation in slat (t) due to normal changes in flight conditions but small enough to enable the adaptive gain to be sensitive enough to deviation from zero due to faults or failures. Here alat has been chosen to be large to enable small changes in slat (t) to cause significant changes in the gain, so that the control system reacts quickly to a fault. The parameter blat dictates the rate at which ρlat (t) will decrease, after slat (t) has returned below the threshold εlat .
18.3.2 Longitudinal Controller Design As in the lateral controller, the feedback matrices for the ideal longitudinal model from (18.12) have been designed using eigenstructure assignment [6]. The eigenvalues were chosen as {−0.240 ± 0.170 − 0.700 − 0.125} and the desired and obtained eigenstructures are ⎡
0.5 + ∗i 0.5 − ∗i 0 ⎢ 0 0 0 ⎢ ⎣ 0.5 + ∗i 0.5 − ∗i 0 0 0 1 , -. desired
⎤ ⎡ 0 0.1812 − 0.1283i 0.1812 + 0.1283i ⎢ −0.0020 + 0.0015i −0.0020 − 0.0015i 1⎥ ⎥ =⇒ ⎢ ⎣ 0.3220 − 0.5264i 0.3220 + 0.5264i 0⎦ 0 −0.7549 −0.7549 / -. ,
−0.1057 −0.0060 0.9829 0.1510
obtained
respectively which yields
−0.0012 −0.0380 −0.6113 3.4367 Flong = −0.0523 0.0017 0.4395 −0.2396
⎤ 0.0001 1.0000 ⎥ ⎥ −0.0037 ⎦ −0.0012 /
18
Sliding Mode FTC with SIMONA Evaluation: EL AL Flight 1862 Incident
509
As in the lateral control design, the feed-forward matrix Glong has been designed using the inverse steady-state gain i.e. Glong = −(Cclong (Along + Bνlong Flong )−1 Bνlong )−1 Here, the lateral feed-forward matrix Glat is given by
−0.0015 0.0438 Glong = 0.0665 −0.0024 It will be assumed that at least one of the control surfaces for FPA tracking will still be available when a fault or failure occurs. It is also assumed that at least one of the four engines is available for V tracking. Based on these assumptions, it can be verified from a numerical search that γ0long = 8.2913 from (18.19). As in the lateral controller, a quadratic optimal design has been used to obtain the sliding surface matrix. The weighting matrix has been chosen as Qlong = diag(2, 2, 1, 1). The first two terms of Qlong are associated with the Blong,2 partition in (18.2) (i.e. states q and V ) which weight the virtual control term, and have been more heavily weighted compared to the last two terms. The poles associated with the reduced order sliding motion are {−1.1157, −0.3737} where
−0.0124 −0.0037 Mlong = 0.4786 0.1247 Based on this value of Mlong , it can be shown from (18.24) that γ1long = 3.0160 × 10−4 . Therefore γ0long γ1long = 0.0025 < 1 and so the requirements of equation (18.25) are satisfied. For this choice of sliding surface, G˜ long(s) ∞ = γ2long = 0.0066 from (18.23). Therefore from (18.25),
γ2long γ0long 1 − γ1long γ0long
= 0.0551 < 1
which shows that the faulty closed-loop system is stable for all 0 < wi ≤ 1. The discontinuity in the nonlinear control term in (18.28) has been smoothed by using a sigmoidal approximation where the scalar δlong = 0.05. As in the lateral design, the variables related to the adaptive nonlinear gain have been chosen as l1long = 0 and l2long = 1. This was found to give sufficiently good performance and removes the dependence of r(t) on x(t). The parameter ηlong from (18.28) was chosen as ηlong = 1. In practice, a maximum limit ρmax for the adaptive nonlinear gain in (18.30) is imposed to avoid the actuators from becoming too aggressive. Here, the maximum gain was set at ρmaxlong = 2. The adaptation parameters from (18.31) have been chosen similar to those in the lateral design; i.e. along = 100, blong = 0.01 and εlong = 5 × 10−2. To emulate real aircraft flight control capability, an outer loop PID for heading and altitude control, as well as the EPR control mixing and ILS landing described in Chapter 8 are also used here.
510
H. Alwi et al.
Controller States x(t) & sensors LOC & GS logic
Inputs
Command: Heading Altitude Command: Roll FPA
Roll FPA
APP switch
Roll=0 FPA=0
Roll FPA
Linear component
νl
Adaptive unit vector
νn
MCP switch PID
ν(t)
Control allocation
u(t)
W Roll FPA
Command: Sideslip Vtas
Command: Roll Sideslip FPA ρ(t) Vtas
Outputs
Aircraft model
LOC & GS PID
W=I
||s|| Adaptation scheme
SIMONA simulator
Pilot inputs and switches
Data logging MCP inputs
Fig. 18.1 SIMONA interconnections
18.4 SIMONA Implementation The controller was implemented on the SIMONA flight simulator. The command inputs from the pilot are through the mode control panel (MCP). The controller was implemented as a Simulink (version 2006b) model with appropriate inputs and outputs to connect it with the SIMONA hardware, as described Figure 18.1. The controller was set up to work with an Ode4 (Runge-Kutta) solver with a fixed time step of 0.01 s (100 Hz). Using the Real-Time Workshop, the Simulink controller block diagram was converted to C-code and integrated into the SIMONA research simulator(SRS), where it runs on a dual Pentium III 1 GHz processor, together with the aircraft model and the motion control software. The available processing power is sufficient to run the controller in real time, i.e. within 10 ms per time step. A connection with the Mode Control Panel (MCP) on the flight deck enables the selection of ‘control modes’ e.g. altitude hold, heading select and reference values. The simulator trials were performed with the speed, altitude and heading select modes active. The pilot commands new headings, speeds or altitudes by adjusting the controls on the MCP. Further details on real time implementation issues can be found in Chapter 8.
18.5 SIMONA Flight Simulator Results with Experienced Pilots The controller was flown by three different pilots with experience on B747, B767, A330 and Citation II aircraft. An experienced B767 and Citation II pilot, rigorously
18
Sliding Mode FTC with SIMONA Evaluation: EL AL Flight 1862 Incident
511
tested the controller during the flight evaluation campaign before the GARTEUR FM-AG16 final workshop in November 2007. During the FM-AG16 final workshop, an experienced A330 pilot, flew the damaged ‘aircraft’ on the SIMONA simulator, during the presentation to the general public, including the local Dutch press (TV news, radio and newspapers). The results presented here are from ‘flights’ flown by an experienced B747 pilot and a test pilot for NLR (National Aerospace Laboratory) during the pilot evaluation campaign in November 2007. Even though the controller has been designed based on the linearization using a weight of approximately 263 000kg, the controller was tested with a heavy trim weight of 317 000Kg. This removes the advantage of low weight and low speed maneuverability and higher performance and controllability compared to the heavy trim weight, which was one of the main findings in [7]. The heavy trim weight for the flight test also replicates the actual EL AL 1862 scenario and fits with the assumption that the exact damage and condition of the aircraft post-faults is unknown.
18.5.1 SMC Controller Evaluation Figure 18.2 shows the trajectories of three different flight tests - a classical controller, a SMC without failure and the SMC tested with the EL AL 1862 failure scenario. The no failure test of the SMC was done to give the pilot the feel of the new controller and to give the pilot a chance to familiarize himself with the controller in nominal conditions. Figure 18.2 shows that the aircraft was flown straight
SMC: ELAL 1862 scenario classical: ELAL 1862 scenario SMC: nominal
right turn
800
failure
he
600
X X
400 right turn & localizer intercept
right turn
200 0 2.5 2
X
1.5
crash
start
4
5
x 10
glideslope intercept 1
3 end
0.5
2 1
0 xe
4
0
−1
ye
Fig. 18.2 Classical & SMC controller: 3-D flight trajectory
4
x 10
512
H. Alwi et al.
and level first, before a heading change of 90 deg to the east was performed. The pilot tested the aircraft’s capability to climb to a pre-specified altitude from 600m to approximately 800m. Then the pilot commands a return to an altitude of 600m and performs another right turn to capture the LOC. At this stage, the pilot ‘arms’ the APP in order to prepare for an automated landing approach. Once the aircraft captures the LOC signal, a final turn towards the centreline of Runway 27 is started and after a while the GS signal is captured and the aircraft descends towards the runway on a 3 deg glideslope. Note that starting from the moment the pilot activates the APP button in the MCP and the LOC signal has been captured, the aircraft is on a fully automated landing mode and no other pilot input is required. (Full pilot authority flight can also be undertaken using heading and altitude changes or manual roll and FPA commands from the pilot). Figure 18.2 shows a ‘tighter’ manoeuvre for the nominal SMC controller compared to the classical controller and the SMC with the EL AL 1862 scenario. The SMC in the EL AL 1862 failure mode manages to bring the aircraft near to landing on the desired runway. Figure 18.3 shows the controlled states of the damaged aircraft with the SMC controller. Note at the beginning of the simulation, before the failure occurs at around 200sec, the FPA, Vtas and altitude show small steady state errors due to the mismatch between the designed trim conditions and the test conditions described earlier. The mismatch between the designed and test conditions demonstrate the controller coping with uncertainty and allows the pilot to rigorously test the controller outside its ‘comfort zone’. The steady state error is small and does not represent any significant loss of overall performance. Figure 18.3 shows that after the failure occurs, at approximately 200sec, the climb capability of the aircraft is degraded when the pilot requests an increase in altitude to 800m (from 600m). On the other hand, the more important descent capability of the SMC controller is not degraded as it is able to follow the glide slope of 3deg towards the runway. This is shown in Figure 18.4. The glide slope error is maintained below 0.5deg. Figure 18.3 also shows that the side slip angle of the damaged aircraft has been limited to no more than ±1.5 deg which is much better than the one from the classical controller in Figure 18.3. The heading changes of the damaged aircraft with the SMC controller in Figure 18.3 also show a more systematic and higher level of performance compared to the classical controller. This also shows that the lateral controller is able to deal with the asymmetric change in CG, weight and the asymmetric thrust conditions and maintains the desired change in heading. Decreasing the speed to approximately 120m/s does not have the devastating and unstable effect seen in the classical controller. In fact, as suggested in [7, 3], reducing the speed helps in terms of lateral control. This is seen in terms of the deviation of the side slip angle in Figure 18.3 which is much smaller than at higher speed after the failure has occurred. The roll angle tracking again shows good performance tracking even after the loss of the two engines and the hydraulics associated with the EL AL 1862 scenario. Figure 18.4 shows typical signals from the ILS sensors. It represents the DME, LOC and GS deviation, and the moment when the LOC and the GS are engaged (valid/engaged) after being ‘armed’ using the APP button on the MCP. As usual, the
18
Sliding Mode FTC with SIMONA Evaluation: EL AL Flight 1862 Incident
Lateral states
Longitudinal states
20
5
10
FPA (deg)
roll angle (deg)
513
0 −10
0 −5
failure 0
200
400
600
−10
800
0.5 0 −0.5 −1 −1.5
0
200
400
600
heading angle (deg)
200
400
600
800
600
800
140 130 states cmd
120 110
800
300
0
200
400
800 altitude (m)
200 localizer intercept
100 0 −100
0
150 Vtas (m/sec)
side slip angle (deg)
−20
0
200
400 600 time (sec)
600
200 0
800
glideslope intercept
400
0
200
400 600 time (sec)
800
Fig. 18.3 EL AL 1862 scenario: SMC controller: controlled states 4
DME (m)
6
x 10
X
4
LOC engaged
failure
X
2 0
GS engaged
X 0
100
200
300
400
500
600
700
800
900
GS dev (deg)
LOC dev (deg)
1 0
−5
−10
0
200
400 600 time (sec)
0.5 0 −0.5 −1
800
200
400
600
800
0
200
400
600
800
1 GSvalid
LOC valid
1
0
0.5 0
0.5 0
0
200
400
600
800
Fig. 18.4 EL AL 1862 scenario: SMC controller: LOC and GS deviation angle
514
H. Alwi et al.
LOC is engaged before the GS. The LOC coverage is much further than the GS and this allows the aircraft to align to the extended centreline of the runway before the descent starts. Figure 18.5 shows the control surface deflections of the SMC controller under the EL AL 1862 scenario. This figure highlights the major difference between the classical controller (which is mechanically linked) and the FBW aircraft that has been provided by the GARTEUR FM-AG16 modification. In this figure, the outboard aileron can be seen to be independently mobile before the occurrence of the failure. After the failure, the right outboard aileron float due to the loss of hydraulic system 3 and 4. Independent control can be seen in the spoilers, elevators, rudders and EPR. The effect of losing the hydraulic system can also be seen in the floating of the inboard left and outboard right elevators (see Figure 18.5) where a clear distinction between the control surface deflection can also be seen. The spoilers also show similar patterns. Before the loss of engines 3 and 4, all the spoilers seem to be moving independently; but when the failure occurs, only spoilers 2,3,10 and 11 are active, the rest of the spoilers remain at zero deflection. In general, the control surface deflections of the elevators, ailerons and spoilers are almost half the ones resulting from using the classical controller (see Figure 18.5). The control surface deflections from the SMC controller do not reach the saturation limits of the surfaces and the spoilers and the ailerons are generally less aggressive. Engine EPR shows that differential thrust has been used to achieve the desired performance, especially for obtaining small sideslip and roll angles. Note that all the control surfaces are controlled independently by the control allocation SMC scheme described in the earlier sections of this chapter. The only pilot input consists of supplying the higher level commands such as heading and altitude change (or roll and FPA command through the MCP panel). Figure 18.6 and 18.7 show the adaptive gain and the associated σ (t) signals that initiate the adaptation. Before the occurrence of the failure, the sliding signal σ (t) is below the selected threshold. Once the threshold is exceeded, the gain is adapted from a minimum of 1 up to the maximum of 5 and 2 respectively for the lateral and longitudinal axes respectively. High deviation from the sliding surface σ (t) = 0 shows the severity of the faults. After the failure has occurred and during manoeuvres, the switching function plot σ (t) deviates away from the ideal sliding surface. However, in the near landing condition, the switching function returns below the adaptation threshold. During this time, the adaptive gain reduces to the minimum value of 1. Although the SMC controller can be implemented in such a way that pilot inputs (such as column, wheel and pedal) can be used; the purpose here is to show that, as a proof of concept, the SMC controller is more than able to handle all the rigorous tests and failures it is subjected to, using the minimal amount of input from the pilot (thus lowering the workload during an emergency condition). This allows the pilots to concentrate on higher level decisions. Figure 18.8 is one of the SIMONA output alternative views and provides the aircraft position relative to the actual position on a map of the Netherlands. This
18
Sliding Mode FTC with SIMONA Evaluation: EL AL Flight 1862 Incident
1
EPR1&2 active engine 3 & 4 missing
0
0
200
600
rl
0
200
400
600
800
sp10&11 active
spoilers right (deg) 200
ru
4
0 0
engine 3 & 4 missing
0 −10
800
10
−10
10
sp2&3 active
20
spoilers left (deg)
400
20
rudders (deg)
EPR
2
515
sp1,4,5&6 inactive 400 600 800
2 0 −2
0
200
sp7,8,9&12 inactive 400 600 800
−10
aol ail
elevators (deg)
−20
0
200
10
400
600
eol & eir active
0 0
200
eil & eor float 400 600 800 time (sec)
air
10
aor
0 −10
800
5
−5
ailerons right (deg)
0
horizontal stabilizer (deg)
ailerons left (deg)
10
aor float 0
200
400
600
800
0
200
400 600 time (sec)
800
2 0 −2
0.1
5 4
Lat ||s(t)||
LAT adaptive gain
Fig. 18.5 EL AL 1862 scenario: SMC controller: control surfaces deflection
3 2
0.05
1
0 0
200
400 600 time (sec)
800
0
200
400 600 time (sec)
800
2
1 Long ||s(t)||
LONG adaptive gain
Fig. 18.6 EL AL 1862 scenario: SMC controller: lateral adaptive gain
1.5 1
0.5 0
0
200
400 600 time (sec)
800
0
200
400 600 time (sec)
Fig. 18.7 EL AL 1862 scenario: SMC controller: longitudinal adaptive gain
800
516
H. Alwi et al.
(a) overall trajectory
(b) zoomed trajectory near the runway Fig. 18.8 SIMONA flight trajectory of EL AL 1862 scenario with model reference SMC c controller with control allocation. Google Earth
18
Sliding Mode FTC with SIMONA Evaluation: EL AL Flight 1862 Incident
517
figure shows the actual SMC controller trajectory under the EL AL 1862 failure condition. The overall trajectory shows the aircraft manages to reach Runway 27.
18.6 Conclusions This chapter has presented piloted flight simulator results associated with the EL AL flight 1862 (Bijlmermeer incident) scenario. The results represent the successful implementation of a FTC SMC controller on the SIMONA 6-DOF flight simulator configured to represent a large transport aircraft with experienced pilots flying and evaluating the controller. The results show that not only does the proposed SMC scheme work in a no-fault condition, but it also facilitates a safe positioning of the aircraft for landing on the designated runway in EL AL flight 1862 failure conditions. This is achieved without requiring controller reconfiguration and in the absence of any information about the failures.
References 1. Alwi, H., Edwards, C., Stroosma, O., Mulder, J.A.: Fault tolerant sliding mode control design with piloted simulator evaluation. AIAA Journal of Guidance, Control and Dynamics 31(5), 1186–1201 (2008) 2. Alwi, H., Edwards, C., Stroosma, O., Mulder, J.A.: Piloted sliding mode FTC simulator evaluation for the EL AL Flight 1862 incident. In: AIAA Guidance, Navigation, and Control Conference (2008) 3. Anon. El al flight 1862, aircraft accident report 92-11. Technical report, Netherlands Aviation Safety Board, Hoofddorp (1994) 4. Edwards, C., Spurgeon, S.K.: Sliding Mode Control: Theory and Applications. Taylor & Francis, London (1998) 5. H¨arkeg˚ard, O., Glad, S.T.: Resolving actuator redundancy - optimal control vs. control allocation. Automatica 41(1), 137–144 (2005) 6. Liu, G.P., Patton, R.J.: Eigenstructure Assignment for Control System Design. John Wiley & Sons, Chichester (1998) 7. Smaili, M.H.: Flight data reconstruction and simulation of EL AL Flight 1862. Graduation Report, Delft University of Technology (1997) 8. Shin, D., Moon, G., Kim, Y.: Design of reconfigurable flight control system using adaptive sliding mode control: actuator fault. Proceedings of the Institution of Mechanical Engineers, Part G (Journal of Aerospace Engineering) 219, 321–328 (2005) 9. Shtessel, Y., Buffington, J., Banda, S.: Tailless aircraft flight control using multiple time scale re-configurable sliding modes. IEEE Transactions on Control Systems Technology 10, 288–296 (2002) 10. Utkin, V.I.: Sliding Modes in Control Optimization. Springer, Berlin (1992) 11. Wells, S.R., Hess, R.A.: Multi–input/multi–output sliding mode control for a tailless fighter aircraft. Journal of Guidance, Control and Dynamics 26, 463–473 (2003)
Part V
Conclusions
Chapter 19
Industrial Review Philippe Goupil and Andres Marcos
19.1 Introduction The transition of the potentially viable fault tolerant flight control methodologies, as developed and evaluated within this GARTEUR Action Group, towards practical applications, requires a critical look at the design and safety issues concerning the developed adaptive control methodologies as an integrated part of the flight control system. Therefore, the aim of this chapter is to provide an evaluation by representatives from industry to look at the potential of the results of this action group for industrial application. This also facilitates the necessary knowledge transfer between academia, research and industry which is one of the main principles of the GARTEUR framework and of this project. Clearly, the application of fault mitigating control technologies, or ‘intelligent’ adaptive control, has benefits in a wide area of industrial domains, but in this research, the evaluation has been focused on the potential within the aerospace community. It is not the intention to assess which of the developed fault tolerant control methodologies is the ‘best’, or has the best performance achieved in the benchmark as compared to other methods. Instead, the main objective is to assess the achieved maturity level, potential and open issues of the fault tolerant control designs, as developed in this action group, in terms of applicability, complexity, compatibility with (future) on-board processor requirements and overall flight safety. This also includes the innovative aspects of the presented control solutions to accommodate potentially catastrophic on-board system failures for recovery of the aircraft and ensure safe continuation of the flight or to improve Philippe Goupil Airbus France, EDYC-CC Flight Control Systems, 316 Route de Bayonne, 31060 Toulouse Cedex 09 e-mail:
[email protected] Andres Marcos Advanced Projects Division, Simulation & Control Section, Deimos Space S.L., Ronda de Pendente 19, Edifices Fitment VI, Madrid, 28760, Spain e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 521–536. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
522
P. Goupil and A. Marcos
the performance and operation of the aircraft in terms of economics and efficiency. It should be remembered that in this GARTEUR Action Group, adaptive control design concepts have been assessed on their viability, both from an aircraft performance and human factors aspect, while issues from an industrial design process perspective, including the required engineering tools, design process efficiency, synthesis and flight clearance have not been taken into account. This could, however, be the subject of a subsequent research programme in which the fault tolerant flight control algorithms that have been designed and demonstrated can be used as a starting point. The evaluation of the results of this GARTEUR Action Group, as described in this chapter, has been performed by several organisations. These include Airbus, representing the European aircraft manufacturing industry and DeimosSpace, an aerospace company specializing in industrialization of innovative guidance, navigation and control solutions.
19.2 Considerations for Commercial Aircraft - AIRBUS As previously mentioned in Part I, the introduction of Fly-By-Wire (FBW) systems led to more sophisticated control of the aircraft and flight envelope protection functions. In parallel, the number of failure cases to be considered in the design of an aircraft is increasing significantly because of the growing complexity of equipment and systems. Similarly, the introduction of Electrical Flight Control Systems (EFCS) led to a number of interactions with flight physics disciplines involved in the design of an aircraft, in particular in the case of failures. These interactions must be taken into account very early in the conception of an aircraft and all along its development process. This is why fault tolerance and fault detection are key points in the design of a safety-critical EFCS created to meet very stringent requirements in terms of safety and availability. Compliance with these requirements is crucial to obtain the certification that is necessary to allow the use of an aircraft in a civil environment in complete safety. The state-of-practice for an aircraft manufacturer to diagnose and to tolerate faults, and then to obtain full flight envelope protection under all possible external disturbances, is to provide high levels of hardware redundancy. Relying on this strong redundancy, fault detection is mainly performed by cross checks, consistency checks, voting mechanisms and built-in test techniques of varying sophistication (although analytical redundancy is used for the detection of a very specific failure case in the A380 EFCS [6]). Fault tolerance relies mainly on hardware redundancy, stringent safety analysis, dissimilarity, physical installation segregation and hardware/software reconfiguration. Here reconfiguration means automatic management following a failure. These standard industrial practices fit into the current aircraft certification processes. However, for upcoming and future aircraft, on the one hand, there is a necessity to be compliant with more stringent safety requirements. However, on the other hand, there is a strong will from the aircraft manufacturers to develop more affordable, cleaner and quieter aircraft for environmental concerns, while keeping the highest safety standards and the highest operational availability. This could lead to the implementation of more advanced
19
Industrial Review
523
algorithms to achieve these stronger and stronger requirements. This is why an aircraft manufacturer like Airbus is very interested to study the viability and capabilities of advanced innovative methodologies, as developed within this GARTEUR Action Group, in order to bridge the gap between industrial needs and academia. Also it is interesting to note the continuous trend to use innovative technical solutions in the aeronautical sector to satisfy the aforementioned safety and societal imperatives: for example the use of Electro-Hydrostatic Actuators (EHA) on the A380 [7]. Other innovations could also contribute in the future to widen the gap between the scientific methods advocated by academia and industrial requirements, justifying collaborative work between both communities. One of the goals of this chapter is to provide an industrial perspective on the results of this GARTEUR Action Group, to assess the maturity level of the developed designs and to evaluate any missing requirements for a practical certified use on a safety-critical system such as a large civil aircraft. First, it is useful to start with a brief reminder of the main current industrial constraints and limitations for a practical real-time algorithm implementation in a safety-critical environment. In subsequent sections, some comments and recommendations for the possible use of the proposed methodologies in the EFCS of a large civil aircraft are proposed.
19.2.1 Industrial Limitations and Constraints From the perspective of activating a Fault Tolerant strategy, if any fault detection information is demanded, a low false alarm rate is required in order not to degrade the operational reliability. The false alarm rate must be lower than the Flight Control Computer Mean Time Between Failure (MTBF, i.e the arithmetic mean (average) time between failures of a system). Similarly, a low non-detection rate is required on a safety-critical system as the consequences of a failure might be critical. All failures with potentially a catastrophic consequence must be demonstrated to be extremely improbable to obtain certification: that is with a probability less than 10−9 per flight hour. Thus, the product of the probability of occurrence of the failure to be detected by the probability of non-detection should be less than 10−9 per flight hour. On a large civil aircraft, the flight control computer computing capacities are low compared to other classical applications (e.g. multimedia). Proven and robust processors must be used for safety-critical applications. For example, the current A340 primary computer processor is an AMD 486 DX4, at 32 MHz, representing about 19 million instructions per second. Consequently, it is very difficult to use advanced processing with a high computational burden, like an on-line optimization algorithm or even wavelet or Fourier transforms. For instance, the matrix triangularization involved in many non-linear filtering techniques is difficult to implement and all elementary operations involved in this case must be detailed at a low level. To implement a complex algorithm, a version must be developed with as much simplifications as possible, by deleting all needless operations and redundancy. In general, a loss of performance occurs after such simplifications and typically a trade-off between complexity and performance must be found.
524
P. Goupil and A. Marcos
As explained previously in the chapter on industrial practices (Part I), the typical Airbus Flight Control Computer architecture consists of two separate independent channels, each with its own clock. Consequently, there is a time asynchronism between both units. In particular some data is recorded in one unit but not in the other.For instance, in Airbus aircraft, dedicated position sensors measure the position of some control surfaces in degrees. These sensors are located inside the control surfaces. A design must be implemented in one unit only and if it requires data from the other unit, there is a time asynchronism to take into account. Moreover, the Flight Control Computers are multi-rate time triggered which means that not all data is processed with the same sampling period, even in the same unit. For example, some data is produced every 40 ms. If a FTC design works with a sampling period of 10 ms then the 40 ms data must be adapted to this faster sampling time, by using for example some prediction filter. This can have a serious impact on a design. Similarly, some useful data like the air and inertial information are sent by other dedicated computers with different sampling periods. This data received in the Flight Control Computer also presents an asynchronism to take into account. Some designs could be sensitive to all these asynchronisms and should be able to deal with it. The industrial use of innovative and advanced designs requires easy tuning for possible use on different control surfaces and different aircraft. If the tuning of some important parameters is too difficult, or requires too specific expertise, then it will not be useful for an industrialist. For instance, the initial tuning of Q and R matrices (the covariance matrices of the process noise and the measurement noise in a state space representation) is a crucial issue for nonlinear filtering (e.g in an Extended Kalman Filter). A bad choice could lead to diverging behaviour. The use of simple approaches with restricted high-level parameters which are easy to tune is also very important to reduce the test phase during the certification procedure. Due to the constraints of a safety-critical system, the convergence and the stability of the designs must be proven to avoid any diverging behaviour that can potentially degrade the availability of the flight control system (a false alarm leads to a system reconfiguration and degrades the hardware redundancy level and potentially the flight envelope protection level). Diverging behaviour could also lead to a numeric overflow entailing an automatic switch-off of the related Flight Control Computer. After this brief reminder of the main industrial limits and constraints for a real-time implementation, the next section is dedicated to an industrial perspective on the GARTEUR Action-Group results.
19.2.2 An Aircraft Manufacturer Perspective It is first interesting to note that the designs developed in this GARTEUR project are mainly model-based approaches that do not need additional hardware, like probes and sensors for example. That means that there is no additional weight (i.e. no aircraft performance degradation), no extra maintenance tasks to perform, no specific monitoring to add. This is a great advantage from an industrial point of view.
19
Industrial Review
525
For possible industrial use it is necessary to be compliant with the computational burden limitation. The Flight Control Computers perform a number of tasks, mainly sensor acquisition and monitoring, flight control law computations, servoloop computation, reconfiguration and monitoring of all the flight control system components. It is then practically impossible to dedicate too much computational load to a single fault detection algorithm dedicated to a single failure case. Similarly, the computational burden of a single Fault Tolerant flight control law must be light as several other functions (like critical event protections) must be integrated within the whole control law. In this sense, the estimation of the computational load of each design presented in Part IV is very interesting from an industrial point of view and can help to identify the impact of the new designs. From the viewpoint of this criterion only, some designs already seem to be suitable for a real-time implementation, although it is difficult to compare the algorithms as they do not perform exactly the same control task. This remark is valid for the current Flight Control Computer capacities and also taking into account the expected performance of the upcoming processors to be used in future aircraft. However, as explained in more detail later in this paragraph, more complete assessments are required before industrial mass use. This could lead to more enriched designs, and then an increase in the whole computational burden. The estimation presented in Part IV is considered as a minimum cost from an industrial standpoint. As explained in Part I, the Flight Control Computer specification includes a description of the software by using a graphical tool composed of a set of elementary symbols each corresponding to a dedicated processing operation (adder, limiter, filter, delay, etc.), before automatic coding. The next step for real-time use of the proposed designs could be coding using a kind of graphical tool in order to split as much as possible the proposed algorithm into elementary operations. This eases the estimation of the computational burden and will answer a requirement from the manufacturer or the equipment supplier in charge of the coding and of the computer hardware. On the other hand, there is a requirement from the specification designers to use high-level blocks of symbols in order to write a clearer and more readable specification. These two contradictory tendencies must be taken into account and a two-level specification writing would be useful from an industrial viewpoint. If the cost of a design is too high, some simplifications must be considered. Such simplifications generally lead to some performance loss. A classical trade-off between complexity and performances must be found. It could also be interesting to quantify the performance of the design for different simplified versions of the algorithm. As previously mentioned, a high-level tuning of the designs would be appreciated from an industrial point of view for easy adaptation to different aircraft or to different flight control surfaces on the same aircraft. For each design method, identification of such high level parameters could be useful to evaluate the applicability in a safety-critical real-time environment. Certification is a key point for industrial use. Validation in a representative environment is a major part of the certification process. In this GARTEUR project, the real-time assessment on a research flight simulator and the piloted evaluation are strong points. It shows the motivation of all the partners not to perform just an
526
P. Goupil and A. Marcos
academic exercise but the will to develop realistic designs with a view to bridge the gap between the innovative scientific methods advocated by the academic community and industrial needs. A complete industrial assessment was not the initial goal of this project, and in any case time and means were also limited. Although the validation goes far, from an industrial viewpoint, it cannot be considered as a comprehensive assessment, at least from the perspective of in-service aircraft use. The following recommendations should be taken into account to complete the validation: first of all, the advanced designs must be intensively tested in fault-free situations, in the whole flight domain and for different aircraft configurations (e.g. to explore the whole weight and balance diagram). One possibility could be to implement a design as dormant software code on a real aircraft during flight tests in order to explore a wide set of scenarios. Similarly it is necessary to perform tests in degraded configurations to assess the robustness in the case of parametric variations. For instance, to simulate a bad Trimmable Horizontal Stabilizer (THS, horizontal tail) configuration that does not correspond to the centre of gravity position, representing a human error in the flight preparation, is a good way to provoke high levels of dynamic behaviour on the elevator on some typical manoeuvres (e.g. ”push over”) and to test the robustness of the design when less deflection is available on the control surfaces. The next step is to assess the designs in the presence of strong external disturbances like wind and turbulence. Another key point concerns the robustness of the designs when they are fed by faulty inputs. For example, the behaviour of the designs must be studied in the case of uncertainty (offsets, bias, drift, delays, noise) on the input flight parameters. One other issue to consider concerns the aircraft performance: the developed designs are supposed to be tolerant to different failures and in particular they allow recovering a controllable aircraft in an extreme situation. However, the most typical failures lead fortunately to non-critical situations where it is still possible to fly. In such a situation, for example a low dynamic control surface runaway, is it better to reallocate control to the remaining control surfaces or to reconfigure on a safe redundant actuator? In the first case the robustness of the flight control system is not degraded in the sense that the redundant hardware is still available, but the aircraft configuration is not optimized, drag is generated and the whole aircraft performance is degraded with a risk of becoming non compliant with regulations like the ETOPS (Extended-range Twin-engine Operation Performance Standards)1. In the second case, the aircraft performance is maintained, without drag, but the availability of the flight control system is degraded. The question is: in non-critical situations, with the current Flight Control System architecture, is it necessary to activate a Fault Tolerant strategy or must the hardware redundancy be used? If such a choice must be made, the switching strategy between both possibilities must be studied. This implies that one possible solution could be to use the certified baseline controller in fault-free configuration, the most probable situation, and to switch on a fault tolerant controller in a faulty situation signaled by the available FDI (Fault Detection and Isolation) information. Such a configuration could also ease the 1
An international (ICAO) rule that restricts twin-engine aircraft to routes that put them within 60/90/180 minutes of an emergency or diversion airport in case of an engine failure.
19
Industrial Review
527
certification of the whole design as the nominal controller, which is active the greater part of the time, is already certified. Following the previous remark, one comment concerns the integration with the current state of the art designs. For instance, with the Airbus flight control law philosophy, the aircraft is protected against critical events, like stall or overspeed. How do the proposed innovative FDI/FTC designs integrate with the current flight control laws? How to integrate the protection in the proposed advanced algorithms? The second comment concerns fault detection. Some of the developed designs require FDI information to be activated. It is useful for industrial use to know if a design requires FDI information or not. If this is the case, what kind of information is needed? Do the designs need already existing FDI information? If it requires information that is not available, what information could be useful? The piloted evaluation on the SIMONA Research flight Simulator added a lot of value in the assessment. It is essential for the designs to meet the end-user expectations. It is also crucial to check that, particularly in a fault-free situation, the controller is ‘flyable’ and that the aircraft handling qualities remain intact. A pilot in the loop is essential for such an analysis. To illustrate that close cooperation between designers and pilots is of great interest, and corresponds to an industrial practice, it is useful to take a concrete example [8]: the Flight Control Law tolerance to engine asymmetry or failure. On a conventional aircraft, such a failure results in constant sideslip and roll rate with a very diverging heading, leading potentially to a difficult situation to manage for the pilots. Before A380, the largest passenger aircraft in the world, FBW Airbus lateral normal laws include a correction and stabilize the aircraft in a steady state of constant bank angle and sideslip, with slowly diverging heading. With the ‘super jumbo’ A380, the so-called ”Y*” lateral law is able to compensate automatically for any lateral asymmetry, for example in the case of engine asymmetry or failure. Initially in the A380 lateral law design, the lateral asymmetry was automatically compensated (passive fault tolerance): sideslip is maintained very close to zero, with a remaining roll angle of a few degrees. However, because of this automatic compensation, pilots could miss an engine failure situation: therefore, a specific means was designed to alert pilots that an engine failure had occurred. Nevertheless, after the first tests, pilots expressed the need to detect an engine failure through an aircraft movement and not only through an audio warning or a simple display in the cockpit. So, it has been decided to simulate the effect of the engine failure through the lateral law by commanding a sideslip in the same sense as the one resulting from the engine failure: thus, the engine failure is felt by pilots like on any other aircraft, but sideslip is smaller and much better controlled. Moreover, rudder and ailerons deflections are calculated in order to minimize the drag while keeping enough maneuverability to safely continue the flight. This example illustrates the necessity for an efficient awareness of the pilot about the aircraft state throughout a movement or a dedicated interface in the cockpit. The professional pilots raised this last point during the SIMONA evaluation: they felt it was useful to be aware that a FTC strategy is activated. This is an important topic for a successful transfer of the GARTEUR Action-Group results to the aircraft industry: the techniques’
528
P. Goupil and A. Marcos
integration and cross-communication with the human operator, as well as with other avionic systems, must be addressed.
19.2.3 Conclusion The GARTEUR Action-Group 16 results can be considered as a first step toward an industrial use of modern Fault Tolerant Control. Indeed, a strong focus was made during the project on the viability of the designs in a real-time environment. The piloted evaluation is also greatly appreciated from the industrial viewpoint, bringing an operational feedback essential for a representative assessment. From a strict aircraft manufacturer standpoint, before envisaging an in-service implementation of these innovative designs, some works remain to be done to complete the assessment. This GARTEUR project did not initially aim at providing such a validation. Moreover, the time and means allocated did not allow a complete industrial assessment. To complement the assessment, it is necessary to take into account all the operational constraints and to explore the whole flight envelope, in nominal and degraded configurations. It must also be honestly confessed that, on the most recent in-service FBW aircraft, the failure scenarios tested in this GARTEUR project would certainly not have had exactly the same consequences as the ones observed in this study, even with the non-FTC baseline controllers. However, the relevance of the FTC strategy is very interesting and promising in some extreme situations when some elements of the Flight Control System are still available to help the pilot to recover a controllable aircraft and to land safely thanks to a more intelligent reallocation of the control commands. In the long term, such adaptive FTC methods, coupled to advanced FDI designs, could potentially help to reduce the number of discrete low-level control laws, to reduce the hardware redundancy and then to save weight with a direct impact on the aircraft performance, to develop a more predictive maintenance and finally, to optimize the tuning of the Flight Control Laws during the flight tests. From an aircraft manufacturer viewpoint, this collaborative work was a very good opportunity to make the academic community sensitive to the industrial constraints and to share current industrial state of the art and practices on FDI and FTC. For upcoming and future programs, in the frame of the aircraft global optimization, innovative designs are needed to support the innovative technologies developed by the aircraft manufacturers to satisfy the evolving safety and societal requirements. Airbus will continue to have a great interest in all collaborative works aimed at bridging the gap between the academic design methods and the industrial requirements.
19.3 Perspectives for Aerospace Applications - Deimos Space In space systems, the usual implementation constraints found in commercial and military aviation, such as computational load and complexity, are also encountered, albeit to a greater degree due to the more limited weight and computational processing capabilities. These more restrictive limitations arise from the expensive cost,
19
Industrial Review
529
around e 10,000 to 20,000 for putting one kilogram of payload into space, and by the lengthier testing and validation processes required to classify any software/hardware as space-ready, which results in a de facto decade-long technological delay. The weight limitation directly affects the system decisions related to hardware redundancy while the computational processing limitation affects those decisions pertaining to the choice of the control and FDI techniques to be used on-board. In addressing these limitations space systems typically use (i) geometric solutions, such as the 4-to-3 inertial measurement units (IMU) configuration found in many satellite systems where four individual IMUs are positioned to provide redundant measurements in three axes -see Figure 19.1, or (ii) complete hardware duplication solution when the criticality of the system is high. An example of the latter is the use of two (fully independent) thruster sets in failover configuration, where the primary set is active until an abnormality is detected at which time the secondary set is activated and the first is switched off -note that in this case, only a fault detection scheme might be required which helps address the processing limitation. For other space systems such as winged atmospheric re-entry vehicles (e.g. Space Shuttle, X33, X38) it was seen in chapter 1 that they have more aircraft-like configurations where more redundant control actuation architectures, such as those presented in this book, can be used – capsules, like the Apollo or Soyuz, are similar but again with more limited weight capabilities compounded, by the more restrictive aerodynamic and controllability characteristics resulting from their lower Lift-to-Drag ratios.
Fig. 19.1 4-to-3 inertial measurement units (IMU) in Proba 2, Verhaert Space. Kruibeke, Belgium. Picture: Paul Hopff.
530
P. Goupil and A. Marcos
The space systems’ stringent hardware redundancy limitation has a positive influence on the consideration of advanced (model-based) FDI/FTC techniques, which provide redundancy without significant weight increase (analytical redundancy). Despite this, the processing limitation as well as implementation, performance, reliability and certification issues have all slowed the use of these techniques in space. Nevertheless, the perspective for the future is bright as there is a growing need to move towards greater space system autonomy which requires ‘intelligent’ technology for self-diagnosis and self-healing. This need is driven by the more challenging requirements of future space missions, examples of which are the lunar/mars robot and human campaigns (such as the very successful NASA Mars Exploration Mission or ESA Exomars and Mars Sample Return, both currently in development), and the in-the-drawing-board science missions involving multi-craft formation flying, Near Earth Objects (NEO) or deep space exploration in general (e.g. ESA Proba3 and the twelve-spacecraft Cross-scale concept, or the joint NASA/ESA LISA mission).
19.3.1 Context and Significance of the FM-AG16 for Space Systems As mentioned above, there are space systems (i.e. atmospheric re-entry vehicles) to which the techniques presented in this book can be more readily transferred since these systems share common problems and potentially require similar solutions to aircraft FDI/FTC. For other space systems such as satellites the techniques presented have for now only limited use since most of the considered approaches take an over-determined (in actuation terms) system perspective or are based on specific particularities of aircraft motion. Of course this limitation is just a reflection that knowledge of a system is critical to develop an appropriate control or FDI scheme and does not imply that the techniques could not be equally well used for satellites or other space systems. Additionally, it is highlighted that despite the inherent differences between aeronautics and space systems, the former have almost always been used as the perfect technological test-bed for the latter – indeed, note the close relationship in the US between space and aeronautics research as epitomized by the NASA Dryden, Glenn and Langley test centers. Thus, the aircraft application of the FDI and FTC technologies presented in this book is highly relevant for the future introduction of the techniques in space as the assessment of the results provides a first glimpse of their technological readiness level (TRL) -see Figure 19.2. It is from this perspective that the following evaluation is undertaken. In order to help contextualize the significance of the results, an assessment of the objectives and evaluation methodology (see Chapters 6, 7 and 16) of the GARTEUR FM-AG16 project is given next. First, it is very commendable that the project did not focus only in fault tolerant approaches but that it also examined the interplay between FDI and FTC, with several of the approaches directly emphasizing and utilizing it. This is very refreshing since most of the fault-related R&D projects in the last two decades have focused
19
Industrial Review
531
Fig. 19.2 Technology Readiness Level scheme, source: NASA
either on FDI or FTC as if they were two independent systems. The latter type of projects typically assume (almost) ideal knowledge on the fault information which then limits the impact of the associated results as the performance of the FDI filter is the main limitation for the performance of an active FTC scheme. Additionally, the evaluation methodology used in GARTEUR 16 involved a very well defined and realistic simulation benchmark, arising from an already mature FDI/FTC aircraft model2, as well as pilot-in-the-loop and a renowned 6DoF motion simulator such as SIMONA, all of which represent a TRL level shift from 3/4 to 5/6. This incremental validation supports the interest of the aeronautics and space fields in these advanced techniques and greatly increases the significance of the results. The main complaint on the evaluation and presentation of the results is that no real examination of the performance versus robustness trade-off is performed for any technique, with for example no design team including a Monte Carlo campaign or even a limited (e.g. maximum and minimum uncertainty) validation assessment. With respect to practical concerns (such as implementation issues, formalization of 2
As indicated in chapter 6, the main aircraft simulation model used in the RECOVER benchmark is the 2003 FTLAB747 version 6.5 developed at the University of Minnesota within the context of the NASA Aviation Safety Project (AvSP) – based on the Delft University/NLR DASMAT and FTLAB Matlab version 4.2 models. The FTLAB747v6.5 has been used in the US during the last 7 years to assess model and data based aircraft FDI and FTC approaches under the auspices of NASA by many Industry and Universities research groups, and as shown in this book, it has evolved in Europe under GARTEUR’s impulse to become a significant and realistic FDI/FTC aircraft benchmark.
532
P. Goupil and A. Marcos
the approaches within an industrial design process, or the addressing of the resulting designs’ certification) it is well recognized that the FM-AG16 project represents a first R&D step towards aircraft implementation of advanced FTC/FDI schemes, and thus sets the path for subsequent more-industrially oriented developments. Nevertheless, it is worth noting that some of the design teams did address the important industrial aspect of tuning and real-time implementation of the designs.
19.3.2 Assessment of the Techniques and Results Due to the usual programmatic complexities of this type of projects, there is some dispersion in the validation of the different approaches (e.g. some of them only use a partial set of the fault scenarios or of the benchmarking metrics), which makes a proper comparative benchmarking on the techniques’ achievements very difficult. Thus, a review of each technique is performed mostly focusing on the techniques results rather than its significance with respect to the other approaches. Chapter 8 describes an on-line sliding mode control (SMC) scheme that in theory necessitates no FDI to fulfill its fault tolerance task. The developed technique addresses the total failure case, which was claimed in the past to be a shortcoming of FTC SMC approaches since it had not been proved that they could consider this case directly in a rigorous manner. A pseudo code of the design process is given as well as insight on the tuning knobs used in the approach, which greatly facilitates judging the possible incorporation of the approach in an industrial design process. The approach presented was evaluated on SIMONA, see chapter 16 and 18, and the results are very deserving -including a very light computational workload as shown in Table 5 of chapter 16-, all of which helps demonstrate the mature level of SMC technology for FTC. Despite the claim that no FDI is necessary, the authors recognize that information on the actuator effectiveness matrix is required, which for space systems -where for example effective thruster firing is very difficult to estimate individually- is tantamount to requiring an actuation FDI scheme. The space industrial plausibility of SMC techniques, and its associate sliding mode observer (SMO), is exemplified by JAXA Micro LabSat (launched in December 14th 2002) which carries a 3-axis SMC attitude controller [5]. Chapter 9 focuses on a FTC system formed by a classical autopilot and a robust control law based on an adaptive model-following (AMF) approach. The use of AMF allows, in principle, stability using Lyapunov conditions, dynamic inversion ideas and a given reference model (that must satisfy the usual invertibility conditions arising from the latter ideas). Good discussions are found on the limitations and practical solutions for the approach, which indicate a very industrially-oriented mentality from the design team. Due to the focus on the FTC component and in trying to satisfy a no-FDI module philosophy, the results for some of the more critical fault scenarios are very challenging to the control law. As shown later by the authors, the proposed FTC-AMF law can be complemented with FDI and optimal control allocation (CA) modules to successfully tackle these more challenging fault scenarios. The technique should not be much more difficult to implement or be
19
Industrial Review
533
more computationally demanding than other adaptive techniques, but will require the usual precautions on numerical integration (of the adaptive gains) and more notably on the selection of the reference models. With respect to this issue, and with a desire to maintain the no-FDI philosophy, it is noted that it should be perfectly plausible to use banks of reference (faulty) models in the spirit of model-reference FDI schemes such as Kalman -although of course this has its own advantages and disadvantages. Chapter 10 and 13 form a cohesive conceptual approach, with a mix of subspaceidentification and model predictive control (MPC) for the first approach and of parametric-identification plus nonlinear dynamic inversion (NDI) for the latter. This cohesion in the approaches arises from the research interaction of two distinct groups at Delft University of Technology. Interest in the space community for MPC-based approaches is increasing due to the nice characteristics of the approach (optimal command input calculation based in predicted output behaviour, multi-objective, elegant theoretical underpinning) and the important computational reductions accomplished in the last few years that address the practical processing shortcomings of these methods. The situation for parametric and subspace identification methods is similar as they both need to deal with closed-loop data, noise and robustness issues in a fast and reliable manner -especially if they are to be used for on-board FDI/FTC. For deep space and NEO missions, where the system time constant from a navigation perspective is relatively slow, MPC should be a good candidate technology to achieve a large degree of autonomy if further improvements towards computationally light identification approaches can be achieved. Similarly, the use of NDI as a control technique is also becoming very standard in re-entry space systems, with for example the Space Shuttle guidance based on inversion concepts, and is expected to become a popular candidate control technique in the future (it is noted that it was used for the flight control system of one of the two X35 Joint Strike Fighter candidates [1]). The technique proposed in Chapter 10 is based on subspace predictive control (SPC), which is a mix of the better-known MPC approach with subspace identification methods. SPC uses input-output data to obtain a prediction of the future outputs, which helps to indirectly account for fault effects, and calculates a onestep-at-a-time control output to optimally achieve the desired objectives. It has the advantage of using closed-loop data in an unbiased, computationally efficient manner by means of a recursive-updating scheme. Similar to chapter 8 the authors also acknowledge the practical advantage of using FDI information and thus apply a multiple-model estimation approach to obtain the required information on the available control surfaces. The chapter discusses the proposed design approach and provides insight on the process with the advantage of including a dedicated section on the real implementation issue (which is a must for MPC-based approaches). The evaluation results show good responses to all the fault scenarios demonstrating the potential of the approach despite the computational workload, see 5 of chapter 16, which in this case is further compounded by the subspace identification component. Chapter 10 is very complete and has two distinct parts: the first presenting the parametric identification approach and the second the adaptive NDI control design
534
P. Goupil and A. Marcos
wrapped around the identification results. The proposed approach has been developed over 20 years at Delft University of Technology, see chapter 4, and as exemplified in chapter 13 and subsequently in the SIMONA evaluation, chapter 17, and consequently it is quite mature. Very detailed insight and comments are given on the approach and on the key issues, which gives a good perspective on its capabilities. The idea of the approach is to address the robustness problem endemic to NDI control solutions by including as precise as possible knowledge of the to-beinverted aircraft dynamics. This knowledge comes from applying a two-step identification method composed of a Kalman-based state estimation step, followed by a least square aerodynamic identification step. The results demonstrate a high level of accomplishment on par with those for the SMC technique of chapter 8 (both in the wide array of fault scenarios covered but also in terms of insight on the approach). From Table 5 of chapter 16, it is seen that the computational load is quite high, which as noted by the authors is the result of the use of an iterative Extended Kalman filter. Chapter 12 uses the well-known robust H∞ approach to design a fault tolerant controller against horizontal stabilizer faults. The authors discuss some very important practical issues for the acceptance of FTC schemes such as FDI detection time delay and switching/activation effects -although the subsequent development only covers them very informally. The approach presented is based on an architecture stemming from the Youla parameterization (actually the four-parameter controller [2] ), which allows the design of a fault tolerant compensator (following anti-windup and input saturation nomenclature [3] ) based on the coprime factorization FDI technique. The approach presented is important in that it allows retaining the nominal controller performance in the no-fault case and only activates the fault tolerant compensator when a fault is unequivocally detected, a property that has great implications towards the certification of such an FTC scheme. As shown in Table 5 of chapter 16, the computational load is comparable to that of the classical baseline controller thanks to the fixed LTI compensator used (and an assumption that the proper FDI information is readily available). H∞ methods, and their natural evolution to linear parameter varying (LPV) approaches, are well-matured control technologies as exemplified by their use in space (Ariane launcher [4]) and aeronautics (an LPV flight control system was the other of the two X35 Joint Strike Fighter candidates [1]). Although H∞ technology, to the best of the author’s knowledge, has not been deployed yet specifically for FDI/FTC in an industrial platform there is a recent flurry of ESA and aeronautical studies aimed at their evaluation within an industrialized setting, which highlights the relevance and maturity of the techniques for space. Chapter 14 presents a combined FDI, NDI and optimal control allocation scheme matured over several years at QinetiQ. A highly appreciated candid account is given by the authors of their experiences on the application of different approaches for each of the three modules from a practical perspective (considering ease of tuning, implementation problems and other aspects in the control design cycle). Additionally, the extremely important (for aircraft) issue of flight envelope protection (FEP) is considered -for space systems this will be relevant possibly only for
19
Industrial Review
535
atmospheric re-entry vehicles and launchers. The results show that the combination of FDI and optimal control allocation can be effectively used and moreover, that a systematic FDIR design process, with fast design turn-around and wide system coverage, can be obtained when all the key modules have achieved a matured independent development stage. Chapter 15 is the only chapter fully dedicated to FDI. The main result is a feasibility proof for complete isolation of actuator faults for the nominal case. The importance of this proof is in providing a minimal number of surface angle sensors required to achieve complete fault isolation. As noted in the chapter’s summary, it is hoped that further research will be performed to develop similar proofs for both sensor and actuator faults, and considering the robustness and noise issues. The achievement of such proofs can have potential implications in space, principally for system design, as it could pave the way to decide early on in the system development process the number and position of the sensors and actuators.
19.3.3 Conclusion In summary, a wide array of techniques have been used, by teams spanning several European countries and backgrounds, in examining the applicability of FDI/FTC technology to aircraft under the auspices of the GARTEUR FM-AG16 project. A well-defined and focused objective, rooted and supported by industrialists, was established and has led to some of the technologies increasing in their TRL level from 3/4 to 5/6 (the latter corresponding to the piloted evaluation at SIMONA). This should be the first of a series of steps, increasingly industrially-oriented, required to further increase the techniques TRL and help bridge the technological gap between the academic developments and the industrial implementations. Among these steps, proper evaluation of the results using standard techniques and metrics that industrialists can relate to should be a must, for example application of worst-case and Monte Carlo analyses leading to a clear understanding of the robustness versus performance trade-off for each technique. From a space application perspective, the project and results are highly relevant due to the difficult validation and testing of the approaches under real space environment conditions, which makes these results a first indispensable step towards their consideration in space.
References 1. Balas, G.J.: Flight control law design: An industry perspective, fundamental issues in control. European Journal of Control 9(2-3), 207–226 (2003); Special issue 2. Jacobson, C.A., Nett, C.N.: An integrated approach to controls and diagnostics using the four parameter controller. IEEE Control Systems Magazine 11(6), 22–29 (1991) 3. Marcos, A., Turner, M., Postlethwaite, I.: An architecture for design and analysis of highperformance robust antiwindup compensators. IEEE Transactions on Automatic Control 52(9) (September 2007)
536
P. Goupil and A. Marcos
4. Mauffrey, S., Meunier, P., Seillier, F., Ganet, M., Rongier, I.: H-infinity control for ariane 5 plus launcher: The industrialisation of a new technology. In: Proceedings of 5th International Conference on Launcher Technology, Madrid, Spain (2003) 5. Terui, F., Noda, A., Nakasuka, S.: Sliding mode attitude control of a bias momentum micro satellite using two wheels. In: Advances in Variable Structure Systems: Analysis, Integration and Applications, pp. 425–441. World Scientific, Singapore (2000) 6. Goupil, P.: Oscillatory Failure Case detection in the A380 Electrical Flight Control System by analytical redundancy. To appear in Control Engineering Practice (2009), doi:10.1016/j.conengprac.2009.04.003 7. Van den Bossche, D.: The A380 Flight Control Electrohydrostatic Actuators, Achievements and Lessons Learnt. In: Proc. 25th Congress of the International Council of the Aeronautical Sciences, Hamburg, Germany (2006) 8. Goupil, P.: AIRBUS State of the Art and Practices on FDI and FTC. In: Proc. of the 7th IFAC Symposium on Fault Detection, Supervision and Safety of Technical Processes, Barcelona, Spain, June 30 - July 3, pp. 564–572 (2009)
Chapter 20
Concluding Remarks Christopher Edwards, Thomas Lombaerts, and Hafid Smaili
20.1 Summary of Achievements The GARTEUR Action Group FM-AG(16) on Fault Tolerant Control, of which this book is the culminating result, has made a significant step forward in terms of bringing novel ‘intelligent’ self-adaptive flight control techniques, originally conceived within the academic and research community, to a higher technology readiness level. Although work still remains to be done before stringent safety and certification requirements are met, as stipulated by the industrial reviewers in the previous chapter, this book should provide a practical reference for the aerospace community on novel fault tolerant flight control techniques and their integration within the aircraft and cockpit environment. This includes studies on the application and integration issues of modern fault tolerant control techniques and a description of several innovative fault tolerant flight control methods. It is hoped that the promising results obtained in this project, and described in this book, will motivate the further maturing, testing and safe integration of the methods. Furthermore, it is hoped the book and the accompanying software will provide a reference, and benchmark for a critical review of new advanced flight control designs. Christopher Edwards University of Leicester, Control and Instrumentation Research Group, Department of Engineering, University Road, Leicester, LE1 7RH, UK e-mail:
[email protected] Thomas Lombaerts Delft University of Technology, Faculty of Aerospace Engineering, Kluyverweg 1, 2629 HS Delft, The Netherlands e-mail:
[email protected] Hafid Smaili National Aerospace Laboratory NLR, Anthony Fokkerweg 2, 1059 CM Amsterdam, The Netherlands e-mail:
[email protected] C. Edwards et al. (Eds.): Fault Tolerant Flight Control, LNCIS 399, pp. 537–539. c Springer-Verlag Berlin Heidelberg 2010 springerlink.com
538
C. Edwards, T. Lombaerts, and H. Smaili
Part I of this book provided a background on the current technological challenges when faced with the problem of improving the survivability and resilience of the next generation of aircraft, while ensuring recovery and safe control of the aircraft during adverse or upset conditions. The application of fault tolerant flight control, as a technology solution to this problem, has been addressed in this project and described in the book. The assessment of several new fault tolerant control design approaches applied to a realistic high fidelity aircraft benchmark problem have been described in Part II and III. Real-time aircraft integration of the controllers was assessed in a joint experimental programme (described in Part IV) that consisted of a unique collaboration between experienced pilots, flight control system design engineers and industry representatives. Industrial perspectives from two leading European aerospace organisations were provided in Part V, which give feedback on the maturity level achieved by the proposed fault tolerant control techniques. This includes aircraft integration issues and areas needing further improvement, testing or attention. From a scientific and research perspective, this project provided an opportunity for undergraduate and post-graduate students to conduct work on the topic of fault tolerant control based on a realistic advanced flight control problem. GARTEUR again proved to be an excellent framework for the exchange of ideas, knowledge and feedback between all member organisations within the Action Group. This resulted in several conference papers, journal and magazine publications, workshops, a special session at a conference, and this book. The GARTEUR RECOVER benchmark, developed in this Action Group as a R R /Simulink platform for the design and integrated (real-time) evaluation Matlab of new fault tolerant control methods, consists of a set of high fidelity simulation and control design tools, including aircraft fault scenarios validated against accident flight data. The benchmark supports tool-based design, and the evaluation of modern fault tolerant control techniques providing engineering insights into control system performance using integrated assessment criteria and high resolution aircraft visualisation. The modularity of the benchmark makes it customisable to address research goals in terms of aircraft type, flight control system configuration, failure scenarios and assessment criteria. This book and the accompanying software, may be used as an introduction to the topic and can be used for educational or demonstration purposes. Within a research or industrial framework, the book and the software tools may provide a reference to support new advanced flight control system designs and testing activities both off-line and in piloted hardware in-the-loop simulation.
20.2 Future Research The proposed fault tolerant flight control designs in this book should be regarded as a first ambitious step towards assessing their potential to improve the recovery and survivability of aircraft in adverse or upset conditions. Follow-on work will be conducted by the research organisations with the Action Group to address the
20
Concluding Remarks
539
areas of improvement identified during the project, both from a design and real-time aircraft integration aspect. Close collaboration with industry will also be maintained. This Action Group in particular demonstrated the importance of protecting the aircraft’s operational envelope following a failure of a critical onboard system or degradation of the aircraft handling characteristics. Based on the experimental evaluations in this project, it was recognised that protection of the operational envelope should be an integral part of any new intelligent self-adaptive control system. This should not only ensure acceptable controllability in degraded conditions, but also safe control of the aircraft within the remaining performance and controllability boundaries. Additional issues requiring more extensive investigation include sensor redundancy, and fault detection and identification requirements to ensure that reliable information is supplied for control reconfiguration and identification of the aircraft operational boundaries. These topics are currently being studied in followup projects as part of continuing work programmes at the Action Group’s organisations – some of which are supported by the European Commission FP7 project ‘ADDSAFE’. Within the international aviation community, urgent measures and interventions are being undertaken to reduce the amount of loss of control accidents caused by mechanical failures, atmospheric events or pilot disorientation. Within this area, the application of fault tolerant and reconfigurable control, including aircraft envelope protection, has been recognised as a possible long term option for reducing the impact of flight critical system failures, pilot disorientation following upsets or flight outside the operational boundaries in degraded conditions (e.g. icing). Fault tolerant flight control, and the (experimental) results of this Action Group, may further support these endeavors in providing technology solutions aiding the recovery and safe control of aircraft in degraded or upset conditions. Several organisations within this Action Group, conducting aircraft upset recovery training and simulation research, will utilise the experience obtained in this project to study future measures in mitigating the problem of loss of control and upset recovery and prevention. The members of the GARTEUR Action Group FM-AG(16) hope that the results of this project will contribute to a further improvement in the safety and quality of tomorrow’s air travel.
Appendix
Getting Started with the GARTEUR RECOVER Benchmark
542
Appendix
1 Introduction The GARTEUR REconfigurable COntrol for Vehicle Emergency Return (RECOVER) aircraft simulation benchmark was developed to demonstrate, both offline and in real-time (piloted) simulation, the performance and viability of newly designed fault tolerant flight control algorithms. The software package, based on the Delft University Aircraft Simulation and Analysis Tool DASMAT [2], is equipped with several simulation and analysis tools, all centered around a generic non-linear aircraft model for six-degrees-of-freedom non-linear aircraft simulations. For high performance computation and visualisation capabilities, the package has been inteR R /Simulink . The tools grated as a toolbox in the computing environment Matlab of the RECOVER benchmark include trimming and linearisation for (adaptive) flight control law design, non-linear off-line (interactive) simulations, simulation data analysis and flight trajectory and pilot interface visualisations. The modularity of the RECOVER software allows customisation by applying user-generated models to the generic package for the simulation of any specific aircraft type or fault R R R /Simulink Real-Time Workshop , scenario. In conjunction with the Matlab the benchmark model is suitable for integration on simulation platforms for piloted hardware in the loop testing. The GARTEUR RECOVER benchmark provides enhanced graphical and R high-resolution aircraft visualisation capabilities, that interface with the Matlab environment, to support tool-based advanced flight control system design and evaluation. This includes, for instance, the visualisation of flight data, the animation of fault or aircraft upset recovery scenarios or (real-time) analysis of flight control system states and performance. The capabilities of the GARTEUR RECOVER benchmark software are suitable for any educational or demonstration purposes, providing insight into the design of adaptive flight control algorithms, aircraft flight dynamics and handling qualities and human factors interfaces. This Appendix provides a practical guide to get started with the GARTEUR RECOVER Simulation Benchmark software package. It provides the necessary steps to install the software (Section 3) and get familiar with the model structure (Section 5) and the main features of the benchmark environment (Section 6). Some practical examples demonstrate the steps necessary to run a benchmark simulation (Section 6.2). It is assumed that the user is familiar with the installation and use of R R /Simulink programming environment (references can be found in the Matlab [13, 14] or on the website of The Mathworks (www.mathworks.com)). For the application of the benchmark, the user should have a basic understanding of general rigid body aircraft dynamics and aircraft simulation modeling. An introduction to these subjects can be found in several excellent books (e.g. [9, 12]). In this aspect, the GARTEUR RECOVER benchmark is an ideal tool to complement any studies on the introduction of flight control and aircraft simulation modeling using challenging design problems. The GARTEUR RECOVER benchmark should be regarded as a research tool providing the flexibility for customisation using a modular structure. As such, the
Getting Started with the GARTEUR RECOVER Benchmark
543
user is encouraged to explore and experiment with the software as much as possible to obtain insight into the model structure and its features, and adapt it to his or her own research requirements. Names and descriptions of blocks and signal definitions in the benchmark model provide a guide for the user on the model interfacing requirements. An introduction to the RECOVER benchmark, including development background, software achitecture, the main features and the aircraft operational characteristics has been provided in Chapter 6 of this book. For more details and insight into the generic simulation architecture, including the GARTEUR RECOVER benchmark mathematical models, applied reference frames, variable definitions and sign conventions the user may refer to the references [2, 3, 4, 5, 6, 7, 8, 10]. The GARTEUR RECOVER benchmark is distributed as open source software to accompany this book on fault tolerant flight control design and simulation for civil transport aircraft. The software package can be downloaded, after registration, from the GARTEUR project website hosted by NLR (www.faulttolerantcontrol .nl). Any updates of the GARTEUR RECOVER benchmark, including documentation and release notes, will be made available via the website.
2 System Requirements R The GARTEUR RECOVER benchmark was designed to run under Matlab 6.5.1 R and Simulink 5.1 as part of Release 13/Service Pack 1 (R13SP1). This means that R R /Simulink . the benchmark model can also be used with higher versions of Matlab To install and operate the benchmark model, any PC that complies with the miniR R mum hardware requirements to properly run Matlab /Simulink is suitable. The website of The Mathworks (www.mathworks.com)) provides further details on R R /Simulink . the hardware requirements to install and run Matlab The graphical visualisation capabilities of the GARTEUR RECOVER benchmark, especially the aircraft animation features, require at least a graphics card that supports Direct3D. OpenGL compatible hardware acceleration is recommended to improve the overall graphics quality and hardware performance of the RECOVER visualisation features. For customisation of the visualisation tool within R R /Simulink , specifically the inputs that drive the graphical displays, a CMatlab R 7.1 compiler needs to be installed. When running the benchmark within Matlab (Release 14) under Windows XP, the buttons of the benchmark main menu do not R 6.5.1 (R13SP1) display correctly. This graphics issue does not occur in Matlab R and should be solved for later versions of Matlab 7.1 (R14). The GARTEUR RECOVER benchmark was tested under Windows XP and Windows VISTA. For the current version of the benchmark (version 2.2) no issues, other then those mentioned in this guide, are known under these operating systems.
3 Installation and Initialisation The GARTEUR RECOVER benchmark software package is distributed via the GARTEUR project site hosted by NLR (www.faulttolerantcontrol.nl).
544
Appendix
After registration, the software can be downloaded as a packed ZIP archive. The following steps are necessary to download and install the benchmark within the R 6.5.1 (R13SP1) environment. Matlab • After registering, download the software package from the GARTEUR project website (www.faulttolerantcontrol.nl). • Unzip the package into a temporary directory. • Copy the unzipped package into a suitable destination directory, preferably into R the Toolbox directory of Matlab . Make sure that the directory structure of the unpacked package is retained. R path. The • Append the RECOVER benchmark directories to the Matlab R Matlab references provide information on how to configure the path. R • Change the Matlab directory to RECOVERv65. Datafiles generated by the benchmark tools will be made available in the data directory. R command • The benchmark can be started by typing recover in the Matlab window which activates the main user menu. This will provide further steps to start running any simulations or exploring the features and models of the RECOVER benchmark. The benchmark can be uninstalled by deleting the directory RECOVERv65. Please make sure that any backup copies are made of the user generated datafiles in the data directory before deleting.
4 License Agreement The GARTEUR RECOVER benchmark package is distributed with this book as a R R /Simulink models of the benchmark are distributed collective work. The Matlab under the Open Software License (OSL) version 3 or later, whereas the benchmark visualisation tool remains copyrighted by NLR (although freely distributable with the RECOVER benchmark). The OSLv3 license allows the user of the software to modify the models according to his or her own requirements and applications and re-distribute the software to other users under the OSLv3 licensing terms and conditions and NLR copyright. Any notices and text, including the attribution to the original developers and the book, should remain in the software package and models. To facilitate the development or application by other users, developers that have adapted the software are required to include an appropriate attribution notice in the source code to inform new users that the original software has changed. The OSLv3 license is available in the file license.txt as part of the GARTEUR RECOVER software package. Please take notice of the licensing terms and conditions before using the software.
5 Model Structure The aim of the following section is to provide an overview of the main model structure of the GARTEUR RECOVER benchmark. This can be used as a starting point
Getting Started with the GARTEUR RECOVER Benchmark
545
to further explore the model. Reference [2] provides information on all the submodels that comprise the generic aircraft simulation in the benchmark including input and output formats of the individual generic simulation blocks. R R /Simulink environment has been developed in a modThe benchmark Matlab ular and layered structure using (masked) system blocks and subsystem blocks. In this structure, each block has its specific input and ouput formats and signal definitions. When customising the RECOVER benchmark simulation for any particular research application, it is important to maintain the model format and signal relationships as much as possible to prevent any inadvertent mismatches between the many subsystems and library components. Due to the complexity of the GARTEUR RECOVER benchmark model, it is recommended to always make use of a version control method to track any changes or revert to a working version of the benchmark if necessary. Chapter 6 of this book provides an introduction to the model structure of the benchmark and its components.
5.1 Model Architecture The software architecture of the GARTEUR RECOVER simulation benchmark (Fig. 1) comprises a combination of generic aircraft models and aircraft specific modules including aerodynamics, flight control systems and propulsion systems. For the RECOVER benchmark, the aerodynamic, flight control systems and propulsion model are representative of the Boeing 747-100/200 aircraft [5, 10]. Through the graphical user interface, the user has access to the RECOVER benchmark simulation and analysis tools (Section 6).
5.2 GARTEUR RECOVER Benchmark Libraries The GARTEUR RECOVER benchmark model consists of a combination of R R R Matlab scripts and Simulink block diagrams. The Simulink block diagrams are built in a layered, modular structure consisting of subsystems with a fixed interface definition between the block inputs and outputs ([2]). In order to ensure consistency, the top-level models have been built from common blocks that are linked to R libraries. All blocks and libraries are contained in the root directory of Simulink R the benchmark called RECOVERv65 (extension v65 referring to Matlab version 6.5.1 (R13SP1)). The RECOVER benchmark libraries can be regarded as a central repository of the main benchmark simulation models. All blocks in the benchmark that are linked to a library are automatically updated by any changes of a library block. As such, it is not recommended to change a library block in the benchmark locally. However, if required, the linked blocks in the benchmark model can be changed when the link to the library is disabled. This is accomplished by selecting R message dialog window which appears as soon as the Disable Link in the Matlab user tries to change the block. In order to change a block in the library, it first needs R edit menu. It should to be unlocked by selecting Unlock Library in the Matlab
546
Appendix
Fig. 1 GARTEUR RECOVER benchmark software architecture and analysis tools relationships
be noted that any changes to the interface definitions of the models in the library should be made carefully. This includes the names of the blocks as the library links use the block names as a reference. A basic library (B747 library.mdl) for the simulation of the B747-100/200 aircraft model in the benchmark, contains the basic aircraft, engine and actuator models, complete with failure models (Fig. 2). For the GARTEUR RECOVER benchmark, an additional library was developed (ag16 library.mdl), based on the basic library, that contains the larger and more extensively modified submodels out of which the top-level benchmark is built (Fig. 3). This extended library contains models of the aircraft, the actuators, the sensors, the classic flight control system and the benchmark failure generator.
5.3 GARTEUR RECOVER Model Components The actual benchmark model (b747 auto g.mdl) is depicted in Fig. 4 and is also described in Chapter 6. The airframe block is the combination of the aircraft aerodynamic model, engines and actuators. It also contains the fault models and the turbulence and wind models. The inputs to this block are twenty-six separately controllable aerodynamic surfaces and four engine controls. The autoflight block
Getting Started with the GARTEUR RECOVER Benchmark
Fig. 2 GARTEUR RECOVER (B747 library.mdl)
benchmark
basic
547
aircraft
simulation
library
represents the implementation of the classic Boeing 747-100/200 autoflight system based on [7]. This is the block that is to be replaced by any new fault tolerant controller design and is intended as a working example of how the new controller is supposed to fit into the aircraft. The classic autoflight system block consists internally of the B747-100/200 hydro-mechanical flight control system model (FCS), which forms the inner control loop, and the autopilot and autothrottle systems which together form the outer control loop. An open-loop simulation model (b747 funpc d.mdl), enabling e.g. real-time interactive ‘engineer-in-the-loop’ simulations, is available as part of the benchmark package (Fig. 5). It contains the same aircraft, engine, actuator model and failure generator as found in the main benchmark model. The open-loop model is in a functional form, i.e. it has explicit inputs (12) and outputs (140). The inputs of the open-loop model consist of the pilot’s controls as found on the Boeing 747 aircraft. The structure of this model is very similar to the model that is used for trimming (b747 trim d.mdl). R To enable real-time ‘engineer-in-the-loop’ simulations, a Simulink S-function block (sf realtime), which emulates approximate real-time conditions, is included in the top level of the open-loop model. An additional block library in the RECOVER R root directory (Stick interface library.mdl) provides a Simulink stick manipulator block to interface with the pilot control inputs of the open-loop model.
548
Appendix
Fig. 3 GARTEUR RECOVER benchmark component library (ag16 library.mdl)
Fig. 4 GARTEUR RECOVER benchmark main model components (b747 auto g.mdl)
Getting Started with the GARTEUR RECOVER Benchmark
Fig. 5 GARTEUR RECOVER (b747 funpc d.mdl)
functional
model
549
for
open-loop
simulation
Depending on the stick configuration, adaptation of the stick interface model by the user might be necessary. R model structure at Level 5 of the benchmark Fig. 6, shows the Simulink airframe block. This level shows the main layout of the RECOVER aircraft simulation model consisting of the generic simulation models and aircraft specific modules. The aircraft specific modules (Airframe model (AFM) block and Engine frame model (EFM) block indicated with a blue background) can be customised for any particular aircraft taking into account the interface definitions of the blocks. The blocks that are not specific for any aircraft and that are part of the generic simulation models ([2]) are displayed with a white background. The generic simulation blocks consist of: AIRDATA block The atmospheric and airdata parameters are calculated in this block. The equations R S-function ac.atmos.mex. are compiled in a MEX-type Simulink WIND/TURBULENCE block In this block, the wind and gust velocities are calculated based on user-supplied R S-functions of wind and turbulence models. The benchmark simulaSimulink tion uses zero wind and zero turbulence conditions by default. The block includes a switching capability for the selection of a turbulence model based on Dryden spectra
550
Appendix
R block diagram showing main aircraft Fig. 6 GARTEUR RECOVER benchmark Simulink simulation model at Level 5 of the airframe system block
or a wind model that includes a wind profile based on meteorological data estimated at the time of the Flight 1862 aircraft accident. AFM block In this block the forces and moments of both the aircraft aerodynamics and turbulence are calculated. The aerodynamic forces and moments are determined from the aircraft specific aerodynamic model. EFM block This block calculates the propulsion forces and moments based on the aircraft specific engine model. GRAVITY block This block calculates the components of the gravity force in the air-path, stability, body and moving earth reference frames. The gravity force is calculated in the moving earth reference frame from the aircraft mass and the altitude varying gravity acceleration.
Getting Started with the GARTEUR RECOVER Benchmark
551
FM SORT block In this block all forces and moments calculated from the aerodynamic model, turbulence model, propulsion model and gravity model are combined and added. EQM block This block includes the aircraft equations of motion and are solved resulting in the aircraft states and their derivatives. In addition, the aerodynamic and total forces and moments and their coefficients are corrected for the α˙ - and β˙ - contributions. OBSERVATIONS block The observation parameters of the RECOVER benchmark are calculated in this block. The parameters are arranged in several subgroups, calculated in subblocks, consisting of accelerations, linear velocity time derivatives, flight-path related parameters and measurements outside the center of gravity. A complete list of the benchmark observation output signal formats is provided in Section 8.
6 Using the GARTEUR RECOVER Benchmark This section describes the structure and operation of the different (customisable) GARTEUR RECOVER benchmark tools which can be accessed via the RECOVER graphical user interface. A few user examples are provided demonstrating the procedures to conduct a simulation under a particular aircraft condition, perform linearisation of the non-linear aircraft model and utilise the aircraft visualisation features.
6.1 Main Menu The GARTEUR RECOVER benchmark simulation and analysis tools can be acR cessed via a Matlab graphical user interface (Fig. 7). The benchmark main menu R can be started by typing recover in the Matlab command window. The user options in the menu are divided into three main sections allowing the user to perform benchmark initialisation and simulations (Simulation) and run the analysis tools (Analysis) including aircraft linearisation, plotting of simulation results and flight control assessment criteria and aircraft visualisation. A help section on the main menu (Reference) provides a quick reference for operation and customisation of the GARTEUR RECOVER benchmark. 6.1.1
Open-Loop Simulation
The Open-Loop Simulation button (Fig. 8) in the Simulation section of the benchmark main menu will activate the initialisation of an open-loop simulation of a newly designed control algorithm. During initialisation, the calculation of a (user specified) trim condition is performed, and a particular test scenario and aircraft failure mode can be selected. Section 6.2 demonstrates the required steps to perform a typical open-loop simulation.
552
Appendix
Fig. 7 GARTEUR RECOVER benchmark graphical user interface
Fig. 8 Open-loop simulation initialisation button
6.1.2
Closed-Loop Simulation
The Closed-Loop Simulation button (Fig. 9) in the main menu activates the initialisation of a closed-loop benchmark simulation. As with the initialisation of an openloop simulation, the calculation of a (user specified) trim condition is performed and a particular test scenario and aircraft failure mode can be selected. It should be noted that the closed-loop simulation is performed using preset test scenarios as specified for the GARTEUR fault tolerant control benchmark (Chapter 6 and 7 of the book provide details on the test scenario specifications based on predefined aircraft operational requirements). An example in Chapter 6 describes the initialisation procedure to perform simulations using the closed-loop benchmark model.
Getting Started with the GARTEUR RECOVER Benchmark
553
Fig. 9 Closed-loop simulation initialisation button
6.1.3
Linearise Aircraft
For control law design purposes, the non-linear aircraft model can be linearised using a basic linearisation routine that is available as part of the RECOVER benchmark tools. The linearisation routine allows a linear model with twelve states and 29 control inputs (25 control surfaces and 4 engines) to be obtained. In the current version of the benchmark, the linearisation can only be done for the total non-linear model perturbing all twelve states and 29 control inputs. Separation into a symmetric or asymmetric linear model is an option reserved in the linearisation routine but is not yet implemented. The user may refer to reference [2] for further customisation of the benchmark linearisation routine. To obtain a linearised model, a trimmed flight condition needs to be calculated via the initialisation of a closed-loop or open-loop simulation. Fig. 10 and 11 illustrate the calculation steps of an example trim condition (TESTlin4.tri). When a trimmed flight condition is determined, the linearisation of the non-linear aircraft model can be started by using the Linearise Aircraft button in the benchmark main menu which activates the linearisation procedure (Fig. 12). The matrices of the calculated linear model, which is given in state-space form, R are available as the variables Alin, Blin, Clin, Dlin in the Matlab workspace. Note that the variable Alin is in radians but all control surface deflections (except for thrust which is in Newtons) in the matrix variable Blin are in degrees. For the purpose of designing a controller, it might be better to convert the Blin matrix back to radians (this can be done by multiplying the columns of Blin , associated with the control surface deflections, with 180/π ). The ordering of the states xlin and the control surfaces ulin of the total linear model described by the matrices Alin and Blin are as indicated in equation (1). The spoilers #6 and #7 are ground spoilers and are not used during flight. The 10th and 11th columns associated with these control surfaces can therefore be neglected during design. Also note that the number of columns of the Blin matrix is 29. The 30th column is associated with the landing gear and has not been included in the linear model. An example linear model can be accessed through the file TESTlin4.lin, available in the benchmark data folder, using the command R window. load -mat TESTlin4.lin in the Matlab
554
Fig. 10 Initialisation of benchmark trim conditions
Appendix
Getting Started with the GARTEUR RECOVER Benchmark
Fig. 11 Calculation of benchmark trim condition
555
556
Fig. 12 Initialisation and calculation of linearised benchmark model (total model)
Appendix
Getting Started with the GARTEUR RECOVER Benchmark
557
Total model: ⎧ ⎪ ⎨ xlin = pb qb rb VTAS α β φ θ ψ he xe ye ⎪ ⎩ ulin = δair δail δaor δaol δsp1−12 δeir δeil δeor δeol δih δru δrl δ f o δ f i δTN 1−4 (1) After the completion of the steps in Fig. 12, the quality of the linearisation routine can be evaluated by comparing the states (around the trimmed flight condition) between the linear and non-linear model using small actuator deflections. This is done R model called b747 auto g LINcheck.mdl and the by running the Simulink plotting routine plotBENCHMARKtestLINandNL.m. The user needs to make a selection of the actuator to be used as perturbation input for the comparison depending on which axis is to be tested (e.g. to test the quality of the lateral axis, 1.5deg of right aileron and -1.5deg of left aileron can be used). Any control input for a particular actuator to excite the linear model can be defined in the airframe for LINEAR comparison test block within the model b747 auto g LINcheck.mdl. Fig. 13, 14 and 15 show example plot results allowing the comparison of the linearised model (TESTlin4.lin) and the non-linear model after a spoiler
Fig. 13 Plots showing actuator deflections (spoilers deflected 1.5 degrees at t=1s) for comparison of linearised model (TESTlin4.lin) and non-linear model
558
Appendix
Fig. 14 Plots showing longitudinal states for comparison of linearised model (TESTlin4.lin) and non-linear model (NL: non-linear model, lin: linear model)
Fig. 15 Plots showing lateral states for comparison of linearised model (TESTlin4.lin) and non-linear model (NL: non-linear model, lin: linear model)
Getting Started with the GARTEUR RECOVER Benchmark
559
deflection input of 1.5 degrees. The aircraft states are given in radians while altitude (he ) and ground distance (xe ) are given in meters. 6.1.4
Plot Simulation Results
The Plot Simulation Results button (Fig. 16) activates the plotting function of the benchmark following a closed-loop or open-loop simulation. The plot function, called via the script plot sim.m, generates additional time responses of the aircraft including the aircraft states, pilot control deflections and specific forces. Example aircraft simulation responses obtained by the plot function are illustrated in the user examples (Chapter 6 and paragraph 6.2). 6.1.5
Show Assessment Criteria
Following a simulation (open-loop, closed-loop or via manually controlled inputs in the open-loop functional model (Fig. 5)), the performance of the designed fault
Fig. 16 Simulation time responses activation button
Fig. 17 Benchmark assessment criteria activation button
560
Appendix
Fig. 18 Benchmark assessment criteria plots for Right Turn and Localiser Intercept phase showing aircraft states with evaluation criteria
tolerant control algorithms can be evaluated using the benchmark assessment criteria. The assessment criteria are provided as plots for each phase of the benchmark scenario (Chapter 6) and can be generated using the Show Assessment Criteria button (Fig. 17) after a simulation. Fig. 18, 19 and 20 show example plots for the Right Turn and Localiser Intercept phase of the benchmark scenario. Chapters 6 and 7 provide further details on the benchmark scenario specifications and definition of the assessment criteria parameters as used in the plots. 6.1.6
RECOVER Visualisation
The GARTEUR RECOVER benchmark aircraft visualisation and animation tool (Fig. 22) provides a high-resolution visualisation of the benchmark’s approach and landing scenario and flight trajectory. The RECOVER visualisation tool is specifically aimed to support interactive (real-time) fault tolerant flight control design and evaluation for civil transport aircraft. The visualisation features include graphic renditions of the aircraft, cockpit flight instrumentation and aircraft geographic environment (Amsterdam Schiphol airport and surroundings). The RECOVER interactive simulation and visualisation window can be activated via the RECOVER Visualisation button following initialisation of an open-loop or closed-loop simulation.
Getting Started with the GARTEUR RECOVER Benchmark
561
Fig. 19 Benchmark assessment criteria plots for Right Turn and Localiser Intercept phase showing kinematic accelerations in body axes with evaluation criteria
(a) Horizontal trajectory
(b) Vertical trajectory
Fig. 20 Aircraft trajectory plots for Right Turn and Localiser Intercept phase
562
Appendix
Fig. 21 Interactive simulation and visualisation activation button
Fig. 22 GARTEUR RECOVER benchmark interactive simulation and visualisation window showing aircraft model with separated right-wing engines (Flight 1862 accident scenario)
A graphical pilot interface shows the basic flight instrumentation based on specifications of the electronic flight instrument system (EFIS) displays as found on the B747-400 aircraft. The RECOVER EFIS displays are configured to show the primary aircraft state parameters, flight control system state and engine thrust parameters. Additional features on the displays, not found on the standard B747-400 instrumentation, are included to assess the human-machine interfacing (HMI) aspects of new fault tolerant flight control algorithms. For these design applications, the RECOVER benchmark primary flight display (PFD) has the capability to display, for instance, the aircraft’s bank, pitch and airspeed envelope protection limits
Getting Started with the GARTEUR RECOVER Benchmark
563
as calculated by a new self-adaptive control system. The lower display (Engine Indicating and Crew Alerting System (EICAS) display) shows the engine parameters, using Engine Pressure Ratio (EPR) as the main thrust setting reference, inboard trailing edge flap position and landing gear status. Additional aircraft state information on the EICAS display includes angle-of-attack, sideslip and load factor. The EICAS display also enables monitoring of the activity of the flight control system and control law performance by presenting all individual control surface deflections. A basic 3D aircraft model, representing the B747-100/200 aircraft, and the aircraft’s reconstructed flight path in the out-the-window view allows analysis of the flight trajectory and maneuvers. The following features of the interactive simulation window can be controlled by keyboard and mouse: • • • • • • •
shift -W: switch to aircraft view mode shift -A: switch to cockpit view mode shift -C: Activate free viewing (aircraft view mode) P: Activate/deactivate aircraft flight path (aircraft view mode) Left mouse/touch pad button: zoom out (aircraft view mode) Right mouse/touch pad button: zoom in (aircraft view mode) Mouse or touchpad: Move viewpoint (aircraft view mode)
Fig. 23 shows the information available on the RECOVER benchmark primary flight display. Fig. 24 provides a description of the parameters that are available on the RECOVER benchmark EICAS display. For a realistic visualisation of the benchmark scenario, the RECOVER visualisation tool includes a high-resolution geographic rendition of the Amsterdam area including a detailed layout of the Amsterdam Schiphol Airport runway configurations (Fig. 25). Currently, only runway 27 is configured with an instrument landing system (ILS) as part of the GARTEUR benchmark scenario. However, further customisation of the airport approach and landing aids is possible within the benchmark model (e.g. an extension of ILS availability). The aircraft’s flight trajectory can be visualised by pressing P before starting, or during, a (real-time) simulation. Fig. 26 and Fig. 27 illustrate the flight path visualisation capability in the RECOVER out-the-window view (free viewing mode), following a simulation of a landing test scenario and in-flight maneuver. Although not part of the GARTEUR benchmark scenario, runway 06 of the Schiphol airport scenery is equipped with approach lighting and a visual approach slope indicator (VASI) (Fig. 28 and 29) to replicate the pilot’s viewpoint during a typical approach and landing test scenario under visual meteorological conditions (VMC). All parameters presented on the RECOVER flight instrumentation displays and R incontrolling the out-the-window view are available as inputs via a Simulink terface in the output & visualisation block (top system level). The RECOVER visualisation window input variables, including the signal element number, variable name, dimension and description are summarised in Tables 1 and 2.
564
Appendix
Fig. 23 GARTEUR RECOVER benchmark primary flight display (PFD) elements
1 2 3 4 5 6
ILS DME distance Pitch envelope limit Radio altitude Selected altitude Bank angle envelope limit Altitude
12 13 14 15 16 17
7 8 9 10
Vertical speed Selected altitude Vertical speed Atmospheric pressure (QNH)
18 19 20 21
11 Glideslope indicator
22
Flight director Localiser indicator Selected heading Magnetic heading ILS course Minimum speed (red) and minimum maneuvering speed (yellow) Attitude indicator Indicated airspeed Selected airspeed Maximum speed (red) and maximum maneuvering speed (yellow) Selected airspeed
Getting Started with the GARTEUR RECOVER Benchmark
565
Fig. 24 GARTEUR RECOVER benchmark engine indicating and crew alerting system (EICAS) display elements
1
Total air temperature
2 3
Landing gear indicator 8 Commanded and actual inboard 9 trailing edge flap position Angle-of-attack (ALFA), sideslip 10 (BETA) and load factor (GLOAD) Right-wing inboard and outboard 11 aileron position Right-wing spoilers #7 to #12 posi- 12 tion
4 5 6
7
Right inboard and outboard elevator position Stabiliser position Left-wing spoilers #1 to #6 position Left-wing inboard and outboard aileron position Upper and lower rudder position Engine pressure ratio (EPR) and maximum EPR
566
Appendix
Fig. 25 GARTEUR RECOVER benchmark geographical rendition of Amsterdam Schiphol airport and runway configurations and dimensions
Getting Started with the GARTEUR RECOVER Benchmark
Fig. 26 Aircraft flight path visualisation during approach and landing test scenario
Fig. 27 In-flight maneuver visualisation in free viewing mode
567
568
Fig. 28 Amsterdam Schiphol runway 06 visual landing aids and ground textures
Fig. 29 Visual Approach Slope Indicator (VASI)
Appendix
Getting Started with the GARTEUR RECOVER Benchmark
569
Table 1 Aircraft state and navigation input variables for the GARTEUR RECOVER benchmark visualisation tool (output & visualisation block) Input no. 1 2 3 4 5 6 7 8
Variable
Dimension
Description
TIMERUN VCAS VSEL VGND Reserved input MACH MACHSEL VSELKTS
s knots knots knots
Simulation time Calibrated airspeed Selected airspeed Ground speed
9 10 11 12 13 14
VS VSSEL VSSELSET VMAX VSTALL WHEELSONGND
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53
PHI PHILIM THETA THETALIM PSIM PSI PSISEL GHIM GHI MAGVAR ALFA BETA ALTBAROL ALTSEL ALTGND FDSETL Reserved input FDTHETACOM FDPHICOM ILSDMEL ILSCOURSEL LOCDEVL GLSDEVL LOCSHOWL GLSSHOWL ACLATR ACLONR Reserved input Reserved input Reserved input Reserved input Reserved input Reserved input Reserved input Reserved input Reserved input STATICTEMP Reserved input GSTATUS
– Mach number – Selected Mach number 1=VSEL / Selected speed mode 0=MACHSEL feet/min Vertical speed feet/min Selected vertical speed 1=on / 0=off Show selected vertical speed knots Maximum airspeed knots Stall speed 1=ground / Wheels on ground 0=flight deg Bank angle deg Bank angle envelope limit deg Pitch angle deg Pitch angle envelope limit deg Magnetic heading angle deg True heading angle deg Selected heading angle deg Magnetic track angle deg True track angle rad Magnetic variation deg Angle-of-attack deg Sideslip angle feet Baro-corrected altitude feet Selected altitude feet Radio altitude 1=on / 0=off Show flight director deg deg NM deg dot dot 1=on / 0=off 1=on / 0=off rad rad
Flight director pitch command Flight director roll command DME distance ILS ILS course ILS localiser deviation ILS glide slope deviation Show localiser deviation Show glideslope deviation Aircraft latitude Aircraft longitude
K
Static air temperature
g
Load factor
570
Appendix
Table 2 Flight control system and engine state input variables for the GARTEUR RECOVER benchmark visualisation tool (output & visualisation block) Input no. 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73
Variable
Dimension
Description
EPR EPR EPR EPR EPRMAX Reserved input Reserved input PITCHTRIM DGEAR Reserved input DFLAP DFLAPCOM AILLINBOARD AILRINBOARD AILLOUTBOARD AILROUTBOARD ELEVLEFT ELEVRIGHT ELEVLEFT2 ELEVLEFT2
– – – – –
Engine pressure ratio #1 Engine pressure ratio #2 Engine pressure ratio #3 Engine pressure ratio #4 Maximum engine pressure ratio
74 75 76 77 78 79 80 81 82 83 84 85 86 87 88
DRUDDER DRUDDER2 SPOILLEFT1 SPOILLEFT2 SPOILLEFT3 SPOILLEFT4 SPOILLEFT5 SPOILLEFT6 SPOILRIGHT1 SPOILRIGHT2 SPOILRIGHT3 SPOILRIGHT4 SPOILRIGHT5 SPOILRIGHT6 LEXPSW3
88
LEXPSW4
deg Stabiliser trim angle 1=down / 0=up Landing gear selection deg deg deg deg deg deg deg deg deg deg
Flap angle (inboard flaps) Demanded flap angle Left inboard aileron deflection Right inboard aileron deflection Left outboard aileron deflection Right outboard aileron deflection Left inboard elevator deflection Right inboard elevator deflection Left outboard elevator deflection Right outboard elevator deflection deg Upper rudder deflection deg Lower rudder deflection deg Spoiler #6 deflection deg Spoiler #5 deflection deg Spoiler #4 deflection deg Spoiler #3 deflection deg Spoiler #2 deflection deg Spoiler #1 deflection deg Spoiler #7 deflection deg Spoiler #8 deflection deg Spoiler #9 deflection deg Spoiler #10 deflection deg Spoiler #11 deflection deg Spoiler #12 deflection 1=engine #3 Switch to remove engine #3 from separated/ 0=en- 3D model (Flight 1862 accident gine #3 not scenario) separated 1=engine #4 Switch to remove engine #4 from separated/ 0=en- 3D model (Flight 1862 accident gine #4 not scenario) separated
Getting Started with the GARTEUR RECOVER Benchmark
6.1.7
571
Help RECOVER
The Help RECOVER button (Fig. 30) provides a quick reference guide to start using and customising the RECOVER benchmark.
Fig. 30 Benchmark help button providing access to quick reference guide
6.2 User Example In this section, the required steps for a typical open-loop simulation within the GARTEUR RECOVER benchmark (b747 funpc d.mdl) are demonstrated for the investigation of the aircraft behaviour under the influence of failures. As an example failure mode, the loss of the vertical tail (Chapter 6) is simulated, which makes the aircraft unstable in roll and yaw and also removes the rudder control. Chapter 6 of the book describes a user example to conduct a simulation with the closed-loop model involving the separation of both right-wing engines (Flight 1862 accident R command line scripts are set up to give reasonable default scenario). The Matlab values for all questions during initialisation of the simulation. The user may enter the correct data if he wants to deviate from the default values. The user input prompt is indicated by a semicolon during initialisation. Fig. 31: After selecting Open-Loop Simulation in the main menu, the open-loop R command window and the first step is to initialisation is started in the Matlab define the failure model. For this example, the loss of vertical tail failure case is chosen (failure mode #9). The aircraft configuration may then be entered including the weight and balance of the aircraft and initial values for the pilot control inputs used for trimming. For the initial trim values of the controls, it is usually sufficient to accept the default values here. For this example, the aircraft is setup in the standard condition (clean configuration, he =2000ft, VTAS =260kts). Fig. 32: The next step is to choose the flight condition. The straight-and-level trim condition is chosen and the flight path angle and rate of climb are set at the default values. This sets up the trim routine. Fig. 33: The program continues with the start of the optimisation to determine the trim condition. For trimming, the b747 trim d.mdl model is used. The trim routine runs and gives a trim result in terms of stabiliser deflection and thrust. If the trim results are acceptable, the required EPR setting is derived from the thrust in the next step.
572
Appendix
Fig. 31 Selection of failure mode and aircraft configuration
Fig. 34: After the trim condition is calculated, the user is first asked to define a test input signal for an open-loop simulation. Note that the test signals are applied to the pilot control inputs and not to the separate control surfaces. The simulation is then performed using the open-loop model b747 funpc d.mdl. Any saved inputs and outputs are located in the data subdirectory.
Getting Started with the GARTEUR RECOVER Benchmark
573
Fig. 32 Selection of flight condition
Finally, a few time responses can be made to show the results. These plots are generated by the plot sim script. Fig. 35 shows the plotted simulation results of the aircraft states following an aileron doublet at t=2s . As can be seen in the plots, the aircraft with missing tail becomes unstable in the lateral axis after the aileron doublet at t=2s. The pilot control inputs are shown in Fig. 36. The calculated specific forces are also plotted and are shown in Fig. 37. The effect of the loss of directional stability due to the missing vertical tail is clearly visible in the lateral acceleration (Ayb ) response.
7 Aircraft and Flight Control System Specifications Fig. 38 and Table 3 provide aircraft operational data and geometric dimensions for both the B747-100/200 and B747-200F (freighter version) as simulated in the benchmark. The B747-100/200 flight control system characteristics, including arrangements and operating limitations, are illustrated in Fig. 39 and Table 4. For the benchmark simulation, the B747-100/200 hydraulic and flight control system specifications were taken from [5, 10].
8 Signal Formats This section provides a reference on the signal formats and observation outputs as available in the top system level (Level 1) of the closed-loop (b747 auto g.mdl) and open-loop (b747 funpc d.mdl) benchmark models. For all signal formats, the signal number, name, symbol, dimension and a description are provided. The GARTEUR RECOVER benchmark observation outputs follow the signal formats as described in reference [2].
574
Fig. 33 Optimisation and trim routine results
Appendix
Getting Started with the GARTEUR RECOVER Benchmark
Fig. 34 Test input signal definition for open-loop simulation (b747 funpc d.mdl)
575
576
Appendix
Fig. 35 Aircraft state response after an aileron doublet at t=2s with open-loop benchmark model (b747 funpc d.mdl) and loss of vertical tail failure mode
Fig. 36 Pilot control inputs showing aileron doublet as test signal at t=2s
Getting Started with the GARTEUR RECOVER Benchmark
577
Fig. 37 Aircraft specific forces in body axes after an aileron doublet at t=2s with open-loop model (b747 funpc d.mdl) and loss of vertical tail failure mode
Fig. 38 Boeing 747-100/200 large transport aircraft
578
Appendix
Table 3 B747-100/200 series operational data and geometric dimensions
Wing area Wing mean aerodynamic chord (MAC) Wing span Length overall Height overall Engines
B747-100/200
B747-200F (Freighter)
511 m2 8.324 m 59.65 m 70.66 m 19.33 m Pratt & Whitney JT9D-3
511 m2 8.324 m 59.65 m 70.66 m 19.33 m Pratt & Whitney JT9D7J 222 kN (50,000 lb st)
Takeoff thrust rating (standard day / sea 193 kN (43,500 lb st) level) Maximum takeoff weight 321,995 kg (710,000 lb) Maximum landing weight 255,782 kg (564,000 lb) Maximum zero fuel weight 238,776 kg (526,500 lb) Load factor range flaps up -1.0/+2.5 Load factor range flaps down 0/+2
377,842 kg (833,000 lb) 285,763 kg (630,000 lb) 267,619 kg (590,000 lb) -1.0/+2.5 0/+2
Fig. 39 Boeing 747-100/200 flight control surface arrangements and body axes and moment definitions (L¯ = rolling moment, M = pitching moment, N¯ = yawing moment, p = roll rate, q = pitch rate, r = yaw rate)
Getting Started with the GARTEUR RECOVER Benchmark
579
Table 4 B747-100/200 flight control surface operating limits (positive sign: surface deflection down / spoiler panel up) Control surface
Symbol
Mechanical limit (deg)
Inboard elevator Outboard elevator Stabiliser Inboard aileron Outboard aileron Spoilers #1 - #4 Spoilers #9 - #12 Spoilers #5, #8 Spoilers #6, #7 Upper rudder Lower rudder
δei δeo ih δai δao δsp1−4 δsp9−12 δsp5 , δsp8 δsp6 , δsp7 δru δrl
+17/-23 +17/-23 +3/-12 +20/-20 +15/-25 +45 +45 +20 +20 +25/-25 +25/-25
Two hydraulic system rate (Full boost, deg/sec) +37/-37 +37/-37 +/-0.2 to +/-0.5 +40/-45 +45/-55 +75 +75 +75 +25 +50/-50 +50/-50
One hydraulic system rate (Half boost, deg/sec) +30/-26 +30/-26 +/-0.1 to +/-0.25 +27/-35 +22/-45 0 0 0 0 +40/-40 +40/-40
Table 5 Aircraft states (x) No. 1 2 3 4 5 6 7 8 9 10 11 12
Name pbody qbody rbody VTAS alpha beta phi theta psi he xe ye
Symbol pb qb rb VTAS α β φ θ ψ he xe ye
Dimension rad/s rad/s rad/s m/s rad rad rad rad rad m m m
Description roll rate about body X-axis pitch rate about body Y -axis yaw rate about body Z-axis true airspeed angle of attack angle of sideslip roll angle pitch angle yaw angle geometric altitude horizontal position along earth X-axis horizontal position along earth Y -axis
Table 6 Aircraft state derivatives (xdot) No. Name
Symbol
Dimension
Description
13 14 15 16 17 18 19 20 21 22 23
pbdot qbdot rbdot VTASdot alphadot betadot phidot thetadot psidot hedot xedot
p˙b q˙b r˙b V˙TAS α˙ β˙ φ˙ θ˙ ψ˙ h˙ e x˙e
rad/s2 rad/s2 rad/s2 m/s2 rad/s rad/s rad/s rad/s rad/s m/s m/s
24
yedot
y˙e
m/s
roll acceleration about body X-axis pitch acceleration about body Y -axis yaw acceleration about body Z-axis time derivative of true airspeed angle of attack rate angle of sideslip rate roll attitude rate pitch attitude rate heading rate geometric altitude rate horizontal ground speed along earth Xaxis horizontal ground speed along earth Y axis
580
Appendix
Table 7 Airdata parameters (yair) No. Name
Symbol
Dimension
Description
25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49
pstat rho temp grav hpress hradio Hgeopot Vsound Mach qdyn Reynl qc qrel ptot temptot VEAS VCAS VIAS uwindb vwindb wwindb uwinde vwinde wwinde ug
pa ρ T g hp hR H Vsound M q Re qc qrel pt Tt VEAS VCAS VIAS uwb vwb wwb uwe vwe wwe uˆg
N/m2 kg/m3 K m/s2 m m m m/s – N/m2 – N/m2 – N/m2 K m/s m/s m/s m/s m/s m/s m/s m/s m/s –
50 51 52
alphag betag ugdot
αg βg u˙ˆg
rad rad 1/s
53 54 55
alphagdot betagdot ugasym
α˙ g β˙g uˆgasym
rad/s rad/s –
56
alphagasym
αgasym
rad
ambient pressure air density ambient temperature acceleration of gravity pressure altitude radio altitude geopotential altitude speed of sound Mach number dynamic pressure Reynolds number per unit length impact pressure relative impact pressure total pressure total temperature equivalent airspeed calibrated airspeed indicated airspeed wind velocity along body X-axis wind velocity along body Y -axis wind velocity along body Z-axis wind velocity along earth X-axis wind velocity along earth Y -axis wind velocity along earth Z-axis dimensionless gust velocity along negative body X-axis gust angle of attack gust angle of sideslip dimensionless gust velocity derivative along negative body X-axis gust angle of attack rate gust angle of sideslip rate dimensionless gust velocity along negative body X-axis, varying along wingspan gust angle of attack, varying along wingspan
Getting Started with the GARTEUR RECOVER Benchmark
581
Table 8 Acceleration parameters (yacc) No. 57 58 59 60
Name axb ayb azb anxb
Symbol axb ayb azb anxb
Dimension g g g g
61
anyb
anyb
g
62
anzb
anzb
g
63
anxa
anxa
g
64
anya
anya
g
65
anza
anza
g
66
anxib
anx,ib
g
67
anyib
any,ib
g
68
anzib
anz,ib
g
69 70 71
anb anib n
anb an,ib n
g g g
Description acceleration at c.g. along body X-axis acceleration at c.g. along body Y -axis acceleration at c.g. along body Z-axis accelerometer output at c.g. along body Xaxis accelerometer output at c.g. along body Y axis accelerometer output at c.g. along body Zaxis accelerometer output at c.g. along airpath X-axis accelerometer output at c.g. along airpath Y -axis accelerometer output at c.g. along airpath Z-axis accelerometer output at (x, y, z)iacc along body X-axis accelerometer output at (x, y, z)iacc along body Y -axis accelerometer output at (x, y, z)iacc along body Z-axis normal acceleration at c.g. normal acceleration at (x, y, z)iacc load factor
Table 9 Flight path related parameters (yfp) No. 72 73 74 75 76 77
Name gamma chi gammadot chidot heacc fpacc
Symbol γ χ γ˙ χ˙ h¨ e f pa
Dimension rad rad rad/s rad/s m/s2 m/s2
Description flight path angle azimuth angle flight path angle rate azimuth angle rate vertical acceleration flight path acceleration
Table 10 Energy related terms (ys) No. Name 78 Espec 79 Pspec
Symbol Es Ps
Dimension m m/s
Description specific energy specific power
582
Appendix
Table 11 Aerodynamic forces and moments (yFMaero) No. Name 80 Tbody
Symbol Tb
Dimension N
81
Ybody
Yb
N
82
Nbody
Nb
N
83
MXbody
Lb
Nm
84
MYbody
Mb
Nm
85
MZbody
Nb
Nm
Description aerodynamic tangential force in body reference frame aerodynamic sideforce coefficient in body reference frame aerodynamic normal force in body reference frame aerodynamic rolling moment in body reference frame aerodynamic pitching moment in body reference frame aerodynamic yawing moment in body reference frame
Table 12 Forces and moments due to turbulence (yFMgust) No. Name 86 Tgbody
Symbol Tgb
Dimension N
87
Ygbody
Ygb
N
88
Ngbody
Ngb
N
89
MXgbody
Lgb
Nm
90
MYgbody
Mgb
Nm
91
MZgbody
N gb
Nm
Description tangential force due to turbulence in body reference frame sideforce coefficient due to turbulence in body reference frame normal force due to turbulence in body reference frame rolling moment due to turbulence in body reference frame pitching moment due to turbulence in body reference frame yawing moment due to turbulence in body reference frame
Table 13 Propulsion forces and moments (yFMt) No. Name 92 Ttbody
Symbol Ttb
Dimension N
93
Ytbody
Ytb
N
94
Ntbody
Ntb
N
95
MXtbody
Ltb
Nm
96
MYtbody
Mtb
Nm
97
MZtbody
N tb
Nm
Description propulsion tangential force in body reference frame propulsion sideforce coefficient in body reference frame propulsion normal force in body reference frame propulsion rolling moment in body reference frame propulsion pitching moment in body reference frame propulsion yawing moment in body reference frame
Getting Started with the GARTEUR RECOVER Benchmark
583
Table 14 Aerodynamic force and moment coefficients (yCaero) No. Name 98 CDair
Symbol CDa
Dimension –
99
CYair
CYa
–
100 CLair
CLa
–
101 CLLair
Ca
–
102 CMair
Cma
–
103 CNNair
Cna
–
104 CDstab
CDs
–
105 CYstab
CYs
–
106 CLstab
CLs
–
107 CLLstab
Cs
–
108 CMstab
Cms
–
109 CNNstab
Cns
–
110 CTbody
CTb
–
111 CYbody
CYb
–
112 CNbody
CNb
–
113 CLLbody
Cb
–
114 CMbody
Cmb
–
115 CNNbody
Cnb
–
Description aerodynamic drag coefficient in airpath reference frame aerodynamic sideforce coefficient in airpath reference frame aerodynamic lift coefficient in airpath reference frame aerodynamic rolling moment coefficient in airpath reference frame aerodynamic pitching moment coefficient in airpath reference frame aerodynamic yawing moment coefficient in airpath reference frame aerodynamic drag coefficient in stability reference frame aerodynamic sideforce coefficient in stability reference frame aerodynamic lift coefficient in stability reference frame aerodynamic rolling moment coefficient in stability reference frame aerodynamic pitching moment coefficient in stability reference frame aerodynamic yawing moment coefficient in stability reference frame aerodynamic tangential force coefficient in body reference frame aerodynamic sideforce coefficient in body reference frame aerodynamic normal force coefficient in body reference frame aerodynamic rolling moment coefficient in body reference frame aerodynamic pitching moment coefficient in body reference frame aerodynamic yawing moment coefficient in body reference frame
584
Appendix
Table 15 Control surfaces (uc) No. 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140
Name delta delta delta delta delta delta delta delta delta delta delta delta delta delta delta delta delta delta delta delta ih delta delta delta delta
air ail aor aol sp1 sp2 sp3 sp4 sp5 sp6 sp7 sp8 sp9 sp10 sp11 sp12 eir eil eor eol ru rl fo fi
Symbol δair δail δaor δaol δsp1 δsp2 δsp3 δsp4 δsp5 δsp6 δsp7 δsp8 δsp9 δsp10 δsp11 δsp12 δeir δeil δeor δeol ih δru δrl δfo δfi
Dimension rad rad rad rad rad rad rad rad rad rad rad rad rad rad rad rad rad rad rad rad rad rad rad rad rad
Description right inboard aileron deflection left inboard aileron deflection right outboard aileron deflection left outboard aileron deflection spoiler #1 deflection spoiler #2 deflection spoiler #3 deflection spoiler #4 deflection spoiler #5 deflection spoiler #6 deflection spoiler #7 deflection spoiler #8 deflection spoiler #9 deflection spoiler #10 deflection spoiler #11 deflection spoiler #12 deflection right inboard elevator deflection left inboard elevator deflection right outboard elevator deflection left outboard elevator deflection stabiliser deflection upper rudder deflection lower rudder deflection outboard trailing edge flaps deflection inboard trailing edge flaps deflection
Table 16 Pilot control inputs (top level open-loop model b747 funpc d.mdl) No. Name 1 delta c
Symbol δc
Dimension rad
2 3 4 5
delta delta delta delta
δw δp δstab δsbh
rad rad rad rad
6 7
delta fh EPR1
δfh EPR1
rad –
8
EPR2
EPR2
–
9
EPR3
EPR3
–
10
EPR4
EPR4
–
11
gear
gear
0/1
w p stab sbh
Description control column position (+12.67deg/12.5deg) control wheel position (+88deg/-88deg) rudder pedal position (+14deg/-14deg) stabiliser handle position (0-15 units) speedbrake handle position (0-37deg inflight detent) flap handle position (0-30 detent) EPR engine #1 (0.94-1.62 (Flight 1862 simulation)) EPR engine #2 (0.94-1.62 (Flight 1862 simulation)) EPR engine #3 (0.94-1.62 (Flight 1862 simulation)) EPR engine #4 (0.94-1.62 (Flight 1862 simulation)) gear handle position
Getting Started with the GARTEUR RECOVER Benchmark
585
Table 17 Instrument landing system (ILS) parameters (Standard Sensors block) No. 1 2 3 4 5
Name GSdev DME GSvalid LOCdev LOCvalid
Symbol GSdev DME GSvalid LOCdev LOCvalid
Dimension rad m 0/1 rad 0/1
Description glideslope deviation distance to runway threshold glideslope signal valid localiser deviation localiser signal valid
9 Contributors The following persons and organisations contributed to the development of the GARTEUR RECOVER benchmark. Coen van der Linden (Delft University of Technology) Hafid Smaili (National Aerospace Laboratory NLR) Jan Breeman (National Aerospace Laboratory NLR) Jaap Groeneweg (National Aerospace Laboratory NLR) Ronald Verhoeven (National Aerospace Laboratory NLR) Thomas Lombaerts (Delft University of Technology) Andres Marcos (Deimos Space) Gary Balas (University of Minnesota) Chris Edwards (University of Leicester) Halim Alwi (University of Leicester) David Breeds (QinetiQ) Stuart Runham (DSTL) Contact information, organisation details and links can be found on the GARTEUR project site www.faulttolerantcontrol.nl.
References 1. GARTEUR. GARTEUR RECOVER benchmark quickstart guide, GARTEUR Flight Mechanics Action Group 16 ‘Fault Tolerant Control’ (2009) 2. van der Linden, C.A.A.M.: DASMAT- Delft University Aircraft Simulation Model and Analysis Tool. Report LR-781, Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (1996) 3. Smaili, M.H.: Flight data reconstruction and simulation of El Al Flight 1862. Final thesis, Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (1997) 4. Smaili, M.H., Mulder, J.A.: Flight data reconstruction and simulation of the 1992 Amsterdam Bijlmermeer airplane accident. In: AIAA Modeling and Simulation Technologies Conference and Exhibit, AIAA-2000-4586, Denver, CO (August 2000) 5. Hanke, C.R.: The simulation of a large transport aircraft. Modeling data, vol. II. NASA CR-114494 (September 1970)
586
Appendix
6. Hanke, C.R.: The simulation of a large transport aircraft. Mathematical model, vol. I. NASA CR-1756 (March 1971) 7. van Keulen, R.: Real-time simulation and analysis of the automatic flight control system of the Boeing 747-200. Final thesis, Delft University of Technology, Faculty of Aerospace Engineering, Delft, The Netherlands (1991) 8. Marcos, A., Balas, G.J.: A Boeing 747-100/200 aircraft fault tolerant and fault diagnostic benchmark. Technical Report AEM-UoM-2003-1, University of Minnesota, Minnesota (June 2003) 9. EL AL Flight 1862, aircraft accident report 92-11. Netherlands Aviation Safety Board, Hoofddorp, The Netherlands (1994) 10. Boeing 747 Aircraft Operations Manual (1976) 11. Stevens, B.L., Lewis, F.L.: Aircraft control and simulation. John Wiley & Sons Inc., New York (1992) 12. Etkin, B., Reid, L.D.: Dynamics of flight - stability and control, 3rd edn. Wiley, New York (1996) 13. Matlab getting started guide. Version 6.5 (Release 13) or later. The Mathworks Inc., Natick, MA (USA) 14. Simulink user’s guide. Version 5.1 (Release 13SP1) or later. The Mathworks Inc., Natick, MA (USA)
Lecture Notes in Control and Information Sciences Edited by M. Thoma, F. Allgöwer, M. Morari Further volumes of this series can be found on our homepage: springer.com Vol. 399: Edwards, C.; Lombaerts, T.; Smaili, H. (Eds.): Fault Tolerant Flight Control 586 p. 2010 [978-3-642-11689-6] Vol. 398: Willems, J.C.; Hara, S.; Ohta, Y.; Fujioka, H. (Eds.): Perspectives in Mathematical System Theory, Control, and Signal Processing 388 p. 2010 [978-3-540-93917-7] Vol. 397: Yang, H.; Jiang, B.; Cocquempot, V.: Fault Tolerant Control Design for Hybrid Systems 191 p. 2010 [978-3-642-10680-4]
Vol. 389: Bru, R.; Romero-Vivó, S. (Eds.): Positive Systems 398 p. 2009 [978-3-642-02893-9] Vol. 388: Jacques Loiseau, J.; Michiels, W.; Niculescu, S-I.; Sipahi, R. (Eds.): Topics in Time Delay Systems 418 p. 2009 [978-3-642-02896-0] Vol. 387: Xia, Y.; Fu, M.; Shi, P.: Analysis and Synthesis of Dynamical Systems with Time-Delays 283 p. 2009 [978-3-642-02695-9]
Vol. 396: Kozlowski, K. (Ed.): Robot Motion and Control 2009 475 p. 2009 [978-1-84882-984-8]
Vol. 386: Huang, D.; Nguang, S.K.: Robust Control for Uncertain Networked Control Systems with Random Delays 159 p. 2009 [978-1-84882-677-9]
Vol. 395: Talebi, H.A.: Neural Network-Based State Estimation of Nonlinear Systems appro. 200 p. 2010 [978-1-4419-1437-8]
Vol. 385: Jungers, R.: The Joint Spectral Radius 144 p. 2009 [978-3-540-95979-3]
Vol. 394: Pipeleers, G.; Demeulenaere, B.; Swevers, J.: Optimal Linear Controller Design for Periodic Inputs 177 p. 2009 [978-1-84882-974-9] Vol. 393: Ghosh, B.K.; Martin, C.F.; Zhou, Y.: Emergent Problems in Nonlinear Systems and Control 285 p. 2009 [978-3-642-03626-2] Vol. 392: Bandyopadhyay, B.; Deepak, F.; Kim, K.-S.: Sliding Mode Control Using Novel Sliding Surfaces 137 p. 2009 [978-3-642-03447-3] Vol. 391: Khaki-Sedigh, A.; Moaveni, B.: Control Configuration Selection for Multivariable Plants 232 p. 2009 [978-3-642-03192-2] Vol. 390: Chesi, G.; Garulli, A.; Tesi, A.; Vicino, A.: Homogeneous Polynomial Forms for Robustness Analysis of Uncertain Systems 197 p. 2009 [978-1-84882-780-6]
Vol. 384: Magni, L.; Raimondo, D.M.; Allgöwer, F. (Eds.): Nonlinear Model Predictive Control 572 p. 2009 [978-3-642-01093-4] Vol. 383: Sobhani-Tehrani E.: Khorasani K.; Fault Diagnosis of Nonlinear Systems Using a Hybrid Approach 360 p. 2009 [978-0-387-92906-4] Vol. 382: Bartoszewicz A.; Nowacka-Leverton A.: Time-Varying Sliding Modes for Second and Third Order Systems 192 p. 2009 [978-3-540-92216-2] Vol. 381: Hirsch M.J.; Commander C.W.; Pardalos P.M.; Murphey R. (Eds.): Optimization and Cooperative Control Strategies: Proceedings of the 8th International Conference on Cooperative Control and Optimization 459 p. 2009 [978-3-540-88062-2] Vol. 380: Basin M.: New Trends in Optimal Filtering and Control for Polynomial and Time-Delay Systems 206 p. 2008 [978-3-540-70802-5]
Vol. 379: Mellodge P.; Kachroo P.: Model Abstraction in Dynamical Systems: Application to Mobile Robot Control 116 p. 2008 [978-3-540-70792-9] Vol. 378: Femat R.; Solis-Perales G.: Robust Synchronization of Chaotic Systems Via Feedback 199 p. 2008 [978-3-540-69306-2] Vol. 377: Patan K.: Artificial Neural Networks for the Modelling and Fault Diagnosis of Technical Processes 206 p. 2008 [978-3-540-79871-2] Vol. 376: Hasegawa Y.: Approximate and Noisy Realization of Discrete-Time Dynamical Systems 245 p. 2008 [978-3-540-79433-2] Vol. 375: Bartolini G.; Fridman L.; Pisano A.; Usai E. (Eds.): Modern Sliding Mode Control Theory 465 p. 2008 [978-3-540-79015-0] Vol. 374: Huang B.; Kadali R.: Dynamic Modeling, Predictive Control and Performance Monitoring 240 p. 2008 [978-1-84800-232-6] Vol. 373: Wang Q.-G.; Ye Z.; Cai W.-J.; Hang C.-C.: PID Control for Multivariable Processes 264 p. 2008 [978-3-540-78481-4] Vol. 372: Zhou J.; Wen C.: Adaptive Backstepping Control of Uncertain Systems 241 p. 2008 [978-3-540-77806-6] Vol. 371: Blondel V.D.; Boyd S.P.; Kimura H. (Eds.): Recent Advances in Learning and Control 279 p. 2008 [978-1-84800-154-1] Vol. 370: Lee S.; Suh I.H.; Kim M.S. (Eds.): Recent Progress in Robotics: Viable Robotic Service to Human 410 p. 2008 [978-3-540-76728-2] Vol. 369: Hirsch M.J.; Pardalos P.M.; Murphey R.; Grundel D.: Advances in Cooperative Control and Optimization 423 p. 2007 [978-3-540-74354-5]
Vol. 368: Chee F.; Fernando T. Closed-Loop Control of Blood Glucose 157 p. 2007 [978-3-540-74030-8] Vol. 367: Turner M.C.; Bates D.G. (Eds.): Mathematical Methods for Robust and Nonlinear Control 444 p. 2007 [978-1-84800-024-7] Vol. 366: Bullo F.; Fujimoto K. (Eds.): Lagrangian and Hamiltonian Methods for Nonlinear Control 2006 398 p. 2007 [978-3-540-73889-3] Vol. 365: Bates D.; Hagström M. (Eds.): Nonlinear Analysis and Synthesis Techniques for Aircraft Control 360 p. 2007 [978-3-540-73718-6] Vol. 364: Chiuso A.; Ferrante A.; Pinzoni S. (Eds.): Modeling, Estimation and Control 356 p. 2007 [978-3-540-73569-4] Vol. 363: Besançon G. (Ed.): Nonlinear Observers and Applications 224 p. 2007 [978-3-540-73502-1] Vol. 362: Tarn T.-J.; Chen S.-B.; Zhou C. (Eds.): Robotic Welding, Intelligence and Automation 562 p. 2007 [978-3-540-73373-7] Vol. 361: Méndez-Acosta H.O.; Femat R.; González-Álvarez V. (Eds.): Selected Topics in Dynamics and Control of Chemical and Biological Processes 320 p. 2007 [978-3-540-73187-0] Vol. 360: Kozlowski K. (Ed.): Robot Motion and Control 2007 452 p. 2007 [978-1-84628-973-6] Vol. 359: Christophersen F.J.: Optimal Control of Constrained Piecewise Affine Systems 190 p. 2007 [978-3-540-72700-2] Vol. 358: Findeisen R.; Allgöwer F.; Biegler L.T. (Eds.): Assessment and Future Directions of Nonlinear Model Predictive Control 642 p. 2007 [978-3-540-72698-2]